


Wednesday, October 2, 2013

What is the link encryption method?

- Link encryption is one of the classic ways of applying cryptography to digital communications.
- It is designed to keep data secret and to prevent forgery while the data travels over a link.
- The concept is simple, and it fits every kind of existing application and communication software, because the encryption happens below them, on the link itself.
- It is the simplest of the methods, even though it is not a complete solution for most applications.
- Link encryption should be used only if your security objectives match what link encryption actually provides.
- It is commonly used where a boundary has to be maintained between internal users and external users.
- With link encryption it is easy for internal users to share data, while external users on the link see only ciphertext.
- Apart from the separation it maintains between the two classes of users, its protection is transparent to users and applications.

Below we mention some security objectives that can be met with link encryption:

Ø  Maintaining confidentiality: our systems store very sensitive data. While exchanging data with other systems, the risk of leakage must be kept as low as possible.

Ø  Communication with outsiders: we do not want to share our data with unwanted outsiders or unauthorized sites, so such exchanges should be blocked. They should be prevented even when they would happen through carelessness or accident.

Ø  Hiding data traffic: as far as possible we want the data and its details, such as the destination host and other communication control information, shielded from outsiders. It is assumed here that this information will not be leaked by insiders.

Ø  Familiarity and safety: we rank these two factors above cost.

Ø  Protection of data transfers: we need protection for our data against tampering or forgery by outsiders while it is in transit, together with some assurance that tampering would be noticed. Encryption alone does not give this assurance: it hides the data but does not by itself detect changes to the ciphertext (see the rewrite attacks below), so the encryptors must also add an integrity check if this objective matters.

- From a security standpoint, link encryption yields a design that is highly reliable. 
- If your organization has established a strong physical security perimeter, link encryption is a good technique for extending it to the network. 
- Such a perimeter keeps strict control over the flow of physical documents. 
- Link encryption provides complementary protection for the flow of electronic documents. 
- Every data link that crosses the boundary gets an encryptor at each end. 
- Documents stay inside the perimeter in plaintext. 
- Data leaving the perimeter is protected by the encryptors. 
- Link encryption has been used for years in banking and military communications to provide secure links. 
- Its building blocks are in-line encryptors.
- These are hardware devices that take plaintext in on one side and put ciphertext out on the other, and do the reverse at the receiving end.

The encryptors have vulnerabilities of their own, as described below:
Ø  Rewrite attacks: an attacker who knows (or can guess) part of the plaintext flips bits in the ciphertext so that the decrypted message changes in a predictable way; messages are forged without the key ever being known. Stream ciphers and similar modes are vulnerable to this unless the encryptor also adds an integrity check.
Ø  Replay attacks: it is tempting to think that encrypted data is self-validating, i.e. that anything which decrypts to a sensible message must have come from the legitimate sender holding the key. But the ciphertext is visible to outsiders, so an outsider can record a genuine message and send it again later; it decrypts sensibly because it really was produced with the right key. Sequence numbers or timestamps inside the protected data are needed to detect this.
Ø  Covert signaling attacks: these rest on the idea that if there is an internal process that wants to leak information, there is always some way for it to do so; the encryptor protects data from outsiders but does nothing against an insider who deliberately encodes secrets in traffic the encryptor cannot inspect. 
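The rewrite and replay attacks above, and the integrity check that defeats both, shown as an added example (not code from the original post). The "encryptor" is a toy XOR stream cipher whose keystream is SHA-256 over key, nonce and a counter; it stands in for any stream cipher or CTR-mode encryptor and is an assumption of this demo, not a recommendation. The keys, nonce and the message "PAY 0100 TO ALICE" are constructed.

```python
import hashlib
import hmac
import secrets

# Toy counter-mode stream cipher (assumption: stands in for a real encryptor).
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes as SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Plaintext XOR keystream: confidentiality only, no integrity check."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt  # XOR is its own inverse

def rewrite_attack(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Rewrite (bit-flipping) attack: the outsider knows that `known` sits at
    `offset` in the plaintext. XORing (known ^ wanted) into the ciphertext makes
    it decrypt to `wanted` there. No key is needed."""
    forged = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        forged[offset + i] ^= k ^ w
    return bytes(forged)

# --- Hardened encryptor: encrypt-then-MAC with an authenticated sequence number ---
SEQ_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32

def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Frame layout: seq(4) || nonce(16) || ciphertext || HMAC-SHA256 tag(32).
    The tag covers seq and nonce too, so neither can be altered or reused unnoticed."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    header = seq.to_bytes(SEQ_LEN, "big") + nonce
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag

class Receiver:
    """Receiving encryptor: rejects tampered frames and frames whose sequence
    number does not move forward."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = -1

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + NONCE_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        hdr_len = SEQ_LEN + NONCE_LEN
        header, ct, tag = frame[:hdr_len], frame[hdr_len:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tampered frame")      # stops the rewrite attack
        seq = int.from_bytes(header[:SEQ_LEN], "big")
        if seq <= self.last_seq:
            raise ValueError("replayed frame")      # stops the replay attack
        self.last_seq = seq
        return decrypt(self.enc_key, header[SEQ_LEN:], ct)

if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 16               # constructed demo key material
    msg = b"PAY 0100 TO ALICE"                      # constructed sample message
    ct = encrypt(key, nonce, msg)
    forged = rewrite_attack(ct, 4, b"0100", b"9900")
    print(decrypt(key, nonce, forged))              # b'PAY 9900 TO ALICE'
    rx = Receiver(key, b"m" * 32)
    print(rx.open(seal(key, b"m" * 32, 1, msg)))    # b'PAY 0100 TO ALICE'
```

Run it and the first line shows the amount changed by an attacker who never saw the key; feed the same sealed frame to `rx.open` twice and the second call raises "replayed frame", while flipping any ciphertext bit raises "tampered frame". The sequence number must live inside the authenticated header, otherwise the attacker simply rewrites it as well.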


Monday, September 30, 2013

What are the security problems faced by a network?

Mistakes concerning network security are very common, and the same mistakes are repeated again and again. These problems cannot be solved without changing our working methods. In this article we discuss some common security problems faced by a network.

Ø Using weak, non-complex passwords for network access: 
- Brute forcing is an old-school attack to which many network administrators still leave themselves open. 
- The well-known CAPTCHA technique is often put in front of login forms as a fix for this. 
- In a common CAPTCHA, the user has to type in the digits or letters displayed in a distorted image. 
- It is designed to stop automated internet bots from accessing the network.
- However, it is not as safe as it looks. 
- It gives network admins a false sense of security against brute forcing: it slows down bots, but it does nothing about a weak password that is simply in the attacker's wordlist, and account lockout or rate limiting is still needed. 
- Complex passwords are the real solution to this problem. 
- A complex password combines more than seven characters (longer is better) with numbers and special characters. 
- Apart from requiring complex passwords, a password expiration system has to be implemented. 
- This system reminds users to change their passwords. 
- Care should also be taken about the reuse of passwords. 
- Cycling between a small set of old passwords should not be allowed.

Ø Using outdated server applications or software: 
- Vendors release patches from time to time to ensure that systems do not remain vulnerable to known threats. 
- Attackers also keep producing new exploits and threats that can harm the network if the patches are not applied. 
- To keep the network ahead of new threats, the software and applications have to be updated regularly.  

Ø Web cookies: 
- Viruses and malware cannot be introduced into the network through cookies, but third-party cookies can track individuals and compile records of their browsing histories. 
- Unprotected cookies pose a bigger threat: a session cookie without the HttpOnly flag can be read by script injected through a cross-site scripting (XSS) attack, and one without the Secure flag is sent in the clear over plain HTTP, putting your privacy at risk. 
- A stolen cookie that carries log-in data or a session identifier lets an attacker intrude into your systems as that user. 
- The solution is to keep log-in data out of cookies: use a random session identifier, sign or encrypt any cookie contents the server must trust, set the HttpOnly and Secure flags, and enforce the expiration time on the server rather than trusting the cookie. 
- Admins might also require users to log in again before accessing important network directories.

Ø Plain hashes: 
- Hashing is also used for indexing and retrieval in databases, but here it refers to storing a one-way digest of a password instead of the password itself. 
- Many systems store plain, unsalted hashes of their users' passwords. 
- A salt is a random value added to each password before hashing; it makes building a look-up table (a rainbow table) that assists brute-force or dictionary attacks extremely difficult, or practically impossible. 
- This works only when the salt is large, random and unique per password. 
- With salts, the attacker cannot use a pre-computed look-up table against the stolen hashes; each hash has to be attacked separately. 
- This makes the attacker's job far more expensive, especially when a deliberately slow hash function (bcrypt, scrypt, PBKDF2 or Argon2) is used.
- So even if the attacker breaks into your system and copies the database, the passwords are not directly readable. 
- The salt itself need not be secret, but if an additional secret key (a pepper) or encryption is used, that key must be kept hidden from the database.
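The difference between a plain hash and a salted, slow hash, as an added example that is not part of the original post. It builds the attacker's look-up table against unsalted SHA-256 and then shows that the same table is useless against per-user random salts with PBKDF2-HMAC-SHA256 from the standard library. The iteration count and the word list are assumptions; tune the count so one verification costs about 100 ms on your servers.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption: raise or lower to hit ~100 ms per verification

def plain_hash(password: str) -> str:
    """The weak scheme: same password, same hash, for every user and every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(wordlist) -> dict:
    """Attacker's precomputed table hash -> password. Works only against plain hashes."""
    return {plain_hash(word): word for word in wordlist}

def crack_with_table(stolen_hashes, table: dict) -> dict:
    """Look each stolen hash up in the table; returns {hash: password} for the hits."""
    return {h: table[h] for h in stolen_hashes if h in table}

def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. The result is self-describing so the parameters can be
    raised later without invalidating records already in the database."""
    salt = salt if salt is not None else secrets.token_bytes(16)   # 128-bit random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "qwerty"]          # constructed
    table = build_lookup_table(wordlist)
    stolen_plain = [plain_hash("letmein"), plain_hash("c0rrect-h0rse")]
    print(crack_with_table(stolen_plain, table))      # the 'letmein' user falls instantly
    stolen_salted = [hash_password("letmein").split("$")[-1]]
    print(crack_with_table(stolen_salted, table))     # {} : the table does not apply
    record = hash_password("letmein")
    print(verify_password("letmein", record), verify_password("letmeout", record))
```

Hashing "letmein" twice yields two different records because each gets a fresh salt, which is exactly what denies the attacker a shared table; the salt is stored in the clear inside the record, since its job is uniqueness, not secrecy.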

Ø Shared web hosting: 
- This service puts many websites on the same server. 
- Each site is given its own partition (a separate account or directory). 
- This is economical for most small systems. 
- But if an attacker breaches one website on the server, weak isolation between the partitions can let him get into the other websites' systems too. 


Monday, September 23, 2013

What is meant by Quality of Service provided by the network layer?

- QoS, or quality of service, is a term that refers to a number of aspects of computer networks, telephony and similar systems. 
- It allows traffic to be transported according to specific requirements. 
- Technology has advanced so much that computer networks now double as telephone networks for audio conversations. 
- The technology even supports applications that have strict service demands. 
- In telephony, quality of service is defined by the ITU. 
It covers all requirements concerning all aspects of a connection, such as the following:
Ø  Service response time
Ø  Loss
Ø  Signal – to – noise ratio
Ø  Cross – talk
Ø  Echo
Ø  Interrupts
Ø  Frequency response
Ø  Loudness levels etc.  

- The GoS (grade of service) requirement is a subset of QoS and consists of those aspects of the connection that relate to its coverage and capacity. 
- For example, outage probability, maximum blocking probability and so on. 
- In packet-switched telecommunication networks and computer networking, resource reservation mechanisms come under the concept of traffic engineering. 
- Here QoS can be defined as the ability to give different priorities to different applications, data flows and users. 
- QoS guarantees are important when the capacity of the network is insufficient for all the traffic offered. 
- For example, voice over IP, IPTV and so on. 
- These services are sensitive to delay, have fixed bit rates and run over links of limited capacity.
- A protocol or network that supports QoS may agree on a traffic contract with the application software and reserve capacity in the network nodes. 
- Best-effort services, by contrast, do not support quality of service. 
- An alternative to complex QoS control mechanisms is to provide high-quality communication over a best-effort network by over-provisioning. 
- Here the capacity is over-provisioned so much that it is sufficient for the expected peak traffic load. 
- Since network congestion is then eliminated, QoS mechanisms are not required. 
- QoS is sometimes also taken to mean the level of the service's quality, i.e., the GoS. 
- For example, low bit error probability, low latency, high bit rate and so on. 
- QoS can also be defined as a metric that reflects the quality of service experienced by the user.
- It is the cumulative effect of all these factors that the user finds acceptable. 
Certain types of the network traffic require a defined QoS such as the following:
Ø  Streaming media such as IPTV (internet protocol television), audio over Ethernet, audio over IP etc.
Ø  Voice over IP
Ø  Video conferencing
Ø  Telepresence
Ø  iSCSI, FCoE etc. storage applications
Ø  safety critical applications
Ø  circuit emulation service
Ø  network operations support systems
Ø  industrial control systems
Ø  online games

- All the services mentioned above are examples of inelastic services: they need a certain level of bandwidth and a bound on latency to operate properly. 
- Elastic services, on the other hand, can work with whatever bandwidth and latency they get. 
- An example of an elastic service is a bulk file transfer application based on TCP.
- A number of factors affect quality of service in packet-switched networks. 
- These factors can be broadly classified into two categories, technical and human. 
The following are counted as the technical factors:
Ø  reliability
Ø  scalability
Ø  effectiveness
Ø  maintainability
Ø  grade of service and so on.
- The human factors include the stability of the service quality, its availability, waiting times and the information given to users.

- Circuit-switched networks such as ATM (asynchronous transfer mode) and GSM voice transmission have QoS built into their core protocols. 


Saturday, September 14, 2013

Explain Border Gateway Protocol (BGP)?

- BGP, or Border Gateway Protocol, is the set of rules used for making routing decisions at the core of the internet. 
- It maintains a table of IP networks, or prefixes, which designate the reachability of networks among autonomous systems (ASes). 
- The protocol falls under the category of path vector protocols, or is sometimes classified as a variant of the distance vector routing protocols. 
- BGP does not use the metrics of an IGP (interior gateway protocol); instead, paths, rule sets and policies are used for making routing decisions. 
- This is why BGP is often called a reachability protocol rather than a routing protocol. 
- BGP has replaced EGP, the exterior gateway protocol. 
- It did so because it allows full decentralization of routing, which was needed for the transition from the ARPANET model's core to the decentralized system consisting of the NSFNET backbone and its associated regional networks. 
- The version of BGP in use today is version 4. 
- The earlier versions were discarded as obsolete. 
- Its major advantages are support for classless inter-domain routing (CIDR) and a technique called route aggregation for reducing the size of routing tables. 
- The use of BGP has made the whole routing system a decentralized one.
- BGP is used by most internet service providers to establish routing between them. 
- This is especially so when the ISPs are multi-homed. 
- That is why, even though it is not used directly by end users, it is one of the most important protocols in networking. 
- BGP is also used internally by a number of large private IP networks. 
- For example, it is used to join many large OSPF (open shortest path first) networks where OSPF by itself cannot scale to the required size. 
- BGP is also used for multi-homing a network so as to provide better redundancy. 
- This can be either to many ISPs or to multiple access points of a single ISP. 
- Neighbors in BGP are known as peers. 
- Peers are created by manually configuring the two routers so that they establish a TCP session on port 179. 
- A BGP speaker periodically sends 19-byte keep-alive messages over the session to maintain the connection. 
- Among the routing protocols BGP is unique in relying on TCP for transport. Because peering is configured by hand and the protocol carries no authentication of its own, peers are usually protected with the TCP MD5 signature option or TCP-AO, and the prefixes received from a peer are filtered by policy. 
- When the protocol runs between two peers within the same autonomous system, it is called IBGP (internal BGP). 
- It is called EBGP (external BGP) when it runs between different autonomous systems.
- Border or edge routers are the routers placed on the boundary to exchange information between autonomous systems.
- BGP speakers can negotiate optional capabilities for the session, such as multi-protocol extensions and a number of recovery modes. 
- If the multi-protocol extensions are negotiated when the session is created, the BGP speaker can prefix the NLRI (network layer reachability information) with an address family. 
- The NLRI is then advertised along with its address family prefix. 
The address families include the following:
Ø  IPv4
Ø  IPv6
Ø  Multicast BGP
Ø  IPv4/ IPv6 virtual private networks

- These days BGP is also commonly employed as a generalized signaling protocol, carrying information about routes that may not form part of the global internet. 
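The message framing behind the "19-byte keep-alive" above, as an added example rather than code from the original post. Every BGP message starts with a 19-byte header (16-byte all-ones marker, 2-byte length, 1-byte type), and a KEEPALIVE is nothing but that header; the OPEN layout and the length and hold-time checks follow RFC 4271. The AS number and router ID are constructed; the optional parameters (including the 4-byte ASN capability) are left empty.

```python
import ipaddress
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19                    # marker(16) + length(2) + type(1)
MAX_MSG_LEN = 4096                 # RFC 4271 maximum message size
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
BGP_VERSION = 4

def build_message(mtype: int, body: bytes = b"") -> bytes:
    """Prepend the fixed header; the length field counts the header too."""
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), mtype) + body

def build_keepalive() -> bytes:
    return build_message(KEEPALIVE)            # header only: 19 bytes on the wire

def build_open(asn: int, hold_time: int, router_id: str) -> bytes:
    """OPEN body: version(1) my-AS(2) hold-time(2) BGP-identifier(4) opt-param-len(1).
    The 2-byte AS field is used here; 4-byte ASNs travel in a capability (not shown)."""
    body = struct.pack("!BHH4sB", BGP_VERSION, asn, hold_time,
                       ipaddress.IPv4Address(router_id).packed, 0)
    return build_message(OPEN, body)

def parse_header(data: bytes):
    """Validate the fixed header and return (type, body). Each ValueError is a
    condition a conformant speaker answers with a NOTIFICATION and a session reset."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    if data[:16] != MARKER:
        raise ValueError("connection not synchronised: bad marker")
    length, mtype = struct.unpack("!HB", data[16:19])
    if not HEADER_LEN <= length <= MAX_MSG_LEN:
        raise ValueError(f"bad message length {length}")
    if mtype not in (OPEN, UPDATE, NOTIFICATION, KEEPALIVE):
        raise ValueError(f"bad message type {mtype}")
    if len(data) < length:
        raise ValueError("truncated body")
    return mtype, data[HEADER_LEN:length]

def parse_open(body: bytes) -> dict:
    if len(body) < 10:
        raise ValueError("OPEN too short")
    version, asn, hold_time, rid, opt_len = struct.unpack("!BHH4sB", body[:10])
    if version != BGP_VERSION:
        raise ValueError(f"unsupported version {version}")
    if hold_time != 0 and hold_time < 3:
        raise ValueError("hold time must be 0 or at least 3 seconds")
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length mismatch")
    return {"version": version, "asn": asn, "hold_time": hold_time,
            "router_id": str(ipaddress.IPv4Address(rid))}

if __name__ == "__main__":
    # Two messages back to back, as they would arrive on the TCP stream (constructed).
    wire = build_open(65001, 90, "10.0.0.1") + build_keepalive()
    while wire:
        mtype, body = parse_header(wire)
        print(mtype, parse_open(body) if mtype == OPEN else f"{len(body)}-byte body")
        wire = wire[HEADER_LEN + len(body):]
```

Because BGP rides on a TCP byte stream, the parser must trust only the validated length field to find the next message; the marker and length checks are what stop a peer (or someone who has hijacked the session) from desynchronising the speaker with malformed data.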


Wednesday, September 11, 2013

What are multi-protocol routers?

- Some routers have the capability to route a number of protocols at the same time. 
- These routers are known as multi-protocol routers. 
- There are networking situations where combinations of various protocols such as AppleTalk, IP and IPX are used. 
- In such situations an ordinary single-protocol router cannot help, and this is where multi-protocol routers are used. 
- Using multi-protocol routers, information can be shared between networks running different protocols. 
- The multi-protocol router maintains a separate routing table for each protocol.
- Multi-protocol routers have to be used carefully, since they increase the number of routing tables present on the network. 
- Each protocol is advertised individually by the router. 

A multi-protocol router typically includes the following components:
Ø  Routing Information Protocol (RIP)
Ø  BOOTP relay agent
Ø  RIP for IPX
- Multi-protocol routers use RIP to exchange routing information dynamically. 
- Routers using RIP can exchange information dynamically with other routers that use the same protocol. 
- The BOOTP relay agent is included so that DHCP requests can be forwarded to their respective servers residing on other subnets. 
- Because of this, a single DHCP server can serve a number of IP subnets. 
- Routes learned in this way do not have to be configured manually.
- The networking world these days relies almost entirely on the Internet Protocol, but there are situations where certain tasks can be performed more efficiently by other protocols. 
- Most network protocols share many similarities rather than being different. 
- Therefore, if a router can route one protocol efficiently, it can usually route another one efficiently as well. 
- If non-IP protocols are routed in a network, the same staff that takes care of IP monitoring can administer the non-IP routing too. 
- This reduces the need for additional equipment and effort. 
- There are a number of non-IP protocols with which a LAN can work more effectively. 
- Using several non-IP protocols, a network can be made more flexible and better able to meet the demands of its users. 
- All these points speak in favor of multi-protocol routing in an abstract way. 
- But the non-IP protocols to be routed must be selected with care. 

Below we mention reasons why routing non-IP protocols might be avoided:

  1. It requires additional knowledge, because nobody can master everything. For each protocol an expert is required who can diagnose and fix a failure.
  2. It puts an extra load on the routers. For every protocol, the router has to maintain a separate routing table and run a dynamic routing protocol. All this needs more memory and processing power.
  3. It increases complexity. Although a multi-protocol router seems simple, it is complicated in terms of both hardware and software. A problem in the implementation of one protocol can have a negative impact on the stability of all the protocols.
  4. Difficulty in design: each protocol has its own rules for routing, address assignment and so on. These rules may conflict, which makes the network very difficult to design.
  5. It decreases stability. Some protocols do not scale as well as others, and some are not suited to a WAN environment. 


Monday, September 2, 2013

Application areas of leaky bucket algorithm and token bucket algorithm

In this article we discuss about the applications of the leaky bucket algorithm and the token bucket algorithm.  

Applications of Leaky Bucket Algorithm
- The leaky bucket algorithm is implemented in different versions. 
- For example, the generic cell rate algorithm (GCRA) is a version of it that is implemented in networks using ATM (asynchronous transfer mode).  
- The algorithm is applied at user interfaces in usage/network parameter control (UPC/NPC) to protect the network from congestive collapse or excess traffic. 
- An algorithm equivalent to the GCRA may also be used to shape the transmissions made by a network interface card onto an ATM network. 
There are two major applications of the leaky bucket algorithm. 
- The first uses it only as a counter, to check whether events or traffic conform to the defined limits.
- Whenever a packet arrives at the check point, the counter is incremented. 
This is the same as adding water to the bucket intermittently. 
- The counter is decremented at a constant rate, just as water leaks out of the bucket. 
- Because of this, the value of the counter when a packet arrives indicates whether the packet conforms to the bandwidth and burstiness limits. 
- Or, if an event occurs, the counter indicates whether it conforms to the peak and average rate limits. 
- So when packets arrive or an event occurs, water is added to the bucket and then leaks out. This version of the leaky bucket algorithm is called a meter.
- The other application of the leaky bucket algorithm is as a queue used for controlling the flow of traffic. 
- This queue maintains direct control over the flow. 
- When packets arrive, they are put into the queue. 
- This is the same as adding water to the bucket. 
- The packets are then removed in the order they arrived, at a constant rate. 
This is the same as water leaking out. 
- As a result, there is no jitter or burstiness in the output traffic flow; packets that arrive when the queue is full are dropped.

Applications of Token Bucket Algorithm
- The token bucket algorithm finds its application in telecommunications and packet-switched computer networks.
- It is implemented to check whether data transmissions conform to predefined bandwidth and burstiness limits. 
- The token bucket algorithm is used in traffic policing and traffic shaping. 
- In policing, non-conformant packets are discarded or assigned a lower priority. 
- This is done to manage the downstream traffic. 
- In shaping, on the other hand, packets are delayed until they are conformant. 
- Both are used to protect the network against bursty traffic. 
- Bursty traffic gives rise to congestion problems. 
- These algorithms help in managing the bandwidth as well as the congestion of the network. 
- Network interfaces commonly use traffic shaping so that their transmissions are not discarded by the network's traffic management functions. 
- The algorithm is based on the analogy of a bucket with a fixed capacity. 
- Tokens are added to this bucket at a fixed rate; each token represents a unit of data, typically one byte (some descriptions use one token per fixed-size packet).
- When a packet has to be checked for conformance to the predefined limits, the bucket is first checked to see whether it contains sufficient tokens. 
- If sufficient tokens are there, tokens equal to the number of bytes in the packet are removed and the packet is transmitted. 
- If there are not enough tokens, the packet is non-conformant and the number of tokens in the bucket remains unchanged.
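Both algorithms in working form, as an added example that is not part of the original post: a token bucket used as a policer (non-conformant packets are marked and the bucket is left unchanged), the same bucket used as a shaper (packets are delayed until they conform, in FIFO order), and the leaky bucket meter, which gives the same verdicts as the policer. Rates are bytes per second, times are seconds, and the three-packet trace is constructed.

```python
class TokenBucket:
    def __init__(self, rate: float, capacity: float):
        self.rate = rate              # tokens (bytes) added per second
        self.capacity = capacity      # bucket depth = largest permitted burst in bytes
        self.tokens = capacity        # the bucket starts full
        self.last = 0.0               # time of the last refill

    def _refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def police(self, now: float, size: int) -> bool:
        """Return True and consume tokens if the packet conforms; otherwise return
        False and leave the token count unchanged."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def shape(self, now: float, size: int) -> float:
        """Return the earliest time the packet may be sent: now if enough tokens
        exist, otherwise after the deficit has been refilled at `rate`."""
        if size > self.capacity:
            raise ValueError("packet larger than the burst size can never conform")
        self._refill(now)
        if size > self.tokens:
            wait = (size - self.tokens) / self.rate
            self._refill(now + wait)  # exactly `size` tokens are available after the wait
        self.tokens -= size
        return self.last

class LeakyBucketMeter:
    """Mirror image of the token bucket: an arrival adds `size` to the water level,
    the level drains at `rate`, and a packet conforms if it fits under `capacity`."""
    def __init__(self, rate: float, capacity: float):
        self.rate, self.capacity, self.level, self.last = rate, capacity, 0.0, 0.0

    def conforms(self, now: float, size: int) -> bool:
        self.level = max(0.0, self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + size <= self.capacity:
            self.level += size
            return True
        return False

def police_trace(trace, rate: float, capacity: float):
    """trace: list of (arrival_time, size). Returns one conformance flag per packet."""
    tb = TokenBucket(rate, capacity)
    return [tb.police(t, size) for t, size in trace]

def shape_trace(trace, rate: float, capacity: float):
    """FIFO shaper: each packet departs no earlier than the one before it."""
    tb = TokenBucket(rate, capacity)
    departures, clock = [], 0.0
    for t, size in trace:
        clock = max(clock, t)         # a packet waits behind earlier queued packets
        clock = tb.shape(clock, size)
        departures.append(clock)
    return departures

def meter_trace(trace, rate: float, capacity: float):
    lb = LeakyBucketMeter(rate, capacity)
    return [lb.conforms(t, size) for t, size in trace]

if __name__ == "__main__":
    # Constructed trace: a 2000-byte burst at t=0, then 500 bytes at t=1 s.
    trace = [(0.0, 1000), (0.0, 1000), (1.0, 500)]
    print(police_trace(trace, rate=1000, capacity=1500))   # [True, False, True]
    print(shape_trace(trace, rate=1000, capacity=1500))    # [0.0, 0.5, 1.0]
    print(meter_trace(trace, rate=1000, capacity=1500))    # [True, False, True]
```

With a 1500-byte bucket and a 1000 B/s rate, the second packet of the burst exceeds the allowance: the policer drops or down-marks it, while the shaper holds it for 0.5 s until enough tokens have accumulated, which is exactly the smoothing the text describes.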




Friday, August 30, 2013

What is meant by flow specification?

- Flow specification (flowspec) addresses a number of problems in DDoS mitigation. 
- A provider has limited options for mitigating DDoS attacks inside its own network. 
- These fall into three categories:
Ø  BGP destination-based black holing
Ø  BGP source-based black holing with uRPF
Ø  ACLs

- The basic idea is to use BGP to distribute flow specification filters. 
- This enables dynamic filtering in the routers. 
- The flow specification rules are encoded in a BGP NLRI address family of their own. 
- BGP treats the flow spec NLRI as an opaque key, which is used as the entry key for its database. 
- Extended communities are used to specify the actions, such as accept, discard, rate-limit, sample, redirect and so on. 
- The source/destination prefix and the source/destination port can be matched in combination with packet size, ICMP type/code, fragment encoding, DSCP, TCP flags and so on. 
- For example, TCP ports 80…90 can be matched together with destination 192.168.0.0/24. 
- The flow specification trust model is tied to unicast routing: a filter is regarded as a hole in the traffic heading towards a destination, so a filter is accepted only if it is advertised by the same next hop (originator) that advertises the best unicast route for that destination. 
Filters with various flow specifications are available today.
- The major benefit of flow specification is fine-grained filters that are easy to deploy and manage through BGP. 
- The trust and distribution problems are solved by BGP. 
- ASIC filtering in the routers is leveraged. 
- This is another major benefit of flow specification. 
Apart from the benefits, flow specification has the limitations mentioned below:
Ø  There is no update-level security in BGP.
Ø  Statistics and application-level acknowledgement are not well defined.
Ø  Flow specification works only for those nodes on which BGP has been enabled.
Ø  The BGP payload has to be overloaded with functions beyond routing.
Ø  There are various operational issues between security operations and network operations.
Ø  Threat information cannot be gathered in one place.

- Integration of flow specification was announced by various security vendors. 
- DDoS attacks are experienced by a large number of customers. 
- DDoS attacks are now massive and put the network infrastructure at risk, not only the end customer. 
- Congestion problems occur at both the exchanges and the backbone. 
- Attacks of long duration add to the cost of bursting and to circuit congestion problems. 
- Depending on the size of the attack, a whole POP may have to be isolated.
- VoIP is also affected. 
- These attacks have negative economic effects, since the cost of operations increases. 
- This leads to a degradation of the business. 
- Measures such as firewall filtering and destination-based BGP black-holing have proved insufficient in preventing the attacks. 
- These methods are slow, since someone has to log in and configure the devices. 
- The configuration has to be changed constantly. 
- Black-holing terminates all traffic to the destination. 
- This affects availability, which is what the attacker wanted in the first place. 
- The black hole routes are removed by changing the configuration yet again. 
- Earlier versions of flow specification had many bugs. 
- There were some limitations on performance. 
- Arbor's products did support flow specification actions, but multi-vendor support was lacking. 
- To some extent flow specification can mitigate an attack close to its source. 
- Collateral damage for the carriers is eliminated, and changes to the matching criteria are supported. 
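The rule quoted above (TCP ports 80…90 towards 192.168.0.0/24) encoded as an RFC 5575 flow specification NLRI with a traffic-rate extended community as its action, plus a matcher that applies the same rule to packets, as an added example that is not code from the original post or from any vendor. The component types and operator bits are the RFC 5575 values; the AS number in the community and the sample packets are constructed.

```python
import ipaddress
import struct

# RFC 5575 component types used here
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
# Numeric operator byte: e(nd)=0x80 a(nd)=0x40 value-length field in 0x30, lt=0x04 gt=0x02 eq=0x01
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01
TCP = 6

def encode_prefix_component(ctype: int, prefix: str) -> bytes:
    """type, prefix length in bits, then only as many address octets as needed."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_numeric_component(ctype: int, ops) -> bytes:
    """ops: list of (operator_bits, value). The END bit is set on the last op here;
    the value width is 1 byte unless the value needs 2 (length field 01)."""
    out = bytearray([ctype])
    for i, (bits, value) in enumerate(ops):
        width = 1 if value <= 0xFF else 2
        if width == 2:
            bits |= 0x10
        if i == len(ops) - 1:
            bits |= END
        out.append(bits)
        out += value.to_bytes(width, "big")
    return bytes(out)

def encode_flowspec_nlri(components) -> bytes:
    """Length prefix: one byte below 240, otherwise two bytes with the high nibble all ones."""
    body = b"".join(components)          # components must already be in ascending type order
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate_community(asn: int, bytes_per_second: float) -> bytes:
    """traffic-rate extended community, type 0x8006: 2-byte AS, 4-byte IEEE float.
    A rate of 0 means discard; a positive rate means rate-limit."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)

def numeric_match(ops, actual: int) -> bool:
    """Evaluate an operator list left to right: an op with AND chains to the
    running result, otherwise the ops are OR-ed (RFC 5575 semantics)."""
    result = None
    for bits, value in ops:
        hit = bool((bits & LT and actual < value) or (bits & GT and actual > value)
                   or (bits & EQ and actual == value))
        if result is None:
            result = hit
        elif bits & AND:
            result = result and hit
        else:
            result = result or hit
    return bool(result)

def packet_matches(rule: dict, pkt: dict) -> bool:
    """rule maps component type -> prefix string or operator list; pkt has
    src, dst, proto, sport, dport. All components must match."""
    for ctype, spec in rule.items():
        if ctype in (DST_PREFIX, SRC_PREFIX):
            addr = pkt["dst"] if ctype == DST_PREFIX else pkt["src"]
            if ipaddress.IPv4Address(addr) not in ipaddress.IPv4Network(spec):
                return False
        elif ctype == PORT:                 # either port may satisfy a PORT component
            if not (numeric_match(spec, pkt["sport"]) or numeric_match(spec, pkt["dport"])):
                return False
        else:
            field = {IP_PROTO: "proto", DST_PORT: "dport", SRC_PORT: "sport"}[ctype]
            if not numeric_match(spec, pkt[field]):
                return False
    return True

def encode_rule(rule: dict) -> bytes:
    comps = []
    for ctype in sorted(rule):
        if ctype in (DST_PREFIX, SRC_PREFIX):
            comps.append(encode_prefix_component(ctype, rule[ctype]))
        else:
            comps.append(encode_numeric_component(ctype, rule[ctype]))
    return encode_flowspec_nlri(comps)

# The rule from the text: destination 192.168.0.0/24, protocol TCP, destination port >= 80 AND <= 90
RULE = {DST_PREFIX: "192.168.0.0/24", IP_PROTO: [(EQ, TCP)],
        DST_PORT: [(GT | EQ, 80), (AND | LT | EQ, 90)]}

if __name__ == "__main__":
    print(encode_rule(RULE).hex())                      # 0d0118c0a800038106050350c55a
    print(traffic_rate_community(65000, 0.0).hex())      # 8006fde800000000 (discard)
    pkt = {"src": "203.0.113.9", "dst": "192.168.0.7", "proto": 6, "sport": 40000, "dport": 85}
    print(packet_matches(RULE, pkt), packet_matches(RULE, dict(pkt, dport=443)))   # True False
```

The encoded NLRI is what a router receives and installs in its ASIC filters, while the extended community carries the verdict separately; the validation rule described in the text is applied before installation, by checking that the originator of this NLRI is also the originator of the best unicast route for 192.168.0.0/24.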

