VPNs, Firewalls, and Network Security Essentials
Virtual Private Networks (VPNs)
Motivation: Institutions often want private networks for security. However, maintaining separate routers, links, and DNS infrastructure can be costly. A VPN offers a solution by creating a secure tunnel over the public internet. With a VPN, an institution’s inter-office traffic is sent over the public internet but is:
- Encrypted before entering the public internet
- Logically separated from other traffic
Security Associations (SAs)
- Before sending data, a “security association (SA)” is established between the sending and receiving entities.
- SAs are simplex, meaning they are for one direction only.
- The sending and receiving entities maintain state information about the SA: a 32-bit Security Parameter Index (SPI) that identifies it, the source and destination endpoints, the encryption algorithm and its key, and the integrity-check algorithm and its key. *Note: IP itself is connectionless, and ordinarily it is the TCP endpoints that hold connection state; IPsec, by keeping this per-SA state at both ends, is effectively connection-oriented.*
Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy (WEP) is the security algorithm of the original IEEE 802.11 wireless standard, ratified in 1997. Its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP encrypts each frame with the RC4 stream cipher, keyed by the shared key concatenated with a 24-bit per-frame initialization vector (IV) that is sent in the clear, and protects integrity with a CRC-32 integrity check value (ICV). WEP’s design goals include:
- Symmetric key cryptography for confidentiality, host authentication, and data integrity.
- Self-synchronizing: each frame is encrypted separately. Given an encrypted frame and the key, one can decrypt it, and decryption continues even if the preceding frame was lost (unlike Cipher Block Chaining (CBC) mode of a block cipher, where decrypting a block needs the previous ciphertext block).
- Efficiency: implementable in hardware or software.
WEP met none of its security goals in practice: the 24-bit IV space guarantees keystream reuse on a busy network, CRC-32 is linear so ciphertext can be altered without the ICV detecting it, and RC4 key-recovery attacks recover the shared key from captured frames. It was deprecated by IEEE 802.11i in 2004 and should not be used; WPA2/WPA3 replaced it.
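The per-frame construction just described, as an added example that is not part of the original notes: a minimal WEP-40 encrypt/decrypt in Python (RC4 keystream over IV||key, CRC-32 ICV), showing the self-synchronizing property and the two weaknesses the design enables: keystream recovery from a repeated IV, and undetected bit-flipping via the linearity of CRC-32. The key, IVs, plaintexts and function names are constructed here for illustration, not taken from any standard or vendor code.

```python
import struct
import zlib

# Constructed sample key for illustration. WEP-40 uses a 40-bit (5-byte) shared key
# and a 24-bit (3-byte) per-frame IV that is transmitted in the clear.
KEY = b"\x0b\xad\xc0\xff\xee"


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (plaintext || ICV) XOR RC4(IV || key).
    Each frame gets its own keystream, which is what makes WEP self-synchronizing."""
    data = plaintext + _icv(plaintext)
    return iv + _xor(data, rc4_keystream(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok). Needs only this frame and the key, never an earlier frame."""
    iv, body = frame[:3], frame[3:]
    data = _xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, _icv(plaintext) == icv


def recover_from_iv_reuse(frame1: bytes, known_plaintext1: bytes, frame2: bytes) -> bytes:
    """Two frames with the same IV share a keystream, so C1 XOR C2 = P1 XOR P2.
    Knowing P1 (e.g. a predictable protocol header) therefore reveals P2 without the key."""
    assert frame1[:3] == frame2[:3], "attack needs a repeated IV"
    n = len(known_plaintext1)
    p1_xor_p2 = _xor(frame1[3:3 + n], frame2[3:3 + n])
    return _xor(p1_xor_p2, known_plaintext1)


def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    """Turn the frame's plaintext P into P XOR delta while keeping the ICV valid.
    CRC-32 is affine over GF(2): crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0), so the encrypted
    ICV can be patched with crc(D) ^ crc(0...0) without knowing P or the key."""
    iv, body = frame[:3], frame[3:]
    zeros = bytes(len(delta))
    icv_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(zeros))
    return iv + _xor(body, delta + icv_delta)


if __name__ == "__main__":
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(KEY, iv, b"known plaintext!")
    f2 = wep_encrypt(KEY, iv, b"secret password!")      # same IV: keystream reuse
    print(recover_from_iv_reuse(f1, b"known plaintext!", f2))
    req = wep_encrypt(KEY, b"\x00\x00\x02", b"GET / HTTP/1.0")
    delta = bytes(4) + bytes([ord("/") ^ ord("X")]) + bytes(9)
    print(wep_decrypt(KEY, flip_bits_undetected(req, delta)))
```

The `rc4_keystream` routine is checked against the published RC4 test vector (key "Key" yields keystream EB 9F 77 81 B7 ...). Note that neither attack function takes the key as a parameter: that is the point.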
Extensible Authentication Protocol (EAP)
- EAP is an end-to-end protocol between the client (the mobile station) and the authentication server; the access point (AP) only relays EAP messages and never sees the credentials in the clear.
- EAP is carried over two separate “links”:
- A) Mobile-to-AP: EAP over LAN (EAPOL, defined in IEEE 802.1X)
- B) AP to authentication server: RADIUS over UDP
Operational Security: Firewalls and IDS
Firewall: Isolates an organization’s internal network from the larger internet, allowing some packets to pass while blocking others.
Firewalls: Why They Are Necessary
- Prevent denial-of-service attacks, such as SYN flooding, where an attacker opens many bogus TCP connections, leaving no resources for “real” connections.
- Prevent unauthorized modification of, or access to, internal data. For example, an attacker replacing the CIA’s homepage with something else.
- Allow only authorized access to the inside network, such as a set of authenticated users or hosts.
Three Types of Firewalls
- Stateless packet filters
- Stateful packet filters
- Application gateways
Stateless Packet Filtering (Traditional)
In this setup, the internal network is connected to the internet via a router firewall. The router filters packets one by one, deciding to forward or drop them based on:
- Source IP address, destination IP address
- TCP/UDP source and destination port numbers
- ICMP message type
- TCP SYN and ACK bits
Example: Policy: No outside web access. Firewall setting: drop all outgoing TCP packets to any IP address with destination port 80 (and, for today’s HTTPS traffic, 443).
Example: Policy: Prevent your network from being tracerouted. Firewall setting: drop all outgoing ICMP “Time Exceeded” (TTL expired) messages, since traceroute maps each hop from those replies.
Access Control Lists (ACLs)
ACLs are tables of rules applied top to bottom to each packet; the first matching rule decides. They consist of (action, condition) pairs, where the condition is a combination of the header fields listed above.
Stateless packet filters are heavy-handed tools that may admit packets that “make no sense,” such as a packet with a destination port of 80 and the ACK bit set even though no TCP connection has been established: the rule that lets legitimate return traffic in has to match on the ACK bit alone, because the filter has no memory of which connections exist.
Stateful Packet Filtering
Stateful packet filters keep a connection table in addition to the ACL and track the status of every TCP connection:
- They track connection setup (SYN) and teardown (FIN) to determine whether incoming or outgoing packets “make sense,” admitting an inbound packet only if it belongs to a connection an inside host initiated.
- They time out inactive connections at the firewall, so stale entries cannot be exploited later.
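The ACL evaluation and the stateful connection table described in the two sections above, as one added example that is not part of the original notes. It evaluates a small (action, condition) table top to bottom, shows the stateless filter admitting an inbound ACK-flagged packet for which no connection exists, and then wraps the same ACL in a connection table keyed on outbound SYNs, with FIN teardown and an idle timeout. The internal network 222.22.0.0/16, the external addresses, the rule set and all names are assumptions made here for illustration; real firewalls also track both FIN directions and UDP/ICMP pseudo-connections, which this model simplifies.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("222.22.0.0/16")  # assumed internal address range


@dataclass(frozen=True)
class Packet:
    direction: str               # "out" = leaving the internal net, "in" = arriving from the internet
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}


def _port_ok(cond, port):
    """Port condition: None (any), an exact int, or an inclusive (lo, hi) range."""
    if cond is None:
        return True
    if isinstance(cond, int):
        return port == cond
    lo, hi = cond
    return lo <= port <= hi


def _net_ok(cond, ip):
    return cond is None or ipaddress.ip_address(ip) in cond


ANY = (1024, 65535)   # "high" ephemeral ports used by clients

# (action, condition) rows, evaluated top to bottom; the first match wins.
# Constructed rule set: allow inside hosts to browse the web and resolve DNS, nothing else.
ACL = [
    ("allow", dict(direction="out", proto="tcp", src=INTERNAL_NET, dst=None, sport=ANY, dport=80, flags=None)),
    ("allow", dict(direction="in", proto="tcp", src=None, dst=INTERNAL_NET, sport=80, dport=ANY, flags={"ACK"})),
    ("allow", dict(direction="out", proto="udp", src=INTERNAL_NET, dst=None, sport=ANY, dport=53, flags=None)),
    ("allow", dict(direction="in", proto="udp", src=None, dst=INTERNAL_NET, sport=53, dport=ANY, flags=None)),
    ("deny", dict(direction=None, proto=None, src=None, dst=None, sport=None, dport=None, flags=None)),
]


def matches(cond, pkt):
    return ((cond["direction"] is None or cond["direction"] == pkt.direction)
            and (cond["proto"] is None or cond["proto"] == pkt.proto)
            and _net_ok(cond["src"], pkt.src) and _net_ok(cond["dst"], pkt.dst)
            and _port_ok(cond["sport"], pkt.sport) and _port_ok(cond["dport"], pkt.dport)
            and (cond["flags"] is None or set(cond["flags"]) <= pkt.flags))


def stateless_filter(pkt):
    """Per-packet decision from header fields alone; no memory between packets."""
    for action, cond in ACL:
        if matches(cond, pkt):
            return action
    return "deny"   # implicit default if no row matched


class StatefulFilter:
    """The same ACL plus a connection table: inbound TCP is admitted only if an inside
    host opened the connection (its SYN was seen going out) and it has not timed out."""

    def __init__(self, idle_timeout=60.0):
        self.table = {}   # (inside ip, inside port, outside ip, outside port) -> last seen time
        self.idle_timeout = idle_timeout

    def _key(self, pkt):
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt, now):
        # Expire idle connections before consulting the table.
        for key, seen in list(self.table.items()):
            if now - seen > self.idle_timeout:
                del self.table[key]
        if stateless_filter(pkt) == "deny":
            return "deny"
        if pkt.proto != "tcp":
            return "allow"
        key = self._key(pkt)
        if pkt.direction == "out" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table[key] = now        # connection setup initiated from inside
            return "allow"
        if key not in self.table:
            return "deny"                # ACK for a connection that was never opened
        self.table[key] = now
        if "FIN" in pkt.flags:
            del self.table[key]          # simplified teardown: first FIN closes the entry
        return "allow"
```

The packet that embarrasses the stateless filter is an inbound TCP segment from source port 80 with only the ACK bit set: row two of the ACL must allow it, because that is exactly what a legitimate web reply looks like. The stateful wrapper denies it until it has seen the matching outbound SYN, and denies it again once the entry has idled out.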