VPNs, Security Associations, WEP, EAP, and Firewalls

Virtual Private Networks (VPNs)

Motivation: Institutions often want private networks for security. This traditionally involved costly separate routers, links, and DNS infrastructure. A VPN provides a solution where an institution’s inter-office traffic is sent over the public Internet but is made secure.

  • Traffic is encrypted before entering the public Internet.
  • The encrypted traffic is carried through a tunnel across the public Internet, so it is logically separate from other traffic even though it shares the same links; the privacy comes from the encryption and integrity protection, not from the tunnel itself.

Security Associations (SAs)

  1. Before sending data, a Security Association (SA) is established between the sending and receiving entities.
  2. SAs are simplex, meaning they operate in one direction only; a bidirectional channel therefore needs two SAs, one per direction.
  3. Both the sending and receiving entities maintain state information about the SA.
    • Note: This is similar to how TCP endpoints maintain state information. Although IP is connectionless, IPsec is connection-oriented.

WEP (Wired Equivalent Privacy)

Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP has long been broken in practice and was deprecated in 2004 when IEEE 802.11i replaced it; its design goals are still worth studying because they show what a link-layer cipher has to provide.

Design Goals:

  1. Symmetric key cryptography for confidentiality, end-host authorization, and data integrity.
  2. Self-synchronizing: Each packet is encrypted separately, with its own initialization vector carried in the packet. Given an encrypted packet and the key, it can be decrypted on its own, so decryption continues even if preceding packets are lost (unlike Cipher Block Chaining (CBC) mode of a block cipher, where decrypting a block depends on the previous ciphertext block).
  3. Efficiency: It can be implemented in hardware or software.
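To make the self-synchronizing goal concrete, here is an added Python illustration of per-packet WEP-style encryption; it is not code from these notes or from any 802.11 implementation. It follows WEP's actual construction (RC4 keyed by a 3-byte IV concatenated with the shared key, a CRC-32 integrity check value appended before encryption, the IV sent in the clear), but the key, messages and frame-counter IVs are constructed for the example. The last function goes beyond the notes to show the cost of that construction: two frames sent under the same IV share a keystream.

```python
"""Per-packet WEP-style encryption (illustrative code added to these notes, not taken
from them or from any 802.11 implementation). Each frame's RC4 keystream is keyed by
IV || shared_key; the 24-bit IV travels in the clear, and a CRC-32 ICV is appended to
the payload before encryption."""
import struct
import zlib
from typing import List, Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus n bytes of keystream (the stream cipher WEP uses)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (RC4(IV || key) XOR (plaintext || CRC-32 ICV))."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    body = plaintext + icv
    return iv + _xor(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt one frame on its own; returns None if the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    body = _xor(ct, rc4_keystream(iv + shared_key, len(ct)))
    plaintext, icv = body[:-4], body[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(plaintext) & 0xFFFFFFFF):
        return None
    return plaintext


def decrypt_with_losses(shared_key: bytes, messages: List[bytes], lost: set) -> List[Optional[bytes]]:
    """Encrypt each message as its own frame (IV = frame counter, a constructed choice),
    drop the frames whose index is in `lost`, and decrypt whatever arrives. Because every
    frame carries its own IV, the survivors decrypt correctly regardless of what was lost
    (unlike CBC, where decrypting block i needs ciphertext block i-1)."""
    frames = [wep_encrypt(shared_key, i.to_bytes(3, "big"), m) for i, m in enumerate(messages)]
    return [wep_decrypt(shared_key, f) for i, f in enumerate(frames) if i not in lost]


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """The flip side of per-packet RC4: two frames sent under the same IV (and key) use
    the same keystream, so XORing their ciphertexts yields plaintext_a XOR plaintext_b
    without the key. A 24-bit IV space is small enough that repeats occur in practice."""
    assert frame_a[:3] == frame_b[:3], "only meaningful for a repeated IV"
    return _xor(frame_a[3:], frame_b[3:])
```

Run decrypt_with_losses with a few messages and a set of "lost" indices: every surviving frame decrypts on its own, which is exactly what self-synchronizing means. The CRC-32 ICV catches a flipped ciphertext bit in this demo, but CRC-32 is linear, not a MAC; it gives error detection, not integrity against an attacker.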

EAP (Extensible Authentication Protocol)

  1. EAP is an end-to-end protocol between a client (e.g., a mobile device) and an authentication server; the access point relays EAP messages between the two without having to understand the authentication method in use.
  2. EAP is sent over separate “links”:
    1. Mobile device to Access Point (AP): EAP over LAN (EAPoL, defined by IEEE 802.1X).
    2. AP to authentication server: EAP carried in RADIUS over UDP.

Operational Security: Firewalls and IDS

Firewall: A firewall isolates an organization’s internal network from the larger Internet, allowing some packets to pass while blocking others.

Why Firewalls?

  1. Prevent denial-of-service attacks, such as SYN flooding, where an attacker sends many TCP SYN segments without ever completing the handshake, leaving half-open connections that exhaust the server’s resources so legitimate connections cannot be accepted.
  2. Prevent illegal modification or access of internal data. For example, an attacker replacing a company’s homepage.
  3. Allow only authorized access to the inside network, restricting access to a set of authenticated users or hosts.

Three Types of Firewalls

  1. Stateless packet filters
  2. Stateful packet filters
  3. Application gateways

Stateless Packet Filtering (Traditional)

The internal network is connected to the Internet via a router firewall. The router filters packets individually, deciding to forward or drop them based on:

  • Source IP address, destination IP address
  • TCP/UDP source and destination port numbers
  • ICMP message type
  • TCP SYN and ACK bits

Example Policy: No outside Web access.
Firewall Setting: Drop all outgoing TCP packets to any IP address with destination port 80.

Example Policy: Prevent your network from being tracerouted.
Firewall Setting: Drop all outgoing ICMP “TTL expired” (Time Exceeded) messages, since traceroute relies on each router along the path returning one.

Access Control Lists (ACLs)

ACLs are tables of rules, applied top to bottom to each packet. They consist of (action, condition) pairs; the first rule whose condition matches determines the action taken, so rule order matters.

Stateless packet filters are a heavy-handed tool. Because each packet is judged on its own header fields, they can admit packets that “make no sense,” such as a packet with a destination port of 80 and the ACK bit set arriving even though no TCP connection has been established; the filter has no way to know that.

Stateful Packet Filters

Stateful packet filters track the status of every TCP connection in a connection table.

  • They track connection setup (SYN) and teardown (FIN) to determine whether incoming and outgoing packets “make sense” given the connections that actually exist.
  • They time out inactive connections at the firewall, so the table does not grow without bound and stale entries are removed.
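The following Python simulation, added here and not taken from the notes, implements the two example policies above as a stateless ACL (first match wins), then wraps the same ACL in a stateful filter that tracks SYN setup, FIN teardown and idle timeouts. The internal prefix 10.0.0.0/8, the addresses and the traffic are all constructed. The “makes no sense” packet is shown in the reply direction (source port 80, ACK set, no connection behind it): the stateless ACL admits it, the stateful filter drops it.

```python
"""Stateless ACL filtering versus stateful connection tracking: an added simulation for these
notes, not code from them or from any real firewall. 10.0.0.0/8 is assumed to be the inside."""
from dataclasses import dataclass

INSIDE_PREFIX = "10."    # assumed internal address range
ICMP_TIME_EXCEEDED = 11  # sent by routers when TTL reaches 0; traceroute depends on it

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    fin: bool = False
    icmp_type: int = -1

def outgoing(p):
    return p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)

def incoming(p):
    return p.dst.startswith(INSIDE_PREFIX) and not p.src.startswith(INSIDE_PREFIX)

def apply_acl(acl, p):
    """Stateless filtering: rules are (action, condition) pairs, first match wins."""
    for action, cond in acl:
        if cond(p):
            return action
    return "drop"        # implicit default deny

# The two policies from the notes: no outside Web access, no traceroute replies.
NO_WEB_ACL = [
    ("drop", lambda p: outgoing(p) and p.proto == "tcp" and p.dport == 80),
    ("drop", lambda p: outgoing(p) and p.proto == "icmp" and p.icmp_type == ICMP_TIME_EXCEEDED),
    ("allow", lambda p: True),
]
# "Let insiders browse": outbound port-80 connections and their replies (sport 80, ACK set) pass.
WEB_ACL = [
    ("allow", lambda p: outgoing(p) and p.proto == "tcp" and p.dport == 80),
    ("allow", lambda p: incoming(p) and p.proto == "tcp" and p.sport == 80 and p.ack),
    ("drop", lambda p: True),
]

class StatefulFilter:
    """Same ACL plus a table of TCP connections set up from inside and not yet torn down."""
    def __init__(self, acl, idle_timeout):
        self.acl, self.idle_timeout = acl, idle_timeout
        self.conns = {}  # (in_ip, in_port, out_ip, out_port) -> {"last": t, "fins": set()}

    @staticmethod
    def _key(p):         # both directions of one connection map to the same key
        return (p.src, p.sport, p.dst, p.dport) if outgoing(p) else (p.dst, p.dport, p.src, p.sport)

    def filter(self, p, now):
        for k in [k for k, c in self.conns.items() if now - c["last"] > self.idle_timeout]:
            del self.conns[k]            # time out idle connections
        if apply_acl(self.acl, p) == "drop":
            return "drop"
        if p.proto != "tcp":
            return "allow"
        k = self._key(p)
        if p.syn and not p.ack:          # connection setup: only from inside under this policy
            if not outgoing(p):
                return "drop"
            self.conns[k] = {"last": now, "fins": set()}
            return "allow"
        conn = self.conns.get(k)
        if conn is None:
            return "drop"                # ACK/FIN/data with no connection behind it: "makes no sense"
        conn["last"] = now
        if p.fin:
            conn["fins"].add("out" if outgoing(p) else "in")
            if len(conn["fins"]) == 2:   # both sides have sent FIN: teardown complete
                del self.conns[k]
        return "allow"

def demo():
    """Constructed traffic: a Web fetch with teardown, a bogus reply, and an idle timeout."""
    fw = StatefulFilter(WEB_ACL, idle_timeout=60.0)
    syn = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, syn=True)
    synack = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, syn=True, ack=True)
    fin_out = Packet("10.0.0.5", "203.0.113.7", "tcp", 40000, 80, ack=True, fin=True)
    fin_in = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40000, ack=True, fin=True)
    bogus = Packet("198.51.100.9", "10.0.0.5", "tcp", 80, 40001, ack=True)
    syn2 = Packet("10.0.0.5", "203.0.113.7", "tcp", 40002, 80, syn=True)
    data2 = Packet("203.0.113.7", "10.0.0.5", "tcp", 80, 40002, ack=True)
    ttl_ex = Packet("10.0.0.1", "198.51.100.9", "icmp", icmp_type=ICMP_TIME_EXCEEDED)
    r = {"no_web_blocks_http": apply_acl(NO_WEB_ACL, syn),
         "no_web_blocks_traceroute": apply_acl(NO_WEB_ACL, ttl_ex),
         "stateless_bogus_ack": apply_acl(WEB_ACL, bogus),  # admitted: sport 80 + ACK matches a rule
         "stateful_bogus_ack": fw.filter(bogus, 0.0),       # dropped: no connection behind it
         "syn": fw.filter(syn, 1.0), "synack": fw.filter(synack, 1.1),
         "fin_out": fw.filter(fin_out, 1.2), "fin_in": fw.filter(fin_in, 1.3)}
    r["open_after_teardown"] = len(fw.conns)
    r["syn2"] = fw.filter(syn2, 10.0)
    r["data_after_idle"] = fw.filter(data2, 100.0)         # dropped: idle > 60 s, state expired
    return r
```

Note what the stateful filter still cannot do: it reasons about TCP header fields and a connection table, not about what is carried inside an allowed connection; inspecting that is the job of the application gateway listed as the third firewall type.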