(b) You have been employed as a network administrator in an organization. If you have to send your organization's data across the internet (where there may be untrusted network nodes), what kind of encryption will you use? Further, attackers sometimes exploit a special feature of the transport layer (segmentation and reassembly) to launch an attack. What attack is this?
(c) Of the various firewall types available for use in a business network, which type collects network connection information, maintains dynamic state tables used for subsequent connections, and enables ports to be opened and closed as needed? Explain. Further, why is it so difficult to stop DDoS attacks by blocking the attacking IP addresses?
QUE: If you have to send the data of your organization through the internet (there might be very untrusted network nodes), what kind of encryption will you use?
ANS: Use end-to-end encryption, so that the data is encrypted before it leaves the organization and decrypted only at the intended receiver; the untrusted nodes in between only forward ciphertext that they can neither read nor silently alter. In practice that means sending the data over a protected channel such as TLS (HTTPS, FTPS, WebDAVS), SSH (SFTP) or an IPsec VPN, all of which encrypt the bulk data with a symmetric cipher, normally AES, and use public-key cryptography to set up the AES key.
AES (Advanced Encryption Standard) is a cipher, i.e., a method for encrypting and decrypting information. Whenever you transmit files over secure file transfer protocols such as HTTPS, FTPS, SFTP, WebDAVS, OFTP or AS2, there is a good chance your data is encrypted by some flavor of AES, with a 256-, 192- or 128-bit key.
How does AES work? AES belongs to the family of ciphers known as block ciphers. A block cipher encrypts data one fixed-size block at a time, with the block size measured in bits. AES has a block size of 128 bits: it takes 128 bits of plaintext and produces 128 bits of ciphertext. Longer messages are handled by a mode of operation (CBC, CTR, GCM and others) that applies the block cipher repeatedly. The mode also decides whether the ciphertext is integrity-protected, which matters on an untrusted network: with an authenticated mode such as GCM, a relay node that modifies the ciphertext is detected, whereas with plain CBC or CTR the modification may go unnoticed.
Like almost all modern ciphers, AES requires a key for both encryption and decryption. AES supports three key lengths: 128, 192 and 256 bits. A longer key gives a larger keyspace and therefore more margin against brute-force search, so AES-256 is the strongest and AES-128 the weakest of the three, although all three are considered secure today.
In terms of performance, AES-128 uses fewer rounds (10, against 12 for AES-192 and 14 for AES-256), so it is somewhat faster than AES-256.
The same key is used for AES encryption and decryption; a cipher with this property is called symmetric. Because the receiver must hold the same key, the hard part is getting that key to the receiver without the untrusted nodes learning it, and that is where asymmetric (public-key) encryption comes in.
How is the AES encryption algorithm used in secure file transfers?
As mentioned earlier, AES is implemented in secure file transfer protocols like FTPS, HTTPS, SFTP, AS2, WebDAVS and OFTP. But what exactly is its role?
Because symmetric and asymmetric encryption algorithms each have their own strengths, modern secure file transfer protocols use a combination of the two. Asymmetric ciphers, a.k.a. public-key encryption algorithms, are good for key distribution, because the encryption key can be published while only the receiver holds the decryption key; they are therefore used to establish (or directly encrypt) the session key that the symmetric cipher will use.
Symmetric ciphers like AES, on the other hand, are better suited to encrypting the actual data (and commands), because they need far fewer resources and are orders of magnitude faster than asymmetric ciphers on bulk data.
A typical secure file transfer protected by SSL/TLS (e.g. HTTPS, FTPS, WebDAVS) or SSH (e.g. SFTP) therefore runs in three steps:
1. Handshake: the server (and optionally the client) authenticates itself with its certificate or host key, so the client knows whose public key it is about to use.
2. Key exchange: the two sides agree on a session key, with the public-key cipher protecting the exchange so that an eavesdropping node cannot learn it.
3. Data transfer: files and commands are encrypted with AES under the session key. AES operates in this step.
QUE: Sometimes attackers exploit a special feature of the transport layer (segmentation and reassembly) to launch an attack. What attack is this?
ANS:
TCP SYN flood attack
The transport layer (TCP) establishes every connection with a three-way handshake, and the server has to keep per-connection state from the first message on. The exchange looks like this:
1. The client sends a SYN segment, carrying its initial sequence number, to the server's port.
2. The server replies with SYN-ACK (acknowledging the client's number and sending its own) and records the half-open connection in its backlog.
3. The client sends ACK, and the connection is established.
In a SYN flood attack, the attacker sends SYN segments at a high rate to one or more open ports on the targeted server, usually with spoofed source IP addresses. The server, unable to distinguish them from legitimate requests, answers each with a SYN-ACK and allocates a half-open connection entry for it.
The malicious client either does not send the expected ACK or, because the source address is spoofed, never receives the SYN-ACK in the first place. Either way, the server under attack waits for the acknowledgement of its SYN-ACK for some time (tens of seconds) before giving the entry up. Because the backlog of half-open connections is finite, it fills long before that timeout expires, and further SYNs, including those from legitimate clients, are dropped: the service is denied without the attacker ever completing a single connection. Defenses include shorter SYN timeouts, larger backlogs and, most effectively, SYN cookies, which encode the server's state in the SYN-ACK sequence number so nothing has to be stored until the final ACK arrives.
Strictly speaking, a SYN flood abuses connection establishment rather than segmentation and reassembly. Attacks that target the reassembly mechanism itself send overlapping, oversized or never-completed fragments so that the receiver's reassembly buffers are exhausted or mishandled; the classic Teardrop attack, which used overlapping fragment offsets, is the usual example.
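The model below is an added example, written for this page and not a real TCP stack, that shows why the attack works and how SYN cookies remove the state the attacker is exhausting. A toy listener with a four-entry backlog is hit by 50 constructed SYNs from spoofed 203.0.113.x sources that never ACK; a legitimate client from 198.51.100.7 then tries a full handshake. In cookie mode the SYN-ACK's sequence number is an HMAC over the peer address and a one-minute window (the secret and window scheme are this example's own simplification), so the listener stores nothing and can still verify the returning ACK.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Peer is the remote end of a connection as the server sees it.
type Peer struct {
	IP   string
	Port uint16
}

type halfOpen struct {
	isn uint32  // sequence number we sent in the SYN-ACK
	at  float64 // when the SYN arrived (seconds)
}

const synTimeout = 30.0 // seconds a half-open entry waits for its ACK

// Listener is a toy model of a listening socket's SYN backlog, not a TCP
// stack: just enough state to show why unanswered SYN-ACKs exhaust it.
type Listener struct {
	Backlog     int
	SynCookies  bool
	Established int
	DroppedSYN  int
	secret      []byte
	table       map[Peer]halfOpen
	lastISN     uint32
}

func NewListener(backlog int, synCookies bool) *Listener {
	return &Listener{Backlog: backlog, SynCookies: synCookies,
		secret: []byte("demo-secret"), table: map[Peer]halfOpen{}}
}

// cookie derives the ISN from the peer and a one-minute window, so the final
// ACK can be verified by recomputation instead of by a stored table entry.
func (l *Listener) cookie(p Peer, window int64) uint32 {
	mac := hmac.New(sha256.New, l.secret)
	fmt.Fprintf(mac, "%s:%d:%d", p.IP, p.Port, window)
	return binary.BigEndian.Uint32(mac.Sum(nil)[:4])
}

// OnSYN returns the ISN carried in the SYN-ACK and whether the SYN was accepted.
func (l *Listener) OnSYN(p Peer, now float64) (uint32, bool) {
	if l.SynCookies {
		return l.cookie(p, int64(now)/60), true // no state allocated
	}
	for q, e := range l.table { // expire entries whose ACK never came
		if now-e.at > synTimeout {
			delete(l.table, q)
		}
	}
	if len(l.table) >= l.Backlog {
		l.DroppedSYN++
		return 0, false // backlog full: the SYN is silently dropped
	}
	l.lastISN += 64000
	l.table[p] = halfOpen{isn: l.lastISN, at: now}
	return l.lastISN, true
}

// OnACK handles the handshake's final ACK; ack is the ISN being acknowledged.
func (l *Listener) OnACK(p Peer, ack uint32, now float64) bool {
	if l.SynCookies {
		w := int64(now) / 60 // accept the current and the previous window
		if ack == l.cookie(p, w) || ack == l.cookie(p, w-1) {
			l.Established++
			return true
		}
		return false
	}
	e, ok := l.table[p]
	if !ok || e.isn != ack {
		return false
	}
	delete(l.table, p)
	l.Established++
	return true
}

// Simulate sends 50 spoofed SYNs that are never acknowledged, then lets one
// legitimate client try a full handshake. It reports whether that client got
// through, how many half-open entries remain and how many SYNs were dropped.
func Simulate(synCookies bool) (legitConnected bool, halfOpenCount, dropped int) {
	l := NewListener(4, synCookies) // tiny backlog so the effect is visible
	t := 1000.0
	for i := 0; i < 50; i++ { // constructed attack traffic from spoofed sources
		l.OnSYN(Peer{fmt.Sprintf("203.0.113.%d", i), uint16(40000 + i)}, t)
	}
	client := Peer{"198.51.100.7", 51234}
	isn, ok := l.OnSYN(client, t+1)
	legitConnected = ok && l.OnACK(client, isn, t+1.1)
	return legitConnected, len(l.table), l.DroppedSYN
}

func main() {
	for _, sc := range []bool{false, true} {
		ok, ho, dr := Simulate(sc)
		fmt.Printf("syn_cookies=%-5v legit_connected=%-5v half_open=%d dropped_syns=%d\n",
			sc, ok, ho, dr)
	}
}
```

Without cookies the first four spoofed SYNs take every backlog slot and the legitimate client's SYN is one of the 47 that get dropped; with cookies nothing is stored, nothing is dropped, and the legitimate handshake completes while the spoofed SYN-ACKs simply go unanswered.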
QUE: which type collects network connection information and maintains dynamic state tables used for subsequent connections and which enables ports to be opened and closed as needed?
ANS:
The firewall type described is the stateful (stateful inspection) firewall. A stateful firewall monitors the full state of active network connections rather than judging each packet in isolation: when a connection is opened it records it (source and destination addresses and ports, protocol, and the TCP state seen so far) in a dynamic state table, and every subsequent packet is allowed only if it matches an entry in that table.
This is what lets ports be opened and closed as needed. A stateless packet filter (think ACLs), the method that preceded it, has to leave the whole range of high ports permanently open inbound if replies to outbound connections are to get through, because it cannot tell a reply from an unsolicited packet. A stateful firewall instead opens the return path only for the specific connection that was initiated from inside, and removes the entry (closing the port again) when it sees the connection torn down with FIN or RST, or when the entry times out. Unsolicited inbound packets that match no entry are dropped. The result is a deeper inspection than packet filtering, better network usability, and easier configuration, since the administrator writes rules about which connections may be started rather than about every packet in every direction.
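As an added example (not taken from any firewall product), the program below implements the state table just described and runs it, alongside a stateless ACL, over a constructed seven-packet trace: an inside host 10.0.0.5 opens a connection to 93.184.216.34:443, the reply comes back, an outside host 203.0.113.9 probes the same high port and SSH, and the connection is closed. The addresses, the `published` port list and the two-state (`SYN_SENT`/`ESTABLISHED`) model are simplifications chosen for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is the subset of a TCP/IP header that a filter looks at.
type Packet struct {
	SrcIP   string
	SrcPort uint16
	DstIP   string
	DstPort uint16
	Flags   string // letters from "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)
	Inbound bool   // true when the packet arrives from the internet side
}

// flow identifies a connection from the inside host's point of view, so that
// an outbound SYN and the inbound reply map to the same state-table entry.
type flow struct {
	inIP    string
	inPort  uint16
	outIP   string
	outPort uint16
}

func flowOf(p Packet) flow {
	if p.Inbound {
		return flow{p.DstIP, p.DstPort, p.SrcIP, p.SrcPort}
	}
	return flow{p.SrcIP, p.SrcPort, p.DstIP, p.DstPort}
}

// StatefulFilter keeps a dynamic state table: an entry is created when a
// connection is opened, later packets are allowed because they match it, and
// the entry (and with it the "open port") disappears on FIN/RST.
type StatefulFilter struct {
	published map[uint16]bool // inbound ports allowed to start a connection
	state     map[flow]string // "SYN_SENT" or "ESTABLISHED"
}

func NewStatefulFilter(publishedPorts ...uint16) *StatefulFilter {
	f := &StatefulFilter{published: map[uint16]bool{}, state: map[flow]string{}}
	for _, p := range publishedPorts {
		f.published[p] = true
	}
	return f
}

func (f *StatefulFilter) Decide(p Packet) (allow bool, reason string) {
	k := flowOf(p)
	st, known := f.state[k]
	synOnly := p.Flags == "S"
	switch {
	case known && strings.ContainsAny(p.Flags, "FR"):
		delete(f.state, k) // connection closing: the port closes with it
		return true, "close, entry removed"
	case known:
		if st == "SYN_SENT" {
			f.state[k] = "ESTABLISHED"
		}
		return true, "matches state table"
	case synOnly && !p.Inbound:
		f.state[k] = "SYN_SENT"
		return true, "outbound connection, entry created"
	case synOnly && p.Inbound && f.published[p.DstPort]:
		f.state[k] = "SYN_SENT"
		return true, "inbound to published service, entry created"
	default:
		return false, "no matching state, dropped"
	}
}

// StatelessACL is the packet-filter alternative: to let replies to outbound
// connections in at all, it has to leave every high port open inbound.
func StatelessACL(p Packet) bool {
	return !p.Inbound || p.DstPort > 1023
}

// Scenario is a constructed trace (documentation address ranges throughout).
func Scenario() []Packet {
	return []Packet{
		{"10.0.0.5", 51234, "93.184.216.34", 443, "S", false},
		{"93.184.216.34", 443, "10.0.0.5", 51234, "SA", true},
		{"10.0.0.5", 51234, "93.184.216.34", 443, "A", false},
		{"203.0.113.9", 443, "10.0.0.5", 51234, "S", true}, // unsolicited probe
		{"203.0.113.9", 40000, "10.0.0.5", 22, "S", true},  // SSH is not published
		{"10.0.0.5", 51234, "93.184.216.34", 443, "FA", false},
		{"93.184.216.34", 443, "10.0.0.5", 51234, "A", true}, // arrives after close
	}
}

func RunStateful(pkts []Packet) []bool {
	f := NewStatefulFilter(443) // only the web server may receive new inbound connections
	out := make([]bool, len(pkts))
	for i, p := range pkts {
		out[i], _ = f.Decide(p)
	}
	return out
}

func RunStateless(pkts []Packet) []bool {
	out := make([]bool, len(pkts))
	for i, p := range pkts {
		out[i] = StatelessACL(p)
	}
	return out
}

func main() {
	pkts := Scenario()
	sf, sl := RunStateful(pkts), RunStateless(pkts)
	for i, p := range pkts {
		fmt.Printf("%-14s:%-5d -> %-14s:%-5d %-2s stateful=%-5v stateless=%v\n",
			p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.Flags, sf[i], sl[i])
	}
}
```

The two verdicts differ exactly on the unsolicited packets: the stateless ACL must admit the probe to port 51234 and the stray ACK after the close because both land on a high port, while the stateful filter drops them because no table entry exists (any longer) for that flow.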
QUE: why is it so difficult to stop DDoS attacks by blocking the attacking IP addresses?
ANS:
A distributed denial of service attack floods the victim with requests from a large number of machines at once, typically a botnet of compromised hosts controlled by a single attacker. Blocking by source IP address fails for several reasons. First, the traffic comes from thousands of addresses rather than one, and the attacker can add new bots or rotate addresses faster than a block list can be maintained. Second, in many floods (SYN floods in particular) the source addresses are spoofed, so the addresses in the packets are not the attacking machines at all, and blocking them may shut out innocent networks or, behind a NAT, many legitimate users who share one address. Third, the individual requests look like legitimate ones: the server cannot tell an attack packet from a normal client packet, so there is no reliable signature to block on. Finally, the damage is done by volume: even if the firewall drops every attack packet, the packets have already crossed and saturated the victim's upstream link, so a filter at the victim cannot restore service. In the past, operators relied on router filtering and over-provisioning bandwidth (buying more capacity than day-to-day traffic needs) to absorb attacks, but attack sizes have grown faster than those defenses, and an edge firewall built to inspect connections is itself a device the flood can overwhelm. Effective mitigation therefore has to happen upstream, at the provider or a scrubbing service with far more capacity, and, as Cisco's security guidance notes, depends on continuously monitoring traffic so that bad traffic can be separated from legitimate traffic when an attack starts.