190066 - Tatenda D. Gondwe - Adv. Networking Assignment
Tatenda D. Gondwe – 190066
Advanced Networking Assignment
Question 1
Using relevant examples describe how the AAA model can ensure security at any
organisation of your choice
The AAA stands for Authentication, Authorisation, Accounting. The AAA model is a standards-based paradigm for controlling who is allowed to use network resources (by authentication),
what they are allowed to do (by authorisation), and recording actions taken while on the
network (by accounting). GeeksforGeeks (2021) defines Authentication as the process of
verifying if a user attempting to access network resources is valid or not by requesting
credentials such as a username and password. GeeksforGeeks (2021) states that after a user has
gained access to network resources through authentication, authorisation provides the ability
to enforce policies on those resources and once the authentication process is successful,
authorisation can be used to decide what resources the user is permitted to access and what
operations they are permitted to do. In terms of Accounting, it facilitates for the tracking and
recording of events that occur while a user is accessing network resources and it even keeps
track of how long the user has been connected to the network.
Authentication is the first step in the AAA model. Alepo Technologies (2021) states that when
using multimodal authentication methods, authentication acts as the first line of defence in
protecting network resources from fraud and identity theft. When someone attempts to access
the network, the Authentication function determines whether or not they are authorised to do
so, as well as verifying that the user is who they claim to be. It achieves this by verifying that
the user provides valid credentials, such as a username, password, biometrics or any other
security measures that the operator has established. Access is granted if the user's credentials
are valid. Those who use faked or incorrect credentials are denied entry. Verified users' network
usage is tracked and logged for future reference. In Authentication, these credentials are stored
in databases and network and system administrators are continuously updating and monitoring
these databases. At Africa University, usernames and passwords are used essentially
everywhere. This type of authentication is used by students and staff members when they want
to gain access into the Africa University Virtual Classroom, the school Gmail accounts, the
Student and Staff Portals and connecting to the school WiFi.
Mylonas (2018) defines Authorisation as the process of enforcing policies, such as identifying
the quality of activities, resources, or services that a user is entitled to use. Authorisation is
typically done alongside authentication; once a person has been authenticated, the AAA
security authorisation compiles a list of attributes that explain what he/she is permitted to do.
Mylonas (2018) states that authorisation levels are issued to users, establishing their access to
a network and its resources. A user may, for example, be able to type commands but only be
able to execute particular ones. He also states that this could be due to geographical constraints,
date or time-of-day limits, login frequency, or repeated logins by a single user. Route
assignments, IP address filtering, and encryption are some of other types of Authorisation.
Even if an administrator has privileged access, they may be prohibited from performing certain
tasks. Passwords are saved with no decryption step in more secure application architectures
and these passwords can be changed but never recovered using these secure applications. At
Africa University, once a student or staff member has been authenticated on the network, they
are authorised to access anything on that network, such as the AU Online Library. Students or Staff
Members are not authorised or permitted to access any websites or any other applications that
are not school related while they are connected to the Africa University network. If they
attempt to access the websites, the network firewall will block them from accessing them. This
has been done to protect the Africa University network from viruses, trojans, cyberattacks,
worms and other malicious software.
In Accounting, SearchSecurity (2010) states that this is the last component in the AAA
framework, and it measures the resources a user consumes during access. This can involve
system time or the volume of data sent and/or received by a user during a session.
SearchSecurity (2010) also states that accounting encompasses logging session statistics and
usage data, which is needed for authorisation control, invoicing, trend analysis, resource
utilisation, and capacity planning. Mylonas (2018) states that Accounting enables
administrators to log in and see what actions were taken, by whom and when. At Africa
University, the systems administrator monitors the students’ network usage and the network
firewall alerts the systems administrator about any odd internet activity such as downloading
torrents, accessing inappropriate websites etc. by students. The systems administrator will alert
those students via e-mail warning them about their usage and that e-mail will also include the
amount of data used on the network by the students.
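The usage-monitoring step described above, as an added example that is not part of the original assignment: it aggregates constructed RADIUS-style accounting records (attribute names follow the usual Acct-* names, the key=value layout and the usernames are assumptions) per user, skips interim updates so sessions are not double-counted, and produces the warning text an administrator would send to users over a quota.

```python
"""Aggregate per-user network usage from RADIUS-style accounting records
and flag users who exceed a data quota (constructed example)."""
from collections import defaultdict

# Constructed sample: one accounting record per line, attributes written as
# comma-separated key=value pairs (not a real RADIUS server dump).
SAMPLE_ACCOUNTING = """\
User-Name=stud190066, Acct-Status-Type=Stop, Acct-Session-Time=3600, Acct-Input-Octets=524288000, Acct-Output-Octets=52428800
User-Name=staff0042, Acct-Status-Type=Stop, Acct-Session-Time=1800, Acct-Input-Octets=10485760, Acct-Output-Octets=2097152
User-Name=stud190066, Acct-Status-Type=Stop, Acct-Session-Time=7200, Acct-Input-Octets=1073741824, Acct-Output-Octets=104857600
User-Name=stud190101, Acct-Status-Type=Interim-Update, Acct-Session-Time=600, Acct-Input-Octets=1048576, Acct-Output-Octets=524288
"""

def parse_record(line):
    """Turn 'k=v, k=v' into a dict; purely numeric attributes become ints."""
    rec = {}
    for field in line.split(","):
        key, _, value = field.strip().partition("=")
        rec[key] = int(value) if value.isdigit() else value
    return rec

def summarise_usage(text):
    """Return {user: {"bytes": total, "seconds": total, "sessions": n}}.
    Only Stop records are counted, so interim updates of a session still
    in progress are not double-counted."""
    usage = defaultdict(lambda: {"bytes": 0, "seconds": 0, "sessions": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("Acct-Status-Type") != "Stop":
            continue
        u = usage[rec["User-Name"]]
        u["bytes"] += rec["Acct-Input-Octets"] + rec["Acct-Output-Octets"]
        u["seconds"] += rec["Acct-Session-Time"]
        u["sessions"] += 1
    return dict(usage)

def users_over_quota(usage, quota_bytes):
    """(user, bytes) for users above the quota, heaviest user first."""
    over = [(u, s["bytes"]) for u, s in usage.items() if s["bytes"] > quota_bytes]
    return sorted(over, key=lambda x: x[1], reverse=True)

def warning_text(user, used_bytes, quota_bytes):
    """Body of the usage warning the administrator would e-mail."""
    return (f"Dear {user}, your account has used {used_bytes / 2**30:.2f} GiB "
            f"of the {quota_bytes / 2**30:.0f} GiB allowance on the university network.")

if __name__ == "__main__":
    usage = summarise_usage(SAMPLE_ACCOUNTING)
    for user, used in users_over_quota(usage, quota_bytes=2**30):
        print(warning_text(user, used, 2**30))
```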
The AAA model has a number of benefits. It creates a multi-layered security barrier that
safeguards, measures, monitors how the network is accessed and by who. This prevents
cybercriminals from stealing and misusing data. In the AAA model, a centralised security
database allows particular access to each user based on their unique credentials, allowing
inactive or banned users to be easily and quickly terminated. The AAA model also gives
operators more control and flexibility when it comes to managing network access, as well as
the ability to use a variety of standardised authentication methods such as the RADIUS and
TACACS+. Lee (2021) defines RADIUS (Remote Authentication Dial-In User Service) as a
network protocol for authenticating and authorising user access to a network whether distant
or on-premise. GeeksforGeeks (2019) defines TACACS+ (Terminal Access Controller
Access Control Server) as a security protocol that is used in the AAA framework to enable
centralized authentication for network users. The AAA model also employs various backup
systems to ensure redundancy in the event that one of the security servers fails or the network
becomes overwhelmed.
Question 2
Using specific and relevant examples, describe how the layer 3 protocols ensure safe and
efficient connectivity
In the Open Systems Interconnection (OSI) model, there is the network layer which is the third
layer of this model. The third layer can also be called Layer 3. Techopedia (2014) states that
Layer 3 is responsible for the network's routing and switching technologies, which construct
logical channels known as virtual circuits (VC) for data transmission between network nodes.
Routing and forwarding, internetworking, addressing, packet sequencing, congestion control,
and error handling, are all Layer 3 functions. The protocols used in Layer 3 include Internet
Protocol IPv4/v6, Internet Control Message Protocol (ICMP), Distance Vector Multicast
Routing Protocol (DVMRP), Internet Group Management Protocol (IGMP), Address
Resolution Protocol (ARP) and Internet Protocol Security (IPsec). These protocols have a role
in ensuring safe and efficient connectivity.
The Internet Protocol (IP) is defined as a collection of rules that govern how data is delivered
over the internet. Cloudflare (n.d.) states that data traveling over the Internet is broken down
into smaller units known as packets. Each packet has IP information attached to it, which helps
routers send packets to the correct location. The internet uses protocols such as the IPv4 and
the IPv6. These are numerical combinations that allow devices to communicate with one
another. The IPv4 is the very first version of the IP protocol that was developed at the inception
of the internet. Despite the increasing adoption of the IPv6 protocol, IPv4 still routes the
majority of the world's traffic. The IPv6 is becoming more popular and in a short space of time,
it will be widely utilised worldwide. This is due to the fact that it uses addresses in the 128-bit
standard, while IPv4 uses addresses in the 32-bit standard. The IPv6 also enables for the
creation of 340 undecillion unique addresses, which is more than enough to support all global
traffic for a long time.
How the IP ensures safe and efficient connectivity
Wisdomplexus (n.d.) states that the IPv6 marks a significant security gain since the number
of addresses it contains is so large that it makes it hard to utilize IP scanning techniques in
networks to locate possible computers with security flaws. Sophos (n.d.) states that end-to-end
encryption can be run on the IPv6 and that the widespread use of IPv6 will make man-in-the-middle attacks far more difficult.
Lutkevich (2021) defines the Internet Control Message Protocol (ICMP) as an error-reporting protocol used by network devices such as routers to generate error messages to the
originating IP address when network difficulties hinder IP packet delivery. Extrahop (n.d.)
states that the ICMP packets relay information about network connectivity problems to the
source of the corrupted communication and it sends control messages such as source route failure,
destination network unreachable, and source quench. It has an 8-byte header and a variable-size data portion in its data packet structure. Lutkevich (2021) states that ICMP messages are
sent in a variety of situations and he gives an example whereby if one device transmits a
message that is too large for the receiver to handle, the recipient will ignore it and return an
ICMP message to the source. Another example he gives is when the network gateway discovers
a more efficient path for the message to take. An ICMP message is delivered in this case, and
the packet is diverted to the shorter path.
How the ICMP ensures safe and efficient connectivity
The ping and traceroute terminal utilities, in particular, utilise ICMP for network diagnostics.
The traceroute utility is used to show the physical routing path between two internet devices
that are communicating. Traceroute can be used to diagnose network faults and determine the
source of a network delay. The ping utility is a simpler traceroute since it sends out pings and
then measures how long it takes for the message to travel to its destination and return to the
source. Pings are important for determining the latency of a specific device. Ping, unlike
traceroute, does not display visual maps of the routing layout. However, Extrahop (n.d.) states
that the ICMP can be used as a network attack vector. An attacker can use a ping scan or sweep
to discover systems to attack in the future. A distributed denial of service (DDoS) assault, such
as an ICMP flood, a ping of death, or a Smurf attack, can bring a network to a halt.
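The 8-byte ICMP header and the echo, destination-unreachable and redirect messages discussed above, as an added example that is not part of the original assignment: it builds ICMP messages with a correct checksum and parses them back, rejecting truncated or corrupted ones, which is the check a packet-capture or monitoring tool performs before trusting an ICMP message. Type numbers are the RFC 792 values; the sample addresses are constructed.

```python
"""Build and parse ICMP messages with the 8-byte header the text describes
(constructed example, standard library only)."""
import struct

# ICMP type numbers used below (RFC 792 values)
ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TYPE_NAMES = {ECHO_REPLY: "echo reply", DEST_UNREACHABLE: "destination unreachable",
              REDIRECT: "redirect", ECHO_REQUEST: "echo request"}

def icmp_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype, code, rest, data=b""):
    """Header (type, code, checksum, 4-byte rest-of-header) followed by data;
    the checksum is computed over header and data with the field zeroed."""
    header = struct.pack("!BBH", itype, code, 0) + rest
    csum = icmp_checksum(header + data)
    return struct.pack("!BBH", itype, code, csum) + rest + data

def build_echo_request(ident, seq, payload=b""):
    """Echo request as sent by ping: identifier and sequence fill the rest-of-header."""
    return build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", ident, seq), payload)

def parse_icmp(packet):
    """Split an ICMP message into fields after verifying the checksum.
    Raises ValueError on a truncated or corrupted message."""
    if len(packet) < 8:
        raise ValueError("ICMP header must be at least 8 bytes")
    if icmp_checksum(packet) != 0:          # an intact message sums to zero
        raise ValueError("ICMP checksum mismatch")
    itype, code, csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": itype, "code": code, "checksum": csum,
            "name": TYPE_NAMES.get(itype, "other"), "data": packet[8:]}
    if itype in (ECHO_REQUEST, ECHO_REPLY):
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    elif itype == REDIRECT:                 # gateway the sender should use instead
        info["gateway"] = ".".join(str(b) for b in packet[4:8])
    return info

def is_valid_icmp(packet):
    """True when parse_icmp accepts the message."""
    try:
        parse_icmp(packet)
        return True
    except ValueError:
        return False
```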
Thakur (n.d.) defines the Distance Vector Multicast Routing Protocol (DVMRP) as a
multicast routing protocol that decides on packet routing based on the packet's source address.
The Routing Information Protocol (RIP) is the foundation of the DVMRP. The router creates
a routing table with the multicast groups about which it is aware, as well as the distances
between the router and the destination. When a router receives a multicast packet, the router's
interfaces listed in the routing table forward it. Thakur (n.d.) states that the DVMRP should
prevent loops from forming in the network, prevent duplicate packets from forming, ensure
that a packet’s journey from its source to the router is the shortest possible and allow for
dynamic membership.
How the DVMRP ensures safe and efficient connectivity
The DVMRP uses decision making strategies to accomplish the aforementioned tasks and these
include, but are not limited to, Reverse Path Forwarding (RPF) and Reverse Path Broadcasting
(RPB). Teletopix (2014) states that the DVMRP has enhanced efficiency whereby the network
traffic is controlled and server and CPU loads are reduced. Its performance is optimised and
this eliminates traffic redundancy. Teletopix (2014) also states that the DVMRP also has
distributed applications whereby multipoint applications are made possible.
Cloudflare (n.d.) defines the Internet Group Management Protocol (IGMP) as a protocol
that enables several devices to share a single IP address and receive the same data. The IGMP
is a network layer protocol that enables multicasting on Internet Protocol version 4 networks
(IPv4). The IGMP, in particular, enables devices to join a multicasting group. GeeksforGeeks
(2020) states that the IGMP is applied in streaming videos, gaming and web conferencing tools.
The IGMP has 3 versions namely IGMPv1, IGMPv2 and IGMPv3. In the IGMPv1, all
supporting hosts can join multicast groups using membership requests. In the IGMPv2, an
upgrade of IGMPv1, there is the ability to leave a multicast group by using group membership.
In IGMPv3, which is an upgrade of IGMPv2, there is source-specific multicast and
membership report aggregation.
How the IGMP ensures safe and efficient connectivity
The IGMP has benefits. One benefit given by GeeksforGeeks (2020) is that the IGMP
efficiently distributes multicast data to receivers and this results in no waste packets being sent
to the host resulting in improved performance. Another benefit is that because of all shared
links connected, the bandwidth is used completely. The other benefit is that hosts have the
option of leaving one multicast group and joining another one. However, the IGMP is
inefficient in terms of filtering and security. Network congestion can arise due to a lack of TCP.
The IGMP is also prone to attacks such as the Denial-of-Service (DOS).
Zydyk (n.d.) states that in a local area network, the Address Resolution Protocol (ARP) is a
technique for translating a dynamic IP address to a permanent physical machine address. A
Media Access Control (MAC) address is another name for the physical machine address. The
ARP's main function is to convert 32-bit addresses to 48-bit addresses and vice versa. This is
essential because IPv4 addresses are 32 bits long while MAC addresses are 48 bits long.
When ARP was first developed in 1982, security was not a primary focus, therefore the
protocol's authors didn't include any authentication tools to validate ARP messages. Any device
on the network can respond to an ARP request, regardless of whether it was meant for it or not.
Grimmick (n.d.) gives an example saying if Computer A were to ask for Computer B’s MAC
address, an attacker from Computer C can reply and Computer A would accept it as a genuine
response. Grimmick (n.d.) also states that a number of attacks have been made available as a
result of this error. These attacks are called ARP poisoning attacks and these include Denial of
Service (DoS), Man-in-the-Middle (MiTM) and Session Hijacking.
How the ARP ensures safe and efficient connectivity
Mitigating these attacks can be done through, but not limited to, encryption and static ARP
Tables. With SSL/TLS encryption on the web, it is difficult for MiTM attacks to occur. The
attacker can intercept the traffic but cannot do anything with it in its encrypted form. All of
the MAC addresses in a network can be statically mapped to their correct IP addresses. This is
a very effective way to avoid ARP Poisoning attacks so creating a distinct network segment
with static ARP tables can aid in the protection of sensitive data.
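The static-ARP-table mitigation described above, as an added example that is not part of the original assignment: it compares a constructed neighbour-cache dump (in the `ip neigh show` layout) against the static mapping an administrator maintains for a protected segment and reports the two symptoms ARP poisoning leaves behind, a protected IP answered by an unexpected MAC and one MAC claiming several IPs. All addresses are constructed.

```python
"""Compare observed ARP/neighbour entries with a static ARP table and flag
the inconsistencies an ARP-poisoning attempt leaves behind (constructed example)."""
import re

# Static mapping the administrator maintains for the protected segment
# (constructed addresses, not a real network).
STATIC_ARP = {
    "192.168.10.1":  "00:11:22:33:44:01",   # gateway
    "192.168.10.20": "00:11:22:33:44:20",   # file server
    "192.168.10.21": "00:11:22:33:44:21",   # print server
}

# Constructed neighbour-cache dump in `ip neigh show` format.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.10.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.10.21 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.10.55 dev eth0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.10.77 dev eth0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)

def parse_neigh(text):
    """Return [(ip, mac)] for lines that carry a link-layer address;
    entries without one (FAILED, INCOMPLETE) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries

def check_arp(entries, static):
    """Report two symptoms of ARP poisoning:
    - an IP in the static table answered by a different MAC
    - one MAC claiming more than one IP (a host answering for others)"""
    findings = []
    by_mac = {}
    for ip, mac in entries:
        by_mac.setdefault(mac, []).append(ip)
        expected = static.get(ip)
        if expected and expected.lower() != mac:
            findings.append(f"{ip}: expected {expected}, cache holds {mac}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
    return findings

if __name__ == "__main__":
    for finding in check_arp(parse_neigh(SAMPLE_NEIGH), STATIC_ARP):
        print("WARNING", finding)
```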
Thomas and Elbirt (2004) define the IP Security (IPsec) as a set of protocols designed to
ensure the confidentiality, integrity and authentication of data communication over an IP
network. Virtual Private Networks (VPN), routing security and application-level security are
three security domains where IPsec can be used. Currently, IPsec is the most popular VPN
protocol. IPsec is not a full solution for application-level security or routing security and it
must be used in conjunction with additional security measures to be effective, restricting its
applicability in these domains. Thomas and Elbirt (2004) state that the two modes of operation
contained in IPsec include transport mode and tunnel mode.
How IPsec ensures safe and efficient connectivity
All cryptographic procedures must be performed directly by the source and destination hosts
when operating in transport mode. The Layer 2 Tunnelling Protocol (L2TP) creates a single
tunnel through which encrypted data is delivered. The source host generates data – which is
ciphertext – that the destination host retrieves. End-to-end security is established in this style
of operation. Thomas and Elbirt (2004) also state that special gateways, in addition to the
source and destination hosts, execute cryptographic processing in tunnel mode. Gateway-to-gateway security is established when many tunnels are built in series between gateways.
References
• GeeksforGeeks (2021). Computer Network | AAA (Authentication, Authorization and Accounting). Retrieved from https://www.geeksforgeeks.org/computer-network-aaa-authentication-authorization-and-accounting/
• Alepo Technologies (2021). How the AAA server ensures security in telecom networks. Retrieved from https://alepotech.medium.com/how-the-aaa-server-ensures-security-in-telecom-networks-809a6cb4e427
• Mylonas L. (2018). What is AAA security? An introduction to authentication, authorisation and accounting. Retrieved from https://codebots.com/application-security/aaa-security-an-introduction-to-authentication-authorisation-accounting
• SearchSecurity (2010). Authentication, authorisation and accounting (AAA). Retrieved from https://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting
• Lee B. (2021). What is RADIUS protocol? Retrieved from https://jumpcloud.com/blog/what-is-the-radius-protocol#:~:text=RADIUS%20is%20a%20network%20protocol,Authentication%20Dial%2DIn%20User%20Service
• GeeksforGeeks (2019). TACACS+ Protocol. Retrieved from https://www.geeksforgeeks.org/tacacs-protocol/
• Techopedia (2014). Layer 3: What Does Layer 3 Mean? Retrieved from https://www.techopedia.com/definition/14825/layer-3
• Cloudflare (n.d.). What is the Internet Protocol? Retrieved from https://www.cloudflare.com/learning/network-layer/internet-protocol/
• Sophos (n.d.). Why IPv6 Matters for Your Security. Retrieved from https://www.sophos.com/en-us/security-news-trends/security-trends/why-switch-to-ipv6.aspx
• Wisdomplexus (n.d.). IPv4 vs IPv6 Security: Know the Difference. Retrieved from https://wisdomplexus.com/blogs/ipv4-vs-ipv6-security/
• Lutkevich B. (2021). ICMP (Internet Control Message Protocol). Retrieved from https://www.techtarget.com/searchnetworking/definition/ICMP
• Extrahop (n.d.). Internet Control Message Protocol (ICMP). Retrieved from https://www.extrahop.com/resources/protocols/icmp/
• Thakur D. (n.d.). DVMRP – What is DVMRP (Distance Vector Multicast Routing Protocol). Retrieved from https://ecomputernotes.com/computernetworkingnotes/routing/dvmrp
• Teletopix (2014). Multicast Advantages and Disadvantages. Retrieved from http://teletopix.org/wimax/multicast-advantages-and-disadvantages/
• Cloudflare (n.d.). What is IGMP? | Internet Group Management Protocol. Retrieved from https://www.cloudflare.com/learning/network-layer/what-is-igmp/
• GeeksforGeeks (2020). What is IGMP (Internet Group Management Protocol)? Retrieved from https://www.geeksforgeeks.org/what-is-igmp-internet-group-management-protocol/
• Zydyk M. (n.d.). Address Resolution Protocol (ARP). Retrieved from https://www.techtarget.com/searchnetworking/definition/Address-Resolution-Protocol-ARP
• Grimmick R. (n.d.). ARP Poisoning: What it is & How to Prevent ARP Spoofing Attacks. Retrieved from https://www.varonis.com/blog/arp-poisoning/
• Thomas J. & Elbirt A.J. (2004). How IPsec works, why we need it, and its biggest drawbacks. Retrieved from https://www.csoonline.com/article/2117067/data-protection-ipsec.html