4 A firewall can serve as the platform for IPSec Using the tunnel mode


4. A firewall can serve as the platform for IPSec. Using the tunnel mode capability described, the firewall can be used to implement virtual private networks.

Firewalls have their limitations, including the following:

1. The firewall cannot protect against attacks that bypass the firewall. Internal systems may have dial-out capability to connect to an ISP. An internal LAN may support a modem pool that provides dial-in capability for travelling employees and telecommuters.
2. The firewall does not protect against internal threats, such as a disgruntled employee or an employee who unwittingly cooperates with an external attacker.
3. The firewall cannot protect against the transfer of virus-infected programs or files. Because of the variety of operating systems and applications supported inside the perimeter, it would be impractical and perhaps impossible for the firewall to scan all incoming files, e-mail, and messages for viruses.

SWATI AGGARWAL (IMSEC) Page 17

5. What are the two approaches for Digital Signatures? Give the suitable diagrams. Explain any one approach.

Ans: The two approaches for Digital Signatures are
1. RSA
2. DSS

DSS: The DSS uses an algorithm that is designed to provide only the digital signature function. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The figure contrasts the DSS approach for generating digital signatures with that used with RSA.

In the RSA approach, the message to be signed is input to a hash function that produces a secure hash code of fixed length. This hash code is then encrypted using the sender's private key to form the signature. Both the message and the signature are then transmitted. The recipient takes the message and produces a hash code. The recipient also decrypts the signature using the sender's public key. If the calculated hash code matches the decrypted signature, the signature is accepted as valid. Because only the sender knows the private key, only the sender could have produced a valid signature.

The DSS approach also makes use of a hash function. The hash code is provided as input to a signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PR_a) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PU_G). The result is a signature consisting of two components, labeled s and r. At the receiving end, the hash code of the incoming message is generated. This plus the signature is input to a verification function. The verification function also depends on the global public key as well as the sender's public key (PU_a), which is paired with the sender's private key. The output of the verification function is a value that is equal to the signature component r if the signature is valid. The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.
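As an added worked example (not part of these notes), the Python script below carries both approaches through end to end: the RSA approach (hash the message, apply the private key to the hash, recover it with the public key and compare) and the DSS approach (hash, per-signature random k, private key PR_a and global parameters PU_G = (p, q, g) produce (r, s); verification with PU_a yields a value v that equals r exactly when the signature is valid). The RSA key pair is generated on the fly; the DSS global parameters (23, 11, 4) and the private key 3 used in the comments are constructed toy values, far too small for real use but chosen so the arithmetic can be checked by hand. All function names are my own.

```python
import hashlib
import secrets

# --- Shared first step of both approaches: a fixed-length hash code of the message ---
def hash_code(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

# --- RSA approach -----------------------------------------------------------
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 1024):
    """Return (public_key, private_key) as ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_sign(message: bytes, private_key) -> int:
    d, n = private_key
    return pow(hash_code(message), d, n)      # "encrypt" the hash with the private key

def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    e, n = public_key
    return pow(signature, e, n) == hash_code(message)   # "decrypt" with the public key, compare

# --- DSS approach -----------------------------------------------------------
# Constructed toy global public key PU_G = (p, q, g): q divides p-1 and g has order q mod p.
P, Q, G = 23, 11, 4

def dss_keygen():
    """Return (PR_a, PU_a) = (x, y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def dss_sign_with_k(h: int, x: int, k: int):
    """Core signature function on an already-reduced hash h; k is the per-signature random."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return r, s

def dss_sign(message: bytes, x: int):
    h = hash_code(message) % Q
    while True:
        k = secrets.randbelow(Q - 1) + 1          # fresh, secret k for this signature only
        r, s = dss_sign_with_k(h, x, k)
        if r != 0 and s != 0:
            return r, s

def dss_verify_value(h: int, signature, y: int) -> int:
    """Verification function: returns v, which equals r iff the signature is valid."""
    r, s = signature
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    return ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q

def dss_verify(message: bytes, signature, y: int) -> bool:
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    return dss_verify_value(hash_code(message) % Q, signature, y) == r

if __name__ == "__main__":
    msg = b"constructed sample message"
    pub, priv = rsa_keygen()
    sig = rsa_sign(msg, priv)
    print("RSA valid:", rsa_verify(msg, sig, pub), "tampered:", rsa_verify(msg + b"!", sig, pub))
    x, y = dss_keygen()
    r_s = dss_sign(msg, x)
    print("DSS (r, s):", r_s, "valid:", dss_verify(msg, r_s, y))
```

With the toy parameters and private key x = 3 (so y = 18), signing h = 5 with k = 7 gives (r, s) = (8, 1), and the verification function returns v = 8 = r; feeding it a different hash (h = 6) returns 9, so the check fails. Two caveats that the notes' high-level description leaves implicit: the RSA step "encrypt the hash with the private key" is shown here as raw textbook RSA, whereas deployed signatures wrap the hash in a padding scheme (PKCS#1 v1.5 or RSA-PSS) before the private-key operation; and in DSS the value k must be fresh and unpredictable for every signature, since reusing k for two messages lets anyone holding both signatures solve for the private key.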

  • Summer '14
  • hash function, Cryptographic hash function, Block cipher, SWATI AGGARWAL