Dickson K.W. Chiu

1
CSC3530 Software Technology Introduction to
Information Security

• Dickson K.W. Chiu
• Dept. of Computer Science Engineering
• Chinese University of Hong Kong, Shatin, HK
• Thanks to Dr SC Cheung (HKUST), Dr Michael Lyu
  (CUHK)

2
What is Information Security?

• Security - protecting data stored in and
  transferred between distributed components from
  unauthorised access
• Security is a non-functional requirement that
  cannot be added as a component but has to be
  built into all components
• More vital/secret data handled by distributed
  systems and especially over the Internet
• Information Security Portal
• http//www.infosyssec.org/infosyssec/index.html
• Network Security Library http//secinf.net/

3
Why Security?

• Confidentiality - To ensure your information is
  accessible only to authorized parties
• Artifacts Cryptography
• Authentication - To ensure the origin of a
  message or electronic document is correctly
  identified, with assurance that the identity is
  not false
• Artifacts Digital Certificates
• Non-repudiation - To proof the completion of a
  transaction and the identity of involved parties.
• Artifacts Digital Signatures Certificates
• Authorization - To manage access rights and
  permissions
• Artifacts Policy-Based Access Control
• Integrity - To ensure that content is not
  altered, malicious or incorrectly processed
• Artifacts Digitally-Signed Data Content
• Availability services / resources available to
  authorized parties
• Artifacts Anti-virus software

4
Effects of Insecurity

• Confidential Data may be stolen, e.g.
• corporate plans.
• new product designs.
• medical/financial records (e.g. Access
  bills....).
• Data may be altered, e.g.
• finances made to seem better than they are.
• results of tests, e.g. on drugs, altered.
• examination results amended (up or down).
• Loss of confidence above effects may reduce
  confidence in computerized systems.
• Claims for damages legal developments may allow
  someone to sue if data on computer has not been
  guarded according to best practice.
• Loss of privacy data legally stored on a
  computer may well be private to the person
  concerned (e.g. medical/personnel) record.

5
Security Threats

• Categorization of attacks (and goals of attacks)
  that may be made on system.
• Leakage (Interception) - information leaving
  system (vs secrecy)
• Tampering (Modification) - unauthorised
  information altering (vs integrity)
• Resource stealing - illegal use of resources (vs
  availabilty)
• Vandalism (Interruption) - disturbing correct
  system operation (vs availabilty)
• Fabrication unauthorized party inserts
  counterfeit objects / information into the system
  (vs authenticity)
• Used to specify what the system is proof, or
  secure, against.

6
Methods of Attack

• Eavesdropping - Obtaining message copies without
  authority.
• Masquerading - Using identity of another
  principle without authority.
• Message tampering - Intercepting and altering
  messages.
• Replaying - Storing messages and sending them
  later.
• Clandestine user Seizes supervisory control to
  evade auditing / access control or suppress audit
  collection

7
Increasing Security Threats

• Exposure to the Internet
• Globalization keen competition among
  international competitors and
• Client / server architecture
• Hackers steep learning curve
• Hackers clubs / bulletin board / newsgroup /
  forum / web-site, e.g.,
• Underground search engine http//www.ilsearch.c
  om/
• Natural reluctance of security / systems
  personnel to share information
• Attackers often exploit vulnerabilities before
  holes are filled

8
Infiltration

• Launch of attack requires access to the system
• Launched by legitimate users
• Launched after obtaining passwords of known users
• Malicious Programs
• Bacteria consume system resources by
  replication
• Logic Bomb authorized action upon meeting a
  certain set of conditions
• Trojan horses secrete undocumented security
  routine embedded within a useful program
• Trapdoor secret entry point into a program to
  allow unauthorized security access
• Viruses - code embedded within a program that
  causes a copy of itself to be inserted in one or
  more other programs
• Worms replicate itself and spread across
  network
• Viruses and worms often perform some unwanted
  actions

9
Viruses Life Phases

• Dormant phase but eventually activated by some
  event (e.g., date, idle system)
• Propagation phase places identical copy of
  itself into other programs or system areas
• Triggering phase activation upon certain events
  and condition (date, etc.)
• Execution phase the function (harmless or
  destructive) is performed

10
Types of viruses

• Parasitic virus attaches to executable files
  and replicates when the infected program is
  executed
• Memory-resident virus lodges in main memory as
  part of a resident system program, then infects
  every program executed
• Boot sector virus infects a (master)boot record
  and spreads when a system is booted from the
  infect disk
• Stealth virus explicitly design to hide itself
  from detection by anti-virus software
• Polymorphic virus mutates with every infection,
  making detection by signature impossible

11
Antivirus Approaches

• Prevention may be difficult
• Reactive procedure
• Detection
• Identification
• Removal
• 4 generations of antivirus software
• Simple scanners virus signature (bit pattern)
• Heuristic scanners detection rules, integrity
  check
• Activity traps memory-resident against
  virus/suspicious actions
• Full-featured protection full packages (current
  status)
• Arm-race continues

12
Cryptography

• Encryption
• The translation of data into a secret code
• The most effective way to achieve data security
• prevents unauthorised access to the data (i.e.,
  prevents eavesdropping).
• If encrypted data can only be encrypted with a
  matching key, this can be used to prove senders
  identity (i.e., prevents masquerading).
• used to ensure that only intended recipients can
  use the data.
• Two main types of encryption
• asymmetric encryption (public key)
• symmetric encryption (secret key)
• Decryption
• The process of decoding encrypted data into a
  secret format
• Requires a secret key or password

13
How does Cryptography Work?

• In general, we consider an encryption mechanism
  secure if it meets the following two criteria.
• The cost of breaking the cipher exceeds the value
  of the encrypted information
• The amount of time required to break the cipher
  exceeds the useful lifetime of the information
• Unencrypted data is called plain text
• Encrypted data is called cipher text
• To read an encrypted file, you must have right to
  access a secret key or password that enables you
  to decrypt it
• Function the encryption or decryption algorithm
  used, in conjunction with key, to encode or
  decode message.
• Key distribution service trusted service which
  hands out keys.

14
Secret Key Approach

• One key is used to both encrypt and decrypt data
• Encryption and decryption functions are often
  chosen to be the same
• Security should not be compromised by making
  function well-known as security comes from secret
  keys
• Sender and recipient exchange keys through some
  secure, trusted, non-network based means.
• Sender encodes message using function and sends,
  knowing that only the holder of key (the intended
  recipient) can make sense of it.
• Recipient decodes message, and knows that only
  intended sender could generate it.
• Message can be captured but is of no use.

15
Secret Key Pros and Cons
Plain Text
Same Key
Encoder
Decoder
Encrypted Message
Plain Text
Same Key

• Pros Simple and fast
• Cons Two parties must somehow exchange the key
  in a secure way, which increase the risk that
  someone can obtain your secret key

16
Key Distribution Center (KDC)

• Client and Server pre-registered to KDC (and have
  their own KDC key)
• KDC send encrypted session key for each
  transaction
• Session key same for client and server
• Reduce the need of physical (paper) key delivery
• Problem if KDC is compromised

17
Kerberos

• A three-headed dog guarding gates of Hades (Greek
  Myth)
• Similar to key distribution centers (based on
  symmetric key)
• Invented by MIT http//web.mit.edu/kerberos/www/
• Steps (cf. Japan rail-pass!)
• Protected server requires a Kerberos "ticket"
  before honoring your request.
• To get your ticket, you request authentication
  (username/password) from the Authentication
  Server (AS) to obtain a ticket-granting ticket
  (encrypted with the symmetric key) base on your
  password and a random value.
• You send the decrypted ticket-granting ticket to
  a ticket-granting server (TGS) (may be same
  physical server as AS). The TGS returns the
  ticket valid for the requested service server.
• The service server either rejects the ticket or
  accepts it and performs the service.
• Because the ticket you received from the TGS is
  time-stamped, it allows you to make additional
  requests using the same ticket within a certain
  time period (typically, eight hours) without
  having to be re-authenticated.

18
Secret Key Example - DES

• Data Encryption Standard (DES) - official US
  national standard since 1977
• Originated at IBM research team in 1977 (128-bit)
• Applies a 56-bit key chosen at random from among
  7.2 x 1016 possible encryption keys
• NSA (US spy agency) insisted 56-bit gt breakable
• Specified in
• Approved as ANS X3.92-1981/R1987
• Federal FIPS PUB 46 and 81 standards
• First report crack June 1997 by an ad hoc team
  of 10000s of peoples PC over the Internet

19
Triple DES

• An encryption method strengthens DES by
  performing the DES algorithm three times with
  different DES keys
• DES-EEE3 Three DES encryptions with three
  different keys
• DES-EDE3 Three DES operations in the sequence
  encrypt-decrypt-encrypt with 3 different keys
• DES-EEE2 and DES-EDE2 Same as the above format
  except 1st and 3rd operations use the same key

20
Improvement of Triple DES
128-bit DES Triple DES
Key nature A single key of 128-bit length 3 different keys of 56-bit length
Runtime Shorter Longer
Key possibility 2128 3.4 x 1038 23x56 3.7 x 1050
Security strength High Higher

• 128-bit DES For most business or government
  needs
• Triple DES For banks and other institutions that
  handle highly sensitive data
• 1 hr vs 10 billion years

21
Statistics on key search
Key Size (bits) Number of Alternative Keys Time required at 1 encryption/ms Time required at 106 encryptions/ms
32 232 4.3 x 109 231 ms 35.8 minutes 2.15 milliseconds
56 256 7.2 x 1016 255 ms 1142 years 10.01 hours
128 2128 3.4 x 1038 2127 ms 5.4 x 1024 years 5.4 x 1018 years
26 char permutation 26! 4 x 1026 2 x 1026 ms 6.4 x 1012 years 6.4 x 106 years

• Note key size of DES algorithm - 56/128-bit

22
Public Key Encryption
Plain Text
Private Key
Others
Encoder
Decoder
Encrypted Message
You
Plain Text
Public Key

• Also called asymmetric encryption as it uses 2
  different keys instead of one single key
  (symmetric encryption)
• a public key
• a private key
• Messages encrypted with public/private key for
  security measure
• Messages can be decrypted with the corresponding
  private/public key
• Impossible to deduce the private key from the
  public key or vice versa

23
Usage of Public Key Encryption
Plain Text
Public Key
You
Encoder
Decoder
Encrypted Message
Others
Plain Text
Private Key

• Encryption - Anyone can send you an encrypted
  message with your public key you decode it with
  your private key (but nobody else)
• Document Signing - You can encrypt your message
  with your private key and send it to other people
  if you message decrypts with your public key,
  then it must by you
• No key exchange needed

24
Mutual Authentication (Public Key)
25
What is RSA?

• Public-key encryption technology by RSA Data
  Security, Inc. http//www.rsasecurity.com (1977)
• Acronym stands for inventors Rivest, Shamir,
  Adelman.
• To deduce a RSA key requires an extraordinary
  amount of computer processing power and time.
• A de facto standard for industrial encryption,
  especially for data that is sent over the
  Internet
• Embedded in many software products, for example,
  Netscape Navigator and Microsoft Internet
  Explorer
• U.S. government has restricted exporting this
  encryption methodology to foreign countries
• A similar technology NetAuthority PKI which is
  also widely used is offered by a company called
  Cylink

26
Sketch of RSA Algorithm (Reference)

• Choose a pair of large prime number (p and q)
• Calculate n p q
• Choose an encryption key (e, usually small) such
  that
• e and (p-1)(q-1) are relatively prime.
• Then decryption key (d) will be obtained by
  formula
• ed 1 mod (p-1)(q-1)
• d e-1 mod (p-1)(q-1) (say, by Euclidean
  Algorithm)
• (e, n) will be the encryption key available to
  public
• Cypher Text ci mie mod n
• (d, n) will be the decryption key owners keeps
  private
• Plain Text mi cid mod n
• With p and q discarded, it would be extremely
  hard to factorize n and therefore this method is
  safe.
• The decryption holds because
• cid (mie)d mied mik(p-1)(q-1)1
• mimik(p-1)(q-1) mi1 (Eulers theorm)
• mi all (mod n)

27
Example of RSA

• Choose p11, q17 (thus npq187)
• Choose e7 (note 7 and 187 relatively prime)
• Compute d23 because
• (7)(23) 161 1 mod (11-1)(17-1)
• Example
• Encrypt m13, c1372187130mod(187)
• Decrypt m1130233mod(187)
• In this example, given (e,n)(7,187), it is easy
  to determine d23 because factorizing a small
  number like 187 is easy.
• Calculating large numbers are easy in some
  languages like Scheme or LISP which supports
  (unlimited-length) big integers

28
Pretty Good Privacy (PGP)

• By Phil Zimmermann in 1991
• de-facto standard for email encryption
• Free package Pretty Good Privacy (PGP)
• http//web.mit.edu/network/pgp.html
• International version
• http//www.pgpi.org/
• US Export Regulations
• Use of RSA keys are supported (to ensure
  backwards compatibility with PGP 2.x).
• The default key-server is in Europe, not in USA.
• The source code for PGPi is available for
  download
• Documentation and tutorial (You should read!)
• http//www.pgpi.org/doc/guide/6.5/en/intro/

29
Digital Envelope

• (Symmetric) Key Agreement Protocol
• RSA too slow for encrypting a whole long message
• Main message encrypted with symmetric key
• Send also symmetric key encrypted with senders
  public key

30
What is a Digital Signature?

• A digital code attached to an electronically
  transmitted message
• Generated by a private key over some block of
  data
• Use to uniquely identify message senders
• Signature can only be decrypted by the public key
  issued by the signer
• Usage
• To guarantee identity claimed by the message
  senders
• To endorse an electronic document in a way that
  can be validated for authenticity
• Used to support certification authorities in
  endorsing certificates of web servers
• Used to endorse consumers certificates

31
Digital Signature Procedure

• Hash function ensures that, if the information is
  changed in any way, an entirely different output
  value is produced
• A one-way hash function takes variable-length
  input message and produces a fixed-length output
  (message digest)
• Digital signature - message digest encrypted with
  private key
• Digital signature varies with message content
  (different from pen-signed signature on paper)
• Send message body (plaintext) with digital
  signature
• Receiver can decrypt the digital signature with
  the public key and verify with the message body

32
Public Key Infrastructure (PKI)

• How does a client know the server indeed belongs
  to a particular organization/individual and is
  not masquerading to steal info?
• Also called trust hierarchy
• It is a system consisted of
• Digital certificates
• Certificate Authorities

33
What is a Digital Certificate?

• A digital document issued by a certification
  authority (CA)
• You validate certificates. You trust people.
• Usage
• Use to verify the identity of the message senders
• Provide users a secure way to encode reply
  messages
• Can be embedded to the messages to ensure
  security throughout the data transmission
• Common Standards PGP and X.509

34
Digital Certificate Distribution

• Manual public key distribution for small group
• Certificate servers (cert server or a key server)
  
• A database for users to submit and retrieve
  digital certificates
• Provides some administrative features that enable
  a company to maintain its security policies,
  e.g., allowing only those keys that meet certain
  requirements to be stored
• Products from Microsoft, etc.
• Public Key Infrastructures
• Certificate repository/servers from Certification
  Authorities
• Cf. country's government's Passport Office

35
Certificate Authorities

• Financial institution or trusted third party,
  such as VeriSign (http//www.verisign.com)
• CUHK CA http//www.cuhk.edu.hk/ca/
• Takes responsibility for authentication before
  issuing a digital certificate (signed with CAs
  public key)
• Holds the digital certificates for public
  verification (e.g., with Light-weight Directory
  Access Protocol, LDAP)
• Certificate Authority Hierarchy
• A chain of certificates starting with the root
  certification authority (IPRA Internet Policy
  Registration Authority)
• IRPA signs certificates with the root key, only
  for policy creation authorities
• Policy creation authorities then sign digital
  certificates for CA
• CA signs users certificate

36
A Digital Certificate Usage Scenario
37
X.509 Certificate

• Different companies have created their own
  extensions
• ITU-T X.509 international standard
• X.509 version number - most current is version 3.
  
• Certificate holder's public key
• Serial number of the certificate used in
  numerous ways e.g., when a certificate is
  revoked, its serial number is placed in a
  Certificate Revocation List or CRL.
• Certificate holder's unique identifier (or DN
  Distinguished Name) - unique across the Internet
  - multiple subsections and may look something
  like this CNBob Allen, OUTotal Network
  Security Division, ONetwork Associates, Inc.,
  CUS (Common Name, Organizational Unit,
  Organization, and Country.)
• Certificate's validity period
• Unique name of the certificate issuer
• Digital signature of the issuer
• Signature algorithm identifier

38
PGP Certificate

• Includes but not limited to
• PGP version number
• Certificate holder's public key
• Certificate holder's information - name, user ID,
  photograph, etc.
• Certificate's validity period
• Preferred encryption algorithm for the key
• Digital signature of the certificate owner
  self-signature, signature using the corresponding
  private key of the public key associated with the
  certificate
• Several or many people may sign the key/
  identification pair to attest to their own
  assurance that the public key definitely belongs
  to the specified owner (different from X.509)

39
Trust Models

• How users will go about establishing certificate
  validity
• Direct Trust
• User knows where it came from
• E.g., in web browsers - root Certification
  Authority keys were shipped by the manufacturer
• Hierarchical Trust in PKI
• Web of Trust
• Trust is in the eye of the beholder (real-world
  view)
• More information is better
• As in PGP - when any user signs another's key,
  the user becomes an introducer of that key. As
  this process goes on, it establishes a web of
  trust
• Any user can act as a certifying authority to
  validate another PGP user's public key certificate

40
Expired and Revoked Certificates

• Expired certificate
• Expiration date/ time (validity period
  lifetime)
• Can still be safely used to reconfirm information
  that was encrypted or signed within the validity
  period
• Revoked certificate
• invalidate a certificate prior to its expiration
  date
• when an the certificate holder terminates
  employment with the company
• suspects that the certificate's corresponding
  private key has been compromised

41
Handling Revoked Certificates

• PGP - post it on a certificate server that you
  are warned not to use that public key
• PKI
• Via a data structure called a Certificate
  Revocation List (CRL) published by the CA.
• CRL contains a time-stamped, validated list of
  all revoked, unexpired certificates in the
  system.
• Revoked certificates remain on the list only
  until they expire (keeps the list from getting
  too long)
• The CA distributes the CRL to users at some
  regularly scheduled interval (and potentially
  off-cycle, whenever a certificate is revoked)
• It is possible, though, that there may be a time
  period between CRLs in which a newly compromised
  certificate is used.

42
Passphrase

• A longer version of a password
• In theory, a more secure one
• Typically composed of multiple words
• More secure against standard dictionary attacks
• PGP uses a passphrase to encrypt your private key
  on your machine
• If you forget your passphrase, you are out of luck

43
Key Splitting

• Sharing a private key
• A secret is not a secret if it is known to more
  than one person
• BUT Corporate Signing Keys
• Private keys used by a company to sign legal
  documents, sensitive personnel information, or
  press releases
• Multiple members of the company to have access to
  the private key
• Any single individual can act fully on behalf of
  the company.
• To solve the problem, more than one or two people
  must present a piece of the key in order to
  reconstitute it to a usable condition

44
Can you prove it in Court?

• Non-repudiation
• proof the completion of a transaction and the
  identity of involved parties.
• ISO non-repudiation model
• Evidence of message creation
• Proof-of-origin certificate
• Delivery authority service
• Evidence of message receipt
• Proof-of-receipt certificate
• Action Timestamp
• Evidence long-term storage facility
• Adjudicator settle disputes based on stored
  evidence

45
TCP/IP Encryption at Different Layers

• S-HTTP individual documents (web pages)
  encrypted / signed
• SSL ensures the channel of communication
  between 2 parties is encrypted and authenticated
• IPSec like SSL but at IP layer
• These security measures are complementary and can
  coexists

46
Secure Socket Layer (SSL)

• Netscape handed over the ownership of SSL to IETF
  (July 1998) http//developer.netscape.com/docs/man
  uals/security/sslin/contents.htm
• Then called Transport Layer Security (TLS)
• HTTP servers that implement SSL must run on port
  443 instead of 80
• Now all commercial browsers and web servers
  support SSL
• To enable SSL on server, you must mark part or
  entire server as secure
• At the browser, you can tell whether you are
  using SSL by
• URL begins with https//
• Security icon (a lock icon)
• Notification dialog

47
Secure Socket Layer Functions

• Main Functions
• SSL server authentication (certificate)
• Allow the client and server to select the
  cryptographic algorithms, or ciphers, that they
  both support
• SSL client authentication (certificate)
• Use public-key encryption techniques to generate
  shared secrets
• An encrypted SSL connection
• Two sub-protocols
• SSL record protocol - defines exchange data
  format
• SSL handshake protocol - involves using the SSL
  record protocol to exchange a series of messages
  for establishing SSL connection

48
SSL Handshake (Reference)

1. The client sends the server the client's SSL
   version number, cipher settings, randomly
   generated data, etc.
2. The server sends the client the server's SSL
   version number, cipher settings, etc., with its
   own certificate. If the client is requesting a
   server resource that requires client
   authentication, requests the client's
   certificate.
3. The client uses some of the information sent by
   the server to authenticate the server
4. Creates the premaster secret for the session,
   encrypts it with the server's public key and
   sends the encrypted premaster secret to the
   server.
5. If the server has requested client
   authentication, the client also signs and send
   another piece of data that is unique to this
   handshake and known by both the client and
   server.
6. If the server has requested client
   authentication, the server attempts to
   authenticate the client. If OK, the server uses
   its private key to decrypt the premaster secret,
   then performs a series of steps to generate the
   master secret.
7. Both the client and the server use the master
   secret to generate the session keys (symmetric
   keys)
8. The client sends a message to the server
   informing it that future messages from the client
   will be encrypted with the session key. It then
   sends a separate (encrypted) message indicating
   that the client portion of the handshake is
   finished.
9. The server sends a message to the client
   informing it that future messages from the server
   will be encrypted with the session key. It then
   sends a separate (encrypted) message indicating
   that the server portion of the handshake is
   finished.
10. The SSL handshake is now complete, and the SSL
    session has begun.

49
Secure HTTP (S-HTTP)

• Secure message-oriented communications protocol
  designed for use in conjunction with HTTP
• Designed to coexist with HTTP's messaging model
  and to be easily integrated with HTTP
  applications
• Does not require client-side public key
  certificates (or public keys), as it supports
  symmetric key-only operation modes
• Newer browsers support both SSL and S-HTTP
• Developed in 1994 by Enterprise Integration
  Technologies (EIT), which was acquired by
  Verifone, Inc. in 1995
• S-HTTP has been submitted to the Internet
  Engineering Task Force (IETF) for consideration
  as a standard http//www.ietf.org/rfc/rfc2660.txt
  

50
Internet Protocol Security (IPSec)

• A developing standard for security at the network
  (IP) layer
• especially useful for implementing virtual
  private networks and for remote user access
  through dial-up connection to private networks
• without requiring changes to individual user
  computers
• Cisco has been a leader in proposing IPsec as a
  standard (and support in its routers)
• http//www.cisco.com/warp/public/cc/techno/protoco
  l/ipsecur/prodlit/ipsec_ov.htm
• Two choices of security service
• Authentication Header (AH) - essentially allows
  authentication of the sender of data
• Encapsulating Security Payload (ESP) - supports
  both authentication of the sender and encryption
  of data
• Specific service information inserted into the
  packet in a header that follows the IP packet
  header
• Internet Key Exchange (IKE) Protocol -
  authenticates each peer in an IPSec transaction,
  negotiates security policy, and handles the
  exchange of session keys

51
Secure Electronic Transaction (SET)

• Invented by VISA and MasterCard
• Application layer protocol on top of SSL

52
Firewall

• A gatekeeper computer between the Internet and a
  private network
• Protects the private network by filtering traffic
  to and from the Internet based on defined
  policies (rules)
• Usually requires two network interfaces
• Also for Internet sharing
• Disadvantages
• Access Restrictions
• Back-Door Challenges The Modem Threat
• Risk of Insider Attacks
• Online book http//secinf.net/info/fw/complete/

53
Packet Filtering Firewall

• Extended functions in routers
• Looking at IP header of current packet
• Administrator specify rules to drop / reject /
  permit packets based on source / destination /
  port number
• No modifications or special client software
  necessary
• Disadvantages
• Do not maintain context or understand application
• Less secure than proxy-based firewalls
• More complex to maintain (imaging interpreting a
  lot of filtering rules)

54
Proxy Firewall

• Application firewall
• Incoming Internet traffic directed to appropriate
  proxy software (on Bastion host) for mail, HTTP,
  FTP, etc., then to individual users with access
  right control
• Consider context, authorization and
  authentication (instead of just IP addresses)
• Many proxies require applications configuration
  to point to them (e.g., IE or Netscape)
• Transparent proxies does not require user set-up
  (e.g., HTTP proxy in ISP for increasing
  performance)

HTTP/1.0 200 OK Age 92165 Accept-Ranges
bytes Date Sat, 17 Nov 2001 064403
GMT Content-Length 3494389 Content-Type
application/zip Server Microsoft-IIS/4.0 Last-Mod
ified Thu, 15 Nov 2001 032051 GMT ETag
"eaab5087846dc1185ac" Via 1.1 imsbbcache03
(NetCache NetApp/5.0.1R2D2) Going to
Download By the 000014 downloaded 3494389
bytes at speed of 232959 b/s Download
succeeded Going to Ok
55
Virtual Private Network (VPN)

• Extranet extends corporate backbone to outsider
  (e.g., business partners) via Internet
• VPN creates a secure channel across public IP
  networks with encryption (e.g., IPsec)
• Eliminates long-distance calls, modem pools, (or
  even lease line), etc., as users can dial-up to
  local ISP to connect by VPN
• VPN therefore supports intranets, extranets and
  remote access
• Security and interoperability issues solved by
  IPsec