Summary

Computer Networks and Security (2IC60) Summary Q4 2021

Rating: -
Sold: 3
Pages: 30
Uploaded on: 29-06-2021
Written in: 2020/2021

Computer Networks and Security (2IC60) is a course taught at Eindhoven University of Technology. It is a mandatory course for Bachelor Computer Science and Engineering students. The course is given in the fourth quartile of the second year. Computer Networks and Security discusses the OSI model and its layers, security protocols, security attributes, cryptography and more.


Preview of the content

Computer Networks and Security (2IC60) Summary
Q4 2021
This summary is a combination of the lecture slides and the lecture notes.

Contents
S01 / Chapter 1 – Introduction (network, security)
S02 / Chapter 2 – Protocol layering (layers, delay)
S03 / Chapter 3 – Application layer (HTTP, P2P)
S04 / Chapter 4 – Transport layer (UDP, TCP)
S05 / Chapter 5 – Network Layer
S06 / Chapter 6 – Link Layer
S07 / Chapter 7 – Authentication & Authorization
S08 / Chapter 8 – Network Security & Web Security
S09 / Chapter 9 – Cryptography
S10 / Chapter 10 – Network Security Protocols




Computer Networks and Security (2IC60) Summary Q4 2021 by Isabel Rutten

S01 / Chapter 1 – Introduction (network, security)
A network is an interconnected configuration of system components that are designed to communicate
and share. Networking refers to communicating either with or within a group. Example: colony of ants
searching for food. A computer network is (a) physically an “infrastructure” (communication links, packet
switches) interconnecting “end-devices” (PCs, smart TVs, etc.) and (b) logically a facility providing
information exchange between programs that are not sharing memory. Most predictions about the future
market of computers were incorrect, but not Moore’s law: the number of transistors that fit in a unit area of
an integrated circuit doubles every two years.
A network infrastructure consists of:
- network edge: end systems/devices (hosts) run applications at “edge of network”.
- access networks: connect end devices/network edges to a router
- network core: interconnected routers
In a client/server model, the client host requests and receives service from an always-on server (e.g. e-mail).
A client is the party that initiates a connection while a server is the one that continuously awaits incoming
connections.
In a peer-to-peer model, there is minimal (or no) use of dedicated servers (e.g. BitTorrent).
An embedded system is a special-purpose computer on hardware dedicated to that purpose; such systems range
from simple sensors to complex machines. Types of embedded systems:
- standalone: have a standalone functionality and do not communicate to other systems
- network-aware: allow access of some internal functionality from outside, simple data retrieval is possible
- network-connected: are ‘on-line’ using standard protocols, “machine-to-machine” networks
- network-central: have some standalone function but the design aims at operation in a networked context
- fully networked: do not have a meaningful standalone function when disconnected from the network
Dominating access connections: Digital Subscriber Line (DSL, copper, high speed, low costs, not shared),
Cable Internet (coaxial, high speed, low cost, shared connection: bad during peak hours, half-duplex),
Fiber to the Home (FTTH, fiber optic, very high speed, asymmetric, high cost, full-duplex)
Data can be transferred from edge to edge in two ways:
- circuit switching: provides dedicated path per call/session, resources reserved for the call, no sharing,
call setup needed, resources not used by call are idle, is created by logically dividing network into pieces.
Examples: Frequency Division Multiplexing (FDM, different frequency sub band allocated to every session),
Time Division Multiplexing (TDM, different time slice of a (fixed) time period allocated to every session),
combination of FDM and TDM, Code Division Multiplexing (CDM, every session uses a signal code which
is orthogonal to all the other codes that are used by other transmitters such that the multiplication by the
session’s own code will return zero for all transmissions except for this specific session).




- packet-switching: each end-to-end data stream is divided into packets, packets share network
resources, each packet uses full link bandwidth (for a very short time), prevents idle time, resources used
as needed (no reservations). Result: resource contention: bandwidth demand can exceed the amount available
(congestion), which leads to too many packets. It uses statistical multiplexing: the sequence of A & B packets
does not have a fixed pattern, bandwidth is shared on demand. Store-and-forward behavior: packets
move one hop at a time, a node receives the full packet before forwarding, and it takes L/R seconds to transmit
(push out) a packet of L bits on a link at R bps, so delay = 3L/R (three transmissions of L/R each) assuming zero propagation delay. It is also possible to
realize virtual circuits using packet switching (virtual → each packet uses entire channel resources but the
multiplexing of packets can be done in such a way to provide circuit-like guarantees for selected sessions).
Pro: packet switching allows more users to use the network than in the case of circuit switching.
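The Code Division Multiplexing description above (each session's code is orthogonal to all others, so multiplying by a session's own code cancels every other transmission) worked through in Python. This is an added example, not part of the original summary; the Walsh code construction, the function names and the sample bit strings are assumptions chosen for illustration.

```python
# Added example: code division multiplexing with orthogonal Walsh codes.

def walsh_codes(n):
    """Return n mutually orthogonal +1/-1 codes of length n (n a power of two)."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    codes = [[1]]
    while len(codes) < n:
        # Sylvester construction: H_2k = [[H, H], [H, -H]]
        codes = ([row + row for row in codes] +
                 [row + [-c for c in row] for row in codes])
    return codes

def spread(bits, code):
    """Send each data bit as one copy of the code: bit 1 -> +code, bit 0 -> -code."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips

def channel(*signals):
    """Shared medium: simultaneous transmissions add up chip by chip."""
    return [sum(chips) for chips in zip(*signals)]

def despread(received, code):
    """Correlate each code-length block with one code.

    Result per block: +1 (bit 1), -1 (bit 0) or 0 (nobody sent with this code).
    """
    n = len(code)
    out = []
    for i in range(0, len(received), n):
        block = received[i:i + n]
        out.append(sum(r * c for r, c in zip(block, code)) // n)
    return out

if __name__ == "__main__":
    codes = walsh_codes(4)
    bits_a, bits_b = [1, 0, 1], [0, 0, 1]          # constructed sample data
    rx = channel(spread(bits_a, codes[1]), spread(bits_b, codes[2]))
    print("on the wire:", rx)
    print("session A  :", despread(rx, codes[1]))  # recovers A's bits
    print("session B  :", despread(rx, codes[2]))  # recovers B's bits
    print("unused code:", despread(rx, codes[3]))  # all zeros
```
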

The Internet is (a) physically a public network of computer networks and (b) logically a network facility that
provides services to (globally) distributed applications. An explanation for the industry boom in and around
Internet technology is Metcalfe’s law: the value of a network equals the square of the number of users.
There are three major standardization bodies for the Internet: ITU, IETF, IEEE. There are also government
regulations, like fighting digital crimes, facilitating open market competition and practicing censorship, or
local regulations enforced by network administrators.
Internet structure is a network of networks which is roughly hierarchical:
- tier-1 ISPs: at the center, national/international coverage, treat each other as equals, interconnect (peer)
privately (e.g. KPN, Verizon)
- tier-2 ISPs: smaller (often regional) ISPs, connect to one or more tier-1 ISPs and possibly other tier-2
ISPs (privately), pay a tier-1 ISP for connectivity to the rest of the Internet / are customers of a tier-1 provider
- tier-3 ISPs and local ISPs: last hop network (closest to end systems), no peering, just purchases, are
customers of higher tier ISPs connecting them to the rest of the Internet.
The Internet of Things (IoT) is (a) physically an extension of the Internet into the physical world
surrounding us using things and (b) logically a network that extends the reach of distributed applications to
billions of resource-poor devices. ‘Things’ in the context of the IoT are constrained devices, which are
connected to a constrained network but then united with ‘regular’ Internet services and broadband networks.
Their constraints include: low memory, low power, low throughput, etc.
Most common security attributes (CIA):
- Confidentiality: Keep your data hidden from those who are not supposed to see it.
- Integrity: Your data has not been altered by those who are not supposed to change it.
- Availability: Your data can be used by those who are supposed to use it.
Other security attributes include:
- Privacy: information about me is not misused (focus on purpose of data instead of who has data).
- Authenticity: is this information authentic (i.e. of undisputed origin, focuses on source instead of change)
- Non-repudiation: is this information undeniable (e.g. signature on a contract)
- Accountability: is the information provider accountable (i.e. can we punish provider if incorrect info)
A security policy explains what security attributes the system should achieve when (in which context) and
by which components and/or for what type of resources. It can be high-level (textual) or low level (code).
A security model is a formal framework used to express and interpret policies.
The security attributes of the system may be at risk from several types of threats. An attacker model
contains the capabilities and goals of an attacker and is used to determine whom we want to protect the
system against. They can be general or formal.
A chain is no stronger than its weakest link. So, consider all individual aspects of the system for security:
- Design: needs to address security goals which do not imply security problems
- Software quality: should not be flawed, example is buffer overflow vulnerability, not easy to solve bugs
- Security Tool Selection: leave choosing your crypto to the experts, obscurity is not good crypto
- System usage: users have different priorities but should still use the system appropriately
So, one needs to consider the system as a whole and consider security from the start.
Security tools by themselves do not make the system secure. A good security design determines what
security tools need to be employed where and when, considering the security requirements and the effects
(including trade-offs) different tools have on these requirements. There are trade-offs between security
attributes. It is hard to quantify security but for cryptographic primitives one can look at the computational
cost for breaking a system, expressed by the entropy. For web applications, security metrics have been
defined by checking for common security issues and assigning a risk to each of them.
Security Requirement Engineering:
1) Identify actors and goals: actors are those with a legitimate interest, their goals may depend/conflict
2) Identify attackers, vulnerabilities and attacks: consider attacks by insiders, think of countermeasures.



