1. Read the text and find the answers to the following questions.
1. What does data encryption provide?
2. A message encrypted with the recipient’s public key can only be decrypted with
a. the sender’s private key
b. the sender’s public key
c. the recipient’s private key.
3. What system is commonly used for encryption?
4. What is the opposite of ‘encrypt’?
5. A message-digest function is used to
a. authenticate a user
b. create a MAC
c. encrypt a message.
6. What information does a digital certificate give to a client?
SAFE DATA TRANSFER
Secure transactions across the Internet have three goals. First, the two parties engaging in a transaction (say, an email or a business purchase) don’t want a third party to be able to read their transmission. Some form of data encryption is necessary to prevent this. Second, the receiver of the message should be able to detect whether someone has tampered with it in transit. This calls for a message-integrity scheme. Finally, both parties must know that they’re communicating with each other, not an impostor. This is done with user authentication.
Today’s data encryption methods rely on a technique called public-key cryptography.
Everyone using a public key system has a public key and a private key. Messages are encrypted and decrypted with these keys. A message encrypted with your public key can only be decrypted by a system that knows your private key.
For the system to work, two parties engaging in a secure transaction must know each other’s public keys. Private keys, however, are closely guarded secrets known only to their owners.
When I want to send you an encrypted message, I use your public key to turn my message into gibberish. I know that only you can turn the gibberish back into the original message because only you know your private key. Public-key cryptography also works in reverse – that is, only your public key can decipher your private key’s encryption.
To make a message tamper-proof (providing message integrity), the sender runs each message through a message-digest function. This function within an application produces a number called a message-authentication code (MAC). The system works because it’s almost impossible for an altered message to have the same MAC as another message. Also, you can’t take a MAC and turn it back into the original message.
The software being used for a given exchange produces a MAC for a message before it’s encrypted. Next, it encrypts the MAC with the sender’s private key. It then encrypts both the message and the encrypted MAC with the recipient’s public key and sends the message.
When the recipient gets the message and decrypts it, they also get an encrypted MAC. The software takes the message and runs it through the same message-digest function that the sender used and creates its own MAC. Then it decrypts the sender’s MAC. If the two are the same, then the message hasn’t been tampered with.
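The sender-side and recipient-side steps of the three paragraphs above, as an added worked example that is not part of the original text: a toy, unpadded RSA over four fixed Mersenne primes (assumed here for illustration only, far too small for real use) plays the role of the public and private keys, and SHA-256 truncated to 128 bits plays the message-digest function.

```python
import hashlib

# Constructed toy keys: textbook (unpadded) RSA over fixed Mersenne primes.
# Assumed for illustration only; real systems use padded RSA or ECC with
# much larger keys.
SENDER_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)       # n_s is about 2^150
RECIPIENT_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)  # n_r is about 2^234 (> n_s)
E = 65537  # public exponent; coprime with (p-1)(q-1) for these primes

def make_keypair(p, q, e=E):
    """Return (public, private) as (exponent, modulus) tuples."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)

def mac(message: bytes) -> int:
    """The text's message-digest function: SHA-256 truncated to 128 bits
    so the MAC is smaller than the toy sender modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")

def send(message: bytes, sender_priv, recipient_pub):
    """Sender side: MAC the message, encrypt the MAC with the sender's private
    key, then encrypt message and encrypted MAC with the recipient's public key."""
    d_s, n_s = sender_priv
    e_r, n_r = recipient_pub
    m = int.from_bytes(message, "big")
    if not message or message[0] == 0 or m >= n_r:
        raise ValueError("toy modulus: message must be 1..29 bytes, first byte non-zero")
    sealed_mac = pow(mac(message), d_s, n_s)
    return pow(m, e_r, n_r), pow(sealed_mac, e_r, n_r)

def receive(envelope, recipient_priv, sender_pub):
    """Recipient side: decrypt both parts with the recipient's private key,
    recompute the MAC, decrypt the sender's MAC with the sender's public key
    and compare. Returns (integrity_ok, message)."""
    d_r, n_r = recipient_priv
    e_s, n_s = sender_pub
    c_msg, c_mac = envelope
    m = pow(c_msg, d_r, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    sender_mac = pow(pow(c_mac, d_r, n_r), e_s, n_s)
    return sender_mac == mac(message), message

if __name__ == "__main__":
    sender_pub, sender_priv = make_keypair(*SENDER_PRIMES)
    recipient_pub, recipient_priv = make_keypair(*RECIPIENT_PRIMES)
    envelope = send(b"Transfer 100 to account 42", sender_priv, recipient_pub)
    print(receive(envelope, recipient_priv, sender_pub))   # (True, b'Transfer 100 to account 42')
    damaged = (envelope[0] ^ 1, envelope[1])               # one bit altered in transit
    print(receive(damaged, recipient_priv, sender_pub)[0])  # False
```

The same "MAC encrypted with the signer's private key" step is what the certificate issuer performs in the next section, with the issuer's key pair in place of the sender's.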
The dynamics of the Web dictate that a user-authentication system must exist. This can be done using digital certificates.
A server authenticates itself to a client by sending an unencrypted ASCII-based digital certificate. A digital certificate contains information about the company operating the server, including the server’s public key. The digital certificate is ‘signed’ by a trusted digital-certificate issuer, which means that the issuer has investigated the company operating the server and believes it to be legitimate. If the client trusts the issuer, then it can trust the server. The issuer ‘signs’ the certificate by generating a MAC for it, then encrypts the MAC with the issuer’s private key. If the client trusts the issuer, then it already knows the issuer’s public key.
The dynamics and standards of secure transactions will change, but the three basic tenets of secure transactions will remain the same. If you understand the basics, then you’re already three steps ahead of everyone else.
2. Match the functions 1-4 with the keys A-D.
Functions:
1. to encrypt a message for sending
2. to decrypt a received message
3. to encrypt the MAC of a message
4. to encrypt the MAC of a digital signature
Keys:
A. sender’s private key
B. trusted issuer’s private key
C. the recipient’s private key
D. the recipient’s public key
3. Match the terms 1-6 with the statements A-F.
A. Message-authentication code
B. Principal features
C. Meaningless data
D. Person pretending to be someone else
E. Make unauthorized changes
F. Convert to meaningful data
4. Mark the following statements as True or False. Correct the false ones.
1. A message encrypted with a public key can be decrypted by anyone.
2. To send a secure message you must know the recipient’s public key.
3. Secure messages are normally encrypted using a private key before they are sent.
4. A message can be reconstructed from its MAC.
5. Two messages can often have the same MAC.
6. A digital certificate is sent to a client in an encrypted form.
7. A digital certificate should be signed by a trusted digital-certificate issuer.
8. A MAC is used to check that a message has not been tampered with.
5. Put the following sentences, about sending a secure email, in the correct order.
A. The message is decrypted with the recipient’s private key.
B. The message is received by the recipient.
C. The message is encrypted with the recipient’s public key.
D. The message is sent by the sender.
6. Read the text and find the answers to the following questions.
1. Name 3 areas of computing that companies rely on more and more.
2. What can intimidate even the most experienced network manager?
3. What 3 types of peripheral storage devices do most companies rely on for backing up data and storing information?
4. What type of data-intensive application do companies rely more heavily on?
5. What has kept the SCSI bus from evolving rapidly?
6. What traditional LAN interface is mentioned in the text?
7. Name 2 drawbacks of NAS.
8. What type of server can be connected to a SAN?
9. In what 2 ways will a SAN lighten your server’s workload?
10. What types of cabling can be used with Fibre Channel?
DOING THE SAN THING
As companies rely more and more on e-commerce, online-transaction processing and databases, the amount of information that needs to be managed and stored on a network can intimidate even the most experienced of network managers.
While servers do a good job of storing data, their capacity is limited and they can become a bottleneck if too many users try to access the same information. Instead, most companies rely on peripheral storage devices, such as tape libraries, RAID disks and even optical storage systems. These devices are effective for backing up data online and storing large amounts of information.
But as server farms increase in size and companies rely more heavily on data-intensive applications, such as multimedia, the traditional storage model isn’t quite as useful. This is because access to these peripheral devices can be slow, and it might not always be possible for every user to easily and transparently access each storage device.
The most basic way of expanding storage capacity on the network is to hang disk arrays or other storage devices off servers, using the SCSI interface or bus.
While SCSI has been a workhorse over the years for connecting peripherals at a relatively fast speed, distance limitations have kept this particular bus interface from evolving rapidly.
The SCSI standards put a bus length limit of about 6m on devices. While this distance limitation doesn’t really affect connecting storage devices directly to a server, it does severely restrict placing RAID and tape libraries at other points on the network.
This is where the concept of Network Attached Storage (NAS) comes in. NAS is simple in concept and execution: disk arrays and other storage devices connect to the network through a traditional LAN interface, such as Ethernet. Storage devices would thus attach to network hubs, much the same as servers and other network devices. However, NAS does have a few drawbacks.
First, network bandwidth places throughput limitations on the storage devices. Another downside to NAS is the lack of cohesion among storage devices. While disk arrays and tape drives are on the LAN, managing the devices can prove challenging, since they are separate entities and not logically tied together. NAS has its place as viable storage architecture, but large companies need something more.
Large enterprises that want the ability to store and manage large amounts of information in a high-performance environment now have another option: the Storage Area Network (SAN). In a SAN, storage devices such as Digital Linear Tapes (DLTs) and RAID arrays are connected to many kinds of servers via a high-speed interconnection, such as Fibre Channel.
This high-speed link creates a separate, external network that’s connected to the LAN, but acts as an independent entity.
This setup allows for any-to-any communication among all devices on the SAN. It also provides alternative paths from server to storage device. In other words, if a particular server is slow or completely unavailable, another server on the SAN can provide access to the storage device. A SAN also makes it possible to mirror data, making multiple copies available.
SANs offer several advantages. First, they allow for the addition of bandwidth without burdening the main LAN. SANs also make it easier to conduct online backups without users feeling the bandwidth pinch. When more storage is needed, additional drives do not need to be connected to a specific server; rather, they can simply be added to the storage network and accessed from any point.
Another reason for the interest in SANs is that all the devices can be centrally managed. Instead of managing the network on a per-device basis, storage can be managed as a single entity, making it easier to deal with storage networks that could potentially consist of dozens or even hundreds of servers and devices.
You can connect almost any modern server to a SAN, because SAN-support hardware and software spans most PC, midrange and mainframe platforms. Ideally, a SAN will lighten your server’s workload by offloading many storage-related server tasks to the SAN and by better allocating storage resources to servers.
The most important piece of any SAN architecture is the underlying network technology that drives it. You can use ordinary Fast Ethernet, but Fibre Channel is emerging as the technology of choice for SAN implementations. Fibre Channel was developed by ANSI in the early 1990s as a means to transfer large amounts of data very quickly. Fibre Channel is compatible with SCSI, IP, IEEE 802.2, ATM Adaptation Layer for computer data, and Link Encapsulation, and it can be used over copper cabling or fibre-optic cable.
7. Note the advantages of a SAN.
8. Match the terms 1-6 with the statements A-F.
Terms:
2. Fibre Channel
5. Server farm
6. Disk array
Statements:
A. Storage area network
B. Write copies of data to two disks at the same time
C. A large collection of computers that work together to provide services on a network
D. Network attached storage
E. A set of interconnected disks
F. A type of high-speed interconnection
9. Using information from the text, mark the following as True or False. Correct the false ones.
1. In the traditional storage model, it is always possible for every user to access each storage device.
2. Hanging storage devices off servers is the most basic way of expanding storage capacity.
3. The distance limitation of SCSI affects the direct connection of storage devices to a server.
4. A SAN is not usually connected to a LAN.
5. All devices can be centrally managed in a SAN.
6. Fast Ethernet is becoming the most popular type of interconnection for SANs.
1. Study this diagram of a firewalled network system. Write a description of how it operates. You may need to do some research on firewalls to supplement the diagram. Your description should answer these questions:
1. What is its function?
2. What does it consist of?
3. How are the firewalls managed?
4. How does it control outgoing communications?
5. How does it prevent external attack?
1. How a firewall works
Suggested online resources:
2. Write a list of tips to prevent computer infections.