
ASSIGNMENT 2

CCN20203 – Network & Data Security



Name: Zainur Ariffin Fadzli bin Zainal Abidin
ID : 012019071116

Name: Ashratul Balkis Binti Abas


ID : 012019072293

Name: Idham Izzudin Bin Shamsul Bahri


ID : 012019070072

Name: Muhammad Faidhi Faiz Mohd Yusof Rajan


ID : 012019071117

DUE DATE:
WEEK 7 (3/4/2020)

LECTURER NAME:
DR. MARWAN D. SALEH

1|Page
TABLE OF CONTENTS

No. | Contents | Pages
1. | Assignment questions | 3
2. | Introduction | 4
3. | Introduction on Internet Protocol Security (IPSec) | 5
4. | Applications of IPSec | 6
5. | Advantages and Disadvantages of IPsec | 8
6. | Components of IPSec, i.e. Authentication Header (AH), Encapsulated Security Payload (ESP), and key management protocols (ISAKMP and IKE) | 10
7. | Comparison between the AH and ESP protocols | 11
8. | Summary | 12
9. | Conclusion | 14
10. | Peer Assessment Collaboration Rubric | 15
11. | Report Rubric | 19

ASSIGNMENT QUESTIONS

- In this assignment, each group should write a report on the network security architecture and its related protocols.

The topics below are to be covered by this assignment:

1) Introduction on Internet Protocol Security (IPSec).
2) Applications of IPSec.
3) Advantages and Disadvantages of IPsec.
4) Components of IPSec, i.e. Authentication Header (AH), Encapsulated Security Payload (ESP), and key management protocols (ISAKMP and IKE).
5) Comparison between the AH and ESP protocols.
6) Summary.

INTRODUCTION

Network security is a wide concept encompassing a range of systems, tools and processes.
In its simplest terms, it is a collection of guidelines and settings intended to secure computer
networks and data privacy, security and usability, using both software and hardware
technology. Network security protocols are a form of network protocol that guarantees the
security and privacy of data in transit over a network link. Network security standards describe
the mechanisms and procedures for protecting network data against any unauthorized attempt
to access or remove data.

Throughout this assignment there are several types of protocol used for network security.
The protocols involved are:

- Internet Protocol Security (IPSec)
  In computing, Internet Protocol Security is a secure network protocol suite that
  authenticates and encrypts data packets to enable safe encrypted communication
  between two computers over an Internet Protocol network. It is found in virtual
  private networks.
- Authentication Header (AH)
  The Authentication Header (AH) is an IPSec mechanism that offers IP data
  confidentiality, verification of data origin and optional anti-replay functionality.
  The Authentication Header (AH) does not include protection of data (encryption of data).
- Encapsulated Security Payload (ESP)
  Encapsulating Security Payload (ESP) is a part of the IPsec protocol suite. It provides
  authenticity of origin through source authentication, integrity of data through hash
  functions, and secrecy through IP packet encryption.
- Key management protocols (ISAKMP and IKE)
  The Internet Security Association and Key Management Protocol (ISAKMP) is a framework
  specified by RFC 2408 for the establishment of security associations and
  cryptographic keys in an Internet context.

INTRODUCTION ON INTERNET PROTOCOL SECURITY (IPSEC)

Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and
encrypts the packets of data. This will provide secure encrypted communication between two
computers over an Internet Protocol (IP) network. It is used in virtual private networks
(VPNs).

IPsec can be used to:

- Encrypt application layer data.
- Provide security for routers sending routing data across the public internet.
- Provide authentication without encryption, for example to authenticate that the data
  originates from a known sender.

An example of the use of IPsec is setting up circuits using IPsec tunnelling, in which all data
being sent between two endpoints is encrypted, as with a VPN connection. IPsec can also
be used to provide authentication without encryption, for example to authenticate that data
originates from a known sender.

IPsec protects one or more paths between a pair of hosts, a pair of security gateways, or a
security gateway and a host. A security gateway is an intermediate device, such as a switch
or firewall that implements IPsec. Devices that use IPsec to protect a path between them are
called peers.

IPsec provides the following security services for traffic at the IP layer:

- Data origin authentication: identifying who sent the data.
- Confidentiality (encryption): ensuring the data has not been read en route.
- Connectionless integrity: ensuring the data has not been changed en route.
- Replay protection: detecting packets received more than once, to help protect against
  denial of service attacks.
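The replay-protection and integrity services just listed can be seen working together in the following added example; it is not part of the original report. It models an inbound SA in Python with the sliding anti-replay window of RFC 4303 (the 64-packet window size, the HMAC-SHA256-based ICV and the use of a dict for the packet are assumptions made for the demo) and shows why the window is advanced only after the ICV has verified.

```python
import hashlib
import hmac

# Constructed demo key; on a real SA the key comes out of the IKE negotiation.
SA_AUTH_KEY = b"constructed-demo-auth-key"
WINDOW_SIZE = 64  # RFC 4303 requires a window of at least 32 packets; 64 is the usual default


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA256 over sequence number and payload, truncated to 128 bits."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()[:16]


def protect(key: bytes, seq: int, payload: bytes) -> dict:
    """Sender side: attach the sequence number and the ICV (the packet is modelled as a dict)."""
    return {"seq": seq, "payload": payload, "icv": icv(key, seq, payload)}


class ReplayWindow:
    """Sliding window over sequence numbers, after RFC 4303 section 3.4.3.
    Bit i of `bitmap` is set when sequence number (highest - i) has already been accepted."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq: int):
        """Return None if seq may be accepted, otherwise the reason for dropping it."""
        if seq == 0:
            return "invalid sequence number"
        if seq > self.highest:
            return None  # right of the window: a new packet
        offset = self.highest - seq
        if offset >= self.size:
            return "outside window"  # older than the window's left edge
        if (self.bitmap >> offset) & 1:
            return "replay"
        return None

    def update(self, seq: int) -> None:
        """Mark seq as seen; call this only after the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


class InboundSA:
    """Receiver side: replay check first, then integrity check, then window update."""

    def __init__(self, key: bytes):
        self.key = key
        self.window = ReplayWindow()

    def receive(self, pkt: dict) -> str:
        reason = self.window.check(pkt["seq"])
        if reason is not None:
            return "dropped: " + reason
        # Constant-time comparison so the check does not leak how many ICV bytes matched.
        if not hmac.compare_digest(icv(self.key, pkt["seq"], pkt["payload"]), pkt["icv"]):
            return "dropped: bad ICV"
        self.window.update(pkt["seq"])  # an unauthenticated packet never advances the window
        return "accepted"


def run_demo() -> list:
    """Deliver constructed packets in an arrival order chosen to exercise each case."""
    sa = InboundSA(SA_AUTH_KEY)
    p1, p2, p3, p4 = (protect(SA_AUTH_KEY, n, b"data%d" % n) for n in (1, 2, 3, 4))
    forged = dict(p4, payload=b"tampered")  # payload altered in transit, so the ICV no longer matches
    arrivals = [p1, p2, p3,
                p2,                               # replayed copy of seq 2
                forged,                           # seq 4 with a modified payload
                p4,                               # the genuine seq 4 is still accepted afterwards
                protect(SA_AUTH_KEY, 100, b"x"),  # jumps the window forward
                protect(SA_AUTH_KEY, 30, b"y"),   # 70 behind the new right edge: outside the window
                protect(SA_AUTH_KEY, 50, b"z"),   # 50 behind: late, but still inside the window
                protect(SA_AUTH_KEY, 50, b"z")]   # and its replay
    return [sa.receive(p) for p in arrivals]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The ordering in `receive` matters: a forged packet with a high sequence number must not move the window, or it could be used to make the receiver discard the genuine packets that follow.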

APPLICATIONS OF IPSEC

IP Security (IPSec) is an Internet Engineering Task Force (IETF) standard suite of protocols
that provides data protection, privacy and confidentiality between two contact points across
an IP network. It also specifies packet encryption, decryption and authentication, and within
it are specified the protocols required for secure key exchange and key management.

IPsec can be used to do the following things:

- Encrypt data at the application layer.
- Provide protection for routers that transmit data through the public internet.
- Authenticate without encryption, i.e. authenticate that the data comes from a known sender.
- Secure network data by setting up IPsec tunnelling circuits to encrypt all data between the
  two endpoints, as with a VPN.

It has the following components:

- Encapsulating Security Payload (ESP)
  - Provides data confidentiality, encryption, authentication and anti-replay.
  - This also allows for payload authentication.
- Authentication Header (AH)
  - This also includes data confidentiality, authentication and anti-replay, and no encryption is provided.
  - The defense against replays safeguards against unauthorized packet transmission.
  - It doesn't secure your data confidentially.
- Internet Key Exchange (IKE)
  - This is a network security protocol designed to exchange encryption keys dynamically
    and to find a way between two devices over a Security Association (SA).
  - To help safe
  - Internet Key Exchange (IKE) offers security of message content and also an open
    environment for the implementation of standard algorithms such as SHA and MD5.
    Users of the IPsec algorithm create a unique identifier for each packet. This identifier
    then allows a computer to decide whether the packet was right or not.
  - Unauthorized packets are discarded and not issued to the recipient.

Working of IP Security:

- The host checks whether the packet should be transmitted using IPsec or not. Such packet
  traffic triggers the security policy by itself; the system sending the packet applies the
  appropriate encryption. The host also checks whether incoming packets are encrypted
  properly or not.
- Then IKE Phase 1 starts, in which the two hosts (using IPsec) authenticate themselves
  to each other to start a secure channel. It has two modes: Main mode, which provides
  greater security, and Aggressive mode, which enables the hosts to establish an
  IPsec circuit more quickly.
- The channel created in the previous step is then used to securely negotiate how the IP
  circuit will encrypt data.
- IKE Phase 2 is then conducted over the secure channel, in which the two hosts
  negotiate the cryptographic algorithms to use for the session and agree on the
  secret keying material to be used with those algorithms.
- The data is then exchanged across the newly created IPsec encrypted tunnel. These
  packets are encrypted and decrypted by the hosts using the IPsec SAs.
- When the communication between the hosts is complete or the session times out,
  the IPsec tunnel is terminated by both hosts discarding the keys.
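The following is an added, simplified model of the lifecycle described in the steps above (Phase 1 authentication, Phase 2 keying, data exchange over one SA per direction, and discarding the keys at tear-down); it is not code from the report or from any IPsec implementation. The toy Diffie-Hellman group, the PSK-based AUTH computation (loosely modelled on RFC 7296), the prf+ key expansion and the reduction of per-packet protection to an HMAC tag are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo only. Real IKE uses the IANA-registered
# MODP/ECP groups (for example a 2048-bit MODP prime), which are vastly larger than this.
TOY_P = 2305843009213693951  # 2**61 - 1: prime, but far too small for real use
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ of RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class UnidirectionalSA:
    """One SA per direction, each with its own SPI, key and sequence counter."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi, self.key, self.seq, self.active = spi, bytearray(auth_key), 0, True

    def _icv(self, seq: int, payload: bytes) -> bytes:
        header = self.spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
        return prf(bytes(self.key), header + payload)[:16]

    def protect(self, payload: bytes) -> dict:
        if not self.active:
            raise RuntimeError("SA terminated")
        self.seq += 1
        return {"spi": self.spi, "seq": self.seq, "payload": payload, "icv": self._icv(self.seq, payload)}

    def verify(self, pkt: dict) -> bool:
        return self.active and hmac.compare_digest(self._icv(pkt["seq"], pkt["payload"]), pkt["icv"])

    def terminate(self) -> None:
        """Discard the keying material: overwrite it in place, then refuse further use."""
        for i in range(len(self.key)):
            self.key[i] = 0
        self.active = False


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(TOY_P - 2) + 1            # ephemeral DH private value, never sent
        self.pub = pow(TOY_G, self.priv, TOY_P)                 # DH public value, sent on the wire
        self.nonce = secrets.token_bytes(16)
        self.spi = int.from_bytes(secrets.token_bytes(4), "big") or 1  # SPI this peer receives on


def phase1(i: Peer, r: Peer):
    """Phase 1 (simplified): DH plus nonces give SKEYSEED, then the initiator proves it knows the PSK."""
    secret_i = pow(r.pub, i.priv, TOY_P).to_bytes(8, "big")    # g^(ir) as computed by the initiator
    secret_r = pow(i.pub, r.priv, TOY_P).to_bytes(8, "big")    # the same value, computed by the responder
    skeyseed_i = prf(i.nonce + r.nonce, secret_i)
    skeyseed_r = prf(i.nonce + r.nonce, secret_r)
    # AUTH in the spirit of RFC 7296 section 2.15: a MAC under a PSK-derived key, bound to this exchange.
    auth_i = prf(prf(i.psk, b"Key Pad for IKEv2"), i.name.encode() + r.nonce + skeyseed_i)
    expected_by_r = prf(prf(r.psk, b"Key Pad for IKEv2"), i.name.encode() + r.nonce + skeyseed_r)
    return skeyseed_r, hmac.compare_digest(auth_i, expected_by_r)


def phase2(skeyseed: bytes, i: Peer, r: Peer):
    """Phase 2 (simplified): expand KEYMAT with prf+ and split it into one key per direction."""
    keymat = prf_plus(skeyseed, i.nonce + r.nonce, 64)
    sk_ai, sk_ar = keymat[:32], keymat[32:]             # initiator->responder, responder->initiator
    i_out, r_in = UnidirectionalSA(r.spi, sk_ai), UnidirectionalSA(r.spi, sk_ai)
    r_out, i_in = UnidirectionalSA(i.spi, sk_ar), UnidirectionalSA(i.spi, sk_ar)
    return i_out, i_in, r_out, r_in


def run_session(psk_match: bool = True) -> dict:
    """Establish, use and tear down the SA pair between two constructed peers."""
    init = Peer("gw-a.example", b"constructed-psk")
    resp = Peer("gw-b.example", b"constructed-psk" if psk_match else b"wrong-psk")
    skeyseed, ok = phase1(init, resp)
    if not ok:
        return {"authenticated": False}                    # no SA is created without authentication
    i_out, i_in, r_out, r_in = phase2(skeyseed, init, resp)
    pkt_ir, pkt_ri = i_out.protect(b"hello from A"), r_out.protect(b"hello from B")
    result = {
        "authenticated": True,
        "i_to_r_ok": r_in.verify(pkt_ir),
        "r_to_i_ok": i_in.verify(pkt_ri),
        "keys_differ": bytes(i_out.key) != bytes(r_out.key),
        "wrong_direction_rejected": not i_in.verify(pkt_ir),  # packet checked against the other SA
    }
    for sa in (i_out, i_in, r_out, r_in):                  # session over: both hosts discard the keys
        sa.terminate()
    try:
        i_out.protect(b"late")
    except RuntimeError as e:
        result["after_terminate"] = str(e)
    return result
```

Two points the model makes visible: the two directions get different keys and SPIs, so a packet is only accepted by the SA it was built for, and once the session ends the key bytes are overwritten rather than merely dereferenced.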

ADVANTAGES AND DISADVANTAGES OF IPSEC

Advantage of IPSec:

1) Network Layer Security and Transparency

Since IPSec operates at layer 3, the network layer, it has zero impact on the higher layers.
Therefore, IPSec offers better transparency to applications, and the end user does not need
to bother about IPSec and its configuration.

2) Zero Dependency on Applications

IPSec does not require applications to meet any specification, as all application data is
routed over IP, which makes it IPSec compatible.

3) Wide Compatibility and Flexibility

IPSec can be implemented over any IP-enabled network, which makes it flexible and cost
effective. IPSec supports all IP-based application systems without modifying them, because
it is implemented below the transport layer protocols such as TCP and UDP. Hence it
provides the end user with ease of use and a simpler configuration process.

4) Precise Encryption

IPSec encrypts on a per-packet rather than a per-flow basis, which allows for better Internet
Protocol security and greater flexibility.

Disadvantage of IPSec:

1) Possible security breach within the network

When a computer system is attached to the IPSec system, all other devices attached to the
local network will be able to gain access throughout the Wide Area Network (WAN).
Therefore, there is a possibility of a data security breach, as any vulnerability is able to
spread to other devices through the IPSec tunnel.

2) Higher CPU Overhead

IPSec imposes a much higher CPU overhead on certain applications such as Virtual Private
Networks, due to the demanding processing power necessary for packet encryption/decryption
and authentication tasks.

3) High risk of weakness within the protocol

IPSec is rather complex due to its high number of features and options. A highly complex
system could lead to a higher chance of encountering a weakness or loophole in the protocol.

COMPONENTS OF IPSEC

IPSec consists of three major components which are Encapsulating Security Payload (ESP),
Authentication Header (AH) and Internet Key Exchange (IKE).

1) Encapsulating Security Payload (ESP)

Encapsulating Security Payload, or ESP, is used as one of the key components of the
IPSec system, mainly to provide better data integrity, encryption and authentication
throughout the network system. It also provides anti-replay, a sub-protocol responsible
for preventing incoming hacking activity towards the network system, hence making sure
IPSec is a well-secured connection.

2) Authentication Header (AH)

Authentication Header, or AH, is the other security mechanism component used in IPSec; its
primary functions are identical to those of Encapsulating Security Payload (ESP) but without
providing encryption functionality. The primary function of Authentication Header (AH) is to
provide a higher level of data integrity by verifying the original source of the data packet and
checking for possibly altered data in the payload and header. This ensures that no data is
tampered with throughout transmission.

Even though Authentication Header (AH) provides authentication and integrity, it does not
protect the data's confidentiality.

3) Internet Key Exchange (IKE)

Internet Key Exchange (IKE) is a network security protocol implemented within the IPSec
system to dynamically alter encryption keys and find a path over a Security Association (SA)
between two separate devices. A key management protocol such as ISAKMP provides the
vital framework for authentication and key exchange purposes.

Internet Key Exchange (IKE) provides a foundation for implementing standardized
network security algorithms such as SHA and MD5, which provide a unique identifier for each
packet. This algorithm checks the authenticity of each packet to determine whether the packet
is authorized; otherwise, the algorithm prevents the unauthorized data packet from
reaching the receiver.

COMPARISON BETWEEN THE AH AND ESP PROTOCOLS

Authentication Header (AH) is the IPSec authentication protocol. The Authentication
Header (AH) is an IPSec protocol offering IP data confidentiality, verification of user origin
and optional anti-replay services. Encapsulating Security Payload (ESP) is a part of
the IPsec protocol suite. It provides authenticity of origin via source authentication, data
integrity through hash functions and confidentiality via IP packet encryption. Below
is a table of comparison between the AH and ESP protocols:

No. | Authentication Header (AH) | Encapsulating Security Payload (ESP)
1. | Provides integrity protection for both packet headers and data. | ESP does not supply the outermost IP header with an integrity defense.
2. | Often inconsistent with NATing, as the validity of the source and destination IP headers has been maintained. | The real source and destination IP is encrypted in ESP tunnel format. Therefore ESP tunnel mode is the most commonly used for IPsec VPN.
3. | Does not provide encryption options. | Provides encryption option.
4. | Usage of AH decreased substantially. Such IPsec implementations do not help AH. | Padding features make traffic forecasting difficult for an adversary.
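To make rows 1 and 2 of the table concrete, the following added example (not part of the original report) models an AH packet and an ESP tunnel-mode packet in Python and passes each through a NAT that rewrites the outer source address. The packet layout as dicts, the 96-bit HMAC-SHA256 ICV and the SHAKE-256 keystream standing in for the ESP cipher are assumptions for the demo only, not real IPsec transforms.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo keys; real SA keys come from the IKE negotiation.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"
DEMO_IV = b"\x00" * 8  # fixed only to keep the demo deterministic; a real SA never reuses an IV


def icv(data: bytes) -> bytes:
    """96-bit truncated HMAC, the customary ICV length for AH and ESP authentication."""
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:12]


def keystream_xor(iv: bytes, data: bytes) -> bytes:
    """Stand-in for the ESP cipher: XOR with a SHAKE-256 keystream. Illustrative only."""
    ks = hashlib.shake_256(ENC_KEY + iv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def ah_protect(outer: dict, payload: bytes) -> dict:
    """AH: the ICV covers the immutable outer IP header fields (here src/dst) plus the payload."""
    return {"outer": dict(outer), "payload": payload,
            "icv": icv(addr(outer["src"]) + addr(outer["dst"]) + payload)}


def ah_verify(pkt: dict) -> bool:
    o = pkt["outer"]
    return hmac.compare_digest(icv(addr(o["src"]) + addr(o["dst"]) + pkt["payload"]), pkt["icv"])


def esp_tunnel_protect(outer: dict, inner: dict, payload: bytes) -> dict:
    """ESP tunnel mode: the whole inner packet (inner header + payload) is encrypted, and the ICV
    covers only the ESP header and ciphertext, so the outer IP header is not integrity-protected."""
    inner_packet = addr(inner["src"]) + addr(inner["dst"]) + payload
    ct = keystream_xor(DEMO_IV, inner_packet)
    return {"outer": dict(outer), "iv": DEMO_IV, "ct": ct, "icv": icv(DEMO_IV + ct)}


def esp_tunnel_unprotect(pkt: dict):
    """Return (inner_src, inner_dst, payload), or None if the ICV fails. Verify before decrypting."""
    if not hmac.compare_digest(icv(pkt["iv"] + pkt["ct"]), pkt["icv"]):
        return None
    inner = keystream_xor(pkt["iv"], pkt["ct"])
    return (str(ipaddress.IPv4Address(inner[:4])), str(ipaddress.IPv4Address(inner[4:8])), inner[8:])


def nat_rewrite_src(pkt: dict, new_src: str) -> dict:
    """What a NAT device on the path does: rewrite the outer source address."""
    return dict(pkt, outer=dict(pkt["outer"], src=new_src))


def run_demo() -> dict:
    payload = b"GET /status"
    # Transport-mode AH between a host and a server, crossing a NAT on the way.
    ah = ah_protect({"src": "10.0.0.5", "dst": "203.0.113.9"}, payload)
    ah_natted = nat_rewrite_src(ah, "198.51.100.7")
    # Tunnel-mode ESP between two gateways; the real endpoints sit on private networks.
    esp = esp_tunnel_protect({"src": "198.51.100.1", "dst": "203.0.113.9"},
                             {"src": "10.0.0.5", "dst": "10.1.0.8"}, payload)
    esp_natted = nat_rewrite_src(esp, "192.0.2.44")
    inner_src, inner_dst, inner_payload = esp_tunnel_unprotect(esp_natted)
    tampered = dict(esp_natted, ct=bytes([esp_natted["ct"][0] ^ 1]) + esp_natted["ct"][1:])
    return {
        "ah_ok_before_nat": ah_verify(ah),
        "ah_ok_after_nat": ah_verify(ah_natted),            # False: NAT changed a covered field
        "esp_ok_after_nat": inner_payload == payload,        # True: the outer header is outside the ICV
        "inner_addresses_recovered": (inner_src, inner_dst) == ("10.0.0.5", "10.1.0.8"),
        "inner_header_visible_on_wire": esp["ct"][:8] == addr("10.0.0.5") + addr("10.1.0.8"),
        "esp_tampered_rejected": esp_tunnel_unprotect(tampered) is None,
    }
```

The same property cuts both ways: ESP survives the NAT because the outer header is not authenticated, which is exactly why row 1 lists that header as unprotected.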

SUMMARY

IP Security (IPsec) is a standards based framework for ensuring secure private
communication over IP networks. IPsec provides a secure way to authenticate senders and
encrypt IP version 4 (IPv4) and version 6 (IPv6) traffic between network devices, such as
routers and hosts. IPsec includes data integrity, sender authentication, source data
confidentiality, and protection against data replay.

These are the concepts we need to understand:

1. IPsec-Enabled Line Cards
   IPsec on a Junos OS-based router depends on the type of line card you wish to use. The term
   line card includes Physical Interface Cards (PICs), Modular Interface Cards (MICs), Dense
   Port Concentrators (DPCs), and Modular Port Concentrators (MPCs).
2. Authentication Algorithms
   Authentication is the process of verifying the identity of the sender. Authentication
   algorithms use a shared key to verify the authenticity of the IPsec devices.
3. Encryption Algorithms
   Encryption encodes data into a secure format so that it cannot be deciphered by
   unauthorized users. Like authentication algorithms, a shared key is used with encryption
   algorithms to verify the authenticity of the IPsec devices.
4. IPsec Protocols
   IPsec protocols determine the type of authentication and encryption applied to packets
   that are secured by the router.
5. IPsec Security Associations
   An SA is a set of IPSec specifications that are negotiated between devices that are
   establishing an IPSec relationship. These specifications include preferences for the type
   of authentication, encryption, and IPSec protocol that should be used when establishing
   the IPSec connection. An SA can be either unidirectional or bidirectional, depending on
   the choices made by the network administrator.
6. IPsec Modes
   When configuring IPSec, the last major consideration is the type of IPSec mode you wish
   to implement in your network. The Junos OS supports the following IPSec modes.
7. Digital Certificates
   A digital certificate implementation uses the public key infrastructure (PKI), which
   requires you to generate a key pair consisting of a public key and a private key. The keys
   are created with a random number generator and are used to encrypt and decrypt data.
   In networks that do not use digital certificates, an IPSec-enabled device encrypts data
   with the private key and IPSec peers decrypt the data with the public key.
8. Service Sets
   The Adaptive Services PIC supports two types of service sets when you configure IPSec
   tunnels. Because they are used for different purposes, it is important to know the
   differences between these service set types.

CONCLUSION

Network protection is one of the most critical things to remember while operating on the
Internet, a LAN or any other tool, no matter how small or big the company is. Although no
network is resistant to threats, a reliable and effective network security infrastructure
is important for the safety of client data. Network protection aims to secure workstations
from malicious spyware. It also means that shared data is held safe. Network security
architecture offers a range of layers of defense to deter threats by breaking information
into several sections, encrypting it and distributing it via separate channels, while mitigating
situations such as eavesdropping.

A network protocol is a specification that defines the formats and sequences used for data
transmission. Such guidelines can be patented frameworks or standards as specified by
public agencies or industry organizations. They can be proprietary ('closed') or public
('open'). The protocol is a guide to ensure that all programs are written in the same language.
It would be useless to compose a software system in which the author invents his own series of
codes and messages: such a system would not be able to communicate with others, and
the software that received the output of this initial system would not be able to decode the
messages.

PEER ASSESSMENT COLLABORATION RUBRIC (5% - (Individual) – 25 marks)

Name : ASHRATUL BALKIS BINTI ABAS
ID : 012019072293

Discipline
  Excellent (5): Excellent in their discipline
  Good (4): Good in their discipline
  Satisfactory (3): Some discipline problem
  Needs Improvement (1-2): Weak in their discipline

Participation
  Excellent (5): Did the task successfully with full dedication.
  Good (4): Did the task successfully but lack of dedication.
  Satisfactory (3): Did not significantly participate in the given task.
  Needs Improvement (1-2): Did not participate in the given task.

Teamwork
  Excellent (5): Works well with others. Assumes a clear role in decision making and responsibilities.
  Good (4): Works well with others. Takes part in most decisions and shares in the responsibilities.
  Satisfactory (3): Works with others, but has difficulty sharing decisions and responsibilities.
  Needs Improvement (1-2): Cannot work with others in most situations. Cannot share decisions or responsibilities.

Cooperation
  Excellent (5): Excellent in their cooperation before, during and after this project.
  Good (4): Good in their cooperation before, during and after this project.
  Satisfactory (3): Only cooperates during this programme.
  Needs Improvement (1-2): Even during this programme this student does not cooperate well.

Listening
  Excellent (5): Group member listened carefully to others' ideas.
  Good (4): Group member usually listened to others' ideas.
  Satisfactory (3): Group member sometimes did not listen to others' ideas.
  Needs Improvement (1-2): Group member did not listen to others and often interrupted them.

Other Team Members | Participation | Cooperation | Teamwork | Discipline | Listening | Total
1. Zainur Ariffin Fadzli bin Zainal Abidin | 4 | 4 | 4 | 4 | 4 | 20
2. Idham Izzudin Bin Shamsul Bahri | 4 | 4 | 4 | 4 | 4 | 20
3. Muhammad Faidhi Faiz Mohd Yusof Rajan | 4 | 4 | 4 | 4 | 4 | 20

Total /25

PEER ASSESSMENT COLLABORATION RUBRIC (5% - (Individual) – 25 marks)

Name : ZAINUR ARIFFIN FADZLI BIN ZAINAL ABIDIN

ID : 012019071116

(Rubric criteria identical to the first peer assessment table above.)

Other Team Members | Participation | Cooperation | Teamwork | Discipline | Listening | Total
1. Ashratul Balkis Binti Abas | 4 | 5 | 4 | 5 | 3 | 21
2. Muhammad Faidhi Faiz Mohd Yusof Rajan | 3 | 5 | 4 | 4 | 4 | 20
3. Idham Izzudin Bin Shamsul Bahri | 4 | 5 | 3 | 4 | 5 | 21

Total /25

PEER ASSESSMENT COLLABORATION RUBRIC (5% - (Individual) – 25 marks)

Name : IDHAM IZZUDIN BIN SHAMSUL BAHRI

ID : 012019070072

(Rubric criteria identical to the first peer assessment table above.)

Other Team Members | Participation | Cooperation | Teamwork | Discipline | Listening | Total
4. Ashratul Balkis Binti Abas | 4 | 5 | 4 | 5 | 3 | 21
5. Muhammad Faidhi Faiz Mohd Yusof Rajan | 4 | 5 | 4 | 4 | 4 | 21
6. Zainur Ariffin Bin Zainal Abidin | 5 | 5 | 4 | 4 | 5 | 23

Total /25

PEER ASSESSMENT COLLABORATION RUBRIC (5% - (Individual) – 25 marks)

Name : MUHAMMAD FAIDHI FAIZ MOHD YUSOF RAJAN

ID : 012019071117

(Rubric criteria identical to the first peer assessment table above.)

Other Team Members | Participation | Cooperation | Teamwork | Discipline | Listening | Total
Zainur Ariffin Fadzli bin Zainal Abidin | 5 | 4 | 5 | 5 | 5 | 24
Idham Izzudin Bin Shamsul Bahri | 5 | 4 | 5 | 5 | 5 | 24
Ashratul Balkis Binti Abas | 5 | 5 | 5 | 4 | 5 | 24

Total /25

REPORT RUBRIC (15% - (Group) – 75 marks)

ASSESSMENT CRITERIA (marks per criterion: 15-12 / 11-8 / 7-4 / 3-1)

Organization (Overall order, flow, and transitions)
  15-12: Information is presented in effective order. Excellent structure of paragraphs and transitions enhances readability and comprehension.
  11-8: Information is logically ordered with paragraphs and transitions.
  7-4: Details and examples are not organized, are hard to follow and need further development.
  3-1: Information is scattered and hard to understand.

Quality of Information
  15-12: Supporting details are specific to the topic and provide the necessary information.
  11-8: Some details don't support the report topic.
  7-4: Details are somewhat sketchy.
  3-1: Unable to find specific details.

Introduction
  15-12: Introductory paragraph is clearly stated, has a sharp, distinct focus and enhances the impact of the report.
  11-8: Introductory paragraph is clearly stated with a focus.
  7-4: Introductory paragraph is vague.
  3-1: Introductory paragraph is not apparent.

Conclusion
  15-12: Concluding paragraph summarizes with a clear, effective conclusion and enhances the impact of the report.
  11-8: Concluding paragraph follows and summarizes the report discussion with a conclusion.
  7-4: Concluding paragraph is only remotely related to the report topic.
  3-1: Concluding paragraph is not apparent.

Accuracy of Content
  15-12: Exceptionally well-presented and argued; ideas are detailed, well-developed, supported with specific evidence and facts, as well as examples and specific details.
  11-8: Well-presented and argued; ideas are detailed, developed and supported with evidence and details, mostly specific.
  7-4: Content is sound and solid; ideas are present but not particularly developed or supported; some evidence, but usually of a generalized nature.
  3-1: Content is not sound.

MARKS

Total /75

