Network Security Lab Manual

Published on May 2016

Complete Lab Manual of Network Security


LAB MANUAL

NETWORK SECURITY

Submitted To: Engr. Tauseef Ahmed Siddiqui

Department of Telecommunication Engineering
University College of Engineering & Technology

The Islamia University of Bahawalpur

LABORATORY WORK BOOK

For The Course
Network Security (TE-424)

Student Name: ______________
Roll No. __________________

Prepared By:
Engr. Tauseef Ahmad Siddiqui
Assistant Professor, Telecommunications Engineering

Department of Telecommunication Engineering
University College of Engineering & Technology

The Islamia University of Bahawalpur, Pakistan

LIST OF EXPERIMENTS

Sr. No

Name of Experiment

Lab 01

Introduction To Cryptool

Lab 02

Implementation of ADFGVX Cipher

Lab 03

Implementation of Caesar Cipher

Lab 04

Implementation of Playfair Cipher

Lab 05

Implementation of Hill Cipher

Lab 06

Implementation of Vigenère Cipher

Lab 07

Implementation of Vernam Cipher

Lab 08

Implementation of Transposition Cipher

Lab 09

Implementation of Data Encryption Standard (DES)

Lab 10

Implementation of Advance Encryption Standard (AES)

Lab 11

Implementation of RC4 Algorithm

Lab 12

Implementation of MD5 Hash Algorithm

Lab 13

Implementation of Secure Hash Algorithm (SHA)

Lab 14

IP Access Control List Concepts

Lab 15

Standard IP Access Control List

Lab 16

Extended IP Access Control List

Lab 17

Virtual Private Network (VPN)

Lab 18

Windows Firewall

Network Security (TE-424)

Telecom 8th Semester

LAB EXPERIMENT NO.01
INTRODUCTION TO CRYPTOOL

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Introduction of Cryptool Software.
INTRODUCTION:
CrypTool 2 is a free program that lets anyone who installs it experiment with encryption: build their
own arrangements of components, test the algorithms and study the results.
BASIC DESCRIPTION:
More specifically, the basic steps are the following. Select an algorithm, which determines what kind
of operation will be performed (encryption or decryption); supply the input data (text, file, picture,
etc.) and keys of the type the algorithm requires; then form the connections in the interface between
the components and the output connectors where the result will appear. If anything is not as it should
be, the program does not allow the connections to be completed and does not run; otherwise the result
is displayed after execution. The results obtained can then be studied, compared, or used as input to
a new encryption or decryption.
ORIGINAL IMAGE:

Figure 1

Department of Telecommunication Engineering

Figure 1 shows the main window of the program before any selection is made. The horizontal bar along
the top holds the menu options for the usual functions: saving, file selection, updates, settings and
program execution. The vertical panel on the left is the toolbox of available components, and the
remaining space is the work area in which the necessary components are connected.
OPTIONS OF THE SOFTWARE:


Figure 2 details what is included in the toolbox on the left side. We see all the classic algorithms,
all the modern algorithms, hash functions, steganography, protocols and the kinds of inputs and outputs
needed to run an algorithm. Right-clicking any of these elements once it has been placed in the work
area makes the program show further information on how to use and operate it.
DETAILS OF ALGORITHMS:


Zooming in on the icons of the algorithms lets us deal with the details of their settings. In Figure 3,
the icons of DES and ADFGVX have options for the type of use (encryption or decryption), the chaining
mode, i.e. the block cipher mode of operation (Electronic Code Book, Cipher Block Chaining, Cipher
Feedback, Output Feedback and Counter), the padding mode (filling gaps), and the keys used.
DISPLAY CONNECTION:

Figure 4 then shows an example of how all the necessary elements are connected to perform the
operation. RSA appears, with which a passage of text is encrypted. The necessary inputs on the left
side are the public and private keys used to encrypt the data.
OPERATION:


The previous figure illustrates how the "execution" of the program produces the result. Once execution
has reached 100% the run is complete; press stop and the result is available.

In the figure above we see the text that the PLAYFAIR component gives us. It is obvious that the result
(output) of one process can be used as input in a subsequent procedure.
LANGUAGE STATISTICS:

So, using the output of PLAYFAIR, we can make use of another function, the language statistics (figure
shown above): how often each letter is repeated. Because this is characteristic of each language, it is
an element of cryptanalysis for extracting the original message.

CRYPTANALYSIS:
Referring back to the language statistics and their usefulness, it should be noted that the capabilities
of CrypTool 2 are not limited to statistics; it incorporates other cryptanalysis instruments (tests) such
as the Friedman test (a process for estimating the possible key length of a polyalphabetic substitution
cipher) and the Kasiski test (an attack on polyalphabetic substitutions based on analysing the gaps
between repeated sections of ciphertext). In Figure 9, we make use of the ENIGMA machine, cryptanalysing
the result by applying the tests mentioned above.


LAB EXPERIMENT NO.02
IMPLEMENTATION OF ADFGVX CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of ADFGVX cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The 'key' for an ADFGVX cipher is a 'key square' and a key word, e.g.
p h 0 q g 6
4 m e a 1 y
l 2 n o f d
x k r 3 c v
s 5 z w 7 b
j 9 u t i 8

The key square is a 6 by 6 square containing all the letters and the numbers 0-9. The key word is any
word, e.g. GERMAN.
There are a number of steps involved:
1. Build a table like the following with the key square. This is known as a Polybius square.
A D F G V X
A | p h 0 q g 6
D | 4 m e a 1 y
F | l 2 n o f d
G | x k r 3 c v
V | s 5 z w 7 b
X | j 9 u t i 8


2. Encode the plaintext using this matrix, to encode the letter 'a', locate it in the matrix and read off
the letter on the far left side on the same row, followed by the letter at the top in the same column.
In this way each plaintext letter is replaced by two cipher text letters. E.g. 'attack' -> 'DG XG XG
DG GV GD'. The cipher text is now twice as long as the original plaintext. Note that so far, it is
just a simple substitution cipher, and trivial to break.
3. Write the code word with the enciphered plaintext underneath e.g.
G E R M A N
D G X G X G
D G G V G D

4. Perform a columnar transposition. Sort the code word alphabetically, moving the columns as you
go. Note that the letter pairs that make up each letter get split apart during this step, this is called
fractionating.
A E G M N R
X G D G G X
G G D V D G

5. Read the final cipher text off in columns.
-> XG GG DD GV GD XG
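The five steps above, worked in Python as an added example (this code is not part of the lab sheet or of CrypTool): it uses the sheet's key square and the keyword GERMAN, reproduces 'attack' → XGGGDDGVGDXG, and also decrypts, which the sheet does not show. Handling of a final row that is not full (the read-out columns then differ in length) is an addition.

```python
# Added example: ADFGVX encryption/decryption with the lab sheet's key square.
# Key square and keyword are the ones printed on the sheet; the decryption
# routine and the handling of an incomplete last row are additions.

LABELS = "ADFGVX"

SQUARE = [          # rows A, D, F, G, V, X; columns A, D, F, G, V, X
    "ph0qg6",
    "4mea1y",
    "l2nofd",
    "xkr3cv",
    "s5zw7b",
    "j9uti8",
]


def _tables(square):
    """Build character -> label pair and label pair -> character maps."""
    forward, backward = {}, {}
    for r, row in enumerate(square):
        for c, ch in enumerate(row):
            pair = LABELS[r] + LABELS[c]
            forward[ch] = pair
            backward[pair] = ch
    return forward, backward


def _column_order(keyword):
    """Column indices in read-out order: alphabetical by key letter,
    repeated key letters taken left to right."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))


def adfgvx_encrypt(plaintext, keyword, square=SQUARE):
    forward, _ = _tables(square)
    # Steps 1-2: substitution through the Polybius square (doubles the length).
    fractionated = "".join(forward[ch] for ch in plaintext.lower() if ch in forward)
    keyword = keyword.upper()
    n = len(keyword)
    # Steps 3-5: write row by row under the keyword, then read the columns
    # in alphabetical order of the keyword letters (this splits the pairs).
    columns = [fractionated[i::n] for i in range(n)]
    return "".join(columns[i] for i in _column_order(keyword))


def adfgvx_decrypt(ciphertext, keyword, square=SQUARE):
    _, backward = _tables(square)
    keyword = keyword.upper()
    n = len(keyword)
    full_rows, extra = divmod(len(ciphertext), n)
    # The first `extra` columns (in keyword order) hold one symbol more.
    lengths = [full_rows + (1 if i < extra else 0) for i in range(n)]
    columns, pos = [""] * n, 0
    for i in _column_order(keyword):
        columns[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    rows = full_rows + (1 if extra else 0)
    # Interleave the columns back into the row-wise fractionated stream.
    fractionated = "".join(columns[i][r] for r in range(rows)
                           for i in range(n) if r < lengths[i])
    return "".join(backward[fractionated[k:k + 2]]
                   for k in range(0, len(fractionated), 2))


if __name__ == "__main__":
    ct = adfgvx_encrypt("attack", "GERMAN")
    print(ct)                               # XGGGDDGVGDXG, as on the sheet
    print(adfgvx_decrypt(ct, "GERMAN"))     # attack
```

The decryption routine has to know how many symbols each column holds before it can undo the transposition, which is why it first derives the column lengths from the ciphertext length and the keyword length; with a six-letter keyword and a six-letter plaintext every column is the same length, but 'hello' (ten symbols) already leaves the last two columns one symbol short.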
PROCEDURE:


NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.03
IMPLEMENTATION OF CAESAR CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of CAESAR cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Caesar cipher is one of the earliest known and simplest ciphers. It is a type of substitution cipher
in which each letter in the plaintext is 'shifted' a certain number of places down the alphabet. For
example, with a shift of 1, A would be replaced by B, B would become C, and so on. The method is
named after Julius Caesar, who apparently used it to communicate with his generals. The Caesar cipher
involves replacing each letter of the alphabet with the letter standing three places further down the
alphabet. For example,
plain: meet me after the toga party
cipher: PHHW PH DIWHU WKH WRJD SDUWB

Note that the alphabet is wrapped around, so that the letter following Z is A. We can define the
transformation by listing all possibilities, as follows:
plain: a b c d e f g h i j k l m n o p q r s t u v w x y z
cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

Let us assign a numerical equivalent to each letter (a = 0, b = 1, ..., z = 25). Then the algorithm can
be expressed as follows. For each plaintext letter p, substitute the ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general Caesar algorithm is
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
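An added Python example (not from the sheet) of the general Caesar algorithm above, shown with the sheet's shift of 3 and its 'plain/cipher' listing. The `all_shifts` helper is an addition: it lists the plaintext candidates for every one of the 25 possible keys, which is why a shift cipher on its own gives no security.

```python
# Added example: the general Caesar cipher C = (p + k) mod 26 and its
# inverse p = (C - k) mod 26, with letters numbered a = 0 ... z = 25.

import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext, k):
    """Shift each letter k places; non-letters (spaces, punctuation) pass through."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)
            out.append(ALPHABET[(p + k) % 26].upper())  # ciphertext in capitals, as on the sheet
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, k):
    """Undo the shift: (C - k) mod 26; Python's % keeps the result in 0..25."""
    out = []
    for ch in ciphertext.lower():
        if ch in ALPHABET:
            c = ALPHABET.index(ch)
            out.append(ALPHABET[(c - k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def substitution_table(k):
    """The 'plain / cipher' listing on the sheet, for shift k."""
    plain = " ".join(ALPHABET)
    cipher = " ".join(ALPHABET[(i + k) % 26].upper() for i in range(26))
    return plain, cipher


def all_shifts(ciphertext):
    """Every candidate plaintext for k = 1..25: the entire key space."""
    return [caesar_decrypt(ciphertext, k) for k in range(1, 26)]


if __name__ == "__main__":
    ct = caesar_encrypt("meet me after the toga party", 3)
    print(ct)                      # PHHW PH DIWHU WKH WRJD SDUWB
    print(caesar_decrypt(ct, 3))   # meet me after the toga party
    for line in substitution_table(3):
        print(line)
    print(len(all_shifts(ct)))     # 25
```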
PROCEDURE:

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________
_________________________________________________________________________________


LAB EXPERIMENT NO.04
IMPLEMENTATION OF PLAYFAIR CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Playfair cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Playfair cipher was the first practical digraph substitution cipher. The scheme was invented in
1854 by Charles Wheatstone, but was named after Lord Playfair who promoted the use of the cipher.
The technique encrypts pairs of letters (digraphs), instead of single letters as in the simple substitution
cipher. The Playfair is significantly harder to break since the frequency analysis used for simple
substitution ciphers does not work with it. Frequency analysis can still be undertaken, but on the
25*25=625 possible digraphs rather than the 25 possible monographs. Frequency analysis thus requires
much more ciphertext in order to work.
The best-known multiple-letter encryption cipher is the Playfair, which treats digrams in the plaintext
as single units and translates these units into ciphertext digrams. The Playfair algorithm is based on
the use of a 5 × 5 matrix of letters constructed using a keyword. Here is an example, solved by Lord
Peter Wimsey in Dorothy Sayers's Have His Carcase:

M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z

In this case, the keyword is monarchy. The matrix is constructed by filling in the letters of the keyword
(minus duplicates) from left to right and from top to bottom, and then filling in the remainder of the
matrix with the remaining letters in alphabetic order. The letters I and J count as one letter. Plaintext
is encrypted two letters at a time, according to the following rules:

1. Repeating plaintext letters that are in the same pair are separated with a filler letter, such as x,
so that balloon would be treated as ba lx lo on.
2. Two plaintext letters that fall in the same row of the matrix are each replaced by the letter to
the right, with the first element of the row circularly following the last. For example, ar is
encrypted as RM.
3. Two plaintext letters that fall in the same column are each replaced by the letter beneath, with
the top element of the column circularly following the last. For example, mu is encrypted as
CM.
4. Otherwise, each plaintext letter in a pair is replaced by the letter that lies in its own row and
the column occupied by the other plaintext letter. Thus, hs becomes BP and ea becomes IM (or
JM, as the encipherer wishes).
To encrypt a digraph, there are three general cases, illustrated below for al, hb and nq:
m * * a *
* * * * *
* * * * *
l * * s *
* * * * *
Hence, al -> ms
* * * * *
* h y b d
* * * * *
* * * * *
* * * * *
Hence, hb -> yd
* * n * *
* * y * *
* * * * *
* * q * *
* * w * *
Hence, nq -> yw

An example encryption, "we are discovered, save yourself", using the key square shown at the
beginning of this section:
plaintext: wearediscoveredsaveyourselfx
ciphertext: ugrmkcsxhmufmkbtoxgcmvatluiv

PROCEDURE:

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.05
IMPLEMENTATION OF HILL CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Hill cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Hill cipher is an encryption algorithm that takes m successive plaintext letters and substitutes m
ciphertext letters for them. The substitution is determined by m linear equations in which each
character is assigned a numerical value (a = 0, b = 1, ..., z = 25). For m = 3, the system can be
described as:

c1 = (k11p1 + k12p2 + k13p3) mod 26
c2 = (k21p1 + k22p2 + k23p3) mod 26
c3 = (k31p1 + k32p2 + k33p3) mod 26
This can be expressed in terms of row vectors and matrices, or more compactly as
C = PK mod 26
where P and C are row vectors of length 3 representing the plaintext and ciphertext, and K is a 3 x 3
matrix representing the encryption key. Operations are performed mod 26.

The key for a Hill cipher is a matrix, e.g.

In the above case, we have taken the size to be 3×3, however it can be any size (as long as it is square).
Assume we want to encipher the message ATTACK AT DAWN. To encipher this, we need to break
the message into chunks of 3. We now take the first 3 characters from our plaintext, ATT and create
a vector that corresponds to the letters (replace A with 0, B with 1 ... Z with 25 etc.) to get: [0 19
19] (this is ['A' 'T' 'T']).
To get our cipher text we perform a matrix multiplication (you may need to revise matrix
multiplication if this doesn't make sense):

This process is performed for all 3 letter blocks in the plaintext. The plaintext may have to be padded
with some extra letters to make sure that there is a whole number of blocks.
Now for the tricky part: decryption. We need to find an inverse matrix modulo 26 to use as our
'decryption key', i.e. something that will take 'PFO' back to 'ATT'. If our 3 by 3 key matrix is called
K, our decryption key will be the 3 by 3 matrix K⁻¹, the inverse of K.

To find K⁻¹ we have to use a bit of maths. It turns out that K⁻¹ can be calculated from our key. A
lengthy discussion will not be included here, but we will give a short example. The important things
to know are inverses (mod m), determinants of matrices, and matrix adjugates.
Let K be the key matrix and let d be the determinant of K. We wish to find K⁻¹ (the inverse of K), such
that K × K⁻¹ = I (mod 26), where I is the identity matrix. The following formula tells us how to find
K⁻¹ given K:
K⁻¹ = d⁻¹ × adj(K) (mod 26)
where d × d⁻¹ = 1 (mod 26), and adj(K) is the adjugate matrix of K.
d (the determinant) is calculated normally for K (for the example above, it is 489 = 21 (mod 26)). The
inverse, d⁻¹, is found by finding a number such that d × d⁻¹ = 1 (mod 26) (this is 5 for the example
above since 5 × 21 = 105 = 1 (mod 26)). The simplest way of doing this is to loop through the numbers
1..25 and find the one for which the equation is satisfied. There is no solution (i.e. choose a different
key) if gcd(d, 26) ≠ 1: this means d and 26 share a factor, so K cannot be inverted and the key you have
chosen will not work; choose another one. That is it. Once K⁻¹ is found, decryption can be performed.
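An added Python example (not from the sheet) of the 3 × 3 Hill cipher with the inverse found exactly as described: determinant, its inverse mod 26 by looping through 1..25, and the adjugate. The sheet's key matrix is in a figure that did not survive, so the matrix used here is an assumption chosen to match the figures the sheet quotes (determinant 489 = 21 (mod 26), inverse 5, and ATT → PFO). Blocks are multiplied as K × p with p a column vector; that is the sheet's C = PK with K transposed.

```python
# Added example: Hill cipher with m = 3.
# KEY is an assumption (the sheet's matrix is in a missing figure); it was
# picked because it gives det = 489 = 21 (mod 26), 21^-1 = 5, and ATT -> PFO,
# the values the sheet quotes. Ciphertext blocks are K x p (column vector).

from math import gcd

KEY = [[2, 4, 5],
       [9, 2, 1],
       [3, 17, 7]]          # assumed key matrix, see note above


def det3(m):
    return (m[0][0] * (m[1][1] * m[2][2] - m[1][2] * m[2][1])
            - m[0][1] * (m[1][0] * m[2][2] - m[1][2] * m[2][0])
            + m[0][2] * (m[1][0] * m[2][1] - m[1][1] * m[2][0]))


def adjugate3(m):
    """Transpose of the cofactor matrix."""
    cof = [[0] * 3 for _ in range(3)]
    for i in range(3):
        for j in range(3):
            minor = [[m[r][c] for c in range(3) if c != j] for r in range(3) if r != i]
            cof[i][j] = (-1) ** (i + j) * (minor[0][0] * minor[1][1] - minor[0][1] * minor[1][0])
    return [[cof[j][i] for j in range(3)] for i in range(3)]


def mod_inverse(d, modulus=26):
    """The sheet's method: loop through 1..25 looking for d * x = 1 (mod 26)."""
    if gcd(d, modulus) != 1:
        raise ValueError("key is not invertible mod %d: choose another key" % modulus)
    for x in range(1, modulus):
        if (d * x) % modulus == 1:
            return x


def key_inverse(k):
    """K^-1 = d^-1 * adj(K) (mod 26)."""
    d_inv = mod_inverse(det3(k) % 26)
    return [[(d_inv * v) % 26 for v in row] for row in adjugate3(k)]


def _apply(matrix, text):
    """Multiply each 3-letter block (as a column vector) by the matrix."""
    nums = [ord(ch) - 65 for ch in text.upper() if ch.isalpha()]
    while len(nums) % 3:
        nums.append(23)                 # pad with X so every block is whole
    out = []
    for b in range(0, len(nums), 3):
        p = nums[b:b + 3]
        for row in matrix:
            out.append(chr(65 + sum(r * x for r, x in zip(row, p)) % 26))
    return "".join(out)


def hill_encrypt(plaintext, key=KEY):
    return _apply(key, plaintext)


def hill_decrypt(ciphertext, key=KEY):
    return _apply(key_inverse(key), ciphertext)


if __name__ == "__main__":
    print(det3(KEY), det3(KEY) % 26, mod_inverse(det3(KEY) % 26))   # 489 21 5
    ct = hill_encrypt("ATTACK AT DAWN")
    print(ct, hill_decrypt(ct))       # PFO..., ATTACKATDAWN
```

`key_inverse` raises for a key whose determinant shares a factor with 26, which is the check the sheet tells you to make before settling on a key.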
PROCEDURE:

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.06
IMPLEMENTATION OF VIGENÈRE CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Vigenère cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Vigenère cipher was invented by a Frenchman, Blaise de Vigenère, in the 16th century. It is a
polyalphabetic cipher because it uses two or more cipher alphabets to encrypt the data. In other words,
the letters in the Vigenère cipher are shifted by different amounts, normally determined by a word or
phrase used as the encryption key.
Unlike the mono-alphabetic ciphers, polyalphabetic ciphers are not susceptible to frequency analysis,
as more than one letter in the plaintext can be represented by a single letter in the encryption. One of
the main problems with simple substitution ciphers is that they are so vulnerable to frequency analysis.
Given a sufficiently large ciphertext, it can easily be broken by mapping the frequency of its letters to
the known frequencies of, say, English text.
Therefore, to make ciphers more secure, cryptographers have long been interested in developing
enciphering techniques that are immune to frequency analysis. One of the most common approaches
is to suppress the normal frequency data by using more than one alphabet to encrypt the message.
A polyalphabetic substitution cipher involves the use of two or more cipher alphabets. Instead of there
being a one-to-one relationship between each letter and its substitute, there is a one-to-many
relationship between each letter and its substitutes.
THE VIGENÈRE SQUARE:
Blaise de Vigenère developed a square to help encode messages. Reading along each row, you can see
that it is really a series of Caesar ciphers: the first has a shift of 1, the second a shift of 2 and so on.

The Vigenère cipher uses this table in conjunction with a key to encipher a message. So, if we were to
encode a message using the key COUNTON, we write it as many times as necessary above our
message. To find the encryption, we take the letter from the intersection of the Key letter row, and the
Plaintext letter column.

To decipher the message, the recipient needs to write out the key above the ciphertext and reverse the
process. The maths behind the Vigenère cipher can be written as follows:
To encrypt a message: Ca = Ma + Kb (mod 26)
To decrypt a message: Ma = Ca - Kb (mod 26)
(where C = code, M = message, K = key, a indexes the a-th character of the message, and b indexes the
b-th character of the key, wrapping around within the length of the key.)
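An added Python example (not from the sheet) of the two formulas above, with the key written repeatedly above the message as the sheet describes. The key COUNTON is the sheet's; the message 'attack at dawn' is a constructed sample.

```python
# Added example: Vigenère encryption C_a = M_a + K_b (mod 26) and decryption
# M_a = C_a - K_b (mod 26), with b = a mod (key length), i.e. the key is
# repeated above the message as often as necessary.


def _num(ch):
    return ord(ch.upper()) - 65


def _letter(n):
    return chr(65 + n % 26)


def vigenere_encrypt(message, key):
    """Letters only; non-letters are dropped so the key stays in step."""
    letters = [ch for ch in message if ch.isalpha()]
    return "".join(_letter(_num(m) + _num(key[a % len(key)]))
                   for a, m in enumerate(letters))


def vigenere_decrypt(code, key):
    return "".join(_letter(_num(c) - _num(key[a % len(key)]))
                   for a, c in enumerate(code))


def key_row(key_letter):
    """One row of the Vigenère square: the Caesar alphabet for this key letter.
    Reading down the plaintext column and across the key row gives the cipher letter."""
    return "".join(_letter(i + _num(key_letter)) for i in range(26))


def worked_table(message, key):
    """Key written out above the message, then the ciphertext, as on the sheet."""
    letters = "".join(ch for ch in message.upper() if ch.isalpha())
    repeated = "".join(key.upper()[a % len(key)] for a in range(len(letters)))
    return repeated, letters, vigenere_encrypt(letters, key)


if __name__ == "__main__":
    for line in worked_table("attack at dawn", "COUNTON"):
        print(line)
    # COUNTONCOUNT / ATTACKATDAWN / CHNNVYNVRUJG
    print(vigenere_decrypt("CHNNVYNVRUJG", "COUNTON"))   # ATTACKATDAWN
```

`key_row` reproduces one line of the square; note that `key_row("A")` is the unshifted alphabet, so the cipher letter is simply `key_row(key_letter)[position of plaintext letter]`.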

PROCEDURE:

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.07
IMPLEMENTATION OF VERNAM CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Vernam cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The ultimate defence against such cryptanalysis is to choose a keyword that is as long as the plaintext
and has no statistical relationship to it. Such a system, the Vernam cipher, was introduced by an AT&T
engineer named Gilbert Vernam in 1918. His system works on binary data (bits) rather than letters.
The system can be expressed succinctly as follows:
ci = pi ⊕ ki
where
pi = ith binary digit of plaintext
ki = ith binary digit of key
ci = ith binary digit of ciphertext
⊕ = exclusive-or (XOR) operation
Compare the above equation with the equation for the Vigenère cipher given below:
Ci = (pi + k(i mod m)) mod 26


Thus, the ciphertext is generated by performing the bitwise XOR of the plaintext and the key. Because
of the properties of XOR, decryption simply involves the same bitwise operation:
pi = ci ⊕ ki
which compares with the following equation:
pi = (Ci - k(i mod m)) mod 26
The essence of this technique is the means of construction of the key. Vernam proposed the use of a
running loop of tape that eventually repeated the key, so that in fact the system worked with a very
long but repeating keyword. Although such a scheme, with a long key, presents formidable
cryptanalytic difficulties, it can be broken with sufficient cipher text, the use of known or probable
plaintext sequences, or both.
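An added Python example (not from the sheet) of ci = pi ⊕ ki on bytes: encryption and decryption are the same XOR, and the last function shows the sheet's closing point, that when the key is a repeating loop of tape, a stretch of known plaintext reveals the key bytes that also protect the rest of the traffic. The message and keys are constructed samples; a key as long as the message comes from os.urandom.

```python
# Added example: Vernam cipher on bytes, c_i = p_i XOR k_i.
# The message, the short loop key and the known-plaintext fragment are
# constructed samples, not values from the lab sheet.

import itertools
from os import urandom


def xor_bytes(data, key):
    """XOR `data` with `key`, repeating the key like a running loop of tape."""
    return bytes(d ^ k for d, k in zip(data, itertools.cycle(key)))


# XOR is its own inverse (x ^ k ^ k == x), so one function serves both ways.
vernam_encrypt = xor_bytes
vernam_decrypt = xor_bytes


def one_time_pad_key(length):
    """A key as long as the plaintext with no statistical relation to it."""
    return urandom(length)


def keystream_from_known_plaintext(ciphertext, known_plaintext):
    """c_i XOR p_i = k_i: where the plaintext is known, the key is exposed.
    Harmless for a true one-time pad (those key bytes are never used again);
    fatal for a repeating key, because the recovered bytes repeat too."""
    return xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)


if __name__ == "__main__":
    message = b"ATTACK AT DAWN"                 # constructed sample
    key = one_time_pad_key(len(message))
    ct = vernam_encrypt(message, key)
    assert vernam_decrypt(ct, key) == message
    # A 4-byte loop of tape (constructed) standing in for Vernam's repeating key.
    loop = b"\x5a\x13\xc7\x08"
    ct2 = vernam_encrypt(message, loop)
    print(keystream_from_known_plaintext(ct2, b"ATTACK").hex())   # 5a13c7085a13
```

The recovered bytes 5a 13 c7 08 5a 13 show the loop period directly, which is why the sheet's "very long but repeating keyword" is not a one-time pad: the key must be as long as all the traffic it ever protects.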
PROCEDURE:

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.08
IMPLEMENTATION OF TRANSPOSITION CIPHER

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Transposition cipher.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
A transposition cipher is a simple data encryption scheme in which plaintext characters are shifted in
some regular pattern to form ciphertext.
In manual systems transpositions are generally carried out with the aid of an easily remembered
mnemonic. For example, a popular schoolboy cipher is the "rail fence," in which letters of the plaintext
are written alternating between rows and the rows are then read sequentially to give the cipher. In a
depth-two rail fence (two rows) the message WE ARE DISCOVERED SAVE YOURSELF would be
written:

Simple frequency counts on the cipher text would reveal to the cryptanalyst that letters occur
with precisely the same frequency in the cipher as in an average plaintext and, hence, that a
simple rearrangement of the letters is probable.
The rail fence is the simplest example of a class of transposition ciphers, known as route
ciphers, which enjoyed considerable popularity in the early history of cryptology. In general,
the elements of the plaintext (usually single letters) are written in a prearranged order (route) into a
geometric array (matrix), typically a rectangle, agreed upon in advance by the transmitter and
receiver, and then read off by following another prescribed route through the matrix to produce the
cipher. The key in a route cipher consists of keeping secret the geometric array, the starting point, and
the routes. Clearly both the matrix and the routes can be much more complex than in this example; but
even so, they provide little security. One form of transposition (permutation) that was widely used
depends on an easily remembered key word for identifying the route in which the columns of a
rectangular matrix are to be read. For example, using the key word AUTHOR and ordering the columns
by the lexicographic order of the letters in the key word:

In decrypting a route cipher, the receiver enters the cipher text symbols into the agreed-upon matrix
according to the encryption route and then reads the plaintext according to the original order of entry.
A significant improvement in crypto-security can be achieved by re-encrypting the cipher obtained
from one transposition with another transposition. Because the result (product) of two transpositions
is also a transposition, the effect of multiple transpositions is to define a complex route in the matrix,
which in itself would be difficult to describe by any simple mnemonic.
In the same class also fall systems that make use of perforated cardboard matrices called grilles;
descriptions of such systems can be found in older books on cryptography. In contemporary
cryptography, transpositions serve principally as one of several encryption steps in forming a
compound or product cipher.
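An added Python example (not from the sheet) of the depth-two rail fence on the sheet's message, generalised to any number of rails, the keyword columnar route with AUTHOR, and a check of the frequency observation above (the ciphertext has exactly the plaintext's letter counts, so a transposition is recognisable from counts alone). The column read-out uses the same rule as the ADFGVX lab: columns in alphabetical order of the key letters.

```python
# Added example: rail fence (any depth), keyword columnar transposition,
# and the letter-count property of every transposition.

from collections import Counter


def _letters(text):
    return [ch for ch in text.upper() if ch.isalpha()]


def _rail_pattern(n, depth):
    """Rail index of each of n letters when written zig-zag over `depth` rows."""
    pattern, r, step = [], 0, 1
    for _ in range(n):
        pattern.append(r)
        if depth > 1:
            if r == 0:
                step = 1
            elif r == depth - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(text, depth=2):
    """Write alternating between rows, then read the rows one after another."""
    letters = _letters(text)
    pattern = _rail_pattern(len(letters), depth)
    return "".join(ch for k in range(depth)
                   for ch, r in zip(letters, pattern) if r == k)


def rail_fence_decrypt(cipher, depth=2):
    """Cut the ciphertext into rails of the right lengths, then walk the zig-zag."""
    pattern = _rail_pattern(len(cipher), depth)
    rails, pos = [], 0
    for k in range(depth):
        count = pattern.count(k)
        rails.append(list(cipher[pos:pos + count]))
        pos += count
    return "".join(rails[r].pop(0) for r in pattern)


def columnar_encrypt(text, keyword):
    """Write in rows under the keyword, read the columns in alphabetical
    order of the key letters (AUTHOR -> columns A, H, O, R, T, U)."""
    letters = _letters(text)
    n = len(keyword)
    order = sorted(range(n), key=lambda i: (keyword[i], i))
    return "".join("".join(letters[i::n]) for i in order)


def same_letter_counts(plaintext, ciphertext):
    """True for any transposition: the letters are only rearranged."""
    return Counter(_letters(plaintext)) == Counter(ciphertext)


if __name__ == "__main__":
    msg = "WE ARE DISCOVERED SAVE YOURSELF"
    rf = rail_fence_encrypt(msg)
    print(rf)                                 # WAEICVRDAEOREFERDSOEESVYUSL
    print(rail_fence_decrypt(rf))             # WEAREDISCOVEREDSAVEYOURSELF
    print(columnar_encrypt(msg, "AUTHOR"))    # WIREEROSUEVARDEVSACDOFESEYL
    print(same_letter_counts(msg, rf))        # True
```

Applying `columnar_encrypt` twice (with the same or a different keyword) gives the product transposition the text mentions; `same_letter_counts` stays True for it as well, which is the limit of what transposition alone can hide.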
PROCEDURE:


NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.09
IMPLEMENTATION OF DATA ENCRYPTION STANDARD (DES)

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Data Encryption Standard.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Data Encryption Standard is a previously predominant symmetric-key algorithm for the
encryption of electronic data. It was highly influential in the advancement of modern cryptography in
the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst
Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's
invitation to propose a candidate for the protection of sensitive, unclassified electronic government
data. In 1976, after consultation with the National Security Agency (NSA), the NBS eventually
selected a slightly modified version, which was published as an official Federal Information Processing
Standard (FIPS) for the United States in 1977.
The publication of an NSA-approved encryption standard simultaneously resulted in its quick
international adoption and widespread academic scrutiny. Controversies arose out of classified design
elements, a relatively short key length of the symmetric-key block cipher design, and the involvement
of the NSA, nourishing suspicions about a backdoor. The intense academic scrutiny the algorithm
received over time led to the modern understanding of block ciphers and their cryptanalysis.
DES FEATURES:
- Block size = 64 bits
- Key size = 56 bits (in reality, 64 bits, but 8 are used as parity-check bits for error control)
- Number of rounds = 16
- 16 intermediary keys, each 48 bits

KEY LENGTH IN DES:
- In the DES specification, the key length is 64 bits.
- 8 bytes; in each byte, the 8th bit is a parity-check bit.
- Each parity-check bit is the XOR of the previous 7 bits.
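An added Python example (not from the sheet or CrypTool) that checks the key structure listed above: an 8-byte key, a parity bit in the eighth (least significant) position of every byte, and 56 effective key bits. FIPS 46 specifies odd parity, so each byte must hold an odd number of 1 bits: the parity bit is the complement of the XOR of the other seven (the XOR alone would give even parity). The sample key is the worked-example key from FIPS 46; the all-zero key is a constructed counter-example.

```python
# Added example: DES key parity and the 56 effective key bits.
# DES keys use odd parity (FIPS 46): every byte contains an odd number of
# 1 bits, so bit 8 (the least significant bit of the byte) equals the
# complement of the XOR of the other seven bits.


def parity_bit_expected(byte):
    """XOR of the seven key bits (bits 1-7), complemented for odd parity."""
    xor7 = 0
    for i in range(1, 8):
        xor7 ^= (byte >> i) & 1
    return xor7 ^ 1


def des_key_parity_ok(key):
    """True when all 8 bytes carry correct odd parity."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    return all((b & 1) == parity_bit_expected(b) for b in key)


def set_odd_parity(key):
    """Rewrite each byte's parity bit so the key validates (key bits unchanged)."""
    return bytes((b & 0xFE) | parity_bit_expected(b) for b in key)


def effective_key_bits(key):
    """Drop the parity bit of every byte: the 56 key bits as one integer."""
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits


if __name__ == "__main__":
    key = bytes.fromhex("133457799BBCDFF1")     # FIPS 46 worked-example key
    print(des_key_parity_ok(key))               # True
    print(effective_key_bits(key).bit_length()) # at most 56
    bad = bytes(8)                              # all-zero bytes: even parity (constructed)
    print(des_key_parity_ok(bad), set_odd_parity(bad).hex())  # False 0101010101010101
```

A key that fails the check was mistyped or corrupted somewhere between generation and use, which is exactly the error-control purpose the feature list gives for those 8 bits; it says nothing about the strength of the remaining 56.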
DES ROUNDS:


PROCEDURE:
In this exercise you can use the DES component to encrypt an arbitrary text entered in the Input
message component on the left side. The resulting encrypted text is displayed in the Output message
component on the right side after hitting the Play button. The DES component works on binary values,
i.e. bytes. Thus, the input text is first converted to bytes with the Message decoder component.
With the current settings, it is interpreted as ASCII. The resulting bytes are then encrypted with DES,
yielding another sequence of bytes. These bytes are then simply printed as hexadecimal values with
the help of the Message encoder component. Note that you can also decrypt messages with this
template. To do so, first copy the encrypted hexadecimal values to the Input message. Then change
the following:
- Set Input format of the Message decoder to Hexadecimal.
- Set Action of DES to Decrypt.
- Set Format of the Message encoder to Text and the encoding to ASCII.

NOTE: Attach printouts of the CrypTool file, using a different plaintext, along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.10
IMPLEMENTATION OF ADVANCE ENCRYPTION STANDARD (AES)

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of Advance Encryption Standard.
TOOLS/APPARATUS:
- PC/Laptops
- Windows 7 and Windows 8
- Cryptool 2

THEORY:
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data
established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is based
on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen,
who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers
with different key and block sizes. For AES, NIST selected three members of the Rijndael family, each
with a block size of 128 bits, but three different key lengths: 128, 192 and 256 bits.
AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data
Encryption Standard (DES), which was published in 1977. The algorithm described by AES is
a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data.
In the United States, AES was announced by the NIST as U.S. FIPS PUB 197 (FIPS 197) on November
26, 2001.[4] This announcement followed a five-year standardization process in which fifteen
competing designs were presented and evaluated, before the Rijndael cipher was selected as the most
suitable. AES became effective as a federal government standard on May 26, 2002 after approval by
the Secretary of Commerce. AES is included in the ISO/IEC 18033-3 standard. AES is available in
many different encryption packages, and is the first publicly accessible and open cipher approved by
the National Security Agency (NSA) for top secret information when used in an NSA approved
cryptographic module.
Much of the Rijndael algorithm is based on arithmetic on a finite field, or Galois field (after the
mathematician). Regular arithmetic works on an infinite range of numbers – keep doubling a number
and it will get ever bigger. Arithmetic in a finite field is limited to numbers within that field. The
Rijndael algorithm works in GF(2^8), in which arithmetic results can always be stored within one byte
– which is pretty convenient for computers. I can’t begin to understand the maths (considering that
addition and subtraction are the same thing – an XOR operation – and multiplication is performed
‘modulo an irreducible polynomial’: doubling 0x80 in GF(2^8) gives 0x1b).
The Rijndael algorithm lends itself to widely differing implementations, since the maths can be either
coded directly, or pre-computed as lookup tables – directly parallel to using log tables for arithmetic.
Different implementations can have varying pay-offs between speed, complexity, and storage
requirements. Some may barely resemble each other. In this implementation, I have followed the
standard closely; as per the standard, I have used a lookup table (‘S-box’) to implement the
multiplicative inverse (i.e. 1/x) within a finite field (used for the SubBytes transformation), but other
calculations are made directly rather than being pre-computed.
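As an added worked example (not part of this manual and not CrypTool 2 code), the following Python code carries out the GF(2^8) arithmetic described above and builds the AES S-box from it: addition is XOR, doubling reduces by 0x1b whenever the top bit is set, a general multiplication is shift-and-XOR built from repeated doubling, the multiplicative inverse is computed as a^254, and an S-box entry is that inverse followed by the fixed affine transform of FIPS 197. The function names are this example's own.

```python
"""GF(2^8) arithmetic as used by AES/Rijndael, and the S-box built from it.

Added example (not from the lab manual or CrypTool 2). Follows FIPS 197:
addition is XOR, multiplication is reduced modulo the irreducible polynomial
x^8 + x^4 + x^3 + x + 1 (0x11b), and SubBytes is the multiplicative inverse
followed by a fixed affine transform.
"""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael reduction polynomial


def gf_add(a: int, b: int) -> int:
    """Addition and subtraction in GF(2^8) are the same operation: XOR."""
    return a ^ b


def xtime(a: int) -> int:
    """Multiply by x (i.e. by 0x02). When the top bit is set the doubled value
    overflows the byte, so it is reduced by XORing with the polynomial."""
    a <<= 1
    if a & 0x100:
        a ^= AES_POLY
    return a & 0xFF


def gf_mul(a: int, b: int) -> int:
    """General multiplication: shift-and-add (XOR) using repeated xtime()."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a)
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Multiplicative inverse 1/a. The non-zero elements form a group of order
    255, so a^255 = 1 and a^254 = 1/a. Zero has no inverse; AES maps it to 0."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def affine(b: int) -> int:
    """FIPS 197 affine transform: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    def rotl8(x: int, n: int) -> int:
        return ((x << n) | (x >> (8 - n))) & 0xFF
    return b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63


def sbox(b: int) -> int:
    """SubBytes for one byte: inverse in GF(2^8), then the affine transform."""
    return affine(gf_inv(b))


def build_sbox() -> list:
    """The full 256-entry lookup table that a table-driven implementation precomputes."""
    return [sbox(b) for b in range(256)]


if __name__ == "__main__":
    print(hex(xtime(0x80)))                   # 0x1b, as noted in the theory text
    print(hex(gf_mul(0x57, 0x83)))            # 0xc1, the worked product in FIPS 197
    print(hex(sbox(0x00)), hex(sbox(0x53)))   # 0x63 and 0xed, first and 0x53-th S-box entries
```

Because the S-box is a bijection on bytes, build_sbox() must contain all 256 values exactly once; that check is a quick way to catch a wrong reduction polynomial or a wrong rotation in the affine step.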
PROCEDURE:
In this exercise you can use the AES-component to encrypt an arbitrary text entered in the Input
message-component on the left side. The resulting encrypted text is displayed in the Output
message-component on the right side after hitting the Play-button. The AES-component works on
binary values, i.e. bytes. Thus, the input text is first converted to bytes with the Message
decoder-component. With the current settings, it is interpreted as ASCII. The resulting bytes are then
encrypted with AES, yielding another sequence of bytes. These bytes are then simply printed as
hexadecimal values with the help of the Message encoder-component. Note that you can also decrypt
messages with this template. To do so, you first copy the encrypted hexadecimal values to the Input
message. Then you have to change the following:

• Set Input format of the Message decoder to Hexadecimal;
• Set Action of AES to Decrypt;
• Set Format of the Message encoder to Text and the encoding to ASCII.

NOTE: Attach print outs of Cryptool file using another plain text along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

LAB EXPERIMENT NO.11
IMPLEMENTATION OF RC4 ALGORITHM

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of RC4 Algorithm.
TOOLS/APPARATUS:
• PC/Laptops
• Windows 7 and Windows 8
• Cryptool 2

THEORY:
RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security. It is a variable key size
stream cipher with byte-oriented operations. The algorithm is based on the use of a random
permutation. Analysis shows that the period of the cipher is overwhelmingly likely to be greater than
10^100 [ROBS95a]. Eight to sixteen machine operations are required per output byte, and the cipher can
be expected to run very quickly in software.
RC4 is used in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) standards that have been
defined for communication between Web browsers and servers. It is also used in the Wired Equivalent
Privacy (WEP) protocol and the newer WiFi Protected Access (WPA) protocol that are part of the
IEEE 802.11 wireless LAN standard. RC4 was kept as a trade secret by RSA Security. In September
1994, the RC4 algorithm was anonymously posted on the Internet on the Cypherpunks anonymous
remailers list.
The RC4 algorithm is remarkably simple and quite easy to explain. A variable-length key of 1 to
256 bytes (8 to 2048 bits) is used to initialize a 256-byte state vector S, with elements S[0], S[1], ...,
S[255]. At all times, S contains a permutation of all 8-bit numbers from 0 through 255. For encryption
and decryption, a byte k (see Figure 1) is generated from S by selecting one of the 255 entries in a
systematic fashion. As each value of k is generated, the entries in S are once again permuted.
Figure 1: Stream Cipher Diagram
Initialization of S:
To begin, the entries of S are set equal to the values from 0 through 255 in ascending order; that is,
S[0] = 0, S[1] = 1, ..., S[255] = 255. A temporary vector, T, is also created. If the length of the key K
is 256 bytes, then K is transferred to T. Otherwise, for a key of length keylen bytes, the first keylen
elements of T are copied from K, and then K is repeated as many times as necessary to fill out T. These
preliminary operations can be summarized as:
/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];

Next we use T to produce the initial permutation of S. This involves starting with S[0] and going
through to S[255], and for each S[i], swapping S[i] with another byte in S according to a scheme
dictated by T[i]:
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap (S[i], S[j]);

Because the only operation on S is a swap, the only effect is a permutation. S still contains all the
numbers from 0 through 255.
Stream Generation:
Once the S vector is initialized, the input key is no longer used. Stream generation involves cycling
through all the elements of S[i], and for each S[i], swapping S[i] with another byte in S according to a
scheme dictated by the current configuration of S. After S[255] is reached, the process continues,
starting over again at S[0]:
/* Stream Generation */
i, j = 0;
while (true)
    i = (i + 1) mod 256;
    j = (j + S[i]) mod 256;
    Swap (S[i], S[j]);
    t = (S[i] + S[j]) mod 256;
    k = S[t];

To encrypt, XOR the value k with the next byte of plaintext. To decrypt, XOR the value k with the
next byte of cipher text. Figure 2 illustrates the RC4 logic.

Figure 2: Working of RC4
PROCEDURE:
After the keystream byte k has been generated, it is XORed with a byte of plaintext for encryption and
XORed with a byte of ciphertext for decryption.

NOTE: Attach print outs of Cryptool file using another plain text along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

LAB EXPERIMENT NO.12
IMPLEMENTATION OF MD5 HASH ALGORITHM

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of MD5 Hash Algorithm.
TOOLS/APPARATUS:
• PC/Laptops
• Windows 7 and Windows 8
• Cryptool 2

THEORY:
The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit
(16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. MD5
has been utilized in a wide variety of cryptographic applications, and is also commonly used to
verify data integrity.
MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source
code in RFC 1321 contains a "by attribution" RSA license.
In 1996 a flaw was found in the design of MD5. While it was not deemed a fatal weakness at the time,
cryptographers began recommending the use of other algorithms, such as SHA-1—which has since
been found to be vulnerable as well. In 2004 it was shown that MD5 is not collision resistant.[5] As
such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this
property for digital security. Also in 2004 more serious flaws were discovered in MD5, making further
use of the algorithm for security purposes questionable; specifically, a group of researchers described
how to create a pair of files that share the same MD5 checksum. Further advances were made in
breaking MD5 in 2005, 2006, and 2007. In December 2008, a group of researchers used this technique
to fake SSL certificate validity, and CMU Software Engineering Institute now says that MD5 "should
be considered cryptographically broken and unsuitable for further use", and most U.S. government
applications now require the SHA-2 family of hash functions. In 2012, the Flame malware exploited
the weaknesses in MD5 to fake a Microsoft digital signature.
ALGORITHM:
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is
broken up into chunks of 512-bit blocks (sixteen 32-bit words); the message is padded so that its length
is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the
message. This is followed by as many zeros as are required to bring the length of the message up to 64
bits fewer than a multiple of 512. The remaining bits are filled up with 64 bits representing the length
of the original message, modulo 2^64.
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C,
and D. These are initialized to certain fixed constants. The main algorithm then uses each 512-bit
message block in turn to modify the state. The processing of a message block consists of four similar
stages, termed rounds; each round is composed of 16 similar operations based on a non-linear
function F, modular addition, and left rotation. Figure 1 illustrates one operation within a round. There
are four possible functions F; a different one is used in each round:

Denote the XOR, AND, OR and NOT operations respectively.

Figure 1: Message Digest Algorithm
One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16
operations. F is a nonlinear function; one function is used in each round.
• Mi denotes a 32-bit block of the message input;
• Ki denotes a 32-bit constant, different for each operation;
• a left bit rotation by s places is applied; s varies for each operation;
• additions are performed modulo 2^32.

MD5 Hash Properties:
The MD5 hash consists of a small amount of binary data, typically no more than 128 bits. All hash
values share the following properties:
Hash length
The length of the hash value is determined by the type of the used algorithm, and its length does not
depend on the size of the file. The most common hash value lengths are either 128 or 160 bits.
Non-discoverability
Every pair of non-identical files will translate into a completely different hash value, even if the two
files differ only by a single bit. Using today's technology, it is not possible to discover a pair of files
that translate to the same hash value.
Repeatability
Each time a particular file is hashed using the same algorithm, the exact same hash value will be
produced.
Irreversibility
All hashing algorithms are one-way. Given a checksum value, it is infeasible to discover the password.
In fact, none of the properties of the original message can be determined given the checksum value
alone.
PROCEDURE:
The MD5 function provides a 32 digit hexadecimal number. If we were to turn ‘makeuseof.com’
into an MD5 hash value then it would look like: 64399513b7d734ca90181b27a62134dc. It was built
upon a method called the Merkle–Damgård structure (below), which is used to build what are
known as “collision-proof” hash functions.

NOTE: Attach print outs of Cryptool file using another plain text along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

LAB EXPERIMENT NO.13
IMPLEMENTATION OF SHA HASH ALGORITHM (SHA)

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Implementation of SHA Algorithm.
TOOLS/APPARATUS:
• PC/Laptops
• Windows 7 and Windows 8
• Cryptool 2

THEORY:
In cryptography, SHA-1 is a cryptographic hash function designed by the United States National
Security Agency and is a U.S. Federal Information Processing Standard published by the United
States NIST.
SHA-1 produces a 160-bit (20-byte) hash value. A SHA-1 hash value is typically rendered as
a hexadecimal number, 40 digits long.
SHA stands for "secure hash algorithm". The four SHA algorithms are structured differently and are
named SHA-0, SHA-1, SHA-2, and SHA-3. SHA-0 is the original version of the 160-bit hash function
published in 1993 under the name "SHA": it was not adopted by many applications. Published in 1995,
SHA-1 is very similar to SHA-0, but alters the original SHA hash specification to correct alleged
weaknesses. SHA-2, published in 2001, is significantly different from the SHA-1 hash function.
SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely used
applications and protocols.
In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure
enough for ongoing use. NIST required many applications in federal agencies to move to SHA-2 after
2010 because of the weakness. Although no successful attacks have yet been reported on SHA-2, it is
algorithmically similar to SHA-1. In 2012, following a long-running competition, NIST selected an
additional algorithm, Keccak, for standardization under SHA-3.
In November 2013 Microsoft announced their deprecation policy on SHA-1 according to which
Windows will stop accepting SHA-1 certificates in SSL by 2017. In September
2014 Google announced their deprecation policy on SHA-1 according to which Chrome will stop
accepting SHA-1 certificates in SSL in a phased way by 2017. Mozilla is also planning to stop
accepting SHA-1-based SSL certificates by 2017.

ALGORITHM:
SHA-1 produces a message digest based on principles similar to those used by Ronald L.
Rivest of MIT in the design of the MD4 and MD5 message digest algorithms, but has a more
conservative design.
The original specification of the algorithm was published in 1993 under the title Secure Hash
Standard, FIPS PUB 180, by U.S. government standards agency NIST (National Institute of Standards
and Technology). This version is now often named SHA-0. It was withdrawn by the NSA shortly after
publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and
commonly designated SHA-1. SHA-1 differs from SHA-0 only by a single bitwise rotation in the
message schedule of its compression function; this was done, according to the NSA, to correct a flaw
in the original algorithm which reduced its cryptographic security. However, the NSA did not provide
any further explanation or identify the flaw that was corrected. Weaknesses have subsequently been
reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting
the NSA’s assertion that the change increased the security.

Figure 1: Secure Hash Algorithm

One iteration within the SHA-1 compression function:
• A, B, C, D and E are 32-bit words of the state;
• F is a nonlinear function that varies;
• a left bit rotation by n places is applied; n varies for each operation;
• Wt is the expanded message word of round t;
• Kt is the round constant of round t;
• additions are performed modulo 2^32.
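As an added worked example (not the manual's or CrypTool 2's code), the following Python code implements the SHA-1 compression function from the figure legend: the five state words A to E, the function F and constant Kt that change every twenty rounds, the expanded message words Wt, the rotations, and addition modulo 2^32. The rotate_schedule switch is the single one-bit rotation in the message schedule that, as the ALGORITHM text says, is the only difference between SHA-0 and SHA-1. Results are checked against Python's hashlib; the function names are this example's own.

```python
"""SHA-1 written from the figure legend and the ALGORITHM section.
Added example (not the lab manual's or CrypTool 2's code)."""
import hashlib
import struct

MASK = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # A..E


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def sha_pad(message: bytes) -> bytes:
    """Same Merkle-Damgard padding as MD5, but the 64-bit length is big-endian."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", (len(message) * 8) % 2**64)


def message_schedule(block: bytes, rotate_schedule: bool = True) -> list:
    """Expand the sixteen 32-bit block words into the eighty words W_0..W_79.
    The one-bit rotation applied to each new word is what SHA-1 added to SHA-0."""
    W = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]
        W.append(rotl32(w, 1) if rotate_schedule else w)
    return W


def sha1_compress(state: tuple, block: bytes, rotate_schedule: bool = True) -> tuple:
    """Eighty rounds over one 512-bit block; F and K_t change every 20 rounds."""
    W = message_schedule(block, rotate_schedule)
    a, b, c, d, e = state
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        temp = (rotl32(a, 5) + (f & MASK) + e + k + W[t]) & MASK
        a, b, c, d, e = temp, a, rotl32(b, 30), c, d
    # Chain the block result into the running state (addition modulo 2^32).
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def sha1_hex(message: bytes, rotate_schedule: bool = True) -> str:
    state = H0
    padded = sha_pad(message)
    for off in range(0, len(padded), 64):
        state = sha1_compress(state, padded[off:off + 64], rotate_schedule)
    return struct.pack(">5I", *state).hex()   # 160 bits = 40 hex digits


def sha0_hex(message: bytes) -> str:
    """The withdrawn 1993 variant: identical except for the missing rotation."""
    return sha1_hex(message, rotate_schedule=False)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1_hex(message) == hashlib.sha1(message).hexdigest()


if __name__ == "__main__":
    print(sha1_hex(b"abc"))     # a9993e364706816aba3e25717850c26c9cd0d89d
    print(sha0_hex(b"abc"))     # differs from SHA-1 because of the schedule rotation
```

Comparing sha0_hex() and sha1_hex() on the same input shows how completely a one-line change in the message schedule alters the digest, which is also why the two functions are treated as distinct algorithms.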

PROCEDURE:

NOTE: Attach print outs of Cryptool file using another plain text along with this lab sheet.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________

LAB EXPERIMENT NO.14
IP ACCESS CONTROL LIST CONCEPTS

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Routers use access lists to control incoming or outgoing traffic. You will learn the following
characteristics of an access list:

• Access lists filter packets internally.
• Access lists protect the internal network from illegal Internet access.
• Access lists restrict access to virtual terminal ports.
• Access lists describe the traffic type that will be controlled.
• Access list entries describe the traffic characteristics.
• Access list entries identify either permitted or denied traffic.
• Access list entries can describe a specific traffic type, or allow or restrict all traffic.

THEORY:
Network administrators must be capable of denying unwanted access to the network while allowing
appropriate access. Although security tools such as passwords, callback equipment, and physical
security devices are helpful, they often lack the flexibility of basic traffic filtering and the specific
controls that most administrators prefer. For example, a network administrator might want to allow
users access to the Internet but might not want external users Telnetting into the LAN.
Routers provide basic traffic-filtering capabilities, such as blocking Internet traffic, with access control
lists (ACLs). An ACL is a sequential collection of permit or deny statements that apply to addresses
or upper-layer protocols. ACLs filter network traffic by controlling whether routed packets are
forwarded or blocked at the router’s interfaces. The router examines each packet to determine whether
to forward or drop it, based on the conditions specified in the ACL. ACL conditions could be the source
address of the traffic, the destination address of the traffic, the upper-layer protocol, the port, or
applications.
Why Create ACLs?
Many reasons exist for creating ACLs. ACLs can be used to perform the following operations:

• Limit network traffic and increase network performance. For example, ACLs can designate
  certain packets to be processed by a router before other traffic, on the basis of a protocol. This
  is referred to as queuing. Queuing ensures that routers will not process packets that are not
  needed. As a result, queuing limits network traffic and reduces network congestion.
• Provide traffic flow control. For example, ACLs can restrict or reduce the contents of routing
  updates. These restrictions are used to limit information about specific networks from
  propagating through the network.
• Provide a basic level of security for network access. ACLs can allow one host to access a part
  of your network and prevent another host from accessing the same area.
• Decide which type of traffic is forwarded or blocked at the router interface. For example, you
  can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.

There are two types of access lists:

Standard ACL                              Extended ACL
Range 1-99                                Range 100-199
General                                   Specific
Source address only                       Source and destination address
Applied close to the destination          Applied close to the source
Filters the complete protocol suite       Can filter one protocol out of the complete suite

LAB EXPERIMENT NO.15
STANDARD IP ACCESS CONTROL LIST

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
To implement Standard IP Access Control List on a Router.
TOOLS/APPARATUS:
• PC/Laptops
• Windows 7 and Windows 8
• Packet Tracer

THEORY:
Standard IP access lists use only the source IP address in an IP packet to filter the network. This
basically permits or denies an entire protocol suite. They cannot distinguish between the many
types of IP traffic, such as web, Telnet or UDP.
TOPOLOGY:

BASIC CONFIGURATION ON ROUTER 1:
Router> enable
Router#configure terminal
Router(config)# hostname router1
router1(config)# interface serial 0/3/0
router1(config-if)#ip address 12.1.1.1 255.0.0.0
router1(config-if)#no shutdown
router1(config-if)#exit
router1(config)#interface loopback 0
router1(config-if)#ip address 1.1.1.1 255.0.0.0
router1(config-if)#exit
router1(config)#exit
router1# wr

BASIC CONFIGURATION ON ROUTER 2:
Router> enable
Router#configure terminal
Router(config)# hostname router2
router2(config)# interface serial 0/3/0
router2(config-if)#ip address 12.1.1.2 255.0.0.0
router2(config-if)#no shutdown
router2(config-if)#exit
router2(config)# interface serial 0/3/1
router2(config-if)#ip address 23.1.1.2 255.0.0.0
router2(config-if)#no shutdown
router2(config-if)#exit
router2(config)#interface loopback 0
router2(config-if)#ip address 2.2.2.2 255.0.0.0
router2(config-if)#exit
router2(config)#exit
router2# wr

BASIC CONFIGURATION ON ROUTER 3:
Router> enable
Router#configure terminal
Router(config)#hostname router3
router3(config)#interface serial 0/3/1
router3(config-if)#ip address 23.1.1.3 255.0.0.0
router3(config-if)#no shutdown
router3(config-if)#exit
router3(config)# interface serial 0/3/0
router3(config-if)#ip address 34.1.1.3 255.0.0.0
router3(config-if)#no shutdown
router3(config-if)#exit
router3(config)#interface loopback 0
router3(config-if)#ip address 3.3.3.3 255.0.0.0
router3(config-if)#exit
router3(config)#exit
router3# wr
BASIC CONFIGURATION ON ROUTER 4:
Router> enable
Router#configure terminal
Router(config)#hostname router4
router4(config)#interface serial 0/3/0
router4(config-if)#ip address 34.1.1.4 255.0.0.0
router4(config-if)#no shutdown
router4(config-if)#exit
router4(config)#interface loopback 0
router4(config-if)#ip address 4.1.1.1 255.255.0.0
router4(config-if)#exit
router4(config)#interface loopback 1
router4(config-if)#ip address 4.2.2.2 255.255.0.0
router4(config-if)#exit
router4(config)#interface loopback 2
router4(config-if)#ip address 4.3.3.3 255.255.0.0
router4(config-if)#exit
router4(config)#exit
router4# wr
RUNNING RIP ON ROUTER 1:
router1#configure terminal
router1(config)#router rip
router1(config-router)# do show ip route
router1(config-router)# network 1.0.0.0
router1(config-router)# network 12.0.0.0
router1(config-router)#exit
router1(config)#exit
router1#wr

RUNNING RIP ON ROUTER 2:
router2#configure terminal
router2(config)#router rip
router2(config-router)# do show ip route
router2(config-router)# network 2.0.0.0
router2(config-router)# network 12.0.0.0
router2(config-router)# network 23.0.0.0
router2(config-router)#exit
router2(config)#exit
router2#wr

RUNNING RIP ON ROUTER 3:
router3#configure terminal
router3(config)#router rip
router3(config-router)# do show ip route
router3(config-router)# network 34.0.0.0
router3(config-router)# network 3.0.0.0

router3(config-router)# network 23.0.0.0
router3(config-router)#exit
router3(config)#exit
router3#wr
RUNNING RIP ON ROUTER 4:
router4#configure terminal
router4(config)#router rip
router4(config-router)# do show ip route
router4(config-router)# network 34.0.0.0
router4(config-router)# network 4.1.0.0
router4(config-router)# network 4.2.0.0
router4(config-router)# network 4.3.0.0
router4(config-router)#exit
router4(config)#exit
router4#wr
ROUTING TABLE OF ROUTER 1:
router1#show ip route
C    1.0.0.0/8 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 12.1.1.2, 00:00:15, Serial0/3/0
R    3.0.0.0/8 [120/2] via 12.1.1.2, 00:00:15, Serial0/3/0
R    4.0.0.0/8 [120/3] via 12.1.1.2, 00:00:15, Serial0/3/0
C    12.0.0.0/8 is directly connected, Serial0/3/0
R    23.0.0.0/8 [120/1] via 12.1.1.2, 00:00:15, Serial0/3/0
R    34.0.0.0/8 [120/2] via 12.1.1.2, 00:00:15, Serial0/3/0

ROUTING TABLE OF ROUTER 2:
router2#show ip route
R    1.0.0.0/8 [120/1] via 12.1.1.1, 00:00:16, Serial0/3/0
C    2.0.0.0/8 is directly connected, Loopback0
R    3.0.0.0/8 [120/1] via 23.1.1.3, 00:00:16, Serial0/3/1
R    4.0.0.0/8 [120/2] via 23.1.1.3, 00:00:16, Serial0/3/1
C    12.0.0.0/8 is directly connected, Serial0/3/0
C    23.0.0.0/8 is directly connected, Serial0/3/1
R    34.0.0.0/8 [120/1] via 23.1.1.3, 00:00:16, Serial0/3/1

ROUTING TABLE OF ROUTER 3:
router3#show ip route
R    1.0.0.0/8 [120/2] via 23.1.1.2, 00:00:06, Serial0/3/1
R    2.0.0.0/8 [120/1] via 23.1.1.2, 00:00:06, Serial0/3/1
C    3.0.0.0/8 is directly connected, Loopback0
R    4.0.0.0/8 [120/1] via 34.1.1.4, 00:00:19, Serial0/3/0
R    12.0.0.0/8 [120/1] via 23.1.1.2, 00:00:06, Serial0/3/1
C    23.0.0.0/8 is directly connected, Serial0/3/1
C    34.0.0.0/8 is directly connected, Serial0/3/0

ROUTING TABLE OF ROUTER 4:
router4#show ip route
R    1.0.0.0/8 [120/3] via 34.1.1.3, 00:00:04, Serial0/3/0
R    2.0.0.0/8 [120/2] via 34.1.1.3, 00:00:04, Serial0/3/0
R    3.0.0.0/8 [120/1] via 34.1.1.3, 00:00:04, Serial0/3/0
     4.0.0.0/16 is subnetted, 3 subnets
C       4.1.0.0 is directly connected, Loopback0
C       4.2.0.0 is directly connected, Loopback1
C       4.3.0.0 is directly connected, Loopback2
R    12.0.0.0/8 [120/2] via 34.1.1.3, 00:00:04, Serial0/3/0
R    23.0.0.0/8 [120/1] via 34.1.1.3, 00:00:04, Serial0/3/0
C    34.0.0.0/8 is directly connected, Serial0/3/0

VERIFICATION:
router4#
router4#ping
Protocol [ip]:
Target IP address: 4.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms
VERIFICATION:
router4#ping
Protocol [ip]:
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/16 ms
CREATING STANDARD ACL ON ROUTER 4:
Task:
%% Block all the traffic coming from the host 1.1.1.1 to router 4
router4#configure terminal
router4(config)#access-list 5 deny 1.1.1.1 0.0.0.0
router4(config)#access-list 5 permit any
APPLYING STANDARD ACL ON INTERFACE SERIAL 0/3/0 ON ROUTER 4:
%% interface nearest to destination as possible
router4(config)#interface serial 0/3/0
router4(config-if)#ip access-group 5 in
router4(config-if)#exit

router4(config)#exit
router4#wr
VERIFICATION:
router1#ping
Protocol [ip]:
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:


Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
UUUUU
Success rate is 0 percent (0/5)
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.16
EXTENDED IP ACCESS CONTROL LIST

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
To implement Extended IP Access Control List on a Router.
TOOLS/APPARATUS:
• PC/Laptops
• Windows 7 and Windows 8
• Packet Tracer

THEORY:
Extended Access lists can evaluate many of the other fields in the layer 3 and layer 4 headers of an IP
packet. They can evaluate source & destination IP address, the protocol field in the Network layer
header, and port number at Transport layer header.
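As an added example (not IOS or Packet Tracer code, and not part of this manual), the following Python model shows how a router evaluates an IP access list as described in Labs 14 to 16: statements are checked in order, the first match decides, a packet matching no statement hits the implicit deny at the end, and wildcard-mask matching is what makes "1.1.1.1 0.0.0.0" a single host and "any" everything. STANDARD_ACL_5 is the list configured in Lab 15 and reproduces its two ping results; EXTENDED_ACL_101 is a constructed extended list (not the lab's own) that blocks Telnet (TCP port 23) from network 4.0.0.0/8 to host 1.1.1.1 while permitting everything else, to show the extra fields an extended list can test. The class and function names are this example's own.

```python
"""Model of Cisco IOS access-list evaluation: ordered statements, first match
wins, implicit 'deny any' at the end. Added example, not IOS code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"      # "ip", "icmp", "tcp" or "udp" in this model
    dst_port: int = 0


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks: a 0 bit means 'must match', a 1 bit means 'don't care'.
    So 0.0.0.0 matches exactly one host and 255.255.255.255 matches anything."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Entry:
    action: str                           # "permit" or "deny"
    src: str = "0.0.0.0"                  # defaults together mean "any"
    src_wild: str = "255.255.255.255"
    # The fields below are only consulted by extended ACLs (range 100-199);
    # a standard ACL (range 1-99) looks at the source address only.
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    protocol: str = "ip"                  # "ip" matches every IP protocol
    dst_port: int = None                  # None means any port

    def matches(self, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, self.src, self.src_wild):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wild):
            return False
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


def evaluate(acl: list, pkt: Packet) -> str:
    """Sequential, first-match evaluation; the implicit deny is the last statement."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


# Lab 15, as configured on router4:
#   access-list 5 deny 1.1.1.1 0.0.0.0
#   access-list 5 permit any
STANDARD_ACL_5 = [
    Entry("deny", src="1.1.1.1", src_wild="0.0.0.0"),
    Entry("permit"),
]

# Constructed extended list (not from the lab): block Telnet from 4.0.0.0/8
# to host 1.1.1.1, permit everything else. Applied close to the source.
EXTENDED_ACL_101 = [
    Entry("deny", src="4.0.0.0", src_wild="0.255.255.255",
          dst="1.1.1.1", dst_wild="0.0.0.0", protocol="tcp", dst_port=23),
    Entry("permit"),
]


if __name__ == "__main__":
    # The two verification pings from Lab 15, before and after the ACL is applied.
    print(evaluate(STANDARD_ACL_5, Packet("1.1.1.1", "4.2.2.2", "icmp")))  # deny  (UUUUU)
    print(evaluate(STANDARD_ACL_5, Packet("2.2.2.2", "4.2.2.2", "icmp")))  # permit
    print(evaluate([], Packet("2.2.2.2", "4.2.2.2", "icmp")))              # deny: implicit deny
```

The empty-list case is the one that most often surprises in the lab: an access list with only deny statements, or one with no matching permit, blocks all traffic on the interface it is applied to, which is why the lab's list ends with "permit any".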
TOPOLOGY:


BASIC CONFIGURATION ON ROUTER 1:
Router> enable
Router#configure terminal
Router(config)# hostname router1
router1(config)# interface serial 0/3/0
router1(config-if)#ip address 12.1.1.1 255.0.0.0
router1(config-if)#no shutdown
router1(config-if)#exit
router1(config)#interface loopback 0
router1(config-if)#ip address 1.1.1.1 255.0.0.0
router1(config-if)#exit
router1(config)#exit
router1# wr
CONFIGURING TELNET PASSWORD ON ROUTER 1:
router1#configure terminal
router1(config)#line vty 0 15
router1(config-line)#password cisco
router1(config-line)#login
router1(config-line)#exit
router1(config)#enable password cisco
router1(config)#end
BASIC CONFIGURATION ON ROUTER 2:
Router> enable
Router#configure terminal
Router(config)# hostname router2
router2(config)# interface serial 0/3/0
router2(config-if)#ip address 12.1.1.2 255.0.0.0
router2(config-if)#no shutdown
router2(config-if)#exit
router2(config)# interface serial 0/3/1

router2(config-if)#ip address 23.1.1.2 255.0.0.0
router2(config-if)#no shutdown
router2(config-if)#exit
router2(config)#interface loopback 0
router2(config-if)#ip address 2.2.2.2 255.0.0.0
router2(config-if)#exit
router2(config)#exit
router2# wr

BASIC CONFIGURATION ON ROUTER 3:
Router> enable
Router#configure terminal
Router(config)#hostname router3
router3(config)#interface serial 0/3/1
router3(config-if)#ip address 23.1.1.3 255.0.0.0
router3(config-if)#no shutdown
router3(config-if)#exit
router3(config)# interface serial 0/3/0
router3(config-if)#ip address 34.1.1.3 255.0.0.0
router3(config-if)#no shutdown
router3(config-if)#exit
router3(config)#interface loopback 0
router3(config-if)#ip address 3.3.3.3 255.0.0.0
router3(config-if)#exit
router3(config)#exit
router3# wr
BASIC CONFIGURATION ON ROUTER 4:
Router> enable
Router#configure terminal
Router(config)#hostname router4
router4(config)#interface serial 0/3/0
router4(config-if)#ip address 34.1.1.4 255.0.0.0

router4(config-if)#no shutdown
router4(config-if)#exit
router4(config)#interface loopback 0
router4(config-if)#ip address 4.1.1.1 255.255.0.0
router4(config-if)#exit
router4(config)#interface loopback 1
router4(config-if)#ip address 4.2.2.2 255.255.0.0
router4(config-if)#exit
router4(config)#interface loopback 2
router4(config-if)#ip address 4.3.3.3 255.255.0.0
router4(config-if)#exit
router4(config)#exit
router4# wr

RUNNING RIP ON ROUTER 1:
router1#configure terminal
router1(config)#router rip
router1(config-router)# do show ip route
router1(config-router)# network 1.0.0.0
router1(config-router)# network 12.0.0.0
router1(config-router)#exit
router1(config)#exit
router1#wr
RUNNING RIP ON ROUTER 2:
router2#configure terminal
router2(config)#router rip
router2(config-router)# do show ip route
router2(config-router)# network 2.0.0.0
router2(config-router)# network 12.0.0.0
router2(config-router)# network 23.0.0.0
router2(config-router)#exit
router2(config)#exit

router2#wr
RUNNING RIP ON ROUTER 3:
router3#configure terminal
router3(config)#router rip
router3(config-router)# do show ip route
router3(config-router)# network 34.0.0.0
router3(config-router)# network 3.0.0.0
router3(config-router)# network 23.0.0.0
router3(config-router)#exit
router3(config)#exit
router3#wr
RUNNING RIP ON ROUTER 4:
router4#configure terminal
router4(config)#router rip
router4(config-router)# do show ip route
router4(config-router)# network 34.0.0.0
router4(config-router)# network 4.1.0.0
router4(config-router)# network 4.2.0.0
router4(config-router)# network 4.3.0.0
router4(config-router)#exit
router4(config)#exit
router4#wr
ROUTING TABLE OF ROUTER 1:
router1#show ip route
C    1.0.0.0/8 is directly connected, Loopback0
R    2.0.0.0/8 [120/1] via 12.1.1.2, 00:00:15, Serial0/3/0
R    3.0.0.0/8 [120/2] via 12.1.1.2, 00:00:15, Serial0/3/0
R    4.0.0.0/8 [120/3] via 12.1.1.2, 00:00:15, Serial0/3/0
C    12.0.0.0/8 is directly connected, Serial0/3/0
R    23.0.0.0/8 [120/1] via 12.1.1.2, 00:00:15, Serial0/3/0
R    34.0.0.0/8 [120/2] via 12.1.1.2, 00:00:15, Serial0/3/0

ROUTING TABLE OF ROUTER 2:
router2#show ip route
R    1.0.0.0/8 [120/1] via 12.1.1.1, 00:00:16, Serial0/3/0
C    2.0.0.0/8 is directly connected, Loopback0
R    3.0.0.0/8 [120/1] via 23.1.1.3, 00:00:16, Serial0/3/1
R    4.0.0.0/8 [120/2] via 23.1.1.3, 00:00:16, Serial0/3/1
C    12.0.0.0/8 is directly connected, Serial0/3/0
C    23.0.0.0/8 is directly connected, Serial0/3/1
R    34.0.0.0/8 [120/1] via 23.1.1.3, 00:00:16, Serial0/3/1

ROUTING TABLE OF ROUTER 3:
router3#show ip route
R    1.0.0.0/8 [120/2] via 23.1.1.2, 00:00:06, Serial0/3/1
R    2.0.0.0/8 [120/1] via 23.1.1.2, 00:00:06, Serial0/3/1
C    3.0.0.0/8 is directly connected, Loopback0
R    4.0.0.0/8 [120/1] via 34.1.1.4, 00:00:19, Serial0/3/0
R    12.0.0.0/8 [120/1] via 23.1.1.2, 00:00:06, Serial0/3/1
C    23.0.0.0/8 is directly connected, Serial0/3/1
C    34.0.0.0/8 is directly connected, Serial0/3/0

ROUTING TABLE OF ROUTER 4:
router4#show ip route
R    1.0.0.0/8 [120/3] via 34.1.1.3, 00:00:04, Serial0/3/0
R    2.0.0.0/8 [120/2] via 34.1.1.3, 00:00:04, Serial0/3/0
R    3.0.0.0/8 [120/1] via 34.1.1.3, 00:00:04, Serial0/3/0
     4.0.0.0/16 is subnetted, 3 subnets
C       4.1.0.0 is directly connected, Loopback0
C       4.2.0.0 is directly connected, Loopback1
C       4.3.0.0 is directly connected, Loopback2
R    12.0.0.0/8 [120/2] via 34.1.1.3, 00:00:04, Serial0/3/0
R    23.0.0.0/8 [120/1] via 34.1.1.3, 00:00:04, Serial0/3/0
C    34.0.0.0/8 is directly connected, Serial0/3/0

VERIFICATION:
router4#
router4#ping
Protocol [ip]:
Target IP address: 4.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: 1.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/3 ms
VERIFICATION:
router4#ping
Protocol [ip]:
Target IP address: 4.2.2.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: 1.1.1.1

Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/5/16 ms
VERIFICATION:
router4#telnet 12.1.1.1
Trying 12.1.1.1 ...Open
User Access Verification
Password:
router1>

CREATING EXTENDED ACL ON ROUTER 1:
Task:
%% Block all the telnet traffic coming from the host 34.1.1.4 to host 12.1.1.1
router1#configure terminal
router1(config)#access-list 101 deny tcp 34.1.1.4 0.0.0.0 12.1.1.1 0.0.0.0 eq 23
router1(config)#access-list 101 permit ip any any
APPLYING EXTENDED ACL ON INTERFACE SERIAL 0/3/0 ON ROUTER 1:
router1(config)#interface serial 0/3/0
router1(config-if)#ip access-group 101 in
router1(config-if)#exit
router1(config)#exit

router1#wr

VERIFICATION:
router4#telnet 12.1.1.1
Trying 12.1.1.1 ...
% Connection timed out; remote host not responding

VERIFICATION:
router2#telnet 12.1.1.1
Trying 12.1.1.1 ...Open
User Access Verification
Password:
router1>
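The matching that both access-list labs exercise (the standard ACL 5 applied inbound on router4 at the end of Lab 15, and the extended ACL 101 applied inbound on router1 here) can be traced step by step in a small simulator. The following is an added Python example, not code from the manual or from Cisco IOS: it parses the two access-list 101 lines exactly as typed above, evaluates constructed packets with first-match semantics and the implicit deny that ends every list, and reproduces the three verification results (telnet from router4 denied, telnet from router2 and pings still permitted). The entries given for ACL 5 are an assumption, since that list is defined in the earlier part of Lab 15 and not reproduced here; Packet, Entry, parse_acl, evaluate, lab_demo and LAB_CONFIG are names chosen for this example.

```python
"""Simulate Cisco IOS access-list matching for standard and extended ACLs.
Added example, not code from the lab manual or from Cisco IOS: it parses
access-list lines in the lab's syntax and evaluates constructed packets with
first-match semantics and the implicit deny that ends every ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80}  # port keywords IOS accepts after "eq"

@dataclass
class Packet:
    """Constructed packet: the header fields an extended ACL can inspect."""
    proto: str                   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port for tcp/udp

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: Tuple[int, int]            # (address, wildcard) as 32-bit ints
    dst: Optional[Tuple[int, int]]  # None for a standard ACL (source only)
    dport: Optional[int]            # None when there is no "eq" clause

def _addr_spec(tokens: List[str], extended: bool) -> Tuple[int, int]:
    """Consume "any", "host A.B.C.D" or "A.B.C.D WILDCARD" from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    base = int(ipaddress.IPv4Address(tok))
    # Extended syntax requires an explicit wildcard mask; a standard ACL may
    # give a bare address, which IOS treats as one host (wildcard 0.0.0.0).
    if extended or (tokens and tokens[0].count(".") == 3):
        return base, int(ipaddress.IPv4Address(tokens.pop(0)))
    return base, 0

def parse_acl(config_lines: List[str]) -> Dict[int, List[Entry]]:
    """Build ACL tables from 'access-list ...' lines; prompts and other lines are skipped."""
    acls: Dict[int, List[Entry]] = {}
    for line in config_lines:
        tokens = line.split("#", 1)[-1].split()  # drop a "router1(config)#" prompt
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 100 <= number <= 199 or 2000 <= number <= 2699:  # extended ranges
            proto = rest.pop(0)
            src, dst = _addr_spec(rest, True), _addr_spec(rest, True)  # consumed in order
            dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        else:  # standard ACL: source address only, any protocol
            proto, src, dst, dport = "ip", _addr_spec(rest, False), None, None
        acls.setdefault(number, []).append(Entry(action, proto, src, dst, dport))
    return acls

def _match(addr: str, spec: Tuple[int, int]) -> bool:
    """Wildcard bit 1 means 'don't care': compare only the bits the wildcard leaves 0."""
    base, wildcard = spec
    return (int(ipaddress.IPv4Address(addr)) & ~wildcard) == (base & ~wildcard)

def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """The first matching entry decides; no match falls through to the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not _match(pkt.src, e.src):
            continue
        if e.dst is not None and not _match(pkt.dst, e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"

# Lab 16's two lines as typed on router1, plus an assumed definition of the
# standard ACL 5 that router4 applies in Lab 15 (its entries are not shown here).
LAB_CONFIG = [
    "router1(config)#access-list 101 deny tcp 34.1.1.4 0.0.0.0 12.1.1.1 0.0.0.0 eq 23",
    "router1(config)#access-list 101 permit ip any any",
    "router4(config)#access-list 5 deny 1.1.1.1 0.0.0.0",  # assumption
    "router4(config)#access-list 5 permit any",            # assumption
]

def lab_demo() -> Dict[str, str]:
    """Replay the manual's verification steps against the parsed lists."""
    acls = parse_acl(LAB_CONFIG)
    return {
        "telnet router4->router1": evaluate(acls[101], Packet("tcp", "34.1.1.4", "12.1.1.1", 23)),
        "telnet router2->router1": evaluate(acls[101], Packet("tcp", "12.1.1.2", "12.1.1.1", 23)),
        "ping router4->router1": evaluate(acls[101], Packet("icmp", "34.1.1.4", "12.1.1.1")),
        "ping 1.1.1.1->4.2.2.2": evaluate(acls[5], Packet("icmp", "1.1.1.1", "4.2.2.2")),
        "ping 2.2.2.2->4.2.2.2": evaluate(acls[5], Packet("icmp", "2.2.2.2", "4.2.2.2")),
    }

if __name__ == "__main__":
    for flow, verdict in lab_demo().items():
        print(f"{flow:26} {verdict}")
```

Running it prints one verdict per flow. The deny for the 1.1.1.1 to 4.2.2.2 ping is what the UUUUU output at the end of Lab 15 shows, and the implicit deny at the end of the loop is why a list containing only deny statements blocks all traffic on the interface, which is the reason the lab adds permit ip any any as the last line of ACL 101.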
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.17
VIRTUAL PRIVATE NETWORK (VPN)

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Creating a Virtual Private Network (VPN).
TOOLS/ APPARATUS:
PC/Laptops
Windows 7 and Windows 8.

THEORY:
A VPN is a network that uses a public telecommunication infrastructure, such as the Internet, to
provide remote offices or individual users with secure access to their organization's network. A VPN
ensures privacy through security procedures and tunneling protocols such as the Layer Two Tunneling
Protocol ( L2TP ). Data is encrypted at the sending end and decrypted at the receiving end. But VPNs
connect to the outside world over the Internet, and they can serve to secure general Internet traffic in
addition to corporate assets. In fact, the lion's share of modern VPNs are encrypted, so computers,
devices, and other networks that connect to them do so via encrypted tunnels.
WHY WE WANT TO CREATE A VPN:
You have at least four great reasons to start using a VPN. First, you can use it to connect securely to a
remote network via the Internet. Most companies maintain VPNs so that employees can access files,
applications, printers, and other resources on the office network without compromising security, but
you can also set up your own VPN to safely access your secure home network while you're on the
road.
Second, VPNs are particularly useful for connecting multiple networks together securely. For this
reason, most businesses big and small rely on a VPN to share servers and other networked resources
among multiple offices or stores across the globe. Even if you don't have a chain of offices to worry
about, you can use the same trick to connect multiple home networks or other networks for personal
use.

Figure 1: This diagram illustrates the difference between using an unencrypted connection and using
a VPN-secured Internet connection at your average coffee shop.
Third, if you're concerned about your online privacy, connecting to an encrypted VPN while you're on
a public or untrusted network—such as a Wi-Fi hotspot in a hotel or coffee shop—is a smart, simple
security practice. Because the VPN encrypts your Internet traffic, it helps to stymie other people who
may be trying to snoop on your browsing via Wi-Fi to capture your passwords.
Fourth and finally, one of the best reasons to use a VPN is to circumvent regional restrictions—known
as geo-blocking—on certain websites. Journalists and political dissidents use VPNs to get around
state-sponsored censorship all the time, but you can also use a VPN for recreational purposes, such as
connecting to a British VPN to watch the BBC iPlayer outside the UK. Because your Internet traffic
routes through the VPN, it looks as if you're just another British visitor.
PICK YOUR PROTOCOL:
When choosing a networking protocol for your VPN, you need worry only about the four most popular
ones. Here's a quick rundown, including the strengths and weaknesses of each.
Point-to-Point Tunneling Protocol (PPTP) is the least secure VPN method, but it’s a great starting
point for your first VPN because almost every operating system supports it, including Windows, Mac
OS, and even mobile OSs.
Layer 2 Tunneling Protocol (L2TP) and Internet Protocol Security (IPsec) are more secure than
PPTP and are almost as widely supported, but they are also more complicated to set up and are
susceptible to the same connection issues as PPTP is.
Secure Sockets Layer (SSL) VPN systems provide the same level of security that you trust when you
log on to banking sites and other sensitive domains. Most SSL VPNs are referred to as "clientless,"
since you don't need to be running a dedicated VPN client to connect to one of them. They're my
favorite kind of VPN because the connection happens via a Web browser and thus is easier and more
reliable to use than PPTP, L2TP, or IPsec.

Figure 2: An SSL VPN server is designed to be accessed via Web browser and creates encrypted
channels so that you can safely access the server from anywhere.
OpenVPN is exactly what it sounds like: an open-source VPN system that's based on SSL code. It's
free and secure, and it doesn't suffer from connection issues, but using OpenVPN does require you to
install a client since Windows, Mac OS X, and mobile devices don't natively support it.
In short: When in doubt, try to use SSL or OpenVPN. Keep in mind that some of the services
highlighted in the next section don’t use these protocols. Instead, they use their own proprietary VPN
technology.
Now, let's talk about how to create and connect to your own VPN. If you want simple remote access
to a single computer, consider using the VPN software built into Windows. If you’d like to network
multiple computers together quickly through a VPN, consider installing stand-alone VPN server
software.
If you need a more reliable and robust arrangement (one that also supports site-to-site connections),
consider using a dedicated VPN router. And if you just want to use a VPN to secure your Internet
traffic while you're on public Wi-Fi hotspots and other untrusted networks—or to access regionally
restricted sites—consider subscribing to a third-party hosted VPN provider.
SET UP A SIMPLE VPN WITH WINDOWS:
Windows comes loaded with a VPN client that supports the PPTP and L2TP/IPsec protocols. The
setup process is simple: If you're using Windows 8, just bring up the Search charm, type VPN, and
then launch the VPN wizard by clicking Set up a virtual private network (VPN) connection.

You can use this client to connect securely to other Windows computers or to other VPN servers that
support the PPTP and L2TP/IPsec protocols—you just need to provide the IP address or domain name
of the VPN server to which you want to connect. If you're connecting to a corporate or commercial
VPN, you can contact the administrator to learn the proper IP address. If you're running your own VPN
server via Windows, you can figure out the server's IP address by typing CMD in the Search charm,
launching the Command Prompt, and typing ipconfig. This simple trick comes in handy when
you're setting up your Windows PC as a VPN server, and then connecting to it so that you can securely,
remotely access your files from anywhere.

Figure 3: Windows has a built-in VPN client, but you'll need to provide the connection information
(namely, the IP address) for the VPN server you want to use.
Quick Note: When setting up incoming PPTP VPN connections in Windows, you must configure your
network router to forward VPN traffic to the Windows computer you want to access remotely. You
can do this by logging in to the router’s control panel—consult the manufacturer's instructions on how
to do this—and configuring the port-forwarding or virtual-server settings to forward port 1723 to the
IP address of the computer you wish to access. In addition, PPTP or VPN pass-through options need
to be enabled in the firewall settings, but usually they're switched on by default.
HOW TO SET UP VPN IN WINDOWS 7:
Windows 7 comes preloaded with the Agile VPN client, which makes setting up either kind of
connection relatively easy.
Step by Step: Connecting to a VPN (Outgoing)

Step 1 Click the Start button. In the search bar, type VPN and then select Set up a virtual private
network (VPN) connection.

Step 2 Enter the IP address or domain name of the server to which you want to connect. If you're
connecting to a work network, your IT administrator can provide the best address.
Step 3 If you want to set up the connection, but not connect, select Don't connect now; otherwise,
leave it blank and click Next.
Step 4 On this next screen, you can either put in your username and password, or leave it blank. You'll
be prompted for it again on the actual connection. Click Connect.
Step 5 To connect, click on the Windows network logo on the lower-right part of your screen; and
then select Connect under VPN Connection.
Step 6 In the Connect VPN Connection box, enter the appropriate domain and your log-in credentials;
and then click Connect.

Step 7 If you can't connect, the problem could be due to the server configuration. (There are different
types of VPN.) Check with your network administrator to see what kind is in use, such as PPTP; then,
on the Connect VPN Connection screen, select Properties.
Step 8 Navigate to the Security tab and select the specific Type of VPN from the drop-down list. You
may also have to unselect Include Windows logon domain under the Options tab. Then click OK and
Connect.
Step by Step: Building a VPN (Incoming):

Step 1 Click the Start button, and, in the search bar, type Network and Sharing.
Step 2 Click Change Adapter Settings in the left-hand menu.
Step 3 Click File, and then New Incoming Connection.
Step 4 Select the users you'd like to give access to and click Next.

Step 5 Click Through the Internet and select Next.
Step 6 Select the Internet Protocol you'd like to use. (The default TCP/IPv4--the line highlighted in
the screenshot below--will work fine.)

Step 7 Finally, click Allow access; you've now set up an incoming VPN connection.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


LAB EXPERIMENT NO.18
WINDOWS FIREWALL

Student Name:

Roll No:

Lab Instructor Signatures:

Date:

OBJECTIVE:
Configure Windows firewall settings.
TOOLS/ APPARATUS:
PC/Laptops
Windows 7 and Windows 8.

THEORY:
A firewall is software or hardware that checks information coming from the Internet or a network, and
then either blocks it or allows it to pass through to your computer, depending on your firewall settings.
A firewall can help prevent hackers or malicious software from gaining access to your computer
through a network or the Internet. A firewall can also help stop your computer from sending malicious
software to other computers.
Configure Windows Firewall
You can customize most settings of Windows Firewall through the left pane of the Firewall applet in
Control Panel.


Turn on Windows Firewall.
This setting is selected by default. When Windows Firewall is on, most programs are blocked from
communicating through the firewall. If you want to allow a program to communicate through the
firewall, you can add it to the list of allowed programs. For example, you might not be able to send
photos in an instant message until you add the instant messaging program to the list of allowed
programs. To add a program to the list, see Allow a program to communicate through Windows
Firewall.
Block all incoming firewall connections, including those in the list of allowed programs
This setting blocks all unsolicited attempts to connect to your computer. Use this setting when you
need maximum protection for your computer, such as when you connect to a public network in a hotel
or airport, or when a computer worm is spreading over the Internet. With this setting, you are not
notified when Windows Firewall blocks programs, and programs in the list of allowed programs are
ignored. When you block all incoming connections, you can still view most webpages, send and
receive e-mail, and send and receive instant messages.
Turn off Windows Firewall
Avoid using this setting unless you have another firewall running on your computer. Turning off
Windows Firewall might make your computer more vulnerable to damage from hackers and malicious
software.
Allow a program to communicate through Windows Firewall
By default, most programs are blocked by Windows Firewall to help make your computer more secure.
To work properly, some programs might require you to allow them to communicate through the
firewall. Here’s how to do that:
Click Allow a program or feature through Windows Firewall. If you are prompted for an administrator
password or confirmation, type the password or provide confirmation.
Click Enable all controls. If you are prompted for an administrator password or confirmation, type the
password or provide confirmation.
Select the check box next to the program you want to allow, select the network location types you want
to allow communication on, and then click OK.
How to open a port in Windows Firewall
If Windows Firewall is blocking a program and you want to allow that program to communicate
through the firewall, you can usually do that by selecting the program in the list of allowed programs
(also called the exceptions list) in Windows Firewall. To learn how to do this, see Allow a program to
communicate through Windows Firewall.
However, if the program isn’t listed, you might need to open a port. For example, to play a multiplayer
game with friends online, you might need to open a port for the game so that the firewall allows the
game information to reach your computer. A port stays open all the time, so be sure to close ports that
you don’t need anymore.
Click to open Windows Firewall. In the left pane, click Advanced settings.

In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules,
and then, in the right pane, click New Rule.


Next, follow the instructions on your screen to its logical conclusion.
RESULTS/OBSERVATIONS:
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
