CS402 Study Guide

Unit 7: Multimedia, Security, and Cloud Computation over the internet


7a. Compare application protocols, such as Voice over Internet Protocol (VoIP) and Internet Protocol television (IPTV)

  • What protocols are involved for an IPTV system to provide full video streaming?
  • What are some of the codecs used by media streaming companies today?

With the emergence of digital networks and the internet, Voice over IP (VoIP), or IP Telephony, began to be used to deliver voice and multimedia over IP. IPTV is closely related and refers to the delivery of television content over IP.

Audio and video originate as analog signals. Before they can cross digital infrastructure, the sender must transform them into a digital bitstream, and the receiver must decode that stream back into audio or video. A codec (short for coder/decoder) is the software or hardware that does this. Both sides must agree ahead of time on the codec so that they encode and decode with the same mechanisms; that agreement is made when the session is set up, for example by SIP, which carries each side's list of supported codecs in an SDP offer and answer. Standards such as MPEG-4 specify both audio and video coding. Another major benefit of codecs is compression, which reduces transmission bandwidth; sending uncompressed video demands enormous bandwidth. Popular audio codecs include AAC-LD (FaceTime), Opus (WhatsApp), SILK (Skype), and the ITU-T codecs G.711 and G.722; MPEG-4 (including H.264, MPEG-4 Part 10) is widely used for video on demand. Once the signal is digital, several protocols establish and maintain the connection and deliver the content: SIP for signalling, RTP for carrying the media, and RTCP for monitoring delivery quality. None of these provides confidentiality on its own; SIP over TLS and SRTP are needed to protect the signalling and the media respectively.
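As an added example (not part of the original study guide), here is a small Python parser for the SDP offer that SIP carries during session setup. It lists the codecs the caller proposes, picks the first one our side supports in the way an answering endpoint does, and works out which address/port pairs the RTP and RTCP streams will use, which is what a firewall must open. The SDP text is constructed for illustration (192.0.2.0/24 is a documentation address range) and the list of codecs "our" endpoint supports is an assumption.

```python
"""Codec negotiation from an SDP offer (RFC 4566 syntax, RFC 3264 offer/answer rule).
Added example; the SDP text is constructed and the 'supported' list is an assumption."""
import re

# Static RTP/AVP payload types (RFC 3551). Anything else must be declared with a=rtpmap.
STATIC_PAYLOAD_TYPES = {0: "PCMU/8000", 8: "PCMA/8000", 9: "G722/8000", 18: "G729/8000"}

# Constructed offer: G.711 mu-law/A-law, G.722 and Opus for audio, H.264 for video.
OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8 9 111
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 opus/48000/2
a=fmtp:111 useinbandfec=1
m=video 51372 RTP/AVP 96
a=rtpmap:96 H264/90000
"""


def parse_sdp(text):
    """Return (session_ip, media_list); each media entry holds kind, port, proto, ip
    and an ordered {payload_type: codec} map in the offerer's preference order."""
    session_ip, media = None, []
    for line in text.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue                       # every SDP line is <type>=<value>
        key, value = line[0], line[2:]
        if key == "c":                     # c=<nettype> <addrtype> <address>
            ip = value.split()[2]
            if media:
                media[-1]["ip"] = ip       # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif key == "m":                   # m=<kind> <port> <proto> <fmt> ...
            kind, port, proto, *fmts = value.split()
            codecs = {int(pt): STATIC_PAYLOAD_TYPES.get(int(pt)) for pt in fmts}
            media.append({"kind": kind, "port": int(port), "proto": proto,
                          "ip": session_ip, "codecs": codecs})
        elif key == "a" and media:
            hit = re.match(r"rtpmap:(\d+)\s+(\S+)", value)
            if hit and int(hit.group(1)) in media[-1]["codecs"]:
                media[-1]["codecs"][int(hit.group(1))] = hit.group(2)
    return session_ip, media


def choose_codec(offer_media, supported):
    """Offer/answer rule: the first codec in the OFFERER's order that we support wins.
    Codec names are case-insensitive per RFC 4566."""
    wanted = {s.lower() for s in supported}
    for pt, name in offer_media["codecs"].items():
        if name and name.lower() in wanted:
            return pt, name
    return None                            # no common codec: reject the stream (port 0)


def rtp_pinholes(media_list):
    """(ip, port) pairs a firewall must open: RTP on the m= port and RTCP on port + 1.
    The SDP body, not the SIP signalling port, tells you where media will actually flow."""
    holes = []
    for m in media_list:
        if m["port"] == 0:                 # port 0 means the stream was rejected
            continue
        holes += [(m["ip"], m["port"]), (m["ip"], m["port"] + 1)]
    return holes


if __name__ == "__main__":
    ip, media = parse_sdp(OFFER)
    print(choose_codec(media[0], ["opus/48000/2", "PCMU/8000"]))   # (0, 'PCMU/8000')
    print(rtp_pinholes(media))
```

Note that even though our endpoint lists Opus first, the answer is PCMU: the offerer's order decides, which is why a caller that prefers a weak or bandwidth-hungry codec gets it unless the answering side removes it from the list entirely.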

Let's now consider bandwidth requirements if uncompressed multimedia streams are to be sent. The introduction of multimedia streaming created many challenges for TV service providers. As an isolated example, consider the case where a service provider wants to offer high-definition TV (HDTV) with a resolution of 1080p to its customers. What bandwidth would be required to do this?

Resolution is normally expressed as horizontal pixels by vertical pixels. So, an HDTV of 1920 × 1080 means that the screen will be 1920 pixels in the horizontal direction and 1080 pixels in the vertical direction. In other words, one single frame has 1920 × 1080 = 2,073,600 pixels. We also need to consider the number of frames per unit of time. To make it simple, assume that 30 frames are sent every second. That means that we would need to send 30 × 2,073,600 = 62,208,000 pixels per second. Finally, each pixel is represented by bits, since information is being sent digitally. How many bits are there per pixel? A rule of thumb is that for true color depth, you need 3 bytes per pixel, which is equal to 24 bits per pixel. 

Therefore, the bandwidth is:

Bandwidth = (62,208,000 pixels/second) × (24 bits/pixel) = 1,492,992,000 bits per second.

This is roughly 1.5 Gbps (about 1,493 Mbps) for a single uncompressed stream. You can see why compression techniques and high-bandwidth links such as fiber optics are so important. To review, see SIP and RTP and IPTV.


7b. Describe some typical challenges for TCP/IP security and their solutions

  • How are symmetric and asymmetric key encryption different?
  • How are symmetric and asymmetric key encryption similar?

Today's business climate requires companies to establish and maintain:

  • extranets that create links with suppliers and business partners;
  • intranets that link facilities across the world, which traditionally required costly wide area networks; and
  • support for remote users when employees need to telecommute or access the company network while traveling.

Before the internet became the preferred tool, companies relied on leased private lines. However, the internet is much more convenient, and allows for vastly increased productivity. Needless to say, security issues can be a problem, such as the privacy risks of confidential data being intercepted as it is accessed remotely. There is also the danger of losing data integrity, which involves the modification of confidential or non-confidential data. Finally, identity spoofing is a risk, where intruders impersonate users and gain access to confidential information.

The underlying problem is that IP itself authenticates nothing and encrypts nothing, so large IP networks are vulnerable to spoofing, where one machine in the network imitates another; sniffing, where one machine eavesdrops on the transmissions between two other machines; and session hijacking, where an attacker combines both techniques to take over an established communication and masquerade as one of the communicating parties.

There are many methods for providing security over the internet. The simplest is basic data encryption. Data encryption simply means to take the original data and apply a key to encrypt it so that it appears garbled or otherwise unreadable to any unintended users.

Encryption is accomplished by:

  • taking an unencrypted message (plaintext);
  • applying an encryption algorithm using a secret "key" to generate encrypted text, called "ciphertext";
  • transmitting the encrypted ciphertext message;
  • having the recipient apply the corresponding decryption algorithm to the ciphertext, with the same key in the case of symmetric encryption, to recover the original plaintext message.

Most encryption and hashing algorithms are complex, but we can see how they work by considering a simple XOR function. XOR encoding works by taking a bit pattern for the message, M, and performing an XOR function with bit pattern K (the encryption key) to get bit pattern C, the ciphertext that is sent through the network. The receiver will perform a similar procedure by applying XOR to C with K to get back M, the original message.

On the sending side:

M = Original Message  = 00111010 11110110 00001111
K = Encryption Key    = 11100011 01010101 11110000
C = Ciphertext        = 11011001 10100011 11111111

As you can see, C is a completely different message that is sent through the internet.

On the receiving side:

C = Ciphertext         = 11011001 10100011 11111111
K = Encryption Key     = 11100011 01010101 11110000
M = Recovered Message  = 00111010 11110110 00001111

The recovered message is the same as the original message.
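The XOR scheme above in runnable Python, as an added example that is not part of the original guide. It reproduces the bit patterns from the walkthrough and then shows the two attacks that make a reused key worthless: known-plaintext key recovery (C XOR M = K) and the "two-time pad" (C1 XOR C2 = M1 XOR M2). The two longer messages and the second key are constructed for the demonstration.

```python
"""XOR encryption from the walkthrough, and why a reused key is worthless.
Added example; the messages and keys below are constructed for the demonstration."""
import os


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """C = M XOR K. If the key is shorter than the data it repeats, which is the weakness."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# The exact bit patterns used in the walkthrough above.
M = bytes([0b00111010, 0b11110110, 0b00001111])
K = bytes([0b11100011, 0b01010101, 0b11110000])


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: if the attacker knows (or can guess) M for one
    ciphertext, the key falls out immediately because C XOR M = K."""
    return xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)


def two_time_pad(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Two messages under the same key: C1 XOR C2 = M1 XOR M2, the key cancels out,
    so knowing one plaintext reveals the other without ever learning K."""
    m1_xor_m2 = bytes(a ^ b for a, b in zip(c1, c2))
    return xor_bytes(m1_xor_m2, known_m1)


def one_time_pad_key(message: bytes) -> bytes:
    """The only safe way to use XOR: a truly random key, as long as the message,
    used exactly once. Then C reveals nothing about M."""
    return os.urandom(len(message))


# Constructed pair of same-length messages encrypted under one reused key.
M1 = b"transfer $100 to bob"
M2 = b"transfer $900 to eve"
K2 = bytes(range(101, 101 + len(M1)))


if __name__ == "__main__":
    c = xor_bytes(M, K)
    print(" ".join(f"{b:08b}" for b in c))            # 11011001 10100011 11111111
    print(recover_key(c, M) == K)                      # True: one known plaintext gives K
    c1, c2 = xor_bytes(M1, K2), xor_bytes(M2, K2)
    print(two_time_pad(c1, c2, M1))                    # b'transfer $900 to eve'
```

The "skilled hacker" of the text does not need to be skilled at all: the second message is recovered with three XORs and no knowledge of the key.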

If the key is as long as the message, truly random, and used exactly once, this is the one-time pad, which no amount of computing power can break. In practice keys are short and reused, and then the scheme collapses immediately: anyone who knows or can guess the plaintext of one message recovers the key (C XOR M = K), and two ciphertexts under the same key leak C1 XOR C2 = M1 XOR M2 with no key needed at all. Real systems therefore use more elaborate algorithms built on mathematical transforms, such as:

  • Data Encryption Standard (DES, 56-bit key; breakable by brute force and withdrawn as a standard)
  • Triple Data Encryption Standard (3DES, 168-bit key with about 112 bits of effective strength; deprecated by NIST)
  • Advanced Encryption Standard (AES, 128-, 192-, and 256-bit keys; the current standard)

Even with these, a key that is used for too long or for too much traffic gives an attacker more material to work with, and a single compromised key exposes everything ever encrypted under it. The "key" to having a safe key is to change it often. Doing so creates the real challenge: making sure both parties hold the current key without exposing it in transit.

Consider symmetric key encryption first. Both sides use the same key to encrypt and decrypt; that key is called a "shared secret" and must reach both sides without being exposed. Asymmetric encryption avoids that problem by using a pair of keys, one private and one public. The public key encrypts data, while the private key decrypts it. If A wants to send data to B, A encrypts with B's public key and B decrypts with its own private key. The private key is never shared, which removes the key-distribution risk of symmetric encryption. The method relies on modular arithmetic, and distribution is easy because the public key can simply be published, for example embedded in a certificate that a certificate authority has signed to bind it to B's identity; the private key always stays with its owner. How can an algorithm work when one of its keys is known to everyone? Because knowing the public key gives you only half of what you need:


m = original message

K+b = B's public encryption key
K-b = B's private decryption key

K+b(m) = ciphertext produced by encrypting m with B's public key
K-b(c) = plaintext produced by decrypting ciphertext c with B's private key

For public key cryptography you encrypt with the public key and decrypt with the private key, so that:

K-b(K+b(m)) = m

An intruder, C, cannot decrypt the message, since C does not have K-b; applying C's own private key gives

K-c(K+b(m)) ≠ m

so what the intruder recovers is not the original message. The keys also work the other way round: a value transformed with K-b can be checked by anyone holding K+b, which is the basis of digital signatures.

One practical issue is that asymmetric algorithms are much slower (up to a thousand times slower) than symmetric ones. The standard way around this is hybrid encryption: the public-key operation protects only a fresh, randomly generated symmetric key, and the bulk data is encrypted with that symmetric key. TLS and IPsec both work this way, using asymmetric operations for key establishment and symmetric ciphers for the traffic.
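Textbook RSA in the K+b / K-b notation of this section, as an added example (not the guide's own code). The primes 61 and 53 and the message 65 are chosen small enough to follow by hand, and the last function shows why that size is fatal: factoring n recovers the private key. Real RSA uses 2048-bit or larger moduli and a padding scheme such as OAEP; the unpadded, deterministic form here is for illustration only.

```python
"""Textbook RSA in the K+b / K-b notation of this section, on toy-sized numbers.
Added example; the primes are deliberately tiny so the arithmetic is checkable by hand,
which also makes the key trivially breakable (see break_toy_key)."""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return (K+, K-) = ((e, n), (d, n)) for distinct primes p, q with gcd(e, phi) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m: int) -> int:         # K+b(m)
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:        # K-b(c)
    d, n = priv
    return pow(c, d, n)


def break_toy_key(pub):
    """Recover the private key from the public one by factoring n with trial division.
    This step is what is infeasible at real key sizes, and it is all that protects K-b."""
    e, n = pub
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1)), n
    raise ValueError("modulus has no small factor")


def demo():
    bob_pub, bob_priv = keygen(61, 53)         # n = 3233, e = 17, d = 2753
    m = 65
    c = encrypt(bob_pub, m)                    # 2790: what travels over the network
    assert decrypt(bob_priv, c) == m           # K-b(K+b(m)) = m
    intruder_guess = (bob_pub[0], bob_pub[1])  # C has no K-b; using e in place of d fails
    assert decrypt(intruder_guess, c) != m
    return c, decrypt(break_toy_key(bob_pub), c)


if __name__ == "__main__":
    print(demo())                              # (2790, 65): eavesdropper wins at this size
```

Because textbook RSA is deterministic, encrypting the same message twice yields the same ciphertext, which is another reason real implementations always add randomized padding.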


7c. Improve TCP/IP security by using security protocols

  • How does the Diffie-Hellman algorithm work?
  • What is IPsec used for?

One way to get the speed of symmetric key cryptography without its key-distribution burden, and without paying the cost of asymmetric encryption for bulk data, is a method that lets two hosts create a shared secret dynamically over a public network without ever transmitting it. This gives the best of both worlds.

The best-known and most widely used algorithm for this is Diffie-Hellman. Because the shared secret is created fresh for each session, there is no need to store secret keys for long periods, which reduces risk. The two nodes first agree on two values: P, a prime number larger than 2, and G, an integer smaller than P that generates the multiplicative group modulo P. Both values can be public. Each node then picks its own private value X, between 1 and P-2, and computes Y = G^X mod P. Y is the node's public value and can be sent across the internet in the clear.

The public value Y is useless without its other "half", the private value X. On receiving the other node's Y, each node computes the common secret Z = Y^X mod P using its own X. Modulo (mod) is the remainder after integer division; for example, 64 mod 11 = 9, because 64 = 5 × 11 + 9. Both nodes arrive at the same Z because (G^Xa)^Xb = G^(Xa·Xb) = (G^Xb)^Xa mod P, while an eavesdropper who sees only G, P, Ya and Yb would have to recover an X from a Y (the discrete logarithm problem), which is infeasible at the group sizes used in practice (2048-bit primes or elliptic-curve equivalents). Z, run through a key derivation function, then serves as the key for a symmetric cipher. One caveat: Diffie-Hellman on its own says nothing about who is at the other end. An active attacker can run a separate exchange with each side and relay between them, so the public values must be authenticated, typically with a digital signature, which is exactly what IPsec's key management protocol IKE does.
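The Diffie-Hellman exchange above as Python, added here and not part of the original guide. It uses the textbook group P = 23, G = 5 with private values 6 and 15 so each step can be checked by hand, then shows what happens when nobody authenticates the exchange: Mallory substitutes her own public value and ends up holding a separate key with each side. The small group and the fixed private values are assumptions for readability; real deployments use a 2048-bit or larger MODP group or an elliptic curve, and draw private values from a cryptographic random source.

```python
"""Diffie-Hellman over the textbook group P = 23, G = 5, plus the man-in-the-middle
attack that works when the public values are not authenticated. Added example; the
group and the fixed private values are assumptions chosen for readability."""
import hashlib
import secrets

P, G = 23, 5            # public parameters: prime P and a generator G of the group mod P


def private_value(p: int = P) -> int:
    """X drawn uniformly from [1, P-2] with a CSPRNG; never from random.random()."""
    return secrets.randbelow(p - 2) + 1


def public_value(x: int, p: int = P, g: int = G) -> int:
    return pow(g, x, p)                  # Y = G^X mod P, safe to send in the clear


def shared_secret(their_y: int, my_x: int, p: int = P) -> int:
    return pow(their_y, my_x, p)         # Z = Y^X mod P


def session_key(z: int) -> bytes:
    """Z is not a key yet: run it through a KDF (here SHA-256 of its big-endian bytes)
    so the symmetric key is uniformly distributed. Real protocols use HKDF or IKE's prf."""
    return hashlib.sha256(z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")).digest()


def honest_exchange(xa: int = 6, xb: int = 15):
    """Both sides end with the same Z because (G^Xa)^Xb = (G^Xb)^Xa mod P."""
    ya, yb = public_value(xa), public_value(xb)        # exchanged over the network
    za, zb = shared_secret(yb, xa), shared_secret(ya, xb)
    return ya, yb, za, zb                              # (8, 19, 2, 2)


def mitm_exchange(xa: int = 6, xb: int = 15, xm: int = 9):
    """Mallory intercepts Ya and Yb and hands each side her own Ym instead.
    Alice and Bob each derive a key they share with Mallory, not with each other,
    which is why IKE signs the DH values with certificates before trusting them."""
    ya, yb, ym = public_value(xa), public_value(xb), public_value(xm)
    z_alice = shared_secret(ym, xa)      # Alice believes Ym came from Bob
    z_bob = shared_secret(ym, xb)        # Bob believes Ym came from Alice
    z_mal_alice = shared_secret(ya, xm)  # Mallory's key with Alice
    z_mal_bob = shared_secret(yb, xm)    # Mallory's key with Bob
    return z_alice == z_mal_alice, z_bob == z_mal_bob, z_alice == z_bob   # (True, True, False)


if __name__ == "__main__":
    print(honest_exchange())
    print(mitm_exchange())
    xa, xb = private_value(), private_value()
    print(session_key(shared_secret(public_value(xb), xa)).hex())
```

In the honest run Alice sends 8, Bob sends 19, and both compute Z = 2; an eavesdropper sees 23, 5, 8 and 19 and would need the discrete logarithm to get further. In the attacked run neither party notices anything: each simply has a working key, and Mallory decrypts and re-encrypts every packet between them.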


7d. Illustrate how IT professionals use Virtual Private Networks (VPNs) to enhance security in the workplace

  • What are the various kinds of VPNs? What are each of their strengths and weaknesses?
  • What is the difference between the Tunnel and Transport modes of IPsec? When is one preferred over the other?

VPNs use the public internet to carry private communications safely and inexpensively. VPNs supply network connectivity over long physical distances, and are a form of a WAN over public networks instead of private leased lines. VPNs support remote access client connections, LAN-to-LAN internetworks, and controlled access within an intranet. VPNs are based on a "tunneling" strategy – packets in one of several VPN protocol formats are encapsulated within IP packets.

One of the original VPN protocols was PPTP, developed by Microsoft. It was easy to configure, had low overhead, ran faster than its counterparts, and was supported by Windows out of the box, which made it attractive. However, its authentication (MS-CHAPv2) and encryption (MPPE) have long been broken, so it is less desirable than its main rival, the Layer 2 Tunneling Protocol (L2TP), and should not be used for anything sensitive. L2TP constructs a tunnel that encapsulates layer 2 frames in IP packets across the public Internet. It has broad industry support, runs over any transport, and makes a remote user appear to be attached directly to the corporate network even when connecting through the internet. Its one big weakness is that it provides no per-packet encryption or authentication: L2TP by itself offers no security and was designed to work alongside IPsec. L2TP defines the establishment of the tunnel and leaves it to IPsec to negotiate the security parameters and carry the encapsulated packets; the combination is usually written L2TP/IPsec.

IPsec is a framework of open standards for secure private communication over IP networks. It provides confidentiality, integrity, and authentication of data across a public IP network. Its key management protocol, IKE, performs a Diffie-Hellman exchange between the peers, authenticates that exchange with digital signatures (or pre-shared keys), and uses X.509 certificates issued by a certificate authority as the peers' digital ID cards. IPsec has two modes of operation, transport and tunnel. In transport mode only the IP payload is protected and the original IP header is left intact; this adds only a few bytes per packet, but lets any device on the public network see the true source and destination. It suits host-to-host traffic, such as a telecommuter reaching a single server. In tunnel mode the entire original IP datagram is protected and becomes the payload of a new IP packet whose source and destination are the two tunnel endpoints, typically the VPN gateways; the company's internal addresses are hidden from the public network, and only the gateway addresses travel in the clear. Tunnel mode is the usual choice for site-to-site connectivity and for remote-access VPNs that terminate on a gateway. IPsec adds a header to each packet, and two are defined: the Authentication Header (AH), which provides integrity and origin authentication but no encryption, and the Encapsulating Security Payload (ESP), which provides encryption and, in current use, integrity as well. They can be used independently or together, but almost all deployments use ESP alone; AH also covers the outer IP header and therefore breaks when the packet passes through NAT.


7e. Evaluate remote access and directory services

  • What are the differences between the two popular remote access protocols RDP and VNC?

Remote Desktop Protocol (RDP) is Microsoft's proprietary remote access protocol, while Virtual Network Computing (VNC) is an open, platform-independent one. Both allow remote access to or control of another computer. VNC shares a machine's console display directly, while RDP typically connects to a shared server that gives each user a session of their own. By default RDP servers listen on TCP port 3389 and VNC servers on TCP port 5900 (5900 plus the display number). The main constraint with RDP is that the server side is native to Windows (clients exist for most platforms, and xrdp brings it to Linux), so for Windows-based environments it is the natural choice; VNC is platform-independent and is usually preferred in mixed environments. From a security standpoint both are routine targets for credential brute-forcing and should never be exposed directly to the internet: reach them through a VPN, enable Network Level Authentication and TLS for RDP, and avoid VNC's legacy password authentication, which caps passwords at eight characters, in favour of tunnelling VNC over SSH or TLS.

To review see VNC and RDP.


7f. Apply fault tolerance techniques to improve network reliability

  • What are two popular methods for improving network reliability by implementing redundancy?

Although it was designed to prevent loops rather than to provide redundancy, the Spanning Tree Protocol (STP) makes redundancy practical: you can wire two parallel (but different) paths to each segment of the network, which on their own would create forwarding loops, and STP blocks the redundant links so the topology stays loop-free. If a switch or link fails, STP recomputes and quickly converges to a new loop-free topology that uses the spare path. Because a switch trusts any BPDU it receives, an attacker on an access port can claim to be the root bridge and pull traffic through itself; BPDU guard and root guard on ports that should never see a bridge are the usual countermeasures.

Virtual Router Redundancy Protocol (VRRP) was designed from scratch to provide router redundancy and increase the reliability of a network. VRRP eliminates the single point of failure inherent in static default-gateway configurations. It specifies an election process in which one router becomes the master for a virtual IP address and the others become backups. A backup monitors the master's availability by listening for its periodic VRRP advertisements; if they stop arriving, the backup with the highest priority assumes ownership of the virtual address. Cisco's proprietary equivalent is the Hot Standby Router Protocol (HSRP), which predates and inspired VRRP; both provide failover only, with no load balancing across the redundant routers. Cisco addressed that with the Gateway Load Balancing Protocol (GLBP), again only in Cisco environments. The multivendor counterpart is the Common Address Redundancy Protocol (CARP), from OpenBSD: its main use is still failover redundancy, with load balancing added. A caveat for all of these: the advertisements go to a well-known multicast address on the local segment and are not meaningfully authenticated (VRRP as currently standardized has no authentication; HSRP offers only a cleartext or MD5 key), so any host on the segment can announce a higher priority, win the election, and become the default gateway in the middle of everyone's traffic. Filter these protocols on access ports and monitor for advertisements from unexpected sources.
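An added example, not from the original guide: a VRRPv2 (RFC 3768) advertisement builder and parser in Python, with a simple detection rule that flags an advertisement capable of winning the election from a router that is not the expected master. The packets and the expected-master policy table are constructed for the demonstration; in practice the parser would be fed the payload of IP protocol 112 packets captured on the segment.

```python
"""VRRPv2 (RFC 3768) advertisement builder/parser and a rogue-master detector.
Added example; packets and the expected-master policy are constructed for the demo.
In practice the parser is fed the payload of IP protocol 112 packets to 224.0.0.18."""
import struct
from ipaddress import IPv4Address


def inet_checksum(data: bytes) -> int:
    """Standard Internet checksum: one's complement of the one's-complement 16-bit sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_vrrp(vrid: int, priority: int, vips, interval: int = 1,
               auth_type: int = 0, auth_data: bytes = b"") -> bytes:
    """ver/type | VRID | priority | count | auth type | interval | checksum | VIPs | 8 bytes auth."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips),
                         auth_type, interval, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + auth_data[:8].ljust(8, b"\x00")
    pkt = bytearray(header + body)
    struct.pack_into("!H", pkt, 6, inet_checksum(bytes(pkt)))   # checksum computed over a zeroed field
    return bytes(pkt)


def parse_vrrp(pkt: bytes) -> dict:
    vt, vrid, prio, count, auth_type, interval, csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if inet_checksum(pkt[:6] + b"\x00\x00" + pkt[8:]) != csum:
        raise ValueError("bad checksum")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "interval": interval,
            "auth_type": auth_type, "vips": vips}


# Assumed policy: which physical router should be master for each VRID, at what priority.
EXPECTED = {1: {"master": "10.0.0.2", "priority": 200, "vips": ["10.0.0.1"]}}


def classify(src_ip: str, pkt: bytes) -> str:
    """The election is won by the highest priority and VRRP carries no authentication,
    so flag anything that could win it from the wrong place."""
    adv = parse_vrrp(pkt)
    policy = EXPECTED.get(adv["vrid"])
    if policy is None:
        return "unknown-vrid"
    if adv["vips"] != policy["vips"]:
        return "vip-mismatch"
    if src_ip != policy["master"] and adv["priority"] >= policy["priority"]:
        return "rogue-master"
    return "ok"


if __name__ == "__main__":
    print(classify("10.0.0.2", build_vrrp(1, 200, ["10.0.0.1"])))   # ok
    print(classify("10.0.0.99", build_vrrp(1, 255, ["10.0.0.1"])))  # rogue-master
```

Priority 255 is reserved for the router that actually owns the virtual address, so an advertisement with it from any other source is the clearest sign of a gateway takeover attempt; a lower-priority advertisement from a known backup is normal during failover and is left alone.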


7g. Describe the basis of cloud computing over the internet

  • What is the difference between the DaaS, SaaS, and FaaS cloud computing platforms?

Cloud computing refers to using resources available in the "cloud" (that is, on someone else's servers) to gain a vast supply of resources without owning them physically. It is of great help to enterprises that want to expand their offerings and services without investing in expensive infrastructure. There are, of course, limitations. You rely on a third party and largely use their systems as-is, with limited or no customization. Because the resources are owned and operated by the provider, you do not control things like their downtime, and security becomes a shared responsibility: the provider secures the physical facilities and the underlying platform, while the customer remains responsible for identities, access control, its data, and the configuration of whatever it deploys on top. Misconfiguration on the customer's side of that line is a common cause of cloud incidents. Despite these limitations, cloud computing is widely used.

Cloud computing works using a service-oriented platform like Desktop as a Service (DaaS), Infrastructure as a Service (IaaS), Software as a Service (SaaS), Function as a Service (FaaS), and more. DaaS is a platform where the cloud provider hosts the back end required for a typical desktop infrastructure; the desktop operating systems run inside virtual machines on servers in the provider's data center. In IaaS, the provider maintains the infrastructure components that would normally sit in the customer's data center: servers, storage, and networking hardware. In SaaS, the software is provided and hosted by the provider and accessed over the Internet from the customer's premises, normally on a subscription basis, so nothing needs to be installed on individual computers. In FaaS, the customer deploys individual functions that the provider runs on demand in response to events (an HTTP request, a file upload, a queue message) without the customer hosting any server; billing is per invocation, and nothing runs, or costs, between invocations, which makes it very cost-effective for intermittent workloads.

To read more about cloud services, see Cloud Computing.


Unit 7 Vocabulary

This vocabulary and acronym list includes terms that might help you with the review items above and some terms you should be familiar with to be successful in completing the final exam for the course.

Try to think of the reason why each term is included.

  • VoIP
  • VOD
  • IP Telephony
  • Codec
  • Ciphertext
  • Symmetric key encryption
  • Asymmetric key encryption
  • Diffie-Hellman
  • VPN
  • PPTP
  • L2TP
  • IPsec
  • Tunnel Mode
  • Transport Mode
  • RDP
  • VNC
  • VRRP
  • HSRP
  • GLBP
  • Public Cloud
  • Private Cloud
  • Hybrid Cloud
  • EaaS
  • SaaS
  • PaaS
  • DaaS
  • IaaS
  • AaaS
  • FaaS
  • MBaaS