Sunday, January 26, 2020

Technology for Network Security

2.0 CHAPTER TWO

2.1 INTRODUCTION

The ever-increasing need for information technology as a result of globalisation has brought about the need for a better network security system. Without a doubt, the rate at which computer networks are expanding to accommodate higher bandwidth, unique storage demands and an increasing number of users cannot be overemphasised. As this demand grows daily, so do the threats associated with it, among them virus attacks, worm attacks, and denial of service or distributed denial of service attacks. This calls for swift security measures to address these threats in order to protect data reliability, integrity, availability and other needed network resources across the network.

Generally, network security can be described as a way of protecting the integrity of a network by making sure that unauthorised access or threats of any form are restricted from accessing valuable information. As network architecture expands, tackling the issue of security becomes more and more complex, keeping network administrators on their toes to guard against attacks that occur on a daily basis. Some of the malicious attacks are virus and worm attacks, denial of service attacks, IP spoofing, password cracking, Domain Name Server (DNS) poisoning etc. To combat these threats, many security elements have been designed, including firewalls, Virtual Private Networks (VPN), encryption and decryption, cryptography, Internet Protocol Security (IPSec), Data Encryption Standard (3DES), Demilitarised Zone (DMZ), Secure Socket Layer (SSL) etc.
This chapter starts by briefly discussing the Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), then discusses the Open Systems Interconnection (OSI) model and the protocols that operate at each layer of the model, network security elements, followed by the background of firewalls, types and features of firewalls and, lastly, network security tools.

2.2 A BRIEF DESCRIPTION OF TCP, IP, UDP AND ICMP

2.2.1 DEFINITION

Following the tremendous success of the World Wide Web (internet), a global communication standard known as the TCP/IP protocol suite was designed with the aim of interconnecting heterogeneous networks (Dunkels 2003; Global Knowledge 2007; Parziale et al 2006). The TCP/IP protocol suite is the core set of rules used for application transfers such as file transfers, e-mail traffic and web page transfers between hosts across heterogeneous networks (Dunkels 2003; Parziale et al 2006). It is therefore necessary for a network administrator to have a good understanding of TCP/IP when configuring firewalls, as most of the policies are set to protect the internal network from possible attacks that use the TCP/IP protocols for communication (Noonan and Dobrawsky 2006). Many incidents of network attacks are the result of improper configuration and poor implementation of TCP/IP protocols, services and applications. TCP/IP makes use of protocols such as TCP, UDP, IP, ICMP etc to define the rules of how communication over the network takes place (Noonan and Dobrawsky 2006). Before these protocols are discussed, this thesis briefly looks into the theoretical Open Systems Interconnection (OSI) model (Simoneau 2006).

2.2.2 THE OSI MODEL

The OSI model is a standardised layered model defined by the International Organization for Standardization (ISO) for network communication. It simplifies network communication into seven separate layers, with each individual layer having its own unique functions that support the immediate layer above it and at the same time offering services to the immediate layer below it (Parziale et al 2006; Simoneau 2006). The seven layers are the Application, Presentation, Session, Transport, Network, Data Link and Physical layers. The first three lower layers (Network, Data Link and Physical) are basically hardware implementations while the last four upper layers (Application, Presentation, Session and Transport) are software implementations.

Application Layer: This is the end-user operating interface that supports file transfer, web browsing, electronic mail etc. This layer allows user interaction with the system.

Presentation Layer: This layer is responsible for formatting the data to be sent across the network, which enables the application to understand the message being sent. In addition, it is responsible for message encryption and decryption for security purposes.

Session Layer: This layer is responsible for dialog and session control functions between systems.

Transport Layer: This layer provides end-to-end communication, which can be reliable or unreliable, between end devices across the network. The two most used protocols in this layer are TCP and UDP.

Network Layer: This layer is also known as the logical layer and is responsible for logical addressing for packet delivery services. The protocol used in this layer is IP.

Data Link Layer: This layer is responsible for framing units of information, error checking and physical addressing.

Physical Layer: This layer defines transmission medium requirements and connectors, and is responsible for the transmission of bits on the physical hardware (Parziale et al 2006; Simoneau 2006).

2.2.3 INTERNET PROTOCOL (IP)

IP is a connectionless protocol designed to deliver data between hosts across the network. IP data delivery is unreliable and therefore depends on an upper layer protocol such as TCP, or on lower layer protocols like IEEE 802.2 and IEEE 802.3, for reliable data delivery between hosts on the network (Noonan and Dobrawsky 2006).

2.2.4 TRANSMISSION CONTROL PROTOCOL (TCP)

TCP is a standard connection-oriented transport mechanism that operates at the transport layer of the OSI model. It is described by Request for Comments (RFC) 793. TCP solves the unreliability problem of the network layer protocol (IP) by making sure packets are reliably and accurately transmitted, errors are recovered, and flow control between hosts across the network is efficiently monitored (Abie 2000; Noonan and Dobrawsky 2006; Simoneau 2006).

The primary objective of TCP is to create a session between hosts on the network, and this is carried out by what is called the TCP three-way handshake. When using TCP for data transmission between hosts, the sending host first sends a synchronise (SYN) segment to the receiving host, which is the first step in the handshake. On receiving the SYN segment, the receiving host replies with an acknowledgement (ACK) and its own SYN segment, and this forms the second part of the handshake. The final step of the handshake is then completed by the sending host responding with its own ACK segment to acknowledge the acceptance of the SYN/ACK. Once this process is completed, the hosts have established a virtual circuit between themselves through which the data will be transferred (Noonan and Dobrawsky 2006).

As good as the TCP three-way handshake is, it also has its shortcomings. The most common one is the SYN flood attack. This form of attack occurs when the destination host, such as a server, is flooded with SYN session requests without receiving any ACK reply from the source host (malicious host) that initiated the SYN sessions.
The result is a DoS attack: the destination host's buffer fills to the point where it can no longer take requests from legitimate hosts and has no choice but to drop such session requests (Noonan and Dobrawsky 2006).

2.2.5 USER DATAGRAM PROTOCOL (UDP)

UDP, unlike TCP, is a standard connectionless transport mechanism that operates at the transport layer of the OSI model. It is described by Request for Comments (RFC) 768 (Noonan and Dobrawsky 2006; Simoneau 2006). When using UDP to transfer packets between hosts, session initiation, retransmission of lost or damaged packets and acknowledgement are omitted; therefore, 100 percent packet delivery is not guaranteed (Sundararajan et al 2006; Postel 1980). UDP is designed with low overhead, as it does not involve initiation of a session between hosts before data transmission starts. This protocol is best suited for small data transmissions (Noonan and Dobrawsky 2006).

2.2.6 INTERNET CONTROL MESSAGE PROTOCOL (ICMP)

ICMP is primarily designed to identify and report routing errors, delivery failures and delays on the network. This protocol can only be used to report errors and cannot be used to correct the identified errors; it depends on routing protocols or reliable protocols like TCP to handle the errors detected (Noonan and Dobrawsky 2006; Dunkels 2003). ICMP makes use of an echo mechanism, the Ping command, which is used to check whether a host is replying to network traffic or not (Noonan and Dobrawsky 2006; Dunkels 2003).

2.3 OTHER NETWORK SECURITY ELEMENTS

2.3.1 VIRTUAL PRIVATE NETWORK (VPN)

VPN is one of the network security elements that make use of the public network infrastructure to securely maintain the confidentiality of information transferred between hosts over the public network (Bou 2007).
VPN provides these security features by making use of encryption and tunnelling techniques to protect such information, and it can be configured to support at least three models: remote-access connection; site-to-site (branch offices to the headquarters); and local area network internetworking (extranet connection of companies with their business partners) (Bou 2007).

2.3.2 VPN TECHNOLOGY

VPN makes use of many standard protocols to implement data authentication (identification of trusted parties) and encryption (scrambling of data) when using the public network to transfer data. These protocols include: Point-to-Point Tunneling Protocol (PPTP) [RFC 2637]; Secure Socket Layer Protocol (SSL) [RFC 2246]; Internet Protocol Security (IPSec) [RFC 2401]; and Layer 2 Tunneling Protocol (L2TP) [RFC 2661].

2.3.2.1 POINT-TO-POINT TUNNELING PROTOCOL [PPTP]

The design of PPTP provides a secure means of transferring data over the public infrastructure, with authentication and encryption support between hosts on the network. This protocol operates at the data link layer of the OSI model and basically relies on user identification (ID) and password authentication for its security. PPTP did not eliminate the Point-to-Point Protocol (PPP), but rather describes a better way of tunnelling PPP traffic by using Generic Routing Encapsulation (GRE) (Bou 2007; Microsoft 1999; Schneier and Mudge 1998).

2.3.2.2 LAYER 2 TUNNELING PROTOCOL [L2TP]

L2TP is a connection-oriented protocol standard defined by RFC 2661, which merged the best features of PPTP and the Layer 2 Forwarding (L2F) protocol to create the new standard (Bou 2007; Townsley et al 1999). Just like PPTP, L2TP operates at layer 2 of the OSI model. Tunnelling in L2TP is achieved through a series of data encapsulations by protocols at different layers, for example UDP, IPSec, IP and the data link layer protocol, but the data encryption for the tunnel is provided by IPSec (Bou 2007; Townsley et al 1999).

2.3.2.3 INTERNET PROTOCOL SECURITY (IPSEC) [RFC 2401]

IPSec is a standard protocol defined by RFC 2401 which is designed to protect the payload of an IP packet and the paths between hosts, between security gateways (routers and firewalls), or between a security gateway and a host over the unprotected network (Bou 2007; Kent and Atkinson 1998). IPSec operates at the network layer of the OSI model. Some of the security services it provides are authentication, connectionless integrity, encryption, access control, data origin, rejection of replayed packets etc (Kent and Atkinson 1998).

2.3.2.4 SECURE SOCKET LAYER (SSL) [RFC 2246]

SSL is a standard protocol defined by RFC 2246 which is designed to provide a secure communication tunnel between hosts by encrypting host communication over the network. It ensures packet confidentiality, integrity and proper host authentication in order to eliminate eavesdropping attacks on the network (Homin et al 2007; Oppliger et al 2008). SSL makes use of security elements such as digital certificates and cryptography to enforce security measures over the network. SSL is a transport layer security protocol that runs on top of TCP/IP, which manages the transport and routing of packets across the network. SSL is also deployed at the application layer of the OSI model to ensure host authentication (Homin et al 2007; Oppliger et al 2008; Dierks and Allen 1999).

2.4 FIREWALL BACKGROUND

The concept of a network firewall is to prevent unauthorised packets from gaining entry into a network by filtering all packets that are coming into that network. The word firewall was not originally computer security vocabulary; it was initially used to describe a wall, of brick or mortar, built to restrain fire from spreading from one part of a building to another, or to slow the spread of the fire in the building, giving some time for remedial action to be taken (Komar et al 2003).

2.4.1 BRIEF HISTORY OF FIREWALL

The firewall as used in computing dates as far back as the late 1980s, but the first set of firewalls came to light sometime in 1985; it was produced by Cisco's Internetwork Operating System (IOS) division and was called the packet filter firewall (Cisco System 2004). In 1988, Jeff Mogul from DEC (Digital Equipment Corporation) published the first paper on firewalls.

Between 1989 and 1990, two workers at AT&T Bell Laboratories, Howard Trickey and Dave Presotto, initiated the second generation of firewall technology with their study of circuit relays, called the circuit level firewall. The two scientists also implemented the first working model of the third generation firewall design, called application layer firewalls. Sadly, there were no published documents explaining their work and no product was released to support it.

Around the same time (1990-1991), different papers on third generation firewalls were published by researchers. Among them, Marcus Ranum's work received the most attention in 1991 and took the form of bastion hosts running proxy services. Ranum's work quickly evolved into the first commercial product, Digital Equipment Corporation's SEAL product (Cisco System 2004).

About the same year, work started on the fourth generation firewall, called dynamic packet filtering, which was not operational until 1994 when Check Point Software rolled out a complete working model of the fourth generation firewall architecture. In 1996, plans began on the fifth generation firewall design, called the Kernel Proxy architecture, which became reality in 1997 when Cisco released the Cisco Centri Firewall, the first proxy firewall produced for commercial use (Cisco System 2004).

Since then, many vendors have designed and implemented various forms of firewall in both hardware and software, and to date research work is ongoing to improve firewall architecture to meet the ever-increasing challenges of network security.

2.5 DEFINITION

According to the British Computer Society (2008), firewalls are defence mechanisms that can be implemented in either hardware or software, and serve to prevent unauthorized access to computers and networks. Similarly, Subrata et al (2006) defined a firewall as a combination of hardware and software used to implement a security policy governing the flow of network traffic between two or more networks.

The concept of a firewall in computer systems security is similar to a firewall built within a building, but the two differ in their functions. While the latter is purposely designed for only one task, which is fire prevention in a building, a computer system firewall is designed to prevent more than one threat (Komar et al 2003). These include denial of service (DoS) attacks, virus attacks, worm attacks, hacking attacks etc.

2.5.1 DENIAL OF SERVICE ATTACKS (DOS)

"Countering DoS attacks on web servers has become a very challenging problem" (Srivatsa et al 2006). This is an attack that is aimed at denying legitimate packets access to network resources. The attacker achieves this by running a program that floods the network, making network resources such as main memory, network bandwidth and hard disk space unavailable for legitimate packets. The SYN attack is a good example of a DoS attack, but it can be prevented by implementing good firewall policies for the secured network. A detailed firewall policy (iptables) is presented in chapter three of this thesis.

2.5.2 VIRUS AND WORM ATTACKS

Virus and worm attacks are a big security problem which can become pandemic in the twinkling of an eye, resulting in possible huge loss of information or system damage (Ford et al 2005; Cisco System 2004).
These two forms of attack can be programs designed to open up systems to allow information theft, or programs that regenerate themselves once they get into the system until they crash it; some can be programmed to generate programs that flood the network, leading to DoS attacks. Therefore, security tools that can proactively detect possible attacks are required to secure the network. One such tool is a firewall with a good security policy configuration (Cisco System 2004).

Generally speaking, any kind of firewall implementation will basically perform the following tasks: manage and control network traffic; authenticate access; act as an intermediary; make internal resources available; and record and report events.

2.5.3 MANAGE AND CONTROL NETWORK TRAFFIC

The first process undertaken by firewalls is to secure a computer network by checking all the traffic coming into and leaving the network. This is achieved by stopping each packet and analysing its source IP address, source port, destination IP address, destination port, IP protocol, packet header information etc in order to decide what action to take on the packet, either to accept or to reject it. This action is called packet filtering and it depends on the firewall configuration.

Likewise, the firewall can make use of the connections between TCP/IP hosts, which establish communication between them for identification and state the way they will communicate with each other, to decide which connections should be permitted or discarded. This is achieved by maintaining a state table used to check the state of all the packets passing through the firewall. This is called stateful inspection (Noonan and Dobrawsky 2006).
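
Packet filtering and stateful inspection as described in 2.5.3, together with the SYN flood from 2.2.4, as an added example that is not part of the original chapter: a toy Python firewall with a first-match rule list, a TCP state table and a cap on half-open connections. The class names, the `max_half_open` parameter and the documentation-range addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags set on this segment, e.g. {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    src_net: str          # source network in CIDR form
    dst_net: str          # destination network in CIDR form
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.dport in (None, p.dport))


class StatefulFirewall:
    """First-match rule list plus a TCP state table (toy model, no timers)."""

    def __init__(self, rules, max_half_open=3):
        self.rules = rules
        self.max_half_open = max_half_open  # hypothetical tuning parameter
        self.state = {}  # (client, cport, server, sport) -> connection state

    def _policy(self, p):
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "drop"  # default deny when no rule matches

    def _half_open(self, server, port):
        # Connections to this service that have not finished the handshake.
        return sum(1 for (_, _, d, dp), st in self.state.items()
                   if (d, dp) == (server, port) and st != "ESTABLISHED")

    def process(self, p):
        """Return (verdict, reason) for one TCP segment."""
        fwd = (p.src, p.sport, p.dst, p.dport)  # key if sender is the client
        rev = (p.dst, p.dport, p.src, p.sport)  # key if sender is the server
        key = fwd if fwd in self.state else rev if rev in self.state else None
        if key is not None:
            st = self.state[key]
            if st == "ESTABLISHED" and "SYN" not in p.flags:
                return ("accept", "established")
            if st == "SYN_SEEN" and key == rev and p.flags == {"SYN", "ACK"}:
                self.state[key] = "SYNACK_SEEN"
                return ("accept", "handshake step 2")
            if st == "SYNACK_SEEN" and key == fwd and p.flags == {"ACK"}:
                self.state[key] = "ESTABLISHED"
                return ("accept", "handshake step 3")
            return ("drop", "invalid for state " + st)
        # No state entry: only a bare SYN may open a new connection.
        if p.flags != {"SYN"}:
            return ("drop", "no matching connection")
        if self._policy(p) != "accept":
            return ("drop", "policy")
        if self._half_open(p.dst, p.dport) >= self.max_half_open:
            return ("drop", "half-open limit")
        self.state[fwd] = "SYN_SEEN"
        return ("accept", "handshake step 1")


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


def demo():
    """Replay constructed traffic (RFC 5737 documentation addresses)."""
    server, client = "192.0.2.10", "198.51.100.7"
    fw = StatefulFirewall([Rule("accept", "0.0.0.0/0", server + "/32", 80)])
    out = {}
    out["handshake"] = [
        fw.process(pkt(client, 40000, server, 80, "SYN")),
        fw.process(pkt(server, 80, client, 40000, "SYN", "ACK")),
        fw.process(pkt(client, 40000, server, 80, "ACK")),
    ]
    out["unsolicited_ack"] = fw.process(pkt("203.0.113.5", 5555, server, 80, "ACK"))
    out["telnet_syn"] = fw.process(pkt(client, 40001, server, 23, "SYN"))
    # Six SYNs from different sources that never complete the handshake.
    out["flood"] = [
        fw.process(pkt("203.0.113.%d" % i, 1024 + i, server, 80, "SYN"))[0]
        for i in range(1, 7)]
    # The connection established earlier keeps working during the flood.
    out["data"] = fw.process(pkt(client, 40000, server, 80, "ACK", "PSH"))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Production firewalls also age out half-open entries with timers, which this model leaves out.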

2.5.4 AUTHENTICATE ACCESS

When a firewall inspects and analyses a packet's source IP address, source port, destination IP address, destination port, IP protocol, packet header information etc, and filters it based on the security procedure defined, this does not guarantee that the communication between the source host and destination host is authorised, because hackers can manage to spoof the IP address and port, which defeats inspection and analysis based on IP and port screening. To tackle this pitfall, an authentication rule is implemented in the firewall using a number of means, such as username and password (xauth), certificates and public keys, and pre-shared keys (PSKs).

With the xauth authentication method, the firewall asks the source host that is trying to initiate a connection with a host on the protected network for its username and password before it allows the connection between the protected network and the source host to be established. Once the connection has been confirmed and authorised by the security procedure defined, the source host need not authenticate itself again to make a connection (Noonan and Dobrawsky 2006).

The second method uses certificates and public keys. The advantage of this method over xauth is that verification can take place without source host intervention, that is, without the host having to supply its username and password for authentication. Implementing certificates and public keys requires properly configuring the hosts (protected network and source host) and the firewall with certificates, and making sure that the protected network and the source host use a public key infrastructure that is properly configured. This security method is best for big network designs (Noonan and Dobrawsky 2006).

Another good way of dealing with authentication issues with firewalls is by using pre-shared keys (PSKs).
PSKs are easier to implement than certificates and public keys. Authentication still occurs without source host intervention, but it makes use of an additional feature: the host is provided with a predetermined key that is used for the verification procedure (Noonan and Dobrawsky 2006).

2.5.5 ACT AS AN INTERMEDIARY

When firewalls are configured to serve as an intermediary between a protected host and an external host, they simply function as an application proxy. The firewalls in this setup are configured to impersonate the protected host, such that all packets destined for the protected host from the external host are delivered to the firewall, which appears to the external host as the protected host. Once the firewalls receive the packets, they inspect each packet to determine whether it is valid (e.g. a genuine HTTP packet) before forwarding it to the protected host. This firewall design totally blocks direct communication between the hosts.

2.5.6 RECORD AND REPORT EVENTS

While it is good practice to put strong security policies in place to secure the network, it is equally important to record firewall events. Using firewalls to record and report events is a technique that can help to investigate what kind of attack took place in situations where firewalls are unable to stop malicious packets that violate the access control policy of the protected network. Recording these events gives the network administrator a clear understanding of the attack and, at the same time, allows the recorded events to be used to troubleshoot the problem that has taken place. To record these events, network administrators make use of different methods, but syslog or a proprietary logging format is mostly used for firewalls. However, some malicious events need to be reported quickly so that immediate action can be taken before serious damage is done to the protected network.
Therefore, firewalls also need an alarm mechanism, in addition to syslog or the proprietary logging format, for whenever the access control policy of the protected network is violated. Some types of alarm supported by firewalls include console notification, Simple Network Management Protocol (SNMP) notification, paging notification, e-mail notification etc (Noonan and Dobrawsky 2006).

Console notification is a warning message that is presented on the firewall console. The problem with this method of alarm is that the console needs to be monitored by the network administrator at all times so that the necessary action can be taken when an alarm is generated.

Simple Network Management Protocol (SNMP) notification is implemented to create traps which are transferred to the network management system (NMS) monitoring the firewall.

Paging notification is set up on the firewall to deliver a page to the network administrator whenever the firewall encounters any event. The message can be alphanumeric or numeric depending on how the firewall is set up.

E-mail notification is similar to paging notification, but in this case the firewall sends an e-mail to the proper address instead.

2.6 TYPES OF FIREWALLS

Going by the firewall definition, firewalls are expected to perform some key functions such as application proxy, Network Address Translation and packet filtering.

2.6.1 APPLICATION PROXY

This is also known as an application gateway, and it acts as a connection agent between the protected network and the external network. Basically, the application proxy is a host on the protected network that is set up as a proxy server. Just as the name implies, the application proxy functions at the application layer of the Open Systems Interconnection (OSI) model and makes sure that all application requests from the secured network are communicated to the external network through the proxy server, and that no packets pass from the external network to the secured network until the proxy checks and confirms the inbound packets.
This firewall supports different types of protocols such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP) and Simple Mail Transport Protocol (SMTP) (Noonan and Dobrawsky 2006; NetContinuum 2006).

2.6.2 NETWORK ADDRESS TRANSLATION (NAT)

NAT alters the IP addresses of hosts' packets by hiding the genuine IP addresses of secured network hosts and dynamically replacing them with different IP addresses (Cisco System 2008; Walberg 2007). When request packets are sent from the secured host through the gateway to an external host, the source host address is modified to a different IP address by NAT. When the reply packets arrive at the gateway, NAT replaces the modified address with the genuine host address before forwarding them to the host (Walberg 2007). The role played by NAT in a secured network system makes it difficult for unauthorized parties to learn the number of hosts available in the protected network, the topology of the network, the operating systems the hosts are running, and the type of host machines (Cisco System 2008).

2.6.3 PACKET FILTERING

"Firewalls and IPSec gateways have become major components in the current high speed Internet infrastructure to filter out undesired traffic and protect the integrity and confidentiality of critical traffic" (Hamed and Al-Shaer 2006). Packet filtering is based on the laid-down security rules defined for a network or system. Filtering traffic over the network is a big task that involves a comprehensive understanding of the network on which it will be set up. The defined policy must always be kept updated in order to handle possible network attacks (Hamed and Al-Shaer 2006).

2.6.4 INTRUSION DETECTION SYSTEMS

Network penetration attacks are now on the increase, as valuable information is being stolen or damaged by attackers. Many security products have been developed to combat these attacks. Two such products are Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS).
IDS are software designed purposely to monitor and analyse all the activities (network traffic) on the network for any suspicious threats that may violate the defined network security policies (Scarfone and Mell 2007; Vignam et al 2003). There are a variety of methods IDS use to detect threats on the network; two of them are anomaly based IDS and signature based IDS.

2.6.4.1 ANOMALY BASED IDS

An anomaly based IDS is set up to monitor and compare network events against what is defined to be normal network activity, which is represented by a profile, in order to detect any deviation from the defined normal events. The comparison covers, for example, the bandwidth used and the type of protocols. Once the IDS identifies a deviation in any of these events, it notifies the network administrator, who then takes the necessary action to stop the intended attack (Scarfone and Mell 2007).

2.6.4.2 SIGNATURE BASED IDS

Signature based IDS are designed to monitor and compare packets on the network against a signature database of known malicious attacks or threats. This type of IDS is efficient at identifying already known threats but ineffective at identifying new threats which are not currently defined in the signature database, therefore giving way to network attacks (Scarfone and Mell 2007).

2.6.5 INTRUSION PREVENTION SYSTEMS (IPS)

IPS are proactive security products, which can be software or hardware, used to identify malicious packets and also to prevent such packets from gaining entry into the network (Ierace et al 2005; Botwicz et al 2006). An IPS is another form of firewall which is basically designed to detect irregularity in regular network traffic and likewise to stop possible network attacks such as denial of service attacks. IPS are capable of dropping malicious packets and disconnecting any connection suspected to be illegal before such traffic gets to the protected host.
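
The two IDS detection methods described in 2.6.4.1 and 2.6.4.2, run side by side over the same traffic, as an added example that is not part of the original chapter. The signature patterns, baseline figures, event names and the three-standard-deviation threshold are all constructed for illustration.

```python
from statistics import mean, stdev

# Constructed signature database: name -> byte pattern. The patterns are
# placeholders invented for this example, not markers of real malware.
SIGNATURES = {
    "example-worm-a": b"WORM-A-MARKER",
    "example-backdoor-b": b"BACKDOOR-B-HELLO",
}

# Constructed baseline of normal per-minute traffic summaries (the "profile").
BASELINE = [{"proto": p, "kbps": k} for p, k in [
    ("tcp", 100), ("tcp", 120), ("udp", 110), ("tcp", 90),
    ("tcp", 105), ("udp", 115), ("tcp", 95), ("tcp", 108)]]

# Constructed events to classify. "malicious" is ground truth used only for
# scoring the detectors; neither detector reads it.
FIELDS = ("name", "proto", "kbps", "payload", "malicious")
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("web-request", "tcp", 112, b"GET /index.html HTTP/1.1", False),
    ("known-worm", "tcp", 101, b"..WORM-A-MARKER..", True),
    ("novel-flood", "icmp", 900, b"\x00" * 16, True),
    ("nightly-backup", "tcp", 800, b"BACKUP-CHUNK-0001", False),
]]


def signature_alerts(event):
    """Signature based detection: match the payload against known patterns."""
    return sorted(name for name, pattern in SIGNATURES.items()
                  if pattern in event["payload"])


class AnomalyProfile:
    """Anomaly based detection: compare events with a profile of normal
    protocols and bandwidth, alerting on deviation."""

    def __init__(self, baseline, k=3.0):
        rates = [e["kbps"] for e in baseline]
        self.mu, self.sigma, self.k = mean(rates), stdev(rates), k
        self.protocols = {e["proto"] for e in baseline}

    def alerts(self, event):
        found = []
        if event["proto"] not in self.protocols:
            found.append("protocol not in profile: " + event["proto"])
        if abs(event["kbps"] - self.mu) > self.k * self.sigma:
            found.append("bandwidth outside profile")
        return found


def evaluate(events=EVENTS, baseline=BASELINE):
    """Score both detectors: what each one catches, misses or wrongly flags."""
    profile = AnomalyProfile(baseline)
    score = {det: {"detected": [], "false_negative": [], "false_positive": []}
             for det in ("signature", "anomaly")}
    for e in events:
        verdicts = (("signature", bool(signature_alerts(e))),
                    ("anomaly", bool(profile.alerts(e))))
        for det, alerted in verdicts:
            if alerted and e["malicious"]:
                score[det]["detected"].append(e["name"])
            elif alerted:
                score[det]["false_positive"].append(e["name"])
            elif e["malicious"]:
                score[det]["false_negative"].append(e["name"])
    return score


if __name__ == "__main__":
    for detector, result in evaluate().items():
        print(detector, result)
```

The signature detector misses the event whose pattern is not in its database, while the anomaly detector misses the known threat that stays inside the normal profile and flags a benign backup; running both covers each other's blind spot on this data.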

Just like a typical firewall, an IPS makes use of rules defined in the system setup to determine the action to take on any traffic, which could be to allow or block the traffic. IPS make use of stateful packet analysis to protect the network. Similarly, IPS are capable of performing signature matching, application protocol validation etc as a means of detecting attacks on the network (Ierace et al 2005).

As good as IPS are, they also have their downsides. One of them is the problem of false positives and false negatives. A false positive is a situation where legitimate traffic is identified as malicious, resulting in the IPS blocking such traffic on the network. A false negative, on the other hand, is when malicious traffic is identified by the IPS as legitimate traffic, thereby allowing such traffic to pass through the IPS to the protected network (Ierace et al 2005).

2.7 SOFTWARE AND HARDWARE FIREWALLS

2.7.1 SOFTWARE FIREWALLS

Software-based firewalls are software installed on computers for filtering packets (Permpootanalarp and Rujimethabhas 2001). These are programs set up on the operating system of either personal computers or network servers (web servers and e-mail servers). Once the software is installed and proper security policies are defined, the systems (personal computers or servers) assume the role of a firewall. Software firewalls are the second line of defence after hardware firewalls in situations where both are used for network security. Software firewalls can be installed on different operating systems such as Windows operating systems, Mac operating system, Novell NetWare, Linux kernel, UNIX kernel etc. The function of these firewalls is filtering distorted network traffic. There are several software firewalls, some of which include Online Armor firewall, McAfee Personal Firewall, Zone Alarm, Norton Personal Firewall, Black Ice Defender, Sygate Personal Firewall, Panda Firewall, the DoorStop X Firewall etc (Lugo and Parker 2005).
When designing a software firewall, two key things are considered: per-packet filtering and per-process filtering. The per-packet filter is designed to search for distorted packets, detect port scans and check whether packets are accepted into the protocol stack. In the same vein, the per-process filter is designed to check whether a process is allowed to begin a connection to the secured network or not (Lugo and Parker 2005). It should be noted that there are different implementations of all firewalls. While some are built into the operating system, others are add-ons. Examples of built-in firewalls are the Windows-based firewall and the Linux-based firewall.

2.7.2 WINDOWS OPERATING SYSTEM BASED FIREWALL

In operating system design, security features are one important aspect that is greatly considered. This is a challenge that the software giant (Microsoft) has always made sure to address in its products. In the software industry, Mi
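
The per-packet checks described in 2.7.1 (distorted packets and port-scan detection) and the false positives and false negatives described for IPS can be observed in the same filter. The Python below is an added example, not code from the thesis or from any firewall product; the traffic records, the set of invalid TCP flag combinations, the 5-second window and the 4-port threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 5.0       # assumed look-back window for scan detection (seconds)
PORT_THRESHOLD = 4   # assumed: this many distinct ports inside the window = scan

# Constructed traffic (not from the thesis). Columns:
# time  source  dest-port  TCP-flags  truth   ("-" would mean no flags set)
# 198.51.100.7 = web client, 203.0.113.9 = fast scan, 203.0.113.50 = SYN+FIN probe,
# 192.0.2.20 = benign uptime monitor touching many ports, 203.0.113.77 = slow scan.
SAMPLE = """\
0.0   198.51.100.7  80   S   benign
0.1   198.51.100.7  80   A   benign
1.0   203.0.113.9   21   S   malicious
1.1   203.0.113.9   22   S   malicious
1.2   203.0.113.9   23   S   malicious
1.3   203.0.113.9   25   S   malicious
1.4   203.0.113.9   80   S   malicious
2.0   203.0.113.50  443  SF  malicious
3.0   192.0.2.20    22   S   benign
3.1   192.0.2.20    25   S   benign
3.2   192.0.2.20    80   S   benign
3.3   192.0.2.20    443  S   benign
10.0  203.0.113.77  22   S   malicious
40.0  203.0.113.77  23   S   malicious
70.0  203.0.113.77  25   S   malicious
100.0 203.0.113.77  80   S   malicious
"""


def is_distorted(flags: str, dport: int) -> bool:
    """True for packets no conforming TCP stack would send."""
    f = set(flags)
    if not f:                                   # NULL packet: no flags at all
        return True
    if "S" in f and ("F" in f or "R" in f):     # SYN+FIN or SYN+RST
        return True
    if {"F", "P", "U"} <= f and "A" not in f:   # "Xmas" combination
        return True
    return not (0 < dport < 65536)              # port 0 or out of range


class PerPacketFilter:
    def __init__(self, window=WINDOW_S, threshold=PORT_THRESHOLD):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # source -> (time, port) of bare SYNs
        self.blocked = set()               # sources already flagged as scanners

    def decide(self, t, src, dport, flags):
        """Return (action, reason) for one packet."""
        if src in self.blocked:
            return "block", "source already flagged"
        if is_distorted(flags, dport):
            return "block", "distorted packet"   # drop the packet only
        if flags == "S":                         # bare SYN = new connection attempt
            q = self.recent[src]
            q.append((t, dport))
            while q and q[0][0] < t - self.window:
                q.popleft()                      # forget SYNs outside the window
            if len({port for _, port in q}) >= self.threshold:
                self.blocked.add(src)
                return "block", "port scan"
        return "allow", "ok"


def run(sample=SAMPLE, **settings):
    """Feed the sample through a fresh filter; one verdict tuple per packet."""
    fw, verdicts = PerPacketFilter(**settings), []
    for line in sample.strip().splitlines():
        t, src, dport, flags, truth = line.split()
        flags = "" if flags == "-" else flags
        action, reason = fw.decide(float(t), src, int(dport), flags)
        verdicts.append((src, action, reason, truth))
    return verdicts


def score(verdicts):
    """Per source: it counts as blocked if any of its packets was blocked."""
    blocked, truth = defaultdict(bool), {}
    for src, action, _, label in verdicts:
        blocked[src] |= action == "block"
        truth[src] = label
    return {
        "false_positives": sorted(s for s in truth if blocked[s] and truth[s] == "benign"),
        "false_negatives": sorted(s for s in truth if not blocked[s] and truth[s] == "malicious"),
    }


if __name__ == "__main__":
    for row in run():
        print(*row)
    print("default      :", score(run()))
    print("threshold=5  :", score(run(threshold=5)))
    print("window=120 s :", score(run(window=120.0)))
```

Raising the threshold to 5 clears the false positive on the monitoring host but still misses the slow scan; widening the window to 120 seconds catches the slow scan but keeps blocking the monitoring host.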

Saturday, January 18, 2020

Liberal Arts Essay

An education conducted in a spirit of free inquiry undertaken without concern for topical relevance or vocational utility. This kind of learning is not only one of the enrichments of existence; it is one of the achievements of civilization. It heightens students’ awareness of the human and natural worlds they inhabit. It makes them more reflective about their beliefs and choices, more self-conscious and criticising, speaking, critical and logical thinking. Law schools report that by the yardsticks of law review and grades, their top students come from math, classics, and literature, with political science, economics, “pre-law” and “legal studies” ranking lower. In today’s fast evolving world, leaders across the spectrum of vocations and professions need a broad imaginative and critical capacity, not a prematurely narrow point of view. In terms of the actual world, a solid liberal arts and sciences education will generally prove the most practical preparation for many demanding, high-level careers, or for the several careers that an increasing number of adults will eventually pursue. No particular concentration or area of study is inherently a better ticket to security, leadership, or personal satisfaction than another. Students should be encouraged to follow their passions and interests, not what they guess (or what others tell them) will lead to a supposedly more marketable set of skills. Of course, higher education has a utilitarian function. In that regard, as Robert Bellah states, it possesses “its own legitimacy.” Yet, it is crucial to combine and integrate that function with other aims and ends, with what Bellah calls “education for the development of character, citizenship, and culture.” A healthy system of higher education offers many rewards: scientific discoveries, eventual and even unforeseen applications, thoughtful political leadership, intelligent public discourse, cultural vitality, and an educated workforce.
Higher learning serves several goals in coordination, goals that are mutually reinforcing. The aims are at once personal and social, private and public, economic, ethical, and intellectual. Harvard College exists to serve all these goals and offers a broad array of concentrations and courses for the purpose of educating the whole individual. Why? Because that kind of education, and not one aimed at certain occupational targets, is, in the long run, the best preparation for advanced achievement.
The very broad, capacious form of education that we call the liberal arts is rooted in a specific curriculum in classical and medieval times. But it would be wrong to assume that because it has such ancient roots, this kind of education is outdated, stale, fusty, or irrelevant. In fact, quite the contrary. A liberal-arts education, which Louis Menand defined in The Marketplace of Ideas as “a background mentality, a way of thinking, a kind of intellectual DNA that informs work in every specialized area of inquiry,” lends itself particularly well to contemporary high-tech methods of imparting knowledge. We all wrestle with the challenges of educating students who are used to multitasking, doing their homework while listening to music and texting on their iPhones. For such students, the Web-based facilities of exciting liberal-arts courses are particularly salient. What would Aristotle or Erasmus or Robert Maynard Hutchins not have given for a technique that allows one to tour the world’s greatest museums, looking closely at the details of countless masterpieces; explore the ruins of ancient castles and pyramids and forums; join archaeological digs at your desk, turning objects around to see all sides of them; visualize problems in geometry or astronomy or mathematics in several dimensions and work out their solutions.
An excellent example of the power of multimedia coupled with the liberal arts is “Imaginary Journeys,” a general-education course sometimes taught at Harvard University by Stephen Greenblatt. The course is described as being “about global mobility, encounter, and exchange at the time that Harvard College was founded in 1636. Using the interactive resources of computer technology, we follow imaginary voyages of three ships that leave England in 1633. Sites include London’s Globe Theatre, Benin, Barbados, Brazil, Mexico.” With this kind of course in mind, it seems that the liberal arts could almost have been designed for sophisticated online learning, so far from being stale or fusty are these ways of knowing.
This kind of education has become more and more appealing to students and teachers at universities around the world. Donald Markwell, the warden of Oxford’s Rhodes House, recently gave a series of lectures in Canada entitled “The Need for Breadth.” He referred to a “surge of interest” in liberal education in “many other countries.” He cites a major address in London by Yale’s Richard Levin in which Levin noted that “Asian leaders are increasingly attracted to the American model of undergraduate curriculum,” specifically because of the two years of breadth and depth in different disciplines provided before a student chooses an area of concentration or embarks on professional training. Levin described liberal-arts honors programs at Peking University, South Korea’s Yonsei University, and the National University of Singapore; he also referred to liberal-arts curricula at Fudan University, Nanjing University, and the University of Hong Kong. Yet, as we know, the trends in the United States are in the opposite direction, and this is not just a recent problem.
Menand cites evidence that in the United States, “the proportion of undergraduate degrees awarded annually in the liberal arts and sciences has been declining for a hundred years, apart from a brief rise between 1955 and 1970, which was a period of rapidly increasing enrollments and national economic growth.” Thus, paradoxically, as a liberal-arts education becomes more appealing to leaders and families in Asia and elsewhere in the world, it is losing ground in our own country. At least three factors are at work in this decline: a) the creation of increasingly specialized disciplines, and the rewards for faculty members for advancing knowledge in those areas; b) the economic premium that is thought to reside in a highly technical form of preparation for careers; and c) a growing focus on graduate education from the early 20th century to the present day. These developments have clearly not been beneficial for American undergraduate education.
“Liberal education in crisis” is a tiresomely familiar theme, and countless commissions, reports, and study groups have attempted to address it. I am under no illusions that I have the magic key to resolve a problem that has stumped so many brilliant educators. But these are not just theoretical quandaries, they are the issues we confront almost every day: How do we defend liberal education against the skeptics—parents, potential students, the media, the marketplace, even some trustees and students? The first, most practical defense is that the liberal arts (and sciences) are the best possible preparation for success in the learned professions—law, medicine, teaching—as well as in the less traditionally learned but increasingly arcane professions of business, finance, and high-tech innovation.
So my first defense of liberal learning is what you are taught and the way you learn it: the materials a doctor or financial analyst or physicist or humanist needs to know, but taught in a liberally construed fashion, so that you look at the subject from many different dimensions and incorporate the material into your own thinking in ways that will be much more likely to stay with you, and help you later on. This way of learning has several distinct advantages: It’s insurance against obsolescence; in any rapidly changing field (and every field is changing rapidly these days), if you only focus on learning specific materials that are pertinent in 2012, rather than learning about them in a broader context, you will soon find that your training will have become valueless. Most important, with a liberal education you will have learned how to learn, so that you will be able to do research to answer questions in your field that will come up years from now, questions that nobody could even have envisioned in 2012, much less taught you how to answer.
The second, slightly less utilitarian defence of a liberal-arts education is that it hones the mind, teaching focus, critical thinking, and the ability to express oneself clearly both in writing and speaking—skills that are of great value no matter what profession you may choose. It’s not just that you are taught specific materials in a liberally designed context, but more generally, the way your mind is shaped, the habits of thought that you develop. These skills were well described by a former dean of the Harvard Law School, Erwin Griswold, cited in a recent speech by the current dean, Martha Minow.
Griswold was discussing an ideal vision of the law school, but his arguments fit a liberal education wherever it is provided: “You go to a great school not so much for knowledge as for arts or habits; for the art of expression, for the art of entering quickly into another person’s thoughts, for the art of assuming at a moment’s notice a new intellectual position, for the habit of submitting to censure and refutation, for the art of indicating assent or dissent in graduated terms, for the habit of regarding minute points of accuracy, for the art of working out what is possible in a given time; for taste, for discrimination, for mental courage, and mental soberness.”
My third argument is that a liberal-arts education is the best education for citizenship in a democracy like ours. In her book, Not for Profit, Martha Nussbaum points out that from the early years of our republic educators and leaders have “connected the liberal arts to the preparation of informed, independent, and sympathetic … citizens.” Nussbaum argues that democracies need “complete citizens who can think for themselves, criticize tradition, and understand the significance of another person’s sufferings and achievements.” Among the skills a liberal-arts education fosters, she notes, are the ability “to think about the good of the nation as a whole, not just that of one’s local group,” and “to see one’s own nation, in turn, as part of a complicated world order.” At a time when democracy is struggling to be born in countries around the world, and countries that have long enjoyed democracy are struggling to sustain it against pressures of multiple varieties, this may be the best of all the arguments for a liberal-arts education.
My fourth argument I borrow from Michel de Montaigne, who thought of his own mind as a kind of tower library to which he could retreat even when he was far from home, filled with quotations from wise people and experimental thoughts and jokes and anecdotes, where he could keep company with himself. In his essay “Of Solitude,” he suggested that we all have such back rooms in our minds. The most valuable and attractive people we know are those who have rich and fascinating intellectual furniture in those spaces rather than a void between their ears. Virginia Woolf used a different spatial image to make a similar point in her book Three Guineas, when she talked about the importance of cultivating taste and the knowledge of the arts and literature and music. She argues that people who are so caught up in their professions or business that they never have time to listen to music or look at pictures lose the sense of sight, the sense of sound, the sense of proportion. And she concludes: “What then remains of a human being who has lost sight, and sound, and a sense of proportion? Only a cripple in a cave.” So my fourth argument for a liberal-arts education is that it allows you to furnish the back room of your mind, preparing you for both society and solitude.
My final argument is that the liberal arts admit you to a community of scholars, both professional and amateur, spanning the ages. Here I would quote one of my predecessors at Wellesley, Alice Freeman (later Alice Freeman Palmer). When she presided over Wellesley in the last part of the 19th century, it was quite unusual for girls to go to college (as indeed it still is today in some parts of the world).
In a speech she gave to answer the repeated question she got from girls and their families, “Why Go to College?” she said: “We go to college to know, assured that knowledge is sweet and powerful, that a good education emancipates the mind and makes us citizens of the world.” The sweet and powerful knowledge imparted by a liberal-arts education is specifically designed to fulfill this promise.
But how can college presidents today best go about making the case for the liberal arts? First and most obvious, they should use the bully pulpit of the college presidency deliberately and effectively—at convocations, commencements, groundbreakings for new buildings, in speeches to the local Rotary Club or the state 4-H club convention, and addresses to alumni clubs. This is a truly precious opportunity that few other leaders have, to address the community in situations where there is likely to be respectful attention to their message, at least for a while! They should use the opportunity with zest! The second way is by using their fund-raising skills and obligations to raise money for exciting programs like Greenblatt’s “Imaginary Journeys.” They can make this case effectively to foundations and generous alumni who remember their own liberal-arts education fondly, and thus enhance the resources available for this purpose. Presidents can demonstrate their support of the liberal arts in how they honor faculty members. With the teaching awards and other distinctions their colleges offer, they should single out for praise and support those who have been most effective in advancing the liberal-arts mission. And then they can ensure that these awards and recognitions are appropriately highlighted in college publications and in messages to parents and prospective students.
And perhaps the most effective way presidents can use their leadership to offer support is to speak from a liberal-arts perspective in their own discourse, both formal and informal, by citing examples of fine literature, drawing on instances from history, referring to the arts, and describing learning in the sciences in liberal terms. Rhetoric was one of the original artes liberales, and it can still be one of the most transformative. Taking my own advice about larding language with liberal learning, I will conclude with a poem by Imam Al-Shafi’i, which I discovered in a brochure on a recent visit to the Georgetown University School of Foreign Service, in Doha, Qatar:
According to the measure of hardship are heights achieved,
And he who seeks loftiness must keep vigil by night;
As for he who wants heights without toil,
He wastes his life seeking the impossible—
So seek nobility now, then sleep once more (finally),
He who seeks pearls must dive into the sea.
As this poem reminds us, a liberal-arts education is not always easy; it involves paying close attention, taking risks, exploring uncharted territory, diving into the sea. But despite these challenges, the deep rewards of a liberal education are surely worth our best efforts on its behalf.

Friday, January 10, 2020

Here's What I Know About Cae Essay Writing Samples

The Lost Secret of Cae Essay Writing Samples
Make a decision as to what information to put in each individual paragraph. Our rates are reasonable, and it enables you to have your paper revised at no cost. Today, there are several on-line websites that provide sample papers. Please be aware that these reviews do not stick to the required CAE Review format; they are supposed to offer you a few ideas and vocabulary examples.
The 5-Minute Rule for Cae Essay Writing Samples
Also bear in mind this kind of essay requires you to write from your own perspective, so utilize suitable words to express your own mindset. The introduction, generally, outlines the principal concept, sets the tone for a great many work, and introduces the reach of problems under consideration. In some instances, a topic might already be given.
The Chronicles of Cae Essay Writing Samples
Avoid giving your opinion within this paragraph; you will do it in these passages. The principal part and conclusion are the two most necessary elements of the essay that show your comprehension of the topic. A huge conclusion section is a huge minus, which says that you cannot summarize your thoughts concisely. Separate words are excessively narrow and specific, and the major idea or topic is quite hard to convey. You might, if you want, use the opinions expressed in the discussion, but you ought to use your own words so far as possible. You should start your work with the analysis of the topic; on the grounds of the analysis of the subject of the essay, you pick the material, the key facts, and the vital points of your paper. As you're going to be writing about two points it is normal to dedicate 1 paragraph to every point. It's especially useful once you have exhausted the topic and so you've got nothing else to add to the text.
The Cae Essay Writing Samples Chronicles
Learn all the suggestions you need to understand to be able to ace TOEFL Writing!
It may also be beneficial to review other TOEFL writing samples to receive a better idea about what a terrific TOEFL essay appears like. Whichever you use, you ought to be consistent and stick to a single register throughout the entire essay. Short essays, as the name implies, ought to be concise and succinct. As soon as you've determined the point of your essay, you'll know what information has to be included and the way that it has to be presented. Writing is a rather strong tool. If you're worried that you won't have the ability to locate an affordable essay writing service capable of dealing with your academic papers, we're here to prove you wrong. As a writer, you compose an essay for a particular purpose. Of all the kinds of essay, writing a brief essay may appear to be the easiest.
Who Else Wants to Learn About Cae Essay Writing Samples?
Essay writing may be a fundamental part of studying, and every university pupil knows it is crucial to be aware of the differences between several kinds of writing in order to learn how to compose excellent papers. Personal narrative essays are about personal experience that's presented in the very first person. To boost knowledge in a certain study discipline, a dissertation is regarded as an effective way. This example demonstrates that even for an engineer with years of experience in the area, the essentials of private essay writing remain the exact same. When you surf our site for recommendations that may help you write your own essay, you will come across many helpful tips. A review is just one of the options in the 2nd job of the writing exam. The top-rated reviews are on top of the principal page. Click to find the complete collection of reviews such as this one. To improve writing skills it's critical to read a whole lot, generally. Students may go through these samples before availing help from us so they can find a notion about the standard of the solutions we provide.
Her multiple volunteer activities like helping at the neighborhood soup kitchen. It isn't as demanding as other varieties of academic papers, but nevertheless, it can provide you an overall insight on writing, providing you with the fundamental skills of information gathering, creating an outline, and editing. An individual has to bear in mind a specific regularity in the usage of verbal forms. Nobody is going to assist you, and you also may help nobody. To start, it is necessary to inspect the vitamin content of produce and its effect physically.

Wednesday, January 1, 2020

International Business Cultural Diversity - Free Essay Example

Sample details: Pages: 7; Words: 2152; Downloads: 8; Date added: 2017/06/26; Category: Business; Essay type: Analytical essay
Executive Summary
The current obsession with fairness or skin-bleaching products is overwhelming in India, bringing in more than USD 400 million in revenue, which is greater than Coca-Cola and tea in India. The great demand is the result of heavy advertising and a cultural norm where it is believed that the fair-skinned succeed in life. Unilever India has exploited this cultural norm to market their fairness product Fair & Lovely, which is an immense success. The “Dark is beautiful” campaign headed by the famous actor-director Nandita Das is fighting against this obsession with fair skin in India. The video launched by the campaign, ‘1.2 billion shades of beautiful’, promotes the ideology that each individual is beautiful in their unique way. In order to analyze the marketing procedure to verify if it is ethical and socially responsible, three principles have to be applied.
Table of Contents: Statement of Originality of Submitted Work; Acknowledgement; Executive Summary; Introduction; Colorism; India’s obsession with fair skin; Conclusion; References
Introduction
India, officially known as the Republic of India, is the seventh largest country by area and the second largest by population, which is currently 1.2 billion. Home to the Indus valley civilization and a region of historic trade routes and vast empires, the Indian sub-continent was identified with its commercial and cultural wealth for much of its long history. India is one of the most religiously diverse nations in the world, with some of the most deeply religious societies and cultures.
Religion still plays a central and definitive role in the life of many of its people. India is the birthplace of Hinduism, Buddhism, Jainism and Sikhism, collectively known as Indian religions. Indian religions, also known as Dharmic religions, are a major form of world religions along with the Abrahamic ones. Today, Hinduism and Buddhism are the world’s third and fourth-largest religions respectively, with over 2 billion followers altogether. The traditional Indian culture is defined by a relatively strict social hierarchy. From an early age, children are reminded of their roles and places in society. This is reinforced by the way many believe gods and spirits have an integral and functional role in determining their life. Several differences such as religion and occupation divide the culture.
With India being the second most populated country, it is an extremely large market for local and global marketers. Since India adopted the open economic policy, the market has been elongated with various foreign products. Since this had a great impact on local industry, the government introduced the “Be Indian, Buy Indian” concept, which has helped local industry to survive up to date. Modern India is as high-tech as many other countries, but the manufacture is mostly Indian. Although India has a highly developed society, the average Indian faces discrimination every day. The main forms of discrimination are colorism and gender-based discrimination. Women have been greatly threatened by gender discrimination for many centuries in India. From birth a female child is discriminated against. At present in urban and city areas, gender discrimination has reduced and in some areas it has disappeared altogether. But colorism is still a major discriminatory factor for both males and females alike.
Colorism
Colorism, a term devised by Alice Walker in 1982, is not a synonym of racism. “Race” depends on multiple factors: therefore, racial categorization does not solely rely on skin color. Skin color is only one mechanism used to assign individuals to a racial category, but race is a set of beliefs and assumptions assigned to that category. Racism is the dependence of social status on the social meaning attached to race; colorism is the dependence of social status on only skin color. In order for a form of discrimination to be considered colorism, differential treatment must not result from racial categorization, but from social values associated with skin color. (Jones, 2000, pp. 1487-1557)
In the Mahabharata, the god Krishna, whose name in its original Sanskrit, Kṛṣṇa, is primarily an adjective for Black or Dark, is sometimes also translated as all attractive, whereas the character Arjuna is often depicted as being lighter, and his name means silvery white. The Rigveda referred to two classes of people, the white-skinned Aryans and the black-skinned Dasas. The Aryans were religious and followed the Vedas, performing all the rituals, while the Dasas (at a later stage merged into the Shudra class) were to serve them. (Chavan and Kidwai, 2006)
Individuals in South Asia have tended to see whiter skin as more beautiful. This was most visible in British India, where skin color served as a signal of high status for the British. Thus, those individuals with fairer skin color enjoyed more privileges and opportunities than those with dark skin. Anglo-Indians with more European features were often more upwardly mobile and were considered to have a more affluent status. These individuals gained preferences in education and in employment. Darker skinned individuals were socially and economically disadvantaged due to their appearance.
(Beyond the South Asian subcontinent, persons who were dark-skinned, black or colored faced a disadvantage in most European-held colonies.) Most Indian actors and actresses have light skin. (Reddy, 2008) There are many advertisements in reference to a skin bleaching product, Fair and Lovely, which is targeted mostly towards women who have darker skin. These advertisements appear on billboards throughout South Asian cities, on television advertisements, and Internet advertisements as well. The subject of the majority of the advertisements is a darker skinned woman needing a solution to her problem of not being chosen for marriage or a job. The solution suggests that by using Fair and Lovely, her skin tone can be lightened and she can enjoy the privileges associated with it. (Rajesh, 2013)
India’s obsession with fair skin
India’s obsession with fair skin is well documented: in 1978, Unilever launched Fair & Lovely cream, which has subsequently spawned numerous whitening face cleansers, shower gels and even vaginal washes that claim to lighten the surrounding skin. In 2010, India’s whitening-cream market was worth $432m, according to a report by market researchers ACNielsen, and was growing at 18% per year. Last year, Indians reportedly consumed 233 tons of skin-whitening products, spending more money on them than on Coca-Cola. (Rajesh, 2013)
It is widely known that the obsession to have fair skin has a very long history behind it, owing to caste and culture. It is evident that the marketers at Unilever exploited this cultural norm. As India is a very large market, the marketers at Unilever saw this as a great opportunity to sell their skin lightening product. Although it is not scientifically proven that ‘Fair & Lovely’ actually whitens skin as it claims to, the product was a success.
Indians became obsessed with getting fair skin in order to succeed in life, as portrayed in Unilever advertisements and Bollywood movies. Media played a major role in this obsession. Educated, successful people were portrayed as light-skinned persons in almost every movie which was produced. This was the main reason for Indians to lust after fair skin.
In response to the obsession with fair skin, a group of Indian women founded ‘Dark is beautiful’ in 2009, which has picked up pace in 2013 since award-winning actress-director Nandita Das has become the face of the campaign. Das, who has spoken out against the bias against dark skin in recent years, has been actively promoting the cause in interviews on social media and with mainstream media. (Globalvoicesonline.org, 2013) The desire in India for lighter skin is fueled by a widespread belief that dark skin is ugly and inferior. Not only is fair skin perceived to be a key definer of beauty, but it is also seen to be an essential element of self-confidence, success, and happiness. (Globalvoicesonline.org, 2013)
The notion that fair skin is superior to darker skin has been so embedded in Indians that the majority of the population believes it to be true. However, if you look at this matter from a global point of view, this proves to be wrong. For example, the richest man in the world is a Mexican, who is colored. The most powerful man in the world, the president of the USA, is colored. Even the face of the ‘Dark is beautiful’ campaign, Nandita Das, is brown-skinned. The most successful basketball player, Michael Jordan, is colored and so is the world heavyweight champion Muhammad Ali. These people are proof that you do not have to be fair-skinned to be successful in life. There are plenty of examples where people who do not have fair skin are extremely successful and have left an everlasting impression on the population all over the world.
From the perspective of an organization, which exists to earn profit, it could be said it is fair to grab a chance to expedite the launch of Fair & Lovely to a fairness-obsessed market such as India. The organization managed to rake in a turnover of 400 million US dollars a year, which is more than Coca-Cola and tea in India. But ethically the conduct of these organizations is wrong. Although it brings large amounts of profits, it hoodwinks the masses and misleads people to believe in ideologies which are not true and do not exist outside of India. ‘Dark is beautiful’ recently launched a video named “1.2 billion shades of beautiful” to promote the anti-fairness-obsession message in the country.
The organizations are creating a demand for the fairness products by advertising and portraying how a dark-skinned woman does not have a job at an airline, but after using a fairness product the woman gets a job opportunity to work in the airline industry. Advertising campaigns such as this create the demand for fairness products in the Indian community. Exploiting the cultural norms is unethical when looking at the issue from an individual perspective, because it takes heavy advantage of the beliefs of the people in that particular culture. It is evident that the companies have exploited these narrow-minded Indian beliefs to earn profits, which I believe is unethical.
The determination whether exploitation of cultural norms and values to promote a product is ethical or not is guided by the three ethical principles which provide a framework to help a business or market distinguish between right and wrong, determine what ought to be done and properly justify such actions (Cateora et al., 2011, p. 151). These principles are:
1. Utilitarian ethics: this helps to answer the question: does the action optimize the common good or benefits of all constituencies? And who are the pertinent constituencies?
2. Rights of the parties: this probes into the question: does the action respect the rights of the individuals involved?
3. Justice or fairness: this answers the question: does the action respect the canons of justice or fairness to all parties involved? (Cateora et al., 2011, p. 151).
Using these three basic ethical principles to assess how ethical it is to exploit cultural norms and values to promote a product, it is safe to say that exploiting cultural norms and values to promote a product in a socially responsible and positive manner is ethical, but in the case of the ‘Fair & Lovely’ advertisement campaign, it is not ethical. So its huge series of campaigns that centered on the “fair girl gets the men’s attention” and “fair girl gets the best job” themes is unethical.
Conclusion
The current obsession with fairness or skin-bleaching products is overwhelming in India, bringing in more than USD 400 million in revenue, which is greater than Coca-Cola and tea in India. The great demand is the result of heavy advertising and a cultural norm where it is believed that the fair-skinned succeed in life. Unilever India has exploited this cultural norm to market their fairness product Fair & Lovely, which is an immense success. The “Dark is beautiful” campaign headed by the famous actor-director Nandita Das is fighting against this obsession with fair skin in India. The video launched by the campaign, ‘1.2 billion shades of beautiful’, promotes the ideology that each individual is beautiful in their unique way. After analyzing the marketing procedure with the three ethical principles, it was determined that the Fair & Lovely product advertising campaign is unethical because it does not promote the product in a socially responsible manner.
References
Books/Journals
Jones, T. 2000. Shades of brown: The law of skin color. Duke Law Journal, pp. 1487-1557.
Chavan, N. and Kidwai, Q. J. 2006. Personal law reforms and gender empowerment. Gurgaon: Hope India.
Cateora P.R., Gilly M.C. & Graham J.L. (2011), International Marketing (15th ed.), p. 94 216, New York, McGraw-Hill Irwin.
Online
Rajesh, M. 2013. India’s unfair obsession with lighter skin. [online] 14th August. Available at: https://www.theguardian.com/world/shortcuts/2013/aug/14/indias-dark-obsession-fair-skin [Accessed: 9 Jan 2014].
Reddy, S. 2008. Commentary: Fashion Mavens Still Like Light Skin. [online] 02nd July. Available at: https://www.newsweek.com/commentary-fashion-mavens-still-light-skin-93003 [Accessed: 9 Jan 2014].
Globalvoicesonline.org. 2013. ‘Dark Is Beautiful’ Campaign Questions India’s Skin Colour Prejudices Global Voices. [online] Available at: https://globalvoicesonline.org/2013/08/21/dark-is-beautiful-campaign-questions-indias-skin-colour-prejudices/ [Accessed: 9 Jan 2014].