The document discusses network security policies for TCP/IP protocols. It outlines common goals of hackers such as impersonation, denial of service attacks, and password/key guessing. It recommends implementing encryption, authentication, authorization, integrity checks, and frequent key refreshing to protect against various attacks. The document also describes security services for TCP/IP like authentication, access control, data confidentiality, integrity, and non-repudiation.
- The issue of network protection, more precisely the protection of information stored on and moved across the network against intruders and saboteurs (collectively known as hackers), both inside and outside the network, is put at the forefront of network administration.
- Hackers do not only attack TCP/IP networks, but the potential threat to these networks is huge: because TCP/IP is an open protocol, hackers can find its vulnerabilities easily by trying different types of attacks.
- The goals that hackers pursue when attacking TCP/IP networks are usually:
  - Impersonation: to gain unauthorized access to network resources (data).
  - Denial of Service attack: to make the network's resources (service servers: Web server, ...) ineffective.
  - Replay of messages: to access/receive information and change it while it is in transit.
  - Guessing of passwords: to gain access to information/services that should have been denied (called a dictionary attack).
  - Guessing of keys: to gain access to encrypted passwords and data (called a brute force attack).

Security Policies of TCP/IP
- Security administrators of networks, especially TCP/IP networks, must implement a combination of the following security policies to protect their networks and the data in transit. This applies not only to a LAN/WAN but also to both the Intranet and the Internet:
  - Encryption of information before transmitting it on the network: to protect data and passwords.
  - Authentication, using digital signatures and/or certificates: to check who is sending (the source of) the data on the network.
  - Authorization: to prevent inappropriate/invalid access.
  - Integrity, using data and Message Authentication Codes: to protect against message changes/modifications.
  - Non-repudiation policies: to ensure that an action cannot be denied by the person performing it.
  - One-time password policies and two-way random number handshake (mutual authentication): to allow communicating parties to authenticate each other.
  - Frequent key refresh policies (use strong keys; prevent "fake" keys in the future; ...): to protect the network against attacks that "crack" the key: dictionary attack, brute force attack.
  - Address concealment policies, using NAT/PAT techniques: to protect the network against denial of service (DoS) attacks.
- Since the TCP/IP protocol was not designed with security in mind, various security systems have been developed for applications and traffic running on the Intranet/Internet.
- This software is responsible for preparing data for transmission over a network, taking into account the possibilities for authentication and encryption.
- In a TCP/IP network, the aforementioned systems can be built in one of three layers: Application; Transport/Network; Physical/Data link.
- To prevent eavesdropping on messages transmitted on the network: the message must be encrypted before transmission and decrypted at the receiver. In this case, the sender and receiver must share a secret key to encrypt/decrypt the message.
- With this solution, the key must also be transmitted/distributed on the network, so the next question is how to distribute the key securely; different encryption techniques can use private keys and/or public keys.
- It is not possible to use one key for a long time, and the hacker must be prevented from guessing the key (including guessing the future key if the current key is known). As a countermeasure, a "key refresh" should be done frequently, and a policy of "relying on old keys to derive new keys" should not be used; this ensures that keys are securely transmitted/distributed (in secret).
- To prevent message "replay" by an impostor (replay attack): use sequence numbers.
- To ensure that the message is not altered/modified during transmission from sender to receiver: use a message digest, computed with a hash function or one-way function.
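The integrity, replay-protection and two-way random-number handshake policies described above, as an added example that is not part of the original lecture notes: a shared-key MAC over a sequence-numbered frame, a receiver that rejects altered or replayed frames, and a mutual challenge-response in which each side proves knowledge of the key over both random numbers. The key, nonces, frame layout and messages are constructed for the demonstration.

```python
import hmac, hashlib, os

def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 digest over the parts (integrity + data origin); callers pass fixed-length fields first."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = 4-byte sequence number | payload | 32-byte MAC (constructed layout)."""
    hdr = seq.to_bytes(4, "big")
    return hdr + payload + mac(key, hdr, payload)

class Receiver:
    """Checks each frame's MAC and rejects replayed or out-of-order sequence numbers."""
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, -1

    def accept(self, frame: bytes):
        """Returns the payload if the frame is genuine and fresh, else None."""
        if len(frame) < 36:                      # 4-byte header + 32-byte MAC minimum
            return None
        hdr, payload, tag = frame[:4], frame[4:-32], frame[-32:]
        if not hmac.compare_digest(tag, mac(self.key, hdr, payload)):
            return None                          # altered in transit (or wrong key)
        seq = int.from_bytes(hdr, "big")
        if seq <= self.last_seq:
            return None                          # replay of an already-seen message
        self.last_seq = seq
        return payload

def challenge_response(key: bytes, my_id: bytes, my_nonce: bytes, peer_nonce: bytes) -> bytes:
    """One leg of the two-way random-number handshake: the reply binds both nonces and
    the responder's identity, so an old reply or a reflected reply does not verify."""
    return mac(key, my_id, peer_nonce, my_nonce)

def mutual_auth(key_a: bytes, key_b: bytes) -> bool:
    """A and B each challenge the other with a fresh 16-byte random number (constructed run);
    authentication succeeds only if both sides hold the same shared key."""
    na, nb = os.urandom(16), os.urandom(16)           # A -> B: na ;  B -> A: nb
    resp_b = challenge_response(key_b, b"B", nb, na)   # B proves knowledge of its key
    if not hmac.compare_digest(resp_b, mac(key_a, b"B", na, nb)):
        return False                                  # A rejects B
    resp_a = challenge_response(key_a, b"A", na, nb)   # A proves knowledge of its key
    return hmac.compare_digest(resp_a, mac(key_b, b"A", nb, na))

if __name__ == "__main__":
    key = b"constructed-shared-secret"                 # distributed out of band, refreshed often
    rx = Receiver(key)
    print(rx.accept(seal(key, 1, b"hello")), rx.accept(seal(key, 1, b"hello")))  # b'hello' None
    print(mutual_auth(key, key), mutual_auth(key, b"constructed-other-key"))    # True False
```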
- To ensure that a "shortened message" (digest) is unaltered in transit: use a digital signature, by encrypting the digest with a secret or private key (this is an authentication and non-repudiation mechanism).
- To ensure that a message or a digital signature originates from a trusted/desired partner: use a two-way handshake with encrypted random numbers (mutual authentication).
- To ensure that a "handshake" is exchanged with a trusted counterparty (against a man-in-the-middle attack): use digital certificates (tokens), which bind the public key to the partner's identity information.
- To prevent invalid use of a service by users who are not properly authenticated: use a multi-tier access control model.
- To protect against malicious code or unwanted messages (from DoS attacks): limit access to the internal network, using filters, firewalls, proxies, packet authentication, concealment of the internal address and name structure (hide the address and name structure of the internal network), ...

Security Services
- Authentication Service:
  - Peer entity authentication
  - Data origin authentication
- Access Control Service
- Data Confidentiality Service
- Data Integrity Service (ensures that transmitted data arrives intact)
- Non-repudiation Service
- Availability Service (the hardest; no complete solution exists yet)

Authentication Service
- This service ensures reliable communication. If only message transmission is concerned, then the authenticator's job is simply to assure the receiver that the message it receives is from an authenticated source. If the interaction of two communication partners is of interest, for example the connection between a Terminal and a Host, two aspects must be considered:
- First, at the time of connection initiation, the service ensures that the two communication partners are who they claim to be (trusted).
- Second, the service ensures that the connection is not tampered with by a third party: a hacker could impersonate one of the two legitimate partners for the purpose of sending or receiving "unauthorized" messages.
- There are two kinds of authentication service:
  - Peer entity authentication: provides authentication of the identity of the peer entities in an association. It is made available at the time of connection establishment or during the data exchange of the connection. It attempts to provide confidence that the communication partner is not performing spoofing or an unauthorized replay of a previous connection.
  - Data origin authentication: provides authentication of the origin of a data unit; it does not provide protection against duplication or modification attacks. This type is often used to support authentication for e-mail applications.

Access Control Service
- In the field of network security, access control is the ability to limit and control access to hosts and applications over a communication link.
- The task of the access control service is: when a communicating entity tries to access the system, it must first be identified or authenticated, and only then can it obtain its own appropriate access rights. This includes:
  - Who is authorized to access the resource?
  - What are the conditions for accessing the resource?
  - To what extent is access to the resource allowed?
  - What operations may be performed on the resource?
- In general, this service performs the task of preventing "unauthorized" use of resources.

Data Confidentiality Service
- This service provides protection for transmitted data against passive attacks.
- Depending on the content of the transmitted data, it is possible to establish different levels of protection. That is, the service can be defined to protect a single message or specific fields of a message.
- Another aspect of confidentiality is the protection of the traffic flow against traffic analysis attacks.
It makes it impossible for an attacker to observe the source address, destination address, frequency, length, or other characteristics of the traffic as it moves across systems and media.

Data Integrity Service
- Like confidentiality, integrity can apply to a message stream, a single message, or selected fields within a message.
- This service ensures that the message received by the receiver is exactly the message sent by the sender: the message is not duplicated, changed, rearranged, deleted or replayed as it moves along the transmission line.
- Data destruction is also covered by this service. Therefore, this service supports protecting the network against two common types of active attacks: message stream modification and DoS.
- When a breach of data integrity is detected, this service reports the breach and forwards the report to the system to request data recovery.

Non-repudiation Service
- Non-repudiation prevents the sender or receiver from denying a message that they have transmitted.
- So when a message is sent, the receiver must be able to present proof that the message was received from the claimed sender. Similarly, when a message is received, the sender must be able to present proof that the message was delivered to the claimed receiver.

Availability Service
- This service is responsible for making system resources accessible and usable by authorized entities within a certain limit.
- That is, a system is said to be available if it provides services whenever the user requests them, according to the system design.
- The variety of attack types available today can render existing systems ineffective or meaningless.

Relation between Attacks and Services

Deployment of Network Security Solutions in the TCP/IP Protocol
- There are several systems and protocols deployed to provide different network security solutions in the TCP/IP protocol.
It includes:
  - IP Filtering
  - Network Address Translation (NAT)
- In this diagram:
  - IP Filtering (filtering by IP address)
  - NAT: Network Address Translation (converting network addresses)
  - IPSec: IP Security Architecture
  - Application proxies
  - Firewalls
  - Tunnel protocols (L2TP)
  - Authentication protocols (CHAP; PAP; MS-CHAP)
- S/MIME: Secure Multipurpose Internet Mail Extensions. As an application-level security mechanism, it is only used to protect e-mail, through encryption and digital signatures. It is based on public key cryptography and uses X.509 certificates (tokens) to verify the identity of the communicating party.
- SOCKS: a standard for circuit-level gateways. It does not
- SSH: Secure Shell. Can be used for secure connections between systems. It
- SSL: Secure Sockets Layer. A security protocol developed by Netscape Communications and RSA Data Security. The main goal of the SSL protocol is to provide a private channel between communicating applications that requires authentication of the communication partners and ensures data integrity and privacy. SSL provides an alternative to standard TCP/IP sockets, with built-in security features. Therefore, theoretically any TCP/IP application can run in a secure environment without changing the application. SSL is usually installed to support traffic such as HTTP, NNTP, Telnet, ...
- Kerberos: The Kerberos Network Authentication Service v5 is recommended as a standard protocol and is described in RFC 1510. The Kerberos service typically runs on its own system, within a secure perimeter. Users need their own validation. The mission of Kerberos is:
  - Authentication: preventing fraudulent requests/responses
  - Authorization
  - Permits Used
- Remot