
Chapter 4: Network security in the TCP/IP protocol suite

- The problem of network protection, more precisely the protection of
information stored on and moved across the network against intruders and
saboteurs (collectively called hackers), both inside and outside the
network, is one that network administrators put at the forefront of
network administration.
- Hackers do not attack only TCP/IP networks, but the potential threat to
these networks is especially large: because TCP/IP is an open protocol
suite whose specifications are public, hackers can probe for its
weaknesses easily by trying many different types of attacks.
- The goals that hackers pursue when attacking TCP/IP networks are
usually:
 Impersonation: to gain unauthorized access to network resources (data)
by posing as a legitimate party.
 Denial of Service (DoS) attack: to make the network's resources (service
servers: Web server, ...) unusable.
 Replay of messages: to capture information while it is moving over the
network and re-send it (possibly altered) later, so that the receiver
accepts it as new.
 Guessing of passwords: to gain access to information/services that
should have been denied (a dictionary attack).
 Guessing of keys: to gain access to encrypted passwords and data (a
brute-force attack).
Security Policies for TCP/IP
- Security administrators of networks, especially TCP/IP networks, must
implement a combination of the following security policies to protect their
networks and the data in transit. This applies not only to a LAN/WAN but
also to both the Intranet and the Internet:
 Encryption of information before sending it on the network: to protect
data and passwords.
 Authentication, using digital signatures and/or certificates: to verify
who is sending (the source of) the data on the network.
 Authorization: to prevent inappropriate or invalid access.
 Integrity, using message digests and Message Authentication Codes: to
protect against changes/modifications to messages in transit.
 Non-repudiation policies: to ensure that an action cannot later be
denied by the person who performed it.
 One-time password policies and a two-way random-number handshake
(mutual authentication): to allow the two communicating parties to
authenticate each other.
 Frequent key-refresh policies: use strong keys and replace them
regularly, so that a key that is guessed or compromised cannot be used
to forge traffic in the future: to protect the network against attacks
that "crack" the key (dictionary attacks, brute-force attacks).
 Address concealment policies, using NAT/PAT techniques: to hide the
internal address structure from outside attackers, which reduces the
exposure of internal hosts to reconnaissance and denial of service (DoS)
attacks.
- Since the TCP/IP protocol suite was not designed with security in mind,
various security systems have been developed for the applications and
traffic running on the Intranet/Internet.
- This software is responsible for preparing data for transmission over the
network, taking into account the possibilities for authentication and
encryption.
- In a TCP/IP network, such security mechanisms can be built in one of
three layers: Application; Transport/Network; Physical/Data link.
- To prevent eavesdropping on messages transmitted over the network: the
message must be encrypted before transmission and decrypted at the
receiver. In this case, the sender and receiver must share a secret key
to encrypt/decrypt the message.
- With this solution, the key itself must also be transmitted/distributed
over the network, so the next question is how to distribute the key
securely; the encryption techniques involved can use a private (secret)
key and/or a public key.
- A single key must not be used for a long time, and the hacker must be
prevented from guessing the key (in particular, from deriving a future
key once the current key is known). As a countermeasure, a "key refresh"
should be performed frequently, and a policy of "deriving new keys from
old keys" should not be used; each new key must be generated afresh and
transmitted/distributed securely (in secret).
- To prevent message "replay" by an impostor (replay attack): use sequence
numbers, so that a message carrying a number that has already been seen
is rejected.
- To ensure that the message is not altered/modified during transmission
from sender to receiver: use a message digest, computed with a hash
function (a one-way function).
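The two mechanisms above, sequence numbers against replay and a keyed digest against modification, only work together: the digest must cover the sequence number, or an attacker can renumber a captured message. The following is an added example, not code from the original notes, of a sender/receiver pair that does this with HMAC-SHA256 over (sequence number || payload). The shared key, the wire format and the message text are constructed for the demonstration.

```python
# Added example (not from the original notes): a sender/receiver pair that
# protects every message with a per-connection sequence number and an
# HMAC-SHA256 tag over (sequence number || payload), so the receiver can
# reject both tampered messages and replays. Standard library only; the
# shared key is a constructed secret generated for the demo.
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 8   # 8-byte big-endian sequence number
TAG_LEN = 32  # HMAC-SHA256 output


class Sender:
    """Numbers each outgoing message and appends an HMAC tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # next sequence number to use

    def send(self, payload: bytes) -> bytes:
        # Wire format: seq | payload | tag. The tag covers seq as well, so an
        # attacker cannot renumber a captured message to slip past the check.
        header = struct.pack(">Q", self.seq)
        self.seq += 1
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    """Verifies the tag first, then enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def receive(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; no state is updated before the tag has
        # been verified, so unauthenticated frames cannot advance last_seq.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: tag mismatch")
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq <= self.last_seq:
            raise ValueError(f"replay detected: seq {seq} <= {self.last_seq}")
        self.last_seq = seq
        return body[SEQ_LEN:]


def demo() -> dict:
    """Honest delivery, a replayed frame, and a tampered frame; returns outcomes."""
    key = secrets.token_bytes(32)  # constructed shared secret
    alice, bob = Sender(key), Receiver(key)
    out = {}
    frame1 = alice.send(b"transfer 100 to carol")
    out["first"] = bob.receive(frame1)
    # Replay: the attacker re-sends the captured frame unchanged.
    try:
        bob.receive(frame1)
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = "rejected: " + str(e)
    # Tampering: flip one bit in the amount; the tag no longer verifies.
    frame2 = alice.send(b"transfer 100 to carol")
    forged = bytearray(frame2)
    forged[SEQ_LEN + len(b"transfer ")] ^= 0x08  # '1' (0x31) -> '9' (0x39)
    try:
        bob.receive(bytes(forged))
        out["tamper"] = "accepted"
    except ValueError as e:
        out["tamper"] = "rejected: " + str(e)
    # The untouched second frame still goes through (seq 1 > 0).
    out["second"] = bob.receive(frame2)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Two caveats a practitioner should keep in mind: a single strictly increasing counter assumes in-order delivery (as over TCP); for datagram traffic a sliding replay window, as IPsec uses, is needed instead. And an HMAC with a shared key gives integrity and origin authentication but not non-repudiation, because either party holding the key could have produced the tag; that is the job of the digital signature discussed next.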
- To ensure that the "shortened message" (the digest) is itself not
compromised or altered in transit: use a digital signature, that is,
encrypt the digest with a shared secret key (a MAC, which provides
authentication) or with the sender's private key (a signature, which
provides authentication and non-repudiation).
- To ensure that a message or a digital signature really originates from a
trusted/desired partner: use a two-way handshake that exchanges encrypted
random numbers (mutual authentication).
- To ensure that the "handshake" is being exchanged with the trusted
counterparty and not with a man-in-the-middle: use digital certificates,
which bind the partner's public key to the partner's identity
information.
- To prevent invalid use of a service by users who are not properly
authenticated: use a multi-tier access control model.
- To protect against malicious code or unwanted messages (including DoS
attacks): limit access to the internal network using filters, firewalls,
proxies, packet authentication, and concealment of the internal address
and name structure (hide the addressing and naming of the internal
network), ...
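The two-way random-number handshake described above can be written down concretely. The following is an added example, not code from the original notes: a three-message challenge/response in which each side proves it holds the shared key by computing a keyed digest over the other side's fresh random number. The notes describe the idea with "encrypted random numbers"; using HMAC-SHA256 instead of encryption is an assumption of this example, as are the party names alice/bob and the message layout.

```python
# Added example (not from the original notes): a three-message challenge/
# response handshake in which each party proves it holds the shared key by
# MACing the other party's fresh random number (nonce). The notes describe
# the idea with "encrypted random numbers"; this version uses HMAC-SHA256
# instead of encryption, which is an assumption of this example. The names
# alice/bob and the message layout are likewise illustrative.
import hashlib
import hmac
import secrets


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC over length-prefixed fields, so field boundaries are unambiguous."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    def __init__(self, name: bytes, key: bytes):
        self.name = name
        self.key = key
        self.my_nonce = b""
        self.peer_nonce = b""

    def start(self):
        """Message 1 (initiator -> responder): my name and a fresh nonce."""
        self.my_nonce = secrets.token_bytes(16)
        return self.name, self.my_nonce

    def respond(self, peer_name: bytes, peer_nonce: bytes):
        """Message 2 (responder -> initiator): my name, my nonce, and
        HMAC(K, "resp", my name, peer nonce, my nonce). Binding my own name
        into the tag stops a reflection attack where a party's challenge is
        bounced back at it; the fresh peer nonce stops replay of old tags."""
        self.peer_nonce = peer_nonce
        self.my_nonce = secrets.token_bytes(16)
        tag = mac(self.key, b"resp", self.name, peer_nonce, self.my_nonce)
        return self.name, self.my_nonce, tag

    def finish(self, peer_name: bytes, peer_nonce: bytes, tag: bytes) -> bytes:
        """Initiator checks message 2, then builds message 3:
        HMAC(K, "init", my name, peer nonce, my nonce)."""
        if peer_name == self.name:
            raise ValueError("reflection: peer claims my own identity")
        expected = mac(self.key, b"resp", peer_name, self.my_nonce, peer_nonce)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("responder failed to prove knowledge of the key")
        self.peer_nonce = peer_nonce
        return mac(self.key, b"init", self.name, peer_nonce, self.my_nonce)

    def verify_final(self, peer_name: bytes, tag: bytes) -> bool:
        """Responder checks message 3; True means both sides are authenticated."""
        expected = mac(self.key, b"init", peer_name, self.my_nonce, self.peer_nonce)
        return hmac.compare_digest(tag, expected)


def run_handshake(key: bytes) -> bool:
    alice, bob = Party(b"alice", key), Party(b"bob", key)
    a_name, n_a = alice.start()
    b_name, n_b, tag_b = bob.respond(a_name, n_a)
    tag_a = alice.finish(b_name, n_b, tag_b)
    return bob.verify_final(a_name, tag_a)


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared secret
    out = {"honest": run_handshake(key)}
    # Impostor: a "bob" without the key cannot build a valid tag for nonce_a.
    alice = Party(b"alice", key)
    mallory = Party(b"bob", secrets.token_bytes(32))
    b_name, n_b, bad_tag = mallory.respond(*alice.start())
    try:
        alice.finish(b_name, n_b, bad_tag)
        out["impostor"] = "accepted"
    except ValueError as e:
        out["impostor"] = "rejected: " + str(e)
    # Replay: a genuine message 2 captured earlier does not match the fresh nonce_a.
    alice, bob = Party(b"alice", key), Party(b"bob", key)
    old_msg2 = bob.respond(*alice.start())  # captured from a previous session
    alice.start()                           # new session, new nonce_a
    try:
        alice.finish(*old_msg2)
        out["replay"] = "accepted"
    except ValueError as e:
        out["replay"] = "rejected: " + str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

This handshake defeats impersonation by a party that does not hold the key and replay of an earlier session's messages, which is exactly what the random numbers are for. It does not, by itself, address the man-in-the-middle case the notes raise next: when the key is agreed using public keys rather than pre-shared, an attacker can substitute its own public key during the exchange, and only a certificate binding the partner's public key to its identity lets the initiator detect that.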
Security Services
- Authentication Service:
 Peer entity authentication
 Data origin authentication
- Access Control Service
- Data Confidentiality Service
- Data Integrity Service (ensures that transmitted data arrives intact)
- Non-repudiation Service
- Availability Service (the hardest to provide; no fundamental solution
exists yet)
Authentication Service
- This service ensures that a communication is authentic. If only a single
message transmission is concerned, the job of the authentication service
is simply to assure the receiver that the message it receives is from the
source it claims to be from. If the ongoing interaction of two
communication partners is concerned, for example the connection between
a terminal and a host, two aspects must be considered.
- First, at the time of connection initiation, the service ensures that the
two communicating parties are who they claim to be.
- Second, the service ensures that the connection is not interfered with by
a third party: a hacker could impersonate one of the two legitimate
partners for the purpose of sending or receiving "unauthorized" messages.
- There are 2 kinds of authentication service:
 Peer entity authentication: provides authentication of the identity of
the peer entities in an association. It is provided for use at the time
of connection establishment or during the data exchange phase of the
connection. It attempts to provide confidence that the communication
partner is not performing a masquerade or an unauthorized replay of a
previous connection.
 Data origin authentication: provides authentication of the origin of a
data unit; it does not provide protection against duplication or
modification of data units. This type is often used to support
authentication in e-mail applications.
Access Control Service
- In the field of network security, access control is the ability to limit
and control access to hosts and applications over a communication link.
- The task of the access control service is: when a communicating entity
tries to access the system, it must first be identified or authenticated,
and only then can it obtain the access rights appropriate to it. The
service must answer:
 Who is authorized to access the resource?
 Under what conditions may the resource be accessed?
 To what extent is access to the resource allowed?
 What operations may be performed on the resource?
- In general, this service performs the task of preventing "unauthorized"
use of resources.
Data Confidentiality Service
- This service provides protection for transmitted data against passive
attacks.
- With respect to the content of the transmitted data, several levels of
protection can be identified: the service can be defined to protect all
data on a connection, a single message, or specific fields within a
message.
- Another aspect of confidentiality is the protection of the traffic flow
against traffic analysis. It prevents an attacker from observing the
source address, destination address, frequency, length, or other
characteristics of the traffic as it moves across systems and media.
Data Integrity Service
- Like confidentiality, integrity can apply to a message stream, a single
message, or selected fields within a message.
- This service ensures that the message received by the receiver is exactly
the message sent by the sender, that is, the message has not been
duplicated, modified, reordered, or deleted, and is not a replay, as it
moves along the transmission path.
- Destruction of data is also covered by this service. Therefore, this
service helps protect the network against two common types of active
attack: message stream modification and denial of service.
- When a breach of data integrity is detected, the service reports the
breach and may forward the report to the system so that data recovery
can be requested.
Non-repudiation Service
- Non-repudiation prevents either the sender or the receiver from denying a
message that has been transmitted.
- So when a message is sent, the receiver can prove that the message was in
fact sent by the claimed sender. Similarly, when a message is received,
the sender can prove that the message was in fact delivered to the
claimed receiver.
Availability Service
- This service is responsible for making system resources accessible and
usable by authorized entities within defined limits.
- That is, a system is said to be available if it provides its services
whenever a user requests them, according to the system design.
- The variety of attack types in use today can render existing systems
ineffective or meaningless.
Relation between Attacks and Service
Deployment of Network Security solutions in TCP/IP Protocol
- A number of systems and protocols are deployed to provide the various
network security solutions in the TCP/IP protocol suite. They include:
 IP Filtering (filtering on IP addresses)
 NAT: Network Address Translation
 IPSec: IP Security Architecture
 Application proxies
 Firewalls
 Tunnel protocols (L2TP)
 Authentication Protocols (CHAP; PAP; MS-CHAP)
- S/MIME: Secure/Multipurpose Internet Mail Extensions:
 As an application-level security construct, it is used only to protect
e-mail, through encryption and digital signatures.
 It is based on public key cryptography and uses X.509 certificates to
verify the identity of the communicating parties.
- SOCKS: A standard for circuit-level gateways.
 It does not
- SSH: Secure Shell.
 Can be used for secure connections between systems. It
- SSL: Secure Sockets Layer
 A security protocol developed by Netscape Communications and RSA Data
Security.
 The main goal of the SSL protocol is to provide a private channel
between communicating applications that require authentication of the
communication partners and assurance of data integrity and privacy. SSL
provides an alternative to the standard TCP/IP socket API, one with
security features built in.
 Therefore, in theory any TCP/IP application can run in a secure
environment without changing the application. SSL is usually installed
to support traffic such as HTTP, NNTP, Telnet, ...
- Kerberos:
 The Kerberos Network Authentication Service v5 is recommended as a
standard protocol and is described in RFC 1510. The Kerberos service
typically runs on its own system, within a secure realm.
 Each user must be validated individually.
 The mission of Kerberos is:
 Authentication: preventing fraudulent requests/responses.
 Authorization
 Permits
 Used
- Remot