
Chapter Four

Network Security
 Network security describes all aspects of securing your computer or
computers from unauthorized access.
 This includes blocking outsiders from getting into the network, as well as
password-protecting your computers and ensuring that only authorized
users can view sensitive data.
Network Security/ Security Services
 Confidentiality
 Authentication
 Integrity
 Non-repudiation
 Access control
 Availability
Network Security/ Model
[Figure: model for network security. A sender and a receiver apply a
security-related transformation to the message they exchange over an
information channel; an opponent has access to that channel; a trusted
third party may take part in the exchange.]
Network Security/ Introduction
In today's highly networked world, we can't talk of computer security
without talking of network security
Focus is on:
 Internet and Intranet security (TCP/IP based networks)
 Attacks that use security holes of the network protocols and
their defenses
Does not include attacks that use networks to perform some crime
based on human weaknesses (such as scams)
Network Security/ Types of Attacks
Passive attacks
Listen to the network and make use of the information
without altering it
 Passive wiretapping attack (eavesdropping)
 Traffic analysis
On a broadcast medium (hubbed Ethernet, wireless LANs) it is easy to
access other machines' packets
 Utilities such as etherfind and tcpdump
 Network management utilities such as SnifferPro
Defense
 Using switches rather than mere repeating hubs limits this
possibility (but does not remove it: see ARP spoofing below)
 Using cryptography protects the content of the traffic but does not
protect against traffic analysis (who talks to whom, when, how much)
Network Security/ Types of Attacks
Active attacks
An active attack threatens the integrity and availability of data being
transmitted
 The intruder can take full control of the transmitted data
 The attacker can modify, extend, delete or replay any data
This is quite possible in TCP/IP since the frames and packets are not
protected in terms of authenticity and integrity
Denial of service or degradation of service attack
 Prevention of authorized access to resources
 Examples
 E-mail bombing: flooding someone's mail store
 Smurf attack: sending an ICMP echo request ("ping") to a broadcast
address with the source IP spoofed to the victim's address. Every host
that receives it sends its echo reply to the victim, which is flooded
with amplified traffic
 There have been reports of distributed denial-of-service attacks
against major sites such as Amazon, Yahoo, CNN and eBay
Network Security/ Types of Attacks
Active attacks …
Spoofing attack: a situation in which one person or
program successfully imitates another by falsifying
data and thereby gains an illegitimate advantage.
 IP spoofing
 Forging the source address of an IP packet (nothing in plain IP
verifies it)
 DNS spoofing
 Changing the DNS information so that it directs to the wrong
machine
 URL spoofing/Webpage phishing
 A legitimate web page such as a bank's site is reproduced in "look
and feel" on another server under control of the attacker
 E-mail address spoofing
Network Security/ Types of Attacks
Active attacks …

Session hijacking
 When a TCP connection is established between a client and a
server, all information (addresses, ports, sequence numbers and
data) is transmitted in the clear and nothing is authenticated.
An attacker who can observe or predict the sequence numbers can
inject segments and take over the session.
Network Security/ Protocols and vulnerabilities
Attacks on TCP/IP Networks
TCP/IP was designed to be used by a trusted group of users
The protocols were not designed to withstand attacks
The Internet is now used by all sorts of people
Attackers exploit vulnerabilities of every protocol to achieve their goals
Network Security/ Protocols and vulnerabilities
Link Layer: ARP spoofing
The primary purpose of ARP is to find the MAC address that
corresponds to a given IP address for hosts on the same LAN.
Each node has its own ARP table (cache), generated automatically.
The entries expire after a period of time (typically, 20 minutes) so they
must be refreshed periodically

[Figure: ARP exchange on the 140.252.13 subnet (hosts .1 to .5).
Request, broadcast to every host: "arp req | target IP: 140.252.13.5 | target eth: ?"
Reply, unicast from host .5 (00:34:CD:C2:9F:A0) to the requester:
"arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0"]
Network Security/ Protocols and vulnerabilities
Link Layer: ARP spoofing
When a node doesn’t know a particular IP-to-MAC mapping, it
broadcasts an ARP request message to the LAN.
The appropriate node on the LAN responds with an ARP reply and the
requesting node can then fill in an entry in its ARP cache.
ARP is a stateless protocol; as a result, a node does not keep a
record of the ARP requests it has sent.
As a consequence, a node will accept any ARP reply that it receives,
even if it made no corresponding ARP request (most implementations also
overwrite an existing entry from an unsolicited reply).
This opens the door to an attack by a malicious host on the LAN: it sends
forged replies so that victims map the gateway's (or another host's) IP
address to the attacker's MAC address, and the attacker can then read,
modify or drop the traffic that passes through it (a man-in-the-middle).
This attack is known as ARP cache poisoning.
ARP is an example of a vulnerable stateless protocol.
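The following is an added example, not part of the original slides: it packs real ARP packets with the layout from RFC 826 and feeds them to two simulated host caches, a stateless one that behaves as described above (any reply updates the table) and a guarded one that only accepts replies to requests it actually sent and alerts when a known IP changes MAC (the check tools such as arpwatch perform). The addresses, the victim and the attacker MAC are constructed for the demo; the guarded cache is an illustration of the defence, not code from any operating system.

```python
"""ARP cache poisoning, simulated on the receiving host (added example)."""
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2
# Ethernet (hw type 1), IPv4 (0x0800), 6-byte MACs, 4-byte IPs: fixed ARP header
ARP_FMT = "!HHBBH6s4s6s4s"          # 28 bytes

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return ipaddress.IPv4Address(s).packed
def ip_str(b): return str(ipaddress.IPv4Address(b))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))

def parse_arp(pkt):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}

class NaiveArpCache:
    """Stateless cache as in the text: any reply updates the table."""
    def __init__(self): self.table = {}
    def send_request(self, ip): pass               # nothing is remembered
    def receive(self, pkt):
        a = parse_arp(pkt)
        if a["op"] == ARP_REPLY:
            self.table[a["sender_ip"]] = a["sender_mac"]
        return []                                  # never alerts

class GuardedArpCache:
    """Hypothetical hardened cache: replies must answer an outstanding
    request, and a changed MAC for a known IP raises an alert."""
    def __init__(self):
        self.table, self.pending = {}, set()
    def send_request(self, ip): self.pending.add(ip)
    def receive(self, pkt):
        a = parse_arp(pkt)
        if a["op"] != ARP_REPLY:
            return []
        ip, mac = a["sender_ip"], a["sender_mac"]
        if ip not in self.pending:
            return [f"unsolicited ARP reply for {ip} from {mac}: ignored"]
        alerts = []
        old = self.table.get(ip)
        if old is not None and old != mac:
            alerts.append(f"MAC for {ip} changed {old} -> {mac}: possible poisoning")
        self.table[ip] = mac                       # solicited reply is still accepted
        self.pending.discard(ip)
        return alerts

def demo():
    """Three arrivals per cache: the gateway answers our request, then an
    unsolicited forged reply, then a forged reply that wins the race to
    answer a fresh request. All addresses are constructed."""
    gateway_ip, gateway_mac = "140.252.13.1", "08:00:20:03:f6:42"
    victim_mac, attacker_mac = "00:00:c0:c2:9b:26", "de:ad:be:ef:00:01"
    legit = build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, "140.252.13.5")
    forged = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, "140.252.13.5")
    results = {}
    for name, cache in (("naive", NaiveArpCache()), ("guarded", GuardedArpCache())):
        alerts = []
        cache.send_request(gateway_ip)
        alerts += cache.receive(legit)
        alerts += cache.receive(forged)            # unsolicited forged reply
        after_unsolicited = cache.table[gateway_ip]
        cache.send_request(gateway_ip)
        alerts += cache.receive(forged)            # attacker answers first
        results[name] = {"after_unsolicited": after_unsolicited,
                         "after_raced": cache.table[gateway_ip], "alerts": alerts}
    return results

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The guarded cache stops the unsolicited reply but still loses the race when the attacker answers a genuine request first; it only logs the MAC change. That is why the usual LAN defences are static entries for critical hosts (e.g. `ip neigh add ... nud permanent` on Linux) or Dynamic ARP Inspection on the switch, plus monitoring for exactly the change alert shown here.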
Network Security/ Protocols and vulnerabilities
Network Layer: IP Vulnerabilities
IP packets can be intercepted
 On the LAN (broadcast medium)
 At routers and switches along the path
Since the packets are not encrypted they can be easily read
Since IP packets are not authenticated they can be easily
modified or forged
Even if the user encrypts his/her data, it will still be
vulnerable to traffic analysis
Information exchanged between routers to maintain their
routing tables is not authenticated
 All sorts of problems can happen if a router is compromised
Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview

IPSec is a set of security algorithms plus a general framework that
allows a pair of communicating entities to use whichever algorithms
provide security appropriate for the communication.
Applications of IPSec
 Secure branch office connectivity over the Internet
 Secure remote access over the Internet
 Establishing extranet and intranet connectivity with
partners
 Enhancing electronic commerce security
Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview …

Benefits of IPSec
 Transparent to applications (below the transport layer:
TCP, UDP)
 Can provide security for individual users
IPSec can assure that:
 A router or neighbor advertisement comes from an
authorized router
 A redirect message comes from the router to which the
initial packet was sent
 A routing update is not forged
Network Security/ Protocols and vulnerabilities
Network Layer: IP security scenario …
An organization maintains LANs at dispersed locations.
Nonsecure IP traffic is conducted on each LAN.
For traffic offsite, through some sort of private or public WAN, IPsec
protocols are used.
These protocols operate in networking devices, such as a router or firewall, that
connect each LAN to the outside world.
The IPsec networking device will typically encrypt (and, if IPComp is
negotiated, compress) all traffic going into the WAN and decrypt (and
decompress) traffic coming from the WAN; these operations are transparent
to workstations and servers on the LAN.
Secure transmission is also possible for individual users who connect
to the WAN remotely.
Such user workstations must implement the IPsec protocols themselves
to get this protection.
Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) services

IPsec provides security services at the IP layer by enabling a
system to select required security protocols, determine the
algorithm(s) to use for the service(s), and put in place any
cryptographic keys required to provide the requested
services.
Two protocols are used to provide security:
 An authentication protocol, designated by the header of the
protocol: Authentication Header (AH)
 A combined encryption/authentication protocol, designated
by the format of the packet for that protocol: Encapsulating
Security Payload (ESP)
Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) services
Access Control
•In the context of network security is the ability to limit and
control the access to host systems and applications via
communications links.
Connectionless integrity
• Deals with individual messages without regard to any larger
context, generally provides protection against message
modification only.
Data origin authentication
• In a connectionless transfer, provides assurance that the source of
received data is as claimed.
Confidentiality (encryption)
• The protection of data from unauthorized disclosure.
Rejection of replayed packets
• A form of partial sequence integrity: the receiver keeps a sliding window
of sequence numbers and discards duplicates (offered by both AH and ESP).
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec - Security Associations (SA)

A key concept that appears in both the authentication and confidentiality
mechanisms for IP is the security association (SA).
An association is a one-way relationship between a sender and a receiver that
affords security services to the traffic carried on it.
If a peer relationship is needed, for two-way secure exchange, then two
security associations are required.
Security services are afforded to an SA for the use of AH or ESP, but not
both.
A security association is uniquely identified by three parameters:
 Security Parameters Index (SPI)
 The SPI is carried in AH and ESP headers to enable the receiving system to
select the SA under which a received packet will be processed.
 IP Destination Address: in the IPv4/IPv6 header
 Security Protocol Identifier: This indicates whether the association is an
AH or ESP security association.
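The following is an added example, not code from the slides or from any IPsec implementation. It keys a small Security Association Database on the triple above (SPI, destination address, protocol) and attaches to each SA the anti-replay window that the "rejection of replayed packets" service relies on, using the bitmap scheme described in RFC 4303 Appendix A. The SPIs, addresses and the arrival order of sequence numbers are constructed; the window size of 8 is deliberately tiny so the behaviour at the window edges is visible (real implementations use 64 or more).

```python
"""SA lookup by (SPI, dst, proto) and a sliding-window anti-replay check (added example)."""
from dataclasses import dataclass

AH, ESP = 51, 50   # IP protocol numbers of the two IPsec protocols

@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: int                  # AH or ESP: same SPI + dst may exist for both
    window_size: int = 64
    last_seq: int = 0           # highest sequence number accepted so far (right edge)
    bitmap: int = 0             # bit i set  <=>  sequence number last_seq - i was received

    def check_replay(self, seq):
        """Return True if seq is fresh and record it; False means drop the packet."""
        if seq == 0:
            return False                            # 0 is never sent on an SA
        if seq > self.last_seq:                     # right of the window: slide it
            shift = seq - self.last_seq
            if shift >= self.window_size:
                self.bitmap = 1                     # everything older falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window_size) - 1)
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.window_size:
            return False                            # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                            # already seen: replay
        self.bitmap |= 1 << offset                  # late but new: accept once
        return True

class SecurityAssociationDatabase:
    def __init__(self):
        self._sad = {}
    def add(self, sa):
        self._sad[(sa.spi, sa.dst, sa.proto)] = sa
    def lookup(self, spi, dst, proto):
        return self._sad.get((spi, dst, proto))

def process(sad, spi, dst, proto, seq):
    """Inbound path: select the SA from the packet's SPI, destination and
    protocol, then apply that SA's replay check. Returns a verdict string."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "drop: no SA"
    return "accept" if sa.check_replay(seq) else "drop: replay or out of window"

def demo():
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation(spi=0x1001, dst="192.0.2.10", proto=ESP, window_size=8))
    sad.add(SecurityAssociation(spi=0x1001, dst="192.0.2.10", proto=AH))  # distinct SA
    # constructed arrival order on the ESP SA: reordering, a replay of 3,
    # a jump to 20 that slides the window, then stale numbers
    arrivals = [1, 2, 5, 3, 3, 6, 20, 12, 13, 6, 2]
    verdicts = [process(sad, 0x1001, "192.0.2.10", ESP, s) for s in arrivals]
    verdicts.append(process(sad, 0x1001, "192.0.2.10", AH, 1))     # other SA, own window
    verdicts.append(process(sad, 0x2002, "192.0.2.10", ESP, 1))    # unknown SPI
    return verdicts

if __name__ == "__main__":
    for v in demo():
        print(v)
```

Note that the window is per SA: the AH association with the same SPI and destination keeps its own counters, which is why the triple, not the SPI alone, identifies the SA. Sequence number 12 is dropped not because it was replayed but because it fell off the left edge once 20 arrived; on lossy or heavily reordered links an undersized window causes exactly this kind of false drop.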
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec - Transport and Tunnel Modes
Both AH and ESP support two modes of use: transport and tunnel
mode.
Transport Mode:
Transport mode provides protection primarily for upper-layer
protocols.
That is, transport mode protection extends to the payload of an IP packet.
Examples include a TCP or UDP segment or an ICMP packet, all of
which operate directly above IP in a host protocol stack.
Typically, transport mode is used for end-to-end communication between
two hosts (e.g., a client and a server, or two workstations).
When a host runs AH or ESP over IPv4, the payload is the data that
normally follow the IP header.
ESP in transport mode encrypts and optionally authenticates the IP payload
but not the IP header.
AH in transport mode authenticates the IP payload and selected portions of
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec - Transport and Tunnel Modes
Tunnel Mode:
Tunnel mode provides protection to the entire IP packet.
To achieve this, after the AH or ESP fields are added to the IP packet, the
entire packet plus security fields is treated as the payload of new "outer"
IP packet with a new outer IP header.
The entire original, or inner, packet travels through a "tunnel" from one
point of an IP network to another; no routers along the way are able to
examine the inner IP header.
Because the original packet is encapsulated, the new, larger packet may
have totally different source and destination addresses, adding to the
security.
Tunnel mode is used when one or both ends of an SA are a security
gateway, such as a firewall or router that implements IPSec.
With tunnel mode, a number of hosts on networks behind firewalls may
engage in secure communications without implementing IPSec.
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication
The Authentication Header provides support for data integrity and
authentication of IP packets.
The data integrity feature ensures that undetected modification of a
packet's content in transit is not possible.
The authentication feature enables an end system or network device to
authenticate the user or application and filter traffic accordingly.
It also prevents address spoofing attacks, since the source address is
covered by the integrity check.
The AH also guards against the replay attack (via its sequence number)
[Figure: IPsec Authentication Header format]
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication …
[Figure: scope of AH authentication: (a) the original IP packet before AH;
(b) transport mode, AH inserted between the IP header and the payload;
(c) tunnel mode, AH placed in front of the original packet and a new
outer IP header added.]
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication

The Encapsulating Security Payload provides confidentiality services,
including confidentiality of message contents and limited traffic flow
confidentiality.
As an optional feature, ESP can also provide an authentication service.
Transport Mode ESP:
Transport mode ESP is used to encrypt and optionally authenticate the data
carried by IP (e.g., a TCP segment).
The ESP header is inserted into the IP packet immediately prior to the
transport-layer header (e.g., TCP, UDP, ICMP) and an ESP trailer (Padding,
Pad Length, and Next Header fields) is placed after the IP packet.
If authentication is selected, the ESP Authentication Data field is
added after the ESP trailer.
The entire transport-level segment plus the ESP trailer are encrypted.
Authentication covers all of the ciphertext plus the ESP header.
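The following is an added example, not code from the slides or from any IPsec stack. It lays out a transport-mode ESP packet byte by byte: the clear ESP header (SPI, sequence number), the payload, the trailer (padding, Pad Length, Next Header) and the ICV, and it verifies on receipt that the ICV covers the ESP header plus everything after it but not the IP header in front. To keep it runnable with the standard library alone it uses NULL encryption (RFC 2410, a legitimate ESP option for integrity-only SAs) with an HMAC-SHA-256-128 ICV; a real SA would use AES-GCM or AES-CBC with HMAC, and the 32-byte key, the SPI and the TCP segment are constructed.

```python
"""Transport-mode ESP packet: build, verify ICV, strip trailer (added example)."""
import hmac
import hashlib
import struct

IPPROTO_TCP = 6
ICV_LEN = 16        # HMAC-SHA-256-128: the MAC is truncated to 128 bits (RFC 4868)

def esp_encapsulate(spi, seq, payload, next_header, auth_key):
    # ESP header: SPI (32 bits) | sequence number (32 bits), both sent in the clear
    header = struct.pack("!II", spi, seq)
    # Trailer: pad so that payload + padding + Pad Length + Next Header is a
    # multiple of 4 bytes, then the Pad Length and Next Header fields
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))            # default pad bytes 1, 2, 3, ...
    trailer = padding + struct.pack("!BB", pad_len, next_header)
    ciphertext = payload + trailer                    # NULL encryption: bytes unchanged
    # ICV covers the ESP header and all of the ciphertext, never the IP header
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv

def esp_decapsulate(pkt, auth_key):
    """Verify the ICV, then strip the trailer. Returns (spi, seq, next_header, payload)."""
    if len(pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP")
    header, body, icv = pkt[:8], pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):        # constant-time comparison
        raise ValueError("ESP ICV mismatch: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if pad_len > len(body) - 2:
        raise ValueError("bad pad length")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]

def demo():
    key = bytes(range(32))                             # constructed 256-bit integrity key
    # constructed TCP segment: 20-byte header (ports 40000 -> 443, rest zero) + 5 data bytes
    tcp_segment = struct.pack("!HH", 40000, 443) + bytes(16) + b"hello"
    pkt = esp_encapsulate(spi=0x1001, seq=7, payload=tcp_segment,
                          next_header=IPPROTO_TCP, auth_key=key)
    spi, seq, nh, payload = esp_decapsulate(pkt, key)
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                                # flip one bit of the payload
    try:
        esp_decapsulate(bytes(tampered), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"packet_len": len(pkt), "pad_len": pkt[-ICV_LEN - 2], "spi": spi,
            "seq": seq, "next_header": nh, "payload_ok": payload == tcp_segment,
            "tamper_detected": tamper_detected}

if __name__ == "__main__":
    print(demo())
```

In transport mode this ESP packet is placed directly after the IP header, whose Protocol field becomes 50 (ESP); the original protocol (6, TCP) moves into the Next Header field at the end of the trailer, which is why the receiver only learns what the payload is after verifying the ICV and reading the trailer. The sequence number is authenticated here but not checked for replay; that is the separate window check performed per SA.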
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication…

Tunnel Mode ESP:
• Tunnel mode ESP is used to encrypt an entire IP packet.
• The ESP header is prefixed to the packet and then the packet plus the
ESP trailer is encrypted; a new outer IP header is added in front.
Network Security/ Protocols and vulnerabilities
Application layer: DNS spoofing

If the attacker has access to a name server, it can modify it so that
it gives false information
 Ex: redirecting www.ebay.com to map to the attacker's own
IP address
The cache of a DNS name server can also be poisoned with false
information using some simple techniques (e.g., sending a forged answer
that arrives before the legitimate one)
Network Security/ Protocols and vulnerabilities
Application layer: Web browsers as threats

We obtain most of our browsers on-line
Potential problems that can come from malicious code
within the browser
 Inform the attacker of the activities of the user
 Inform the attacker of passwords typed in by the user
 Downgrade browser security
Cookies
 Cookies are set by web servers and stored by web
browsers
 A cookie set by a server is sent back to the server when
the browser visits the server again
 Cookies can be used to track what sites the user visits
Network Security/ Protocols and vulnerabilities
Application layer: E-mail Security

E-mails transit through various servers before reaching their
destinations
By default, they are visible to anybody who has access to the servers
The SMTP protocol itself has some security holes (no sender
authentication, no confidentiality)
E-mail security can be improved using some tools and protocols
 Examples: PGP, S/MIME
PGP: Pretty Good Privacy
S/MIME: Secure/Multipurpose Internet Mail Extensions
Network Security/ Protocols and vulnerabilities
Application layer: Security-enhanced application protocols

Solutions to most application-layer security problems have been found
by developing security-enhanced application protocols
Examples
 For FTP => FTPS (FTP over TLS)
 For HTTP => HTTPS (HTTP over TLS)
 For SMTP => SMTPS, or STARTTLS on the standard port (SMTP over TLS)
 For DNS => DNSSEC (signed records: origin authentication and integrity,
but no confidentiality)
Thank You !!