07-Class - Network Security II - Information Security

The document discusses various topics related to network security including vulnerabilities and mitigations at different layers of the OSI model, TCP and UDP protocols, SSL and TLS, how HTTPS works, and IPsec. It provides details on common vulnerabilities such as SQL injection, XSS, ARP spoofing, and DoS attacks. It also describes protocols such as TCP, UDP, SSL, TLS, and IPsec as well as how HTTPS establishes an encrypted connection.

Information Security

Network Security - II
OCT 07, 2023

Muhammad Wasi
Senior Application Security Analyst, BankIslami – Head Office
MS CYBERSECURITY, NUST UNIVERSITY
What will we be covering?
We will cover:

1. Vulnerabilities and mitigations
2. TCP and UDP – SSL and TLS
3. How HTTPS works
4. IPsec (Internet Protocol Security)
5. Practical session / assignment
1- Vulnerabilities and mitigations
Some common vulnerabilities on the OSI / TCP-IP layers and their mitigations:

Physical Layer
 Vulnerability: Eavesdropping
Mitigation: Use shielded cabling, encryption, and physical security measures to protect network equipment and wiring.

Data Link Layer
 Vulnerability: MAC spoofing
Mitigation: Use MAC filtering, port security, and 802.1X authentication.
Network Layer
 Vulnerability: IP spoofing
Mitigation: Use IPsec and ingress/egress (inbound/outbound) filtering.

 Vulnerability: ARP spoofing
Mitigation: Use static ARP entries and Dynamic ARP Inspection (DAI).

 Vulnerability: Denial-of-service (DoS) attacks
Mitigation: Use traffic filtering, load balancing, and content delivery networks (CDNs).
Transport Layer
 Vulnerability: SYN flood attack
Mitigation: Use SYN rate limiting, SYN cookies, and load balancing.

 Vulnerability: Man-in-the-middle attack
Mitigation: Use encryption, such as TLS or SSL.
Application Layer
 Vulnerability: Cross-site scripting (XSS)
Mitigation: Use input validation, output encoding, and content security policy (CSP).

 Vulnerability: SQL injection
Mitigation: Use prepared statements, parameterized queries, and whitelisting.

 Vulnerability: Cross-site request forgery (CSRF)
Mitigation: Use CSRF tokens and same-origin policy (SOP).
 Cross-site scripting (XSS)
XSS occurs when malicious code is injected into a web page or application. When a user visits the compromised page, the malicious code is executed in their browser. This can allow attackers to steal cookies, session tokens, and other sensitive information.

 Cross-site request forgery (CSRF)
CSRF occurs when an attacker tricks a user into performing an action on a website or application that they did not intend to perform. For example, an attacker could send a malicious link to a user that, when clicked, would automatically log the user into a website and make a purchase.
 SQL injection
SQL injection occurs when an attacker injects malicious SQL code into a web application. When the application executes the malicious code, it can be used to steal data from the database or even take control of the application.

 SYN flood attack
A SYN flood attack is a type of denial-of-service attack. It works by sending a large number of SYN packets to a server. The server then has to allocate resources for each SYN packet, even though most of the handshakes will never be completed. This can eventually overwhelm the server and make it unavailable to legitimate users.
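SYN cookies are the mitigation that removes the resource-allocation problem described above, because the server keeps no per-SYN state at all. The following Python model is added here (it is not from the slides and is simplified relative to the Linux layout): the SYN-ACK sequence number carries an 8-bit time slot and a 24-bit HMAC over the connection 4-tuple, the client's ISN and that slot, and the final ACK is validated by recomputation. The addresses, the secret and the StatelessListener class are constructed for the example.

```python
import hashlib
import hmac

SECRET = b"constructed-per-boot-secret"   # a real kernel draws this randomly at boot
SAMPLE_CLIENT = ("10.0.0.5", 40000)        # constructed (ip, port) pairs
SAMPLE_SERVER = ("10.0.0.1", 443)


def _mac24(src, dst, client_isn: int, slot: int, secret: bytes) -> int:
    """24-bit HMAC over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src[0]}:{src[1]}>{dst[0]}:{dst[1]}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, client_isn: int, now: int, secret: bytes = SECRET) -> int:
    """SYN-ACK sequence number: 8-bit time slot (64 s each) || 24-bit MAC."""
    slot = (now // 64) & 0xFF
    return (slot << 24) | _mac24(src, dst, client_isn, slot, secret)


def check_cookie(src, dst, client_isn: int, ack: int, now: int,
                 secret: bytes = SECRET, max_age: int = 2) -> bool:
    """Validate the final ACK (ack = cookie + 1) by recomputing the MAC.
    Nothing was stored for this client while the handshake was in flight."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot, mac = cookie >> 24, cookie & 0xFFFFFF
    if ((now // 64) - slot) & 0xFF > max_age:      # cookie too old: reject
        return False
    expected = _mac24(src, dst, client_isn, slot, secret)
    return hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big"))


class StatelessListener:
    """A listener in SYN-cookie mode: it has no half-open connection table."""

    def __init__(self, local, secret: bytes = SECRET):
        self.local, self.secret = local, secret
        self.established = []        # only completed handshakes consume memory

    def on_syn(self, src, client_isn: int, now: int) -> int:
        # Answer with a SYN-ACK whose sequence number is the cookie; store nothing.
        return make_cookie(src, self.local, client_isn, now, self.secret)

    def on_ack(self, src, client_isn: int, ack: int, now: int) -> bool:
        if check_cookie(src, self.local, client_isn, ack, now, self.secret):
            self.established.append((src, client_isn))
            return True
        return False


def simulate(n_spoofed: int, now: int = 1_000_000) -> tuple:
    """Model n spoofed SYNs that never complete, then one real handshake.
    Returns (established connections, whether the real handshake was accepted)."""
    srv = StatelessListener(SAMPLE_SERVER)
    for i in range(n_spoofed):                       # constructed spoofed sources
        srv.on_syn((f"198.51.100.{i % 250}", 1024 + i), 0, now)
    cookie = srv.on_syn(SAMPLE_CLIENT, 4242, now)
    accepted = srv.on_ack(SAMPLE_CLIENT, 4242, cookie + 1, now + 1)
    return len(srv.established), accepted


if __name__ == "__main__":
    print(simulate(10_000))    # (1, True): memory grows only for real connections
```

The cost of statelessness is that the options from the original SYN (window scaling, SACK) are lost; production implementations therefore squeeze an MSS index into the cookie and usually switch cookies on only once the backlog is under pressure, which is also why the slides pair them with rate limiting.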
 ARP spoofing
ARP spoofing occurs when an attacker sends forged ARP messages to a network. These messages trick the victim's computer into thinking that the attacker's computer is the gateway. This allows the attacker to intercept traffic between the victim's computer and the gateway.

 IP spoofing
IP spoofing occurs when an attacker sends packets with a forged IP address. This allows the attacker to impersonate another computer on the network. This can be used to launch attacks such as denial-of-service attacks and man-in-the-middle attacks.
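Dynamic ARP Inspection on the switch is the production mitigation for the ARP spoofing case above; the same detection logic can run on a host that simply watches the ARP replies it sees. Added Python example, not from the slides: a monitor that pins the gateway's IP-to-MAC binding, learns the other bindings, and raises an alert when a pinned binding is contradicted, a learned binding changes, or one MAC answers for several IPs. The log lines, addresses and the ArpMonitor class are constructed.

```python
from dataclasses import dataclass

# Constructed sample: ARP replies ("IP X is at MAC Y") recorded on the LAN as
# "timestamp sender_ip sender_mac". Line 3 shows the gateway IP suddenly
# answered by a different MAC; line 4 shows that same MAC also claiming another
# host's IP, the typical shape of an ARP spoofing attempt.
ARP_LOG = [
    "1696680001 192.168.1.1 aa:bb:cc:00:00:01",
    "1696680002 192.168.1.20 aa:bb:cc:00:00:20",
    "1696680005 192.168.1.1 de:ad:be:ef:00:99",
    "1696680006 192.168.1.20 de:ad:be:ef:00:99",
    "1696680009 192.168.1.30 aa:bb:cc:00:00:30",
]

STATIC_ARP = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # the gateway, pinned (constructed)


@dataclass(frozen=True)
class ArpReply:
    ts: int
    ip: str
    mac: str


def parse_arp_line(line: str) -> ArpReply:
    ts, ip, mac = line.split()
    return ArpReply(int(ts), ip, mac.lower())


class ArpMonitor:
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}      # ip -> mac, learned from traffic
        self.by_mac = {}       # mac -> set of IPs it has claimed

    def observe(self, r: ArpReply) -> list:
        """Return alerts as (ts, kind, ip, mac) tuples for one ARP reply."""
        alerts = []
        pinned = self.static.get(r.ip)
        if pinned is not None:
            # Static entries never change; a different MAC is always suspicious.
            if pinned != r.mac:
                alerts.append((r.ts, "STATIC-MISMATCH", r.ip, r.mac))
        else:
            known = self.learned.get(r.ip)
            if known is not None and known != r.mac:
                alerts.append((r.ts, "BINDING-CHANGED", r.ip, r.mac))
            self.learned[r.ip] = r.mac
        claimed = self.by_mac.setdefault(r.mac, set())
        claimed.add(r.ip)
        if len(claimed) > 1:
            alerts.append((r.ts, "MULTI-IP", r.ip, r.mac))
        return alerts


def run_monitor(lines, static=None) -> list:
    """Feed every log line through the monitor and collect the alerts."""
    mon = ArpMonitor(static)
    alerts = []
    for line in lines:
        alerts.extend(mon.observe(parse_arp_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(ARP_LOG, STATIC_ARP):
        print(alert)
```

The MULTI-IP rule will also fire for a router that legitimately holds several addresses, so in practice such hosts go into the static list; the BINDING-CHANGED rule needs a tolerance for DHCP churn on larger networks, which is one reason DAI validates against the DHCP snooping table rather than a learned cache.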
 MAC spoofing
MAC spoofing occurs when an attacker changes the MAC address of their computer. This allows the attacker to impersonate another computer on the network. This can be used to bypass network security measures such as MAC filtering.

 DoS attack
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.

 DDoS attack
A Distributed Denial-of-Service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource.
2- TCP and UDP
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are both protocols of the Transport Layer.

Feature             | TCP                                                                 | UDP
Connection status   | Connection-oriented; requires an established connection to transmit data (the connection should be closed once transmission is complete) | Connectionless; no requirements for opening, maintaining, or terminating a connection
Data sequencing     | Able to sequence                                                    | Unable to sequence
Guaranteed delivery | Can guarantee delivery of data to the destination                   | Cannot guarantee delivery of data to the destination
Speed               | Slower than UDP                                                     | Faster than TCP
Optimal use         | HTTPS, HTTP, SMTP, POP, FTP, etc.                                   | Video conferencing, streaming, DNS, VoIP, etc.
2- SSL and TLS
SSL: Secure Sockets Layer (SSL) is a communication protocol, or set of rules, that creates a secure connection between two devices or applications on a network. It prevents attackers from seeing or stealing any information transferred, including personal or financial data.

TLS: Transport Layer Security (TLS) is an updated, more secure version of SSL.
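A practical check for the "TLS over SSL" point: in Python's ssl module, the weak and the hardened client configurations differ in a handful of settings. Added example, not part of the slides; audit_context is this example's own helper. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all deprecated, so a modern context should insist on TLS 1.2 or later and should always verify the server certificate and host name.

```python
import ssl


def legacy_client_context() -> ssl.SSLContext:
    """Weak configuration, shown for contrast: any certificate is accepted and
    it is never checked against the host name, so an active attacker on the
    path can present their own certificate unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Recommended configuration: system CA store, mandatory certificate and
    host-name verification, and no protocol version below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("legacy:", audit_context(legacy_client_context()))
    print("hardened:", audit_context(hardened_client_context()))   # []
```

The audit function is the kind of check worth running in a test suite over every context an application creates, because the weak settings above are exactly what developers switch on "temporarily" to get past a self-signed certificate in development.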
3- How HTTPS Works?
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). HTTPS transmits encrypted data using Transport Layer Security (TLS).

HTTP transfers data over a TCP/IP connection between client and server. The default port is TCP 80, but other ports can be used. HTTPS uses port 443.

HTTP transfers plain text over the connection, which can be read by anyone who has access to your connection.

For example, if you are exchanging data over shared Wi-Fi, someone can sniff your data using sniffers (a blog on how Wireshark can be used for sniffing data will be added).
How does HTTPS work? It is HTTP over a secure layer, so that no one is able to sniff the data or modify it in the middle (man-in-the-middle attack).

1. During the handshake, the server sends the client an SSL/TLS certificate that contains its asymmetric public key. The matching private key is stored only at the web server's end.

2. The client creates a session key using the negotiated algorithms. This session key is encrypted with the server's public key and then sent to the server.

3. The server uses its asymmetric private key to decrypt the encrypted session key and obtains the session key.

4. The browser now uses the session key to encrypt and decrypt the data for the session. This is known as symmetric encryption. The data is now secured, as the session key is known only to the client and the server.

Once the session expires, the process is repeated from step 1, as the session key is no longer valid.

Hijacking the session key is difficult, because it is valid only for a short period. Symmetric encryption is relatively fast compared to asymmetric encryption, as it involves much less computation.
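The four handshake steps above, carried out end to end in a Python model added here (it is not from the slides). It uses textbook RSA on two known Mersenne primes and a SHAKE-256 keystream as the symmetric cipher; both are toy choices made only so the steps are visible, and the Server and Client classes are constructed. This is the RSA key-transport handshake of TLS 1.2 and earlier, which the slide describes; TLS 1.3 derives the session key from an ephemeral Diffie-Hellman exchange instead, so that a server key stolen later cannot decrypt recorded sessions.

```python
import hashlib
import secrets

# Two Mersenne primes, 2^31-1 and 2^61-1, give a toy modulus of about 92 bits.
# Textbook RSA without padding: fine for illustrating the steps, never for real use.
P, Q = (1 << 31) - 1, (1 << 61) - 1
E = 65537


def rsa_keypair() -> tuple:
    """Return (public, private) as (n, e), (n, d) for the fixed toy primes."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))


def symmetric(key: bytes, data: bytes, label: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHAKE-256 keystream derived from the
    session key and a per-direction label. The same call encrypts and decrypts."""
    pad = hashlib.shake_256(key + label).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


class Server:
    def __init__(self):
        self.pub, self._priv = rsa_keypair()
        self.session_key = None

    def certificate(self) -> tuple:
        # Step 1: the certificate carries the public key; the private key stays here.
        return self.pub

    def receive_session_key(self, ciphertext: int) -> None:
        # Step 3: decrypt the session key with the private key.
        n, d = self._priv
        self.session_key = pow(ciphertext, d, n).to_bytes(8, "big")

    def read(self, ciphertext: bytes) -> bytes:
        # Step 4: symmetric decryption with the shared session key.
        return symmetric(self.session_key, ciphertext, b"client->server")


class Client:
    def __init__(self):
        self.session_key = None

    def start_session(self, server_pub: tuple) -> int:
        # Step 2: generate a session key and encrypt it with the server's public key.
        self.session_key = secrets.token_bytes(8)     # 64-bit toy key, below n
        n, e = server_pub
        return pow(int.from_bytes(self.session_key, "big"), e, n)

    def send(self, message: bytes) -> bytes:
        # Step 4: symmetric encryption with the shared session key.
        return symmetric(self.session_key, message, b"client->server")


def handshake_and_exchange(message: bytes) -> tuple:
    """Run the handshake and one message. Returns (plaintext the server read,
    both sides hold the same key, the bytes on the wire differ from the message)."""
    srv, cli = Server(), Client()
    wire_key = cli.start_session(srv.certificate())   # only the RSA ciphertext crosses the wire
    srv.receive_session_key(wire_key)
    wire_msg = cli.send(message)                      # only symmetric ciphertext crosses the wire
    return srv.read(wire_msg), srv.session_key == cli.session_key, wire_msg != message


if __name__ == "__main__":
    print(handshake_and_exchange(b"GET / HTTP/1.1"))
```

The two things an on-path observer sees are the RSA-encrypted session key and the symmetric ciphertext, neither of which is readable without the server's private key or the session key. What the model deliberately leaves out is certificate validation in step 1: if the client does not check that the certificate is signed by a trusted CA and names the expected host, the same exchange can be completed with an attacker's key pair.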
4- IPsec
IP Security Issues
• Eavesdropping
• Modification of packets in transit
• Identity spoofing (forged source IP addresses)
• Denial of service

Many solutions are application-specific: TLS for Web, S/MIME for email, SSH for remote login.

IPsec aims to provide a framework of open standards for secure communications over IP.
IPsec is a suite of protocols that provides security for IP networks. It can be used to protect data in transit between two hosts, or between two networks. IPsec can be used to encrypt data, authenticate users, and provide traffic integrity. It is specified by the Internet Engineering Task Force (IETF).

Network-layer security protocol:
• Protects IP packets between two hosts or gateways
• IP addresses are used as host identifiers

Two steps:
1. IKE (Internet Key Exchange) performs an authenticated key exchange and creates security associations
2. The ESP session protocol protects the data
IPsec supports two encryption modes:
• Transport mode: Encrypts only the data portion (payload) of each packet, leaving the header untouched.
• Tunnel mode: Encrypts both the header and the payload.

IPsec also provides two choices of security service:
• Authentication Header (AH), which provides authentication of the sender of the data.
• Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of the data.
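The difference between the two modes is easiest to see on the wire. Added Python example, not from the slides: it builds an ESP body as SPI || sequence number || ciphertext || ICV, then protects a constructed packet in transport mode (original addresses kept, only the payload hidden) and in tunnel mode (the whole original packet hidden inside a new gateway-to-gateway packet). The IPPacket class, the toy SHAKE-256 keystream cipher and the keys are constructed; on_path_view returns what an observer without the keys learns, and decapsulation checks the ICV before decrypting, so a tampered packet is dropped.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50     # IP protocol number of ESP (AH is 51)
IPIP_PROTO = 4     # "next header" value for an encapsulated IP packet


@dataclass(frozen=True)
class IPPacket:
    """Constructed stand-in for an IP packet: header fields plus payload."""
    src: str
    dst: str
    proto: int
    payload: bytes


def _encode(pkt: IPPacket) -> bytes:
    header = f"{pkt.src},{pkt.dst},{pkt.proto}".encode()
    return struct.pack("!H", len(header)) + header + pkt.payload


def _decode(raw: bytes) -> IPPacket:
    (hlen,) = struct.unpack("!H", raw[:2])
    src, dst, proto = raw[2:2 + hlen].decode().split(",")
    return IPPacket(src, dst, int(proto), raw[2 + hlen:])


def _toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHAKE-256 keystream (toy stand-in for AES-GCM); same call both ways."""
    pad = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def esp_encapsulate(plain: bytes, next_header: int, spi: int, seq: int,
                    enc_key: bytes, auth_key: bytes) -> bytes:
    """ESP body: SPI || seq || ciphertext(plain || next-header trailer) || ICV.
    The ICV (truncated HMAC) covers SPI, sequence number and ciphertext."""
    hdr = struct.pack("!II", spi, seq)
    ct = _toy_cipher(enc_key, hdr, plain + bytes([next_header]))
    icv = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    return hdr + ct + icv


def esp_decapsulate(body: bytes, enc_key: bytes, auth_key: bytes) -> tuple:
    """Verify the ICV first, then decrypt. Returns (spi, seq, next_header, plaintext)."""
    hdr, ct, icv = body[:8], body[8:-16], body[-16:]
    expected = hmac.new(auth_key, hdr + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed, packet dropped")
    spi, seq = struct.unpack("!II", hdr)
    data = _toy_cipher(enc_key, hdr, ct)
    return spi, seq, data[-1], data[:-1]


def transport_mode(pkt, spi, seq, enc_key, auth_key) -> IPPacket:
    """Transport mode: the original IP header stays, only the payload is protected."""
    body = esp_encapsulate(pkt.payload, pkt.proto, spi, seq, enc_key, auth_key)
    return IPPacket(pkt.src, pkt.dst, ESP_PROTO, body)


def tunnel_mode(pkt, gw_src, gw_dst, spi, seq, enc_key, auth_key) -> IPPacket:
    """Tunnel mode: the whole original packet becomes the payload of a new packet
    addressed between the two gateways."""
    body = esp_encapsulate(_encode(pkt), IPIP_PROTO, spi, seq, enc_key, auth_key)
    return IPPacket(gw_src, gw_dst, ESP_PROTO, body)


def on_path_view(pkt: IPPacket) -> tuple:
    """What an observer without the keys learns from the outer header."""
    return pkt.src, pkt.dst, pkt.proto


def transport_decapsulate(pkt, enc_key, auth_key) -> IPPacket:
    _, _, proto, plain = esp_decapsulate(pkt.payload, enc_key, auth_key)
    return IPPacket(pkt.src, pkt.dst, proto, plain)


def tunnel_decapsulate(pkt, enc_key, auth_key) -> IPPacket:
    _, _, _, inner = esp_decapsulate(pkt.payload, enc_key, auth_key)
    return _decode(inner)


def demo() -> dict:
    """Protect one constructed packet both ways and report what is visible,
    whether each round trip restores the packet, and whether tampering is caught."""
    ek, ak = b"E" * 16, b"A" * 16          # constructed SA keys (IKE would derive these)
    inner = IPPacket("10.1.1.5", "10.2.2.9", 6, b"GET / HTTP/1.1")
    t = transport_mode(inner, 0x1000, 1, ek, ak)
    u = tunnel_mode(inner, "203.0.113.1", "198.51.100.1", 0x2000, 1, ek, ak)
    tampered = IPPacket(u.src, u.dst, u.proto, u.payload[:-1] + bytes([u.payload[-1] ^ 1]))
    try:
        tunnel_decapsulate(tampered, ek, ak)
        dropped = False
    except ValueError:
        dropped = True
    return {
        "transport_seen": on_path_view(t),
        "tunnel_seen": on_path_view(u),
        "transport_ok": transport_decapsulate(t, ek, ak) == inner,
        "tunnel_ok": tunnel_decapsulate(u, ek, ak) == inner,
        "tamper_dropped": dropped,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In transport mode the observer still sees the real endpoints 10.1.1.5 and 10.2.2.9, which is why it is used host-to-host; in tunnel mode only the two gateway addresses are visible, which is why it is the mode for site-to-site VPNs. Verifying the ICV before decrypting is not a detail: it is what lets an endpoint discard forged or modified packets without ever acting on their contents.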
5- Practical Session / Assignment

OpenSSL
• Certification Authority
• Self-signed certificate
- Set up a website and create and assign a self-signed certificate