Lecture 05

Network Security

ECEG 4192 1
 Introduction
• Today's Internet is primarily comprised of :
– Public
– Un-trusted
– Unreliable IP networks
• Internetwork Protocol (IP)
– Aim
• provide interconnection across different networks
– IP is an unreliable protocol
• IP datagrams may be lost
• IP datagrams may arrive out of order
• TCP takes care of those problems
ECEG 4192 2
Internetwork Protocol (IP)

ECEG 4192 3
 Internet threats
• Some of the common attacks
• Data integrity
– The contents of a packet can be accidentally or
deliberately modified.
• Spoofing
– The source of an IP packet can be forged.
• Loss of privacy
– The contents of a packet can be examined in transit.

ECEG 4192 4
 Is IP secure?
• Content (Payload) is not encrypted
– confidentiality is not provided
– IP sniffers are available on the net
• IP addresses may be spoofed
– authentication based on IP addresses can be broken
• So IP is not secure!
• Because of this inherent lack of security, the
Internet is subject to various types of threats

ECEG 4192 5
 Where to provide security?
• Application-layer?
– The Internet community has developed application-
specific security mechanisms in a number of application
areas, including electronic mail (S/MIME, PGP),
client/server (Kerberos), SSH (secured telnet), etc.
– Implemented in end hosts
• Transport level?
– SSL / TLS (e.g for web access)
– between TCP and Application
– implemented in end-hosts
• Disadvantage: protocol specific
ECEG 4192 6
 Cont’d
• However users have some security concerns that
cut across protocol layers.
• By implementing security at the IP level:
– we can ensure secure networking for all applications
including security-ignorant applications
• We would like security implemented by the
network for all applications
– IP level: IP Security
– Implemented at end-hosts and routers/firewalls

ECEG 4192 7
IP Security (IPSec)

ECEG 4192 8
 Introduction
• IPSec is a framework of open standards developed
by the Internet Engineering Task Force (IETF).

• Creates secure, authenticated, reliable

communications over IP networks

• Provides seamless security to applications and

upper-layer protocols

ECEG 4192 9
 Cont’d
• IP-level security encompasses three functional areas:
– authentication, confidentiality, and key management.
• In 1994, the Internet Architecture Board (IAB) issued a
report titled "Security in the Internet Architecture"
• To provide security, the IAB included authentication and
encryption as necessary security features in the next-
generation IP, which has been issued as IPv6.
• Fortunately, these security capabilities were designed to
be usable both with the current IPv4 and the future IPv6
• IPSec support is mandatory for IPv6 products, optional
for v4
– many manufacturers support IPSec in their v4 products
ECEG 4192 10
 IP security services
• Connectionless integrity
– Assurance that received traffic has not been modified.
• Data origin authentication
– Assurance that traffic is sent by legitimate party or parties.

• Confidentiality (encryption)
– Assurance that user’s traffic is not examined by non-authorized
parties.
• Access control
– Prevention of unauthorized use of a resource.

ECEG 4192 11
 Applications of IPSec
• IPsec provides the capability to secure
communications across a LAN, across private and
public WANs, and across the Internet
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet, etc
• The principal feature of IPsec that enables it to
support varied applications is that it can encrypt
and/or authenticate all traffic at the IP level.
• Thus, all distributed applications (including remote
logon, client/server, e-mail, file transfer, Web access,
and so on) can be secured
ECEG 4192 12
Example of IPSec

ECEG 4192 13
 Benefits of IPSec
• Some of the benefits of IPSec include:
• When implemented in a firewall or router, it provides strong
security that can be applied to all traffic crossing the perimeter.
• IPSec is below the transport layer (TCP, UDP) and so is transparent
to applications.
• There is no need to change software on a user or server system
when IPsec is implemented in the firewall or router. Even if IPsec is
implemented in end systems, upper-layer software, including
applications, is not affected.
• can be transparent to end users. There is no need to train users on
security mechanisms, issue keying material on a per-user basis, or
revoke keying material when users leave the organization.

ECEG 4192 14
 IPSec Architecture
• Specification is quite complex, with groups:
– Architecture: covers security requirements, definitions and
mechanisms defining IPSec technology
• RFC4301 Security Architecture for Internet Protocol
– Authentication Header (AH): provides message authentication
• RFC4302 IP Authentication Header
– Encapsulating Security Payload (ESP): encapsulating header
and trailer to provide encryption or encryption+authentication
• RFC4303 IP Encapsulating Security Payload (ESP)
– Internet Key Exchange (IKE): key management in IPSec
• RFC4306 Internet Key Exchange (IKEv2) Protocol
– Cryptographic algorithms: describe cryptographic algorithms
for encryption, message authentication, key exchange
ECEG 4192 15
 IPSec protocols
• Authentication Header (AH)
– defines the authentication protocol
– no encryption
– Since ESP covers authentication, it is not
recommended anymore
• Encapsulating Security Payload (ESP)
– provides encryption
– optionally authentication

ECEG 4192 16
 IP Security modes of operation
• Both AH and ESP support two modes of use: transport and tunnel
mode.
• Transport mode provides protection primarily for upper-layer
protocols.
• Transport mode is used to encrypt and/or authenticate the data
carried by IP.
• Typically, transport mode is used for end-to-end communication
between two hosts (e.g., a client and a server, or two
workstations).
• When a host runs AH or ESP over IPv4, the payload is the data
that normally follow the IP header.
• For IPv6, the payload is the data that normally follow both the IP
header and any IPv6 extensions headers that are present.

ECEG 4192 17
 Transport Mode
• Transport Mode
– to encrypt & optionally
authenticate IP data
– good for host to host
traffic

ECEG 4192 18
 Tunnel mode
• Tunnel mode ESP is used to encrypt an entire IP packet. To
achieve this, after the AH or ESP fields are added to the IP
packet, the entire packet plus security fields is treated as the
payload of new "outer" IP packet with a new outer IP header.
• The entire original, or inner, packet travels through a "tunnel"
from one point of an IP network to another; no routers along the
way are able to examine the inner IP header.
• Tunnel mode is useful in a configuration that includes a firewall
or other sort of security gateway that protects a trusted network
from external networks.
• In this case, encryption occurs only between an external host
and the security gateway or between two security gateways.
• With tunnel mode, a number of hosts on networks behind
firewalls may engage in secure communications without
implementing IPsec.

ECEG 4192 19
 Cont’d
• Tunnel Mode
– encrypts entire IP
packet
– add new header
for next hop
– no routers on
way can examine
inner IP header
– good for VPNs,
gateway to
gateway security

ECEG 4192 20
 Cont’d
• Transport Mode: protect the upper layer protocols

Original IP IP TCP Data

Datagram Header Header

Transport Mode IP IPSec TCP Data

protected packet Header Header Header

protected
• Tunnel Mode: protect the entire IP payload

Tunnel Mode New IP IPSec Original IP TCP Data

protected packet Header Header Header Header

protected

ECEG 4192 21
 Example of tunnel-mode

Encrypted Tunnel

Gateway 1 Gateway 2

Encrypted
A B

New IP AH or ESP Orig IP TCP Data

Header Header Header

ECEG 4192 22
 Authentication Header (AH)
• Provides support for data integrity and authentication of
IP packets
– malicious modifications are detected (data integrity)
– address spoofing is prevented (authentication )
• Authentication is based on use of a MAC (Message
Authentication Code) and two parties must share a
secret key
– AH supports MACs using HMAC-MD5-96 or HMAC-SHA-1-96

ECEG 4192 23
• Next Header:
AH format
specifies next
header or upper
layer protocol
• Payload length:
specifies length of
the AH in 32-bit
words
• SPI: to identify SA
• Sequence number:
• Authentication data: MAC value
used for replay
(variable length)
control • must be an integral number of 32-bit
• E.g. Detection of words
duplicate packets
or out of order
ECEG 4192 24
arrival
 Encapsulating Security Payload (ESP)
• Provides
– message content confidentiality
• via encryption
– optionally authentication services as in AH
• via MAC (HMAC)
• ESP can work with a variety of encryption and
authentication algorithms
• Supports range of ciphers
– DES, Triple-DES, RC5 etc.

ECEG 4192 25
ESP Format

ECEG 4192 26
 Cont’d
• Security Parameters Index (32 bits): Identifies a security
association
• Sequence Number (32 bits): A monotonically increasing counter
value;
• Payload Data (variable): This is a transport-level segment
(transport mode) or IP packet (tunnel mode) that is protected by
encryption
• Padding (0–255 bytes): for various reasons (E.g. to fill block size)
• Pad Length (8 bits): Indicates the number of pad bytes
immediately preceding this field
• Next Header (8 bits): Identifies the type of data contained in the
payload data field by identifying the first header in that payload
• Authentication Data (variable): A variable-length field that
contains the Integrity Check Value computed over the ESP packet
ECEG 4192 27
 Transport mode ESP
Upper layer data is
protected but IP
header left in clear

ECEG 4192 28
Tunnel mode ESP

ECEG 4192 29
 Internet Key Exchange (IKE)
• The key management portion of IPSec involves the determination
and distribution of secret keys.
• The IPSec Architecture document mandates support for two types
of key management:
– Manual where a system administrator manually configures each system
with its own keys and with the keys of other communicating
– Automated where an automated system enables the on-
demand creation of keys for SAs and facilitates the use of keys
in a large distributed system with an evolving configuration
• The default automated key management protocol for IPSec is
referred to as ISAKMP/Oakley.
– Oakley is a key exchange protocol
– Internet Security Association and Key Management Protocol
(ISAKMP) provides framework for key management
• Defines procedures and packet formats
ECEG 4192 30
Introduction to Firewalls

ECEG 4192 31
 What is a firewall?
• Conventional def: a firewall is a partition made of
fireproof material designed to prevent the spread of
fire from one part of a building to another.
• In computer network:
– A firewall is a system of hardware and software components
that enforces an access control policy between two or more
networks.

• The firewall is part of an overall security policy that

creates a perimeter defense designed to protect the
information resources of the organization.

ECEG 4192 32
 Cont’d
• Some of the criteria of a firewall include:
– The firewall is at the boundary between the two networks
– All traffic between the two networks must pass through the
firewall
– The firewall has a mechanism to allow some traffic to pass
while blocking other traffic

• Additional desirable criteria include:

– Resistance to security compromise
– Auditing and accounting capabilities
– Resource monitoring
ECEG 4192 33
 Mode of operation
• A firewall that stands in between two networks
will inspect a packet that is ready to pass
between the networks and allow or block the
packet based on the rules set for the firewall to
operate

• Firewall, most of the time, sits between trusted

(internal network) and untrusted (external
network)

ECEG 4192 34
 General model of firewall use on the
security perimeter

• General model of firewall use on the security perimeter, as a

choke point for traffic between the external less-trusted Internet
and the internal more trusted private network.

ECEG 4192 35
 Classes of firewall
• All firewalls fall within three classes
• Appliance-based firewalls: are hardware platforms
that are specifically designed as dedicated firewalls
– E.g: Cisco ASA
• Server-based firewalls: consist of firewall
applications that run on operating systems such as
Linux, Windows etc
– E.g: Iptables of Linux
• Integrated firewalls: are implemented by adding
firewall functionality to an existing device
– E.g: routers that support firewall service
ECEG 4192 36
 Firewall Limitations
• Cannot protect from attacks bypassing it
– eg trusted organisations, trusted services (eg SSH)
• Cannot protect against internal threats
– eg employee who cooperates with an attacker
• Cannot protect against access via WLAN
– An improperly secured wireless LAN may be accessed from
outside the organization
• Cannot protect against malware imported via laptop,
PDA, storage infected outside a corporate network

ECEG 4192 37
 Types of firewalls
• Common types of firewalls: packet filters, Stateful
Inspection Firewalls, application-level gateways, & circuit-
level gateways.
1. Packet filtering firewall:
– A packet-filtering firewall applies a set of rules to each incoming
and outgoing IP packet to forward or discard the packet.
– Filtering rules are based on information contained in a network
packet such as src & dest IP addresses, transport protocol and
ports.
– If there is no match to any rule, then one of two default policies
are applied:
• Discard: That which is not expressly permitted is prohibited.
Initially everything is blocked.
• Forward: That which is not expressly prohibited is permitted.
Default action is forwardECEG
packet.
4192 38
 Packet filtering firewalls …
• The packet filter firewall utilizes
information from the transport,
network & data link layers to
make decisions
• Advantage:
– Simplicity, fast
• Limitation:
– Because these do not
examine upper-layer data,
they cannot prevent attacks
that employ application-
specific vulnerabilities
– logging functionality present
in packet filter firewalls is
limited (only src/dst address,
traffic type)
– Lack advanced user
authentication ECEG 4192 39
Packet filtering example

ECEG 4192 40
 2. Stateful Inspection Firewalls
• A traditional packet filter makes filtering decisions on an individual packet
basis
– does not take into consideration any higher layer context.
• Stateful firewall keeps track of each established flows and all the packets
that belong to an existing flow
– To do this, the firewall keeps a cache (State table) for each open flow.
– When the first packet of a new flow is seen by the firewall , the firewall
matches it against the rule-base.
– If there is a rule that allows the packet to cross , the firewall inserts a
new entry into the cache.
– This entry includes both end points’ IP addresses , and both port
numbers .
– When a subsequent packet reaches the firewall, the firewall checks
whether an entry for the flow already exists in the cache.
– If the flow is listed in the cache – the packet is allowed through
immediately.
– If no such flow exists , then the packet is matched against the rule-
based, and is handled accordingly .
ECEG 4192 41
 Cont’d

Stateful inspection firewall State table (cache of flows)

• Most firewalls nowadays are stateful.

ECEG 4192 42
Stateful Inspection example

ECEG 4192 43
 3. Application-Level Gateway
• Also called an application proxy, acts as a relay of application-level
traffic
• The user contacts the gateway using a TCP/IP application and the
gateway
• When the user is authenticated, the gateway contacts the
application on the remote host and relays TCP segments
containing the application data between the two endpoints
• More secured than packet filtering but has processing overhead

• Firewall runs set of proxy programs

• Proxies filter incoming, outgoing
packets
• All network traffic directed to firewall
• Does not allow end-to-end connection
(through relay)
ECEG 4192 44
 4. Circuit-Level Gateway
• Also called circuit-level proxy
• Does not permit an end-to-end TCP connection;
– rather, the gateway sets up two TCP connections, one between
itself and a TCP user on an inner host and one between itself
and a TCP user on an outside host.

ECEG 4192 45
 Firewall location/topology
Single bastion inline: A single firewall device between an internal and external ntk
• For small to medium-sized organizations.

Single bastion T: Similar to single bastion inline but has a third network interface
on bastion to a DMZ where externally visible servers are placed.
• For medium to large-sized organizations

• DMZ Networks: (Demilitarized Zone)

– has systems that are externally
accessible but need some protections
– Neither part of the internal network
nor part of the Internet

46
ECEG 4192
 Cont’d
Double bastion inline: DMZ is sandwiched between firewalls.
• Common for large businesses and government organizations.

47
ECEG 4192
 Cont’d
Example of
distributed firewall
• Is used by some large
businesses and
government
organizations.

ECEG 4192 48
 Implementing Packet Filtering Firewall using
Access Control List (ACL)
 filters network traffic by controlling whether packets are
forwarded or blocked at the router’s interface
 List of permit and deny statements
 Used for:
 Access control
 Filtering traffic
 Rules:
 List is read from top to bottom and stops at the first match
 Implicit deny at the bottom
 Applied to an interface inbound or outbound

49
 ACL (cont’d)
Increase network performance
Provides security
which traffic is blocked
which traffic is forwarded

Uses src/dst addresses, protocol types (TCP,

UDP or IP), port numbers to classify network
traffic

50
 Types
Standard ACL:
Matches based on source address
Lower processor utilization
Extended ACL:
Matches based source/destination address,
protocol, source/destination port numbers
Higher processor utilization
Relatively complex syntax

51
 Configuration
Create the ACL
Apply to an interface
inbound or outbound
Verify configuration
Use show access-lists

52
 Configuration (cont’d)
Configuring standard access list
Router(config)#access-list <1-99>
<permit/deny> <src address> <wild card>
E.g:
 R1(config)#access-list 1 permit 192.168.1.0 0.0.0.255
 Access list 1 when applied will allow the network 192.168.1.0/24
 R1(config)#access-list 1 deny host 192.168.1.1
 Will deny only 192.168.1.1 ip address
 R1(config)#access-list 1 deny any
Will deny any network

53
 Configuration (cont’d)
 Configuring Extended access control list
access-list <100-199> <permit|deny>
<protocol> <source-address> <source-
wildcard-mask> <destination-address>
<destination-wildcard-mask> <eq | lt| gt>
<port-number>
 E.g.
 access-list 101 permit ip 192.168.10.0 0.0.0.255 67.10.10.5 0.0.0.0
 Permits all ip connections from 192.168.10.0 network to a host 67.10.10.5
 access-list 101 deny tcp 192.168.10.10 0.0.0.0 67.10.10.5 0.0.0.0 eq
80
 Denies web access from host 192.168.10.10 to web server of 67.10.10.5

54
 Applying ACL
 Apply the ACL to an interface either inbound or
outbound
 Use
ip access-group <acl-number> <in | out>
 E.g.
 int fa 0/0
 Ip access-group 1 in applies acl number 1 on
fa0/0 for inbound traffic

 int fa 0/1
 Ip access-group 1 out applies acl 1 on fa 0/1 for
out bound traffic
55