Chapter 4 Network Security
Network Security
1
Outline
2
Security - The Big Picture
[Figure: enterprise network with remote users and telecommuters (PSTN, Internet VPN, commercial ISP), local users, web server, mail server, extranet, intranet and network management system, annotated with the controls at each point: remote connection server authentication, firewall, SSL encryption, PKI authentication (non-repudiation of transactions), anti-virus software, URL filtering, e-mail scan, vulnerability scan, intrusion detection and risk assessment]
4
OSI Model
• Application: Allows access to network resources
• Presentation: Translates, encrypts and compresses data
• Session: Establishes, manages and terminates sessions
• Transport: Provides end-to-end message delivery & error recovery
• Network: Moves packets from source to destination; provides internetworking
• Data Link: Organizes bits into frames; provides node-to-node delivery
• Physical: Transmits bits; provides mechanical and electrical specifications
5
OSI Model…
[Figure: the OSI layers on a client, two intermediate nodes and a server, joined at the physical layer]
6
TCP/IP and OSI Model cont’d
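OSI layer(s): TCP/IP protocols; data unit
• Application, Presentation, Session: Applications; Message
• Transport: TCP, UDP; Segment
• Network: IP; Datagram
• Data Link: Protocols defined by the underlying networks; Frame
• Physical: Protocols defined by the underlying networks; Bits
7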
TCP/IP and Addressing
[Figure: addressing at each layer: application layer (processes); transport layer (TCP, UDP; port address); data link and physical layers (underlying physical networks; physical (MAC) address)]
8
Network Security
TCP/IP Layering
• application: HTTP, FTP, DNS, SMTP, SNMP, …
• transport: TCP, UDP
• network: ICMP, IP, IGMP
• link: hardware interface, ARP, RARP
9
• The next slides show some attacks at each layer of the TCP/IP
stack
13
Network Security/ Types of Attacks
14
Smurf : Denial of Service
• ICMP echo (spoofed source address of victim), sent to IP broadcast address
• ICMP echo reply
[Figure labels: Perpetrator, Internet, Victim]
16
Network Security/Protocols and vulnerabilities
Network Layer: IPv4 Header
17
Network Security/Protocols and vulnerabilities
• Network Layer: IPv6 Header …
18
Network Layer: IP security (IPSec)
KEY POINTS
• IP security (IPSec) is a capability that can be added to Internet
Protocol (IPv4 or IPv6), by means of additional headers.
• IPSec encompasses three functional areas: authentication,
confidentiality, and key management.
• Authentication makes use of hash algorithms (SHA, MD5, MAC)
• Authentication can be applied to:
– the entire original IP packet (tunnel mode) or
– all of the packet except for the IP header (transport mode).
• Confidentiality is provided by an encryption format known as
encapsulating security payload.
• Both tunnel and transport modes can be accommodated.
• IPSec defines a number of techniques for key management.
19
Network Layer: IP security (IPSec)
• The Internet community has developed application-specific security
mechanisms in a number of application areas, including:
– Electronic mail (S/MIME, PGP),
– client/server (Kerberos),
– Web access (Secure Sockets Layer), and others.
• However, users have some security concerns that cut across protocol
layers.
• For example, an enterprise can run a secure, private TCP/IP network by:
– disallowing links to untrusted sites,
– encrypting packets that leave the organization, and
– authenticating packets that enter the organization.
20
Network Layer: IP security (IPSec)
• IP-level security encompasses three functional areas:
authentication, confidentiality, and key management.
21
Network Layer: IP security (IPSec)
22
Network Layer: IP security (IPSec)
• IPSec is a protocol suite for securing IP communications
by authenticating and encrypting each IP packet of a
communication session.
• Applications of IPSec:
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing intranet connectivity with partners
– Enhancing electronic commerce security
• The principal feature of IPSec that enables it to support these
varied applications is that it can encrypt and/or authenticate all
traffic at the IP level.
• Thus, all distributed applications, including remote logon,
client/server, e-mail, file transfer, Web access, and so on, can
be secured.
23
Network Layer: IP security (IPSec)
Benefits of IPSec
• When IPSec is implemented in a firewall or router, it
provides strong security that can be applied to all traffic
crossing the border.
• Traffic within a company or workgroup does not incur the
overhead of security-related processing.
25
Network Layer: IP security (IPSec)
Benefits of IPSec (Routing application)
• In routing applications, IPSec can assure that:
– A router advertisement (a new router advertises its presence)
comes from an authorized router.
– A neighbor advertisement comes from an authorized router.
– A redirect message comes from the router to which the initial
packet was sent.
– A routing update is not forged.
• Without such security measures, an opponent can disrupt
communications or divert some traffic.
• Routing protocols such as BGP/OSPF should be run on top of
security associations between routers that are defined by
IPSec.
26
Network Layer: IP security (IPSec) scenario
27
IPSec Documents
• RFC 2401: An overview of a security architecture
28
IPSec - Security Associations (SA)
• An SA is a one-way relationship between a sender and a
receiver that provides security services (authentication and
confidentiality).
29
Network Layer: IP security (IPSec) Services
• Connectionless integrity
- Ensuring the data has not been read/modified en route.
• Confidentiality (encryption)
- Encryption of user data for privacy
• Access control
- Gives access privileges to end users (done by Admin)
30
IPSec - Security Associations (SA)
Both AH and ESP support two modes of use:
• Transport Mode:
– The protocol protects the message passed down to IP from the transport
layer.
– The message is processed by AH/ESP and appropriate headers are added in
front of the transport header.
– The IP header is then added in front of that by IP.
• Tunnel Mode:
– IPsec is used to protect a complete encapsulated IP datagram after the IP
header has already been applied to it.
– The IPsec header appears in front of the original IP header and then a new
IP header is added in front of the IPsec header.
31
IPSec - Security Associations (SA)
32
Transport and Tunnel Modes for AH
• The figure shows two ways in which the IPSec authentication service can be used for AH:
– In one case, authentication is provided directly between a server and client workstations. This uses
transport mode.
– In the other case, a remote workstation authenticates itself to the corporate firewall, for access to
the entire internal network. This uses tunnel mode.
33
Network Layer: IPSec AH Authentication
(a) Before AH
34
Network Layer: IPSec AH Authentication…
• For transport mode AH using IPv4, the AH is inserted after the original IP
header and before the IP payload (e.g., a TCP segment).
• Authentication covers the entire packet, excluding mutable fields in the IPv4
header.
Therefore, the AH appears after the IPv6 base header and the hop-by-hop,
routing, and fragment extension headers.
35
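The rule that transport mode AH authenticates the whole packet except the mutable IPv4 header fields, as an added example that is not part of the original slides: a simplified AH using HMAC-SHA-256 truncated to 128 bits. The key, addresses, SPI and function names are constructed for illustration; the header checksum is left at zero and no anti-replay check is included.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-sa-key"   # constructed key; a real SA key comes from key management
ICV_LEN = 16                       # HMAC-SHA-256 truncated to 128 bits

def ipv4_header(src, dst, ttl, body_len):
    """20-byte IPv4 header carrying AH (protocol 51); checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0x1234, 0,
                       ttl, 51, 0, bytes(src), bytes(dst))

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields routers may change, so they are excluded from the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS (DSCP/ECN)
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)

def icv(ip_hdr, ah_fixed, payload):
    """ICV over header (mutable fields zeroed), AH with zeroed ICV field, and payload."""
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(src, dst, ttl, payload, spi, seq):
    """Transport mode: IP header, then AH, then the transport payload (next header 6 = TCP)."""
    ah_fixed = struct.pack("!BBHII", 6, 5, 0, spi, seq)   # length field: 28/4 - 2 = 5
    ip_hdr = ipv4_header(src, dst, ttl, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + icv(ip_hdr, ah_fixed, payload) + payload

def ah_verify(packet):
    """Recompute the ICV on receipt and compare in constant time."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    received, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(received, icv(ip_hdr, ah_fixed, payload))

def demo():
    pkt = ah_protect([10, 0, 0, 1], [10, 0, 0, 2], 64, b"constructed TCP segment", 0x1001, 1)
    routed = bytearray(pkt); routed[8] -= 1                            # router decrements TTL
    spoofed = bytearray(pkt); spoofed[12:16] = bytes([10, 0, 0, 99])   # source address changed
    altered = bytearray(pkt); altered[-1] ^= 0x01                      # payload bit flipped
    return tuple(ah_verify(bytes(p)) for p in (pkt, routed, spoofed, altered))

if __name__ == "__main__":
    print(demo())
```

The TTL change still verifies because TTL is zeroed before the ICV is computed, while a changed source address or payload does not.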
Network Layer: IPSec AH Authentication…
• For tunnel mode AH, the entire original IP packet is authenticated, and the AH is
inserted between the original IP header and a new outer IP header.
• The inner IP header carries the ultimate source and destination addresses, while
an outer IP header may contain different IP addresses (e.g., addresses of firewalls
or other security gateways).
If authentication is selected, the ESP Authentication Data field is added after the
ESP trailer.
Transport mode
In the context of IPv6, ESP is viewed as an end-to-end payload; that is, it is not
examined or processed by intermediate routers.
Therefore, the ESP header appears after the IPv6 base header and the hop-by-
hop, routing, and fragment extension headers.
37
IPSec ESP Encryption and Authentication
• Tunnel mode ESP is used to encrypt an entire IP packet.
• The ESP header is prefixed to the packet, and then the packet plus the ESP trailer is
encrypted. This method can be used to counter traffic analysis.
38
IPSec Implementation
• The IPSec Architecture document lists four examples of
combinations of SAs that must be supported by:
– IPSec hosts (e.g., workstation, server) or
– security gateways (e.g. firewall, router)
39
Network Layer SA: End system implementation (host side)
• Case 4 provides:
– support for a remote host that uses the Internet to reach an organization's firewall and
– then to gain access to some server/workstation behind the firewall.
43
* Implements IPSec
• Three different architectures are defined for placing IPsec into the
TCP/IP protocol stack:
– Integrated architecture: IPsec's protocols and capabilities are
integrated directly into the TCP/IP protocol stack.
44
IPsec Architecture
IPSec Bump in the stack
45
IPsec Architecture
IPSec Bump in the wire
46
IPSec Encryption and Authentication
Summary
• IPSec provides authentication, confidentiality, and key
management at the level of IP packets.
47
IPSec Encryption and Authentication
Summary…
• IPSec is a specification for the IP-level security features that are built
into the IPv6 internet protocol.
- These security features can also be used with the IPv4 internet protocol.
48
TCP Connection Management
Recall: TCP sender, receiver establish “connection” before
exchanging data segments
• initialize TCP variables:
– seq. #s
– buffers, flow control info (e.g. RcvWindow)
• client: connection initiator
Socket clientSocket = new Socket("hostname", portNumber);
Three way handshake:
Step 1: client host sends TCP SYN segment to server
• specifies initial seq #
• no data
Step 2: server host receives SYN, replies with SYNACK segment
49
TCP Three phase handshaking: connection
establishment
client server
50
TCP Connection Management (cont.)
clientSocket.close();
Step 1: client sends TCP FIN control segment to server
with ACK. Closes connection, sends FIN.
[Figure labels: close, FIN, ACK, timed wait, closed]
51
TCP Connection Management (cont.)
closed
52
Network Security/Protocols and vulnerabilities
Transport Layer attacks
53
Network Security/Protocols and vulnerabilities
Transport Layer : TCP SYNC attack
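3 way handshake (ISN – Initial Sequence Number)
client → server: SYN = ISNC
server → client: SYN = ISNS, ACK(ISNC)
client → server: ACK(ISNS)
client ↔ server: data transfer
[Figure participants: attacker, server, trusted host (T)]
attacker → server: SYN = ISNX, SRC_IP = T
attacker → server: ACK(ISNS), SRC_IP = T
attacker → server: SRC_IP = T, nasty_data
54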
Network Security/Protocols and vulnerabilities
Transport Layer :
• TCP sequence number attack: Each time a TCP message is
sent, the sender generates a 32 bit sequence number.
• The attacker intercepts and responds with a sequence number
similar to the one used in the original session.
• This means, the attacker hijacks the session and gains access;
hence this type of attack is also called TCP session hijacking.
• Attacker can insert malicious data into the TCP stream, and the
recipient will believe it came from the original source
• Ex. Instead of downloading and running a new program, you download a
virus and execute it.
• Some programs, e.g. Wireshark, allow TCP sequence numbers to be
viewed.
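A monitoring-side check for the inserted data described above, as an added example that is not part of the original slides: it tracks the bytes seen at each sequence offset of one flow direction and flags a segment that reuses a sequence range with different content. The class and function names, the ISN and the sample segments are constructed for illustration.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

class FlowMonitor:
    """Remembers the bytes seen at each sequence offset for one direction of a flow."""

    def __init__(self, isn):
        self.isn = isn    # initial sequence number observed in the SYN
        self.seen = {}    # offset from first data byte -> byte value observed

    def observe(self, seq, payload):
        """Classify one segment as 'no-data', 'new', 'retransmit' or 'conflict'."""
        if not payload:
            return "no-data"
        # The first data byte has sequence number ISN + 1; modulo handles wraparound.
        start = (seq - self.isn - 1) % MOD
        any_new = conflict = False
        for i, value in enumerate(payload):
            old = self.seen.get(start + i)
            if old is None:
                self.seen[start + i] = value
                any_new = True
            elif old != value:
                conflict = True   # same sequence space, different bytes
        if conflict:
            return "conflict"
        return "new" if any_new else "retransmit"

# Constructed capture: (sequence number, payload) for the Alice -> Bob direction.
ISN = 0xFFFFFFF0
SEGMENTS = [
    (0xFFFFFFF1, b"GET /update.bin "),   # 16 bytes, crosses the 2**32 wrap
    (0x00000001, b"HTTP/1.1\r\n"),
    (0x00000001, b"HTTP/1.1\r\n"),       # ordinary retransmission
    (0x00000001, b"HTTP/1.0\r\n"),       # same sequence range, altered content
]

def classify(segments=SEGMENTS, isn=ISN):
    """Run every segment through one monitor and return the verdicts in order."""
    monitor = FlowMonitor(isn)
    return [monitor.observe(seq, data) for seq, data in segments]

if __name__ == "__main__":
    print(classify())
```

The check only fires when the sensor sees both copies of a sequence range. When the original segments never reach it, per-packet authentication such as IPSec is what rejects forged data.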
55
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Say hello to Alice, Bob and Mr. Big Ears
56
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Alice and Bob have an established TCP
connection
57
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Mr. Big Ears lies on the path between Alice and
Bob on the network
– He can intercept all of their packets
58
Network Security/Protocols and vulnerabilities
TCP Attacks…
• First, Mr. Big Ears must drop all of Alice’s
packets since they must not be delivered to Bob
[Figure: Alice's packets are diverted to "The Void"]
59
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Then, Mr. Big Ears sends his malicious packet
with the next ISN (sniffed from the network)
[Figure: packet labelled "ISN, SRC=Alice"]
60
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Why are these types of TCP attacks so dangerous?
• Malicious user can send a virus to the trusting web client,
instead of the program they thought they were downloading.
[Figure label: Malicious user]
61
Network Security/Protocols and vulnerabilities
TCP Attacks…
• How do we prevent this?
• IPSec
– Provides source authentication, so Mr. Big Ears
cannot pretend to be Alice
– Encrypts data before transport, so Mr. Big Ears
cannot talk to Bob without knowing what the session
key is
62