
CH 4 Network Security

Network security focuses on securing internet and intranet communications using TCP/IP protocols. There are two main types of network attacks: passive attacks which involve listening to network traffic without altering it, like wiretapping; and active attacks which threaten data integrity and availability, like modifying or deleting data packets. Examples of active attacks are denial of service attacks which aim to prevent authorized access to resources, such as email bombing or smurf attacks.

Uploaded by

Hirko Gemechu

Network security

Network Security Model
[Figure: network security model with a Trusted Third Party, an Information Channel, a Security Related Transmission at each end, and an Opponent]

Network Security
Introduction
In today’s highly networked world, we can’t talk of computer security without talking of network security
Focus is on:
  • Internet and Intranet security (TCP/IP based networks)
  • Attacks that use security holes of the network protocol and their defenses
Does not include attacks that use networks to perform some crime based on human weaknesses (such as scams)

Network Security/ Types of Attacks
Passive attacks
Listen to the network and make use of the information without altering it
  • Passive wiretapping attack
  • Traffic analysis
Most networks use a broadcast medium and it is easy to access other machines' packets
  • Utilities such as etherfind and tcpdump
  • Network management utilities such as SnifferPro
Defense
  • Using switching tools rather than mere repeating hubs limits this possibility
  • Using cryptography; does not protect against traffic analysis

Network Security/ Types of Attacks
Active attacks
An active attack threatens the integrity and availability of data being transmitted
  • The transmitted data is fully controlled by the intruder
  • The attacker can modify, extend, delete or play any data
This is quite possible in TCP/IP since the frames and packets are not protected in terms of authenticity and integrity
Denial of service or degrading of service attack
  • Prevention of authorized access to resources
  • Examples
    • E-mail bombing: flooding someone's mail store
    • Smurf attack: Sending a “ping” multicast or broadcast with a spoofed IP of a victim. The recipients will respond with a “pong” to the victim
    • There have been reports of distributed denial of service attacks against major sites such as Amazon, Yahoo, CNN and eBay

Network Security/ Types of Attacks
Active attacks …
Spoofing attack: a situation in which one person or program successfully imitates another by falsifying data, thereby gaining an illegitimate advantage.
  • IP spoofing
    • Putting a wrong IP address in the source IP address of an IP packet
  • DNS spoofing
    • Changing the DNS information so that it directs to a wrong machine
  • URL spoofing/Webpage phishing
    • A legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker
  • E-mail address spoofing

Network Security/ Types of Attacks
Active attacks …
Session hijacking
  • When a TCP connection is established between a client and a server, all information is transmitted in clear and this can be exploited to hijack the session

Network Security/ Protocols and vulnerabilities
Attacks on TCP/IP Networks
TCP/IP was designed to be used by a trusted group of users
The protocols are not designed to withstand attacks
Internet is now used by all sorts of people
Attackers exploit vulnerabilities of every protocol to achieve their goals
The next slides show some attacks at each layer of the TCP/IP stack

Network Security/ Protocols and vulnerabilities
Link Layer: ARP spoofing
[Figure: hosts .1 to .5 on network 140.252.13, shown once for the ARP request and once for the reply]
Request (Ethernet addresses shown: 08:00:20:03:F6:42, 00:00:C0:C2:9B:26)
arp req | target IP: 140.252.13.5 | target eth: ?
Reply (Ethernet addresses shown: 08:00:20:03:F6:42, 00:34:CD:C2:9F:A0, 00:00:C0:C2:9B:26)
arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0
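
A defender can catch a forged reply like the one in the figure by remembering which Ethernet address first answered for each IP and flagging later replies that disagree. The sketch below is an added example, not part of the original slides; it assumes 00:00:C0:C2:9B:26 is the real address of 140.252.13.5 and 08:00:20:03:F6:42 that of 140.252.13.1, and the timestamps and reply sequence are constructed.

```python
"""Passive ARP-binding monitor (added example, not from the slides)."""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_eth")
Alert = namedtuple("Alert", "ts kind ip known_eth seen_eth")

# Constructed capture. Assumption: the first two replies are the honest
# bindings; the third is the forged reply shown on the slide.
SAMPLE = [
    ArpReply(1.0, "140.252.13.1", "08:00:20:03:F6:42"),
    ArpReply(2.0, "140.252.13.5", "00:00:C0:C2:9B:26"),
    ArpReply(3.0, "140.252.13.5", "00:34:CD:C2:9F:A0"),
    ArpReply(4.0, "140.252.13.1", "00:34:cd:c2:9f:a0"),
]


def norm(mac):
    """Canonical lower-case, colon-separated form so case never hides a match."""
    return mac.strip().lower().replace("-", ":")


class ArpWatch:
    def __init__(self, pinned=None):
        # pinned: optional static IP -> MAC entries (e.g. the default gateway)
        self.bindings = {ip: norm(mac) for ip, mac in (pinned or {}).items()}
        self.claims = {}          # MAC -> set of IPs it has answered for

    def observe(self, reply):
        ip, mac = reply.sender_ip, norm(reply.sender_eth)
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac           # trust on first use
        elif known != mac:
            # Keep the original binding so a flapping entry keeps alerting.
            alerts.append(Alert(reply.ts, "binding-changed", ip, known, mac))
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            # One adapter answering for several IPs: typical of ARP spoofing,
            # but also of proxy ARP and IP aliases, so triage before acting.
            alerts.append(Alert(reply.ts, "mac-claims-multiple-ips", ip, known, mac))
        return alerts


def scan(replies, pinned=None):
    """Run every reply through one monitor and collect the alerts in order."""
    watch = ArpWatch(pinned)
    return [a for r in replies for a in watch.observe(r)]


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Passing the gateway's address in `pinned` removes the trust-on-first-use gap for the binding that matters most.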


Network Security/ Protocols and vulnerabilities
Network Layer: IP Vulnerabilities
IP packets can be intercepted
  • In the LAN broadcast
  • In the router, switch
Since the packets are not protected they can be easily read
Since IP packets are not authenticated they can be easily modified
Even if the user encrypts his/her data it will still be vulnerable to traffic analysis attack
Information exchanged between routers to maintain their routing tables is not authenticated
  • All sorts of problems can happen if a router is compromised

Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview
IPSec is a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.
Applications of IPSec
  • Secure branch office connectivity over the Internet
  • Secure remote access over the Internet
  • Establishing extranet and intranet connectivity with partners
  • Enhancing electronic commerce security

Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview …
Benefits of IPSec
  • Transparent to applications (below transport layer) (TCP, UDP)
  • Provide security for individual users
IPSec can assure that:
  • A router or neighbor advertisement comes from an authorized router
  • A redirect message comes from the router to which the initial packet was sent
  • A routing update is not forged

Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) services
  • Access Control
  • Connectionless integrity
  • Data origin authentication
  • Rejection of replayed packets
  • Confidentiality (encryption)

Network Security/ Protocols and vulnerabilities
Network Layer: IP security scenario …

Network Security/ Protocols and vulnerabilities
Network Layer: IPSec - Security Associations (SA)
SA is a one way relationship between a sender and a receiver that provides security services (authentication and confidentiality)
SA is uniquely identified by:
  • Security Parameters Index (SPI) in the enclosed extension header of AH or ESP
    • AH: Authentication Header (Authentication)
    • ESP: Encapsulating Security Payload (both authentication and confidentiality)
  • IP Destination address in the IPv4/IPv6 header
Both AH and ESP support two modes of use
  • Transport Mode: Protection for upper layer protocols (TCP, UDP)
  • Tunnel Mode: Protection to the entire IP packet
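
The services slide lists "rejection of replayed packets" and this slide says an SA is selected by SPI plus destination address; the added example below (not from the original slides) shows how a receiver combines the two with an integrity check. It is a simplified model, not the AH/ESP wire format: the 64-packet window, the HMAC-SHA-256 check value truncated to 16 bytes, and the key, SPI and address values are assumptions or constructed.

```python
"""Receiver-side SA lookup, ICV check and anti-replay window (added example)."""
import hashlib
import hmac
import struct

WINDOW = 64  # assumption: 64-packet anti-replay window


class InboundSA:
    """One-way SA as seen by the receiver: auth key plus replay state."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.top = 0       # highest sequence number authenticated so far
        self.bitmap = 0    # bit i set => sequence number (top - i) was seen

    def is_fresh(self, seq):
        if seq == 0:
            return False                      # counters start at 1
        if seq > self.top:
            return True                       # ahead of the window
        offset = self.top - seq
        return offset < WINDOW and not (self.bitmap >> offset) & 1

    def mark_seen(self, seq):
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << WINDOW) - 1
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def icv(key, spi, seq, payload):
    """Integrity check value over SPI, sequence number and payload (simplified)."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def receive(sad, dst_ip, spi, seq, payload, tag):
    sa = sad.get((spi, dst_ip))               # SA selected by SPI + destination
    if sa is None:
        return "drop: no SA"
    if not sa.is_fresh(seq):
        return "drop: replayed or too old"
    if not hmac.compare_digest(tag, icv(sa.auth_key, spi, seq, payload)):
        return "drop: bad ICV"                # window untouched by forgeries
    sa.mark_seen(seq)                         # slide only after authentication
    return "accept"


def demo():
    key, spi, dst = b"constructed-demo-key", 0x1001, "192.0.2.10"  # constructed
    sad = {(spi, dst): InboundSA(key)}
    send = lambda seq, data=b"hello": receive(sad, dst, spi, seq, data,
                                              icv(key, spi, seq, data))
    return [
        send(1), send(2),
        send(2),                                          # exact replay
        send(5), send(3),                                 # out of order, in window
        receive(sad, dst, spi, 900, b"x", b"\0" * 16),    # forged, far ahead
        send(6),                                          # window not dragged to 900
        send(100), send(4),                               # 4 is now left of the window
        receive(sad, dst, 0x2002, 1, b"x", b"\0" * 16),   # unknown SPI
    ]
```

Updating the window only after the check value verifies is what stops a forged high sequence number from locking out legitimate traffic.
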
Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication
[Figure: (a) Before AH]

Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication …
[Figure: (b) Transport Mode]

Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication …
[Figure: (c) Tunnel Mode]


Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication

Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication …

Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations
[Figure; legend: * Implements IPSec]

Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …
[Figure; legend: * Implements IPSec]

Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …
[Figure; legend: * Implements IPSec]

Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …
[Figure; legend: * Implements IPSec]

Network Security/ Protocols and vulnerabilities
IPSec: Encryption, Authentication… Summary
IPSec provides authentication, confidentiality, and key management at the level of IP packets.
IP-level authentication is provided by inserting an Authentication Header (AH) into the packets.
IP-level confidentiality is provided by inserting an Encapsulating Security Payload (ESP) header into the packets. An ESP header can also do the job of the AH header by providing authentication in addition to confidentiality.
Before ESP can be used, it is necessary for the two ends of a communication link to exchange the secret key that will be used for encryption. Similarly, AH needs an authentication key. Keys are exchanged with a protocol named as the Internet Key Exchange (IKE).
IPSec is a specification for the IP-level security features that are built into the IPv6 internet protocol. These security features can also be used with the IPv4 internet protocol.
IPSec is transparent to applications (functions below transport layer)

Network Security/ Protocols and vulnerabilities
Transport Layer : TCP SYNC attack
The use of Sequence Number: monotonically increasing 32 bits long counter that provides anti-replay function
Sequence numbers are initialized with a “random” value during connection setup
The RFC suggests that the ISN (Initial Sequence Number) is incremented by one at least every 4 ms
In many implementations, it is computationally feasible to guess the next ISN number
If successful, an attacker can impersonate a trusted host

Network Security/ Protocols and vulnerabilities
Transport Layer : TCP SYNC attack …
ISN – Initial Sequence Number

3 way handshake (client, server)
  client -> server: SYN = ISNC
  server -> client: SYN = ISNS, ACK(ISNC)
  client -> server: ACK(ISNS)
  data transfer

attacker, server, trusted host (T)
  attacker -> server: SYN = ISNX, SRC_IP = T
  server -> trusted host (T): SYN = ISNS, ACK(ISNX)
  attacker -> server: ACK(ISNS), SRC_IP = T
  attacker -> server: SRC_IP = T, nasty_data
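
The mitigation for guessable ISNs is to add a secret, per-connection offset to the clock-driven counter, as RFC 6528 specifies. The added example below (not from the original slides) compares a counter-only ISN with that keyed form; the addresses, ports, secret and tick values are constructed, HMAC-SHA-256 stands in for the hash function F, and the tick length is left abstract.

```python
"""Counter-only ISN versus a keyed per-connection offset (added example)."""
import hashlib
import hmac
import socket
import struct

MASK32 = 0xFFFFFFFF


def isn_counter(ticks):
    """Weak scheme: every connection reads the same global counter."""
    return ticks & MASK32


def isn_keyed(ticks, secret, local, remote):
    """ISN = M + F(local ip/port, remote ip/port, secret), modulo 2**32."""
    (lip, lport), (rip, rport) = local, remote
    tuple_bytes = (socket.inet_aton(lip) + struct.pack("!H", lport)
                   + socket.inet_aton(rip) + struct.pack("!H", rport))
    digest = hmac.new(secret, tuple_bytes, hashlib.sha256).digest()
    offset = struct.unpack("!I", digest[:4])[0]
    return (ticks + offset) & MASK32


def compare(ticks_probe=1_000_000, elapsed=250):
    """What observing one ISN reveals about the ISN handed to another peer."""
    secret = b"constructed-boot-secret"   # constructed; real stacks use random bytes
    server = ("192.0.2.1", 513)           # constructed addresses (TEST-NET-1)
    observer = ("192.0.2.66", 40000)
    trusted = ("192.0.2.7", 1023)
    later = ticks_probe + elapsed

    # Counter scheme: one observed ISN plus elapsed ticks gives everyone's next ISN.
    guess_counter = (isn_counter(ticks_probe) + elapsed) & MASK32
    counter_predictable = guess_counter == isn_counter(later)

    # Keyed scheme: the same extrapolation fails for a different 4-tuple...
    probe = isn_keyed(ticks_probe, secret, server, observer)
    guess_keyed = (probe + elapsed) & MASK32
    keyed_predictable = guess_keyed == isn_keyed(later, secret, server, trusted)

    # ...while each connection's own sequence space still advances with the clock.
    same_tuple_step = (isn_keyed(later, secret, server, observer) - probe) & MASK32
    return counter_predictable, keyed_predictable, same_tuple_step


if __name__ == "__main__":
    print(compare())
```
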
Network Security/ Protocols and vulnerabilities
Application layer: DNS spoofing
If the attacker has access to a name server it can modify it so that it gives false information
  • Ex: redirecting www.ebay.com to map to own (attacker’s) IP address
The cache of a DNS name server can be poisoned with false information using some simple techniques

Network Security/ Protocols and vulnerabilities
Application layer: Web browsers as threats
We obtain most of our browsers on-line
  • How do we make sure that some Trojan horse is not inserted
Potential problems that can come from malicious code within the browser
  • Inform the attacker of the activities of the user
  • Inform the attacker of passwords typed in by the user
  • Downgrade browser security
Helper applications are used by browsers
  • Example: MS Word, Ghost view, etc
  • The helpers can have Trojan horse code
  • Downloaded data can exploit vulnerabilities of helpers

Network Security/ Protocols and vulnerabilities
Application layer: Web browser …
Mobile code
  • Java applets and ActiveX controls
    • normally run within a controlled environment (sandbox) and access to local resources is strictly controlled by a security manager
    • however, an applet may escape from the sandbox due to some bugs in the implementation of the Java Virtual Machine for example
Cookies
  • cookies are set by web servers and stored by web browsers
  • A cookie set by a server is sent back to the server when the browser visits the server again
  • Cookies can be used to track what sites the user visits

Network Security/ Protocols and vulnerabilities
Application layer: Web browser …
Interactive web sites are based on forms and scripts
  • By writing malicious scripts the client can
    • Crash the server (ex. Buffer overflow)
    • Gain control over the server

Network Security/ Protocols and vulnerabilities
Application layer: E-mail Security
E-mails transit through various servers before reaching their destinations
By default, they are visible by anybody who has access to the servers
SMTP protocol has security holes and operational limitations
E-mail security can be improved using some tools and protocols
  • Example: PGP, S-MIME
PGP: Pretty Good Privacy
S-MIME: Secure Multi-Purpose Internet Mail Extension

Network Security/ Protocols and vulnerabilities
Application layer: E-Mail Security - SMTP
SMTP Limitations - Can not transmit, or has a problem with:
  • executable files, or other binary files (jpeg image)
  • “national language” characters (non-ASCII)
  • messages over a certain size
  • ASCII to EBCDIC translation problems
  • lines longer than a certain length (72 to 254 characters)

Network Security/ Protocols and vulnerabilities
Application layer: E-mail Security - PGP
Philip R. Zimmermann is the creator of PGP
PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications.
Five services of PGP

Function                   Algorithm Used
1. Digital Signature       DSS/SHA or RSA/SHA
2. Message Encryption      CAST or IDEA or three-key triple DES with Diffie-Hellman or RSA
3. Compression             ZIP
4. E-mail Compatibility    Radix-64 conversion
5. Segmentation            -

Network Security/ Protocols and vulnerabilities
Application layer: E-mail Security – S/MIME Functions
Enveloped Data: Encrypted content and encrypted session keys for recipients
Signed Data: Message Digest encrypted with private key of “signer.”
Clear-Signed Data: Signed but not encrypted
Signed and Enveloped Data: Various orderings for encrypting and signing.

Network Security/ Protocols and vulnerabilities
Application layer: Security-enhanced application protocols
Solutions to most application layer security problems have been found by developing security-enhanced application protocols
Examples
  • For FTP => FTPS
  • For HTTP => HTTPS
  • For SMTP => SMTPS
  • For DNS => DNSSEC
