DEBRE MARKOS UNIVERSITY

BURIE CAMPUS
DEPARTMENT OF COMPUTER SCIENCE
Computer Security
By:
Amare W.


Chapter 4: Network Security

4.1 Network security basics


♥ Security is a continuous process of protecting an object from
unauthorized access. It is a state of being or feeling protected
from harm.
♥ That object in that state may be a person, an organization such as
a business, or property such as a computer system or a file.
♥ Network Security deals with all aspects related to the protection
of the sensitive information assets existing on the network.
♥ It covers various mechanisms developed to provide fundamental
security services for data communication.
3 06/20/2023

4.5 Network security protocols

♥ Network security is one of the essential cybersecurity
branches, and protocols play a vital role in securing the
network.
♥ Network security protocols are a type of network protocol that
ensures the security and integrity of data in transit over a
network connection.
♥ Network security protocols define the processes and
methodology to secure network data from any illegitimate
attempt to review or extract the contents of data.
3/2/2018

♥ Network security protocols are primarily designed to prevent any
unauthorized user, application, service or device from accessing network
data.
♥ Network security protocols generally implement cryptography to secure the
data so that it can only be decrypted by a party holding the right key; the
algorithm itself is public, and the secrecy rests entirely on the key.
♥ Some of the popular network security protocols include Secure File Transfer
Protocol (SFTP, file transfer over SSH), HTTP Secure (HTTPS, which is HTTP
carried over TLS), and Transport Layer Security (TLS), the successor of the
now-deprecated Secure Sockets Layer (SSL).

4.5.1 Application Layer Security

♥ Various business services are now offered online through client-server
applications. The most popular forms are web applications and e-mail.
♥ In both applications, the client communicates with the designated server
and obtains services.
♥ While using a service from any server application, the client and
server exchange a lot of information over the underlying intranet or
Internet.
♥ We are aware of the fact that these information transactions are vulnerable
to various attacks.

♥ Network security entails securing data against attacks while it is
in transit on a network.
♥ To achieve this goal, many real-time security protocols have been
designed. Such protocols need to provide at least the following
primary objectives −
 The parties can negotiate interactively to authenticate each other.
 Establish a secret session key before exchanging information on the
network.
 Exchange the information in encrypted form.
 In practice the exchanged data also needs integrity protection (a MAC
or an AEAD cipher) so that tampered ciphertext is rejected; encryption
alone does not detect modification.

♥ Interestingly, these protocols work at different layers of the
networking model.
♥ For example, the S/MIME protocol works at the Application layer,
SSL/TLS is designed to work at the Transport layer, and the IPsec
protocol works at the Network layer.

4.5.1.2 E-mail Security

♥ Nowadays, e-mail has become a very widely used network
application.
E-mail Infrastructure
♥ The simplest way of sending an e-mail would be sending a message
directly from the sender’s machine to the recipient’s machine.
♥ In this case, it is essential for both machines to be on
the network simultaneously.
♥ However, this setup is impractical as users may only occasionally
connect their machines to the network.

♥ Hence, the concept of setting up e-mail servers arrived. In this
setup, the mail is sent to a mail server which is permanently
available on the network.
♥ When the recipient’s machine connects to the network, it reads
the mail from the mail server.
♥ In general, the e-mail infrastructure consists of a mesh of mail
servers, also termed Message Transfer Agents (MTAs), and
client machines running an e-mail program comprising a User
Agent (UA) and a local MTA.

♥ Typically, an e-mail message gets forwarded from its UA, goes through
the mesh of MTAs and finally reaches the UA on the recipient’s machine.

♥ The protocols used for e-mail are as follows −

Simple Mail Transfer Protocol (SMTP), used for forwarding e-mail messages.
Post Office Protocol (POP) and Internet Message Access Protocol (IMAP),
used by the recipient to retrieve messages from the server.
♥ None of the three protects the message by itself: SMTP, POP and IMAP carry
messages and credentials in cleartext unless the connection is wrapped in
TLS (STARTTLS, or the dedicated SMTPS/POP3S/IMAPS ports), and even then the
protection is only hop-by-hop between client and server or between servers.
End-to-end protection of the message content needs S/MIME or PGP.

E-Mail Security Services

♥ Growing use of e-mail communication for important and crucial transactions
demands provision of certain fundamental security services, as follows −
Confidentiality − The e-mail message should not be read by anyone but the intended
recipient.
Authentication − The e-mail recipient can be sure of the identity of the sender.
Integrity − Assurance to the recipient that the e-mail message has not been altered
since it was transmitted by the sender.
Proof of submission − The e-mail sender gets confirmation that the message has been
handed to the mail delivery system.
Proof of delivery − The sender gets confirmation that the recipient received the
message.

4.5.2 Transport layer security

♥ Network security entails securing data against attacks while it is in transit on a
network. To achieve this goal, many real-time security protocols have been
designed.
♥ There are popular standards for real-time network security protocols such as
S/MIME, SSL/TLS, SSH, and IPsec.
Need for Transport Layer Security
♥ Bob visits Alice’s website for selling goods. In a form on the website, Bob enters
the type of good and quantity desired, his address and payment card details.
♥ Bob clicks on Submit and waits for delivery of the goods, with the price debited
from his account.

♥ All this sounds good, but in the absence of network security, Bob could be in for a few
surprises.
If the transaction did not use confidentiality (encryption), an attacker could obtain his
payment card information. The attacker can then make purchases at Bob's expense.
If no data integrity measure is used, an attacker could modify Bob's order in terms of
type or quantity of goods.
Lastly, if no server authentication is used, a server could display Alice's famous logo
but the site could be a malicious site maintained by an attacker who is
masquerading as Alice. After receiving Bob's order, he could take Bob's money and
flee. Or he could carry out identity theft by collecting Bob's name and credit card
details.

♥ Transport layer security schemes can address these problems
by enhancing TCP/IP based network communication with
confidentiality, data integrity, server authentication, and client
authentication.
♥ Security at this layer is mostly used to secure HTTP based
web transactions on a network. However, it can be employed
by any application running over TCP.

Philosophy of TLS Design

♥ Transport Layer Security (TLS) protocols operate above the TCP
layer. The design of these protocols uses the popular Application Program
Interface (API) to TCP, called “sockets”, for interfacing with the TCP
layer.
♥ Applications are then interfaced to the TLS layer instead of
TCP directly. TLS provides a simple socket-style API that is
analogous to TCP's own, so an application changes little when it
moves from plain TCP to TLS.

♥ TLS is designed to operate over TCP, the reliable layer 4 protocol,
and not over UDP. This makes the design of TLS much simpler,
because it does not have to worry about timing out and
retransmitting lost data; the TCP layer continues doing that as
usual, which serves the needs of TLS. (A variant, Datagram TLS or
DTLS, exists for applications that must run over UDP.)
Why is TLS popular?
♥ The reason for the popularity of security at the Transport Layer
is simplicity. Design and deployment of security at this layer does
not require any change to the TCP/IP protocols that are implemented
in an operating system.

♥ Only user processes and applications need to be
designed/modified, which is less complex.
Secure Sockets Layer (SSL)
♥ In this section, we discuss the family of protocols
designed for transport layer security. The family includes SSL versions
2 and 3 and the TLS protocol. SSL 2.0 and 3.0 have been formally
deprecated (RFC 6176 and RFC 7568), as have TLS 1.0 and 1.1 (RFC 8996);
new deployments should accept only TLS 1.2 and TLS 1.3 (RFC 8446).

Features of SSL

♥ The salient features of the SSL protocol are as follows. SSL provides network
connection security through −
♥ Confidentiality − Information is exchanged in encrypted form.
♥ Authentication − Communicating entities identify each other through the use of
digital certificates. Web-server authentication is mandatory whereas client
authentication is kept optional.
♥ Integrity − Each record carries a message integrity check (a MAC, or an AEAD
cipher in TLS 1.2 and 1.3), so modification in transit is detected.
Other properties of SSL/TLS −
 Available for all TCP applications
 Supported by almost all web browsers
 Provides ease in doing business with new online entities
 Developed primarily for web e-commerce
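The points above (server authentication mandatory, client authentication optional, SSL 2/3 and early TLS deprecated) translate directly into how a TLS socket is configured. The following Python example is added here and is not from the slides; it uses only the standard library ssl module and builds a deliberately weak client context beside a hardened one, plus a small audit function that reports why a context is unsafe. The certificate and key file names passed to server_context are placeholders, not files that exist.

```python
import ssl

# Floor for acceptable protocol versions. SSL 2.0/3.0 (RFC 6176, RFC 7568) and
# TLS 1.0/1.1 (RFC 8996) are deprecated; TLS 1.2 is the minimum today.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def weak_client_context():
    """A client context that skips server authentication entirely.

    This is the configuration that lets the masquerading-server scenario
    succeed: the handshake completes with any certificate at all, so the
    client has confidentiality with whoever is on the other end, attacker
    included.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Client context with mandatory server authentication and a TLS 1.2 floor.

    cafile is an optional trust-store path (assumption: None means the
    platform's default CA bundle).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = MIN_VERSION
    # create_default_context already sets these; stated explicitly for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def server_context(certfile, keyfile, client_cafile=None):
    """Server context: server authentication is mandatory (the server must
    present a certificate and key); client authentication is optional and is
    switched on only when a CA bundle for client certificates is supplied.
    certfile/keyfile/client_cafile are placeholder paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION
    ctx.load_cert_chain(certfile, keyfile)
    if client_cafile is not None:
        ctx.load_verify_locations(cafile=client_cafile)
        ctx.verify_mode = ssl.CERT_REQUIRED   # mutual TLS
    return ctx


def audit_client_context(ctx):
    """Return a list of findings describing why a client context is unsafe;
    an empty list means it passes all three checks."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate (check_hostname is False)")
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"legacy protocol versions allowed (minimum_version={ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    print("weak:", audit_client_context(weak_client_context()))
    print("hardened:", audit_client_context(hardened_client_context()))
```

A context returned by hardened_client_context is what you pass to ssl.SSLContext.wrap_socket(sock, server_hostname=...) in place of the plain TCP socket; that single substitution is the "socket-like API" the slides describe.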

4.5.3 Network layer security

♥ Network layer security controls have been used frequently for
securing communications, particularly over shared networks such
as the Internet, because they can provide protection for many
applications at once without modifying them.
♥ SSL/TLS was developed specifically to secure applications like HTTP or
FTP. But there are several other applications which also need
secure communications.
♥ In 1992, the Internet Engineering Task Force (IETF) began to
define a standard, ‘IPsec’. How is security achieved at the
network layer using this very popular set of protocols, IPsec?

♥ Any scheme that is developed for providing network security
needs to be implemented at some layer in the protocol stack, as
depicted in the table below −

Layer              Communication protocols   Security protocols
Application Layer  HTTP, FTP, SMTP           PGP, S/MIME, HTTPS
Transport Layer    TCP, UDP                  SSL, TLS, SSH
Network Layer      IP                        IPsec

♥ The popular framework developed for ensuring security at the
network layer is Internet Protocol Security (IPsec).

Features of IPsec

♥ IPsec is not designed to work only with TCP as a transport protocol. It
works with UDP as well as any other protocol above IP such as ICMP,
OSPF etc.
♥ IPsec protects the entire packet presented to the IP layer including higher
layer headers: in transport mode everything above the IP header, and in
tunnel mode the whole original IP packet, which is wrapped in a new outer
IP header.
♥ Since the higher layer headers that carry port numbers are hidden, traffic
analysis is more difficult.
♥ IPsec works from one network entity to another network entity, not from
application process to application process. Hence, security can be adopted
without requiring changes to individual user computers/applications.

♥ Though widely used to provide secure communication between
network entities, IPsec can provide host-to-host security as
well.
♥ The most common use of IPsec is to provide a Virtual Private
Network (VPN), either between two locations (gateway-to-
gateway) or between a remote user and an enterprise network
(host-to-gateway).

4.5.4 Link layer security

♥ We have seen that the rapid growth of the Internet has raised a major
concern for network security.
♥ Several methods have been developed to provide security in the
application, transport, or network layer of a network.
♥ Many organizations incorporate security measures at higher OSI
layers, from the application layer all the way down to the IP layer.
♥ However, one area generally left unattended is hardening of the Data
Link layer. This can open the network to a variety of attacks and
compromises.

Security Concerns in Data Link Layer

♥ The Data Link Layer in Ethernet networks is highly prone to several attacks.
The most common attacks are −

ARP Spoofing
♥ Address Resolution Protocol (ARP) is the protocol used to map an IP
address to a physical machine address recognizable in the local Ethernet.
♥ When a host machine needs to find the physical Media Access Control
(MAC) address for an IP address, it broadcasts an ARP request.
♥ The host that owns the IP address sends an ARP reply message with
its physical address.

♥ Each host machine on the network maintains a table, called the ‘ARP
cache’. The table holds the IP addresses and associated MAC
addresses of other hosts on the network.
♥ Since ARP is a stateless protocol, every time a host gets an
ARP reply from another host, even though it has not sent an
ARP request, it accepts that ARP entry and updates its ARP
cache. Nothing in ARP authenticates the reply, so any host on the
segment can claim any IP address.
♥ The process of modifying a target host’s ARP cache with a
forged entry is known as ARP poisoning or ARP spoofing.

♥ ARP spoofing may allow an attacker to masquerade as a
legitimate host and then intercept data frames on a network,
modify or stop them.
♥ Often the attack is used to launch other attacks such as man-
in-the-middle, session hijacking, or denial of service.
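An added example (not from the slides) of the detection side of this. The Python below, standard library only, builds a few Ethernet/ARP frames as constructed test traffic (the MAC and IP addresses are made up), parses them with struct, and flags the two symptoms of poisoning described above: an ARP reply that nobody asked for, and a reply that changes an existing IP-to-MAC binding. A reply whose sender hardware address in the ARP payload differs from the frame's source MAC is flagged too, since a well-formed host never sends one.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(x) for x in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet-framed IPv4 ARP packet (test traffic, not a capture)."""
    dst = mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac(tha)
    return ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa), "eth_src": fmt_mac(src)}


class ArpMonitor:
    """Passive ARP watcher: learns IP->MAC from clean, solicited replies and
    reports anything that looks like cache poisoning."""

    def __init__(self):
        self.bindings = {}        # ip -> mac learned from the first clean reply
        self.outstanding = set()  # IPs with an unanswered request seen on the wire
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return None
        alert = None
        if p["op"] == ARP_REQUEST:
            self.outstanding.add(p["tpa"])            # "who has tpa?" is now pending
        elif p["op"] == ARP_REPLY:
            ip_, mac_ = p["spa"], p["sha"]
            if mac_ != p["eth_src"]:
                alert = f"sender MAC {mac_} differs from frame source {p['eth_src']} for {ip_}"
            elif ip_ not in self.outstanding:
                alert = f"unsolicited reply: {ip_} is-at {mac_}"
            elif ip_ in self.bindings and self.bindings[ip_] != mac_:
                alert = f"binding change: {ip_} was {self.bindings[ip_]}, now {mac_}"
            self.outstanding.discard(ip_)
            if alert is None:
                self.bindings.setdefault(ip_, mac_)   # only clean replies are learned
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed addresses for the demo (not real hosts).
GW_IP, GW_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "de:ad:be:ef:00:66"


def demo():
    """Replay a constructed poisoning sequence and return the monitor state."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # who has 10.0.0.1?
        build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                # genuine answer
        build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),          # gratuitous poison
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # victim asks again
        build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),          # attacker answers first
    ]
    for f in frames:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    for a in demo().alerts:
        print("ALERT:", a)
```

The "unsolicited reply" rule is the noisy one in practice: a legitimate reply that arrives after a faster attacker, or a gratuitous ARP sent on interface up, trips it as well, so on a real segment it is a signal to correlate with the binding-change rule rather than an alarm on its own.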

MAC Flooding

♥ Every switch in the Ethernet has a Content-Addressable Memory
(CAM) table that stores the MAC addresses, switch port numbers, and
other information.
♥ The table has a fixed size. In the MAC flooding attack, the attacker
floods the switch with frames carrying forged source MAC addresses
(often forged ARP packets) until the CAM table is full.
♥ Once the CAM is full, the switch can no longer learn the MAC addresses of
legitimate hosts as their entries age out, and it falls back to hub-like
behaviour: every frame whose destination MAC has no CAM entry is flooded
out of all ports.
♥ The attacker who is on the same network now receives all the frames
which were destined only for a specific host.

Port Stealing

♥ Ethernet switches have the ability to learn and bind MAC
addresses to ports.
♥ When a switch receives traffic from a port with a MAC source
address, it binds the port number and that MAC address.
♥ The port stealing attack exploits this ability of the switches.
The attacker floods the switch with forged ARP frames with
the target host’s MAC address as the source address.
♥ The switch is fooled into believing that the target host is on the port
to which the attacker is actually connected.

♥ Now all data frames intended for the targeted host are sent to the
attacker’s switch port and not to the target host.
♥ Thus, the attacker now receives all the frames which were
actually destined only for the target host.

DHCP Attacks
♥ Dynamic Host Configuration Protocol (DHCP) is not a data link
protocol, but solutions to DHCP attacks are also useful to thwart
Layer 2 attacks.
♥ DHCP is used to dynamically allocate IP addresses to computers
for a specific time period (the lease).

♥ It is possible to attack DHCP servers by causing denial of service in the network
or by impersonating the DHCP server.
♥ In a DHCP starvation attack, the attacker requests all of the available DHCP
addresses, sending DISCOVER/REQUEST messages with many forged client MAC
addresses. This results in a denial of service to the legitimate hosts on the
network, and often serves to clear the field for a rogue server.
♥ In a DHCP spoofing attack, the attacker deploys a rogue DHCP server to
provide addresses to the clients.
♥ Here, the attacker can provide the host machines with a rogue default gateway
(or a rogue DNS server) in the DHCP responses.
♥ Data frames from the host are now directed to the rogue gateway, where the attacker
can intercept all packets and relay them to the actual gateway, or drop them.

Securing Ethernet LANs

♥ We discussed some widely known attacks at the Data Link Layer in the
previous section.
♥ Several methods have been developed to mitigate these types of
attacks. Some of the important methods are −
♥ Port Security: Anyone can access an unsecured network by simply
connecting a host to one of the available switch ports.
♥ By default, port security limits the ingress MAC address count to one.
However, it is possible to allow more than one authorized host to
connect from that port through configuration. Allowed MAC
addresses per interface can be statically configured, or learned
dynamically (“sticky”) up to the configured maximum.

♥ To ensure security, the reaction to a change in the specified
MAC addresses on a port, or to excess addresses on a port, can be
controlled in several ways (the violation mode).
♥ The port can be configured to shut down (error-disable), or to
keep forwarding for the allowed addresses and silently drop, or drop
and log, frames from the MAC addresses that exceed the specified limit.
♥ The recommended best practice is to shut down the port. Port
security prevents MAC flooding and cloning attacks.
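To make the three mechanisms above concrete (MAC flooding, port stealing, and port security as the countermeasure), here is an added Python simulation of a learning switch; it is not from the slides and not any vendor's code. Port numbers and MAC addresses are made up. The CAM table stops learning when full and forgets its dynamic entries when the aging timer fires; port security, when enabled on a port, error-disables that port on the first MAC address beyond the allowed count, which is the shutdown violation mode described above.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: fixed-size CAM table, optional per-port MAC limit."""

    def __init__(self, ports, cam_capacity, port_security=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                                   # mac -> port
        self.port_security = dict(port_security or {})  # port -> max MACs allowed
        self.secure_macs = {p: set() for p in self.ports}
        self.shutdown = set()                           # error-disabled ports

    def age_out(self):
        """Aging timer fired: dynamic CAM entries are forgotten (secure MACs are kept)."""
        self.cam.clear()

    def receive(self, in_port, src_mac, dst_mac):
        """Handle one frame; return the set of egress ports (empty means dropped)."""
        if in_port in self.shutdown:
            return set()
        limit = self.port_security.get(in_port)
        if limit is not None:
            secure = self.secure_macs[in_port]
            if src_mac not in secure and len(secure) >= limit:
                # violation mode "shutdown": err-disable the port, purge its entries
                self.shutdown.add(in_port)
                for m in [m for m, p in self.cam.items() if p == in_port]:
                    del self.cam[m]
                return set()
            secure.add(src_mac)
        # Learning: a known MAC moves to the port it was last seen on (this is
        # what port stealing abuses); a new MAC is learned only while the table
        # has room (this is what MAC flooding exhausts).
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            # unknown unicast or broadcast: flood out of every other live port
            return {p for p in self.ports if p != in_port and p not in self.shutdown}
        return {out}


# Constructed topology: gateway on port 1, victim on port 2, attacker on port 3.
GW, VICTIM, ATTACKER = "aa:00:00:00:00:01", "aa:00:00:00:00:10", "de:ad:be:ef:00:66"
GW_PORT, VICTIM_PORT, ATTACKER_PORT = 1, 2, 3


def fake_mac(i):
    """Deterministic stand-in for the random source MACs a flooding tool emits."""
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def mac_flooding(port_security=None):
    """Return (ports that receive a gateway->victim frame, error-disabled ports)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=64, port_security=port_security)
    sw.receive(VICTIM_PORT, VICTIM, GW)          # victim and gateway get learned
    sw.receive(GW_PORT, GW, VICTIM)
    for i in range(200):                         # attacker sprays bogus sources
        sw.receive(ATTACKER_PORT, fake_mac(i), BROADCAST)
    sw.age_out()                                 # legitimate entries expire ...
    for i in range(200):                         # ... and the attacker refills first
        sw.receive(ATTACKER_PORT, fake_mac(i), BROADCAST)
    sw.receive(VICTIM_PORT, VICTIM, GW)          # victim tries to be re-learned
    return sw.receive(GW_PORT, GW, VICTIM), sw.shutdown


def port_stealing(port_security=None):
    """Return (ports that receive a gateway->victim frame, CAM port for victim, disabled ports)."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=64, port_security=port_security)
    sw.receive(VICTIM_PORT, VICTIM, GW)
    sw.receive(GW_PORT, GW, VICTIM)
    sw.receive(ATTACKER_PORT, ATTACKER, GW)      # attacker's own MAC on port 3
    sw.receive(ATTACKER_PORT, VICTIM, GW)        # forged frame: victim's MAC as source
    return sw.receive(GW_PORT, GW, VICTIM), sw.cam.get(VICTIM), sw.shutdown


if __name__ == "__main__":
    print("flooding, no port security:  ", mac_flooding())
    print("flooding, max 1 MAC on port 3:", mac_flooding({ATTACKER_PORT: 1}))
    print("stealing, no port security:  ", port_stealing())
    print("stealing, max 1 MAC on port 3:", port_stealing({ATTACKER_PORT: 1}))
```

Without port security the gateway's frame to the victim is flooded to ports 2, 3 and 4 after the flood (the attacker on port 3 sees it) and goes to port 3 alone after the steal; with a one-address limit on port 3 the attacker's second source address error-disables the port in both cases and the victim's traffic stays on port 2.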

DHCP Snooping

♥ We have seen that DHCP spoofing is an attack where the attacker listens for
DHCP requests from hosts on the network and answers them with a fake DHCP
response before the authorized DHCP response reaches the host.
♥ DHCP snooping can prevent such attacks. DHCP snooping is a switch feature.
The switch can be configured to determine which switch ports may respond to DHCP
requests. Switch ports are identified as trusted or untrusted ports.
♥ Only ports that connect to an authorized DHCP server (or the uplink towards one)
are configured as “trusted” and allowed to send all types of DHCP messages.
♥ All other ports on the switch are untrusted and may send only DHCP client
messages. If a DHCP server message (OFFER, ACK, NAK) is seen on an untrusted
port, it is dropped, and the port can additionally be configured to be
error-disabled. Untrusted ports can also be rate-limited on DHCP client
messages, which blunts starvation attacks.
♥ As a by-product, the switch records the IP-to-MAC-to-port bindings it sees in
legitimate DHCP exchanges; this binding table is what Dynamic ARP Inspection and
IP Source Guard consult.
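The trusted/untrusted filter above, plus the per-port client rate limit, as an added Python example (not from the slides and not vendor code). It constructs minimal BOOTP/DHCP messages as test data, reads the message type from option 53 by walking the options field, and then applies the snooping policy: server messages on an untrusted port are dropped, and an untrusted port that sends more client messages than its limit is cut off. Port numbers, transaction IDs and MAC addresses are made up; the snooper here drops offending messages rather than error-disabling the port.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"        # BOOTP vendor cookie that precedes DHCP options
# Option 53 message types
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}      # only a DHCP server may send these


def build_dhcp(msg_type, xid, client_mac, extra_options=b""):
    """Construct a minimal BOOTP/DHCP message (test data, not captured traffic)."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2    # BOOTREQUEST / BOOTREPLY
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,         # htype=Ethernet, hlen=6, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        client_mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type]) + extra_options + b"\xff"
    return fixed + DHCP_MAGIC + options


def dhcp_message_type(payload):
    """Walk the options field and return the value of option 53, or None if absent/malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            return None          # truncated length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None          # truncated value
        if code == 53 and length == 1:
            return value[0]
        i += 2 + length
    return None


class DhcpSnooper:
    """Per-port DHCP policy: trusted ports pass everything; untrusted ports may
    only send client messages, and only up to client_limit of them."""

    def __init__(self, trusted_ports, client_limit=None):
        self.trusted = set(trusted_ports)
        self.client_limit = client_limit
        self.client_count = {}
        self.violations = []

    def filter(self, in_port, payload):
        """Return 'forward' or 'drop' for a DHCP payload arriving on in_port."""
        mtype = dhcp_message_type(payload)
        if mtype is None:
            return "drop"                       # never forward what cannot be classified
        if in_port in self.trusted:
            return "forward"
        if mtype in SERVER_MESSAGES:
            self.violations.append((in_port, "server message on untrusted port"))
            return "drop"
        n = self.client_count.get(in_port, 0) + 1
        self.client_count[in_port] = n
        if self.client_limit is not None and n > self.client_limit:
            self.violations.append((in_port, "client message rate limit exceeded"))
            return "drop"
        return "forward"


def demo():
    """Replay a constructed sequence: legit exchange, rogue server, starvation."""
    snooper = DhcpSnooper(trusted_ports={1}, client_limit=5)   # port 1 faces the real server
    client = bytes.fromhex("aa0000000010")
    results = [
        snooper.filter(2, build_dhcp(DISCOVER, 0x1234, client)),   # client on untrusted port
        snooper.filter(1, build_dhcp(OFFER, 0x1234, client)),      # real server answers
        snooper.filter(3, build_dhcp(OFFER, 0x1234, client)),      # rogue server on port 3
    ]
    for i in range(6):   # starvation: discovers from six forged MACs on port 4
        results.append(snooper.filter(4, build_dhcp(DISCOVER, 0x2000 + i, bytes([2, 0, 0, 0, 0, i]))))
    return results, snooper.violations


if __name__ == "__main__":
    print(demo())
```

A real switch keys the rate limit on time (messages per second) rather than a lifetime count; the counter here keeps the example deterministic.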

Preventing ARP Spoofing

♥ The method of port security can prevent MAC flooding and cloning
attacks. However, it does not prevent ARP spoofing.
♥ Port security validates the MAC source address in the frame header,
but ARP packets contain an additional sender MAC field in the data
payload, and hosts use this field to populate their ARP cache.
♥ Some methods to prevent ARP spoofing are listed as follows.
 Static ARP
 Intrusion Detection System
 Dynamic ARP inspection (the switch checks the sender MAC/IP pair in each
ARP packet on an untrusted port against the DHCP snooping binding table
and drops packets that do not match)

4.5.5 Physical security (Access Control)

♥ Network access control is a method of enhancing the security of
a private organizational network by restricting the availability of
network resources to endpoint devices that comply with the
organization’s security policy.
♥ A typical network access control scheme comprises two major
components: Restricted Access and Network Boundary
Protection.
♥ Restricted Access to the network devices is achieved through user
authentication and authorization control, which is responsible for
identifying and authenticating different users to the network system.

♥ Authorization is the process of granting or denying specific
access permissions to a protected resource.
♥ Network Boundary Protection controls logical connectivity
into and out of networks. For example, multiple firewalls can
be deployed to prevent unauthorized access to the network
systems.
♥ Also, intrusion detection and prevention technologies can be
deployed to defend against attacks from the Internet.

Securing Access to Network Devices

♥ Restricting access to the devices on the network is a very essential step for
securing a network.
♥ Since network devices comprise communication as well as computing
equipment, compromising these can potentially bring down an entire
network and its resources.
♥ Paradoxically, many organizations ensure excellent security for their servers
and applications but leave communicating network devices with
rudimentary security.
♥ An important aspect of network device security is access control and
authorization. Many protocols have been developed to address these two
requirements and enhance network security to higher levels.

User Authentication and Authorization

♥ User authentication is necessary to control access to the network systems, in
particular network infrastructure devices.
♥ Access control has two aspects: general access authentication and functional
authorization.
♥ General access authentication is the method to control whether a particular user
has “any” type of access right to the system he is trying to connect to. Usually,
this kind of access is associated with the user having an “account” with that
system.
♥ Authorization deals with individual user “rights”. For example, it decides what
a user can do once authenticated; the user may be authorized to configure the
device or only view the data.

Thank you
