CHAPTER-FOUR

Network Security Concepts and Mechanisms

By: Mikiale T.
4.1 Introduction
A closer look at the network structure of the Internet
 three broad components
 The Network Edge
o consists of applications
and hosts
 Access Networks
o connect end systems to
edge routers through wired
or wireless communication
links
 Network Core
o interconnected routers
creating network of networks
Internet View of Networking (figure: mobile network, national or global ISP, regional ISP, home network, institutional network, access points, wired links, router/switch)
 millions of connected computing devices: hosts (end systems) running network applications, e.g., PC, server, wireless laptop, cell phone
 communication links: fiber, copper, radio, satellite
 transmission rate = bandwidth
 routers: forward packets (chunks of data)
 Protocols control the sending and receiving of
messages
 e.g., TCP, IP, HTTP, Skype, Ethernet
Layers of TCP/IP
 Internet Protocol Stack (TCP/IP), top to bottom: Application, Transport, Network, Data Link, Physical
 Application: supports network applications
 FTP, SMTP, HTTP
 Transport: process-to-process data transfer and end-to-end reliability
 TCP, UDP
 Network: routing of datagrams (packets) from source to destination
 IP, routing protocols
 Data Link: reliable data transfer between neighboring network elements
 PPP, ARP, Ethernet
 Physical: bits "on the wire or in the air"
Layers of ISO/OSI
 ISO/OSI Reference Model, top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical
 Presentation: allows applications to interpret the meaning of data, e.g., encryption, compression, machine-specific conventions
 Session: managing sessions such as synchronization, checkpointing, recovery of data exchange
 The Internet protocol stack is "missing" these two layers!
 these services, if needed, must be implemented in the application layer
Layers and Encapsulation (figure)
 At the source, each layer adds its own header to the unit handed down by the layer above:
 message: application layer (M)
 segment: transport layer (Ht M)
 datagram/packet: network layer (Hn Ht M)
 frame: data link layer (Hd Hn Ht M)
 The physical layer carries the frame as bits. A switch examines only the link-layer header Hd; a router removes the frame, uses the network-layer header Hn to forward the datagram, and encapsulates it in a new frame for the next link
 At the destination the headers are removed in the reverse order (Hd, then Hn, then Ht) to recover the message M
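The following Python is an added example, not part of the slides: it builds the Hd Hn Ht M stack for one message (Ethernet II, IPv4, TCP) and peels the headers off again at the destination, verifying the IPv4 header checksum on the way. The MAC and IP addresses, ports and the message are constructed for the example; the TCP checksum is left at zero to keep the code short.

```python
import struct

# Constructed sample addresses for the example (not from the slides).
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_port: int, dst_port: int, seq: int, message: bytes) -> bytes:
    """Transport layer: Ht + M. Minimal 20-byte TCP header, flags PSH|ACK."""
    data_offset_and_flags = (5 << 12) | 0x18
    ht = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0,
                     data_offset_and_flags, 65535, 0, 0)
    return ht + message


def build_datagram(segment: bytes) -> bytes:
    """Network layer: Hn + (Ht M). IPv4 header with a correct header checksum."""
    total_len = 20 + len(segment)
    hn = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    hn = hn[:10] + struct.pack("!H", ip_checksum(hn)) + hn[12:]
    return hn + segment


def build_frame(datagram: bytes) -> bytes:
    """Link layer: Hd + (Hn Ht M). Ethernet II header, EtherType 0x0800 = IPv4."""
    return DST_MAC + SRC_MAC + struct.pack("!H", 0x0800) + datagram


def decapsulate(frame: bytes) -> dict:
    """What the destination does: strip Hd, Hn and Ht in turn and recover M.
    A switch would stop after the Ethernet header, a router after the IP header."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    checksum_ok = ip_checksum(datagram[:ihl]) == 0   # a valid header sums to zero
    protocol = datagram[9]
    segment = datagram[ihl:total_len]
    src_port, dst_port, seq = struct.unpack("!HHI", segment[:8])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
        "src_ip": ".".join(map(str, datagram[12:16])),
        "dst_ip": ".".join(map(str, datagram[16:20])),
        "ip_checksum_ok": checksum_ok, "protocol": protocol,
        "src_port": src_port, "dst_port": dst_port, "seq": seq,
        "message": segment[data_offset:],
    }


def example_frame() -> bytes:
    message = b"GET / HTTP/1.0\r\n\r\n"   # M, constructed
    return build_frame(build_datagram(build_segment(40000, 80, 1, message)))


if __name__ == "__main__":
    frame = example_frame()
    print(len(frame), "bytes on the wire")
    print(decapsulate(frame))
```

Flipping a single bit of the IP header in flight (for instance the TTL) makes the checksum fail, which is the only integrity protection plain IP offers; it catches accidental corruption, not an attacker, who simply recomputes the checksum after modifying the packet.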
 What can a "bad guy" do on a network?
 Bad guys can do a lot on a network
 Eavesdrop: intercept messages
 Insert messages into a connection
 Impersonation: fake (spoof) the source address in a packet (or any other field in the packet)
 Session Hijacking: "take over" an ongoing connection by removing the sender or receiver and inserting itself in its place
 The attacker monitors an authenticated session between the client machine and the server, and takes that session over
 When a TCP connection is established between a client and a server, all information (including the sequence and acknowledgement numbers that identify the connection) is transmitted in the clear; an attacker who can observe the traffic can therefore inject packets that the peer accepts as genuine, and this can be exploited to hijack the session
 Denial of Service: prevent a service from being used by others
4.2 What is Network Security?
 Confidentiality: only sender and intended receiver should
“understand” message contents
 sender encrypts message
 receiver decrypts message
 Authentication: sender and receiver want to confirm identity of
each other
 Message integrity: sender or receiver wants to ensure message is
not altered (in transit, or afterwards) without detection
 Access and availability: services must be accessible and available
to users

 In today's highly networked world, we can't talk of computer security without talking of network security
 Although there are many types of networks, the focus of this course is on
 Internet and intranet security (TCP/IP based networks)
 Attacks that use security holes of the network protocols, and their defenses
 We do not discuss attacks that use networks to perform some crime based on human weaknesses (such as scams)
Security Features in the TCP/IP Protocol Stack
 Use of IP Security (IPSec) (Figure a)
 Transparent to applications
 Provides a general-purpose solution
 Provides filtering capability (rejection of replayed packets)
 Security just above TCP (Figure b)
 SSL: Secure Sockets Layer
 TLS: Transport Layer Security
 SSL/TLS can be provided as part of the underlying protocol suite, in which case it is transparent to applications
 Alternatively, it can be embedded into applications
 Example: web browsers such as Internet Explorer ship with SSL/TLS built in
 Application-specific security services (Figure c)
 Embedded within specific applications
 Examples are
 Electronic mail - S/MIME (Secure/Multipurpose Internet Mail Extensions) and PGP (Pretty Good Privacy) on top of SMTP (Simple Mail Transfer Protocol)
 SET (Secure Electronic Transaction) on top of HTTP
 Client/server - Kerberos
4.3 Network Protocols and Vulnerabilities
 Attacks on TCP/IP Networks
 The Internet was not originally designed with (much) security in mind
 It was designed to be used by a trusted group of users
 original vision: "a group of mutually trusting users attached to a transparent network", i.e., there was no need for security
 The protocols were not designed to withstand attacks
 The Internet is now used by all sorts of people
 Attackers exploit vulnerabilities at every protocol layer to achieve their goals
 Hence, security considerations at all layers are important!
4.3.1 Data Link Layer: ARP Spoofing
 How does ARP work?
 a computer that wants to reach another computer on the same LAN, and knows only its IP address, broadcasts an ARP request containing that IP address
 the owner of the IP address responds with an ARP reply carrying its Ethernet (MAC) address, and the requester caches the IP-to-MAC mapping
 ARP Spoofing (also called ARP cache poisoning or ARP poison routing) is a link layer attack
 It is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network
 The aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead
 ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic
 Often the attack is used as an opening for other attacks, such as denial of service, man-in-the-middle, or session hijacking attacks
 How does it happen?
 Because ARP is a stateless protocol
 Hosts typically cache any ARP reply they receive, whether or not they sent a matching request
 Even ARP entries that have not yet expired are overwritten when a new ARP reply arrives
 There is no mechanism in the ARP protocol by which a host can authenticate the peer from which a packet originated
 This behavior is the vulnerability that allows ARP spoofing to occur
 Defenses: static ARP entries for critical hosts (e.g., the gateway), Dynamic ARP Inspection on managed switches (which checks ARP messages against DHCP snooping bindings), and monitoring for changed or unsolicited mappings
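As an added example (not from the slides), the Python below builds raw Ethernet/IPv4 ARP messages, feeds them to a cache that behaves exactly as described above (any reply is accepted, existing entries overwritten), and to a passive monitor that flags unsolicited replies and changed IP-to-MAC mappings. The three-packet scenario (victim's request, gateway's genuine reply, attacker's spoofed reply) and all addresses are constructed.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """28-byte Ethernet/IPv4 ARP body (the part after the Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}


class NaiveArpCache:
    """The behaviour the slides describe: every reply is cached, solicited or not,
    and an existing entry is silently overwritten."""
    def __init__(self):
        self.table = {}

    def on_packet(self, pkt: bytes) -> None:
        a = parse_arp(pkt)
        if a["oper"] == REPLY:
            self.table[a["spa"]] = a["sha"]


class ArpMonitor:
    """Passive detector: remembers outstanding requests and the first MAC seen per IP."""
    def __init__(self, static=None):
        self.known = dict(static or {})   # IP -> MAC; may be seeded with static entries
        self.pending = set()              # IPs for which a request was seen
        self.alerts = []

    def on_packet(self, pkt: bytes) -> None:
        a = parse_arp(pkt)
        if a["oper"] == REQUEST:
            self.pending.add(a["tpa"])
            return
        if a["oper"] != REPLY:
            return
        spa, sha = a["spa"], a["sha"]
        if spa not in self.pending:
            self.alerts.append(("unsolicited reply", spa, sha))
        previous = self.known.get(spa)
        if previous is not None and previous != sha:
            self.alerts.append(("mapping changed", spa, previous, sha))
        else:
            self.known[spa] = sha
        self.pending.discard(spa)


def run_scenario():
    """Constructed LAN: gateway 10.0.0.1, victim 10.0.0.5, attacker poisoning the gateway entry."""
    gateway_ip, gateway_mac = "10.0.0.1", "02:00:00:00:00:01"
    victim_ip, victim_mac = "10.0.0.5", "02:00:00:00:00:05"
    attacker_mac = "02:00:00:00:00:ee"
    packets = [
        build_arp(REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip),
        build_arp(REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),
        build_arp(REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),   # the poison
    ]
    cache, monitor = NaiveArpCache(), ArpMonitor()
    for pkt in packets:
        cache.on_packet(pkt)
        monitor.on_packet(pkt)
    return cache.table, monitor.alerts


if __name__ == "__main__":
    table, alerts = run_scenario()
    print("victim's cache:", table)
    print("alerts:", alerts)
```

After the third packet the naive cache maps the gateway's IP to the attacker's MAC, while the monitor has raised two alerts for the same packet; seeding `ArpMonitor` with static entries for the gateway is the equivalent of a static ARP entry on the host.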
4.3.2 Network Layer Security: IPSec
 IP is vulnerable
 IP packets can be intercepted
 on a broadcast LAN
 at routers and switches
 Since the packets are not protected they can be easily read
 Since IP packets are not authenticated they can be easily modified
 Even if the user encrypts his/her data it will still be vulnerable to traffic analysis attacks (who talks to whom, how much, and when)
 Information exchanged between routers to maintain their routing tables is not authenticated
 All sorts of problems can happen if a router is compromised
 IP Security (IPSec) Overview
 There are application-specific security mechanisms for a
number of application areas
 However, security concerns cut across protocol layers
 By implementing security at the IP layer, an organization can
ensure secure networking not only for applications that have
security mechanisms but also for the many security-
ignorant applications
 IPSec provides
 origin authentication
 confidentiality
 message integrity
 replay detection
 key management at the level of IP packets
 Benefits of IPSec
 It is transparent to applications since it is below the transport
layer (TCP, UDP): There is no need to change software on
a user or server system when IPsec is implemented in the
firewall or router
 IPsec can be transparent to end users
 Provides security for individual users
 In addition to supporting end users and protecting premises
systems and networks, IPSec has a role in routing. It assures that
 A router advertisement (a new router advertises its presence)
comes from an authorized router
 A neighbor advertisement (a router seeks to establish or
maintain a neighbor relationship with a router in another routing
domain) comes from an authorized router
 A redirect message comes from the router to which the initial IP
packet was sent
 A routing update is not forged
 IP Security Scenario (figure)
 A message passes through intermediate hosts. If the IPsec mechanisms reside on an intermediate host (for example, a router, a firewall or gateway), that host is called a security gateway
 Components of the IPSec security architecture
 Two protocols provide message security: Encapsulating Security Payload (ESP) and Authentication Header (AH)
 AH provides integrity and origin authentication only; ESP provides confidentiality and, optionally, integrity and origin authentication (ESP with authentication is what most deployments use today)
 Encryption and authentication algorithms
 DOI: Domain of Interpretation: identifiers for approved algorithms, operational parameters like key lifetime
 Key management: the distribution of cryptographic keys for use with the security protocols (namely, the Internet Key Exchange, or IKE)
 Both protocols carry a sequence number that the receiver checks against a sliding window to detect replayed packets
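The replay detection listed among the IPsec services above is done with a sliding window over the ESP/AH sequence number. The Python below is an added example, not the slides' or any IPsec implementation's code, of that window in the style of RFC 4303 section 3.4.3: a packet left of the window is too old, a packet inside the window whose bit is already set is a replay, and the window is only advanced after the packet's integrity check (ICV) has succeeded, so forged sequence numbers cannot move it. The sequence of packets is constructed.

```python
class ReplayWindow:
    """Sliding anti-replay window. `top` is the highest sequence number
    authenticated so far; bit i of `bitmap` records that top - i was received."""
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """Pre-check done before ICV verification: would this packet be accepted?"""
        if seq == 0:
            return False                        # ESP never sends seq 0 with anti-replay on
        if seq > self.top:
            return True                         # newer than anything seen so far
        diff = self.top - seq
        if diff >= self.size:
            return False                        # left of the window: too old
        return not (self.bitmap >> diff) & 1    # inside the window: replay if already marked

    def update(self, seq: int) -> None:
        """Called only after the packet's ICV verified; marks seq as received."""
        mask = (1 << self.size) - 1
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(window: ReplayWindow, packets):
    """packets: iterable of (sequence number, ICV verified?). Returns accept/reject per packet."""
    decisions = []
    for seq, icv_ok in packets:
        accepted = window.check(seq) and icv_ok   # check first, then authenticate
        if accepted:
            window.update(seq)                    # advance only for authentic packets
        decisions.append(accepted)
    return decisions


def example():
    # Constructed trace: in-order traffic, a replay of 3, a jump to 100 (window now
    # covers 37..100), 30 is too old, 40 is late but fresh, 40 again is a replay,
    # a forged 101 with a bad ICV, then the genuine 101.
    packets = [(1, True), (2, True), (3, True), (4, True), (5, True),
               (3, True), (100, True), (30, True), (40, True), (40, True),
               (101, False), (101, True)]
    return process(ReplayWindow(64), packets)


if __name__ == "__main__":
    for (seq, icv), ok in zip(example.__code__.co_consts and [], []):
        pass
    print(example())
```

Note that the forged packet with sequence number 101 does not advance the window, so the genuine 101 is still accepted afterwards; an implementation that updated the window before verifying the ICV would let an attacker "slide" the window past legitimate traffic.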
4.3.3 Transport Layer Security
TCP SYN attacks
 A TCP SYN flood (or synflood) is a denial-of-service attack (often distributed, i.e., a DDoS) that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive
 The attacker sends TCP connection requests faster than the targeted machine can complete them, exhausting the server's queue of half-open connections (the listen backlog) so that new legitimate connections are dropped
 When a client and server establish a normal TCP three-way handshake, the exchange looks like the following
 Client requests a connection by sending a SYN (synchronize) message to the server
 Server acknowledges by sending a SYN-ACK (synchronize-acknowledge) message back to the client, and records the half-open connection while it waits for the final ACK
 Client responds with an ACK (acknowledge) message, and the connection is established
 In a SYN flood attack, the attacker sends repeated SYN packets to one or more listening ports on the targeted server, usually from spoofed (fake) source IP addresses
 The server, unaware of the attack, receives many apparently legitimate requests to establish communication
 It responds to each attempt with a SYN-ACK packet and keeps a half-open connection entry for it
 The attacker either does not send the expected ACK, or - if the IP address is spoofed - never receives the SYN-ACK in the first place
o Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for some time; once the backlog is full, further SYNs (including genuine ones) are dropped
 Common defenses: SYN cookies (the server encodes the connection state in its initial sequence number instead of storing it, so half-open connections cost nothing), shorter SYN-RECEIVED timeouts and larger backlogs, and upstream filtering or rate limiting of SYNs
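The Python below is an added example (not from the slides, and not any operating system's code) that models the server side of the handshake described above: a listening socket with a bounded half-open queue, a flood of SYNs from spoofed addresses that never complete the handshake, and then one genuine client. The same model run with SYN cookies enabled shows why they help: the server stores nothing per SYN and instead verifies the cookie it encoded in its initial sequence number when the ACK arrives. The cookie layout (5 bits of time counter, 24 bits of keyed hash; real cookies also encode the MSS) and all addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import ip_address

COOKIE_SECRET = os.urandom(32)   # per-host secret; assumption: rotated at boot or periodically
COUNTER_PERIOD = 64.0            # seconds per time-counter tick encoded in the cookie


def _cookie_hash(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI", ip_address(src_ip).packed, src_port,
                      ip_address(dst_ip).packed, dst_port, t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Server ISN that encodes the connection instead of storing it."""
    t = int(now // COUNTER_PERIOD)
    return ((t & 0x1F) << 27) | _cookie_hash(src_ip, src_port, dst_ip, dst_port, t)


def check_syn_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now):
    """Accept cookies minted in the current or the previous counter period."""
    t_now = int(now // COUNTER_PERIOD)
    for t in (t_now, t_now - 1):
        if (t >= 0 and (t & 0x1F) == (cookie >> 27) & 0x1F
                and (cookie & 0xFFFFFF) == _cookie_hash(src_ip, src_port, dst_ip, dst_port, t)):
            return True
    return False


class Listener:
    """Model of a listening socket's SYN-RECEIVED (half-open) queue."""
    def __init__(self, ip, port, backlog=128, syn_timeout=60.0, syn_cookies=False):
        self.ip, self.port = ip, port
        self.backlog, self.syn_timeout, self.syn_cookies = backlog, syn_timeout, syn_cookies
        self.half_open = {}        # (src_ip, src_port) -> (server ISN, time SYN-ACK was sent)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items()
                          if now - v[1] < self.syn_timeout}

    def on_syn(self, src_ip, src_port, now):
        """Handshake step 2. Returns the ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return make_syn_cookie(src_ip, src_port, self.ip, self.port, now)   # no state kept
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = (isn, now)
        return isn

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Handshake step 3: the client's ACK must carry our ISN + 1."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            ok = check_syn_cookie((ack_num - 1) & 0xFFFFFFFF, src_ip, src_port,
                                  self.ip, self.port, now)
        else:
            entry = self.half_open.pop(key, None)
            ok = entry is not None and (entry[0] + 1) & 0xFFFFFFFF == ack_num
        if ok:
            self.established.add(key)
        return ok


def simulate(syn_cookies, flood_size=1000, backlog=128):
    """Flood from spoofed sources that never ACK, then one genuine client (addresses constructed)."""
    srv = Listener("192.0.2.10", 80, backlog=backlog, syn_cookies=syn_cookies)
    now = 1000.0
    for i in range(flood_size):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)
    isn = srv.on_syn("198.51.100.7", 40000, now + 1.0)
    ok = isn is not None and srv.on_ack("198.51.100.7", 40000, (isn + 1) & 0xFFFFFFFF, now + 1.1)
    return {"dropped_syns": srv.dropped_syns, "half_open": len(srv.half_open),
            "legit_established": ok}


def forged_ack_rejected():
    """An ACK whose cookie has one bit flipped must not open a connection."""
    srv = Listener("192.0.2.10", 80, syn_cookies=True)
    isn = srv.on_syn("198.51.100.7", 40000, 1000.0)
    return not srv.on_ack("198.51.100.7", 40000, ((isn ^ 1) + 1) & 0xFFFFFFFF, 1000.5)


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))
    print("with SYN cookies:   ", simulate(True))
```

On Linux the real mechanism is enabled with `net.ipv4.tcp_syncookies=1` and kicks in only once the backlog overflows; the price is that TCP options negotiated in the SYN (window scaling, SACK) are lost for cookie-validated connections, which is why it is a fallback rather than the normal path.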
SSL/TLS Protocols
 SSL - Secure Sockets Layer
 Widely deployed, "real-world" security protocol
 Considered the de-facto standard for Internet security
 First designed by Netscape in 1994
 Evolved through versions 1.0, 2.0 and 3.0
 TLS (Transport Layer Security) is the IETF successor: TLS 1.0 (RFC 2246, 1999) was derived from SSL 3.0 and is sometimes called SSL 3.1
 All SSL versions and TLS 1.0/1.1 are now deprecated because of known weaknesses; deployments should use TLS 1.2 or 1.3
 Supports mutual authentication (client certificates are optional; in practice usually only the server is authenticated)
 SSL, like most modern security protocols, is based on cryptography
 When an SSL session is established, the server begins by sending its public key (in a certificate) to the client; no encryption is in use yet
 Both parties (and any eavesdropper) can read this key
 In the classic RSA key exchange, the client then sends a secret to the server encrypted under the server's public key, so that no one else can decode it
 From that secret both sides derive the session keys used to encrypt the rest of the session
 Modern TLS (1.3, and 1.2 with ECDHE cipher suites) instead agrees the secret with an ephemeral Diffie-Hellman exchange that the server signs with its key, so past sessions stay confidential even if the server's private key later leaks (forward secrecy)
 SSL/TLS is used extensively by web browsers to provide secure connections for transferring sensitive data
 SSL-protected HTTP transfer uses port 443 (instead of port 80), and is identified with a special URL scheme - https
 For example: https://www.abc.com/ would cause an SSL-enabled browser to open a secure SSL session to port 443 at www.abc.com
 When HTTPS is used, the following elements of the communication are encrypted
 URL path and query string of the requested document
 Contents of the document
 Contents of browser forms (filled in by the browser user)
 Cookies sent from browser to server and from server to browser
 Contents of HTTP headers
 What remains visible to an eavesdropper: the server's IP address and port, the size and timing of the traffic, and normally the server hostname (in the DNS lookup and in the TLS Server Name Indication extension, unless Encrypted Client Hello is in use)
4.4 Web Security
 The Web (WWW) as a client/server application running over the Internet or a TCP/IP intranet presents new challenges not well appreciated in the context of the mainstream of computer and network security
 It is a very visible outlet for corporate and business transactions; reputations can be damaged and money can be lost if the Web servers are subverted
 Web servers are easy to configure and web content is easy to develop and manage, but the underlying software is extraordinarily complex and may hide many potential security flaws
 Web servers can be exploited as a launching pad to attack corporate data systems, as users are usually not aware of the risks
 Types of Web threats and counter measures
 Integrity
 Data, memory and/or message modification
 Trojan horse browser
 Cryptographic checksums
 Confidentiality
 Eavesdropping
 Theft of data from client & information from server
 Access to information about network configuration
 Access to information about which client is communicating
 Encryption
 Denial of Service
 Killing of user thread
 Machine flooding with bogus requests
 Filling up disk/memory
 Isolating machine by DNS attacks
 Detection and action (suspicious pattern)
 Authentication
 Impersonation of legitimate users
 Data forgery
 Cryptographic techniques
 Types of threats faced in using the Web can also be classified in
terms of the location of the threat
 Web server (computer system security)
 Web browser (computer system security)
 Network traffic security between browser and server (network
security)
 Web security (Web traffic security) mainly falls into the category
of Network traffic security
 Different Web security approaches provide similar services but
differ with respect to their scope of applicability and their relative
location in the TCP/IP protocol stack
 There are three standardized schemes that are becoming
increasingly important as part of Web commerce and that focus
on security at the transport layer: SSL/TLS, HTTPS, and SSH
 SSL/TLS
 Provides security services between TCP and applications that
use TCP
 Provides confidentiality using symmetric encryption and
message integrity using a message authentication code
 It includes protocol mechanisms to enable two TCP users to
determine the security mechanisms and services they will use
 HTTPS (HTTP over SSL) refers to the combination of HTTP and
SSL to implement secure communication between a Web browser
and a Web server
 Secure Shell (SSH) provides secure remote login and other
secure client/server facilities
4.4.1 Secure Sockets Layer
 SSL consists of two layers of protocols: the SSL Record Protocol layer and the upper-layer protocols (SSL Handshake, SSL Change Cipher Spec, SSL Alert)
 SSL Record Protocol: fragments, optionally compresses, MACs and encrypts application data using the keys negotiated by the handshake
 SSL Handshake: allows the server and the client to authenticate each other and negotiate the cipher suite (encryption algorithm, MAC (message authentication code) algorithm) and the cryptographic keys
 SSL Change Cipher Spec: allows the pending state (the newly negotiated keys and algorithms) to be copied into the current state
 SSL Alert: used to convey SSL-related alerts to the peer entity
 Security-Enhanced Application Protocols
 Solution to most application layer security problems are
tackled by developing security-enhanced application
protocols
 Examples
 For FTP - FTPS
 For HTTP - HTTPS
 For SMTP - SMTPS
 For DNS - DNSSEC
4.4.2 Secure Electronic Transaction (SET)
 E-commerce (Electronic Payment)
 Payment involves a customer, a merchant, and often banks
 How does the customer ensure that the merchant gets paid?
 Delivery of goods is in the sphere of Delivery Science 
 Payment systems can be organized based on cash (Fig. a),
check (Fig. b), and credit card (Fig. c)
SET - Secure Electronic Transaction
 The Secure Sockets Layer (SSL) protocol, implemented in most
major Web browsers used by consumers, has helped create a
basic level of security but is not sufficient
 SSL provides a secure channel between the consumer and the
merchant for exchanging payment information, i.e., it supports
confidentiality
 The cardholder is protected from eavesdroppers but not from the
merchant; some merchants are dishonest, e.g., some just put
up an illegal Web site and claim to be the XYZ Corp., or
impersonate the XYZ Corp. and collect credit card numbers for
personal use
 The merchant is not protected from dishonest customers who
supply an invalid credit card number or who claim a refund from
their bank without cause
4.5 Application Layer Security
 DNS Spoofing
 If the attacker has access to a name server, it can modify it so that it gives false information
 e.g., redirecting www.ebay.com to map to the attacker's own IP address
 The cache of a DNS name server can also be poisoned remotely with false information: DNS runs over unauthenticated UDP, so an attacker who can guess the 16-bit transaction ID and the source port of an outstanding query can send a forged reply that the resolver accepts and caches
 Countermeasures: random transaction IDs and source ports, strict matching of replies against outstanding queries, and DNSSEC, which signs the records themselves
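The Python below is an added example, not from the slides or any resolver's code, of the checks a cache must apply to a DNS reply before trusting it. It builds raw DNS query and response messages (uncompressed names only; constructed addresses), keeps outstanding queries keyed by transaction ID and source port, and accepts a reply only if both match, it comes from the server that was asked, and its question section echoes the query; records outside the answer section, or for a name other than the one asked about, are ignored rather than cached. The three replies in the scenario (wrong ID, right ID but wrong port, genuine reply carrying a planted extra record for www.paypal.com) are constructed.

```python
import random
import struct


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def build_response(txid, qname, answers, additional=(), qtype=1) -> bytes:
    """answers/additional: lists of (owner name, IPv4 string), emitted as A records."""
    msg = (struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
           + encode_name(qname) + struct.pack("!HH", qtype, 1))
    for name, ipv4 in list(answers) + list(additional):
        msg += (encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
                + bytes(int(o) for o in ipv4.split(".")))
    return msg


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "flags": flags, "questions": questions, "records": records}


class Resolver:
    def __init__(self):
        self.pending = {}    # (txid, source port) -> (qname, qtype, server asked)
        self.cache = {}
        self.rejected = []

    def send_query(self, qname, server, qtype=1):
        txid = random.randrange(1 << 16)          # random ID and random source port:
        sport = random.randrange(1024, 1 << 16)   # ~32 bits an off-path attacker must guess
        self.pending[(txid, sport)] = (qname, qtype, server)
        return txid, sport, build_query(txid, qname, qtype)

    def receive(self, msg, from_addr, to_port) -> bool:
        m = parse_message(msg)
        key = (m["txid"], to_port)
        if key not in self.pending:
            self.rejected.append("no matching query (txid/port)")
            return False
        qname, qtype, server = self.pending[key]
        if from_addr != server or m["questions"] != [(qname, qtype, 1)]:
            self.rejected.append("server or question mismatch")
            return False
        accepted = False
        for section, name, rtype, rdata in m["records"]:
            if section != "answer" or name != qname:
                self.rejected.append(f"ignored {section} record for {name}")
                continue
            if rtype == 1:
                self.cache[name] = ".".join(map(str, rdata))
                accepted = True
        del self.pending[key]
        return accepted


def run_scenario() -> Resolver:
    r, server, bogus = Resolver(), "192.0.2.53", "198.51.100.66"   # constructed addresses
    txid, sport, _ = r.send_query("www.ebay.com", server)
    r.receive(build_response((txid + 1) & 0xFFFF, "www.ebay.com",
                             [("www.ebay.com", bogus)]), server, sport)   # wrong ID
    r.receive(build_response(txid, "www.ebay.com",
                             [("www.ebay.com", bogus)]), server, 53)      # wrong port
    r.receive(build_response(txid, "www.ebay.com", [("www.ebay.com", "203.0.113.10")],
                             additional=[("www.paypal.com", bogus)]), server, sport)
    return r


if __name__ == "__main__":
    res = run_scenario()
    print("cache:", res.cache)
    print("rejected:", res.rejected)
```

These checks make blind spoofing a guessing game over ID and port, but they cannot stop an attacker who sees the query (on-path) or one who floods guesses at many outstanding queries; only DNSSEC validation lets the resolver tell a forged record from a genuine one.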
 Web Browsers as Threats
 We obtain most of our browsers on-line
 Potential problems that can come from malicious code within the browser
 Inform the attacker of the activities of the user
 Inform the attacker of passwords typed in by the user
 Downgrade browser security (e.g., reduce the key length used in SSL)
4.6 E-mail Security
 E-mails transit through various servers before reaching their destinations
 By default, they are visible to anybody who has access to those servers
 The SMTP protocol has security holes and operational limitations
 E-mail security can be improved using tools and protocols like PGP and S/MIME
o PGP: Pretty Good Privacy
o S/MIME: Secure/Multipurpose Internet Mail Extensions
 PGP
 Philip R. Zimmermann is the creator of PGP (1991); the message format is now standardized as OpenPGP (RFC 4880)
 PGP was released with its source code and is freely available as an e-mail security package
 There are several software implementations available as freeware for most desktop operating systems (e.g., GnuPG)
 PGP provides confidentiality and authentication services that can be used for e-mail and file storage applications
 It provides authentication through the use of digital signatures, confidentiality through the use of symmetric encryption (with the session key encrypted under the recipient's public key), compression using the ZIP algorithm, and e-mail compatibility using the radix-64 (Base64) encoding scheme
 PGP incorporates tools for developing a public-key trust model (the "web of trust") and public-key certificate management
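The "e-mail compatibility" service above is PGP's ASCII armor: the binary output is radix-64 encoded so that it survives 7-bit mail transports, wrapped in BEGIN/END lines, and followed by a CRC-24 of the raw data (the `=xxxx` line) so that transport corruption is noticed before the message is fed to the cryptographic layer. The Python below is an added example, not from the slides or from any OpenPGP implementation; the CRC-24 parameters (initial value 0xB704CE, polynomial 0x1864CFB) are those of RFC 4880 section 6.1, and the payloads and header line are constructed.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP MESSAGE",
          headers=("Comment: constructed example",)) -> str:
    """Radix-64 encode `data` and wrap it: header line, armor headers, blank line,
    76-column base64 body, '=' + base64(CRC-24), tail line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {block_type}-----", *headers, ""]
    lines += [body[i:i + 76] for i in range(0, len(body), 76)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Reverse `armor`; raises ValueError if the checksum does not match the data."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor header/tail line")
    body = lines[lines.index("") + 1:-1]     # everything after the blank line, before the tail
    crc_line = body.pop()
    if not crc_line.startswith("="):
        raise ValueError("missing CRC line")
    data = base64.b64decode("".join(body))
    expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored data was corrupted or altered")
    return data


def is_intact(text: str) -> bool:
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(armor(b"hello"))
```

The CRC only detects accidental damage; anyone who alters the armored text can recompute it, so it is the digital signature inside the message, not the checksum, that provides integrity against an attacker.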
 SMTP
 SMTP limitations - cannot transmit, or has problems with
 Executable files, or other binary files (e.g., JPEG images)
 "national language" characters (non-ASCII)
 Messages over a certain size
 ASCII to EBCDIC translation problems
 Lines longer than a certain length (72 to 254 characters)
 Multipurpose Internet Mail Extension (MIME) is intended to
address some of the problems and limitations of the use
of SMTP
 S/MIME Functions
 S/MIME is an Internet standard approach to e-mail security
that incorporates the same functionality as PGP
 Enveloped Data: Encrypted content and encrypted session
keys for recipients
 Signed Data: Message Digest encrypted with private key of
“signer”
 Clear-Signed Data: Signed but not encrypted
 Signed and Enveloped Data: Various orderings for
encrypting and signing

ANY QUESTIONS?
Thank You!