Chapter 4

Uploaded by Tadde Taressa

Network Security

Network security is any system, device, or action designed to protect the safety and reliability of a network and its data.
 Network security manages access to a network by stopping a variety of threats from entering and spreading through a system.
• Network security is focused on protecting files, documents, and information from such attacks.
• Most commonly, network security starts with authentication in the form of a username and password, but it can also employ other tools like firewalls, anti-virus programs, and virtual private networks (VPNs) to protect the network's information.
Benefits of Network Security

 Builds Trust: Security for large systems translates to security for everyone. Network security boosts client and consumer confidence, and it protects your business from the reputational and legal fallout of a security breach.
 Mitigates Risk: The right network security solution will help your business stay compliant with business and government regulations, and it will minimize the business and financial impact of a breach if it does occur.
 Protects Proprietary Information: Clients and customers rely on organizations to protect their sensitive information. Businesses rely on that same protection, too. Network security ensures the protection of information and data shared across the network.
 Enables a more modern workplace: From allowing employees to work securely from any location using a VPN to encouraging collaboration with secure network access, network security provides options to enable the future of work.
Effective network security also provides many levels of security to scale with your growing business.
Threats and Attacks on Network Security

1. Malware: Malware is a program that attacks information systems. There are various types of malware, each designed to perform specific malicious activities.
• For example, ransomware encrypts files and holds them for ransom, spyware covertly spies on victims, and Trojans infiltrate systems.
 Threat actors use malware to achieve various objectives, such as stealing or secretly copying sensitive data, blocking access to files, disrupting system operations, or making systems inoperable.
2. Phishing: Phishing is a type of fraud that occurs when a threat actor impersonates a reputable entity in person, via email, or through other forms of communication.
 Threat actors often use phishing emails to spread malicious attachments or links that perform various functions, such as extracting the victim's account information or login credentials.
Threats and Attacks on Network Security
3. Bots: A bot is a small program that automates web requests with various goals. Bots perform their tasks without any human intervention, for example scanning website content or testing stolen credit card numbers.
o A bot attack uses automated web requests to defraud, manipulate, or disrupt applications, websites, end users, or APIs.
o Bot attacks were originally used primarily for spam and denial of service, but have evolved into complex enterprises with economies and infrastructure that enable waging additional, more damaging attacks.
4. DDoS Attacks: A Distributed Denial of Service (DDoS) attack employs multiple compromised computer systems to attack a target and cause a denial of service for the targeted resource's users.
It sends a flood of messages, malformed packets, or connection requests to the target system, forcing it to slow down or shut down entirely, denying service to legitimate systems and users.
DDoS attacks can target a website, a server, or other network resources.
Threats and Attacks on Network Security
5. Advanced Persistent Threats (APTs): An APT is a targeted and prolonged attack during which intruders gain unauthorized access to a network and remain undetected for an extended time.
Threat actors usually launch APT attacks to steal data rather than to damage the target's network.
6. Drive-by Download: A drive-by download is the unintentional download of malicious code to a computer or mobile device, exposing the victim to a cyber attack.
 Unlike other cyberattacks, a drive-by does not rely on the user actively enabling the attack.
It exploits an application, web browser, or operating system containing security flaws, which may be present because of missing or failed updates.
7. DNS Attack: A DNS attack occurs when a threat actor exploits vulnerabilities in the domain name system (DNS).
Network Security Vulnerabilities
 In computer security, a vulnerability is a weakness that can be exploited by a threat actor, usually for malicious purposes. There are four main types of security vulnerabilities:
A. Misconfigurations: Incorrectly configured systems and applications are often the weakest links in an organization's security posture.
 A poorly configured firewall, weak passwords, and leaving default accounts active are all examples of common misconfigurations that can lead to serious security vulnerabilities.
B. Unsecured APIs: Many modern applications rely on application programming interfaces (APIs) to function properly.
 However, if APIs are not properly secured, they can be a serious security vulnerability. Attackers can exploit unsecured APIs to gain access to sensitive data or even take control of entire systems.
C. Outdated or Unpatched Software: Software vulnerabilities are often the root cause of major security breaches.
 Outdated software is especially vulnerable, as attackers can exploit known weaknesses that have already been patched in newer versions.
Unpatched software is also a major security risk, as many organizations fail to apply critical security updates in a timely manner.
Network Security Vulnerabilities
D. Zero-Day Vulnerability: A zero-day vulnerability is a previously unknown security flaw exploited by attackers before the vendor has patched it.
• These vulnerabilities are extremely dangerous, as there is usually no way to defend against them until after they have been exploited.
TCP/IP Suite Weaknesses and Buffer Overflow
 Sniffing: Sniffing is the act by machine S of making copies of a network packet sent by machine A and intended to be received by machine B.
Sniffing can be used for monitoring the health of a network as well as for capturing the passwords used in telnet, rlogin, and FTP connections.
 Buffer Overflow: Many network server programs run with the privileges of the super user, so a buffer overflow bug in one of them can hand an attacker those privileges. Among the many servers that have suffered from such bugs are several implementations of FTP servers, the ubiquitous DNS server program called bind, the popular mail server called sendmail, and the Web server IIS, to name a few.
TCP/IP Suite Weaknesses and Buffer Overflow

 Spoofing: Spoofing refers to altering (portions of) a packet so that the overall packet remains structurally legitimate (e.g., checksums are valid) but the information it contains is fake.
 Poisoning: Many network services are essentially mappings implemented as table lookups.
– The mappings are dynamic, and the update methods are well defined.
• Unfortunately, who is qualified to provide the updates, and how messages that carry update information are to be authenticated, are ill defined.
– An attacker takes advantage of this and provides fake updates, causing the table to be "poisoned."
TCP/IP Suite Weaknesses and Buffer Overflow
 TCP "SYN" Attack: This attack abuses the three-way handshake used between a host and a server to set up a connection. A server has limited resources. Once it responds to a SYN request with a SYN ACK, it sets aside resources for this connection and listens for the ACK from the client. If the attacker sends many SYNs within a very short interval, the server exhausts its resources. The attacker does not respond to the SYN ACKs sent by the server, and the connections are left half open. The server is then unable to respond to further connection requests because its resources are exhausted, and denial of service takes place.
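The half-open queue described above, modelled in a small constructed Python example (added here, not part of the slides) next to SYN cookies, the standard mitigation that keeps no state until the client's final ACK arrives; the backlog size, secret, addresses and class names are assumptions.

```python
import hashlib
import hmac

# Constructed model, not real socket code: a server's queue of half-open
# connections (the resources "set aside" after answering SYN with SYN/ACK)
# beside a SYN-cookie server that stores nothing until the final ACK.
BACKLOG = 5   # assumed limit on half-open connections; real kernels allow thousands


class StatefulServer:
    """Allocates an entry for every SYN, so unanswered SYN/ACKs fill the queue."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}   # (client_ip, client_port) -> time SYN/ACK was sent

    def on_syn(self, client, now):
        if len(self.half_open) >= self.backlog:
            return "dropped"          # queue exhausted: denial of service
        self.half_open[client] = now
        return "syn-ack"

    def on_ack(self, client, now):
        if client not in self.half_open:
            return "rejected"
        del self.half_open[client]    # handshake complete, entry released
        return "established"


class SynCookieServer:
    """Encodes a keyed hash of the client address and a coarse timestamp in the
    SYN/ACK sequence number; the final ACK echoes it, so no state is kept."""

    def __init__(self, secret=b"constructed-demo-secret"):
        self.secret = secret

    def _cookie(self, client, minute):
        msg = f"{client[0]}:{client[1]}:{minute}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:8]

    def on_syn(self, client, now):
        return "syn-ack", self._cookie(client, int(now // 60))

    def on_ack(self, client, cookie, now):
        minute = int(now // 60)
        for m in (minute, minute - 1):   # accept the current or previous minute
            if hmac.compare_digest(self._cookie(client, m), cookie):
                return "established"
        return "rejected"


def legit_after_flood(server, flood_count, now=1000.0):
    """Send flood_count SYNs that never complete, then one honest client's
    full handshake; returns what happened to the honest client."""
    for i in range(flood_count):
        server.on_syn(("198.51.100.1", 1024 + i), now)   # constructed flood source
    legit = ("192.0.2.10", 40000)
    reply = server.on_syn(legit, now)
    if reply == "dropped":
        return reply
    if isinstance(reply, tuple):                  # cookie server: echo the cookie
        return server.on_ack(legit, reply[1], now + 1.0)
    return server.on_ack(legit, now + 1.0)
```

With twenty unfinished SYNs the stateful server drops the honest client, while the cookie server still completes its handshake because the flood never consumed any state.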
 Connection Hijacking: Authentication between two hosts takes place during the initial stages of the connection setup.
o After that, no further authentication is required.
 The attacker can take advantage of this by sending a reset to the client, killing the connection on the client's side, and then spoofing the client to continue the session with the server.
Network Security Protocols
Network security entails securing data against attacks while it is in transit on a network.
• To achieve this goal, many real-time security protocols have been designed. Such a protocol needs to provide at least the following primary objectives:
 The parties can negotiate interactively to authenticate each other.
 Establish a secret session key before exchanging information on the network.
 Exchange the information in encrypted form.
 Interestingly, these protocols work at different layers of the networking model. For example,
 S/MIME (Secure/Multipurpose Internet Mail Extensions) works at the Application layer,
 SSL (Secure Socket Layer) is developed to work at the Transport layer, and
 IPsec (IP Security) works at the Network layer.
Application Layer Security

Email Security
The growing use of e-mail communication for important and crucial transactions demands the provision of certain fundamental security services, such as the following:
• Confidentiality − The e-mail message should not be read by anyone but the intended recipient.
• Authentication − The e-mail recipient can be sure of the identity of the sender.
• Integrity − Assurance to the recipient that the e-mail message has not been altered since it was transmitted by the sender.
• Non-repudiation − The e-mail recipient is able to prove to a third party that the sender really did send the message.
• Proof of submission − The e-mail sender gets confirmation that the message was handed to the mail delivery system.
• Proof of delivery − The sender gets confirmation that the recipient received the message.
Cont.
Security services such as privacy, authentication, message integrity, and non-repudiation are usually provided using public key cryptography.
 Here are the protocols and schemes used in email security.
 Pretty Good Privacy (PGP) is an e-mail encryption scheme.
 It works at the application layer.
 It has become the de facto standard for providing security services for e-mail communication.
 S/MIME: S/MIME is a secure e-mail standard. It is based on an earlier, non-secure e-mail standard called MIME.
 Secure e-mail communication in a captive network can be provided by adopting PGP.
 For e-mail security over the Internet, where mails are very often exchanged with new, unknown users, S/MIME is considered a good option.
Application Layer Security
Web Security
Secure web browsing is provided by HTTPS (Secured HTTP).
o It stands for HTTP over SSL.
o This protocol is used to provide an encrypted and authenticated connection between the client web browser and the website server.
 Secure browsing through HTTPS ensures that the following content is encrypted:
 URL of the requested web page.
 Web page contents provided by the server to the user client.
 Contents of forms filled in by the user.
 Cookies established in both directions.
Transport Layer Security

 The security at this layer is mostly used to secure HTTP-based web transactions on a network.
 The main protocols that provide security schemes at the transport layer are TLS and SSL.
Transport Layer Security (TLS)
• TLS protocols operate above the TCP layer. The design of these protocols uses the popular Application Program Interface (API) to TCP, called "sockets", for interfacing with the TCP layer.
• Applications are now interfaced to the Transport Security Layer instead of TCP directly.
• The Transport Security Layer provides a simple API with sockets, which is similar and analogous to TCP's API.
• TLS is designed to operate over TCP, the reliable layer 4 protocol (not over UDP), which makes the design of TLS much simpler, because it doesn't have to worry about timing out and retransmitting lost data.
• The TCP layer continues doing that as usual, which serves the needs of TLS.
Secure Socket Layer (SSL)
• SSL provides network connection security through confidentiality, authentication, and reliability.
– It is available for all TCP applications and is supported by almost all web browsers. It provides ease in doing business with new online entities.
– It was developed primarily for web e-commerce.
Network Layer Security

Internet Protocol Security (IPSec)

The popular framework developed for ensuring security at the network layer is Internet Protocol Security (IPsec).
IPsec provides an easy mechanism for implementing a Virtual Private Network (VPN) for medium to large institutions.
The important security functions provided by IPsec are as follows:
 Confidentiality: Enables communicating nodes to encrypt messages. Prevents eavesdropping by third parties.
 Origin authentication and data integrity: Provides assurance that a received packet was actually transmitted by the party identified as the source in the packet header. Confirms that the packet has not been altered.
 Key Management: Allows secure exchange of keys.
Protection against certain types of security attacks, such as replay attacks.
Link Layer Security

• The data link layer in Ethernet networks is highly prone to several attacks. The most common attacks are:
o ARP Spoofing (the process of modifying a target host's ARP cache with a forged entry),
o MAC Flooding (the attacker floods the switch with MAC addresses using forged ARP packets until the CAM table is full),
o Port Stealing (an attack that exploits the ability of a switch to bind MACs to ports).
• Several methods have been developed to mitigate these types of attacks. Some of the important methods are:
Link Layer Security
Port Security
 It is a feature available on intelligent Ethernet switches. By default, port security limits the ingress MAC address count to one.
 The port can be configured to shut down or to block the MAC addresses that exceed a specified limit.
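A constructed Python model (added here, not from the slides or any vendor) of a switch's CAM table, showing how the MAC flooding described earlier fills the table so that a later host's traffic is flooded to every port, and how port security with the default limit of one MAC shuts the offending port instead; the table size, port numbers and MAC addresses are assumptions.

```python
# Constructed model of a switch's CAM (MAC-to-port) table with the port
# security feature described above; a hypothetical class, not vendor code.
CAM_CAPACITY = 8   # assumed table size; real switches hold thousands of entries


class Switch:
    def __init__(self, capacity=CAM_CAPACITY):
        self.capacity = capacity
        self.cam = {}            # source MAC -> port it was learned on
        self.max_macs = {}       # port -> limit set by port security
        self.seen = {}           # port -> MACs that have sent frames on it
        self.shutdown = set()    # ports disabled after a violation

    def enable_port_security(self, port, max_macs=1):
        """Default limit of one ingress MAC, as on the slide."""
        self.max_macs[port] = max_macs

    def learn(self, port, src_mac):
        """Handle a frame arriving on `port`; returns the action taken."""
        if port in self.shutdown:
            return "dropped: port shut down"
        seen = self.seen.setdefault(port, set())
        limit = self.max_macs.get(port)
        if limit is not None and src_mac not in seen and len(seen) >= limit:
            self.shutdown.add(port)       # violation: shut the port down
            return "violation: port shut down"
        seen.add(src_mac)
        if src_mac not in self.cam and len(self.cam) >= self.capacity:
            return "cam full: frame flooded"   # exhausted table, switch acts like a hub
        self.cam[src_mac] = port
        return "learned"

    def forward(self, dst_mac):
        """Unicast to the learned port, or flood to every port if unknown."""
        return self.cam.get(dst_mac, "flood")


def mac_flood_outcome(protected, frames=20):
    """Replay `frames` forged source MACs on port 3, then let a real host on
    port 2 speak; returns (last action on port 3, where host 2's traffic goes)."""
    sw = Switch()
    if protected:
        sw.enable_port_security(3)
    last = None
    for i in range(frames):
        last = sw.learn(3, f"de:ad:be:ef:00:{i:02x}")    # constructed forged MACs
    sw.learn(2, "aa:aa:aa:aa:aa:02")
    return last, sw.forward("aa:aa:aa:aa:aa:02")
```

Without port security the real host on port 2 can no longer be learned and its frames are flooded to all ports, including the attacker's; with it, port 3 is shut down after the second MAC and host 2 is learned normally.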
DHCP Spoofing
o DHCP spoofing is an attack where the attacker listens for DHCP requests from hosts on the network and answers them with a fake DHCP response before the authorized DHCP response reaches the host.
o DHCP snooping can prevent such attacks. DHCP snooping is a switch feature: the switch can be configured to determine which switch ports may respond to DHCP requests.
o Switch ports are identified as trusted or untrusted ports.
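The trusted/untrusted port rule above, as a constructed Python model (added here, not vendor code): server-side DHCP messages are accepted only from trusted ports, so the rogue reply that arrives first is dropped, and the real server's ACK is recorded in a binding table that also lets the switch reject a forged RELEASE. Port numbers, MAC and IP addresses are assumptions.

```python
# Constructed model of DHCP snooping on a switch, a hypothetical class and not
# vendor code: replies that only a DHCP server should send (OFFER/ACK/NAK) are
# accepted from trusted ports only, and ACKs build a MAC-to-IP binding table.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}   # client MAC -> untrusted port it last spoke from
        self.bindings = {}      # client MAC -> (leased IP, port), learned from ACKs

    def inspect(self, port, msg):
        """msg: dict with 'type', 'client_mac' and, for OFFER/ACK, 'yiaddr'."""
        kind, mac = msg["type"], msg["client_mac"]
        if kind in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop: server reply on untrusted port"   # rogue server
            if kind == "ACK":
                self.bindings[mac] = (msg["yiaddr"], self.client_port.get(mac))
            return "forward"
        if kind in ("DISCOVER", "REQUEST"):
            self.client_port[mac] = port
            return "forward"
        if kind == "RELEASE":
            bound = self.bindings.get(mac)
            if bound is None or bound[1] != port:
                return "drop: release does not match binding"  # spoofed release
            del self.bindings[mac]
            return "forward"
        return "drop: unknown message type"


def rogue_offer_race():
    """A host on port 5 asks for a lease; a rogue server on untrusted port 7
    answers first, the real server on trusted port 1 answers second."""
    snoop = DhcpSnooping(trusted_ports={1})
    host = "aa:aa:aa:aa:aa:05"                       # constructed client MAC
    exchange = [
        (5, {"type": "DISCOVER", "client_mac": host}),
        (7, {"type": "OFFER", "client_mac": host, "yiaddr": "10.0.0.50"}),
        (1, {"type": "OFFER", "client_mac": host, "yiaddr": "10.0.0.20"}),
        (5, {"type": "REQUEST", "client_mac": host}),
        (1, {"type": "ACK", "client_mac": host, "yiaddr": "10.0.0.20"}),
        (7, {"type": "RELEASE", "client_mac": host}),   # forged release from port 7
    ]
    return [snoop.inspect(p, m) for p, m in exchange], dict(snoop.bindings)
```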
Spanning Tree Protocol (STP)
 In order to provide desired path redundancy, as well as to
Physical Security
Restricting access to the devices on a network is a very essential step for securing a network.
Since network devices comprise communication as well as computing equipment, compromising them can potentially bring down an entire network and its resources. Paradoxically, many organizations ensure excellent security for their servers and applications but leave communicating network devices with rudimentary security.
• An important aspect of network device security is access control and authorization.
– Many protocols have been developed to address these two requirements and enhance network security to higher levels.
Physical Security
User Authentication and Authorization
User authentication is necessary to control access to the network systems, in particular network infrastructure devices.
 Authentication has two aspects:
– general access authentication and
– functional authorization.
 General access authentication is the method to control whether a particular user has "any" type of access right to the system he is trying to connect to.
 Usually, this kind of access is associated with the user having an "account" with that system.
 Authorization deals with individual user "rights".
 For example, it decides what a user can do once authenticated; the user may be authorized to configure the device or only to view the data.
 User authentication depends upon factors that include something the user knows (password), something he has (cryptographic token/card), or something he is (biometric).
 The use of more than one factor for identification and authentication provides the basis for multifactor authentication.
Physical Security
Password Based Authentication
At a minimum, all network devices should have username and password authentication.
The password should be non-trivial (at least 10 characters, with mixed letters, numbers, and symbols).
 In the case of remote access by the user, a method should be used to ensure usernames and passwords are not passed in the clear over the network.
– Passwords should also be changed with some reasonable frequency.
Centralized Authentication Methods
An individual device-based authentication system provides a basic access control measure.
 However, a centralized authentication method is considered more effective and efficient when the network has a large number of devices with large numbers of users accessing these devices.
 Traditionally, centralized authentication was used to solve problems faced in remote network access.
 In Remote Access Systems (RAS), the administration of users on the network devices is not practical.
Physical Security
 Placing all user information in all devices and then keeping that information up to date is an administrative nightmare.
 Centralized authentication systems, such as RADIUS and Kerberos, solve this problem.
 These centralized methods allow user information to be stored and managed in one place.
 These systems can usually be seamlessly integrated with other user account management schemes such as Microsoft's Active Directory or LDAP directories.
 Most RADIUS servers can communicate with other network devices using the normal RADIUS protocol and then securely access account information stored in the directories.
Physical Security
Access Control Lists
Many network devices can be configured with access lists.
 These lists define hostnames or IP addresses that are authorized to access the device.
• It is typical, for instance, to restrict access to network equipment from all IPs except the network administrator's.
– This then protects against any type of access that might be unauthorized.
 These types of access lists serve as an important last defense and can be quite powerful on some devices, with different rules for different access protocols.
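A constructed Python example (added here, not the slides' material or any vendor syntax) of a per-protocol device access list of the kind just described, evaluated first-match with an implicit deny, plus a check for the common mistake of a rule that an earlier, broader rule shadows; the admin subnet and monitoring host are assumed values.

```python
import ipaddress

# Constructed example of a device access list (hypothetical helper, not a
# vendor syntax): ordered rules evaluated first-match, per access protocol,
# with an implicit deny when nothing matches.
RULES = [
    # (action, protocol, source network)
    ("permit", "ssh",   "192.0.2.0/28"),     # assumed administrator subnet
    ("permit", "snmp",  "192.0.2.250/32"),   # assumed monitoring host
    ("deny",   "any",   "0.0.0.0/0"),        # explicit catch-all
]


def compile_rules(rules):
    return [(action, proto, ipaddress.ip_network(net)) for action, proto, net in rules]


def allowed(rules, src_ip, protocol):
    """First matching rule decides; anything unmatched is denied."""
    src = ipaddress.ip_address(src_ip)
    for action, proto, net in rules:
        if proto in (protocol, "any") and src.version == net.version and src in net:
            return action == "permit"
    return False


def shadowed(rules):
    """Indices of rules that can never match because an earlier rule already
    covers their protocol and source network, a common ordering mistake."""
    hidden = []
    for i, (_, proto, net) in enumerate(rules):
        for _, earlier_proto, earlier_net in rules[:i]:
            if (earlier_proto in (proto, "any") and net.version == earlier_net.version
                    and net.subnet_of(earlier_net)):
                hidden.append(i)
                break
    return hidden
```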
Wireless Security

Wireless security is the protection of wireless networks, devices, and data from unwanted access and breaches.
• Wireless networks broadcast data using radio waves, which can be intercepted by anybody within the network's range.
– As a result, wireless networks are prone to eavesdropping, illegal access, and theft.
 Wireless security protocols encrypt data transmitted over wireless networks to prevent unauthorized access and eavesdropping.
 They also provide authentication mechanisms to verify the identity of users and devices attempting to access the network.
 These protocols implement access control rules to determine which users or devices are allowed on the network and what their access level is.
Wireless Security
o Wired Equivalent Privacy (WEP): employs a shared-key authentication mechanism and the RC4 encryption algorithm to encrypt data.
– However, this protocol is outdated and considered insecure because it is easily broken.
o Wi-Fi Protected Access (WPA): is an improvement on WEP introduced in 2003. It provides stronger security measures like message integrity checks and improved key management.
– WPA uses the Temporal Key Integrity Protocol (TKIP) encryption algorithm, but is still vulnerable to attacks.
o Wi-Fi Protected Access II (WPA2): introduced in 2004, remains the most popular wireless security protocol.
o It uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES) encryption algorithm, for stronger security measures.
 WPA2 is basically an upgraded version of WPA, since it features improved management and is less vulnerable to attacks.
Wireless Security
o Wi-Fi Protected Access III (WPA3): is the latest wireless security protocol and offers enhanced security features such as stronger encryption, protection against dictionary attacks, and individualized data encryption.
o Announced in 2018 by the Wi-Fi Alliance, WPA3 simplifies the process of configuring devices with little to no display interface, such as IoT devices, by introducing Wi-Fi Easy Connect.
– This works by allowing the IoT device to present a QR code or a Near Field Communication (NFC) tag, which the user can scan with their device to establish a secure Wi-Fi connection.
o Despite advances like stronger encryption and more secure key exchange, WPA3 has yet to gain much traction among users.
Assignment

– Firewall
– Proxy server
– IDS/IPS
– Virtual Private Network
