Debremrkos University

Department of
Computer Science
Computer Security

Chapter Four: Network Security

 4.1 Network security basics
• Security is a continuous process of protecting an object from unauthorized access. It is as state
of being or feeling protected from harm.
• That object in that state may be a person, an organization such as a business, or property such
as a computer system or a file.
• Network Security deals with all aspects related to the protection of the sensitive information
assets existing on the network.
• It covers various mechanisms developed to provide fundamental security services for data
communication.
 4.2 Threats and Vulnerabilities on Network
4.2.1 Security Threats
• When talking about threat it can be any person or event that can cause the damage of data or
network. Threats can also be natural for example wind, lightning, flooding or can be
accidental, such as accidentally deletion of file.
4.2.2 Security Vulnerabilities
• System vulnerabilities are weaknesses in the software or hardware on a server or a client that
can be exploited by a determined intruder to gain access to or shut down a network. System
vulnerability as a condition, a weakness of or an absence of security procedure, or technical,
physical, or other controls that could be exploited by a threat.
• Vulnerabilities defined as the weakness in any network that can be exploited by a threat.
Recently almost in all areas network technologies have been applied, such as banking, E-
Commerce, ETC.
• These applications are consist of different network devices and computers and it is very
important to protect these applications and devices from malicious hackers so that chances to
exploit the vulnerabilities may reduce.
• Available hardware and software tools in the market:
Firewalls,
Intrusion Detection Systems (IDS),
antivirus software and vulnerability scanning software
 4.5 Network security protocols
• Network security is one of the essential cybersecurity branches, and protocols play a vital role
in securing the network.
• Network security protocols are a type of network protocol that ensures the security and
integrity of data in transit over a network connection.
• Network security protocols define the processes and methodology to secure network data from
any illegitimate attempt to review or extract the contents of data.
• Network security protocols are primarily designed to prevent any unauthorized user,
application, service or device from accessing network data.
• Network security protocols generally implement cryptography and encryption techniques to
secure the data so that it can only be decrypted with a special algorithm, logical key,
mathematical formula and/or a combination of all of them.
• Some of the popular network security protocols include Secure File Transfer Protocol (SFTP),
Secure Hypertext Transfer Protocol (HTTPS) and Secure Socket Layer (SSL).
4.5.1 Application Layer Security
• Various business services are now offered online though client-server applications. The most
popular forms are web application and e-mail.
• In both applications, the client communicates to the designated server and obtains services.
• While using a service from any server application, the client and server exchange a lot of
information on the underlying intranet or Internet.
• We are aware of fact that these information transactions are vulnerable to various attacks.
• Network security entails securing data against attacks while it is in transit on a network.
• To achieve this goal, many real-time security protocols have been designed. Such protocol
needs to provide at least the following primary objectives −
The parties can negotiate interactively to authenticate each other.
Establish a secret session key before exchanging information on network.
Exchange the information in encrypted form.

• Interestingly, these protocols work at different layers of networking model.

• For example, S/MIME (Secure/Multipurpose internet Mail Extensions) protocol works at
Application layer, SSL protocol is developed to work at transport layer, and IPsec protocol
works at Network layer.
 4.5.1.1 Web security
• Web Security may be defined as technological and managerial procedures applied to computer
systems to ensure the availability, integrity, and confidentiality of information.
• It means that protection of integrity, availability and confidentiality of computer assets and
services from associated threats and vulnerabilities.
• The security of the web is divided into two categories (a) computer security, and (b) network
security.
• In generic terms, computer security is the process of securing a single, standalone computer;
while network security is the process of securing an entire network of computers.
 4.5.1.2 E-mail Security
• Nowadays, e-mail has become very widely used network application.
E-mail Infrastructure
• The simplest way of sending an e-mail would be sending a message directly from the sender’s
machine to the recipient’s machine.
• In this case, it is essential for both the machines to be running on the network simultaneously.

• The mail is sent to a mail server which is permanently available on the network.
• When the recipient’s machine connects to the network, it reads the mail from the mail server.
• In general, the e-mail infrastructure consists of a mesh of mail servers, also termed as Message
Transfer Agents (MTAs) and client machines running an e-mail program comprising of User
Agent (UA) and local MTA.
• Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs and
finally reaches the UA on the recipient’s machine.

• The protocols used for e-mail are as follows −

 Simple mail Transfer Protocol (SMTP) used for forwarding e-mail messages.
 Post Office Protocol (POP) and Internet Message Access Protocol (IMAP) are used to retrieve
the messages by recipient from the server.
 E-Mail Security Services
• Growing use of e-mail communication for important and crucial transactions demands
provision of certain fundamental security services as the following −
 Confidentiality − E-mail message should not be read by anyone but the intended
recipient.
 Authentication − E-mail recipient can be sure of the identity of the sender.
 Integrity − Assurance to the recipient that the e-mail message has not been altered since it
was transmitted by the sender.
 Proof of submission − E-mail sender gets the confirmation that the message is handed to
the mail delivery system.
 Proof of delivery − Sender gets a confirmation that the recipient received the message.
 4.5.2 Transport layer security
• Network security entails securing data against attacks while it is in transit on a network. To
achieve this goal, many real-time security protocols have been designed.
• There are popular standards for real-time network security protocols such as S/MIME,
SSL/TLS, SSH, and IPsec.
Need for Transport Layer Security
• Bob visits Alice’s website for selling goods. In a form on the website, Bob enters the type of
good and quantity desired, his address and payment card details.
• Bob clicks on Submit and waits for delivery of goods with debit of price amount from his
account.
• All this sounds good, but in absence of network security, Bob could be in for a few surprises.
 If transactions did not use confidentiality (encryption), an attacker could obtain his payment
card information. The attacker can then make purchases at Bob's expense.
 If no data integrity measure is used, an attacker could modify Bob's order in terms of type or
quantity of goods.
 Lastly, if no server authentication is used, a server could display Alice's famous logo but the
site could be a malicious site maintained by an attacker, who is masquerading as Alice. After
receiving Bob's order, he could take Bob's money and flee. Or he could carry out an identity
theft by collecting Bob's name and credit card details.
• Transport layer security schemes can address these problems by enhancing TCP/IP based
network communication with confidentiality, data integrity, server authentication, and client
authentication.
• The security at this layer is mostly used to secure HTTP based web transactions on a network.
However, it can be employed by any application running over TCP.
 Philosophy of TLS Design
• Transport Layer Security (TLS) protocols operate above the TCP layer. Design of these
protocols use popular Application Program Interfaces (API) to TCP, called “sockets" for
interfacing with TCP layer.
• Applications are now interfaced to Transport Security Layer instead of TCP directly. Transport
Security Layer provides a simple API with sockets, which is similar and analogous to TCP's
API.
• TLS is designed to operate over TCP, the reliable layer 4 protocol (not on UDP protocol), to
make design of TLS much simpler, because it doesn't have to worry about ‘timing out’ and
‘retransmitting lost data’. The TCP layer continues doing that as usual which serves the need of
TLS.
Why TLS is Popular?
• The reason for popularity of using a security at Transport Layer is simplicity. Design and
deployment of security at this layer does not require any change in TCP/IP protocols that are
implemented in an operating system.
• Only user processes and applications needs to be designed/modified which is less complex.
Secure Socket Layer (SSL)
• In this section, we discuss the family of protocols designed for TLS. The family includes SSL
versions 2 and 3 and TLS protocol.
 Features of SSL
• The salient features of SSL protocol are as follows −SSL provides network connection security
through −
• Confidentiality − Information is exchanged in an encrypted form.
• Authentication − Communication entities identify each other through the use of digital
certificates. Web-server authentication is mandatory whereas client authentication is kept
optional.
• Reliability − Maintains message integrity checks.
SSL is available for all TCP applications
Supported by almost all web browsers
Provides ease in doing business with new online entities
Developed primarily for web e-commerce
 4.5.3 Network layer security
• Network layer security controls have been used frequently for securing communications,
particularly over shared networks such as the Internet because they can provide protection for
many applications at once without modifying them.
• SSL is developed specifically to secure applications like HTTP or FTP. But there are several
other applications which also need secure communications.
• In 1992, the Internet Engineering Task Force (IETF) began to define a standard ‘IPsec’. how
security is achieved at network layer using this very popular set of protocol IPsec?
• Any scheme that is developed for providing network security needs to be implemented at some
layer in protocol stack as depicted in the diagram below −

• The popular framework developed for ensuring security at network layer is Internet Protocol
Security (IPsec).
 Features of IPsec
• IPsec is not designed to work only with TCP as a transport protocol. It works with UDP as well
as any other protocol above IP such as ICMP, OSPF etc.
• IPsec protects the entire packet presented to IP layer including higher layer headers.
• Since higher layer headers are hidden which carry port number, traffic analysis is more
difficult.
• IPsec works from one network entity to another network entity, not from application process to
application process. Hence, security can be adopted without requiring changes to individual
user computers/applications.
• Tough widely used to provide secure communication between network entities, IPsec can
provide host-to-host security as well.
• The most common use of IPsec is to provide a Virtual Private Network (VPN), either between
two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-
 4.5.4 Link layer security
• We have seen that rapid growth of Internet has raised a major concern for network security.
• Several methods have been developed to provide security in the application, transport, or
network layer of a network.
• Many organizations incorporate security measures at higher OSI layers, from application layer
all the way down to IP layer.
• However, one area generally left unattended is hardening of Data Link layer. This can open the
network to a variety of attacks and compromises.
 Security Concerns in Data Link Layer
• Data link Layer in Ethernet networks is highly prone to several attacks. The most common
attacks are −
ARP Spoofing
• Address Resolution Protocol (ARP) is a protocol used to map an IP address to a physical
machine address recognizable in the local Ethernet.
• When a host machine needs to find a physical Media Access Control (MAC) address for an IP
address, it broadcasts an ARP request.
• The other host that owns the IP address sends an ARP reply message with its physical address.
• Each host machine on network maintains a table, called ‘ARP cache’. The table holds the IP
address and associated MAC addresses of other host on the network.
• Since ARP is a stateless protocol, every time a host gets an ARP reply from another host, even
though it has not sent an ARP request, it accepts that ARP entry and updates its ARP cache.
• The process of modifying a target host’s ARP cache with a forged entry known as ARP
poisoning or ARP spoofing.
• ARP spoofing may allow an attacker to masquerade as legitimate host and then intercept data
frames on a network, modify or stop them.
• Often the attack is used to launch other attacks such as man-in-the-middle, session hijacking,
or denial of service.
 MAC Flooding
• Every switch in the Ethernet has a Content-Addressable Memory (CAM) table that stores the
MAC addresses, switch port numbers, and other information.
• The table has a fixed size. In the MAC flooding attack, the attacker floods the switch with
MAC addresses using forged ARP packets until the CAM table is full.
• Once CAM is flooded, the switch goes into hub-like mode and starts broadcasting the traffic
that do not have CAM entry.
• The attacker who is on the same network, now receives all the frames which were destined
only for a specific host.
 Port Stealing
• Ethernet switches have the ability to learn and bind MAC addresses to ports.
• When a switch receives traffic from a port with a MAC source address, it binds the port
number and that MAC address.
• The port stealing attack exploits this ability of the switches. The attacker floods the switch with
forged ARP frames with the target host’s MAC address as the source address.
• Switch is fooled to believe that the target host is on port, on which actually an attacker is
connected.
• Now all data frames intended for the targeted host are sent to the attacker’s switch port and not
to the target host.
• Thus, the attacker now receives all the frames which were actually destined only for the target
host.
 DHCP Attacks
• Dynamic Host Configuration Protocol (DHCP) is not a datalink protocol but solutions to
DHCP attacks are also useful to thwart Layer 2 attacks.
• DHCP is used to dynamically allocate IP addresses to computers for a specific time period.

• It is possible to attack DHCP servers by causing denial of service in the network or by

impersonating the DHCP server.
• In a DHCP starvation attack, the attacker requests all of the available DHCP addresses. This
results in a denial of service to the legitimate host on the network.
• In DHCP spoofing attack, the attacker can deploy a rogue DHCP server to provide addresses to
the clients.
• Here, the attacker can provide the host machines with a rouge default gateway with the DHCP
responses.
• Data frames from the host are now guided to rouge gateway where the attacker can intercept all
package and reply to actual gateway or drop them.
Securing Ethernet LANs
• We discussed some widely known attacks at Data Link Layer in the previous section.
• Several methods have been developed to mitigate these types of attacks. Some of the important
methods are −
• Port Security: Anyone can access an unsecure network by simply connecting the host to one
of the available switch ports.
• By default, port security limits the ingress MAC address count to one. However, it is possible
to allow more than one authorized host to connect from that port through configuration.
Allowed MAC addresses per interface can be statically configured.
• To ensure security, reaction to the change in the specified MAC addresses on a port or excess
addresses on a port can be controlled in many different ways.
• The port can be configured to shut down or block the MAC addresses that exceed a specified
limit.
• The recommended best practice is to shut down the port. Port security prevents MAC flooding
and cloning attacks.
 DHCP Snooping
• We have seen that DHCP spoofing is an attack where the attacker listens for DHCP requests
from host on the network and answers them with fake DHCP response before the authorized
DHCP response comes to the host.
• DHCP snooping can prevent such attacks. DHCP snooping is a switch feature. Switch can be
configured to determine which switch ports can respond to DHCP requests. Switch ports are
identified as trusted or untrusted ports.
• Only ports that connect to an authorized DHCP server are configured as “trusted”, and allowed
to send all types of DHCP messages.
• All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP
response is seen on an untrusted port, the port is shut down.
 Preventing ARP Spoofing
• The method of port security can prevent MAC flooding and cloning attacks. However, it does
not prevent ARP spoofing.
• Port security validates the MAC source address in the frame header, but ARP frames contain an
additional MAC source field in the data payload, and the host uses this field to populate their
ARP cache.
• Some methods to prevent ARP spoofing are listed as follows.
Static ARP
Intrusion Detection System
Dynamic ARP inspection
 4.5.5 Physical security (Access Control)
• Network access control is a method of enhancing the security of a private organizational
network by restricting the availability of network resources to endpoint devices that comply
with the organization’s security policy.
• A typical network access control scheme comprises of two major components such as
Restricted Access and Network Boundary Protection.
• Restricted Access to the network devices is achieved through user authentication and
authorization control which is responsible for identifying and authenticating different users to
the network system.
• Authorization is the process of granting or denying specific access permissions to a protected
resource.
• Network Boundary Protection controls logical connectivity into and out of networks. For
example, multiple firewalls can be deployed to prevent unauthorized access to the network
systems.
• Also intrusion detection and prevention technologies can be deployed to defend against attacks
from the Internet.
 Securing Access to Network Devices
• Restricting access to the devices on network is a very essential step for securing a network.
• Since network devices comprise of communication as well as computing equipment,
compromising these can potentially bring down an entire network and its resources.
• An important aspect of network device security is access control and authorization. Many
protocols have been developed to address these two requirements and enhance network
security to higher levels.
 User Authentication and Authorization
• User authentication is necessary to control access to the network systems, in particular network
infrastructure devices.
• Authentication has two aspects: general access authentication and functional authorization.
• General access authentication is the method to control whether a particular user has “any” type
of access right to the system he is trying to connect to. Usually, this kind of access is associated
with the user having an “account” with that system.
• Authorization deals with individual user “rights”. For example, it decides what can a user do
once authenticated; the user may be authorized to configure the device or only view the data.
 k s!
h a n
y T
a n
M