Chapter four: Network Security

• Network security focus on:

• Attacks that use security holes of the network protocol and

their defense mechanisms

• Applications, systems, and networks can be made secure

through the use of security protocols, which provide a wide
range of encryption and authentication services.

• Each security protocol is placed within several layers of a

computing infrastructure, that is, network, transport, and
application layers.
1
 TCP/IP Layering
application
HTTP …
…
FTP DNS
SMTP SNMP

transport
TCP
TCP UDP
UDP

network
ICMP
ICMP IP
IP IGMP
IGMP

link
hardware
hardware
ARP
ARP RARP
RARP
interface
interface
2

Media Levente Buttyán

 Attacks on TCP/IP Networks

• TCP/IP protocol suite was created in 1980

as an internetworking solution with very
little concern for security aspects.
• The protocols are not designed to
withstand attacks
• Internet is now used by all sorts of people
• Attackers exploit vulnerabilities of every
protocol to achieve their goals

3
 Network attacks
Spoofing attack: a situation in which one person or program
successfully imitate another by falsifying data and thereby
gaining an illegitimate advantage.

• IP spoofing
• Putting a wrong IP address in the source IP address of an
IP packet
• DNS spoofing
• Changing the DNS information so that it directs to a
wrong machine
4
 Network attacks (cont’d…)
URL spoofing/Webpage phishing

• This technique often directs users to enter detailed information at

a fake website which appears almost identical to the legitimate
one.

• Popular method of phishing is:

• sending legitimate looking email containing a link to the fake

website.
• Registering fake website with a misspelled URL of popular
websites
• (www.microsoft.com www.microshoft.com) or 5
 Achieving Network Security
 International Telecommunication Union (ITU), has
defined certain mechanisms to bring the standardization to
achieve network security. these mechanisms are:
• En-cipherment. This mechanism provides data
confidentiality services by transforming data into not-
readable forms for the unauthorized persons.
– This mechanism uses encryption-decryption algorithm
with secret keys.
• Digital signatures. This mechanism is the electronic
equivalent of ordinary signatures in electronic data.
– It provides authenticity of the data.
• Access control. This mechanism is used to provide 6
access control services.
 E-mail Security

• the mail is sent to a mail server which is

permanently available on the network. When the
recipient’s machine connects to the network, it reads
the mail from the mail server.
• In general, the e-mail infrastructure consists of:
• mesh of mail servers, also termed as Message
Transfer Agents (MTAs) and
• client machines running an e-mail program
comprising of User Agent (UA) and local MTA.
• Typically, an e-mail message gets forwarded from its
UA, goes through the mesh of MTAs and finally
reaches the UA on the recipient’s machine.
7
 E-mail Security(cont’d…)

• The protocols used for e-mail are:

• Simple mail Transfer Protocol (SMTP):
• used for forwarding e-mail messages.
• Post Office Protocol (POP) and Internet Message Access
Protocol (IMAP)
• are used to retrieve the messages by recipient from
the server.
8
 MIME

• Basic Internet e-mail standard was written in 1982 and it

describes the format of e-mail message exchanged on the
Internet.
• It mainly supports e-mail message written as text in basic Roman
alphabet.
• By 1992, additional standard Multipurpose Internet Mail
Extensions (MIME) was defined.
• MIME is a set of extensions to the basic Internet E-mail
standard
• It provides an ability to send e-mail using characters other
than those of the basic Roman alphabet
• Another need fulfilled by MIME is to send non-text contents,
such as images or video clips.
• Due to this features, the MIME standard became widely adopted
with SMTP for e-mail communication.
9
 Pretty Good Privacy (PGP)

• Pretty Good Privacy (PGP) is an e-mail encryption

scheme. It has become the de-facto standard for
providing security services for e-mail communication.
• It uses public key cryptography, symmetric key
cryptography, hash function, and digital signature. It
provides −
• Privacy
• Sender Authentication
• Message Integrity
• Non-repudiation
• Along with these security services, it also provides data
compression and key management support.
• PGP uses existing cryptographic algorithms such as RSA,
IDEA, MD5, etc., rather than inventing the new ones.
10
 Working of PGP

• First Hash of the message is calculated. (MD5 algorithm)

• The resulted 128 bit hash is signed using the private
key of the sender (RSA Algorithm).
• The digital signature is concatenated to message, and
the result is compressed.
• A 128-bit symmetric key, KS is generated and used to
encrypt the compressed message with IDEA.
• KS is encrypted using the public key of the recipient
using RSA algorithm and the result is appended to the
encrypted message.

11
Working of PGP(cont’d…)

12
 Transport Layer attack
• TCP operates using synchronized connections,
initiated with 3 way handshake.
• TCP SYN flood attack exploits the vulnerability at this
stage of TCP connection.
– The attacker sends TCP SYN packets by
impersonating the IP address of an inactive host.
– The target machine responds SYN acknowledgment
waiting for the inactive host to respond.
– However, instead of opening a session, the
attacker continuously sends SYN requests and the
victim’s buffer will be flooded and cannot respond
to other requests. 13
 Philosophy of TLS Design

• Transport Layer Security (TLS) protocols operate

above the TCP layer.

• Design of these protocols use popular Application

Program Interfaces (API) to TCP, called “sockets"
for interfacing with TCP layer.

• Applications are now interfaced to Transport

Security Layer instead of TCP directly.

• Transport Security Layer provides a simple API with

14
 Secure Socket Layer (SSL)

• The SSL protocol (Secure Socket Layer)

was developed by Netscape to allow
client/server applications to
communicate safely

• It is transport layer security service

• Uses TCP to provide a reliable end-to-end

service 15
 Architecture of SSL
• SSL protocol is designed to interwork between
application and transport layer as shown in the
following image −

16
 Architecture of SSL…
• SSL itself is not a single layer protocol; in fact it is composed of two
sub-layers.

• Lower sub-layer comprises of the one component of SSL protocol

called as SSL Record Protocol. This component provides integrity
and confidentiality services.

• Upper sub-layer comprises of three SSL-related protocol

components and an application protocol.

• Three SSL related protocol components are:

• SSL Handshake Protocol
• Change Cipher Spec Protocol
• Alert Protocol. 17
 Functions of SSL Protocol Components

 The four sub-components of the SSL protocol handle various tasks for secure
communication between the client machine and the server.

• Record Protocol

• The record layer formats the upper layer protocol messages.

• It fragments the data into manageable blocks (max length 16 KB). It

optionally compresses the data.
• Encrypts the data.

• Provides a header for each message and a hash (Message Authentication

Code (MAC)) at the end.
• Hands over the formatted blocks to TCP layer for transmission.

18
 Functions of SSL Protocol Components…

SSL Handshake Protocol

• It is invoked before any application data is transmitted.

• It creates SSL sessions between the client and the server.

• Establishment of session involves Server authentication, Key and algorithm

negotiation, Establishing keys and Client authentication (optional).
• A session is identified by unique set of cryptographic security parameters.

• Multiple secure TCP connections between a client and a server can share
the same session.
• Handshake protocol actions through four phases.

19
 Functions of SSL Protocols…

Change Cipher Spec Protocol

• Simplest part of SSL protocol. It comprises of a single message

exchanged between two communicating entities, the client and the
server.
• As each entity sends the Change Cipher Spec message, it changes
its side of the connection into the secure state as agreed upon.
• The cipher parameters pending state is copied into the current state.
• Exchange of this Message indicates all future data exchanges are
encrypted and integrity is protected.

20
 Functions of SSL Protocols…

SSL Alert Protocol

• This protocol is used to report errors – such as

unexpected message, bad record MAC, security
parameters negotiation failed, etc.
• It is also used for other purposes – such as notify
closure of the TCP connection, notify receipt of
bad or unknown certificate, etc.

21
 Establishment of SSL Session

• There are four phases of SSL session establishment.

• These are mainly handled by SSL Handshake protocol
• Phase 1 − Establishing security capabilities.

22
 Establishing security capabilities…
• This phase comprises of exchange of two messages
– Client_hello and Server_hello.

• Client_hello contains of list of cryptographic algorithms supported by the

client, in decreasing order of preference.

• Server_hello contains the selected Cipher Specification (CipherSpec) and

a new session_id.

• The CipherSpec contains fields like −

• Cipher Algorithm (DES, 3DES, RC2, and RC4)

• MAC Algorithm (based on MD5, SHA-1)

• Public-key algorithm (RSA)

23
 Phase 2 − Server authentication and key exchange…

• Server sends certificate.

• Client software comes configured

with public keys of various “trusted”
organizations (CAs) to check
certificate.

• Server may request client certificate.

• Server indicates end of Server_hello.

24
 Phase 3 − Client authentication and key exchange

• Client sends certificate, only if

requested by the server.

• It also sends the Pre-master Secret

(PMS) encrypted with the server’s public
key.

• Client also
sends Certificate_verify message if
certificate is sent by him to prove he
has the private key associated with this
certificate. Basically, the client signs a
hash of the previous messages.
25
 Phase-4:Finish
• Client and server
send Change_cipher_spec mes
sages to each other to cause
the pending cipher state to be
copied into the current state.

• From now on, all data is

encrypted and integrity
protected.
26
 Secure Browsing - HTTPS
• Hyper Text Transfer Protocol (HTTP) protocol is used for
web browsing.

• The function of HTTPS is similar to HTTP.

• The only difference is that HTTPS provides “secure” web

browsing.

• HTTPS stands for HTTP over SSL.

• HTTPS protocol is used to provide the encrypted and

authenticated connection between the web browser and27
28
 Network layer security
• Network layer security controls have been used frequently for securing
communications, particularly over shared networks such as the Internet

• It can provide protection for many applications at once without

modifying them.

• Most protocols remained focused at the higher layer protocol stack, to

compensate for inherent lack of security in standard Internet Protocol.

• For example, SSL is developed specifically to secure applications like

HTTP or FTP.
• But there are several other applications which also need secure
communications.
29
 Features of IPsec

• IPsec is not designed to work only with TCP as a transport

layer security protocol. It works with UDP as well as any other
protocol above IP such as ICMP, OSPF etc.

• IPsec protects the entire packet presented to IP layer including

higher layer headers.

• It works from one network entity to another network entity,

not from application process to application process.

• Security at network layer can be adopted without requiring

changes to individual user computers/applications.
30
 Network Layer: IP security (IPSec)
• IP security (IPSec) is a capability that can be added to
Internet Protocol (IPv4 or IPv6), by means of additional
headers.

• an enterprise can run a secure, private TCP/IP network by:

– disallowing links to untrusted sites,

– encrypting packets that leave the organization, and
– authenticating packets that enter the organization.

• By implementing security at the IP level, an organization can

ensure secure networking.
31
Network Layer: IP security (IPSec)
• IP-level security encompasses three functional
areas: authentication, confidentiality, and key
management.

• The authentication mechanism assures that a

received packet was transmitted by the party
identified as the source in the packet header.
• The confidentiality facility enables communicating
nodes to encrypt messages to prevent
eavesdropping by third parties.
• The key management facility is concerned with the
secure exchange of keys.

32
Network Layer: IP security (IPSec)
• IPSec is a protocol suit for securing IP
communications by authenticating and encrypting
each IP packet of a communication session.

• Applications of IPSec

• Secure branch office connectivity over the

Internet
• Secure remote access over the Internet
• Establsihing intranet connectivity with partners
• Enhancing electronic commerce security
33
 Network Layer: IP security (IPSec)
Benefits of IPSec
• When IPSec is implemented in a firewall or router,
it provides strong security that can be applied to
all traffic crossing the border.
• Traffic within a company or workgroup does not incur
the overhead of security-related processing.

• IPSec is below the transport layer (TCP, UDP) and so

is transparent to applications.
– There is no need to change software on a user or server
system when IPSec is implemented in the firewall or
router.

34
 The two protocols of IPsec
• There are two security protocols defined by IPsec — Authentication
Header (AH) and Encapsulating Security Payload (ESP).

• IP-level authentication is provided by inserting an

Authentication Header (AH) into the packets.

• IP-level confidentiality is provided by inserting an

Encapsulating Security Payload (ESP) header into the
packets.

- An ESP header can also do the job of the AH header by

providing authentication in addition to confidentiality. 35
 IPSec - Security Associations (SA)
SA is a one way relationship between a sender and a
receiver that provides security services (authentication
and confidentiality)
• SA is uniquely identified by:
• Security Parameters Index (SPI) in the enclosed
extension header of AH or ESP
– The SPI is a random number generated by the
sender to identify the SA to the recipient.
• IP Destination address: It can be IP address of end
router
• Security Protocol Identifier: This indicates whether
the association is an AH or ESP security association.
36
 Network Layer: IP security (IPSec)
Services
• Connectionless integrity
- Ensuring the data has not been read/modified en
route.

• Data origin authentication

- Identifying who sent the data

• Rejection of replayed packets

- Detecting packets received more than once to help
protect against DoS.

• Confidentiality (encryption)
- Encryption of user data for privacy

• Access control 37
- Gives access privileges to end users (done by
 Two communication modes of IPSec
• Transport Mode:
– The protocol protects the message passed down to
IP from the transport layer.
– The message is processed by AH/ESP and
appropriate headers are added in front of the
transport header.
– The IP header is then added in front of that by IP.
• Tunnel Mode:
– IPsec is used to protect a complete encapsulated IP
datagram after the IP header has already been
applied to it.
– The IPsec header appears in front of the original IP
38
header and then a new IP header is added in front of