Chapter 4 and 5

Chapter four discusses network security, emphasizing the importance of securing networks against various attacks such as spoofing and phishing. It outlines mechanisms for achieving security, including encryption, digital signatures, and access control, while also detailing email security protocols like SMTP and PGP. Additionally, the chapter covers the architecture of SSL and IPsec, highlighting their roles in providing secure communication over networks.

Uploaded by

lencho03406
Chapter four: Network Security

• In today’s highly networked world, we can’t talk of computer security without talking of network security.
• Focus is on:
  • Attacks that use security holes of the network protocol and their defense mechanisms
• Applications, systems, and networks can be made secure through the use of security protocols,
  • which provide a wide range of encryption and authentication services.
• Each security protocol is placed within several layers of a computing infrastructure, that is, network, transport, and application layers.

Network attacks
Spoofing attack: a situation in which one person or program successfully imitates another by falsifying data, thereby gaining an illegitimate advantage.

• IP spoofing
  • Putting a wrong IP address in the source IP address field of an IP packet
• DNS spoofing
  • Changing the DNS information so that it directs to a wrong machine

Network attacks (cont’d…)
URL spoofing/Webpage phishing

• This technique often directs users to enter detailed information at a fake website which appears almost identical to the legitimate one.
• Popular methods of phishing are:
  • Sending a legitimate-looking email containing a link to the fake website.
  • Registering a fake website with a misspelled URL of a popular website (www.microsoft.com www.microshoft.com) or

OSI Model

Application: Allows access to network resources
Presentation: Translates, encrypts and compresses data
Session: Establishes, manages and terminates sessions
Transport: Provides end-to-end message delivery & error recovery
Network: Moves packets from source to destination; Provides internetworking
Data Link: Organizes bits into frames; Provides node-to-node delivery
Physical: Transmits bits; Provides mechanical and electrical specifications

Achieving Network Security
• The International Telecommunication Union (ITU) has defined certain mechanisms to standardize the way network security is achieved. These mechanisms are:
  • Encipherment. This mechanism provides data confidentiality services by transforming data into forms that are not readable by unauthorized persons.
    – This mechanism uses an encryption-decryption algorithm with secret keys.
  • Digital signatures. This mechanism is the electronic equivalent of ordinary signatures in electronic data.
    – It provides authenticity of the data.
  • Access control. This mechanism is used to provide access control services.

E-mail Security

• The mail is sent to a mail server which is permanently available on the network. When the recipient’s machine connects to the network, it reads the mail from the mail server.
• In general, the e-mail infrastructure consists of:
  • a mesh of mail servers, also termed Message Transfer Agents (MTAs), and
  • client machines running an e-mail program comprising a User Agent (UA) and a local MTA.
• Typically, an e-mail message gets forwarded from its UA, goes through the mesh of MTAs and finally reaches the UA on the recipient’s machine.

E-mail Security (cont’d…)

• The protocols used for e-mail are:
  • Simple Mail Transfer Protocol (SMTP):
    • used for forwarding e-mail messages.
  • Post Office Protocol (POP) and Internet Message Access Protocol (IMAP)
    • are used by the recipient to retrieve the messages from the server.

MIME

• The basic Internet e-mail standard was written in 1982 and it describes the format of e-mail messages exchanged on the Internet.
• It mainly supports e-mail messages written as text in the basic Roman alphabet.
• By 1992, an additional standard, Multipurpose Internet Mail Extensions (MIME), was defined.
• MIME is a set of extensions to the basic Internet e-mail standard.
  • It provides the ability to send e-mail using characters other than those of the basic Roman alphabet.
  • Another need fulfilled by MIME is to send non-text contents, such as images or video clips.
• Due to these features, the MIME standard became widely adopted with SMTP for e-mail communication.

E-mail communication

One-to-One E-mail
• In this scenario, the sender sends an e-mail message to only one recipient. Usually, not more than two MTAs are involved in the communication.

One-to-One E-mail (cont’d…)

• Let’s assume a sender wants to send a confidential e-mail to a recipient. The provision of privacy in this case is achieved as follows:
  • The sender and receiver have their private-public keys as (SPVT, SPUB) and (RPVT, RPUB) respectively.
  • The sender generates a secret symmetric key, KS, for encryption. Though the sender could have used RPUB for encryption, a symmetric key is used to achieve faster encryption and decryption.
  • The sender encrypts the message with key KS and also encrypts KS with the public key of the recipient, RPUB.
  • The sender sends the encrypted message and the encrypted KS to the recipient.
  • The recipient first obtains KS by decrypting the encoded KS using his private key, RPVT.
  • The recipient then decrypts the message using the symmetric key, KS.

One-to-Multiple Recipients E-mail

• In this case, the sender sends an e-mail message to two or more recipients.
• The list is managed by the sender’s e-mail program (UA + local MTA). All recipients get the same message.

One-to-Multiple Recipients E-mail (cont’d…)

• Let’s assume the sender wants to send a confidential e-mail to many recipients (say R1, R2, and R3). The provision of privacy in this case is achieved as follows:
  • The sender and all recipients have their own pair of private-public keys.
  • The sender generates a secret symmetric key, KS, and encrypts the message with this key.
  • The sender then encrypts KS multiple times with the public keys of R1, R2, and R3, getting R1PUB(KS), R2PUB(KS), and R3PUB(KS).
  • The sender sends the encrypted message and the corresponding encrypted KS to each recipient. For example, recipient 1 (R1) receives the encrypted message and R1PUB(KS).
  • Each recipient first extracts key KS by decrypting the encoded KS using his private key.
  • Each recipient then decrypts the message using the symmetric key, KS.

One-to-Distribution List E-mail

• In this scenario, the sender sends an e-mail message to two or more recipients
  • but the list of recipients is not managed locally by the sender. Generally, the e-mail server (MTA) maintains the mailing list.
• The sender sends a mail to the MTA managing the mailing list and then the mail is exploded by the MTA to all recipients in the list.

One-to-Distribution List E-mail (cont’d…)
• When the sender wants to send a confidential e-mail to the recipients of the mailing list (say R1, R2, and R3), the privacy is ensured as follows:
  • The sender and all recipients have their own pair of private-public keys. The Exploder Server has a pair of private-public keys for each mailing list (ListPUB, ListPVT) maintained by it.
  • The sender generates a secret symmetric key KS and then encrypts the message with this key.
  • The sender then encrypts KS with the public key associated with the list, obtaining ListPUB(KS).
  • The sender sends the encrypted message and ListPUB(KS). The exploder MTA decrypts ListPUB(KS) using ListPVT and obtains KS.
  • The exploder encrypts KS with as many public keys as there are members in the list.
  • The Exploder forwards the received encrypted message and the corresponding encrypted KS to all recipients in the list. For example, the Exploder forwards the encrypted message and R1PUB(KS) to recipient 1 and so on.

Pretty Good Privacy (PGP)

• Pretty Good Privacy (PGP) is an e-mail encryption scheme. It has become the de-facto standard for providing security services for e-mail communication.
• It uses public key cryptography, symmetric key cryptography, hash functions, and digital signatures. It provides:
  • Privacy
  • Sender Authentication
  • Message Integrity
  • Non-repudiation
• Along with these security services, it also provides data compression and key management support.
• PGP uses existing cryptographic algorithms such as RSA, IDEA, MD5, etc., rather than inventing new ones.

Working of PGP

• First, a hash of the message is calculated (MD5 algorithm).
• The resulting 128-bit hash is signed using the private key of the sender (RSA algorithm).
• The digital signature is concatenated to the message, and the result is compressed.
• A 128-bit symmetric key, KS, is generated and used to encrypt the compressed message with IDEA.
• KS is encrypted using the public key of the recipient using the RSA algorithm and the result is appended to the encrypted message.

Transport Layer attack
• TCP operates using synchronized connections, initiated with a 3-way handshake.
• The TCP SYN flood attack exploits the vulnerability at this stage of the TCP connection.
  – The attacker sends TCP SYN packets by impersonating the IP address of an inactive host.
  – The target machine responds with a SYN acknowledgment and waits for the inactive host to respond.
  – However, instead of opening a session, the attacker continuously sends SYN requests and the victim’s buffer will be flooded and cannot respond to other requests.

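On the defending side, the condition described above shows up as a growing number of handshakes that received a SYN but never the final ACK. The following added example (not part of the original slides) counts such half-open connections per listening address; the event format, the threshold of 5, the 30-second timeout and all addresses are assumptions constructed for illustration.

```python
SYN, ACK = "SYN", "ACK"   # simplified flag labels for the constructed events below


def detect_syn_flood(events, max_half_open=5, timeout=30):
    """Return [(time, (dst_ip, dst_port), half_open_count)] alerts.

    events: time-ordered tuples (time, src_ip, src_port, dst_ip, dst_port, flag)
    as observed in front of the protected server.
    """
    half_open = {}      # (src_ip, src_port, dst_ip, dst_port) -> time the SYN arrived
    alerted = set()     # listeners already reported, so each is reported once
    alerts = []
    for t, src, sport, dst, dport, flag in events:
        # Drop entries the server itself would have timed out by now.
        for conn in [c for c, seen in half_open.items() if t - seen > timeout]:
            del half_open[conn]
        conn = (src, sport, dst, dport)
        if flag == SYN:
            half_open.setdefault(conn, t)     # first packet of the handshake
        elif flag == ACK:
            half_open.pop(conn, None)         # third packet: handshake completed
        listener = (dst, dport)
        pending = sum(1 for c in half_open if c[2:] == listener)
        if pending > max_half_open and listener not in alerted:
            alerted.add(listener)
            alerts.append((t, listener, pending))
    return alerts


def constructed_events():
    """Constructed sample traffic (documentation address ranges, times in seconds)."""
    server = ("192.0.2.10", 80)
    events = []
    # Three ordinary clients that finish the handshake one second after their SYN.
    for i in range(3):
        client = (f"198.51.100.{i + 1}", 40000 + i)
        events.append((2 * i, *client, *server, SYN))
        events.append((2 * i + 1, *client, *server, ACK))
    # Eight SYNs whose claimed sources never answer the server's SYN acknowledgment.
    for i in range(8):
        events.append((10 + i, f"203.0.113.{i + 1}", 50000 + i, *server, SYN))
    return events


if __name__ == "__main__":
    for when, listener, pending in detect_syn_flood(constructed_events()):
        print(f"t={when}s {listener[0]}:{listener[1]} has {pending} half-open connections")
```
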
Philosophy of TLS Design

• Transport Layer Security (TLS) protocols operate above the TCP layer.
• The design of these protocols uses the popular Application Program Interface (API) to TCP, called “sockets”, for interfacing with the TCP layer.
• Applications are now interfaced to the Transport Security Layer instead of TCP directly.
• Transport Security Layer provides a simple API with

Secure Socket Layer (SSL)

• The SSL protocol (Secure Socket Layer) was developed by Netscape to allow client/server applications to communicate safely.
• It is a transport layer security service.
• Uses TCP to provide a reliable end-to-end service.

Architecture of SSL
• SSL protocol is designed to interwork between application and transport layer as shown in the following image −

Architecture of SSL…
• SSL itself is not a single-layer protocol; in fact it is composed of two sub-layers.
• The lower sub-layer comprises one component of the SSL protocol, called the SSL Record Protocol. This component provides integrity and confidentiality services.
• The upper sub-layer comprises three SSL-related protocol components and an application protocol.
• The three SSL-related protocol components are:
  • SSL Handshake Protocol
  • Change Cipher Spec Protocol
  • Alert Protocol.

Functions of SSL Protocol Components

• The four sub-components of the SSL protocol handle various tasks for secure communication between the client machine and the server.
• Record Protocol
  • The record layer formats the upper layer protocol messages.
  • It fragments the data into manageable blocks (max length 16 KB). It optionally compresses the data.
  • Encrypts the data.
  • Provides a header for each message and a hash (Message Authentication Code (MAC)) at the end.
  • Hands over the formatted blocks to the TCP layer for transmission.

Functions of SSL Protocol Components…

SSL Handshake Protocol

• It is invoked before any application data is transmitted.
• It creates SSL sessions between the client and the server.
• Establishment of a session involves server authentication, key and algorithm negotiation, establishing keys and client authentication (optional).
• A session is identified by a unique set of cryptographic security parameters.
• Multiple secure TCP connections between a client and a server can share the same session.
• The Handshake protocol acts through four phases.

Functions of SSL Protocols…

Change Cipher Spec Protocol

• Simplest part of the SSL protocol. It comprises a single message exchanged between two communicating entities, the client and the server.
• As each entity sends the Change Cipher Spec message, it changes its side of the connection into the secure state as agreed upon.
• The pending state of the cipher parameters is copied into the current state.
• Exchange of this message indicates that all future data exchanges are encrypted and integrity is protected.

Functions of SSL Protocols…

SSL Alert Protocol

• This protocol is used to report errors, such as unexpected message, bad record MAC, security parameters negotiation failed, etc.
• It is also used for other purposes, such as to notify closure of the TCP connection, notify receipt of a bad or unknown certificate, etc.

Establishment of SSL Session

• There are four phases of SSL session establishment.
• These are mainly handled by the SSL Handshake protocol.
• Phase 1 − Establishing security capabilities.

Establishing security capabilities…
• This phase comprises the exchange of two messages: Client_hello and Server_hello.
• Client_hello contains a list of cryptographic algorithms supported by the client, in decreasing order of preference.
• Server_hello contains the selected Cipher Specification (CipherSpec) and a new session_id.
• The CipherSpec contains fields like:
  • Cipher Algorithm (DES, 3DES, RC2, and RC4)
  • MAC Algorithm (based on MD5, SHA-1)
  • Public-key algorithm (RSA)

Phase 2 − Server authentication and key exchange…

• Server sends certificate.
• Client software comes configured with public keys of various “trusted” organizations (CAs) to check the certificate.
• Server may request client certificate.
• Server indicates end of Server_hello.

Phase 3 − Client authentication and key exchange

• Client sends certificate, only if requested by the server.
• It also sends the Pre-master Secret (PMS) encrypted with the server’s public key.
• Client also sends a Certificate_verify message, if it sent a certificate, to prove that it has the private key associated with this certificate. Basically, the client signs a hash of the previous messages.

Phase 4 − Finish
• Client and server send Change_cipher_spec messages to each other to cause the pending cipher state to be copied into the current state.
• From now on, all data is encrypted and integrity protected.

Network layer security
• Network layer security controls have been used frequently for securing communications, particularly over shared networks such as the Internet.
• It can provide protection for many applications at once without modifying them.
• Most protocols remained focused on the higher layers of the protocol stack, to compensate for the inherent lack of security in the standard Internet Protocol.
• For example, SSL was developed specifically to secure applications like HTTP or FTP.
• But there are several other applications which also need secure communications.

Features of IPsec

• IPsec is not designed to work only with TCP as a transport layer security protocol. It works with UDP as well as any other protocol above IP such as ICMP, OSPF etc.
• IPsec protects the entire packet presented to the IP layer, including higher layer headers.
• It works from one network entity to another network entity, not from application process to application process.
• Security at the network layer can be adopted without requiring changes to individual user computers/applications.

Network Layer: IP security (IPSec)
• IP security (IPSec) is a capability that can be added to the Internet Protocol (IPv4 or IPv6) by means of additional headers.
• An enterprise can run a secure, private TCP/IP network by:
  – disallowing links to untrusted sites,
  – encrypting packets that leave the organization, and
  – authenticating packets that enter the organization.
• By implementing security at the IP level, an organization can ensure secure networking.

Network Layer: IP security (IPSec)
• IP-level security encompasses three functional areas: authentication, confidentiality, and key management.
• The authentication mechanism assures that a received packet was transmitted by the party identified as the source in the packet header.
• The confidentiality facility enables communicating nodes to encrypt messages to prevent eavesdropping by third parties.
• The key management facility is concerned with the secure exchange of keys.

Network Layer: IP security (IPSec)
• IPSec is a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session.
• Applications of IPSec
  • Secure branch office connectivity over the Internet
  • Secure remote access over the Internet
  • Establishing intranet connectivity with partners
  • Enhancing electronic commerce security

Network Layer: IP security (IPSec)
Benefits of IPSec
• When IPSec is implemented in a firewall or router, it provides strong security that can be applied to all traffic crossing the border.
  • Traffic within a company or workgroup does not incur the overhead of security-related processing.
• IPSec is below the transport layer (TCP, UDP) and so is transparent to applications.
  – There is no need to change software on a user or server system when IPSec is implemented in the firewall or router.

Network Layer: IP security (IPSec)

Benefits of IPSec...

• IPSec can be transparent to end users
  – There is no need to train users on security mechanisms,
  – No need to issue keying material on a per-user basis, or
  – No need to revoke keying material when users leave the organization.

The two protocols of IPsec
• There are two security protocols defined by IPsec: Authentication Header (AH) and Encapsulating Security Payload (ESP).
• IP-level authentication is provided by inserting an Authentication Header (AH) into the packets.
• IP-level confidentiality is provided by inserting an Encapsulating Security Payload (ESP) header into the packets.
  – An ESP header can also do the job of the AH header by providing authentication in addition to confidentiality.

IPSec - Security Associations (SA)
• An SA is a one-way relationship between a sender and a receiver that provides security services (authentication and confidentiality).
• An SA is uniquely identified by:
  • Security Parameters Index (SPI): in the enclosed extension header of AH or ESP
    – AH: Authentication Header (authentication)
    – ESP: Encapsulating Security Payload (both authentication and confidentiality)
  • IP Destination address: in the IPv4/IPv6 header (end user/router/firewall)
  • Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.

Network Layer: IP security (IPSec)
Services
• Connectionless integrity
  - Ensuring the data has not been read/modified en route.
• Data origin authentication
  - Identifying who sent the data
• Rejection of replayed packets
  - Detecting packets received more than once to help protect against DoS.
• Confidentiality (encryption)
  - Encryption of user data for privacy
• Access control
  - Gives access privileges to end users (done by

Two communication modes of IPSec
• Transport Mode:
  – The protocol protects the message passed down to IP from the transport layer.
  – The message is processed by AH/ESP and appropriate headers are added in front of the transport header.
  – The IP header is then added in front of that by IP.
• Tunnel Mode:
  – IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.
  – The IPsec header appears in front of the original IP header and then a new IP header is added in front of

CHAPTER 5

Security mechanism

Securing Private Networks
• Minimize external access to the LAN
• Done by means of firewalls and proxy servers
• Firewalls provide a secure interface between an “inner” trusted network and an “outer” untrusted network
• Every packet to and from the inner and outer network is “processed”
• Firewalls require hardware and software to implement
• The software used consists of proxies and filters that allow or deny network traffic access to either network

Overview of Firewall

• A firewall is a router or other communications device which filters access to a protected network.
• A firewall is also a program that screens all incoming traffic and protects the network from unwelcome intruders.
• It is a means of protecting a local system or network of systems from network-based security threats,
  – while affording access to the outside world via WANs or the Internet

Overview of Firewall…
Firewall Objectives

• Keep intruders, malicious code and unwanted traffic or information out
• Keep private and sensitive information in

[Figure: security wall between the private (protected) network and the outside world; labels: Private Network, Private data, External attacks, External Network]

Overview of Firewall…

• Firewalls can be designed to operate at any of the following three layers in the TCP/IP protocol stack:
  - The application layer (e.g., HTTP proxy)
  - The network and transport layer (e.g., packet filtering)
  - The layer between the application layer and the transport layer (e.g., SOCKS proxy)

Types of Firewalls

• Packet Filtering Firewalls
• Circuit-Level Gateway
• Proxy Server Firewalls

Packet Filtering Firewalls/Routers
• A packet filtering router applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
  – A filtering firewall works at the network level.
• The router is typically configured to filter packets going in both directions (from and to the internal network).
• Filtering rules are based on information contained in a network packet:
  – Source IP address: The IP address of the system that originated the IP packet (e.g., 192.178.1.1)
  – Destination IP address: The IP address of the system the IP packet is trying to reach (e.g., 192.168.1.2)
  – Source and destination port address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET
• Packet filtering is generally accomplished using Access

Packet Filtering Firewalls
• Packet-filtering Router…
  • Many network routers have the ability to perform some firewall services.
  • Filtering firewalls can be thought of as a type of router

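The rule matching described on the two slides above, as an added example that is not part of the original slides: an ordered rule list is checked against each packet's direction, protocol, source and destination address and ports, the first matching rule decides, and anything unmatched is discarded. The rule set, the inside network 192.168.1.0/24 and the sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the outer network, "out" = leaving the inner one
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" (forward) or "deny" (discard)
    direction: str
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sports: tuple = (0, 65535)      # inclusive source port range
    dports: tuple = (0, 65535)      # inclusive destination port range

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.sports[0] <= pkt.sport <= self.sports[1]
                and self.dports[0] <= pkt.dport <= self.dports[1])


INSIDE = "192.168.1.0/24"           # constructed inner (trusted) network
RULES = [
    # A packet arriving from outside must not claim an inside source address (IP spoofing).
    Rule("deny", "in", src=INSIDE),
    # Mail from anywhere may reach the mail server on the SMTP port.
    Rule("allow", "in", "tcp", dst="192.168.1.2/32", dports=(25, 25)),
    # TELNET from outside is discarded explicitly.
    Rule("deny", "in", "tcp", dports=(23, 23)),
    # Inside hosts may open HTTPS connections to the outside.
    Rule("allow", "out", "tcp", src=INSIDE, dports=(443, 443)),
]


def decide(pkt, rules=RULES):
    """Return (action, index of the deciding rule); unmatched packets are denied."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    sample = Packet("in", "tcp", "203.0.113.5", "192.168.1.2", 51000, 25)
    print(sample, "->", decide(sample))
```
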
Overview of Proxy Server
• A proxy server is a computer program that acts as an intermediary between a web browser and a web server.
  – To give users rapid access to popular web destinations.
• Internet Service Providers use proxy servers as “holding bins” to store frequently requested pages,
  – rather than going out and fetching them repeatedly from the Net (e.g., www.google.com.et)
• A proxy server is also used to control and monitor outbound and inbound traffic.

Firewalls - Application Level Gateway (or Proxy)
• Proxy Services
  • Application that mediates traffic between a protected network and the internet
  • Able to understand the application protocol being utilized and implement protocol-specific security
  • Protocols include: FTP, HTTP, Telnet etc.
  • They decide based on TCP/IP information
    • e.g. source and destination ports and IP addresses
  • They decide based on content of message
    • e.g. do not forward on any message containing VB executable or ActiveX components

Web caches (proxy server)
Goal: satisfy client request without involving origin server

• user sets browser: Web accesses via cache
• browser sends all HTTP requests to cache
  – If object in cache: cache returns that object
  – else cache requests object from origin server, then returns object to client

[Figure: clients exchange HTTP requests and responses with the proxy server, which exchanges HTTP requests and responses with the origin servers]

Web caching…
• cache acts as both client and server
• typically cache is installed by ISP (university, company, residential ISP)
Why Web caching?
• reduce response time for client request
• reduce traffic on an institution’s access link.
• reduce costs to use access link.

How Proxy Servers Work

• Function as software, forwarding data between internal and external hosts
• Focus on the port each service uses
  – Screen all traffic into and out of each port
  – Decide whether to block or allow traffic based on rules

Steps Involved in a Proxy Transaction
1. Internal host makes request to access a Web site
2. Request goes to proxy server, which examines header and data of the packet against rule base
3. Proxy server recreates packet in its entirety with a different source IP address
4. Proxy server sends packet to destination; packet appears to come from proxy server
5. Returned packet is sent to proxy server, which inspects it again and compares it against its rule base
6. Proxy server rebuilds returned packet and sends it to originating computer; packet appears to come from external host

Goals of Proxy Servers
• Conceal internal clients
• Block URLs
• Block and filter content
• Protect e-mail proxy
• Improve performance
• Ensure security
• Provide user authentication
• Redirect URLs

Circuit-Level Gateway
• SOCKS (RFC 1928) refers to a circuit-level gateway.
• It is a networking proxy mechanism that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side without requiring direct IP reachability.
• The client connects to the SOCKS server at the firewall.
  – Then the client enters a negotiation for the authentication method to be used, and authenticates with the chosen method.

Circuit-Level Gateway…
• The client sends a connection relay request to the SOCKS server, containing the desired destination IP address and transport port.
• The server accepts the request after checking that the client meets the basic filtering criteria.
• Then, on behalf of the client, the gateway opens a connection to the requested untrusted host and then closely monitors the TCP handshaking that follows.
• The SOCKS server informs the client, and in case of success, starts relaying the data between the two connections.
• Circuit level gateways are used when the organization trusts the internal

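The server side of the exchange described on the two slides above, as an added example that is not part of the original slides: it answers the method negotiation, parses the connection relay request in the RFC 1928 wire format, and applies a filtering check before replying. The relay policy `ALLOWED`, the helper `connect_request` and all addresses are hypothetical; no socket is opened and no relaying takes place.

```python
import ipaddress
import struct

VER = 5
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0, 2, 7, 8


class UnsupportedAddressType(ValueError):
    pass


def select_method(greeting, acceptable=(USERPASS,)):
    """Answer the client's offer (VER, NMETHODS, METHODS) with (VER, METHOD)."""
    if len(greeting) < 3 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:]
    if len(offered) != greeting[1]:
        raise ValueError("NMETHODS does not match the message length")
    for method in acceptable:
        if method in offered:
            return bytes([VER, method])
    return bytes([VER, NO_ACCEPTABLE])      # client must close the connection


def parse_request(req):
    """Parse VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT into (cmd, host, port)."""
    if len(req) < 4 or req[0] != VER or req[2] != 0:
        raise ValueError("malformed SOCKS5 request header")
    cmd, atyp, rest = req[1], req[3], req[4:]
    if atyp == 1:                           # IPv4 address
        alen = 4
    elif atyp == 4:                         # IPv6 address
        alen = 16
    elif atyp == 3:                         # domain name with a one-byte length prefix
        if not rest or rest[0] == 0:
            raise ValueError("missing domain name")
        alen, rest = rest[0], rest[1:]
    else:
        raise UnsupportedAddressType(f"ATYP {atyp}")
    if len(rest) != alen + 2:               # truncated or trailing bytes
        raise ValueError("address/port length mismatch")
    addr, (port,) = rest[:alen], struct.unpack("!H", rest[alen:])
    host = addr.decode("ascii") if atyp == 3 else str(ipaddress.ip_address(addr))
    return cmd, host, port


def reply(rep):
    # BND.ADDR and BND.PORT are zeroed because this example opens no real socket.
    return bytes([VER, rep, 0, 1]) + bytes(6)


def handle_request(req, allowed):
    """Apply the filtering criteria and build the reply sent back to the client."""
    try:
        cmd, host, port = parse_request(req)
    except UnsupportedAddressType:
        return reply(REP_ATYP_UNSUPPORTED)
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED)
    if (host, port) not in allowed:
        return reply(REP_NOT_ALLOWED)
    return reply(REP_OK)                    # a real gateway would now connect and relay


def connect_request(host_bytes, atyp, port, cmd=CMD_CONNECT):
    """Build a constructed client request for the demonstration below."""
    prefix = bytes([len(host_bytes)]) if atyp == 3 else b""
    return bytes([VER, cmd, 0, atyp]) + prefix + host_bytes + struct.pack("!H", port)


ALLOWED = {("198.51.100.7", 443)}           # hypothetical relay policy
REQ_IPV4 = connect_request(bytes([198, 51, 100, 7]), 1, 443)
REQ_DOMAIN = connect_request(b"example.org", 3, 80)

if __name__ == "__main__":
    print(select_method(b"\x05\x02\x00\x02").hex())
    print(parse_request(REQ_IPV4), handle_request(REQ_IPV4, ALLOWED).hex())
    print(parse_request(REQ_DOMAIN), handle_request(REQ_DOMAIN, ALLOWED).hex())
```
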
IDS/IPS
• It is a network security program that looks for harmful activity on a network or system.
• IDS/IPS: main functions are detecting malicious behavior, collecting information about it, reporting it, and trying to block or stop it.
• Intrusion prevention systems and intrusion detection systems both monitor network traffic and system operations for malicious behavior.
• IDS is a ‘visibility’ tool whereas IPS is considered a ‘control’ tool.

Types of IDS

• Signature-based IDS
  • It needs a database of known attacks with their signatures.
  • A signature is defined by the types and order of packets characterizing a particular attack.
  • The limitation of this type of IDS is that only known attacks can be detected. This IDS can also throw up a false alarm.
  • A false alarm can occur when a normal packet stream matches the signature of an attack.
  • A well-known public open-source IDS example is the “Snort” IDS.

Types of IDS…
• Anomaly-based IDS
  • This type of IDS creates a traffic pattern of normal network operation.
  • During IDS mode, it looks at traffic patterns that are statistically unusual.
  • Detection of any unusual traffic pattern generates the alarm.
  • The major challenge faced in this type of IDS deployment is the difficulty in distinguishing between normal traffic and unusual traffic.

Virtual Private Network (VPN)

• It allows you to connect your computer to a private network, creating an encrypted connection that masks your IP address to securely share data.
• A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network.
• The encrypted connection helps ensure that sensitive data is safely transmitted.
• It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.

VPN connection figure
