Chapter Three

Network Security
Network Security
 Network Security
Security Services

Confidentiality
Authentication
Integrity
Non Repudiation
Access Control
Availability
 Network Security
Model
Trusted
Third Party

Information Channel

Security Security
Related Related
Transmition Transmition

Opponent
 Network Security
Introduction

In today’s highly networked world, we can’t talk of

computer security without talking of network security
Focus is on:
 Internet and Intranet security (TCP/IP based networks)
 Attacks that use security holes of the network protocol and
their defenses
Does not include attacks that use networks to perform
some crime based on human weaknesses (such as scams)
 Network Security/ Types of Attacks
Passive attacks

Listen to the network and make use of the information without

altering
 Passive wiretapping attack
 Traffic analysis
Most networks use a broadcast medium and it is easy to access other
machines packets
 Utilities such as etherfind and tcpdump
 Network management utilities such as SnifferPro
Defense
 Using switching tools rather than mere repeating hubs limits this
possibility
 Using cryptography; does not protect against traffic analysis
 Network Security/ Types of Attacks
Active attacks
An active attack threatens the integrity and availability of data being
transmitted
 The transmitted data is fully controlled by the intruder
 The attacker can modify, extend, delete or play any data
This is quite possible in TCP/IP since the frames and packets are not
protected in terms of authenticity and integrity

Denial of service or degrading of service attack

 Prevention of authorized access to resources
 Examples
 E-mail bombing: flooding someone's mail store
 Smurf attack: Sending a “ping” multicast or broadcast with a spoofed IP of a
victim. The recipients will respond with a “pong” to the victim
 There had been reports of incidences of distributed denial attacks against major
sites such as Amazon, Yahoo, CNN and eBay
 Network Security/ Types of Attacks
Active attacks …
Spoofing attack: a situation in which one person or
program successfully imitate another by falsifying
data and thereby gaining an illegitimate advantage.
 IP spoofing
 Putting a wrong IP address in the source IP address of an IP
packet
 DNS spoofing
 Changing the DNS information so that it directs to a wrong
machine
 URL spoofing/Webpage phishing
 A legitimate web page such as a bank's site is reproduced in "look
and feel" on another server under control of the attacker
 E-mail address spoofing
 Network Security/ Types of Attacks
Active attacks …

Session hijacking
 When a TCP connection is established between a
client and a server, all information is transmitted
in clear and this can be exploited to hijack the
session
 Network Security/ Protocols and vulnerabilities
Attacks on TCP/IP Networks

TCP/IP was designed to be used by a trusted

group of users
The protocols are not designed to withstand
attacks
Internet is now used by all sorts of people

Attackers exploit vulnerabilities of every protocol

to achieve their goals
The next slides show some attacks at each layer of
the TCP/IP stack
 Network Security/ Protocols and vulnerabilities
Link Layer: ARP spoofing
Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13
arp req | target IP: 140.252.13.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0

 Network Security/ Protocols and vulnerabilities
Network Layer: IP Vulnerabilities
IP packets can be intercepted
 In the LAN broadcast
 In the router, switch
Since the packets are not protected they can be easily read
Since IP packets are not authenticated they can be easily
modified
Even if the user encrypts his/her data it will still be
vulnerable to traffic analysis attack
Information exchanged between routers to maintain their
routing tables is not authenticated
 All sort of problems can happen if a router is compromised
 Network Security/ Protocols and vulnerabilities
Network Layer: IPv4 Header …
 Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview

IPSec is a set of security algorithms plus a general

framework that allows a pair of communicating
entities to use whichever algorithms provide
security appropriate for the communication.
Applications of IPSec
 Secure branch office connectivity over the Internet
 Secure remote access over the Internet
 Establsihing extranet and intranet connectivity with
partners
 Enhancing electronic commerce security
 Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) overview …

Benefits of IPSec
 Transparent to applications (below transport layer)
(TCP, UDP)
 Provide security for individual users

IPSec can assure that:

 A router or neighbor advertisement comes from an
authorized router
 A redirect message comes from the router to which the
initial packet was sent
 A routing update is not forged
 Network Security/ Protocols and vulnerabilities
Network Layer: IP security (IPSec) services

Access Control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
Confidentiality (encryption)
 Network Security/ Protocols and vulnerabilities
Network Layer: IP security scenario …
 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec - Security Associations (SA)

SA is a one way relationship between a sender and a

receiver that provides security services (authentication and
confidentiality)
SA is uniquely identified by:
 Security Parameters Index (SPI) in the enclosed extension header
of AH or ESP
 AH: Authentication Header (Authentication)
 ESP: Encapsulating Security Payload (both authentication and
confidentiality)
 IP Destination address in the IPv4/IPv6 header

Both AH and ESP support two modes of use

 Transport Mode: Protection for upper layer protocols (TCP, UDP)
 Tunnel Mode: Protection to the entire IP packet
 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication

(a) Before AH
 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication …

(b) Transport Mode

 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec AH Authentication …

(c) Tunnel Mode

 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication
 Network Security/ Protocols and vulnerabilities
Network Layer: IPSec ESP Encryption and Authentication…
 Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations

* Implements IPSec
 Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …

* Implements IPSec
 Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …

* Implements IPSec
 Network Security/ Protocols and vulnerabilities
Network Layer: Combination of Security Associations …

* Implements IPSec
 Network Security/ Protocols and vulnerabilities
IPSec ESP Encryption and Authentication… Summary
IPSec provides authentication, confidentiality, and key management at
the level of IP packets.
IP-level authentication is provided by inserting an Authentication
Header (AH) into the packets.
IP-level confidentiality is provided by inserting an Encapsulating
Security Payload (ESP) header into the packets. An ESP header can also
do the job of the AH header by providing authentication in addition to
confidentiality.
Before ESP can be used, it is necessary for the two ends of a
communication link to exchange the secret key that will be used for
encryption. Similarly, AH needs an authentication key. Keys are
exchanged with a protocol named as the Internet Key Exchange (IKE).
IPSec is a specification for the IP-level security features that are built
into the IPv6 internet protocol. These security features can also be used
with the IPv4 internet protocol.
IPSec is transparent to applications (functions below transport layer)
 Network Security/ Protocols and vulnerabilities
Transport Layer : TCP SYNC attack

The use of Sequence Number: monotonically increasing

32 bits long counter that provides anti-replay function
Sequence numbers are initialized with a “random”
value during connection setup
The RFC suggests that the ISN (Initial Sequence
Number) is incremented by one at least every 4 ms
In many implementations, it is computationally feasible
to guess the next ISN number
If successful, an attacker can impersonate a trusted host
 Network Security/ Protocols and vulnerabilities
Transport Layer : TCP SYNC attack …
3 way handshake

client server
SYN = ISNC
SYN = ISNS, ACK(ISNC)
ISN – Initial Sequence Number
ACK(ISNS)

data transfer

attacker server
SYN = ISNX, SRC_IP = T trusted host (T)

SYN = ISNS, ACK(ISNX)

ACK(ISNS), SRC_IP = T

SRC_IP = T, nasty_data
 Network Security/ Protocols and vulnerabilities
Application layer: DNS spoofing

If the attacker has access to a name server it

can modify it so that it gives false
information
 Ex: redirecting www.ebay.com to map to own
(attacker’s) IP address
The cache of a DNS name server can be
poisoned with false information using some
simple techniques
 Network Security/ Protocols and vulnerabilities
Application layer: Web browsers as threats

We obtain most of our browsers on-line

 How do we make sure that some Trojan horse is not inserted
Potential problems that can come from malicious code
within the browser
 Inform the attacker of the activities of the user
 Inform the attacker of passwords typed in by the user
 Downgrade browser security
Helper applications are used by browsers
 Example: MS Word, Ghost view, etc
 The helpers can have Trojan horse code
 Downloaded data can exploit vulnerabilities of helpers
 Network Security/ Protocols and vulnerabilities
Application layer: Web browser …
Mobile code
 Java applets and ActiveX controls
 normally run within a controlled environment (sandbox) and
access to local resources is strictly controlled by a security
manager
 however, an applet may escape from the sandbox due to some
bugs in the implementation of the Java Virtual Machine for
example
Cookies
 cookies are set by web servers and stored by web
browsers
 A cookie set by a server is sent back to the server when
the browser visits the server again
 Cookies can be used to track what sites the user visits
 Network Security/ Protocols and vulnerabilities
Application layer: Web browser …

Interactive web sites are based on

forms and scripts
 By writing malicious scripts the client can
 Crash the server (ex. Buffer overflow)
 Gain control over the server
 Network Security/ Protocols and vulnerabilities
Application layer: E-mail Security

E-mails transit through various servers before

reaching their destinations
By default, they are visible by anybody who has
access to the servers
SMTP protocol itself has some security holes
E-mail security can be improved using some tools
and protocols
 Example: PGP, S-MIME
PGP: Pretty Good Privacy
S-MIME: Secure Multi-Purpose Internet Mail Extension
 Network Security/ Protocols and vulnerabilities
Application layer: Security-enhanced application protocols

Solution to most application layer security

problems have been found by developing security-
enhanced application protocols
Examples
 For FTP => FTPS
 For HTTP => HTTPS
 For SMTP => SMTPS
 For DNS => DNSSEC