Data Communication &

Computer Networks
Course Instructor:
Mr. Aizaz Raziq

8-1
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity, authentication
4 Securing TCP connections: SSL
5 Operational security: firewalls and IDS

8-2
Digital signatures
cryptographic technique analogous to hand-written
signatures:
 sender (Bob) digitally signs document, establishing
he is document owner/creator.
 verifiable, nonforgeable: recipient (Alice) can prove
to someone that Bob, and no one else (including
Alice), must have signed document

8-3
Digital signatures
simple digital signature for message m:
-
 Bob signs m by encrypting with his private key KB,
-
creating “ signed” message, KB(m)

- Bob’s private -
Bob’s message, m KB m,K B(m)
key
Dear Alice
Bob’s message,
Oh, how I have missed Public key m, signed
you. I think of you all the
time! …(blah blah blah) encryption (encrypted) with
algorithm his private key
Bob

8-4
Digital signatures
-
 suppose Alice receives msg m, with signature: m, KB(m)
 Alice verifies
-
m signed by Bob by applying Bob’s public key
+ + -
KB to KB(m) then checks KB(KB(m) ) = m.
+ -
 If KB(KB(m) ) = m, whoever signed m must have used Bob’s
private key.
Alice thus verifies that:
 Bob signed m
 no one else signed m
 Bob signed m and not m‘
non-repudiation:
 Alice can take m, and signature KB(m) to court and prove that
-
Bob signed m

8-5
Message digests large H: Hash
message Function
m
computationally expensive to
public-key-encrypt long
H(m)
messages
goal: fixed-length, easy- to- Hash function properties:
compute digital “ fingerprint  many-to-1
”
 produces fixed-size msg
 apply hash function H to m,
get fixed size message digest (fingerprint)
digest, H(m).  given message digest x,
computationally infeasible
to find m such that x = H(m)

8-6
Internet checksum: poor crypto hash function

Internet checksum has some properties of hash function:

 produces fixed length digest (16-bit sum) of message

 is many-to-one

But given message with given hash value, it is easy to find another
message with same hash value:

message ASCII format message ASCII format

IOU1 49 4F 55 31 IOU9 49 4F 55 39
00.9 30 30 2E 39 00.1 30 30 2E 31
9BOB 39 42 D2 42 9BOB 39 42 D2 42
B2 C1 D2 AC different messages B2 C1 D2 AC
but identical checksums!

8-7
Digital signature = signed message digest
Bob sends digitally signed Alice verifies signature, integrity
message: of digitally signed message:
large
message encrypted
m H(m)
msg digest
-
KB(H(m))
Bob’s large
private message
- Bob’s
key KB m
public
key +
KB
encrypted
msg digest
-
+ KB(H(m))
H(m) H(m)

equal
?
8-8
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity
4 Securing TCP connections: SSL
5 Operational security: firewalls and IDS

8-9
SSL: Secure Sockets Layer
 widelydeployed security  original goals:
protocol  Web e-commerce
 supported by almost all transactions
browsers, web servers
 encryption (especially
 https credit-card numbers)
 billions $/year over SSL  Web-server authentication
 variation -TLS: transport  optional client
layer security, RFC 2246 authentication
 provides  minimum hassle in doing
 confidentiality business with new
 integrity merchant
 available to all TCP
 authentication
applications
 secure socket interface
8-10
SSL and TCP/IP

Application Application

SSL
TCP
TCP
IP IP

normal application application with SSL

8-11
SSL: a simple secure channel
 handshake: Alice and Bob use their certificates,
private keys to authenticate each other and
exchange shared secret
 key derivation: Alice and Bob use shared secret to
derive set of keys
 data transfer: data to be transferred is broken up
into series of records
 connection closure: special messages to securely
close connection

8-12
Real SSL: handshake
Purpose
1. server authentication

2. negotiation: agree on crypto algorithms

3. establish keys

4. client authentication (optional)

8-13
SSL record format
1 byte 2 bytes 3 bytes
content
type SSL version length

data

MAC

data and MAC encrypted (symmetric algorithm)

8-14
 handshake: ClientHel
Real SSL k e:
lo

ServerHello
connection hands ha
Certificate
handshake:
: S erv e rHe lloDone
handshak e

handshake: ClientK
eyExchange
ChangeCipherS
pec

everything handshake: Finish

e d
henceforth
is encrypted ChangeCipherS
pec

ds ha k e: Finished
han

application_data

ata
application_d

Alert: warning, close

_notify
TCP FIN follows
8-15
Network Security: roadmap
1 What is network security?
2 Principles of cryptography
3 Message integrity
4 Securing TCP connections: SSL
5 Operational security: firewalls and IDS

8-16
Firewalls
firewall
isolates organization’s internal net from larger Internet,
allowing some packets to pass, blocking others

administered public
network Internet
trusted “good guys” untrusted “bad guys”
firewall
8-17
Firewalls: why
prevent denial of service attacks:
 SYN flooding: attacker establishes many bogus TCP
connections, no resources left for “ real” connections
prevent illegal modification/access of internal data
 e.g., attacker replaces CIA’s homepage with something else

allow only authorized access to inside network

 set of authenticated users/hosts
three types of firewalls:
 stateless packet filters
 stateful packet filters
 application gateways

8-18
Stateless packet filtering
Should arriving
packet be allowed in?
Departing packet let
out?

 internal network connected to Internet via router firewall

 router filters packet-by-packet, decision to forward/drop
packet based on:
 source IP address, destination IP address
 TCP/UDP source and destination port numbers
 ICMP message type
 TCP SYN and ACK bits
8-19
Stateless packet filtering: example
 example 1: block incoming and outgoing datagrams with
IP protocol field = 17 and with either source or dest port
= 23
 result: all incoming, outgoing UDP flows and telnet
connections are blocked
 example 2: block inbound TCP segments with ACK=0.
 result: prevents external clients from making TCP
connections with internal clients, but allows internal
clients to connect to outside.

8-20
Stateless packet filtering: more examples
Policy Firewall Setting
No outside Web access. Drop all outgoing packets to any IP
address, port 80
No incoming TCP connections, Drop all incoming TCP SYN packets
except those for institution’s to any IP except 130.207.244.203,
public Web server only. port 80

Prevent Web-radios from eating Drop all incoming UDP packets -

up the available bandwidth. except DNS and router broadcasts.

Prevent your network from being Drop all ICMP packets going to a
used for a smurf DoS attack. “broadcast” address (e.g.
130.207.255.255).
Prevent your network from being Drop all outgoing ICMP TTL expired
tracerouted traffic

8-21
Access Control Lists
 ACL: table of rules, applied top to bottom to incoming
packets: (action, condition) pairs
source dest source dest flag
action protocol
address address port port bit
outside of any
allow 222.22/16 TCP > 1023 80
222.22/16
allow outside of 222.22/16
TCP 80 > 1023 ACK
222.22/16
outside of
allow 222.22/16 UDP > 1023 53 ---
222.22/16
allow outside of 222.22/16
UDP 53 > 1023 ----
222.22/16
deny all all all all all all
8-22
Stateful packet filtering
 stateless packet filter: heavy handed tool
 admits packets that “ make no sense,” e.g., dest port = 80,
ACK bit set, even though no TCP connection established:

source dest source dest flag

action protocol
address address port port bit
allow outside of 222.22/16
TCP 80 > 1023 ACK
222.22/16

 stateful packet filter: track status of every TCP connection

 track connection setup (SYN), teardown (FIN): determine
whether incoming, outgoing packets “ makes sense”
 timeout inactive connections at firewall: no longer admit packets

8-23
Stateful packet filtering
 ACL augmented to indicate need to check connection
state table before admitting packet
source dest source dest flag check
action proto
address address port port bit conxion
outside of any
allow 222.22/16 TCP > 1023 80
222.22/16

allow outside of 222.22/16 x

TCP 80 > 1023 ACK
222.22/16

outside of
allow 222.22/16 UDP > 1023 53 ---
222.22/16

allow outside of 222.22/16 x

UDP 53 > 1023 ----
222.22/16

deny all all all all all all

8-24
Limitations of firewalls, gateways
 IP spoofing: router can’t  filters often use all or
know if data “ really” nothing policy for UDP
comes from claimed  tradeoff: degree of
source communication with
 if multiple app’s. need outside world, level of
special treatment, each has security
own app. gateway  many highly protected
 client software must know sites still suffer from
how to contact gateway. attacks
 e.g., must set IP address
of proxy in Web
browser
8-25
Intrusion detection systems
 packet filtering:
 operates on TCP/IP headers only
 no correlation check among sessions
 IDS: intrusion detection system
 deep packet inspection: look at packet contents (e.g.,
check character strings in packet against database of
known virus, attack strings)
 examine correlation among multiple packets
• port scanning
• network mapping
• DoS attack
8-26
Intrusion detection systems
 multiple IDSs: different types of checking at
different locations

firewall

internal
network
Internet

IDS Web DNS

server FTP server
sensors server
demilitarized
zone
8-27
Q/A
8-28