Chapter 7 – Security in Networks

Introduction to networks
Threats against network applications
Controls against network applications
Firewalls
Intrusion detection systems
Private e-mail

Terminal-Host Systems (created in the 1960s)

• Central host computer does all the processing
• Terminal is dumb: only a remote screen and keyboard
• Created in the 1960s, when microprocessors for terminal intelligence did not exist

Figure: terminals connected to a host

PC Networks: The Most Common Platform in Organizations

• Allows PCs to share resources
• Both Wintel (Windows/Intel) PCs and Macintoshes

Figure: PCs connected by a network

Network

A network is an any-to-any communication system
• Can connect any station to any other

Network: Each Station Has a Unique Network Address

• To connect, only need to know the receiver's address
• Like a telephone number

Figure: stations ABC, DEF, GHI, JKL and MNO on a network; one station says "Connect to GHI"

LANs and WANs: Networks Have Different Geographical Scopes

Local Area Networks (LANs)
• Small office
• Office building
• Industrial park / university campus

Wide Area Networks (WANs)
• Connect corporate sites, or
• Connect corporate sites with sites of customers and suppliers

Elements of a Simple LAN

• Hub or switch connects all stations
• Wiring is standard business telephone wiring (4 pairs in a bundle)

Figure: hub or switch with wiring to each station

Elements of a Simple LAN

• Client PCs are used by ordinary managers and professionals; they receive service
• Servers provide services to client PCs

Figure: several servers and client PCs on the LAN

Elements of a Simple LAN

Client PC
• Begin with a stand-alone PC
• Add a network interface card (NIC) to deal with the network
• Networks have many client PCs

Server
• Most PC nets have multiple servers

Wide Area Networks: WANs Link Sites (Locations)

• Usually sites of the same organization
• Sometimes, sites of different organizations

Figure: Site A, Site B and Site C connected by a WAN

Client/Server Processing: Two Programs

• Client program on client machine
• Server program on server machine
• Work together to do the required processing

Figure: client program on the client machine, server program on the server

Client/Server Processing: Cooperation Through Message Exchange

• Client program sends a Request message, such as a database retrieval request
• Server program sends a Response message to deliver the requested information or an explanation for failure

Figure: Request from the client program to the server program, Response back

Client/Server Processing: Widely Used on the Internet

For instance, web service
• Client program (browser) sends an HTTP request asking for a webserver file
• Server program (webserver application program) sends an HTTP response message with the requested webpage

Figure: HTTP Request Message from browser to webserver, HTTP Response Message back

Client/Server Processing: On the Internet, a Single Client Program, the Browser (also known as the client suite), Works with Many Kinds of C/S Server Applications

• WWW, some e-mail, etc.

Figure: one browser talking to a webserver and to an e-mail server

Standards Organizations and Architectures

TCP/IP Standards
• Created by the Internet Engineering Task Force (IETF)
• Named after its two most widely known standards, TCP and IP
  TCP/IP is the architecture, while TCP and IP are individual standards
  However, these are not its only standards, even at the transport and internet layers
• IETF standards dominate in corporations at the application, transport, and internet layers
  However, application, transport, and internet standards from other architectures are still used

Standards Organizations and Architectures

OSI Standards
• Reference Model of Open Systems Interconnection
• Created by the International Telecommunications Union-Telecommunications Standards Sector (ITU-T)
• And the International Organization for Standardization (ISO)
• OSI standards dominate the data link and physical layers
  Other architectures specify the use of OSI standards at these layers

OSI Reference Model

Figure 1.12 OSI Protocol Layers:
User / Application program
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data link
Layer 1: Physical
Physical medium

TCP/IP versus OSI: Lowest Four Layers Are Comparable in Functionality

TCP/IP               | OSI
---------------------|--------------
Application          | Application
                     | Presentation
                     | Session
Transport            | Transport
Internet             | Network
Data Link (use OSI)  | Data Link
Physical (use OSI)   | Physical

Internet Standards: Accessing the WWW from Home

Figure: layer stacks on the user PC (App, Trans, Int, DL, Phy), on a router (Int, DL, Phy) and on the webserver (App, Trans, Int, DL, Phy). HTTP (application) and TCP (transport) run between the user PC and the webserver; IP runs at the internet layer on every device. Between the user PC and the router the data link standard is PPP and the physical layer is a modem; between the router and the webserver the data link and physical standards are left as "?".

Indirect Communication

Application programs on different machines cannot communicate directly
• They are on different machines!

Figure: browser on the user PC and web application on the webserver, each sitting above Trans, Int, DL and Phy layers; the HTTP Request passes between them through those layers

Layer Cooperation on the Source Host

Application layer process passes the HTTP request to the transport layer process

Figure: user PC layers Application, Transport, Internet, Data Link, Physical; the HTTP Request is handed from Application down to Transport

Layer Cooperation on the Source Host

Transport layer makes TCP segments
• HTTP message is the data field
• Adds TCP header fields shown earlier
• Transport process "encapsulates" the HTTP request within a TCP segment

Figure: TCP segment = TCP header (TCP-H) + data field (HTTP Request)

Layer Cooperation on the Source Host

Transport layer process passes the TCP segment down to the internet layer process

Figure: the TCP segment is handed from Transport down to Internet on the user PC

Layer Cooperation on the Source Host

The internet layer process passes the IP packet to the data link layer process
• Internet layer messages are called packets

Figure: the IP packet is handed from Internet down to Data Link on the user PC

Layer Cooperation on the Source Host

The data link layer process passes the PPP frame to the physical layer process, which delivers it to the physical layer process on the first router, one bit at a time (no message at the physical layer)

Figure: the PPP frame is handed from Data Link down to Physical (10110 ...) on the user PC and on to the first router

Layer Cooperation on the Source Host

Recap: adding headers and trailers

Application:  HTTP msg
Transport:    HTTP msg | TCP-H
Internet:     HTTP msg | TCP-H | IP-H
Data Link:    HTTP msg | TCP-H | IP-H | PPP-H ... PPP-T
Physical:     bits (user PC)
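The header-adding sequence recapped above, as an added example that is not part of the original slides. The header layouts (a 4-byte "TCP-H", an 8-byte "IP-H", a 2-byte PPP header and a 2-byte PPP trailer with a toy checksum) are simplified stand-ins constructed for this example; only the PPP protocol number 0x0021 for IPv4 and the address 128.171.17.13 are real values, the latter taken from the DNS slides. The source host wraps the HTTP message layer by layer and the destination strips the headers in reverse order.

```python
import struct
import ipaddress

# Constructed sample HTTP request; the host name is the one used on the DNS slides.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: voyager.cba.hawaii.edu\r\n\r\n"

PPP_PROTOCOL_IPV4 = 0x0021  # real PPP protocol number for IPv4 (RFC 1661 / RFC 1700)


def tcp_encapsulate(src_port, dst_port, data):
    """Transport layer: toy 4-byte 'TCP-H' (source port, destination port) + data field."""
    return struct.pack("!HH", src_port, dst_port) + data


def tcp_decapsulate(segment):
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return (src_port, dst_port), segment[4:]


def ip_encapsulate(src_ip, dst_ip, segment):
    """Internet layer: toy 8-byte 'IP-H' = 32-bit source + 32-bit destination address."""
    return ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed + segment


def ip_decapsulate(packet):
    src_ip = str(ipaddress.IPv4Address(packet[:4]))
    dst_ip = str(ipaddress.IPv4Address(packet[4:8]))
    return (src_ip, dst_ip), packet[8:]


def ppp_encapsulate(packet):
    """Data link layer: 'PPP-H' (protocol field) in front, 'PPP-T' (toy checksum) behind."""
    header = struct.pack("!H", PPP_PROTOCOL_IPV4)
    trailer = struct.pack("!H", sum(header + packet) & 0xFFFF)  # stand-in for the real FCS
    return header + packet + trailer


def ppp_decapsulate(frame):
    header, packet, trailer = frame[:2], frame[2:-2], frame[-2:]
    if struct.unpack("!H", trailer)[0] != (sum(header + packet) & 0xFFFF):
        raise ValueError("PPP trailer check failed: frame corrupted in transit")
    if struct.unpack("!H", header)[0] != PPP_PROTOCOL_IPV4:
        raise ValueError("PPP payload is not an IPv4 packet")
    return packet


def physical_bits(frame):
    """Physical layer: no message of its own, just the frame as a string of bits."""
    return "".join(f"{byte:08b}" for byte in frame)


def build_frame(http_msg=HTTP_REQUEST):
    """Source host: each layer wraps whatever the layer above handed down."""
    segment = tcp_encapsulate(49152, 80, http_msg)                   # ports are constructed
    packet = ip_encapsulate("10.0.0.5", "128.171.17.13", segment)    # 10.0.0.5 is constructed
    return ppp_encapsulate(packet)


def unpack_frame(frame):
    """Destination: each layer strips its own header and passes the rest up."""
    packet = ppp_decapsulate(frame)
    (src_ip, dst_ip), segment = ip_decapsulate(packet)
    (src_port, dst_port), http_msg = tcp_decapsulate(segment)
    return {"ip": (src_ip, dst_ip), "tcp": (src_port, dst_port), "http": http_msg}


if __name__ == "__main__":
    frame = build_frame()
    print(f"{len(frame)} bytes = {len(HTTP_REQUEST)} HTTP + 4 TCP-H + 8 IP-H + 4 PPP-H/PPP-T")
    print(physical_bits(frame)[:32], "...")
    print(unpack_frame(frame))
```

The frame grows by exactly the header and trailer bytes each layer adds, and a single flipped bit anywhere in the frame is caught by the trailer check before the packet is passed up, which is the job the real PPP frame check sequence does.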

Protocols

A protocol is a standard for communication between peer processes, that is, processes at the same layer, but on different machines
• TCP, IP, and PPP all have "protocol" as their final "P"; they are all protocols
• TCP (Transmission Control Protocol) is the protocol governing communication between transport layer processes on two hosts

Figure: TCP message exchanged between the transport layer processes of two hosts

Domain Name System (DNS)

Only IP addresses are official
• e.g., 128.171.17.13
• These are 32-bit binary numbers
• Only they fit into the 32-bit destination and source address fields of the IP headers

Figure: IP packet with 32-bit source and destination addresses (110011...)

Domain Name System (DNS)

Users typically only know host names
• e.g., voyager.cba.hawaii.edu
• More easily remembered, but
• Will not fit into the address fields of an IP packet

Figure: "voyager.cba.hawaii.edu" does not fit into the IP packet address field (NO)

Internet and Data Link Layer Addresses

Each host and router on a subnet needs a data link layer address to specify its address on the subnet
• This address appears in the data link layer frame sent on a subnet
• For instance, 48-bit 802.3 MAC layer frame addresses for LANs

Figure: data link frame for the subnet carrying the subnet data link address (DA)

Addresses

Each host and router also needs an IP address at the internet layer to designate its position in the overall Internet

Figure: several subnets making up the Internet; a host on one of them has IP address 128.171.17.13

IPv6

Current version of the Internet Protocol is Version 4 (v4)
• Earlier versions were not implemented

The next version will be Version 6 (v6)
• No v5 was implemented
• Informally called IPng (Next Generation)

IPv6 is already defined
• Continuing improvements in v4 may delay its adoption

IPv6

IPv6 will raise the size of the internet address from 32 bits to 128 bits
• Now running out of IP addresses
• Will solve the problem
• But current work-arounds are delaying the need for IPv6 addresses

What Makes a Network Vulnerable?

• Anonymity
• Many points of attack (targets & origins)
• Sharing
• Complexity of system
• Unknown perimeter
• Unknown path

Who Attacks Networks

Hackers break into organizations from the outside
• Challenge
• Fame
• Money & espionage
• Ideology

However, most security breaches are internal, by employees and ex-employees

Threat Precursors

Port scan
Social engineering
• Reconnaissance
• Bulletin board / chat
• Docs
Packet sniffers (telnet/ftp in cleartext)

Network Security Threats

Interception
• If interceptor cannot read, have confidentiality (privacy)
• If cannot modify without detection, have message integrity

Network Security Threats: Impostors (Spoofing / Masquerade)

• Claim to be someone else
• Need to authenticate the sender: prove that they are who they claim to be

Figure: true person and impostor

Network Security Threats: Remotely Log in as Root User

• Requires cracking the root login password
• Then control the machine
• Read and/or steal information
• Damage data (erase hard disk)
• Create backdoor user account that will let them in easily later

Figure: root login command

Security Threats

Content threats
• Application layer content may cause problems
  Viruses: in many ways, the most severe security problem in corporations today
  Must examine application messages

Replay Attack

First, attacker intercepts a message
• Not difficult to do

Replay Attack

Later, attacker retransmits (replays) the message to the original destination host
• Does not have to be able to read a message to replay it

Replay Attack: Why replay attacks?

• To gain access to resources by replaying an authentication message
• In a denial-of-service attack, to confuse the destination host

Thwarting Replay Attacks

Put a time stamp in each message to ensure that the message is "fresh"
• Do not accept a message that is too old

Place a sequence number in each message
• Do not accept a duplicated message

Figure: message carrying a sequence number and a time stamp

Thwarting Replay Attacks

In request-response applications,
• Sender of request generates a nonce (random number)
• Places the nonce in the request
• Server places the nonce in the response
• Neither party accepts duplicate nonces

Figure: nonce carried in the request and echoed in the response
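The three anti-replay measures from the two preceding slides (time stamp, sequence number, nonce in request and response), as an added example written for this page; it is not code from the original slides. The message layout, field names and the 30-second freshness window are constructed for the example, and the clock is injectable so the behaviour can be checked deterministically.

```python
import secrets
import time


class ReplayGuard:
    """Receiver-side freshness checks for messages that carry a time stamp,
    a per-sender sequence number and a nonce."""

    def __init__(self, max_age_seconds=30.0, clock=time.time):
        self.max_age = max_age_seconds
        self.clock = clock
        self.highest_seq = {}     # sender -> highest sequence number accepted so far
        self.seen_nonces = set()  # accepted nonces (real systems bound this by the time window)

    def accept(self, msg):
        """Return (accepted, reason)."""
        age = self.clock() - msg["ts"]
        if abs(age) > self.max_age:
            return False, "stale time stamp"            # too old (or from the future)
        if msg["seq"] <= self.highest_seq.get(msg["sender"], -1):
            return False, "duplicate sequence number"   # this number, or a later one, already seen
        if msg["nonce"] in self.seen_nonces:
            return False, "duplicate nonce"
        self.highest_seq[msg["sender"]] = msg["seq"]
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


class Requester:
    """Client side of a request-response exchange: mints a fresh nonce per request
    and accepts only a response whose nonce matches an outstanding request."""

    def __init__(self):
        self.pending = {}   # nonce -> request body still awaiting its response

    def make_request(self, body):
        nonce = secrets.token_hex(16)   # 128 random bits; accidental reuse is not a practical concern
        self.pending[nonce] = body
        return {"nonce": nonce, "body": body}

    def accept_response(self, resp):
        if resp["nonce"] not in self.pending:
            return False    # unknown nonce, or response already consumed: replayed or forged
        del self.pending[resp["nonce"]]
        return True


class Responder:
    """Server side: refuses to serve the same nonce twice and echoes it in the response."""

    def __init__(self):
        self.seen = set()

    def handle(self, req):
        if req["nonce"] in self.seen:
            return None     # replayed request: drop it
        self.seen.add(req["nonce"])
        return {"nonce": req["nonce"], "body": b"OK:" + req["body"]}


def demo_sequence_and_timestamp(now=1000.0):
    """Runs the guard against a constructed message and three replays of it (fixed clock)."""
    guard = ReplayGuard(max_age_seconds=30.0, clock=lambda: now)
    fresh = {"sender": "pc-a", "seq": 1, "ts": now - 5, "nonce": "n1", "body": b"login"}
    results = [guard.accept(fresh)]                                              # accepted
    results.append(guard.accept(fresh))                                          # exact replay
    results.append(guard.accept({**fresh, "seq": 2, "ts": now - 120, "nonce": "n2"}))  # too old
    results.append(guard.accept({**fresh, "seq": 3, "ts": now - 1}))             # nonce reused
    return results


if __name__ == "__main__":
    for result in demo_sequence_and_timestamp():
        print(result)
    client, server = Requester(), Responder()
    req = client.make_request(b"balance?")
    resp = server.handle(req)
    print("first response accepted:", client.accept_response(resp))
    print("replayed request served:", server.handle(req) is not None)
    print("replayed response accepted:", client.accept_response(resp))
```

The freshness fields only help if the attacker cannot rewrite them: a replayed message with its time stamp or sequence number edited would pass these checks, so in practice they are covered by the message-by-message authentication the later Integrated Security System slides describe.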

Network Security Threats: Denial of Service (DoS) Attacks

• Overload system with a flood of messages
• Or, send a single message that crashes the machine

Denial of Service (DoS) Attacks

Transmission failure
Connection flooding
• Echo-Chargen
• Ping of Death
• Smurf
• SYN flood
• Traffic redirection
• DNS attacks
Distributed denial of service

VPNs

IETF developing IPsec security standards
• IP security
• At the internet layer
• Protects all messages at the transport and application layers

Figure: IPsec beneath TCP and UDP, which carry e-mail, WWW, database, etc.

VPNs: IPsec Transport Mode

• End-to-end security for hosts

Figure: secure communication from a host on one local network across the Internet to a host on another local network

VPNs: IPsec Tunnel Mode

• IPsec server at each site
• Secure communication between sites

Figure: an IPsec server at each local network; secure communication between the two servers across the Internet

VPNs: IPsec Modes Can Be Combined

• End-to-end transport mode connection
• Within site-to-site tunnel connection

Figure: tunnel mode between the two sites across the Internet, with a transport mode connection running end to end inside it

VPNs

Another security system for VPNs is the Point-to-Point Tunneling Protocol (PPTP)
• For dial-up connections, based on PPP
• Connects a user securely to a remote access server at a site

Figure: dial-up connection from the user across the Internet; PPTP connection to the remote access server on the site's local network

PKIs

To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI)
• A PKI automates most aspects of using public key encryption and authentication
• Uses a PKI server

Figure: PKI server

PKIs: PKI Server Creates Public Key-Private Key Pairs

• Distributes private keys to applicants securely
• Often, private keys are embedded in delivered software

Figure: PKI server delivering a private key

PKIs: PKI Server Provides CRL Checks

• Distributes digital certificates to verifiers
• Checks certificate revocation list before sending digital certificates

Figure: PKI server delivering a digital certificate

PKIs: CRL (Certificate Revocation List) Checks

• If applicant gives verifier a digital certificate,
• The verifier must check the certificate revocation list

Figure: verifier asks the PKI server "OK?"; the PKI server consults the CRL and answers "OK" or "Revoked"

Integrated Security System

When two parties communicate ...
• Their software usually handles the details
• First, negotiate security methods
• Then, authenticate one another
• Then, exchange symmetric session key
• Then can communicate securely using symmetric session key and message-by-message authentication
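The negotiation step and the final step of the integrated security system above, message-by-message authentication under a shared symmetric session key, as an added example written for this page; it is not code from the original slides and not the SSL/TLS record format. The method names, the record layout (8-byte sequence number, body, 32-byte HMAC-SHA256 tag) and the key handling are constructed for the example; mutual authentication and the protected delivery of the session key are assumed to have already taken place, so both ends simply start from the same key.

```python
import hashlib
import hmac
import secrets
import struct

MAC_LEN = hashlib.sha256().digest_size   # 32 bytes
SEQ_LEN = 8


def negotiate(client_offers, server_supports):
    """Step 1: pick the first method the client offers that the server also supports."""
    for method in client_offers:
        if method in server_supports:
            return method
    raise ValueError("no common security method")


class AuthenticatedChannel:
    """One direction of the session. Record = seq (8 bytes) || body || HMAC-SHA256(seq || body).
    Because the tag covers the sequence number, a replayed or renumbered record fails to verify."""

    def __init__(self, session_key):
        self.key = session_key
        self.send_seq = 0
        self.recv_seq = 0

    def seal(self, body):
        header = struct.pack("!Q", self.send_seq)
        self.send_seq += 1
        tag = hmac.new(self.key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def open(self, record):
        if len(record) < SEQ_LEN + MAC_LEN:
            raise ValueError("record too short")
        header, body, tag = record[:SEQ_LEN], record[SEQ_LEN:-MAC_LEN], record[-MAC_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time comparison
            raise ValueError("message authentication failed")
        seq = struct.unpack("!Q", header)[0]
        if seq != self.recv_seq:
            raise ValueError(f"replayed or out-of-order record (got {seq}, expected {self.recv_seq})")
        self.recv_seq += 1
        return body


def new_session():
    """Step 3, simulated: a fresh 256-bit session key known to both ends."""
    key = secrets.token_bytes(32)
    return AuthenticatedChannel(key), AuthenticatedChannel(key)   # sender side, receiver side


def run_session():
    """A short constructed session: two genuine records, one tampered copy, one replay.
    Returns (bodies delivered to the receiver, reasons for the rejected records)."""
    sender, receiver = new_session()
    delivered, rejected = [], []
    r1 = sender.seal(b"GET /account HTTP/1.1")
    r2 = sender.seal(b"POST /transfer amount=10")
    delivered.append(receiver.open(r1))
    tampered = r2[:-MAC_LEN - 2] + b"99" + r2[-MAC_LEN:]   # body edited to "amount=99", tag untouched
    for bad in (tampered, r1):                              # modified record, then a replay of r1
        try:
            receiver.open(bad)
        except ValueError as err:
            rejected.append(str(err))
    delivered.append(receiver.open(r2))                    # the genuine second record still arrives
    return delivered, rejected


if __name__ == "__main__":
    print("method:", negotiate(["hmac-sha1", "hmac-sha256"], {"hmac-sha256"}))
    bodies, reasons = run_session()
    print("delivered:", bodies)
    print("rejected:", reasons)
```

The standard library offers no authenticated encryption, so this example provides integrity and replay detection but not confidentiality; a real deployment uses an AEAD cipher under the session key so that the same tag check also protects the encrypted content, which is what SSL/TLS does at the record layer.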

Page 58: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

SSL Integrated Security SystemSSL Integrated Security System

SSLSSL• Secure Sockets LayerSecure Sockets Layer• Developed by NetscapeDeveloped by Netscape

TLS (now)TLS (now)• Netscape gave IETF control over SSLNetscape gave IETF control over SSL• IETF renamed it TLS (Transport Layer Security)IETF renamed it TLS (Transport Layer Security)• Usually still called SSLUsually still called SSL

Page 59: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Location of SSLLocation of SSL

Below the Application LayerBelow the Application Layer• IETF views it at the transport layerIETF views it at the transport layer• Protects all application exchangesProtects all application exchanges• Not limited to any single applicationNot limited to any single application

WWW transactions, e-mail, etc.WWW transactions, e-mail, etc.

SSL SSL

E-Mail WWW E-Mail WWW

Page 60: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

SSL OperationSSL Operation

Browser & Webserver Software Browser & Webserver Software Implement SSLImplement SSL• User can be unawareUser can be unaware

Page 61: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

SSL OperationSSL Operation SSL ISS ProcessSSL ISS Process

• Two sides negotiate security Two sides negotiate security parametersparameters

• Webserver authenticates itselfWebserver authenticates itself

• Browser may authenticate itself but Browser may authenticate itself but rarely doesrarely does

• Browser selects a symmetric session Browser selects a symmetric session key, sends to webserverkey, sends to webserver

• Adds a digital signature and encrypts all Adds a digital signature and encrypts all messages with the symmetric keymessages with the symmetric key

Page 62: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Importance of SSLImportance of SSL

Supported by Almost All BrowsersSupported by Almost All Browsers• De facto standard for Internet application De facto standard for Internet application

securitysecurity ProblemsProblems

• Relatively weak securityRelatively weak security

• Does not involve security on merchant Does not involve security on merchant serverserver

• Does not validate credit card numbersDoes not validate credit card numbers

• Viewed as an available but temporary Viewed as an available but temporary approach to consumer securityapproach to consumer security

Page 63: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Other ISSsOther ISSs

SSL is merely an example integrated SSL is merely an example integrated security systemsecurity system

Many other ISSs existMany other ISSs exist• IPsec IPsec • PPP and PPTPPPP and PPTP• Etc.Etc.

Page 64: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Other ISSsOther ISSs

All ISSs have the same general stepsAll ISSs have the same general steps

• Negotiate security parametersNegotiate security parameters

• Authenticate the partnersAuthenticate the partners

• Exchange a session keyExchange a session key

• Communicate with message-by-Communicate with message-by-message privacy, authentication, and message privacy, authentication, and message integritymessage integrity

Page 65: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec IPsec (IP security)IPsec (IP security) Security for transmission over IP Security for transmission over IP

networksnetworks• The InternetThe Internet

• Internal corporate IP networksInternal corporate IP networks

• IP packets sent over public switched IP packets sent over public switched data networks (PSDN)data networks (PSDN)

LocalNetwork

Internet LocalNetwork

Page 66: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec Why do we need IPsec?Why do we need IPsec?

• IP has no securityIP has no security• Add security to create a Add security to create a virtual virtual

private network (VPN)private network (VPN) to give to give secure communication over the secure communication over the Internet or another IP networkInternet or another IP network

LocalNetwork

Internet LocalNetwork

Page 67: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec

GenesisGenesis• Being created by the Internet Being created by the Internet

Engineering Task ForceEngineering Task Force• For both IP version 4 and IP version 6For both IP version 4 and IP version 6

Page 68: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec

Two Two ModesModes of operation of operation Tunnel ModeTunnel Mode

• IPsec serverIPsec server at each site at each site

• Secures messages going through the Secures messages going through the InternetInternet

LocalNetwork

Internet LocalNetwork

Secure Communication

IPsecServer

Page 69: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec

Tunnel ModeTunnel Mode• Hosts operate in their usual wayHosts operate in their usual way

Tunnel mode IPsec is Tunnel mode IPsec is transparenttransparent to the to the hostshosts

• No security within the site networks No security within the site networks

LocalNetwork

Internet LocalNetwork

Secure Communication

IPsecServer

Page 70: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec Two Modes of operationTwo Modes of operation Transport ModeTransport Mode

• End-to-end securityEnd-to-end security between the between the hostshosts

• Security within site networks as well Security within site networks as well • Requires hosts to implement IPsecRequires hosts to implement IPsec

LocalNetwork

Internet LocalNetwork

Secure Communication

Page 71: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec

Transport ModeTransport Mode• Adds a Adds a security headersecurity header to IP packet to IP packet• AfterAfter the main IP header the main IP header• Source and destination addresses of Source and destination addresses of

hosts can be learned by interceptorhosts can be learned by interceptor• Only the original data field is protectedOnly the original data field is protected

ProtectedOriginal Data Field

OriginalIP Header

TransportSecurityHeader

Page 72: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

IPsecIPsec Tunnel ModeTunnel Mode

• Adds a Adds a security headersecurity header beforebefore the the original IP headeroriginal IP header

• Has IP addresses of the source and Has IP addresses of the source and destination IPsec servers only, not destination IPsec servers only, not those of the source and destination those of the source and destination hostshosts

• Protects the main IP header Protects the main IP header

ProtectedOriginal Data Field

ProtectedOriginal

IP Header

TunnelSecurityHeader
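The two layouts of slides 71 and 72 built as bytes, as an added example that is not from the slides. The IPv4 header is the real RFC 791 layout packed with `struct`; the "security header" (SPI, sequence number, integrity tag) is a constructed stand-in for ESP/AH, and "protected" here means an HMAC tag over the covered bytes rather than encryption, so the packet stays inspectable. The addresses and the SA key are constructed. `interceptor_view` shows what a reader of the outer header learns in each mode, and `integrity_ok` shows that the IP header is covered in tunnel mode but not in transport mode.

```python
"""Transport-mode vs tunnel-mode packet layout (added example, not from the
slides). Real IPv4 header layout; constructed security header, key and addresses."""
import hashlib
import hmac
import ipaddress
import struct

SA_KEY = b"constructed-sa-key"
PROTO_SECURITY = 50          # IP protocol number of ESP, used as the marker here
IP_FMT = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options
SEC_LEN = 8 + 16             # SPI + sequence number + 16-byte tag

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Version/IHL, TOS, total length, id, flags/fragment, TTL, protocol,
    checksum (left 0 here), source, destination."""
    return struct.pack(IP_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def security_header(spi: int, seq: int, covered: bytes) -> bytes:
    tag = hmac.new(SA_KEY, covered, hashlib.sha256).digest()[:16]
    return struct.pack("!II", spi, seq) + tag

def transport_mode(src: str, dst: str, data: bytes) -> bytes:
    """Slide 71: security header after the original IP header; only data covered."""
    sec = security_header(1, 1, data)
    return ipv4_header(src, dst, PROTO_SECURITY, SEC_LEN + len(data)) + sec + data

def tunnel_mode(gw_src: str, gw_dst: str, src: str, dst: str, data: bytes) -> bytes:
    """Slide 72: the whole original packet (header and data) is covered and
    wrapped in a new header that names only the two IPsec servers."""
    inner = ipv4_header(src, dst, 6, len(data)) + data        # original TCP packet
    sec = security_header(2, 1, inner)
    return ipv4_header(gw_src, gw_dst, PROTO_SECURITY, SEC_LEN + len(inner)) + sec + inner

def interceptor_view(packet: bytes) -> dict:
    """What a reader on the Internet learns from the outer header alone."""
    _, _, total, _, _, _, proto, _, s, d = struct.unpack(IP_FMT, packet[:20])
    return {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
            "proto": proto, "total_len": total}

def integrity_ok(packet: bytes) -> bool:
    """Recompute the tag over everything behind the security header."""
    expected = hmac.new(SA_KEY, packet[44:], hashlib.sha256).digest()[:16]
    return hmac.compare_digest(packet[28:44], expected)

def flip_byte(packet: bytes, offset: int) -> bytes:
    """Copy of the packet with one byte altered (modification in transit)."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)

# Constructed: hosts 10.1.0.5 / 10.2.0.9, IPsec servers 192.0.2.1 / 198.51.100.1
DATA = b"GET / HTTP/1.0\r\n\r\n"
TRANSPORT = transport_mode("10.1.0.5", "10.2.0.9", DATA)
TUNNEL = tunnel_mode("192.0.2.1", "198.51.100.1", "10.1.0.5", "10.2.0.9", DATA)

if __name__ == "__main__":
    print("transport:", interceptor_view(TRANSPORT))   # host addresses exposed
    print("tunnel:   ", interceptor_view(TUNNEL))      # only the IPsec servers' addresses
    # Transport mode leaves the IP header uncovered: altering the destination
    # address (offset 16) goes unnoticed. In tunnel mode the same field of the
    # inner header (offset 44 + 16) is covered, so the alteration is caught.
    print(integrity_ok(flip_byte(TRANSPORT, 16)), integrity_ok(flip_byte(TUNNEL, 44 + 16)))
```

The outer header of the tunnel packet carries protocol 50 and the gateways' addresses; the inner header with the hosts' addresses sits behind the security header and is both hidden from the interceptor's view function and covered by the tag.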

Page 73
IPsec
Can combine the two modes
• Transport mode for end-to-end security
• Plus tunnel mode to hide the IP addresses of the source and destination hosts during passage through the Internet
[Figure: Local Network — Internet — Local Network; Tunnel Mode across the Internet, Transport Mode end to end]

Page 74
IPsec
Two forms of protection
• Encapsulating Security Protocol (ESP) security provides confidentiality as well as authentication
• Authentication Header (AH) security provides authentication but not confidentiality
  • Useful where encryption is forbidden by law
  • Provides slightly better authentication by providing authentication over a slightly larger part of the message, but this is rarely decisive

Page 75
IPsec
Modes and protection methods can be applied in any combination

         Tunnel Mode   Transport Mode
ESP      Supported     Supported
AH       Supported     Supported

Page 76
IPsec
Security Associations (SAs) are agreements between two hosts or two IPsec servers, depending on the mode
• “Contracts” for how security will be performed
• Negotiated
• Governs subsequent transmissions
[Figure: Host A ↔ Host B: Negotiate Security Association]

Page 77
IPsec
Security Associations (SAs) can be asymmetrical
• Different strengths in the two directions
• For instance, clients and servers may have different security needs
[Figure: SA for messages from A to B; SA for messages from B to A]

Page 78
IPsec
Policies may limit what SAs can be negotiated
• To ensure adequately strong SAs for the organization’s threats
• Gives uniformity to negotiation decisions
[Figure: Host A ↔ Host B: Security Association negotiations limited by policies]

Page 79
IPsec
First, two parties negotiate IKE (Internet Key Exchange) Security Associations
• IKE is not IPsec-specific
• Can be used in other security protocols
[Figure: Host A ↔ Host B: communication governed by IKE SA]

Page 80
IPsec
Under the protection of communication governed by this IKE SA, negotiate IPsec-specific security associations
[Figure: Host A ↔ Host B: IPsec SA negotiation, governed by the IKE SA]

Page 81
IPsec
Process of Creating IKE SAs (and other SAs)
• Negotiate security parameters within policy limitations
• Authenticate the parties using SA-agreed methods
• Exchange a symmetric session key using SA-agreed method
• Communicate securely with confidentiality, message-by-message authentication, and message integrity using SA-agreed method

Page 82
IPsec
IPsec has mandatory security algorithms
• Uses them as defaults if no other algorithm is negotiated
• Other algorithms may be negotiated
• But these mandatory algorithms MUST be supported

Page 83
IPsec
Diffie-Hellman Key Agreement
• To agree upon a symmetric session key to be used for confidentiality during this session
• Also does authentication
[Figure: Party A ↔ Party B]

Page 84
IPsec
Diffie-Hellman Key Agreement
• Each party sends the other a nonce (random number)
• The nonces will almost certainly be different
• Nonces are not sent confidentially
[Figure: Party A sends Nonce A; Party B sends Nonce B]

Page 85
IPsec
Diffie-Hellman Key Agreement
• From the different nonces, each party will be able to compute the same symmetric session key for subsequent use
• No exchange of the key; instead, agreement on the key
[Figure: From the nonces, Party A and Party B independently compute the same symmetric session key]
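The four ISS steps of slides 64 and 81, with the Diffie-Hellman agreement of slides 83 to 85 as the key step, run end to end as an added example that is not from the slides. The policy list, the pre-shared key and the toy-sized DH group are constructed (the prime is 2^127 - 1, far too small for real use; IKE uses 2048-bit and larger groups). The slides' "nonces" are the DH public values g^a mod p and g^b mod p here. One caveat the slides do not spell out: Diffie-Hellman alone gives two parties a shared key but does not tell either who the other is, so in this example authentication comes from each side proving knowledge of the pre-shared key over both public values.

```python
"""ISS steps: negotiate within policy, authenticate, DH key agreement, then
message-by-message authentication (added example, not from the slides).
Policy, pre-shared key and DH group are constructed."""
import hashlib
import hmac
import secrets

# Step 1: negotiate security parameters within policy limits (slides 78 and 81).
POLICY_ALLOWED = ["AES-256-GCM", "AES-128-GCM"]   # strongest first; nothing else allowed

def negotiate(offered: list, supported: list) -> str:
    """Choose in policy order, not the peer's order, so an offer listing a weak
    suite first cannot downgrade the session; fail closed if nothing fits."""
    for suite in POLICY_ALLOWED:
        if suite in offered and suite in supported:
            return suite
    raise ValueError("no suite satisfies policy")

# Step 2: authentication. Each side proves knowledge of a pre-shared key,
# bound to both DH public values so an old proof cannot be reused.
def auth_tag(psk: bytes, identity: str, nonce_a: int, nonce_b: int) -> bytes:
    msg = f"{identity}|{nonce_a}|{nonce_b}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()

# Step 3: Diffie-Hellman. Toy-sized prime, insecure in practice.
P = 2**127 - 1
G = 5

class Party:
    def __init__(self, name: str, psk: bytes):
        self.name, self.psk = name, psk
        self.secret = secrets.randbelow(P - 2) + 1   # private exponent, never sent
        self.nonce = pow(G, self.secret, P)          # the slides' "nonce": g^secret mod p
        self.key = None
        self.send_seq = self.recv_seq = 0

    def agree(self, peer_nonce: int, suite: str) -> None:
        """(g^b)^a = (g^a)^b mod p: both sides compute the same value without
        sending it; the session key is a hash of it bound to the suite."""
        shared = pow(peer_nonce, self.secret, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big") + suite.encode()).digest()

    # Step 4: message-by-message authentication and integrity under the session key.
    def protect(self, data: bytes) -> tuple:
        self.send_seq += 1
        tag = hmac.new(self.key, self.send_seq.to_bytes(4, "big") + data, hashlib.sha256).digest()
        return (self.send_seq, data, tag)

    def accept(self, msg: tuple) -> bytes:
        seq, data, tag = msg
        expected = hmac.new(self.key, seq.to_bytes(4, "big") + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("message authentication failed")
        if seq <= self.recv_seq:          # sequence numbers stop replays
            raise ValueError("replay detected")
        self.recv_seq = seq
        return data

def establish(a: Party, b: Party, a_offers: list, b_supports: list) -> str:
    """Steps 1-3 between a and b; returns the negotiated suite."""
    suite = negotiate(a_offers, b_supports)
    a_proof = auth_tag(a.psk, a.name, a.nonce, b.nonce)   # A -> B, over both nonces
    b_proof = auth_tag(b.psk, b.name, a.nonce, b.nonce)   # B -> A
    if not hmac.compare_digest(a_proof, auth_tag(b.psk, a.name, a.nonce, b.nonce)):
        raise ValueError(f"{b.name} could not authenticate {a.name}")
    if not hmac.compare_digest(b_proof, auth_tag(a.psk, b.name, a.nonce, b.nonce)):
        raise ValueError(f"{a.name} could not authenticate {b.name}")
    a.agree(b.nonce, suite)
    b.agree(a.nonce, suite)
    return suite

PSK = b"constructed-pre-shared-key"

def run_demo() -> dict:
    """Happy path plus three failure modes; returns a summary dict."""
    a, b = Party("A", PSK), Party("B", PSK)
    suite = establish(a, b, ["AES-128-GCM", "AES-256-GCM"], ["AES-256-GCM", "RC4"])
    msg = a.protect(b"hello")
    out = {"suite": suite, "keys_match": a.key == b.key, "first": b.accept(msg)}
    try:
        b.accept(msg)                       # same message delivered twice
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    try:
        establish(Party("A", PSK), Party("X", b"wrong-key"), ["AES-256-GCM"], ["AES-256-GCM"])
        out["impostor_rejected"] = False
    except ValueError:
        out["impostor_rejected"] = True
    try:
        establish(Party("A", PSK), Party("B", PSK), ["RC4"], ["RC4"])
        out["weak_only_rejected"] = False
    except ValueError:
        out["weak_only_rejected"] = True
    return out

if __name__ == "__main__":
    print(run_demo())
```

Two design choices carry the security: negotiation iterates over the policy list rather than the peer's offer, so the result is the strongest suite the policy allows and not the first one the peer named; and each party's proof covers both public values, so a party that does not know the pre-shared key cannot complete step 2 even though it can complete the DH arithmetic.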

Page 86
Kerberos
Kerberos was a 3-headed dog in Greek mythology
• Guarded the gates of the dead
• Decided who might enter
• Talk about strong security!

Page 87
Kerberos
Three Parties are Present
• Kerberos server
• Applicant host
• Verifier host
[Figure: Applicant — Kerberos Server — Verifier]

Page 88
Kerberos
Kerberos Server shares a symmetric key with each host
• Key shared with the Applicant will be called Key AS (Applicant-Server)
• Key shared with verifier will be Key VS
[Figure: Applicant —Key AS— Kerberos Server —Key VS— Verifier]

Page 89
Kerberos
Applicant sends message to Kerberos server
• Logs in and asks for ticket-granting ticket (TGT)
• Authenticates the applicant to the server
• Server sends back ticket-granting ticket
• TGT allows applicant to request connections
[Figure: Applicant → Kerberos Server: TGT request; Kerberos Server → Applicant: TGT]

Page 90
Kerberos
To connect to the verifier
• Applicant asks Kerberos server for credentials to introduce the applicant to the verifier
• Request includes the Ticket-Granting Ticket
[Figure: Applicant → Kerberos Server: Credentials request]

Page 91
Kerberos
Kerberos server sends the credentials
• Credentials include the session Key AV that applicant and verifier will use for secure communication
• Encrypted with Key AS so that interceptors cannot read it
[Figure: Kerberos Server → Applicant: Credentials = Session Key AV, Service Ticket]

Page 92
Kerberos
Kerberos server sends the credentials
• Credentials also include the Service Ticket, which is encrypted with Key VS; Applicant cannot read or change it
[Figure: Kerberos Server → Applicant: Credentials = Session Key AV, Service Ticket]

Page 93
Kerberos
Applicant sends the Service Ticket plus an Authenticator to the Verifier
• Service ticket contains the symmetric session key (Key AV)
• Now both parties have Key AV and so can communicate with confidentiality
[Figure: Applicant → Verifier: Service Ticket (contains Key AV) + Authenticator]

Page 94
Kerberos
Applicant sends the Service Ticket plus an Authenticator to the Verifier
• Authenticator contains information encrypted with Key AV
  • Guarantees that the service ticket came from the applicant, which alone knows Key AV
  • Service ticket has a time stamp to prevent replay
[Figure: Applicant → Verifier: Service Ticket (contains Key AV) + Authenticator]
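The credential flow of slides 88 to 94 as a runnable simulation, added here and not taken from the slides or from any Kerberos implementation. The three parties, the long-term keys (Key AS, Key VS) and the lifetimes are constructed; `encrypt` and `decrypt` are a constructed toy (an HMAC-SHA256 keystream with encrypt-then-MAC) that is enough to show who can read and who can alter each ticket, not a real cipher. The simulation checks the three properties the slides state: the applicant cannot open the service ticket, the verifier recovers Key AV from it, and a re-presented authenticator is refused.

```python
"""Kerberos TGT, credentials, service ticket and authenticator (added example,
not from the slides). Toy authenticated encryption; constructed keys and names."""
import hashlib
import hmac
import json
import secrets
import time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce | ciphertext | tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    """Raises ValueError on a wrong key or any alteration of the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class KerberosServer:
    """Shares one long-term key with each host (Key AS and Key VS, slide 88)."""
    def __init__(self, host_keys: dict):
        self.host_keys = host_keys
        self.tgt_key = secrets.token_bytes(32)   # only the server can read TGTs

    def login(self, applicant: str) -> bytes:
        """Slide 89: issue a ticket-granting ticket."""
        return encrypt(self.tgt_key, {"applicant": applicant, "expires": time.time() + 8 * 3600})

    def credentials(self, tgt: bytes, verifier: str) -> bytes:
        """Slides 90-92: fresh Key AV plus a service ticket sealed under Key VS,
        the bundle sealed under Key AS so only the applicant can open it."""
        claim = decrypt(self.tgt_key, tgt)
        if claim["expires"] < time.time():
            raise ValueError("TGT expired")
        key_av = secrets.token_hex(16)
        ticket = encrypt(self.host_keys[verifier], {"applicant": claim["applicant"],
                                                    "key_av": key_av, "expires": time.time() + 300})
        return encrypt(self.host_keys[claim["applicant"]],
                       {"key_av": key_av, "verifier": verifier, "service_ticket": ticket.hex()})

class Verifier:
    def __init__(self, key_vs: bytes):
        self.key_vs = key_vs
        self.seen = set()   # authenticators already accepted (replay check)

    def accept(self, service_ticket: bytes, authenticator: bytes) -> str:
        """Slides 93-94: Key AV comes out of the ticket (opened with Key VS); the
        authenticator must open under that Key AV, match the ticket, be fresh,
        and not have been presented before."""
        ticket = decrypt(self.key_vs, service_ticket)
        if ticket["expires"] < time.time():
            raise ValueError("service ticket expired")
        key_av = bytes.fromhex(ticket["key_av"])
        auth = decrypt(key_av, authenticator)
        if auth["applicant"] != ticket["applicant"] or abs(auth["time"] - time.time()) > 300:
            raise ValueError("authenticator does not match ticket or is stale")
        if (auth["applicant"], auth["time"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["applicant"], auth["time"]))
        return ticket["key_av"]

KEY_AS, KEY_VS = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed

def run_flow() -> dict:
    kdc, verifier = KerberosServer({"A": KEY_AS, "V": KEY_VS}), Verifier(KEY_VS)
    creds = decrypt(KEY_AS, kdc.credentials(kdc.login("A"), "V"))   # applicant opens with Key AS
    key_av, ticket = bytes.fromhex(creds["key_av"]), bytes.fromhex(creds["service_ticket"])
    out = {}
    try:
        decrypt(KEY_AS, ticket)        # applicant tries to read the service ticket
        out["ticket_readable_by_applicant"] = True
    except ValueError:
        out["ticket_readable_by_applicant"] = False
    auth = encrypt(key_av, {"applicant": "A", "time": time.time()})
    out["verifier_got_key_av"] = verifier.accept(ticket, auth) == creds["key_av"]
    try:
        verifier.accept(ticket, auth)  # the same authenticator presented again
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    return out

if __name__ == "__main__":
    print(run_flow())
```

The verifier never talks to the Kerberos server during `accept`: everything it needs is inside the ticket, which only Key VS opens, and the authenticator proves the presenter holds the Key AV that the server placed in that ticket.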

Page 95
Kerberos
Subsequent communication between the applicant and verifier uses the symmetric session key (Key AV) for confidentiality
[Figure: Applicant ↔ Verifier: communication encrypted with Key AV]

Page 96
Kerberos
The Service Ticket can contain more than Key AV
If the applicant is a client and the verifier is a server, service ticket may contain
• Verifier’s user name and password
• List of rights to files and directories on the server
[Figure: Verifier]

Page 97
Kerberos
Is the basis for security in Microsoft Windows 2000
Only uses symmetric key encryption for reduced processing cost

Page 98
Firewalls
Firewall sits between the corporate network and the Internet
• Prevents unauthorized access from the Internet
• Facilitates internal users’ access to the Internet
[Figure: Firewall between the Internet and the corporate network; access only if authenticated (OK / No)]

Page 99
Firewalls
Packet Filter Firewalls
• Examine each incoming IP packet
• Examine IP and TCP header fields
• If bad behavior is detected, reject the packet
• No sense of previous communication: analyzes each packet in isolation
[Figure: IP Packet → IP Firewall]

Page 100
Firewalls
Application (Proxy) Firewalls
• Filter based on application behavior
• Do not examine packets in isolation: use history
  • In HTTP, for example, do not accept a response unless an HTTP request has just gone out to that site
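The contrast between slides 99 and 100 in code, as an added example that is not from the slides. Packets are constructed dicts standing in for the IP and TCP header fields a firewall parses; the internal address range and the traffic are constructed, and the permitted inbound ports are those the default-deny posture on slide 108 lists (SMTP 25, DNS 53, HTTP 80, SSL 443). The stateless filter has to let in anything that merely looks like a reply to an internal client, because it has no memory of what went out; the proxy filter keeps that history and refuses the response nobody asked for.

```python
"""Stateless packet filter vs history-aware HTTP proxy filter (added example,
not from the slides). Addresses, ports and traffic are constructed."""

INTERNAL_PREFIX = "10.0.0."                 # constructed internal network
ALLOWED_INBOUND_PORTS = {25, 53, 80, 443}   # slide 108's expressly permitted services

def packet_filter(pkt: dict) -> str:
    """Slide 99: decide from this packet's header fields alone, default deny."""
    if pkt["direction"] == "in" and pkt["src"].startswith(INTERNAL_PREFIX):
        return "reject: internal source address arriving from outside"
    if pkt["direction"] == "in" and pkt["proto"] == "tcp":
        if pkt["dst_port"] in ALLOWED_INBOUND_PORTS:       # to a permitted internal server
            return "accept"
        if pkt["src_port"] in ALLOWED_INBOUND_PORTS and pkt["dst_port"] >= 1024:
            return "accept"   # looks like a reply to an internal client; cannot verify that
        return "reject: default deny"
    if pkt["direction"] == "out":
        return "accept"
    return "reject: default deny"

class HttpProxyFilter:
    """Slide 100: remember outbound requests and accept an inbound HTTP response
    only if a request recently went out from that host to that site."""
    def __init__(self, window_seconds: float = 30.0):
        self.window = window_seconds
        self.pending = {}   # (internal host, site) -> time the request left

    def outbound_request(self, host: str, site: str, now: float) -> str:
        self.pending[(host, site)] = now
        return "accept"

    def inbound_response(self, host: str, site: str, now: float) -> str:
        sent = self.pending.pop((host, site), None)
        if sent is None or now - sent > self.window:
            return "reject: no matching outbound request"
        return "accept"

# Constructed sample traffic, in order: an internal client's request, the
# matching reply, an unsolicited packet shaped like a reply, a telnet attempt,
# a packet claiming an internal source address, and mail to the mail server.
PACKETS = [
    {"direction": "out", "proto": "tcp", "src": "10.0.0.5", "src_port": 49152, "dst": "203.0.113.8", "dst_port": 80},
    {"direction": "in", "proto": "tcp", "src": "203.0.113.8", "src_port": 80, "dst": "10.0.0.5", "dst_port": 49152},
    {"direction": "in", "proto": "tcp", "src": "198.51.100.9", "src_port": 80, "dst": "10.0.0.7", "dst_port": 49153},
    {"direction": "in", "proto": "tcp", "src": "198.51.100.9", "src_port": 40000, "dst": "10.0.0.7", "dst_port": 23},
    {"direction": "in", "proto": "tcp", "src": "10.0.0.9", "src_port": 40000, "dst": "10.0.0.7", "dst_port": 443},
    {"direction": "in", "proto": "tcp", "src": "198.51.100.20", "src_port": 40001, "dst": "10.0.0.25", "dst_port": 25},
]

def run_demo() -> dict:
    """Stateless decisions for every packet, then the history-aware decisions
    for the two inbound HTTP responses (the second was never requested)."""
    stateless = [packet_filter(p) for p in PACKETS]
    proxy = HttpProxyFilter()
    t = 1000.0
    proxy.outbound_request("10.0.0.5", "203.0.113.8", t)
    solicited = proxy.inbound_response("10.0.0.5", "203.0.113.8", t + 0.2)
    unsolicited = proxy.inbound_response("10.0.0.7", "198.51.100.9", t + 0.3)
    return {"stateless": stateless, "solicited": solicited, "unsolicited": unsolicited}

if __name__ == "__main__":
    for pkt, decision in zip(PACKETS, run_demo()["stateless"]):
        print(pkt["src"], "->", pkt["dst"], ":", pkt["dst_port"], decision)
    print(run_demo()["solicited"], "|", run_demo()["unsolicited"])
```

The third packet is the one that separates the two designs: the stateless filter accepts it (source port 80, high destination port, nothing in the header says it is unsolicited), while the proxy filter rejects it because no internal host asked 198.51.100.9 for anything.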

Page 101
Firewalls
Application (Proxy) Firewalls
• Hide internal internet addresses
• Internal user sends an HTTP request
• HTTP proxy program replaces user internet address with proxy server’s IP address, sends to the webserver
[Figure: HTTP Request → proxy → Request with Proxy Server’s IP Address → webserver]

Page 102
Firewalls
Application (Proxy) Firewalls
• Webserver sends response to proxy server, to proxy server IP address
• HTTP proxy server sends the IP packet to the originating host
• Overall, proxy program acts on behalf of the internal user
[Figure: webserver → Response to Proxy Server’s IP Address → proxy → HTTP Response → internal host]

Page 103
Firewalls
Why Hide Internal IP Addresses?
• The first step in an attack usually is to find potential victim hosts
• Sniffer programs read IP packet streams for IP addresses of potential target hosts
• With proxy server, sniffers will not learn IP addresses of internal hosts
[Figure: Sniffer sees the proxy’s (false) IP address rather than the host’s IP address]

Page 104
Firewalls
Application Firewalls
• Need a separate program (proxy) for each application
• Not all applications have rules that allow filtering

Page 105
Intrusion Detection
Intrusion detection software to detect and report intrusions as they are occurring
• Lets organization stop intruders so that intruders do not have unlimited time to probe for weaknesses
• Helps organization assess security threats
• Audit logs list where intruder has been: vital in legal prosecution

Page 106
Intrusion Detection
Signature-based IDS – performs simple pattern-matching and reports situations that match a pattern corresponding to a known attack type
Heuristic IDS (anomaly based) – builds a model of acceptable behavior and flags exceptions to that model
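Both detection styles from slide 106, run over constructed web-server log lines, as an added example that is not from the slides or any IDS product. The log format, the signature patterns and the baseline rule (requests per source within three standard deviations of a training period) are constructed. The live log carries one request that matches known patterns and one source that makes twenty requests for pages that do not exist: the signature detector reports only the former, the anomaly detector only the latter, which is the complementary strength and weakness of each approach.

```python
"""Signature-based vs anomaly-based detection over constructed log lines
(added example, not from the slides). Format, patterns and threshold constructed."""
import re
import statistics
from collections import Counter

LOG_RE = re.compile(r'^(?P<src>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$')

# Signature IDS: patterns for known attack types (constructed, deliberately small).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "sensitive file request": re.compile(r"/etc/passwd"),
}

def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def signature_alerts(lines: list) -> list:
    """Report (source, attack type) for every line matching a known pattern."""
    alerts = []
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts

def build_baseline(training_lines: list) -> dict:
    """Anomaly IDS, training phase: 'acceptable' is a per-source request count
    no higher than mean + 3 standard deviations of the training period."""
    counts = Counter(rec["src"] for rec in filter(None, map(parse, training_lines)))
    values = list(counts.values())
    return {"threshold": statistics.mean(values) + 3 * statistics.pstdev(values)}

def anomaly_alerts(lines: list, baseline: dict) -> list:
    """Flag sources whose request count exceeds the learned threshold. Paths are
    never inspected, so a novel attack can be caught, and an unusual but
    legitimate client can be flagged just as easily."""
    counts = Counter(rec["src"] for rec in filter(None, map(parse, lines)))
    return [(src, f"{n} requests, threshold {baseline['threshold']:.1f}")
            for src, n in counts.items() if n > baseline["threshold"]]

def log_line(src: str, path: str, status: int = 200) -> str:
    """Constructed access-log line."""
    return f'{src} [10/Oct/2024:13:55:36 +0000] "GET {path}" {status}'

# Training data: four ordinary clients making 4, 5, 6 and 5 requests.
NORMAL_PATHS = ["/", "/index.html", "/about", "/products", "/cart", "/contact"]
TRAINING_LOG = [log_line(src, p)
                for src, k in [("198.51.100.10", 4), ("198.51.100.11", 5),
                               ("198.51.100.12", 6), ("198.51.100.13", 5)]
                for p in NORMAL_PATHS[:k]]
# Live data: two ordinary requests, one known-pattern probe, and one source
# making 20 requests for nonexistent pages (matches no signature).
LIVE_LOG = ([log_line("198.51.100.10", "/products"), log_line("198.51.100.11", "/cart"),
             log_line("203.0.113.7", "/download?file=../../etc/passwd", 403)]
            + [log_line("203.0.113.9", f"/page{n}", 404) for n in range(20)])

if __name__ == "__main__":
    print(signature_alerts(LIVE_LOG))
    print(anomaly_alerts(LIVE_LOG, build_baseline(TRAINING_LOG)))
```

With the training counts above the threshold works out to about 7.1 requests per source, so a legitimate client that suddenly makes eight requests would be flagged too; that false-positive rate, and the choice of what "acceptable behavior" is measured over, is the operational cost of the anomaly approach that the signature approach avoids at the price of missing anything without a pattern.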

Page 107: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Intrusion DetectionIntrusion Detection Network-based IDS – stand-alone Network-based IDS – stand-alone

device attached to the network to device attached to the network to monitor traffic throughout networkmonitor traffic throughout network

Host-based IDS – runs on a single Host-based IDS – runs on a single workstation or client or host, to workstation or client or host, to protect that one hostprotect that one host

Page 108: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Default-Deny PostureDefault-Deny Posture

Perimeter Settings: Perimeter Settings: block all protocols except block all protocols except those expressly permitted [i.e. SMTP(25), those expressly permitted [i.e. SMTP(25), DNS(53), HTTP(80), SSL(443),…]DNS(53), HTTP(80), SSL(443),…]

Internal Settings: Internal Settings: block all unnecessary traffic block all unnecessary traffic between internal network segments, remote & between internal network segments, remote & VPN connectionsVPN connections

Security Configurations: Security Configurations: harden servers & harden servers & workstations to run only necessary services and workstations to run only necessary services and applicationsapplications

Segment NetworksSegment Networks Patch ManagementPatch Management

Page 109: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Secure E-mailSecure E-mail

Message interception (confidentiality)Message interception (confidentiality) Message interception (blocked delivery)Message interception (blocked delivery) Message interception and subsequent replayMessage interception and subsequent replay Message content modificationMessage content modification Message origin modificationMessage origin modification Message content forgery by outsiderMessage content forgery by outsider Message origin forgery by outsiderMessage origin forgery by outsider Message content forgery by recipientMessage content forgery by recipient Message origin forgery by recipientMessage origin forgery by recipient Denial of message transmissionDenial of message transmission

Page 110: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Requirements and SolutionsRequirements and Solutions

Message confidentialityMessage confidentiality Message integrityMessage integrity Sender authenticitySender authenticity nonrepudiationnonrepudiation

Page 111: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Examples of Secure E-mail Examples of Secure E-mail SystemsSystems

PGP (Pretty Good Privacy) – uses PGP (Pretty Good Privacy) – uses public key ring; confidentiality, public key ring; confidentiality, integrityintegrity

S/MIME (Secure Multipurpose Internet S/MIME (Secure Multipurpose Internet Mail Extensions) – uses certificatesMail Extensions) – uses certificates

Page 112: Chapter 7 –Security in Networks  Introduction to networks  Threats against network applications  Controls against network applications  Firewalls

Multi-Layer SecurityMulti-Layer Security Security Can be Applied at Multiple Security Can be Applied at Multiple

Layers SimultaneouslyLayers Simultaneously

• Application layer security for database, Application layer security for database, e-mail, etc.e-mail, etc.

• Transport layer: SSLTransport layer: SSL

• Internet layer: IPsec Internet layer: IPsec

• Data link layer: PPTP, L2TPData link layer: PPTP, L2TP

• Physical layer: locksPhysical layer: locks


Multi-Layer Security

Applying security at 2 or more layers is good

• If security is broken at one layer, the communication will still be secure

However,

• Security slows down processing

• Multi-layer security slows down processing at each layer


Total Security

Network Security is Only Part

Server Security

• Hackers can take down servers with denial-of-service attack

• Hacker can log in as root user and take over the server

• Steal data, lock out legitimate users, etc.


Total Security

Server Security

• Occasionally, weaknesses are discovered in server operating systems

• This knowledge is quickly disseminated

• Known security weaknesses


Total Security

Server Security

• Server operating system (SOS) vendors create patches

• Many firms do not download patches

• This makes them vulnerable to hackers, who quickly develop tools to probe for and then exploit known weaknesses
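The practical counterpart of "many firms do not download patches" is a patch-status check: compare what each server actually runs against the version in which a known weakness was fixed. The script below is an added example, not from the slides or any vendor tool. The host inventory, package names and "fixed in" versions are constructed placeholders for the demo; a real run would read the inventory from a configuration database and the fixed versions from the vendor's advisories.

```python
"""Added example: flag hosts whose installed package version is older than
the version in which a known weakness was fixed (constructed data)."""
import re

# Constructed inventory lines: "<host> <package> <installed_version>"
INVENTORY = """\
web01 openssh-server 8.9p1
web02 openssh-server 9.6p1
db01  bind9          9.16.1
db02  bind9          9.18.24
mail1 postfix        3.8.4
"""

# Constructed advisory table: package -> version that contains the fix
ADVISORIES = {
    "openssh-server": "9.6p1",
    "bind9": "9.18.0",
}


def parse_version(v: str) -> tuple:
    """Split '8.9p1' or '9.18.24' into a comparable tuple.
    Each component is tagged (0, int) or (1, str) so numeric and alphabetic
    parts never get compared directly and raise; numbers sort before letters.
    Assumption: vendor versions are simple enough for this lexical scheme."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def unpatched(inventory: str, advisories: dict) -> list:
    """Return (host, package, installed, fixed_in) for every host whose
    installed version is older than the advisory's fixed version."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = line.split()
        fixed = advisories.get(pkg)
        if fixed is None:
            continue  # no recorded weakness for this package
        if parse_version(ver) < parse_version(fixed):
            findings.append((host, pkg, ver, fixed))
    return findings


if __name__ == "__main__":
    for host, pkg, ver, fixed in unpatched(INVENTORY, ADVISORIES):
        print(f"{host}: {pkg} {ver} is below fixed version {fixed}")
```

Distribution vendors often backport fixes without bumping the upstream version string, so in production the comparison should be made against the distribution's own package version rather than the upstream number shown here.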


Total Security

Client PC Security

• Known security weaknesses exist but patches are rarely downloaded

• Users often have no passwords or weak passwords on their computer

• Adversaries take over client PCs and can therefore take over control of SSL and other secure communication protocols


Total Security

Application Software

• May contain viruses

• Must filter incoming messages

• Database and other applications can add their own security with passwords and other protections


Total Security

Managing Users

• Often violate security procedures, making technical security worthless

• Social engineering: attacker tricks user into violating security procedures


Defense in Depth

• Firewalls

• Antivirus

• Intrusion Detection Systems

• Intrusion Protection Systems