Network Security

Information Security
Unit 5:
Network Security
Slide Credits: Sunil Paudel
Protocol Encapsulation

Encapsulation
- The process of wrapping data before sending it to the next protocol in the stack
Layering
- The key concept is to separate the function of each layer

[Figure: each layer wraps the packet handed down from the layer above]
  SMTP/Telnet/FTP Packet
  TCP Packet      = TCP Header | SMTP/Telnet/FTP Packet
  IP Packet       = IP Header | TCP Packet
  Ethernet Packet = Ethernet Header | IP Packet | Ethernet Trailer
TCP/IP vs. OSI Model

OSI Model (A)      | TCP/IP Suite (B)  | TCP/IP Layers (protocols)
7 Application      | Application       | FTP, HTTP, SMTP, TFTP, Telnet, SNMP, FTAM,
6 Presentation     |                   | NetBIOS, WinSock, APPC, DHCP
5 Session          |                   |
4 Transport        | Host-to-Host      | TCP, UDP
3 Network          | Internet          | IP, ICMP, ARP, RARP
2 Data Link        | Network Access    | LLC, MAC
1 Physical         |                   |
Physical Layer: Threats

Attacking:
- Once the physical layer is breached, it is very difficult for other access controls to prevent access.
- Copper wire can be attacked by cutting, tapping, etc.
- Optical fiber cabling can be attacked by cutting and tapping.
- Both wired and wireless technologies are susceptible to sniffing (the collection of signals).
- Wireless can be attacked by jamming, interception, or other forms of resource (e.g., bandwidth) exhaustion.
- Equipment can be attacked because of weak authentication, by shutting it down, by disturbing/degrading the signal, by reprogramming, and by tapping.

Physical Layer: Controls
- Controls over physical wiring include:
  - Shielding
  - Using conduit to reduce the threat of cutting, or using pressurized conduit to detect a breach.
  - A Faraday cage (named for physicist Michael Faraday) is a device used to block or contain radio and electromagnetic signals. It generally consists of a thin sheet or mesh of conducting material enclosing a particular space.
- Wireless signal controls include:
  - Encryption and
  - Authentication.
- Equipment should be placed behind locked doors, enclosed in cabinets, and shielded.
Data Link Layer: Threats
- An attacker with access to the link may carry out a number of attacks, including those on:
  - Confidentiality - An attacker may:
    - Try to discover user identities by sniffing authentication traffic.
    - Attempt to recover the pass-phrase by mounting an offline dictionary or brute force attack.
    - Be an employee who installs unapproved (rogue), open wireless access points that do not conform to the security policy. Employee laptops may also be configured to allow file sharing or unauthenticated sessions.
  - Integrity - An attacker may try to:
    - Modify or spoof packets
    - Convince the peer to connect to an untrusted network by mounting a man-in-the-middle attack.
    - Disrupt the authentication negotiation in order to force the selection of a weak authentication method.
  - Availability - An attacker may:
    - Launch denial of service attacks

Data Link Layer: Controls
- The control mechanism consists of:
  - Encryption
  - Authentication
  - Tunneling
  - RF Management
- Authentication, Tunneling and Radio Frequency Management assume that:
  - Identities are managed properly.
  - Authentication tokens are created, issued, and revoked properly.
  - The wired infrastructure is already adequately secure.
  - Intrusion detection is in place.
  - Policies are in place and auditing takes place to ensure that policies are complied with.

Wireless Encryption
- Encrypted transmission is a key building block in WLAN security.
- While it is not uncommon to use VPN connections over WLAN, the WLAN should provide its own, native protection of content from eavesdroppers.
- Characteristics of wireless encryption methods:
Network Layer: Threats
- When IP was conceived, there was no need for complex authentication mechanisms, and the security and encryption technology that we now require was not even available.
- Today's challenges are not the result of shortcomings in the architecture, but of a system whose intended use has grown beyond all original expectations.
- A key shortcoming of IP is its lack of authentication, allowing spoofing-based attacks.
- IP also has to deal with shortcomings in implementations that allow attacks based on deliberate misuse of the protocol.

Internet Protocol (IP)
- Allows transmission over long distances
- Transfers messages between hosts on physically different networks
- Unreliable
- Connectionless
- Messages are "packetized" into IP datagrams
User Datagram Protocol (UDP)
- Uses "ports" to define the ultimate endpoint on a machine
- Connectionless
- No retransmission
- No guarantee of delivery
- UDP User Datagram Format:

    UDP Source Port (16 bits)     | UDP Destination Port (16 bits)
    UDP Message Length (16 bits)  | UDP Checksum (16 bits)
    Data ...
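The layering described above, carried through in code as an added example (this is not code from the slides). It builds an IP datagram around a UDP datagram for constructed sample addresses and ports, computes the IP Header Checksum and the UDP Checksum (which also covers a pseudo-header of addresses, protocol and length), then peels the layers back off and verifies both; a single flipped bit in the header makes the check fail.

```python
import socket
import struct

# Added example, not from the slides: build and parse an IP datagram that
# carries a UDP datagram, computing both checksums, to show how each layer
# wraps the one above it. Addresses, ports and payload below are constructed.


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header (no options) with the Header Checksum filled in."""
    ver_ihl = (4 << 4) | 5                   # version 4, IHL = 5 words
    flags_frag = 0x4000                      # DF flag set, fragment offset 0
    fields = (ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst))
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    return header[:10] + struct.pack("!H", ones_complement_sum(header)) + header[12:]


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """UDP datagram: Source Port, Destination Port, Length, Checksum, Data."""
    length = 8 + len(data)
    # The UDP checksum also covers a pseudo-header (addresses, protocol, length)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, length)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    checksum = ones_complement_sum(pseudo + header + data) or 0xFFFF  # 0 means "none"
    return struct.pack("!HHHH", sport, dport, length, checksum) + data


def encapsulate(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Application data -> UDP datagram -> IP datagram (innermost first)."""
    udp = build_udp(src, dst, sport, dport, data)
    return build_ipv4_header(src, dst, len(udp), proto=17) + udp


def decapsulate(packet: bytes) -> dict:
    """Peel the layers back off and verify both checksums."""
    (ver_ihl, _tos, total_length, _ident, _ff, ttl, proto, _hcs,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = ones_complement_sum(packet[:ihl]) == 0       # a valid header sums to zero
    sport, dport, length, _ucs = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    segment = packet[ihl:ihl + length]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, length)
    udp_ok = ones_complement_sum(pseudo + segment) == 0
    return {
        "version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "total_length": total_length, "ip_checksum_ok": ip_ok,
        "sport": sport, "dport": dport, "udp_checksum_ok": udp_ok,
        "data": segment[8:],
    }


if __name__ == "__main__":
    pkt = encapsulate("10.0.0.1", "10.0.0.3", 40000, 53, b"hello")  # constructed sample
    print(pkt.hex())
    print(decapsulate(pkt))
```

Note that neither checksum is a security control: anyone who forges a packet recomputes them, which is why the IP spoofing slides below still apply.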
Transmission Control Protocol (TCP)
- Reliable
- End-to-end connection ("virtual circuit")
  - Opens a "pipe" between two hosts
  - Both systems must agree to communicate
  - Guaranteed delivery

TCP/UDP "Ports"
- Allow multiple connections to a machine
- "Well-known" services are assigned ports
  - For example, mail is 25, WWW/HTTP is 80
  - Usually corresponds to a server
- Some ports are assigned dynamically
  - "Client" ports
  - Certain services
- Some ports are "reserved"
- Other well-known services are defined in RFC 1700
LAN Security
- Local area networks facilitate the storage and retrieval of programs and data used by a group of people. LAN software and practices also need to provide for the security of these programs and data.
- LAN risks and issues
- Dial-up access controls

Security Issues in the TCP/IP Protocol Suite
- Eavesdropping
- IP address spoofing
- Source routing
- ICMP redirects
- TCP connection spoofing
- Connection hijacking
- Protocol spoofing
Eavesdropping
- Traditional Ethernet is a "broadcast" medium implemented with hubs
- All machines will "see" traffic destined for anywhere on the LAN

[Figure: hosts A, B and X attached to the same hub]
IP Source Address Spoofing
- Example: "A" (10.0.0.1) sends a packet to "C" (10.0.0.3), pretending to be "B" (10.0.0.2)
- Any machine can make up an IP address
- But "B" receives the replies

[Figure: IP header of the spoofed packet]
  Vers | Hlen | Service Type | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address: 10.0.0.2 (B's address, forged by A)
  Destination Address: 10.0.0.3 (C)
  IP Options (if any) | Padding
  Data ...
Source Routing
- IP lets the source specify the exact route to the destination
- The destination will use the same static route to reply
- Attacker X can insert:
  - Source address of Y
  - Source route from X
- The packet will go directly to X, not Y
- Source routing can lead to IP spoofing

Connection Impersonation

[Figure: handshake messages between Machine A, Machine B and Machine X; the messages shown are SYN(A,SEQ), SYN(B,SEQ), ACK(B,SEQ), ACK(A,SEQ) and SYN(C,SEQ)]

Connection Hijacking

[Figure: Machine A, Machine B and Machine X on one segment; the A-B exchange carries sequence/acknowledgement numbers 11, 12, 13, 14 and 73, 74, 75, which X observes]
- X can eavesdrop
- X has context
- No need to predict sequence numbers
- X can impersonate A effectively
- If X's packets get to B before A's, X will have a connection
Countermeasures
- TCP connection spoofing
  - Packet filters and firewalls
  - Lack of trust between systems
- Connection hijacking
  - Session encryption (ssh, vpn, ssl, ipsec)
  - Network-level authentication
  - Periodic re-authentication of users
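An added example, not from the slides, to make the impersonation and hijacking slides concrete: a model of Machine B's side of the handshake, which only establishes a connection when the ACK carries B's initial sequence number plus one, together with the check a defender runs to see whether a stack's ISNs can be forecast from earlier ones. If they advance by a constant, a third party who never saw B's SYN/ACK can still supply the right number, which is why unpredictable ISNs belong beside the filtering and encryption countermeasures listed above. The hosts and the two ISN generators are constructed for the example.

```python
import secrets
from itertools import count
from typing import Callable, Dict, Set

# Added example, not from the slides: Machine B's view of the TCP three-way
# handshake plus a predictability check for initial sequence numbers.
# Hosts ("A", "X") and both ISN generators are constructed.

MASK = 0xFFFFFFFF   # sequence numbers are 32-bit


class Listener:
    """Machine B: records the ISN it sent in its SYN/ACK for each claimed source
    and completes the connection only when the ACK equals that ISN + 1."""

    def __init__(self, next_isn: Callable[[], int]):
        self.next_isn = next_isn
        self.pending: Dict[str, int] = {}    # claimed source -> ISN we chose
        self.established: Set[str] = set()

    def on_syn(self, src: str) -> int:
        isn = self.next_isn()
        self.pending[src] = isn
        return isn            # sent back toward src in the SYN/ACK

    def on_ack(self, src: str, ack: int) -> bool:
        isn = self.pending.get(src)
        if isn is None or ack != (isn + 1) & MASK:
            return False      # no SYN outstanding, or the ACK does not match our ISN
        self.established.add(src)
        del self.pending[src]
        return True


def sequential_isn(step: int = 64000) -> Callable[[], int]:
    """ISN generator that advances by a fixed step per connection (constructed,
    modelled on early BSD stacks); one observed ISN lets anyone forecast the next."""
    counter = count(0, step)
    return lambda: next(counter) & MASK


def random_isn() -> Callable[[], int]:
    """ISN generator drawing from a cryptographic RNG; each value is independent."""
    return lambda: secrets.randbits(32)


def predictable(next_isn: Callable[[], int], samples: int = 8) -> bool:
    """Defender's check: open several connections and see whether the ISNs
    advance by a constant difference."""
    isns = [next_isn() for _ in range(samples)]
    diffs = {(b - a) & MASK for a, b in zip(isns, isns[1:])}
    return len(diffs) == 1


if __name__ == "__main__":
    print("sequential predictable:", predictable(sequential_isn()))   # True
    print("random predictable:", predictable(random_isn()))           # False
    b = Listener(random_isn())
    isn = b.on_syn("A")
    print("A completes with ISN+1:", b.on_ack("A", isn + 1))          # True
```

Modern stacks derive the ISN from a keyed hash of the connection 4-tuple plus a clock (RFC 6528) rather than a plain counter, which is what makes the second check above come back false in practice.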
Protocol Spoofing
- DNS (Domain Name System)
  - Forge the translation between names and addresses
  - Resolvers blindly accept name mapping results from name servers
- NIS (Network Information Service)
  - Anyone can be an NIS server
  - Anyone can query an NIS server
    - Obtain NIS information (password files, host names)
    - Can be done across networks
- SNMP (Simple Network Management Protocol)
  - Relies on "community strings" - simple passwords
  - Defaults are "public" and "private" - often not changed
  - Anyone can issue an SNMP command
- Routing Protocols (RIP, OSPF, IGRP, EIGRP, BGP4)
  - Can be exploited to change the path over which communication occurs

Major Internet Layer Protocols
- Address Resolution Protocol (ARP)
  - Matches an IP address to a MAC address
- Reverse Address Resolution Protocol (RARP)
  - MAC to IP address
- Internet Control Message Protocol (ICMP)
  - Is a management protocol
- FTP, TFTP, NFS, SMTP, LPD, X-windows, SNMP
Typical Network Architecture

[Figure: Internet - Router - Firewall - Internal Network, with e-mail, DNS and www servers on a separate segment]

What Is a Firewall?
- A hardware/software system that securely regulates communication between networks
- Typical components of a strong perimeter defense:
  - Packet filter
  - Proxy servers
  - Screening routers
  - Secure bastion hosts
  - Authentication server
What Firewalls Can Do
- Provide focused security
  - Centralized administration, configuring, logging, auditing
  - Focused points of control
- Provide a secure network perimeter
  - Separate sensitive portions of the intranet
- Build Virtual Private Networks (VPNs)
  - Extensions to the network

What Firewalls Can't Do
- Provide complete confidentiality
  - Eavesdropping is still possible
  - Firewalls are evolving in this area with VPNs
- Provide integrity
  - No assurances of traffic content
  - Packets can still be tampered with along the way
  - Virus checking is only beginning to catch on
- Prevent packet forgery
  - No end-to-end controls

Principles of Firewalls
- "That which is not explicitly denied, is allowed"
- "That which is not explicitly allowed, is denied"
- Firewall building blocks:
  - Packet Filters
  - Proxy Servers
  - Screening Routers
  - Secure Bastion Hosts
  - Authentication Server
Packet Filter
- Router-based or host-based
- Access control rules are generally specified by:
  - Interface
  - Direction
  - IP source/destination address
  - TCP/UDP source/destination port
  - Protocol
  - Customized filters

[Figure: packet filter example - a user runs "telnet mail.COMP.com"; the hosts shown are mail.COMP.com (192.193.249.8) and shell.COMP.com (163.39.250.195)]
Router-Based Packet Filters
- Pros:
  - Inexpensive - you need a router anyway
- Cons:
  - Some well-known limitations (e.g., UDP, RPC)
  - No authentication
  - Inadequate logging
  - Difficult configuration
    - Order matters
    - Syntax is complicated
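A first-match packet filter as an added example (not the slides' code) built from the rule fields listed on the Packet Filter slide: interface, direction, protocol, source/destination address and port, with "that which is not explicitly allowed, is denied" as the default. It also shows why the Cons slide says order matters: the same rules with the anti-spoofing deny moved below the web allow rule let a packet with a forged internal source address through. Interface names, the address ranges and the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example, not from the slides: a first-match packet filter using the
# rule fields the slides list. Interface names, address ranges and the sample
# packets below are constructed values.

INTERNAL = "10.0.0.0/8"        # constructed: the site's internal address space
DMZ_WEB = "192.0.2.10/32"      # constructed: public web server on the DMZ


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on, e.g. "ext" or "int"
    direction: str    # "in" (arriving on iface) or "out" (leaving via iface)
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    iface: Optional[str] = None    # None means "any" for every field below
    direction: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR prefix
    dst: Optional[str] = None      # CIDR prefix
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.direction is None or self.direction == p.direction)
            and (self.proto is None or self.proto == p.proto)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == p.dport)
        )


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Walk the list in order; the first matching rule decides, else the default policy."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return default, "default policy"


# Anti-spoofing comes first: a packet arriving on the external interface that
# claims an internal source cannot be genuine and must never reach an allow rule.
RULES = [
    Rule("deny", iface="ext", direction="in", src=INTERNAL,
         comment="anti-spoofing: internal source on external interface"),
    Rule("allow", iface="ext", direction="in", proto="tcp", dst=DMZ_WEB, dport=80,
         comment="HTTP IN to DMZ web server"),
    Rule("allow", iface="int", direction="in", proto="tcp", src=INTERNAL, dport=80,
         comment="HTTP OUT from internal users"),
    Rule("allow", iface="int", direction="in", proto="tcp", src=INTERNAL, dport=21,
         comment="FTP OUT from internal users"),
]

# Same rules with the first two swapped: "order matters" - the allow rule now
# matches a spoofed packet before the anti-spoofing rule is ever consulted.
MISORDERED = [RULES[1], RULES[0]] + RULES[2:]


if __name__ == "__main__":
    spoofed = Packet("ext", "in", "tcp", "10.0.0.5", "192.0.2.10", 4444, 80)
    print(evaluate(RULES, spoofed))        # ('deny', 'anti-spoofing: ...')
    print(evaluate(MISORDERED, spoofed))   # ('allow', 'HTTP IN to DMZ web server')
```

The rule list deliberately has no catch-all entry so that the `default` argument, not the last rule, expresses which of the two firewall principles is in force.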
Network Address Translation
- Some sites use unregistered IP addresses
- Want to hide the bogus addresses and use real ones
- Solution - Network Address Translation
  - Described in RFCs 1597 and 1918
- There are three ways to translate:
  - Single External Address
  - One-to-one mapping
  - Dynamically Allocated Address
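A toy translator as an added example (not from the slides) for the three ways to translate listed above: one shared external address with a distinct external port per internal flow, a static one-to-one mapping, and a dynamically allocated pool that can be exhausted. The internal addresses are constructed samples from the RFC 1918 private range and the external ones from a documentation range.

```python
import itertools
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not from the slides: the three translation styles as small
# classes. Internal addresses (10.0.0.0/8) and external addresses (203.0.113.x)
# are constructed sample values.

Endpoint = Tuple[str, int]   # (IP address, port)


class SingleExternalAddress:
    """Every internal host is hidden behind one external address; a distinct
    external port per internal flow lets replies be mapped back."""

    def __init__(self, external: str, first_port: int = 40000):
        self.external = external
        self._ports = itertools.count(first_port)
        self._out: Dict[Endpoint, Endpoint] = {}   # inside -> translated
        self._back: Dict[int, Endpoint] = {}       # external port -> inside

    def outbound(self, inside: Endpoint) -> Endpoint:
        if inside not in self._out:
            port = next(self._ports)
            self._out[inside] = (self.external, port)
            self._back[port] = inside
        return self._out[inside]

    def inbound(self, external_port: int) -> Optional[Endpoint]:
        # Only flows an inside host already opened can be reached from outside
        return self._back.get(external_port)


class OneToOne:
    """Static mapping: each internal address has its own dedicated external address,
    so inbound connections to that external address are possible."""

    def __init__(self, mapping: Dict[str, str]):
        self._out = dict(mapping)
        self._back = {ext: inside for inside, ext in mapping.items()}

    def outbound(self, inside_ip: str) -> Optional[str]:
        return self._out.get(inside_ip)

    def inbound(self, external_ip: str) -> Optional[str]:
        return self._back.get(external_ip)


class DynamicPool:
    """External addresses are leased from a pool on first use and returned on
    release; once the pool is empty, new internal hosts cannot be translated."""

    def __init__(self, pool: Iterable[str]):
        self._free: List[str] = list(pool)
        self._lease: Dict[str, str] = {}

    def outbound(self, inside_ip: str) -> Optional[str]:
        if inside_ip not in self._lease:
            if not self._free:
                return None            # pool exhausted
            self._lease[inside_ip] = self._free.pop(0)
        return self._lease[inside_ip]

    def release(self, inside_ip: str) -> None:
        self._free.append(self._lease.pop(inside_ip))


if __name__ == "__main__":
    pat = SingleExternalAddress("203.0.113.1")
    print(pat.outbound(("10.0.0.1", 5000)), pat.outbound(("10.0.0.2", 5000)))
    print(OneToOne({"10.0.0.1": "203.0.113.11"}).inbound("203.0.113.11"))
    pool = DynamicPool(["203.0.113.21"])
    print(pool.outbound("10.0.0.1"), pool.outbound("10.0.0.2"))
```

The single-address table is also why unsolicited inbound packets to a masquerading translator go nowhere: with no matching entry, `inbound` returns None.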
Proxy Servers

[Figure: Internet - External Router - Bastion Host - Internal Network]

- Modified server software acts as the user's "proxy"
- May require modification of client software
- The user connects to the proxy software but doesn't access the firewall operating system
- The user interacts with the proxy; the proxy interacts with the server
- User and server may not know the proxy exists
- The session continues transparently after the initial connection
- Generally application specific

Firewall Trends - Doing More
- Firewalls are incorporating more and more technologies (like UTMS):
  - Web servers, mail servers, and DNS
  - Virus checking
  - Authentication
  - Encryption
- Increases usefulness
- Increases complexity
  - Complexity can be the enemy of security
Bastion Host
- A machine that is visible to the outside world
  - A potential target for attacks
- Securing a bastion host:
  - Monitor closely
  - Disable all unnecessary services
  - Remove other programs (compilers, interpreters, etc.)
  - Turn off "IP forwarding"
  - Protect existing services with wrappers
  - Use static routes
Secure Configuration of Routers
- Access should be limited
  - Attach a terminal
  - Limit access to a few sites (internally)
- User/password combination
  - Not supported by most routers
- Authentication
  - TACACS
- Routing
  - Don't accept RIP updates
  - Static route to the service provider
  - Turn off source routing

Firewall Security Systems
- Examples of firewall implementations
  - Screened-host firewall
  - Dual-homed firewall
  - Demilitarized zone (DMZ)
- Firewall platforms
  - Using hardware or software
  - Appliances versus normal servers

Network Infrastructure Security
- Firewall Security Systems
  - Firewall issues
    - A false sense of security
    - The circumvention of the firewall
    - Misconfigured firewalls
    - What constitutes a firewall
    - Monitoring activities may not occur on a regular basis
  - Firewall policies
Architectures

#1 Bare Bones
- Just a router with Access Control Lists
- Very scaled down
- Acceptable, if you are able to control the security on all hosts of the internal network

[Figure: Internet - Router - Internal Network]

Bare Bones Architecture
- All your eggs are in the router basket
- If the router fails, or if a new attack is devised, you are vulnerable
- Not a fine level of control, logging, management
- Not realistic for a significantly sized user base

#2 Router and Host Based Firewall
- Recommend that filtering be done at both the router and the firewall
  - Extra management, but it's worth it

[Figure: Internet - Router - Firewall - Internal Network]

Router and Host Firewall Architecture
- Concern about where to put servers
  - WWW, DNS, e-mail
- Locate them on the firewall
  - Concerns! If one of the services has a vulnerability, compromise of the entire firewall is possible
  - Adding a DMZ could help alleviate this concern
#3 Router and Host Based with DMZ
- Add a DeMilitarized Zone (DMZ) for additional services
- DMZ aka "perimeter network"

[Figure: Internet - Router - Firewall - Internal Network, with the e-mail, DNS and www servers on a DMZ segment between the router and the firewall]

Router & Host with DMZ
- Keep filtering at both the router and the firewall
- Concern - if one of the servers on the DMZ fails, other servers can be taken over
  - Attacker grabs the www server and installs a sniffer
  - Attacker gets passwords for all other machines
- To minimize this possibility:
  - Use a switching hub on the DMZ
  - Use encryption where possible
- Another concern - outside systems are only protected by the router

#4 Tri-homed Firewall Host
- Variation of #3:
  - Tri-homed firewall
    - All logging, suspicious activity detection, etc. of the firewall is available

[Figure: Internet - Router - Firewall; the firewall has a third interface for the DMZ (e-mail, DNS, www) in addition to the Internal Network]

Tri-homed Firewall Host
- Provides greater protection of DMZ servers
  - The firewall's resources can protect and log
  - Can control at a greater level of detail all accesses to servers on the DMZ
- Single point to administer protection
- Single point of failure
Accessing Internal Hosts from the Internet
- Giving access to the public or semi-public to databases inside the corporation
  - Over the Internet!
- The potential for cost savings is large
  - On-line banking, trading, and insurance applications
- For any of the following approaches, use an encrypted session (SSL) for transport across the Internet

Approach A - Replicate
[Figure: Internet - Router - Firewall - Internal Network; the www server has its own replicated DB outside the firewall, the Customer DB stays on the Internal Network]
- Somewhat secure, but non-interactive
- Providing update access may be required

Approach B - Use database replication
[Figure: Internet - Router - Firewall - Internal Network; the www DB outside the firewall is replicated from the Customer DB on the Internal Network]
- Be careful punching holes through the firewall
- Encrypt if possible
- Use a switching hub on the DMZ

Approach C
[Figure: Internet - Router; the www server connects to the Customer DB directly, without passing the firewall in front of the Internal Network]
- Very bad - this bypasses the firewall
- The web server provides potential exposure to the internal network

Approach D
[Figure: Internet - Router - Firewall - Internal Network; the www server reaches the Customer DB through the firewall]
- The WWW server accesses the database by going through the firewall
- Safer than A with respect to confidentiality, because the firewall can more tightly control access
- Concerns about snooping and hijacking
Firewall Protocol Policy
- Maintain a "protocol policy" - identify what is permitted and what is not
- Easy to update/maintain lists
- Some connections are allowed with security in place:
  - Strong authentication
  - Access control
  - Encryption
- This should be reflected in policy

Firewall Comparison

Type                       | Pros                             | Cons
Packet Filters             | Application independent          | Low security
                           | High performance                 | No protection above the network layer
                           | Scalable                         |
Application Proxy Gateways | Good security                    | Poor performance
                           | Fully aware of application layer | Limited application support
                           |                                  | Poor scalability
Stateful Inspection        | Good security                    | More expensive
                           | High performance                 |
                           | Scalable                         |
                           | Fully aware of application layer |
                           | Extensible                       |
Sample Protocol Policy

Service    | Policy                                                       | Justification
FTP IN     | Allowed to DMZ server                                        | Public documents need to be available
Telnet IN  | Allowed using strong authentication to specific destinations | Remote users and business partners need to access information, applications
Telnet OUT | Allowed by all full-time employees                           | Users need to access external information
FTP OUT    | Allowed to all users                                         | Users need to access external information
HTTP IN    | Allowed to DMZ server                                        | Public documents need to be available
HTTP OUT   | Allowed to all users                                         | Users need to access external information

Remote Management of Firewalls
- Many firewalls support secured remote management
- Or use some form of strong authentication
  - One-time passwords
  - Cryptographic authentication
- SSH (Secure Shell)
  - Allows remote login to a machine from specific hosts
  - All traffic encrypted
  - Knowledge of the key is necessary to connect
Remote Access Security Management
- Dialup
- DSL, ISDN, wireless computing and cable modems
- Securing enterprise & telecommuting remote connectivity
  - Securing external connectivity using SSL, VPN and SSH
  - Remote access authentication systems (TACACS, RADIUS, etc.)
  - Authentication security protocols (PAP, CHAP, etc.)
- Remote user management issues
  - User support and inventory management

Methods of Remote Access
- Terminal emulation - a single window connects to the remote system
  - Such as vt100, other terminal windows
- Remote control - direct connection to a "captive" remote host
  - Such as pcAnywhere, Citrix, etc.
- Remote node - places the remote system on the local network
  - Such as NT/RAS, PPP, NetWare Connect, VPN, PPTP

Remote Access Architectures
- Local modems - used for remote control or terminal emulation
  - Discouraged - difficult to control and monitor
- Modem pools - provide centralized dial-in access
  - Easy to add security/authentication mechanisms
- Dial on demand routing
  - Common with ISDN access
  - Only connects when traffic is detected
- Access servers
  - Centralized access point - similar to a firewall or router
Remote Access Security
- Dialback
- Local authentication
- Authentication servers
- Password authentication
- One-time passwords/tokens
- Authentication protocols
  - PPP authentication protocols (PAP, CHAP)
  - PPTP / L2TP
  - IPSec
  - Authentication protocols (TACACS, RADIUS, TACACS+)
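An added example, not from the slides, of the two PPP authentication protocols named above: PAP sends the password itself across the link, while CHAP (RFC 1994) sends only MD5(identifier || secret || challenge) for a fresh random challenge, so a response captured on the link is useless against the next challenge. Peer names and the shared secret are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Added example, not from the slides: CHAP (RFC 1994) beside PAP on the
# access-server side. Peer names and secrets below are constructed.


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Access-server side. Secrets are held here and are never sent."""

    def __init__(self, secrets_by_peer: Dict[str, bytes]):
        self._secrets = secrets_by_peer
        self._ident = 0
        self._outstanding: Dict[str, Tuple[int, bytes]] = {}

    def chap_challenge(self, peer: str) -> Tuple[int, bytes]:
        """Step 1: send a fresh identifier and random challenge to the peer."""
        self._ident = (self._ident + 1) & 0xFF
        challenge = secrets.token_bytes(16)
        self._outstanding[peer] = (self._ident, challenge)
        return self._ident, challenge

    def chap_verify(self, peer: str, ident: int, response: bytes) -> bool:
        """Step 3: recompute the expected response; each challenge is usable once."""
        stored = self._outstanding.pop(peer, None)
        if stored is None or stored[0] != ident or peer not in self._secrets:
            return False
        expected = chap_response(ident, self._secrets[peer], stored[1])
        return hmac.compare_digest(expected, response)

    def pap_verify(self, peer: str, password: bytes) -> bool:
        """PAP: the peer sends the password itself across the link."""
        stored = self._secrets.get(peer)
        return stored is not None and hmac.compare_digest(stored, password)


def chap_login(auth: Authenticator, peer: str, secret: bytes) -> bool:
    """Peer side of the exchange (step 2 is computing the response)."""
    ident, challenge = auth.chap_challenge(peer)
    return auth.chap_verify(peer, ident, chap_response(ident, secret, challenge))


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    auth = Authenticator({"alice": secret})
    print("CHAP login:", chap_login(auth, "alice", secret))            # True
    ident, chal = auth.chap_challenge("alice")
    captured = chap_response(ident, secret, chal)                       # seen on the link
    auth.chap_verify("alice", ident, captured)
    ident2, _ = auth.chap_challenge("alice")
    print("captured response reused:", auth.chap_verify("alice", ident2, captured))  # False
```

CHAP still requires the authenticator to store the secret in a recoverable form, and MD5 is only what the RFC specifies; the point of the example is the challenge, which is what PAP lacks.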
Other Access Methods
- Cable modems
- Digital Subscriber Loop (DSL)
- Both provide high bandwidth to home users
  - "Always on"
  - Leads to increased targeting of home systems
  - Also enables widespread attacks
- Personal IDS / firewall systems
  - Provide localized protection from remote packets
- Use a secure VPN for remote access

IPSec Security Architecture
- Detailed in RFC 2411
- Two parts:
  - Authentication Header (AH)
  - Encapsulating Security Payload (ESP)
- Security Parameters Index (SPI)
  - Security "associations"
  - Pre-negotiated keys, algorithms, Initialization Vectors (IVs), etc.
VPN Connectivity Models

[Figure: three models drawn as VPN tunnels across the INTERNET - Lan-2-Lan (a Corporate Network with computers, resources, a laser printer and an application server, tunnelled to another site), Remote Access (a single computer tunnelled to the corporate network), and B-2-B (two partner networks tunnelled to each other)]
VPN Benefits & Needs
- A VPN is a communication method to leverage the flexibility and cost advantage of the Internet.
- A VPN allows an enterprise to reduce its dependencies on expensive leased-line networks and troublesome remote-access solutions by establishing virtual connections across shared IP networks.
- Internet Service Providers benefit from VPNs by offering multi-tiered VPN services to their customers.

VPN Connectivity Models (Cont)

Connectivity Model   | Trust               | Business Application               | Requirements
Lan-2-Lan / Intranet | Trusted             | Branch to HQ                       | Transparency, Performance, Availability
Remote Access        | Trusted/Not-trusted | Telecommuters and mobile employees | Connectivity
B-2-B / Extranet     | Not-trusted         | B-2-B / Partners                   | Security, Minimum impact on environment
VPN Types
- Firewall-to-Firewall
  - Data is encrypted when it leaves Firewall #1 and crosses the Internet
  - The data is authenticated and decrypted when it reaches Firewall #2.

[Figure: Payroll (PRIVATE, not encrypted) - Firewall Module #1 - Internet (PUBLIC, encrypted) - Firewall Module #2 - Sales (PRIVATE, not encrypted)]

- Client-to-Firewall

[Figure: a client with an encryption package installed connects across the Internet to a firewall or gateway with an encryption module]

Connectivity Fundamentals
- VPN connectivity models rely on creating a secure virtual tunnel between the access points and the enterprise networks.
- Tunneling is a protocol that encapsulates various communication protocols in an IP envelope in order to fulfill secure communications requirements.
- Most of the currently implemented tunneling protocols are in Layer 2 (Data Link), Layer 3 (Network) and Layer 5 (Session) of the OSI model.
Point-2-Point Tunneling Protocol
- PPTP is a tunneling protocol that encapsulates network protocol datagrams within an IP tunnel. This means that any network equipment that handles IP will be able to route this protocol.
- Revolves around Remote Access Services (RAS) for Windows (i.e. the network must support a RAS PPTP-enabled server and network equipment that supports PPTP).

[Figure: Dial-up/Remote Access client - ISP - INTERNET (ENCRYPTED) - RAS/PPTP-enabled resource]

IP Security Protocol (IPSec)
- An IETF-sponsored protocol that addresses the lack of security in the existing IP infrastructure.
- All devices must share a common key
- Works with the existing IP infrastructure via encapsulation.
- It secures a packet of data by packaging it inside another packet that is then sent over the Internet.

[Figure: LAN-2-LAN across the INTERNET, with the traffic between the two LANs ENCRYPTED]
IPSec Modes
- Transport Mode - protects only the payload portion of the sent IP packet (i.e. not the header)
- Tunnel Mode - protects the entire header and payload of the packet
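An added example, not from the slides, that models the two modes: in transport mode the original header is kept and only the payload is protected, so the header can be altered in transit without detection; in tunnel mode the whole original packet is carried inside a new gateway-to-gateway packet and protected as a unit, and an on-path observer sees only the gateway addresses. Packets are plain dicts and an HMAC tag stands in for ESP's authentication; encryption, SPIs and key negotiation are omitted. The key and all addresses are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Added example, not from the slides: a simplified model of IPSec transport
# and tunnel modes. An HMAC tag stands in for ESP's integrity protection;
# the key, addresses and sample packet are constructed values.

KEY = b"constructed-shared-key"   # the common key the slides say all devices share
ESP = 50                          # IP protocol number for ESP


def tag(data: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def serialize(pkt: Dict) -> bytes:
    """Flatten header + payload so a whole packet can become another packet's payload."""
    return f"{pkt['src']}|{pkt['dst']}|{pkt['ttl']}|{pkt['proto']}|".encode() + pkt["payload"]


def deserialize(data: bytes) -> Dict:
    src, dst, ttl, proto, payload = data.split(b"|", 4)
    return {"src": src.decode(), "dst": dst.decode(), "ttl": int(ttl),
            "proto": int(proto), "payload": payload}


def transport_mode(pkt: Dict) -> Dict:
    """Transport mode: the original header stays in place; only the payload is protected."""
    return dict(pkt, proto=ESP, tag=tag(pkt["payload"]))


def tunnel_mode(pkt: Dict, gw_src: str, gw_dst: str) -> Dict:
    """Tunnel mode: the entire original packet (header and payload) becomes the
    protected payload of a new packet addressed between the two gateways."""
    inner = serialize(pkt)
    return {"src": gw_src, "dst": gw_dst, "ttl": 64, "proto": ESP,
            "payload": inner, "tag": tag(inner)}


def verify(pkt: Dict) -> bool:
    """Receiver's integrity check over whatever the chosen mode protected."""
    return hmac.compare_digest(tag(pkt["payload"]), pkt["tag"])


def unwrap_tunnel(pkt: Dict) -> Optional[Dict]:
    """Far-end gateway: verify, then recover the original packet."""
    return deserialize(pkt["payload"]) if verify(pkt) else None


def on_path_view(pkt: Dict) -> Tuple[str, str]:
    """What a router or eavesdropper between the gateways sees in the header."""
    return pkt["src"], pkt["dst"]


if __name__ == "__main__":
    original = {"src": "10.0.0.5", "dst": "10.1.0.9", "ttl": 64, "proto": 6,
                "payload": b"GET / HTTP/1.0"}                         # constructed
    t = transport_mode(original)
    print(on_path_view(t), verify(dict(t, dst="10.1.0.99")))        # end hosts visible; header change undetected
    u = tunnel_mode(original, "203.0.113.1", "198.51.100.1")
    print(on_path_view(u), unwrap_tunnel(u) == original)            # only gateways visible; inner packet intact
```

The transport-mode result is the slide's "not the header" in action: a changed destination still verifies, whereas in tunnel mode the inner header is part of the protected payload and any change to it fails the check.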
VPN Assessment
- Security considerations
- Scalability considerations
- Support & management considerations
- Cost considerations

Security Considerations
- Several machines are NOT under the control of the corporation (e.g. Internet routers, the ISP access box and the client workstation).
- Security gateways (firewalls, routers) that are on the boundary between the internal segment and the external segment.
- Internal segments that contain fixed hosts and other routers.
- An external segment (the Internet) that carries all types of traffic.

Scalability Considerations
- With the explosion of the Internet, there is increased demand for a VPN infrastructure that can grow rapidly.
- The VPN selected must be able to quickly, and in a cost-effective manner, support large-scale proliferation of users.
- Solutions must be scalable from the perspective of performance, availability, manageability and security.

Support & Management Considerations
- A VPN solution must be:
  - easy to use for end users
  - centrally operated
  - transparent to the user (minimal level of sophistication, plug and play, support for popular platforms, etc.)
  - able to take minimum time and effort to modify business applications to support the solution
  - able to support Information Security & Audit requirements
  - interoperable with marketplace authentication and encryption solutions

Cost Considerations
- The objective of a VPN implementation is to increase connectivity and performance while reducing cost
- Infrastructure cost
  - Network / support / administration support
  - Interoperability (routers & firewalls)
  - Internet Service Providers (ISP)
  - Security
  - Scalability
- Business application cost
  - Desktop client support (installation, help desk, security, ...)
  - Application support
  - Retrofitting to legacy systems