Chapter 4 Network Security

This document discusses network security and outlines several key topics: 1. It provides an outline of network security services, types of attacks, protocols and vulnerabilities, attacks on TCP/IP networks, network layer security, IPSec, and transport layer attacks and security solutions. 2. It explains the layers of the OSI model and how security protocols can provide encryption and authentication services across different layers. 3. Key network security protocols discussed include IPSec for network layer security and SSL/TLS for transport layer security.

Uploaded by Nurlign Yitbarek

CHAPTER FIVE

Network Security

1
Outline

• Network Security services
• Types of attacks
• Network Security/Protocols and vulnerabilities
• Attacks on TCP/IP Networks
• Network Layer security
• IP security (IPSec)
• Transport layer attacks and security solutions

2
Security - The Big Picture

[Figure: enterprise network diagram. Remote users reach the organization over the PSTN or an Internet VPN through a remote connection server (authentication; teammate/telecommuter via VPN?). Local users and a web server sit behind a firewall at a commercial ISP; the web server's extranet uses SSL encryption and PKI authentication (non-repudiation of transactions) for e-commerce customers. The intranet has PKI, anti-virus software, a firewall with URL filtering, a mail server with e-mail scanning and anti-virus, and a network manager running a network management system, vulnerability scans, intrusion detection and risk assessment.]

Network security requires an enterprise-wide perspective and
“defense-in-depth” with layers of protection that work together.
3
Network Security
• Introduction
• In today’s highly networked world, we can’t talk of computer
security without talking of network security.
• Focus is on:
 Internet/Intranet security (TCP/IP based networks)
 Attacks that use security holes of the network protocols and
 their defense mechanisms
• Applications, systems, and networks can be made secure through
the use of security protocols,
– which provide a wide range of encryption and authentication services.
• Each security protocol is placed at one of several layers of the computing
infrastructure,
– that is, the network, transport, or application layer.

4
OSI Model
Application: Allows access to network resources
Presentation: Translates, encrypts and compresses data
Session: Establishes, manages and terminates sessions
Transport: Provides end-to-end message delivery & error recovery
Network: Moves packets from source to destination; Provides internetworking
Data Link: Organizes bits into frames; Provides node-to-node delivery
Physical: Transmits bits; Provides mechanical and electrical specifications
5
OSI Model…

[Figure: client, two intermediate nodes, and server. The Application (7th), Presentation (6th), Session (5th) and Transport (4th) layers run end-to-end protocols between client and server only; the Network (3rd), Data Link (2nd) and Physical (1st) layers are present on every node, including the intermediate nodes.]

6
TCP/IP and OSI Model cont’d

[Figure: OSI layers mapped to the TCP/IP stack and its data units.]
Application, Presentation, Session: Applications (unit: message)
Transport: TCP, UDP (unit: segment)
Network: IP (unit: datagram)
Data Link: Protocols defined by the underlying networks (unit: frame)
Physical: bits

7
TCP/IP and Addressing

[Figure: each TCP/IP layer and the address it uses.]
Application layer: processes
Transport layer: TCP, UDP; port address
Network layer: IP and other protocols; IP address
Data link layer and physical layer: underlying physical networks; physical (MAC) address

8
Network Security
TCP/IP Layering

[Figure: protocols at each layer of the TCP/IP stack.]
application: HTTP, FTP, DNS, SMTP, SNMP, …
transport: TCP, UDP
network: ICMP, IP, IGMP
link: hardware interface, ARP, RARP

9

(Figure: Levente Buttyán)

10
11
Network Security/Protocols and vulnerabilities

• Use of IP Security (IPSec)
- Transparent to applications
- Provides a general-purpose solution
- Provides filtering capability
• Security just above TCP
- SSL: Secure Socket Layer
- TLS: Transport Layer Security
- SSL/TLS could be provided as part of the underlying protocol suite
=> Transparent to applications
- Alternatively, can be embedded into applications
• Example: Netscape and Microsoft Explorer browsers are
equipped with SSL
• Application specific security services
 Embedded within specific application
 Best examples are SET (Secure Electronic Transaction) on top of
HTTP and MIME on SMTP.
12
Network Security/Protocols and vulnerabilities

Attacks on TCP/IP Networks

• TCP/IP was designed to be used by a trusted group of users
• The protocols are not designed to withstand attacks
• The Internet is now used by all sorts of people
• Attackers exploit vulnerabilities of every protocol to achieve
their goals
• The next slides show some attacks at each layer of the TCP/IP
stack

13
Network Security/ Types of Attacks

• Spoofing attack: a situation in which one person or program
successfully imitates another by falsifying data and thereby
gains an illegitimate advantage.
 IP spoofing
 Putting a wrong IP address in the source IP address of an IP packet
 DNS spoofing
 Changing the DNS information so that it directs to a wrong machine
 URL spoofing/Webpage phishing
 A legitimate web page such as a bank's site is reproduced in "look
and feel" on another server under control of the attacker

14
Network Security/ Types of Attacks

URL spoofing/Webpage phishing


• This technique often directs users to enter detailed information
at a fake website which appears almost identical to the
legitimate one.
• Popular methods of phishing are:
– sending legitimate-looking email containing a link to the fake website.
– registering a fake website with a misspelled URL of a popular website
– (www.microsoft.com vs. www.microshoft.com) or
– a different domain (www.whitehouse.gov vs. www.whitehouse.com)

15
Smurf : Denial of Service

[Figure: the perpetrator sends an ICMP echo request with the spoofed source address of the victim to an IP broadcast address across the Internet; every host on that network sends its ICMP echo reply to the victim.]
16
Network Security/Protocols and vulnerabilities
Network Layer: IPv4 Header

17
Network Security/Protocols and vulnerabilities
• Network Layer: IPv6 Header …

18
Network Layer: IP security (IPSec)
KEY POINTS
• IP security (IPSec) is a capability that can be added to Internet
Protocol (IPv4 or IPv6), by means of additional headers.
• IPSec encompasses three functional areas: authentication,
confidentiality, and key management.
• Authentication makes use of hash algorithms (SHA, MD-5, MAC)
• Authentication can be applied to:
– the entire original IP packet ( tunnel mode) or
– to all of the packet except for the IP header (transport mode).
• Confidentiality is provided by an encryption format known as
encapsulating security payload.
• Both tunnel and transport modes can be accommodated.
• IPSec defines a number of techniques for key management.
19
Network Layer: IP security (IPSec)
• The Internet community has developed application-specific security
mechanisms in a number of application areas, including:
– Electronic mail (S/MIME, PGP),
– client/server (Kerberos),
– Web access (Secure Sockets Layer), and others.
• However, users have some security concerns that cut across protocol
layers.
• For example, an enterprise can run a secure, private TCP/IP network by:
– disallowing links to untrusted sites,
– encrypting packets that leave the organization, and
– authenticating packets that enter the organization.

• By implementing security at the IP level, an organization can ensure
secure networking.

20
Network Layer: IP security (IPSec)
• IP-level security encompasses three functional areas:
authentication, confidentiality, and key management.

• The authentication mechanism assures that a received packet was
transmitted by the party identified as the source in the packet
header.
– In addition, this mechanism assures that the packet has not been altered
in transit.
• The confidentiality facility enables communicating nodes to encrypt
messages to prevent eavesdropping by third parties.
• The key management facility is concerned with the secure
exchange of keys.

21
Network Layer: IP security (IPSec)

22
Network Layer: IP security (IPSec)
• IPSec is a protocol suite for securing IP communications
by authenticating and encrypting each IP packet of a
communication session.
• Applications of IPSec
– Secure branch office connectivity over the Internet
– Secure remote access over the Internet
– Establishing intranet connectivity with partners
– Enhancing electronic commerce security
• The principal feature of IPSec that enables it to support these
varied applications is that it can encrypt and/or authenticate all
traffic at the IP level.
• Thus, all distributed applications, including remote logon,
client/server, e-mail, file transfer, Web access, and so on, can
be secured.
23
Network Layer: IP security (IPSec)
Benefits of IPSec
• When IPSec is implemented in a firewall or router, it
provides strong security that can be applied to all traffic
crossing the border.
• Traffic within a company or workgroup does not incur the
overhead of security-related processing.

• IPSec is below the transport layer (TCP, UDP) and so is
transparent to applications.
– There is no need to change software on a user or server
system when IPSec is implemented in the firewall or router.
– Even if IPSec is implemented in end systems, upper-layer
software, including applications, is not affected.
24
Network Layer: IP security (IPSec)
Benefits of IPSec...
• IPSec can be transparent to end users
– There is no need to train users on security mechanisms,
– No need to issue keying material on a per-user basis, or
– No need to revoke keying material when users leave the
organization.

25
Network Layer: IP security (IPSec)
Benefits of IPSec (Routing application)
• A router advertisement (a new router advertises its presence)
comes from an authorized router
• A neighbor advertisement comes from an authorized router.
• A redirect message comes from the router to which the initial
packet was sent.
• A routing update is not forged.
• Without such security measures, an opponent can disrupt
communications or divert some traffic.
• Routing protocols such as BGP/OSPF should be run on top of
security associations between routers that are defined by
IPSec.
26
Network Layer: IP security (IPSec) scenario

27
IPSec Documents
• RFC 2401: An overview of a security architecture
• RFC 2402: Description of a packet authentication
extension to IPv4 and IPv6
• RFC 2406: Description of a packet encryption extension
to IPv4 and IPv6
• RFC 2408: Specification of key management
capabilities

28
IPSec - Security Associations (SA)
• SA is a one-way relationship between a sender and a
receiver that provides security services (authentication and
confidentiality)
• SA is uniquely identified by:
 Security Parameters Index (SPI) in the enclosed extension
header of AH or ESP
 AH : Authentication Header (Authentication)
 ESP: Encapsulating Security Payload (both authentication and
confidentiality)
 IP Destination address: in the IPv4/IPv6 header (end
user/router/firewall)
 Security Protocol Identifier: This indicates whether the
association is an AH or ESP security association.

29
Network Layer: IP security (IPSec) Services
• Connectionless integrity
- Ensuring the data has not been read/modified en route.
• Data origin authentication
- Identifying who sent the data
• Rejection of replayed packets
- Detecting packets received more than once to help protect
against DoS.
• Confidentiality (encryption)
- Encryption of user data for privacy
• Access control
- Gives access privileges to end users (done by Admin)
30
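The two slides above describe how an SA is selected by the (SPI, destination address, security protocol) triple and how IPSec rejects replayed packets. The following is an added example, not code from the slides or from any IPsec implementation: a minimal inbound SA database and the anti-replay sliding window of RFC 2401 Appendix C (window size 64, the RFC's minimum). The SPI values, addresses and the arrival order of sequence numbers are constructed.

```python
# Added example (not from the slides): an IPsec-style Security Association
# Database keyed on (SPI, destination address, security protocol), with the
# anti-replay sliding window behind the "rejection of replayed packets"
# service. Window size follows the RFC 2401 minimum of 64; all packet values
# below are constructed.
from dataclasses import dataclass

AH, ESP = "AH", "ESP"  # security protocol identifiers


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: str              # AH or ESP
    window_size: int = 64   # W, the RFC 2401 minimum anti-replay window
    highest_seq: int = 0    # N, the right (newest) edge of the window
    bitmap: int = 0         # bit i set => sequence number N - i was accepted

    def check_replay(self, seq: int) -> bool:
        """Record seq and return True if it is new; False if it is a replay or
        has fallen off the left of the window (RFC 2401 Appendix C)."""
        if seq == 0:                          # the first packet on an SA is 1 (RFC 2402)
            return False
        if seq > self.highest_seq:            # right of the window: slide it forward
            shift = seq - self.highest_seq
            mask = (1 << self.window_size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= self.window_size:        # left of the window: too old, reject
            return False
        if self.bitmap & (1 << offset):       # inside the window and already seen
            return False
        self.bitmap |= 1 << offset            # inside the window and new: accept
        return True


class SADatabase:
    """Inbound SAD: the triple (SPI, dst, proto) selects exactly one SA."""

    def __init__(self):
        self._sad = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._sad[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: str):
        return self._sad.get((spi, dst, proto))


def process_inbound(sad: SADatabase, spi: int, dst: str, proto: str, seq: int) -> str:
    """Return 'accept', 'no-sa' or 'replay' for a received AH/ESP packet."""
    sa = sad.lookup(spi, dst, proto)
    if sa is None:
        return "no-sa"          # RFC 2401: drop and audit, never process
    return "accept" if sa.check_replay(seq) else "replay"


def demo() -> dict:
    sad = SADatabase()
    # Same SPI and destination, different protocol => two distinct SAs.
    sad.add(SecurityAssociation(spi=0x1001, dst="10.0.0.2", proto=ESP))
    sad.add(SecurityAssociation(spi=0x1001, dst="10.0.0.2", proto=AH))
    # Constructed ESP sequence numbers in arrival order (reordered, repeated, stale).
    arrivals = [1, 2, 3, 3, 10, 2, 100, 36, 37]
    esp_results = [process_inbound(sad, 0x1001, "10.0.0.2", ESP, s) for s in arrivals]
    return {
        "esp": esp_results,
        "ah_independent": process_inbound(sad, 0x1001, "10.0.0.2", AH, 3),
        "unknown": process_inbound(sad, 0x1001, "10.0.0.3", ESP, 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Sequence number 36 is rejected not because it was seen but because, once 100 has arrived, it lies 64 positions behind the top of the window; 37 still fits and is accepted. The AH SA keeps its own window, so the repeated 3 on the ESP SA does not affect it.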
IPSec - Security Associations (SA)
Both AH and ESP support two modes of use:

• Transport Mode:
– The protocol protects the message passed down to IP from the transport
layer.
– The message is processed by AH/ESP and appropriate headers are added in
front of the transport header.
– The IP header is then added in front of that by IP.

• Tunnel Mode:
– IPsec is used to protect a complete encapsulated IP datagram after the IP
header has already been applied to it.
– The IPsec header appears in front of the original IP header and then a new
IP header is added in front of the IPsec header.

31
IPSec - Security Associations (SA)

Transport mode SA vs. Tunnel mode SA

AH
- Transport mode SA: Authenticates IP payload and selected portions of IP header and IPv6 extension headers.
- Tunnel mode SA: Authenticates entire inner IP packet (inner header plus IP payload) plus selected portions of outer IP header and outer IPv6 extension headers.

ESP
- Transport mode SA: Encrypts IP payload and any IPv6 extension headers following the ESP header.
- Tunnel mode SA: Encrypts entire inner IP packet.

ESP with Authentication
- Transport mode SA: Encrypts IP payload and any IPv6 extension headers following the ESP header. Authenticates IP payload but not IP header.
- Tunnel mode SA: Encrypts entire inner IP packet. Authenticates inner IP packet.

32
Transport and Tunnel Modes for AH
• Fig. shows two ways in which the IPSec authentication service can be used for AH:
– In one case, authentication is provided directly between a server and client workstations. It uses
transport mode.
– In the other case, a remote workstation authenticates itself to the corporate firewall, for access to
the entire internal network, Tunnel mode.

33
Network Layer: IPSec AH Authentication

(a) Before AH

34
Network Layer: IPSec AH Authentication…
• For transport mode AH using IPv4, the AH is inserted after the original IP
header and before the IP payload (e.g., a TCP segment).
• Authentication covers the entire packet, excluding mutable fields in the IPv4
header.

(b) Transport mode

In the context of IPv6, AH is viewed as an end-to-end payload;
that is, it is not examined or processed by intermediate routers.
Therefore, the AH appears after the IPv6 base header and the hop-by-hop,
routing, and fragment extension headers.

35
Network Layer: IPSec AH Authentication…
• For tunnel mode AH, the entire original IP packet is authenticated, and the AH is
inserted between the original IP header and a new outer IP header.
• The inner IP header carries the ultimate source and destination addresses, while
an outer IP header may contain different IP addresses (e.g., addresses of firewalls
or other security gateways).

(c) Tunnel mode

• With tunnel mode, the entire inner IP packet is protected by AH.
• The outer IP header, including the outer IP extension headers, is protected
except for mutable and unpredictable fields.

36
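The transport-mode and tunnel-mode AH slides above say that authentication covers the entire packet except the mutable fields of the outer IP header. The following added example (not code from the slides or from any IPsec stack) builds both layouts over a minimal IPv4 header and shows the consequence: a router decrementing the outer TTL does not break the ICV, but changing the payload, the inner header in tunnel mode, or using the wrong key does. The ICV is HMAC-SHA256 truncated to 96 bits as a stand-in for the HMAC-MD5-96/HMAC-SHA1-96 transforms of RFC 2402; the key, addresses and payload are constructed.

```python
# Added example (not the slides' own code): AH in transport and tunnel mode
# over a minimal IPv4 header, showing what "authentication covers the entire
# packet, excluding mutable fields" means in practice. The ICV is HMAC-SHA256
# truncated to 96 bits, standing in for the HMAC-MD5-96 / HMAC-SHA1-96 of
# RFC 2402; the key, addresses and payload are constructed values.
import hashlib
import hmac
import struct

AH_PROTO = 51      # IP protocol number of AH
IPIP_PROTO = 4     # next header value for an encapsulated IPv4 packet (tunnel mode)
TCP_PROTO = 6
ICV_LEN = 12       # 96-bit truncated ICV
AH_FIXED_LEN = 12  # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """RFC 2402: TOS, flags, fragment offset, TTL and header checksum may change
    in transit, so they are zeroed before the ICV is computed or verified."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS
    h[6:8] = b"\x00\x00"      # flags + fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    return bytes(h)


def ah_fixed(next_header: int, spi: int, seq: int) -> bytes:
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2   # AH length in 32-bit words minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)


def compute_icv(key: bytes, ip_hdr: bytes, ah_hdr: bytes, rest: bytes) -> bytes:
    """ICV over: IP header (mutable fields zeroed) + AH with its ICV field zeroed + all that follows."""
    data = zero_mutable_fields(ip_hdr) + ah_hdr + bytes(ICV_LEN) + rest
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_transport(key: bytes, src: bytes, dst: bytes, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """IP | AH | TCP: AH sits between the original IP header and the transport payload."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    ah = ah_fixed(TCP_PROTO, spi, seq)
    return ip + ah + compute_icv(key, ip, ah, payload) + payload


def ah_tunnel(key: bytes, gw_src: bytes, gw_dst: bytes, inner_packet: bytes, spi: int = 0x200, seq: int = 1) -> bytes:
    """outer IP | AH | inner IP | TCP: the whole inner packet is immutable payload."""
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, 20 + AH_FIXED_LEN + ICV_LEN + len(inner_packet))
    ah = ah_fixed(IPIP_PROTO, spi, seq)
    return outer + ah + compute_icv(key, outer, ah, inner_packet) + inner_packet


def verify_ah(key: bytes, packet: bytes) -> bool:
    ip, ah = packet[:20], packet[20:20 + AH_FIXED_LEN]
    icv, rest = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, ip, ah, rest))


def decrement_ttl(packet: bytes) -> bytes:
    """What every router on the path does to the outer header."""
    h = bytearray(packet)
    h[8] -= 1
    return bytes(h)


def demo() -> dict:
    key = b"constructed-ah-key"
    host_a, host_b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    gw_1, gw_2 = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])   # documentation prefixes
    payload = b"constructed TCP segment"
    transport = ah_transport(key, host_a, host_b, payload)
    inner = ipv4_header(host_a, host_b, TCP_PROTO, 20 + len(payload)) + payload
    tunnel = ah_tunnel(key, gw_1, gw_2, inner)
    tampered = transport[:-4] + b"XXXX"            # last payload bytes changed in transit
    inner_ttl_changed = tunnel[:44] + decrement_ttl(tunnel[44:])   # inner header is payload here
    return {
        "transport_ok": verify_ah(key, transport),
        "transport_after_hop": verify_ah(key, decrement_ttl(transport)),   # mutable TTL: still valid
        "tunnel_ok": verify_ah(key, tunnel),
        "tunnel_after_hop": verify_ah(key, decrement_ttl(tunnel)),
        "tunnel_inner_ttl_changed": verify_ah(key, inner_ttl_changed),
        "tampered_payload": verify_ah(key, tampered),
        "wrong_key": verify_ah(b"other-key", transport),
    }
```

The same `zero_mutable_fields` step is applied on both sides; an implementation that forgot it would reject every packet after the first hop, while one that zeroed too much (the addresses, say) would let a spoofed source through.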
IPSec ESP Encryption and Authentication
In transport mode using IPv4, the ESP header is inserted into the IP packet
immediately prior to the transport-layer header (e.g., TCP, UDP, ICMP).

If authentication is selected, the ESP Authentication Data field is added after the
ESP trailer.

Transport mode

In the context of IPv6, ESP is viewed as an end-to-end payload; that is, it is not
examined or processed by intermediate routers.
Therefore, the ESP header appears after the IPv6 base header and the hop-by-
hop, routing, and fragment extension headers.

37
IPSec ESP Encryption and Authentication
• Tunnel mode ESP is used to encrypt an entire IP packet.
• The ESP header is prefixed to the packet and then the packet plus the ESP trailer is
encrypted. This method can be used to counter traffic analysis.

38
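The ESP slides above describe the framing: ESP header, encrypted payload plus ESP trailer, and (optionally) an Authentication Data field after the trailer. The following added example (not code from the slides or from any IPsec implementation) builds and parses that framing in transport mode with authentication, including the padding rule and the encrypt-then-authenticate order in which the ICV is checked before anything is decrypted. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for the block-cipher transforms real ESP uses; keys, SPI and payload are constructed.

```python
# Added example (not from the slides): ESP transport mode with the
# authentication option, showing the framing described above: ESP header,
# then the encrypted payload plus ESP trailer (padding, pad length, next
# header), then the Authentication Data field computed over the ESP header
# and ciphertext only (the IP header is not authenticated). The cipher is a
# constructed HMAC-SHA256 counter-mode keystream standing in for the block
# cipher transforms real ESP uses; keys and payload are constructed values.
import hashlib
import hmac
import struct

ICV_LEN = 12        # 96-bit Authentication Data field
BLOCK = 16          # cipher block size the trailer must pad to (AES-sized)
ESP_HDR_LEN = 8     # SPI + sequence number


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Constructed stream cipher; (SPI, seq) plays the role of a never-reused IV."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_pad_len(payload_len: int) -> int:
    """Pad so payload + padding + pad-length byte + next-header byte fills whole blocks
    (RFC 2406 also requires those two trailer bytes to end on a 4-byte boundary)."""
    return (-(payload_len + 2)) % BLOCK


def esp_encapsulate(enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    payload: bytes, next_header: int = 6) -> bytes:
    pad_len = esp_pad_len(len(payload))
    padding = bytes(range(1, pad_len + 1))            # RFC 2406 default padding 1, 2, 3, ...
    plaintext = payload + padding + bytes([pad_len, next_header])   # payload + ESP trailer
    header = struct.pack("!II", spi, seq)
    ciphertext = xor(plaintext, keystream(enc_key, spi, seq, len(plaintext)))
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_decapsulate(enc_key: bytes, auth_key: bytes, packet: bytes):
    """Return (next_header, payload), or None if the ICV or padding check fails.
    The ICV is checked before decryption, so forged ciphertext is never decrypted."""
    header, ciphertext, icv = packet[:ESP_HDR_LEN], packet[ESP_HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", header)
    plaintext = xor(ciphertext, keystream(enc_key, spi, seq, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if plaintext[len(plaintext) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return None
    return next_header, plaintext[:len(plaintext) - 2 - pad_len]


def demo() -> dict:
    enc_key, auth_key = b"constructed-esp-enc-key", b"constructed-esp-auth-key"
    payload = b"GET / HTTP/1.0\r\n"                     # 16 bytes of constructed TCP data
    packet = esp_encapsulate(enc_key, auth_key, 0x2001, 7, payload)
    flipped = bytearray(packet)
    flipped[ESP_HDR_LEN] ^= 0x01                         # flip one ciphertext bit
    return {
        "packet_len": len(packet),                       # 8 header + 32 ciphertext + 12 ICV
        "pad_len": esp_pad_len(len(payload)),
        "roundtrip": esp_decapsulate(enc_key, auth_key, packet),
        "flipped_bit": esp_decapsulate(enc_key, auth_key, bytes(flipped)),
        "wrong_auth_key": esp_decapsulate(enc_key, b"other", packet),
    }
```

Note what the ICV does not cover: the IP header in front of the ESP header, which is why the table above lists ESP with authentication as authenticating the payload but not the IP header.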
Ipsec Implementation
• The IPSec Architecture document lists four examples of
combinations of SAs that must be supported by:
– IPSec hosts (e.g., workstation, server) or
– security gateways (e.g. firewall, router)
• End host implementation: put IPsec into all host devices to
provide the host flexibility and security.
• Router implementation: the change is made to a few routers
instead of hundreds of clients.
• But this leaves connections outside the routers unsecured.

39
Network Layer SA: End system implementation (host side)

• All security is provided between end systems that implement IPSec.
• For any two end systems to communicate via SA, they must share the
appropriate secret keys. Among the possible combinations:
a. AH in transport mode
b. ESP in transport mode
c. ESP followed by AH in transport mode (an ESP SA inside an AH SA)
d. Any one of a, b, or c inside an AH or ESP in tunnel mode

40
Network Layer SA: Router implementation

• Security is provided only between gateways (routers, firewalls, etc.) and no
hosts implement IPSec.
• This case illustrates simple virtual private network support.
• The security architecture document specifies that only a single tunnel SA is
needed for this case.
• The tunnel could support AH, ESP, or ESP with the authentication option.
• Nested tunnels are not required because the IPSec services apply to the entire
inner packet.

41
[Figure legend: * Implements IPSec]
Network Layer: Combination of Security Associations

• Case 3 builds on Case 2 by adding end-to-end security. The same combinations
discussed for cases 1 and 2 are allowed here.
• The gateway-to-gateway tunnel provides either authentication or confidentiality
or both for all traffic between end systems.
• Individual hosts can implement any additional IPSec services required for given
applications or given users by means of end-to-end SAs.

42
[Figure legend: * Implements IPSec]
Network Layer: Combination of Security Associations

• Case 4 provides:
– support for a remote host that uses the Internet to reach an organization's
firewall and
– then to gain access to some server/workstation behind the firewall.
• Only tunnel mode is required between the remote host and the firewall.
• As in Case 1, one or two SAs may be used between the remote host and the
local host.

43
[Figure legend: * Implements IPSec]
• Three different architectures are defined to describe the
methods for how to get IPsec into the TCP/IP protocol
stack:
• Integrated architecture - this is simply integrating IPsec’s
protocols and capabilities directly into the TCP/IP protocol
stack.
• Bump in the stack (BITS) - IPsec is made a separate
architecture layer between IP and the data link layer.
• Bump in the wire (BITW) - a hardware device that provides the IPsec
service is added.

44
IPsec Architecture
IPSec Bump in the stack

45
IPsec Architecture
IPSec Bump in the wire

46
IPSec Encryption and Authentication
Summary
• IPSec provides authentication, confidentiality, and key
management at the level of IP packets.
• IP-level authentication is provided by inserting an
Authentication Header (AH) into the packets.
• IP-level confidentiality is provided by inserting an
Encapsulating Security Payload (ESP) header into the
packets.
- An ESP header can also do the job of the AH header by
providing authentication in addition to confidentiality.

47
IPSec Encryption and Authentication
Summary…

• Before ESP is used, it is necessary for the two ends of a
communication link to exchange the secret key that will be used for
encryption.
• Similarly, AH needs an authentication key.
• Keys are exchanged with a protocol named the Internet Key
Exchange (IKE).
• IPSec is a specification for the IP-level security features that are built
into the IPv6 internet protocol.
- These security features can also be used with the IPv4 internet protocol.
• IPSec is transparent to applications (functions below the transport layer)

48
TCP Connection Management

Recall: TCP sender and receiver establish a “connection” before
exchanging data segments
• initialize TCP variables:
– seq. #s
– buffers, flow control info (e.g. RcvWindow)
• client: connection initiator
Socket clientSocket = new Socket("hostname","port number");
• server: contacted by client
ServerSocket servSock=new ServerSocket("port no");
Socket link= servSock.accept();

Three way handshake:
Step 1: client host sends TCP SYN segment to server
• specifies initial seq #
• no data
Step 2: server host receives SYN, replies with SYNACK segment
– server allocates buffers
– specifies server initial seq. #
Step 3: client receives SYNACK, replies with ACK segment, which
may contain data

49
TCP three-way handshake: connection establishment

[Figure: message exchange between client and server.]
client: send SYN, seq=x                  ---- SYN ---->
                                          server: receive SYN, seq=x
                                          server: send SYN seq=y, ACK ack=x+1
                                          <-- SYN+ACK ---
client: receive SYN+ACK, seq=y
client: send ACK, ack=y+1                ---- ACK ---->

50
TCP Connection Management (cont.)

Closing a connection:
client closes socket: clientSocket.close();
Step 1: client sends TCP FIN control segment to server
Step 2: server receives FIN, replies with ACK. Closes connection,
sends FIN.

[Figure: client (close) sends FIN; server replies ACK, then (close) sends FIN; client replies ACK, enters timed wait, then closed.]

51
TCP Connection Management (cont.)

Step 3: client receives FIN, replies with ACK.
• Enters “timed wait” - will respond with ACK to received FINs
Step 4: server receives ACK. Connection closed.

[Figure: client (closing) sends FIN; server replies ACK, then (closing) sends FIN; client replies ACK; timed wait on the client, then closed on both sides.]

52
Network Security/Protocols and vulnerabilities
Transport Layer attacks

• TCP SYN Flood attack: TCP operates using synchronized
connections, initiated with a 3-way handshake.
• The TCP SYN flood attack exploits the vulnerability at this stage of
the TCP connection.
– The attacker sends TCP SYN packets by impersonating the IP
address of an inactive host.
– The target machine responds with a SYN acknowledgment and waits for the
inactive host to respond.
– However, instead of opening a session, the attacker continuously
sends SYN requests; the victim’s buffer is flooded and it
cannot respond to other requests.

53
Network Security/Protocols and vulnerabilities
Transport Layer : TCP SYN attack
3 way handshake

[Figure: normal handshake between client and server.]
client -> server: SYN = ISNC
server -> client: SYN = ISNS, ACK(ISNC)      (ISN – Initial Sequence Number)
client -> server: ACK(ISNS)
data transfer

[Figure: handshake with a spoofed source address.]
attacker -> server: SYN = ISNX, SRC_IP = T       (T: trusted host)
server -> T: SYN = ISNS, ACK(ISNX)
attacker -> server: ACK(ISNS), SRC_IP = T
attacker -> server: SRC_IP = T, nasty_data

54
Network Security/Protocols and vulnerabilities
Transport Layer :
• TCP sequence number attack: Each time a TCP message is
sent, the sender generates a 32-bit sequence number.
• The attacker intercepts and responds with a sequence number
similar to the one used in the original session.
• This means the attacker hijacks the session and gains access;
hence this type of attack is also called TCP session hijacking.
• The attacker can insert malicious data into the TCP stream, and the
recipient will believe it came from the original source.
• Ex. Instead of downloading and running a new program, you download a
virus and execute it.
• There are some programs, e.g. Wireshark, that allow you to view TCP
sequence numbers.

55
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Say hello to Alice, Bob and Mr. Big Ears

56
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Alice and Bob have an established TCP
connection

57
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Mr. Big Ears lies on the path between Alice and
Bob on the network
– He can intercept all of their packets

58
Network Security/Protocols and vulnerabilities
TCP Attacks…
• First, Mr. Big Ears must drop all of Alice’s
packets since they must not be delivered to Bob

[Figure: Alice’s packets go into “The Void” instead of reaching Bob.]

59
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Then, Mr. Big Ears sends his malicious packet
with the next ISN (sniffed from the network)

ISN, SRC=Alice

60
Network Security/Protocols and vulnerabilities
TCP Attacks…
• Why are these types of TCP attacks so dangerous?
• A malicious user can send a virus to the trusting web client,
instead of the program they thought they were downloading.

[Figure: web server, trusting web client, and malicious user.]

61
Network Security/Protocols and vulnerabilities
TCP Attacks…
• How do we prevent this?
• IPSec
– Provides source authentication, so Mr. Big Ears
cannot pretend to be Alice
– Encrypts data before transport, so Mr. Big Ears
cannot talk to Bob without knowing what the session
key is

62
