Introduction To Network Security

The document discusses network security and introduces some key concepts. It states that computer networks are shared resources that require security measures to protect data transmission. It then covers common network security threats and countermeasures, types of network encryption, firewall configurations including demilitarized zones, and different types of firewalls like packet filtering and proxy firewalls.

Uploaded by prajwol neupane

Lecturer: Binod Chandra Shrestha

 Computer networks are typically a shared resource used by many applications representing different interests.
 The Internet is particularly widely shared, being used by competing businesses, mutually antagonistic governments, and opportunistic criminals.
 Unless security measures are taken, a network conversation or a distributed application may be compromised by an adversary.
 Network security is required to protect data during transmission.

Introduction to Network Security 2


 Who is vulnerable?
◦ Financial institutions and banks
◦ Internet service providers
◦ Pharmaceutical companies
◦ Government and defense agencies
◦ Contractors to various government agencies
◦ Multinational corporations
◦ ANYONE ON THE NETWORK



 Common security attacks and their countermeasures
◦ Finding a way into the network
 Firewalls
◦ Exploiting software bugs, buffer overflows
 Intrusion Detection Systems
◦ Denial of Service
 Ingress filtering, IDS
◦ TCP hijacking
 IPSec
◦ Packet sniffing
 Encryption (SSH, SSL, HTTPS)
◦ Social problems
 Education


 Network Encryption (Network Layer or Network Level Encryption)
◦ Network encryption (sometimes called network layer, or network level encryption) is a network security process that applies crypto services at the network transfer layer - above the data link level, but below the application level.
◦ The network transfer layers are layers 3 and 4 of the Open Systems Interconnection (OSI) reference model, the layers responsible for connectivity and routing between two end points.
◦ Using the existing network services and application software, network encryption is invisible to the end user and operates independently of any other encryption processes used. Data is encrypted only while in transit, existing as plaintext on the originating and receiving hosts.


◦ Network encryption is implemented through Internet Protocol Security (IPSec), a set of open Internet Engineering Task Force (IETF) standards that, used in conjunction, create a framework for private communication over IP networks.
◦ IPSec works through the network architecture, which means that end users and applications don't need to be altered in any way.
◦ Encrypted packets appear to be identical to unencrypted packets and are easily routed through any IP network.
◦ Network encryption products and services are offered by a number of companies, including Cisco, Motorola, and Oracle.


Figure: Demilitarized Zone (DMZ). The outer firewall faces the Internet and fronts the DMZ, which holds the DMZ mail server, the DNS server (DMZ), the web server and the log server; the inner firewall separates the DMZ from the intranet, which holds the internal mail server, the DNS server (internal) and the corporate data, customer data and development subnets.


 Network Regions
◦ Internet
◦ Internal Network (Intranet)
◦ DMZ
 Network Boundaries
◦ Firewall
 Filtering firewall: based on packet headers
 ex: preventing BackOrifice
◦ Proxy
 Proxy firewall: gives an external view that hides the intranet
 ex: mail proxy


 Conceal the addresses of the internal network
◦ Internal addresses can be real
◦ Private (“fake”) addresses: 10.b.c.d, 172.[16-31].c.d, 192.168.c.d
 Network Address Translation (NAT) maps internal addresses to the assigned address
 Mail Server
◦ Hide internal addresses
◦ Map incoming mail to “real” server
◦ Additional incoming/outgoing checks


 Outer Firewall
◦ What traffic is allowed
 External source: IP restrictions
 What type of traffic: ports (e.g., SMTP, HTTP)
◦ Proxy between DMZ servers and the Internet
 Internal Firewall
◦ Traffic restrictions: ports, from/to IP
◦ Proxy between intranet and outside


 “DMZ” stands for “demilitarized zone.”
 The DMZ is a portion of a network that separates a purely internal network from an external network.
 When information moves from the Internet to the internal network, confidentiality is not at issue. However, integrity is.
 The guards between the Internet and the DMZ, and between the DMZ and the internal network, must not accept messages that will cause servers to work incorrectly or to crash.
 When information moves from the internal network to the Internet, confidentiality and integrity are both at issue.


 DMZ Mail Server
 Performs address and content checking on all electronic mail messages
 When it receives a letter from the Internet, it performs the following steps:
1. Reassembles the message into a set of headers, a letter, and any attachments.
2. Scans the letter and attachments for any computer virus or malicious logic; then restores the attachments to the form in which they will be transmitted and rescans the message for any violation of the SMTP specification.
3. Scans the recipient address lines; addresses that direct the mail to the drib are rewritten to direct the mail to the internal mail server.


 DMZ Mail Server
 When it receives an outgoing letter from the internal mail server:
 Steps 1 and 2 are the same.
 In step 3 the mail proxy scans the header lines.
 All lines that mention internal hosts are rewritten to identify the host as “drib.org”, the name of the outside firewall.


 DMZ WWW Server
◦ Identifies itself as “www.drib.org” and uses the IP address of the outside firewall
 DMZ DNS Server
◦ It contains entries for
 DMZ mail, Web and log hosts
 Internal trusted administrative host
 Outer firewall
 Inner firewall
 DMZ Log Server


 A firewall is a host that mediates access to a network, allowing and disallowing certain types of access on the basis of a configured security policy.
 A firewall accepts or rejects messages on the basis of external information, such as destination addresses or ports, rather than on the basis of the contents of the message.
 A filtering firewall performs access control on the basis of attributes of the packet headers, such as destination addresses, source addresses, and options.


 Basic problem: many network applications and protocols have security problems that are fixed over time
◦ Difficult for users to keep up with changes and keep hosts secure
◦ Solution
 Administrators limit access to end hosts by using a firewall
 The firewall is kept up to date by administrators


 A firewall is like a castle with a drawbridge
◦ Only one point of access into the network
◦ This can be good or bad
 Can be hardware or software
◦ Ex. Some routers come with firewall functionality
◦ ipfw, ipchains, pf on Unix systems; Windows XP and Mac OS X have built-in firewalls


Figure: the Internet, an outer firewall, the DMZ (web server, email server, web proxy, etc.), an inner firewall, and the intranet.


 A proxy is an intermediate agent or server that acts on behalf of an endpoint without allowing a direct connection between the two endpoints.
 A proxy (or application level) firewall uses proxies to perform access control. A proxy firewall can base access control on the contents of packets and messages, as well as on attributes of the packet headers.
 A proxy firewall adds to a filtering firewall the ability to base access on content, either at the packet level or at a higher level of abstraction.


 Packet Filtering
 Stateful Packet Filtering
 Circuit Level Gateway
 Application level/proxy


 Simplest of components
 Uses transport-layer information only
◦ IP source address, destination address
◦ Protocol/Next Header (TCP, UDP, ICMP, etc.)
◦ TCP or UDP source & destination ports
◦ TCP flags (SYN, ACK, FIN, RST, PSH, etc.)
◦ ICMP message type
 Examples
◦ DNS uses port 53
 No incoming port 53 packets except from known trusted servers


 Filtering with incoming or outgoing interfaces
◦ E.g., ingress filtering of spoofed IP addresses
◦ Egress filtering
 Permits or denies certain services
◦ Requires intimate knowledge of TCP and UDP port utilization on a number of operating systems


 Start with a security policy
 Specify allowable packets in terms of logical expressions on packet fields
 Rewrite expressions in syntax supported by your vendor
 General rules: least privilege
◦ All that is not expressly permitted is prohibited
◦ If you do not need it, eliminate it
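The following is an added example (not from the slides or any vendor's firewall) showing how the packet-filter rules of the preceding slides look as code: rules are logical expressions over the header fields listed earlier, the first match wins, anything not expressly permitted is denied, and a packet arriving on the external interface with one of the private source addresses from the NAT slide is dropped as spoofed (ingress filtering). Interface names, addresses, ports and the policy itself are constructed for illustration.

```python
# Added example: a minimal filtering firewall applying least privilege.
# Interface names, addresses and the policy below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Private address ranges (10/8, 172.16/12, 192.168/16) named on the NAT slide.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet arrives on: "ext" or "int"
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags set, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    iface: Optional[str] = None          # None means "any"
    src: Optional[str] = None            # CIDR
    dst: Optional[str] = None            # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[frozenset] = None    # every listed flag must be set

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.iface)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags <= p.flags))


def filter_packet(rules: list, p: Packet) -> str:
    """First matching rule decides; no match means deny (least privilege)."""
    # Ingress filtering: a packet from the Internet can never legitimately
    # carry an internal (private) source address, so it is spoofed.
    if p.iface == "ext" and any(ip_address(p.src) in n for n in PRIVATE_NETS):
        return "deny"
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed policy: web and mail into the DMZ, DNS only from one trusted
# resolver, replies to connections opened from inside (ACK set, a stateless
# approximation), everything else prohibited. Common traffic is listed first.
POLICY = [
    Rule("permit", iface="ext", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", iface="ext", dst="203.0.113.20/32", proto="tcp", dport=25),
    Rule("permit", iface="ext", src="198.51.100.53/32", dst="203.0.113.30/32",
         proto="udp", dport=53),
    Rule("permit", iface="ext", proto="tcp", flags=frozenset({"ACK"})),
]
```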


 Tiny fragment attacks
◦ Split TCP header info over several tiny packets
◦ Either discard or reassemble before check
 Degradation depends on number of rules applied at any point
 Order rules so that most common traffic is dealt with first
 Correctness is more important than speed


 Traditional packet filters do not examine transport layer context
◦ i.e., matching return packets with outgoing flow
 Stateful packet filters address this need
 They examine each IP packet in context
◦ Keep track of client-server sessions
◦ Check each packet validly belongs to one
 Hence are better able to detect bogus packets out of context
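As an added example (not from the slides), the stateful filter described above in code: sessions are created only by SYNs leaving the intranet, and an inbound packet is admitted only if it maps onto one of those sessions and its TCP flags fit the session's current state, so an unsolicited inbound SYN or a forged ACK with no matching session is rejected as out of context. Addresses, ports and the session-state names are constructed.

```python
# Added example: a stateful TCP packet filter with a client-server session
# table. Direction, addresses and ports in the test traffic are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    direction: str    # "out" (intranet -> Internet) or "in" (Internet -> intranet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN"})


class StatefulFilter:
    """Session table keyed by (client ip, client port, server ip, server port).
    A real filter would also follow the FIN handshake and time out idle
    entries; both are omitted to keep the state machine readable."""

    def __init__(self):
        self.sessions = {}

    def check(self, p: Pkt) -> str:
        if p.direction == "out":
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.sessions[key] = "SYN_SENT"   # intranet client opens a session
                return "permit"
            if key in self.sessions:
                if "RST" in p.flags:
                    del self.sessions[key]        # client aborts the session
                return "permit"
            return "deny"                         # outbound packet with no session
        # Inbound: the server is the sender, so the key is reversed.
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.sessions.get(key)
        if state is None:
            return "deny"     # unsolicited: an inbound SYN, or a forged ACK
        if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
            self.sessions[key] = "ESTABLISHED"    # the server's reply to the SYN
            return "permit"
        if (state == "ESTABLISHED" and "SYN" not in p.flags
                and ("ACK" in p.flags or "RST" in p.flags)):
            if "RST" in p.flags:
                del self.sessions[key]            # server aborts the session
            return "permit"
        return "deny"         # flags do not fit the session state: bogus, out of context
```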


 Firewall runs set of proxy programs
◦ Proxies filter incoming, outgoing packets
◦ All incoming traffic directed to firewall
◦ All outgoing traffic appears to come from firewall
 Policy embedded in proxy programs
 Two kinds of proxies
◦ Application-level gateways/proxies
 Tailored to HTTP, FTP, SMTP, etc.
◦ Circuit-level gateways/proxies
 Working at the TCP level


 Has full access to protocol
◦ user requests service from proxy
◦ proxy validates request as legal
◦ then actions request and returns result to user
 Need separate proxies for each service
◦ E.g., SMTP (E-Mail)
◦ NNTP (Net news)
◦ DNS (Domain Name System)
◦ NTP (Network Time Protocol)
◦ custom services generally not supported


Figure: Telnet, FTP and SMTP daemons listen on the network connection; each daemon spawns a Telnet, FTP or SMTP proxy when communication is detected.


 E.g., Virus scanning for SMTP
◦ Need to understand MIME, encoding, Zip archives



Bastion Host: highly secure host system
 Potentially exposed to "hostile" elements
 Hence is secured to withstand this
◦ Disable all non-required services; keep it simple
 Runs circuit / application level gateways
◦ Install/modify services you want
 Or provides externally accessible services



 Useless against attacks from the inside
◦ Evildoer exists on inside
◦ Malicious code is executed on an internal machine
 Organizations with greater insider threat
◦ Banks and Military
 Cannot protect against transfer of all virus infected programs or files
◦ because of huge range of O/S & file types


Today's Internet is primarily comprised of:
 Public
 Un-trusted
 Unreliable IP networks

Because of this inherent lack of security, the Internet is subject to various types of threats…


 Data integrity: the contents of a packet can be accidentally or deliberately modified.
 Identity spoofing: the origin of an IP packet can be forged.
 Replay attacks: unauthorized data can be retransmitted.
 Loss of privacy: the contents of a packet can be examined in transit.


Figure: OSI Reference Model. Application Layer: application protocols (SNMP, SMTP, HTTP, DNS, NFS, FTP); Presentation Layer; Session Layer; Transport Layer: TCP, UDP; Network Layer: IP; Logical Link Layer: device driver; Physical Layer: network adapter.


Figure sequence: Encapsulation of Data for Network Delivery. The original application-layer message is handed down as Data 3 to the transport layer (TCP, UDP), which prepends Header 3; Header 3 + Data 3 becomes Data 2 at the network layer (IP), which prepends Header 2; Header 2 + Data 2 becomes Data 1 at the data link layer, which prepends Header 1. The resulting packet (Header 1 + Data 1) is sent by Host A, received by an intermediary router (which handles only the data link and network layers) and received by Host B.

Figure sequence: De-capsulation of Data from Network Delivery. Host B reverses the steps: the data link layer strips Header 1 and passes Data 1 up, the network layer (IP) strips Header 2 and passes Data 2 up, and the transport layer (TCP, UDP) strips Header 3 and passes Data 3 up, yielding the original application-layer message.


Application Layer: PGP, Kerberos, SSH, etc.
Transport Layer: Transport Layer Security (TLS)
Network Layer: IP Security
Data Link Layer: Hardware encryption


Application Layer (PGP, Kerberos, SSH, etc.)

 Implemented in end-hosts
 Advantages
- Extend application without involving operating system.
- Application can understand the data and can provide the appropriate security.
 Disadvantages
- Security mechanisms have to be designed independently of each application.


Transport Layer Security (TLS)

 Implemented in end-hosts
 Advantages
- Existing applications get security seamlessly
 Disadvantages
- Protocol specific



IP Security (IPSec)

 Advantages
- Provides seamless security to application and transport layers (ULPs).
- Allows per flow or per connection security and thus allows for very fine-grained security control.
 Disadvantages
- More difficult to exercise on a per user basis on a multi-user machine.


Data Link Layer (Hardware encryption)
 Need a dedicated link between hosts/routers.

 Advantages
- Speed.
 Disadvantages
- Not scalable.
- Need dedicated links.


 IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF).
 Creates secure, authenticated, reliable communications over IP networks.


 Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defenses.
 Data origin authentication: assurance that traffic is sent by the legitimate party or parties.
 Confidentiality (encryption): assurance that the user’s traffic is not examined by non-authorized parties.
 Access control: prevention of unauthorized use of a resource.


 Transport Mode: protect the upper layer protocols
Original datagram: IP Header | TCP Header | Data
Transport mode protected packet: IP Header | IPSec Header | TCP Header | Data (the TCP header and data are protected)
 Tunnel Mode: protect the entire IP payload
Tunnel mode protected packet: New IP Header | IPSec Header | Original IP Header | TCP Header | Data (the original IP header, TCP header and data are protected)
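The two layouts above, built byte by byte as an added example (not from the slides, and not the real AH/ESP wire formats): the IP and TCP headers are constructed fixed-size encodings, the "IPSec header" carries only an SPI, and an HMAC-SHA256 tag over everything after that header stands in for the connectionless integrity service, so the receiver can tell which bytes each mode protects and rejects a packet whose protected part was modified in transit. The key and all addresses are constructed placeholders.

```python
# Added example: transport vs tunnel mode encapsulation with an integrity tag.
# Header encodings, key and addresses are constructed, not real IPSec formats.
import hashlib
import hmac
import struct
from ipaddress import ip_address

KEY = b"constructed-shared-key"     # placeholder for the SA's integrity key
TAG_LEN = 32                        # HMAC-SHA256 output length


def ip_header(src: str, dst: str) -> bytes:
    # 8 bytes: source and destination IPv4 addresses only
    return ip_address(src).packed + ip_address(dst).packed


def tcp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HH", sport, dport)


def ipsec_wrap(spi: int, protected: bytes) -> bytes:
    """IPSec header (4-byte SPI) + protected bytes + integrity tag over them."""
    tag = hmac.new(KEY, protected, hashlib.sha256).digest()
    return struct.pack("!I", spi) + protected + tag


def transport_mode(src, dst, sport, dport, data: bytes, spi: int) -> bytes:
    # The original IP header stays in front; only TCP header + data are protected.
    return ip_header(src, dst) + ipsec_wrap(spi, tcp_header(sport, dport) + data)


def tunnel_mode(src, dst, sport, dport, data: bytes, spi: int,
                gw_src: str, gw_dst: str) -> bytes:
    # A new outer IP header (security gateway to security gateway) goes in
    # front; the entire original datagram, including its IP header, is protected.
    original = ip_header(src, dst) + tcp_header(sport, dport) + data
    return ip_header(gw_src, gw_dst) + ipsec_wrap(spi, original)


def ipsec_unwrap(packet: bytes):
    """Receiver side for either mode: split outer IP header, SPI, protected
    part and tag. Returns (outer destination, spi, protected bytes), or None
    when the tag does not verify, i.e. the protected part was modified."""
    outer = packet[:8]
    spi = struct.unpack("!I", packet[8:12])[0]
    protected, tag = packet[12:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(KEY, protected, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return str(ip_address(outer[4:8])), spi, protected
```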


 Host-to-Network, Network-to-Network

Figure: Host A (application, transport and IP layers) connects to an IPSec security gateway (SG); across the Internet a second IPSec SG connects to Host B; the protected data travels between the IP layers of the two security gateways. SG = Security Gateway.


 Host-to-Host

Figure: Host A and Host B each have application, transport, IPSec/IP and data link layers; the data is protected end to end between the two hosts.


 Authentication Header (AH) provides:
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
 Encapsulating Security Payload (ESP) provides:
- Confidentiality (encryption)
- Connectionless integrity
- Data origin authentication
- Protection against replay attacks
 Both protocols may be used alone or applied in combination with each other.


 The inbound and the outbound IPSec processing are completely independent.

Outbound processing: the packet is matched against the IPSec policies in the SPD, and the SAD supplies the outbound SA (SAout). The outcome is one of:
1. Drop the packet.
2. Bypass IPSec.
3. Apply IPSec.
SPD = Security Policy Database
SAD = Security Association Database
SA = Security Association


Inbound processing, Case 1: IPSec headers exist
1. Headers are processed.
2. The SPD is consulted to determine if the packet can be admitted based on SAin.

Inbound processing, Case 2: IPSec headers are absent
1. The SPD is consulted to determine the type of service to afford this packet.
2. If certain traffic is required to be IPSec protected and it is not, it must be dropped.
SPD = Security Policy Database
SAD = Security Association Database
SA = Security Association
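An added example (not from the slides) of the outbound decision and the two inbound cases just described, with the SPD as an ordered list of selectors mapping to drop / bypass / protect, the SAD as a table of SAs, and each SA carrying the sliding anti-replay window that the "connectionless integrity" slide mentions. Selector networks, SPIs, window size and the selector shape (destination address only) are constructed simplifications.

```python
# Added example: SPD/SAD processing for outbound and inbound packets.
# Selectors, SPIs and the window size are constructed placeholders.
from ipaddress import ip_address, ip_network

DROP, BYPASS, PROTECT = "drop", "bypass", "protect"


class SA:
    """One Security Association with a sliding anti-replay window."""

    def __init__(self, spi: int, window: int = 32):
        self.spi, self.window = spi, window
        self.highest = 0          # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers inside the window

    def check_replay(self, seq: int) -> bool:
        if seq <= self.highest - self.window or seq in self.seen:
            return False          # older than the window, or already accepted
        self.seen.add(seq)
        if seq > self.highest:    # slide the window forward
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        return True


class IPsecHost:
    def __init__(self, spd: list, sad: dict):
        self.spd = spd   # ordered [(dst network, action, spi or None)], first match wins
        self.sad = sad   # spi -> SA

    def lookup(self, dst: str):
        for net, action, spi in self.spd:
            if ip_address(dst) in ip_network(net):
                return action, spi
        return DROP, None         # no policy for this traffic: discard it

    def outbound(self, dst: str) -> str:
        """SPD consulted; SAout must exist in the SAD when protection applies."""
        action, spi = self.lookup(dst)
        if action == PROTECT and spi not in self.sad:
            return DROP           # policy requires IPSec but no SA is established
        return action

    def inbound(self, dst: str, spi=None, seq=None) -> str:
        if spi is not None:       # Case 1: IPSec headers exist
            sa = self.sad.get(spi)
            if sa is None or seq is None or not sa.check_replay(seq):
                return DROP       # unknown SAin, or replayed sequence number
            action, policy_spi = self.lookup(dst)
            # admit only if the SPD says this traffic belongs on this SA
            return "admit" if action == PROTECT and policy_spi == spi else DROP
        action, _ = self.lookup(dst)   # Case 2: IPSec headers absent
        if action == PROTECT:
            return DROP           # required to be protected, but is not
        return "admit" if action == BYPASS else DROP
```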


 VPNs: encrypted / authenticated traffic between security gateways (SG) across the Internet
 Wireless: traffic across the Internet


 Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
 Became popular as more employees worked in remote locations.
 Terminologies to understand how VPNs work.


 Employees can access the network (Intranet) from remote locations.
 Secured networks.
 The Internet is used as the backbone for VPNs.
 Saves cost tremendously from reduction of equipment and maintenance costs.
 Scalability


Figure (from Gartner Consulting).
 Two connections – one is made to the Internet and the second is made to the VPN.
 Datagrams – contain data, destination and source information.
 Firewalls – VPNs allow authorized users to pass through the firewalls.
 Protocols – protocols create the VPN tunnels.


 Authentication – validates that the data was sent from the sender.
 Access control – limiting unauthorized users from accessing the network.
 Confidentiality – preventing the data from being read or copied as it is being transported.
 Data Integrity – ensuring that the data has not been altered.


 Encryption – a method of “scrambling” data before transmitting it onto the Internet.
 Public Key Encryption Technique
 Digital signature – for authentication


A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

Figure: Data Encapsulation [From Comer]. The original datagram is encrypted and carried as the inner datagram in the data area of the outer datagram, behind the outer datagram's header.

Two types of end points:
 Remote Access
 Site-to-Site
 PPTP -- Point-to-Point Tunneling Protocol
 L2TP -- Layer 2 Tunneling Protocol
 IPsec -- Internet Protocol Security
 SOCKS – is not used as much as the ones above


What does “implementation” mean in VPNs?

3 types
Intranet – Within an organization
Extranet – Outside an organization
Remote Access – Employee to Business


 3 types
◦ Hardware
◦ Firewall
◦ Software


1. What is network security? Differentiate network security from computer security.
2. Why is network security needed?
3. Explain the principal methods of protecting a network.
4. Explain the components of network organization.
5. Define firewall and explain how a firewall protects the network.
6. List the characteristics of a firewall. Explain different types of firewall in brief.
7. What do you mean by DMZ? Explain the functions of different DMZ servers.
8. What is IPSec? Differentiate between IPSec and VPN.
