Information Security

Unit 5:
Network Security
 TCP/IP vs. OSI Model
OSI Model TCP/IP Suite
A B
TCP/IP Layers
7 Application WinSock NetBIOS
6 Presentation Application
FTP HTTP SMTP APPC
TFTP Telnet SNMP FTAM
Layers

5 Session

4 Transport Host-to-Host TCP UDP

3 Network Internet DHCP IP ICMP

2 Data Link LLC ARP

Network Access
1 Physical MAC RARP
 Physical Layer : Threats
 Attacking:
 Once the physical layer is breached, it is very difficult
for other access control to prevent access.
 Copper wire can be attacked by cutting, tapping etc.
 Optical fiber cabling can be attacked by cutting, and tapping.
 Both wired and wireless technologies are susceptible to sniffing
(the collection of signals).
 Wireless can be attacked by jamming, interception, or other
forms of resource (e.g., bandwidth) exhaustion.
 Equipment can be attacked because of weak
authentication, by shutting down, or disturbing/degrading
the signal, by reprogramming, and by tapping.
 Physical Layer : Control
 Controls over Physical wiring include:
 Shielding
 Using conduit to reduce the threat of cutting, or using
pressurized conduit to detect a breach.
 A Faraday cage (named for physicist Michael Faraday) is a
device used to block or contain radio and electromagnetic
signals. It generally consists of a thin sheet or mesh of
conducting material enclosing a particular space.
 Wireless signal Controls include
 Encryption and
 Authentication.
 Equipment should be placed behind locked doors,
enclosed in cabinets, and shielded.
 Data Link Layer : Threats
 An attacker with access to the link may carry out a number of attacks,
including those on:
 Confidentiality - An attacker may:
• Try to discover user identities by sniffing authentication traffic.
• Attempt to recover the pass-phrase by mounting an offline dictionary or
brute force attack.
• Be an employee who installs unapproved (rogue), open wireless access
points that do not conform to the security policy. Employee laptops may
also be configured to allow file sharing or unauthenticated sessions.
 Integrity - An attacker may try to:
• Modify or spoof packets
• Convince the peer to connect to an untrusted network by mounting a
man-in-the-middle attack.
• Disrupt the authentication negotiation in order to force the selection of a
weak authentication method.
 Availability - An attacker may:
• Launch denial of service attacks
 Data Link Layer : Controls
 Control mechanism consists of:
 Encryption
 Authentication
 Tunneling
 RF Management
 Authentication, Tunneling and Radio Frequency
Management assume that:
 Identities are managed properly.
 Authentication tokens are created, issued, and revoked properly.
 The wired infrastructure is already adequately secure.
 Intrusion detection is in place.
 Policies are in place and auditing takes place to ensure that policies
are complied with.
 Wireless Encryption
 Encrypted transmission is a key building block in WLAN security.
 While it is not uncommon to use VPN connections over WLAN, the
WLAN should provide its own, native protection of content from
eavesdroppers.
 Characteristics of wireless encryption methods:
 Network Layer : Threats
 When IP was conceived, there was no need for complex
authentication mechanisms and the security and encryption
technology that we now require was not even available.
 Today’s challenges are not the result of shortcomings in the
architecture, but of a system whose intended use has grown
beyond all original expectations.
 Key shortcomings in IP is its lack of authentication, allowing
spoofing-based attacks.
 IP also has to deal with shortcomings in implementations
that allow attacks based on deliberate misuse of the
protocol.
 Protocol Encapsulation
Encapsulation
 Process of wrapping data before sending to next protocol in the stack
Layering
 Key concept is to separate function of each layer

SMTP/Telnet/FTP Packet

TCP Packet
Header

IP Packet
Header

Ethernet Packet
Header Trailer
 Internet Protocol (IP)
 Allows transmission over long distances
 Transfers messages between hosts on
physically different networks
 Unreliable
 Connectionless
 Messages “packetized” into IP datagrams
 IP Datagram Format

Vers Hlen Service Type Total Length

Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source IP Address
Destination IP Address
IP Options (if any) Padding
Data
...
 User Datagram Protocol (UDP)
 Uses “ports” to define ultimate endpoint on machine
 Connectionless
 No retransmission
 No guarantee of delivery
 UDP User Datagram Format:

UDP Source Port UDP Destination Port

UDP Message Length UDP Checksum
Data
...
 Transmission Control Protocol
(TCP)
 Reliable
 End-to-end connection
(“virtual circuit” )
• Opens a “pipe” between
two hosts
• Both systems must agree
to communicate
• Guaranteed delivery
 TCP/UDP “Ports”
 Allow multiple connections to a machine
 “Well-known” services are assigned ports
 For example, mail is 25, WWW/HTTP is 80
 Usually corresponds to server
 Some ports are assigned dynamically
 “Client” ports
 Certain services
 Some ports are “reserved”
 Other well known services are defined in RFC 1700
 TCP/IP

TCP UDP

IP

Link Layer

Ethernet

15
 LAN Security
 Local area networks facilitate the storage and retrieval of
programs and data used by a group of people. LAN
software and practices also need to provide for the
security of these programs and data.
 LAN risk and issues
 Dial-up access controls

16
 Security Issues in the TCP/IP
Protocol Suite

 Eavesdropping
 IP address spoofing
 Source routing
 ICMP redirects
 TCP connection spoofing
 Connection hijacking
 Protocol spoofing
 Eavesdropping

 Traditional Ethernet is a “broadcast” medium implemented with hubs

 All machines will “see” traffic destined for anywhere on the LAN

A B

X 18
 IP Source Address Spoofing
 Example -
 “A” (10.0.0.1) sends packet to “C” (10.0.0.3),
 Any machine pretending to be “B” (10.0.0.2)
can make up  But “B” receives replies
an IP address
Vers Hlen Service Type Total Length
Identification Flags Fragment Offset

Time to Live Protocol Header Checksum

10.0.0.2

10.0.0.3

IP Options (if any) Padding

Data
...

19
 Source Routing
 IP lets source specify exact route to destination
 Destination will use same static route to reply
 Attacker X can insert:
 Source address of Y
 Source route from X
 Packet will go directly to X, not Y
 Source routing can lead to IP spoofing

20
 Connection Impersonation

Machine X Machine B
SYN(A,SEQ) A

ACK(B,SEQ) B

ACK(A,SEQ) X
SYN(B,SEQ) B

SYN(C,SEQ) C

Machine A
 Connection Hijacking

11 73
12 74
13
14 13 75
14
Machine A Machine B

X can eavesdrop
X has context
No need to predict sequence numbers
X can impersonate A effectively
If X’s packets get to B before
A’s, X will have a connection

Machine X
22
 Countermeasures

 TCP connection spoofing

 Packet filters and firewalls
 Lack of trust between systems
 Connection hijacking
 Session encryption
• (ssh, vpn, ssl, ipsec)
 Network-level authentication
 Periodic re-authentication of users

23
 Protocol Spoofing

 DNS (Domain Name System)

 Forge translation between names and addresses
 Resolvers blindly accept name mapping results from
name servers
 NIS (Network Information Service)
 Anyone can be an NIS server
 Anyone can query NIS server
• Obtain NIS information (password files, host names)
• Can be done across networks
 Protocol Spoofing
 SNMP (Simple Network Mgmt Protocol)
 Relies on “community strings” - simple passwords
 Defaults are “public” and “private” - often not changed
 Anyone can issue an SNMP command

 Routing Protocols (RIP, OSPF, IGRP, EIGRP, BGP4)

 Can be exploited to change the path over which communication
occurs
 Major Internet Layer Protocol
 Address Resolution Protocol –
 Matches IP address to Mac address
 Reverse Address Resolution Protocol
 Mac to IP address
 Internet Control Message Protocol (ICMP)
 Is a management protocol
 FTP,TFTP, NFS, SMTP, LPD, X-windows, SNMP
 Typical Network Architecture

e-mail,
www
DNS

Internal Firewall Router Internet Internet

Network

27
 What Is a Firewall?
 A hardware/software system that securely
regulates communication between networks
 Typical components of a strong perimeter
defense:
 Packet filter
 Proxy servers
 Screening routers
 Secure bastion hosts
 Authentication server

28
 What Firewalls Can Do
 Provide focused security
 Centralized administration, configuring, logging, auditing
 Focused points of control
 Provide a secure network perimeter
 Separate sensitive portions of the intranet
 Build Virtual Private Networks (VPNs)
 Extensions to the network
 What Firewalls Can’t Do
 Provide complete confidentiality
 Eavesdropping is still possible
 Firewalls are evolving in this area with VPNs
 Provide integrity
 No assurances of traffic content
 Packets can still be tampered with along the way
 Virus checking only beginning to catch on
 Prevent packet forgery
 No end-to-end controls
 Principles of Firewalls
 “That which is not explicitly denied, is allowed”
 “That which is not explicitly allowed, is denied”
 Firewall building blocks:
 Packet Filters
 Proxy Servers
 Screening Routers
 Secure Bastion Hosts
 Authentication Server
 Packet Filter
 Router-based or host-based
 Access control rules are generally specified by:
 Interface
 Direction
 IP source/destination address
 TCP/UDP source/destination port
 Protocol
 Customized filters
 Packet Filter

“telnet mail.COMP.com”

mail.COMP.com
192.193.249.8

shell.COMP.com
163.39.250.195

33
 Packet Filter
 Some limitations:
 FTP data traffic, UDP, RPC, X Windows
 Subject to certain attacks
 Stealth Scanning, IP Fragmentation
 Configuration and management are difficult
 No easy way to upload new rules
 No centralized management of security
 Routers have limited security capabilities
 Other Packet Filtering Limitations
 RPC
 UDP-based, too many programs to assign given ports
 Port numbers dynamically assigned by “portmapper”
 RealAudio
 Uses TCP ports for initiation
 Also uses range of 200 UDP ports (6970-7170)
 Dynamic allocation; similar to RPC problem
 XWindows
 Requires inbound connection
 Difficult to filter

35
 Sample Cisco Router Packet
Filter Script

# Allow mail, telnet, ftp into specific local machines # Deny X-window and NFS
access-list 101 permit tcp any 10.0.60.11 0.0.0.0 access-list 101 deny tcp any any eq 6000
eq 25 access-list 101 deny udp any any eq 2049
access-list 101 permit tcp any 10.0.60.2 0.0.0.0 eq
23
access-list 101 permit tcp any 10.0.60.3 0.0.0.0 eq # Deny most other services
21 access-list 101 deny tcp any any lt 1024

# Allow all NNTP, NTP, domain traffic and ICMP # Deny outgoing SNMP traps
access-list 101 permit tcp any any eq 119 access-list 102 deny udp any any eq 162
access-list 101 permit udp any any eq 123
access-list 101 permit udp any any eq 53
# Allow everything else out
access-list 101 permit tcp any any eq 53
access-list 102 permit ip any any
access-list 101 permit icmp any any

# Allow return traffic for outbound connections

access-list 101 permit ip any any established

36
 Router-Based Packet Filters
 Pros:
 Inexpensive - you need a router anyway
 Cons:
 Some well-known limitations (e.g., UDP, RPC)
 No authentication
 Inadequate logging
 Difficult configuration
• Order matters
• Syntax is complicated
 Network Address Translation
 Some sites use unregistered IP addresses
 Want to hide bogus addresses and use real ones
 Solution - Network Address Translation
 Described in RFCs 1597 and 1918
 There are three ways to translate
 Single External Address
 One-to-one mapping
 Dynamically Allocated Address
 Proxy Servers

Internet Internal Network

External
Router

Bastion Host
 Proxy Servers
 Modified server software acts as user “proxy”
 May require modification of client software
 User connects to proxy software but doesn’t access firewall
operating system
 User interacts with proxy; proxy interacts with server
 User and server may not know proxy exists
 Session continues transparently after initial connection
 Generally application specific
 Proxy Servers - Summary
 Pros:  Cons:
 Semi-transparent to users  May require
 Good logging and auditing of specialized client
connections software
 Allows user-based security  Separate proxy
 Single point of control required for each
 No user accounts required in service
 Not totally transparent
operating system
 Strong authentication is possible to users

41
 Firewall Trends - Doing More
 Firewalls are incorporating more and more technologies
(like UTMS)
 Web servers, mail servers, and DNS
 Virus checking
 Authentication
 Encryption
 Increases usefulness
 Increases complexity
 Complexity can be the enemy of security

42
 Bastion Host
 Machine that is visible to the outside world
 Potential target for attacks
 Securing bastion host
 Monitor closely
 Disable all unnecessary services
 Remove other programs (compilers, interpreters, etc.)
 Turn off “IP forwarding”
 Protect existing services with wrappers
 Use static routes

43
 Secure Configuration of Routers
 Access should be limited
 Attach a terminal
 Limit access to a few sites (internally)
 User/password combination
 Not supported by most routers
 Authentication
 TACACS
 Routing
 Don’t accept RIP updates
 Static route to service provider
 Turn off source routing

44
 Firewall Security Systems
 Examples of firewall implementations
 Screened-host firewall
 Dual-homed firewall
 Demilitarized zone (DMZ)
 Firewall Platforms
 Using hardware or software
 appliances versus normal servers

45
 Firewall issues

 A false sense of security

 The circumvention of firewall
 Misconfigured firewalls
 What constitutes a firewall
 Monitoring activities may not occur on a regular basis
 Firewall policies

46
 Architectures #1 Bare Bones
 Just A Router with Access Control Lists
 Very Scaled down
 Acceptable, if you are able to control the security on all
hosts of internal network

Internal Router Internet

Network

47
 Bare Bones Architecture
 All your eggs are in the router basket
 If the router fails, or if a new attack is devised,
you are vulnerable
 Not a fine-level of control, logging, management
 Not realistic for significantly sized user base

48
 #2 Router and Host Based
Firewall
 Recommend that filtering be done at both router
and firewall
• Extra management, but it’s worth it

Internal
Network Router Internet
Firewall

49
 Router and Host Firewall
Architecture

 Concern about where to put servers

 WWW, DNS, e-mail
 Locate them on firewall
 Concerns! If one of the services has a vulnerability,
compromise of the entire firewall is possible
 Add a DMZ could help alleviate concern

50
 #3 Router and Host Based
with DMZ
 Add a DeMilitarized Zone (DMZ) for additional services
 DMZ aka “perimeter network”

e-mail,
www
DNS

Internal Firewall Router Internet Internet

Network

51
 Router & Host with DMZ
 Keep filtering at both router and firewall
 Concern - if one of the servers on the DMZ fails, other
servers can be taken over
 Attacker grabs the www server and installs a sniffer
 Attacker gets passwords for all other machines
 To minimize this possibility:
 Use a switching hub on the DMZ
 Use encryption where possible
 Another concern - outside systems only protected by router

52
 #4 Tri-homed Firewall Host

 Variation of # 3:
 Tri-homed firewall – All logging, suspicious activity
detection, etc. of the firewall is
available

e-mail,
www
DNS

Internet
Internal Firewall Router
Network
53
 Tri-homed Firewall Host
 Provides greater protection of DMZ servers
 Firewall’s resources can protect and log
 Can control at a greater level of detail all accesses to
servers on DMZ
 Single point to administer protection
 Single point of failure

54
 Accessing Internal Hosts from
the Internet
 Giving access to the public or semi-public to databases
inside the corporation
 Over the Internet!
 Potential for cost-savings is large
 On-Line banking, trading, and Insurance applications
 For any of the following approaches, use encrypted
session (SSL) for transport across Internet

55
 Accessing Internal Hosts from
the Internet
 Approach A - Replicate

Customer www DB
DB

Internet Router Firewall Internal

Network

 Somewhat secure, but non-interactive

 Providing update access may be required

56
 Accessing Internal Hosts from
the Internet
 Approach B - Use database Replication

Customer www DB
DB

Internet Router Firewall Internal

Network

– Be careful punching holes through the firewall

– Encrypt if possible
– Use switching hub on DMZ
57
 Accessing Internal Hosts from
the Internet
 Approach C

www
Customer DB

Internet Router Firewall Internal

Network

 Very Bad - This bypasses the firewall

 Web server provides potential exposure to the internal
network
 Accessing Internal Hosts from
the Internet

 Approach D

Customer www
DB

Internet Router Firewall Internal

Network
 WWW server accesses database by going through firewall
 Safer than A, with respect to confidentiality because firewall can more
tightly control access
 Concerns about snooping and hijacking
 Firewall Protocol Policy
 Maintain “protocol policy” - identify what is permitted
and what is not
 Easy to update/maintain lists
 Some connections allowed with
security in place:
 Strong authentication
 Access control
 Encryption
 This should be reflected in policy
 Firewall Comparison

PROS CONS
• Application Independent • Low Security
Packet • High Performance • No Protection Above
Filters • Scalable Network Layer

Application- • Good Security • Poor Performance

Proxy • Fully Aware of Application • Limited Application
Gateways Layer Support
• Poor Scalability
• Good Security • More Expensive
Stateful • High Performance
Inspection • Scalable
• Fully Aware of
Application
Layer
• Extensible 61
 Sample Protocol Policy

Service Policy Justification

FTP IN Allowed to DMZ server Public documents need to be available

Allowed using strong Remote users and business partners need

Telnet IN
authentication to to access information, applications
specific destinations

Telnet Allowed by all full-time Users need to access external information

OUT employees

FTP OUT Allowed to all users Users need to access external information

Allowed to DMZ server Public documents need to be available

HTTP IN

HTTP OUT Allowed to all users Users need to access external information
 Remote Management of
Firewalls
 Many firewalls support secured remote
management
 Or use some form of strong authentication
 One-time passwords
 Cryptographic authentication
 SSH (Secure Shell)
 Allows remote login to machine from specific hosts
 All traffic encrypted
 Knowledge of key is necessary to connect
 Remote Access:
Security Management
 Dialup
 DSL,ISDN, Wireless computing and Cable modems
 Securing Enterprise & Telecommuting Remote
Connectivity
 Securing external connectivity using SSL, VPN and SSH
 Remote Access Authentication systems (TACACS, RADIUS etc.)
 Authentication Security protocols (PAP), CHAP etc.
 Remote User Management Issues
 User support and inventory management
 Remote Access: Methods
 Terminal emulation - single window connects to
remote system
 Such as vt100, other terminal windows
 Remote control - direct connection to “captive”
remote host
 Such as pcAnywhere, Citrix, etc.
 Remote node - places remote system on local
network
 Such as NT/RAS, PPP, NetWare Connect, VPN,
PPTP

65
 Remote Access: Architectures
 Local modems - used for remote control or terminal
emulation
 Discouraged - difficult to control and monitor
 Modem pools - provide centralized dial-in access
 Easy to add security/authentication mechanisms
 Dial on demand routing
 Common with ISDN access
 Only connects when traffic is detected
 Access servers
 Centralized access point - similar to a
firewall or router

66
 Remote Access: Security

 Local authentication
 Authentication servers
 Password authentication
 One-time passwords/tokens
 Authentication protocols
 PPP authentication protocols (PAP, CHAP)
 PPTP / L2TP
 IPSec
 TACACS, RADIUS, TACACS+

67
 Other Access Methods

 Cable Modems
 Digital Subscriber Loop (DSL)
 Both provide high bandwidth to home users
• “Always on”
• Leads to increased targeting of home systems
• Also enables widespread attacks
 Personal IDS / Firewall systems
• Provide localized protection from remote packets
 Use a secure VPN for remote access

68
 VPN Connectivity Models
Lan-2-Lan
Computer
Resource

VPN T
Corporate Network
Laser printer unnel

Computer
Resource Application
INTERNET Server

VPN Tunnel Laser printer

Remote Access

Computer
el
Tunn Resource
VPN

Computer
Resource

Laser printer

Computer
Resource

B-2-B
 VPN Benefits & Needs
 VPN is a communication method to leverage the
flexibility and cost advantage of the internet.
 A VPN allows an enterprise to reduce its dependencies
on expensive, leased-line networks and troublesome
remote-access solutions, by establishing virtual
connections across shared-IP networks.
 Internet Service Providers benefit from VPNs by
offering multi-tiered VPN services to their customers.
 VPN Connectivity Models (Cont)
Connectivity Trust Business Requirements
Model Application

Lan-2-Lan/ Trusted Branch to HQ Transparency

Intranet Performance
Availability
Remote Trusted/ Telecommuters Connectivity
Access Not-trusted and mobile
employees
B-2-B/ Not-trusted B-2-B/ Security
Extranet Partners Minimum
Impact on
environment
 VPN Types
Firewall-to-Firewall
 Data is encrypted when it leaves Firewall #1 and crosses the Internet
 The data is authenticated and decrypted when it reaches Firewall #2.

Firewall Firewall
Module Module
#1 #2

Not Encrypted Encrypted Not Encrypted

Payroll PRIVATE PUBLIC PRIVATE Sales
 VPN Types
Client-to-Firewall

Firewall or Gateway Client with

With Encryption module Encryption package installed
 Connectivity Fundamentals
 VPN connectivity models rely on creating a Secure
Virtual Tunnel between the access points and the
enterprise networks.
 Tunneling is a protocol that encapsulates various
communication protocols in an IP envelop in order to
fulfill secure communications requirements.
 Most of the current implemented Tunneling protocols
are in layer 2 (Data Link), Layer 3 ( Network) and Layer
5 (Session) of the OSI model.
 Point-2-Point Tunneling Protocol

• PPTP is a tunneling protocol that encapsulates network protocol datagrams within

an IP tunnel. This means that any network equipment that treats IP will be able to
route this protocol.
Dial-up/Remote Access
RAS/PPTP enabled
ISP
Resource

INTERNET

E N C R Y P T E D
• Revolves around Remote Access Services -RAS- for windows (i.e. Network must support
a RAS PPTP enabled server and network equipment that support PPTP).

75
 IP Security Protocol (IPSec)

 An IETF sponsored protocol that addresses the lack of

security in the existing IP infrastructure.
 All devices must share a common key

LAN-2-LAN

INTERNET

E N C R Y P T E D
• Works with the existing IP infrastructure via encapsulation.
• It secures a packet of data by packaging it inside another packet that is then
sent over the Internet.
 IPSec Security Architecture
 Detailed in RFCs 2411
 Two parts:
• Authentication Header (AH)
• Encapsulated Security Payload (ESP)
 Security Parameters Index (SPI)
• Security “associations”
• Pre-negotiated keys, algorithms, Initialization
Vectors (IVs), etc.
 IPSec Modes
 Transport Mode – protects only the payload
portion of sent IP packet (I.e. not the header)
 Tunnel Mode – protects the entire header and
payload of the packet

78
 VPN Assessment

 Security Considerations.

 Scalability Considerations.

 Support & Management Considerations.

 Cost Considerations.
 Security Considerations
 Several machines are NOT under control of the
corporation (e.g. Internet routers, ISP access box and
client workstation).
 Security gateways (firewall, routers) that are on the
boundary between internal segment and external
segment.
 Internal segments that contain fixed hosts and other
routers.
 An external segment (Internet) that carries all types of
traffic.
 Scalability Considerations
 With the explosion of the Internet, there is a demand
increase for a VPN infrastructure that can grow rapidly.

 The VPN selected must be able to quickly, and in a cost

effective manner, support large scale proliferation of users.

 Solutions must be scalable from the perspective of

performance, availability, manageability and security.
 Support & Management
Considerations
 A VPN solution must be
• easy to use for end users
• centrally operated
• transparent to the user (minimal level of sophistication,
plug and play, support popular platforms, etc.)
• able to take minimum time and effort to modify
business applications to support solution
• able to support Information Security & Audit
requirements
• interoperable with marketplace authentication and
encryption solutions
 Cost Considerations
 The objective of a VPN implementation is to increase
connectivity and performance while reducing cost
 Infrastructure Cost
• Network/ Support/ Administration support
• Interoperability (routers & firewalls)
• Internet Service Providers (ISP)
• Security
–Scalability
• Business Application Cost
• Desktop Client Support (installation, help desk, security..)
• Application support
• Retrofitting to legacy systems