Skip to main content
Department of Information Technology

Network security

Protocol layers in the Internet protocol stack:
5. Application layer (e.g. HTTP, SMTP, DNS...)
4. Transport layer (TCP, UDP, ...)
3. Network layer (IP/ICMP, ...)
2. Link layer (Ethernet, PPP, WLAN, Bluetooth, ...)
1. Physical layer (cables, radio, infrared)

Where to put security?

  • Lower layers: protect against "attacks from the layer below", efficiency
  • But: different layers have different "span":
    • e.g. link layer security can only protect one hop,
    • transport layer security only protects until delivered to application
  • so needed also higher layers! We need to "protect the layer above"!

Examples of INsecurity

All layers:

  • interception (confidentiality, eavesdropping, traffic analysis),
  • interruption (DoS),
  • modification (integrity),
  • fabrication (authenticity).
2.1. Examples
  • Application layer:
    • Email scams: look like the bank asks for your data
    • Email spoofing: e.g. spams sent "from" same type of addresses as "to", and worse.
    • Modem hijacking: present a pop-up which downloads and changes modem settings, calling international high-fee "service".
    • DNS spoofing: give faked translations of addresses and names (attacks hostname-based identification)
  • Transport layer: (see TCP/IP Security by Chambers, Dolske and Iyer)
    • Denial of Service: e.g. SYN flooding (cf. CERT advisory).
    • Connection hijacking, ISN guessing (cf. Gollman section 13.1.3, but much more meat in TCP/IP Security).
  • Network layer:
    • IP spoofing (cf. "ingress filtering"). Faking the source address simple, harder to see response, but not always impossible - cf source routing. Attacks address-based identification.
    • routing: spoofing (changing routing), DoS (overloading routers)
  • Link layer
    • broadcast storms, eavesdropping, MAC-address spoofing.

Note also:

  • Distributed DoS attacks (using viruses)
  • "Host fingerprinting", using properties of TCP/IP implementation and server responses to figure out what type of OS and servers to attack.

Examples of security

3.1. Application layer
  • Secure email (S/MIME, PGP). Provides application-to-application ("user-to-user") integrity/confidentiality/authentication, regardless of lower layers.
  • Secure email transport:
    • SMTP over TLS (RFC3207). Provides confidentiality/authentication between mail servers, when transporting mail from source to destination.
    • IMAP/POP over TLS (RFC2595). Provides confidentiality/authentication when client fetches mail from server.
  • HTTP over TLS (RFC2818). Similar.
  • DNS security extensions (RFC2535). Handles data origin authentication, integrity, key distribution.
  • Application gateways: dedicated machine handling in- and outbound connections for (each) application. E.g. mail server, web proxy (more advanced than simple cache), ssh gateway.
    • client connects to gateway which validates request, and then connect to real (internal) server, fowarding application protocol data (in both directions)

Cf. von Braun: attacks on encrypted web traffic from "the layer above" (in the browser, after/before encryption!)

3.2. Transport layer
  • TLS (RFC2246)/SSL. Provides "layer between" 4/5, providing confidentiality/authentication for any application protocol using TCP.
  • SASL (RFC2222) (Simple Authentication and Security Layer). Provides authentication and an (optional) interface to security mechanisms such as encryption for application protocols.
  • ISN selection
3.3. Network layer
  • VPN (Virtual Private Networks) - many variants, typically using tunnelling (encapsulating and multiplexing traffic over one secure connection)
  • IPsec (both IPv4 and IPv6, RFC2401, RFC2402, RFC2406). Can be seen as a "sub-layer" of network/IP.
    • IP Authentication Header (AH): provides connectionless integrity, data origin authentication, and an optional anti-replay service. [being deprecated (föråldrat)]
    • Encapsulating Security Payload (ESP) protocol: provides confidentiality and limited traffic flow confidentiality. It also may provide connectionless integrity, data origin authentication, and an anti-replay service.
    • Establishes a security association (SA), end-to-end logical one-way connection. SA uniquely determined by AH/ESP identifier, destination IP address, and Security Parameter Index (SPI)
    • Transport mode:
      • AH: | IP hdr (proto=51) | AH hdr | (TCP/UDP) segment/datagram |
      • ESP: | IP hdr (proto=50) | ESP hdr | (TCP/UDP) segment/datagram | ESP trailer | ESP auth |
        (auth: ESP hdr, segment, trailer; encr: segment, trailer)
    • Tunnel mode:
      • whole IP datagram encapsulated in ESP: protects IP header info better, typically between gateway hosts (end hosts need not be aware of IPsec)
    • IKE (Internet Key Exchange) key management protocol
    • ISAKMP (Internet Security Association and Key Management Protocol) for establishing/taking down SAs, and key exchange using e.g. IKE.
    • Need security policy database to select parameters
  • OSPF (RFC2328), BGP (RFC1771). Routing with authentication.
3.4. Link layer
  • Wireless network authentication and confidentiality, protecting at least as good as cables.
  • Network topology and filtering switches to counter problems above (e.g. MAC spoofing, interception).

See also RFC2196, the Site Security Handbook.

Firewalls

  • To be efficient, all traffic has to pass through firewall (including wireless, dial-up etc)
  • Routing (cf. "ingress filtering", above, or "egress filtering" on traffic leaving router)
  • NAT: only ports in use can be connected to, unless specifically configured
  • Packet filtering (examples)
    • Explicit port/protocol blocking (e.g. only let ssh connections come in)
    • DMZ host (DeMilitarised Zone: e.g. send all unused ports to specific host on local net)
    • Stateful Packet Inspection (SPI) understands/inspects the packets at a deeper level
      • filter based on the state of connections, e.g. if there is an outgoing FTP connection, accept incoming FTP data connections, or if I've sent UDP traffic from port n, accept packets to that port)

Simple variants:

  • iptables in Linux
  • Windows ...
  • Home "broadband" router

Intrusion Detection Systems

Remember:

  • prevention
  • detection
  • reaction

Many attacks have been prevented by methods described earlier, but some attacks will will not be prevented - they need to be detected!

5.1. Vulnerability Assessment
  • Examine "security state" of network/system, e.g.
    • open ports
    • network topology
    • installed/active software (versions, patch status...)
  • E.g. port scanners, (manual) audit services/penetration tests

Needs to know what to look for, and how to use the information!

5.2. Intrusion detection
  • Sensors gathering data
  • Management console (analysis, reports, trigger reactions)
  • Misuse detection
    • based on attack signatures: patterns of network activity indicating "suspicious behaviour"
    • rules based on security policies, known attacks, known vulnerabilities
  • Anomaly detection
    • Statistical analysis: need to know what is "normal", then find the anomalous behaviour
      1. analyse system under "normal conditions"
      2. analyse system in "real life"

Host-based vs network-based IDS:

  • Analyse network traffic vs host log files

Must achieve a low rate of false positives (false alarms), and of course also low rate of false negatives (missed attacks).

5.3. Honeypots

Look like a real system which would be great to attack/break into, but isn't really a problem if that succeeds.

Used in order to analyse and collect data about attacks, and possibly to track attackers. Since system isn't used for "real" work, easy to tell attacks apart from "real" use.

Updated  2006-10-05 09:44:30 by Björn Victor.