Network Security at OSI Layers


Network Security at OSI Layers
Muhammad Muzammil
Syed Zeeshan Nasir
Department of Computer Science, FUUAST, Islamabad

1-OSI Model:
In 1983, the International Organization for Standardization (ISO) and the International Telegraph and Telephone Consultative Committee (CCITT) merged documents and developed the OSI model, which is based on a specific hierarchy where each layer builds on the output of each adjacent layer. The OSI model is a protocol stack where the lower layers deal primarily with hardware, and the upper layers deal primarily with software. The OSI model's seven layers are designed so that control is passed down from layer to layer. The seven layers of the OSI model are shown below:

Layer: Functionality
Application: Application support such as File Transfer Protocol (FTP), Telnet, and Hypertext Transfer Protocol (HTTP)
Presentation: Encryption, Server Message Block (SMB), American Standard Code for Information Interchange (ASCII), and formatting
Session: Data flow control, startup, shutdown, and error detection/correction
Transport: End-to-end communications, UDP and TCP services
Network: Routing and routable protocols such as IP and Open Shortest Path First (OSPF); path control and best effort at delivery
Data link: Network interface cards, Media Access Control (MAC) addresses, framing, formatting, and organizing data
Physical: Transmission media such as twisted-pair cabling, wireless systems, and fiber-optic cable

1.2-Functions of OSI Model:
The OSI model functions as follows:
1. Information is introduced into the application layer and passed down until it ends up at the physical layer.
2. Next, it is transmitted over the physical medium (i.e., wire, coax, or wireless) and sent to the target device.
3. Once at the target device, it proceeds back up the stack to the application layer.
1.3-Explanation of Layers:

The Application Layer:
Layer 7 is known as the application layer. Recognized as the official top layer of the OSI model, this layer serves as the window for application services.

The Presentation Layer:
Layer 6 is known as the presentation layer. The main purpose of the presentation layer is to deliver and present data to the application layer. This data must be formatted so that the application layer can understand and interpret it. The presentation layer is responsible for items such as:
• Encryption and decryption of messages
• Compression and decompression of messages, format translation
• Handling protocol conversion

The Session Layer:
Layer 5 is known as the session layer. Its purpose is to allow two applications on different computers to establish and coordinate a session. It is also responsible for managing the session while information and data are being moved. When a data transfer is complete, the session layer tears down the session. Session-layer protocols include:
• Remote Procedure Call (RPC)
• Structured Query Language (SQL)

The Transport Layer:
Layer 4 is known as the transport layer. Whereas the application, presentation, and session layers are primarily concerned with data, the transport layer is focused on segments. Depending on the application protocol being used, the transport layer can send data either quickly or reliably. Transport layer responsibilities include end-to-end error recovery and flow control. The two primary protocols found on this layer include:
• TCP: A connection-oriented protocol; provides reliable communication using handshake acknowledgments, error detection, and session teardown.
• UDP: A connectionless protocol; offers speed and low overhead as its primary advantage.

The Network Layer:
Layer 3 is known as the network layer, which is fixed to software and deals with packets. The network layer is the home of IP, which offers best effort at delivery and seeks to find the best route from the source to the target network. Network-layer components include:
• Routers
• Stateless inspection/packet filters

The Data Link Layer:
Layer 2 is known as the data link layer and is focused on traffic within a single local area network (LAN). The data link layer formats and organizes the data before sending it to the physical layer. Because it is a physical scheme, hard-coded Media Access Control (MAC) addresses are typically used. The data link layer organizes the data into frames. When a frame reaches the target device, the data link layer strips off the data frame and passes the data packet up to the network layer. Data-link-layer components include:
• Bridges
• Switches
• Network Interface Card (NIC)
• MAC addresses
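To make the pass-down and pass-up of sections 1.2 and 1.3 concrete, the following Python script is an added example, not code from the original slides: it wraps an application payload in a UDP header (layer 4), an IPv4 header with its checksum (layer 3) and an Ethernet II frame (layer 2), then strips the headers again on the receiving side, verifying at layer 3 that the header checksum still holds. The MAC addresses, IP addresses, ports and payload are constructed sample values.

```python
"""Pass application data down the stack and back up, as sections 1.2 and 1.3
describe. Added example with constructed addresses, ports and payload."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header. Compute it with the
    checksum field zeroed; a header that still carries a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Layer 4: UDP header (ports, length, checksum 0 = not computed) + data."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def network_layer(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: minimal IPv4 header (no options) with a correct checksum."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, 64, PROTO_UDP, 0, src, dst)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + segment


def data_link_layer(packet: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Layer 2: Ethernet II frame around the packet."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port) -> bytes:
    """Step 1 of section 1.2: application data passed down towards the physical layer."""
    segment = transport_layer(data, src_port, dst_port)
    packet = network_layer(segment, src_ip, dst_ip)
    return data_link_layer(packet, src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Step 3 of section 1.2: each layer strips its header and checks what it can."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("layer 2: not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("layer 3: IPv4 header checksum mismatch")
    if packet[9] != PROTO_UDP:
        raise ValueError("layer 3: not UDP")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, packet[12:16])), "dst_ip": ".".join(map(str, packet[16:20])),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:udp_len],
    }


def is_intact(frame: bytes) -> bool:
    """True when every layer accepts the frame, False when any check fails."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


# Constructed sample: a five-byte payload to UDP port 53, between two documentation addresses
SAMPLE_FRAME = encapsulate(b"hello", bytes.fromhex("020000000001"), bytes.fromhex("020000000002"),
                           "192.0.2.10", "192.0.2.20", 40000, 53)

if __name__ == "__main__":
    print(decapsulate(SAMPLE_FRAME))
```

The only integrity check in this walk is the layer-3 header checksum, and it covers the header alone: a frame whose payload has been altered in transit passes `is_intact` unchanged. Protecting the data itself is what the countermeasures discussed later in the document (IPSec's AH/ESP, SSL/TLS) add on top of the basic stack.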
The Physical Layer:
Layer 1 of the OSI model is known as the physical layer. Bit-level communication takes place at layer 1. Bits have no defined meaning on the wire; however, the physical layer defines how long each bit lasts and how it is transmitted and received. Physical layer components include copper cabling, fiber cabling, wireless system components, and Ethernet hubs. The physical layer in this book has been extended to include:
• Perimeter security
• Device security
• Identification and authentication

2-Attacks at OSI Layers:
Let us look at the attacks on all layers of the OSI model.

The Application Layer:
Most of the applications listed in this section are totally insecure because they were written for a different time. Here's a short list of some of the insecure applications and high-level protocols:

FTP:
FTP is a TCP service that operates on ports 20 and 21 and is used to move files from one computer to another. Port 20 is used for the data stream, and transfers the data between the client and the server. Port 21 is the control stream, and is used to pass commands between the client and the FTP server. Attacks on FTP target misconfigured directory permissions and compromised or sniffed clear text passwords. FTP is one of the most commonly hacked services.

Telnet:
Telnet is a TCP shell service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. While Telnet can be configured to allow unidentified connections, it should also be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task.

Simple Mail Transfer Protocol (SMTP):
This application is a TCP service that operates on port 25, and is designed to exchange electronic mail between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing and spamming are two of the vulnerabilities associated with SMTP.

Domain Name Service (DNS):
This application operates on port 53, and performs address translation. DNS converts fully qualified domain names (FQDNs) into a numeric IP address and converts IP addresses into FQDNs. DNS uses UDP for DNS queries and TCP for zone transfers. DNS is subject to poisoning and, if misconfigured, can be solicited to perform a full zone transfer.

Trivial File Transfer Protocol (TFTP):
TFTP operates on port 69, and is a connectionless version of FTP that uses UDP to reduce overhead and reliability. It does so without TCP session management or authentication, which can pose a big security risk. It is used to transfer router configuration files and to configure cable modems. People hacking those cable modems are known as uncappers.

Hypertext Transfer Protocol (HTTP):
HTTP is a TCP service that operates on port 80. HTTP helped make the Web the popular service that it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request-response protocol where a client sends a request and a server sends a response. Attacks that exploit HTTP can target the server, the browser, or scripts that run on the browser. Nimda is an example of code that targeted a Web server.

Simple Network Management Protocol (SNMP):
SNMP is a UDP service that operates on ports 161 and 162, and was designed to be an efficient and inexpensive way to monitor networks. The SNMP protocol allows agents to gather information (e.g., network statistics) and report back to their management stations. Some of the security problems that plague SNMP are caused by the fact that community strings are passed as cleartext and the default community strings (public/private) are well known. SNMP version 3 is the most current and offers encryption for more robust security.

The Session Layer:
There is a weakness in the security controls at the presentation and session layers. Let's look at the Windows NT LanMan (NTLM) authentication system. Originally developed for Windows systems and then revised for Windows NT post service pack 2 systems, this security control proved to be an example of weak encryption (i.e., many passwords encrypted with this system could be cracked in less than 1 second because of the way Microsoft stored the hashed passwords). An NTLM password is uppercased, padded to 14 characters, and divided into two seven-character parts. The two hashed results are concatenated and stored as a LAN Manager (LM) hash, which is stored in the SAM. The session layer is also vulnerable to attacks such as session hijacking. Network Basic Input/Output System (NetBIOS) is another service located in this area of the stack. NetBIOS was developed for IBM and adopted by Microsoft, and has become an industry standard. It allows applications on different systems to communicate through the LAN. On LANs, hosts using NetBIOS systems identify themselves using a 15-character unique name. Since NetBIOS is non-routable, Microsoft adapted it to run over Transmission Control Protocol/Internet Protocol (TCP/IP). NetBIOS is used in conjunction with SMB, which allows for the remote access of shared directories and files. This key feature of Windows makes file and print sharing and the Network Neighborhood possible. It also introduced other potential vulnerabilities into the stack by giving attackers the ability to enumerate systems and gather user names, accounts, and share information. Almost every script kiddie and junior league hacker has exploited the net use command.

The Transport Layer:
The transport layer is a common place for vulnerabilities, because it is the home of UDP and TCP. Because UDP is connectionless, it's open for attackers to use for a host of denial of service (DoS) attacks. It's also easy to spoof and requires no confirmation. TCP is another used and abused protocol. Port scanning and TCP make the hacker trade possible. Before a hacker can launch an attack, he or she must know what is running and what to target. TCP makes this possible. From illegal flag settings, NULL, and XMAS, to more common synchronous (SYN) and reset (RST) scans, TCP helps attackers identify services and operating systems.

The Network Layer:
At the network level are services such as IP and ICMP. IPv4 has no security services built in, which is why Secure Internet Protocol (IPSec) (a component of IPv6) was developed. Without IPSec, IP can be targeted for many types of attacks (e.g., DoS), abused through source routing, and tricked into zombie scanning ("IPID scan"). While ICMP was developed for diagnostics and to help with logical errors, it is also the target of misuse. ICMP can be used to launch Smurf DoS attacks or can be subverted to become a covert channel with programs such as Loki.

The Data Link Layer:
The dangers are real at the data link layer. Conversion from logical to physical addressing must be done between the network and data link layers. Address Resolution Protocol (ARP) resolves logical to physical addresses. While critical for communication, it is also used by attackers to bypass switches and monitor traffic, which is known as ARP poisoning. Even without ARP poisoning, passive sniffing can be a powerful tool if the attacker positions himself or herself in the right place on the network.

The Physical Layer:
An attacker gaining access to the telecommunications closet, an open port in the conference room, or an unused office could be the foothold needed to breach the network or, even worse, gain physical access to a server or piece of equipment. It's a generally accepted fact that if someone gains physical access to an item, they can control it.

3-Countermeasures Found in Each Layer:
Security countermeasures are the controls used to protect the confidentiality, integrity, and availability of data and information systems. There is a wide array of security controls available at every layer of the stack. Overall security can be greatly enhanced by adding additional security measures, removing unneeded services, hardening systems, and limiting access.
• Virus Scanners: Antivirus programs can use one or more techniques to check files and applications for viruses. While virus programs didn't exist as a concept until 1984, they are now a persistent and constant problem, which makes maintaining antivirus software a requirement. These programs use a variety of techniques to scan and detect viruses, including signature scanning, heuristic scanning, integrity checks, and activity blocking.
• Pretty Good Privacy (PGP): In 1991, Phil Zimmerman initially developed PGP as a free e-mail security application, which also made it possible to encrypt files and folders. PGP works by using a public-private key system that uses the International Data Encryption Algorithm (IDEA) to encrypt files and e-mail messages.
• Secure Multipurpose Internet Mail Extensions (S/MIME): S/MIME secures e-mail by using X.509 certificates for authentication. The Public Key Cryptographic Standard is used to provide encryption, and can work in one of two modes: signed and enveloped. Signing provides integrity and authentication. Enveloping provides confidentiality, authentication, and integrity.
• Privacy Enhanced Mail (PEM): PEM is an older e-mail security standard that provides encryption, authentication, and X.509 certificate-based key management.
• Secure Shell (SSH): SSH is a secure application layer program with different security capabilities than FTP and Telnet. Like the two aforementioned programs, SSH allows users to remotely log into computers and access and move files. The design of SSH means that no clear text usernames/passwords can be sent across the wire. All of the information flowing between the client and the server is encrypted, which means network security is greatly enhanced. Packets can still be sniffed, but the information within the packets is encrypted.
• Secure Electronic Transmission (SET): SET is a protocol standard that was developed by MasterCard, VISA, and others to allow users to make secure transactions over the Internet. It features digital certificates and digital signatures, and uses Secure Sockets Layer (SSL).
• Terminal Access Controller Access Control System (TACACS): Available in several variations, including TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS is a centralized access control system that provides authentication, authorization, and auditing (AAA) functions.
• Kerberos: Kerberos is a network authentication protocol created by the Massachusetts Institute of Technology (MIT) that uses secret-key cryptography and facilitates single sign-on. Kerberos has three parts: a client, a server, and a trusted third party to mediate between them.
• SSL: Netscape Communications Corp. initially developed SSL to provide security and privacy between clients and servers over the Internet. It's application-independent and can be used with HTTP, FTP, and Telnet. SSL uses Rivest, Shamir, & Adleman (RSA) public key cryptography and is capable of client authentication, server authentication, and encrypted SSL connections.
• Transport Layer Security (TLS): TLS is similar to SSL in that it is application independent. It consists of two sub-layers: the TLS record protocol and the TLS handshake protocol.
• Windows Sockets (SOCKS): SOCKS is a security protocol developed and established by Internet standard RFC 1928. It allows client-server applications to work behind a firewall and utilize their security features.
• IPSec: IPSec is the most widely used standard for protecting IP datagrams. Since IPSec can be applied below the application layer, it can be used by any or all applications and is transparent to end users. It can be used in channel mode or transport mode.
• Point-to-Point Tunneling Protocol (PPTP): Developed by a group of vendors including Microsoft, 3Com, and Ascend, PPTP is comprised of two components: the transport that maintains the virtual connection and the encryption that ensures confidentiality. PPTP is widely used for virtual private networks (VPNs).
• Challenge Handshake Authentication Protocol (CHAP): CHAP is an improvement over previous authentication protocols such as Password Authentication Protocol (PAP), where passwords are sent in clear text. CHAP uses a predefined secret and a pseudo-random value that is used only once. This facilitates security because the value is not reused and the hash cannot be reverse-engineered.
• Wired Equivalent Privacy (WEP): While not perfect, WEP attempts to add some measure of security to wireless networking. It is based on the RC4 symmetric encryption standard and uses either 64-bit or 128-bit keys. A 24-bit Initialization Vector (IV) is used to provide randomness; therefore, the "real key" may be no more than 40 bits long. There have been many proven attacks based on the weaknesses of WEP.
• Wi-Fi Protected Access (WPA): WPA was developed as a replacement for WEP. It delivers a more robust level of security. WPA uses Temporal Key Integrity Protocol (TKIP), which scrambles the keys using a hashing algorithm and adds an integrity-checking feature that verifies that the keys haven't been tampered with. Next, WPA improves on WEP by increasing the IV from 24 bits to 48 bits. WPA also prevents rollover (i.e., key reuse is less likely to occur). Finally, WPA uses a different secret key for each packet.
• Packet Filters: Packet filtering is configured through access control lists (ACLs). ACLs allow rule sets to be built that will allow or block traffic based on header information. As traffic passes through the router, each packet is compared to the rule set and a decision is made whether the packet will be permitted or denied.
• Network Address Translation (NAT): NAT can be used to translate between private and public addresses. Private IP addresses are those considered non-routable (i.e., public Internet routers will not route traffic to or from addresses in these ranges).
• Fiber Cable: The type of transmission media used can make a difference in security. Fiber is much more secure than wired alternatives and unsecured wireless transmission methods.
• Secure Coding: It is more cost-effective to build secure code up front than to try and go back and fix it later. Just making the change from C to a language such as .NET or C# can have a big security impact. The drive for profits and the additional time that QA for security would introduce cause many companies not to invest in secure code.

4-Defending the Physical Layer:
There is no security protocol that will defend the physical layer, but several natural methods are utilized to do the job. The security controls on the physical layer have three primary goals:
• Deter (discourage): Two methods used to deter intruders are security lighting and "Beware of Dog" signs.
• Delay: Some of the techniques used to delay an intruder include fences, gates, locks, access controls, and mantraps.
• Detect: Two systems used to detect intruders are intrusion detection systems (IDSes) and alarms.
Physical security focuses on intruders and thieves. Some of the main security concerns are as follows:

Identification and Authentication:
Identification is the process of identifying yourself, and is commonly performed by entering a username. Authentication is the process of proving your identity. Various authentication schemes have been developed over the years and can be divided into three broad categories:
• Something you know: passwords
• Something you have: tokens, smart cards, and certificates
• Something you are: biometrics

5-Defending the Data-Link Layer:
Protocols defined at this layer provide security.

Ethernet LAN Security:
The Ethernet LAN has many security weaknesses when facing attacks externally and internally. Security measures must be taken to ensure a secure environment for communications over the Ethernet LAN. The following are some key risks in an Ethernet LAN:
• The primary weakness with Ethernet is that it is a broadcast system. Every message sent out by any computer on an Ethernet LAN segment reaches all parts of that segment and potentially could be read by any computer on the segment. Sniffing-type programs can record, read, and analyze all the messages on a segment. Others can actually read your password and subsequently log in to any account. They can also change the information and forge totally different messages.
• Peer-to-peer networking systems (both Windows and Macintosh AppleTalk) for workgroups allow people on the network to share files and printers, which opens up your files to anyone using another computer in the group.
• Some applications, such as an FTP program which allows you to get files from and send files to another computer, may have an option in their configuration which allows other computers to get into your computer and have access to your files while the program is running.
• It is relatively easy in an Ethernet LAN to fake an e-mail message and other messages which purport to come from someone else. It is also possible to fake a login session by recording a legitimate one and running the recording later on.

There are many hardware and software solutions to address the above Ethernet LAN security issues:

Hardware Solutions for Ethernet LAN Security
• Use a switched network: A switch can segregate a network into many parts, which can effectively prevent snooping and sniffing on a network. These switches also reduce network traffic by limiting messages to only the parts of the network on which they are needed, improving the efficiency of the whole network.
• Bridges and Routers: Bridges and routers are electronic filters which only pass a network message through themselves if the destination lies on the other side of the filter. Consequently, if "the snooper" is on one side of a bridge or router they will not see any traffic passing between computers on the other side of the filter.
• LAN Security Architecture (LSA): a proprietary technique where twisted pair hubs inspect incoming messages and will only transmit them unscrambled to the destination computer. All other computers on the hub receive scrambled messages.

Software Solutions for Ethernet LAN Security
• Encryption: Encrypting the data passing between your computer and its destination. There are many encryption technologies and products available which effectively protect information and data privacy. A popular encryption method used is PGP (Pretty Good Privacy).
• Authentication: Use a user name and password to authenticate users. It is necessary to encrypt the password and implement timestamps, making forgery extremely difficult.
• Combination technologies: Many new technologies are available which do both authentication and encryption. One such technology is Kerberos, which uses tokens, timestamps, tickets, and encryption to make transactions between computers secure.

VLAN: Virtual Local Area Network and IEEE 802.1Q
  10. 10. Virtual LAN (VLAN) refers to a group of Passwords logically networked devices on one or more Sensitive information LANs that are configured so that they can Information gathering communicate as if they were attached to • Broadcast Attacks the same wire, when in fact they are • Man-In-the-Middle (MIM) Attack: located on a number of different LAN Man-in-the-Middle (MIM) is a very common segments. Because VLANs are based on type of attack, in which an attacker inserts logical instead of physical connections, it is his computer between the communication very flexible for user/host management, paths of two target computers by Sniffs bandwidth allocation and resource packets from Network, modified them and optimization. then insert them back into the Network. • Denial of Services (DoS) Attack: There are the following types of Virtual A “Denial of Service (DoS)” attack is a flood LANs: of packets that consumes network resources and causes deadlock. 1. Port-Based VLAN: each physical • Session Hijacking: switch port is configured with an Session Hijacking is a process by which an access list specifying membership in attacker sees/ listen an active TCP a set of VLANs. connection between two other hosts and 2. MAC-based VLAN: a switch is then insert fake packets (in one or both configured with an access list directions) and takes control of the mapping individual MAC addresses connection. This method is similar to the to VLAN membership. MIM attack. 3. ATM VLAN - using LAN Emulation • Sniffing (Passwords, Sensitive (LANE) protocol to map Ethernet Information and Information packets into ATM cells and deliver Gathering): them to their destination by Sniffing is a process of monitoring all converting an Ethernet MAC address information or reading the packets that are into an ATM address. being transmitted on a network. An attacker can sniff network traffic and ARP: can also passively intercept network traffic. 
Address Resolution Protocol Then, through packet analysis, he might be Types of ARP Attacks: able to determine login IDs and passwords There are many ways an attacker can gain and collect other sensitive data. There are access or exploit your system. It is not so many tools available for Sniffing like important how attacker gain access into the Hunt, Sniffit, Ettercap, Snort and Dsniff. system. Once the intruder breaks into your system he can use it according to his way. They work as follows: Following are some types of attacks that a) Ethernet was built around a "shared" can be resulted from ARP Spoofing: principle: all machines on a local network • Man-in-the-Middle (MIM) share the same wire. • Denial of Services (DoS) b) This implies that all machines are able to • Session Hijacking "see" all the traffic on the same wire. • Sniffing
  11. 11. c) Thus, Ethernet hardware is built with a key security risks at the Network Layer "filter" that ignores all traffic that doesn't associated with the IP: belong to it. It does this by ignoring all frames whose MAC address doesn't match. • IP Spoofing: The intruder sends • Broadcast Attacks: messages to a host with an IP This technique is used to send a large address (not its own IP address) amount of ICMP echo request (Ping) traffic indicating that the message is to all known IP broadcast addresses with coming from a trusted host to gain the spoofed source address of the victim. un-authorized access to the host or other hosts. To engage in IP spoofing, a hacker must first use a Strategy to overcome the constraints: variety of techniques to find an IP address of a trusted host and then • Network Analyzer Tools and modify the packet headers so that it Sniffers: appears that the packets are coming It allows you to inspect network from that host. traffic at every level of the network stack in • Routing (RIP) attacks : Routing various degrees of detail. Information Protocol (RIP) is used to • Encryption: distribute routing information within Encryption is an effective way to networks, such as shortest-paths, defend against Sniffing and ARP Spoofing. and advertising routes out from the Encryption prevents any non-authorized local network. RIP has no built in party from reading or changing data. authentication, and the information • Intrusion Detection Systems (IDS): provided in a RIP packet is often IDS identify attacker’s attempts to used without verifying it attack or break into the network and • ICMP Attacks: ICMP is used by the IP misuse it. IDSs may monitor packets passing layer to send one-way informational over the network, monitor system files, messages to a host. There is no monitor log files, or set up deception authentication in ICMP, which leads systems that attempt to trap hackers. 
Port to attacks using ICMP that can result Scans and Denial-of-Service Attacks are an in a denial of service, or allowing the ongoing threat. attacker to intercept packets. Denial of service attacks primarily use either the ICMP "Time exceeded" or 6- Defending the Network Layer: "Destination unreachable" message. Both of these ICMP messages can Every layer of communication has its cause a host to immediately drop a own unique security challenges. The connection Network Layer is especially weak for many • PING Flood (ICMP Flood): PING is Denial of Service attacks and information one of the most common uses of privacy problems. The most popular ICMP which sends an ICMP "Echo protocol used in the network layer is IP Request" to a host, and waits for (Internet Protocol). The following are the that host to send back an ICMP "Echo Reply" message. Attacker
  12. 12. simply sends a huge number of connectionless integrity, data origin "ICMP Echo Requests" to the victim authentication, rejection of replayed to cause its system crash or slow packets (a form of partial sequence down. This is an easy attack because integrity), confidentiality (encryption), and many ping utilities support this limited traffic flow confidentiality. Because operation, and the hacker doesn't these services are provided at the IP layer, need much knowledge. they can be used by any higher layer • Packet Sniffing: Because most protocol, e.g., TCP, UDP, ICMP, BGP, etc. network applications distribute network packets in clear text, a These objectives are met through the use of packet sniffer can provide its user two traffic security protocols, the with meaningful and often sensitive Authentication Header (AH) and the information, such as user account Encapsulating Security Payload (ESP), and names and passwords. A packet through the use of cryptographic key sniffer can provide an attacker with management procedures and information that is queried from the protocols. The set of IPSec protocols database, as well as the user employed in any context, and the ways in account names and passwords used which they are employed, will be to access the database. This cause determined by the security and system serious information privacy requirements of users, applications, and/or problems as well as tools for crimes. sites/organizations. IPSec: Internet Protocol Security (IPSec) is a Protocol Structure: protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec provides security services at the network layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. 
IPSec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The set of security services that IPSec can provide includes access control,
7- Defending the Transport Layer:

The transport layer is especially weak against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The two most popular protocols used at the transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The following are the key security risks at the transport layer associated with TCP and UDP:

• TCP "SYN" attack, also known as SYN flooding. It takes advantage of a flaw in how most hosts implement the TCP three-way handshake. When host B receives a SYN request from host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds. Many implementations can only keep track of a very limited number of such connections. A malicious host can exploit the small size of the listen queue by sending many SYN requests to a host but never replying to the SYN/ACK the other host sends back. By doing so, the other host's listen queue quickly fills up, and it stops accepting new connections until a partially opened connection in the queue is completed or times out. This ability to remove a host from the network for at least 75 seconds can be used as a denial-of-service attack in itself, or as a tool to implement other attacks, such as IP spoofing.

• SSL Man-in-the-Middle attacks: SSL/TLS was supposed to mitigate that risk for web transactions by providing endpoint authentication and encryption. One faulty SSL client implementation, Microsoft Internet Explorer, allowed transparent SSL man-in-the-middle attacks where a correct implementation would have warned the user about problems with the server certificate.

• TCP connection hijacking, a form of Man-in-the-Middle attack. With this attack, an attacker lets normal authentication proceed between the two hosts and then seizes control of the connection. There are two possible ways to do this: one is during the TCP three-way handshake, and the other is in the middle of an established connection.

• UDP flood attack: UDP is a connectionless protocol and does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends UDP packets to random ports on the victim system. When the victim system receives a UDP packet, it determines which application is waiting on the destination port. When it finds that no application is waiting on that port, it generates an ICMP "destination unreachable" packet to the (forged) source address. If enough UDP packets are delivered to ports on the victim, the system spends its resources generating these replies and becomes unresponsive.

The three-way handshake: in the Transmission Control Protocol, the three-way handshake is the method used to establish a network connection (connection teardown uses a separate FIN/ACK exchange). This handshaking technique is referred to as the 3-way handshake.
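The listen-queue exhaustion described in the SYN-flood bullet above, and the stateless SYN-cookie defence that most kernels now use against it, as an added Python example that is not code from the original slides. The backlog size, the addresses and ports, the per-boot secret and the one-minute cookie window are assumptions made for the illustration; the 75-second half-open timeout is the figure the text uses.

```python
"""
Added example (not from the original slides): a model of the TCP listen
queue under a SYN flood, and of SYN cookies as the stateless defence.
Addresses, ports, backlog and the secret are illustrative constants.
"""
import hashlib
import hmac

HALF_OPEN_TIMEOUT = 75.0                 # seconds a half-open entry is kept (as in the text)
SECRET = b"per-boot-random-secret"       # assumption: a real kernel rotates this regularly


class ListenQueue:
    """Stateful model: one entry per half-open connection, bounded backlog."""

    def __init__(self, backlog, now):
        self.backlog = backlog
        self.half_open = {}              # (src_ip, src_port) -> time the SYN arrived
        self.now = now                   # simulated clock, seconds

    def on_syn(self, src):
        # expire stale entries first, as the kernel's retransmit timer eventually would
        expired = [k for k, t in self.half_open.items() if self.now - t >= HALF_OPEN_TIMEOUT]
        for k in expired:
            del self.half_open[k]
        if len(self.half_open) >= self.backlog:
            return False                 # queue full: the SYN is dropped silently
        self.half_open[src] = self.now   # SYN/ACK sent, state kept until ACK or timeout
        return True

    def on_ack(self, src):
        return self.half_open.pop(src, None) is not None


def syn_flood_then_client(backlog=128, attack_syns=1000):
    """Flood the queue from one attacker, then let a real client try 10 s later.
    Returns (number of attacker SYNs that got queue slots, legit client accepted?)."""
    q = ListenQueue(backlog, now=0.0)
    accepted = sum(q.on_syn(("203.0.113.7", 40000 + i)) for i in range(attack_syns))
    q.now = 10.0                         # attacker never ACKs, so nothing has left the queue
    return accepted, q.on_syn(("198.51.100.5", 51000))


def syn_cookie(src_ip, src_port, dst_ip, dst_port, minute):
    """Stateless initial sequence number: a truncated MAC over the 4-tuple and a
    coarse timestamp, so the server can recognise its own SYN/ACK later."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{minute}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def cookie_ack_valid(src_ip, src_port, dst_ip, dst_port, ack_number, now_minute):
    """Server side: rebuild the cookie for the current and previous minute and
    accept the ACK only if ack_number == cookie + 1. No half-open state needed."""
    for m in (now_minute, now_minute - 1):
        if (syn_cookie(src_ip, src_port, dst_ip, dst_port, m) + 1) & 0xFFFFFFFF == ack_number:
            return True
    return False


def syn_cookie_demo():
    """Returns (honest handshake completes?, forged ACK accepted?)."""
    server = ("192.0.2.10", 443)
    legit = ("198.51.100.5", 51000)
    isn = syn_cookie(*legit, *server, minute=7)          # SYN/ACK carries ISN = cookie
    ok = cookie_ack_valid(*legit, *server, (isn + 1) & 0xFFFFFFFF, now_minute=7)
    forged = cookie_ack_valid(*legit, *server, 0x12345678, now_minute=7)
    return ok, forged
```

With a 128-entry backlog, the first 128 attacker SYNs take every slot and the genuine client arriving ten seconds later is refused, which is exactly the 75-second outage the text describes; with SYN cookies the server keeps nothing per SYN, so a flood costs it only the SYN/ACK replies. Real implementations (for example Linux with `net.ipv4.tcp_syncookies=1`) also squeeze the negotiated MSS into the cookie, since the options from the original SYN are not stored either.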
It is also written "SYN-SYN-ACK" (or, more accurately, SYN, SYN-ACK, ACK). The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the network connection before beginning communication:

• Host A sends a TCP SYNchronize packet to Host B
• Host B receives A's SYN
• Host B sends a SYNchronize-ACKnowledgement
• Host A receives B's SYN-ACK
• Host A sends an ACKnowledge
• Host B receives the ACK. The TCP connection is ESTABLISHED.

Transport Layer Security:

Transport Layer Security (TLS) provides a way to create a secure network connection between a client and a server by encrypting the traffic between the two entities. TLS is the successor of the Secure Sockets Layer (SSL); both protocols provide security for applications such as email, instant messaging, web browsing and VoIP (Voice over Internet Protocol).

TLS is used by organizations that process payments, store sensitive data such as medical information, or collect confidential information from users on the network, and it can also be used by any other business that wants to secure the network connection between a client and a server.

TLS relies on a digital certificate that identifies the owner of the server and carries the public key used to set up the encrypted connection. The certificate is installed on the part of the server that requires encryption. When the client connects, it opens with a message that identifies it and lists the cryptographic methods (cipher suites) it supports; the server replies by selecting the method to be used, so that client and server are "speaking the same language" before any application data is exchanged.

• Different types of Transport Layer Security: there are several kinds of TLS deployment, depending on the encryption requirements of the organization.
• Web server Transport Layer Security: this type of encryption protects data when a client connects over the Internet to send data through a web browser or website. TLS provides a secure web server and prevents the data from being intercepted by an unauthorized user.
• Email server Transport Layer Security: to secure communications between the email client and the server, a digital certificate is installed on the email server to provide encrypted communication when sending and receiving confidential information via email.
• Virtual Private Network security: TLS secures a virtual private network appliance by installing a digital certificate on the VPN appliance, which provides an encrypted connection between the remote user and the network they are accessing.
• Database and directory security: organizations deploy TLS to encrypt queries to database and directory servers that contain sensitive data.

8- Defending the Session Layer:

The protocols that operate at this layer are discussed below.

NetBIOS:

NetBIOS is a protocol that Microsoft Windows systems use to share resources. For example, if a PC running Windows wants to connect to and access a share on a file server, it probably uses NetBIOS. SMB, the method used to access file and printer shares, runs over NetBIOS on TCP port 139 and can also run independently of NetBIOS on TCP port 445. Both of these approaches, however, tend to increase the attack surface of a network.

The ports that would have to be opened to the Internet are UDP/137, UDP/138 and TCP/139. Unfortunately, NetBIOS on these ports is the most popular attacker target. Once an attacker discovers an active port 139 on a device, he can run nbtstat (nbtstat -A against the address) to begin the very important first step of an attack, footprinting. With the nbtstat command he can obtain some or all of the following information:

• Computer name
• Contents of the remote name cache, including IP addresses
• A list of local NetBIOS names
• A list of names resolved by broadcast or via WINS
• Contents of the session table with the destination IP addresses

Defending against external NetBIOS connections:

• Disable the system's ability to support null sessions
• Define very strong passwords for the local administrator accounts
• Define very strong passwords for shares, assuming you absolutely have to have shares on exposed systems

9- Defending the Presentation Layer:

S/MIME security:

S/MIME support is one of Outlook's unheralded important features. It gives you end-to-end protection:

• S/MIME is tailored for end-to-end security. Encryption will not only encrypt your messages but also any malware in them. Thus, if your mail is scanned for malware anywhere but at the endpoints, such as at your company's gateway, encryption will defeat the detector and successfully deliver the malware.

Solutions:

o Perform malware scanning on end-user stations after decryption.
o Use message content scanners specifically designed to check the content of encrypted messages. Such scanners need access to the recipients' decryption keys, which is a deliberate trade-off against the end-to-end property.

10- Defending the Application Layer:

1. SMTP: Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is a protocol designed to transfer electronic mail reliably and efficiently. SMTP is a mail service modeled on the FTP file transfer service. SMTP transfers mail messages between systems and provides notification regarding incoming mail.

SMTP is independent of the particular transmission subsystem and requires only a reliable, ordered data stream channel. An important feature of SMTP is its capability to transport mail across networks, usually referred to as "SMTP mail relaying". Using SMTP, a process can transfer mail to another process on the same network or to some other network via a relay or gateway process accessible to both networks.

In this way, a mail message may pass through a number of intermediate relay or gateway hosts on its path from sender to ultimate recipient. The Mail eXchanger (MX) mechanism of the Domain Name System is used to identify the appropriate next-hop destination for a message being transported.
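Relay control as an MTA applies it to each RCPT TO command, as an added Python example that is not code from the original slides: mail addressed to one of the server's own domains is inbound delivery and is always accepted, whereas mail for any other domain is relaying and is accepted only from a trusted source network (the "is the client on the provider's own network" check) or from a client that has authenticated. The domains, the trusted networks and the sample sessions are assumptions constructed for the example.

```python
"""
Added example (not from the original slides): the relay-control decision
an MTA makes for each RCPT TO, given where the client connected from.
Domains, networks and the sample sessions are constructed for the example.
"""
import ipaddress

# assumption: the MTA serves these domains and trusts clients in these networks
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
RELAY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("2001:db8:1::/48")]


def recipient_domain(address):
    """Take the domain of an RFC 5321 path such as <user@example.org>."""
    local = address.strip().strip("<>")
    if local.count("@") != 1:
        raise ValueError("malformed recipient: %r" % address)
    return local.rsplit("@", 1)[1].lower().rstrip(".")


def is_trusted_client(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in RELAY_NETWORKS)


def relay_decision(client_ip, authenticated, rcpt):
    """Return the SMTP reply for one RCPT TO command.

    Mail *for* a local domain is inbound delivery, not relaying, so it is
    always accepted. Mail for any other domain is relaying and is allowed
    only when the client is on a trusted network or has authenticated;
    anything else would make this server an open relay.
    """
    domain = recipient_domain(rcpt)
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 OK"
    if authenticated or is_trusted_client(client_ip):
        return "250 2.1.5 OK"
    return "554 5.7.1 <%s>: Relay access denied" % rcpt.strip("<>")


# constructed sessions: (client IP, authenticated?, RCPT TO argument)
SAMPLE_SESSIONS = [
    ("192.0.2.45", False, "<bob@example.org>"),       # on the provider's own network: may relay
    ("198.51.100.9", False, "<bob@example.org>"),     # foreign client, no auth: must be refused
    ("198.51.100.9", False, "<alice@example.com>"),   # foreign client delivering to us: fine
    ("198.51.100.9", True, "<bob@example.org>"),      # roaming user who authenticated: may relay
    ("2001:db8:1::10", False, "<bob@example.org>"),   # trusted IPv6 network
]


def run_samples():
    """Replies for the constructed sessions, in order."""
    return [relay_decision(*s) for s in SAMPLE_SESSIONS]
```

Only the second session is refused: the client is neither on a trusted network nor authenticated and is asking the server to carry mail for a domain it does not serve. The network check alone breaks for the travelling user in the fourth session, which is why SMTP authentication on the submission port is the usual replacement for it.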
• Security: one of the ways to restrict access to an outgoing mail server is to verify that the computer is on the ISP's local network. When you dial your modem and connect to your ISP, your computer is given an IP address that identifies you as part of that ISP's network. If you have two ISPs, dial up to one and then connect to the other's mail server, the server may refuse to relay your mail because your computer is not identified as being on the local network of the provider whose mail server you are sending through. In this case, use the SMTP server of the provider you dialed up to connect to the Internet. A server that relays for anyone is an open relay and is quickly abused for spam, which is why this check, or SMTP authentication, is enforced.

2. SNMP: Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is the protocol developed to manage nodes (servers, workstations, routers, switches, hubs, etc.) on an IP network. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. Network management systems learn of problems by receiving traps or change notices from network devices implementing SNMP.

An SNMP-managed network consists of three key components: managed devices, agents, and network-management systems (NMSs). A managed device is a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make it available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. An agent is a network-management software module that resides in a managed device; it has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices.

• SNMP v1: basic operations and features
• SNMP v2: additional operations
• SNMP v3: security enhancements (user-based authentication and encryption; v1 and v2c carry only a cleartext community string)

Why security is important in SNMP:

The need for security in SNMP is obvious, because the MIB objects being communicated contain critical information about network devices. We don't want just anyone "snooping" into our network to find out our IP addresses, how long our machines have been running, whether our links are down, or pretty much anything else. Write access is worse still: a SET request with a known community string reconfigures the device.

3. DHCP

DHCP spoofing

DHCP spoofing is an attack in which IP addresses are obtained from, or handed out in place of, a DHCP server using spoofed DHCP messages.
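The switch-side defences against both forms of DHCP abuse covered in this DHCP section, a rogue server answering clients and a starvation flood from spoofed MAC addresses, modelled as an added Python example that is not code from the original slides. It implements DHCP snooping (server messages are accepted only from ports marked trusted, and a client message whose DHCP chaddr does not match the frame's source MAC is dropped) and port security (a cap on the number of source MACs an access port may originate). Port names, MAC addresses and the sample frames are constructed for the example.

```python
"""
Added example (not from the original slides): a model of DHCP snooping and
port security, the two switch features that counter rogue DHCP servers and
gobbler-style starvation. Port names, MACs and frames are constructed.
"""
from collections import defaultdict

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE"}


class Switch:
    def __init__(self, trusted_ports, max_macs_per_port):
        self.trusted = set(trusted_ports)        # uplinks toward the real DHCP server
        self.max_macs = max_macs_per_port        # port-security limit on access ports
        self.seen_macs = defaultdict(set)        # port -> source MACs learned
        self.bindings = {}                       # MAC -> (ip, port), the snooping table
        self.dropped = []                        # (reason, frame) for later review

    def forward(self, frame):
        """frame: dict with port, src_mac, msg and, for DHCP, chaddr / yiaddr.
        Returns True if the frame is forwarded, False if dropped."""
        port, mac, msg = frame["port"], frame["src_mac"], frame["msg"]

        # port security: an untrusted access port may only source a few MACs
        if port not in self.trusted:
            learned = self.seen_macs[port]
            if mac not in learned and len(learned) >= self.max_macs:
                self.dropped.append(("port-security", frame))
                return False
            learned.add(mac)

        # DHCP snooping: server replies are only believable from trusted ports
        if msg in SERVER_MESSAGES and port not in self.trusted:
            self.dropped.append(("rogue-dhcp-server", frame))
            return False

        # DHCP snooping: the client hardware address must match the L2 source
        if msg in CLIENT_MESSAGES and frame.get("chaddr") != mac:
            self.dropped.append(("chaddr-mismatch", frame))
            return False

        if msg == "ACK":                          # record the lease the real server granted
            self.bindings[frame["chaddr"]] = (frame["yiaddr"], port)
        return True


def starvation_and_rogue_demo():
    """Replay constructed frames; returns (forwarded, drop counts, bindings)."""
    sw = Switch(trusted_ports={"Gi0/24"}, max_macs_per_port=2)
    frames = []
    # gobbler-style flood: 50 DISCOVERs from one port, each with a fresh MAC
    for i in range(50):
        m = "02:00:00:00:00:%02x" % i
        frames.append({"port": "Fa0/3", "src_mac": m, "msg": "DISCOVER", "chaddr": m})
    # a legitimate exchange: client on Fa0/5, the real server answers via the uplink
    frames.append({"port": "Fa0/5", "src_mac": "00:11:22:33:44:55", "msg": "DISCOVER",
                   "chaddr": "00:11:22:33:44:55"})
    frames.append({"port": "Gi0/24", "src_mac": "00:aa:bb:cc:dd:ee", "msg": "ACK",
                   "chaddr": "00:11:22:33:44:55", "yiaddr": "10.0.0.20"})
    # rogue server on an access port offering itself as the client's gateway
    frames.append({"port": "Fa0/7", "src_mac": "00:de:ad:be:ef:00", "msg": "OFFER",
                   "chaddr": "00:11:22:33:44:55", "yiaddr": "10.0.0.99"})
    # spoofed chaddr: one NIC asking for leases under another name
    frames.append({"port": "Fa0/5", "src_mac": "00:11:22:33:44:55", "msg": "REQUEST",
                   "chaddr": "00:11:22:33:44:66"})

    forwarded = sum(sw.forward(f) for f in frames)
    reasons = defaultdict(int)
    for reason, _ in sw.dropped:
        reasons[reason] += 1
    return forwarded, dict(reasons), sw.bindings
```

Of the fifty flood frames only two reach the DHCP server, so the pool is not exhausted; the rogue OFFER never leaves the access port; and the snooping table ends up holding just the lease the real server granted, which is the table that features such as dynamic ARP inspection later consult. Production DHCP snooping additionally rate-limits DISCOVERs per port, since even an attacker who respects the MAC cap can still send them quickly.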
Consider the case where the DHCP server is on a remote network and an IP address is required to reach that network: since the DHCP server supplies the IP address, the requester is at an impasse. Some access devices (the Pipeline, for example) use a benign form of the same mechanism to resolve it: when the device receives a DHCP Discover packet (a request for an IP address from a PC on the network), it responds with a DHCP Offer packet containing a configured (spoofed) IP address and a renewal time set to a few seconds. The requester can then reach the real DHCP server and obtains a real IP address. (Other variations exist in environments where the APP server utility is running.) An attacker who answers Discover packets in the same way, but with his own addresses, is running a rogue DHCP server.

DHCP starvation

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource-starvation attack, just as a SYN flood is a starvation attack. Subsequently, a legitimate user is denied an address when requesting a DHCP lease and is thus unable to access the network. Exhausting all of the DHCP addresses is not required to introduce a rogue DHCP server, though.

DHCP starvation may be purely a denial-of-service (DoS) mechanism or may be used in conjunction with a rogue-server attack to redirect traffic to a malicious computer ready to intercept it. When the normal DHCP server is down or has no addresses left, the network attacker can set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. The intruder may issue an address together with DNS server or default gateway information that redirects traffic to a computer under the intruder's control.

DHCP starvation attack mitigation

Limiting the number of MAC addresses on a switch port (port security) reduces the risk of a DHCP starvation attack. As more systems implement RFC 3118, Authentication for DHCP Messages, DHCP starvation attacks will become more difficult.

Adding security to DHCP

Since DHCP runs over UDP and IP, one could use IPsec at layer three to provide authentication. Note that a client has no IP address yet when it sends its first Discover, so IPsec cannot protect that initial exchange; this is why message-level authentication (RFC 3118) and switch-side controls such as DHCP snooping are used instead.

4. FTP: File Transfer Protocol

File Transfer Protocol (FTP) enables file sharing between hosts. FTP uses TCP to create a virtual connection for control information and then creates a separate TCP connection for data transfers.
The control connection uses an image of the TELNET protocol to exchange commands and messages between hosts.

The key functions of FTP are:

1) To promote sharing of files (computer programs and/or data),
2) To encourage indirect or implicit (via programs) use of remote computers,
3) To shield a user from variations in file storage systems among hosts, and
4) To transfer data reliably and efficiently.

FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.

FTP has little security protection when performing file transfers: both the user's password and the data are exposed on the network. To make file transfer more secure, several enhancements have been made to FTP, including SFTP, SSH-protected FTP and BBFTP.

• SFTP: encrypts the data that is transferred (and the password, since the whole SSH session is encrypted). It should only be used to transfer small (1-10 KB) files containing sensitive data; large files that do not contain sensitive information should be transferred via a method that does not encrypt data.

• SSH-protected FTP: this transfer method encrypts the password information but does NOT encrypt the data being transferred. As a result, it should only be used to transfer large (and small) files that do NOT contain sensitive information. Files that contain sensitive information should be transferred with SFTP.

S-FTP, or Secure FTP, S/FTP:

Secure FTP (S-FTP or S/FTP) is the enhanced version of the File Transfer Protocol (FTP) with security features. Mainly, S-FTP adds encryption to the FTP contents, which are sent in clear text in the original FTP. S-FTP is available on almost all operating systems, including Windows, UNIX and Macintosh. The name is overloaded in practice: SFTP (the SSH File Transfer Protocol) and FTPS (FTP over TLS) are different protocols, and a practitioner should check which one a given server actually offers.

5. Hypertext Transfer Protocol Secure (HTTPS)

HTTPS is the combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.

S-HTTP: Secure Hypertext Transfer Protocol

Secure HTTP (S-HTTP) is a secure message-oriented communications protocol designed for use in conjunction with HTTP. S-HTTP is designed to coexist with HTTP's messaging model and to be easily integrated with HTTP applications.

Secure HTTP provides a variety of security mechanisms to HTTP clients and servers, providing the security service options appropriate to the wide range of potential end uses possible for the World-Wide Web (WWW).
S-HTTP provides symmetric capabilities to both client and server (in that equal treatment is given to both requests and replies, as well as to the preferences of both parties) while preserving the transaction model and implementation characteristics of HTTP. In practice S-HTTP (RFC 2660) saw almost no deployment; HTTPS is what browsers and servers use.