This document provides an overview of network security topics including diffing, sniffing, session hijacking, spoofing, SSL, TLS, IPSec, and VPNs. It discusses how these attacks work and methods to protect against them, such as encryption. Network layer security protocols like IPSec are described, which uses authentication headers or encapsulating security payloads to provide security services to packets. Transport layer security protocols SSL and TLS are also summarized, including how they establish encrypted sessions between clients and servers.

1. 241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter VI: Network Security
Dr. Sangsuree Vasupongayya

2. 241-427-SV-2-2553-COE-PSU 2
Outline
o Attacks
n Diffing
n Sniffing
n Session Hijacking
n Spoofing
o Protocols
n SSL
n TLS
n IPsec
o VPN

3. 241-427-SV-2-2553-COE-PSU 3
Diffing
o Practice of comparing two things for differences
especially after some change has been made
o To determine the portion of the file or the memory
location of the item of interest
E.g., finding a portion of the file containing
information of interests
o Decoding information rather than changing it
o Example commands
n Fc
n Diff
n Hex editors
n Hackman

4. 241-427-SV-2-2553-COE-PSU 4
Sniffing
o Program or tool that passively monitors a computer
network for key information that the attacker is
interested in
n Authentication information e.g., usernames &
passwords
o E.g., protocols that have been reported
n Telnet (port 23), FTP (port 21), HTTP (port 80), POP
(port 110), IMAP (port 143)
o E.g., sniffing tools
n TCPDump, dsniff, esniff, wireshark

5. 241-427-SV-2-2553-COE-PSU 5
Protection under sniffing
o Encryption
o Secure Shell (SSH)
n Secure replacement for Telnet, rlogin, rsh, rcp
o Detection
n Checking whether a network interface is running in
promiscuous mode
n Network detections
o Latency in the host’s response
o Network monitoring

6. 241-427-SV-2-2553-COE-PSU 6
Session Hijacking
o The act of taking over a connection of some sort (or
one that is in the process of being set up)
o To steal trust
o How it works
n Jump into a middle of the conversation
n Get your packet to the host before the legitimate one
n ACK storm:
o the real host gets duplicate packet
o the original sender keeps sending packages
o Protection
n Encryption (e.g., SSL)
n Storm watchers

7. 241-427-SV-2-2553-COE-PSU 7
Spoofing
o Providing false information about a principal’s
identity to obtain unauthorized access to systems
and their services
o Sending a message that is not what it claims to be
o Operate at all layers in between the client and the
server
o No content-level spoofing is taking place, although
the falsified headers are clearly representing a
spoof of their own
o Spoofing is always intentional

8. 241-427-SV-2-2553-COE-PSU 8
Attacks on Server
o Denial of Service
n Reduce the usefulness of the server
o How the remote user can gain access to the system
n Daemon/service: OS provides network services
e.g., mail services, Web servers, name servers,
remote access services
n Program interaction: vulnerability caused by the
unintentional modify
n Flaws in the protocols or programs
o How to prevent DoS
n Defined the goal
n Auditing system (log)
n IDSs

9. 241-427-SV-2-2553-COE-PSU 9
Attacks on Clients
o Vulnerability:
n errors or unintended behavior in programs acting as
a client
n any program that can receive data from an outside
sources
o How to secure your clients
n Minimize use
n Anti-Virus software
n Limiting trust
n Client configuration

10. 241-427-SV-2-2553-COE-PSU 10
Security at the Transport Layer
o Provides end-to-end security services
E.g., transaction on the internet
n Entity authentication: the customer needs to be sure
that the server belongs to the actual vendor
n Message integrity: the contents of the message are
not modified during transmission
n Confidentiality: no one can intercept sensitive
information
o SSL & TLS are the two protocols
n SSL: Secure Sockets Layer Protocol
n TLS: Transport Layer Security Protocol

11. 241-427-SV-2-2553-COE-PSU 11
Secure Sockets Layer Protocol
o Designed to provide security and compression
services to data generated from the application
layer (usually HTTP)
o The data is compressed (optional), signed, and
encrypted and then passed to a reliable transport
layer protocol such as TCP

12. 241-427-SV-2-2553-COE-PSU 12
Sessions vs connections

13. 241-427-SV-2-2553-COE-PSU 13
Sessions vs Connections
o Client – server
o To create a new session
a negotiation process
must be done
o A session can consist of
many connections
o Both parties have
common information
o Defined by a session
state parameter
o Peer-peer
o To create a new
connection (resume a
session), the two parties
can skip part of the
negotiation process
o Defined by a connection
state parameter

14. 241-427-SV-2-2553-COE-PSU 14
SSL defines 4 protocols

15. 241-427-SV-2-2553-COE-PSU 15
SSL defines 4 protocols (cont)
o The record protocol carries message from 3 other
protocols as well as the data coming from the
application layer
o The handshake protocol provides security
parameters by establishing a cipher set and
providing keys and authenticating
o The ChangeCipherSpec for signaling the readiness
of cryptographic secrets
o The Alert protocol to report abnormal conditions

16. 241-427-SV-2-2553-COE-PSU 16
Handshake Protocol

17. 241-427-SV-2-2553-COE-PSU 17
Handshake Protocol: Phase I

18. 241-427-SV-2-2553-COE-PSU 18
Handshake Protocol: Phase II

19. 241-427-SV-2-2553-COE-PSU 19
Handshake Protocol: Phase III

20. 241-427-SV-2-2553-COE-PSU 20
Handshake Protocol: Phase IV

21. 241-427-SV-2-2553-COE-PSU 21
SSL actions
o Fragmentation: divides the data into block of 214
bytes or less
o Compression (option): using one of the lossless
compression methods negotiated between the
client and server
o Message integrity: uses keyed-hash function to
create a MAC
o Confidentiality: the data & MAC are encrypted using
symmetric-key
o Framing: a header is added to the payload before
passed to TCP

22. 241-427-SV-2-2553-COE-PSU 22
Algorithms in SSL
o 8-byte initialization vector (IV) except 20-byte IV is
used in Fortezza

23. 241-427-SV-2-2553-COE-PSU 23
Key-exchange in SSL

24. 241-427-SV-2-2553-COE-PSU 24
SSL message formats
Record Protocol header
ChangeCipherSpec Protocol
Alert Protocol
Generic header for Handshake Protocol

25. 241-427-SV-2-2553-COE-PSU 25
Types of Handshake message

26. 241-427-SV-2-2553-COE-PSU 26
Transport Layer Security
o TLS does not support Fortezza
o Generation of Cryptographic secrets
n More complex than SSL
n Data-expansion
o To expand a secret into a longer one
o To make some dependency, the second seed is the
output of the first
n Pseudorandom function

27. 241-427-SV-2-2553-COE-PSU 27
Data-expansion

28. 241-427-SV-2-2553-COE-PSU 28
Pseudorandom function

29. 241-427-SV-2-2553-COE-PSU 29
Master secret generation
o Pre-master secret same as SSL
o Use Pseudorandom function to create master secret

30. 241-427-SV-2-2553-COE-PSU 30
Key materials
o Generated by Pseudorandom function

31. 241-427-SV-2-2553-COE-PSU 31
Alert Protocol
o Support all in SSL except NoCertificate
o Additional alerts

32. 241-427-SV-2-2553-COE-PSU 32
Handshake Protocol
CertificateVerify
message
Finished message

33. 241-427-SV-2-2553-COE-PSU 33
Record Protocol

34. 241-427-SV-2-2553-COE-PSU 34
Security at the Network Layer
Security at the above layers may not be enough
o Not all client/server programs are protected at the
application layer
o Not all client/server programs at the application
layer use the service of TCP to be protected by SSL
or TLS
n E.g., UDP
o Many application such as routing protocols directly
use the service of IP
n Security at IP layer is needed

35. 241-427-SV-2-2553-COE-PSU 35
IPSec
o A collection of protocols designed by the Internet
Engineering Task Force to provide security for a
packet at the network level
o Create authenticated and confidential packets for
the IP layer

36. 241-427-SV-2-2553-COE-PSU 36
IPSec
o Has two modes
n Transport mode
n Tunnel mode
o Has two security protocols
n Authentication header (AH) protocol
n Encapsulating security payload (ESP)

37. 241-427-SV-2-2553-COE-PSU 37
IPSec: transport mode
o IPSec protects what is delivered from the transport
layer to the network layer
o The IP header does not protect under the transport
mode
o The IPSec header (and trailer) are added to the
information
o It only protects the packet from the transport layer
o Use when we need host-to-host (end-to-end)
protection of data

38. 241-427-SV-2-2553-COE-PSU 38
IPSec: transport mode

39. 241-427-SV-2-2553-COE-PSU 39
IPSec: tunnel mode
o IPSec protects the entire IP packet
o A new IP header is added (different information
than the original IP header)
o Use between two routers or host to router or router
to host

40. 241-427-SV-2-2553-COE-PSU 40
IPSec: tunnel mode

41. 241-427-SV-2-2553-COE-PSU 41
Comparison of the two modes

42. 241-427-SV-2-2553-COE-PSU 42
Authentication Header Protocol

43. 241-427-SV-2-2553-COE-PSU 43
Authentication Header Protocol
o Purpose
n To authenticate the source host
n To ensure the integrity of the payload carried in the
IP packet
o Action
n Uses a hash function and a symmetric key to create a
message digest
n The digest is inserted in the authentication header
n The AH is then placed in the appropriate location
based on the mode

44. 241-427-SV-2-2553-COE-PSU 44
Encapsulating Security Payload (ESP)
o Purpose
n Provides source authentication, integrity, privacy

45. 241-427-SV-2-2553-COE-PSU 45
Encapsulating Security Payload (ESP)
o Action: ESP adds a header and a trailer
1. ESP trailer is added to the payload
2. The payload and the trailer are encrypted
3. The ESP header is added
4. The ESP header, payload, and ESP trailer are used
to create the authentication data
5. The authentication data are added to the end of the
ESP trailer
6. the IP header is added after changing the protocol
value to 50

46. 241-427-SV-2-2553-COE-PSU 46
Remarks
o IPv4 and IPv6
n IPSec supports both IPv4 and IPv6 (AH & ESP are
parts of the Extension header)
o Why do we need AH?
n ESP was designed after AH was already included in
some commercial products
o IPSec services
n Access control
n Message integrity
n Entity authentication
n Confidentiality (except AH)
n Replay attack protection

47. 241-427-SV-2-2553-COE-PSU 47
Security Association (SA)
o is a logical relationship between two hosts
o is an aspect of IPSec
Idea:
n SA is a contact between two hosts (one inbound SA
and one outbound SA)
n SA can be very complex, when the party wants to
communicate with many people (a database of a set
of SAs)

48. 241-427-SV-2-2553-COE-PSU 48
Typical SA parameters

49. 241-427-SV-2-2553-COE-PSU 49
Security Policy (SP)
o Is an aspect of IPSec
o Defines the type of security applied to a packet
when it is to be sent or when it has arrived
o Security policy database (SPD)
n Each host that is using the IPSec protocol needs to
keep a SPD (inbound, outbound).
n Each entry in the SPD can be accessed using a
sixtuple index
< source address, destination address, name, protocol,
source port, and destination port>

50. 241-427-SV-2-2553-COE-PSU 50
Security policy database (SPD)
o Address (unicast, multicast, wildcard)
o Name (defines a DNS entity)
o Protocol (AH, ESP)

51. 241-427-SV-2-2553-COE-PSU 51
Outbound processing

52. 241-427-SV-2-2553-COE-PSU 52
Outbound processing
o Drop: packet cannot be sent
o Bypass: packet is sent w/o security
because there is no policy for the packet
o Apply
n Case 1: outbound SA is already established
the packet is transmitted accordingly
n Case 2: outbound SA is not established
the Internet Key Exchange (IKE) is called to create
an outbound and an inbound SA

53. 241-427-SV-2-2553-COE-PSU 53
Inbound processing

54. 241-427-SV-2-2553-COE-PSU 54
Inbound processing
o Discard: packet is dropped
o Bypass: the packet is delivered to the transport
layer w/o security
o Apply
n Case 1: inbound SA is already established
the packet is processed accordingly
n Case 2: inbound SA is not established
the packet must be discarded

55. 241-427-SV-2-2553-COE-PSU 55
Virtual Private Networks (VPN)
o A mechanism of employing encryption,
authentication and integrity protection
o Offers high amount of security
o No require any special cabling
o Combine advantages of
n a public network
o Cheap
o Easily available
n A private network
o Secure
o Reliable
o A mechanism to simulate a private network over a
public network such as the Internet
o Connections made up of packets and are temporary

56. 241-427-SV-2-2553-COE-PSU 56
Network Address Translation (NAT)
1
2
NATClient
From 172.47.9.6,
Port 59789 From 60.168.34.2,
Port 63472
Internet
Server
Host
IP Addr
172.47.9.6
…
Port
59789
…
IP Addr
60.168.34.2
…
Port
63472
…
Internal ExternalTranslation Table

57. 241-427-SV-2-2553-COE-PSU 57
Network Address Translation (NAT)
4
3NATClient
Internet
Server
Host
To 172.47.9.6,
Port 59789
To 60.168.34.2,
Port 63472
Translation Table
IP Addr
172.47.9.6
…
Port
59789
…
IP Addr
60.168.34.2
…
Port
63472
…
Internal External