1. 1
241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter VI: Network Security
Dr. Sangsuree Vasupongayya
241-427-SV-2-2553-COE-PSU 2
Outline
o Attacks
n Diffing
n Sniffing
n Session Hijacking
n Spoofing
o Protocols
n SSL
n TLS
n IPsec
o VPN
241-427-SV-2-2553-COE-PSU 3
Diffing
o Practice of comparing two things for differences
especially after some change has been made
o To determine the portion of the file or the memory
location of the item of interest
E.g., finding a portion of the file containing
information of interests
o Decoding information rather than changing it
o Example commands
n Fc
n Diff
n Hex editors
n Hackman
2. 2
241-427-SV-2-2553-COE-PSU 4
Sniffing
o Program or tool that passively monitors a computer
network for key information that the attacker is
interested in
n Authentication information e.g., usernames &
passwords
o E.g., protocols that have been reported
n Telnet (port 23), FTP (port 21), HTTP (port 80), POP
(port 110), IMAP (port 143)
o E.g., sniffing tools
n TCPDump, dsniff, esniff, wireshark
241-427-SV-2-2553-COE-PSU 5
Protection under sniffing
o Encryption
o Secure Shell (SSH)
n Secure replacement for Telnet, rlogin, rsh, rcp
o Detection
n Checking whether a network interface is running in
promiscuous mode
n Network detections
o Latency in the host’s response
o Network monitoring
241-427-SV-2-2553-COE-PSU 6
Session Hijacking
o The act of taking over a connection of some sort (or
one that is in the process of being set up)
o To steal trust
o How it works
n Jump into a middle of the conversation
n Get your packet to the host before the legitimate one
n ACK storm:
o the real host gets duplicate packet
o the original sender keeps sending packages
o Protection
n Encryption (e.g., SSL)
n Storm watchers
3. 3
241-427-SV-2-2553-COE-PSU 7
Spoofing
o Providing false information about a principal’s
identity to obtain unauthorized access to systems
and their services
o Sending a message that is not what it claims to be
o Operate at all layers in between the client and the
server
o No content-level spoofing is taking place, although
the falsified headers are clearly representing a
spoof of their own
o Spoofing is always intentional
241-427-SV-2-2553-COE-PSU 8
Attacks on Server
o Denial of Service
n Reduce the usefulness of the server
o How the remote user can gain access to the system
n Daemon/service: OS provides network services
e.g., mail services, Web servers, name servers,
remote access services
n Program interaction: vulnerability caused by the
unintentional modify
n Flaws in the protocols or programs
o How to preventDoS
n Defined the goal
n Auditing system (log)
n IDSs
241-427-SV-2-2553-COE-PSU 9
Attacks on Clients
o Vulnerability:
n errors or unintended behavior in programs acting as
a client
n any program that can receive data from an outside
sources
o How to secure your clients
n Minimize use
n Anti-Virus software
n Limiting trust
n Client configuration
4. 4
241-427-SV-2-2553-COE-PSU 10
Security at the Transport Layer
o Provides end-to-end security services
E.g., transaction on the internet
n Entity authentication: the customer needs to be sure
that the server belongs to the actual vendor
n Message integrity: the contents of the message are
not modified during transmission
n Confidentiality: no one can intercept sensitive
information
o SSL & TLS are the two protocols
n SSL: Secure Sockets Layer Protocol
n TLS: Transport Layer Security Protocol
241-427-SV-2-2553-COE-PSU 11
Secure Sockets Layer Protocol
o Designed to provide security and compression
services to data generated from the application
layer (usually HTTP)
o The data is compressed (optional), signed, and
encrypted and then passed to a reliable transport
layer protocol such as TCP
241-427-SV-2-2553-COE-PSU 12
Sessions vs connections
5. 5
241-427-SV-2-2553-COE-PSU 13
Sessions vs Connections
o Client – server
o To create a new session
a negotiation process
must be done
o A session can consist of
many connections
o Both parties have
common information
o Defined by a session
state parameter
o Peer-peer
o To create a new
connection (resume a
session), the two parties
can skip part of the
negotiation process
o Defined by a connection
state parameter
241-427-SV-2-2553-COE-PSU 14
SSL defines 4 protocols
241-427-SV-2-2553-COE-PSU 15
SSL defines 4 protocols (cont)
o The record protocol carries message from 3 other
protocols as well as the data coming from the
application layer
o The handshake protocol provides security
parameters by establishing a cipher set and
providing keys and authenticating
o The ChangeCipherSpec for signaling the readiness
of cryptographic secrets
o The Alert protocol to report abnormal conditions
7. 7
241-427-SV-2-2553-COE-PSU 19
Handshake Protocol: Phase III
241-427-SV-2-2553-COE-PSU 20
Handshake Protocol: Phase IV
241-427-SV-2-2553-COE-PSU 21
SSL actions
o Fragmentation: divides the data into block of 214
bytes or less
o Compression (option): using one of the lossless
compression methods negotiated between the
client and server
o Message integrity: uses keyed-hash function to
create a MAC
o Confidentiality: the data & MAC are encrypted using
symmetric-key
o Framing: a header is added to the payload before
passed to TCP
8. 8
241-427-SV-2-2553-COE-PSU 22
Algorithms in SSL
o 8-byte initialization vector (IV) except 20-byte IV is
used in Fortezza
241-427-SV-2-2553-COE-PSU 23
Key-exchange in SSL
241-427-SV-2-2553-COE-PSU 24
SSL message formats
Record Protocol header
ChangeCipherSpec Protocol
Alert Protocol
Generic header for Handshake Protocol
9. 9
241-427-SV-2-2553-COE-PSU 25
Types of Handshake message
241-427-SV-2-2553-COE-PSU 26
Transport Layer Security
o TLS does not supportFortezza
o Generation of Cryptographic secrets
n More complex than SSL
n Data-expansion
o To expand a secret into a longer one
o To make some dependency, the second seed is the
output of the first
n Pseudorandom function
241-427-SV-2-2553-COE-PSU 27
Data-expansion
11. 11
241-427-SV-2-2553-COE-PSU 31
Alert Protocol
o Support all in SSL exceptNoCertificate
o Additional alerts
241-427-SV-2-2553-COE-PSU 32
Handshake Protocol
CertificateVerify
message
Finished message
241-427-SV-2-2553-COE-PSU 33
Record Protocol
12. 12
241-427-SV-2-2553-COE-PSU 34
Security at the Network Layer
Security at the above layers may not be enough
o Not all client/server programs are protected at the
application layer
o Not all client/server programs at the application
layer use the service of TCP to be protected by SSL
or TLS
n E.g., UDP
o Many application such as routing protocols directly
use the service of IP
n Security at IP layer is needed
241-427-SV-2-2553-COE-PSU 35
IPSec
o A collection of protocols designed by the Internet
Engineering Task Force to provide security for a
packet at the network level
o Create authenticated and confidential packets for
the IP layer
241-427-SV-2-2553-COE-PSU 36
IPSec
o Has two modes
n Transport mode
n Tunnel mode
o Has two security protocols
n Authentication header (AH) protocol
n Encapsulating security payload (ESP)
13. 13
241-427-SV-2-2553-COE-PSU 37
IPSec: transport mode
o IPSec protects what is delivered from the transport
layer to the network layer
o The IP header does not protect under the transport
mode
o The IPSec header (and trailer) are added to the
information
o It only protects the packet from the transport layer
o Use when we need host-to-host (end-to-end)
protection of data
241-427-SV-2-2553-COE-PSU 38
IPSec: transport mode
241-427-SV-2-2553-COE-PSU 39
IPSec: tunnel mode
o IPSec protects the entire IP packet
o A new IP header is added (different information
than the original IP header)
o Use between two routers or host to router or router
to host
15. 15
241-427-SV-2-2553-COE-PSU 43
Authentication Header Protocol
o Purpose
n To authenticate the source host
n To ensure the integrity of the payload carried in the
IP packet
o Action
n Uses a hash function and a symmetric key to create a
message digest
n The digest is inserted in the authentication header
n The AH is then placed in the appropriate location
based on the mode
241-427-SV-2-2553-COE-PSU 44
Encapsulating Security Payload (ESP)
o Purpose
n Provides source authentication, integrity, privacy
241-427-SV-2-2553-COE-PSU 45
Encapsulating Security Payload (ESP)
o Action: ESP adds a header and a trailer
1 . ESP trailer is added to the payload
2 . The payload and the trailer are encrypted
3 . The ESP header is added
4 . The ESP header, payload, and ESP trailer are used
to create the authentication data
5 . The authentication data are added to the end of the
ESP trailer
6 . the IP header is added after changing the protocol
value to 50
16. 16
241-427-SV-2-2553-COE-PSU 46
Remarks
o IPv4 and IPv6
n IPSec supports both IPv4 and IPv6 (AH & ESP are
parts of the Extension header)
o Why do we need AH?
n ESP was designed after AH was already included in
some commercial products
o IPSec services
n Access control
n Message integrity
n Entity authentication
n Confidentiality (except AH)
n Replay attack protection
241-427-SV-2-2553-COE-PSU 47
Security Association (SA)
o is a logical relationship between two hosts
o is an aspect of IPSec
Idea:
n SA is a contact between two hosts (one inbound SA
and one outbound SA)
n SA can be very complex, when the party wants to
communicate with many people (a database of a set
of SAs)
241-427-SV-2-2553-COE-PSU 48
Typical SA parameters
17. 17
241-427-SV-2-2553-COE-PSU 49
Security Policy (SP)
o Is an aspect of IPSec
o Defines the type of security applied to a packet
when it is to be sent or when it has arrived
o Security policy database (SPD)
n Each host that is using the IPSec protocol needs to
keep a SPD (inbound, outbound).
n Each entry in the SPD can be accessed using a
sixtuple index
< source address, destination address, name, protocol,
source port, and destination port>
241-427-SV-2-2553-COE-PSU 50
Security policy database (SPD)
o Address (unicast, multicast, wildcard)
o Name (defines a DNS entity)
o Protocol (AH, ESP)
241-427-SV-2-2553-COE-PSU 51
Outbound processing
18. 18
241-427-SV-2-2553-COE-PSU 52
Outbound processing
o Drop: packet cannot be sent
o Bypass: packet is sent w/o security
because there is no policy for the packet
o Apply
n Case 1: outbound SA is already established
the packet is transmitted accordingly
n Case 2: outbound SA is not established
the Internet Key Exchange (IKE) is called to create
an outbound and an inbound SA
241-427-SV-2-2553-COE-PSU 53
Inbound processing
241-427-SV-2-2553-COE-PSU 54
Inbound processing
o Discard: packet is dropped
o Bypass: the packet is delivered to the transport
layer w/o security
o Apply
n Case 1: inbound SA is already established
the packet is processed accordingly
n Case 2: inbound SA is not established
the packet must be discarded
19. 19
241-427-SV-2-2553-COE-PSU 55
Virtual Private Networks (VPN)
o A mechanism of employing encryption,
authentication and integrity protection
o Offers high amount of security
o No require any special cabling
o Combine advantages of
n a public network
o Cheap
o Easily available
n A private network
o Secure
o Reliable
o A mechanism to simulate a private network over a
public network such as the Internet
o Connections made up of packets and are temporary
241-427-SV-2-2553-COE-PSU 56
Network Address Translation (NAT)
1
2
NATClient
From 172.47.9.6,
Port 59789 From 60.168.34.2,
Port 63472
Internet
Server
Host
IP Addr
172.47.9.6
…
Port
59789
…
IP Addr
60.168.34.2
…
Port
63472
…
Internal ExternalTranslation Table
241-427-SV-2-2553-COE-PSU 57
Network Address Translation (NAT)
4
3NATClient
Internet
Server
Host
To 172.47.9.6,
Port 59789
To 60.168.34.2,
Port 63472
Translation Table
IP Addr
172.47.9.6
…
Port
59789
…
IP Addr
60.168.34.2
…
Port
63472
…
Internal External