Network Security Basics: IEEE Security and Privacy Magazine December 2005
Gerald A. Marin
Florida Institute of Technology

Writing a basic article on network security is something like writing a brief introduction to flying a commercial airliner. Much must be omitted, and an optimistic goal is to enable the reader to appreciate the skills required.

The first question to address is what we mean by “network security.” Several possible fields of endeavor come to mind within this broad topic, and each is worthy of a lengthy article. To begin, virtually all the security policy issues raised in Matt Bishop’s book, Computer Security Art and Science [1], apply to network as well as general computer security considerations. In fact, viewed from this perspective, network security is a subset of computer security.

The art and science of cryptography and its role in providing confidentiality, integrity, and authentication represents another distinct focus even though it’s an integral feature of network security policy. Readers looking for a good introduction (and more) to this area should consider Practical Cryptography by Niels Ferguson and Bruce Schneier [2].

The topic also includes design and configuration issues for both network-perimeter and computer system security. References in this area include Stephen Northcutt and colleagues’ Inside Network Perimeter Security [3], the classic Firewalls and Network Security [4] by Steven Bellovin and William Cheswick, and too many specific system configuration texts to list. These are merely starting points for the interested novice.

The practical networking aspects of security include computer intrusion detection, traffic analysis, and network monitoring. This article focuses on these aspects because they principally entail a networking perspective.

Network traffic

To analyze network traffic, we need a basic understanding of its composition. In this regard, networking people often speak of flows and formats. Flow is a laconic reference to networking protocols and the messages that travel back and forth between their endpoints. Format refers to the structure of the cells, frames, packets, datagrams, and segments (the awkward generic term is protocol data units) that comprise the flow.

The vast majority of network traffic today uses the Internet Protocol (IP) as its network-layer protocol [5]. IP addresses represent sources and destinations, and IP routers work together to forward traffic between them. Link-layer protocols such as Ethernet (IEEE 802.3), token ring, frame relay, and asynchronous transfer mode (ATM) forward IP packets, called datagrams, across many types of links.

Networks can be attacked at multiple layers; here, I focus on the network layer and the layer above it (the transport layer). The Internet network layer is “unreliable,” meaning it doesn’t guarantee end-to-end data delivery. To get reliable end-to-end service, a user invokes the Transport Control Protocol (TCP).

Figure 1 shows the format for an IP datagram; Figure 2 shows the format for a TCP segment, which is the protocol data unit associated with the TCP protocol. These formats are essential for understanding network traffic composition and something of the methods that can be used to corrupt them.

TCP/IP traffic accounts for much of the traffic on the Internet (although TCP isn’t typically used for voice or video traffic). Figure 3 illustrates how a tool such as Ethereal (www.ethereal.com) can help capture and analyze traffic.

We now have a fairly representative picture of the traffic flowing across the Internet. It consists of IP datagrams (which can be carried inside link-layer frames, for example) carrying higher-layer information, often including TCP segments.

Those with malicious intent could misuse any of the fields shown in Figures 1 and 2. The attackers would know the protocol’s intent and the rules to use to interpret the associated formats and flows. They can create a networking attack by changing values in any of the fields—any ensuing problems constitute attacks on the network. Spoofing, or changing the source address, lets an attacker disguise malicious traffic’s origin.

Network intrusions

Typical network traffic consists of millions of packets per second being exchanged among hosts on a
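The header layouts of Figures 1 and 2 are easy to check in code. The parser below is an added example written for this edition, not code from the article or from the Ethereal project: it reads the fixed 20-byte IPv4 and TCP headers with Python's struct module, verifies the RFC 791 header checksum, and runs on a constructed TCP SYN (the addresses 10.0.0.5 and 192.0.2.10 and the ports are made-up sample values). The checksum test is the kind of per-datagram sanity check a monitor can apply: a header whose address fields were altered in transit without the checksum being recomputed fails it, as the last lines show.

```python
"""Parse the IPv4 datagram header (Figure 1) and TCP segment header (Figure 2)
from raw bytes and verify the IPv4 header checksum.  Added example, not code from
the article; the sample packet is constructed, not captured."""
from __future__ import annotations

import struct
from dataclasses import dataclass


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    version: int
    ihl: int              # header length in 32-bit words (5 = no options)
    total_length: int
    identification: int
    flags: int            # 3 bits: reserved, DF, MF
    fragment_offset: int  # in 8-byte units
    ttl: int
    protocol: int         # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum_ok: bool
    src: str
    dst: str


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words
    flags: int            # low 6 bits: URG ACK PSH RST SYN FIN
    window: int


def parse_ipv4(data: bytes) -> tuple[IPv4Header, bytes]:
    """Return the parsed header and the payload the datagram carries."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(data) < ihl * 4 or total_len < ihl * 4:
        raise ValueError("malformed IPv4 header")
    hlen = ihl * 4
    header = IPv4Header(
        version=version, ihl=ihl, total_length=total_len, identification=ident,
        flags=frag >> 13, fragment_offset=frag & 0x1FFF, ttl=ttl, protocol=proto,
        # Summing the whole header, checksum field included, gives zero when intact.
        checksum_ok=ipv4_checksum(data[:hlen]) == 0,
        src=".".join(str(b) for b in src), dst=".".join(str(b) for b in dst))
    return header, data[hlen:total_len]


def parse_tcp(segment: bytes) -> tuple[TCPHeader, bytes]:
    """Return the parsed TCP header and the segment's data bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    if data_offset < 5 or len(segment) < data_offset * 4:
        raise ValueError("bad TCP data offset")
    header = TCPHeader(sport, dport, seq, ack, data_offset, off_flags & 0x3F, window)
    return header, segment[data_offset * 4:]


def build_sample_packet() -> bytes:
    """Constructed IPv4/TCP SYN, 10.0.0.5:40000 -> 192.0.2.10:80, no options, DF set."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    src, dst = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                               0x4000, 64, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))   # fill in the checksum
    return bytes(ip) + tcp


if __name__ == "__main__":
    pkt = build_sample_packet()
    ip, payload = parse_ipv4(pkt)
    tcp, _ = parse_tcp(payload)
    print(ip)
    print(tcp)
    damaged = bytearray(pkt)
    damaged[12] ^= 0xFF            # alter the first source-address byte in place
    print("checksum ok after alteration:", parse_ipv4(bytes(damaged))[0].checksum_ok)
```

Only the fixed part of each header is decoded; IP and TCP options (present when ihl or data_offset exceeds 5) are skipped over but not interpreted, which is enough for the address, port, flag and fragmentation fields the article's later detection discussion relies on.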
68 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY
Basic Training
Figure 3. Example traffic-analysis output. This screenshot from the Ethereal tool shows a list of 18 packets. The middle
section describes the highlighted packet; the third section displays the packet in hex format. Ethereal is open-source
software released under the GNU General Public License.
… generated traffic might seem to be normal Web browser requests and other innocent-looking traffic that, in fact, differs from valid traffic principally in its intent. This makes identifying such attacks extremely difficult. For particularly interesting reading, Steve Gibson provides a case history of one of the early DDoS attacks [7].

Intrusion detection systems

No single technique is likely to detect all possible types of network intrusions—especially because new intrusion types are still waiting to be exploited. Reviewing the attacks described here, it’s clear that land attacks can be discovered by looking for arriving packets in which the source and destination IP addresses are identical. Smurf attacks can’t be detected on the basis of content from single packets; only the arrival of an unusually large number of ICMP echo requests and responses would signal such an attack’s presence. We could respond by killing all echo requests at a gateway router, but doing so would interfere with other network functions that might be vital to the organization being protected. We might discover the teardrop attack by looking for illegal fragmentation in arriving packet trains, but the router (or firewall) would have to maintain a significant amount of state information.

Intrusion detection systems (IDSs) use particular collections of analytical techniques to detect attacks, identify their sources, alert network administrators, and possibly mitigate an attack’s effects. An IDS uses one or both of the following techniques to detect intrusions:

• Signature detection—the IDS scans packets or audit logs to look for specific signatures (sequences of commands or events) that were previously determined to indicate a given attack’s presence.
• Anomaly detection—the IDS uses its knowledge of behavior patterns that might indicate malicious activity and analyzes past activities to determine whether observed behaviors are normal.

It’s fairly easy to understand how signature detection can help find
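To make the distinction between the two IDS techniques concrete, here is an added example (not code from the article) of a toy detector that applies a single-packet signature (the land check: identical source and destination address), a stateful volume rule for the kind of ICMP echo flood a smurf attack produces, and an anomaly rule that subtracts a baseline set of (hour, port) pairs from observed activity. The Packet class is a hypothetical abstraction of the fields a capture tool would hand over; all packet records, the threshold of three echo packets per ten seconds, and the hour-sized time bucket are constructed for the demo.

```python
"""Toy intrusion detector illustrating both IDS techniques from the article.
Added example, not code from the article.  Packet records and thresholds are
constructed for the demo; Packet is a hypothetical abstraction of the fields a
capture tool would hand over."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float              # arrival time in seconds
    src: str
    dst: str
    proto: int            # IP protocol number: 1 = ICMP, 6 = TCP
    dport: int = 0        # TCP destination port (0 for non-TCP)
    icmp_type: int = -1   # 8 = echo request, 0 = echo reply, -1 = not ICMP


# --- Signature detection: decided from the content of a single packet ---------
def land_signature(p: Packet) -> str | None:
    """Land packet: source and destination IP address identical."""
    return f"land: {p.src} -> {p.dst}" if p.src == p.dst else None


# --- Volume detection: needs state across packets (the smurf case) ------------
class EchoFloodDetector:
    """Alert once when more than `limit` ICMP echo packets arrive within `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.times: deque[float] = deque()   # arrival times inside the sliding window
        self.fired = False

    def observe(self, p: Packet) -> str | None:
        if p.proto != 1 or p.icmp_type not in (0, 8):
            return None
        self.times.append(p.t)
        while self.times and p.t - self.times[0] > self.window:
            self.times.popleft()
        if len(self.times) > self.limit and not self.fired:
            self.fired = True
            return f"icmp echo flood: {len(self.times)} echo packets in {self.window}s"
        return None


def run_signatures(packets, limit=3, window=10.0):
    """Apply the single-packet and volume rules in arrival order; return (time, alert) pairs."""
    flood = EchoFloodDetector(limit, window)
    alerts = []
    for p in packets:
        for alert in (land_signature(p), flood.observe(p)):
            if alert:
                alerts.append((p.t, alert))
    return alerts


# --- Anomaly detection: compare observed behaviour with a learned baseline ----
def time_port_pairs(packets, bucket=3600):
    """Set of (time bucket, destination port) pairs with any TCP activity."""
    return {(int(p.t // bucket), p.dport) for p in packets if p.proto == 6}


def anomalous_pairs(baseline, observed, bucket=3600):
    """Pairs active in the observed period that never appeared in the baseline period."""
    return sorted(time_port_pairs(observed, bucket) - time_port_pairs(baseline, bucket))


# Constructed traffic: two normal web requests, one land packet, then six echo replies.
SIGNATURE_SAMPLE = [
    Packet(100, "10.0.0.5", "192.0.2.10", 6, dport=80),
    Packet(101, "192.0.2.10", "192.0.2.10", 6, dport=139),   # src == dst
    Packet(102, "10.0.0.5", "192.0.2.10", 6, dport=443),
] + [Packet(110 + i, f"198.51.100.{i}", "192.0.2.10", 1, icmp_type=0) for i in range(6)]

# Constructed baseline (ports 80 and 443 in hours 0 and 1) and a later observation
# period in which port 6667 appears during hour 1 for the first time.
BASELINE = [Packet(t, "10.0.0.5", "192.0.2.10", 6, dport=port)
            for t, port in [(100, 80), (200, 443), (3700, 80), (3800, 443)]]
OBSERVED = [Packet(t, "10.0.0.7", "192.0.2.10", 6, dport=port)
            for t, port in [(150, 80), (3750, 443), (3900, 6667)]]

if __name__ == "__main__":
    for t, alert in run_signatures(SIGNATURE_SAMPLE):
        print(f"t={t:>5}  {alert}")
    print("anomalous (hour, port) pairs:", anomalous_pairs(BASELINE, OBSERVED))
```

The three rules differ exactly along the axis the text draws: the land check needs no memory, the echo-flood rule must keep a window of recent arrivals (the state cost the text attributes to teardrop detection applies here too), and the anomaly rule needs a whole baseline period before it can say anything, which is also why a baseline that already contains an attack will hide it.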
… reside in internal machines that access sensitive data.

Techniques for detecting malicious code bring us back to general computer security issues and methods. Analysis of network activity associated with problems such as worm infections could complement other system security work in determining which machines are infected. Based on both traffic analysis and system behavioral analysis, for example, sufficiently suspicious machines might be isolated from their peers via (perhaps new) security protocols until administrators took steps to secure them. Whether such isolation can be accomplished before a critical subset of the Internet becomes infected is one concern of current and future research. There are others, and they also depend, to some extent, on the basics covered in this article.

[Figure 5: plot of port activity against time; x-axis labelled Seconds, 0 to 30,000.] Figure 5. Anomalous port activity on the Lincoln Lab machines. Subtracting all (time,port) pairs that were active during the base comparison period in Figure 4 shows three areas that represent unusual port activity, which could be attacks.

References
1. M. Bishop, Computer Security Art and
4. … Education, 1994.
5. Internet Protocol, RFC 791, Sept. 1981; www.ietf.org/rfc/rfc791.txt.
6. S. Bonisteel, “Yahoo DoS Attack Was Sophisticated,” ComputerUser.com, 4 April 2003; www.computeruser.com/news/00/02/14/news1.html.
7. S. Gibson, “The Strange Tale of the Denial of Service Attacks Against grc.com,” Gibson Research, 2002; http://grc.com/dos/grcdos.htm.
8. D. Newman, J. Snyder, and R. Thayer, “Crying Wolf: False Alarms Hide Attacks,” Network World, 24 June 2002; www.networkworld.com/techinsider/2002/0624security1.html.
9. R. Thayer, “Intrusion Detection Systems,” Network World, 31 Jan. 2005; www.networkworld.com/reviews/2005/013105rev.html.
10. J. Haines et al., 1999 DARPA Intrusion Detection Evaluation: Design and Procedures, Lincoln Lab tech. report 1062, Massachusetts Inst. Technology, 2001.
11. J. Haines, L. Rossey, and R. Lippman, “Extending the DARPA Off-Line Intrusion Detection Evaluations,” Proc. IEEE/DARPA Information Survivability Conf. and Exposition (DISCEX II), vol. 1, IEEE CS Press, 2001, p. 0035.

Gerald A. Marin is a professor at the Florida Institute of Technology. His research interests include computer communication networks, system and network performance, system and network security, and simulation modeling. Marin has a PhD in mathematics from North Carolina State University. He has several years of industry experience, both with IBM and the Center for Naval Analyses. Contact him at gmarin@fit.edu.