Professional Documents
Culture Documents
CH 4
CH 4
CH 4
4.1 Introduction
Network security consists of the provisions and policies adopted by a network administrator to
prevent and monitor unauthorized access, misuse, modification, or denial of a computer network
and network-accessible resources. Network security involves the authorization of access to data
in a network, which is controlled by the network administrator. Users choose or are assigned an
ID and password or other authenticating information that allows them access to information and
programs within their authority. Network security covers a variety of computer networks, both
public and private, that are used in everyday jobs conducting transactions and communications
among businesses, government agencies and individuals.
A Network attack or security incident is defined as a threat, intrusion, denial of service or other
attack on a network infrastructure that will analyze your network and gain information to
eventually cause your network to crash or to become corrupted. In many cases, the attacker
might not only be interested in exploiting software applications, but also try to obtain
unauthorized access to network devices. Unmonitored network devices are the main source of
information leakage in organizations. In most organizations, every email message, every web
page request, every user logon, and every transmittable file is handled by a network device.
Under some setups, telephone service and voice messaging are also handled by network devices.
If the attacker is able to "own" your network devices, then they "own" your entire network.
In general, the majority of network communications occur in an unsecured or "clear text" format,
which allows an attacker who has gained access to data paths in your network to "listen in" or
1
interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to
as sniffing or snooping.
Counter measures are strong encryption services that are based on cryptography only. Otherwise
your data can be read by others as it traverses the network.
In Passive attack, attacker monitors the ongoing session in the network. This attack uses sniffer
tools to sniff around the network and find juicy information!
Hybrid attack uses the combination of the above mentioned attacks. This attack is used to sniff
and modify the data simultaneously.
v) Spoofing
Spoofing is a situation in which one person or program successfully imitates another by
falsifying data and thereby gaining an illegitimate advantage.
A. IP Spoofing
Any internet connected device necessarily sends IP datagrams into the network. Such internet
data packets carry the sender's IP address as well as application-layer data. If the attacker obtains
control over the software running on a network device, they can then easily modify the device's
protocols to place an arbitrary IP address into the data packet's source address field. This is
known as IP spoofing, also known as IP address forgery, which makes any payload appear to
come from any source. With a spoofed source IP address on a datagram, it is difficult to find the
host that actually sent the datagram. With this kind of attack, the attacker could gain access to
juicy information such as passwords, credit cards numbers, etc or install malware or alter the
data.
The countermeasure for spoofing is ingress filtering. Routers usually perform this. Routers that
perform ingress filtering check the IP address of incoming datagrams and determine whether the
source addresses that are known to be reachable via that interface. If the source address is not in
the valid range, then such packets will be discarded.
B. DNS Spoofing
Domain Name Service (DNS) basically transforms a domain name, (say www.example.com) to
its IP address (say 11.22.33.44). And DNS spoofing is a technique where in a DNS entry to point
to another IP rather than it is supposed to point to.
3
vi) Man-in-the-Middle (MITM) Attack
In Man-in-the-Middle (MITM) attack the attacker intercepts the traffic between two machines
and makes the victims believe that they are talking directly to each other, when in fact their
conversation is controlled by the attacker.
The attacks starts with sniffing and eavesdropping and after the attacker gains access to the
conversation, he can extract juicy information like passwords, credit cards numbers, etc. or can
alter the data, install malwares.
This is a technique takes advantage of a weakness in the TCP/IP protocol stack, and the way
headers are constructed. When computers are communicating at low levels of the network layer,
the computers might not be able to determine with whom they are exchanging data. Man-in-
middle attacks are like someone assuming your identity in order to read your message.
One of the design goals for encrypted e-mail was allowing security-enhanced messages to travel
as ordinary messages through the existing Internet e-mail system. This requirement ensures that
the large existing e-mail network would not require change to accommodate security. Thus, all
protection occurs within the body of a message. The encrypted e-mail standard supports multiple
encryption algorithms, using popular algorithms such as DES, triple DES, and AES for message
confidentiality, and RSA and Diffie Hellman for key exchange.
In addition to confidentiality, we may want various forms of integrity for secure e-mail.
Encrypted e-mail messages always carry a digital signature, so the authenticity and non-
repudability of the sender is assured.
The major problem with encrypted e-mail is key management. The certificate scheme is
excellent for exchanging keys and for associating an identity with a public encryption key. The
difficulty with certificates is building the hierarchy. Many organizations have hierarchical
structures. The encrypted e-mail dilemma is moving beyond the single organization to an inter-
organizational hierarchy. Precisely because of the problem of imposing a hierarchy on a
nonhierarchical world, PGP was developed as a simpler form of encrypted e-mail.
Encrypted e-mail provides strong end-to-end security for electronic mail. Triple DES, AES, and
RSA cryptography are quite strong, especially if RSA is used with a long bit key (1024 bits or
more).
5
message to be sent using the recipient’s public key. This message then can be decrypted only
using the recipient’s secret key.
PGP works by creating a circle of trust among its users. In the circle of trust, users, starting with
two, form a key ring of public key/name pairs kept by each user. Joining this “trust club” means
trusting and using the keys on somebody’s key ring. Unlike the standard PKI infrastructure, this
circle of trust has a built-in weakness that can be penetrated by an intruder. However, since PGP
can be used to sign messages, the presence of its digital signature is used to verify the
authenticity of a document or file. This goes a long way in ensuring that an e-mail message or
file just downloaded from the Internet is both secure and untampered with.
PGP is regarded as hard encryption, that which is impossible to crack in the foreseeable future.
Its strength is based on algorithms that have survived extensive public review and are already
considered by many to be secure. Among these algorithms are RSA which PGP uses for
encryption for public key encryption; and 3DES for conventional encryption. The actual
operation of PGP is based on five services: authentication, confidentiality, compression, e-mail
compatibility, and segmentation.
i) Authentication
PGP provides authentication via a digital signature scheme. The signatures are then attached to
the message or file before sending. PGP, in addition, supports unattached digital signatures. In
this case, the signature may be sent separately from the message.
ii) Confidentiality
PGP provides confidentiality by encrypting messages before transmission. PGP encrypts
messages for transmission and storage using conventional encryption schemes. As in all cases of
encryption, there is always a problem of key distribution; so PGP uses a conventional key once.
This means for each message to be sent, the sender mints a brand new 128-bit session key for the
message. The session key is encrypted with RSA using the recipient’s public key; the message is
encrypted using 3DES together with the session key. The combo is transmitted to the recipient.
Upon receipt, the receiver uses RSA with his or her private key to decrypt and recover the
session key which is used to recover the message.
iii) Compression
PGP compresses the message after applying the signature and before encryption. The idea is to
save space.
iv) E-mail Compatibility
PGP encrypts a message together with the signature (if not sent separately) resulting into a
stream of arbitrary 8-bit octets. But since many e-mail systems permit only use of blocks
consisting of ASCII text, PGP accommodates this by converting the raw 8-bit binary streams
into streams of printable ASCII characters using a radix-64 conversion scheme. On receipt, the
6
block is converted back from radix-64 format to binary. If the message is encrypted, then a
session key is recovered and used to decrypt the message. The result is then decompressed. If
there is a signature, it has to be recovered by recovering the transmitted hash code and
comparing it to the receiver’s calculated hash before acceptance.
v) Segmentation
To accommodate e-mail size restrictions, PGP automatically segments email messages that are
too long. However, the segmentation is done after all the housekeeping is done on the message,
just before transmitting it. So the session key and signature appear only once at the beginning of
the first segment transmitted. At receipt, the receiving PGP strips off all e-mail headers and re-
assemble the original mail.
4.3.5 Secure/Multipurpose Internet Mail Extension (S/MIME)
Secure/Multipurpose Internet Mail Extension (S/MIME) extends the protocols of Multipurpose
Internet Mail Extensions (MIME) by adding digital signatures and encryption to them. MIME is
a technical specification of communication protocols that describes the transfer of multimedia
data including pictures, audio, and video. Because Web contents such as files consist of
hyperlinks that are themselves linked onto other hyperlinks, any e-mail must describe this kind
of inter-linkage. That is what a MIME server does whenever a client requests for a Web
document. When the Web server sends the requested file to the client’s browser, it adds a MIME
header to the document and transmits it.
S/MIME was then developed to add security services that have been missing. It adds two
cryptographic elements: encryption and digital signatures
i) Encryption
S/MIME supports three public key algorithms to encrypt session keys for transmission with the
message. These include Diffie-Hallman as the preferred algorithm, RSA for both signature and
session keys, and triple DES.
ii) Digital Signatures
To create a digital signature, S/MIME uses a hash function of either 160-bit SHA-1 or MD5 to
create message digests. To encrypt the message digests to form a digital signature, it uses either
DES or RSA.
7
IPv4 as well. IPSec sets out to offer protection by providing the following services at the
network layer:
• Access control – to prevent an unauthorized access to the resource.
• Connectionless integrity – to give an assurance that the traffic received has not been modified in
any way.
• Confidentiality – to ensure that Internet traffic is not examined by nonauthorized parties. This
requires all IP datagrams to have their data field, TCP, UDP, ICMP, or any other datagram data
field segment, encrypted.
• Authentication – particularly source authentication so that when a destination host receives an IP
datagram, with a particular IP source address, it is possible to be sure that the IP datagram was
indeed generated by the host with the source IP address. This prevents spoofed IP addresses.
• Replay protection – to guarantee that each packet exchanged between two parties is different.
IPSec protocol divides the protocol suite into two main protocols: Authentication Header (AH)
protocol and the Encapsulation Security Payload (ESP) protocol. The AH protocol provides
source authentication and data integrity but no confidentiality. The ESP protocol provides
authentication, data integrity, and confidentiality. Any datagram from a source must be secured
with either AH or ESP.
4.3.7 Web Security
Web sites are unfortunately prone to security risks. And so are any networks to which web
servers are connected. Setting aside risks created by employee use or misuse of network
resources, your web server and the site it hosts present your most serious sources of security risk.
Web Security Threats
• Modification of user data, memory, message traffic in transit, Trojan horse browser, (Integrity)
• Eavesdropping on the net (Confidentiality)
• Theft of info from server, data from client (Confidentiality)
• Info about network configuration, about which client talks to server (Confidentiality)
• Killing of user threads (Denial of Service)
• Flooding machine with bogus requests (Denial of Service)
• Filling up disk or memory (Denial of Service)
• Isolating machine by DNS attacks (Denial of Service)
• Impersonation of legitimate users (Authentication)
• Data forgery (Authentication)
Web Traffic Security Approaches
A number of approaches to providing Web security are possible. The various approaches that
have been considered are similar in the services they provide and, to some extent, in the
mechanisms that they use, but they differ with respect to their scope of applicability and their
relative location within the TCP/IP protocol stack.
use IP security
i)
The advantage of using IPsec is that it is transparent to end users and applications and provides a
general-purpose solution. Furthermore, IPsec includes a filtering capability so that only selected
traffic need incur the overhead of IPsec processing.
8
ii) implement security just above TCP
The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on
Internet standard known as Transport Layer Security (TLS).
For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and
therefore be transparent to applications. Alternatively, SSL can be embedded in specific
packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL,
and most Web servers have implemented the protocol. Application-specific security services are
embedded within the particular application. The advantage of this approach is that the service
can be tailored to the specific needs of a given application.