Chapter 4: Network Security

4.1 Introduction

Network security consists of the provisions and policies adopted by a network administrator to
prevent and monitor unauthorized access, misuse, modification, or denial of a computer network
and network-accessible resources. Network security involves the authorization of access to data
in a network, which is controlled by the network administrator. Users choose or are assigned an
ID and password or other authenticating information that allows them access to information and
programs within their authority. Network security covers a variety of computer networks, both
public and private, that are used in everyday jobs conducting transactions and communications
among businesses, government agencies and individuals.

4.2 Network attacks


Any method, technique or process used to attack and compromise the security of a network can
be termed a network attack.

A network attack or security incident is a threat, intrusion, denial of service or other attack on a
network infrastructure that probes the network and gathers information, eventually causing the
network to crash or become corrupted. In many cases the attacker is interested not only in
exploiting software applications but also in obtaining unauthorized access to network devices.
Unmonitored network devices are the main source of information leakage in organizations. In
most organizations, every e-mail message, every web page request, every user logon, and every
transmitted file is handled by a network device. Under some setups, telephone service and voice
messaging are also handled by network devices. If the attacker is able to "own" your network
devices, then they "own" your entire network.

Types of Network Attacks


The common and popular attacks are:
i) Eavesdropping
ii) Denial-of-Service (DoS)
iii) Distributed Denial-of-Service (DDoS)
iv) Session Hijacking
v) Spoofing
vi) Man-in-the-Middle Attack

i) Eavesdropping
Eavesdropping is the act of secretly listening to the conversation of others, obviously without
their permission. The same definition applies to network sniffing, in which the attacker secretly
listens to the data transmitted over the network.

In general, the majority of network communications occur in an unsecured or "clear text" format,
which allows an attacker who has gained access to data paths in your network to "listen in" on or
interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to
as sniffing or snooping.

The countermeasure is strong encryption based on sound cryptography; without it, your data can
be read by others as it traverses the network.

ii) Denial-of-Service attack (DoS)


A denial-of-service (DoS) attack is a special kind of Internet attack aimed at large websites. It is
an attempt to make a computer resource unavailable to its intended users. It generally consists of
the concerted efforts of a person or people to prevent an Internet site or service from functioning
efficiently or at all, temporarily or indefinitely.
It is a type of attack on a network that is designed to bring the network to its knees by flooding it
with useless traffic. Denial of service can result when a system, such as a web server, has been
flooded with illegitimate requests, making it impossible to respond to real requests or tasks.
A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
• Consumption of computational resources, such as bandwidth, disk space or CPU time.
• Disruption of configuration information, such as routing information.
• Disruption of physical network components.
The consequences of a DoS attack are the following:
• Unusually slow network performance.
• Unavailability of a particular web site.
• Inability to access any web site.
• Dramatic increase in the amount of spam you receive in your account.
iii) Distributed Denial-of-Service attacks (DDoS)
A distributed denial-of-service (DDoS) attack occurs when multiple compromised systems or
multiple attackers flood the bandwidth or resources of a targeted system with useless traffic. In a
DDoS attack, the attacker first gains access to user accounts on numerous hosts across the
Internet. These systems are compromised using a variety of methods, and the compromised
machines are called secondary victims or zombies. The zombies are then used as an attack
platform against the primary victim; they may not be aware that they are being used in this way.
Trojans and viruses give the attacker control of these machines, which are then used to launch
attacks on the victim. This attack is difficult to detect because the traffic comes from several IP
addresses. It is the most deadly attack of all and not easy to overcome.
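The paragraph above notes that a DDoS is hard to detect because the traffic arrives from many addresses. The following Python script is an added example, not part of the chapter, showing why a per-source threshold misses a distributed flood while an aggregate rate combined with a distinct-source count catches it. The access-log lines, addresses, time window and thresholds are all constructed for illustration.

```python
"""Added example (not from the chapter): per-source vs aggregate flood detection
over constructed web-server access-log lines in Common Log Format style."""
from collections import Counter, defaultdict
import re

# Constructed sample log: three normal requests in one minute, then 40 zombies
# (192.0.2.1 .. 192.0.2.40) sending two requests each inside the next minute.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:00 +0000] "GET / HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:01 +0000] "GET /about HTTP/1.1" 200 300
10.0.0.7 - - [10/Oct/2023:13:55:03 +0000] "GET / HTTP/1.1" 200 512
""" + "\n".join(
    f'192.0.2.{i} - - [10/Oct/2023:13:56:{i % 60:02d} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(1, 41) for _ in range(2)
)

# client IP, then the date and hh:mm inside the bracketed timestamp
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hh>\d\d):(?P<mm>\d\d):\d\d')


def requests_per_minute(log_text):
    """Return {minute_key: Counter(ip -> request count)} for the given log text."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        key = f"{m['day']} {m['hh']}:{m['mm']}"
        buckets[key][m['ip']] += 1
    return buckets


def flag_flood(buckets, per_ip_limit=20, total_limit=50, distinct_limit=25):
    """Classify each minute as 'single-source', 'distributed' or 'normal'.

    single-source: one IP alone exceeds per_ip_limit (classic DoS).
    distributed:   no single IP is loud, yet the aggregate rate exceeds
                   total_limit and more than distinct_limit sources took part.
    """
    verdicts = []
    for minute in sorted(buckets):
        counts = buckets[minute]
        total = sum(counts.values())
        loudest = max(counts.values())
        if loudest > per_ip_limit:
            verdicts.append((minute, "single-source"))
        elif total > total_limit and len(counts) > distinct_limit:
            verdicts.append((minute, "distributed"))
        else:
            verdicts.append((minute, "normal"))
    return verdicts


if __name__ == "__main__":
    for minute, verdict in flag_flood(requests_per_minute(SAMPLE_LOG)):
        print(minute, verdict)
```

The first minute is reported as normal and the second as distributed: every zombie stays far below the per-IP limit, so only the aggregate view reveals the attack. Real deployments would baseline the thresholds from historical traffic rather than hard-code them.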

iv) Session Hijacking


Session hijacking exploits a computer session between two machines; here, a computer session
means a connection between two machines.
When a TCP session is established, a cookie is used to verify whether the session is active. The
attacker can steal these cookies by sniffing, or by using the cookies saved on the victim's computer.
Since most authentication is done only at the start of the session, this allows the hacker to
assume the identity of the victim and gain the same access to resources as the victim.
Types of Session Hijacking attacks
1. Active
2. Passive
3. Hybrid
In an active attack, the attacker hijacks an existing session on the network by performing a
man-in-the-middle attack. This allows the attacker to execute various commands in order to
maintain access, delete traces, and so on. The attacker can create accounts on the network which
can be used to gain access later without having to hijack a session every time.

In a passive attack, the attacker monitors the ongoing session in the network. This attack uses
sniffer tools to sniff around the network and find juicy information.

A hybrid attack uses a combination of the above attacks; it is used to sniff and modify the data
simultaneously.

v) Spoofing
Spoofing is a situation in which one person or program successfully imitates another by
falsifying data and thereby gaining an illegitimate advantage.
A. IP Spoofing
Any Internet-connected device necessarily sends IP datagrams into the network. Such packets
carry the sender's IP address as well as application-layer data. If the attacker obtains control
over the software running on a network device, they can easily modify the device's protocol
handling to place an arbitrary IP address into the packet's source address field. This is known as
IP spoofing, or IP address forgery, and it makes any payload appear to come from any source.
With a spoofed source IP address on a datagram, it is difficult to find the host that actually sent
it. With this kind of attack, the attacker could gain access to juicy information such as passwords
and credit card numbers, install malware, or alter the data.

The countermeasure for spoofing is ingress filtering, which routers usually perform. A router that
performs ingress filtering checks the source IP address of each incoming datagram and
determines whether that address is one that is known to be reachable via the interface on which
the datagram arrived. If the source address is not in the valid range, the packet is discarded.
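The ingress-filtering rule just described, as an added Python example that is not from the chapter and not the code of any router vendor. The interface names, the prefixes reachable through each interface and the sample datagrams are constructed; the one extra rule, dropping private source addresses that arrive on the upstream link, is a common companion to the check the text describes.

```python
"""Added example (not from the chapter): a minimal ingress filter.
Each inside interface maps to the source prefixes legitimately reachable
through it; datagrams whose source is not in that set are dropped."""
import ipaddress

# Constructed topology: source prefixes expected on each inside-facing interface.
REACHABLE_VIA = {
    "lan0": [ipaddress.ip_network("192.168.10.0/24")],
    "dmz0": [ipaddress.ip_network("203.0.113.0/24")],
}
OWN_PREFIXES = [net for nets in REACHABLE_VIA.values() for net in nets]


def ingress_allowed(interface, src):
    """Return True if a datagram with source `src` may legitimately arrive on `interface`."""
    src_ip = ipaddress.ip_address(src)
    if interface in REACHABLE_VIA:
        # inside interface: only the prefixes behind it are valid sources
        return any(src_ip in net for net in REACHABLE_VIA[interface])
    # upstream interface: a source claiming one of our own prefixes is spoofed,
    # and private/reserved sources cannot legitimately arrive from the Internet
    if any(src_ip in net for net in OWN_PREFIXES):
        return False
    return not src_ip.is_private


def filter_datagrams(datagrams):
    """datagrams: iterable of (interface, src, dst). Returns (accepted, dropped) lists."""
    accepted, dropped = [], []
    for iface, src, dst in datagrams:
        (accepted if ingress_allowed(iface, src) else dropped).append((iface, src, dst))
    return accepted, dropped


# Constructed sample traffic; 93.184.216.34 stands in for an arbitrary Internet host.
SAMPLE = [
    ("lan0", "192.168.10.5", "93.184.216.34"),   # genuine LAN host
    ("lan0", "93.184.216.34", "192.168.10.5"),   # LAN host forging an Internet source
    ("wan0", "93.184.216.34", "203.0.113.10"),   # genuine Internet client
    ("wan0", "192.168.10.5", "203.0.113.10"),    # outsider forging an inside source
    ("wan0", "10.0.0.1", "203.0.113.10"),        # private source on the Internet link
]

if __name__ == "__main__":
    accepted, dropped = filter_datagrams(SAMPLE)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

Two of the five constructed datagrams pass; the three with a source address that could not have arrived on that interface are discarded, which is exactly the check the text attributes to routers.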

B. DNS Spoofing
The Domain Name Service (DNS) transforms a domain name (say www.example.com) into its IP
address (say 11.22.33.44). DNS spoofing is a technique in which a DNS entry is altered to point
to an IP address other than the one it is supposed to point to.

vi) Man-in-the-Middle (MITM) Attack
In a man-in-the-middle (MITM) attack the attacker intercepts the traffic between two machines
and makes the victims believe that they are talking directly to each other, when in fact their
conversation is controlled by the attacker.

The attack starts with sniffing and eavesdropping; once the attacker gains access to the
conversation, he can extract juicy information like passwords and credit card numbers, alter the
data, or install malware.

This technique takes advantage of a weakness in the TCP/IP protocol stack and the way headers
are constructed. When computers are communicating at low levels of the network layer, they
might not be able to determine with whom they are exchanging data. Man-in-the-middle attacks
are like someone assuming your identity in order to read your messages.

4.3 E-mail Security


4.3.1 Introduction
In virtually all distributed environments, electronic mail is the most heavily used network-based
application. Users expect to be able to, and do, send e-mail to others who are connected directly
or indirectly to the Internet, regardless of host operating system or communications suite. With
the explosively growing reliance on e-mail, there grows a demand for authentication and
confidentiality services. Two schemes stand out as approaches that enjoy widespread use: Pretty
Good Privacy (PGP) and S/MIME. Both will be discussed later.
4.3.2 Threats to E-mail
Consider the threats to electronic mail:
• message interception (confidentiality)
• message interception (blocked delivery)
• message interception and subsequent replay
• message content modification
• message origin modification
• message content forgery by outsider
• message origin forgery by outsider
• message content forgery by recipient
• message origin forgery by recipient
• denial of message transmission
Confidentiality and content forgery are often handled by encryption. Encryption can also help in
a defense against replay, although we would also have to use a protocol in which each message
contains something unique that is encrypted. Symmetric encryption cannot protect against
forgery by a recipient, since both sender and recipient share a common key; however, public key
schemes can let a recipient decrypt but not encrypt. Because of the lack of control over the
middle points of a network, senders or receivers generally cannot protect against blocked delivery.
4.3.3 Requirements and Solutions
If we were to make a list of the requirements for secure e-mail, our wish list would include the
following protections.
• message confidentiality (the message is not exposed en route to the receiver)
• message integrity (what the receiver sees is what was sent)
• sender authenticity (the receiver is confident who the sender was)
• non-repudiation (the sender cannot deny having sent the message)
Not all these qualities are needed for every message, but an ideal secure e-mail package would
allow these capabilities to be invoked selectively.

One of the design goals for encrypted e-mail was allowing security-enhanced messages to travel
as ordinary messages through the existing Internet e-mail system. This requirement ensures that
the large existing e-mail network would not require change to accommodate security. Thus, all
protection occurs within the body of a message. The encrypted e-mail standard supports multiple
encryption algorithms, using popular algorithms such as DES, triple DES, and AES for message
confidentiality, and RSA and Diffie Hellman for key exchange.

In addition to confidentiality, we may want various forms of integrity for secure e-mail.
Encrypted e-mail messages always carry a digital signature, so the authenticity and
non-repudiability of the sender are assured.

The major problem with encrypted e-mail is key management. The certificate scheme is
excellent for exchanging keys and for associating an identity with a public encryption key. The
difficulty with certificates is building the hierarchy. Many organizations have hierarchical
structures. The encrypted e-mail dilemma is moving beyond the single organization to an inter-
organizational hierarchy. Precisely because of the problem of imposing a hierarchy on a
nonhierarchical world, PGP was developed as a simpler form of encrypted e-mail.

Encrypted e-mail provides strong end-to-end security for electronic mail. Triple DES, AES, and
RSA cryptography are quite strong, especially if RSA is used with a long bit key (1024 bits or
more).

4.3.4 Pretty Good Privacy (PGP)


Encryption of e-mails and any other forms of communication is vital for the security,
confidentiality, and privacy of everyone. This is where PGP comes in and this is why PGP is so
popular today. In fact, currently PGP is one of the popular encryption and digital signatures
schemes in personal communication.

Pretty Good Privacy (PGP), developed by Phil Zimmermann, is a public-key cryptosystem.


Secure communication with the receiving party (who holds a secret key) is achieved by
encrypting the message to be sent using the recipient's public key. This message can then be
decrypted only using the recipient's secret key.

PGP works by creating a circle of trust among its users. In the circle of trust, users, starting with
two, form a key ring of public key/name pairs kept by each user. Joining this “trust club” means
trusting and using the keys on somebody’s key ring. Unlike the standard PKI infrastructure, this
circle of trust has a built-in weakness that can be penetrated by an intruder. However, since PGP
can be used to sign messages, the presence of its digital signature is used to verify the
authenticity of a document or file. This goes a long way in ensuring that an e-mail message or
file just downloaded from the Internet is both secure and untampered with.

PGP is regarded as hard encryption, that is, encryption that is impossible to crack in the
foreseeable future. Its strength is based on algorithms that have survived extensive public review
and are already considered by many to be secure. Among these algorithms are RSA, which PGP
uses for public-key encryption, and 3DES for conventional encryption. The actual operation of
PGP is based on five services: authentication, confidentiality, compression, e-mail compatibility,
and segmentation.

i) Authentication
PGP provides authentication via a digital signature scheme. The signatures are then attached to
the message or file before sending. PGP, in addition, supports unattached digital signatures. In
this case, the signature may be sent separately from the message.
ii) Confidentiality
PGP provides confidentiality by encrypting messages before transmission. PGP encrypts
messages for transmission and storage using conventional encryption schemes. As in all cases of
encryption, there is always a problem of key distribution, so PGP uses each conventional key
only once. This means that for each message to be sent, the sender mints a brand new 128-bit
session key for the message. The session key is encrypted with RSA using the recipient's public
key, and the message is encrypted using 3DES with the session key. Both are transmitted to the
recipient. Upon receipt, the receiver uses RSA with his or her private key to decrypt and recover
the session key, which is then used to recover the message.
iii) Compression
PGP compresses the message after applying the signature and before encryption. The idea is to
save space.
iv) E-mail Compatibility
PGP encrypts a message together with its signature (if not sent separately), resulting in a stream
of arbitrary 8-bit octets. But since many e-mail systems permit only blocks consisting of ASCII
text, PGP accommodates this by converting the raw 8-bit binary stream into a stream of
printable ASCII characters using a radix-64 conversion scheme. On receipt, the block is
converted back from radix-64 format to binary. If the message is encrypted, the session key is
recovered and used to decrypt the message. The result is then decompressed. If there is a
signature, it has to be checked by recovering the transmitted hash code and comparing it to the
receiver's calculated hash before acceptance.
v) Segmentation
To accommodate e-mail size restrictions, PGP automatically segments e-mail messages that are
too long. However, the segmentation is done after all the other processing of the message, just
before transmitting it, so the session key and signature appear only once, at the beginning of the
first segment transmitted. On receipt, the receiving PGP strips off all e-mail headers and
reassembles the original mail.
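The five services above form one processing order: sign, compress, encrypt under a one-time session key, wrap that key with the recipient's public key, convert to radix-64, and segment, with the receiver undoing each step in reverse. The Python below is an added example of that order and is not PGP's own code. Two stand-ins are used so that it runs with the standard library alone and they are labelled as such in the comments: a textbook RSA built from randomly generated probable primes in place of PGP's RSA, and a SHA-256 counter-mode keystream in place of 3DES. The 76-character segment limit is constructed.

```python
"""Added example (not PGP's own code): PGP's processing order end to end,
using a toy RSA and a SHA-256 keystream as labelled stand-ins."""
import base64
import hashlib
import secrets
import zlib

KEY_BITS = 192                 # size of each toy RSA prime; n is 384 bits = 48 bytes
KEY_BYTES = 2 * KEY_BITS // 8
SEGMENT_SIZE = 76              # constructed per-segment limit, to exercise segmentation


# ---- toy RSA stand-in (random probable primes; far too small for real use) ----
def _probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _probable_prime(cand):
            return cand


def rsa_keypair():
    """Return ((e, n), (d, n)). e is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = _gen_prime(KEY_BITS), _gen_prime(KEY_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _rsa(key, value):
    """Modular exponentiation; sign/verify/encrypt/decrypt are all this operation."""
    exp, n = key
    return pow(value, exp, n)


# ---- conventional-cipher stand-in for 3DES: SHA-256 counter-mode keystream XOR ----
def _keystream_xor(key, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def pgp_send(message, sender_priv, recipient_pub):
    """Return the list of radix-64 segments for `message`, in PGP's processing order."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    sig = _rsa(sender_priv, digest).to_bytes(KEY_BYTES, "big")       # i) authentication
    compressed = zlib.compress(sig + message)                          # iii) compression, after signing
    session_key = secrets.token_bytes(16)                              # ii) one-time 128-bit session key
    body = _keystream_xor(session_key, compressed)
    wrapped = _rsa(recipient_pub, int.from_bytes(session_key, "big")).to_bytes(KEY_BYTES, "big")
    armored = base64.b64encode(wrapped + body)                         # iv) radix-64 conversion
    return [armored[i:i + SEGMENT_SIZE]                                # v) segmentation, last of all
            for i in range(0, len(armored), SEGMENT_SIZE)]


def pgp_receive(segments, recipient_priv, sender_pub):
    """Reverse the steps; raise ValueError if the recovered hash does not match."""
    raw = base64.b64decode(b"".join(segments))                         # reassemble, then un-armor
    wrapped, body = raw[:KEY_BYTES], raw[KEY_BYTES:]
    session_key = _rsa(recipient_priv, int.from_bytes(wrapped, "big")).to_bytes(16, "big")
    signed = zlib.decompress(_keystream_xor(session_key, body))        # decrypt, then decompress
    sig, message = signed[:KEY_BYTES], signed[KEY_BYTES:]
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    if _rsa(sender_pub, int.from_bytes(sig, "big")) != expected:       # recover hash, compare
        raise ValueError("signature check failed: message rejected")
    return message


if __name__ == "__main__":
    sender_pub, sender_priv = rsa_keypair()
    recipient_pub, recipient_priv = rsa_keypair()
    segs = pgp_send(b"The invoice is attached.", sender_priv, recipient_pub)
    print(len(segs), "segment(s);", pgp_receive(segs, recipient_priv, sender_pub))
```

Because the session key and signature are wrapped before segmentation, they travel only in the first segment, as the text states; any alteration to a segment in transit is caught either by the compression checksum or by the hash comparison at the end.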
4.3.5 Secure/Multipurpose Internet Mail Extension (S/MIME)
Secure/Multipurpose Internet Mail Extension (S/MIME) extends the protocols of Multipurpose
Internet Mail Extensions (MIME) by adding digital signatures and encryption to them. MIME is
a technical specification of communication protocols that describes the transfer of multimedia
data including pictures, audio, and video. Because Web contents such as files consist of
hyperlinks that are themselves linked to other hyperlinks, any e-mail must describe this kind of
inter-linkage. That is what a MIME server does whenever a client requests a Web document:
when the Web server sends the requested file to the client's browser, it adds a MIME header to
the document and transmits it.

S/MIME was then developed to add the security services that MIME lacks. It adds two
cryptographic elements: encryption and digital signatures.

i) Encryption
S/MIME supports three public key algorithms to encrypt session keys for transmission with the
message: Diffie-Hellman as the preferred algorithm, RSA for both signatures and session keys,
and triple DES.
ii) Digital Signatures
To create a digital signature, S/MIME uses a hash function of either 160-bit SHA-1 or MD5 to
create message digests. To encrypt the message digests to form a digital signature, it uses either
DES or RSA.

4.3.6 Internet Protocol Security (IPSec)


IPSec is a suite of authentication and encryption protocols developed by the Internet Engineering
Task Force (IETF) and designed to address the inherent lack of security in IP-based networks.
IPSec, unlike other protocols, is a very complex set of protocols. It runs transparently to the
transport layer and application layer protocols, which do not see it. Although it was designed to
run in the new version of the Internet Protocol, IP Version 6 (IPv6), it has also successfully run
in the older IPv4 as well. IPSec sets out to offer protection by providing the following services at
the network layer:
• Access control – to prevent an unauthorized access to the resource.
• Connectionless integrity – to give an assurance that the traffic received has not been modified in
any way.
• Confidentiality – to ensure that Internet traffic is not examined by nonauthorized parties. This
requires all IP datagrams to have their data field, TCP, UDP, ICMP, or any other datagram data
field segment, encrypted.
• Authentication – particularly source authentication so that when a destination host receives an IP
datagram, with a particular IP source address, it is possible to be sure that the IP datagram was
indeed generated by the host with the source IP address. This prevents spoofed IP addresses.
• Replay protection – to guarantee that each packet exchanged between two parties is different.
The IPSec protocol suite is divided into two main protocols: the Authentication Header (AH)
protocol and the Encapsulating Security Payload (ESP) protocol. The AH protocol provides
source authentication and data integrity but no confidentiality. The ESP protocol provides
authentication, data integrity, and confidentiality. Any datagram from a source must be secured
with either AH or ESP.
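The replay-protection service listed above is worth seeing concretely. The Python below is an added example, not from the chapter and not taken from any IPSec implementation, of the sliding-window check that a receiver applies to the per-packet sequence number carried by AH and ESP: a bitmap remembers which of the most recent sequence numbers have already been accepted, so a repeated packet is rejected and a packet older than the window is rejected as untrackable. The window size and the packet sequence are constructed; in the real protocols the sequence number is also covered by the integrity check, so it cannot be rewritten in flight.

```python
"""Added example (not from the chapter): sliding-window anti-replay check
of the kind used to give IPSec AH/ESP their replay protection."""


class ReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set => sequence number (highest - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False       # sequence numbers start at 1
        if seq > self.highest:
            # slide the window forward; bit 0 now represents seq itself
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False       # older than the window: cannot tell, so reject
        if (self.bitmap >> offset) & 1:
            return False       # already accepted once: replay
        self.bitmap |= 1 << offset
        return True


def process_stream(seqs, size=64):
    """Run a constructed sequence of packet numbers through one window.
    Returns [(seq, accepted), ...] in arrival order."""
    window = ReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # constructed arrival order: reordering (5 before 4), a replay of 3,
    # a jump to 100, then late packets 40 and 37 (inside) and 36 (outside) the window
    for seq, ok in process_stream([1, 2, 3, 5, 4, 3, 100, 40, 37, 36]):
        print(f"seq {seq:3d}: {'accept' if ok else 'reject'}")
```

Reordered packets within the window are still accepted, which matters on real networks, while an exact repeat or a packet that has fallen out of the window is dropped; that is what "each packet exchanged between two parties is different" means in practice.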
4.3.7 Web Security
Web sites are unfortunately prone to security risks. And so are any networks to which web
servers are connected. Setting aside risks created by employee use or misuse of network
resources, your web server and the site it hosts present your most serious sources of security risk.
Web Security Threats
• Modification of user data, memory, message traffic in transit, Trojan horse browser (Integrity)
• Eavesdropping on the net (Confidentiality)
• Theft of info from server, data from client (Confidentiality)
• Info about network configuration, about which client talks to server (Confidentiality)
• Killing of user threads (Denial of Service)
• Flooding machine with bogus requests (Denial of Service)
• Filling up disk or memory (Denial of Service)
• Isolating machine by DNS attacks (Denial of Service)
• Impersonation of legitimate users (Authentication)
• Data forgery (Authentication)
Web Traffic Security Approaches
A number of approaches to providing Web security are possible. The various approaches that
have been considered are similar in the services they provide and, to some extent, in the
mechanisms that they use, but they differ with respect to their scope of applicability and their
relative location within the TCP/IP protocol stack.
i) use IP security
The advantage of using IPsec is that it is transparent to end users and applications and provides a
general-purpose solution. Furthermore, IPsec includes a filtering capability so that only selected
traffic need incur the overhead of IPsec processing.
ii) implement security just above TCP
The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on
Internet standard known as Transport Layer Security (TLS).
For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and
therefore be transparent to applications. Alternatively, SSL can be embedded in specific
packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL,
and most Web servers have implemented the protocol. Application-specific security services are
embedded within the particular application. The advantage of this approach is that the service
can be tailored to the specific needs of a given application.
