
Master in Cybersecurity 2022-2023

Secure Communications

Introduction to Security in
Communication Networks

Antonio Pastor antopast@inf.uc3m.es


Review of TCP/IP network stack
TCP/IP protocol suite

TCP/IP hourglass model

Sources: www.tcpipguide.com, Wikipedia


OSI and TCP/IP network stacks

Source: Cisco Systems


Layers of OSI model (I)

• L1 – Physical layer (part of TCP/IP Network layer):
  – Delivers a structured set of bits across a transmission medium:
    - Defines the signals/symbols that represent a 0 or a 1 (e.g. -5V, +5V)
    - Specifies bit duration → maximum data rate
  – Enables full-duplex, half-duplex or simplex communications.
  – Defines the required electrical/optical characteristics of the transmission media, as well as the physical characteristics of connectors.
  – It may also define functional and procedural aspects (e.g. RS-232).

• L2 – Link layer (part of TCP/IP Network layer):
  – Delivers a set of bytes across a single link.
  – Organises L1 bits into frames and controls who uses a shared medium:
    - Data framing, i.e. where a frame starts and ends
    - Medium Access Control (MAC) and addressing
  – Detects transmission errors, and may also have recovery and flow control mechanisms:
    - Cyclic Redundancy Code (CRC)
    - Forward Error Correction (FEC)
    - Automatic Repeat reQuest (ARQ)

Layers of OSI model (II)

• L3 – Network layer (TCP/IP Internet layer):
  – Delivers packets (a.k.a. datagrams) through a network with multiple (potentially heterogeneous) links:
  – Addressing: identifies network endpoints (hosts)
  – Routing: computes a path through the network
  – Forwarding: delivers packets through those paths, usually on a best-effort basis:
    - Lost packets
    - Out-of-order packet delivery
    - Packet duplication
  – Prevents network congestion

• L4 – Transport layer (TCP/IP Transport layer):
  – (Reliable) transmission of Session layer data between two end systems (hosts) across an (unreliable) network
  – Data segmentation to fit in network datagrams
  – Ordered and reliable delivery of transport segments:
    - Sequence numbers
    - Ordered delivery
    - Request retransmission of missing segments
  – Opens and tears down transport connections

Layers of OSI model (&III)

• L5 – Session layer (part of TCP/IP Application layer):
  – Allows users on different machines to establish long-lived sessions between them.
  – Manages dialogue control (interrupt a session and resume it later at a specific point).
  – Token management.
  – Synchronization.

• L6 – Presentation layer (part of TCP/IP Application layer):
  – Encodes application data in a canonical (system-independent) format
  – Defines syntax and semantics of the information.
  – Data compression.
  – Data encryption.

• L7 – Application layer (part of TCP/IP Application layer):
  – It is the level the user interacts with
  – Common applications:
    - Web surfing
    - File transfer
    - eMail

Protocol Data Units (PDUs)

Source: www.tcpipguide.com

End-to-End (e2e) communications?

(Figure rendered as text: two protocol-stack diagrams.)

1. Client – Server, direct path:
   Web browser ............ Web server
   TCP .................... TCP
   IPv4 ...... Router ..... IPv4
   WiFi ...... WiFi / Eth Switch ...... Ethernet
   The router and switch only touch the lower layers; the TCP connection and the web exchange run end-to-end between browser and server.

2. Client – Proxy – Server:
   Web browser ...... Web proxy ...... Web server
   TCP ...... NAT, FW ...... TCP ...... TCP
   IPv4 ...... Router ...... IPv4 ...... IPv4
   WiFi ...... WiFi / Eth Switch ...... Ethernet ...... Ethernet
   The proxy (behind a NAT/firewall) terminates the client's TCP connection and web request and opens its own towards the server, so the conversation is no longer end-to-end.

Security definitions and concepts
IETF, NIST, ITU-T
Security Definitions

• A Vulnerability is a weakness in a system or its design that can be exploited by a Threat.
• A Threat is an external menace to that system.
• A Threat Agent is the entity that identifies a Vulnerability and uses it to attack the victim.
• A Risk is the likelihood that a particular threat, using a specific attack, exploits a particular vulnerability of a system, which results in an undesirable consequence (Incident).
• An Exploit is a tool developed to take advantage of a Vulnerability.
• Exposure is the potential to experience losses from a Threat Agent.
• Countermeasures are the techniques or methods used to defend against attacks and to solve or compensate Vulnerabilities in networks or systems.

If you have a Vulnerability, but there is no Threat towards it, then you have no Risk.

Source: Implementing Cisco IOS Network security, 2009.


Security concepts and relationships

(Figure rendered as text.) A Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and causes an Exposure, which can be safeguarded by a Countermeasure, which in turn directly affects the Threat Agent.

Source: CCNA Security, Cisco Learning Institute.

Risk Matrix from analysis

(Figure rendered as text.) A 3×3 matrix with Impact on the vertical axis (High, Medium, Low) and Likelihood on the horizontal axis (Low, Medium, High). The labelled cells run along the diagonal:

  Impact Low    × Likelihood Low    → Low Risk
  Impact Medium × Likelihood Medium → Medium Risk
  Impact High   × Likelihood High   → High Risk

The security requirements: CIA Triad

Computer Security: “The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)”
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Main security requirements

• Confidentiality:
  – Preserving authorized restrictions on information access and disclosure, including means for protecting personal data and proprietary information.

• Integrity:
  – Guarding against information modifications or destruction, including ensuring information non-repudiation and authenticity.

• Availability:
  – Ensuring timely and reliable access and use of information

Additional concepts

• Authenticity: verifying that users are who they say they are and that each input arriving at the system came from a trusted source.
• Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Security Attacks vs. Security Requirements

(Figure rendered as text: attacks are classified by the requirement they violate.) Availability, Confidentiality, Integrity, Authenticity.

Security attacks, mechanisms & services

• Security Attack:
– Any active or passive action that compromises the security of
information in some way.
• Security Mechanism:
– A process / device that is designed to detect, prevent or recover from a
security attack.
• Security Service:
– A service intended to counter security attacks, typically by implementing
one or more mechanisms.

… so Threat and Attack are used almost interchangeably


Security Services (X.800)

• Authentication (AuthN):
  – The assurance that the communicating entity is the one it claims to be.
• Access Control or Authorization (AuthZ):
  – The prevention of unauthorized use of a resource:
    - who can have access to a resource,
    - under what conditions access can occur,
    - what those accessing the resource are allowed to do
• Data Confidentiality:
  – The protection of data from unauthorized disclosure
• Data Integrity:
  – The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion or replay).
• Non-Repudiation:
  – Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

Security Mechanisms (X.800) (&II)

(Figure: the X.800 security mechanisms; not recoverable as text.)

Security Services vs. Mechanisms (X.800)

http://www.itu.int/rec/T-REC-X.800-199103-I/e


ITU-T Rec. X.805 (10/2003)

• Provides a systematic, organized way of performing network security assessments and planning

Model for Network Security

(Figure rendered as text.) Alice and Bob communicate over a channel on which an adversary sits: Eve (the passive listener) or Mallory (the active attacker).

Security Model for Network Access

(Figure only; not recoverable as text.)

Passive Attacks (I)

A Passive Attack attempts to learn or make use of information from the system but does not affect system resources.

• Eavesdropping or monitoring transmissions
• The goal of the opponent is to obtain information that is being transmitted
• Hard to detect, so the emphasis is on prevention

Passive Attacks (&II)

(Figure: Interception.)

• Release of message contents: plaintext messages exchanged between the parties may contain sensitive or confidential information.
• Traffic analysis: even if contents are encrypted, an opponent might still be able to observe the pattern of these messages (location, identity, frequency and length of messages).

Active Attacks (I)

An Active Attack attempts to alter system resources or affect their operation:
• Involves some modification of the data stream or the creation of a false stream.
• Difficult to prevent because of the wide variety of potential physical, software, and network vulnerabilities.
• Goal is to detect attacks and to recover from any disruption or delays caused by them.

• Masquerade (Spoofing): takes place when one entity pretends to be a different entity. Usually includes one of the other forms of active attack.
• Replay: involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Active Attacks (&II)

• Modification of messages: some portion of a legitimate message is altered, or messages are delayed or reordered to produce an unauthorized effect.
• Denial of Service (DoS): prevents or inhibits the normal use or management of communications facilities.

Network communications attacks
(in)Security in TCP/IP

• TCP/IP was initially developed for research and academia, and originally included no built-in strong security capabilities.
• The traditional TCP/IP protocol suite provides no means for ensuring the confidentiality, integrity, and authentication of any data transmitted across the network.
• Without confidentiality and integrity controls, when you send a packet across the Internet, TCP/IP allows any other user to see or modify your data.
• Furthermore, without authentication, an attacker can send data to you that appears to come from other trusted sources on the network.

Reconnaissance attacks

• Port Scanning is a process that reveals the TCP ports on which a host is listening for Internet traffic. Open ports provide a hole through which a system cracker can launch an attack.
• Countermeasures:
  – On all hosts, close all ports not in use by shutting down the services (applications or OS daemons) that run on those ports.
  – Block traffic to all unnecessary ports using a firewall on your edge router, which acts as a proxy and hides the servers’ actual IP addresses from the Internet.

• Network Mapping is the process of discovering the IP addresses of computers that are actually functioning and, if possible, the OS they are running (e.g. ping is the most basic tool).
• Countermeasures: block scans to the internal network (not to the DMZ) from the Internet. Detect port scans inside the network.

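The second countermeasure above, detecting port scans inside the network, comes down to a counting rule over firewall logs. The following is an added example, not part of the slides or of any Cisco material: the log line format, the addresses (documentation ranges) and the thresholds are constructed. It flags a source that touches many distinct destination ports on one host within a short window, and it counts allowed as well as denied connections, since a scan also hits the ports that are open.

```python
"""Port-scan detection over constructed firewall logs (added example).

Heuristic: one source address touching many *distinct* destination ports on
one host inside a short window is the signature of a port scan; ordinary
clients talk to one or two ports. Both ALLOW and DENY records count, because
a scan also reaches the ports that are open.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample: 203.0.113.5 sweeps ports 20-31 on 192.0.2.10 one second
# apart (some ports open, most closed), while 198.51.100.7 is a normal client
# that only ever talks to port 443.
SAMPLE_LOG = """\
2023-03-01T10:00:00Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=20
2023-03-01T10:00:01Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2023-03-01T10:00:02Z ALLOW src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2023-03-01T10:00:03Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
2023-03-01T10:00:03Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2023-03-01T10:00:04Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=24
2023-03-01T10:00:05Z ALLOW src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
2023-03-01T10:00:06Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=26
2023-03-01T10:00:07Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=27
2023-03-01T10:00:08Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=28
2023-03-01T10:00:09Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=29
2023-03-01T10:00:09Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2023-03-01T10:00:10Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=30
2023-03-01T10:00:11Z DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=31
2023-03-01T10:00:20Z ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (ts, m["src"], m["dst"], int(m["dport"]))


def max_distinct_ports(events, window_seconds):
    """Largest number of distinct destination ports seen in any window of
    `window_seconds` (inclusive). Two-pointer sweep over time-sorted events."""
    events = sorted(events)
    in_window = Counter()   # dport -> hits currently inside the window
    left = 0
    best = 0
    for ts, _, _, dport in events:
        in_window[dport] += 1
        while (ts - events[left][0]).total_seconds() > window_seconds:
            old = events[left][3]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def detect_port_scans(lines, window_seconds=60, threshold=10):
    """Return {(src, dst): distinct_ports} for every pair at or above the threshold."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_pair[(ev[1], ev[2])].append(ev)
    return {pair: n for pair, evs in by_pair.items()
            if (n := max_distinct_ports(evs, window_seconds)) >= threshold}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan: {src} -> {dst}, {ports} distinct ports")
```

Thresholds are the tuning knob: a 60-second window with ten distinct ports catches a straightforward sweep, while a slow scan spread over hours needs a longer window or a per-day distinct-port count per source.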
Packet Sniffing or Eavesdropping

• Eavesdropping is the act of surreptitiously listening to a private conversation, typically between hosts on a network.
• Many applications send data unencrypted
  – FTP and Telnet send passwords in the clear
• A network interface card (NIC) in “promiscuous mode” reads all data flooded on the LAN.

• Countermeasure: encryption at different levels, e.g., HTTP over TLS, SSH/SFTP (instead of Telnet/FTP), IPsec.

Spoofing attacks

• Spoofing (aka masquerading, header forgery): a malicious party impersonates another device or user on a network in order to launch attacks against victims. Flavours: IP, ARP, DNS, email, web.
• IP spoofing: in an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself.

• Countermeasure: filter packets arriving from outside the network that carry source addresses from inside the network [BCP38], and vice versa.

Man-in-the-Middle Attack (MitM)

• A MitM attack can be active (alters messages) or almost passive (only forwards them).
• A hacker inserts himself between a client program and a server on a network, pretending to be one endpoint to the other. It works in an online fashion, in the path and in real time.
• The attacker interacts with both endpoints after having eavesdropped on or even tampered with the information.

• Countermeasure: encrypt traffic, authenticate the endpoints.

Replay Attack (I)

• A hacker executes a replay attack by intercepting and storing a legitimate message between two systems and retransmitting it at a later time.
  – Theoretically, this attack can even be successful against encrypted transmissions.

• First, the attacker intercepts a message (not so difficult)

Replay Attack (II)

• Later, the attacker retransmits (replays) the message to the original destination host
  – The attacker does not have to be able to read a message to replay it.
  – Usually used to gain access to resources by replaying an authentication message

• Countermeasure: the best defence against this attack is to use session keys, nonces, check the time stamp on all transmissions, and employ time-dependent message digests, to provide a freshness property.

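The freshness property named in the countermeasure above combines three of the listed ingredients: a time stamp, a nonce and a keyed digest that binds both to the message. The following is an added example, not code from the slides or from any referenced source; the shared key, the clock values and the 30-second skew are constructed, and the receiver takes `now` as a parameter so the logic runs without a real clock. Note the order of the checks: the MAC is verified first, so a forged message is rejected before it can touch the nonce cache; the time-stamp check then bounds how long a nonce has to be remembered.

```python
"""Freshness checks against replay: timestamp + nonce + HMAC (added example).

The sender binds a timestamp and a random nonce to the message body under a
shared key. The receiver rejects a message whose MAC fails, whose timestamp is
outside the allowed skew, or whose nonce it has already accepted inside that
window. Key material and clock values below are constructed.
"""
import hashlib
import hmac
import os

MAX_SKEW = 30  # seconds a message stays acceptable; also bounds the nonce cache


def _mac(key, ts, nonce, body):
    # The MAC covers every field the receiver will trust, so none of them can
    # be swapped in from another message without invalidating it.
    data = f"{ts}|{nonce}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key, body, now, nonce=None):
    """Sender side: attach the current time, a fresh random nonce and the MAC."""
    nonce = nonce if nonce is not None else os.urandom(16).hex()
    return {"ts": int(now), "nonce": nonce, "body": body,
            "mac": _mac(key, int(now), nonce, body)}


class FreshnessVerifier:
    """Receiver side. Remembers accepted nonces only while their timestamp could
    still pass the skew check, so the cache stays bounded."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> ts of the message it was accepted with

    def _prune(self, now):
        cutoff = now - self.max_skew
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}

    def verify(self, msg, now):
        """Return (accepted, reason). Stateless checks run before stateful ones."""
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"      # forged, tampered, or wrong key
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale"        # too old, or sender clock too far ahead
        self._prune(now)
        if msg["nonce"] in self.seen:
            return False, "replay"       # genuine and timely, but seen before
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    receiver = FreshnessVerifier(key)
    msg = make_message(key, "login alice", now=1000)
    print(receiver.verify(msg, now=1003))   # first delivery
    print(receiver.verify(msg, now=1004))   # the same bytes again
```

The skew window is a trade-off: wide enough to absorb clock drift between the parties, narrow enough that the nonce cache stays small; a TLS-style session key with sequence numbers achieves the same freshness without a shared clock, which is the other option the slide lists.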
DoS (Denial of Service) Attacks

• A Denial of Service (DoS) attack attempts to prevent legitimate users from accessing a computing resource.
• DoS can take several forms:
  – Overwhelm a network: the attack can flood a network with so many packets that legitimate traffic slows to a crawl.
  – Overwhelm a server: the attack can flood a single server with so much traffic that legitimate users can’t access the server.
  – Bring down a server: the attack can cause a server to crash.

Examples: SYN Flood, UDP Flood attack, Smurf attack, Ping of Death.

• DDoS (Distributed DoS):
  – Uses multiple source computers to disrupt its victims. This does not mean that the attack is coming from multiple attackers, however. The most typical architecture, in fact, is a single attacker or small group of attackers who trigger the attack by activating malware previously installed on computers throughout the world (a.k.a. botnet). It may also be amplified by spoofing the victim’s IP address.

TCP SYN Flooding Attack

• Attacker sends many connection requests with spoofed source addresses.
• Victim allocates resources for each request
  – Connection state maintained until timeout (half-open connections)
• Once resources are exhausted, requests from legitimate clients are denied.
• Common pattern: it costs the TCP initiator nothing to send a connection request, but the TCP responder must allocate state for each request (asymmetry!)

Countermeasure: TCP SYN cookies (carried in the SYN+ACK), so that the responder does not allocate state until the final ACK is received (also an anti-spoofing measure).

Source: Network Security Technologies and Solutions, Cisco 2008.

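The asymmetry and the SYN-cookie countermeasure are easiest to see side by side. The following simulation is an added example, not code from the slides or from Cisco: two toy responders are driven by the same burst of spoofed SYNs (which never complete the handshake) followed by one legitimate client. The stateful responder keeps a half-open entry per SYN and runs out of backlog; the SYN-cookie responder puts an HMAC of the client tuple and a coarse time slot into its initial sequence number, stores nothing, and recognises the legitimate client's final ACK by recomputing that value. The addresses, secret, backlog size and 64-second slot are constructed values.

```python
"""SYN flood asymmetry and the SYN-cookie countermeasure, simulated (added example).

Two toy TCP responders receive the same flood of spoofed SYNs, then one
legitimate three-way handshake. Addresses, secret and clock values are
constructed; "now" is an integer number of seconds passed in by the caller.
"""
import hashlib
import hmac

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class StatefulServer:
    """Classic behaviour: allocate a half-open entry for every SYN."""

    def __init__(self, backlog=128, timeout=60):
        self.backlog = backlog
        self.timeout = timeout          # half-open entries live this long
        self.half_open = {}             # (ip, port) -> (isn, created_at)
        self._next_isn = 1000

    def _expire(self, now):
        self.half_open = {c: e for c, e in self.half_open.items()
                          if now - e[1] < self.timeout}

    def on_syn(self, client, now):
        """Return the ISN sent in SYN+ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None                 # backlog full: legitimate SYNs are lost here
        self._next_isn = (self._next_isn + 64000) & SEQ_MASK
        self.half_open[client] = (self._next_isn, now)
        return self._next_isn

    def on_ack(self, client, ack, now):
        entry = self.half_open.pop(client, None)
        return entry is not None and (entry[0] + 1) & SEQ_MASK == ack


class SynCookieServer:
    """Keeps no state between SYN and ACK: the ISN itself proves a SYN+ACK was sent."""

    def __init__(self, secret, slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds

    def _cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")     # 32 bits fit the ISN field

    def on_syn(self, client, now):
        return self._cookie(client, now // self.slot_seconds)   # nothing stored

    def on_ack(self, client, ack, now):
        # Accept the current slot and the previous one, so a handshake that
        # straddles a slot boundary still completes; older cookies are rejected.
        slot = now // self.slot_seconds
        return any((self._cookie(client, s) + 1) & SEQ_MASK == ack
                   for s in (slot, slot - 1))


def handshake_succeeds_under_flood(server, n_spoofed, now=0):
    """Send n_spoofed SYNs from forged sources (their SYN+ACKs go nowhere, so no
    ACK ever returns), then attempt one legitimate handshake. True if it completes."""
    for i in range(n_spoofed):
        spoofed = (f"203.0.113.{i % 250 + 1}", 40000 + i)
        server.on_syn(spoofed, now)
    legit = ("198.51.100.7", 51515)
    isn = server.on_syn(legit, now + 1)
    if isn is None:
        return False                    # no SYN+ACK ever came back to the client
    return server.on_ack(legit, (isn + 1) & SEQ_MASK, now + 2)


if __name__ == "__main__":
    print("stateful, 1000 spoofed SYNs:", handshake_succeeds_under_flood(StatefulServer(), 1000))
    print("SYN cookies, 1000 spoofed SYNs:", handshake_succeeds_under_flood(SynCookieServer(b"constructed-secret"), 1000))
```

The anti-spoofing effect falls out of the design: a forged source never receives the SYN+ACK, so it can never present the matching ACK number, and the responder has spent nothing on it. Real implementations also squeeze the negotiated MSS into the cookie, since options from the original SYN are otherwise lost when no state is kept.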
DDoS Attacks

• DDoS flood: the attacker first takes over a large number of victim machines, often referred to as zombies. The attacker uses one or more client machines to tell all of the zombies to execute a command simultaneously, to conduct a Distributed DoS attack against the target.
• e.g. 620 Gbps against Krebs on Security (2016) [1], 3.47 Tbps attack against Azure [2]

[1] B. Krebs. "The Democratization of Censorship". Krebs on Security blog. 25 September 2016.
[2] Azure DDoS protection

Reflected/amplified DDoS attack

• The attacker takes advantage of connectionless protocols (e.g. ICMP, UDP), bouncing an attack off innocent servers using a spoofed source address (the victim’s).
• Amplification: short requests, large responses (e.g. DNS, NTP).

  Victim (address forged by the attacker) → Amplifier: DNS.Rqst (ANY?)
  Amplifier → Victim: DNS.Resp (A, AAAA, MX, RRSIG, …)

• Countermeasures: hire ($$$) a Content Delivery Network (CDN). Deploy anti-spoofing mechanisms [BCP38] across the whole Internet.

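BCP38 appears twice in these slides: as the countermeasure to IP spoofing and as the Internet-wide fix for reflected attacks, whose forged request is exactly the packet an egress filter drops. The following is an added example, not code from the slides or from the BCP itself; it models the check a border router performs with the site's own prefixes (documentation ranges here) and a constructed traffic mix. The inbound rule drops packets from the Internet that claim an inside source; the outbound rule drops packets leaving with a source that is not ours, which is what stops a compromised host here from stamping a victim's address on a request to an open resolver.

```python
"""BCP38 anti-spoofing filter at a network edge, ingress and egress (added example).

The border router knows which prefixes live behind it. A packet arriving from
the Internet whose source claims to be inside is forged (ingress rule); a
packet leaving whose source is not ours is misconfigured or is spoofing someone
else, e.g. a reflection request carrying a victim's address (egress rule).
Prefixes and packets use documentation address ranges and are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving towards it
    src: str
    dst: str


class Bcp38Filter:
    def __init__(self, internal_prefixes):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, addr):
        ip = ipaddress.ip_address(addr)
        # An address of the other IP version is simply not in a prefix (False).
        return any(ip in net for net in self.internal)

    def verdict(self, pkt):
        """Return (action, reason); action is "accept" or "drop"."""
        if pkt.direction not in ("in", "out"):
            return "drop", "unknown interface direction"
        try:
            src_internal = self.is_internal(pkt.src)
        except ValueError:
            return "drop", "unparseable source address"
        if pkt.direction == "in" and src_internal:
            return "drop", "ingress: packet from outside claims an inside source"
        if pkt.direction == "out" and not src_internal:
            return "drop", "egress: packet from inside claims an outside source"
        return "accept", "source address consistent with arrival interface"


def apply_filter(flt, packets):
    """Run the filter over a batch and return the actions in order."""
    return [flt.verdict(p)[0] for p in packets]


# Constructed traffic mix for a site that owns 192.0.2.0/24 and 2001:db8:1::/48.
SITE = Bcp38Filter(["192.0.2.0/24", "2001:db8:1::/48"])
SAMPLE_PACKETS = [
    Packet("in", "203.0.113.9", "192.0.2.10"),          # normal inbound client
    Packet("in", "192.0.2.77", "192.0.2.10"),           # forged inside source
    Packet("out", "192.0.2.10", "198.51.100.1"),        # normal outbound
    Packet("out", "198.51.100.200", "203.0.113.53"),    # inside host sending a request
                                                        # stamped with a victim's address
    Packet("out", "2001:db8:1::10", "2001:db8:99::1"),  # normal IPv6 outbound
    Packet("in", "2001:db8:1::50", "2001:db8:1::10"),   # forged IPv6 inside source
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        action, reason = SITE.verdict(pkt)
        print(f"{pkt.direction:>3} {pkt.src:>16} -> {pkt.dst:<16} {action:6} {reason}")
```

The filter is only as good as the prefix list: a multihomed site, or one that legitimately forwards traffic for a downstream customer, has to include those prefixes as well, which is why the slides say the mechanism must be deployed everywhere rather than only at the victim.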
Application layer attacks

• Application attacks (out of scope of this particular course):
  – Remote Code Execution (RCE) or Denial of Service (DoS):
    - Buffer overflows
    - Integer overflow
  – Cross-Site Scripting (XSS)
  – SQL injection (SQLi)

