Title: Network and Internet Security
Network and Internet Security

The OSI Model
- Developed in the early 1980's by the Open Systems Interconnect group
- Became a standard for discussing and detailing how network operations actually function
- Before OSI there were many different conflicting standards

The OSI Stack
7. Application - Networked applications
6. Presentation - Networked applications
5. Session - Networked applications
4. Transport - Network overhead and end-to-end addressing
3. Network - Network overhead and end-to-end addressing
2. Data Link - LAN/WAN delivery systems
1. Physical - LAN/WAN delivery systems
How to remember (bottom up): People Don't Need To See Paula Abdul, or Please Do Not Throw Sausage Pizza Away

OSI and TCP/IP

Protocol
- What is a protocol?
  - A set of rules we adhere to
  - Specifies how things will work

Physical Layer
- Bits, bytes, and electrical signals
- Means of moving information from point A to point B
- Could be wireless, Ethernet, modem, phone line

Data Link Layer
- Where frames are built
- Frame - a logical organization / packaging of the data
- Protocols
  - Address Resolution Protocol (ARP)
  - Reverse Address Resolution Protocol (RARP)
  - Point-to-Point Protocol (PPP)
  - Serial Line Internet Protocol (SLIP)

Network Layer
- It's all about IP and routing
- IP will only deliver
- Protocols
  - Internet Protocol (IP)
  - Internet Control Message Protocol (ICMP)
  - Internet Group Management Protocol (IGMP)
  - Routing Information Protocol (RIP)
  - Open Shortest Path First (OSPF)
  - Novell Internetwork Packet Exchange (IPX)

Transport Layer
- Provides end-to-end transport services and establishes a logical connection between communicating computers
- Protocols
  - TCP - reliable protocol, connection-oriented
  - UDP - fast protocol, connectionless
  - SSL
  - SPX

Session Layer
- Establishes and maintains the session and traffic between two computers
- Session layer keeps track of what data goes where
- Analogy: traffic cop
- Protocols
  - Network File System (NFS)
  - NetBIOS
  - Structured Query Language (SQL)
  - Remote Procedure Call (RPC)
Session Layer
- Communication between two applications takes place in three different modes
  - Simplex - communication takes place in one direction
  - Half-duplex - communication takes place in both directions, but only one application can send information at a time
  - Full-duplex - communication takes place in both directions, and both applications can send information at the same time

Presentation Layer
- Deals with how data is formatted and how users see it
- Services: encryption, decryption, compression, decompression
- Presentation layer standards
  - ASCII
  - EBCDIC
  - TIFF
  - JPEG
  - MPEG
  - MIDI

Application Layer
- Application layer formats the data and displays it
- Protocols
  - FTP
  - TFTP
  - SNMP
  - SMTP
  - Telnet
  - HTTP

Network Security
- Security can be implemented at different layers of the OSI model to provide a more robust architecture
- Goal: defense in depth

Physical Layer Security
- Secure the media
  - Cable
  - Fiber
  - Wireless

Network Layer Security
- IP Security (IPsec)
  - A set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer
  - Widely used to protect VPNs

Transport Layer Security
- Guarantees privacy and data integrity between client/server applications communicating over the Internet

Session Layer Security
- Encryption at the session layer protects data

Application Layer Security
- The level of security provided by applications varies
  - Some are more secure and have encryption built in (e.g., Secure Shell)
  - Others are less secure and send information in clear text (e.g., FTP)

TCP/IP Protocol Stack (OSI layer -> TCP/IP layer)
7 Application  -> Process layer
6 Presentation -> Process layer
5 Session      -> Host-to-host
4 Transport    -> Host-to-host
3 Network      -> Internet
2 Data Link    -> Network Access layer
1 Physical     -> Network Access layer
Network Access Layer
- All things physical
- Includes cabling, framing, hardware equipment

Internet Layer
- All things logical, i.e., software
- Where Internet Protocol (IP) fits in
- Makes sure frames from the network layer reach the correct destination
- IP "postman" - determines the best route from source to target network
- Different types of frames for internal and external routing
- Analogy: interoffice envelope vs. FedEx envelope

Host to Host Layer
- Ensures that packets are delivered quickly and/or reliably
- Two protocols reside at this layer
  - TCP - reliable
  - UDP - quick
- Think about TCP (professional movers) and UDP (your friends) as moving services

Host to Host Layer
- TCP
  - Connection-oriented protocol
  - Provides reliable communication using
    - Handshaking
    - Acknowledgments
    - Error detection
    - Session teardown
  - TCP data is referred to as segments
  - TCP moves data in segments
  - Each segment is verified as it moves across the network

Host to Host Layer
- User Datagram Protocol (UDP)
  - A protocol without a connection
  - Offers speed and low overhead
  - Datagram
  - No set up or shutdown
- UDP is fast but unreliable
- Used for VoIP, video-conferencing

Process or Application Layer
- Telnet - port 23
- SMTP - port 25
- HTTP - port 80
- DNS - port 53
- FTP - ports 20 and 21
- TFTP (trivial FTP) - port 69
- SNMP - port 61

Signaling Types
- Analog
- Digital
  - Robust and can recover from errors
  - Widely used

Data Transmission Methods
- Synchronous communications
  - High-speed data synchronized by electronic clock signals
  - Takes place between two devices that are synchronized via a clocking mechanism
- Asynchronous communications
  - Transfer data by sending bits sequentially
  - Used when two devices are not synchronized
  - Data transfer can take place at any time

Signaling Methods
- Broadband - more than one signal at a time
  - Cable: 160 TV channels plus Internet
  - DSL: phone plus Internet
- Baseband - one signal at a time
  - Ethernet
  - Dial-up phone line

Transmission Methods
- Unicast transmission
  - Packet goes from the source computer to one particular system
- Multicast
  - Packet goes to a specific group of systems
- Broadcast
  - A system wants all computers on its subnet to receive a message

Transmission Methods
- IP multicast protocols use a Class D address
  - Special address space designed especially for multicasting
  - Used to send out information, multimedia data, real-time video and voice clips
- IGMP is used to report multicast group memberships to routers
  - When a user chooses to accept multicast traffic, the user becomes a member of a particular multicast group
  - IGMP allows a computer to inform the local routers that the user is part of a group and to send traffic with a specific multicast address to her system
Network Topologies

Topologies
- Bus
  - Linear, single line
- Ring
  - Linear and closed loop
- Star
  - All systems connected to a single point
- Tree
  - Bus topologies with multiple branches
- Mesh
  - Multiple connections between systems
  - Provides redundancy and multiple routes to systems

Ethernet
- Shared media
- Broadcast and collision domains
- CSMA/CD access method
- Implemented on
  - 10Base-2 (thinnet)
  - 10Base-5 (coax cable)
  - 10Base-T (twisted pair, RJ45 connector)

Fast Ethernet
- 100 Mbps
- CSMA/CD
- Twisted pair
- Supports 10/100 Mbps

Token Ring
- Token passing technology
- Multistation access unit (MAU)
- Each computer connected to a central hub
- LAN networks
- Mechanisms to deal with problems
  - Active Monitor removes frames continuously circulating on the network
  - Beaconing: if a computer detects a problem with the network it sends a beacon frame

FDDI
- Fiber Distributed Data Interface
- Ring topology
- Dual ring for redundancy
- Data transmission speed of 100 Mbps
- Token passing
- Used for distances up to 100 kilometers
- MAN networks

Network Cabling
- Required for the modern network
- Different types of cable have
  - Specific speeds
  - Maximum cable runs
  - Connectivity issues

Common Cable Specs
Ethernet Name    | Cable Specifications   | Distance Supported | Topology
10Base5          | 50-ohm thick coaxial   | 500 meters         | Bus
10Base2          | 50-ohm RG-58 A/U       | 185 meters         | Bus
10BaseT          | Cat 3 UTP (or better)  | 100 meters         | Star
100BaseTX        | Cat 5 UTP (or better)  | 100 meters         | Star
Gigabit Ethernet | Cat 6 UTP (or better)  | Depends            | Star

Fiber Cable
- Multimode fiber optic cable
  - Uses LED to transmit data
  - 200 meters max
- Singlemode fiber optic cable
  - Laser
  - 200 miles max

Cabling Issues
- Noise
  - Caused by surrounding devices
  - Caused by motors, computers, copy machines, fluorescent lighting
  - Distortion of signal
- Attenuation
  - Loss of signal strength as it travels
  - Length of cable
  - Use a repeater
  - Can also be caused by cable breaks
- Crosstalk
  - Signals from one wire spill over to another
  - UTP is susceptible to crosstalk

Cabling Issues
- Fire rating
  - Non-plenum-rated cables have a polyvinyl chloride (PVC) jacket covering
  - Plenum-rated cables have jacket covers made of fluoropolymers
  - Will not produce and release harmful chemicals in case of a fire
- Pressurized conduits
  - If someone attempts to access a wire the pressure of the conduit will change, causing an alarm

LAN Protocols
- Address Resolution Protocol (ARP)
- Reverse Address Resolution Protocol (RARP)
- Internet Control Message Protocol (ICMP)

Address Resolution Protocol (ARP)
- Resolves known IP addresses to unknown MAC addresses
- ARP maps the MAC address and the associated IP address
- Mapping is stored in a table
- ARP table poisoning
  - Attacker alters a system's ARP table
  - IP address is mapped to a different MAC address
  - A type of masquerading attack
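An added example (not from the slides) of how a defender can spot the ARP table poisoning described above by watching ARP replies on a segment. The monitor's log format, the addresses and the events are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of ARP reply events, in an assumed "<time> <ip> is-at <mac>" format.
# The last two lines are what poisoning looks like: the gateway (192.168.1.1) and a
# workstation (192.168.1.20) both start resolving to the MAC of 192.168.1.21.
SAMPLE_ARP_EVENTS = """\
10:00:01 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 192.168.1.20 is-at 00:11:22:33:44:20
10:00:03 192.168.1.21 is-at 00:11:22:33:44:21
10:05:10 192.168.1.1 is-at 00:11:22:33:44:21
10:05:11 192.168.1.20 is-at 00:11:22:33:44:21
"""

EVENT_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+is-at\s+([0-9a-f:]{17})$", re.I)


def parse_arp_events(text):
    """Yield (time, ip, mac) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_poisoning(events):
    """Return alert strings for two indicators of a poisoned mapping:

    1. an IP whose MAC changes after it was first learned (the table was altered)
    2. one MAC claiming more than one IP (an interface answering for the gateway
       and for victims at the same time, i.e. masquerading)
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in events:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ts} {ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts} {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts
```

A MAC change alone can be a legitimate NIC replacement or DHCP churn, so the second indicator (one MAC, many IPs, one of them the gateway) is the stronger signal.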
Reverse Address Resolution Protocol (RARP)
- Diskless environments
- Clients connecting to mainframes
- Workstation broadcasts its MAC address and the RARP server assigns an IP address
- RARP evolved into BOOTP, which evolved into DHCP

Internet Control Message Protocol (ICMP)
- Designed for logical errors and diagnostics
- Most commonly seen as a ping
  - Ping to check connectivity
  - Malicious use: to check if a device is up and running in order to attack it
  - Ping DoS

Routing Protocols
- Distance-vector
  - List of destination networks with direction and distance in hops
  - Router has a table with the destination and the number of hops data will make to get to the destination
  - Use if the network has 2 or 3 segments
- Link-state routing
  - Topology map of the network identifies all routers and subnetworks
  - Route is determined from the shortest path to the destination
  - Use if the network is highly meshed with multiple subnetworks
- Static vs. dynamic routes
  - Routes can be manually loaded (static) or dynamically maintained by the router
  - Static: the routing path is loaded manually in a command line or GUI, and the router uses the path entered to route data

Routing Protocols
- RIP
  - Distance vector
  - RIP is based on hop counts
  - Interior Gateway Protocol
  - Noisy, not the most efficient
  - Broadcasts routes every 30 seconds
  - Lowest cost / closest route always considered best, even if the route is congested
  - Physical limitation: cannot route beyond 16 points
  - No security: anyone can pretend to be a router
    - Masquerading attack

Routing Protocols
- Open Shortest Path First (OSPF)
  - Link-state routing
  - Interior Gateway Protocol
  - Routers elect a Designated Router (DR)
  - All routers establish a topology database using the DR as gateway between areas
  - A replacement for outdated RIP

Routing Protocols
- Border Gateway Protocol (BGP)
  - Core of the Internet
  - Used to exchange a high volume of data between routers
- Exterior Gateway Protocol (EGP)
  - Used to exchange routing data with the core and other autonomous systems
  - Routes data to subsystems
- Interior Gateway Protocol (IGP)
  - Used within autonomous systems
  - Organization with multiple networks
  - Data routed within multiple networks

Routing Protocols
- Border Gateway Protocol (BGP)
  - Exterior Gateway Protocol
  - Can support multiple paths between autonomous systems
  - Most ISPs use BGP
  - Can detect and suppress routing loops
  - Lacks security and authentication
  - The Internet recently went down because of incorrectly configured BGP on an ISP router

Domain Name Service (DNS)
- Resolves known Fully Qualified Domain Names (FQDNs) to unknown IP addresses
- Example domain name: Yahoo.com
  - DNS will resolve the IP address for us

Networking Equipment and Routing Protocols

Data Network Devices
- Hubs / repeaters / concentrators
  - Provide physical interconnection of multiple nodes to a network
- Bridge
  - Connects two network segments
  - Layer 2 device

Data Network Devices
- Router
  - Contains network management protocols that enhance network functionality
  - Operates at network layer 3
  - Handles packet traffic across networks

Data Network Devices
- Brouter
  - A router that can bridge, merging both capabilities into a single box
  - Routes selected protocols
  - Bridges all other traffic
  - Bridges two networks at layer 2 and also adds some routing capabilities
- Gateway
  - Acts as a translator between networks using incompatible protocols
  - Operates at any layer from 4 to 7

Switch
- Multiport connection device
- Each port provides dedicated bandwidth to the device attached to it
- Multilayer switches combine data link layer, network layer and other layer functionalities

Switch
- Layer 2: forwarding based on MAC address
- Layer 3/4: like a router
  - Routing based on IP address
  - Routes are chosen based on availability and performance
  - Tags are assigned to each destination network or subnet
  - Switch appends tags to the packet
  - Switches between the source and destination review the tag information
- Multiprotocol Label Switching (MPLS)
  - Priority information is placed in tags
  - E.g., video conferencing

Switch and VLANs
- Switch makes it difficult for intruders to sniff and monitor network traffic
  - No broadcast and collision information
- VLANs
  - Use switches
  - Logically (instead of physically) segment users and computers based on
    - Resource requirements
    - Security policies
    - Business needs

Firewall Types
- Packet filtering
- Stateful
- Proxy
- Dynamic packet filtering
- Kernel proxy

Firewall Architecture
- Screened host
- Dual-homed
- Screened subnet

Packet Filtering Firewall
- Packet-filtering router
- Most common
- Uses access control lists (ACLs)
  - Port
  - Source / destination address

Stateful Inspection Firewalls
- Stateful inspection
  - State and context analyzed on every packet in a connection
  - Only looks at a sampling of packets and not all packets of a connection
  - When a packet is received the firewall looks in its state table to check if the connection was established and if the data was requested
  - Works at network and transport layers
- Victims of DoS attacks
  - Dynamic state tables are flooded with bogus information
  - Firewall freezes or reboots

Proxy Firewalls
- Second generation firewalls
- Stands between the trusted and untrusted networks
- Only the proxy server has a valid (routable) IP address
- Network address translation (NAT)
  - Internal addresses are unreachable from the external network
  - Private IPs for internal networks instead of Internet-routable IPs
- De-militarized zone (DMZ)
  - Hosts are directly reachable from untrusted networks
  - Host in a semi-untrusted network
- Could be an application-level or circuit-level proxy

Application Proxy
- Inspects the entire packet and makes the access decision based on the contents of the packet
- One proxy per protocol is required
  - One portion of the firewall is dedicated to understanding how a specific protocol works and how to filter it for suspicious data
  - Application proxy firewalls for FTP, SMTP, Telnet

Circuit Level Proxy
- Secure circuit between the client and server
- Protection at the session layer
- Supports a wider variety of protocols and services than an application proxy
- Less granular control than an application proxy
- Similar to packet filtering: decision is based on address, port and protocol type
- Looks at data within the payload of the packet
- E.g., SOCKS

Dynamic Packet Filtering
- Combination of IP address and higher port
- Firewall creates an ACL that allows the external entity to communicate with an internal entity via a high port
- 4th generation firewall
- Gives control to allow any type of outbound traffic and only response traffic inbound
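An added example, not from the slides, that models the stateful inspection firewall and the dynamic packet filter described on the two slides above as one toy state table: an outbound SYN creates the temporary ACL entry, only inbound packets matching an entry are admitted as response traffic, and a fixed table capacity makes the state-table flooding DoS visible. Addresses, ports and the capacity are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "out" = trusted -> untrusted, "in" = untrusted -> trusted
    syn: bool = False   # True for a new-connection request


class StatefulFilter:
    """Toy stateful inspection / dynamic packet filter.

    An outbound SYN records the connection's 4-tuple in the state table; that entry
    is the temporary ACL the slides describe, so the only inbound packets admitted
    are responses to sessions the inside already opened.  The table has a fixed
    capacity so the flooding failure mode can be observed.
    """

    def __init__(self, capacity=1000):
        self.capacity = capacity
        self.state = set()            # (internal_ip, internal_port, external_ip, external_port)
        self.refused_new_sessions = 0

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.state:
                if not pkt.syn:
                    return "DENY"     # outbound data with no session: must start with a SYN
                if len(self.state) >= self.capacity:
                    self.refused_new_sessions += 1
                    return "DENY"     # table full: no room to track another session
                self.state.add(key)   # dynamic ACL entry for the expected reply traffic
            return "ALLOW"
        # inbound: admit only if it answers a tracked outbound session
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.state else "DENY"

    def close(self, pkt):
        """Drop a session's entry once the session is torn down (FIN/RST seen)."""
        self.state.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))


def demo_state_table_flood(capacity=3):
    """Fill a tiny state table with bogus sessions from one internal host, then show
    that a legitimate new session from another host is refused.
    Returns (verdict for the legitimate SYN, number of refused new sessions)."""
    fw = StatefulFilter(capacity=capacity)
    for port in range(40000, 40000 + capacity):   # constructed bogus sessions
        fw.filter(Packet("10.0.0.5", port, "203.0.113.9", 80, "out", syn=True))
    verdict = fw.filter(Packet("10.0.0.6", 51000, "198.51.100.7", 443, "out", syn=True))
    return verdict, fw.refused_new_sessions
```

Real firewalls age entries out with per-state timeouts; the model's close() stands in for that, and without such expiry the table fills exactly as the "flooded with bogus information" bullet describes.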
Kernel Proxy Firewall
- 5th generation
- Creates dynamic, customized TCP/IP stacks for evaluating packets
- Every layer of the stack is scrutinized
- Packet is discarded if anything is deemed unsafe at any of the layers

Firewall Architecture: Bastion Host
- Locked-down or hardened system
- Highly exposed, front-line device
- Existence known on the Internet
- Extremely secure
- Choke router
  - A router with packet filtering rules (ACLs) enabled

Dual-homed Host
- Two interfaces: one facing external, one facing internal
- Firewall software installed to make packet forwarding decisions
- Forwarding in the underlying operating system is turned off so that the ACL rules are applied
- Multihomed
  - Several NICs connect several different computers

Screened Host
- Communicates with a perimeter router and the internal network

Screened Subnet
- More protection than a screened host
- Typical DMZ implementation

Firewall Rules
- Masquerading or spoofing of packets is a common firewall attack
  - Packets from outside with an internal host address: DENY
  - Packets from inside going outside with an internal host address: DENY
- DDoS attack: internal hosts are used as zombies
  - Packets leaving the network with a different source address

Firewall Rules
- When security is top priority
  - Firewall assembles packets and makes the access decision based on the entire packet
- Deny source routing
  - The packet decides the route to get to the destination, not the router
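The anti-spoofing and source-routing rules from the two Firewall Rules slides above, as an added example that is not from the slides. The internal address ranges and the sample packet log are assumed, and the egress rule is implemented as "deny any source address that is not ours", which is what the "different source address" bullet about zombies describes.

```python
import ipaddress

# Assumed internal address space for this example (not from the slides).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(direction, src, dst, source_routed=False):
    """Apply the perimeter rules to one packet.  First matching rule wins.

    direction: "in"  = arriving on the external (Internet) interface
               "out" = leaving through the external interface
    Returns ("DENY", reason) or ("ALLOW", None).
    """
    if source_routed:
        return "DENY", "source routing: the packet, not the router, chose its path"
    if direction == "in" and is_internal(src):
        return "DENY", "ingress spoofing: outside packet claims an internal source"
    if direction == "out" and not is_internal(src):
        return "DENY", "egress spoofing: source not ours (possible DDoS zombie)"
    return "ALLOW", None


# Constructed packet log: (direction, source, destination, source-routed flag).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5",  "10.1.2.3",    False),   # normal inbound reply
    ("in",  "10.1.2.3",     "10.1.2.4",    False),   # internal source arriving from outside
    ("out", "10.1.2.3",     "203.0.113.5", False),   # normal outbound
    ("out", "198.51.100.4", "203.0.113.5", False),   # inside host using a foreign source
    ("in",  "203.0.113.5",  "10.1.2.3",    True),    # source-routed packet
]


def audit(packets):
    """Count denials per reason over a packet log, so an operator can see which
    rule is firing (a sudden rise in egress-spoofing denials points at a zombie)."""
    counts = {}
    for direction, src, dst, srr in packets:
        verdict, reason = evaluate(direction, src, dst, srr)
        if verdict == "DENY":
            counts[reason] = counts.get(reason, 0) + 1
    return counts
```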
Intrusion Detection
- Host- or network-based
- Context and content monitoring
- Positioned at network boundaries
- For defense in depth, deploy sensors at multiple segments
- A sniffer with the capability to detect traffic patterns (attack signatures)

Data Transmission Methods
- Leased line networks
  - Dedicated private facilities
  - Organization leases the network and has dedicated lines for certain facilities
- Dedicated line
  - A private or leased line
  - Lease a line that is dedicated to the organization
- Common carriers
  - A common carrier voice line: AT&T, Verizon, etc.
- Digital communications
  - Passes data encoded in on-off pulses

Web Security
- Secure Sockets Layer (SSL)
  - Transport layer security (TCP based)
  - Widely used for Web-based applications
  - By convention: https://
- Secure Hypertext Transfer Protocol (S-HTTP)
  - Less popular than SSL
  - Used for individual messages rather than sessions

Web Security
- Secure Electronic Transactions (SET)
  - PKI
  - Mostly used for financial data
  - Supported by VISA, MasterCard, Microsoft

Voice and Data Communications - LANs, WANs, and Remote Access

VoIP Security Issues
- VoIP vulnerabilities
  - Gateway issues
  - Because VoIP utilizes UDP traffic
    - DoS attacks
  - Voice communications
    - Eavesdropping
  - Open network to UDP traffic
    - Do not open ports for a wide range of systems

Gateway Issues
- IP PBX gateways
  - Open to DoS attacks
  - Single point of failure
- Interconnection authentication
  - PBX can be fooled into believing that it is talking to another PBX

Eavesdropping
- Voice packets over IP
  - Uses UDP
- Sniffing
- Replay
- Packet injection

Open Network
- Multiple IP phones
- Open port services
  - Utilizes a wide range of ports from 7000 - 8000
- UDP transmission
- Inefficient firewall access control

Remote Networks
- Remote access
- VPN
- Authentication
- Remote access guidelines

Remote Access
- Dial-up / RAS
- ISDN
- DSL
- Cable modems

VPN
- Tunneling protocols
  - Point-to-Point Tunneling Protocol (PPTP)
  - Layer 2 Forwarding (L2F)
    - Works at layer 2
    - Forwards packets from layer 2 and does not consider the upper IP stack
  - Layer 2 Tunneling Protocol (L2TP)
    - Establishes a tunnel at layer 2
  - IPsec
    - Most secure and widely used

IPsec
- IP Security
- Set of protocols developed by IETF
- Standard used to implement VPNs
- Two modes
  - Transport mode
    - Encrypted payload (data)
    - Clear-text header
  - Tunnel mode
    - Encrypted payload and header
- Requires shared public key

Authentication for Remote Access
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Extensible Authentication Protocol (EAP)

Wireless Standards
- 802.11b
- 802.11a
- 802.11g
- 802.16
- WiMAX
- Bluetooth
- WAP

WLAN Components
- Access points (AP)
- Service Set ID (SSID)
- Authentication
  - OSA
  - SKA
- WEP
  - Encryption process for wireless transmission
  - Weak encryption due to repetition of key
- War driving

Network Security Services
- Network layer security
- Transport layer security
- Application layer security
- Identification and authentication

Network Layer Security
- ISO / OSI layer 3
- Provides IP security
- Enables a host to send an encrypted IP packet without prior message exchange
- Protocols include
  - IPsec
  - SKIP
  - SWIPE

Transport Layer Security
- ISO / OSI layer 4
- Secure Sockets Layer (SSL)
  - Used for TCP applications
  - Two-layered protocol
    - One for records
    - The other for handshakes (TCP does the handshake)
  - Uses public key encryption
  - Supports Message Authentication Code (MAC)
  - SSL primarily used for TCP

Application Layer Security
- Secure Electronic Transactions (SET)
  - Secure protocol for messages and transactions
  - Protocol defines a public key infrastructure (PKI)
  - Usually used to protect financial data

Application Layer Security
- Privacy Enhanced Mail (PEM)
  - Internet standard for secure electronic mail
  - Limits disclosure of the message only to privileged users
  - Contains origin authenticity and integrity checks to prevent tampering

Application Layer Security
- Secure Hypertext Transfer Protocol (S-HTTP)
  - Secure HTTP server
  - Supports encryption and authentication of documents over the Internet
  - Provides similar services to SSL
  - SSL and SET are used more often than a secure HTTP server

Application Layer Security
- Secure Remote Procedure Call (SRPC)
  - Uses Diffie-Hellman key generation
  - Server provides encryption services and authentication
  - Used for secure connections between the remote procedure and the initiator
  - Authentication server contains all keys for users and services
  - Self-contained unit
  - Authenticates the server and the client

Network Security Issues
- Types of attacks
  - Spoofing
  - Sniffing
  - Session hijacking
  - IDS attacks
  - SYN floods

Spoofing Attacks
- TCP sequence number prediction
  - After establishment of a TCP session, a sequential number is initiated for data transfer
  - The hacker will craft packets to guess the sequence number
  - Once the sequence number is known, packets are injected into the session
- UDP - easy to spoof because there is no handshake
- DNS - spoofing and manipulation of the IP / hostname pairing
  - Hacker will spoof the IP to establish a session with another domain having the same hostname
- Source routing
  - Spoofing of the paths the packets will take to reach the destination

Sniffing Attacks
- Passive attacks
- Information is gathered in wired or wireless networks
- Monitors the wire for all traffic
- Most effective in shared media networks
- Sniffers used to be hardware
  - Now a software tool
  - Can be deployed from a laptop, PC or any other computing device

Session Hijacking Attacks
- Hacker uses sniffers to
  - Detect sessions
  - Acquire pertinent session info
- Actively injects packets
  - Spoofs the client side of the connection
  - Takes over the session with the server
- Bypasses identification and authentication controls
- Countermeasures
  - Encryption
  - Stateful inspection

IP Fragmentation Attacks
- TCP/IP weakness
- Big packets are fragmented
- Uses fragmentation options in the IP header
- Forces data in the fragmented packet to be overwritten upon reassembly
  - Code is injected while packets are assembled
- Used to circumvent packet filters

IDS Attacks
- Insertion attacks
  - Inserts information to confuse pattern matching
  - Used for attacking pattern-matching IDS
- Evasion attacks
  - Tricks the IDS into not detecting traffic
  - Send a packet with a short Time to Live; once the time expires, the IDS will not recognize the packet
- Open ports
- Stealth SYN attacks

SYN Flood Attacks
- 3-way TCP handshake
  - SYN - the originator sends an initial packet called a "SYN" to establish communication and "synchronize" sequence numbers in counting the bytes of data which will be exchanged
  - SYN/ACK - the destination then sends a "SYN/ACK", which again "synchronizes" its byte count with the originator and acknowledges the initial packet
  - ACK - the originator then returns an "ACK", which acknowledges the packet the destination just sent
- Attacker sends a lot of SYNs
  - Doesn't send ACKs
- Victim
  - Has a lot of open connections
  - Can't accept any more incoming connections
  - Eventually crashing the TCP/IP system
  - Denial of service (DoS)
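An added example (not from the slides) modelling the listener side of the handshake above. With a plain half-open queue, SYNs that never get their ACK exhaust the backlog and a legitimate client is refused; with a simplified SYN-cookie ISN (a keyed hash that the server can recompute on the final ACK instead of a queue entry) the same flood leaves nothing behind. The secret key, addresses, ports and sizes are constructed, and real SYN cookies also encode a timestamp and MSS, which this model omits.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class Listener:
    """Minimal model of a TCP listener's half-open (SYN_RECEIVED) queue."""

    def __init__(self, backlog=128, syn_cookies=False, secret=b"constructed-secret"):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret            # constructed key for the cookie hash
        self.half_open = {}             # (client_ip, client_port) -> server ISN
        self.established = set()

    def _isn(self, client_ip, client_port, client_isn):
        """Server ISN derived from the client's tuple with a keyed hash.  With SYN
        cookies this is the whole trick: the server recomputes it when the final
        ACK arrives, so no per-SYN state is kept while the handshake is pending."""
        msg = f"{client_ip}:{client_port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client_ip, client_port, client_isn):
        """Handle a SYN; return the SYN/ACK sequence number, or None if dropped."""
        isn = self._isn(client_ip, client_port, client_isn)
        if self.syn_cookies:
            return isn                  # nothing queued: the state lives in the ISN
        if len(self.half_open) >= self.backlog:
            return None                 # queue full: new clients are refused
        self.half_open[(client_ip, client_port)] = isn
        return isn

    def on_ack(self, client_ip, client_port, client_isn, ack_num):
        """Handle the final ACK; valid only if it acknowledges server ISN + 1."""
        if self.syn_cookies:
            expected = self._isn(client_ip, client_port, client_isn)
        else:
            expected = self.half_open.pop((client_ip, client_port), None)
        ok = expected is not None and ack_num == (expected + 1) & MASK32
        if ok:
            self.established.add((client_ip, client_port))
        return ok


def simulate(syn_cookies, flood_size=200, backlog=128):
    """Deliver flood_size SYNs that are never acknowledged, then one legitimate
    full handshake.  Returns True if the legitimate client got connected."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(flood_size):          # constructed unanswered SYNs
        srv.on_syn("198.51.100.1", 1024 + i, 1000)
    seq = srv.on_syn("192.0.2.10", 50000, 7777)
    if seq is None:
        return False
    return srv.on_ack("192.0.2.10", 50000, 7777, (seq + 1) & MASK32)
```

On a real host the equivalent observation is a growing count of SYN_RECV sockets on the listening port; the queue model here is what the "has a lot of open connections" and "can't accept any more incoming connections" bullets describe.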