Telecommunications, Network, - PowerPoint PPT Presentation

Slides: 65
Provided by: compHkbu7

Transcript and Presenter's Notes

Chapter 7: Telecommunications, Network, and Internet Security

Data Networks
  • Data network structures
  • Local area network
  • Wide area networks
  • Internet
  • Intranet: the application of Internet
    technologies within an organization
  • Extranet: an intranet extended to selected
    outside parties such as partners, suppliers, or
    customers; the term distinguishes it from both
    the public Internet and the purely internal
    intranet
  • World Wide Web: a set of services on the Internet
    that provides archives of information accessible
    via browsers and search engines

Local Area Network
  • LAN transmission methods
  • LAN media access methods
  • LAN implementations
  • Ethernet (802.3)
  • Token Ring
  • Wireless LAN (802.11)

Wide Area Network
  • Modems (dial-up)
  • ISDN (Integrated Services Digital Network)
  • Point-to-point links
  • xDSL
  • Cable modem
  • X.25
  • Frame Relay
  • ATM

Network Threats and Attacks
  • A great deal of research has been done by skilled
    attackers and security practitioners to probe
    systems, understand their intricacies, and find
    new vulnerabilities or attack methods
  • The results are usually implemented in a program
    or script
  • With the predominance of the WWW and search engines,
    anyone interested in launching an attack can find
    the tools and information on how to do it
  • A less experienced attacker (script kiddie) can
    launch comprehensive and detailed attacks without
    understanding the intricacies of how the attack

Network Mapping and Port Scanning
  • Network mapper: identifies live hosts and
    fingerprints the target's operating system
  • E.g., nmap http//
  • Port scanner: identifies the listening ports on a
    target
  • By conducting a port scan, an attacker can
    identify the services running on the target
    system and then determine how best to attack it
  • E.g., strobe, udp_scan, netcat, portpro, portscan
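
The scan the slide describes, as an added example (not code from the lecture): a TCP connect() scanner in Python, run against a throwaway listener the script itself starts on 127.0.0.1 so it works offline. The port numbers are whatever the OS hands out; the "closed" port is simply one that was free a moment earlier, an assumption that holds on a quiet machine. Scan only hosts you are authorised to test.

```python
import socket
import threading

# Added example, not from the lecture slides: a TCP connect() port scanner of
# the kind the slide describes, aimed at a listener this script starts itself
# on the loopback interface so that it runs offline.  Only scan hosts you are
# authorised to test.


def start_target():
    """Start a throwaway TCP service on 127.0.0.1 and return the bound port.

    Port 0 asks the OS for any free port; the accept loop runs in a daemon
    thread and simply closes each connection, like a service that never talks
    first.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Return a port that is currently not listening (bound briefly, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_connect_scan(host, ports, timeout=0.5):
    """Return the sorted list of ports on host that accepted a full TCP handshake.

    connect() completes SYN / SYN-ACK / ACK and then we close, so the target's
    service sees a real (empty) connection and may log it; a closed port answers
    with RST (ConnectionRefusedError), a filtered one usually answers nothing
    and we hit the timeout.  nmap's default SYN scan (-sS) never sends the final
    ACK, which is quieter but needs raw-socket privileges.
    """
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, socket.timeout):
            continue  # closed (RST) or filtered (no answer)
        except OSError:
            continue  # other failures (e.g. network unreachable) count as not open
        else:
            open_ports.append(port)
        finally:
            s.close()
    return sorted(open_ports)


def demo():
    """Scan a two-port set where exactly one port is listening.

    Returns (listening_port, closed_port, result) so the outcome can be checked.
    """
    listening = start_target()
    closed = free_port()
    result = tcp_connect_scan("127.0.0.1", [closed, listening])
    return listening, closed, result


if __name__ == "__main__":
    lp, cp, res = demo()
    print(f"open: {res}  (expected [{lp}], {cp} should be closed)")
```

The distinction between "refused" and "timed out" is what a scanner uses to tell closed from filtered ports; a firewall that silently drops makes every probe wait the full timeout, which is why real scanners parallelise.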

Vulnerability Scanning
  • After identifying the target's system and
    services, the attacker can research which
    vulnerabilities are likely for that system and
    those services, using scanning tools.
  • Some tools are open source, some are high-quality
    commercial tools for analyzing system

War dialing
  • Attackers use tools called wardialers to find
    modems connected to systems using the telephone
  • Wardialers dial telephone numbers in a defined
    block of numbers looking for computer modem
    tones. In some situations, the modem will not
    require a password to connect and the attacker
    will have access to the system.

Network Exploits(I) Sniffing
  • Sniffers are useful tools for both the network
    manager and the attacker.
  • A sniffer can be hardware, or software running on
    a computer. It accepts all packets received on
    the network interface(s); a network interface
    operating in this manner is in promiscuous mode.
  • Normally, an interface drops packets that are not
    destined for the local computer.
  • Defenses
  • Data encryption: SSH, SSL. A sniffer then sees
    only ciphertext.
  • Use Ethernet switches, so that each port sees only
    its own traffic, and bind switch ports to
    addresses so that ARP spoofing cannot redirect
    other hosts' traffic to the attacker's port.

Network Exploits(II) IP Spoofing
  • IP spoofing is the alteration of the source
    address of an IP packet to make it appear that
    the packet originated at another system.
  • This can be used to initiate denial-of-service
  • IP spoofing makes it difficult to identify the
    real attacker.
  • Defense
  • Use anti-spoofing (ingress/egress filtering)
    configuration on routers: drop packets whose
    source address could not legitimately arrive on
    that interface.

Network Exploits(III) Session Hijacking
  • Session hijacking (or TCP hijacking) allows the
    attacker to take control of a network connection
    while knocking the legitimate user off it.
  • Usually requires monitoring the TCP sequence
    numbers so that injected segments are accepted
  • E.g., Hunt (by
  • Session hijacking tools are used against
    applications with persistent, unencrypted
    connections, such as Telnet, rlogin, or FTP.
  • For more details, please check
  • http//

Denial-of-Service Attack
  • An attack against the availability of a service
  • Prevent legitimate users from being able to
    access the service
  • Malformed packet attacks
  • A few packets that are formatted in an unexpected
  • Ping of death, WinNuke, Land, NewTear, etc.
  • Packet flood attacks
  • Send a large number of packets to the target until
    it cannot respond to requests any longer
  • SYN floods
  • Smurf
  • DDoS

TCP SYN Flooding
  • Read http//
    l (required!)
  • Normal TCP connection setup
  • The client system begins by sending a SYN message
    to the server. The server then acknowledges the
    SYN message by sending SYN-ACK message to the
    client. The client then finishes establishing the
    connection by responding with an ACK message.
  • Half-open TCP connection
  • the server has sent an acknowledgment (SYN-ACK)
    back to the client but has not yet received the
    client's ACK
  • The server has built in its system memory a data
    structure describing all pending connections.
    This data structure is of finite size, and it can
    be made to overflow by intentionally creating too
    many partially-open connections.
  • Attack by creating TCP "half-open" connections
  • The attacking system sends SYN messages to the
    victim server; these appear to be legitimate but
    in fact carry a spoofed source address of a client
    system that is unable to respond to the SYN-ACK
  • The final ACK message will never be sent to the
    victim server system.
  • The half-open connections will eventually expire
    and the victim server system will recover.
    However, the attacking system can simply continue
    sending IP-spoofed packets requesting new
    connections faster than the victim system can
    expire the pending connections.
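
The backlog exhaustion described above, simulated, beside the SYN-cookie defence in which the server keeps no state for a half-open connection. This is an added example, not part of the slides: the backlog size, timeout, time-slot width and the cookie layout (24 bits of MAC, 8 bits of time slot) are simplified assumptions, and the addresses are from the RFC 5737 documentation ranges. Linux's implementation, enabled by the net.ipv4.tcp_syncookies sysctl, follows the same idea with different constants.

```python
import hashlib
import hmac
import os

# Added example, not part of the slides: a simulation of the backlog exhaustion
# described above, beside the SYN-cookie defence in which the server keeps no
# state for a half-open connection.  Sizes, timeouts and the cookie layout are
# simplified assumptions; Linux's implementation (net.ipv4.tcp_syncookies)
# differs in detail.  Addresses are from the RFC 5737 documentation ranges.

BACKLOG_SIZE = 128        # finite table of pending (half-open) connections
SYN_RECV_TIMEOUT = 60.0   # seconds a half-open entry survives before it expires
SLOT = 64                 # seconds per cookie time slot


class NaiveListener:
    """Classic behaviour: every SYN occupies a backlog slot until the ACK arrives."""

    def __init__(self, now):
        self.now = now          # injectable clock, so the demo is deterministic
        self.backlog = {}       # (src_ip, src_port) -> expiry time

    def on_syn(self, src_ip, src_port):
        t = self.now()
        for k in [k for k, exp in self.backlog.items() if exp <= t]:
            del self.backlog[k]                     # expire old half-open entries
        if len(self.backlog) >= BACKLOG_SIZE:
            return "SYN dropped: backlog full"      # legitimate clients fail here
        self.backlog[(src_ip, src_port)] = t + SYN_RECV_TIMEOUT
        return "SYN-ACK sent"


class CookieListener:
    """SYN-cookie behaviour: the SYN-ACK's initial sequence number (ISN) is a
    MAC over the connection 4-tuple and a coarse timestamp.  Nothing is stored;
    a later ACK is valid only if it acknowledges an ISN we could have issued."""

    def __init__(self, now, secret=None):
        self.now = now
        self.secret = secret or os.urandom(16)

    def _cookie(self, src_ip, src_port, dst_port, slot):
        msg = f"{src_ip}|{src_port}|{dst_port}|{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # 24 bits of MAC in the high bytes, low 8 bits carry the time slot
        return (int.from_bytes(mac[:3], "big") << 8) | (slot & 0xFF)

    def on_syn(self, src_ip, src_port, dst_port=80):
        """Return the ISN to put in the SYN-ACK; no backlog entry is created."""
        return self._cookie(src_ip, src_port, dst_port, int(self.now()) // SLOT)

    def on_ack(self, src_ip, src_port, ack_num, dst_port=80):
        """Third handshake message: ACK must equal our ISN + 1.  Recompute the
        cookie for the current and previous slot and compare."""
        isn = (ack_num - 1) & 0xFFFFFFFF
        current = int(self.now()) // SLOT
        for slot in (current, current - 1):
            if slot & 0xFF != isn & 0xFF:
                continue
            expected = self._cookie(src_ip, src_port, dst_port, slot)
            if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
                return True
        return False


def flood_demo(syn_count=200):
    clock = [1_000_000.0]

    def now():
        return clock[0]

    # attacker sends syn_count SYNs from spoofed, unreachable sources at once
    naive = NaiveListener(now)
    dropped = sum(naive.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i) != "SYN-ACK sent"
                  for i in range(syn_count))
    legit_naive = naive.on_syn("198.51.100.7", 51515)   # real client arriving now

    # same flood against a cookie listener: no state, no cost beyond one HMAC per SYN
    cookie = CookieListener(now)
    for i in range(syn_count):
        cookie.on_syn(f"203.0.113.{i % 254 + 1}", 40000 + i)
    isn = cookie.on_syn("198.51.100.7", 51515)
    legit_cookie = cookie.on_ack("198.51.100.7", 51515, (isn + 1) & 0xFFFFFFFF)
    forged = cookie.on_ack("198.51.100.7", 51515, (isn + 2) & 0xFFFFFFFF)
    return {"naive_dropped": dropped, "naive_legit": legit_naive,
            "c:ookie_legit": None, "cookie_legit": legit_cookie, "cookie_forged": forged}
```

With the clock frozen, 200 spoofed SYNs fill a 128-entry backlog and the 129th onward are dropped, including the legitimate client's; the cookie listener accepts the legitimate ACK because it can recompute the cookie, and rejects a guessed one. The cost of cookies is that TCP options carried in the SYN cannot be remembered, which is why real stacks enable them only under pressure.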

Smurf Denial-of-Service Attack
  • Read http//
    l (required!)
  • Two components:
  • the use of forged ICMP echo request packets (IP
  • the direction of packets to IP broadcast
  • On IP networks, a packet can be directed to an
    individual machine or broadcast to an entire
  • When a packet is sent to an IP broadcast address
    from a machine on the local network, that packet
    is delivered to all machines on that network.
  • When a packet is sent to that IP broadcast
    address from a machine outside of the local
    network, it is broadcast to all machines on the
    target network (as long as routers are configured
    to pass along that traffic).
  • In the "smurf" attack, attackers are using ICMP
    echo request packets directed to IP broadcast
    addresses from remote locations to generate
    denial-of-service attacks.
  • Three parties: the attacker, the intermediary,
    and the victim
  • The attacker creates forged packets (ICMP echo
    requests) that carry the spoofed source address
    of the attacker's intended victim.
  • The intermediary receives an ICMP echo request
    packet directed to the IP broadcast address of
    their network.
  • If the intermediary does not filter ICMP traffic
    directed to IP broadcast addresses, many of the
    machines on the network will receive this ICMP
    echo request packet and send an ICMP echo reply
    packet back.
  • They send replies to the victim's machine. The
    victim is subjected to network congestion that
    could potentially make the network unusable.
  • Solutions
  • Disable IP-directed broadcasts at the routers.
  • Configure the operating system to prevent the
    machine from responding to ICMP packets sent to
    IP broadcast addresses.

  • Early DoS attack technology involved simple tools
    that generated and sent packets from a single
    source aimed at a single destination.
  • Today, the most common DoS attack type involves
    sending a large number of packets to a
    destination causing excessive amounts of
    endpoint, and possibly transit, network bandwidth
    to be consumed. Such attacks are commonly
    referred to as packet flooding attacks.
  • TCP floods: A stream of TCP packets with various
    flags set is sent to the victim IP address. The
    SYN, ACK, and RST flags are commonly used.
  • ICMP echo request/reply (e.g., ping floods): A
    stream of ICMP packets is sent to a victim IP
  • UDP floods: A stream of UDP packets is sent to
    the victim IP address.
  • From 1999, multiple-source DoS, or DDoS, tools
    began to be deployed: trinoo, TFN2K, mstream,
    t0rnkit, carko, Code Red II, Nimda worm
  • Distributed Denial-of-Service
  • Optional reading
  • http//

Stack-based Buffer Overflow
  • Will be introduced in detail in the next lecture.

Password Cracking
  • Most systems and applications authenticate the
    user with a static password.
  • Most operating systems store passwords in hashed
    (one-way transformed, often loosely called
    "encrypted") form.
  • To crack the passwords, the attacker needs
  • Acquisition of the password database (without
    shadow passwords this is easy; with shadow
    passwords the attacker may use a buffer
  • Knowledge of the password hashing algorithm
  • A program that hashes candidate passwords and
    compares them with the stored values (dictionary
    attack or brute force)
  • E.g., Crack 5.0a, John the Ripper, pwdump2
  • It is important to choose strong passwords
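
The three cracking steps above carried out on a constructed shadow-style file, as an added example that is not part of the slides. The hash is a salted SHA-256 written in a crypt(3)-like "$id$salt$hash" layout so every step is visible; the "$demo$" identifier, the users, salts, passwords and wordlist are all constructed. Real systems use deliberately slow functions (sha512crypt, bcrypt, scrypt, Argon2), which raises the cost per guess but does not change the method.

```python
import hashlib
import itertools
import string

# Added example, not part of the slides: the three steps of password cracking
# run against a constructed shadow-style file.  The hash is a salted SHA-256
# written in a crypt(3)-like "$id$salt$hash" layout so the steps are visible;
# real systems use deliberately slow functions (sha512crypt, bcrypt, scrypt,
# Argon2), which changes the cost but not the method.  Users, salts and
# passwords are constructed.


def digest(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, password, salt):
    """One line in the same shape as an /etc/shadow entry."""
    return f"{user}:$demo${salt}${digest(password, salt)}"


def check(hash_field, candidate):
    """What login does: hash the candidate with the stored salt and compare."""
    _, _, salt, stored = hash_field.split("$")
    return digest(candidate, salt) == stored


def mangle(word):
    """Typical wordlist rules: as-is, capitalised, digit suffix, 'a' -> '@'."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
        yield f"{word.capitalize()}{d}"
    yield word.replace("a", "@")


def dictionary_attack(shadow_lines, wordlist):
    """Return {user: password} for every account a wordlist guess matches.

    Because each entry has its own salt, the digest of a guess is recomputed
    per account; without salts one computation per guess would test every user.
    """
    cracked = {}
    for line in shadow_lines:
        user, field = line.split(":", 1)
        for word in wordlist:
            hit = next((c for c in mangle(word) if check(field, c)), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def brute_force(hash_field, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustive search over short lowercase strings; cost is sum(|A|^n)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if check(hash_field, cand):
                return cand
    return None


def demo():
    shadow = [
        make_entry("alice", "Sunshine7", "1a2b3c4d"),
        make_entry("bob", "p@ssword", "9f8e7d6c"),
        make_entry("carol", "xk9#Qv2!Lm", "0badcafe"),   # long, random: survives both attacks
        make_entry("dave", "qzx", "00000000"),           # short: falls to brute force
    ]
    wordlist = ["password", "sunshine", "letmein", "dragon"]
    cracked = dictionary_attack(shadow, wordlist)
    dave_field = shadow[3].split(":", 1)[1]
    cracked["dave"] = brute_force(dave_field)
    return cracked
```

Two of the four accounts fall to a four-word list with mangling rules, the three-letter password to a few thousand hash computations, and only the long random one survives; that is the whole argument for strong passwords and for slow, salted hashes.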

Trojan Horses and Rootkits
  • The Trojan horse appears to serve some useful
    purpose, yet it is really just disguising the
    malicious operation.
  • A rootkit is a more powerful Trojan horse.
  • The attacker must first get root access, then use
    the rootkit to keep that access by preventing an
    administrator from finding the access.
  • It typically contains a large number of Trojan
    horse programs that replace or patch critical
    system programs. They blind the administrators
    and convince them that nothing is out of the
  • Kernel-level rootkits are even more powerful and
    difficult to handle, because they subvert the
    kernel itself, so user-space tools cannot be
    trusted to report what is really running.

Security Technology and Tools
  • Data Encryption
  • Data encryption can be accomplished at several
  • It hides the information from unauthorized
  • Combined with an integrity mechanism (a MAC or
    digital signature), it alerts us when the message
    has been corrupted or altered; encryption alone
    does not detect modification.

Firewalls
  • A method of protecting one network from another
    untrusted network.
  • A firewall has two components: one to block
    traffic and another to allow authorized traffic
  • Firewalls can be packet filters, proxies, or a
    combination of the two.
  • Packet filtering analyzes packets and compares
    them to a set of rules to determine whether each
    packet should be allowed through or
  • A proxy acts as a middleman in the connection
    process. The user's session establishes a
    connection to the proxy, which in turn
    establishes a connection to the external system.

Packet Filter
  • Packet filter firewalls operate at layer 3
    (network layer), reading the transport header
    too. Decisions on whether to allow or deny the
    packet are made by examining the packet header
    for the following information
  • Source IP address
  • Destination IP address
  • Source port (UDP, TCP)
  • Destination port (UDP, TCP)
  • Acknowledgement bit (TCP)
  • Packet filters are vulnerable to spoofing of
    source and destination addresses and ports,
    because they judge each packet on its own header
    without tracking connection state.
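
A stateless packet filter over exactly the header fields listed above, as an added example that is not part of the slides. It puts the anti-spoofing (ingress filtering) rule from the IP-spoofing slide and the directed-broadcast rule from the smurf slide ahead of an ordinary first-match rule table, and uses the ACK bit to admit replies to inside-initiated connections. Interface names, the protected network, the hosts and the rules are all constructed (RFC 5737 addresses); a real filter expresses the same rules in a vendor rule language.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not part of the slides: a stateless packet filter of the kind
# described above, with the anti-spoofing (ingress) rule from the IP-spoofing
# slide and the directed-broadcast rule from the smurf slide in front of the
# ordinary rule table.  Interface names, networks and rules are constructed
# (RFC 5737 documentation addresses); real filters use a vendor rule language.


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK flag: clear only on the first SYN of a connection


INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]          # the protected LAN
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def antispoof(pkt):
    """Ingress filtering (BCP 38): a packet arriving from the Internet may not
    claim an inside, private or loopback source address."""
    if pkt.iface != "ext":
        return None
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in INTERNAL_NETS + PRIVATE_NETS):
        return "drop: spoofed source on external interface"
    return None


def directed_broadcast(pkt):
    """Refuse to forward outside packets addressed to an inside subnet's
    broadcast address, so our LAN cannot be used as a smurf amplifier."""
    if pkt.iface != "ext":
        return None
    dst = ipaddress.ip_address(pkt.dst)
    if any(dst == net.broadcast_address for net in INTERNAL_NETS):
        return "drop: IP directed broadcast"
    return None


# Ordinary rules, first match wins.  Each rule lists the header fields it
# constrains; a field that is absent matches anything.
RULES = [
    dict(iface="ext", proto="tcp", dst="192.0.2.10", dport=25, action="allow"),    # SMTP to mail host
    dict(iface="ext", proto="tcp", dst="192.0.2.20", dport=80, action="allow"),    # HTTP to web host
    # Replies to connections opened from inside: ACK set and a high port.  A
    # bare SYN (ack=False) from outside to a high port does not match.
    dict(iface="ext", proto="tcp", dport_min=1024, ack=True, action="allow"),
    dict(iface="int", action="allow"),                                              # inside may go anywhere
]


def matches(rule, pkt):
    for field in ("iface", "proto", "src", "dst", "sport", "dport", "ack"):
        if field in rule and getattr(pkt, field) != rule[field]:
            return False
    if "dport_min" in rule and pkt.dport < rule["dport_min"]:
        return False
    return True


def filter_packet(pkt):
    for check in (antispoof, directed_broadcast):
        verdict = check(pkt)
        if verdict:
            return verdict
    for rule in RULES:
        if matches(rule, pkt):
            return rule["action"]
    return "drop: default deny"


def demo():
    """Verdicts for a set of constructed packets, in order."""
    packets = [
        Packet("ext", "198.51.100.5", "192.0.2.20", "tcp", 40000, 80),             # web request: allow
        Packet("ext", "198.51.100.5", "192.0.2.30", "tcp", 40000, 22),             # SSH to workstation: deny
        Packet("ext", "192.0.2.77", "192.0.2.20", "tcp", 40000, 80),               # inside source from outside: spoof
        Packet("ext", "198.51.100.5", "192.0.2.255", "icmp"),                      # echo to broadcast: smurf
        Packet("ext", "198.51.100.5", "192.0.2.30", "tcp", 80, 35000, ack=True),   # reply to inside client: allow
        Packet("ext", "198.51.100.5", "192.0.2.30", "tcp", 80, 35000, ack=False),  # new connection to high port: deny
        Packet("int", "192.0.2.30", "198.51.100.5", "tcp", 35000, 80),             # outbound: allow
    ]
    return [filter_packet(p) for p in packets]
```

The fifth packet shows the weakness the slide names: the filter admits any segment with the ACK bit set and a high destination port, so an outsider who sets ACK on a crafted packet (an "ACK scan") gets through, because nothing here remembers whether an inside host ever sent the SYN. A stateful firewall closes that gap by keeping a connection table.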

Application Proxy Servers
  • Application-level gateway, or proxy server
  • Proxy servers act as a relay between the source
    and destination systems.
  • Application proxies support authentication very
    well and are often combined with caching services
    to reduce network congestion.
  • There must be a specific proxy for each type of
    service. E.g. a telnet proxy cannot be used for
    FTP service.

Circuit-Level Gateway
  • Similar to the proxy, there is no direct
    connection between the systems. But at different
  • SOCKS, RFC 1928
  • A protocol for handling TCP traffic through a
    proxy server; can be used with virtually any TCP
  • Two components: SOCKS server and SOCKS client
  • It enables hosts on one side of a SOCKS server to
    gain access to hosts on the other side of a SOCKS
    server, without requiring direct IP reachability.
  • It checks incoming and outgoing connections and
    hides the IP addresses of client applications.
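
The SOCKS5 messages of RFC 1928 as byte strings, with a small gateway policy on top, as an added example that is not part of the slides. The message layouts, method, command, address-type and reply codes are the RFC's; the gateway's policy (CONNECT only, no outbound port 25), its public address 203.0.113.1 and the destinations are constructed. Nothing is sent on the network: the client builds a request, the gateway parses it and answers.

```python
import ipaddress
import struct

# Added example, not part of the slides: SOCKS5 (RFC 1928) messages encoded and
# decoded as the client and the circuit-level gateway would, plus a constructed
# gateway policy.  Nothing is sent over a network.

SOCKS_VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_BIND, CMD_UDP = 0x01, 0x02, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED, REP_ATYP_UNSUPPORTED = 0x00, 0x02, 0x07, 0x08


def client_greeting(methods):
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([SOCKS_VER, len(methods), *methods])


def server_select_method(greeting, offered):
    """VER | METHOD: pick the first client method the server is willing to use."""
    if greeting[0] != SOCKS_VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    for m in greeting[2:]:
        if m in offered:
            return bytes([SOCKS_VER, m])
    return bytes([SOCKS_VER, METHOD_NONE_ACCEPTABLE])  # client must close


def _encode_addr(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                       # not an IP literal: send the name
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for a one-byte length")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def _decode_addr(buf, off):
    atyp = buf[off]
    off += 1
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError(f"unsupported ATYP {atyp:#x}")
    port = struct.unpack("!H", buf[off:off + 2])[0]
    return host, port, off + 2


def client_request(cmd, host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([SOCKS_VER, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)


def parse_request(buf):
    if buf[0] != SOCKS_VER or buf[2] != 0x00:
        raise ValueError("malformed request")
    host, port, end = _decode_addr(buf, 3)
    if end != len(buf):
        raise ValueError("trailing bytes after request")
    return buf[1], host, port


def server_reply(rep, bnd_host="0.0.0.0", bnd_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([SOCKS_VER, rep, 0x00]) + _encode_addr(bnd_host) + struct.pack("!H", bnd_port)


def parse_reply(buf):
    host, port, _ = _decode_addr(buf, 3)
    return buf[1], host, port


def gateway_handle(req, blocked_ports=frozenset({25})):
    """Constructed gateway policy: only CONNECT, never to a blocked port.  On
    success the relay opens the outward TCP connection itself, so the
    destination sees the gateway's address (203.0.113.1 here), not the client's."""
    cmd, host, port = parse_request(req)
    if cmd != CMD_CONNECT:
        return server_reply(REP_CMD_UNSUPPORTED)
    if port in blocked_ports:
        return server_reply(REP_RULESET)
    return server_reply(REP_OK, "203.0.113.1", 40001)


def demo():
    req = client_request(CMD_CONNECT, "example.com", 443)
    return {
        "method": server_select_method(client_greeting([METHOD_NOAUTH, METHOD_USERPASS]), {METHOD_USERPASS}),
        "no_method": server_select_method(client_greeting([METHOD_NOAUTH]), {METHOD_USERPASS}),
        "parsed": parse_request(req),
        "allowed": parse_reply(gateway_handle(req)),
        "smtp": parse_reply(gateway_handle(client_request(CMD_CONNECT, "198.51.100.9", 25))),
        "bind": parse_reply(gateway_handle(client_request(CMD_BIND, "2001:db8::1", 8080))),
    }
```

Because the client can hand the gateway a domain name (ATYP 0x03), name resolution can happen on the gateway side too, which is what keeps both the client's address and its DNS lookups off the outside network.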

Firewall Platforms
  • Host-based Gateway
  • Use an operating system platform like Unix,
    Linux, and MS Windows to provide the underlying
    operating resources.
  • Appliance
  • Use specialized hardware, often running some form
    of proprietary operating system.
  • Desktop Firewalls
  • Reside on the user's workstation and provide
    firewall services between the host and the

Firewall Limitations
  • cannot protect from attacks that bypass it
  • e.g. sneaker net, unauthorized modems, trusted
    organisations, trusted services (e.g. SSL/SSH
    tunnels the firewall cannot inspect)
  • cannot protect against internal threats
  • e.g. a disgruntled employee
  • cannot protect against transfer of all
    virus-infected programs or files
  • because of the huge range of O/S and file types

Remote Access Security
  • Remote access technologies consist of any
    technology and application that allows a user
    access to the organizational network when he does
    not have a physical LAN connection.
  • Security elements
  • Authentication: login credentials
  • Access restrictions: what resources the user can
  • Time restrictions: when and for what duration
  • Connection restrictions: limits on simultaneous
    connections per user, consecutive failed login
  • Protocol restrictions: restrict what protocols
    and services are available

Link-level Security
  • Remote access services must include the ability
    to authenticate a user and establish a reliable
  • Point-to-Point Protocol (PPP) can be used for
    establishing the connection.
  • The following protocols can be used for
  • Password Authentication Protocol (PAP), RFC 1334
    (1992)
  • Uses a two-way handshake between the client and
    the server. User ID and password are transmitted in
  • Challenge Handshake Authentication Protocol (CHAP),
    RFC 1334 (updated by RFC 1994)
  • Uses a three-way handshake. Upon connection, the
    server sends the connecting system a random
    challenge. The client hashes the challenge together
    with its secret (MD5 in RFC 1994) and returns the
    digest; the password itself never crosses the link.
  • Extensible Authentication Protocol (EAP), RFC 2284
    (1998)
  • A general protocol for PPP authentication which
    supports multiple authentication mechanisms.
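
The PAP and CHAP exchanges as byte strings, as an added example that is not part of the slides. Packet layouts are those of RFC 1334 (PAP) and RFC 1994 (CHAP, MD5 over identifier, secret and challenge); the PPP framing around them is omitted, and the peer names, secrets and wordlist are constructed. A "sniffer view" of each exchange shows what a passive listener on the link learns, and a final function shows what CHAP does not protect against: offline guessing of a weak secret from a captured challenge and response.

```python
import hashlib
import hmac
import os
import struct

# Added example, not part of the slides: the PAP (RFC 1334) and CHAP (RFC 1994)
# exchanges as byte strings, with a "sniffer" view of what each leaks on the
# link.  Peer names and secrets are constructed; the PPP framing around the
# authentication packets is omitted.

PAP_AUTH_REQ = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def _pkt(code, ident, body):
    # common header of both protocols: Code, Identifier, Length (incl. header)
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# --- PAP: two-way handshake, password in the clear -------------------------

def pap_request(ident, peer_id, password):
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _pkt(PAP_AUTH_REQ, ident, body)


def pap_parse(pkt):
    """Anyone on the link can do this: the password is a plain field."""
    code, ident, _ = struct.unpack("!BBH", pkt[:4])
    n = pkt[4]
    peer_id = pkt[5:5 + n]
    m = pkt[5 + n]
    password = pkt[6 + n:6 + n + m]
    return code, ident, peer_id, password


# --- CHAP: three-way handshake, only a digest crosses the link --------------

def chap_packet(code, ident, value, name):
    return _pkt(code, ident, bytes([len(value)]) + value + name)


def chap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:]


def chap_challenge(ident, authenticator_name, size=16):
    return chap_packet(CHAP_CHALLENGE, ident, os.urandom(size), authenticator_name)


def chap_digest(ident, secret, challenge):
    # RFC 1994: MD5 over Identifier || secret || Challenge Value
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_response(challenge_pkt, peer_name, secret):
    _, ident, challenge, _ = chap_parse(challenge_pkt)
    return chap_packet(CHAP_RESPONSE, ident, chap_digest(ident, secret, challenge), peer_name)


def chap_verify(challenge_pkt, response_pkt, secrets_db):
    """Authenticator side: recompute with the stored secret for the claimed name.
    The identifier ties the response to this challenge, so an old captured
    response cannot be replayed against a fresh challenge."""
    _, c_ident, challenge, _ = chap_parse(challenge_pkt)
    code, r_ident, digest, name = chap_parse(response_pkt)
    if code != CHAP_RESPONSE or r_ident != c_ident or name not in secrets_db:
        return False
    return hmac.compare_digest(chap_digest(c_ident, secrets_db[name], challenge), digest)


def chap_offline_guess(challenge_pkt, response_pkt, wordlist):
    """What CHAP does not prevent: a sniffer holding challenge and response
    can test candidate secrets offline, so the secret must be strong."""
    _, ident, challenge, _ = chap_parse(challenge_pkt)
    _, _, digest, _ = chap_parse(response_pkt)
    for guess in wordlist:
        if chap_digest(ident, guess, challenge) == digest:
            return guess
    return None


def demo():
    secrets_db = {b"alice": b"letmein"}           # constructed authenticator database
    pap_leak = pap_parse(pap_request(7, b"alice", b"letmein"))[3]   # sniffer gets the password
    chal = chap_challenge(1, b"nas01")
    resp = chap_response(chal, b"alice", secrets_db[b"alice"])
    ok = chap_verify(chal, resp, secrets_db)
    chal2 = chap_challenge(2, b"nas01")
    replay_ok = chap_verify(chal2, resp, secrets_db)   # old response, new challenge
    guessed = chap_offline_guess(chal, resp, [b"hunter2", b"password", b"letmein"])
    return {"pap_leak": pap_leak, "chap_ok": ok, "chap_replay_ok": replay_ok, "chap_guessed": guessed}
```

CHAP also requires the authenticator to hold the secret in recoverable form (it must feed it to MD5), which is the opposite of the hashed password storage discussed earlier; EAP methods that run TLS inside the PPP link avoid both problems.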

Securing Network Services
  • In the 1980s, Sun Microsystems developed the
  • Network Information Service (NIS)
  • Network File Systems (NFS)
  • Remote Procedure Call (RPC)
  • Allow networked workstations to operate as if
    they were a single system.
  • HP, DEC, and IBM all implemented NIS, NFS, RPC on
    their UNIX implementations.

Remote Procedure Call (RPC)
  • RPC provides the ability to execute a function on
    another computer in a reasonably transparent
    fashion. It allows for distributed programs.
  • RPC authentication
  • Client programs must be able to authenticate
    themselves to an RPC server before the server
    executes the requested function.
  • There are several different RPC authentication
  • AUTH_NONE: no authentication, anonymous access
  • AUTH_UNIX: the RPC client sends its Unix UID and
    GID to the server. The server implicitly trusts
    that the user is who he claims to be, so anyone
    who can send packets can claim any UID.
  • AUTH_DES: authentication based on public key
    cryptography and DES, not widely available except
    in Sun Microsystems implementations
  • AUTH_KERB: authentication based on Kerberos, but
    depends on a Kerberos server being available in
    the network

Secure RPC
  • Sun Microsystems later developed Secure RPC to
    address the security weaknesses.
  • Use Diffie-Hellman key exchange mechanism and DES
    for encrypting information sent over the network.
  • When coupled with higher-level protocols like
    NFS, Secure RPC can create a very secure network.
  • Secure RPC authentication
  • Use Diffie-Hellman key exchange.
  • Each Secure RPC entity has a public and a private
    key, both of which are stored on the Secure RPC
    server. The public key is stored unencrypted; the
    secret key is stored encrypted with the entity's

Network Information Services (NIS)
  • NIS is a distributed database system allowing
    network users the capability to share password
    files, group files, host tables, and other files
    over the network.
  • The files appear to be available on every
    computer, but they are actually stored on only a
    single computer called the NIS server.
  • With NIS, a large network can be managed more
    easily because all of the account and
    configuration information needs to be stored on
    only a single machine.

Limitations with NIS
  • NIS stores the hashed password values in the
    passwd map, which can be downloaded by any user
    and attacked offline.
  • Spoofing NIS
  • NIS clients get information from a NIS server
    through RPC calls.
  • Under early SunOS versions of the NIS service, it
    was possible for an attacker to supply his own
    version of the password file in reply to a login
    request, and thereby gain access to the system.

NIS+
  • NIS+ provides increased security.
  • Each NIS+ domain has one and only one NIS+ root
    domain server. It contains the master copy of the
    information stored in the NIS+ root domain.
  • There may also be NIS+ servers for sub-domains.
  • Entities that communicate using NIS+ are called
    NIS+ principals. Each NIS+ principal has a public
    key and a secret key stored on an NIS+ server.
    All communications between NIS+ servers and NIS+
    principals use Secure RPC.

Virtual Private Networks (VPN)
  • WANs are used to build private networks for
    organizations to transfer their private data.
  • X.25 -> Frame Relay -> ATM
  • Very expensive
  • Internet connections are comparatively cheap, but
    the Internet is a publicly shared network.
  • Eavesdropping, packet manipulation, spoofing,
  • VPN addresses these security concerns by
    implementing encryption, data integrity, and
  • The VPN Consortium (http//
    supports the following standards
  • Point-to-Point Tunneling Protocol (PPTP)
  • IPSec with encryption
  • Layer 2 Tunneling Protocol (L2TP) over IPSec

Point-to-Point Tunneling Protocol (PPTP)
  • Based on Microsoft's Remote Access Services
    (RAS), first included in Windows NT.
  • PPTP is a layer 2 protocol, also containing
    data-link information. PPP is often used over
  • With PPTP, authentication is done using PPP with
    CHAP, PAP, or EAP.

IPSec
  • IPSec is a collection of protocols forming an
    extension to the Internet Protocol. It provides
    authentication and encryption services.
  • The specification is quite complex
  • defined in numerous RFCs: RFC 2401/2402/2406/2408
  • It is mandatory in IPv6, optional in IPv4
  • Three protocols are used to provide the IPSec
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Internet Key Exchange (IKE) (RFC 2409)

IPSec Services
  • Access control
  • Connectionless integrity
  • Data origin authentication
  • Rejection of replayed packets
  • Confidentiality
  • Limited traffic flow confidentiality

Security Association
  • IPSec provides many options for performing
    network encryption and authentication
  • Lots of information to manage
  • SA: security association
  • a relationship between two or more entities that
    describes how the entities will use security
    services to communicate securely
  • Unidirectional: a two-way exchange needs one SA
    in each direction
  • Identified by a unique number called the SPI
    (security parameter index), together with the
    destination IP address and the security protocol
    in use (AH or ESP)

IPSec Authentication Header (AH)
  • provides support for data integrity and
    authentication of IP packets
  • end system/router can authenticate user/app
  • prevents address spoofing attacks, because the
    source and destination addresses are covered by
    the MAC
  • prevents replay attacks by tracking sequence
  • Authentication is based on use of a MAC
  • HMAC-MD5-96 or HMAC-SHA-1-96
  • parties must share a secret key

IPSec Authentication Header
Scope of AH Authentication

Transport mode, IPv4: The AH is inserted after the
original IP header and before the IP payload.
Authentication covers the entire packet, excluding
mutable fields in the IPv4 header, which are set to
zero for the MAC calculation.

Tunnel mode, IPv4: The entire original IP packet is
authenticated, and the AH is inserted between the
original IP header and a new outer IP header. The
inner IP header carries the ultimate source and
destination addresses, while the outer IP header
contains different IP addresses (typically those of
the security gateways).
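
Transport-mode AH over a constructed IPv4/UDP packet, as an added example that is not part of the slides. It builds the IP header and the AH, computes the HMAC-SHA-1-96 ICV with the mutable fields zeroed as RFC 2402 and RFC 2404 specify, and then checks the packet as a receiver would: after a router hop (TTL and checksum changed), after a payload bit flip, after the source address is rewritten, and when the same sequence number arrives twice. The key, addresses (RFC 5737), SPI and payload are constructed; the packet is built and checked in memory.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not part of the slides: transport-mode AH over a constructed
# IPv4/UDP packet, showing which header fields the HMAC-SHA-1-96 ICV covers
# (RFC 2402/2404).  Key, addresses (RFC 5737), SPI and payload are constructed;
# the packet is built and checked in memory, nothing is sent.

AH_LEN = 24          # 12 fixed bytes + 96-bit ICV
IP_PROTO_AH = 51


def ip_checksum(hdr):
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, total_len, ttl=64, tos=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000, ttl,
                      IP_PROTO_AH, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr):
    """Fields a router may change in transit are zeroed before the MAC is
    computed: TOS, flags/fragment offset, TTL and the header checksum.
    Everything else, including source and destination address, is covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                      # TOS / DSCP
    h[6:8] = b"\x00\x00"          # flags + fragment offset
    h[8] = 0                      # TTL
    h[10:12] = b"\x00\x00"        # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    # ICV field is zero while computing; HMAC-SHA-1 output truncated to 96 bits
    data = zero_mutable(ip_hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_ah_packet(key, src, dst, spi, seq, payload, next_header=17, ttl=64):
    # AH: Next Header, Payload Len (AH length in 32-bit words minus 2 = 4), Reserved, SPI, Seq
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    ip = ipv4_header(src, dst, 20 + AH_LEN + len(payload), ttl=ttl)
    return ip + ah_fixed + ah_icv(key, ip, ah_fixed, payload) + payload


def router_hop(packet):
    """What a router does: decrement TTL and fix the checksum.  AH must survive this."""
    h = bytearray(packet[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h) + packet[20:]


class ReplayWindow:
    """Anti-replay: accept each sequence number once, within a sliding window."""

    def __init__(self, size=64):
        self.size, self.highest, self.seen = size, 0, set()

    def accept(self, seq):
        if seq == 0 or seq in self.seen or seq <= self.highest - self.size:
            return False
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - self.size}
        return True


def verify_ah(key, packet, window):
    ip, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    _, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    if not hmac.compare_digest(ah[12:], ah_icv(key, ip, ah[:12], payload)):
        return "drop: bad ICV"
    if not window.accept(seq):
        return "drop: replayed sequence number"
    return f"accept spi={spi:#x} seq={seq}"


def demo():
    key = b"k" * 20   # constructed 160-bit key; real SAs are keyed per direction
    pkt = build_ah_packet(key, "198.51.100.1", "192.0.2.1", 0x1000, 1, b"hello udp")
    window = ReplayWindow()
    results = {"fresh": verify_ah(key, pkt, window)}
    results["after_hop"] = verify_ah(key, router_hop(pkt), ReplayWindow())   # TTL change tolerated
    results["replay"] = verify_ah(key, pkt, window)                           # same seq on same SA
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])                             # payload bit flipped
    results["tampered"] = verify_ah(key, tampered, ReplayWindow())
    spoofed = bytearray(pkt)                                                  # source rewritten in flight
    spoofed[12:16] = ipaddress.IPv4Address("203.0.113.9").packed
    results["spoofed_src"] = verify_ah(key, bytes(spoofed), ReplayWindow())
    return results
```

Zeroing the mutable fields is also why AH breaks under NAT: a NAT rewrites the source address, which is an immutable field covered by the ICV, so the packet fails exactly like the spoofed one above. ESP with authentication covers only what follows the IP header and therefore tolerates NAT.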
IPSec Encapsulating Security Payload (ESP)
  • provides message content confidentiality and
    limited traffic flow confidentiality
  • can optionally provide the same authentication
    services as AH
  • supports a range of ciphers, modes, padding
  • DES, Triple-DES, RC5, IDEA, CAST, etc.
  • CBC most common
  • pad to meet block size, and for traffic flow

IPSec ESP Format
Scope of ESP Encryption and Authentication

Transport mode ESP: The ESP header is inserted into
the IP packet immediately prior to the
transport-layer header, and an ESP trailer is placed
after the IP packet.

Tunnel mode ESP: The ESP header is prefixed to the
packet, and then the packet plus the ESP trailer is
encrypted.
Transport and Tunnel Modes
  • Both AH and ESP support two modes of use
  • Transport mode
  • Provides protection to the payload of an IP
  • Used for end-to-end communication between two
  • Tunnel mode
  • Provides protection to the entire IP packet.
  • After the AH or ESP fields are added to the IP
    packet, the entire packet is treated as the
    payload of a new outer IP packet with a new outer
    IP header.
  • Commonly used on security gateways or firewalls.

IPSec Key Management
  • handles key generation and distribution
  • typically need 2 pairs of keys
  • 2 per direction for AH and ESP
  • manual key management
  • sysadmin manually configures every system
  • automated key management
  • automated system for on-demand creation of keys
    for SAs in large systems
  • has Oakley and ISAKMP elements

IPSec Oakley
  • a key exchange protocol
  • based on Diffie-Hellman key exchange
  • adds features to address weaknesses
  • cookies, groups (global params), nonces, DH key
    exchange with authentication
  • can use arithmetic in prime fields or elliptic
    curve fields
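
An Oakley-style exchange that puts the listed features together, cookies, nonces and an authenticated Diffie-Hellman exchange, as an added example that is not part of the slides. It is modelled loosely on IKEv1 main mode with pre-shared-key authentication (RFC 2409); the message contents, the simplified HASH_I/HASH_R inputs (the RFC also covers the SA payload) and the key derivation are assumptions of this example. The prime is 2**255 - 19, chosen only to keep the example short: it is not one of the Oakley groups, which are 768-bit and 1024-bit MODP primes. The same Diffie-Hellman step is what Secure RPC (earlier in these slides) uses to agree a conversation key between two principals. Identities, addresses and secrets are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not part of the slides: an Oakley-style authenticated
# Diffie-Hellman exchange with anti-clogging cookies, nonces and pre-shared-key
# authentication, modelled loosely on IKEv1 main mode (RFC 2409).  It also
# illustrates the Diffie-Hellman step Secure RPC uses to agree a conversation
# key.  The prime below is 2**255 - 19, chosen only to keep the example short;
# it is not an Oakley group (those are 768-bit and 1024-bit MODP groups).
# Identities, addresses and secrets are constructed.

P = 2**255 - 19
G = 2


def prf(key, *parts):
    """Keyed hash used for cookies, SKEYID and the authentication hashes."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


def i2b(n):
    return n.to_bytes(32, "big")


class Peer:
    def __init__(self, ident, addr, psk):
        self.ident, self.addr, self.psk = ident, addr, psk
        self.cookie_secret = os.urandom(16)     # local only; lets cookies be checked statelessly
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.nonce = os.urandom(16)
        self.skeyid = None

    def cookie(self, peer_addr, peer_cookie):
        # Oakley cookie: a MAC over the peer's address (and its cookie), so the
        # responder can verify message 3 without having stored anything at message 1
        return prf(self.cookie_secret, peer_addr.encode(), peer_cookie)[:8]

    def derive(self, peer_pub, ni, nr):
        """g^xy, then SKEYID = prf(PSK, Ni|Nr); returns SKEYID_d keying material."""
        shared = pow(peer_pub, self.priv, P)
        self.skeyid = prf(self.psk, ni, nr)
        return prf(self.skeyid, i2b(shared))

    def auth_hash(self, my_pub, peer_pub, my_cky, peer_cky, ident):
        return prf(self.skeyid, i2b(my_pub), i2b(peer_pub), my_cky, peer_cky, ident)


def oakley_exchange(init, resp, forged_cookie=None):
    """Run the exchange between two Peer objects; each comment marks a message
    on the wire.  Returns a dict describing the outcome."""
    # 1. I -> R: CKY_I.  R answers without storing state or exponentiating.
    cky_i = init.cookie(resp.addr, b"")
    # 2. R -> I: CKY_I, CKY_R.  Only a host that really receives packets at
    #    init.addr learns CKY_R; a source-spoofing attacker does not.
    cky_r = resp.cookie(init.addr, cky_i)
    if forged_cookie is not None:
        cky_r = forged_cookie
    # 3. I -> R: CKY_I, CKY_R, g^x, Ni, ID_I.  R checks the cookie first.
    if not hmac.compare_digest(cky_r, resp.cookie(init.addr, cky_i)):
        return {"accepted": False, "reason": "bad cookie"}
    key_r = resp.derive(init.pub, init.nonce, resp.nonce)
    # 4. R -> I: g^y, Nr, ID_R, HASH_R
    hash_r = resp.auth_hash(resp.pub, init.pub, cky_r, cky_i, resp.ident)
    key_i = init.derive(resp.pub, init.nonce, resp.nonce)
    if not hmac.compare_digest(hash_r, init.auth_hash(resp.pub, init.pub, cky_r, cky_i, resp.ident)):
        return {"accepted": False, "reason": "responder authentication failed"}
    # 5. I -> R: HASH_I
    hash_i = init.auth_hash(init.pub, resp.pub, cky_i, cky_r, init.ident)
    if not hmac.compare_digest(hash_i, resp.auth_hash(init.pub, resp.pub, cky_i, cky_r, init.ident)):
        return {"accepted": False, "reason": "initiator authentication failed"}
    return {"accepted": True, "keys_match": key_i == key_r}


def demo():
    good = oakley_exchange(Peer(b"alice", "198.51.100.1", b"shared-secret"),
                           Peer(b"gw", "192.0.2.1", b"shared-secret"))
    wrong_psk = oakley_exchange(Peer(b"alice", "198.51.100.1", b"shared-secret"),
                                Peer(b"gw", "192.0.2.1", b"other-secret"))
    clogging = oakley_exchange(Peer(b"mallory", "203.0.113.5", b"?"),
                               Peer(b"gw", "192.0.2.1", b"shared-secret"),
                               forged_cookie=b"\x00" * 8)
    return {"good": good, "wrong_psk": wrong_psk, "clogging": clogging}
```

The order of checks is the point: the responder does the cheap cookie comparison before the expensive modular exponentiation, so a flood of spoofed message 1s costs it nothing but a MAC per packet, and the authentication hashes bind the DH values to both cookies and identities so a man in the middle who relays a different g^y cannot produce a valid HASH_R without the pre-shared key.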

IPSec ISAKMP
  • Internet Security Association and Key Management
  • provides a framework for key management
  • defines procedures and packet formats to
    establish, negotiate, modify, delete SAs
  • independent of key exchange protocol, encryption
    alg, authentication method

Layer 2 Tunneling Protocol (L2TP)
  • Microsoft and Cisco co-developed L2TP as an open
    standard for secure multi-protocol routing.
  • It is a layer 2 protocol with stringent
    authentication, including the use of
  • Typically, an L2TP packet is encapsulated with
    IPSec ESP and AH, followed by another PPP
    encapsulation for transmission over the data-link
    layer.

  • Secure Socket Layer (SSL)
  • transport layer security service
  • originally developed by Netscape
  • version 3 designed with public input
  • subsequently became Internet standard known as
    TLS (Transport Layer Security)
  • uses TCP to provide a reliable end-to-end service
  • SSL has two layers of protocols

SSL Architecture
  • SSL session
  • an association between client and server
  • created by the Handshake Protocol
  • defines a set of cryptographic parameters
  • may be shared by multiple SSL connections
  • SSL connection
  • a transient, peer-to-peer communications link
  • associated with one SSL session

SSL Record Protocol
  • confidentiality
  • using symmetric encryption with a shared secret
    key defined by the Handshake Protocol
  • IDEA, RC2-40, DES-40, DES, 3DES, Fortezza,
    RC4-40, RC4-128
  • message is compressed before encryption
  • message integrity
  • using a MAC with a shared secret key
  • similar to HMAC but with different padding
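
What "similar to HMAC but with different padding" means, as an added example that is not part of the slides: the SSLv3 record MAC and the TLS record HMAC side by side, with a receiver check that shows how the sequence number in the MAC input defeats replay and reordering. The constructions follow the SSL 3.0 specification and RFC 2246; the MAC key, sequence numbers and record contents are constructed, and encryption of the record is omitted.

```python
import hashlib
import hmac
import struct

# Added example, not part of the slides: the SSLv3 record MAC beside the TLS
# record HMAC, to show what "similar to HMAC but with different padding" means.
# Constructions follow the SSL 3.0 specification and RFC 2246; key, sequence
# numbers and record contents are constructed.

SSL3_PAD_LEN = {"md5": 48, "sha1": 40}   # pad length chosen so key+pad fills a hash block
CT_APPLICATION_DATA = 23
TLS1_0 = 0x0301


def sslv3_mac(secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret + pad_2 + hash(secret + pad_1 + seq + type + length + fragment)).
    The key is concatenated with fixed 0x36 / 0x5c bytes, not XORed as in HMAC."""
    def h(data):
        return hashlib.new(hash_name, data).digest()
    pad_1 = b"\x36" * SSL3_PAD_LEN[hash_name]
    pad_2 = b"\x5c" * SSL3_PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    return h(secret + pad_2 + h(secret + pad_1 + header + fragment))


def hmac_manual(key, msg, hash_name):
    """RFC 2104: H((K xor opad) || H((K xor ipad) || msg)), K zero-padded to the block size."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5c for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def tls_mac(secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """TLS adds the protocol version to the MAC input and uses real HMAC."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac_manual(secret, header + fragment, hash_name)


def tls_mac_reference(secret, seq_num, content_type, version, fragment, hash_name="sha1"):
    """Same value via the standard library, to check hmac_manual against."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(secret, header + fragment, hash_name).digest()


def protect_record(secret, seq_num, fragment):
    """Sender side (encryption omitted): fragment || MAC, as the record layer orders them."""
    return fragment + tls_mac(secret, seq_num, CT_APPLICATION_DATA, TLS1_0, fragment)


def verify_record(secret, expected_seq, record, hash_name="sha1"):
    """Receiver side: strip the MAC and recompute it with the sequence number
    the receiver expects; a replayed or reordered record fails here even
    though its MAC was genuine when first sent."""
    mac_len = hashlib.new(hash_name).digest_size
    fragment, mac = record[:-mac_len], record[-mac_len:]
    good = tls_mac(secret, expected_seq, CT_APPLICATION_DATA, TLS1_0, fragment, hash_name)
    return fragment if hmac.compare_digest(mac, good) else None


def demo():
    secret = b"\x01" * 20                                   # constructed MAC write secret
    rec0 = protect_record(secret, 0, b"GET / HTTP/1.0\r\n")
    rec1 = protect_record(secret, 1, b"Host: example\r\n")
    return {
        "in_order": verify_record(secret, 0, rec0) is not None and verify_record(secret, 1, rec1) is not None,
        "replayed": verify_record(secret, 2, rec0),                                  # old record at seq 2
        "tampered": verify_record(secret, 0, b"GET /x HTTP/1.0\r\n" + rec0[-20:]),  # body changed, MAC kept
        "ssl3_ne_tls": sslv3_mac(secret, 0, 23, b"x") != tls_mac(secret, 0, 23, TLS1_0, b"x"),
    }
```

The sequence number is implicit (never transmitted, both sides count records), which is what makes the MAC check double as replay protection without any extra bytes on the wire.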

SSL Change Cipher Spec Protocol
  • one of 3 SSL specific protocols which use the SSL
    Record protocol
  • a single message
  • causes pending state to become current
  • hence updating the cipher suite in use

SSL Alert Protocol
  • conveys SSL-related alerts to peer entity
  • severity
  • warning or fatal
  • specific alert
  • unexpected message, bad record mac, decompression
    failure, handshake failure, illegal parameter
  • close notify, no certificate, bad certificate,
    unsupported certificate, certificate revoked,
    certificate expired, certificate unknown
  • compressed and encrypted like all SSL data

SSL Handshake Protocol
  • allows server and client to
  • authenticate each other
  • negotiate encryption and MAC algorithms
  • negotiate cryptographic keys to be used
  • comprises a series of messages in phases
  • Establish Security Capabilities
  • Server Authentication and Key Exchange
  • Client Authentication and Key Exchange
  • Finish

TLS (Transport Layer Security)
  • IETF standard RFC 2246, similar to SSLv3
  • with minor differences
  • in the record format version number
  • uses HMAC for MAC
  • a pseudo-random function expands secrets
  • has additional alert codes
  • some changes in supported ciphers
  • changes in certificate negotiations
  • changes in use of padding
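
The pseudo-random function mentioned above, written out, as an added example that is not part of the slides: the TLS 1.0 PRF of RFC 2246 section 5 (P_MD5 XOR P_SHA-1 over the two halves of the secret), the derivation of the master secret and key block that the handshake performs with it, and the TLS 1.2 replacement from RFC 5246 for comparison. The labels "master secret" and "key expansion" are the RFC's; the pre-master secret, the random values and the key sizes (a SHA-1 / AES-128-CBC suite) are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not part of the slides: the TLS 1.0 pseudo-random function
# (RFC 2246 section 5) that expands the pre-master secret into the master
# secret and key block, with the TLS 1.2 variant (RFC 5246) for comparison.
# Secret and random values are constructed.


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to length bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """PRF = P_MD5(S1, label+seed) XOR P_SHA1(S2, label+seed).
    S1/S2 are the two halves of the secret, overlapping by one byte if odd."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha_part))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 replaced the MD5/SHA-1 mix with a single P_SHA256."""
    return p_hash("sha256", secret, label + seed, length)


def derive_keys(pre_master, client_random, server_random, prf=prf_tls10,
                mac_len=20, key_len=16, iv_len=16):
    """The handshake's key derivation: master secret, then the key block carved
    into client/server MAC keys, encryption keys and IVs.  The sizes given
    here are for a SHA-1 / AES-128-CBC suite and are an assumption."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[off:off + size]
        off += size
    return master, keys


def demo():
    pre_master = b"\x03\x01" + b"\x11" * 46          # constructed 48-byte RSA pre-master secret
    client_random = b"\xaa" * 32
    server_random = b"\xbb" * 32
    master, keys = derive_keys(pre_master, client_random, server_random)
    master2, _ = derive_keys(pre_master, b"\xac" * 32, server_random)   # one random differs
    return {"master_len": len(master), "client_key_len": len(keys["client_key"]),
            "same_inputs_same_master": master == derive_keys(pre_master, client_random, server_random)[0],
            "different_random_different_master": master != master2,
            "distinct_keys": len(set(keys.values())) == 6}
```

Splitting the secret between two hash functions was a hedge: the 1.0 PRF stays sound if either MD5 or SHA-1 fails. Note that the key block is expanded with the server random first, the reverse of the master secret computation.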

Application Layer Security
  • Secure Electronic Transactions (SET)
  • Privacy Enhanced Mail (PEM)
  • Secure Hypertext Transfer Protocol (S-HTTP) and
    HTTP over SSL/TLS (HTTPS), two different
    mechanisms
  • S/MIME

Network Availability and Network Disaster
Recovery Planning
  • Network Reliability
  • Star topology
  • The failure of a single link doesn't affect other
  • The hub/switch is the weak link; this can be
    improved by redundant power supplies, backplane,
    control
  • Ring topology
  • In token ring, a link failure or node failure
    will bring down the whole network.
  • In a MAN or WAN, ring topology is reliable and
  • Bus topology
  • A link failure will bring down the entire network.