Network and Internet Security

1
Network and Internet Security
2
The OSI Model

• Developed in the early 1980's by the Open Systems
  Interconnect group
• Became a standard for discussing and detailing
  how network operations actually function
• Before OSI many different conflicting standards.

3
The OSI Stack
Networked applications 7. Application
Networked applications 6. Presentation
Networked applications 5. Session
Network overhead and end to end addressing 4. Transport
Network overhead and end to end addressing 3. Network
LAN WAN delivery systems 2. Data Link
LAN WAN delivery systems Physical
How to remember People Dont Need To See Paula Abdul Please Do Not Throw Sausage Pizza Away How to remember People Dont Need To See Paula Abdul Please Do Not Throw Sausage Pizza Away

4
OSI and TCP/IP
5
Protocol

• What is a protocol?
• - A set of rules we adhere to
• - Specifies how things will work

6
Physical Layer

• Bits, bytes, and electrical signals
• Means of moving information from point A to point
  B
• Could be wireless, ethernet, modem, phone line.

7
Data Link Layer

• Where frames are built
• Frame - A logical organization / packaging of the
  data
• Protocols
• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)
• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)

8
Network Layer

• It's all about IP and routing
• IP will only deliver.
• Protocols
• Internet Protocol (IP)
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Novel Internetwork Packet Exchange (IPX)

9
Transport Layer

• Provides end-to-end transport services and
  establishes logical connection between
  communicating computers
• Protocols
• TCP - Reliable protocol, connection oriented
• UDP- Fast Protocol, connection less
• SSL
• SPX

10
Session Layer

• Establishes and maintains the session and traffic
  between two computers
• Session Layer keeps track of what data goes where
• Analogy Traffic Cop
• Protocols
• Network File System (NFS)
• NetBIOS
• Structured Query Language (SQL)
• Remote procedure call (RPC)

11
Session Layer

• Communication between two applications to in
  three different modes
• Simplex
• Communication takes place in one direction.
• Half-duplex
• Communication takes place in both directions, but
  only one application can send information at a
  time.
• Full-duplex
• Communication takes place in both directions, and
  both applications can send information at the
  same time.

12
Presentation Layer

• Deals with how data is formatted how users see
  it
• Services encryption, decryption, compression,
  decompression
• Presentation Layer Standards
• ASCII
• EBCDIC
• TIFF
• JPEG
• MPEG
• MIDI

13
Application Layer

• Application layer formats the data and displays
  it
• Protocols
• FTP
• TFTP
• SNMP
• SMTP
• Telnet
• HTTP

14
Network Security

• Security can be implemented at different layers
  of the OSI model to provide a more robust
  architecture
• Goal - defense and depth

15
Physical Layer Security

• Secure
• Cable
• Fiber
• Wireless

16
Network Layer Security

• IP Security or IPsec
• A set of protocols developed by the (Internet
  engineering task force)IETF to support secure
  exchange of packets at the IP layer
• Widely used to protect VPNs

17
Transport Layer Security

• Guarantees privacy and data integrity between
  client server applications communicating over the
  Internet

18
Session Layer Security

• Encryption at the session layer protects data

19
Application Layer Security

• The level of security provided by applications
  varies
• Some are more secure and have encryption built in
  (e.g., secure shell)
• Others are less secure and send information in
  clear text (e.g., FTP)

20
TCP/IP Protocol Stack
7 Process layer
6 Process layer
5 Host-to-host
4 Host-to-host
3 Internet
2 Network Access Layer
1 Network Access Layer
21
Network Access Layer

• All things physical
• Includes cabling, framing, hardware equipment

22
Internet Layer

• All things logical i.e., software
• Where Internet Protocol (IP) fits in
• Makes sure frames from network layer reach the
  correct destination
• IP postman- Determines the best route from
  source to target network
• Different types of frames for internal and
  external routing
• Analogy Interoffice envelope Vs FedEx envelope

23
Host to Host Layer

• Ensures that packets are delivered quickly and/or
  reliably
• Two protocols reside at this layer
• - TCP - Reliable
• - UDP Quick
• Think about TCP (professional) and UDP (your
  friends) as moving services

24
Host to Host Layer

• TCP
• Connection-oriented protocol
• Provides reliable communication using
• Handshaking
• Acknowledgments
• Error detection
• Session teardown
• TCP data is referred as segments
• TCP moves data in segments
• Each segment is verified as it moves across the
  network

25
Host to Host Layer

• User Datagram Protocol (UDP)
• - A protocol without a connection
• - Offers speed and low overhead
• - Datagram
• - No set up or shutdown
• UDP is fast but unrealiable
• VOIP, video-conferencing

26
Process or Application Layer

• Telnet Port 23
• SMTP Port 25
• HTTP Port 80
• DNS port 53
• FTP Port 20, Port 21
• TFTP (trivial FTP) Port 69
• SNMP Port 61

27
Signaling Types

• Analog
• Digital
• Robust and can recover from errors
• Widely used

28
Data Transmission Methods

• Synchronous communications
• High speed data synchronized by electronic clock
  signals
• Takes place between two devices that are
  synchronized via a clocking mechanism
• Asynchronous communications
• Transfer data by sending bits sequentially
• used when two devices are not synchronized
• Data transfer can take place at any time

29
Signaling Methods

• Broadband
• More than one signal at a time
• Cable 160 TV channels Internet
• DSL Phone internet
• Baseband - One signal at a time
• Ethernet
• Dial up phone line

30
Transmission Methods

• unicast transmission
• packet goes from source computer to one
  particular system
• Multicast
• packet goes to a specific group of systems
• Broadcast
• If a system wants all computers on its subnet to
  receive a message

31
Transmission Methods

• IP multicast protocols use a Class D address
• special address space designed especially for
  multicasting
• used to send out information, multimedia data,
  real-time video and voice clips.
• IGMP is used to report multicast group
  memberships to routers.
• When a user chooses to accept multicast traffic,
• User becomes a member of a particular multicast
  group.
• IGMP allows a computer to inform the local
  routers that user is part of a group and to send
  traffic with a specific multicast address to her
  system.

32
Network Topologies
33
Topologies

• Bus
• linear, single line
• Ring
• Linear and closed loop
• Star
• All systems connected to a single point
• Tree
• Bus topologies, multiple braches
• Mesh
• Multi connection of systems
• Provides redundancy and multiple routes to
  systems

34
Ethernet

• Shares media
• Broadcast and collision domains
• CSMA/CD access method
• Implemented on
• -10 base-2(thin net)
• -10 base-5 (coax cable)
• -10 base-T (twisted pair, RJ45 connector)

35
Fast Ethernet-

• 100Mbps
• CSMA/CD
• Twisted pair
• Support 10/100 Mbps

36
Token Rings

• Token passing technology
• Multistation access unit (MAU)
• Each computer connected to a Central hub
• LAN networks
• Mechanisms to deal with problems
• Active Monitor removes frames continuously
  circulating on the network
• beaconing if a computer detects a problem with
  the network it sends a beacon frame.

37
FDDI

• Fiber Distributed Data Interface
• Ring topology
• Dual ring for redundancy
• Data transmission speed of 100 mbps
• Token passing
• Used for distances up to 100 kilometers
• MAN networks

38
Network Cabling

• Required for the modern network
• Different types of cable have
• - Specific speeds
• - Maximum cable runs
• - Connectivity issues

39
Common Cable Specs
Ethernet Name Cable Specifications Distance Supported Topology
10Base5 50-ohm Thick Coaxial 500 Meters Bus
10Base2 50-ohm RG-58 A/U 185 Meters Bus
10BaseT Cat 3 UTP (or better) 100 Meters Star
100BaseTX Cat 5 UTP (or better) 100 Meters Star
Gigabit Ethernet Cat 6 UTP (or better) Depends Star
40
Fiber Cable

• Multimode fiber optic cable
• Uses LED to transmit data
• 200 meters Max
• Singlemode fiber optic cable
• Laser
• 200 miles max

41
Cabling Issues

• Noise
• Caused by surrounding devices
• Caused by motors, computers, copy machines,
  fluorescent lighting
• Distortion of signal
• Attenuation
• Loss of signal strength as it travels
• Length of cable
• Use repeater
• Can also be caused by cable breaks
• Crosstalk
• Signals from one wire spill over to other
• UTP is susceptible to crosstalk

42
Cabling Issues

• Fire rating
• Non plenum rated cables polyvinyl chloride (PVC)
  jacket covering
• plenum-rated cables jacket covers made of
  fluoropolymers
• will not produce and release harmful chemicals in
  case of a fire
• pressurized conduits
• if someone attempts to access a wire the pressure
  of the conduit will change, causing an alarm

43
LAN Protocols

• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)
• Internet Control Messaging Protocol (ICMP)

44
Address Resolution Protocol (ARP)

• Resolves known IP addresses to unknown MAC
  addresses
• ARP maps the MAC address and associated IP
  addresses
• Mapping is stored in a table
• ARP Table poisoning
• Attacker alters a systems ARP table
• IP address is mapped to a different MAC address
• type of masquerading attack.

45
Reverse Address Resolution Protocol (RARP)

• Diskless environments
• Clients connecting to the mainframes
• Workstation broadcasts its MAC addresses and RARP
  server assigns IP address
• RARP evolved into BOOTP which evolved into DHCP

46
Internet Control Messaging Protocol (ICMP)

• Designed for logical errors and diagnostics
• Most commonly seen as a ping
• Ping to check connectivity
• Malicious use to check if a device is up and
  running to attack it
• Ping DoS

47
Routing Protocols

• Vector-distancing
• List of destination networks with direction and
  distance in hops
• Router has a table with the destination and the
  number of hops data will make to get to the
  destination
• Use if the network has 2 or 3 segments
• Link-state routing
• Topology map of network identifies all routers
  and sub networks
• Route is determined from shortest path to
  destination
• Use if network is highly meshed with multiple
  subnetworks
• Routes that can be manually loaded (static) or
  dynamically maintained router
• Routing path is loaded manually in a command line
  or GUI
• Router uses the path entered to route data

48
Routing Protocols

• RIP
• Distance vector
• RIP based on hop counts
• Interior Gateway Protocol
• Noisy not the most efficient
• Broadcast routes every 30 seconds
• Lowest cost / closest route always best even is
  the route is congested
• Physical limitation Cannot route beyond 16
  points
• No security anyone can pretend to be arouter
• Masquerading attack

49
Routing Protocols

• Open Shortest Path First (OSPF)
• Link-state routing
• Interior Gateway Protocol
• Routers elect a Designated Router (DR)
• All routers establish a topology database using
  DR as gateway between areas
• A replacement for outdated RIP

50
Routing Protocols

• Border Gateway Protocol (BGP)
• Core of Internet
• Used to exchange high volume of data between
  routers
• Exterior Gateway Protocol (EGP)
• Used to exchange routing data with core and other
  autonomous systems
• Routes data to subsystems
• Interior Gateway Protocol (IGP)
• Used within autonomous systems
• Organization with multiple networks
• Data routed within multiple networks

51
Routing Protocols

• Border Gateway Protocol (BGP)
• Exterior Gateway Protocol
• Can support multiple paths between autonomous
  systems
• Most ISPs use BGP
• Can detect and suppress routing loops
• Lacks security, authentication
• Internet recently went down because of
  incorrectly configured BGP on an ISP router

52
Domain Name Service (DNS)

• Resolves known Fully Qualified Domain Names
  (FQDNs) to unknown IP addresses
• Example Domain Name Yahoo.com
• DNS will resolve the IP address for us

53

• Networking Equipment and routing protocols

54
Data Network Devices

• Hubs / repeaters / concentrators
• Provides physical interconnection
  of multiple nodes to a network
• Bridge
• Connects two network segments
• Layer 2 device

55
Data Network Devices

• Router
• Contains network management protocols that
  enhance network functionality
• Operates in network layer 3
• Handles packet traffic across the networks

56
Data Network Devices

• Brouter
• A router that can bridge, merging both
  capabilities into a single box
• Routes selected protocols
• Bridges all other traffic
• Bridge two networks at layer 2 and also add some
  routing capabilities
• Gateway
• Acts as a translator between networks using
  incompatible protocols
• Operates in any layer from 4 to 7

57
Switch

• Multiport connection device
• Each port provides dedicated bandwidth to the
  device attached to it
• Multilayer switches combine data link layers,
  network layer and other layer functionalities

58
Switch

• Layer 2 routing based on MAC address
• Layer 3/4 Like a router.
• Routing based on IP address
• Routes are chosen based on availability and
  performance
• Tags are assigned to each destination network or
  subnet
• Switch appends tags to the packet
• Switches between the source and destination
  review tag information.
• Multiprotocol label switching (MPLS)
• Priority information is placed in tags
• E.g. Video conferencing

59
Switch and VLANS

• Switch makes it difficult for intruders to sniff
  and monitor network traffic
• No broadcast and collision information
• VLANS
• Use switches
• Logically (instead of physically) segment users
  and computers based on
• Resource requirements
• Security policies
• Business needs

60
Firewall Types

• Packet Filtering
• Stateful
• Proxy
• Dynamic packet filtering
• Kernel proxy

61
Firewall Architecture

• Screened Hosts
• Dual Home
• Screened subnet

62
Packet Filtering Firewall

• Packet-filtering router
• Most Common
• Uses access control lists (ACLs)
• Port
• Source/ destination address

63
Stateful Inspection Firewalls

• Stateful inspection
• State and context analyzed on every packet in
  connection
• Only looks at a sampling of packets and not all
  packets of a connection
• When a packet is received firewall looks in its
  state table to check if connection was
  established and if data was requested
• Works at network and transport layers
• Vcitims of DoS attack
• Dynamic state tables are flooded with bogus
  information
• Firewall freezes or reboots

64
Proxy Firewalls

• Second Generation firewalls
• Stands between the trusted and untrusted networks
• Proxy server only has a valid IP address
• Network address translation (NAT)
• internal addresses are unreachable from external
  network
• Private IPs for internal networks instead of
  internet routable IPs
• De-militarized zone (DMZ)
• Hosts are directly reachable from untrusted
  networks
• Host in semi-untrusted network
• Could be application or circuit level proxy

65
Application Proxy

• Inspect the entire packet and make access
  decision based on the contents of the packet
• One proxy per firewall is required
• One portion of the firewall dedicated to
  understand how a specific protocol works and how
  to filter it for suspicious data.
• Application proxy firewalls for FTP, SMTP,
  TELNET

66
Circuit Level Proxy

• Secure circuit between the client and server
• Protection at the sessions layer
• Provides a wider variety of protocols and
  services than an application proxy
• Less degree of granular control than application
  proxy
• Similar to packet filtering and decision is based
  on address, port and protocol type
• Looks at data within the payload of the packet
• E.g. SOCKS

67
Dynamic packet filtering

• Combination of IP address and higher port
• Firewall creates an ACL that allows the external
  entity to communicate with an internal entity via
  a high port
• 4th generation firewall
• Gives control to allow any type of outbound
  traffic and only response traffic inbound

68
Kernel Proxy Firewall

• 5th generation
• Creates dynamic, customized TCP/IP stacks for
  evaluating packets
• Every layer of the stack is scrutinized
• Packet is discarded is anything deemed unsafe at
  any of the layers

69
(No Transcript)
70
Firewall Architecture Bastion Host

• Locked down or Hardened system
• Highly exposed, front line device
• Existence known on the internet
• Extremely secure
• Choke router
• A router with packet filtering rules (ACLs)
  enabled

71
Dual-homed host

• 2 interfaces one facing external one facing
  internal
• Firewall software installed to make packet
  forwarding decisions
• Underlying operating system turned off to apply
  necessary ACL rules
• Multihomed
• Several NICs connect several different computers

72
Screened host

• Communicates with a perimeter router and the
  internal network

73
Screened subnet

• More protection than a screened host
• Typical DMZ implementation

74
Firewall Rules

• Masquerading or spoofing of packets is a common
  firewall attack
• Packets from outside with internal host address
  DENY
• Packets from inside going outside with internal
  host address DENY
• DDoS attack internal hosts are used as zombies
• Packets leaving the network with different source
  address

75
Firewall Rules

• When security is top priority
• Firewall assembles packets and makes access
  decision based on the entire packet
• Deny source routing
• Packet decides route to get to destination not
  the router

76
Intrusion Detection

• Host or network-based
• Context and content monitoring
• Positioned at network boundaries
• For defense in depth, deploy sensors at multiple
  segments
• A sniffer with capability to detect traffic
  patterns (attack signatures)

77
Data Transmission Methods

• Leased line networks
• Dedicated private facilities
• Organization leases the network and they have
  dedicated lines for certain facilities.
• Dedicated line
• A private or leased line
• Lease a line that is dedicated to the
  organization
• Common carriers
• A common carrier voice line ATT, verizon etc
• Digital communications
• Passes data encoded in on-off pulses

78
Web Security

• Secure sockets layer (SSL)
• Transport layer security (TCP based)
• Widely used for Web-based applications
• By convention - https\\
• Secure hypertext transfer protocol (S-HTTP)
• Less popular than SSL
• Used for individual messages rather than
  sessions

79
Web Security

• Secure electronic transactions (SET)
• PKI
• Mostly used for Financial data
• Supported by VISA, MasterCard, Microsoft

80

• Voice and Data Communications - LANs, WANs, and
  Remote Access

81
VOIP Security Issues

• VOIP vulnerabilities
• Gateways issues
• Because VOIP utilizes UDP traffic
• DoS attacks
• Voice communications
• Eavesdropping
• Open network to UDP traffic
• Do not open ports for a wide range of systems

82
Gateways Issues

• IP PBX gateways
• Open to DOS attacks
• Single point of failure
• Interconnection authentication
• PBX can be fooled to believe that it is talking
  to another PBX

83
Eavesdropping

• Voice packets over IP
• Uses UDP
• Sniffing
• Replay
• Packet injection

84
Open Network

• Multiple IP phones
• Open port services
• Utilizes wide range of ports from 7000 - 8000
• UDP transmission
• Inefficient firewall access control

85
Remote Networks

• Remote access
• VPN
• Authentication
• Remote access guidelines

86
Remote Access

• Dialup/RAS
• ISDN
• DSL
• Cable modems

87
VPN

• Tunneling protocols
• Point to point tunneling protocol (PPTP)
• Layer 2 forwarding (L2F)
• Works at layer 2
• Forwards packets from layer 2 and does not
  consider upper IP stacks
• Layer 2 tunneling protocol (L2TP)
• Establishes a tunnel at layer 2
• IPSec
• Most secure and widely used

88
IPSEC

• IP Security
• Set of protocols developed by IETF
• Standard used to implement VPNs
• Two modes
• Transport mode
• Encrypted pay load (data)
• Clear text header
• Tunnel mode
• Encrypted payload and header
• Requires shared public key

89
Authentication Remote Access

• Password authentication protocol (PAP)
• Challenge handshake authentication protocol
  (CHAP)
• Extensible authentication protocol (EAP)

90
Wireless Standards

• 802.11b
• 802.11a
• 802.11g
• 802.16
• Wimax
• Blue tooth
• WAP

91
WLAN Components

• Access points (AP)
• Service set ID (SSI)
• Authentication
• OSA
• SKA
• WEP
• Encryption process for wireless transmission
• - Weak encryption due to repetition of key
• War driving

92
Network Security Services

• Network layer security
• Transport layer security
• Application layer security
• Identification and authentication

93
Network Layer Security

• ISO / OSI layer 3
• Provides IP security
• Enables host to send encrypted IP packet without
  prior message exchange
• Protocols include -
• - IPSEC
• - SKIP
• - SWIPE

94
Transport Layer Security

• ISO / OSI layer 4
• Secure Socket Layer (SSL)
• Used for TCP applications
• Two-layered protocol
• - One for records
• - The other for handshakes (TCP does the
  handshake)
• Uses public key encryption
• Supports Message Authentication Code (MAC)
• SSL primarily used for TCP

95
Application Layer Security

• Secure Electronic Transactions (SET)
• Secure protocol for messages and transactions
• Protocol defines a public key infrastructure
  (PKI)
• Usually used to protect financial data

96
Application Layer Security

• Privacy Enhanced Mail (PEM)
• Internet standard for secure electronic mail
• Limits disclosure of message only to privileged
  user
• Contains origin authenticity and integrity check
  to prevent tampering

97
Application Layer Security

• Secure Hypertext Transfer Protocol (SHTTP)
• Secure HTTP server
• Supports encryption and authentication of
  documents over the Internet
• Provides similar service like SSL
• SSL and SET are used more instead of a secure
  http server

98
Application Layer Security

• Secure Remote Procedure Call (SRPC)
• Uses Diffie-Hellman key generation
• Server provides encryption services and
  authentication
• Used for secure connections between the remote
  procedure and initiator
• Authentication server contains all keys for users
  and services
• Self contained unit
• Authenticates the server and the client

99

• Network Attacks

100
Network Security Issues

• Types of attacks
• Spoofing
• Sniffing
• Session hijacking
• IDS attacks
• Syn floods

101
Spoofing Attacks

• TCP Sequence number prediction
• After establishment TCP session, a sequential
  number is initiated for data transfer.
• The hacker will craft packets to guess the
  sequence number.
• One the sequence number is known packets are
  injected into the session.
• UDP- Easy to spoof because no handshake
• DNS - Spoof and manipulation IP/ hostname pairing
• Hacker will spoof the IP to establish a session
  with another domain having the same hostname
• Source routing
• Spoofing of paths the packets will take to reach
  the destination

102
Sniffing Attacks

• Passive attacks
• Information is gathered in wired or wireless
  networks
• Monitors the wire for all traffic
• Most effective in shared media networks
• Sniffers used to be hardware
• Now software tool
• Can be deployed from a laptop, PC or any other
  computing device

103
Session Hijacking Attacks

• Hacker uses sniffers to
• Detect sessions
• Acquire pertinent session info
• Actively injects packets
• Spoofs the client side of the connection
• Takes over session with server
• Bypasses Identification and Authentication
  controls
• Countermeasures
• Encryption
• Stateful inspection

104
IP Fragmentation Attacks

• TCP/IP weakness
• Big packets are fragmented
• Uses fragmentation options in the IPheader
• Forces data in the fragmented packet to be
  overwritten upon reassembly
• Code is injected while packets are assembled
• Used to circumvent packet filters

105
IDS Attacks

• Insertion attacks
• inserts information to confuse pattern matching
• Used for attacking pattern matching IDS
• Evasion attacks
• Tricks the IDS into not detecting traffic
• Send a packet with Short Time to Live. Once time
  expires, IDS will not recognize the packet
• Open ports
• Stealth Syn attcks

106
SYN Flood Attacks

• 3 way TCP handshake
• Syn Originator an initial packet called a "SYN"
  to establish communication and "synchronize"
  sequence numbers in counting bytes of data which
  will be exchanged. 
• Syn-Ack - The destination then sends a "SYN/ACK"
  which again "synchronizes" his byte count with
  the originator and acknowledges the initial
  packet. 
• Ack - The originator then returns an "ACK" which
  acknowledges the packet the destination just sent
  him. 
• Sends a lot of Syns
• Doesn't send Acks
• Victim
• Has a lot of open connections
• Can't accept any more incoming connections
• Eventually crashing the TCP/IP system
• Denial of service (DoS)