Chapter 4

Lecture Notes

Network Security
 Network Security
4.1 Introduction
What can a “bad guy” do on Networking?
⚫ Bad guys can do a lot on networking
◦ Eavesdrop: intercept messages
◦ Insert messages into a connection
◦ Impersonation: can fake (spoof) source address in packet (or any field
in packet)
◦ Session Hijacking: “take over” ongoing connection by removing
sender or receiver, inserting itself in place
● The attacker monitors an authenticated session between the client machine and
the server, and takes that session over
● When a TCP connection is established between a client and a server, all
information is transmitted in clear and this can be exploited to hijack the
session
◦ Denial of Service: prevent service from being used by others

2
 Network Security
4.2 What is Network Security?
⚫ Confidentiality: only sender and intended receiver should
“understand” message contents
◦ sender encrypts message
◦ receiver decrypts message
⚫ Authentication: sender and receiver want to confirm
identity of each other
⚫ Message integrity: sender or receiver wants to ensure
message is not altered (in transit, or afterwards) without
detection
⚫ Access and availability: services must be accessible and
available to users

3
 Network Security
4.2 What is Network Security?
⚫ In today’s highly networked world, we can’t talk of
computer security without talking of network security
⚫ Although there are many types of networks, the focus
is this course is on
◦ Internet and intranet security (TCP/IP based networks)
◦ Attacks that use security holes of the network protocols and
their defenses
⚫ We do not discuss attacks that use networks to
perform some crime based on human weaknesses

4
Network Security
4.2 What is Network Security?
Security Features in the TCP/IP Protocol Stack

Use of IP Security (IPSec) (Figure a)

⚫ Transparent to applications
⚫ Provides general purpose solution
⚫ Provides filtering capability (rejection of
replayed packets)
Security just above TCP (Figure b)
⚫ SSL: Secure Sockets Layer
⚫ TLS: Transport Layer Security
⚫ Transparent to applications
⚫ Alternatively, can be embedded into applications
◦ Example: Microsoft Explorer is equipped with SSL

5
Network Security
4.2 What is Network Security?
Security Features in the TCP/IP Protocol Stack

⚫ Application specific security services

(Figure c) Embedded within specific
applications
⚫ ƒExamples are
◦ Electronic mail - S/MIME (Multipurpose
Internet Mail Extensions) and PGP (Pretty
Good Privacy) on SMTP (Simple Mail
Transfer Protocol)
◦ ƒSET (Secure Electronic Transaction) on
top of HTTP
◦ Client/server – Kerberos
6
 Network Security
4.3 Network Protocols and Vulnerabilities

⚫ Attacks on TCP/IP Networks

◦ The Internet was not originally designed with (much) security in
mind
● It was designed to be used by a trusted group of users
● original vision: “a group of mutually trusting users attached to a
transparent network” ☺, i.e., there is no need for security
◦ The protocols are not designed to withstand attacks
◦ Internet is now used by all sorts of people
◦ Attackers exploit vulnerabilities of every protocol to achieve
their goals
◦ Hence, security considerations in all layers is important!
7
 Network Security
4.3.1 Link Layer: ARP Spoofing

⚫ How does ARP work?

◦ A computer that wants to access another computer for which it
knows its IP address broadcasts this address
◦ The owner responds by sending its Ethernet (MAC) address

8
 Network Security
4.3.1 Link Layer: ARP Spoofing

⚫ How does it happen?

◦ Because ARP is a stateless protocol
◦ Hosts will automatically cache any ARP replies they receive,
regardless of whether they requested them. Even ARP entries
which have not yet expired will be overwritten when a new ARP
reply packet is received
◦ There is no method in the ARP protocol by which a host can
authenticate the peer from which the packet originated
◦ This behavior is the vulnerability which allows ARP spoofing to
occur
9
 Network Security
4.3.2 Network Layer Security: IPSec
⚫ IP is vulnerable
⚫ IP packets can be intercepted
◦ In the LAN broadcast
◦ In the router, switch
⚫ Since the packets are not protected they can be easily read
⚫ Since IP packets are not authenticated they can be easily
modified
⚫ Even if the user encrypts his/her data it will still be vulnerable
to traffic analysis attack
⚫ Information exchanged between routers to maintain their
routing tables is not authenticated
⚫ All sorts of problems can happen if a router is compromised
10
 Network Security
4.3.2 Network Layer Security: IPSec
⚫ IP Security (IPSec) Overview
◦ There are application-specific security mechanisms for a number of
application areas
◦ However, security concerns cut across protocol layers
◦ By implementing security at the IP layer, an organization can ensure
secure networking not only for applications that have security
mechanisms but also for the many security-ignorant applications
◦ IPSec provides
● ƒOrigin authentication
● Confidentiality
● Message integrity
● Replay detection
● Key management
at the level of IP packets
11
 Network Security
4.3.2 Network Layer Security: IPSec
⚫ IPSec is a set of security algorithms plus a general framework that
allows a pair of communicating entities to use whichever algorithms
provide security appropriate for the communication
⚫ IPsec provides the capability to secure communications across a
LAN, across private and public WANs, and across the Internet
◦ Secure branch office connectivity over the Internet (secure virtual private
network over the Internet or over a public WAN)
◦ Secure remote access over the Internet
◦ Establishing intranet connectivity with partners: IPsec can be used to secure
communication with other organizations, ensuring authentication and
confidentiality and providing a key exchange mechanism
◦ Enhancing electronic commerce security: Even though some Web and
electronic commerce applications have built-in security protocols, the use of
IPsec enhances that security 12
 Network Security
4.3.2 Network Layer Security: IPSec

⚫ Benefits of IPSec
In addition to supporting end users and protecting premises
systems and networks, IPSec has a role in routing. It assures that
◦ A router advertisement (a new router advertises its presence)
comes from an authorized router
◦ A neighbor advertisement (a router seeks to establish or maintain
a neighbor relationship with a router in another routing domain)
comes from an authorized router
◦ A redirect message comes from the router to which the initial IP
packet was sent
◦ A routing update is not forged
13
 Network Security
4.4 Web Security
Types of Web threats and counter measures
⚫ Integrity
◦ ƒ Data, memory and/or message modification
◦ ƒ Trojan horse browser
⇒ Cryptographic checksums
⚫ Confidentiality
◦ ƒEavesdropping
◦ ƒTheft of data from client & information from server
◦ ƒAccess to information about network configuration
◦ ƒAccess to information about which client is communicating
⇒ Encryption

14
 Network Security
4.4 Web Security
⚫ Denial of Service
◦ ƒKilling of user thread
◦ ƒMachine flooding with bogus requests
◦ ƒFilling up disk/memory
◦ ƒIsolating machine by DNS attacks
⇒ Detection and action (suspicious pattern)
⚫ Authentication
◦ ƒImpersonation of legitimate users
◦ ƒData forgery
⇒Cryptographic techniques

15
 Network Security
4.4 Web Security
⚫ There are three standardized schemes that are becoming increasingly
important as part of Web commerce and that focus on security at the transport
layer: SSL/TLS, HTTPS, and SSH
⚫ SSL/TLS
◦ ƒProvides security services between TCP and applications that use TCP
◦ ƒProvides confidentiality using symmetric encryption and message integrity using a
message authentication code
◦ It includes protocol mechanisms to enable two TCP users to determine the security
mechanisms and services they will use
⚫ HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to
implement secure communication between a Web browser and a Web server
⚫ Secure Shell (SSH) provides secure remote login and other secure
client/server facilities
16
 Network Security
4.4.1 Secure Sockets Layer
Security-Enhanced Application Protocols
⚫ Solution to most application layer security problems are tackled by
developing security-enhanced application protocols
⚫ Examples
◦ ƒFor FTP - FTPS
◦ ƒFor HTTP - HTTPS
◦ ƒFor SMTP - SMTPS
◦ ƒFor DNS - DNSSEC

17
 Network Security
4.4.2 Secure Electronic Transaction (SET)
E-commerce (Electronic Payment)
⚫ Payment involves a customer, a merchant, and often banks
⚫ How does the customer ensure that the merchant gets paid?
⚫ In general, Payment systems can be organized based on cash (Fig. a), check
(Fig. b), and credit card (Fig. c)

18
 Network Security
4.4.2 Secure Electronic Transaction (SET)
⚫ If the merchant doesn’t know the customer, it may not be willing to ship the
product before paid
⚫ Hence we have payment systems based on money transfer between banks
ƒPayment by money order (Fig. a)
⚫ ƒPayment through debit order (Fig. b); examples are electric and telephone
bills where there is a standing order of authorization

19
 Network Security
4.4.2 Secure Electronic Transaction (SET)
Security in Electronic Payment
⚫ Electronic payment systems are based on the above models
⚫ Secure payment systems are critical to the success of E-commerce
⚫ In cash based systems (using ATM), the main issue is authentication
◦ ƒUse of magnetic card
◦ ƒPIN
⚫ Credit card or check based system
◦ ƒNo tampering/alteration
◦ ƒProtection against repudiation (the buyer denies having made the order)
⚫ There are four essential security requirements for safe electronic payments
(Authentication, Encryption, Integrity and Non-repudiation)

20
 Network Security
SET - Secure Electronic Transaction
⚫ The Secure Sockets Layer (SSL) protocol, implemented in most major Web
browsers used by consumers, has helped create a basic level of security but is
not sufficient
⚫ ƒSSL provides a secure channel between the consumer and the merchant for
exchanging payment information, i.e., it supports confidentiality
⚫ ƒThe cardholder is protected from eavesdroppers but not from the merchant;
some merchants are dishonest.
⚫ ƒThe merchant is not protected from dishonest customers who supply an
invalid credit card number.

21
 Network Security
SET - Secure Electronic Transaction
⚫ SET is an example of application of cryptography
⚫ ƒDeveloped by Visa and MasterCard
◦ ƒCompanies involved: IBM, Microsoft, Netscape, RSA, Terisa and Verisign
⚫ ƒDesigned to protect credit card transactions on the Internet
⚫ ƒSET is not a payment system but enables users to employ the existing credit
card payment infrastructure on an open network (Internet) in a secure manner
⚫ ƒIt is an open encryption and security specification (the entire protocol is
published)

22
 Network Security
SET - Secure Electronic Transaction
SET Features and Business Requirement
⚫ ƒProvide confidentiality of payment and ordering information
⚫ Information made available only when and where necessary (privacy)
⚫ ƒEnsure the integrity of all transmitted data
⚫ ƒProvide authentication that a cardholder is a legitimate user of a credit card
account
⚫ Provide authentication that a merchant can accept credit card transactions
through its relationship with a financial institution
⚫ All parties must have digital certificates (trust)
⚫ ƒProvides a secure communication channel in a transaction

23
 Network Security
SET - Secure Electronic Transaction
SET Participants
⚫ ƒCardholder: Authorized holder of payment card (the customer)
⚫ ƒMerchant: Has goods or services to sell to the Cardholder (the web server)
⚫ ƒIssuer: Financial institution (cardholder’s bank)
⚫ Acquirer: Verifies that a card account is active and the proposed purchase does
not exceed the credit limit – Connected with the Merchant
⚫ ƒPayment gateway: Operated by the acquirer or a designated third party that
processes merchant payment messages
⚫ Certificate Authority (CA): Trusted entity to issue the X.509v3 public key
certificate for card holders, merchants and payment gateways. The success of
SET depends on the CA

24
 Network Security
SET - Secure Electronic Transaction
⚫ Both cardholders and merchants must register with CA first, before they can
buy or sell on the Internet, i.e., The customer opens an account and receives a
certificate; the Merchants have their own certificates

25
 Network Security
SET - Secure Electronic Transaction
Sequence of Events for Transactions in SET
1. Customer browses a website and decides what to purchase
2. Customer sends order and payment information, which includes 2 parts in
one message
a) a. Purchase Order - this part is for the merchant
b) b. Card Information - this pat is for merchant’s bank only
3. Merchant forwards card information (part b) to its bank
4. Merchant’s bank checks with Issuer for payment authorization
5. Issuer sends authorization to Merchant’s bank
6. Merchant’s bank sends authorization to merchant
7. Merchant completes the order and sends confirmation to the customer
8. Merchant captures the transaction from its bank
9. Issuer prints credit card bill (invoice) to customer
26
 Network Security
SET - Secure Electronic Transaction
⚫ SET - Sequence of events for transactions

27
 Network Security
SET - Secure Electronic Transaction
Cookies
⚫ ƒCookies are set by web servers and stored by web browsers
⚫ ƒA cookie set by a server is sent back to the server when the browser visits the
server again
⚫ Cookies can be used to track what sites the user visits (can lead to serious
privacy violation!)
Server Side Risks
⚫ ƒInteractive web sites are based on forms and scripts
⚫ ƒBy writing malicious scripts, the client can
◦ ƒCrash the server (e.g., buffer overflow)
◦ ƒGain control over the server

28
 Network Security
4.6 E-mail Security
⚫ E-mails transit through various servers before reaching their
destinations
⚫ ƒBy default, they are visible by anybody who has access to the
servers
⚫ ƒSMTP protocol has security holes and operational limitations
⚫ ƒE-mail security can be improved using tools and protocols like
PGP and S/MIME
◦ ƒPGP: Pretty Good Privacy
◦ ƒS/MIME: Secure Multi-Purpose Internet Mail Extension

29
 Network Security
4.6 E-mail Security
PGP
⚫ ƒPhilip R. Zimmerman is the creator of PGP
⚫ ƒPGP is an open-source, freely available software package for e-mail security
⚫ ƒThere are several software implementations available as freeware for most
desktop operating systems
⚫ PGP provides confidentiality and authentication services that can be used for
e-mail and file storage applications
⚫ It provides authentication through the use of digital signature, confidentiality
through the use of symmetric encryption, compression using the ZIP
algorithm, and e-mail compatibility using the radix-64 (Base 64) encoding
scheme
⚫ PGP incorporates tools for developing a public-key trust model and public-
key certificate management 30
 Network Security
4.6 E-mail Security
S/MIME Functions
⚫ S/MIME is an Internet standard approach to e-mail security that
incorporates the same functionality as PGP
⚫ Enveloped Data: Encrypted content and encrypted session keys for
recipients
⚫ ƒSigned Data: Message Digest encrypted with private key of
“signer”
⚫ ƒClear-Signed Data: Signed but not encrypted
⚫ ƒSigned and Enveloped Data: Various orderings for encrypting and
signing
31