Network Security for IT Professionals

Network Security Essentials

Applications and Standards


Third Edition

William Stallings
Unit 1
Introduction
Outline: Topics
1. Security Trends
2. The OSI Security Architecture
3. Security Attacks
4. Security Services
5. Security Mechanisms
6. A Model for Internetwork Security
Introduction:
This book focuses on internetwork security: measures to deter, prevent, detect and correct security violations that involve the transmission of information.
Cases where security is needed:
1. A sends data to B, and C, who is unauthorized, monitors and captures the data during transmission.
2. D (a manager) sends a message to E (a computer), and F (an intruder) adds, deletes or alters data during transmission.
3. F (an intruder) alters the message before it reaches E from D.
4. A fired employee delays the manager's message to the system server that would invalidate the employee's account.
5. A customer sends a message to a broker to purchase shares; when the share value falls, the customer denies having made the prior transaction with the broker.
Internetwork security is both fascinating and complex.
Reasons:
1. The requirements (confidentiality, authentication, non-repudiation, integrity) are simple to state, but the mechanisms that meet them can be quite complex.
2. When developing a security mechanism or algorithm, one must always consider potential attacks on its security features; successful attacks usually exploit an unexpected weakness in the algorithm or in the way it is used.
3. The procedures used to provide a particular service are often counter-intuitive.
4. It is important to decide when and where to apply a designed algorithm or mechanism: physically (at which points in the network) and logically (at which layer of the architecture).
5. Security mechanisms typically involve more than one algorithm or protocol and require secret information (e.g. an encryption key), which raises questions about the creation, distribution and protection of that secret; they may also depend on protocol properties such as time limits on message transit.
Information Security Requirements:
- Computer Security (System Security)
- Network Security (Internet Security)
Security Violations
2. The OSI Security Architecture
Requirement:
To assess security needs effectively, and to choose and evaluate security products and policies, a systematic approach is needed.
Solution: the OSI Security Architecture (ITU-T Recommendation X.800).
The OSI Security Architecture focuses on:
- Security Attacks
- Security Mechanisms
- Security Services
Security Attack: any action that compromises the security of information owned by an organization.
Security Mechanism: a process (or a device incorporating such a process) designed to detect, prevent, or recover from a security attack.
Security Service: a processing or communication service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.

RFC 2828 (Internet Security Glossary): Threats and Attacks ……


3. Security Attacks
Using both X.800 and RFC 2828, attacks are classified as:
- Passive Attacks
- Active Attacks
1. Passive Attacks
In the nature of eavesdropping on, or monitoring of, transmissions.
Goal: obtain information that is being transmitted.
Types:
- Release of message contents (Fig 1.3 a)
- Traffic analysis (Fig 1.3 b): even if the contents are masked, an opponent can observe the pattern of messages (who is talking to whom, how often, and with messages of what length).
Solution? Mask the contents using encryption.
Passive attacks are very difficult to detect because they do not involve any alteration of the data.
How to deal with passive attacks? Prevention rather than detection.
2. Active Attacks
Involve some modification of the data stream or the creation of a false stream.
Categorized into:
- Masquerade
- Replay
- Modification of messages
- Denial of service
Masquerade (Fig 1.4 a): one entity pretends to be a different entity, e.g. to obtain extra privileges by impersonating an entity that has them. A masquerade usually includes one of the other forms of active attack.
Replay (Fig 1.4 b): passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
Modification of messages (Fig 1.4 c): some portion of a legitimate message is altered, or messages are delayed or reordered; e.g. "Allow John Smith" altered to "Allow Darth".
Denial of service (Fig 1.4 d): prevents or inhibits the normal use of communication facilities; e.g. an entity suppresses all messages directed to a particular destination, or overloads a network so that it cannot serve legitimate traffic.
Conclusion:
Active attacks are hard to prevent absolutely, since that would require physical protection of all communication facilities and paths at all times.
So the goal is to detect them and to recover from any disruption or delays they cause. Because detection has a deterrent effect, it also contributes to prevention.
Security Goals (CIA):
- Confidentiality
- Integrity
- Availability
4. Security Services
X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of the data transfers.
Security services implement security policies and are implemented by security mechanisms.
X.800 divides the services into 5 categories and 14 specific services (Table 1.2):
- Data Confidentiality (privacy)
- Authentication (assurance of who created or sent the data)
- Data Integrity (the data has not been altered)
- Non-repudiation (the sender cannot later deny the message; "the order is final")
- Access Control (prevents misuse of resources)
Availability (permanence, non-erasure) is a sixth property, threatened by, for example:
- Denial of service attacks
- A virus that deletes files
Availability Service:
Both X.800 and RFC 2828 define availability as a property of a system or a system resource.
A system is available if it provides services according to the system design whenever users request them.
A variety of attacks can result in the loss of, or a reduction in, availability.
X.800 treats availability as a property associated with various services; the availability service addresses the security concerns raised by denial-of-service attacks.
It depends upon:
- Proper management and control of system resources
- The access control service and other security services.
5. Security Mechanisms
Defined in X.800.
Classification 1:
1. Reversible Encipherment Mechanism:
Simply an encryption algorithm: it allows data to be encrypted and subsequently decrypted.
2. Irreversible Encipherment Mechanism:
Includes hash algorithms and message authentication codes (MACs), which are used in digital signature and message authentication applications.
Classification 2:
1. Specific Security Mechanisms:
May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services (X.800 lists encipherment, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization).
2. Pervasive Security Mechanisms:
Mechanisms that are not specific to any particular OSI security service or protocol layer (X.800 lists trusted functionality, security labels, event detection, security audit trail and security recovery).
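The active attacks of section 3 and the irreversible encipherment mechanism of section 5 meet in the following added example, which is not from the slides or from Stallings' book. A sender prefixes each message with a sequence number and appends an HMAC-SHA256 tag over both; the receiver rejects modified messages, messages forged without the key (masquerade) and replayed messages. The shared key value, the message texts and the 8-byte sequence header are assumptions made for this example.

```python
import hmac
import hashlib
import struct
from typing import List, Optional, Tuple

# Secret shared by the two principals; an assumed value for this example only.
KEY = b"shared-secret-between-D-and-E"
SEQ_LEN = 8    # sequence number header, unsigned 64-bit big-endian
TAG_LEN = 32   # HMAC-SHA256 output length


def protect(seq: int, body: bytes, key: bytes = KEY) -> bytes:
    """Sender side: seq || body || HMAC(key, seq || body).

    The MAC (an irreversible encipherment mechanism) detects modification and
    masquerade; the sequence number lets the receiver detect replay.
    """
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Receiver side: verify the tag first, then require a strictly increasing seq."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = -1

    def accept(self, msg: bytes) -> Tuple[str, Optional[bytes]]:
        if len(msg) < SEQ_LEN + TAG_LEN:
            return ("reject: truncated", None)
        header, body, tag = msg[:SEQ_LEN], msg[SEQ_LEN:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return ("reject: bad tag", None)
        (seq,) = struct.unpack("!Q", header)
        if seq <= self.last_seq:
            return ("reject: replay", None)
        self.last_seq = seq
        return ("accept", body)


def demo() -> List[str]:
    """Feed the receiver one genuine message and three attacks; return its verdicts."""
    rx = Receiver()
    genuine = protect(1, b"Allow John Smith")
    verdicts = [rx.accept(genuine)[0]]

    # Modification of message: F alters the body, but cannot recompute the tag.
    modified = genuine.replace(b"John Smith", b"Darth")
    verdicts.append(rx.accept(modified)[0])

    # Masquerade: F builds a whole new message without knowing the shared key.
    forged = protect(2, b"Allow Darth", key=b"guess")
    verdicts.append(rx.accept(forged)[0])

    # Replay: F retransmits the captured genuine message.
    verdicts.append(rx.accept(genuine)[0])

    # The next genuine message carries a higher sequence number and is accepted.
    verdicts.append(rx.accept(protect(2, b"Allow Jane Doe"))[0])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The strictly increasing sequence number is the simplest anti-replay rule; protocols that must tolerate legitimate reordering (IPsec, for example) keep a sliding window of recently seen numbers instead. Note what this mechanism does not do: it gives no confidentiality (the body is in the clear), and it cannot detect the fourth active attack, denial of service, because a suppressed or delayed message never reaches the receiver at all; that needs a timestamp or heartbeat on top.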
6. A Model for Network Security:
The sender and receiver are the principals in the transaction, and they must cooperate for the exchange to take place.
A logical information channel (e.g. using TCP/IP) is established between the principals, and it is this channel that must be secured against an opponent.
All techniques for providing security have two components:
- A security-related transformation on the information to be sent, e.g. encryption of the message, or a code appended to it that lets the receiver verify the sender's identity.
- Some secret information shared by the two principals and, it is hoped, unknown to the opponent, e.g. the encryption key.
The general model shows that there are four basic tasks in designing a particular security service:
1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret information.
4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
Need? Protect an information system from unwanted access, such as:
Human Attacks:
Hacker: someone who, with no malign (harmful) intent, simply gets satisfaction from breaking into a computer system.
Intruder: someone who seeks to exploit computer assets for financial gain.
Software Attacks:
Viruses and worms: can be introduced into a system by means of a disk that contains the unwanted logic concealed in otherwise useful software, or inserted across a network.
Solution? Defensive methods.
Methods of Defense:
- Gatekeeper function: includes password-based login procedures designed to deny access to all but authorized users, and screening logic designed to detect and reject worms, viruses and similar attacks (see figure).
- System activity monitoring: internal controls that monitor activity and analyze stored information to detect the presence of unwanted intruders.
- Encryption
- Software controls (access limitations in a database; operating-system controls that protect each user from other users)
- Hardware controls (e.g. smartcards)
- Policies (e.g. frequent password changes)
- Physical controls
Network Devices (Hub, Repeater, Bridge, Switch, Router, Gateway)

1. Repeater: operates at the physical layer. Its job is to regenerate the signal over the same network before it becomes too weak or corrupted, so as to extend the distance over which the signal can be transmitted. Repeaters do not amplify the signal: when the signal becomes weak they copy it bit by bit and regenerate it at the original strength. A repeater is a 2-port device.
2. Hub: basically a multiport repeater. A hub connects multiple wires coming from different branches, e.g. the central connector in a star topology that connects the different stations. Hubs cannot filter data, so frames are sent to all connected devices; in other words, all hosts connected through a hub share one collision domain. Hubs also have no intelligence to find the best path for data, which leads to inefficiency and wasted bandwidth. Because every port sees every frame, any host on a hub can passively capture the traffic of all the others.
3. Bridge: operates at the data link layer. A bridge is a repeater with the added ability to filter traffic by reading the source and destination MAC addresses. It is used to interconnect two LANs working on the same protocol. It has a single input port and a single output port, making it a 2-port device.
4. Switch: a multiport bridge with a buffer and a design that improves efficiency and performance (with many ports, each port carries only the traffic destined for the host on it). A switch is a data link layer device. A store-and-forward switch checks each frame for errors before forwarding it, so it does not forward corrupted frames, and it forwards good frames only to the correct port. In other words, a switch divides the collision domain of the hosts, but the broadcast domain remains the same.
5. Router: a device that, like a switch, forwards packets, but does so based on their IP addresses. The router is mainly a network layer device. Routers normally connect LANs and WANs together and maintain a dynamically updated routing table on which they base their forwarding decisions. A router divides the broadcast domains of the hosts connected through it.
6. Gateway: as the name suggests, a passage connecting two networks that may use different networking models. Gateways act as messenger agents that take data from one system, interpret it, and transfer it to another system. They are also called protocol converters and can operate at any layer of the network stack. Gateways are generally more complex than switches or routers.
Working of DNS

All computers on the Internet, from your smartphone or laptop to the servers that serve content for massive retail websites, find and communicate with one another by using numbers. These numbers are known as IP addresses. When you open a web browser and go to a website, you don't have to remember and enter a long number. Instead, you can enter a domain name like example.com and still end up in the right place.
A DNS service such as Amazon Route 53 is a globally distributed service that translates human-readable names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. The Internet's DNS system works much like a phone book by managing the mapping between names and numbers.
DNS servers translate requests for names into IP addresses, controlling which server an end user will reach when they type a domain name into their web browser. These requests are called queries.
Types of DNS Service
Authoritative DNS: An authoritative DNS service provides an update mechanism that developers use to manage their public DNS names. It then answers DNS queries, translating domain names into IP addresses so computers can communicate with each other. Authoritative DNS has the final authority over a domain and is responsible for providing answers to recursive DNS servers with the IP address information. Amazon Route 53 is an authoritative DNS system.
Recursive DNS: Clients typically do not make queries directly to authoritative DNS services. Instead, they generally connect to another type of DNS service known as a resolver, or a recursive DNS service. A recursive DNS service acts like a hotel concierge: while it doesn't own any DNS records, it acts as an intermediary who can get the DNS information on your behalf. If a recursive DNS server has the DNS reference cached, or stored for a period of time, then it answers the DNS query by providing the source or IP information. If not, it passes the query to one or more authoritative DNS servers to find the information. Because a cached answer is served to every later client, a resolver that accepts a forged reply poisons its cache for all of them; DNSSEC lets a resolver verify that the authoritative answers it caches are signed.
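As an added example (not part of the original slides, nor of the Amazon Route 53 documentation they quote), the following Python builds the wire-format query a resolver sends for an A record, constructs the kind of answer an authoritative server returns (with the AA bit set), and parses it, checking the transaction ID and the question section so that a reply that does not match the outstanding query is discarded. The names, addresses and transaction IDs are constructed for the example; nothing here touches the network.

```python
import secrets
import struct
from typing import List, Optional, Tuple

# Constructed example data; nothing here touches the network.
QUERY_NAME = "www.example.com"
ANSWER_IP = "192.0.2.1"


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, txid: Optional[int] = None, recursion_desired: bool = True) -> bytes:
    """Header (12 bytes) + one question for an A record, class IN."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)   # unpredictable ID: a reply must echo it
    flags = 0x0100 if recursion_desired else 0x0000   # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset just past it."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(resp: bytes, expected_txid: int, expected_name: str) -> Tuple[List[str], bool]:
    """Return (A-record addresses, authoritative-answer flag); reject mismatched replies."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qdcount):
        qname, offset = decode_name(resp, offset)
        if qname.lower() != expected_name.lower():
            raise ValueError("question section does not match our query")
        offset += 4                                     # QTYPE, QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = decode_name(resp, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata, offset = resp[offset:offset + rdlen], offset + rdlen
        if (rtype, rclass, rdlen) == (1, 1, 4):        # A record, class IN
            addrs.append(".".join(str(b) for b in rdata))
    return addrs, bool(flags & 0x0400)                  # AA bit


def build_response(query: bytes, ip: str, authoritative: bool) -> bytes:
    """Constructed reply: echoes the question and answers with one A record."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | 0x0080         # QR, echo RD, RA
    if authoritative:
        rflags |= 0x0400                                # AA: this server owns the zone
    header = struct.pack("!HHHHHH", txid, rflags, qdcount, 1, 0, 0)
    answer = (b"\xc0\x0c"                               # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + query[12:] + answer


def demo() -> Tuple[List[str], bool, bool]:
    query = build_query(QUERY_NAME, txid=0x1234)
    addrs, aa = parse_response(build_response(query, ANSWER_IP, True), 0x1234, QUERY_NAME)
    # A reply whose transaction ID does not match the outstanding query is dropped,
    # which is the first line of defence a resolver has against spoofed answers.
    spoof = build_response(build_query(QUERY_NAME, txid=0x9999), "198.51.100.7", False)
    try:
        parse_response(spoof, 0x1234, QUERY_NAME)
        spoof_rejected = False
    except ValueError:
        spoof_rejected = True
    return addrs, aa, spoof_rejected


if __name__ == "__main__":
    print(demo())
```

A 16-bit transaction ID alone is too small a space to stop a flood of guessed replies, which is why resolvers also randomize the UDP source port of each query and check that the reply arrives on it (RFC 5452); the parser above is what a resolver must do after that check, not a replacement for it.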
DHCP

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.
RFCs 2131 and 2132 define DHCP as an Internet Engineering Task Force (IETF) standard based on the Bootstrap Protocol (BOOTP), a protocol with which DHCP shares many implementation details. DHCP allows hosts to obtain the required TCP/IP configuration information from a DHCP server.
DHCP itself provides no authentication of the server: a client accepts the first valid offer it receives, so a rogue DHCP server on the same LAN can hand out a malicious default gateway or DNS server. This is why managed switches offer DHCP snooping, which drops DHCP server messages arriving on untrusted ports.
IDS: Intrusion Detection System
An Intrusion Detection System (IDS) is a monitoring system that detects suspicious activities and generates alerts when they are detected. Based upon these alerts, a security operations center (SOC) analyst or incident responder can investigate the issue and take the appropriate actions to remediate the threat.
Host-Based IDS (HIDS): A host-based IDS is deployed on a particular endpoint and designed to protect it against internal and external threats. Such an IDS may have the ability to monitor network traffic to and from the machine, observe running processes, and inspect the system's logs. A host-based IDS's visibility is limited to its host machine, decreasing the available context for decision-making, but has deep visibility into
Network-Based IDS (NIDS): A network-based IDS solution is designed to monitor an entire protected network. It has visibility into all traffic flowing through the network and makes determinations based upon packet metadata and contents. This wider viewpoint provides more context and the ability to detect widespread threats; however, these systems lack visibility into the internals of the endpoints that they protect.
IPS: Intrusion Prevention System
An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur. Because an IPS sits inline and acts on its verdicts, a false positive blocks legitimate traffic, whereas the same false positive on an IDS costs only an analyst's time; tuning the rules before enabling blocking is therefore essential.
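To make the detect-versus-prevent distinction concrete, here is an added example (not from the slides or from any IDS product) of the two kinds of logic a network sensor runs over the traffic it observes: signature matching on payload content, and a threshold rule that flags a source contacting many distinct ports within a short window. The same sensor runs either as an IDS (alert only) or as an IPS (alert and drop). The packet records, the signatures and the threshold values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


# Illustrative content signatures (constructed for the example, not a real rule set).
SIGNATURES = [
    ("directory traversal", re.compile(rb"\.\./\.\./")),
    ("SQL injection probe", re.compile(rb"(?i)union\s+select")),
]

# Threshold rule: one source touching this many distinct ports inside the window.
SCAN_PORTS = 5
SCAN_WINDOW = 10.0


class Sensor:
    def __init__(self, prevent: bool) -> None:
        self.prevent = prevent                       # False: IDS, True: IPS
        self.recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)

    def inspect(self, pkt: Packet) -> Optional[str]:
        """Return an ALERT/DROP line if the packet is suspicious, else None."""
        reasons = [name for name, pattern in SIGNATURES if pattern.search(pkt.payload)]

        window = self.recent[pkt.src]
        window.append((pkt.ts, pkt.dport))
        while window and pkt.ts - window[0][0] > SCAN_WINDOW:   # expire old entries
            window.popleft()
        if len({port for _, port in window}) >= SCAN_PORTS:
            reasons.append("port scan")

        if not reasons:
            return None
        action = "DROP" if self.prevent else "ALERT"   # IPS acts, IDS only reports
        return f"{action} {pkt.src}->{pkt.dst}:{pkt.dport} [{', '.join(reasons)}]"


# Constructed traffic: one web client, one scanner, one injection attempt.
TRAFFIC = [
    Packet(0.0, "10.0.0.5", "10.0.0.80", 80, b"GET /index.html HTTP/1.1"),
    Packet(1.0, "10.0.0.5", "10.0.0.80", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet(2.0, "203.0.113.9", "10.0.0.80", 21, b""),
    Packet(2.5, "203.0.113.9", "10.0.0.80", 22, b""),
    Packet(3.0, "203.0.113.9", "10.0.0.80", 23, b""),
    Packet(3.5, "203.0.113.9", "10.0.0.80", 25, b""),
    Packet(4.0, "203.0.113.9", "10.0.0.80", 80, b""),
    Packet(5.0, "10.0.0.7", "10.0.0.80", 80, b"GET /item?id=1 UNION SELECT password FROM users"),
]


def run(prevent: bool, traffic: List[Packet] = TRAFFIC) -> List[str]:
    sensor = Sensor(prevent)
    return [line for line in (sensor.inspect(p) for p in traffic) if line]


if __name__ == "__main__":
    for line in run(prevent=False):
        print(line)
```

Two limits of this logic are worth seeing for yourself: a scanner that spaces its probes more than SCAN_WINDOW apart never trips the threshold rule (slow scans are a standard evasion), and the signatures match only plaintext payloads, so a NIDS placed behind TLS sees nothing of the traversal or injection attempts unless traffic is decrypted in front of it.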
Firewall and its types

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is the barrier that sits between a private internal network and the public Internet. A firewall's main purpose is to allow non-threatening traffic in and to keep dangerous traffic out.
By form, a firewall may be software, hardware, or a combination of both. Each form has different functionality but the same purpose, and it is best practice to have both to achieve the maximum possible protection.
By inspection technique, the main types are:
1. Packet Filtering
A packet filtering firewall controls data flow to and from a network. It allows or blocks the data transfer based on the packet's source address, the destination address of the packet, the protocol and port numbers used to transfer the data, and so on. Each packet is judged on its own, with no memory of earlier packets.
2. Proxy Service Firewall
This type of firewall protects the network by filtering messages at the application layer. For a specific application, a proxy firewall serves as the gateway from one network to another: the client talks to the proxy, and the proxy opens its own connection to the server.
3. Stateful Inspection
Such a firewall permits or blocks network traffic based on state, port, and protocol. It decides filtering based on administrator-defined rules and on context, i.e. a table of the connections it has already seen, so that an inbound packet is admitted as a reply only if it matches a connection opened from inside.
4. Next-Generation Firewall
According to Gartner, Inc.'s definition, the next-generation firewall is a deep-packet inspection firewall that adds application-level inspection, intrusion prevention, and information from outside the firewall to go beyond port/protocol inspection and blocking.
5. Unified Threat Management (UTM) Firewall
A UTM device generally integrates the capabilities of a stateful inspection firewall, intrusion prevention, and antivirus in a loosely linked manner. It may include additional services and, in many cases, cloud management. UTMs are designed to be simple and easy to use.
6. Threat-Focused NGFW
These firewalls provide advanced threat detection and mitigation. With network and endpoint event correlation, they may detect evasive or suspicious behavior.
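The difference between packet filtering (type 1) and stateful inspection (type 3) is easiest to see in code. The following added example (not from the slides or from any firewall vendor) models a stateless rule set that admits "return traffic" on the strength of the source port alone, beside a stateful firewall that admits inbound packets only when they belong to a connection an inside host opened. The addresses, ports and the simplified connection tracking (a table entry created on the outbound SYN, never expired) are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    direction: str   # "out": inside -> Internet, "in": Internet -> inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


WEB_PORTS = (80, 443)


def stateless_filter(p: Pkt) -> str:
    """Packet filter: each packet is judged on its own header fields."""
    if p.direction == "out" and p.proto == "tcp" and p.dport in WEB_PORTS:
        return "allow"
    # "Return traffic" rule: a packet from a web port to a high port looks like a reply.
    if p.direction == "in" and p.proto == "tcp" and p.sport in WEB_PORTS and p.dport >= 1024:
        return "allow"
    return "deny"


class StatefulFirewall:
    """Stateful inspection: inbound packets are admitted only if a tracked
    connection, opened from the inside, matches their 5-tuple."""

    def __init__(self) -> None:
        self.connections: Dict[Tuple[str, str, int, str, int], str] = {}

    def decide(self, p: Pkt) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out" and p.proto == "tcp" and p.dport in WEB_PORTS and p.syn:
            self.connections[key] = "established"   # simplified: track on outbound SYN
            return "allow"
        if key in self.connections or reverse in self.connections:
            return "allow"                            # belongs to a tracked connection
        return "deny"                                 # unsolicited, whatever its ports say


def demo() -> Dict[str, List[str]]:
    """Three packets: a legitimate request, its reply, and a forged 'reply'."""
    packets = [
        Pkt("out", "tcp", "10.0.0.5", 51000, "192.0.2.1", 443, syn=True),
        Pkt("in", "tcp", "192.0.2.1", 443, "10.0.0.5", 51000),
        # Attacker sets source port 443 to reach RDP on an inside host.
        Pkt("in", "tcp", "198.51.100.7", 443, "10.0.0.5", 3389),
    ]
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_filter(p) for p in packets],
        "stateful": [fw.decide(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter lets the forged packet through because its headers satisfy the rule; the stateful firewall denies it because no inside host ever opened that connection. Real stateful firewalls express the same idea with a connection-tracking rule (for example `-m conntrack --ctstate ESTABLISHED,RELATED` in iptables) and age entries out of the table when a connection closes or goes idle.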

Internet Security Protocols

In today's computer network world, Internet security has achieved great importance. Since Internet technology is vast and has evolved over many years, there are various aspects associated with Internet security. Various security mechanisms exist for specialized Internet services like email, electronic commerce and payment, wireless Internet, etc. To provide security on the Internet, various protocols have been used, like SSL (Secure Socket Layer), TLS (Transport Layer Security), etc.
1. SSL Protocol
SSL stands for Secure Socket Layer, an Internet security protocol used for exchanging information between a web browser and a web server in a secure manner. It provides two basic security services: authentication and confidentiality. SSL became the world's most popular web security mechanism, and all major web browsers supported it. The secure socket layer is considered an additional layer in the TCP/IP protocol suite, located between the application layer and the transport layer. Note that every version of SSL is now deprecated (SSL 3.0 by RFC 7568) because of protocol-level weaknesses; what is deployed today is TLS, and "SSL" survives mostly as a name.
2. TLS Protocol
TLS stands for Transport Layer Security, an Internet security protocol. TLS is an IETF standardization initiative whose goal was to produce an Internet-standard version of SSL; to standardize SSL, Netscape handed the protocol to the IETF.
The idea and implementation are quite similar. TLS 1.2 uses a pseudorandom function (PRF) built from HMAC to derive the master secret from the pre-master secret, and then the per-connection keys from the master secret; TLS 1.3 replaced the PRF with HKDF. Like SSL, TLS layers its sub-protocols (the Handshake Protocol, the Change Cipher Spec Protocol and the Alert Protocol, plus application data) over the Record Protocol, which provides confidentiality and integrity for each fragment. The authentication service depends on the client actually verifying the server's certificate chain and checking that the certificate matches the host name it connected to; disabling either check leaves a connection that is encrypted but not authenticated.
3. SHTTP
SHTTP stands for Secure HyperText Transfer Protocol, a set of security mechanisms defined for protecting Internet traffic. It also covers data entry forms and Internet-based transactions.
The services provided by SHTTP are quite similar to those of SSL. Secure HyperText Transfer Protocol works at the application layer and is therefore tightly coupled with HTTP. SHTTP supports both authentication and encryption of HTTP traffic between the client and the server. Unlike SSL/TLS, which secure the whole connection, S-HTTP (RFC 2660) protects individual HTTP messages; it was never widely adopted and is of historical interest only.
4. SET Protocol
SET stands for Secure Electronic Transaction, an open encryption and security mechanism designed for protecting eCommerce transactions over the Internet. SET is not a payment system; it is a security protocol used over the Internet for secure transactions.
5. PEM Protocol
PEM stands for Privacy Enhanced Mail, used for email security over the Internet. It was adopted by the IAB (Internet Architecture Board) to provide secure electronic mail communication over the Internet. It was initially developed by the IRTF (Internet Research Task Force) PSRG (Privacy and Security Research Group), which then handed PEM over to the IETF (Internet Engineering Task Force) PEM working group. The Privacy Enhanced Mail protocol is described in four documents: RFC 1421, RFC 1422, RFC 1423, and RFC 1424.
6. PGP Protocol
PGP stands for Pretty Good Privacy, which was developed by Phil Zimmermann. PGP is easy to use and free, including its source code and documentation. It also supports the basic requirements of cryptography.
For those organizations that require support, a low-cost commercial version of PGP was available from a company called ViaCrypt. PGP became extremely popular and much more widely used than PEM.
Thank You