https://www.tutorialspoint.com/network_security/network_security_quick_guide.htm
SSL is specific to TCP and does not work with UDP. SSL provides an Application
Programming Interface (API) to applications. C and Java SSL libraries/classes
are readily available.
o Alert Protocol.
These three protocols manage all of SSL message exchanges and are discussed
later in this section.
o It is the most complex part of SSL. It is invoked before any application data
is transmitted. It creates SSL sessions between the client and the server.
o Multiple secure TCP connections between a client and a server can share
the same session.
ChangeCipherSpec Protocol
o Simplest part of the SSL protocol. It consists of a single message exchanged
between the two communicating entities, the client and the server.
o The cipher parameters pending state is copied into the current state.
o Exchange of this Message indicates all future data exchanges are encrypted
and integrity is protected.
o It is also used for other purposes, such as notifying closure of the TCP
connection, notifying receipt of a bad or unknown certificate, etc.
Server sends certificate. Client software comes configured with public keys of
various “trusted” organizations (CAs) to check certificate.
The client also sends the Pre-master Secret (PMS) encrypted with the server’s public key.
Phase 4 − Finish.
Client and server send Change_cipher_spec messages to each other to cause the
pending cipher state to be copied into the current state.
All four phases, discussed above, happen within the TCP session: SSL session
establishment starts after the TCP SYN/SYN-ACK handshake and finishes before
the TCP FIN.
An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the
identity of a website and encrypts information sent to the server using SSL technology.
Encryption is the process of scrambling data into an undecipherable format that can
only be returned to a readable format with the proper decryption key.
Features of IPsec
IPsec is not designed to work only with TCP as a transport protocol. It works with
UDP as well as any other protocol above IP such as ICMP, OSPF etc.
IPsec protects the entire packet presented to IP layer including higher layer
headers.
Since the higher-layer headers, which carry the port numbers, are hidden,
traffic analysis is more difficult.
IPsec works from one network entity to another network entity, not from
application process to application process. Hence, security can be adopted
without requiring changes to individual user computers/applications.
The most common use of IPsec is to provide a Virtual Private Network (VPN),
either between two locations (gateway-to-gateway) or between a remote user
and an enterprise network (host-to-gateway).
Security Functions
The important security functions provided by the IPsec are as follows −
Confidentiality
Key management.
TCP/IP protocols are commonly used with other protocols such as HTTP, FTP,
SSH at application layer and Ethernet at the data link/physical layer.
It was developed for communication within a limited, trusted network.
However, over time, this protocol became the de facto standard for
unsecured Internet communication.
HTTP is an application layer protocol in the TCP/IP suite used to transfer the
files that make up web pages from web servers. These transfers are done in plain
text, so an intruder can easily read the data packets exchanged between the
server and a client.
Another HTTP vulnerability is the weak authentication between the client and the
web server during session initialization. This vulnerability can lead to a
session hijacking attack, where the attacker steals the HTTP session of a
legitimate user.
Detailed Answer:
Following are the vulnerabilities in TCP/IP
1. ARP Spoofing:
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP
(Address Resolution Protocol) messages over a local area network.
This results in the linking of an attacker’s MAC address with the IP address of a
legitimate computer or server on the network.
Once the attacker’s MAC address is connected to an authentic IP address, the
attacker will begin receiving any data that is intended for that IP address.
ARP spoofing can enable malicious parties to intercept, modify or even stop data
in-transit. ARP spoofing attacks can only occur on local area networks that utilize
the Address Resolution Protocol.
The effects of ARP spoofing attacks can have serious implications for
enterprises.
In their most basic application, ARP spoofing attacks are used to steal sensitive
information. Beyond this, ARP spoofing attacks are often used to facilitate other
attacks such as:
1. Denial-of-service attacks:
DoS attacks often leverage ARP spoofing to link multiple IP addresses with a
single target’s MAC address. As a result, traffic that is intended for many different
IP addresses will be redirected to the target’s MAC address, overloading the
target with traffic.
2. Session hijacking:
Session hijacking attacks can use ARP spoofing to steal session IDs, granting
attackers access to private systems and data.
3. Man-in-the-middle attacks:
MITM attacks can rely on ARP spoofing to intercept and modify traffic between
victims.
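A defender-side illustration of the ARP spoofing section above, added here and not part of the original notes: a minimal arpwatch-style check that learns an IP-to-MAC table from observed ARP replies and raises an alert when an IP's MAC changes (the MITM/session-hijacking case) or when one MAC claims many IPs (the DoS case). The sample replies and MAC addresses are constructed.

```python
# Added example (not from the original notes): arpwatch-style detector.
# It tracks IP -> MAC bindings seen in ARP replies and alerts on
# (1) an IP whose MAC changes and (2) one MAC claiming too many IPs.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample ARP replies: (timestamp, sender_ip, sender_mac).
# 10.0.0.1 is the gateway; de:ad:be:ef:00:99 is a hypothetical attacker NIC.
SAMPLE_ARP_REPLIES: List[Tuple[float, str, str]] = [
    (1.0, "10.0.0.1",  "00:11:22:33:44:01"),
    (1.1, "10.0.0.20", "00:11:22:33:44:20"),
    (1.2, "10.0.0.21", "00:11:22:33:44:21"),
    (5.0, "10.0.0.1",  "de:ad:be:ef:00:99"),  # gateway IP now claimed by another MAC
    (5.1, "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC also claims a host IP
    (5.2, "10.0.0.21", "de:ad:be:ef:00:99"),  # ... and a third one
]


def detect_arp_spoofing(replies, max_ips_per_mac: int = 2) -> List[str]:
    """Return alert strings for MAC changes and for MACs claiming too many IPs.

    The "too many IPs" alert fires once, when the count first exceeds the limit.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append(f"{ts}: MAC for {ip} changed {known} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:
            alerts.append(f"{ts}: MAC {mac} claims {len(mac_to_ips[mac])} IPs")
    return alerts


def current_binding(replies, ip: str) -> str:
    """Return the MAC most recently announced for `ip` (last reply wins, as in an ARP cache)."""
    mac = ""
    for _, reply_ip, reply_mac in replies:
        if reply_ip == ip:
            mac = reply_mac.lower()
    return mac


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A static ARP entry for the gateway, or switch-side dynamic ARP inspection, is the usual mitigation once such a change is seen.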
2. Port scanning
Port Scanning is one of the most popular techniques attackers use to discover
services that they can exploit to break into systems.
All systems that are connected to a LAN or the Internet via a modem run services
that listen to well-known and not so well-known ports.
By port scanning, the attacker can find the following information about the
targeted systems: what services are running, what users own those services,
whether anonymous logins are supported, and whether certain network services
require authentication.
Port scanning is accomplished by sending a message to each port, one at a time.
The kind of response received indicates whether the port is used and can be
probed for further weaknesses.
Port scanners are important to network security technicians because they can
reveal possible security vulnerabilities on the targeted system.
Port Scan Techniques
o The Vanilla TCP connect scan is the most basic scanning technique.
o The scan uses the connect system call of the operating system to attempt a
connection to every port on the target; open ports accept the connection.
o The scan is extremely noisy and easily detectable. The targeted system
logs will show connection requests and error messages for the services
that accepted the connections.
o The TCP FIN scan has the ability to pass undetected through most
firewalls, packet filters, and scan detection programs.
o The attacking system sends FIN packets to the targeted system. The
closed ports will respond with an RST. The open ports will ignore the
packets. The attacking system will take note of which ports it received an
RST on and report on the ports that did not respond with an RST.
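A defender-side illustration of the connect scan described above, added here and not part of the original notes: because a vanilla connect scan leaves connection requests in the target's logs, a sliding-window count of distinct destination ports per source is enough to flag it. The log format and addresses are constructed for the example.

```python
# Added example (not from the original notes): flag a vanilla TCP connect
# scan from connection-log lines by counting distinct destination ports
# per source inside a sliding time window.
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (epoch seconds, source, dest port, outcome);
# 198.51.100.7 is a hypothetical scanner, 203.0.113.9 a normal client.
SAMPLE_CONN_LOG = """\
10 src=203.0.113.9 dport=443 state=accepted
11 src=198.51.100.7 dport=21 state=refused
11 src=198.51.100.7 dport=22 state=accepted
11 src=198.51.100.7 dport=23 state=refused
12 src=198.51.100.7 dport=25 state=refused
12 src=198.51.100.7 dport=80 state=accepted
12 src=203.0.113.9 dport=443 state=accepted
13 src=198.51.100.7 dport=110 state=refused
40 src=198.51.100.7 dport=143 state=refused
"""

LINE_RE = re.compile(r"^(\d+) src=(\S+) dport=(\d+) state=(\w+)$")


def parse_line(line: str) -> Optional[Tuple[int, str, int, str]]:
    """Parse one log line into (ts, src, dport, state); None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dport, state = m.groups()
    return int(ts), src, int(dport), state


def find_scanners(log_text: str, window: int = 5, min_ports: int = 5) -> Dict[str, List[int]]:
    """Return {src: sorted ports} for sources touching >= min_ports distinct ports within `window` s."""
    recent = defaultdict(deque)            # src -> deque of (ts, dport), oldest first
    flagged: Dict[str, set] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport, _state = rec       # refused ports count too: the probe itself is the signal
        q = recent[src]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}
```

A FIN scan, by contrast, never completes a connection and so does not appear in this kind of log; catching it needs packet-level visibility (a stateful firewall or IDS that sees bare FIN segments).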
TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that
exploits part of the normal TCP three-way handshake to consume resources on
the targeted server and render it unresponsive.
Essentially, with SYN flood DDoS, the offender sends TCP connection requests
faster than the targeted machine can process them, causing network saturation.
Attack description
When a client and server establish a normal TCP “three-way handshake,” the
exchange looks like this:
In a SYN flood attack, the attacker sends repeated SYN packets to every port on
the targeted server, often using a fake IP address.
The server, unaware of the attack, receives multiple, apparently legitimate
requests to establish communication. It responds to each attempt with a SYN-
ACK packet from each open port.
The malicious client either does not send the expected ACK, or—if the IP
address is spoofed—never receives the SYN-ACK in the first place. Either way,
the server under attack will wait for acknowledgement of its SYN-ACK packet for
some time.
During this time, the server cannot close down the connection by sending an
RST packet, and the connection stays open.
Before the connection can time out, another SYN packet will arrive. This leaves
an increasingly large number of connections half-open, and indeed SYN flood
attacks are also referred to as “half-open” attacks.
Eventually, as the server’s connection overflow tables fill, service to legitimate
clients will be denied, and the server may even malfunction or crash.
A normal connection between a user (Alice) and a server. The three-way handshake is
correctly performed.
SYN Flood. The attacker sends several packets but does not send the "ACK" back to
the server. The connections are hence half-opened and consuming server resources.
Alice, a legitimate user, tries to connect but the server refuses to open a connection
resulting in a denial of service.
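A toy model of the SYN flood scenario in the three captions above, added here and not part of the original notes: a server backlog of fixed capacity holds half-open connections until an ACK arrives or the entry times out, and once attacker SYNs from spoofed sources fill it, Alice's legitimate SYN is dropped until those entries expire. Capacity, timeout and addresses are constructed.

```python
# Added example (not from the original notes): a toy model of a server's
# SYN backlog showing how unacknowledged SYNs (half-open connections)
# fill it and cause Alice's legitimate handshake to be refused.
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class SynBacklog:
    """Half-open connection table with fixed capacity and an entry timeout."""

    def __init__(self, capacity: int = 4, timeout: float = 30.0) -> None:
        self.capacity, self.timeout = capacity, timeout
        self.half_open: Dict[Endpoint, float] = {}   # peer -> time SYN-ACK was sent
        self.established: Set[Endpoint] = set()
        self.dropped_syns = 0

    def _expire(self, now: float) -> None:
        for peer, t0 in list(self.half_open.items()):
            if now - t0 > self.timeout:          # server gives up waiting for the ACK
                del self.half_open[peer]

    def on_syn(self, peer: Endpoint, now: float) -> str:
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1               # backlog full: SYN silently dropped
            return "dropped"
        self.half_open[peer] = now               # server sends SYN-ACK and waits
        return "syn-ack"

    def on_ack(self, peer: Endpoint, now: float) -> str:
        if peer in self.half_open:
            del self.half_open[peer]
            self.established.add(peer)
            return "established"
        return "ignored"                         # no matching half-open entry


def run_scenario() -> Tuple[str, str, str, str, int]:
    """Constructed timeline: spoofed SYNs are never ACKed, then Alice tries to connect."""
    bl = SynBacklog(capacity=4, timeout=30.0)
    # Attacker SYNs from spoofed sources: the SYN-ACKs go to hosts that never answer.
    for i in range(6):
        bl.on_syn((f"192.0.2.{i}", 40000 + i), now=1.0 + i * 0.1)
    alice: Endpoint = ("203.0.113.10", 51515)
    alice_syn = bl.on_syn(alice, now=2.0)        # "dropped": no room left for Alice
    alice_ack = bl.on_ack(alice, now=2.1)        # "ignored": she never received a SYN-ACK
    late_syn = bl.on_syn(alice, now=40.0)        # half-open entries have timed out by now
    late_ack = bl.on_ack(alice, now=40.1)        # "established": normal handshake completes
    return alice_syn, alice_ack, late_syn, late_ack, bl.dropped_syns
```

Real TCP stacks shrink this window with larger backlogs, shorter SYN-ACK retransmission timers and SYN cookies, which avoid storing per-connection state until the ACK arrives.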
4. IP spoofing
IP address spoofing is one of the most frequently used spoofing attack methods.
In an IP address spoofing attack, an attacker sends IP packets from a false (or
“spoofed”) source address in order to disguise itself.
Denial-of-service attacks often use IP spoofing to overload networks and devices
with packets that appear to be from legitimate source IP addresses.
IP spoofing is the action of masking a computer IP address so that it looks like it
is authentic.
During this masking process, the attacker sends a malicious message carrying a
source IP address that appears to be authentic and trusted.
In IP spoofing, the spoofer discovers and then manipulates vital information
contained in the IP header, such as the source and destination addresses.
This type of attack takes place when the attacker is on the same subnet as the
victim. The sequence and acknowledgement numbers can be sniffed, eliminating
the potential difficulty of calculating them accurately.
The biggest threat of spoofing in this instance would be session hijacking. This is
accomplished by corrupting the data stream of an established connection, then
re-establishing it based on correct sequence and acknowledgement numbers
with the attack machine.
Using this technique, an attacker could effectively bypass any authentication
measures taken to establish the connection.
Blind Spoofing