
A computer network is an interconnected group of autonomous computing nodes which use a well-defined, mutually agreed set of rules and conventions known as protocols, interact with one another meaningfully, and allow resource sharing, preferably in a predictable and controllable manner. Network security is the study of methods for analysing the security requirements and needs of such systems, and of the consequent design, implementation and deployment.
Figure: Threats to Network Security

Using this model requires us to:
1. design a suitable algorithm for the security transformation
2. generate the secret information (keys) used by the algorithm
3. develop methods to distribute and share the secret information
4. specify a protocol enabling the principals to use the transformation and secret information for a security service
Disruptions are the loss or reduction in network service. Some disruptions may also be caused by or result in the destruction of data. Natural (or man-made) disasters may occur that destroy host computers or large sections of the network.

Unauthorized access is often viewed as hackers gaining access to organizational data files and resources. However, most unauthorized access incidents involve employees.
Developing a secure network means developing mechanisms that reduce or eliminate the threats to network security; these mechanisms are called controls. There are three types of controls:
Preventative controls - mitigate or stop a person from acting or an event from occurring (e.g., passwords).
Detective controls - reveal or discover unwanted events (e.g., auditing software).
Corrective controls - rectify an unwanted event or a trespass (e.g., reinitiating a network circuit).
It is not enough to just establish a series of controls; personnel need to be designated as responsible for network control and security. This includes developing controls, ensuring that they are operating effectively, and updating or replacing controls.
Controls must also be periodically reviewed to:
ensure that the control is still present (verification)
determine if the control is working as specified (testing)
Risk assessment is the process of making a network more secure by comparing each security threat with the control designed to reduce it. One way to do this is by developing a control spreadsheet: network assets are listed down the side, threats are listed across the top of the spreadsheet, and the cells of the spreadsheet list the controls that are currently in use to address each threat.
Network assets are the network components, including hardware, software and data files. The value of an asset is not simply its replacement cost; it also includes personnel time to replace the asset along with lost revenue due to the absence of the asset, for example lost sales because a web server is down. Mission-critical applications are also important assets. These are programs on an information system critical to business operations.
Asset category: examples
Hardware: servers, such as mail servers, web servers, DNS servers, DHCP servers, and LAN file servers; client computers; devices such as hubs, switches, and routers
Circuits: locally operated circuits such as LANs and backbones; contracted circuits such as MAN and WAN circuits; Internet access circuits
Network software: server operating systems and system settings; application software such as mail server and web server software
Client software: operating systems and system settings; application software such as word processors
Organizational data: databases with organizational records
Mission critical applications: for example, for an Internet bank, the Web site is mission critical
A network security threat is any potentially adverse occurrence that can harm or interrupt the systems using the network, or cause a monetary loss to an organization. Once the threats are identified they are then ranked according to their occurrence.
Preventing disruptions, destructions and disasters means addressing a variety of threats, including:
Creating network redundancy
Preventing natural disasters
Preventing theft
Preventing computer virus attacks
Preventing denial-of-service attacks
The key to preventing or reducing disruption, destruction and disaster is redundancy. Examples of components that provide redundancy include:
Uninterruptible power supplies (UPS)
Fault-tolerant servers
Disk mirroring
Disk duplexing
Redundancy can be built into other network components as well.
Disasters are different from disruptions since the entire site can be destroyed. The best solution is to have a completely redundant network that duplicates every network component, but in a different location. Generally speaking, preventing disasters is difficult. The most fundamental principle is to decentralize the network resources. Other steps depend on the type of disaster to be prevented.
Equipment theft can also be a problem if precautions against it are not taken. Industry sources indicate that about $1 billion is lost each year to theft of computers and related equipment. For this reason, security plans should include an evaluation of ways to prevent equipment theft.
Special attention must be paid to preventing viruses that attach themselves to other programs and spread when the programs are executed. Macro viruses, which attach themselves to documents and become active when the files are opened, are also common. Anti-virus software packages are available to check disks and files to ensure that they are virus-free.
Incoming e-mail messages are the most common source of viruses. Attachments to incoming e-mail should be routinely checked for viruses. The use of filtering programs that clean incoming e-mail is also becoming common.
A worm is a special type of virus that spreads itself without human intervention. Most viruses attach themselves to other programs, but a worm copies itself from computer to computer. Worms spread when they install themselves on a computer and then send copies to other computers, such as by e-mail or by using a security hole in the target computer's operating system.
One function of network monitoring software is to alert network managers to problems so that these can be corrected. Detecting minor disruptions can be more difficult. The network should also routinely log fault information to enable network managers to recognize minor service problems. In addition, there should be a clear procedure by which network users can report problems.
The goal of the disaster recovery plan (DRP) is to plan responses to possible disasters, providing for partial or complete recovery of all data, application software, network components, and physical facilities. Critical to the DRP are backup and recovery controls that enable an organization to recover its data and restart its application software should some part of the network fail. The DRP should also address what to do in a variety of situations, such as if the main database is destroyed or if the data center is destroyed.
The disaster recovery plan should include:
Names of responsible individuals
Staff assignments and responsibilities
List of priorities of fix-firsts
Location of alternative facilities
Recovery procedures for data communications facilities, servers and application systems
Actions to be taken under various contingencies
Manual processes
Updating and testing procedures
Safe storage of data, software and the disaster recovery plan itself
Most large organizations have a two-level disaster recovery plan.
Level 1: when they build networks they build enough capacity and have enough spare equipment to recover from a minor disaster, such as loss of a major server or a portion of the network.
Level 2: most large organizations rely on professional disaster recovery firms to provide second-level support for major disasters.
Many large organizations outsource their disaster recovery efforts to disaster recovery firms. Disaster recovery firms offer a range of services, from secure storage for backups to a complete networked data center that clients can use should their network be destroyed by some disaster. Full services are not cheap, but may be worthwhile when millions of dollars of lost revenue may be at stake.
Encryption
Decryption
Encryption in network

Conceptually, each host has a peer at each layer, and peers communicate with peers at the same layer.
Link and End-to-End Protocols
Let hosts C0, ..., Cn be such that Ci and Ci+1 are directly connected, for 0 ≤ i < n. A communications protocol that has C0 and Cn as its endpoints is called an end-to-end protocol. A communications protocol that has Cj and Cj+1 as its endpoints is called a link protocol.
The difference between an end-to-end protocol and a link protocol is that the intermediate hosts play no part in an end-to-end protocol other than forwarding messages, whereas a link protocol describes how each pair of intermediate hosts processes each message.
Link Encryption:
Each host enciphers the message so that the next hop can read it, i.e. intermediate hosts can read the message. For example, in the PPP Encryption Control Protocol a host gets a message, deciphers it, figures out where to forward it, enciphers it in the appropriate key and forwards it. Here each host shares a key with its neighbor, and keys can be set on a per-host or per-host-pair basis. Link encryption can protect the headers of packets, and it is possible to hide the source and destination, but the source can be deduced from traffic flows.
End-to-End Encryption:
The host enciphers the message so that the host at the other end of the communication can read it, i.e. the message cannot be read at intermediate hosts. An example is the TELNET protocol, where messages between client and server are enciphered and encipherment and decipherment occur only at these hosts. In this approach each host shares a key with the destination, and keys can be set on a per-host or per-host-pair basis. This approach cannot hide packet headers, and an attacker can read the source and destination.
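To make the two approaches concrete, here is an added simulation (not code from these notes) of a packet travelling C0 -> C1 -> C2 -> C3 under link encryption and under end-to-end encryption. It assumes a toy keystream cipher built from HMAC-SHA256, constructed per-link and end-to-end keys, and a header "src=...;dst=...;" that the forwarding hosts need to read.

```python
# Added illustration, not code from the original notes: link encryption versus
# end-to-end encryption along the path C0 -> C1 -> C2 -> C3. The "cipher" is a
# keystream XOR derived from HMAC-SHA256 so the script needs only the standard
# library; it stands in for a real link or end-to-end cipher and is NOT secure.
import hashlib
import hmac

NONCE = b"pkt-0001"  # constructed per-packet value; a real protocol derives one per message


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, NONCE || counter) blocks.
    Applying it twice with the same key restores the plaintext."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, NONCE + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def link_encryption(path, link_keys, header: bytes, payload: bytes):
    """Link encryption: C0 enciphers header+payload under the key shared with C1;
    every hop deciphers, reads the packet to decide where to forward it, and
    re-enciphers under the key it shares with the next hop.
    Returns (what each hop sees in clear, what is observable on each link)."""
    visible, on_wire = {}, {}
    wire = keystream_xor(link_keys[(path[0], path[1])], header + payload)
    on_wire[(path[0], path[1])] = wire
    for i in range(1, len(path)):
        prev, here = path[i - 1], path[i]
        clear = keystream_xor(link_keys[(prev, here)], wire)        # decipher at this hop
        visible[here] = (clear[:len(header)], clear[len(header):])  # header AND payload readable
        if i + 1 < len(path):                                       # re-encipher for next hop
            wire = keystream_xor(link_keys[(here, path[i + 1])], clear)
            on_wire[(here, path[i + 1])] = wire
    return visible, on_wire


def end_to_end_encryption(path, e2e_key, header: bytes, payload: bytes):
    """End-to-end encryption: only C0 and Cn hold the key. The header stays in
    clear so intermediate hosts can forward; the payload is opaque to them."""
    visible, on_wire = {}, {}
    body = keystream_xor(e2e_key, payload)
    for i in range(1, len(path)):
        on_wire[(path[i - 1], path[i])] = header + body
        visible[path[i]] = (header, body)                # header readable, payload ciphertext
    visible[path[-1]] = (header, keystream_xor(e2e_key, body))  # only the destination deciphers
    return visible, on_wire


# Constructed sample path, keys and packet.
PATH = ["C0", "C1", "C2", "C3"]
LINK_KEYS = {("C0", "C1"): b"key-01", ("C1", "C2"): b"key-12", ("C2", "C3"): b"key-23"}
E2E_KEY = b"key-03"
HEADER = b"src=C0;dst=C3;"
PAYLOAD = b"USER alice PASS hunter2"


def compare():
    """Which hops can read the payload, and whether the header is visible on any link."""
    link_vis, link_wire = link_encryption(PATH, LINK_KEYS, HEADER, PAYLOAD)
    e2e_vis, e2e_wire = end_to_end_encryption(PATH, E2E_KEY, HEADER, PAYLOAD)
    return {
        "link_hops_reading_payload": [h for h, (_, p) in link_vis.items() if p == PAYLOAD],
        "e2e_hops_reading_payload": [h for h, (_, p) in e2e_vis.items() if p == PAYLOAD],
        "link_header_on_wire": any(HEADER in w for w in link_wire.values()),
        "e2e_header_on_wire": any(HEADER in w for w in e2e_wire.values()),
    }


if __name__ == "__main__":
    print(compare())
```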
The function of a strong position is to make
the forces holding it practically
unassailable
On War, Carl Von Clausewitz
We have seen the evolution of information systems; now everyone wants to be on the Internet and to interconnect networks. This has persistent security concerns: one can't easily secure every system in an organisation, so typically a firewall is used to provide perimeter defence as part of a comprehensive security strategy.
A firewall is a choke point of control and monitoring. It interconnects networks with differing trust and imposes restrictions on network services, so that only authorized traffic is allowed. It audits and controls access, can implement alarms for abnormal behavior, provides NAT and usage monitoring, and can implement VPNs using IPSec. It must itself be immune to penetration.
Firewall limitations:
cannot protect from attacks bypassing it, e.g. sneaker net, utility modems, trusted organisations, trusted services (e.g. SSL/SSH)
cannot protect against internal threats, e.g. disgruntled or colluding employees
cannot protect against transfer of all virus-infected programs or files, because of the huge range of O/S and file types
Packet-filtering firewall:
simplest, fastest firewall component; the foundation of any firewall system
examines each IP packet (no context) and permits or denies it according to rules, hence restricts access to services (ports)
possible default policies: that which is not expressly permitted is prohibited; that which is not expressly prohibited is permitted
Attacks on packet filters:
IP address spoofing: a fake source address is used to be trusted; add filters on the router to block it
source routing attacks: the attacker sets a route other than the default; block source-routed packets
tiny fragment attacks: header information is split over several tiny packets; either discard or reassemble before checking
Traditional packet filters do not examine higher-layer context, i.e. matching return packets with an outgoing flow. Stateful packet filters address this need: they examine each IP packet in context, keep track of client-server sessions, and check that each packet validly belongs to one, hence are better able to detect bogus packets out of context.
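The following added example (not from these notes) implements the packet-filter behaviour just described: both default policies, the three attacks listed (spoofed internal source, source routing, tiny first fragment) and the stateful session table that lets a reply in while rejecting a "reply" with no outgoing flow. It assumes a constructed 10.0.0.0/8 internal side and 203.0.113.0/24 (TEST-NET-3) as the outside.

```python
# Added illustration (not from the original notes): a minimal packet filter with
# default-deny / default-permit policies, the three filter attacks (spoofed source,
# source routing, tiny fragments) and stateful reply matching. Addresses are
# constructed: 10.0.0.0/8 is internal, 203.0.113.0/24 (TEST-NET-3) plays the Internet.
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MIN_FIRST_FRAGMENT = 20   # bytes of transport data a first fragment must carry to expose the ports


@dataclass(frozen=True)
class Packet:
    iface: str            # arrival interface: "internal" or "external"
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    source_routed: bool = False   # IP source-route option present
    frag_offset: int = 0          # 0 = first (or only) fragment
    frag_len: int = 1500          # bytes of transport data in this fragment


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "outbound" (from internal) or "inbound"
    proto: str                   # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


class PacketFilter:
    def __init__(self, rules, default="deny", stateful=True):
        self.rules = list(rules)
        self.default = default      # "deny": not expressly permitted is prohibited
        self.stateful = stateful
        self.sessions = set()       # 5-tuples of flows an internal client opened

    def evaluate(self, pkt: Packet) -> str:
        direction = "outbound" if pkt.iface == "internal" else "inbound"
        # Defences against the attacks a bare packet filter faces.
        if direction == "inbound" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
            return "deny:spoofed-source"       # internal address arriving from outside
        if pkt.source_routed:
            return "deny:source-routed"
        if pkt.frag_offset == 0 and pkt.frag_len < MIN_FIRST_FRAGMENT:
            return "deny:tiny-fragment"        # ports would be pushed into a later fragment
        # Stateful step: an inbound packet reversing a tracked outgoing flow is a reply.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if self.stateful and direction == "inbound":
            if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
                return "permit:established"
        # Stateless rule match, first match wins.
        for r in self.rules:
            if (r.direction == direction and r.proto in ("any", pkt.proto)
                    and (r.dport is None or r.dport == pkt.dport)):
                if r.action == "permit" and self.stateful and direction == "outbound":
                    self.sessions.add(key)     # remember the flow so its replies get in
                return f"{r.action}:rule"
        return f"{self.default}:default"


# Constructed policy: internal hosts may browse (TCP/80) and resolve names (UDP/53).
POLICY = [Rule("permit", "outbound", "tcp", 80), Rule("permit", "outbound", "udp", 53)]


def run_scenario(stateful=True, default="deny"):
    """Six constructed packets; returns the filter's verdict for each in order."""
    fw = PacketFilter(POLICY, default=default, stateful=stateful)
    out = Packet("internal", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("external", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000)
    bogus = Packet("external", "tcp", "203.0.113.10", 80, "10.0.0.5", 40001)  # no such flow
    spoof = Packet("external", "tcp", "10.0.0.9", 1234, "10.0.0.5", 22)
    srcrt = Packet("internal", "tcp", "10.0.0.5", 40002, "203.0.113.10", 80, source_routed=True)
    tiny = Packet("external", "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, frag_len=8)
    return [fw.evaluate(p) for p in (out, reply, bogus, spoof, srcrt, tiny)]
```

With a stateless filter and the permissive default, the same unsolicited "reply" is admitted, which is exactly the out-of-context packet a stateful filter rejects.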
Application-level gateway:
has an application-specific gateway / proxy with full access to the protocol
the user requests a service from the proxy; the proxy validates the request as legal, then actions the request and returns the result to the user
can log / audit traffic at the application level
needs separate proxies for each service; some services naturally support proxying, others are more problematic
Circuit-level gateway:
relays two TCP connections and imposes security by limiting which such connections are allowed
once created, usually relays traffic without examining contents
typically used when internal users are trusted, by allowing general outbound connections
SOCKS is commonly used
Bastion host:
a highly secure host system that runs circuit / application level gateways or provides externally accessible services
potentially exposed to "hostile" elements, hence is secured to withstand this: hardened O/S, only essential services, extra authentication
proxies are small, secure, independent and non-privileged
may support 2 or more net connections, and may be trusted to enforce the policy of trusted separation between these net connections
Proxy server:
Part of an overall firewall strategy; sits between the local network and the external network.
Originally used primarily as a caching strategy to minimize outgoing URL requests and increase perceived browser performance. Its primary mission is now to ensure the anonymity of internal users; it is still used for caching of frequently requested files, and also for content filtering.
Acts as a go-between, submitting your requests to the external network: requests are translated from your IP address to the proxy's IP address, and e-mail addresses of internal users are removed from request headers.
Causes an actual break in the flow of communications: it terminates the TCP connection before relaying to the target host (in and out).

Benefits of a proxy:
Hides internal clients from the external network
Blocks dangerous URLs
Filters dangerous content
Checks consistency of retrieved content
Eliminates the need for transport layer routing between networks
Single point of access, control and logging
Both the outgoing and incoming TCP connections are terminated; this prevents a hacker from hijacking a stale connection on a service that is being proxied. Example: an HTTP page request.

Figure: HTTP page request through a proxy. User -> request packet -> Proxy -> request packet -> Server; the server's response packet returns to the proxy, which sends the response to the user. The user's connection is left open until the proxy closes it after receiving the response packet and sending it back to the user; the proxy's connection to the server is only left open until the server closes the connection after sending the response packet.
Transport layer packets don't need to be routed, because the entire request must be regenerated. This prevents transport layer exploits: source routing, fragmentation, and several DoS attacks. Since some protocols don't have proxies available, many admins will enable routing, which removes any benefit gained. Most good proxy servers will allow you to create generic proxies using SOCKS or the redir utility.
Caching: by keeping local copies of frequently accessed files, the proxy can serve those files back to a requesting browser without going to the external site each time; this dramatically improves the performance seen by the end user. It only makes sense to implement this at the ISP rather than the small-business level, because of the number of pages available. Because of dynamic content, many pages are invalidated in the cache right away.
Load balancing: a proxy can be used in the reverse direction to balance the load amongst a set of identical servers (servers inside the firewall and users outside). Used especially with dynamic web content (.asp, .php, .cfm, .jsp).
Drawbacks of proxies:
Single point of failure: if the proxy dies, no one can get to the external network
Client software must usually be designed to use a proxy
Proxies must exist for each service
Doesn't protect the OS: proxies run at the application level
Usually optimized for performance rather than security: WINGATE was installed to be easy to configure and opened a winsock proxy to the external interface, which let hackers essentially hijack the machine
Creates a service bottleneck, solved via parallelism (more proxies, and load balancing)
Transparent: both parties (local/remote) are unaware that the connection is being proxied. Zorp, an application layer proxy, is transparent.
Opaque: the local party must configure client software to use the proxy; client software must be proxy-aware software. Netscape proxy server is opaque.
With all of the things modern firewalls can do in the area of redirection, you could configure the firewall to redirect all HTTP requests to a proxy, with no user configuration required (transparent).
Since some protocols require a real connection between the client and server, a regular proxy can't be used: Windows Media Player, Internet Relay Chat (IRC), or Telnet. Circuit-level proxy servers were devised to simplify matters. Instead of operating at the Application layer, they work as a "shim" between the Application layer and the Transport layer, monitoring TCP handshaking between packets from trusted clients or servers to untrusted hosts, and vice versa. The proxy server is still an intermediary between the two parties, but this time it establishes a virtual circuit between them.
By using SOCKS (RFC 1928) this can be done. SOCKS defines a cross-platform standard for accessing circuit-level proxies. SOCKS Version 5 also supports both username/password (RFC 1929) and API-based (RFC 1961) authentication. It also supports both public and private key encryption. SOCKS 5 is capable of solving this problem by establishing TCP connections and then using these to relay UDP data.
SOCKS (RFC 1928) is not a true application layer proxy. The SOCKS protocol provides a framework for developing secure communications by easily integrating other security technologies. SOCKS includes two components: the SOCKS server, implemented at the application layer, and the SOCKS client, implemented between the application and transport layers. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of a SOCKS server, without requiring direct IP-reachability. It copies packet payloads through the proxy.
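As an added example (not code from these notes and not a production SOCKS implementation), the bytes of the SOCKS5 exchange from RFC 1928 and the RFC 1929 username/password sub-negotiation, together with a toy server-side ruleset decision, which is all a circuit-level gateway does before relaying bytes unexamined. Hosts, ports and credentials are constructed.

```python
# Added example (not from the notes, not a production SOCKS implementation):
# the RFC 1928 SOCKS5 byte exchange (method negotiation, CONNECT request and
# reply), the RFC 1929 username/password sub-negotiation, and a toy server
# ruleset decision; constructed hosts/ports only.
import ipaddress
import struct

VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02
REPLY_TEXT = {0x00: "succeeded", 0x01: "general SOCKS server failure", 0x02: "connection not allowed by ruleset",
              0x03: "network unreachable", 0x04: "host unreachable", 0x05: "connection refused",
              0x06: "TTL expired", 0x07: "command not supported", 0x08: "address type not supported"}

def build_greeting(methods):
    """Client -> server: VER | NMETHODS | METHODS."""
    return bytes([VER, len(methods), *methods])

def parse_method_selection(data: bytes) -> int:
    """Server -> client: VER | METHOD; 0xFF means no method fits and the client must close."""
    if data[0] != VER or data[1] == NO_ACCEPTABLE:
        raise ValueError("no acceptable authentication method")
    return data[1]

def build_userpass(username: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER(0x01) | ULEN | UNAME | PLEN | PASSWD."""
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("username and password are limited to 255 bytes each")
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def encode_address(host: str) -> bytes:
    """ATYP | DST.ADDR. A domain name is sent unresolved so the proxy resolves it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode()
        if len(name) > 255:
            raise ValueError("domain name too long")
        return bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed

def decode_address(data: bytes, pos: int):
    """Inverse of encode_address; returns (host, position just after the address)."""
    atyp = data[pos]
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(data[pos + 1:pos + 5])), pos + 5
    if atyp == ATYP_DOMAIN:
        n = data[pos + 1]
        return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(data[pos + 1:pos + 17])), pos + 17
    raise ValueError("unknown address type")

def build_connect(host: str, port: int) -> bytes:
    """Client -> server: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host) + struct.pack("!H", port)

def server_decide(request: bytes, allowed_ports) -> bytes:
    """Toy ruleset: only CONNECT to an allowed port succeeds. A real server would then open
    the TCP circuit and report its bound address; 0.0.0.0:0 stands in for that here."""
    if request[0] != VER or request[1] != CMD_CONNECT:
        raise ValueError("only SOCKS5 CONNECT is handled in this example")
    _host, pos = decode_address(request, 3)
    port = struct.unpack("!H", request[pos:pos + 2])[0]
    rep = REP_SUCCESS if port in allowed_ports else REP_NOT_ALLOWED
    return bytes([VER, rep, 0x00, ATYP_IPV4]) + bytes(6)

def parse_reply(data: bytes):
    """Server -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT; raises on failure."""
    if data[0] != VER:
        raise ValueError("bad SOCKS version")
    if data[1] != REP_SUCCESS:
        raise ValueError(REPLY_TEXT.get(data[1], "unknown reply"))
    host, pos = decode_address(data, 3)
    return host, struct.unpack("!H", data[pos:pos + 2])[0]
```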
Securing a proxy server:
Use a real firewall
Disable routing
Secure the base operating system (harden the OS)
Disable external access
Disable unneeded services

Fig. Typical network design using firewalls.
In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

Figure: Internet - Firewall - DMZ (web server, email server, web proxy, etc.) - Firewall - Intranet
A DMZ is used by a company to host its own Internet services without exposing its private network to unauthorized access. It sits between the Internet and the internal network as a line of defense, usually some combination of firewalls and bastion hosts. Traffic originating from it should be filtered.

Figure: The Internet - firewall set up to protect your web server - DMZ (your web server) - firewall set up to protect your LAN - your production LAN
A DMZ typically contains devices accessible to Internet traffic: Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. It is an optional, more secure approach to a simple firewall, and may include a proxy server.
A DMZ is a standard way to configure multiple firewalls for a single organization, used when the organization runs machines with different openness needs and security requirements. Basically, you use firewalls to divide your network into segments: you can customize firewalls for different purposes, customize traffic analysis in different areas of the network, and keep inherently less safe traffic away from critical resources.
Things in the DMZ aren't well protected; if they're compromised, they provide a foothold into your network, and one problem in the DMZ might compromise all machines there. It is vital that the main network doesn't treat machines in the DMZ as trusted, and back doors from the DMZ to the network must be avoided.

Figure: Intrusion Detection System
If a secret piece of news is divulged by a
spy before the time is ripe, he must be
put to death, together with the man to
whom the secret was told.
The Art of War, Sun Tzu
IP Security (IPSec):
We have a range of application-specific security mechanisms, e.g. S/MIME, PGP, Kerberos, SSL/HTTPS. However, there are security concerns that cut across protocol layers, and we would like security implemented by the network for all applications. IPSec provides general IP security mechanisms: authentication, confidentiality and key management, applicable to use over LANs, across public and private WANs, and for the Internet.
IPSec uses:
Secure branch office connectivity over the Internet
Secure remote access over the Internet
Establishing extranet and intranet connectivity with partners
Enhancing electronic commerce security
Benefits of IPSec:
in a firewall/router it provides strong security to all traffic crossing the perimeter
in a firewall/router it is resistant to bypass
it is below the transport layer, hence transparent to applications
it can be transparent to end users
it can provide security for individual users
it secures the routing architecture
The IPSec specification is quite complex, defined in numerous RFCs, incl. RFC 2401/2402/2406/2408 and many others, grouped by category. IPSec is mandatory in IPv6 and optional in IPv4. It has two security header extensions: Authentication Header (AH) and Encapsulating Security Payload (ESP).
IPSec services:
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality
Security Association (SA): a one-way relationship between sender and receiver that affords security for traffic flow, defined by 3 parameters: Security Parameters Index (SPI), IP Destination Address, Security Protocol Identifier. It has a number of other parameters (seq no, AH & EH info, lifetime etc.). Hosts keep a database of Security Associations.
Authentication Header (AH): provides support for data integrity and authentication of IP packets. An end system/router can authenticate the user/app. It prevents address spoofing attacks by tracking sequence numbers. It is based on the use of a MAC, HMAC-MD5-96 or HMAC-SHA-1-96, so the parties must share a secret key.
Authentication Header provides authentication, integrity, and anti-replay protection for the entire packet. It does not provide confidentiality. Integrity and authentication are provided by the placement of the AH header between the IP header and the IP payload.

Figure (AH transport mode): IP Header | Authentication Header | IP Payload

AH signs the entire packet for integrity, with the exception of some fields in the IP header which might change in transit (for example, the Time to Live and Type of Service fields).

Figure: IP Header | Authentication Header | IP Payload, with the whole packet signed by AH
ESP provides confidentiality for the IP payload. ESP in transport mode does not sign the entire packet; only the IP payload is protected. ESP can be used alone or in combination with AH.

Figure (ESP transport mode): IP Header | ESP Header | IP Payload | ESP Trailer | ESP Auth Trailer; the IP payload and ESP trailer are encrypted, and the packet is signed by the ESP Auth Trailer.

Tunnel mode provides protection to the entire IP packet. IPSec encrypts the IP header and the payload: an entire IP packet is encapsulated with an AH or ESP header and an additional IP header.
Figure (AH tunnel mode): New IP Header | AH Header | Original IP Header | Payload; the whole packet is signed by the Authentication Header.

AH tunnel mode encapsulates an IP packet with an AH and IP header and signs the entire packet for integrity and authentication. [4]
Figure (ESP tunnel mode): New IP Header | ESP Header | Original IP Header | Payload | ESP Trailer | ESP Auth Trailer; the original IP packet and ESP trailer are encrypted, and the packet is signed by the ESP Auth Trailer.

Because a new header for tunneling is added to the packet, everything that comes after the ESP header is signed. The entire packet is appended with an ESP trailer before encryption occurs.

Figure: Transport mode versus tunnel mode between two routers, showing the secure and insecure portions of the path.
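The following added example (not from these notes, not a real IPsec stack) shows what "AH signs the entire packet except the mutable fields" means in bytes: it builds an AH transport-mode IPv4 packet with HMAC-SHA-1-96, zeroes TOS, flags/fragment offset, TTL and checksum before computing the ICV so that a router decrementing the TTL does not break verification, and adds the anti-replay window that makes the sequence number useful. Key, SPI and addresses are constructed.

```python
# Added illustration (not from the notes, not a real IPsec implementation): AH
# transport mode over IPv4 with HMAC-SHA-1-96, mutable-field zeroing (RFC 2402)
# and an RFC 2401 style anti-replay window. Key and addresses are constructed.
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12           # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits
AH_PROTO = 51
AH_LEN = 12 + ICV_LEN  # fixed AH fields + ICV = 24 bytes

def ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, tos: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header carrying AH. The header checksum is left 0:
    it is mutable in transit and zeroed for the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                       ttl, AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def zero_mutable(ip_hdr: bytes) -> bytes:
    """Fields that routers may change are zeroed before the ICV is computed."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # Type of Service
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # Time to Live
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_fields(next_header: int, spi: int, seq: int) -> bytes:
    """Next Header | Payload Len (32-bit words minus 2) | Reserved | SPI | Sequence Number."""
    return struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)

def compute_icv(key: bytes, ip_hdr: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    # The ICV field itself counts as zero while the MAC runs over the whole packet.
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(key, src, dst, payload, spi, seq, next_header=6, ttl=64):
    ip_hdr = ipv4_header(src, dst, AH_LEN + len(payload), ttl=ttl)
    ah = ah_fields(next_header, spi, seq)
    return ip_hdr + ah + compute_icv(key, ip_hdr, ah, payload) + payload

def verify_ah_packet(key, packet):
    """Returns (icv_ok, spi, seq). A receiver finds the key via the SPI in its SA database."""
    ip_hdr, ah, payload = packet[:20], packet[20:20 + AH_LEN], packet[20 + AH_LEN:]
    spi, seq = struct.unpack("!II", ah[4:12])
    expected = compute_icv(key, ip_hdr, ah[:12], payload)
    return hmac.compare_digest(ah[12:], expected), spi, seq

def forward_through_router(packet: bytes) -> bytes:
    """Simulate one hop: decrement the TTL (byte 8). Checksum would change too; left 0 here."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)

class ReplayWindow:
    """Anti-replay window: bit 0 of the bitmap is the highest sequence number seen."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # new high: slide the window forward
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or self.bitmap & (1 << offset):
            return False                      # too old, or already received (replay)
        self.bitmap |= 1 << offset
        return True
```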
A virtual private network (VPN) is a computer network that is constructed by using public networks or wires, such as the Internet, to allow remote offices or individual users to get secure access to their organization's network.
Virtual: it is not a physically distinct network.
Private: tunnels are encrypted to provide confidentiality.
This network uses encryption and other security mechanisms to ensure that only authorized users are able to participate in the communications and that the data cannot be intercepted. It aims to avoid an expensive system of privately owned or leased lines that can be used by only one organization. The use of a public network, usually the Internet, to connect securely to a private network is the basis of a VPN.
It encapsulates data transfers using a secure cryptographic method between two or more networked devices which are not on the same private network, so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.
Client-server architecture:
Securely connected tunnel
Virtual network between client and server
Data is transferred in encrypted form
Need a VPN client to connect to the VPN server
TCP: Port 80, client IP is changed
UDP: Port 53, client IP is changed
ICMP: Port 1, client IP is changed
DNS: client IP remains the same but DNS is changed

Bad networking or wiring
Firewall block (port block): TCP, UDP, ICMP, DNS
Multilevel security:
Information security is increasingly important. Information has varying degrees of sensitivity, cf. military information classifications: confidential, secret etc. Subjects (people or programs) have varying rights of access to objects (information); this is known as multilevel security. Subjects have a maximum and a current security level; objects have a fixed security level classification. We want to consider ways of increasing confidence in systems to enforce these rights.
One of the most famous security models is implemented as mandatory policies on the system. It has two key policies:
no read up (simple security property): a subject can only read/write an object if the current security level of the subject dominates (>=) the classification of the object
no write down (*-property): a subject can only append/write to an object if the current security level of the subject is dominated by (<=) the classification of the object
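The two properties above (the simple security property and the *-property of the Bell-LaPadula model) as an added example, not code from these notes: a reference-monitor style check over a constructed linear set of classifications, with the subject's current level allowed to float below its maximum so that it can write to lower-classified objects only by lowering itself first.

```python
# Added illustration (not from the notes): mandatory access decisions under the
# simple security property (no read up) and the *-property (no write down), over
# a constructed lattice of four classification levels.
from dataclasses import dataclass

LEVELS = ["unclassified", "confidential", "secret", "top secret"]  # constructed, low to high


def dominates(a: str, b: str) -> bool:
    """a dominates b when a's level is at least b's level."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass
class Subject:
    name: str
    max_level: str      # clearance
    current_level: str  # may be lowered for a session, never above max_level


@dataclass
class Object:
    name: str
    classification: str  # fixed for the object's lifetime


def set_current_level(s: Subject, level: str) -> None:
    """A subject may lower (or restore) its current level, never exceed its maximum."""
    if not dominates(s.max_level, level):
        raise ValueError(f"{s.name} is not cleared for {level}")
    s.current_level = level


def can_read(s: Subject, o: Object) -> bool:
    """Simple security property: subject's current level must dominate the object's classification."""
    return dominates(s.current_level, o.classification)


def can_write(s: Subject, o: Object) -> bool:
    """*-property: the object's classification must dominate the subject's current level."""
    return dominates(o.classification, s.current_level)


def check(s: Subject, o: Object, op: str) -> str:
    """Reference-monitor style decision with the rule that decided it, in audit-log form."""
    if op == "read":
        ok, rule = can_read(s, o), "simple security property"
    elif op in ("write", "append"):
        ok, rule = can_write(s, o), "*-property"
    else:
        raise ValueError(f"unknown operation {op}")
    verdict = "GRANT" if ok else "DENY"
    return f"{verdict} {s.name}({s.current_level}) {op} {o.name}({o.classification}) [{rule}]"


def audit(s: Subject, objects, ops=("read", "write")):
    """Enumerate every decision the monitor would make for this subject."""
    return [check(s, o, op) for o in objects for op in ops]
```

Note that a subject at exactly the object's level passes both rules, so it can read and write that object; the model only blocks flows between different levels.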
