Network securityPacket switchingPacketsReasons to use packet-switchingNetworking stacksOSI modelPacket encapsulation and decapsulationEncapsulationDecapsulationProtocol data unitsNetwork interfacesMAC addressesSwitchOperation of a switchCombining switchesInternet Protocol (IP)IP functionsAddressingRoutingAddressesAddress subdivisionsBroadcast addressesPrivate networksPacketsRoutingInternet Control Message Protocol (ICMP)Tools using ICMPSmurfingPreventionAddress Resolution Protocol (ARP)Caching (look-up table)FunctionalityPoisoning attacksUser Datagram Protocol (UDP)AdvantagesDisadvantagesTransmission Control Protocol (TCP)FunctionalityPacket structurePortsSYN flagEstablishing connectionsTerminating connectionsData transferSYN floodingAdvantages of SYN flooding (as an attack)Disadvantages of SYN flooding (as an attack)Forging packets (spoofing)Advantages of packet forging (as an attack)Disadvantages of packet forging (as an attack)Application layer and DNSProtocolsURLsDomain Name System (DNS)DomainsDomain nameTop-level domain (TLD)ICANNDNS treeName serversName resolutionIterative name resolutionRecursive name resolutionGlue recordsCircular referencesExampleCachingLocal DNS cacheDNS cache poisoningDNS query mechanismVulnerability to cache poisoningDefences against cache poisoningSSL/TLSPosition in the stackDifferences between SSL and TLSTLS building blocksFunctionalityBasic key exchangeForward secrecyDiffie-Hellman key exchangeProblemsFirewalls and intrusion detectionFirewall policiesExampleStateless firewallsStateful firewallsPort scanningApplication layer firewallsPersonal firewallsNetwork Address Translation (NAT)IPv4Address space exhaustionIntrusion Detection Systems (IDS)AlarmsRule-based intrusion detectionStatistical intrusion detectionNumber of alarmsResources

Network security

Communication in modern networks is characterised by the following fundamental principles:

Packet switching

Packet switching is a mode of data transmission in which a message is:

  1. Divided into a number of parts.
  2. Each part is sent independently through a network (over whatever route is optimum for each packet).
  3. Reassembled at the destination.


Figure 1: Packet switching with 3 packets. (source)

Packets

Packets typically consist of a header and a payload.

Reasons to use packet-switching

If a message is sent all at once (as one packet), an attacker would have access to the whole message if it was intercepted.

Dividing it into packets prevents this, by only allowing a single packet or division of the message (which is often useless alone) to be intercepted by the attacker.

Networking stacks

Network communication models typically use a stack of layers to divide network communications.

A network layer takes care of a specific job, and passes the data onto the next layer.


Figure 2: Linux networking stack. (source)

OSI model

The OSI model is a specific standard for network communication layering - it defines a networking framework to implement protocols in seven layers.

Most communications systems implement the OSI model in one way or another, often combining two or three layers into one.


Figure 3: OSI networking model. (source)
More information on the individual layers

Packet encapsulation and decapsulation

As packets travel through a networking stack, the protocols at each layer either add or remove fields from the basic header.

Encapsulation

When a protocol on the sending host adds data to the packet header, the process is called data encapsulation. This occurs when going down the stack, towards the physical layer.

Data that the host typically adds to the packet header includes:

Decapsulation

When a protocol on the sending host removes data from the packet header, the process is called data decapsulation. This occurs when going up the stack, towards the application layer.

Protocol data units

A protocol data unit (PDU) is a single unit of information transmitted between layers in a network stack.

In network stacks, each of the layers implement protocols tailored to the specific type of data exchange. For example:

These are all different types of PDUs, just with specific names on specific layers.


Figure 4: TCP/IP network stack.
The PDUs are displayed on the right, and change when moving between layers (encapsulation and decapsulation). (source)
More information on frames, datagrams, packets, segments and PDUs.

Network interfaces

Network interfaces are devices that connect a computer to a network. Packets are transmitted between network interfaces, and computers may have multiple network interfaces. Some examples are:

As discussed in the Protocol Data Units section, most local area networks (such as Ethernet and WiFi) broadcast frames.

MAC addresses

Most network interfaces come with a predefined MAC address. A Media Access Control (MAC) address is a 48-bit number usually represented in hexadecimal. These addresses are used in the data link layer of the OSI model.

Example: 00-1A-92-D4-BF-86

The first three octets of any MAC address are IEEE-assigned Organisationally Unique Identifiers (OUIs), which are labels that identify which organisation created the interface:

Example:

The remaining three octets of the MAC address can be assigned by organisations as they wish, with uniqueness being the only constraint.

Switch

A network switch is a computer networking device that connects devices on a network by using packet switching to receive, process and forward data to the destination device.

Operation of a switch

  1. Learn the MAC addresses of each device connected to it.
  2. Forward frames only to the destination device.


Figure 5: Operation of a network switch in a typical network. (source)

Combining switches

Switches can be combined and arranged into a tree. Each switch forwards frames for the MAC addresses of the machines in the segments (subtrees) connected to it.


Figure 6: Combining switches (tree diagram). (source)

Internet Protocol (IP)

The Internet Protocol (IP) is the principal set of digital message formats and rules for exchanging messages between devices across a single network or a series of interconnected networks, using the Internet Protocol Suite (often referred to as TCP/IP).

The IP is used as the primary protocol in the TCP/IP stack's internet layer (a subset of the OSI stack's network layer).

IP functions


Figure 7: A typical data-link frame. (source)

Addressing

In order to deliver data, IP needs to be aware of the destination of the data, and hence includes addressing systems.

Routing

IP might be required to communicate across networks, and communicate with networks not directly connected to the current network.

Addresses

An IP address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. These addresses are used in the network layer of the OSI model.

IP addresses come in two forms:

IPv6 was introduced to solve the issue of IPv4 address exhaustion (a limitation on the ~4.3 billion IPv4 addresses available).

Address subdivisions

IP addresses are divided into separate segments: network, subnet and host.

Broadcast addresses

A broadcast address is a network address at which all devices connected to a network are enabled to receive packets.

Analogy: There is often a need to send a datagram to all stations connected to the same medium, or the same link, without even knowing their own addresses. It is like shouting aloud in a room to speak to all present persons at once, without knowing their names. This is broadcasting.

Private networks

Private networks are networks which are not routed outside of a LAN.

Example:

Packets

The headers of IP packets typically include the following fields:

Routing

A router bridges two or more networks.


Figure 8: Routers bridging two networks. (source)

Routers operate at the network layer, and have two main tasks:

  1. Maintain routing tables to forward packets to the appropriate network.
  2. Forward decisions based solely on the destination address.

A routing table maps ranges of addresses to LANs or other gateway routers.

Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP) is a protocol that is used for network testing and debugging. Messages for this protocol are simple, and encapsulated in single IP packets.

ICMP is considered a network layer protocol.

Tools using ICMP

Smurfing

Smurfing is a form of Denial of Service (DoS) attack that exploits the ICMP, whereby remote hosts respond to echo packets to say they are alive (ping).

The idea behind smurfing is:

  1. Large numbers of ICMP requests are sent to the victim's IP address.
  2. The source IP address is spoofed (to make tracing the attacker harder).
  3. The hosts on the victim's network respond to the ICMP requests.
  4. This creates a significant amount of traffic on the victim's network, resulting in consumption of bandwidth and ultimately causing the victim's server to crash.


Figure 9: Typical smurf attack. (source)

Prevention

Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) is a protocol responsible for connecting the network layer and data link layer together by mapping IP addresses to physical machine addresses (MAC addresses) that are recognised in the local network.

Caching (look-up table)

Systems keep an ARP look-up table where they store information about what IP addresses are associated with what MAC addresses.

Example: Running the command arp -a displays the ARP table:

IP AddressPhysical AddressType
128.148.31.100-00-0c-07-ac-00dynamic
128.148.31.1500-0c-76-b2-d7-1ddynamic
128.148.31.7100-0c-76-b2-d0-d2dynamic

Functionality

If a source device wants to send a packet to another device:

  1. The source device checks its ARP cache (look-up table) to find if it already has a resolved MAC address that corresponds to the requested device's IP address.

    If there is a MAC address, it is used for sending the packet.

  2. If there is no record for the requested device's IP address in the ARP look-up table, the source device generates an ARP message with the following fields:

    • Sender hardware address: The source device's MAC address
    • Sender protocol address: The source device's IP address
    • Target hardware address: Blank - To be determined
    • Target protocol address: The target device's IP address
  3. The source device broadcasts the ARP message to the local network.

  4. The ARP message is received by each device on the LAN since it is a broadcast.

    Each device compares the target protocol address on the ARP message with its own IP address. Those devices which do not match these two addresses will drop the packet without any action.

  5. When the targeted device checks the target protocol address, it will find a match and will generate an ARP reply message, essentially filling in the blank target hardware address with the devices own MAC address.

  6. The ARP reply message is sent from the target device back to the source device (as a unicast message, NOT broadcast - to save network resources).

  7. The source device processes the ARP reply from the target device, and adds a new cache entry to the ARP look-up table with the new target hardware address and target protocol address.

  8. The source device will then send the requested packet to the now known target hardware address.

Poisoning attacks

An ARP poisoning attack (also known as ARP spoofing or ARP cache poisoning) is a type of attack in which a malicious man-in-the-middle sends false ARP reply messages over a local area network.

Essentially in step 5 of the ARP functionality description, although the attacker's device won't match the target protocol address, the attacker can still send back a spoofed reply message with its own MAC address, acting as if it were the intended target device.

This results in the linking of an attacker's MAC address with the IP address of a legitimate device on the network.

User Datagram Protocol (UDP)

The User Datagram Protocol (UDP) is a stateless, unreliable datagram protocol built on top of IP - that is, it lies at the transport layer of the OSI model.

Example: VoIP and streaming (audio/video) all use UDP.

Advantages

Disadvantages

Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP) is a transport layer (OSI model) protocol that enables/offers:

Example: HTTP and SSH are built on top of TCP.

Functionality

Packet structure


Figure 10: Structure of a TCP packet (160+ bits).
The blue-outlined section is the packet header. (source)

Ports

Both TCP and UDP support concurrent applications running on the same server. In order to do this, ports are used to identify where data is directed.

A port is simply represented as a 16 bit number (0-65535).

SYN flag

SYN is a binary flag field in the TCP packet header, which indicates whether a particular packet is part of a SYN exchange during the handshake.

Establishing connections

A TCP connection involves a client and server, where the server is generally a passive listener, waiting for a connection request. However, the server is just another client.

TCP connections are established through a three-way handshake, known as SYN, SYN-ACK, ACK (SSAA):

  1. The client requests a connection by sending out a SYN packet.
  2. The server responds by sending a SYN-ACK packet, acknowledging the connection.
  3. The client responds by sending an ACK packet to the server, thus establishing the connection.
Created with Raphaël 2.2.0ClientClientServerServerEstablishing aTCP connectionListening forconnection requestsWants to establisha TCP connectionSYNSeq=xAcknowledgingconnectionSYN-ACKSeq=y, Ack=x+1EstablishingconnectionACKSeq=x+1, Ack=y+1TCP connectionestablished

Terminating connections

Created with Raphaël 2.2.0ClientClientServerServerTerminating a TCP connectionFINSeq=xACKSeq=x+1FINSeq=yACKSeq=y+1TCP connection terminated

Data transfer

Data transfer with TCP works the same way as terminating connections, but replacing the FIN's with DATA's.

SYN flooding

SYN flooding is a form of TCP attack in which lots of requests (SYN packets) are sent to the victim in order to overload them.

  1. A basic three-part handshake is used to initiate a TCP connection to the victim.

  2. Many SYN packets are sent to the victim (without acknowledging any replies).

    As a result, the victim accumulates more SYN packets than they can handle.

Advantages of SYN flooding (as an attack)

Disadvantages of SYN flooding (as an attack)

Forging packets (spoofing)

TCP packet forging is another form of TCP attack, which is exactly the same as SYN flooding - except the source of the TCP packet is forged.

Advantages of packet forging (as an attack)

Disadvantages of packet forging (as an attack)

Application layer and DNS

The application layer is a layer in the OSI network model that is used for managing human-computer interactions.

This layer is typically where applications (such as web browsers) can access the network services.

Protocols

Examples of protocols that lie in the application layer are:

URLs

Uniform Resource Locators (URLs) are a standardised format for describing the location and access method of resources via the internet.

URLs are of the format:

Where:

Example:

Domain Name System (DNS)

The Domain Name System (DNS) is an application-layer protocol. The basic function of DNS is to map domain names to IP addresses—this mapping is many-to-many.

Examples:

More generally, a DNS is a distributed database that stores resource records such as:

Resource nameAbbreviationDescription
AddressAIP address associated with a host name.
Mail exchangeMXMail server of a domain.
Name serverNSAuthoritative server for a domain.

Domains

Domain name

A domain name consists of two or more labels, separated by dots.

Example: google.com, inf.ed.ac.uk

Top-level domain (TLD)

Top-level domains can be any of:

ICANN

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit corporation that:

DNS tree

TLD (e.g. ac.uk) -> Domain (e.g. ed.ac.uk) -> Resource records

Alternatively, if a domain has subdomains:

TLD (e.g. ac.uk) -> Domain (e.g. ed.ac.uk) -> Subdomain (e.g. inf.ed.ac.uk) -> Resource records (e.g. A, MX)

Name servers

A name server is a server on the internet responsible for handling queries regarding a domain name.

A name server:

An authoritative name server stores a reference version of DNS records for a zone (subtree of the DNS tree).

Example:

Name resolution

A name resolver is a program that retrieves DNS records.

A name resolver:


Figure 11: An example of iterative name resolution with the query omnisecu.com. (source)

Iterative name resolution

In iterative name resolution, when a DNS server is queried, it returns an answer without querying other DNS servers—even if it cannot provide a definite answer. This answer can be:

Recursive name resolution

In recursive name resolution, when a DNS server is queried, it will query subsequent DNS servers (on behalf of the client/requester) until a definitive answer is returned to the requester.

Note: The queries made to subsequent DNS servers from the first DNS server are iterative queries.

Glue records

A glue record is a DNS record of type A (IP address) for a name server referred to by a NS record.

This is used to break circular references.

Circular references

Sometimes the authoritative name server for a domain may be within the same domain (a subdomain).

Example: dns0.inf.ed.ac.uk is authoritative for inf.ed.ac.uk

Example

In the below table, the second record represents a glue record.

NameTypeLocation
inf.ed.ac.ukNSdns0.inf.ed.ac.uk
dns0.inf.ed.ac.ukA129.215.160.240

Caching

If a path in the DNS tree was simply traversed for each requested query, there would be too much network traffic, meaning that root servers and TLD servers would quickly become overloaded.

DNS servers cache records that are results of queries, for a specified amount of time. This amount is specified as a time-to-live field.

  1. Resolver looks in the cache for an A record of the query domain.
  2. Resolver looks in the cache for a NS record of the longest suffix of the query domain.

Local DNS cache

The local DNS cache is maintained by the operating system. This is shared among all running applications and can be displayed to all users.

This may cause privacy issues—namely:

DNS cache poisoning

DNS cache poisoning is a cyber attack that exploits DNS vulnerabilities by diverting internet traffic away from legitimate servers and towards fake ones.

The basic idea behind the attack is to give a DNS server a false address A record and get it cached.

DNS query mechanism
Vulnerability to cache poisoning

A DNS server is vulnerable to cache poisoning if its resolver:

Defences against cache poisoning

SSL/TLS

SSL and TLS are both cryptographic protocols that establish an encrypted, bidirectional network tunnel for arbitrary data to travel between two hosts through the use of public-key cryptography. These protocols are often used in conjunction with other internet protocols such as HTTPS, SSH, FTPS and secure email.

These protocols provide:

In addition to providing an encrypted channel, these protocols are also used to authenticate communicating parties. This is crucial for such applications as online transactions because a client must be sure that money is being transferred to the person or company who they claim to be.

Position in the stack

SSL and TLS lie on top of TCP/IP, and below application layer protocols (in the OSI model). In the TCP/IP stack, these protocols lie in the application layer (as seen in Figure 12).


Figure 12: TLS/SSL consists of two layers within the application layer of the TCP/IP stack. (source)

Differences between SSL and TLS

SSL is the predecessor to TLS. TLS was introduced in 1999 as a new version of SSL, and was based on SSLv3.

TLS building blocks

 ConfidentialityIntegrityAuthentication
SetupPublic-key based key-exchanged (RSA and DH)Public-key digital signature (e.g. RSA)Public-key digital signature (e.g. RSA)
Data transmissionSymmetric encryption (e.g. AES in CBC mode)Hash-based MACS (e.g. HMAC using SHA256) 

Functionality

When a connection is established between a client (typically a web browser) and a server :

  1. sends its supported cryptographic algorithms to .

  2. picks the strongest algorithms that it supports.

  3. sends its SSL/TLS certificate to .

    This certificate contains 's public encryption key.

  4. The certificate is checked by against a trusted CA. As a certificate cannot be falsified, may be certain that they are communicating with the right server.

  5. and perform a key exchange for symmetric encryption and hash-based authentication of subsequent data transfer.

  6. and exchange data bidirectionally.

Before a message is encrypted, a MAC is appended to each HTTP message. The resulting message is encrypted and sent.

This symmetric cryptosystem provides confidentiality, and the use of MAC provides integrity of the HTTP requests and responses.

Basic key exchange

The basic key exchange performed in step 5 described above used to be done with RSA:

  1. generates a public-private key pair and sends to .
  2. generates a random secret value .
  3. encrypts with public key and sends this message to .
  4. decrypts with their private key , giving , which is later used to encrypt messages.

Forward secrecy

Forward secrecy is provided by a crypto-system if a compromise of private keys in a key exchange does not break the confidentiality of past messages.

TLS with the basic key exchange described above does not provide forward secrecy.

As a result, the basic RSA key exchange is not used since an attacker can uncover the value of and use it to derive encryption keys.

Diffie-Hellman key exchange

An alternate key exchange method used that provides forward secrecy is the Diffie-Hellman key exchange.

  1. Fix a prime and generator of .
  2. generates a random and computes .
  3. generates a random and computes .
  4. and exchange and .
  5. calculates .
  6. calculates .
  7. Observe that .

Problems

Although Diffie-Hellman provides forward secrecy, it is open to an man-in-the-middle attack.

This attack can be prevented by signing and before sending them.

Note: This approach requires both and to know each other's public key.

Firewalls and intrusion detection

A firewall is a security measure designed to prevent unauthorised electronic access to a networked computer system.

Firewall policies

Firewalls prevent unauthorised access by monitoring and controlling incoming an outgoing traffic based on predetermined security rules.

These rules are called firewall policies. Based on these rules, it allows or denies traffic.

Example

RuleProtocolSource addressDestination addressDestination portAction
1TCP*192.168.1.*22Permit
2UDP*192.168.1.*69Permit
3TCP192.168.1.**80Permit
4TCP8192.168.1.1880Permit
5UDP*192.168.1.**Deny

Stateless firewalls

A stateless firewall does not maintain any remembered context (state) with respect to the packets it is processing.

Instead, it treats each packet attempting to travel through it in isolation without considering packets that it has processed previously—if a packet matches the filter's set of rules, the packet filter will drop or accept it.

Note: Stateless firewalls may have to be fairly restrictive in order to prevent most attacks.

Stateful firewalls

Stateful firewalls can tell when packets are part of legitimate sessions originating within a trusted network. They maintain a record of all connections passing through it and can determine if a packet is either:

Stateful firewalls maintain tables containing information on each active connection, including the IP addresses, ports, and sequence numbers of packets involved in a connection.

Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from the internal network.

Port scanning

A port scanner is a tool that provides information regarding open ports in a target system. An example of a port-scanning tool is nmap.

Port scanning can be a useful tool in the arsenal of an attacker, as it can identify ports which are open to attacks.

Application layer firewalls

An application layer firewall works like a proxy—it can understand certain applications and protocols, and as a result effectively simulates the effects of an application at OSI level 7.

This type of firewall acts as a protective man-in-the-middle that screens information at the application layer. It may inspect the contents of the traffic, blocking what it views as inappropriate content. For example:

Personal firewalls

A personal firewall runs on the workstation that it protects, as software. It provides basic protection—especially for home or mobile devices.

Any rootkit type software can disable the firewall.

Network Address Translation (NAT)

Network Address Translation (NAT) is a method of remapping one IP address space into another.

IPv4

IPv4 is the fourth version of the Internet Protocol. The addressing system used in this protocol is 32-bit, which limits the address space to addresses.

Address space exhaustion

There are less than 4.3 billion IPv4 addresses available. This is an issue as we do not have enough addresses for every device on the planet.

The solution to this problem is NAT, where the internal IP address of a device is different from its external IP address.

Intrusion Detection Systems (IDS)

Firewalls are used as a preventative measure. An Intrusion Detection System (IDS) can be used to detect a potential incident in progress.

At some point, some traffic must be allowed to move into and out of a network. However, most security incidents are caused by a user letting something into the network that is malicious, or being an insider threat themselves. Situations such as these cannot be prevented or anticipated in advance.

The next step is to identify that something bad is happening quickly so it can be addressed. This is when IDS comes in.

Alarms

An IDS can either sound an alarm or not, depending on whether it thinks it has detected an intrusion attack.

This leads to TP, FP, FN and TN.

Rule-based intrusion detection

In rule-based intrusion detection, a set of rules identify the types of actions that match certain known intrusion attacks. These rules encode a signature for such attacks.

BenefitsDrawbacks
High accuracy (low false positives)Admin must anticipate attack patterns in advance
 An attacker may test an attack on common signatures
 Impossible to detect a new type of attack

Statistical intrusion detection

In statistical intrusion detection, a statistical model of acceptable or normal behavior is dynamically built, and any other non-matching behaviour is flagged.

BenefitsDrawbacks
Admin does not need to anticipate potential attacksSystem needs time to warm up to new behaviour
Can detect new types of attacksLower accuracy (higher false positives)

Number of alarms

In the 2013 Target breach, the IDS did correctly identify that there was an attack on the Target network. However, there were too many alarms going off to investigate all of them in great depth.

Some cyberattack insurance policies state that if you know about an attack and do nothing, they will not cover the attack—meaning that having a noisy IDS can potentially be a liability.

Resources