
Reference:

https://www.tutorialspoint.com/network_security/network_security_quick_guide.htm

Security Mechanisms at Networking Layers


Several security mechanisms have been developed so that each can be deployed at a
specific layer of the OSI network layer model.

 Security at Application Layer − Security measures used at this layer are
application specific. Different types of applications need separate security
measures. In order to ensure application layer security, the applications themselves
need to be modified.

Designing a cryptographically sound application protocol is considered very
difficult, and implementing it properly is even more challenging. Hence,
application layer security mechanisms for protecting network communications should
preferably be limited to standards-based solutions that have been in use for some
time.

An example of an application layer security protocol is Secure Multipurpose Internet
Mail Extensions (S/MIME), which is commonly used to encrypt e-mail messages.
DNSSEC is another protocol at this layer, used for secure exchange of DNS query
messages.

 Security at Transport Layer − Security measures at this layer can be used to
protect the data in a single communication session between two hosts. The most
common use for transport layer security protocols is protecting HTTP and FTP
session traffic. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
are the most common protocols used for this purpose.

 Network Layer − Security measures at this layer can be applied to all
applications; thus, they are not application-specific. All network communications
between two hosts or networks can be protected at this layer without modifying
any application. In some environments, a network layer security protocol such as
Internet Protocol Security (IPsec) provides a much better solution than transport
or application layer controls because of the difficulties in adding controls to
individual applications. However, security protocols at this layer provide less
communication flexibility, which may be required by some applications.

Incidentally, a security mechanism designed to operate at a higher layer
cannot provide protection for data at lower layers, because the lower layers
perform functions of which the higher layers are not aware. Hence, it may be
necessary to deploy multiple security mechanisms to enhance network
security.

Secure Sockets Layer (SSL)

SSL is specific to TCP and does not work with UDP. SSL provides an Application
Programming Interface (API) to applications. C and Java SSL libraries/classes
are readily available.

The SSL protocol is designed to interwork between the application and transport layers,
as shown in the following image −

Salient Features of SSL

The salient features of the SSL protocol are as follows −

 SSL provides network connection security through −

o Confidentiality − Information is exchanged in an encrypted form.

o Authentication − Communicating entities identify each other through the
use of digital certificates. Web-server authentication is mandatory whereas
client authentication is kept optional.

o Reliability − Maintains message integrity checks.

 SSL is available for all TCP applications.

 Supported by almost all web browsers.

 Provides ease in doing business with new online entities.

 Developed primarily for Web e-commerce.

Three SSL related protocol components are −

o SSL Handshake Protocol

o Change Cipher Spec Protocol

o Alert Protocol.

 These three protocols manage all of SSL message exchanges and are discussed
later in this section.

 SSL Handshake Protocol

o It is the most complex part of SSL. It is invoked before any application data
is transmitted. It creates SSL sessions between the client and the server.

o Establishment of a session involves server authentication, key and algorithm
negotiation, establishing keys and client authentication (optional).

o A session is identified by a unique set of cryptographic security parameters.

o Multiple secure TCP connections between a client and a server can share
the same session.

o The Handshake protocol proceeds through four phases. These are discussed in
the next section.

 ChangeCipherSpec Protocol

o It is the simplest part of the SSL protocol. It consists of a single message exchanged
between the two communicating entities, the client and the server.

o As each entity sends the ChangeCipherSpec message, it changes its side
of the connection into the secure state as agreed upon.

o The cipher parameters pending state is copied into the current state.

o Exchange of this message indicates that all future data exchanges are encrypted
and integrity protected.

 SSL Alert Protocol

o This protocol is used to report errors – such as an unexpected message, a bad
record MAC, failed negotiation of security parameters, etc.

o It is also used for other purposes – such as to notify closure of the TCP
connection, to notify receipt of a bad or unknown certificate, etc.

Establishment of SSL Session

As discussed above, there are four phases of SSL session establishment.
These are mainly handled by the SSL Handshake protocol.

Phase 1 − Establishing security capabilities.

 This phase consists of the exchange of two messages – Client_hello and Server_hello.

 Client_hello contains a list of the cryptographic algorithms supported by the client, in
decreasing order of preference.

 Server_hello contains the selected Cipher Specification (CipherSpec) and a
new session_id.

 The CipherSpec contains fields like −

o Cipher Algorithm (DES, 3DES, RC2, and RC4)

o MAC Algorithm (based on MD5, SHA-1)

o Public-key algorithm (RSA)

 Both messages carry a “nonce” to prevent replay attacks.

Phase 2 − Server authentication and key exchange.

 Server sends its certificate. Client software comes configured with the public keys of
various “trusted” organizations (CAs) to check the certificate.

 Server sends chosen cipher suite.

 Server may request client certificate. Usually it is not done.

 Server indicates end of Server_hello.

Phase 3 − Client authentication and key exchange.

 Client sends its certificate, only if requested by the server.

 It also sends the Pre-master Secret (PMS) encrypted with the server’s public key.

 Client also sends a Certificate_verify message if it has sent a certificate, to prove
that it holds the private key associated with that certificate. Basically, the client signs
a hash of the previous messages.

Phase 4 − Finish.

 Client and server send Change_cipher_spec messages to each other to cause the
pending cipher state to be copied into the current state.

 From now on, all data is encrypted and integrity protected.

 The “Finished” message from each end verifies that the key exchange and
authentication processes were successful.

All four phases discussed above happen within the TCP session: SSL session
establishment starts after the TCP SYN/SYN-ACK exchange and finishes before
the TCP FIN.
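The four phases as a runnable model, an example added here rather than taken from these notes or the referenced tutorial: the server picks the cipher by the client's preference order, the master secret is bound to both nonces, and each side's Finished is a MAC over its own copy of the transcript, so a message altered in flight (modelled as an on-path downgrade of the client's cipher list) makes the two Finished values disagree. The RSA wrapping of the pre-master secret is not performed; the PMS is carried as a random secret, and all cipher names and certificate fields are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed cipher lists (names only; no real cipher is run in this model).
CLIENT_CIPHERS = ["3DES-SHA1", "RC4-MD5", "DES-SHA1"]   # client preference, best first
SERVER_CIPHERS = {"RC4-MD5", "DES-SHA1"}                # what the server supports


def select_cipher(client_prefs, server_supported):
    """Phase 1: the server takes the first cipher in the client's order that it supports."""
    for cipher in client_prefs:
        if cipher in server_supported:
            return cipher
    raise ValueError("handshake_failure: no common cipher")


def derive_master_secret(pms, client_nonce, server_nonce):
    """Master secret bound to both nonces, so a replayed PMS yields different keys."""
    return hashlib.sha256(pms + client_nonce + server_nonce).digest()


def finished_mac(master, transcript, label):
    """Finished = MAC over the hash of every handshake message exchanged so far."""
    body = label + hashlib.sha256(transcript).digest()
    return hmac.new(master, body, hashlib.sha256).hexdigest()


def run_handshake(client_prefs, server_supported, tamper_in_flight=False):
    """Walk the four phases; return (negotiated cipher, whether Finished verifies)."""
    client_nonce, server_nonce = os.urandom(32), os.urandom(32)
    client_view = server_view = b""            # each side's own copy of the transcript

    # Phase 1: Client_hello / Server_hello (algorithm list, choice, session id, nonces).
    client_hello = b"ClientHello|" + ",".join(client_prefs).encode() + b"|" + client_nonce
    cipher = select_cipher(client_prefs, server_supported)
    server_hello = b"ServerHello|" + cipher.encode() + b"|" + os.urandom(8) + b"|" + server_nonce
    # Phase 2: server certificate (constructed placeholder) and end of Server_hello.
    server_cert = b"Certificate|cn=server.example|ServerHelloDone"
    # Phase 3: client sends the pre-master secret (modelled as a plain random secret).
    pms = os.urandom(48)
    client_key_exchange = b"ClientKeyExchange|" + pms

    for msg in (client_hello, server_hello, server_cert, client_key_exchange):
        client_view += msg
        server_view += msg
    if tamper_in_flight:
        # An on-path party rewrites the client's cipher list after it was sent:
        # the server's view of the transcript now differs from the client's.
        server_view = server_view.replace(b"3DES-SHA1", b"DES-SHA1")

    # Phase 4: after ChangeCipherSpec, each side MACs its own transcript; they must agree.
    master = derive_master_secret(pms, client_nonce, server_nonce)
    client_finished = finished_mac(master, client_view, b"client finished")
    expected_by_server = finished_mac(master, server_view, b"client finished")
    return cipher, hmac.compare_digest(client_finished, expected_by_server)


if __name__ == "__main__":
    print(run_handshake(CLIENT_CIPHERS, SERVER_CIPHERS))        # ('RC4-MD5', True)
    print(run_handshake(CLIENT_CIPHERS, SERVER_CIPHERS, True))  # ('RC4-MD5', False)
```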

What is an SSL certificate?

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the
identity of a website and encrypts information sent to the server using SSL technology.
Encryption is the process of scrambling data into an undecipherable format that can
only be returned to a readable format with the proper decryption key.

A certificate serves as an electronic "passport" that establishes an online entity's
credentials when doing business on the Web. When an Internet user attempts to send
confidential information to a Web server, the user's browser accesses the server's
digital certificate and establishes a secure connection.

An SSL certificate contains the following information:

 The certificate holder's name
 The certificate's serial number and expiration date
 A copy of the certificate holder's public key
 The digital signature of the certificate-issuing authority

Security in Network Layer

Any scheme developed for providing network security needs to be
implemented at some layer in the protocol stack, as depicted in the table below:

Layer               Communication Protocols   Security Protocols
Application Layer   HTTP, FTP, SMTP           PGP, S/MIME, HTTPS
Transport Layer     TCP, UDP                  SSL, TLS, SSH
Network Layer       IP                        IPsec

The popular framework developed for ensuring security at the network layer is
Internet Protocol Security (IPsec).

Features of IPsec
 IPsec is not designed to work only with TCP as a transport protocol. It works with
UDP as well as any other protocol above IP such as ICMP, OSPF etc.

 IPsec protects the entire packet presented to IP layer including higher layer
headers.

 Since the higher layer headers, which carry the port numbers, are hidden, traffic
analysis is more difficult.

 IPsec works from one network entity to another network entity, not from
application process to application process. Hence, security can be adopted
without requiring changes to individual user computers/applications.

 Though widely used to provide secure communication between network entities,
IPsec can provide host-to-host security as well.

 The most common use of IPsec is to provide a Virtual Private Network (VPN),
either between two locations (gateway-to-gateway) or between a remote user
and an enterprise network (host-to-gateway).

Security Functions
The important security functions provided by the IPsec are as follows −

 Confidentiality

o Enables communicating nodes to encrypt messages.

o Prevents eavesdropping by third parties.

 Origin authentication and data integrity.

o Provides assurance that a received packet was actually transmitted by the
party identified as the source in the packet header.

o Confirms that the packet has not been altered in transit.

 Key management.

o Allows secure exchange of keys.

o Protection against certain types of security attacks, such as replay attacks.

Question: List and explain the different TCP/IP vulnerabilities.

TCP/IP Protocol

Transmission Control Protocol (TCP) and Internet Protocol (IP) are two
distinct computer network protocols mostly used together. Due to their
popularity and wide adoption, they are built into all operating systems of
networked devices.

IP corresponds to the Network layer (Layer 3) whereas TCP corresponds to
the Transport layer (Layer 4) in OSI. TCP/IP applies to network
communications where the TCP transport is used to deliver data across IP
networks.

TCP/IP protocols are commonly used with other protocols such as HTTP, FTP and
SSH at the application layer and Ethernet at the data link/physical layer.
It was developed for communication within a limited, trusted network.
However, over time, this protocol became the de facto standard for
unsecured Internet communication.

Some of the common security vulnerabilities of the TCP/IP protocol suite are −

 HTTP is an application layer protocol in the TCP/IP suite used to transfer the files that
make up web pages from web servers. These transfers are done in plain
text, and an intruder can easily read the data packets exchanged between the
server and a client.

 Another HTTP vulnerability is weak authentication between the client and the
web server during the initialization of the session. This vulnerability can lead to a
session hijacking attack, where the attacker steals the HTTP session of a
legitimate user.

 A TCP protocol vulnerability is the three-way handshake used for connection establishment.
An attacker can launch a “SYN flooding” denial of service attack to exploit this
vulnerability, establishing a large number of half-open sessions by never completing the
handshake. This leads to server overloading and eventually a crash.

 The IP layer is susceptible to many vulnerabilities. Through IP protocol header
modification, an attacker can launch an IP spoofing attack.

Detailed Answer:
The following are the vulnerabilities in TCP/IP:
1. ARP Spoofing:

 ARP spoofing is a type of attack in which a malicious actor sends falsified ARP
(Address Resolution Protocol) messages over a local area network.
 This results in the linking of an attacker’s MAC address with the IP address of a
legitimate computer or server on the network.
 Once the attacker’s MAC address is connected to an authentic IP address, the
attacker will begin receiving any data that is intended for that IP address.
 ARP spoofing can enable malicious parties to intercept, modify or even stop data
in-transit. ARP spoofing attacks can only occur on local area networks that utilize
the Address Resolution Protocol.

ARP Spoofing attack:

 The effects of ARP spoofing attacks can have serious implications for
enterprises.
 In their most basic application, ARP spoofing attacks are used to steal sensitive
information. Beyond this, ARP spoofing attacks are often used to facilitate other
attacks such as:
1. Denial-of-service attacks:
DoS attacks often leverage ARP spoofing to link multiple IP addresses with a
single target’s MAC address. As a result, traffic that is intended for many different
IP addresses will be redirected to the target’s MAC address, overloading the
target with traffic.
2. Session hijacking:
Session hijacking attacks can use ARP spoofing to steal session IDs, granting
attackers access to private systems and data.
3. Man-in-the-middle attacks:
MITM attacks can rely on ARP spoofing to intercept and modify traffic between
victims.
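A detector for the IP-to-MAC linking described above, added here as an example and not part of these notes: it reads ARP-reply records as a LAN monitor might log them, pins the gateway's known MAC, and flags any IP whose MAC changes as well as any single MAC that claims several IPs (the pattern of the DoS variant in item 1). The log format, addresses and the known binding are all constructed.

```python
import re
from collections import defaultdict

# Constructed ARP-reply records in the form "time ip mac", as a LAN monitor might log them.
ARP_LOG = """\
10:00:01 192.168.1.1 aa:bb:cc:00:00:01
10:00:02 192.168.1.20 aa:bb:cc:00:00:20
10:00:03 192.168.1.21 aa:bb:cc:00:00:21
10:00:09 192.168.1.1 de:ad:be:ef:00:99
10:00:10 192.168.1.20 de:ad:be:ef:00:99
10:00:11 192.168.1.21 aa:bb:cc:00:00:21
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f:]{17})$", re.IGNORECASE)

# Bindings the defender has verified out of band (constructed): the gateway's real MAC.
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def parse_arp_log(text):
    """Yield (time, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect_arp_spoofing(text, known=KNOWN_BINDINGS):
    """Return alerts for IPs whose MAC changed and for MACs claiming more than one IP."""
    alerts = []
    first_seen = dict(known)          # ip -> MAC pinned statically or learned first
    ips_per_mac = defaultdict(set)    # mac -> every IP it has answered for
    for ts, ip, mac in parse_arp_log(text):
        ips_per_mac[mac].add(ip)
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append(f"{ts} {ip} changed {first_seen[ip]} -> {mac}")
        first_seen.setdefault(ip, mac)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_LOG):
        print(alert)
```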
2. Port scanning

 Port Scanning is one of the most popular techniques attackers use to discover
services that they can exploit to break into systems.
 All systems that are connected to a LAN or the Internet via a modem run services
that listen to well-known and not so well-known ports.
 By port scanning, the attacker can find the following information about the
targeted systems: what services are running, what users own those services,
whether anonymous logins are supported, and whether certain network services
require authentication.
 Port scanning is accomplished by sending a message to each port, one at a time.
The kind of response received indicates whether the port is used and can be
probed for further weaknesses.
 Port scanners are important to network security technicians because they can
reveal possible security vulnerabilities on the targeted system.
Port Scan Techniques
1.1 Address Resolution Protocol (ARP)

o ARP scans discover active devices on the local network segment by
sending a series of ARP broadcasts and incrementing the value for the
target IP address field in each broadcast packet.
o This type of scan will have every IP device on the network respond with its
own IP address. This scan will effectively map out an entire
network.

1.2 TCP connect

o The Vanilla TCP connect scan is the most basic scanning technique.
o The scan uses the connect system call of an operating system on a target
system to open a connection to every port that is open.
o The scan is extremely noisy and easily detectable. The targeted system
logs will show connection requests and error messages for the services
that accepted the connections.

1.3 TCP SYN

o The TCP SYN (Half Open) scans are called half open because the
attacking system doesn’t close the open connections.
o The attacking scanner will send a SYN packet to the target and wait for a
response. If the port is open, the target will send a SYN|ACK.
o If the port is closed, the target will send an RST.
o This type of scan is difficult to detect. The target system is in charge of
closing the open connections and the target, most likely, will not have the
proper logging set up to detect this type of scan.

1.4 TCP FIN

o The TCP FIN scan has the ability to pass undetected through most
firewalls, packet filters, and scan detection programs.
o The attacking system sends FIN packets to the targeted system. The
closed ports will respond with an RST. The open ports will ignore the
packets. The attacking system will take note of which ports it received an
RST on and report on the ports that did not respond with an RST.

3. TCP SYN flood attack

 TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that
exploits part of the normal TCP three-way handshake to consume resources on
the targeted server and render it unresponsive.
 Essentially, with SYN flood DDoS, the offender sends TCP connection requests
faster than the targeted machine can process them, causing network saturation.

Attack description

 When a client and server establish a normal TCP “three-way handshake,” the
exchange looks like this:

1. Client requests connection by sending SYN (synchronize) message to the server.
2. Server acknowledges by sending SYN-ACK (synchronize-acknowledge)
message back to the client.
3. Client responds with an ACK (acknowledge) message, and the connection is
established.

 In a SYN flood attack, the attacker sends repeated SYN packets to every port on
the targeted server, often using a fake IP address.
 The server, unaware of the attack, receives multiple, apparently legitimate
requests to establish communication. It responds to each attempt with a SYN-
ACK packet from each open port.
 The malicious client either does not send the expected ACK, or—if the IP
address is spoofed—never receives the SYN-ACK in the first place. Either way,
the server under attack will wait for acknowledgement of its SYN-ACK packet for
some time.
 During this time, the server cannot close down the connection by sending an
RST packet, and the connection stays open.
 Before the connection can time out, another SYN packet will arrive. This leaves
an increasingly large number of connections half-open – and indeed SYN flood
attacks are also referred to as “half-open” attacks.
 Eventually, as the server’s connection overflow tables fill, service to legitimate
clients will be denied, and the server may even malfunction or crash.

A normal connection between a user (Alice) and a server. The three-way handshake is
correctly performed.

SYN Flood. The attacker sends several packets but does not send the "ACK" back to
the server. The connections are hence half-opened and consuming server resources.
Alice, a legitimate user, tries to connect but the server refuses to open a connection
resulting in a denial of service.
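A detector covering both the TCP scan techniques listed above (1.2 to 1.4) and the SYN flood described in this section, added here as an example that is not part of these notes: it replays constructed packet summaries and flags a source that probes many ports, FIN-only probes that never followed a SYN, and a listener whose unanswered SYNs pile up past a threshold. The thresholds, addresses and traffic are all constructed.

```python
from collections import defaultdict

SCAN_PORT_THRESHOLD = 15          # distinct ports probed by one source (constructed)
FLOOD_HALF_OPEN_THRESHOLD = 100   # unanswered SYNs queued for one listener (constructed)


def build_sample_traffic():
    """Constructed packet summaries (src, sport, dst, dport, flags) for the detector."""
    pkts = []
    pkts += [("10.0.0.5", 40000 + p, "10.0.0.10", p, "S") for p in range(1, 31)]    # SYN scan
    pkts += [("10.0.0.6", 41000 + p, "10.0.0.10", p, "F") for p in range(20, 41)]   # FIN scan
    for i in range(120):                                  # SYN flood, rotating spoofed sources
        pkts.append((f"203.0.113.{i % 250}", 50000 + i, "10.0.0.10", 80, "S"))
    pkts += [("10.0.0.7", 52000, "10.0.0.10", 443, "S"),   # one legitimate handshake
             ("10.0.0.7", 52000, "10.0.0.10", 443, "A")]
    return pkts


def analyse(pkts):
    """Flag port scanners, FIN-only probing, and listeners with many half-open SYNs."""
    ports_by_src = defaultdict(set)
    fin_only_by_src = defaultdict(int)
    syn_seen = set()     # 4-tuples that sent a SYN
    completed = set()    # 4-tuples that later sent the ACK of step 3
    for src, sport, dst, dport, flags in pkts:
        key = (src, sport, dst, dport)
        if flags == "S":
            ports_by_src[src].add(dport)
            syn_seen.add(key)
        elif flags == "A" and key in syn_seen:
            completed.add(key)
        elif flags == "F" and key not in syn_seen:
            # A FIN with no preceding SYN is not part of any connection: FIN scan signature.
            ports_by_src[src].add(dport)
            fin_only_by_src[src] += 1
    half_open = defaultdict(int)
    for _, _, dst, dport in syn_seen - completed:
        half_open[(dst, dport)] += 1
    return {
        "port_scan": sorted(s for s, ports in ports_by_src.items()
                            if len(ports) >= SCAN_PORT_THRESHOLD),
        "fin_scan": sorted(fin_only_by_src),
        "syn_flood": sorted(t for t, n in half_open.items()
                            if n >= FLOOD_HALF_OPEN_THRESHOLD),
    }


if __name__ == "__main__":
    print(analyse(build_sample_traffic()))
```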

4. IP spoofing
 IP address spoofing is one of the most frequently used spoofing attack methods.
In an IP address spoofing attack, an attacker sends IP packets from a false (or
“spoofed”) source address in order to disguise itself.
 Denial-of-service attacks often use IP spoofing to overload networks and devices
with packets that appear to be from legitimate source IP addresses.
 IP spoofing is the action of masking a computer's IP address so that it looks like it
is authentic.
 During this masking process, the attacker sends a malevolent message coupled with
an IP address that appears to be authentic and trusted.
 In IP spoofing, IP headers are masked through a form of Transmission Control
Protocol (TCP) in which spoofers discover and then manipulate vital information
contained in the IP header such as IP address and source and destination
information.

Types of Spoofing attacks

Non-Blind Spoofing

 This type of attack takes place when the attacker is on the same subnet as the
victim. The sequence and acknowledgement numbers can be sniffed, eliminating
the potential difficulty of calculating them accurately.
 The biggest threat of spoofing in this instance would be session hijacking. This is
accomplished by corrupting the data stream of an established connection, then
re-establishing it based on correct sequence and acknowledgement numbers
with the attack machine.
 Using this technique, an attacker could effectively bypass any authentication
measures taken to build the connection.

Blind Spoofing

 This is a more sophisticated attack, because the sequence and
acknowledgement numbers are unreachable.
 In order to circumvent this, several packets are sent to the target machine in
order to sample sequence numbers. While not the case today, machines in the
past used basic techniques for generating sequence numbers.
 It was relatively easy to discover the exact formula by studying packets and TCP
sessions. Today, most OSs implement random sequence number generation,
making it difficult to predict them accurately.
 If, however, the sequence number was compromised, data could be sent to the
target. Several years ago, many machines used host-based authentication
services (e.g. rlogin). A properly crafted attack could add the requisite data to a
system (e.g. a new user account), blindly, enabling full access for the attacker
who was impersonating a trusted host.

Man In the Middle Attack

 Both types of spoofing are forms of a common security violation known as a man
in the middle (MITM) attack. In these attacks, a malicious party intercepts a
legitimate communication between two friendly parties.
 The malicious host then controls the flow of communication and can eliminate or
alter the information sent by one of the original participants without the
knowledge of either the original sender or the recipient.
 In this way, an attacker can fool a victim into disclosing confidential information
by “spoofing” the identity of the original sender, who is presumably trusted by the
recipient.

Denial of Service Attack

 IP spoofing is almost always used in what is currently one of the most difficult
attacks to defend against – denial of service attacks, or DoS.
 Since crackers are concerned only with consuming bandwidth and resources,
they need not worry about properly completing handshakes and transactions.
 Rather, they wish to flood the victim with as many packets as possible in a short
amount of time. In order to prolong the effectiveness of the attack, they spoof
source IP addresses to make tracing and stopping the DoS as difficult as
possible.
 When multiple compromised hosts are participating in the attack, all sending
spoofed traffic, it is very challenging to quickly block traffic.
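Strict reverse-path (uRPF) ingress filtering, the standard network-edge defence against the spoofed sources described above, as an example added here and not drawn from these notes: a packet is accepted only if the longest-matching route back to its claimed source leaves through the interface the packet arrived on, which drops private or site-owned sources arriving from the Internet and DMZ addresses claimed from the LAN. The routing table, prefixes and interface names are constructed.

```python
import ipaddress

# Constructed routing table: prefix -> interface through which that prefix is reached.
ROUTES = {
    "0.0.0.0/0": "wan0",            # default route to the Internet
    "198.51.100.0/24": "lan0",      # the site's own public range
    "198.51.100.128/25": "dmz0",    # upper half of it lives in the DMZ
    "10.0.0.0/8": "lan0",           # private space, internal only
}
ROUTE_TABLE = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES.items()]

# Constructed packets as (claimed source, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.9", "wan0"),        # ordinary Internet client
    ("198.51.100.10", "wan0"),      # our own address arriving from outside: spoofed
    ("10.1.2.3", "wan0"),           # private source from the Internet: spoofed
    ("198.51.100.200", "dmz0"),     # DMZ host on the DMZ interface
    ("198.51.100.200", "lan0"),     # DMZ address claimed from the LAN: spoofed
    ("10.7.7.7", "lan0"),           # internal host on the LAN
]


def lookup_route(addr):
    """Longest-prefix match: the interface a packet addressed to addr would leave through."""
    best = None
    for net, ifc in ROUTE_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None


def strict_urpf(src, ingress_iface):
    """Accept only if the best route back to src exits via the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False                     # never valid as a unicast source on the wire
    return lookup_route(addr) == ingress_iface


def audit(packets):
    """Return the (source, interface) pairs that fail the reverse-path check."""
    return [(src, ifc) for src, ifc in packets if not strict_urpf(src, ifc)]


if __name__ == "__main__":
    for src, ifc in audit(SAMPLE_PACKETS):
        print(f"drop {src} on {ifc}: route back goes via {lookup_route(ipaddress.ip_address(src))}")
```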

5. DNS Spoofing
 The Domain Name System (DNS) is a system that associates domain names
with IP addresses.
 Devices that connect to the internet or other private networks rely on the DNS for
resolving URLs, email addresses and other human-readable domain names into
their corresponding IP addresses.
 In a DNS server spoofing attack, a malicious party modifies the DNS server in
order to reroute a specific domain name to a different IP address.
 In many cases, the new IP address will be for a server that is actually controlled
by the attacker and contains files infected with malware. DNS server spoofing
attacks are often used to spread computer worms and viruses.
