Network Security Net 536 l.Tahani Aljehani

Post on 24-Feb-2016


PRINCESS NORA BINT ABDULRAHMAN UNIVERSITY
COLLEGE OF COMPUTER AND INFORMATION SCIENCES
NETWORKS DEPARTMENT

Network Security Net 536

l.Tahani Aljehani

TCP/IP

Ideally, a secure network architecture is designed before any systems are in place.

TCP/IP review:
• The Internet is made up of a wide variety of computers, from supercomputers to personal computers. Each of these computers has its own type of software and applications running. How do all of these computers understand each other and work together?
• There is a set of rules to govern communications so that each computer understands how to act and how to interpret the actions of the other computers.

TCP/IP

When transferring information across a network, TCP breaks information into small pieces (packets). Each packet is sent separately.
• TCP has support to detect errors and loss of data.
• IP handles carrying TCP packets from one computer to the other based on a 4-byte destination IP address.
• Each computer is uniquely identified by a specific IP address.
• When a client requests a service from a server, it builds a TCP connection with the server.

IP

The IP portion of TCP/IP is responsible for sending packets from node to node on the network until the packets reach their final destinations.

The routing is accomplished through an IP address that is assigned to every computer on the Internet.

There are two standards for IP addresses: IPv4 and IPv6.

IPv4

An IPv4 address is the 4-byte destination IP address that is included in every packet. It is usually represented in decimal form as octets of numbers from 0 to 255, such as 160.192.226.135. For example, 255.255.255.255 is used to broadcast to all hosts on the local network.

An IP address is divided into a portion that identifies a network and another portion that identifies the host or node on a network.

Additionally, a network is assigned to a Class from A through E, and this class representation further delineates which part of the address refers to the network and which part refers to the node.
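The classful split the slide describes, worked through in code. This is an added example written for these notes, not part of the lecture; it validates a dotted-decimal address, reports its class A to E, and zeroes the host or network bits to show each portion (the slide's 160.192.226.135 is the sample input).

```python
# Added example (not from the lecture): split an IPv4 address into its classful
# network and host portions and report the class A-E, as the slide describes.
from dataclasses import dataclass

# (first-octet low, high, class, number of network octets). Classes D and E
# have no network/host split: D is multicast and E is reserved.
_CLASSES = ((0, 127, "A", 1), (128, 191, "B", 2), (192, 223, "C", 3),
            (224, 239, "D", 0), (240, 255, "E", 0))

@dataclass(frozen=True)
class ClassfulAddress:
    octets: tuple            # the four 8-bit values
    cls: str                 # "A" .. "E"
    network: str             # network portion, host bits zeroed
    host: str                # host portion, network bits zeroed
    limited_broadcast: bool  # 255.255.255.255 reaches all hosts on the local net

def parse_ipv4(text: str) -> tuple:
    """Validate dotted-decimal notation and return the four octets."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets in {text!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"octet {p!r} is not in 0-255 in {text!r}")
        octets.append(int(p))
    return tuple(octets)

def classify(text: str) -> ClassfulAddress:
    """Decode class, network portion and host portion of an IPv4 address."""
    octets = parse_ipv4(text)
    for lo, hi, cls, net_octets in _CLASSES:
        if lo <= octets[0] <= hi:
            break
    net = [o if i < net_octets else 0 for i, o in enumerate(octets)]
    host = [0 if i < net_octets else o for i, o in enumerate(octets)]
    return ClassfulAddress(octets, cls, ".".join(map(str, net)),
                           ".".join(map(str, host)),
                           octets == (255, 255, 255, 255))

if __name__ == "__main__":
    a = classify("160.192.226.135")  # the slide's example address
    print(a.cls, a.network, a.host)  # B 160.192.0.0 0.0.226.135
```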

IPv6

IPv6 uses a 128-bit addressing scheme, so it has more than 79 times as many available addresses as IPv4.

Instead of representing the binary digits as decimal digits, IPv6 uses 8 sets of 4 hexadecimal digits.

IPv6 includes additional security features, including support for built-in authentication and confidentiality.

Most current operating systems include support for IPv6, and systems are expected to gradually migrate to the new standard over several years.

TCP connection: connection establishment, data exchange, connection termination.

A port number is used to distinguish various services.

A port is a way to identify a specific service on a computer in a network.

TCP/IP connection
• Port 80 is used by HTTP (send and retrieve web pages).
• Port numbers are specified by 16 bits and enumerated from 0 to 65535.
• End-to-end communication can be identified by: source IP address, source port, destination IP address, destination port.
• Basic connection: the client browser first finds an unused (dynamic) port

Types of attacks

Remote code execution: occurs when an attacker exploits software and runs a program that the user does not have privileges to run.

Denial of service: an attacker can send a large number of TCP SYN packets to a target. A SYN packet is supposed to be the first packet of a TCP connection (the SYN flag is set in the TCP header). The server normally responds with a SYN-ACK packet and allocates a buffer for the new TCP session. However, the attacking host never responds.

Worms and viruses: automated attacks, programmed to spread themselves as rapidly and widely as possible.

Trojans and spyware: installed with other software. They collect information about the system (passwords, visited websites, …). The information which has been collected can be sent to someone else.
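The denial-of-service pattern above, the server allocating a buffer for each SYN that is never completed, is what a defender looks for in connection logs. The following is an added example, not from the lecture: it counts half-open handshakes per client over a constructed log (the log format and addresses are invented for this example) and flags sources that hold many of them.

```python
# Added example (not from the lecture): flag sources that open many TCP
# handshakes without completing them, the half-open pattern of a SYN flood.
# The log format below is constructed for this example, not a real sensor's.
from collections import defaultdict

# Constructed firewall log: "<client ip> <server ip>:<port> <flags>"
SAMPLE_LOG = """\
203.0.113.9 192.0.2.10:80 SYN
203.0.113.9 192.0.2.10:80 ACK
198.51.100.7 192.0.2.10:80 SYN
198.51.100.7 192.0.2.10:80 SYN
198.51.100.7 192.0.2.10:80 SYN
198.51.100.7 192.0.2.10:80 SYN
203.0.113.44 192.0.2.10:443 SYN
203.0.113.44 192.0.2.10:443 ACK
"""

def half_open_per_source(log_text: str) -> dict:
    """Count handshakes per client that were started (SYN) but never
    completed (no later ACK from that client)."""
    half_open = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, service, flags = line.split()
        if flags == "SYN":
            half_open[client] += 1       # server allocates a buffer here
        elif flags == "ACK" and half_open[client] > 0:
            half_open[client] -= 1       # handshake completed, buffer freed
    return dict(half_open)

def suspected_syn_flooders(log_text: str, threshold: int = 3) -> list:
    """Sources holding at least `threshold` half-open connections."""
    counts = half_open_per_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(suspected_syn_flooders(SAMPLE_LOG))  # ['198.51.100.7']
```

Real sensors would also age out entries after the server's SYN-ACK retransmission timeout, which this example omits.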

Security principles

1- Least privilege: states that a user should have only the privileges needed to do his job. Least privilege is enforced using a network device, such as a router with an access control list (ACL), which tells a computer operating system which access rights each user has to a particular object.

For example, a backup user does not need to install software; hence, the backup user has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked.

2- Layered security: is the concept that security functions should happen at multiple layers. For example, an attacker can send malicious code or instructions to the server, and the firewall will not be able to read the payload information in individual packets, so we need a proxy in the middle.

Layered security
• Physical layer: traditional security measures such as cameras and walls are used to prevent unauthorized users.
• Data link: unused ports can be disabled. We can also rely on VPN.
• Network layer: firewalls and ACLs restrict network access. Intrusion detection may base its decision on TCP/UDP port numbers.
• Proxies operate between the transport and the application layer.
• Top layers are application content inspection services (anti-virus scanners, …).

Segmentation

Segmentation is based on layered security and the principle of least privilege. Functional segmentation suggests a design in which the network is partitioned according to user or device function.

Each segment may be further divided by academic department. The advantage of segmentation is in preventing the spread of worms such as Slammer.

Segmenting a Network

These segments can be theoretically classified into the following:
▲ Public networks
▲ Semi-private networks
▲ Private networks

Public Networks

Public networks allow accessibility to everyone. The Internet is a perfect example of a public network.

On public networks there is a huge amount of unsecured data. Typically, security measures for public access networks are quite limited.

Despite the lack of security, large volumes of unprotected data are transmitted worldwide over public networks because of their convenience and the variety of services they provide.

Private Networks

Private networks are organizational networks that handle confidential and proprietary data and are the most common type of network.

If the organization is spread over vast geographical distances, the private networks present at each location might be interconnected through the Internet or other public networks.

Generally, most commercial organizations prefer not to lay down dedicated lines over vast geographical distances, mainly due to cost factors.

Private networks might have exclusive addressing and protocols and do not have to be compatible with the Internet.

Address translation schemes and various tunneling protocols can be used to allow incompatible private and public networks to interoperate.

Example: PNU network

Semi-private Networks

Semi-private networks (demilitarized zone, DMZ) sit between public networks and private networks.

From a security standpoint, a semi-private network might carry confidential information but under some regulations.

Semi-private networks are most often exclusive subnets of large public networks such as the Internet.

Example: a user needs Internet access from the company's private network.

Perimeter Defense

In most cases, networks include various types of servers, including infrastructure servers like domain controllers and DNS servers, database servers, file servers, and application servers.

Securing such enormous processing units often requires security solutions to be highly fortified at the network level in addition to using individual server-based systems.

In most common environments, firewalls would be placed at the terminal ends of every network segment.

Firewalls (independent or combined with routers) can be ideal choices for securing network perimeters.

Firewalls

A firewall is the main gate through which the outside world enters the internal site. Based on the needs of your organization, a firewall can be configured to work in different ways. For example, you can configure a firewall to permit only email traffic to pass through it, and thus protect the internal network against any attacks except those against the email service.

Firewall Architecture

[Figure: firewall architecture diagram. Labels recoverable from the slide: external Internet; routers R1 to R6; firewalls F1 and F2; Internal Network I and Internal Network II, each with a DNS server; hosts A, B, C, D and E.]

Firewalls

There are many reasons for an organization to employ firewalls to secure their networks from other insecure networks, such as the following:
• Poor authentication (most network services and applications do not directly use authentication and encryption features)
• Weak software (not optimized for security features)
• Spoofing (read packets of communication sessions and acknowledge the respective addresses)
• Scanners and crackers (attacks on passwords and other sensitive authentication)

Firewall technologies
• Packet filtering
• Stateful packet filtering
• Application proxy

Packet filtering

Packet filtering – Determines whether a packet should be accepted or rejected purely based upon some basic information in the packet's header (e.g. source IP, destination IP, inbound or outbound interface, protocol type, port number). If the header information matches the rule set defined on the firewall, the packet is allowed to pass; otherwise it is denied.

It doesn't have detailed knowledge about what a packet is actually talking to or where it is actually coming from; therefore it is susceptible to IP or port spoofing attacks, because the decision is based only on IP and port. However, it tends to be faster than other firewall technologies and very transparent to users.

Stateful packet filtering

Stateful packet filtering – Attempts to track the state of each network connection and makes the forwarding decision on both the packet content and the connection state when filtering packets.

When the first packet of a connection is inspected and permitted, the firewall adds an entry to a state table.

A subsequent packet is allowed to pass through the firewall when the packet matches an established connection which has satisfied the implemented rules on the firewall.

This means you need only specify the initial connection; the return packets are implied because there is state associated with them (the connection has already been authorized).
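To make the difference between the two filter types concrete, here is an added example (written for these notes, not the lecture's own material) that models a stateless rule set beside a stateful one. The addresses, the internal prefix and the rule format are constructed for the example; it shows that the stateless filter needs an explicit return rule which then trusts anything claiming source port 80, while the stateful filter admits the reply from its state table alone and drops the unsolicited packet.

```python
# Added example (not from the lecture): a minimal stateless packet filter beside
# a stateful one, showing why the stateful filter needs only the initial
# connection rule. Packets and rules are constructed for this example.
INTERNAL = "10.0.0."          # assumed internal address prefix

def packet(src, sport, dst, dport, syn=False):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "syn": syn}

def matches(rule, pkt):
    """A rule is a dict of header fields; every listed field must match."""
    return all(pkt[k] == v for k, v in rule.items())

def stateless_allow(rules, pkt):
    """Decide on header fields alone; no memory of earlier packets."""
    return any(matches(r, pkt) for r in rules)

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules          # only initial (connection-opening) rules
        self.state = set()          # 4-tuples of authorized connections

    def allow(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if fwd in self.state or rev in self.state:
            return True             # belongs to an established connection
        if pkt["syn"] and any(matches(r, pkt) for r in self.rules):
            self.state.add(fwd)     # first packet permitted: record it
            return True
        return False                # unsolicited, or not a connection start

# Policy: internal host 10.0.0.5 may open HTTP connections to the web server.
OPEN_HTTP = {"src": INTERNAL + "5", "dst": "192.0.2.10", "dport": 80}
# A stateless firewall must add a return rule, which trusts source port 80.
RETURN_HTTP = {"src": "192.0.2.10", "sport": 80}

def demo():
    out = packet(INTERNAL + "5", 40000, "192.0.2.10", 80, syn=True)
    back = packet("192.0.2.10", 80, INTERNAL + "5", 40000)
    # Unsolicited packet that merely claims the web server's address and port 80
    probe = packet("192.0.2.10", 80, INTERNAL + "5", 22)
    sf = StatefulFilter([OPEN_HTTP])
    return {
        "stateless_reply_no_return_rule": stateless_allow([OPEN_HTTP], back),
        "stateless_probe_with_return_rule": stateless_allow([OPEN_HTTP, RETURN_HTTP], probe),
        "stateful_outbound": sf.allow(out),
        "stateful_reply": sf.allow(back),
        "stateful_probe": sf.allow(probe),
    }
```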

Proxying

Proxying – Handles all the communications between users and Internet services and does lots of logging and access control. It takes users' requests for Internet services (e.g., FTP and Telnet) and forwards them to the actual services or drops them as directed by the site's security policy. Instead of talking to each other directly, users and services both talk to a server offering proxying – the proxy server.

Proxy servers permit no direct traffic between networks, thus effectively hiding the true network addresses and better protecting the internal network. They are able to provide more detailed audit reports and tend to enforce more conservative security models than packet filtering.