Introduction to Computer Security Network Security Pavel Laskov Wilhelm Schickard Institute for Computer Science


Page 1: Introduction to Computer Security - Network Security · IPv4 hdr AH TCP Data authenticated except for mutable fields orig IP hdr New IP hdr I v4 AH TCP D at authenticated except for

Introduction to Computer Security: Network Security

Pavel Laskov, Wilhelm Schickard Institute for Computer Science

Page 2

Circuit switching vs. packet switching

(figure: packets of two flows, labelled A and B, interleaved on a shared path)

Page 3

OSI and TCP/IP layered models

Page 4

TCP/IP encapsulation

Page 5

TCP connection synchronization

Initial handshake (Host A, Host B):

  A -> B: SYN, seq=x
  B -> A: SYN, seq=y, ACK x+1
  A -> B: ACK y+1
  ... data transmission

Termination:

  A -> B: FIN, seq=x
  B -> A: ACK x+1
  B -> A: FIN, seq=y, ACK x+1
  A -> B: ACK y+1

Page 6

What can go wrong: TCP session hijacking

Established connection between A and B (payload sizes in bytes):

  A -> B: Seq x,     PSH/ACK y     (60)
  B -> A: Seq y,     PSH/ACK x+60  (20)
  A -> B: Seq x+60,  PSH/ACK y+20  (30)
  B -> A: Seq y+20,  PSH/ACK x+90  (20)
  A -> B: Seq x+90,  PSH/ACK y+40  (30)
  B -> A: Seq y+40,  PSH/ACK x+120 (20)

One of the segments marked as coming from A is in fact sent by an attacker C impersonating A (C(A) in the figure). Having observed the exchange, C knows the next sequence and acknowledgement numbers exactly, and B has no way to tell the forged segment from A's own traffic: TCP authenticates nothing but the numbers.
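The bookkeeping behind the figure, as an added example (not the lecturer's code): a minimal model of two TCP endpoints replays the slide's exchange with the slide's numbers (x, y, payloads of 60/20/30 bytes), then an attacker C who has sniffed the connection injects one segment with A's address and the expected numbers. B accepts it, and the two genuine ends are left desynchronised. The endpoint model keeps only in-order delivery with no window or retransmission; the payload and the values of x and y are constructed.

```python
"""Sequence/acknowledgement bookkeeping of an established TCP connection and a
segment forged by an attacker C who impersonates A.

Added example for these slides, not the lecturer's code. The numbers follow the
slide (A's data starts at x, B's at y, payload sizes 60/20/30); the endpoint
model is deliberately minimal: in-order delivery only, no window, no
retransmission. The payload and the values of x and y are constructed."""
from dataclasses import dataclass


@dataclass
class Segment:
    src: str        # source as it appears on the wire; the attacker claims "A"
    seq: int
    ack: int
    payload: bytes


class Endpoint:
    """One end of an established connection (simplified receive processing)."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.snd_nxt = snd_nxt      # next sequence number we will send
        self.rcv_nxt = rcv_nxt      # next sequence number we expect from the peer
        self.delivered = b""        # bytes handed to the application

    def send(self, payload):
        seg = Segment(self.name, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def receive(self, seg):
        """Classify an incoming segment. Nothing here checks who really sent it:
        acceptance depends only on the numbers, which is what hijacking exploits."""
        if seg.ack > self.snd_nxt:
            return "unacceptable-ack"     # acknowledges bytes we never sent (RFC 793)
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt += len(seg.payload)
            self.delivered += seg.payload
            return "accept"
        if seg.seq < self.rcv_nxt:
            return "duplicate"            # old data; a real stack would just re-ACK
        return "future"                   # out of order; queued or dropped


def run_exchange(x=1000, y=5000, attacker_payload=b"rm -rf ~\n"):
    """Replay the slide's exchange, then inject one forged segment. Returns both
    endpoints and a log of (sender on the wire, seq, ack, length, receiver's verdict)."""
    a = Endpoint("A", snd_nxt=x, rcv_nxt=y)
    b = Endpoint("B", snd_nxt=y, rcv_nxt=x)
    log = []

    def deliver(seg, to):
        log.append((seg.src, seg.seq, seg.ack, len(seg.payload), to.receive(seg)))

    for size_a, size_b in ((60, 20), (30, 20), (30, 20)):
        deliver(a.send(b"A" * size_a), b)
        deliver(b.send(b"B" * size_b), a)

    # C sniffed the connection (shared LAN, compromised router, ...) and therefore
    # knows both counters exactly; no guessing is needed. On the wire it is "A".
    forged = Segment("A", seq=a.snd_nxt, ack=b.snd_nxt, payload=attacker_payload)
    deliver(forged, b)

    # B's reply now acknowledges data A never sent, and A's next genuine segment
    # reuses a sequence number B already consumed: the two ends are desynchronised.
    deliver(b.send(b"B" * 20), a)
    deliver(a.send(b"A" * 10), b)
    return a, b, log


if __name__ == "__main__":
    _, b, log = run_exchange()
    for entry in log:
        print("%-5s seq=%-5d ack=%-5d len=%-3d -> %s" % entry)
    print("B delivered attacker bytes:", b"rm -rf" in b.delivered)
```

In a real attack the desynchronisation produces the well-known ACK storm: A and B keep answering each other's unacceptable segments with empty ACKs until one side gives up, which is also the signature a network IDS looks for.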

Page 7

Example: SYN flood

(figure, two panels: "Normal TCP handshake" and "SYN flood")
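What the two panels show, as an added example (not the lecturer's code): a listener that keeps one half-open entry per SYN until the handshake completes or a timeout fires is exhausted by a flood of SYNs from spoofed addresses that never answer, and an honest client is refused. Beside it, a listener using SYN cookies keeps no state at all and encodes a MAC over the connection 4-tuple and a coarse timestamp in the initial sequence number it sends, so it still serves the honest client and rejects a blind ACK. Both listeners are simplified models rather than a kernel implementation (no MSS encoding in the cookie, no key rotation); addresses, key and rates are constructed.

```python
"""SYN flood against a stateful listener versus a SYN-cookie listener.

Added example for the SYN flood slide, not the lecturer's code. Both listeners
are simplified models: the classic one keeps one half-open entry per SYN until
the ACK arrives or a timeout fires; the cookie one keeps nothing and encodes a
MAC over the 4-tuple and a coarse timestamp in the ISN it sends (the idea
behind SYN cookies; MSS encoding and key rotation are left out). Addresses,
the key and the flood rate are constructed."""
import hashlib
import hmac
import os
import random
from collections import OrderedDict


class StatefulListener:
    def __init__(self, backlog, syn_timeout):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.half_open = OrderedDict()          # (saddr, sport) -> expiry time

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, saddr, sport, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return False                        # backlog exhausted: SYN dropped
        self.half_open[(saddr, sport)] = now + self.syn_timeout
        return True

    def on_ack(self, saddr, sport, now):
        self._expire(now)
        return self.half_open.pop((saddr, sport), None) is not None


class CookieListener:
    def __init__(self, key=None):
        self.key = key or os.urandom(32)

    def _mac24(self, saddr, sport, daddr, dport, t):
        msg = f"{saddr}:{sport}>{daddr}:{dport}|{t}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, saddr, sport, daddr, dport, now):
        """ISN for our SYN/ACK: 8-bit epoch counter (64 s) || 24-bit MAC.
        No per-connection state is stored."""
        t = (int(now) // 64) & 0xFF
        return (t << 24) | int.from_bytes(self._mac24(saddr, sport, daddr, dport, t), "big")

    def on_ack(self, saddr, sport, daddr, dport, ack, now):
        """The client's ACK must equal our ISN + 1; recompute and compare."""
        isn = (ack - 1) & 0xFFFFFFFF
        t, mac = isn >> 24, (isn & 0xFFFFFF).to_bytes(3, "big")
        t_now = (int(now) // 64) & 0xFF
        if ((t_now - t) & 0xFF) > 1:            # stale or bogus epoch
            return False
        return hmac.compare_digest(mac, self._mac24(saddr, sport, daddr, dport, t))


def simulate(flood_size=10_000, backlog=256):
    """Spoofed SYNs from addresses that never answer, then one honest client."""
    rng = random.Random(1)
    classic = StatefulListener(backlog=backlog, syn_timeout=60.0)
    cookies = CookieListener(key=b"\x11" * 32)
    server = ("203.0.113.10", 80)                 # TEST-NET-3, constructed
    now = 0.0
    for _ in range(flood_size):
        spoofed = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        classic.on_syn(*spoofed, now)
        cookies.on_syn(*spoofed, *server, now)    # computes an ISN, stores nothing
        now += 0.001                               # 1000 SYN/s, far below a real flood

    client = ("192.0.2.7", 40000)
    classic_ok = classic.on_syn(*client, now) and classic.on_ack(*client, now)
    isn = cookies.on_syn(*client, *server, now)
    cookie_ok = cookies.on_ack(*client, *server, (isn + 1) & 0xFFFFFFFF, now)
    # An attacker who never saw the SYN/ACK cannot produce a valid final ACK.
    blind_ok = cookies.on_ack(*client, *server, 0x12345678, now)
    return {"half_open": len(classic.half_open), "classic_ok": classic_ok,
            "cookie_ok": cookie_ok, "blind_ack_ok": blind_ok}


if __name__ == "__main__":
    print(simulate())
```

The price of statelessness is visible in the model too: the cookie listener can only reconstruct what it encoded in 32 bits, so options negotiated in the SYN (window scaling, SACK) are lost unless they are squeezed into the cookie or carried in the timestamp option, which is why real stacks enable cookies only once the backlog overflows.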

Page 8

Placement of security instruments

(figure: network layer, transport layer, application layer)

Page 9

IP layer security: IPsec

Objectives:
  secure connectivity of branch offices
  secure remote access

Advantages:
  bypass resistance
  transparency to end users and applications

Disadvantages:
  infrastructure support needed
  performance degradation

Page 10

IPsec application example

(Figure 6.1 An IP Security Scenario: a user system with IPsec and two networking devices with IPsec communicate across a public (Internet) or private network. Between IPsec-capable nodes each packet carries IP header | IPsec header | secure IP payload; on the unprotected segments it carries a plain IP header | IP payload.)

Page 11

IPsec services and protocols

Services / Protocols           AH    ESP    ESP + auth.
Access control                  X     X      X
Connectionless integrity        X            X
Data origin authentication      X            X
Replay protection               X     X      X
Confidentiality                       X      X
Traffic flow confidentiality          X      X

Page 12

IPsec modes

Transport mode
  protection of the packet payload
  used for end-to-end communication
  small performance overhead

Tunnel mode
  protection of the entire packet (payload and headers)
  communication between gateways
  invisible to intermediate routers
  considerable performance overhead

Page 13

AH service

(a) Before applying AH
    IPv4:  orig IP hdr | TCP | Data
    IPv6:  orig IP hdr | extension headers (if present) | TCP | Data

(b) Transport mode
    IPv4:  orig IP hdr | AH | TCP | Data
           authenticated except for mutable fields
    IPv6:  orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data
           authenticated except for mutable fields

(c) Tunnel mode
    IPv4:  new IP hdr | AH | orig IP hdr | TCP | Data
           authenticated except for mutable fields in the new IP header
    IPv6:  new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data
           authenticated except for mutable fields in the new IP header and its extension headers

Figure 6.6 Scope of AH Authentication
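Why "except for mutable fields" matters, as an added example (not the lecturer's code): the block builds an IPv4 packet in AH transport mode with the RFC 4302 header layout and HMAC-SHA-256-128 (RFC 4868) as the integrity algorithm, and zeroes the IPv4 fields RFC 4302 declares mutable (ToS/DSCP, flags, fragment offset, TTL, header checksum) before running the MAC on both sides. A router's TTL decrement and checksum update therefore leave the ICV valid, while a rewritten source address or a flipped payload bit do not. It omits IP options, the replay window and SA lookup; the key, addresses and payload are constructed.

```python
"""AH integrity check value over an IPv4 packet, showing why the mutable header
fields are excluded.

Added example for the AH slide, not the lecturer's code. It follows the
RFC 4302 layout (AH header: next header, payload length, reserved, SPI,
sequence number, ICV) with HMAC-SHA-256-128 (RFC 4868) and zeroes the IPv4
fields RFC 4302 lists as mutable: ToS/DSCP, flags, fragment offset, TTL and
header checksum. No IP options, no replay window, no SA lookup; the key,
addresses and payload are constructed."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16                    # HMAC-SHA-256-128: 128-bit truncated output
AH_FIXED_LEN = 12               # AH header without the ICV


def ip_checksum(hdr):
    """Ones'-complement header checksum; returns 0 for a correctly checksummed header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ttl, total_len, proto=51, tos=0):
    """20-byte IPv4 header (protocol 51 = AH, DF set) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                                ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr)


def zero_mutable(ip_hdr):
    """Copy of the header with the mutable fields zeroed; sender and receiver
    both do this before the MAC, so legitimate in-transit changes (TTL
    decrement, checksum update) do not break the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0                    # ToS / DSCP / ECN
    h[6:8] = b"\x00\x00"        # flags + fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    covered = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload   # ICV field zeroed
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(key, src, dst, payload, spi=0x1000, seq=1, ttl=64, next_header=6):
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    ip_hdr = ipv4_header(src, dst, ttl, total_len)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2          # AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify(key, pkt):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_fixed = pkt[:20], pkt[20:20 + AH_FIXED_LEN]
    icv = pkt[20 + AH_FIXED_LEN:20 + AH_FIXED_LEN + ICV_LEN]
    payload = pkt[20 + AH_FIXED_LEN + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def forward(pkt):
    """What every router on the path does: decrement TTL, fix the checksum."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def rewrite_source(pkt, new_src):
    """What a spoofing attacker (or a NAT) does: change the source address and
    fix the checksum, so only the ICV can reveal the change."""
    h = bytearray(pkt[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    struct.pack_into("!H", h, 10, ip_checksum(bytes(h)))
    return bytes(h) + pkt[20:]


if __name__ == "__main__":
    key = bytes(range(32))                           # constructed SA key
    pkt = build_packet(key, "10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0\r\n\r\n")
    print("original     :", verify(key, pkt))
    print("after 3 hops :", verify(key, forward(forward(forward(pkt)))))
    print("src rewritten:", verify(key, rewrite_source(pkt, "10.0.0.99")))
    print("payload bit  :", verify(key, pkt[:-1] + bytes([pkt[-1] ^ 1])))
```

The rewrite_source case is also why AH and NAT do not get along: a NAT changes exactly the immutable fields AH protects, so an AH packet traversing a NAT is indistinguishable from a spoofed one. ESP, which leaves the outer header out of its authentication scope, is what makes NAT traversal possible.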

Page 14

ESP service

(a) Transport mode
    IPv4:  orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
    IPv6:  orig IP hdr | hop-by-hop, dest, routing, fragment | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth

(b) Tunnel mode
    IPv4:  new IP hdr | ESP hdr | orig IP hdr | TCP | Data | ESP trlr | ESP auth
    IPv6:  new IP hdr | ext headers | ESP hdr | orig IP hdr | ext headers | TCP | Data | ESP trlr | ESP auth

In each case the fields after the ESP header up to and including the ESP trailer are encrypted, and the ESP header up to and including the ESP trailer is authenticated; the outer IP header (and, for IPv6, the extension headers that precede the ESP header) is neither.

Figure 6.9 Scope of ESP Encryption and Authentication

Page 15

Transport layer security: SSL/TLS

Objectives:
  secure information transmission in Internet applications
  mutual authentication in Internet applications (client authentication is optional and rarely used on the public web)

Advantages:
  secure end-to-end communication over TCP (not limited to HTTP)

Disadvantages:
  PKI support needed
  potential use of weak cryptographic algorithms (e.g. RC4)

Page 16

SSL architecture

An SSL connection corresponds to a TCP connection. An SSL session represents an association between a client and a server; a session defines parameters that can be shared between connections.

Page 17

SSL Record Protocol

Carries out the information transfer and provides confidentiality and message integrity services.

Page 18

SSL handshake protocol

Client and Server:

  Client -> Server: random number, crypto info
  Server -> Client: random number, crypto info
  Server -> Client: server certificate; request for client authentication
  Client:           extract server public key
  Client -> Server: client certificate; hash over previous messages
  Server:           extract client public key
  Client -> Server: random pre-master secret (encrypted with the server's public key)
  Client, Server:   calculate master secret
  Client, Server:   switch to master secret; end handshake
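The two computational steps of the ladder, "calculate master secret" and "hash over previous messages", worked as an added example (not the lecturer's code): the TLS 1.2 PRF (P_SHA256), the master secret and key block derivations, and the Finished verify_data, written as RFC 5246 sections 5, 6.3, 7.4.9 and 8.1 define them. Both sides derive the same 48-byte master secret from the same three inputs; a transcript altered in flight (here a downgraded cipher suite) makes the peer's recomputed verify_data differ; and a fresh server random defeats replay of a captured pre-master secret. The RSA encryption of the pre-master secret and certificate handling are outside the block; randoms, pre-master secret, transcript and key sizes are constructed values.

```python
"""The "calculate master secret" and "hash over previous messages" steps of the
handshake, worked with the TLS 1.2 PRF.

Added example for the handshake slide, not the lecturer's code. It implements
P_SHA256 / PRF, the master secret and key block derivations and the Finished
verify_data computation as RFC 5246 (sections 5, 6.3, 7.4.9, 8.1) defines them;
RSA encryption of the pre-master secret and certificate handling are outside
the block. Randoms, pre-master secret, transcript and key sizes are constructed."""
import hashlib
import hmac


def p_sha256(secret, seed, length):
    """P_hash expansion: HMAC(secret, A(i) || seed) with A(0) = seed, A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """48 bytes; both randoms enter, so a replayed pre-master secret yields a new key."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the six per-direction values. The randoms
    are concatenated in the opposite order to master_secret()."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def verify_data(master, role, transcript):
    """Finished message content: PRF over the hash of every handshake message so far."""
    label = b"client finished" if role == "client" else b"server finished"
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def handshake_demo():
    client_random = bytes(range(32))                 # constructed; normally 32 random bytes
    server_random = bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(range(46))      # client_version || 46 random bytes (RSA key exchange)
    transcript = (b"ClientHello:TLS1.2:TLS_RSA_WITH_AES_128_CBC_SHA256|"
                  b"ServerHello:TLS1.2:TLS_RSA_WITH_AES_128_CBC_SHA256|"
                  b"Certificate:...|ClientKeyExchange:...")   # constructed stand-in for the real messages

    # Each side derives the same master secret from the same three inputs.
    ms_client = master_secret(pre_master, client_random, server_random)
    ms_server = master_secret(pre_master, client_random, server_random)
    keys = key_block(ms_client, client_random, server_random, mac_len=32, key_len=16, iv_len=16)

    # The client's Finished covers the transcript; if an attacker changed a
    # handshake message in flight (e.g. the cipher suite), the server's
    # recomputation over its own view of the transcript will not match.
    client_finished = verify_data(ms_client, "client", transcript)
    tampered = transcript.replace(b"AES_128_CBC_SHA256", b"RC4_128_SHA")
    return {
        "master_secrets_equal": ms_client == ms_server,
        "master_secret_len": len(ms_client),
        "client_write_key_len": len(keys["client_key"]),
        "finished_ok": hmac.compare_digest(client_finished, verify_data(ms_server, "client", transcript)),
        "finished_after_tampering_ok": hmac.compare_digest(client_finished, verify_data(ms_server, "client", tampered)),
        "replay_with_new_server_random_reuses_key":
            master_secret(pre_master, client_random, bytes(32)) == ms_client,
    }


if __name__ == "__main__":
    for k, v in handshake_demo().items():
        print(f"{k}: {v}")
```

The Finished check is the handshake's defence against the downgrade that the slide's "weak cryptographic algorithms" disadvantage alludes to: an attacker can strip strong suites from ClientHello, but unless the master secret is also known, the mismatch in verify_data aborts the connection.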

Page 19

Application layer security: SSH

Applications:
  secure remote login
  secure services (e.g. FTP, copy) over an insecure network
  secure port forwarding

Advantages:
  various authentication methods
  a neat way to circumvent firewalls

Disadvantages:
  point-to-point only
  some security vulnerabilities

Page 20

SSH architecture

Page 21

SSH functionality

Remote login
  username / password
  public key

Remote command execution
Remote copying (scp, the rcp protocol carried over SSH)
Secure ftp service (sftp)
Remote synchronization (rsync)
Port forwarding and tunneling
Secure file system mounting (sshfs)

Page 22

SSH port forwarding

Syntax:

Local forwarding:   ssh -L 1521:localhost:23 username@host
  the SSH client listens on local port 1521; each connection to it is carried through the SSH session and delivered by the server to localhost:23, where "localhost" is resolved on the server side

Remote forwarding:  ssh -R 1521:localhost:23 username@host
  the SSH server listens on port 1521 on host; each connection to it is carried back through the session and delivered by the client to localhost:23, resolved on the client side

Page 23

SSH port forwarding: examples

IMAP requests to an internal IMAP server:

  ssh -L 8143:exchange.first.fraunhofer.de:993 [email protected]

Sending mail over an internal server:

  ssh -L 8025:smtpserv.uni-tuebingen.de:25 [email protected]

Browsing with an external IP address:

  ssh -L 8081:proxy0.first.fraunhofer.de:3128 -L 8080:proxy0.first.fraunhofer.de:3128 [email protected]
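The listen-and-copy mechanics behind `-L`, as an added example (not the lecturer's code and not OpenSSH's): a stand-alone relay binds a loopback port, and for every accepted client opens a connection to the target and pumps bytes both ways, with a half-close in each direction when one side finishes. Real `ssh -L local:host:port` does the same at the client end but hands the upstream connection to the SSH server over the encrypted channel, so `host` is resolved remotely; this relay connects directly and carries no encryption. A stub service standing in for the internal IMAP server, its greeting, the request and the OS-chosen loopback ports are all constructed.

```python
"""A local port forwarder of the kind `ssh -L` sets up at the client end,
stripped of the SSH transport.

Added example for the port-forwarding slides, not the lecturer's code and not
OpenSSH's. Real `ssh -L local:host:port` accepts on the local port and has the
SSH server open the connection to host:port over the encrypted channel; this
stand-alone relay opens the upstream connection itself, so it shows the
listen-and-copy mechanics only, with no encryption. The stub service, its
greeting, the request and the loopback ports (picked by the OS) are constructed."""
import socket
import threading


def start_stub_service():
    """Stand-in for the internal server (e.g. an IMAP server): reads one request
    and answers it. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        conn, _ = srv.accept()
        with conn:
            request = conn.recv(4096)
            conn.sendall(b"* OK internal service received: " + request)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on (half-close)."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def local_forward(listen_port, target_host, target_port):
    """Listen on 127.0.0.1:listen_port; for each accepted client open a
    connection to the target and pump bytes in both directions. Binding to the
    loopback address (OpenSSH's default unless -g or a bind address is given)
    keeps other hosts from using the forward. Returns the bound port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("127.0.0.1", listen_port))
    lsock.listen(5)

    def accept_loop():
        while True:
            client, _ = lsock.accept()
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:
                client.close()          # like ssh: this channel fails, the listener stays
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def demo(request=b"a1 LOGIN alice secret\r\n"):
    """Talk to the stub service through the forward; returns the service's answer."""
    service_port = start_stub_service()
    local_port = local_forward(0, "127.0.0.1", service_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as s:
        s.sendall(request)
        s.shutdown(socket.SHUT_WR)
        answer = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            answer += chunk
    return answer


if __name__ == "__main__":
    print(demo().decode())
```

The relay is also a reminder of what the firewall-circumvention "advantage" costs the defender: everything the forwarder carries looks like one outbound SSH session at the perimeter, so the only place the IMAP or proxy traffic is visible in the clear is the two ends.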

Page 24

Summary

Network security technologies can be deployed at all layers of the network protocol stack.
IP layer security provides a transparent security service but needs infrastructure support.
Transport layer security provides reliable end-to-end security services.
Application layer security mechanisms can be tailored to specific application needs.