Introduction to Computer Security
Network Security
Pavel Laskov
Wilhelm Schickard Institute for Computer Science
Circuit switching vs. packet switching
OSI and TCP/IP layered models
TCP/IP encapsulation
TCP connection synchronization
Initial handshake
  Host A                        Host B
  Send SYN seq=x          -->   Receive SYN
  Receive SYN + ACK       <--   Send SYN seq=y, ACK x+1
  Send ACK y+1            -->   Receive ACK
  ... data transmission ...
Termination
  Host A                        Host B
  Send FIN seq=x          -->   Receive FIN
  Receive ACK             <--   Send ACK x+1
  Receive FIN + ACK       <--   Send FIN seq=y, ACK x+1
  Send ACK y+1            -->   Receive ACK
What can go wrong: TCP session hijacking
Seq: x PSH/ACK: y (60)
Seq: y PSH/ACK: x+60 (20)
Seq: x+60 PSH/ACK: y+20 (30)
Seq: y+20 PSH/ACK: x+90 (20)
Seq: x+90 PSH/ACK: y+40 (30)
Seq: y+40 PSH/ACK: x+120 (20)
(Figure: each segment above travels between hosts A and B; one sender is labelled C(A).)
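Added example, not part of the original slides: a passive monitor that flags a sequence range re-sent under the same source address with different bytes, which is what an observer sees once A sends its own data after an injected segment. It assumes the segment labelled C(A) is the fifth one; the values of x and y, the payload bytes and all names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    src: str         # claimed sender, i.e. the source address on the wire
    seq: int         # sequence number of the first payload byte
    ack: int         # next byte expected from the peer
    payload: bytes

class FlowMonitor:
    """Flags a segment that re-sends an already seen sequence range with
    different bytes. Sequence wrap-around (mod 2**32) is ignored here."""

    def __init__(self):
        self.seen = {}   # (claimed sender, sequence number) -> byte value

    def observe(self, seg):
        for i, byte in enumerate(seg.payload):
            key = (seg.src, seg.seq + i)
            if self.seen.setdefault(key, byte) != byte:
                return f"conflict: {seg.src} seq={seg.seq} differs from earlier data"
        return None

def build_trace(x, y):
    """The six segments from the slide plus A's own next segment.
    Payload bytes are constructed; lengths match the slide."""
    return [
        Segment("A", x,      y,       b"a" * 60),
        Segment("B", y,      x + 60,  b"b" * 20),
        Segment("A", x + 60, y + 20,  b"a" * 30),
        Segment("B", y + 20, x + 90,  b"b" * 20),
        Segment("A", x + 90, y + 40,  b"C" * 30),   # sent by C with A's address
        Segment("B", y + 40, x + 120, b"b" * 20),
        Segment("A", x + 90, y + 40,  b"a" * 30),   # A itself never sent x+90..x+119
    ]

def check(trace):
    """Return {segment number: alert} for every segment the monitor flags."""
    mon = FlowMonitor()
    return {n: alert for n, seg in enumerate(trace, 1)
            if (alert := mon.observe(seg))}
```

The injected segment itself raises no alert because its sequence and acknowledgement numbers are exactly the ones B expects; only A's later, conflicting data exposes it.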
Example: SYN flood
(Figure panels: Normal TCP handshake; SYN flood)
Placement of security instruments
(Figure panels: Network layer; Transport layer; Application layer)
IP layer security: IPsec
Objectives:
- secure connectivity of branch offices
- secure remote access
Advantages:
- bypass resistance
- transparency to end users and applications
Disadvantages:
- infrastructure support needed
- performance degradation
IPsec application example
Figure 6.1 An IP Security Scenario
(Figure: a user system with IPSec and two networking devices with IPSec are connected through a public (Internet) or private network. Packets shown with IP header and IP payload, and with IP header, IPSec header and secure IP payload.)
IPsec services and protocols
Services / Protocols            AH    ESP   ESP + auth.
Access control                  X     X     X
Connectionless integrity        X           X
Data origin authentication      X           X
Replay protection               X     X     X
Confidentiality                       X     X
Traffic flow confidentiality          X     X
IPsec modes
Transport mode
- Protection of packet payload
- Used for end-to-end communication
- Small performance overhead
Tunnel mode
- Protection of entire packet (payload and headers)
- Communication between gateways
- Invisible to intermediate routers
- Considerable performance overhead
AH service
Transport mode
Figure 6.6 Scope of AH Authentication
(a) Before Applying AH
  IPv4: orig IP hdr | TCP | Data
  IPv6: orig IP hdr | extension headers (if present) | TCP | Data
(b) Transport Mode
  IPv4: orig IP hdr | AH | TCP | Data
        authenticated except for mutable fields
  IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data
        authenticated except for mutable fields
Tunnel mode
Figure 6.6 Scope of AH Authentication
(c) Tunnel Mode
  IPv4: New IP hdr | AH | orig IP hdr | TCP | Data
        authenticated except for mutable fields in the new IP header
  IPv6: new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data
        authenticated except for mutable fields in new IP header and its extension headers
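Added example, not part of the original slides: what "authenticated except for mutable fields" means for an IPv4 header. The integrity check value is computed with the fields that routers change set to zero, so a TTL decrement still verifies while a rewritten source address does not. The key, addresses, checksum values and function names are constructed, HMAC-SHA-256 truncated to 128 bits is an assumed algorithm choice, and IP options are not handled.

```python
import hashlib
import hmac
import struct

def ipv4_header(src, dst, ttl, checksum, tos=0, flags_frag=0):
    """20-byte IPv4 header (IHL=5, no options); protocol 51 = AH."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 64, 0x1C46, flags_frag,
                       ttl, 51, checksum, bytes(src), bytes(dst))

def zero_mutable(hdr):
    """Zero the IPv4 fields that may change in transit (RFC 4302)."""
    h = bytearray(hdr)
    h[1] = 0                    # DSCP/ECN (former TOS byte)
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return bytes(h)

def ah_icv(key, ip_hdr, spi, seq, payload):
    """ICV over the IP header with mutable fields zeroed, the AH header
    with a zeroed ICV field, and the upper-layer data."""
    icv_len = 16
    ah_words = (12 + icv_len) // 4 - 2          # AH "payload length" field
    ah_hdr = struct.pack("!BBHII", 6, ah_words, 0, spi, seq) + bytes(icv_len)
    mac = hmac.new(key, zero_mutable(ip_hdr) + ah_hdr + payload, hashlib.sha256)
    return mac.digest()[:icv_len]

def verify(key, ip_hdr, spi, seq, payload, icv):
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)

# Constructed sample values; the checksums are placeholders, not computed.
KEY = bytes(range(32))
A, B, C = (192, 0, 2, 10), (198, 51, 100, 20), (203, 0, 113, 66)
DATA = b"constructed TCP segment bytes"

def demo():
    sent = ipv4_header(A, B, ttl=64, checksum=0xB1E6)
    icv = ah_icv(KEY, sent, spi=0x100, seq=1, payload=DATA)
    routed = ipv4_header(A, B, ttl=57, checksum=0xB8E6)     # 7 hops later
    spoofed = ipv4_header(C, B, ttl=64, checksum=0xB1E6)    # source rewritten
    return {
        "after_routing": verify(KEY, routed, 0x100, 1, DATA, icv),
        "spoofed_source": verify(KEY, spoofed, 0x100, 1, DATA, icv),
        "modified_data": verify(KEY, sent, 0x100, 1, DATA + b"!", icv),
    }
```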
ESP service
Transport mode
Figure 6.9 Scope of ESP Encryption and Authentication
(a) Transport Mode
  IPv4: orig IP hdr | ESP hdr | TCP | Data | ESP trlr | ESP auth
  IPv6: orig IP hdr | hop-by-hop, dest, routing, fragment | ESP hdr | dest | TCP | Data | ESP trlr | ESP auth
  encrypted: the fields after ESP hdr up to and including ESP trlr
  authenticated: ESP hdr through ESP trlr
Tunnel mode
Figure 6.9 Scope of ESP Encryption and Authentication
(b) Tunnel Mode
  IPv4: New IP hdr | ESP hdr | orig IP hdr | TCP | Data | ESP trlr | ESP auth
  IPv6: new IP hdr | ext headers | ESP hdr | orig IP hdr | ext headers | TCP | Data | ESP trlr | ESP auth
  encrypted: the fields after ESP hdr up to and including ESP trlr
  authenticated: ESP hdr through ESP trlr
Transport layer security: SSL/TLS
Objectives:
- secure information transmission in Internet applications
- mutual authentication in Internet applications
Advantages:
- secure end-to-end communication over TCP (not limited to HTTP)
Disadvantages:
- PKI support needed
- potential use of weak cryptographic algorithms (e.g. RC4)
SSL architecture
- SSL connections correspond to TCP connections.
- SSL sessions represent an association between a client and a server. Sessions define parameters that can be shared between connections.
SSL Record Protocol
- Carries out information transfer
- Provides confidentiality and message integrity services.
SSL handshake protocol
Client -> Server: Random number, crypto info
Server -> Client: Random number, crypto info
Server -> Client: Server certificate, request client auth.
Client: Extract server public key
Client -> Server: Client certificate, hash over prev. messages
Server: Extract client public key
Client -> Server: Random pre-master secret
Client and Server: Calculate master secret
Client -> Server: Switch to master secret, end handshake
Server -> Client: Switch to master secret, end handshake
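Added example, not part of the original slides: the "calculate master secret" step carried out with the TLS 1.2 pseudo-random function from RFC 5246, which is an assumption since the slide does not say which derivation is meant. It shows how the two hello random numbers and the pre-master secret yield the master secret and the per-direction keys; the random values, the pre-master secret and the key sizes are constructed.

```python
import hashlib
import hmac

def p_sha256(secret, seed, length):
    """P_hash from RFC 5246, section 5: A(0)=seed, A(i)=HMAC(secret, A(i-1));
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def prf(secret, label, seed, length):
    return p_sha256(secret, label + seed, length)

def master_secret(pre_master, client_random, server_random):
    # Both random numbers from the hello messages enter the derivation.
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master, client_random, server_random, length):
    # Key expansion uses the randoms in the opposite order.
    return prf(master, b"key expansion", server_random + client_random, length)

# Constructed handshake values; a real pre-master secret is random.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)

def handshake_keys(pre_master, client_random, server_random):
    """What each side computes once the pre-master secret is shared:
    the master secret, two MAC keys and two encryption keys."""
    ms = master_secret(pre_master, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * 32 + 2 * 16)
    return {"master": ms, "client_mac": kb[0:32], "server_mac": kb[32:64],
            "client_key": kb[64:80], "server_key": kb[80:96]}
```

Because fresh random numbers enter every derivation, replaying an old pre-master secret into a new handshake produces different keys.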
Application layer security: SSH
Applications
- secure remote login
- secure services (e.g. FTP, copy) over an insecure network
- secure port forwarding
Advantages
- various authentication methods
- a neat way to circumvent firewalls
Disadvantages
- point-to-point only
- some security vulnerabilities
SSH architecture
SSH functionality
- Remote login
  - Username / password
  - Public key
- Remote command execution
- Remote copying (rcp)
- Secure ftp service (sftp)
- Remote synchronization (rsync)
- Port forwarding and tunneling
- Secure file system mounting (sshfs)
SSH port forwarding
Syntax:
Local forwarding: ssh -L 1521:localhost:23 username@host
Remote forwarding: ssh -R 1521:localhost:23 username@host
SSH port forwarding: examples
IMAP requests for an internal IMAP server:
ssh -L 8143:exchange.first.fraunhofer.de:993
Sending mail over an internal server:
ssh -L 8025:smtpserv.uni-tuebingen.de:25
Browsing with an external IP address:
ssh -L 8081:proxy0.first.fraunhofer.de:3128 -L 8080:proxy0.first.fraunhofer.de:3128
Summary
- Network security technologies can be deployed at all layers of network protocols.
- IP layer security provides a transparent security service; needs, however, infrastructure support.
- Transport layer security provides reliable end-to-end security services.
- Application layer security mechanisms can be tailored to specific application needs.