1. TCP/IP Protocol Suite1 Lecturer 8

2. TCP/IP Protocol Suite2 INTRODUCTION We are living in the information age. We need to keep information about every aspect of our lives. In other words, information is an asset that has a value like any other asset. As an asset, information needs to be secured from attacks. To be secured, information needs to be hidden from unauthorized access (confidentiality), protected from unauthorized change (integrity), and available to an authorized entity when it is needed (availability). This is called network security.

3. Computer and Network Security Requirements Confidentiality – Requires information in a computer system only be accessible for reading by authorized parties – Message confidentiality or privacy means that the sender and the receiver expect confidentiality. – The transmitted message must make sense to only the intended receiver. – To all others, these messages must be garbage Integrity – Assets can be modified by authorized parties only Availability – Assets be available to authorized parties Authenticity – Requires that a computer system be able to verify the identity of a user

4. Threat, attacker and hacker  Threat: is also called a malicious actor, is an entity that is partially or wholly responsible for a security incident that impacts – or has the potential to impact – an organization’s security.  Hacker: in computing, a hacker is any skilled computer expert that uses their technical knowledge to overcome a problem. While “hacker” can refer to any computer programmer, the term has become associated in popular culture with a “security hacker“, someone who, with their technical knowledge, uses bugs or exploits to break into computer systems.  Attacker: According to Wikipedia, “In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.” Thus, an attacker is the individual or organization performing these malicious activities.

5. Types of Threats Interruption: – An asset of the system is destroyed of becomes unavailable or unusable – Attack on availability – Destruction of hardware – Cutting of a communication line – Disabling the file management system

6. Types of Threats Interception: – An unauthorized party gains access to an asset – Attack on confidentiality – Wiretapping to capture data in a network – Illicit copying of files or programs

7. Types of Threats Modification: – An unauthorized party not only gains access but tampers with an asset – Attack on integrity – Changing values in a data file – Altering a program so that it performs differently – Modifying the content of messages being transmitted in a network

8. Types of Threats Fabrication: – An unauthorized party inserts counterfeit objects into the system – Attack on authenticity – Insertion of spurious messages in a network – Addition of records to a file

9. Ancient Ciphers to Modern Cryptosystems  Cryptography:- it a word with Greek origins, means "secret writing." However, we use the term to refer to the science and art of transforming messages to make them secure and immune to attacks

10. Ancient Ciphers to Modern Cryptosystems  Some terminologies in cryptosystem plaintext - original message Cipher text - coded message cipher - algorithm for transforming plaintext to cipher text key – is set of numbers or information used in cipher known only to sender/receiver encipher (encrypt) - converting plaintext to cipher text decipher (decrypt) - recovering cipher text from plaintext cryptanalysis (code breaking) - study of principles/ methods of deciphering cipher text without knowing key cryptology - field of both cryptography and cryptanalysis

11. Network Security The language of cryptography m plaintext message K A (m) ciphertext, encrypted with key K A m = K B (K A (m)) plaintext ciphertext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B

12. TCP/IP Protocol Suite12 A substitution cipher replaces one symbol with another. Note Encryption schemes

13. Network Security Simple encryption scheme substitution cipher: substituting one thing for another – Mono alphabetic cipher: substitute one letter for another – If key is a=m plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc e.g.: Encryption key: mapping from set of 26 letters to set of 26 letters

14. Network Security

15. TCP/IP Protocol Suite15 In additive cipher, the plaintext, cipher text, and key are integers in modulo 26.

16. TCP/IP Protocol Suite16 Use the additive cipher with key = 15 to encrypt the message “hello”. Solution We apply the encryption algorithm to the plaintext, character by character. The result is “WTAAD”. Note that the cipher is monoalphabetic because two instances of the same plaintext character (ls) are encrypted as the same character (A). Example Example encrypt

17. TCP/IP Protocol Suite17 Use the additive cipher with key = 15 to decrypt the message “WTAAD”. Solution We apply the decryption algorithm to the plaintext character by character. The result is “hello”. Note that the operation is in modulo 26, which means that we need to add 26 to a negative result (for example  15 becomes 11). Example Example decrypt

18. TCP/IP Protocol Suite18 Transposition cipher reorder symbols

19. TCP/IP Protocol Suite19 Categories of Cryptography  Symmetric-key cryptography  is based on sharing secrecy;  symmetric-key cryptography, symbols are permuted or substituted;  Asymmetric-key cryptography  Asymmetric-key cryptography is based on personal secrecy.  In asymmetric-key cryptography, numbers are manipulated  Asymmetric-key ciphers are sometimes called public-key ciphers

20. Network Security Public Key Cryptography symmetric key crypto requires sender, receiver know shared secret key Traditional cypher public key crypto  radically different approach  sender, receiver do not share secret key  public encryption key known to all  private decryption key known only to receiver

21. TCP/IP Protocol Suite21 Locking and unlocking in asymmetric-key cryptosystem

22. Network Security Ways to breaking an encryption scheme cipher-text only attack: attacker has ciphertext he/she can analyze two approaches: – brute force: search through all keys – statistical analysis known-plaintext attack: attacker has plaintext corresponding to ciphertext – e.g., in monoalphabetic cipher, attacker determines pairings for a,l,i,c,e,b,o, chosen-plaintext attack: attacker can get ciphertext for chosen plaintext

23. Securing TCP connections: SSL(secure Socket Layer)

24. Network Security SSL and TCP/IP Application TCP IP normal application Application SSL TCP IP application with SSL  SSL provides application programming interface (API) to applications  C and Java SSL libraries/classes readily available

25. Network Security Toy SSL: a simple secure channel handshake: Alice and Bob use their certificates, private keys to authenticate each other and exchange shared secret key derivation: Alice and Bob use shared secret to derive set of keys data transfer: data to be transferred is broken up into series of records connection closure: special messages to securely close connection

26. Network Security What is network-layer confidentiality ? between two network entities: sending entity encrypts datagram payload, payload could be: – TCP or UDP segment, ICMP message, OSPF message …. all data sent from one entity to other would be hidden: – web pages, e-mail, P2P file transfers, TCP SYN packets …

27. Network Security Two IPsec protocols Authentication Header (AH) protocol – provides source authentication & data integrity but not confidentiality Encapsulation Security Protocol (ESP) – provides source authentication, data integrity, and confidentiality – more widely used than AH

28. Operational Network security: firewalls and IDS(Intrusion Detection System)

29. Network Security Firewalls isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others firewall administered network public Inter net firewall trusted “good guys” untrusted “bad guys”

30. Network Security Firewalls: why? prevent denial of service attacks:  SYN flooding: attacker establishes many bogus TCP connections, no resources left for “real” connections prevent illegal modification/access of internal data  e.g., attacker replaces CIA’s homepage with something else allow only authorized access to inside network  set of authenticated users/hosts three types of firewalls:  stateless packet filters  stateful packet filters  application gateways

31. Network Security Stateless packet filtering internal network connected to Internet via router firewall router filters packet-by-packet, decision to forward/drop packet based on: – source IP address, destination IP address – TCP/UDP source and destination port numbers – ICMP message type – TCP SYN and ACK bits Should arriving packet be allowed in? Departing packet let out?

32. Stateless packet filtering: example Network Security example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23 – result: all incoming, outgoing UDP flows and telnet connections are blocked example 2: block inbound TCP segments with ACK=0. – result: prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Looks at the incoming packet and permits or denies it based strictly on the rule base

33. Network Security PolicyFirewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s public Web server only. Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80 Prevent Web-radios from eating up the available bandwidth. Drop all incoming UDP packets - except DNS and router broadcasts. Prevent your network from being used for a smurf DoS attack. Drop all ICMP packets going to a “broadcast” address (e.g. 130.207.255.255). Prevent your network from being tracerouted Drop all outgoing ICMP TTL expired traffic Stateless packet filtering : more examples

34. Network Security Stateful packet filtering stateless packet filter: heavy handed tool – admits packets that “make no sense,” e.g., dest port = 80, ACK bit set, even though no TCP connection established: action source address dest address protocol source port dest port flag bit allowoutside of 222.22/16 TCP80> 1023ACK  stateful packet filter: track status of every TCP connection  track connection setup (SYN), teardown (FIN): determine whether incoming, outgoing packets “makes sense”  timeout inactive connections at firewall: no longer admit packets

35. Network Security action source address dest address proto source port dest port flag bit check conxion allow222.22/16 outside of 222.22/16 TCP> 102380 any allowoutside of 222.22/16 TCP80> 1023ACK x allow222.22/16 outside of 222.22/16 UDP> 102353--- allowoutside of 222.22/16 UDP53> 1023---- x denyall Stateful packet filtering con’d…  ACL(Access Control List) augmented to indicate need to check connection state table before admitting packet

36. Network Security Application gateways filters packets on application data as well as on IP/TCP/UDP fields. example: allow select internal users to telnet outside. host-to-gateway telnet session gateway-to-remote host telnet session application gateway router and filter 1. require all telnet users to telnet through gateway. 2. for authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. router filter blocks all telnet connections not originating from gateway.

37. Network Security Intrusion detection systems Intrusion: An illegitimate user gains access to someone else’s computer systems. Intrusion detection is a technology for detecting intrusion incidents. Closing TCP and UDP ports that may be exploited by intruders can also help reduce intrusions packet filtering: – operates on TCP/IP headers only IDS: intrusion detection system – deep packet inspection: look at packet contents (e.g., check character strings in packet against database of known virus, attack strings) – examine correlation among multiple packets port scanning network mapping DoS: Denial of Service

38. Network Security Web server FTP server DNS server Internet demilitarized zone firewall IDS sensors Intrusion detection systems multiple IDSs: different types of checking at different locations internal network

39. Proxy Server Clients never directly connect to the Internet This saves bandwidth, because one copy of a popular Web page can be used many times Allows a company to block forbidden Web sites It also prevents many attacks the same way NAT does Reverse proxy – Does not serve clients but instead routes incoming requests to the correct server

40. Reverse Proxy Connect to Web server 1

41. Henric Johnson41 Methods of Defence Encryption Software Controls (access limitations in a data base, in operating system protect each user from other users) Hardware Controls (smartcard) Policies (frequent changes of passwords) Physical Controls

42. Thank you!!!