PRINCESS NORA BINT ABDULRAHMAN UNIVERSITY COLLEGE OF COMPUTER AND INFORMATION SCIENCES NETWORKS DEPARTMENT Network Security Net 536 l.Tahani Aljehani.



TCP/IP  Ideally, a secure network architecture is designed before any systems are in place. TCP/IP review: the Internet is made up of a wide variety of computers, from supercomputers to personal computers, each running its own operating system and applications. How do all of these computers understand each other and work together? A set of rules (protocols) governs communication, so that each computer knows how to act and how to interpret the actions of the others.

TCP/IP When transferring information across a network, TCP breaks the information into small pieces (segments, carried in packets). Each packet is sent separately. TCP detects errors and loss of data and retransmits what is missing. IP carries the TCP segments from one computer to the other based on the 4-byte destination IP address in each packet. Each computer is uniquely identified by its IP address. When a client requests a service from a server, it first establishes a TCP connection with the server.

IP  The IP portion of TCP/IP is responsible for forwarding packets from node to node on the network until they reach their final destination.  Routing is based on the IP address assigned to every host on the Internet.  There are two standards for IP addresses:  IPv4 and  IPv6.

IPV4  An IPv4 address is the 4-byte (32-bit) address carried, as source and destination, in every packet.  It is usually written in dotted-decimal form as four octets, each from 0 to 255.  A reserved address is used to broadcast to all hosts on the local network.  An IP address is divided into a portion that identifies the network and a portion that identifies the host (node) on that network.  Historically a network was assigned to a class from A through E, and the class determined which bits refer to the network and which to the host; today the split is given explicitly by a prefix length (CIDR), so filter rules should state the prefix rather than rely on class boundaries.

IPV6  IPv6 uses 128-bit addresses, so it has 2^96 (roughly 7.9 × 10^28) times as many addresses as IPv4's 2^32.  Instead of decimal octets, an IPv6 address is written as 8 groups of up to 4 hexadecimal digits separated by colons.  IPv6 was specified with IPsec (authentication and confidentiality) as an integral part of the protocol suite, although its use is still a deployment decision, not something hosts get automatically.  Most current operating systems support IPv6, and systems are expected to migrate to the new standard gradually over several years.

TCP/IP connection  A TCP connection has three phases:  connection establishment (three-way handshake)  data exchange  connection termination.  A port number is used to distinguish the various services on a host.  A port identifies a specific service on a computer in a network.

TCP/IP connection Port 80 is used by HTTP (sending and retrieving web pages). Port numbers are 16-bit values, so they range from 0 to 65535. An end-to-end connection is identified by the 4-tuple: source IP address, source port, destination IP address, destination port (together with the transport protocol). Basic connection: the client browser first picks an unused dynamic (ephemeral) port

Types of attacks  Remote code execution: occurs when an attacker exploits a flaw in software to run code of the attacker's choosing on the target, typically with the privileges of the exploited process rather than the user's own.  Denial of service: an attacker sends a large number of TCP SYN packets to a target. A SYN is the first segment of the three-way handshake; the server normally responds with a SYN-ACK and allocates state (buffers) for the new session. The attacking host never completes the handshake, so half-open connections accumulate until the server's backlog is exhausted (a SYN flood).  Worms and viruses: automated attacks, programmed to spread themselves as rapidly and widely as possible.  Trojans and spyware: installed alongside other software. They collect information about the system (passwords, visited websites, ...), and the collected information can be sent to someone else.
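The SYN-flood description above comes down to one measurable signal: SYNs that are never followed by the client's ACK. The following is an added example, not code from the lecture, that counts those half-open connections per service over a packet log. The log format (one packet per line, "<time> <src_ip>:<sport> > <dst_ip>:<dport> <flags>", with S = SYN, S. = SYN-ACK, . = ACK only) and the traffic in it are constructed for illustration.

```python
"""Counting half-open TCP connections (SYN seen, handshake never completed)
over a packet log, the signal behind SYN-flood detection.

Added example, not from the lecture. The log format and the traffic are
constructed for illustration (flags: S = SYN, S. = SYN-ACK, . = ACK only).
"""
from collections import Counter

# Constructed sample: one completed handshake from 10.0.0.5, then 120 SYNs
# from spoofed sources to 192.0.2.10:80 that are never followed by an ACK.
SAMPLE_LOG = (
    "0.000 10.0.0.5:51234 > 192.0.2.10:80 S\n"
    "0.001 192.0.2.10:80 > 10.0.0.5:51234 S.\n"
    "0.002 10.0.0.5:51234 > 192.0.2.10:80 .\n"
    + "".join(
        f"{0.010 + i * 0.001:.3f} 198.51.100.{i % 250 + 1}:{40000 + i} > 192.0.2.10:80 S\n"
        for i in range(120)
    )
)


def parse_line(line: str):
    """Split one log line into (time, src_ip, src_port, dst_ip, dst_port, flags)."""
    t, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport), flags


def track_handshakes(log_text: str):
    """Return (pending, completed).

    pending maps the client-side 4-tuple of each SYN not yet acknowledged to
    the SYN's timestamp; completed is the set of 4-tuples whose final ACK was
    seen. The 4-tuple (src IP, src port, dst IP, dst port) is what identifies
    a TCP connection end to end.
    """
    pending, completed = {}, set()
    for line in log_text.splitlines():
        t, sip, sport, dip, dport, flags = parse_line(line)
        key = (sip, sport, dip, dport)
        if flags == "S":                         # client SYN opens a half-open entry
            pending[key] = t
        elif flags == "." and key in pending:    # client's ACK completes it
            completed.add(key)
            del pending[key]
        # SYN-ACKs from the server carry the reversed tuple; nothing to record.
    return pending, completed


def half_open_counts(log_text: str) -> Counter:
    """Half-open connections per (destination IP, destination port)."""
    pending, _ = track_handshakes(log_text)
    return Counter((dip, dport) for (_, _, dip, dport) in pending)


def syn_flood_targets(log_text: str, threshold: int = 100):
    """Services holding more than `threshold` half-open connections.

    The threshold is a tuning knob: a busy server legitimately holds some
    half-open entries at any moment, so alert on the excess, not on any SYN.
    """
    return [svc for svc, n in half_open_counts(log_text).items() if n > threshold]


if __name__ == "__main__":
    print(half_open_counts(SAMPLE_LOG))
    print("suspected SYN flood against:", syn_flood_targets(SAMPLE_LOG))
```

Only the client-side SYN and ACK are tracked; the server's SYN-ACK is deliberately ignored, so a target that has stopped answering (backlog full) still shows up with the same count.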

Security principles  1- Least privilege: a user (or process) should have only the privileges needed to do its job. It is enforced at several levels: the operating system uses access control lists (ACLs) that state which access rights each user has to a particular object, and network devices such as routers and firewalls use ACLs that state which hosts may reach which services.  For example, a backup user does not need to install software; the backup user has rights only to run backup and backup-related applications, and any other privilege, such as installing new software, is denied.  2- Layered security: security functions should happen at multiple layers, so that a control that one layer cannot apply is applied by another.  For example, an attacker can send malicious code or instructions to a server inside otherwise legitimate traffic; a packet filter cannot read the payload of individual packets, so a proxy in the middle is needed to inspect the application data.

Layered security  Physical layer: traditional measures such as cameras and walls keep unauthorized users away from equipment.  Data link layer: unused switch ports can be disabled; VPNs can also be used.  Network and transport layers: firewalls and ACLs restrict access by address and by TCP/UDP port; intrusion detection may base its decisions on port numbers.  Proxies operate between the transport and the application layer.  At the top are application content inspection services (anti-virus scanners, ...).

Segmentation  Is based on layered security and the principle of least privilege.  Functional segmentation suggests a design in which the network is partitioned according to user or device function.

Segmentation  Each segment may be further divided, for example by academic department.  The advantage of segmentation is in limiting the spread of worms such as SQL Slammer: a worm that compromises one segment cannot reach hosts in segments that the filters between them do not permit it to reach.

Segmenting a Network  These segments can broadly be classified into the following: ▲ Public networks ▲ Semi-private networks ▲ Private networks

Public Networks  Public networks are accessible to everyone.  The Internet is the obvious example of a public network.  On public networks there is a huge amount of unsecured data.  Typically, security measures on public access networks are quite limited.  Despite the lack of security, large volumes of unprotected data are transmitted worldwide over public networks because of their convenience and the variety of services they provide.

Private Networks  Private networks are organizational networks that handle confidential and proprietary data; they are the most common type of network.  If the organization is spread over large geographical distances, the private networks at each location may be interconnected through the Internet or other public networks.  Most commercial organizations prefer not to lay dedicated lines over large distances, mainly because of cost.  Private networks may have their own addressing and protocols and do not have to be compatible with the Internet.  Address translation (NAT) and tunneling protocols can be used to let otherwise incompatible private and public networks interoperate.  Example: the PNU network.

Semi-private Networks  Semi-private networks (demilitarized zones, DMZ) sit between public networks and private networks.  From a security standpoint, a semi-private network may carry confidential information, but only under controls that a public network would not impose.  Semi-private networks are most often dedicated subnets placed at the edge of the organization's connection to a large public network such as the Internet.  Example: a user on the company's private network needs Internet access; the traffic passes through the semi-private zone (for instance a proxy there) rather than leaving the private network directly.
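The three zones above only mean something once a filter enforces which zone may talk to which. As an added example (not code from the lecture), the block below classifies addresses into zones by prefix and applies a default-deny policy between them; the prefixes, ports and allowed flows are assumptions chosen for illustration, with RFC 5737 documentation addresses standing in for the public Internet.

```python
"""Zone classification by prefix and a default-deny policy between zones.

Added example, not part of the lecture. ZONES and POLICY are assumed values
for illustration: 10.0.0.0/8 is the private network, 172.16.10.0/24 is the
semi-private (DMZ) subnet, and everything else is treated as public.
"""
import ipaddress

ZONES = {
    "private": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("172.16.10.0/24")],
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not explicitly ours is 'public'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "public"


# (source zone, destination zone, destination port) -> permitted.
# A port of None means "any port". Anything absent is denied (default deny).
POLICY = {
    ("public", "dmz", 443): True,        # Internet users reach the web tier, HTTPS only
    ("dmz", "private", 5432): True,      # web tier reaches only the internal database
    ("private", "dmz", 3128): True,      # internal hosts reach the Internet via the DMZ proxy
    ("private", "private", None): True,  # traffic inside the private zone is allowed
}


def allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Least privilege between segments: permit only flows the policy names."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    exact = POLICY.get((src_zone, dst_zone, dst_port))
    if exact is not None:
        return exact
    return POLICY.get((src_zone, dst_zone, None), False)


def evaluate(flows):
    """Decide a list of (src_ip, dst_ip, dst_port) flows; returns 'allow'/'deny' each."""
    return ["allow" if allowed(s, d, p) else "deny" for s, d, p in flows]


# Constructed flows: the permitted paths plus the shortcuts the design must block.
SAMPLE_FLOWS = [
    ("203.0.113.7", "172.16.10.5", 443),   # Internet -> DMZ web tier
    ("203.0.113.7", "172.16.10.5", 22),    # Internet -> DMZ SSH (not exposed)
    ("203.0.113.7", "10.1.2.3", 443),      # Internet -> private host directly
    ("172.16.10.5", "10.1.2.3", 5432),     # DMZ -> internal database
    ("172.16.10.5", "10.1.2.3", 445),      # DMZ -> internal file share (a worm's path)
    ("10.1.2.3", "203.0.113.7", 80),       # private -> Internet, bypassing the proxy
    ("10.1.2.3", "172.16.10.9", 3128),     # private -> DMZ proxy
    ("10.1.2.3", "10.1.2.4", 445),         # private -> private
]

if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{decision:5s} {flow[0]} -> {flow[1]}:{flow[2]}")
```

The fifth flow is the one segmentation is for: a worm that takes the DMZ web server still cannot reach file-sharing ports inside, because the only DMZ-to-private flow the policy names is the database port.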

Perimeter Defense  In most cases, networks include various types of servers: infrastructure servers such as domain controllers and DNS servers, database servers, file servers and application servers.  Securing such servers requires controls at the network boundary in addition to host-based controls on the individual servers.  In most environments, firewalls are placed at the boundaries of every network segment.  Firewalls (stand-alone or combined with routers) are the usual choice for securing network perimeters.

Firewalls  A firewall is the main gate through which the outside world enters the internal site. Depending on the needs of your organization, a firewall can be configured to work in different ways. For example, you can configure a firewall to permit only traffic to specific exposed services, which protects the internal network against every attack except those aimed at the exposed services themselves.

Firewall Architecture (figure): two connections to the external Internet through routers R3, R4 and R5; Internal Network I behind router R1, containing the DNS server and hosts A and B; Internal Network II behind router R2, containing hosts C and D; firewalls F1 and F2; a further host E and router R6.

Firewalls  There are many reasons for an organization to employ firewalls to separate its networks from insecure ones, such as the following:  Poor authentication (most network services and applications do not themselves use authentication and encryption).  Weak software (not designed or configured with security in mind).  Spoofing (attackers forge the source addresses of packets, or read a session's packets and inject replies that appear to come from the legitimate addresses).  Scanners and crackers (probing for exposed services and attacking passwords and other authentication data).

Firewall technologies  Packet filtering  Stateful packet filtering  Application proxy

Packet filtering  Packet filtering determines whether a packet should be accepted or rejected purely on basic information in the packet's headers (e.g. source IP, destination IP, inbound or outbound interface, protocol type, port numbers). If the header fields match a rule in the rule set defined on the firewall, the packet is allowed to pass; otherwise it is denied.

Packet filtering  A packet filter has no knowledge of what a packet is actually part of or where it actually came from; because its decision rests only on addresses and ports, it is susceptible to IP or port spoofing. However, it tends to be faster than other firewall technologies and is transparent to users.

Stateful packet filtering  Tracks the state of each network connection and makes the forwarding decision on both the packet's headers and the connection state.  When the first packet of a connection is inspected and permitted, the firewall adds an entry to a state table.  A subsequent packet is allowed through when it matches an established connection that has already satisfied the rules on the firewall.  This means you need only specify the rule for the initial connection; the return packets are implied, because state exists for them (the connection has already been authorized). The state entry is keyed by the connection's addresses and ports, so a packet that merely looks like return traffic, but belongs to no connection the firewall saw opened, is dropped.
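The difference between the two filtering slides above, and the 4-tuple from the TCP/IP connection slide, is easiest to see on the same traffic. The following is an added example, not code from the lecture: a stateless filter and a stateful filter implementing the same policy ("inside hosts may open connections to web ports; nothing may be opened from the outside"); the addresses, the policy and the packets are constructed for illustration.

```python
"""Stateless packet filtering beside stateful filtering on the same policy.

Added example; not code from the lecture. The policy, the addresses and the
packets are constructed for illustration (10.0.0.0/8 is the inside).
"""
from dataclasses import dataclass

WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    inbound: bool = False  # True: arrives on the external interface


def stateless_filter(pkt: Packet) -> str:
    """Decide from header fields only, with no memory of earlier packets."""
    # Rule 1: inside hosts may open connections to web ports.
    if not pkt.inbound and pkt.dport in WEB_PORTS:
        return "allow"
    # Rule 2: let replies back in. Without state, the only clue that an inbound
    # packet is a reply is "source port is a web port and ACK is set", and an
    # attacker controls both of those fields.
    if pkt.inbound and pkt.sport in WEB_PORTS and pkt.ack:
        return "allow"
    return "deny"


class StatefulFilter:
    """Same policy, but replies are admitted only for connections seen opened."""

    def __init__(self) -> None:
        # Entries are the 4-tuple (client IP, client port, server IP, server port)
        # that identifies a TCP connection end to end. A real firewall also ages
        # entries out and removes them on FIN/RST; that is omitted here.
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        if not pkt.inbound:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack and pkt.dport in WEB_PORTS:
                self.state.add(key)  # connection opened under a permitted rule
                return "allow"
            return "allow" if key in self.state else "deny"
        # Inbound: the reversed tuple must match a connection already authorised.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if key in self.state else "deny"


# Constructed traffic: a legitimate HTTPS session, then an attacker's packet
# dressed up as "return traffic" (source port 80, ACK set) aimed at SSH, and
# a plain inbound connection attempt.
TRAFFIC = [
    Packet("10.0.0.5", 51234, "203.0.113.9", 443, syn=True),
    Packet("203.0.113.9", 443, "10.0.0.5", 51234, syn=True, ack=True, inbound=True),
    Packet("10.0.0.5", 51234, "203.0.113.9", 443, ack=True),
    Packet("198.51.100.1", 80, "10.0.0.5", 22, ack=True, inbound=True),     # spoofed reply
    Packet("198.51.100.1", 4444, "10.0.0.5", 22, syn=True, inbound=True),   # plain scan
]


def run(filter_fn, packets=TRAFFIC) -> list[str]:
    """Apply a filter function to packets in order and collect its decisions."""
    return [filter_fn(p) for p in packets]


if __name__ == "__main__":
    print("stateless", run(stateless_filter))
    print("stateful ", run(StatefulFilter().filter))
```

The fourth packet is the point: the stateless filter's "established" rule passes it to port 22 because the attacker chose a source port of 80 and set ACK, while the stateful filter drops it because no inside host ever opened a connection to 198.51.100.1:80.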

Proxying  A proxy handles all communication between users and Internet services and performs extensive logging and access control. It takes users' requests for Internet services (e.g. FTP and Telnet) and forwards them to the actual services, or drops them, as directed by the site's security policy. Instead of talking to each other directly, users and services both talk to the server offering proxying: the proxy server.

Proxying  Proxy servers permit no direct traffic between the networks, which hides the true internal addresses and better protects the internal network. Because they see the application data rather than only packet headers, they can produce more detailed audit records and tend to enforce more conservative security models than packet filtering.
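What "seeing the application data" buys a proxy, compared with the packet filter's header-only view, is shown by the added example below, which is not code from the lecture: an HTTP request is parsed and checked against a method allowlist and a destination allowlist before anything is forwarded, and every drop carries a reason fit for the audit log. The allowlists and the sample requests are constructed for illustration.

```python
"""Application-layer inspection as a proxy performs it: the request is parsed
and checked against policy before anything is forwarded. A packet filter never
parses this payload, so none of these checks are available to it.

Added example, not code from the lecture. The allowlists and the sample
requests are constructed for illustration.
"""
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}  # assumed site policy: only this destination


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, version, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("ascii").split("\r\n")      # non-ASCII -> UnicodeDecodeError
    method, target, version = lines[0].split(" ")   # wrong field count -> ValueError
    headers = {}
    for field in lines[1:]:
        name, colon, value = field.partition(":")
        if not colon:
            raise ValueError(f"bad header field: {field!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def proxy_decision(raw: bytes) -> tuple[str, str]:
    """Return ("forward" | "drop", reason). Every drop is a loggable event."""
    try:
        method, target, version, headers, _ = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return "drop", f"malformed request: {exc}"
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "drop", f"unsupported version {version}"
    if method not in ALLOWED_METHODS:
        return "drop", f"method {method} not permitted"
    host = headers.get("host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        return "drop", f"destination {host!r} not in allowlist"
    return "forward", f"{method} {target} -> {host}"


# Constructed requests: one that policy permits, three that it does not.
SAMPLES = {
    "ok": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_host": b"GET / HTTP/1.1\r\nHost: files.example.net\r\n\r\n",
    "bad_verb": b"DELETE /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "garbage": b"\x16\x03\x01 not http at all\r\n\r\n",
}


def audit(samples=SAMPLES) -> dict:
    """Decision per sample, the kind of record a proxy writes to its audit log."""
    return {name: proxy_decision(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (decision, reason) in audit().items():
        print(f"{name:9s} {decision:8s} {reason}")
```

Note that the proxy makes its decision from the Host header and the method, fields a packet filter cannot see at all; the "garbage" sample (bytes that are not HTTP, sent to the proxy's port) is rejected by the parser rather than passed through to a backend.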