Network Security
Lecture 1, Part 1 Introduction to Networking
Objectives of Lecture
• Show how networks can be understood using a layered approach
• Introduce the OSI seven layer reference model
• Introduce the concepts of internetworking and routing
• Understand the difference between network protocols and services.
1.1 Extended example: how the Internet protocols fetch a web page
1.2 The concept of protocol layering
1.3 Internetworking and routing
1.4 The OSI seven layer model
1.1 Internet Protocols
[Figure: a Web Browser and a Web Server connected by a Network]
How does a web browser application retrieve data from a web server?
Application Layer
• Users invoke applications which “speak” using an application protocol
• Applications interact with a transport protocol to send or receive data
• Application protocol in our example: Hypertext Transfer Protocol (HTTP)
• Other application protocols: FTP, SMTP, DNS, SMB, …
Application Layer Example
Transport Layer
• Provides end-to-end communication between applications.
• Transport Protocol: Transport Control Protocol (TCP)
– a reliable, connection-oriented transport protocol.
• Divides stream of application messages into packets.
• Interacts with Internet Layer to send or receive data.
• In general, a transport protocol may be
– reliable or unreliable,
– connection-oriented or connectionless,
– and flow may or may not be regulated.
• Others: UDP, ICMP.
Transport Layer Example
[Figure: TCP header | TCP payload (HTTP Message)]
Internet Layer
• Responsible for routing communications between one machine and another
• Accepts requests to send packets to a destination address
• Internet Protocol (IP) encapsulates packets in an IP datagram with an IP header and uses a routing algorithm to decide whether to send directly or indirectly
Internet Layer Example
[Figure: IP header (Src: 192.168.0.40, Dst: 192.168.0.50, TTL: 128) | TCP header | HTTP Message]
Network Interface Layer
• Accepts IP datagrams and prepares for transmission over specific physical network
• May be a simple device driver (e.g. an Ethernet driver) or a complex subsystem with further data link protocols (e.g. in an ATM network)
• Output of network interface layer is a signal suitable for transmission on a particular physical medium
Network Interface Layer Example
[Figure: Ethernet Frame: Ethernet header (Src: 00:e0:81:10:19:fc, Dst: 00:a0:cc:54:1d:4e, Type: IP) | IP header (Src: 192.168.0.40, Dst: 192.168.0.50, TTL: 128)]
Physical Layer
• A layer representing the actual communications medium
– Could be an Ethernet cable, optical fibre, wireless link, telephone wire or even a carrier pigeon (http://www.ietf.org/rfc/rfc1149.txt)
– Sometimes not considered as a separate layer in TCP/IP networking; sometimes not considered part of TCP/IP at all.
– Thus creating confusion over whether there are really 4 or 5 layers in TCP/IP.
At The Server
• The server contains a set of layers matching those at the client:
– The physical signal is presented to the server’s network interface layer, which reconstructs the Ethernet frame.
– The network interface layer extracts an IP datagram and passes it up to the Internet layer.
– The Internet layer checks the datagram, extracts a TCP segment and passes it up to the transport layer.
– The transport layer checks for errors and passes the TCP payload (an HTTP message) on to the application layer.
– The web server at the application layer receives the HTTP message and processes it.
• Return messages from web server to web browser are handled in the same way.
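The encapsulation walked through on the preceding slides, and its reversal at the server, as an added example that is not part of the original lecture. The IP addresses, TTL and MAC addresses are the slide values; the request text, port numbers and sequence numbers are assumptions.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def encapsulate(http, src_ip, dst_ip, src_mac, dst_mac, ttl=128, sport=49152, dport=80):
    s, d = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # Transport layer: 20-byte TCP header (PSH+ACK) in front of the HTTP message.
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + http
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(seg))
    seg = seg[:16] + struct.pack("!H", checksum(pseudo + seg)) + seg[18:]
    # Internet layer: 20-byte IPv4 header, protocol 6 = TCP.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, ttl, 6, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    # Network interface layer: Ethernet II header, type 0x0800 = IP.
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + hdr + seg

def decapsulate(frame: bytes) -> dict:
    # Network interface layer: check the type field, pass the datagram up.
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("frame does not carry IP")
    dgram = frame[14:]
    ihl = (dgram[0] & 0x0F) * 4
    # Internet layer: check the header, extract the TCP segment.
    if checksum(dgram[:ihl]) != 0 or dgram[9] != 6:
        raise ValueError("bad IP header or not TCP")
    seg = dgram[ihl:struct.unpack("!H", dgram[2:4])[0]]
    # Transport layer: check for errors, pass the payload up.
    pseudo = dgram[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    if checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    return {"src": socket.inet_ntoa(dgram[12:16]), "dst": socket.inet_ntoa(dgram[16:20]),
            "ttl": dgram[8], "dport": struct.unpack("!H", seg[2:4])[0],
            "http": seg[(seg[12] >> 4) * 4:]}

# Constructed sample request; addresses and TTL are the ones on the slides.
REQUEST = b"GET / HTTP/1.1\r\nHost: 192.168.0.50\r\n\r\n"
FRAME = encapsulate(REQUEST, "192.168.0.40", "192.168.0.50",
                    "00:e0:81:10:19:fc", "00:a0:cc:54:1d:4e")
```

Note that both checksums only catch accidental corruption: anyone able to alter the frame can recompute them, so they give no integrity protection against a deliberate active threat.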
Protocol Hierarchies
• Protocols are stacked vertically as series of ‘layers’
• Each layer offers services to layer above through an interface, shielding implementation details
• Layer n on one machine communicates with layer n on another machine (they are peer processes/entities) using Layer n Protocol.
• The entire hierarchy is called a protocol stack
– e.g. the TCP/IP protocol stack
Layers, Protocols & Interfaces
[Figure: Layer 1 on each machine, linked by the Layer 1 protocol over the physical communications medium, with a Layer 1/2 interface above each]
Layer and Interface Design
• An important design objective is ‘clean’ interfaces, having minimal set of well-defined services
• Use of protocol layering and clean-cut interfaces enables:
– easy replacement of individual layers
– designers and implementers to focus on solving one sub-problem at a time
– independent implementations of the same layer to inter-operate
– minimisation of inter-layer communications
– diagnosis of faults, errors, congestion,…
Virtual & Actual Communications
• Important to understand difference between:
– virtual and actual communications,
– protocols and interfaces.
• Peer processes ‘think’ of communications as being ‘horizontal’ using protocol
• Actual communications is via interfaces (and the physical communications medium)
• Peer process idea is key to network design
Protocol Layering – The Downside
• Protocol layering does not solve all networking problems!
• Some issues need to be addressed at many layers, e.g.:
– need to address data (say who it’s for),
– possible need for setting up connections,
– data transfer rules (simplex, half-duplex, …),
1.3 Internetworking and Routing
requirements
without understanding underlying mechanisms
• Internetworking is the process by which a group of disparate, heterogeneous networks can be linked to form a single logical network
– universal interconnection is achieved through coordination of IP addressing and use of the IP protocol.
[Figure label: Network B]
Routing is the mechanism used to transfer data between networks to reach the correct destination
In TCP/IP, routing takes place at the IP layer: routers are not aware of transport and
Protocol Layering and Routing
[Figure labels: Ethernet Frame; Router]
1.4 The OSI Reference Model
• OSI Reference Model – an internationally standardised network architecture
• An abstract representation of an ideal network protocol stack; not used in real networks
• OSI = Open Systems Interconnection
• Specified in ISO 7498-1
• Model has 7 layers
The OSI Model
Layer 7: Application Layer
Layer 6: Presentation Layer
Layer 5: Session Layer
Layer 4: Transport Layer
Layer 3: Network Layer
Layer 2: Data Link Layer
Layer 1: Physical Layer
Lower/Upper Layers
• Layers 1-4 often referred to as lower layers.
• Layers 5-7 are the upper layers.
• Lower layers relate more closely to the
• Layers 4 – 7 are true ‘end-to-end’ protocols
• Upper layers relate to application
Layer 7: Application Layer
• Home to wide variety of protocols for specific user needs, e.g.:
– virtual terminal service,
– file transfer,
– electronic mail,
– directory services.
Layer 6: Presentation Layer
• Concerned with representation of transmitted data
• Deals with different data representations.
– ASCII or EBCDIC,
– one’s complement or two’s complement,
– byte ordering conventions,
– floating point conventions (IEEE or proprietary).
• Also deals with data compression
Layer 5: Session Layer
• Allows establishment of sessions between machines, e.g. to
– allow remote logins
– provide file transfer service.
Layer 4: Transport Layer
• Basic function is to take data from Session Layer, split it up into smaller units, and ensure that the units arrive correctly
• Concerned with efficient provision of service
– may be multiple connections per session or multiple sessions per connection.
• The Transport Layer also determines the ‘type of service’ to provide to the Session Layer
– most commonly, error-free, point-to-point, with guarantee of correct ordering of data.
– could be transport of isolated messages only (no ordering guarantees) or broadcast.
Layer 3: Network Layer
network addresses
layers
– static tables,
– determined at start of session,
– highly dynamic (varying for each packet depending
on network load).
usage monitoring
Layer 2: Data Link Layer
• Provides reliable, error-free service on top of raw Layer 1 service
– corrects errors at the ‘bit’ level.
• Breaks data into frames
– requires creation of frame boundaries using special bit sequences.
• Frames used to manage errors via acknowledgements and selective frame retransmission
Layer 1: Physical Layer
• Concerned with bit transmission over physical channel
Internet Protocols vs OSI
[Figure: the two stacks side by side]
OSI: 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical
Internet protocols: 5 Application, 4 TCP, 3 IP, 2 Network Interface, 1 Hardware
Services in the OSI Model
• In OSI model, each layer provides services to layer above, and ‘consumes’ services provided by layer below
• Active elements in a layer are called entities.
• Entities in same layer in different machines are called peer entities.
Services and Protocols
• Service = set of primitives provided by one layer to layer above
• Service defines what layer can do (but not how it does it)
• Protocol = set of rules governing data communication between peer entities, i.e. format and meaning of frames/packets
• Service/protocol decoupling very important
[Figure labels: n+1 PDU; Layer n+1 protocol; SDU; n PDU]
PDU - Protocol Data Unit
• Layers can offer connection-oriented or connectionless services
• Connection-oriented like telephone system.
• Connectionless like postal system.
– not all applications need connections.
• Each service has an associated service (e.g. reliable or unreliable)
Quality-of-Reliability Issues
• Reliable services never lose/corrupt data
• Reliable service costs more
• Typical application for reliable service is file transfer
• Typical application not needing reliable service is voice traffic
IC3 - Network Security
Lecture 1, Part 2 Introduction to Network Security
Objectives of Lecture
• Understand why security should be a fundamental consideration when designing and operating networks
• Examine the primary enabling threats and fundamental threats to security for networks.
• Introduce security services and mechanisms, and show how they can be used to counter threats
• Study the provision of security services at different network layers in ISO7498-2
1.5 Why network security?
1.6 Security policies for networks
1.7 Security threats for networks
1.8 Security services and mechanisms
1.9 Security services and layers
1.5 Why Network Security?
• Organisations and individuals are increasingly reliant on networks of all kinds for day-to-day operations:
– e-mail used in preference to letter, fax, telephone for many routine communications.
– B2B and C2B e-commerce still growing rapidly.
– the Internet is a vast repository of information of all kinds: competitors and their prices, stock markets, cheap flights,…
– increased reliance on networks for supply chains of all kinds: from supermarkets to aircraft components.
– utility companies control plant, banks move money, governments talk to citizens over networks.
– growth of mobile telephony for voice and data.
Why Network Security?
• Networks are becoming increasingly inter-connected and their security consequently more complex:
– if I send sensitive data over my internal network, then who else can see it or even alter it? My employees? My competitors?
– can a hacker who gets into my internal network then get access to other resources (computer accounts, stored data)? Can he use my network as a stepping-off point for further attacks? Am I then liable?
– a compelling Internet presence is essential for my company, but if someone can see my website, can they alter it too?
– how can consumers trust that a given website is that of a reputable company and not one who will misuse their credit card details?
Why Network Security?
• Safeguarding the confidentiality, integrity and availability of data carried on these various networks is therefore essential.
• Authenticity and accountability are often also important: who did what and when?
• It’s not only about security of Internet-connected systems.
– Insider threats are often more potent than threats originating on the Internet.
• It’s not only about TCP/IP networks.
– Many networks use special-purpose protocols and architectures.
– However TCP/IP dominates in LANs and the Internet.
1.6 Security Policies for Networks
• In this and the following sections, we follow the approach of ISO7498-2
– a companion document to ISO7498-1 (the seven layer model),
– provides a useful overview of the security issues pertinent to networks,
– equips us with a handy set of definitions to fix our terminology.
Security Policies for Networks
• In a secure system, the rules governing security behaviour should be made explicit in the form of an Information Security Policy.
• Security policy: ‘the set of criteria for the provision of security services’
– essentially, a set of rules
– may be very high level or quite detailed.
• Security domain: the scope of application of a security policy
– where, to what information and to whom the policy applies.
Security Policies for Networks
• A network security policy should interpret the overall Information Security Policy in the context of the networked environment:
• Defines what is the responsibility of the network and what is not
• Describes what security is to be available from the network
• Describes rules for using the network
• Describes who is responsible for the management and security of the network
Generic Security Policy
• A generic authorisation policy (from ISO 7498-2):
‘Information may not be given to, accessed by, nor permitted to be inferred by, nor may any resource be used by, those not appropriately authorised.’
• Possible basis for more detailed policy: needs lots of refinement to produce final document:
– What information?
– What resources?
– Who is authorised and for what?
– What about availability?
The Security Life-Cycle
• A generic model for the security life-cycle, including network security issues, is as follows:
– define security policy,
– analyse security threats (according to policy) and associated risks, given existing safeguards,
– define security services to meet/reduce threats, in order to bring risks down to acceptable levels,
– define security mechanisms to provide services,
– provide on-going management of security.
• Security policy in general will be covered in more detail in IC1
1.7 Security Threats for Networks
• A threat is:
– a person, thing, event or idea which poses some danger to an asset (in terms of confidentiality, integrity, availability or legitimate use).
– a possible means by which a security policy may be breached.
• An attack is a realisation of a threat.
• Safeguards are measures (e.g. controls, procedures) to protect against threats
• Vulnerabilities are weaknesses in safeguards.
• Risk is a measure of the cost of a vulnerability (taking into account probability of a successful attack)
• Risk analysis determines whether expenditure on new or better safeguards is warranted
• Risk analysis can be quantitative or qualitative
• Risk analysis will be covered in more detail in IC1
Threats can be classified as:
• deliberate (e.g. hacker penetration);
• accidental (e.g. a sensitive file being sent to the wrong address)
Deliberate threats can be further sub-divided:
• passive (e.g. monitoring, wire-tapping);
• active (e.g. changing the value of a financial transaction)
• In general passive threats are easier to realise than active ones