Skip to main content

Network Security

TCP/IP Model

  1. Physical Layer - ethernet, wifi
  2. Data Link Layer - ethernet, wifi
  3. Network Layer - IP, IPSec, ICMP
  4. Transport Layer - TCP/UDP
  5. Application Layer - HTTP, SMTP,

Each protocol carries the protocol in the layer above by appending headers to it

IP Security

  • IP is connectionless and stateless
    • Best effort service
    • No delivery guarantee
    • No order Guarantee
  • IPv4 no guaranteed security support
  • IPv6 security support is guaranteed - IPSec

IPSec

  • Optional in IPv4, mandatory support in IPv6
  • Network layer
  • Two major security mechanisms
    • IP Authentication Header (AH) - authentication only (less used)
    • IP Encapsulation Security Payload (ESP) - Authentication + encryption
  • Does not contain any mechanisms to prevent traffic analysis
    • Payload Encrypted
    • But traffic (packets, source, destinate, etc.) still visible
    • (to obfuscate traffic, onion routing)

Encapsulation Security Payload

  • Includes an additional header within the IP packet that describes what encryption and authentication is in use

Security Parameter Index

  • Stores security parameters e.g. crypto protocol and keys
  • Established by Internet Security Association and Key Management Protocol (ISAKMP) during the Internet Key Exchange (IKE) handshake
  • Uses Diffie-Hellman for key exchange
  • The SPI references the entry in a table that corresponds to this sessions parameters

ESP

  • Uses either transport or tunnel modes

Transport

  • Transport mode simply encrypts packets, providing host-to-host encryption but using the original IP header
  • Prevents contents being read, but doesn't stop traffic analysis or manipulation of the header

Tunnel

  • Tunnel Mode (usually gateway-to-gateway) protects some segment of a channel with encryption
  • Provides some resistance to traffic analysis, and completely protects manipulation of the payload
  • VPNs are commonly implemented this way

VPNs

  • Secure connection over unsecure network (e.g. internet)
  • Different technologies at different layers
    • IPSec ESP Tunnel Mode
    • TLS
    • SSH
    • WireGuard
  • Instrumental for remote working
  • Can be a security bottleneck, so important to be holistic
    • Strong authentication
    • Updates
    • Monitoring

Address Resolution Protocol (ARP)

  • Protocol used in IPv4 to obtain physical MAC addresses for given IPs
    • Used prior to constructing IP and TCP packets for communication
    • Network Layer

ARP Cache Poisoning

Can send an unrequested ARP reply, and overwrite the MAC address in a host ARP cache with our own (MITM Attack)

Protection

  • Some OSs ignore unsolicited ARP replies, or can be configured to use ARP differently
  • Some software, such as intrusion detection packages, will include ARP spoofing detection
    • Maintaining a log of current MAC:IP assignments and ARP requests/replies
    • Allows us to spot suspicious messages such as unsolicited ARP replies

DNS

  • Translates domain names into IP address
  • Packets are UDP - stateless on the transport layer
  • DNS resolvers will cache the IPs for a while

Spoofing

  • Can poison the cache of nameserver, and replace with own IP. Achieved through prior ARP cache poisoning, a reply flood or a Kaminsky attack

Protection

  • Random query numbers help protect against spoof replies
  • Since the Kaminsky attack, most resolvers now randomise the source port too
  • DNSSEC aims to tackle DNS exploits by authenticating the name server and providing integrity for the messages
    • Not new, and not widespread

TCP Sequence Prediction Attack

  • Also TCP session hijacking
  • In TCP, sequence numbers used to keep track of order of packets
  • TCP sequence numbers used to keep track of order of packets

Defences

  • Randomise SNs
  • Lower layer information
  • Other mitigation include router/firewall stateful config to disallow external sources, and IDS/IPS, or encryption
  • Not very common these days, but still motivates safeguards in place