Network Security
TCP/IP Model
- Physical Layer - ethernet, wifi
- Data Link Layer - ethernet, wifi
- Network Layer - IP, IPSec, ICMP
- Transport Layer - TCP/UDP
- Application Layer - HTTP, SMTP,
Each protocol carries the protocol in the layer above by appending headers to it
IP Security
- IP is connectionless and stateless
- Best effort service
- No delivery guarantee
- No order Guarantee
- IPv4 no guaranteed security support
- IPv6 security support is guaranteed - IPSec
IPSec
- Optional in IPv4, mandatory support in IPv6
- Network layer
- Two major security mechanisms
- IP Authentication Header (AH) - authentication only (less used)
- IP Encapsulation Security Payload (ESP) - Authentication + encryption
- Does not contain any mechanisms to prevent traffic analysis
- Payload Encrypted
- But traffic (packets, source, destinate, etc.) still visible
- (to obfuscate traffic, onion routing)
Encapsulation Security Payload
- Includes an additional header within the IP packet that describes what encryption and authentication is in use
Security Parameter Index
- Stores security parameters e.g. crypto protocol and keys
- Established by Internet Security Association and Key Management Protocol (ISAKMP) during the Internet Key Exchange (IKE) handshake
- Uses Diffie-Hellman for key exchange
- The SPI references the entry in a table that corresponds to this sessions parameters
ESP
- Uses either transport or tunnel modes
Transport
- Transport mode simply encrypts packets, providing host-to-host encryption but using the original IP header
- Prevents contents being read, but doesn't stop traffic analysis or manipulation of the header
Tunnel
- Tunnel Mode (usually gateway-to-gateway) protects some segment of a channel with encryption
- Provides some resistance to traffic analysis, and completely protects manipulation of the payload
- VPNs are commonly implemented this way
VPNs
- Secure connection over unsecure network (e.g. internet)
- Different technologies at different layers
- IPSec ESP Tunnel Mode
- TLS
- SSH
- WireGuard
- Instrumental for remote working
- Can be a security bottleneck, so important to be holistic
- Strong authentication
- Updates
- Monitoring
Address Resolution Protocol (ARP)
- Protocol used in IPv4 to obtain physical MAC addresses for given IPs
- Used prior to constructing IP and TCP packets for communication
- Network Layer
ARP Cache Poisoning
Can send an unrequested ARP reply, and overwrite the MAC address in a host ARP cache with our own (MITM Attack)
Protection
- Some OSs ignore unsolicited ARP replies, or can be configured to use ARP differently
- Some software, such as intrusion detection packages, will include ARP spoofing detection
- Maintaining a log of current MAC:IP assignments and ARP requests/replies
- Allows us to spot suspicious messages such as unsolicited ARP replies
DNS
- Translates domain names into IP address
- Packets are UDP - stateless on the transport layer
- DNS resolvers will cache the IPs for a while
Spoofing
- Can poison the cache of nameserver, and replace with own IP. Achieved through prior ARP cache poisoning, a reply flood or a Kaminsky attack
Protection
- Random query numbers help protect against spoof replies
- Since the Kaminsky attack, most resolvers now randomise the source port too
- DNSSEC aims to tackle DNS exploits by authenticating the name server and providing integrity for the messages
- Not new, and not widespread
TCP Sequence Prediction Attack
- Also TCP session hijacking
- In TCP, sequence numbers used to keep track of order of packets
- TCP sequence numbers used to keep track of order of packets
Defences
- Randomise SNs
- Lower layer information
- Other mitigation include router/firewall stateful config to disallow external sources, and IDS/IPS, or encryption
- Not very common these days, but still motivates safeguards in place