Chapter 9. Day 9 – Communication and Network Security - Communication Security

This chapter covers foundational concepts in the communication security domain. Security in communication channels—security requirements in voice, data, multimedia, and remote access—and virtualized networks are covered. An overview of attacks on communication networks, prevention and mitigation of such attacks, including widely used security controls, is also covered.

An overview of communication security

The communication and network security domain deals with the security of voice and data communications over local area, wide area, and remote access networks. Candidates are expected to have knowledge in the areas of secure communications: securing networks, and the threats, vulnerabilities, attacks, and countermeasures relating to the communication networks and protocols used in remote access.

Observe the following illustration. We have already covered the application, presentation, and session layers of the OSI model. In this chapter, we will cover the transport, network, data link, and physical layers:

[Illustration: OSI model layers]

Transport layer protocols and security

The transport layer does two things. One is to package the data handed down by applications into a format suitable for transport over the network; the other is to unpack the data received from the network and format it suitably for applications.

In the transport layer, some of the important protocols are Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Stream Control Transmission Protocol (SCTP), Datagram Congestion Control Protocol (DCCP), and Fiber Channel Protocol (FCP).

The process of packaging the data packets received from the applications is called encapsulation, and the output of such a process is called a datagram.

Similarly, the process of unpacking the datagram received from the network is called decapsulation.

Moving from layer 7 down to layer 4, when the layer 4 header is placed on the data, it becomes a datagram. When the datagram is encapsulated with a layer 3 header, it becomes a packet; when the packet is encapsulated in turn at layer 2, it becomes a frame, and the frame is put on the wire as bits.
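As an added example (not from the book), the decapsulation walk in Python: a constructed Ethernet frame is peeled down to the TCP payload one header at a time, with each length field checked against the bytes actually received before it is used. All MAC addresses, IP addresses and ports are made up.

```python
import socket
import struct

# Constructed sample traffic for this example: an Ethernet II frame carrying an IPv4
# packet, which carries a TCP segment (SYN set), which carries a short payload.
# The MAC addresses, IP addresses and ports are made up.
def build_sample_frame() -> bytes:
    payload = b"GET / HTTP/1.0\r\n\r\n"
    # Layer 4: 20-byte TCP header (src port, dst port, seq, ack, offset, flags, window, csum, urg)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    # Layer 3: 20-byte IPv4 header; total length covers IP header + TCP header + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    # Layer 2: 14-byte Ethernet header (dst MAC, src MAC, EtherType 0x0800 = IPv4)
    eth = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload          # frame -> packet -> datagram -> data


def decapsulate(frame: bytes) -> dict:
    """Peel the frame layer by layer (2 -> 3 -> 4), validating every length before trusting it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unsupported EtherType 0x{ethertype:04x}")
    packet = frame[14:]                       # the frame's payload is the layer 3 packet
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A length field larger than what was actually received marks a truncated or malformed
    # packet; a parser must never index past the captured bytes on the header's say-so.
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    datagram = packet[ihl:total_len]         # the packet's payload is the layer 4 datagram
    if proto != 6 or len(datagram) < 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, seq, _ack, offset, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", datagram[:20])
    data_offset = (offset >> 4) * 4
    if data_offset < 20 or data_offset > len(datagram):
        raise ValueError("malformed TCP header")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
        "src_port": sport, "dst_port": dport, "seq": seq, "syn": bool(flags & 0x02),
        "payload": datagram[data_offset:],    # what the application layer finally receives
    }
```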

The upcoming section describes some of the important protocols in this layer along with the security concerns and their countermeasures.

Transmission Control Protocol (TCP)

This is a core Internet protocol that provides reliable delivery over the Internet. TCP is a connection-oriented protocol: a protocol that guarantees delivery of datagrams (packets) to the destination application by way of a suitable mechanism (for example, TCP's three-way handshake of SYN, SYN-ACK, and ACK). The delivery reliability of such a protocol is high because the receiver acknowledges what it receives.

TCP has two functions. The primary function is the transmission of datagrams between applications; the secondary one is the set of controls necessary to ensure reliable transmission.

Applications where delivery needs to be assured, such as e-mail, the World Wide Web (WWW), and file transfer, use TCP for transmission.

Threats, vulnerabilities, attacks, and countermeasures

One of the common threats to TCP is a service disruption. A common vulnerability is half-open connections exhausting the server resources.

Denial-of-service attacks, such as TCP SYN attacks, as well as connection hijacking through IP spoofing attacks, are also possible.

A half-open connection is a vulnerability in the TCP implementation. As discussed earlier, TCP uses a three-way handshake to establish or terminate connections. Refer to the following illustration:

[Illustration: TCP three-way handshake]

In a three-way handshake, the client (workstation) first sends a request to the server (for example, www.some_website.com). This is called a SYN request. The server acknowledges the request by sending a SYN-ACK and, in the process, creates a buffer for this connection. The client completes the handshake with a final ACK. TCP requires this setup because the protocol needs to ensure the reliability of packet delivery.

If the client does not send the final ACK, the connection is called half open. Since the server has already created a buffer for this connection, a certain amount of memory or other server resource is consumed. If thousands of such half-open connections are created maliciously, the server's resources may be completely consumed, resulting in denial of service to legitimate requests.

TCP SYN attacks establish thousands of half-open connections in order to consume server resources. There are two actions an attacker might perform. One is that the attacker or malicious software sends thousands of SYN requests to the server and withholds the ACK. This is called SYN flooding. Depending on the network bandwidth and server resources, over a period of time all the resources will be consumed, resulting in denial of service. If the source IP were blocked by some means, the attacker or the malicious software would spoof the source IP addresses to continue the attack. This is called SYN spoofing.

SYN attacks, such as SYN flooding and SYN spoofing, can be controlled using SYN cookies built with cryptographic hash functions. In this method, the server does not create the connection at the SYN-ACK stage. Instead, the server computes a cookie as the hash of the source IP address, source port, destination IP, destination port, and some random values according to an algorithm, and sends it in the SYN-ACK. When the server receives the ACK, it checks the details and only then creates the connection.
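The SYN cookie defence described above, simulated in Python as an added example (not from the book). The cookie is a keyed hash over the connection 4-tuple plus a time counter, packed into the SYN-ACK's sequence number; the 8-bit counter/24-bit tag split, the HMAC-SHA256 construction and the per-server secret are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

TAG_BITS = 24   # 32-bit ISN = 8-bit time counter (high bits) + 24-bit keyed-hash tag (low bits)

def _tag(secret: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    """Keyed hash over the connection 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(secret, src_ip, src_port, dst_ip, dst_port, counter) -> int:
    """The value the server uses as its initial sequence number (ISN) in the SYN-ACK."""
    counter &= 0xFF
    return (counter << TAG_BITS) | _tag(secret, src_ip, src_port, dst_ip, dst_port, counter)

def check_syn_cookie(secret, cookie, src_ip, src_port, dst_ip, dst_port, now, max_age=2) -> bool:
    """Recompute the tag from the ACK's own 4-tuple; accept only fresh, untampered cookies."""
    counter = cookie >> TAG_BITS
    if ((now - counter) & 0xFF) > max_age:            # stale: the counter has moved on
        return False
    expected = _tag(secret, src_ip, src_port, dst_ip, dst_port, counter)
    # A 24-bit tag can be guessed with probability 2^-24 per try; that is the price of
    # fitting the cookie into the sequence number field, and why it is keyed and time-limited.
    return hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big"))

class SynCookieServer:
    """Toy listener: no per-connection state exists until a valid ACK arrives."""

    def __init__(self, ip: str, port: int, secret=None):
        self.ip, self.port = ip, port
        self.secret = secret or secrets.token_bytes(32)   # assumed: per-server secret, rotated periodically
        self.counter = 0          # in practice advanced by a slow timer; here it is stepped by hand
        self.connections = {}     # only fully established connections live here

    def on_syn(self, src_ip: str, src_port: int) -> int:
        # Nothing is allocated for the half-open connection: the cookie *is* the SYN-ACK's ISN.
        return make_syn_cookie(self.secret, src_ip, src_port, self.ip, self.port, self.counter)

    def on_ack(self, src_ip: str, src_port: int, ack_num: int) -> bool:
        cookie = (ack_num - 1) & 0xFFFFFFFF    # the client acknowledges our ISN + 1
        if not check_syn_cookie(self.secret, cookie, src_ip, src_port, self.ip, self.port, self.counter):
            return False                        # forged, lifted from another 4-tuple, or stale
        self.connections[(src_ip, src_port)] = "ESTABLISHED"
        return True
```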

Note

A cookie is a piece of information that is usually in the form of a text file sent by the server to the client. Cookies are generally stored in client computers and are used for purposes such as authentication, session tracking, and management.

User Datagram Protocol (UDP)

UDP is a connectionless protocol and, like TCP, a transport layer protocol. However, UDP does not guarantee the delivery of data packets. A protocol that does not guarantee the delivery of datagrams (packets) to the destination is called a connectionless protocol. In other words, the final acknowledgment is not mandatory in UDP.

UDP uses one-way communication. The speed of the delivery of the datagram by UDP is high. UDP is predominantly used where a loss of intermittent packets is acceptable, such as with video or audio streaming.

Threats, vulnerabilities, attacks, and countermeasures

Service disruptions are common threats, and validation weaknesses facilitate such threats.

UDP flood attacks cause service disruptions; controlling the UDP packet size acts as a countermeasure to such attacks.

Internet Control Message Protocol (ICMP)

ICMP is used to discover service availability in network devices or servers. ICMP expects response messages from devices or systems to confirm the service availability.

Threats, vulnerabilities, attacks, and countermeasures

Service disruptions are common threats. Validation weaknesses facilitate such threats.

ICMP flood attacks, such as the Ping of Death, cause these service disruptions; controlling the ICMP packet size acts as a countermeasure to such attacks.

Note

Pinging is a process of sending an Internet Control Message Protocol (ICMP) ECHO_REQUEST message to servers or hosts to check whether they are up and running. In this process, a server or host on a network responds to a ping request, and such a response is called an echo. Ping of death refers to sending large numbers of ICMP packets to the server to crash the system.

Other protocols in the transport layer

  • Stream Control Transmission Protocol (SCTP): This is a connection-oriented protocol similar to TCP, but it provides facilities such as multi-streaming and multi-homing for better performance and redundancy. It is used in UNIX-like operating systems.
  • Datagram Congestion Control Protocol (DCCP): As the name implies, this is a transport layer protocol that is used for congestion control. Applications here include Internet telephony and video/audio streaming over the network.
  • Fiber Channel Protocol (FCP): This protocol is used in high-speed networking. One of the prominent applications is Storage Area Network (SAN).

Note

Storage Area Network (SAN) is a network architecture used to attach remote storage devices, such as tape drives, disk arrays, and more, to the local server. This facilitates using storage devices as if they are local devices.

The network layer protocols and security

The Network or Internet layer in the TCP/IP model is used for internetworking. This layer has a group of methods, functions, and protocols to facilitate communication between different networks. In this layer, communication between networks is achieved through mechanisms called gateways.

Note

In the network layer, some of the important protocols are Internet Protocol (IP), Internet Control Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and Internet Protocol Security (IPsec).

Protocols in this layer carry out the following functions:

  • Passing the outgoing packets through gateways to the next layer (the data link layer)
  • Passing the incoming packets to the transport layer
  • Providing error detection and diagnostics for incoming and outgoing packets

Internet Protocol (IP)

IP is a connectionless protocol and is used in packet-switched networks such as the Internet. The primary function of this protocol is to send data from one computer to another. IP works in the network layer of OSI and the Internet layer of the TCP/IP model.

The primary function of this layer is to send data packets across the network to the destination computer. The computers in such networks are called hosts. IP makes a best-effort attempt to deliver packets but does not guarantee delivery; Transmission Control Protocol (TCP) manages the reliability of the transmission.

Two versions are being used in the Internet. One is Internet Protocol version 4 (IPv4) and the other is Internet Protocol version 6 (IPv6).

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats in this layer are the non-delivery of packets or some corrupted data. Vulnerabilities that these threats could exploit include lack of validation mechanisms and a lack of sequencing procedures and processes.

The most common attack on this layer is data theft. Information or data packets can be captured during transmission and decoded. Unauthorized access and privilege escalation entry points are possible in this layer.

Countermeasures consist of using the appropriate security features in Transmission Control Protocol, Address Resolution Protocol (ARP), IPv6 security controls, and, most importantly, Internet Protocol Security (IPsec).

Note

Internet Protocol version 4 (IPv4) is the widely deployed protocol on the Internet. As the name implies, it is the fourth iteration of the protocol. It uses 32-bit addresses and is therefore limited to 2^32 addresses. The pool of publicly available IPv4 addresses is more or less exhausted, and the Internet is moving toward IPv6.

Internet Protocol version 6 (IPv6) is designed as the successor to IPv4. This protocol uses 128-bit addresses and has an address space of 2^128 IP addresses.

IPsec protocols

IPsec is a suite of protocols created to secure the Internet Protocol (IP). They provide authentication, integrity, and encryption functions. Unlike upper-layer security protocols such as SSL or TLS, IPsec operates independently of any particular application, so it can be used to protect the application and transport layer protocols as a whole.

IPsec uses the following three protocols for various security functions:

  • Internet Key Exchange (IKE): This is used to negotiate protocols and algorithms and to generate the keys for encryption and authentication
  • Authentication Header (AH): This is used to provide data origin authentication and integrity assurance for datagrams
  • Encapsulating Security Payload (ESP): This is used to support encryption-only and authentication-only configurations

Threats, vulnerabilities, attacks, and countermeasures

Threats such as spoofing and unauthorized connections materialize due to weak authentication and a lack of connection checks in this protocol. Such vulnerabilities are exploited through Man-in-the-Middle attacks. These attacks can be countered by proper IPsec policies and by deploying additional IPsec connection checks. Using Virtual Private Networks (VPN) enables a secure communication in this layer.

Note

Virtual Private Network (VPN) is a virtual network that is set up over a larger public network, such as the Internet. VPN uses a concept called tunneling to route the data, and IPsec protocols are used for end-to-end encryption.

A tunnel in a computer network, such as a VPN, is a secure path, or route, for datagrams to pass through an insecure or untrusted network. IPsec, Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP) are some examples of tunneling protocols.

Data link layer protocols and security

The methods, protocols, and specifications used to link hosts or nodes in a network are grouped as the data link layer. The link layer operates close to the physical layer components.

In the data link layer, some of the important protocols are Point-to-Point Protocol (PPP), Address Resolution Protocol (ARP), and Serial Line Internet Protocol (SLIP). Fiber Channel and Ethernet also work in this layer.

Link layer protocols

The following protocols operate on the link layer:

  • Address Resolution Protocol (ARP): This is used to resolve the hardware address (the layer 2 MAC address: 48 bits, or 12 hex characters) for a given IP address
  • Reverse Address Resolution Protocol (RARP): This is used to obtain IP addresses based on the hardware address
  • Neighbor Discovery Protocol (NDP): This is used to find neighbor nodes in an IPv6 network

Address Resolution Protocol (ARP)

This protocol is a standard method of finding hardware addresses from network layer addresses, such as Internet Protocol (IP) addresses. The primary application of ARP is to translate IP addresses to Ethernet Media Access Control (MAC) addresses.

The primary purpose of this protocol is to resolve hardware addresses so that communication can be established between two computers within the same network or over the Internet. This is necessary because, as you go down the OSI stack from layer 7 to layer 1, you know that IP address 1 is trying to send to IP address 2, but to encapsulate this at layer 2 you need to know the MAC address of IP address 2.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats in this layer include sniffing and spoofing. Unsolicited ARP replies are a common vulnerability. Attacks such as ARP poisoning, ARP poison routing, and Denial-of-Service (DoS) are prevalent in this layer. Countermeasures include MAC-to-IP mapping processes.

Note

ARP poisoning refers to overwriting an existing entry in the ARP table with a malicious address. Its primary purpose is to perform a man-in-the-middle (MITM) attack.

Media Access Control (MAC) is a unique hardware address that is assigned to Network Interface Cards (NIC) or network adapters.
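An added example (not from the book) of the MAC-to-IP mapping countermeasure: a passive ARP monitor in Python that holds approved bindings and flags the unsolicited replies and binding changes that ARP poisoning produces. The addresses and the event sequence are constructed, and the static gateway binding is an assumption.

```python
from collections import defaultdict

class ArpMonitor:
    """Passive per-segment detector: keeps IP->MAC bindings and flags ARP replies that break them.
    Events are tuples (op, sender_ip, sender_mac, target_ip) with op "request" or "reply"."""
    def __init__(self, static_map=None):
        self.table = dict(static_map or {})  # static_map: approved bindings that must never move
        self.static = set(self.table)
        self.pending = set()                 # IPs we asked about and still await a reply for
        self.claims = defaultdict(set)       # MAC -> every IP it has claimed in a reply
        self.alerts = []

    def observe(self, event) -> list:
        op, ip, mac, target = event
        new = []
        if op == "request":
            self.pending.add(target)
            return new
        if op != "reply":
            return new
        # 1. A reply nobody asked for: gratuitous ARP has legitimate uses, but it is also
        #    how a poisoned entry is delivered, so it is always recorded.
        if ip not in self.pending:
            new.append(("unsolicited_reply", ip, mac))
        self.pending.discard(ip)
        # 2. A binding that contradicts what we hold; static entries are never overwritten.
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            if ip in self.static:
                new.append(("static_binding_conflict", ip, f"{known} -> {mac}"))
            else:
                new.append(("binding_changed", ip, f"{known} -> {mac}"))
                self.table[ip] = mac
        # 3. One MAC answering for several IPs is the footprint of a host inserted between two victims.
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            new.append(("mac_claims_multiple_ips", mac, sorted(self.claims[mac])))
        self.alerts.extend(new)
        return new

# Constructed traffic: gateway 192.0.2.1 and host 192.0.2.10 resolve each other normally,
# then a rogue station (00:00:5e:00:53:ff) answers for both of them without being asked.
SAMPLE_EVENTS = [
    ("request", "192.0.2.10", "00:00:5e:00:53:10", "192.0.2.1"),
    ("reply", "192.0.2.1", "00:00:5e:00:53:01", "192.0.2.10"),
    ("request", "192.0.2.1", "00:00:5e:00:53:01", "192.0.2.10"),
    ("reply", "192.0.2.10", "00:00:5e:00:53:10", "192.0.2.1"),
    ("reply", "192.0.2.1", "00:00:5e:00:53:ff", "192.0.2.10"),
    ("reply", "192.0.2.10", "00:00:5e:00:53:ff", "192.0.2.1"),
]

def run_monitor(events=SAMPLE_EVENTS) -> ArpMonitor:
    mon = ArpMonitor(static_map={"192.0.2.1": "00:00:5e:00:53:01"})  # assumed approved gateway binding
    for ev in events:
        mon.observe(ev)
    return mon
```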

Border Gateway Protocol

This is a type of routing protocol that is used on the Internet. Its primary purpose is to decentralize Internet routing. Internet Service Providers (ISPs) predominantly use this protocol for routing data and information between themselves.

Routing protocols exist so that routers can tell each other about the routes they own (otherwise, routes would have to be inserted manually in every router for EVERY network, that is, as static routes). Interior routing protocols such as RIP, OSPF, EIGRP, and IS-IS are used inside organizations. They are fast but do not scale to Internet size. Exterior protocols, such as BGP, are used to tell backbone routers where all the routes on the Internet are. BGP is very slow, but it can scale to the entire Internet.

Threats, vulnerabilities, attacks, and countermeasures

Some of the common threats include the misuse of network resources, network congestion, packet delays, and the violation of local routing policies. Another issue with BGP is that a router can advertise networks that are not its own.

Vulnerabilities that help these threats to materialize include misconfigured routers and software flaws. Such vulnerabilities are exploited through spoofing and message-injection attacks.
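An added example (not from the book) of the check a defender applies against routers advertising networks that are not their own: a Python origin-validation filter for received BGP announcements. The authorization list, its ROA-like shape, and the accept/reject policy are assumptions; the UPDATE stream is constructed.

```python
import ipaddress

# Constructed authorization list (an assumption for this example): which origin AS may
# announce which address space, and down to what prefix length. The shape mirrors an
# RPKI ROA, which the chapter does not cover.
AUTHORIZED = [
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/24", 64501, 26),
    ("2001:db8::/32", 64500, 48),
]

def origin_asn(as_path: list) -> int:
    """The rightmost AS in AS_PATH is the one claiming to originate the prefix."""
    return as_path[-1]

def validate_origin(prefix: str, origin: int, authorized=AUTHORIZED) -> str:
    """valid:   an authorization covers the prefix with this origin and an allowed length
    invalid: authorizations cover the prefix but none match (wrong origin or too specific)
    unknown: nobody has said anything about this address space"""
    net = ipaddress.ip_network(prefix)           # strict by default: rejects host bits set
    covered = False
    for auth_prefix, auth_asn, max_len in authorized:
        auth = ipaddress.ip_network(auth_prefix)
        if auth.version != net.version or not net.subnet_of(auth):
            continue
        covered = True
        if auth_asn == origin and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "unknown"

def apply_policy(updates, authorized=AUTHORIZED) -> dict:
    """Decide each received announcement (prefix, as_path). Policy, an assumption here:
    accept valid, reject invalid, accept unknown but keep the verdict for review."""
    decisions = {}
    for prefix, as_path in updates:
        verdict = validate_origin(prefix, origin_asn(as_path), authorized)
        decisions[prefix] = ("reject" if verdict == "invalid" else "accept", verdict)
    return decisions

# Constructed UPDATE stream: two clean routes, a more-specific announced under a /24 that
# only authorizes /24 (what a misconfiguration or a sub-prefix hijack looks like), an
# origin that is not authorized for the space, and a prefix nobody has registered.
SAMPLE_UPDATES = [
    ("192.0.2.0/24", [64496, 64500]),
    ("198.51.100.64/26", [64496, 64497, 64501]),
    ("192.0.2.0/25", [64496, 64500]),
    ("198.51.100.0/24", [64496, 64599]),
    ("203.0.113.0/24", [64496, 64502]),
    ("2001:db8:1::/48", [64496, 64500]),
]
```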

Note

Message or data injection refers to injecting arbitrary code or data into a system; it is used to compromise input validation techniques.

Multi Protocol Label Switching (MPLS) is often referred to as a layer 2.5 protocol, as it lies between layers 2 and 3 of the OSI model. It provides more reliability and supports T1, ATM, Frame Relay, and DSL.

Ethernet

This is a family of frame-based networking technologies that is used in Local Area Network (LAN). Ethernet operates in the Link layer as well as the Physical layer of the TCP/IP model. Ethernet initially used coaxial cables for networking. However, the present-day technologies include switches and twisted pair cabling.

Present-day switches can provide layer 3 functions such as support for routing protocols as well.

Ethernet technologies have predominantly replaced other LAN standards such as Token Ring, FDDI, and ARCNET.

Threats, vulnerabilities, attacks, and countermeasures

Threats in this layer include spoofing, while a common vulnerability is the reuse of frame buffers. Attacks such as eavesdropping and Denial of Service (DoS) are possible due to these vulnerabilities. Segmentation, filtering, and encryption act as countermeasures to such attacks.

The physical layer and security

The physical layer is the lowest layer in the OSI stack. It is concerned with the transmission of bits from one computer to another. The components in the physical layer provide the physical connection between computers. Transmitting and receiving signals as a bit stream is its primary function.

Some of the important components in this layer include RS-232, RJ45, 802.11a/b/g/n, Universal Serial Bus (USB), and Bluetooth.

Security in the physical layer predominantly deals with physical disconnections, damage to physical components, and theft.
