Lecture#4

The document outlines the course CSE345/545 on Network Basics and Security Concerns, taught by Dr. Arun Balaji Buduru. It covers key topics such as the OSI model, IP addressing (IPv4 and IPv6), DNS design and caching, security issues in TCP/IP, and the architecture of IPSec and firewalls. The document emphasizes the importance of understanding network protocols, their vulnerabilities, and the measures to secure them.

CSE345/545 - Winter 2025

Network Basics and Security Concerns

Dr. Arun Balaji Buduru


Founding Head, Usable Security Group (USG)
Associate Professor, Dept. of CSE | HCD, IIIT-Delhi, India
Visiting Faculty, Indiana University – Bloomington, USA
OSI Network Model

Encapsulation

- Each protocol has its own "envelope":
  - each protocol attaches its header to the packet
  - so we have a protocol wrapped inside another protocol
- each layer of header contains a protocol demultiplexing field to identify the "packet handler" the next layer up, e.g.,
  - protocol number
  - port number
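An added Python example (not from the lecture) that builds a constructed IPv4/TCP packet and then peels the envelopes layer by layer, using the IPv4 protocol number and the TCP destination port as the demultiplexing fields described above; the handler table stands in for an operating system's dispatch to protocol and application handlers.

```python
import struct

IP_PROTO_TCP = 6      # IPv4 "protocol" field: the demux key for the layer above
APP_HANDLERS = {22: "ssh", 80: "http", 443: "https"}   # TCP port: next demux key

def build_ipv4_tcp(src_port, dst_port, payload):
    """Constructed sample packet (not captured traffic): IPv4 + TCP + payload.
    Checksums stay zero because this packet is never put on the wire."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IP_PROTO_TCP, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

def demux(packet):
    """Peel one envelope per layer, reading each header's demux field to pick
    the handler for the layer above it."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]                     # protocol number (demux field 1)
    transport = packet[ihl:]
    if proto != IP_PROTO_TCP:
        return {"transport": proto, "handler": None}
    src_port, dst_port = struct.unpack("!HH", transport[:4])
    data_offset = (transport[12] >> 4) * 4   # TCP header length in bytes
    return {"transport": "tcp", "dst_port": dst_port,
            "handler": APP_HANDLERS.get(dst_port, "unknown"),   # demux field 2
            "payload": transport[data_offset:]}
```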
IP Addressing: Introduction

IPv4 Addressing

NAT
IPv6

- Initial motivation: 32-bit address space exhaustion
- Additional motivation:
  - header format helps speed processing/forwarding
  - fixed-length 40 byte header (0.06% overhead)
  - header checksum: removed entirely to reduce processing time at each hop
  - options: allowed, but outside of header, indicated by "next header" field
- header changes to facilitate QoS:
  - priority: identify priority among datagrams in flow (ToS bit)
  - flow label: identify datagrams in the same "flow" (concept of "flow" not well defined, originally these were "reserved" bits)
- Next header identifies "upper layer" protocol or IPv6 options:
  - hop-by-hop option, destination option, routing, fragmentation, authentication, encryption
IPv6 Addresses

- What does an IPv6 address look like?
  - 128 bits written as 8 16-bit integers separated by ':'
  - each 16-bit integer is represented by 4 hex digits
- Example: FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
- Abbreviations:
  - actual: 1080:0000:0000:0000:0008:0800:200C:417A
  - skip 0's: 1080:0:0:0:8:800:200C:417A
  - double '::': 1080::8:800:200C:417A
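An added Python example (not from the lecture) implementing the two abbreviation rules above: strip leading zeros from each 16-bit group, then replace the longest run of zero groups with '::' (leftmost run on ties, as RFC 5952 specifies). Canonicalising addresses this way matters when matching IPv6 addresses in ACLs and logs, where one address can be written many ways.

```python
import ipaddress

def groups(addr):
    """The 8 four-hex-digit groups of an IPv6 address (ipaddress does the parsing)."""
    return ipaddress.IPv6Address(addr).exploded.split(":")

def skip_zeros(addr):
    """Rule 1 on the slide: drop leading zeros in each group, keeping at least one digit."""
    return ":".join(g.lstrip("0") or "0" for g in groups(addr)).upper()

def compress(addr):
    """Rule 2: replace the longest run of two or more zero groups with '::'.
    On ties the leftmost run is used, as RFC 5952 requires."""
    gs = [g.lstrip("0") or "0" for g in groups(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < len(gs):
        if gs[i] != "0":
            i += 1
            continue
        j = i
        while j < len(gs) and gs[j] == "0":   # extend the run of zero groups
            j += 1
        if j - i > best_len:                   # strictly longer: leftmost wins ties
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                           # a single zero group is never '::'
        return ":".join(gs).upper()
    head = ":".join(gs[:best_start])
    tail = ":".join(gs[best_start + best_len:])
    return f"{head}::{tail}".upper()
```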

DNS Design Points

- DNS serves a core Internet function
  - hosts, routers, and name servers communicate to resolve names (name to address translation)
  - complexity at network's "edge"
- Why not centralize DNS?
  - single point of failure
  - traffic volume
  - performance: distant centralized database
  - maintenance
  - doesn't scale!
- DNS can be "exploited" for server load balancing
DNS Caching

- Once a (any) name server learns a mapping, it caches the mapping
  - to reduce latency in DNS translation
- Cache entries time out (disappear) after some time (TTL)
  - TTL assigned by the authoritative server responsible for the host name
- Local name servers typically also cache
  - TLD name servers, to reduce visits to root name servers
  - all other name server referrals
  - both positive and negative results
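An added Python model (not from the lecture) of the caching rules above: an entry lives for the TTL the authoritative server assigned and disappears afterwards, and negative answers (no such name) are cached as well. The zone data, clock and authoritative lookup function are constructed for the example.

```python
class DnsCache:
    """Resolver-side cache. Each entry carries the TTL set by the authoritative
    side; an answer of None records a negative result."""

    def __init__(self, clock):
        self.clock = clock                  # callable returning seconds
        self.entries = {}                   # (name, rtype) -> (answer, expiry)

    @staticmethod
    def _key(name, rtype):
        return (name.lower().rstrip("."), rtype.upper())   # names are case-insensitive

    def put(self, name, rtype, answer, ttl):
        self.entries[self._key(name, rtype)] = (answer, self.clock() + ttl)

    def lookup(self, name, rtype):
        """Return (hit, answer); answer is None for a cached negative result."""
        key = self._key(name, rtype)
        if key not in self.entries:
            return False, None
        answer, expiry = self.entries[key]
        if self.clock() >= expiry:          # TTL elapsed: the entry disappears
            del self.entries[key]
            return False, None
        return True, answer

def resolve(cache, name, rtype, authoritative):
    """Answer from the cache when possible; otherwise ask the authoritative
    source and cache whatever it returns, negative answers included."""
    hit, answer = cache.lookup(name, rtype)
    if hit:
        return answer, "cache"
    answer, ttl = authoritative(name, rtype)
    cache.put(name, rtype, answer, ttl)
    return answer, "authoritative"

# Constructed zone data for the example, not real DNS records.
ZONE = {("www.example.test", "A"): ("192.0.2.7", 300)}
NEGATIVE_TTL = 60    # how long a "no such name" answer may be cached

def fake_authoritative(name, rtype):
    """Stand-in for the authoritative server: (answer, ttl), None when absent."""
    return ZONE.get((name.lower().rstrip("."), rtype.upper()), (None, NEGATIVE_TTL))
```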

Security Issues in TCP/IP

- There are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations
- There are a variety of attacks based on these flaws; some of them are as follows:
  - Sequence number spoofing
  - Routing attacks
  - Authentication attacks
TCP Sequence Number Prediction

- The normal TCP connection establishment sequence involves a 3-way handshake.
- The exchange may be shown schematically as follows:

  C → S: SYN(ISN_C)
  S → C: SYN(ISN_S), ACK(ISN_C)
  C → S: ACK(ISN_S)
  C → S: data
  and/or
  S → C: data
TCP Sequence Number Prediction

- Suppose that there was a way for an intruder X to predict ISN_S
- In that case, it could send the following sequence to impersonate trusted host T:

  X → S: SYN(ISN_X), SRC = T
  S → T: SYN(ISN_S), ACK(ISN_X)
  X → S: ACK(ISN_S), SRC = T
  X → S: ACK(ISN_S), SRC = T, nasty-data
TCP Sequence Number Prediction

How, then, to predict the random ISN?

- If the initial sequence number variable is incremented by a constant amount once per second, one can initiate a legitimate connection to observe ISN_S and calculate, with a high degree of confidence, the ISN_S' used on the next connection attempt
- The TCP specification requires that this variable be incremented approximately 250,000 times per second
- Defense is due to high refresh rate
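An added simulation (not from the lecture) contrasting the predictable once-per-second generator described above with an RFC 6528 style generator, which adds a secret, per-connection keyed-hash offset to the 250,000/s clock: an observer who sees its own ISN can still extrapolate its own connections, but not those of the trusted host T, whose SYN/ACK it never receives. The step size, addresses, key and the choice of HMAC-SHA256 as the hash are constructed assumptions for the example.

```python
import hashlib, hmac, os

STEP_PER_SECOND = 128_000          # constructed step for the weak generator
SERVER = ("198.51.100.5", 25)      # constructed addresses for the simulation
OBSERVER = ("192.0.2.66", 40001)   # host that can see the ISNs of its own connections
TRUSTED = ("192.0.2.10", 1023)     # host T, whose ISNs must not be guessable

def weak_isn(t_seconds, client, server):
    """Generator the slide describes: a constant step once per second, identical
    for every 4-tuple, so one observed ISN reveals every later one."""
    return (STEP_PER_SECOND * t_seconds) & 0xFFFFFFFF

def predict_weak(observed_isn, seconds_later):
    return (observed_isn + STEP_PER_SECOND * seconds_later) & 0xFFFFFFFF

SECRET_KEY = os.urandom(16)        # per-boot secret; never leaves the server

def rfc6528_isn(t_seconds, client, server, key=SECRET_KEY):
    """RFC 6528 style: ISN = M + F(localip, localport, remoteip, remoteport,
    secretkey); M is the 4-microsecond (250,000/s) clock from the TCP spec and
    F a keyed hash. Assumption: HMAC-SHA256 truncated to 32 bits plays F."""
    m = int(t_seconds * 250_000) & 0xFFFFFFFF
    msg = f"{client[0]}:{client[1]}-{server[0]}:{server[1]}".encode()
    f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & 0xFFFFFFFF

def predict_rfc6528(observed_isn, seconds_later):
    """The only arithmetic available to an observer: add the clock advance.
    Right for the observer's own 4-tuple, useless for anyone else's."""
    return (observed_isn + int(seconds_later * 250_000)) & 0xFFFFFFFF

def prediction_succeeds(generator, predictor, target, t0=10, delay=2):
    """The observer sees its own ISN at t0 and guesses the ISN the server would
    assign to `target` at t0 + delay. Returns whether the guess is right."""
    seen = generator(t0, OBSERVER, SERVER)
    actual = generator(t0 + delay, target, SERVER)
    return predictor(seen, delay) == actual
```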
Routing attacks

- A number of the attacks described below can also be used to accomplish denial of service by confusing the routing tables on a host or gateway.
- Some of them are listed below:
  - Source Routing
  - Routing Information Protocol Attacks
  - Exterior Gateway Protocol

Security Issues in IP

- source spoofing
- replay packets
- no data integrity or confidentiality

- DOS attacks
- Replay attacks
- Spying
- and more...

Fundamental Issue: Networks are not (and will never be) fully secure
Goals of IPSec

- to verify sources of IP packets
  - authentication
- to prevent replaying of old packets
- to protect integrity and/or confidentiality of packets
  - data integrity/data encryption

(Figure: secure vs. insecure paths)
IPSec Architecture

(Figure: IPSec components)
- ESP: Encapsulating Security Payload
- AH: Authentication Header
- IPSec Security Policy
- IKE: The Internet Key Exchange
IPSec Architecture

- IPSec provides security in three situations:
  - host-to-host, host-to-gateway and gateway-to-gateway
- IPSec operates in two modes:
  - Transport mode (for end-to-end)
  - Tunnel mode (for VPN)

(Figure: Transport Mode between end hosts; Tunnel Mode between routers)
IPSec

- A collection of protocols (RFC 2401)
  - Authentication Header (AH): RFC 2402
  - Encapsulating Security Payload (ESP): RFC 2406
  - Internet Key Exchange (IKE): RFC 2409
  - IP Payload Compression (IPcomp): RFC 3137
ESP Packet Details

(Figure: ESP packet layout) Fields in order:
- IP header
- Security Parameters Index (SPI)
- Sequence Number
- Initialization vector
- TCP header and Data (the encrypted TCP packet)
- Pad, Pad length, Next header
- Authentication Data

The span from the SPI through the Next header field is authenticated; the TCP packet and padding are encrypted.
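An added Python example (not the lecture's code) of the receive-side processing implied by the ESP layout above and by the replay-prevention goal of IPSec: the SPI selects the security association, the Authentication Data (ICV) is verified, and the Sequence Number is checked against an RFC 4303 style sliding window so that a captured packet cannot be replayed. The SPI, key and packets are constructed, the ICV is a truncated HMAC-SHA256, and encryption is left out so the replay logic stays visible.

```python
import hashlib, hmac, struct

ICV_LEN = 16   # truncated HMAC-SHA256 stands in for the Authentication Data

def build_esp(spi, seq, payload, auth_key):
    """Constructed ESP-like packet: SPI, sequence number, payload, ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

class EspReceiver:
    """Inbound side of one SA with an RFC 4303 style anti-replay window."""

    def __init__(self, spi, auth_key, window=64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => seq (top - i) already accepted

    def _replay_check(self, seq):
        if seq == 0 or seq <= self.top - self.window:
            return False                       # invalid, or fell off the window
        if seq > self.top:
            return True                        # newer than anything seen
        return not (self.bitmap >> (self.top - seq)) & 1

    def _replay_update(self, seq):
        if seq > self.top:                     # slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:                                  # late but unseen: mark it
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet):
        """Return (accepted, reason). The window only moves after the ICV
        verifies, so forged packets cannot push genuine ones out of it."""
        if len(packet) < 8 + ICV_LEN:
            return False, "too short"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI"
        if not self._replay_check(seq):        # cheap check before the MAC
            return False, "replay or outside window"
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return False, "bad ICV"
        self._replay_update(seq)
        return True, "ok"
```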
How It Works

- IKE operates in two phases
  - Phase 1: negotiate and establish an auxiliary end-to-end secure channel
    - Used by subsequent phase 2 negotiations
    - Only established once between two end points!
  - Phase 2: negotiate and establish custom secure channels
    - Occurs multiple times
  - Both phases use Diffie-Hellman key exchange to establish a shared key
Firewalls

- Two primary types of firewalls are
  - packet filtering firewalls
  - proxy-server firewalls
- Sometimes both are employed to protect a network
- With a proxy-server based firewall, all network traffic in a host is routed through the proxy server
- Packet filtering firewalls, on the other hand, take advantage of the fact that direct support for TCP/IP is built into the kernels of all major operating systems now
Firewalls

- In Linux, a packet filtering firewall is configured with the iptables modules.
- In a Windows machine, graphical interfaces are provided through the Control Panel
- The latest packet filtering framework in Linux is known as nftables.
- Meant as a more modern replacement for iptables, nftables was merged into the Linux kernel mainline
Firewalls

- iptables supports four tables: filter, mangle, nat, and raw
Firewall Implementations

(Figure slides: firewall implementations)