37 Need for Security in Networks

epgp books

Outline

  • To learn about the OSI layers
  • To understand the differences between OSI and TCP/IP
  • To discuss the OSI layers and their security issues
  • To highlight the security problems in the TCP/IP protocol suite
  • To specify various attacks on the different layers

1. TCP/IP and Open Systems Interconnection (OSI) Model

The TCP/IP and Open Systems Interconnection (OSI) models define a networking framework for communication among devices and for implementing protocols in layers. The OSI model divides computer network architecture into seven layers. The lower layers, such as the physical and data link layers, deal with electrical signals, chunks of binary data, and the routing of these data across networks. The higher layers, from the network layer up to the application layer, include network requests and responses, the representation of data, and the network protocols that implement them.

The three lowest layers of the OSI model are referred to as the Media layers, while the remaining four are the Host layers. The layers are numbered 1 through 7 starting from the bottom, as shown in figure 1. The layers are:

  • Application (layer 7) – Network process to application. This end-user layer packages the data received from the Presentation layer in the format required by the application or end-user process that receives it. Examples include browsers, SMTP, HTTP and FTP. This layer also produces what is to be sent back to the Presentation layer.
  • Presentation (layer 6) – Data representation and encryption, including format conversions. Think of this layer as the translator. Examples include ASCII, TIFF, JPEG, MIDI and MPEG.
  • Session (layer 5) – Inter-host communication. This layer handles various kinds of exchanges and sends data to logical ports, including those used by NFS and SQL.
  • Transport (layer 4) – End-to-end connections and reliability. As the name implies, this layer moves data across network connections, most often using TCP. It also handles error recovery and re-transmissions.
  • Network (layer 3) – Path determination, IP and routing. Layer 3 packages data as packets and directs it along the correct physical path.
  • Data Link (layer 2) – This is the most complex layer in the OSI model, and it is sometimes divided into two sub-layers: one for media access control (MAC) and one for logical link control (LLC).
  • Physical (layer 1) – Media, signal and binary transmission. Examples include hubs, repeaters and Ethernet cables. Data is transmitted as electrical voltages, radio frequencies, infrared or ordinary light.

Layer 1 comprises the cabling and infrastructure used for networks. Attacks on layer 1 mainly concentrate on disrupting this service, essentially through Denial of Service (DoS) attacks.

2. Need for Security

The OSI and TCP/IP models were designed only for network connectivity; initially, a high degree of trust in the network environment was assumed. Host implementations carry further vulnerabilities because of software bugs, and some elements of the specification were left to the implementers.

OSI Layer and Security Issues

From figure 2, it is understood that the OSI model has various security issues at each layer, as described below:

Layer 1 refers to the physical part of networking, the cabling and infrastructure used for the network. Attacks on layer 1 concentrate on disrupting this service in any way possible, essentially resulting in Denial of Service (DoS) attacks. The disruption could be caused by physically cutting a cable or by interfering with a wireless link.

Layer 2 of the OSI model is the data link layer and concerns the methods for transmitting frames of data. Frequently this involves switches and protocols such as ARP, which is used throughout networks for dynamic IP-to-MAC address resolution; ARP and MAC spoofing are the typical attacks here. Defences include ARP inspection, disabling unused ports and enforcing strong security on VLANs.

Layer 3 is the network layer and uses various common protocols to route packets through networks. At this layer the attacker's arsenal comprises Internet Protocol (IP) attacks, packet sniffing and DoS attacks such as ping floods and ICMP attacks. Because of their layer 3 nature, these sorts of attacks can be performed remotely over the Internet.

Layer 4 is the transport layer and uses basic transport protocols to enable network communication, including the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). Port scanning, a technique by which the attacker identifies open ports, works at layer 4 of the OSI model. Deploying effective firewalls and securing ports can protect against the dangers at this level.

The layers above layer 4, the transport layer, take advantage of the applications and services running on the system. Vulnerabilities in applications can be abused through various attacks, for example SQL injection, where the developer has failed to ensure that user input is validated against attacks.

The attacker uses injected code to extract information from the database (e.g. SELECT * from USERS). As the application fails to validate this input, the command is run and the data extracted. To reduce this risk, the programmer must follow best-practice development guidelines during design.
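The SQL injection flaw described above, shown as an added example (not code from the module) against a constructed in-memory USERS table: the concatenated query leaks every row, while the parameterised query with an allow-list validator (an assumed policy for this example) treats the same input as a plain name.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory USERS table standing in for the page's example database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO USERS (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The query is assembled by string concatenation, so whatever the user types
    # becomes part of the SQL text: the developer mistake the text describes.
    sql = "SELECT * FROM USERS WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver binds the input as data, never as SQL,
    # so the string can only match a user literally named that way.
    return conn.execute("SELECT * FROM USERS WHERE name = ?", (name,)).fetchall()


NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # assumed allow-list policy for user names


def validate_name(name: str) -> str:
    # Input validation: reject anything outside the expected character set.
    if not NAME_RE.match(name):
        raise ValueError("invalid user name")
    return name


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: validate first, then bind the value as a parameter.
    return lookup_parameterised(conn, validate_name(name))


def demo() -> tuple:
    """Row counts for a normal name and for a constructed hostile input."""
    conn = make_db()
    hostile = "' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    return (len(lookup_vulnerable(conn, "alice")),      # 1: the expected single row
            len(lookup_vulnerable(conn, hostile)),      # 3: the whole table leaks
            len(lookup_parameterised(conn, hostile)))   # 0: input treated as a literal name
```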

Some of the known attacks in the TCP/IP model are:

  • IP Attacks
  • ICMP Attacks
  • Routing Attacks
  • TCP Attacks
  • Application Layer Attacks

The OSI model shows how systems communicate, from the wire through to the application. Understanding the importance of providing security at each layer is the basic goal for security engineers.

4. Ping flood

A ping flood, also known as an ICMP flood, is a straightforward DoS attack in which the attacker overwhelms the server until it goes down with a very high volume of ICMP echo request (ping) messages, as shown in figure 3. It is a commonly used mechanism to create a Denial of Service (DoS) condition: the attacker takes down a victim's computer by overwhelming it with ICMP echo requests, also known as pings.

ICMP attacks

The Smurf attack is a distributed DoS attack in which large numbers of Internet Control Message Protocol (ICMP) packets carrying the victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. By default, ICMP has no authentication. ICMP redirect messages are used to redirect packets to another gateway when the current one is unavailable. This can cause a host to switch gateways, which benefits an attacker who can divert traffic to an attacker-controlled server. Such attacks can be combined with man-in-the-middle attacks, sniffing, etc. In addition, ICMP destination unreachable messages can cause a host to drop a connection, and the attacker can use these messages to drop legitimate connections. In Distance Vector Routing, an attacker's router announcing a distance of 0 to all other nodes can create a black-hole attack on traffic and eavesdrop on messages over the transmission channels.

Routing Attacks

In networks, routers play an important role in routing packets along the best path. If a router is under the control of an intruder, they can modify the routing protocols, which can affect the entire network with severe security problems. In particular, in Link State Routing the attacker can drop links at random and can claim a direct link to any other router. Such attacks are, however, much harder to carry out than against Distance Vector routing protocols.

In the Border Gateway Protocol (BGP), an Autonomous System can announce arbitrary prefixes to routers in the domain, which causes route instability in the networks.

6. TCP Layer attacks

a. TCP SYN flooding exploits the state allocated at the server after the initial SYN packet. A client sends a SYN and does not reply with the ACK; the server then waits 511 seconds for the ACK. The server has a finite queue for incomplete connections, with a maximum size of 1024. Once the queue is full it does not accept further requests. An authentication server can provide an alternate path.
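The half-open connection queue described in (a), as an added simulation (not code from the module) using the figures given above, a 1024-entry queue and a 511 second wait: a flood of SYNs that never complete the handshake fills the queue, a legitimate SYN is dropped while it is full, and the same client succeeds once the stale entries have timed out. The queue model and the addresses are assumptions for the example, not a real TCP stack.

```python
from collections import OrderedDict

SYN_TIMEOUT = 511   # seconds the server waits for the final ACK (figure from the text)
QUEUE_MAX = 1024    # maximum number of incomplete connections (figure from the text)


class HalfOpenQueue:
    """Simplified model of the server-side queue of connections that have
    received a SYN but not yet the client's ACK (assumed model, not real TCP)."""

    def __init__(self, timeout: int = SYN_TIMEOUT, capacity: int = QUEUE_MAX):
        self.timeout = timeout
        self.capacity = capacity
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived

    def _expire(self, now: int) -> None:
        # Entries are in arrival order, so drop from the front until one is still fresh.
        while self.pending:
            key, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout:
                break
            del self.pending[key]

    def on_syn(self, src: tuple, now: int) -> bool:
        """Return True if the SYN is queued, False if the queue is full and it is dropped."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src: tuple) -> bool:
        # Handshake completes: the entry leaves the half-open queue.
        return self.pending.pop(src, None) is not None


def simulate_flood(n_bogus: int = QUEUE_MAX) -> tuple:
    """Constructed flood: n_bogus SYNs at t=0 from sources that never send an ACK."""
    q = HalfOpenQueue()
    for i in range(n_bogus):
        q.on_syn(("10.0.0.%d" % (i % 254 + 1), 40000 + i), now=0)
    during = q.on_syn(("192.0.2.10", 5555), now=1)             # legitimate client: rejected
    after = q.on_syn(("192.0.2.10", 5555), now=SYN_TIMEOUT)    # retry after the timeout: accepted
    return during, after, len(q.pending)
```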

b. TCP session poisoning is the process of sending a RST packet to the server, which then tears down the connection with the client. Does the attacker have to guess the exact sequence number? No: anywhere in the window is fine, so for a 64k window it takes 64k packets to reset the connection, about 15 seconds over a T1 connection. Applications do not authenticate properly.

Security Flaws in IP

Basically, the Internet Protocol (IP) is used at the network layer without any additional security features. The source IP address is filled in by the originating host during transmission. Forming Internet Protocol (IP) packets with a false source IP address, with the goal of concealing the identity of the sender, is known as spoofing. IP address spoofing is one of the most common attacks on IP packets. Using the source address for authentication, as tools such as the r-utilities (rlogin, rsh, rhosts, etc.) do, is exposed to these kinds of attacks. Another type of attack on IP is the IP fragmentation attack, which exploits the fact that end hosts need to keep fragments until all the fragments have arrived.

IP fragmentation attack

A Tiny Fragment attack exploits IP fragmentation, which is the process of breaking a single Internet Protocol (IP) datagram into multiple packets of small size. Each network interface has a characteristic maximum size of message that may be transmitted, called the maximum transmission unit (MTU).

Traffic amplification attack

SPOOFING ATTACK: IP, DNS & ARP

What is a Spoofing Attack?

In a spoofing attack, a malicious party impersonates another device or user to launch attacks against network hosts, steal data, spread malware or bypass access controls. There are several different types of spoofing attacks; some of the most common are IP address spoofing, ARP spoofing and DNS server spoofing.

 

IP Address Spoofing Attacks

IP address spoofing is one of the spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets with a false source address. Denial-of-service attacks often use IP spoofing to overload networks with packets that appear to come from legitimate IP addresses. IP spoofing can also be used to bypass IP address-based authentication. Such spoofing is very difficult to detect.

ARP Spoofing Attacks

ARP (Address Resolution Protocol) is the protocol used to resolve IP addresses to MAC (Media Access Control) addresses for transmitting data. In an ARP spoofing attack, a malicious user sends spoofed ARP messages across a local area network in order to link the attacker's MAC address with the IP address of a legitimate member of the network.
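A detection check for the ARP spoofing described above, added as an example (not code from the module): it walks a constructed log of ARP replies in tcpdump-style notation, keeps the IP-to-MAC bindings it has seen, and raises an alert when a known IP suddenly advertises a different MAC or when one MAC claims the IPs of several hosts. The log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump-style ARP reply notation, not a real capture.
# The third and fourth replies rebind two hosts' IPs to one new MAC.
SAMPLE_ARP_LOG = """\
10:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01
10:00:02 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20
10:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:06 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:09 ARP, Reply 192.168.1.30 is-at 00:11:22:33:44:30
"""

ARP_REPLY = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$", re.I)


def detect_arp_spoofing(log: str) -> list:
    """Return alerts for IPs whose advertised MAC changes and for MACs that
    claim more than one IP (an attacker's MAC bound to victims' addresses)."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for line in log.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue                # not an ARP reply: ignore
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # The binding for this IP moved to a different hardware address.
            alerts.append((ts, "MAC_CHANGE", ip, known, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            # One hardware address is answering for several hosts.
            alerts.append((ts, "MAC_CLAIMS_MANY", mac, sorted(mac_to_ips[mac])))
    return alerts
```

A router or a host with several virtual IPs will legitimately trip the second rule, so in practice the check is tuned against a table of known-good bindings.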

 

DNS Server Spoofing Attacks

The Domain Name System (DNS) associates domain names with IP addresses. Devices that connect to the internet rely on DNS to resolve URLs, email addresses and other human-readable domain names into their corresponding IP addresses. In a DNS spoofing attack, a malicious node modifies the DNS server in order to redirect a specific domain name to a different IP address. DNS server spoofing attacks are used to spread computer worms and viruses.

 

Spoofing Attack Prevention and Mitigation

There are many tools that can be employed to reduce the threat of spoofing attacks. Common measures for spoofing attack prevention include:

Packet filtering: Packet filters inspect packets as they are transmitted through a network. They are useful in preventing IP address spoofing attacks, as they can filter out and block packets with conflicting source addresses: packets arriving from outside the network that carry source addresses from inside the network, and vice versa.

Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communication protocols prevent spoofing by encrypting data and authenticating it as it is received.
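The packet-filtering measure above, written out as an added example (not code from the module): a border rule that drops inbound packets claiming an inside source address, outbound packets carrying an outside source, and sources that can never be valid on the wire. The internal address ranges and the packet headers are assumptions constructed for the example.

```python
import ipaddress

# Assumed internal address space of the protected network (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction: str, src: str, dst: str) -> str:
    """Border anti-spoofing rule. direction is 'in' (arriving from outside)
    or 'out' (leaving the network). Returns 'ACCEPT' or 'DROP'.
    The destination is carried for realism but this rule only needs the source."""
    s = ipaddress.ip_address(src)
    # Addresses that can never be a legitimate source are dropped in either direction.
    if s.is_loopback or s.is_unspecified or s.is_multicast:
        return "DROP"
    if direction == "in" and is_internal(src):
        return "DROP"    # ingress filtering: outside packet claiming an inside source
    if direction == "out" and not is_internal(src):
        return "DROP"    # egress filtering: our hosts must not emit a forged outside source
    return "ACCEPT"


# Constructed packet headers: (direction, source, destination).
SAMPLE_PACKETS = [
    ("in",  "203.0.113.5",  "10.1.2.3"),     # normal inbound traffic
    ("in",  "10.1.2.3",     "10.1.2.4"),     # inbound with an inside source: spoofed
    ("in",  "127.0.0.1",    "10.1.2.4"),     # loopback source from the wire: never valid
    ("out", "10.1.2.3",     "203.0.113.5"),  # normal outbound traffic
    ("out", "198.51.100.7", "203.0.113.5"),  # outbound with a forged outside source
]


def apply_filter(packets) -> list:
    """Verdict for each header, in order."""
    return [filter_packet(*p) for p in packets]
```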

13. Denial of Service (DoS)

In a DoS attack, the attacker floods a server with packets. The aim is to overload the targeted server's resources and bandwidth, so that the server becomes inaccessible to legitimate clients.

 

 

14. Distributed Denial of Service (DDoS)

DDoS is short for Distributed Denial of Service. A DDoS attack is a type of DoS attack in which multiple compromised hosts, often infected with a Trojan horse, are used to target a single system, causing a Denial of Service (DoS). The victims of a DDoS attack include both the targeted end system and all systems maliciously used and controlled by the attacker in the distributed attack.

Summary

  • TCP/IP security vulnerabilities
  • Spoofing
  • Flooding attacks
  • TCP session poisoning
  • DoS and DDoS
