Network Security at OSI Layers

Muhammad Muzammil
Syed Zeeshan Nasir
Department of Computer Science, FUUAST, Islamabad

1-OSI Model:

In 1983, the International Organization for Standardization (ISO) and the International Telegraph and Telephone Consultative Committee (CCITT) merged documents and developed the OSI model, which is based on a specific hierarchy where each layer builds on the output of each adjacent layer. The OSI model is a protocol stack where the lower layers deal primarily with hardware, and the upper layers deal primarily with software. The OSI model's seven layers are designed so that control is passed down from layer to layer. The seven layers of the OSI model are shown:

Layers          Functionality
Application     Application support such as File Transfer Protocol (FTP), Telnet, and Hypertext Transfer Protocol (HTTP)
Presentation    Encryption, Server Message Block (SMB), American Standard Code for Information Interchange (ASCII), and formatting
Session         Data flow control, startup, shutdown, and error detection/correction
Transport       End-to-end communications, UDP and TCP services
Network         Routing and routable protocols such as IP and Open Shortest Path First (OSPF); path control and best effort at delivery
Data link       Network interface cards, Media Access Control (MAC) addresses, framing, formatting, and organizing data
Physical        Transmission media such as twisted-pair cabling, wireless systems, and fiber-optic cable

1.2-Functions of OSI Model:

The OSI model functions as follows:
1. Information is introduced into the application layer and passed down until it ends up at the physical layer.
2. Next, it is transmitted over the physical medium (i.e., wire, coax, or wireless) and sent to the target device.
3. Once at the target device, it proceeds back up the stack to the application layer.
1.3-Explanation of Layers:

The Application Layer:
Layer 7 is known as the application layer. Recognized as the official top layer of the OSI model, this layer serves as the window for application services.

The Presentation Layer:
Layer 6 is known as the presentation layer. The main purpose of the presentation layer is to deliver and present data to the application layer. This data must be formatted so that the application layer can understand and interpret it. The presentation layer is responsible for items such as:
• Encryption and decryption of messages
• Compression and decompression of messages, format translation
• Handling protocol conversion

The Session Layer:
Layer 5 is known as the session layer. Its purpose is to allow two applications on different computers to establish and coordinate a session. It is also responsible for managing the session while information and data are being moved. When a data transfer is complete, the session layer tears down the session. Session-layer protocols include:
• Remote Procedure Call (RPC)
• Structured Query Language (SQL)

The Transport Layer:
Layer 4 is known as the transport layer. Whereas the application, presentation, and session layers are primarily concerned with data, the transport layer is focused on segments. Depending on the application protocol being used, the transport layer can send data either quickly or reliably. Transport layer responsibilities include end-to-end error recovery and flow control. The two primary protocols found on this layer include:
• TCP: A connection-oriented protocol; provides reliable communication using handshake acknowledgments, error detection, and session teardown.
• UDP: A connectionless protocol; offers speed and low overhead as its primary advantage.

The Network Layer:
Layer 3 is known as the network layer, which is fixed to software and deals with packets. The network layer is the home of IP, which offers best effort at delivery and seeks to find the best route from the source to the target network. Network-layer components include:
• Routers
• Stateless inspection/packet filters

The Data Link Layer:
Layer 2 is known as the data link layer and is focused on traffic within a single local area network (LAN). The data link layer formats and organizes the data before sending it to the physical layer. Because it is a physical scheme, hard-coded Media Access Control (MAC) addresses are typically used. The data link layer organizes the data into frames. When a frame reaches the target device, the data link layer strips off the data frame and passes the data packet up to the network layer. Data-link-layer components include:
• Bridges
• Switches
• Network Interface Card (NIC)
• MAC addresses
The Physical Layer:
Layer 1 of the OSI model is known as the physical layer. Bit-level communication takes place at layer 1. Bits have no defined meaning on the wire; however, the physical layer defines how long each bit lasts and how it is transmitted and received. Physical layer components include copper cabling, fiber cabling, wireless system components, and Ethernet hubs. The physical layer in this book has been extended to include:
• Perimeter security
• Device security
• Identification and authentication

2-Attacks at OSI Layers:

Let us look at the attacks on all layers of the OSI model.

The Application Layer:
Most of the applications listed in this section are totally insecure because they were written for a different time. Here's a short list of some of the insecure applications and high-level protocols:

FTP:
FTP is a TCP service that operates on ports 20 and 21 and is used to move files from one computer to another. Port 20 is used for the data stream, and transfers the data between the client and the server. Port 21 is the control stream, and is used to pass commands between the client and the FTP server. Attacks on FTP target misconfigured directory permissions and compromised or sniffed clear text passwords. FTP is one of the most commonly hacked services.

Telnet:
Telnet is a TCP shell service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. While Telnet can be configured to allow unidentified connections, it should also be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task.

Simple Mail Transfer Protocol (SMTP):
This application is a TCP service that operates on port 25, and is designed to exchange electronic mail between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing and spamming are two of the vulnerabilities associated with SMTP.

Domain Name Service (DNS):
This application operates on port 53, and performs address translation. DNS converts fully qualified domain names (FQDNs) into a numeric IP address and converts IP addresses into FQDNs. DNS uses UDP for DNS queries and TCP for zone transfers. DNS is subject to poisoning and, if misconfigured, can be solicited to perform a full zone transfer.

Trivial File Transfer Protocol (TFTP):
TFTP operates on port 69, and is a connectionless version of FTP that uses UDP to reduce overhead and reliability. It does
so without TCP session management or authentication, which can pose a big security risk. It is used to transfer router configuration files and to configure cable modems. People hacking those cable modems are known as uncappers.

Hypertext Transfer Protocol (HTTP):
HTTP is a TCP service that operates on port 80. HTTP helped make the Web the popular service that it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request-response protocol where a client sends a request and a server sends a response. Attacks that exploit HTTP can target the server, browser, or scripts that run on the browser. Nimda is an example of code that targeted a Web server.

Simple Network Management Protocol (SNMP):
SNMP is a UDP service that operates on ports 161 and 162, and was designed to be an efficient and inexpensive way to monitor networks. The SNMP protocol allows agents to gather information (e.g., network statistics) and report back to their management stations. Some of the security problems that plague SNMP are caused by the fact that community strings are passed as cleartext and the default community strings (public/private) are well known. SNMP version 3 is the most current and offers encryption for more robust security.

The Session Layer:
There is a weakness in the security controls at the presentation and session layers. Let's look at the Windows NT LanMan (NTLM) authentication system. Originally developed for Windows systems and then revised for Windows NT post service pack 2 systems, this security control proved to be an example of weak encryption (i.e., many passwords encrypted with this system could be cracked in less than 1 second because of the way Microsoft stored the hashed passwords). An NTLM password is uppercase, padded to 14 characters, and divided into seven-character parts. The two hashed results are concatenated and stored as a LAN Manager (LM) hash, which is stored in the SAM. The session layer is also vulnerable to attacks such as session hijacking. Network Basic Input/Output System (NetBIOS) is another service located in this area of the stack.

NetBIOS was developed for IBM and adopted by Microsoft, and has become an industry standard. It allows applications on different systems to communicate through the LAN. On LANs, hosts using NetBIOS systems identify themselves using a 15-character unique name. Since NetBIOS is non-routable, Microsoft adapted it to run over Transmission Control Protocol/Internet Protocol (TCP/IP).

NetBIOS is used in conjunction with SMB, which allows for the remote access of shared directories and files. This key feature of Windows makes file and print sharing and the Network Neighborhood possible. It also introduced other potential vulnerabilities into the stack by giving attackers the ability to enumerate systems and gather user names and accounts, and share information. Almost every script kiddie and junior league hacker has exploited the net use command.

The Transport Layer:
The transport layer is common with vulnerabilities, because it is the home of UDP and TCP. Because UDP is connectionless, it's open for attackers to use for a host of denial of service (DoS)
attacks. It's also easy to spoof and requires no confirmation. TCP is another used and abused protocol. Port scanning and TCP make the hacker trade possible. Before a hacker can launch an attack, he or she must know what is running and what to target. TCP makes this possible. From illegal flag settings, NULL, and XMAS, to more common synchronous (SYN) and reset (RST) scans, TCP helps attackers identify services and operating systems.

The Physical Layer:
An attacker gaining access to the telecommunications closet, an open port in the conference room, or an unused office, could be the foothold needed to breach the network or, even worse, gain physical access to a server or piece of equipment. It's a generally accepted fact that if someone gains physical access to an item, they can control it.
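The transport-layer reconnaissance just described (illegal flag settings, SYN and RST sweeps) is also what a defender's IDS looks for. The following is an added example, not code from the paper: a small detector run over connection records that flags TCP flag combinations no legitimate stack emits (NULL, XMAS, SYN+FIN) and a single source touching many distinct ports inside a short window. The record format, the thresholds and the traffic itself are constructed for the example.

```python
"""Added example (not from the paper): scan detection over connection
records, the way an IDS would run it. Records and thresholds are constructed."""
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int):
    """Return a label for an illegal flag combination, or None if it is sane."""
    if flags == 0:
        return "NULL"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "XMAS"
    if flags & SYN and flags & FIN:
        return "SYN-FIN"
    return None


def detect_scans(records, window=10.0, port_threshold=15):
    """records: iterable of (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
    Returns a list of alert tuples; one port-sweep alert per source per burst."""
    alerts = []
    recent = defaultdict(list)          # src -> [(ts, (dst, port)), ...] inside the window
    for ts, src, dst, dport, flags in sorted(records):
        label = classify_flags(flags)
        if label:
            alerts.append(("illegal-flags", src, label, dport))
        hits = recent[src]
        hits.append((ts, (dst, dport)))
        while hits and hits[0][0] < ts - window:   # expire events older than the window
            hits.pop(0)
        distinct = {target for _, target in hits}
        if len(distinct) >= port_threshold:
            alerts.append(("port-sweep", src, len(distinct), ts))
            hits.clear()                 # one alert per burst, then start counting again
    return alerts


def sample_records():
    """Constructed traffic: one sweeping host, one normal client, one probe
    sending malformed flags."""
    recs = []
    # 10.0.0.5 walks ports 1..20 on 10.0.0.100 with plain SYNs in two seconds
    recs += [(p / 10, "10.0.0.5", "10.0.0.100", p, SYN) for p in range(1, 21)]
    # 10.0.0.7 is a normal client: repeated SYNs to 80 and 443 only
    recs += [(5.0 + i, "10.0.0.7", "10.0.0.100", 80 if i % 2 else 443, SYN) for i in range(6)]
    # 10.0.0.9 sends a NULL and an XMAS probe to port 22
    recs += [(30.0, "10.0.0.9", "10.0.0.100", 22, 0),
             (30.5, "10.0.0.9", "10.0.0.100", 22, FIN | PSH | URG)]
    return recs


def analyze_sample():
    return detect_scans(sample_records())


if __name__ == "__main__":
    for alert in analyze_sample():
        print(alert)
```

The sweep rule counts distinct (destination, port) targets rather than packets, so a busy but legitimate client hitting two ports many times never trips it, while a host stepping through ports does; the flag rule needs no window at all, since the combinations it matches have no legitimate sender.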
The Network Layer:
At the network level are services such as IP and ICMP. IPv4 has no security services built in, which is why Internet Protocol Security (IPSec) (a component of IPv6) was developed. Without IPSec, IP can be targeted for many types of attacks (e.g., DoS), abused through source routing, and tricked into zombie scanning ("IPID Scan"). While ICMP was developed for diagnostics and to help with logical errors, it is also the target of misuse. ICMP can be used to launch Smurf DoS attacks or can be subverted to become a covert channel with programs such as Loki.

The Data Link Layer:
The dangers are real at the data link layer. Conversion from logical to physical addressing must be done between the network and data link layers. Address Resolution Protocol (ARP) resolves logical to physical addresses. While critical for communication, it is also used by attackers to bypass switches and monitor traffic, which is known as ARP poisoning. Even without ARP poisoning, passive sniffing can be a powerful tool if the attacker positions himself or herself in the right place on the network.

3-Countermeasures Found in Each Layer:

Security countermeasures are the controls used to protect the confidentiality, integrity, and availability of data and information systems. There is a wide array of security controls available at every layer of the stack. Overall security can be greatly enhanced by adding additional security measures, removing unneeded services, hardening systems, and limiting access.

• Virus Scanners: Antivirus programs can use one or more techniques to check files and applications for viruses. While virus programs didn't exist as a concept until 1984, they are now a persistent and constant problem, which makes maintaining antivirus software a requirement. These programs use a variety of techniques to scan and detect viruses, including signature scanning, heuristic scanning, integrity checks, and activity blocking.
• Pretty Good Privacy (PGP): In 1991, Phil Zimmermann initially developed PGP as a free e-mail security application, which also made it possible to encrypt files and folders. PGP works by using a public-private key system that uses the International Data Encryption Algorithm (IDEA) to encrypt files and email messages.
• Secure Multipurpose Internet Mail Extensions (S/MIME): S/MIME secures e-mail by using X.509 certificates for authentication. The Public Key Cryptographic Standard is used to provide encryption, and can work in one of two modes: signed and enveloped. Signing provides integrity and authentication. Enveloped provides confidentiality, authentication, and integrity.
• Privacy Enhanced Mail (PEM): PEM is an older e-mail security standard that provides encryption, authentication, and X.509 certificate-based key management.
• Secure Shell (SSH): SSH is a secure application layer program with different security capabilities than FTP and Telnet. Like the two aforementioned programs, SSH allows users to remotely log into computers and access and move files. The design of SSH means that no clear text usernames/passwords can be sent across the wire. All of the information flowing between the client and the server is encrypted, which means network security is greatly enhanced. Packets can still be sniffed but the information within the packets is encrypted.
• Secure Electronic Transmission (SET): SET is a protocol standard that was developed by MasterCard, VISA, and others to allow users to make secure transactions over the Internet. It features digital certificates and digital signatures, and makes use of Secure Sockets Layer (SSL).
• Terminal Access Controller Access Control System (TACACS): Available in several variations, including TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS is a centralized access control system that provides authentication, authorization, and auditing (AAA) functions.
• Kerberos: Kerberos is a network authentication protocol created by the Massachusetts Institute of Technology (MIT) that uses secret-key cryptography and facilitates single sign-on. Kerberos has three parts: a client, a server, and a trusted third party to mediate between them.
• SSL: Netscape Communications Corp. initially developed SSL to provide security and privacy between clients and servers over the Internet. It's application-independent and can be used with HTTP, FTP, and Telnet. SSL uses Rivest, Shamir, & Adleman (RSA) public key cryptography and is capable of client authentication, server authentication, and encrypted SSL connections.
• Transport Layer Security (TLS): TLS is similar to SSL in that it is application independent. It consists of two sublayers: the TLS record
protocol and the TLS handshake protocol.
• Windows Sockets (SOCKS): SOCKS is a security protocol developed and established by Internet standard RFC 1928. It allows client-server applications to work behind a firewall and utilize their security features.
• IPSec: IPSec is the most widely used standard for protecting IP datagrams. Since IPSec can be applied below the application layer, it can be used by any or all applications and is transparent to end users. It can be used in channel mode or transport mode.
• Point-to-Point Tunneling Protocol (PPTP): Developed by a group of vendors including Microsoft, 3Com, and Ascend, PPTP is comprised of two components: the transport that maintains the virtual connection and the encryption that ensures confidentiality. PPTP is widely used for virtual private networks (VPNs).
• Challenge Handshake Authentication Protocol (CHAP): CHAP is an improvement over previous authentication protocols such as Password Authentication Protocol (PAP), where passwords are sent in clear text. CHAP uses a predefined secret and a pseudo-random value that is used only once. This facilitates security because the value is not reused and the hash cannot be reverse-engineered.
• Wired Equivalent Privacy (WEP): While not perfect, WEP attempts to add some measure of security to wireless networking. It is based on the RC4 symmetric encryption standard and uses either 64-bit or 128-bit keys. A 24-bit Initialization Vector (IV) is used to provide randomness; therefore, the "real key" may be no more than 40 bits long. There have been many proven attacks based on the weaknesses of WEP.
• Wi-Fi Protected Access (WPA): WPA was developed as a replacement for WEP. It delivers a more robust level of security. WPA uses Temporal Key Integrity Protocol (TKIP), which scrambles the keys using a hashing algorithm and adds an integrity-checking feature that verifies that the keys haven't been tampered with. Next, WPA improves on WEP by increasing the IV from 24 bits to 48 bits. WPA also prevents rollover (i.e., key reuse is less likely to occur). Finally, WPA uses a different secret key for each packet.
• Packet Filters: Packet filtering is configured through access control lists (ACLs). ACLs allow rule sets to be built that will allow or block traffic based on header information. As traffic passes through the router, each packet is compared to the rule set and a decision is made whether the packet will be permitted or denied.
• Network Address Translation (NAT): NAT can be used to translate between private and public addresses. Private IP addresses are those considered non-routable (i.e., public Internet routers will not route traffic to or from addresses in these ranges).
• Fiber Cable: The type of transmission media used can make a difference in security. Fiber is much more secure than wired alternatives
and unsecured wireless transmission methods.
• Secure Coding: It is more cost-effective to build secure code up front than to try and go back and fix it later. Just making the change from C to a language such as .NET or C# can have a big security impact. The drive for profits and the additional time that QA for security would introduce cause many companies not to invest in secure code.

4-Defending the Physical Layer:

There is no security protocol that will defend the physical layer, but several natural methods are utilized to perform our job.

The security controls on the physical layer have three primary goals:
• Deter (Discourage): Two methods used to deter intruders are security lighting and "Beware of Dog" signs.
• Delay: Some of the techniques used to delay an intruder include fences, gates, locks, access controls, and mantraps.
• Detect: Two systems used to detect intruders are intrusion detection systems (IDSes) and alarms.

Physical security focuses on intruders and thieves. Some of the main security concerns are as follows:

Identification and Authentication:
Identification is the process of identifying yourself, and is commonly performed by entering a username. Authentication is the process of proving your identity. Various authentication schemes have been developed over the years and can be divided into three broad categories:
• Something You Know: Passwords
• Something You Have: Tokens, smart cards, and certificates
• Something You Are: Biometrics

5-Defending the Data-Link Layer:

Protocols defined at this layer provide security.

Ethernet LAN Security:
The Ethernet LAN has many security weaknesses when facing attacks externally and internally. Security measures must be taken to ensure a secured environment for communications over the Ethernet LAN. The following are some key risks in an Ethernet LAN:

• The primary weakness with Ethernet is that it is a broadcast system. Every message sent out by any computer on an Ethernet LAN segment reaches all parts of that segment and potentially could be read by any computer on the segment. Sniffing-type programs can record, read and analyze all the messages on a segment. Actually, others can read your password and subsequently log in to any account. They can also change the information and forge totally different messages.
• Peer-to-Peer networking systems (both Windows and Macintosh
AppleTalk) for Workgroups allow people on the network to share files and printers, which open up your files to anyone using another computer in the group.
• Some applications, such as an FTP program which allows you to get files from and send files to another computer, may have an option in their configuration which allows other computers to get into your computer and have access to your files while the program is running.
• It is relatively easy in an Ethernet LAN to fake an email message and other messages which purport to come from someone else. It is also possible to fake a login session by recording a legitimate one and running the recording later on.

There are many hardware and software solutions to address the above Ethernet LAN security issues:

Hardware Solutions for Ethernet LAN Security

• Use a switched network: A switch can segregate a network into many parts, which can effectively prevent snooping and sniffing on a network. These switches also reduce network traffic by limiting messages to only the parts of the network on which they are needed, to improve the efficiency of the whole network.
• Bridges and Routers: Bridges and routers are electronic filters which only pass a network message through themselves if the destination lies on the other side of the filter. Consequently, if "the snooper" is on one side of a bridge or router they will not see any traffic passing between computers on the other side of the filter.
• LAN Security Architecture (LSA): a proprietary technique where twisted pair hubs inspect incoming messages and will only transmit them unscrambled to the destination computer. All other computers on the hub receive scrambled messages.

Software Solutions for Ethernet LAN Security

• Encryption: Encrypting the data passing between your computer and its destination. There are many encryption technologies and products available which effectively protect information and data privacy. A popular encryption method used is PGP (Pretty Good Privacy).
• Authentication: Use user name and password to authenticate users. It is necessary to encrypt the password and implement timestamps, making forgery extremely difficult.
• Combination technologies: Many new technologies are available which do both authentication and encryption. One such technology is Kerberos, which uses tokens, timestamps, tickets and encryption to make transactions between computers secure.

VLAN: Virtual Local Area Network and IEEE 802.1Q
Virtual LAN (VLAN) refers to a group of logically networked devices on one or more LANs that are configured so that they can communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical instead of physical connections, it is very flexible for user/host management, bandwidth allocation and resource optimization.

There are the following types of Virtual LANs:

1. Port-Based VLAN: each physical switch port is configured with an access list specifying membership in a set of VLANs.
2. MAC-based VLAN: a switch is configured with an access list mapping individual MAC addresses to VLAN membership.
3. ATM VLAN: using the LAN Emulation (LANE) protocol to map Ethernet packets into ATM cells and deliver them to their destination by converting an Ethernet MAC address into an ATM address.

ARP:
Address Resolution Protocol

Types of ARP Attacks:
There are many ways an attacker can gain access to or exploit your system. It is not important how an attacker gains access into the system. Once the intruder breaks into your system he can use it according to his way. Following are some types of attacks that can result from ARP Spoofing:
• Man-in-the-Middle (MIM)
• Denial of Services (DoS)
• Session Hijacking
• Sniffing (Passwords, Sensitive information, Information gathering)
• Broadcast Attacks

• Man-In-the-Middle (MIM) Attack:
Man-in-the-Middle (MIM) is a very common type of attack, in which an attacker inserts his computer between the communication paths of two target computers by sniffing packets from the network, modifying them and then inserting them back into the network.
• Denial of Services (DoS) Attack:
A "Denial of Service (DoS)" attack is a flood of packets that consumes network resources and causes deadlock.
• Session Hijacking:
Session Hijacking is a process by which an attacker sees/listens to an active TCP connection between two other hosts and then inserts fake packets (in one or both directions) and takes control of the connection. This method is similar to the MIM attack.
• Sniffing (Passwords, Sensitive Information and Information Gathering):
Sniffing is a process of monitoring all information or reading the packets that are being transmitted on a network. An attacker can sniff network traffic and can also passively intercept network traffic. Then, through packet analysis, he might be able to determine login IDs and passwords and collect other sensitive data. There are so many tools available for sniffing, like Hunt, Sniffit, Ettercap, Snort and Dsniff. They work as follows:
a) Ethernet was built around a "shared" principle: all machines on a local network share the same wire.
b) This implies that all machines are able to "see" all the traffic on the same wire.
c) Thus, Ethernet hardware is built with a "filter" that ignores all traffic that doesn't belong to it. It does this by ignoring all frames whose MAC address doesn't match.
• Broadcast Attacks:
This technique is used to send a large amount of ICMP echo request (Ping) traffic to all known IP broadcast addresses with the spoofed source address of the victim.

Strategy to overcome the constraints:

• Network Analyzer Tools and Sniffers:
They allow you to inspect network traffic at every level of the network stack in various degrees of detail.
• Encryption:
Encryption is an effective way to defend against sniffing and ARP spoofing. Encryption prevents any non-authorized party from reading or changing data.
• Intrusion Detection Systems (IDS):
IDSs identify attackers' attempts to attack or break into the network and misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers. Port scans and Denial-of-Service attacks are an ongoing threat.

6-Defending the Network Layer:

Every layer of communication has its own unique security challenges. The Network Layer is especially weak for many Denial of Service attacks and information privacy problems. The most popular protocol used in the network layer is IP (Internet Protocol). The following are the key security risks at the Network Layer associated with IP:

• IP Spoofing: The intruder sends messages to a host with an IP address (not its own IP address) indicating that the message is coming from a trusted host to gain unauthorized access to the host or other hosts. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
• Routing (RIP) attacks: Routing Information Protocol (RIP) is used to distribute routing information within networks, such as shortest paths, and advertising routes out from the local network. RIP has no built-in authentication, and the information provided in a RIP packet is often used without verifying it.
• ICMP Attacks: ICMP is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service, or allowing the attacker to intercept packets. Denial of service attacks primarily use either the ICMP "Time exceeded" or "Destination unreachable" message. Both of these ICMP messages can cause a host to immediately drop a connection.
• PING Flood (ICMP Flood): PING is one of the most common uses of ICMP, which sends an ICMP "Echo Request" to a host, and waits for that host to send back an ICMP "Echo Reply" message. The attacker
simply sends a huge number of "ICMP Echo Requests" to the victim to cause its system to crash or slow down. This is an easy attack because many ping utilities support this operation, and the hacker doesn't need much knowledge.
• Packet Sniffing: Because most network applications distribute network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. A packet sniffer can provide an attacker with information that is queried from the database, as well as the user account names and passwords used to access the database. This causes serious information privacy problems as well as providing tools for crimes.

IPSec:
Internet Protocol Security (IPSec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPSec provides security services at the network layer by enabling a system to select required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys required to provide the requested services. IPSec can be used to protect one or more "paths" between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

The set of security services that IPSec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. Because these services are provided at the IP layer, they can be used by any higher layer protocol, e.g., TCP, UDP, ICMP, BGP, etc.

These objectives are met through the use of two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), and through the use of cryptographic key management procedures and protocols. The set of IPSec protocols employed in any context, and the ways in which they are employed, will be determined by the security and system requirements of users, applications, and/or sites/organizations.

Protocol Structure:
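Two of the IPSec services listed above, data origin authentication and rejection of replayed packets, worked through as an added example (not the paper's own code or figure). The packet format is a deliberately simplified ESP-like layout: a 4-byte sequence number, the payload, and a 32-byte integrity check value computed with HMAC-SHA256; real ESP also carries an SPI, IV, padding and trailer, which are left out. The anti-replay window follows the sliding-bitmap scheme of RFC 4303 section 3.4.3. The key and all packets are constructed sample data.

```python
"""Added example (not from the paper): data origin authentication plus an
anti-replay window on a simplified ESP-like packet. Key and packets are
constructed sample data."""
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key-not-real"   # sample key material
ICV_LEN = 32                                   # HMAC-SHA256 digest length


class AntiReplayWindow:
    """Sliding window over sequence numbers: accept each number once, reject
    anything already seen or too far behind the highest number accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  <=>  (highest - i) already seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:              # ESP never uses sequence number 0
            return False
        if seq > self.highest:    # to the right of the window: slide it
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:   # too old to be tracked: reject
            return False
        if (self.bitmap >> offset) & 1:   # inside the window but already seen
            return False
        self.bitmap |= 1 << offset
        return True


def protect(seq: int, payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Sender side: prepend the sequence number and append the ICV."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key: bytes = DEMO_KEY, window: int = 64):
        self.key = key
        self.window = AntiReplayWindow(window)

    def receive(self, packet: bytes) -> str:
        """Integrity check first, so a forged packet can never move the window."""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return "bad-icv"
        (seq,) = struct.unpack("!I", body[:4])
        if not self.window.check_and_update(seq):
            return "replay"
        return "ok"


def run_sample():
    """Constructed exchange: normal delivery, reordering, a replay, a forgery
    and a packet that has fallen out of the window."""
    rx = Receiver()
    p1, p2, p3 = protect(1, b"one"), protect(2, b"two"), protect(3, b"three")
    forged = bytearray(p3)
    forged[4] ^= 0xFF                  # tamper with the first payload byte
    return [
        rx.receive(p1),                        # ok
        rx.receive(p3),                        # ok: arrives before 2, window slides
        rx.receive(p2),                        # ok: late but inside the window
        rx.receive(p2),                        # replay
        rx.receive(bytes(forged)),             # bad-icv, window untouched
        rx.receive(protect(200, b"far ahead")),  # ok: window now ends at 200
        rx.receive(protect(100, b"stale")),    # replay: 100 is more than 64 behind
        rx.receive(protect(150, b"late")),     # ok: 150 is within 64 of 200
    ]


if __name__ == "__main__":
    print(run_sample())
```

The order of the two checks matters: the window is updated only after the ICV verifies, so an unauthenticated packet with a large sequence number cannot push the window forward and cause legitimate in-flight packets to be dropped as "too old".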
7- Defending the Transport Layer:

The transport layer is especially weak against the Denial of Service (DoS) attack and the Distributed Denial of Service (DDoS) attack. The two most popular protocols used in the transport layer are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The following are the key security risks at the transport layer associated with TCP and UDP:

• TCP "SYN" attack, also known as SYN flooding. It takes advantage of a flaw in how most hosts implement the TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds. Many implementations can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections until a partially opened connection in the queue is completed or times out. This ability to remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used as a tool to implement other attacks, like IP spoofing.

• TCP connection hijacking, also known as a Man-in-the-Middle attack. With this attack, an attacker can allow normal authentication to proceed between the two hosts, and then seize control of the connection. There are two possible ways to do this: one is during the TCP three-way handshake, and the other is in the middle of an established connection.

• UDP flood attack: UDP is a connectionless protocol and does not require any connection setup procedure to transfer data. A UDP flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it determines what application is waiting on the destination port. When it realizes that no application is waiting on the port, it generates an ICMP destination unreachable packet to the forged source address. If enough UDP packets are delivered to ports on the victim, the system will go down.

• SSL Man-in-the-Middle attacks: SSL/TLS was supposed to mitigate that risk for web transactions by providing endpoint authentication and encryption. One faulty SSL client implementation, Microsoft Internet Explorer, allows for transparent SSL attacks, bypassing the SSL warning that would alert the user to problems with the server certificate.

The three-way handshake in the Transmission Control Protocol is the method used to establish and tear down network connections. This handshaking technique is referred to as the 3-way handshake or as "SYN-SYN-ACK" (or more accurately SYN, SYN-ACK, ACK). The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the network connection before beginning communication.

• Host A sends a TCP SYNchronize packet to Host B
• Host B receives A's SYN
• Host B sends a SYNchronize-ACKnowledgement
• Host A receives B's SYN-ACK
• Host A sends ACKnowledge
• Host B receives ACK. TCP connection is ESTABLISHED.

Transport Layer Security:

Transport Layer Security provides a way for you to create a secure network connection between a client and a server by encrypting the connection between both entities. Transport Layer Security is similar to Secure Sockets Layer because both protocols provide security for applications such as email, instant messaging, web browsing and VoIP (Voice over Internet Protocol). Transport Layer Security is used within organizations that use payment processes, store sensitive data such as medical information, or collect confidential information from the users on the network, and can also be used by other businesses that want to secure network connections between the client and the server.

Transport Layer Security involves the use of an encryption system which utilizes a digital certificate that is formulated to identify the network owner, as well as to create public keys that are used to encrypt communications over the network. The certificate is installed on the portion of the server that requires encryption. When the client logs onto the network, a message is sent to the server that identifies the client. The server will then return a message and list the cryptographic methods that are to be used for communication, to ensure the client and the server are communicating in the same language.

• Different Types of Transport Layer Security

There are several different types of Transport Layer Security depending upon the encryption requirements for the organization.
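Before the TLS variants, an added model of the transport-layer material from section 7 above (written for this edit, not code from the paper): a listener that walks the SYN / SYN-ACK / ACK steps with a bounded listen queue and the 75-second half-open timeout the text mentions, so one can see a legitimate SYN being dropped while forged, never-acknowledged SYNs occupy the queue, plus the defender's view, a count of sources that sent SYN without ever completing the handshake. The queue size of five, the simulated clock and the addresses are constructed for the example; nothing here opens a socket.

```python
from collections import OrderedDict

LISTEN_QUEUE_SIZE = 5       # assumption: a tiny backlog, as on the hosts the text describes
HALF_OPEN_TIMEOUT = 75.0    # seconds, the figure given in the text


class Listener:
    """Host B: accepts SYNs, answers SYN-ACK, waits for the final ACK.
    Time is passed in explicitly so the scenario runs without a clock."""

    def __init__(self, backlog=LISTEN_QUEUE_SIZE, timeout=HALF_OPEN_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.established = []
        self.refused = 0

    def _expire(self, now):
        # Drop half-open entries whose SYN-ACK was never acknowledged in time.
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if src in self.half_open:
            return "SYN-ACK"             # retransmitted SYN: answer it again
        if len(self.half_open) >= self.backlog:
            self.refused += 1
            return None                  # queue full: the SYN is silently dropped
        self.half_open[src] = now
        return "SYN-ACK"

    def on_ack(self, src, now):
        self._expire(now)
        if src not in self.half_open:
            return False                 # ACK without a matching SYN: ignored
        del self.half_open[src]
        self.established.append(src)     # ESTABLISHED
        return True


def simulate():
    """Constructed scenario: one good client, five unanswered SYNs, a second good client."""
    b = Listener()
    b.on_syn(("10.0.0.5", 40001), now=0.0)
    b.on_ack(("10.0.0.5", 40001), now=0.1)
    for i in range(5):                                   # forged sources never send ACK
        b.on_syn(("198.51.100.%d" % i, 1000 + i), now=1.0)
    first_try = b.on_syn(("10.0.0.6", 40002), now=2.0)   # queue is full
    retry = b.on_syn(("10.0.0.6", 40002), now=1.0 + HALF_OPEN_TIMEOUT)  # entries aged out
    b.on_ack(("10.0.0.6", 40002), now=76.5)
    return {"first_try": first_try, "retry": retry,
            "refused": b.refused, "established": len(b.established)}


# Detection side: events for one listening port as (time, source, flag), where
# flag is the client's "SYN" or its final "ACK". Constructed, not captured.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "SYN"), (0.1, "10.0.0.5", "ACK"),
    (1.0, "198.51.100.1", "SYN"), (1.0, "198.51.100.2", "SYN"),
    (1.0, "198.51.100.3", "SYN"), (1.1, "198.51.100.4", "SYN"),
]


def half_open_sources(events):
    """Sources that sent SYN but never completed the handshake."""
    pending = set()
    for _t, src, flag in events:
        if flag == "SYN":
            pending.add(src)
        elif flag == "ACK":
            pending.discard(src)
    return pending


def syn_flood_suspected(events, threshold=3):
    """Many never-completed sources in one window is the flood signature."""
    return len(half_open_sources(events)) >= threshold
```

In the scenario the second client's first SYN is refused and only succeeds 75 seconds later, which is exactly the window of unavailability the text describes; the threshold of three half-open sources is an assumption chosen for the sample data.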
• Web Server Transport Layer Security: This type of encryption protects the data when the client connects to the Internet to send data through a web browser or website. The TLS encryption provides a secure web server and prevents the data from being intercepted by an unauthorized user.

• Email Server Transport Layer Security: To secure communications between the email client and the server, a digital certificate is installed on the email server to provide encrypted communications when sending and receiving confidential information via email.

• Virtual Private Network Security: Transport Layer Security works to secure a virtual private network appliance by installing a digital certificate on the VPN appliance that provides an encrypted connection between the remote user and the network that they are accessing.

• Database and Directory Security: Organizations deploy Transport Layer Security to encrypt server queries for databases and directories that contain sensitive data and information.

8- Defending the Session Layer:

Protocols that assist it are discussed.

NetBIOS:

NetBIOS is a protocol that Microsoft Windows systems use to share resources. For example, if a PC running Windows wants to connect to and access a share on a file server, it probably uses NetBIOS. SMB, the method used to access file and printer shares, can also run independently of NetBIOS over TCP ports 139 and 445. Both of these approaches, however, tend to increase the attack surface of a network.

The ports that we'd have to open to the Internet are UDP/137, UDP/138, and TCP/139. Unfortunately, NetBIOS is the most popular attacker target, and these are the ports attacked. Once an attacker discovers an active port 139 on a device, he can run NBTSTAT to begin the very important first step of an attack, footprinting. With the NBTSTAT command, he can obtain some or all of the following information:

• Computer name
• Contents of the remote name cache, including IP addresses
• A list of local NetBIOS names
• A list of names resolved by broadcast or via WINS
• Contents of the session table with the destination IP addresses

Defending against external NetBIOS connections:

• Disabling the system's ability to support null sessions
• Defining very strong passwords for the local administrator accounts
• Defining very strong passwords for shares, assuming you absolutely have to have shares on exposed systems

9- Defending the Presentation Layer:

S/MIME security:

S/MIME support is one of Outlook's unheralded important features. It gives you end-to-end protection:

• S/MIME is tailored for end-to-end security. Encryption will not only encrypt your messages, but also malware. Thus if your mail is scanned for malware anywhere but at the end points, such as your company's gateway, encryption will defeat the detector and successfully deliver the malware. Solutions:
  o Perform malware scanning on end user stations after decryption.
  o Use message content scanners specifically designed to check the content of encrypted messages.

10- Defending the Application Layer:

1. SMTP: Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is a protocol designed to transfer electronic mail reliably and efficiently. SMTP is a mail service modeled on the FTP file transfer service. SMTP transfers mail messages between systems and provides notification regarding incoming mail.

SMTP is independent of the particular transmission subsystem and requires only a reliable ordered data stream channel. An important feature of SMTP is its capability to transport mail across networks, usually referred to as "SMTP mail relaying". Using SMTP, a process can transfer mail to another process on the same network or to some other network via a relay or gateway process accessible to both networks.

In this way, a mail message may pass through a number of intermediate relay or gateway hosts on its path from sender to ultimate recipient. The Mail eXchanger mechanisms of the domain name system are used to identify the appropriate next-hop destination for a message being transported.
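Relaying is what an open relay abuses, and the Security paragraph that follows describes the usual remedy: relay only for clients on the provider's own network. As an added example (written for this edit, not code from the paper), the following Python makes that decision for a single RCPT TO command: mail for a domain the server is responsible for is always accepted, mail for any other domain is accepted only from a client address inside the provider's networks, and everything else is refused. The network ranges, domains, addresses and reply strings are constructed for the example.

```python
import ipaddress

# Constructed provider ranges and the domains this server delivers for.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]
LOCAL_DOMAINS = {"example-isp.net", "mail.example-isp.net"}


def relay_decision(client_ip, rcpt_to):
    """Return 'accept' or a 5xx-style refusal string for one recipient."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "550 bad client address"
    if "@" not in rcpt_to:
        return "501 syntax error in recipient"
    domain = rcpt_to.rsplit("@", 1)[1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept"                 # inbound mail for our own users: anyone may send it
    if any(addr in net for net in LOCAL_NETWORKS):
        return "accept"                 # our own subscriber sending outbound mail
    return "550 relaying denied"        # outsider using us as a relay: refused


# Constructed sessions: (client address, recipient).
SAMPLE_SESSIONS = [
    ("203.0.113.25", "friend@example.org"),     # subscriber relaying out
    ("198.51.100.7", "bob@example-isp.net"),    # outsider delivering to us
    ("198.51.100.7", "victim@example.org"),     # outsider relaying through us
    ("2001:db8:1::42", "x@example.com"),        # IPv6 subscriber relaying out
]


def evaluate(sessions):
    """Apply the policy to each session in order."""
    return [relay_decision(ip, rcpt) for ip, rcpt in sessions]
```

The check keys on the source address only, which is why the text's dial-up user who connects to a different provider's server is refused: that server sees an address outside its own ranges and has no other basis to trust the sender.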
• Security:

One of the ways to restrict access to an outgoing mail server is to verify that the computer is on the ISP's local network. When you dial your modem and connect to your ISP, your computer is given an IP address that identifies you as being a part of that ISP's network. If you have two ISPs and dial up to one and then connect to the other's mail server, it may prevent you from relaying mail because your computer is not identified as being on the local network for the provider whose mail server you are sending through. In this case, you should try to use the SMTP server for the provider you have used to dial up and connect to the Internet.

2. SNMP: Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is the protocol developed to manage nodes (servers, workstations, routers, switches, hubs, etc.) on an IP network. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. Network management systems learn of problems by receiving traps or change notices from network devices implementing SNMP.

An SNMP-managed network consists of three key components: managed devices, agents, and network-management systems (NMSs). A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers. An agent is a network management software module that resides in a managed device. An agent has local knowledge of management information and translates that information into a form compatible with SNMP. An NMS executes applications that monitor and control managed devices.

• SNMP v1: Basic Operations and Features
• SNMP v2: Additional Operations
• SNMP v3: Security Enhancement

Why Security is Important in SNMP:

The need for security in SNMP is obvious because the MIB objects being communicated contain critical information about network devices. We don't want just anyone "snooping" into our network to find out our IP addresses, or how long our machines have been running, or whether our links are down, or pretty much anything else.

3. DHCP

DHCP spoofing

DHCP spoofing is a type of attack on a DHCP server to obtain IP addresses using spoofed DHCP messages. In the cases where the DHCP server is on a remote network, an IP address is required to access the network, but since the DHCP server supplies the IP address, the requester is at an impasse. To supply access to the network, when the Pipeline receives a DHCP Discover packet (a request for an IP address from a PC on the network), it responds with a DHCP Offer packet containing the configured (spoofed) IP address and a renewal time, which is set to a few seconds. The requester then has access to the DHCP server and gets a real IP address. (Other variations exist in environments where the APP server utility is running.)

DHCP Starvation

A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such as gobbler. If enough requests are sent, the network attacker can exhaust the address space available to the DHCP servers for a period of time. This is a simple resource starvation attack, just like a SYN flood is a starvation attack. The network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. Exhausting all of the DHCP addresses is not required to introduce a rogue DHCP server, though.

Subsequently, a legitimate user is denied when requesting a DHCP IP address and thus is not able to access the network. DHCP starvation may be purely a denial of service (DoS) mechanism or may be used in conjunction with a malicious rogue server attack to redirect traffic to a malicious computer ready to intercept traffic.

When the normal DHCP server is down, the network attacker can then set up a rogue DHCP server on his or her system and respond to new DHCP requests from clients on the network. An intruder may issue an address with DNS server information or default gateway information that redirects traffic to a computer under the control of the intruder.

DHCP Starvation Attack Mitigation

Limiting the number of MAC addresses on a switch port will reduce the risk of a DHCP starvation attack. When more systems implement RFC 3118, Authentication for DHCP Messages, DHCP starvation attacks will become more difficult.

Adding Security to DHCP

Since DHCP runs over UDP and IP, one could use IPSec at layer three to provide authentication.
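Two checks that follow from the starvation and rogue-server discussion above, as an added example (written for this edit, not code from the paper): the first applies the mitigation the text gives, a cap on distinct client MAC addresses per switch port, by counting the MACs behind each port's DHCPDISCOVERs; the second flags DHCPOFFERs whose server address is not one of the known legitimate servers, which is what a rogue server introduced during or after a starvation attack looks like. The log line format, the port names, the addresses, the per-port limit of three and the trusted server list are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed log shape: "<time> port=<switch port> <MSG> mac=<client mac> [server=<ip>]"
LINE_RE = re.compile(
    r"^(?P<t>\d+) port=(?P<port>\S+) (?P<msg>DHCPDISCOVER|DHCPOFFER) "
    r"mac=(?P<mac>[0-9a-f:]{17})(?: server=(?P<server>\S+))?$"
)


def parse(lines):
    """Turn log lines into event dicts; lines that are not DHCP events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["t"] = int(d["t"])
            events.append(d)
    return events


def starvation_suspects(events, max_macs_per_port=3):
    """Ports whose DHCPDISCOVERs came from more distinct MACs than a port
    should ever carry: the forged-MAC signature of a starvation tool."""
    macs = defaultdict(set)
    for e in events:
        if e["msg"] == "DHCPDISCOVER":
            macs[e["port"]].add(e["mac"])
    return {port: len(s) for port, s in macs.items() if len(s) > max_macs_per_port}


def rogue_offers(events, trusted_servers):
    """DHCPOFFERs from a server address that is not on the legitimate list."""
    return [(e["t"], e["server"]) for e in events
            if e["msg"] == "DHCPOFFER" and e["server"] not in trusted_servers]


# Constructed sample: one normal client on Gi1/0/3, five forged MACs on
# Gi1/0/7, a genuine offer from 10.0.0.2 and an offer from an unknown host.
SAMPLE_LOG = [
    "100 port=Gi1/0/3 DHCPDISCOVER mac=00:11:22:33:44:55",
    "101 port=Gi1/0/7 DHCPDISCOVER mac=de:ad:be:ef:00:01",
    "101 port=Gi1/0/7 DHCPDISCOVER mac=de:ad:be:ef:00:02",
    "102 port=Gi1/0/7 DHCPDISCOVER mac=de:ad:be:ef:00:03",
    "102 port=Gi1/0/7 DHCPDISCOVER mac=de:ad:be:ef:00:04",
    "103 port=Gi1/0/7 DHCPDISCOVER mac=de:ad:be:ef:00:05",
    "104 port=Gi1/0/1 DHCPOFFER mac=00:11:22:33:44:55 server=10.0.0.2",
    "105 port=Gi1/0/9 DHCPOFFER mac=00:11:22:33:44:55 server=10.0.0.99",
    "106 port=Gi1/0/3 link-up",          # unrelated line, ignored by the parser
]
TRUSTED_DHCP_SERVERS = {"10.0.0.2"}     # constructed allow list


def report(lines=SAMPLE_LOG, trusted=TRUSTED_DHCP_SERVERS):
    events = parse(lines)
    return {"starvation": starvation_suspects(events),
            "rogue_offers": rogue_offers(events, trusted)}
```

Counting distinct MACs rather than packets matters: a single client retransmitting DISCOVER many times is normal and stays under the limit, while a starvation tool cannot exhaust the pool without presenting many different addresses on one port.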
4. FTP: File Transfer Protocol

File Transfer Protocol (FTP) enables file sharing between hosts. FTP uses TCP to create a virtual connection for control information and then creates a separate TCP connection for data transfers. The control connection uses an image of the TELNET protocol to exchange commands and messages between hosts.

The key functions of FTP are:

1) To promote sharing of files (computer programs and/or data),
2) To encourage indirect or implicit (via programs) use of remote computers,
3) To shield a user from variations in file storage systems among hosts, and
4) To transfer data reliably and efficiently.

FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.

FTP has little security protection when performing file transfer: both the user password and the data are exposed to the public. To make the file transfer more secure, some enhancements have been made to FTP, including SFTP, SSH protected FTP and BBFTP.

• The data that is transferred is encrypted, so this method should only be used to transfer small (1-10 KB) files containing sensitive data. Large files that do not contain sensitive information should be transferred via a method that does not encrypt data.

• SSH protected FTP: This transfer method encrypts the password information but does NOT encrypt the data being transferred. As a result, it should only be used to transfer large (and small) files that do NOT contain sensitive information. Files that contain sensitive information should be transferred with SFTP.

S-FTP, or Secure FTP, S/FTP

Secure FTP (S-FTP or S/FTP) is the enhanced version of the File Transfer Protocol (FTP) with security features. Mainly, S-FTP adds encryption to the FTP contents, which are sent in clear text in the original FTP version. S-FTP is available on almost all operating systems including Windows, UNIX, and Macintosh.

5. Hypertext Transfer Protocol Secure (HTTPS)

HTTPS is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.

S-HTTP: Secure Hypertext Transfer Protocol

Secure HTTP (S-HTTP) is a secure message-oriented communications protocol designed for use in conjunction with HTTP. S-HTTP is designed to coexist with HTTP's messaging model and to be easily integrated with HTTP applications.

Secure HTTP provides a variety of security mechanisms to HTTP clients and servers, providing the security service options appropriate to the wide range of potential end uses possible for the World-Wide Web (WWW). S-HTTP provides symmetric capabilities to both client and server (in that equal treatment is given to both requests and replies, as well as for the preferences of both parties) while preserving the transaction model and implementation characteristics of HTTP.