
Iyke Ezeugo, Feb. 2013

The feasibility of a universal one-layer IP security solution

Introduction

This write-up presents my personal view on the feasibility of building a universal security architecture within one layer of the protocol stack. Given the intricate and fluid nature of information security in our rapidly evolving digital age, a straightforward YES or NO answer to the feasibility of implementing a one-layer security solution will not do much good without first examining the vital components of a standard security model in a distributed environment. Therefore, I will start by taking a snapshot of the relevant layers of the OSI model, with particular attention to the S/MIME, XML and IPSec protocols. The aim is solely to demonstrate my position, show how it relates to the functions of the network, and open an avenue for discussion and further examination of the notion.

Quick overview of the Internet Protocol (IP) and its security evolutions:
The Internet Protocol (IP), being part of the TCP/IP protocol suite of today's Internet, is predominantly used in interconnecting the various networks of which the Internet is comprised. Perhaps this is because of its proven efficiency, even in heterogeneous networking environments. However, because the Internet was not originally designed with security in mind, certain inherent security holes in the IP have persisted and have therefore been consistently exploited through streams of attacks of diverse natures, including the following: DoS, IP spoofing, session hijacking, man-in-the-middle, DDoS (Distributed Denial of Service), etc. Consequently, it became necessary that ingenious additional mechanisms be added at the upper application layer (in line with each application's peculiar needs) in order to mitigate the inherent security weaknesses of the IP. This led to the invention of Secure Sockets Layer (SSL) and Transport Layer Security (TLS), these being cryptographic protocols designed for securing data communications on the web; the said protocols quickly found use in providing security support for web browsing, instant messaging, e-mail and other Internet-related transactions involving data exchange. SSH (Secure Shell), also a cryptographic network protocol, was later introduced to replace telnet, and SFTP (Secure File Transfer Protocol) in place of the unsecured FTP. Thereafter, with the consolidation of digital signatures and public key cryptography, S/MIME (Secure Multipurpose Internet Mail Extension) came onto the scene and became popular.

Understanding the IP layer (IPSec) security protocol concept:

ICT solutions Strategic application


Over time, the above security protocols became the main machinery for providing authentication and confidentiality for data communication over distributed infrastructures at the application end. However, as they still could not offer direct solutions to some of the earlier listed IP network layer threats, the Internet Protocol Security (IPSec) was invented. In the IPSec concept, cryptography is used to add security to the IP by instituting a mechanism that validates message senders and recipients for access to encrypted IP datagrams as the message contents. The entrance of IPSec thus introduced a reasonably dependable authentication, confidentiality and integrity mechanism. And, instead of introducing this at the application layer of the OSI protocol stack, IPSec is implemented at the IP network layer of the TCP/IP suite; this made the IP datagram self-dependent. For efficiency, altering the TCP/IP protocol suite and the other protocols at the upper layers was carefully avoided by wrapping the IP datagram meant to be protected in another protected datagram that carries integrity, encryption and authentication protections. This means the encapsulation of the regular IP packet in a specially protected IP packet. By reason of the above, it can be said that (all things being equal) a reasonable level of protection can be guaranteed for all IP packets without the need to re-engineer any of the applications, and without being affected by the upper-layer protocol transported in the packet payloads. However, there is still the challenge of the huge requirements of layering cryptography below the application layer of the OSI protocol stack, in view of the fact that the usual client/server model is nonexistent within the IP layer.
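The encapsulation just described (a whole IP datagram wrapped inside a protected outer datagram, with the upper-layer protocol untouched and invisible on the wire) can be seen in a small model. The following is an added illustration, not code from this essay or from any IPsec implementation: the "IP header" is a constructed 12-byte layout rather than a real IPv4 header, the cipher is HMAC-SHA256 run in counter mode as a stand-in for the AES modes real ESP uses, the SPI and keys are hard-coded demo values instead of being negotiated by IKE, and the anti-replay window is a simplified version of the one RFC 4303 describes.

```python
"""Toy model of IPsec ESP tunnel-mode encapsulation (added example, not real IPsec).
Assumptions: constructed 12-byte IP-like header, HMAC-SHA256 counter-mode keystream
as a stand-in for AES, hard-coded demo keys/SPI, simplified anti-replay window."""
import hashlib
import hmac
import os
import socket
import struct

ENC_KEY = b"demo-encryption-key-32-bytes!!!!"   # constructed demo key
MAC_KEY = b"demo-integrity-key-32-bytes!!!!!"   # constructed demo key
SPI = 0x1000                                    # constructed Security Parameter Index
ESP_PROTO = 50                                  # IANA protocol number for ESP
HDR = ">BBH4s4s"                                # version, protocol, length, src, dst
HDR_LEN = struct.calcsize(HDR)                  # 12 bytes
ICV_LEN = 16                                    # truncated HMAC-SHA256 (HMAC-SHA256-128 style)


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed minimal IP-like datagram; 'proto' is the upper-layer protocol."""
    return struct.pack(HDR, 4, proto, HDR_LEN + len(payload),
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def encapsulate(inner: bytes, seq: int, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel mode: the whole inner datagram becomes the encrypted payload of an
    outer datagram. Layout: outer hdr | SPI | seq | IV | ciphertext | ICV."""
    iv = os.urandom(8)
    ct = xor(inner, keystream(ENC_KEY, iv, len(inner)))
    body = struct.pack(">II", SPI, seq) + iv + ct
    icv = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:ICV_LEN]   # encrypt-then-MAC
    return build_ip(outer_src, outer_dst, ESP_PROTO, body + icv)


class ReplayWindow:
    """Sliding anti-replay window in the spirit of RFC 4303 section 3.4.3."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                       # sequence numbers start at 1
        if seq > self.top:                     # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or self.bitmap & (1 << diff):
            return False                       # too old, or already seen
        self.bitmap |= 1 << diff
        return True


def decapsulate(packet: bytes, window: ReplayWindow) -> bytes:
    """Verify ICV, SPI and sequence number, then recover the inner datagram."""
    _, proto, length, _, _ = struct.unpack(HDR, packet[:HDR_LEN])
    if proto != ESP_PROTO or length != len(packet):
        raise ValueError("not a well-formed ESP packet")
    body, icv = packet[HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):    # authenticate before decrypting anything
        raise ValueError("ICV mismatch: packet modified or forged")
    spi, seq = struct.unpack(">II", body[:8])
    if spi != SPI:
        raise ValueError("unknown SPI")
    if not window.check_and_update(seq):
        raise ValueError(f"replayed or stale sequence number {seq}")
    iv, ct = body[8:16], body[16:]
    return xor(ct, keystream(ENC_KEY, iv, len(ct)))


def demo() -> dict:
    """Round trip plus the two failure modes; returns the outcomes for checking."""
    inner = build_ip("192.0.2.10", "198.51.100.20", 6, b"GET / HTTP/1.1\r\n")  # 6 = TCP
    window = ReplayWindow()
    pkt = encapsulate(inner, 1, "203.0.113.1", "203.0.113.2")
    results = {"roundtrip": decapsulate(pkt, window) == inner,
               "inner_hidden": b"GET / HTTP" not in pkt}   # upper layer invisible on the wire
    try:                                                   # same packet delivered again
        decapsulate(pkt, window)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    flip = HDR_LEN + 16 + 2                                # a byte inside the ciphertext
    tampered = pkt[:flip] + bytes([pkt[flip] ^ 0x01]) + pkt[flip + 1:]
    try:
        decapsulate(tampered, ReplayWindow())
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

Running `demo()` shows the three properties the text attributes to IPSec in one place: the application bytes never appear on the wire (confidentiality), a flipped ciphertext byte is refused before decryption because the ICV is checked first (integrity and data-origin authentication), and a second delivery of the same packet is refused by the sequence-number window (anti-replay). Nothing in the inner HTTP request had to change for this to work, which is the point about not re-engineering applications.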
According to Hyung-Joon Kim, IPSec brought many multifaceted, conceptual and extensive components into the architecture to enable it to use cryptographic techniques for achieving security protection within the IP network layer (Hyung-Joon Kim, 2006).

Appreciating the application layer (e.g. XML and S/MIME) concept:

The application layer is the 7th layer of the OSI protocol stack and the one that interfaces with the user. As the Internet became universal and also the major carrier of valuable assets, attacks on Web applications began to manifest and grow in magnitude and dimension. This made obvious the need to also protect the applications against these many malicious attacks and unauthorized access, with the aim of preventing the exploitation of vulnerabilities at this layer. Fundamentally, this popularised cryptographic protocols and their use for securing distributed systems at the application level. Despite their pervasive use, there have been worries about the effective management and performance of cryptographic protocols, which I believe is a key motivation for the search for a way of building all of these into a universal single-layered protocol. However, not much can be said about securing distributed systems without measurable attention to the application layer: this is warranted by the fact that any successful attack here directly and significantly impacts productivity. Moreover, the Internet application layer has in recent times witnessed an increased wave of attacks. Besides the fact that the application layer supports a lot of protocols, which inherently provides attackers with multiple access points and thereby creates avenues for increased vulnerability, the meaningful information that remains valuable to attackers resides mainly at the application layer. This creates very attractive incentives for intensified and consistent attacks at the application layer; valuable targets may include a company's financial reports, an e-commerce site's stock-in-trade, database applications, ERP systems, CRM systems, etc. A successful attack on any of these can result in huge losses to the owners and significant gains to the attacker.

The focus of application-layer security solution

In addressing all of the above, IP security seeks to create secure, authenticated, reliable communications over IP networks; it provides connectionless integrity, data origin authentication, confidentiality through encryption, and access control. On the other hand, security solutions applied at the application layer extend the application without involving the operating system, thereby allowing the application to provide enhanced security because it understands the data. Whereas the possibility of designing a universal one-layer security solution for distributed infrastructures is not in doubt, I don't consider this ideal and effective. In examining this same notion, Mike Chapple has argued that securing Web infrastructure with SSL would technically mean a single layer of the OSI model, since SSL works at the transport layer (Mike Chapple, TechTarget, 2011). But the reliability and efficiency of such an approach in the face of growing innovations in attacks remain debatable.

However, an appropriately layered security protection approach that is capable of effectively defending the network at every relevant point of attack is the only logical way forward in the face of the growing array of attacks.
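The distinction drawn above, that a network-layer mechanism protects bytes while only the application understands the data, is easy to demonstrate. The following is an added example, not code from this essay or from any product it cites: it models the network layer as an HMAC integrity check over the raw payload (as an IPsec ICV does) and the application layer as a validator for a constructed order-message schema, and runs the same packets through both.

```python
"""Added example: why one layer is not enough. A network-layer integrity check
(HMAC over the bytes, as an IPsec ICV does) and an application-layer validator
(which understands the data) each catch what the other cannot see.
Assumptions: the order schema and the key are constructed for this demo."""
import hashlib
import hmac
import json

MAC_KEY = b"constructed-network-layer-key"     # constructed demo key
ICV_LEN = 32                                    # full HMAC-SHA256 tag


def network_layer_protect(payload: bytes) -> bytes:
    """Append an integrity tag; the network layer treats the payload as opaque bytes."""
    return payload + hmac.new(MAC_KEY, payload, hashlib.sha256).digest()


def network_layer_check(packet: bytes):
    """Return the payload if the tag verifies, else None. Knows nothing about content."""
    payload, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, icv) else None


# Constructed application schema: an order has an alphanumeric SKU and a bounded quantity.
ORDER_SCHEMA = {"sku": str, "quantity": int}


def application_layer_check(payload: bytes) -> bool:
    """Semantic validation that only the application can perform."""
    try:
        order = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    if not isinstance(order, dict) or set(order) != set(ORDER_SCHEMA):
        return False
    for field, typ in ORDER_SCHEMA.items():
        if type(order[field]) is not typ:       # 'is not' so that bool is not accepted as int
            return False
    if not 1 <= order["quantity"] <= 1000:
        return False
    return order["sku"].isalnum() and len(order["sku"]) <= 16


def inspect(packet: bytes) -> dict:
    """Run both layers in order; a network-layer failure never reaches the application."""
    payload = network_layer_check(packet)
    if payload is None:
        return {"network": False, "application": False}
    return {"network": True, "application": application_layer_check(payload)}


def demo() -> dict:
    good = network_layer_protect(json.dumps({"sku": "ABC123", "quantity": 2}).encode())
    # Authentic, untampered bytes carrying a semantically invalid order: the
    # network layer has no basis to reject it, the application layer does.
    bad_semantics = network_layer_protect(json.dumps({"sku": "ABC123", "quantity": -5}).encode())
    # Bit flip in transit: only the network layer sees this, and it stops it early.
    tampered = bytearray(good)
    tampered[3] ^= 0x01
    return {"good": inspect(good),
            "bad_semantics": inspect(bad_semantics),
            "tampered": inspect(bytes(tampered))}
```

The `bad_semantics` case is the one that matters for the argument: the packet is genuine and intact, so any purely network-layer scheme accepts it, and the negative quantity is caught only because the application knows what a quantity is. The `tampered` case shows the converse, where the application-layer validator would happily parse whatever bytes arrive and it is the lower layer that has the information (a key shared with the sender) to reject the modification.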

References
1. Hyung-Joon Kim (2006), IP Network Security: IPsec (Internet Protocol Security); available at: http://www.ibluemojo.com/contents/IP_Network_Security.pdf (Accessed 15th August 2011).
2. Kalpana Sharma and M.K. Ghose (2011), Cross Layer Security Framework for Wireless Sensor Networks; International Journal of Security and Its Applications, Vol. 5 No. 1, January 2011; available at: http://www.sersc.org/journals/IJSIA/vol5_no1_2011/4.pdf (Accessed 15th August 2011).
3. Mike Chapple (2011), Can S/MIME, XML and IPsec operate in one protocol layer?; available at: http://searchsecurity.techtarget.com/answer/Can-S-MIME-XML-and-IPsec-operate-in-one-protocol-layer (Accessed 15th August 2011).
4. Nortel Networks (2005), Application-layer security: What it takes to enable the next generation of security services [online White Paper]; available at: http://www.nortel.com/products/01/alteon/2224/collateral/nn105560 010605.pdf (Accessed 15th August 2011).
