
Introduction to Network Security

A. Vimal Babu

© 2004 Hewlett-Packard Development Company, L.P.


The information contained herein is subject to change without notice
Network Security – Agenda

• Introduction
• Threats & Attacks
• Security Policy – Introduction
• AAA
• VPN
• IPSEC
• Firewalls
Network Security
Introduction

Network Security
IT security plays a major role in building a business.
IT security includes:
• Network security
• Server and workstation security
• Physical security

What is a security violation?
A security violation occurs when any of the above is compromised, which could lead to a disruption of service.
Network Security

Why security?

To prevent:
• Damage or destruction of computer systems.
• Damage or destruction of internal data.
• Loss of sensitive information.
• Misuse of sensitive information for monetary gain.
• Damage to the reputation of an organization.
• Unauthorized access and theft of infrastructure.
Network Security

What is a vulnerability?

A vulnerability is any loophole in a process, a policy, the network and IT infrastructure, or physical security that an unauthorized person may use to gain access.
Network Security
Sample Network (diagram)
Network Security
Threats and Attacks

Network Security – Threats & Attacks

Vulnerable points

Attacks can occur at various points in a network:

• LAN – Servers and workstations
• Routers and firewalls – At the perimeter of the network
• WAN – Data sent to a different destination via the WAN
• Wireless – Unauthorized access through the wireless network
• Physical security – Uncontrolled access to data centers, copying of restricted data to CDs, hard disks, pen drives, etc.
Network Security – Threats & Attacks
Information Security Threats experienced (chart)
Network Security – Threats & Attacks
Types of threats

• Structured threats
Preplanned threats focusing on a specific target.

• Unstructured threats
Random threats looking for vulnerable targets. These are the most common threats.
Network Security – Threats & Attacks
Types of Attacks
• Reconnaissance attack
Does not aim to gain immediate access; it searches for vulnerabilities to exploit later.
E.g., DNS queries, ping sweeps, port scanning.
• Access attacks
Aim to gain access to a network or computer. Having gained unauthorized access, the attacker may tamper with data using any of the following methods:
Interception – May be able to read, write, copy or move confidential data.
Modification – Modify confidential data; change file contents and authorization levels.
Fabrication – Create false objects to mislead, e.g. inserting a virus, worm or Trojan horse that may affect the network or the computer.
Network Security – Threats & Attacks

Types of Attacks – Contd

• DoS Attack
Denial of Service attack. Designed to deny specific services by blocking or overwhelming the system or network with huge volumes of traffic.
• DDoS Attack
Distributed Denial of Service. Multiple devices overload the network access to, or the CPU utilization of, a target system. More difficult to contain.
Network Security – Threats & Attacks
Security attack – Description
Masquerade – An unauthorized user pretends to be a valid user. For example, a user assumes the IP address of a trusted system and uses it to gain the access rights that are granted to the impersonated device or system.
Replay attack – The intruder records a network exchange between a user and a server and plays it back at a later time to impersonate the user.
Data interception – If data is moved across the network as plaintext, unauthorized persons can monitor and capture the data.
Manipulation – The intruder causes network data to be modified or corrupted. Unencrypted network financial transactions are vulnerable to manipulation. Viruses can corrupt network data.
Repudiation – Network-based business and financial transactions are compromised if the recipient of the transaction cannot be certain who sent the message.
Network Security – Threats & Attacks
Virus – A virus is one type of malicious code that tries to propagate itself across a network. It is normally attached to other programs and executes a particular unwanted function on a user workstation when that program executes.
Worm – A worm is another type of malicious code that executes arbitrary code and installs copies of itself in the memory of the infected computer. It can then spread to and infect other hosts from the infected computer. A worm can spread itself automatically over the network from one computer to the next.
Trojan horse – This is a general term for a malicious program that masquerades as a desirable and harmless tool. For example, a screen saver that mimics a logon dialog box in order to acquire a user's name and password and then secretly sends that password to an attacker.
Social engineering attack – Sometimes breaking into a network is as simple as calling new employees, telling them you are from the IT department, and asking them to verify their password for your rec
Network Security

Questions?
Network Security
Security Policy

Network Security – Security Policy

What is a security policy?

A security policy is a formal statement that specifies the rules required for granting access to the company's assets. It is a business document that defines the permitted and restricted activities, tasks and responsibilities.
A security policy is a document that should be prepared by balancing risks and benefits.
Network Security – Security Policy

It should contain the following objectives:

• Analyze the threats based on the type of business and the network access needed.
• Determine the organization's security requirements.
• Document the network infrastructure and identify potential security breach points.
• Identify the devices that require protection and develop a security implementation plan.
• It must also include a physical security policy.
Network Security – Security Policy
Security Policy – Contd
Building a security policy is a continuous process.
Network Security – Security Policy
Security Policy – Contd
Secure
The purpose here is to prevent unauthorized access. Implement the network security design. This should include securing the network systems by installing firewalls, intrusion detection devices and AAA servers.
Firewalls on the perimeter prevent unwanted traffic from entering the network and allow only authorized traffic for intranet users.
IDS/IPS devices identify any attempt to breach the network.
AAA restricts access to authorized users.
Network Security – Security Policy
Secure – Contd
The security policy must contain:
a) Minimum password length
b) Frequency of password change
c) Access to devices
d) User creation / deletion process
e) Standard guidelines for device protection (e.g. Telnet prohibited, SSH mandatory)
Network Security – Security Policy
Security Policy – Contd
Monitor
After securing the network, it should be monitored to detect security incidents. Both internal and external traffic should be monitored. Logs on firewalls and authentication servers should be checked for any attacks.
Test
Test the effectiveness of the security design. Verify the proper configuration of devices, use suitable tools to identify vulnerabilities, and document the test results.
Improve
Use the data obtained from monitoring and testing the network to improve security. Suitably modify the procedures and policies, and document the potential threats and vulnerabilities.
Network Security – Security Policy

Questions?
Network Security
AAA – Authentication, Authorization, Accounting

Network Security - AAA
What is AAA?
AAA – Authentication, Authorization and Accounting.
Authentication – The process of establishing the digital identity of the client to any other entity. Authentication is accomplished via the presentation of an identity and its corresponding credentials.
E.g. passwords, one-time tokens, digital certificates.

Authorization – The granting of specific privileges to the user based on their authentication. Authorizing the privilege constitutes the ability to use a certain type of service.

Accounting – Accounting refers to the tracking of the usage of network resources. This information may be used for management, planning, billing, etc.
Network Security - AAA
Authentication:
• Refers to confirmation that a user who is requesting a service is a
valid user.
• Accomplished via the presentation of an identity and credentials.
• Examples of credentials are passwords, one-time tokens, digital
certificates, and phone numbers (calling/called).

HP 29
Network Security - AAA

Authorization:
• Refers to the granting of specific types of service (including "no
service") to a user, based on their authentication.
• May be based on restrictions, for example time-of-day restrictions,
or physical location restrictions, or restrictions against multiple
logins by the same user.
• Examples of services - IP address filtering, address assignment,
route assignment, encryption, QoS/differential services,
bandwidth control/traffic management.

HP 30
Network Security - AAA

Accounting:
• Refers to the tracking of the consumption of network resources by users.
• Typical information gathered in accounting is the identity of the user, the nature of the service delivered, when the service began, and when it ended.
• May be used for management, planning, billing, etc.
• An AAA server provides all of the above services to its clients.
Network Security - AAA
AAA Protocols

Terminal Access Controller Access Control System (TACACS):

TACACS is a remote authentication protocol used to communicate with an authentication server, commonly used in UNIX networks. TACACS allows a remote access server to communicate with an authentication server in order to determine whether the user has access to the network.
Network Security - AAA

TACACS+:

TACACS+ is a protocol that provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. It uses TCP and provides separate authentication, authorization and accounting services. It uses port 49.
Network Security - AAA
RADIUS

Remote Authentication Dial In User Service is an AAA protocol for applications such as network access or IP mobility. It is an open standard protocol.

RADIUS uses:
UDP 1812 or 1645 for authentication
UDP 1813 or 1646 for accounting
Network Security - AAA

Key features of RADIUS:

Client/Server model:
The NAS acts as a client of the RADIUS server. The RADIUS server is responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.
Network Security - AAA
• Transactions between the client and server are authenticated through the use of a shared key, and this key is never sent over the network.
• The password is encrypted before being sent over the network.
Network Security - AAA
Flexible authentication mechanisms:

RADIUS supports the following protocols for authentication purposes:
• Point-to-Point Protocol – PPP
• Password Authentication Protocol – PAP
• Challenge-Handshake Authentication Protocol – CHAP
Extensible protocol:
RADIUS is extensible; most vendors of RADIUS hardware and software implement their own dialects.
Network Security - AAA

RADIUS Operations

The client starts with an Access-Request.
The server replies with either Access-Accept, Access-Reject or Access-Challenge.
An Access-Accept carries all the attributes required to provide a service to the user.
Network Security - AAA

Questions?
Network Security
VPN – Virtual Private Networks

Network Security - VPN
What Is A VPN?
A virtual private network (VPN) is a network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of physical wires.
One common application is secure communications through the public Internet.
Network Security - VPN
Types of VPN (taxonomy from the slide's diagram)

• Overlay VPN
  Layer 1 VPN – Dedicated circuits (T1 / n x DS0, E1 / n x DS0)
  Layer 2 VPN – X.25, Frame Relay, ATM
  Layer 3 VPN – GRE, IPSEC
• Peer to Peer VPN – ACLs, Split Routing, MPLS VPN
• Virtual Dial-up
• Virtual Networks – VLANs
Network Security - VPN

Modes of Use

A VPN supports at least three different modes of use:
• Remote access client connections
• LAN-to-LAN internetworking
• Controlled access within an intranet
Network Security - VPN
VPN deployment scenarios (diagram)
Intranet VPN – Low cost, tunneled connections with rich VPN services, like IPSec encryption and QoS to ensure reliable throughput (main office, remote office and home office, connected via POPs).
Remote Access VPN – Secure, scalable, encrypted tunnels across a public network, using client software (mobile worker, connected via a POP).
Extranet VPN – Extends WANs to business partners (partner network).
Network Security - VPN

Advantages
A VPN can save an organization money in several situations:
• Eliminating the need for expensive long-distance leased lines
• Reducing long-distance telephone charges
• Offloading support costs
• Network scalability
Network Security - VPN
Disadvantages
• It requires a detailed understanding of network security issues and careful installation / configuration.
• The reliability and performance of an Internet-based VPN are not under the organization's direct control. Instead, the solution relies on an ISP and its quality of service.
• The encryption, compression and decryption processes can slow down performance.
Network Security - VPN

VPN Protocols
PPTP
L2TP
IPsec

Network Security - VPN
PPTP

PPTP is generally considered a Microsoft-developed protocol. PPTP does not provide confidentiality or encryption; it relies on the protocol being tunneled to provide privacy.

L2TP
Layer Two Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol. It was developed by Cisco.
Network Security - VPN
IPSEC
Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.

IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.
Network Security
IPSEC

Network Security - IPSEC
IPSEC – IP Security
• A set of features that protects IP data as it travels from one location to another.
• IPsec can protect only the IP layer and up; it cannot protect the data link layer.
Network Security - IPSEC
Data Confidentiality (Optional)
Protects an identity or data from being read

Data Integrity
Protects data from being modified

Data Origin Authentication
Assures that data originates from a particular party

Anti-Replay (Optional)
Ensures no packets are duplicated
Network Security - IPSEC
IPSEC Protocols
Internet Key Exchange (IKE)
• Internet Key Exchange (IKE) is a framework for the negotiation and exchange of security parameters and authentication keys.

Encapsulating Security Payload (ESP)
• ESP provides the framework for the data confidentiality, data integrity, data origin authentication, and optional anti-replay features of IPsec.
• Uses DES, 3DES or AES for encrypting the data, which provides data confidentiality.

Authentication Header (AH)
• AH provides the framework for the data integrity, data origin authentication, and optional anti-replay features of IPsec.
• Does not provide data confidentiality.
Network Security - IPSEC
Both AH and ESP use a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check.
Hash algorithms:
• MD5 – Message Digest 5
• SHA-1 – Secure Hash Algorithm
HMAC-MD5 and HMAC-SHA-1 use a shared secret key for both the calculation and verification of the message authentication values.
Network Security - IPSEC
IPSEC Modes
Tunnel Mode
• The entire original IP packet, including its IP header, is protected.
  L2 Header | New IP Header | ESP or AH | IP Header | TCP/UDP Header | Data

Transport Mode
• Packet contents are protected between the VPN endpoints.
• The original IP header is exposed and unprotected.
• Data at the transport and higher layers is protected.
  L2 Header | IP Header | ESP or AH | TCP/UDP Header | Data
Network Security - IPSEC
IKE – Internet Key Exchange
Protocols
• ISAKMP – Internet Security Association and Key Management Protocol defines procedures on how to establish, negotiate, modify, and delete SAs. It does not perform the key exchange itself, but performs peer authentication.
• Oakley – The Oakley protocol uses the Diffie-Hellman algorithm to manage key exchanges across IPsec SAs. Diffie-Hellman is a cryptographic protocol that permits two end points to establish a shared secret over an insecure channel.
Network Security - IPSEC
IKE Phases
IKE Phase 1
• A bidirectional SA is established between the IPsec peers in Phase 1.
• Phase 1 may also perform peer authentication to validate the identity of the IPsec endpoints.
• Two modes to establish the bidirectional SA: main mode and aggressive mode.

IKE Phase 2
• Implements unidirectional SAs between the IPsec endpoints using the parameters agreed upon in Phase 1.
• Phase 2 uses IKE quick mode to establish each of the unidirectional SAs.

Optional Phase 1.5 – for Extended Authentication
Network Security - IPSEC
IKE Modes
Main Mode
Six messages are exchanged between the IPsec peers, in three pairs:
• IPsec parameters and security policy – The initiator sends one or more proposals, and the responder selects the appropriate one.
• Diffie-Hellman public key exchange – Public keys are sent between the two IPsec endpoints.
• ISAKMP session authentication – Each end is authenticated by the other.

Aggressive Mode
More condensed than Main Mode:
• The initiator sends all data, including IPsec parameters, security policies, and Diffie-Hellman public keys.
• The responder authenticates the packet and sends the parameter proposal, key material, and identification back.
• The initiator authenticates the packet.

Quick Mode
• Follows Main or Aggressive Mode.
• Used for IKE Phase 2.
• Quick mode negotiates the SAs used for data encryption across the IPsec connection.
• It also manages the key exchange for those SAs.
Network Security - IPSEC
IKE Phase 1 Parameters
• IKE encryption algorithm (DES, 3DES, or AES)
• IKE authentication algorithm (MD5 or SHA-1)
• IKE key (preshared, RSA signatures)
• Diffie-Hellman group (1, 2, or 5)
• IKE tunnel lifetime (time and/or byte count)

IKE Phase 2 Parameters
• IPsec protocol (ESP or AH)
• IPsec encryption type (DES, 3DES, or AES)
• IPsec authentication (MD5 or SHA-1)
• IPsec mode (tunnel or transport)
• IPsec SA lifetime (seconds or kilobytes)
Network Security
Firewalls

Network Security - Firewalls
Firewall
• A firewall is a system or group of systems that manages access between two networks. It provides the first line of perimeter defense.
• It prevents unauthorized access to a network.
• It protects the trusted network from attacks.
• It manages the information flow and restricts dangerous, unrestricted access.
• It can permit, deny, encrypt, decrypt or proxy the traffic.
• Provides the ability to expose Internet services to the outside world in a limited way via a DMZ.
Network Security - Firewalls
Firewall – Contd

A firewall can be deployed:
• At the edge of the network.
• Within the intranet to create isolated networks (e.g. labs).
It has the following interfaces:
• Inside – Protected network
• Outside – Unprotected network (e.g. Internet, labs, etc.)
• DMZ – A buffer zone.
Network Security - Firewalls
DMZ – Demilitarized Zones

• It acts as a buffer zone between two networks.
• A firewall can have multiple interfaces, and each interface can be used as an independent network.
• As a rule, traffic will not traverse between these zones. Access lists should be defined to allow the specific traffic.
• Used to host publicly accessible servers and applications (web servers, corporate mail servers accessible from the Internet, etc.)
Network Security - Firewalls
Firewall Technologies

There are 3 basic types of Firewall Technologies

• Packet Filtering

• Application Gateway Proxy

• Stateful Inspection
Network Security - Firewalls
Packet Filtering

• Limits information into a network based on static packet header information.
• The packet filtering firewall looks at each packet and determines what to do with it based on a defined rule base.
• It is inexpensive, transparent to applications, and quicker than most application layer gateways.
• It provides low security, has a limited ability to manipulate information, is difficult to configure, and is subject to IP spoofing.
• This type of firewall can usually be found on routers.

Network Security - Firewalls
Application Layer Gateways, better known as Proxies
• They function at the application level.
• They work by terminating the external connection at a special service within the firewall.
• The service acts as a proxy for the real server. It forms a connection to the internal server, only passing on application protocol elements that pass its rule base.
• These are expensive and require constant software updates.

Network Security - Firewalls
Stateful Inspection

• Most common type of firewall used today.
• Stateful inspection gathers, stores, and manipulates information pertaining to all communication layers and from other applications.
• In other words, imagine a giant spreadsheet. Every packet that is allowed through the firewall is entered into that spreadsheet and kept there for a pre-determined amount of time, creating a 'Stateful Inspection Table'.
• The benefits of this are excellent security, full application-layer awareness, high performance and scalability.
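An added Python example (not from the original slides) contrasting the static packet filter described earlier with the stateful inspection table described here: the same packets are evaluated both ways, showing why only the stateful version can admit return traffic without a broad inbound rule, and how table entries age out after the pre-determined time. Rules, addresses and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "out"          # "out": inside -> outside, "in": outside -> inside


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    direction: str
    src: str                        # CIDR
    dst: str                        # CIDR
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))


def packet_filter(rules, p: Packet) -> str:
    """Static packet filter: header fields only, first matching rule wins, implicit deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Packet filter plus a connection table (the 'giant spreadsheet'): replies are
    permitted only if they belong to a connection the firewall already allowed."""

    def __init__(self, rules, timeout: int = 60):
        self.rules, self.timeout = rules, timeout
        self.table = {}             # (src, sport, dst, dport, proto) -> expiry time

    def process(self, p: Packet, now: int) -> str:
        self.table = {k: v for k, v in self.table.items() if v > now}   # age out stale entries
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.table:                      # return traffic of a known connection
            self.table[reverse] = now + self.timeout
            return "permit"
        if packet_filter(self.rules, p) == "permit":   # new connection permitted by policy
            self.table[(p.src, p.sport, p.dst, p.dport, p.proto)] = now + self.timeout
            return "permit"
        return "deny"


# Constructed policy: inside users (10.0.0.0/24) may reach web servers; nothing else is permitted.
RULES = [Rule("permit", "out", "10.0.0.0/24", "0.0.0.0/0", 80)]


def run_scenario() -> dict:
    """Same packets through the static filter and the stateful firewall (constructed addresses)."""
    fw = StatefulFirewall(RULES, timeout=60)
    syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, direction="in")
    unsolicited = Packet("203.0.113.10", 80, "10.0.0.5", 40001, direction="in")
    return {
        "stateless_out": packet_filter(RULES, syn),              # permit
        "stateless_reply": packet_filter(RULES, reply),          # deny: would need a broad inbound rule
        "stateful_out": fw.process(syn, now=0),                  # permit and record the connection
        "stateful_reply": fw.process(reply, now=1),              # permit: matches the table
        "stateful_unsolicited": fw.process(unsolicited, now=1),  # deny: no matching entry
        "stateful_reply_expired": fw.process(reply, now=200),    # deny: entry aged out
    }
```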
Network Security
NAT – Network Address Translation.

• Though it’s not a firewall technology, it is used extensively in FW deployments.

• It is a pragmatic solution to the issue of IP address limitations.

• NAT works similar to stateful inspection technique, but with a twist that the Firewall
modifies the address part of all packets on the way through.

• NAT is a technique that hides an entire address space, usually consisting of private
network addresses, behind a single IP address in another, often public address space.
Network Security - Firewalls
Benefits of NAT
• It is a practical solution to the impending exhaustion of the IPv4 address space.
• Networks that previously required a block of addresses can be connected to the Internet with a single IP address.
• Internal networks can use private (non-routable) IP ranges, and these can be mapped to a single public (routable) address.
Drawbacks of NAT
• Hosts behind NAT-enabled devices cannot have end-to-end connectivity unless the device makes a specific effort to support such protocols.
• NAT table entries are short-lived; the public IP may change, resulting in connectivity issues.
Network Security - Firewalls
Types of NAT
NAT can be broadly classified as follows:

• Static NAT
One-to-one translation based on a static table (explained later).

• Dynamic NAT
Dynamically translates a source address to an address selected from a global address pool.
Network Security - Firewalls
Types of NAT – Contd

The NAT variants available on firewalls can be further classified as:

• Source Static
• Source Hide
• Destination Static
• Destination Port Static

They can be mixed and matched as necessary.

Network Security - Firewalls

Source Static:

• It translates the source IP address in an IP packet to a specific IP address.
• It is a one-to-one address translation. Return traffic, as necessary, is allowed back through without additional NAT rules.
• However, for connectivity initiated from either side of the firewall, a corresponding Destination Static NAT rule is needed.
Network Security - Firewalls
Source Hide
• Makes more than one host appear as a single host (i.e., a many-to-one translation).
• Well suited for hosts that require access to the Internet but should not be accessed from the Internet.
• The firewall changes the source TCP or UDP port of the packet so that it can keep track of which host the connection belongs to (and, consequently, know where to send reply packets).
• Most standard applications (e.g., Telnet, HTTP, FTP, HTTPS) work fine, but any application that requires a connection initiated from the outside, or requires that a connection happen on a specific source port, will not work in hide mode. An example of such is how Internet Key Exchange (IKE) is implemented in some VPN products.
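An added Python example (not from the original slides) of Source Hide translation: two inside hosts that happen to use the same source port leave through one public address with distinct translated ports, replies are mapped back through the translation table, outside-initiated packets find no entry and are dropped, and an IKE packet loses its source port 500, the case the last bullet refers to. All addresses and ports are constructed sample values.

```python
class SourceHideNat:
    """Many-to-one (hide) NAT: every inside host leaves with the firewall's single
    public address, and the source port is rewritten so replies can be mapped back."""

    def __init__(self, public_ip: str, port_range=(10000, 20000)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        self.out_map = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public_port
        self.in_map = {}    # (public_port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: returns the rewritten (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:                     # new flow: allocate a translation
            public_port = self._allocate_port()
            self.out_map[key] = public_port
            self.in_map[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: undo the translation for a known flow, else drop (None).
        A connection initiated from the outside has no table entry, so it never
        reaches an inside host; this is the hide-mode limitation from the slide."""
        if dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])

    def _allocate_port(self) -> int:
        if self.next_port >= self.last_port:
            raise RuntimeError("translation port pool exhausted")
        self.next_port += 1
        return self.next_port - 1


def run_scenario() -> dict:
    """Constructed addresses: 10.0.0.x inside, 198.51.100.1 public, 203.0.113.x outside."""
    nat = SourceHideNat("198.51.100.1")
    a = nat.outbound("10.0.0.5", 40000, "203.0.113.10", 80)   # both hosts happen to use sport 40000,
    b = nat.outbound("10.0.0.6", 40000, "203.0.113.10", 80)   # so the firewall must pick distinct ports
    ike = nat.outbound("10.0.0.5", 500, "203.0.113.50", 500)  # IKE peer expects source port 500
    return {
        "host_a": a,
        "host_b": b,
        "reply_to_a": nat.inbound("203.0.113.10", 80, "198.51.100.1", a[1]),
        "reply_to_b": nat.inbound("203.0.113.10", 80, "198.51.100.1", b[1]),
        "same_flow_reuses_mapping": nat.outbound("10.0.0.5", 40000, "203.0.113.10", 80) == a,
        "outside_initiated": nat.inbound("203.0.113.99", 500, "198.51.100.1", 500),   # dropped
        "ike_source_port_preserved": ike[1] == 500,                                  # False in hide mode
    }
```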
Network Security
Destination Static:

• It translates the destination IP address in an IP packet to a specified IP address.

• This is a one-to-one address translation for connections.

• Return traffic, as necessary, is allowed back through without additional NAT rules.
However, if you need to initiate connectivity from either side of the firewall, a
corresponding Source Static NAT rule is needed.
Network Security - Firewalls
Destination Port Static

• Translates only the destination (or service) port number to a different port.
• Example: it allows you to transparently redirect a request going to port 8080 to port 80.
• It also allows you to make services on other machines accessible from the firewall's IP address.
Network Security - Firewalls
Firewall – Types
Firewalls can be hardware or software based.
Hardware Firewall
• Comparatively faster as it has its own processor.
• Costly.
E.g. PIX, ASA, Netscreen, Sonicwall

Software Firewall
• Can be installed on any existing server or OS.
• Less cost compared to hardware firewalls.
• OS vulnerabilities also need to be taken care of.
E.g. Checkpoint, Linux based firewalls.
Network Security - Firewalls

Questions?
Security starts with everyone.