Network Security: TCP/IP Security
Hello. So, we will be discussing on Network Security or rather we will be continuing ourdiscussion on network security; for last couple of lectures we are discussing aboutnetwork security what are the different aspects of the security. So, today we will seesome of the things which are more related to TCP/IP layer alright. So, as we mentionedthat security per say is a phenomena which need to be ensured across the layer right likeit; like they are stacked in at different levels like starting from top from application layerto the physical layer.However, security comes as a vertical type of things right it is some sort of a end to endphenomena should be there otherwise it is; making it fully effective will be very difficultright. So, and as also we understand that when we the TCP/IP or OSI model came up andwhen or the devices or which are communicating based on these protocols which aredefined for different layers, they are not initially made for security purpose right; theyare made to communicate.And whenever we put any security aspects, that becomes more as a hindrance to thatthings right. Once you any say for physical security also if you go on checking, thetraffic flow decreases, the number of processes increases and type of things. So, that isneed of more computational power, need to handle this congestion and type of thingswill come into play right.So, so there may be some devices which are security enabled; that means, theyunderstand that what is a security, some devices which are still not security enabled right.So that means, if you if you if we change the basic protocol stack or the format; thensome of the intermediate devices may fail to understand that what is what is theirinterventions; in others sense it may drop the packet like say IP packet. IP packet has aspecific format or specification based on the guideline or the protocol standardizedstandard protocol. Now for the security purpose embedding the security if I change this
IP packet; some of the routers may not able to understand that what is there in the IPpacket.In other sense it may drop; it will drop the packet it will not recognise the IP packet. So,whatever we do with this stack protocol stack whether OSI or TCP/IP; we need to keepin mind that a device which is not able to decipher these security information should ableto forward this packet right; as it was doing earlier right. So, the whole process came uplike that.Another thing we will see slowly another thing is important see; if we look at the wholeprotocol stack; so, there are different layers right known application layer if I look at theTCP/IP protocol stack what say, so there is a application layer, then transport, then IP,then data link and physical layer right. So, these are have a peer to peer connectivityright transport layer of system 1 when we are communicating to a system 6 in somethingthat is a peer to peer connectivity.So, the security at that level should have a also a peer to peer way of handling that orconnectivity or handling those security things that has to be there right. So, with thisnotion let us look at that what are the different aspects of security of means today’snetworking and the need of security need not to be explained again. And we do undermeans from a personal day to day experiences or working experiences in office and othereplatforms we understand there is a security is a must phenomena which need to bethere.So, today mostly we will be concentrating on TCP/IP security has to have it has a back toback things for the OSI. So, if we look at our common OSI TCP/IP protocol stack; sothere are here 7 layers or here 5 layers now.
(Refer Slide Time: 05:03)
Now see what we try to say that one is that there should be a end to end phenomena ifyou want to put security in the things. Another thing you see physical layer is basically aconnectivity right; in some of the cases physical layer is not in some (Refer Time: 05:23)is not considering the protocol stack; it is more of a communication phenomena right.So, any way that it is a point to point means hop to hop connectivity here also data linklayer hop to hop connectivity. So, per se the security of this traffic is something under thejurisdiction of some authority right like if the; if the physical layer layout in the IIT,Kharagpur; so, that is a within the administrative control of the IIT Kharagpur authorityand there is a more physical security is most required that it is not tempered and type ofthing. Similarly data link layer is also hop to hop connectivity; so, as such the security ofthis is also not what we say a wide concerned as such because it is a only hop to hopthings type of things it can be ensured by the 2 communicating party right.The challenge has come from the network here right because you have a path which isnot exactly in your control; it is outside the your network and it you do not know that thepath which are the routers and other devices intermediate devices it is following. So,from that context what we see that from network layer transport layer application layer;here the security phenomena are more predominant. So, our discussion will be moreconcentrating on this that what are the different phenomena or what are the things we putit in different literature and so and so forth right.
(Refer Slide Time: 06:51)
So, if you look at the generic protocol stack. So, there should be these are the differentstandard layer that IP, TCP, SMTP is the application layer and type of things and belowthat there is a MAC is there and the trailer security protocol and things. So, this is thisMAC is not yours; this MAC is not basically the MAC what we have seen in the layer 2.So, this is more message authentication code or the code which is required toauthenticate this message and type of thing right.So, in other sense what we say this becomes encapsulated in a bigger packet; which has aheader for the security protocol trailer for the security protocol, but the overall packetwhen moves along a layer it should be able to decipher by a router or a device which isnot security enabled right; which is not able to understand this what is this high headersecurity protocol or trailer security protocol, but still it is able to able to forward thispacket otherwise it will drop the packet right.So, any layer any layer say it whether it is IP or transport or application has to follow thisphilosophy. So; that means, the actual packet is somewhere encapsulated along with thewrapped along the security things.
(Refer Slide Time: 08:25)
So, IP level the IP security or IPSec is the predominant protocol is a collection ofprotocol designed by the IETF to provide security packets to the network level; so, this isIPSec designed to provide security level. In other sense it is instead of IP it is IPSec andthe other layers basically able to intercept interpret that things in the similar fashion.(Refer Slide Time: 08:53)
So, there are 2 mode of 2 modes for IPSec one what is called transport mode, another isthe tunnel mode; so, these 2 mode of communication. So, in case of transport mode thetransport this is this transport mode is related to the IP layer not the transport layer per se.
So, these becomes a payload to the thing right and it is if the actual IP header comes inthe form (Refer Time: 09:22) and the IPSec header and trailer are added.So, primarily it protects the payload or in the transport layer payload of the things right.So, it is transported across the network so, but the IP header is not protected; in a in caseof a IPSec tunnel mode here the IPSec header IP header is updated to a new IP header;so, that is also protected. So, it is sort of a virtual tunnel is made between these 2 partiesand the things goes to the things right.So, only thing we need to take care there are some of the fields which are mutable orsome of the fields that is source destination etcetera has to be taken care at the new IPheader. We are not going to the details of the protocol it is left to you to those who areinterested can look into the things, but we this is the basic philosophy.(Refer Slide Time: 10:15)
So, in transport mode IPSec in the transport mode does not protect the IP header; it onlyprotects the information coming from the transport layer or the payload which is gettingfrom the things right here the it is structure is like this; so, it is there at the host B it isdeciphered or extracted in this per se.
(Refer Slide Time: 10:35)
Whereas, in case of tunnel mode protects the original IP header because it comes with anew IP header and moves like that; so, it is a form a tunnel thing between the 2 devicesor 2 parties.(Refer Slide Time: 10:49)
So, there are different services access control, message authentication or messageintegrity, entity authenticity confidentiality, replay attack protection these are supportedby this. So, this AH and ESP we are not going into details; so, the things that those are
some of the things like authenticated; authentication header and encapsulated securityprotocol header ESP header.So, these are the things two type of headers what the IPSec will have; we are not goinginto those formatting, but there are different services which can provide and ESP canprovide. But if we even keep this part aloof; so we can see these are the IPSec relatedservices which are provided by the IPSec right.(Refer Slide Time: 11:35)
Next come transport layer security or SSL or TLS. So, we are used to the SL SSL; so thiswas the generic version or the IETF supported version or standardized version is the TLSits of the of the SSL basic protocol. So, it acts on the TCP; so, it basically providessecurity at the TCP level. So, it is designed to provide security at the transport layer. So,it goes on and at the peer transport layer should understand that how to extract thesecured information; so, this is the SSL or TLS type of traffic security.
(Refer Slide Time: 12:19)
So, there also 4 protocols or sub protocols are there. Handshaking protocol so have somenegotiation between the parties; there is a change cipherspec protocol for finding out thatwhich is the what sort of cipher parameters or the things will be there. There is alertprotocol for any type of alert generation things and finally, the record protocol whichbasically handles the thing and talk with the what we say integrate with the basictransport layer.So, again we are not going details into those things. So, these are the different type of 4protocols; 4 sub protocols as you say that the at the SSL or TSL level which allows it tohandle the security right; so, 4 SSL protocols.
(Refer Slide Time: 13:11)
So, this provides a security at the transport layer the other thing is the application layer orPGP protocol. Like PGP is a example scenario that is say in application layer; these arethe applications which are talking to each other right. So, there is a server application,there is a client application which talks to each other this can be mail application this canbe something say FTP type of file transfer application, this can be something which isDHCP or type of DNS type of application; so, there can be different sort of applicationswhich can be there. Now, this the application is there has the different type ofrequirement at there in. Now in order to handle those requirements; so, there are way ithandles the security aspects may differ from one to another right.And the other the major one of the I should not say means I should; I it maybeadvantages or convenience for the application layer is the application layer talks to theapplication layer it has a more resourceful layer where you can do security decipher atthe other end type of things right. So, at the; at the top it is a layer 7 or layer 5 in theTCP/IP protocol OSI or TCP/IP protocol.So, that way application layer may be more resourceful thing. So, in these case it is areference is from the pretty good privacy that is a PGP protocol for mail transfer. So,PGP designed to create authenticate and confidential emails right; so, pretty goodprivacy email transfer the PGP protocol is there. So, this is a example scenario or typical
scenario where these security can be and the security of the of the application layer canbe demonstrated.(Refer Slide Time: 15:21)
So, if you if you look at that PGP protocol per se; so, there are email message isauthenticated and encrypted. So, it is a something at the at the email message it is hashedand a digest is created over that the encryption thing is there; that there is a session keywhich is passed to the which is generated. So, it is Alice and Bob are communicated; so,to communicating. So, Alice private key is embedded or encrypted with a onetimesession key and pass to the other end and the on the other end Bob decrypt it and workwith that protocol with the key.So, what we see here that I can basically create a message and encrypt it or encapsulate itwith appropriate crypto phenomena and then communicate to the other end to decrypt itthe thing. Now this is possible at the application layer because the application layer haslot of resource and the things and it can be guaranteed, it can be shown that these 2 whatlevel of security it provides that the message cannot be deciphered right. So, this is at theapplication layer and if there are different other type of application layer protocols; theymay have some variant of the thing, but the basic philosophy remains the same.
Network Security: TCP/IP Security - Part 2
Now, with this thing we come to a phenomena like. So, we have the standard layers fromone end the standard layers at the intermediate sources. So, I I need to put the security atthe layer wise because the whole protocol understands via the peer to peer connectivity.Now the intermediate devices say I have a router which is not IPSec enabled right; so,either it has to drop the packet if it does not understand what is the header or it need tohandle the packet as the as it is going through the things. Now, the if the router it mayunderstand this is the packet, but it may not be able to decipher what is inside becausethat is the payload it may be encapsulated. But if the header is tampered or header ischanged in such a way that the intermediate router does not understand; if it is not IPSecenabled then it will drop the packet. So, those are things need to be taken care at everylayer that what it is done.So, another thing what we have seen that on the network layer onwards the things aremore externally or what we say in a more in a distributed fashion or distributed controlthings are there right. So, there is more security is more important whereas, in the datalink layer or the physical layer that is more internal controls are there right. So, these arethe 2 things with this we come to another phenomena called firewall which are we areaccustomed with we here at the layout say a network or a organisation network shouldhave firewalls.
So, firewall as the name suggest it protects the internal network from the external attackright; it can be both way also some of the things going out of this firewall also can behandled. So, it is a something a logical wall between the 2 networks right.
Now, firewall are effective to protect local systems or meant to protect local systems,protects network based security threats, provide secured and controlled access to internetprovide restricted and controlled access to the internet to the local thing right. So, all alltype of things; try to protect the local system, protect network based security threatswhich are network enabled security threats provide security and controlled access to theinternet right.So, that is for outgoing traffic for incoming traffic provide restricted and controlledaccess from the internet to the local servers or systems right. So, this is the overall thehow the firewall as supposed to do right. Now, obvious question may come that whichlayer the firewall works right; whether it is works in the IP layer, transport layer or someother layers etcetera.
So, accordingly if we look at that there can be different variety or flavours of firewall.One is packet filter one is application level gateway or sometimes also a proxy firewall,another is circuit level gateways or circuit level firewalls here we will see one by one.
So, if in case of a packet filter we want what we want to do? We want to filter the IPpacket based on my policies. So, firewall say if we if I say that it filters traffic betweenthis outgoing and internet on what basis? So, there should be some policy. So, thereshould be some policy some implementation of that policies in this firewall by based onwhich it filters the traffic right; so, that that is the thing we need to have.So, in case of a packet filter firewall; so, traffic is filtered based on the specific rulesright including source and destination IP address, packet type, port type etcetera. So,these are things which are filtered based on the this rule. Now if we if you see it is notonly IP layer, it also have some thing do with the transport layer. So, nevertheless, but itdoes not look at the application type of things; so, IP plus transport gives me the things.So, unknown traffic is only allowed to a level particular level in the network stacketcetera. So, it is allowed up to this and it is checked either it is blocked or passed to theoutgoing traffic.
So, if you if we see that there are 2 interfaces of a particular packet filter firewall and thisis the maybe the rule. So, any source IP this one anything is allowed or this anythingcoming from these are allowed or say blocked; so, which way the things are there it isallow or block or anything coming for destination port 23 are blocked anything comingfor source port, so, let us see that this is the allow list.So, anything coming from IP address source it is allowed, anything coming from the fordestination 23 is allowed anything any; request coming from this destination is allowedor IP port any source IPs port 80 is allowed; that means, if it is allowed that the HTTPtraffic.So, it allows the HTTP traffic to go out nothing else; it allows any type of traffic to goesin and type of things. So, that the thing is that is the this is the allow metric though itallow the things. The other way in this form I can basically restrict the how things aregoing. So, it is something which is called which is also synonymous to this accesscontrol lists like so, how this access to this internal systems will be done this accesscontrol list.
Now, packet filter router packet filter router or packer filter firewall a applies set of rulesfor incoming IP traffic and then forward the and discard traffics filter traffics on bothdirection. The packet filter typically setup for a list of list of rules based on the matcheswith the IP or the TCP header; that means, IP address port number etcetera; so, it candiscard or allow or forward.
So, advantages simplicity transparency to user, higher transparent to user, higher speeddisadvantage difficult for setting up packet filter rules right; so, what should be the
packet filters rules a large organisation may have, huge amount of IP or subnet blocksand then setting these rules are cumbersome and lack of authentication whether thesource is authenticated source authenticated etcetera are not there.
The next come the application level gateway or at the higher level. So, it is alsosomething proxing or the proxy firewall as relay of application level traffic right. It isservice specific like telnet FTP SMTP HTTP has different type of requirement and thingsso that so it is service specific. So, similarly traffic is filtered based on specifiedapplication rules such as specified applications; such as a browser or a protocol FTP andcombination of those things and type of things; so, that is at the higher level.
So, if we see that a typical HTTP firewall; so, if it request comes it goes to that all HTTPpackets to this thing; if there is a error it goes to the return back to the firewall or it is notallowed otherwise it is accepted packet to the HTTP server to serve the things. So, that isevery traffic coming for this HTTP is pushed into the HTTP firewall right; like we lookat the mail security every traffic come to that that mail security firewall which takes acall that whether it is a correct traffic or not right; so, that is the way it works.
So, application level firewall also proxy server or proxy firewall relay of applicationtraffic, acts as a relay. (Refer Time: 25:50) Advantages, higher security than packet filtersonly need to scrutinize a few allowable applications easy to log and audit all incomingtraffic right. So, disadvantages additional processing overhead on connection gateway asits spike point etcetera. So, that is the more application more processing things arerequired.
There is another type of things circuit level gateway. So, may not be very popular;popular in the sense we may not be seen this very everywhere, but that there is a thingthis can be a standalone system or specialized system. So, it does not permit an end toend TCP connections right; so, usually TCP connections are end to end phenomena. So,this circuit level gateway it does not permit TCP connection rather gateway sets up 2TCP connections; once the TCP connection are established, the gateway relays TCPsegment from one connection to the other without examining the contents. So, that is itbreaks the things and create a connection like this so, that it moves like that.
So, it is again it acts at a transport layer; traffic is filtered based on the specific sessionrules such as when a session is initiated or by a recognised computer and type of things;so, based on that TCP session. So, as it is a phenomena of the transport layer it is mostlycontrolled by the transport layer.
So, stand alone system set up 2 TCP connection; security function consists ofdetermining which connections will be allowed. Typically use situation in which systemadministrator trusts the internal user; so this socks package is one of such example.
(Refer Slide Time: 27:39)
Now regarding firewall configuration in addition to use simple configuration of a singlesystem, more complex configurations are possible 3 common there are very popularuses.(Refer Slide Time: 27:55)
So, one is the screened firewall like here the traffic comes and then it goes to this packetfiltering router and goes to the things right. So, the traffic is connection like this sorry;so, there is a bastion host which is more controlled system the controlled host; where theservices which are only needed are enabled the it goes to that traffic for filtering there is
a information server which says that what sort of security filtering or security featureneeds to be energized.(Refer Slide Time: 28:39)
So, as we have seen that it consists of 2 system one is the packet filtering router and thebastion host and the bastion host perform authentication and the proxy function. Thegreater security than single configuration because of 2 reason implements both packetfilter and application filter filtering intruder must generally penetrate to systems to and tocompromise the firewall.So, other one is a screened host firewall dual homed; so, the configuration physicallyprevents security breach right here the breach is there. So, it goes there and it goes to bethere; so it is a physically it is not logically forwarding the packet it is physically protectsthe things.
(Refer Slide Time: 29:25)
And the packet filtering router is not completely compromised and traffic between theinternet and other host on the private network has to flow through the bastion host cannotavoid that things; so, that is the way it looks that.(Refer Slide Time: 29:43)
And another is the screened subnet firewall where there we have another internal routerso; that means, dual home things are there. So, it is a private and a this is the external andthis is the internal router so; that means, 2 layer protection is there. So, a screened
subnet; so I can have now 3 domain right one is the external one is the intermediate andin the another is the on the private network or the internal network on the things right.This helps us in keeping several severs like say DMZ zone etcetera can be created outhere right which need not only goes through these outer firewall; also while connectingto the internal thing has to be connect has to be goes to a internal firewall. So, this is athis is a much better configuration, but as we see that it requires more hardwarespecification and more configuration issues and increases the host cost and managementof the whole system.(Refer Slide Time: 30:51)
And finally, if we try to look at a typical scenario that what today’s systems tries to do.One side is that internet connectivity with a ideas that is your intrusion detectionsystems. Another side is the internal network where things are; there are 2 firewall outerfirewall and inner firewall in between there are several things. One the things one thethings which are should be in the DMZ row like DNS server, mail server, web server orany other server with that DMZ zone.It also has a intrusion detection things which are which could have compromise these orpass this, but there is a intrusion detection based on the whatever it receive in the switch.There is a honeypot as we discussed sometime back; so that it is a where you areexpecting the attacks and learn the signatures of the things. So, this is in the DMZ zoneand then we have this inner firewall for the external connectivity.
So, with this let us conclude our discussion on this network security. As I mentioned thenetwork security per se is not part a core part of the course. So, may not be important foryour exam point of view, but it is a important for our networking concepts or look meansor for practical implementation on it. So, that is why we thought that we should havecouple of lectures on the network security to give you some the pointers. Because this ismuch deep into the things every subject some pointers those who are interested can gointo the things. So, as this is the last lecture of our series of courses.So, first of all let me thank you that you have taken up this course. So, what we tried thattoo look at different aspects of the computer networks and internet protocols at layerwise. We followed a top down approach starting from the application and going comingdown the things and I tried to see that important factor at a different level. Neverthelessto say that is there are lot of things which are still need to be explored what we believethat this will give you a means as I was mentioning some pointers to look into differentaspects of the things.And all with these days several simulators etcetera available and also some many of youhaving some practical implementation at your workplace or college and type of things.So, it will be nice to explore some of the things, but be careful that you should not dosomething which bring harm to the network because after all we make this network tohave resources shared and able to work together or have that more accessibility to theresource.So, with this let us conclude this today’s talk and also let me thank you again for thetaking up this course.Thank you.
Log in to save your progress and obtain a certificate in Alison’s free Advanced Diploma in Computer Networks and Internet Protocol online course
Sign up to save your progress and obtain a certificate in Alison’s free Advanced Diploma in Computer Networks and Internet Protocol online course
Please enter you email address and we will mail you a link to reset your password.