Crash Course Network Security

Attacking and defending our Interconnected world

Vickie Li
The Startup
6 min read, Dec 20, 2019


In order to understand how fundamental networking technology influences security, we must first gain a solid understanding of how our Internet works.

The Internet is a network of interconnected machines, passing messages (via “packets”) to and from each other to communicate.

I intend to dive into different aspects of computer networking in the future, but today, let’s get a brief overview of what network security is and which components of networking technology influence security the most.

What does network security mean?

A network is secure when it can ensure the authentication, confidentiality, integrity, and availability of the communication happening on the network.

First, secure communication on the network requires authentication. Each party needs to be able to verify the identity of whoever it is communicating with.

A secure network also ensures the confidentiality of the communication, meaning that only intended recipients should be able to understand the messages.

Integrity is also an important component of secure communication: the content of the messages being passed around should not be altered by third parties during transmission.

Lastly, the network should be available: it should be accessible and usable for its users without interruption.


What can an attacker do?

So what can an attacker do to attack a network? We will go into these attacks in detail later in the post, but here is an overview of how attackers compromise the authentication, confidentiality, integrity, and availability of a network!

On an insecure network, attackers might be able to impersonate one of the parties and hijack the communication between them, causing the parties to act on messages that were never really sent. They can also eavesdrop discreetly on messages to leak confidential information.

They can intercept and alter messages on the fly to change what is communicated. And lastly, they can launch denial of service attacks to make the network unusable.

Who is communicating with each other?

So who are the communicating parties that attackers are trying to interfere with on the Internet? Most commonly they are web browsers and web servers exchanging web pages, DNS resolvers and servers exchanging IP address information, and routers exchanging routing table updates.

As you can see, if an attacker can mess with these communications, she can potentially wreak havoc on the network that is the very basis of our digital lives.

Protecting message confidentiality and integrity: Cryptography

One of the biggest security concerns on an open network like the Internet is confidentiality. How can we ensure that our communications are private when others on the network can capture and intercept our messages?

It is also important to make sure that the messages we send cannot be altered by anyone during transmission. This is where cryptography comes in. Cryptography obscures communication so that third parties cannot read private messages (encryption) and lets the recipient detect any alteration (message authentication codes and digital signatures). Note that encryption on its own only hides the content: it does not by itself stop an attacker from modifying a message undetected, which is why real protocols pair it with an integrity check.

There are two families of encryption used in modern communications: symmetric-key cryptography and public-key cryptography.

Symmetric-key cryptography

Symmetric-key cryptography is a form of encryption in which the same key is used for both encryption and decryption.

Symmetric-key ciphers can be either block ciphers or stream ciphers. A stream cipher encrypts the plaintext one bit or byte at a time by combining it with a keystream derived from the key, whereas a block cipher encrypts fixed-size blocks of plaintext (16 bytes in the case of AES).

For example, the simplest classical symmetric cipher is the shift (Caesar) cipher, a substitution cipher that replaces every letter with the one a fixed number of places further along the alphabet. Because there are only 25 possible shifts, it is broken instantly by trying them all. A general substitution cipher, which maps each letter to an arbitrary other letter, has 26! possible keys and so cannot be brute-forced, but it is still broken easily by frequency analysis, because it preserves the letter statistics of the plaintext.
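To make the "broken by brute force" claim concrete, here is an added example (not code from the original post) that implements the shift cipher, recovers the key by trying all 25 shifts and scoring each candidate against English letter frequencies, and prints the size of the key space a general substitution cipher would have instead. The sample plaintext and the frequency table are constructed for the demonstration.

```python
import math
import string

ALPHABET = string.ascii_lowercase

# Approximate relative frequencies (percent) of letters in English text; the
# attacker uses them to recognise the correct decryption automatically.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift (Caesar) cipher: every letter moves `key` places along the alphabet.
    Non-letters pass through unchanged; there are only 25 useful keys."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def english_score(text: str) -> float:
    """Chi-squared distance between the text's letter counts and English.
    Lower means more English-like."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for ch in ALPHABET:
        expected = ENGLISH_FREQ[ch] / 100 * n
        observed = letters.count(ch)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force_shift(ciphertext: str) -> tuple:
    """Try all 25 keys and return the (key, plaintext) that looks most like English."""
    best = min(range(1, 26), key=lambda k: english_score(shift_decrypt(ciphertext, k)))
    return best, shift_decrypt(ciphertext, best)


def substitution_keyspace() -> int:
    """A general monoalphabetic substitution has 26! keys (about 4e26): far too
    many to brute-force, which is why it is attacked with frequency analysis."""
    return math.factorial(26)


# Constructed sample plaintext.
SAMPLE = ("the network is secure when it ensures the authentication confidentiality "
          "integrity and availability of the communication happening on the network")

if __name__ == "__main__":
    ct = shift_encrypt(SAMPLE, 7)
    key, pt = brute_force_shift(ct)
    print(f"recovered key={key}: {pt}")
    print(f"monoalphabetic key space: {substitution_keyspace():.3e}")
```

The scoring step is the same idea frequency analysis uses against a full substitution cipher; for the shift cipher it just selects among 25 candidates, so the attacker never needs to look at the output by hand.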

Modern block ciphers: DES and AES

The Data Encryption Standard (DES) was the dominant block cipher for decades, but its 56-bit key has been brute-forceable since the late 1990s, and the Triple DES (3DES) variant that extended its life is now deprecated. The Advanced Encryption Standard (AES) is the block cipher in current practical use, in applications ranging from ATM and payment-card encryption to e-mail encryption and secure remote access.

Challenges of symmetric-key cryptography

Using symmetric-key cryptography is a sound way to secure sensitive communications, but two pitfalls can compromise it. First, if the key is too short, it can be found by brute force: the attacker simply tries every possible key until the decryption makes sense, which is why DES’s 56-bit key is no longer adequate and AES uses 128- or 256-bit keys. Second, symmetric-key cryptography requires the sender and the receiver to both know the shared secret key, so the two communicating parties need a secure way to agree on it. If the key is stolen during the exchange, everything encrypted under it is compromised.
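The cryptography section above says encryption protects both confidentiality and integrity, and the symmetric-key pitfalls above add key length and key exchange. The added example below (not code from the original post) shows the integrity half of that claim: a toy symmetric stream cipher hides the message, yet an attacker who knows where the amount sits in the plaintext rewrites it without the key, and only an encrypt-then-MAC construction with HMAC catches the edit. The keystream construction, the fixed keys and nonce, and the sample message are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys and nonce, fixed so the run is reproducible. Real code
# draws keys from secrets.token_bytes() and never reuses a nonce under one key.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
    Illustration only; production code uses AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption and decryption are the same XOR."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def bit_flip(ciphertext: bytes, offset: int, known_old: bytes, new: bytes) -> bytes:
    """Attacker edit without the key: if the plaintext at `offset` is known to be
    `known_old`, XOR-ing the ciphertext with known_old ^ new makes it decrypt to `new`."""
    assert len(known_old) == len(new)
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(known_old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any edit is caught."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; None means reject."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_stream(enc_key, nonce, ct)


def demo() -> dict:
    msg = b"transfer 0010 USD to alice"
    at = msg.index(b"0010")
    # 1. Encryption alone: the attacker rewrites the amount and the receiver
    #    decrypts the forgery without noticing anything wrong.
    ct = xor_stream(ENC_KEY, NONCE, msg)
    forged = xor_stream(ENC_KEY, NONCE, bit_flip(ct, at, b"0010", b"9999"))
    # 2. Encrypt-then-MAC: the same edit fails the integrity check.
    ct2, tag = seal(ENC_KEY, MAC_KEY, NONCE, msg)
    tampered = open_sealed(ENC_KEY, MAC_KEY, NONCE, bit_flip(ct2, at, b"0010", b"9999"), tag)
    genuine = open_sealed(ENC_KEY, MAC_KEY, NONCE, ct2, tag)
    return {"forged_plaintext": forged,
            "tampered_accepted": tampered is not None,
            "genuine_plaintext": genuine}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The MAC key is separate from the encryption key on purpose, and the tag is checked with hmac.compare_digest so that a timing difference does not leak how many tag bytes matched. Authenticated-encryption modes such as AES-GCM bundle both steps so they cannot be left out.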

Public-key cryptography

Public-key cryptography instead uses two different keys: a public key for encryption and a secret private key for decryption. Its advantage over symmetric-key cryptography is that the communicating parties do not need to share a secret in advance. The catch is that each party still has to be sure that the public key it holds really belongs to the intended peer; otherwise an attacker who substitutes their own public key can read everything sent "to" the victim. That authenticity problem is what certificates and public key infrastructure exist to solve.

Public key encryption makes use of two keys: a public key that is known to everyone and a private key that is known only to the message receiver. For more about how the public-key cryptography system works, read this wiki page about RSA: https://en.wikipedia.org/wiki/RSA_(cryptosystem).

Public-key cryptography is a fundamental technology that powers the modern Internet. It enables random parties on the Internet to communicate with each other securely without the need to exchange keys in advance.
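As an added example (not code from the original post or from the linked RSA article), the block below implements textbook RSA with small constructed primes, shows Bob encrypting a secret that only Alice's private key can recover, and then shows the key-substitution attack that the authenticity caveat above warns about: if Mallory can hand Bob her own public key labelled "Alice", the mathematics works perfectly for Mallory and not at all for Alice. The primes, the 4-byte chunking and the sample secret are constructed for the demonstration; real RSA uses 2048-bit or larger moduli and padding such as OAEP.

```python
import math


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes. Toy sizes for illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)            # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)          # (public key, private key)


def rsa_encrypt(pub, m: int) -> int:
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)


def rsa_decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def encrypt_text(pub, text: bytes) -> list:
    """Encrypt 4-byte chunks as integers (fits the ~40-bit toy modulus; no padding)."""
    return [rsa_encrypt(pub, int.from_bytes(text[i:i + 4], "big"))
            for i in range(0, len(text), 4)]


def decrypt_text(priv, chunks) -> bytes:
    """Inverse of encrypt_text; chunks must not start with a NUL byte."""
    out = b""
    for c in chunks:
        m = rsa_decrypt(priv, c)
        out += m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")
    return out


# Constructed primes (all four are prime; moduli are just over 2**39, so every
# 4-byte chunk is a valid message).
ALICE_PUB, ALICE_PRIV = rsa_keygen(1000003, 1000033)
MALLORY_PUB, MALLORY_PRIV = rsa_keygen(999983, 1000039)


def demo() -> dict:
    secret = b"session key 4242"
    # Honest case: Bob encrypts to Alice's genuine public key; only Alice can read it.
    honest = decrypt_text(ALICE_PRIV, encrypt_text(ALICE_PUB, secret))
    # Key-substitution attack: over an unauthenticated channel Mallory hands Bob
    # her own public key in Alice's name. Bob's encryption is flawless, yet the
    # secret lands with Mallory and Alice cannot even read it.
    ct = encrypt_text(MALLORY_PUB, secret)
    stolen = decrypt_text(MALLORY_PRIV, ct)
    alice_gets = decrypt_text(ALICE_PRIV, ct)
    return {"honest": honest,
            "stolen_by_mallory": stolen,
            "alice_can_read": alice_gets == secret}


if __name__ == "__main__":
    print(demo())
```

Nothing in the RSA arithmetic tells Bob which key is the real one; that binding between a public key and an identity has to come from outside the cipher, which is the job of certificates, signatures and public key infrastructure.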

Attacking and protecting network availability

A very common way for attackers to impact an organization is to compromise the availability of its services by launching a denial-of-service (DoS) attack.

In a DoS attack, the attacker floods the target with a large volume of maliciously generated packets or connection requests so that it spends its bandwidth, memory or CPU on junk and can no longer serve legitimate users. A simple single-source DoS can be stopped by identifying the malicious source and blocking traffic from it with a firewall.

Distributed DoS (DDoS) attacks are a more complex variant: the attacker uses many coordinated sources, typically a botnet of compromised machines, to swamp the target. No single source needs to send at a rate that looks suspicious on its own, which makes it much harder for a firewall to pinpoint and block the malicious traffic.
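The difference between the two cases above is easiest to see on traffic counts. The added example below (not code from the original post) runs a per-source rate limit, the classic firewall answer to a single-source DoS, over two constructed traffic logs carrying the same 5000-packet flood: one from a single attacker and one spread across 250 bots. The IP ranges, the threshold and the packet timings are constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed threshold: any single source above this many packets per second
# is treated as a flooder and blocked at the firewall.
THRESHOLD_PPS = 100


def per_second_counts(packets):
    """packets: iterable of (timestamp_seconds, src_ip).
    Returns {second: Counter(src_ip -> packets in that second)}."""
    buckets = defaultdict(Counter)
    for ts, src in packets:
        buckets[int(ts)][src] += 1
    return buckets


def sources_to_block(packets, threshold: int = THRESHOLD_PPS) -> set:
    """Per-source rate limit: the classic answer to a single-source DoS."""
    blocked = set()
    for counts in per_second_counts(packets).values():
        blocked.update(src for src, n in counts.items() if n > threshold)
    return blocked


def peak_pps(packets) -> int:
    """Total packets in the busiest second, regardless of source."""
    return max(sum(c.values()) for c in per_second_counts(packets).values())


def legit_traffic():
    # 20 ordinary clients, 5 packets each, spread over one second (constructed).
    return [(i / 5, f"192.0.2.{client}") for client in range(1, 21) for i in range(5)]


def single_source_flood():
    # One attacker sends 5000 packets within the same second.
    return legit_traffic() + [(i / 5000, "203.0.113.7") for i in range(5000)]


def distributed_flood():
    # 250 bots send 20 packets each: the same 5000-packet volume, but every
    # source stays under the per-source threshold, so nothing gets blocked.
    bots = [f"198.51.100.{i}" for i in range(1, 251)]
    return legit_traffic() + [(i / 20, bot) for bot in bots for i in range(20)]


if __name__ == "__main__":
    for name, pkts in (("DoS", single_source_flood()), ("DDoS", distributed_flood())):
        print(f"{name}: peak {peak_pps(pkts)} pps, blocked {sorted(sources_to_block(pkts))}")
```

The target receives the same peak load in both runs; the only thing that changed is that the per-source counter no longer sees anything to block. That is why DDoS mitigation moves away from per-source rules toward aggregate rate limits, traffic scrubbing and, for volumetric floods, filtering upstream of the victim's own link.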

Firewalls

Firewalls are an essential part of the network architecture of modern organizations. They separate an organization’s internal network from the larger Internet, allowing some packets to pass through while blocking others.

Why use firewalls?

So what kind of attacks do firewalls help prevent? First of all, firewalls can help blunt denial-of-service attacks by filtering out bogus packets and connection attempts before they reach the servers behind them. A firewall cannot help once an attack saturates the network link in front of it, though, which is why volumetric DDoS has to be mitigated upstream.

A firewall also provides an additional layer of protection around the data stored on an organization’s servers and makes it harder to reach from outside.

Lastly, a firewall can be a convenient way of enforcing access control. It can filter out packets from sources that are not allowed to reach the internal network, and it can enforce more fine-grained access control according to different roles within the organization.

How they work

Two classic types of firewalls are packet-filtering firewalls and application-level firewalls. (Stateful firewalls extend the first type by remembering which connections are currently open and judging each packet against that table.)

Packet-filtering firewalls filter traffic packet by packet and decide to forward or drop each one based on predefined criteria such as source IP address, destination IP address, TCP/UDP source and destination port numbers, ICMP message type, TCP SYN and ACK bits, and more.

Packet-filtering firewalls are useful for enforcing rules such as:

  • Blocking all incoming and outgoing telnet connections, and
  • Preventing external clients from opening TCP connections to internal hosts, while allowing internal clients to connect to machines outside.
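The two rules above are enough to write a small stateless packet filter. The added example below (not code from the original post) encodes them as an ordered, default-deny rule set over the header fields listed earlier and runs it on constructed sample packets; the internal network range, the sample addresses and the rule order are assumptions made for the demonstration. The second rule is implemented the way stateless filters traditionally do it, by allowing inbound TCP only when the ACK bit is set.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: 10.0.0.0/24 is the organisation's internal network.
INTERNAL = ipaddress.ip_network("10.0.0.0/24")
TELNET = 23


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def decide(pkt: Packet) -> str:
    """Stateless packet filter; rules are evaluated in order, default deny."""
    inbound = is_internal(pkt.dst_ip) and not is_internal(pkt.src_ip)
    outbound = is_internal(pkt.src_ip) and not is_internal(pkt.dst_ip)

    # Rule 1: no telnet in either direction (cleartext credentials).
    if pkt.proto == "tcp" and TELNET in (pkt.src_port, pkt.dst_port):
        return "DROP"
    # Rule 2: internal hosts may initiate anything to the outside.
    if outbound:
        return "ALLOW"
    # Rule 3: inbound TCP is allowed only when ACK is set, i.e. it looks like
    # a reply to a connection an internal host opened. A bare SYN from outside
    # is a new connection attempt and is dropped.
    if inbound and pkt.proto == "tcp":
        return "ALLOW" if pkt.ack else "DROP"
    # Everything else (inbound UDP and ICMP, anything unclassified) is denied.
    return "DROP"


# Constructed sample traffic.
SAMPLES = {
    "outbound https syn": Packet("10.0.0.5", "93.184.216.34", "tcp", 51000, 443, syn=True),
    "https reply syn/ack": Packet("93.184.216.34", "10.0.0.5", "tcp", 443, 51000, syn=True, ack=True),
    "inbound ssh attempt": Packet("198.51.100.9", "10.0.0.5", "tcp", 40000, 22, syn=True),
    "outbound telnet": Packet("10.0.0.5", "198.51.100.9", "tcp", 40001, 23, syn=True),
    "inbound dns query": Packet("198.51.100.9", "10.0.0.53", "udp", 53000, 53),
    # ACK-scan probe: the attacker sets ACK on a packet that belongs to no
    # connection. A stateless filter lets it through; a stateful one would not.
    "inbound ack probe": Packet("198.51.100.9", "10.0.0.5", "tcp", 40002, 445, ack=True),
}


def run_samples() -> dict:
    return {name: decide(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:5} {name}")
```

The last sample is the important one: because the filter trusts a header bit the sender controls, an attacker can reach an internal port simply by setting ACK on a probe, which is exactly the kind of weakness discussed under the limitations below. A stateful firewall closes that hole by only admitting inbound packets that match a connection it has already seen an internal host open.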

Application-level firewalls filter on application data in addition to the criteria used by packet-filtering firewalls. For example, an application-level firewall can allow a connection only for an authenticated user, or permit only particular commands or URLs within a protocol it understands.

Limitations of firewalls

A firewall is only as strong as the filtering rules that it uses. If a firewall uses ill-defined rules and misses important criteria, it can become vulnerable to attacks.

Spoofing is also a problem for firewalls. A packet filter has no way of knowing whether the header fields it inspects, such as the source IP address, are genuine or were forged by an attacker. So a source IP address should never be the sole criterion for granting network access.
