Network Security Flashcards
The TLS Protocol (Transport Layer Security)
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.
When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) should have one or more of the following properties:
- A secure/private connection, because symmetric cryptography is used to encrypt the data transmitted.
- The identity of the communicating parties can be authenticated using public key cryptography.
- The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.
Which ports are reserved for HTTP and for HTTPS (HTTP over TLS)?
Port 443 for HTTPS
Port 80 for HTTP
TLS inspection
Requires an additional root certificate installed on clients.
Two TLS connections are created: Client to Proxy and Proxy to Server.
TLS Handshake Protocol
The handshake protocol:
- Negotiates the encryption to be used
- Establishes a shared session key
- Authenticates the server
- Authenticates the client (optional)
- After the handshake, application data is transmitted securely (encrypted + integrity protected)
TLS: Record protocol overview
The record protocol provides two services for TLS connections.
Message Confidentiality:
Encrypt the payload using symmetric encryption (e.g. AES)
Message Integrity/Authenticity:
Calculate a MAC to ensure the message was not modified in transmission
For both operations, the session key exchanged during the handshake is used.
TLS challenges
Many vulnerabilities exist for TLS.
- It is important to keep client and server software up to date.
- Configure the server to exclude weak algorithms.
- TLS provides security only for a single TCP connection.
- A browser can establish both HTTP and HTTPS connections, even to the same server (e.g. HTML via HTTPS, images via HTTP).
- Relies on the browser PKI, which has many security issues.
- No trust indicator.
- Phishing and TLS can be easily combined.
VPN
TLS secures only a single TCP connection.
Sometimes all communication from a computer, including non-TCP communication, must be secured.
Typical application:
VPN tunnel into a company network
Tunnel can only be established after authentication
All communication is routed (and secured) through the tunnel
Client is virtually part of the local company network
Client gets access to internal services
TOR The Onion Router
An anonymizing routing protocol
Originally sponsored by the US Naval Research Laboratory
From 2004 to 2006 was supported by EFF
Since 2006 independent nonprofit organisation
Creates a multi-hop proxy circuit through the Internet from client to destination.
next destination.
No cleartext gap, except at the exit node.
No node knows end-to-end client-server association
VPN authentication
Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the administrator.
Firewall
A firewall is a checkpoint that protects the internal networks against attacks from outside networks. The checkpoint decides which traffic may pass in and out based on rules.
Stateless packet filter
A packet filter is a network router that can accept/reject packets based on headers. Decisions are based on attributes such as:
- Source or destination IP addresses
- Source or destination port numbers
- Protocol (UDP, TCP or ICMP)
- ICMP message type
- Which interface the packet arrived on
Unaware of session states at internal or external hosts.
High speed, but primitive filter.
Stateful packet filters
Stateful packet filters track current state of a connection
Stateful packet filters keep track of sessions
Recognise if a particular packet is part of an established
Will add a temporary rule to allow the reply traffic back through the firewall.
This makes the definition of filtering rules easier to accomplish and therefore potentially more secure.
High speed, can use relatively advanced filter rules
Requires memory, so can be subject to DoS (Denial of Service) attacks.
Honeypot🍯
A honeypot is a computer configured to detect network attacks or malicious behaviour; it appears to be part of a network and seems to contain information or a resource of value to attackers. But honeypots are isolated, never advertised and continuously monitored, so all connections to a honeypot are by definition malicious.
Can be used to extract attack signatures
Honeynet is an international security club, see next slide.
Application Level Gateway
Inspects payload in end-to-end or proxy application connection
Support specific application protocols
e.g. HTTP, Telnet, FTP, SMTP, etc.
Each protocol is supported by a specific proxy hardware/software module.
Can be configured to filter specific user applications
E.g. Facebook, Youtube, LinkedIn
Can filter detailed elements in each specific user application
Can provide intrusion detection and intrusion prevention
Very high processing load in firewall
High volume needs high performance hardware, or else will be slow
Intrusion detection systems
Intrusion:
Actions aimed at compromising the security of a target network (confidentiality, integrity, availability of resources).
Intrusion detection:
The identification of possible intrusion through intrusion signatures and network activity analysis
IDS: Intrusion Detection Systems
Intrusion prevention:
The process of both detecting intrusion activities and managing automatic responsive actions throughout the network.
IPS: Intrusion Prevention Systems
IDPS: Intrusion Detection and Prevention Systems