
Chapter 4: Network Security

Network security is any system, device, or action designed to protect the safety and reliability of a
network and its data. Like a fence around private land or a lock on a door, network security manages
access to a network by stopping a variety of threats from entering and spreading through a system.
Network security is focused on protecting files, documents, and information from those types of
attacks. Most commonly, network security starts with authentication in the form of a username and
password, but it can also employ other tools like firewalls, anti-virus programs, and virtual private
networks (VPNs) to protect the network’s information.

Benefits of Network Security


Secure and reliable networks protect not just organizational interests and operations, but also any client
or customer who exchanges information with the organization, in addition to the general public. Here
are the top benefits a company stands to gain from improved network security.
• Builds trust: Security for large systems translates to security for everyone. Network security boosts client and consumer confidence, and it protects your business from the reputational and legal fallout of a security breach.
• Mitigates risk: The right network security solution will help your business stay compliant with business and government regulations, and it will minimize the business and financial impact of a breach if it does occur.
• Protects proprietary information: Clients and customers rely on organizations to protect their sensitive information. Business relies on that same protection, too. Network security ensures the protection of information and data shared across the network.
• Enables a more modern workplace: From allowing employees to work securely from any location using a VPN to encouraging collaboration with secure network access, network security provides options to enable the future of work. Effective network security also provides many levels of security to scale with your growing business.

Threats and Attacks on Network Security


• Malware: Malware is a program that attacks information systems. There are various types of malware, each designed to perform specific malicious activities. For example, ransomware encrypts files and holds them for ransom, spyware covertly spies on victims, and Trojans infiltrate systems. Threat actors use malware to achieve various objectives, such as stealing or secretly copying sensitive data, blocking access to files, disrupting system operations, or making systems inoperable.
• Phishing: Phishing is a type of fraud that occurs when a threat actor impersonates a reputable entity in person, via email, or through other forms of communication. Threat actors often use phishing emails to spread malicious attachments or links that perform various functions, such as extracting the victim's account information or login credentials.
• Bots: A bot is a small program that automates web requests with various goals. Bots perform their tasks without any human intervention, for example scanning website content or testing stolen credit card numbers. A bot attack uses automated web requests to defraud, manipulate, or disrupt applications, websites, end users, or APIs. Bot attacks were originally used primarily for spam and denial of service, but they have evolved into complex enterprises with economies and infrastructure that enable waging additional, more damaging attacks.
• DDoS attacks: A Distributed Denial of Service (DDoS) attack employs multiple compromised computer systems to attack a target and cause a denial of service for the targeted resource's users. It sends a flood of messages, malformed packets, or connection requests to the target system, forcing it to slow down or shut down entirely, denying service to legitimate systems and users. DDoS attacks can target a website, a server, or other network resources.
• Advanced Persistent Threats (APTs): An APT is a targeted and prolonged attack during which intruders gain unauthorized access to a network and remain undetected for an extended time. Threat actors usually launch APT attacks to steal data rather than to damage the target's network.
• Drive-by download: A drive-by download is the unintentional download of malicious code to a computer or mobile device, exposing the victim to a cyberattack. Unlike other cyberattacks, a drive-by does not rely on the user actively enabling the attack. It exploits an application, web browser, or operating system containing security flaws, which may exist because of missing or failed updates.
• DNS attack: A DNS attack occurs when a threat actor exploits vulnerabilities in the Domain Name System (DNS). DNS was designed for usability rather than security. As a result, threat actors can exploit the communication between clients and servers to launch attacks.

Network Security Vulnerabilities


In computer security, a vulnerability is a weakness that can be exploited by a threat actor, usually for malicious purposes. Vulnerabilities can be found in many different areas of a system, including hardware, software, networks, and even people. There are four main types of security vulnerabilities:
• Misconfigurations: Incorrectly configured systems and applications are often the weakest links in an organization's security posture. A poorly configured firewall, weak passwords, and default accounts left active are all examples of common misconfigurations that can lead to serious security vulnerabilities.
• Unsecured APIs: Many modern applications rely on application programming interfaces (APIs) to function properly. However, if APIs are not properly secured, they can be a serious security vulnerability. Attackers can exploit unsecured APIs to gain access to sensitive data or even take control of entire systems.
• Outdated or unpatched software: Software vulnerabilities are often the root cause of major security breaches. Outdated software is especially vulnerable, as attackers can exploit known weaknesses that have already been patched in newer versions. Unpatched software is also a major security risk, as many organizations fail to apply critical security updates in a timely manner.
• Zero-day vulnerability: A zero-day vulnerability is a previously unknown security flaw exploited by attackers before the vendor has patched it. These vulnerabilities are extremely dangerous, as there is usually no way to defend against them until after they have been exploited.

TCP/IP Suite Weaknesses and Buffer Overflow

The TCP/IP protocol suite is the de facto protocol suite used by the Internet. Common attack techniques that target the TCP/IP protocol suite are the following:
• Sniffing: Sniffing is eavesdropping on the network. A (packet) sniffer is a wire-tap program. Sniffing is the act by machine S of making copies of a network packet sent by machine A and intended to be received by machine B. Sniffing can be used for monitoring the health of a network as well as for capturing the passwords used in telnet, rlogin, and FTP connections.
• Buffer overflow: Many network server programs run with the privileges of the super user. Among the many servers that have suffered from such bugs are several implementations of FTP servers, the ubiquitous DNS server program called bind, the popular mail server called sendmail, and the web server IIS, to name a few. An attacker supplies cleverly constructed inputs to such a program, causing it to transfer control to executable code the attacker has supplied. Typically that code produces a shell that the attacker can interact with from a remote machine, with all the privileges of the super user.
• Spoofing: Spoofing refers to altering (portions of) a packet so that the overall packet remains structurally legitimate (e.g., checksums are valid) but the information it contains is fake. Spoofing often accompanies sniffing, but an attacker may also manufacture entirely new packets with fake values. Spoofed packets are injected into the network.
• Poisoning: Many network services are essentially mappings implemented as table lookups. The mappings are dynamic, and the update methods are well defined. Unfortunately, who is qualified to provide the updates, and how the messages that carry update information are to be authenticated, are ill defined. An attacker takes advantage of this and provides fake updates, causing the table to be "poisoned."
• TCP SYN attack: This attack abuses the three-way handshake used between a host and a server to set up a connection. A server has limited resources. Once it responds to a SYN request with a SYN-ACK, it sets aside resources for this connection and waits for the ACK from the client. If the attacker sends many SYNs within a very short interval, the server exhausts its resources. The attacker never responds to the SYN-ACKs sent by the server, so the connections are left half open. The server is then unable to respond to further connection requests because its resources are exhausted, and denial of service takes place.
• Connection hijacking: Authentication between two hosts takes place during the initial stages of connection setup; thereafter no authentication is required. The attacker can take advantage of this by sending a reset to the client, killing the connection on the client's side, and then spoofing the client to continue the session with the server.
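The SYN attack above can be recognized from the server's side by counting connections that received a SYN-ACK but never completed the handshake. The following is an added example, not code from the chapter; the segment log, server address and per-client threshold are constructed assumptions.

```python
"""Half-open connection tracking and SYN-flood alerting.

Added example, not from the original chapter. It replays the TCP handshake
described above: the server reserves state when it answers a SYN with a
SYN-ACK, and releases it only when the client's final ACK arrives. The
segment log below is constructed; the per-client threshold is an assumption.
"""
from collections import defaultdict

SERVER_IP = "192.0.2.10"          # constructed server address
HALF_OPEN_THRESHOLD = 10          # assumed per-client limit; tune to the listen backlog

# Constructed sample traffic as (src_ip, dst_ip, flags). 10.0.0.5 completes
# its handshake; 198.51.100.7 opens twelve connections and never sends ACK.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", SERVER_IP, "SYN"),
    (SERVER_IP, "10.0.0.5", "SYN-ACK"),
    ("10.0.0.5", SERVER_IP, "ACK"),
]
for _ in range(12):
    SAMPLE_SEGMENTS.append(("198.51.100.7", SERVER_IP, "SYN"))
    SAMPLE_SEGMENTS.append((SERVER_IP, "198.51.100.7", "SYN-ACK"))


def track_half_open(segments, server_ip=SERVER_IP):
    """Return {client_ip: number of half-open connections} after replaying segments."""
    half_open = defaultdict(int)
    for src, dst, flags in segments:
        if src == server_ip and flags == "SYN-ACK":
            half_open[dst] += 1      # server set aside resources for client dst
        elif dst == server_ip and flags == "ACK" and half_open[src] > 0:
            half_open[src] -= 1      # handshake completed, resources released
    return dict(half_open)


def syn_flood_sources(segments, server_ip=SERVER_IP, threshold=HALF_OPEN_THRESHOLD):
    """Clients holding more half-open connections than the threshold allows."""
    counts = track_half_open(segments, server_ip)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def total_half_open(segments, server_ip=SERVER_IP):
    """Server-wide count of half-open connections: the resource the attack exhausts."""
    return sum(track_half_open(segments, server_ip).values())


if __name__ == "__main__":
    print(track_half_open(SAMPLE_SEGMENTS))    # {'10.0.0.5': 0, '198.51.100.7': 12}
    print(syn_flood_sources(SAMPLE_SEGMENTS))  # ['198.51.100.7']
```

A real deployment would read the same (src, dst, flags) tuples from a packet capture or the kernel's socket table instead of the constructed list.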

Network Security Protocols


Network security entails securing data against attacks while it is in transit on a network. To achieve this goal, many real-time security protocols have been designed. Such a protocol needs to provide at least the following primary objectives:
• The parties can negotiate interactively to authenticate each other.
• A secret session key is established before information is exchanged on the network.
• The information is exchanged in encrypted form.
Interestingly, these protocols work at different layers of the networking model. For example, the S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol works at the application layer, the SSL (Secure Sockets Layer) protocol was developed to work at the transport layer, and the IPsec (IP Security) protocol works at the network layer.

1) Application Layer Security


Email Security
The growing use of e-mail communication for important and crucial transactions demands the provision of certain fundamental security services, such as the following:
• Confidentiality: The e-mail message should not be read by anyone but the intended recipient.
• Authentication: The e-mail recipient can be sure of the identity of the sender.
• Integrity: Assurance to the recipient that the e-mail message has not been altered since it was transmitted by the sender.
• Non-repudiation: The e-mail recipient is able to prove to a third party that the sender really did send the message.
• Proof of submission: The e-mail sender gets confirmation that the message was handed to the mail delivery system.
• Proof of delivery: The sender gets confirmation that the recipient received the message.
Security services such as privacy, authentication, message integrity, and non-repudiation are usually provided by using public key cryptography.
The protocols and schemes used in e-mail security are:
• Pretty Good Privacy (PGP) is an e-mail encryption scheme. It works at the application layer. It has become the de facto standard for providing security services for e-mail communication.
• S/MIME is a secure e-mail standard. It is based on an earlier, non-secure e-mail standard called MIME.
Secure e-mail communication in a captive network can be provided by adopting PGP. For e-mail security over the Internet, where mail is very often exchanged with new, unknown users, S/MIME is considered a good option.

Web Security
Secure web browsing is provided by HTTPS (Secure HTTP), which stands for HTTP over SSL. This protocol is used to provide an encrypted and authenticated connection between the client web browser and the web server. Secure browsing through HTTPS ensures that the following content is encrypted:
• The URL of the requested web page.
• Web page contents provided by the server to the user's client.
• The contents of forms filled in by the user.
• Cookies established in both directions.

Secure Shell Protocol (SSH)

• SSH is a network protocol that runs on top of the TCP/IP layer. It is designed to replace TELNET, which provided an insecure means of remote login.
• SSH provides secure client/server communication and can be used for tasks such as file transfer and e-mail.
• SSH2 is the prevalent version of the protocol; it provides improved network communication security over the earlier version, SSH1.

2) Transport Layer Security
Security at this layer is mostly used to secure HTTP-based web transactions on a network. However, it can be employed by any application running over TCP. The main protocols that provide a security scheme at the transport layer are TLS and SSL.

Transport Layer Security (TLS)


TLS operates above the TCP layer. Its design uses the popular application programming interface (API) to TCP, called "sockets", to interface with the TCP layer. Applications are then interfaced to TLS instead of to TCP directly. TLS provides a simple socket-style API that is analogous to TCP's API. TLS is designed to operate over TCP, the reliable layer 4 protocol (not over UDP), which makes the design of TLS much simpler, because it does not have to worry about timing out and retransmitting lost data. The TCP layer continues doing that as usual, which serves the needs of TLS.

Secure Socket Layer (SSL)


SSL provides network connection security through confidentiality, authentication, and reliability. It is available to all TCP applications and is supported by almost all web browsers. It makes it easy to do business with new online entities. It was developed primarily for web e-commerce.

3) Network Layer Security


Internet Protocol Security (IPsec)
The popular framework developed for ensuring security at the network layer is Internet Protocol Security (IPsec). The important security functions provided by IPsec are as follows:
• Confidentiality: Enables communicating nodes to encrypt messages, preventing eavesdropping by third parties.
• Origin authentication and data integrity: Provides assurance that a received packet was actually transmitted by the party identified as the source in the packet header, and confirms that the packet has not been altered in transit.
• Key management: Allows secure exchange of keys, and provides protection against certain types of attacks, such as replay attacks.
IPsec provides an easy mechanism for implementing a Virtual Private Network (VPN) for medium to large institutions. VPN technology allows an institution's inter-office traffic to be sent over the public Internet by encrypting the traffic before it enters the public Internet and logically separating it from other traffic.

4) Link Layer Security
The data link layer in Ethernet networks is highly prone to several attacks. The most common attacks are ARP spoofing (modifying a target host's ARP cache with a forged entry), MAC flooding (the attacker floods the switch with MAC addresses using forged ARP packets until the CAM table [1] is full), and port stealing (an attack that exploits the ability of a switch to bind MACs to ports). Several methods have been developed to mitigate these types of attacks. Some of the important methods are:

Port Security
Port security is a feature available on intelligent Ethernet switches. By default, port security limits the ingress MAC address count on a port to one. The port can be configured to shut down, or to block the MAC addresses that exceed a specified limit.

DHCP Snooping
DHCP spoofing is an attack in which the attacker listens for DHCP requests from hosts on the network and answers them with a fake DHCP response before the authorized DHCP response reaches the host. DHCP snooping can prevent such attacks. DHCP snooping is a switch feature: the switch can be configured to determine which switch ports are allowed to respond to DHCP requests. Switch ports are identified as trusted or untrusted ports.
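To make the port security and DHCP snooping decisions concrete, here is an added example (not code from the chapter or from any switch vendor) that models a switch port with a MAC limit, a violation action, and a DHCP trust flag, then replays constructed frames through it. Port names, MAC addresses and the "shutdown"/"restrict" action names are assumptions.

```python
"""Minimal model of a switch port with port security and DHCP snooping.

Added example, not from the chapter. Frames are constructed; the violation
action names "shutdown" and "restrict" are illustrative assumptions.
"""


class SwitchPort:
    def __init__(self, name, max_macs=1, violation="shutdown", dhcp_trusted=False):
        self.name = name
        self.max_macs = max_macs            # port security: ingress MAC limit (default 1)
        self.violation = violation          # "shutdown" disables the port, "restrict" only drops
        self.dhcp_trusted = dhcp_trusted    # DHCP snooping: may this port send server replies?
        self.learned = set()                # MAC addresses accepted so far
        self.shut_down = False
        self.dropped = 0

    def ingress(self, src_mac, dhcp_msg=None):
        """Process one frame; return True if forwarded, False if dropped."""
        if self.shut_down:
            self.dropped += 1
            return False
        # Port security: a new source MAC beyond the limit is a violation.
        if src_mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                self.dropped += 1
                if self.violation == "shutdown":
                    self.shut_down = True   # error-disable the port
                return False
            self.learned.add(src_mac)
        # DHCP snooping: server-side messages are only valid from trusted ports.
        if dhcp_msg in ("OFFER", "ACK") and not self.dhcp_trusted:
            self.dropped += 1
            return False
        return True


def run_scenarios():
    """Replay constructed frames and return the forwarding decisions."""
    results = {}
    # 1. MAC flooding against an access port with the default limit of one MAC:
    #    the first MAC is learned, the second (forged) MAC trips the violation.
    access = SwitchPort("Gi0/1")
    results["mac_flood"] = [access.ingress(f"00:11:22:33:44:{i:02x}") for i in range(3)]
    results["mac_flood_shutdown"] = access.shut_down
    # 2. Same flood against a "restrict" port: violating frames are dropped but
    #    the legitimately learned MAC keeps working.
    restrict = SwitchPort("Gi0/3", violation="restrict")
    results["restrict"] = [restrict.ingress("aa:aa:aa:00:00:01"),
                           restrict.ingress("aa:aa:aa:00:00:02"),
                           restrict.ingress("aa:aa:aa:00:00:01")]
    results["restrict_shutdown"] = restrict.shut_down
    # 3. Rogue DHCP server on an untrusted port versus the real one on the uplink.
    untrusted = SwitchPort("Gi0/2", max_macs=2)
    uplink = SwitchPort("Gi0/24", max_macs=64, dhcp_trusted=True)
    results["rogue_offer"] = untrusted.ingress("de:ad:be:ef:00:01", dhcp_msg="OFFER")
    results["client_discover"] = untrusted.ingress("de:ad:be:ef:00:02", dhcp_msg="DISCOVER")
    results["real_offer"] = uplink.ingress("00:50:56:aa:bb:cc", dhcp_msg="OFFER")
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```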

Spanning Tree Protocol (STP)


In order to provide desired path redundancy, as well as to avoid a loop condition, STP defines a tree
that spans all the switches in a network. STP forces certain redundant data links into a blocked state
and keeps other links in a forwarding state.

5) Physical Security
Restricting access to the devices on a network is an essential step in securing it. Since network devices comprise communication as well as computing equipment, compromising them can potentially bring down an entire network and its resources. Paradoxically, many organizations ensure excellent security for their servers and applications but leave their network communication devices with only rudimentary security.

[1] Content Addressable Memory (CAM) is a table on a switch that stores MAC addresses, switch port numbers, and other information.

An important aspect of network device security is access control and authorization. Many protocols
have been developed to address these two requirements and enhance network security to higher levels.

User Authentication and Authorization


User authentication is necessary to control access to network systems, in particular network infrastructure devices. Authentication has two aspects: general access authentication and functional authorization. General access authentication is the method of controlling whether a particular user has "any" type of access right to the system they are trying to connect to. Usually, this kind of access is associated with the user having an "account" with that system. Authorization deals with individual user "rights". For example, it decides what a user can do once authenticated; the user may be authorized to configure the device or only to view its data. User authentication depends on factors that include something the user knows (a password), something the user has (a cryptographic token or card), or something the user is (a biometric). The use of more than one factor for identification and authentication provides the basis for multi-factor authentication.

Password Based Authentication


At a minimum, all network devices should have username-password authentication. The password should be non-trivial (at least 10 characters, mixing letters, numbers, and symbols). In the case of remote access by the user, a method should be used to ensure that usernames and passwords are not passed in the clear over the network. Passwords should also be changed with some reasonable frequency.

Centralized Authentication Methods


An individual, device-based authentication system provides a basic access control measure. However, a centralized authentication method is considered more effective and efficient when the network has a large number of devices with large numbers of users accessing them. Traditionally, centralized authentication was used to solve problems faced in remote network access. In Remote Access Systems (RAS), administering users on the network devices themselves is not practical. Placing all user information in all devices and then keeping that information up to date is an administrative nightmare.

Centralized authentication systems, such as RADIUS and Kerberos, solve this problem. These centralized methods allow user information to be stored and managed in one place. These systems can usually be seamlessly integrated with other user account management schemes such as Microsoft's Active Directory or LDAP directories. Most RADIUS servers can communicate with other network devices using the normal RADIUS protocol and then securely access account information stored in the directories.

Access Control Lists


Many network devices can be configured with access lists. These lists define the hostnames or IP addresses that are authorized to access the device. It is typical, for instance, to restrict access to network equipment from all IP addresses except the network administrator's. This protects against any type of access that might be unauthorized. Such access lists serve as an important last line of defense and can be quite powerful on some devices, with different rules for different access protocols.
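The following added example (not code from the chapter or from any device vendor) evaluates a management-plane access list of the kind described above: rules keyed by access protocol and source network, first match wins, implicit deny at the end. The management subnet, monitoring host and sample access attempts are constructed.

```python
"""Management-plane access list with per-protocol rules.

Added example, not from the chapter. Rules are (protocol, source network,
action) tuples evaluated first-match with an implicit deny, which is how
device access lists generally behave. Networks and attempts are constructed.
"""
import ipaddress

ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")      # assumed management subnet
MONITOR_HOST = ipaddress.ip_network("10.10.0.5/32")   # assumed monitoring host
ANY = ipaddress.ip_network("0.0.0.0/0")

# Different rules for different access protocols: SSH only from the management
# subnet, SNMP only from the monitoring host, Telnet from nowhere. Anything
# not listed (e.g. HTTPS from any address) falls through to the implicit deny.
MGMT_ACL = [
    ("ssh",    ADMIN_NET,    "permit"),
    ("snmp",   MONITOR_HOST, "permit"),
    ("telnet", ANY,          "deny"),
]


def evaluate(acl, protocol, source_ip):
    """Return "permit" or "deny" for one access attempt (first match wins)."""
    src = ipaddress.ip_address(source_ip)
    for proto, net, action in acl:
        if proto == protocol and src in net:
            return action
    return "deny"                      # implicit deny: nothing matched


# Constructed access attempts as "<protocol> <source_ip>" log lines.
SAMPLE_ATTEMPTS = [
    "ssh 10.10.0.42",       # admin workstation -> permit
    "ssh 203.0.113.9",      # Internet source -> deny
    "snmp 10.10.0.5",       # monitoring host -> permit
    "snmp 10.10.0.42",      # admin workstation but wrong protocol -> deny
    "telnet 10.10.0.5",     # explicit deny regardless of source
    "https 10.10.0.42",     # no rule at all -> implicit deny
]


def audit(acl, attempts):
    """Map each attempt line to the decision the access list would make."""
    decisions = {}
    for line in attempts:
        protocol, source_ip = line.split()
        decisions[line] = evaluate(acl, protocol, source_ip)
    return decisions


def denied(acl, attempts):
    """Attempt lines the device would reject; these are what to log and alert on."""
    return [line for line, action in audit(acl, attempts).items() if action == "deny"]


if __name__ == "__main__":
    for line, action in audit(MGMT_ACL, SAMPLE_ATTEMPTS).items():
        print(f"{action:6} {line}")
```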

Wireless Security
Wireless security is the protection of wireless networks, devices and data from unwanted access and
breaches. It involves a variety of strategies and practices designed to preserve the confidentiality,
integrity and availability of wireless networks and their resources. Wireless networks broadcast data
using radio waves, which can be intercepted by anybody within the network range. As a result,
wireless networks are prone to eavesdropping, illegal access and theft. Using security measures such as
encryption protocols, access control rules, and authentication procedures prevents unauthorized access
and safeguards these wireless networks. A wireless network can be a cellular network, wireless LAN
or other sensor or communications network, but Wi-Fi is the wireless network protocol people are
generally most familiar with.

Wireless security protocols encrypt data transmitted over wireless networks to prevent unauthorized
access and eavesdropping. They also provide authentication mechanisms to verify the identity of users
and devices attempting to access the network. These protocols implement access control rules to
determine which users or devices are allowed on the network and what their access level is.
• Wired Equivalent Privacy (WEP): Employs a shared-key authentication mechanism and the RC4 encryption algorithm to encrypt data. However, this protocol is outdated and considered insecure because it is easily broken.
• Wi-Fi Protected Access (WPA): An improvement on WEP introduced in 2003. It provides stronger security measures such as message integrity checks and improved key management. WPA uses the Temporal Key Integrity Protocol (TKIP) encryption algorithm, but is still vulnerable to attacks.
• Wi-Fi Protected Access II (WPA2): Introduced in 2004, WPA2 remains the most popular wireless security protocol. It uses the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), based on the Advanced Encryption Standard (AES) encryption algorithm, for stronger security. WPA2 is essentially an upgraded version of WPA: it features improved key management and is less vulnerable to attacks.
• Wi-Fi Protected Access III (WPA3): The latest wireless security protocol, offering enhanced security features such as stronger encryption, protection against dictionary attacks, and individualized data encryption. Announced in 2018 by the Wi-Fi Alliance, WPA3 simplifies the process of configuring devices with little or no display interface, such as IoT devices, by introducing Wi-Fi Easy Connect. This works by allowing the IoT device to present a QR code or a Near Field Communication (NFC) tag, which the user scans with their own device to establish a secure Wi-Fi connection. Despite advances like stronger encryption and more secure key exchange, WPA3 has yet to gain much traction among users.
