Primary Protection Goal
CIA Triad (confidentiality, integrity, availability)
Extended Goals
Parties (e.g., sender/receiver) need to be able to validate each other at any time (authentication)
Sender cannot later deny authorship of a message (non-repudiation)
Each action can be traced back to the originator (accountability)
Reconstruction or linkage of personal or factual data points is practically impossible (anonymization)
Weaker: pseudonymization, a data management and de-identification procedure in which personally identifiable fields within a data record are replaced by one or more artificial identifiers. Pseudonymized data still allows linkage of data points via those artificial identifiers, and re-identification by whoever holds the mapping.
On-Path Attacker
Can see traffic that passes by
*might* be able to manipulate traffic (modify, drop, or inject packets)
Off-path Attacker
Does not see traffic from either party, but can communicate with them (send packets, including spoofed ones); must guess anything it cannot observe, e.g., sequence numbers or ports
Security Problems with TCP/IP
Spoofing (source addresses are not authenticated and can be forged)
Denial-of-Service
No confidentiality (payloads travel in plaintext)
No integrity (checksums detect accidental errors, not deliberate modification)
Weak binding between address and party, missing liability
Security Problems with UDP and TCP
TCP sequence and acknowledgement numbers give some (weak) protection against forgery: a forged segment is only accepted if its sequence number falls within the receiver's window. UDP has no such protection at all.
When initial sequence numbers are predictable, an off-path attacker can take over an existing connection or insert own data between client and server (session hijacking). An on-path attacker does not need to guess: the sequence numbers are visible by monitoring the network.
Desynchronization of a connection: injected segments with old or forged sequence numbers cause the two endpoints' sequence numbers to no longer agree.
Countermeasure: initial sequence number randomization (e.g., a per-connection ISN derived from a keyed hash of the connection 4-tuple plus a clock, as in RFC 6528)
The off-path attacker must also guess the client port: the server port is usually obvious, but the client's ephemeral port may not be.
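Added example, not part of the lecture notes: what predictable versus randomized TCP initial sequence numbers (ISNs) mean for an attacker who wants to forge segments into someone else's connection. The counter-based generator is a simplified stand-in for the pre-randomization schemes (the fixed step of 64000 is an assumption for the demo); the second generator follows the RFC 6528 formula ISN = M + F(localip, localport, remoteip, remoteport, secretkey). The secret, addresses, ports and clock value are constructed.

```python
"""Predictable vs. RFC 6528-style TCP initial sequence numbers (added example)."""
import hashlib
import struct

RECEIVE_WINDOW = 65_536        # assumption: a forged segment is accepted if its
                               # sequence number lands anywhere inside the window
EPHEMERAL_PORTS = 65_535 - 1_024 + 1   # client ports 1024..65535 (64 512 values)


class CounterIsn:
    """Predictable ISN: a global counter advanced by a fixed step per new
    connection (simplified model of early BSD behaviour; assumption for the demo)."""
    STEP = 64_000

    def __init__(self, start: int = 0) -> None:
        self._next = start & 0xFFFFFFFF

    def isn(self) -> int:
        value = self._next
        self._next = (self._next + self.STEP) & 0xFFFFFFFF
        return value


def predict_next(observed_isn: int, step: int = CounterIsn.STEP) -> int:
    """Attacker: open one legitimate connection, read the ISN you were given,
    and predict the ISN the server will hand to the next (victim) connection."""
    return (observed_isn + step) & 0xFFFFFFFF


def _ipv4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def rfc6528_isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
                secret: bytes, clock_us: int) -> int:
    """RFC 6528: M is a 4-microsecond clock, F a keyed hash (the RFC suggests MD5)
    over the connection 4-tuple and a secret the attacker does not know."""
    m = (clock_us // 4) & 0xFFFFFFFF
    tuple_bytes = struct.pack("!4sH4sH", _ipv4(local_ip), local_port,
                              _ipv4(remote_ip), remote_port)
    f = int.from_bytes(hashlib.md5(tuple_bytes + secret).digest()[:4], "big")
    return (m + f) & 0xFFFFFFFF


def worst_case_guesses(client_port_known: bool, window: int = RECEIVE_WINDOW) -> int:
    """Segments an off-path attacker must send to hit the window of a connection
    whose ISN is unpredictable: one guess per window-sized bucket of the 32-bit
    sequence space, times the number of client ports if that port is unknown too."""
    seq_buckets = 2**32 // window
    return seq_buckets * (1 if client_port_known else EPHEMERAL_PORTS)


def hijack_succeeds_against_counter(start: int = 0x1234_0000) -> bool:
    """Attacker's own connection first, victim's second: the prediction is exact."""
    gen = CounterIsn(start)
    attacker_isn = gen.isn()
    victim_isn = gen.isn()
    return predict_next(attacker_isn) == victim_isn


def hijack_succeeds_against_rfc6528(secret: bytes = b"constructed-secret-key-0001",
                                    clock_us: int = 1_700_000_000_000_000) -> bool:
    """Same trick against RFC 6528: the attacker's ISN reveals nothing about the
    victim's, because F differs per 4-tuple and the secret is unknown."""
    server = ("203.0.113.10", 80)
    attacker_isn = rfc6528_isn(*server, "198.51.100.7", 40_000, secret, clock_us)
    victim_isn = rfc6528_isn(*server, "192.0.2.9", 40_001, secret, clock_us)
    return predict_next(attacker_isn) == victim_isn


if __name__ == "__main__":
    print("counter ISN hijack works:", hijack_succeeds_against_counter())     # True
    print("RFC 6528 ISN hijack works:", hijack_succeeds_against_rfc6528())    # False
    print("guesses, client port known:", worst_case_guesses(True))
    print("guesses, client port unknown:", worst_case_guesses(False))
```

The guess counts are the arithmetic behind the last two bullets: with a randomized ISN and an unknown client port, the off-path attacker faces roughly 2^32/window times 64512 trial segments, whereas an on-path attacker simply reads both values off the wire.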
Definition Firewalls
“A "firewall" is an agent which screens network traffic in some way, blocking traffic it believes to be inappropriate, dangerous, or both.” […] “The introduction of a firewall and any associated tunneling or access negotiation facilities MUST NOT cause unintended failures of legitimate and standards-compliant usage that would work were the firewall not present.” (RFC 2979)
“An internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources
Definition of Packet Filter Firewall
A packet filter is "... a product that is able to filter network traffic based on defined rules, so that only desired network packets reach their destination."
various technologies, such as…
• Static packet filter
• Dynamic packet filter
• Firewalls with "stateful inspection"
• Proxy firewalls
• Intrusion Detection and Prevention systems
at least two (virtual) interfaces in different networks
functions as a router, meaning IP forwarding is enabled
TCP/UDP/IP packets are filtered using defined rules
Distinction between static and dynamic packet filters
Static Packet Filters
used on routers
accept or reject IP packets based on their source and destination IP addresses
Two types of reject: a silent one (drop), and one that returns an error to the sender (e.g., “ICMP port unreachable”)
source and destination ports can also be used for filtering
ICMP message type can be used for filtering
Certain products support the evaluation of individual flags in the TCP header (e.g., ACK set: treated as belonging to an established connection; SYN without ACK: a new connection attempt)
Static Packet Filters – How They Work
based on a set of rules
processed from top to bottom
until a rule either allows or denies the packet (first match wins)
Default policy / catch-all rule applies if no rule matches (deny by default is the safe choice)
Static Packet Filters – Disadvantages
a major weakness: they are stateless (each packet is judged on its own; the filter does not know whether it belongs to an existing connection)
a connection requires two rules (outgoing and incoming direction)
TCP source ports are difficult to restrict: the client picks a random ephemeral port > 1023, so the rule for returning packets must allow any source port > 1023
Weak protection against fragmentation attacks
No higher-level abstraction: no notion of connections, users, or application protocols
two sets of rules have to be maintained, one for IPv4 and one for IPv6
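Added example, not part of the lecture notes: a minimal static (stateless) packet filter in Python. Rules are checked top to bottom, the first match decides, and a catch-all default policy applies when nothing matches. The rule set, addresses and packets are constructed for the demo to show why one TCP connection needs two rules, why the rule for returning packets has to admit any source port > 1023, and what that costs when the filter keeps no state.

```python
"""Static packet filter: first-match rule evaluation with a default policy (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress

ANY_PORT = (0, 65_535)
EPHEMERAL = (1_024, 65_535)     # client-side ports a static filter cannot pin down


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow", "drop" (silent) or "reject" (error back to sender)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Tuple[int, int] = ANY_PORT
    dport: Tuple[int, int] = ANY_PORT
    flags_required: FrozenSet[str] = frozenset()   # e.g. {"ACK"}: "looks established"

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1]
                and self.flags_required <= p.flags)


def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """Static evaluation: no memory of earlier packets, first matching rule wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default              # catch-all: deny by default


INSIDE = "192.168.1.0/24"       # constructed internal network
WEB = "203.0.113.10/32"         # the one external web server inside clients may reach

RULES = [
    # 1. outgoing half of the connection: inside client -> web server port 80
    Rule("allow", src=INSIDE, dst=WEB, proto="tcp", sport=EPHEMERAL, dport=(80, 80)),
    # 2. returning half: web server port 80 -> client's ephemeral port, ACK set
    Rule("allow", src=WEB, dst=INSIDE, proto="tcp", sport=(80, 80), dport=EPHEMERAL,
         flags_required=frozenset({"ACK"})),
    # 3. telnet to the inside is rejected with an error rather than silently dropped
    Rule("reject", dst=INSIDE, proto="tcp", dport=(23, 23)),
]


def demo() -> List[str]:
    """Constructed packets; returns the verdict for each, in order."""
    client_syn = Packet("192.168.1.5", "203.0.113.10", "tcp", 40_000, 80, frozenset({"SYN"}))
    server_reply = Packet("203.0.113.10", "192.168.1.5", "tcp", 80, 40_000, frozenset({"SYN", "ACK"}))
    # Forged "reply": source spoofed as the web server, sport 80, ACK set, aimed at an
    # inside database port. Without state the filter cannot tell it from rule 2 traffic.
    forged_reply = Packet("203.0.113.10", "192.168.1.5", "tcp", 80, 3_306, frozenset({"ACK"}))
    telnet_probe = Packet("198.51.100.1", "192.168.1.5", "tcp", 5_000, 23, frozenset({"SYN"}))
    unrelated_udp = Packet("198.51.100.1", "192.168.1.5", "udp", 53, 1_234)
    return [filter_packet(RULES, p) for p in
            (client_syn, server_reply, forged_reply, telnet_probe, unrelated_udp)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)          # allow, allow, allow, reject, drop
```

The third verdict is the stateless weakness in one line: rule 2 has to accept source port 80 towards any port above 1023, so a packet that merely claims to be a reply (spoofed source, ACK set) reaches an inside service the policy never meant to expose. A stateful filter would only accept it if the matching outgoing packet had been seen first.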
Tiny Fragment Attack
The attacker splits the segment into several very small IP fragments.
As a result the TCP header is spread across multiple fragments; a static packet filter inspects only the first fragment (the only one that carries a transport header) and sees an incomplete header, so it cannot apply its rules.
For example, the TCP flags, and depending on where the cut is made even the port information, can no longer be evaluated. Later fragments carry no transport header at all, so a filter that cannot judge them typically lets them pass.
Overlapping Fragment Attack
The first fragment carries a TCP header the filter accepts (an "allowed" port number, or the ACK flag set so it looks like an established connection).
A subsequent fragment is given a fragment offset that overlaps the first one; during reassembly on the target host it partially overwrites the TCP header the filter already accepted with the attacker's values. Since a non-first fragment starts at least 8 bytes into the transport header, the version described in RFC 1858 overwrites the flags rather than the ports. Either way the filter judged the first fragment while the host processes the overwritten one. Countermeasure (RFC 1858): drop first fragments whose transport header is too short to evaluate, and drop TCP fragments with fragment offset 1.
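Added example, not part of the lecture notes: the tiny-fragment and overlapping-fragment attacks replayed against a simulated stateless filter, followed by the RFC 1858 checks that stop them. The filter policy (block inbound TCP connection attempts, i.e., SYN without ACK, to port 23), the header values and the reassembly behaviour (a later fragment overwrites overlapping bytes of an earlier one) are constructed assumptions for the demo; fragments are modelled as (fragment offset in 8-byte units, payload bytes).

```python
"""Tiny-fragment and overlapping-fragment attacks vs. a stateless filter (added example)."""
import struct

SYN, ACK = 0x02, 0x10
BLOCKED_DPORT = 23
FLAGS_END = 14          # bytes 0..13 of a TCP header hold ports, seq, ack, offset, flags


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0x1000) -> bytes:
    """20-byte TCP header, data offset 5, no options. The flags are byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65_535, 0, 0)


def is_connection_attempt_to_blocked_port(hdr: bytes) -> bool:
    _sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", hdr[:FLAGS_END])
    return dport == BLOCKED_DPORT and bool(flags & SYN) and not flags & ACK


def naive_filter(fragments) -> str:
    """Static filter: only a first fragment (offset 0) carries a transport header,
    and the rule needs its first 14 bytes. Anything the filter cannot judge passes."""
    for offset, data in fragments:
        if offset == 0 and len(data) >= FLAGS_END and is_connection_attempt_to_blocked_port(data):
            return "drop"
    return "allow"


def rfc1858_filter(fragments) -> str:
    """RFC 1858 checks in front of the same rule: a first fragment must carry enough
    of the TCP header to be judged (tmin = 16 bytes), and a TCP fragment with
    offset 1 is dropped because it would overwrite header bytes 8..15."""
    for offset, data in fragments:
        if offset == 0 and len(data) < 16:
            return "drop"
        if offset == 1:
            return "drop"
    return naive_filter(fragments)


def reassemble(fragments) -> bytes:
    """Host-side reassembly. Assumption: a later fragment overwrites overlapping
    bytes of an earlier one (stacks differ, which is what the attack exploits)."""
    buf = bytearray()
    for offset, data in fragments:
        start = offset * 8
        if len(buf) < start + len(data):
            buf.extend(bytes(start + len(data) - len(buf)))
        buf[start:start + len(data)] = data
    return bytes(buf)


def tiny_fragment_attack():
    """Fragment 1 holds only ports + sequence number (8 bytes, the smallest legal
    non-last fragment); the SYN flag travels in fragment 2, which has no header."""
    full = tcp_header(40_000, BLOCKED_DPORT, SYN)
    return [(0, full[:8]), (1, full[8:])]


def overlapping_fragment_attack():
    """Fragment 1 is a complete header that looks like an established connection
    (ACK set); fragment 2 at offset 1 rewrites bytes 8..19, turning ACK into SYN."""
    innocent = tcp_header(40_000, BLOCKED_DPORT, ACK)
    attack = tcp_header(40_000, BLOCKED_DPORT, SYN)
    return [(0, innocent), (1, attack[8:])]


def host_sees_connection_attempt(fragments) -> bool:
    """What the target host acts on after reassembly."""
    return is_connection_attempt_to_blocked_port(reassemble(fragments))


if __name__ == "__main__":
    for name, frags in (("tiny", tiny_fragment_attack()),
                        ("overlapping", overlapping_fragment_attack())):
        print(name, "naive:", naive_filter(frags), "rfc1858:", rfc1858_filter(frags),
              "host sees SYN to 23:", host_sees_connection_attempt(frags))
```

Both attacks yield "allow" from the naive filter and a SYN to port 23 at the host; the RFC 1858 checks drop both while still passing an unfragmented segment to an allowed port. RFC 3128 later showed that the offset-1 rule alone can still be sidestepped, which is one reason stateful filters reassemble (or at least track) fragments before applying rules.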