Student Library

Network Security

13 min read

Part 1: TLS/SSL

  • SSL (Secure Sockets Layer): This is the older protocol. The versions 1.0, 2.0, 3.0 are considered insecure nowadays.
  • TLS (Transport Layer Security): This is the successor to SSL and the current standard. Some common versions are TLS 1.2 and TLS 1.3.
  • It primarily provides confidentiality, integrity, and authentication over a network (primarily the internet).
  • The HTTPS protocol uses TLS to ensure secure connection to that website.

The TLS Handshake

This is a series of messages exchanged between the client and the server at the beginning of a connection to establish security parameters.

The process begins as follows:

  1. ClientHello
    • The client initiates the connection by sending a ClientHello message to the server.
    • This message contains:
      • The highest TLS version that the client supports
      • A list cipher suites the client supports
      • A random number (the “client random”)
      • The Session ID to resume the last session (optional)
  2. ServerHello
    • The server responds with a ServerHello message.
    • It includes:
      • The TLS version that the server has chosen (based on the client’s supported versions).
      • The cipher suite the server has chosen (based on the client’s list)
      • A random number (the “client random”)
      • The server’s certificate
  3. Certificate Verification
    • The client then verifies the server’s certificate.
      • If the certificate is valid, the client trusts the server’s public key.
  4. Key Exchange
    • Varies depending on the chosen cipher suite.
    • RSA Key Exchange
      • The client generates a pre-master secret then encrypts it with the server’s public key.
      • The client then sends the encrypted pre-master secret to the server.
      • The server can only decrypt the pre-master secret using its own private key.
      • It is then used to derive the master secret and then the session keys.
    • Diffie-Hellman Key Exchange
      • Uses DHE/ECDHE to agree on a shared secret without ever sending the secret itself over the network.
      • The shared secret is then used to derive the master secret and the secret keys.
  5. ChangeCipherSpec
    • The client and the server both send a ChangeCipherSpec message.
    • It indicates that all future messages are encrypted in the negotiated keys and cipher suite.
  6. Finished
    • The client and the server both send a Finished message, which is a hash of all of the previous handshake messages, encrypted with the newly established session keys

Cipher Suites

A cipher suite is a combination of algorithms used in a TLS connection, which specifies the following:

  • Key Exchange Algorithm: (e.g., RSA, DHE, ECDHE)
  • Bulk Encryption Algorithm: (e.g., AES, ChaCha20)
    • Used in the encryption of the actual data
  • MAC Algorithm: (e.g., HMAC-SHA256)
    • For message integrity and authenticity
  • **Pseudorandom Function
    • Used for key derivation

Forward Secrecy

It is a property of some key exchange methods that ensures that even if the server’s long-term private key is compromised in the future, past communication sessions would still not be decrypted.

  • They use ephemeral keys for each session, which is where session keys are derived.
  • These keys are discarded after each session.
  • Even if the private key might be compromised, the attacker would not be able to recover the keys, and hence can’t decrypt past sessions.
  • Cipher suits like DHE and ECDHE provide forward secrecy.

Part 2: Virtual Private Networks (VPNs)

A VPN creates a secure, encrypted tunnel between your device and a VPN server. This tunnel protects your internet traffic from eavesdropping and tampering, especially when you’re using an untrusted network (like a public Wi-Fi).

Reasons for VPN Use

  • Privacy: Hides your IP address, and encrypts your traffic, making it harder for websites, advertisers, and other third parties to track you online.
  • Security: Protects your data from interception, especially on public Wi-Fi hotspots.
  • Bypassing Geo-restrictions: Allows you to access content that might be blocked or restricted in your location by routing your traffic through a server in a different location.
  • Secure Remote Access: It allows employees to securely connect to a corporate network from remote locations.

Process

  • Client Software: The user installs VPN client software on their device.
  • Connection: The VPN client connects to a VPN server (either operated by the VPN provider or an organization). This is established using a secure protocol like IPsec or OpenVPN.
  • Encryption: All internet traffic is encrypted by the client before it leaves the device.
  • Tunneling: The encrypted traffic is sent through a secure tunnel to the VPN server.
  • Decryption: The VPN server decrypts the traffic.
  • Routing to Destination: The VPN server the forwards the decrypted traffic to its intended destination on the internet.
  • Return Traffic: The response from the destination is sent back to the VPN server, which encrypts it and sends it back through a tunnel to the user’s device, which is finally decrypted by the VPN client.

One key point is that form the outside world, the network traffic comes from the VPN server, not from your device.

Key VPN Protocols

  • IPsec (Internet Protocol Security)
    • A suite of protocols that operate in the network layer
    • Has three key components:
      • IKE (Internet Key Exchange): Used in establishing a secure connection between the client and the server, negotiating cryptographic keys, and authenticating the parties.
        • It uses Diffie-Hellman for key exchange.
      • ESP (Encapsulating Security Payload): It provides confidentiality, integrity, and authentication of data packets.
      • AH (Authentication Header): Provides data integrity and authentication but not confidentiality. Less commonly used than ESP.
    • It also has two modes of operation:
      • Transport Mode: Only the payload of the IP header is encrypted/authenticated. For end-to-end communication between two hosts.
      • Tunnel Mode: The entire IP packet is encrypted/authenticated and encapsulated within a new IP packet. Used in creating VPN tunnels between two networks, or between a host and a network.
    • It has strong security when configured correctly, and has wide support among operating systems and network devices.
    • It can be complex to configure or slower than OpenVPN.
  • OpenVPN
    • It is open-source, popular, and a highly configurable VPN protocol.
    • Uses SSL/TLS for key exchange and encryption.
    • It uses the OpenSSL library for cryptographic operations.
    • It works over TCP and UDP.
    • It can bypass firewalls and NAT easily.
    • It is cross-platform.
    • Requires third-party software.

Encryption/Authentication Process within the Tunnel

  • For encryption, VPNs use symmetric-key encryption algorithms like AES or ChaCha20 to encrypt data within the tunnel.
    • This is negotiated during the initial connection setup.
  • For authentication:
    • The VPN client typically authenticates the user to the VPN server through a username/password system, a certificate, or other credentials.
    • The VPN protocol itself provides data origin authentication and integrity checking.

Part 3: Firewalls

They are network security devices that monitor incoming and outgoing network traffic and blocks or allows traffic based on a set of predefined security rules.

Purpose

  • Prevent Unauthorized Access: Block malicious traffic from the internet reaching your network
  • Control Outbound Traffic: Restrict what traffic can leave your network.
  • Network Segmentation: Divide a network into different security zones and control the traffic flow between them.

How They Work

  • Rule-based Filtering: Firewalls operate based on a set of rules, which define which traffic is allowed and which is blocked.
  • Rule Criteria: These rules typically specify criteria based on the source and destination IP address, source and destination port, protocol, and the application where the traffic is coming from.
  • Default Deny and Default Allow
    • Default Deny: The firewalls blocks all traffic except what is explicitly allowed by the rules; it is the most secure approach.
    • Default Allow: The firewall allows all traffic except what is explicitly blocked by the rules; it is less secure and generally not recommended.

Types of Firewalls

  • Packet Filtering (Stateless)
    • These firewalls examine each network packet individually without considering the context of previous packets/
    • They make decisions based on the packet’s header information.
    • Advantages: simple and fast, uses relatively low resources.
    • Disadvantages: doesn’t track the state of the connections, limited ability to control complex protocols, vulnerable to spoofing attacks.
  • Stateful Inspection (Stateful)
    • These firewalls keep track of the state of the network connections.
    • They remember which connections has been established and only allows packets that are part of an established, legitimate connection.
    • Advantages: more secure than packet filtering, can prevent many types of attacks that stateless can’t
    • Disadvantages: more complex, requires more processing power and memory.
  • Proxy Firewalls (Application-Level Gateways)
    • These firewalls act as intermediaries between clients and servers.
    • They examine the traffic at the application layer.
    • They terminate the connection form the client, inspect the traffic, and then establish a new connection to the server (or vice versa)
    • Advantages: High level of security, can control traffic based on application-specific rules, can perform deep packet inspection.
    • Disadvantages: slow, more complex to configures, may not support all applications.
  • Next Generation Firewalls (NGFW)
    • These combines the features of traditional firewalls with additional capabilities.
    • Additional Capabilities
      • Intrusion Prevention System: Detects and blocks malicious traffic based on signatures and behavioral analysis.
      • Application Control: Identifies and controls specific applications, regardless of port and protocol.
      • Deep Packet Inspection: Examines the content of the packets to identify malware, policy violations, etc.
      • Sandboxing: Executes suspicious files in a virtual environment to observe their behavior.
      • Threat Intelligence Integration: Uses threat intelligence feed to stau up-to-date on the latest threats.
    • Advantages: has very comprehensive security, protects against a wide range of threats
    • Disadvantage: more expensive than traditional firewalls, more complex to manage
  • Hardware and Software Firewalls
    • Hardware Firewalls: Dedicated physical devices often used in enterprise networks. Equipped with high performance and specialized security features.
    • Software Firewalls: Software applications that run on a computer or server. Often used in personal computers and in smaller networks.

Part 4: Secure Shell (SSH)

It is a network protocol that provides a secure way to access and manage remote computer over an unsecured network like the internet.

It replaces older, insecure protocols like Telnet and rlogin.

Purpose

  • Secure Remote Login: Log in to a remote server’s command line (shell) securely.
  • Secure File Transfer: Transfer files securely between your computer and the remote server (via SCP or SFTP, which are built on top of SSH)
  • Secure Command Execution: Execute commands on a remote server securely.
  • Port Forwarding

How SSH Works

  • SSH uses a client-server architecture
    • SSH Client: the software you run on your computer to connect to a remote server
    • SSH Server: The software running on the remote server that listens for oncoming SSH connections
  • All communication between the SSH client and the SSH server is encrypted.
  • SSH also supports several methods for authentication:
    • Password Authentication
      • Uses a username/password entry system.
      • Less secure than key-based authentication
      • Vulnerable to brute-force or dictionary attacks if it’s weak
    • Key-based Authentication
      • Uses public-key cryptography
      • It generates a key pair on your local computer (public/private keys).
      • Your SSH client then digitally signs a challenge to the server using your private key.
      • Your server then verifies the signature using your public key.
      • If the signature is valid, then the server knows that you possess the corresponding private key, and thus you are authenticated.
  • SSH Handshake
    1. The client and server agree on the SSH protocol version
    2. They negotiate which cipher suite to use.
    3. They use a key-exchange algorithm.
    4. The server sends its host key (a public key that identifies the server itself) to the client. The client verifies the key to ensure that it’s connecting to the correct server. It typically checks the host key against a list of known hosts,
    5. The client authenticates the user to the server using the preferred mode of authentication.

Port Forwarding (Tunneling)

  • This is a feature of SSH that allows you to create secure, encrypted tunnels for other applications.
  • There are three main types of port forwarding:
    • Local Port Forwarding: It allows you to direct traffic from a port on your local machine to a port on the remote server.
    • Remote Port Forwarding: It allows you to connect to a port on the remote server and direct the traffic towards a port on your own local machine.
    • Dynamic Port Forwarding: It lets you route traffic from multiple applications through the SSH tunnel. Your applications must be configured to use the SOCKS proxy.

Part 5: Wireless Security

Early Wi-Fi networks were often completely open and with no security, meaning anyone within the range could connect and intercept traffic.

It uses radio waves which broadcast in all directions, which makes it easy for an attacker to eavesdrop on a Wi-Fi network than on a wired network.

Wireless Security Protocols

  • Wired Equivalent Privacy (WEP)
    • Original Wi-Fi security protocol.
    • Uses the RC4 stream cipher.
    • Has many fundamental flaws:
      • Short IV: WEP uses a 24-bit IV, which is far too small. This leads to IV reuse, and with enough traffic, the key can be recovered.
      • Weak Key Scheduling: The way that the RC4 key is derived from the WEP key is also weak
      • No Key Management: WEP uses a single static key that is shared by all devices on the network
    • Broken, can be cracked within minutes.
  • Wi-Fi Protected Access (WPA)
    • Introduces as a temporary fix while WPA2 was being developed.
    • Uses Temporal Key Integrity Protocol (TKIP) for encryption.
      • Better than WEP, but still uses RC4
    • Some key improvements over WEP:
      • Larger IV: Now uses a 48-bit IV. Reduces chance of IV reuse.
      • Per-Packet Key Mixing: TKIP mixes a new encryption key for each packets, making it harder to crack than WEP’s static key.
      • Message Integrity Check: Provides better protection against message tampering than WEP.
    • Currently deprecated.
  • Wi-Fi Protected Access 2 (WPA2)
    • The current standard.
    • Uses AES-CCMP (AES block cipher in CCMP mode)
    • Key Improvements
      • Has stronger encryption than RC4
      • CCMP provides both confidentiality and authenticity.
    • Vulnerabilities
      • Key Reinstallation Attack: A vulnerability discovered in 2017 that affects the WPA2 four-way handshake. This allows attackers to decrypt traffic and potentially inject data in some cases.
      • Weak Passwords: WPA2 relies on a strong password (PSK) for security. If users choose weak passwords, it can be vulnerable of dictionary attacks or brute-force attacks to crack the password.
    • Still-widely used.
  • Wi-Fi Protected Access 3 (WPA3)
    • Newest standard.
    • Key Improvements
      • Uses Simultaneous Authentication of Equals (SAE) to replace the WPA2 four-way handshake with a much secure protocol. This makes it resistant to offline dictionary attacks, even if the user chooses a weak password.
      • Uses Forward Secrecy. Even if the Wi-Fi password is compromised, past traffic cannot be decrypted.
      • Has stronger encryption for WPA3-Enterprise, which uses a 192-bit encryption (GCMP-256).
    • Becoming more common, but adaption is still ongoing.

Personal vs. Enterprise Modes

  • Personal Mode
    • Most common mode for home networks
    • All users share the same password (pre-shared key/PSK) to connect to the network.
    • Simpler to set up.
  • Enterprise Mode
    • Used in larger organizations
    • Uses 802.1X authentication with EAP (Extensible Authentication Protocol)
    • Each user has unique credentials
    • Authentication is handled by a RADIUS server
    • Provides stronger security and better management capabilities.

Graph View