Network Security

Network security means protecting computer networks and the data on them through hardware and software controls. Three main forces drive the growing need for it: technology weaknesses, configuration weaknesses, and security policy weaknesses. The OSI model helps locate where in a network vulnerabilities exist and where attacks can occur. At the data link layer the threats include ARP spoofing, MAC flooding, spanning tree attacks and rogue DHCP servers; at the network layer, which routes packets between networks, they include IP address spoofing and black hole routing.

Uploaded by John Nyachuba

Network Security and OSI Model

Network security refers to the measures an enterprise or organization takes to secure its
computer network and data using both hardware and software systems. It covers all hardware
and software functions, characteristics, features, operational procedures, accountability
measures, access controls, and administrative and management policy required to provide an
acceptable level of protection for the hardware, software and information in a network. The
aim is to secure the confidentiality, integrity and availability of the data and the network.
Three primary weaknesses are the main forces driving the continued increase in the need for
security:
 Technology weaknesses
 Configuration weaknesses
 Security policy weaknesses
Technology weaknesses: computer and network technologies have intrinsic security
weaknesses. These include TCP/IP protocol weaknesses (ARP, DHCP and TCP carry no
authentication of their own), operating system weaknesses, and network equipment weaknesses.
Configuration weaknesses: default or careless configuration leaves devices exposed. Network
administrators and engineers need to learn what the configuration weaknesses are and
configure their computing and network devices to compensate.
Security policy weaknesses: a missing, vague or unenforced security policy creates unforeseen
security threats. Users who do not follow the policy expose the network to risk.
Threats are the people eager, willing and qualified to take advantage of each security
weakness, who continually search for new exploits and weaknesses and use a variety of tools,
scripts and programs to launch attacks against networks and network devices. This paper
discusses the two primary classes of threat to network security: internal threats and external
threats. Internal threats are a major source of strain on the level of security a network
attains; they generally stem from disgruntled or unethical employees, who already hold
credentials and physical access.
External threats, generally referred to as hackers, can be equally and sometimes more
dangerous than internal threats. To gain entry into a network or view sensitive information,
hackers use tools such as: 1) password sniffers, 2) IP spoofing, 3) e-mail attacks. A password
sniffer is a packet sniffer that monitors traffic on the network segment passing the machine
on which it runs. It captures the log-on name and password sent when the source machine
connects to other machines over an unencrypted protocol, and saves them in a file the hacker
later collects. IP spoofing involves forging the source address of an Internet Protocol (IP)
packet to take on the address of a workstation that has a trusted relationship with another
workstation. The hacker can then act as that workstation and use the trusted relationship to
gain entry into the other, where any number of actions can be performed. Finally, e-mail is
extremely vulnerable and susceptible to a number of different attacks.
The OSI model is a reference model for understanding how computer networks operate and
communicate. Using this ISO standard, organizations can understand where network
vulnerabilities may exist within their infrastructure and apply controls appropriately. OSI is
a hierarchical model that helps in understanding how packets move through a network and
how attacks and disruptions can occur at any layer.
Layer 1 : Physical Layer Security
Layer 1 covers the physical side of networking: cabling, ports, devices and the environment
they sit in. Disrupting this layer primarily results in Denial of Service (DoS). Network
vulnerabilities/threats at this level are the following:
1) Access control
 Permitting only authorized personnel to access equipment.
 Physical security keeps equipment safe from unauthorized access.
 Restricting access to critical servers (and, on the logical side, using strong passwords)
prevents many attacks.
2) Damage to the data bits on the wire (tapping of or interference with the medium)
3) Environmental issues
 Environmental issues at the physical layer include fire, smoke and water.
 Poor control over environmental factors such as temperature, humidity, dust and
ventilation causes frequent failures.
4) Disconnection of physical links
5) Lack of backups, so that physical loss becomes data loss
Layer 2 : Data Link Security (Switch Security)
The data link layer acts as the medium of communication between two directly connected
hosts. On the sending side it packages the data stream into frames and hands them to the
physical layer bit by bit; on the receiving side it takes the bits recovered from the electrical
signals and reassembles them into an identifiable frame. In practice this layer consists of
switches running protocols such as the Spanning Tree Protocol (STP), and of LAN services
such as the Dynamic Host Configuration Protocol (DHCP) that rely on the broadcast domain
the switches provide. Switches provide LAN connectivity, and the majority of threats at this
layer come from inside the LAN.
MAC (Media Access Control) is a sublayer of the data link layer that is responsible for
physical addressing. A MAC address is a unique address assigned to a network adapter by the
manufacturer and used to deliver frames to the destination host. If a device has several
network adapters (Ethernet, Wi-Fi, Bluetooth, etc.), each has its own MAC address.
1) ARP spoofing
The Address Resolution Protocol (ARP) maps a (possibly changing) Internet Protocol (IP)
address to the fixed physical address of a machine, its media access control (MAC) address,
within a local-area network (LAN).
This mapping is needed because the two addresses have different lengths and purposes. In IP
version 4 (IPv4), still the most used version, an IP address is 32 bits long, whereas a MAC
address is 48 bits long; ARP resolves a 32-bit IP address to the 48-bit MAC address that
frames must carry (the reverse lookup is a separate protocol, RARP). Every operating system
on an IPv4 Ethernet network keeps an ARP cache. Whenever a device needs the MAC address
of another device on the LAN, it first checks its cache to see whether the IP-to-MAC mapping
has already been resolved, and otherwise broadcasts an ARP request.
ARP spoofing (ARP cache poisoning) is an attack in which an attacker sends forged ARP
messages onto the LAN to associate their own MAC address with the IP address of a legitimate
device, typically the default gateway. Because ARP has no authentication and hosts accept
unsolicited (gratuitous) replies, traffic from the victim's computer is then delivered to the
attacker's computer instead of the real destination, where it can be read, modified or dropped.
To prevent this attack, hosts and switches can be configured to ignore gratuitous ARPs,
critical hosts can use static ARP entries, private VLANs (edge VLAN segregation) can limit
which hosts may talk to each other, and switches can run Dynamic ARP Inspection, which
drops ARP packets whose IP-to-MAC binding does not match the DHCP snooping binding table.
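The poisoning just described can be spotted on the wire: an ARP packet that claims a different MAC address for an IP address the host has already resolved. The following is an added example, not part of the original notes, that parses raw Ethernet/ARP frames and raises an alert on such a conflict; the MAC and IP addresses and the frames themselves are constructed for the demonstration, and the "first seen wins" rule is an assumption (a real deployment would seed the table from static bindings or DHCP snooping).

```python
"""Added example: flag ARP spoofing by tracking IP-to-MAC bindings seen in raw frames."""
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_ARP = 0x0806


def build_arp(sender_mac: bytes, sender_ip: bytes, target_mac: bytes,
              target_ip: bytes, opcode: int = 2) -> bytes:
    """Build an Ethernet II frame carrying an IPv4 ARP packet (constructed test traffic)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, bytes, bytes]]:
    """Return (opcode, sender_mac, sender_ip), or None if this is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return None
    return opcode, frame[22:28], frame[28:32]


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


class ArpWatcher:
    """Remember the first MAC seen for each IP (or a static list of critical hosts);
    any later ARP packet that claims a different MAC for that IP is reported."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static_bindings or {})   # ip -> mac
        self.alerts = []

    def feed(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        opcode, mac, ip = parsed
        ip_s, mac_s = fmt_ip(ip), fmt_mac(mac)
        known = self.table.get(ip_s)
        if known is None:
            self.table[ip_s] = mac_s          # first sighting: learn it
            return None
        if known != mac_s:
            alert = (ip_s, known, mac_s, "reply" if opcode == 2 else "request")
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Constructed LAN: the gateway answers a victim, then an attacker sends a gratuitous
    reply claiming the gateway's IP. Returns the alerts raised."""
    gw_mac, gw_ip = bytes.fromhex("001122334455"), bytes([192, 168, 1, 1])
    victim_mac, victim_ip = bytes.fromhex("66778899aabb"), bytes([192, 168, 1, 20])
    attacker_mac = bytes.fromhex("deadbeef0001")
    broadcast = b"\xff" * 6
    watcher = ArpWatcher()
    watcher.feed(build_arp(victim_mac, victim_ip, broadcast, gw_ip, opcode=1))  # who-has
    watcher.feed(build_arp(gw_mac, gw_ip, victim_mac, victim_ip, opcode=2))      # is-at
    # Gratuitous reply: the attacker poisons every cache on the segment with its own MAC
    watcher.feed(build_arp(attacker_mac, gw_ip, broadcast, gw_ip, opcode=2))
    return watcher.alerts


if __name__ == "__main__":
    for ip, expected, seen, kind in demo():
        print(f"ALERT: {ip} was {expected}, ARP {kind} now claims {seen}")
```

The same logic is what a host-based tool such as arpwatch applies to a live interface; on a switch, Dynamic ARP Inspection does the comparison against the DHCP snooping table instead of against first-seen history.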
 2) MAC Flooding
MAC (Media Access Control) flooding is an attack in which the attacker overwhelms a switch
with frames carrying fake source MAC addresses. Unlike a hub, a switch does not send every
frame to every port: it learns which MAC address lives behind which port in its MAC address
(CAM) table and forwards unicast frames only to the learned port, which keeps each
conversation private to the ports involved; VLANs (Virtual Local Area Networks) separate the
LAN further. The attacker floods the switch with a huge number of frames, each with a
different fake source MAC address. When the MAC table reaches its capacity, older entries are
pushed out by the new ones. Once the legitimate MAC addresses have been evicted, the switch
no longer knows where those hosts are and has to send frames for them out of every port,
behaving like a hub. Now, when two valid users attempt to communicate, their frames are
forwarded to all ports, including the attacker's.
The flooding has to be kept up, because legitimate hosts are re-learned as soon as they send a
frame and the attacker's entries age out. While it lasts, the attacker can capture all the
incoming and outgoing traffic of the other users on the switch and sniff any confidential
data it contains. (The original notes show a Wireshark capture at this point: a stream of
frames with bogus source MAC addresses.) The usual mitigation is port security, which limits
the number of MAC addresses a port may learn and shuts or restricts the port on violation; an
access control list (ACL), a set of rules that grant or deny access, can additionally restrict
which addresses are allowed on a port.
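To make the CAM table behaviour concrete, here is an added example (not from the original notes) that simulates a small switch: a fixed-size learning table with oldest-first eviction, unknown-unicast flooding, and an optional port-security limit on addresses learned per port. The hosts, port numbers, table size of 256 and the 1000-frame flood are constructed; real switches hold thousands of entries, which only changes how many frames the attacker needs.

```python
"""Added example: a simulated switch CAM table under a MAC flooding attack,
with and without a port-security limit on learned addresses per port."""
from collections import OrderedDict
from typing import Optional, Set


class Switch:
    def __init__(self, cam_capacity: int, ports: int = 4,
                 max_macs_per_port: Optional[int] = None):
        self.cam: "OrderedDict[bytes, int]" = OrderedDict()  # MAC -> port, oldest first
        self.capacity = cam_capacity
        self.ports = ports
        self.max_per_port = max_macs_per_port     # None = no port security
        self.err_disabled: Set[int] = set()

    def _learn(self, mac: bytes, port: int) -> bool:
        """Learn a source MAC on a port. Returns False if port security shut the port."""
        if mac in self.cam:
            self.cam.move_to_end(mac)             # refresh: treated as most recently seen
            self.cam[mac] = port
            return True
        if self.max_per_port is not None:
            learned_here = sum(1 for p in self.cam.values() if p == port)
            if learned_here >= self.max_per_port:
                self.err_disabled.add(port)       # violation: err-disable the port
                return False
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)          # table full: evict the oldest entry
        self.cam[mac] = port
        return True

    def forward(self, src: bytes, dst: bytes, in_port: int) -> Set[int]:
        """Return the set of egress ports for a frame arriving on in_port."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            return set()
        out = self.cam.get(dst)
        if out is None or out == in_port:
            # unknown unicast: flood out of every other port, like a hub
            return {p for p in range(1, self.ports + 1) if p != in_port}
        return {out}


HOST_A, HOST_B = bytes.fromhex("000000000001"), bytes.fromhex("000000000002")


def run(port_security: Optional[int]) -> Set[int]:
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 floods 1000 fake source
    MACs; then A sends to B. Returns the ports that last frame reaches."""
    sw = Switch(cam_capacity=256, max_macs_per_port=port_security)
    sw.forward(HOST_A, HOST_B, 1)
    sw.forward(HOST_B, HOST_A, 2)
    for i in range(1000):
        fake = (0x020000000000 + i).to_bytes(6, "big")   # locally administered fake MACs
        sw.forward(fake, HOST_A, 3)
    return sw.forward(HOST_A, HOST_B, 1)


if __name__ == "__main__":
    print("no port security, A->B reaches ports:", sorted(run(None)))
    print("port security (1 MAC/port), A->B reaches ports:", sorted(run(1)))
```

Without port security the final A-to-B frame is flooded to ports 2, 3 and 4, so the attacker on port 3 receives it; with a one-address limit the attacker's second fake address err-disables port 3 and the frame goes only to port 2.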

3) Spanning Tree Attacks


A spanning tree attack occurs when an attacker inserts itself into the forwarding path of the
LAN, enabling interception or a DoS attack. The attack begins with a malicious user
connecting an unauthorized (rogue) switch, or a host that sends STP bridge protocol data
units (BPDUs). The attacker advertises a lower bridge priority than the current root bridge.
Because the bridge with the lowest bridge ID (priority, then MAC address) wins the election,
the switches recompute the tree: the link between two legitimate switches may be blocked,
the attacker's switch becomes the root, and traffic between all switches flows through it.
Setting the legitimate root switch's priority to the minimum (Root Priority = 0) is one
mitigation, but it is not sufficient on its own, since an attacker using priority 0 and a lower
MAC address still wins the tie-break; the proper controls are Root Guard on ports that should
never lead towards the root and BPDU Guard on access ports, which shuts a port that receives
any BPDU at all.
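An added example (not from the original notes) that runs the root election as a switch sees it, first without and then with Root Guard. The bridge IDs and port numbers are constructed; the comparison rule (lower priority wins, ties broken by lower MAC) is the real one.

```python
"""Added example: STP root election with a rogue bridge, and Root Guard on an access port."""
from typing import Iterable, Set, Tuple

BridgeId = Tuple[int, int]   # (priority, MAC as an integer); the numerically lowest wins


def bridge_id(priority: int, mac: str) -> BridgeId:
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(own: BridgeId, bpdus: Iterable[Tuple[int, BridgeId]],
               root_guard_ports: frozenset = frozenset()) -> Tuple[BridgeId, Set[int]]:
    """own: this switch's bridge ID. bpdus: (port, root ID advertised on that port).
    Returns the root this switch believes in and the ports Root Guard blocked."""
    bpdus = list(bpdus)
    root = own
    # Normal election over ports that are allowed to lead towards the root
    for port, advertised in bpdus:
        if port not in root_guard_ports and advertised < root:
            root = advertised
    # Root Guard: a superior BPDU on a guarded port puts that port into the
    # root-inconsistent (blocked) state instead of changing the topology
    blocked = {port for port, advertised in bpdus
               if port in root_guard_ports and advertised < root}
    return root, blocked


# Constructed topology: a core switch, the intended root (priority 0) on its uplink port 1,
# and a rogue on access port 5 that also claims priority 0 but has a lower MAC address.
CORE = bridge_id(32768, "00:1a:2b:3c:4d:5e")
LEGIT_ROOT = bridge_id(0, "00:00:0c:11:22:33")
ROGUE = bridge_id(0, "00:00:00:00:00:01")
BPDUS = [(1, LEGIT_ROOT), (5, ROGUE)]

if __name__ == "__main__":
    print("without root guard:", elect_root(CORE, BPDUS))
    print("with root guard on port 5:", elect_root(CORE, BPDUS, frozenset({5})))
```

The first call shows why priority 0 alone does not help: the rogue's lower MAC address wins the tie. The second call keeps the legitimate root and reports port 5 as root-inconsistent, which is exactly what Root Guard logs on a real switch.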
DHCP Attacks:
The Dynamic Host Configuration Protocol (DHCP) is not a data link protocol, but it runs over
the LAN broadcast domain, and the defences against DHCP attacks live on the switches
alongside the link layer defences. DHCP dynamically allocates IP addresses to computers for
a fixed lease period. When a client without an Internet Protocol (IP) address joins a network,
it broadcasts a request for an address; if the network supports DHCP, a server responds with
an address and the lease period for it. DHCP servers can be attacked by causing a denial of
service or by impersonating the server. In a DHCP spoofing attack, the attacker deploys a
rogue DHCP server that answers clients before the real one and hands them a rogue default
gateway (and DNS server) in its DHCP responses. Frames from the host are then directed to
the rogue gateway, where the attacker can intercept every packet and relay it to the real
gateway or drop it. In a DHCP starvation attack, the attacker floods the network with address
requests from forged MAC addresses until the server's pool is exhausted, so legitimate clients
get no address (and are easier to steer to the rogue server). DHCP snooping mitigates both:
the switch forwards DHCP server messages only from trusted ports, rate-limits client requests
on untrusted ports, and records the resulting IP-to-MAC-to-port bindings.
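An added example (not from the original notes) of DHCP snooping as a switch would apply it: DHCP messages are parsed from their BOOTP layout, server replies are accepted only from trusted ports, DISCOVERs are rate-limited per port, and ACKs populate the binding table that Dynamic ARP Inspection later consults. The ports, MAC addresses, IP addresses and the limit of five DISCOVERs per port are constructed.

```python
"""Added example: DHCP snooping on a simulated switch (trusted ports, rate limit, bindings)."""
import struct
from typing import Dict, List, Tuple

MAGIC = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_TYPES = {OFFER, ACK, NAK}
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54


def build_dhcp(op: int, xid: int, chaddr: bytes, yiaddr: bytes, options: Dict[int, bytes]) -> bytes:
    """Build a BOOTP/DHCP message: op=1 BOOTREQUEST (client), op=2 BOOTREPLY (server)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    opts = b"".join(struct.pack("!BB", code, len(v)) + v for code, v in options.items())
    return fixed + MAGIC + opts + b"\xff"


def parse_dhcp(msg: bytes) -> Tuple[int, int, bytes, bytes, Dict[int, bytes]]:
    """Return (op, xid, chaddr, yiaddr, options)."""
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", msg[:8])
    yiaddr, chaddr = msg[16:20], msg[28:28 + hlen]
    if msg[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(msg) and msg[i] != 0xFF:
        if msg[i] == 0:                      # pad option
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return op, xid, chaddr, yiaddr, options


class SnoopingSwitch:
    def __init__(self, trusted_ports, discover_limit_per_port: int = 5):
        self.trusted = set(trusted_ports)
        self.client_port: Dict[bytes, int] = {}               # chaddr -> port it asked from
        self.bindings: Dict[bytes, Tuple[bytes, int]] = {}    # chaddr -> (leased IP, port)
        self.discovers: Dict[int, int] = {}
        self.limit = discover_limit_per_port
        self.dropped: List[str] = []

    def receive(self, msg: bytes, port: int) -> bool:
        """Return True if the message is forwarded, False if snooping drops it."""
        _op, _xid, chaddr, yiaddr, opts = parse_dhcp(msg)
        mtype = opts.get(OPT_MSG_TYPE, b"\0")[0]
        if mtype in SERVER_TYPES and port not in self.trusted:
            self.dropped.append(f"server message type {mtype} on untrusted port {port}")
            return False                      # rogue server
        if mtype in (DISCOVER, REQUEST):
            self.client_port[chaddr] = port
        if mtype == DISCOVER:
            self.discovers[port] = self.discovers.get(port, 0) + 1
            if self.discovers[port] > self.limit:
                self.dropped.append(f"DISCOVER rate exceeded on port {port}")
                return False                  # starvation attempt
        if mtype == ACK:
            self.bindings[chaddr] = (yiaddr, self.client_port.get(chaddr, port))
        return True


def demo():
    """Constructed exchange: a client on port 3, the real server on trusted port 24,
    a rogue server on port 7, then a starvation flood from port 9."""
    sw = SnoopingSwitch(trusted_ports={24})
    client, xid, lease = bytes.fromhex("aabbccddeeff"), 0x1234, bytes([10, 0, 0, 50])
    res = {"discover": sw.receive(build_dhcp(1, xid, client, b"\0" * 4, {OPT_MSG_TYPE: bytes([DISCOVER])}), 3)}
    rogue = build_dhcp(2, xid, client, lease, {OPT_MSG_TYPE: bytes([OFFER]),
                       OPT_ROUTER: bytes([10, 0, 0, 66]), OPT_SERVER_ID: bytes([10, 0, 0, 66])})
    res["rogue_offer"] = sw.receive(rogue, 7)
    real = build_dhcp(2, xid, client, lease, {OPT_MSG_TYPE: bytes([OFFER]),
                      OPT_ROUTER: bytes([10, 0, 0, 1]), OPT_SERVER_ID: bytes([10, 0, 0, 1])})
    res["real_offer"] = sw.receive(real, 24)
    sw.receive(build_dhcp(1, xid, client, b"\0" * 4, {OPT_MSG_TYPE: bytes([REQUEST])}), 3)
    res["ack"] = sw.receive(build_dhcp(2, xid, client, lease, {OPT_MSG_TYPE: bytes([ACK])}), 24)
    flood = [sw.receive(build_dhcp(1, i, (0x020000000000 + i).to_bytes(6, "big"), b"\0" * 4,
                                   {OPT_MSG_TYPE: bytes([DISCOVER])}), 9) for i in range(8)]
    res["starvation_forwarded"] = sum(flood)
    return res, sw.bindings, sw.dropped
```

The rogue OFFER carrying the attacker's address as router is dropped before any client sees it, and only five of the eight forged DISCOVERs on port 9 get through; the binding recorded for the legitimate client (its MAC, 10.0.0.50, port 3) is what DAI and IP Source Guard use afterwards.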
Layer 3 : Network Security (Router Security)
The network layer is the third layer of the OSI model. It takes service requests from the
transport layer and passes them down to the data link layer. It assigns logical addresses,
determines the route from the source to the destination, and manages traffic problems such
as switching, routing and congestion of data packets. Its main role is to move packets from
the sending host to the receiving host.
Logical addressing: the data link layer implements physical addressing, while the network
layer implements logical addressing, which distinguishes the source and destination systems
across networks. The network layer adds a header to the packet that carries the logical
addresses of both the sender and the receiver.
Internetworking: the main role of the network layer is to provide the logical connection
between different types of networks.
Fragmentation: fragmentation breaks packets into smaller units that can travel across
networks with different maximum frame sizes. This layer routes packets across networks. IP is
the fundamental network layer protocol of TCP/IP; other commonly used protocols at this
layer are the Internet Control Message Protocol (ICMP) and the Internet Group Management
Protocol (IGMP).
NETWORK LAYER ATTACKS
1) IP Address Spoofing
Internet Protocol (IP) spoofing is an attack in which the threat actor hides the true source of
IP packets to make it difficult to know where they came from. The attacker crafts packets
whose source IP address field holds an address other than the actual one, to impersonate a
different computer system, to disguise the sender's identity, or both. Because routers forward
on the destination address only, nothing in plain IP verifies the source. IP spoofing is often
used to launch distributed denial of service (DDoS) attacks (reflection and amplification
attacks depend on it) and man-in-the-middle attacks against targeted devices or the
surrounding infrastructure.
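Since IP itself cannot verify a source address, the control is applied at the router: a packet may only enter on an interface behind which its source address could legitimately live (BCP 38 ingress filtering). The following is an added example, not from the original notes, of that check; the interface names, prefixes and sample packets are constructed.

```python
"""Added example: BCP 38 style ingress filtering against spoofed source addresses."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed router: two inside LANs and one upstream link
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "eth1": ["10.10.0.0/16"],          # inside LAN 1
    "eth2": ["192.168.50.0/24"],       # inside LAN 2
    "wan0": ["0.0.0.0/0"],             # upstream: anything except our own address space
}
INTERNAL = [ipaddress.ip_network(p) for ifc in ("eth1", "eth2") for p in INTERFACE_PREFIXES[ifc]]
# sources that are never valid on the wire, whichever side they arrive on
BOGONS = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]


def permit(ingress: str, src: str) -> bool:
    """True if a packet with source `src` may legitimately arrive on `ingress`."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return False
    if ingress == "wan0":
        # traffic arriving from the Internet must not claim one of our inside addresses
        return not any(addr in net for net in INTERNAL)
    # inside interfaces: only the prefixes routed behind that interface may source packets
    return any(addr in ipaddress.ip_network(p) for p in INTERFACE_PREFIXES[ingress])


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """packets: (ingress interface, source IP). Returns (ingress, source, verdict) per packet."""
    return [(ifc, src, "permit" if permit(ifc, src) else "drop") for ifc, src in packets]


SAMPLE = [                      # constructed traffic
    ("eth1", "10.10.3.4"),      # normal inside host
    ("eth1", "192.168.50.9"),   # LAN 2 address appearing on LAN 1: spoofed
    ("wan0", "10.10.3.4"),      # our own address arriving from outside: spoofed
    ("wan0", "198.51.100.7"),   # ordinary Internet source
    ("wan0", "127.0.0.1"),      # bogon
]

if __name__ == "__main__":
    for ifc, src, verdict in filter_packets(SAMPLE):
        print(f"{ifc:5} {src:15} {verdict}")
```

Applied at every network edge this stops hosts from sourcing packets with addresses that are not theirs, which is what makes reflection DDoS possible; applied at the perimeter it stops outsiders from pretending to be inside hosts.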
2) Black Hole
A black hole attack targets routing, particularly in ad hoc networks where nodes discover
routes from each other. A malicious node claims that it has an ideal route to the destination:
when it receives a route request, it sends a fake reply advertising an extremely short route.
Once the malicious node has placed itself on the path between the communicating nodes, it
can do anything it likes with the packets passing through it, typically dropping them all so
that they disappear as into a black hole.
Layer 4 : Transport Layer Security
The main role of the transport layer is to provide communication services directly to the
application processes running on different hosts. It provides a logical communication channel
between application processes: although the processes on different hosts are not physically
connected, they use the logical communication provided by the transport layer to send
messages to each other. Transport layer protocols are implemented in the end systems, not in
the network routers. A computer network offers more than one transport protocol to
applications (TCP and UDP in the Internet). All transport layer protocols provide
multiplexing/demultiplexing by port number; some also provide reliable data transfer, and a
transport protocol may offer bandwidth or delay guarantees, although the Internet's do not.
Port scanning is a method of identifying open, and potentially vulnerable, network ports on a
host.
SYN Flooding Attack:
The SYN flooding attack is a denial-of-service attack in which the attacker creates a large
number of half-open TCP connections with a victim node but never completes the handshake
that would fully open them. Two nodes that want to communicate over TCP must start the
connection with a three-way handshake (SYN, SYN-ACK, ACK). The three messages let both
nodes confirm that the other is ready to communicate and agree on the initial sequence
numbers for the conversation. During the attack, a malicious node sends a large number of
SYN packets to the victim, spoofing the source addresses of the SYN packets. The victim
sends a SYN-ACK for each SYN it receives and then waits for the matching ACK. Because the
ACKs never arrive, the half-open connection state remains allocated on the victim until it
times out, and once the backlog is full legitimate connection attempts are refused.
B. Session Hijacking:
Session hijacking gives a malicious node the chance to behave as a legitimate system.
Communications are typically authenticated only at the start of session setup, and the
attacker takes advantage of this to take over the session afterwards. First, the attacker
spoofs the IP address of the target machine and obtains the correct sequence number (by
sniffing the session or by predicting it). Then it performs a DoS attack on the victim so that
the target system is silenced for a time. The attacker now impersonates the victim node and
continues the session. Hijacking a session over UDP is the same as over TCP, except that
UDP attackers need not deal with sequence numbers and the other TCP mechanisms. Since
UDP is connectionless, edging into a session without being detected is much easier than
with TCP.
C. SSL Stripping:
Various attacks attempt to eliminate the use of Secure Sockets Layer/Transport Layer Security
(SSL/TLS) altogether by modifying the unencrypted traffic that would have led the client to
switch to TLS. These attacks are known collectively as "SSL stripping" (a form of the more
general "downgrade attack") and were first presented by Moxie Marlinspike. In the context of
web traffic, they are only effective if the client initially contacts the web server over plain
HTTP. In SSL strip, all traffic from the victim's machine passes through a proxy set up by the
attacker, so it is a Man-in-the-Middle (MITM) attack: the proxy speaks HTTPS to the server
but rewrites redirects and links so that the victim keeps speaking HTTP to the proxy. HTTP
Strict Transport Security (HSTS), which tells a browser that has previously visited a site over
TLS never to use plain HTTP for it again, is the standard defence.
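An added example (not from the original notes) of the two sides of this: the rewrite an sslstrip-style proxy performs on an HTTP page, and the HSTS cache that makes a browser upgrade the request anyway. The host names, header values and HTML are constructed; the rules modelled (HSTS honoured only when received over TLS, max-age expiry, includeSubDomains) follow RFC 6797.

```python
"""Added example: SSL stripping of links versus a browser's HSTS cache."""
import re
from typing import Dict, Optional, Tuple


def strip_https(html: str) -> str:
    """The attacker's proxy: rewrite every https:// link so the victim keeps speaking HTTP."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, includeSubDomains)."""
    max_age, subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value.strip())
        elif name.lower() == "includesubdomains":
            subdomains = True
    return None if max_age is None else (max_age, subdomains)


class HstsCache:
    """What a browser remembers: host -> (expiry time, includeSubDomains)."""

    def __init__(self, preload=()):
        self.entries: Dict[str, Tuple[float, bool]] = {h: (float("inf"), True) for h in preload}

    def observe(self, host: str, over_tls: bool, headers: Dict[str, str], now: float):
        """Only a header received over TLS counts; over HTTP an attacker could inject one."""
        header = headers.get("Strict-Transport-Security")
        if not over_tls or header is None:
            return
        parsed = parse_hsts(header)
        if parsed:
            self.entries[host.lower()] = (now + parsed[0], parsed[1])

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite http:// to https:// for hosts with a live HSTS entry."""
        m = re.match(r"http://([^/:]+)(.*)", url, re.IGNORECASE)
        if not m:
            return url
        host, rest = m.group(1).lower(), m.group(2)
        for known, (expires, subdomains) in self.entries.items():
            if expires > now and (host == known or (subdomains and host.endswith("." + known))):
                return "https://" + host + rest
        return url


LOGIN_PAGE = '<a href="https://bank.example/login">Log in</a>'     # constructed page


def victim_request(cache: HstsCache, now: float) -> str:
    """The URL the victim's browser actually requests after clicking the (stripped) link."""
    stripped = strip_https(LOGIN_PAGE)
    href = re.search(r'href="([^"]+)"', stripped).group(1)
    return cache.upgrade(href, now)


if __name__ == "__main__":
    fresh = HstsCache()
    print("first-time visitor requests:", victim_request(fresh, 1000.0))
    returning = HstsCache()
    returning.observe("bank.example", True,
                      {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, 500.0)
    print("returning visitor requests:", victim_request(returning, 1000.0))
```

The first-time visitor is the case the text describes: the stripped link is followed over HTTP and the proxy wins. The returning visitor's browser rewrites the request to HTTPS before it leaves the machine, so the proxy never sees plaintext; the preload list closes the remaining first-visit gap.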
Layer 5 : Session Layer Security

The session layer allows users on different machines to establish sessions between them.
Sessions offer various services, including dialog control (keeping track of whose turn it is to
transmit), token management (preventing two parties from attempting the same critical
operation simultaneously), and synchronisation (checkpointing long transmissions to allow
them to pick up from where they left off in the event of a crash and subsequent recovery).

1) Session Hijacking
 An attack on a user's session. A session hijacking attack works by compromising the
session token, either by stealing it or by guessing what a valid session token will be, and
thereby acquiring unauthorized access to the web server as that user.
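Whether a token can be guessed depends entirely on how it is made. The following is an added example, not from the original notes, that places a guessable scheme (the token is derived from the user id and login hour, a design assumed here to illustrate the flaw) next to the usual correct one (random bits from the OS CSPRNG, stored server-side as a hash). The user names and timestamps are constructed.

```python
"""Added example: a guessable session token next to an unguessable one."""
import base64
import hashlib
import secrets
from typing import Dict, Optional


class WeakSessions:
    """Token = base64(user_id:hour_of_login). Deterministic, so anyone who knows the
    scheme and the victim's user id can reproduce it. (Assumed flawed design.)"""

    def issue(self, user_id: str, login_time: int) -> str:
        return base64.urlsafe_b64encode(f"{user_id}:{login_time // 3600}".encode()).decode()

    def lookup(self, token: str) -> Optional[str]:
        try:
            user_id, _hour = base64.urlsafe_b64decode(token).decode().split(":", 1)
            return user_id
        except ValueError:            # covers binascii.Error and UnicodeDecodeError
            return None


def forge_weak(victim_id: str, approx_login_time: int) -> str:
    """Attacker's side: no secret needed, only the victim's id and roughly when they logged in."""
    return WeakSessions().issue(victim_id, approx_login_time)


class StrongSessions:
    """Token = 256 random bits; the server stores only SHA-256(token), so a database
    leak does not hand out live sessions either."""

    def __init__(self):
        self.store: Dict[bytes, str] = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.store[hashlib.sha256(token.encode()).digest()] = user_id
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self.store.get(hashlib.sha256(token.encode()).digest())


def guess_strong(sessions: StrongSessions, attempts: int) -> int:
    """Attacker's side against the strong scheme: random guesses. Returns how many hit."""
    return sum(1 for _ in range(attempts) if sessions.lookup(secrets.token_urlsafe(32)) is not None)


if __name__ == "__main__":
    weak = WeakSessions()
    real = weak.issue("admin", 1_700_000_000)
    forged = forge_weak("admin", 1_700_000_000 + 1800)     # attacker guesses the login hour
    print("weak: forged token accepted as", weak.lookup(forged), "(equal to real:", forged == real, ")")
    strong = StrongSessions()
    strong.issue("admin")
    print("strong: hits from 10000 random guesses:", guess_strong(strong, 10_000))
```

The weak scheme fails because the token is computable from public facts; the strong one is not computable at all, and 10,000 random guesses against a 256-bit space hit nothing. Tokens should also be compared only by hash lookup or constant-time comparison, and rotated on login to prevent session fixation.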
Layer 6 : Presentation Layer Security
The presentation layer is responsible for how data is presented to the application: translating
between representations of graphics, text, audio, video and so on is its major duty. Data
encryption is also one of the functions of this layer, to ensure data security. The presentation
layer sits between the application layer and the session layer in OSI.
SSL Hijacking
Superfish (adware preinstalled on some laptops) used a technique called SSL hijacking to get
at users' encrypted data. Normally, when a browser connects to the HTTP (insecure) version
of a site, the server redirects it to the HTTPS (secure) version, and the HTTPS server presents
a certificate that identifies it to the user's browser; the browser checks that the certificate
was issued by an authority it trusts, and only then is the connection completed. Superfish
installed its own root certificate on the machine and placed itself between the browser and
the server, so it could issue a certificate for any site that the browser would accept,
decrypting and re-encrypting the traffic in the middle.
Layer 7 : Application Layer Security
The application layer is the layer closest to the user: it carries the protocols applications
speak directly (HTTP, SMTP, DNS and so on), so attacks here target application logic,
credentials and users rather than the plumbing below. The notes' example for this layer,
rogue devices, shows how far down the stack an application-level compromise can start.
The problem is that hardware security goes neglected: existing security software solutions do
not cover the physical layer of the OSI model (Layer 1), which defines the hardware
equipment, cabling, wiring, frequencies and pulses by which bits travel from one node to
another. Without Layer 1 visibility, the physical specifics of the network are not captured, so
network implants (rogue devices that operate at the physical layer) are not detected, and
spoofed peripherals (rogue devices that manipulate the physical layer) are identified as
legitimate human interface devices (HIDs) by the operating system and applications.
Enterprises are then at risk of rogue devices infiltrating their network and conducting harmful
attacks. As Layer 1 is the first of the OSI layers, it is crucial to have adequate physical security
at this level to stop attacks originating from rogue devices at the very first instant, before
they are carried out. Safeguarding this layer needs biometric security, camera-based
surveillance, key cards and other physical monitoring.

NETWORK SECURITY PROTOCOLS

Network security protocols are primarily designed to prevent any unauthorized user,
application, service or device from accessing network data. This applies to virtually all data
types regardless of the network medium used. Network security protocols generally use
cryptography to protect the data so that it can only be read by a party holding the right key,
and to let the parties verify each other's identity and detect tampering. Some of the popular
network security protocols include the SSH File Transfer Protocol (SFTP), HTTP over TLS
(HTTPS) and Secure Sockets Layer (SSL)/Transport Layer Security (TLS) itself.

RADIUS SERVER (RADIUS AUTHENTICATION)

Remote Authentication Dial-In User Service (RADIUS) is a client-server networking protocol
that runs at the application layer, over UDP. The RADIUS protocol involves a RADIUS server
and RADIUS clients. A RADIUS client (or Network Access Server, NAS) is a networking device
(such as a VPN concentrator, router, switch or wireless controller) that needs to authenticate
users before letting them in. A RADIUS server is a background process that runs on a UNIX or
Windows server and maintains user profiles in a central database. Hence, if you have a
RADIUS server, you have central control over who can connect to your network.
When a user tries to connect through a RADIUS client, the client sends a request to the
RADIUS server. The user is allowed in only if the RADIUS server authenticates and authorizes
the user. How the RADIUS server works depends on the exact nature of the RADIUS
ecosystem, but all servers have AAA capabilities (Authentication, Authorization and
Accounting). In some RADIUS ecosystems a RADIUS server can also act as a proxy client to
other RADIUS servers. RADIUS servers give businesses the ability to preserve the privacy and
security of their systems and users, helping in security management and in creating policies
for server administration.

How does RADIUS Server authentication and authorization work?

A RADIUS server supports a variety of methods to authenticate a user. RADIUS authentication
and authorization go hand in hand and usually start when a user tries to connect to the
RADIUS client using a username and password. A basic RADIUS authentication and
authorization process includes the following steps:
1. The user presents credentials (username and password) to the RADIUS client, which will
authenticate them against the RADIUS server.
2. The client sends an Access-Request message to the RADIUS server. Client and server are
configured with a shared secret that is never transmitted; the client uses it to hide the user's
password in the Access-Request (the password is XORed with an MD5 stream derived from
the secret and a random Request Authenticator) and, where supported, to compute a
Message-Authenticator over the request.
3. The RADIUS server uses the shared secret configured for that client's address to check
that the Access-Request comes from an authorized client. A request from an unknown client,
or one whose Message-Authenticator does not verify, is silently discarded.
4. If the client is authorized, the RADIUS server reads the authentication method requested.
5. If the authentication method is allowed, the RADIUS server recovers the user credentials
from the message and matches them against the user database. If there is a match, the
RADIUS server extracts additional user details from the user database.
6. The RADIUS server now checks whether there is an access policy or profile that matches
the user.
7. If there is no matching policy, the server sends an Access-Reject message. The RADIUS
transaction ends, and the user is denied access.
8. If there is a matching policy, the RADIUS server sends an Access-Accept message to the
device.
9. The Access-Accept carries a Response Authenticator computed with the shared secret over
the reply and the original Request Authenticator, and may carry a Filter-Id attribute. If the
Response Authenticator does not verify, the RADIUS client rejects the message.
10. If it verifies, the client reads the value of the Filter-Id attribute, a string of text. The
RADIUS client assigns the user to a particular RADIUS group using this Filter-Id. A RADIUS
group is a group of users who have the same Filter-Id value; practically, it makes it easier to
categorize users into functional groups (Sales, Networking, Systems, HR, IT, etc.).
11. The user is finally authenticated and authorized and obtains access through the RADIUS
Client.
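The exchange in steps 2, 3 and 9, as an added example that is not part of the original notes: it builds an Access-Request with the User-Password hidden exactly as RFC 2865 section 5.2 specifies, has the server decode it and answer, and has the client verify the Response Authenticator. The user database, the shared secret, and the packet identifier are constructed; the server is called in-process rather than over UDP.

```python
"""Added example: the RFC 2865 Access-Request / Access-Accept exchange and the three
uses of the shared secret (hide the password, authenticate the reply, never be sent)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11
USERS = {b"alice": (b"correct horse", b"sales")}   # constructed database: password, Filter-Id


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = RequestAuth."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        out[t] = data[i + 2:i + length]
        i += length
    return out


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = struct.pack("!H", 20 + len(attrs))
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes) -> bytes:
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs = request[4:20], decode_attrs(request[20:length])
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    user = USERS.get(attrs.get(USER_NAME, b""))
    # A client using the wrong secret decodes to garbage here and is rejected as well.
    if code != ACCESS_REQUEST or user is None or not hmac.compare_digest(password, user[0]):
        rcode, rattrs = ACCESS_REJECT, b""
    else:
        rcode, rattrs = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, user[1])])
    return packet(rcode, ident, response_authenticator(rcode, ident, rattrs, request_auth, secret), rattrs)


def client_authenticate(username: bytes, password: bytes, secret: bytes,
                        server_secret: Optional[bytes] = None):
    """NAS side: build the request, get the reply, verify it. Returns (code, Filter-Id)."""
    server_secret = secret if server_secret is None else server_secret
    request_auth, ident = os.urandom(16), 7
    attrs = encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, hide_password(password, secret, request_auth))])
    reply = server_handle(packet(ACCESS_REQUEST, ident, request_auth, attrs), server_secret)
    code, rident, length = struct.unpack("!BBH", reply[:4])
    rattrs = reply[20:length]
    expected = response_authenticator(code, rident, rattrs, request_auth, secret)
    if rident != ident or not hmac.compare_digest(reply[4:20], expected):
        return None, None            # reply is not from a server holding our secret: discard
    return code, decode_attrs(rattrs).get(FILTER_ID)


if __name__ == "__main__":
    print(client_authenticate(b"alice", b"correct horse", b"s3cret"))
    print(client_authenticate(b"alice", b"wrong", b"s3cret"))
    print(client_authenticate(b"alice", b"correct horse", b"s3cret", server_secret=b"other"))
```

Note what the construction does and does not give: the password hiding is MD5-based obfuscation keyed on a secret that is often short, so RADIUS traffic should still travel over an isolated management network or inside RadSec (RADIUS over TLS), and the Message-Authenticator attribute should be required on both sides.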
KERBEROS AUTHENTICATION
Kerberos uses symmetric key cryptography and a key distribution center (KDC) to
authenticate and verify user identities without ever sending a password over the network.
Authentication takes place within a Kerberos realm, an environment in which one KDC is
authoritative for its services, hosts and users. The principal entities in a typical Kerberos
workflow are:
 Client: the client acts on behalf of the user and initiates the service request.
 Server (service server, SS): the server hosts the service the user wants to access.
 Authentication Server (AS): the AS performs the initial client authentication. If it succeeds,
the AS issues the client a Ticket Granting Ticket (TGT), which serves as proof to the rest of
the realm that the client has been authenticated.
 Ticket Granting Server (TGS): the TGS accepts a TGT and issues service tickets for
individual services.
 Key Distribution Center (KDC): the AS, the TGS and the Kerberos database are logically
separate parts that normally run together in a single server, the KDC. The database stores
the identity and the long-term secret key (derived from the password) of every principal.
During authentication, Kerberos stores the tickets for a session on the end user's device.
Instead of a password, a Kerberos-aware service looks for a valid service ticket, encrypted
under the service's own key, together with an authenticator encrypted under the session key
the ticket carries. The multistep process is: the client authenticates to the AS and receives a
TGT and a session key; the client presents the TGT to the TGS and receives a ticket for the
specific service; the client presents that ticket to the server, which can verify it using only its
own key.
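The three exchanges (AS, TGS and the final request to the service) as an added example that is not part of the original notes. It is built on a toy authenticated cipher (SHA-256 keystream plus HMAC, a stand-in for the real AES-based enctypes) and plain JSON instead of the ASN.1 wire format; what it demonstrates is which key protects which message, so that the password never leaves the client, a wrong password fails on the client's side, and the service checks a ticket with its own key alone. Principal names, passwords and times are constructed.

```python
"""Added example: toy Kerberos flow, AS -> TGS -> AP, with a toy authenticated cipher."""
import hashlib
import hmac
import json
import os

LIFETIME, SKEW = 36000, 300   # ticket lifetime and permitted clock skew, seconds (assumed)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stand-in for AES; not for real use."""
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || ciphertext || HMAC tag: a wrong key or any tampering is detected on decrypt."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from the password (real Kerberos uses a salted string-to-key function)."""
    return hashlib.sha256((principal + ":" + password).encode()).digest()


class KDC:
    """AS + TGS + database. The database holds long-term keys, never passwords."""

    def __init__(self, passwords: dict):
        self.db = {p: string_to_key(pw, p) for p, pw in passwords.items()}
        self.db["krbtgt"] = os.urandom(32)      # the TGS's own key, known only to the KDC

    def as_exchange(self, client: str, now: int):
        """AS-REP: session key under the client's long-term key; TGT under the krbtgt key."""
        sk = os.urandom(32)
        tgt = encrypt(self.db["krbtgt"], {"client": client, "key": sk.hex(), "exp": now + LIFETIME})
        return encrypt(self.db[client], {"key": sk.hex(), "tgs": "krbtgt"}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REP: service session key under the TGT session key; ticket under the service key."""
        t = decrypt(self.db["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        a = decrypt(sk, authenticator)           # proves the requester holds the TGT's session key
        if t["exp"] < now or a["client"] != t["client"] or abs(a["time"] - now) > SKEW:
            raise ValueError("TGS-REQ rejected")
        svc_sk = os.urandom(32)
        ticket = encrypt(self.db[service], {"client": t["client"], "key": svc_sk.hex(), "exp": now + LIFETIME})
        return encrypt(sk, {"key": svc_sk.hex(), "service": service}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ check on the application server: needs only the service's own key."""
    t = decrypt(service_key, ticket)
    a = decrypt(bytes.fromhex(t["key"]), authenticator)
    if t["exp"] < now or a["client"] != t["client"] or abs(a["time"] - now) > SKEW:
        raise ValueError("AP-REQ rejected")
    return t["client"]


def client_login(kdc: KDC, client: str, password: str, service: str, now: int) -> str:
    """The whole flow from the client's side; returns the identity the service accepted."""
    key = string_to_key(password, client)
    enc, tgt = kdc.as_exchange(client, now)
    sk = bytes.fromhex(decrypt(key, enc)["key"])          # a wrong password fails here, client-side
    enc2, ticket = kdc.tgs_exchange(tgt, encrypt(sk, {"client": client, "time": now}), service, now)
    svc_sk = bytes.fromhex(decrypt(sk, enc2)["key"])
    ap_auth = encrypt(svc_sk, {"client": client, "time": now})
    return service_accept(kdc.db[service], ticket, ap_auth, now)   # the service holds this key itself


if __name__ == "__main__":
    kdc = KDC({"alice": "hunter2", "http/web.example.com": "svc-secret"})
    print(client_login(kdc, "alice", "hunter2", "http/web.example.com", 1_700_000_000))
```

Two things worth noticing in the flow: the AS hands out the AS-REP without checking anything (this is why real deployments require pre-authentication, otherwise the encrypted part is an offline password-guessing target), and the service never talks to the KDC at all during the final step.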
SSL and TLS
SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link
between a web server and a web browser. SSL is the predecessor of TLS (Transport Layer
Security); both are cryptographic protocols used to secure data over the network. Companies
and organizations add SSL/TLS certificates to their websites to secure online transactions and
keep customer information private. TLS keeps internet connections secure and prevents
criminals from reading or modifying information transferred between two systems. When you
see a padlock icon next to the URL in the address bar, the site you are visiting is protected by
TLS. All SSL versions and TLS 1.0 and 1.1 are deprecated; only TLS 1.2 and 1.3 should be
used today.
TLS is widely used on the Web. HTTP over TLS is HTTPS, SMTP over TLS is SMTPS, FTP over
TLS is FTPS. TLS matters because it provides:
 Authentication: the identity of the communicating parties is verified using asymmetric
cryptography (certificates and digital signatures)
 Confidentiality: the exchanged data is protected from unauthorised access with symmetric
cryptography
 Integrity: alteration of data in transit is detected by checking a message authentication
code (in modern cipher suites, the tag of an authenticated encryption mode)
How do SSL certificates work?
An SSL or TLS certificate is a digital certificate that authenticates a website's identity and
enables an encrypted connection. TLS works by ensuring that any data transferred between
users and websites, or between two systems, cannot be read by anyone without the session
keys. It uses encryption algorithms to scramble data in transit, which prevents eavesdroppers
from reading it as it is sent over the connection. This data includes potentially sensitive
information such as names, addresses, credit card numbers or other financial details.
TLS consists of two phases:
Handshake protocol
 Negotiate the TLS version
 Select the cryptographic algorithms (cipher suite)
 Authenticate the server (and optionally the client) with asymmetric cryptography
 Establish a shared secret key for symmetric encryption
 The main purpose of the handshake is authentication and key exchange
Record protocol
 Encrypt outgoing messages with the secret key
 Transmit the encrypted messages
 Decrypt incoming messages with the secret key
 Verify that the messages were not modified; only if the check passes is the message
accepted and decrypted with the same symmetric secret key. So both confidentiality and
integrity are achieved.
Study questions: Why does TLS use both asymmetric and symmetric cryptography? How does
the receiver check whether a message was modified?
The handshake works like this:
1. A browser or server attempts to connect to a website (i.e., a web server) secured with
TLS.
2. The browser or server requests that the web server identify itself.
3. The web server sends a copy of its certificate in response, together with a signature
proving it holds the matching private key.
4. The browser or server checks whether it trusts the certificate (valid chain to a trusted
authority, name matches, not expired or revoked). If it does, it continues the key exchange.
5. Both sides derive the session keys and exchange Finished messages, which are protected
with those keys and confirm that the handshake was not tampered with.
6. Encrypted data is shared between the browser or server and the web server.
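The step from "establish a shared secret" to "encrypt with the secret key" is a key schedule, and the integrity check on each record is a keyed tag. The following is an added example, not part of the original notes, that implements HKDF (RFC 5869) and HKDF-Expand-Label (RFC 8446 section 7.1) as TLS 1.3 uses them to derive the client and server handshake traffic keys, then protects records with an HMAC tag as a stand-in for the AEAD tag real cipher suites use. The shared secret and transcript hash fed in are constructed; in a real handshake they come from the (EC)DHE exchange and the hash of the handshake messages.

```python
"""Added example: TLS 1.3 key derivation (HKDF, HKDF-Expand-Label) and record integrity."""
import hashlib
import hmac
import struct

HASH, HLEN = hashlib.sha256, 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt is HashLen zero bytes, per RFC 5869."""
    return hmac.new(salt or b"\0" * HLEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>,
    with the label prefixed by "tls13 " (RFC 8446 section 7.1)."""
    full = b"tls13 " + label.encode()
    info = struct.pack("!H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def handshake_keys(shared_secret: bytes, transcript_hash: bytes):
    """Both peers run this on the same inputs and obtain identical client/server (key, iv)
    pairs; neither key ever travels on the wire. Key and IV sizes are those of AES-128-GCM."""
    early_secret = hkdf_extract(b"", b"\0" * HLEN)                 # no PSK in this example
    derived = hkdf_expand_label(early_secret, "derived", HASH(b"").digest(), HLEN)
    handshake_secret = hkdf_extract(derived, shared_secret)
    keys = {}
    for side in ("c", "s"):
        traffic = hkdf_expand_label(handshake_secret, f"{side} hs traffic", transcript_hash, HLEN)
        keys[side] = (hkdf_expand_label(traffic, "key", b"", 16),
                      hkdf_expand_label(traffic, "iv", b"", 12))
    return keys


def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Stand-in for the AEAD: tag over the record sequence number and the data, so that
    modification, replay at another position and reordering are all detected."""
    return plaintext + hmac.new(key, struct.pack("!Q", seq) + plaintext, HASH).digest()


def unprotect(key: bytes, seq: int, record: bytes):
    data, tag = record[:-HLEN], record[-HLEN:]
    if not hmac.compare_digest(tag, hmac.new(key, struct.pack("!Q", seq) + data, HASH).digest()):
        return None           # the receiver discards the record and aborts the connection
    return data


if __name__ == "__main__":
    # constructed inputs standing in for the (EC)DHE result and the transcript hash
    client = handshake_keys(b"ecdhe-shared-secret", HASH(b"ClientHello||ServerHello").digest())
    server = handshake_keys(b"ecdhe-shared-secret", HASH(b"ClientHello||ServerHello").digest())
    print("peers agree on keys:", client == server)
    rec = protect(client["c"][0], 0, b"GET / HTTP/1.1")
    print("server accepts record:", unprotect(server["c"][0], 0, rec))
    print("modified record accepted:", unprotect(server["c"][0], 0, rec[:-1] + b"\0"))
```

This answers the two study questions in code: the asymmetric part of the handshake is used once to agree on `shared_secret`, after which every record is protected with fast symmetric keys; and a record is accepted only if the tag computed under the receiver's key over the sequence number and data matches the one sent.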

Individual assignment
1. Examine other network security techniques like firewall, VPN, IDS and data backups
2. Suppose that you are responsible for designing a secure Internet banking application
a. What is network security protocol, and what is its purpose
b. Explain the security services that can be provided by security protocols.
c. Explain the commonly used security protocols in internet banking ie SET
