COMPUTER NETWORK SECURITY
Unit 1

CIA Triad

The CIA triad highlights three key objectives in computer security, namely confidentiality, integrity, and availability.

Confidentiality: Ensures that private information is only accessible to authorized people. It also allows individuals to control who can collect, store, and share their personal information, thereby enforcing privacy. A loss of confidentiality is the unauthorized disclosure of information.

Integrity: Ensures that data and systems can only be modified in authorized ways. A loss of integrity is the unauthorized modification or destruction of information.

Availability: Ensures that systems and information are accessible to authorized users without delay or interruption. A loss of availability is the disruption of access to information or an information system.

Cybersecurity Framework

The Cybersecurity Framework provides the following five key steps for managing security risks:

Identify: Recognizing security risks to systems, data, and assets.
Protect: Implementing safeguards to protect critical services and information.
Detect: Finding out when a security event or breach occurs.
Respond: Taking action to handle the detected security event.
Recover: Restoring systems after a security event has occurred.

Data Link Layer (MAC Layer) & Attacks

An Ethernet frame is the basic unit of data transmitted in Ethernet networks. A MAC address is a unique identifier assigned to the Network Interface Card (NIC) of a device. The MAC address identifies devices on a local network, enabling them to communicate within the network. No two devices on the same network share the same MAC address.

The structure of the Ethernet frame consists of:

Destination MAC Address (6 bytes): The MAC address of the device that receives the data.
Source MAC Address (6 bytes): The MAC address of the device that sends the data.
Ether Type (2 bytes): Indicates the protocol type being carried (IPv4, IPv6).
Data/Payload (46-1500 bytes): Contains the actual data being transmitted.
Cyclic Redundancy Check (CRC) (4 bytes): Checksum used for error detection.

The MAC (Media Access Control) header is the part of the Ethernet frame that contains the Destination MAC Address, Source MAC Address and Ether Type.

MAC Address Tracking and Privacy Concerns

Mobile devices constantly scan for nearby Wi-Fi access points and broadcast their MAC addresses to these access points, even without connecting, thereby posing a security risk. Adversaries with access to multiple Wi-Fi access points can collect and correlate MAC addresses, potentially identifying the true owner, thus raising privacy concerns. To address such privacy concerns, data transmission takes place in stages, called hop-by-hop transmission.

Hop-By-Hop Transmission

At each hop (router or network device), the MAC addresses in the frame header are updated as the packet moves closer to its destination, making it difficult for adversaries to track the packet based solely on its MAC address.

Host A sends a packet destined for Host B on another network. A creates an Ethernet frame containing the packet and sets the destination MAC address to Router R1's MAC address.
Router R1 processes the packet, performs routing, and forwards it to Router R2. The Ethernet frame is updated by setting the source MAC address to R1's address and the destination MAC address to R2's.
Similarly, the Ethernet frame is modified at each stage, where the source and destination MAC addresses are updated, forwarding the packet to the next router.
The final router directly connected to Host B (Rk) changes the source MAC address to its own and the destination MAC address to Host B's MAC. Host B then accepts the packet because the destination MAC matches its own.

ARP (Address Resolution Protocol)

The ARP protocol is a Layer 2 protocol that provides the mapping of IP addresses to MAC addresses.
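The frame layout and the hop-by-hop rewrite described above, carried out in code. This is an added example, not material from the lecture notes: it builds a minimum-size Ethernet frame with its CRC-32 frame check sequence, parses it back, and then shows that only the MAC header changes as a packet crosses A -> R1 -> R2 -> B while the encapsulated packet is untouched. All MAC addresses and the packet bytes are constructed sample values.

```python
"""Added example (not from the lecture notes): build and parse an Ethernet
frame, verify its CRC-32 FCS, and rewrite only the MAC header at each hop.
All addresses and payload bytes below are constructed sample values."""
import struct
import zlib

ETHERTYPE_IPV4 = 0x0800
HEADER_FMT = "!6s6sH"  # dst MAC, src MAC, EtherType (network byte order)


def mac_bytes(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload):
    """Header + payload (padded to the 46-byte minimum) + 4-byte FCS.
    The Ethernet FCS is CRC-32 over header and payload, transmitted
    least-significant byte first; zlib.crc32 uses the same polynomial."""
    payload = payload.ljust(46, b"\x00")
    body = struct.pack(HEADER_FMT, mac_bytes(dst), mac_bytes(src), ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame):
    """Split a frame into its fields; fcs_ok is False if any byte was corrupted."""
    if len(frame) < 14 + 46 + 4:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack(HEADER_FMT, frame[:14])
    body, fcs = frame[:-4], frame[-4:]
    expected = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return {
        "dst": mac_text(dst),
        "src": mac_text(src),
        "ethertype": ethertype,
        "payload": body[14:],
        "fcs_ok": fcs == expected,
    }


def forward_hop_by_hop(packet, path):
    """path is [host_a_mac, r1_mac, ..., host_b_mac]. At each hop the frame is
    rebuilt with new source/destination MACs; the packet inside is unchanged."""
    frames = []
    for src, dst in zip(path, path[1:]):
        frames.append(build_frame(dst, src, ETHERTYPE_IPV4, packet))
    return frames


# Constructed sample: A -> R1 -> R2 -> B, carrying a dummy packet.
PATH = ["02:00:00:00:00:0a", "02:00:00:00:00:01",
        "02:00:00:00:00:02", "02:00:00:00:00:0b"]
PACKET = b"ip-packet-from-A-to-B"

if __name__ == "__main__":
    for frame in forward_hop_by_hop(PACKET, PATH):
        f = parse_frame(frame)
        print(f["src"], "->", f["dst"], "fcs_ok:", f["fcs_ok"])
```

Flipping a single payload byte makes fcs_ok False, which is what the CRC field is for; note that the CRC only detects transmission errors, it is not an integrity check against a deliberate change, since anyone rewriting the frame simply recomputes it.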
When Host A has to send data to another device, Host B, on a local network, Host A broadcasts an ARP request containing Host B's IP address to learn its MAC address. Host B responds with an ARP reply containing its MAC address. Host A saves the MAC address in its ARP cache to improve efficiency for further communication.

ARP Cache

The MAC address is temporarily stored in an ARP cache on the device to improve efficiency by avoiding repeated ARP requests for the same IP address. Since IP addresses can change dynamically, ARP cache entries time out after a certain period to ensure fresh mappings are used.

Commands:
View cache: Use arp -n.
Delete entry: Use sudo arp -d to remove a specific entry. After deletion, the entry will appear as incomplete until updated.

ARP Cache Poisoning

Involves injecting forged MAC addresses into a device's ARP cache. By mapping incorrect MAC addresses to IP addresses, attackers can intercept or alter the incoming traffic of other devices.

Methods of Poisoning:
ARP Request: An attacker sends a fake ARP request, and the receiver updates its cache with the incorrect information.
ARP Reply: The receiver blindly updates its cache when it receives a forged ARP reply.
Gratuitous ARP: A computer broadcasts its own MAC and IP address upon joining a network. Attackers can misuse this mechanism to inject false information.

This is possible because ARP is a simple protocol that lacks security mechanisms such as encryption or integrity checks. ARP is a stateless protocol.

Man-in-the-Middle (MITM) Attack

A cyberattack where an attacker secretly intercepts, alters, or eavesdrops on communication between two parties. The attacker redirects traffic between the two parties to their own device. After modifying or inspecting the traffic, they forward it to the intended recipient. Traffic can be redirected in 3 ways:
Layer 2: Using ARP cache poisoning.
Layer 3: Through ICMP Redirect messages.
Application Layer: Via DNS cache poisoning.
MITM Attack via ARP Cache Poisoning

Host A is the source device, Host B is the destination device and M is the attacker. Attacker M manipulates A's ARP cache so that B's MAC address is replaced with M's MAC address, such that when A sends a packet to B, M receives the packet instead. If M is a router, M can route and forward the traffic to B by enabling IP forwarding. If M is a host, the packet will be dropped because B's IP is the destination. However, if M wants to capture the packet, IP forwarding can be disabled and a raw socket can be opened to read the packet contents.

Countermeasures:
Encryption: Even if the attacker intercepts the traffic, they cannot modify or read encrypted data, thereby making MITM attacks ineffective despite successful ARP cache poisoning.
ARP Cache Poisoning Detection Tools: Use tools like Wireshark to monitor ARP requests and detect poisoning attempts.
Packet Filters: Analyse incoming packets using packet filters to identify malicious or altered packets.
Static ARP Entries: Add fixed ARP entries manually for each device on the network. This solution involves a lot of administrative overhead and is only recommended for smaller networks.

Network Interfaces

A Network Interface Card (NIC) connects a computer to a network. There are two common types of NICs: Ethernet and Wi-Fi. A device can have multiple NICs, allowing it to connect to different networks; these NICs are assigned IP addresses. Each NIC is assigned a unique MAC address for identification on a local network. In modern systems, NICs can also be virtual, such as the virtual network interfaces used in virtual machines (VMs).

Virtual Network Interfaces

In virtualized environments, VMs need virtual hardware to interact with the physical network, including virtual network adapters to access the internet or communicate with other machines. The primary types of virtual network adapters are:
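The ARP exchange described in the ARP section and the detection countermeasure listed above, combined in one added example that is not part of the lecture notes. It parses the 28-byte Ethernet/IPv4 ARP body (the field layout is the real one from RFC 826) and feeds each message to a small watcher in the spirit of tools like arpwatch: it records IP-to-MAC bindings, alerts when a known IP is suddenly announced with a different MAC, and alerts on replies that no host asked for, which is exactly the state ARP itself never keeps. The MAC addresses, IP addresses and sample traffic are constructed.

```python
"""Added example (not from the lecture notes): parse ARP messages and flag
the patterns a cache-poisoning attempt leaves on the wire. The sample
traffic, MACs and IPs below are constructed placeholders."""
import struct
import ipaddress

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(text):
    return bytes(int(p, 16) for p in text.split(":"))


def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(data):
    """Decode an Ethernet/IPv4 ARP body (first 28 bytes of the payload)."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "op": oper,
        "sender_mac": _mac_text(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac_text(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


class ArpWatch:
    """Minimal arpwatch-style monitor. Alerts when a known IP is announced
    with a different MAC, or when a reply arrives that nobody requested."""

    def __init__(self):
        self.bindings = {}      # ip -> last MAC seen claiming it
        self.pending = set()    # (asker_ip, asked_ip) of outstanding requests
        self.alerts = []

    def observe(self, msg):
        if msg["op"] == ARP_REQUEST:
            self.pending.add((msg["sender_ip"], msg["target_ip"]))
        elif msg["op"] == ARP_REPLY:
            key = (msg["target_ip"], msg["sender_ip"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(
                    f"unsolicited reply: {msg['sender_ip']} is at {msg['sender_mac']}")
        known = self.bindings.get(msg["sender_ip"])
        if known and known != msg["sender_mac"]:
            self.alerts.append(
                f"{msg['sender_ip']} changed {known} -> {msg['sender_mac']}")
        self.bindings[msg["sender_ip"]] = msg["sender_mac"]


def arp_msg(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode a constructed ARP body for the sample traffic below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, _mac(sender_mac),
                       ipaddress.IPv4Address(sender_ip).packed, _mac(target_mac),
                       ipaddress.IPv4Address(target_ip).packed)


# Constructed sample traffic: A asks for B, B answers, then an unsolicited
# reply claims B's IP for a third MAC (the poisoning pattern a monitor sees).
A_MAC, B_MAC, M_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE = [
    arp_msg(ARP_REQUEST, A_MAC, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.11"),
    arp_msg(ARP_REPLY, B_MAC, "10.0.0.11", A_MAC, "10.0.0.10"),
    arp_msg(ARP_REPLY, M_MAC, "10.0.0.11", A_MAC, "10.0.0.10"),
]


def run(messages):
    watch = ArpWatch()
    for raw in messages:
        watch.observe(parse_arp(raw))
    return watch


if __name__ == "__main__":
    for alert in run(SAMPLE).alerts:
        print("ALERT:", alert)
```

A legitimate gratuitous ARP from a host that just received a new DHCP lease also shows up as a binding change, so in practice these alerts are triaged against the DHCP server's lease table rather than treated as proof of poisoning.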
1. NAT (Network Address Translation) Adapters: NAT adapters allow a virtual machine to access the internet through the host machine's network adapter, using the same external IP address as the host.
2. Bridged Adapters: With a bridged adapter, the virtual machine appears as a distinct node on the network, getting its own IP address. This mode replicates the behaviour of a physical device on the network.
3. Host-Only Adapters: Host-only adapters create a virtual network between the host and the virtual machine. The VM can communicate directly with the host and any other VMs running on the same host, but cannot access external networks like the internet unless additional routing or proxy configurations are set up. This is useful for local network simulations or testing between VMs.

Journey of a Network Packet

A packet is the smallest unit of communication over a computer network. When data has to be transmitted over the network, it is broken down into smaller units, called data packets, at the sender's node and reassembled into its original form at the receiver's node.

Packet Construction:
1. Application Layer: Data is written to the socket by a user program using the socket interface API.
2. Socket Layer: Identifies the type of protocol (e.g., TCP, UDP) and directs control to the appropriate protocol-specific function.
3. Transport Layer: Adds the transport layer header to the data. The destination port number is provided by the application, while the source port number is randomly selected by the OS.
4. Network Layer (IP Layer): Adds the IP header. The destination IP address is provided by the application, while the source IP address is chosen by the OS based on the network interface being used. Performs routing to determine how to deliver the packet.
5. Data Link Layer (MAC Layer): Adds the MAC layer header, including the source and destination MAC addresses. Most of the data link layer's work is performed by the hardware of the NIC (Network Interface Card).
6. Physical Layer: The packet is translated into electrical signals or radio waves by the NIC hardware and transmitted over the physical network.

Packet Reception:
Each NIC has a unique MAC address. All NICs on a network hear all packets, but only those with a matching MAC address are copied into the memory of the NIC. The NIC uses Direct Memory Access (DMA) to copy packets into a ring buffer in the kernel. The NIC then interrupts the CPU to inform it of the new packet's arrival. The CPU copies the packets from the ring buffer to a queue for further processing. Based on the packet's protocol, different callback handler functions are invoked by the kernel. These handlers dispatch the packet to the relevant user-space programs.

Packet Sniffing

The act of capturing data packets across a computer network.

Promiscuous Mode: Normally, a NIC discards frames not destined for its MAC address. Promiscuous mode allows a NIC to pass all frames, regardless of the destination MAC address, to the kernel. This enables packet sniffing by forwarding all captured frames to a sniffer program; activating the mode requires elevated privileges (root access).

Monitor Mode: In wireless networks, monitor mode allows a NIC to capture all 802.11 frames on the channel it listens to. Most wireless NICs do not support monitor mode or have the mode disabled by their manufacturers.

Packet Spoofing

The act of manipulating or altering packet data during transmission.

Examples of Packet Spoofing Attacks:
ARP Spoofing: The attacker sends false ARP messages on a network. As a result, the attacker's MAC address is mapped to the IP address of a legitimate device, allowing the attacker to intercept data meant for that device. It can lead to data theft, account compromise, and various other malicious outcomes.
DNS Spoofing: The attacker corrupts the DNS resolution process, redirecting domain names to incorrect IP addresses and often leading users to malicious servers.
IP Spoofing: The attacker sends packets with an incorrect source IP address. This can be used to disguise the attacker's identity, conduct Denial of Service (DoS) attacks by overwhelming a server with fake traffic, or bypass IP-based authentication. Another method involves sending packets from a spoofed address to flood the target with responses.

Measures to Avoid Spoofing Attacks

Packet filtering should be implemented so that all packets are filtered and scanned for inconsistencies, to further avoid spoofing attempts.
Using secure encryption protocols such as Secure Shell (SSH), Transport Layer Security (TLS), and HTTP Secure (HTTPS) helps avoid many types of spoofing attacks.
Avoid all types of trust relationships, as trust relationships only use IP address verification, opening users up to easy spoofing attacks.
Use spoofing-detection programs, which inspect and certify data before transmitting it, to avoid attacks, especially ARP spoofing attacks.
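The six packet-construction steps from "Journey of a Network Packet" carried out in code for a UDP datagram, with the receiving side peeling the headers back off. This is an added example, not code from the lecture notes. The header layouts (UDP, IPv4, Ethernet) and the RFC 1071 one's-complement checksum are the real ones; the port numbers, addresses, MACs and payload are constructed sample values, and the random source port stands in for the OS's choice in step 3.

```python
"""Added example (not from the lecture notes): encapsulate application data
into UDP -> IPv4 -> Ethernet and decapsulate it again, verifying the IPv4
header checksum on the way back. Addresses and payload are constructed."""
import random
import struct
import ipaddress


def ipv4_checksum(header):
    """RFC 1071: one's-complement sum of 16-bit words, complemented.
    Over a header whose checksum field is already filled in, this returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_layer(data, dst_port, src_port=None):
    """Step 3: UDP header. Destination port from the application, source
    port chosen by the OS (an ephemeral port, random here), length, and a
    zero checksum (optional for UDP over IPv4)."""
    if src_port is None:
        src_port = random.randint(49152, 65535)
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data


def network_layer(segment, src_ip, dst_ip, proto=17, ttl=64):
    """Step 4: IPv4 header (20 bytes, no options); the checksum is computed
    over the header with the checksum field set to zero, then written in."""
    total_len = 20 + len(segment)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def _mac(text):
    return bytes(int(p, 16) for p in text.split(":"))


def link_layer(packet, src_mac, dst_mac, ethertype=0x0800):
    """Step 5: MAC header in front of the IP packet (FCS is added by the NIC)."""
    return struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ethertype) + packet


def build_udp_frame(data, dst_ip, dst_port, src_ip, src_mac, dst_mac, src_port=None):
    segment = transport_layer(data, dst_port, src_port)
    packet = network_layer(segment, src_ip, dst_ip)
    return link_layer(packet, src_mac, dst_mac)


def decapsulate(frame):
    """Receiver side: strip Ethernet, verify and strip IPv4, strip UDP."""
    ip = frame[14:34]
    ihl = (ip[0] & 0x0F) * 4
    if ihl != 20:
        raise ValueError("IPv4 options not handled in this example")
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    udp = frame[14 + ihl:14 + total_len]
    src_port, dst_port, length, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "src_port": src_port,
        "dst_port": dst_port,
        "data": udp[8:length],
    }


if __name__ == "__main__":
    frame = build_udp_frame(b"hello", "10.0.0.11", 53, "10.0.0.10",
                            "02:00:00:00:00:0a", "02:00:00:00:00:01")
    print(len(frame), "bytes on the wire ->", decapsulate(frame))
```

Nothing in these headers is authenticated: the source IP and source MAC are whatever the sender writes into the struct, which is the root of the spoofing problems discussed above and why the countermeasures rely on filtering and encryption rather than on the addresses themselves.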
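One concrete form of the packet filtering recommended above, as an added example that is not from the lecture notes: a source-address consistency check at a site border that drops inbound packets claiming an internal, loopback or otherwise unroutable source (ingress filtering) and outbound packets whose source is not the site's own prefix (egress filtering). The interface names wan0 and lan0, the site prefix and the sample packets are all constructed assumptions.

```python
"""Added example (not from the lecture notes): a border packet filter that
rejects packets whose source address is inconsistent with the interface
they arrive on, the basic defence against IP spoofing. Interface names,
prefixes and sample packets are constructed."""
import ipaddress

INTERNAL_PREFIX = ipaddress.ip_network("10.0.0.0/24")   # assumed site prefix

# Sources that should never appear on a packet arriving from the internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def check_packet(iface, src, dst):
    """Return (verdict, reason); verdict is 'accept' or 'drop'."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "wan0":   # arriving from outside: ingress filtering
        if src_ip in INTERNAL_PREFIX:
            return "drop", "external packet claims an internal source (spoofed)"
        if any(src_ip in p for p in BOGON_PREFIXES):
            return "drop", "external packet with unroutable source"
        if dst_ip not in INTERNAL_PREFIX:
            return "drop", "not addressed to this site"
        return "accept", "ok"
    if iface == "lan0":   # leaving from inside: egress filtering
        if src_ip not in INTERNAL_PREFIX:
            return "drop", "internal host sending with a foreign source (spoofed)"
        return "accept", "ok"
    return "drop", "unknown interface"


def filter_packets(packets):
    """Apply check_packet to (iface, src, dst) tuples; keep the reasons for logging."""
    return [(pkt, *check_packet(*pkt)) for pkt in packets]


# Constructed sample traffic at the border.
SAMPLE_PACKETS = [
    ("wan0", "203.0.113.5", "10.0.0.10"),        # ordinary inbound
    ("wan0", "10.0.0.7", "10.0.0.10"),           # outsider pretending to be inside
    ("wan0", "127.0.0.1", "10.0.0.10"),          # loopback source from the internet
    ("lan0", "10.0.0.10", "198.51.100.9"),       # ordinary outbound
    ("lan0", "198.51.100.77", "198.51.100.9"),   # inside host spoofing its source
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(verdict.upper(), pkt, "-", reason)
```

The egress rule matters as much as the ingress rule: it stops hosts on the site's own network from sourcing the flooding traffic described under IP spoofing with somebody else's address, which is the cooperative behaviour that makes spoofed DoS traffic traceable.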