Network Security : Master Post

Network, Transport layer security

Key Points

Security is applied between two hosts, two routers, or a host and a router.

IPSec operates in two modes: tunnel mode and transport mode. In tunnel mode the entire IP packet, header included, is encapsulated between an IPsec header and trailer and becomes the payload of a new IP datagram, whereas in transport mode only the transport-layer payload is encapsulated between the IPsec header and trailer.

Transport mode is used when we need host-to-host protection, whereas tunnel mode is normally used between two routers, between a host and a router, or between a router and a host.

IPSec has two protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. AH provides authentication and integrity but not confidentiality.


  • B2: Behrouz A. Forouzan, "Data Communication and Networking", Tata McGraw-Hill (5th Edition), 2013.

IP security: IPSec is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. IPSec operates in one of two modes: transport mode or tunnel mode.

IPSec in transport mode does not protect the IP header; it only protects the payload coming from the transport layer.

The sending host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer.

The receiving host uses IPSec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer.

(Figure: Transport mode)
(Figure: Tunnel mode)
Eh, this works

Authentication Header Protocol

The Authentication Header protocol is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.

The protocol uses a hash function and a symmetric (secret) key to create a message digest; the digest is inserted in the authentication header (see MAC). The AH is then placed in the appropriate location, based on the mode (transport or tunnel).

When an IP datagram carries an authentication header, the original value in the protocol field of the IP header is replaced by the value 51.

mnemonic : National Public Radio Sought Secure Authorities

(Figure: Authentication Header fields, from Data Communications & Networking)

  • Next Header. The 8-bit next header field defines the type of payload carried by the IP datagram (such as TCP, UDP, ICMP, or OSPF).
  • Payload Length. The name of this 8-bit field is misleading. It does not define the length of the payload; it defines the length of the authentication header in 4-byte multiples, but it does not include the first 8 bytes.
  • Security Parameter Index. The 32-bit security parameter index (SPI) field plays the role of a virtual circuit identifier and is the same for all packets sent during a connection called a Security Association (discussed later).
  • Sequence Number. A 32-bit sequence number provides ordering information for a sequence of datagrams. The sequence numbers prevent a playback (replay). Note that the sequence number is not repeated even if a packet is retransmitted. A sequence number does not wrap around after it reaches 2^32; a new connection must be established.
  • Authentication Data. Finally, the authentication data field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit (e.g., time-to-live).
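The AH layout and the sequence-number rule above, as an added example (not from the book or the original post): a parser for the fixed AH fields that derives the real header length from the misleading Payload Length field, plus a sliding anti-replay window of the kind a receiver keeps per Security Association. The sample header bytes are constructed; the ICV is a dummy value, since verifying it needs the SA's key and the datagram with mutable fields zeroed.

```python
import struct

AH_PROTOCOL = 51    # value written into the IP protocol field when AH is present
AH_FIXED_LEN = 12   # Next Header (1) + Payload Len (1) + Reserved (2) + SPI (4) + Seq (4)


def parse_ah(buf: bytes) -> dict:
    """Parse an Authentication Header; returns its fields and the data after it."""
    if len(buf) < AH_FIXED_LEN:
        raise ValueError("truncated AH")
    next_hdr, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", buf[:AH_FIXED_LEN])
    # Payload Len counts 4-byte words of the whole AH, excluding the first 8 bytes (2 words),
    # so the true header length is (payload_len + 2) * 4.
    header_len = (payload_len + 2) * 4
    if len(buf) < header_len:
        raise ValueError("AH shorter than its Payload Length claims")
    return {"next_header": next_hdr, "header_len": header_len, "spi": spi, "seq": seq,
            "icv": buf[AH_FIXED_LEN:header_len], "payload": buf[header_len:]}


class ReplayWindow:
    """Per-SA anti-replay window: accept each 32-bit sequence number at most once."""

    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0   # bit i set => highest - i seen

    def accept(self, seq: int) -> bool:
        if seq == 0 or seq > 0xFFFFFFFF:        # first valid number is 1; no wrap-around:
            return False                         # at 2^32 a new SA must be negotiated
        if seq > self.highest:                   # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size or (self.bitmap >> diff) & 1:   # too old, or already seen
            return False
        self.bitmap |= 1 << diff
        return True


# Constructed sample: AH carrying TCP (next header 6), 12-byte dummy ICV => 24-byte AH,
# so Payload Len = 24/4 - 2 = 4. SPI 0x1234, sequence number 1, then a fake payload.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1234, 1) + b"\x11" * 12 + b"tcp-segment"


def demo() -> list:
    """Feed a constructed sequence-number stream into the window; True = accepted."""
    w = ReplayWindow()
    return [w.accept(s) for s in (1, 3, 2, 2, 1, 70, 6, 0)]
```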

Encapsulating Security Payload Protocol

The AH protocol does not provide confidentiality, only source authentication and data integrity. IPSec later defined an alternative protocol, Encapsulating Security Payload (ESP), that provides source authentication, integrity, and confidentiality.

IPSec Services

Service                                          AH    ESP
Access control                                   Yes   Yes
Message authentication (message integrity)       Yes   Yes
Entity authentication (data source authentication)   Yes   Yes
Replay attack protection                         Yes   Yes


In tunnel mode, a private datagram, including its header, is encapsulated in an ESP packet. The router at the border of the sending site uses its own IP address and the address of the router at the destination site in the new datagram.

SSL : Secure Socket Layer and Firewall

Key Points

SSL is designed to provide security and compression services to data generated from the application layer. Typically

The data received from the application is compressed (optional), signed, and encrypted.

A firewall can be used as a packet filter. It can forward or block packets based on the information in the network-layer and transport-layer headers: source and destination IP addresses, source and destination port addresses, and type of protocol (TCP or UDP).



Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol.

SSL provides several services on data received from the application layer.

  • Fragmentation. First, SSL divides the data into blocks of 2^14 bytes or less.
  • Compression. Each fragment of data is compressed using one of the lossless compression methods negotiated between the client and server. This service is optional.
  • Message Integrity. To preserve the integrity of data, SSL uses a keyed-hash function to create a MAC.
  • Confidentiality. To provide confidentiality, the original data and the MAC are encrypted using symmetric-key cryptography.
  • Framing. A header is added to the encrypted payload. The payload is then passed to a reliable transport-layer protocol.

Mnemonic : For Crying (out loud) Make Cinema Famous again

mnemonic : All Hot Crispy Almonds Require Time

ARP spoofing and attack on DNS

Key Points

Construct spoofed ARP replies.

A target computer could be convinced to send frames destined for computer A to computer B instead.

Computer A will have no idea that this redirection took place.

This process of updating a target computer’s ARP cache is referred to as “ARP poisoning”.

Three types of DoS Attacks (VPA)

  • Volume Based: consumes the bandwidth – UDP floods
  • Protocol Attack: exhausts the server or router – SYN flood
  • Application Layer Attack: crashes the web server – Slowloris

  1. Sniffing: By using ARP spoofing, all the traffic can be directed to the hacker. It is now possible to perform sniffing on a switched network.
  2. DoS: Updating ARP caches with non-existent MAC addresses will cause frames to be dropped. These could be sent out in a sweeping fashion to all clients on the network in order to cause a Denial of Service attack (DoS).
  3. MITM Attack: This could also be a post-MiM attack: target computers will continue to send frames to the attacker's MAC address even after the attacker removes themselves from the communication path. In order to perform a clean MiM attack, the hacker will restore the ARP entries.
  4. Session Hijacking: By using a MiM attack, all the traffic of a TCP connection will go through the hacker. Now it is much easier to hijack the session as compared to the method we discussed earlier in TCP exploits.
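The poisoning symptoms described in the Key Points and in items 1 to 3 (an IP that suddenly resolves to a different MAC, one MAC claiming several IPs, caches filled with non-existent MACs) are exactly what a defender watches for. The following is an added example, not from the original post: a small ARP watcher that keeps its own IP-to-MAC table and raises alerts on those symptoms. The reply records are constructed, not real captures; the MAC-per-IP limit is an assumption and must be raised for legitimate multi-homed devices.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a mirror port: (time, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (1.0, "10.0.0.1",  "aa:aa:aa:aa:aa:01"),  # gateway answers normally
    (1.5, "10.0.0.20", "aa:aa:aa:aa:aa:20"),  # host A
    (2.0, "10.0.0.30", "aa:aa:aa:aa:aa:30"),  # host B
    (3.0, "10.0.0.1",  "aa:aa:aa:aa:aa:30"),  # host B's MAC now claims the gateway IP
    (3.1, "10.0.0.20", "aa:aa:aa:aa:aa:30"),  # ...and host A's IP: both sides poisoned (MiM)
    (9.0, "10.0.0.40", "00:00:00:00:00:00"),  # bogus MAC: frames for .40 will be dropped (DoS)
]

BOGUS_MACS = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}


class ArpWatcher:
    """Tracks IP<->MAC bindings learned from ARP replies and flags poisoning symptoms."""

    def __init__(self, max_ips_per_mac: int = 1):   # assumption: one IP per NIC is normal
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []                              # (time, kind, details)

    def observe(self, ts: float, ip: str, mac: str) -> None:
        mac = mac.lower()
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:          # binding changed: classic poisoning sign
            self.alerts.append((ts, "ip-mac-change", f"{ip}: {prev} -> {mac}"))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:   # one NIC impersonating many hosts
            self.alerts.append((ts, "mac-claims-multiple-ips",
                                f"{mac}: {sorted(self.mac_to_ips[mac])}"))
        if mac in BOGUS_MACS:                         # non-existent MAC: traffic black-holed
            self.alerts.append((ts, "bogus-mac", f"{ip} -> {mac}"))


def run(replies=SAMPLE_REPLIES) -> list:
    """Replay the constructed reply stream and return the alerts raised."""
    w = ArpWatcher()
    for ts, ip, mac in replies:
        w.observe(ts, ip, mac)
    return w.alerts
```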

Protecting against Session Hijacking

  1. Use encryption
  2. Use a secure protocol
  3. Limit incoming connections
  4. Minimize remote access
  5. Have strong authentication
Virus                                      Worms
They attach themselves to the OS           They don't attach themselves to the OS
Require a user prompt to start acting      Don't require a user prompt; they are self-sufficient, strong, independent worms and can slither on their own
Damage is localised                        They are a global phenomenon
Spread relatively slowly                   Fast af!
