The telecommunication and network security domain deals with the security of voice and data communications through local area, wide area, and remote access networking. The focus is to understand the networking models such as Open Systems Interconnect (OSI) and TCP/IP models, which are the most important models that follow a layered approach to networking, as well as the security mechanisms for Internet, Intranet, and Extranet in terms of firewalls, routers, and intrusion detection and protection systems.

The telecommunication and network security domain is one of the 10 domains of the Certified Information Systems Security Professional (CISSP) exam.

In this article by M.L.Srinivasan, we will discuss the following topics:

• Different protocols that are in transport layer, network/internet layer, and link layer in the TCP/IP model
• Some threats and vulnerabilities that are prevalent to such protocols
• Common attacks and possible countermeasures
• Important technologies and the security issues associated with them

Transport layer

• The transport layer in the TCP/IP model does two things: it packages the data given out by applications to a format that is suitable for transport over the network, and it unpacks the data received from the network to a format suitable for applications.
• The process of packaging the data packets received from the applications is known as encapsulation. The output of such a process is known as datagram.
• Similarly, the process of unpacking the datagram received from the network is known as abstraction

A transport section in a protocol stack carries the information that is in the form of datagrams, Frames and Bits.

Transport layer protocols

There are many transport layer protocols that carry the transport layer functions. The most important ones are:

• Transmission Control Protocol (TCP): It is a core Internet protocol that provides reliable delivery mechanisms over the Internet. TCP is a connection-oriented protocol.
• User Datagram Protocol (UDP): This protocol is similar to TCP, but is connectionless.

A connection-oriented protocol is a protocol that guarantees delivery of datagram (packets) to the destination application by way of a suitable mechanism. For example, a three-way handshake syn, syn-ack, ack in TCP. The reliability of datagram delivery of such protocol is high.

A protocol that does not guarantee the delivery of datagram, or packets, to the destination is known as connectionless protocol. These protocols use only one-way communication. The speed of the datagram's delivery by such protocols is high.

Other transport layer protocols are as follows:

• Sequenced Packet eXchange (SPX): SPX is a part of the IPX/SPX protocol suit and used in Novell NetWare operating system. While Internetwork Packet eXchange (IPX) is a network layer protocol, SPX is a transport layer protocol.
• Stream Control Transmission Protocol (SCTP): It is a connection-oriented protocol similar to TCP, but provides facilities such as multi-streaming and multi-homing for better performance and redundancy. It is used in Unix-like operating systems.
• Appletalk Transaction Protocol (ATP): It is a proprietary protocol developed for Apple Macintosh computers.
• Datagram Congestion Control Protocol (DCCP): As the name implies, it is a transport layer protocol used for congestion control. Applications include Internet telephony and video or audio streaming over the network.
• Fiber Channel Protocol (FCP): This protocol is used in high-speed networking such as Gigabit networking. One of its prominent applications is Storage Area Network (SAN).

SAN is network architecture that's used for attaching remote storage devices such as tape drives, disk arrays, and so on to the local server. This facilitates the use of storage devices as if they were local devices.

In the following sections we'll review the most important protocols—TCP and UDP.

Transmission Control Protocol (TCP)

TCP is a connection-oriented protocol that is widely used in Internet communications. As the name implies, a protocol has two primary functions. The primary function of TCP is the transmission of datagram between applications, while the secondary function is related to controls that are necessary for ensuring reliable transmissions.

A half-open connection is a vulnerability in TCP implementation. TCP uses a three-way handshake to establish or terminate connections. Refer to the following illustration:

In a three-way handshake, first the client (workstation) sends a request to the server (www.some_website.com). This is known as an SYN request. The server acknowledges the request by sending SYN-ACK and, in the process, creates a buffer for that connection. The client does a final acknowledgement by sending ACK. TCP requires this setup because the protocol needs to ensure the reliability of packet delivery.

If the client does not send the final ACK, then the connection is known as half-open. Since the server has created a buffer for that connection, certain amounts of memory or server resources are consumed. If thousands of such half-open connections are created maliciously, the server resources may be completely consumed resulting in a denial-of-service to legitimate requests.

TCP SYN attacks are technically establishing thousands of half-open connections to consume the server resources. Two actions can be taken by an attacker. The attacker, or malicious software, will send thousands of SYN to the server and withhold the ACK. This is known as SYN flooding. Depending on the capacity of the network bandwidth and the server resources, in a span of time the entire resources will be consumed. This will result in a denial-of-service. If the source IP were blocked by some means, then the attacker, or the malicious software, would try to spoof the source IP addresses to continue the attack. This is known as SYN spoofing.

SYN attacks, such as SYN flooding and SYN spoofing, can be controlled using SYN cookies with cryptographic hash functions. In this method, the server does not create the connection at the SYN-ACK stage. The server creates a cookie with the computed hash of the source IP address, source port, destination IP, destination port, and some random values based on an algorithm, which it sends as SYN-ACK. When the server receives an ACK, it checks the details and creates the connection.

A cookie is a piece of information, usually in a form of text file, sent by the server to client. Cookies are generally stored on a client's computer and are used for purposes such as authentication, session tracking, and management.

User Datagram Protocol (UDP)

UDP is a connectionless protocol similar to TCP. However, UDP does not provide delivery guarantee of data packets.

Ping of death refers to sending a large number of ICMP packets to the server in order to crash the system.

Pinging is a process of sending Internet Control Message Protocol (ICMP) ECHO_REQUEST message to servers or hosts to check whether they are up and running. As the process implies, a server or host on network responds to a ping request which is known as echo.

Network or Internet layer

The Network or Internet layer in the TCP/IP model is for internetworking. This layer has a group of methods, functions, and protocols to facilitate communication between different networks. The communication between networks is achieved through a mechanism known as gateways.

Network/Internet layer protocols

The protocols in this layer primarily carry out the following functions:

• They pass the outgoing packets to the next layer (datalink) through the gateway
• They pass the incoming packets to the transport layer
• They provide error detection and diagnostics for the incoming and outgoing packets

Some of the important protocols in this layer are Internet Protocol (IP), Internet Communication Message Protocol (ICMP), Internet Group Management Protocol (IGMP), and Internet Protocol security (IPsec).

The ICMP is used for error and diagnostic functions, and IGMP is used in multicasting.

Multicasting refers to one-to-many communications. For example, a stock exchange may require sending stock price data to multiple groups or an IPTV to multicast to many users at once.

We'll review some of the important concepts in the Internet Protocol (IP) that are used for packet transmission and IPsec. They provide authentication and encryption services to the IP packets.

Boost your confidence and get a competitive edge to crack the exam A concise quick revision guide for CISSP exam preparation Disciplined study approach a month before exam Complete coverage of the prescribed syllabus Lot of questions on each topic for practice; an extra question bank with the latest questions http://www.packtpub.com/crack-the-cissp-exam-in-21-days/book

Internet Protocol (IP)

A connectionless protocol that is used in packet-switched networks such as the Internet. The primary function of this protocol is to send data from one computer to other.

Internet Protocol version 4 (IPv4) is a widely deployed protocol on the Internet. As the name implies, it is the fourth iteration of the protocol. It uses 32 bits for the length of the address and its maximum limit is up to 232 addresses. The number of publicly available IPv4 addresses is more or less consumed, and the Internet is moving towards IPv6.

Internet Protocol version 6 (IPv6) is designed as a successor to IPv4 address spaces. This protocol uses 128 bits for IP addresses and has an address space of 2128 IP addresses.

IPsec protocols

IPsec is a suit of protocols that is created to secure Internet Protocols (IP). It provides authentication and encryption functions. Compared to the upper-layer security protocols such as SSL or TLS, IPsec is independent of applications. It can be used to protect the application and transport layer protocols.

IPsec uses the following three protocols for various security functions:

• Internet Key Exchange (IKE): It is used to negotiate protocols and algorithms, and also to generate keys for encryption and authentication
• Authentication Header (AH): It is used to provide data origin authentication to datagrams and integrity assurance
• Encapsulation Security Payload (ESP): It is used to support encryption-only and authentication-only configurations

A Virtual Private Network (VPN) is a virtual network that is set up to use larger public network such as the Internet. The VPN uses a concept known as "tunneling" to route the data and the IPsec protocols used for end-to-end encryption.

A tunnel in a computer network, such as the VPN, is a secure path or route for the datagram to pass through an insecure or un-trusted network. Protocols such as the IPsec, the Point-to-Point Tunneling Protocol (PPTP), and Layer 2 Tunneling Protocol (L2TP) are some example of tunneling protocols.

Link layer

The methods, protocols, and specifications that are used to link hosts, or nodes, in a network are grouped as a link layer. A link layer operates close to physical layer components.

Link layer protocols

The following protocols operate on the link layer:

• Address Resolution Protocol (ARP): It is used for resolving hardware address for a given IP address
• Reverse Address Resolution Protocol (RARP): It is used to obtain IP addresses based on hardware address
• Neighbor Discovery Protocol (NDP): It is used to find neighbor nodes in an IPv6 network

Address Resolution Protocol (ARP)

This protocol is a standard method for finding hardware addresses from network layer addresses such as the Internet Protocol (IP).

ARP poisoning refers to overwriting existing entries in the ARP table with malicious addresses.

Media Access Control (MAC) is a unique hardware address that is assigned to the Network Interface Cards (NIC) or the Network Adapters.

Border Gateway Protocol (BGP)

This protocol is a type of "routing protocol" that is used in the Internet. The primary purpose is to decentralize Internet routing.

Message or data injection refers to injecting arbitrary code to the system. This is used to compromise input validation techniques.

Multi Protocol Label Switching (MPLS) is often referred to as a Layer 2.5 protocol, as it lies between Layers 2 and 3 of the OSI model. It provides greater reliability and support for circuit and packet switching based clients.

Ethernet

It is a family of frame-based networking technologies that is used in a Local Area Network (LAN).

Summary

In this article, we focused on the transport, network, and link layers of the TCP/IP model. We discussed different layers and their associated protocols, covered some specific applications related to protocols such as threats, vulnerabilities, attacks, and countermeasures. We started with the transport layer and protocols such as the TCP and UDP operating in the transport layer. It is important to note that the TCP is used where the reliability of datagram's delivery is important, and the UDP where speed of datagram's delivery is important.

We moved on to discuss the Internet Protocol (IP) which is a connectionless protocol that operates on the Internet layer. This protocol tries the best effort method to deliver data packets across the network. In fact, TCP/IP is named after these two important protocols: TCP and IP. We've also discussed the all-important IPsec, which provides end-to-end security and works on the network layer. Remember that IPsec is used for assuring security in the areas of authentication and encryption to the IP-based communications.

We have also discussed about other protocols in the TCP/IP like the Address Resolution Protocol (ARP) that is used to resolve IP addresses, and the Border Gateway Protocol (BGP) that is a routing protocol operating in the link layer..

Boost your confidence and get a competitive edge to crack the exam A concise quick revision guide for CISSP exam preparation Disciplined study approach a month before exam Complete coverage of the prescribed syllabus Lot of questions on each topic for practice; an extra question bank with the latest questions http://www.packtpub.com/crack-the-cissp-exam-in-21-days/book

About the Author

M. L. Srinivasan

Popularly known as MLS, the author is an Information Technology and Information Security professional and has about 18 years experience in various domains of IT such as Software Programming, Hardware Troubleshooting, Networking Technologies, Systems Administration, Security Administration; Information Security-related consulting, audit and training. MLS has been an avid trainer through out his career and has developed many short-term and long-term training programs. One such program is "Certified Vulnerability Assessor (cVa)", which is accredited by a leading ISO certifying agency. He's a prolific speaker and trainer and has presented many papers related to Network Security in International conventions and conferences.

He was the Technical Director of Secure Matrix, an India-based company that provides security consulting and audits. During his tenure in the last four years, he led the team of consultants to implement many ISO 27001-certification projects across India, the Middle East, and Africa.

He is a specialist IT and IS auditor with Det Norske Veritas (DNV), India region. He has performed many quality and information security audits to hundreds of medium and large organizations in the past 10 years.

He is at present the Chairman and CEO of ChennaiNet, a technology company focused on IT and IS-related product development, services, and training.