Network Data Transmission and Link Security
In most network topologies and configurations (for example, Ethernet), when a computer communicates with another over the network, the data travels on the network in cleartext and is available for examination to all computers that share that network path.
A computer equipped with sniffing software can be easily used to eavesdrop or alter the transmitted data on a network. This vulnerability has greater impact when a network is connected with another network or to the Internet.
In interconnected networks—for example, the Internet—the data might go through several other networks and computers that might attack it, violating its confidentiality and integrity.
The confidentiality and integrity of data transferred over a network link is even more crucial when it is transferred between two or more points over the Internet. When data travels through the Internet, it is available to many more computers to examine before it reaches the intended recipient.
Purchasing merchandise over the Internet using a credit card is an example of such a case. If credit card information is not transmitted confidentially, it can be hacked by anyone successfully able to sniff the data packets containing the credit card information.
Similarly, corporate data transferred or exchanged over the Internet, if not secure, is vulnerable to attack. To better understand transmission security, let's assume that we have a network A in which Alice is a network user and a network B in which Bob is a user.
The two networks are connected with each other using the Internet. We also have Eve, a hacker, who is connected to the Internet using a dialup connection and is able to examine the traffic that flows between networks A and B. This scenario is illustrated in Figure 1.
Let's assume that Alice sends Bob a message suggesting that he should send her his credit card info so that she can make reservations for the trip to Hawaii.
Bob replies to Alice's message thanking her for her help and includes his credit card information in the message that he sends to Alice.
Eve, using her sniffing software, gains access to both messages and therefore is in possession of Bob's credit card information.
Eve uses Bob's credit card to arrange the next Hackers Conference on the same day when Alice and Bob plan to be in Hawaii on vacation. The scenario we just presented shows the vulnerability that messages transmitted as plaintext over the network suffer.
Eve was able to understand the messages because they were transmitted without any security, which allowed her to understand the message and successfully exploit the vulnerability of the exchange between Bob and Alice.
There are many different types of attack possible when data is transmitted as plaintext. Our scenario of Bob, Alice, and Eve was the simplest example of transmitted message vulnerability.
Just imagine if the entire traffic of two networks was to go through the Internet! A network operating in plaintext over the Internet would be completely insecure no matter how much money was spent to build the security infrastructure.
Securing Network Transmission
As shown in the last example, transmitting precious data over the Internet could result in total disaster. In this section, we briefly discuss the common methods used to ensure the confidentiality of data transmitted over the Internet or over a public network of similar nature where data transmitted is subject to the goodwill of other network users.
At present, the network transmission is secured by authenticating the users and the devices that communicate with each other to ensure user identity and by encrypting the transmitted data to provide privacy.
Whether the communicating entities are two distinct networks or two individual computers, there are two common measures that are used to provide privacy and encryption.
Typical methods used to provide network transmission security are hardware link encrypters and virtual private networks (VPNs). In this section, we briefly talk about the authentication protocols that are used to authenticate users and devices, and that link encrypters and VPNs that provide confidentiality over a network.
Authentication over an Insecure Medium
A network communication medium is considered insecure if the users with whom the communication medium is shared cannot be trusted. Primary examples of such media include the Internet and wireless LANs. In this tutorial, we briefly talk about significance of authentication in an insecure medium.
Generally speaking, anytime a data packet leaves a workstation, it is assumed to be traveling in an insecure medium, as it is vulnerable to at least eavesdropping. Authentication involves presenting credentials (for example, username and password) to verify one's identity.
If these credentials are transmitted over an insecure medium as plaintext, the result is equivalent to presenting your credentials to all the computers in the network (or the Internet, if authentication is performed over the Internet) instead of the entity (for example, the authentication server) you wanted to authenticate yourself to.
For example, if user Alice logs on to a corporate network and types her user−name and password to authenticate herself, her credentials are then transmitted as plaintext over the network.
Eve, a hacker working in the same company, can get Alice's username and password by listening to the network traffic from Alice's workstation to the authentication server. Figure 2 shows an example of a cleartext authentication attack.
To ensure the security of an authentication mechanism, authentication protocols use cryptographic primitives to add privacy during authentication.
Depending on the authentication protocol used, credentials are normally transmitted in encrypted form. Commonly used authentication protocols are: PAP/CHAP, Extensible Authentication Protocol (EAP), and Kerberos.
Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP)
Password authentication protocol (PAP) is typically used over a popular link layer protocol known as Point−to−Point Protocol (PPP). PPP is perhaps the most common protocol used to communicate over dialup connect in TCP/IP−based networks such as the Internet or corporate Intranets.
PAP is a challenge−response type of authentication mechanism, as described earlier. There are two main weaknesses in PAP:
- PAP authenticates only the client and not the server;
- PAP sends passwords in cleartext over the network.
Challenge Handshake Authentication Protocol (CHAP) was designed to address these concerns. In CHAP both the client and server authenticate each other using secret words that have been preinstalled in each system.
In CHAP all user information including logins and passwords are encrypted. Technically PAP and CHAP authenticate machines talking to each other not the user on the system.
Extensible Authentication Protocol (EAP) is a more robust authentication protocol that is used in PPP. EAP supports multiple authentication mechanisms.
Unlike CHAP, which does authentication at the onset of the communication at the stage known as Link Control Phase, EAP first sets up the connection using the Link Control Phase but delays the authentication to a later stage known as the Authentication Phase.
Doing this allows the authenticator to request additional information, which is used to determine the specific authentication mechanism that should be used in a particular session. This also permits the separation of the communications and the authentication servers.
In this scenario the communications server is solely responsible for maintaining the communication link, while all the authentication responsibilities can be delegated to a separate server that performs the actual authentication process.
Such a scheme is most commonly used by ISPs, which have thousands of communication servers connected to telephone lines all over the world, but may have only a few central authentication servers.
Kerberos
Kerberos is a freely available authentication protocol developed and invented by Massachusetts Institute of Technology (MIT) as a solution to network security problems.
Strong cryptography is used in Kerberos for both clients and server to prove their identities over insecure network connections. To assure privacy, data integrity, and security, both the client and the server encrypt all transmissions after a client and server have used Kerberos to prove their identity.
Kerberos has been around for a while but has been unsuccessful in gaining a widespread acceptance due to the complexity involved in deploying it in a network environment.
Data Confidentiality over an Insecure Medium
All data that is transmitted over an insecure medium (wired LAN, Internet, or wireless LAN) should be transmitted in encrypted form. Without encryption, any data transmitted over such a medium can be easily compromised, resulting in disasters of varying magnitude.
For example, if a macaroni−and−cheese recipe is exchanged over the Internet in plaintext, it might not be too risky, but if two government entities exchange plans about their nuclear warheads over the Internet, the information could be very damaging in the wrong hands.
Insecurity of a medium is, therefore, determined by the type of data that is transmitted over the medium and the parties that might have access to the information while it is being transmitted.
Prior to the widespread use of the Internet, most individuals and corporations either used dialup connections or private lines to communicate over long distances.
Today, due to the lower cost of using the Internet as a transmission link compared to private lines and dialup connections, most individuals and companies are using the Internet to remotely connect with each other.
Wired LANs are considered to be a relatively secure medium, and the use of encryption is reduced to authentication processes only. Sensitive data transmission over the Internet between two entities or two corporate networks interconnected using the Internet is almost always encrypted.
The most common way to perform data encryption between two entities includes hardware−level link encrypters and the virtual private networks (VPNs).
Hardware−Level Link Encrypters
Hardware−level link encrypters normally function as ciphers between the transmitting workstations or other network devices. Each end needing to encrypt the data is attached with a link−encrypter hardware device.
All data leaving the workstation is encrypted using a cryptographic key that is pre−shared (using a secure medium of choice—for example, over the phone or a personal meeting) between the two entities engaging in encrypted transmission.
Figure 3 shows the use of link encrypters.
The link encrypters normally use a symmetric algorithm to encrypt the data before transmitting the data over the network.
The receiving entity uses the shared key to decrypt the data received and hands it over to the workstation as data received.
The wired equivalent privacy (WEP) standard used by the IEEE 802.11 standard uses a flavor of link−level encryption technique to provide confidentiality.
Virtual Private Networks (VPNs)
Today, virtual private networks (VPNs) are the most commonly used means of ensuring confidential data transmission.
As the name suggests, VPNs enable an entity (workstation, a computing device, or a remote gateway) to interconnect with a remote network over an insecure medium using a TCP/IP protocol.
VPNs provide an encrypted channel to the connected entities, and all the data exchanged between the entities is encrypted. VPNs, therefore, act like a gatekeeper between an insecure network and a LAN where they provide encrypted traffic originating from an authenticated VPN to go through a protected LAN.
Most VPNs available in the market today include a robust authentication mechanism that solves the authentication problem as well. VPNs are not only used to enable remote workstations to connect with a LAN over an insecure medium, they can also be used to interconnect two separate networks to form a single virtual private network.
In this section, we briefly talk about various components of a VPN, basic operation of VPN involving a VPN gateway and a VPN client over the Internet, and the different types of VPN solutions that are available today.
A Generic VPN Configuration
Components that are required to establish a VPN depend on the deployment and usage scenario. A generic VPN normally consists of a workstation installed with VPN client and TCP/IP network software, a VPN gateway (may consist of software or hardware), and a network link (dialup connection, the Internet, or private line) that connects the VPN client with the VPN gateway (see Figure 4).
The VPN client software normally contains cryptographic modules and network software necessary to establish a VPN session with a VPN gateway.
A VPN gateway contains cryptographic modules and network software just like the VPN client, but it also contains the VPN authentication database or uses an authentication server for authenticating the VPN clients.
VPN gateways are almost always connected with the network that the remote user wants to be connected with upon successful authentication. VPN gateways are often protected with a firewall to avoid DoS attacks.
Basic VPN Operation
Assuming a scenario where a corporate network is equipped with a VPN gateway that is connected with both the Internet and the corporate network, a VPN client installed with VPN client software and connected to the Internet via a dialup connection, a basic VPN operation can be summarized as follows:
- VPN client uses the credentials provided by the VPN user to authenticate him or her to the VPN gateway.
- Upon successful authentication, VPN gateway negotiates a cipher−suite (set of cryptographic algorithms and encryption keys) with the client VPN software in a secure manner.
- VPN gateway assigns an unused IP address to the VPN client. VPN client uses this IP address to identify itself when communicating with the remote network.
- Encrypted session between the client and server begins. Client can now access the network resource behind the VPN gateway as VPN gateway forwards any transmission that it receives from the VPN client to the corporate network it is securing.
Commonly Used VPN Implementations and Protocols
There are many different VPN protocols and implementations available today. The most commonly used VPN implementations are based on two major protocols: Point−to−Point Tunneling Protocol (PPTP) and the Internet Protocol Security (IPSec).
Point−to−Point Tunneling Protocol (PPTP)
The Point−to−Point Tunneling Protocol (PPTP) was sponsored by Microsoft Corporation, and it is implemented in Microsoft Windows 2000, Windows 98, and the newer version of Windows as well as Linux and other operating systems and popular network security equipment such as Cisco and Watchguard.
PPTP is basically an extension to PPP and allows one network to be routed over another network to connect to a private IP address space in a VPN environment.
For example, a particular organization may use one set of unrouted IP address range 10.168.0.1 to 10.168.0.254 at its main offices but may want its remote employees to connect to it through the Internet using 192.168.0.1 to 192.168.0.254.
In such a case the employee would first connect to a local ISP and would be allocated an IP address for that session. This IP address would of course be in the range of addresses serviced by that ISP, and to successfully communicate with the rest of the computers in his or her office, this user needs an IP address in the range of addresses serviced by the head office.
Using a PPTP connection, this user will establish a link to the computers in his or her office. PPTP does not use encryption, but a separate encryption protocol may be used with PPTP.
Internet Protocol Security (IPSec)
Internet Protocol Security (IPSec) is an Internet Engineering Task Force (IETF) standard, and it is documented in Request for Comments (RFC) rfc2401 [4]. This protocol is used in a manner similar to PPTP.
IPSec is a much more robust protocol and has greater flexibility and features than PPTP. The security levels in IPSec are also very high, and it allows for a variety of cryptographic mechanisms and varying key sizes.
Unlike PPTP, the security keys and secret words between the client and servers must be exchanged in advance of making the connection. IPSec is the most widely deployed VPN protocol.
Securing Network Data
To add data security features to a network, all important documents and communication must be encrypted. To ensure network data security, besides practicing a strict operational network security policy, at least the following practices must also be adopted:
- The files placed on a server must always be encrypted.
The directories containing the file must require authentication with appropriate permissions. For example, all patent pending documents should be kept on a secure file server in encrypted form with read permissions to few and modify permissions to only the inventor and the legal team.
- All important email messages must be sent in encrypted form.
When sent in encrypted form, email messages are safe from eavesdropping and integrity attacks.
- All external network connections must be secured through the use of VPN.
This allows only authorized personnel to access the network remotely. In addition to authentication−based security, the encryption feature of VPNs must be used to ensure that transmitted data is not eavesdropped upon or tampered with.