SlideShare a Scribd company logo

Module 6 Wireless Network security

nikshaikh786, profile picture
nikshaikh786

The document discusses wireless network security. It covers topics like Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and virtual private networks (VPNs). WEP was an early security standard with flaws that led to the development of WPA and WPA2 with stronger encryption. The document discusses wireless attacks and defenses, as well as secure wireless network design considerations like using encryption, mutual authentication, and intrusion detection systems. It also covers mobile IP and VPN tunneling protocols like PPTP and L2TP that allow secure remote access.

Engineering
1 of 137
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
WIRELESS NETWORK SECURITY MODULE 6
COURSE OUTCOME Students shall be able to justify security measures, standards, services and layer wise security considerations in wireless networks.
OUTLINE The need, attacks, security serviced, WEP, Mobile IP, VPN( PPTP, LLTP, IPSec), Network Layer Security, Transport Layer Security, Email Security: PGP, S/ MIME, Internet Firewalls for Trusted System Book Wireless Mobile Internet Security, 2nd Edition, Man, Young Rhee, Wiley- IEEE press
WIRED EQUIVALENT PRIVACY (WEP) Module 6
WIRELESS NETWORKS SECURITY More problematic than wired networks Open transmission media Susceptible for sniffing Wide area of coverage Higher bit error rate Needs isolation from sensitive data Requires encryption in transient
WHAT IS ENCRYPTION? The process of encoding a message or information Only authorized parties can access information Cryptography is the science Decryption is the reverse Encryption= Data Cipher Decryption= Cipher Data Sometimes requires a KEY
WIRED EQUIVALENT PRIVACY WEP Built to suit the IEEE 802.11 Wi-Fi Targets preserving data confidentiality Recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits) Included a method for encrypting data using: a shared secret and the RC4 encryption algorithm Was at one time widely in use
TAXONOMY OF 802.11 AUTHENTICATION TECHNIQUES
SHARED-KEY AUTHENTICATION MESSAGE FLOW
SHARED-KEY AUTHENTICATION MESSAGE FLOW Shared key authentication is a cryptographic technique for authentication. It is a simple “challenge response” scheme based on whether a client has knowledge of a shared secret. In this scheme, a random challenge is generated by the access point and sent to the wireless client. The client, using a cryptographic key that is shared with the AP, encrypts the challenge (or “nonce,” as it is called in security vernacular) and returns the result to the AP. The AP decrypts the result computed by the client and allows access only if the decrypted value is the same as the random challenge transmitted.
WEP DRAWBACKS Shared secrets do not remain secretive Inability to rotate WEP keys Produced stagnant shared secret implementations Accelerated WEP cracking becoming common In 2003 the Wi-Fi Alliance announced that WEP had been superseded Eliminate WEP from choices
WPA AND AES Module 6
WI-FI PROTECTED ACCESS (WPA) Announced by the Wi-Fi alliance in 2003 Security standard for wireless internet connections or Wi-Fi Improved upon and replaced the Wired Equivalent Privacy (WEP) Provides more sophisticated data encryption than WEP Offers user authentication Two versions of WPA WPA I in 2003 WPA II in 2004
WPA I The most common WPA configuration is WPA-PSK (Pre-Shared Key) The keys used by WPA are 256-bit Significant increase over the 64-bit and 128-bit keys used in the WEP system Message integrity checks (to determine if an attacker captured or altered packets between access point and client) Temporal Key Integrity Protocol (TKIP) TKIP employs a per-packet key system
WPA I DRAWBACKS WPA, like its predecessor WEP, has been shown to be vulnerable to intrusion via Proof-of-concept Applied public demonstrations The process by which WPA is breached is not a direct attack on the WPA algorithm Although such attacks have been successfully demonstrated Attacks on a supplementary system that was rolled out with WPA Wi-Fi Protected Setup (WPS) Designed to make it easy to link devices to modern access points.
WPA II WPA1 has, as of 2006, been officially superseded by WPA2 Significant changes between WPA and WPA1 The mandatory use of Advanced Encryption Standard AES algorithms The introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP TKIP is still preserved in WPA2 as a fallback system and for interoperability with WPA Security implications of the known WPA2 vulnerabilities are limited Recommended to be used on wireless networks now Available by all wireless devices vendors
WIRELESS SECURITY MISCONCEPTIONS Module 6
GENERAL MISCONCEPTIONS We aren’t using wireless for sensitive data I don’t need to worry about security We don’t have any wireless Organizations often discover that they have Rogue Access Point Unauthorized access points deployed with little or no security What about Ad-hoc networks?
MISCONCEPTIONS We cloak(hide) our SSID (Service set Identifier), so people cannot join our wireless network By passively listening to the network, an attacker can capture the network name There are some software like NSSinssider are free and it is used to show the broadcasted SSID and hidden SSID MAC-based access control restricts access to authorized users An attacker can monitor the network to identify valid MAC addresses and spoof Mac address with another valid Mac address and fools your Mac address control WEP is safe WEP is unsafe DoS attacks require expensive hardware that is not easily accessible An attacker can launch DoS attacks with  $10 wireless card  Readily-available software  Can jam your traffic and u find that your machine is not reaching access point
WIRELESS ATTACKS AND MITIGATION Module 6
TAXONOMY OF SECURITY ATTACKS Figure provides a general taxonomy of security attacks to help organizations and users understand some of the attacks against WLANs.
SECURITY ATTACKS Network security attacks are typically divided into passive and active attacks. These two broad classes are then subdivided into other types of attacks. All are defined below. Passive Attack—An attack in which an unauthorized party gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either eavesdropping or traffic analysis (sometimes called traffic flow analysis). These two passive attacks are described below. – Eavesdropping—The attacker monitors transmissions for message content. An example of this attack is a person listening into the transmissions on a LAN between two workstations or tuning into transmissions between a wireless handset and a base station. – Traffic analysis—The attacker, in a more subtle way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained
SECURITY ATTACKS Active Attack—An attack whereby an unauthorized party makes modifications to a message, data stream, or file. It is possible to detect this type of attack but it may not be preventable. Active attacks may take the form of one of four types (or combination thereof): masquerading, replay, message modification, and denial-of- service (DoS). These attacks are defined below. – Masquerading—The attacker impersonates an authorized user and thereby gains certain unauthorized privileges. – Replay—The attacker monitors transmissions (passive attack) and retransmits messages as the legitimate user. – Message modification—The attacker alters a legitimate message by deleting, adding to, changing, or reordering it. – Denial-of-service—The attacker prevents or prohibits the normal use or
EAVESDROPPING MITIGATION Use strong encryption in the lowest layer protocol possible Design your wireless networks with caution Minimize coverage area Audit your network with a packet sniffer What can an attacker see? method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network or software application. close the backdoors
MASQUERADING AND MITIGATION An attacker spoofs his identity as a legitimate node or AP Tricks unsuspecting users to giving up sensitive information Tricks an AP into authenticating malicious users Use mutual-authentication wireless protocols like PEAP or TTLS Use SSL/TLS for passing sensitive information to Web applications
DOS MITIGATION Upgrade the firmware of faulty WiFi cards Understand the impact of a DoS attack against your environment Deploy wireless intrusion detection systems IDS Prepare a response strategy
ROGUE AP AND MITIGATION Unauthorized APs connected to a private network Often installed with default settings, and without security Permits full access to a network for an unauthorized user Perform rogue AP detection Use mutual authentication wireless protocols such as PEAP or TTLS Deploy wireless intrusion detection systems Deploy a strong wireless LAN
SECURE WIRELESS DESIGN Module 6
DESIGN WITH WIRELESS
WIRELESS SECURITY Consider design at all layers of the OSI model Identify specific areas for coverage Audit the WLAN for rogues and unauthorized clients Consider wireless IDS Migrate to WPA II
INSSIDER Tool used to locate access points and determine their SSIDs MAC address: The hardware address of the device's network adapter SSID: A 32-character ID that acts like a password on a wireless LAN Name: The name of the access point, if it is available Channel: The channel that the device is using Vendor: The vendor of the device Encryption: Whether WEP is enabled or disabled
INSSIDER
INSSIDER https://www.metageek.com/products/inssider/
ACTIVITY www.menti.com
INSSIDER New in Version 5.0: channel utilization break down to show device (AP and client) airtime utilization; see connected client devices and info about client such as utilization and signal strength Gathers information from wireless card and software Helps choose the best wireless channel available Wi-Fi network information such as SSID, MAC, vendor, data rate, signal strength, and security Graphs signal strength over time Shows which Wi-Fi network channels overlap
MOBILE IP Module 6
MOBILE IP SCENARIO
MOBILE IP Mobile IP is designed to support host mobility on the internet. User is connected to one or more applications across the internet, the user’s point of attachment changes dynamically and that all connections are automatically maintained despite the change.  Server X transmits an IP datagram for mobile nodes A with A’s address in IP header. IP datagram is routed to A’s home network.  At home N/w the incoming IP datagram is intercepted by home agent. The home agent encapsulates the entire datagram inside a new IP datagram. The use of an outer IP datagram with a different destination IP address is known as “tunneling”. This IP datagram is routed to foreign agent.  Foreign agent strips off the outer IP header, encapsulates the original IP datagram in a N/w level packet data unit(PDU) and delivers the original datagram to A across the foreign network.  When A sends the IP datagram to X, it uses X’s IP address. This is a fixed address that is X is not a mobile node. Each IP datagram is sent by A to a router on the foreign network to X. This router is also a foreign agent.  The IP datagram from A to X travels directly across the Internet to X, using X’s IP address.
MOBILE IP CAPABILITIES Registration Discovery Tunneling
VPN Module 6
VPN A VPN is a private connection between two machines or networks over a shared or public network. VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. VPN turn the Internet into a simulated private WAN. VPN allows users working at home or office to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public inter-network (such as the Internet) The Internet connection over the VPN is encrypted and secure. New authentication and encryption protocols are enforced by the remote access server. Sensitive data is hidden from the public, but it is securely accessible to appropriate users through a VPN
VPN ARCHITECTURE
VPN CONNECTION There are following two ways to create a VPN connection: By dialing an Internet service provider (ISP): If you dial-in to an ISP, your ISP then makes another call to the private network's remote access server to establish the PPTP or L2TP tunnel after authentication, you can access the private network. By connecting directly to the Internet: If you are already connected to an Internet, on a local area network, a cable modem, or a digital subscriber line (DSL), you can make a tunnel through the Internet and connects directly to the remote access server. After authentication, you can access the corporate network. Host x wishes to send data a data packet to Host y. The data packet at Host A has the IP address of Host y. Host A transmits the data packet. When the data packet receives Router Rx, the IP Packet is removed. The Router inserts the payload field and sends it to Router Ry. On receiving the packet Router Ry removes the IP Packets and sends it to Host y in an Ethernet frame.
TUNNELING
TUNNELING PROTOCOL Today for secure data transmission the following tunneling protocols are used as a result of developments in VPN. PPTP (Point to Point Tunneling): This is the most commonly and widely used tunneling protocol. It is available easily in all the windows operating systems. It can be easily setup and does processing at high speeds. For including the PPP data packets the PPTP uses a control channel. It is dependent on the PPP (Point to point protocol) to provide encryption and authentication, security to the data packets. The PPTP protocol tunnels a PP session over and IP network. It is called point-to-point protocol (PPP) and TCP/IP protocol.
TUNNELING PROTOCOL Layer 2 Tunneling Protocol (L2TP): L2TP is tunneling protocol. It is an improved version of PPTP protocol. It supports LAN-LAN and user-to-LAN connectivity. It provides data integrity and confidentiality. However it does not provide any encryption or authentication i.e. it lacks in providing security. Internet Protocol Security (IPSEC): It is a collection of multiple related protocols like PPTP, L2TP, it is the most important protocol used in VPNs. IPSEC is a layer 3 protocol that authenticates every IP packet. It uses standard cryptographic methods. It provides good security.
FEATURES OF A TYPICAL VPN Keep data confidential (encryption): - Data carried on the public network must be rendered unreadable to unauthorized clients on the network. Ensure the identities of two parties communicating (authentication): The solution must verify the user's identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when. Address Management: It must assign a client's address on the private net and ensure that private addresses are kept private. Key Management: It must generate and refresh encryption keys for the client and the server. Multiprotocol Support: The solution must handle common protocols used in the public network. These include IP, Internet Packet Exchange (IPX), and so on.
DISADVANTAGES OF VPN The performance of a VPN will be more unpredictable and generally slower than dedicated lines due to public Net traffic Likewise, many more points of failure can affect a Net-based VPN than in a closed private system.
VPN DESIGN AVPN is connectivity deployed on a shared infrastructure with the same policies, security, and performance as a private network, but typically with lower total cost of ownership. The infrastructure used can be the Internet, an IP infrastructure, or any WAN infrastructure, such as a Frame Relay network or an ATM WAN. The following sections discuss these topics: ■ VPN applications ■ VPN connectivity options ■ VPN benefits
VPN APPLICATIONS VPNs can be grouped according to their applications: ■ Access VPN: Access VPNs provide access to a corporate intranet (or extranet) over a shared infrastructure and have the same policies as a private network. Remote-access connectivity is through dial-up, ISDN, DSL, wireless, or cable technologies. Access VPNs enable businesses to outsource their dial or other broadband remote access connections without compromising their security policy. The two access VPN architectures are client-initiated and Network Access Server (NAS)– initiated connections. With client-initiated VPNs, users establish an encrypted IP tunnel from their PCs across an SP’s shared network to their corporate network. With NAS-initiated VPNs, the tunnel is initiated from the NAS; in this scenario, remote users dial into the local SP point of presence (POP), and the SP initiates a secure, encrypted tunnel to the corporate network.
VPN APPLICATIONS ■ Intranet VPN: Intranet VPNs link remote offices by extending the corporate network across a shared infrastructure. The intranet VPN services are typically based on extending the basic remote-access VPN to other corporate offices across the Internet or across the SP’s IP backbone. Note that there are no performance guarantees with VPNs across the Internet—no one organization is responsible for the performance of the Internet. The main benefits of intranet VPNs are reduced WAN infrastructure needs, which result in lower ongoing leased line, Frame Relay, or other WAN charges, and operational savings. ■ Extranet VPN: Extranet VPNs extend the connectivity to business partners, suppliers, and customers across the Internet or an SP’s network. The security policy becomes very important at this point; for example, the company does not want a hacker to spoof any orders from a business partner. The main benefits of an extranet VPN are the ease of securely connecting a business partner as needed, and the ease of severing the connection with the business partner (partner today, competitor tomorrow), which becomes as simple as shutting down the VPN tunnel. Very granular rules can be created for what traffic is shared with the peer network in the extranet.
VPN CONNECTIVITY OPTIONS The following sections describe three connectivity options that provide IP access through VPNs: ■ Overlay VPNs ■ Virtual private dial-up networks (VPDN) ■ Peer-to-peer VPNs
OVERLAY VPNS With overlay VPNs, the provider’s infrastructure provides virtual point-to-point links between customer sites. Overlay VPNs are implemented with a number of technologies, including traditional Layer 1 and Layer 2 technologies (such as ISDN, SONET/SDH, Frame Relay, and ATM) overlaid with modern Layer 3 IP-based solutions (such as Generic Routing Encapsulation [GRE] and IPsec).
OVERLAY VPNS EXTEND THE ENTERPRISE NETWORK ■ Every individual virtual circuit must be provisioned. ■ Optimum routing between customer sites requires a full mesh of virtual circuits between sites. ■ Bandwidth must be provisioned on a site-to-site basis.
VPDNS VPDNs enable an enterprise to configure secure networks that rely on an ISP for connectivity. With VPDNs, the customers use a provider’s dial-in (or other type of connectivity) infrastructure for their private connections. A VPDN can be used with any available access technology. Ubiquity is important, meaning that VPDNs should work with any technology, including a modem, ISDN, xDSL, or cable connections.
VPDN FOR REMOTE ACCESS Access VPN connectivity involves the configuration of VPDN tunnels. Following are the two types of tunnels: ■ The client PC initiates voluntary tunnels. The client dials into the SP network, a PPP session is established, and the user logs on to the SP network. The client then runs the VPN software to establish a tunnel to the network server. ■ Compulsory tunnels require SP participation and awareness, giving the client no influence over tunnel selection. The client still dials in and establishes a PPP session, but the SP (not the client) establishes the tunnel to the network server.
PEER-TO-PEER VPNS In a peer-to-peer VPN, the provider actively participates in customer routing. Traditional peer-to-peer VPNs are implemented with packet filters on shared provider edge (PE) routers, or with dedicated per- customer PE routers. In addition to high maintenance costs for the packet filter approach or equipment costs for the dedicated per- customer PE-router approach, both methods require the customer to accept the provider-assigned address space or to use public IP addresses in the private customer network.
BENEFITS OF VPN The benefits of using VPNs include the following: ■ Flexibility: VPNs offer flexibility because site-to-site and remote-access connections can be set up quickly and over existing infrastructure to extend the network to remote users. Extranet connectivity for business partners is also a possibility. A variety of security policies can be provisioned in a VPN, thereby enabling flexible interconnection of different security domains. ■ Scalability: VPNs allow an organization to leverage and extend the classic WAN to more remote and external users. VPNs offer scalability over large areas because IP transport is universally available. This arrangement reduces the number of physical connections and simplifies the underlying structure of a customer’s WAN. ■ Lower network communication cost: Lower cost is a primary reason for migrating from traditional connectivity options to a VPN connection. Reduced dialup and dedicated bandwidth infrastructure and service provider costs make VPNs attractive. Customers can reuse existing links and take advantage of the statistical packet multiplexing features.
BENEFITS OF VPN Low Cost: The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial up networking. Security: VPNS secure the data access by hackers and unauthorized users by supporting different authentication methods and encryption methods. Scalability: VPNS allow more number of users to be added to their network easily without modifications in the system infrastructure. Compatibility with broadband technology: VPN provides efficient and flexible methods of accessing the network like broadband, ISDN, DSL, wireless technologies. These connections provide a cost effective method to connect to the remote offices.
IP SECURITY: IPSEC AND MODES OF IPSEC IP SECURITY: ( IPSEC ) IPSEC is a protocol to provide security for a packet at a Network layer which is often referred to as the Internet Protocol or IP layer. IPSEC helps to create confidential & authenticated packets for the IP layer. It can enhance the security of those client / server programs such as electronic mail, that use their own security protocol. It can enhance the security of those client / server programs such as HTTP, that use the security services provided at the transport layer. It can also be used to provide security to those client /server programs that do not use the security services provided at the transport layer. It can provide security for node to node communication programs such as routing protocols.
MODES OF IPSEC Modes of IPSEC Transport mode: - (it only protects the information coming from Transport layer) In this mode, IPSEC protects only the packet from the transport layer not the whole IP packet. Here the IPSEC header & trader are added to the information coming from the transport layer. The IP header is added later. This mode is normally used when we need host to host (end to end protection of data)
MODES OF IPSEC Tunnel Mode : ( IPSEC in this mode protects the original IP header )  In this mode, IPSEC protects the entire IP packet. It takes an IP packet, including the header , applies IPSEC security methods to the entire packet & then adds a new IP header.  The new IP header, has different information than the original IP header.  Tunnel mode is normally used between two route, between a host & a router or between a router & a host.
PROTOCOLS OF IPSEC Protocols of IPSEC : IPSEC defines two protocols  a. the Authentication Header (AH)  b. Encapsulation Security Payload (ESP) to provide authentication and for encryption for the packets at the IP level.
THE AUTHENTICATION HEADER (AH) 1.Authentication Header (AH) (provide source authentication & data integrity but not privacy) AH protocol is designed to authenticate the source host & to ensure the integrity of the payload carried in the IP packet. This protocol uses a hash function & a symmetric key to create a message digest; the digest is inserted via the authentication header. The AH is then placed on the appropriate location , based on the mode i .e transport or tunnel. When an IP datagram carries an authentication header, the original value in the protocol of the IP header is replaced by the value 51.
THE AUTHENTICATION HEADER (AH)
THE AUTHENTICATION HEADER (AH) The addition of an authentication header follows following steps : An AH is added to the payload with authentication data field set to 0. Padding may be added to make the total length ever for a particular hashing algorithm. Hashing is based on the total packet. However only those fields of the IP header that do not change during transmission are included in the calculation of the message digest i.e authentication data. The authentication data are inserted in the authentication header. The IP header is added after changing the value of the protocol filed to 51.
THE AUTHENTICATION HEADER (AH) Description of every field of AH protocol 1.Next header : The 8 bit header field defines the type of payload carried by the IP datagrams (such as TCP , UDP, ICMP ). The process copies the value of the protocol field in the IP datagram to this field. The value of the protocol field in the new IP datagram is now set to 51 to show that the packet carried an AH. 2.Payload length : It defined the length of the AH in 4 -byte multiples, but it does not include the first 8 bytes. 3.Security Parameter index : The 32 but SPI field plays the role of a virtual circuit identifier & is the same for all packets sent during a connection called Security Association. 4.Sequence Number : A 32 bit sequence number provides ordering information for a sequence of datagrams. It prevents a playback. Sequence number is not repeated even if a packet is retransmitted. 5.Authentication data : This field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit.
ENCAPSULATING SECURITY PROTOCOL (ESP) Encapsulating Security Protocol (ESP) (privacy achieved here)  As AH protocol does not provide privacy , IPSEC comes up with ESP protocol.  It provides source authentication , integrity & privacy.  It adds a header & trailer.  ESP's authentication data are added at the end of the packet which makes its calculation easier.  When an IP datagram carries an ESP header & trailer, the value of the protocol field in the IP header is 50.  A field inside the ESP trailer ( next header field) holds the original value of the protocol field ( the type of payload being carried by the IP datagram such as TCP or UDP )
ENCAPSULATING SECURITY PROTOCOL (ESP) •ESP procedure follows the following steps : •An ESP trailer is added to the payload. •The payload & the trailer are encrypted. •The ESP header is added. •The ESP header, payload & ESP trailer are used to create the authentication data. •The authentication data are added to the end of the ESP trailer. •The IP header is added after changing the protoco value of 50.
ENCAPSULATING SECURITY PROTOCOL (ESP) Description for the fields of ESP are as follow : a. Security parameter index : - The 32 bit security parameter index field is similar to that defined for the AH protocol. b. Sequence number : - 32 bit sequence number is also similar to AH protocol. This variable length field (0 to 25 bytes) of 0s. c. Padding : Serves as padding. d. Pad length : The 8 bit pad length field defines the number of padding bytes, the value is between 0 & 255, the max value is rare. e. Next header : - The 8 bit next header field is similar to that defined in AH protocol. It serves the same purpose as the protocol field in the IP header before encapsulation. f. Authentication data: Finally authentication data field is the result of applying an Authentication scheme to parts of the datagram. In AH part of IP header is included in the calculation of the authentication data whereas in ESP it is not.
INTERNET SECURITY PROTOCOL: SECURE SOCKET LAYER SSL ( Secure socket Layer ) This protocol is used for secure communication between the web browser & web server. SSL protocol is located between the application layer & transport layer of the TCP/IP protocol suite i.e the application layer does not forward the data directly to the transport layer but it forwards to the SSL layer & the SSL layer performs encryption. There are three protocols which are used by SSL :  Handshake Protocol  Record Protocol  Alert Protocol Handshake Protocol This is the 1st protocol which is used between the client & the server for communications.
HANDSHAKE PROTOCOL MESSAGE •Type indicated the type of message exchanged between the client & server •Length indicates the length of the message •Content indicates the actual message or the parameters
PHASES OF HANDSHAKE PROTOCOL The handshake protocol consists of four phases : i. Establish security capabilities ii. Server authentication 7 key exchange iii. Client authentication & key exchange iv. Finish
PHASES OF HANDSHAKE PROTOCOL Step 1: Establishing security capabilities This phase is limited by the client by sending a client Hello Message
PHASES OF HANDSHAKE PROTOCOL Step 2 : Server authentication & Key exchange In this phase the server initiated the communication : There server first sends its own digital certificates to the client If the server does not send its own digital certificates to the client in step 1 The server requires for client’s digital certificate, however this request id optional. There server Hello done message indicated the client that the server portion of Hello message is complete After sending all these messages, the server waits for the client’s response.
PHASES OF HANDSHAKE PROTOCOL Step 3 : Client authenticated & key exchange This phase is initiated by the client, The client sends its own certificate to the server, if & only if the server has requested it. The client generated a symmetric key which both the parties will use during the session, It is called as master key secret & the client encrypts it with the server’s public key & then it sends to the server.  This step is for client authentication for this client continues the master key secret with the random no which was agreed by the client & server earlier to generate a has & the client signs it with its own private key.
PHASES OF HANDSHAKE PROTOCOL Step 4: Finish This phase is initiated by the client.  The client sends a finish message to the server & the server replies finish message to the client.
INTERNET SECURITY PROTOCOL: TRANSPORT LAYER SECURITY(TLS) TLS protocol is the IETF standard version of SSL protocol. Whose goal is to come out with an internet version of SSL & TLS are very similar with slight difference. Following are the differences between TLS & SSL 1. Version : the current version of SSL is 3.0 & TLS is 1.0. 2. Cipher suite : SSL supports an algorithm called Fortezza whereas TLS does not support Fortezza. 3. Generation of Cryptographic secrets : TLS has more complex process of generation of cryptographic secrets than SSL. TLS uses pseudorandom function to create master secret. 4. Alert protocol : TLS supports all of the alerts defined in SSL except for no certificate, TLS also added some new ones like decryption failed, export restriction, protocol
INTERNET SECURITY PROTOCOL: TRANSPORT LAYER SECURITY(TLS) 5. Handshake protocol : TLS has made some changes in Handshake protocol, The details of the certificate verify message & the finished message have been changed. •Certificate verify message in SSL . The hash used in the certificate verify message is the two step hash of the handshake message plus a pad and the master secret, TLS has simplified the process by using hashes only over the handshake messages. •Finished messages: Hash calculation for the finished message has also been changed, TLS uses the PRF (pseudorandom function) to calculate two hashed used for finished message. 6. Record protocol : The only change in this protocol is the use of HMAC, instead of MAC for signing the message.
HANDSHAKE PROTOCOL Pseudorandom Function (PRF)  PRF is the combination of two date expansion functions, one using MD5 & the other SHA -1  PRF takes three input, a secret a label and a seed.  The label & the seed are concatenated & serves as the seed for each date- expansion function The secret is divided into two halves ; each half is used as the secret for each data expansion function. The output of two data expansion function is exclusive – ored together to create the final expanded secret.  As the hashes created froMD5 & SHA-1 are of different sized, extra section of md5 – based function must be created to make the two outputs the same size.
HANDSHAKE PROTOCOL
EMAIL SECURITY: PGP, S/ MIME MODULE 6
SECURE MAIL: PGP(PRETTY GOOD PRIVACY)  It provide email with privacy, integrity &authentication.  It can be used to create a secure e-mail message or to store a file securely for future retrieval.  PGP provides following services :  Message integrity  Message compression.  Confidentiality with one time session key.  Code conversion.  Segmentation  Most email systems allow the message to consist of only ASCII characters. To translate other characters not in the ASCII set , PGP uses Radix 64 conversion. Each character to be sent (after encryption) is converted to Radix 64 code.  PGP allows segmentation of the message after it has been converted to Radix 64 to make each transmitted unit the uniform size as allowed by underlying e-mail protocol.  PGP uses following algorithms :  Public Key Algorithms : RSA ( for signing, encryption ) , Elgamel for encryption only, DSS.  Symmetric - Key Algorithm : Blowfish, triple DES.
PGP : - (PRETTY GOOD PRIVACY) PGP Packets: -A message in PGP consists of one or more packets -PGP has generic header that applies to every packets
PGP : - (PRETTY GOOD PRIVACY) a. Tag : - This field defines a tag as an 8-bit flag, the 1st bit that is the most significant is always 1, 2nd bit is 1 if we are using the latest version. The remaining six bits can define up to 64 different packet types. b. Length: The length field defines the length of the entire packet in bytes. The size of this field is variable, it can be 1,2,or 5 bytes. The receiver can determine the number of bytes of the length field by looking at the value of the byte immediately following tag field.  Case 1: if the value of the byte after the tag field is <192, the length of the field is only byte.  Case 2: If the value of the byte after tag field is between 192 to 223 (inclusive ) the length field is two bytes.  Case 3: If the value of the byte after tag field is between 224 & 254 (inclusive) the length field is one byte. This type of length field defines only the length of part of the body o .e partial body length.  Case 4: If it is 255, then length field is of 5 bytes.
PGP : - (PRETTY GOOD PRIVACY) Types of data packets: a. Literal : This type of data packet carries or holds the actual data that is being transmitted or stored. It is most elementary types of message, it cannot carry any other packet.
PGP : - (PRETTY GOOD PRIVACY) b. Compressed Data Packet : This packet carries compressed data packets. Here the data field can be single packet or two or more packets.
PGP : - (PRETTY GOOD PRIVACY) c. Data Packet Encrypted with Secret Key : - This packet carries data from one packet or a combination of packets that have been encrypted using conventional symmetric key algorithm & before this packet is sent, a packet carrying one time session key is sent.
PGP : - (PRETTY GOOD PRIVACY) d. Signature packet : This packet protects the integrity of the data.
WORKING OF PGP In PGP, the sender of the message needs to include. the identifiers of the algorithm used in the message, along with the value of the keys. PGP starts with a digital signature. which is followed by compression, then by encryption, then by digital enveloping and finally. by Base-64 encoding. PGP allows for four security options when sending an email message, These Options are :  Signature only (Steps 1 and 2 )  Signature and Base 64 encoding (Steps 1,2 and 5 )  Signature, Encryption ,Enveloping and Base 64 encoding (Steps 1,2 and 5 )
PGP OPERATION
PGP OPERATION The receiver has to perform these four steps in the reverse direction to retrieve the original plain text email message. Step 1: Digital Signature : This is a typical process of digital signature, which we have studied many times before. In PGP, it consists of the creation of a message digest of the email message using the SHA -1 algorithm. The resulting message digest is then encrypted with the sender's private key. The result is the sender's digital signature.
PGP OPERATION Step 2: Compression : This is an additional step in PGP, Here, the input message as well as the digital signature are compressed together to reduce the size of the final message that will be transmitted. For this , the famous ZIP program is used. ZIP is based on the Lempel Ziv algorithm. The Lempel Ziv algorithm looks for repeated strings or words and stores them in variables. It then replaces the actual occurrence of the repeated words to string with a pointer to the corresponding variable . Since a pointer requires only a few bits of memory as compared to the original string, this method results in the data being compressed. For instance , consider the following string : What is your name ? My name is Atul. Using the Lempel Ziv algorithm, we would create two variables, say A and B and replace the words is and name by pointers to A and B respectively. This is shown in the figure
PGP OPERATION As we can see, the resulting string What 1 your 2 ? My 2 1 Atul is smaller compared to the original string, What is your name ? My name is Atul. Of course , the bigger the original string, the better the compression gets The same process works for PGP.
PGP OPERATION Step 3 : Encryption : In this step, the compressed output of step 2 (i .e the compressed form of the original email and the digital signature together ) are encrypted with a symmetric key. For this, generally the IDEA algorithm in CFB mode is used. Step 4 : Digital Enveloping : In this case, the symmetric key is used for encryption with the receiver's public key. The output of step 3 and step 4 together form a digital envelope.
PGP OPERATION Step 5 : Base 64 encoding : The output of step 4 is Base-64 and is encoded now.
PGP MESSAGES -In PGP, a message is a combination of sequenced and/or nested packets. All the combinations of packets cant make a message, but still some examples are shown below to give some idea. a. Encrypted Message: It can be a sequence of two packets, a session key packet & a symmetrically encrypted packet.
PGP MESSAGES b. Signed Message : It can be the combination of a signature packet & a literal packet as shown below
PGP MESSAGES c. Certificate Message: Certificate can take many forms, one simple example is the combination of user ID packet & a public - key packet as shown below Signature is calculated on the concatenation of the key & user ID.
APPLICATION Extensively used for personal e-mails.
SECURE MAIL: S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION) It is an enhancement of MIME protocol. –S / MIME adds some new content types to include security service to the MIME. All these new types include the parameter " application / pkcs7-mime", in which 'pkcs' defines "Public Key cryptography Specification" Cryptographic Message Syntax (cms) S/MIME has defined CMS, the syntax in each case defined the exact encoding scheme for each content type. following content type describe the type of message & different sub types that are created from the messages. a.Data content types: - This is an arbitrary string. The object created is called Data. b.Signed- Data content type: - This type provides only integrity of data. It contains any type & zero or more signature values. The encoded result is called signed data. figure below shows the process of creating an object of this type. following are the steps in the process
following are the steps in the process 1.for each signer ,a message digest is created from the content using a specific header algorithm chosen by that signer. 2.Each message digest is signal with the private key of the signs. 3.The content signature values , certificates are then collected to create the 'signed data object'.
c.Enveloped -Data content type : This type is used to provide privacy for the message. It contains any type & zero or more encrypted keys & certificated. The encoded result is an object called enveloped data . Below figure shows the process of creating an object of this type. 1. A pseudorandom session key is created for the symmetric key algorithm to be used. 2. For each recipient, a copy of the session key is encrypted with the public key of each recipient. 3. The content is encrypted using the defined Algorithm & created session key. 4. The encrypted contents, encrypted session keys, algorithm used & certificate are encoded using radix 64 .
SECURE MAIL: S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION) d.Encrypted data type content type : This type is used to create an encrypted session of any content type. This is similar to the enveloped data content type, the encrypted data content type has no recipient. It can be used to store the encrypted data instead of transmitting it. The process is very simple , the user employs any key & any algorithm to encrypt the content. The encrypted content is stored without including the key or the algorithm.The object created is called encrypted data.
Authenticated -Data content type: This type is used to provide authentication of the data. The object is called authenticated Data. figure below shows the process. 1.using a pseudorandom generator, a MAC key is generated for each recipient. 2.The MAC key is encrypted with the public key of the recipient. 3. A MAC is created for the content. 4.The content MAC, algorithms & other information are collected together to for the authenticated Data object.
KEY MANAGEMENT The key management in S/MIME is a combination of key management used by X.509 & PGP. S/MIME uses public-key certificates signed by the certificate authorities defined by X.509. However, the user is responsible to maintain the web of trust to verify the signature as defined by PGP.
APPLICATIONS OF S/MIME It is predicted that S/MIME will become the industry choice to provide security for commercial email.
WHY USING FIREWALLS? Module 6
WHAT IS FIREWALL? Firewall is one of the most effective security tools Protects internal network users from external threats Resides between two or more networks Controls the traffic between networks Helps prevent unauthorized access
WHY FIREWALLS?
FIREWALLS BENEFITS Protect internal/external systems from attack Filter communications based on content Perform NAT (Network Address Translation) Logging to aid in intrusion detection and forensics
SHORTCOMINGS OF FIREWALLS Attacks at the application layer may sneak through Some connections may bypass firewalls like: Dial-up Virtual Private Network (VPN) Extranet Organizations may let down their guard in other security areas such as: Passwords Patches Encryption
FIREWALL PLACEMENT
FIREWALL IN WIRELESS NETWORK MODULE 6
FIREWALLS A firewall is a term used for a ``barrier'' between a network of machines and users that operate under a common security policy and generally trust each other, and the outside world. In recent years, firewalls have become enormously popular on the Internet. In large part, this is due to the fact that most existing operating systems have essentially no security, and were designed under the assumption that machines and users would trust each other. A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
FIREWALLS
REASONS TO USE FIREWALLS There are two basic reasons for using a firewall at present: To save money in concentrating your security on a small number of components, and to simplify the architecture of a system by restricting access only to machines that trust each other. Firewalls are often regarded as some as an irritation because they are often regarded as an impediment to accessing resources. This is not a fundamental flaw of firewalls, but rather is the result of failing to keep up with demands to improve the firewall.
HOW ARE FIREWALLS USED? Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
FIREWALLS RULES MODULE 6
DEFAULT RULE Firewall rule controls the decision of the firewall on inspected traffic Controls what happens when a packet does not match an existing rule: Default deny- more restrictive Default allow- more permissive
DEFAULT RULE EFFECT Default deny helps protect against previously unknown: Attacks Vulnerabilities Consider the effect that the default rule will have on your security posture Default Allow is more suitable for educational and training organizations Default Deny is more suitable for security authorities and banks
EXAMPLE FIREWALL RULES IF Source IP==163.121.25.10 AND Destination IP==163.121.11.12 AND Source Port==2050 AND Destination Port==80 Then ACCEPT IF Source IP==163.121.25.10 AND Destination IP==163.121.11.12 AND Source Port==2050 AND Destination Port==80 Then REJECT These are detected inside the header of the packet
FIREWALL ACTION Filtering: Egress filtering (filter outgoing traffic); Ingress filtering (filter incoming traffic)
MANAGED ACCESS
TYPICAL FIREWALL DESIGNS Default-deny approach (white-list): Have a list of allowable traffic and block the rest. Default-allow approach (black-list): Have a list of non allowable traffic and allow the rest. – A good design needs to have a hybrid of these two approaches
TYPES OF FIREWALLS Following are the types of Firewalls Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:
PACKET FILTER A packet filter firewall is a stateless firewall that looks at only the packet headers to decide whether or not to drop a packet. Stateless means it does not keep track of the decisions taken on any packet. The decision taken on a packet is independent of the decision taken on the preceding packets. The code for packet filters will become lengthy as we want to block traffic belonging to specific networks, IP addresses and transport layer protocols.
PACKET FILTER Thus, need efficient filtering algorithms. The packet filter firewall applies a set of rules to each & every packet & based on the rule it will decide whether to accept the packet or reject the packet. It receives each packet & checks with the rule. Suppose the rule is to block all the packets coming from a port other than 80 then the firewall will block all the packets entering the internal system.
PACKET FILTER Attacks Detected by Packet Filters • IP Spoofing Attacks: Have the packet filter configured not to let in packets having a source address that corresponds to the internal network. For example, the attacker has spoofed the source IP address to be the IP address of a machine belonging to the network being protected by the firewall. • Source routing attacks: where source specifies the route that a packet should take to bypass security measures, should discard all source routed packets • Tiny fragment attacks: Intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into fewer separate fragments to circumvent filtering rules needing full header info; can enforce minimum fragment size to include full header.
PACKET FILTER Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing. Packet-filtering firewalls validate packets based on protocol, source and/or destination IP addresses, source and/or destination port numbers, time range, Differentiate Services Code Point (DSCP), type of service (ToS), and various other parameters within the IP header. Advantages The primary advantage of packet-filtering firewalls is that they are located in just about every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all have the capability of being a packet-filtering firewall.
PROXY FIREWALLS Maintains complete TCP connection state and sequencing through 2 connections User to proxy session Proxy to destination server session Process table manages to keep the connections straight The most secure form of firewall Slower performance
APPLICATION GATEWAY Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation. Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). It inspects all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
APPLICATION GATEWAY Application Gateway firewall is also called as 'Proxy Server' The internal user first requests the application gateway such as HTTP, FTP, telnet Etc. The application gateway will track the IP address of the user & provide access to the remote host on behalf of the user.
CIRCUIT-LEVEL GATEWAY Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Most circuit-gateway firewalls are implemented using SOCKS, a tool that includes a set of client libraries for proxy interfaces with clients. SOCKS receives an incoming connection from clients, and if the connections are allowed, it provides the data necessary for each client to connect to the application. Each client then invokes a set of commands to the gateway. The circuit-gateway firewall imposes all predefined restrictions, such as the particular commands that can be executed, and establishes a connection to the destination on the client's behalf. To users, this process appears transparent
PROXY SERVER Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.
STATEFUL INSPECTION FIREWALL Unlike packet filtering firewall stateful firewall keeps track of state of a connection which may be initiation data transfer. A drawback of packet filters is that they are stateless and they have no memory of previous packets which makes them vulnerable to spoofing attacks. Stateful inspection firewall examines a group of packets at the same time. Stateful firewall operates at following layers of OSI model.  Session  Transport  Network
THANK YOU

More Related Content

PDF
Security Delivery Platform: Best practices
Mihajlo Prerad
 
PPTX
Wireless network security
Aurobindo Nayak
 
PPTX
Wireless Networks-ASH-NEW
Ash Technologies
 
PPT
Wireless networks
Derick Ochia
 
PPTX
Module 5 Wireless Network Design Considerations
nikshaikh786
 
PDF
Wireless Lan Security
SANDEEPONSLIDESHARE
 
PPTX
Wireless LAN Security
Abu Rayhan Ahmmed Rimu
 
PPSX
WI FI
ajaya024
 
Security Delivery Platform: Best practices
Mihajlo Prerad
 
Wireless network security
Aurobindo Nayak
 
Wireless Networks-ASH-NEW
Ash Technologies
 
Wireless networks
Derick Ochia
 
Module 5 Wireless Network Design Considerations
nikshaikh786
 
Wireless Lan Security
SANDEEPONSLIDESHARE
 
Wireless LAN Security
Abu Rayhan Ahmmed Rimu
 
WI FI
ajaya024
 

What's hot (20)

PPTX
2020 wifi Ready
vandanamahatha1
 
PPTX
WLAN SECURITY BY SAIKIRAN PANJALA
Saikiran Panjala
 
PPT
Wireless LAN security
Rajan Kumar
 
PPTX
Wireless LAN Security by Arpit Bhatia
Arpit Bhatia
 
PPTX
Wireless lan security
Ankit Anand
 
PPT
Wlan networking and security
akki_hearts
 
PPSX
Security & Privacy in WLAN - A Primer and Case Study
Mohammad Mahmud Kabir
 
PPTX
Wifi- technology_moni
MD MONIRUZZAMAN
 
PDF
Wi-fi Hacking
Paul Gillingwater, MBA
 
PPTX
Wi-fi technology-ppt-13p61a0558
Praveen Reddy
 
PDF
Module 15 (hacking wireless networks)
Wail Hassan
 
PDF
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
IJNSA Journal
 
PPT
Wlan security
Sajan Sahu
 
PPTX
Wireless security
paripec
 
PPTX
Wireless standards
Ajay Suresh
 
PDF
Carrier grade wi fi integration architecture
Satish Chavan
 
PPTX
Wlan security
Upasona Roy
 
PPT
VPN
Shiraz316
 
PPT
Vp npresentation 2
Swarup Kumar Mall
 
PPT
Wireless networksppt
dxmuthu
 
2020 wifi Ready
vandanamahatha1
 
WLAN SECURITY BY SAIKIRAN PANJALA
Saikiran Panjala
 
Wireless LAN security
Rajan Kumar
 
Wireless LAN Security by Arpit Bhatia
Arpit Bhatia
 
Wireless lan security
Ankit Anand
 
Wlan networking and security
akki_hearts
 
Security & Privacy in WLAN - A Primer and Case Study
Mohammad Mahmud Kabir
 
Wifi- technology_moni
MD MONIRUZZAMAN
 
Wi-fi Hacking
Paul Gillingwater, MBA
 
Wi-fi technology-ppt-13p61a0558
Praveen Reddy
 
Module 15 (hacking wireless networks)
Wail Hassan
 
SECURING IEEE 802.11G WLAN USING OPENVPN AND ITS IMPACT ANALYSIS
IJNSA Journal
 
Wlan security
Sajan Sahu
 
Wireless security
paripec
 
Wireless standards
Ajay Suresh
 
Carrier grade wi fi integration architecture
Satish Chavan
 
Wlan security
Upasona Roy
 
VPN
Shiraz316
 
Vp npresentation 2
Swarup Kumar Mall
 
Wireless networksppt
dxmuthu
 
Ad

Similar to Module 6 Wireless Network security (20)

PPT
4 wifi security
al-sari7
 
PPTX
Wireless security
vinay chitrakathi
 
PPTX
Wireless network security
Vishal Agarwal
 
PDF
Analysis Of Security In Wireless Network
Steven Wallach
 
PPTX
Chương 2_2_Final (1).pptxfffffffffffffffffffffff
tranviethung30503
 
PPT
chapter 8.ppt
KidaneKenenisa1
 
PPTX
Security standard
lyndyv
 
PPTX
Wpa2 psk security measure
Shivam Singh
 
PDF
ECE560 Wireless and Mobile Security Fall2020..pdf
TuulTriyason
 
PPT
chapter 7 -wireless network security.ppt
abenimelos
 
PPTX
WIRELESS_SECURITY.pptx
AdityaKulkarni571462
 
PPT
254460979-ishant abcd-098765432222-1.ppt
zainabsaiyad566
 
PPT
Shashank wireless lans security
Shashank Srivastava
 
PPT
5169 wireless network_security_amine_k
Rama Krishna M
 
PPTX
Wireless lan security(10.8)
SubashiniRathinavel
 
PPTX
Wireless Communiction Security
Meet Soni
 
PPT
Wireless and WLAN Secuirty, Presented by Vijay
thevijayps
 
PDF
Wireless Security | Wireless Network Security
Lumiverse Solutions Pvt Ltd
 
PPT
Wireless Device and Network level security
Chetan Kumar S
 
PPTX
Wireless_Networks_Paragraph_Style_Final.pptx
SheshnaBoolakee1
 
4 wifi security
al-sari7
 
Wireless security
vinay chitrakathi
 
Wireless network security
Vishal Agarwal
 
Analysis Of Security In Wireless Network
Steven Wallach
 
Chương 2_2_Final (1).pptxfffffffffffffffffffffff
tranviethung30503
 
chapter 8.ppt
KidaneKenenisa1
 
Security standard
lyndyv
 
Wpa2 psk security measure
Shivam Singh
 
ECE560 Wireless and Mobile Security Fall2020..pdf
TuulTriyason
 
chapter 7 -wireless network security.ppt
abenimelos
 
WIRELESS_SECURITY.pptx
AdityaKulkarni571462
 
254460979-ishant abcd-098765432222-1.ppt
zainabsaiyad566
 
Shashank wireless lans security
Shashank Srivastava
 
5169 wireless network_security_amine_k
Rama Krishna M
 
Wireless lan security(10.8)
SubashiniRathinavel
 
Wireless Communiction Security
Meet Soni
 
Wireless and WLAN Secuirty, Presented by Vijay
thevijayps
 
Wireless Security | Wireless Network Security
Lumiverse Solutions Pvt Ltd
 
Wireless Device and Network level security
Chetan Kumar S
 
Wireless_Networks_Paragraph_Style_Final.pptx
SheshnaBoolakee1
 
Ad

More from nikshaikh786 (20)

PPTX
Module 2_ Divide and Conquer Approach.pptx
nikshaikh786
 
PPTX
Module 1_ Introduction.pptx
nikshaikh786
 
PPTX
Module 1_ Introduction to Mobile Computing.pptx
nikshaikh786
 
PPTX
Module 2_ GSM Mobile services.pptx
nikshaikh786
 
PPTX
MODULE 4_ CLUSTERING.pptx
nikshaikh786
 
PPTX
MODULE 5 _ Mining frequent patterns and associations.pptx
nikshaikh786
 
PDF
DWM-MODULE 6.pdf
nikshaikh786
 
PDF
TCS MODULE 6.pdf
nikshaikh786
 
PPTX
Module 3_ Classification.pptx
nikshaikh786
 
PPTX
Module 2_ Introduction to Data Mining, Data Exploration and Data Pre-processi...
nikshaikh786
 
PPTX
Module 1_Data Warehousing Fundamentals.pptx
nikshaikh786
 
PPTX
Module 2_ Cyber offenses & Cybercrime.pptx
nikshaikh786
 
PPTX
Module 1- Introduction to Cybercrime.pptx
nikshaikh786
 
PPTX
MODULE 5- EDA.pptx
nikshaikh786
 
PPTX
MODULE 4-Text Analytics.pptx
nikshaikh786
 
PPTX
Module 3 - Time Series.pptx
nikshaikh786
 
PPTX
Module 2_ Regression Models..pptx
nikshaikh786
 
PPTX
MODULE 1_Introduction to Data analytics and life cycle..pptx
nikshaikh786
 
PPTX
IOE MODULE 6.pptx
nikshaikh786
 
PDF
MAD&PWA VIVA QUESTIONS.pdf
nikshaikh786
 
Module 2_ Divide and Conquer Approach.pptx
nikshaikh786
 
Module 1_ Introduction.pptx
nikshaikh786
 
Module 1_ Introduction to Mobile Computing.pptx
nikshaikh786
 
Module 2_ GSM Mobile services.pptx
nikshaikh786
 
MODULE 4_ CLUSTERING.pptx
nikshaikh786
 
MODULE 5 _ Mining frequent patterns and associations.pptx
nikshaikh786
 
DWM-MODULE 6.pdf
nikshaikh786
 
TCS MODULE 6.pdf
nikshaikh786
 
Module 3_ Classification.pptx
nikshaikh786
 
Module 2_ Introduction to Data Mining, Data Exploration and Data Pre-processi...
nikshaikh786
 
Module 1_Data Warehousing Fundamentals.pptx
nikshaikh786
 
Module 2_ Cyber offenses & Cybercrime.pptx
nikshaikh786
 
Module 1- Introduction to Cybercrime.pptx
nikshaikh786
 
MODULE 5- EDA.pptx
nikshaikh786
 
MODULE 4-Text Analytics.pptx
nikshaikh786
 
Module 3 - Time Series.pptx
nikshaikh786
 
Module 2_ Regression Models..pptx
nikshaikh786
 
MODULE 1_Introduction to Data analytics and life cycle..pptx
nikshaikh786
 
IOE MODULE 6.pptx
nikshaikh786
 
MAD&PWA VIVA QUESTIONS.pdf
nikshaikh786
 

Recently uploaded (20)

PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
PPTX
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
Welding lecture in detail for understanding
sahilpoonia10
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
Internet of Things (IOT) - A guide to understanding
Davies Chacko
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
Project quality management in manufacturing
BarMusaTetik
 

Module 6 Wireless Network security

  • 2. COURSE OUTCOME Students shall be able to justify security measures, standards, services and layer wise security considerations in wireless networks.
  • 3. OUTLINE The need, attacks, security serviced, WEP, Mobile IP, VPN( PPTP, LLTP, IPSec), Network Layer Security, Transport Layer Security, Email Security: PGP, S/ MIME, Internet Firewalls for Trusted System Book Wireless Mobile Internet Security, 2nd Edition, Man, Young Rhee, Wiley- IEEE press
  • 5. WIRELESS NETWORKS SECURITY More problematic than wired networks Open transmission media Susceptible for sniffing Wide area of coverage Higher bit error rate Needs isolation from sensitive data Requires encryption in transient
  • 6. WHAT IS ENCRYPTION? The process of encoding a message or information Only authorized parties can access information Cryptography is the science Decryption is the reverse Encryption= Data Cipher Decryption= Cipher Data Sometimes requires a KEY
  • 7. WIRED EQUIVALENT PRIVACY WEP Built to suit the IEEE 802.11 Wi-Fi Targets preserving data confidentiality Recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits) Included a method for encrypting data using: a shared secret and the RC4 encryption algorithm Was at one time widely in use
  • 10. SHARED-KEY AUTHENTICATION MESSAGE FLOW Shared key authentication is a cryptographic technique for authentication. It is a simple “challenge response” scheme based on whether a client has knowledge of a shared secret. In this scheme, a random challenge is generated by the access point and sent to the wireless client. The client, using a cryptographic key that is shared with the AP, encrypts the challenge (or “nonce,” as it is called in security vernacular) and returns the result to the AP. The AP decrypts the result computed by the client and allows access only if the decrypted value is the same as the random challenge transmitted.
  • 11. WEP DRAWBACKS Shared secrets do not remain secretive Inability to rotate WEP keys Produced stagnant shared secret implementations Accelerated WEP cracking becoming common In 2003 the Wi-Fi Alliance announced that WEP had been superseded Eliminate WEP from choices
  • 13. WI-FI PROTECTED ACCESS (WPA) Announced by the Wi-Fi alliance in 2003 Security standard for wireless internet connections or Wi-Fi Improved upon and replaced the Wired Equivalent Privacy (WEP) Provides more sophisticated data encryption than WEP Offers user authentication Two versions of WPA WPA I in 2003 WPA II in 2004
  • 14. WPA I The most common WPA configuration is WPA-PSK (Pre-Shared Key) The keys used by WPA are 256-bit Significant increase over the 64-bit and 128-bit keys used in the WEP system Message integrity checks (to determine if an attacker captured or altered packets between access point and client) Temporal Key Integrity Protocol (TKIP) TKIP employs a per-packet key system
  • 15. WPA I DRAWBACKS WPA, like its predecessor WEP, has been shown to be vulnerable to intrusion via Proof-of-concept Applied public demonstrations The process by which WPA is breached is not a direct attack on the WPA algorithm Although such attacks have been successfully demonstrated Attacks on a supplementary system that was rolled out with WPA Wi-Fi Protected Setup (WPS) Designed to make it easy to link devices to modern access points.
  • 16. WPA II WPA1 has, as of 2006, been officially superseded by WPA2 Significant changes between WPA and WPA1 The mandatory use of Advanced Encryption Standard AES algorithms The introduction of CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol) as a replacement for TKIP TKIP is still preserved in WPA2 as a fallback system and for interoperability with WPA Security implications of the known WPA2 vulnerabilities are limited Recommended to be used on wireless networks now Available by all wireless devices vendors
  • 18. GENERAL MISCONCEPTIONS We aren’t using wireless for sensitive data I don’t need to worry about security We don’t have any wireless Organizations often discover that they have Rogue Access Point Unauthorized access points deployed with little or no security What about Ad-hoc networks?
  • 19. MISCONCEPTIONS We cloak(hide) our SSID (Service set Identifier), so people cannot join our wireless network By passively listening to the network, an attacker can capture the network name There are some software like NSSinssider are free and it is used to show the broadcasted SSID and hidden SSID MAC-based access control restricts access to authorized users An attacker can monitor the network to identify valid MAC addresses and spoof Mac address with another valid Mac address and fools your Mac address control WEP is safe WEP is unsafe DoS attacks require expensive hardware that is not easily accessible An attacker can launch DoS attacks with  $10 wireless card  Readily-available software  Can jam your traffic and u find that your machine is not reaching access point
  • 21. TAXONOMY OF SECURITY ATTACKS Figure provides a general taxonomy of security attacks to help organizations and users understand some of the attacks against WLANs.
  • 22. SECURITY ATTACKS Network security attacks are typically divided into passive and active attacks. These two broad classes are then subdivided into other types of attacks. All are defined below. Passive Attack—An attack in which an unauthorized party gains access to an asset and does not modify its content (i.e., eavesdropping). Passive attacks can be either eavesdropping or traffic analysis (sometimes called traffic flow analysis). These two passive attacks are described below. – Eavesdropping—The attacker monitors transmissions for message content. An example of this attack is a person listening into the transmissions on a LAN between two workstations or tuning into transmissions between a wireless handset and a base station. – Traffic analysis—The attacker, in a more subtle way, gains intelligence by monitoring the transmissions for patterns of communication. A considerable amount of information is contained
  • 23. SECURITY ATTACKS Active Attack—An attack whereby an unauthorized party makes modifications to a message, data stream, or file. It is possible to detect this type of attack but it may not be preventable. Active attacks may take the form of one of four types (or combination thereof): masquerading, replay, message modification, and denial-of- service (DoS). These attacks are defined below. – Masquerading—The attacker impersonates an authorized user and thereby gains certain unauthorized privileges. – Replay—The attacker monitors transmissions (passive attack) and retransmits messages as the legitimate user. – Message modification—The attacker alters a legitimate message by deleting, adding to, changing, or reordering it. – Denial-of-service—The attacker prevents or prohibits the normal use or
  • 24. EAVESDROPPING MITIGATION Use strong encryption in the lowest layer protocol possible Design your wireless networks with caution Minimize coverage area Audit your network with a packet sniffer What can an attacker see? method by which authorized and unauthorized users are able to get around normal security measures and gain high level user access (aka root access) on a computer system, network or software application. close the backdoors
  • 25. MASQUERADING AND MITIGATION An attacker spoofs his identity as a legitimate node or AP Tricks unsuspecting users to giving up sensitive information Tricks an AP into authenticating malicious users Use mutual-authentication wireless protocols like PEAP or TTLS Use SSL/TLS for passing sensitive information to Web applications
  • 26. DOS MITIGATION Upgrade the firmware of faulty WiFi cards Understand the impact of a DoS attack against your environment Deploy wireless intrusion detection systems IDS Prepare a response strategy
  • 27. ROGUE AP AND MITIGATION Unauthorized APs connected to a private network Often installed with default settings, and without security Permits full access to a network for an unauthorized user Perform rogue AP detection Use mutual authentication wireless protocols such as PEAP or TTLS Deploy wireless intrusion detection systems Deploy a strong wireless LAN
  • 30. WIRELESS SECURITY Consider design at all layers of the OSI model Identify specific areas for coverage Audit the WLAN for rogues and unauthorized clients Consider wireless IDS Migrate to WPA II
  • 31. INSSIDER Tool used to locate access points and determine their SSIDs MAC address: The hardware address of the device's network adapter SSID: A 32-character ID that acts like a password on a wireless LAN Name: The name of the access point, if it is available Channel: The channel that the device is using Vendor: The vendor of the device Encryption: Whether WEP is enabled or disabled
  • 35. INSSIDER New in Version 5.0: channel utilization break down to show device (AP and client) airtime utilization; see connected client devices and info about client such as utilization and signal strength Gathers information from wireless card and software Helps choose the best wireless channel available Wi-Fi network information such as SSID, MAC, vendor, data rate, signal strength, and security Graphs signal strength over time Shows which Wi-Fi network channels overlap
  • 38. MOBILE IP Mobile IP is designed to support host mobility on the internet. User is connected to one or more applications across the internet, the user’s point of attachment changes dynamically and that all connections are automatically maintained despite the change.  Server X transmits an IP datagram for mobile nodes A with A’s address in IP header. IP datagram is routed to A’s home network.  At home N/w the incoming IP datagram is intercepted by home agent. The home agent encapsulates the entire datagram inside a new IP datagram. The use of an outer IP datagram with a different destination IP address is known as “tunneling”. This IP datagram is routed to foreign agent.  Foreign agent strips off the outer IP header, encapsulates the original IP datagram in a N/w level packet data unit(PDU) and delivers the original datagram to A across the foreign network.  When A sends the IP datagram to X, it uses X’s IP address. This is a fixed address that is X is not a mobile node. Each IP datagram is sent by A to a router on the foreign network to X. This router is also a foreign agent.  The IP datagram from A to X travels directly across the Internet to X, using X’s IP address.
  • 41. VPN A VPN is a private connection between two machines or networks over a shared or public network. VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. VPN turn the Internet into a simulated private WAN. VPN allows users working at home or office to connect in a secure fashion to a remote corporate server using the routing infrastructure provided by a public inter-network (such as the Internet) The Internet connection over the VPN is encrypted and secure. New authentication and encryption protocols are enforced by the remote access server. Sensitive data is hidden from the public, but it is securely accessible to appropriate users through a VPN
  • 43. VPN CONNECTION There are following two ways to create a VPN connection: By dialing an Internet service provider (ISP): If you dial-in to an ISP, your ISP then makes another call to the private network's remote access server to establish the PPTP or L2TP tunnel after authentication, you can access the private network. By connecting directly to the Internet: If you are already connected to an Internet, on a local area network, a cable modem, or a digital subscriber line (DSL), you can make a tunnel through the Internet and connects directly to the remote access server. After authentication, you can access the corporate network. Host x wishes to send data a data packet to Host y. The data packet at Host A has the IP address of Host y. Host A transmits the data packet. When the data packet receives Router Rx, the IP Packet is removed. The Router inserts the payload field and sends it to Router Ry. On receiving the packet Router Ry removes the IP Packets and sends it to Host y in an Ethernet frame.
  • 45. TUNNELING PROTOCOL Today for secure data transmission the following tunneling protocols are used as a result of developments in VPN. PPTP (Point to Point Tunneling): This is the most commonly and widely used tunneling protocol. It is available easily in all the windows operating systems. It can be easily setup and does processing at high speeds. For including the PPP data packets the PPTP uses a control channel. It is dependent on the PPP (Point to point protocol) to provide encryption and authentication, security to the data packets. The PPTP protocol tunnels a PP session over and IP network. It is called point-to-point protocol (PPP) and TCP/IP protocol.
  • 46. TUNNELING PROTOCOL Layer 2 Tunneling Protocol (L2TP): L2TP is tunneling protocol. It is an improved version of PPTP protocol. It supports LAN-LAN and user-to-LAN connectivity. It provides data integrity and confidentiality. However it does not provide any encryption or authentication i.e. it lacks in providing security. Internet Protocol Security (IPSEC): It is a collection of multiple related protocols like PPTP, L2TP, it is the most important protocol used in VPNs. IPSEC is a layer 3 protocol that authenticates every IP packet. It uses standard cryptographic methods. It provides good security.
  • 47. FEATURES OF A TYPICAL VPN Keep data confidential (encryption): - Data carried on the public network must be rendered unreadable to unauthorized clients on the network. Ensure the identities of two parties communicating (authentication): The solution must verify the user's identity and restrict VPN access to authorized users only. It must also provide audit and accounting records to show who accessed what information and when. Address Management: It must assign a client's address on the private net and ensure that private addresses are kept private. Key Management: It must generate and refresh encryption keys for the client and the server. Multiprotocol Support: The solution must handle common protocols used in the public network. These include IP, Internet Packet Exchange (IPX), and so on.
  • 48. DISADVANTAGES OF VPN The performance of a VPN will be more unpredictable and generally slower than dedicated lines due to public Net traffic Likewise, many more points of failure can affect a Net-based VPN than in a closed private system.
  • 49. VPN DESIGN AVPN is connectivity deployed on a shared infrastructure with the same policies, security, and performance as a private network, but typically with lower total cost of ownership. The infrastructure used can be the Internet, an IP infrastructure, or any WAN infrastructure, such as a Frame Relay network or an ATM WAN. The following sections discuss these topics: ■ VPN applications ■ VPN connectivity options ■ VPN benefits
  • 50. VPN APPLICATIONS VPNs can be grouped according to their applications: ■ Access VPN: Access VPNs provide access to a corporate intranet (or extranet) over a shared infrastructure and have the same policies as a private network. Remote-access connectivity is through dial-up, ISDN, DSL, wireless, or cable technologies. Access VPNs enable businesses to outsource their dial or other broadband remote access connections without compromising their security policy. The two access VPN architectures are client-initiated and Network Access Server (NAS)– initiated connections. With client-initiated VPNs, users establish an encrypted IP tunnel from their PCs across an SP’s shared network to their corporate network. With NAS-initiated VPNs, the tunnel is initiated from the NAS; in this scenario, remote users dial into the local SP point of presence (POP), and the SP initiates a secure, encrypted tunnel to the corporate network.
  • 51. VPN APPLICATIONS ■ Intranet VPN: Intranet VPNs link remote offices by extending the corporate network across a shared infrastructure. The intranet VPN services are typically based on extending the basic remote-access VPN to other corporate offices across the Internet or across the SP’s IP backbone. Note that there are no performance guarantees with VPNs across the Internet—no one organization is responsible for the performance of the Internet. The main benefits of intranet VPNs are reduced WAN infrastructure needs, which result in lower ongoing leased line, Frame Relay, or other WAN charges, and operational savings. ■ Extranet VPN: Extranet VPNs extend the connectivity to business partners, suppliers, and customers across the Internet or an SP’s network. The security policy becomes very important at this point; for example, the company does not want a hacker to spoof any orders from a business partner. The main benefits of an extranet VPN are the ease of securely connecting a business partner as needed, and the ease of severing the connection with the business partner (partner today, competitor tomorrow), which becomes as simple as shutting down the VPN tunnel. Very granular rules can be created for what traffic is shared with the peer network in the extranet.
  • 52. VPN CONNECTIVITY OPTIONS The following sections describe three connectivity options that provide IP access through VPNs: ■ Overlay VPNs ■ Virtual private dial-up networks (VPDN) ■ Peer-to-peer VPNs
  • 53. OVERLAY VPNS With overlay VPNs, the provider’s infrastructure provides virtual point-to-point links between customer sites. Overlay VPNs are implemented with a number of technologies, including traditional Layer 1 and Layer 2 technologies (such as ISDN, SONET/SDH, Frame Relay, and ATM) overlaid with modern Layer 3 IP-based solutions (such as Generic Routing Encapsulation [GRE] and IPsec).
  • 54. OVERLAY VPNS EXTEND THE ENTERPRISE NETWORK ■ Every individual virtual circuit must be provisioned. ■ Optimum routing between customer sites requires a full mesh of virtual circuits between sites. ■ Bandwidth must be provisioned on a site-to-site basis.
  • 55. VPDNS VPDNs enable an enterprise to configure secure networks that rely on an ISP for connectivity. With VPDNs, the customers use a provider’s dial-in (or other type of connectivity) infrastructure for their private connections. A VPDN can be used with any available access technology. Ubiquity is important, meaning that VPDNs should work with any technology, including a modem, ISDN, xDSL, or cable connections.
  • 56. VPDN FOR REMOTE ACCESS Access VPN connectivity involves the configuration of VPDN tunnels. Following are the two types of tunnels: ■ The client PC initiates voluntary tunnels. The client dials into the SP network, a PPP session is established, and the user logs on to the SP network. The client then runs the VPN software to establish a tunnel to the network server. ■ Compulsory tunnels require SP participation and awareness, giving the client no influence over tunnel selection. The client still dials in and establishes a PPP session, but the SP (not the client) establishes the tunnel to the network server.
  • 57. PEER-TO-PEER VPNS In a peer-to-peer VPN, the provider actively participates in customer routing. Traditional peer-to-peer VPNs are implemented with packet filters on shared provider edge (PE) routers, or with dedicated per- customer PE routers. In addition to high maintenance costs for the packet filter approach or equipment costs for the dedicated per- customer PE-router approach, both methods require the customer to accept the provider-assigned address space or to use public IP addresses in the private customer network.
  • 58. BENEFITS OF VPN The benefits of using VPNs include the following: ■ Flexibility: VPNs offer flexibility because site-to-site and remote-access connections can be set up quickly and over existing infrastructure to extend the network to remote users. Extranet connectivity for business partners is also a possibility. A variety of security policies can be provisioned in a VPN, thereby enabling flexible interconnection of different security domains. ■ Scalability: VPNs allow an organization to leverage and extend the classic WAN to more remote and external users. VPNs offer scalability over large areas because IP transport is universally available. This arrangement reduces the number of physical connections and simplifies the underlying structure of a customer’s WAN. ■ Lower network communication cost: Lower cost is a primary reason for migrating from traditional connectivity options to a VPN connection. Reduced dialup and dedicated bandwidth infrastructure and service provider costs make VPNs attractive. Customers can reuse existing links and take advantage of the statistical packet multiplexing features.
  • 59. BENEFITS OF VPN Low Cost: The main benefit of a VPN is the potential for significant cost savings compared to traditional leased lines or dial up networking. Security: VPNS secure the data access by hackers and unauthorized users by supporting different authentication methods and encryption methods. Scalability: VPNS allow more number of users to be added to their network easily without modifications in the system infrastructure. Compatibility with broadband technology: VPN provides efficient and flexible methods of accessing the network like broadband, ISDN, DSL, wireless technologies. These connections provide a cost effective method to connect to the remote offices.
  • 60. IP SECURITY: IPSEC AND MODES OF IPSEC IP SECURITY: ( IPSEC ) IPSEC is a protocol to provide security for a packet at a Network layer which is often referred to as the Internet Protocol or IP layer. IPSEC helps to create confidential & authenticated packets for the IP layer. It can enhance the security of those client / server programs such as electronic mail, that use their own security protocol. It can enhance the security of those client / server programs such as HTTP, that use the security services provided at the transport layer. It can also be used to provide security to those client /server programs that do not use the security services provided at the transport layer. It can provide security for node to node communication programs such as routing protocols.
  • 61. MODES OF IPSEC Modes of IPSEC Transport mode: - (it only protects the information coming from Transport layer) In this mode, IPSEC protects only the packet from the transport layer not the whole IP packet. Here the IPSEC header & trader are added to the information coming from the transport layer. The IP header is added later. This mode is normally used when we need host to host (end to end protection of data)
  • 62. MODES OF IPSEC Tunnel Mode : ( IPSEC in this mode protects the original IP header )  In this mode, IPSEC protects the entire IP packet. It takes an IP packet, including the header , applies IPSEC security methods to the entire packet & then adds a new IP header.  The new IP header, has different information than the original IP header.  Tunnel mode is normally used between two route, between a host & a router or between a router & a host.
  • 63. PROTOCOLS OF IPSEC Protocols of IPSEC : IPSEC defines two protocols  a. the Authentication Header (AH)  b. Encapsulation Security Payload (ESP) to provide authentication and for encryption for the packets at the IP level.
  • 64. THE AUTHENTICATION HEADER (AH) 1.Authentication Header (AH) (provide source authentication & data integrity but not privacy) AH protocol is designed to authenticate the source host & to ensure the integrity of the payload carried in the IP packet. This protocol uses a hash function & a symmetric key to create a message digest; the digest is inserted via the authentication header. The AH is then placed on the appropriate location , based on the mode i .e transport or tunnel. When an IP datagram carries an authentication header, the original value in the protocol of the IP header is replaced by the value 51.
  • 66. THE AUTHENTICATION HEADER (AH) The addition of an authentication header follows following steps : An AH is added to the payload with authentication data field set to 0. Padding may be added to make the total length ever for a particular hashing algorithm. Hashing is based on the total packet. However only those fields of the IP header that do not change during transmission are included in the calculation of the message digest i.e authentication data. The authentication data are inserted in the authentication header. The IP header is added after changing the value of the protocol filed to 51.
  • 67. THE AUTHENTICATION HEADER (AH) Description of every field of AH protocol 1.Next header : The 8 bit header field defines the type of payload carried by the IP datagrams (such as TCP , UDP, ICMP ). The process copies the value of the protocol field in the IP datagram to this field. The value of the protocol field in the new IP datagram is now set to 51 to show that the packet carried an AH. 2.Payload length : It defined the length of the AH in 4 -byte multiples, but it does not include the first 8 bytes. 3.Security Parameter index : The 32 but SPI field plays the role of a virtual circuit identifier & is the same for all packets sent during a connection called Security Association. 4.Sequence Number : A 32 bit sequence number provides ordering information for a sequence of datagrams. It prevents a playback. Sequence number is not repeated even if a packet is retransmitted. 5.Authentication data : This field is the result of applying a hash function to the entire IP datagram except for the fields that are changed during transit.
  • 68. ENCAPSULATING SECURITY PROTOCOL (ESP) Encapsulating Security Protocol (ESP) (privacy achieved here)  As AH protocol does not provide privacy , IPSEC comes up with ESP protocol.  It provides source authentication , integrity & privacy.  It adds a header & trailer.  ESP's authentication data are added at the end of the packet which makes its calculation easier.  When an IP datagram carries an ESP header & trailer, the value of the protocol field in the IP header is 50.  A field inside the ESP trailer ( next header field) holds the original value of the protocol field ( the type of payload being carried by the IP datagram such as TCP or UDP )
  • 69. ENCAPSULATING SECURITY PROTOCOL (ESP) •ESP procedure follows the following steps : •An ESP trailer is added to the payload. •The payload & the trailer are encrypted. •The ESP header is added. •The ESP header, payload & ESP trailer are used to create the authentication data. •The authentication data are added to the end of the ESP trailer. •The IP header is added after changing the protoco value of 50.
  • 70. ENCAPSULATING SECURITY PROTOCOL (ESP) Description for the fields of ESP are as follow : a. Security parameter index : - The 32 bit security parameter index field is similar to that defined for the AH protocol. b. Sequence number : - 32 bit sequence number is also similar to AH protocol. This variable length field (0 to 25 bytes) of 0s. c. Padding : Serves as padding. d. Pad length : The 8 bit pad length field defines the number of padding bytes, the value is between 0 & 255, the max value is rare. e. Next header : - The 8 bit next header field is similar to that defined in AH protocol. It serves the same purpose as the protocol field in the IP header before encapsulation. f. Authentication data: Finally authentication data field is the result of applying an Authentication scheme to parts of the datagram. In AH part of IP header is included in the calculation of the authentication data whereas in ESP it is not.
  • 71. INTERNET SECURITY PROTOCOL: SECURE SOCKET LAYER SSL ( Secure socket Layer ) This protocol is used for secure communication between the web browser & web server. SSL protocol is located between the application layer & transport layer of the TCP/IP protocol suite i.e the application layer does not forward the data directly to the transport layer but it forwards to the SSL layer & the SSL layer performs encryption. There are three protocols which are used by SSL :  Handshake Protocol  Record Protocol  Alert Protocol Handshake Protocol This is the 1st protocol which is used between the client & the server for communications.
  • 72. HANDSHAKE PROTOCOL MESSAGE •Type indicated the type of message exchanged between the client & server •Length indicates the length of the message •Content indicates the actual message or the parameters
  • 73. PHASES OF HANDSHAKE PROTOCOL The handshake protocol consists of four phases : i. Establish security capabilities ii. Server authentication 7 key exchange iii. Client authentication & key exchange iv. Finish
  • 74. PHASES OF HANDSHAKE PROTOCOL Step 1: Establishing security capabilities This phase is limited by the client by sending a client Hello Message
  • 75. PHASES OF HANDSHAKE PROTOCOL Step 2 : Server authentication & Key exchange In this phase the server initiated the communication : There server first sends its own digital certificates to the client If the server does not send its own digital certificates to the client in step 1 The server requires for client’s digital certificate, however this request id optional. There server Hello done message indicated the client that the server portion of Hello message is complete After sending all these messages, the server waits for the client’s response.
  • 76. PHASES OF HANDSHAKE PROTOCOL Step 3 : Client authenticated & key exchange This phase is initiated by the client, The client sends its own certificate to the server, if & only if the server has requested it. The client generated a symmetric key which both the parties will use during the session, It is called as master key secret & the client encrypts it with the server’s public key & then it sends to the server.  This step is for client authentication for this client continues the master key secret with the random no which was agreed by the client & server earlier to generate a has & the client signs it with its own private key.
  • 77. PHASES OF HANDSHAKE PROTOCOL Step 4: Finish This phase is initiated by the client.  The client sends a finish message to the server & the server replies finish message to the client.
  • 78. INTERNET SECURITY PROTOCOL: TRANSPORT LAYER SECURITY(TLS) TLS protocol is the IETF standard version of SSL protocol. Whose goal is to come out with an internet version of SSL & TLS are very similar with slight difference. Following are the differences between TLS & SSL 1. Version : the current version of SSL is 3.0 & TLS is 1.0. 2. Cipher suite : SSL supports an algorithm called Fortezza whereas TLS does not support Fortezza. 3. Generation of Cryptographic secrets : TLS has more complex process of generation of cryptographic secrets than SSL. TLS uses pseudorandom function to create master secret. 4. Alert protocol : TLS supports all of the alerts defined in SSL except for no certificate, TLS also added some new ones like decryption failed, export restriction, protocol
  • 79. INTERNET SECURITY PROTOCOL: TRANSPORT LAYER SECURITY(TLS) 5. Handshake protocol : TLS has made some changes in Handshake protocol, The details of the certificate verify message & the finished message have been changed. •Certificate verify message in SSL . The hash used in the certificate verify message is the two step hash of the handshake message plus a pad and the master secret, TLS has simplified the process by using hashes only over the handshake messages. •Finished messages: Hash calculation for the finished message has also been changed, TLS uses the PRF (pseudorandom function) to calculate two hashed used for finished message. 6. Record protocol : The only change in this protocol is the use of HMAC, instead of MAC for signing the message.
  • 80. HANDSHAKE PROTOCOL Pseudorandom Function (PRF)  PRF is the combination of two date expansion functions, one using MD5 & the other SHA -1  PRF takes three input, a secret a label and a seed.  The label & the seed are concatenated & serves as the seed for each date- expansion function The secret is divided into two halves ; each half is used as the secret for each data expansion function. The output of two data expansion function is exclusive – ored together to create the final expanded secret.  As the hashes created froMD5 & SHA-1 are of different sized, extra section of md5 – based function must be created to make the two outputs the same size.
  • 82. EMAIL SECURITY: PGP, S/ MIME MODULE 6
  • 83. SECURE MAIL: PGP(PRETTY GOOD PRIVACY)  It provide email with privacy, integrity &authentication.  It can be used to create a secure e-mail message or to store a file securely for future retrieval.  PGP provides following services :  Message integrity  Message compression.  Confidentiality with one time session key.  Code conversion.  Segmentation  Most email systems allow the message to consist of only ASCII characters. To translate other characters not in the ASCII set , PGP uses Radix 64 conversion. Each character to be sent (after encryption) is converted to Radix 64 code.  PGP allows segmentation of the message after it has been converted to Radix 64 to make each transmitted unit the uniform size as allowed by underlying e-mail protocol.  PGP uses following algorithms :  Public Key Algorithms : RSA ( for signing, encryption ) , Elgamel for encryption only, DSS.  Symmetric - Key Algorithm : Blowfish, triple DES.
  • 84. PGP : - (PRETTY GOOD PRIVACY) PGP Packets: -A message in PGP consists of one or more packets -PGP has generic header that applies to every packets
  • 85. PGP : - (PRETTY GOOD PRIVACY) a. Tag : - This field defines a tag as an 8-bit flag, the 1st bit that is the most significant is always 1, 2nd bit is 1 if we are using the latest version. The remaining six bits can define up to 64 different packet types. b. Length: The length field defines the length of the entire packet in bytes. The size of this field is variable, it can be 1,2,or 5 bytes. The receiver can determine the number of bytes of the length field by looking at the value of the byte immediately following tag field.  Case 1: if the value of the byte after the tag field is <192, the length of the field is only byte.  Case 2: If the value of the byte after tag field is between 192 to 223 (inclusive ) the length field is two bytes.  Case 3: If the value of the byte after tag field is between 224 & 254 (inclusive) the length field is one byte. This type of length field defines only the length of part of the body o .e partial body length.  Case 4: If it is 255, then length field is of 5 bytes.
  • 86. PGP : - (PRETTY GOOD PRIVACY) Types of data packets: a. Literal : This type of data packet carries or holds the actual data that is being transmitted or stored. It is most elementary types of message, it cannot carry any other packet.
  • 87. PGP : - (PRETTY GOOD PRIVACY) b. Compressed Data Packet : This packet carries compressed data packets. Here the data field can be single packet or two or more packets.
  • 88. PGP : - (PRETTY GOOD PRIVACY) c. Data Packet Encrypted with Secret Key : - This packet carries data from one packet or a combination of packets that have been encrypted using conventional symmetric key algorithm & before this packet is sent, a packet carrying one time session key is sent.
  • 89. PGP : - (PRETTY GOOD PRIVACY) d. Signature packet : This packet protects the integrity of the data.
  • 90. WORKING OF PGP In PGP, the sender of the message needs to include. the identifiers of the algorithm used in the message, along with the value of the keys. PGP starts with a digital signature. which is followed by compression, then by encryption, then by digital enveloping and finally. by Base-64 encoding. PGP allows for four security options when sending an email message, These Options are :  Signature only (Steps 1 and 2 )  Signature and Base 64 encoding (Steps 1,2 and 5 )  Signature, Encryption ,Enveloping and Base 64 encoding (Steps 1,2 and 5 )
  • 92. PGP OPERATION The receiver has to perform these four steps in the reverse direction to retrieve the original plain text email message. Step 1: Digital Signature : This is a typical process of digital signature, which we have studied many times before. In PGP, it consists of the creation of a message digest of the email message using the SHA -1 algorithm. The resulting message digest is then encrypted with the sender's private key. The result is the sender's digital signature.
  • 93. PGP OPERATION Step 2: Compression : This is an additional step in PGP, Here, the input message as well as the digital signature are compressed together to reduce the size of the final message that will be transmitted. For this , the famous ZIP program is used. ZIP is based on the Lempel Ziv algorithm. The Lempel Ziv algorithm looks for repeated strings or words and stores them in variables. It then replaces the actual occurrence of the repeated words to string with a pointer to the corresponding variable . Since a pointer requires only a few bits of memory as compared to the original string, this method results in the data being compressed. For instance , consider the following string : What is your name ? My name is Atul. Using the Lempel Ziv algorithm, we would create two variables, say A and B and replace the words is and name by pointers to A and B respectively. This is shown in the figure
  • 94. PGP OPERATION As we can see, the resulting string What 1 your 2 ? My 2 1 Atul is smaller compared to the original string, What is your name ? My name is Atul. Of course , the bigger the original string, the better the compression gets The same process works for PGP.
  • 95. PGP OPERATION Step 3 : Encryption : In this step, the compressed output of step 2 (i .e the compressed form of the original email and the digital signature together ) are encrypted with a symmetric key. For this, generally the IDEA algorithm in CFB mode is used. Step 4 : Digital Enveloping : In this case, the symmetric key is used for encryption with the receiver's public key. The output of step 3 and step 4 together form a digital envelope.
  • 96. PGP OPERATION Step 5 : Base 64 encoding : The output of step 4 is Base-64 and is encoded now.
  • 97. PGP MESSAGES -In PGP, a message is a combination of sequenced and/or nested packets. All the combinations of packets cant make a message, but still some examples are shown below to give some idea. a. Encrypted Message: It can be a sequence of two packets, a session key packet & a symmetrically encrypted packet.
  • 98. PGP MESSAGES b. Signed Message : It can be the combination of a signature packet & a literal packet as shown below
  • 99. PGP MESSAGES c. Certificate Message: Certificate can take many forms, one simple example is the combination of user ID packet & a public - key packet as shown below Signature is calculated on the concatenation of the key & user ID.
  • 100. APPLICATION Extensively used for personal e-mails.
  • 101. SECURE MAIL: S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION) It is an enhancement of MIME protocol. –S / MIME adds some new content types to include security service to the MIME. All these new types include the parameter " application / pkcs7-mime", in which 'pkcs' defines "Public Key cryptography Specification" Cryptographic Message Syntax (cms) S/MIME has defined CMS, the syntax in each case defined the exact encoding scheme for each content type. following content type describe the type of message & different sub types that are created from the messages. a.Data content types: - This is an arbitrary string. The object created is called Data. b.Signed- Data content type: - This type provides only integrity of data. It contains any type & zero or more signature values. The encoded result is called signed data. figure below shows the process of creating an object of this type. following are the steps in the process
  • 102. following are the steps in the process 1.for each signer ,a message digest is created from the content using a specific header algorithm chosen by that signer. 2.Each message digest is signal with the private key of the signs. 3.The content signature values , certificates are then collected to create the 'signed data object'.
  • 103. c.Enveloped -Data content type : This type is used to provide privacy for the message. It contains any type & zero or more encrypted keys & certificated. The encoded result is an object called enveloped data . Below figure shows the process of creating an object of this type. 1. A pseudorandom session key is created for the symmetric key algorithm to be used. 2. For each recipient, a copy of the session key is encrypted with the public key of each recipient. 3. The content is encrypted using the defined Algorithm & created session key. 4. The encrypted contents, encrypted session keys, algorithm used & certificate are encoded using radix 64 .
  • 104. SECURE MAIL: S/MIME (SECURE/MULTIPURPOSE INTERNET MAIL EXTENSION) d.Encrypted data type content type : This type is used to create an encrypted session of any content type. This is similar to the enveloped data content type, the encrypted data content type has no recipient. It can be used to store the encrypted data instead of transmitting it. The process is very simple , the user employs any key & any algorithm to encrypt the content. The encrypted content is stored without including the key or the algorithm.The object created is called encrypted data.
  • 105. Authenticated -Data content type: This type is used to provide authentication of the data. The object is called authenticated Data. figure below shows the process. 1.using a pseudorandom generator, a MAC key is generated for each recipient. 2.The MAC key is encrypted with the public key of the recipient. 3. A MAC is created for the content. 4.The content MAC, algorithms & other information are collected together to for the authenticated Data object.
  • 106. KEY MANAGEMENT The key management in S/MIME is a combination of key management used by X.509 & PGP. S/MIME uses public-key certificates signed by the certificate authorities defined by X.509. However, the user is responsible to maintain the web of trust to verify the signature as defined by PGP.
  • 107. APPLICATIONS OF S/MIME It is predicted that S/MIME will become the industry choice to provide security for commercial email.
  • 108. WHY USING FIREWALLS? Module 6
  • 109. WHAT IS FIREWALL? Firewall is one of the most effective security tools Protects internal network users from external threats Resides between two or more networks Controls the traffic between networks Helps prevent unauthorized access
  • 111. FIREWALLS BENEFITS Protect internal/external systems from attack Filter communications based on content Perform NAT (Network Address Translation) Logging to aid in intrusion detection and forensics
  • 112. SHORTCOMINGS OF FIREWALLS Attacks at the application layer may sneak through Some connections may bypass firewalls like: Dial-up Virtual Private Network (VPN) Extranet Organizations may let down their guard in other security areas such as: Passwords Patches Encryption
  • 115. FIREWALLS A firewall is a term used for a ``barrier'' between a network of machines and users that operate under a common security policy and generally trust each other, and the outside world. In recent years, firewalls have become enormously popular on the Internet. In large part, this is due to the fact that most existing operating systems have essentially no security, and were designed under the assumption that machines and users would trust each other. A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both.
  • 117. REASONS TO USE FIREWALLS There are two basic reasons for using a firewall at present: To save money in concentrating your security on a small number of components, and to simplify the architecture of a system by restricting access only to machines that trust each other. Firewalls are often regarded as some as an irritation because they are often regarded as an impediment to accessing resources. This is not a fundamental flaw of firewalls, but rather is the result of failing to keep up with demands to improve the firewall.
  • 118. HOW ARE FIREWALLS USED? Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
  • 120. DEFAULT RULE Firewall rule controls the decision of the firewall on inspected traffic Controls what happens when a packet does not match an existing rule: Default deny- more restrictive Default allow- more permissive
  • 121. DEFAULT RULE EFFECT Default deny helps protect against previously unknown: Attacks Vulnerabilities Consider the effect that the default rule will have on your security posture Default Allow is more suitable for educational and training organizations Default Deny is more suitable for security authorities and banks
  • 122. EXAMPLE FIREWALL RULES IF Source IP==163.121.25.10 AND Destination IP==163.121.11.12 AND Source Port==2050 AND Destination Port==80 Then ACCEPT IF Source IP==163.121.25.10 AND Destination IP==163.121.11.12 AND Source Port==2050 AND Destination Port==80 Then REJECT These are detected inside the header of the packet
  • 123. FIREWALL ACTION Filtering: Egress filtering (filter outgoing traffic); Ingress filtering (filter incoming traffic)
  • 125. TYPICAL FIREWALL DESIGNS Default-deny approach (white-list): Have a list of allowable traffic and block the rest. Default-allow approach (black-list): Have a list of non allowable traffic and allow the rest. – A good design needs to have a hybrid of these two approaches
  • 126. TYPES OF FIREWALLS Following are the types of Firewalls Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through:
  • 127. PACKET FILTER A packet filter firewall is a stateless firewall that looks at only the packet headers to decide whether or not to drop a packet. Stateless means it does not keep track of the decisions taken on any packet. The decision taken on a packet is independent of the decision taken on the preceding packets. The code for packet filters will become lengthy as we want to block traffic belonging to specific networks, IP addresses and transport layer protocols.
  • 128. PACKET FILTER Thus, need efficient filtering algorithms. The packet filter firewall applies a set of rules to each & every packet & based on the rule it will decide whether to accept the packet or reject the packet. It receives each packet & checks with the rule. Suppose the rule is to block all the packets coming from a port other than 80 then the firewall will block all the packets entering the internal system.
  • 129. PACKET FILTER Attacks Detected by Packet Filters • IP Spoofing Attacks: Have the packet filter configured not to let in packets having a source address that corresponds to the internal network. For example, the attacker has spoofed the source IP address to be the IP address of a machine belonging to the network being protected by the firewall. • Source routing attacks: where source specifies the route that a packet should take to bypass security measures, should discard all source routed packets • Tiny fragment attacks: Intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into fewer separate fragments to circumvent filtering rules needing full header info; can enforce minimum fragment size to include full header.
  • 130. PACKET FILTER Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing. Packet-filtering firewalls validate packets based on protocol, source and/or destination IP addresses, source and/or destination port numbers, time range, Differentiate Services Code Point (DSCP), type of service (ToS), and various other parameters within the IP header. Advantages The primary advantage of packet-filtering firewalls is that they are located in just about every device on the network. Routers, switches, wireless access points, Virtual Private Network (VPN) concentrators, and so on may all have the capability of being a packet-filtering firewall.
  • 131. PROXY FIREWALLS Maintains complete TCP connection state and sequencing through 2 connections User to proxy session Proxy to destination server session Process table manages to keep the connections straight The most secure form of firewall Slower performance
  • 132. APPLICATION GATEWAY Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation. Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). It inspects all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
  • 133. APPLICATION GATEWAY Application Gateway firewall is also called as 'Proxy Server' The internal user first requests the application gateway such as HTTP, FTP, telnet Etc. The application gateway will track the IP address of the user & provide access to the remote host on behalf of the user.
  • 134. CIRCUIT-LEVEL GATEWAY Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. Most circuit-gateway firewalls are implemented using SOCKS, a tool that includes a set of client libraries for proxy interfaces with clients. SOCKS receives an incoming connection from clients, and if the connections are allowed, it provides the data necessary for each client to connect to the application. Each client then invokes a set of commands to the gateway. The circuit-gateway firewall imposes all predefined restrictions, such as the particular commands that can be executed, and establishes a connection to the destination on the client's behalf. To users, this process appears transparent
  • 135. PROXY SERVER Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. A proxy server (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, while blocking other packets. A proxy server is a gateway from one network to another for a specific network application, in the sense that it functions as a proxy on behalf of the network user.
  • 136. STATEFUL INSPECTION FIREWALL Unlike packet filtering firewall stateful firewall keeps track of state of a connection which may be initiation data transfer. A drawback of packet filters is that they are stateless and they have no memory of previous packets which makes them vulnerable to spoofing attacks. Stateful inspection firewall examines a group of packets at the same time. Stateful firewall operates at following layers of OSI model.  Session  Transport  Network