This is a non-technical guide that will familiarize you with the transport layer. Its main purpose is to point out why we need major security implementation on the transport layer: what happens if the components of this layer get compromised?
Introduction
In today's digital world, every business has its website. Whether it is a small firm or a big agency, government or non-government, it has a website and uses websites. The number of individuals and companies accessing the internet has clearly increased rapidly. As businesses around the globe grow, they want the internet to act as web e-commerce for their business so that they can manage everything centrally. However, over the years we have seen that web services across the internet are vulnerable in various ways. No business wants to put itself into a vulnerable environment. As a result, security is also in demand in the corporate world.
Web applications and services are a very broad topic. As mentioned in the title, we are going to discuss security only for those parts that are related to the transport layer. By that criterion, only SSH, TLS/SSL and HTTPS qualify.
Security Deliberation in Web
The WWW is nothing but a client/server application running on the internet using TCP/IP. A number of security auditing tools and mechanisms address network security considerations, but there are many new vulnerabilities that those tools and mechanisms do not yet recognize.
Unlike traditional publishing environments, the internet is two-way, between clients and servers. Attacks can be made on the client application as well as on the web server. Web servers are the heart of the corporate world, where a bunch of general and sensitive information is stored. If those web servers are compromised, the organization's reputation and money can be lost in no time. Web browsers are easy to use, and web servers are very easy to configure and manage; that is how we produce digital information in mass. The table below shows the security threats which we are facing and have faced up to now. There are two types of threats: passive threats and active threats.
| Category | Threat | Impact of Threat | Mitigation |
|---|---|---|---|
| Authentication | Passing invalid data; Impersonating a valid user | False information being accepted and attacker may get access; Access to personal data on behalf of the legitimate user | Use cryptography mechanism |
| Integrity | Trojan in browser; User data modification; Message modification in network traffic | Compromise of machine; Information loss | Use cryptography checksums |
| Denial of Service | Flood server with bogus requests; Filling server memory; DNS attack for machine isolation | Legitimate users cannot work due to long waiting state; The server breaks down completely | IPS/IDS, Honeypot, Firewalls |
| Confidentiality | MITM attack; Information theft from server & client | Privacy loss | Web proxies, Encryption techniques |
Passive threat: This includes a man-in-the-middle attack on the network traffic between server and client in order to gain access to the information being shared between them. Generally, the information which the attacker gains this way is restricted to that client and server.
Active threat: Here the attacker directly impersonates a user, network or website in order to gain information which is usually restricted.
Apart from these two categories, we can also categorize web threats by where they occur between client and server: web browser, web server and network traffic.
Security Approaches in Web Traffic
There are a number of security approaches available to address each web threat. Some common mitigations address more than one threat with the same impact, but in network security the mitigation differs with location. We first have to see where the service is placed within the TCP/IP stack in order to provide a mitigation for it.
There are 3 levels which play important roles in network security: the network level, the transport level and the application level. The figure below illustrates the network level.
One way to provide security is to use an IPSec policy, which is referred to as an IP Security mechanism. The major benefit of using IPSec is that it is very transparent to end users. It is a general-purpose mechanism to provide end-to-end security for both end users. One of its biggest advantages is that it uses a filtering mechanism which allows only selected traffic in and out. If you want to know how to implement IPSec between 2 XP end users, you should go to this link.
Now we come to the transport level. The figure below illustrates the transport level and where we should implement security in it.
Another general-purpose solution to address network security is to implement SSL (Secure Socket Layer) just above TCP. It is also referred to as TLS, known as Transport Layer Security. There are two implementation choices for SSL.
1. SSL can be provided as an underlying protocol, separate from the application, so it becomes transparent to that specific application.
2. SSL can be embedded in specific packages, such as the web browsers Firefox, IE and Chrome. If the server wants to use it, those browsers are always ready for it; otherwise the connection is served as normal HTTP.
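The layering described above can be observed without any network, as an added example that is not part of the original article: Python's standard ssl module is driven through in-memory buffers instead of a TCP socket, and the bytes it would hand to the transport are split into TLS records. The hostname server.example and the function names are assumptions made for illustration.

```python
import ssl

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def first_client_flight(hostname="server.example"):
    """Start a TLS handshake with no socket; return the bytes TLS would give to TCP."""
    ctx = ssl.create_default_context()
    from_network = ssl.MemoryBIO()  # bytes TCP would deliver up to TLS
    to_network = ssl.MemoryBIO()    # bytes TLS asks the transport to send
    tls = ctx.wrap_bio(from_network, to_network, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: TLS is now waiting for the server's reply
    return to_network.read()


def parse_records(stream):
    """Split a byte stream into TLS records.

    Each record starts with a 5-byte header:
    1-byte content type, 2-byte version, 2-byte body length.
    """
    records = []
    offset = 0
    while offset + 5 <= len(stream):
        ctype = stream[offset]
        version = (stream[offset + 1], stream[offset + 2])
        length = int.from_bytes(stream[offset + 3:offset + 5], "big")
        body = stream[offset + 5:offset + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        records.append({"type": CONTENT_TYPES.get(ctype, "unknown"),
                        "version": version, "body": body})
        offset += 5 + length
    return records


if __name__ == "__main__":
    # The first thing TLS sends over TCP is a handshake record (ClientHello).
    for rec in parse_records(first_client_flight()):
        print(rec["type"], rec["version"], len(rec["body"]), "bytes")
```

The application never appears in this code: TLS produces and consumes an opaque byte stream, which is why it can sit between TCP and any application protocol.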
Now we move on to the application level. To understand the scenario, here is the architecture for the application level.
The application-level security approach varies with the application in use. That is why it gives more flexibility to choose a security policy according to the application's requirements.
Thus we have seen where exactly we can implement security mechanisms between the different layers. In Part 2 of this series of articles, I am going to dig into SSL and what roles it plays in TLS and how. Stay tuned.