Thursday, November 14, 2013

Transport Layer Security - Part 1

This is a non-technical guide that will familiarize you with the transport layer. Its main purpose is to point out why we need strong security on the transport layer: what happens if the components of this layer are compromised?


Introduction
In today's digital world, every business has a website. Whether it is a small firm or a large agency, government or non-government, it has a website and uses websites. The number of individuals and companies accessing the internet has clearly increased rapidly. As businesses around the globe grow, they want the internet to act as an e-commerce platform for their business so they can manage everything centrally. However, over the years we have seen that web services across the internet are vulnerable in many ways. No business wants to put itself into a vulnerable environment. As a result, security is also in demand in the corporate world.

Web applications and services are a very broad topic. As the title says, we are going to discuss security only for the parts related to the transport layer. Only SSH, TLS/SSL and HTTPS fall under this criterion.

Security Deliberation in Web
The WWW is nothing but a client/server application running on the internet using TCP/IP. There are a number of security auditing tools and mechanisms that address network security considerations, but there are many new vulnerabilities that those tools and mechanisms do not yet recognize.


Unlike traditional publishing environments, the internet is two-way, with clients and servers. Attacks can be made on the client application as well as on the web server. Web servers are the heart of the corporate world, where a great deal of general and sensitive information is stored. If those web servers are compromised, the organization's reputation and money can be lost in no time. Web browsers are easy to use, and web servers are very easy to configure and manage. That is how we produce digital information in bulk. The table below shows the security threats we are facing and have faced up to now. There are two types of threats: passive threats and active threats.




| Category | Threat | Impact of Threat | Mitigation |
|---|---|---|---|
| Authentication | Passing invalid data; impersonating a valid user | False information being accepted and attacker may get access; access to personal data on behalf of a legitimate user | Use cryptographic mechanisms |
| Integrity | Trojan in browser; user data modification; message modification in network traffic | Compromise of machine; information loss | Use cryptographic checksums |
| Denial of Service | Flooding server with bogus requests; filling server memory; DNS attack for machine isolation | Legitimate users cannot work due to long waiting state; the server breaks down completely | IPS/IDS, honeypot, firewalls |
| Confidentiality | MITM attack | Information theft from server & client; privacy loss | Web proxies, encryption techniques |

Passive threat: This includes a man-in-the-middle attack on the network traffic between server and client in order to gain access to the information being shared between them. Generally, the information the attacker gains this way is restricted to that client and server.

Active threat: Here the attacker directly impersonates a user, network or website in order to gain information that is usually restricted.

Apart from these two categories, we can also categorize web threats by where they occur between client and server: web browser, web server and network traffic.



Security Approaches in Web Traffic
There are a number of security approaches available to address each web threat. Some common mitigations address more than one threat with the same impact, but in network security the mitigation differs with location. We first have to see where the service is placed within the TCP/IP stack in order to provide mitigation for it.

There are 3 levels that play important roles in network security: the network level, the transport level and the application level. The figure below illustrates the network level.


 
One way to provide security is to use an IPSec policy, which refers to the IP Security mechanism. The major benefit of using IPSec is that it is very transparent to end users. It is a general-purpose mechanism that provides end-to-end security for both end users. One of its biggest advantages is that it uses a filtering mechanism that allows only selected traffic in and out. If you want to know how to implement IPSec between 2 XP end users, you should go to this link.

Now we come to the transport level. The figure below illustrates the transport level and where we should implement security in it.
 

Another general-purpose solution for network security is to implement SSL (Secure Sockets Layer) just above TCP. It is also referred to as TLS, or Transport Layer Security. There are two implementation choices for SSL.

1.    SSL can be provided as a separate, underlying protocol, so it becomes transparent to the specific application.

2.    SSL can be embedded in specific packages, such as the web browsers Firefox, IE and Chrome. If the server wants to use it, those browsers are always ready for it. Otherwise the connection is served as normal HTTP.

Now we move on to the application level. To understand the scenario, here is the architecture for the application level.

 
The application-level security approach varies with the application in use. That gives more flexibility to choose a security policy according to the application's requirements.

We have now seen where exactly we can implement security mechanisms among the different layers. In Part 2 of this series, I am going to explore SSL, what role it plays in TLS, and how. Stay tuned.
