Eavesdropping


Historically, listening to the network was not considered feasible because it required physical access to the network cable, the ability to tap the cable, and the ability to look through all of the packets on the network seeking the few packets that contained interesting information and reassembling them.

Today, however, with the wide use of twisted-pair and wireless networking, physical access constraints are all but eliminated, and network protocol decoders are widely available, either as turnkey LAN analyzer systems or as software. Most systems also ship with some network monitoring tools to assist in troubleshooting network problems.

Network monitoring is the process of watching all the packets that cross the network. This can yield a wealth of information if you can filter out the information you want. Passwords are passed across the network in plain text when logging on and when using FTP. Any data that is passed across the network can be captured if you know where to look for it. Even something as simple as traffic analysis can give you information about the relationships between systems.

A variety of network monitors are available. LAN analyzers are specialized pieces of equipment that attach to the network, read packets, and decode them. There is also software for a variety of systems, including PCs, that allows them to monitor all the network traffic.

The only way to protect information that travels over an unsecured network is encryption. Native encryption is available in Internet Protocol Version 6 (IPv6) and, with IPSec, in IPv4. It provides integrity and privacy for the data within the packet.

Physical Isolation

Physical isolation can significantly reduce the ability to eavesdrop. When networks are small and under the control of a single organization, physically isolating the networks between systems and their users from other networks can be accomplished. This is most often done when isolating networks with very high value information or isolating internal networks from the Internet. Physical isolation of networks requires discipline in granting users only the access which they need and not the access they want. A physically isolated network provides the greatest level of security.

Network Isolation

Separating physical networks reduces the possibility of eavesdropping. Complete physical isolation is not usually a viable option. Most networks need to be interconnected for basic communications needs, such as e-mail and Internet connectivity. So network isolation has to be implemented as controlled isolation. Network devices, such as firewalls and routers, can limit the scope of a service by blocking the service port from other networks.

  • A switch, or switched hub, is a hub in a star network which isolates network traffic by maintaining a list of which addresses are on which segment and forwarding traffic only to the segment that contains the destination device. Most of these switches will revert to a hub, and send all traffic to each segment, if the list of addresses gets too large or the device receives conflicting address data.

  • A bridge is a network device that is used to connect networks of different media types at a link level, such as coax and twisted-pair. These networks must be running the same protocol and be configured in the same address space.

    Some bridges filter the communication that passes across them by learning the hardware addresses of the machines on the segments to which they connect and not transmitting packets for those machines to the other side of the bridge. This is called auto-segmentation. It isolates the network traffic and is generally used to improve network performance. It also adds to the security of the network by not broadcasting all the packets throughout the network. Some bridges also allow for programmatic filtering.

  • A router is a network device that is used to connect networks of different protocol types at the network level. They can be of totally different topologies, such as Token Ring and Ethernet, and in totally different address spaces. A router uses software addresses, such as IP addresses, instead of machine addresses to forward the packets. It also isolates the network based on where the source and destination machines are located. Routers can also be programmed to filter packets, rejecting them based on the information within the packet: the source and destination IP addresses, the source and destination port numbers, and, for TCP/IP connections, the "direction" of the connection. Some routers also include encryption.

  • A firewall is a method of isolating networks at the application level. It will authenticate all packets as they pass through the firewall. Application firewalls can do a great deal of authentication. A firewall can limit access by service, source, destination host, user, or any combination of these. A company can have many firewall machines, each servicing one or more applications. Firewalls may also be set up within a company when organizations deem that the information contained on their systems needs this level of protection.
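A router access list of the kind the router and firewall bullets describe, filtering on source and destination address, protocol, port, and the "direction" of a TCP connection, as an added example (not the book's code; the 10.0.0.0/8 site network and the rules are constructed for illustration):

```python
"""Router access list of the kind described above (added example, not from the
book): rules match source/destination network, protocol, destination port and,
for TCP, the "direction" of the connection via the SYN and ACK flags."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    established: bool = False       # TCP only: admit replies, not new connections

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # "direction": only segments of an open TCP connection (ACK set, SYN clear)
        return not self.established or (p.proto == "tcp" and p.ack and not p.syn)

# Constructed policy for a site using 10.0.0.0/8: inside hosts may connect out,
# replies may come back, outsiders reach only the mail relay; all else is denied.
RULES = [
    Rule("permit", src="10.0.0.0/8"),
    Rule("permit", dst="10.0.0.0/8", proto="tcp", established=True),
    Rule("permit", dst="10.0.0.25/32", proto="tcp", dport=25),
    Rule("deny"),
]
def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule wins, as in a router access list; default is deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"
```

Inferring direction from the ACK flag is the classic stateless heuristic of the era; a firewall that tracks the connection state itself is the stronger control.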

Encryption

Encryption can be used to make the information presented unintelligible except to those who have the decryption key. Historically, the computational requirements limited the use of encryption. Today, cryptographic solutions are becoming commonplace.

A virtual private network (VPN) is a method of using encryption to create secure tunnels through an untrusted network (e.g., the Internet). A variety of VPN solutions exist; many are proprietary, requiring the same vendor's equipment or software on both ends of the secure tunnel, while others are based on standards and are interoperable between different vendors' implementations.

A VPN can be implemented at any level of the network stack. Implementing encryption higher in the stack provides more selectivity in which traffic is encrypted, while implementing it lower in the stack provides less impact on applications and an increased level of security against traffic profiling.

  • Application layer encryption can be used to protect the information used in the application providing that the client and server sides of the application can utilize the same encryption. Application level encryption is seen most often in e-mail applications. There are a number of differing and incompatible e-mail encryption systems.

    S/MIME, Secure Multipurpose Internet Mail Extensions, is an example of application layer encryption. It is an encryption standard used to encrypt electronic mail and other types of messages on the Internet. It is an open standard developed by Rivest, Shamir, and Adleman.

  • Presentation layer encryption is provided by the software which provides the look and feel for any of a number of applications. Remote display systems, such as X windows or the web protocol HTTP, are examples of presentation layer applications. Any encryption provided at this layer protects any application which uses this presentation service.

    S-HTTP is another protocol that provides security services across the Internet. It was designed to provide confidentiality, authentication, integrity, and non-repudiation while supporting multiple key-management mechanisms and cryptographic algorithms via option negotiation between the parties involved in each transaction. S-HTTP is limited to the specific software that is implementing it, and encrypts each message individually.

  • Session layer encryption creates a tunnel for each separate session. A single user may create multiple sessions between systems; generally each session of each program or service creates a separate tunnel. Wrapping or tunneling can be used to achieve a transport layer-like VPN with multiple applications sharing an encrypted tunnel.

    SSH, Secure Shell, provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt, authenticate, and compress transmitted data.

  • Transport layer encryption protects all the communication over a specific socket. This is the connection between two systems for a specific service. All requests for that service are encrypted at the transport layer.

    SSL, Secure Sockets Layer, is an encryption method developed by Netscape to provide security over the Internet. It supports several different encryption protocols, and provides client and server authentication. SSL operates at the transport layer, creates a secure encrypted channel of data, and thus can seamlessly encrypt data of many types.

  • Network layer encryption protects all communication between two physical systems. All communication between the two systems is encrypted. It provides point-to-point encryption often used with a border gateway.

    IPSec is an effort by the IETF to create cryptographically secure peer-to-peer communications at the IP network level, and to provide authentication, integrity, access control, and confidentiality. An IPsec VPN generally consists of two communications channels between the endpoint hosts: a key-exchange channel over which authentication and encryption key information is passed (port 500), and one or more data channels over which private network traffic is carried. The format of the headers and packets used is described in a series of RFCs: the encapsulating security payload (ESP) is in RFC 2406, the authentication header (AH) is in RFC 2402, and the ISAKMP key-exchange protocol is in RFC 2408.

    A number of Linux implementations of IPSec are available. However, export restrictions on cryptography limit its distribution. The HP-UX implementation of IPSec is available as a no-charge add-on product.

  • Data Link layer encryption provides encryption at the link level. Any communication of any protocol which travels over the link will be encrypted with the encryption at this level. Data link layer encryption is used to protect the information from security flaws in the transmission media, such as widespread broadcasts or media which are easy to eavesdrop on.
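The AH and ESP outer headers from RFC 2402 and RFC 2406 cited in the IPsec bullet above, together with the receiver's anti-replay window that both RFCs define, as an added example (not the book's code and not a complete IPsec stack; the integrity-check verification that must precede accepting a packet is omitted, and the sample packets are constructed):

```python
"""IPsec AH (RFC 2402) and ESP (RFC 2406) outer headers plus the receiver's
anti-replay window (added example, not the book's code; the ICV verification
that must happen before a packet is accepted is deliberately left out)."""
import struct

IPPROTO_AH, IPPROTO_ESP = 51, 50

def parse_ipsec_header(proto: int, data: bytes) -> dict:
    """Return the SPI and sequence number both AH and ESP carry in the clear."""
    if proto == IPPROTO_AH:
        # next header, payload length (32-bit words minus 2), reserved, SPI, seq
        nxt, plen, _res, spi, seq = struct.unpack("!BBHII", data[:12])
        icv_len = (plen + 2) * 4 - 12      # the rest of the header is the ICV
        return {"type": "AH", "next": nxt, "spi": spi, "seq": seq,
                "icv": data[12:12 + icv_len]}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", data[:8])   # everything after is ciphertext
        return {"type": "ESP", "spi": spi, "seq": seq}
    raise ValueError(f"not an IPsec protocol number: {proto}")

class ReplayWindow:
    """Sliding anti-replay window; the RFCs' default width is 64 packets."""
    def __init__(self, size: int = 64):
        self.size, self.highest, self.bitmap = size, 0, 0   # bit k = highest - k

    def check(self, seq: int) -> bool:
        """True if seq is acceptable; verify the ICV before calling update()."""
        if seq == 0:                                # counter starts at 1
            return False
        if seq > self.highest:
            return True                             # advances the window
        if seq <= self.highest - self.size:
            return False                            # older than the window
        return not (self.bitmap >> (self.highest - seq)) & 1   # seen already?

    def update(self, seq: int) -> None:
        """Record seq as received; call only after check() and ICV success."""
        if seq > self.highest:
            self.bitmap = (self.bitmap << (seq - self.highest)) | 1
            self.bitmap &= (1 << self.size) - 1
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq: int) -> bool:
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok
```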



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
