ECN: Electronic Component News
Securing IP Networks: A Primer
Nauman Arshad, Technical Product Marketing Manager, Curtiss-Wright Controls Embedded Computing; S. Rajesh Kumar, Product Line Manager, Aricent
Ecnmag.com - February 11, 2008

Figure 1: Packet Sniffing Example – An Attacker connected to the network can monitor packets using special sniffing software.
Security is becoming increasingly important for electronic defense subsystems that need connectivity using gigabit Ethernet and Internet Protocols such as IPv4 and IPv6. Unprotected Ethernet ports could provide an opening that would enable attackers to get unwanted access to sensitive data or to launch an attack that could bring down an embedded network. Attacks on a network can come from external sources or from within. An external attacker could be a casual hacker, a funded organization, or a rogue government that is able to remotely connect and break into the network. An internal attacker could be a disgruntled employee who already has access to the network or an unwanted intruder who is able to get access to an unprotected network terminal or an Ethernet port that can be used to launch a network attack from within.

As networking security is a vast topic with a multitude of possible attack scenarios, only selected examples of internal network attacks will be described in this article. Four types of attacks that can occur on a network include packet sniffing, planting Trojan Horses, connection hijacking, and Denial of Service (DoS).

Packet sniffing, also known as eavesdropping, can occur when an attacker is able to read packets sent between two communicating nodes. If the packet payload is unprotected, the attacker can read the payload data, which could contain passwords or other sensitive information. In many cases, this form of eavesdropping can be accomplished without the communicating nodes ever knowing that their data is being monitored.

Figure 2: Connection Hijacking Example – An Attacker can hijack an FTP session and gain sensitive information.

Taking packet sniffing further, an attacker can use this technique to plant a Trojan Horse program on to the destination node. In this case an attacker can intercept a set of packets, replace their payload portion with the malicious Trojan Horse program, re-assemble the packets and forward them to the destination node. The destination node would receive and execute the Trojan Horse program, which could then be used to track key strokes or monitor activities of the destination node and transmit logged information back to the attacker.

Connection hijacking occurs when an attacker pretends to be one of the communicating nodes. Using a technique called “IP spoofing”, in which the attacker reads an IP address, forges it, and then sends packets back to the source under that address, an attacker can completely take over a communications exchange by appearing to be a legitimate communicating node. For example, in a scenario where two nodes A and B are communicating through a switch, an attacker intercepts the packets coming from A, forges them and sends them back to A pretending to be B. In this case the attacker has B’s information and now, unbeknownst to A or B, the attacker has hijacked the communications and is able to mislead A into providing sensitive information meant for B.

DoS attacks can also be launched using IP spoofing. In this case the attacker sends floods of certain types of packets to a server or a switch, preventing other nodes from accessing the same server or switch.

Figure 3: Denial of Services Attack Example – An Attacker can use up all services and not allow any other node to access that service.
This can be done directly by the attacker or indirectly through a node in the network, which has been implanted with malicious code to launch the attack without its knowledge. For example, consider a file server that can service up to ten clients at a time. An attacker sets up a node to send FTP connection requests continuously with different IP addresses. The result is that the malicious node occupies all ten connections all the time, which essentially prevents any other client from accessing the server. If this is done with a router, an entire network can be rendered inaccessible.

Establishing Secure IP Communications

The new version of the Internet Protocol, IPv6, addresses many important security issues. In comparison, the previous Internet Protocol, IPv4, had certain shortcomings with respect to security. Most notably, IPv4 did not mandate the use of the important IP security protocol, IPSec, which only found increased use after IPv4-based infrastructure had been widely deployed and before IPv6 became standardized. The IPv6 specification mandates that nodes in a network support IPSec (Table 1). This makes IPv6 more secure than IPv4 simply because all IPv6-capable nodes are also IPSec-capable.

The fundamental methods used to guard against security threats include authentication, authorization, protection against DoS attacks, encryption, intrusion detection, intrusion prevention, and the use of IPSec and Internet Key Exchange (IKE) protocols.

Authentication is the process of checking the identity of a node before allowing communication to or from that node. A router can authenticate a node attempting to connect to it using a protocol specified in the IEEE 802.1x standard. A router or server can authenticate an administrator by a user ID/password combination. Authentication can be made more secure by using certificates, as in the Secure Shell (SSH) or Secure Sockets Layer (SSL) protocols. Two nodes can authenticate each other using the IPSec Authentication Header (AH) on each packet sent or received.

Authorization is permitting or denying access to one or more resources by checking the credentials of a node or user. For example, the use of 802.1x authentication results in a network switch port being marked as “authorized” or “unauthorized.” Multiple privilege levels may also be used to access a server or a router. Authentication validates a user as a genuine user. Based on the user ID, the user may be authorized only to read information or to read and write information.

Table 1: Creating Secure Communications using IPv4 or IPv6.
DoS attacks are recognized by looking for suspicious patterns. For example, if there are repeated connection requests at a switch from the same port or from the same IP address, the router may put a threshold on the number of simultaneous connection requests and drop all connection requests above that threshold. Many DoS attacks rely on vulnerabilities in ICMP, TCP, and UDP streams.
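The ten-client FTP server scenario above and the threshold rule just described, as an added example that is not part of the original article: a sliding-window counter keyed on the switch port (rather than the source IP, which a spoofing flood changes on every request) drops connection requests above the threshold and flags the port. The log format, addresses and the `filter_requests` function are constructed for this illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample of connection-request events seen at a switch (not from the article).
# Format: <seconds> port=<switch port> src=<ip> -> dst=<ip>:<tcp port>
SAMPLE_LOG = """\
0.0 port=3 src=10.0.0.5 -> 10.0.0.1:21
0.5 port=4 src=10.0.0.6 -> 10.0.0.1:21
1.0 port=7 src=192.168.1.10 -> 10.0.0.1:21
1.1 port=7 src=192.168.1.11 -> 10.0.0.1:21
1.2 port=7 src=192.168.1.12 -> 10.0.0.1:21
1.3 port=7 src=192.168.1.13 -> 10.0.0.1:21
1.4 port=7 src=192.168.1.14 -> 10.0.0.1:21
1.5 port=7 src=192.168.1.15 -> 10.0.0.1:21
1.6 port=7 src=192.168.1.16 -> 10.0.0.1:21
1.7 port=7 src=192.168.1.17 -> 10.0.0.1:21
1.8 port=7 src=192.168.1.18 -> 10.0.0.1:21
1.9 port=7 src=192.168.1.19 -> 10.0.0.1:21
2.0 port=7 src=192.168.1.20 -> 10.0.0.1:21
2.1 port=7 src=192.168.1.21 -> 10.0.0.1:21
3.0 port=5 src=10.0.0.8 -> 10.0.0.1:21
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+) port=(?P<port>\d+) src=(?P<src>[\d.]+) -> (?P<dst>[\d.:]+)$")

def filter_requests(log, threshold=10, window=5.0):
    """Return (accepted, dropped, flagged_ports): at most `threshold` requests per
    switch port in any `window`-second span; the rest are dropped. Keying on the
    physical port is what catches a flood that spoofs a new IP on every request."""
    recent = defaultdict(deque)   # port -> timestamps of requests still inside the window
    accepted, dropped, flagged = [], [], set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore malformed lines
        t, port, src = float(m["t"]), m["port"], m["src"]
        q = recent[port]
        while q and t - q[0] > window:
            q.popleft()              # slide the window forward
        if len(q) >= threshold:
            dropped.append((t, port, src))   # above threshold: drop and flag the port
            flagged.add(port)
        else:
            q.append(t)
            accepted.append((t, port, src))
    return accepted, dropped, flagged
```

With the sample log, the twelve requests arriving on port 7 exceed the ten-connection threshold, so the last two are dropped and port 7 is flagged while the legitimate clients on ports 3, 4 and 5 are unaffected.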

The IPSec protocol uses per-packet authentication and encryption to secure the traffic between any two communicating nodes over IPv4 or IPv6 networks. For authentication, each node includes an AH in every packet it transmits. Each node also validates the AH in each received packet to verify that the packet has, in fact, originated from the correct source. For encryption, each node encodes the payload in the IP packet before transmission and decodes the payload received in the IP packet before processing. This security feature is called Encapsulating Security Payload (ESP).

The encoding and decoding processes use cryptographic techniques, which have been established as strong and resistant to attacks. The keys used for encryption and decryption are also distributed in a secure manner. AH and ESP can be used individually or in combination, depending upon the requirement and degree of security needed. For example, connection requests may only need to be authenticated, while file transfers may have to be encrypted. Many algorithms are available for authentication, the most popular being the Hash Message Authentication Code-Secure Hash Algorithm (HMAC-SHA). Similarly, many algorithms are available for encryption, the most popular being Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple DES.
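AH-style per-packet authentication as described above, as an added example that is not part of the original article: the sender appends an HMAC-SHA256 tag (a member of the HMAC-SHA family the article names) over a sequence number and the payload, and the receiver verifies the tag in constant time and rejects replayed sequence numbers. The packet layout, the `protect`/`Receiver` names and the key are constructed; real AH also covers the IP header with mutable fields zeroed and uses a sliding anti-replay window, which this simplifies to a strictly increasing counter.

```python
import hashlib
import hmac
import struct

# Constructed packet layout (not the real AH format):
# 4-byte big-endian sequence number | payload | 32-byte HMAC-SHA256 tag
TAG_LEN = 32

def protect(key, seq, payload):
    """Sender side: append an HMAC-SHA256 tag computed over sequence number + payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Receiver side: verify the tag, then reject replayed or stale sequence numbers."""
    def __init__(self, key):
        self.key = key
        self.highest_seq = 0        # accepted sequence numbers must strictly increase

    def verify(self, packet):
        """Return the payload if the packet is authentic and fresh, otherwise None."""
        if len(packet) < 4 + TAG_LEN:
            return None                                # too short to carry a tag
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):     # constant-time comparison
            return None                                # forged or modified in transit
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.highest_seq:                    # replay of an already-seen packet
            return None
        self.highest_seq = seq
        return body[4:]

def demo():
    """Authentic packet accepted; bit-flipped copy and replayed copy both rejected."""
    key = b"constructed-shared-key-from-IKE-or-static-config"
    rx = Receiver(key)
    pkt = protect(key, 1, b"PUT report.txt")
    ok = rx.verify(pkt)                                # returns b"PUT report.txt"
    tampered = bytearray(pkt)
    tampered[4] ^= 0x01                                # flip one bit of the payload
    bad = rx.verify(bytes(tampered))                   # tag mismatch -> None
    replay = rx.verify(pkt)                            # same sequence number -> None
    return ok, bad, replay
```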

Similar to DoS attack protection, intrusion detection relies on identifying the signatures of attacks, which are essentially patterns of packet flows. Network devices such as advanced routers sense nodes that must not be allowed access or attempts at malicious access. This is done using IP addresses, TCP/UDP port numbers, TCP sequence numbers, ICMP patterns and header fields in IP packets. When an intrusion is sensed, an alarm is sent to alert a network administrator who can decide on the appropriate action, such as shutting down a network port.

In intrusion prevention, the router first takes action, such as shutting down the network port, and then alerts the administrator of the action it has taken and the reason for it. This halts the intrusion until the network administrator is able to act.

Used alone, IPSec relies on keys being configured and set up statically in the nodes. Since this can be cumbersome for administrators, IKE may be used in conjunction with IPSec. IKE lets nodes dynamically negotiate keys, thereby eliminating the need for administrators to manually provision keys for sessions between nodes.

Securing Network Interfaces with COTS Hardware

Today, there are several types of cost-effective open standards-based COTS products that enable the vision of network-centric operations for military applications. These include rugged, intelligent, managed or unmanaged, high port density, multi-layer (Layer 2/3) Gigabit Ethernet switches and standalone, managed, Gigabit Ethernet Switch/Router modules that are well suited for building intra-platform networks for land, air and sea vehicles. Using star, dual star, mesh and hybrid network topologies, these switches and routers provide a flexible, cost-effective solution that can be used to architect reliable backbone communications infrastructure for current and future networked platforms. Redundancy and fail-over can be implemented using dual star and mesh networks, while investment dollars can be retained by implementing hybrid network topologies that co-exist with legacy and/or next-generation interconnection strategies.

Figure 4: VME-682 FireBlade Managed Layer 2/3 Router and PMC-110 CryptoNet provide security for embedded networks.

Some of these switches, such as Curtiss-Wright’s VME-682 FireBlade or the SMS-682 SwitchBox II standalone Gigabit Ethernet switch module, can be combined with plug-in security expansion modules such as the PMC-110 CryptoNet. This expansion module provides encryption/decryption/authentication, access control list (ACL) filtering, Network Address Translation (NAT), and basic key generation/management, as well as enabling VPN with secure tunneling (IPSec/L2TP). These hardware combinations provide high levels of security in IPv4 and IPv6 networks, in the form of an International Computer Security Association (ICSA)-certified stateful firewall that protects against multiple evasive attacks and acts as a Unified Threat Management (UTM) router capable of strong perimeter defense.
