This is a non-technical guide which will make you familiar with the transport layer. The main purpose of writing this guide is to point out why we need major security implementation on the transport layer. What if the components of this layer get compromised?

Introduction

In today’s digital world, nearly every business has a website. Both tiny companies and huge corporations have websites. Clearly, the number of individuals and companies who are accessing the internet has rapidly increased. As businesses around the globe are rapidly increasing, they want the internet to act as web e-commerce for their business to manage everything centrally.

However, over the years we’re watching that web services across the internet are vulnerable in various ways. No business wants to put themselves into a vulnerable environment. As a result, the need for security in the corporate world is also in demand.

If we talk about web applications and services, then it’s a very broad topic. As I mentioned, we are going to discuss security only for components which are related to the transport layer.

Security Deliberation in Web

The web is simply a client and server system, running on the internet using TCP/IP. There are a number of security auditing tools and mechanisms which address network security considerations, but there are many new vulnerabilities which are not appreciated by those tools and mechanisms yet.

Unlike traditional publishing environments, internet is two way, between clients and servers. Attacks can be done on client applications as well as a web servers. Web servers are at the heart of the corporate world where a lot of general and sensitive information is stored. If those web servers are compromised, then reputation and the money of that organization can be lost in no time.

Web browsers are easy to use, and web servers are very easy to configure and manage. That’s how we produce mass digital information.

The table below shows the security threats we are facing and have faced up to now. There are two types of threats, passive threats and active threats.

Category Threat Impact of Threat Mitigation
Authentication Passing Invalid DataImpersonate Valid user False information being accepted & Attacker may get access
Access of personal data behalf of legitimate user		 Use Cryptography Mechanism
Integrity Trojan in browser
User data modification
Message modification in network traffic		 Compromisation of machine
Information loss		 Use Cryptography Checksums
Denial of Service Flood server with bogus requests
Filling server memory
DNS attack for machine isolation		 Legitimate users cannot work due to long waiting state
The server breaks down completely		 IPS/IDS, Honeypot, Firewalls
Confidentiality MITM attack
Information Theft from server & client		 Privacy loss Web proxies, Encryption techniques

Passive threats: Includes man in the middle attacks between servers and clients on network traffic in order to gain access to information that’s being shared between them. Generally the information which attacker gains by doing this is restricted except between that client and server.

CISSP Instant Pricing- Resources

Active threats: A attacker could impersonate a user, network, or website in order to gain information which is usually restricted.

Apart from these two categories, we can also categorize web threats in the way they behave between clients and servers such as web browsers, web servers and network traffic.

Security Approaches in Web Traffic

There are a number of security approaches available to address each type of web threat. There are some common mitigation techniques for addressing more than one threat. In network security, strategies differ depending on location. We have to see first where the service is placed within the TCP/IP stack, in order to provide mitigation of an attack.

There are three levels that play important roles in network security- network level, transport level and application level. The figure below illustrates the network level.

fig1

Fig:1 Network Level

One way to provide security is to use IPSec policy, which is referred to as an IP security mechanism. The main benefit of using IPSec is that it’s transparent to end users. It’s a general purpose mechanism to provide end-to-end security for end users. One of the biggest advantages is it uses a filtering mechanism that allows only selected traffic to pass. To learn about how to apply IPSec between two Windows XP clients, click on this link.

Now, onto the transport level. The figure below illustrates the transport level and where we should implement security in it.

fig2

Fig:2 Transport Level

Another general purpose solution to address network security is to implement SSL (Secure Socket Layer) just above TCP. It’s also referred to as TLS, or transport layer security. There are two implementations of SSL.

  1. SSL can be provided as underlying protocol and can be separated. So it becomes transparent to a specific application.
  2. SSL can be embedded in some packages like web browsers such as Firefox, IE, Chrome. So if a server wants to use it, those browsers are always up for that. Otherwise it’ll serve as normal HTTP.

Now, we’ll move on to the application level. To understand the scenario, here’s the architecture for application level.

fig3

Application level security approaches vary with different applications used. That’s why it needs to give more flexibility to choose a security policy according to the application’s requirements.

Now, we have seen where exactly we can implement security mechanisms in between different layers. In part two of this series, I will unleash SSL and describe what roles it plays in TLS and how. Stay tuned.

References

http://en.wikipedia.org/wiki/Network_security
http://ix.cs.uoregon.edu/~butler/teaching/11W/cis533/slides/cis533-authentication.pdf
http://www.draytek.co.uk/products/network_threats.html
www.andrew.cmu.edu/course/95-752/notes/netsec.ppt?
http://en.wikipedia.org/wiki/Network_Interface_Layer_Security
http://tools.ietf.org/html/rfc5246
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html