Toivo Talikka

Total Data Pty Ltd

Computer system installation, support and IT management consultancy

Forestville NSW Australia        tel 0410 532 923       email toivo@totaldata.biz

Internet and Security

SUMMARY

[This research paper was produced as part of requirements of the postgraduate course "Management Issues in Telecommunications" at the Faculty of Business, University of Southern Queensland on 23/09/2001.]

This paper discusses a number of security issues in the Internet, the Internet protocols and how new standards are being developed to address those issues.  Virtual Private Networking (VPN) is discussed with emphasis on features offered by the new standards IP version 6 (IPv6) and IP Security (IPsec).   Most of the source material is based on selected Internet-Drafts from the Internet Engineering Task Force's working papers.  Projections are presented about the future development potential and practical impact for the business community and Internet users in general.

TABLE OF CONTENTS

SUMMARY
1 RESEARCH OBJECTIVES
2 INTRODUCTION
3 SECURITY ON THE INTERNET
3.1 Business Environment
3.2 Microsoft Products
3.3 Internet User's Perspective
3.4 Internet Service Providers
3.5 The Hacker Community
3.6 Internet Regulatory Bodies
4 IP SECURITY FEATURES
4.1 IPsec
4.2 Network Address Translation
5 THE EFFECT OF HACKING
6 NEW DEVELOPMENTS
6.1 IP version 6
6.2 IPv6 And Security
6.3 PC and Server Hardware
6.4 IPv6 Networking Features
7 FUTURE EXPECTATIONS
7.1 Larger IP Address Space
7.2 Secure Remote Access
7.3 Protection from Hackers
8 CONCLUSION
9 GLOSSARY OF ABBREVIATIONS
10 REFERENCES
APPENDIX 1 PORT PROBES
APPENDIX 2 IP HEADER FORMATS
APPENDIX 3 SECURITY THREATS IN IPv4


1 RESEARCH OBJECTIVES

The purpose of the paper is to provide material for further study in the Internet standards, and to assist in the evaluation and selection of security products.  It should be noted that the Internet-Draft documents quoted in the paper are working drafts and will expire usually in 6 months, unless their status is changed to Request For Comments (RFC).

2 INTRODUCTION

The expansion in the use of the Internet has brought security issues to the surface, a large number of which have recently made their way to newspaper headlines.  In the services available on the Internet, the underlying requirement for security encompasses the following basic needs:

Authenticity, or ensuring that the exchange of information between a web host server and a client computer happens between two bona fide parties.

Secrecy, or protection against unauthorised disclosure of information or identity of the parties exchanging information to third parties.

Integrity, or prevention of unauthorised modification of the information while it is in transit between the two parties.

Necessity, or prevention of both delays in the delivery of data to its destination and removal of the capacity to exchange data with other parties.

(Adapted from Schneider & Perry 2000, p. 147)

This paper will focus on selected aspects of the technologies for providing secrecy, integrity and necessity in some of the current and proposed Internet protocols. The security incidents presented in this paper are actual and potential intrusions to a firm's local area network system and file servers, using vulnerabilities in the Internet protocols and technologies.

3 SECURITY ON THE INTERNET

3.1 Business Environment

General threats to business continuity come, in addition to hardware malfunctions and disasters like water damage, office fires and willful damage, from virus infections and network intrusions from outside the company.

Hackers usually want access to a system in order to obtain information, or to use parts of the system, such as the SMTP server, to relay unsolicited email messages.  Hackers may also want to gather enough information to fake the identity of a network device for financial advantage, or to penetrate systems in order to read, modify or delete personal information and records (Prigent et al. 2001, p.3).

According to experts, a large number of security incidents are caused by insiders (Swoyer 2000, p.2): company employees or ex-employees who have obtained confidential information about passwords and access to the computer systems.  Social engineering, or information gathering e.g. by hackers who pretend to be working for the IT support team, also makes large companies vulnerable to security breaches unless strict policies and user education are implemented (Tims 2001).

Firewall applications prevent unwanted connections from the Internet to the corporate network.  Firewall software products are usually installed at the network periphery on router equipment and specialised appliances or servers running on the top of general purpose or hardened operating systems (Eldridge 2001).  There are major differences in the way these products handle the management functions and how resilient they are when a real intrusion attempt takes place (Oliver 2001).  However, further discussion of firewalls and their implementation methods is outside the scope of this paper.

In the last few years, Virtual Private Networking (VPN) has become an important tool for allowing remote users to access network systems securely.  VPN is also becoming a target for hackers (McClure, Scambray & Kurtz 1999, p.284).   Even though the secure VPN tunnel protects the data from outside attacks while the data is in transit between the end points of the tunnel, the PC at the originating end of the VPN tunnel is still vulnerable to attempts to gather information by traditional hacking methods from the Internet.  A compromised PC, not running anti-virus software and allowing anyone on the Internet to probe its services and collect information, provides an open gateway for a hacker to enter the corporate network (Network ICE 2001).

3.2 Microsoft Products

Some industry sources say that Microsoft's size as a company, its market share and its influence cause hackers to target Microsoft (Chidi 2001). In the last 12 months there have been a number of security incidents with Microsoft or Microsoft's software products, like the Internet Information Server (IIS) and the Hotmail email system, as targets.

A large number of published exploits use vulnerabilities in Microsoft's Internet Information Server (IIS), in the Windows NT operating system and in Windows in general.   The latest Internet worm viruses, Code Red and Nimda, infected hundreds of thousands of servers within a few days (Evers 2001, Van Dijk 2001).

3.3 Internet User's Perspective

De facto standards like Microsoft Windows in the operating system market, and Microsoft's strategy of integrating their Internet Explorer browser application and Outlook email software closely with the operating system, have made the majority of personal computer users vulnerable as potential targets of virus attacks.  Insecure functions in the operating system can execute program files received as attachments to an email message with little control by, or warning to, the user.

Email attachments received from unknown people, or screen savers downloaded from dubious web sites, can contain Trojan Horse programs: program code that installs itself as a service running on the PC.  The Trojan runs in the background and listens to incoming TCP/IP traffic (McClure et al. 1999, p.390).  A Trojan Horse program can also steal password files and confidential documents and send them to the hacker via the Internet.

Third party anti-virus software and an intrusion detection application or a personal firewall are required to keep home PCs safe from rogue programs, probes and intrusions during the Internet connection.   When an Internet user dials in to an ISP using an ordinary telephone line, the connection is allocated a temporary IP address from a pool of IP addresses (King et al. 1998, p.8).  Even the temporary nature of the IP address does not prevent automatic scanning programs from sending their probe packets, attempting to find open ports and extract information from the computer. Appendix 1 contains examples of port probes, recorded during dial-up sessions (Example 1) and during a cable connection to the Internet (Example 2).

An unprotected Internet connection makes a PC vulnerable as a target to run zombie programs, which take over the PC and use it to launch Distributed Denial of Service (DDOS) attacks against service providers and commercial web servers.   It is believed that PCs using a broadband or cable connection to the Internet are especially popular targets for hackers, because of their fast connection and obvious potential for launching a massive DDOS attack.

In July 2001 an Internet worm virus called Code Red infected 300000 web servers running the Microsoft IIS software (CERT 2001).  I run a home PC, connected to Telstra Bigpond via a cable modem, and I run an Intrusion Detection System (IDS) application.  I could see the number of daily probes increase from the usual average of 5 to 10 probes a day, to a maximum of 40 to 50 probes a day.

3.4 Internet Service Providers

Usually Internet Service Providers (ISPs) are protected by their terms and conditions, in effect legal contracts to protect them from lawsuits relating to viruses passed to clients from the Internet.  Some ISPs offer secure or 'managed' links to their home users and corporate customers.  The secure link is achieved by filtering the Internet connection through a firewall application.

However, not all the Internet traffic, or IP packets originating from the customers' networks, can be authenticated on the ISP's routers or firewalls.  Assuming that the customer is large enough to have their own range of IP addresses, these addresses may not be easily controlled by the routers of the ISP ('ISP Security Opinion' 2001).

ISPs often provide VPN access points to their corporate customers, where the ISP server establishes an authenticated and encrypted tunnel from the ISP's server to the customer's network.  Most medium size and large companies have their own VPN gateway devices and corresponding VPN client software, which provide a secure tunnel from the remote client PC to the firm's VPN gateway.  VPN routers provide connectivity between remote offices and the head office (Adam 2000).

3.5 The Hacker Community

The Internet started in the military and academic community in the USA, spreading through the universities to other countries.  In the 1990s the use of the Internet exploded through home dial-up connections and the availability of broadband media like cable and Asymmetric Digital Subscriber Line (ADSL).

As a direct result of the popularity of the Internet in the 1990s, the fringe phenomena, computer viruses and hacking, started to spread through the Internet.  The techniques of how to write viral code and how to hack computer systems are published on web sites and discussion groups, making it relatively easy for anyone with some technical knowledge to unleash a new computer virus or run port scans and try to hack into computer systems.

Hackers have received a lot of publicity in the last few years.  Recently the Code Red worm (CERT 2001) made it to the headlines of afternoon papers.  Some commentators even predicted a meltdown of the Internet. One reason why hackers have succeeded in spreading their techniques is the fact that the Internet is an interconnected network of servers, not controlled by any single authority or institution, as explained by Bradner (1996, p.2):

The Internet, a loosely-organized international collaboration of autonomous, interconnected networks, supports host-to-host communication through voluntary adherence to open protocols and procedures defined by Internet Standards.

Therefore the contents of the web sites and the message traffic are not censored.  No one forces the users or ISPs to use anti virus software or intrusion detection systems.

Hackers have developed software utilities to probe network devices and find out about their identity, to record network traffic for later analysis and to crack files containing encrypted passwords.  Not even wireless networks are safe: a few months ago a tool called AirSnort was reported to monitor transmissions on a wireless local area network (WLAN), gather packets of data and calculate the encryption password (Lee 2001).

3.6 Internet Regulatory Bodies

Much less heralded than hackers' exploits is the work of the Internet specialists and companies involved in the definition of standards to protect the Internet users from malicious intrusions of privacy and threats to the integrity of computer systems.

The Internet Engineering Task Force (IETF) and its working groups are responsible for publishing Internet Drafts and standards, in the form of Requests for Comments (RFC), as explained by Bradner (1996, p.2):

…an Internet Standard is a specification that is stable and well-understood, is technically competent, has multiple, independent, and interoperable implementations with substantial operational experience, enjoys significant public support, and is recognizably useful in some or all parts of the Internet.

From the currently available Internet Drafts of the working groups involved in the definition of the new version of the IP protocol and their initiatives relating to security, it is obvious that efforts are made to include security features into the Internet protocols.

4 IP SECURITY FEATURES

4.1 IPsec

The IP security (IPsec) protocol was defined by the Internet Engineering Task Force (IETF) in RFC 2401 in 1998 (Kent & Atkinson 1998).   This protocol is still being fine-tuned and extensions are being added to it.  A report was published in Network Computing in March 2000 about the results of testing four shipping VPN gateway products.  The report concluded that an attempt to connect security products in a multi-vendor environment can lead to problems:  'Because no standard methods are employed, client configuration options, such as IP address, DNS and WINS, fall by the wayside when using client IPsec in a multi-vendor environment' (Fratto 2000).

4.2 Network Address Translation

Because of the scarcity of available IP addresses, Network Address Translation (NAT) is used in appliances like routers and firewalls to hide the private addresses of the servers and client workstations in corporate networks from the Internet, behind the public IP address of the network (Mann 2000).  Security applications embed IP addresses not just in the packet header but also in the rest of the packet.  The embedded address can be part of the authentication and security scheme but the use of NAT prevents the security algorithms from working because the public address of the packet has been changed.

There are also problems with IPsec packets when they are passed through firewalls which perform Network Address Translation (NAT), as explained by Dornan: '…it requires every user to have a well-defined public IP address' (Dornan 1999).    In fact, based on information in an article in Network Computing, NAT and IPsec appear to be totally incompatible.  The article discusses the Authentication Header (AH) of the IPsec protocol, which verifies that the source and destination IP addresses have not been altered: 'NAT and IPsec will fail because, by definition, NAT changes the IP addressing of the IP packet.  Any change in the IP packet will be flagged as a violation by AH' (Fratto 2000a).

One solution to the problem is reliance on a vendor-specific implementation like the Cisco 3000 line of products (Fratto 2000a).  However, RFC 2709 presents a method by which tunnel-mode IPsec can run through NAT (Mann 2000, Srisuresh 1999).
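The two statements above (AH fails behind NAT; tunnel-mode IPsec can survive it) follow from which bytes each integrity check covers. The following is an added illustration, not code from the paper or from any IPsec implementation: it computes an AH-style integrity check value (ICV) over an IPv4 header with the mutable fields zeroed, as RFC 2402 prescribes, then shows that a router's TTL decrement is tolerated while a NAT rewrite of the source address is not. For the tunnel-mode case it computes an ESP-style ICV that covers only the ESP header and the inner packet, so rewriting the outer header the gateway prepends does not disturb it. The key, SPI, sequence number and addresses other than those quoted in the paper are constructed values; HMAC-SHA256 truncated to 96 bits stands in for whatever algorithm a real security association would negotiate, and ESP encryption is omitted so that the integrity scope is the only thing on show.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key. Real IPsec keys come from IKE or manual configuration;
# the 96-bit truncation mirrors the ICV length AH and ESP use with HMAC.
KEY = b"constructed-demo-key-not-for-real-use"
ICV_LEN = 12
AH = 51   # IP protocol number of the Authentication Header
ESP = 50  # IP protocol number of the Encapsulating Security Payload


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; the header checksum is left at zero."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def zero_mutable_fields(hdr: bytes) -> bytes:
    """AH computes its ICV over the IP header with the fields that legitimately
    change in transit (TOS, flags/fragment offset, TTL, checksum) zeroed.
    The source and destination addresses are immutable, so they stay covered."""
    h = bytearray(hdr)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, zero_mutable_fields(hdr) + payload, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(hdr: bytes, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(hdr, payload), icv)


def decrement_ttl(hdr: bytes) -> bytes:
    """What every router on the path does; AH tolerates it."""
    h = bytearray(hdr)
    h[8] -= 1
    return bytes(h)


def nat_rewrite_source(hdr: bytes, public_src: str) -> bytes:
    """What a NAT device does on the way out: replace the private source address."""
    h = bytearray(hdr)
    h[12:16] = ipaddress.IPv4Address(public_src).packed
    return bytes(h)


def esp_tunnel_protect(inner_hdr: bytes, payload: bytes, gw_src: str, gw_dst: str,
                       spi: int = 0x1001, seq: int = 1):
    """ESP tunnel mode, integrity part only (encryption omitted): the ICV covers
    the ESP header and the whole inner packet, never the outer IP header the
    gateway prepends, so a NAT rewriting the outer header leaves it intact."""
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(KEY, esp_hdr + inner_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    outer = ipv4_header(gw_src, gw_dst, ESP, len(esp_hdr) + len(inner_hdr) + len(payload) + ICV_LEN)
    return outer, esp_hdr, inner_hdr, payload, icv


def esp_tunnel_verify(outer_hdr: bytes, esp_hdr: bytes, inner_hdr: bytes, payload: bytes, icv: bytes) -> bool:
    # outer_hdr is deliberately not part of the computation.
    expected = hmac.new(KEY, esp_hdr + inner_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


if __name__ == "__main__":
    payload = b"constructed application data"
    hdr = ipv4_header("10.0.1.94", "203.0.113.10", AH, len(payload))
    icv = ah_icv(hdr, payload)
    print("AH after router hop :", ah_verify(decrement_ttl(hdr), payload, icv))
    print("AH after NAT        :", ah_verify(nat_rewrite_source(hdr, "202.53.48.225"), payload, icv))
    outer, esp_hdr, inner, pl, ticv = esp_tunnel_protect(hdr, payload, "10.0.1.1", "203.0.113.1")
    print("ESP tunnel after NAT:", esp_tunnel_verify(nat_rewrite_source(outer, "202.53.48.225"),
                                                     esp_hdr, inner, pl, ticv))
```

The private address 10.0.1.94 and the public address 202.53.48.225 are the ones the paper uses in section 6.1; 203.0.113.x and 10.0.1.1 are constructed. The NAT case fails for AH not because the packet is damaged but because the address is exactly what AH promises to authenticate, which is the point Fratto makes; ESP tunnel mode passes because the translated header is outside the authenticated bytes (the separate problem of NAT rewriting transport-layer checksums inside an encrypted payload is what RFC 2709 addresses and is not modelled here).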

5 THE EFFECT OF HACKING

The source of information in this chapter comes from the well-known book by McClure, Scambray and Kurtz, 'Hacking Exposed' (1999).  The hacking process starts with the identification or finding of the hacking target and then scanning it to find out its vulnerabilities.  The scanning of a server, a computer or a network on the Internet involves most often using one of many generally available port scanner applications.  Port scanners and other hacking tools give information about vulnerabilities in the target network. They use known vulnerabilities in the TCP/IP protocol.  The tools and exploits most often used by hackers are:

(McClure et al. 1999, pp. 31-6)

One of the more challenging tasks for a young hacker is to identify the type of firewall device the current target uses (McClure et al. 1999, p. 320).  Most of the scanning techniques used in hacking rely on the need for systems to accept certain transactions, like ICMP Echo, commonly known as ping, that provide information about the network host.  ICMP (Internet Control Message Protocol) has 'a few security problems and is often used in denial-of-service (DoS) attacks' (Eldridge 2001).  Another vulnerable, but still necessary, function used by every browser application is the Domain Name Service (DNS).

Hacking has turned the original openness and principles of sharing and trust on the Internet to their exact opposites, undermining the confidence and security of all Internet users.   Because of the dependence of the world economy and information exchange on the Internet, a change of direction is needed to keep the Internet usable in the future.

6 NEW DEVELOPMENTS

6.1 IP version 6

The current Internet Protocol version 4 (IPv4) has been used since the early stages of the Internet.   Christian Huitema has used the progressive number of IP addresses on the Internet and extrapolated the time scale until the available IP addresses run out.  He came to the conclusion that the 32-bit addresses in the IPv4 scheme will run out some time between 2002 and 2009 (Huitema 2001).

The 128-bit address scheme of the Internet Protocol version 6 (IPv6) supports a much larger quantity of addresses, 10 to the 38th power (Mace 2000).   This means that the current practice can stop, where an organisation has just one 'real' IP address and a Network Address Translation (NAT) function in routers or firewall appliances presents the internal network address, e.g. 10.0.1.94 or 192.168.1.87, to the outside world as the organisation's real IP address, e.g. 202.53.48.225.  In IPv6 each workstation can retain its identity by having a real IPv6 address (King et al. 2000, p.11).

Diagrams showing the header structure in IPv4 and IPv6 are included in Appendix 2.   The designers of the new packet format for IPv6 have aimed for simplicity by deciding on a fixed-length header with fewer fields than the header of the IPv4 packet (King et al. 2000, p.21).

Interoperability of the old standard and the new standard is essential, to avoid disruption of business during gradual migration from the older standard to version 6. The questions about the functioning of current hardware and software and conversion from IPv4 to IPv6 have been addressed in a number of RFC documents (Templin 2001).

IPv6 allows individual addresses to be allocated to mobile devices (King et al. 2000, p. 10), even to household appliances (Horikiri & Yomogita 2001).  Because IPv6 has a 128-bit address, it can contain the unique address of the computer's Ethernet card or its factory-assigned serial number.  IPv6 also allows a random number to be used in the address instead, which would satisfy privacy watchdogs (Mace 2000).  A few years ago PC users reacted negatively to Intel's plan to make the unique serial number of its Pentium microprocessors available to PC software applications.  It will be interesting to see how the need to identify individual IPv6 hardware in worldwide networks is going to be resolved in practice.

6.2 IPv6 And Security

IPv6 contains a security feature called Neighbour Discovery (ND) to prevent address spoofing in local networks (Mace 2000, p. 84).  The new security features of IPv6 are supported by security header extensions (King et al. 2000, p.9).

In "transport-mode" encryption some message headers are not encrypted. In spite of the performance penalty of high-level encryption, full protection of the traffic requires that the whole message be encrypted: "…Fully encrypted datagrams are somewhat more secure than transport mode encryption because the headers of the fully encrypted packet are not available for traffic analysis." (King et al. 2000, pp. 29-30)

Encapsulating Security Payload (ESP) provides a high level of encryption at the network layer, layer 3 of the OSI model (King et al. 2000, p.28).  This means that the information stored by and provided about the upper layers of the OSI model (transport, session, presentation and application; Carr & Snyder 1997, pp.234-41) is encrypted and secure.

IPv6 also fixes a design problem in IPv4, where the specification included the option to store Source Routing information so that the return message can be transmitted following the source route in reverse order.  Using this option makes the interchange of messages vulnerable to interception and subsequent impersonation, but in IPv6 the recipient does not have to follow the source route information (King et al. 2000, p.25).
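Two points in this section, the difference between transport-mode and tunnel-mode ESP in what is left readable for traffic analysis, and the source-routing weakness of IPv4, are easiest to see on the wire. The block below is an added example, not code from the paper or from any IPsec implementation. Its first half builds an ESP packet in each mode and reports what a passive observer without the key can read; the encryption is a labelled stand-in keystream derived with SHA-256, since the packet layout rather than the cipher is the point, and the ESP authentication data is omitted. Its second half is a small header parser for both IP versions, which shows the variable-length IPv4 header (IHL and options) beside the fixed 40-byte IPv6 header and flags the IPv4 loose and strict source route options (RFC 791 option types 131 and 137) and the IPv6 Routing extension header (next-header value 43, RFC 2460) that a border filter would normally drop. Addresses, SPIs and payloads are constructed; 10.0.1.94, 192.168.1.87 and 202.53.48.225 are the ones the paper uses in section 6.1.

```python
import hashlib
import ipaddress
import struct

ESP, IP_IN_IP, TCP = 50, 4, 6          # protocol / next-header numbers
IPV4_LSRR, IPV4_SSRR, IPV6_ROUTING_HEADER = 131, 137, 43
SOURCE_ROUTE_NAMES = {IPV4_LSRR: "LSRR", IPV4_SSRR: "SSRR"}
KEY = b"constructed-demo-key-not-for-real-use"   # constructed; stands in for a negotiated ESP key


def keystream(spi: int, seq: int, n: int) -> bytes:
    """Demo stand-in for a block cipher: SHA-256 in counter mode under KEY."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:n]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """IPv4 header: 20 fixed bytes plus options padded to 32 bits, IHL counts both."""
    options += b"\x00" * (-len(options) % 4)
    ihl = (20 + len(options)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes = b"") -> bytes:
    """IPv6 header: always 40 bytes; anything extra is an extension header in the payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def esp_encapsulate(spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP layout: SPI, sequence number, encrypted body ending in the trailer
    (pad length, next header). Authentication data omitted in this demo."""
    body = plaintext + bytes([0, next_header])
    return struct.pack("!II", spi, seq) + xor(body, keystream(spi, seq, len(body)))


def esp_decapsulate(esp: bytes):
    """Returns (next_header, plaintext)."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = xor(esp[8:], keystream(spi, seq, len(esp) - 8))
    return body[-1], body[:-2]


def transport_mode(src: str, dst: str, segment: bytes, spi: int = 0x1001) -> bytes:
    """The hosts' own IP header stays in clear; only the transport segment is encrypted."""
    return build_ipv4(src, dst, ESP, esp_encapsulate(spi, 1, segment, TCP))


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, spi: int = 0x2002) -> bytes:
    """The whole original packet is encrypted behind a new header naming only the gateways."""
    return build_ipv4(gw_src, gw_dst, ESP, esp_encapsulate(spi, 1, inner_packet, IP_IN_IP))


def observer_view(packet: bytes) -> dict:
    """What a passive observer can read: outer addresses, protocol, SPI and sequence."""
    p = parse_ip(packet)
    spi, seq = struct.unpack("!II", packet[p["header_len"]:p["header_len"] + 8])
    return {"src": p["src"], "dst": p["dst"], "protocol": p["protocol"], "spi": spi, "seq": seq}


def parse_ipv4_options(opts: bytes) -> list:
    found, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation, one byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IPv4 option")
        found.append((kind, opts[i + 2:i + opts[i + 1]]))
        i += opts[i + 1]
    return found


def parse_ip(pkt: bytes) -> dict:
    version = pkt[0] >> 4
    if version == 4:
        ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        if ihl < 20 or ihl > len(pkt):
            raise ValueError("bad IHL")
        return {"version": 4, "header_len": ihl, "total_len": total_len, "ttl": ttl, "protocol": proto,
                "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
                "options": parse_ipv4_options(pkt[20:ihl])}
    if version == 6:
        first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
        return {"version": 6, "header_len": 40, "payload_len": payload_len, "protocol": next_hdr,
                "hop_limit": hop_limit, "flow_label": first & 0xFFFFF,
                "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}
    raise ValueError(f"unknown IP version {version}")


def source_routing_flags(parsed: dict) -> list:
    """Defender-side check: which source-routing mechanisms the header carries."""
    if parsed["version"] == 4:
        return [SOURCE_ROUTE_NAMES[k] for k, _ in parsed["options"] if k in SOURCE_ROUTE_NAMES]
    return ["IPv6-Routing-Header"] if parsed["protocol"] == IPV6_ROUTING_HEADER else []


# Constructed samples: an LSRR option (type, length 11, pointer 4, two hops) and a bare Routing header.
LSRR_OPTION = bytes([IPV4_LSRR, 11, 4]) + ipaddress.IPv4Address("198.51.100.1").packed + ipaddress.IPv4Address("203.0.113.10").packed
SAMPLE_V4_LSRR = build_ipv4("10.0.1.94", "203.0.113.10", TCP, b"payload", LSRR_OPTION)
SAMPLE_V6_ROUTING = build_ipv6("2001:db8:1::1", "2001:db8:2::1", IPV6_ROUTING_HEADER, bytes([TCP, 0, 0, 0, 0, 0, 0, 0]))
```

Running observer_view over a transport-mode packet returns the real host addresses, while over a tunnel-mode packet it returns only the two gateways; the SPI and sequence number are visible in both, since ESP needs them to find the security association. The parser shows the other half of the argument: an IPv4 header can be 20 to 60 bytes and may carry a source route option, whereas the IPv6 header is always 40 bytes and any routing information is a separate extension header that can be filtered or ignored by policy.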

A summary of a number of security threats inherent in IPv4 and the way IPv6 counters them has been included in Appendix 3.

6.3 PC and Server Hardware

When computers communicate with other computers, e.g. when connecting to a firm's computer network remotely, it is important to establish a secure, protected link, rather than exposing company confidential information in clear text form while in transit.  If two computer users want to secure the exchange of information, they can encrypt the data using a security protocol or a Virtual Private Networking (VPN) connection.

A number of current security protocols have originated from proprietary products developed by hardware and software vendors.  Microsoft released their Windows 2000 Professional and Server operating systems in early 2000.  The Windows 2000 operating system is now a de facto standard in the Personal Computer marketplace.  VPN capability is part of the Windows 2000 implementation of the TCP/IP protocol.  Microsoft and Cisco originally developed the Layer 2 Tunneling Protocol (L2TP) that is included in the Windows 2000 version of IPsec. Microsoft proposed L2TP to the Internet Engineering Task Force (IETF) as a standard for remote access tunneling (Messmer 2000). One of the IETF working groups is currently specifying how Microsoft's L2TP protocol can be encapsulated in the IPsec protocol (Patel 2001, p.1).  It is in the interest of all computer users that standards are developed following general design principles, rather than being tied to individual manufacturers and their products and proprietary technology, however dominant those manufacturers may be.

Computer manufacturers are developing new products supporting the latest Internet protocols.  Apple has already released their MacOS X operating system with a development kit for IPv6 and IPsec this year.   Microsoft is planning to release their Windows XP operating system, supporting IPv6, in 2002. 

Network card manufacturers like Intel have released network cards which speed up the processing needed for encryption functions and the IPsec protocol (Messmer 2000).    These cards have special processors, designed to perform the encryption functions using 'up to 168-bit, triple Data Encryption Standard (3DES) encryption' (Swoyer 2000 p.1).

It is expected that routers and other networking equipment from several manufacturers that support IPv6 will be available in 2002 (Horikiri & Yomogita 2001).

6.4 IPv6 Networking Features

IPv6 has a function to auto-configure addresses in local area networks, which assists in the administration and dynamic allocation of IP addresses (King et al. 2001, p.11).  The auto-reconfiguration of addresses will help overworked network administrators greatly when two IPv6 networks have to be merged (Mace 2000).

The Dynamic Host Configuration Protocol (DHCP) will continue to be part of local area network systems.  The new version, DHCPv6, contains new authentication services, but they will not be mandatory because of the nature of the DHCP service - the client PC cannot establish the identity of the server until after the initial DHCP configuration has happened (Prigent et al. p.16).  The confidentiality of the messages exchanged with a DHCPv6 server can only be maintained if the client system has a shared secret with the server, which can be used as the encryption key (Prigent et al., p.10).

The Domain Name System (DNS) protocol has been extended with security extensions as part of IPv6.  These extensions support digital certificates and Public Key Infrastructure (PKI) to assist in providing data authentication and integrity services (Rose 2001).

7 FUTURE EXPECTATIONS

7.1 Larger IP address space

The IPv6 and IPsec protocols are the Internet community's response to a number of urgent needs.  IPv6 compliant hardware and software will be able to support a much larger IP address space into the foreseeable future.  The structure of IPv6 addressing will guarantee companies the availability of ranges of real IP addresses for all devices, without using NAT (King et al. 2000, p. 8).   Mobile devices, including mobile phones and Personal Digital Assistants (PDAs), will be part of the addressing schemes of future networks, with unique IPv6 addresses (Nokia 2001).

The transition from IPv4 to IPv6, starting from hosts and routers, will take a number of years.  The specifications of IPv6 have covered the co-existence of IPv4 and IPv6 networks, where migration to IPv6 happens while IPv4 is still widely used. According to the specifications, two IPv6 hosts can communicate via an IPv4 network (King et al. 2000, pp. 16-18).

However, depending on how each network communication application handles the actual network functions or IP addresses, the network applications may need to be updated to support IPv6 (King et al. 2000, p.18).

7.2 Secure Remote Access

Compared with the current status of the Internet relying on the IPv4 architecture, networks based on IPv6 will have better structure and more efficient routing facilities.  Each network device will have its unique IPv6 address and networks will not need to use NAT.  IPsec based VPNs can be used based on shared secrets for the authentication of the client and the server so that the traffic can be encrypted.  Because of the difficulty and security risks involved in distributing the shared secret pass phrase or password, large scale implementations will need to use digital certificates and authentication using a Certification Authority (CA), as recommended by Yuan (2000).

The SSH protocol is an example of how remote logins and other secure network services can be made available over insecure networks.  The protocol was developed by SSH Communications Security Oy in 1995 and it is now at an Internet-Draft stage (Ylonen et al. 2001).  An example of products using the SSH protocol is SSH Sentinel.  It supports the IPsec standards and PKI mechanisms, VPN and traversal of NAT functions (SSH Communications Security Oy 2001).

7.3 Protection from Hackers

Different techniques have been proposed to combat the threats from hacking activities.

Suggestions have been made to use Artificial Intelligence (AI) based software packages to compare patterns of network traffic to normal traffic and once an intrusion like Denial of Service (DOS) is detected, locate and identify the perpetrator (Vizard 2001).  On the other hand, astute network administrators prefer proactive measures like using a set of software tools to assess the vulnerability of their network and servers to various attacks.  However, doubts have been expressed about the reliability of such assessment, compared to a review performed by 'an ethical hacker' (Street 2001).

The improved facilities provided by the new version of the Internet Protocol, IPv6, include individual IP addresses for every device communicating on the Internet.  Secure authentication is also a standard part of the IP protocols, including support from the Domain Name System (DNS).  It is therefore conceivable that at least some parts of the Internet and its services are going to implement security measures that require secure establishment of the identity of each computer joining the network.

The improvements in the design of the IPv6 packet header and the logical addressing structure of IPv6 will contribute to more efficient handling of all the packet routing information in the traffic the network nodes and ISPs have to process.  Therefore it can be expected that extra processing power is left for some level of filtering of the traffic, following the flow of IP packets from each source and determining the patterns and the intentions of the originator of the traffic at the application level.  Any suspect traffic from non-identified, non-authenticated source could be blocked and denied access to resources.

8 CONCLUSION

In the last few years the Internet has transformed not just the infrastructure of computer networks but also the nature of communications worldwide.   An increase in hacking activities on the Internet has been part of this development.  It is important that the integrity of data and the availability of the Internet as the communications medium are protected.

The new version of the Internet Protocol, IPv6, when fully implemented with its address structure, will improve network management functions in general and the security of the Internet in particular.  The deployment of the Public Key Infrastructure in conjunction with individual IP addresses and Domain Name System services has the capacity to provide secure authentication mechanisms and integrity of data transfers.  The new facilities will hopefully also help to block, or at least track down, the perpetrators of network intrusions.

Existing proprietary de facto standards like Microsoft's Layer 2 Tunneling Protocol and SSH Communications Security Oy's SSH protocol are being incorporated into the Internet standards maintained by the workgroups of the Internet Engineering Task Force.   The ongoing task of developing and refining specifications is huge but the already available standards and working drafts indicate that the deployment of the planned security protocols will make the Internet more reliable to the users and safer to their systems.


9 GLOSSARY OF ABBREVIATIONS

ADSL - Asymmetric Digital Subscriber Line
ARP - Address Resolution Protocol, part of IPv4
CA - Certificate Authority
DDOS - Distributed Denial of Service
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name System
DOS - Denial of Service
ESP - Encapsulating Security Payload
ICMP - Internet Control Message Protocol
IETF - Internet Engineering Task Force
IIS - Internet Information Server
IKE - Internet Key Exchange
IP - Internet Protocol
IPsec - Secure IP
IPv4 - Internet Protocol version 4, the current standard
IPv6 - Internet Protocol version 6, the new standard with larger address base
ISO - International Standards Organisation
NAT - Network Address Translation
ND - Neighbour Discovery, part of IPv6, replacing ARP
OSI - Open Systems Interconnection, defined by International Standards Organisation (ISO)
PDA - Personal Digital Assistant
Ping - Packet Internet Groper
RFC - Request for Comment
SMTP - Simple Mail Transfer Protocol
SA - Security Association
VPN - Virtual Private Networking
WLAN - Wireless Local Area Network


10 REFERENCES

Adam, L. 2000, 'Emerging VPN standards', IT Week (UK), April 10, v3 i14 p73

Bradner, S. 1996, The Internet Standards Process - Revision 3 [Online], Available: http://www.ietf.org/rfc/rfc2026.txt, [Accessed 9 Sept 2001]

Breiling, S., Plato, A. & Winters, K. 2001, BlackICE Defender User's Guide - Version 2.5, Network ICE Corporation, Available: www.networkice.com/support/documentation.html

Carr, H. & Snyder, C. 1997, The Management of Telecommunications - Business Solutions to Business Problems, Irwin/McGraw-Hill, Boston et al.

Chidi, G. 2000, 'Another hacker hits Microsoft' [Online], The Industry Standard (IDG Communications), Nov 3, Available: http://www.thestandard.com/article/0,1902,19948,00.html, [Accessed 23 Sept 2001]

CERT 2001, 'CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow in IIS Indexing Service DLL' [Online], Available: http://www.cert.org/advisories/CA-2001-19.html, [Accessed 22 Sept 2001]

Dornan, A. 1999, 'IPsec Alert (security experts warn of problems with protocol)', Data Communications, Oct 7 p13

Eldridge, B. 2001, 'Firewall Configuration Mistakes' [Online], SC Magazine, August, Available: http://www.scmagazine.com/scmagazine/sc-online/2001/article/031/article.html, [Accessed 15 Sept 2001]

Evers, J. 2001, 'Code Red floods helpdesks, not Internet' [Online], IDG News Service, 3 August, Available: http://www.idg.net/spc_662426_7632_1-622.html, [Accessed 22 Sept 2001]

Fratto, M. 2000, 'The Trouble With Multivendor IPsec', Network Computing, March 20 p.98

Fratto, M. 2000a, 'Why Can't IPSec and NAT Just Get Along?', Network Computing, Nov 27 p.116

Horikiri, C. & Yomogita, H. 2001, 'IPv6 Internet Protocol Comes of Age' [Online], Available: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/fw/135346, [Accessed 15 Sept 2001]

Huitema, C. 2001, 'IPv6 - How long can we wait?' [Online], Available: http://www.huitema.net/ipv6/howlong.html, [Accessed 15 Sept 2001]

Internet Storm Centre 2001, [Online], Available: http://www.incidents.org/isw/iswp.php, [Accessed 19 Sept 2001]

The Internet Engineering Task Force 2001, Request for Comments [Online], Available: http://www.ietf.org/rfc.html, [Accessed 9 Sept 2001]

'ISP Security Opinion' 2001, [Online], Available: http://www.attrition.org/~null/isp.html, [Accessed 9 Sept 2001]

Kent, S. & Atkinson, R. 1998, 'Security Architecture for the Internet Protocol' [Online], Available: http://www.ietf.org/rfc/rfc2401.txt, [Accessed 22 Sept 2001]

King, S., Fax, R., Haskin, D., Ling, W., Meehan, T., Fink, R. & Perkins, C. 2000, 'The Case for IPv6' [Online], Available: http://www.ipv6.org/draft-iab-case-for-ipv6-06.txt, [Accessed 14 Sept 2001]

Lee, C. 2001, 'Wireless LANs face hacking threat' [Online], Available: http://news.zdnet.co.uk/story/0,,t269-s2093740,00.html, [Accessed 9 Sept 2001]

Mace, S. 2000, 'Enter IPv6 (the Internet Engineering Task Force's Internet Protocol version 6)', Boardwatch Magazine, Feb v14 i2 p84

Mann, K. 2000, 'IPSec and NAT for VPNs', IT Week (UK), Nov 27 v3 i45 p84

Masud, S. 2001, 'Public VPNs: Making the Internet Safer', Telecommunications, Feb v35 i2, p.40

McClure, S., Scambray, S. & Kurtz, G. 1999, Hacking Exposed - Network Security Secrets and Solutions, Osborne McGraw-Hill, Berkeley CA (links available from http://www.hackingexposed.com)

Messmer, E. 2000, 'Intel adapters handle IPSec encryption processing; IPSec said to put heavy processing burden on host CPU', Network World, Jan 24

Network ICE Corporation 2001, 'Network ICE VPN Solutions' [Online], Available: http://www.networkice.com/products/vpn.htm, [Accessed 27 July 2001]

Nokia 2001, IPv6 Nokia FAQ [Online], Available: http://www.nokia.com/ipv6/faq.html, [Accessed 15 Sept 2001]

Oliver, R. 2001, 'Countering SYN Flood Denial-Of-Service Attacks' [Online], Available: http://www.tech-mavens.com/synflood.htm, [Accessed 2 Sept 2001]

Patel, B., Aboba, B., Dixon, W., Zorn, G. & Booth, S. 2001, 'Securing L2TP using IPsec' [Online], Available: http://www.ipv6.org/draft-ietf-l2ptext-security-06.txt, [Accessed 14 Sept 2001]

Prigent, N., Marchand, J., Dupont, F., Cousin, B., Laurent-Maknavicius, M. & Bournelle, J. 2001, 'DHCPv6 Threats' [Online], Available: http://search.ietf.org/internet-drafts/draft-prigent-dhcpv6-threats-00.txt, [Accessed 19 Sept 2001]

Rose, S. 2001, 'DNS Security Document Roadmap' [Online], Available: http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-roadmap-04.txt, [Accessed 20 Sept 2001]

Showalter, M. 2000, 'The Best Place For A Firewall - network based firewalls vs. CPE-based firewalls', Boardwatch Magazine, Feb v14 i2 p88

Srisuresh, P. 1999, 'Security Model with Tunnel-mode IPsec for NAT Domains' [Online], Available: http://www.ietf.org/rfc/rfc2709.txt?number=2709, [Accessed 22 Sept 2001]

SSH Communications Security Oy 2001, 'SSH Sentinel' [Online], Available: http://www.ssh.com/products/sentinel/, [Accessed 23 Sept 2001]

Street, M. 2001, 'Tool copies hackers to detect flaws', IT Week [Online], Available: http://news.zdnet.co.uk/story/0,,t269-s2094843,00.html, [Accessed 9 Sept 2001]

Swoyer, S. 2000, 'IPSEC Protects Networks Inside and Out', ENT, Nov 22, v5 i19 p.28

Taylor, S. 2000, 'Enhanced VPNs: Next-Gen Strategies', Telecommunications, Sept, v34 i9 p.75

Templin, F. 2001, 'Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)' [Online], Available: http://www.ietf.org/internet-drafts/draft-ietf-ngtrans-isatap-01.txt, [Accessed 15 Sept 2001]

Tims, R. 2001, 'Social Engineering: Strict Policies and Education A Must' [Online], Available: http://www.sans.org/infosecFAQ/social/policies.htm, [Accessed 22 Sept 2001]

Van Dijk, S. 2001, 'Nimda Hits Parliament House' [Online], The Industry Standard (IDG Communications), Sept 21, Available: http://www.thestandard.com.au/articles/display/0,1449,15186,00.html?home.tf, [Accessed 23 Sept 2001]

Vizard, M. 2001, 'Arbor Networks chief strategist has a plan and a product to stop denial of service attacks', InfoWorld [Online], Available: http://www.idg.net/crd_idgsearch_2.html?url=http://www.infoworld.com/articles/hn/xml/01/09/07/010907hnjulian.xml, [Accessed 9 Sept 2001]

Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. & Lehtinen, S. 2001, 'SSH Protocol Architecture' [Online], Available: http://www.ietf.org/internet-drafts/draft-ietf-secsh-architecture-09.txt, [Accessed 20 Sept 2001]

Yuan, R. 2000, 'IPSec VPNs with Digital Certificates', Telecommunications, August v34 i8 p84

APPENDIX 1                PORT PROBES

Example 1       Port Probes On Dial-Up Connection

[Port probe log not reproduced in this copy]

The above port probes were recorded on a home PC, connected to the Internet via a dial-up connection.

Example 2       Port Probes On Cable Connection

[Port probe log not reproduced in this copy]

These port probes were recorded on a home PC, connected to the Internet via the Bigpond cable.

APPENDIX 2                IP HEADER FORMATS

      +-------+-------+---------------+-------------------------------+
      |Version| 4 bits|    8 bits     |         16 bits               |
      | == 4  |  IHL  |Type of Service|       Total Length            |
      +-------+-------+---------------+-------------------------------+
      |            16 bits            | 4 bits|       12 bits         |
      |        Identification         | Flags |    Fragment Offset    |
      +-------------------------------+-------------------------------+
      |     8 bits    |    8 bits     |         16 bits               |
      | Time to Live  |   Protocol    |       Header Checksum         |
      +-------------------------------+-------------------------------+
      |                            32 bits                            |
      |                         Source Address                        |
      +---------------------------------------------------------------+
      |                            32 bits                            |
      |                      Destination Address                      |
      +---------------------------------------------------------------+
      :                         0 or more bits                        :
      :                           IP options                          :
      +---------------------------------------------------------------+

                      Figure 5: IPv4 Header Format

      +-------+---------------+---------------------------------------+
      |Version|    8 bits     |             20 bits                   |
      | == 6  | Traffic Class |            Flow Label                 |
      +-------+---------------+-------+---------------+---------------+
      |            16 bits            |    8 bits     |    8 bits     |
      |         Payload Length        |  Next Header  |   Hop Limit   |
      +-------------------------------+---------------+---------------+
      |                            128 bits                           |
      |                                                               |
      |                         Source Address                        |
      +---------------------------------------------------------------+
      |                            128 bits                           |
      |                                                               |
      |                      Destination Address                      |
      +---------------------------------------------------------------+

                      Figure 6: IPv6 Header Format

            (Source:   King et al. 2000, p. 22)
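The two header layouts above are exactly what a firewall or intrusion detector has to decode before it can apply any address- or protocol-based rule, and a parser that is sloppy about the version nibble, the IHL field or truncated packets is itself a weak point. The following parser is an added example written for this edition of the paper; it is not code from the paper or from King et al. It walks the fixed fields of Figures 5 and 6, recomputes the IPv4 header checksum (IPv6 has no header checksum, as Figure 6 shows), and rejects the malformed cases a defender would want flagged. The build_ipv4 and build_ipv6 helpers and the addresses used in them are assumptions introduced only to construct sample packets offline.

```python
import struct
from ipaddress import IPv4Address, IPv6Address


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791), checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the 20-byte fixed header plus options (Figure 5)."""
    if len(packet) < 20:
        raise ValueError("truncated: IPv4 header needs at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("version nibble is %d, expected 4" % version)
    if ihl < 5:
        raise ValueError("IHL %d is below the 5-word minimum" % ihl)
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("truncated: IHL claims %d header bytes" % header_len)
    header = packet[:header_len]
    computed = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,           # top 3 bits: reserved, DF, MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        "header_checksum": csum, "checksum_ok": computed == csum,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "options": header[20:], "payload": packet[header_len:],
    }


def parse_ipv6(packet: bytes) -> dict:
    """Decode the 40-byte fixed header (Figure 6); no checksum field exists."""
    if len(packet) < 40:
        raise ValueError("truncated: IPv6 header is 40 bytes")
    (first_word, payload_len, next_header,
     hop_limit, src, dst) = struct.unpack("!IHBB16s16s", packet[:40])
    version = first_word >> 28
    if version != 6:
        raise ValueError("version nibble is %d, expected 6" % version)
    return {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header, "hop_limit": hop_limit,
        "src": str(IPv6Address(src)), "dst": str(IPv6Address(dst)),
        "payload": packet[40:],
    }


def parse_ip(packet: bytes) -> dict:
    """Dispatch on the version nibble, the one field both headers share."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        return parse_ipv4(packet)
    if version == 6:
        return parse_ipv6(packet)
    raise ValueError("unknown IP version %d" % version)


def is_well_formed(packet: bytes) -> bool:
    """True only if the header parses and, for IPv4, the checksum verifies."""
    try:
        fields = parse_ip(packet)
    except ValueError:
        return False
    return fields.get("checksum_ok", True)


# Assumed helpers: build sample packets for the demonstration (not from the figures).
def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1,
               ttl: int = 64, ident: int = 0x1234) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000, ttl, proto, 0,            # 0x4000: DF flag set
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 58,
               hop_limit: int = 64, flow_label: int = 0) -> bytes:
    first_word = (6 << 28) | flow_label         # traffic class left at 0
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header,
                       hop_limit, IPv6Address(src).packed,
                       IPv6Address(dst).packed) + payload
```

A packet whose TTL byte is altered in transit, whose IHL is below 5, or which is cut short of its claimed header length is reported as not well formed; the IPv6 path has fewer checks only because the fixed header carries no options and no checksum, which is part of why the paper's Appendix 3 lists authentication and integrity as IPv6 header extensions rather than base-header fields.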

APPENDIX 3          SECURITY THREATS IN IPv4

SECURITY THREATS IN IPv4 AND HOW IPv6 COUNTERS THEM

Page references in the DESCRIPTION column are to King et al.

THREAT               | DESCRIPTION                                                                                              | DEFENCE OPTIONS: IPv4                                               | DEFENCE OPTIONS: IPv6
---------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|--------------------------------------------
Packet Spoofing      | Impersonation (source address masquerading) fools a server to grant access to data and resources (p.9-10, 29); Denial of Service attacks (p.10) | Firewall devices (no facilities in IPv4 protocol)                   | Authentication, integrity checking
Packet Sniffing      | Eavesdrop network traffic (p.10)                                                                         | Header extension for end-to-end encryption defined but not in wide use | Header extension for end-to-end encryption
Reverse Source Route | Impersonation (p.25)                                                                                     | Reverse source route option fallen out of use                       | No need to use reverse source route
NAT devices          | NAT causes difficulty in setting up VPNs (p.7-8)                                                         | NAT the only option because of lack of addresses                    | No need to use NAT after transition to IPv6

Source: King et al. 2001