<option value="/reference/dir.multimediaandgraphicdesign1.html">Multimedia
			<option value="/reference/dir.networkservices1.html">Networks 
			<option value="/reference/dir.operatingsystems.html">OS
			<option value="/reference/dir.productivityapplications1.html">Prod Apps
			<option value="/reference/dir.programminglanguages.html">Programming
			<option value="/reference/dir.security1.html">Security	
			<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
			<option value="/reference/dir.userinterfaces.html">UI
			<option value="/reference/dir.webservices.html">Web Services
			<option value="/reference/dir.webmasterskills1.html">Webmaster
			<option value="/reference/dir.y2k1.html">Y2K
			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=136-139//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="134-136.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="139-141.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>How Likely Is Impersonation?</B></FONT></P>
<P>Executing a successful address impersonation attack depends on several factors. First, the hacker must be able to drop packets with forged addresses onto the IP stack either by writing a program or using one of the readily available tools for doing so. Next, the location of the user&#146;s attacking station must be such that it is possible for the forged packet to be delivered. Some network routers and firewalls are configured to drop a packet unless the source address of the packet is within a range, fits a pattern, or matches an entry in a table. Therefore,  the network on which the attacker is working may not deliver the packet beyond the attacker&#146;s network boundary. If such filters exist on the network, the hacker also needs to compromise the filter source (firewall or router). Because many ISPs do not bother to block outbound source address impersonation, attacks often originate from public Internet provider locations.
</P>
<P>When the attacker&#146;s node is on the same subnet as the forged address, the impersonation attack is easier. The same is true if (as standard policy) the faked packets are routed to the subnet of the attacked node, such as the routing of packets between subnets of a university network.</P>
<P>What else is necessary if the goal is to <I>receive</I> traffic for a forged node and not just flood the victim with ICMP Reply messages? The simple answer is that the impersonated system must be unable to carry out its half of the communication session. The forged node must be unavailable. You can disable a node in a number of ways. The hacker with physical access can walk up to the node and turn it off. As a fallback, the node can be flooded with network packets, even from another dedicated node acting in cohort with the attacker&#146;s node.</P>
<P><FONT SIZE="+1"><B>Open Networks and Denial-of-Service Attacks</B></FONT></P>
<P>Can you stop an unknown person from continually barraging your publicly published phone number with prank calls? Unfortunately, the answer is &#147;No.&#148; A determined person can reprogram cell phone numbers, migrate from one public pay phone to another, enlist the help of numerous helpers to initiate calls from public phones all over the world, or choose from a variety of other techniques that hide true identity. This is the problem with anonymous source connections. Only if you forced all inbound calls to your house to provide strong authentication could you prevent this attack. Oh, you also can request an unlisted number, but that would hardly be useful if the phone number was for your business. <I>If the number must be public, you can do little to prevent denial-of-service attacks</I>.</P>
<P>The corollary in the Internet is true as well. If you have a publicly visible IP address, such as the one that identifies your business Web server to the world, you always will be open to some denial-of-service attacks. Some threats can be lessened by putting a filter, such as a router that blocks known denial-of-service attacks, between your node and the Internet. However, the attack has merely been shifted to the router, which will be burdened with analyzing and dropping the attack packets. Your Web server throughput will still be lessened if someone is launching denial-of-service packets in your direction.</P>
<P><FONT SIZE="+1"><B>Impersonation and Tracking</B></FONT></P>
<P>Another unfortunate consequence of open networks is that tracing activities to a specific, prosecutable individual is very difficult. A serious hacker will obtain stolen credit cards, use these to obtain Internet access from ISPs, and launch attacks from these accounts even if address impersonation is not needed. Poor physical and configuration security at publicly available Internet terminals also offer nodes from which address impersonation attacks can be launched. As long as the network is open by design, and anonymous connections are permitted, true accountability for network behavior will remain illusive.
</P>
<P>Address impersonation is a particularly threatening attack because it can lead to loss of confidentiality, integrity, and availability. A hacker, who can trick another node into sending information, might be able to gain access to confidential information such as passwords. The ability to fake an address and inject forged messages into the network can be used to trick another node into altering data and violating its integrity. Finally, the pizza attack shows how availability can be impacted. All of these concerns about IP can be summed up in one statement:</P>
<DL>
<DD><I>Authentication based only on IP address is not secure unless cryptography is added to prove the authenticity of the addresses</I>.
</DL>
<H4 ALIGN="LEFT"><A NAME="Heading19"></A><FONT COLOR="#000077">IPsec</FONT></H4>
<P>To improve upon the security of IP, the IPsec standard was introduced. The purpose of IPsec is to provide confidentiality, integrity, authentication, and nonrepudiation of IP packets in a network. The design of IPsec is flexible enough to support a variety of encryption and hashing algorithms to protect the packets. At the heart of IPsec is the notion of a <I>security association</I> between two endpoints. The security association contains various parameters about the communication exchange including cryptographic algorithm options and choices, as well as session status information. IPsec does not define how the keys used in the session are obtained.</P>
<P>IPsec provides two alternatives called <I>Authentication Header</I> (AH) and <I>Encapsulation Security Payload</I> (ESP).</P>
<P><FONT SIZE="+1"><B>Authentication Header</B></FONT></P>
<P>If the environment is trying to prevent only tampering or impersonation of IP headers, and consequently of IP addresses, AH is sufficient. A cryptographic hash can be computed on the IP header and attached to the IP packet to provide authenticity and integrity. If public-key cryptography is exploited, nonrepudiation is also guaranteed. All values in the packet appear in the clear with AH because privacy is not a concern.
</P>
<P>How does this prevent address impersonation? Each half of the session shares a secret key. The packets sent between the communication endpoints are protected with a digital signature or secure message hash. In the simplest case, a cryptographic checksum is added to each packet to ensure its authenticity and optionally its integrity. Without knowledge of the secret key, impersonation is impossible. IPsec also provides facilities to prevent replay attacks based on previously authenticated packets.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="134-136.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="139-141.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->