Basic TrainingEditors: Michael Howard, michael.howard@microsoft.comJames A. Whittaker, jw@se.fit.edu

The first question to address iswhat we mean by “network secu-rity.” Several possible fields of en-deavor come to mind within thisbroad topic, and each is worthy of alengthy article. To begin, virtually allthe security policy issues raised inMatt Bishop’s book, Computer Secu-rity Art and Science,1 apply to networkas well as general computer securityconsiderations. In fact, viewed fromthis perspective, network security isa subset of computer security.

The art and science of cryptogra-phy and its role in providing confiden-tiality, integrity, and authenticationrepresents another distinct focus eventhough it’s an integral feature of net-work security policy. Readers lookingfor a good introduction (and more) tothis area should consider Practical Cryp-tography by Niels Ferguson and BruceSchneier.2

The topic also includes designand configuration issues for bothnetwork-perimeter and computersystem security. References in thisarea include Stephen Northcutt andcolleagues’ Inside Network PerimeterSecurity,3 the classic Firewalls and Net-work Security4 by Steven Bellovin andWilliam Cheswick, and too manyspecific system configuration textsto list. These are merely startingpoints for the interested novice.

The practical networking as-

pects of security include computerintrusion detection, traffic analysis,and network monitoring. This arti-cle focuses on these aspects becausethey principally entail a networkingperspective.

Network trafficTo analyze network traffic, we needa basic understanding of its composi-tion. In this regard, networking peo-ple often speak of flows and formats.Flow is a laconic reference to net-working protocols and the messagesthat travel back and forth betweentheir endpoints. Format refers to thestructure of the cells, frames, packets,datagrams, and segments (the awk-ward generic term is protocol dataunits) that comprise the flow.

The vast majority of networktraffic today uses the Internet Proto-col (IP) as its network-layer proto-col.5 IP addresses represent sourcesand destinations, and IP routerswork together to forward traffic be-tween them. Link-layer protocolssuch as Ethernet (IEEE 802.3),token ring, frame relay, and asyn-chronous transfer mode (ATM) for-ward IP packets, called datagrams,across many types of links.

Networks can be attacked atmultiple layers; here, I focus on thenetwork layer and the layer above it(the transport layer). The Internet

network layer is “unreliable,” mean-ing it doesn’t guarantee end-to-enddata delivery. To get reliable end-to-end service, a user invokes the Trans-port Control Protocol (TCP).

Figure 1 shows the format for anIP datagram; Figure 2 shows the for-mat for a TCP segment, which is theprotocol data unit associated withthe TCP protocol. These formatsare essential for understanding net-work traffic composition and some-thing of the methods that can beused to corrupt them.

TCP/IP traffic accounts formuch of the traffic on the Internet(although TCP isn’t typically usedfor voice or video traffic). Figure 3illustrates how a tool such as Ethereal(www.ethereal.com) can help cap-ture and analyze traffic.

We now have a fairly representa-tive picture of the traffic flowingacross the Internet. It consists of IPdatagrams (which can be carried in-side link-layer frames, for example)carrying higher-layer information,often including TCP segments.

Those with malicious intentcould misuse any of the fields shownin Figures 1 and 2. The attackerswould know the protocol’s intentand the rules to use to interpret theassociated formats and flows. Theycan create a networking attack bychanging values in any of thefields—any ensuing problems con-stitute attacks on the network. Spoof-ing, or changing the source address,lets an attacker disguise malicioustraffic’s origin.

Network intrusionsTypical network traffic consists ofmillions of packets per secondbeing exchanged among hosts on a

GERALD A.MARIN

FloridaInstitute ofTechnology

Writing a basic article on network security is

something like writing a brief introduction

to flying a commercial airliner. Much must

be omitted, and an optimistic goal is to en-

able the reader to appreciate the skills required.

Network Security Basics

68 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/05/$20.00 © 2005 IEEE ■ IEEE SECURITY & PRIVACY

Basic Training

LAN and between hosts on theLAN and other hosts on the Inter-net that can be reached via routers.Network intrusions consist ofpackets that are introduced specifi-cally to cause problems for any ofthe following reasons:

• to consume resources uselessly,• to interfere with any system re-

source’s intended function, or• to gain system knowledge that can

be exploited in later attacks.

The simplest example of a networkintrusion is probably the land attack.Some early IP implementations failedto take into account that a data-gram might be generated withidentical source and destination IPaddresses. Some older operatingsystems (and perhaps unpatchedones) simply crashed if they re-ceived such datagrams.

Somewhat more complicated isthe smurf attack in which an attackerspoofs the source address and sets itequal to the targeted machine’s ad-dress. The attacker then broadcastsan echo request to perhaps hun-dreds of machines on distant net-works—a capability provided bythe Internet Control Message Pro-tocol (ICMP). Each distant ma-chine responds to the received echorequest with an echo response mes-sage to the targeted IP address, thusoverwhelming the targeted ma-chine’s resources.

The teardrop attack is somewhatmore sophisticated in its use of theheader fields shown in Figure 1. IPversion 4 (IPv4) can break largedatagrams into sequences of smallerIP datagrams through a process re-ferred to as fragmentation. It uses cer-tain bit flags and the fragmentoffsetfield to ensure that the frag-ments can be reassembled at the des-tination (see Figure 1). In a teardropattack, an attacker sends fragmentsthat are purposely made to overlapso that they don’t fit together prop-erly at the destination. Again, older(or unpatched) operating systems

could have severe problems withsuch fragments.

DDoS attacksIn February 2000, hackers attackedseveral high-profile Web sites, in-cluding Amazon.com, Buy.com,CNN Interactive, and eBay, bysending large numbers of boguspackets with the intent of slowingor interrupting offered services.6

Many articles have since examinedthese attacks and potential de-fenses, and several Web sites offeroverviews, case histories, suggesteddefenses, and other resources. In

spite of all the work done in thisarea, the threat of DoS attacksremains, as high-profile attacks de-scribed periodically in the net-working trade press will attest.

Typically, a hacker launches a dis-tributed denial-of-service (DDoS)attack by issuing commands to “at-tack zombie” computer programsthat have penetrated unsuspectingusers’ machines via the Internet—perhaps propagated by viruses orworms, for example. Once present,the zombies allow hackers to lever-age user machines as part of an attackagainst a given target. Note that the

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 69

Figure 1. Internet datagram header format. As defined in RFC 791, Internet datagramsrunning under version 4 of the Internet Protocol (IPv4) carry most of today’s Internettraffic, although a newer version has been defined as IPv6. (The numbers across thetop indicate bit positions.)

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Source address

Destination address

Identification Fragment offsetFlags

Version IHL Type of service Total length

Time to live Header checksumProtocol

Options Padding

Figure 2. Transport Control Protocol header format. As defined in RFC 793, TCPprovides a reliable end-to-end transport service across the unreliable Internet.

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

Data

Sequence number

Acknowledgment number

Source port Destination port

Checksum Urgent pointer

Options Padding

Data offset WindowReserved| U | A | P | R | S | F || R | C | S | S | Y | I || G | K | H | T | N | N |

Basic Training

generated traffic might seem to benormal Web browser requests andother innocent-looking traffic that,in fact, differs from valid traffic prin-cipally in its intent. This makes iden-tifying such attacks extremelydifficult. For particularly interestingreading, Steve Gibson provides acase history of one of the earlyDDoS attacks.7

Intrusion detection systemsNo single technique is likely to de-tect all possible types of network in-trusions—especially because newintrusion types are still waiting to beexploited. Reviewing the attacksdescribed here, it’s clear that land at-tacks can be discovered by lookingfor arriving packets in which the

source and destination IP addressesare identical. Smurf attacks can’t bedetected on the basis of content fromsingle packets; only the arrival of anunusually large number of ICMPecho requests and responses wouldsignal such an attack’s presence. Wecould respond by killing all echo re-quests at a gateway router, but doingso would interfere with other net-work functions that might be vital tothe organization being protected.We might discover the teardrop at-tack by looking for illegal fragmen-tation in arriving packet trains, butthe router (or firewall) would have tomaintain a significant amount ofstate information.

Intrusion detection systems(IDSs) use particular collections ofanalytical techniques to detect at-

tacks, identify their sources, alertnetwork administrators, and possiblymitigate an attack’s effects. An IDSuses one or both of the followingtechniques to detect intrusions:

• Signature detection—the IDSscans packets or audit logs to lookfor specific signatures (sequencesof commands or events) that werepreviously determined to indicatea given attack’s presence.

• Anomaly detection—the IDS usesits knowledge of behavior patternsthat might indicate malicious ac-tivity and analyzes past activities todetermine whether observed be-haviors are normal.

It’s fairly easy to understand howsignature detection can help find

70 IEEE SECURITY & PRIVACY ■ NOVEMBER/DECEMBER 2005

Figure 3. Example traffic-analysis output. This screenshot from the Ethereal tool shows a list of 18 packets. The middlesection describes the highlighted packet; the third section displays the packet in hex format. Ethereal is open-sourcesoftware released under the GNU General Public License.

Basic Training

identifying characteristics in previ-ously observed attacks. This is farfrom simple to accomplish, how-ever, because attackers can changesome identifier (a port number, aparticular sequence number, a par-ticular protocol indicator) that al-ters the signature without affectingthe attack’s fundamental nature.Moreover, someone constructingan alert based on signature detec-tion must be mindful that normaltraffic could have the same charac-teristics. A useful signature must re-flect a reliable attack identifier thatdoesn’t generate many alerts onnonmalicious traffic. With the hugenumber of packets arriving at mostmodern subnets, even a minisculeerror rate could generate tens ofthousands of false alarms within afew minutes.

Several commercial and a fewpublic IDSs are available. The tradepress frequently evaluates them,but research journals generally donot. Early IDSs largely used signa-ture detection. Generally speaking,they detected all the attacks cap-tured in their signature databases,but they suffered from unac-ceptably high false-alarm rates.8

More innovative approaches haveappeared recently, includingbehavior-based modeling.9

To clarify how traffic or behav-ioral anomalies can be used to iden-tify attack traffic for attacks thathaven’t been seen before, considerthe following example. IP addressesgenerally suffice to enable a datagramto reach its intended destination ma-chine, but many processes typicallyrun at once on any given machine.TCP/IP uses port numbers to distin-guish among them. A security ana-lyst might be able to analyze daily orhourly patterns in the use of sourceaddresses, destination addresses, andboth source and destination portnumbers to determine when a pat-tern change suggests possible mali-cious activity. (We must be careful toobserve that “different” doesn’t al-ways imply “evil.”) In Figure 4, for

example, we see port activity dis-played from data produced at theLincoln Labs at the Massachusetts In-stitute of Technology (MIT) for aparticular subnet over a 10-hour pe-riod.10,11 This often-used data set in-cludes data with and without attackspresent, which are difficult to obtainon “live” networks. (Data are fromMonday of week five in the LincolnLab data.) Figure 5 shows the resultwhen we remove all the port activityfound during a similar 10-hour pe-riod from an attack-free data set:three areas clearly represent unusual(or anomalous) port activity. Furtherinvestigation reveals that these are,indeed, attacks—in this case, insertedby MIT researchers.

Researchers have applied manyother techniques to detecting trafficanomalies including data mining,statistical analysis, artificial intelli-gence, neural networks, Markovmodeling, sensor correlation, andanalysis of management information

data. It’s safe to say that the ultimatesolution remains to be found.

A lthough intrusion detection is agood place to start “basic train-

ing,” we should note that networksecurity people are probably moreconcerned about worms, viruses,and spam; they worry at least asmuch about active methods to com-bat these pests as they do about IDSs.Network worms seek to exploitsoftware weaknesses on servers thatmust keep particular ports open toprovide service. If a worm succeedsin penetrating the network perime-ter security, it can introduce Trojancode that changes the target ma-chine in ways that users won’t detect.At present, therefore, detecting thepresence of malicious traffic fromoutside the network probablydoesn’t worry network administra-tors as much as the likelihood thatTrojans and spyware might already

www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 71

Figure 4. Port usage at MIT’s Lincoln Lab. This data set illustrates patterns in the use ofsource and destination ports over a 10-hour period. Dots indicate the use of a port at aparticular moment in time.

10,000 20,000 30,000

Seconds

0

20,000

40,000

60,000

Port

reside in internal machines that ac-cess sensitive data.

Techniques for detecting mali-cious code bring us back to generalcomputer security issues and meth-ods. Analysis of network activity as-sociated with problems such asworm infections could complementother system security work in deter-mining which machines are in-fected. Based on both traffic analysisand system behavioral analysis, forexample, sufficiently suspicious ma-chines might be isolated from theirpeers via (perhaps new) security pro-tocols until administrators took stepsto secure them. Whether such isola-tion can be accomplished before acritical subset of the Internet be-comes infected is one concern ofcurrent and future research. Thereare others, and they also depend, tosome extent, on the basics covered inthis article.

References1. M. Bishop, Computer Security Art and

Science, Pearson Education, 2003.2. N. Ferguson and B. Schneier, Prac-

tical Cryptography, John Wiley &Sons, 2003.

3. S. Northcutt et al., Inside NetworkPerimeter Security, New RidersPublishing, 2003.

4. S. Bellovin and R.W. Cheswick,Firewalls and Internet Security:Repelling the Wily Hacker, PearsonEducation, 1994.

5. Internet Protocol, RFC 791, Sept.1981; www.ietf.org/rfc/rfc791.txt.

6. S. Bonisteel, “Yahoo DoS AttackWas Sophisticated,” ComputerUser.com, 4 April 2003; www.computeruser.com/news/00/02/14/news1.html.

7. S. Gibson, “The Strange Tale ofthe Denial of Service AttacksAgainst grc.com,” GibsonResearch, 2002; http://grc.com/dos/grcdos.htm.

8. D. Newman, J. Snyder, and R.Thayer, “Crying Wolf: FalseAlarms Hide Attacks,” NetworkWorld, 24 June 2002; www.networkworld.com/techinsider/2002/0624security1.html.

9. R. Thayer, “Intrusion DetectionSystems,” Network World, 31 Jan.2005; www.networkworld.com/reviews/2005/013105rev.html.

10. J. Haines et al., 1999 DARPAIntrusion Detection Evaluation: Designand Procedures, Lincoln Lab tech.report 1062, Massachusetts Inst.Technology, 2001.

11. J. Haines, L. Rossey, and R.Lippman, “Extending the DARPAOff-Line Intrusion Detection Eval-uations,” Proc. IEEE/DARPA Infor-mation Survivability Conf. andExposition (DISCEXII), vol. I, vol.1, IEEE CS Press, 2001, p. 0035.

Gerald A. Marin is a professor at theFlorida Institute of Technology. Hisresearch interests include computer com-munication networks, system and net-work performance, system and networksecurity, and simulation modeling. Marinhas a PhD in mathematics from NorthCarolina State University. He has severalyears of industry experience, both withIBM and the Center for Naval Analyses.Contact him at gmarin@fit.edu.

Basic Training

72 IEEE SECURITY & PRIVACY ■ NOVEMBER/DECEMBER 2005

Figure 5. Anomalous port activity on the Lincoln Lab machines. Subtracting all(time,port) pairs that were active during the base comparison period in Figure 4shows three areas that represent unusual port activity, which could be attacks.

10,000 20,000 30,000

Seconds

0

20,000

40,000

60,000

Port

Documented attacks

Peer-Reviewed Theme & Feature Articles2 0 0 6

Special-Purpose Computing

Monte Carlo Method

Noise and Signal Interaction

Computing in Anatomic Rendering

Multigrid Computing

Mechanical Engineering Design and Tools

Jan/Feb

Mar/Apr

May/Jun

Jul/Aug

Sep/Oct

Nov/Dec

Subscribe to CiSE online athttp://cise.aip.org andwww.computer.org/cise

The magazine that helps scientists to apply high-end softwarein their research!