Security and the TCP/IP stack


Michael Gregg
06.22.2006

This tip is in response to a reader question submitted to our network administration and security expert Michael Gregg:
Dear Michael,
What type of security is associated with each level of the OSI model?

The following is Michael's reply:
That's a very good question. I am going to use the TCP/IP model as a reference, as it is the protocol of the Internet and of networks around the world. TCP/IP is a four-layer model. If you want to learn more about TCP/IP, check out this Cisco page, as it has lots of good information.

The four layers of the TCP/IP model are, from bottom to top, 1) physical, 2) network, 3) transport, and 4) application as shown below.


[IMAGE]

Each layer has security mechanisms, protocols, and applications. I will list some of the more popular ones that are associated with each layer of the TCP/IP stack.

  1. Physical – The physical layer comprises layers one and two of the OSI model.
    1. Packet Filters – A packet filter is designed to sit between the internal and external network. As packets enter or leave the network, they are compared to a set of rules. This determines whether they are passed, rejected, or dropped. A router ACL is an example of a packet filter.
    2. NAT – NAT (Network Address Translation) is a means of translating addresses. Most residential high-speed Internet users use NAT. It provides security as it hides the internal addresses from external networks.
    3. CHAP – CHAP (Challenge Handshake Authentication Protocol) is an authentication protocol that is used as an alternative to passing clear-text usernames and passwords. CHAP uses the MD5 hashing algorithm to encrypt passwords.
    4. PAP – While PAP (Password Authentication Protocol) may not be the best security mechanism at the physical layer, it does provide some protection as it requires a user to present a username and password. Its Achilles' heel is that it transmits this information in clear text.
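
The packet filter described above, as an added example that is not part of the original tip: a toy router-style ACL in Python, evaluated top to bottom with first match deciding and an implicit deny when nothing matches. The rule fields, the sample ACL and the sample packets are all constructed for illustration.

```python
"""Toy stateless packet filter modelled on an inbound router ACL.

Added example, not from the original tip. Rule fields, the sample rule
set and the sample packets are constructed for illustration. Rules are
evaluated top to bottom; the first match decides. A packet that matches
no rule falls through to the default action, DROP, mirroring the implicit
deny-any at the end of a router ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PASS, REJECT, DROP = "pass", "reject", "drop"  # reject answers with an error; drop is silent


@dataclass(frozen=True)
class Rule:
    action: str
    src: str                      # source network in CIDR form, e.g. "0.0.0.0/0"
    dst: str                      # destination network in CIDR form
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


# Constructed inbound ACL for a perimeter router: the internal network is
# 10.0.0.0/24 and hosts a web server on 10.0.0.80. Order matters: the
# anti-spoofing rule must come before anything that permits traffic.
ACL = [
    Rule(DROP,   "10.0.0.0/24", "0.0.0.0/0",    "any"),       # external packet claiming an internal source
    Rule(PASS,   "0.0.0.0/0",   "10.0.0.80/32", "tcp", 443),  # HTTPS to the web server
    Rule(PASS,   "0.0.0.0/0",   "10.0.0.80/32", "tcp", 80),   # HTTP to the web server
    Rule(REJECT, "0.0.0.0/0",   "10.0.0.0/24",  "tcp", 23),   # telnet: refuse with an error so it is noticed
]


def filter_packet(pkt: dict, acl=ACL, default: str = DROP) -> str:
    """Return the action of the first matching rule, or the default action."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default
```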
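
To make the CHAP versus PAP difference above concrete, here is an added example (not code from the original tip) that runs both exchanges with the peer and the authenticator sides shown. The peer name, shared secret and challenge bytes are constructed; the CHAP response is MD5 over the identifier, the secret and the challenge, as in RFC 1994, so the secret itself never appears on the wire, whereas PAP sends the password as-is.

```python
"""CHAP challenge/response beside PAP, both sides of each exchange shown.

Added example, not from the original tip. The peer name, the shared
secret and the fixed challenges used in tests are constructed values.
"""
import hashlib
import hmac
import os
from typing import Optional

# Authenticator's credential store (constructed).
SECRETS = {"branch-router": b"constructed-shared-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(identifier || secret || challenge), per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(name: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the expected response from its own copy of the secret."""
    secret = SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison


def chap_exchange(name: str, peer_secret: bytes, challenge: Optional[bytes] = None,
                  identifier: int = 1) -> dict:
    """Run one three-way handshake; return what crossed the wire and the outcome."""
    if challenge is None:
        challenge = os.urandom(16)  # authenticator picks a fresh, unpredictable challenge
    response = chap_response(identifier, peer_secret, challenge)  # peer answers
    ok = chap_verify(name, identifier, challenge, response)       # authenticator checks
    return {"on_wire": [challenge, response], "success": ok}


def pap_exchange(name: str, password: bytes) -> dict:
    """PAP: the username and password cross the wire in clear text and are compared directly."""
    ok = SECRETS.get(name) == password
    return {"on_wire": [name.encode(), password], "success": ok}
```

Note that a CHAP response captured from one exchange fails verification against a different challenge, which is why the authenticator must never reuse a challenge.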

  2. Network – The network layer matches up to layer three of the OSI model.
    1. PPTP – PPTP (Point-to-Point Tunneling Protocol) was developed by a consortium of vendors including Microsoft and 3Com. Its purpose is to provide data encapsulation. Security for PPTP is provided by Microsoft Point-to-Point Encryption.
    2. L2TP – This VPN protocol is used for security and was based on PPTP and L2F.
    3. IPsec – IPsec is used to protect IP packets and defend against network attacks. It uses cryptographic protection services, security protocols, and dynamic key management. IPsec has two basic configurations: AH (Authentication Header) and ESP (Encapsulating Security Payload).

  3. Transport – The transport layer relates to layers four and five of the OSI model.
    1. SSL – SSL (Secure Sockets Layer) is a protocol-independent technology that enables users to ensure security for data that is exchanged over the Internet.
    2. TLS – This protocol is similar to SSL. The TLS (Transport Layer Security) protocol is a layered approach to data security that consists of several sub-protocols.
    3. More IPsec – ESP is found at the transport layer, as it encapsulates the data for security and privacy.

  4. Application – The application layer includes part of layer five and all of layers six and seven of the OSI model.
    1. RADIUS – RADIUS (Remote Authentication Dial-In User Service) is the most widely used dial-up authentication protocol in the world. It offers authentication and authorization to dial-up network users.
    2. TACACS – Whatis.com defines TACACS (Terminal Access Controller Access Control System) as "an older authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system."
    3. Kerberos – Kerberos was invented by MIT to be a strong authentication protocol. It uses tickets to validate a user's rights to objects. It provides encryption, privacy and data integrity.
    4. S/MIME – S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol designed to secure e-mail. It secures clear-text e-mail by adding digital signatures and encryption.
    5. Virus scanners – While this may be the final item on my list, it is by no means any less important than any of the other security mechanisms discussed. Virus scanners play an important part in security!

Actually, there is a name for what I have been describing here. It is called layered security. Layered security is an approach that builds defense in depth. This principle can significantly reduce the risk of attack or loss of CIA (Confidentiality, Integrity, and Availability), as it increases the costs and resources required by an attacker to break into a network or host. While no network or host can ever be 100% secure, defense in depth can greatly reduce the risk of a successful attack.
