Security in (inter)network PRAVIN SHETTY.

Upload: poppy-morrison

Post on 14-Jan-2016


Page 1: Security in (inter)network PRAVIN SHETTY.. 2 Security in layered IP Security at the IP layer is related to the layer’s function of end-to-end datagram

Security in (inter)network

PRAVIN SHETTY.

Page 2

Security in layered IP

Security at the IP layer is related to the layer's function of end-to-end datagram delivery. The security weaknesses are:

- Network snooping
- Message replay
- Message alteration
- Message delay and denial
- Authentication issues
- Routing attacks

Page 3

Network Snooping

The attacker observes network traffic without disturbing the transmission (passive); this is commonly known as snooping or sniffing. User passwords are what is most commonly snooped. Sniffing software works by placing a system's network interface into promiscuous mode. Systems like Unix require superuser or system-level privileges to access the network promiscuously.

Page 4

Message Replay

A captured message is replayed to another host, which accepts it as if it came from a trusted party.

Example: transfer of password files in networked Unix systems.

Page 5

Message alteration

"Message" here means the payload of the IP datagram. A router performs routine modifications to the IP datagram header, and sometimes fragments a datagram into several smaller ones (when the length exceeds the limit allowed by the underlying data link layer). Such routine header changes are no reason in themselves to suspect message alteration, but techniques such as checksums are not sufficient to detect genuine alteration.
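Why a checksum is not enough is easiest to see by doing it. The following is an added example (not code from the slides): it computes the Internet checksum used in IP/TCP/UDP headers over a constructed payload, swaps two 16-bit words so that the content changes but the checksum does not, and shows that a keyed MAC over the same bytes does catch the change. The payload and key are constructed for the illustration.

```python
"""Why a checksum is not an integrity check: the Internet (RFC 1071) checksum
versus a keyed MAC over the same datagram payload.

Added example; the payload and key below are constructed for illustration."""
import hashlib
import hmac


def internet_checksum(data: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used in IP/TCP/UDP headers."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def swap_words(data: bytes, i: int, j: int) -> bytes:
    """Exchange 16-bit words i and j: a real content change that a ones'-complement
    sum cannot see, because addition does not depend on word order."""
    words = [data[k:k + 2] for k in range(0, len(data), 2)]
    words[i], words[j] = words[j], words[i]
    return b"".join(words)


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the payload; any change to data changes the tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def checksum_detects(original: bytes, altered: bytes) -> bool:
    return internet_checksum(original) != internet_checksum(altered)


def mac_detects(key: bytes, original: bytes, altered: bytes) -> bool:
    tag = mac(key, original)                 # tag computed by the sender
    return not hmac.compare_digest(tag, mac(key, altered))   # receiver recomputes


# Constructed payload: a transfer message whose amount and account words are swapped.
PAYLOAD = b"PAY 1000 TO 0042"
KEY = b"constructed-shared-key"
ALTERED = swap_words(PAYLOAD, 2, 6)          # -> b"PAY 0000 TO 1042"

if __name__ == "__main__":
    print("checksum detects:", checksum_detects(PAYLOAD, ALTERED))   # False
    print("MAC detects:     ", mac_detects(KEY, PAYLOAD, ALTERED))   # True
```

The checksum is linear, so any reordering of words (and many other changes) leaves it intact; only a secret-keyed function such as a MAC gives the receiver assurance against a deliberate change, which is the point the later IPSec slides build on.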

Page 6

Message Delay and Denial

- By gaining unauthorised control of a router or routing host, then modifying executable code or the routing and screening rules used by the code. This calls for proper authentication and access-control mechanisms on the routing systems.
- By overwhelming a routing device, or one of the communication end systems, with an inordinate amount of network traffic. Easy to detect but difficult to prevent!

Page 7

Authentication issues

Authentication at the IP layer is concerned with the identity of computer systems. IP addresses are software configurable, and the mere possession (or fraudulent use) of one enables communication with other systems. Two techniques for doing this are:

- address masquerading
- address spoofing

Page 8

Address Masquerading

Page 9

Address Spoofing

Also known as the TCP sequence number attack. First we need to understand how the three-way TCP handshake protocol works.

A handshake is an assertion that indicates one party's readiness to send or receive data. When two systems share a hardware connection, a two-way handshake is enough. Since TCP rides on IP, an unreliable, connectionless protocol, a three-way handshake is required.

Page 10

Handshake in TCP

  Machine A                                  Machine B
  SYN + ISN_A                 -------->
                              <--------      SYN + ISN_B + ACK(ISN_A)
  ACK(ISN_B)                  -------->
  Application data            <------->

SYN: synchronize request
ISN: initial sequence number
ACK: acknowledgement for the ISN

Page 11

TCP CONNECTION (three-way connection)

  CLIENT                                                        SERVER
  Segment 1: SYN=1 ACK=0  seq 141521  win 4096 <mss 1024>      -------->
  Segment 2: <--------  SYN=1 ACK=1  seq 181521  ack 141522  win 4096 <mss 1024>
  Segment 3: SYN=0 ACK=1  ack 181522                           -------->

Segment 1 shows the client sending a SYN segment with an Initial Sequence Number of 141521. The ISN is randomly generated. This is called an Active Open. The field win 4096 shows the advertised window size of the sending station, while the field <mss 1024> shows the maximum segment size the sender is prepared to receive. SYN=1, ACK=0.

Segment 2 shows the server responding with a SYN segment whose ISN is 181521 and ACKnowledging the client's ISN with ISN + 1. This is called a Passive Open. SYN=1, ACK=1.

Segment 3 shows the client responding by ACKnowledging the server's ISN with ISN + 1. SYN=0, ACK=1.

Data can now be transmitted.

Page 12

How to get the ISN?

The ISN is a 32-bit clock that increases systematically with time. If the clock increment is predictable and an attacker can see the value of any one ISN, he can probably predict the value of the next, or a soon subsequent, ISN with accuracy.

Page 13

Predictable ISN can lead to

After learning the ISN, wait for A to go down (say for maintenance), which is easy to detect (say by ping), then:

- C sends B a counterfeit IP datagram containing its SYN and ISN; B receives this and believes it to have originated from A.
- B replies with a SYN, its own ISN and an acknowledgement of C's ISN. (This reply is routed inconsequentially to A, who is still unavailable to receive it.)
- C meanwhile predicts and acknowledges B's ISN. It follows with an rsh command that coaxes B to give the attacker easier access from his true location.

C has successfully opened a TCP connection and executed a command on B without ever having received a single byte in return from B. It simply acted as if it had, enabled by B's predictable ISN.

Page 14

Method of defense

- Avoid reliance on address-based authentication and trust mechanisms (like those used by rsh).
- Use a screening router, a device that can intelligently filter network packets based on configurable rules. Although this cannot prevent spoofing in general, it can prevent:
  - inbound attacks that originate from external networks (by discarding incoming datagrams with a source address belonging to the internal network);
  - outbound attacks that originate inside your own network (by discarding outgoing datagrams with a source address from an external network).

Page 15

Screening Router

Internal network: 130.194.225.xxxx. External network: everything else. The datagrams drawn on the slide, with the decision the two anti-spoofing rules give:

  Source           Destination      Decision
  108.3.54.92      130.194.225.92   Accepted (external source arriving from outside)
  130.194.225.52   130.194.225.92   Blocked  (internal source arriving from outside)
  108.3.54.92      121.92.5.52      Blocked  (external source leaving the internal network)
  130.194.225.92   121.5.92.1       Accepted (internal source leaving for the outside)

Page 16

PACKET FILTERING RULES

Topology: Exterior Router - Perimeter Network (with the Bastion host) - Interior Router - Internal network.

Interior router (the rule set that refers to Internal and Bastion):

  Rule       Direction  Source Addr  Dest Addr  Protocol  Source Port  Dest Port  ACK Set  Action
  Spoof      In         Internal     Any        Any       Any          Any        Any      Deny
  Telnet-1   Out        Internal     Any        TCP       >1023        23         Any      Permit
  Telnet-2   In         Any          Internal   TCP       23           >1023      Yes      Permit
  FTP-1      Out        Internal     Any        TCP       >1023        21         Any      Permit
  FTP-2      In         Any          Internal   TCP       21           >1023      Yes      Permit
  SMTP-1     Out        Internal     Bastion    TCP       >1023        25         Any      Permit
  SMTP-2     In         Bastion      Internal   TCP       25           >1023      Yes      Permit
  Default-1  Out        Any          Any        Any       Any          Any        Any      Deny
  Default-2  In         Any          Any        Any       Any          Any        Any      Deny

Exterior router (the rule set that refers to Perimeter and Bastion):

  Rule       Direction  Source Addr  Dest Addr  Protocol  Source Port  Dest Port  ACK Set  Action
  Spoof-1    In         Internal     Any        Any       Any          Any        Any      Deny
  Spoof-2    In         Perimeter    Any        Any       Any          Any        Any      Deny
  Telnet-1   Out        Internal     Any        TCP       >1023        23         Any      Permit
  Telnet-2   In         Any          Internal   TCP       23           >1023      Yes      Permit
  FTP-1      Out        Internal     Any        TCP       >1023        21         Any      Permit
  FTP-2      In         Any          Internal   TCP       21           >1023      Yes      Permit
  SMTP-1     Out        Bastion      Any        TCP       >1023        25         Any      Permit
  SMTP-2     In         Any          Bastion    TCP       25           >1023      Yes      Permit
  Default-1  Out        Any          Any        Any       Any          Any        Any      Deny
  Default-2  In         Any          Any        Any       Any          Any        Any      Deny

Note: These are incomplete, generalized examples in abstract notation.
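The rule tables above are first-match lists, and the interesting behaviour (why "ACK Set = Yes" lets replies in but keeps unsolicited connection attempts out, and why the spoof rules come first) only shows when you run packets through them. The following is an added example, not the slides' own code: a small rule engine that evaluates the Page 14 anti-spoofing checks against the four datagrams drawn on Page 15 and the full exterior-router table of Page 16 against constructed packets. Only the internal network 130.194.225.xxx and the Page 15 addresses come from the slides; the perimeter network and bastion address are constructed placeholders.

```python
"""Screening-router rule engine in the notation of the tables on Pages 14-16.

Added example, not the slides' own code. Only the internal network
130.194.225.xxx and the four datagrams on Page 15 come from the slides; the
perimeter network and bastion address are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("130.194.225.0/24")     # Page 15: 130.194.225.xxx
PERIMETER = ip_network("192.0.2.0/24")        # constructed perimeter (DMZ) net
BASTION = ip_address("192.0.2.25")            # constructed bastion host


@dataclass(frozen=True)
class Packet:
    direction: str          # "In" = arriving from outside, "Out" = leaving
    src: str
    dst: str
    proto: str = "IP"       # "TCP", "UDP", "ICMP", ...
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK flag set?


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "In" / "Out"
    src: str                # "Internal", "Perimeter", "Bastion", "External", "Any"
    dst: str
    proto: str = "Any"      # "TCP" or "Any"
    sport: str = "Any"      # "Any", ">1023" or an exact port such as "23"
    dport: str = "Any"
    ack: str = "Any"        # "Any" or "Yes" (only packets with ACK set match)
    action: str = "Deny"


def addr_matches(spec, addr):
    a = ip_address(addr)
    return {"Any": True,
            "Internal": a in INTERNAL,
            "Perimeter": a in PERIMETER,
            "Bastion": a == BASTION,
            "External": a not in INTERNAL and a not in PERIMETER}[spec]


def port_matches(spec, port):
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule, pkt):
    return (rule.direction == pkt.direction
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("Any", pkt.proto)
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport)
            and (rule.ack == "Any" or pkt.ack))


def decide(rules, pkt):
    """First matching rule wins; a packet matching nothing is denied."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return "implicit", "Deny"


# Page 14: the two anti-spoofing checks alone, everything else permitted.
ANTI_SPOOF = [
    Rule("Spoof-in", "In", "Internal", "Any"),          # internal source from outside
    Rule("Spoof-out", "Out", "External", "Any"),        # external source from inside
    Rule("Permit-in", "In", "Any", "Any", action="Permit"),
    Rule("Permit-out", "Out", "Any", "Any", action="Permit"),
]

# Page 16: the exterior router's rule set, transcribed from the slide.
EXTERIOR = [
    Rule("Spoof-1", "In", "Internal", "Any"),
    Rule("Spoof-2", "In", "Perimeter", "Any"),
    Rule("Telnet-1", "Out", "Internal", "Any", "TCP", ">1023", "23", "Any", "Permit"),
    Rule("Telnet-2", "In", "Any", "Internal", "TCP", "23", ">1023", "Yes", "Permit"),
    Rule("FTP-1", "Out", "Internal", "Any", "TCP", ">1023", "21", "Any", "Permit"),
    Rule("FTP-2", "In", "Any", "Internal", "TCP", "21", ">1023", "Yes", "Permit"),
    Rule("SMTP-1", "Out", "Bastion", "Any", "TCP", ">1023", "25", "Any", "Permit"),
    Rule("SMTP-2", "In", "Any", "Bastion", "TCP", "25", ">1023", "Yes", "Permit"),
    Rule("Default-1", "Out", "Any", "Any"),
    Rule("Default-2", "In", "Any", "Any"),
]

# The four datagrams drawn on Page 15 (direction inferred from the addresses).
PAGE15 = [
    Packet("In", "108.3.54.92", "130.194.225.92"),
    Packet("In", "130.194.225.52", "130.194.225.92"),
    Packet("Out", "108.3.54.92", "121.92.5.52"),
    Packet("Out", "130.194.225.92", "121.5.92.1"),
]


def page15_decisions():
    return [decide(ANTI_SPOOF, p)[1] for p in PAGE15]


if __name__ == "__main__":
    for p, d in zip(PAGE15, page15_decisions()):
        print(p.src, "->", p.dst, d)
```

The "ACK Set = Yes" column is what makes the Telnet-2 and FTP-2 rules accept only segments that belong to a connection an inside host opened: an inbound SYN to a high port never has ACK set, so it falls through to Default-2. The same engine shows why outbound SMTP from an ordinary internal host is denied at the exterior router: only the bastion matches SMTP-1, which is exactly the mail routing policy of Page 28.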

Page 17

Firewalls

A screening router (also called a packet filter) is an example of a firewall. We will look at firewalls in more detail later.

Page 18

SYN Attack

Page 19

Attack Method: The hacker sends a sequence of SYN packets. Each SYN packet (about 120 per second) carries a different and unreachable source IP address. This consumes all the communication channels and results in denial of any TCP-based service.

Countermeasure: Expand the number of ports, reduce the time-out period, validate TCP request packets.

Most hosts will only support 8-16 simultaneous communication channels.

TCP SYN Flooding (figure):

  Hacker -> Target Host:                  SYN=1 ACK=0  141521  win 4096  (unreachable source address)
  Hacker -> Target Host:                  SYN=1 ACK=0  141686  win 4096  (unreachable source address)
  Hacker -> Target Host:                  SYN=1 ACK=0  141721  win 4096  (unreachable source address)
  Target Host -> unreachable IP address:  SYN=1 ACK=1  181521  141522  win 4096
  Target Host -> unreachable IP address:  SYN=1 ACK=1  181521  141687  win 4096
  Target Host -> unreachable IP address:  SYN=1 ACK=1  181521  141723  win 4096

The legitimate client is denied access to the target host.
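The handshake of Page 11 and the flood of Page 19 are two views of the same state machine: a listener keeps one half-open entry per SYN until the third segment arrives or the entry times out. The following is an added example (not the slides' code) modelling that listener: it reproduces the Page 11 exchange with the ISNs 141521 and 181521, shows that a third segment with a wrong acknowledgement number is rejected, and runs the Page 19 flood against a backlog of 8 entries, once with a long time-out and once with the "reduce the time-out period" countermeasure. The backlog size, time-outs and addresses are constructed.

```python
"""Model of a TCP listener: the three-way handshake from Page 11 and the
half-open backlog that a SYN flood (Page 19) exhausts.

Added example, not from the slides. Backlog size, time-out and addresses are
constructed; the ISNs 141521 and 181521 are the ones used on the slides."""
from dataclasses import dataclass
import secrets

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    syn: bool
    ack: bool
    seq: int = 0        # sequence number (the ISN in a SYN)
    ack_num: int = 0    # acknowledgement number


class TcpListener:
    """Passive-open side. Keeps one SYN_RCVD entry per peer until the third
    segment arrives or the entry times out."""

    def __init__(self, addr, backlog=8, timeout=75.0, isn_source=None):
        self.addr = addr
        self.backlog = backlog              # Page 19: hosts support 8-16 channels
        self.timeout = timeout              # seconds a half-open entry is kept
        # Unpredictable ISNs are what defeats the guessing on Pages 12-13.
        self.isn_source = isn_source or (lambda: secrets.randbits(32))
        self.half_open = {}                 # peer -> (our ISN, time SYN arrived)
        self.established = set()
        self.dropped_syns = 0

    def expire(self, now):
        """Countermeasure from Page 19: forget half-open entries past the time-out."""
        for peer, (_, t0) in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[peer]

    def on_segment(self, seg, now):
        """Return the SYN/ACK for a SYN, 'ESTABLISHED' or 'RST' for a third
        segment, or None when the segment is dropped."""
        self.expire(now)
        if seg.syn and not seg.ack:                                  # segment 1
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1                               # no channel left
                return None
            isn = self.isn_source()
            self.half_open[seg.src] = (isn, now)
            return Segment(self.addr, seg.src, syn=True, ack=True,
                           seq=isn, ack_num=(seg.seq + 1) & MASK32)
        if seg.ack and not seg.syn and seg.src in self.half_open:   # segment 3
            isn, _ = self.half_open.pop(seg.src)
            if seg.ack_num == (isn + 1) & MASK32:
                self.established.add(seg.src)
                return "ESTABLISHED"
            return "RST"                     # wrong acknowledgement: rejected
        return None


def handshake(client, server, client_isn, server_isn):
    """Run the Page 11 exchange; return (segment 1, segment 2, segment 3, result)."""
    listener = TcpListener(server, isn_source=lambda: server_isn)
    seg1 = Segment(client, server, syn=True, ack=False, seq=client_isn)
    seg2 = listener.on_segment(seg1, now=0.0)
    seg3 = Segment(client, server, syn=False, ack=True,
                   ack_num=(seg2.seq + 1) & MASK32)
    return seg1, seg2, seg3, listener.on_segment(seg3, now=0.1)


def syn_flood_then_client(timeout, n_syns=120, client_at=5.0):
    """Flood a listener with SYNs from unreachable source addresses at t=0, then
    see whether a legitimate client's SYN at t=client_at gets a SYN/ACK.
    Returns (half-open entries after the flood, dropped SYNs, client served?)."""
    target = TcpListener("130.194.225.92", backlog=8, timeout=timeout)
    for i in range(n_syns):
        # Constructed unreachable addresses: nobody ever answers the SYN/ACKs.
        target.on_segment(Segment(f"10.255.{i // 256}.{i % 256}", target.addr,
                                  syn=True, ack=False, seq=141521 + i), now=0.0)
    filled, dropped = len(target.half_open), target.dropped_syns
    reply = target.on_segment(Segment("130.194.225.52", target.addr,
                                      syn=True, ack=False, seq=500000), now=client_at)
    return filled, dropped, reply is not None


if __name__ == "__main__":
    print(handshake("client", "server", 141521, 181521)[3])        # ESTABLISHED
    print(syn_flood_then_client(timeout=75.0))                       # (8, 112, False)
    print(syn_flood_then_client(timeout=3.0))                        # (8, 112, True)
```

With the default 75-second time-out the eight half-open slots stay occupied and the legitimate SYN is dropped; shortening the time-out frees them before the client arrives. The third-segment check (`ack_num == ISN + 1`) is also the reason the ISN must be unpredictable: a host that cannot see the SYN/ACK has a 2^-32 chance per attempt when the ISN is drawn from `secrets.randbits(32)`.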

Page 20

PING Attack

Page 21

Ping Attack

The hacker sends ICMP Echo Requests to the target, expecting an ICMP Echo Reply to be returned for each request. Because of his higher bandwidth, the hacker can send more requests than the target can handle.

Countermeasures: No known defense.

ICMP ECHO Flooding (figure): the hacker, on a T-1 link, sends Packet 1, Packet 2, ..., Packet n across the INTERNET to the target, which sits behind a 128K link.

Page 22

SMURF Attack

Page 23

SMURF Attack

The hacker sends an ICMP Echo Request to the target network with a destination broadcast address and a spoofed source address of the target. The network serves as a "bounce site" and returns an Echo Reply for each station on the network.

The network serves to multiply the effect of the "ping". The Echo Request could be sent to multiple networks.

Countermeasures: Disable IP-directed broadcasts at your router. Configure the workstations not to respond to an IP broadcast packet.

ICMP ECHO Flooding (figure): the hacker sends Echo Requests (Packet 5, ..., Packet n) across the INTERNET to the bounce network's broadcast address; every station on that network returns an Echo Reply to the target.

Page 24

Ping O' Death Attack

Page 25

Ping o' Death Attack

ICMP, an integral part of IP, is used to report network errors. PING (Packet InterNet Groper) uses ICMP Echo Request and Echo Reply packets to test host reachability. ICMP messages normally consist of the IP header and enclosed ICMP data with a default size of 64 bytes.

If the hacker sends an ICMP Echo Request that is greater than 65,536 bytes, this can crash or reboot the system.

A newer attack method modifies the header to indicate that there is more data in the packet than there actually is.

Countermeasures: Router updates that check the size of the ICMP packet. Block PING (ICMP) traffic at the firewall.

ICMP ECHO Request Attack (figure): the hacker, on a T-1 link, sends a packet > 65,536 bytes across the INTERNET to the target on a 128K link.

Page 26

RST Attack

Page 27

TCP SYN-RST Attack

Attack Method: TCP requires a three-step open to establish a connection between a client and a host. The hacker forges an IP-spoofed RST packet to the originator in order to disrupt the three-step open process. This process is time sensitive.

Countermeasure: No known countermeasure.

Figure: Hacker, Target Host, Legitimate Client.

1. User begins to open a TCP connection to the Host.
2. Hacker spoofs a RST from the Host. This is done prior to the Host acknowledging the connection.
3. The Host returns a SYN/ACK to the client.
4. The user gets a SYN/ACK from the host for a closed connection. User sends a RST to host. No connection is ever established.

Page 28

FIREWALL

Figure: INTERNET - Exterior Router - Perimeter Network (Bastion Host) - Interior Router - Internal Network. An external SMTP server (SMTP sender/recipient) talks to the SMTP server on the Bastion Host; inside, the SMTP client and the inside SMTP server talk only to the Bastion Host.

SMTP ROUTING

1. Route incoming/outgoing mail to the Bastion Host.
2. Use the Exterior Router to restrict connections from external hosts to the Bastion Host.
3. Use the Interior Router to restrict connections from the Bastion Host to specific internal servers.
4. Internal systems send mail to the Bastion Host.

Page 29

DNS NAME LOOKUP ITERATION

Figure: INTERNET - Exterior Router - Perimeter Network (Bastion Host) - Interior Router - Internal Network, with the FIREWALL between the outside DNS servers and the inside DNS server. The DNS client queries the inside DNS server, which iterates over the name hierarchy:

  root
  +-- edu
  |   +-- temple
  |       +-- csse
  |       +-- sims
  +-- gov

  Inside DNS server  -> root name server:    query for address of [email protected]
  root name server   -> inside DNS server:   referral to edu name server
  Inside DNS server  -> edu name server:     query for address of [email protected]
  edu name server    -> inside DNS server:   referral to temple name server
  Inside DNS server  -> temple name server:  query for address of [email protected]
  temple name server -> inside DNS server:   referral to csse name server
  Inside DNS server  -> csse name server:    query for address of [email protected]
  csse name server   -> inside DNS server:   address of [email protected]

Page 30

Network Address Translators

NATs are based upon the idea that only a small part of the hosts in a private network will communicate outside that network. NATs are a solution for those organizations that use non-routable IP addresses. A NAT, normally part of a firewall, is positioned between the private network and the Internet and:

- dynamically translates the private IP address of an outgoing packet into an Internet IP address;
- dynamically translates the return Internet IP address back into the private IP address.

Only TCP/UDP packets are translated by the NAT. For example, the private network cannot be pinged (i.e. ICMP is not supported).

Figure: Private Network - Network Address Translator (Translate / Map / Exclude; a pool of addresses and static addresses) - Internet.
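The two translation directions and the ICMP exclusion described above are a small state machine over a mapping table. The following is an added example (not the slides' code) of a dynamic NAT in that shape: outbound packets from the private network take an address from a public pool (reusing an existing binding), returning packets are mapped back, unsolicited inbound packets are dropped because they have no binding, and ICMP is not translated at all, as the slide states. All addresses are constructed (RFC 1918 private space and documentation prefixes for the public side).

```python
"""Dynamic NAT table as described on Page 30: private source addresses are
mapped to addresses from a public pool on the way out and mapped back on the
way in; ICMP is not translated.

Added example, not from the slides. All addresses are constructed (RFC 1918
private space and documentation prefixes for the public side)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP", "UDP" or "ICMP"
    src: str
    dst: str


class Nat:
    def __init__(self, private_net, public_pool):
        self.private_net = ip_network(private_net)
        self.free = [str(a) for a in ip_network(public_pool).hosts()]
        self.out_map = {}       # private address -> public address
        self.in_map = {}        # public address -> private address

    def _lookup_or_map(self, private_src):
        """Reuse an existing binding or take the next free pool address."""
        if private_src not in self.out_map:
            if not self.free:
                return None                      # pool exhausted: packet dropped
            public = self.free.pop(0)
            self.out_map[private_src] = public
            self.in_map[public] = private_src
        return self.out_map[private_src]

    def outbound(self, pkt):
        """Translate the private source address of an outgoing packet."""
        if pkt.proto not in ("TCP", "UDP"):      # Page 30: only TCP/UDP translated
            return None
        if ip_address(pkt.src) not in self.private_net:
            return pkt                           # not a private source: unchanged
        public = self._lookup_or_map(pkt.src)
        return None if public is None else Packet(pkt.proto, public, pkt.dst)

    def inbound(self, pkt):
        """Translate the public destination of a returning packet back."""
        if pkt.proto not in ("TCP", "UDP"):
            return None                          # the private net cannot be pinged
        private = self.in_map.get(pkt.dst)
        if private is None:
            return None                          # no binding: unsolicited, dropped
        return Packet(pkt.proto, pkt.src, private)


def demo():
    """One inside host talking out, its reply coming back, and a ping being refused.
    Returns (public address used, private address restored, reused public address, ping result)."""
    nat = Nat("10.0.0.0/24", "192.0.2.0/30")     # pool: 192.0.2.1 and 192.0.2.2
    out1 = nat.outbound(Packet("TCP", "10.0.0.5", "198.51.100.7"))
    back = nat.inbound(Packet("TCP", "198.51.100.7", out1.src))
    out_same = nat.outbound(Packet("UDP", "10.0.0.5", "198.51.100.9"))
    ping = nat.inbound(Packet("ICMP", "198.51.100.7", out1.src))
    return out1.src, back.dst, out_same.src, ping


if __name__ == "__main__":
    print(demo())        # ('192.0.2.1', '10.0.0.5', '192.0.2.1', None)
```

The pool is deliberately tiny so that exhaustion is visible: a third inside host gets no binding and its packet is dropped, which is the limit behind the slide's remark that only a small part of the private hosts are expected to talk outside.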

Page 31

TCP/IP Security

Page 32

Why Wrappers?

These programs are born out of the need to modify operating systems, as well as security tools, without access to the systems' source code.

- Because the security logic is encapsulated in a single program, wrappers are simple and easy to validate.
- Because the wrapped program remains a separate entity, it can be upgraded without a need to re-certify the program that is wrapping it.
- Because wrappers call the wrapped program via the standard exec() system call, a single wrapper can be used to control access to a variety of wrapped programs.

Page 33

Why Wrappers?

A common use of wrappers is to limit the amount of information reaching a network-capable program. This is an advantage because those programs are general in nature, are likely to be trusting, and can accept too much information without validation.

Page 34

TCP Wrapper

The TCPWrapper is a utility program that can be "wrapped" around existing servers connected to the Internet. A firewall can be placed between your internal network and the Internet to protect the entire internal network. The TCPWrapper is placed on an internal server and protects the services of that machine. The combination of firewall and TCPWrapper provides defense in depth. The TCPWrapper was written by Wietse Venema and is used for:

- logging requests for service made through /etc/inetd.conf, and
- intercepting and controlling TCP services that are started by /etc/inetd.conf.

Figure: External User - INTERNET - Router / Bastion Host (Firewall) - Internal Server (TCP Wrapper).

Page 35

TCP Wrapper Operation

The TCPWrapper is installed on the internal server and inetd is configured to run the TCPWrapper, tcpd, instead of the real server. inetd is the Internet protocol starter program that, upon detecting a service request, forks a process directly to the requested service. tcpd is the TCPWrapper program that receives control from inetd when an internal server has been "wrapped". tcpd evaluates the request against two TCPWrapper configuration files:

- /etc/hosts.allow tells tcpd which hosts to allow connections from. If no match is found, then search
- /etc/hosts.deny, which tells tcpd to deny all connections from the hosts listed there. If no match is found there either, the connection is allowed.

tcpd completes its function, then transfers control to the requested service.

Figure: External User - INTERNET - Router / Bastion Host (Firewall) - internal server, where inetd (driven by inetd.conf) starts tcpd, which consults /etc/hosts.allow and /etc/hosts.deny before handing the connection to the requested network service (telnet, ftp, rlogin, udp, etc.).

Page 36

TCP Wrapper Functions

The TCPWrapper performs the following functions upon assuming control from inetd:

- Compares the incoming hostname and requested service with the previously created hosts.allow and hosts.deny files.
- Performs a double-reverse lookup of the IP address to make sure the DNS entries for the IP address match the hostname.
- Logs the result with syslog. This provides a way to log services that are normally not logged, e.g. finger and systat.
- Optionally runs a command, e.g. runs finger to get a list of users on the connecting client computer.
- Optionally substitutes a different version of the requested service daemon, e.g. the calling host may require a special extended service.
- Optionally sends a banner to the connecting client.
- Passes control of the connection to the real network daemon, or rejects the connection without providing a service.
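The allow/deny search order of Page 35 and the double-reverse lookup of Page 36 are the two decisions tcpd makes before it hands over the connection, and they interact: a hostname pattern in hosts.allow can only match if the reverse and forward DNS records agree. The following is an added example, not Wietse Venema's code: it implements a subset of the hosts_access(5) pattern syntax (ALL, an address prefix ending in a dot, a domain suffix starting with a dot, exact host or address) over constructed file contents and constructed DNS tables, and shows that a client whose PTR record points at a trusted name but does not map back is treated as having no hostname and falls through to the deny file.

```python
"""tcpd-style access decision: search /etc/hosts.allow, then /etc/hosts.deny,
else allow (Page 35), plus the double-reverse lookup of Page 36.

Added example, not Wietse Venema's code. It handles a subset of the
hosts_access(5) pattern syntax; the file contents and DNS tables below are
constructed."""

# Constructed configuration files in hosts.allow / hosts.deny syntax.
HOSTS_ALLOW = """
# service list : client list
in.telnetd, in.ftpd : 130.194.225.
sshd : .csse.example.edu
"""
HOSTS_DENY = """
ALL : ALL
"""

# Constructed DNS data for the double-reverse check.
PTR = {"130.194.225.52": "lab1.csse.example.edu",
       "203.0.113.9": "lab1.csse.example.edu"}     # reverse record that does not map back
A = {"lab1.csse.example.edu": ["130.194.225.52"]}


def parse_access_file(text):
    """Return [(services, clients)], each a list split on commas/whitespace."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        services, clients = (part.strip() for part in line.split(":", 1))
        rules.append((services.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, host, addr):
    """ALL; 'a.b.c.' address prefix; '.domain' name suffix; exact host or address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if pattern.startswith("."):
        return host is not None and host.endswith(pattern)
    return pattern in (host, addr)


def file_matches(rules, service, host, addr):
    return any((service in services or "ALL" in services)
               and any(client_matches(c, host, addr) for c in clients)
               for services, clients in rules)


def double_reverse(addr, ptr=PTR, a=A):
    """Accept the PTR name only if its A records map back to the address; else None."""
    host = ptr.get(addr)
    if host and addr in a.get(host, []):
        return host
    return None


def tcpd_decision(service, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return 'allow' or 'deny' in the order tcpd applies its checks."""
    host = double_reverse(addr)     # an unverified PTR yields no usable hostname
    if file_matches(parse_access_file(allow_text), service, host, addr):
        return "allow"
    if file_matches(parse_access_file(deny_text), service, host, addr):
        return "deny"
    return "allow"                  # no match in either file


if __name__ == "__main__":
    for svc, client in [("in.telnetd", "130.194.225.52"), ("sshd", "203.0.113.9")]:
        print(svc, client, tcpd_decision(svc, client))
```

Without the `ALL : ALL` line in hosts.deny the last return would let every unlisted service through, which is the slide's "if no match is found the connection is allowed" rule; the deny file is what turns the configuration into default-deny.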

Page 37

Secure Sockets Layer

The Secure Sockets Layer (SSL) is a transport layer security protocol developed by Netscape to provide:

- data privacy through encryption;
- validation of a peer's identity through authentication and certificates;
- assurance of message integrity through a Message Authentication Code (MAC).

SSL, in practice, is only widely implemented in the Hypertext Transfer Protocol (HTTP); however, it is application independent and can be employed with other application types such as NNTP, TELNET, etc.

Figure (protocol stack): Application / SSL Handshake / SSL Record Layer / TCP / Internet / Interface.

Page 38

Secure Sockets Layer Contd

SSL is composed of two major protocols. The SSL Record Layer is a protocol for transferring data using a variety of predefined cipher and authentication combinations, which are negotiated by the SSL Handshake Protocol.

The sender performs the following tasks:
- take the data from the upper application and fragment it into manageable blocks;
- optionally compress the data and apply a Message Authentication Code (MAC);
- encrypt the data and transmit it to the lower layer.

The receiver performs the following tasks:
- take the data from the lower layer and decrypt it;
- verify the data with the negotiated MAC key and decompress it;
- reassemble the message and transmit it to the upper layer.

Figure (protocol stack): Application / SSL Handshake / SSL Record Layer / TCP / Internet / Interface.
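The sender and receiver pipelines above can be written down end to end. The following is an added example, not the slides' code or any SSL implementation's: a toy record layer that fragments, optionally compresses, MACs and then encrypts each record (the MAC-then-encrypt order SSL used), and reverses the steps on receipt. The MAC covers a per-record sequence number, which is how the record layer catches the "message replay" listed on Page 2: a record delivered twice fails verification the second time. The cipher is a constructed HMAC-based keystream standing in for the negotiated cipher, and the keys are constructed; it is for illustration only.

```python
"""Toy SSL record layer showing the sender/receiver pipeline on Page 38:
fragment -> (compress) -> MAC -> encrypt, and the reverse, with a per-record
sequence number in the MAC so that a replayed record is rejected.

Added example, not the slides' or any SSL implementation's code. The cipher is
a constructed HMAC-based keystream standing in for the negotiated cipher, and
the keys are constructed; it is for illustration only."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # SSL record plaintext limit
TAG_LEN = 32                    # HMAC-SHA256 output


def keystream(key, seq, length):
    """Constructed stand-in for the negotiated cipher: HMAC(key, seq || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))


class RecordLayer:
    def __init__(self, mac_key, enc_key, compress=False):
        self.mac_key, self.enc_key, self.compress = mac_key, enc_key, compress
        self.send_seq = 0           # each side counts records in each direction
        self.recv_seq = 0

    def _mac(self, seq, body):
        """MAC over sequence number and body: binds the record to its position."""
        return hmac.new(self.mac_key, struct.pack(">Q", seq) + body, hashlib.sha256).digest()

    def send(self, data):
        """Fragment, optionally compress, MAC, encrypt; return the list of records."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            body = data[i:i + MAX_FRAGMENT]
            if self.compress:
                body = zlib.compress(body)
            plaintext = body + self._mac(self.send_seq, body)
            records.append(xor(plaintext, keystream(self.enc_key, self.send_seq, len(plaintext))))
            self.send_seq += 1
        return records

    def receive(self, records):
        """Decrypt, verify the MAC under the expected sequence number, decompress, reassemble."""
        out = b""
        for ciphertext in records:
            plaintext = xor(ciphertext, keystream(self.enc_key, self.recv_seq, len(ciphertext)))
            body, tag = plaintext[:-TAG_LEN], plaintext[-TAG_LEN:]
            if not hmac.compare_digest(tag, self._mac(self.recv_seq, body)):
                raise ValueError(f"bad_record_mac at seq {self.recv_seq}")
            self.recv_seq += 1
            out += zlib.decompress(body) if self.compress else body
        return out


def round_trip(data, compress=False):
    """Sender and receiver sharing the same constructed keys; returns the reassembled data."""
    sender = RecordLayer(b"mac-key", b"enc-key", compress)
    receiver = RecordLayer(b"mac-key", b"enc-key", compress)
    return receiver.receive(sender.send(data))


def replay_detected(data):
    """Deliver the first record a second time; the receiver's sequence number exposes it."""
    sender = RecordLayer(b"mac-key", b"enc-key")
    receiver = RecordLayer(b"mac-key", b"enc-key")
    records = sender.send(data)
    receiver.receive(records)
    try:
        receiver.receive(records[:1])
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(round_trip(b"GET / HTTP/1.0\r\n\r\n"))     # b'GET / HTTP/1.0\r\n\r\n'
    print(replay_detected(b"GET / HTTP/1.0\r\n"))     # True
```

Two design points worth noticing: the sequence number is never sent, so both sides must count identically, and a bad MAC aborts the connection rather than skipping the record. Modern TLS moved to authenticated encryption (encrypt-then-authenticate) precisely because MAC-then-encrypt, as shown here, makes the decryption step run before integrity is known.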

Page 39

Secure Sockets Layer Contd

SSL is composed of two major protocols. The SSL Record Layer is a protocol for transferring data using a variety of predefined cipher and authentication combinations, which are negotiated by the SSL Handshake Protocol.

The SSL Handshake is a protocol for establishing:
- the protocol version;
- the initial authentication;
- the public-key encryption method;
- the encryption methodology.

Figure (protocol stack): Application / SSL Handshake / SSL Record Layer / TCP / Internet / Interface.

Page 40

SSL Handshake

  Client                                              Server
  ClientHello Message                      -------->
    (SSL version, random, session ID,
     cipher suites, compression method)
                                           <--------  ServerHello Message
                                                      ServerCertificate Message
                                                      ServerKeyExchange Message
                                                      CertificateRequest Message
                                                      ServerHelloDone Message
  Client Certificate Message               -------->
  ClientKeyExchange Message
  CertificateVerify Message
  ChangeCipherSpec Message
  ClientFinished Message
                                           <--------  ChangeCipherSpec Message
                                                      Finished Message

Page 41

Internet Protocol Security (IPSec)

Page 42

IP SECURITY

SECURITY ISSUES
- Authentication: allows the receiver to validate the identity of a user, client process or server process.
- Integrity: provides assurance to the receiver that the transmitted data has not been changed.
- Confidentiality: preventing the unwanted disclosure of information during transit.

SECURITY STRATEGY
- Message Digest 5 (MD5): used to satisfy authentication and data integrity.
- Cipher Block Chaining / Data Encryption Standard (CBC-DES): used to satisfy confidentiality.

Page 43

IP Security

Figure (protocol stack): Application / TCP / IPSec (Network) / Interface.

Internet Protocol Security (IPSec) is a network layer security protocol proposed by the IETF to provide:
- data privacy through encryption;
- validation of a peer's identity through authentication;
- assurance of message integrity through a Message Authentication Code (MAC).

IPSec is employed with both IPv4 and IPv6 but is a mandatory component of IPv6. It is composed of two major components:
- Authentication Header (AH);
- Encapsulating Security Payload (ESP).

IPSec employs two major concepts:
- Security Association (SA);
- Tunneling.

Page 44

IP Security Contd

Figure (protocol stack): Application / TCP / IPsec / Interface.

A Security Association is a logical, simplex connection between two IPSec systems, composed of the following triple:

<Security Parameter Index, IP Destination Address, Security Protocol>

An SPI is a 32-bit value used to distinguish between SAs. It has local significance only and is used as an index into the Security Association Database (SAD) to identify the SA parameter information so that the packet can be correctly processed. The IP destination address is self-explanatory. The Security Protocol can be either AH or ESP.

AH and ESP support the following two modes:
- Transport Mode: end-to-end communication, e.g. client to server.
- Tunnel Mode: gateway-to-gateway communication, e.g. firewall to firewall.

Page 45

Authentication

Page 46

IPv6 AUTHENTICATION OVERVIEW

Figure: two IPv6 networks joined by routers across a third IPv6 network. At the source, Data + Authentication Key -> Message Digest; on the wire, Data, SPI, MD; at the destination, Data + Authentication Key -> Message Digest, compared with the received MD.

The source and destination share an authentication key. The source performs the MD5 algorithm using the data and the authentication key as input. It includes an SPI to identify the key. The destination identifies the authentication key through the SPI, performs the same calculation and compares the computed MD with the transmitted MD. If they are the same, the message is authenticated. The actual message is transmitted in cleartext.

Each client and server is configured with a security table that contains the Security Parameter Index (SPI) and the Authentication Key.

Page 47

IPv6 AUTHENTICATION HEADER

  IPv6 header:
    VERS (4 bits) | PRITY (4 bits) | Flow Label (24 bits)
    Payload Length (16 bits) | Nxt Hdr: 51 | Hop Limit (8 bits)
    Source IP Address (128 bits)
    Destination IP Address (128 bits)
  Authentication Header:
    Nxt Hdr: 6 | Hdr Length | Reserved
    Security Parameter Index
    Authentication Data
  TCP Header and Data

All IP packets begin with the basic IP header. IP Authentication Headers are used to ensure (1) that the received data is authentic, i.e. has not been altered in transit, and (2) that it came from the real sender. Authentication is part of the enhanced security feature of IPv6. It is also designed to be used with IPv4. It specifies Message Digest 5 (MD5) as the default authentication algorithm. The Security Association (SA) consists of the Security Parameter Index, the IP destination address and the Security Protocol.

Security Parameter Index (SPI) field: an index used by the server and the client to point to an internal table that contains the authentication key assigned to each IP address. Authentication Data field: a 128-bit digest containing the result of the MD5 algorithm as applied to the authentication key, the IP datagram and the IP address. It serves as a user authenticator.

Page 48

IPv6 AUTHENTICATION SOURCE SPI

Source Security Information at Host 130.15.60.10

  Role  Client Source  Destination    SPI  Client Authentication  Client Auth.  Client Encryption  Client Enc.
        IP Address     IP Address          Key                    Method        Key                Method
  Host  130.15.60.10   130.15.20.2    12   x?34-15-4R-44-C0....   MD5           #$%FFGH&*()!#...   CBC-DES
  Host  130.15.60.10   135.150.201.2  42                          MD5                              CBC-DES
  Host  130.15.60.10   130.15.20.1    62                          MD5                              None
  ...

The transmitting client looks up the destination IP address in its security table. The Message Digest is then calculated using MD5:
- The 128-bit key is retrieved from the table.
- The complete datagram is appended to the key.
- The key is appended once more to the end.
- This block of data is then passed through the MD5 algorithm. All fields that change during transit are treated as zeroes. MD5 compresses the message into a one-way hash (message digest) of 128 bits.
- The resulting message digest is then placed into the Authentication Header.
- The SPI, Message Digest and the cleartext datagram are then transmitted.

Page 49

IPv6 AUTHENTICATION DESTINATION SPI

Destination Security Information at Host 130.15.20.2

  SPI  Client Source    Client Authentication  Client Auth.  Client Encryption  Client Enc.
       IP Address       Key                    Method        Key                Method
  12   130.15.60.10     x?34-15-4R-44-C0....   MD5           #$%FFGH&*()!#...   CBC-DES
  42   130.150.201.20                          MD5                              CBC-DES
  62   130.15.20.1                             MD5                              None
  ...

The destination client uses the SPI to look up the source client in the table and compares the source IP address on the message with the source address in the table. The receiving station then calculates the Message Digest using MD5:
- The 128-bit key is retrieved from the table.
- The complete cleartext datagram is appended to the key.
- The key is appended once more to the datagram.
- This block of data is then passed through the MD5 algorithm. All fields that change during transit are treated as zeroes. MD5 compresses the message into a one-way hash (message digest) of 128 bits.

The resulting MD is then compared to the transmitted MD.
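The sender and receiver procedures of Pages 48 and 49, together with the SA lookup of Page 44, fit in one short program. The following is an added example, not the slides' code: the source looks up the destination in its security table to get the SPI and key, computes MD5(key || datagram || key) with the hop limit (a field that changes in transit) treated as zero, and sends SPI, digest and cleartext datagram; the destination indexes its own table by SPI, checks that the source address on the datagram is the one the table expects, and recomputes the digest. The table uses the SPI 12 row and addresses from Pages 48-49 with constructed keys, and the datagram layout is a simplified stand-in for the Page 47 header. This keyed-MD5 construction is the one the slides describe (RFC 1828 specified it); current AH uses HMAC instead.

```python
"""IPv6 Authentication Header computation as described on Pages 46-49:
MD5(key || datagram-with-mutable-fields-zeroed || key), keyed through an SPI
looked up in each host's security table.

Added example, not the slides' code. The tables use the SPI 12 row and
addresses from Pages 48-49 with a constructed key; the datagram layout is a
simplified stand-in for the IPv6 header of Page 47. This keyed-MD5
construction is the one the slides describe (and RFC 1828 specified);
current AH uses HMAC instead."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed 128-bit key standing in for "x?34-15-4R-44-C0...." on the slide.
KEY_12 = bytes.fromhex("00112233445566778899aabbccddeeff")

# Security tables: the source side is indexed by destination address (Page 48),
# the destination side by SPI (Page 49).
SOURCE_TABLE = {"130.15.20.2": (12, KEY_12)}
DEST_TABLE = {12: ("130.15.60.10", KEY_12)}


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    hop_limit: int          # changes in transit: treated as zero in the digest
    next_header: int        # 6 = TCP
    payload: bytes


def serialize(dg, for_digest=False):
    """Simplified wire form. For the digest, fields that change in transit are zero."""
    hop = 0 if for_digest else dg.hop_limit
    addrs = b"".join(int(o).to_bytes(1, "big") for o in (dg.src + "." + dg.dst).split("."))
    return addrs + struct.pack(">BB", hop, dg.next_header) + dg.payload


def keyed_md5(key, dg):
    """key || datagram || key through MD5, as on Pages 48-49 (128-bit digest)."""
    return hashlib.md5(key + serialize(dg, for_digest=True) + key).digest()


def send(dg):
    """Source: look up the destination, compute the digest, emit (SPI, MD, datagram)."""
    spi, key = SOURCE_TABLE[dg.dst]
    return spi, keyed_md5(key, dg), dg


def receive(spi, md, dg):
    """Destination: SPI -> (expected source, key); check the source, then recompute."""
    entry = DEST_TABLE.get(spi)
    if entry is None:
        return False                        # unknown SA
    expected_src, key = entry
    if dg.src != expected_src:
        return False                        # source on message != source in table
    return hmac.compare_digest(md, keyed_md5(key, dg))


def demo():
    """Returns (SPI, accepted after hop-limit change, accepted after payload change,
    accepted with a different source address)."""
    dg = Datagram("130.15.60.10", "130.15.20.2", hop_limit=64, next_header=6,
                  payload=b"constructed TCP segment")
    spi, md, _ = send(dg)
    forwarded = replace(dg, hop_limit=61)           # routers decrement the hop limit
    tampered = replace(dg, payload=b"constructed TCP segmenT")
    wrong_src = replace(dg, src="130.15.20.1")
    return (spi, receive(spi, md, forwarded), receive(spi, md, tampered),
            receive(spi, md, wrong_src))


if __name__ == "__main__":
    print(demo())        # (12, True, False, False)
```

Zeroing the hop limit is what lets the digest survive normal forwarding while still covering the addresses and payload; leaving out that step would make every authenticated packet fail after the first router. The source-address check on the receiver is the part that ties the SPI to a peer rather than just to a key.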

Page 50

Encryption

Page 51

IPv6 ENCRYPTION OVERVIEW

Figure: two IPv6 networks joined by routers across a third IPv6 network. At the source, ClearText + Encryption Key -> CipherText; on the wire, SPI, IV, E-Data; at the destination, CipherText + Encryption Key -> ClearText.

The source and destination share an encryption key. The source performs the CBC-DES algorithm using the data, an Initialization Vector (IV) and the encryption key as input. It includes an SPI to identify the key, and the IV as the initializing random number. The destination identifies the encryption key through the SPI and decrypts the message using CBC-DES and the IV.

Each client and server is configured with a security table that contains the SPI and the Encryption Key.

Page 52

IPv6 ENCAPSULATING SECURITY PAYLOAD

Basic IPv6 header:
  VERS (4 bits) | PRITY (4 bits) | Flow Label (24 bits)
  Payload Length (16 bits) | Nxt Hdr: 50 | Hop Limit (8 bits)
  Source IP Address (128 bits)
  Destination IP Address (128 bits)
Payload Data (ESP):
  Security Parameter Index
  Initialization Vector
  Payload Data
  Padding (if needed) | Pad Length | Payload Type

All IP packets begin with the basic IP header. IP Encapsulating Security Payload (ESP) is used for confidentiality, i.e., to prevent the unwanted disclosure of information. ESP is part of the enhanced security features of IPv6.

It is also designed to be used with IPv4.

It specifies Cipher Block Chaining - Data Encryption Standard (CBC-DES) as the default encryption algorithm. The security association consists of the Security Parameter Index, the IP destination address and the Security Protocol.

Security Parameter Index field: an index used by the server and the client to point to an internal table that contains the encryption key assigned to each IP address.
Initialization Vector field: used by CBC-DES as a random number to start the encryption process.
Padding: added to force the ESP to be an integer multiple of 32.
Padding Length: the length of the padding field.
Payload Type: indicates which protocol has been encapsulated, e.g., 6 = TCP.

Page 53

IPv6 ENCRYPTION SOURCE SPI

Source Security Information at Host 130.15.60.10

Role | Destination IP Address | SPI | Client Source IP Address | Client Authentication Key | Client Authentication Method | Client Encryption Key | Client Encryption Method
Host | 130.15.20.2            | 12  | 130.15.60.10             | x?34-15-4R-44-C0....      | MD5                          | #$%FFGH&*()!#...      | CBC-DES
Host | 135.150.201.2          | 42  | 130.15.60.10             |                           | MD5                          |                       | CBC-DES
Host | 130.15.20.1            | 62  | 130.15.60.10             |                           | MD5                          |                       | None
...  | ...                    | ... |                          |                           |                              |                       |

The transmitting client looks up the destination IP address in its security table. The message is encrypted using CBC-DES.

The encryption key is retrieved from the table. The first block of ciphertext is produced by XORing the IV with the first block of cleartext and encrypting the result under the key. Each following block of ciphertext is produced from the current cleartext block, the previous ciphertext block and the encryption key (the same key is used for every block). In this fashion all blocks are chained together for encryption.

The resulting cipher blocks are concatenated for transmission. The SPI, Initialization Vector and the ciphertext datagram are then transmitted.

Page 54

IPv6 ENCRYPTION DESTINATION SPI

Destination Security Information at Host 130.15.20.2

SPI | Client Source IP Address | Client Authentication Key | Client Authentication Method | Client Encryption Key | Client Encryption Method
12  | 130.15.60.10             | x?34-15-4R-44-C0....      | MD5                          | #$%FFGH&*()!#...      | CBC-DES
42  | 130.150.201.20           |                           | MD5                          |                       | CBC-DES
62  | 130.15.20.1              |                           | MD5                          |                       | None
... | ...                      |                           |                              |                       |

The destination client uses the SPI to look up the source client in the table and compares the source IP address on the message with the source address in the table. The message is decrypted using CBC-DES.

The encryption key is retrieved from the table. The key is applied against the first block of ciphertext and the result is XORed with the IV to produce the first block of cleartext. The key is applied against the second block of ciphertext and the result is XORed with the ciphertext of the previous stage to produce the second block of cleartext. In this fashion all blocks are chained together for decryption.

The cleartext is then passed to the higher-level protocols.
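Slides 53 and 54 give the CBC-DES encryption and decryption chaining step by step, and slide 52 gives the ESP trailer layout. The Go program below is an added example, not code from the slides or from any IPsec implementation: it takes the DES block cipher from Go's standard library but writes out the CBC chaining itself so that each step on the slides is visible, builds the trailer (padding, pad length, payload type) from slide 52, and looks the key up by SPI on both sides. The 8-byte DES key, the SPI table (SPI 12 from the slides) and the function names `espEncrypt`, `espDecrypt`, `cbcEncrypt` and `cbcDecrypt` are this example's own constructions; padding here fills to the DES block size of 8 bytes, since that is what the chaining needs.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = des.BlockSize // 8 bytes: CBC-DES works on 64-bit blocks

// espPacket is what goes on the wire: SPI and IV in the clear, then the CBC-DES
// ciphertext of [payload | padding | pad length | payload type] (slide 52 layout).
type espPacket struct {
	SPI  uint32
	IV   [blockSize]byte
	Data []byte
}

// encryptionTable stands in for the slides' security table, indexed by SPI; the
// 8-byte DES key is a constructed sample (the slide shows "#$%FFGH&*()!#...").
var encryptionTable = map[uint32][]byte{12: {0x23, 0x24, 0x25, 0x46, 0x46, 0x47, 0x48, 0x26}}

// addTrailer pads to a block boundary and appends pad length and payload type
// (6 = TCP on slide 52), so DES only ever sees whole 8-byte blocks.
func addTrailer(payload []byte, payloadType byte) []byte {
	padLen := (blockSize - (len(payload)+2)%blockSize) % blockSize
	out := make([]byte, len(payload)+padLen+2) // padding bytes stay zero
	copy(out, payload)
	out[len(out)-2], out[len(out)-1] = byte(padLen), payloadType
	return out
}

// stripTrailer reverses addTrailer and returns payload and payload type.
func stripTrailer(plain []byte) ([]byte, byte, error) {
	n := len(plain)
	if n < 2 || int(plain[n-2])+2 > n {
		return nil, 0, errors.New("esp: bad trailer")
	}
	return plain[:n-2-int(plain[n-2])], plain[n-1], nil
}

// cbcEncrypt is slide 53: XOR each cleartext block with the previous ciphertext
// block (the IV for the first block), then put the result through DES under the key.
func cbcEncrypt(block cipher.Block, iv, plain []byte) []byte {
	out, prev, x := make([]byte, len(plain)), iv, make([]byte, blockSize)
	for i := 0; i < len(plain); i += blockSize {
		for j := range x {
			x[j] = plain[i+j] ^ prev[j]
		}
		block.Encrypt(out[i:i+blockSize], x)
		prev = out[i : i+blockSize]
	}
	return out
}

// cbcDecrypt is slide 54: apply the key to each ciphertext block, then XOR the
// result with the previous ciphertext block (the IV for the first block).
func cbcDecrypt(block cipher.Block, iv, ct []byte) []byte {
	out, prev, x := make([]byte, len(ct)), iv, make([]byte, blockSize)
	for i := 0; i < len(ct); i += blockSize {
		block.Decrypt(x, ct[i:i+blockSize])
		for j := range x {
			out[i+j] = x[j] ^ prev[j]
		}
		prev = ct[i : i+blockSize]
	}
	return out
}

// espEncrypt is the source: key by SPI, fresh random IV, encrypt payload plus trailer.
func espEncrypt(spi uint32, payload []byte, payloadType byte) (espPacket, error) {
	key, ok := encryptionTable[spi]
	if !ok {
		return espPacket{}, errors.New("esp: unknown SPI")
	}
	block, _ := des.NewCipher(key) // table keys are always 8 bytes, so this cannot fail
	pkt := espPacket{SPI: spi}
	rand.Read(pkt.IV[:]) // crypto/rand: a new IV for every datagram
	pkt.Data = cbcEncrypt(block, pkt.IV[:], addTrailer(payload, payloadType))
	return pkt, nil
}

// espDecrypt is the destination: key by SPI, decrypt with the transmitted IV, strip the trailer.
func espDecrypt(pkt espPacket) ([]byte, byte, error) {
	key, ok := encryptionTable[pkt.SPI]
	if !ok || len(pkt.Data)%blockSize != 0 {
		return nil, 0, errors.New("esp: unknown SPI or ciphertext not whole blocks")
	}
	block, _ := des.NewCipher(key)
	return stripTrailer(cbcDecrypt(block, pkt.IV[:], pkt.Data))
}

func main() {
	pkt, _ := espEncrypt(12, []byte("GET / HTTP/1.0\r\n"), 6)
	payload, ptype, err := espDecrypt(pkt)
	fmt.Printf("wire: SPI=%d IV=%x data=%x\nrecovered: %q type=%d err=%v\n", pkt.SPI, pkt.IV, pkt.Data, payload, ptype, err)
}
```

Running `main` prints the SPI, IV and ciphertext that are transmitted and the cleartext recovered at the destination. Two points the slides leave implicit show up directly: the IV is drawn fresh for every datagram, so encrypting the same cleartext twice gives different ciphertext; and decryption has no way to tell a tampered ciphertext block from a genuine one (a flipped bit yields garbage in that block and the next, and at most a pad-length error), which is why ESP on its own provides confidentiality only and the Authentication Header from the earlier slides is still needed against message alteration.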

Page 55

Security at the Application Layer

Application gateways are firewalls that operate at the application layer (note: a screening router operates at the Network and Transport layers, while firewalls can operate in all three layers, including the application layer).

Examples of application gateways are: mail gateway (also known as SMTP gateway), proxy (used when a firewall separates the internal network from the rest of the world), server filter (host software that filters client access to its own servers).

[Figure: Application Client on the External Network sends an Outbound Request to the Proxy (its client side faces the external network, its server side the internal one), which passes it to the Application Server on the Internal Network; the Inbound Reply flows back the same way.]