Cream and strawberries – baking security into the internet protocol stack

Posted byAnnePosted inInternet protocols, Network security, Security hardeningTags:, , , ,

When the strawberry season is at its best, it’s my summer tradition to make a cake with layers of fresh strawberries and fluffy cream. Yummy! These delicious layers inspired me to write about baking security into the TCP/IP Internet protocol suite.

It’s good to have security controls in many layers

As security controls might sometimes fail due to mistakes or vulnerabilities, it’s good to have multiple layers of security. This principle applies to all kinds of security practices ranging from application security, network security, and physical security. Let’s go through the TCP/IP Internet protocol suite layers from top to bottom and see what security measures we can use on each layer. Note that many protocols used on the internet probably haven’t been designed with layering in mind, so these may not apply in all cases.

The application layer is like the icing on a cake

The application layer is like the icing on a cake – the first one you encounter. Examples of application layer protocols include HTTP, DNS, SMTP, and SSH. Protection mechanisms in the application layer include (but are not limited to):

  • Input validation. Check what data you get in form or URL parameters, API requests, protocol parameters, files, and other input and validate that it contains known good content. If it doesn’t — reject it. Input validation typically falls as the responsibility of the application or API on top of the protocol, but it’s such an important topic, so I thought I’ll mention it here. 
  • Output encoding. Always encode the output in the expected or agreed format so that other applications can present it correctly. Again, this is typically something for the application or API to handle.
  • Fuzzing. If your system requires strong reliability or you are using a not-so-mainstream protocol implementation, fuzzing is for you. With fuzz testing, you can check how well the implementation handles malformed messages.
  • Application layer firewalls. As an additional security control, application layer firewalls, such as Web Application Firewalls (WAF), can protect your apps from injection attempts or other application-layer attacks. WAFs are especially useful in case you cannot, for some reason, immediately patch a known application-layer vulnerability.  
  • Security updates. Related to the tip above, if a protocol implementation, server software, or application has a security update, install it. 
  • Session management. In the Internet protocol suite, session management also belongs to the application layer.
  • DNSSEC. The Domain Name System Security Extensions (DNSSEC) protects from spoofed DNS data with the help of digital signatures.
Layered security is not a piece of cake: there are many threats to consider in each protocol layer.
Layered security is not a piece of cake: there are many threats to consider in each protocol layer.

The transport layer is the messenger

The task of the transport layers is to establish a host-to-host channel for sending data. TCP and UDP are the most known transport layer protocols. To protect the transport layer, you can use the following security measures:

  • Server hardening. Make sure that only the required services are on and listening to network ports.
  • Firewalls. Allow inbound connections to be established only to the required TCP or UDP ports. Restrict outbound traffic to responses to existing connections and other required domains, such as for fetching updates.
  • DDoS protection. An intrusion prevention system (IPS), some firewalls, or DDoS protection services by hosting providers or cloud service providers can protect you from a transport layer distributed denial of service attack, such as SYN flood. 
  • Fuzzing. In the case of exotic protocol stack implementations or special reliability needs, fuzzing can help you check that the protocol implementation does not contain vulnerabilities.

The internet layer carries data from one network to another 

The internet layer is the layer with IP addresses that differentiate different networks from each other. Internet layer protocols (for example, IP, ICMP, IGMP, and IPsec) provide a transport mechanism from one network to another by sending the data to a suitable next hop. The next-hop router then forwards the packet to another network, if needed. The next-hop networks are defined by routing protocols. 

Interestingly, the most essential routing protocol on the internet, BGP, is actually an application layer protocol. Another typical routing protocol, OSPF, belongs to the link layer. 

To following security measures help you build security on the internet layer:

  • Hardening routers, VPN gateways, and other network devices. It’s crucial to ensure that attackers cannot access network devices to change their configuration, manipulate routing or monitor traffic.
  • Routing protocol security. Authenticating neighbors, using access control lists to limit allowed traffic, and restricting what routes can be redistributed are examples of router security configuration. You can read more from A Guide To Border Gateway Protocol (BGP) Best Practices and the article Cisco OSPF Configuration according to best practices.
  • Firewalls. Allow connections only to and from required networks. Perform ingress filtering to drop packets from outside the network with a source IP address inside the network and egress filtering for the opposite.  
  • DDoS protection. Internet layer distributed denial of service attempts to overwhelm or crash the network devices or use up all the bandwidth by sending IP, ICMP, or IPsec traffic your way. There are many DDoS mitigation services to help you.
  • Fuzzing, as explained with the previous layers, can be considered on the internet layer, too. 

The link layer establishes connections between devices

The link layer is the lowest layer of the TCP/IP model. Protocols in this layer include IEEE 802.3 (Ethernet), IEEE 802.11 (WLAN), ARP, L2TP, and many others. There are several security measures you can take on the link layer:

  • Physical security. Limiting access to network sockets and cabling prevents unauthorized persons from connecting to the network. Of course, this is not always possible.
  • Authentication. Requiring authentication to connect to the networks, for example, in the form of a WLAN password, prevents others from accessing your network.
  • 802.1X network access controls. Identifying devices and users with passwords, or even better, certificates, prevents rogue devices from plugging into your network. 
  • Static ARP to IP address mapping. Managing the mapping may require quite a lot of management, so it’s not for everyone.  

The security measures depend on the link layer protocols you use, the number of devices, and of course, the data that you want to protect. 

Alternative representation: the OSI model

Another way of describing and categorizing network protocols is the OSI model with its seven layers. There are two noteworthy things in the OSI model. Firstly, the data link and physical layer are separated, which makes sense. Secondly, there’s a separate presentation layer below the application layer. The presentation layer includes encoding standards such as MIME, ASCII, and ASN.1. A crucial presentation layer security measure is that you should always check the correct MIME type of files. And as always, input validation and output encoding are essential to ensure you get meaningful data that you can show correctly. 

TCP/IP layered strawberry cake

This time I baked a simple and small cake with just two eggs: it’s perfect for a small party. When you count in the filling and the decorations, this strawberry and cream cake also happens to have four layers: exactly the number of protocol layers in the TCP/IP protocol suite!

A layered cake with strawberry and whipped cream filling.
You can ponder the security controls of the TCP/IP protocol layers while munching through the tasty layers of this strawberry and cream cake.

Ingredients:

  • 2 eggs
  • 0,75 dl sugar
  • 0,5 dl wheat flour
  • 0,5 dl potato flour
  • 0,5 tsp baking powder 

For the filling and decoration:

  • 4 dl whipping cream
  • 0,5 dl milk or juice
  • 0,5-1 dl strawberry jam
  • 1,5 dl strawberries

Line a springform pan with baking paper and preheat the oven to 175 ºC. I used a springform pan with a diameter of 20 cm, but with a smaller pan, you’ll get a higher cake (and possibly extra layers).

Mix the eggs and sugar into a foam. Mix the flours and the baking powder first together and then to the dough mix. 

Pour the dough evenly into the springform pan. Bake for 20 minutes or until a toothpick comes out clean. Let the cake cool for a couple of minutes, and then remove the edges of the pan. Cool the cake thoroughly and cut it into two layers.

Whip the cream until stiff peaks form into the foam. You can add some vanilla sugar and regular sugar to sweeten the cream. Cut about half of the strawberries into slices. Moisten each layer with a few spoonfuls of juice or milk. Cover the first layer with strawberry jam, strawberry slices, and a bit less than half the whipped cream. Cover the top and the edges of the cake with the rest of the cream. Put whole strawberries on top. Simple but tasty!