It has to be remembered that when the Internet Protocol was originally developed, security was not the main objective; reliable connectivity was. Once commercial entities started to populate the public network, the military realized they had to build a separate network to keep their assets secure.
Let us take a look at some of the basic threats to network security:
This simply means impersonating the source of a stream of packets by sending packets with a valid source IP address. Such an attack is very simple for any attacker to prepare, and it is likewise fairly simple to counter by using an authentication method during the exchange between source and destination.
To hijack a TCP session, an attacker can observe the authentication exchange and then take over the session, perhaps by flooding the source or destination device, or its local router, to overwhelm it, and then continuing the session while purporting to be the other end of the connection. Authentication at the beginning of the session will not defeat this attack, but repeated authentication at intervals, even using a simple hashing system such as that used by CHAP (Challenge Handshake Authentication Protocol), ensures that both ends of a session are challenged at intervals to recalculate a hash value using a random value introduced into the authentication process. An attacker would need the original keys to be able to reproduce the correct hash values.
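The periodic challenge described above can be sketched as follows. This is an added example, not code from the original article: it uses the CHAP response calculation from RFC 1994 (MD5 over identifier, shared secret and challenge), and the names `Authenticator`, `chap_response` and `demo`, as well as the sample secret, are hypothetical.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Challenging side: issues a fresh random value at every interval."""
    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.challenge = None

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)  # unpredictable, never reused
        return self.identifier, self.challenge

    def verify(self, identifier, response):
        if self.challenge is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secret, self.challenge)
        self.challenge = None  # each challenge is answered at most once
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    auth = Authenticator(secret)
    results = {}

    ident, chal = auth.new_challenge()
    observed = chap_response(ident, secret, chal)  # visible on the wire
    results["legitimate_peer"] = auth.verify(ident, observed)

    # Next interval: a party that took over the session replays what it saw.
    ident, chal = auth.new_challenge()
    results["replayed_response"] = auth.verify(ident, observed)

    # Or it answers the new challenge without knowing the shared secret.
    ident, chal = auth.new_challenge()
    forged = chap_response(ident, b"wrong-secret", chal)
    results["without_secret"] = auth.verify(ident, forged)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the first check succeeds: the response observed in one interval is useless against the next random challenge, which is why the session fails at the first re-authentication after a takeover.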
There are many protocol analyzers on the market, even free ones such as Wireshark, that are capable of viewing packets if the host NIC (Network Interface Card) is set to promiscuous mode. An attacker will at the very least be able to view the conversation and, with some protocols, even read the information or, in the case of Voice over IP, listen in to a conversation. The way to defeat this type of attack is by encrypting the session traffic, either at the application layer or at the network layer.
This sort of attack can circumvent encryption by intercepting the encryption keys during an exchange and substituting another set of keys. Strong authentication methods coupled with secure key exchange methods such as Diffie-Hellman would be the answer.
This article on Basic IP Security was written by David Christie, MD at NSTUK Ltd, Website http://www.nstuk.com