
Communication Security at the Application Layer

Every layer of communication has its own security challenges. The application layer is a particularly weak link because it carries many different protocols, each of which brings its own vulnerabilities and access points for attackers, and that variety makes application-layer attacks hard to defend against. Application-layer attacks are also attractive to a potential attacker because the information they seek ultimately resides within the application itself, so attacking it is the most direct route to their goal. The main categories of risk at the application layer are as follows:

Web Security: Balance between security and accessibility: A poorly configured Web server can punch a hole in the most carefully designed firewall system, letting attackers steal confidential information, modify systems and launch further attacks. On the other hand, a poorly configured firewall can make a Web site impossible to use.

Virus/Worm: To the end user, active content such as ActiveX controls and Java applets introduces the possibility that Web browsing will bring viruses or other malicious software onto the user's system. For the network administrator, Web browsers that run active content provide a pathway for malicious software to bypass the firewall system and enter the local area network.

Information privacy: Both end-users and Web administrators need to worry about the confidentiality of the data transmitted across the Web.

EMAIL Security:

WebMail: If the connection to your WebMail server is insecure (the address starts with http:// rather than https://), then everything, including your username and password, travels unencrypted between your computer and the WebMail server.

SMTP: Without a TLS connection or a STARTTLS upgrade, SMTP carries messages in the clear, and the username and password used to log in to the SMTP server (AUTH PLAIN or AUTH LOGIN) are only base64-encoded, not encrypted. Anyone who can observe the traffic between your client and the server can recover both, and the headers added in transit are visible to every recipient.

POP and IMAP: Without TLS, these protocols require you to send your username and password to log in, unencrypted, and then carry the messages themselves in the clear. Your credentials and your mail can therefore be read by any eavesdropper listening on the path between your personal computer and your email provider's server.

Virus/Worm: Email is a very active carrier of viruses and worms.

Password Attack: An online password attack shows up as a series of failed logins within a short period of time. Offline, the most sophisticated password auditing tools include pre-computed tables containing trillions of password hashes, built in advance of the auditing and recovery process, so that a captured unsalted hash can be reversed by a single lookup instead of by hashing every guess.
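The two halves of that paragraph, as an added example that is not code from the original article: a detector that flags the failed-login bursts an online attack produces, and a miniature pre-computed table that shows why such tables work against unsalted hashes and not against salted ones. The log lines are constructed samples in OpenSSH's syslog format, the year is assumed, and the threshold and window are assumptions a practitioner would tune.

```python
"""Added example (not code from the original article): flag failed-login
bursts, then show why a pre-computed hash table beats unsalted hashes and
fails against salted ones.  Log lines are constructed samples."""
import hashlib
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd syslog lines: one noisy source, one slow legitimate mistyper.
SAMPLE_LOG = """\
Mar  1 10:00:01 mail sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar  1 10:00:03 mail sshd[2002]: Failed password for root from 10.0.0.5 port 40002 ssh2
Mar  1 10:00:04 mail sshd[2003]: Accepted password for alice from 192.168.1.7 port 51000 ssh2
Mar  1 10:00:05 mail sshd[2004]: Failed password for admin from 10.0.0.5 port 40003 ssh2
Mar  1 10:00:06 mail sshd[2005]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar  1 10:00:08 mail sshd[2006]: Failed password for invalid user test from 10.0.0.5 port 40005 ssh2
Mar  1 10:05:00 mail sshd[2007]: Failed password for bob from 192.168.1.9 port 51001 ssh2
Mar  1 10:20:00 mail sshd[2008]: Failed password for bob from 192.168.1.9 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Yield (timestamp, user, source_ip) for every failed-login line.
    Syslog omits the year, so it is supplied as an assumption."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: (count, first_timestamp)} for each source that
    produced `threshold` or more failures inside a sliding time window,
    whatever usernames it tried (password spraying rotates the user)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), q[0])
    return alerts


def build_table(words):
    """Pre-compute hash -> password for a wordlist: a five-entry stand-in for
    the trillion-entry tables.  Built once, reused against every unsalted
    hash ever captured."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """A per-user random salt makes the same password hash to a value the
    pre-computed table has never seen; the attacker must rebuild it per salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


WORDLIST = ["password", "letmein", "123456", "qwerty", "summer2005"]
TABLE = build_table(WORDLIST)


if __name__ == "__main__":
    for ip, (count, first) in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins since {first:%H:%M:%S}")
    print("unsalted lookup:", TABLE.get(unsalted_hash("letmein")))
    print("salted lookup:  ", TABLE.get(salted_hash("letmein", os.urandom(16))))
```

Run as-is it reports 10.0.0.5 (five failures in seven seconds) and stays quiet about 192.168.1.9, whose two failures are fifteen minutes apart; the unsalted lookup returns "letmein" instantly while the salted one returns None. Keying the window on source address rather than on username is what catches an attacker who spreads guesses across many accounts.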

Information sniffing: Because most network applications send their packets in clear text, a packet sniffer can hand its user meaningful and often sensitive information, such as user account names and passwords. It can equally capture the data returned by a database query, along with the account names and passwords used to reach the database. This causes serious information privacy problems and supplies ready tools for crime.
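What the sniffing paragraph and the email section above (WebMail, SMTP, POP) amount to in practice, as an added example that is not code from the original article: a passive observer of a clear-text POP3 or SMTP session reads the credentials straight off the wire. The three session transcripts are constructed samples (C: is the client, S: the server), not real captures; the usernames and passwords in them are invented.

```python
"""Added example (not code from the original article): recover credentials
from clear-text POP3 and SMTP sessions the way a passive sniffer would.
All transcripts are constructed samples."""
import base64
import re

POP3_SESSION = b"""\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 1 1024
"""

# AUTH PLAIN (RFC 4616): one base64 token of "authzid NUL authcid NUL password".
SMTP_PLAIN_SESSION = b"""\
S: 220 mail.example.net ESMTP
C: EHLO laptop
S: 250-mail.example.net
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGJvYgBzM2NyM3Q=
S: 235 2.7.0 Authentication successful
"""

# AUTH LOGIN: server prompts "Username:" / "Password:" (base64), client answers in base64.
SMTP_LOGIN_SESSION = b"""\
S: 220 mail.example.net ESMTP
C: EHLO laptop
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Y2Fyb2w=
S: 334 UGFzc3dvcmQ6
C: UGFzc3cwcmQ=
S: 235 2.7.0 Authentication successful
"""


def client_lines(session):
    """Yield the client half of a transcript, decoded as ASCII."""
    for raw in session.splitlines():
        if raw.startswith(b"C: "):
            yield raw[3:].decode("ascii", errors="replace").strip()


def extract_pop3(session):
    """POP3 USER/PASS: the password is literally on the wire."""
    user = password = None
    for line in client_lines(session):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS":
            password = arg
    return (user, password) if user and password else None


def decode_auth_plain(token):
    """Split a decoded AUTH PLAIN token into (authcid, password)."""
    parts = base64.b64decode(token).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    _authzid, authcid, password = parts
    return authcid.decode(), password.decode()


def extract_smtp(session):
    """SMTP AUTH PLAIN or AUTH LOGIN: base64 is an encoding, not encryption,
    so the credentials decode instantly.  Returns (user, password) or None."""
    lines = list(client_lines(session))
    for i, line in enumerate(lines):
        m = re.match(r"(?i)^AUTH PLAIN (\S+)$", line)
        if m:
            return decode_auth_plain(m.group(1))
        if re.match(r"(?i)^AUTH LOGIN$", line) and i + 2 < len(lines):
            return (base64.b64decode(lines[i + 1]).decode(),
                    base64.b64decode(lines[i + 2]).decode())
    return None


if __name__ == "__main__":
    print("POP3      :", extract_pop3(POP3_SESSION))
    print("AUTH PLAIN:", extract_smtp(SMTP_PLAIN_SESSION))
    print("AUTH LOGIN:", extract_smtp(SMTP_LOGIN_SESSION))
```

The same parser run over a session that was upgraded with STARTTLS, or carried over POP3S/IMAPS/HTTPS, finds nothing, because after the handshake the client lines are ciphertext rather than commands. That is the whole difference between the http:// and https:// WebMail cases described above.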

DNS Attack: Also called DNS spoofing or DNS cache poisoning, these attacks aim to redirect users to potentially malicious web servers by altering the records that map domain names to numerical addresses. Online fraudsters use this as another way to install aggressive advertising software (adware) on victims' computers and to send people to pay-per-click Web sites. The Domain Name System protocol is inherently vulnerable to this style of attack because a forged response only has to match a 16-bit transaction ID to be accepted.
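How weak a 16-bit transaction ID really is, as an added example that is not code from the original article. The model assumes a blind attacker who knows the query and must guess only the transaction ID, and it goes one step beyond the text by also modelling a resolver that randomises its UDP source port, the mitigation later adopted in real resolvers; the ephemeral-port range used for that is an assumption.

```python
"""Added example (not code from the original article): how much protection a
16-bit DNS transaction ID gives against blind response forgery, and how much
randomising the UDP source port adds.  A model, not a measurement."""
import math
import random

TXID_SPACE = 1 << 16          # 16-bit transaction ID in the DNS header
PORT_SPACE = 65536 - 1024     # assumed ephemeral source-port range when randomised


def space_size(randomize_port=False):
    """Number of (txid, port) combinations a forged response must match."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def forgery_probability(forged, randomize_port=False):
    """Chance that one of `forged` distinct forged responses is accepted in
    a single race (one outstanding query, real answer not yet arrived)."""
    space = space_size(randomize_port)
    return min(forged, space) / space


def forged_needed(target_probability, randomize_port=False):
    """Distinct forgeries one race needs to reach a given success chance."""
    return math.ceil(target_probability * space_size(randomize_port))


def simulate(trials, forged, randomize_port=False, seed=1):
    """Monte Carlo check of forgery_probability: the resolver draws a random
    (txid, port) for its query; the attacker fires `forged` distinct guesses."""
    rng = random.Random(seed)
    space = space_size(randomize_port)
    hits = 0
    for _ in range(trials):
        target = rng.randrange(space)
        if target in set(rng.sample(range(space), forged)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for forged in (100, 1000, 32768):
        print(f"{forged:>6} forgeries: txid only {forgery_probability(forged):.4%}, "
              f"txid+port {forgery_probability(forged, True):.6%}")
    print("forgeries for a coin-flip, txid only:", forged_needed(0.5))
    print("forgeries for a coin-flip, txid+port:", forged_needed(0.5, True))
    print("simulated, 200 forgeries, txid only :", simulate(2000, 200))
```

With the ID alone, 32768 forged UDP packets in one race give a 50% chance, and an attacker who can provoke the resolver into repeating the query gets a fresh race every time; with the port randomised the same odds cost roughly two billion packets per race. That is why upgrading the resolver (port randomisation, and DNSSEC validation where available) rather than tuning a firewall is the practical defence.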

Instant Messaging Security: The top five security risks for IM are viruses and worms spread over IM, identity theft and authentication spoofing, firewall tunneling, data leaks, and spim (instant-messaging spam).

SNMP Attack: Most network devices support the Simple Network Management Protocol (SNMP) for network monitoring. In SNMPv1 and v2c the only access control is a community string sent in clear text, so an attacker who sniffs or guesses it (the defaults "public" and "private" are commonly left in place) can read the MIBs of the SNMP agents, map the network, monitor traffic and, with write access, redirect it. The best defense is to upgrade to SNMPv3, which authenticates each message and can encrypt it, and to disable the default community strings.

Operating System Risks: No operating system is secure as shipped; Windows and Unix systems alike have a long record of serious vulnerabilities. The subject requires additional articles (if not books) to address.

Other Applications (FTP and TELNET): Older versions of network applications such as FTP servers (passive mode included) and Telnet are likely to have security holes, and both protocols send usernames and passwords in clear text. The newest versions of these products should be deployed with the latest security patches applied.

As with most network security problems, there is no silver bullet that fixes these; there are, however, many technologies and solutions available to mitigate them and to monitor the network so that damage is limited if an attack does happen. To mitigate application-layer security problems, technologies have been developed at several levels of the communication stack. The main ones are as follows:

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a specification for securing electronic mail. S/MIME builds on the popular MIME standard and describes a protocol for adding cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. Those services are authentication, non-repudiation, message integrity and message confidentiality.

Pretty Good Privacy (PGP) intentionally uses existing cryptographic algorithms (originally RSA, IDEA and MD5) rather than inventing new ones. PGP supports secrecy, digital signatures, key management and data compression.

Secure HTTP (S-HTTP) is a superset of HTTP that allows web traffic to be encapsulated in various ways. S-HTTP provides a wide variety of mechanisms for confidentiality, authentication and integrity, and separation of policy from mechanism was an explicit design goal: an S-HTTP-based system is not tied to any particular cryptographic system, key infrastructure or cryptographic format. In practice S-HTTP saw little deployment; HTTPS (HTTP over TLS/SSL, below) became the way web traffic is protected.

Public Key Infrastructure (PKI): PKI combines digital certificates, public-key cryptography and certificate authorities into an integrated solution that lets enterprises protect their communications and business transactions on the Internet. A typical enterprise PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with corporate certificate directories; tools for managing, renewing and revoking certificates; and related services and support.

Anti-virus systems: Many products, at the client or the server level, capture and remove viruses arriving from different sources, including HTTP (web) traffic, email and messaging services.

Many lower-layer technologies also support application-layer security. The following are a few examples:

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide secure communications on the Internet. TLS is the successor of SSL. TLS/SSL runs beneath application protocols such as HTTP, SMTP and NNTP and above the TCP transport protocol. While TLS/SSL can add security to any protocol that uses TCP, it is most commonly used with HTTP to form HTTPS, which secures World Wide Web pages for e-commerce. The protection it gives depends on the client actually verifying the server's certificate and the name in it; a client that skips that check still gets encryption but no assurance of whom it is talking to.
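What a client has to configure to get the guarantees just described, as an added example that is not code from the original article: Python's standard ssl module is used to build a deliberately weak client context beside a hardened one. No connection is made; the contexts are only built and inspected. The helper names are this example's own.

```python
"""Added example (not code from the original article): a weak TLS client
configuration beside a hardened one, built with Python's standard ssl
module and inspected without opening a connection."""
import ssl


def weak_client_context():
    """What many scripts do to make certificate errors go away.  The channel
    is still encrypted, but any certificate, including one forged by an
    attacker in the path, is accepted, so there is no authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate
    # minimum_version left at the library default: whatever it still allows
    return ctx


def hardened_client_context(cafile=None):
    """Verify the server certificate against trusted roots (system store, or
    the given CA bundle), require the certificate name to match the host we
    asked for, and refuse protocol versions with known weaknesses."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def describe(ctx):
    """Summarise the three settings that decide whether TLS authenticates
    the peer at all."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("weak    :", describe(weak_client_context()))
    print("hardened:", describe(hardened_client_context()))
```

To use the hardened context, wrap the TCP socket with `ctx.wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what `check_hostname` compares against the certificate, so omitting it reintroduces the weakness the hardened context was built to remove.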

IPsec: IPsec provides security services at the IP layer by letting a system select the required security protocols, determine the algorithm(s) to use for the service(s), and put in place any cryptographic keys needed to provide the requested services. Because it sits below TCP and UDP, it protects every application protocol between the two endpoints without those applications being changed.

Firewall: Well-designed firewall products block unwanted visitors and malicious traffic.

The following are the top threats from the latest (March 2005) Symantec Internet Security Threat Report:


Related Terms: EMAIL Security, Web Security, Password Attack, DNS Attack, S/MIME, S-HTTP, PGP, SSL, TLS, IPsec, Kerberos, Public Key Infrastructure