Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.


3 579 vues

Publié le


Publié dans : Ingénierie
  • Soyez le premier à commenter


  1. 1. INFORMATION AND NETWORK SECURITY (Common to CSE & ISE) Subject Code: 10CS835 I.A. Marks : 25 Hours/Week : 04 Exam Hours: 03 Total Hours : 52 Exam Marks: 100 PART – A UNIT 1 6 Hours Planning for Security: Introduction; Information Security Policy, Standards, and Practices; The Information Security Blue Print; Contingency plan and a model for contingency plan UNIT 2 6 Hours Security Technology-1: Introduction; Physical design; Firewalls; Protecting Remote Connections UNIT 3 6 Hours Security Technology–2: Introduction; Intrusion Detection Systems (IDS); Honey Pots, Honey Nets, and Padded cell systems; Scanning and Analysis Tools UNIT 4 8 Hours Cryptography: Introduction; A short History of Cryptography; Principles of Cryptography; Cryptography Tools; Attacks on Cryptosystems. PART – B UNIT 5 8 Hours Introduction to Network Security, Authentication Applications: Attacks, services, and Mechanisms; Security Attacks; Security Services; A model for Internetwork Security; Internet Standards and RFCs Kerberos, X.509 Directory Authentication Service. UNIT 6 6 Hours Electronic Mail Security: Pretty Good Privacy (PGP); S/MIME UNIT 7 6 Hours IP Security: IP Security Overview; IP Security Architecture; Authentication Header; Encapsulating Security Payload; Combining Security Associations; Key Management. UNIT 8 6 Hours Web Security: Web security requirements; Secure Socket layer (SSL) and Transport layer Security (TLS); Secure Electronic Transaction (SET) Text Books: 1. Michael E. Whitman and Herbert J. Mattord: Principles of Information Security, 2nd Edition, Thomson, 2005. (Chapters 5, 6, 7, 8; Exclude the topics not mentioned in the syllabus) 2. William Stallings: Network Security Essentials: Applications and Standards, Pearson Education, 2000. (Chapters: 1, 4, 5, 6, 7, 8) VTU N O TESBYSR I
  3. 3. INFORMATION AND NETWORK SECURITY 2-1 UNIT 2: FIREWALLS AND VPNS 2.1 Firewall 2.1.1 Firewall Processing Modes Packet-Filtering Firewall Application Gateway Circuit Gateway MAC Layer Firewall Hybrid Firewall 2.1.2 Firewalls Categorized by Generation 2.1.3 Firewalls Categorized by Structure Commercial-Grade Firewall Appliance Commercial-Grade Firewall System Small Office/Home Office (SOHO) Firewall Appliance Residential-Grade Firewall Software 2.1.4 Firewall Architecture Packet-Filtering Router Screened Host Firewall Dual-Homed Firewall Screened Subnet Firewall (with DMZ) 2.1.5 Selecting the Right Firewall 2.1.6 Configuring and Managing Firewall Best Practices for Firewall 2.1.7 Content Filter 2.2 Protecting Remote Connections 2.2.1 Remote Access RADIUS, Diameter and TACACS RADIUS Diameter Protocol TACACS Securing Authentication with Kerberos Kerberos SESAME 2.2.2 Virtual Private Network Transport Mode Tunnel Mode VTU N O TESBYSR I
  4. 4. INFORMATION AND NETWORK SECURITY 2-2 UNIT 2: FIREWALLS AND VPNS 2.1 Firewall • A firewall is an information-security-program similar to a building’s firewall. • Firewall prevents specific types of info. from moving b/w untrusted-network & trusted-network. Example for untrusted-network: Internet (outside world) Example for trusted-network: Intranet or private network (inside world) • The firewall may be → separate computer → separate network containing a no. of supporting devices or → software running on an existing router/server • Firewall can be categorized by 1) processing mode, 2) development era, or 3) structure. 2.1.1 Firewall Processing Modes • Firewall fall into 5 major processing-mode categories: 1) Packet-filtering firewall 2) Application gateway 3) Circuit-gateway 4) Layer firewall and 5) Hybrid firewall Packet Filtering Firewall • It operates at the network-layer of the OSI-model. (Figure 2-1). • It examines the header of packets that come into a network. • It determines whether to drop or forward a packet based on the rules programmed into the firewall. • The rules are based on a combination of the following: → IP source and destination address → Direction (inbound or outbound) → Protocol → TCP/UDP source and destination port • The rules are created and modified in the ACL (Access Control List) by the network-administrators. Figure 2-1 Packet-Filtering-router Table 2-1 Sample Firewall-rule and Format • As shown in Table 2-1, any connection attempt made by an external-device in the 192.168.x.x address-range (– is allowed. VTU N O TESBYSR I
  5. 5. INFORMATION AND NETWORK SECURITY 2-3 • It can be further classified into 3 types: 1) Static Filtering  Here, the filtering-rules must be developed and installed with the firewall.  The rules are created and sequenced by a person directly editing the rule-set. 2) Dynamic Filtering  It can → react to an emergent event and → update/create rules to deal with that event. Static vs Dynamic Firewall  In static firewall, entire sets of one type of packet is allowed to enter into trusted-network.  In dynamic firewall, only a particular packet with a particular source, destination, and port address is allowed to enter into trusted-network. 3) Stateful Inspection  It monitors network-connection between internal and external systems using state-tables.  A state-table records information like → source and destination address of devices → what & when packet is sent (Table 2-2). Table 2-2 State-table Entries Application Gateway • It operates at the application-layer of the OSI-model. • It is frequently installed on a dedicated computer which is separate from the filtering-router. • It is commonly used in conjunction with a filtering-router. • It is also known as a proxy-server because it runs special software that acts as a proxy for a service-request. • The proxy-server → receives requests for Web-pages → accesses the Web-server on behalf of the external client and → returns the requested-pages to the users. • It is also known as a cache-server because it stores the most recently accessed pages in the internal cache. • Advantage: For any external-attack to happen, two separate systems has to be compromised. Thus, the proxy-server can placed in an unsecured-network, thereby protecting the Web-server • Disadvantage: It is designed for a specific type of protocols (e.g., FTP, Telnet, HTTP & SNMP). So, it cannot be re-configured to protect against attacks on other protocols. Circuit Gateway • It operates at the transport-layer of the OSI-model. • It does not usually look at traffic flowing between one network and another network. • Rather, it prevents direct connection between one network and another network. • It → creates tunnel connecting specific processes/systems on each side of the firewall, and → allow only authorized traffic in the tunnels MAC Layer Firewall • It operates at the data-link-layer of the OSI-model. • It examines the header of packets that come into a network. • It determines whether to drop or forward a packet based on the MAC source and destination address. VTU N O TESBYSR I
  6. 6. INFORMATION AND NETWORK SECURITY 2-4 Hybrid Firewall • It combines the elements of above 4 types of firewalls. • For ex: The elements of packet-filtering and proxy services. The elements of packet-filtering and circuit-gateways. • It may consist of 2 separate firewalls which are connected so that they work in tandem. • Advantage: An organization can make a security improvement w/o completely replacing its existing firewall. 2.1.2 Firewall Categorized by Generation 1) First Generation Firewall • It is a static packet-filtering firewall. • It examines the header of packets that come into a network. • It determines whether to drop or forward a packet based on the rules programmed into the firewall. 2) Second Generation Firewall • It is a application-level firewall. • It is frequently installed on a dedicated computer which is separate from the filtering-router. • It is commonly used in conjunction with a filtering-router. • It is also known as a proxy-server because this runs special software that acts as a proxy for a service-request. 3) Third Generation Firewall • It is a stateful inspection firewall. • It monitors network-connection between internal and external systems using state-tables. • A state-table records information like → source and destination address of devices involved in the conversation → what & when packet is sent 4) Fourth Generation Firewall • It is a dynamic packet-filtering firewall. • Here, only a particular packet with a particular source, destination, and port address is allowed to enter into trusted-network. 5) Fifth Generation Firewall • It includes the kernel-proxy. • The kernel-proxy works under Windows NT Executive, which is the kernel of Windows NT. • It evaluates packets at multiple layers of the OSI-model. • For example: Cisco's security-kernel  The security-kernel contains 3 components: 1) Interceptor/Packet-Analyzer 2) Security Verification ENgine (SVEN), and 3) Kernel Proxies.  Interceptor → captures packets arriving at the firewall and → passes the packets to the Packet-Analyzer.  Packet-Analyzer → reads the header → extracts signature-data, and → passes both the data and the packets to the SVEN.  SVEN → receives both the data and the packets → determines whether to drop the packet and → creates a new session. VTU N O TESBYSR I
  7. 7. INFORMATION AND NETWORK SECURITY 2-5 2.1.3 Firewall Categorized by Structure • Firewall can also be categorized by the structure used to implement them. 1) Commercial-Grade Firewall Appliance 2) Commercial-Grade Firewall System 3) Small Office/Home Office (SOHO) Firewall Appliance 4) Residential-Grade Firewall-software • Most commercial-grade firewall is dedicated appliance. • Specifically, It is a stand-alone unit running on fully customized computing-platforms. It provides both the physical network-connection and firmware programming necessary to perform their function. Commercial Grade Firewall Appliance • It is stand-alone, self contained combinations of computing hardware and software. • Normally, it has many features of a general-purpose computer with the addition of firmware based instruction. • Firmware based instruction → increases reliability/performance of the system and → minimizes the likelihood of the system being compromised. • The OS that drives the device can be periodically upgraded. • The firewall-rule-sets are stored in non-volatile memory. Thus, the rule-sets can be changed by technical-staff. • The OS is tuned to meet the type of firewall-activity built into the application-software. Commercial Grade Firewall System • It consists of application-software that is configured for the firewall-application. • The application-software run on a general-purpose computer. • Organizations can either 1) install firewall-software on an existing general-purpose-computer or 2) purchase hardware that runs firewall-application. SOHO Firewall Appliance • It is used for protecting the residential-user and small businesses using DSL or cable-modem. • Both DSL or cable-modem are more vulnerable to attacks. • It is also known as DSL-router or broadband-gateway. • It connects the user’s LAN/computer to the DSL-router provided by the ISP. • It serves first as a stateful firewall to enable inside-to-outside access. • It can also be configured to allow → limited TCP/IP port forwarding and → screened subnet capabilities. (DSL → Digital Subscriber Line ISP → Internet service- provider) • It include packet-filtering, port filtering, and IDPS. Residential Grade Firewall Software • It is also used for protecting the residential-user. • A software-firewall is installed directly on the user’s computer. • For example: antivirus • The most commonly used antivirus are McAfee, Norton, AVG, Kaspersky etc. • Many people have implemented free version of antivirus but, unfortunately, these are not fully protected. (As the proverb says “you get what you pay for”). VTU N O TESBYSR I
  8. 8. INFORMATION AND NETWORK SECURITY 2-6 2.1.4 Firewall Architecture • The configuration that works best for a particular organization depends on 3 factors: 1) The objectives of the network. 2) The organization’s ability to develop and implement the architectures, and 3) The budget available for the function. • There are four common architectural implementations: 1) Packet-filtering-router 2) Screened host firewall 3) Dual-homed firewall and 4) Screened subnet firewall. Packet Filtering Router • It is placed at the boundary between → organization’s internal-networks and → external service-provider. • It can be programmed to reject packets if the organization does not want to allow into the network. • Advantage: Reduces the organization’s risk from external-attack. • Disadvantages: 1) Lack of auditing and strong authentication. 2) Complexity of the ACLs used to filter the packets can degrade network-performance. Screened Host Firewall • It combines → packet-filtering-router and → dedicated firewall such as proxy-server. This separate host is referred to as a bastion-host. • The router pre-screens the packets to minimize the network-traffic and load on the internal proxy. • The proxy-server → receives requests for Web-pages → accesses the Web-server on behalf of the external client, and → returns the requested-pages to the users (Figure 2-3). • If the bastion-host is compromised, the attacker will get information about the configuration of internal-networks. • The bastion-host is commonly referred to as the sacrificial host because the bastion-host stands as a sole defender on the network perimeter. Figure 2-3 Screened Host Firewall VTU N O TESBYSR I
  9. 9. INFORMATION AND NETWORK SECURITY 2-7 • Advantage: For any external-attack to happen, two separate systems has to be compromised. Thus, the bastion-host can placed in an unsecured-network, thereby protecting the Web-server. • Disadvantage: It is designed for a specific type of protocols (e.g., FTP, Telnet, HTTP & SNMP). So, it cannot be re-configured to protect against attacks on other protocols. Dual Homed Firewall • The bastion-host contains two NICs rather than one. 1) One NIC is connected to the external-network and 2) Another NIC is connected to the internal-network. • Two NICs provide an additional layer of protection. (NIC → network interface card) • All traffic must physically go through the firewall to move b/w the internal and external-networks. Figure 2-4 Dual-Homed Host Firewall • NAT is used for implementation of this architecture (Figure 2-4). • NAT is a method of mapping external IP-addresses to non-routable internal IP-addresses. • NAT can be used to create yet another barrier to intrusion from external-attackers. • The internal-addresses consist of 3 different ranges (Table 2-3). 1) Organizations that need a large group of addresses will use the Class A address-range. 2) Organizations that need a medium group of addresses will use the Class B address-range. 3) Organizations that need a small group of addresses will use the Class C address-range. Table 2-3 Reserved Non-routable Address-ranges • Advantages: 1) NAT prevents external-attacks from reaching internal-computers. 2) Can translate between different protocols such as Ethernet, token ring, FDDI, and ATM. • Disadvantages: 1) If dual-homed host is compromised, it can disable the connection to the external-network. 2) As traffic volume increases, the dual-homed host can become overloaded. VTU N O TESBYSR I
  10. 10. INFORMATION AND NETWORK SECURITY 2-8 Screened Subnet Firewall (with DMZ) • It is the most popular architecture used today (Figure 2-5). • It provides a DMZ (demilitarized zone). • DMZ refers to an intermediate-area between a trusted-network and an untrusted-network. • As shown in figure 2-5, DMZ consist of two or more internal bastion-hosts behind a packet-filtering-router, with each host protecting the trusted-network. • The connections are routed as follow: 1) Connections from the untrusted-network are routed into an external filtering-router. 2) Then, connections from the untrusted-network are routed into the DMZ. 3) Finally, connections from the untrusted-network are routed into the trusted-network via DMZ bastion-host. • It performs two functions: 1) Protects the DMZ systems and information from outside threats by providing a network of intermediate-security. 2) Protects the internal-networks by limiting how external-connections can gain access to them. Figure 2-5 Screened Subnet (DMZ) • Disadvantages: 1) Expensive to implement. 2) Complex to configure and manage. • Advantage: 1) DMZ allows the creation of an area known as an extranet. In extranet, additional authentication and authorization controls are provided. (For example: In an online retailer, i) Anybody can browse the product catalog and place items into a shopping cart. ii) But additional authentication and authorization is required when the customer is ready to check out and place an order). VTU N O TESBYSR I
  11. 11. INFORMATION AND NETWORK SECURITY 2-9 2.1.5 Selecting the Right Firewall • To determine the best firewall for an organization, following questions can be considered: 1) Which type of firewall technology offers the right balance between protection and cost for the needs of the organization? 2) What features are included in the base price? What features are available at extra cost? Are all cost factors known? 3) How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall? 4) Can the candidate firewall adapt to the growing network in the target organization? 2.1.6 Configuring and Managing Firewall • After the firewall architecture is selected, the organization must provide the initial configuration of the firewall. • Good policy dictates that each firewall must have its own set of configuration-rules. • Each configuration-rule must be carefully crafted, debugged, tested, and placed into the ACL. • A good configuration-rules ensure that the actions taken comply with the organization’s policy. • In fact, the configuration of firewall-rules can be complex and difficult. • Programmable IT professionals can easily deal with debugging both syntax-errors and logic-errors. • Syntax-errors are usually easy to identify, as the systems alert the administrator. Best Practices for Firewall 1) All traffic from the trusted-network is allowed out. • Thus, members of the organization can access the required services. • Filtering and logging of outbound-traffic can be implemented when required by organization policy. 2) The firewall is never directly accessible from the public-network for configuration or management purposes. • Even internal-users must be denied to access the firewall. • Only authorized administrator must be allowed to access the firewall. • The access method can be based on cryptographically strong authentication. 3) SMTP-data is allowed to enter through the firewall, but is routed to a well-configured SMTP-gateway to filter and route messaging traffic securely. 4) All ICMP data should be denied. • ICMP is Known as the ping service. • ICMP is a common method used by hacker for snooping the internal-network. • So, ICMP should be turned off to prevent snooping. 5) Telnet access to all internal servers from the public-networks should be blocked. • Telnet access to the organization’s DNS-server should be blocked → to prevent illegal zone transfers and → to prevent attackers from taking down the organization’s entire network. • If internal-users want to access an organization’s network from outside, the organization should use a VPN. 6) When Web-services are offered outside the firewall, HTTP-traffic should be blocked from internal-networks through the proxy server or DMZ. • The restriction can be accomplished using NAT or proxy-server. i) If the Web-servers only contain critical data, they should be placed inside the network. ii) If the Web-servers only contain advertising, they should be placed in the DMZ. 7) All data that is not verifiably authentic should be denied. • When attempting to convince packet-filtering firewall to permit malicious traffic, attackers frequently put an internal-address in the source field. • To avoid this problem, set rules so that the firewall blocks all inbound traffic with an organizational source-address. VTU N O TESBYSR I
  12. 12. INFORMATION AND NETWORK SECURITY 2-10 2.1.7 Content Filter • It is a software-filter that allows administrators to restrict access to content from within a network. • It can help protect an organization’s systems from misuse and unintentional DOS problems. • It is restricts user access to → networking protocols (eg: ftp, http) and → Internet content (eg: facebook, youtube, amazon). • It is also called reverse-firewall because it is mainly used to restrict internal-access to external material. • It has two components: rating and filtering. 1) Rating  It is like a set of firewall-rules for Web-sites.  It is most common in residential content-filters.  It can be → complex, with multiple access control settings for different levels of organization or → simple, with a basic allow/deny scheme like that of a firewall. 2) Filtering  It is a method used to restrict specific access-requests to the identified resources.  The resources may be Web-sites or servers. • Two ways to configure: 1) Exclusive Mode  Certain sites are specifically excluded to access (eg: facebook, youtube, amazon).  Disadvantage: There may be thousands of Web-sites that an organization wants to exclude. 2) Inclusive Mode  Certain sites are specifically permitted to access (eg: ieee, springer, elsevier). • Advantages: 1) The assurance that employees are not distracted by non-business material. 2) The assurance that employees cannot waste time and resources of organization. • Disadvantage: Requires extensive configuration and ongoing maintenance to keep the blacklist up-to-date. VTU N O TESBYSR I
  13. 13. INFORMATION AND NETWORK SECURITY 2-11 2.2 Protecting Remote Connections • In past, organizations provided the remote-connections exclusively through dial-up services like RAS • Since the Internet has become more widespread in recent years, other options such as VPNs have become more popular. (RAS → Remote Authentication Service VPN → Virtual Private Network). 2.2.1 Remote Access • The connections b/w company-networks and the Internet use firewall to safeguard that interface. • The unsecured, dial-up connection-points represent a substantial exposure to attack. • An attacker who suspects that an organization has dial-up lines can use a war-dialer. • A war-dialer is an automatic phone-dialing program used to locate the connection-points. • A war-dialer → dials every number in a configured-range (e.g.,555-1000 to 555-2000), and → checks to see if a person, answering machine, or modem picks up. • If a modem answers, the war-dialer program → makes a note of the number and → moves then to the next target number. • Finally, the attacker attempts to hack into the network via the identified modem-connection. RADIUS, Diameter and TACACS RADIUS • RADIUS stands for Remote Authentication Dial-In User Service (Figure 2-6). • It is an remote-access authorization-system that is based on a client/server configuration. • It is used to authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection. Figure 2-6 RADIUS Configuration Diameter Protocol • It is an emerging alternative derived from RADIUS. • It defines the minimum requirements for a system that provides authentication, authorization, and accounting (AAA) services. • It security uses existing encryption standards such as IPSec or TLS. • Diameter based devices are emerging into the marketplace. • It is expected to become the dominant form of AAA services. (TLS → Transport-layer Security). TACACS • TACACS stands for Terminal Access Controller Access Control System. • It is another remote-access authorization-system that is based on a client/server configuration. • There are three versions of TACACS: 1) TACACS  It combines authentication and authorization services. 2) Extended TACACS  It separates the steps needed to authenticate the individual/system from the steps needed to verify the authenticated individual/system. 3) TACACS+  It uses dynamic passwords and incorporates two-factor authentication. VTU N O TESBYSR I
  14. 14. INFORMATION AND NETWORK SECURITY 2-12 Securing Authentication with Kerberos • Two authentication-systems can provide secure third-party authentication: 1) Kerberos and 2) SESAME. Kerberos • It uses symmetric-key encryption to validate an individual client to various servers. i) Server provides network-service. (eg: vtu server containing result-sheets) ii) Client uses network-services. (eg: students requesting result-sheets) • It consists of 3 interacting-servers (Figure 2-7 & 2-8): 1) Authentication-server (AS) or Kerberos-Server  It is used to authenticate clients and servers. 2) Key Distribution Center (KDC)  It is used to generate and issue session-keys. 3) Ticket Granting Service (TGS)  It is used to provide tickets to clients who request services.  A ticket is an identification card for a particular client. (eg: Ticket is similar to token issued in bank).  The ticket confirms that the client is authorized to receive services from the server. • It is based on the following 4 principles: 1) KDC keeps a database containing the secret-keys of all clients and servers on the network. 2) Initially, KDC exchanges information with the client and server by using these secret keys. 3) Kerberos authenticates a client to a requested service on a server through TGS.  Kerberos also generates temporary session-keys.  Session-keys are private keys given to the two parties for communication purpose.  The session-keys are used to encrypt all communications between two parties.  For example: i) client and KDC ii) server and KDC iii) client and server. 4) Communications then take place between the client and server using these temporary session-keys. Figure 2-7 Kerberos Login VTU N O TESBYSR I
  15. 15. INFORMATION AND NETWORK SECURITY 2-13 Figure 2-8 Kerberos Request for Services SESAME • SESAME stands for Secure European System for Applications in a Multivendor Environment. • It is similar to Kerberos. 1) Firstly, the user is authenticated to an Authentication-server. 2) Then, the user receives a token. 3) Finally, the token is presented to a privilege attribute server as proof of identity to gain a privilege attribute certificate (PAC). (The PAC is like the ticket in Kerberos). • It uses public-key encryption to distribute secret-keys. • It also builds on the Kerberos model by adding → more sophisticated access control features → more scalable encryption systems → improved manageability and → auditing features VTU N O TESBYSR I
  16. 16. INFORMATION AND NETWORK SECURITY 2-14 2.2.2 Virtual Private Network (VPN) • It is defined as a private-network that makes use of the public telecommunication infrastructure. • It maintains privacy through the use of a tunneling-protocol and security-procedures. • It is commonly used to securely extend an organization’s internal-network-connections to remote- locations. • There are three VPN technologies: 1) Trusted VPN (or Legacy VPN)  It uses leased-circuits from a service-provider (e.g.: BSNL lines).  It forwards packet over these leased-circuits without encryption.  The organization must trust the service-provider.  The service-provider provides assurance that the circuits are properly maintained and protected. Hence, the name trusted VPN. 2) Secure VPN  It uses security-protocols.  It encrypts and forwards packet over unsecured public-networks like the Internet. 3) Hybrid VPN  It combines the above two technologies.  It encrypts and forwards packet over some or all of a trusted VPN network. • It provides three services: 1) Encapsulation of incoming and outgoing data. (For ex: IPv6-packet within IPv4-packet). 2) Encryption of incoming and outgoing data. (For ex: RSA, DES). 3) Authentication of the remote-computer or remote-user. • Two ways to implement a VPN: 1) Transport mode and 2) Tunnel mode. Transport Mode • The data within an IP-packet is encrypted, but the header is not encrypted (Figure 2-9). • Advantages: 1) Eliminates the need for special servers and tunneling-software. 2) Allows the end-users to transmit traffic from anywhere. 3) Especially useful for traveling employees. • Disadvantage: Attacker can still identify the destination-computer. Figure 2-9 Transport Mode VPN • There are two popular uses for transport mode VPNs: 1) End-to-end transport of encrypted data.  Here, two end-users can communicate securely using encryption and decryption.  Each machine acts as the 1) end-node VPN server and 2) end-node VPN client. 2) A teleworker (or remote-access worker) connects to an company-network over the Internet.  Thus, teleworker’s system can work as if it were part of the LAN. VTU N O TESBYSR I
  17. 17. INFORMATION AND NETWORK SECURITY 2-15 Tunnel Mode • A connection is set up between two perimeter tunnel-servers (Figure 2-10). • These 2 tunnel-servers encrypt all traffic that will traverse an unsecured-network. • Both data & header within an IP-packet are encrypted. • The entire IP-packet is encapsulated within another packet. (For ex: IPv6-packet within IPv4-packet). • The new packet is addressed from one tunneling server to another. • Advantage: An intercepted packet reveals nothing about the true destination system. Figure 2-10 Tunnel Mode VPN VTU N O TESBYSR I
  18. 18. INFORMATION AND NETWORK SECURITY 3-1 UNIT 3: INTRUSION-DETECTION AND PREVENTION SYSTEMS, AND OTHER SECURITY TOOLS 3.1 Intrusion-detection and Prevention Systems 3.1.1 IDPS Terminology 3.1.2 Why Use an IDPS? 3.1.3 Types of IDPS 3.1.4 IDPS Detection Methods Signature-Based IDPS Statistical Anomaly-Based IDPS Stateful Protocol Analysis IDPS 3.1.5 IDPS Response Behavior IDPS Response Options 3.1.6 Selecting IDPS Approaches and Products Technical and Policy Considerations Organizational Requirements and Constraints IDPSs Product Features and Quality 3.1.7 Strengths and Limitations of IDPSs Strengths of IDPS Limitations of IDPS 3.1.8 Deployment and Implementation of an IDPS IDPS Control Strategies Centralized Control-Strategy Fully Distributed Control-Strategy Partially Distributed Control-Strategy IDPS Deployment Deploying Network-Based IDPSs Deploying Host-Based IDPSs 3.1.9 Measuring the Effectiveness of IDPSs 3.2 Honeypots, Honeynets, and Padded-cell Systems 3.2.1 Trap-and-Trace Systems 3.2.2 Active Intrusion-prevention 3.3 Scanning and Analysis Tools 3.3.1 Port Scanners 3.3.2 Firewall Analysis Tools 3.3.3 Operating System Detection Tools 3.3.4 Vulnerability Scanners 3.3.5 Packet Sniffers 3.3.6 Wireless Security Tools VTU N O TESBYSR I
  19. 19. INFORMATION AND NETWORK SECURITY 3-2 UNIT 3: INTRUSION-DETECTION AND PREVENTION SYSTEMS, AND OTHER SECURITY TOOLS 3.1 Intrusion-detection and Prevention System (IDPS) • An intrusion occurs when an attacker attempts to → gain entry into the trusted-network or → disrupt the normal operation of the trusted-network. • Main motive for intrusion: to harm an organization. • Example includes: virus attack or DOS attack • Intrusion-prevention consists of activities that prevent an intrusion. • Some important intrusion-prevention activities are → implementing good security-policy → executing effective security-programs and → installing technology-based countermeasures (such as firewalls and IDPS) • Intrusion-detection consists of procedures used to identify intrusions. • Intrusion-reaction consists of actions taken by organization when an intrusion is detected. • These actions seek to → limit the loss from an intrusion and → return operations to a normal-state as quickly as possible. • Intrusion-correction consists of restoration of operations to a normal-state. • These actions seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again. • Like a burglar alarm, an IDS detects a violation and activates an alarm. • This alarm can be → audible or visual or → silent an e-mail or pager alert. • System-admins can choose → configuration of the various alerts and → alarm-levels associated with each type of alert. • A current extension of IDS technology is the IPS, which can detect and prevent intrusion by means of an active response. • Because the two systems often coexist, the combined term Intrusion-detection and prevention system (IDPS) is generally used. (IPS --> intrusion-prevention system IDS --> Intrusion-detection systems) VTU N O TESBYSR I
  20. 20. INFORMATION AND NETWORK SECURITY 3-3 3.1.1 IDPS Terminology 1) Alert or Alarm • An indication that a system has just been attacked or is under attack. • Different forms of alarms are → audible-signals → e-mail messages → pager notifications or → pop-up windows. 2) Evasion • The process by which attackers change the format and timing of their activities to avoid being detected by the IDPS. 3) False Attack Stimulus • An event that triggers an alarm when no actual attack is in progress. • During testing phase, false attack stimuli can be used to check whether the IDPSs can distinguish between 1) false attack stimuli and 2) real attacks. 4) False Negative • An alert does not occurs in the presence of an actual attack. • It is the most serious failure, since the purpose of an IDPS is to detect and respond to attacks. 5) False Positive • An alert occurs in the absence of an actual attack. • A false positive may be produced when an IDPS mistakes normal system activity for an attack. 6) Noise • Alarm events that are accurate and noteworthy but that do not pose significant threats to information security. • Unsuccessful attacks are the most common source of noise. • Some of the alarms may be triggered by scanning-tools deployed by admins without intent to do harm. 7) Site Policy • The rules and guidelines governing the operation of IDPSs within the organization. 8) Site Policy Awareness • An IDPS’s ability to dynamically modify its rules in response to environmental activity. • A smart IDPS can adapt its reactions in response to admin guidance over time and circumstances of the current local environment. • A smart IDPS logs events that fit a specific profile instead of minor events, such as file modification or failed user logins. 9) True Attack Stimulus • An event that triggers alarms and causes an IDPS to react as if a real attack is in progress. • The event → may be an actual attack, in which an attacker has gained entry into the trusted-network or → may be a drill, in which security personnel are using hacker tools to conduct tests 10) Tuning • The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives. 11) Confidence Value • The measure of an IDPS’s ability to correctly detect and identify certain types of attacks. • The confidence value is based on experience and past performance measurements. • The confidence value helps an admin determine how likely it is that an alarm indicates an actual attack in progress. • For example, if a system has confidence value of 90% for reporting a DOS attack, then there is a high probability that an actual attack is occurring. 12) Alarm Filtering • The process of classifying IDPS alerts so that they can be more effectively managed. • An admin can set up alarm filtering by running the system for a while to track what types of false positives it generates and then adjusting the alarm classifications. • For example, the admin may set the IDPS to discard alarms produced by false attack stimuli or normal network operations. • Like a packet filter, an alarm filter are used to filter traffic based on operating systems, confidence values, alarm type, or alarm severity VTU N O TESBYSR I
  21. 21. INFORMATION AND NETWORK SECURITY 3-4 13) Alarm Clustering and Compaction • A process of grouping almost identical alarms that happen at close to the same time into a single higher-level alarm. • This consolidation reduces the number of alarms generated, thereby reducing administrative overhead. • This clustering may be based on → similarity in attack signature or → similarity in attack target 3.1.2 Why Use an IDPS? 1) The attackers avoid breaking into a trusted-network that has an IDPS. • Because, they are afraid of getting caught and punished. (For e.g., criminals avoid breaking into a house that has an burglar alarm). 2) To detect attacks and other security violations that are not prevented by other security measures. • IDPS can be used when trusted-network → cannot protect itself against known security-holes or → cannot respond to a rapidly changing threat environment. 3) To detect and deal with the preambles to attacks. • IDPSs can also help admins detect the preambles to attacks. • Most attacks begin with an organized and thorough probing of the organization’s network environment and its defenses. • This initial estimation of the defensive state of an organization’s networks and systems is called doorknob rattling and is accomplished by means of footprinting and fingerprinting 4) To document the existing threat to an organization. • The implementation of security technology usually requires that project proponents document the threat from which the organization must be protected. • IDPSs are one means of collecting such data. 5) To act as quality control for security design and administration, especially in large enterprises. • Data collected by an IDPS can also help management with quality assurance and continuous improvement. • IDPSs consistently pick up information about attacks that have successfully compromised the outer layers of information security controls such as a firewall. • This information can be used to identify and repair emergent or residual flaws in the security and network architectures. 6) To provide information about intrusions that occurred. • The information can be used for improved diagnosis, recovery, and correction. • IDPS can still assist in the after-attack review by providing information on → how the attack occurred → what the attacker accomplished and → which methods the attacker employed. • This information can be used → to remedy deficiencies and → to prepare the trusted-network for future attacks. • The IDPS can also provide forensic information. • This information may be used to catch the attacker for punishment. (footprinting refers to activities that gather information about the organization and its network activities and assets) (fingerprinting refers to activities that scan network locales for active systems and then identify the network services offered by the host systems) VTU N O TESBYSR I
  22. 22. INFORMATION AND NETWORK SECURITY 3-5 3.1.3 Types of IDPS • Two types of IDPSs are 1) network- based and host-based (Figure 3-1). 1) A network-based IDPS is focused on protecting network-assets. • Two subtypes of network-based IDPS: i) wireless IDPS and ii) network behavior analysis (NBA) IDPS. i) Wireless IDPS is focused on protecting wireless-networks. ii) NBA IDPS examines traffic-flow on a network in an attempt to identify attacks like DDoS, virus and worm. 2) A host-based IDPS is focused on protecting information-assets of a server(or host). Figure 3-1 Intrusion-detection and Prevention Systems VTU N O TESBYSR I
  23. 23. INFORMATION AND NETWORK SECURITY 3-6 Network-Based IDPS (NIDPS) • It is focused on protecting network-assets. • It resides on a network-segment of an organization. • It monitors a specific group of computers on a specific network-segment • It looks for indications of ongoing or successful attacks. • When it identifies an attack, it sends an alert to the admin. • When placed next to a network-device (hub/switch), NIDPS may use that device’s monitoring-port. • A monitoring-port is a connection on a network-device that is capable of viewing all of the traffic that moves through the entire device. • To check for an attack, NIDPS compares measured activity to known signatures in their knowledge base. • In protocol stack verification, the NIDPS looks for invalid data-packets. • In application protocol verification, the higher-order protocols (HTTP, FTP) are examined for unexpected packet behavior. • Advantages: 1) Few NIDPs can be used to monitor a large network. 2) It is passive device. So, they can be deployed into existing networks without disturbing normal operations. 3) It is not susceptible to direct attack. So, they are not be detectable by attackers. 4) It can detect many more types of attacks than a HIDPS. • Disadvantages: 1) NIDPS can be overloaded by network volume. So, they may fail to recognize actual attacks 2) It requires access to all traffic to be monitored. 3) It cannot analyze encrypted packets. 4) It cannot reliably confirm if an attack was successful or not. 5) It cannot detect attacks involving fragmented packets. 6) It requires a much more complex configuration and maintenance program. Wireless NIDPS(WIDPS) • It is focused on protecting wireless-networks. • It monitors and analyzes wireless-network-traffic. • It looks for potential problems with the wireless protocols. • It can be built into a device that provides a wireless access-point. (eg base station) • It can also detect: → Unauthorized WLANs and WLAN devices → Poorly secured WLAN devices → Unusual usage patterns → Use of wireless-network scanners → DoS attacks and conditions → Impersonation and man-in-the-middle attacks • Some issues associated with the implementation of WIDPS: 1) Physical Security • Many wireless sensors are deployed in public places to obtain the widest possible network range. • Public areas includes conference rooms, assembly areas, and highways. • So, additional security configuration and monitoring must be provided. 2) Sensor Range • A wireless device’s range can be affected by → atmospheric conditions → building construction and → quality of the network card • Some IDPS can be used to identify the optimal location for sensors by using the footprint based on signal strength. • Sensors are most effective when their footprints overlap. VTU N O TESBYSR I
  24. 24. INFORMATION AND NETWORK SECURITY 3-7 3) Access-point and wireless switch locations • Wireless-components containing IDPS must be carefully deployed to optimize the sensor detection grid. • The thumb rule: you must guard against the possibility of an attacker connecting to an access-point from a range far beyond the minimum. 4) Wired-network-connections • Wireless-network components work independently of the wired-network when sending and receiving between stations and access-points. • However, a network-connection eventually integrates wireless traffic with the organization’s wired network. • Where there is no available wired-network-connection, it may be impossible to deploy a sensor. 5) Cost • The more sensors deployed, the more expensive the configuration. • Wireless-components typically cost more than their wired counterparts. • Thus, the total cost of ownership of IDPS of both wired and wireless varieties should be carefully considered. Network Behavior Analysis System(NBA IDPS) • It examines traffic-flow on a network in an attempt to identify attacks like DDoS, virus and worm. • It uses a version of the anomaly detection method to identify excessive packet flows. • It typically monitors internal-networks but occasionally monitors connection between internal and external networks. • Typical traffic-flow includes: → Source and destination IP-addresses → Source and destination TCP or UDP ports → ICMP types and codes → Number of packets and bytes transmitted in the session → Starting and ending timestamps for the session • It can detect following types of attacks: → DoS attacks (including DDoS attacks) → Scanning → Worms → Unexpected application services (e.g., tunneled protocols, back doors) → Policy violations VTU N O TESBYSR I
  25. 25. INFORMATION AND NETWORK SECURITY 3-8 Host-Based IDPS (HIDPS) • It is focused on protecting information-assets of a server(or host). • It resides on a particular host, and monitors activity only on that host. • It is also known as system integrity verifiers because they → monitor the status of system-files and → detect when an attacker creates, modifies, or deletes files. • It is also capable of monitoring system configuration database. • It triggers an alert when one of the following occurs: → file-attributes change → new files are created or → existing files are deleted. • It can also monitor systems logs for predefined events. • It examines the log files to determine if an attack is underway or the attack has occurred. • Advantages: 1) HIDPS can → detect local events on host systems and → detect attacks that may escape a network-based IDPS. 2) It can process encrypted traffic. 3) It is not affected by the use of switched-network protocols. 4) It can detect inconsistencies in how applications were used by examining the records stored in audit logs. This enables to detect Trojan horse attacks. • Disadvantages: 1) It requires more management effort to install, configure, and operate. 2) It is vulnerable both to direct attacks and to attacks against the host operating system. 3) It is not optimized to detect multi-host scanning. Also, it is not able to detect the scanning of non-host network-devices such as routers or switches. 4) It is susceptible to some DOS attacks. 5) It requires a large amount of disk space to store audit logs. 6) It can impose a performance overhead on its host systems. Thus, system performance may be reduced. VTU N O TESBYSR I
  26. 26. INFORMATION AND NETWORK SECURITY 3-9 3.1.4 IDPS Detection Methods • IDPSs use a variety of detection methods to monitor and evaluate network-traffic. • Three popular methods are: 1) signature-based approach, 2) statistical-anomaly approach, and 3) stateful packet inspection approach. Signature-Based IDPS (Sig IDPS) • It examines network-traffic in search of patterns that match known signatures. • Signature refers to preconfigured, predetermined attack patterns. • It is widely used because many attacks have clear and distinct signatures. • For example: 1) Footprinting and fingerprinting activities use ICMP and DNS querying. 2) Exploits use a specific attack sequence designed to take advantage of a security-holes to gain access to a system. 3) DoS attacks. The attacker tries to prevent the normal usage of a system by overloading. • Disadvantages: 1) New attack strategies must be continuously added into the database of signatures. 2) A slow, methodical attack might escape detection if the attack signature has a shorter time frame. Solution: Collect and analyze data over longer periods of time. Use additional processing capacity and large data storage capability. Statistical Anomaly-Based IDPS (Stat IDPS) • It collects statistical summaries by observing traffic that is known to be normal. • This normal period of evaluation establishes a performance baseline. • Once the baseline is established, it periodically → samples network activity and → compares the sampled network activity to this baseline. • When the measured activity is outside the baseline parameters, it sends an alert to the admin. • The baseline parameters can include → host memory or CPU usage → network packet types, and → packet quantities. • Advantage: 1) It can detect new types of attacks, since it looks for abnormal activity of any type. • Disadvantages: 1) It requires much more overhead and processing capacity than sig-IDPSs. 2) It may not detect minor changes to system variables and may generate many false positives. 2) Due to its complexity, it is less commonly used than the sig-IDPSs. VTU N O TESBYSR I
  27. 27. INFORMATION AND NETWORK SECURITY 3-10 Stateful Protocol Analysis IDPS (SPA IDPS) • It compares → predetermined profiles of generally accepted definitions of benign activity & → observed events to identify deviations. • It relies on vendor-developed universal profiles that specify how particular protocols should and should not be used. • This is how it works: 1) Firstly, it stores relevant data detected in a session 2) Then, it uses this data to identify intrusions that involve multiple requests and responses 3) Finally, it detects multisession attacks. This process is known as deep packet inspection. • It can also examine authentication sessions for suspicious activity. • Disadvantages: 1) It requires heavy processing overhead to track multiple simultaneous connections. 2) It may interfere with the normal operations of the protocol. VTU N O TESBYSR I
  28. 28. INFORMATION AND NETWORK SECURITY 3-11 3.1.5 IDPS Response Behavior • IDPS responds to external stimulation in a different way, depending on its configuration and function. IDPS Response Options • IDPS responses can be classified as active or passive. 1) Active Response  Active response is a definitive action automatically initiated when certain types of alerts are triggered.  It can include → collecting additional information → modifying the environment and → taking action against the attackers. 2) Passive Response  Passive response → alerts the admin about attack and → waits for the admin to respond. • Some of the responses include the following: 1) Audible/visual Alarm • IDPS can trigger a siren to alert the admin of an attack. • For example: Computer pop-up can be configured with color indicators and specific messages. 2) SNMP Traps and plug-ins • SNNP contains trap functions. • A network-devices can use trap to send an alert to the SNMP management console. • An alert indicates that a certain threshold has been crossed, either positively or negatively. 3) E-mail message • IDPS can send e-mail to notify admins of an event. • The admins use smartphones to check for alerts and other notifications. 4) Page or Phone Message • IDPS can dial a phone number and produce a modem noise. 5) Log entry • IDPS can enter information about the event into a log file. (e.g., addresses, time, systems involved, protocol information). • These files can be stored on separate servers to prevent skilled attackers from deleting entries about their intrusions. 6) Evidentiary Packet Dump • Organizations can to record all log data. • Thus, the organization can → perform further analysis on the data and → submit the data as evidence in a civil or criminal case. 7) Take action against the attacker • This response option involves configuring IDPS to trace the data from the target system to the attacking system in order to initiate a counterattack. This is also known as trap-and-trace, back- hacking, or traceback. 8) Launch program • An IDPS can be configured to execute a specific program when it detects specific types of attacks. 9) Reconfigure firewall • An IDPS can send a command to the firewall to filter out suspected packets by IP-address, port, or protocol. • IDPS can block or deter intrusions via one of the following methods: 1) Establishing a block for all traffic from the suspected attacker’s IP-address. 2) Establishing a block for specific TCP or UDP port traffic from the suspected attacker’s. 3) Blocking all traffic to or from a network interface in case of the suspected attack. 4) Terminating the session by using the TCP/IP protocol specified packet. 5) Terminating the organization’s internal or external connections. VTU N O TESBYSR I
  29. 29. INFORMATION AND NETWORK SECURITY 3-12 3.1.6 Selecting IDPS Approaches and Products Technical and Policy Considerations • What Is Your Systems Environment? 1) What are the technical specifications of your systems environment? 2) What are the technical specifications of your current security protections? 3) What are the goals of your enterprise? 4) How formal is the system environment and management culture in your organization? • What Are Your Security Goals and Objectives? 1) Is primary concern of your organization protecting from threats originating from outside? 2) Is your organization concerned about insider attack? 3) Does your organization want to use the output of your IDPS to determine new needs? 4) Does your organization want to maintain managerial control over network usage? • What Is Your Existing Security-policy? 1) How is it structured? 2) What are the general job descriptions of your system users? 3) Does the policy include reasonable use policies or other management provisions? 4) Has your organization defined processes for dealing with specific policy violations? Organizational Requirements and Constraints • What Requirements Are Levied from Outside the Organization? 1) Is your organization subject to oversight or review by another organization? 2) Are there requirements for public access to information on your organization’s systems? 3) Are there other security-specific requirements levied by law? Are there legal requirements for protection of personal information stored on your systems? 4) Are there internal audit requirements for security best practices or due diligence? 5) Is the system subject to accreditation? 6) Are there requirements for law enforcement investigation of security incidents? • What Are Your Organization’s Resource Constraints? 1) What is the budget for acquisition and life cycle support of Intrusion-detection hardware, software, and infrastructure? 2) Is there sufficient existing staff to monitor an Intrusion-detection system full time? 3) Does your organization have authority to instigate changes based on the findings of an Intrusion-detection system? IDPSs Product Features and Quality • Is the Product Sufficiently Scalable for Your Environment? • How Has the Product Been Tested? 1) Has the product been tested against functional requirements? 2) Has the product been tested against attack? • What Is the User Level of Expertise Targeted by the Product? • Is the Product Designed to Evolve as the Organization Grows? 1) Can the product adapt to growth in user expertise? 2) Can the product adapt to growth and change of the organization’s systems infrastructure? 3) Can the product adapt to growth and change in the security threat environment? • What Are the Support Provisions for the Product? 1) What are the commitments for product installation and configuration support? 2) What are the commitments for ongoing product support? 3) Are subscriptions to signature updates included? 4) How often are subscriptions updated? 5) How quickly after a new attack is made public will the vendor ship a new signature? 6) Are software updates included? 7) How quickly will software updates be issued after a problem is reported to the vendor? 8) Are technical support services included? What is the cost? 9) What are the provisions for contacting technical support (e-mail, telephone, online chat)? 10) Are there any guarantees associated with the IDPS? 11) What training resources does the vendor provide? 12) What additional training resources are available from the vendor and at what cost? VTU N O TESBYSR I
  30. 30. INFORMATION AND NETWORK SECURITY 3-13 3.1.7 Strengths and Limitations of IDPSs Strengths of IDPS 1) Monitoring and analysis of system events and user behaviors. 2) Testing the security states of system configurations. 3) Baselining the security state of a system, then tracking any changes to that baseline. 4) Recognizing patterns of system events that correspond to known attacks. 5) Recognizing patterns of activity that statistically vary from normal activity. 6) Managing operating system audit and logging mechanisms and the data they generate. 7) Alerting appropriate staff by appropriate means when attacks are detected. 8) Measuring enforcement of security policies encoded in the analysis engine. 9) Providing default information security policies. 10) Allowing non-security experts to perform important security monitoring functions. Limitations of IDPS 1) Compensating for weak or missing security mechanisms in the protection infrastructure, such as → firewalls → identification and authentication systems → link encryption systems → access control mechanisms, and → virus detection and eradication software 2) Instantaneously detecting, reporting & responding to an attack when there is a heavy network load. 3) Detecting newly published attacks or variants of existing attacks. 4) Effectively responding to attacks launched by sophisticated attackers. 5) Automatically investigating attacks without human intervention. 6) Resisting all attacks that are intended to defeat or circumvent them. 7) Compensating for problems with the fidelity of information sources. 8) Dealing effectively with switched-networks. VTU N O TESBYSR I
  31. 31. INFORMATION AND NETWORK SECURITY 3-14 3.1.8 Deployment and Implementation of an IDPS IDPS Control Strategies • A Control-Strategy determines how an organization supervises and maintains the configuration of an IDPS. • It also determines how the input and output of the IDPS is managed. • The three commonly used control strategies are 1) Centralized 2) Partially distributed and 3) Fully distributed. Centralized Control-Strategy • All control functions are implemented and managed in a central location called IDPS Console. • IDPS console includes the management software which (Figure 3-2). → collects information from the remote sensors → analyzes the systems or networks, and → determines whether the current situation has deviated from the preconfigured baseline. • Advantage: Less cost and control compared to other 2 control strategies. • With one central implementation, → there is one management system → there is one place to monitor the status of the network → there is one location for reports and → there is one set of administrative management. • It supports task specialization, since all managers are located near the IDPS management console. • It means that each person can focus specifically on an assigned task. Figure 3-2 Centralized IDPS Control VTU N O TESBYSR I
  32. 32. INFORMATION AND NETWORK SECURITY 3-15 Fully Distributed Control-Strategy • All control functions are applied at the physical location of each IDPS component. (Figure 3-3). • Each monitoring site uses its own paired sensors to perform its own control functions to achieve the necessary detection, reaction, and response functions. • Thus, each sensor/agent is best configured to deal with its own environment. • Advantage: Better response time. This is because IDPSs do not have to wait for a response from a centralized control facility Figure 3-3 Fully Distributed IDPS Control1 VTU N O TESBYSR I
  33. 33. INFORMATION AND NETWORK SECURITY 3-16 Partially Distributed Control-Strategy • It combines the best of the other two strategies. (Figure 3-4). • The individual admins can analyze and respond to local threats. • In addition, they can also report to a hierarchical central facility. It enables the organization to detect widespread attacks. • Advantage: This approach is useful when attackers probe an organization at multiple points of entry. • The organization can optimize for economy of scale in the implementation of key management software and personnel. • A pool of security managers can evaluate reports from multiple distributed IDPS systems. Thus, they are able to detect various distributed attacks. Figure 3-4 Partially Distributed IDPS Control1 VTU N O TESBYSR I
  34. 34. INFORMATION AND NETWORK SECURITY 3-17 IDPS Deployment Deploying Network-Based IDPSs Location 1: Behind each external firewall, in the network DMZ (See Figure 3-5, location 1) • Advantages: 1) IDPS sees attacks that originate from the outside the trusted-network. 2) It identifies problems with the firewall policy or performance. 3) It sees attacks on the Web server which commonly reside in this DMZ. 4) Even if incoming attack is not detected, the IDPS can recognize attack via outgoing traffic. Location 2: Outside an external firewall (See Figure 3-5, location 2) • Advantages: 1) IDPS documents the number of attacks that originate from the Internet. 2) It documents the types of attacks that originate from the Internet. Location 3: On major network backbones (See Figure 3-5, location 3) • Advantages: 1) IDPS monitors a large amount of a network’s traffic, thus increasing its chances of spotting attacks. 2) It detects unauthorized activity by authorized users within the organization. Location 4: On critical subnets (See Figure 3-5, location 4) • Advantages: 1) IDPS detects attacks targeting critical systems and resources. 2) The organizations can protect these resources as the most valuable network-assets. Figure 3-5 Network IDPS Sensor Locations VTU N O TESBYSR I
  35. 35. INFORMATION AND NETWORK SECURITY 3-18 Deploying Host-Based IDPSs • The proper implementation of HIDPSs can be a time-consuming task. Since, each HIDPS must be custom configured to its host systems. • Deployment begins with implementing the most critical systems first. • Practice → helps the installation team gain experience and → helps determine if the installation might trigger any unusual events. • Gaining an edge on the learning curve by raining on nonproduction systems benefits the overall deployment process by reducing the risk of unforeseen complications. • Installation continues until all systems are installed. • To provide ease of management, control, and reporting, each HIDPS should be configured to interact with a central management console. • During the system testing process, training scenarios can be developed that will enable users to recognize and respond to common attack situations. • To ensure effective and efficient operation, the management team can establish policy for the operation and monitoring of the HIDPS. 3.1.9 Measuring the Effectiveness of IDPSs 1) Thresholds • It is a value that sets the limit between normal and abnormal behavior. • It usually specifies a maximum acceptable level. For ex: 30 failed connection attempts in 60 seconds • It is most commonly used in → anomaly-based detection and → stateful protocol analysis. 2) Blacklist and Whitelist Blacklist • It is a list of discrete entities which are associated with abnormal activity. • For example: Applications (say telnet, FTP) File extensions (say mpeg, mp4) URLs (say facebook, amazon) TCP or UDP port numbers (say 23:telnet, 21:FTP) • IDPS uses blacklist → to block the abnormal activity and → to assign a higher priority to alerts that match blacklist entries. • Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats. Whitelist • It is a list of discrete entities that are known to be benign. • It is used to reduce or ignore false positives involving known benign activity from trusted hosts. • Whitelists and blacklists are most commonly used in → signature-based detection and → stateful protocol analysis. 3) Alert Settings • Most IDPS allow admins to customize each alert type. • For example: → Toggling it on or off → Setting a default priority or severity level → Specifying what information should be recorded → Specifying what notification methods should be used → Specifying which prevention capabilities should be used • Some products also suppress alerts if an attacker generates many alerts in a short period of time. It is to prevent the IDPS from being overwhelmed by alerts. 4) Code Viewing and Editing • Some IDPS permit admins to see some or all of the detection-related code. • Some IDPS allow admins to see additional code, such as programs used to perform stateful protocol analysis. VTU N O TESBYSR I
  36. 36. INFORMATION AND NETWORK SECURITY 3-19 3.2 Honeypots, Honeynets, and Padded-Cell Systems • Honeypot refers to a trapping-system used to tempt potential attackers into committing an attack. • Honeynet refers to an interconnection of several honeypots on a subnet. • A honeypot contains pseudo-services that imitate well-known services. • But, these services are configured in such a way that it looks vulnerable to attacks. • Honeypot is designed to do the following: 1) Divert an attacker from critical systems. 2) Collect information about the attacker’s activity. 3) Encourage the attacker to stay on the system for longer time, so that admins can respond. • Honeypot pretends like holding a valuable information. • So, any unauthorized access to honeypot can be considered as suspicious activity. • Honeypots are equipped with sensitive monitors and event loggers that → detect attempts to access the system and → collect information about the potential attacker’s activities. • Padded-Cell refers to a honeypot that is protected so that that it cannot be easily compromised. • A padded-cell operates in tandem with a traditional IDPS. • When the IDPS detects an attacker, the attacker will be diverted to a dummy-systems where they cause no harm. • Advantages: 1) Attackers can be diverted to dummy-systems that they cannot damage. 2) Attackers’ actions can be monitored. The records can be used to refine threat models and improve system protections. 3) Honeypots may be effective at catching insiders who are snooping around a network. 4) Admins have time to respond to an attacker. • Disadvantages: 1) An expert attacker, once diverted into a dummy-system, may become angry and launch a more aggressive attack. 2) The legal implications of using such devices are not well understood. 3) Honeypot/padded-cell have not yet been shown to be useful security technologies. 4) Admins must have a high level of expertise to manage these systems. VTU N O TESBYSR I
  37. 37. INFORMATION AND NETWORK SECURITY 3-20 3.2.1 Trap-and-Trace Systems • These systems use a combination of techniques to → detect an intrusion and → trace back the attacker to find his location. • The trap feature consists of a honeypot/padded-cell and an alarm. • When the attackers are trapped, the system alerts the admin. • Admins should be careful not to cross the line between enticement and entrapment. 1) Enticement is the act of attracting attention to a system by placing tempting information in key locations. 2) Entrapment is the act of tempting an individual into committing a crime to get a conviction. • Enticement is legal and ethical, whereas entrapment is not. • Admins should also be cautious of the wasp trap syndrome. • In this syndrome, a concerned homeowner installs a wasp trap in his back yard to trap the few insects he sees flying about. • The trace feature is an extension to the honeypot/padded-cell approach. • The trace is a process by which the organization attempts to identify an attacker discovered in the trusted-network. (Trace is similar to caller ID). 1) If the attacker is inside the organization, the admins can → track the individual and → hand him over to their boss. 2) If the attacker is outside the organization, then numerous legal issues arise. 3.2.2 Active Intrusion-Prevention • LaBrea is an example for active intrusion-prevention tool. • It is a combination of honeypot and IDPS. • It works by taking up the unused IP-address space within a network. • When LaBrea notes an ARP request, it checks to see if the requested IP-address is valid or not. • If the IP-address is not valid, LaBrea → pretends to be a computer at that IP-address and → allows the attacker to complete the connection. • After connection is setup, LaBrea → reduces the sliding window size and → keeps connection open for many hours, days, or even months. • Holding the connection open but inactive greatly slows down network-based worms and other attacks. • LaBrea can notify the admin about the anomalous behavior on the network. VTU N O TESBYSR I
  38. 38. INFORMATION AND NETWORK SECURITY 3-21 3.3 Scanning and Analysis Tools • Scanning-tools are used by an attacker to collect information needed to launch a successful attack. • The attack protocol is a set of steps used by an attacker to launch an attack against a target system/network. • Main goal of attack protocol is to the collect publicly available information about a potential target. This process is known as footprinting. • Footprinting is the organized research of the Internet addresses owned or controlled by a target organization. • By performing keyword searches on Internet, the attacker identifies the network addresses of the organization. • The attacker browses the organization’s Web pages. • Web pages contain information about → internal systems and → individuals developing Web pages • On Web browser, the view source option can be used to see the source code behind the Web page. • The attacker can get clues about following things in the source code: → locations and directories for CGI script bins and → names or possibly addresses of computers and servers. 3.3.1 Port Scanners • These are tools used by both attackers and defenders to identify → computers that are active on a network (fingerprinting) → ports and services active on those computers, and → functions and roles the machines are fulfilling. • These tools either → scans for specific types of computers, protocols, or resources, or → scans for generic types • The more specific the scanner is, the more useful the information it provides to attackers and defenders. • A port is a network channel or connection point in a data communications system. • Within TCP/IP model, Each application has a unique port number. Port numbers are used to differentiate the multiple network services provided to the same computer. • There are 2 types of ports: 1) Reserved Ports  Services with reserved ports generally run on ports 1–1023.  For example: TCP Port Numbers TCP Service 20 and 21 File Transfer Protocol (FTP) 23 Telnet 25 Simple Mail Transfer Protocol (SMTP) 53 Domain Name Services (DNS) 80 Hypertext Transfer Protocol (HTTP) 2) Ephemeral Ports  Ports greater than 1023 are referred to as ephemeral ports.  These ports may be randomly allocated to server and client processes. • Question: Why secure open ports? Ans:  An open port can be used by an attacker to gain access to a server, and gain control over a networking device.  The thumb rule is "Remove those service which are not absolutely necessary for conducting business".  For example, if a business doesn’t host Web services, then don't make port 80 available on its servers. VTU N O TESBYSR I
  39. 39. INFORMATION AND NETWORK SECURITY 3-22 3.3.2 Firewall Analysis Tools • These are tools used by security-admin to identify → location of organization’s firewall → existing rule sets on the firewall • By analyzing the rules, the admin can determine what type of traffic firewall permits and rejects. • Three popular tools to analyze firewalls: 1) Nmap  The Nmap tool has option called idle scanning.  Using Idle scanning, the user can scan across a firewall.  One of the idle DMZ hosts is used as the initiator of the scan. 2) Firewalk  It uses incrementing TTL packets to determine the path into a network  Running Firewalk against a target machine reveals where routers and firewalls are filtering traffic to the target host. 3) HPING  It is a modified ping client.  It supports multiple protocols.  It has a command-line method of specifying nearly any of the ping parameters.  For instance, HPING with modified TTL values can be used to determine the infrastructure of a DMZ. HPING with specific ICMP flags can be used to bypass poorly configured firewalls. • The admins should remember two important points: 1) It is user intent that dictates how the information gathered is used. 2) To defend a computer/network, it is necessary to understand the ways it can be attacked. 3.3.3 Operating System Detection Tools • These are tools used by an attacker to detect the operating system of target host. • Once OS is known, all security-holes in the OS can easily be determined. XProbe  It is a popular tool to detect OS.  It uses ICMP to determine the remote OS.  It sends many different ICMP queries to the target host.  Then, it matches the responses from the target host with its own internal database of known responses.  Solution: The admins must restrict the use of ICMP through their organization’s firewalls. VTU N O TESBYSR I
  40. 40. INFORMATION AND NETWORK SECURITY 3-23 3.3.4 Vulnerability Scanners • These tools scan networks for highly detailed information. • There are types: 1) Active-scanner 2) Passive-scanner Active-scanner • It is used to initiate traffic on the network in order to determine security-holes. • It can be used to → identify usernames and groups → expose configuration problems and → identify other security-holes in servers. Nessus  It is a popular active-scanner.  It uses IP packets to → identify the hosts available on the network → services of the hosts → OS of the hosts and → type of firewall used  The Nessus has a class of attacks called destructive.  If enabled, Nessus attempts common overflow techniques against a target host. Blackbox Scanner or Fuzzer • It is a class of vulnerability scanner. • Fuzz testing looks for security-holes in a program/protocol by feeding random input. • Security-holes can be detected by measuring the outcome of the random inputs. Passive-scanner • It is used to → listen in on the network and → determine vulnerable versions of both server and client software. • Two popular tools: 1) Tenable Network Security with its Passive Vulnerability Scanner (PVS) and 2) Sourcefire with its RNA product. • Advantages 1) Do not require security analysts to get approval prior to testing. 2) Simply monitors the network-connections to and from a server to obtain a list of vulnerable applications. 3) Ability to find client-side security-holes that are typically not found by active-scanners. VTU N O TESBYSR I
  41. 41. INFORMATION AND NETWORK SECURITY 3-24 3.3.5 Packet Sniffers • It can be used to → collect copies of packets from the network and → analyze those copies of packets. • It can provide a admin with valuable information for diagnosing and resolving networking issues. • In the wrong hands, however, a sniffer can be used to eavesdrop on network-traffic. • There are both commercial and open-source sniffers. • More specifically, Sniffer is a commercial product. Snort is open-source software. Wireshark  It is a popular packet sniffer.  It allows the admin to examine data from both live network-traffic and captured traffic.  It also provides a language filter and TCP session reconstruction utility. • To use a packet sniffer legally, the admin must 1) be on a network that the organization owns 2) be under direct authorization of the owners of the network and 3) have knowledge and consent of the content creators. • If all 3 conditions are met, the admin can collect and analyze packets to identify problems on the network. • Many admins feel that they are safe from sniffer attacks when their computing environment is primarily a switched-network environment. • There are a 2 open-source sniffers that support alternate networking approaches: 1) ARP-spoofing and 2) session hijacking 3.3.6 Wireless Security Tools • A wireless connection has many potential security-holes. • An organization that spends all of its time securing the wired-network and leaves wireless-networks to operate in any manner is opening itself up for a security breach. • As a security professional, you must assess the risk of wireless-networks. • A wireless security toolkit should include → ability to sniff wireless traffic → scan wireless hosts, and → assess the level of privacy. AirSnare  It is a free tool that can be run on a low-end wireless workstation.  It monitors the airwaves for any new devices or access-points.  When it finds a new devices, it sends alert to the admin. VTU N O TESBYSR I
  42. 42. INFORMATION AND NETWORK SECURITY 4-1 UNIT 4: CRYPTOGRAPHY 4.1 Introduction 4.2 Foundations of Cryptology 4.2.1 Terminology 4.3 Cipher Methods 4.3.1 Substitution Cipher 4.3.2 Transposition Cipher . 4.3.3 Exclusive OR 4.3.4 Vernam Cipher 4.3.5 Book or Running Key Cipher 4.3.6 Hash Functions 4.4 Cryptographic Algorithms 4.4.1 Symmetric Encryption 4.4.2 Asymmetric Encryption 4.5 Cryptographic Tools 4.5.1 Public-Key Infrastructure (PKI) 4.5.2 Digital Signatures 4.5.3 Digital-certificates 4.5.4 Hybrid Cryptography Systems 4.5.5 Steganography 4.6 Attacks on Cryptosystems 4.6.1 Man-in-the-Middle Attack 4.6.2 Correlation Attacks 4.6.3 Dictionary Attacks 4.6.4 Timing Attacks 4.6.5 Defending Against Attacks VTU N O TESBYSR I
  43. 43. INFORMATION AND NETWORK SECURITY 4-2 UNIT 4: CRYPTOGRAPHY 4.1 Introduction • The science of encryption, known as cryptology, encompasses cryptography and cryptanalysis. • Cryptography, which comes from the Greek words kryptos, meaning “hidden,” and graphein, meaning “to write,” is the process of making and using codes to secure the transmission of information. • Cryptanalysis is the process of obtaining the original message (called the plaintext) from an encrypted-message (called the ciphertext) without knowing the algorithms and keys used to perform the encryption. • Encryption is the process of converting an original message into a form that is unreadable to unauthorized individuals—that is, to anyone without the tools to convert the encrypted-message back to its original format. • Decryption is the process of converting the ciphertext message back into plaintext. 4.2 Foundations of Cryptology 4.2.1 Terminology 1) Algorithm • The programmatic-steps used to convert an unencrypted-message into an encrypted-message. 2) Cipher or cryptosystem • An encryption-method used to perform encryption and decryption. • The encryption-method includes → algorithm → key(s) and → procedures. 3) Ciphertext • The encrypted-message resulting from an encryption. 4) Code • The process of converting an unencrypted-message into encrypted-message. 5) Decipher • To decrypt, ciphertext into the equivalent plaintext. 6) Encipher • To encrypt, plaintext into the equivalent ciphertext. 7) Key • The information used along with an algorithm → to create the ciphertext from the plaintext or → to derive the plaintext from the ciphertext. 8) Keyspace • The entire range of values that can be used to construct an individual key. 9) Link Encryption • A series of encryptions and decryptions between a number of systems. • In a network, each system → decrypts the message and → then re-encrypts the message using different keys and → sends the message to the next neighbor. This process continues until the message reaches the final destination. 10) Plaintext • The original unencrypted-message resulting from a decryption. 11) Steganography • The hiding of messages—for example, within the digital encoding of a picture or graphic. 12) Work factor • The amount of effort required to perform cryptanalysis to decrypt an encrypted-message when the key or algorithm are unknown. VTU N O TESBYSR I
  44. 44. INFORMATION AND NETWORK SECURITY 4-3 4.3 Cipher Methods • Two methods of encrypting plaintext: 1) Bit stream method or 2) Block cipher method. 1) Bit Stream method • Each plaintext-bit is transformed into a ciphertext-bit, one bit at a time. • It uses algorithm functions like the XOR. 2) Block Cipher method • The message is divided into blocks. • Then, each block of plaintext-bits is transformed into a block of ciphertext-bits using an algorithm and a key. • It can use substitution, transposition, XOR, or some combination of these operations. VTU N O TESBYSR I
  45. 45. INFORMATION AND NETWORK SECURITY 4-4 4.3.1 Substitution Cipher Monoalphabetic Substitution • To perform encryption, you substitute one alphabet for another alphabet. This type of substitution is called a monoalphabetic substitution because of one to one mapping. • For example: Here, we can substitute a letter in the alphabet with the letter three values to the right. Here, the first row is the plaintext, and the second row is the ciphertexts. For example: The plaintext "MOON" will be encrypted into the ciphertext "PRRP". Polyalphabetic Substitutions • To perform encryption, you substitute two or more alphabets for another value. This type of substitution is called a polyalphabetic substitution because of one to many mapping. • For example: Here, the first row is the plaintext, and the next four rows are four sets of ciphertexts. For example: The plaintext "MOON" will be encrypted into the ciphertext "PUXZ". Vigenere Cipher • This is an advanced form of a polyalphabetic substitutions. • The ciphertext is found using the Vigenere table, which is made up of 26 distinct cipher alphabets. • Table 4-1 illustrates the setup of the Vigenere table. Table 4-1 The Vigenère Square VTU N O TESBYSR I
  46. 46. INFORMATION AND NETWORK SECURITY 4-5 • Here, we use a keyword to represent the shift. • For example, keyword: ITALY plaintext: SACK GAUL SPARE NO ONE Thus we have, plaintext S A C K G A U L S P A R E N O O N E keyword I T A L Y I T A L Y I T A L Y I T A ciphertext A T C V E I N L D N I K E T M W G E • To perform the substitution, Start with the first combination of plaintext and keyword letters i.e. SI. Use the plaintext letter 'S' to find the row. Use the keyword letter 'I' to locate the column. Then, look for the letter at intersection of row & column i.e. A. This is the ciphertext-letter. • Disadvantage: Any keyword-message letter combination containing an “A.” row or column reproduces the plaintext-message letter. For example, The third letter in the plaintext i.e. the C has a combination of AC, and thus is unchanged in the ciphertext. 4.3.2 Transposition Cipher (or Permutation Cipher) • It rearranges the values within a block to create the ciphertext. • It can be applied at the bit level or at the byte (character) level. • Assume key-pattern is as follows The bit in position 1 moves to position 4, The bit in position 2 moves to position 8, and so on. • Example for bit level: • Example for bit level: 4.3.3 Exclusive OR • XOR is a function of Boolean algebra in which two bits are compared. 1) If the two bits are identical, the result is a binary 0. (Table 4-2). 2) If the two bits are not the same, the result is a binary 1. Table 4-2 XOR Truth Table Table 4-3 Example XOR Encryption VTU N O TESBYSR I
  47. 47. INFORMATION AND NETWORK SECURITY 4-6 4.3.4 Vernam Cipher (or One-Time Pad) • It uses a set of characters only one time for each encryption-process. Hence, the name one-time pad. • To perform encryption, the pad-values are added to numeric-values that represent the plaintext. • Each letter of the plaintext is converted into a number & a pad-value for that position is added to it. • The resulting sum for that character is then converted back to a ciphertext-letter for transmission. • If the sum of the two values exceeds 26, then 26 is subtracted from the total. • Consider following example:  The encryption-process works as follows: The letter “S” is converted into the number 19 (because it is the 19th letter of the alphabet).  The pad-value is derived from the position of each pad text letter in the alphabet; thus the pad text letter “F” is assigned the position number 06.  This conversion process is repeated for the entire one-time pad text.  Next, the plaintext value & the one-time pad-value are added together.  The first sum is 25, so the ciphertext-letter is “Y,”  The decryption process works as follows: The letter “Y” becomes the number 25, from which we subtract the pad-value for the first letter of the message i.e. 06. This yields a value of 19, or the letter “S.” 4.3.5 Book or Running Key Cipher • The ciphertext consists of a list of codes representing the page number, line number, and word number of the plaintext word. • The algorithm is the mechanical process of looking up the references from the ciphertext and converting each reference to a word by using the ciphertext’s value and the key (the book). VTU N O TESBYSR I
  48. 48. INFORMATION AND NETWORK SECURITY 4-7 4.3.6 Hash Functions • Hash algorithms are public functions that create a hash value, also known as a message digest. • Hash algorithms converts variable-length messages into a single fixed-length value. 1) The message digest is a fingerprint of the author’s message that is compared with the recipient’s locally calculated hash of the same message. 2) If both hashes are identical after transmission, the message has arrived without modification. • Hashing functions do not require the use of keys, but it is possible to attach a message authentication code (MAC) that allows only specific recipients (symmetric key holders) to access the message digest. • Because hash functions are one-way, they are used in password verification systems to confirm the identity of the user. • The number of bits used in the hash algorithm is a measurement of the strength of the algorithm against collision attacks. • For example: SHA-1 produces a 160-bit message digest, which can be used as an input to a digital signature algorithm. • A recent attack method called rainbow cracking has generated concern about the strength of the processes used for password hashing. • In general, if attackers gain access to a file of hashed passwords, they can use a combination of brute force and dictionary attacks to reveal user passwords. • Passwords that are dictionary words or poorly constructed can be easily cracked. • Well-constructed passwords take a long time to crack even using the fastest computers, but by using a rainbow table, the rainbow cracker simply looks up the hashed password and reads out the text version, no brute force required. • This type of attack is more properly classified as a time–memory tradeoff attack. • Salting is the process of providing a non-secret, random piece of data to the hashing function when the hash is first calculated. • The use of the salt value creates a different hash and when a large set of salt values are used, rainbow cracking fails VTU N O TESBYSR I
  49. 49. INFORMATION AND NETWORK SECURITY 4-8 4.4 Cryptographic Algorithms • In general, cryptographic algorithms are often grouped into two broad categories—symmetric and asymmetric. • Symmetric and asymmetric algorithms are distinguished by the types of keys they use for encryption and decryption operations. 4.4.1 Symmetric Encryption (private key encryption) • The same secret key is used to encrypt and decrypt the message. • It uses mathematical operation that can be programmed into extremely fast computing algorithms. Thus, the encryption and decryption processes are executed quickly. • Main challenges: Both the sender and the recipient must have the secret key prior communication. Figure 4-1 Example of Symmetric Encryption • Popular methods are: 1) Data Encryption Standard (DES)  It uses a 64-bit block size and a 56-bit key. 2) Triple DES (3DES)  It was created to provide a more security than DES. 3) Advanced Encryption Standard (AES)  It is the successor to 3DES.  It uses a block size of variable length and a key length of 128, 192, or 256 bits VTU N O TESBYSR I
  50. 50. INFORMATION AND NETWORK SECURITY 4-9 4.4.2 Asymmetric Encryption (Public-key encryption) • Two different keys are used to encrypt and decrypt the message. • Either of 2 keys can be used to encrypt or decrypt the message. 1) If key A is used to encrypt the message, only key B can decrypt it. 2) If key B is used to encrypt a message, only key A can decrypt it. • It can be used to provide a solution to problems of secrecy and verification. • Two different keys are 1) private key is kept secret, known only to the owner and 2) public-key is stored in a public location where anyone can use it. • It is a one-way function. i.e. A one-way function is simple to compute in one direction, but complex to compute in the opposite direction. • Popular method is: RSA • Disadvantages: 1) The problem is holding a single conversation between two parties requires four keys. 2) Not efficient in terms of CPU computations when compared to symmetric Encryption. Figure 4-2 Example of Asymmetric Encryption VTU N O TESBYSR I
  51. 51. INFORMATION AND NETWORK SECURITY 4-10 4.5 Cryptographic Tools 4.5.1 Public-Key Infrastructure (PKI) • PKI is an integrated system of software, encryption-methods, protocols, legal agreements, and third- party services that enables users to communicate securely. • It is based on public-key cryptosystem. • It includes → Digital-certificates and → certificate authorities (CAs). • Digital-certificates contain the user name, public-key, and other identifying information. • Digital-certificates allow computer-programs → to validate the key and → to identify the owner of the key. • The security-services includes: 1) Authentication  Individuals, organizations, and Web-servers can validate the identity of each parties in an Internet transaction. 2) Integrity  Content signed by the certificate is known to not have been altered while in transit from host to host or server to client. 3) Privacy  Information is protected from being intercepted during transmission. 4) Authorization  The validated identity of users and programs can enable authorization rules that remain in place for the duration of a transaction. 5) Nonrepudiation  Customers can be held accountable for transactions, such as online purchases, which they cannot later dispute. • It contains following components: 1) Certificate authority (CA) issues, manages, authenticates, signs, and revokes users’ digital-certificates. 2) Registration authority (RA) operates under the trusted collaboration of the certificate authority.  The registration authority (RA) can handle day-to-day certification functions, such as → verifying registration information → generating end-user keys → revoking certificates, and → validating user certificates. 3) Certificate directories are central locations for certificate storage that provide a single access point for administration and distribution. 4) Management protocols organize and manage the communications among CAs, RAs, and end users. 5) Policies and procedures assist an organization in the management of certificates, in the formalization of legal liabilities. 4.5.2 Digital Signatures • Digital signatures were created in response to the rising need to verify information transferred via electronic systems. • Asymmetric encryption-processes are used to create digital signatures. • The sender’s private key is used to encrypt a message. The sender’s public-key must be used to decrypt the message. • When the decryption is successful, the process verifies that the message was sent by the sender and thus cannot deny having sent. This process is known as non-repudiation. • Digital signatures are encrypted-messages that can be mathematically proven authentic. • The management of digital signatures is built into most Web browsers. • Digital signatures should be created using processes and products that are based on the Digital Signature Standard (DSS). VTU N O TESBYSR I
  52. 52. INFORMATION AND NETWORK SECURITY 4-11 4.5.3 Digital-Certificates • A Digital-certificate is an electronic document(or container file) that contains a key value and identifying information about the owner of the key. • The certificate is issued and certified by a third party called as a certificate authority. • A digital signature attached to the certificate’s container file certifies the file’s origin and integrity. • This verification process often occurs when you download or update software via the Internet. • Digital-certificates authenticate the cryptographic key that is embedded in the certificate. • Different client-server applications use different types of Digital-certificates: 1) The CA application suite issues and uses certificates (keys) that identify and establish a trust relationship with a CA. 2) Mail applications use Secure/Multipurpose Internet Mail Extension (S/MIME) certificates for signing and encrypting e-mail. 3) Development applications use object-signing certificates to identify signers of object oriented code and scripts. 4) Web-servers use Secure Sockets Layer (SSL) certificates to authenticate servers. 5) Web clients use SSL certificates to authenticate users. • Two popular certificate types are those created using 1) Pretty Good Privacy (PGP) and 2) those created using applications that conform to International Telecommunication Union’s (ITU-T) X.509 version 3 (Table 4-4). Table 4-4 X.509 v3 Certificate Structure 4.5.4 Hybrid Cryptography Systems • The most common hybrid system is based on the Diffie-Hellman key exchange. • Diffie-Hellman key exchange is a method for exchanging private keys using public-key encryption. • It uses asymmetric encryption to exchange session keys. • It allows two entities to conduct quick, efficient, secure communications based on symmetric encryption. • It protects data from exposure to third parties, which is sometimes a problem when keys are exchanged out-of-band. VTU N O TESBYSR I
  53. 53. INFORMATION AND NETWORK SECURITY 4-12 4.5.5 Steganography • The word steganography is derived from the Greek words steganos, meaning “covered” and graphein, meaning “to write.” • While steganography is technically not a form of cryptography, it is another way of protecting the confidentiality of information in transit. • The steganography involves hiding information within files that contain digital pictures or other images. 4.6 Attacks on Cryptosystems • In general, attacks on cryptosystems fall into four general categories: man-in-the-middle, correlation, dictionary, and timing. 4.6.1 Man-in-the-Middle Attack • An attacker tries → to intercept a public-key or → to insert a known key structure in place of the requested public-key. • The attackers place themselves in between the sender and receiver. When they’ve intercepted the request for key exchanges, they send each participant a valid public-key, which is known only to them. • The victims (participants) thinks that the communication is secure but the attacker is will be → receiving and decrypting the encrypted-message, and → encrypting and sending the message to the intended recipient. • Possible solution: Establishing public-keys with digital signatures can prevent this attack. This is because the attacker cannot duplicate the signatures. 4.6.2 Correlation Attacks • The attack is a collection of brute-force methods that try to deduce statistical relationships between → the structure of the unknown key and → the ciphertext generated by the cryptosystem. • Differential and linear cryptanalysis have been used to perform successful attacks on block cipher encryptions such as DES. • Possible solution: Selection of strong cryptosystems that have → stood the test of time → thorough key management, and → best practices in the frequency of key changes. 4.6.3 Dictionary Attacks • An attacker encrypts every word in a dictionary using the same cryptosystem as used by the target in an attempt to locate a match between the target-ciphertext and the list of encrypted-words. • This attack can be successful when the ciphertext consists of relatively few characters. For example: Files containing encrypted usernames and passwords. • After getting password-file, an attacker can run hundreds of potential passwords from the dictionary he has prepared against the stolen list. • After a match is found, the attacker has essentially identified a potential valid password for the system. 4.6.4 Timing Attacks • An attacker → listens on the victim’s session and → uses statistical-analysis of patterns and inter-keystroke timings to determine the info. • This attack can be used to gain information about the encryption-key and the cryptosystem. • After getting encryption-key, an attacker can launch a replay attack. • Replay attack tries to resubmit a recording of the deciphered authentication to gain entry into a secure source. VTU N O TESBYSR I
  54. 54. INFORMATION AND NETWORK SECURITY 4-13 4.6.5 Defending Against Attacks • Encryption is a very useful tool in protecting the confidentiality of information that is in transmission. • However, it is just that another tool of the administrator against threats to information-security. • If the attacker can discover the key and encryption-method, he can read the message. • Thus, key-management is not so much the management of technology but rather the management of people. • Thus, main concern in key-management is not the management of technology but rather the management of people. VTU N O TESBYSR I
  55. 55. INFORMATION AND NETWORK SECURITY 5-1 UNIT 5: INTRODUCTION TO NETWORK SECURITY KEY DISTRIBUTION AND USER AUTHENTICATION 5.1 Computer Security Concepts 5.2 The OSI Security Architecture 5.3 Security Attacks 5.3.1 Passive Attack 5.3.2 Active Attacks 5.4 Security Services 5.5 Security Mechanisms 5.6 A Model for Network Security 5.7 Standards 5.8 Kerberos 5.8.1 Kerberos protocol Terminology 5.8.2 Kerberos Version-4 A Simple Authentication Dialogue A More Secure Authentication Dialogue Version 4 Kerberos Authentication Dialogue Kerberos realms and multiple kerberi 5.8.3 Kerberos Version-5 Differences between Kerberos version 4 and version 5. The Version 5 Authentication Dialogue 5.9 X.509 Certificates 5.9.1 Certificates Authentication Procedures Obtaining Certificates in X.509 Revocation of Certificates 5.9.2 X.509 Version-3 Key and Policy Information Certificate Subject and Issuer Attributes Certification Path Constraints VTU N O TESBYSR I