INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2014
2a. Discuss the different generations of firewalls. (06 Marks)
Ans:
Firewall Categorized by Generation
1) First Generation Firewall
• It is a static packet-filtering firewall.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
2) Second Generation Firewall
• It is an application-level firewall.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because
it runs special software that acts as a proxy for a service-request.
3) Third Generation Firewall
• It is a stateful inspection firewall.
• It monitors network-connection between internal and external systems using state-tables.
• A state-table records information like
→ source and destination address of devices involved in the conversation
→ what packets were sent and when
4) Fourth Generation Firewall
• It is a dynamic packet-filtering firewall.
• Here, only a particular packet with a particular source, destination, and port address is allowed to
enter into trusted-network.
5) Fifth Generation Firewall
• It includes the kernel-proxy.
• The kernel-proxy works under Windows NT Executive, which is the kernel of Windows NT.
• It evaluates packets at multiple layers of the OSI-model.
• For example: Cisco's security-kernel.
 The security-kernel contains 3 components:
1) Interceptor/Packet-Analyzer,
2) Security Verification Engine (SVEN), and
3) Kernel Proxies.
 Interceptor
→ captures packets arriving at the firewall and
→ passes the packets to the Packet-Analyzer.
 Packet-Analyzer
→ reads the header
→ extracts signature-data, and
→ passes both the data and the packets to the SVEN.
 SVEN
→ receives both the data and the packets
→ determines whether to drop the packet and
→ creates a new session.
2b. Explain the important points of selecting the right firewall. (04 Marks)
Ans:
Selecting the Right Firewall
• To determine the best firewall for an organization, the following questions can be considered:
1) Which type of firewall technology offers the right balance between protection and cost for the
needs of the organization?
2) What features are included in the base price?
What features are available at extra cost?
Are all cost factors known?
3) How easy is it to set up and configure the firewall?
How accessible are the staff technicians who can competently configure the firewall?
4) Can the candidate firewall adapt to the growing network in the target organization?
2c. Explain the implementation of VPN in different method. (10 Marks)
Ans:
Virtual Private Network (VPN)
• It is defined as a private-network that makes use of the public telecommunication infrastructure.
• Two ways to implement a VPN: 1) Transport mode and 2) Tunnel mode.
1) Transport Mode
• The data within an IP-packet is encrypted, but the header is not encrypted (Figure 2-9).
• Advantages:
1) Eliminates the need for special servers and tunneling-software.
2) Allows the end-users to transmit traffic from anywhere.
3) Especially useful for traveling employees.
• Disadvantage:
An attacker can still identify the destination-computer.
Figure 2-9 Transport Mode VPN
• There are two popular uses for transport mode VPNs:
1) End-to-end transport of encrypted data.
 Here, two end-users can communicate securely using encryption and decryption.
 Each machine acts as the 1) end-node VPN server and 2) end-node VPN client.
2) A teleworker (or remote-access worker) connects to a company-network over the Internet.
 Thus, the teleworker’s system can work as if it were part of the LAN.
2) Tunnel Mode
• A connection is set up between two perimeter tunnel-servers (Figure 2-10).
• These 2 tunnel-servers encrypt all traffic that will traverse an unsecured-network.
• Both data & header within an IP-packet are encrypted.
• The entire IP-packet is encapsulated within another packet. (For ex: IPv6-packet within IPv4-packet).
• The new packet is addressed from one tunneling server to another.
• Advantage:
An intercepted packet reveals nothing about the true destination system.
Figure 2-10 Tunnel Mode VPN
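To make the difference between the two modes concrete, here is an added example (not from the original paper or any VPN product) that builds a minimal IPv4 packet and shows what a passive interceptor can read from it in transport mode versus tunnel mode. The cipher is a SHA-256 keystream stand-in for a real IPsec cipher, and the addresses and key are constructed values.

```python
import hashlib
import ipaddress
import struct
from typing import Tuple


def keystream(key: bytes, length: int) -> bytes:
    # Stand-in for the real IPsec cipher (e.g. AES): SHA-256 in counter mode.
    # It exists only so the example runs on the standard library; never use it
    # as a cipher in practice.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # XOR with the keystream; applying it twice restores the data.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ipv4_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left 0) followed by the payload."""
    header = struct.pack(
        ">BBHHHBBH4s4s",
        0x45,                # version 4, IHL 5 (20-byte header)
        0,                   # DSCP/ECN
        20 + len(payload),   # total length
        0, 0,                # identification, flags/fragment offset
        64,                  # TTL
        6,                   # protocol: TCP
        0,                   # header checksum (not computed here)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def observed_addresses(packet: bytes) -> Tuple[str, str]:
    """What a passive interceptor can read from the cleartext IPv4 header."""
    src, dst = struct.unpack(">4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


def transport_mode(packet: bytes, key: bytes) -> bytes:
    # Transport mode: only the data is encrypted; the original header, and with
    # it the true destination, stays visible on the wire.
    return packet[:20] + xor_with_key(packet[20:], key)


def transport_decrypt(packet: bytes, key: bytes) -> bytes:
    return packet[:20] + xor_with_key(packet[20:], key)


def tunnel_mode(packet: bytes, key: bytes, gateway_a: str, gateway_b: str) -> bytes:
    # Tunnel mode: the entire inner packet (header + data) is encrypted and
    # encapsulated in a new packet addressed from one tunnel server to the other.
    return ipv4_packet(gateway_a, gateway_b, xor_with_key(packet, key))


def tunnel_decapsulate(outer: bytes, key: bytes) -> bytes:
    # The receiving tunnel server strips the outer header and recovers the inner packet.
    return xor_with_key(outer[20:], key)


if __name__ == "__main__":
    inner = ipv4_packet("10.0.0.5", "10.1.0.9", b"GET /payroll HTTP/1.0")  # constructed
    key = b"constructed-demo-key"
    print("transport mode, interceptor sees:", observed_addresses(transport_mode(inner, key)))
    outer = tunnel_mode(inner, key, "203.0.113.1", "198.51.100.1")
    print("tunnel mode, interceptor sees:   ", observed_addresses(outer))
```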
3a. Explain the advantages and disadvantages of NIDPS. (10 Marks)
Ans:
Network-Based IDPS (NIDPS)
• It is focused on protecting network-assets.
• It resides on a network-segment of an organization.
• It monitors a specific group of computers on a specific network-segment.
• It looks for indications of ongoing or successful attacks.
• When it identifies an attack, it sends an alert to the admin.
• When placed next to a network-device (hub/switch), NIDPS may use that device’s monitoring-port.
• A monitoring-port is a connection on a network-device that is capable of viewing all of the traffic that
moves through the entire device.
• To check for an attack, NIDPS compares measured activity to known signatures in their knowledge
base.
• In protocol stack verification, the NIDPS looks for invalid data-packets.
• In application protocol verification, the higher-order protocols (HTTP, FTP) are examined for
unexpected packet behavior.
• Advantages:
1) A few NIDPSs can be used to monitor a large network.
2) It is a passive device.
So, they can be deployed into existing networks without disturbing normal operations.
3) It is not susceptible to direct attack. So, they are not detectable by attackers.
4) It can detect many more types of attacks than a HIDPS.
• Disadvantages:
1) NIDPS can be overloaded by network volume.
So, they may fail to recognize actual attacks.
2) It requires access to all traffic to be monitored.
3) It cannot analyze encrypted packets.
4) It cannot reliably confirm if an attack was successful or not.
5) It cannot detect attacks involving fragmented packets.
6) It requires a much more complex configuration and maintenance program.
• Two subtypes of network-based IDPS: i) wireless IDPS and ii) network behavior analysis (NBA) IDPS.
1) Wireless NIDPS(WIDPS)
• It is focused on protecting wireless-networks.
• It monitors and analyzes wireless-network-traffic.
• It looks for potential problems with the wireless protocols.
• It can be built into a device that provides a wireless access-point (e.g., a base station).
• It can also detect:
→ Unauthorized WLANs and WLAN devices
→ Poorly secured WLAN devices
→ Unusual usage patterns
→ Use of wireless-network scanners
→ DoS attacks and conditions
→ Impersonation and man-in-the-middle attacks
• Some issues associated with the implementation of WIDPS:
i) Physical Security
• Many wireless sensors are deployed in public places to obtain the widest possible network range.
• Public areas include conference rooms, assembly areas, and highways.
• So, additional security configuration and monitoring must be provided.
ii) Sensor Range
• A wireless device’s range can be affected by
→ atmospheric conditions
→ building construction and
→ quality of the network card
• Some IDPS can be used to identify the optimal location for sensors by using the footprint based on
signal strength.
• Sensors are most effective when their footprints overlap.
iii) Access-point and wireless switch locations
• Wireless-components containing IDPS must be carefully deployed to optimize the sensor detection
grid.
• Rule of thumb: you must guard against the possibility of an attacker connecting to an access-point from a
range far beyond the minimum.
iv) Wired-network-connections
• Wireless-network components work independently of the wired-network when sending and receiving
between stations and access-points.
• However, a network-connection eventually integrates wireless traffic with the organization’s wired
network.
• Where there is no available wired-network-connection, it may be impossible to deploy a sensor.
v) Cost
• The more sensors deployed, the more expensive the configuration.
• Wireless-components typically cost more than their wired counterparts.
• Thus, the total cost of ownership of IDPS of both wired and wireless varieties should be carefully
considered.
2) Network Behavior Analysis System(NBA IDPS)
• It examines traffic-flow on a network in an attempt to identify attacks like DDoS, viruses and worms.
• It uses a version of the anomaly detection method to identify excessive packet flows.
• It typically monitors internal-networks but occasionally monitors connection between internal and
external networks.
• Typical traffic-flow includes:
→ Source and destination IP-addresses
→ Source and destination TCP or UDP ports
→ ICMP types and codes
→ Number of packets and bytes transmitted in the session
→ Starting and ending timestamps for the session
• It can detect the following types of attacks:
→ DoS attacks (including DDoS attacks)
→ Scanning
→ Worms
→ Unexpected application services (e.g., tunneled protocols, back doors)
→ Policy violations
3b. Describe the different IDPS detection methods. (10 Marks)
Ans:
IDPS Detection Methods
• IDPSs use a variety of detection methods to monitor and evaluate network-traffic.
• Three popular methods are: 1) signature-based approach, 2) statistical-anomaly approach, and 3)
stateful packet inspection approach.
1) Signature-Based IDPS (Sig IDPS)
• It examines network-traffic in search of patterns that match known signatures.
• Signature refers to preconfigured, predetermined attack patterns.
• It is widely used because many attacks have clear and distinct signatures.
• For example:
1) Footprinting and fingerprinting activities use ICMP and DNS querying.
2) Exploits use a specific attack sequence designed to take advantage of a security-hole to
gain access to a system.
3) DoS attacks. The attacker tries to prevent the normal usage of a system by overloading.
• Disadvantages:
1) New attack strategies must be continuously added into the database of signatures.
2) A slow, methodical attack might escape detection if the attack signature has a shorter time
frame.
Solution: Collect and analyze data over longer periods of time.
Use additional processing capacity and large data storage capability.
2) Statistical Anomaly-Based IDPS (Stat IDPS)
• It collects statistical summaries by observing traffic that is known to be normal.
• This normal period of evaluation establishes a performance baseline.
• Once the baseline is established, it periodically
→ samples network activity and
→ compares the sampled network activity to this baseline.
• When the measured activity is outside the baseline parameters, it sends an alert to the admin.
• The baseline parameters can include
→ host memory or CPU usage
→ network packet types, and
→ packet quantities.
• Advantage:
1) It can detect new types of attacks, since it looks for abnormal activity of any type.
• Disadvantages:
1) It requires much more overhead and processing capacity than sig-IDPSs.
2) It may not detect minor changes to system variables and may generate many false positives.
3) Due to its complexity, it is less commonly used than the sig-IDPSs.
3) Stateful Protocol Analysis IDPS (SPA IDPS)
• It compares
→ predetermined profiles of generally accepted definitions of benign activity &
→ observed events to identify deviations.
• It relies on vendor-developed universal profiles that specify how particular protocols should and
should not be used.
• This is how it works:
1) Firstly, it stores relevant data detected in a session
2) Then, it uses this data to identify intrusions that involve multiple requests and responses
3) Finally, it detects multisession attacks. This process is known as deep packet inspection.
• It can also examine authentication sessions for suspicious activity.
• Disadvantages:
1) It requires heavy processing overhead to track multiple simultaneous connections.
2) It may interfere with the normal operations of the protocol.
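The three detection methods above, as an added example that is not part of the original paper: signature matching, a statistical baseline with a three-sigma threshold on packet quantity per host, and a stateful check that tracks FTP login outcomes across a session, all run over constructed sample events. The signature patterns, thresholds and addresses are assumptions for illustration.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# One observed packet: (src, dst, dst_port, packet_count, payload).
Event = Tuple[str, str, int, int, bytes]

# Signature database: preconfigured, predetermined attack patterns (constructed).
SIGNATURES: Dict[str, bytes] = {
    "directory-traversal": b"../../",
    "shell-command-in-uri": b";/bin/sh",
}


def signature_detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Signature-based IDPS: flag any payload that contains a known pattern."""
    hits = []
    for src, _dst, _port, _count, payload in events:
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                hits.append((src, name))
    return hits


def build_baseline(normal_events: List[Event]) -> Tuple[float, float]:
    """Statistical anomaly IDPS, training phase: learn the mean and standard
    deviation of packets per source host from a period known to be normal."""
    per_src: Dict[str, int] = defaultdict(int)
    for src, _dst, _port, count, _payload in normal_events:
        per_src[src] += count
    counts = list(per_src.values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(events: List[Event], baseline: Tuple[float, float],
                   k: float = 3.0) -> List[str]:
    """Statistical anomaly IDPS, detection phase: alert on hosts whose packet
    quantity lies more than k standard deviations above the baseline mean."""
    mean, sd = baseline
    per_src: Dict[str, int] = defaultdict(int)
    for src, _dst, _port, count, _payload in events:
        per_src[src] += count
    return [src for src, total in per_src.items() if total > mean + k * sd]


def stateful_auth_detect(events: List[Event],
                         max_failures: int = 3) -> List[Tuple[str, str, int]]:
    """Stateful protocol analysis: keep per-session state across several requests
    and responses (here FTP login replies) and alert when a session accumulates
    max_failures consecutive '530 Login incorrect' responses."""
    failures: Dict[Tuple[str, str, int], int] = defaultdict(int)
    alerts = []
    for src, dst, port, _count, payload in events:
        session = (min(src, dst), max(src, dst), port)  # same key for both directions
        if payload.startswith(b"530"):
            failures[session] += 1
            if failures[session] == max_failures:
                alerts.append(session)
        elif payload.startswith(b"230"):  # login succeeded: reset the counter
            failures[session] = 0
    return alerts


# Constructed sample data: a normal training window and a later observation window.
NORMAL_EVENTS: List[Event] = [
    ("10.0.0.1", "10.0.0.80", 80, 40, b"GET /index.html HTTP/1.0"),
    ("10.0.0.2", "10.0.0.80", 80, 45, b"GET /news HTTP/1.0"),
    ("10.0.0.3", "10.0.0.80", 80, 50, b"GET /about HTTP/1.0"),
    ("10.0.0.4", "10.0.0.80", 80, 55, b"GET /contact HTTP/1.0"),
    ("10.0.0.5", "10.0.0.80", 80, 60, b"GET /index.html HTTP/1.0"),
]

OBSERVED_EVENTS: List[Event] = [
    ("10.0.0.2", "10.0.0.80", 80, 30, b"GET /news HTTP/1.0"),
    ("192.0.2.7", "10.0.0.80", 80, 3, b"GET /../../private/config HTTP/1.0"),
    ("10.0.0.9", "10.0.0.80", 80, 900, b"GET / HTTP/1.0"),
    ("192.0.2.9", "10.0.0.21", 21, 1, b"USER admin"),
    ("10.0.0.21", "192.0.2.9", 21, 1, b"530 Login incorrect"),
    ("10.0.0.21", "192.0.2.9", 21, 1, b"530 Login incorrect"),
    ("10.0.0.21", "192.0.2.9", 21, 1, b"530 Login incorrect"),
]


def run_all(normal: List[Event], observed: List[Event]) -> Dict[str, list]:
    """Run all three methods and return their alerts side by side."""
    baseline = build_baseline(normal)
    return {
        "signature": signature_detect(observed),
        "anomaly": anomaly_detect(observed, baseline),
        "stateful": stateful_auth_detect(observed),
    }


if __name__ == "__main__":
    for method, alerts in run_all(NORMAL_EVENTS, OBSERVED_EVENTS).items():
        print(f"{method:10s} -> {alerts}")
```

Note that the anomaly detector never sees the traversal request (only 3 packets) and the signature matcher never sees the flood, which is why the text presents the methods as complementary.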
4a. Explain vernam cipher with an example. (10)
Ans:
Vernam Cipher (or One-Time Pad)
• It uses a set of characters only one time for each encryption-process. Hence, the name one-time
pad.
• To perform encryption, the pad-values are added to numeric-values that represent the plaintext.
• Each letter of the plaintext is converted into a number & a pad-value for that position is added to it.
• The resulting sum for that character is then converted back to a ciphertext-letter for transmission.
• If the sum of the two values exceeds 26, then 26 is subtracted from the total.
• Consider following example:
 The encryption-process works as follows:
The letter “S” is converted into the number 19 (because it is the 19th letter of the alphabet).
 The pad-value is derived from the position of each pad text letter in the alphabet; thus
the pad text letter “F” is assigned the position number 06.
 This conversion process is repeated for the entire one-time pad text.
 Next, the plaintext value & the one-time pad-value are added together.
 The first sum is 25, so the ciphertext-letter is “Y”.
 The decryption process works as follows:
The letter “Y” becomes the number 25, from which we subtract the pad-value for the
first letter of the message i.e. 06. This yields a value of 19, or the letter “S.”
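The encryption and decryption steps of the worked example, implemented as an added example (not code from the original paper). It follows the page's A = 1 ... Z = 26 convention and its subtract-26 wrap-around, and adds the length check a one-time pad needs; `make_pad` is an added helper for generating a fresh pad.

```python
import secrets
import string


def letter_to_number(ch: str) -> int:
    # A = 1, B = 2, ..., Z = 26, as in the worked example ("S" -> 19, "F" -> 6).
    return ord(ch) - ord("A") + 1


def number_to_letter(n: int) -> str:
    return chr(ord("A") + n - 1)


def clean(text: str) -> str:
    """Keep letters only and upper-case them; the pad covers letters only."""
    return "".join(ch for ch in text.upper() if ch in string.ascii_uppercase)


def make_pad(length: int) -> str:
    """A fresh random pad. Each pad must be used for exactly one message."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))


def vernam_encrypt(plaintext: str, pad: str) -> str:
    plaintext, pad = clean(plaintext), clean(pad)
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for p, k in zip(plaintext, pad):
        total = letter_to_number(p) + letter_to_number(k)
        if total > 26:          # wrap around, as the text describes
            total -= 26
        out.append(number_to_letter(total))
    return "".join(out)


def vernam_decrypt(ciphertext: str, pad: str) -> str:
    ciphertext, pad = clean(ciphertext), clean(pad)
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the message")
    out = []
    for c, k in zip(ciphertext, pad):
        diff = letter_to_number(c) - letter_to_number(k)
        if diff < 1:            # undo the wrap-around
            diff += 26
        out.append(number_to_letter(diff))
    return "".join(out)


if __name__ == "__main__":
    print(vernam_encrypt("S", "F"))   # the page's example: 19 + 6 = 25 -> "Y"
    print(vernam_decrypt("Y", "F"))   # 25 - 6 = 19 -> "S"
```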
4b. Discuss the tools that are used in cryptography. (10)
Ans:
Cryptographic Tools
1) Public-Key Infrastructure (PKI)
• PKI is an integrated system of software, encryption-methods, protocols, legal agreements, and third-
party services that enables users to communicate securely.
• It is based on public-key cryptosystem.
• It includes
→ Digital-certificates and
→ certificate authorities (CAs).
• Digital-certificates contain the user name, public-key, and other identifying information.
• Digital-certificates allow computer-programs
→ to validate the key and
→ to identify the owner of the key.
• The security-services include:
1) Authentication 2) Integrity 3) Privacy
4) Authorization 5) Nonrepudiation
• It contains following components:
1) Certificate authority (CA) issues, manages, authenticates, signs, and revokes users’
digital-certificates.
2) Registration authority (RA) operates under the trusted collaboration of the certificate
authority.
 The registration authority (RA) can handle day-to-day certification functions, such as
→ verifying registration information
→ generating end-user keys
→ revoking certificates, and
→ validating user certificates.
3) Certificate directories are central locations for certificate storage that provide a single
access point for administration and distribution.
4) Management protocols organize and manage the communications among CAs, RAs, and
end users.
5) Policies and procedures assist an organization in the management of certificates, in the
formalization of legal liabilities.
2) Digital Signatures
• Digital signatures were created in response to the rising need to verify information transferred via
electronic systems.
• Asymmetric encryption-processes are used to create digital signatures.
• The sender’s private key is used to encrypt a message.
The sender’s public-key must be used to decrypt the message.
• When the decryption is successful, the process verifies that the message was sent by the sender, who
thus cannot deny having sent it. This process is known as non-repudiation.
• Digital signatures are encrypted-messages that can be mathematically proven authentic.
• The management of digital signatures is built into most Web browsers.
• Digital signatures should be created using processes and products that are based on the Digital
Signature Standard (DSS).
3) Digital-Certificates
• A Digital-certificate is an electronic document(or container file) that contains a key value and
identifying information about the owner of the key.
• The certificate is issued and certified by a third party called a certificate authority.
• A digital signature attached to the certificate’s container file certifies the file’s origin and integrity.
• This verification process often occurs when you download or update software via the Internet.
• Digital-certificates authenticate the cryptographic key that is embedded in the certificate.
• Different client-server applications use different types of Digital-certificates:
1) The CA application suite issues and uses certificates (keys) that identify and establish a trust
relationship with a CA.
2) Mail applications use Secure/Multipurpose Internet Mail Extension (S/MIME) certificates for
signing and encrypting e-mail.
3) Development applications use object-signing certificates to identify signers of object-oriented
code and scripts.
4) Web-servers use Secure Sockets Layer (SSL) certificates to authenticate servers.
5) Web clients use SSL certificates to authenticate users.
• Two popular certificate types are those created using
1) Pretty Good Privacy (PGP) and
2) those created using applications that conform to International Telecommunication Union’s
(ITU-T) X.509 version 3.
4) Hybrid Cryptography Systems
• The most common hybrid system is based on the Diffie-Hellman key exchange.
• Diffie-Hellman key exchange is a method for exchanging private keys using public-key encryption.
• It uses asymmetric encryption to exchange session keys.
• It allows two entities to conduct quick, efficient, secure communications based on symmetric
encryption.
• It protects data from exposure to third parties, which is sometimes a problem when keys are
exchanged out-of-band.
5) Steganography
• The word steganography is derived from the Greek words steganos, meaning “covered” and
graphein, meaning “to write.”
• While steganography is technically not a form of cryptography, it is another way of protecting the
confidentiality of information in transit.
• Steganography involves hiding information within files that contain digital pictures or other
images.
5a. Explain briefly OSI security architecture. (12 Marks)
Ans:
OSI Security Architecture
• OSI Security architecture focuses on 1) security attacks, 2) security mechanisms, and 3) security
services.
1) Security Attack
• Security attack refers to any action that compromises the information or network security.
• It can be divided into two categories: i) passive attack and ii) active attack.
i) Passive Attack
• The attacker tries to learn or make use of information from the system.
• The attacker does not affect system resources.
• The attack can be in the form of eavesdropping on, or monitoring of, transmissions.
• Goal of the opponent: To obtain information that is being transmitted.
• It can be further subdivided into 2 categories: 1) release of message contents and 2) traffic analysis.
a) Release of message contents
• For example:
 A telephone conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information.
 We would like to prevent an opponent from learning the contents of these transmissions.
b) Traffic analysis
• Encryption is the most common technique for hiding the contents of a message.
• Even if we have encryption protection in place, an opponent may be able to observe the pattern of
these messages.
• The opponent can
→ determine the location and identity of communicating hosts and
→ observe the frequency and length of messages being exchanged.
ii) Active Attacks
• The attacker tries to alter system resources or affect their operation.
• For example:
→ modification of the data stream
→ creation of a false stream
• Goal of the defense against active attacks:
To detect them and to recover from any disruption or delays they cause.
• It can be further subdivided into 4 categories: a) masquerade, b) replay, c) modification of
messages, and d) denial of service.
a) Masquerade
• This attack takes place when one entity pretends to be a different entity.
• For example:
Authentication sequences can be captured and replayed after a valid authentication sequence
has taken place.
b) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect.
c) Modification of messages
• For example:
→ some portion of a legitimate message is altered
→ messages are delayed or reordered.
d) Denial of service
• This attack prevents the normal use of communications facilities.
i) This attack may have a specific target.
 For example:
An entity may suppress all messages directed to a particular destination
ii) This attack may involve the disruption of an entire network.
 For example:
Overloading the network to degrade performance.
2) Security Services
• A security service refers to a communication service that can prevent or detect the various security
attacks.
• Various security services are described in Table 5.1.
Table 5.1 Security Services (X.800)
3) Security Mechanisms
• Table 5.2 lists the security mechanisms defined in X.800
Table 5.2, based on one in X.800, indicates the relationship between security services and security
mechanisms.
5b. Discuss the difference between kerberos version 4 and kerberos version 5. (08 Marks)
Ans:
Differences between Kerberos version 4 and version 5
• Version 5 is intended to address the limitations of version 4 in two areas:
1) Environmental shortcomings and
2) Technical deficiencies
Environmental Shortcomings (Version 4 vs. Version 5)
1) Encryption system dependence
• Version 4: DES is used for encryption.
• Version 5: Ciphertext is tagged with an encryption-type identifier so that any encryption technique may be
used. The encryption key is tagged with a type and a length, so that the same key can be used in different
algorithms (RSA, DES).
2) Addressing
• Version 4: Only IP addresses are used for addressing.
• Version 5: Network addresses are tagged with type and length, so that any network address type may be used.
3) Message byte ordering
• Version 4: The sender of a message uses a byte ordering of its own choosing and tags the message to indicate
least significant byte in lowest address or most significant byte in lowest address.
• Version 5: All message structures are defined using ASN.1 and BER, which provide an unambiguous byte
ordering. (ASN.1 → Abstract Syntax Notation One; BER → Basic Encoding Rules)
4) Ticket lifetime
• Version 4: Lifetime values are encoded in an 8-bit quantity in units of five minutes. Thus, the maximum
lifetime that can be expressed is 2^8 × 5 = 1280 minutes (21 hours). This may be inadequate for some
applications.
• Version 5: Tickets include an explicit start time and end time, so that tickets with arbitrary lifetimes
may be used.
5) Authentication forwarding
• Version 4: Credentials issued to one client cannot be forwarded to some other host and used by some other
client. This capability enables a client to access a server and have that server access another server on
behalf of the client. For example: a client issues a request to a print server that then accesses the
client’s file from a file server, using the client’s credentials for access.
• Version 5: Credentials issued to one client can be forwarded to some other host and used by some other
client.
6) Inter-realm authentication
• Version 4: Interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships.
• Version 5: Interoperability among N realms requires fewer relationships.
Technical Deficiencies
1) Double Encryption
• In Version 4, tickets provided to clients are encrypted twice.
i) First time with the secret key of the target server, and
ii) Second time with a secret key known to the client.
• The second encryption is not necessary and is computationally wasteful.
2) PCBC Encryption
• In Version 4,
 A nonstandard mode of DES known as propagating cipher block chaining (PCBC) is used.
 This mode is vulnerable to an attack involving the interchange of ciphertext blocks.
 PCBC was intended to provide an integrity check as part of the encryption operation.
• Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be used for
encryption.
In particular, a checksum or hash-code is attached to the message prior to encryption using CBC.
3) Session Keys
• Each ticket includes a session key that is used by the client to encrypt the authenticator sent to the
service associated with that ticket.
• Because the same ticket may be used repeatedly to gain service from a particular server, there is the
risk that an opponent will replay messages from an old session to the client or the server.
• In version 5, it is possible for a client and server to negotiate a sub-session key, which is to be used
only for that one connection.
6a. With a neat diagram, explain the overview of kerberos. (10 Marks)
Ans:
Kerberos
• Kerberos is a key distribution and user authentication service developed at MIT.
• Kerberos provides a centralized authentication server whose function is to authenticate
→ users to servers and
→ servers to users.
• Kerberos uses symmetric encryption.
• Two versions of Kerberos are in use.
1) Version 4 implementations still exist, although this version is being phased out.
2) Version 5 corrects some of the security deficiencies of version 4.
Kerberos Version 4
• Version 4 of Kerberos makes use of DES to provide the authentication service.
A Simple Authentication Dialogue
• In an unprotected network environment, any client can apply to any server for service.
• Problem: The obvious security risk is impersonation.
i.e. an opponent can
→ pretend to be another client and
→ obtain unauthorized privileges on server machines
Solution: Use an authentication server (AS).
• An authentication server (AS) knows the passwords of all users and stores these in a centralized
database.
• In addition, the AS shares a unique secret key with each server.
• These keys have been distributed physically or in some other secure manner.
• Consider the following hypothetical dialogue:
Here is how it works:
1) C → AS
The client C requests a service-granting ticket from the AS.
• The request contains
→ user’s ID
→ server’s ID, and
→ user’s password.
• The server ID indicates which service is requested (e.g., printing, mail or file transfer).
2) AS → C
• AS checks its database to see
i) if the user has supplied the correct credentials and
ii) whether the user has the right to access the server.
• If both conditions are satisfied, AS accepts the user as authentic.
• Then, the AS sends a service-granting ticket to the client.
• The ticket is encrypted using the secret key shared by the AS and the server.
3) C → V
• The client sends a request to the server.
• The server decrypts the ticket.
• Then, server verifies that the user ID in the ticket is the same as the unencrypted user ID in the
request.
If these 2 match, the server grants the requested service to the client.
• Disadvantages (Problems):
1) A user needs a new ticket for every different service.
For example: If a user wants to access a print server, a mail server and a file server, then a new
ticket has to be generated for each service.
2) Password attack: An eavesdropper can capture the password and use any service accessible
to the victim.
Solution: Use a new server known as the ticket-granting server (TGS).
6b. Explain procedure along with diagram to implement confidentiality in PGP. (10 Marks)
Ans:
CONFIDENTIALITY
• Confidentiality is provided by encrypting messages to be transmitted.
• For encryption, 3DES (or CAST) can be used.
• The 64-bit cipher feedback (CFB) mode is also used.
• Each symmetric key is used only once. This is called a session key. The session key is attached to the
message and transmitted with it.
• To protect the session key, it is encrypted with the receiver’s public-key.
• The sequence of operations is as follows (Figure 6.2):
At Sender
1) A message is created. A session key is used for this message only.
2) The message is encrypted using 3DES (or CAST) with the session key.
3) The session key is encrypted using RSA with the receiver’s public-key.
4) The encrypted session key is appended to the message.
At Receiver
1) The received message is decrypted using RSA with the receiver’s private-key. Thus, the
session key is recovered.
2) The received message is decrypted using 3DES (or CAST) with the session key.
• As an alternative to RSA, Diffie-Hellman can be used.
• Diffie-Hellman is a key exchange algorithm.
• PGP uses a variant of Diffie-Hellman known as ElGamal.
Figure 6.2 Confidentiality only
• Three benefits of this approach:
1) To reduce encryption time, the combination of symmetric and public-key encryption is used in
preference to simply using RSA. The symmetric algorithms are faster than RSA.
2) The use of the public-key algorithm solves the problem of session-key distribution.
This is because only the receiver is able to recover the session key that is attached to the message.
3) The use of one-time symmetric keys strengthens this approach.
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2015
2a. Explain the dual homed host firewall. (10 Marks)
Ans:
Dual Homed Firewall
• The bastion-host contains two NICs rather than one.
1) One NIC is connected to the external-network and
2) Another NIC is connected to the internal-network.
• Two NICs provide an additional layer of protection. (NIC → network interface card)
• All traffic must physically go through the firewall to move between the internal and external-networks.
Figure 2-4 Dual-Homed Host Firewall
• NAT is used for implementation of this architecture (Figure 2-4).
• NAT is a method of mapping external IP-addresses to non-routable internal IP-addresses.
• NAT can be used to create yet another barrier to intrusion from external-attackers.
• The internal-addresses consist of 3 different ranges (Table 2-3).
1) Organizations that need a large group of addresses will use the Class A address-range.
2) Organizations that need a medium group of addresses will use the Class B address-range.
3) Organizations that need a small group of addresses will use the Class C address-range.
Table 2-3 Reserved Non-routable Address-ranges
• Advantages:
1) NAT prevents external-attacks from reaching internal-computers.
2) NAT can translate between different protocols such as Ethernet, token ring, FDDI, and ATM.
• Disadvantages:
1) If the dual-homed host is compromised, it can disable the connection to the external-network.
2) As traffic volume increases, the dual-homed host can become overloaded.
2b. Define firewall and explain all the firewall rules. (10 Marks)
Ans:
Firewall
• A firewall is an information-security-program similar to a building’s firewall.
• A firewall prevents specific types of information from moving between an untrusted-network and a trusted-network.
Example of an untrusted-network: the Internet (outside world)
Example of a trusted-network: an intranet or private network (inside world)
Best Practices for Firewall
1) All traffic from the trusted-network is allowed out.
• Thus, members of the organization can access the required services.
• Filtering and logging of outbound-traffic can be implemented when required by organization policy.
2) The firewall is never directly accessible from the public-network for configuration or
management purposes.
• Even internal-users must be denied access to the firewall.
• Only authorized administrators must be allowed to access the firewall.
• The access method can be based on cryptographically strong authentication.
3) SMTP-data is allowed to enter through the firewall, but is routed to a well-configured
SMTP-gateway to filter and route messaging traffic securely.
4) All ICMP data should be denied.
• ICMP is known as the ping service.
• ICMP is a common method used by attackers for snooping on the internal-network.
• So, ICMP should be turned off to prevent snooping.
5) Telnet access to all internal servers from the public-networks should be blocked.
• Telnet access to the organization’s DNS-server should be blocked
→ to prevent illegal zone transfers and
→ to prevent attackers from taking down the organization’s entire network.
• If internal-users want to access an organization’s network from outside, the organization should use
a VPN.
6) When Web-services are offered outside the firewall, HTTP-traffic should be blocked from
internal-networks through the proxy server or DMZ.
• The restriction can be accomplished using NAT or proxy-server.
i) If the Web-servers contain critical data, they should be placed inside the network.
ii) If the Web-servers contain only advertising, they should be placed in the DMZ.
7) All data that is not verifiably authentic should be denied.
• When attempting to convince packet-filtering firewall to permit malicious traffic, attackers frequently
put an internal-address in the source field.
• To avoid this problem, set rules so that the firewall blocks all inbound traffic with an organizational
source-address.
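The seven rules above can be expressed as an ordered packet-filtering rule set. The following is an added example written for this page, not code from the page or from any firewall product; the internal network, the DMZ range, the firewall's management address and the SMTP-gateway address are constructed assumptions.

```python
"""Packet-filtering rule set that encodes the firewall best practices above.

Added illustration, not code from the page or from any firewall product.
The networks, the firewall management address, the DMZ range and the SMTP
gateway address are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Constructed assumptions about the organization's addressing.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # trusted network
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")          # public Web-servers live here
FIREWALL_MGMT = ipaddress.ip_address("10.0.0.1")       # the firewall's own address
SMTP_GATEWAY = ipaddress.ip_address("10.0.0.25")       # well-configured SMTP-gateway


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (from the untrusted side) or "outbound" (from the trusted side)
    protocol: str    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # destination port, ignored for ICMP


def decide(pkt):
    """Apply the rules in order and return (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 7: inbound traffic that claims an internal source address is forged.
    if pkt.direction == "inbound" and src in INTERNAL_NET:
        return "deny", "spoofed internal source address"
    # Rule 4: ICMP is denied in both directions.
    if pkt.protocol == "icmp":
        return "deny", "ICMP blocked"
    # Rule 1: everything else leaving the trusted network is allowed out.
    if pkt.direction == "outbound":
        return "allow", "outbound traffic permitted"
    # Rule 2: the firewall itself is never reachable from the public network.
    if dst == FIREWALL_MGMT:
        return "deny", "firewall management not exposed"
    # Rule 5: no Telnet to internal servers from outside.
    if pkt.protocol == "tcp" and pkt.dport == 23:
        return "deny", "inbound Telnet blocked"
    # Rule 3: SMTP may enter, but only towards the SMTP-gateway.
    if pkt.protocol == "tcp" and pkt.dport == 25:
        if dst == SMTP_GATEWAY:
            return "allow", "SMTP routed to gateway"
        return "deny", "SMTP only permitted to the gateway"
    # Rule 6: HTTP from outside reaches only Web-servers in the DMZ.
    if pkt.protocol == "tcp" and pkt.dport in (80, 443) and dst in DMZ_NET:
        return "allow", "HTTP to DMZ Web-server"
    # Rule 7 again: anything not explicitly authorised is denied.
    return "deny", "default deny"
```

The anti-spoofing check is evaluated first on purpose: a packet carrying an internal source address on the external interface can never be legitimate, so no later "allow" rule should get a chance to match it.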
3a. Explain the different types of IDP systems. (10 Marks)
Ans:
Types of IDPS
• Two types of IDPSs:
1) Network-based IDPS
i) Wireless IDPS and
ii) Network behavior analysis (NBA) IDPS.
2) Host-based IDPS.
Figure 3-1 Intrusion-detection and Prevention Systems
1) Network-Based IDPS (NIDPS)
• It is focused on protecting network-assets (Figure 3-1).
• It resides on a network-segment of an organization.
• It monitors a specific group of computers on a specific network-segment
• It looks for indications of ongoing or successful attacks.
• When it identifies an attack, it sends an alert to the admin.
• When placed next to a network-device (hub/switch), NIDPS may use that device’s monitoring-port.
• A monitoring-port is a connection on a network-device that is capable of viewing all of the traffic that
moves through the entire device.
• To check for an attack, NIDPS compares measured activity to known signatures in their knowledge
base.
• Advantages:
1) A few NIDPSs can be used to monitor a large network.
2) It is a passive device.
So, it can be deployed into existing networks without disturbing normal operations.
3) It is not susceptible to direct attack.
So, it may not be detectable by attackers.
4) It can detect many more types of attacks than a HIDPS.
• Disadvantages:
1) NIDPS can be overloaded by network volume.
So, it may fail to recognize actual attacks.
2) It requires access to all traffic to be monitored.
3) It cannot analyze encrypted packets.
4) It cannot reliably confirm if an attack was successful or not.
5) It cannot detect attacks involving fragmented packets.
6) It requires a much more complex configuration and maintenance program.
i) Wireless NIDPS (WIDPS)
• It is focused on protecting wireless-networks.
• It monitors and analyzes wireless-network-traffic.
• It looks for potential problems with the wireless protocols.
• It can be built into a device that provides a wireless access-point (e.g., a base station).
• It can also detect:
→ Unauthorized WLANs and WLAN devices
→ Poorly secured WLAN devices
→ Unusual usage patterns
→ Use of wireless-network scanners
→ DoS attacks and conditions
→ Impersonation and man-in-the-middle attacks
• Some issues associated with the implementation of WIDPS:
1) Physical Security
2) Sensor Range
3) Access-point and wireless switch locations
4) Wired-network-connections
5) Cost
ii) Network Behavior Analysis System (NBA IDPS)
• It examines traffic-flow on a network in an attempt to identify attacks such as DDoS, viruses and worms.
• It uses a version of the anomaly detection method to identify excessive packet flows.
• It typically monitors internal-networks but occasionally monitors connection between internal and
external networks.
• Typical traffic-flow includes:
→ Source and destination IP-addresses
→ Source and destination TCP or UDP ports
→ ICMP types and codes
→ Number of packets and bytes transmitted in the session
→ Starting and ending timestamps for the session
• It can detect following types of attacks:
→ DoS attacks (including DDoS attacks)
→ Scanning
→ Worms
→ Unexpected application services (e.g., tunneled protocols, back doors)
→ Policy violations
2) Host-Based IDPS (HIDPS)
• It is focused on protecting the information-assets of a server (or host).
• It resides on a particular host, and monitors activity only on that host.
• It is also known as a system integrity verifier because it
→ monitors the status of system-files and
→ detects when an attacker creates, modifies, or deletes files.
• It is also capable of monitoring system configuration database.
• It triggers an alert when one of the following occurs:
→ file-attributes change
→ new files are created or
→ existing files are deleted.
• It can also monitor system logs for predefined events.
• It examines the log files to determine if an attack is underway or the attack has occurred.
• Advantages:
1) HIDPS can
→ detect local events on host systems and
→ detect attacks that may escape a network-based IDPS.
2) It can process encrypted traffic.
3) It is not affected by the use of switched-network protocols.
4) It can detect inconsistencies in how applications were used.
• Disadvantages:
1) It requires more management effort to install, configure, and operate.
2) It is vulnerable both to direct attacks and to attacks against the host operating system.
3) It is not optimized to detect multi-host scanning.
4) It is susceptible to some DoS attacks.
5) It requires a large amount of disk space to store audit logs.
6) It can impose a performance overhead on its host systems.
3b. Discuss measuring effectiveness of IDPS. (10 Marks)
Ans:
Measuring the Effectiveness of IDPSs
1) Thresholds
• A threshold is a value that sets the limit between normal and abnormal behavior.
• It usually specifies a maximum acceptable level.
For example: 30 failed connection attempts in 60 seconds
• It is most commonly used in
→ anomaly-based detection and
→ stateful protocol analysis.
2) Blacklist and Whitelist
Blacklist
• It is a list of discrete entities which are associated with abnormal activity.
• For example:
Applications (say telnet, FTP)
File extensions (say mpeg, mp4)
URLs (say facebook, amazon)
TCP or UDP port numbers (say 23:telnet, 21:FTP)
• IDPS uses blacklist
→ to block the abnormal activity and
→ to assign a higher priority to alerts that match blacklist entries.
• Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats.
Whitelist
• It is a list of discrete entities that are known to be benign.
• It is used to reduce or ignore false positives involving known benign activity from trusted hosts.
• Whitelists and blacklists are most commonly used in
→ signature-based detection and
→ stateful protocol analysis.
3) Alert Settings
• Most IDPSs allow admins to customize each alert type.
• For example:
→ Toggling it on or off
→ Setting a default priority or severity level
→ Specifying what information should be recorded
→ Specifying what notification methods should be used
→ Specifying which prevention capabilities should be used
• Some products also suppress alerts if an attacker generates many alerts in a short period of time. It
is to prevent the IDPS from being overwhelmed by alerts.
4) Code Viewing and Editing
• Some IDPSs permit admins to see some or all of the detection-related code.
• Some IDPSs allow admins to see additional code, such as programs used to perform stateful protocol
analysis.
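The threshold, whitelist, blacklist and alert-priority settings above can be seen working together on a few log lines. This is an added example written for this page, not an IDPS product's code; the log format, the hosts, the whitelist entry and the sample events are constructed, and the "30 failures in 60 seconds" limit is the text's own example.

```python
"""Threshold, whitelist and blacklist logic of the kind described above, run
over constructed connection-log lines.

Added illustration, not an IDPS product's code. The log format, the hosts,
the whitelist and the "30 failures in 60 seconds" threshold (taken from the
text's example) are assumptions."""
import re
from collections import defaultdict, deque

THRESHOLD = 30                       # failed connection attempts ...
WINDOW = 60                          # ... within this many seconds
WHITELIST = {"10.0.0.9"}             # constructed: a trusted monitoring host
BLACKLIST_PORTS = {23: "telnet", 21: "ftp"}   # the text's port examples

# Constructed log format: "<unix-time> <src> -> <dst>:<dport> <ok|failed>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<result>ok|failed)$"
)


def analyze(lines):
    """Return alerts as (timestamp, source, priority, message) tuples."""
    alerts = []
    failures = defaultdict(deque)    # src -> timestamps of failures inside the window
    already_alerted = set()          # one threshold alert per source (alert suppression)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                  # ignore malformed lines
        ts, src, dport = int(m["ts"]), m["src"], int(m["dport"])
        if src in WHITELIST:
            continue                  # known-benign activity is not alerted on
        if dport in BLACKLIST_PORTS:  # blacklisted service: high-priority alert
            alerts.append((ts, src, "high",
                           f"connection to blacklisted service {BLACKLIST_PORTS[dport]}"))
        if m["result"] == "failed":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] >= WINDOW:
                recent.popleft()      # drop failures older than the window
            if len(recent) >= THRESHOLD and src not in already_alerted:
                already_alerted.add(src)
                alerts.append((ts, src, "medium",
                               f"{len(recent)} failed connections within {WINDOW}s"))
    return alerts


def build_sample_log():
    """Constructed sample: one brute-force burst, one slow scanner, one
    whitelisted host, and one Telnet connection."""
    lines = []
    lines += [f"{100 + i} 203.0.113.5 -> 10.0.0.40:22 failed" for i in range(35)]       # 1 failure/s
    lines += [f"{100 + i} 10.0.0.9 -> 10.0.0.40:22 failed" for i in range(35)]          # whitelisted
    lines += [f"{200 + 3 * i} 198.51.100.8 -> 10.0.0.40:22 failed" for i in range(35)]  # too slow
    lines.append("150 203.0.113.77 -> 10.0.0.40:23 ok")
    return sorted(lines, key=lambda l: int(l.split()[0]))
```

The slow source never triggers the threshold because only 20 of its failures ever fall inside one 60-second window, which is exactly the kind of low-and-slow activity a threshold alone misses and an anomaly-based method is meant to catch.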
4a. With an example, explain vernam cipher technique for encrypting the plaintext. (10)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.4a.
4b. Explain the different attacks on crypto system. (10)
Ans:
Attacks on Cryptosystems
• In general, attacks on cryptosystems fall into four general categories: man-in-the-middle,
correlation, dictionary, and timing.
1) Man-in-the-Middle Attack
• An attacker tries
→ to intercept a public-key or
→ to insert a known key structure in place of the requested public-key.
• The attackers place themselves in between the sender and receiver.
When they have intercepted the request for a key exchange, they send each participant a valid
public-key which is known only to them.
• The victims (participants) think that the communication is secure, but the attacker will be
→ receiving and decrypting the encrypted-message, and
→ re-encrypting and sending the message to the intended recipient.
• Possible solution: Establishing public-keys with digital signatures can prevent this attack. This is
because the attacker cannot duplicate the signatures.
2) Correlation Attacks
• The attack is a collection of brute-force methods that try to deduce statistical relationships between
→ the structure of the unknown key and
→ the ciphertext generated by the cryptosystem.
• Differential and linear cryptanalysis have been used to perform successful attacks on block cipher
encryptions such as DES.
• Possible solution: Selection of strong cryptosystems that have
→ stood the test of time
→ thorough key management, and
→ best practices in the frequency of key changes.
3) Dictionary Attacks
• An attacker encrypts every word in a dictionary using the same cryptosystem as used by the target
in an attempt to locate a match between the target-ciphertext and the list of encrypted-words.
• This attack can be successful when the ciphertext consists of relatively few characters.
For example: Files containing encrypted usernames and passwords.
• After getting password-file, an attacker can run hundreds of potential passwords from the dictionary
he has prepared against the stolen list.
• After a match is found, the attacker has essentially identified a potential valid password for the
system.
4) Timing Attacks
• An attacker
→ listens on the victim’s session and
→ uses statistical-analysis of patterns and inter-keystroke timings to determine the information.
• This attack can be used to gain information about the encryption-key and the cryptosystem.
• After getting encryption-key, an attacker can launch a replay attack.
• Replay attack tries to resubmit a recording of the deciphered authentication to gain entry into a
secure source.
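The dictionary attack above works because an unsalted hash of a password is the same for every user and every system, so one precomputed table of hashed words serves against any stolen file. The added example below (written for this page, not code from it; the word list and records are constructed) contrasts that with per-user salted, iterated hashing, under which no table computed in advance can be reused.

```python
"""Why a salted, iterated password hash defeats the precomputed dictionary
described above.

Added illustration, not code from the page. The word list and the stored
records are constructed; PBKDF2-HMAC-SHA256 is used as the slow hash."""
import hashlib
import hmac
import os

DICTIONARY = ["password", "letmein", "qwerty", "sunshine"]   # constructed word list


def unsalted_hash(password):
    """Weak storage: a plain hash, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds=50_000):
    """Stronger storage: per-user random salt plus an iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def precomputed_table(words=DICTIONARY):
    """One table of word hashes serves against every unsalted record."""
    return {unsalted_hash(w): w for w in words}


def audit_unsalted(stored_hash, table=None):
    """Defender's check: does a stored unsalted hash equal a dictionary word?"""
    table = table or precomputed_table()
    return table.get(stored_hash)


def make_salted_record(password):
    """Store (salt, hash); the salt is random per user."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def check_salted(record, candidate):
    """Verification must recompute the hash with the stored salt, so no table
    precomputed without that salt applies; the comparison is constant-time."""
    salt, stored = record
    return hmac.compare_digest(stored, salted_hash(candidate, salt))
```

Two users who chose the same password get different salted records, so matching one record tells the attacker nothing about the other, and the iteration count makes every guess cost a measurable amount of work.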
5a. Discuss the different active attacks. (10 Marks)
Ans:
Active Attacks
• The attacker tries to alter system resources or affect their operation.
• For example:
→ modification of the data stream
→ creation of a false stream
• Goal (of the defender) with respect to active attacks:
To detect active attacks and to recover from any disruption or delays caused by them.
• It can be subdivided into four categories: 1) masquerade, 2) replay, 3) modification of messages,
and 4) denial of service.
1) Masquerade
• This attack takes place when one entity pretends to be a different entity (Figure 5.4).
• For example:
Authentication sequences can be captured and replayed after a valid authentication sequence
has taken place
2) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect (Figure 5.5).
3) Modification of Messages
• For example:
→ some portion of a legitimate message is altered
→ messages are delayed or reordered (Figure 5.6).
4) Denial of Service
• This attack prevents the normal use of communications facilities (Figure 5.7).
i) This attack may have a specific target.
 For example:
An entity may suppress all messages directed to a particular destination
ii) This attack may involve the disruption of an entire network.
 For example:
Overloading the network to degrade performance.
• Disadvantage:
 Difficult to prevent active attacks because of the wide variety of potential physical,
software, and network vulnerabilities.
Figure 5.4: Masquerade
Figure 5.5: Replay
Figure 5.6: Modification of messages
Figure 5.7: Denial of service
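Masquerade, replay and modification are the three active attacks a receiver can detect on its own, given a shared key and a sequence number bound into each message. The following is an added example written for this page, not code from it; the shared key, the wire format ("<JSON body>.<hex tag>") and the messages are constructed assumptions.

```python
"""Rejecting replayed, modified and forged messages with a MAC and a sequence
number: the receiver-side defence against the replay, modification and
masquerade attacks above.

Added illustration, not code from the page. The shared key, the wire format
("<json body>.<hex tag>") and the messages are constructed assumptions."""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def protect(seq, payload, key=SHARED_KEY):
    """Sender: bind a monotonically increasing sequence number to the payload
    and authenticate both with HMAC-SHA256."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Receiver:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = 0    # highest sequence number accepted so far

    def accept(self, wire):
        """Return (accepted, reason). The MAC is checked first so that a forged
        or altered message never influences the sequence state."""
        body, sep, tag = wire.rpartition(b".")
        if not sep:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC: forged (masquerade) or modified"
        seq = json.loads(body)["seq"]
        if seq <= self.last_seq:
            return False, "replay: sequence number already seen"
        self.last_seq = seq
        return True, "accepted"
```

A captured message replayed later fails the sequence check even though its MAC is still valid; a message altered in transit or produced without the key fails the MAC check. Denial of service cannot be caught this way, which is why the text lists it separately.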
5b. Explain the environment shortcomings of Kerberos V4. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.5b.
5c. With a diagram, explain the X.509 certificate format. (05 Marks)
Ans:
X.509 Certificates
• X.509 provides authentication services and defines authentication protocols.
• X.509 uses the X.500 directory, which contains:
→ public-key certificates, i.e.
→ public keys of users signed by a certification authority.
• X.509 is based on the use of public-key cryptography and digital signatures.
Certificates
• Figure 5.12 shows the general format of a certificate, which includes the following elements.
Figure 5.12 X.509 certificate
1) Version
• This field is used to differentiate among successive versions of the certificate format.
i) Default version = 1.
ii) version=2 , if the Issuer Unique Identifier or Subject Unique Identifier are present.
iii) version=3 , if one or more extensions are present.
2) Serial Number
• This field is a unique integer value that is unambiguously associated with this certificate.
3) Signature Algorithm Identifier
• This field indicates the algorithm used to sign the certificate, together with any associated
parameters.
4) Issuer Name
• This field indicates X.500 name of the CA that created and signed this certificate.
5) Period of Validity
• This field consists of two dates: the first and last on which the certificate is valid.
6) Subject Name
• This field indicates the name of the user to whom this certificate refers.
7) Subject’s Public-Key Information
• This field contains
→ the public key of the subject,
→ an identifier of the algorithm.
8) Issuer Unique Identifier
• This field is an optional bit string field used to identify uniquely the issuing CA in the event the X.500
name has been reused for different entities.
9) Subject Unique Identifier
• This field is an optional bit string field used to identify uniquely the subject in the event the X.500
name has been reused for different entities.
10) Extensions
• This field contains a set of one or more extension fields.
• Extensions were added in version 3.
11) Signature
• This field covers all of the other fields of the certificate; it contains the hash code of the other fields
encrypted with the CA’s private key.
• This field includes the signature algorithm identifier.
6a. Using figure, explain how authentication is performed in PGP. (10 Marks)
Ans:
6.1.2.1 AUTHENTICATION
• Figure 6.1 illustrates the digital signature service provided by PGP.
• The sequence of operation is as follows:
At Sender
1) A message is created.
2) A hash code of a message is created using SHA-1.
3) The hash code is encrypted using RSA with the sender’s private-key.
4) The encrypted hash code is appended to the message.
At Receiver
1) The encrypted hash code received with the message is decrypted using RSA with the sender’s
public-key. Thus, the hash code is recovered.
2) A new hash code for the received message is created using SHA-1.
3) The new hash code is compared with the decrypted hash code.
4) If the two match, the message is accepted as authentic.
Figure 6.1 Authentication only
• The combination of SHA-1 and RSA provides an effective digital signature scheme.
1) Because of the strength of RSA, the receiver is assured that only the possessor of the
matching private-key can generate the signature.
2) Because of the strength of SHA-1, the receiver is assured that no one else could generate
→ a new message that matches the hash code and
→ the signature of the original message.
• Normally, signatures are attached to the message (or file). Here, detached signatures are also
supported.
• A detached signature may be transmitted separately from the message.
• Three benefits of detached signature:
1) A user may wish to maintain a separate signature log of all messages sent or received.
2) A detached signature of an executable program can detect subsequent virus infection.
3) Detached signatures can be used when more than one party must sign a document, such as
a legal contract.
6b. Explain the S/MIME functionality. (05 Marks)
Ans:
Secure/Multipurpose Internet Mail Extension (S/MIME)
• S/MIME is a security enhancement to the MIME Internet e-mail format standard based on technology
from RSA Data Security.
S/MIME FUNCTIONALITY
• In terms of general functionality, S/MIME is very similar to PGP.
• Both offer the ability to sign and/or encrypt messages.
FUNCTIONS
• S/MIME provides the following functions.
1) Enveloped data
• This consists of encrypted content of any type and encrypted content encryption keys for one or
more receivers.
2) Signed data
• A digital signature is formed by taking the message digest of the content to be signed and then
encrypting that with the private-key of the signer.
• The content plus signature are then encoded using base64 encoding.
• A signed data message can only be viewed by a receiver with S/MIME capability.
3) Clear-signed data
• As with signed data, a digital signature of the content is formed. However, in this case, only the
digital signature is encoded using base64.
• As a result, receivers without S/MIME capability can view the message
content, although they cannot verify the signature.
4) Signed and enveloped data
• Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed and
signed data or clear-signed data may be encrypted.
6c. Explain the MIME content types. (05 Marks)
Ans:
MIME CONTENT TYPES
• The bulk of the MIME specification is concerned with the definition of a variety of content types.
• This reflects the need to provide standardized ways of dealing with a wide variety of information
representations in a multimedia environment.
• Table 6.3 lists the content types specified in RFC 2046.
Table 6.3 MIME Content Types
• There are four subtypes of the multipart type (Table 6.3):
1) In multipart/mixed subtype, there are multiple independent body parts that need to be
bundled in a particular order.
2) In multipart/parallel subtype, the order of the parts is not significant.
If the receiver’s system is appropriate, the multiple parts can be presented in parallel.
3) In multipart/alternative subtype, the various parts are different representations of the
same information.
The body parts are ordered in terms of increasing preference.
4) In multipart/digest subtype, each of the body parts is interpreted as an RFC 5322
message with headers.
This subtype enables the construction of a message whose parts are individual
messages.
• There are 3 subtypes of the message type:
1) The message/rfc822 subtype indicates that the body is an entire message, including
header and body.
2) The message/partial subtype enables fragmentation of a large message into a number of
parts, which must be reassembled at the destination.
3) The message/external-body subtype indicates that the actual data to be conveyed in this
message are not contained in the body.
Instead, the body contains the information needed to access the data.
• The application type refers to other kinds of data, typically either uninterpreted binary data or
information to be processed by a mail-based application.
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2016
2a. Explain different categories of firewalls according to their processing mode. (10 Marks)
Ans:
Firewall Processing Modes
• Firewalls fall into 5 major processing-mode categories:
1) Packet-filtering firewall 2) Application gateway
3) Circuit-gateway 4) MAC-layer firewall and 5) Hybrid firewall
1) Packet Filtering Firewall
• It operates at the network-layer of the OSI-model. (Figure 2-1).
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
• The rules are based on a combination of the following:
→ IP source and destination address
→ Direction (inbound or outbound)
→ Protocol
→ TCP/UDP source and destination port
• The rules are created and modified in the ACL (Access Control List) by the network-administrators.
Figure 2-1 Packet-Filtering-router
Table 2-1 Sample Firewall-rule and Format
• As shown in Table 2-1, any connection attempt made by an external-device in the 192.168.x.x
address-range (192.168.0.0–192.168.255.255) is allowed.
• It can be further classified into 3 types:
1) Static Filtering
 Here, the filtering-rules must be developed and installed with the firewall.
 The rules are created and sequenced by a person directly editing the rule-set.
2) Dynamic Filtering
 It can
→ react to an emergent event and
→ update/create rules to deal with that event.
Static vs Dynamic Firewall
 In a static firewall, entire sets of one type of packet are allowed to enter the trusted-network.
 In dynamic firewall, only a particular packet with a particular source, destination, and port
address is allowed to enter into trusted-network.
3) Stateful Inspection
 It monitors network-connection between internal and external systems using state-tables.
 A state-table records information like
→ source and destination address of devices
→ what & when packet is sent (Table 2-2).
Table 2-2 State-table Entries
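A state table of the kind described above can be modelled in a few lines: an entry is created when the trusted side opens a connection, inbound packets are admitted only when they match a fresh entry, and entries are removed on close or after an idle period. This is an added example written for this page, not code from it or from any product; packet fields, addresses and the 300-second idle timeout are constructed assumptions.

```python
"""State-table behaviour of a stateful inspection firewall.

Added illustration, not code from the page or any product. The packet
fields, addresses and the 300-second idle timeout are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "outbound" (trusted -> untrusted) or "inbound"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # comma-separated TCP flags, e.g. "SYN" or "SYN,ACK"


class StatefulFilter:
    """Allows inbound packets only when they belong to a conversation the
    trusted side started; each table entry records the addresses and ports
    of the conversation and when its last packet was seen."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.table = {}   # (internal ip, port, external ip, port) -> last_seen

    def handle(self, pkt, now):
        flags = set(pkt.flags.split(","))
        if pkt.direction == "outbound":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in flags and "ACK" not in flags:
                self.table[key] = now        # new conversation opened from inside
            elif key in self.table:
                self.table[key] = now        # refresh an existing conversation
            if "FIN" in flags or "RST" in flags:
                self.table.pop(key, None)    # conversation is over
            return "allow"                   # the trusted side may always talk out

        # Inbound: allowed only if a matching entry exists and is still fresh.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last_seen = self.table.get(key)
        if last_seen is None:
            return "deny"                    # unsolicited, no conversation
        if now - last_seen > self.idle_timeout:
            del self.table[key]              # stale entry, expire it
            return "deny"
        if "FIN" in flags or "RST" in flags:
            del self.table[key]
        else:
            self.table[key] = now
        return "allow"
```

The difference from static filtering is visible in the tests: the reply from 203.0.113.7:443 is admitted only because the table already holds the outbound half of that conversation, and an otherwise identical packet aimed at a different internal port is dropped.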
2) Application Gateway
• It operates at the application-layer of the OSI-model.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because
it runs special software that acts as a proxy for a service-request.
• The proxy-server
→ receives requests for Web-pages
→ accesses the Web-server on behalf of the external client and
→ returns the requested-pages to the users.
• It is also known as a cache-server because
it stores the most recently accessed pages in the internal cache.
• Advantage:
For any external-attack to succeed, two separate systems have to be compromised.
Thus, the proxy-server can be placed in an unsecured-network, thereby protecting the Web-server.
• Disadvantage:
It is designed for specific types of protocols (e.g., FTP, Telnet, HTTP & SNMP).
So, it cannot be re-configured to protect against attacks on other protocols.
3) Circuit Gateway
• It operates at the transport-layer of the OSI-model.
• It does not usually look at traffic flowing between one network and another network.
• Rather, it prevents direct connection between one network and another network.
• It
→ creates tunnels connecting specific processes/systems on each side of the firewall, and
→ allows only authorized traffic in the tunnels.
4) MAC Layer Firewall
• It operates at the data-link-layer of the OSI-model.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the MAC source and destination address.
5) Hybrid Firewall
• It combines the elements of the above 4 types of firewalls.
• For ex:
The elements of packet-filtering and proxy services.
The elements of packet-filtering and circuit-gateways.
• It may consist of 2 separate firewalls which are connected so that they work in tandem.
• Advantage:
An organization can make a security improvement w/o completely replacing its existing firewall.
2b. Define any 6 design rules of firewall. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.2b.
2c. Discuss content filter technology in a security. (04 Marks)
Ans:
Content Filter
• It is a software-filter that allows administrators to restrict access to content from within a network.
• It can help protect an organization’s systems from misuse and unintentional DoS problems.
• It restricts user access to
→ networking protocols (e.g., FTP, HTTP) and
→ Internet content (e.g., facebook, youtube, amazon).
• It is also called reverse-firewall because
it is mainly used to restrict internal-access to external material.
• It has two components: rating and filtering.
1) Rating
 It is like a set of firewall-rules for Web-sites.
 It is most common in residential content-filters.
 It can be
→ complex, with multiple access control settings for different levels of organization or
→ simple, with a basic allow/deny scheme like that of a firewall.
2) Filtering
 It is a method used to restrict specific access-requests to the identified resources.
 The resources may be Web-sites or servers.
• Two ways to configure:
1) Exclusive Mode
 Certain sites are specifically excluded from access (e.g., facebook, youtube, amazon).
 Disadvantage:
There may be thousands of Web-sites that an organization wants to exclude.
2) Inclusive Mode
 Certain sites are specifically permitted for access (e.g., ieee, springer, elsevier).
3a. Explain HIDPS. Write its advantages and disadvantages. (08 Marks)
Ans:
Host-Based IDPS (HIDPS)
• It is focused on protecting the information-assets of a server (or host).
• It resides on a particular host, and monitors activity only on that host.
• It is also known as a system integrity verifier because it
→ monitors the status of system-files and
→ detects when an attacker creates, modifies, or deletes files.
• It is also capable of monitoring system configuration database.
• It triggers an alert when one of the following occurs:
→ file-attributes change
→ new files are created or
→ existing files are deleted.
• It can also monitor system logs for predefined events.
• It examines the log files to determine if an attack is underway or the attack has occurred.
• Advantages:
1) HIDPS can
→ detect local events on host systems and
→ detect attacks that may escape a network-based IDPS.
2) It can process encrypted traffic.
3) It is not affected by the use of switched-network protocols.
4) It can detect inconsistencies in how applications were used by examining the records
stored in audit logs. This enables it to detect Trojan horse attacks.
• Disadvantages:
1) It requires more management effort to install, configure, and operate.
2) It is vulnerable both to direct attacks and to attacks against the host operating system.
3) It is not optimized to detect multi-host scanning.
Also, it is not able to detect the scanning of non-host network-devices such as routers or
switches.
4) It is susceptible to some DoS attacks.
5) It requires a large amount of disk space to store audit logs.
6) It can impose a performance overhead on its host systems.
3b. Discuss port scanning and vulnerability scanning tools. (08 Marks)
Ans:
Port Scanners
• These are tools used by both attackers and defenders to identify
→ computers that are active on a network (fingerprinting)
→ ports and services active on those computers, and
→ functions and roles the machines are fulfilling.
• These tools either
→ scan for specific types of computers, protocols, or resources, or
→ scan for generic types.
• The more specific the scanner is, the more useful the information it provides to attackers and
defenders.
• A port is a network channel or connection point in a data communications system.
• Within TCP/IP model,
Each application has a unique port number.
Port numbers are used to differentiate the multiple network services provided to the same
computer.
• There are 2 types of ports:
1) Reserved Ports
 Services with reserved ports generally run on ports 1–1023.
 For example:
TCP Port Numbers TCP Service
20 and 21 File Transfer Protocol (FTP)
80 Hypertext Transfer Protocol (HTTP)
2) Ephemeral Ports
 Ports greater than 1023 are referred to as ephemeral ports.
 These ports may be randomly allocated to server and client processes.
• Question: Why secure open ports?
Ans:
 An open port can be used by an attacker to gain access to a server and gain control over a
networking device.
 The rule of thumb is:
"Remove those services which are not absolutely necessary for conducting business".
 For example, if a business doesn’t host Web services, then don’t make port 80 available on its
servers.
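The rule of thumb above turns into a routine check when the server's listening ports are compared with the list of services it is supposed to offer. The following is an added example written for this page, not code from it or from any scanner; the listener lines are constructed in the style of `ss -ltn` output, and the approved list is an assumed policy for a server that hosts no Web service.

```python
"""Auditing a server's listening ports against the services it is supposed to
offer, following the "remove what is not necessary" rule above.

Added illustration, not code from the page or from a scanner. The listener
lines are constructed in the style of `ss -ltn` output, and the approved list
is an assumed policy for a server that hosts no Web service."""
import re

RESERVED_MAX = 1023                    # ports 1-1023 are the reserved ports
APPROVED = {22: "ssh", 25: "smtp"}     # constructed policy for this server

# Constructed sample (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port)
SAMPLE_LISTENERS = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 511   0.0.0.0:80      0.0.0.0:*
LISTEN 0 128   127.0.0.1:631   0.0.0.0:*
LISTEN 0 100   [::]:25         [::]:*
LISTEN 0 10    0.0.0.0:40000   0.0.0.0:*
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(text):
    """Return (local address, port) pairs from ss-style listener lines."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group(1).rsplit(":", 1)   # rsplit so "[::]:25" splits correctly
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit(text, approved=APPROVED):
    """Findings: network-reachable listeners not in the approved list, with
    the port class, so the analyst sees whether a standard service or an
    unexpected ephemeral-range listener is exposed."""
    findings = []
    for addr, port in parse_listeners(text):
        if addr in ("127.0.0.1", "::1"):
            continue                               # loopback only, not reachable from the network
        if port in approved:
            continue
        port_class = "reserved" if port <= RESERVED_MAX else "ephemeral"
        findings.append((port, port_class))
    return findings
```

In the constructed sample the Web port is flagged because the policy says this server hosts no Web service, and the listener on 40000 is flagged as an ephemeral-range service nobody approved; the printer service bound to loopback is left alone since it is not reachable from the network.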
Vulnerability Scanners
• These tools scan networks for highly detailed information.
• There are two types: 1) Active-scanner 2) Passive-scanner
1) Active-scanner
• It is used to initiate traffic on the network in order to determine security-holes.
• It can be used to
→ identify usernames and groups
→ expose configuration problems and
→ identify other security-holes in servers.
Nessus
 It is a popular active-scanner.
 It uses IP packets to
→ identify the hosts available on the network
→ services of the hosts
→ OS of the hosts and
→ type of firewall used
 The Nessus has a class of attacks called destructive.
 If enabled, Nessus attempts common overflow techniques against a target host.
Blackbox Scanner or Fuzzer
 It is a class of vulnerability scanner.
 Fuzz testing looks for security-holes in a program/protocol by feeding random input.
 Security-holes can be detected by measuring the outcome of the random inputs.
2) Passive-scanner
• It is used to
→ listen in on the network and
→ determine vulnerable versions of both server and client software.
• Two popular tools:
1) Tenable Network Security with its Passive Vulnerability Scanner (PVS) and
2) Sourcefire with its RNA product.
• Advantages
1) They do not require security analysts to get approval prior to testing.
2) They simply monitor the network-connections to and from a server to obtain a list of vulnerable
applications.
3) Ability to find client-side security-holes that are typically not found by active-scanners.
3c. Define the following with respect to intrusion detection systems. (04 Marks)
i) alert
ii) false positive
iii) false negative
iv) confidence value .
Ans:
i) Alert or Alarm
• An indication that a system has just been attacked or is under attack.
• Different forms of alarms are
→ audible-signals → e-mail messages
→ pager notifications or → pop-up windows.
ii) False Positive
• An alert occurs in the absence of an actual attack.
• A false positive may be produced when an IDPS mistakes normal system activity for an attack.
iii) False Negative
• An alert does not occur in the presence of an actual attack.
• It is the most serious failure, since the purpose of an IDPS is to detect and respond to attacks.
iv) Confidence Value
• The measure of an IDPS’s ability to correctly detect and identify certain types of attacks.
• The confidence value is based on experience and past performance measurements.
• The confidence value helps an admin determine how likely it is that an alarm indicates an actual
attack in progress.
• For example,
if a system has a confidence value of 90% for reporting a DoS attack, then there is a high
probability that an actual attack is occurring.
4a. Describe any 4 attacks on a cryptosystem. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.4b.
4b. Explain substitution cipher technique. Discuss its weakness. (08 Marks)
Ans:
Substitution Cipher
Monoalphabetic Substitution
• To perform encryption, you substitute one letter for another letter using a single cipher alphabet.
This type of substitution is called a monoalphabetic substitution because of its one-to-one mapping.
• For example:
Here, we substitute each letter with the letter three positions to its right in the alphabet.
Here, the first row is the plaintext, and the second row is the ciphertext.
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
For example: The plaintext "MOON" will be encrypted into the ciphertext "PRRQ".
Polyalphabetic Substitutions
• To perform encryption, you use two or more cipher alphabets, so the same plaintext letter can map to
different ciphertext letters depending on its position. This type of substitution is called a
polyalphabetic substitution because of its one-to-many mapping.
• For example:
Here, the first row is the plaintext, and the next four rows are four sets of ciphertexts.
For example: The plaintext "MOON" will be encrypted into the ciphertext "PUXZ".
Vigenere Cipher
• This is an advanced form of a polyalphabetic substitutions.
• The ciphertext is found using the Vigenere table, which is made up of 26 distinct cipher alphabets.
• Table 4-1 illustrates the setup of the Vigenere table.
Table 4-1 The Vigenère Square
• Here, we use a keyword to represent the shift.
• For example,
keyword: ITALY
plaintext: SACK GAUL SPARE NO ONE
Thus we have (the keyword repeated over the plaintext, and the resulting ciphertext),
keyword:    I T A L Y I T A L Y I T A L Y I T A
plaintext:  S A C K G A U L S P A R E N O O N E
ciphertext: A T C V E I N L D N I K E Y M W G E
• To perform the substitution,
Start with the first combination of keyword and message letters i.e. IS.
Use the keyword letter 'I' to locate the column.
Use the message letter 'S' to find the row.
Then, look for the letter at intersection of column & row i.e. A. This is the ciphertext-letter.
• Disadvantage:
Any keyword-message letter combination containing an "A" row or column reproduces the
plaintext-message letter unchanged.
For example,
The third letter in the plaintext i.e. the C has a combination of AC, and thus is
unchanged in the ciphertext.
More generally, because the keyword repeats, every letter at a given position modulo the keyword
length is enciphered with the same shift, so once the keyword length is known each such column is
an ordinary Caesar cipher and can be broken by frequency analysis.
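The following Python is an added worked example (written for this page, not from the original paper) that reproduces the ciphers above: the shift-3 monoalphabetic substitution, the Vigenère encryption of the sample plaintext under the keyword ITALY, the positions where the keyword letter A leaks the plaintext letter, and the column extraction that turns the ciphertext into a set of Caesar ciphers once the keyword length is known. Spaces in the plaintext are dropped, as in the worked table.

```python
import string

ALPHABET = string.ascii_uppercase

def _clean(text: str) -> str:
    """Keep only letters, upper-cased; spaces and punctuation are dropped."""
    return "".join(c for c in text.upper() if c in ALPHABET)

def caesar(text: str, shift: int) -> str:
    """Monoalphabetic substitution: every letter shifted by the same amount."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in _clean(text))

def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: letter i is shifted by keyword[i mod len(keyword)].
    Row/column lookup in the Vigenère square is the same as adding the two
    letter positions modulo 26."""
    key = _clean(keyword)
    out = []
    for i, c in enumerate(_clean(text)):
        k = ALPHABET.index(key[i % len(key)])
        if decrypt:
            k = -k
        out.append(ALPHABET[(ALPHABET.index(c) + k) % 26])
    return "".join(out)

def leaked_positions(text: str, keyword: str) -> list:
    """Positions where the keyword letter is 'A' (shift 0): the ciphertext
    letter equals the plaintext letter, the weakness described above."""
    key = _clean(keyword)
    return [i for i in range(len(_clean(text))) if key[i % len(key)] == "A"]

def column_letters(ciphertext: str, keylen: int, column: int) -> str:
    """Every keylen-th letter starting at `column`: if keylen is right, this
    column was enciphered with one shift, so frequency analysis applies to it."""
    return ciphertext[column::keylen]

if __name__ == "__main__":
    print(caesar("MOON", 3))                                    # PRRQ
    ct = vigenere("SACK GAUL SPARE NO ONE", "ITALY")
    print(ct)                                                   # ATCVEINLDNIKEYMWGE
    print(vigenere(ct, "ITALY", decrypt=True))                  # SACKGAULSPARENOONE
    print(leaked_positions("SACK GAUL SPARE NO ONE", "ITALY"))  # [2, 7, 12, 17]
    print(column_letters(ct, 5, 2))                             # CLEE (plaintext C, L, E, E)
```

The leaked positions are exactly those that line up with the A in ITALY, and the column with shift 0 returns plaintext letters unchanged; with a real message long enough for letter statistics, each of the five columns can be attacked independently.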
4c. Define the following terms with respect to cryptography: (04 Marks)
i) encryption
ii) cipher
iii) keyspace
iv) steganography.
Ans:
i) Encryption
• The process of converting an unencrypted-message into an encrypted-message.
ii) Cipher or cryptosystem
• An encryption-method used to perform encryption and decryption.
• The encryption-method includes
→ algorithm
→ key(s) and
→ procedures.
iii) Keyspace
• The entire range of values that can be used to construct an individual key.
iv) Steganography
• The hiding of messages—for example, within the digital encoding of a picture or graphic.
5a. Write and explain the general format of a X.509 public key certificate. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5c.
5b. List the difference between kerberos version 4 and version 5. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.5b.
5c. Explain any three active security attacks. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5a.
6a. Explain the PGP message generation and message reception technique. (10 Marks)
Ans:
PGP Message Generation
• The sending entity performs the following steps (Figure 6.7).
1) Signing the message.
a) PGP retrieves the sender’s private-key from the private-key ring using your_userid as an
index.
b) PGP prompts the user for the passphrase to recover the unencrypted private-key.
c) The signature component of the message is constructed.
2) Encrypting the message.
a) PGP generates a session key and encrypts the message.
b) PGP retrieves the receiver’s public-key from the public-key ring using her_userid as an
index.
c) The session key component of the message is constructed.
Figure 6.7 PGP Message Generation (from User A to User B: no compression or radix-64 conversion)
PGP Message Reception
• The receiving entity performs the following steps (Figure 6.8).
1) Decrypting the message:
a) PGP retrieves the receiver’s private-key from the private-key ring using the Key ID field in
the message as an index.
b) PGP prompts the user for the passphrase to recover the unencrypted private-key.
c) PGP
→ recovers the session key and
→ decrypts the message.
2) Authenticating the message:
a) PGP retrieves the sender’s public-key from the public-key ring using the Key ID field in the
message as an index.
b) PGP recovers the transmitted message digest.
c) PGP
→ computes the message digest for the received message and
→ compares the message digest to the transmitted message digest to authenticate.
Figure 6.8 PGP Message Reception (from User A to User B; no compression or radix-64 conversion)
6b. Briefly explain the header fields of MIME protocol. (05 Marks)
Ans:
Header Fields of MIME
• The five header fields defined in MIME are
1) MIME-Version
 Must have the parameter value 1.0.
 This field indicates that the message conforms to RFCs 2045 and 2046.
2) Content-Type
 Describes the data contained in the body with sufficient detail that the receiving user agent
can pick an appropriate agent or mechanism to represent the data to the user.
3) Content-Transfer-Encoding
 Indicates the type of transformation that has been used to represent the body of the message
in a way that is acceptable for mail transport.
4) Content-ID
 Used to identify MIME entities uniquely in multiple contexts.
5) Content-Description
 A text description of the object in the body; this is useful when the object is not readable
(e.g., audio data).
6c. What is S/MIME? What are the functions of S/MIME? (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6b.
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2017
2a. What is a firewall? Discuss the categorization of firewall. (12 Marks)
Ans:
Firewall
• A firewall is an information-security program that, like a building’s firewall, is designed to stop the
spread of damage.
• A firewall prevents specific types of information from moving between an untrusted-network and a
trusted-network.
Example for untrusted-network: Internet (outside world)
Example for trusted-network: Intranet or private network (inside world)
• Firewalls can be categorized by i) processing mode, ii) development era (generation), or iii) structure.
i) Firewall Processing Modes
• Firewalls fall into 5 major processing-mode categories:
1) Packet-filtering firewall 2) Application gateway
3) Circuit-gateway 4) MAC-layer firewall and 5) Hybrid firewall
1) Packet Filtering Firewall
• It operates at the network-layer of the OSI-model. (Figure 2-1).
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
• The rules are based on a combination of the following:
→ IP source and destination address
→ Direction (inbound or outbound)
→ Protocol
→ TCP/UDP source and destination port
2) Application Gateway
• It operates at the application-layer of the OSI-model.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because
it runs special software that acts as a proxy for a service-request.
• The proxy-server
→ receives requests for Web-pages
→ accesses the Web-server on behalf of the external client and
→ returns the requested-pages to the users.
• It is also known as a cache-server because
it stores the most recently accessed pages in the internal cache.
3) Circuit Gateway
• It operates at the transport-layer of the OSI-model.
• It does not usually look at traffic flowing between one network and another network.
• Rather, it prevents direct connection between one network and another network.
• It
→ creates tunnel connecting specific processes/systems on each side of the firewall, and
→ allow only authorized traffic in the tunnels
4) MAC Layer Firewall
• It operates at the data-link-layer of the OSI-model.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the MAC source and destination address.
5) Hybrid Firewall
• It combines the elements of above 4 types of firewalls.
• For ex:
The elements of packet-filtering and proxy services.
The elements of packet-filtering and circuit-gateways.
• It may consist of 2 separate firewalls which are connected so that they work in tandem.
ii) Firewall Categorized by Generation
1) First Generation Firewall
• It is a static packet-filtering firewall.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
2) Second Generation Firewall
• It is a application-level firewall.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
3) Third Generation Firewall
• It is a stateful inspection firewall.
• It monitors network-connection between internal and external systems using state-tables.
• A state-table records information like
→ source and destination address of devices involved in the conversation
→ what & when packet is sent
4) Fourth Generation Firewall
• It is a dynamic packet-filtering firewall.
• Here, only a particular packet with a particular source, destination, and port address is allowed to
enter into trusted-network.
5) Fifth Generation Firewall
• It includes the kernel-proxy.
• The kernel-proxy works under Windows NT Executive, which is the kernel of Windows NT.
• It evaluates packets at multiple layers of the OSI-model.
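As an added example (written for this page, not taken from the paper or from any firewall product), the Python below models a first-generation static packet filter and a third-generation stateful inspection filter over the same policy ("inside hosts may browse the web") and shows the security difference between them: the stateless filter must admit every inbound packet whose source port is 80, because it cannot tell a reply from a new connection, so a spoofed packet from port 80 to an inside SSH port gets through; the stateful filter admits only replies recorded in its state table. The addresses, rules and packets are constructed for the demonstration.

```python
from dataclasses import dataclass
import ipaddress

ANY = "*"

@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the untrusted side) or "out" (from the trusted side)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src: str            # CIDR network or "*"
    sport: object       # int or "*"
    dst: str
    dport: object
    action: str         # "allow" or "deny"

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def _port_match(pattern, port: int) -> bool:
    return pattern == ANY or pattern == port

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.proto == pkt.proto
            and _addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
            and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))

class StatelessFilter:
    """First-generation static packet filter: first matching rule wins, default deny."""
    def __init__(self, rules):
        self.rules = list(rules)
    def decide(self, pkt: Packet) -> str:
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action
        return "deny"

class StatefulFilter(StatelessFilter):
    """Third-generation stateful inspection: an outbound packet allowed by a rule
    is recorded in the state table; an inbound packet is admitted only if it is
    the reply half of a recorded connection."""
    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()   # (proto, inside addr, inside port, outside addr, outside port)
    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if key in self.state else "deny"
        action = super().decide(pkt)
        if action == "allow":
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

# Constructed policy: the inside network 10.0.0.0/24 may browse the web.
# The stateless version needs a second rule opening inbound traffic *from*
# port 80 to any inside port, because it cannot recognise replies.
STATELESS_RULES = [
    Rule("out", "tcp", "10.0.0.0/24", ANY, ANY, 80, "allow"),
    Rule("in",  "tcp", ANY, 80, "10.0.0.0/24", ANY, "allow"),
]
STATEFUL_RULES = [Rule("out", "tcp", "10.0.0.0/24", ANY, ANY, 80, "allow")]

def demo():
    """Return (stateless verdict, stateful verdict) for an inbound packet that
    looks like a web reply but actually targets an inside host's SSH port."""
    sl, sf = StatelessFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    request = Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80)
    reply   = Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40000)
    spoofed = Packet("in",  "tcp", "198.51.100.7", 80, "10.0.0.5", 22)
    for f in (sl, sf):
        assert f.decide(request) == "allow" and f.decide(reply) == "allow"
    return sl.decide(spoofed), sf.decide(spoofed)

if __name__ == "__main__":
    print(demo())   # ('allow', 'deny')
```

Both filters let the legitimate request and its reply through; only the stateful one refuses the spoofed "reply", which is the practical reason stateful inspection replaced static filtering at the perimeter.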
iii) Firewall Categorized by Structure
1) Commercial Grade Firewall Appliance
• It is a stand-alone, self-contained combination of computing hardware and software.
• Normally, it has many features of a general-purpose computer with the addition of firmware-based
instructions.
• Firmware based instruction
→ increases reliability/performance of the system and
→ minimizes the likelihood of the system being compromised.
2) Commercial Grade Firewall System
• It consists of application-software that is configured for the firewall-application.
• The application-software run on a general-purpose computer.
• Organizations can either
1) install firewall-software on an existing general-purpose-computer or
2) purchase hardware that runs firewall-application.
3) SOHO Firewall Appliance
• It is used for protecting the residential-user and small businesses using DSL or cable-modem.
• Both DSL and cable-modem connections are always on and therefore more exposed to attack.
• It is also known as DSL-router or broadband-gateway.
• It connects the user’s LAN/computer to the DSL-router provided by the ISP.
• It serves first as a stateful firewall to enable inside-to-outside access.
4) Residential Grade Firewall Software
• It is also used for protecting the residential-user.
• A software-firewall is installed directly on the user’s computer.
• It is often bundled with other protections such as antivirus or intrusion-detection in a security suite.
• For example: the McAfee, Norton, AVG and Kaspersky suites.
2b. What is a VPN? Explain the 2 modes of a VPN. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.2c.
3a. Bring out the different types of intrusion detection system (IDPS), with their advantages
and disadvantages. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.3a.
3b. Define
i) false negative
ii) false positive
iii) site policy
iv) alarm filtering (04 Marks)
Ans:
i) False Negative
• An alert does not occur in the presence of an actual attack.
• It is the most serious failure, since the purpose of an IDPS is to detect and respond to attacks.
ii) False Positive
• An alert occurs in the absence of an actual attack.
• A false positive may be produced when an IDPS mistakes normal system activity for an attack.
iii) Site Policy
• The rules and guidelines governing the operation of IDPSs within the organization.
iv) Alarm Filtering
• The process of classifying IDPS alerts so that they can be more effectively managed.
• An admin can set up alarm filtering by running the system for a while to track what types of false
positives it generates and then adjusting the alarm classifications.
• For example, the admin may set the IDPS to discard alarms produced by false attack stimuli or
normal network operations.
• Like a packet filter, an alarm filter is used to filter alerts based on operating system, confidence
value, alarm type, or alarm severity.
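The following Python is an added example (not part of the paper) that applies the definitions above together with the confidence value defined in the June 2016 paper (Q.3c): it discards alerts caused by a known false attack stimulus (the organisation's own vulnerability scanner) or by attacks that cannot affect the target's operating system, then combines the IDPS severity with a per-signature confidence value learned from past performance to decide whether an alert is merely logged or pages an analyst. The confidence table, benign-source list, threshold and sample alerts are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    signature: str      # what the IDPS thinks it saw
    src: str
    dst: str
    dst_os: str         # OS of the target, from the asset inventory (assumed)
    target_os: str      # OS the signature's attack actually affects, or "any"
    severity: int       # 1 (low) .. 5 (critical), as assigned by the IDPS

# Constructed tuning data (assumptions): confidence values from past performance
# (fraction of past alerts for this signature that were real attacks), and hosts
# known to produce false attack stimuli (the team's own authorised scanner).
CONFIDENCE = {"SQLi-union-select": 0.90, "ICMP-sweep": 0.20, "IIS-unicode-traversal": 0.85}
KNOWN_BENIGN_SOURCES = {"10.0.0.250"}
PAGE_THRESHOLD = 3.0          # severity * confidence needed to page someone

def classify(alert: Alert) -> str:
    """Apply the alarm filter and return 'discard', 'log' or 'page'."""
    if alert.src in KNOWN_BENIGN_SOURCES:
        return "discard"                      # false attack stimulus from our own scanner
    if alert.target_os != "any" and alert.target_os != alert.dst_os:
        return "discard"                      # attack cannot succeed against this OS
    confidence = CONFIDENCE.get(alert.signature, 0.5)   # no track record yet: neutral
    score = alert.severity * confidence
    return "page" if score >= PAGE_THRESHOLD else "log"

def triage(alerts):
    """Group alerts by disposition, highest severity first within each group."""
    groups = {"discard": [], "log": [], "page": []}
    for a in alerts:
        groups[classify(a)].append(a)
    for g in groups.values():
        g.sort(key=lambda a: a.severity, reverse=True)
    return groups

SAMPLE_ALERTS = [   # constructed sample alerts
    Alert("SQLi-union-select", "198.51.100.7", "10.0.0.20", "linux", "any", 4),
    Alert("IIS-unicode-traversal", "198.51.100.9", "10.0.0.20", "linux", "windows", 5),
    Alert("ICMP-sweep", "203.0.113.3", "10.0.0.1", "linux", "any", 2),
    Alert("SQLi-union-select", "10.0.0.250", "10.0.0.20", "linux", "any", 4),
]

if __name__ == "__main__":
    for disposition, items in triage(SAMPLE_ALERTS).items():
        print(disposition, [(a.signature, a.src) for a in items])
```

Note that the discarded IIS alert is the highest-severity one in the sample; filtering on what the target actually runs is what keeps a severity-5 false positive from paging anyone, and the discarded alerts should still be counted, since a rise in them is itself a signal that tuning has drifted.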
3c. Explain honey pots, honey nets and padded cell systems. (06 Marks)
Ans:
Honeypots, Honeynets, and Padded-Cell Systems
• Honeypot refers to a trapping-system used to tempt potential attackers into committing an attack.
• Honeynet refers to an interconnection of several honeypots on a subnet.
• A honeypot contains pseudo-services that imitate well-known services.
• But, these services are configured in such a way that it looks vulnerable to attacks.
• Honeypot is designed to do the following:
1) Divert an attacker from critical systems.
2) Collect information about the attacker’s activity.
3) Encourage the attacker to stay on the system for longer time, so that admins can
respond.
• A honeypot appears to hold valuable information.
• So, any unauthorized access to honeypot can be considered as suspicious activity.
• Honeypots are equipped with sensitive monitors and event loggers that
→ detect attempts to access the system and
→ collect information about the potential attacker’s activities.
• Padded-Cell refers to a honeypot that is protected so that it cannot be easily compromised.
• A padded-cell operates in tandem with a traditional IDPS.
• When the IDPS detects an attacker, the attacker will be diverted to a dummy-systems where they
cause no harm.
• Advantages:
1) Attackers can be diverted to dummy-systems that they cannot damage.
2) Attackers’ actions can be monitored.
The records can be used to refine threat models and improve system protections.
3) Honeypots may be effective at catching insiders who are snooping around a network.
4) Admins have time to respond to an attacker.
• Disadvantages:
1) An expert attacker, once diverted into a dummy-system, may become angry and launch a
more aggressive attack.
2) The legal implications of using such devices are not well understood.
3) Honeypot/padded-cell have not yet been shown to be useful security technologies.
4) Admins must have a high level of expertise to manage these systems.
4a. Encipher the text message "VISVESVARAYA TECH VERSITY" with one time pad text
"JNANA SANGAMA KARNATAKA ST" using vernam cipher technique. (10 Marks)
Ans:
Vernam Cipher (or One-Time Pad)
• It uses a set of characters only one time for each encryption-process. Hence, the name one-time
pad.
• To perform encryption, the pad-values are added to numeric-values that represent the plaintext.
• Each letter of the plaintext is converted into a number & a pad-value for that position is added to it.
• The resulting sum for that character is then converted back to a ciphertext-letter for transmission.
• If the sum of the two values exceeds 26, then 26 is subtracted from the total.
• Consider the given problem (letters are numbered A=1, B=2, ..., Z=26; the question gives
VISVESVARAYA TECH VERSITY as the plaintext and JNANA SANGAMA KARNATAKA ST as the one-time pad):
Plaintext     V  I  S  V  E  S  V  A  R  A  Y  A  T  E  C  H  V  E  R  S  I  T  Y
Value         22 9  19 22 5  19 22 1  18 1  25 1  20 5  3  8  22 5  18 19 9  20 25
Pad text      J  N  A  N  A  S  A  N  G  A  M  A  K  A  R  N  A  T  A  K  A  S  T
Pad value     10 14 1  14 1  19 1  14 7  1  13 1  11 1  18 14 1  20 1  11 1  19 20
Sum           32 23 20 36 6  38 23 15 25 2  38 2  31 6  21 22 23 25 19 30 10 39 45
After mod 26  6  23 20 10 6  12 23 15 25 2  12 2  5  6  21 22 23 25 19 4  10 13 19
Ciphertext    F  W  T  J  F  L  W  O  Y  B  L  B  E  F  U  V  W  Y  S  D  J  M  S
• The encryption-process works as follows:
 The plaintext letter “V” is converted into the number 22 (because it is the 22nd letter of the alphabet).
 The pad-value is derived from the position of each pad-text letter in the alphabet; thus
the pad-text letter “J” is assigned the position number 10.
 This conversion process is repeated for the entire plaintext and one-time pad text.
 Next, the plaintext value and the one-time pad value at each position are added together.
 The first sum is 32; since the sum exceeds 26, 26 is subtracted from the total,
i.e. 32-26=6, so the ciphertext-letter is “F”.
 Because addition is commutative, swapping the roles of plaintext and pad produces the same ciphertext.
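The Python below is an added example (not part of the solved paper) that implements the A=1 ... Z=26 convention of the worked table, reproduces the ciphertext FWTJFLWOYBLBEFUVWYSDJMS, decrypts it, generates a proper pad from a cryptographically secure random source, and demonstrates why a pad must never be reused: the difference of two ciphertexts made with the same pad equals the difference of the two plaintexts, with the pad cancelled out. The sample messages used for the reuse demonstration are constructed.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def _letters(text: str) -> str:
    """Keep only letters, upper-cased; spaces are dropped as in the worked table."""
    return "".join(c for c in text.upper() if c in ALPHABET)

def letter_value(c: str) -> int:
    """A=1 ... Z=26, the convention used in the worked table above."""
    return ALPHABET.index(c) + 1

def value_letter(v: int) -> str:
    return ALPHABET[(v - 1) % 26]

def vernam_encrypt(plaintext: str, pad: str) -> str:
    """Add pad values to plaintext values; subtract 26 when the sum exceeds 26."""
    p, k = _letters(plaintext), _letters(pad)
    if len(k) < len(p):
        raise ValueError("pad must be at least as long as the plaintext")
    out = []
    for pc, kc in zip(p, k):
        s = letter_value(pc) + letter_value(kc)
        if s > 26:
            s -= 26
        out.append(value_letter(s))
    return "".join(out)

def vernam_decrypt(ciphertext: str, pad: str) -> str:
    """Subtract pad values; add 26 when the difference drops below 1."""
    c, k = _letters(ciphertext), _letters(pad)
    out = []
    for cc, kc in zip(c, k):
        d = letter_value(cc) - letter_value(kc)
        if d < 1:
            d += 26
        out.append(value_letter(d))
    return "".join(out)

def fresh_pad(length: int) -> str:
    """A real one-time pad: uniformly random letters from a CSPRNG, used once.
    A phrase such as the exam's 'JNANA SANGAMA ...' is not random and gives
    no one-time-pad security guarantee."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def pad_reuse_leak(ct1: str, ct2: str) -> str:
    """If one pad encrypts two messages, C1 - C2 = P1 - P2 (mod 26): the pad
    cancels and an eavesdropper learns the plaintext difference without the
    pad. Returned as letters, with A meaning difference 0 (same letter)."""
    return "".join(ALPHABET[(letter_value(a) - letter_value(b)) % 26] for a, b in zip(ct1, ct2))

if __name__ == "__main__":
    pad = "JNANA SANGAMA KARNATAKA ST"
    ct = vernam_encrypt("VISVESVARAYA TECH VERSITY", pad)
    print(ct)                           # FWTJFLWOYBLBEFUVWYSDJMS
    print(vernam_decrypt(ct, pad))      # VISVESVARAYATECHVERSITY
    # Reuse: positions where the two plaintexts agree show up as 'A'
    print(pad_reuse_leak(vernam_encrypt("ATTACK", "QWERTY"), vernam_encrypt("ATTEND", "QWERTY")))
```

In the reuse output, the leading AAA reveals that the two messages start with the same three letters, and the remaining letters give the exact difference of the rest; with natural-language messages that is enough to recover both plaintexts, which is why the pad is one-time.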
4b. Explain the different attack on cryptosystem. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.4b.
5a. Discuss the different security attack. (10 Marks)
Ans:
Security Attack
• Security attack refers to any action that compromises the information or network security.
• It can be divided into two categories: 1) passive attack and 2) active attack.
1) Passive Attack
• The attacker tries to learn or make use of information from the system.
• The attacker does not affect system resources.
• The attack can be in the form of eavesdropping on, or monitoring of, transmissions.
• Goal of the opponent: To obtain information that is being transmitted.
• Problem:
Passive attacks are very difficult to detect, because they do not involve any alteration of the
data.
So the emphasis is on prevention rather than detection, e.g. by encrypting the transmissions.
• It can be subdivided into two categories: i) release of message contents and ii) traffic analysis.
i) Release of Message Contents
• For example:
 A telephone conversation, an electronic mail message, and a transferred file may contain
sensitive or confidential information. (Figure 5.2).
 We would like to prevent an opponent from learning the contents of these transmissions.
Figure 5.2: Release of message contents
ii) Traffic Analysis
• Encryption is the most common technique for hiding the contents of a message.
• Even if we have encryption protection in place, an opponent may be able to observe the pattern of
these messages.
• The opponent can
→ determine the location and identity of communicating hosts and
→ observe the frequency and length of messages being exchanged. (Figure 5.3).
• This information may be useful in guessing the nature of the communication that was taking place.
Figure 5.3 : Traffic analysis
2) Active Attacks
• The attacker tries to alter system resources or affect their operation.
• For example:
→ modification of the data stream
→ creation of a false stream
• Goal of the defender against active attacks:
To detect active attacks and to recover from any disruption or delays caused by them.
• It can be subdivided into four categories: i) masquerade, ii) replay, iii) modification of messages, and
iv) denial of service.
i) Masquerade
• This attack takes place when one entity pretends to be a different entity (Figure 5.4).
• For example:
Authentication sequences can be captured and replayed after a valid authentication sequence
has taken place
ii) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce
an unauthorized effect (Figure 5.5).
iii) Modification of Messages
• For example:
→ some portion of a legitimate message is altered
→ messages are delayed or reordered (Figure 5.6).
iv) Denial of Service
• This attack prevents the normal use of communications facilities (Figure 5.7).
i) This attack may have a specific target.
 For example:
An entity may suppress all messages directed to a particular destination
ii) This attack may involve the disruption of an entire network.
 For example:
Overloading the network to degrade performance.
• Problem:
 Difficult to prevent active attacks because of the wide variety of potential physical,
software, and network vulnerabilities.
Figure 5.4: Masquerade
Figure 5.5: Replay
Figure 5.6: Modification of messages
Figure 5.7: Denial of service
5b. Explain in detail the X.509 certificate format with a diagram. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5c.
6a. Discuss the services of pretty good privacy (PGP). (10 Marks)
Ans:
OPERATIONAL DESCRIPTION
• Basically, PGP provides 5 services (Table 6.1):
1) authentication
2) confidentiality
3) compression
4) e-mail compatibility and
5) segmentation.
1) AUTHENTICATION
• Figure 6.1 illustrates the digital signature service provided by PGP.
• The sequence of operation is as follows:
At Sender
1) A message is created.
2) A hash code of a message is created using SHA-1.
3) The hash code is encrypted using RSA with the sender’s private-key.
4) The encrypted hash code is appended to the message.
At Receiver
1) The encrypted hash code attached to the received message is decrypted using RSA with the sender’s
public-key. Thus, the hash code is recovered.
2) A new hash code for the received message is created using SHA-1.
3) The new hash code is compared with the decrypted hash code.
4) If the two match, the message is accepted as authentic.
Figure 6.1 Authentication only
2) CONFIDENTIALITY
• Figure 6.2 illustrates the message encryption service provided by PGP.
• The sequence of operation is as follows:
At Sender
1) A message is created. A random session key is generated and used for this message only.
2) The message is encrypted using 3DES (or CAST) with the session key.
3) The session key is encrypted using RSA with the receiver’s public-key.
4) The encrypted session key is appended to the message.
At Receiver
1) The encrypted session key attached to the received message is decrypted using RSA with the
receiver’s private-key. Thus, the session key is recovered.
2) The received message is decrypted using 3DES (or CAST) with the session key.
Figure 6.2 Confidentiality only
3) COMPRESSION
• PGP compresses the message after applying the signature but before encryption.
• This has the benefit of saving space both for
→ e-mail transmission and
→ file storage.
1) The signature is generated before compression. This is done for the following two reasons:
a) It is preferable to sign an uncompressed message. For future verification, we can store only
the uncompressed message together with the signature; otherwise the message would have to be
re-compressed exactly as before in order to verify the signature.
b) Different versions of PGP’s compression algorithm produce different compressed output, so a
signature over the compressed form would be tied to one particular implementation.
2) Message encryption is applied after compression to strengthen cryptographic security: the
compressed message has less redundancy than the original plaintext, which makes cryptanalysis harder.
4) E-MAIL COMPATIBILITY
• An encrypted message consists of a stream of arbitrary 8-bit octets.
• Radix64 is used for converting a stream of arbitrary 8-bit octets to a stream of printable ASCII
characters.
• Each group of 3 octets is mapped into 4 ASCII characters.
• CRC is also appended for detecting errors.
• The use of radix64 expands a message by 33%.
5) SEGMENTATION AND REASSEMBLY
• E-mail facilities often are restricted to a maximum message length.
• For example, many Internet mail facilities impose a maximum length of 50,000 octets.
• Any message longer than that must be broken up into smaller segments, each of which is mailed
separately.
• The segmentation is done after all of the other processing, including the radix-64 conversion.
• Thus, the session key component and signature component appear only once, at the beginning of the
first segment.
• At the receiving end, PGP must strip off all e-mail headers and reassemble the entire original block.
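As an added example (not from the paper or from any PGP implementation), the Python below implements the e-mail compatibility and segmentation layers described above: radix-64 encoding with the OpenPGP CRC-24 trailer (RFC 4880 section 6.1, using the initial value and polynomial that specification gives), the 33% expansion, splitting the armored output into fixed-size segments after all other processing, and reassembly with CRC verification. Signing, compression and encryption are not implemented here; a constructed stand-in for the session-key component is prepended to show that it appears only at the front of the first segment.

```python
import base64

CRC24_INIT = 0xB704CE      # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """CRC-24 as used by OpenPGP ASCII armor; detects transmission errors only."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def radix64_armor(data: bytes, line_len: int = 64) -> str:
    """Radix-64: each 3 octets become 4 printable characters; the 3-byte CRC,
    itself radix-64 encoded and prefixed with '=', is appended as a trailer line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    return "\n".join(lines)

def radix64_dearmor(text: str) -> bytes:
    """Reverse the armor and check the CRC trailer. This is an error check, not
    an integrity protection: tampering is caught by the signature, not the CRC."""
    lines = text.split("\n")
    trailer = lines.pop()
    data = base64.b64decode("".join(lines))
    expected = int.from_bytes(base64.b64decode(trailer[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("radix-64 CRC mismatch")
    return data

def expansion_ratio(data: bytes) -> float:
    """Armored length / raw length, ignoring the CRC trailer and line breaks (4/3)."""
    return len(base64.b64encode(data)) / len(data)

def segment(armored: str, max_octets: int) -> list:
    """Split the finished armored message into pieces of at most max_octets,
    the last step on the sending side; each piece is mailed separately."""
    return [armored[i:i + max_octets] for i in range(0, len(armored), max_octets)]

def reassemble(segments) -> str:
    """Receiving side: concatenate the pieces (mail headers already stripped)."""
    return "".join(segments)

if __name__ == "__main__":
    session_key_component = b"\x01" * 16      # constructed stand-in, not a real key packet
    armored = radix64_armor(session_key_component + b"ciphertext body " * 30)
    parts = segment(armored, 200)
    recovered = radix64_dearmor(reassemble(parts))
    print(len(parts), "segments; expansion", expansion_ratio(b"x" * 300))
    print("session-key component only at the front of segment 1:",
          recovered.startswith(session_key_component))
```

The CRC catches a mangled character introduced in transit, but an attacker who alters the armored text can simply recompute the trailer; only the signature verified in the authentication step provides integrity.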
6b. Explain MIME content type. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6c.
6c. Briefly explain the S/MIME functionality. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6b.
MULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERINGMULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERING
MULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERINGvtunotesbysree
 
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORT
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORTSOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORT
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORTvtunotesbysree
 
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION) SOLVED PAPERS
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION)  SOLVED PAPERSVTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION)  SOLVED PAPERS
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION) SOLVED PAPERSvtunotesbysree
 
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERS
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERSVTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERS
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERSvtunotesbysree
 
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...vtunotesbysree
 
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...vtunotesbysree
 
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...vtunotesbysree
 
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015vtunotesbysree
 
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...vtunotesbysree
 
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...vtunotesbysree
 
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJA
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJASOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJA
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJAvtunotesbysree
 
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...vtunotesbysree
 
VTU 1ST SEM PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...
VTU 1ST SEM  PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...VTU 1ST SEM  PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...
VTU 1ST SEM PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...vtunotesbysree
 
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015vtunotesbysree
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSvtunotesbysree
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKSvtunotesbysree
 

Plus de vtunotesbysree (17)

VTU 3RD SEM UNIX AND SHELL PROGRAMMING SOLVED PAPERS
VTU 3RD SEM UNIX AND SHELL PROGRAMMING SOLVED PAPERSVTU 3RD SEM UNIX AND SHELL PROGRAMMING SOLVED PAPERS
VTU 3RD SEM UNIX AND SHELL PROGRAMMING SOLVED PAPERS
 
MULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERING
MULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERINGMULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERING
MULTIPLE CHOICE QUESTIONS ON COMMUNICATION PROTOCOL ENGINEERING
 
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORT
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORTSOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORT
SOLUTION MANUAL OF WIRELESS COMMUNICATIONS BY THEODORE S RAPPAPORT
 
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION) SOLVED PAPERS
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION)  SOLVED PAPERSVTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION)  SOLVED PAPERS
VTU 5TH SEM CSE COMPUTER NETWORKS-1 (DATA COMMUNICATION) SOLVED PAPERS
 
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERS
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERSVTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERS
VTU 5TH SEM CSE OPERATING SYSTEMS SOLVED PAPERS
 
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...
VTU 5TH SEM CSE SOFTWARE ENGINEERING SOLVED PAPERS - JUN13 DEC13 JUN14 DEC14 ...
 
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...
VTU 7TH SEM CSE DATA WAREHOUSING AND DATA MINING SOLVED PAPERS OF DEC2013 JUN...
 
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...
VTU 6TH SEM CSE COMPUTER NETWORKS 2 SOLVED PAPERS OF JUNE-2013 JUNE-14 & JUNE...
 
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015
VTU 4TH SEM CSE MICROPROCESSORS SOLVED PAPERS OF JUNE-2014 & JUNE-2015
 
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...
VTU 4TH SEM CSE COMPUTER ORGANIZATION SOLVED PAPERS OF JUNE-2013 JUNE-2014 & ...
 
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...
SOLUTION MANUAL OF OPERATING SYSTEM CONCEPTS BY ABRAHAM SILBERSCHATZ, PETER B...
 
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJA
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJASOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJA
SOLUTION MANUAL OF COMMUNICATION NETWORKS BY ALBERTO LEON GARCIA & INDRA WIDJAJA
 
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...
SOLUTION MANUAL OF COMPUTER ORGANIZATION BY CARL HAMACHER, ZVONKO VRANESIC & ...
 
VTU 1ST SEM PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...
VTU 1ST SEM  PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...VTU 1ST SEM  PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...
VTU 1ST SEM PROGRAMMING IN C & DATA STRUCTURES SOLVED PAPERS OF JUNE-2015 & ...
 
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015
VTU 8TH SEM CSE ADHOC NETWORKS SOLVED PAPERS OF JUNE-2014 DEC-14 & JUNE-2015
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON NETWORK MANAGEMENT SYSTEMS
 
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKSMULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKS
MULTIPLE CHOICE QUESTIONS WITH ANSWERS ON WIRELESS SENSOR NETWORKS
 

Dernier

(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...RajaP95
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...ranjana rawat
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Dr.Costas Sachpazis
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 

Dernier (20)

(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 

Firewall Generations and VPN Implementation

2a. Discuss the different generations of firewalls. (06 Marks)
Ans:
Firewall Categorized by Generation
1) First Generation Firewall
• It is a static packet-filtering firewall.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
2) Second Generation Firewall
• It is an application-level firewall.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because it runs special software that acts as a proxy for a service-request.
3) Third Generation Firewall
• It is a stateful inspection firewall.
• It monitors network-connections between internal and external systems using state-tables.
• A state-table records information like
→ source and destination addresses of the devices involved in the conversation
→ what packet is sent and when
4) Fourth Generation Firewall
• It is a dynamic packet-filtering firewall.
• Here, only a packet with a particular source address, destination address, and port is allowed to enter the trusted-network.
5) Fifth Generation Firewall
• It includes the kernel-proxy.
• The kernel-proxy works under Windows NT Executive, which is the kernel of Windows NT.
• It evaluates packets at multiple layers of the OSI-model.
• For example: Cisco's security-kernel
▪ The security-kernel contains 3 components:
1) Interceptor/Packet-Analyzer
2) Security Verification Engine (SVEN), and
3) Kernel Proxies.
▪ Interceptor
→ captures packets arriving at the firewall and
→ passes the packets to the Packet-Analyzer.
▪ Packet-Analyzer
→ reads the header
→ extracts signature-data, and
→ passes both the data and the packets to the SVEN.
▪ SVEN
→ receives both the data and the packets
→ determines whether to drop the packet and
→ creates a new session.

2b. Explain the important points of selecting the right firewall. (04 Marks)
Ans:
Selecting the Right Firewall
• To determine the best firewall for an organization, the following questions can be considered:
1) Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2) What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3) How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4) Can the candidate firewall adapt to the growing network in the target organization?
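The difference between the first-generation static packet filter and the third-generation stateful inspection firewall is easiest to see on a concrete packet sequence. The following is an added example written for this page, not code from the solved paper or from any vendor: the packet model, the trusted network prefix 10.0.0.0/24, the published web server 10.0.0.80:80 and the rule sets are all constructed. A static filter that must let replies to outbound client connections back in has to open every inbound packet addressed to an ephemeral port, so an unsolicited inbound SYN to a high port slips through; the stateful filter consults its state-table and drops it because no internal host started that conversation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Just the header fields a packet filter looks at (constructed model)."""
    src: str       # source IP address
    dst: str       # destination IP address
    sport: int     # source port
    dport: int     # destination port
    flags: str     # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)
    inbound: bool  # True when the packet arrives from the untrusted side


INTERNAL_NET = "10.0.0."        # constructed: prefix of the trusted network
WEB_SERVER = ("10.0.0.80", 80)  # constructed: the one published service


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


# --- First generation: static packet filter --------------------------------
# Each packet is judged on its header alone. To let replies to outbound
# client connections back in, the rule set has to admit any inbound packet
# whose destination is an ephemeral port (>1023). That blanket rule is the
# hole a stateful firewall closes.
def static_filter(pkt: Packet) -> bool:
    if not pkt.inbound:
        return True                      # outbound traffic is allowed
    if (pkt.dst, pkt.dport) == WEB_SERVER:
        return True                      # published web server
    if pkt.dport > 1023:
        return True                      # assumed to be a reply to a client
    return False


# --- Third generation: stateful inspection ---------------------------------
class StatefulFilter:
    """Keeps a state table keyed on the connection's address/port pairs.
    Inbound packets are admitted only when they belong to a conversation
    that an internal host started."""

    def __init__(self) -> None:
        self.state = {}   # connection key -> state string

    @staticmethod
    def _key(pkt: Packet) -> tuple:
        # Order the two endpoints so both directions map to one entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)

    def accept(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if "S" in pkt.flags and is_internal(pkt.src):
                self.state[self._key(pkt)] = "SYN_SENT"   # new outbound conn
            return True
        if (pkt.dst, pkt.dport) == WEB_SERVER:
            return True                      # published web server
        key = self._key(pkt)
        if key not in self.state:
            return False      # no matching conversation: unsolicited, drop
        self.state[key] = "ESTABLISHED"
        return True


def run_scenario() -> dict:
    """Constructed traffic: an internal client's HTTPS session, followed by
    an unsolicited inbound SYN aimed at a high port on that same client."""
    client_syn = Packet("10.0.0.5", "203.0.113.7", 51000, 443, "S", inbound=False)
    server_synack = Packet("203.0.113.7", "10.0.0.5", 443, 51000, "SA", inbound=True)
    unsolicited = Packet("198.51.100.9", "10.0.0.5", 4444, 51001, "S", inbound=True)
    traffic = (client_syn, server_synack, unsolicited)
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in traffic],      # [True, True, True]
        "stateful": [stateful.accept(p) for p in traffic],  # [True, True, False]
        "state_table": dict(stateful.state),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The state-table entry is created by the client's outbound SYN and promoted to ESTABLISHED by the matching SYN/ACK, which is the "what packet is sent and when" bookkeeping the text attributes to third-generation firewalls; a fourth-generation dynamic filter would additionally open and close the per-connection rule itself as the state changes.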
2c. Explain the implementation of VPN in different methods. (10 Marks)
Ans:
Virtual Private Network (VPN)
• It is defined as a private-network that makes use of the public telecommunication infrastructure.
• Two ways to implement a VPN: 1) Transport mode and 2) Tunnel mode.
1) Transport Mode
• The data within an IP-packet is encrypted, but the header is not encrypted (Figure 2-9).
• Advantages:
1) Eliminates the need for special servers and tunneling-software.
2) Allows the end-users to transmit traffic from anywhere.
3) Especially useful for traveling employees.
• Disadvantage: An attacker can still identify the destination-computer.
Figure 2-9 Transport Mode VPN
• There are two popular uses for transport mode VPNs:
1) End-to-end transport of encrypted data.
▪ Here, two end-users can communicate securely using encryption and decryption.
▪ Each machine acts as the 1) end-node VPN server and 2) end-node VPN client.
2) A teleworker (or remote-access worker) connects to a company-network over the Internet.
▪ Thus, the teleworker's system can work as if it were part of the LAN.
2) Tunnel Mode
• A connection is set up between two perimeter tunnel-servers (Figure 2-10).
• These 2 tunnel-servers encrypt all traffic that will traverse an unsecured-network.
• Both data & header within an IP-packet are encrypted.
• The entire IP-packet is encapsulated within another packet (for example, an IPv6-packet within an IPv4-packet).
• The new packet is addressed from one tunneling server to another.
• Advantage: An intercepted packet reveals nothing about the true destination system.
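The security difference between the two modes is what an observer on the public network can read from an intercepted packet. The example below is added here and is not code from the solved paper or from any VPN product: packets are plain Python dicts, the addresses are constructed, and the cipher is a toy SHA-256 keystream XOR that stands in for the VPN's real encryption (it gives no integrity protection and reuses its nonce, so it is for illustration only, not a substitute for IPsec). In transport mode the observer still sees the true source and destination; in tunnel mode the whole inner packet, header included, is encrypted and the outer header names only the two tunnel-servers.

```python
import hashlib
import json


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 over key + counter, concatenated. Not real crypto."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; stand-in for the VPN's cipher."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself


def ip_packet(src: str, dst: str, payload: bytes) -> dict:
    return {"src": src, "dst": dst, "payload": payload}


# --- Transport mode: data encrypted, original header left in the clear -----
def transport_mode(pkt: dict, key: bytes) -> dict:
    return {"src": pkt["src"], "dst": pkt["dst"],
            "payload": toy_encrypt(key, pkt["payload"])}


def transport_mode_receive(pkt: dict, key: bytes) -> dict:
    return {"src": pkt["src"], "dst": pkt["dst"],
            "payload": toy_decrypt(key, pkt["payload"])}


# --- Tunnel mode: whole inner packet encrypted, then wrapped in a new one ---
def tunnel_mode(pkt: dict, key: bytes, gw_a: str, gw_b: str) -> dict:
    """gw_a and gw_b are the two perimeter tunnel-servers; the outer packet is
    addressed from one to the other, so only they appear in the clear."""
    inner = json.dumps({"src": pkt["src"], "dst": pkt["dst"],
                        "payload": pkt["payload"].hex()}).encode()
    return {"src": gw_a, "dst": gw_b, "payload": toy_encrypt(key, inner)}


def tunnel_mode_receive(outer: dict, key: bytes) -> dict:
    inner = json.loads(toy_decrypt(key, outer["payload"]))
    return {"src": inner["src"], "dst": inner["dst"],
            "payload": bytes.fromhex(inner["payload"])}


def observer_view(pkt: dict) -> dict:
    """What an interceptor on the public network learns: the outer header and
    the payload length. The payload bytes themselves are opaque."""
    return {"src": pkt["src"], "dst": pkt["dst"], "payload_len": len(pkt["payload"])}


def demo() -> dict:
    key = b"constructed-demo-key"                      # constructed shared key
    original = ip_packet("10.0.0.5", "10.0.1.9", b"GET /payroll HTTP/1.1")
    t = transport_mode(original, key)
    u = tunnel_mode(original, key, "203.0.113.1", "198.51.100.1")
    return {
        "transport_seen": observer_view(t),    # reveals 10.0.0.5 -> 10.0.1.9
        "tunnel_seen": observer_view(u),       # reveals only the two gateways
        "inner_dst_visible_in_tunnel": b"10.0.1.9" in u["payload"],  # False
        "transport_ok": transport_mode_receive(t, key) == original,
        "tunnel_ok": tunnel_mode_receive(u, key) == original,
    }


if __name__ == "__main__":
    print(demo())
```

Note that even in tunnel mode the observer still learns the packet length and the fact that the two gateways are talking; the text's claim is about the true end systems, which is exactly what the outer header no longer carries.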
Figure 2-10 Tunnel Mode VPN

3a. Explain the advantages and disadvantages of NIDPS. (10 Marks)
Ans:
Network-Based IDPS (NIDPS)
• It is focused on protecting network-assets.
• It resides on a network-segment of an organization.
• It monitors a specific group of computers on a specific network-segment.
• It looks for indications of ongoing or successful attacks.
• When it identifies an attack, it sends an alert to the admin.
• When placed next to a network-device (hub/switch), the NIDPS may use that device's monitoring-port.
• A monitoring-port is a connection on a network-device that is capable of viewing all of the traffic that moves through the entire device.
• To check for an attack, the NIDPS compares measured activity to known signatures in its knowledge base.
• In protocol stack verification, the NIDPS looks for invalid data-packets.
• In application protocol verification, the higher-order protocols (HTTP, FTP) are examined for unexpected packet behavior.
• Advantages:
1) A few NIDPSs can be used to monitor a large network.
2) It is a passive device. So, it can be deployed into existing networks without disturbing normal operations.
3) It is not susceptible to direct attack. So, it may not be detectable by attackers.
4) It can detect many more types of attacks than a HIDPS.
• Disadvantages:
1) The NIDPS can be overloaded by network volume. So, it may fail to recognize actual attacks.
2) It requires access to all traffic to be monitored.
3) It cannot analyze encrypted packets.
4) It cannot reliably confirm whether an attack was successful or not.
5) It cannot detect attacks involving fragmented packets.
6) It requires a much more complex configuration and maintenance program.
• Two subtypes of network-based IDPS: i) wireless IDPS and ii) network behavior analysis (NBA) IDPS.
1) Wireless NIDPS (WIDPS)
• It is focused on protecting wireless-networks.
• It monitors and analyzes wireless-network-traffic.
• It looks for potential problems with the wireless protocols.
• It can be built into a device that provides a wireless access-point (e.g. a base station).
• It can also detect:
→ Unauthorized WLANs and WLAN devices
→ Poorly secured WLAN devices
→ Unusual usage patterns
→ Use of wireless-network scanners
→ DoS attacks and conditions
→ Impersonation and man-in-the-middle attacks
• Some issues associated with the implementation of WIDPS:
i) Physical Security
• Many wireless sensors are deployed in public places to obtain the widest possible network range.
• Public areas include conference rooms, assembly areas, and hallways.
• So, additional security configuration and monitoring must be provided.
ii) Sensor Range
• A wireless device's range can be affected by
→ atmospheric conditions
→ building construction and
→ quality of the network card
• Some IDPSs can be used to identify the optimal location for sensors by using the footprint based on signal strength.
• Sensors are most effective when their footprints overlap.
iii) Access-point and wireless switch locations
• Wireless-components containing IDPS must be carefully deployed to optimize the sensor detection grid.
• The rule of thumb: you must guard against the possibility of an attacker connecting to an access-point from a range far beyond the minimum.
iv) Wired-network-connections
• Wireless-network components work independently of the wired-network when sending and receiving between stations and access-points.
• However, a network-connection eventually integrates wireless traffic with the organization's wired network.
• Where there is no available wired-network-connection, it may be impossible to deploy a sensor.
v) Cost
• The more sensors deployed, the more expensive the configuration.
• Wireless-components typically cost more than their wired counterparts.
• Thus, the total cost of ownership of IDPSs of both wired and wireless varieties should be carefully considered.
2) Network Behavior Analysis System (NBA IDPS)
• It examines traffic-flow on a network in an attempt to identify attacks like DDoS, viruses and worms.
• It uses a version of the anomaly detection method to identify excessive packet flows.
• It typically monitors internal-networks but occasionally monitors connections between internal and external networks.
• A typical traffic-flow record includes:
→ Source and destination IP-addresses
→ Source and destination TCP or UDP ports
→ ICMP types and codes
→ Number of packets and bytes transmitted in the session
→ Starting and ending timestamps for the session
• It can detect the following types of attacks:
→ DoS attacks (including DDoS attacks)
→ Scanning
→ Worms
→ Unexpected application services (e.g., tunneled protocols, back doors)
→ Policy violations
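The NBA subtype works on exactly the flow fields listed above rather than on packet content, which is also why an NIDPS that cannot read encrypted payloads can still see scanning and flooding. The following added example (written for this page, not code from the solved paper or from any IDPS product) builds flow records from constructed packet records of the kind a sensor on a monitoring-port would export, then applies two illustrative rules: a scan rule on the number of distinct destination ports one source touches on one destination, and an excessive-packet-flow rule on packets per second within a single flow. All addresses and thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One traffic-flow record with the fields the text lists."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int = 0
    bytes: int = 0
    start: float = 0.0
    end: float = 0.0


def build_flows(records):
    """records are (timestamp, src, dst, proto, sport, dport, length) tuples,
    as a sensor on a monitoring-port might export them. Packets are grouped
    by their 5-tuple into flow records. Only headers are used, which is why
    this still works on encrypted traffic whose payload the sensor cannot read."""
    flows = {}
    for ts, src, dst, proto, sport, dport, length in records:
        key = (src, dst, proto, sport, dport)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(src, dst, proto, sport, dport, start=ts, end=ts)
        f.packets += 1
        f.bytes += length
        f.start = min(f.start, ts)
        f.end = max(f.end, ts)
    return list(flows.values())


SCAN_PORT_THRESHOLD = 10     # assumption: distinct dst ports from one src to one dst
FLOOD_PPS_THRESHOLD = 500.0  # assumption: packets per second within a single flow
FLOOD_MIN_PACKETS = 50       # assumption: ignore tiny flows when computing rates


def detect(flows):
    """Return (type, src, dst, measure) alerts for scanning and flooding."""
    alerts = []
    # Scanning: one source touching many distinct ports on one destination.
    ports_seen = defaultdict(set)
    for f in flows:
        ports_seen[(f.src, f.dst)].add(f.dport)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("scan", src, dst, len(ports)))
    # Excessive packet flow: a rate far beyond what a normal session needs.
    for f in flows:
        duration = max(f.end - f.start, 0.001)
        if f.packets >= FLOOD_MIN_PACKETS and f.packets / duration >= FLOOD_PPS_THRESHOLD:
            alerts.append(("flood", f.src, f.dst, f.packets))
    return alerts


def sample_records():
    """Constructed packet records: a normal web session, a port scan and a flood."""
    recs = []
    for i in range(10):                         # normal: 10 packets over 2 s
        recs.append((100.0 + 0.2 * i, "10.0.0.5", "203.0.113.7", "tcp", 51000, 443, 600))
    for i, port in enumerate(range(20, 36)):    # scan: 16 ports inside one second
        recs.append((105.0 + 0.05 * i, "10.9.9.9", "10.0.0.80", "tcp", 40000 + i, port, 60))
    for i in range(2000):                       # flood: 2000 packets inside one second
        recs.append((110.0 + i / 2000.0, "198.51.100.77", "10.0.0.80", "udp", 7777, 53, 64))
    return recs


def analyse() -> list:
    """Flow records from the constructed traffic, then the two detection rules."""
    return detect(build_flows(sample_records()))


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

The normal session stays silent under both rules, the scan is caught by port diversity even though each probe is a single packet, and the flood is caught by rate; a real NBA system adds a learned baseline per host and service in place of the fixed thresholds used here.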
3b. Describe the different IDPS detection methods. (10 Marks)
Ans:
IDPS Detection Methods
• IDPSs use a variety of detection methods to monitor and evaluate network traffic.
• Three popular methods are:
1) the signature-based approach,
2) the statistical-anomaly approach, and
3) the stateful protocol analysis approach.
1) Signature-Based IDPS (Sig IDPS)
• It examines network traffic in search of patterns that match known signatures.
• A signature is a preconfigured, predetermined attack pattern.
• It is widely used because many attacks have clear and distinct signatures.
• For example:
1) Footprinting and fingerprinting activities use ICMP and DNS querying.
2) Exploits use a specific attack sequence designed to take advantage of a security hole to gain access to a system.
3) DoS attacks: the attacker tries to prevent the normal usage of a system by overloading it.
• Disadvantages:
1) New attack strategies must be continuously added to the database of signatures; an attack for which no signature exists is not detected.
2) A slow, methodical attack might escape detection if the attack signature has a shorter time frame than the attack.
Solution: collect and analyze data over longer periods of time. This requires additional processing capacity and a large data-storage capability.
2) Statistical Anomaly-Based IDPS (Stat IDPS)
• It collects statistical summaries by observing traffic that is known to be normal.
• This normal period of evaluation establishes a performance baseline.
• Once the baseline is established, it periodically
→ samples network activity, and
→ compares the sampled network activity to this baseline.
• When the measured activity is outside the baseline parameters, it sends an alert to the admin.
• The baseline parameters can include
→ host memory or CPU usage,
→ network packet types, and
→ packet quantities.
• Advantage:
1) It can detect new types of attacks, since it looks for abnormal activity of any type.
• Disadvantages:
1) It requires much more overhead and processing capacity than a Sig IDPS.
2) It may not detect minor changes to system variables and may generate many false positives.
3) Due to its complexity, it is less commonly used than the Sig IDPS.
3) Stateful Protocol Analysis IDPS (SPA IDPS)
• It compares
→ predetermined profiles of generally accepted definitions of benign protocol activity, with
→ observed events, to identify deviations.
• It relies on vendor-developed universal profiles that specify how particular protocols should and should not be used.
• This is how it works:
1) First, it stores relevant data detected in a session.
2) Then, it uses this data to identify intrusions that involve multiple requests and responses.
3) Finally, it detects multi-session attacks.
This process is known as deep packet inspection.
• It can also examine authentication sessions for suspicious activity.
• Disadvantages:
1) It requires heavy processing overhead to track multiple simultaneous connections.
2) It may interfere with the normal operations of the protocol, and it cannot detect attacks that stay within accepted protocol behavior.
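To make the contrast between the first two methods concrete, here is an added example (not from the solved paper) that implements both in miniature: a signature scan that searches packet payloads for patterns, and a statistical baseline that learns mean and standard deviation of a metric from a training period and flags samples whose z-score exceeds a threshold. The signature patterns, the training data and the threshold are constructed for the demonstration.

```python
"""Signature matching versus a statistical-anomaly baseline (added example, constructed data)."""
import re
import statistics

# Constructed signature table: name -> pattern searched in a packet payload.
# Real IDPS signatures also constrain protocol, port, direction and flow state.
SIGNATURES = {
    "directory_traversal": re.compile(rb"\.\./\.\./"),
    "sql_tautology": re.compile(rb"'\s*or\s+'1'\s*=\s*'1", re.IGNORECASE),
    "bash_env_function_injection": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}


def signature_scan(payload: bytes):
    """Return the names of all signatures that match the payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]


class AnomalyBaseline:
    """Baseline of one metric (e.g. packets per minute to a host) learned from a
    training period believed to be attack-free; later samples are scored by z-score."""

    def __init__(self, training_samples, z_threshold=3.0):
        self.mean = statistics.fmean(training_samples)
        self.stdev = statistics.pstdev(training_samples) or 1.0  # avoid division by zero
        self.z_threshold = z_threshold

    def zscore(self, sample):
        return (sample - self.mean) / self.stdev

    def is_anomalous(self, sample):
        return abs(self.zscore(sample)) > self.z_threshold


def training_packet_counts():
    """Constructed 'normal' packets-per-minute observations: about 100 with small jitter."""
    return [100 + (i * 7) % 11 - 5 for i in range(60)]


if __name__ == "__main__":
    print(signature_scan(b"GET /cgi-bin/../../etc/passwd HTTP/1.0"))
    base = AnomalyBaseline(training_packet_counts())
    for sample in (105, 106, 400):
        print(sample, round(base.zscore(sample), 2), base.is_anomalous(sample))
```

A payload that matches no entry in SIGNATURES is invisible to the signature scanner no matter how hostile it is, which is the first disadvantage above. The baseline catches the 400-packet burst without any signature, but a low-and-slow attacker adding a handful of packets per minute (106 in the run above) stays inside three standard deviations, which is the false-negative side of the second method.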
4a. Explain the Vernam cipher with an example. (10)
Ans:
Vernam Cipher (or One-Time Pad)
• It uses a set of pad characters only one time for each encryption process. Hence the name one-time pad.
• To perform encryption, the pad values are added to numeric values that represent the plaintext.
• Each letter of the plaintext is converted into a number (A = 1, ..., Z = 26) and the pad value for that position is added to it.
• The resulting sum for that character is then converted back to a ciphertext letter for transmission.
• If the sum of the two values exceeds 26, then 26 is subtracted from the total (i.e. the addition is modulo 26).
• Consider the following example:
 The encryption process works as follows: the letter "S" is converted into the number 19 (because it is the 19th letter of the alphabet).
 The pad value is derived from the position of each pad-text letter in the alphabet; thus the pad-text letter "F" is assigned the position number 06.
 This conversion process is repeated for the entire one-time-pad text.
 Next, the plaintext value and the one-time-pad value are added together.
 The first sum is 19 + 06 = 25, so the ciphertext letter is "Y".
 The decryption process works as follows: the letter "Y" becomes the number 25, from which we subtract the pad value for the first letter of the message, i.e. 06. This yields 19, or the letter "S".
• The cipher is unbreakable only if the pad is truly random, at least as long as the message, kept secret, and never reused; if two messages share a pad, subtracting the two ciphertexts cancels the pad and exposes the difference of the plaintexts.
4b. Discuss the tools that are used in cryptography. (10)
Ans:
Cryptographic Tools
1) Public-Key Infrastructure (PKI)
• PKI is an integrated system of software, encryption methods, protocols, legal agreements, and third-party services that enables users to communicate securely.
• It is based on public-key cryptosystems.
• It includes
→ digital certificates, and
→ certificate authorities (CAs).
• Digital certificates contain the user's name, public key, and other identifying information.
• Digital certificates allow computer programs
→ to validate the key, and
→ to identify the owner of the key.
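Returning to 4a: the Vernam procedure described there (letters numbered A = 1 to Z = 26, pad value added, 26 subtracted when the sum exceeds 26) is implemented below as an added example that is not part of the solved paper. The plaintext "SACK GAUL" and pad "FPQRNSBI" are constructed inputs chosen so that the first letter reproduces the S + F = Y step from the text; the last function shows why the pad must be used once.

```python
"""Vernam (one-time pad) over the alphabet A=1..Z=26, exactly as described in 4a (added example)."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def letter_to_num(ch: str) -> int:
    return ALPHABET.index(ch) + 1          # 'A' -> 1 ... 'Z' -> 26


def num_to_letter(n: int) -> str:
    return ALPHABET[n - 1]


def vernam_encrypt(plaintext: str, pad: str) -> str:
    """Add the pad value to each letter; if the sum exceeds 26, subtract 26."""
    plaintext = plaintext.replace(" ", "").upper()
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    out = []
    for p, k in zip(plaintext, pad.upper()):
        s = letter_to_num(p) + letter_to_num(k)
        if s > 26:
            s -= 26
        out.append(num_to_letter(s))
    return "".join(out)


def vernam_decrypt(ciphertext: str, pad: str) -> str:
    """Subtract the pad value; if the result drops below 1, add 26."""
    out = []
    for c, k in zip(ciphertext, pad.upper()):
        d = letter_to_num(c) - letter_to_num(k)
        if d < 1:
            d += 26
        out.append(num_to_letter(d))
    return "".join(out)


def random_pad(length: int) -> str:
    """A fresh pad from the OS CSPRNG; the pad must never be used for a second message."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def pad_reuse_leak(ct1: str, ct2: str):
    """If two messages share a pad, the per-position difference of the ciphertexts (mod 26)
    equals the difference of the plaintexts: the pad cancels out and the attacker never needs it."""
    return [(letter_to_num(a) - letter_to_num(b)) % 26 for a, b in zip(ct1, ct2)]


if __name__ == "__main__":
    pad = "FPQRNSBI"                                   # constructed pad text
    ct = vernam_encrypt("SACK GAUL", pad)
    print(ct, vernam_decrypt(ct, pad))
    print(pad_reuse_leak(ct, vernam_encrypt("GAUL GAUL", pad)))
```

Note the two boundary cases the textbook rule leaves implicit: a sum of exactly 26 is the letter Z (nothing is subtracted), and a difference of 0 on decryption is also Z. Both round-trip correctly with the rules as written.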
• The security services a PKI can provide include:
1) Authentication
2) Integrity
3) Privacy (confidentiality)
4) Authorization
5) Nonrepudiation
• It contains the following components:
1) Certificate authority (CA): issues, manages, authenticates, signs, and revokes users' digital certificates.
2) Registration authority (RA): operates under the trusted collaboration of the certificate authority.
 The RA can handle day-to-day certification functions, such as
→ verifying registration information,
→ generating end-user keys,
→ revoking certificates, and
→ validating user certificates.
3) Certificate directories: central locations for certificate storage that provide a single access point for administration and distribution.
4) Management protocols: organize and manage the communications among CAs, RAs, and end users.
5) Policies and procedures: assist an organization in the management of certificates and in the formalization of legal liabilities.
2) Digital Signatures
• Digital signatures were created in response to the rising need to verify information transferred via electronic systems.
• Asymmetric encryption processes are used to create digital signatures.
• In the textbook description, the sender's private key is used to "encrypt" the message (in practice, a hash of the message); anyone holding the sender's public key can "decrypt" it and compare the result with a freshly computed hash.
• When this verification succeeds, it shows that the message was produced by the holder of the private key, who therefore cannot deny having sent it. This property is known as non-repudiation, and it holds only as long as the private key has remained secret.
• Digital signatures are thus signed messages that can be mathematically proven authentic.
• The management of digital signatures is built into most web browsers.
• Digital signatures should be created using processes and products that are based on the Digital Signature Standard (DSS).
3) Digital Certificates
• A digital certificate is an electronic document (or container file) that contains a key value and identifying information about the owner of the key.
• The certificate is issued and certified by a third party called a certificate authority.
• A digital signature attached to the certificate's container file certifies the file's origin and integrity.
• This verification process often occurs when you download or update software via the Internet.
• Digital certificates authenticate the cryptographic key that is embedded in the certificate.
• Different client-server applications use different types of digital certificates:
1) The CA application suite issues and uses certificates (keys) that identify and establish a trust relationship with a CA.
2) Mail applications use Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates for signing and encrypting e-mail.
3) Development applications use object-signing certificates to identify the signers of object-oriented code and scripts.
4) Web servers use SSL/TLS certificates to authenticate servers.
5) Web clients use SSL/TLS client certificates to authenticate users.
• Two popular certificate types are
1) those created using Pretty Good Privacy (PGP), and
2) those created using applications that conform to the International Telecommunication Union's (ITU-T) X.509 version 3.
4) Hybrid Cryptography Systems
• Pure asymmetric encryption is too slow for bulk data, so in practice it is combined with symmetric encryption: a symmetric session key encrypts the data, and the asymmetric algorithm protects only the session key.
• The most common hybrid system is based on the Diffie-Hellman key exchange.
• Diffie-Hellman is a method by which two parties agree on a shared secret (a session key) over a public channel using public-key techniques; the secret itself is never transmitted.
• It allows two entities to conduct quick, efficient, secure communications based on symmetric encryption.
• It protects the session key from exposure to third parties, which is sometimes a problem when keys are exchanged out-of-band.
• Caveat: plain Diffie-Hellman does not authenticate the parties, so it must be combined with digital signatures or certificates to resist a man-in-the-middle attack.
5) Steganography
• The word steganography is derived from the Greek words steganos, meaning "covered", and graphein, meaning "to write".
• While steganography is technically not a form of cryptography, it is another way of protecting the confidentiality of information in transit.
• Steganography involves hiding information within files that contain digital pictures or other images (typically in the least-significant bits of the pixel values, where the change is invisible to the eye).
5a. Explain briefly the OSI security architecture. (12 Marks)
Ans:
OSI Security Architecture
• The OSI security architecture (ITU-T Recommendation X.800) focuses on
1) security attacks,
2) security mechanisms, and
3) security services.
1) Security Attack
• A security attack is any action that compromises the security of information owned by an organization or of the network carrying it.
• Attacks can be divided into two categories: i) passive attacks and ii) active attacks.
i) Passive Attack
• The attacker tries to learn or make use of information from the system but does not affect system resources.
• The attack takes the form of eavesdropping on, or monitoring of, transmissions.
• Goal of the opponent: to obtain information that is being transmitted.
• Passive attacks can be further subdivided into two categories: a) release of message contents and b) traffic analysis.
a) Release of message contents
• For example:
 A telephone conversation, an e-mail message, or a transferred file may contain sensitive or confidential information.
 We would like to prevent an opponent from learning the contents of these transmissions.
b) Traffic analysis
• Encryption is the most common technique for hiding the contents of a message.
• Even with encryption in place, an opponent may be able to observe the pattern of the messages.
• The opponent can
→ determine the location and identity of the communicating hosts, and
→ observe the frequency and length of the messages being exchanged.
• Passive attacks are very difficult to detect because they do not alter the data, so the emphasis is on prevention (encryption) rather than detection.
ii) Active Attack
• The attacker tries to alter system resources or affect their operation.
• For example:
→ modification of the data stream
→ creation of a false stream
• Active attacks are difficult to prevent absolutely, so the goal of the defender is to detect them and to recover from any disruption or delays they cause.
• They can be further subdivided into four categories: a) masquerade, b) replay, c) modification of messages, and d) denial of service.
a) Masquerade
• This attack takes place when one entity pretends to be a different entity.
• For example: an authentication sequence can be captured and replayed after a valid authentication sequence has taken place.
b) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
c) Modification of messages
• For example:
→ some portion of a legitimate message is altered, or
→ messages are delayed or reordered.
d) Denial of service
• This attack prevents the normal use of communications facilities.
i) The attack may have a specific target.
 For example: an entity may suppress all messages directed to a particular destination.
ii) The attack may involve the disruption of an entire network.
 For example: overloading the network to degrade performance.
2) Security Services
• A security service is a communication service that can prevent or detect the various security attacks.
• The security services defined in X.800 are summarized in Table 5.1.
Table 5.1 Security Services (X.800)
→ Authentication: assurance that a communicating entity is the one it claims to be (peer-entity authentication and data-origin authentication).
→ Access control: prevention of unauthorized use of a resource.
→ Data confidentiality: protection of data from unauthorized disclosure, including traffic-flow confidentiality.
→ Data integrity: assurance that data received are exactly as sent by an authorized entity (no modification, insertion, deletion, or replay).
→ Nonrepudiation: protection against denial by one of the parties of having participated in the communication (proof of origin, proof of delivery).
3) Security Mechanisms
• Table 5.2 lists the security mechanisms defined in X.800.
Table 5.2 Security Mechanisms (X.800)
• Specific security mechanisms (incorporated into a protocol layer to provide some of the services above):
→ Encipherment
→ Digital signature
→ Access control
→ Data integrity
→ Authentication exchange
→ Traffic padding
→ Routing control
→ Notarization
• Pervasive security mechanisms (not specific to any service or layer): trusted functionality, security labels, event detection, security audit trail, and security recovery.
• A companion table in X.800 relates each security service to the mechanisms that can provide it; for example, confidentiality is provided by encipherment and routing control, and nonrepudiation by digital signature, data integrity and notarization.
5b. Discuss the differences between Kerberos version 4 and Kerberos version 5. (08 Marks)
Ans:
Differences between Kerberos version 4 and version 5
• Version 5 is intended to address the limitations of version 4 in two areas:
1) Environmental shortcomings, and
2) Technical deficiencies.
Environmental Shortcomings
1) Encryption system dependence
Version 4: DES is used for encryption.
Version 5: Ciphertext is tagged with an encryption-type identifier so that any encryption technique may be used. An encryption key is tagged with a type and a length, so that the same key can be used with different algorithms or algorithm variants.
2) Addressing
Version 4: Only IP addresses are used for addressing.
Version 5: Network addresses are tagged with type and length, so that any network-address type may be used.
3) Message byte ordering
Version 4: The sender of a message uses a byte ordering of its own choosing and tags the message to indicate least-significant-byte-in-lowest-address or most-significant-byte-in-lowest-address.
Version 5: All message structures are defined using ASN.1 and BER, which provide an unambiguous byte ordering. (ASN.1 → Abstract Syntax Notation One; BER → Basic Encoding Rules)
4) Ticket lifetime
Version 4: Lifetime values are encoded in an 8-bit quantity in units of five minutes. Thus, the maximum lifetime that can be expressed is 2^8 × 5 = 1280 minutes (about 21 hours). This may be inadequate for some applications.
Version 5: Tickets include an explicit start time and end time, so that tickets with arbitrary lifetimes may be used.
5) Authentication forwarding
Version 4: Credentials issued to one client cannot be forwarded to some other host and used by some other client.
Version 5: Credentials issued to one client can be forwarded to some other host and used by some other client. This capability enables a client to access a server and have that server access another server on behalf of the client. For example: a client issues a request to a print server that then accesses the client's file from a file server, using the client's credentials for access.
6) Inter-realm authentication
Version 4: Interoperability among N realms requires on the order of N^2 Kerberos-to-Kerberos relationships.
Version 5: Interoperability among N realms requires fewer relationships.
Technical Deficiencies
1) Double Encryption
• In Version 4, tickets provided to clients are encrypted twice:
i) first with the secret key of the target server, and
ii) second with a secret key known to the client.
• The second encryption is not necessary and is computationally wasteful.
2) PCBC Encryption
• In Version 4:
 A nonstandard mode of DES known as propagating cipher block chaining (PCBC) is used.
 This mode is vulnerable to an attack involving the interchange of ciphertext blocks.
 PCBC was intended to provide an integrity check as part of the encryption operation.
• Version 5 provides explicit integrity mechanisms, allowing the standard CBC mode to be used for encryption. In particular, a checksum or hash code is attached to the message prior to encryption using CBC.
3) Session Keys
• Each ticket includes a session key that is used by the client to encrypt the authenticator sent to the service associated with that ticket.
• Because the same ticket may be used repeatedly to gain service from a particular server, there is the risk that an opponent will replay messages from an old session to the client or the server.
• In Version 5, it is possible for a client and server to negotiate a sub-session key, which is used only for that one connection.
6a. With a neat diagram, explain the overview of Kerberos. (10 Marks)
Ans:
Kerberos
• Kerberos is a key-distribution and user-authentication service developed at MIT.
• Kerberos provides a centralized authentication server whose function is to authenticate
→ users to servers, and
→ servers to users.
• Kerberos relies exclusively on symmetric encryption, making no use of public-key cryptography.
• Two versions of Kerberos are in use:
1) Version 4 implementations still exist, although this version is being phased out.
2) Version 5 corrects some of the security deficiencies of version 4.
Kerberos Version 4
• Version 4 of Kerberos makes use of DES to provide the authentication service.
A Simple Authentication Dialogue
• In an unprotected network environment, any client can apply to any server for service.
• Problem: The obvious security risk is impersonation, i.e. an opponent can
→ pretend to be another client, and
→ obtain unauthorized privileges on server machines.
Solution: Use an authentication server (AS).
• The AS knows the passwords of all users and stores them in a centralized database.
• In addition, the AS shares a unique secret key with each server.
• These keys have been distributed physically or in some other secure manner.
• Consider the following hypothetical dialogue. Here is how it works:
1) C → AS
• The client C requests a ticket for the service from the AS.
• The request contains
→ the user's ID,
→ the server's ID, and
→ the user's password.
• The server ID indicates which service is requested (e.g. printing, mail or file transfer).
2) AS → C
• The AS checks its database to see
i) whether the user has supplied the correct password, and
ii) whether the user has the right to access the server.
• If both conditions are satisfied, the AS accepts the user as authentic.
• Then, the AS sends a ticket to the client.
• The ticket (containing the user's ID and the server's ID) is encrypted using the secret key shared by the AS and the server, so the client cannot read or alter it.
3) C → V
• The client sends the ticket, together with its (unencrypted) user ID, to the server V.
• The server decrypts the ticket with its secret key.
• Then, the server verifies that the user ID in the ticket is the same as the unencrypted user ID in the request. If these two match, the server grants the requested service to the client.
• Disadvantages (Problems):
1) A user needs a new ticket for every different service.
For example: if a user wants to access a print server, a mail server and a file server, a new ticket has to be requested (and the password re-entered) for each service.
2) Password attack: the password travels in the clear in message (1), so an eavesdropper can capture it and use any service accessible to the victim.
Solution: Use a new server known as the ticket-granting server (TGS).
6b. Explain the procedure, along with a diagram, to implement confidentiality in PGP. (10 Marks)
Ans:
Confidentiality
• Confidentiality is provided by encrypting the messages to be transmitted.
• For encryption, 3DES (or CAST-128) can be used.
• The symmetric cipher is used in 64-bit cipher feedback (CFB) mode.
• Each symmetric key is used only once; it is called a session key. The session key is attached to the message and transmitted with it.
• To protect the session key, it is encrypted with the receiver's public key.
• The sequence of operations is as follows (Figure 6.2):
At Sender
1) A message is created. A fresh random session key is generated for this message only.
2) The message is encrypted using 3DES (or CAST) with the session key.
3) The session key is encrypted using RSA with the receiver's public key.
4) The encrypted session key is prepended to the encrypted message.
At Receiver
1) The encrypted session key is decrypted using RSA with the receiver's private key. Thus, the session key is recovered.
2) The encrypted message is decrypted using 3DES (or CAST) with the session key.
• As an alternative to RSA, Diffie-Hellman can be used.
• Diffie-Hellman is a key-exchange algorithm.
• PGP uses a variant of Diffie-Hellman known as ElGamal to encrypt the session key.
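Returning to the simple Kerberos dialogue in 6a: the three messages, the AS database, the per-server shared key and the checks the server performs on the ticket are shown below as an added example that is not part of the solved paper. The cipher is a toy stand-in for DES (a SHA-256 keystream with an HMAC tag; not something to deploy), the users, servers and keys are constructed, and the ticket also carries the client's network address (AD_C) as in Stallings' notation, a field the text above does not mention.

```python
"""The simple Kerberos authentication dialogue of 6a (added example, toy cipher, constructed data)."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a ticket: nonce || ciphertext || tag (stands in for DES)."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket integrity check failed")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class AuthenticationServer:
    def __init__(self, passwords: dict, server_keys: dict):
        self.passwords = passwords        # ID_C -> password (the AS database)
        self.server_keys = server_keys    # ID_V -> K_v, shared with each server out of band

    def request_ticket(self, id_c: str, password: str, id_v: str, ad_c: str) -> bytes:
        """(1) C -> AS: ID_C || P_C || ID_V      (2) AS -> C: Ticket = E(K_v, [ID_C || AD_C || ID_V])"""
        if self.passwords.get(id_c) != password:
            raise PermissionError("bad credentials")
        if id_v not in self.server_keys:
            raise PermissionError("unknown server")
        return seal(self.server_keys[id_v], {"id_c": id_c, "ad_c": ad_c, "id_v": id_v})


class Server:
    def __init__(self, id_v: str, key: bytes):
        self.id_v, self.key = id_v, key

    def serve(self, id_c: str, ticket: bytes, client_addr: str) -> str:
        """(3) C -> V: ID_C || Ticket. V decrypts with K_v and checks every field."""
        t = unseal(self.key, ticket)
        if t["id_v"] != self.id_v:
            raise PermissionError("ticket was issued for another server")
        if t["id_c"] != id_c:
            raise PermissionError("user ID in ticket does not match request")
        if t["ad_c"] != client_addr:
            raise PermissionError("ticket is bound to another network address")
        return f"service granted to {id_c}"


def demo() -> dict:
    """Constructed users, servers and keys; returns the outcome of each scenario."""
    k_print, k_mail = os.urandom(32), os.urandom(32)
    auth = AuthenticationServer({"alice": "s3cret"}, {"print": k_print, "mail": k_mail})
    printer, mailer = Server("print", k_print), Server("mail", k_mail)
    results = {}
    ticket = auth.request_ticket("alice", "s3cret", "print", "10.0.0.5")
    results["legitimate"] = printer.serve("alice", ticket, "10.0.0.5")
    scenarios = {
        "wrong_password": lambda: auth.request_ticket("alice", "guess", "print", "10.0.0.5"),
        "ticket_reused_on_other_server": lambda: mailer.serve("alice", ticket, "10.0.0.5"),
        "ticket_stolen_by_mallory": lambda: printer.serve("mallory", ticket, "10.0.0.66"),
        "ticket_tampered": lambda: printer.serve("alice", ticket[:-1] + bytes([ticket[-1] ^ 1]), "10.0.0.5"),
    }
    for name, action in scenarios.items():
        try:
            action()
            results[name] = "granted"
        except PermissionError as exc:
            results[name] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:32} {outcome}")
```

Two of the disadvantages in the text are visible here: message (1) carries the password itself, so anything that can read the wire learns it, and every new service means a new request_ticket call with the password. The ticket-granting server removes both, and the integrity tag is the kind of explicit check that version 5 added in place of PCBC.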
Figure 6.2 Confidentiality only
• Three benefits of this approach:
1) To reduce encryption time, the combination of symmetric and public-key encryption is used in preference to simply using RSA. Symmetric algorithms are much faster than RSA, so the bulk of the message is encrypted symmetrically and only the short session key is encrypted with RSA.
2) The use of the public-key algorithm solves the problem of session-key distribution. This is because only the receiver is able to recover the session key that is attached to the message.
3) The use of one-time symmetric keys strengthens this approach: each message is encrypted under its own key, so compromise of one session key exposes only one message.
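The hybrid scheme of 4b ("Hybrid Cryptography Systems") and the PGP confidentiality procedure of 6b are the same construction, so one added example serves both; it is not code from the solved paper or from PGP. The session key is wrapped with ElGamal, the Diffie-Hellman variant named above, over the 2048-bit MODP group 14 from RFC 3526 (the constant below should be checked against the RFC before any real use). The symmetric part is a toy SHA-256 keystream standing in for 3DES/CAST in CFB mode, and, matching Figure 6.2, it provides confidentiality only, no integrity.

```python
"""PGP-style confidentiality with an ElGamal-wrapped session key (added example, toy symmetric cipher)."""
import hashlib
import secrets

# RFC 3526 MODP group 14: 2048-bit safe prime p, generator g = 2.
# Verify this constant against the RFC; a typo would silently weaken the group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2   # order of the subgroup generated by G


def elgamal_keypair():
    """Receiver's long-term key: private x, public y = g^x mod p."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)


def elgamal_encrypt(y: int, m: int):
    """Sender: ephemeral k, c1 = g^k, c2 = m * y^k (a one-shot Diffie-Hellman with the receiver)."""
    k = secrets.randbelow(Q - 2) + 2
    return pow(G, k, P), (m * pow(y, k, P)) % P


def elgamal_decrypt(x: int, c1: int, c2: int) -> int:
    """Receiver: shared secret s = c1^x = g^(kx); m = c2 / s."""
    s = pow(c1, x, P)
    return (c2 * pow(s, -1, P)) % P


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stand-in for 3DES/CAST-CFB: nonce || data XOR keystream. Confidentiality only."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def pgp_encrypt(receiver_pub: int, message: bytes) -> dict:
    """Sender steps 1-4: fresh session key, encrypt the message with it,
    wrap the session key with the receiver's public key, bundle the two."""
    session_key = secrets.token_bytes(32)          # used for this one message only
    c1, c2 = elgamal_encrypt(receiver_pub, int.from_bytes(session_key, "big"))
    return {"wrapped_key": (c1, c2), "body": sym_encrypt(session_key, message)}


def pgp_decrypt(receiver_priv: int, packet: dict) -> bytes:
    """Receiver steps 1-2: unwrap the session key with the private key, then decrypt the body."""
    c1, c2 = packet["wrapped_key"]
    m = elgamal_decrypt(receiver_priv, c1, c2)
    if m.bit_length() > 256:                        # wrong private key yields a random group element
        raise ValueError("session key unwrap failed")
    return sym_decrypt(m.to_bytes(32, "big"), packet["body"])


if __name__ == "__main__":
    priv, pub = elgamal_keypair()
    pkt = pgp_encrypt(pub, b"meet at the usual place")
    print(pgp_decrypt(priv, pkt))
```

Real OpenPGP pads the session key (with a checksum) before the public-key operation and, since the MDC packet, also authenticates the body; the example leaves both out to keep the three-benefit structure of Figure 6.2 visible. Note that the wrapped key differs on every call because k is fresh, so the same message to the same recipient never produces the same packet.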
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2015
2a. Explain the dual-homed host firewall. (10 Marks)
Ans:
Dual-Homed Host Firewall
• The bastion host contains two NICs rather than one. (NIC → network interface card)
1) One NIC is connected to the external network, and
2) the other NIC is connected to the internal network.
• The two NICs provide an additional layer of protection.
• All traffic must physically go through the firewall to move between the internal and external networks (IP forwarding between the two NICs is disabled, so the host itself mediates every connection).
Figure 2-4 Dual-Homed Host Firewall
• NAT is commonly used in the implementation of this architecture (Figure 2-4).
• NAT is a method of mapping between routable external IP addresses and non-routable (private) internal IP addresses.
• NAT can be used to create yet another barrier to intrusion from external attackers, since internal addresses are never visible on the outside.
• The internal (private) addresses come from three reserved ranges (Table 2-3):
1) Organizations that need a large group of addresses use the Class A range.
2) Organizations that need a medium group of addresses use the Class B range.
3) Organizations that need a small group of addresses use the Class C range.
Table 2-3 Reserved Non-routable Address Ranges (RFC 1918)
→ Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
→ Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
→ Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)
• Advantages:
1) NAT hides internal addresses, so external attackers cannot address internal computers directly.
2) The dual-homed host can translate between different data-link protocols such as Ethernet, token ring, FDDI and ATM.
• Disadvantages:
1) If the dual-homed host is compromised, it can disable the connection to the external network, and the attacker then has a foothold on both networks.
2) As traffic volume increases, the dual-homed host can become overloaded.
2b. Define firewall and explain all the firewall rules. (10 Marks)
Ans:
Firewall
• A firewall is an information-security program (or device) that, like a building's firewall, stops damage in one area from spreading to another.
• A firewall prevents specific types of information from moving between an untrusted network and a trusted network.
Example of an untrusted network: the Internet (outside world)
Example of a trusted network: the intranet or private network (inside world)
Best Practices for Firewall Rules
1) All traffic from the trusted network is allowed out.
• Thus, members of the organization can access the required services.
• Filtering and logging of outbound traffic can be implemented when required by organization policy.
2) The firewall is never directly accessible from the public network for configuration or management purposes.
• Even ordinary internal users must be denied access to the firewall.
• Only authorized administrators may access the firewall.
• The access method should use cryptographically strong authentication.
3) SMTP data is allowed to enter through the firewall, but is routed to a well-configured SMTP gateway that filters and routes messaging traffic securely.
4) All ICMP data should be denied.
• ICMP is the protocol behind the ping service.
• ICMP is a common method used by attackers to probe (snoop) the internal network.
• So, ICMP should be blocked at the perimeter to prevent snooping.
5) Telnet access to all internal servers from the public network should be blocked.
• In particular, Telnet access to the organization's DNS server should be blocked
→ to prevent illegal zone transfers, and
→ to prevent attackers from taking down the organization's entire network.
• If internal users need to reach the organization's network from outside, the organization should use a VPN.
6) When web services are offered outside the firewall, HTTP traffic should be prevented from reaching the internal network directly; route it through a proxy server or to servers in the DMZ.
• This restriction can be accomplished using NAT or a proxy server.
i) If the web servers contain critical data, they should be placed inside the network, behind the proxy.
ii) If the web servers only contain advertising, they can be placed in the DMZ.
7) All data that is not verifiably authentic should be denied.
• When attempting to convince a packet-filtering firewall to permit malicious traffic, attackers frequently put an internal address in the source field (address spoofing).
• To avoid this problem, set rules so that the firewall blocks all inbound traffic whose source address belongs to the organization's own address space.
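Rules 1 to 7 above, and the RFC 1918 ranges from Table 2-3 in 2a, are enough to write a first-match packet filter. The following is an added example (not from the solved paper) that encodes them in order and evaluates constructed packets against them; the addresses of the firewall, SMTP gateway and DMZ web server are assumptions, and NAT is not modelled. The order matters: the anti-spoofing rule sits first so that a spoofed packet can never reach an "allow" below it.

```python
"""First-match packet filter implementing the best-practice rules of 2b (added example)."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges from Table 2-3; an organisation would add its own public prefixes here too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIREWALL = ipaddress.ip_address("10.0.0.1")       # assumed
SMTP_GATEWAY = ipaddress.ip_address("10.0.0.25")  # assumed, in the DMZ
DMZ_WEB = ipaddress.ip_address("10.0.0.80")       # assumed, in the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp"
    dport: int       # 0 for icmp
    direction: str   # "in": arrives from the untrusted side; "out": from the trusted side


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _tcp_in(p: Packet, port: int) -> bool:
    return p.direction == "in" and p.proto == "tcp" and p.dport == port


# (rule text, predicate, action), evaluated top to bottom; the first match wins.
RULES = [
    ("7: deny inbound packets that claim an internal source (anti-spoofing)",
     lambda p: p.direction == "in" and is_internal(p.src), "deny"),
    ("2: the firewall is never managed from the public network",
     lambda p: p.direction == "in" and ipaddress.ip_address(p.dst) == FIREWALL, "deny"),
    ("4: deny all ICMP", lambda p: p.proto == "icmp", "deny"),
    ("5: no Telnet from the public network", lambda p: _tcp_in(p, 23), "deny"),
    ("3: inbound SMTP only to the SMTP gateway",
     lambda p: _tcp_in(p, 25) and ipaddress.ip_address(p.dst) == SMTP_GATEWAY, "allow"),
    ("3: inbound SMTP to any other host", lambda p: _tcp_in(p, 25), "deny"),
    ("6: inbound HTTP only to the DMZ web server",
     lambda p: _tcp_in(p, 80) and ipaddress.ip_address(p.dst) == DMZ_WEB, "allow"),
    ("6: inbound HTTP to the internal network", lambda p: _tcp_in(p, 80), "deny"),
    ("1: all traffic from the trusted network is allowed out",
     lambda p: p.direction == "out" and is_internal(p.src), "allow"),
]


def evaluate(p: Packet):
    """Return (action, matched rule). Anything no rule covers is denied (rule 7)."""
    for text, pred, action in RULES:
        if pred(p):
            return action, text
    return "deny", "default: not verifiably legitimate"


SAMPLE_PACKETS = [  # constructed
    Packet("10.1.2.3", "10.0.0.50", "tcp", 445, "in"),          # spoofed internal source
    Packet("198.51.100.7", "10.0.0.1", "tcp", 22, "in"),        # SSH to the firewall itself
    Packet("198.51.100.7", "10.0.0.50", "icmp", 0, "in"),       # ping sweep
    Packet("198.51.100.7", "10.0.0.50", "tcp", 23, "in"),       # telnet
    Packet("203.0.113.9", "10.0.0.25", "tcp", 25, "in"),        # mail to the gateway
    Packet("203.0.113.9", "10.0.0.50", "tcp", 25, "in"),        # mail straight to a workstation
    Packet("203.0.113.9", "10.0.0.80", "tcp", 80, "in"),        # web to the DMZ server
    Packet("203.0.113.9", "10.0.0.50", "tcp", 8080, "in"),      # unsolicited inbound
    Packet("10.0.0.50", "93.184.216.34", "tcp", 443, "out"),    # user browsing out
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, why = evaluate(p)
        print(f"{action:5} {p.src:>14} -> {p.dst:<14} {p.proto}/{p.dport:<5} ({why})")
```

Because rule 4 precedes rule 1, outbound ping is denied too, which is what "all ICMP data should be denied" literally says; many sites relax this for outbound echo requests and path-MTU messages, and that relaxation is a policy decision to record, not an accident of rule order.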
3a. Explain the different types of IDP systems. (10 Marks)
Ans:
Types of IDPS
• Two types of IDPS:
1) Network-based IDPS, including
i) Wireless IDPS, and
ii) Network behavior analysis (NBA) IDPS.
2) Host-based IDPS.
Figure 3-1 Intrusion-detection and Prevention Systems
1) Network-Based IDPS (NIDPS)
• It is focused on protecting network assets (Figure 3-1).
• It resides on a network segment of an organization.
• It monitors a specific group of computers on a specific network segment.
• It looks for indications of ongoing or successful attacks.
• When it identifies an attack, it sends an alert to the admin.
• When placed next to a network device (hub/switch), the NIDPS may use that device's monitoring port.
• A monitoring port (SPAN or mirror port) is a connection on a network device that can view all of the traffic that moves through the entire device.
• To check for an attack, the NIDPS compares measured activity to known signatures in its knowledge base.
• Advantages:
1) A few NIDPSs can be used to monitor a large network.
2) It is a passive device, so it can be deployed into existing networks without disturbing normal operations.
3) It is not usually susceptible to direct attack and may not be detectable by attackers.
4) It can detect many more types of attacks than a HIDPS.
• Disadvantages:
1) An NIDPS can be overloaded by network volume, so it may fail to recognize actual attacks.
2) It requires access to all traffic to be monitored.
3) It cannot analyze encrypted packets.
4) It cannot reliably confirm whether an attack was successful or not.
5) Some NIDPSs cannot reliably detect attacks that use fragmented packets, because reassembling fragments is expensive.
6) It requires a much more complex configuration and maintenance program.
i) Wireless NIDPS (WIDPS)
• It is focused on protecting wireless networks.
• It monitors and analyzes wireless-network traffic.
• It looks for potential problems with the wireless protocols.
• It can be built into a device that provides a wireless access point (e.g. a base station).
• It can also detect:
→ Unauthorized WLANs and WLAN devices
→ Poorly secured WLAN devices
→ Unusual usage patterns
→ Use of wireless-network scanners
→ DoS attacks and conditions
→ Impersonation and man-in-the-middle attacks
• Some issues associated with the implementation of a WIDPS:
1) Physical security
2) Sensor range
3) Access-point and wireless-switch locations
4) Wired-network connections
5) Cost
ii) Network Behavior Analysis System (NBA IDPS)
• It examines traffic flow on a network in an attempt to identify attacks like DDoS, viruses and worms.
• It uses a version of the anomaly-detection method to identify excessive packet flows.
• It typically monitors internal networks but occasionally monitors connections between internal and external networks.
• A typical flow record includes:
→ Source and destination IP addresses
→ Source and destination TCP or UDP ports
→ ICMP types and codes
→ Number of packets and bytes transmitted in the session
→ Starting and ending timestamps for the session
• It can detect the following types of attacks:
→ DoS attacks (including DDoS attacks)
→ Scanning
→ Worms
→ Unexpected application services (e.g., tunneled protocols, back doors)
→ Policy violations
2) Host-Based IDPS (HIDPS)
• It is focused on protecting the information assets of a server (or host).
• It resides on a particular host, and monitors activity only on that host.
• It is also known as a system integrity verifier because it
→ monitors the status of system files, and
→ detects when an attacker creates, modifies, or deletes files.
• It is also capable of monitoring the system configuration database (e.g. the Windows registry).
• It triggers an alert when one of the following occurs:
→ file attributes change,
→ new files are created, or
→ existing files are deleted.
• It can also monitor system logs for predefined events.
• It examines the log files to determine whether an attack is under way or has already occurred.
• Advantages:
1) A HIDPS can
→ detect local events on host systems, and
→ detect attacks that may escape a network-based IDPS.
2) It can process encrypted traffic, because it sees the data after the host has decrypted it.
3) It is not affected by the use of switched-network protocols.
4) It can detect inconsistencies in how applications were used.
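The "system integrity verifier" role described above reduces to a baseline of file hashes and attributes and a later comparison. The following is an added example (not from the solved paper) of that check: it builds a constructed file tree in a temporary directory, records hash, size and permission bits for each file, simulates an intrusion (account added to passwd, hosts file removed, a dropped binary, and a setuid bit set on an unchanged binary), and reports the four classes of change the text lists.

```python
"""A minimal system-integrity verifier of the kind a HIDPS runs (added example, constructed tree)."""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """relative path -> (sha256, size, permission bits incl. setuid/setgid/sticky)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = (file_digest(path), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines."""
    common = old.keys() & new.keys()
    return {
        "created": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p][0] != new[p][0]),
        "attr_changed": sorted(p for p in common if old[p][0] == new[p][0] and old[p][1:] != new[p][1:]),
    }


def _write(root: str, rel: str, data: bytes) -> str:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="fim-")
    _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
    _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
    ls = _write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    os.chmod(ls, 0o755)
    baseline = take_baseline(root)          # in practice: signed and stored off-host

    # simulated intrusion (constructed)
    _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
    os.remove(os.path.join(root, "etc/hosts"))
    _write(root, "tmp/.rootkit", b"\x7fELF...")
    os.chmod(ls, 0o4755)                     # same content, but now setuid root
    return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13}: {paths}")
```

The comparison is only as trustworthy as the baseline: an attacker who can rewrite the stored hashes (or the verifier itself) defeats it, which is why the text lists "vulnerable to direct attacks" among the HIDPS disadvantages and why real deployments sign the baseline and keep it off the monitored host.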
• Disadvantages:
1) It requires more management effort to install, configure, and operate.
2) It is vulnerable both to direct attacks and to attacks against the host operating system.
3) It is not optimized to detect multi-host scanning.
4) It is susceptible to some DoS attacks.
5) It requires a large amount of disk space to store audit logs.
6) It can impose a performance overhead on its host systems.
3b. Discuss measuring the effectiveness of an IDPS. (10 Marks)
Ans:
Measuring the Effectiveness of IDPSs
1) Thresholds
• A threshold is a value that sets the limit between normal and abnormal behavior.
• It usually specifies a maximum acceptable level. For example: 30 failed connection attempts in 60 seconds.
• It is most commonly used in
→ anomaly-based detection, and
→ stateful protocol analysis.
2) Blacklists and Whitelists
Blacklist
• A blacklist is a list of discrete entities that are associated with abnormal activity.
• For example:
→ Applications (say Telnet, FTP)
→ File extensions (say mpeg, mp4)
→ URLs (say facebook, amazon)
→ TCP or UDP port numbers (say 23: Telnet, 21: FTP)
• An IDPS uses a blacklist
→ to block the abnormal activity, and
→ to assign a higher priority to alerts that match blacklist entries.
• Some IDPSs generate dynamic blacklists that are used to temporarily block recently detected threats.
Whitelist
• A whitelist is a list of discrete entities that are known to be benign.
• It is used to reduce or ignore false positives involving known benign activity from trusted hosts.
• Whitelists and blacklists are most commonly used in
→ signature-based detection, and
→ stateful protocol analysis.
3) Alert Settings
• Most IDPSs allow admins to customize each alert type.
• For example:
→ Toggling it on or off
→ Setting a default priority or severity level
→ Specifying what information should be recorded
→ Specifying what notification methods should be used
→ Specifying which prevention capabilities should be used
• Some products also suppress alerts if an attacker generates many alerts in a short period of time, to prevent the IDPS (and the admins) from being overwhelmed by alerts.
4) Code Viewing and Editing
• Some IDPSs permit admins to see some or all of the detection-related code (e.g. the signatures).
• Some IDPSs allow admins to see additional code, such as the programs used to perform stateful protocol analysis.
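Thresholds, blacklists and whitelists from 3b combine naturally in one detector. The following is an added example (not from the solved paper) that applies the text's own threshold, 30 failed connection attempts in 60 seconds, as a sliding window over constructed connection-log lines, skips a whitelisted monitoring host, and raises a higher-severity alert for a blacklisted port. The log format, the whitelist entry and the severity labels are assumptions.

```python
"""Threshold, blacklist and whitelist from 3b applied to constructed connection-log lines (added example)."""
import re
from collections import defaultdict, deque

# Constructed log format: "<unix_ts> <src_ip> <dst_port> <ACCEPT|FAIL>"
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dport>\d+) (?P<result>ACCEPT|FAIL)$")
THRESHOLD, WINDOW = 30, 60        # "30 failed connection attempts in 60 seconds"
WHITELIST = {"10.0.0.9"}          # assumed: the monitoring host that probes services on purpose
BLACKLIST_PORTS = {23, 21}        # Telnet and FTP, the examples given in the text


def parse(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return int(m["ts"]), m["src"], int(m["dport"]), m["result"]


def analyze(lines):
    """Return (ts, src, severity, reason) alerts; failures are tracked per source in a sliding window."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:           # malformed line: skipped, but a real IDPS would count these too
            continue
        ts, src, dport, result = rec
        if src in WHITELIST:
            continue
        if dport in BLACKLIST_PORTS:
            alerts.append((ts, src, "high", f"blacklisted port {dport}"))
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and q[0] <= ts - WINDOW:
            q.popleft()
        if len(q) == THRESHOLD:   # fire once, as the count crosses the threshold
            alerts.append((ts, src, "medium", f"{THRESHOLD} failed connections in {WINDOW}s"))
    return alerts


def sample_log():
    """Constructed log lines."""
    lines = [f"{1000 + i} 198.51.100.7 22 FAIL" for i in range(30)]       # 30 failures in 30 s
    lines += [f"{2000 + i * 5} 203.0.113.4 22 FAIL" for i in range(30)]   # 30 failures spread over 145 s
    lines += ["1500 10.0.0.9 23 FAIL"] * 40                                # whitelisted scanner
    lines += ["1600 192.0.2.10 23 ACCEPT"]                                 # successful Telnet login
    lines += ["garbage line"]
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_log()):
        print(alert)
```

The second source never trips the threshold because its failures are spaced five seconds apart, so at most twelve ever share a 60-second window; that is the "slow, methodical attack" from the June 2014 3b answer, and a longer window (or a lower threshold) is the only way a pure threshold catches it.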
4a. With an example, explain the Vernam cipher technique for encrypting the plaintext. (10)
Ans: For the answer, refer to Solved Paper June/July 2014 Q.No. 4a.
4b. Explain the different attacks on cryptosystems. (10)
Ans:
Attacks on Cryptosystems
• In general, attacks on cryptosystems fall into four categories: man-in-the-middle, correlation, dictionary, and timing.
1) Man-in-the-Middle Attack
• An attacker tries
→ to intercept a public key, or
→ to insert a known key structure in place of the requested public key.
• The attackers place themselves between the sender and the receiver. When they have intercepted the request for a key exchange, they send each participant a public key of their own, whose private key is known only to them.
• The victims (participants) think that the communication is secure, but the attacker is
→ receiving and decrypting each encrypted message, and
→ re-encrypting and forwarding it to the intended recipient (possibly after altering it).
• Possible solution: authenticating public keys with digital signatures (certificates) can prevent this attack, because the attacker cannot forge the signatures. An unauthenticated key exchange, such as raw Diffie-Hellman, offers no protection against it.
2) Correlation Attacks
• These are a collection of brute-force methods that try to deduce statistical relationships between
→ the structure of the unknown key, and
→ the ciphertext generated by the cryptosystem.
• Differential and linear cryptanalysis have been used to perform successful attacks on block ciphers such as DES.
• Possible solution: selection of strong cryptosystems that have stood the test of time, thorough key management, and best practices in the frequency of key changes.
3) Dictionary Attacks
• An attacker encrypts (or hashes) every word in a dictionary using the same cryptosystem as used by the target, in an attempt to locate a match between the target ciphertext and the list of encrypted words.
• This attack can be successful when the ciphertext consists of relatively few characters.
  For example: Files containing encrypted usernames and passwords.
• After getting the password-file, an attacker can run hundreds of potential passwords from the dictionary he has prepared against the stolen list.
• After a match is found, the attacker has essentially identified a potential valid password for the system.
4) Timing Attacks
• An attacker
  → listens on the victim’s session, and
  → uses statistical-analysis of patterns and inter-keystroke timings to determine the information.
• This attack can be used to gain information about the encryption-key and the cryptosystem.
• After getting the encryption-key, an attacker can launch a replay attack.
• A replay attack tries to resubmit a recording of the deciphered authentication to gain entry into a secure source.
5a. Discuss the different active attacks. (10 Marks)
Ans:
Active Attacks
• The attacker tries to alter system resources or affect their operation.
• For example:
  → modification of the data stream
  → creation of a false stream
• Defensive goal: To detect active attacks and to recover from any disruption or delays caused by them.
• Active attacks can be subdivided into four categories: 1) masquerade, 2) replay, 3) modification of messages, and 4) denial of service.
1) Masquerade
• This attack takes place when one entity pretends to be a different entity (Figure 5.4).
• For example: Authentication sequences can be captured and replayed after a valid authentication sequence has taken place.
2) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (Figure 5.5).
3) Modification of Messages
• For example:
  → some portion of a legitimate message is altered
  → messages are delayed or reordered (Figure 5.6).
4) Denial of Service
• This attack prevents the normal use of communications facilities (Figure 5.7).
  i) This attack may have a specific target.
     For example: An entity may suppress all messages directed to a particular destination.
  ii) This attack may involve the disruption of an entire network.
     For example: Overloading the network to degrade performance.
• Disadvantage:
  - It is difficult to prevent active attacks because of the wide variety of potential physical, software, and network vulnerabilities.
Figure 5.4: Masquerade
Figure 5.5: Replay
Figure 5.6: Modification of messages
Figure 5.7: Denial of service

5b. Explain the environmental shortcomings of Kerberos V4. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.5b.
5c. With a diagram, explain the X.509 certificate format. (05 Marks)
Ans:
X.509 Certificates
• X.509 provides authentication services and defines authentication protocols.
• X.509 uses the X.500 directory, which contains:
  → Public key certificates
  → Public keys of users signed by a certification authority
• X.509 is based on the use of public-key cryptography and digital signatures.
Certificates
• Figure 5.12 shows the general format of a certificate, which includes the following elements.
Figure 5.12 X.509 certificate
1) Version
• This field is used to differentiate among successive versions of the certificate format.
  i) Default version = 1.
  ii) version = 2, if the Issuer Unique Identifier or Subject Unique Identifier is present.
  iii) version = 3, if one or more extensions are present.
2) Serial Number
• This field is a unique integer value that is unambiguously associated with this certificate.
3) Signature Algorithm Identifier
• This field indicates the algorithm used to sign the certificate, together with any associated parameters.
4) Issuer Name
• This field indicates the X.500 name of the CA that created and signed this certificate.
5) Period of Validity
• This field consists of two dates: the first and last on which the certificate is valid.
6) Subject Name
• This field indicates the name of the user to whom this certificate refers.
7) Subject’s Public-Key Information
• This field contains
  → the public key of the subject, and
  → an identifier of the algorithm.
8) Issuer Unique Identifier
• This field is an optional bit-string field used to uniquely identify the issuing CA in the event the X.500 name has been reused for different entities.
9) Subject Unique Identifier
• This field is an optional bit-string field used to uniquely identify the subject in the event the X.500 name has been reused for different entities.
10) Extensions
• This field contains a set of one or more extension fields.
• Extensions were added in version 3.
11) Signature
• This field covers all of the other fields of the certificate; it contains the hash code of the other fields encrypted with the CA’s private key.
• This field includes the signature algorithm identifier.

6a. Using a figure, explain how authentication is performed in PGP. (10 Marks)
Ans:
Authentication
• Figure 6.1 illustrates the digital signature service provided by PGP.
• The sequence of operations is as follows:
At Sender
1) A message is created.
2) A hash code of the message is created using SHA-1.
3) The hash code is encrypted using RSA with the sender’s private-key.
4) The encrypted hash code is appended to the message.
At Receiver
1) The encrypted hash code (the signature) is decrypted using RSA with the sender’s public-key. Thus, the hash code is recovered.
2) A new hash code for the received message is created using SHA-1.
3) The new hash code is compared with the decrypted hash code.
4) If the two match, the message is accepted as authentic.
Figure 6.1 Authentication only
• The combination of SHA-1 and RSA provides an effective digital signature scheme.
1) Because of the strength of RSA, the receiver is assured that only the possessor of the matching private-key can generate the signature.
2) Because of the strength of SHA-1, the receiver is assured that no one else could generate
  → a new message that matches the hash code, and
  → the signature of the original message.
• Normally, signatures are attached to the message (or file). But here, detached signatures are supported.
• A detached signature may be transmitted separately from the message.
• Three benefits of detached signatures:
1) A user may wish to maintain a separate signature log of all messages sent or received.
2) A detached signature of an executable program can detect subsequent virus infection.
3) Detached signatures can be used when more than one party must sign a document, such as a legal contract.
6b. Explain the S/MIME functionality. (05 Marks)
Ans:
Secure/Multipurpose Internet Mail Extension (S/MIME)
• S/MIME is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.
S/MIME Functionality
• In terms of general functionality, S/MIME is very similar to PGP.
• Both offer the ability to sign and/or encrypt messages.
Functions
• S/MIME provides the following functions.
1) Enveloped data
• This consists of encrypted content of any type and encrypted content-encryption keys for one or more receivers.
2) Signed data
• A digital signature is formed by taking the message digest of the content to be signed and then encrypting that with the private-key of the signer.
• The content plus signature are then encoded using base64 encoding.
• A signed-data message can only be viewed by a receiver with S/MIME capability.
3) Clear-signed data
• As with signed data, a digital signature of the content is formed. However, in this case only the digital signature is encoded using base64.
• As a result, receivers without S/MIME capability can view the message content, although they cannot verify the signature.
4) Signed and enveloped data
• Signed-only and encrypted-only entities may be nested, so that encrypted data may be signed, and signed data or clear-signed data may be encrypted.

6c. Explain the MIME content types. (05 Marks)
Ans:
MIME Content Types
• The bulk of the MIME specification is concerned with the definition of a variety of content types.
• This reflects the need to provide standardized ways of dealing with a wide variety of information representations in a multimedia environment.
• Table 6.3 lists the content types specified in RFC 2046.
Table 6.3 MIME Content Types
• There are four subtypes of the multipart type (Table 6.3):
1) In the multipart/mixed subtype, there are multiple independent body parts that need to be bundled in a particular order.
2) In the multipart/parallel subtype, the order of the parts is not significant. If the receiver’s system is appropriate, the multiple parts can be presented in parallel.
3) In the multipart/alternative subtype, the various parts are different representations of the same information. The body parts are ordered in terms of increasing preference.
4) In the multipart/digest subtype, each of the body parts is interpreted as an RFC 5322 message with headers. This subtype enables the construction of a message whose parts are individual messages.
• There are three subtypes of the message type:
1) The message/rfc822 subtype indicates that the body is an entire message, including header and body.
2) The message/partial subtype enables fragmentation of a large message into a number of parts, which must be reassembled at the destination.
3) The message/external-body subtype indicates that the actual data to be conveyed in this message are not contained in the body. Instead, the body contains the information needed to access the data.
• The application type refers to other kinds of data, typically either uninterpreted binary data or information to be processed by a mail-based application.
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2016

2a. Explain the different categories of firewalls according to their processing mode. (10 Marks)
Ans:
Firewall Processing Modes
• Firewalls fall into 5 major processing-mode categories:
1) Packet-filtering firewall
2) Application gateway
3) Circuit gateway
4) MAC layer firewall, and
5) Hybrid firewall
1) Packet Filtering Firewall
• It operates at the network-layer of the OSI-model (Figure 2-1).
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
• The rules are based on a combination of the following:
  → IP source and destination address
  → Direction (inbound or outbound)
  → Protocol
  → TCP/UDP source and destination port
• The rules are created and modified in the ACL (Access Control List) by the network-administrators.
Figure 2-1 Packet-Filtering Router
Table 2-1 Sample Firewall-rule and Format
• As shown in Table 2-1, any connection attempt made by an external-device in the 192.168.x.x address-range (192.168.0.0–192.168.255.255) is allowed.
• It can be further classified into 3 types:
1) Static Filtering
  - Here, the filtering-rules must be developed and installed with the firewall.
  - The rules are created and sequenced by a person directly editing the rule-set.
2) Dynamic Filtering
  - It can
    → react to an emergent event, and
    → update/create rules to deal with that event.
  Static vs Dynamic Firewall
  - In a static firewall, entire sets of one type of packet are allowed to enter the trusted-network.
  - In a dynamic firewall, only a particular packet with a particular source, destination, and port address is allowed to enter the trusted-network.
3) Stateful Inspection
  - It monitors network-connections between internal and external systems using state-tables.
  - A state-table records information like
    → source and destination address of devices
    → what & when a packet is sent (Table 2-2).
Table 2-2 State-table Entries
2) Application Gateway
• It operates at the application-layer of the OSI-model.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because it runs special software that acts as a proxy for a service-request.
• The proxy-server
  → receives requests for Web-pages
  → accesses the Web-server on behalf of the external client, and
  → returns the requested-pages to the users.
• It is also known as a cache-server because it stores the most recently accessed pages in its internal cache.
• Advantage: For any external-attack to succeed, two separate systems have to be compromised. Thus, the proxy-server can be placed in an unsecured-network, thereby protecting the Web-server.
• Disadvantage: It is designed for specific types of protocols (e.g., FTP, Telnet, HTTP & SNMP). So, it cannot be re-configured to protect against attacks on other protocols.
3) Circuit Gateway
• It operates at the transport-layer of the OSI-model.
• It does not usually look at traffic flowing between one network and another network.
• Rather, it prevents direct connections between one network and another network.
• It
  → creates tunnels connecting specific processes/systems on each side of the firewall, and
  → allows only authorized traffic in the tunnels.
4) MAC Layer Firewall
• It operates at the data-link-layer of the OSI-model.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the MAC source and destination address.
5) Hybrid Firewall
• It combines the elements of the above 4 types of firewalls.
• For example: The elements of packet-filtering and proxy services; the elements of packet-filtering and circuit-gateways.
• It may consist of 2 separate firewalls which are connected so that they work in tandem.
• Advantage: An organization can make a security improvement without completely replacing its existing firewall.

2b. Define any 6 design rules of firewall. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.2b.
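The static-versus-stateful distinction in 2a above, as an added example (not code from the original notes): a minimal ACL in the style of Table 2-1 and a state-table in the style of Table 2-2. All addresses, rules and packets are constructed for illustration; the rule format and the "first match wins, default deny" policy are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed example: a minimal packet filter in the style of Table 2-1 / Table 2-2.
# Addresses, rules and packets are made up for illustration.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    direction: str    # "inbound" (from untrusted) or "outbound" (from trusted)
    syn: bool = True  # True for a new-connection attempt, False for a mid-stream packet

@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR such as "192.168.0.0/16", or "any"
    dst: str
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None matches every destination port
    direction: str
    action: str              # "allow" or "deny"

def _addr_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def static_filter(rules: List[Rule], pkt: Packet) -> str:
    """Static packet filtering: first matching ACL rule wins; no match means deny."""
    for r in rules:
        if (r.direction == pkt.direction
                and r.proto in ("any", pkt.proto)
                and r.dport in (None, pkt.dport)
                and _addr_match(r.src, pkt.src)
                and _addr_match(r.dst, pkt.dst)):
            return r.action
    return "deny"

class StatefulFilter:
    """Stateful inspection: new connections are checked against the ACL, and the
    allowed ones are recorded in a state-table (Table 2-2 style) so that reply
    packets of the same conversation are accepted without a matching rule."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.state or reverse in self.state:
            return "allow"          # part of a conversation already in the state-table
        if not pkt.syn:
            return "deny"           # mid-stream packet with no state entry: not ours
        action = static_filter(self.rules, pkt)
        if action == "allow":
            self.state.add(key)     # remember the conversation
        return action

# ACL in the spirit of Table 2-1: outbound allowed, inbound only from 192.168.x.x, rest denied.
RULES = [
    Rule("any", "any", "any", None, "outbound", "allow"),
    Rule("192.168.0.0/16", "any", "any", None, "inbound", "allow"),
    Rule("any", "any", "any", None, "inbound", "deny"),
]

def demo() -> dict:
    """Compare static vs stateful decisions on a constructed traffic sequence."""
    request = Packet("10.0.0.5", "203.0.113.10", "tcp", 40000, 80, "outbound", syn=True)
    reply = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40000, "inbound", syn=False)
    stray = Packet("203.0.113.10", "10.0.0.5", "tcp", 80, 40001, "inbound", syn=False)
    partner = Packet("192.168.1.7", "10.0.0.5", "tcp", 51000, 22, "inbound", syn=True)

    stateful = StatefulFilter(RULES)
    return {
        "static_reply": static_filter(RULES, reply),     # static ACL cannot tie the reply to the request
        "stateful_request": stateful.filter(request),
        "stateful_reply": stateful.filter(reply),        # accepted via the state-table
        "stateful_stray": stateful.filter(stray),        # no state entry and not a new connection
        "stateful_partner": stateful.filter(partner),    # matches the 192.168.x.x rule
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The static filter has to deny the legitimate reply (or else open inbound port ranges wholesale), while the stateful filter admits it because the outbound request was recorded, and still drops the stray packet that has no state entry.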
2c. Discuss content filter technology in security. (04 Marks)
Ans:
Content Filter
• It is a software-filter that allows administrators to restrict access to content from within a network.
• It can help protect an organization’s systems from misuse and unintentional DoS problems.
• It restricts user access to
  → networking protocols (e.g., FTP, HTTP), and
  → Internet content (e.g., Facebook, YouTube, Amazon).
• It is also called a reverse-firewall because it is mainly used to restrict internal-access to external material.
• It has two components: rating and filtering.
1) Rating
  - It is like a set of firewall-rules for Web-sites.
  - It is most common in residential content-filters.
  - It can be
    → complex, with multiple access control settings for different levels of the organization, or
    → simple, with a basic allow/deny scheme like that of a firewall.
2) Filtering
  - It is a method used to restrict specific access-requests to the identified resources.
  - The resources may be Web-sites or servers.
• Two ways to configure:
1) Exclusive Mode
  - Certain sites are specifically excluded from access (e.g., Facebook, YouTube, Amazon).
  - Disadvantage: There may be thousands of Web-sites that an organization wants to exclude.
2) Inclusive Mode
  - Certain sites are specifically permitted for access (e.g., IEEE, Springer, Elsevier).

3a. Explain HIDPS. Write its advantages and disadvantages. (08 Marks)
Ans:
Host-Based IDPS (HIDPS)
• It is focused on protecting the information-assets of a server (or host).
• It resides on a particular host, and monitors activity only on that host.
• It is also known as a system integrity verifier because it
  → monitors the status of system-files, and
  → detects when an attacker creates, modifies, or deletes files.
• It is also capable of monitoring the system configuration database.
• It triggers an alert when one of the following occurs:
  → file-attributes change
  → new files are created, or
  → existing files are deleted.
• It can also monitor system logs for predefined events.
• It examines the log files to determine if an attack is underway or has already occurred.
• Advantages:
1) HIDPS can
  → detect local events on host systems, and
  → detect attacks that may escape a network-based IDPS.
2) It can process encrypted traffic.
3) It is not affected by the use of switched-network protocols.
4) It can detect inconsistencies in how applications were used by examining the records stored in audit logs. This enables it to detect Trojan horse attacks.
• Disadvantages:
1) It requires more management effort to install, configure, and operate.
2) It is vulnerable both to direct attacks and to attacks against the host operating system.
3) It is not optimized to detect multi-host scanning. Also, it is not able to detect the scanning of non-host network-devices such as routers or switches.
4) It is susceptible to some DoS attacks.
5) It requires a large amount of disk space to store audit logs.
6) It can impose a performance overhead on its host systems.

3b. Discuss port scanning and vulnerability scanning tools. (08 Marks)
Ans:
Port Scanners
• These are tools used by both attackers and defenders to identify
  → computers that are active on a network (fingerprinting)
  → ports and services active on those computers, and
  → functions and roles the machines are fulfilling.
• These tools either
  → scan for specific types of computers, protocols, or resources, or
  → scan for generic types.
• The more specific the scanner is, the more useful the information it provides to attackers and defenders.
• A port is a network channel or connection point in a data communications system.
• Within the TCP/IP model, each application has a unique port number. Port numbers are used to differentiate the multiple network services provided by the same computer.
• There are 2 types of ports:
1) Reserved Ports
  - Services with reserved ports generally run on ports 1–1023.
  - For example:
    TCP Port Numbers   TCP Service
    20 and 21          File Transfer Protocol (FTP)
    80                 Hypertext Transfer Protocol (HTTP)
2) Ephemeral Ports
  - Ports greater than 1023 are referred to as ephemeral ports.
  - These ports may be randomly allocated to server and client processes.
• Question: Why secure open ports?
  Ans:
  - An open port can be used by an attacker to gain access to a server and gain control over a networking device.
  - The rule of thumb is "Remove those services which are not absolutely necessary for conducting business".
  - For example, if a business doesn’t host Web services, then don't make port 80 available on its servers.
Vulnerability Scanners
• These tools scan networks for highly detailed information.
• There are two types:
1) Active-scanner
2) Passive-scanner
1) Active-scanner
• It is used to initiate traffic on the network in order to determine security-holes.
• It can be used to
  → identify usernames and groups
  → expose configuration problems, and
  → identify other security-holes in servers.
Nessus
  - It is a popular active-scanner.
  - It uses IP packets to identify
    → the hosts available on the network
    → the services of the hosts
    → the OS of the hosts, and
    → the type of firewall used.
  - Nessus has a class of attacks called destructive.
  - If enabled, Nessus attempts common overflow techniques against a target host.
Blackbox Scanner or Fuzzer
  - It is a class of vulnerability scanner.
  - Fuzz testing looks for security-holes in a program/protocol by feeding it random input.
  - Security-holes can be detected by measuring the outcome of the random inputs.
2) Passive-scanner
• It is used to
  → listen in on the network, and
  → determine vulnerable versions of both server and client software.
• Two popular tools:
1) Tenable Network Security with its Passive Vulnerability Scanner (PVS), and
2) Sourcefire with its RNA product.
• Advantages:
1) It does not require security analysts to get approval prior to testing.
2) It simply monitors the network-connections to and from a server to obtain a list of vulnerable applications.
3) It is able to find client-side security-holes that are typically not found by active-scanners.

3c. Define the following with respect to intrusion detection systems: i) alert ii) false positive iii) false negative iv) confidence value. (04 Marks)
Ans:
i) Alert or Alarm
• An indication that a system has just been attacked or is under attack.
• Different forms of alarms are
  → audible-signals
  → e-mail messages
  → pager notifications, or
  → pop-up windows.
ii) False Positive
• An alert occurs in the absence of an actual attack.
• A false positive may be produced when an IDPS mistakes normal system activity for an attack.
iii) False Negative
• An alert does not occur in the presence of an actual attack.
• It is the most serious failure, since the purpose of an IDPS is to detect and respond to attacks.
iv) Confidence Value
• The measure of an IDPS’s ability to correctly detect and identify certain types of attacks.
• The confidence value is based on experience and past performance measurements.
• The confidence value helps an admin determine how likely it is that an alarm indicates an actual attack in progress.
• For example, if a system has a confidence value of 90% for reporting a DoS attack, then there is a high probability that an actual attack is occurring.

4a. Describe any 4 attacks on a cryptosystem. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.4b.
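Returning to the host-based IDPS in 3a above, this added example (not code from the original notes) is a small system-integrity verifier: it baselines the content hash, size and permission bits of every file under a monitored directory, then re-scans and raises an alert for each created, deleted or modified file. The directory tree, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple

# Constructed example: a tiny system-integrity verifier of the kind a host-based IDPS uses.
# The paths and contents below are made up; only the checking logic matters.

def file_record(path: str) -> Dict[str, object]:
    """Snapshot of the attributes a HIDPS compares: content hash, size and permission bits."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}

def build_baseline(root: str) -> Dict[str, Dict[str, object]]:
    """Walk the monitored tree and record every file, keyed by its path relative to root."""
    baseline: Dict[str, Dict[str, object]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_record(full)
    return baseline

Alert = Tuple[str, str, Optional[str]]   # (kind, path, attribute that changed or None)

def check_integrity(root: str, baseline: Dict[str, Dict[str, object]]) -> List[Alert]:
    """Re-scan and raise an alert for every created, deleted or modified file."""
    current = build_baseline(root)
    alerts: List[Alert] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            alerts.append(("deleted", rel, None))
        elif rel not in baseline:
            alerts.append(("created", rel, None))
        else:
            for attr in ("sha256", "size", "mode"):
                if baseline[rel][attr] != current[rel][attr]:
                    alerts.append(("modified", rel, attr))
    return alerts

def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)

def demo() -> List[Alert]:
    """Build a baseline over a constructed tree, then simulate the three events a HIDPS alerts on."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "bin/ls", "pretend this is a binary\n")
        baseline = build_baseline(root)

        # Same length as before, so only the content hash reveals the change.
        _write(root, "etc/passwd", "r00t:x:0:0:root:/root:/bin/sh\n")
        os.remove(os.path.join(root, "bin", "ls"))
        _write(root, "var/tmp/unexpected.bin", "a file that was not in the baseline\n")
        return check_integrity(root, baseline)

if __name__ == "__main__":
    for kind, path, attr in demo():
        print(f"ALERT {kind:8s} {path}" + (f" ({attr} changed)" if attr else ""))
```

The modified file keeps its size, which is why a verifier that only compares sizes or timestamps would miss it; the content hash is what catches it.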
4b. Explain the substitution cipher technique. Discuss its weakness. (08 Marks)
Ans:
Substitution Cipher
Monoalphabetic Substitution
• To perform encryption, you substitute one alphabet for another alphabet. This type of substitution is called a monoalphabetic substitution because of the one-to-one mapping.
• For example: Here, we substitute each letter of the alphabet with the letter three values to the right. The first row is the plaintext, and the second row is the ciphertext.
  For example: The plaintext "MOON" will be encrypted into the ciphertext "PRRP".
Polyalphabetic Substitution
• To perform encryption, you substitute two or more alphabets for another value. This type of substitution is called a polyalphabetic substitution because of the one-to-many mapping.
• For example: Here, the first row is the plaintext, and the next four rows are four sets of ciphertexts.
  For example: The plaintext "MOON" will be encrypted into the ciphertext "PUXZ".
Vigenère Cipher
• This is an advanced form of polyalphabetic substitution.
• The ciphertext is found using the Vigenère table, which is made up of 26 distinct cipher alphabets.
• Table 4-1 illustrates the setup of the Vigenère table.
Table 4-1 The Vigenère Square
• Here, we use a keyword to represent the shift.
• For example,
  keyword: ITALY
  plaintext: SACK GAUL SPARE NO ONE
  Thus we have (the keyword repeated beneath the plaintext):
  plaintext: S A C K G A U L S P A R E N O O N E
  keyword:   I T A L Y I T A L Y I T A L Y I T A
• To perform the substitution, start with the first combination of keyword and message letters, i.e. IS. Use the keyword letter 'I' to locate the column. Use the message letter 'S' to find the row. Then, look for the letter at the intersection of column & row, i.e. A. This is the ciphertext-letter.
• Disadvantage: Any keyword-message letter combination containing an "A" row or column reproduces the plaintext-message letter. For example, the third letter in the plaintext, i.e. the C, has the combination AC, and thus is unchanged in the ciphertext.

4c. Define the following terms with respect to cryptography: i) encryption ii) cipher iii) keyspace iv) steganography. (04 Marks)
Ans:
i) Encryption
• The process of converting an unencrypted-message into an encrypted-message.
ii) Cipher or Cryptosystem
• An encryption-method used to perform encryption and decryption.
• The encryption-method includes
  → algorithm
  → key(s), and
  → procedures.
iii) Keyspace
• The entire range of values that can be used to construct an individual key.
iv) Steganography
• The hiding of messages, for example within the digital encoding of a picture or graphic.

5a. Write and explain the general format of an X.509 public key certificate. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5c.
5b. List the differences between Kerberos version 4 and version 5. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.5b.
5c. Explain any three active security attacks. (06 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5a.
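The Vigenère procedure from 4b above, as an added example (not code from the original notes): the table lookup is done arithmetically, the keyword ITALY is applied to SACK GAUL SPARE NO ONE, and the "A" weakness is located programmatically. It also treats the shift-by-three monoalphabetic cipher as the one-letter keyword 'D', which is my generalization, not a statement from the notes.

```python
import string

ALPHABET = string.ascii_uppercase

def _letters(text: str) -> str:
    """Keep only A-Z (the spaces in 'SACK GAUL SPARE NO ONE' are dropped, as in the worked example)."""
    return "".join(c for c in text.upper() if c in ALPHABET)

def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Vigenère square lookup done arithmetically: row = message letter, column = keyword letter,
    cell = (message + keyword) mod 26. Decryption subtracts the keyword shift instead."""
    key = _letters(keyword)
    out = []
    for i, p in enumerate(_letters(text)):
        shift = ALPHABET.index(key[i % len(key)])   # keyword repeats beneath the plaintext
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(p) + shift) % 26])
    return "".join(out)

def caesar(text: str, shift: int) -> str:
    """A monoalphabetic shift is a Vigenère with a one-letter keyword (shift 3 = keyword 'D')."""
    return vigenere(text, ALPHABET[shift % 26])

def unchanged_positions(text: str, keyword: str):
    """The weakness described in the notes: wherever the keyword letter is 'A' (shift 0),
    the plaintext letter passes through unchanged. Returns (position, leaked letter) pairs."""
    plain = _letters(text)
    cipher = vigenere(text, keyword)
    return [(i, p) for i, (p, c) in enumerate(zip(plain, cipher)) if p == c]

if __name__ == "__main__":
    ct = vigenere("SACK GAUL SPARE NO ONE", "ITALY")
    print(ct)                                      # first letter A, third letter C, as in the notes
    print(vigenere(ct, "ITALY", decrypt=True))     # round trip back to SACKGAULSPARENOONE
    print(unchanged_positions("SACK GAUL SPARE NO ONE", "ITALY"))
    print(caesar("MOON", 3))                       # note that N shifted by three is Q
```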
6a. Explain the PGP message generation and message reception technique. (10 Marks)
Ans:
PGP Message Generation
• The sending entity performs the following steps (Figure 6.7).
1) Signing the message:
  a) PGP retrieves the sender’s private-key from the private-key ring using your_userid as an index.
  b) PGP prompts the user for the passphrase to recover the unencrypted private-key.
  c) The signature component of the message is constructed.
2) Encrypting the message:
  a) PGP generates a session key and encrypts the message.
  b) PGP retrieves the receiver’s public-key from the public-key ring using her_userid as an index.
  c) The session key component of the message is constructed.
Figure 6.7 PGP Message Generation (from User A to User B; no compression or radix-64 conversion)
PGP Message Reception
• The receiving entity performs the following steps (Figure 6.8).
1) Decrypting the message:
  a) PGP retrieves the receiver’s private-key from the private-key ring using the Key ID field in the message as an index.
  b) PGP prompts the user for the passphrase to recover the unencrypted private-key.
  c) PGP
    → recovers the session key, and
    → decrypts the message.
2) Authenticating the message:
  a) PGP retrieves the sender’s public-key from the public-key ring using the Key ID field in the message as an index.
  b) PGP recovers the transmitted message digest.
  c) PGP
    → computes the message digest for the received message, and
    → compares it to the transmitted message digest to authenticate.
Figure 6.8 PGP Message Reception (from User A to User B; no compression or radix-64 conversion)

6b. Briefly explain the header fields of the MIME protocol. (05 Marks)
Ans:
Header Fields of MIME
• The five header fields defined in MIME are:
1) MIME-Version
  - Must have the parameter value 1.0.
  - This field indicates that the message conforms to RFCs 2045 and 2046.
2) Content-Type
  - Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user.
3) Content-Transfer-Encoding
  - Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport.
4) Content-ID
  - Used to identify MIME entities uniquely in multiple contexts.
5) Content-Description
  - A text description of the object in the body; this is useful when the object is not readable (e.g., audio data).

6c. What is S/MIME? What are the functions of S/MIME? (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6b.
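The PGP authentication flow (6a of the 2015 paper: SHA-1 hash, RSA with the sender's private-key, detached signatures) and the message generation/reception flow (6a of the 2016 paper: sign, session-key encryption, session key wrapped with the receiver's public-key) share the same primitives, so this single added example covers both. It is not code from the original notes or from PGP: the RSA keys are toy keys built from Mersenne primes and far too small to be secure, the SHA-256 counter keystream stands in for PGP's symmetric cipher, and the key-ring lookups by user ID / Key ID are replaced by module constants.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed example: the PGP sign/verify and generate/receive flows with toy RSA keys.
# Key sizes are far too small to be secure; only the sequence of operations matters.

Key = Tuple[int, int]   # (modulus n, exponent)

def make_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA: public (n, e), private (n, d)."""
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

# Sender A and receiver B each have a key pair (stands in for the key-ring lookups in the notes).
A_PUB, A_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
B_PUB, B_PRIV = make_keypair(2**127 - 1, 2**61 - 1)

SESSION_KEY_BYTES = 16
SIG_BYTES = 32          # holds any value below the 196-bit modulus of A's key

def rsa(x: int, key: Key) -> int:
    n, exp = key
    return pow(x, exp, n)

def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def sign(message: bytes, sender_priv: Key) -> int:
    """Sender: hash with SHA-1, then 'encrypt' the hash with the private key (steps 2-3)."""
    return rsa(sha1_int(message), sender_priv)

def verify(message: bytes, signature: int, sender_pub: Key) -> bool:
    """Receiver: recover the hash with the public key, rehash, compare (steps 1-4).
    Because the signature is separate from the message, this is also the detached-signature check."""
    return rsa(signature, sender_pub) == sha1_int(message)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (not PGP's algorithm)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def generate(message: bytes, sender_priv: Key, receiver_pub: Key) -> Dict[str, object]:
    """Figure 6.7: sign, encrypt signature+message under a fresh session key,
    then wrap the session key with the receiver's public key."""
    signature = sign(message, sender_priv).to_bytes(SIG_BYTES, "big")
    session_key = os.urandom(SESSION_KEY_BYTES)
    return {
        "wrapped_key": rsa(int.from_bytes(session_key, "big"), receiver_pub),
        "body": stream_xor(session_key, signature + message),
    }

def receive(pkt: Dict[str, object], receiver_priv: Key, sender_pub: Key) -> Tuple[bool, bytes]:
    """Figure 6.8: unwrap the session key, decrypt, split off the signature, verify."""
    try:
        session_key = rsa(pkt["wrapped_key"], receiver_priv).to_bytes(SESSION_KEY_BYTES, "big")
    except OverflowError:          # wrapped key was tampered with: no valid 128-bit key comes out
        return False, b""
    plain = stream_xor(session_key, pkt["body"])
    signature = int.from_bytes(plain[:SIG_BYTES], "big")
    message = plain[SIG_BYTES:]
    return verify(message, signature, sender_pub), message

def demo() -> Dict[str, object]:
    message = b"Meet at the usual place at noon."          # constructed message
    pkt = generate(message, A_PRIV, B_PUB)
    ok, recovered = receive(pkt, B_PRIV, A_PUB)

    tampered = dict(pkt)
    body = bytearray(pkt["body"])
    body[-1] ^= 0x01                                         # flip one bit of the ciphertext
    tampered["body"] = bytes(body)
    tampered_ok, _ = receive(tampered, B_PRIV, A_PUB)

    detached = sign(message, A_PRIV)                         # detached signature, sent separately
    return {
        "verified": ok,
        "recovered": recovered,
        "tampered_verified": tampered_ok,
        "detached_ok": verify(message, detached, A_PUB),
        "detached_on_altered": verify(message + b"!", detached, A_PUB),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```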
INFORMATION & NETWORK SECURITY SOLVED PAPER JUNE - 2017

2a. What is a firewall? Discuss the categorization of firewalls. (12 Marks)
Ans:
Firewall
• A firewall is an information-security program similar to a building’s firewall.
• A firewall prevents specific types of information from moving between an untrusted-network and a trusted-network.
  Example of an untrusted-network: Internet (outside world)
  Example of a trusted-network: Intranet or private network (inside world)
• Firewalls can be categorized by i) processing mode, ii) development era, or iii) structure.
i) Firewall Processing Modes
• Firewalls fall into 5 major processing-mode categories:
1) Packet-filtering firewall
2) Application gateway
3) Circuit gateway
4) MAC layer firewall, and
5) Hybrid firewall
1) Packet Filtering Firewall
• It operates at the network-layer of the OSI-model (Figure 2-1).
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
• The rules are based on a combination of the following:
  → IP source and destination address
  → Direction (inbound or outbound)
  → Protocol
  → TCP/UDP source and destination port
2) Application Gateway
• It operates at the application-layer of the OSI-model.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
• It is also known as a proxy-server because it runs special software that acts as a proxy for a service-request.
• The proxy-server
  → receives requests for Web-pages
  → accesses the Web-server on behalf of the external client, and
  → returns the requested-pages to the users.
• It is also known as a cache-server because it stores the most recently accessed pages in its internal cache.
3) Circuit Gateway
• It operates at the transport-layer of the OSI-model.
• It does not usually look at traffic flowing between one network and another network.
• Rather, it prevents direct connections between one network and another network.
• It
  → creates tunnels connecting specific processes/systems on each side of the firewall, and
  → allows only authorized traffic in the tunnels.
4) MAC Layer Firewall
• It operates at the data-link-layer of the OSI-model.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the MAC source and destination address.
5) Hybrid Firewall
• It combines the elements of the above 4 types of firewalls.
• For example: The elements of packet-filtering and proxy services; the elements of packet-filtering and circuit-gateways.
• It may consist of 2 separate firewalls which are connected so that they work in tandem.
ii) Firewall Categorized by Generation
1) First Generation Firewall
• It is a static packet-filtering firewall.
• It examines the header of packets that come into a network.
• It determines whether to drop or forward a packet based on the rules programmed into the firewall.
2) Second Generation Firewall
• It is an application-level firewall.
• It is frequently installed on a dedicated computer which is separate from the filtering-router.
• It is commonly used in conjunction with a filtering-router.
3) Third Generation Firewall
• It is a stateful inspection firewall.
• It monitors network-connections between internal and external systems using state-tables.
• A state-table records information like
  → source and destination address of devices involved in the conversation
  → what & when a packet is sent
4) Fourth Generation Firewall
• It is a dynamic packet-filtering firewall.
• Here, only a particular packet with a particular source, destination, and port address is allowed to enter the trusted-network.
5) Fifth Generation Firewall
• It includes the kernel-proxy.
• The kernel-proxy works under the Windows NT Executive, which is the kernel of Windows NT.
• It evaluates packets at multiple layers of the OSI-model.
iii) Firewall Categorized by Structure
1) Commercial Grade Firewall Appliance
• It is a stand-alone, self-contained combination of computing hardware and software.
• Normally, it has many features of a general-purpose computer with the addition of firmware-based instructions.
• Firmware-based instructions
  → increase the reliability/performance of the system, and
  → minimize the likelihood of the system being compromised.
2) Commercial Grade Firewall System
• It consists of application-software that is configured for the firewall-application.
• The application-software runs on a general-purpose computer.
• Organizations can either
1) install firewall-software on an existing general-purpose computer, or
2) purchase hardware that runs the firewall-application.
3) SOHO Firewall Appliance
• It is used for protecting residential-users and small businesses using DSL or cable-modem connections.
• Both DSL and cable-modem connections are more vulnerable to attacks.
• It is also known as a DSL-router or broadband-gateway.
• It connects the user's LAN/computer to the DSL-router provided by the ISP.
• It serves first as a stateful firewall to enable inside-to-outside access.
4) Residential Grade Firewall Software
• It is also used for protecting the residential-user.
• A software-firewall is installed directly on the user's computer.
• For example: antivirus.
• The most commonly used antivirus products are McAfee, Norton, AVG, Kaspersky etc.
2b. What is a VPN? Explain the 2 modes of a VPN. (08 Marks)
Ans: For answer, refer Solved Paper June/July 2014 Q.No.2c.
3a. Bring out the different types of intrusion detection system (IDPS), with their advantages and disadvantages. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.3a.
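The difference between the first-generation static packet filter and the third-generation stateful inspection firewall described above is easiest to see in code. The following is an added example written for this page, not code from the solved paper or from any firewall product: the trusted-network prefix, the addresses and the ports are constructed sample values, and the "rules" are a simplified (direction, destination port, action) list.

```python
"""First-generation static packet filtering beside third-generation stateful
inspection. All addresses, ports and the trusted-network prefix are
constructed sample values; this is added illustration, not code from the
solved paper."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TRUSTED_PREFIX = "10.0.0."   # constructed: hosts with this prefix are inside the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def is_inside(addr: str) -> bool:
    return addr.startswith(TRUSTED_PREFIX)


# A rule is (direction, destination port or "any", action). Rules are
# scanned in order, first match wins, and the implicit final rule denies.
Rule = Tuple[str, object, str]


def static_filter(pkt: Packet, rules: List[Rule]) -> str:
    """First generation: decide on the packet header and the rule list alone."""
    direction = "out" if is_inside(pkt.src) else "in"
    for rule_dir, port, action in rules:
        if rule_dir == direction and port in ("any", pkt.dport):
            return action
    return "deny"


class StatefulFilter:
    """Third generation: a state table records each conversation that was
    allowed outbound (who talked to whom, on which ports, and when), and an
    inbound packet is accepted as a reply only if the table knows it."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Dict[Tuple[str, str, int, int, str], int] = {}
        self.clock = 0   # stands in for a timestamp

    def check(self, pkt: Packet) -> str:
        self.clock += 1
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.state:          # reply to a conversation in the table
            return "allow"
        verdict = static_filter(pkt, self.rules)
        if verdict == "allow" and is_inside(pkt.src):
            self.state[key] = self.clock   # remember the outbound conversation
        return verdict


# Policy: trusted hosts may start any outbound connection; nothing inbound
# is listed, so unsolicited inbound traffic falls through to the deny.
POLICY: List[Rule] = [("out", "any", "allow")]


def demo() -> Dict[str, str]:
    """Return the verdicts both filters give to an outbound web request, its
    reply, and an unsolicited inbound packet that looks like a reply."""
    request = Packet("10.0.0.5", "203.0.113.8", 40000, 80)
    reply = Packet("203.0.113.8", "10.0.0.5", 80, 40000)
    unsolicited = Packet("203.0.113.9", "10.0.0.5", 80, 40000)
    stateful = StatefulFilter(POLICY)
    return {
        "static_reply": static_filter(reply, POLICY),         # deny: no rule lets replies back in
        "stateful_request": stateful.check(request),          # allow, and the table is updated
        "stateful_reply": stateful.check(reply),              # allow: matches the table entry
        "stateful_unsolicited": stateful.check(unsolicited),  # deny: no matching conversation
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The static filter has to choose between blocking the legitimate reply and opening every high port to the outside; the state table lets the stateful filter allow the reply while still denying a packet from a host the inside never talked to.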
3b. Define i) false negative ii) false positive iii) site policy iv) alarm filtering (04 Marks)
Ans:
i) False Negative
• An alert does not occur in the presence of an actual attack.
• It is the most serious failure, since the purpose of an IDPS is to detect and respond to attacks.
ii) False Positive
• An alert occurs in the absence of an actual attack.
• A false positive may be produced when an IDPS mistakes normal system activity for an attack.
iii) Site Policy
• The rules and guidelines governing the operation of IDPSs within the organization.
iv) Alarm Filtering
• The process of classifying IDPS alerts so that they can be more effectively managed.
• An admin can set up alarm filtering by running the system for a while to track what types of false positives it generates and then adjusting the alarm classifications.
• For example, the admin may set the IDPS to discard alarms produced by false attack stimuli or normal network operations.
• Like a packet filter, an alarm filter is used to filter alarms based on operating system, confidence values, alarm type, or alarm severity.
3c. Explain honey pots, honey nets and padded cell systems. (06 Marks)
Ans:
Honeypots, Honeynets, and Padded-Cell Systems
• Honeypot refers to a trapping-system used to tempt potential attackers into committing an attack.
• Honeynet refers to an interconnection of several honeypots on a subnet.
• A honeypot contains pseudo-services that imitate well-known services.
• But these services are configured in such a way that they look vulnerable to attacks.
• A honeypot is designed to do the following:
1) Divert an attacker from critical systems.
2) Collect information about the attacker's activity.
3) Encourage the attacker to stay on the system long enough for admins to respond.
• A honeypot pretends to hold valuable information.
• So, any unauthorized access to the honeypot can be considered as suspicious activity.
• Honeypots are equipped with sensitive monitors and event loggers that
→ detect attempts to access the system and
→ collect information about the potential attacker's activities.
• Padded-Cell refers to a honeypot that is protected so that it cannot be easily compromised.
• A padded-cell operates in tandem with a traditional IDPS.
• When the IDPS detects an attacker, the attacker is diverted to a dummy-system where they can cause no harm.
• Advantages:
1) Attackers can be diverted to dummy-systems that they cannot damage.
2) Attackers' actions can be monitored. The records can be used to refine threat models and improve system protections.
3) Honeypots may be effective at catching insiders who are snooping around a network.
4) Admins have time to respond to an attacker.
• Disadvantages:
1) An expert attacker, once diverted into a dummy-system, may become angry and launch a more aggressive attack.
2) The legal implications of using such devices are not well understood.
3) Honeypots/padded-cells have not yet been shown to be useful security technologies.
4) Admins must have a high level of expertise to manage these systems.
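Alarm filtering (3b) and the "any access to a honeypot is suspicious" rule (3c) fit naturally into one small classifier, and the same constructed data can be scored for false positives and false negatives as defined in 3b. The block below is an added example, not part of the solved paper or of any IDPS product: the sensor names, addresses, alert types, thresholds and the ground-truth list are all assumptions constructed for the illustration.

```python
"""Alarm filtering over constructed IDPS alerts, plus a count of false
positives and false negatives against constructed ground truth. Sensor
names, addresses and the site-policy thresholds are all assumptions made
for this added example; nothing here is taken from a real IDPS."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Alert:
    sensor: str        # "nids", "hids" or "honeypot" (constructed sensor names)
    alarm_type: str
    src: str
    confidence: int    # the sensor's own 0..100 confidence value
    severity: str      # "low", "medium" or "high"


# Constructed sample alerts, not real traffic.
ALERTS: List[Alert] = [
    Alert("nids", "port-scan", "10.0.0.50", 60, "low"),          # the admin's own scanner
    Alert("nids", "sensor-self-test", "127.0.0.1", 100, "low"),  # normal operation
    Alert("nids", "sql-injection", "198.51.100.7", 85, "high"),
    Alert("hids", "failed-login-burst", "10.0.0.23", 30, "medium"),
    Alert("honeypot", "ssh-login", "198.51.100.9", 20, "low"),
]

# Site-policy settings the admin arrived at after running the system for a
# while and seeing which false positives it produces.
FALSE_STIMULI: Set[str] = {"sensor-self-test"}   # false attack stimuli, always discarded
AUTHORIZED_SCANNERS: Set[str] = {"10.0.0.50"}
MIN_CONFIDENCE = 50
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def classify(alert: Alert) -> str:
    """Return 'discard', 'log' or 'page' (page an admin) for one alert."""
    if alert.sensor == "honeypot":
        # No legitimate user has any business on a honeypot, so any access
        # is suspicious regardless of the sensor's confidence value.
        return "page"
    if alert.alarm_type in FALSE_STIMULI:
        return "discard"
    if alert.alarm_type == "port-scan" and alert.src in AUTHORIZED_SCANNERS:
        return "discard"
    if alert.confidence < MIN_CONFIDENCE:
        return "log"
    return "page" if SEVERITY_RANK[alert.severity] >= 3 else "log"


def filter_alarms(alerts: List[Alert]) -> Dict[str, List[Alert]]:
    """Group alerts by the class the filter assigns them."""
    groups: Dict[str, List[Alert]] = {"discard": [], "log": [], "page": []}
    for alert in alerts:
        groups[classify(alert)].append(alert)
    return groups


Event = Tuple[str, str]   # (source address, alarm type)

# Constructed ground truth: what really happened during the sample window.
TRUE_ATTACKS: Set[Event] = {
    ("198.51.100.7", "sql-injection"),
    ("198.51.100.9", "ssh-login"),
    ("203.0.113.4", "dns-tunnel"),   # happened, but no sensor alerted on it
}


def error_counts(alerts: List[Alert], attacks: Set[Event]) -> Tuple[int, int]:
    """(false positives, false negatives): alerts with no real attack behind
    them, and real attacks that produced no alert at all."""
    alerted = {(a.src, a.alarm_type) for a in alerts}
    return len(alerted - attacks), len(attacks - alerted)


if __name__ == "__main__":
    for cls, group in filter_alarms(ALERTS).items():
        print(cls, [a.alarm_type for a in group])
    print("false positives, false negatives:", error_counts(ALERTS, TRUE_ATTACKS))
```

Note that filtering only reduces the noise the admin sees; the three false positives are still false positives of the IDPS itself, and the undetected event is a false negative no amount of filtering can recover, which is why the text calls it the most serious failure.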
4a. Encipher the text message "VISVESVARAYA TECH VERSITY" with one time pad text "JNANA SANGAMA KARNATAKA ST" using vernam cipher technique. (10 Marks)
Ans:
Vernam Cipher (or One-Time Pad)
• It uses a set of characters only one time for each encryption-process. Hence the name one-time pad.
• To perform encryption, the pad-values are added to the numeric-values that represent the plaintext.
• Each letter of the plaintext is converted into a number, and the pad-value for that position is added to it.
• The resulting sum for that character is then converted back to a ciphertext-letter for transmission.
• If the sum of the two values exceeds 26, then 26 is subtracted from the total.
• Consider the given problem (spaces are dropped; the answer places the pad text in the "Plaintext" row and the message in the "One-time pad" row, which gives the same sums because addition is commutative):
Plaintext             :  J  N  A  N  A  S  A  N  G  A  M  A  K  A  R  N  A  T  A  K  A  S  T
Plaintext value       : 10 14  1 14  1 19  1 14  7  1 13  1 11  1 18 14  1 20  1 11  1 19 20
One-time pad text     :  V  I  S  V  E  S  V  A  R  A  Y  A  T  E  C  H  V  E  R  S  I  T  Y
One-time pad value    : 22  9 19 22  5 19 22  1 18  1 25  1 20  5  3  8 22  5 18 19  9 29 25
Sum of plaintext & pad: 32 23 20 36  6 38 23 15 25  2 38  2 31  6 21 22 23 25 19 30 10 48 45
After mod subtraction :  6 23 20 10  6 12 23 15 25  2 12  2  5  6 21 22 23 25 19  4 10 22 19
Ciphertext            :  F  W  T  J  F  L  W  O  Y  B  L  B  E  F  U  V  W  Y  S  D  J  V  S
• The encryption-process works as follows:
→ The letter "J" is converted into the number 10 (because it is the 10th letter of the alphabet).
→ The pad-value is derived from the position of each pad-text letter in the alphabet; thus the pad-text letter "V" is assigned the position number 22.
→ This conversion process is repeated for the entire one-time pad text.
→ Next, the plaintext value and the one-time pad-value are added together.
→ The first sum is 32; since the sum exceeds 26, 26 is subtracted from the total, i.e. 32 - 26 = 6, so the ciphertext-letter is "F".
4b. Explain the different attacks on cryptosystems. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.4b.
5a. Discuss the different security attacks.
(10 Marks)
Ans:
Security Attack
• A security attack refers to any action that compromises information or network security.
• It can be divided into two categories: 1) passive attack and 2) active attack.
1) Passive Attack
• The attacker tries to learn or make use of information from the system.
• The attacker does not affect system resources.
• The attack can be in the form of eavesdropping on, or monitoring of, transmissions.
• Goal of the opponent: To obtain information that is being transmitted.
• Disadvantage (Problem): Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Solution: Use encryption.
• It can be subdivided into two categories: i) release of message contents and ii) traffic analysis.
i) Release of Message Contents
• For example:
→ A telephone conversation, an electronic mail message, or a transferred file may contain sensitive or confidential information (Figure 5.2).
→ We would like to prevent an opponent from learning the contents of these transmissions.
Figure 5.2: Release of message contents
ii) Traffic Analysis
• Encryption is the most common technique for hiding the contents of a message.
• Even if we have encryption protection in place, an opponent may be able to observe the pattern of these messages.
• The opponent can
→ determine the location and identity of the communicating hosts and
→ observe the frequency and length of the messages being exchanged (Figure 5.3).
• This information may be useful in guessing the nature of the communication that was taking place.
Figure 5.3: Traffic analysis
2) Active Attacks
• The attacker tries to alter system resources or affect their operation.
• For example:
→ modification of the data stream
→ creation of a false stream
• Goal (from the defender's side): To detect active attacks and to recover from any disruption or delays caused by them.
• It can be subdivided into four categories: i) masquerade, ii) replay, iii) modification of messages, and iv) denial of service.
i) Masquerade
• This attack takes place when one entity pretends to be a different entity (Figure 5.4).
• For example: Authentication sequences can be captured and replayed after a valid authentication sequence has taken place.
ii) Replay
• This attack involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (Figure 5.5).
iii) Modification of Messages
• For example:
→ some portion of a legitimate message is altered
→ messages are delayed or reordered (Figure 5.6).
iv) Denial of Service
• This attack prevents the normal use of communications facilities (Figure 5.7).
i) This attack may have a specific target.
→ For example: An entity may suppress all messages directed to a particular destination.
ii) This attack may involve the disruption of an entire network.
→ For example: Overloading the network to degrade performance.
• Disadvantage:
→ It is difficult to prevent active attacks because of the wide variety of potential physical, software, and network vulnerabilities.
Figure 5.4: Masquerade
Figure 5.5: Replay
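The text says the realistic goal against active attacks is detection and recovery rather than prevention. The block below is an added example, not part of the solved paper, showing the two mechanisms a receiver typically uses for that: a shared-key message authentication code, which exposes modification and masquerade by a party without the key, and a strictly increasing sequence number, which exposes replay and reordering. The key, the messages and the frame format are constructed for the illustration; a MAC gives no confidentiality, so the passive attacks above still have to be met with encryption.

```python
"""Detecting the active attacks listed above, as an added example: a shared-key
MAC plus a monotonically increasing sequence number lets the receiver reject a
modified message, a replayed one, and one forged by a party that does not hold
the key (masquerade). The key and messages are constructed sample values."""
import hashlib
import hmac
import json
from typing import List, Tuple

SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def protect(key: bytes, seq: int, payload: str) -> str:
    """Sender side: frame = sequence number + payload, with a MAC over both."""
    body = json.dumps({"seq": seq, "msg": payload}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0   # highest sequence number accepted so far

    def accept(self, frame: str) -> Tuple[bool, str]:
        """Return (accepted, reason-or-message). The MAC is checked first so
        that unauthenticated input never updates receiver state."""
        outer = json.loads(frame)
        expected = hmac.new(self.key, outer["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, outer["mac"]):
            return False, "bad mac (modified or forged)"
        inner = json.loads(outer["body"])
        if inner["seq"] <= self.last_seq:
            return False, "replay (sequence number not fresh)"
        self.last_seq = inner["seq"]
        return True, inner["msg"]


def demo() -> List[Tuple[bool, str]]:
    """Run a genuine frame, a replay, a modification, a forgery and the next
    genuine frame through one receiver, returning each verdict in order."""
    rx = Receiver(SHARED_KEY)
    genuine = protect(SHARED_KEY, 1, "transfer 100 to account A")
    results = [rx.accept(genuine)]                          # accepted
    results.append(rx.accept(genuine))                      # replay of the same frame
    tampered = json.loads(genuine)
    tampered["body"] = tampered["body"].replace("100", "900")
    results.append(rx.accept(json.dumps(tampered)))         # modification: MAC no longer matches
    forged = protect(b"wrong key", 2, "transfer 100 to account B")
    results.append(rx.accept(forged))                       # masquerade without the key
    results.append(rx.accept(protect(SHARED_KEY, 2, "ok")))  # next legitimate frame
    return results


if __name__ == "__main__":
    for accepted, info in demo():
        print("ACCEPT" if accepted else "REJECT", info)
```

Denial of service is the one category this does not touch: a receiver can verify every frame it gets and still be starved of frames, which is why the text treats it as a separate problem.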
Figure 5.6: Modification of messages
Figure 5.7: Denial of service
5b. Explain in detail the X.509 certificate format with a diagram. (10 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.5c.
6a. Discuss the services of pretty good privacy (PGP). (10 Marks)
Ans:
OPERATIONAL DESCRIPTION
• Basically, PGP provides the following services (Table 6.1):
1) authentication
2) confidentiality
3) compression
4) e-mail compatibility and
5) segmentation.
1) AUTHENTICATION
• Figure 6.1 illustrates the digital signature service provided by PGP.
• The sequence of operations is as follows:
At Sender
1) A message is created.
2) A hash code of the message is created using SHA-1.
3) The hash code is encrypted using RSA with the sender's private-key.
4) The encrypted hash code is appended to the message.
At Receiver
1) The received encrypted hash code is decrypted using RSA with the sender's public-key. Thus, the hash code is recovered.
2) A new hash code for the received message is created using SHA-1.
3) The new hash code is compared with the decrypted hash code.
4) If the two match, the message is accepted as authentic.
Figure 6.1: Authentication only
2) CONFIDENTIALITY
• Figure 6.2 illustrates the message encryption service provided by PGP.
• The sequence of operations is as follows:
At Sender
1) A message is created. A session key is used for this message only.
2) The message is encrypted using 3DES (or CAST) with the session key.
3) The session key is encrypted using RSA with the receiver's public-key.
4) The encrypted session key is appended to the message.
At Receiver
1) The received encrypted session key is decrypted using RSA with the receiver's private-key. Thus, the session key is recovered.
2) The received message is decrypted using 3DES (or CAST) with the session key.
Figure 6.2: Confidentiality only
3) COMPRESSION
• PGP compresses the message after applying the signature but before encryption.
• This has the benefit of saving space both for
→ e-mail transmission and
→ file storage.
1) The signature is generated before compression. This is done for the following two reasons:
a) It is preferable to sign an uncompressed message. For future verification, we then need to store only the uncompressed message together with the signature.
b) The compression algorithm is not deterministic across implementations, so a receiver could not reliably regenerate the same compressed form in order to verify a signature made over it.
2) Message encryption is applied after compression to strengthen cryptographic security.
4) E-MAIL COMPATIBILITY
• An encrypted message consists of a stream of arbitrary 8-bit octets.
• Radix-64 is used for converting a stream of arbitrary 8-bit octets to a stream of printable ASCII characters.
• Each group of 3 octets is mapped into 4 ASCII characters.
• A CRC is also appended for detecting errors.
• The use of radix-64 expands a message by 33%.
5) SEGMENTATION AND REASSEMBLY
• E-mail facilities are often restricted to a maximum message length.
• For example, many facilities on the Internet impose a maximum length of 50,000 octets.
• Any message longer than that must be broken up into smaller segments, each of which is mailed separately.
• The segmentation is done after all of the other processing, including the radix-64 conversion.
• Thus, the session key component and signature component appear only once, at the beginning of the first segment.
• At the receiving end, PGP must strip off all e-mail headers and reassemble the entire original block.
6b. Explain MIME content type. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6c.
6c. Briefly explain the S/MIME functionality. (05 Marks)
Ans: For answer, refer Solved Paper June/July 2015 Q.No.6b.
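The five services of 6a form one fixed pipeline on the sender (sign, compress, encrypt, radix-64 with CRC, segment) that the receiver runs backwards. The block below is an added example of that ordering, not PGP's own code: to run with the standard library alone, RSA-signed SHA-1 is replaced by an HMAC-SHA-256 under a shared signing key, 3DES/CAST by an XOR keystream derived from the session key with SHA-256, and the RSA wrapping of the session key is not modelled; the CRC is the 24-bit CRC that OpenPGP armor uses, and the segment limit is a small constructed number so that segmentation actually occurs. Keys and the message are constructed sample values.

```python
"""The PGP processing order from question 6a (sign, compress, encrypt,
radix-64 with a CRC, segment) and its reversal on receipt. Added example:
the real PGP algorithms (RSA, SHA-1, 3DES/CAST) are replaced by stand-ins so
the block runs with the standard library only. The segment limit is a small
constructed number so that segmentation actually happens."""
import base64
import hashlib
import hmac
import zlib
from typing import List

SIG_LEN = 32          # bytes of HMAC-SHA-256 output (stand-in for the RSA signature)
MAX_SEGMENT = 60      # constructed; the text quotes 50,000 octets for real facilities


def crc24(data: bytes) -> int:
    """CRC-24 as used for OpenPGP radix-64 armor (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for hash + private-key encryption of the hash."""
    return hmac.new(key, message, hashlib.sha256).digest()


def keystream_xor(session_key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for 3DES/CAST: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def radix64_armor(data: bytes) -> bytes:
    """3 octets -> 4 printable characters, then '=' + the CRC-24 in radix-64."""
    body = base64.b64encode(data)
    crc = base64.b64encode(crc24(data).to_bytes(3, "big"))
    return body + b"\n=" + crc


def radix64_dearmor(armored: bytes) -> bytes:
    body, crc = armored.rsplit(b"\n=", 1)
    data = base64.b64decode(body)
    if base64.b64decode(crc) != crc24(data).to_bytes(3, "big"):
        raise ValueError("radix-64 CRC mismatch: message corrupted in transit")
    return data


def segment(armored: bytes, limit: int) -> List[bytes]:
    return [armored[i:i + limit] for i in range(0, len(armored), limit)]


def pgp_send(sign_key: bytes, session_key: bytes, message: bytes) -> List[bytes]:
    signed = sign(sign_key, message) + message           # 1) sign the uncompressed message
    compressed = zlib.compress(signed)                    # 2) compress after signing
    encrypted = keystream_xor(session_key, compressed)    # 3) encrypt after compressing
    armored = radix64_armor(encrypted)                    # 4) radix-64 + CRC
    return segment(armored, MAX_SEGMENT)                  # 5) segment last of all


def pgp_receive(sign_key: bytes, session_key: bytes, segments: List[bytes]) -> bytes:
    armored = b"".join(segments)                          # reassemble before anything else
    compressed = keystream_xor(session_key, radix64_dearmor(armored))
    signed = zlib.decompress(compressed)
    signature, message = signed[:SIG_LEN], signed[SIG_LEN:]
    if not hmac.compare_digest(signature, sign(sign_key, message)):
        raise ValueError("signature mismatch: message not authentic")
    return message


# Constructed sample keys and message (not real key material).
SIGN_KEY = b"sender-signing-key"
SESSION_KEY = b"one-time-session-key"
MESSAGE = b"Hello Bob, the meeting moves to 10:00 on Friday. Regards, Alice."

if __name__ == "__main__":
    segs = pgp_send(SIGN_KEY, SESSION_KEY, MESSAGE)
    print(len(segs), "segments, first:", segs[0])
    print(pgp_receive(SIGN_KEY, SESSION_KEY, segs))
```

Two things the ordering buys are visible here: the signature is computed over the bytes the receiver will store, so verification later needs only the message and the signature, not the compressor; and because the CRC sits inside the armor of the whole block, corruption in any segment is caught once the segments are reassembled and before decryption is attempted.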