SlideShare a Scribd company logo

Network security chapter 1,2

E
Education

The document covers the fundamentals of computer network security, detailing the various forms of network threats and defenses against them. It discusses the necessity for network security, including protecting sensitive organizational data from malicious attacks, and outlines common attack methods such as denial of service and spoofing. Additionally, it introduces defensive strategies like access control and the importance of authentication, authorization, and auditing in maintaining network integrity.

Engineering
1 of 17
Downloaded 30 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 1 COMPUTER NETWORK SECURITY Course outline The need for network security The Network security problem Different types of attacks Malicious and Non-Malicious Program Flaws Protection in operating systems Spoofing Intrusion Detection Systems Firewalls Operating Systems Hardening Device security Honeypots and honey nets Module objectives Understand Why we need network security The nature of the network security problem Defensive strategies The gold standard History What is network security? Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment. OR Network security is an over-arching term that describes that the policies and procedures implemented by a network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources. This means that a well-implemented network security blocks viruses, malware, hackers, etc. from accessing or altering secure information. 1. The need for network security 1.1 Why do you need to take this course? Credit towards Bachelor degree An easy A Value for your organization An organization’s data may include personnel information which may include sensitive information, which could be misused, or information of personal nature which should not be disclosed to authorize users only. It may include payroll information, contact lists, strategies and plans, fiscal reports, and
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 2 intellectual property such as present and future product designs, the sort of things that the organization wouldn’t publish on the streets 1.1.1 Value of an organization’s data Personnel information Financial information Intellectual property Proprietary information Contact lists 1.1.2 Organizations that are at risk: Corporate financial systems Credit card processing systems ATMs Telephone systems Emergency response infrastructure Air traffic control Power system Almost all processes automated No manual alternative In case of a crash, restoration is essential Nature of problem Common belief: Computers are digital devices, sharp 1s and 0s, so perfect security should be possible Not true Too many contributing factors: too many people and too many programs involved A reasonable goal would be as good as real-world security Common network security problem isn’t the result of human error or intent; it is due to the forces of nature: lightning, flood, fire and earthquake. And surprisingly, some other common network security problems are none other than equipment failure, outdated technology, issues with ISP or WAN service or software failures and errors. Nature of problem-differences Variety of attack methods Can attack a lot more places Can attack a lot more quickly Can attack with relative anonymity All without spending too many resources Defensive strategies Access Control Keep everybody out. Disconnect your PC from the network, and only install programs that you wrote yourself. It will be secure, but it will be more difficult to be worked on.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 3 Keep the bad guy out. This can be done in a variety of ways, such as code signing and firewalls. You can let the bad guy in but keep him from doing bad things by using sandboxing or access control. Try to catch the bad guy and prosecute him. This uses a different set of techniques, instead of locks it uses auditing. The access control model is based on a principal sending requests to an object, and there is a guard in between that scrutinizes the request and its source to decide whether or not it should be allowed to go through to the object. The gold standard Authentication, authorization, and auditing, all start with Au, so they are also known as the gold standard. The principle of authentication is that you have a way of knowing what principal is taking responsibility for the request that is being made. Principals are usually people, but can also be channels, servers, and programs. For example, typically in distributed applications, communication channels are implemented by means of encryption and the encryption key acts as a principal. Cont’d The next step is to figure out whether or not that request coming from that party ought to be granted. This is authorization. Typically access is granted to principals or group of principals. Auditing keeps track of all the activity. Auditing analyzed logs and access requests that were made by principals that were either granted or denied. Another underlying principle in this model is assurance. How do you know that the system doesn’t have bugs? One of the ways to think of that is in terms of a trusted computing base in which are all things that have to be working correctly in order for you to have security. Common attacks and Exploits 1.Denial of Service (Dos) 2.Distributed Denial of Service (DDoS) 3.Back door 4.Spoofing 5.Man in the middle 6.Replay 7.Session hijacking 8.DNS poisoning 9.Password guessing 10.Software exploitation 11.War dialing 12.War driving 13.Buffer overflow 14.SYN flood 15.ICMP flood 16.UDP flood 17.Smurfing 18.Sniffing 19.Ping of death Denial of Service (DoS) A denial of service attack causes disruption of service to legitimate users.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 4 For example, causing a web server to overload, due to which browsers would be unable to view the websites on that web server, or overloading a file server so that users are unable to access their home folders. Work by: Resource exhaustion Application or OS crash A denial of service attack is an effort to make one or more computer systems unavailable. It is typically targeted at web servers, but it can also be used on mail servers, name servers, and any other type of computer system. Denial of service attacks can be problematic, especially when they cause large websites to be unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness. While many well-known websites, like Google, Twitter, and WordPress, have all been targets of denial of service attacks in the past, they have been able to update their security systems and prevent further service interruptions. Distributed Denial of Service (DDoS) A distributed denial of service attack is when several machines taken over by an attacker launch a coordinated denial of service attack against a common target to achieve a far greater impact. These are compromised machines. See http://grc.com/dos/grcdos.htm for a good example of this type of attack. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users Back door A backdoor is an opening in software which allows entry into the system/application without the knowledge of the owner. Backdoors are sometimes left by the developer intentionally, and sometimes exist by virtue of bad programming logic and practices. Definition: A backdoor is a secret or undocumented means of getting into a computer system. Many programs have backdoors placed by the programmer to allow them to gain access to troubleshoot or change the program. Some backdoors are placed by hackers once they gain access to allow themselves an easier way in next time or in case their original entrance is discovered Spoofing Some communication protocols use a host’s IP address as a trust and authentication mechanism. An attacker may forge the IP address of a trusted host to fool the target into trusting the attacker’s machine
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 5 The word "spoof" means to hoax, trick, or deceive. Therefore, in the IT world, spoofing refers tricking or deceiving computer systems or other computer users. This is typically done by hiding one's identity or faking the identity of another user on the Internet. E-mail spoofing can take place on the Internet in several different ways. One common method is through e-mail. E-mail spoofing involves sending messages from a bogus e-mail address or faking the e-mail address of another user. IP spoofing another way spoofing takes place on the Internet is via IP spoofing. This involves masking the IP address of a certain computer system. By hiding or faking a computer's IP address, it is difficult for other systems to determine where the computer is transmitting data from. Man in the middle Man in the middle attacks is launched by placing oneself in the middle of a communication session, so as to intercept the traffic. The attacker may merely passively listen in on the conversation or may introduce other information into the traffic. A Man-in-the-Middle attack is a type of cyber-attack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A Man-in-the-Middle Attack allows a malicious actor to intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. Man-in-the-Middle attacks can be abbreviated in many ways including, MITM, MitM, MiM, or MIM. Replay The attacker uses a packet sniffer to capture packets on the wire and extracting information from them. For example, username and passwords, and later placing the same information back on the wire so as to have the target believe that it is a new legitimate session. A Replay attack is when a Hacker uses a Sniffer to grab packets off the wire After packets are captured, then the hacker can simply extract information from the packets like authentication information and passwords Once the information is extracted, the captured data can be placed back on the network or replayed For example, messages from an authorized user who is logging into a network may be captured by an attacker and resent (replayed) the next day. Even though the messages may be encrypted, and the attacker may not know what the actual keys and passwords are, the retransmission of valid logon messages is sufficient to gain access to the network.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 6 Session hijacking (TCP/IP Hijacking) This is when an attacker takes over a communication session between two hosts. TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine DNS poisoning Wrong information may be added to your DNS files. Your host will be directed to the wrong direction due to DNS poisoning. Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or othermalware can be downloaded to the user's computer from the rogue location. Password guessing Password guessing is an attack on the authentication credentials on any system. One form of password guessing is brute force attacks in which an attacker uses every single possible key to try and crack the passwords. In another form, known as dictionary attack, all words in a dictionary file are tried as passwords. Another type of network attack is Password Guessing attack. Here a legitimate users access rights to a computer and network resources are compromised by identifying the user id/password combination of the legitimate user. Password guessing attacks can be classified into two. Brute Force Attack: A Brute Force attack is a type of password guessing attack and it consists of trying every possible code, combination, or password until you find the correct one. This type of attack may take long time to complete. A complex password can make the time for identifying the password by brute force long. Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a dictionary of common words to identify the user’s password. Software exploitation These are attacks against a system’s software bugs or flawed code.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 7 a piece of software is it will still contain bugs. One of the most common bugs involves buffer overflows where an area of memory has been allocated by the programmer to store a specific amount of data. When the volume of data written to the storage area exceeds the space allocated a buffer overflow occurs causing part or all of the system to crash, potentially leaving it open for an intruder to take over War dialling In order to gain access into a network, the organization’s range of PBX numbers is used as input to a war dialler program, which dials all those phone numbers using a modem, and logs whether or not the call was answered by a modem. The process of running modem scanning tools against a PBX or any given dialup modem for the purpose of penetration. A war dialler is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem. The program will dial a range of numbers you ask it to dial and will log failure and success ranges in a database War driving These are attacks against wireless networks, which work by passing from outside the building with a wireless Ethernet card in promiscuous mode. Around the year 2000, an engineer named Peter Shipley coined the term war driving to refer to the practice of deliberately searching a local area looking for Wi-Fi wireless network signals. Mr. Shipley pioneered the practice of using an automobile, a Global Positioning System (GPS), and a mounted antenna to identify unsecured wireless home networks Buffer overflow Buffer overflow attacks are due to poorly written code which does not check the length of variable arguments. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. SYN flood Occurs when a network becomes so overwhelmed by SYN packets initiating incomplete connection requests that it can no longer process legitimate connection request causing high CPU, memory, and NIC usage. A SYN flood is a type of denial of service (DoS) attack that sends a series of "SYN" messages to a computer, such as a web server. SYN is short for "synchronize" and is the first step in establishing
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 8 communication between two systems over the TCP/IP protocol.When a server receives a SYN request, it responds with a SYN-ACK (synchronize acknowledge) message. The computer then responds with an ACK (acknowledge) message that establishes a connection between the two systems. In a SYN flood attack, a computer sends a large number of SYN requests, but does not send back any ACK messages. Therefore, the server ends up waiting for multiple responses, tying up system resources. If the queue of response requests grows large enough, the server may not be able respond to legitimate requests. This results in a slow or unresponsive server. ICMP flood (Internet Control Message Protocol Flood) An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. ICMP is primarily used for error messaging and typically does not exchange data between systems. An ICMP Flood is the sending of an abnormally large number of ICMP packets. This flood can overwhelm a target server that attempts to process every incoming ICMP request, and can result in a denial-of-service condition for the target server. UDP flood Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a session less/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host Smurfing An ICMP echo request is sent to a network’s broadcast address with a spoofed source IP address. The spoofed machine is then overwhelmed with a large number of echo replies. The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol(ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 9 Sniffing Sniffing uses protocol analysers or packet sniffers to capture network traffic for passwords or other data. A sniffer is an application that can capture network packets. Sniffers are also known as network protocol analysers. They are also used by hackers for hacking network. If the network packets are not encrypted, the data within the network packet can be read using a sniffer. Once the packet is captured using a sniffer. Sniffers are used by hackers to capture sensitive network information, such as passwords, account information etc. Ping of death Ping of death attack uses oversized ICMP echo requests to a hosts in an attempt to crash it. Ping of Death (PoD) is a type of network attack in which an attacker sends a network packet that is larger than what the target computer can handle. This can crash the computer, or freeze or degrade computer service. Ping of death is used to make a computer system unstable by deliberately sending larger ping packets to the target system over an IPv4 network. Ping of death is also known as long ICMP TCP Three-way handshake  Security implementation Identify what you are trying to protect. Determine what you are trying to protect them from. Determine how likely the threats are. Implement steps that protect your assets in a cost effective manner Review the process continuously making improvements when you find a weakness Assets needing to be protected Physical resources Intellectual resources
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 10 Time resources Perception resources Physical resources Anything that has a physical form Routers, hubs, switches, servers etc Assets that have a physical form, such as workstations, servers, printers, hubs, switches, routers, firewalls. Basically, any computing resource that has a physical form can be considered a physical resource. An individual walks into an organization’s office claiming to be a computer repairs technician. The receptionist allowed him through giving directions to the network administrator’s office. The repairs person returns a short while later with a network printer which he claims needs repairs and must be taken back to the shop. Of course, the printer didn’t need repairs, and he didn’t seek the network administrator. Instead, he just unplugged the first high end printer he came across and took it with him. The theft was discovered when the network administrator heard complaints about people being unable to print. Of course, it’s not easy to print without the printer. This printer theft could’ve been avoided if the company policy dictated that no outsider would be allowed in without an escort, and would have saved the company the cost of replacing a high end network printer Intellectual resources Sometimes harder to identify Exist in electronic form only Any information that plays a vital role in your organization’s business Software, financial records, database records, schematics, emails etc These resources are sometimes harder to identify because they exist only in electronic form. An intellectual resource is any information that plays a part in your organization’s business. This can include software, financial information, database records and schematic .If email is used to exchange information, the stored email messages are also intellectual resources. Time resources An important resource which is overlooked quite often in a risk analysis. To evaluate what lost time costs your organization, make sure to include all consequences of lost time It is an important organizational resource which is quite often over-looked in a risk analysis. When evaluating what lost time could cost your organization, make sure that you include all the consequences of lost time. Consider a company’s file server, which is backed up every night, but doesn’t have redundant hard disk drives. The disk drive crashes. The physical loss is a hard disk drive, which is not very expensive. The intellectual loss is whatever was updated since the last backup. What is lost in terms of time can be evaluated based on what the network administrator must do as a cleanup job
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 11 1. Install the new disk drive in the system 2• completely reinstall the network operating system, any required patches, and the back-up software, if necessary 3• Restore all required backup tapes. If a full backup is not performed every night, there may be multiple tapes to restore from. Perception resources Risk of damage to perception is the cause of significant trouble The stock prices for affected companies fell after the denial of service attacks of February 2000. Although this loss was not long term, it had a real, measurable impact on the trust of consumers and stockholders. With the publicity surrounding the penetration of Microsoft’s system in October 2000, some wondered if valuable source code had been unknowingly modified. Sources to protect from Potential network attacks may come from any source that has access to your network. These sources can vary greatly, depending on your organization’s size and the type of network access provided. Some of these sources could include: Internal network Access from field offices Access from WAN link to the business partners Access through the Internet Access through modem pools Internal systems A vast majority of attacks originate from within the organization Using firewalls protects from external threats, but it is still the employees that are responsible for the greatest amount of damage or compromise of data, because they have the insider’s view of how your network operates A vast majority of attacks originate from within the organization. While using firewalls protects assets from external attacks is all the rage, it is still the employees, who have an insider’s view of how your network operates, who are responsible for the greatest amount of damage to, or compromise of your data. This damage can be accidental, or in some cases, intentional Internal attacks Disgruntled employee or ex-employee Not so computer literate management with access privileges A company’s CEO insisted on having administrative privileges on the NetWare server and inadvertently deleted the cc:Mail directory The most typical cause of a true attack is a disgruntled employee or ex-employee. for example, one company’s owner insisted on having full privileges on the NetWare server, even though he was not very computer literate. He inadvertently deleted the cc:Mail data directory, which contained al the mail messages and public folders. Approximately two years worth of data disappeared.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 12 External attacks Although external attacks can come from ex-employees, the range of possible attacks increases dramatically. Competitors Stealing designs, financial statements, making network resources unavailable Shorten development time Equip their products with better features Second lowest price website DoS If you are in a highly competitive business, an ambitious competitor may see advantage in attacking your network. This can take the form of stealing designs or financial statements, or just making your network resources unusable Subjecting the website of a competitor with lower prices to a denial of service attack than your organization, could lead some buyers to your website because it has the second lowest prices, and the lowest price product is unavailable due to denial of service Militant viewpoints If your organization has controversial viewpoints If your business can be considered controversial, it may be prone to threats from others who take a different point of view. In 1998, following the nuclear tests by India and Pakistan, Indian and Pakistani hackers launched defacing attacks on each other’s websites. High profile An organization with high visibility is a good candidate for an attack for merely the sake of notoriety or a wider audience Organizations can become a target for attack simply because of their high level of visibility. A would- be attacker may attempt to infiltrate a well-known site with the hope that a successful attack will bring with it some level of notoriety. In May 1999, major US government websites including whitehouse.gov, fbi.gov, and senate.gov were defaced. Threat assessment Network security attacks are malicious or unintentional attempts to use or modify resources available through a network in a way they were not intended to be used The goal of network security is to protect its assets from network attacks. The goal of network security is to protect its assets from network attacks. Network attacks may be defined as malicious or unintentional attempts at using or modifying resources available through the network in a way that they were not intended to be used. All network attacks fall into one of the following categories:
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 13 Network attack types Unauthorized access to resources or information through the use of a network Unauthorized manipulation and alteration of information on a network Denial of service The key to note here is the word unauthorized. It is the job of a network security policy to spell out what is authorized and what is not. The network attack can be planned as well as intentional and the job of the network security mechanisms is not only to protect against planned attacks which are coordinated attacks conducted by malicious users, but also against unintentional attacks in terms of mistakes made by users. Network security goals Based on the three types of attacks, the goals of network security are to: Ascertain data confidentiality Maintain data integrity Maintain data availability Risk assessment After threat identification, the likelihood must be determined Security is expensive It is not feasible to protect against all types of attacks It is wise to protect against the most likely threats Having identified the assets and the factors that threaten them, the next step in formulating a network security implementation is to ascertain how likely the threats are in the environment in which the security is being implemented. Realize that although it can be important to protectagainst all types of attacks, security does not come cheap. Therefore, a careful analysis must be done to find out what the most significant sources of attack are and devote the most resources to protecting against them. Even though risk assessment can be done in a number of ways, there are two main factors that affect the risk associate with a particular type of threat’s materializing: • The likelihood of that particular attack being launched against the asset in question • The cost to the network in terms of damages that a successful attack will incur It is often useful to divide the risk analysis into three categories: Confidentiality Integrity Availability If a network resource’s availability is critical and the likelihood of an attack being launched against it is high, this asset’s risk level can be considered fairly high. For example, a high visibility web server.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 14 Due to its high visibility, it can be a likely target for attackers. Also, it is important for a web server to be available all the time. Therefore, this asset is high-risk in terms of availability. If an asset’s availability is critical and the likelihood of an attack is high, the asset’s risk level can be considered high e.g., a high visibility web server is a high risk asset in terms of availability An FTP server used internally, which is not visible from the outside has a lower risk level in terms of availability but a high risk level in terms of confidentiality Note that all risk assessments are relative Once a list of risk levels associate with various assets in the network have been compiled, the next step is to create a policy framework for protecting these resources so that risk can be minimized Network security policy Having determined the risk level of various assets, the next step is to formulate a security policy A security policy must prioritize mitigation of threats against high risk assets and then spend the rest of its resources to protecting the lower risk assets Defines a framework for protecting the assets connected to a network Defines access rules and limitations for accessing various assets A source of information for users and administrators as they: Setup, Use and Audit the network Should be broad and general in scope Provide a high level view of the principles on which security related decisions should be taken Should not go into the details of how security is to be implemented The details can change overnight, but the general principles of what these details are trying to achieve should remain the same Roles played by the policy: Clarify what is being protected and why State who is responsible for providing the protection Provide grounds on which to interpret and resolve any future conflicts The first point is an offshoot of the asset identification and risk analysis Those responsible for the protection can be one or more of the following: Users Administrators and managers Network usage auditors Managers who have overall ownership of the network and its associate resources The third point places responsibility on shoulders of a particular person to resolve any conflicts A network policy should be such that it can be implemented using existing technology, it shouldn’t contain elements that are not technically enforceable In terms of ease of use there are two types of network security policies: Permissive: that which is not expressly prohibited is allowed Restrictive: that which is not expressly allowed is prohibited
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 15 It is better to have a restrictive policy and then based on usage open it up for legitimate uses A permissive policy will have holes in it no matter how hard you try to plug all holes A security policy must balance: Ease of use Network performance Security aspects An overly restrictive policy costs more than a slightly more lenient one might make up for it in terms of performance gains Minimum security requirements as identified by risk analysis must be met for a security policy to be practical. A network security policy defines a framework to protect the assets connected to a network based on a risk assessment. A network security policy defines the access rules and limitations for accessing various assets. It is the source of information for users and administrators as they set up, use, and audit the network. A network security policy should be general and broad in scope. What this means is that it should provide a high level view of the principles based on which security-related decisions should be made, but it should not go into the details of how the policy should be implemented. The details can change overnight, but the general principles of what these details are trying to achieve should remain the same. The policy should play the following roles: • Clarify what is being protected and why it is being protected • State who is responsible for providing that protection • Provide grounds on which to interpret and resolve any later conflicts that might arise The first point is an off shoot of the asset identification and risk assessment. The second point covers who is responsible for ensuring the security requirements are met. This can be one or more of the following: • Users • Administrators and managers • Network usage auditors • Managers who have overall ownership of the network and its associated resources The third point places the responsibility of resolving issues not covered by the policy on the shoulders of a particular person rather than leaving them open to arbitrary interpretation. A network security policy should be implementable given available technology. A network security that is very comprehensive but contains elements that are not technically enforceable is less than useful. In terms of ease of use of network resources for users, There are two types of network security policies: • Permissive: everything not expressly prohibited is allowed • Restrictive: everything not expressly permitted is prohibited
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 16 It is generally better to have a restrictive policy and then based on actual usage, open it up for legitimate usage. A permissive policy generally has holes no matter how hard you try to plug all the holes. A security policy must balance ease of use, network performance, and security aspects in defining the rules and regulations. This is important, because an overly restrictive security policy can end up costing more than a security policy that is somewhat more lenient but makes up for it in terms of performance gains. Of course, minimum security requirements as identified by risk analysis must be met for a security policy to be practical. Implementation Implementation of Network security involves technical and non-technical aspects It is important to come up with a design agreeable for all involved parties The following points must be kept in mind before implementation: All stakeholders (including users and management) must agree on the policy It is crucial to educate all parties including management on why security is necessary. This education must continue in case of newcomers Management and financial people must be educated about the cost and risk analysis because security is expensive and is not a one-time expense Responsibilities of people and their reporting relationship must be clearly defined The next step is network security design Translate security policy into procedures which are usually laid out tasks that must be completed to implement the security policy Execution of these procedures results in a network design that can be implemented using various devices The following are components of network security design: Device security features such as administrative password Firewalls Remote access VPN concentrators Intrusion detection Access control and limiting mechanisms Implementing a network security policy involves technical as well as non-technical aspects. Even though it is challenging enough to find the right equipment that can work together and implement the security policy in its true spirit, coming up with a design that is workable for all parties concerned is equally challenging. The following points must be kept in mind before implementing a security policy: • All stakeholders, including the users and the management must agree or have consensus on the security policy. It is not easy to maintain a security policy that not everyone is convinced is necessary. • It’s crucial to educate the users and the affected parties, including management, on why security is important. You must make sure that all parties understand the reasons behind the security policy and what is about to be implemented. This education must continue on an ongoing basis such that all newcomers to the company are aware of the network’s security aspects.
Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 17 • Security does not come for free. Implementing security is expensive and is often an ongoing expense rather than a one-time cost. It is important to educate the management and the financial people about the cost and risk analysis done in coming up with the security policy. • Responsibilities of various people must be clearly defined for various parts of the network and their reporting relationships. Working on implementing a security policy while keeping these issues in mind can help you implement a security policy both in practice and in spirit. Audit and improvement It is important to continually analyse, test and improve the security policy after implementation This can be done through: Formal security audits Day-to-day checks based on operational measurements Audits can also be done using automated tools An important purpose of audits is to keep the users aware of implications of their actions Can help identify bad user habits There should be schedule and random audits A random audit will help: Catch the organization with its guards down Reveal weakness during maintenance etc If the audit reveals technical issues, they can be fixed by technical means Other issues can be addressed by user education programs Education programs should not go into minute details, but focus on the goals of the policy and how the user can help in its implementation Using examples of what they did wrong would cause the users to think that they can not do any wrong unless they are caught doing wrong After implementation of a network security policy, it is critically important to continually analyze, test and improve it. This can be done by formal audits of the security systems as well as through day-to- day checks based on normal operational measurements. Audits can also take various forms, such as automated audits using software tools. Many commercial as well as open source tools are available for this. An important purpose of the security audit is to keep the users aware of the implications of their actions on the network. Audits can be used to identify habits that the users may have formed that can lead to network attacks. Audits should be scheduled as well as random. A random audit tends to catch the organization with its guards down and also reveals penetrability during maintenance, turnaround and so on. After identification of various issues through the audit, if the issues are technical, they can be fixed or they can be transformed into educational programs to educate the users on better network security techniques. These programs should focus on the goals of the network security policy and how individuals can help in its implementation. The education should not be of minute details of things that the users are doing wrong, but to educate them on the general security policy and use infringements as examples. An audit and education that is too hands on can remove a sense of empowerment from the users, making them think that they can do no wrong until they are caught doing something wrong.

More Related Content

PPT
Networking fundamentals
Besar Limani
 
PDF
VLAN and its implementation
Mohit Kumar
 
PPT
Network layer and circuit switching
asimnawaz54
 
PDF
pfSense firewall workshop guide
Sopon Tumchota
 
PPT
SDH BASICS
Niranjan Poojary
 
PDF
Yet Another Fog Simulator (YAFS) - user guide
wisaaco
 
PDF
Data Communication & Networking
Md Abdus Sobur Sikdar
 
PPT
H.323 protocol
Habibur Rahman
 
Networking fundamentals
Besar Limani
 
VLAN and its implementation
Mohit Kumar
 
Network layer and circuit switching
asimnawaz54
 
pfSense firewall workshop guide
Sopon Tumchota
 
SDH BASICS
Niranjan Poojary
 
Yet Another Fog Simulator (YAFS) - user guide
wisaaco
 
Data Communication & Networking
Md Abdus Sobur Sikdar
 
H.323 protocol
Habibur Rahman
 

What's hot (11)

PPT
Lte mac presentation
Praveen Kumar
 
PDF
Throughput calculation for LTE TDD and FDD systems
Pei-Che Chang
 
PPT
Call flow comparison gsm umts
sivakumar D
 
PPT
Multicasting and multicast routing protocols
Abhishek Kesharwani
 
PPT
2. data and signals
Humayoun Kabir
 
PDF
Opti x rtn 910950980 hardware description wind
nctgayaranga
 
PPTX
BSNL
BUNDELKHAND INSTITUTE OF ENGINEERING & TECHNOLOGY
 
PPTX
CCNA3 Verson6 Chapter1
Chaing Ravuth
 
PPTX
Teaching English as a Foreign Language in Japan
Hirosaki Gakuin University
 
PPT
GPRS/EDGE Basics / knowledge sharing
Mustafa Golam
 
PPT
Handling Common Faults and Alarms for Huawei RTN Microwaves
ibrahimnabil17
 
Lte mac presentation
Praveen Kumar
 
Throughput calculation for LTE TDD and FDD systems
Pei-Che Chang
 
Call flow comparison gsm umts
sivakumar D
 
Multicasting and multicast routing protocols
Abhishek Kesharwani
 
2. data and signals
Humayoun Kabir
 
Opti x rtn 910950980 hardware description wind
nctgayaranga
 
BSNL
BUNDELKHAND INSTITUTE OF ENGINEERING & TECHNOLOGY
 
CCNA3 Verson6 Chapter1
Chaing Ravuth
 
Teaching English as a Foreign Language in Japan
Hirosaki Gakuin University
 
GPRS/EDGE Basics / knowledge sharing
Mustafa Golam
 
Handling Common Faults and Alarms for Huawei RTN Microwaves
ibrahimnabil17
 
Ad

Viewers also liked (17)

PPTX
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
 
PPTX
Password craking techniques
أحلام انصارى
 
PDF
Cehv8 - Module 10: Denial of Service
Vuz Dở Hơi
 
PPTX
Last news from the 2.0 World
Henri Kaufman
 
DOC
Drept fiscal
Serghei Murzac
 
PPT
Kokomo Twitter Seminar
Kyle Lacy
 
PPTX
נושאים מתקדמים בניורו-חישוביים הרצאת מבוא
butest
 
PDF
Immediate Media General Agency Deck
Jamie Hall
 
PPTX
Empowering women to be the ambassadors of climate
Krithika Thushyantha
 
PPTX
Video Marketing is the New Black: How to Drive Sales and Marketing Success
Marketo
 
PDF
Grafico diario del dax perfomance index para el 10 10-2013
Experiencia Trading
 
PDF
Buyer Personas 101: How to Build Perfect Profile
Uberflip
 
PDF
8 Leo Abaya
pknmanila
 
DOCX
Soundtrack brief
iain bruce
 
PPS
网人
tvdotnet
 
PDF
Case Studies in Pharmaceutical Project Management.
Anthony Grenier
 
PPTX
Tips and Tools for Great Financial Management
Greenlights
 
Chapter 1: Overview of Network Security
Shafaan Khaliq Bhatti
 
Password craking techniques
أحلام انصارى
 
Cehv8 - Module 10: Denial of Service
Vuz Dở Hơi
 
Last news from the 2.0 World
Henri Kaufman
 
Drept fiscal
Serghei Murzac
 
Kokomo Twitter Seminar
Kyle Lacy
 
נושאים מתקדמים בניורו-חישוביים הרצאת מבוא
butest
 
Immediate Media General Agency Deck
Jamie Hall
 
Empowering women to be the ambassadors of climate
Krithika Thushyantha
 
Video Marketing is the New Black: How to Drive Sales and Marketing Success
Marketo
 
Grafico diario del dax perfomance index para el 10 10-2013
Experiencia Trading
 
Buyer Personas 101: How to Build Perfect Profile
Uberflip
 
8 Leo Abaya
pknmanila
 
Soundtrack brief
iain bruce
 
网人
tvdotnet
 
Case Studies in Pharmaceutical Project Management.
Anthony Grenier
 
Tips and Tools for Great Financial Management
Greenlights
 
Ad

Similar to Network security chapter 1,2 (20)

PPTX
Cyber.pptx
MahalakshmiShetty3
 
PDF
Network security
nafisarayhana1
 
PPT
Computer Securityyyyyyyy - Chapter 2.ppt
SolomonSB
 
PDF
Implications of Computer Misuse and Cyber Security (Teaching) (1).pdf
srtwgwfwwgw
 
DOCX
Chapter 10.0
Adebisi Tolulope
 
PPTX
Common Types of Cyber Attacks & How to Prevent Them.pptx
KalponikPrem
 
DOCX
E commerce security 4
Anne ndolo
 
PPTX
download-20171010121559download-20171010121559.pptx
2024proj005
 
PPT
Security communication
Say Shyong
 
PPTX
Computer security system Unit1.pptx
VIRAJDEY1
 
PDF
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
PDF
Chapter 2 konsep dasar keamanan
newbie2019
 
PPT
Lecture 1
Education
 
PPTX
Ehical Hacking: Unit no. 1 Information and Network Security
prachi67
 
PPTX
Security Operation Center Fundamental
Amir Hossein Zargaran
 
PPTX
Website security
RIPPER95
 
PDF
Information Systems Audit - Auditing Information Systems
ssuser557ea5
 
PDF
What Is Denial Of Service Attack
Stephanie Williams
 
PPT
Dos and Dont to be followed to protect information and technology
ssuser3baba2
 
PPTX
What is Cryptography and Types of attacks in it
lavakumar Thatisetti
 
Cyber.pptx
MahalakshmiShetty3
 
Network security
nafisarayhana1
 
Computer Securityyyyyyyy - Chapter 2.ppt
SolomonSB
 
Implications of Computer Misuse and Cyber Security (Teaching) (1).pdf
srtwgwfwwgw
 
Chapter 10.0
Adebisi Tolulope
 
Common Types of Cyber Attacks & How to Prevent Them.pptx
KalponikPrem
 
E commerce security 4
Anne ndolo
 
download-20171010121559download-20171010121559.pptx
2024proj005
 
Security communication
Say Shyong
 
Computer security system Unit1.pptx
VIRAJDEY1
 
1 ijaems sept-2015-3-different attacks in the network a review
INFOGAIN PUBLICATION
 
Chapter 2 konsep dasar keamanan
newbie2019
 
Lecture 1
Education
 
Ehical Hacking: Unit no. 1 Information and Network Security
prachi67
 
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Website security
RIPPER95
 
Information Systems Audit - Auditing Information Systems
ssuser557ea5
 
What Is Denial Of Service Attack
Stephanie Williams
 
Dos and Dont to be followed to protect information and technology
ssuser3baba2
 
What is Cryptography and Types of attacks in it
lavakumar Thatisetti
 

More from Education (11)

PDF
A friendly introduction to differential equations
Education
 
PDF
High-order Assembly Language/Shuttle (HAL/S)
Education
 
PDF
assembly language programming and organization of IBM PC" by YTHA YU
Education
 
PDF
Program security chapter 3
Education
 
PPT
Lecture 7
Education
 
PPT
Lecture 6
Education
 
PPT
Lecture 5
Education
 
PPT
Lecture 4
Education
 
PPT
Lecture 3
Education
 
PPT
Lecture 2
Education
 
PDF
Data warehousing labs maunal
Education
 
A friendly introduction to differential equations
Education
 
High-order Assembly Language/Shuttle (HAL/S)
Education
 
assembly language programming and organization of IBM PC" by YTHA YU
Education
 
Program security chapter 3
Education
 
Lecture 7
Education
 
Lecture 6
Education
 
Lecture 5
Education
 
Lecture 4
Education
 
Lecture 3
Education
 
Lecture 2
Education
 
Data warehousing labs maunal
Education
 

Recently uploaded (20)

PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PPTX
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
PPTX
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
PDF
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PDF
composite construction of structures.pdf
AinieButt1
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
Current and future trends in Computer Vision.pptx
Subramanyam Natarajan
 
UNIT 4 Total Quality Management .pptx
gokuld13012005
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
Project quality management in manufacturing
BarMusaTetik
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PPT on Performance Review to get promotions
prashant593122
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
composite construction of structures.pdf
AinieButt1
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 

Network security chapter 1,2

  • 1. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 1 COMPUTER NETWORK SECURITY Course outline The need for network security The Network security problem Different types of attacks Malicious and Non-Malicious Program Flaws Protection in operating systems Spoofing Intrusion Detection Systems Firewalls Operating Systems Hardening Device security Honeypots and honey nets Module objectives Understand Why we need network security The nature of the network security problem Defensive strategies The gold standard History What is network security? Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment. OR Network security is an over-arching term that describes that the policies and procedures implemented by a network administrator to avoid and keep track of unauthorized access, exploitation, modification, or denial of the network and network resources. This means that a well-implemented network security blocks viruses, malware, hackers, etc. from accessing or altering secure information. 1. The need for network security 1.1 Why do you need to take this course? Credit towards Bachelor degree An easy A Value for your organization An organization’s data may include personnel information which may include sensitive information, which could be misused, or information of personal nature which should not be disclosed to authorize users only. It may include payroll information, contact lists, strategies and plans, fiscal reports, and
  • 2. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 2 intellectual property such as present and future product designs, the sort of things that the organization wouldn’t publish on the streets 1.1.1 Value of an organization’s data Personnel information Financial information Intellectual property Proprietary information Contact lists 1.1.2 Organizations that are at risk: Corporate financial systems Credit card processing systems ATMs Telephone systems Emergency response infrastructure Air traffic control Power system Almost all processes automated No manual alternative In case of a crash, restoration is essential Nature of problem Common belief: Computers are digital devices, sharp 1s and 0s, so perfect security should be possible Not true Too many contributing factors: too many people and too many programs involved A reasonable goal would be as good as real-world security Common network security problem isn’t the result of human error or intent; it is due to the forces of nature: lightning, flood, fire and earthquake. And surprisingly, some other common network security problems are none other than equipment failure, outdated technology, issues with ISP or WAN service or software failures and errors. Nature of problem-differences Variety of attack methods Can attack a lot more places Can attack a lot more quickly Can attack with relative anonymity All without spending too many resources Defensive strategies Access Control Keep everybody out. Disconnect your PC from the network, and only install programs that you wrote yourself. It will be secure, but it will be more difficult to be worked on.
  • 3. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 3 Keep the bad guy out. This can be done in a variety of ways, such as code signing and firewalls. You can let the bad guy in but keep him from doing bad things by using sandboxing or access control. Try to catch the bad guy and prosecute him. This uses a different set of techniques, instead of locks it uses auditing. The access control model is based on a principal sending requests to an object, and there is a guard in between that scrutinizes the request and its source to decide whether or not it should be allowed to go through to the object. The gold standard Authentication, authorization, and auditing, all start with Au, so they are also known as the gold standard. The principle of authentication is that you have a way of knowing what principal is taking responsibility for the request that is being made. Principals are usually people, but can also be channels, servers, and programs. For example, typically in distributed applications, communication channels are implemented by means of encryption and the encryption key acts as a principal. Cont’d The next step is to figure out whether or not that request coming from that party ought to be granted. This is authorization. Typically access is granted to principals or group of principals. Auditing keeps track of all the activity. Auditing analyzed logs and access requests that were made by principals that were either granted or denied. Another underlying principle in this model is assurance. How do you know that the system doesn’t have bugs? One of the ways to think of that is in terms of a trusted computing base in which are all things that have to be working correctly in order for you to have security. Common attacks and Exploits 1.Denial of Service (Dos) 2.Distributed Denial of Service (DDoS) 3.Back door 4.Spoofing 5.Man in the middle 6.Replay 7.Session hijacking 8.DNS poisoning 9.Password guessing 10.Software exploitation 11.War dialing 12.War driving 13.Buffer overflow 14.SYN flood 15.ICMP flood 16.UDP flood 17.Smurfing 18.Sniffing 19.Ping of death Denial of Service (DoS) A denial of service attack causes disruption of service to legitimate users.
  • 4. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 4 For example, causing a web server to overload, due to which browsers would be unable to view the websites on that web server, or overloading a file server so that users are unable to access their home folders. Work by: Resource exhaustion Application or OS crash A denial of service attack is an effort to make one or more computer systems unavailable. It is typically targeted at web servers, but it can also be used on mail servers, name servers, and any other type of computer system. Denial of service attacks can be problematic, especially when they cause large websites to be unavailable during high-traffic times. Fortunately, security software has been developed to detect DoS attacks and limit their effectiveness. While many well-known websites, like Google, Twitter, and WordPress, have all been targets of denial of service attacks in the past, they have been able to update their security systems and prevent further service interruptions. Distributed Denial of Service (DDoS) A distributed denial of service attack is when several machines taken over by an attacker launch a coordinated denial of service attack against a common target to achieve a far greater impact. These are compromised machines. See http://grc.com/dos/grcdos.htm for a good example of this type of attack. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users Back door A backdoor is an opening in software which allows entry into the system/application without the knowledge of the owner. Backdoors are sometimes left by the developer intentionally, and sometimes exist by virtue of bad programming logic and practices. Definition: A backdoor is a secret or undocumented means of getting into a computer system. Many programs have backdoors placed by the programmer to allow them to gain access to troubleshoot or change the program. Some backdoors are placed by hackers once they gain access to allow themselves an easier way in next time or in case their original entrance is discovered Spoofing Some communication protocols use a host’s IP address as a trust and authentication mechanism. An attacker may forge the IP address of a trusted host to fool the target into trusting the attacker’s machine
  • 5. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 5 The word "spoof" means to hoax, trick, or deceive. Therefore, in the IT world, spoofing refers tricking or deceiving computer systems or other computer users. This is typically done by hiding one's identity or faking the identity of another user on the Internet. E-mail spoofing can take place on the Internet in several different ways. One common method is through e-mail. E-mail spoofing involves sending messages from a bogus e-mail address or faking the e-mail address of another user. IP spoofing another way spoofing takes place on the Internet is via IP spoofing. This involves masking the IP address of a certain computer system. By hiding or faking a computer's IP address, it is difficult for other systems to determine where the computer is transmitting data from. Man in the middle Man in the middle attacks is launched by placing oneself in the middle of a communication session, so as to intercept the traffic. The attacker may merely passively listen in on the conversation or may introduce other information into the traffic. A Man-in-the-Middle attack is a type of cyber-attack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A Man-in-the-Middle Attack allows a malicious actor to intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. Man-in-the-Middle attacks can be abbreviated in many ways including, MITM, MitM, MiM, or MIM. Replay The attacker uses a packet sniffer to capture packets on the wire and extracting information from them. For example, username and passwords, and later placing the same information back on the wire so as to have the target believe that it is a new legitimate session. A Replay attack is when a Hacker uses a Sniffer to grab packets off the wire After packets are captured, then the hacker can simply extract information from the packets like authentication information and passwords Once the information is extracted, the captured data can be placed back on the network or replayed For example, messages from an authorized user who is logging into a network may be captured by an attacker and resent (replayed) the next day. Even though the messages may be encrypted, and the attacker may not know what the actual keys and passwords are, the retransmission of valid logon messages is sufficient to gain access to the network.
  • 6. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 6 Session hijacking (TCP/IP Hijacking) This is when an attacker takes over a communication session between two hosts. TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine DNS poisoning Wrong information may be added to your DNS files. Your host will be directed to the wrong direction due to DNS poisoning. Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server's domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or othermalware can be downloaded to the user's computer from the rogue location. Password guessing Password guessing is an attack on the authentication credentials on any system. One form of password guessing is brute force attacks in which an attacker uses every single possible key to try and crack the passwords. In another form, known as dictionary attack, all words in a dictionary file are tried as passwords. Another type of network attack is Password Guessing attack. Here a legitimate users access rights to a computer and network resources are compromised by identifying the user id/password combination of the legitimate user. Password guessing attacks can be classified into two. Brute Force Attack: A Brute Force attack is a type of password guessing attack and it consists of trying every possible code, combination, or password until you find the correct one. This type of attack may take long time to complete. A complex password can make the time for identifying the password by brute force long. Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a dictionary of common words to identify the user’s password. Software exploitation These are attacks against a system’s software bugs or flawed code.
  • 7. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 7 a piece of software is it will still contain bugs. One of the most common bugs involves buffer overflows where an area of memory has been allocated by the programmer to store a specific amount of data. When the volume of data written to the storage area exceeds the space allocated a buffer overflow occurs causing part or all of the system to crash, potentially leaving it open for an intruder to take over War dialling In order to gain access into a network, the organization’s range of PBX numbers is used as input to a war dialler program, which dials all those phone numbers using a modem, and logs whether or not the call was answered by a modem. The process of running modem scanning tools against a PBX or any given dialup modem for the purpose of penetration. A war dialler is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem. The program will dial a range of numbers you ask it to dial and will log failure and success ranges in a database War driving These are attacks against wireless networks, which work by passing from outside the building with a wireless Ethernet card in promiscuous mode. Around the year 2000, an engineer named Peter Shipley coined the term war driving to refer to the practice of deliberately searching a local area looking for Wi-Fi wireless network signals. Mr. Shipley pioneered the practice of using an automobile, a Global Positioning System (GPS), and a mounted antenna to identify unsecured wireless home networks Buffer overflow Buffer overflow attacks are due to poorly written code which does not check the length of variable arguments. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information - which has to go somewhere - can overflow into adjacent buffers, corrupting or overwriting the valid data held in them. Although it may occur accidentally through programming error, buffer overflow is an increasingly common type of security attack on data integrity. SYN flood Occurs when a network becomes so overwhelmed by SYN packets initiating incomplete connection requests that it can no longer process legitimate connection request causing high CPU, memory, and NIC usage. A SYN flood is a type of denial of service (DoS) attack that sends a series of "SYN" messages to a computer, such as a web server. SYN is short for "synchronize" and is the first step in establishing
  • 8. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 8 communication between two systems over the TCP/IP protocol.When a server receives a SYN request, it responds with a SYN-ACK (synchronize acknowledge) message. The computer then responds with an ACK (acknowledge) message that establishes a connection between the two systems. In a SYN flood attack, a computer sends a large number of SYN requests, but does not send back any ACK messages. Therefore, the server ends up waiting for multiple responses, tying up system resources. If the queue of response requests grows large enough, the server may not be able respond to legitimate requests. This results in a slow or unresponsive server. ICMP flood (Internet Control Message Protocol Flood) An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. ICMP is primarily used for error messaging and typically does not exchange data between systems. An ICMP Flood is the sending of an abnormally large number of ICMP packets. This flood can overwhelm a target server that attempts to process every incoming ICMP request, and can result in a denial-of-service condition for the target server. UDP flood Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a session less/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host Smurfing An ICMP echo request is sent to a network’s broadcast address with a spoofed source IP address. The spoofed machine is then overwhelmed with a large number of echo replies. The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol(ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
  • 9. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 9 Sniffing Sniffing uses protocol analysers or packet sniffers to capture network traffic for passwords or other data. A sniffer is an application that can capture network packets. Sniffers are also known as network protocol analysers. They are also used by hackers for hacking network. If the network packets are not encrypted, the data within the network packet can be read using a sniffer. Once the packet is captured using a sniffer. Sniffers are used by hackers to capture sensitive network information, such as passwords, account information etc. Ping of death Ping of death attack uses oversized ICMP echo requests to a hosts in an attempt to crash it. Ping of Death (PoD) is a type of network attack in which an attacker sends a network packet that is larger than what the target computer can handle. This can crash the computer, or freeze or degrade computer service. Ping of death is used to make a computer system unstable by deliberately sending larger ping packets to the target system over an IPv4 network. Ping of death is also known as long ICMP TCP Three-way handshake  Security implementation Identify what you are trying to protect. Determine what you are trying to protect them from. Determine how likely the threats are. Implement steps that protect your assets in a cost effective manner Review the process continuously making improvements when you find a weakness Assets needing to be protected Physical resources Intellectual resources
  • 10. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 10 Time resources Perception resources Physical resources Anything that has a physical form Routers, hubs, switches, servers etc Assets that have a physical form, such as workstations, servers, printers, hubs, switches, routers, firewalls. Basically, any computing resource that has a physical form can be considered a physical resource. An individual walks into an organization’s office claiming to be a computer repairs technician. The receptionist allowed him through giving directions to the network administrator’s office. The repairs person returns a short while later with a network printer which he claims needs repairs and must be taken back to the shop. Of course, the printer didn’t need repairs, and he didn’t seek the network administrator. Instead, he just unplugged the first high end printer he came across and took it with him. The theft was discovered when the network administrator heard complaints about people being unable to print. Of course, it’s not easy to print without the printer. This printer theft could’ve been avoided if the company policy dictated that no outsider would be allowed in without an escort, and would have saved the company the cost of replacing a high end network printer Intellectual resources Sometimes harder to identify Exist in electronic form only Any information that plays a vital role in your organization’s business Software, financial records, database records, schematics, emails etc These resources are sometimes harder to identify because they exist only in electronic form. An intellectual resource is any information that plays a part in your organization’s business. This can include software, financial information, database records and schematic .If email is used to exchange information, the stored email messages are also intellectual resources. Time resources An important resource which is overlooked quite often in a risk analysis. To evaluate what lost time costs your organization, make sure to include all consequences of lost time It is an important organizational resource which is quite often over-looked in a risk analysis. When evaluating what lost time could cost your organization, make sure that you include all the consequences of lost time. Consider a company’s file server, which is backed up every night, but doesn’t have redundant hard disk drives. The disk drive crashes. The physical loss is a hard disk drive, which is not very expensive. The intellectual loss is whatever was updated since the last backup. What is lost in terms of time can be evaluated based on what the network administrator must do as a cleanup job
  • 11. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 11 1. Install the new disk drive in the system 2• completely reinstall the network operating system, any required patches, and the back-up software, if necessary 3• Restore all required backup tapes. If a full backup is not performed every night, there may be multiple tapes to restore from. Perception resources Risk of damage to perception is the cause of significant trouble The stock prices for affected companies fell after the denial of service attacks of February 2000. Although this loss was not long term, it had a real, measurable impact on the trust of consumers and stockholders. With the publicity surrounding the penetration of Microsoft’s system in October 2000, some wondered if valuable source code had been unknowingly modified. Sources to protect from Potential network attacks may come from any source that has access to your network. These sources can vary greatly, depending on your organization’s size and the type of network access provided. Some of these sources could include: Internal network Access from field offices Access from WAN link to the business partners Access through the Internet Access through modem pools Internal systems A vast majority of attacks originate from within the organization Using firewalls protects from external threats, but it is still the employees that are responsible for the greatest amount of damage or compromise of data, because they have the insider’s view of how your network operates A vast majority of attacks originate from within the organization. While using firewalls protects assets from external attacks is all the rage, it is still the employees, who have an insider’s view of how your network operates, who are responsible for the greatest amount of damage to, or compromise of your data. This damage can be accidental, or in some cases, intentional Internal attacks Disgruntled employee or ex-employee Not so computer literate management with access privileges A company’s CEO insisted on having administrative privileges on the NetWare server and inadvertently deleted the cc:Mail directory The most typical cause of a true attack is a disgruntled employee or ex-employee. for example, one company’s owner insisted on having full privileges on the NetWare server, even though he was not very computer literate. He inadvertently deleted the cc:Mail data directory, which contained al the mail messages and public folders. Approximately two years worth of data disappeared.
  • 12. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 12 External attacks Although external attacks can come from ex-employees, the range of possible attacks increases dramatically. Competitors Stealing designs, financial statements, making network resources unavailable Shorten development time Equip their products with better features Second lowest price website DoS If you are in a highly competitive business, an ambitious competitor may see advantage in attacking your network. This can take the form of stealing designs or financial statements, or just making your network resources unusable Subjecting the website of a competitor with lower prices to a denial of service attack than your organization, could lead some buyers to your website because it has the second lowest prices, and the lowest price product is unavailable due to denial of service Militant viewpoints If your organization has controversial viewpoints If your business can be considered controversial, it may be prone to threats from others who take a different point of view. In 1998, following the nuclear tests by India and Pakistan, Indian and Pakistani hackers launched defacing attacks on each other’s websites. High profile An organization with high visibility is a good candidate for an attack for merely the sake of notoriety or a wider audience Organizations can become a target for attack simply because of their high level of visibility. A would- be attacker may attempt to infiltrate a well-known site with the hope that a successful attack will bring with it some level of notoriety. In May 1999, major US government websites including whitehouse.gov, fbi.gov, and senate.gov were defaced. Threat assessment Network security attacks are malicious or unintentional attempts to use or modify resources available through a network in a way they were not intended to be used The goal of network security is to protect its assets from network attacks. The goal of network security is to protect its assets from network attacks. Network attacks may be defined as malicious or unintentional attempts at using or modifying resources available through the network in a way that they were not intended to be used. All network attacks fall into one of the following categories:
  • 13. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 13 Network attack types Unauthorized access to resources or information through the use of a network Unauthorized manipulation and alteration of information on a network Denial of service The key to note here is the word unauthorized. It is the job of a network security policy to spell out what is authorized and what is not. The network attack can be planned as well as intentional and the job of the network security mechanisms is not only to protect against planned attacks which are coordinated attacks conducted by malicious users, but also against unintentional attacks in terms of mistakes made by users. Network security goals Based on the three types of attacks, the goals of network security are to: Ascertain data confidentiality Maintain data integrity Maintain data availability Risk assessment After threat identification, the likelihood must be determined Security is expensive It is not feasible to protect against all types of attacks It is wise to protect against the most likely threats Having identified the assets and the factors that threaten them, the next step in formulating a network security implementation is to ascertain how likely the threats are in the environment in which the security is being implemented. Realize that although it can be important to protectagainst all types of attacks, security does not come cheap. Therefore, a careful analysis must be done to find out what the most significant sources of attack are and devote the most resources to protecting against them. Even though risk assessment can be done in a number of ways, there are two main factors that affect the risk associate with a particular type of threat’s materializing: • The likelihood of that particular attack being launched against the asset in question • The cost to the network in terms of damages that a successful attack will incur It is often useful to divide the risk analysis into three categories: Confidentiality Integrity Availability If a network resource’s availability is critical and the likelihood of an attack being launched against it is high, this asset’s risk level can be considered fairly high. For example, a high visibility web server.
  • 14. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 14 Due to its high visibility, it can be a likely target for attackers. Also, it is important for a web server to be available all the time. Therefore, this asset is high-risk in terms of availability. If an asset’s availability is critical and the likelihood of an attack is high, the asset’s risk level can be considered high e.g., a high visibility web server is a high risk asset in terms of availability An FTP server used internally, which is not visible from the outside has a lower risk level in terms of availability but a high risk level in terms of confidentiality Note that all risk assessments are relative Once a list of risk levels associate with various assets in the network have been compiled, the next step is to create a policy framework for protecting these resources so that risk can be minimized Network security policy Having determined the risk level of various assets, the next step is to formulate a security policy A security policy must prioritize mitigation of threats against high risk assets and then spend the rest of its resources to protecting the lower risk assets Defines a framework for protecting the assets connected to a network Defines access rules and limitations for accessing various assets A source of information for users and administrators as they: Setup, Use and Audit the network Should be broad and general in scope Provide a high level view of the principles on which security related decisions should be taken Should not go into the details of how security is to be implemented The details can change overnight, but the general principles of what these details are trying to achieve should remain the same Roles played by the policy: Clarify what is being protected and why State who is responsible for providing the protection Provide grounds on which to interpret and resolve any future conflicts The first point is an offshoot of the asset identification and risk analysis Those responsible for the protection can be one or more of the following: Users Administrators and managers Network usage auditors Managers who have overall ownership of the network and its associate resources The third point places responsibility on shoulders of a particular person to resolve any conflicts A network policy should be such that it can be implemented using existing technology, it shouldn’t contain elements that are not technically enforceable In terms of ease of use there are two types of network security policies: Permissive: that which is not expressly prohibited is allowed Restrictive: that which is not expressly allowed is prohibited
  • 15. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 15 It is better to have a restrictive policy and then based on usage open it up for legitimate uses A permissive policy will have holes in it no matter how hard you try to plug all holes A security policy must balance: Ease of use Network performance Security aspects An overly restrictive policy costs more than a slightly more lenient one might make up for it in terms of performance gains Minimum security requirements as identified by risk analysis must be met for a security policy to be practical. A network security policy defines a framework to protect the assets connected to a network based on a risk assessment. A network security policy defines the access rules and limitations for accessing various assets. It is the source of information for users and administrators as they set up, use, and audit the network. A network security policy should be general and broad in scope. What this means is that it should provide a high level view of the principles based on which security-related decisions should be made, but it should not go into the details of how the policy should be implemented. The details can change overnight, but the general principles of what these details are trying to achieve should remain the same. The policy should play the following roles: • Clarify what is being protected and why it is being protected • State who is responsible for providing that protection • Provide grounds on which to interpret and resolve any later conflicts that might arise The first point is an off shoot of the asset identification and risk assessment. The second point covers who is responsible for ensuring the security requirements are met. This can be one or more of the following: • Users • Administrators and managers • Network usage auditors • Managers who have overall ownership of the network and its associated resources The third point places the responsibility of resolving issues not covered by the policy on the shoulders of a particular person rather than leaving them open to arbitrary interpretation. A network security policy should be implementable given available technology. A network security that is very comprehensive but contains elements that are not technically enforceable is less than useful. In terms of ease of use of network resources for users, There are two types of network security policies: • Permissive: everything not expressly prohibited is allowed • Restrictive: everything not expressly permitted is prohibited
  • 16. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 16 It is generally better to have a restrictive policy and then based on actual usage, open it up for legitimate usage. A permissive policy generally has holes no matter how hard you try to plug all the holes. A security policy must balance ease of use, network performance, and security aspects in defining the rules and regulations. This is important, because an overly restrictive security policy can end up costing more than a security policy that is somewhat more lenient but makes up for it in terms of performance gains. Of course, minimum security requirements as identified by risk analysis must be met for a security policy to be practical. Implementation Implementation of Network security involves technical and non-technical aspects It is important to come up with a design agreeable for all involved parties The following points must be kept in mind before implementation: All stakeholders (including users and management) must agree on the policy It is crucial to educate all parties including management on why security is necessary. This education must continue in case of newcomers Management and financial people must be educated about the cost and risk analysis because security is expensive and is not a one-time expense Responsibilities of people and their reporting relationship must be clearly defined The next step is network security design Translate security policy into procedures which are usually laid out tasks that must be completed to implement the security policy Execution of these procedures results in a network design that can be implemented using various devices The following are components of network security design: Device security features such as administrative password Firewalls Remote access VPN concentrators Intrusion detection Access control and limiting mechanisms Implementing a network security policy involves technical as well as non-technical aspects. Even though it is challenging enough to find the right equipment that can work together and implement the security policy in its true spirit, coming up with a design that is workable for all parties concerned is equally challenging. The following points must be kept in mind before implementing a security policy: • All stakeholders, including the users and the management must agree or have consensus on the security policy. It is not easy to maintain a security policy that not everyone is convinced is necessary. • It’s crucial to educate the users and the affected parties, including management, on why security is important. You must make sure that all parties understand the reasons behind the security policy and what is about to be implemented. This education must continue on an ongoing basis such that all newcomers to the company are aware of the network’s security aspects.
  • 17. Chapter No 1 & 2 Computer Network Security Written by Engr. Muhammad Waseem 17 • Security does not come for free. Implementing security is expensive and is often an ongoing expense rather than a one-time cost. It is important to educate the management and the financial people about the cost and risk analysis done in coming up with the security policy. • Responsibilities of various people must be clearly defined for various parts of the network and their reporting relationships. Working on implementing a security policy while keeping these issues in mind can help you implement a security policy both in practice and in spirit. Audit and improvement It is important to continually analyse, test and improve the security policy after implementation This can be done through: Formal security audits Day-to-day checks based on operational measurements Audits can also be done using automated tools An important purpose of audits is to keep the users aware of implications of their actions Can help identify bad user habits There should be schedule and random audits A random audit will help: Catch the organization with its guards down Reveal weakness during maintenance etc If the audit reveals technical issues, they can be fixed by technical means Other issues can be addressed by user education programs Education programs should not go into minute details, but focus on the goals of the policy and how the user can help in its implementation Using examples of what they did wrong would cause the users to think that they can not do any wrong unless they are caught doing wrong After implementation of a network security policy, it is critically important to continually analyze, test and improve it. This can be done by formal audits of the security systems as well as through day-to- day checks based on normal operational measurements. Audits can also take various forms, such as automated audits using software tools. Many commercial as well as open source tools are available for this. An important purpose of the security audit is to keep the users aware of the implications of their actions on the network. Audits can be used to identify habits that the users may have formed that can lead to network attacks. Audits should be scheduled as well as random. A random audit tends to catch the organization with its guards down and also reveals penetrability during maintenance, turnaround and so on. After identification of various issues through the audit, if the issues are technical, they can be fixed or they can be transformed into educational programs to educate the users on better network security techniques. These programs should focus on the goals of the network security policy and how individuals can help in its implementation. The education should not be of minute details of things that the users are doing wrong, but to educate them on the general security policy and use infringements as examples. An audit and education that is too hands on can remove a sense of empowerment from the users, making them think that they can do no wrong until they are caught doing something wrong.