network security final report
TRANSCRIPT
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 1/23
1
NETWORK SECURITY
ABSTRACT
John, sitting desperately in front of his system tries to hack his friend William’s bank
account. But after a tiresome job, all he could succeed in getting was an encrypted
code, which did not make any sense to him and would take a lifetime to decode
making use of the concept of probability. Thanks! To the advanced techniques of
security which saved William from getting bankrupt and losing his lifetime savings. In
the present day scenario, where the earth is shrinking rapidly, such that the entire
world is now on your desktop, security is gaining much significance consequently.
Cryptography, authentication and access control mechanisms play a very important
role in secured communication as they form the major disciplines of network
security.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 2/23
2
INTRODUCTION
What is security?
Freedom from danger, fear or ensuring safety is security. Measures adopted to
prevent the authorized use, misuse, modification or denial of use of knowledge or
facts, data or capabilities. Network security is an issue of great significance today
where a single problem can change the fate of the companies and organizations.
Need of Security
Computer security is required because most organizations can be damaged by
hostile software or intruders. There may be several forms of damage which are
obviously interrelated which are produced by the intruders. These include -
• lose of confidential data
• Damage or destruction of data
• Damage or destruction of computer system
• Loss of reputation of a company
Orange Book: -
The National Computer Security Center (NCSC), an agency of the U.S government
published an official standard called “Trusted Computer System Evaluation Criteria”
universally known as the “Orange Book”. The Orange Book defines a series of
ratings a computer system can have based on it’s security features and the care that
went into it’s design, documentation and testing. This rating is intended to give
government agencies and commercial enterprises an objective assessment of a
system’s security and to goad computer manufacturers into placing more emphasis
on security. The official categories are D, C1, C2, B1, B2, B3, and A1 ranging from
minimal protection or unrated to most secure.
When computers are networked together new security problems occur which can
prove to be great threats to major companies. The orange book did not address the
issue of networked computers. The Red Book took all the requirements of the
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 3/23
3
Orange book and attempted to address a networked environment of computers, thus
creating the concept of network security. A single layer of security cannot ensure
good security. Effective security is achieved by the combination of all security
disciplines. The prominent security technologies and product categories used todayare anti-virus software, firewalls, smart cards, biometrics, intrusion detection, policy
management, vulnerability scanning, encryption etc.
Common Misperceptions on Network Host Attacks
It’s sad that system administrators and users often think that their network hosts are
either uninteresting or invulnerable to hackers.
Some of the common beliefs include:
· “Nobody would ever attack our servers or desktops.”
· “Only good people work here.”
· “We have an Internet firewall. That’s all we need.”
· “We’re secure. We use system passwords.”
· “Network security is too expensive and hard to maintain.”
Sure, we’ve all heard and used these excuses. We all have more pressing problems
to worry about than getting hacked.
But the fact is that all the above excuses, and many more just like them, are
complete fantasy. Servers and desktops are attacked on a fairly common basis. Just
because it is not detected does not mean it is not happening . . .
Reality: Hacking Tools are Pervasive and Cheap to Acquire
It’s easy to find Windows NT (WinNT) and Windows 2000 (Win2K) hacking tools.
Pick any Internet search engine (Altavista, Lycos, Yahoo, etc.) you are comfortable
with and type in the following words as a search item:
“HACK Microsoft” or “HACK NT”
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 4/23
4
Watch how many sites come up. Scary, isn’t it? In some queries, you can find over
80,000 web sites with hacking tools on them. To make matters worse, there are CD-
ROMs full of hacking tools such as Forbidden subjects, WinHackGoldCD, Hacker
Chronicles and others of a more underground nature. These are available from avariety of both legitimate and less reputable sources.
Some Statistics on Network Security
Every year, the Computer Security Institute (www.gocsi.com) and the U.S. Federal
Bureau of Investigation (www.fbi.gov) publish statistics about computer crime. The
2000CSI/FBI Computer Crime and Security Survey was eye-opening, and reportedthe following statistics:
· 30% reported computer systems penetrated by outsiders
· 55% reported unauthorized access by insiders
· 26% reported theft of proprietary information
· 32% reported denial of service attacks
· 19% reported sabotage of data or networks
· 90% of financial loss is from internal attacks
As the statistics show, the truth is that network attacks are REAL, PERVASIVE, and
EXPENSIVE. They are NOT going away. And, they are getting more insidious and
dangerous to organizations.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 5/23
5
SECURITY SERVICES
Network security can provide one of the five services as shown in the figure: -
Four of these services are related to the message exchanged using the network:
Message confidentiality, integrity, authentication, non repudiation. Fifth service
provides entity authentication or identification.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 6/23
6
COMMON ATTACKS AGAINST NETWORK ASSETS
Attacks may occur through technical means such as specific tools designed for
attacks or exploitation of vulnerabilities in a computer system, or they may occur
through social engineering, which is the use of non-technical means to gain
unauthorized access.
Attacks are primarily of four types:
• Access
• Modification
• Denial of service
• Repudiation
An access attack is an attempt to gain information that the attacker is not
authorized to see. This is an attack against the confidentiality of the information.
Snooping, Eavesdropping and Interception come under this category.
SNOOPING is looking through information files in the hopes of finding something
interesting. If the files are on a computer system, an attacker may open one file after
another until the required information is found.
EAVESDROPPING is the process of listening to a conversation of which they are
not a part. To gain unauthorized access to information, an attacker must position him
at a location where the information is likely to pass by. A sniffer is a computer that is
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 7/23
7
configured to capture all the traffic on the network. Most often they are configured to
capture user Ids and passwords. Tapping a fiber-optic line requires more specialized
equipment and is normally not performed by run-of-the-mill attackers.
INTERCEPTION is an active attack against the information. When an attacker
intercepts information, he is inserting himself in the path of the information and
capturing it before it reaches the destination. The attacker may or may not allow the
information to continue to its destination. On the Internet this could be done by
causing a name resolution change. The traffic is then sending to the attackers
system instead of the real destination. If configured correctly, the sender may never
know that he was not talking to the real destination.
MO
D IFIC
A TIO
N
ATTACK is an attempt to modify information that an attacker is not authorized to
modify.
CHANGES are one type of modification attack is to change existing information.
Change attacks can be targeted at sensitive or public information.
INSERTION is the addition of information that did not exist previously. An attacker
might choose to add a transaction in a banking system that moves funds from a
customer’s account to his own.
DELETION attack is the removal of existing information. This could be the removal
of information in a historical record or in a record that is yet to be acted upon.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 8/23
8
Denial-of-service (DoS) attacks are the attacks that deny the use of resources to
legitimate users of the system, information or capabilities. DoS attacks generally do
not allow the attackers to access or modify information on the computer system.
DoS attacks are nothing more than vandalism. An attacker could encrypt a file andthen destroy the encryption key. In that way, no one could get access to the
information in the file. This type of vulnerability allows an attacker to send a pre-
defined set of commands to the application that the application is not able to process
properly. The application is likely to crash when this occurs.
REPUDIATION ATTACK is an attack against the accountability of the information.
In other words, repudiation is an attempt to give false information or to deny that a
real event or transaction should have occurred.
MASQUERADING is an attempt to act like or impersonate someone else or some
other system. With few exceptions, any computer system can take on any IP
address. Thus it is possible for a computer system to masquerade as another
system.
PASSWORD ATTACKS: These attacks comprise network sniffing and brute force
attacks. Network sniffing concentrates on two areas:
Acquiring clear-text passwords (the situation when Windows systems exchange
passwords with any non-Windows operating system, such as UNIX or Novell) via
network capture or file infiltration.
• Grabbing the encrypted value of an NT system password from a network
packet or the password file and trying to decrypt the packet or file to expose
the passwords that would allow a valid login to the host.
• Brute Force attacks involve a piece of software working its way through
dictionaries and potential word-matching libraries to discover (“guess”) a
specific word which, when matched with a specific user ID, will allow login to
the system.
Password attacks cannot be stopped by a packet-filtering firewall, but can be greatly
reduced. Network access controls manage the network protocols and addresses
allowed to pass through the firewall, providing a more definitive sense of control over
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 9/23
9
where a password attack can originate. Time-based security policies further define
network access to the target system by allowing only specific transactions to take
place at particular times of the day. And, con-nection logging allows for accurate and
timely recording of all traffic activity. These are the types of firewall facilities youneed to protect against Password attacks.
URL Based Attacks: These attacks are initiated by exploiting the vulnerabilities in
many web servers and web-based applications that allow malicious code to be
included as part of a URL. These attacks can result in denial-of-service,
unauthorized file access or remote machine compromise.
THE COMMON TECHNIQUES ADOPTED BY HACKERS
Open File Sharing via NFS was used by some of the hackers to gain access to
information. They simply mounted the remote drive and read the information. NFS
uses user Ids to mediate the access to the information on the drive. This became
more dangerous when some systems were found to allow the sharing of the root file
system. In this case, if a hacker could become root on a system and mount a remotefile system; he could change the configuration files of that remote system.
Bad Passwords is the most common method used by the hackers to get into
systems. Short passwords allow the hacker to brute-force the password. The other
type of weak password is the one that is easy to guess.
Buffer Overflows are one type of programming flaw exploited by the hackers. They
are harder to find than bad passwords. Buffer overflows require quite a bit of
expertise. Buffer overflows come up very often as the flaw in an application that
copies user data into another variable without checking the amount of data being
copied. More and more programs seem to suffer from this type of problem. If the
programmer checked the size of the user data before placing it in the pre-defined
variable, the buffer overflow can be prevented.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 10/23
10
Denial-of-Service
i) Single-source Denial-of-Service attack-Perhaps the most widely
known DoS attack is called the SYN flood. Other attacks have also been
identified. The Ping of Death attack caused a ping packet to be sent to a
target system. Normally a ping packet does not contain any data. The ping of
death packet contained a large amount of data. When this data was read by
the target, it would crash because of buffer overflow.
ii) Distributed Denial-of-Service attacks are simply DoS attacks that
originate from a large number of systems. DDoS are usually controlled from a
single master and a single hacker. Such attacks can be as simple as a hacker sending a ping packet to the broadcast address of a large network while
spoofing the source address to direct all responses at a target. This particular
attack is called Smurf attack.
Advanced techniques: - Sniffing switch networks, redirecting traffic, IP spoofing are
few of the advanced techniques.
Malicious code
• Computer viruses
• Trojan horse programs
• Worms
VIRUSES
A computer virus is a set of instructions that, when executed, inserts copies of itself
into other programs. Some viruses are malicious and delete files or cause systems
to become unusable. Other viruses do not perform any malicious act except to
spread to other systems. Examples include Michelangelo (a traditional virus) and
Melissa (a macro virus).
TROJAN HORSES
Just as the Greeks used a gift to hide evidence of their attack, so too does a Trojan
horse program hide its malicious nature behind the façade of something useful or
interesting. Example is the “ILOVEYOU” Trojan horse. It arrived as an email with a
visual basic program, which caused the e-mail services to stop completely.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 11/23
11
WORMS
A worm, as the name implies is a program that crawls from system to system without
any assistance from its victims. The program replicates itself by installing copies of
itself on other machines across the network. The most famous recent worm is calledthe CodeRed. Since CodeRed used legitimate web connections to attack, firewalls
did not protect the victims. Once on a system, CodeRed chose a random address to
attack next.
VARIOUS SECURITY TECHNOLOGIES
FIREWALLS
A firewall is a network access control device that is designed to deny all traffic
except that is explicitly allowed. Firewalls can be configured to allow traffic based on
the service, the IP address of the source or destination, or the ID of the user
requesting service. Firewalls are generally of two types: application layer firewalls
and packet filtering firewalls.
Application layer firewalls are software packages that sit on top of the
general –purpose operating systems or on firewall appliances. If a rule does
not specifically allow the traffic to flow, the firewall will deny or drop the
packets. With an application layer firewall, all connections terminate on the
firewall. If the policy rules allow the traffic, the firewall initiates a new
connection from its external interface to the server system.
i) Packet filtering firewalls is similar to the application layer firewalls in
matters related to policy rules. Policy rules are enforced through the use of
packet inspection filters. With a packet filtering firewall, connections do not
terminate on the firewall, but instead travel directly to the destination. As the
packets arrive at the firewall, the firewall will determine if the packets and the
connection state are allowed by the policy rules. If so, the packet is sent on its
way. If not, the packet is denied or dropped.
DEFENSIVE STRATEGIES:
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 12/23
12
If an intruder can find a hole in our firewall, then the firewall has failed. There are no
in-between states. Once a hacker is in, our internal network is at her mercy. If he
hijacks an administrative account, we're in big trouble. If he hijacks an account with
lesser privileges, all the resources available to that account are at risk. No firewallcan protect against inadequate or mismanaged policies. If a password gets out
because a user did not properly protect it, our security is at risk. If an internal user
dials out through an unauthorized connection, an attacker could subvert our network
through this backdoor. Therefore, we must implement a firewall policy. The most
basic firewall policy is as follows:
Block all traffic, and then allow specific services on a case-by-case basis.
This policy is restrictive but secure. However, it may be so restrictive that users
circumvent it. In addition, the more restrictive our policy, the harder it will be to
manage connections that are to be allowed. On screening routers, we'll need to
implement complicated sets of rules—a difficult task. Most firewall products including
the Microsoft Proxy Server simplify this process by using graphical interfaces and a
more efficient set of rules.
Security policies must be outlined in advance so administrators and users know what
type of activities are allowed on the network.. Our policy statement should address
internal and external access, remote user access, virus protection and avoidance,
encryption requirements, program usage, and a number of other considerations, as
outlined here:
- Network traffic to and from outside networks such as the Internet must pass
through the firewall. The traffic must be filtered to allow only authorized
packets to pass.
- Never use a firewall for general-purpose file storage or to run programs,
except for those required by the firewall. Do not run any services on the
firewall except those specifically required to provide firewall services.
Consider the firewall expendable in case of an attack.
- Do not allow any passwords or internal addresses to cross the firewall.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 13/23
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 14/23
14
This method would be analogous to a gatekeeper remembering some defining
characteristics of anyone leaving the castle and only allowing people back in with
those characteristics.
This brings up another point. While firewalls are keeping Internet intruders out, our
internal users might be looting our systems. We may need to separate departments,
workgroups, divisions, or business partners using the same firewall technology, and
we may need to implement encryption throughout our organization. Firewalls also do
not protect against leaks, such as users connecting to the outside with a desktop
modem. In addition, if some new threat comes along, our firewall might not be able
to protect against it. Viruses and misuse of security devices are also a threat.
DRAWBACKS WITH FIREWALLS
Firewalls assume that all the unauthorized members are on the outside and
everyone inside can be completely trusted. This is an unwarranted assumption.
Firewalls can be defeated by somehow injecting malicious code into the corporate
network. Firewalls, when not configured properly refuse to recognize legitimate
users and make their job difficult.
CRYPTOGRAPHY AS A TOOL FOR SECURITY
No one can deny the importance of security in data communication and networking.
Security in networking is based on cryptography.
Cryptography, a word with Greek origin, means “secret writing”. The figure below
shows the components involved in cryptography.
The German Lorenz cipher machine, used in World War-II for encryption of very
high-level general staff messages
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 15/23
15
Cryptography is a discipline of mathematics concerned with information security
and related issues, particularly encryption, authentication, and access control.
Its purpose is to hide the meaning of a message rather than its existence.
Cryptography is used in many applications that touch everyday life; the security of
ATM cards, computer passwords, and electronic commerce all depend on
cryptography. Until modern times, cryptography referred almost exclusively to
encryption, the process of converting ordinary information (plaintext) into an
unreadable ciphertext. Decryption is the reverse process.
A cipher (or cypher) is a pair of algorithms for
encryption and decryption. The exact operation
of a cipher is controlled by a key, which is a secret parameter for the cipher
algorithm. Historically, ciphers were often used directly for encryption or decryption
without additional procedures. The Enigma machine, used in several variants by the
German military between the late 1920s and the end of World War II, implemented a
complex electro-mechanical cipher to protect sensitive communications. In
cryptography, code has a more specific meaning, referring to a procedure which
replaces a unit of plaintext (i.e. the meaningful words or phrases) with a code word
(for example, apple pie replaces attack at dawn). Codes are no longer used in
serious cryptography - except incidentally for such things as unit designations - since
properly chosen ciphers are both more practical and secure than even the best
codes, and better adapted to computers as well. In recent decades, the field has
expanded beyond confidentiality concerns to include techniques for authentication,
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 16/23
16
digital signatures, interactive proofs, and secure computation. The main classical
cipher types are transposition ciphers, which rearrange the order of letters in a
message (e.g. 'help me' becomes 'ehpl em'); and substitution ciphers, which
systematically replace letters or groups of letters with other letters or groups of letters (e.g. 'fly at once' becomes 'gmz bu podf' by replacing each letter with the one
following it in the alphabet). Simple versions of either offered little confidentiality. The
development of digital computers and electronics after WWII made possible much
more complex ciphers. Many computer ciphers can be characterized by their
operation on binary bits (sometimes in groups or blocks), unlike classical and
mechanical schemes, which generally manipulate traditional characters (i.e. letters
and digits).
SYMMETRIC-KEY CRYPTOGRAPHY
Symmetric-key cryptography refers to encryption methods in which both the sender
and receiver share the same key. This was the only kind of encryption publicly
known until 1976. The modern study of symmetric-key ciphers relates mainly to the
study of block ciphers and stream ciphers and to their applications. Block ciphers
take as input a block of plaintext and a key, and output a block of ciphertext of the
same size. Stream ciphers, in contrast to the 'block' type, create an arbitrarily long
stream of key material, which is combined with the plaintext bit by bit or character by
character, somewhat like the one-time pad. In a stream cipher, the output stream is
created based on an internal state which changes as the cipher operates. That
state's change is controlled by the key.
Cryptographic hash functions (often called message digest functions) do not use
keys, but are a related and important class of cryptographic algorithms. They take
input data (often an entire message), and output a short, fixed length hash, and do
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 17/23
17
so as a one-way function. For good ones, collisions (two plaintexts which produce
the same hash) are extremely difficult to find.
Message authentication codes (MACs) are much like cryptographic hash
functions, except that a secret key is used to authenticate the hash value on receipt.
PUBLIC KEY CRYPTOGRAPHY
In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the
notion of public-key (also, more generally, called asymmetric key ) cryptography in
which two different but mathematically related keys are used: a public key and a
private key. A public key system is constructed so that calculation of the private key
is computationally infeasible from knowledge of the public key, even though they are
necessarily related. Instead, both keys are generated secretly, as an interrelated
pair.
The public key algorithms are: -
• Modular addition,
• Multiplication and modular exponentiation,
• RSA algorithm
• DSS algorithm.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 18/23
18
AUTHENTICATION
The authentication of authorized users prevents unauthorized users from gaining
access to information systems. The use of authentication mechanisms can also
prevent authorized users from accessing information that they are not authorized to
view. Currently, password remains the primary authentication mechanism for internal
system access. If passwords are to be used, the following are recommended as best
practices:
• Length- passwords must be a minimum of eight characters in length.
• Change frequency- passwords must not be more than 60 days old.
• History- the last ten passwords should not be re-used.
Content- passwords should not be made up of only letters but instead should include
letters, numbers and special punctuation characters.
KEY CERTIFICATION
If keys are transmitted to a remote destination by some means, they must be
checked once they arrive to be sure that they have not been tampered with during
the transmission. Public keys are intended to be published or given out to other
users and must also be certified as belonging to the owner of the key pair. This can
be done through a central authority- certificate authority. CA generates certificates,
which are signed messages specifying a name and the corresponding key.
INTRUSION DETECTION SYSTEMS
Intrusion detection systems (IDS) are the burglar alarms of the network. An IDS is
designed to differentiate between an authorized entry and a malicious intrusion into
a protected network. A very common intrusion detection mechanism is anti-virus
software. Other forms of intrusion detection include the following:
• Manual log examination
• Automated log examination
• Host-based intrusion detection software
• Network based intrusion detection software
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 19/23
19
Manual log examination can be effective, but is time consuming and error-prone. A
better form of log examination would be to create programs or scripts that can
search through computer logs looking for potential anomalies.
SECURITY IN INTERNET
IP Security
It is a collection of protocols which is designed by Internet Engineering Task Force
(IETF) to provide security for a packet at the network level. It helps to create
authenticated and confidential packets for IP layer as shown in the figure below.
IP security (IPSec) operates in one of the two different modes: The transport mode
or the tunnel Mode.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 20/23
20
Transport Mode:
Tunnel Mode:
We use Tunnel mode when either the sender or receiver is not the host. The entire
packet is protected from intrusion between the sender and the receiver.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 21/23
21
ULTIMATE TOP-10 ELEMENTS OF SECURITY
Having just Firewalls in a network doesn’t make it completely foolproof. So, there
exist some technical and non-technical TIPS to be followed to ensure maximum
security:
1. POLICY: Define, Implement and measure systems, networks and applications for
compliance
2. EDUCATION: Part of (1) above is to ensure your users understand the
consequences of their actions and the importance of information security to the
organization
3. WARNINGS: Implement online warnings informing users (internal and external) of
the rules of access to the systems
4. ASSESS: Determine what you are trying to protect, why and what value it has
5. PROTECT: Based on (4) above, implement firewalls, anti-virus and intrusion
detection (IDS) tools
6. AUDIT: Regularly audit systems for access violations, latest applicable patches
and integrity of operating systems and applications
7. PASSWORD: Enforce strong password policy and run password guessing for
easy to guess passwords
8. SCAN: Periodically for known vulnerabilities and the latest exploits
9. BACK-UP: Ensure regular clean backups are made to enable speedy recovery
10. RESPONSE: Set up an incident response team with complimentary measures.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 22/23
22
CONCLUSION
Examining the threats and managing them appropriately is very important for the
smooth running of any organization. Security is a very difficult topic. Everyone has a
different idea of what ``security'' is, and what levels of risk are acceptable. The key
for building a secure network is to define what security means to your organization.
Once that has been defined, everything that goes on with the network can be
evaluated with respect to that policy. It's important to build systems and networks in
such a way that the user is not constantly reminded of the security system around
him.
8/6/2019 Network Security Final Report
http://slidepdf.com/reader/full/network-security-final-report 23/23
23
REFERENCES:
http://www.robertgraham.com/pubs/network-intrusion-detection.html
http://online.securityfocus.com/infocus/1527
http://www.snort.org/
http://www.cert.org/
http://www.nmap.org/
http://grc.com/dos/grcdos.htm
http://lcamtuf.coredump.cx/newtcp/