
Computer Security

Computer security is important to maintain. Spam is unsolicited commercial email. Operating systems and applications need to apply the latest patches to maintain security. Active network-based intrusion detection systems detect and respond to malicious traffic on a network. A DMZ acts as a buffer between trusted and untrusted networks. Digital signatures require hashing and asymmetric encryption. Firewalls monitor and control incoming and outgoing network traffic based on security rules to protect internal networks. There are different types of firewalls including packet filtering, circuit-level gateways, and stateful inspection firewalls.

Uploaded by

Jerry O

Computer Security

Q1). Attempt all of the following:

1) What is spam?
a) Unsolicited commercial email
b) Unsent archives
c) Computer virus
d) Encryption algorithm

Answer--- a) Unsolicited commercial email

2) Applying the latest patch is important for maintaining security of:

a) Applications only
b) OS and applications
c) Firmware only
d) Buffer overflows

Answer--- b) OS and applications

3) Detecting and responding to malicious traffic on a network terminal requires:


a) Active host based IDS
b) Passive host based IDS
c) Active network based IDS
d) Passive network based IDS

Answer--- c) Active network based IDS

4) The purpose of a DMZ in a network is to ______:

a) Provide easy connection to internet without an interfacing firewall
b) Allow server farms to be divided into similar functioning entities
c) Provide a place to lure and capture hackers
d) Act as buffer between trusted and untrusted networks

Answer--- d) Act as buffer between trusted and untrusted networks


5) A class-1 digital certificate is commonly used for ____ :
a) Personal email signing
b) Personal web server SSL
c) Code signing
d) Denoting an entity as CA

Answer--- a) Personal email signing

6) What kind of encryption uses the concept of a public key?


a) Asymmetric
b) Hash
c) Linear cryptanalysis
d) Authentication

Answer--- a) Asymmetric

7) How many bits are in a block of the SHA algorithm?


a) 128
b) 2048
c) 512
d) 56

Answer--- d) 56

8) A digital signature requires what type of encryption?


a) Hashing and asymmetric
b) Hashing and symmetric
c) Asymmetric and symmetric
d) Hashing

Answer--- Hashing and asymmetric

Q2). Attempt any three of the following:

1) Enlist and explain steps performed in each DES round.

The Data Encryption Standard (DES) has been found vulnerable to very powerful attacks, and
its popularity has therefore declined slightly.

DES is a block cipher that encrypts data in blocks of 64 bits each: 64 bits of plain text go in
as the input to DES, which produces 64 bits of cipher text. The same algorithm and key are used
for encryption and decryption, with minor differences. The key length is 56 bits.

Before the DES process even starts, every 8th bit of the key is discarded to produce a 56-bit key.
That is, bit positions 8, 16, 24, 32, 40, 48, 56 and 64 are discarded.

Thus, discarding every 8th bit of the key produces a 56-bit key from the original 64-bit key.

DES is based on the two fundamental attributes of cryptography: substitution (also called
confusion) and transposition (also called diffusion). DES consists of 16 steps, each of
which is called a round. Each round performs the steps of substitution and transposition.

1. In the first step, the 64-bit plain text block is handed over to an Initial Permutation (IP)
function.

2. The initial permutation is performed on the plain text.

3. Next, the initial permutation (IP) produces two halves of the permuted block, say Left
Plain Text (LPT) and Right Plain Text (RPT).

4. Now each of LPT and RPT goes through 16 rounds of the encryption process.

5. In the end, LPT and RPT are rejoined and a Final Permutation (FP) is performed on the
combined block.

6. The result of this process is the 64-bit cipher text.
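The flow in steps 1 to 6, as an added example that is not part of the original document: the standard IP table, its inverse FP, and the parity-bit discarding, wrapped around 16 rounds. The round function `toy_f` and key schedule `toy_subkeys` are hypothetical stand-ins (the real S-box round function and key schedule are omitted), so the output is not DES ciphertext.

```python
# Added illustration of DES's outer structure with a STAND-IN round function.

# Initial Permutation table (1-based bit positions, bit 1 = most significant bit).
IP = [s - 8 * j for s in (58, 60, 62, 64, 57, 59, 61, 63) for j in range(8)]
# The Final Permutation is the inverse of IP.
FP = [IP.index(i) + 1 for i in range(1, 65)]

def permute(block, table, width=64):
    """Output bit i is input bit table[i] (1-based, MSB first)."""
    out = 0
    for pos in table:
        out = (out << 1) | ((block >> (width - pos)) & 1)
    return out

def drop_parity(key64):
    """Discard bit positions 8, 16, ..., 64 of the 64-bit key, leaving 56 bits."""
    keep = [p for p in range(1, 65) if p % 8 != 0]
    return permute(key64, keep)

def toy_subkeys(key56):
    """Hypothetical key schedule: 16 rotations of the 56-bit key, low 32 bits each."""
    mask = (1 << 56) - 1
    return [(((key56 << r) | (key56 >> (56 - r))) & mask) & 0xFFFFFFFF
            for r in range(1, 17)]

def toy_f(rpt, subkey):
    """Stand-in round function mixing RPT with the subkey (NOT the DES f-function)."""
    x = (rpt ^ subkey) & 0xFFFFFFFF
    return ((x * 0x9E3779B1) ^ (x >> 15)) & 0xFFFFFFFF

def crypt(block64, key64, decrypt=False):
    keys = toy_subkeys(drop_parity(key64))
    if decrypt:
        keys.reverse()  # the "minor difference": subkeys are applied in reverse order
    block = permute(block64, IP)                   # steps 1-2
    lpt, rpt = block >> 32, block & 0xFFFFFFFF     # step 3
    for k in keys:                                 # step 4: 16 rounds
        lpt, rpt = rpt, lpt ^ toy_f(rpt, k)
    return permute((rpt << 32) | lpt, FP)          # steps 5-6: swap, rejoin, FP
```

Because each round only XORs one half with a function of the other, running the same routine with the subkeys reversed undoes the encryption regardless of what the round function is.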

2) Differentiate between centralized and decentralized infrastructure.


| Centralized infrastructure | Decentralized infrastructure |
| --- | --- |
| In a centralized system, a singular authority or administrator retains total control over all aspects of the network. | Decentralized networks are organized in a much more distributed fashion. |
| Management is simpler. | Management is difficult. |
| It simplifies the process. | It doesn't simplify the process. |
| This authority is typically exerted through a central server that manages all data and permissions. | Each node within the network functions as a separate authority with independent decision-making power regarding how it interacts with other systems. |
| A centralized network also locates all major processing power in this primary server. | These networks also distribute processing power and workload functions among connected servers. |

3) Explain IPsec with its modes.


• IPSec (IP Security) architecture uses two protocols to secure the traffic or data
flow.

• These protocols are ESP (Encapsulating Security Payload) and AH
(Authentication Header). IPSec architecture includes protocols, algorithms,
DOI, and key management. All these components are very important in order
to provide the three main services:

o Confidentiality
o Authentication
o Integrity

IPSec operates in one of two different modes: the transport mode or the tunnel mode.

Transport mode
• In the transport mode, IPSec protects what is delivered from the transport layer to the
network layer.

• In other words, the transport mode protects the network layer payload, the payload to be
encapsulated in the network layer.

• Note that the transport mode does not protect the IP header. In other words, the
transport mode does not protect the whole IP packet; it protects only the packet from
the transport layer (the IP layer payload).

• In this mode, the IPSec header and trailer are added to the information coming from the
transport layer.

• The IP header is added later. IPSec in the transport mode does not protect the IP header;
it only protects the information coming from the transport layer.

• The transport mode is normally used when we need host-to-host (end-to-end) protection
of data.

• The sending host uses IPSec to authenticate and/or encrypt the payload delivered from
the transport layer.

• The receiving host uses IPSec to check the authentication and/or decrypt the IP packet
and deliver it to the transport layer. Figure 32.4 shows this concept.

Tunnel mode
• In the tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including
the header, applies IPSec security methods to the entire packet, and then adds a new IP
header as shown in Figure.

• The new IP header, as we will see shortly, has different information than the original IP
header. The tunnel mode is normally used between two routers, between a host and a
router, or between a router

• In other words, we use the tunnel mode when either the sender or the receiver is not a
host.

• The entire original packet is protected from intrusion between the sender and the
receiver.

• It's as if the whole packet goes through an imaginary tunnel.

4) Describe working of firewall and its types.
A firewall is a network security system that monitors and controls incoming and
outgoing network traffic based on predetermined security rules. A firewall typically
establishes a barrier between a trusted internal network and an untrusted external
network, such as the Internet.

Working:

• A firewall is a network security device, either hardware-based or software-based, which
monitors all incoming and outgoing traffic and, based on a defined set of security rules,
accepts, rejects or drops that specific traffic.
Accept: allow the traffic
Reject: block the traffic but reply with an “unreachable error”
Drop: block the traffic with no reply

• The firewall matches network traffic against the rule set defined in its table. Once a rule is
matched, the associated action is applied to the network traffic. From the perspective of a server,
network traffic can be either outgoing or incoming. The firewall maintains a distinct set of rules
for each case.

• Mostly, outgoing traffic originating from the server itself is allowed to pass. Still, setting
rules on outgoing traffic is always better in order to achieve more security and prevent
unwanted communication.

Incoming traffic is treated differently.


• Packet filtering firewall
Packet filtering firewalls operate inline at junction points where devices such as
routers and switches do their work. However, these firewalls don't route packets,
but rather they compare each packet received to a set of established criteria -- such
as the allowed IP addresses, packet type, port number and other aspects of the
packet protocol headers. Packets that are flagged as troublesome are, generally
speaking, unceremoniously dropped -- that is, they are not forwarded and, thus,
cease to exist.

• Circuit-level gateway
Using another relatively quick way to identify malicious content, circuit-level
gateways monitor TCP handshakes and other network protocol session initiation
messages across the network as they are established between the local and remote
hosts to determine whether the session being initiated is legitimate -- whether the
remote system is considered trusted. They don't inspect the packets themselves,
however.

• Stateful inspection firewall


State-aware devices, on the other hand, not only examine each packet, but also
keep track of whether or not that packet is part of an established TCP or other
network session. This offers more security than either packet filtering or circuit
monitoring alone but exacts a greater toll on network performance.
A further variant of stateful inspection is the multilayer inspection firewall, which
considers the flow of transactions in process across multiple protocol layers of the
seven-layer Open Systems Interconnection (OSI) model.

• Application-level gateway
This kind of device -- technically a proxy and sometimes referred to as a proxy
firewall -- combines some of the attributes of packet filtering firewalls with those
of circuit-level gateways. They filter packets not only according to the service for
which they are intended -- as specified by the destination port -- but also by certain
other characteristics, such as the HTTP request string. While gateways that filter at
the application layer provide considerable data security, they can dramatically
affect network performance.
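The rule matching and the packet-filter versus stateful distinction described above, as an added example that is not part of the original document. The rule tables, addresses (documentation ranges) and the class name `StatefulFirewall` are constructed for illustration, and session tracking is simplified to a set of address/port tuples.

```python
import ipaddress

# Constructed rule tables: (action, source CIDR, protocol, destination port).
# The first matching rule wins; traffic that matches nothing is dropped.
INBOUND = [
    ("accept", "0.0.0.0/0",       "tcp", 443),  # public HTTPS
    ("accept", "198.51.100.0/24", "tcp", 22),   # SSH from the admin network only
    ("reject", "0.0.0.0/0",       "tcp", 22),   # everyone else gets an "unreachable" reply
]
OUTBOUND = [
    ("accept", "0.0.0.0/0", "udp", 53),
    ("accept", "0.0.0.0/0", "tcp", 443),
]

def match(rules, src, proto, dport):
    """Packet filtering: compare header fields to each rule in order."""
    for action, net, r_proto, r_port in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(net)
                and r_proto == proto and r_port == dport):
            return action
    return "drop"  # no rule matched: block with no reply

class StatefulFirewall:
    """Adds session tracking on top of the packet filter."""

    def __init__(self):
        # (local_ip, local_port, remote_ip, remote_port, proto)
        self.sessions = set()

    def outbound(self, src, sport, dst, dport, proto):
        verdict = match(OUTBOUND, src, proto, dport)
        if verdict == "accept":
            self.sessions.add((src, sport, dst, dport, proto))
        return verdict

    def inbound(self, src, sport, dst, dport, proto):
        # A reply belonging to a session this host opened is accepted
        # even though no INBOUND rule names its port.
        if (dst, dport, src, sport, proto) in self.sessions:
            return "accept"
        return match(INBOUND, src, proto, dport)
```

A pure packet filter would need a permanent inbound rule for high ports to let DNS replies in; the stateful version admits only the reply that matches a recorded outbound query.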

5) Draw and explain IDS with its components.

• An Intrusion Detection System (IDS) is a system that monitors network
traffic for suspicious activity and issues alerts when such activity is
discovered.

• It is a software application that scans a network or a system for harmful
activity or policy breaches.

• Any malicious venture or violation is normally reported either to an
administrator or collected centrally using a security information and event
management (SIEM) system.

• A SIEM system integrates outputs from multiple sources and uses alarm
filtering techniques to differentiate malicious activity from false alarms.

• Although intrusion detection systems monitor networks for potentially
malicious activity, they are also prone to false alarms. Hence,
organizations need to fine-tune their IDS products when they first install
them.

• This means properly setting up the intrusion detection systems to recognize what
normal traffic on the network looks like as compared to malicious activity.

• Intrusion prevention systems also monitor network packets inbound to the
system to check for malicious activity in them and at once send
warning notifications.

Components of IDS:

• Traffic collector (or sensor):
Collects activity/events for the IDS to examine. On a HIDS, this could be log files,
audit logs, or traffic coming to or leaving a specific system. On a NIDS, this is
typically a mechanism for copying traffic off the network link—basically
functioning as a sniffer. This component is often referred to as a sensor.

• Analysis engine:
Examines the collected network traffic and compares it to known patterns of
suspicious or malicious activity stored in the signature database. The analysis engine
is the “brains” of the IDS.

• Signature database:
A collection of patterns and definitions of known suspicious or malicious activity.

• User interface and reporting:
Interfaces with the human element, providing alerts when appropriate and giving the user
a means to interact with and operate the IDS.
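The four components wired together, as an added example that is not part of the original document. The signatures, thresholds and log lines are constructed for illustration (documentation address ranges), and the function names are hypothetical.

```python
import re
from collections import Counter

# Signature database: (name, pattern, alert threshold). Constructed, not a real rule set.
SIGNATURES = [
    ("failed-ssh-login", re.compile(r"sshd.*Failed password .* from (?P<src>\S+)"), 3),
    ("path-traversal", re.compile(r'(?P<src>\S+) .*"GET \S*\.\./'), 1),
]

# Constructed HIDS input: lines a traffic collector might read from auth and web logs.
SAMPLE_LOG = """\
sshd[811]: Failed password for root from 203.0.113.9 port 4022 ssh2
sshd[811]: Failed password for root from 203.0.113.9 port 4023 ssh2
sshd[812]: Failed password for alice from 198.51.100.4 port 5100 ssh2
sshd[811]: Failed password for admin from 203.0.113.9 port 4024 ssh2
sshd[813]: Accepted password for alice from 198.51.100.4 port 5101 ssh2
192.0.2.77 - - "GET /static/../../etc/passwd HTTP/1.1" 404
""".splitlines()

def collector(lines):
    """Traffic collector (sensor): hands non-empty events to the engine one at a time."""
    yield from (ln for ln in lines if ln.strip())

def analysis_engine(events, signatures):
    """Compare each event to the signature database; alert when a threshold is reached."""
    hits, alerts = Counter(), []
    for event in events:
        for name, pattern, threshold in signatures:
            m = pattern.search(event)
            if not m:
                continue
            key = (name, m.group("src"))
            hits[key] += 1
            if hits[key] == threshold:  # alert once per (signature, source)
                alerts.append({"signature": name, "source": m.group("src"),
                               "count": threshold})
    return alerts

def report(alerts):
    """User interface and reporting: one line per alert for the operator."""
    return [f"ALERT {a['signature']} from {a['source']} ({a['count']} hit(s))"
            for a in alerts]
```

The threshold of 3 on failed logins is the tuning step the text mentions: alice's single mistyped password produces no alert, while lowering the threshold to 1 would raise a false alarm for it.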
