3 Computer Security (CSE 17514) Model Answer Practice Test

An active attack attempts to alter system resources or affect their operation, while a passive attack attempts to learn or make use of information without affecting resources. Some types of active attacks are masquerade, replay, and message modification. Passive attacks include traffic analysis and release of message contents. A man-in-the-middle attack occurs when an attacker places themselves between two communicating hosts to view and modify traffic by relaying all communication through themselves.


Model Answer

Q1. (A)
a) Explain active attack and passive attack.
(Active attack 1M its types 1M, Passive attack 1M its
types 1M)
Active Attack
An active attack attempts to alter system resources or
affect their operation.
It is quite difficult to prevent active attacks absolutely
because of the wide variety of potential physical, software, and
network vulnerabilities.
A masquerade takes place when one entity pretends to be
a different entity.
Replay involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect.
Modification of messages simply means that some portion
of a legitimate message is altered, or that messages are delayed
or reordered, to produce an unauthorized effect.
Denial of service prevents or inhibits the normal use
or management of communications facilities.
Passive Attack
A passive attack attempts to learn or make use of
information from the system but does not affect system
resources.
The goal of the opponent is to obtain information that is
being transmitted.
Traffic Analysis
Even when the messages themselves are encoded, a passive
attacker may try to find out the pattern of the messages
exchanged and learn something about the communication from
it; this analysis is known as traffic analysis.
Release of Message Contents
A telephone conversation, an electronic mail
message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an
opponent from learning the contents of these
transmissions.
b) List individual user responsibilities?
(Any eight responsibilities 4 marks)
The specific duties that a user is expected to perform vary
between organizations and types of business, for example:
1. Lock the office and the computer.
2. Don't leave sensitive information in freely accessible places.
3. Secure storage media.
4. Shred paper documents before discarding them.
5. Discard used papers.
6. Protect laptops.
7. Be aware of the persons around you.
8. Enforce corporate access control methods.

c) Explain rail fence technique with suitable example.


(Rail fence 2M, example 2M)
The rail fence technique is a transposition technique. Its
name comes from the way in which the message is encoded.
The plaintext message is written downwards on successive
rails of fence, starting a new column when the bottom is
reached.
Then the message is read according to the rows.

Ex. COMPUTER
C M U E
O P T R
Cipher text – CMUEOPTR
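The rail fence as described above (write down the rails column by column, read off row by row), as an added example that is not part of the original model answer; it generalises the two-rail COMPUTER example to any number of rails and includes the inverse transposition.

```python
# Added example (not part of the original model answer): the rail fence
# transposition as the answer describes it, generalised to any number of
# rails. Plaintext is written down the rails column by column and the
# ciphertext is read off row by row; with two rails this matches the
# COMPUTER -> CMUEOPTR example above.


def rail_fence_rows(plaintext: str, rails: int = 2) -> list:
    """Return the rows of the fence. Spaces are dropped, as in the example."""
    text = plaintext.replace(" ", "")
    # Writing down the rails column by column means rail i receives
    # characters i, i+rails, i+2*rails, ... of the text.
    return [text[i::rails] for i in range(rails)]


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Ciphertext is the rows read in order."""
    return "".join(rail_fence_rows(plaintext, rails))


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    """Undo the transposition: split the ciphertext back into rows, then read columns."""
    n = len(ciphertext)
    rows, pos = [], 0
    for i in range(rails):
        # Row i holds ceil((n - i) / rails) characters.
        length = (n - i + rails - 1) // rails
        rows.append(ciphertext[pos:pos + length])
        pos += length
    columns = (n + rails - 1) // rails
    out = []
    for col in range(columns):
        for row in rows:
            if col < len(row):
                out.append(row[col])
    return "".join(out)


def preserves_letter_frequency(plaintext: str, rails: int = 2) -> bool:
    """A transposition only reorders letters, so the multiset of letters is
    unchanged. This is why a rail fence cipher alone gives no protection
    against frequency analysis; the check documents that weakness."""
    ct = rail_fence_encrypt(plaintext, rails)
    return sorted(ct) == sorted(plaintext.replace(" ", ""))


if __name__ == "__main__":
    for r in rail_fence_rows("COMPUTER"):
        print(" ".join(r))            # prints the two-rail fence from the answer
    ct = rail_fence_encrypt("COMPUTER")
    print("Cipher text -", ct, "->", rail_fence_decrypt(ct))
```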

d) What is firewall? What are its limitations?


(Firewall - 2M, Limitations - 2M)
A firewall is a dedicated appliance (hardware) or software.
A firewall stands between a trusted and an untrusted network,
inspecting all traffic passing between them, and either permits or
denies it depending on rules.
A firewall is a choke point of control and monitoring.
A firewall acts as a security gateway between two networks.
Based on rules defined by the organization, it decides
whether to pass or reject traffic.
Some firewalls can also decide whether to encrypt traffic
or take other actions.
Limitations
Firewall cannot protect against attacks that bypass the
firewall
Firewall does not protect against internal threats.
Firewall cannot protect against the transfer of virus
infected programs or files.

Q1. (B) Attempt any ONE 06 Marks


a) What is virus? List and explain types of virus.
(Virus 2M, List & explain 4 M)
A virus is a program which attaches itself to another
program and causes damage to the computer system or the
network.
It is loaded onto your computer without your
knowledge and runs against your wishes.
Viruses can replicate themselves; all computer viruses are
man-made.
Even a simple virus is dangerous because it will quickly
use all available memory and bring the system to a halt.
Types of Viruses
Parasitic Viruses: It attaches itself to executable code and
replicates itself. Once it is infected it will find another program
to infect.
Memory resident viruses: It lives in memory after its
execution, becomes a part of the operating system or an application,
and can manipulate any file that is executed, copied or moved.
Non-resident viruses: It executes itself and terminates or
destroys itself after a specific time.
Boot sector Viruses: It infects boot sector and spread
through a system when it is booted from disk containing virus.
Overwriting viruses: It overwrites the code with its own
code.
Stealth Virus: This virus hides the modification it has
made in the file or boot record.
Macro Viruses: These are not executable. They affect
Microsoft Word-like documents and can spread through email.
Polymorphic viruses: it produces fully operational copies
of itself, in an attempt to avoid signature detection.
Companion Viruses: creates a program instead of
modifying an existing file.
Email Viruses: Virus gets executed when email
attachment is open by recipient. Virus sends itself to every one
on the mailing list of sender.
Metamorphic viruses: It keeps rewriting itself every time; it
may change its behavior as well as the appearance of its code.

b) Explain Virtual LAN with its types.


(VLAN 2M, List & explain 4 types 4 M)
Virtual LANs are a method of using a single switch and dividing
it into multiple broadcast domains and/or multiple network
segments.
It allows different VLANs to exist on a single switch in such a
manner that all the LANs operate in parallel.
It allows a virtual LAN to be created which its users use in the
same way as a regular LAN.
Types of VLAN
1. Port Based VLANs
Here, all the traffic arriving at a particular port is assigned to a
specific VLAN, independent of the user or system attached
to the port.
All systems attached to the port should be members in the
same VLAN.
Network administrator typically performs VLAN
assignment. The port configuration is static and cannot be
automatically changed to another VLAN without manual
reconfiguration.
It is possible to connect several VLANs to a single switch
and they operate concurrently.
2. MAC based VLANs
The MAC-based VLAN feature allows incoming traffic to
be assigned to a VLAN, and thus classifies traffic based on
the source MAC address of the packet.
It allows the computers attached to any port of a switch to be
associated with the appropriate VLAN by their MAC address.
This approach is very convenient because it removes the physical
requirement of connecting a particular device to a
particular port.
3. Protocol based VLANs
The traffic is forwarded through ports based on the protocol
used for transmission.
The protocols are assigned to different ports.
4. IP subnet based VLANs
In this type of VLAN, all the incoming traffic will be
divided according to the IP subnet address of each
source/destination.
This will provide great flexibility in network because the
users can move computers from one location to another
location and can remain in the same VLAN.
The disadvantage of this type of VLAN is that it needs additional
processing of the layer 3 header and therefore adds
more latency than the other VLAN types.
Q2. Attempt any TWO 16 Marks
a) Explain the concept of hashing.
(Hashing 2M, diagram 2M, properties 2M, uses 2M)
The principal object of hashing is to provide data integrity.
Hash functions are often used to determine whether or not
data has changed.
A hash is used to detect changes to a message.
It provides an error detection capability.
It provides message authentication, which assures that data received
are exactly as sent.
A hash function H accepts a variable-length block of data
M as input and produces a fixed-size hash value h = H (M).
A "good" hash function has the property that the results of
applying the function to a large set of inputs will produce
outputs that are evenly distributed, and apparently random.
In general terms, the principal object of a hash function is
data integrity.
A change to any bit or bits in M results, with high
probability, in a change to the hash code.
The kind of hash function needed for security applications
is referred to as a cryptographic hash function.
A cryptographic hash function is an algorithm for which it
is computationally infeasible (because no attack is significantly
more efficient than brute force) to find either (a) a data object
that maps to a pre-specified hash result (the one-way property)
or (b) two data objects that map to the same hash result (the
collision-free property). Because of these characteristics, hash
functions are often used to determine whether or not data has
changed.
Hash Function Uses
• To create a one-way password file:
store the hash of the password, not the actual password.
• Pseudorandom function (PRF) or pseudorandom number
generator (PRNG).
• Another important application, which is similar to the
message authentication application, is the digital signature.
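Two of the hash uses listed above, as an added example not taken from the model answer: the avalanche effect (a one-bit change to M changes about half the bits of H(M)) and a one-way password file that stores a salted, iterated hash instead of the password. Only the Python standard library (hashlib, hmac, os) is used; the credentials are constructed.

```python
# Added example (not from the original model answer): two of the hash uses
# listed above. (1) The avalanche property: changing one bit of M changes
# roughly half the bits of H(M). (2) A one-way password file that stores a
# salted, iterated hash rather than the password. Standard library only.
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    assert len(a) == len(b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_one_bit(data: bytes, bit: int = 0) -> bytes:
    """Return a copy of data with one bit inverted (a minimal change to M)."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def make_password_record(username: str, password: str, iterations: int = 200_000) -> str:
    """One line of a one-way password file: name:iterations:salt:hash.
    The random per-user salt means two users with the same password get
    different hashes, and the iteration count slows brute-force guessing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{username}:{iterations}:{salt.hex()}:{digest.hex()}"


def verify_password(record: str, username: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.
    The password itself is never stored, so the file does not reveal it."""
    name, iterations, salt_hex, digest_hex = record.split(":")
    if name != username:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    m = b"Computer Security"
    print("bits changed by a 1-bit change to M:",
          differing_bits(sha256(m), sha256(flip_one_bit(m))))
    rec = make_password_record("asha", "correct horse")   # constructed credentials
    print(rec)
    print(verify_password(rec, "asha", "correct horse"),
          verify_password(rec, "asha", "wrong"))
```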
b) Explain
i. Man in the Middle attack.
(Diagram 2M, Description 2M)
A Man-in-the-Middle attack generally occurs when
attackers are able to place themselves in the middle of two other
hosts that are communicating, in order to view and/or modify the
traffic.

              Communication appears to be direct
  Host 1 <-------------------------------------------> Host 2
       \                                             /
   message actually sent                 attacker relays
   to the attacker                       communication to
       \                                 the dest. host
        \                                  /
                         Attacker

• This is done by ensuring that all communication going to
or from the target host is routed through the attacker's host.
• The attacker can observe all traffic before relaying it and
can actually modify or block traffic.
• To the target host it appears that communication is
occurring normally, since all expected replies are received.
• A MITM attack can only be successful when the attacker
can impersonate each endpoint to the satisfaction of the
other.

ii. Replay attack with the help of diagram.


(Diagram 2M, Description 2M)
A replay attack is a form of network attack in which
a valid data transmission is maliciously or fraudulently
repeated or delayed.
A replay attack is an attack where the attacker
captures a portion of a communication between two parties and
retransmits it after some time.
The best way to prevent replay attacks is with
encryption, cryptographic authentication and time stamps.
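The prevention measures named above (cryptographic authentication plus time stamps) on the receiving side, as an added example that is not part of the model answer: each message carries a time stamp and a random nonce and is authenticated with an HMAC, so a captured message that is retransmitted later is rejected as stale or as a duplicate. The shared key, messages and the 30-second window are constructed for the demonstration.

```python
# Added example (not from the original model answer): the prevention
# measures named above (cryptographic authentication and time stamps)
# applied by a receiver. Messages carry a timestamp and a random nonce and
# are authenticated with an HMAC; a message that is retransmitted later is
# rejected either as stale or as an already-seen nonce. The key and
# messages are constructed for the example.
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _tag(key: bytes, body: dict) -> str:
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key: bytes, payload: str, now: float, nonce: str = None) -> dict:
    """Sender side: bind the payload to a time stamp and a fresh nonce."""
    body = {"payload": payload, "ts": now, "nonce": nonce or secrets.token_hex(8)}
    return {"body": body, "tag": _tag(key, body)}


class Receiver:
    """Receiver side: accept a message at most once and only while fresh."""

    def __init__(self, key: bytes, window: float = 30.0):
        self.key = key
        self.window = window        # seconds of clock skew / delay tolerated
        self.seen = {}              # nonce -> timestamp of accepted messages

    def accept(self, msg: dict, now: float) -> str:
        body = msg["body"]
        # 1. Authenticity first: a forged or altered message is dropped before
        #    any state is touched.
        if not hmac.compare_digest(_tag(self.key, body), msg["tag"]):
            return "rejected: bad tag"
        # 2. Time stamp: a capture replayed long after the fact is stale.
        if abs(now - body["ts"]) > self.window:
            return "rejected: stale"
        # 3. Nonce: a capture replayed inside the window is a duplicate.
        if body["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[body["nonce"]] = body["ts"]
        # Forget nonces older than the window; the time stamp check alone
        # rejects those, so the remembered set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    m = make_message(SHARED_KEY, "transfer 100 to account 42", now=1000.0)
    print(rx.accept(m, now=1001.0))   # accepted
    print(rx.accept(m, now=1002.0))   # rejected: replay
    print(rx.accept(m, now=1100.0))   # rejected: stale
```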

c) Explain digital signature with diagram.


(Diagram – 2M, encryption & decryption keys used -2M,
Description 4 M)
Message authentication protects two parties who exchange
messages from any third party.
However, it does not protect the two parties against each
other either fraudulently creating, or denying creation, of a
message.
A digital signature is an electronic signature, which is used to
authenticate the identity of the sender or signer.
A digital signature is based upon a hashing function and
asymmetric cryptography.
A digital signature must have the following properties:
It must verify the author and the date and time of the
signature.
It must authenticate the contents at the time of the
signature.
It must be verifiable by third parties, to resolve
disputes.

A digital signature provides the ability to
• Verify the author, date and time of the signature
• Authenticate the message content

Bob can sign a message using a digital signature
generation algorithm. The inputs to the algorithm are the
message and Bob's private key. Any other user, say Alice, can
verify the signature using a verification algorithm, whose inputs
are the message, the signature, and Bob's public key.

Q3. Attempt any FOUR 16 Marks


a) Explain the term software piracy.
(Software Piracy 4 M)
Software Piracy
• "Software piracy is the illegal copying, distribution, or use
of software."
• Software piracy is the copying and use of software without
a proper license from the developer.
• Simultaneous use of single-user license software by
multiple users is piracy.
• Using trial version software for commercial gain is also
piracy.
• Piracy can also be punishable if you install pirated
software, do your work and then delete the software from
the machine, provided there is enough evidence to show the activity.
There are four primary ways to legally obtain a software license:
1. Purchasing a new PC equipped with OEM software and
equipment.
2. Purchasing products “off the shelf” from a certified
retailer.
3. Signing a License Agreement online.
4. Buying a software as a service
b) Write short note on access by non employee and
security awareness.
(Access by non employee 2M, Security awareness 2M)
Access by non employee
If an attacker can get physical access to a facility then
there are many chances of obtaining information to enter the
computer system and network: wearing ID cards, cell
phones with built-in cameras, and use of social websites from
inside the organization.
Many organizations require their employees to wear
identification badges at work. This is an easy method to
quickly identify an unauthorized person.

Security awareness
• An unaware user is as dangerous to the system as the
attacker.
• An active security awareness program is the most
effective method to oppose potential social
engineering attacks.
• When a person is hired it is important to provide
initial employee training on social engineering.
• An unaware, security-illiterate user can inflict damage
because the user:
– runs programs that allow viruses or
Trojans to gain access to the system and spread
their malicious intent;
– accesses the network and the internet unaware of the
fact that this act may give a chance to worms
and spyware to compromise the system
security;
– opens emails and messages, unknowingly
facilitating malicious code to execute,
spread and infect the system;
– logs in remotely and downloads applets and ActiveX
controls, executing underlying untrusted code.

c) Describe Caesar's cipher encryption algorithm with
example.
(4M)
The Caesar cipher is one of the simplest and most widely
known encryption techniques. It is a substitution technique.
In it each letter in the plaintext is replaced by a letter
some fixed number of positions down the alphabet:
a → D, b → E, c → F, ..., x → A, y → B, z → C

A B C D E F G H I J K L M
0 1 2 3 4 5 6 7 8 9 10 11 12
N O P Q R S T U V W X Y Z
13 14 15 16 17 18 19 20 21 22 23 24 25

Then the algorithm can be expressed as follows. For each
plaintext letter p, substitute the ciphertext letter C:
C = E(3, p) = (p + 3) mod 26
A shift may be of any amount, so that the general
Caesar algorithm is
C = E(k, p) = (p + k) mod 26
where k takes on a value in the range 1 to 25. The
decryption algorithm is simply
p = D(k, C) = (C - k) mod 26
Example :- "Computer Security"

C 02 02+03 mod 26 = 5 F
O 14 14+03 mod 26 = 17 R
M 12 12+03 mod 26 = 15 P
P 15 15+03 mod 26 = 18 S
U 20 20+03 mod 26 = 23 X
T 19 19+03 mod 26 = 22 W
E 04 04+03 mod 26 = 07 H
R 17 17+03 mod 26 = 20 U
S 18 18+03 mod 26 = 21 V
E 04 04+03 mod 26 = 07 H
C 02 02+03 mod 26 = 05 F
U 20 20+03 mod 26 = 23 X
R 17 17+03 mod 26 = 20 U
I 08 08+03 mod 26 = 11 L
T 19 19+03 mod 26 = 22 W
Y 24 24+03 mod 26 = 01 B

Ciphertext FRPSXWHU VHFXULWB
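The general Caesar algorithm C = E(k, p) = (p + k) mod 26 and its inverse, as an added example that is not part of the model answer; it reproduces the worked table above for k = 3 and also lists every candidate plaintext for the 25 possible shifts, which is the standard illustration of why the key space is too small to give any secrecy.

```python
# Added example (not from the original model answer): the general Caesar
# cipher C = E(k, p) = (p + k) mod 26 and its inverse p = D(k, C) = (C - k) mod 26,
# using the A=0 ... Z=25 numbering from the table above.
import string

ALPHABET = string.ascii_uppercase   # the index of a letter is its value p


def caesar_encrypt(plaintext: str, k: int = 3) -> str:
    """Shift every letter by k; anything that is not a letter is kept as-is."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            p = ALPHABET.index(ch.upper())
            out.append(ALPHABET[(p + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, k: int = 3) -> str:
    """Decryption is a shift by -k; Python's % keeps the result in 0..25."""
    return caesar_encrypt(ciphertext, -k)


def caesar_table(plaintext: str, k: int = 3) -> list:
    """Worked rows like the answer's table: (letter, p, C, cipher letter)."""
    rows = []
    for ch in plaintext:
        if ch.isalpha():
            p = ALPHABET.index(ch.upper())
            c = (p + k) % 26
            rows.append((ch.upper(), p, c, ALPHABET[c]))
    return rows


def all_shifts(ciphertext: str) -> dict:
    """Since k can only be 1..25, every candidate plaintext can be listed;
    this is the standard observation about why the Caesar cipher offers no
    real secrecy."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    for letter, p, c, cl in caesar_table("Computer Security"):
        print(f"{letter} {p:02d} {p:02d}+03 mod 26 = {c:02d} {cl}")
    print("Ciphertext", caesar_encrypt("Computer Security"))
```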


d) Describe the working of single homed bastion and
screen host gateway type of firewall with diagram.
(Bastion Host 1M, Diagram 1M, Description 2M)
Bastion Host
• Highly secure host system that serves as a platform for an
application-level or circuit-level gateway.
• The host hardware platform executes a secure version of its
operating system, making it a trusted system.
• Only services that the network administrator considers
essential are installed on the bastion host (e.g. Telnet,
DNS, FTP, and user authentication).
Single-Homed Bastion
• Consists of two systems: a packet-filtering router and a
bastion host. The router is configured so that:
• For traffic from the Internet, only IP packets destined for
the bastion host are allowed in.
• For traffic from the internal network, only IP packets
from the bastion host are allowed out.
• The bastion host performs authentication and proxy
functions.
e) Describe SSL protocol stack with sketch.
(Diagram 1M, explanation of protocols 3M)

The SSL protocol was originally developed by Netscape
to ensure the security of data transported and routed through
HTTP, LDAP or POP3 application layers.
SSL is designed to make use of TCP as a communication
layer to provide a reliable end-to-end secure and
authenticated connection between two points over a network
(for example between the service client and the server).
Although SSL can be used for protection of data in transit
for any network service, it is used mostly in HTTP server and
client applications.
Today, almost every available HTTP server can support an
SSL session, whilst IE or Netscape Navigator browsers are
provided with SSL-enabled client software.
The SSL record protocol is responsible for data encryption
and integrity.
It is also used to encapsulate data sent by the other SSL
protocols, and therefore it is also involved in the tasks
associated with checking SSL data.
The other three protocols cover the areas of session
management, cryptographic parameter management and
transfer of SSL messages between the client and the server.
Prior to going into a more detailed discussion of the role of
the individual protocols and their functions, let us describe two
fundamental concepts related to the use of SSL:
Connection: this is a logical client/server link, associated
with the provision of a suitable type of service. In SSL terms,
it must be a peer-to-peer connection with two network nodes.
Session: this is an association between a client and a
server that defines a set of parameters such as algorithms
used, session number etc.
An SSL session is created by the Handshake Protocol that
allows parameters to be shared among the connections made
between the server and the client, and sessions are used to
avoid negotiation of new parameters for each connection.
This means that a single session is shared among multiple
SSL connections between the client and the server.

Q4. (A) Attempt any THREE 12 Marks


a) Explain asymmetric key cryptography.
(Diagram 2M, description 2M)
Asymmetric algorithms rely on one key for encryption and
a different but related key for decryption. These algorithms
have the following important characteristic.
• It is computationally infeasible to determine the
decryption key given only knowledge of the cryptographic
algorithm and the encryption key.
In addition, some algorithms, such as RSA, also exhibit
the following characteristic.
• Either of the two related keys can be used for encryption,
with the other used for decryption.
b) Explain the working of host based intrusion detection
system.
(Diagram 2M, HIDS 2M)
A host-based IDS checks log files, audit trails and network
traffic coming into or leaving a specific host.
HIDS can operate in real time, looking for activity as it
arises, or batch mode, looking for activity on a periodic basis.

  Critical Files          Signature Database
        |                         |
        v                         v
  Traffic Collector ----> Analysis Engine ----> User Interface
        |                         |                   |
        v                         v                   v
    Log Files              Alarm Storage           Reports

Many host-based IDSs focus on the log files or audit trails
produced by the local operating system. On Windows systems, the
examined logs are typically the Application, System and Security
event logs. On Unix systems, the examined logs are generally the
messages, kernel and error logs.
Some host-based IDSs have the ability to cover specific
applications by examining the logs produced by those specific
applications or by examining the traffic from the services
themselves, like FTP or web services.

The activities a HIDS looks for in the log files are:
• Logins at odd hours
• Login authentication failures
• Adding a new user account
• Modification or access of critical system files
• Modification or removal of binary files
• Starting or stopping processes
• Privilege escalation
• Use of certain programs

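A small batch-mode rule set of the kind a HIDS applies to log files, as an added example that is not part of the model answer: it is run over constructed auth-log style lines and flags four of the activities listed above (logins at odd hours, repeated login authentication failures, addition of a user account, and privilege escalation via sudo). The host name, addresses, user names and the 03:00/three-failure thresholds are all made up for the demonstration.

```python
# Added example (not from the original model answer): a small batch-mode
# HIDS rule set run over constructed auth-log style lines, looking for four
# of the activities listed above: logins at odd hours, repeated login
# authentication failures, a new user account being added, and privilege
# escalation via sudo. The log lines, host and addresses are made up.
import re
from collections import Counter

SAMPLE_LOG = """\
Mar 10 03:12:44 host1 sshd[1201]: Accepted password for alice from 10.0.0.5 port 5222 ssh2
Mar 10 09:15:02 host1 sshd[1304]: Failed password for root from 10.0.0.9 port 4410 ssh2
Mar 10 09:15:05 host1 sshd[1304]: Failed password for root from 10.0.0.9 port 4410 ssh2
Mar 10 09:15:08 host1 sshd[1304]: Failed password for root from 10.0.0.9 port 4410 ssh2
Mar 10 09:20:31 host1 sshd[1310]: Accepted publickey for bob from 10.0.0.7 port 5301 ssh2
Mar 10 10:02:11 host1 useradd[1400]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
Mar 10 10:05:30 host1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

# syslog-style prefix: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

ODD_HOURS = range(0, 6)     # 00:00-05:59 counts as "odd hours" for this host
FAIL_THRESHOLD = 3          # failures from one (user, ip) before alerting


def analyse(log_text: str) -> list:
    """Return alerts as (rule, subject, detail) tuples in log order."""
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # unparseable line: skip, do not crash
        proc, msg = m["proc"].strip(), m["msg"]
        hour = int(m["time"][:2])
        if proc == "sshd":
            a = ACCEPT_RE.search(msg)
            if a and hour in ODD_HOURS:
                alerts.append(("odd-hour login", a["user"], f"{a['ip']} at {m['time']}"))
            f = FAIL_RE.search(msg)
            if f:
                key = (f["user"], f["ip"])
                failures[key] += 1
                if failures[key] == FAIL_THRESHOLD:   # alert once, when the threshold is hit
                    alerts.append(("auth failures", f["user"],
                                   f"{FAIL_THRESHOLD} failures from {f['ip']}"))
        elif proc == "useradd":
            u = USERADD_RE.search(msg)
            if u:
                alerts.append(("new user account", u["user"], msg))
        elif proc == "sudo":
            s = SUDO_RE.search(msg)
            if s and s["target"] == "root":
                alerts.append(("privilege escalation", s["user"], s["cmd"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in analyse(SAMPLE_LOG):
        print(f"ALERT {rule:<22} {subject:<10} {detail}")
```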
c) What are characteristics of IT Act 2008?


(Four Characteristics one mark each)
This act provides legal recognition for transactions carried
out by means of Electronic Data Interchange (EDI) and other electronic
communications. Electronic commerce is the alternative to
paper based methods of communication and storage of
information.
This act also provides facilities for electronic filing of
information with the government agencies, and further
amends the Indian Penal Code, the Indian Evidence Act 1872,
the Bankers' Books Evidence Act 1891 and the Reserve Bank of
India Act 1934, and provides for matters connected therewith or
incidental thereto.
The General Assembly of the United Nations, by
resolution A/RES/51/162 dated 30 January 1997,
adopted the Model Law on Electronic Commerce adopted
by the United Nations Commission on International Trade
Law.
This recommends that all states give favorable
consideration to the said model law when they enact
or revise their laws, in view of the need for uniformity of the
law applicable to alternatives to paper based methods of
communication and storage of information.
It is considered necessary to give effect to the said
resolution and to promote efficient delivery of
government services by means of reliable electronic
records.

d) What are SET requirements?


(Any four Requirements ONE marks each)

Provide confidentiality of payment and ordering
information: It is necessary to assure cardholders that this
information is safe and accessible only to the intended recipient.
Confidentiality also reduces the risk of fraud by either party to
the transaction or by malicious third parties. SET uses
encryption to provide confidentiality.
Ensure the integrity of all transmitted data: That is, ensure
that no changes in content occur during transmission of SET
messages. Digital signatures are used to provide integrity.
Provide authentication that a cardholder is a legitimate user
of a credit card account: A mechanism that links a cardholder
to a specific account number reduces the incidence of fraud and
the overall cost of payment processing. Digital signatures and
certificates are used to verify that a cardholder is a legitimate
user of a valid account.
Provide authentication that a merchant can accept credit
card transactions through its relationship with a financial
institution: This is the complement to the preceding
requirement. Cardholders need to be able to identify merchants
with whom they can conduct secure transactions. Again, digital
signatures and certificates are used.
Ensure the use of the best security practices and system
design techniques to protect all legitimate parties in an
electronic commerce transaction: SET is a well-tested
specification based on highly secure cryptographic algorithms
and protocols.
Create a protocol that neither depends on transport security
mechanisms nor prevents their use: SET can securely operate
over a 'raw' TCP/IP stack. However, SET does not interfere
with the use of other security mechanisms, such as IPSec and
SSL/TLS.
Facilitate and encourage interoperability among software
and network providers: The SET protocols and formats are
independent of hardware platform, operating system, and web
software.

Q4. (B) Attempt any ONE 06 Marks


a) Describe the term authentication and authorization.
Explain authenticity methods with example.
(Def of authentication and authorization -3 M, three
methods 1 mark each)
Authentication is the process of determining the identity of a
user or other entity. It is performed during the logon process, or
while accessing or entering the system.
Authorization is the process of verifying that a known
person has the authority to perform a certain operation.
Authorization cannot occur without authentication.
The job of an authentication mechanism is to make sure of the
validity of a user.
Authenticity is the property of being genuine and being able to be
verified and trusted; confidence in the validity of a transmission,
a message, or a message originator.
This means verifying that users are who they say they are
and that each input arriving at the system came from a trusted
source.
Three methods of authentication
1. Something you know: The most common
authentication mechanism is to provide a user ID and password.
Authentication relies on what the user remembers.
Ex. User name, password, PIN number, security question
2. Something you have: This method involves the use of
something that only valid users should have, like a lock and key.
Only those individuals with the correct key are able to open the
lock.
3. Something about you: This method involves
something that is unique about you, like a fingerprint, DNA, face or
iris.

b) Write a short note on intruders and insiders.

(Intruder 2M, intruder classes 2M, insiders 2M)

Intruder

The act of accessing a computer system or network without
authorization is known as intrusion.

Intruders can also be authorized users who attempt to gain
access to a file or to obtain a permission which is not granted to
them.

Unauthorized intrusion into a computer system or network
is one of the most serious threats to computer security.

Intruders are extremely patient, since the process of gaining
access to a system takes persistence and dogged determination.

Three classes of intruders:

Masquerader:
An individual who is not authorized to use the computer
and who penetrates a system's access controls to exploit a
legitimate user's account.

Misfeasor:
A legitimate user who accesses data, programs, or
resources for which such access is not authorized, or who is
authorized for such access but misuses his or her privileges.

Clandestine user:
An individual who seizes supervisory control of the
system and uses this control to evade auditing and access
controls or to suppress audit collection.

Insiders

· More dangerous than outside intruders

· Most difficult to detect and prevent

· Have access and knowledge to cause immediate
damage to an organization.

· Have knowledge of the security systems in place and
will be better able to avoid detection

Q5. Attempt any TWO 16 Marks


a) What is access control? List and explain all access
control.
(Access Control 2M, DAC 2M, MAC 2M, RBAC 2M)
Access is the ability of a subject to interact with an
object. Authentication deals with verifying the identity of a
subject.
Access control is the ability to specify, control and limit access to the
host system or application, which prevents unauthorized use
to access or modify data or resources.
Access control is the ability to permit or deny the use of
a particular resource by a particular entity.
Access control mechanisms can be used in managing
physical resources, logical resources, or digital resources.
It can be represented using an Access Control Matrix or an
Access Control List.

Discretionary Access Control
• DAC is an access policy determined by the owner of an
object.
• The owner decides who is allowed to access the object and
what privileges they have.
• DAC provides flexibility in allowing access to a database.
• DAC protects unstructured work in progress.
• DAC also includes privileges associated with email.
• Access decisions in DAC do not take into account the
user's role or the program's functionality.
• Linux has benefited from DAC.
Two important concepts
• File and data ownership:
– Every object in the system has an owner.
– In DAC systems, each object's initial owner is the
subject that caused it to be created.
– The access policy for an object is determined by its
owner.
• Access rights and permissions:
– These are the controls that an owner can assign to
other subjects for specific resources.
Mandatory Access Control
• MAC is an access policy determined by the system, not by
owner.
• MAC used in multilevel systems that process highly
sensitive data, (govt. military)
• A multilevel system is a single computer system that
handles multiple classification levels between subject and
object.
• Why MAC is needed?
– Enhances security of database
– Gives consistent view of operations
• Sensitivity Labels:
– All subjects and objects must have labels assigned to
them.
– A subject's sensitivity label specifies its level of trust.
– An object's sensitivity label specifies the level of
trust required for access.
– In order to access a given object, the subject must
have a sensitivity level equal to or higher than that of the
requested object.
• Data import and export:
– Controlling the import of information from other
systems and export to other systems is critical
function of MAC based systems
Role-based Access Control
• RBAC is an access policy determined by the system, not
the owner.
• It is used in commercial applications and also in military
system, where multi level security requirement also exist.
• RBAC differs from DAC in that DAC allows users to
control access to their resources, while in RBAC access is
controlled at the system level, outside of the user's control.
• RBAC is non-discretionary.
• MAC controls read and write permissions based on a user's
clearance level and additional labels.
• RBAC controls collections of permissions that may include
complex operations such as an e-commerce transaction.
• A role in RBAC is viewed as a set of permissions.
Three primary rules are defined for RBAC
1. Role assignment:
• A subject can execute a transaction only if the
subject has selected or been assigned a role.
2. Role authorization:
• A subject's active role must be authorized for the subject.
• With rule 1 above, this rule ensures that users can
take on only roles for which they are authorized.
3. Transaction authorization:
• A subject can execute a transaction only if the
transaction is authorized for the subject's active role.
• This rule ensures that users can execute only
transactions for which they are authorized.
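The three policies described above, each reduced to its core decision, as an added example that is not part of the model answer: DAC as an owner-held access control matrix, MAC as a label comparison (the subject's level must be equal to or higher than the object's), and RBAC enforcing the three rules of role assignment, role authorization and transaction authorization. The subjects, objects, labels and roles are constructed for the demonstration.

```python
# Added example (not from the original model answer): the three policies
# described above, each reduced to its core decision. DAC: an owner-held
# access control matrix. MAC: sensitivity labels, where a subject needs a
# level equal to or higher than the object's to read it. RBAC: the three
# rules of role assignment, role authorization and transaction
# authorization. Subjects, objects and roles are constructed for the demo.


class DAC:
    """Discretionary: whoever creates an object owns it and decides who else
    may access it. Decisions ignore the user's role or the program's function."""

    def __init__(self):
        self.owner = {}          # object -> owning subject
        self.matrix = {}         # (subject, object) -> set of rights

    def create(self, subject, obj):
        self.owner[obj] = subject
        self.matrix[(subject, obj)] = {"read", "write", "own"}

    def grant(self, granter, subject, obj, right) -> bool:
        if self.owner.get(obj) != granter:
            return False         # only the owner may hand out rights
        self.matrix.setdefault((subject, obj), set()).add(right)
        return True

    def check(self, subject, obj, right) -> bool:
        return right in self.matrix.get((subject, obj), set())


# Mandatory: labels are assigned by the system, not chosen by owners.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(subject_label: str, object_label: str) -> bool:
    """The subject's clearance must be equal to or higher than the object's label."""
    return LEVELS[subject_label] >= LEVELS[object_label]


class RBAC:
    """Role-based: permissions attach to roles; users act through an active role."""

    def __init__(self):
        self.user_roles = {}     # user -> set of roles assigned by the administrator
        self.role_perms = {}     # role -> set of permitted transactions
        self.active = {}         # user -> currently active role

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def permit(self, role, transaction):
        self.role_perms.setdefault(role, set()).add(transaction)

    def activate(self, user, role) -> bool:
        # Rule 2 (role authorization): the active role must be one the user holds.
        if role not in self.user_roles.get(user, set()):
            return False
        self.active[user] = role
        return True

    def can_execute(self, user, transaction) -> bool:
        # Rule 1 (role assignment): no active role, no transactions at all.
        role = self.active.get(user)
        if role is None:
            return False
        # Rule 3 (transaction authorization): the transaction must be allowed for that role.
        return transaction in self.role_perms.get(role, set())


if __name__ == "__main__":
    dac = DAC()
    dac.create("alice", "report.txt")
    dac.grant("alice", "bob", "report.txt", "read")
    print("bob reads:", dac.check("bob", "report.txt", "read"),
          "bob writes:", dac.check("bob", "report.txt", "write"))
    print("secret subject reads confidential object:", mac_can_read("secret", "confidential"))
    rbac = RBAC()
    rbac.assign_role("carol", "clerk")
    rbac.permit("clerk", "submit_order")
    rbac.activate("carol", "clerk")
    print("carol submits order:", rbac.can_execute("carol", "submit_order"))
```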

b) What is IP security? Explain tunnel mode and
transport mode of IPSec.
(IPSec 2M, diagram 2M, Tunnel Mode 2M,
transport mode 2M)
IPSec is a set of protocols developed by the IETF.
It was developed for the exchange of packets at the network layer.
The overall idea of IPSec is to encrypt and seal the transport
and application layer data during transmission.
This protocol only works in combination with IP.
Once an IPSec connection is established it is possible to
tunnel across other networks.

   Original Message               Original Message
   +-------------+                +-------------+
   | Application |                | Application |
   | Transport   |                | Transport   |
   | IPSec       |                | IPSec       |
   | Internet    |                | Internet    |
   | Physical    |                | Physical    |
   +------+------+                +------+------+
          |      Transmission Media      |
          +------------------------------+

Transport Mode
• Encrypts only the data portion of the packet,
• thus enabling outsiders to see the source and destination IP addresses.
• This protects the data being transmitted, but allows knowledge
of the transmission.
• IPSec takes the transport layer payload, adds the IPSec header and
then adds the IP header.
• Thus the IP header is not encrypted.
• Protection of the data portion of the packet is referred to as content
protection.

                    +-------------------------+
                    | Transport Layer Payload |
          +---------+-------------------------+---------+
          | IPSec H |      IPSec Payload      | IPSec T |
   +------+---------+-------------------------+---------+
   | IP H |                 IP Payload                  |
   +------+---------------------------------------------+
Tunnel Mode
• Provides encryption of the source and destination IP addresses, as well as of the data itself.
• It can only be done between IPSec servers, because the final destination needs to be known for delivery.
• Protection of the header information is known as context protection.
• It takes the IP datagram, including the IP header.
• It adds the IPSec header and trailer and encrypts the whole thing.
• It then adds a new IP header to this encrypted datagram.
• It is possible to use both methods at the same time,
• such as using transport mode within one's own network to reach an IPSec server,
• which then uses transport mode again from the target network's IPSec server to the target host.
• This gives three connections: host to server, server to server and host to host.
   Transport payload

   IP H     | IP payload

   IPSec H  | IPSec payload | IPSec T

   New IP H | New IP payload
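The two packet layouts above can be made concrete by building them as byte strings and asking what a passive observer on the wire can read from each. The Python below is an added example, not part of the model answer. It uses a simplified 9-byte IP header (source, destination, protocol) and a SHA-256 keystream XOR as a stand-in for the ESP encryption step so that it runs offline; the `ESPH`/`ESPT` markers, the key and all addresses are constructed placeholders, and nothing here is real ESP. What it shows is the point the text makes: transport mode leaves the original endpoints visible (content protection only), while tunnel mode exposes only the two gateways (context protection as well).

```python
import hashlib
import ipaddress
import struct

# Simplified IP header: src, dst, protocol number (only the fields the comparison needs).
HDR = struct.Struct("!4s4sB")
PROTO_TCP, PROTO_ESP = 6, 50
DEMO_KEY = b"constructed-demo-key"   # placeholder, not a real security-association key


def _toy_seal(data: bytes) -> bytes:
    """Stand-in for the ESP encryption step: XOR with a SHA-256-derived keystream.
    Present only so the example runs without a crypto library; NOT real ESP."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(DEMO_KEY + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def ip_header(src: str, dst: str, proto: int) -> bytes:
    return HDR.pack(ipaddress.IPv4Address(src).packed,
                    ipaddress.IPv4Address(dst).packed, proto)


def ipsec_wrap(inner: bytes) -> bytes:
    # IPSec header + sealed contents + IPSec trailer (marker strings are placeholders)
    return b"ESPH" + _toy_seal(inner) + b"ESPT"


def ipsec_unwrap(blob: bytes) -> bytes:
    if not (blob.startswith(b"ESPH") and blob.endswith(b"ESPT")):
        raise ValueError("not an IPSec-wrapped blob")
    return _toy_seal(blob[4:-4])      # the XOR keystream is its own inverse


def transport_mode(src: str, dst: str, payload: bytes) -> bytes:
    """Transport mode: seal only the transport payload; keep the ORIGINAL IP header in clear."""
    return ip_header(src, dst, PROTO_ESP) + ipsec_wrap(payload)


def tunnel_mode(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: seal the whole inner datagram (its IP header included), add a NEW outer IP header."""
    return ip_header(gw_src, gw_dst, PROTO_ESP) + ipsec_wrap(inner_packet)


def observer_view(packet: bytes):
    """What a passive observer learns: only the outer, unencrypted IP header."""
    src, dst, proto = HDR.unpack(packet[:HDR.size])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto


def receiver_unwrap(packet: bytes) -> bytes:
    """The receiving IPSec endpoint strips the outer header and unseals the contents."""
    return ipsec_unwrap(packet[HDR.size:])


# Constructed scenario: host A talks to host B through the IPSec gateways GW_A and GW_B
# (all addresses from documentation ranges).
HOST_A, HOST_B = "10.0.0.5", "10.0.1.7"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
PAYLOAD = b"constructed transport-layer payload"


def demo():
    t_pkt = transport_mode(HOST_A, HOST_B, PAYLOAD)
    inner = ip_header(HOST_A, HOST_B, PROTO_TCP) + PAYLOAD
    u_pkt = tunnel_mode(inner, GW_A, GW_B)
    return {
        "transport_observer": observer_view(t_pkt),     # real endpoints visible, payload hidden
        "tunnel_observer": observer_view(u_pkt),        # only the gateways visible
        "transport_payload_in_clear": PAYLOAD in t_pkt,
        "tunnel_inner_header_in_clear": ipaddress.IPv4Address(HOST_A).packed in u_pkt[HDR.size:],
        "tunnel_roundtrip_ok": receiver_unwrap(u_pkt) == inner,
        "transport_roundtrip_ok": receiver_unwrap(t_pkt) == PAYLOAD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `observer_view` function is the useful check: run it on a capture of each mode and the transport-mode packet still tells you which two hosts are communicating, which is exactly the traffic-analysis exposure that tunnel mode between gateways removes.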


c) Explain Application Level gateway and circuit level gateway with neat diagram.
(Application Level Gateway diagram 1M, Description 3M; Circuit Level Gateway diagram 1M, Description 3M)
Application Level Gateway
An application level gateway is also known as a proxy server.
It acts like a proxy and decides about the flow of application level traffic.
The user contacts the application level gateway using a TCP/IP application, such as FTP or HTTP.
The application level gateway asks the user about the remote host with which the user wants to set up a connection for communication.
When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host.
If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall.
The gateway can also be configured to support only specific features of an application.
Application level gateways tend to be more secure than packet filtering.
Application level gateways have an application-specific gateway / proxy:
• It has full access to the protocol.
• The user requests a service from the proxy.
• The proxy validates the request as legal.
• It then performs the request and returns the result to the user.
• It can log / audit traffic at the application level.
• A separate proxy is needed for each service.
Advantages
• Higher security than packet filtering.
• Only need to scrutinize a few allowable applications.
• Easy to log and audit all incoming traffic.
Disadvantage
• Additional overhead on each connection.
Circuit Level Gateway
Circuit-level gateway is a stand-alone system or it can be a
specialized function performed by an application-level gateway
for certain applications.
A circuit-level gateway relays two TCP connections, one
between itself and an inside TCP user, and the other between
itself and a TCP user on an outside host.
Once the two connections are established, it relays TCP
data from one connection to the other without examining its
contents.
The security function consists of determining which
connections will be allowed.
It is typically used when internal users are trusted to
decide what external services to access.
One of the most common circuit-level gateways is
SOCKS, defined in RFC 1928.
It consists of a SOCKS server on the firewall, and a
SOCKS library & SOCKS-aware applications on internal
clients.
When a TCP-based client wishes to establish a connection
to an object that is reachable only via a firewall (such
determination is left up to the implementation), it must open a
TCP connection to the appropriate SOCKS port on the SOCKS
server system.
If the connection request succeeds, the client enters a
negotiation for the authentication method to be used,
authenticates with the chosen method, and then sends a relay
request.
The SOCKS server evaluates the request and either
establishes the appropriate connection or denies it. UDP
exchanges are handled in a similar fashion.
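The difference between the two gateway types is in what each one looks at before deciding. The Python below is an added example, not part of the model answer or of any SOCKS implementation, and it illustrates both passages above: the application-level proxy parses the HTTP request itself (method, Host header, path), so it can apply policy to protocol details but only for protocols it implements; the circuit-level gateway speaks SOCKS5 as defined in RFC 1928 (version byte, method negotiation, CONNECT request, reply) and decides purely on the destination tuple, after which it would relay bytes without examining them. The allowed hosts and ports are a constructed policy; the reply uses 0.0.0.0:0 as the bound address, which is a simplification.

```python
import ipaddress
import struct

# ---- Application-level gateway: inspects the application protocol (HTTP here) ----
ALLOWED_HOSTS = {"intranet.example", "docs.example"}   # constructed policy
ALLOWED_METHODS = {"GET", "HEAD"}


def app_gateway_decision(request: bytes):
    """Parse an HTTP request and return (allowed, reason). Anything that is not HTTP is refused,
    which is the 'need a separate proxy for each service' property."""
    try:
        head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII request head"
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"
    method, target, _ = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0]
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not permitted"
    if ".." in target:
        return False, "path traversal pattern in target"
    return True, "ok"


# ---- Circuit-level gateway: SOCKS5 (RFC 1928) CONNECT handling; payload is never inspected ----
SOCKS_VER, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x05, 0x01, 0x01, 0x03
REP_OK, REP_NOT_ALLOWED, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07
ALLOWED_PORTS = {80, 443}   # constructed policy: only web destinations may be relayed


def client_greeting(methods=(0x00,)) -> bytes:
    """VER, NMETHODS, METHODS (0x00 = no authentication)."""
    return bytes([SOCKS_VER, len(methods), *methods])


def connect_request(host: str, port: int) -> bytes:
    """VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ValueError:
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(msg: bytes):
    ver, cmd, rsv, atyp = msg[0], msg[1], msg[2], msg[3]
    if ver != SOCKS_VER or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(msg[4:8])), msg[8:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    else:
        raise ValueError("unsupported ATYP")
    (port,) = struct.unpack("!H", rest[:2])
    return cmd, host, port


def circuit_gateway_reply(msg: bytes) -> bytes:
    """Decide on the connection tuple only and return the RFC 1928 reply
    (VER, REP, RSV, ATYP, BND.ADDR, BND.PORT)."""
    cmd, host, port = parse_request(msg)
    if cmd != CMD_CONNECT:
        rep = REP_CMD_UNSUPPORTED
    elif port not in ALLOWED_PORTS:
        rep = REP_NOT_ALLOWED
    else:
        rep = REP_OK
    return bytes([SOCKS_VER, rep, 0x00, ATYP_IPV4]) + bytes(4) + struct.pack("!H", 0)


if __name__ == "__main__":
    print(app_gateway_decision(b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    print(circuit_gateway_reply(connect_request("intranet.example", 443)).hex())
```

Feed the same SOCKS5 bytes to `app_gateway_decision` and they are refused as a malformed request: the HTTP proxy has no code for that protocol. Conversely `circuit_gateway_reply` never looks past the destination, which is why the text calls it appropriate only where internal users are trusted to choose what they access.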

Q6. Attempt any FOUR (16 Marks)
a) Explain handprint, fingerprint mechanism for authentication of user.
Handprint
Handprint recognition is usually most appropriate for fixed physical locations requiring very high assurance of identity, since it combines the hand biometric with essentially five different fingerprint biometrics.
Fingerprint
Fingerprint recognition uses a finger-sized identification sensor with a very low cost biometric chip.
This is the best option for most uses of biometric verification, and it is especially suited to being attached to specific computer and network assets.
• It refers to an automated method of verifying a match between two human fingerprints.
• It is used to identify an individual and verify their identity.
• Analysis of fingerprints for matching purposes requires comparison of several features of the print pattern.
• These patterns are the aggregate characteristics of ridges, and minutia points, which are unique features found within the patterns.
b) How does simple columnar transposition technique work? Write the algorithm and encrypt the plaintext "Attack is postponed till noon" with key 2,4,6,3,1,5.
In columnar transposition, the message is written out in rows of a fixed length and then read out column by column, with the columns taken in some scrambled order.
Both the length of the rows and the permutation of the columns are usually defined by a keyword.
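The model answer gives the description only; the following added Python (not part of the model answer) writes the algorithm out and carries out the requested encryption. It assumes the usual textbook convention that the key lists the column numbers in the order they are read out (column 2 first, then 4, 6, 3, 1, 5), that spaces are removed before filling the grid, and that no padding is added, so the last row may be short. The decryption routine shows the receiver's side of that last assumption: it must first work out how many letters each column holds.

```python
def _check_key(key):
    """The key must be a permutation of 1..n, i.e. every column read out exactly once."""
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError("key must be a permutation of 1..%d" % len(key))


def columnar_encrypt(plaintext: str, key) -> str:
    """Write the text in rows of len(key) letters, then read the columns in key order."""
    _check_key(key)
    text = "".join(plaintext.split())            # drop whitespace, keep case
    cols = len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    out = []
    for k in key:                                 # k is a 1-based column number
        j = k - 1
        out.append("".join(row[j] for row in rows if j < len(row)))
    return "".join(out)


def columnar_decrypt(ciphertext: str, key) -> str:
    """Rebuild the columns (the first n % cols columns hold one extra letter), then read rows."""
    _check_key(key)
    cols = len(key)
    full, extra = divmod(len(ciphertext), cols)
    length = [full + (1 if j < extra else 0) for j in range(cols)]
    columns = [""] * cols
    pos = 0
    for k in key:                                 # slice the ciphertext in read-out order
        j = k - 1
        columns[j] = ciphertext[pos:pos + length[j]]
        pos += length[j]
    out = []
    for r in range(full + 1):
        for j in range(cols):
            if r < len(columns[j]):
                out.append(columns[j][r])
    return "".join(out)


KEY = [2, 4, 6, 3, 1, 5]
MESSAGE = "Attack is postponed till noon"

if __name__ == "__main__":
    c = columnar_encrypt(MESSAGE, KEY)
    print(c)                                      # -> tsolaoenkttotpnlAipincsdo
    print(columnar_decrypt(c, KEY))               # -> Attackispostponedtillnoon
```

With 25 letters and 6 columns the grid has four full rows and a fifth row holding only the letter in column 1, so column 1 is one letter longer than the others; `columnar_decrypt` recovers exactly that from the ciphertext length, which is why no padding marker is needed.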

c) Explain the working of network based intrusion detection system.
(Diagram 1M, Description and advantages/disadvantages 3M)

                     +--------------------+
                     | Signature Database |
                     +--------------------+
                               |
 Network    +-----------+      v      +-----------------+     +----------------+
 Traffic -->| Traffic   |------------>| Analysis Engine |---->| User Interface |
            | Collector |             +-----------------+     +----------------+
            +-----------+                      |
                                               v
                                   +---------------+   +---------+
                                   | Alarm Storage |   | Reports |
                                   +---------------+   +---------+
NIDS performs packet sniffing and analyzes network traffic to identify possible threats in the network traffic.
Sometimes they are deployed in-line, sometimes out of path in the network.
Switch port traffic is mirrored to the IDS.
Each packet coming into and going out of the network is scanned against defined rules and signatures.
Alerts are configured to notify the security team whenever it detects any anomaly.
A network based IDS focuses on the network traffic: the bits and bytes traveling along the cables.
A NIDS has the capability to analyze traffic according to protocol, source, destination, content, and traffic already seen.
The IDS must be able to handle traffic at any speed the network operates.
A network based IDS looks for certain activities:
• Denial of service attacks
• Port scans
• Malicious content in the data payload of a packet
• Vulnerability scanning
• Trojan horses, viruses and worms
• Tunneling
• Brute force attacks
Advantages
• Examines the content of packets
• Lower cost of deployment, maintenance and upgrade
• Examines all network traffic and can correlate attacks
Disadvantages
• Ineffective when traffic is encrypted
• Doesn't know the activity on the hosts
• Can't check traffic which does not pass through it
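The analysis engine in the diagram is the part that turns "rules and signatures" into alerts. The Python below is an added example (not from the model answer) of that engine run over a constructed packet list: a content signature matched against each payload, and a port-scan heuristic that keeps the "traffic already seen" per source inside a sliding window. The sample packets, the signatures, the window and the threshold are all constructed. The TLS-looking packet on port 443 is there to show the first disadvantage listed: an opaque encrypted payload matches no content signature.

```python
import re
from collections import defaultdict

# Constructed sample traffic, one tuple per packet: (time_s, src, dst, dst_port, payload).
# Nothing here is a real capture; addresses come from documentation ranges.
SAMPLE_TRAFFIC = [
    (0.0, "192.0.2.10", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    (0.5, "192.0.2.10", "10.0.0.5", 80, b"GET /images/logo.png HTTP/1.1\r\n\r\n"),
    (0.7, "192.0.2.10", "10.0.0.5", 443, b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86"),  # TLS: opaque
    (1.0, "198.51.100.7", "10.0.0.5", 21, b""),
    (1.1, "198.51.100.7", "10.0.0.5", 22, b""),
    (1.2, "198.51.100.7", "10.0.0.5", 23, b""),
    (1.3, "198.51.100.7", "10.0.0.5", 25, b""),
    (1.4, "198.51.100.7", "10.0.0.5", 80, b""),
    (1.5, "198.51.100.7", "10.0.0.5", 110, b""),
    (1.6, "198.51.100.7", "10.0.0.5", 143, b""),
    (1.7, "198.51.100.7", "10.0.0.5", 443, b""),
    (5.0, "192.0.2.44", "10.0.0.5", 80, b"GET /static/../../private/config HTTP/1.1\r\n\r\n"),
]

# Signature database: (alert name, pattern applied to the data payload). Constructed.
CONTENT_SIGNATURES = [
    ("http-path-traversal", re.compile(rb"\.\./")),
    ("http-null-byte", re.compile(rb"%00")),
]

PORT_SCAN_WINDOW_S = 5.0   # sliding window for the port-scan heuristic
PORT_SCAN_THRESHOLD = 6    # distinct destination ports from one source inside the window


def analyze(packets):
    """Analysis engine: returns alerts as (name, src, dst, dst_port) in detection order."""
    alerts = []
    recent_ports = defaultdict(list)   # src -> [(time, dst_port)] still inside the window
    scan_reported = set()              # report each scanning source once, not per packet
    for t, src, dst, port, payload in sorted(packets, key=lambda p: p[0]):
        # 1. Signature matching against the packet payload
        for name, pattern in CONTENT_SIGNATURES:
            if pattern.search(payload):
                alerts.append((name, src, dst, port))
        # 2. Port-scan heuristic over traffic already seen from the same source
        window = [(ts, p) for ts, p in recent_ports[src] if t - ts <= PORT_SCAN_WINDOW_S]
        window.append((t, port))
        recent_ports[src] = window
        if len({p for _, p in window}) >= PORT_SCAN_THRESHOLD and src not in scan_reported:
            scan_reported.add(src)
            alerts.append(("port-scan", src, dst, None))
    return alerts


def alert_names(packets):
    return [a[0] for a in analyze(packets)]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRAFFIC):
        print(alert)
```

The port-scan rule fires at the sixth distinct port (t=1.5) and then stays quiet for that source, which is the de-duplication a real engine needs so that one scan does not flood the alarm storage; the ordinary client hitting ports 80 and 443 stays well under the threshold.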

d) List steps for investigating cyber crime.
(4M for listing correct steps)
• To determine the nature of the crime and collect evidence.
• Used to stop a crime in progress or to report a past crime.
• Training in IT is necessary for the investigation.
• The first job of the investigation team is to secure the computers, networks and components that are connected with the incident.
• Investigators may clone the system to explore it.
• They can take a detailed audit of a computer.
• Interviews
  • Investigators arrange interviews with victims and witnesses.
• Surveillance
  • Investigators check the digital activities and monitor all elements of the suspect.
• Forensics
  • Mining a computer for all related information to detect potential evidence.
• Undercover
  • Steps taken undercover to trap criminals using fake online identities.
• Obtain a search warrant and seize the victim's equipment.
• Interview the victim.
• Prepare bit-stream copies.
• Identify the victim's configuration.
• Acquire the evidence.
• Examine and analyze the evidence.
• Generate a report.

e) List and explain SET participants.
(Any four participants 1 Mark each)
SET Participants:
Cardholder: A cardholder is an authorized holder of a payment card that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods and services to sell to the cardholder.
Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card.
Acquirer: A financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
Certification Authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
