Computer Security System Notes

Uploaded by

Harsh Mittal

Computer System Security

UNIT – 5
Internet Infrastructure
One of the greatest things about the Internet is that nobody really owns it. It is a
global collection of networks, both big and small. These networks connect
together in many different ways to form the single entity that we know as
the Internet. In fact, the name comes from this idea of interconnected networks.

Since its beginning in 1969, the Internet has grown from four host computer
systems to tens of millions. However, just because nobody owns the Internet, it
doesn't mean it is not monitored and maintained in different ways. The Internet
Society, a non-profit group established in 1992, oversees the formation of the
policies and protocols that define how we use and interact with the Internet.

The Internet: Computer Network Hierarchy

When you connect to the Internet, your computer becomes part of a network.
Every computer that is connected to the Internet is part of a network, even the
one in your home. For example, you may use a modem and dial a local number to
connect to an Internet Service Provider (ISP). At work, you may be part of a local
area network (LAN), but you most likely still connect to the Internet using an ISP
that your company has contracted with. When you connect to your ISP, you
become part of their network. The ISP may then connect to a larger network and
become part of their network. The Internet is simply a network of networks.

Most large communications companies have their own dedicated backbones
connecting various regions. In each region, the company has a Point of
Presence (POP). The POP is a place for local users to access the company's
network, often through a local phone number or dedicated line. The amazing
thing here is that there is no overall controlling network. Instead, there are
several high-level networks connecting to each other through Network Access
Points or NAPs.

Basic Security Problems

Problem 1: Unknown Assets on the Network

There are many businesses that don’t have a complete inventory of all of
the IT assets that they have tied into their network. This is
a massive problem. If you don’t know what all of the assets are on your
network, how can you be sure your network is secure?

The easiest fix for this is to conduct a review of all the devices on your
network and identify all of the various platforms they run. By doing this, you
can know what all of the different access points are on your network and
which ones are most in need of security updates.

Problem 2: Abuse of User Account Privileges

According to data cited by the Harvard Business Review, for 2016, “60% of all
attacks were carried out by insiders.” Whether it’s because of honest mistakes
(accidentally sending information to the wrong email address or losing a work
device), intentional leaks and misuse of account privileges, or identity theft arising
from a phishing campaign or other social engineering attack that compromises
their user account data, the people inside your business represent one of the
biggest security problems you’ll ever face.

Because these threats come from trusted users and systems, they’re also among
the hardest to identify and stop.

However, there are ways to minimize your risk in case of an insider attack.

Problem 3: Unpatched Security Vulnerabilities


Many businesses are concerned with “zero day” exploits. These exploits target
security issues in programs and systems that are not yet publicly known and have
yet to be used against anyone. However, zero day vulnerabilities aren’t the real
problem—unpatched known vulnerabilities are the problem.

This is because once a “zero day” exploit is used it can be discovered, becoming
a known issue that the software vendor can begin working on. The more often the
exploit is used, the more likely it is to get discovered and patched. Also, it takes a
lot of effort to independently discover a completely unknown vulnerability in a
system.

Problem 4: A Lack of Defense in Depth

Eventually, despite all of your best efforts, there will be a day where an attacker
succeeds in breaching your network security. However, just how much damage
this attacker will be capable of depends on how the network is structured.

The problem is that some businesses have an open network structure where once
an attacker is in a trusted system, they have unfettered access to all systems on
the network.

If the network is structured with strong segmentation to keep all of its discrete
parts separate, then it’s possible to slow down the attacker enough to keep them
out of vital systems while your security team works to identify, contain, and
eliminate the breach.

Problem 5: Not Enough IT Security Management


Another common issue for many companies is that even when they have all of the
best cyber security solutions in place, they might not have enough people in place
to properly manage those solutions.

When this happens, critical cyber security alerts may get missed, and successful
attacks may not be eliminated in time to minimize damage.

Routing Security
1. Bad guys play games with routing protocols.

2. Traffic is diverted.
– Enemy can see the traffic.
– Enemy can easily modify the traffic.
– Enemy can drop the traffic.

3. Cryptography can mitigate the effects, but not stop them.

Why So Little Work?


• It’s a really hard problem.
• Actually, getting routing to work well is hard enough.
• It’s outside the scope of traditional communications security.

Routing Protocols

• Routers speak to each other.
• They exchange topology information and cost information.
• Each router calculates the shortest path to each destination.
• Routers forward packets along the locally shortest path.
• An attacker can lie to other routers.
• X has no knowledge of Z’s real connectivity.
• Even Y has no such knowledge.
• The problem isn’t the link from X to Z; the problem is the information being
sent. (Note that Z might itself be deceived by some other neighbor Q.)
Types of DNS Attacks and Tactics for Security
The Domain Name System (DNS) is a prominent building block of the Internet. It
was developed as a system to convert alphabetical names into IP addresses,
allowing users to access websites and exchange e-mails. DNS is organized into a
tree-like infrastructure where the first level contains the top-level domains, such
as .com and .org. The second-level nodes contain general, traditional domain
names. The ‘leaf’ nodes on this tree are known as hosts.

DNS works like a database that is accessed by millions of computer systems
trying to identify which address is most likely to resolve a user’s query.
In DNS attacks, hackers will sometimes target the servers which contain the
domain names. In other cases, these attackers will try to find vulnerabilities
within the system itself and exploit them for their own gain.

Types of Attacks:
1. Denial of service (DoS) – An attack where the attacker renders a computer
useless (inaccessible) to the user by making a resource unavailable or by
flooding the system with traffic.

2. Distributed denial of service (DDoS) – The attacker controls an
overwhelming number of computers (hundreds or thousands) in order to
spread malware and flood the victim’s computer with unnecessary,
overloading traffic. Eventually, unable to muster the power necessary to
handle the intensive processing, the systems overload and crash.

3. DNS spoofing (also known as DNS cache poisoning) – The attacker drives
traffic away from the real DNS servers and redirects it to a “pirate” server,
unbeknownst to the users. This may result in the corruption or theft of a user’s
personal data.

4. Fast flux – An attacker will typically spoof his IP address while performing an
attack. Fast flux is a technique of constantly changing location-based data in
order to hide where exactly the attack is coming from. This masks the
attacker’s real location, giving him the time needed to carry out the attack.
Flux can be single, double or of another variant. Single flux changes the
address of the web server, while double flux changes both the address of the
web server and the names of the DNS servers.

5. Reflected attacks – Attackers send thousands of queries while spoofing
their own IP address, using the victim’s address as the source. When these
queries are answered, the replies are all directed at the victim.

6. Reflective amplification DoS – When the size of the answer is considerably
larger than the query itself, the reflected traffic is multiplied, causing an
amplification effect. This generally uses the same method as a reflected attack,
but overwhelms the victim’s infrastructure further.

Measures against DNS attacks:

1. Use digital signatures and certificates to authenticate sessions in order to
protect private data.
2. Update regularly and use the latest software versions, such as BIND. BIND is
open-source software that resolves DNS queries for users. It is used by a
good majority of the DNS servers on the Internet.
3. Install appropriate patches and fix faulty bugs regularly.
4. Replicate data on a few other servers, so that if data is corrupted or lost on one
server, it can be recovered from the others. This also prevents a single
point of failure.
5. Block redundant queries in order to prevent spoofing.
6. Limit the number of possible queries.
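Measures 5 and 6 above are usually implemented as response rate limiting on the server. The following is an added example for these notes, not code from the notes or from any DNS server: it walks a constructed stream of query records and decides per source address whether to answer, truncate (so a genuine client retries over TCP) or drop; the thresholds and all addresses are assumptions.

```python
"""Response rate limiting (RRL) sketch against reflected and amplification DoS.
Added example, not from the notes; thresholds and addresses are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

WINDOW_SECONDS = 1.0
MAX_RESPONSES_PER_WINDOW = 5      # assumed per-source budget
AMPLIFYING_ANSWER_BYTES = 512     # answers larger than this are attractive to reflectors


@dataclass(frozen=True)
class Query:
    t: float            # arrival time in seconds
    src_ip: str         # claimed source; in a reflected attack this is the victim
    qname: str
    qtype: str
    answer_bytes: int   # size of the response we would send


class RateLimiter:
    def __init__(self) -> None:
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, q: Query) -> str:
        """Return 'respond', 'truncate' or 'drop' for one query."""
        window = self._hits[q.src_ip]
        # Slide the window: forget responses older than WINDOW_SECONDS.
        while window and q.t - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) < MAX_RESPONSES_PER_WINDOW:
            window.append(q.t)
            return "respond"
        # Over budget. A large answer to an unverified UDP source is exactly the
        # reflected-amplification case, so it is dropped outright; a small answer
        # gets a truncated reply, which costs little and lets a real client retry
        # over TCP, where the source address cannot be spoofed.
        return "drop" if q.answer_bytes > AMPLIFYING_ANSWER_BYTES else "truncate"


def run(queries: List[Query]) -> Dict[str, int]:
    """Tally decisions for a stream of queries given in arrival order."""
    rl = RateLimiter()
    tally: Dict[str, int] = defaultdict(int)
    for q in queries:
        tally[rl.decide(q)] += 1
    return dict(tally)


# Constructed traffic: one ordinary client plus a burst of large-answer queries
# whose source is spoofed to a single victim address (203.0.113.9).
SAMPLE = [Query(0.1, "198.51.100.20", "www.example.com", "A", 60),
          Query(0.4, "198.51.100.20", "mail.example.com", "MX", 90)] + [
    Query(0.2 + i * 0.02, "203.0.113.9", "example.com", "ANY", 3000) for i in range(20)]
SAMPLE.sort(key=lambda q: q.t)

if __name__ == "__main__":
    for outcome, n in sorted(run(SAMPLE).items()):
        print(f"{outcome:8} {n}")
```

The victim address gets five answers and then fifteen drops, so at most five large replies reach it per second no matter how many spoofed queries arrive.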

Weaknesses of Internet Security

Internet users should identify the weaknesses of Internet security in their
information systems and outline the areas where they are most prone to being
hacked. Weaknesses of Internet security can be classified as internal factors that
affect the security of the Internet. Most weaknesses of Internet security originate
from violations of information system security by employees. For the past twenty
years, information system theft by employees has been evidenced in many
companies and institutions, and others have been able to transfer faulty
information protocols.
1. Using only single-level verification for access to sensitive data - Password
authentication is more easily cracked than cryptographic key-based
authentication. The purpose of a password is to make it easier to
remember the login credentials needed to access a secure resource;
however, biometric or key-based authentication is a stronger authentication
method which makes credentials more difficult to crack.

2. Having “public” workstations or access points connected to a secure
network - If a workstation that anyone can use or reboot is connected to a
secure resource, you can't guarantee it is secure. Key loggers, compromised
network encryption clients, and other tricks of the malicious security
cracker's trade can all allow someone unauthorized access to sensitive data
regardless of all the secured networks, encrypted communications, and
other networking protections you employ.

3. Weak passwords - No formal process is in place to ensure that strong
passwords are used.

4. Sharing login credentials - The more login credentials are shared, the more
likely they are commonly known by too many others, including people
who should not have access to the system. The more they are shared, the
more difficult it is to establish an audit trail to help track down the source
of a problem. The more they are shared, the greater the number of people
affected when logins need to be changed due to a security breach or
threat.

5. Static passwords - No formal process requires passwords to be changed over
time or after an employee leaves the enterprise or is terminated.

6. Data validation for forms is contained in client-side JavaScript - A malicious
security cracker can develop a form that accesses the resource at the other
end of the Web page's form action without any validation at all. In addition,
JavaScript form validation can be circumvented simply by deactivating
JavaScript in the browser or using a Web browser that does not support
JavaScript at all. Server-side validation does not fall prey to the shortcomings
of client-side validation, because a malicious security cracker must already
have gained access to the server to be able to compromise it.

7. Connecting to the network from an unsecured access point - When traveling,
avoid connecting from open Wi-Fi networks, networks with unknown or
uncertain security characteristics, or those with known poor security such as
wireless access points in coffee shops. This is especially important whenever
you must log in to the server or Web site for administrative purposes or
otherwise access secure resources. If you must access the Web site or Web
server when connected to an unsecured network, use a secure proxy so that
your connection to the secure resource comes from a proxy on a secured
network.

8. Corporate web site is encrypted but the login process is not - Encrypting a
session after login may be useful but failing to encrypt logins is a bit like
leaving the key in the lock when you are done locking the barn door. Even if
a login form POSTs to an encrypted resource, in many cases this can be
circumvented by a malicious security cracker who develops their own login
form to access the same resource and allow them access to sensitive data.

9. Using weak encryption for back-end management - Using Windows Remote
Desktop without an encrypted user ID and password in a non-VPN
environment opens your site to the world. Using proprietary platform-
specific technologies often leads to resistance to the use of secure encryption
for Web site access. Cross-platform-compatible strong encryption such as
SSH is usually preferable to platform-specific, weaker encryption tools such
as Windows Remote Desktop.

10. Using unencrypted or weak encryption for Web site or Web server
management - Using unencrypted connections (or even connections using
only weak encryption), such as unencrypted FTP or HTTP for Web site or
Web server management, opens you up to man-in-the-middle attacks and
login/password sniffing. Use encrypted protocols such as SSH to access
secure resources, using verifiably secure tools. Once someone has
intercepted your login and password information, that person can do
anything you could have done.
Link Layer Connectivity and TCP/IP Connectivity
The TCP/IP Protocol Suite is a group of different communication protocols
working through the Internet and other private communication networks, and it
carries most of the essential services running over the network. It provides end-
to-end connectivity by establishing, maintaining, and releasing connections
between the sender and receiver. It provides for flow control, error control, IP
addressing and the routing of network traffic and an interface between the node
and the physical network.

SECURITY PROBLEMS IN TCP/IP MODEL PROTOCOLS

1 Application Protocol - One of the main purposes of an application is the
encryption and decryption of data as a technique for securing it. The security
threat at this layer is at the application level. Applications need to secure sensitive
data that is sent to the network, hence applications need to be well formulated
to protect the data.

(A) Security Threats on HTTP –

HTTP is the default communication protocol used by all web browsers. The
transfer of files in the form of web pages is done in plain text and therefore is
prone to security attacks.

(B) Session hijacking –

Hijacking means stealing an HTTP session. A cyber-terrorist usually uses a packet
sniffer to capture the packets in order to steal the session; hijacking is possible if
strong authentication procedures are not used when the session is initialized,
opening the way for picking up the session ID or token ID. Session hijacking
provides access to the account as if by the authentic user and hence attacks the
integrity of the target user.

(C) Caching – Web browsers temporarily save web pages on a user’s machine as
he/she visits them to speed up and ease access in case the user wants to visit
those pages again. This is known as caching. A hacker who has gained access to
the user’s machine can view all of the user’s cached content, which may contain
user IDs, passwords and pictorial data, without any authentication.
(D) Cookie Poisoning –
Cookies are created by web servers when a user visits a website. Cookies are
used to save credentials and the user’s interaction information with the
website, which the web server can use later when processing the sessions of that
particular user. Cookie poisoning is the alteration or theft of a cookie on a user’s
machine by a hacker to retrieve personal information. If the hacker gets hold of
a cookie containing a password and username, he or she can use the cookie on his
or her machine and the web server will not demand any verification.
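The usual defence against the cookie poisoning and session hijacking passages above is to keep credentials out of the cookie altogether and make the cookie tamper-evident. The block below is an added example, not code from the notes: the cookie carries only an opaque session id and an expiry, signed with a server-side HMAC key, and the username is looked up server-side; the key, session store and timestamps are constructed.

```python
"""Tamper-evident session cookie: 'sid.expiry.signature', HMAC-SHA256 signed.
Added example, not from the notes; key and session store are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)          # constructed; never leaves the server
SESSIONS: Dict[str, str] = {}                 # session id -> username, server side


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def issue_cookie(username: str, ttl_seconds: int = 3600, *, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> str:
    """Create a session server-side and return the signed cookie value."""
    sid = secrets.token_urlsafe(24)           # unguessable and unrelated to credentials
    SESSIONS[sid] = username
    expiry = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{sid}.{expiry}"
    return f"{payload}.{_sign(payload, key)}"


def verify_cookie(cookie: str, *, now: Optional[float] = None,
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the username for a valid cookie, or None if it was altered,
    forged, expired or refers to a session that no longer exists."""
    try:
        sid, expiry_s, sig = cookie.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return None
    payload = f"{sid}.{expiry_s}"
    # Constant-time compare: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    if (time.time() if now is None else now) >= expiry:
        return None
    return SESSIONS.get(sid)     # server-side lookup, not data carried in the cookie


def revoke(cookie: str) -> None:
    """Logout or breach response: the signature stays valid but the session is gone."""
    SESSIONS.pop(cookie.split(".")[0], None)


if __name__ == "__main__":
    c = issue_cookie("alice", now=1_000_000)
    print("valid   ->", verify_cookie(c, now=1_000_100))
    # Poisoned copy: the expiry field is rewritten to a far-future value.
    sid, _, sig = c.split(".")
    print("altered ->", verify_cookie(f"{sid}.9999999999.{sig}", now=1_000_100))
```

Because the cookie holds no username or password, a stolen or altered copy yields nothing once the session is revoked or expires, and any edit to the payload fails the signature check.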

(E) Replay attack –

A replay attack is made possible by a man in the middle. By repeating data already
sent to the server, it poses a more serious threat than session hijacking. The resent
data can be altered, producing wrong or totally different results. More critically,
the attacker can take over the client’s IP address and thus redirect his/her machine.

(F) Cross-Site Scripting (XSS) –

This attack involves the hacker inserting malicious code into a web application or
browser, where it is executed on the client side. The essence of this attack is to
perform a session hijack by stealing the session tokens and cookies of a genuine
user’s session.

(G) Domain Name System –

The domain name system (DNS) is used to translate domain names to IP
addresses for the sake of user convenience, as users work with alphabetical names.
The security issue in DNS arises when a hacker changes a record to resolve to an
incorrect IP address; hackers can then direct all traffic for a site to the wrong server
or client computer.

(H) DNS cache poisoning –

Cache poisoning through DNS is a reliability attack that involves modifying the
information saved in the DNS cache. The fabricated information maps the
name to a wrong IP address and misleads the request to a false site. This attack
can lead to pharming or phishing. The most critical situation occurs if the user
does not notice anything and enters a user name and password. The hacker then
can take the user’s credentials for misuse.
(I) DNS spoofing -
A DNS spoofing attack uses a fake IP address of a computer to match the DNS
server’s IP address. The user request then will be directed to the hacker’s
machine. In this attack, the clients and other servers will consider the hacker’s
machine to be a genuine DNS server and send their requests and receive the reply
from the wrong server.

(J) DNS ID Hijacking –

The most common method of DNS ID hijacking is installing malware on a
user’s computer that changes the DNS settings. This malware changes the default
DNS service provider to one that the cybercriminals control. From there, they
control the user’s URL resolutions (DNS lookups), and then they keep on poisoning
the DNS cache.
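The DNS spoofing and cache poisoning passages (item 3 under Types of Attacks, and (H) and (I) here) all come down to a resolver accepting an answer it should have rejected. The block below is an added example, not code from the notes or from any resolver: it applies the checks a resolver makes before caching a reply (matching transaction ID and source port, expected server address, echoed question, and the "bailiwick" rule that discards records outside the zone the server was asked about). Messages are modelled as plain dicts rather than DNS wire format, and the pending-query table, names and addresses are constructed.

```python
"""Resolver-side acceptance checks against DNS cache poisoning.
Added example, not from the notes; messages are simplified dicts, data constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Outstanding:
    """What the resolver remembers about a query it has sent out."""
    txid: int
    src_port: int        # randomised source port the query left from
    server_ip: str       # the server the query was sent to
    qname: str
    qtype: str
    zone: str            # zone that server is authoritative for (its bailiwick)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies beneath it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def accept_response(resp: Dict,
                    pending: Dict[Tuple[int, int], Outstanding]) -> Tuple[bool, str, List[Dict]]:
    """Return (accepted, reason, records_safe_to_cache).

    A forged answer must guess the 16-bit txid AND the source port, arrive from the
    server we asked, and echo our question; records outside that server's zone are
    discarded even when everything else matches."""
    q = pending.get((resp["txid"], resp["dst_port"]))
    if q is None:
        return False, "no matching txid/port", []
    if resp["src_ip"] != q.server_ip:
        return False, "answer from unexpected server", []
    if (resp["qname"].lower(), resp["qtype"]) != (q.qname.lower(), q.qtype):
        return False, "question section does not match", []
    cacheable = [rr for rr in resp["records"] if in_bailiwick(rr["name"], q.zone)]
    dropped = len(resp["records"]) - len(cacheable)
    reason = "ok" if dropped == 0 else f"ok, {dropped} out-of-bailiwick record(s) dropped"
    return True, reason, cacheable


# Constructed state: we asked 192.0.2.53 (authoritative for example.com) for www.example.com/A.
PENDING = {(0x1F2E, 50213): Outstanding(0x1F2E, 50213, "192.0.2.53",
                                        "www.example.com", "A", "example.com")}

GENUINE = {"txid": 0x1F2E, "dst_port": 50213, "src_ip": "192.0.2.53",
           "qname": "www.example.com", "qtype": "A",
           "records": [{"name": "www.example.com", "type": "A", "data": "192.0.2.80"}]}

# Correct in every header field, but also carries a record for an unrelated domain.
STUFFED = dict(GENUINE, records=GENUINE["records"] +
               [{"name": "login.bank.example", "type": "A", "data": "198.51.100.66"}])

# Wrong transaction id: the usual outcome of a blind guess.
GUESSED = dict(GENUINE, txid=0x1F2F)

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("stuffed", STUFFED), ("guessed", GUESSED)):
        ok, why, rrs = accept_response(msg, PENDING)
        print(f"{label:8} accepted={ok} reason='{why}' cached={len(rrs)}")
```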

Packet filtering firewall

Packet-filtering firewalls provide a way to filter IP addresses by either of two basic
methods:
1. Allowing access to known IP addresses
2. Denying access to IP addresses and ports

By allowing access to known IP addresses, for example, you could allow access
only to recognized, established IP addresses, or, you could deny access to all
unknown or unrecognized IP addresses.
By denying access to IP addresses or ports, for example, you could deny access to
port 80 to outsiders. Since most HTTP servers run on port 80, this would in effect
block off all outside access to the HTTP server.
IP packet filtering is accomplished by all firewalls in some fashion. This is normally
done through a packet-filtering router. The router will filter or screen packets
traveling through the router's interfaces that are operating under the firewall
policy established by the enterprise. A packet is a piece of information that is
being transmitted over the network. The packet filtering router will examine the
path the packet is taking and the type of information contained in the packet. If
the packet passes the firewall policy's tests, it is permitted to continue on its path.
The information the packet filtering router looks for includes
1. The packet source IP address and source TCP/UDP port, and
2. The destination IP address and destination TCP/UDP port of the packet.

Some packet-filtering firewalls will only be able to filter IP addresses and not the
source TCP/UDP port, but having TCP or UDP filtering as a feature can provide
much greater maneuverability, since traffic can be restricted for all incoming
connections except those selected by the enterprise.
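The two filtering methods and the four fields the notes list (source and destination address and TCP/UDP port) are enough to express a small policy. The block below is an added example, not code from the notes or from any firewall product: a first-match rule engine with an explicit default-deny rule and a log line for every decision, since the notes single out weak logging as the usual gap. Addresses and sample packets are constructed.

```python
"""Toy stateless packet filter: first matching rule wins, explicit default deny,
one log line per decision. Added example, not from the notes; data constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INSIDE = "192.0.2.0/24"   # constructed enterprise network (RFC 5737 documentation range)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str            # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str = ANY        # source network; ANY matches every source
    dst: str = ANY
    dst_port: Optional[int] = None    # None matches any destination port
    proto: Optional[str] = None       # None matches tcp and udp alike

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.proto is None or self.proto == pkt.proto))


# Policy modelled on the two methods in the notes: allow a known partner address in,
# deny outsiders access to the HTTP server's port 80, and deny everything else.
POLICY: List[Rule] = [
    Rule("partner-ssh", "allow", src="203.0.113.10/32", dst=INSIDE, dst_port=22, proto="tcp"),
    Rule("no-outside-http", "deny", dst=INSIDE, dst_port=80, proto="tcp"),
    Rule("inside-to-anywhere", "allow", src=INSIDE),
    Rule("default-deny", "deny"),
]


def filter_packet(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (action, rule_name) for the first rule that matches pkt."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # only reached if a policy lacks a catch-all


def audit_log(packets: List[Packet], policy: List[Rule] = POLICY) -> List[str]:
    """One log line per packet, so denied traffic does not go unnoticed."""
    lines = []
    for pkt in packets:
        action, name = filter_packet(pkt, policy)
        lines.append(f"{action.upper():5} {name:18} {pkt.proto} "
                     f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
    return lines


# Constructed sample traffic, one packet per rule.
SAMPLE = [
    Packet("203.0.113.10", 51000, "192.0.2.5", 22, "tcp"),    # known partner -> allow
    Packet("198.51.100.7", 40000, "192.0.2.5", 80, "tcp"),    # outsider to web port -> deny
    Packet("192.0.2.20", 40001, "198.51.100.7", 443, "tcp"),  # inside host going out -> allow
    Packet("198.51.100.7", 5353, "192.0.2.5", 53, "udp"),     # unmatched outsider -> default deny
]

if __name__ == "__main__":
    print("\n".join(audit_log(SAMPLE)))
```

Rule order matters: moving "inside-to-anywhere" above "no-outside-http" would not change these results, but putting a broad allow above a narrow deny is the classic way a packet-filter policy silently lets through what it was meant to block.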

Packet-filtering firewalls are generally run on either general-purpose
computers that act as routers or on special-purpose routers. Both have their
advantages and disadvantages. The main advantage of the general-purpose
computer is that it offers unlimited functional extensibility, whereas the
disadvantages are average performance, a limited number of interfaces, and
operating system weaknesses. The advantages of the special-purpose router are
the greater number of interfaces and increased performance, whereas the
disadvantages are reduced functional extensibility and higher memory
requirements.

Although packet-filtering firewalls are less expensive than other types, and
vendors are improving their offerings, they are considered less desirable
in maintainability and configurability. They are useful for bandwidth control and
limitation but are lacking in other features such as logging capabilities. If the
firewall policy does not restrict certain types of packets, the packets may
go unnoticed until an incident occurs. Enterprises utilizing packet-filtering
firewalls should look for devices that can provide detailed logging, a simplified
setup, and firewall policy checking.

Devices that Help us with Network Security
Firewalls − They can be software or appliances which operate at the network
level. They protect private networks from external users and other networks.
Generally, they are a compound of programs and their main function is to
monitor the traffic flow from outside to inside and vice versa. Their position is
generally behind a router or in front of the router depending on the network
topology.

They are also called intrusion detection devices; their traffic rules are configured
according to the company policy rules. For example, you block all incoming traffic
to the POP port because you don’t want to receive mail, so as to be secured from all
possible mail attacks. They log all the network attempts for a later audit. They
can also work as packet filters; this means that the firewall takes the decision
to forward or not forward a packet based on source and destination addresses
and ports.
Some of the recommended brands are −

• Cisco ASA Series
• Checkpoint
• Fortinet
• Juniper
• SonicWALL
• pfSense
Intrusion Detection Systems
Intrusion Detection Systems are as important as the firewall because they
help us to detect the type of attack that is being made on our system and then to
devise a solution to block it. The monitoring part includes tracing logs, looking for
doubtful signatures and keeping a history of the events triggered. They also help
network administrators to check the integrity and authenticity of the connections
that occur.
Let us see the schema of their positions −

Intrusion Detection Tools

One of the best intrusion detection tools is Snort; you can find information and
download it from − www.snort.org
It is software based, but it is open source, so it is free and easy to configure. It
is a real-time, signature-based network IDS, which notifies system
administrators of attacks like port scanners, DDoS attacks, CGI attacks,
backdoors and OS fingerprinting.
