CS Chapter 5 UP
Security Mechanism
A security mechanism is a process or technical tool designed to detect, prevent, or recover from a
security attack. Mechanisms are the concrete means by which security services are implemented; a
mechanism may operate on its own or in combination with others to provide a particular service.
In short, a security mechanism is a method, tool, or procedure for enforcing a security policy.
Examples of security mechanisms are encipherment (encryption), digital signatures,
authentication exchange, access control, security recovery, security audit trails and event
detection.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
An organization that values its assets should protect its operations with several layers of
security, each addressing a different class of threat:
Physical security
Personal security
Operations security
Communications security
Network security
Physical Security
Physical security protects your physical computer facility (your building, your computer
room, your computer, your disks and other media) [Chuck Easttom].
Some decades ago physical security was comparatively easy to achieve:
Computers were almost impossible to move (not portable)
They were few, and it was affordable to spend on physical security for them
Management was willing to spend money
Everybody understood and accepted that there were restrictions
Today physical security is much more difficult to achieve:
Computers are more and more portable (PC, laptop, smartphone)
They are not "too expensive", so spending more on physical security is hard to justify until a
major crisis occurs
Users do not accept restrictions easily
Accessories are not considered important for security until there is a problem
Physical Security: An organization may develop the best access controls and install firewalls and
intrusion prevention systems, but its security cannot be complete without physical security.
Physical security is the protection of the actual hardware and networking components that store
and transmit information resources. To implement physical security, an organization must
identify all of the vulnerable resources and take measures to ensure that these
resources cannot be physically tampered with or stolen. These measures include the
following.
Locked Doors: It may seem obvious, but all the security in the world is useless if an
intruder can simply walk in and physically remove a computing device. High-value
information assets should be secured in a location with limited access.
Physical Intrusion Detection: High-value information assets should be monitored
through the use of security cameras and other means to detect unauthorized access to the
physical locations where they exist.
Secured Equipment: Devices should be locked down to prevent them from being stolen.
One employee's hard drive could contain all of your customer information, so it is
essential that it be secured (and, since locks only slow a thief down, that it be encrypted).
Environmental Monitoring: An organization's servers and other high-value equipment
should always be kept in a room that is monitored for temperature, humidity, and airflow.
The risk of a server failure rises when these factors go out of a specified range. Environmental
controls and monitoring also help protect resources from natural disasters such as floods, fires,
storms, and earthquakes.
Employee Training: One of the most common ways thieves steal corporate information
is to steal employee laptops while employees are traveling. Employees should be trained
to secure their equipment whenever they are away from the office.
Three Components of Physical Security.
The first component of physical security involves making a physical location less
tempting as a target.
The second component of physical security involves detecting a penetration or theft. You
want to know what was broken into, what is missing, and how the loss occurred.
The third component of physical security involves recovering from a theft or loss of
critical information or systems.
Operations Security: - protects the details of a particular operation or series of activities. This
includes computers, networks, and communications systems as well as the management of
information. Operational security covers a large area, and as a security professional you will
be involved here more than in any other area; it includes network access control (NAC),
authentication, and security topologies once the network installation is complete.
For example, if you implement a comprehensive password expiration policy, you can require
users to change their passwords every 30 or 60 days. If the system does not also enforce a
password history (it allows the same passwords to be reused), users can simply rotate back to
their old password, and you have a vulnerability that the expiration policy alone cannot eliminate.
Personal Security: – to protect the individual or group of individuals who are authorized to
access the organization and its operations.
Communications Security: – to protect an organization‟s communications media, technology,
and content.
Network Security: – to protect networking components, connections, and contents.
Benefits of Computer Security
Business protection against malware, ransomware, phishing, and social engineering.
Protection for data and networks.
Prevention of unauthorized users.
Improves recovery time after a breach.
Protection for end-users.
Improved confidence in the product for both developers and customers.
suspicious or malicious activity, note activity that deviates from normal behavior, catalog and
classify the activity, and, if possible, respond to the activity.
An intrusion detection system (IDS) gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches.
It detects both intrusions (attacks from outside) and misuse (abuse by authorized users).
Intrusion detection functions include
Monitoring and analyzing both user and system activities
Analyzing system configurations and vulnerabilities
Assessing system and file integrity
Ability to recognize patterns typical of attacks
Analysis of abnormal activity patterns
Tracking user policy violations
malicious. This is considered to be one of the primary weaknesses of signature-based
systems: they can only spot malicious traffic they have seen before and have a signature to
match against. A signature-based (misuse) detector looks for events or sets of events that match
a predefined pattern describing a known attack. The patterns are called signatures.
Signature-based (misuse) detection
Advantages:
Very effective at detecting known attacks without generating an overwhelming number of
false alarms.
Disadvantages:
Can only detect those attacks they know about, therefore they must be constantly
updated with signatures of new attacks.
Many misuse detectors are designed to use tightly defined signatures that prevent
them from detecting variants of common attacks (for example, the same payload URL-encoded
or with different whitespace).
Anomaly-based detection
Advantages:
An advantage of anomaly-based IDSs is their ability to potentially detect new attacks or
variants of old attacks.
Can detect unusual behavior and thus have the ability to detect symptoms of attacks
without specific knowledge of their details.
Can produce information that can in turn be used to define signatures for misuse
detectors.
Disadvantages:
Usually produce a large number of false alarms due to the unpredictable behavior of
users and networks, and must first be trained on a period of traffic that is assumed to be clean.
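The two detection methods side by side, as an added example that is not part of the original notes: a misuse detector that matches web-server log lines against two signatures (SQL-injection tautology and path traversal) and an anomaly detector that learns normal per-source request volume from a baseline and flags sources that exceed it. The log lines, the line format, the source addresses and the threshold factor are all constructed for the example. It shows the two weaknesses the notes describe: the tightly defined signature (normalize=False) misses the URL-encoded variant of the injection, and the directory-scanning client trips no signature at all but is caught by the volume anomaly.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (not from any real system). Assumed line
# format: "<timestamp> <source IP> <method> <path> <status>".
SCAN_PATHS = ["/admin", "/backup.zip", "/.git/config", "/wp-login.php", "/phpmyadmin/",
              "/.env", "/config.php", "/db.sql", "/test/", "/old/", "/api/", "/shell.php"]
OBSERVED_LOG = "\n".join(
    ["2024-01-01T10:00:01 10.0.0.5 GET /index.html 200",
     "2024-01-01T10:00:02 10.0.0.5 GET /about.html 200",
     "2024-01-01T10:00:03 203.0.113.9 GET /login.php?user=admin'%20OR%201=1-- 200",
     "2024-01-01T10:00:04 10.0.0.5 GET /contact.html 200",
     "2024-01-01T10:00:05 203.0.113.9 GET /../../etc/passwd 404"]
    + [f"2024-01-01T10:00:{6 + i:02d} 198.51.100.4 GET {p} 404" for i, p in enumerate(SCAN_PATHS)]
)
# Constructed "quiet period" traffic used to learn normal per-source volume.
BASELINE_LOG = "\n".join(
    [f"2024-01-01T09:00:{i:02d} 10.0.0.5 GET /index.html 200" for i in range(4)]
    + [f"2024-01-01T09:01:{i:02d} 10.0.0.7 GET /index.html 200" for i in range(2)]
    + [f"2024-01-01T09:02:{i:02d} 10.0.0.9 GET /index.html 200" for i in range(3)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")

# Misuse-detection signatures: each describes one known attack pattern.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def parse(log_text):
    """Turn raw lines into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def signature_alerts(events, normalize=True):
    """Misuse detection: every event is matched against every signature.
    With normalize=False the signature is 'tightly defined' and misses the
    URL-encoded variant of the SQL injection; with normalize=True the path is
    decoded first so the variant is caught."""
    alerts = []
    for ev in events:
        path = unquote(ev["path"]) if normalize else ev["path"]
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ev["src"], name))
    return alerts


def anomaly_alerts(events, baseline_events, factor=3.0):
    """Anomaly detection: flag any source whose request count in the window
    exceeds `factor` times the mean per-source count seen in the baseline.
    Needs no knowledge of attacks, but a busy legitimate client is flagged too."""
    baseline = Counter(ev["src"] for ev in baseline_events)
    mean = statistics.mean(baseline.values())
    counts = Counter(ev["src"] for ev in events)
    return sorted((src, n) for src, n in counts.items() if n > factor * mean)
```

In a real deployment the baseline would be recomputed continuously and the anomaly score would combine several features (error ratio, distinct paths, timing), which is exactly where the false alarms come from; the signature hits, by contrast, can be forwarded straight to an analyst.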
Response is the set of actions that the system takes once it detects an intrusion. Based on the
response actions, NIDSs are categorized as active or passive.
Active vs. Passive NIDS Response
Most NIDSs can be distinguished by how they examine the traffic and whether or not they
interact with that traffic. A passive NIDS simply watches the traffic, analyzes it, and generates
alarms; it does not interact with the traffic in any way. Its findings are reported to humans, who
are then expected to take action based on those reports. An active NIDS responds to an attack
with some automated intervention on the part of the system, such as sending a TCP reset. The
TCP reset is the most common defensive action of an active NIDS: a segment with the RST flag
set, spoofed to look as if it came from the other endpoint, tells both sides of the connection to
drop the session and stop communicating immediately. This only works for TCP; UDP and ICMP
traffic has no session to reset, so an active NIDS must fall back to updating a firewall rule.
Generally, there are a number of ways in which intrusion detection systems can be categorized:
Misuse detection versus anomaly detection (based on the detection method)
Passive systems versus reactive systems (based on the response action)
Network-based systems versus host-based systems (based on where they monitor activity)
IDS Approaches
Preemptive Blocking
This approach seeks to prevent intrusions before they occur by noting danger signs of an
impending attack and then blocking the user or IP address from which those signs originate. The
risk is that legitimate users are blocked too, so it is better if a human administrator makes the
final decision whether or not to block a suspicious source.
Intrusion Deflection
Intrusion deflection sets up a subsystem that attracts the intruder so that his or her actions can
be observed. The intruder is tricked into believing that he or she has succeeded in accessing
system resources when in fact he or she has been directed to a specially designed environment
(a honey pot). A honey pot assumes that an attacker is able to breach the network's security.
Create a server that holds fake but attractive data, such as account numbers or research results,
and make it just a little less secure than a real server. Since none of the legitimate users ever
access this server, monitoring software is installed to raise an alert whenever anyone does.
A honey pot achieves two goals:
First, it draws the attacker's attention away from the data to be protected.
Second, it provides interesting and valuable data that leads the attacker to stay
connected to the fake server, giving time to trace and track them.
Interest in intrusion detection is motivated by a number of considerations, including the
following:
If an intrusion is detected quickly enough, the intruder can be identified and ejected from
the system before any damage is done or any data are compromised. Even if the detection
is not timely enough to preempt the intruder, the sooner the intrusion is detected,
the less damage is done and the more quickly recovery can be achieved.
An effective intrusion detection system can serve as a deterrent, and so acts to prevent
intrusions.
Intrusion detection enables the collection of information about intrusion techniques that
can be used to strengthen the intrusion prevention facility.
Fig: Network Hardware-Based
A network firewall provides a barrier between two networks, a trusted network and an untrusted
network, using pre-configured rules. A firewall can be a single router, multiple routers, a single
host or multiple hosts running firewall software, or a hardware appliance specifically designed
to provide firewall services. Firewalls vary greatly in design, functionality, architecture, and
cost. When information moves from the Internet to the internal network, the main concern is
integrity (is the incoming data what it claims to be, and is it malicious?); when information
moves from the internal network to the Internet, confidentiality and integrity are both concerns.
In certain military contexts a firewall is also called a Border Protection Device (BPD); it
separates networks by creating a perimeter network, the DMZ ("demilitarized zone").
DMZ “Demilitarized Zone”
A DMZ is a subnetwork that contains an organization's external-facing services, such as web,
mail and FTP services. Typically, the systems in the DMZ require external connectivity, for
example a corporate web site, an e-mail server, or a DNS (domain name system) server, so they
are kept apart from the internal network in case they are compromised.
Fig2: DMZ “Demilitarized Zone”
A firewall is built around three design goals. All traffic between the outside and the inside must
pass through the firewall, which is achieved by physically blocking all access to the local
network except via the firewall. Only authorized traffic, as defined by the local security policy,
will be allowed to pass. And the firewall itself must be immune to penetration, which implies a
hardened, trusted system with a secure operating system.
Firewall - Features
Port control: allow some ports (e.g., 80 for a web server, 25 for a mail server, 21 and 20 for
an FTP server) and deny all others
Network address translation (NAT): translates the IP addresses of internal hosts to hide them
from outside observation
Application monitoring
Packet filtering: rejects TCP/IP packets from unauthorized hosts and rejects connection
attempts to unauthorized services
Data encryption: confidentiality of outgoing packets (e.g., terminating a VPN tunnel)
Content filtering: blocks internal users from accessing certain categories of content, such as
hate-group propaganda or pornography
Virus scanning
Pop-up advertisement blocking / spam protection
Spyware protection
Firewall Design
A firewall implements a security policy, that is, a set of rules that determine what traffic can or
cannot pass through it. By methodology, firewalls fall into two basic categories:
Packet filtering firewall
Application proxy (gateway) firewall
Basic packet filtering firewall: - looks at each packet entering or leaving the network and either
accepts or rejects it based on user-defined rules. A packet consists of a header (source and
destination IP address, protocol and port numbers) and a payload. The packet filter examines only
the header fields (source and destination IP address, protocol, port) and not the content of the
traffic (the payload).
Because packet filters look only at the headers, they can reject TCP/IP packets from unauthorized
hosts and reject connection attempts to unauthorized services, but they cannot tell a legitimate
HTTP request from an attack carried inside one.
Application proxy (gateway) firewall: - examines the content of the traffic as well as the
ports and IP addresses, typically by terminating the client's connection and speaking the
application protocol itself on the client's behalf.
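An added example (not from the notes) of the difference between the two designs: a stateless packet filter that applies an ordered rule list with a default deny, and an application-layer check for HTTP that runs after the filter on the same packet. The packet model, the rule syntax, the DMZ addresses (10.0.1.10 web, 10.0.1.20 mail) and the very small HTTP grammar are all assumptions made for the example; the point is that a request carrying a path-traversal payload, or an SSH client tunnelled over port 80, passes the header-only check and is caught only by the proxy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Just the fields the two firewall types look at (constructed model)."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One packet-filter rule; None means 'any' for proto and dport."""
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def packet_filter(rules, pkt: Packet) -> str:
    """Header-only decision: first matching rule wins; no match => deny (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Assumed DMZ policy: only HTTP to the web server and SMTP to the mail server may come in.
DMZ_RULES = [
    Rule("allow", dst="10.0.1.10/32", proto="tcp", dport=80),
    Rule("allow", dst="10.0.1.20/32", proto="tcp", dport=25),
    Rule("deny"),
]

HTTP_METHODS = {b"GET", b"HEAD", b"POST"}


def http_proxy(pkt: Packet) -> str:
    """Application-layer decision for HTTP: the packet must first pass the filter,
    then its payload must be a well-formed request line whose target stays under
    the web root. Anything else (other protocols on port 80, traversal) is denied."""
    if packet_filter(DMZ_RULES, pkt) == "deny":
        return "deny"
    request_line = pkt.payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith(b"HTTP/1."):
        return "deny"
    target = parts[1]
    if not target.startswith(b"/") or b".." in target:
        return "deny"
    return "allow"
```

The filter's rule order matters: the final catch-all deny is what makes the policy "allow listed services, reject everything else"; without it the function still denies because there is no matching rule, but an explicit rule is easier to audit.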
Firewall Location
A firewall can be internal or external. An external firewall is placed at the edge of a local or
enterprise network, just inside the boundary router that connects to the Internet. More internal
firewalls protect the main part of the enterprise network.
The external firewall provides a measure of access control and protection for the DMZ systems
consistent with their need for external connectivity, and a basic level of protection for the
remainder of the enterprise network.
Internal firewalls:
1. The internal firewall adds more stringent filtering capability, compared to the external
firewall, in order to protect enterprise servers and workstations from external attack. The
internal firewall provides two-way protection with respect to the DMZ.
First, the internal firewall protects the remainder of the network from attacks
launched from DMZ systems. Such attacks might originate from worms, bots, or
other malware lodged in a DMZ system.
Second, an internal firewall can protect the DMZ systems from attack from the
internal protected network
2. Multiple internal firewalls can be used to protect portions of the internal network from
each other. For example, firewalls can be configured so that internal servers are protected
from internal workstations and vice versa.
Virtual Private Networks
A VPN consists of a set of computers that are interconnected by means of a relatively insecure
network and that make use of encryption and special protocols to provide security. At each
corporate site, workstations, servers, and databases are linked by one or more LANs, and the
sites are joined across the public network by encrypted tunnels. Three protocols are commonly
used to create VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol
(L2TP), and IP Security (IPsec).
Point-to-Point Tunneling Protocol (PPTP) is a network protocol used to create VPN tunnels
across public networks. PPTP servers are also known as Virtual Private Dialup Network (VPDN)
servers. PPTP was historically favored because it is fast and widely supported, including on
mobile devices, but its authentication (MS-CHAPv2) and encryption (MPPE with RC4) have been
broken, so it should not be used where confidentiality matters.
Layer Two Tunneling Protocol (L2TP) is an extension of PPTP used by Internet service providers
(ISPs) to enable VPNs. L2TP provides the tunnel only; to ensure security and privacy it must rely
on an encryption protocol, in practice IPsec (L2TP/IPsec), for the traffic inside the tunnel.
IP Security (IPsec):
Internet Protocol Security is a secure network protocol suite that authenticates and encrypts IP
packets to provide secure communication between two hosts or gateways over an IP network. It
is widely used to build VPNs.
IPsec defines two protocols for securing IP packets: Authentication Header (AH) and
Encapsulating Security Payload (ESP). AH provides data-origin authentication, integrity, and
anti-replay protection (including for most of the IP header) but no confidentiality; ESP encrypts
the payload and can also authenticate it, with the same anti-replay service.
The IPsec suite also includes Internet Key Exchange (IKE), which authenticates the two peers and
negotiates the shared keys and algorithms that make up a security association (SA). An SA is a
one-way relationship that records everything needed to protect traffic in one direction (the SPI,
algorithms, keys, and sequence-number state), so a two-way connection needs a pair of SAs.
The SA negotiation is usually handled by a security gateway, a router or firewall that sits between
the two networks, or by the end host itself when IPsec is used in transport mode.
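An added example, not from the notes, of the per-SA state just described on the receiving side: an inbound SA holding an SPI, an integrity key and a 64-entry anti-replay window in the style of RFC 4303, and a receive routine that looks up the SA by SPI, does the replay check, verifies the ICV, and only then advances the window. Encryption is deliberately omitted (this is ESP with NULL encryption, RFC 2410), HMAC-SHA-256 truncated to 96 bits stands in for the negotiated integrity algorithm, and the key, SPIs, payloads and sequence numbers are constructed for the demo. The ordering matters: a forged packet with a high sequence number must not move the window, or an attacker could cause legitimate packets to be dropped as "stale".

```python
import hashlib
import hmac
import struct


class AntiReplayWindow:
    """Sliding window over ESP/AH sequence numbers (RFC 4303 style, 64 entries)."""
    SIZE = 64

    def __init__(self):
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) has been accepted

    def check(self, seq):
        """Return 'ok', 'replay' (already seen) or 'stale' (too old / invalid)."""
        if seq == 0:
            return "stale"           # sequence numbers start at 1
        if seq > self.top:
            return "ok"              # will advance the window
        diff = self.top - seq
        if diff >= self.SIZE:
            return "stale"           # fell off the left edge of the window
        return "replay" if self.bitmap & (1 << diff) else "ok"

    def update(self, seq):
        """Record seq as accepted; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.SIZE) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class InboundSA:
    """One-way security association: SPI, integrity key, anti-replay state."""
    def __init__(self, spi, auth_key):
        self.spi = spi
        self.auth_key = auth_key
        self.window = AntiReplayWindow()


ICV_LEN = 12   # HMAC-SHA-256-96: 96-bit truncated tag (RFC 4868)


def esp_encapsulate(spi, seq, payload, auth_key):
    """Sender side: SPI | sequence number | payload | ICV over everything before it."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def esp_receive(sad, packet):
    """Receiver side: SA lookup, cheap replay check, ICV check, then window update.
    Returns (status, payload)."""
    if len(packet) < 8 + ICV_LEN:
        return "too_short", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return "unknown_spi", None
    status = sa.window.check(seq)
    if status != "ok":
        return status, None
    expected = hmac.new(sa.auth_key, packet[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(packet[-ICV_LEN:], expected):
        return "bad_icv", None
    sa.window.update(seq)
    return "ok", packet[8:-ICV_LEN]


def run_demo():
    """Push a constructed packet sequence through one inbound SA; return the verdicts."""
    key = bytes(range(32))                      # constructed; real keys come from IKE
    sad = {0x1001: InboundSA(0x1001, key)}      # security association database keyed by SPI
    verdicts = []
    for seq in (1, 2, 2, 100, 50, 50, 36, 37, 0):
        verdicts.append(esp_receive(sad, esp_encapsulate(0x1001, seq, b"data", key))[0])
    verdicts.append(esp_receive(sad, esp_encapsulate(0x2002, 1, b"data", key))[0])
    forged = bytearray(esp_encapsulate(0x1001, 200, b"data", key))
    forged[-1] ^= 0x01                          # flip one ICV bit
    verdicts.append(esp_receive(sad, bytes(forged))[0])
    verdicts.append(esp_receive(sad, esp_encapsulate(0x1001, 200, b"data", key))[0])
    return verdicts
```

Sequence 36 is rejected as stale because the window top is 100 and 100 - 36 = 64 is outside a 64-entry window, while 37 (diff 63) is still accepted; the forged packet at 200 fails the ICV and leaves the window at 100, so the genuine packet 200 that follows is accepted.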
While IP addresses identify the physical endpoints of a network connection, port numbers
identify the logical endpoints (the application) at each host. Port numbers are 16-bit integers
with a useful range from 1 to 65535 (port 0 is reserved).
A socket is one endpoint of a two-way communication channel. A server machine may run several
server processes, each reachable on a different port; conversely, many clients may want to contact
the same port (e.g., a web server on port 80). The client creates a socket at its end and sends a
request to the server's port; the server accepts the connection and creates a new socket at its end
dedicated to that client, leaving the listening socket free to accept further clients.
In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client
program specifies a particular server program on a computer in a network. The Internet Assigned
Numbers Authority (IANA), a function operated by ICANN, divides port numbers into three
categories:
Port numbers 0 to 1023: well-known ports, assigned to common protocols and services
Port numbers 1024 to 49151: registered ports, assigned to a specific service on request
Port numbers 49152 to 65535: dynamic (private, ephemeral) ports, used for the client side of
connections
Well-Known Port Numbers or Reserved Port Numbers
Only the port numbers from 0 to 1023 are reserved for privileged services and designated as
well-known ports; on Unix-like systems, binding to one of them requires root or an equivalent
capability. A well-known port is the contact port on which the server process offers its service; in
a client-server application the server usually provides its service on a well-known port number.
The well-known ports are a subset of the numbers assigned to applications. They were originally
listed in RFC 1700 (now obsolete); the authoritative list is the IANA Service Name and Transport
Protocol Port Number Registry.
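An added example, not part of the notes, that exercises both ideas above on the loopback interface: a server that binds a kernel-chosen port and hands each accepted client its own socket, a TCP connect scan that classifies ports as open, closed or filtered from the handshake result, and a classifier for the three IANA ranges. Everything runs against 127.0.0.1 with no outside network; the echo protocol, the "ECHO:" prefix and the port choices are assumptions for the demo.

```python
import socket
import threading


def port_class(port):
    """IANA range the port falls into (the three categories described above)."""
    if not 0 <= port <= 65535:
        raise ValueError("port numbers are 16-bit")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def start_echo_server(host="127.0.0.1"):
    """Bind a listening socket on a kernel-chosen port and serve clients one at a
    time in a background thread. Returns (port, stop_event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))            # port 0: the kernel picks a free ephemeral port
    listener.listen(5)
    listener.settimeout(0.2)            # lets the loop notice stop_event
    port = listener.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _peer = listener.accept()   # new socket dedicated to this client
            except socket.timeout:
                continue
            with conn:
                data = conn.recv(1024)
                if data:
                    conn.sendall(b"ECHO:" + data)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-connect scan: a completed handshake means something is listening, an
    immediate RST means closed, and no answer means filtered (e.g. a firewall dropping)."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:               # includes socket.timeout
                results[port] = "filtered"
    return results


def free_port(host="127.0.0.1"):
    """Ask the kernel for an unused port and release it, so it is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def run_demo():
    """Scan one listening and one closed loopback port, then talk to the listener."""
    port, stop = start_echo_server()
    closed = free_port()
    try:
        scan = tcp_connect_scan("127.0.0.1", [port, closed])
        with socket.create_connection(("127.0.0.1", port), timeout=2) as client:
            client.sendall(b"hello")
            reply = client.recv(1024)
    finally:
        stop.set()
    return {"open_port": port, "closed_port": closed, "scan": scan, "reply": reply,
            "classes": {p: port_class(p) for p in (port, closed)}}
```

Two caveats worth knowing: Linux picks ephemeral ports from 32768 to 60999 by default, which overlaps IANA's registered range, so the category of a port says nothing about whether it is in use; and a connect scan completes the handshake, so it appears in the target's logs and must only be run against hosts you are authorized to test.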
Port        Service name                                              Transport protocol
20, 21      File Transfer Protocol (FTP) data / control               TCP
22          Secure Shell (SSH)                                        TCP
23          Telnet                                                    TCP
25          Simple Mail Transfer Protocol (SMTP)                      TCP
53          Domain Name System (DNS)                                  TCP and UDP
67, 68      Dynamic Host Configuration Protocol (DHCP) server/client  UDP
69          Trivial File Transfer Protocol (TFTP)                     UDP
80          Hypertext Transfer Protocol (HTTP)                        TCP
110         Post Office Protocol (POP3), mail retrieval               TCP
115         Simple File Transfer Protocol (obsolete; not SSH SFTP)    TCP
119         Network News Transfer Protocol (NNTP)                     TCP
123         Network Time Protocol (NTP)                               UDP
135         Microsoft RPC endpoint mapper                             TCP and UDP
137-139     NetBIOS name / datagram / session services                UDP (137, 138), TCP (139)
143         Internet Message Access Protocol (IMAP)                   TCP
161, 162    Simple Network Management Protocol (SNMP) agent / traps   UDP
179         Border Gateway Protocol (BGP)                             TCP
443         HTTP over TLS (HTTPS)                                     TCP (UDP for HTTP/3 over QUIC)
500, 4500   IPsec key exchange (IKE) / IKE and ESP with NAT traversal UDP
546, 547    DHCPv6 client / server                                    UDP
8080        HTTP alternate (registered range, not well-known)         TCP
Table: Well-known port numbers or reserved port numbers
Note: IPsec AH and ESP are not port-based services; they are IP protocol numbers 51 and 50
respectively, so only IKE (and UDP-encapsulated ESP on 4500) appears in a port table.