CS Chapter 5 UP


Chapter 5

Security Policies and Mechanisms


Security Policies
A security policy is a document that states in writing how a company plans to protect its physical
and logical (digital) assets. Security policies are a formal set of rules and guidelines, related to
the value of the assets being secured, issued by an organization to ensure that only authorized
users access company resources. A security policy is also known as an Information Security (IS)
Policy. Security policies are living documents that are continuously updated as technologies,
vulnerabilities and security requirements change. Some important computer security policy
recommendations are described below:

Virus and Spyware Protection Policy
 It helps to detect threats in files and applications that exhibit suspicious behavior.
 It removes and repairs the side effects of viruses and security risks by using signatures.
Firewall Policy
 It blocks unauthorized users from accessing the systems and networks that connect to
the Internet, detects attacks by cybercriminals and removes unwanted sources of network
traffic.
Intrusion Prevention Policy
 This policy automatically detects and blocks network attacks and browser attacks. It
also protects applications from vulnerabilities, checks the contents of one or more data
packets, and detects malware that arrives through legitimate channels.
Application and Device Control
 This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system. The device control policy applies to both Windows
and Mac computers, whereas the application control policy can be applied only to Windows
clients.

Security Mechanism
A security mechanism is a process that is designed to detect, prevent, or recover from a security
attack. In other words, security mechanisms are the technical tools and techniques that are used to
implement security services. A mechanism might operate by itself, or with others, to provide a
particular service. A security mechanism is a method, tool, or procedure for enforcing a security
policy.
Some examples of security mechanisms are encipherment (encryption), digital signatures,
authentication exchange, access control, security recovery, security audit trails and event
detection.
Traffic Padding: The insertion of bits into gaps in a data stream to frustrate traffic analysis
attempts.
To protect the value of its assets, an organization should have the following multiple layers of
security mechanisms protecting its operations:
 Physical security
 Operations security
 Personal security
 Communications security
 Network security

Physical Security
 Physical security protects your physical computer facility (your building, your computer
room, your computer, your disks and other media) [Chuck Easttom]
Some decades ago, physical security was easier to achieve:
 It was almost impossible to move computers (they were not portable)
 They were very few, so it was affordable to spend on physical security for them
 Management was willing to spend money
 Everybody understood and accepted that there were restrictions
Today physical security is much more difficult to achieve than some decades ago:
 Computers are more and more portable (PC, laptop, smartphone)
 They are not “too expensive” enough to justify spending more money on physical security until a
major crisis occurs
 Users don't accept restrictions easily
 Accessories are not considered important for security until there is a problem

Physical Security: An organization may develop the best access control and install firewalls and
intrusion prevention, but its security cannot be complete without the implementation of physical
security. Physical security is the protection of the actual hardware and networking components that
store and transmit information resources. To implement physical security, an organization must
identify all of its vulnerable resources and take measures to ensure that these resources cannot be
physically tampered with or stolen. These measures include the following.
 Locked Doors: It may seem obvious, but all the security in the world is useless if an
intruder can simply walk in and physically remove a computing device. High-value
information assets should be secured in a location with limited access.
 Physical Intrusion Detection: High-value information assets should be monitored
through the use of security cameras and other means to detect unauthorized access to the
physical locations where they exist.
 Secured Equipment: Devices should be locked down to prevent them from being stolen.
One employee's hard drive could contain all of your customer information, so it is
essential that it be secured.
 Environmental Monitoring: An organization's servers and other high-value equipment
should always be kept in a room that is monitored for temperature, humidity, and airflow.
The risk of a server failure rises when these factors go out of a specified range. It also
protects resources from natural disasters such as floods, fires, storms, and
earthquakes.
 Employee Training: One of the most common ways thieves steal corporate information
is to steal employee laptops while employees are traveling. Employees should be trained
to secure their equipment whenever they are away from the office.
Three Components of Physical Security.
 The first component of physical security involves making a physical location less
tempting as a target.
 The second component of physical security involves detecting a penetration or theft. You
want to know what was broken into, what is missing, and how the loss occurred.
 The third component of physical security involves recovering from a theft or loss of
critical information or systems.
Operations Security: - to protect the details of a particular operation or series of activities. This
includes computers, networks, and communications systems as well as the management of
information. Operational security encompasses a large area, and as a security professional you'll
be involved here more than in any other area; it includes network access control (NAC),
authentication, and security topologies after the network installation is complete.
 For example, if you implement a comprehensive password expiration policy, you can
require users to change their passwords every 30 or 60 days. If the system doesn't
require password rotation, though (it allows the same passwords to be reused), you have a
vulnerability that you may not be able to eliminate.
Personal Security: – to protect the individual or group of individuals who are authorized to
access the organization and its operations.
Communications Security: – to protect an organization's communications media, technology,
and content.
Network Security: – to protect networking components, connections, and contents.
Benefits of Computer Security
 Business protection against malware, ransomware, phishing, and social engineering.
 Protection for data and networks.
 Prevention of access by unauthorized users.
 Improves recovery time after a breach.
 Protection for end-users.
 Improved confidence in the product for both developers and customers.

Intrusion Detection System (IDS)/ IPS


IDS/IPS is a software or hardware system that has the capabilities of intrusion detection and
prevention and can react effectively in case of possible intrusions.
Intrusion Detection System (IDS) Vs. Intrusion Prevention System (IPS)
An intrusion detection system (IDS) is a security system that detects unsuitable or malicious
activity on a computer or network. An IDS is a passive system that scans incoming traffic. Once the
IDS identifies dangerous or suspicious traffic it can send an alert to the system, but it leaves
the action to the IPS. IPS stands for intrusion prevention system. Unlike an IDS, an IPS is able to
actively block or prevent an intrusion. Once unwelcome packets are identified, the IPS either puts
them in quarantine or simply drops them.
A well-secured system uses up-to-date application and operating system patches, requires well-
chosen passwords, runs the minimum number of services necessary, and restricts access to
available services. On top of that foundation, you can add layers of protective measures such as
antivirus products, firewalls, sniffers, and IDSs. The main purpose of an IDS is to identify
suspicious or malicious activity, note activity that deviates from normal behavior, catalog and
classify the activity, and, if possible, respond to the activity.

An intrusion detection system gathers and analyzes information from various areas within a
computer or a network to identify possible security breaches.
 It detects both intrusions and misuse
 Intrusion detection functions include
 Monitoring and analyzing both user and system activities
 Analyzing system configurations and vulnerabilities
 Assessing system and file integrity
 Ability to recognize patterns typical of attacks
 Analysis of abnormal activity patterns
 Tracking user policy violations

Types of Intrusion Detection Systems


An IDS is somewhat like a burglar alarm. It watches the activity going on around it and tries to
identify undesirable activity. IDSs are typically divided into two main categories, depending on
the level at which they monitor activity: host-based and network-based IDSs.
A host-based IDS (HIDS) runs on a specific system (server or workstation) and looks at all the
activity on that host. It examines activity on an individual system, such as a mail server, web
server, or individual PC. It is concerned only with that individual system and usually has no
visibility into the activity on the network or systems around it. A network-based IDS (NIDS)
sniffs traffic from the network and sees only activity that occurs on the network. It examines
activity on the network itself. It has visibility only into the traffic crossing the network link
it is monitoring and typically has no idea of what is happening on individual systems.
Distinguished by Detection Method
Distinguished by detection method, there are two kinds of IDS: signature-based IDS and heuristic
or anomaly-based IDS.
Signature-Based IDS: matches only against known patterns. If a new attack comes in that the
signature-based IDS has never seen before, it won't be able to identify it as suspicious or
malicious. This is considered to be one of the primary weaknesses of signature-based systems, as
they can only spot malicious traffic they have seen before and have a signature to match against.
A signature-based IDS looks for events or sets of events that match a predefined pattern of events
that describe a known attack. The patterns are called signatures.

Advantages:
 Very effective at detecting attacks without generating an overwhelming number of
false alarms.
Disadvantages
 Can only detect those attacks they know about, therefore they must be constantly
updated with signatures of new attacks.
 Many misuse detectors are designed to use tightly defined signatures that prevent
them from detecting variants of common attacks.

Anomaly-based IDS: this method of IDS considers anything that deviates from normal system
operation to be potentially unfriendly. An anomaly-based IDS must be able to learn what is normal
and create its own rule sets based on those normal traffic and activity patterns. They function on
the assumption that attacks are different from “normal” (legitimate) activity and can therefore be
detected by systems that identify these differences.

Advantages
 An advantage of anomaly-based IDSs is their ability to potentially detect new attacks or
variants of old attacks.
 Can detect unusual behavior and thus have the ability to detect symptoms of attacks
without specific knowledge of details.
 Can produce information that can in turn be used to define signatures for misuse
detectors.
Disadvantages
 Usually produce a large number of false alarms due to the unpredictable behaviors of
users and networks.
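To make the trade-off between the two detection methods concrete, here is an added example (not code from the original notes) that runs a one-pattern signature detector and a simple request-rate anomaly detector over a few constructed web-server log lines; the log lines, addresses and the k=2 threshold are assumptions made for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed web-server log lines ("source_ip method path status"); they are
# made up for this demonstration and are not taken from the notes above.
BASELINE_LOG = [          # normal traffic the anomaly detector learns from
    "10.0.0.5 GET /index.html 200",
    "10.0.0.5 GET /about.html 200",
    "10.0.0.6 GET /index.html 200",
    "10.0.0.7 GET /index.html 200",
    "10.0.0.7 GET /contact.html 200",
    "10.0.0.8 GET /index.html 200",
]
TEST_LOG = [
    "10.0.0.5 GET /index.html 200",        # a busy but legitimate visitor
    "10.0.0.5 GET /about.html 200",
    "10.0.0.5 GET /contact.html 200",
    "10.0.0.5 GET /news.html 200",
    "10.0.0.5 GET /jobs.html 200",
    "10.0.0.9 GET /search?q=../../etc/passwd 404",         # matches the signature
    "10.0.0.9 GET /search?q=..%2f..%2fetc%2fpasswd 404",   # URL-encoded variant
    "10.0.0.9 GET /search?q=..%2f..%2fetc%2fshadow 404",
    "10.0.0.9 GET /search?q=..%2f..%2fetc%2fhosts 404",
    "10.0.0.9 GET /search?q=..%2f..%2fetc%2fgroup 404",
]

# Misuse (signature) detection: a tightly defined pattern for one known attack.
SIGNATURES = {"directory-traversal": re.compile(r"\.\./")}


def signature_detect(lines):
    """Return (source, signature_name) for every line matching a known pattern.
    Lines that vary from the exact pattern (e.g. URL-encoded) are not flagged."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((line.split()[0], name))
    return hits


def requests_per_source(lines):
    """Count requests per source IP (the first field of each line)."""
    return Counter(line.split()[0] for line in lines)


def learn_baseline(lines):
    """Profile 'normal': mean and population stdev of requests per source."""
    counts = list(requests_per_source(lines).values())
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(lines, baseline, k=2.0):
    """Flag sources whose request count exceeds mean + k * stdev of the baseline.
    This catches the encoded variant the signature missed, but it also flags the
    busy legitimate visitor: the false-alarm cost the notes describe."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    return sorted(src for src, n in requests_per_source(lines).items() if n > threshold)


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_LOG)
    print("signature hits:", signature_detect(TEST_LOG))             # only the plain ../ line
    print("anomalous sources:", anomaly_detect(TEST_LOG, baseline))  # 10.0.0.5 and 10.0.0.9
```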
Response is the set of actions that the system takes once it detects intrusions. Based on their
response actions, NIDSs are categorized into two kinds: active and passive.
Active vs. Passive NIDS Response
Most NIDSs can be distinguished by how they examine the traffic and whether or not they
interact with that traffic. On a passive system, the NIDS simply watches the traffic, analyzes it,
and generates alarms. A passive NIDS generates an alarm when it matches a pattern and does not
interact with the traffic in any way. This passive measure consists of reporting IDS findings to
humans, who are then expected to take action based on those reports. An active NIDS makes a
reactive response to an attack, such as a TCP reset. This active measure involves some automated
intervention on the part of the system. The TCP reset is the most common defensive ability of an
active NIDS. The reset message (RST) tells both sides of the connection to drop the session and
stop communicating immediately.

Generally, there are a number of ways in which intrusion detection systems can be categorized:
 Misuse detection versus anomaly detection (based on detection method)
 Passive systems versus reactive systems (based on response actions)
 Network-based systems versus host-based systems (based on the level at which they monitor
activity)

IDS Approaches
Preemptive Blocking
This approach seeks to prevent intrusions before they occur. It is done by noting any danger
signs of impending threats and then blocking the user or IP address from which these signs
originate. There is a risk, however, of blocking out legitimate users, so it is better if a human
administrator makes the decision whether or not to block the suspicious source.
Intrusion Deflection
Intrusion deflection is an attempt to attract the intruder into a subsystem for the purpose of
observing his/her actions. This is done by tricking the intruder into believing that s/he has
succeeded in accessing system resources when, in fact, s/he has been directed to a specially
designed environment (a honey pot). A honey pot assumes that an attacker is able to breach the
network security.
Create a server that has fake but attractive data, such as account numbers or research, and is just
a little less secure than a real server. Then, since none of the actual users ever access this
server, monitoring software is installed to alert when someone does access it.

A honey pot achieves two goals:
 First, it will take the attacker's attention away from the data to be protected.
 Second, it will provide interesting and valuable data, thus leading the attacker to stay
connected to the fake server, giving time to try and track them.
Interest in intrusion detection is motivated by a number of considerations, including the following:
 If an intrusion is detected quickly enough, the intruder can be identified and ejected from
the system before any damage is done or any data are compromised. Even if the detection
is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected,
the less the amount of damage and the more quickly that recovery can be achieved.
 An effective intrusion detection system can serve as a deterrent, so acting to prevent
intrusions.
 Intrusion detection enables the collection of information about intrusion techniques that
can be used to strengthen the intrusion prevention facility.

Firewall in Computer Security


A firewall is a network security device, which can be software or hardware, that checks
information coming from the Internet and then either blocks it or allows it to pass to your network,
depending on your firewall settings. A firewall comes either as software (a software, host-based
firewall), as a separate computer system (a network, hardware-based firewall), or as a combination
of both hardware and software. As computer security devices, network firewalls are alike in
protecting one subnet from harm from another subnet. The primary use of a firewall is to protect
an internal sub-network from the many threats.
Simply put, a firewall is a security device that filters all the traffic between a protected network
and a less trustworthy network.

Fig: Network Hardware-Based
A network firewall provides a barrier between two networks: a trusted network and an untrusted
network, using pre-configured rules. Firewalls can be composed of a single router, multiple
routers, a single host system or multiple hosts running firewall software, hardware appliances
specifically designed to provide firewall services. They vary greatly in design, functionality,
architecture, and cost. When information moves from the Internet to the internal network,
confidentiality is not an issue but, integrity is. When information moves from the internal
network to the Internet, confidentiality and integrity are both concerns. A firewall is also called a
Border Protection Device (BPD) in certain military contexts where a firewall separates networks
by creating perimeter networks in a DMZ “Demilitarized Zone”.
DMZ “Demilitarized Zone”
DMZ is a sub network that contains an organization's external facing services like Web services,
Mail services, FTP Services, etc. Typically, the systems in the DMZ require external
connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system)
server.

Fig2: DMZ “Demilitarized Zone”

Firewall – Design Goals

All traffic from outside to inside must pass through the firewall (physically blocking all access to
the local network except via the firewall). Only authorized traffic (defined by the local security
policy) will be allowed to pass. The firewall itself is immune to penetration (through the use of a
trusted system with a secure operating system).

Firewall - Features
 Port Control: allow some (e.g., 80 for a Web server, 25 for a mail server, 21 and 20 for
FTP server) and deny others
 Network Address Translation: translates the IP addresses of internal hosts to hide them
from outside monitoring
 Application Monitoring
 Packet Filtering: rejects TCP/IP packets from unauthorized hosts and rejects connection
attempts to unauthorized services
 Data Encryption: confidentiality of outgoing packets
 Content Filtering: to block internal users from accessing certain types of content by
category, such as hate group propaganda, pornography, etc.
 Virus Scanning
 Popup advertisement blocking/Spam protection
 Spyware protection

Firewalls Design
A firewall implements a security policy, that is, a set of rules that determine what traffic can or
cannot pass through the firewall. Firewalls can therefore be categorized by methodology into two
types:
 Packet Filtering Firewall
 Application Proxy Gateway Firewall
Basic Packet Filtering Firewall: - looks at each packet entering or leaving the network and then
either accepts or rejects the packet based on user-defined rules. A packet contains a header
(source & destination IP address, protocol (port)) and a payload. The packet filter examines only
the source & destination IP address and protocol (port), but not the content of the traffic
(payload).
Packet filters look only at the headers of packets, not at the data inside the packets. A packet
filter rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to
unauthorized services.
Application Proxy Gateway Firewall: - examines the content of the traffic as well as the ports
and IP addresses.
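An added example, not part of the original notes, contrasting the two methodologies: a header-only packet filter with an ordered, default-deny rule set, and an application proxy gateway that additionally checks that what is sent to port 80 is really an HTTP request. The rule set, the DMZ addresses (192.0.2.x, documentation addresses) and the sample packets are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR network; "0.0.0.0/0" means any source
    dst: str              # CIDR network
    dport: Optional[int]  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """Header-only comparison; the payload is never consulted here."""
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport))


# Constructed rule set for a DMZ (addresses are assumed for the example).
# Order matters: the first matching rule wins and the last rule denies everything else.
RULES: List[Rule] = [
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80),  # DMZ web server
    Rule("allow", "tcp", "0.0.0.0/0", "192.0.2.20/32", 25),  # DMZ mail server
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),     # explicit default deny
]


def packet_filter(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Packet-filtering decision: looks at addresses, protocol and port only."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit default deny if no rule matched at all


# What an HTTP request is expected to start with (method, path, version).
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) /\S* HTTP/1\.[01]\r\n")


def application_proxy(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Application proxy gateway decision: header rules first, then the content
    must really be the protocol the allowed port is meant for."""
    if packet_filter(pkt, rules) != "allow":
        return "deny"
    if pkt.dport == 80 and not HTTP_REQUEST_LINE.match(pkt.payload):
        return "deny"  # something other than HTTP is riding on port 80
    return "allow"


# Constructed sample packets (documentation addresses, not real hosts).
WEB_REQUEST = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
NON_HTTP_ON_80 = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                        b"\x16\x03\x01 binary data that is not an HTTP request")
SSH_TO_WEB = Packet("198.51.100.7", "192.0.2.10", "tcp", 22, b"SSH-2.0-client")


if __name__ == "__main__":
    for name, pkt in [("web request", WEB_REQUEST), ("non-HTTP on port 80", NON_HTTP_ON_80),
                      ("ssh to web server", SSH_TO_WEB)]:
        print(f"{name:22s} filter={packet_filter(pkt):5s} proxy={application_proxy(pkt)}")
```

The packet filter passes the non-HTTP payload because port 80 is allowed and it never reads the data; only the proxy, which inspects content, rejects it.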

Firewall Location
A firewall can be internal or external. An external firewall is placed at the edge of a local or
enterprise network, just inside the boundary router that connects to the Internet. More internal
firewalls protect the main part of the enterprise network.

The external firewall provides a measure of access control and protection for the DMZ systems
consistent with their need for external connectivity. It also provides a basic level of protection
for the remainder of the enterprise network.

Internal firewalls:

1. The internal firewall adds more stringent filtering capability, compared to the external
firewall, in order to protect enterprise servers and workstations from external attack. The
internal firewall provides two-way protection with respect to the DMZ.

 First, the internal firewall protects the remainder of the network from attacks
launched from DMZ systems. Such attacks might originate from worms, bots, or
other malware lodged in a DMZ system.
 Second, an internal firewall can protect the DMZ systems from attack from the
internal protected network
2. Multiple internal firewalls can be used to protect portions of the internal network from
each other.
3. For example, firewalls can be configured so that internal servers are protected from
internal workstations and vice versa.

Virtual Private Networks
A VPN consists of a set of computers that are interconnected by means of a relatively unsecured
network and that make use of encryption and special protocols to provide security. At each
corporate site, workstations, servers, and databases are linked by one or more LANs. There are
three different protocols that are used to create VPNs: Point-to-Point Tunneling Protocol (PPTP),
Layer 2 Tunneling Protocol (L2TP), and IP Security (IPsec).

 Point-to-Point Tunneling Protocol (PPTP): The Point-to-Point Tunneling Protocol (PPTP) is a
network protocol used to create VPN tunnels between public networks. PPTP servers are also known
as Virtual Private Dialup Network (VPDN) servers. PPTP is preferred over other VPN protocols
because it is faster and it has the ability to work on mobile devices.
 Layer 2 Tunneling Protocol (L2TP): Layer Two Tunneling Protocol (L2TP) is an extension of the
Point-to-Point Tunneling Protocol (PPTP) used by internet service providers (ISPs) to enable
virtual private networks (VPNs). To ensure security and privacy, L2TP must rely on an encryption
protocol to pass within the tunnel.
 IP Security (IPsec): In computing, Internet Protocol Security is a secure network protocol suite
that authenticates and encrypts the packets of data to provide secure encrypted communication
between two computers over an Internet Protocol network. It is used in virtual private networks.

IPsec (Internet Protocol Security)


IPsec (Internet Protocol Security) is a suite of protocols and algorithms for securing data
transmitted over the internet or any public network. The Internet Engineering Task Force, or
IETF, developed the IPsec protocols in the mid-1990s to provide security at the IP layer through
authentication and encryption of IP network packets.

IPsec originally defined two protocols for securing IP packets: Authentication Header (AH) and
Encapsulating Security Payload (ESP). The former provides data integrity and anti-replay
services, and the latter encrypts and authenticates data.

The IPsec suite also includes Internet Key Exchange (IKE), which is used to generate shared
security keys to establish a security association (SA). SAs are needed for the encryption and
decryption processes to negotiate a security level between two entities. A special router or
firewall that sits between two networks usually handles the SA negotiation process.

Network Security (Ports and Protocols)


Computer Port Numbers Used in Network Communication
Computers have physical and logical (virtual) ports. Physical ports, such as the serial port,
network port and USB port, are connection points on a computing device such as a server, switch,
router or modem. They offer a physical connection and can suffer from hardware failure. On the
other hand, a logical port is an essential component of computer networking which allows a client
computer to communicate with a server on the specific port on which the service is running. Logical
ports direct network traffic to predefined locations, each of which is assigned its own unique
port number. The logical port number is used to uniquely identify a particular application; it
acts as a communication endpoint between applications. The logical port number is combined with an
IP address for communication between two applications (IP address + Port = address of a
process (service) on a host).

While IP addresses determine the physical endpoints of a network connection, port numbers
determine the logical endpoints of the connection. Port numbers are 16-bit integers with a useful
range from 1 to 65535.
A socket is an endpoint of two-way communication. A server machine may run multiple server
processes, each contactable on a different port; conversely, multiple clients may want to contact
the same port (e.g., a web server). The client creates a socket at its end, then sends a request
to the server (at the port number); the server then creates a socket at its end dedicated to that
client.

In TCP/IP and UDP networks, a port is an endpoint of a logical connection and the way a client
program specifies a specific server program on a computer in a network. According to the Internet
Corporation for Assigned Names and Numbers (ICANN), there are three categories of ports:
 Port numbers ranging from 0 to 1023: well-known ports, assigned to common protocols and services
 Port numbers ranging from 1024 to 49151: registered ports, assigned to a specific service
 Port numbers ranging from 49152 to 65535: dynamic (private, high) ports
Well-Known Port Numbers or Reserved Port Number
Only the port numbers range from 0 to 1023 are reserved for privileged services and designated
as well-known ports. This list of well-known port numbers specifies the port used by the server
process as its contact port. In a client-server application, the server usually provides its service
on a well-known port number. Well-known port numbers are a subset of the numbers which are
assigned to applications. According to RFC1700, well-known port numbers are managed by the
Internet Assigned Numbers Authority (IANA).
Port      Service Name                                   Transport Protocol
20,21     File Transfer Protocol (FTP)                   TCP
22        Secure Shell (SSH)                             TCP and UDP
23        Telnet                                         TCP
25        Simple Mail Transfer Protocol (SMTP)           TCP
50,51     IPsec                                          UDP
53        Domain Name System (DNS)                       TCP and UDP
67,68     Dynamic Host Configuration Protocol (DHCP)     UDP
69        Trivial File Transfer Protocol (TFTP)          UDP
80        Hyper Text Transfer Protocol (HTTP) server     TCP
110       Post Office Protocol (POP3), retrieve email    TCP
115       Simple File Transport Protocol (SFTP)          TCP?
119       Network News Transfer Protocol (NNTP)          TCP
123       Network Time Protocol (NTP)                    UDP
135-139   NetBIOS                                        TCP and UDP
162,162   Simple Network Management Protocol (SNMP)      TCP and UDP
179       Border Gateway Protocol (BGP)                  TCP
443       HTTPS with Secure Socket Layer (SSL)           TCP and UDP
546       DHCP Client                                    ?
547       DHCP Server                                    ?
8080      HTTP alternate
Table: Well-Known Port Numbers or Reserved Port Numbers
