Unit 4 – Network Security

• Basic Concepts of Network Security

1. Confidentiality
Definition: Ensures that data is only accessible to authorized users and not to
any unauthorized individuals or systems.
Example: Encryption of sensitive information like passwords or financial data
so that even if intercepted, it cannot be read.
2. Integrity
Definition: Ensures that data remains accurate, consistent, and unaltered
during transmission or storage.
Example: Hash functions or digital signatures used to verify that data has not
been tampered with.
3. Availability
Definition: Ensures that data and network resources are available to
authorized users when needed.
Example: Protecting against Denial of Service (DoS) attacks that try to make
resources unavailable to legitimate users.
4. Authentication
Definition: The process of verifying the identity of a user, device, or system.
Example: Passwords, biometrics, or two-factor authentication (2FA) methods
that verify the legitimacy of users before allowing access.
5. Authorization
Definition: The process of granting access to specific resources based on the
identity of the authenticated user or system.
Example: A user might be authenticated but only authorized to access
specific files or directories, based on their role.
6. Non-repudiation
Definition: Ensures that a party cannot deny the authenticity of their actions,
such as sending a message or making a transaction.
Example: Digital signatures and logs that can be used to prove actions taken
by a specific entity.
Types of network attacks:
1. Interruption
Definition: Interruption refers to attacks that disrupt the normal operation of
the network or make services unavailable.
Objective: The goal of interruption is to prevent legitimate users from
accessing services or resources.
Examples:
Denial of Service (DoS) Attack: The attacker floods the target server or
network with excessive requests to overwhelm its resources, causing it to
crash or become unavailable.
Distributed Denial of Service (DDoS): Similar to DoS but from multiple
distributed sources, making it harder to block the attack.
2. Interception
Definition: Interception refers to unauthorized access to data or
communication as it travels over the network.
Objective: The aim is to capture or eavesdrop on sensitive information.
Examples:
Packet Sniffing: An attacker captures network packets to access confidential
data, such as passwords or credit card information.
Man-in-the-Middle (MitM) Attack: The attacker secretly relays and possibly
alters the communication between two parties who believe they are directly
communicating with each other.
3. Modification
Definition: Modification involves altering the data being transmitted over the
network.
Objective: The goal is to corrupt or change the data so that it is no longer
accurate, or to insert malicious content.
Examples:
Man-in-the-Middle (MitM) Attack (again): Not only intercepting the
communication but also altering it before sending it to the intended
recipient.
Data Corruption: Attackers alter files or messages being transmitted to
change their meaning or cause errors.
4. Fabrication
Definition: Fabrication refers to creating false data or messages to deceive
the receiver.
Objective: The aim is to introduce new, fake information into the system or
network.
Examples:
Fake DNS Entries: An attacker may fabricate DNS responses to redirect users
to malicious websites.
Replay Attacks: Attackers intercept valid data and resend it, trying to deceive
the recipient into believing it is a new, legitimate message.
What is an Intrusion Detection System (IDS)?
An Intrusion Detection System (IDS) is a security technology designed to
monitor and detect unauthorized or malicious activities within a network or
computer system. It acts as a network defense mechanism to identify
potential threats, providing early warnings to system administrators. IDS can
track various activities such as attempts to gain unauthorized access,
malware infections, and other abnormal activities that may indicate a
security breach.

Need for Intrusion Detection System:

Protection Against Malicious Attacks:
IDS helps in detecting cyber-attacks, unauthorized access, or vulnerabilities in
a system. These attacks could include viruses, worms, or more advanced
threats like DDoS (Distributed Denial of Service) attacks.
Early Detection:
IDS provides early warnings, allowing administrators to take preventive
measures before damage is done. Early detection reduces the time attackers
have within a network to exploit vulnerabilities.
Compliance:
Many industries require systems to comply with specific security standards
(e.g., PCI-DSS, HIPAA). IDS helps organizations meet compliance
requirements by monitoring and reporting malicious activities.
Incident Response:
An IDS assists in identifying attack vectors and the methods used, aiding in a
swift and informed response. This helps in minimizing damage and
preventing future attacks.
Improved Monitoring:

It continuously monitors network traffic and system activities, offering real-

time surveillance that manual methods can't match, making detection of
complex attacks easier.
Forensic Investigation:
After an attack, the logs and data from the IDS can be invaluable for
investigating the attack's source, nature, and impact. It helps in recovering
lost data and improving system defenses for the future.
Types of Intrusion Detection Systems:
There are two primary categories of IDS based on their operating mechanism
and the nature of monitoring:
1. Network-based IDS (NIDS):
Description: Monitors network traffic for suspicious activity and detects
attacks by analyzing traffic across different network segments.
Deployment: Installed at key points within the network, such as firewalls or
routers, to monitor the flow of data between different network segments.
Use Case: Best suited for large-scale networks where network-wide attacks
are more likely, such as DDoS or malware infections.
Advantages: Can detect external threats in real time and can monitor
multiple devices or systems on the network.
Limitations: May not be effective at detecting threats that are internal to the
system (e.g., employee misconduct) or encrypted traffic.
2. Host-based IDS (HIDS):
Description: Focuses on monitoring and analyzing activities on individual
hosts (e.g., servers, computers). It looks at system logs, file integrity, and
processes for signs of suspicious activity.
Deployment: Installed on specific devices or servers to monitor and analyze
behaviors such as file access, process execution, and system configuration
changes.
Use Case: Useful in environments where monitoring individual system
activity is critical, such as with sensitive data or critical infrastructure.
Advantages: Provides deeper insights into system activities, better at
detecting internal threats, and can monitor encrypted communications.
Limitations: Limited to the scope of the host it is installed on, so it may not
provide a complete network-wide view.
3. Signature-based IDS:
Description: Detects intrusions by comparing network traffic or system
activity to a database of known attack patterns (signatures).
Deployment: Can be deployed as either a NIDS or HIDS solution.
Use Case: Effective against known threats with identifiable patterns, such as
specific types of malware or viruses.
Advantages: Low false positive rate since it only looks for known attack
patterns.
Limitations: Cannot detect new or unknown attacks (zero-day attacks), as
they don't match any predefined signatures.
4. Anomaly-based IDS:
Description: Establishes a baseline of normal activity for a system or network
and detects deviations from this baseline. It uses machine learning or
statistical methods to identify unusual behavior that could indicate an attack.
Deployment: Works in both NIDS and HIDS systems and can detect previously
unknown attack patterns.
Use Case: Ideal for detecting new or evolving threats that don't have
predefined signatures.
Advantages: Can detect zero-day attacks and novel threats.
Limitations: Higher false positive rate, as benign activities that deviate from
normal behavior might be flagged as malicious.
5. Hybrid IDS:
Description: Combines both signature-based and anomaly-based detection
techniques to improve detection accuracy and minimize false positives.
Deployment: Used in larger, more complex environments where the
advantages of both methods are needed.
Use Case: Useful for organizations that need both high accuracy (signature-
based) and the ability to detect new threats (anomaly-based).
Advantages: Offers the benefits of both signature detection (low false
positives) and anomaly detection (identifies unknown threats).
Limitations: More complex to configure and manage.
What is a Virtual Private Network (VPN)?
A Virtual Private Network (VPN) is a technology that creates a secure,
encrypted connection over a less secure network, such as the public internet.
It enables users to send and receive data as if their devices were directly
connected to a private network. VPNs help protect privacy, ensure security,
and allow remote access to resources in a private network, even when the
user is geographically distant.
Types of VPNs and Their Usage
VPNs come in different types based on their architecture, implementation,
and usage. Below are the main types of VPNs:
1. Remote Access VPN
Concept: A Remote Access VPN allows individual users to connect securely to
a private network over the internet. This is most commonly used by remote
workers or employees working from home.
Usage:
Employees can access company resources, internal applications, and files
while working from remote locations.
It is commonly used by organizations to facilitate secure connections for
employees working outside the office.
Ideal for accessing network resources securely when traveling or working
from public networks (e.g., cafes, airports).
Example: An employee connects to their company’s intranet from home to
access internal systems, email, and databases.

2. Site-to-Site VPN
Concept: A Site-to-Site VPN is used to securely connect entire networks, such
as one office location to another. It is typically used by organizations with
multiple branches or remote offices to ensure secure communication
between them.

Usage:
Enables branch offices to securely connect to the central office network, as if
they were on the same local area network (LAN).
Typically used for interconnecting different office locations or data centers
over the internet.
Ensures that sensitive data is encrypted when transmitted between different
locations.
Example: A company with offices in different cities establishes a Site-to-Site
VPN to securely link the office networks, allowing data sharing and
communication.

3. PPTP (Point-to-Point Tunneling Protocol) VPN

Concept: PPTP is an older VPN protocol that creates a tunnel between the
user and the destination network. It is one of the simplest VPN protocols but
has known security vulnerabilities, which makes it less secure compared to
more modern protocols.

Usage:
Often used in environments where ease of use and compatibility with older
systems are prioritized over security.
Commonly used for basic, low-risk remote access needs.
Example: Used in older or less secure systems where high-level encryption
isn't needed, such as connecting to an office network from a personal
computer.

4. L2TP/IPsec (Layer 2 Tunneling Protocol with Internet Protocol Security)

Concept: L2TP is a tunneling protocol that is often paired with IPsec (Internet
Protocol Security) to provide enhanced security. It encrypts the data being
transmitted while also tunneling it, making it more secure than PPTP.

Usage:
Suitable for scenarios where better security is needed than PPTP provides.
Commonly used for secure remote access, especially in corporate
environments.
A standard choice for applications that require secure communication over
potentially untrusted networks.
Example: A remote employee connects to a corporate network using
L2TP/IPsec to securely access sensitive files.

5. OpenVPN
Concept: OpenVPN is an open-source, highly configurable VPN protocol that
uses SSL/TLS for encryption. It is known for its flexibility and strong security
features.
Usage:
OpenVPN is widely used for both personal and corporate VPNs because it
provides robust encryption and supports various platforms.
It can operate over UDP (User Datagram Protocol) or TCP (Transmission
Control Protocol), making it adaptable to different network conditions.
OpenVPN can be configured for both remote access and site-to-site VPNs.
Example: A business uses OpenVPN to allow employees to securely access
company resources from remote locations or for connecting offices to each
other.
Firewall: Concept, Types, and Importance
Concept of a Firewall
A firewall is a security system designed to monitor and control incoming and
outgoing network traffic based on predetermined security rules. Its primary
role is to act as a barrier or filter between a trusted internal network and an
untrusted external network (such as the internet), blocking potential threats
while allowing legitimate communications. Firewalls can be hardware
devices, software applications, or a combination of both.

Firewalls perform three primary tasks:

Traffic Filtering: Firewalls filter data packets based on specific criteria (like IP
addresses, ports, or protocols) to allow or block traffic.
Traffic Monitoring: They monitor network activity for unusual or suspicious
behavior and can trigger alerts or automatic actions.
Access Control: They enforce access control policies by restricting which
devices or users can access certain resources.
Types of Firewalls
Packet-Filtering Firewalls:

Description: The most basic type of firewall. It inspects packets of data (basic
units of network communication) to determine if they meet security criteria.
How it Works: It checks the header of each packet, such as the source and
destination IP address, port numbers, and protocol type, to decide whether
to allow or block the packet.
Advantages: Fast and efficient.
Disadvantages: Lacks deep inspection, cannot detect sophisticated attacks
(e.g., application-level attacks).
Stateful Inspection Firewalls:
Description: These firewalls are more advanced than packet-filtering
firewalls. They track the state of active connections and make decisions
based on the context of traffic (state of the connection).
How it Works: It not only examines packet headers but also keeps track of
connection states (e.g., whether a packet is part of an existing connection).
Advantages: More secure than packet-filtering, and can detect a broader
range of threats.
Disadvantages: Can be more resource-intensive.
Proxy Firewalls (Application-Level Gateways):

Description: These firewalls work by acting as an intermediary between a

client and the server. When data is sent, the firewall retrieves it on behalf of
the user, inspects it, and then forwards it.
How it Works: They perform deep inspection of network traffic at the
application layer and can analyze content, blocking malicious payloads.
Advantages: Provides detailed security, as it can filter at the application
layer.
Disadvantages: Slower due to the need to analyze the full application data.
Next-Generation Firewalls (NGFW):

Description: These firewalls integrate traditional firewall features with

additional functionalities like intrusion prevention, application awareness,
and deep packet inspection.
How it Works: They include advanced features such as URL filtering, DNS
filtering, and malware detection alongside traditional firewall duties.
Advantages: Comprehensive protection, with the ability to detect
sophisticated threats.
Disadvantages: More expensive and resource-intensive.
Hybrid Firewalls:

Description: A combination of different firewall types, such as integrating

stateful inspection with application-layer filtering.
How it Works: These firewalls offer a layered approach, providing a mix of
performance and advanced security features.
Advantages: Tailored to meet specific security requirements.
Disadvantages: Complexity in configuration and management.
Cloud Firewalls:

Description: Firewalls designed to protect cloud-based infrastructures. These

can be either physical or virtual firewalls located in the cloud.
How it Works: It monitors and filters traffic going to and from cloud
environments, including public and private clouds.
Advantages: Scalable and flexible.
Disadvantages: Dependent on the cloud service provider for management
and configuration.