Muhammad Umar (Department of Cybersecurity) 1

Rivest-Shamir-Adleman (RSA)-Algorithm
• The pioneering paper by Diffie and Hellman [DIFF76b] introduced a new approach to cryptography and, in
effect, challenged cryptologists to come up with a cryptographic algorithm that met the requirements for
public-key systems.
• Challenge was developed in 1977 by Rivest, Adi Shamir, and Len Adleman at MIT and first published in
1978 [RIVE78].
• The RSA scheme is a cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for
some n.
• A typical size for n is 1024 bits, or 309 decimal digits.
• RSA makes use of an expression with exponentials.
• Plaintext is encrypted in blocks, with each block having a binary value less than some number n.
• That is, the block size must be less than or equal to log2(n) + 1; in practice, the block size is i bits, where

Muhammad Umar (Department of Cybersecurity) 2

 Rivest-Shamir-Adleman (RSA) Here what
is Mod
n,e,d

• Both sender and receiver must know the value of n

• The sender knows the value of e, and only the receiver knows the value of d.
• this is a publickey encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}.

Muhammad Umar (Department of Cybersecurity) 3

RSA- Modular Arithmetic
If a and b are integers and m is a positive integer, we say:

This means that aa and bb leave the same remainder when divided by mm.

For example:

This is because when 17 is divided by 5, the remainder is 2.

Muhammad Umar (Department of Cybersecurity) 4

RSA- Euler’s Totient Function

When n is a prime number:

Muhammad Umar (Department of Cybersecurity) 5

RSA- Euler’s Totient Function
If a and b are coprime:

Muhammad Umar (Department of Cybersecurity) 6

RSA- Multiplicative Inverse

Muhammad Umar (Department of Cybersecurity) 7

RSA- Multiplicative Inverse

Muhammad Umar (Department of Cybersecurity) 8

 Rivest-Shamir-Adleman (RSA)-Algorithm
Cipher text

plain text

• Both sender and receiver must know the value of n

• The sender knows the value of e, and only the receiver knows the value of d.
• this is a publickey encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}.

Muhammad Umar (Department of Cybersecurity) 9

(RSA)-Algorithm

Figure 1 RSA Processing of Multiple Blocks Figure 2 Example

Muhammad Umar (Department of Cybersecurity) 10
(RSA)-Algorithm- Example
1. Key Generation

Let p=5 and q=7

1.1 Compute nnn
The modulus n is the product of p and q:

1.2 Compute Euler's Totient Function ϕ(n):

Euler's Totient Function ϕ(n) is calculated as:

Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 11

(RSA)-Algorithm- Example
1.3 Choose Public Exponent e:

Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 12

(RSA)-Algorithm- Example
1.4 Compute the Private Key d:

Public and Private Keys

•Public Key: (e,n)=(5,35)
•Private Key: (d,n)=(5,35) Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 13

(RSA)-Algorithm- Example
Plaintext Message
• Assume the plaintext message P=9

Encrypt the Message

• The ciphertext CC is calculated as:

Substitute the values P=9, e=5, and n=35:

Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 14

(RSA)-Algorithm- Example

Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 15

 (RSA)-Algorithm- Example
Decryption
• The receiver gets the ciphertext C=4.
• The plaintext P is recovered using the private key (d,n):

Figure 1 RSA Processing of Multiple Blocks

Muhammad Umar (Department of Cybersecurity) 16

(RSA)-Algorithm

Muhammad Umar (Department of Cybersecurity) 17

(RSA)-Algorithm-Example

Muhammad Umar (Department of Cybersecurity) 18

(RSA)-Algorithm-Example
Do yourself

Homework

Muhammad Umar (Department of Cybersecurity) 19

 (RSA)-Algorithm-Applications
Secure Communication Protocols
1.HTTPS
RSA is used to establish secure connections between web browsers and servers, ensuring the confidentiality
and integrity of data transmitted over the internet.
• This is indicated by the padlock icon in the address bar.
• Padlock
2. SSH
RSA is used to secure remote access to servers and other devices, protecting sensitive information from
unauthorized access.
Any Desk

Muhammad Umar (Department of Cybersecurity) 20

 (RSA)-Algorithm-Applications
3. VPNs
RSA is used to establish secure tunnels between devices and networks, allowing for private and secure
communication over public networks.

Digital Signatures
4. Emails
RSA can be used to digitally sign emails, ensuring their authenticity and preventing tampering
5. RSA can be used to digitally sign documents, ensuring their integrity and non-repudiation

Muhammad Umar (Department of Cybersecurity) 21

 (RSA)-Algorithm-Applications
Data Encryption
6. File Encryption
RSA can be used to encrypt sensitive files, protecting them from unauthorized access.
7. Database Encryption
RSA can be used to encrypt sensitive data in databases, protecting it from unauthorized access

Muhammad Umar (Department of Cybersecurity) 22

Digital Signatures
Muhammad Umar (Department of Cybersecurity) 23
 (1) calculates a hash value for the message;
(2)provides the hash value and Bob’s public key as inputs to a digital signature verification
algorithm.
Digital signatures Bob Alice

• Mathematical way of verifying the authenticity

of digital messages.
• A digital signature is a secure way to
electronically sign a document or message. It's
like a handwritten signature, but it's created
using cryptography to ensure that the document
or message is authentic and hasn't been
tampered with.
• Digital signatures based on asymmetric key.
• The digital signature provides a set of security
capabilities that would be difficult to implement
in any other way.

Muhammad Umar (Department of Cybersecurity) 24

Digital signatures-Example
Encryption (Using Bob’s Private key)
At Sender side(Bob)

QUEST Nawabshah e3cf177203db3c5d28d44d4b1079d1c6df1e67a8df0c7d96ab7c7dcf8d395ae3

Message Hash

S = 93a7b6a821c3d93f41e6b382b2f9abec27e8f6f587efcf3a82ab93c9bcf1da56

Digital Signature
At Receiver side (Alice)
QUEST Nawabshah S = 93a7b6a821c3d93f41e6b382b2f9abec27e8f6f587efcf3a82ab93c9bcf1da56
Message Digital Signature

e3cf177203db3c5d28d44d4b1079d1c6df1e67a8df0c7d96ab7c7dcf8d395ae3

Hash
Decryption (Using Bob’s Public key) 25
Digital signatures-Example
Decrypt(S, Bob's public key)

e3cf177203db3c5d28d44d4b1079d1c6df1e67a8df0c7d96ab7c7dcf8d395ae3

After Decryption
Compare both Hashes

e3cf177203db3c5d28d44d4b1079d1c6df1e67a8df0c7d96ab7c7dcf8d395ae3

=
e3cf177203db3c5d28d44d4b1079d1c6df1e67a8df0c7d96ab7c7dcf8d395ae3

The message is authentic

 Hashing-Hash Function

It is used to prove the

Hash Functions: Hash A variable-length plaintext is Integrity of the data has not
Functions (One-Way Hash hashed into a fixed-length changed. Even changing a
Functions) are used for value hash or MD (Message comma in a 1000-page
Integrity Digest). document will produce an
entirely new hash.

When 2 hashes of different

data provide the same hash. Just 1 bit change completely
It is possible, but very changes the hash.
unlikely.
SHA 1 Hash Generate

Muhammad Umar (Department of Cybersecurity) 27

Digital signatures
• In addition, it is impossible to alter the message without access to Bob’s private key, so the
message is authenticated both in terms of source and in terms of data integrity.
• Message authentication protects two parties who exchange messages from any third
party. However, it does not protect the two parties against each other. Several forms of
dispute between the two parties are possible.
1. Mary may forge a different message and claim that it came from John. Mary would
simply have to create a message and append an authentication code using the key that
John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge a message,
there is no way to prove that John did in fact send the message.

In situations where there is not complete trust between sender and receiver, something more
than authentication is needed. The most attractive solution to this problem is the digital
signature.
Muhammad Umar (Department of Cybersecurity) 28
 Digital signatures-Properties
Digital signature must have the following properties:

It must verify the author and the date and time of the signature.

It must authenticate the contents at the time of the signature.

It must be verifiable by third parties, to resolve disputes.

Muhammad Umar (Department of Cybersecurity) 29

Digital signatures-Requirement
• The signature must be a bit pattern that depends on the
message being signed.
• The signature must use some information only known to
the sender to prevent both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the
digital signature.
• It must be computationally infeasible to forge a digital
signature, either by constructing a new message for an
existing digital signature or by constructing a fraudulent
digital signature for a given message.
• It must be practical to retain a copy of the digital signature
in storage.

Muhammad Umar (Department of Cybersecurity) 22

 Secure Hash Algorithm (SHA-1)
• Secure Hash Algorithm 1, is a cryptographic hash function designed by the National
Institute of Standards and Technology (NIST) in 1993.
• It takes an input of any length and produces a 160-bit (20-byte) hash value, also known as
a message digest.
• There are 80 rounds in SHA-1
• The development of SHA-1 was part of a series of hash functions called Secure Hash
Standard (SHS), which also included SHA-0, SHA-224, SHA-256, SHA-384, and SHA-512.
• Over time, cryptographic weaknesses in SHA-1 have been discovered, making it insecure
for certain applications.
• In response to the vulnerabilities in SHA-1, NIST introduced the SHA-2 family of hash
functions, including SHA-224, SHA-256, SHA-384, SHA-512, and their variants with
different digest sizes.
Muhammad Umar (Department of Cybersecurity) 31
Secure Hash Algorithm (SHA-1)-Padding
Variable length
Fixed Length of 160
Input
SHA-1 Output

Padding
• Let message is M, divide the M message into the chunks M(m1,m2,m3…..)
• Each chunks size should be 512 bits
• The input message is divided into 512-bit blocks.
1. A '1' bit is appended to the message.
2. '0' bits are added until the length of the message (in bits) modulo 512 is 448.
3. The original message length (in bits) is appended as a 64-bit big-endian integer, filling up
the remaining 64 bits.
Muhammad Umar (Department of Cybersecurity) 32
Secure Hash Algorithm (SHA-1)-Padding
• In SHA-1 original length of the message in the padded message. This is done by
representing the original message length in binary as a 64-bit integer and appending it to
the end of the message.
• Let original message QUEST NAWABSHAH its length is (120 bits).
• Binary representation of 120 is
0000000000000000000000000000000000000000000000000000000001111000
STEP 1: Append 1 bit
• Append a '1' bit to the end of the message.
• Original Message: “QUEST Nawabshah1”
STEP 2: Add '0' bits:
• Add '0' bits until the length of the message (in bits) modulo 512 is 448.
• In this case, add 448 - (120+1) = 327 '0' bits.
Updated Message: “QUEST NAWAMuBhaSmHmaAdUHm”ar1(De0pa0rtm0e.n.t.o0fC0yb0er"sec(u3rit2y)7 zeros added) 25
 Secure Hash Algorithm (SHA-1)-Padding
STEP 3 Append Message Length (64 bits):
Updated Message: “QUEST NAWABSHAH1 000...000 000...000001111000" (64 bits added)
160 bit
W0
512 bit MSA R0
16 words Each word of 32 bit
W1
R1
W2
R2 Wt=Wt-16 ⊕ Wt-14 ⊕Wt-8 ⊕Wt-3

W3
R79

Muhammad Umar (Department of Cybersecurity)

+ 26
160 bit
Secure Hash Algorithm (SHA-1)-Working
67452301 EFCDAB89 988ACDFE 10325476 C3D2E1FO

A B C D E

f +
<<5 +
Wt
<<30 +
Kt
+

A B C D E

Muhammad Umar (Department of Cybersecurity) 35

Secure Hash Algorithm (SHA-1)-Working

Value of K(t) F function operation on B,C and D

• K(t) = 5A827999, where 0 ≤ t ≤ 19 • (B 𝖠 C) ∨ ((¬B) 𝖠 D)
• K(t)=6ED9EBA1 where 20 ≤ t ≤ 39 • B⊕C⊕D
• K(t)=8F1BBCDC, where 40 ≤ t ≤ 59 • (B 𝖠 C) ∨ (B 𝖠 D) ∨ (C 𝖠 D)
• K(t)=CA62C1D6, where 60 ≤ t ≤ 79 • B⊕C⊕D

Muhammad Umar (Department of Cybersecurity) 36

Muhammad Umar (Department of Cybersecurity) 37
 SHA-1 Applications
• Digital signatures
• Password Storage
For years, SHA-1 was often used to store password hashes in databases. While not ideal due
to collision vulnerability.
• Secure Communications
Protocols like TLS and SSL used SHA-1 to check data integrity during secure communication
channels.
• Checksums
• Bitcoin Mining
In early versions of Bitcoin mining, SHA-1 was used as the proof-of-work algorithm to secure
the network.
Muhammad Umar (Department of Cybersecurity) 38
Message Digest 5 (MD5) Algorithm
• Cryptographer Ronald Rivest, known for his contributions to RSA
encryption, designed MD5 as an improvement upon its predecessor,
MD4.
• MD4 was deemed insecure due to potential weaknesses discovered
by Hans Dobbertin.
• MD5 aimed to be a more robust and secure hashing function for
verifying data integrity and generating digital signatures.
• MD5 was published in RFC 1321
• MD5, or Message Digest 5, is a cryptographic hash function that takes
data of any length and produces a 128-bit fixed-size hash as output.
• The MD5 hashing algorithm converts data into a string of 32
characters. For example, the word QUEST always generates this hash:
87bcc1d9855b435de7f394c36416a5e1.

Muhammad Umar (Department of Cybersecurity) 31

 (MD5) Algorithm- Working –STEPS
• STEP1-Padding
Padding bits are added to the input message to ensure its length is 64 bits short of a multiple of 512. The padding begins
with a ‘1’ bit followed by zeroes before appending the original message length in binary.
• Let original message CYS its length is (24 bits).
• Binary representation of 24 is 0000000000000000000000000000000000000000000000000000000000011000
STEP 1: Append 1 bit
• Append a '1' bit to the end of the message.
• Original Message: “CYS1”
STEP 2: Add '0' bits:
• Add '0' bits until the length of the message (in bits) modulo 512 is 448.
• In this case, add 448 - (24+1) = 423 '0' bits.
Updated Message: “QUEST NAWABSHAH”1 000...000" (423 zeros added)
STEP 3 Append Message Length (64 bits):
Updated Message: “QUEST NAWABSHAH1 000...000 000...000000011000" (64 bits added)
Muhammad Umar (Department of Cybersecurity) 40
 (MD5) Algorithm- Working –STEPS
• STEP 2 Divide Message into blocks
Divide into Blocks: The padded data is divided into 512-bit blocks.
• STEP 3 Initialized MD Buffer
Four 32-bit buffers (A, B, C, D) are initialized with specific hexadecimal values. These variables will be used to
accumulate the results of processing each data block.
A=01234567
B=89ABCDEF
This is used as a initial Value
C=FEDCВА9
8
• STEP 4 Round Processing D=76543210
Each 512-bit block is processed in four rounds of 16 operations.
• STEP 5 Final Hash Value
The final values of A, B, C, and D are combined to generate the 128-bit hash value.
Muhammad Umar (Department of Cybersecurity) 41
(MD5)
Algorithm-
Working

Muhammad Umar (Department of Cybersecurity) 34

(MD5) Algorithm- Working

• (B 𝖠 C) ∨ ((¬B) 𝖠 D)
• B⊕C⊕D
• (B 𝖠 C) ∨ (B 𝖠 D) ∨ (C 𝖠 D)
• B⊕C⊕D

B田((A 田 Function (B,C,D) X[ ] T[i]))<<<s

Muhammad Umar (Department of Cybersecurity) 35

(MD5) Algorithm- Working
K1 – D76AA478 K21 – D62F105D K41 – 289B7EC6 K61 – F7537E82
K2 – E8C7B756 K22 – 02441453 K42 – EAA127FA K62 – BD3AF235
K3 – 242070DB K23 – D8A1E681 K43 – D4EF3085 K63 – 2AD7D2BB
K4 – C1BDCEEE K24 – E7D3FBC8 K44 – 04881D05 K64 – EB86D391
K5 – F57COFA K25 – 21E1CDE6 K45 – D9D4D039
K6 – 4787C62A K26 – C33707D6 K46 – E6DB99E5
K7 – A8304613 K27 – F4D50D87 K47 – 1FA27CF8
K8 – FD469501 K28 – 455A14ED K48 – C4AC5665
K9 – 698098D8 K29 – A9E3E905 K49 – F4292244
K10 – 8B44F7AF K30 – FCEFA3F8 K50 – 432AFF97
K11 – FFFF5BB1 K31 – 676F02D9 K51 – AB9423A7
K12 – 895CD7BE K32 – 8D2A4C8A K52 – FC93A039
K13 – 6B901122 K33 – FFFA3942 K53 – 655B59C3
K14 – FD987193 K34 – 8771F681 K54 – 8F0CCC92
K15 – A679438E K35 – 699D6122 K55 – FFEFF47D
K16 – 49B40821 K36 – FDE5380C K56 – 85845DD1
K17 – F61E2562 K37– A4BEEA44 K57 – 6FA87E4F
K18 – C040B340 K38 – 4BDECFA9 K58 – FE2CE6E0
K19 – 265E5A51 K39 – F6BB4B60 K59 – A3014314
K20 – E9B6C7AA K40M–uhaBmEmaBdFUmBaCr(D7e0partmentof CybersecKur6ity0) – 4E0811A1 36
(MD5) Algorithm- Working

Muhammad Umar (Department of Cybersecurity) 45

 Authentication
• Authentication is the process of verifying who someone is, similar to how we confirm
someone's identity in the real world before granting them access to something.
TYPES OF AUTHENTICATION
1. Something you know - Type 1 Authentication (passwords, pass phrase,
PIN, etc.).
Examples:
• Unlocking your phone with a PIN.
• Logging into your email with
• your username and password.

Muhammad Umar (Department of Cybersecurity) 46

Authentication
• Passwords, pass phrase, PIN etc., also called
Knowledge factors.
• This is the most commonly used form of
authentication, and a password is the most
common knowledge factor.
• It is the weakest form of authentication and can
easily be compromised.
• The user is required to prove knowledge of a
secret in order to authenticate.

Muhammad Umar (Department of Cybersecurity) 47

Authentication-Password
• It is always easier to guess or steal passwords than it is to break
the encryption.
• We have password policies to ensure they are as secure as
possible.
• They should contain minimum length, upper/lower case letters,
numbers, and symbols, they should not contain full words or
other easy to guess phrases.
• They have an expiration date, password reuse policy and
minimum use before users can change it again.
Common and less secure passwords often contain:
• The name of a pet, child, family member, significant other,
anniversary dates, birthdays, birthplace, favorite holiday,
something related to a favorite sports team, or the word
"password".
• Winter2024 is not a good password, even if it does fulfil the
password requirements. Muhammad Umar (Department of Cybersecurity) 40
Authentication-Password Management
• We covered some password requirements, here are the official
recommendations by the U.S. Department of Defense and
Microsoft.
→ Password history = set to remember 24 passwords.
→ Maximum password age = 90 days.
→ Minimum password age = 2 days
→ Minimum password length = 14 characters.
→ Passwords must meet complexity requirements = true.
→ Store password using reversible encryption = false.

Muhammad Umar (Department of Cybersecurity) 41

Authentication-Something you have
• Unique physical or behavioral traits that are like your personal
fingerprint for the digital world.
• ID, passport, smart card, token, cookie on PC, these are called
Possession factors.
Smart Cards and Tokens (contact or contactless):
They contain a computer circuit using an ICC (Integrated Circuit Chip).
Contact Cards:
• Inserted into a machine to be read.
• This can be credit cards you insert into the chip reader or the DOD
CAC (Common Access Card).
Contactless Cards:
• Can be read by proximity.
• Key fobs or credit cards where you just hold it close to a reader.
• hey use a RFID (Radio Frequency Identification) tag (transponder)
which is then read by a RFID TransceMiuvheamr.madUmar (Department of Cybersecurity) 42
Authentication-Something you have
Magnetic Stripe Cards:
Swiped through a reader, no circuit.
Very easy to duplicate.
Tokens:
HOTP and TOTP can be either hardware or software based.
HOTP (HMAC-based One-Time Password):
Shared secret and incremental counter,
generate code when asked, valid till used.
TOTP (Time-based One-Time Password):
Time based with shared secret, often generated
every 30 or 60 seconds, synchronized clocks are critical.

Muhammad Umar (Department of Cybersecurity) 51

Authentication-Something you Are
• Fingerprint, iris scan, facial geometry etc., these are also called
realistic authentication.
• Something that is unique to you, this one comes with more issues
than the two other common authentication factors.
• We can allow unauthorized people into our facilities or systems if
we accept someone by mistake. (False Accept)
• We can prevent our authorized people from entering our facilities if
we refuse them by mistake. (False Reject).

Muhammad Umar (Department of Cybersecurity) 52

Authentication-Something you Are
• Biometric identifiers are often categorized as
physiological and behavioral characteristics.
• Physiological Characteristics uses the shape of the
body, these do not
• change unless a drastic event occurs.
• Fingerprint, palm veins, facial recognition, DNA, palm
print, hand geometry, iris recognition, retina, and
odor.
• Behavioral Characteristics uses the pattern of
behavior of a person, these can change, but most
often revert back to the baseline.
• Typing rhythm, how you walk, signature and voice.
Muhammad Umar (Department of Cybersecurity) 53
Muhammad Umar (Department of Cybersecurity) 54
IPS/IDS
•IDS’s (Intrusion Detection Systems) and IPS’s (Intrusion
Prevention Systems) on our network to capture and
alert or block traffic seen as malicious.
•Network-Based, placed on a network segment (a switch
port in promiscuous mode).
• Host-Based, on a client, normally a server or
workstation.
•Signature (Pattern) Matching, similar to anti-virus, it
matches traffic against a long list of known malicious
traffic patterns.
•Heuristic-Based (Behavioral), uses a normal traffic
pattern baseline to monitor for abnormal traffic.

Muhammad Umar (Department of Cybersecurity) 55

Intrusion Prevention System-IPS
IPS (Intrusion Prevention System):
• Similar to IDS, but they also take action to malicious traffic,
what they do with the traffic is determined by configuration.
•Events trigger an action, drop/redirect traffic, often combined
with the trigger monitoring/administrator warnings, emails,
or text messages.
•One of the most popular and well-established open-source
IPS is Snort. It is a signature-based system that uses pre-
defined rules to identify and block malicious traffic.
• Suricata
• Bro
• Failtoban

Muhammad Umar (Department of Cybersecurity) 56

 Intrusion Detection System-IDS
• Monitors for abnormal activity indicating potential intrusions
• automates inspection of logs & events for suspicious activity
• Works with other security measures (firewalls) but doesn't replace them
• Detects external & internal attacks.
• Sends alerts or alarms upon detection.
• Aims for timely & accurate response to intrusions.
Host based IDS
Monitors individual computer activity, including:
• Process calls (Malware execution , Unauthorized access attempts,Privilege escalation)
• System logs (Suspicious login attempts, Unauthorized system changes, Service disruptions)
• Application logs (Application crashes or errors,Unusual application behavior, Unauthorized access attempts)
• Security logs (Identify attack attempts, Investigate potential security breaches)
• Host-based firewall logs (Detect unauthorized network connections, Identify suspicious communication patterns
,Investigate potential network-based attacks)
Muhammad Umar (Department of Cybersecurity) 57
Host Intrusion
Detection System-HIDS
• Can pinpoint compromised files and attacker
processes
• More costly to manage than NIDS (requires
individual system attention)
• Cannot detect network attacks on other
systems
• HIDS offers valuable insights into individual
system activity.
• HIDS offers valuable insights into individual
system activity.

Muhammad Umar (Department of Cybersecurity) 49

Network Intrusion Detection System-IDS
• Monitors and analyzes network activity for suspicious activity
and potential attacks.
• Cannot see inside encrypted traffic, but can analyze other
packet details.
• Uses remote sensors at key network points to collect data and
send it to a central console.
• Sensors can monitor traffic at routers, firewalls, switches, and
network taps.
• Has minimal impact on network performance.
• Monitors large networks effectively.
• Detects potential attacks in real-time.

Muhammad Umar (Department of Cybersecurity) 50

Signature/Heuristic-Based (Behavioral)
based Intrusion Prevention System-IDS
Signature based IDS
• Looks for known malware signatures.
• Faster since they just check traffic against malicious signatures.
• Easier to set up and manage, someone else does the signatures for
us
• They are completely vulnerable to 0-day attacks and have to be
updated constantly to keep up with new vulnerability patterns
Heuristic Based IDS
• Looks for abnormal behavior - can produce a lot of false positives.
• Traffic not matching the baseline is handled depending on settings,
they can take a lot of tweaking.
• Can detect 'out of the ordinary' activity, not just attacks.
• Takes much more work and skills.

Muhammad Umar (Department of Cybersecurity) 51

 Firewalls
• A firewall typically establishes a barrier between a trusted,
secure internal network, and another outside network, like
the Internet.
• A firewall is a network security system that monitors and
filters incoming and outgoing traffic based on pre-defined
rules or security policies.

Muhammad Umar (Department of Cybersecurity) 61

 Packet filtering Firewalls
• Packet filters act by inspecting the "packets" which are
transferred between clients.
• If a packet does not match the packet filter's set of filtering
rules, the packet filter will drop the packet or reject it and
send error responses to the source.
• Any packet that matches one of the Permits is allowed to pass.
• Rules are checked in order; the attacker's traffic is dropped on
the 3rd filter rule. Drop anything trying to access 100.1.1.100.
• The internal machines can access the server since their IPs are
whitelisted in the first rule.

Muhammad Umar (Department of Cybersecurity) 62

 Packet filtering Firewalls
• Packet filtering firewalls are usually part of a router firewall,
which permits or denies traffic based on Layer 3 and Layer 4
information.
• They are stateless firewalls that use a simple policy table look-up
that filters traffic based on specific criteria.
• For example, SMTP servers listen to port 25 by default. An
administrator can configure the packet filtering firewall to block
port 25 from a specific workstation to prevent it from
broadcasting an email virus.

Muhammad Umar (Department of Cybersecurity) 63

 PROS

•Packet filters implement simple permit or deny rule sets.

•Packet filters have a low impact on network performance.
•Packet filters are easy to implement, and are supported by
most routers.
•Packet filters provide an initial degree of security at the
network layer.
Packet •Packet filters perform almost all the tasks of a high-end firewall
at a much lower cost.

filtering CONS

Muhammad Umar (Department of Cybersecurity)

• Packet filters are susceptible to IP spoofing. Threat actors can send
Firewalls-Pros arbitrary packets that meet ACL criteria and pass through the filter.
• Packet filters do not reliably filter fragmented packets. Because
fragmented IP packets carry the TCP header in the first fragment and

& Cons packet filters filter on TCP header information, all fragments after the
first fragment are passed unconditionally. Decisions to use packet filters
assume that the filter of the first fragment accurately enforces the
policy.
• Packet filters use complex ACLs, which can be difficult to implement and
maintain.
• Packet filters cannot dynamically filter certain services. For example,
sessions that use dynamic port negotiations are difficult to filter without
opening access to a whole range of ports.

56
 Stateful filtering Firewalls
• Records all connections passing through and determines
whether a packet is the start of a new connection, a part of an
existing connection or not part of any connection.
• Static rules are still used, these rules can now contain
connection state as one of their criteria.
• Some DOS attacks bombard the firewall with thousands of fake
connection packets trying to overwhelm the firewall by filling
its connection state memory.
• Stateful firewalls are the most versatile and the most common
firewall technologies in use. Stateful firewalls provide stateful
packet filtering by using connection information maintained in
a state table. Stateful filtering is a firewall architecture that is
classified at the network layer. It also analyzes traffic at OSI
Layer 4 and Layer 5.

Muhammad Umar (Department of Cybersecurity) 57

 PROS

• Stateful firewalls are often used as a primary means of defense by

filtering unwanted, unnecessary, or undesirable traffic.
• Stateful firewalls strengthen packet filtering by providing more stringent
control over security.
• Stateful firewalls improve performance over packet filters or proxy
servers.
• Stateful firewalls defend against spoofing and DoS attacks by
determining whether packets belong to an existing connection or are

Stateful filtering from an unauthorized source.

• Stateful firewalls provide more log information than a packet filtering
firewall.

Muhammad Umar (Department of Cybersecurity)

Firewalls-Pros CONS

•Stateful firewalls cannot prevent application layer attacks

and cons because they do not examine the actual contents of the HTTP
connection.
•Not all protocols are stateful. For example, UDP and ICMP do
not generate connection information for a state table, and,
therefore, do not garner as much support for filtering.
•It is difficult to track connections that use dynamic port
negotiation. Some applications open multiple connections. This
requires a whole new range of ports that must be opened to
allow this second connection.
•Stateful firewalls do not support user authentication.
58
 Next Generation Firewall
Next-generation firewalls (NGFW) go beyond stateful firewalls by
providing:
• Integrated intrusion prevention
• Application awareness and control to see and block risky apps
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats

Muhammad Umar (Department of Cybersecurity) 60

Firewall in Network Design
• Firewall design is primarily about device interfaces permitting or denying traffic
based on the source, the destination, and the type of traffic. Some designs are as
simple as designating an outside network and inside network, which are
determined by two interfaces on a firewall.
Common Firewalls Design
1. Private and Public
2. Demilitarized zone
3. Zone Based Policy Firewalls

Muhammad Umar (Department of Cybersecurity) 68

 Firewall in Network Design-Private and public
• As shown in the figure, the public network (or outside network) is untrusted, and the
private network (or inside network) is trusted.
Typically, a firewall with two interfaces is configured as follows:
• Traffic originating from the private network is permitted and inspected as it travels
toward the public network. Inspected traffic returning from the public network and
associated with traffic that originated from the private network is permitted.
• Traffic originating from the public network and traveling to the private network is
generally blocked.

Muhammad Umar (Department of Cybersecurity) 69

 Firewall in Network Design-Demilitarized Zone
• A demilitarized zone (DMZ) is a firewall design where there is typically
one inside interface connected to the private network, one outside
interface connected to the public network, and one DMZ interface, as
shown in the figure.
• Traffic originating from the private network is inspected as it travels
toward the public or DMZ network. This traffic is permitted with little or
no restriction. Inspected traffic returning from the DMZ or public
network to the private network is permitted.
• Traffic originating from the DMZ network and traveling to the private
network is usually blocked.
• Traffic originating from the DMZ network and traveling to the public
network is selectively permitted based on service requirements.
• Traffic originating from the public network and traveling toward the
DMZ is selectively permitted and inspected. This type of traffic is
typically email, DNS, HTTP, or HTTPS traffic. Return traffic from the DMZ
to the public network is dynamically permitted.
• Traffic originating from the public network and traveling to the private
network is blocked. Muhammad Umar (Department of Cybersecurity) 63
Firewall in Network Design-Demilitarized Zone

Muhammad Umar (Department of Cybersecurity) 63