Lecture 3 - Network Security Techniques

Network security techniques include firewalls, intrusion detection systems, virtual private networks, anti-virus software, and cryptography. Firewalls act as a barrier between a private network and the Internet, examining incoming and outgoing traffic and blocking what the security policy does not permit. Intrusion detection systems monitor network or host activity for unauthorized use and alert on it; some can also respond automatically to a suspected breach. A demilitarized zone (DMZ) is a separately firewalled segment that holds publicly accessible servers, keeping them apart from the internal private network.

Uploaded by Henry Chipinda

Network security techniques

1
Network security techniques
These are techniques designed to address issues
of network security. They can be implemented as
hardware or software and include:
•Firewalls
•Intrusion Detection Systems (IDS)
•Virtual Private Networks (VPN)
•Anti-virus
•Cryptography

2
1) Firewalls
•A firewall is a system designed to prevent unauthorized access to
(or from) a private network.
•Firewalls can be implemented in either hardware or software, OR
a combination of both.
•Firewalls can be an effective means of protecting a local system
from network-based security threats
•All messages entering or leaving the intranet pass through the
firewall, which examines each message and blocks those that do
not meet the specified security criteria.
•Features include logging and reporting, automatic alarms at given
thresholds of attack, and a graphical user interface for controlling
the firewall.

3
Firewall Limitations
a) Cannot protect against internal threats
– e.g. a disgruntled employee who cooperates with an outside
attacker
b) Cannot protect against attacks that bypass the firewall
– e.g. a PC with its own dial-out connection to an ISP, or a
dial-in modem pool
c) Cannot reliably block the transfer of every virus-infected
program or file
– because of the huge range of operating systems, file types and
encodings it would have to understand
4
Firewalls
• A firewall is a system that typically sits at some point of
connectivity between the site it protects and the rest of the
network.
• It is usually implemented as an “appliance” or part of a router,
although a “personal firewall” may be implemented on an end
user machine.
• Firewall-based security depends on the firewall being the only
connectivity to the site from outside; there should be no way to
bypass the firewall via other gateways, wireless connections,
or dial-up connections.

5
Firewalls
• In effect, a firewall divides a network into a more-trusted zone
internal to the firewall, and a less-trusted zone external to the
firewall.
• This is useful if you do not want external users to access a
particular host or service within your site.
• Firewalls may be used to create multiple zones of trust, such as
a hierarchy of increasingly trusted zones.
• A common arrangement involves three zones of trust: the
internal network; the DMZ (“demilitarized zone”); and the rest
of the Internet.

6
Firewalls

A firewall filters packets flowing between a site and the rest of the Internet

7
Types of firewalls
a) Packet filter: Looks at each packet entering or leaving the
network and accepts or rejects it based on user-defined rules.
Packet filtering is fairly effective and transparent to users, but
it is difficult to configure correctly, and on its own it is
susceptible to IP spoofing.

b) Application gateway / proxy server: A proxy server is a server
that acts as an intermediary between a workstation user and the
Internet. It provides security (content inspection), administrative
control, and caching services.

c) Circuit-level gateway: Applies its checks when a TCP connection
(or UDP association) is set up, e.g. validating the endpoints and
the handshake. Once the session has been established, packets flow
between the hosts without further per-packet content inspection.
8
a) Packet Filters
• Simplest, fastest firewall component and the foundation of any
firewall system
• A packet-filtering router applies a set of rules to each incoming
and outgoing IP packet and then forwards or discards it
• Filtering rules are based on information in the packet headers,
such as source and destination IP addresses, protocol, and source
and destination ports
• Each packet's IP (and transport) header is examined and the packet
is permitted or denied according to the rules
• Does not control access based on content
• Advantages are simplicity, transparency and speed

9
Attacks on Packet Filters
a) IP address spoofing: the intruder transmits packets from the
outside with the source address of an internal host (a fake source
IP address). Defence: discard any packet arriving on the external
interface whose source address is internal.
b) Source routing attacks: the sender specifies the route a packet
should take (IP loose/strict source route options) in order to
bypass security measures. Defence: discard all source-routed
packets.
c) Tiny fragment attacks: the attacker uses IP fragmentation to
split the TCP header across fragments so that the first fragment
does not contain the port and flag fields the filter's rules check,
or sends a later fragment that overwrites those fields on reassembly.
Defence: discard a first fragment that does not carry the complete
transport header, and any fragment with offset 1 (see RFC 1858).
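The following is an added example, not code from the lecture: a stateless packet filter in Python that applies the three defences above before consulting a first-match rule list, with a small DMZ rule set of the kind used in the three-zone arrangement. The site address space (10.0.0.0/8), the DMZ subnet (10.0.1.0/24) and every packet are constructed here; a real filter would take these from the router configuration and the wire.

```python
"""Stateless packet filter (added example): anti-spoofing, source-route and
tiny-fragment checks, then first-match rules over header fields only.
Addresses, rules and packets are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed site address space
DMZ = "10.0.1.0/24"                              # assumed DMZ subnet inside it
MIN_TRANSPORT_HDR = {"tcp": 20, "udp": 8}        # header bytes, RFC 793 / RFC 768


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" = arriving from the Internet, "out" = leaving
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset() # TCP flags present, e.g. {"SYN"} or {"ACK"}
    frag_offset: int = 0           # IP fragment offset in 8-byte units
    more_fragments: bool = False   # IP MF bit
    transport_len: int = 20        # bytes of transport header + payload carried
    ip_options: frozenset = frozenset()   # e.g. {"LSRR"} for loose source routing


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None
    require_ack: bool = False      # crude stateless "established" check


RULES = [
    Rule("allow", "in", dst=DMZ, proto="tcp", dport=80),                    # public web
    Rule("allow", "in", dst=DMZ, proto="tcp", dport=25),                    # public mail
    Rule("allow", "out", src=str(INTERNAL)),                                # anything outbound
    Rule("allow", "in", dst=str(INTERNAL), proto="tcp", require_ack=True),  # replies only
    # everything else falls through to the default deny
]


def sanity_check(p: Packet) -> Optional[str]:
    """Return a drop reason for packets no rule should ever see, else None."""
    # a) Anti-spoofing: nothing arriving from the Internet may claim an internal source.
    if p.direction == "in" and ipaddress.ip_address(p.src) in INTERNAL:
        return "spoofed internal source"
    # b) Source routing: the sender must not dictate the path (LSRR/SSRR options).
    if p.ip_options & {"LSRR", "SSRR"}:
        return "source-routed"
    # c) Tiny fragments (RFC 1858): the first fragment must carry the whole
    #    transport header, and no fragment may start at offset 1, which would
    #    overwrite the port/flag fields of the first fragment on reassembly.
    if (p.proto in MIN_TRANSPORT_HDR and p.frag_offset == 0 and p.more_fragments
            and p.transport_len < MIN_TRANSPORT_HDR[p.proto]):
        return "tiny first fragment"
    if p.frag_offset == 1:
        return "fragment at offset 1"
    return None


def matches(r: Rule, p: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if r.direction not in ("any", p.direction):
        return False
    if ipaddress.ip_address(p.src) not in ipaddress.ip_network(r.src):
        return False
    if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r.dst):
        return False
    if r.proto not in ("any", p.proto):
        return False
    if r.dport is not None and (p.frag_offset != 0 or p.dport != r.dport):
        return False   # port numbers are only present in the first fragment
    if r.require_ack and "ACK" not in p.flags:
        return False
    return True


def filter_packet(p: Packet) -> Tuple[str, str]:
    """(action, reason) for one packet: sanity checks, first match, then deny."""
    reason = sanity_check(p)
    if reason:
        return "drop", reason
    for i, r in enumerate(RULES):
        if matches(r, p):
            return r.action, f"rule {i}"
    return "drop", "default deny"
```

Rule 3 shows the weakness of a stateless filter: replies to internal clients are admitted by checking only that the ACK flag is set, so any inbound packet with ACK set reaches any internal port (the basis of ACK scans). A stateful firewall replaces that rule with a connection table.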

10
Firewalls – Packet Filters

The diagram illustrates the placement of the packet filter firewall
in the border router, on the security perimeter, between the
external, less-trusted Internet and the internal, more trusted
private network.
11
b) Application Level Gateway (or Proxy)
• A Proxy is an intermediate agent or server acting on
behalf of an endpoint without allowing a direct
connection between the two endpoints
– So each endpoint talks to proxy, thinking it is
talking to other endpoint
– Proxy decides whether to forward messages, and
whether to alter them
• Usually controls access based on content as well as
source, destination addresses, etc.

12
b) Application Level Gateway contd...
• How a proxy works
– user requests the service from the proxy
– proxy validates that the request is legitimate (allowed protocol,
destination and content)
– proxy then performs the request on the user's behalf and returns
the result to the user
• Application-level gateways tend to be more secure than packet
filters, and can log and audit traffic at the application level

13
Proxy Firewall Example
Virus checking in electronic mail
• Incoming mail goes to proxy firewall
• Proxy firewall receives mail, scans it
• If no virus, mail forwarded to destination
• If virus, mail rejected or disinfected before
forwarding
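The mail-scanning proxy just described, as an added example rather than code from the lecture: the proxy parses the whole message, scans every decoded MIME part against a signature set, and then forwards, rejects, or strips the infected part and forwards the rest. The signature database and the sample message are constructed for this example; a real gateway would load vendor signatures and speak SMTP on both sides.

```python
"""Application-level (proxy) mail filter (added example): content-based
forward / reject / disinfect decisions over a parsed MIME message.
Signatures and the sample message are constructed for illustration."""
import email
import email.message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from typing import List, Optional, Tuple

# Constructed signature database: byte pattern -> detection name. A real
# gateway loads thousands of these from vendor updates.
SIGNATURES = {
    b"EXAMPLE-MALWARE-MARKER-0001": "Example.Dropper.A",
    b"EXAMPLE-MACRO-MARKER-0002": "Example.MacroDownloader.B",
}


def scan_part(part: email.message.Message) -> Optional[str]:
    """Return the signature name matched by one leaf MIME part, or None."""
    if part.is_multipart():
        return None
    data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """List (filename, signature) for every infected part in a raw message."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        sig = scan_part(part)
        if sig:
            findings.append((part.get_filename() or "(inline)", sig))
    return findings


def proxy_decision(raw: bytes, mode: str = "disinfect") -> Tuple[str, Optional[bytes]]:
    """What the proxy does with one message.

    ("forward", raw) if clean; ("reject", None) if infected and mode is
    "reject"; ("disinfected", bytes) with each infected part replaced by a
    plain-text notice when mode is "disinfect".
    """
    msg = email.message_from_bytes(raw)
    if not any(scan_part(p) for p in msg.walk()):
        return "forward", raw
    if mode == "reject":
        return "reject", None
    # Collect containers first: replacing payloads while walk() runs is unsafe.
    for container in [p for p in msg.walk() if p.is_multipart()]:
        kept = []
        for child in container.get_payload():
            sig = scan_part(child)
            if sig:
                name = child.get_filename() or "(inline)"
                kept.append(MIMEText(
                    f"[attachment {name!r} removed by mail proxy: matched {sig}]"))
            else:
                kept.append(child)
        container.set_payload(kept)
    return "disinfected", msg.as_bytes()


def build_sample(infected: bool) -> bytes:
    """Constructed two-part message with a PDF-looking attachment."""
    msg = MIMEMultipart()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Quarterly report"
    msg.attach(MIMEText("Report attached.\n"))
    body = b"%PDF-1.4\n" + (b"EXAMPLE-MALWARE-MARKER-0001" if infected else b"harmless content")
    att = MIMEApplication(body, "pdf")
    att.add_header("Content-Disposition", "attachment", filename="report.pdf")
    msg.attach(att)
    return msg.as_bytes()
```

The point a packet filter cannot make: the decision depends on the decoded attachment bytes, which are only visible once the proxy has reassembled and parsed the whole message at the application layer.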

14
Firewalls - Application Level Gateway (or Proxy)

NB: A proxy only supports a specific list of application services;
each protocol needs its own proxy.
15
DMZ
• The Demilitarized Zone is the segment between the outside world
and the trusted internal network where publicly accessed servers
are placed
• If the DMZ is breached, the internal systems are still shielded
by the inner firewall, provided DMZ hosts are given no unfiltered
path into the internal network
• Bastion hosts are hardened computers that reside in the DMZ and
are directly exposed to attack

16
De-militarized zone (DMZ)

• The purpose of a DMZ is to add an additional layer of security to
an organization's LAN.
• An external network node only has direct access to equipment in
the DMZ, rather than to any other part of the network.
• The name is derived from the term "demilitarized zone", an area
between nations in which military operation is not permitted.
17
2) Intrusion Detection Systems (IDS)
• Definition: Intrusion detection is the detection of intrusions
or intrusion attempts by software that analyses logs, audit trails
or other information available from the host or the network.

• IDSs serve three essential security functions: monitor, detect
and respond to unauthorized activity
• An IDS can also respond automatically (in real time) to a
security breach event, e.g. by logging off a user, disabling a
user account or launching a script

18
Intrusion Detection
• An unusual traffic pattern can be a sign of intrusion by an
attacker
• IDSs are complementary to firewalls
• An IDS detects activity once the intruder has got past the
firewall or is already on the system

19
Some of the benefits of IDS
a) Monitors the operation of firewalls, routers and files
critical to other security mechanisms
b) Comes with extensive attack signature database against
which information from the customer systems can be
matched
c) Allows administrator to tune, organize and comprehend
often incomprehensible operating system audit trails and
other logs
d) Non-Expert staff can perform security management
services via user-friendly interfaces
e) Can recognize and report alterations to data files

20
Firewall Vs IDS
• A firewall cannot detect security breaches associated with
traffic that does not pass through it.
• An IDS is only aware of the traffic on the segments where its
sensors are placed (typically the internal network and the DMZ)
• A packet-filtering firewall does not inspect the content of
permitted traffic; it simply grants or denies access based on
source and destination addresses and ports
• A firewall is likely to be attacked more often than an IDS,
because it is the exposed point of contact
• An IDS is capable of monitoring messages from other pieces of
security infrastructure

21
Types of IDS

By detection method:
• Signature-based
• Anomaly-based

By placement:
• Host-based
• Network-based

22
a) Signature-based IDS
• Characteristics
– Uses known pattern matching to signify attack
– It is signature based just like
Antivirus software
• Advantages
– Widely available
– Fairly fast
– Easy to implement
– Easy to update
• Disadvantages
– Cannot detect attacks for which it has no signature
23
b) Host-based IDS
• Characteristics
– Runs on a single host
– Can analyze audit trails, logs, integrity of files and
directories, etc.
• Advantages
– More accurate than a NIDS, since it sees host-level context
– Less volume of traffic to inspect, so less overhead
• Disadvantages
– Deployment is expensive (an agent on every host)
– If the host is compromised, the attacker can tamper with the
agent and the logs it relies on

24
Host-based IDS contd…
• An example of an agent-based HIDS is Entercept's product
• What a HIDS can do upon detecting an intrusion:
– Log (record) the event
– Alert the administrator
– Terminate the user's login
– Disable the user account
• Host-based and network-based IDS are complementary products
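An added example of the file-integrity part of a HIDS (not code from the lecture or from any product it names): take a baseline of content digest, permission bits and size for every file, then compare a later snapshot and report what was added, removed or altered. The directory tree and the tampering applied to it are constructed inside a temporary directory so the example runs anywhere.

```python
"""File-integrity monitoring (added example): baseline digests, modes and
sizes, then diff a later snapshot. The fake filesystem and the tampering
in demo() are constructed for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]          # (sha256 hex, permission bits, size)


def file_digest(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, Entry]:
    """Map each regular file under root (relative POSIX path) to its Entry."""
    root = Path(root)
    result: Dict[str, Entry] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            result[p.relative_to(root).as_posix()] = (
                file_digest(p), st.st_mode & 0o7777, st.st_size)
    return result


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Files that appeared, vanished, or whose content, mode or size changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a tiny fake filesystem, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder for a real binary")
        baseline = snapshot(root)

        # Constructed tampering, the kind of change a HIDS exists to catch:
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/home/eve:/bin/bash\n")    # a second UID-0 account
        os.chmod(root / "bin" / "ls", 0o4755)               # setuid bit added to a binary
        (root / "bin" / "nc").write_bytes(b"dropped tool")  # new file in a system directory
        (root / "etc" / "hosts").unlink()                   # file removed
        return compare(baseline, snapshot(root))
```

This is also the answer to "what happens when the host gets compromised": the baseline must be stored off-host or signed, and the comparison ideally run from trusted media, because an attacker with root on the monitored host can rewrite a local baseline to match the tampered files.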

25
c) Network-based IDS
• Most commonly used IDS
• Location of IDS on the network is critical both to detect intrusion
as well as to be cost effective
• Typical locations are:
– Inside the firewall
– On the DMZ
– On network segments connecting mainframe to hosts
• Just inside the firewall is the best location because all inbound
and outbound traffic passes through that point
• The DMZ is also a good location since the public only enters the
DMZ. If the DMZ is attacked, an IDS there can detect it and, with
active response, potentially stop the attacker at the DMZ.
• Locating the IDS on the server farm segment or the mainframe-to-host
segment is needed only for mission-critical applications

26
NIDS contd…
• A network IDS sensor has a finite inspection capacity (the figure
quoted here, 40 Mb/s, reflects older sensors). If traffic exceeds
that capacity, the IDS drops packets at random and can miss the
packet that carries the attack.
• An IDS monitors and detects network attacks or misuse in real
time
• Most network-based systems rely on predefined attack
signatures, which will always be a step behind the latest
underground exploits
• Can help detect DoS attacks from their traffic patterns
• Have difficulties keeping up with networks of very large
bandwidth

27
d)Anomaly-based IDS
• Characteristics
– Uses statistical model or machine learning engine to detect
intrusions
– Recognizes departures from normal as potential intrusions
• Advantages
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern

• Disadvantages
– Generally slower, more resource intensive compared to signature-
based IDS
– Greater complexity, difficult to configure
– Higher percentages of false alerts
28
False positives and false negatives
a) False positives - happen when an IDS mistakenly flags benign
(valid) activity as an attack
• False positives may require human intervention to investigate
• False positives are costly: every alert has to be triaged
• To reduce false positives, the system needs tuning over a period
of time to the proper type of activity on the monitored network
b) False negatives - happen when an IDS fails to flag an actual
attack, treating a malicious packet as valid
• E.g. a network IDS sensor has a finite capacity (40 Mb/s was
quoted above). If traffic exceeds it, the IDS misses packets at
random and could let the attacking packet through undetected.
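An added example, not code from the lecture, covering the signature-based and anomaly-based sections above and the false-positive/false-negative definitions: both detectors run over one constructed stream of web requests with known labels, and a scoring function counts TP, FP, FN and TN for each. The signatures, the baseline rates and every event are constructed; the third signature is deliberately loose so that it shows how a false positive arises.

```python
"""Signature-based vs anomaly-based detection with FP/FN accounting
(added example). Signatures, baseline rates and events are constructed."""
import re
import statistics
from collections import Counter
from typing import Dict, List, Set, Tuple
from urllib.parse import unquote

Event = Tuple[str, str, str]   # (source IP, request line, ground-truth label)

# Known-attack signatures over the URL-decoded request line. Deliberately
# simple, so the third one also fires on an innocent forum topic.
SIGNATURES = {
    "cgi-bin path traversal": re.compile(r"/cgi-bin/.*\.\./"),
    "sql tautology": re.compile(r"(?i)'\s*or\s*1\s*=\s*1"),
    "sql union select": re.compile(r"(?i)union.*select"),
}

# Requests per minute per client observed during a quiet baseline period.
BASELINE_REQUESTS_PER_MINUTE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

EVENTS: List[Event] = [
    ("198.51.100.1", "GET /index.html", "benign"),
    ("198.51.100.1", "GET /search?q=books", "benign"),
    ("198.51.100.2", "GET /cgi-bin/view.cgi?f=../../../etc/passwd", "attack"),
    ("198.51.100.3", "GET /login?user=admin'%20or%201=1--", "attack"),
    ("198.51.100.4", "GET /forum?topic=union-select-committee", "benign"),
    ("198.51.100.6", "GET /admin/backup.tar.gz", "attack"),   # no signature, low rate
] + [("198.51.100.5", f"GET /dir{i:02d}/", "attack") for i in range(12)]  # directory scan


def signature_detect(events: List[Event]) -> Dict[str, Set[str]]:
    """Source -> names of the signatures any of its requests matched."""
    hits: Dict[str, Set[str]] = {}
    for src, request, _ in events:
        decoded = unquote(request)      # match after decoding, as the server would
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                hits.setdefault(src, set()).add(name)
    return hits


def anomaly_threshold(baseline: List[int], k: float = 3.0) -> float:
    """Mean + k standard deviations of the learned per-client rate."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_detect(events: List[Event], threshold: float) -> Dict[str, int]:
    """Source -> request count for every source whose rate exceeds the threshold."""
    counts = Counter(src for src, _, _ in events)
    return {src: n for src, n in counts.items() if n > threshold}


def confusion(flagged: Set[str], events: List[Event]) -> Dict[str, int]:
    """Score a set of flagged sources against the ground-truth labels."""
    sources = {src for src, _, _ in events}
    attackers = {src for src, _, label in events if label == "attack"}
    return {"TP": len(flagged & attackers), "FP": len(flagged - attackers),
            "FN": len(attackers - flagged), "TN": len(sources - attackers - flagged)}
```

On this stream the signature detector catches the two known attacks, raises one false positive on the forum topic that happens to contain "union-select", and misses both the directory scan (no signature) and the single backup-file guess. The anomaly detector catches only the scan, with no false positives, because it has never seen any client make twelve requests in a minute. Combining the two leaves one false negative: the low-volume, signatureless guess, which is exactly the gap the lecture's "a step behind the latest exploits" remark describes.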

29
Detection methods
• Passive detection
– Detects anomalous activity and raises an alert, but does not
stop the activity
• Active detection
– Detects anomalous activity and stops it
– Inter-operates with routers and firewalls to do so
– When an IDS is used to block malicious traffic, this is called
shunning or blocking

30
Task
a) As a computer security specialist at a local
university, write a report on the advantages of
honeypots at 3 possible locations
i) outside the firewall
ii) in the DMZ
iii) in the internal network
b) Suggest any useful ways in which an organization
can use honeypots.

31
Task

a) Explain the differences between an IDS and an IPS.
b) When and where is either of them more appropriate?

32
c) Virtual Private Networks

33
d)Anti-virus

34
e) Cryptography

35
Tutorial questions
1) Firewalls have been the mainstay of access control
that keep intruders out. However, backdoor entries into
firewalls are left. Explain how such backdoor entry points
are devised, why they are needed, what can be done to
minimize attacks through backdoor entries.

2) Give two reasons, other than buffer-overflow attacks, why a
network with both a firewall and virus-detection software may still
be vulnerable. Assume that both the firewall and the virus scanner
are configured correctly with up-to-date information and that all
network connections go through the firewall.

36
Tutorial questions contd…
For each question, briefly explain which type of firewall can be used
to defend against the attack and how the firewall should be
configured. (12 marks)
a) Prevent external users from exploiting a security bug in a CGI
script on an internal Web server (the Web server is serving
requests from the Internet).
b) Prevent an online password dictionary attack from the external
network on the Telnet port of an internal machine.
c) Block a virus embedded in an incoming e-mail.
d) Block users on the internal network from browsing a specific
external IP address.
e) Prevent spoofing of internal IP addresses by external hosts.
f) Prevent attacks that are broken into multiple packets.

37
