Chapter One

Basic Network Security Concepts & Terminologies

Part One

Computer Networks and Information Security
(IT 3104)
Introduction
 While computer systems today have some of the best security systems ever, they are more vulnerable than ever before.
 Computer and network security comes in many forms, including encryption algorithms, access to facilities, digital signatures, and using fingerprints and face scans as passwords.
 The OSI security architecture provides a systematic framework for defining security attacks, mechanisms and services.
Contd.
 The OSI security architecture focuses on security attacks, mechanisms and services.
Security attack:- Any action that compromises the security of information owned by an organization.
Security mechanism:- A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.
Security service:- A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization.
 The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service.
Definitions

 Computer Security - generic name for the collection of tools designed to protect data and to thwart hackers from attacking the organizational assets.
 Network Security - measures to protect data during their transmission over the network.
 Internet Security - measures to protect data during their transmission over a collection of interconnected networks (network of networks).
Why Is Computer and Network Security Important?
1. To protect company assets:- One of the primary goals of computer and network security is the protection of company assets (hardware, software and/or information).
2. To gain a competitive advantage:- Developing and maintaining effective security measures can provide an organization with a competitive advantage over its competition.
3. To comply with regulatory requirements and fiduciary responsibilities:- Organizations that rely on computers for their continuing operation must develop policies and procedures that address organizational security requirements.
 Such policies and procedures are necessary not only to protect company assets but also to protect the organization from liability.
4. To keep your job:- Security should be part of every network or systems administrator's job. Failure to perform adequately can result in termination.
Network Security In Action
[Figure: network security in action. Network: client, DNS, network services, FTP/Telnet, SMTP/POP, web server configuration. Vulnerabilities: IP and port scanning, web server exploits, sniffing, keystroke logging, password cracking, e-mail exploits, DoS attacks, Trojan attacks, MITM attacks. Prevention: hardening hosts, antivirus, using SSH, using application firewalls, using IPSec, using GPG/PGP, using certificates. Detection: intrusion detection systems, system log analysis, backup and restore, honeypots, spyware detection and removal, finding hidden data.]
Contd.

[Figure: internal attacker, external attacker, viruses and incorrect permissions as threats to corporate assets.]
A network security design protects assets from threats and vulnerabilities in an organized manner.
To design security, analyze risks to your assets and create responses.
The Security Trinity
The three legs of the "security trinity," prevention, detection, and response, comprise the basis for network security.
The security trinity should be the foundation for all security policies and measures that an organization develops and deploys.
Contd.
1. Prevention:- is the foundation of the security trinity.
 To provide some level of security, it is necessary to implement measures to prevent the exploitation of vulnerabilities.
 In developing network security schemes, organizations should emphasize preventative measures over detection and response.
 It is easier, more efficient, and much more cost-effective to prevent a security breach than to detect or respond to one.
2. Detection:- Once preventative measures are implemented, procedures need to be put in place to detect potential problems or security breaches, in the event preventative measures fail.
 The sooner a problem is detected, the easier it is to correct and clean up.
Contd.
3. Response:- Organizations need to develop a plan that identifies the appropriate response to a security breach.
 The plan should be in writing and should identify who is responsible for what actions and the varying responses and levels of escalation.
Information Security
 Network security is concerned, above all else, with the security of information assets.
 Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Information security = confidentiality + integrity + availability + authentication.
 The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably.
 These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.
Contd.
 Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
 Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer.
 Information security offers many areas for specialization, including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics science, etc.
Basic Security Terminology
 Network security terms are the foundation for any discussion of network security and are the elements used to measure the security of a network.
 Some of these terms include:-
1. Identification:- is simply the process of identifying one's self to another entity or determining the identity of the individual or entity with whom you are communicating.
2. Authentication:- is the assurance that the communicating entity is the one that it claims to be.
 Authentication serves as proof that you are who you say you are or what you claim to be.
 Authentication is required when communicating over a network or logging onto a network.
Contd.
 When communicating over a network you should ask yourself two questions:
1) With whom am I communicating?
2) Why do I believe this person or entity is who he, she, or it claims to be?
 When logging onto a network, three basic schemes are used for authentication:
 Something you know
 Something you have
 Something you are
Contd.
3. Access Control (Authorization):- refers to the ability to control the level of access that individuals or entities have to a network or system and how much information they can receive.
 Your level of authorization basically determines what you're allowed to do once you are authenticated and allowed access to a network, system, or some other resource such as data or information.
 Access control is the determination of the level of authorization to a system, network, or information (i.e., classified, secret, or top-secret).
Contd.
4. Confidentiality:- can also be called privacy or secrecy and refers to the protection of information from unauthorized disclosure.
 Usually achieved either by restricting access to the information or by encrypting the information so that it is not meaningful to unauthorized individuals or entities.
5. Availability:- refers to whether the network, system, hardware, and software are reliable and can recover quickly and completely in the event of an interruption in service.
 Ideally, these elements should not be susceptible to denial of service (DoS) attacks.
Contd.
6. Data Integrity:- refers to the assurance that data received are exactly as sent by an authorized entity.
 Data integrity is achieved by preventing unauthorized or improper changes to data, ensuring internal and external consistency, and ensuring that other data attributes (such as timeliness and completeness) are consistent with requirements.
7. Accountability:- refers to the ability to track or audit what an individual or entity is doing on a network or system.
 Does the system maintain a record of functions performed, files accessed, and information altered?
Contd.

8. Non-Repudiation:- refers to the ability to prevent individuals or entities from denying (repudiating) that information, data, or files were sent or received or that information or files were accessed or altered, when in fact they were.
 Non-repudiation is crucial to e-commerce.
Part Two
Security Threats, Attacks and Vulnerabilities

Computer Networks and Information Security
(IT 3104)
Introduction
 Information is the key asset in most organizations.
 Companies gain a competitive advantage by knowing how to use that information.
 The threat comes from others who would like to acquire the information or limit business opportunities by interfering with normal business processes.
 The object of security is to protect valuable or sensitive organizational information while making it readily available.
 Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by using various techniques, methods, and tools.
 Attackers generally have motives or goals, for example, to disrupt normal business operations or steal information.
 To achieve these motives or goals, they use various methods, tools, and techniques to exploit vulnerabilities in a computer system or security policy and controls.
Methods used by attackers
1. Deleting and altering Information:- Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them.
 Inside attackers normally do this to spite the organization because they are disgruntled about something.
 Outside attackers might want to do this to prove that they can get in to the system or for the fun of it.
2. Committing Information Theft and Fraud:- Information technology is increasingly used to commit fraud and theft.
 Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods.
 Some of the systems which are subjected to fraud include: financial systems, systems that control access to any resources, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.
Contd.
3. Disrupting Normal Business Operations:- Attackers may want to disrupt normal business operations.
 In any circumstance like this, the attacker has a specific goal to achieve.
 Attackers use various methods for denial-of-service attacks; the section on methods, tools, and techniques will discuss these.
Security Threats

[Figure: classification of security threats. Human threats are either malicious (outsiders like crackers and hackers; insiders like disgruntled employees) or non-malicious (ignorant employees). Natural disasters include floods, fires, earthquakes and hurricanes.]
Contd.
1. Natural Disaster:- Nobody can stop nature from taking its course.
 Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems.
 Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services.
 Few safeguards can be implemented against natural disasters.
 The best approach is to have disaster recovery plans and contingency plans in place.
 Other threats such as riots, wars, and terrorist attacks could be included here.
Contd.
2. Human Threats:- Malicious threats consist of inside attacks by disgruntled or malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization.
 Insiders are the most dangerous attackers, because they know many of the codes and security measures that are already in place.
 Insiders can plant viruses, Trojan horses, or worms, and they can browse through the file system.
 By browsing through a system, an insider can learn confidential information.
 Insiders can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.
 Disgruntled employees can create both mischief and sabotage on a computer system.
Common Examples of Computer-related Employee Sabotage include:
i. Changing/deleting data
ii. Destroying data or programs with logic bombs
iii. Crashing systems
iv. Holding data hostage
v. Destroying hardware or facilities
vi. Entering data incorrectly.
 Outsiders like hackers and crackers are also among the human security threats.
A. Hackers are people who either break in to systems for which they have no authorization or intentionally overstep their bounds on systems for which they don't have legitimate access.
 A hacker is usually a programmer who constantly seeks further knowledge, freely shares what they have discovered, and never intentionally damages data.
Contd.
B. Crackers are people who break into or otherwise violate system integrity with malicious intent.
 They destroy vital data or cause problems for their targets.
 Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing, and social engineering.
 Malicious attackers normally will have a specific goal, objective, or motive for an attack on a system:
 Denial of Service
 Stealing Information or hardware (Resources).
Ways to gain Access or deny Services
 Malicious attackers can gain access or deny services in numerous ways. Here are some of them:-
1. Viruses:- Attackers can develop harmful codes, called viruses, and plant them into systems.
 Viruses can also be spread via e-mail and disks.
2. Trojan horses:- are malicious programs or software code hidden inside what looks like a normal program.
 When a user runs the normal program, the hidden code runs as well.
 It can then start deleting files and causing other damage to the computer.
 Trojan horses are normally spread by e-mail attachments.
Contd.
3. Worms:- are programs that copy themselves from one system to another over a network, without the assistance of a human being.
 Worms usually propagate themselves by transferring from computer to computer via e-mail.
4. Password cracking:- is a technique attackers use to surreptitiously gain system access through another user's account.
 This is possible because users often select weak passwords.
 The two major problems with passwords are:
i. when they are easy to guess based on knowledge of the user (for example, wife's maiden name) and
ii. when they are susceptible to dictionary attacks (that is, using a dictionary as the source of guesses).
Contd.
5. Denial of Service attacks:- This attack exploits the need to have a service available.
 It is a growing trend on the Internet because Web sites in general are open doors ready for abuse.
 People can easily flood the Web server with communication in order to keep it busy.
 Therefore, companies connected to the Internet should prepare for (DoS) attacks.
 They are also difficult to trace and allow other types of attacks to be subdued.
 DoS attacks are designed to prevent legitimate use of a service.
Contd.
 Attackers achieve this by flooding a network with more traffic than it can handle. Examples of this include:
 Saturating network resources, thereby preventing users from using network resources.
 Disrupting connections between two computers, preventing communications between services.
 Preventing a particular individual from accessing a service.
 Disrupting services to a specific system or client.
 DoS attacks flood a remote network with an enormous amount of protocol packets.
Contd.
 Routers and servers eventually become overloaded by attempting to route or handle each packet.
 Within minutes, network activity exponentially rises and the network stops responding to normal traffic and service requests from clients.
 This is also known as a network saturation attack or bandwidth consumption attack.
 Attackers strike with various tools, including Trin00 and Tribe
Types of Denial-of Service
 Computers use certain core resources, such as network bandwidth, memory, CPU time, and hard drive space, to operate and function correctly.
 The operating system and applications that run on the system play an important role in managing these resources correctly.
 When the operating system or the resources are overrun by malicious attacks, one or more of these core resources breaks down, causing the system to crash or stop responding.
 An attacker can cause resources to be overrun by various means, including consuming server resources, saturating network resources, and mail bombing.
Contd.
A. Consuming Server Resources:- The goal of a DoS attack is to prevent hosts or networks from communicating on the network. An example of this type of attack is the SYN flood attack.
i. When a client attempts to contact a server service, the client and server exchange a series of messages.
ii. The client starts by sending a TCP connection request or SYN message to the server. The server responds to the SYN message with an acknowledgement, the SYN-ACK message.
iii. The client then acknowledges the server's SYN-ACK message with an ACK message.
 After these three actions take place, the connection between the client and server is open and they can exchange service-specific data.
Contd.
 The problem arises when the server has sent the SYN-ACK message back to the client but has not yet received an ACK response from the client.
 This is now a half-open connection. The server keeps the pending connection in memory, waiting for a response from the client.
 The half-open connections in memory eventually will time out on the server, freeing up valuable resources again.
 Creating these half-open connections is accomplished with IP spoofing.
 The attacker's system sends SYN messages to the victim's server which seem to be legitimate but in fact refer to a client system that is unable to respond to the server's SYN-ACK message.
Contd.
 The server now has half-open connections in memory; eventually they fill up the server's connection table and it is unable to accept any new connections.
 The time limit on half-open connections will expire. However, the attacker's system keeps sending IP-spoofed packets faster than the expiry limit on the victim's server.
 In most cases the victim of such an attack will have difficulty accepting any new, legitimate incoming connections.
 This type of attack does not really affect any of the current connections or outgoing connections.
 Normally it consumes an enormous amount of memory and processing power on the server, causing it to crash.
 The location of the attacking system is difficult to trace because the attacker's system address was masquerading as a legitimate IP address.
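As an added example (not from the slides), a Python model of the server-side table of half-open connections described above, replayed over constructed traffic: one well-behaved client completing a handshake every second, plus a burst of SYNs from spoofed sources that never answer the SYN-ACK and arrive faster than the entries expire. The capacity (128 entries) and the timeout (3 s) are assumed values; the replay shows the genuine client's SYNs being refused while the table is full and accepted again once the stale entries time out.

```python
from collections import OrderedDict

LEGIT_IP = "10.0.0.5"   # the one genuine client in the constructed traffic


class SynBacklog:
    """Model of a server's table of half-open TCP connections: SYN received,
    SYN-ACK sent, final ACK still outstanding. Times are in milliseconds."""

    def __init__(self, capacity: int, timeout_ms: int):
        self.capacity = capacity        # entries the server keeps in memory
        self.timeout_ms = timeout_ms    # how long a half-open entry lives
        self.pending = OrderedDict()    # (src_ip, src_port) -> arrival time, oldest first
        self.peak = 0                   # highest occupancy seen, for reporting

    def expire(self, now: int) -> None:
        # Entries are inserted in time order, so the oldest is always first.
        while self.pending:
            oldest_key, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout_ms:
                break
            del self.pending[oldest_key]

    def on_syn(self, now: int, key) -> bool:
        """Return True if the server could store the new half-open connection."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            return False                # table full: the SYN is dropped
        self.pending[key] = now
        self.peak = max(self.peak, len(self.pending))
        return True

    def on_ack(self, now: int, key) -> bool:
        """Return True if the ACK completed a pending handshake."""
        self.expire(now)
        if key in self.pending:
            del self.pending[key]
            return True
        return False


def constructed_traffic() -> list:
    """(time_ms, src_ip, src_port, kind) events: a genuine client that completes
    one handshake per second for 15 s, and 250 SYNs (50 per second from t=5 s to
    t=10 s) from spoofed sources that never acknowledge the SYN-ACK."""
    events = []
    for i in range(15):
        t = i * 1000 + 7
        events.append((t, LEGIT_IP, 40000 + i, "SYN"))
        # The ACK is generated blindly; it is simply ignored if the SYN was dropped.
        events.append((t + 10, LEGIT_IP, 40000 + i, "ACK"))
    for i in range(250):
        events.append((5000 + i * 20, f"198.51.100.{i % 200 + 1}", 1000 + i, "SYN"))
    return sorted(events)


def replay(events: list, capacity: int = 128, timeout_ms: int = 3000) -> dict:
    """Feed the events through the backlog model and report what the genuine client saw."""
    backlog = SynBacklog(capacity, timeout_ms)
    refused_legit, completed = [], 0
    for t, src, port, kind in events:
        key = (src, port)
        if kind == "SYN":
            if not backlog.on_syn(t, key) and src == LEGIT_IP:
                refused_legit.append(t)
        elif backlog.on_ack(t, key):
            completed += 1
    return {"refused_legit": refused_legit, "completed": completed,
            "peak_half_open": backlog.peak}


def fill_rate_per_second(capacity: int, timeout_ms: int) -> float:
    """Sustained rate of unanswered SYNs above which the table can never drain."""
    return capacity / (timeout_ms / 1000)


if __name__ == "__main__":
    print(replay(constructed_traffic()))
    print("table fills above", fill_rate_per_second(128, 3000), "unanswered SYN/s")
```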
Contd.
B. Saturating Network Resources:- An intruder may also be able to consume all the available bandwidth on a network by generating a large number of packets directed to the network.
 Typically, these packets are Internet Control Message Protocol (ICMP) echo packets, but in principle they may be anything.
 Such attacks can be generated from a single computer or from several computers on different networks.
 The latter is known as a distributed denial-of-service attack (DDoS).
 ICMP is used to convey status and error information including notification of network congestion and other network-related problems.
Contd.
 First, an ICMP echo request packet is sent to a computer on the network.
 If the computer is operating, it will respond to the request by sending an ICMP echo reply packet. A common example is the PING command.
 On TCP/IP networks, a packet can be sent to an individual computer or broadcast to all computers on the network.
 When an IP packet is sent to an IP broadcast address from a computer on the same local area network, all computers on that network receive the IP packet.
 When a computer outside the local area network sends an IP broadcast packet, all computers on the target network receive the broadcast
Parties Involved in a Saturating Network Resources Attack
 Three parties are involved in a saturating resource attack, namely:
i. The attacker
ii. The intermediary, which can also be a victim
iii. The victim
 The intermediary receives an ICMP echo request packet that is directed to the IP broadcast network address.
 If nothing is filtering these ICMP echo requests, all computers on the network will receive the ICMP echo request packet and respond with an ICMP echo reply packet.
 When all computers respond to these packets, severe network congestion or outages are possible.
Contd.
 Attackers don't use their own IP source address while creating the attack.
 Instead, they use the source address of their intended victim. This is known as IP spoofing.
 Attackers use a variety of tools for this purpose:
 The tools enable the hackers to send ICMP echo request packets to multiple intermediary computers, causing all of them to respond to the same victim's source IP address.
 These tools could also be used to scan for network routers that do not filter broadcast traffic.
 DDoS attacks involve breaking in to hundreds or thousands of computers across the Internet.
 Then the attacker installs DDoS software on them, allowing the attacker to control all of these computers and launch coordinated attacks on victim sites.
 These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.
Contd.
C. Mail Bombing:- is an e-mail based attack which sends floods of e-mail to a system until it fails.
 A system will fail in different ways, depending on the type of server and how it is configured.
 Some Internet service providers give temporary accounts to anyone who signs up for a trial subscription, and those accounts can be used to launch e-mail attacks.
 Here are typical failure modes:
a. The e-mail server accepts e-mail messages until the disk where e-mail is stored fills up.
 Subsequent e-mail is not accepted.
 If the e-mail disk is also the main system disk, it may crash the
Contd.
b. The incoming queue is filled with messages to be forwarded until the queue reaches its limit.
 Subsequent messages can't be queued.
c. A particular user's server disk quota can be exceeded. This prevents subsequent mail from being received and may keep the user from getting work done.
 Recovery can be difficult because the user may need to use more disk space just to delete the e-mail.
Contd.
6. E-mail hacking:- With access to Internet e-mail, someone can potentially correspond with any one of millions of people worldwide.
 The most common mail transfer protocols (SMTP, POP3, IMAP4) do not typically include provisions for reliable authentication as part of the core protocol, allowing e-mail messages to be easily forged.
 Nor do these protocols require the use of encryption that could ensure the privacy or confidentiality of e-mail messages.
Threats associated with e-mail
1. Impersonation:- The sender address on Internet e-mail cannot be trusted because the sender can create a false return address.
 Someone could have modified the header in transit, or the sender could have connected directly to the Simple Mail Transfer Protocol (SMTP) port on the target computer to enter the e-mail.
2. Eavesdropping:- E-mail headers and contents are transmitted in clear text if no encryption is used.
 As a result, the contents of a message can be read or altered in transit.
 The header can be modified to hide or change the sender, or to redirect the message.
Eavesdropping on a Dialog

[Figure: Bob's client PC sends "Hello" to Alice's server; the attacker (Eve) intercepts and reads the messages.]
Contd.
3. Packet replay:- refers to the recording and retransmission of message packets in the network.
 Packet replay is a significant threat for programs that require authentication sequences, because an intruder could replay legitimate authentication sequence messages to gain access to a system.
 It is frequently undetectable, but can be prevented by using packet time stamping and packet sequence counting.
4. Network Spoofing (passive eavesdropping):- is when a user creates a packet that appears to be something else or from someone else.
 Here, a system presents itself to the network as though it were a different
Contd.
5. Smurfing attack:- is a nasty technique in which a program attacks a network by exploiting IP broadcast addressing operations.
 The Smurf attack is a way of generating significant computer network traffic on a victim network.
 This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
6. Ping Storm:- is a condition in which the Internet Ping program is used to send a flood of packets to a server to test its ability to
Contd.
 The ping support in Windows operating systems does not allow someone to mount a ping storm.
 The ping command in at least some UNIX-based systems offers two options:
A. "ping -f", which specifies to output ping packets back as fast as they are returned.
B. "ping -s[packetsize]", which causes the size of the outgoing packet to be padded by some specified size in order to increase the load on the receiving server. A ping storm is one form of packet storm.
7. E-mail Bombing:- here, a user sends an excessive amount of unwanted e-mail to someone.
Contd.
7. Spoofing:- here, an attacker forges network data, appearing to come from a different network address than he actually comes from.
 This sort of attack can be used to thwart systems that authenticate based on host information (e.g., an IP address).
8. Intrusion Attacks:- In these attacks, a hacker uses various hacking tools to gain access to systems.
 These can range from password-cracking tools to protocol hacking and manipulation tools.
 Intrusion detection tools often can help to detect changes and variants that take place within systems and networks.
Contd.
9. Social Engineering:- is a common form of cracking. It can be used by outsiders and by people within an organization.
 Social engineering is a hacker term for tricking people into revealing their password or some form of security information.
 A common example of social engineering would be where a hacker sends e-mail to an employee, claiming to be an administrator who needs the employee's password to do some administrative work.
 The normal user who has not been taught about security might not know the difference between the actual administrator and the imposter administrator, especially in a large organization.
Contd.
10. Packet Modification:- involves one system intercepting and modifying a packet destined for another system.
 Packet information may not only be modified, it could also be destroyed.
[Figure: dialog between Bob's client PC and Alice's server; the attacker (Eve) intercepts and alters the messages, so a balance of $1 at one end is shown as $1,000,000 at the other.]
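As an added example (not part of the original slides), a Python receiver that applies the two countermeasures named under packet replay (item 3), packet time stamping and packet sequence counting, and, as an assumption beyond the slides, an HMAC-SHA256 integrity tag over each packet so that the packet modification of item 10 is also detected. The shared key, the packet format and the packet stream are constructed for the demonstration.

```python
import hashlib
import hmac

# Assumption: sender and receiver share this key out of band (constructed demo value).
SHARED_KEY = b"constructed-demo-key"


def tag(key: bytes, seq: int, ts: int, payload: str) -> str:
    """Integrity tag over sequence number, timestamp and payload, so none of them
    can be changed in transit without the receiver noticing."""
    return hmac.new(key, f"{seq}|{ts}|{payload}".encode(), hashlib.sha256).hexdigest()


def make_packet(key: bytes, seq: int, ts: int, payload: str) -> dict:
    """What the sender emits: a constructed packet format with a per-packet tag."""
    return {"seq": seq, "ts": ts, "payload": payload, "tag": tag(key, seq, ts, payload)}


class Receiver:
    def __init__(self, key: bytes, window_ms: int = 5000):
        self.key = key
        self.window_ms = window_ms   # how far a packet's timestamp may differ from the clock
        self.last_seq = 0            # highest sequence number accepted so far

    def accept(self, now_ms: int, pkt: dict):
        """Return (accepted, reason). The tag is checked first so that a forged or
        altered packet can never advance the replay state."""
        expected = tag(self.key, pkt["seq"], pkt["ts"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["tag"]):
            return False, "bad tag"                       # modified in transit or forged
        if abs(now_ms - pkt["ts"]) > self.window_ms:
            return False, "stale timestamp"               # an old recording played back later
        if pkt["seq"] <= self.last_seq:
            return False, "replayed or out-of-order sequence"
        self.last_seq = pkt["seq"]
        return True, "ok"


def constructed_stream(key: bytes) -> list:
    """(arrival_time_ms, packet) pairs: two genuine packets, a replay of the first,
    the second packet with its amount altered by Eve, a genuine packet recorded
    and delivered long after it was made, and a fresh genuine packet."""
    p1 = make_packet(key, 1, 1000, "balance=1")
    p2 = make_packet(key, 2, 2000, "transfer=50")
    p3 = make_packet(key, 3, 3000, "balance=1")
    altered = dict(p2, payload="transfer=1000000")   # Eve cannot recompute the tag
    return [(1010, p1), (2010, p2), (2500, p1), (2600, altered), (9000, p3),
            (9010, make_packet(key, 4, 9000, "balance=1"))]


def process_stream(stream: list, key: bytes = SHARED_KEY, window_ms: int = 5000) -> list:
    """Run one receiver over the stream and return the decision for each packet."""
    receiver = Receiver(key, window_ms)
    return [receiver.accept(now, pkt)[1] for now, pkt in stream]


if __name__ == "__main__":
    for (now, pkt), verdict in zip(constructed_stream(SHARED_KEY),
                                   process_stream(constructed_stream(SHARED_KEY))):
        print(now, pkt["seq"], pkt["payload"], "->", verdict)
```

The fifth packet carries a fresh sequence number, so sequence counting alone would accept it; only the timestamp check catches a packet recorded and delivered long after it was made.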
Contd.
3. Non-Malicious Threats:- The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing.
 Errors and omissions can cause valuable data to be lost, damaged, or altered.
 Non-malicious threats usually come from employees who are untrained in computers and are unaware of security threats and vulnerabilities.
 Note that ignorant employees usually have no motives and goals for causing damage. The damage is accidental.
 Malicious attackers can deceive ignorant employees by using "social engineering" to gain entry.
 The attacker could masquerade as an administrator and ask for passwords and user names.
Contd.

 Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly and/or indirectly.
 An error can be a threat, such as a data entry error or a programming error that crashes a system.
 Errors can also create vulnerabilities, which are weaknesses that allow an attacker to reduce a system's information assurance.
 Programming and development errors, often called "bugs," range in severity from irritating to catastrophic.
 Errors and omissions are important threats to data integrity.
Security Vulnerabilities
 Vulnerabilities (Attack Surface):- are weak points or loopholes in security that an attacker can exploit in order to gain access to the network or to resources on the network.
 The vulnerability is not the attack, but rather the weak point that is exploited.
 Vulnerability is the intersection of three elements:
1. A system susceptibility or flaw,
2. attacker access to the flaw, and
3. attacker capability to exploit the flaw.
 For a system to be vulnerable, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
 A security risk may be classified as a vulnerability. But there are vulnerabilities without risk, for example when the affected asset has no value.
Contd.
 A vulnerability with one or more known instances of working and fully-implemented attacks is classified as an exploitable vulnerability, a vulnerability for which an exploit exists.
[Figure: Threat agents, attack vectors, weakness, controls, IT asset and business impact]
Vulnerability Classification
 Vulnerabilities are classified according to the asset class they relate to:
1. Hardware
 susceptibility to humidity
 susceptibility to dust
 susceptibility to soiling
 susceptibility to unprotected storage
2. Software
 insufficient testing
 lack of audit trail
Contd.
3. Network
 unprotected communication lines
 insecure network architecture
4. Personnel
 inadequate recruiting process
 inadequate security awareness
5. Site
 area subject to flood
 unreliable power source
6. Organizational
 lack of regular audits
 lack of continuity plans
Vulnerabilities in Common Network Access Procedures &
Protocols
 The primary protocol used in operating systems today is the TCP/IP protocol stack.
 The wide use of this protocol helps to integrate different operating system architectures such as Microsoft and UNIX.
 Many organizations make use of this interoperability and use various TCP/IP utilities to run programs, transfer information, and reveal information.
 Due to the nature of these utilities, various security risks and threats exist.
 Users often use the same passwords for mixed environments.
 Sometimes, passwords are automatically synchronized.
 If hackers can crack the password on systems other than Microsoft systems, they could also use that password to log on to a Microsoft system.
Telnet
 The Telnet protocol allows a user to log onto a system over the network
and use that system as though the user was sitting at a terminal that was
directly connected.
 The telnet command provides a user interface to a remote system.
 When using the Microsoft telnet client to log on to the Microsoft
Windows 2000 Telnet service, it uses the NTLM protocol to log the client
on.
 Problems arise when integrating Microsoft systems and UNIX systems.
 When logging on to a system from a Microsoft telnet client to UNIX
TELNET daemon service or vice versa, the user name and password are
sent over the network in plain text.
 Since the user name and password characters are not encrypted, it is
possible for an electronic eavesdropper to capture a user name and
File Transfer Protocol(FTP)
 It allows users to connect to remote systems and transfer files back and
forth.
 As part of establishing a connection to a remote computer, FTP relies
on a user name and password combination for authentication.
 Use of FTP poses a security problem similar to use of the Telnet
protocol because passwords typed to FTP are transmitted over the
network in plain text, one character per packet. These packets can be
intercepted.
 Another problem area for FTP is anonymous FTP.
 Anonymous FTP allows users who do not have an account on a
computer to transfer files to and from a specific directory.
 This capability is particularly useful for software or document
Contd.
 To use anonymous FTP, a user passes a remote computer name as an
argument to FTP and then specifies "anonymous" as a user name.
 Problems with anonymous FTP are:
 There is often no record of who has requested what information.
 The threat of denial-of-service attacks: whether deliberate or accidental,
authorized users may be denied access to a system if too many file transfers
are initiated simultaneously.
 It is important to securely set up the anonymous FTP account on the
server because everyone on the network will have potential access.
 If the anonymous FTP account is not securely configured and
administered, crackers may be capable of adding and modifying files.
Trivial File Transfer Protocol (TFTP)
 It is a file transfer program that is frequently used to allow diskless
hosts to boot over the network.
 Microsoft Windows 2000 implements a client utility to make use of
TFTP services on UNIX flavors.
 Because TFTP has no user authentication, it may be possible for
unwanted file transfer to occur.
 The use of TFTP to steal password files is a significant threat.
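As an added example (not from the slides), the following Python detector reads constructed connection-log lines and flags the protocols discussed in this section, Telnet, FTP and TFTP, whose credentials cross the network unencrypted or, for TFTP, without any authentication. The log format, the port-to-service mapping and the addresses are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Services the slides describe as risky, keyed by (transport, port).
# The mapping is this example's assumption, not something from the slides.
CLEARTEXT_SERVICES = {
    ("tcp", 23): "telnet",
    ("tcp", 21): "ftp",
    ("udp", 69): "tftp",
}

# Constructed log format:
# "<timestamp> proto=<tcp|udp> src=<ip> dst=<ip> dport=<n> [user=<name>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>tcp|udp) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    service: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a connection to a cleartext service."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignore it rather than guess
    service = CLEARTEXT_SERVICES.get((m["proto"], int(m["dport"])))
    if service is None:
        return None
    user = m["user"]
    if service == "tftp":
        reason = "TFTP transfer: no user authentication at all"
    elif service == "ftp" and user is not None and user.lower() == "anonymous":
        reason = "anonymous FTP login: no record of who requested what"
    else:
        reason = f"{service} session: user name and password sent in plain text"
    return Finding(m["ts"], m["src"], m["dst"], service, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run the classifier over every line and keep the hits."""
    return [f for f in map(classify, lines) if f is not None]


def count_by_service(findings: List[Finding]) -> dict:
    """Summary a reviewer looks at first: number of hits per service."""
    counts: dict = {}
    for f in findings:
        counts[f.service] = counts.get(f.service, 0) + 1
    return counts


# Constructed sample log: mixed-environment hosts, one SSH line as a control.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=23 user=jsmith",
    "2024-05-01T09:00:07 proto=tcp src=10.0.0.5 dst=10.0.0.21 dport=21 user=anonymous",
    "2024-05-01T09:00:09 proto=tcp src=10.0.0.8 dst=10.0.0.21 dport=21 user=alice",
    "2024-05-01T09:00:12 proto=udp src=10.0.0.30 dst=10.0.0.40 dport=69",
    "2024-05-01T09:00:15 proto=tcp src=10.0.0.5 dst=10.0.0.20 dport=22 user=jsmith",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src}->{hit.dst} [{hit.service}] {hit.reason}")
```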
Commands Revealing User Information
 It is not uncommon to find interoperability between Microsoft
products and various flavors of UNIX.
 Commands that reveal user and system information pose a
threat because crackers can use that information to break into a
system.
 Some of these commands whose output makes a system
vulnerable to break-ins include:
 Finger
 Rexec
Finger
 The finger client utility on Windows NT and Windows 2000 can be
used to connect to a finger daemon service running on a UNIX-based
computer to display information about users.
 When the finger client utility is invoked with a name argument, the
password file is searched on a UNIX server.
 Every user with a first name, last name, or user name that matches the
name argument is returned.
 When the finger program is run with no arguments, information for
every user currently logged on to the system is displayed.
 User information can be displayed for remote computers as well as for
the local computer.
Contd.
 The output of finger typically includes logon name, full name, home
directory, last logon time, and in some cases when the user received
mail and/or read mail.
 Personal information, such as telephone numbers, is often stored in
the password file so that this information is available to other users.
 Making personal information about users available poses a security
threat because a password cracker can make use of this information.
 In addition, finger can reveal logon activity.
Rexec
 The rexec utility is provided as a client on Microsoft Windows NT and
Windows 2000.
 The rexec client utility allows remote execution on UNIX-based
systems running the rexecd service.
 A client transmits a message specifying the user name, the password,
and the name of a command to execute.
 The rexecd program is susceptible to abuse because it can be used to
probe a system for the names of valid accounts.
 In addition, passwords are transmitted unencrypted over the network.
Protocol Design
 Communication protocols sometimes have weak points. Attackers
use these to gain information and eventually gain access to systems.
Some known issues are:
 TCP/IP:- The TCP/IP protocol stack has some weak points that
allow:
 IP address spoofing
 TCP connection request (SYN) attacks
 ATM:- Security can be compromised by what is referred to as
"manhole manipulation", direct access to network cables and
connections in underground parking garages and elevator shafts.
 Frame relay:- Similar to the ATM issue.
Weak Password
 Password selection will always be a contentious point as long as users
have to select one.
 Users usually select commonly used passwords because they are easy to
remember, like anything from birthday to the names of loved ones. This
creates a vulnerability.
 A password is the key to a computer, a key much sought-after by hackers,
as a means of getting a foothold into a system.
 A weak password may give a hacker access not only to a computer, but to
the entire network to which the computer is connected.
 Users should treat their passwords like the keys to their homes.
 Switches and routers are easily managed by an HTTP Web interface or
through a command line interface.
 Coupled with the use of weak passwords, this allows anybody with some
technical knowledge to take control of the device.
Modem
 If a computer has a modem connected to the Internet, the user needs to
take appropriate precautions because modem connections can be a
significant vulnerability.
 Hackers commonly use a tool known as a "war dialer" to identify the
modems at a target organization.
 A war dialer is a computer program that automatically dials phone
numbers within a specified range of numbers.
 Most organizations have a block of sequential phone numbers.
 By dialing all numbers within the targeted range, the war dialer identifies
which numbers are for computer modems and determines certain
characteristics of those modems.
 The hacker then uses other tools to attack the modem to gain access to the
computer network.
 Anyone can download effective war dialers from the Internet at no cost.
Part Three
Security Policies, Services and Mechanisms

Computer Networks and Information Security
(IT 3104)
Overview
 Overview on security policies, attacks, services and mechanisms
 Security attacks and security attack types: active and passive
attacks
 Security services and security service types
 Security mechanisms and security mechanism types
 A model for internetwork security
 Other network security considerations
Security Policy
 is a document or set of documents that states an organization’s
intentions and decisions on what and how electronic
information should be secured.
 a statement of what is and what is not allowed.
 It is a set of rules and practices that specify or regulate how a
system or organization provides security services to protect
sensitive and critical system resources.
 Is also the set of rules laid down by the security authority
governing the use and provision of security services and
facilities.
Security attacks, Mechanisms and Services
 Security attack:- any action that will compromise the security of
information.
 These attacks take many forms, but in most cases, they seek to obtain
sensitive information, destroy resources, or deny legitimate users access
to resources.
 Security mechanism:- is a mechanism that is designed to
detect, prevent, or recover from a security attack.
 Security services:- A service that enhances the security of data
processing systems and information transfers.
 A security service makes use of one or more security mechanisms.
Security Attacks
 Is an assault on system security- an intelligent act that is a deliberate
attempt to evade security services and violate the security policy of a
system.
[Figure: information flow from an information source to an information destination under (a) normal flow, (b) interruption, (c) interception, (d) modification and (e) fabrication]
Contd.
Interruption
 The system is destroyed or becomes unavailable.
 This is an attack on availability.
 This could be a destruction of a piece of hardware or
cutting a communication line.
Contd.
Interception
 An unauthorized party gets access to information.
 This is an attack on confidentiality.
 Overhearing, eavesdropping over a communication line.
 The attacker could be a person or a program.
 An example of this could be unauthorized copying of files.
Contd.
Modification
 An unauthorized party gains access to information and also
modifies it.
 This is an attack on integrity of information.
 Modification of program or data files to operate or contain
different information.
 Corrupting transmitted data or tampering with it before it reaches its
destination.
Contd.
Fabrication
 An unauthorized party injects fabricated information into
the system.
 That is, faking data as if it were created by a legitimate and
authentic party.
 This is an attack on authenticity.
 Examples of this are insertion of spurious messages, addition
of records to a file, etc.
Attack Types
1. Passive attacks:- are the type of attacks which do not
change or modify the information flowing between the parties.
 This type of attack is hard to detect since it does not involve
the other party or alter the data.
 The objective of the opponent is to obtain the information that
is being transmitted.
 Passive attacks attempt to learn or make use of information
from the system but don’t affect the system resources.
 This kind of attack can be prevented rather than detected.
Examples are eavesdropping or monitoring of traffic.
Passive Attack Types
A. Release of Message Content:- Messages, such as a telephone
conversation, an e-mail, or a transferred file, may contain sensitive or
confidential information.
 An opponent may get to know the contents of the message.
 The aim is to prevent the opponent from learning the contents of these
transmissions.
B. Traffic Analysis:- Analyzing or determining the location and
identity of hosts and paths to guess at the nature of communication
that is/was taking place.
 Here, the link traffic profile and information gathering is done by
the opponent.
Contd.
2. Active attacks:- are types of attacks which attempt to alter
system resources or affect their operation.
 Are easier to detect since the information stream is altered and
involves the other party.
 Harder to prevent since no absolute protection is available
with the current buggy systems.
 Involves some modification of the data stream or creation
of a false stream.
Active Attack Types
A. Masquerading:- The entity pretends to be a different entity.
 It usually includes one of the other forms.
B. Replay:- involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect.
 Passive capture of data, alter and then retransmit.
C. Modification of Message:- Means some portion of the legitimate
message is altered, or the messages are delayed or reordered, to
produce an unauthorized effect.
D. Denial of Service:- Prevents or inhibits the normal use or
management of communications facilities.
Security Services
 A security service is the collection of mechanisms, procedures and
other controls that are implemented to help reduce the risk
associated with a threat.
 For example, the identification and authentication service helps
reduce the risk of the unauthorized user threat.
 Some services provide protection from threats, while other services
provide for detection of the threat occurrence.
 An example of this would be a logging or monitoring service.
Security Services Types
A. Confidentiality (privacy):- is the protection of
transmitted data from passive attacks.
 The other aspect of confidentiality is the protection of
traffic flow from analysis.
 The attacker will not be able to observe the source and
destination, frequency, length or other characteristics of the
traffic on a communications facility.
B. Integrity (has not been altered):- ensures that the
messages are received with no duplication, insertion,
modification, reordering or replays.
Contd.
 Connection oriented service:- addresses DoS and modifications
(duplication, insertion, modification and reordering problems
handled).
 Connectionless service:- deals with only individual messages and
only assures against modification. This is because it only deals with
individual packets.
C. Access Control:- This service controls who can have access to a
resource, under what conditions access can occur and what those
accessing the resources are allowed to do.
D. Non-repudiation:- Prevents either sender or receiver from denying a
transmitted message.
Contd.
E. Authentication:- is the assurance that the communicating
entity is the one that it claims to be.
I. Peer Entity Authentication:- is used in association with a
logical connection to provide confidence in the identity of the entities.
II. Data Origin Authentication:- In a connectionless transfer, it
provides assurance that the source of received data is as claimed.
F. Audit:- Recording & analysis of participation, roles and actions in
information communication by relevant entities.
G. Availability:- having your data accessible and obtainable at all
times.
Contd.
Primary Services
1. Confidentiality
 Data Confidentiality
 Traffic Confidentiality
2. Data Integrity
3. Authentication
 Data Origin Authentication
 Peer Authentication
4. Access Control
5. Non-Repudiation
 Non-Repudiation of Origin
 Non-Repudiation of Reception
6. Audit
7. Availability – an after-thought but increasingly important
Security Mechanisms
1. Encipherment:- is the use of mathematical algorithms to transform
data into a form that is not readily intelligible.
2. Digital Signature:- is a mathematical scheme for demonstrating the
authenticity of a digital message or document.
 A valid digital signature gives a recipient reason to believe that the message
was created by a known sender, and that it was not altered in transit.
3. Access Control:- a variety of mechanisms that enforce access
rights to resources.
4. Data Integrity:- a variety of mechanisms used to assure the integrity
of a data unit or stream of data units.
5. Authentication Exchange:- a mechanism intended to ensure the
identity of an entity by means of information exchange.
6. Traffic Padding:- The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.
7. Routing Control:- Enables selection of particularly secure routes
for certain data & allows routing changes, especially when a
breach of security is suspected.
8. Notarization:- The use of a trusted third party to assure certain
properties of a data exchange.
Confidentiality
• Protection of information from disclosure to unauthorized entities
(organizations, people, machines, processes).
• Information includes data contents, size, existence, communication
characteristics, etc.
Service Types:
 Data Confidentiality / Disclosure Protection
 Connection Oriented
 Connectionless
 Selective Field
 Traffic Flow Confidentiality
 Origin Destination Association
 Message Size
 Transmission Patterns
Protection Mechanisms:
 Data Encryption
 Symmetric (Secret-Key)
 Asymmetric (Public-Key)
 Accompanied with Data Integrity
Integrity
 Protection of data against creation, alteration, deletion,
duplication, re-ordering by unauthorized entities (organizations,
people, machines, processes).
 Integrity violation is always caused by active attacks.
Service Types:
 Message Integrity – associated with connectionless communication
 Message Stream Integrity – associated with connection oriented communication
Protection Mechanisms:
 Message Digests (Hashing)
 Sequence Numbers
 Nonce ID (Random Number)
 Time Stamps
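To show how the mechanisms listed above (message digests, sequence numbers, nonces, time stamps) let a receiver detect the active attacks described earlier (modification, replay, reordering), here is an added Python example that is not part of the slides. The shared key, the message layout, HMAC-SHA256 as the keyed digest and the clock-skew window are all assumptions of the example.

```python
import hashlib
import hmac
import json
from typing import Tuple

MAX_CLOCK_SKEW = 30  # seconds; assumed tolerance for the time stamp check


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver digest identical bytes."""
    return json.dumps(body, sort_keys=True).encode()


def _tag(key: bytes, body: dict) -> str:
    """Keyed message digest (HMAC-SHA256) over the whole protected body."""
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class Sender:
    def __init__(self, key: bytes, session_nonce: str):
        self.key, self.nonce, self.seq = key, session_nonce, 0

    def send(self, data: str, now: int) -> dict:
        """Wrap data with the session nonce, next sequence number, time stamp and tag."""
        self.seq += 1
        body = {"nonce": self.nonce, "seq": self.seq, "ts": now, "data": data}
        return {**body, "tag": _tag(self.key, body)}


class Receiver:
    def __init__(self, key: bytes, session_nonce: str):
        self.key, self.nonce, self.expected_seq = key, session_nonce, 1

    def accept(self, msg: dict, now: int) -> Tuple[bool, str]:
        """Check the digest first, then freshness; each failure names the attack."""
        body = {k: v for k, v in msg.items() if k != "tag"}
        if not hmac.compare_digest(_tag(self.key, body), msg.get("tag", "")):
            return False, "modified: digest does not match"
        if body.get("nonce") != self.nonce:
            return False, "replayed from another session: nonce mismatch"
        if abs(now - body["ts"]) > MAX_CLOCK_SKEW:
            return False, "stale: time stamp outside the window"
        if body["seq"] < self.expected_seq:
            return False, "replayed: sequence number already seen"
        if body["seq"] > self.expected_seq:
            return False, "reordered or dropped: sequence gap"
        self.expected_seq += 1
        return True, "ok"


def demo() -> list:
    """Walk one session through normal, replayed, modified and reordered traffic."""
    key, nonce = b"constructed-shared-key", "d41d8cd98f00b204"  # example values only
    alice, bob = Sender(key, nonce), Receiver(key, nonce)
    results = []
    m1 = alice.send("transfer 10", now=1000)
    results.append(bob.accept(m1, now=1000)[1])        # ok
    results.append(bob.accept(m1, now=1001)[1])        # replay of m1
    m2 = alice.send("transfer 10", now=1001)
    tampered = {**m2, "data": "transfer 1000"}          # modification in transit
    results.append(bob.accept(tampered, now=1001)[1])
    results.append(bob.accept(m2, now=1001)[1])        # genuine m2 still ok
    m3, m4 = alice.send("a", now=1002), alice.send("b", now=1002)
    results.append(bob.accept(m4, now=1002)[1])        # m4 before m3: gap
    results.append(bob.accept(m3, now=1002)[1])        # ok
    results.append(bob.accept(m4, now=1002)[1])        # now in order: ok
    m5 = alice.send("c", now=1003)
    results.append(bob.accept(m5, now=5000)[1])        # stale time stamp
    return results
```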
Authentication
• Communicating entities are provided with assurance & information
of relevant identities of communicating partners (people, machines,
processes).
• Personnel Authentication requires special attention.
Service Types:
 Data Origin Authentication – associated with connectionless communication
 Peer Entity Authentication – associated with connection oriented communication
 Fundamental for access control, hence confidentiality & integrity
Protection Mechanisms:
 Password
 Manual
 One-Time Password
 Key Sharing
 Manual
 Symmetric Key (Tickets)
 Asymmetric Key (Certificates)
 Challenge – Response
 Nonce Based
 Zero Knowledge Proof
Access Control
Protection of information resources or services from access or use by unauthorized
entities (organizations, people, machines, processes).
 Privileges – rights to access or use resources or services
 Principals – entities that own access control privileges
 Subjects – entities that exercise access control privileges
 Objects / Targets – resources or services accessed/used by subjects
 Delegation – transfer of access control privileges among principals
 Authorization – transfer of access control privileges from principals to subjects
Service Types:
 Subject Based Typing
 Identity Based
 Role Based
 Enforcement Based Typing
 Mandatory Access Control – Management Directed
 Discretionary Access Control – Resource Owner Directed
Protection Mechanisms:
 Access Control Lists (ACLs)
 Object Based Specification
 Ex.: UNIX File System
 Capabilities
 Subject Based Specification
 Issue Tickets/Certificates
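As an added Python example (not from the slides), the following shows the two typings above working together: an object-based ACL with identity and role entries that only the resource owner may change (discretionary, resource owner directed), and a mandatory label check applied regardless of what the ACL says (management directed). The users, roles, classification lattice and resources are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Assumed classification lattice for the mandatory check, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass
class Subject:
    name: str
    roles: FrozenSet[str]
    clearance: str


@dataclass
class Resource:
    name: str
    owner: str
    classification: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # entry -> rights


def grant(res: Resource, grantor: str, entry: str, rights: Set[str]) -> None:
    """Discretionary control: only the resource owner may edit its ACL."""
    if grantor != res.owner:
        raise PermissionError(f"{grantor} does not own {res.name}")
    res.acl.setdefault(entry, set()).update(rights)


def acl_allows(subj: Subject, res: Resource, right: str) -> bool:
    """Object-based lookup: match the subject's identity or any of its roles."""
    entries = {f"user:{subj.name}"} | {f"role:{r}" for r in subj.roles}
    return any(right in res.acl.get(e, set()) for e in entries)


def authorize(subj: Subject, res: Resource, right: str) -> Tuple[bool, str]:
    """Mandatory rule first (the owner cannot override it), then the ACL."""
    if LEVELS[subj.clearance] < LEVELS[res.classification]:
        return False, "denied by mandatory policy: clearance below classification"
    if not acl_allows(subj, res, right):
        return False, "denied by ACL: no identity or role entry grants this right"
    return True, "allowed"


def demo() -> Dict[str, str]:
    """Constructed scenario: a secret payroll file shared with the auditor role."""
    alice = Subject("alice", frozenset({"hr"}), "secret")
    bob = Subject("bob", frozenset({"auditor"}), "internal")
    carol = Subject("carol", frozenset({"auditor"}), "secret")
    payroll = Resource("payroll.xlsx", owner="alice", classification="secret")
    grant(payroll, "alice", "role:auditor", {"read"})
    grant(payroll, "alice", "user:alice", {"read", "write"})
    out = {
        "carol reads": authorize(carol, payroll, "read")[1],    # allowed
        "carol writes": authorize(carol, payroll, "write")[1],  # ACL denies
        "bob reads": authorize(bob, payroll, "read")[1],        # mandatory denies
        "alice writes": authorize(alice, payroll, "write")[1],  # allowed
    }
    try:
        grant(payroll, "bob", "user:bob", {"read"})  # bob is not the owner
        out["bob grants"] = "unexpectedly allowed"
    except PermissionError:
        out["bob grants"] = "rejected: only the owner may change the ACL"
    return out
```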
Non-Repudiation
 Protection against denial of participation by communicating
entities in all or part of a communication.
Service Types:
 Non-Repudiation of Origin
 Non-Repudiation of Reception
Protection Mechanisms:
 Notarization
 Time Stamp
 Digital Signature
Audit
 Recording & analysis of participation, roles and actions in
information communication by relevant entities.
Service Types:
 Off-line Analysis (Computer Forensics)
 On-line Analysis (Real-time Intrusion Detection)
Protection Mechanisms:
 Intrusion Monitors / Sensors
 Common Intrusion Detection Framework (CIDF)
 Common Information Model (CIM)
Service vs. Layer Mapping
Service / Layer 1 2 3 4 6 7
Confidentiality, Connectionless Y Y Y Y
Confidentiality, Connection Y Y Y Y Y
Confidentiality, Selected Field Y Y
Confidentiality, Traffic Flow Y Y
Authentication, Data Origin ? Y Y Y
Authentication, Peer Entity Y Y Y
Integrity, Message Y Y Y Y
Integrity, Message Stream ? Y Y Y
Access Control ? Y Y Y
Non-Repudiation, Origin Y
Non-Repudiation, Receipt Y
? = difference between IEEE802 and ISO
A Model for Network Security
Design Issues in the Model
1. Design an algorithm for performing the security-related
transformation.
 The algorithm should be such that an opponent cannot defeat its
purpose.
2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of the secret
information.
4. Specify a protocol to be used by the two principals that makes
use of the security algorithm and the secret information to
achieve a particular security service.
Other Considerations
1. Network Design Considerations
 Designing for acceptable risk.
 Use of network models with security (LAN/WAN more secure, dedicated/non-
dedicated, segregation and isolation)
2. Host hardening
 Firewalls, packet filtering
3. Choice of network devices
 Choice of routers and other hardware
 Routing protocols
4. Intrusion detection systems (IDS)
 Host based IDS
 Network based IDS
Network Penetration Attacks and Firewalls
[Figure: a firewall sits between the Internet and the internal corporate network; a legitimate packet is passed through to the hardened client PC and hardened server, while the attacker's packet is dropped and recorded in the log file]
Intrusion Detection System
[Figure: (1) a suspicious packet from the attacker on the Internet reaches the intrusion detection system, (2) the suspicious packet is passed on to the hardened server on the corporate network, (3) the packet is written to the log file, and (4) an alarm is raised to the network administrator]
Encryption for Confidentiality
[Figure: Bob's client PC encrypts the original message "Hello" into the encrypted message "100100110001" before sending it to Alice's server, which decrypts it back to "Hello"; the attacker (Eve) intercepts "100100110001" but cannot read it]
Impersonation and Authentication
[Figure: the attacker (Eve) sends "I'm Bob" to Alice's server; the server answers "Prove it!" (authenticate yourself) before accepting the claimed identity of Bob's client PC]
Secure Dialog System
[Figure: a secure dialog between Bob's client PC and Alice's server automatically handles negotiation of security options, authentication, encryption and integrity; the attacker cannot read messages, alter messages, or impersonate]
Hardening Host Computers
1. The Problem
 Computers installed out of the box have known vulnerabilities
 Not just Windows computers
 Hackers can take them over easily
 They must be hardened—a complex process that involves many actions
2. Elements of Hardening
 Physical security
 Secure installation and configuration
 Fix known vulnerabilities
 Turn off unnecessary services (applications)
 Harden all remaining applications
 Manage users and groups
 Manage access permissions
 For individual files and directories, assign access permissions to specific users and
groups
 Back up the server regularly
 Advanced protections