Unit-4 Cns

21CSE281T - CRYPTOGRAPHY AND NETWORK SECURITY
Introduction to Network Security

Networking Devices (layer 1, 2, 3):

Physical Layer – The physical layer of the TCP/IP model is responsible for the physical connectivity of
two devices. Some of the devices used at the physical layer are:

Hubs: Hubs are devices commonly used to connect segments of a LAN. A hub has multiple ports; when a
signal arrives on any port, the hub repeats it out of every other port. Because every attached host
therefore sees every frame, a hub offers no isolation: any host on a hub can sniff all the traffic
passing through it.

Cables: In a wired network architecture (e.g. Ethernet), cables interconnect the devices. Common cable
types are coaxial cable, optical fibre cable and twisted pair cable.

Modem: Modem stands for MOdulator/DEModulator. A modem converts the digital signals generated by the
computer into analog signals that can be transmitted over a telephone or cable line, and transforms
incoming analog signals back into their digital equivalents.

Repeaters:
Repeaters are used in transmission systems to regenerate analog or digital signals distorted by
transmission loss. An analog repeater can only amplify the signal (noise included), whereas a digital
repeater reproduces the signal to near its original quality.
Data Link Layer – The data link layer is responsible for transferring data hop by hop (i.e. within the
same LAN, from one device to the next) based on MAC addresses. Some of the devices used at the data
link layer are:

Bridges:
A bridge is a network device that connects two LAN segments using the same protocol and forwards
frames between them based on MAC address, so that traffic local to one segment stays on that
segment.

Switch: A network switch is a multiport network bridge that uses MAC addresses to forward data at
the data link layer (layer 2) of the OSI model. Unlike a hub, it delivers a frame only to the port on
which the destination MAC address was learned, so the other ports do not see it. Some switches can
also forward data at the network layer (layer 3) by additionally incorporating routing functionality;
such switches are commonly known as layer-3 switches or multilayer switches.

Network Interface Card:
A network interface card (NIC) is the hardware component that connects a computer to a computer
network, usually a LAN, and gives the computer its MAC address. Most modern computers have the
network interface controller embedded directly on the motherboard rather than provided as a
separate expansion card.
Network Layer – The network layer is responsible for building the routing table and, based on that
table, forwarding incoming packets. Some of the devices used at the network layer are:
Routers:
A router is a switch-like device that routes/forwards data packets based on their IP addresses.
Routers normally connect Local Area Networks (LANs) and Wide Area Networks (WANs) together and
maintain a dynamically updated routing table on which they base their forwarding decisions for
incoming packets.
Brouters:
A bridge router or brouter is a network device that works both as a bridge and as a router. The
brouter routes packets for known (routable) protocols and simply forwards all other packets as a
bridge would. It therefore operates at the network layer for routable protocols (including between
networks with different data link layer protocols, e.g. one running Ethernet (802.3) and the other
Token Ring (802.5)) and at the data link layer for non-routable protocols (where both networks use
the same data link layer protocol).
Figure: Typical interconnection of Router, Switch, Hub and Bridge
Transport Layer – The transport layer is responsible for end-to-end (process-to-process)
communication. Some of the devices commonly placed at the transport layer are:
Gateways:
In computer networking, a gateway is a component that belongs to two networks which use different
protocols. The gateway is a protocol converter that translates one protocol into the other. A router
is a special case of a gateway.
Firewall:
A firewall is a system designed to prevent unauthorized access to or from a private network. Its main
functions are packet filtering (on network and transport layer headers) and acting as a proxy server
for selected applications.

Application Layer – The application layer is the topmost layer of the TCP/IP model and provides the
interface between applications and the network; it is where application messages are exchanged.
Some of the devices used at the application layer are:
•PCs (personal computers), phones, servers
•Gateways and firewalls (application-level proxies)
Different types of network layer attacks

Network layer attacks target the network infrastructure of a system or network. These attacks exploit
weaknesses in the protocols and devices responsible for routing and transferring data between
systems. Below are some common types of network layer attacks:

Malware – short for malicious software, which is specifically designed to disrupt, damage, or gain
unauthorized access to a computer system. Much of the malware out there today is self-replicating: once
it infects one host, it seeks entry into other hosts over the Internet from that host, and from the newly
infected hosts it seeks entry into yet more hosts. In this manner, self-replicating malware can spread
exponentially fast.

Virus – Malware that requires some form of user interaction to infect the user's device. The classic
example is an e-mail attachment containing malicious executable code: if a user receives and opens such
an attachment, the user inadvertently runs the malware on the device.

Worm – Malware that can enter a device without any explicit user interaction. For example, a user may
be running a vulnerable network application to which an attacker can send malware. In some cases, without
any user intervention, the application accepts the malware from the Internet and runs it, and the malware
then spreads on its own as a worm.

Botnet – A network of private computers infected with malicious software and controlled as a group
without the owners’ knowledge, e.g. to send spam.
DoS (Denial of Service) – A DoS attack renders a network, host, or other piece of infrastructure unusable by
legitimate users. Most Internet DoS attacks fall into one of three categories:

• Vulnerability attack: This involves sending a few well-crafted messages to a vulnerable application or
operating system running on a targeted host. If the right sequence of packets is sent to a vulnerable application
or operating system, the service can stop or, worse, the host can crash.
• Bandwidth flooding: The attacker sends a deluge of packets to the targeted host—so many packets that the
target’s access link becomes clogged, preventing legitimate packets from reaching the server.
• Connection flooding: The attacker establishes a large number of half-open or fully open TCP connections at
the target host. The host can become so bogged down with these bogus connections that it stops accepting
legitimate connections.

DDoS (Distributed DoS) – DDoS is a type of DoS attack in which multiple compromised systems are used to
target a single system, causing a denial of service. DDoS attacks leveraging botnets with thousands of
compromised hosts are a common occurrence today. They are much harder to detect and defend against than a
DoS attack from a single host, because no single source stands out and the attack traffic cannot be
stopped by filtering one address.
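Added example (not from the original slides): a small C program that applies the connection-flooding and DDoS points above to a constructed list of server sockets. The input lines imitate the "proto recv-q send-q local remote state" layout of netstat output and are invented for this example. The program counts half-open (SYN_RECV) connections per remote address and applies two thresholds: a per-source limit, which catches a single-host SYN flood, and an aggregate limit, which is what still fires when a botnet spreads the flood so thinly that no single source crosses the per-source limit.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of netstat-style socket lines (invented, not captured). */
static const char *SAMPLE_SOCKETS[] = {
    "tcp 0 0 10.0.0.5:80 203.0.113.7:40213 SYN_RECV",
    "tcp 0 0 10.0.0.5:80 203.0.113.7:40214 SYN_RECV",
    "tcp 0 0 10.0.0.5:80 203.0.113.7:40215 SYN_RECV",
    "tcp 0 0 10.0.0.5:80 203.0.113.7:40216 SYN_RECV",
    "tcp 0 0 10.0.0.5:80 198.51.100.2:51000 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 198.51.100.9:51001 SYN_RECV",
    "tcp 0 0 10.0.0.5:443 192.0.2.33:6000 ESTABLISHED",
};
#define SAMPLE_COUNT (sizeof SAMPLE_SOCKETS / sizeof SAMPLE_SOCKETS[0])
#define MAX_SOURCES 64

struct source_count { char ip[16]; int half_open; };

struct flood_report {
    int total_half_open;   /* all SYN_RECV sockets; a high total with no single
                              offender is the distributed (DDoS) pattern */
    int offenders;         /* sources at or above the per-source threshold */
    int aggregate_alert;   /* total_half_open >= total_limit */
    char top_source[16];   /* source holding the most half-open connections */
};

/* Count SYN_RECV (half-open) sockets per remote address.
 * Returns the number of distinct sources written to out. */
static int tally_half_open(const char **lines, size_t n,
                           struct source_count *out, int max_sources)
{
    int used = 0;
    for (size_t i = 0; i < n; i++) {
        char proto[8], local[32], remote[32], state[16];
        if (sscanf(lines[i], "%7s %*d %*d %31s %31s %15s",
                   proto, local, remote, state) != 4)
            continue;                        /* malformed line: skip it */
        if (strcmp(state, "SYN_RECV") != 0)
            continue;                        /* only half-open connections count */
        char *colon = strrchr(remote, ':');  /* drop the remote port */
        if (colon) *colon = '\0';
        int j;
        for (j = 0; j < used; j++)
            if (strcmp(out[j].ip, remote) == 0) break;
        if (j == used) {
            if (used == max_sources) continue;
            snprintf(out[used].ip, sizeof out[used].ip, "%s", remote);
            out[used].half_open = 0;
            used++;
        }
        out[j].half_open++;
    }
    return used;
}

/* Two thresholds: per source (single-host DoS) and in aggregate (DDoS, where
 * each bot can stay below the per-source limit). */
struct flood_report analyze_sockets(const char **lines, size_t n,
                                    int per_source_limit, int total_limit)
{
    struct source_count counts[MAX_SOURCES];
    struct flood_report r = { 0, 0, 0, "" };
    int used = tally_half_open(lines, n, counts, MAX_SOURCES);
    int best = 0;
    for (int i = 0; i < used; i++) {
        r.total_half_open += counts[i].half_open;
        if (counts[i].half_open >= per_source_limit) r.offenders++;
        if (counts[i].half_open > best) {
            best = counts[i].half_open;
            snprintf(r.top_source, sizeof r.top_source, "%s", counts[i].ip);
        }
    }
    r.aggregate_alert = r.total_half_open >= total_limit;
    return r;
}

struct flood_report analyze_sample(int per_source_limit, int total_limit)
{
    return analyze_sockets(SAMPLE_SOCKETS, SAMPLE_COUNT, per_source_limit, total_limit);
}

int main(void)
{
    struct flood_report r = analyze_sample(3, 10);
    printf("half-open total=%d offenders=%d top=%s aggregate_alert=%d\n",
           r.total_half_open, r.offenders, r.top_source, r.aggregate_alert);
    return 0;
}
```

On the sample, 203.0.113.7 holds four half-open connections and trips a per-source limit of 3, while the total of five stays under an aggregate limit of 10; lowering the aggregate limit to 4 raises the alert even for a source set that individually looks harmless, which is the case the DDoS paragraph describes. The thresholds are inputs rather than constants because the right values depend on the server's normal load.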

Packet sniffer – A passive receiver that records a copy of every packet that passes by is called a packet
sniffer. By placing a passive receiver in the vicinity of a wireless transmitter (or on a shared medium such
as a hub), the attacker obtains a copy of every packet transmitted. These packets can contain all kinds of
sensitive information, including passwords, social security numbers, trade secrets and private personal
messages. Because sniffing is passive it is hard to detect, so the best defenses against packet sniffing
involve cryptography: encrypt the traffic so that a captured copy reveals nothing useful.

IP Spoofing – The ability to inject packets into the Internet with a false source address is known as IP spoofing,
and is but one of many ways in which one user can masquerade as another user. To solve this problem, we will
need end-point authentication, that is, a mechanism that will allow us to determine with certainty if a message
originates from where we think it does.
Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack occurs when
someone between you and the person with whom you are communicating is actively
monitoring, capturing, and controlling your communication transparently. For example, the
attacker can re-route a data exchange. Without authentication of the endpoints, the
communicating computers cannot determine with whom they are actually exchanging data.
Compromised-Key Attack – A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-intensive process for an
attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised
key. An attacker uses the compromised key to gain access to a secured communication without
the sender or receiver being aware of the attack.
Phishing – The fraudulent practice of sending emails purporting to be from reputable
companies in order to induce individuals to reveal personal information, such as passwords
and credit card numbers.
DNS spoofing – Also referred to as DNS cache poisoning, is a form of computer security
hacking in which corrupt Domain Name System data is introduced into the DNS resolver’s
cache, causing the name server to return an incorrect IP address.
Rootkit – Rootkits are stealthy software packages designed to gain administrative (root) privileges
on a system or network device and to hide their presence. Once a rootkit is installed, the attacker
has complete, unrestricted access to the device and can carry out any action, such as spying on users
or stealing confidential data, without hindrance.
Buffer overflow and malicious software:

Buffer Overflow Attack:


Buffer overflow is a critical vulnerability in computer security that has persisted for decades. Despite
technological advancements and security practices, buffer overflow attacks pose significant threats to
software systems worldwide.

Buffer:
A buffer, or data buffer, is a designated area of memory storage used to temporarily hold data while
being transferred from one location to another. Buffers are typically located in RAM and are essential
for enhancing system performance. They are employed in various applications, such as hard drives for
efficient data access and online services like video streaming to prevent interruptions.

For instance, when streaming a video, a buffer stores a portion of the video to ensure
smooth playback, even if the internet connection experiences minor disruptions. Buffers are designed to
hold a specific amount of data. If a program attempts to store more data than the buffer can
accommodate, it may overwrite adjacent memory locations, leading to a buffer overflow. This overflow
can corrupt data and, more alarmingly, can be exploited by attackers to alter program execution.
How Do Buffer Overflows Occur?
Buffer overflows occur when a program writes more data to a buffer than it can hold. This excess
data spills over into adjacent memory, potentially overwriting critical information. Programming
errors, such as failing to check input sizes or incorrect memory allocation, can cause buffer
overflows.

Fig: Buffer Overflows
Exploitation Techniques:

Attackers exploit buffer overflows by crafting inputs that exceed the buffer's capacity. By understanding the program's
memory layout, they can overwrite specific areas to inject malicious code or to redirect execution to code that is already
present. This lets attackers alter the program's behavior, execute arbitrary commands, steal data, or gain unauthorized access.

For example, suppose the overflow reaches a memory location containing a pointer (an object that holds the address of
another memory location), such as a saved return address or a function pointer. In that case, attackers can redirect the
pointer to their malicious payload, effectively transferring control of the program to the attacker.
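Added example (not code from the original slides): a C program showing the mechanism in the smallest form that still exhibits it. It uses a hypothetical login record in which a 16-byte name buffer sits directly in front of a privilege flag; an unbounded copy of a 17-byte name lands its last byte in the flag, which is the "overwrite adjacent memory" step above with the flag standing in for a return address or function pointer. Beside it is the hardened copy, which refuses input that does not fit instead of truncating silently. The unbounded copy deliberately goes through a byte pointer to the whole struct so the demonstration stays inside the object and can be run safely; a real strcpy() would keep writing past the struct into whatever follows it on the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical login record (invented for this example). The fixed-size name
 * buffer sits directly in front of a privilege flag, so bytes written past
 * name[] land in is_admin. */
struct session {
    char    name[16];
    int32_t is_admin;   /* 0 = ordinary user, non-zero = administrator */
};

/* VULNERABLE: copies until the NUL terminator with no bound, the mistake that
 * strcpy()/gets() make. */
static void vulnerable_set_name(struct session *s, const char *input)
{
    unsigned char *bytes = (unsigned char *)s;
    size_t off = offsetof(struct session, name);
    size_t i = 0;
    while (input[i] != '\0') {          /* never compared against sizeof s->name */
        bytes[off + i] = (unsigned char)input[i];
        i++;
    }
    bytes[off + i] = '\0';
}

/* HARDENED: refuse input that does not fit together with its terminator,
 * rather than silently truncating; the caller then reports an error. */
static int safe_set_name(struct session *s, const char *input)
{
    const char *nul = memchr(input, '\0', sizeof s->name);
    if (nul == NULL)
        return -1;                      /* too long for name[] */
    memcpy(s->name, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Returns 1 if the unbounded copy flipped is_admin, 0 otherwise. Inputs must
 * stay under sizeof(struct session) bytes so the write remains inside the
 * object; beyond that it is undefined behaviour, i.e. the real bug. */
int vulnerable_demo(const char *input)
{
    struct session s;
    memset(&s, 0, sizeof s);
    vulnerable_set_name(&s, input);
    return s.is_admin != 0;
}

/* Returns 1 if is_admin changed (it never does); *rejected reports whether the
 * bounded copy refused the input. */
int hardened_demo(const char *input, int *rejected)
{
    struct session s;
    memset(&s, 0, sizeof s);
    *rejected = safe_set_name(&s, input) != 0;
    return s.is_admin != 0;
}

int main(void)
{
    /* 17 bytes: 16 fill name[], the 'B' lands in is_admin */
    const char *attack = "AAAA" "AAAA" "AAAA" "AAAA" "B";
    int rejected;
    int flipped  = vulnerable_demo(attack);
    int hardened = hardened_demo(attack, &rejected);
    printf("unbounded copy: is_admin=%d\n", flipped);
    printf("bounded copy:   is_admin=%d rejected=%d\n", hardened, rejected);
    return 0;
}
```

The check in safe_set_name() reserves room for the terminator: a 15-character name is accepted, a 16-character one is rejected, because 16 bytes plus the NUL would already be one byte past the buffer. That off-by-one is the most common way a "bounded" copy is still wrong.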

Mitigating Buffer Overflow Attacks


Fortunately, several strategies can mitigate the risk of buffer overflow attacks:
1. Address Space Layout Randomization (ASLR)
ASLR is a security technique that randomizes the base addresses of the stack, heap and loaded libraries each time a
program runs. By making it difficult for attackers to predict where code and data live, ASLR significantly reduces the
chance that a buffer overflow exploit succeeds.

2. Data Execution Prevention (DEP)
DEP is a security feature that marks certain areas of memory, such as the stack and heap, as non-executable. This prevents
attackers from executing code in those regions, even if they manage to inject it through a buffer overflow.

3. Secure Coding Practices
Developers can minimize buffer overflow risks by adopting secure coding practices. This includes using memory-safe
languages where possible, replacing unbounded functions such as strcpy() and gets() with bounded alternatives, validating
the size of every input before copying it, employing security-focused libraries and frameworks, and enabling compiler
protections such as stack canaries.

4. Regular Patching and Updates


Software vulnerabilities are continually discovered, and timely patching is crucial. Developers should promptly address newly
identified buffer overflow vulnerabilities and distribute patches to users to protect against exploitation.
Types of Buffer Overflow Attacks:
Buffer overflow attacks can be categorized based on their target and method of execution:

Fig: Types of Buffer Overflow Attacks


1. Stack Overflow Attack
This is the most common type of buffer overflow attack. It involves overflowing a buffer on the
call stack, a structured memory area that stores function parameters, return addresses, and local
variables.By overwriting the return address, attackers can redirect program execution to their
malicious code.

2. Heap Overflow Attack


Heap overflow attacks target the heap, an unstructured memory area used for dynamic memory
allocation. Unlike the stack, the heap does not follow a strict data entry and exit order. Attackers
exploit heap overflows to corrupt data structures and execute arbitrary code.

3. Integer Overflow Attack


An integer overflow occurs when an arithmetic operation results in a value too large for its
designated storage type. If the oversized value is used in memory allocation or indexing
operations, it can lead to buffer overflows.
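Added example (not from the original slides) of the integer overflow case just described, in C. It assumes a hypothetical message layout, invented here, of a 4-byte little-endian entry count followed by that many 64-byte entries. The naive size computation wraps in 32-bit arithmetic, so a hostile count produces a tiny allocation that a later copy of "count" entries would overrun; the hardened reader checks for the wrap before multiplying and also checks the claimed size against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical message layout (invented for this example): a 4-byte
 * little-endian entry count followed by that many ENTRY_SIZE-byte entries. */
#define ENTRY_SIZE 64u

struct entries {
    uint32_t count;
    unsigned char *data;   /* count * ENTRY_SIZE bytes, heap-allocated */
};

/* VULNERABLE: the product is computed in 32-bit unsigned arithmetic, which
 * wraps modulo 2^32. A count of 0x04000001 yields just 64 bytes, and a loop
 * that then copies `count` entries overruns the heap block. */
uint32_t naive_alloc_size(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* HARDENED: reject the count before multiplying if the product cannot fit. */
int checked_alloc_size(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;                      /* would wrap */
    *out = count * ENTRY_SIZE;
    return 0;
}

/* Hardened reader: validates the count against arithmetic overflow and
 * against the bytes actually present before allocating. Returns 0 on success,
 * -1 if the message is rejected. The caller frees out->data. */
int read_entries(const unsigned char *buf, size_t buf_len, struct entries *out)
{
    uint32_t count, bytes;
    if (buf_len < 4)
        return -1;
    count = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
            (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (checked_alloc_size(count, &bytes) != 0)
        return -1;                      /* count * ENTRY_SIZE overflows */
    if (bytes > buf_len - 4)
        return -1;                      /* header claims more than was received */
    out->data = malloc(bytes ? bytes : 1);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, buf + 4, bytes);
    out->count = count;
    return 0;
}

int main(void)
{
    /* count = 0x04000001 in little-endian, followed by 4 bytes of payload */
    unsigned char hostile[8] = { 0x01, 0x00, 0x00, 0x04, 0, 0, 0, 0 };
    struct entries e;
    printf("naive size for 0x04000001 entries: %u bytes\n",
           naive_alloc_size(0x04000001u));
    printf("hardened reader: %s\n",
           read_entries(hostile, sizeof hostile, &e) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The second check in read_entries() matters even when the multiplication is safe: a count that is arithmetically fine but larger than the data received would otherwise make memcpy() read past the end of the input buffer.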
4. Unicode Overflow Attack
Unicode overflows exploit the difference between ASCII and Unicode character encodings: when input is
validated on the assumption of one byte per character and later converted to a multi-byte encoding, the
converted string can be larger than the buffer that was sized for it, causing a buffer overflow.

5. Format String-Based Attack


A format string exploit arises when an application passes user-supplied data directly as the format
argument of a printf-family function instead of as a parameter (printf(input) rather than
printf("%s", input)). Format directives such as %x, %s and %n in the input are then interpreted by the
function and can be used to read memory, leak sensitive information, or write to memory.
Malicious Software:

Malicious software (also known as malware) refers to any software specifically
designed to harm, exploit, or disrupt systems, devices, or networks. Malware can
have a wide range of malicious activities, such as stealing data, damaging files,
hijacking systems, or causing disruptions to normal operations. The intent behind
malware is typically to cause harm, gain unauthorized access, or achieve financial
or strategic advantages.
Here are the most common types of malicious software:
1. Viruses:
A virus is a type of malicious software that attaches itself to a legitimate program or file. When the
infected program or file is executed, the virus spreads to other files or programs on the system. Viruses
can cause data loss, damage files, and corrupt systems.

How it works: Viruses can spread via email attachments, infected files, or through network
vulnerabilities.
Example: The ILOVEYOU virus, which spread through email in 2000, was one of the most infamous
examples.

2. Worms:
Worms are self-replicating malicious software that spread without needing a host program or human
intervention. Worms often exploit vulnerabilities in networks to spread across multiple systems.

How it works: Worms often exploit network protocols or system vulnerabilities to propagate.
Example: The Morris Worm (1988) was one of the first widespread internet worms.
3. Trojans:
A Trojan horse (or simply Trojan) is malware that disguises itself as a legitimate software or file to deceive
the user into installing it. Once executed, Trojans can steal sensitive data, allow remote access, or perform
destructive actions.

•How it works: Trojans do not replicate themselves like viruses or worms. Instead, they rely on social
engineering, tricking the user into installing them.

•Example: The Zeus Trojan is a notorious example, often used for banking fraud and stealing personal
information.

4. Ransomware:
Ransomware is malicious software that locks or encrypts files on a victim’s system and demands a ransom
(usually in cryptocurrency) to restore access to the data. Ransomware can target individuals, companies, or
even government agencies.

•How it works: Ransomware often spreads through phishing emails or vulnerabilities in software. After
infecting a system, it encrypts the user's data, making it inaccessible.

•Example: The WannaCry ransomware attack (2017) exploited vulnerabilities in Microsoft Windows to
infect hundreds of thousands of computers globally.
5. Spyware:
Spyware is software that secretly monitors and collects information about a user’s activities, often
without their knowledge or consent. This can include logging keystrokes, tracking browsing habits,
and stealing sensitive data like passwords.
•How it works: Spyware is typically bundled with other software, often masquerading as useful tools
or programs.
•Example: The CoolWebSearch spyware was known for hijacking web browsers and tracking users'
internet activity.
6. Adware:
Adware is software that automatically displays unwanted advertisements to users, often in the form of
pop-ups or banners. While adware is typically less harmful than other forms of malware, it can be
annoying and sometimes acts as a precursor to more dangerous malware like spyware.
•How it works: Adware usually comes bundled with free software or shareware that users download
from the internet.
•Example: Gator (also known as Claria) was an adware program that tracked user behavior and
served intrusive pop-up ads.
7. Keyloggers:
A keylogger is a type of malware that records all the keystrokes made by the user, often with
the intent to capture sensitive information such as passwords, credit card numbers, or personal
messages.

•How it works: Keyloggers are often installed via Trojan horses or phishing attacks and
operate in the background without the user’s knowledge.
•Example: Keyloggers like Revealer Keylogger are frequently used in cybercriminal
activities to steal personal information.

8. Rootkits:
A rootkit is a set of software tools designed to gain unauthorized access to a computer system
and hide its presence. Rootkits are typically used to maintain privileged access (root or
administrator access) to a system and avoid detection by antivirus or security software.

•How it works: Rootkits can modify system files, processes, and even the operating system
itself to conceal their presence and actions.
•Example: The Sony BMG rootkit (2005) was used to prevent users from copying music, but
it also created vulnerabilities that could be exploited by hackers.
9. Botnets:
A botnet is a network of compromised computers (called "bots" or "zombies") that are controlled
remotely by a cybercriminal. These infected systems are often used to perform coordinated
malicious actions, such as launching distributed denial-of-service (DDoS) attacks, sending spam
emails, or stealing data.

•How it works: Botnets are often created by infecting machines with Trojans or worms, and once
infected, the machines can be controlled by the attacker to carry out malicious tasks.
•Example: The Mirai botnet (2016) was used to launch one of the largest DDoS attacks in history,
targeting major websites like Twitter and Reddit.

10. Fileless Malware:
Fileless malware is a type of malicious software that does not rely on files written to disk to infect a
system. Instead, it operates directly in the computer's memory and typically abuses existing trusted
software or system tools to perform its malicious activities.

•How it works: Fileless malware is difficult to detect because it leaves no traditional traces on the
disk and runs in the system's memory.
•Example: PowerShell-based attacks are a form of fileless malware that abuse Windows PowerShell to
execute malicious code.
Methods of Distribution:
•Phishing Emails: Malware is often delivered via malicious email attachments or links that trick
users into executing the software.
•Drive-by Downloads: Malicious software can be installed automatically when a user visits a
compromised website.
•Social Engineering: Attackers deceive users into downloading or executing malware through
fake software updates, fraudulent websites, or impersonating trusted sources.

How to Protect Against Malware:


•Use Antivirus Software: Install reputable antivirus and anti-malware software to detect and
block malicious programs.
•Keep Software Updated: Regularly update your operating system, software, and applications to
patch security vulnerabilities.
•Be Cautious with Email Attachments and Links: Avoid clicking on suspicious email links or
downloading attachments from unknown sources.
•Use Firewalls: Firewalls help monitor and control incoming and outgoing network traffic,
blocking potentially harmful communications.
•Back Up Data: Regularly back up important files and data to an external device or cloud service
to protect against ransomware.
Password Management:
Password management refers to the practices, rules and standards that users and organisations
follow to create strong passwords and to store and manage them securely for future use. Since
passwords are meant to keep files and data secret and to prevent unauthorized access, the way a
password is chosen and stored matters as much as the password itself. One solution to this modern
problem is a password manager. With a password manager, users can manage all of their passwords,
personal and business, from one central location. A password manager does more than just remember
passwords: it helps choose strong enough passwords, can prompt for timely password changes, and
enforces many computer security best practices.
Issues Related to Managing Passwords:
The main problem with password management is that it is not safe to use the same password for
multiple sites, yet having a different password for every site and remembering all of them is
quite difficult. Surveys report that more than 65% of people reuse passwords across accounts and
that the majority do not change them even after a known breach, while 25% reset their passwords
once a month or more because they forgot them.
To escape this situation people often use password managers (a password manager is a program
that stores, generates and manages a user's passwords for local applications and online
services). Password managers reduce the problem to remembering only one "master password"
instead of many. The weakness of a master password is that once it is known to an attacker, all
the other passwords become available; this is why the vault must be protected by a strong master
password and multi-factor authentication.
The main issues related to managing passwords are as follows:
Login spoofing
Sniffing attack
Brute force attack
Shoulder surfing attack
Data breach
Top Password Management Tools
1. Keeper Security
Keeper Security is a cyber security company known for its password management and secure file storage products. It
provides individuals and businesses with tools to safeguard sensitive information: it stores all passwords in an
encrypted vault and alerts the user if credentials are found to be compromised or exposed on the dark web.
2. 1Password
1Password is a secure password manager designed for both individuals and businesses. It stores
passwords and sensitive information in an encrypted vault, ensuring robust security. With its
Travel Mode, it removes sensitive data from your devices when crossing borders, providing
added protection. Additionally, it supports multi-factor authentication and offers advanced team
management capabilities for businesses.
3. Zoho Vault
Zoho Vault, part of the Zoho suite, provides secure password management for individuals and
businesses with features like password encryption, secure sharing, access controls, audit trails,
and integration with other Zoho products and third-party apps. It has a user-friendly interface
making it easier for users to protect their digital credentials and foster effective access control
in a team setting.
4. Bitwarden
Bitwarden is an open-source password manager known for its transparency and security. It offers
end-to-end encryption, a password vault, a password generator, cross-platform sync, and the option
to self-host for added control.
The key highlight of this tool is its compatibility with all the devices. This allows you to create and
manage passwords from any device or location.

5. LastPass
LastPass is another popular password manager that stores and manages passwords and sensitive
information. Its features include a password vault, a password generator, auto-fill, secure notes and
multi-platform support.
Methods to Manage Password
There are many good practices for generating a strong password and for managing it afterwards.

Strong and long passwords: A minimum length of 8 to 12 characters (the longer the better); the
password should also contain at least three different character sets (e.g. uppercase letters,
lowercase letters, numbers, symbols). Extra length adds more strength than extra character sets.
Password hashing, not encryption: A service should never store passwords in a form it can reverse.
It should store only a salted hash produced by a slow, purpose-built algorithm (bcrypt, scrypt or
Argon2), so that a stolen password database still does not yield the passwords. A password manager
does encrypt its vault, but with a key derived from the master password that never leaves the
user's device.
Multi-factor Authentication (MFA): Adding a second factor, such as an authenticator app, a hardware
token or a one-time code sent to a phone, means that a stolen or guessed password alone is not enough
to log in. Security questions are a weak factor, since their answers are often guessable or public.
Make the password pass the test: Check candidate passwords with a strength checker and, where
available, against lists of passwords exposed in known breaches, so that a reused or leaked password
is rejected.
Change passwords on compromise, not on a schedule: Forcing a change every 60 or 90 days pushes users
towards predictable variants of the old password. Current guidance (NIST SP 800-63B) is to change a
password immediately when it is suspected to be compromised and otherwise to leave a strong one in
place.
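Added example (not from the original slides): a C routine that applies the length and character-set rule above to a candidate password and, alongside the pass/fail verdict, estimates the search space a brute-force attack faces (charset size raised to the length, reported as floor(log2)). The sample passwords and the guess rate of 1e10 per second in main() are constructed for the illustration. The point it shows beyond the rule itself: a 19-letter lowercase passphrase that fails the three-character-set test has a far larger search space than an 8-character password that uses all four sets.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

struct password_check {
    size_t length;
    int classes;          /* distinct classes used: upper, lower, digit, symbol */
    int meets_policy;     /* length >= 12 and at least three classes */
    double keyspace;      /* charset_size ^ length: guesses to exhaust */
    int bits;             /* floor(log2(keyspace)) */
};

/* Evaluate a candidate password against the length/character-class rule and
 * estimate the brute-force search space implied by the classes it uses. */
struct password_check check_password(const char *pw)
{
    struct password_check c = { 0, 0, 0, 1.0, 0 };
    int upper = 0, lower = 0, digit = 0, symbol = 0;
    for (const char *p = pw; *p != '\0'; p++) {
        unsigned char ch = (unsigned char)*p;
        if (isupper(ch))      upper = 1;
        else if (islower(ch)) lower = 1;
        else if (isdigit(ch)) digit = 1;
        else                  symbol = 1;   /* punctuation, space, anything else */
        c.length++;
    }
    /* 26 + 26 + 10 + 33 = 95 printable ASCII characters */
    int charset = 26 * upper + 26 * lower + 10 * digit + 33 * symbol;
    c.classes = upper + lower + digit + symbol;
    c.meets_policy = (c.length >= 12 && c.classes >= 3);
    for (size_t i = 0; i < c.length; i++)
        c.keyspace *= charset;
    for (double k = c.keyspace; k >= 2.0; k /= 2.0)   /* floor(log2) without libm */
        c.bits++;
    return c;
}

/* Seconds to exhaust the keyspace at a given guess rate. The rate is an input:
 * 1e10 guesses/s is a constructed figure for an offline attack on a fast hash. */
double seconds_to_exhaust(const struct password_check *c, double guesses_per_second)
{
    return c->keyspace / guesses_per_second;
}

int main(void)
{
    /* constructed samples, not real credentials */
    const char *samples[] = { "P@ssw0rd", "correcthorsebattery", "Tr0ub4d&r-Xyz12" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct password_check c = check_password(samples[i]);
        printf("%-22s len=%2zu classes=%d policy=%d bits=%3d years@1e10/s=%.1e\n",
               samples[i], c.length, c.classes, c.meets_policy, c.bits,
               seconds_to_exhaust(&c, 1e10) / 31557600.0);
    }
    return 0;
}
```

The estimate is an upper bound on attacker effort: it assumes the attacker guesses uniformly over the charset, whereas real cracking uses dictionaries and leaked passwords first, which is why the breach-list check in the text matters as much as the arithmetic here.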
Firewall:
A firewall is a network security device, either hardware or software based, which monitors all
incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects, or
drops that traffic.

Accept: allow the traffic
Reject: block the traffic but reply to the sender with an "unreachable" error (an ICMP error or a TCP reset)
Drop: block the traffic silently, with no reply

The security policies the firewall enforces are set up in advance by the organisation. At its most
basic, a firewall is the wall that separates a private internal network from the open Internet.
Working of Firewall:
The firewall matches network traffic against the rule set defined in its table. Once a rule matches, the
associated action is applied to the traffic. For example, one rule may say that no employee in the Human
Resources department can access the code server, while another says that the system administrator can
access data from both the Human Resources and the technical departments. Rules are defined on the
firewall according to the needs and security policy of the organisation. From the perspective of a server,
network traffic is either outgoing or incoming, and the firewall keeps a distinct set of rules for each.
Outgoing traffic, originating from the server itself, is mostly allowed to pass. Still, setting rules on
outgoing traffic is better, because it limits what a compromised server can reach and prevents unwanted
communication. Incoming traffic is treated differently. Most traffic that reaches the firewall uses one of
three protocols: TCP or UDP at the transport layer, or ICMP at the network layer. All three carry a source
and a destination IP address. TCP and UDP additionally carry port numbers; ICMP uses a type and code
instead of a port number to identify the purpose of the packet.
Default policy:
It is very difficult to explicitly cover every possible case with rules, so the firewall must always have
a default policy, which consists only of an action (accept, reject or drop). Suppose no rule about SSH
connections to the server is defined on the firewall; such a connection then follows the default policy.
If the default policy is accept, any computer outside your office can establish an SSH connection to the
server. Setting the default policy to drop (or reject) and explicitly allowing only what is needed is
therefore always good practice.
Types of Firewall
Firewalls can be categorized based on their generation.
1. Packet Filtering Firewall:
A packet filtering firewall controls network access by monitoring outgoing and incoming packets and allowing
or blocking them based on source and destination IP address, protocol, and port numbers. It inspects only the
network and transport layer headers (layers 3 and 4). A packet filter treats each packet in isolation: it has
no way to tell whether a packet belongs to an existing stream of traffic, and can only allow or deny packets
on the basis of their individual headers. The packet filtering firewall maintains a filtering table that
decides whether a packet is forwarded or discarded. With the filtering table given here, packets are filtered
according to the following rules:

Incoming packets from network 192.168.21.0 are blocked.
Incoming packets destined for the internal TELNET server (port 23) are blocked.
Incoming packets destined for host 192.168.21.3 are blocked.
All well-known services to the network 192.168.21.0 are allowed.
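Added example (not from the original slides): a stateless packet filter in C that encodes the four rules above as a first-match table and applies them, together with the default policy from the earlier section, to constructed packets. The addresses 10.0.0.1, 192.168.21.5 and 192.168.21.9 and the struct layout are invented for the example; the first rule is read as an anti-spoofing rule (an inbound packet claiming an internal source address), and "well-known services" as destination ports 0 to 1023.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum action { ACT_DROP = 0, ACT_ACCEPT = 1, ACT_REJECT = 2 };
enum proto  { PROTO_ANY = 0, PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

struct packet {
    uint32_t src, dst;   /* IPv4 addresses as host-order integers */
    int proto;
    int dport;           /* destination port; -1 for ICMP, which has none */
};

/* One filtering-table row. A mask of 0 matches any address, PROTO_ANY matches
 * any protocol, and dport_lo = -1 matches any port. */
struct rule {
    uint32_t src, src_mask;
    uint32_t dst, dst_mask;
    int proto;
    int dport_lo, dport_hi;
    enum action act;
};

/* Parse dotted-quad IPv4 text into a host-order integer (0 on bad input). */
uint32_t ip4(const char *text)
{
    unsigned a, b, c, d;
    if (sscanf(text, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int rule_matches(const struct rule *r, const struct packet *p)
{
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if (r->proto != PROTO_ANY && r->proto != p->proto) return 0;
    if (r->dport_lo >= 0 && (p->dport < r->dport_lo || p->dport > r->dport_hi)) return 0;
    return 1;
}

/* Stateless packet filtering: walk the table in order, first match wins,
 * otherwise the default policy applies. Each packet is judged in isolation. */
enum action filter_packet(const struct rule *table, size_t n,
                          const struct packet *p, enum action default_policy)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&table[i], p))
            return table[i].act;
    return default_policy;
}

/* The four rules from the text, applied to one incoming packet. */
enum action check_ingress(const char *src, const char *dst, int proto, int dport,
                          enum action default_policy)
{
    const uint32_t net24 = 0xFFFFFF00u, host = 0xFFFFFFFFu;
    struct rule table[] = {
        /* 1. inbound packets claiming an internal source address: blocked (spoofing) */
        { ip4("192.168.21.0"), net24, 0, 0,                       PROTO_ANY, -1, -1,  ACT_DROP },
        /* 2. inbound packets for the internal TELNET server (port 23): blocked */
        { 0, 0,                       0, 0,                       PROTO_TCP, 23, 23,  ACT_DROP },
        /* 3. inbound packets for host 192.168.21.3: blocked */
        { 0, 0,                       ip4("192.168.21.3"), host,  PROTO_ANY, -1, -1,  ACT_DROP },
        /* 4. well-known services (ports 0-1023) on the internal network: allowed */
        { 0, 0,                       ip4("192.168.21.0"), net24, PROTO_ANY, 0, 1023, ACT_ACCEPT },
    };
    struct packet p = { ip4(src), ip4(dst), proto, dport };
    return filter_packet(table, sizeof table / sizeof table[0], &p, default_policy);
}

int main(void)
{
    printf("HTTP to 192.168.21.5:    %d\n", check_ingress("10.0.0.1", "192.168.21.5", PROTO_TCP, 80,   ACT_DROP));
    printf("TELNET to 192.168.21.5:  %d\n", check_ingress("10.0.0.1", "192.168.21.5", PROTO_TCP, 23,   ACT_DROP));
    printf("port 8080, default DROP: %d\n", check_ingress("10.0.0.1", "192.168.21.5", PROTO_TCP, 8080, ACT_DROP));
    printf("port 8080, default ACCEPT: %d\n", check_ingress("10.0.0.1", "192.168.21.5", PROTO_TCP, 8080, ACT_ACCEPT));
    return 0;
}
```

Two details of the table are worth noting. Rule order matters: the TELNET and host-specific blocks must precede the broad "well-known services" allow, or the allow would match first. And ICMP never matches rule 4 because it has no port, so whether a ping reaches the inside network is decided entirely by the default policy, which is the situation the default-policy section warns about.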
2. Stateful Inspection Firewall
Stateful firewalls (which perform stateful packet inspection) are able to determine the connection state of a
packet, unlike a packet filtering firewall, which makes them more efficient. A stateful firewall keeps track of
the state of the network connections travelling across it, such as TCP streams, so filtering decisions are based
not only on the defined rules but also on the packet's history in the state table.
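As an added example (not from the slides), here is a toy packet filter that implements the four rules above with the default-drop policy, plus a stateful extension that keeps a connection table so replies to connections opened from the inside are accepted. The addresses and ports are the slides' own; the packet structure and the "reply on an ephemeral port" scenario are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.21.0/24")  # the slides' internal network
PROTECTED_HOST = ip_address("192.168.21.3")   # host covered by rule 3
TELNET_PORT = 23
WELL_KNOWN_MAX = 1023                         # well-known service ports are 0-1023
DEFAULT_POLICY = "drop"                       # action when no rule matches


@dataclass(frozen=True)
class Packet:
    """Constructed header view: only the fields a filter looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN flag; the stateful filter uses it


# Ordered filtering table for inbound packets: the first matching rule wins.
RULES = [
    ("inbound packet claiming an internal source address (spoofed)",
     lambda p: ip_address(p.src) in INTERNAL_NET, "drop"),
    ("inbound TELNET to the internal server",
     lambda p: p.dport == TELNET_PORT, "drop"),
    ("inbound traffic to 192.168.21.3",
     lambda p: ip_address(p.dst) == PROTECTED_HOST, "drop"),
    ("well-known services offered to the internal network",
     lambda p: ip_address(p.dst) in INTERNAL_NET and p.dport <= WELL_KNOWN_MAX,
     "accept"),
]


def stateless_filter(pkt):
    """Packet-filtering firewall: judge each inbound packet in isolation."""
    for _description, matches, action in RULES:
        if matches(pkt):
            return action
    return DEFAULT_POLICY


class StatefulFilter:
    """Stateful inspection: remember flows the inside opened, so their
    replies are accepted from the state table rather than the static rules."""

    def __init__(self):
        self.state = set()  # (proto, remote ip, remote port, local ip, local port)

    def outbound(self, pkt):
        if pkt.proto == "tcp" and pkt.syn:  # a new connection leaving the network
            self.state.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "accept"

    def inbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:  # reply that belongs to a tracked flow
            return "accept"
        return stateless_filter(pkt)  # unknown flow: fall back to the rule table


if __name__ == "__main__":
    web = Packet("10.0.0.5", "192.168.21.7", 40000, 80)
    telnet = Packet("10.0.0.5", "192.168.21.7", 40000, TELNET_PORT)
    print(stateless_filter(web), stateless_filter(telnet))  # accept drop
    fw = StatefulFilter()
    # The inside opens an HTTPS connection; the server's reply comes back to an
    # ephemeral port no static rule allows, but the state table recognises it.
    fw.outbound(Packet("192.168.21.7", "203.0.113.10", 51000, 443, syn=True))
    reply = Packet("203.0.113.10", "192.168.21.7", 443, 51000)
    print(fw.inbound(reply), stateless_filter(reply))  # accept drop
```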
3. Software Firewall
A software firewall is any firewall that is set up locally on a host or on a cloud server. For controlling the
inflow and outflow of data packets and limiting the number of networks that can be linked to a single device,
it may be the most advantageous option. The drawback of software firewalls is that they are time-consuming
to set up and maintain.
4. Hardware Firewall
Hardware firewalls also go by the name "firewalls based on physical appliances". A hardware firewall ensures
that malicious data is halted before it reaches the network endpoint that is in danger.
5. Application Layer Firewall
An application layer firewall can inspect and filter packets at any OSI layer, up to the
application layer. It has the ability to block specific content and to recognize when certain
applications and protocols (like HTTP, FTP) are being misused. In other words, application
layer firewalls are hosts that run proxy servers. A proxy firewall prevents any direct
connection between the two sides of the firewall; each packet has to pass through the proxy.
6. Next Generation Firewalls (NGFW)
An NGFW combines deep packet inspection, application inspection, SSL/SSH inspection and
many other functions to protect the network from modern threats.
7. Proxy Service Firewall
This kind of firewall filters communications at the application layer and protects the network.
A proxy firewall acts as a gateway between two networks for a particular application.
8. Circuit Level Gateway Firewall
This works at the Session layer of the OSI model. It allows for the simultaneous setup
of two Transmission Control Protocol (TCP) connections. It can effortlessly allow data
packets to flow without using much computing power. These firewalls are ineffective
because they do not inspect data packets: if malware is present in a data packet, they will
permit it to pass provided that the TCP connections are established properly.
Functions of Firewall
• Every piece of data that enters or leaves a computer network must go through the firewall.
• If the data packets are safely routed through the firewall, all of the important data remains intact.
• A firewall logs each data packet that passes through it, enabling the user to keep track of all network
activities.
• Since the data is stored safely inside the data packets, it cannot be altered.
• Every attempt to access our operating system is examined by the firewall, which also blocks
traffic from unidentified or undesired sources.
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a security tool that monitors a computer network
or systems for malicious activities or policy violations. It helps detect unauthorized access,
potential threats, and abnormal activities by analyzing traffic and alerting administrators to
take action. An IDS is crucial for maintaining network security and protecting sensitive
data from cyber-attacks.
An Intrusion Detection System (IDS) monitors network traffic, looks for unusual activity
and sends alerts when it occurs. The main duties of an IDS are anomaly detection and
reporting; however, certain intrusion detection systems can also take action when malicious
activity or unusual traffic is discovered.
What is an Intrusion Detection System?
An intrusion detection system (IDS) observes network traffic for malicious transactions
and sends immediate alerts when they are observed. It is software that checks a network or
system for malicious activities or policy violations. Each illegal activity or violation is
typically either recorded centrally using a SIEM system or reported to an administrator.
An IDS monitors a network or system for malicious activity and protects a computer network
from unauthorized access by users, possibly including insiders. The intrusion detector
learning task is to build a predictive model (i.e. a classifier) capable of distinguishing
between 'bad connections' (intrusions/attacks) and 'good (normal) connections'.
Working of Intrusion Detection System(IDS)
•An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any
suspicious activity.
•It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
•The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.
•If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
•The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.
Classification of Intrusion Detection System (IDS)
Intrusion detection systems are classified into 5 types:
Network Intrusion Detection System (NIDS): Network intrusion detection systems (NIDS) are
set up at a planned point within the network to examine traffic from all devices on the network. A NIDS
observes the traffic passing on the entire subnet and matches it against the collection of known attacks.
Once an attack is identified or abnormal behavior is observed, an alert can be sent to the administrator.
An example of a NIDS deployment is installing it on the subnet where the firewalls are located, in order
to see if someone is trying to crack the firewall.
Host Intrusion Detection System (HIDS): Host intrusion detection systems (HIDS) run on
independent hosts or devices on the network. A HIDS monitors the incoming and outgoing packets
of that device only and alerts the administrator if suspicious or malicious activity is detected.
It takes a snapshot of existing system files and compares it with the previous snapshot. If
system files were edited or deleted, an alert is sent to the administrator to investigate. An
example of HIDS usage can be seen on mission-critical machines, which are not expected to
change their layout.
Protocol-Based Intrusion Detection System (PIDS): A protocol-based intrusion detection
system (PIDS) comprises a system or agent that resides at the front end of a server,
controlling and interpreting the protocol between a user/device and the server. It tries to secure
the web server by regularly monitoring the HTTPS protocol stream and accepting the related
HTTP protocol. Because the HTTPS stream is encrypted on the wire, the system needs to reside at the
interface where the traffic has been decrypted, before it enters the web presentation layer.
Application Protocol-Based Intrusion Detection System (APIDS): An application
protocol-based intrusion detection system (APIDS) is a system or agent that generally resides
within a group of servers. It identifies intrusions by monitoring and interpreting the
communication on application-specific protocols. For example, it would monitor the SQL protocol
explicitly as the middleware transacts with the database in the web server.
Hybrid Intrusion Detection System: A hybrid intrusion detection system is made by the
combination of two or more approaches to intrusion detection. In a hybrid intrusion
detection system, host agent or system data is combined with network information to develop a
complete view of the network system. A hybrid intrusion detection system is more effective in
comparison to the other types of intrusion detection system. Prelude is an example of a hybrid IDS.
What is an Intrusion in Cybersecurity?
An intrusion is when an attacker gets unauthorized access to a device,
network, or system. Cyber criminals use advanced techniques to sneak into organizations
without being detected. Common methods include:
Address Spoofing: Hiding the source of an attack by using fake, misconfigured, or unsecured
proxy servers, making it hard to identify the attacker.
Fragmentation: Sending data in small pieces to slip past detection systems.
Pattern Evasion: Changing attack methods to avoid detection by IDS systems that look for
specific patterns.
Coordinated Attack: Using multiple attackers or ports to scan a network, confusing the IDS
and making it hard to see what is happening.
Intrusion Detection System Evasion Techniques
Fragmentation: Dividing a packet into smaller packets called fragments is known as
fragmentation. This makes it impossible to identify the intrusion because the malware signature is
split across the fragments and no single fragment contains it.
Packet Encoding: Encoding packets using methods like Base64 or hexadecimal can hide malicious
content from a signature-based IDS.
Traffic Obfuscation: By making a message more complicated to interpret, obfuscation can be used
to hide an attack and avoid detection.
Encryption: Encryption provides several security features, such as data integrity, confidentiality, and
data privacy. Unfortunately, the same security features are used by malware developers to hide
attacks and avoid detection.
Benefits of IDS
Detects Malicious Activity: IDS can detect any suspicious activities and alert the system
administrator before any significant damage is done.
Improves Network Performance: IDS can identify any performance issues on the network, which
can be addressed to improve network performance.
Compliance Requirements: IDS can help in meeting compliance requirements by monitoring
network activity and generating reports.
Provides Insights: IDS generates valuable insights into network traffic, which can be used to identify
any weaknesses and improve network security.
Detection Method of IDS
Signature-Based Method: Signature-based IDS detects the attacks on the basis of the specific
patterns such as the number of bytes or a number of 1s or the number of 0s in the network traffic. It
also detects on the basis of the already known malicious instruction sequence that is used by the
malware. The detected patterns in the IDS are known as signatures. Signature-based IDS can easily
detect the attacks whose pattern (signature) already exists in the system but it is quite difficult to
detect new malware attacks as their pattern (signature) is not known.
Anomaly-Based Method: Anomaly-based IDS was introduced to detect unknown malware attacks
as new malware is developed rapidly. In anomaly-based IDS there is the use of machine learning to
create a trustful activity model and anything coming is compared with that model and it is declared
suspicious if it is not found in the model. The machine learning-based method has a better-
generalized property in comparison to signature-based IDS as these models can be trained according
to the applications and hardware configurations.
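The following added example (not from the slides) runs both detection methods over constructed web access-log lines, and applies the decoding a signature-based IDS needs to counter the packet-encoding evasion described earlier. The log format, the two signatures and the three-sigma rate threshold are assumptions for illustration.

```python
import base64
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed "client method path" lines: a clean training window, then the traffic under watch.
TRAINING_LOG = """\
10.0.0.4 GET /index.html
10.0.0.4 GET /about.html
10.0.0.9 GET /index.html
10.0.0.9 GET /search?q=books
10.0.0.12 GET /login
10.0.0.12 POST /login
10.0.0.12 GET /index.html
"""
MONITORED_LOG = """\
10.0.0.4 GET /index.html
10.0.0.9 GET /search?q=%2e%2e%2f%2e%2e%2fetc%2fpasswd
198.51.100.7 GET /?f=Li4vLi4vZXRjL3Bhc3N3ZA==
203.0.113.5 GET /login
203.0.113.5 GET /login
203.0.113.5 GET /login
203.0.113.5 GET /admin
"""
# Signatures: known malicious patterns (path traversal towards a system file).
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sensitive file request": re.compile(r"/etc/passwd"),
}


def parse(log):
    return (line.split() for line in log.splitlines())  # (client, method, path)


def normalize(path):
    # Undo URL %xx and Base64 encodings (the "packet encoding" evasion) so the
    # signatures are matched against the decoded content as well.
    decoded = unquote(path)
    extras = []
    for pair in decoded.partition("?")[2].split("&"):
        value = pair.partition("=")[2]
        try:
            extras.append(base64.b64decode(value, validate=True).decode())
        except (ValueError, UnicodeDecodeError):
            pass  # not Base64; the regexes still see the raw value
    return " ".join([decoded, *extras])


def signature_alerts(log, decode=True):
    # Signature-based method: alert whenever a known pattern is present.
    found = []
    for client, _method, path in parse(log):
        text = normalize(path) if decode else path
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                found.append((client, name))
    return found


class AnomalyModel:
    # Anomaly-based method: learn the normal resources and per-client request
    # volume from clean traffic, then flag what the model does not contain.
    def __init__(self, training_log):
        counts, self.known = Counter(), set()
        for client, method, path in parse(training_log):
            counts[client] += 1
            self.known.add((method, path.partition("?")[0]))
        volumes = list(counts.values())
        self.rate_limit = statistics.mean(volumes) + 3 * statistics.pstdev(volumes)

    def alerts(self, log):
        found, counts = [], Counter()
        for client, method, path in parse(log):
            counts[client] += 1
            if (method, path.partition("?")[0]) not in self.known:
                found.append((client, "unseen request", f"{method} {path}"))
        for client, n in counts.items():
            if n > self.rate_limit:
                found.append((client, "rate", f"{n} requests > {self.rate_limit:.2f}"))
        return found
```

Without decoding, `signature_alerts(MONITORED_LOG, decode=False)` returns nothing: both encoded requests slip past the signatures exactly as the evasion section describes.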
Comparison of IDS with Firewalls
IDS and firewall both are related to network security but an IDS differs from a firewall as a firewall
looks outwardly for intrusions in order to stop them from happening. Firewalls restrict access
between networks to prevent intrusion and if an attack is from inside the network it doesn’t signal.
An IDS describes a suspected intrusion once it has happened and then signals an alarm.
Why Are Intrusion Detection Systems (IDS) Important?
An Intrusion Detection System (IDS) adds extra protection to your cybersecurity setup, making it
very important. It works with your other security tools to catch threats that get past your main
defenses. So, if your main system misses something, the IDS will alert you to the threat.
Intrusion Prevention System (IPS)
An Intrusion Prevention System is also known as an Intrusion Detection and Prevention System.
It is a network security application that monitors network or system activities for
malicious activity. The major functions of an intrusion prevention system are to identify
malicious activity, collect information about this activity, report it, and attempt to block or
stop it.
Intrusion prevention systems are considered an extension of Intrusion Detection Systems (IDS),
because both IPS and IDS monitor network traffic and system activities for malicious activity.
An IPS typically records information related to observed events, notifies security administrators
of important observed events and produces reports. Many IPS can also respond to a
detected threat by attempting to prevent it from succeeding. They use various response
techniques, which involve the IPS stopping the attack itself, changing the security
environment or changing the attack's content.
How Does an IPS Work?
An IPS works by analyzing network traffic in real-time and comparing it against known
attack patterns and signatures. When the system detects suspicious traffic, it blocks it
from entering the network.
Types of IPS
There are two main types of IPS:
Network-Based IPS: A Network-Based IPS is installed at the network perimeter and
monitors all traffic that enters and exits the network.
Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the
traffic that goes in and out of that host.
Why Do You Need an IPS?
An IPS is an essential tool for network security. Here are some reasons why:
• Protection Against Known and Unknown Threats: An IPS can block known threats and
also detect and block unknown threats that haven't been seen before.
• Real-Time Protection: An IPS can detect and block malicious traffic in real time,
preventing attacks from doing any damage.
• Compliance Requirements: Many industries have regulations that require the use of an
IPS to protect sensitive information and prevent data breaches.
• Cost-Effective: An IPS is a cost-effective way to protect your network compared to the
cost of dealing with the aftermath of a security breach.
• Increased Network Visibility: An IPS provides increased network visibility, allowing
you to see what's happening on your network and identify potential security risks.
Classification of Intrusion Prevention System (IPS):
An Intrusion Prevention System (IPS) is classified into 4 types:
Network-based intrusion prevention system (NIPS):
It monitors the entire network for suspicious traffic by analyzing protocol activity.
Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless networking
protocols.
Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows, such as
distributed denial of service attacks, specific forms of malware and policy violations.
Host-based intrusion prevention system (HIPS):
It is an installed software package which monitors a single host for suspicious activity by
scanning events that occur within that host.
Wireless Local Area Network:
WLAN stands for Wireless Local Area Network. A WLAN is a local area
network that uses radio communication to provide mobility to the network users
while maintaining connectivity to the wired network. A WLAN basically
extends a wired local area network. WLANs are built by attaching a device called
an access point (AP) to the edge of the wired network. Clients communicate with the
AP using a wireless network adapter, which is similar in function to an Ethernet
adapter. A WLAN is also called a LAWN (local area wireless network).
The performance of WLAN is high compared to other wireless networks. The
coverage of a WLAN is within a campus, a building or a tech park. It is used as the
mobile extension of wired networks. The standards for WLAN are HiperLAN, Wi-Fi,
and IEEE 802.11. It offers service to desktops, laptops, mobile applications and
all devices that work on the Internet. WLAN is an affordable method and can be
set up in 24 hours. WLAN gives users the mobility to move around within a local
coverage area and still be connected to the network. Most recent products are based on
the IEEE 802.11 standards, which are marketed under the Wi-Fi brand name.
WLAN Architecture
Components in Wireless LAN architecture as per IEEE standards are as follows:
Stations: Stations consist of all the equipment that is used to connect to wireless
LANs. Each station has a wireless network controller.
Basic Service Set (BSS): It is a group of stations communicating at the physical layer.
Extended Service Set (ESS): It is a group of connected Basic Service Sets (BSS).
Distribution System (DS): It connects all Extended Service Sets (ESS).
Types of WLANs
As per IEEE standard WLAN is categorized into two basic modes, which are as
follows:
Infrastructure: In infrastructure mode, all the endpoints are connected to a base
station and communicate through it; this can also enable Internet access. A
WLAN infrastructure can be set up with a wireless router (base station) and an
endpoint (computer, mobile phone, etc.). An office or home WiFi connection is an
example of infrastructure mode.
Ad Hoc: In ad hoc mode a WLAN connects devices, such as computer workstations, without a base
station. An ad hoc WLAN is easy to set up and provides peer-to-peer
communication. It requires two or more endpoints with built-in radio transmitters.
Working of WLAN:
A WLAN transmits data over radio signals, and the data is sent in the form of packets. Each packet
consists of layers, labels, and instructions, with unique MAC addresses assigned to endpoints. This
enables routing data packets to the correct locations.
How is a WLAN Created?
A WLAN is a collection of nodes interconnected with each other for the purpose of data sharing,
transmitting messages over the Internet, peer-to-peer connection, etc. As discussed
above under types, it can be created in the following two ways:
Connecting through one base station, which could be the router that acts as a doorway to the
Internet; every other node (devices like computers and smartphones) can connect to the Internet
and to each other through it.
Peer-to-peer connection using Wi-Fi Direct technology. This is more suitable for situations where
we need to connect two or more devices without the Internet, only for the purpose of data exchange
over the same local network.
Is a WLAN Secure ?
Whether or not a WLAN is secure depends on multiple factors of the implementation
configured by the network administrator. However, by default it has multiple security
vulnerabilities, so the security team should consider all the factors and configure it
accordingly.
Following are 3 ways to ensure best security practices:
Encryption: Ensure that the network is using the highest level of encryption available.
Authentication: There are multiple authentication mechanisms; it is good to use
protocols that rely on the 802.1X standard, like WPA-EAP (Wi-Fi Protected Access with
Extensible Authentication Protocol), for organisations, as this method ONLY gives access
when a correct username and password are entered, and usernames and passwords are
not shared but specific to each individual.
Monitor Rogue APs: Rogue APs (access points) are look-alike networks that a
user can unknowingly connect to, where all the activities of the user will be tracked
and monitored by the bad actor who set up the network. Hence the security team should
be on the lookout for such networks periodically.
Characteristics of WLAN
•Seamless operation.
•Low power for battery use.
•Simple management, easy to use for everyone.
•Protection of investment in wired networks.
•Robust transmission technology.

Advantages of WLAN
•Installation speed and simplicity.
•Installation flexibility.
•Reduced cost of ownership.
•Reliability.
•Mobility.
•Robustness.

Disadvantages of WLAN
•Slower bandwidth.
•Security for wireless LANs is the prime concern.
•Less capacity.
•Wireless networks cost four times more than wired network cards.
•Wireless devices emit low levels of RF which can be harmful to our health.
Network Access Control
Network Access Control is a security solution that uses a set of protocols to keep unauthorized
users and devices out of a private network, or to give restricted access to devices that are
compliant with network security policies. It is also known as Network Admission Control. It handles
network management and security by implementing security policy, compliance, and management of
access control to a network.
NAC works on wired and wireless networks by identifying the different devices that are connected
to the network. When setting up a NAC network security solution, administrators determine
the protocols that decide how devices and users are authorized for the right level of
access. Access rules are generally based on criteria such as the device used, the location
accessed from, the access rights of the individual, and the specific data and resources
being accessed.
Components of Network Access Control Scheme:
Restricted Access: It restricts access to the network by user authentication and authorization
control. For example, the user can't access a protected network resource without permission to
access it.
Network Boundary Protection: It monitors and controls the connectivity of networks with
external networks. It includes tools such as controlled interfaces, intrusion detection, and
anti-virus tools. It is also called perimeter defense. For example, a firewall can be used to prevent
unauthorized access to network resources from outside of the network.
Types of Network Access Control:
Pre-admission: It happens before access to the network is granted on initialization of request
by user or device to access the network. It evaluates the access attempt and only allows the
access if the user or device is compliant with organization security policies and authorized to
access the network.
Post-admission: It happens within the network when the user or device attempts to access the
different parts of the network. It restricts the lateral movement of the device within the network
by asking for re-authentication for each request to access a different part of the network.
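As an added illustration (not the slides' own material), the toy policy below separates the two decisions just described: a pre-admission posture check that yields full, quarantined or no access, and a post-admission session table that demands re-authentication before a device moves to a different segment. The posture fields, segment names and patch-level threshold are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_OS_BUILD = 2024             # hypothetical minimum patch level
REMEDIATION_SEGMENT = "remediation"  # quarantine segment: update servers only
DEFAULT_SEGMENT = "user-lan"         # where fully admitted devices land


@dataclass
class Device:
    """Posture a device reports at connection time (fields are assumptions)."""
    mac: str
    user: Optional[str]  # None for headless or IoT devices
    cert_valid: bool     # 802.1X credential accepted
    os_build: int
    av_running: bool


def pre_admission(dev):
    """Pre-admission: decide 'full', 'quarantine' or 'deny' before any access."""
    if not dev.cert_valid:
        return "deny"        # not authenticated: no network at all
    if dev.os_build >= REQUIRED_OS_BUILD and dev.av_running:
        return "full"        # compliant with the security policy
    return "quarantine"      # known device, but only remediation resources


class PostAdmission:
    """Post-admission: track the segment each device is on and demand
    re-authentication before it moves to a different part of the network."""

    def __init__(self):
        self.sessions = {}  # mac -> (admission level, current segment)

    def admit(self, dev):
        level = pre_admission(dev)
        if level != "deny":
            segment = REMEDIATION_SEGMENT if level == "quarantine" else DEFAULT_SEGMENT
            self.sessions[dev.mac] = (level, segment)
        return level

    def request(self, mac, segment, reauth_ok=False):
        """Return True if a request to reach `segment` is allowed."""
        if mac not in self.sessions:
            return False                           # never admitted
        level, current = self.sessions[mac]
        if level == "quarantine":
            return segment == REMEDIATION_SEGMENT  # quarantined devices stay put
        if segment == current:
            return True                            # no lateral movement
        if reauth_ok:                              # moving: re-authenticate first
            self.sessions[mac] = (level, segment)
            return True
        return False
```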
Steps to Implement NAC Solutions:
Gather Data: Perform an exhaustive survey and collect information about every
device, user, and server that has to interface with the network resources.
Manage Identities: Verify user identities within the organization by authentication
and authorization.
Determine Permissions: Create permission policies stating different access levels
for identified user groups.
Apply Permissions: Apply permission policies to the identified user groups and
register each user in the NAC system to trace their access level and activity within
the network.
Update: Monitor security operations and make adjustments to permission policies
based on the changing requirements of the organization over time.
Importance of Network Access Control:
There has been exponential growth in the number of mobile devices accessing private networks of
organizations in the past few years. This has led to an increase in security risks for the organization’s resources
and therefore, some tools are required that can provide the visibility, access control, and compliance
capabilities to strengthen the network security infrastructure.
A NAC system can deny network access to non-compliant devices or give them only restricted access to
computing resources, thus preventing insecure nodes from infecting the network. Also, NAC products can
handle large enterprise networks that have a large range of different device types connected to the network.
Responsibilities:
It allows only compliant, authenticated devices to access network resources and infrastructure.
It controls and monitors the activity of connected devices on the network.
It restricts the availability of network resources of private organizations to devices that follow their
security policy.
It regulates the access of network resources to the users.
It mitigates network threats by enforcing security policies that block, isolate, and repair non-compliant
machines without administrator attention.
Common Use-Cases:
Organizations that allow employees to use their own devices or take corporate devices home use
NAC to ensure network security.
Organizations use NAC to grant access to different network resources to people or devices that are
outside of the organization and are subjected to different security controls.
NAC protects from threats caused due to use of IoT devices by categorizing IoT devices into
groups that have limited permission and constantly monitoring their activities.
Benefits:
Users can be required to authenticate via multi-factor authentication, which is much more secure
than identifying users based on IP addresses or username and password combinations.
It provides additional levels of protection around individual parts of the network.
Limitations:
It has low visibility in IoT devices and devices with no specific users associated with it.
It does not protect from threats present inside the network.
It may not work for organizations if it is not compatible with existing security controls.
