
Network Security Final Report

Apr 07, 2018

Page 1: Network Security Final Report

8/6/2019 Network Security Final Report

http://slidepdf.com/reader/full/network-security-final-report 1/23

1

NETWORK SECURITY

ABSTRACT

John, sitting desperately in front of his system, tries to hack his friend William’s bank account. But after a tiresome job, all he could succeed in getting was an encrypted code, which did not make any sense to him and would take a lifetime to decode making use of the concept of probability. Thanks to the advanced techniques of security, William was saved from going bankrupt and losing his lifetime savings. In the present-day scenario, where the earth is shrinking rapidly, such that the entire world is now on your desktop, security is consequently gaining much significance. Cryptography, authentication and access control mechanisms play a very important role in secured communication, as they form the major disciplines of network security.


INTRODUCTION

What is security?

Security is freedom from danger or fear, or the ensuring of safety: the measures adopted to prevent the unauthorized use, misuse, modification or denial of use of knowledge, facts, data or capabilities. Network security is an issue of great significance today, where a single problem can change the fate of companies and organizations.

Need of Security

Computer security is required because most organizations can be damaged by hostile software or intruders. The damage intruders cause can take several forms, which are obviously interrelated. These include:

• Loss of confidential data

• Damage or destruction of data

• Damage or destruction of computer system

• Loss of reputation of a company

Orange Book:

The National Computer Security Center (NCSC), an agency of the U.S. government, published an official standard called “Trusted Computer System Evaluation Criteria”, universally known as the “Orange Book”. The Orange Book defines a series of ratings a computer system can have based on its security features and the care that went into its design, documentation and testing. This rating is intended to give government agencies and commercial enterprises an objective assessment of a system’s security and to goad computer manufacturers into placing more emphasis on security. The official categories are D, C1, C2, B1, B2, B3, and A1, ranging from minimal protection or unrated to most secure.

When computers are networked together, new security problems occur which can prove to be great threats to major companies. The Orange Book did not address the issue of networked computers. The Red Book took all the requirements of the Orange Book and attempted to address a networked environment of computers, thus creating the concept of network security. A single layer of security cannot ensure good security. Effective security is achieved by the combination of all security disciplines. The prominent security technologies and product categories used today are anti-virus software, firewalls, smart cards, biometrics, intrusion detection, policy management, vulnerability scanning, encryption etc.

Common Misperceptions on Network Host Attacks

It’s sad that system administrators and users often think that their network hosts are

either uninteresting or invulnerable to hackers.

Some of the common beliefs include:

· “Nobody would ever attack our servers or desktops.”

· “Only good people work here.”

· “We have an Internet firewall. That’s all we need.”

· “We’re secure. We use system passwords.”

· “Network security is too expensive and hard to maintain.”

Sure, we’ve all heard and used these excuses. We all have more pressing problems

to worry about than getting hacked.

But the fact is that all the above excuses, and many more just like them, are

complete fantasy. Servers and desktops are attacked on a fairly common basis. Just

because it is not detected does not mean it is not happening . . .

Reality: Hacking Tools are Pervasive and Cheap to Acquire

It’s easy to find Windows NT (WinNT) and Windows 2000 (Win2K) hacking tools.

Pick any Internet search engine (Altavista, Lycos, Yahoo, etc.) you are comfortable

with and type in the following words as a search item:

“HACK Microsoft” or “HACK NT”


Watch how many sites come up. Scary, isn’t it? In some queries, you can find over 80,000 web sites with hacking tools on them. To make matters worse, there are CD-ROMs full of hacking tools such as Forbidden subjects, WinHackGoldCD, Hacker Chronicles and others of a more underground nature. These are available from a variety of both legitimate and less reputable sources.

Some Statistics on Network Security

Every year, the Computer Security Institute (www.gocsi.com) and the U.S. Federal Bureau of Investigation (www.fbi.gov) publish statistics about computer crime. The 2000 CSI/FBI Computer Crime and Security Survey was eye-opening, and reported the following statistics:

· 30% reported computer systems penetrated by outsiders

· 55% reported unauthorized access by insiders

· 26% reported theft of proprietary information

· 32% reported denial of service attacks

· 19% reported sabotage of data or networks

· 90% of financial loss is from internal attacks

As the statistics show, the truth is that network attacks are REAL, PERVASIVE, and

EXPENSIVE. They are NOT going away. And, they are getting more insidious and

dangerous to organizations.


SECURITY SERVICES 

Network security can provide one of five services, as shown in the figure.

Four of these services relate to the message exchanged over the network: message confidentiality, integrity, authentication and non-repudiation. The fifth service provides entity authentication or identification.

 


COMMON ATTACKS AGAINST NETWORK ASSETS 

Attacks may occur through technical means such as specific tools designed for 

attacks or exploitation of vulnerabilities in a computer system, or they may occur 

through social engineering, which is the use of non-technical means to gain

unauthorized access.

Attacks are primarily of four types:

• Access

• Modification

• Denial of service

• Repudiation

An access attack is an attempt to gain information that the attacker is not

authorized to see. This is an attack against the confidentiality of the information.

Snooping, Eavesdropping and Interception come under this category.

SNOOPING is looking through information files in the hopes of finding something

interesting. If the files are on a computer system, an attacker may open one file after 

another until the required information is found.

EAVESDROPPING is the process of listening to a conversation of which the listener is not a part. To gain unauthorized access to information, an attacker must position himself at a location where the information is likely to pass by. A sniffer is a computer that is configured to capture all the traffic on the network. Most often they are configured to capture user IDs and passwords. Tapping a fiber-optic line requires more specialized equipment and is normally not performed by run-of-the-mill attackers.

INTERCEPTION is an active attack against the information. When an attacker intercepts information, he is inserting himself in the path of the information and capturing it before it reaches the destination. The attacker may or may not allow the information to continue to its destination. On the Internet this could be done by causing a name resolution change. The traffic is then sent to the attacker’s system instead of the real destination. If configured correctly, the sender may never know that he was not talking to the real destination.

MODIFICATION ATTACK is an attempt to modify information that an attacker is not authorized to modify.

CHANGES: One type of modification attack is to change existing information. Change attacks can be targeted at sensitive or public information.

INSERTION is the addition of information that did not exist previously. An attacker 

might choose to add a transaction in a banking system that moves funds from a

customer’s account to his own.

DELETION attack is the removal of existing information. This could be the removal

of information in a historical record or in a record that is yet to be acted upon.


Denial-of-service (DoS) attacks are attacks that deny the use of resources, information or capabilities to legitimate users of the system. DoS attacks generally do not allow the attackers to access or modify information on the computer system. DoS attacks are nothing more than vandalism. An attacker could encrypt a file and then destroy the encryption key. In that way, no one could get access to the information in the file.

This type of vulnerability allows an attacker to send a pre-defined set of commands to the application that the application is not able to process properly. The application is likely to crash when this occurs.

REPUDIATION ATTACK is an attack against the accountability of the information.

In other words, repudiation is an attempt to give false information or to deny that a

real event or transaction should have occurred.

MASQUERADING is an attempt to act like or impersonate someone else or some

other system. With few exceptions, any computer system can take on any IP

address. Thus it is possible for a computer system to masquerade as another 

system.

PASSWORD ATTACKS: These attacks comprise network sniffing and brute force attacks. Network sniffing concentrates on two areas:

• Acquiring clear-text passwords (the situation when Windows systems exchange passwords with any non-Windows operating system, such as UNIX or Novell) via network capture or file infiltration.

• Grabbing the encrypted value of an NT system password from a network packet or the password file and trying to decrypt the packet or file to expose the passwords that would allow a valid login to the host.

Brute force attacks involve a piece of software working its way through dictionaries and potential word-matching libraries to discover (“guess”) a specific word which, when matched with a specific user ID, will allow login to the system.

Password attacks cannot be stopped by a packet-filtering firewall, but can be greatly reduced. Network access controls manage the network protocols and addresses allowed to pass through the firewall, providing a more definitive sense of control over where a password attack can originate. Time-based security policies further define network access to the target system by allowing only specific transactions to take place at particular times of the day. And connection logging allows for accurate and timely recording of all traffic activity. These are the types of firewall facilities you need to protect against password attacks.

URL Based Attacks: These attacks are initiated by exploiting the vulnerabilities in

many web servers and web-based applications that allow malicious code to be

included as part of a URL. These attacks can result in denial-of-service,

unauthorized file access or remote machine compromise.

THE COMMON TECHNIQUES ADOPTED BY HACKERS 

Open File Sharing via NFS was used by some of the hackers to gain access to information. They simply mounted the remote drive and read the information. NFS uses user IDs to mediate the access to the information on the drive. This became more dangerous when some systems were found to allow the sharing of the root file system. In this case, if a hacker could become root on a system and mount a remote file system, he could change the configuration files of that remote system.

Bad Passwords are the most common method used by the hackers to get into systems. Short passwords allow the hacker to brute-force the password. The other type of weak password is the one that is easy to guess.

Buffer Overflows are one type of programming flaw exploited by the hackers. They are harder to find than bad passwords. Buffer overflows require quite a bit of expertise. Buffer overflows come up very often as the flaw in an application that copies user data into another variable without checking the amount of data being copied. More and more programs seem to suffer from this type of problem. If the programmer checks the size of the user data before placing it in the pre-defined variable, the buffer overflow can be prevented.


Denial-of-Service

i) Single-source Denial-of-Service attack: Perhaps the most widely known DoS attack is called the SYN flood. Other attacks have also been identified. The Ping of Death attack caused a ping packet to be sent to a target system. Normally a ping packet does not contain any data. The ping of death packet contained a large amount of data. When this data was read by the target, it would crash because of buffer overflow.

ii) Distributed Denial-of-Service attacks are simply DoS attacks that originate from a large number of systems. DDoS attacks are usually controlled from a single master and a single hacker. Such attacks can be as simple as a hacker sending a ping packet to the broadcast address of a large network while spoofing the source address to direct all responses at a target. This particular attack is called a Smurf attack.

Advanced techniques: Sniffing switch networks, redirecting traffic and IP spoofing are a few of the advanced techniques.

Malicious code

• Computer viruses

• Trojan horse programs

• Worms

VIRUSES

A computer virus is a set of instructions that, when executed, inserts copies of itself 

into other programs. Some viruses are malicious and delete files or cause systems

to become unusable. Other viruses do not perform any malicious act except to

spread to other systems. Examples include Michelangelo (a traditional virus) and

Melissa (a macro virus).

TROJAN HORSES

Just as the Greeks used a gift to hide evidence of their attack, so too does a Trojan horse program hide its malicious nature behind the façade of something useful or interesting. An example is the “ILOVEYOU” Trojan horse. It arrived as an email with a Visual Basic program, which caused the e-mail services to stop completely.


WORMS

A worm, as the name implies, is a program that crawls from system to system without any assistance from its victims. The program replicates itself by installing copies of itself on other machines across the network. The most famous recent worm is called CodeRed. Since CodeRed used legitimate web connections to attack, firewalls did not protect the victims. Once on a system, CodeRed chose a random address to attack next.

VARIOUS SECURITY TECHNOLOGIES 

FIREWALLS

A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed. Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service. Firewalls are generally of two types: application layer firewalls and packet filtering firewalls.

i) Application layer firewalls are software packages that sit on top of general-purpose operating systems or on firewall appliances. If a rule does not specifically allow the traffic to flow, the firewall will deny or drop the packets. With an application layer firewall, all connections terminate on the firewall. If the policy rules allow the traffic, the firewall initiates a new connection from its external interface to the server system.

ii) Packet filtering firewalls are similar to application layer firewalls in matters related to policy rules. Policy rules are enforced through the use of packet inspection filters. With a packet filtering firewall, connections do not terminate on the firewall, but instead travel directly to the destination. As the packets arrive at the firewall, the firewall will determine if the packets and the connection state are allowed by the policy rules. If so, the packet is sent on its way. If not, the packet is denied or dropped.

DEFENSIVE STRATEGIES:


If an intruder can find a hole in our firewall, then the firewall has failed. There are no in-between states. Once a hacker is in, our internal network is at his mercy. If he hijacks an administrative account, we're in big trouble. If he hijacks an account with lesser privileges, all the resources available to that account are at risk. No firewall can protect against inadequate or mismanaged policies. If a password gets out because a user did not properly protect it, our security is at risk. If an internal user dials out through an unauthorized connection, an attacker could subvert our network through this backdoor. Therefore, we must implement a firewall policy. The most basic firewall policy is as follows:

Block all traffic, and then allow specific services on a case-by-case basis.

This policy is restrictive but secure. However, it may be so restrictive that users

circumvent it. In addition, the more restrictive our policy, the harder it will be to

manage connections that are to be allowed. On screening routers, we'll need to

implement complicated sets of rules—a difficult task. Most firewall products including

the Microsoft Proxy Server simplify this process by using graphical interfaces and a

more efficient set of rules.
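The "block all, then allow case by case" policy above, combined with the time-based rules and connection logging mentioned earlier for password attacks, as an added Python example (not part of the original report). The rule names, ports and addresses are constructed for illustration and use documentation and private address ranges.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str      # "tcp" or "udp"
    dst_port: int
    at: time           # time of day the connection attempt arrives


@dataclass(frozen=True)
class AllowRule:
    name: str
    protocol: str
    dst_port: int
    src_net: str                   # CIDR the connection may originate from
    dst_net: str                   # CIDR the connection may go to
    start: Optional[time] = None   # time-based policy: window start (inclusive)
    end: Optional[time] = None     # window end (exclusive); None = any time

    def matches(self, pkt: Packet) -> bool:
        if (pkt.protocol, pkt.dst_port) != (self.protocol, self.dst_port):
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.start is not None and self.end is not None:
            return self.start <= pkt.at < self.end
        return True


class Firewall:
    """Block all traffic, then allow specific services case by case."""

    def __init__(self, allow_rules):
        self.allow_rules = list(allow_rules)
        self.log = []   # connection log: (packet, decision, reason)

    def decide(self, pkt: Packet) -> str:
        for rule in self.allow_rules:
            if rule.matches(pkt):
                self.log.append((pkt, "ALLOW", rule.name))
                return "ALLOW"
        # No rule matched: the default is to deny, never to allow.
        self.log.append((pkt, "DENY", "default-deny"))
        return "DENY"

    def denied_by_source(self):
        """Summarise the log: how many attempts each source had refused."""
        counts = {}
        for pkt, decision, _ in self.log:
            if decision == "DENY":
                counts[pkt.src] = counts.get(pkt.src, 0) + 1
        return counts


# Constructed policy: one public service, one admin service in office hours.
RULES = [
    AllowRule("public-https", "tcp", 443, "0.0.0.0/0", "192.0.2.10/32"),
    AllowRule("admin-ssh-office-hours", "tcp", 22, "10.1.0.0/16",
              "192.0.2.10/32", start=time(8, 0), end=time(18, 0)),
]

# Constructed traffic sample.
SAMPLE = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 443, time(3, 0)),   # public web
    Packet("203.0.113.7", "192.0.2.10", "tcp", 22, time(10, 0)),   # SSH from outside
    Packet("10.1.2.3", "192.0.2.10", "tcp", 22, time(10, 0)),      # admin, in hours
    Packet("10.1.2.3", "192.0.2.10", "tcp", 22, time(23, 30)),     # admin, at night
    Packet("203.0.113.7", "192.0.2.10", "tcp", 23, time(10, 0)),   # unlisted service
]


def run_sample():
    """Evaluate the sample and return (decisions, denied-per-source summary)."""
    fw = Firewall(RULES)
    decisions = [fw.decide(p) for p in SAMPLE]
    return decisions, fw.denied_by_source()


if __name__ == "__main__":
    decisions, denied = run_sample()
    for pkt, decision in zip(SAMPLE, decisions):
        print(decision, pkt)
    print("denied per source:", denied)
```

The per-source deny count taken from the connection log is what points an administrator at where repeated login attempts originate.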

Security policies must be outlined in advance so administrators and users know what type of activities are allowed on the network. Our policy statement should address internal and external access, remote user access, virus protection and avoidance, encryption requirements, program usage, and a number of other considerations, as outlined here:

- Network traffic to and from outside networks such as the Internet must pass

through the firewall. The traffic must be filtered to allow only authorized

packets to pass.

- Never use a firewall for general-purpose file storage or to run programs,

except for those required by the firewall. Do not run any services on the

firewall except those specifically required to provide firewall services.

Consider the firewall expendable in case of an attack.

- Do not allow any passwords or internal addresses to cross the firewall.


This method would be analogous to a gatekeeper remembering some defining

characteristics of anyone leaving the castle and only allowing people back in with

those characteristics.

This brings up another point. While firewalls are keeping Internet intruders out, our 

internal users might be looting our systems. We may need to separate departments,

workgroups, divisions, or business partners using the same firewall technology, and

we may need to implement encryption throughout our organization. Firewalls also do

not protect against leaks, such as users connecting to the outside with a desktop

modem. In addition, if some new threat comes along, our firewall might not be able

to protect against it. Viruses and misuse of security devices are also a threat.

DRAWBACKS WITH FIREWALLS

Firewalls assume that all the unauthorized members are on the outside and everyone inside can be completely trusted. This is an unwarranted assumption. Firewalls can be defeated by somehow injecting malicious code into the corporate network. Firewalls, when not configured properly, refuse to recognize legitimate users and make their job difficult.

CRYPTOGRAPHY AS A TOOL FOR SECURITY

No one can deny the importance of security in data communication and networking.

Security in networking is based on cryptography.

Cryptography, a word with Greek origin, means “secret writing”. The figure below

shows the components involved in cryptography.

The German Lorenz cipher machine, used in World War II for encryption of very high-level general staff messages


Cryptography is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography. Until modern times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into an unreadable ciphertext. Decryption is the reverse process.

A cipher (or cypher) is a pair of algorithms for encryption and decryption. The exact operation of a cipher is controlled by a key, which is a secret parameter for the cipher algorithm. Historically, ciphers were often used directly for encryption or decryption without additional procedures. The Enigma machine, used in several variants by the German military between the late 1920s and the end of World War II, implemented a complex electro-mechanical cipher to protect sensitive communications. In cryptography, code has a more specific meaning, referring to a procedure which replaces a unit of plaintext (i.e. the meaningful words or phrases) with a code word (for example, apple pie replaces attack at dawn). Codes are no longer used in serious cryptography - except incidentally for such things as unit designations - since properly chosen ciphers are both more practical and secure than even the best codes, and better adapted to computers as well. In recent decades, the field has expanded beyond confidentiality concerns to include techniques for authentication, digital signatures, interactive proofs, and secure computation.

The main classical cipher types are transposition ciphers, which rearrange the order of letters in a message (e.g. 'help me' becomes 'ehpl em'); and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters (e.g. 'fly at once' becomes 'gmz bu podf' by replacing each letter with the one following it in the alphabet). Simple versions of either offered little confidentiality. The development of digital computers and electronics after WWII made possible much more complex ciphers. Many computer ciphers can be characterized by their operation on binary bits (sometimes in groups or blocks), unlike classical and mechanical schemes, which generally manipulate traditional characters (i.e. letters and digits).

SYMMETRIC-KEY CRYPTOGRAPHY

Symmetric-key cryptography refers to encryption methods in which both the sender 

and receiver share the same key. This was the only kind of encryption publicly

known until 1976. The modern study of symmetric-key ciphers relates mainly to the

study of block ciphers and stream ciphers and to their applications. Block ciphers

take as input a block of plaintext and a key, and output a block of ciphertext of the

same size. Stream ciphers, in contrast to the 'block' type, create an arbitrarily long

stream of key material, which is combined with the plaintext bit by bit or character by

character, somewhat like the one-time pad. In a stream cipher, the output stream is

created based on an internal state which changes as the cipher operates. That

state's change is controlled by the key.

Cryptographic hash functions (often called message digest functions) do not use keys, but are a related and important class of cryptographic algorithms. They take input data (often an entire message), and output a short, fixed-length hash, and do so as a one-way function. For good ones, collisions (two plaintexts which produce the same hash) are extremely difficult to find.

Message authentication codes (MACs) are much like cryptographic hash functions, except that a secret key is used to authenticate the hash value on receipt.
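The difference between the two paragraphs above, as an added Python example (not from the original report): a bare SHA-256 digest can be recomputed by anyone who alters the message in transit, while an HMAC-SHA256 tag cannot be produced without the shared key. The message text and account labels are constructed.

```python
import hashlib
import hmac
import secrets


def protect_with_hash(message: bytes):
    """Sender side, keyless: message plus its SHA-256 digest."""
    return message, hashlib.sha256(message).digest()


def verify_hash(message: bytes, digest: bytes) -> bool:
    """Receiver side, keyless: recompute the digest and compare."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), digest)


def protect_with_mac(key: bytes, message: bytes):
    """Sender side, keyed: message plus its HMAC-SHA256 tag."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side, keyed: recompute the tag with the shared key."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself
    # does not leak how many leading bytes of the tag were right.
    return hmac.compare_digest(expected, tag)


def modify_in_transit(message: bytes):
    """Model of a modification attack by someone who lacks the key.

    The message is changed and the only check value that can be rebuilt
    without the key (a plain hash) is recomputed to match.
    """
    altered = message.replace(b"TO ACCT-2002", b"TO ACCT-9999")
    return altered, hashlib.sha256(altered).digest()


def demo():
    key = secrets.token_bytes(32)      # shared secret, never sent with the message
    original = b"TRANSFER 250.00 FROM ACCT-1001 TO ACCT-2002"   # constructed

    results = {}

    # 1. Hash only: the check passes for the altered message as well.
    msg, digest = protect_with_hash(original)
    results["hash_accepts_original"] = verify_hash(msg, digest)
    altered, new_digest = modify_in_transit(msg)
    results["hash_accepts_altered"] = verify_hash(altered, new_digest)

    # 2. MAC: neither a recomputed hash nor the old tag verifies.
    msg, tag = protect_with_mac(key, original)
    results["mac_accepts_original"] = verify_mac(key, msg, tag)
    altered, forged_tag = modify_in_transit(msg)
    results["mac_accepts_altered_new_tag"] = verify_mac(key, altered, forged_tag)
    results["mac_accepts_altered_old_tag"] = verify_mac(key, altered, tag)

    # The hash is fixed-length whatever the input size.
    results["digest_len_short"] = len(hashlib.sha256(b"a").digest())
    results["digest_len_long"] = len(hashlib.sha256(b"a" * 100000).digest())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```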

PUBLIC KEY CRYPTOGRAPHY

In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography, in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.

The public key algorithms are: -

• Modular addition,

• Multiplication and modular exponentiation,

• RSA algorithm

• DSS algorithm.


AUTHENTICATION

The authentication of authorized users prevents unauthorized users from gaining access to information systems. The use of authentication mechanisms can also prevent authorized users from accessing information that they are not authorized to view. Currently, passwords remain the primary authentication mechanism for internal system access. If passwords are to be used, the following are recommended as best practices:

• Length: passwords must be a minimum of eight characters in length.

• Change frequency: passwords must not be more than 60 days old.

• History: the last ten passwords should not be re-used.

• Content: passwords should not be made up of only letters but instead should include letters, numbers and special punctuation characters.
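The four rules above written as a checker, as an added Python example (not part of the original report). Keeping the history as salted PBKDF2 digests instead of plaintext, and the work factor used, are assumptions of this example; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 8           # report: minimum of eight characters
MAX_AGE_DAYS = 60        # report: not more than 60 days old
HISTORY_DEPTH = 10       # report: last ten passwords not re-used
PBKDF2_ROUNDS = 100_000  # assumption: the report gives no work factor


def _stretch(password: str, salt: bytes) -> bytes:
    """Salted, slow digest so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def remember(history, password):
    """Return a new history with `password` added, trimmed to the last ten."""
    salt = os.urandom(16)
    return (history + [(salt, _stretch(password, salt))])[-HISTORY_DEPTH:]


def is_reused(history, candidate):
    """True if `candidate` matches any of the remembered passwords."""
    return any(hmac.compare_digest(_stretch(candidate, salt), stored)
               for salt, stored in history[-HISTORY_DEPTH:])


def content_violations(password):
    """Length and content rules; returns the list of rules that fail."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isalpha() for c in password):
        problems.append("letter")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("punctuation")
    return problems


def is_expired(last_changed: date, today: date) -> bool:
    """Change-frequency rule: older than 60 days means a change is due."""
    return (today - last_changed).days > MAX_AGE_DAYS


def check_new_password(history, candidate):
    """All rules that apply when a user picks a new password."""
    problems = content_violations(candidate)
    if is_reused(history, candidate):
        problems.append("reused")
    return problems


def build_sample_history():
    """Constructed history: eleven changes, so the oldest one ages out."""
    history = []
    for n in range(11):
        history = remember(history, f"Winter#{2000 + n}")
    return history


if __name__ == "__main__":
    hist = build_sample_history()
    for candidate in ("abcdefgh", "Winter#2010", "Winter#2000", "Spring#2011"):
        print(candidate, check_new_password(hist, candidate) or "accepted")
    print("expired:", is_expired(date(2024, 1, 1), date(2024, 3, 2)))
```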

KEY CERTIFICATION

If keys are transmitted to a remote destination by some means, they must be checked once they arrive to be sure that they have not been tampered with during the transmission. Public keys are intended to be published or given out to other users and must also be certified as belonging to the owner of the key pair. This can be done through a central authority, the certificate authority (CA). The CA generates certificates, which are signed messages specifying a name and the corresponding key.

INTRUSION DETECTION SYSTEMS

Intrusion detection systems (IDS) are the burglar alarms of the network. An IDS is

designed to differentiate between an authorized entry and a malicious intrusion into

a protected network. A very common intrusion detection mechanism is anti-virus

software. Other forms of intrusion detection include the following:

• Manual log examination

• Automated log examination

• Host-based intrusion detection software

• Network based intrusion detection software


Manual log examination can be effective, but is time consuming and error-prone. A

better form of log examination would be to create programs or scripts that can

search through computer logs looking for potential anomalies.
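A script of the kind described above, as an added Python example (not part of the original report). It flags a burst of failed logins from one source and any successful login from that source afterwards. The log format, threshold and window are assumptions of this example, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<UTC timestamp> auth <OK|FAIL> user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

WINDOW = timedelta(seconds=60)   # assumption: look-back window
THRESHOLD = 5                    # assumption: failures within WINDOW that raise an alert


def parse(line):
    """Return (timestamp, result, user, src) or None for an unrecognised line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["result"], m["user"], m["src"]


def find_anomalies(lines):
    """Scan lines in time order; return (alerts, number of unparsed lines)."""
    recent_failures = defaultdict(deque)   # src -> failure times inside WINDOW
    flagged = set()                        # sources already alerted on
    alerts = []
    unparsed = 0
    for line in lines:
        record = parse(line)
        if record is None:
            unparsed += 1                  # count, never silently drop
            continue
        ts, result, user, src = record
        window = recent_failures[src]
        while window and ts - window[0] > WINDOW:
            window.popleft()               # forget failures older than WINDOW
        if result == "FAIL":
            window.append(ts)
            if len(window) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(("guessing", src, user, ts.isoformat()))
        elif src in flagged:
            # A login that succeeds after a burst of failures deserves
            # a closer look: the guess may have worked.
            alerts.append(("success-after-guessing", src, user, ts.isoformat()))
    return alerts, unparsed


# Constructed sample log.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z auth OK user=alice src=10.1.2.3
2024-05-01T09:05:10Z auth FAIL user=bob src=10.1.2.9
2024-05-01T09:05:20Z auth OK user=bob src=10.1.2.9
2024-05-01T09:10:00Z auth FAIL user=admin src=203.0.113.7
2024-05-01T09:10:05Z auth FAIL user=admin src=203.0.113.7
2024-05-01T09:10:10Z auth FAIL user=admin src=203.0.113.7
-- log rotated --
2024-05-01T09:10:15Z auth FAIL user=admin src=203.0.113.7
2024-05-01T09:10:20Z auth FAIL user=admin src=203.0.113.7
2024-05-01T09:10:25Z auth FAIL user=admin src=203.0.113.7
2024-05-01T09:10:40Z auth OK user=admin src=203.0.113.7
""".splitlines()


if __name__ == "__main__":
    found, skipped = find_anomalies(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("unparsed lines:", skipped)
```

A single mistyped password (bob in the sample) stays below the threshold, and failures spaced further apart than the window are not counted together.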

SECURITY IN INTERNET

IP Security

It is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. It helps to create authenticated and confidential packets for the IP layer, as shown in the figure below.

IP security (IPSec) operates in one of two different modes: the transport mode or the tunnel mode.


Transport Mode:

Tunnel Mode:

We use Tunnel mode when either the sender or receiver is not the host. The entire

packet is protected from intrusion between the sender and the receiver.


ULTIMATE TOP-10 ELEMENTS OF SECURITY

Having just Firewalls in a network doesn’t make it completely foolproof. So, there

exist some technical and non-technical TIPS to be followed to ensure maximum

security:

1. POLICY: Define, Implement and measure systems, networks and applications for 

compliance

2. EDUCATION: Part of (1) above is to ensure your users understand the

consequences of their actions and the importance of information security to the

organization

3. WARNINGS: Implement online warnings informing users (internal and external) of 

the rules of access to the systems

4. ASSESS: Determine what you are trying to protect, why and what value it has

5. PROTECT: Based on (4) above, implement firewalls, anti-virus and intrusion

detection (IDS) tools

6. AUDIT: Regularly audit systems for access violations, latest applicable patches and integrity of operating systems and applications

7. PASSWORD: Enforce strong password policy and run password guessing for easy to guess passwords

8. SCAN: Scan periodically for known vulnerabilities and the latest exploits

9. BACK-UP: Ensure regular clean backups are made to enable speedy recovery

10. RESPONSE: Set up an incident response team with complementary measures.


CONCLUSION

Examining the threats and managing them appropriately is very important for the smooth running of any organization. Security is a very difficult topic. Everyone has a different idea of what “security” is, and what levels of risk are acceptable. The key for building a secure network is to define what security means to your organization. Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him.