MODULE VI
Introduction to information system security, common attacks. Security at Application Layer
(E-MAIL, PGP and S/MIME). Security at Transport Layer (SSL and TLS). Security at
Network Layer (IPSec). Defence and counter measures: Firewalls and their types. DMZ,
Limitations of firewalls, Intrusion Detection Systems - Host based, Network based, and
Hybrid IDSs
• Sniffing is a process of monitoring and capturing all data packets passing through a
given network.
• If any of the Ethernet NIC cards are in promiscuous mode (done remotely via a
sniffer program), the sniffer program will pick up all communication packets through
that network.
• The best countermeasure against sniffing is end-to-end or user-to-user encryption.
3. Mapping (Eavesdropping)
• Before attacking a network, attackers would like to know the IP address of machines
on the network, the operating systems they use, and the services that they offer. With
this information, their attacks can be more focused and are less likely to cause alarm.
The process of gathering this information is known as mapping.
• Countermeasures are strong encryption services that are based on cryptography only.
4. Hijacking (man-in-the-middle attack)
• Hijacking occurs when someone between you and the person with whom you are
communicating is actively monitoring, capturing, and controlling your
communication transparently.
• Man-in-the-middle attacks are like someone assuming your identity in order to read your
message.
5. Trojans
• These are programs that look like ordinary software, but actually perform malicious
actions when launched.
• The only protection is early use of a cryptographic checksum or binary digital
signature procedure.
6. Denial-of-Service attack (DoS) and Distributed-Denial-of-Service (DDoS)
• Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack is an attempt
to make a machine or network resource unavailable to its real users.
• There are three basic types of attack.
− Consumption of computational resources, such as bandwidth, disk
space or CPU time.
− Disruption of configuration information, such as routing information.
− Disruption of physical network components.
• Common forms of denial of service attacks are:
a) Buffer Overflow Attacks
• The attacker simply sends more data to a network address than the programmer expected
the buffers to hold.
• Examples:
− Sending e-mail messages that have attachments with 256 character file names
to Netscape and Microsoft mail programs.
− Sending oversized Internet Control Message Protocol (ICMP) packets.
b) Smurf Attack
• In this attack, the attacker sends an IP ping request to a large number of hosts with the
source address of the target site.
• The result will be lots of ping replies flooding back to the innocent, spoofed host.
c) SYN floods
• Attacker sends a succession of SYN requests to a target's system to consume enough
server resources to make the system unresponsive to legitimate traffic.
Distributed Denial-of-Service attacks (DDoS)
• DDoS occurs when multiple attackers flood the bandwidth or resources of a targeted
DEPARTMENT OF ECE Page 2
EC 407 COMPUTER COMMUNICATION MODULE III
S/MIME
3. The content, signature values, certificates, and algorithms are then collected to
create the signedData object.
it.
• The encrypted content is stored without including the key or the algorithm. The object
created is called encryptedData.
Authenticated-Data Content Type
• This type is used to provide authentication of the data. The object is called
authenticatedData. The figure shows the process.
1. Using a pseudorandom generator, a MAC key is generated for each recipient.
2. The MAC key is encrypted with the public key of the recipient.
3. A MAC is created for the content.
4. The content, MAC, algorithms, and other information are collected together to
form the authenticatedData object.
symmetric-key encryption.
– Append SSL Record Header: Finally, an SSL header is appended to the encrypted
block. The SSL header has Content Type (8 bits), Major Version (8 bits), Minor Version (8 bits)
and Compressed Length (16 bits).
• The record protocol then transmits the resulting unit in a TCP segment. At the
receiver side, received data are decrypted, verified, decompressed and reassembled
and then delivered to the higher level protocol.
SSL Change Cipher Spec Protocol
• This is used to cause the pending state to be copied into the current state which
updates the cipher suite.
SSL Alert Protocol
• This protocol is used to convey SSL-related alerts.
• It consists of two bytes, the first of which takes the value 1 (warning) or 2 (fatal).
• If the level is fatal, SSL immediately terminates the connection.
• The second byte contains a code that indicates the specific alert.
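The receiver-side behaviour described above (read the record header, dispatch on content type, stop immediately on a fatal alert) is easy to see in code. The following is an added example, not code from the original notes: a small Python parser for the record header (content type, major version, minor version, 16-bit length) and the two-byte alert body. It assumes the records are already decrypted, as the record protocol would have done, and the sample byte stream is constructed for the example. The content-type and alert-code values are the standard SSL/TLS ones.

```python
import struct

# Record-layer content types and alert codes as defined by SSL/TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 70: "protocol_version",
    90: "user_canceled",
}
MAX_RECORD_BODY = 2 ** 14 + 2048   # largest body a record may carry once encrypted


class RecordError(ValueError):
    """Malformed record; a real implementation answers with a fatal alert."""


def parse_record(buf: bytes):
    """Split one record off the front of buf: 5-byte header, then the body."""
    if len(buf) < 5:
        raise RecordError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unknown content type {ctype}")
    if length > MAX_RECORD_BODY:
        raise RecordError("record_overflow")
    body = buf[5:5 + length]
    if len(body) < length:
        raise RecordError("truncated record body")
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "body": body}
    return record, buf[5 + length:]


def parse_alert(body: bytes):
    """Alert body: level byte (1 warning / 2 fatal), then a description byte."""
    if len(body) != 2:
        raise RecordError("alert body must be exactly two bytes")
    level, desc = body[0], body[1]
    if level not in ALERT_LEVELS:
        raise RecordError(f"illegal alert level {level}")
    return {"level": ALERT_LEVELS[level],
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}


def is_well_formed(buf: bytes) -> bool:
    """True if every record in buf parses; used to show how truncation is rejected."""
    try:
        while buf:
            _, buf = parse_record(buf)
        return True
    except RecordError:
        return False


def receive(buf: bytes):
    """Receiver loop over a decrypted byte stream. Returns (events, connection_open)."""
    events = []
    while buf:
        record, buf = parse_record(buf)
        if record["type"] == "alert":
            alert = parse_alert(record["body"])
            events.append(("alert", alert["level"], alert["description"]))
            if alert["level"] == "fatal":
                return events, False   # tear down at once; later bytes are discarded
        elif record["type"] == "change_cipher_spec":
            events.append(("change_cipher_spec",))   # pending state becomes current state
        else:
            events.append((record["type"], len(record["body"])))
    return events, True


# Constructed sample stream (version bytes 3,1 = TLS 1.0):
SAMPLE_STREAM = (
    bytes([20, 3, 1, 0, 1, 1])                 # change cipher spec, 1-byte body
    + bytes([23, 3, 1, 0, 5]) + b"hello"       # application data, 5 bytes
    + bytes([21, 3, 1, 0, 2, 1, 90])           # warning alert: user_canceled, keep going
    + bytes([21, 3, 1, 0, 2, 2, 40])           # fatal alert: handshake_failure, stop
    + bytes([23, 3, 1, 0, 3]) + b"xyz"         # never processed
)

if __name__ == "__main__":
    print(receive(SAMPLE_STREAM))
```

Note that the length check against MAX_RECORD_BODY and the exact two-byte alert length are the kind of bounds a receiver must enforce before touching the body; the trailing application-data record in the sample never reaches the higher layer because the fatal alert ended the connection first.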
Framing: A header is added to the encrypted payload. The payload is then passed to a reliable
transport layer protocol.
• Tunnel Mode: In tunnel mode, IPSec protects the entire IP packet. It takes an IP
packet, including the header, applies IPSec security methods to the entire packet and
then adds a new IP header.
o Entire packet is encrypted
o New IP header is added to cipher text and routed
o Decrypts the packet at destination
• Next Header – indicates what follows the AH header. In transport mode it will be the
value of the upper-layer protocol being protected (e.g. UDP or TCP). In tunnel mode,
the value is 4 for IPv4 encapsulation or 41 for IPv6 encapsulation.
• Payload Length – indicates the length of the Authentication Header in 32-bit words,
minus two.
• Security Parameter Index (SPI) – a 32-bit value that, in combination with the
destination IP address, identifies the Security Association (SA) for the packet.
• Sequence Number field – it is a 32-bit field containing a monotonically increasing
sequence number for each packet sent to prevent replay attacks. It is initially set to
zero at the establishment of an SA. For each SPI, only one packet can have a given
sequence number.
• Authentication Data – a variable-length field that holds the MAC (Message
Authentication Code) of the packet.
ESP Protocol
• ESP provides confidentiality, data integrity, data source authentication of IP packets,
and protection against replay attacks.
• It does so by inserting a new header, an ESP header, after an IP header and before the
data to be protected and appending an ESP trailer.
• SPI: helps the receiving host identify the security association to which the packet
belongs.
• Sequence Number - protects against replay attacks.
• Payload Data – contains the data described by the Next Header field and protected by
ESP. If confidentiality is selected, the data is encrypted by the encryption algorithm
associated with the SA.
• Padding is sometimes necessary, for example, because the encryption algorithm
requires the plaintext to be a multiple of some number of bytes. The Pad Length field
records how much padding was added to the data.
• Authentication Data – used to hold the result of the data integrity check.
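Both AH and ESP carry an SPI and a sequence number, and the notes state that the sequence number exists to prevent replay and that it is unique only within one SA. The following added example (not code from the original notes) shows in Python how a receiver uses those two fields: it parses the fixed AH header layout (Next Header, Payload Length in 32-bit words minus two, Reserved, SPI, Sequence Number, then the Authentication Data) and keeps one sliding anti-replay window per SPI. The window algorithm is the bitmap approach described in the AH/ESP RFCs; the window size of 64 and the sample packets are constructed for the example, and the MAC in the Authentication Data field is a dummy value that is not verified here.

```python
import struct

AH_FIXED_LEN = 12   # Next Header, Payload Len, Reserved, SPI, Sequence Number


def parse_ah(data: bytes) -> dict:
    """Parse an Authentication Header and return its fields, including the ICV (MAC)."""
    if len(data) < AH_FIXED_LEN:
        raise ValueError("AH header needs at least 12 bytes")
    next_header, payload_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED_LEN])
    total_len = (payload_len + 2) * 4          # Payload Len is 32-bit words minus two
    if len(data) < total_len:
        raise ValueError("truncated AH: Authentication Data missing")
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED_LEN:total_len], "header_len": total_len}


class ReplayWindow:
    """Sliding anti-replay window for one SA: a bitmap of the last `size` sequence numbers."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (highest - i) already accepted

    def accept(self, seq: int) -> bool:
        """Return True if seq is new and inside the window, recording it; False to drop."""
        if seq == 0:
            return False      # counter starts at zero on SA setup, so the first packet is 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False      # older than the window: drop
        if (self.bitmap >> offset) & 1:
            return False      # already seen: replay
        self.bitmap |= 1 << offset
        return True


class ReplayGuard:
    """One window per SPI, because a sequence number is only unique within its SA."""

    def __init__(self):
        self.windows = {}

    def check(self, spi: int, seq: int) -> bool:
        return self.windows.setdefault(spi, ReplayWindow()).accept(seq)


def filter_stream(packets) -> list:
    """Run the replay check over a list of raw AH headers; True = accept, False = drop.
    A real receiver verifies the ICV first and only then updates the window."""
    guard = ReplayGuard()
    decisions = []
    for raw in packets:
        ah = parse_ah(raw)
        decisions.append(guard.check(ah["spi"], ah["seq"]))
    return decisions


def make_ah(spi: int, seq: int, next_header: int = 6) -> bytes:
    """Constructed test header: Payload Len 4 => 24 bytes total, dummy 96-bit ICV."""
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + b"\xaa" * 12


# Constructed sample: two SAs, one duplicate, one out-of-order, one far beyond the window.
SAMPLE_PACKETS = [
    make_ah(0x1234, 1), make_ah(0x1234, 2), make_ah(0x1234, 2),   # third is a replay
    make_ah(0x1234, 5), make_ah(0x1234, 3),                       # 3 arrives late but is new
    make_ah(0x5678, 1),                                           # other SA, own window
    make_ah(0x1234, 100), make_ah(0x1234, 30),                    # 30 is now too old
]

if __name__ == "__main__":
    print(filter_stream(SAMPLE_PACKETS))
```

The out-of-order packet with sequence number 3 is accepted because the window tolerates reordering, while the duplicate 2 and the stale 30 are dropped; the separate SPI 0x5678 starts its own counter, which is exactly why the notes say "for each SPI, only one packet can have a given sequence number".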
SA and Key Management
• Several protocols have been defined for a scalable and automated SA and key
management, including:
• The Internet Key Exchange (IKE) protocol is the default key management protocol
for IPsec.
• The Internet Security Association and Key Management Protocol (ISAKMP) defines
procedures for establishing and tearing down SAs.
DEFENCE AND COUNTER MEASURES:
FIREWALLS
• A firewall is a piece of hardware or software or a combination of both to prevent
unauthorized external users (from other networks) from accessing or modifying the
resources of a network.
• It enforces an access control policy between two or more networks. It is also called a
Border Protection Device (BPD).
• They sit at the junction point or gateway between the two networks, usually between a
private network and a public network such as the internet.
• Firewall examines all traffic routed between the two networks to see if it meets certain
criteria. If it does, it is routed between the two networks, otherwise it is stopped.
• Firewalls can filter packets based on their source and destination addresses and port
numbers. This is known as address filtering.
• Firewalls can also filter specific types of network traffic. This is also known as protocol
filtering because the decision to forward or reject traffic is dependent on the protocol
used.
• Firewalls can also filter traffic by packet attribute or state.
• Firewalls fall into four broad categories.
1. Filter-Based Firewalls
a. Frame filtering Firewalls
b. Packet filtering Firewalls
2. Circuit level Gateway Firewalls
3. Proxy- Based Firewalls or Application Gateways
4. Stateful Multilayer Inspection Firewalls
1. Filter-Based Firewalls
• Filter-based firewalls are the simplest and most widely used. They are configured
with a table of addresses that characterize the packets (or frames) they will, and will
not, forward.
a) Frame filtering firewalls
• Frames that do not belong to a trusted network are summarily rejected.
• Stateful multilayer inspection firewalls combine the aspects of the other three types of
firewalls. They filter packets at the network layer, determine whether session packets
are legitimate and evaluate contents of packets at the application layer.
• They monitor all transactions between two systems.
• Stateful multilayer inspection firewalls offer a high level of security, good
performance and transparency to end users.
• They are expensive and complex.
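The three filtering criteria named above (address filtering, protocol filtering and filtering by state) can be shown together in one small model. This is an added example, not code from the notes: a Python packet filter with an ordered rule table for address/port/protocol decisions, plus a connection table so that only replies to flows it has already admitted are let back in, which is the "state" part of a stateful firewall. The policy, addresses (RFC 5737 documentation ranges) and traffic are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # address filtering
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # protocol filtering
    dport: Optional[int] = None     # port filtering

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFirewall:
    """First matching rule wins; unmatched traffic is denied; replies follow admitted flows."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()          # 5-tuples of flows a rule has admitted

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "allow-established"      # belongs to a flow we already admitted
        if pkt.proto == "tcp" and pkt.ack and not pkt.syn:
            return "deny-no-state"          # mid-connection segment for an unknown flow
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows.add(forward)
                return rule.action
        return "deny"                       # default deny


def run(fw: StatefulFirewall, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


# Constructed policy: internal hosts may browse; the world may reach the mail server only.
POLICY = [
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", proto="tcp", dport=80),
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=25),
]

# Constructed traffic, in arrival order.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, syn=True),            # client SYN
    Packet("203.0.113.10", "10.0.0.7", "tcp", 443, 51000, syn=True, ack=True),  # server SYN-ACK
    Packet("10.0.0.7", "203.0.113.10", "tcp", 51000, 443, ack=True),            # client ACK
    Packet("203.0.113.99", "10.0.0.7", "tcp", 443, 51001, syn=True, ack=True),  # unsolicited
    Packet("203.0.113.99", "10.0.0.7", "tcp", 4444, 51000, ack=True),           # ACK-only probe
    Packet("203.0.113.20", "10.0.0.5", "tcp", 40000, 25, syn=True),             # inbound mail
    Packet("10.0.0.7", "203.0.113.10", "udp", 5000, 53),                        # no UDP rule
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, run(StatefulFirewall(POLICY), SAMPLE_TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.proto}: {verdict}")
```

The fourth and fifth packets show why state matters: a purely address- and port-based filter that permits "established" traffic by looking only at the ACK flag would let the ACK-only probe through, whereas the connection table denies anything that does not correspond to a flow the firewall itself admitted.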
Advantages of firewalls
• Defines a single choke point to keep unauthorized users out of protected network
• Provides protection from various kinds of IP spoofing
• Provides a location for monitoring security-related events
• Prohibits potentially vulnerable services from entering or leaving the network
• Audits and alarms can be implemented on the firewall systems
Limitations of firewalls
• It doesn’t protect against internal threats from traitors.
• It can’t prevent uncontrolled traffic.
• It can’t protect against completely new threats.
• It can’t prevent virus attacks.
• It can’t protect against any attacks that bypass the firewall.
• Defined as the tools, methods, and resources to help identify, assess, and report
unauthorized or unapproved network activity.
• An IDS detects activity in traffic that may or may not be an intrusion.
• IDSes can detect and deal with insider attacks as well as external attacks, and are
often very useful in detecting violations of corporate security policy and other internal
threats.
Typical features of an Intrusion Detection System:
system.
3. Assesses the integrity of system and data files
4. Conducts analysis of patterns based on known attacks
5. Detects errors in system configuration
6. Detects and cautions if the system is in danger
Classification of Intrusion Detection Systems:
• These systems collect information from the network itself, rather than from each
separate host.
• This system monitors the contents and header information of all the packets moving
across the network by continuously analyzing the traffic and comparing it with the
known attacks in the library.
• If an attack is detected, an alert is sent to the system administrator.
• It is placed mostly at important points in the network so that it can keep an eye on the
traffic travelling to and from the different devices on the network.
• The IDS is placed along the network boundary or between the network and the server.
• An advantage of this system is that it can be deployed easily and at low cost, without
having to be installed on each separate host.
Comparison between Host based IDS and Network based IDS:
• Are systems that combine both Host-based IDS, which monitors events occurring on
the host system and Network-based IDS, which monitors network traffic.
• A Hybrid IDS is often deployed on an organization’s most critical servers.
Based on the method of working: