Introduction to Information Security
Prof. Salman
Chapter 1
What is Information Security?
• Information security is the prevention of unauthorized access to, misuse of, and modification of information.
• The information can be of any form, and the security can be of any form.
• We will mostly discuss the security of digital information.
• The discussion will be mostly about networks.
History of Security
Physical Security
• In early days, everything was physical.
• Information was also physical.
• Mostly, information was written on stone and later on paper.
• To secure the information, physical protections were used:
• Walls
• Forts
• Guards
• Information was shared through messengers.
History of Security
Communication Security
• With physical security alone, if a messenger is caught with the information, that information is compromised.
• To overcome this difficulty, Caesar created a technique called the "Caesar Cipher": messages are encrypted so that, even if intercepted, they cannot be read.
• This concept was used by Germany in World War II.
• The encrypted messages were sent using the "Enigma Machine".
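The Caesar cipher described above, as an added worked example that is not part of the lecture: it implements the shift, and then recovers the key by trying every one of the 26 possible shifts. The tiny word list used to score candidate plaintexts is constructed for this example; it is the reason the lecture later calls such early encryption weak, since the whole key space can be exhausted by hand.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar_shift(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)

def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)

# Constructed mini word list; a real analysis would use a dictionary or letter frequencies.
COMMON_WORDS = {"THE", "AND", "ATTACK", "AT", "DAWN", "SEND", "TROOPS", "TO", "RIVER", "OF", "IS"}

def english_score(text: str) -> int:
    """Count how many tokens of `text` are recognizable English words."""
    return sum(1 for token in text.split() if token.strip(".,;:!?") in COMMON_WORDS)

def break_caesar(ciphertext: str):
    """Exhaust the whole key space (only 26 shifts) and keep the most English-looking result."""
    best_key = max(range(26), key=lambda k: english_score(caesar_decrypt(ciphertext, k)))
    return best_key, caesar_decrypt(ciphertext, best_key)

if __name__ == "__main__":
    ct = caesar_encrypt("attack at dawn, send the troops to the river", 3)
    print(ct)
    print(break_caesar(ct))
```

The point for a defender is the size of the key space: 26 keys means an interceptor needs no key at all, only a few seconds of trial decryption.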
(Figure: the Enigma Machine)
History of Security
Emission Security
• The encrypted messages of early days were weak and were sometimes easily decrypted.
• An encryptor is an electronic device used to encrypt messages, but it gives off electronic emissions.
• The encrypted messages are then sent over phone lines.
• However, when these phone lines were checked, they were found to also carry the original message in unencrypted form, which can be recovered if the line is intercepted properly.
History of Security
Computer Security
• Simple encryption was fine for old telegraphs.
• When computers came, higher security was required.
• All the information in a computer is in electronic form.
• If someone has access to the machine, they can access the information.
• For this purpose, even today, techniques like passwords, security codes, etc. are used.
History of Security
Network Security
• The increase in the number of computers increased the need to share information between electronic devices.
• This need gave birth to the networking of different devices.
• Network security hence came into being.
• Devices connected together can share the information they are allowed to share, but they can also access each other's information even when not allowed.
• For this purpose, different network security techniques have been developed and are used these days.
History of Security
Information Security
• Today, a combination of all these securities is used to secure information:
• Physical security, using walls and doors.
• Communication security, for encryption techniques.
• Emission security, to standardize the emissions of electronic devices.
• Computer security, to secure information in computers.
• Network security, to secure information over the network.
• No single security technique can promise maximum security, hence a combination of most of them is used these days.
Security as a Process
• In an organization, different security techniques are used to secure the information or data.
• No single product can ensure the security of the whole organization.
• A combination of different products can maximize the security of the information within an organization.
Security as a Process
Antivirus Software
• Antivirus software is used to reduce an organization's exposure of data to malicious programs.
• It can reduce the risk but cannot fully remove it.
• It can stop viruses from damaging files.
• It can search for known virus definitions and remove the matching viruses.
• However, it cannot protect the information from a legitimate user of the system who does not have access to the files but still accesses them.
Security as a Process
Access Control
• Access control programs manage files so that only legitimate users can access them.
• They make sure that only users who have permission to access a file can actually access it.
• There is a lot of access control software available in the market.
• The majority of today's operating systems have access control functionality built in.
Security as a Process
Firewalls
• Firewalls are used to protect the system from external attacks.
• Firewalls can be hardware or software based.
• A hardware firewall is used as a gatekeeper that resides between the router and the network.
• Software firewalls are these days available within routers and can monitor the incoming and outgoing traffic of a network.
(Figure: hardware firewall)
(Figure: software firewall within a router)
Security as a Process
Smart Cards
• Research has shown that something you know is less effective than something you have.
• Passwords are something you know and are used to protect information.
• However, passwords can be guessed, and the information can then be compromised.
• Smart cards are something you have and are widely used these days for protecting information.
• Smart cards include RFID and NFC cards or tags, etc.
Security as a Process
Biometrics
• Biometrics are one step ahead of smart cards.
• They use scanners to verify:
• Fingerprints
• Retina
• Face
• Voice
• Many more
• To use this technique, the data for matching against a specific record must be maintained.
Security as a Process
Intrusion Detection
• These systems were assumed to remove all risk of information theft by detecting intrusions and removing them.
• These systems keep monitoring the system and alert if something goes wrong.
• These systems are still not mature and need a lot more work.
Security as a Process
Policy Management
• This is a mechanism used in different organizations to secure information.
• Different policies are designed for different users, and the system reacts according to the policies.
• However, these systems require users to do their part, e.g. remembering passwords and not sharing them with anybody.
Security as a Process
Encryption
• Encrypting important information is also an ongoing trend.
• It is always better to encrypt sensitive information.
• Furthermore, most network sharing activities strongly encourage encryption of information.
• A lot of network devices actually encrypt the information before sending it.
Security as a Process
Physical Security Mechanism
• All other security mechanisms will fail if physical security is not up to the mark.
• Physical security means keeping the system physically secure, e.g. with doors, gates, walls, etc.
Attacks on Digital Information
• Attacks on digital information can take many forms:
• Someone uses tools to steal the information.
• Someone pretends to be an employee and obtains the information.
• Someone copies the information without deleting the original.
• Someone destroys the information by damaging the equipment.
Types of Attacks
• There are different types of attacks on an organization's security:
• Access
• Modification
• Denial of Service
• Repudiation
Access Attacks
• This is the kind of attack in which a person accesses information which he is not authorized to access.
• Access to the information can be gained in many ways.
• This type of attack is an attack against the confidentiality of the information.
Access Attacks
Snooping
• Snooping is searching through files for information.
• These files can be paper files or computer files.
• The attacker keeps searching the files until he finds something interesting about the organization.
• With paper files, the attacker opens a drawer and searches the files paper by paper.
• With computer files, the attacker opens folders and searches the files one by one until he finds something.
Access Attacks
Eavesdropping
• Eavesdropping is listening to information which a person is not authorized to hear.
• To do so, the person must position himself so that he can listen in on the information.
• Wireless transmission of information has increased the chances of eavesdropping, since no wires are needed to capture the information from the connected devices.
Access Attacks
Interception
• Interception is the process in which an attacker places himself between the information source and the destination.
• Once he is done with the information, he lets it pass on to the destination.
• This is unlike eavesdropping, where the information passes from source to destination and the attacker is in between without anyone's knowledge.
Access Attacks Accomplishment
• How access attacks are accomplished depends upon the type of the information:
• Paper
• Electronic
Access Attacks Accomplishment
Information on Paper
• Information on paper can be compromised wherever it is placed:
• In filing cabinets
• In desk file drawers
• On desktops
• In fax machines
• In printers
• In the trash
• In long-term storage
• Such information can be secured with proper physical security.
Access Attacks Accomplishment
Electronic Information
• Electronic information can be compromised wherever it is placed:
• In desktop machines
• In servers
• On portable computers
• On floppy disks
• On CD-ROMs
• On backup tapes
Modification Attacks
• This is the kind of attack in which a person modifies information which he is not authorized to modify.
• Access to the information can be gained in many ways.
• This type of attack is an attack against the integrity of the information.
Modification Attacks
Changes
• An attacker can change existing information.
• The attacker can change the structure of a database.
• The attacker can change any record in the database.
• The information is not lost, but it has been modified and may be incorrect.
• Such attacks can be made without alarming the system.
• Changing an employee's salary is one example.
Modification Attacks
Insertion
• An attacker can insert some information.
• The insertion is made in alignment with the existing information so that it does not ring any bells.
• Inserting a transaction into a banking system is an example.
Modification Attacks
Deletion
• An attacker can delete some information.
• The information is deleted in such a way that it cannot be recovered.
• Deleting a bank transaction causes the loss of that transaction's information in the banking system.
Modification Attacks Accomplishment
Information on Paper
• Modifying, deleting or inserting information on paper is very difficult.
• Paper documents normally carry a signature, so modifying the document might require signing it again, which can be a difficult task.
Modification Attacks Accomplishment
Electronic Information
• Modifying, deleting or inserting electronic information is easier than for paper information.
• Information can easily be changed in databases without even leaving traces.
• Similarly, information can be inserted into or deleted from digital files without raising an alarm.
Denial of Service Attacks
• These attacks deny legitimate users' requests to use resources.
• These kinds of attacks normally do not allow the attacker to modify information.
• They simply create problems for the permissions users already have.
Denial of Service Attacks
Denial of Access to Information
• This causes information to be unavailable to users.
• The information is not deleted; in fact it has been moved to a location where users cannot access it.
• Sometimes the information is available but not in a usable form.
Denial of Service Attacks
Denial of Access to Applications
• This denies access to the applications which an organization uses to perform its tasks.
• The applications are made unavailable or are placed in a location where users cannot access them.
Denial of Service Attacks
Denial of Access to Systems
• This denies access to systems.
• The whole system with all its resources is brought down so that the information is not available to users.
Denial of Service Attacks
Denial of Access to Communication
• This denies access to communication, e.g. by cutting wires, deleting access points, etc.
• The information is available, but users cannot communicate with the systems holding it since the network is down.
Denial of Service Attacks Accomplishment
Information on Paper
• Loss of information on paper can be caused intentionally or unintentionally.
• Information can be lost because of fire or some other accident.
• Information can be lost intentionally by destroying it.
Denial of Service Attacks Accomplishment
Electronic Information
• Applications and documents can be uninstalled.
• A bug is installed which blocks access to all the information.
• The communication medium is destroyed to deny access to information on the network.
Repudiation Attacks
• This attack is against the credibility of information.
• This attack is against the accountability of information.
• It is about giving false information about the data.
• It is about denying the fact that the information actually existed.
Repudiation Attacks
Masquerading
• Masquerading is acting like someone else.
• This attack can occur in:
• Personal communication
• System-to-system communication
• Transactions
Repudiation Attacks
Denying an Event
• This is denying the fact that an event actually occurred.
• For example, purchasing something with a credit card and, when the bill arrives, flatly denying that the purchase was made.
Repudiation Attacks Accomplishment
Information on Paper
• Information on paper can be repudiated by simply forging the signature.
• Information on paper can also be repudiated by simply rejecting the invoice billed against the name or credit card.
Repudiation Attacks Accomplishment
Electronic Information
• Electronic information can be masqueraded by altering the information on behalf of someone else.
• For example, any computer can take on other IP addresses by using proxy servers.
Hacker’s Motivation
• One of the important things behind hacking a system is the motivation.
• Motivation is the reason that drives a hacker to hack a system.
• Understanding the motivation sometimes helps in securing a system.
Hacker’s Motivation
Challenge
• In old times, and it is still true these days, one of the biggest reasons for hackers to hack a system is CHALLENGE.
• Hacking a difficult system can be challenging, which urges hackers to hack it.
• Sometimes the challenge is about being the first one to hack a system.
• Hacking is not always about leaking information or breaching security with bad intent.
Hacker’s Motivation
Greed
• Greed is definitely one of the motivations for hacking.
• A hacker is hungry for information:
• Credit cards
• Employee details
• Confidential data
• Most companies simply rectify the security breach and go back to work.
• Some companies actually want to trace the hacker and penalize him.
• Even where penalties exist, they are not very serious.
Hacker’s Motivation
Malicious Intent
• A hacker at times simply wants to harm an organization by hacking its system.
• In such cases, the targets are specific.
• The intention is not only to gain access to the systems but to damage them.
Hacking Techniques
Open Sharing
• The Internet was invented for information sharing on an open platform.
• Old operating systems allowed mounting drives on remote systems, which allowed reading of the information.
• Some UNIX-based systems allowed the root file system to be mounted on remote systems, which was very dangerous because anyone could remotely modify system files.
• Modern operating systems tackle this situation by allowing different file systems with password protection, encryption techniques and firewalls.
Hacking Techniques
Bad/Weak Passwords
• Passwords are still the most common way of securing a system.
• If a password consists of few characters, it is easy to guess.
• A technique called "brute force" is used by hackers to guess the password by trying different combinations of characters.
• Default passwords are also sometimes the cause of security breaches, e.g. 'root' and 'toor'.
• Increasing the number of characters in the password decreases the chances of it being hacked.
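A password policy check built on the two points above, as an added example that is not part of the lecture: it rejects well-known default passwords (the default list is constructed for the example, seeded with the slide's 'root' and 'toor') and estimates the brute-force search space from the character set and length, so the effect of adding characters can be seen in numbers. The guess rate of 1e10 per second is an assumed figure, not a measurement.

```python
import math

# Constructed list of well-known default credentials; real checks use a much larger breach list.
DEFAULT_PASSWORDS = {"root", "toor", "admin", "password", "123456", "changeme"}
MIN_LENGTH = 12       # assumed policy minimum
MIN_BITS = 60.0       # assumed minimum size of the search space, in bits

def charset_size(pw: str) -> int:
    """Size of the smallest standard character class set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII symbols and space
    return size

def brute_force_bits(pw: str) -> float:
    """log2 of the number of guesses an exhaustive search over that character set needs."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time for a brute-force attacker at the assumed guess rate."""
    return 2 ** brute_force_bits(pw) / guesses_per_second

def check_password(pw: str) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("default or well-known password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if brute_force_bits(pw) < MIN_BITS:
        problems.append("search space too small to resist brute force")
    return problems

if __name__ == "__main__":
    for candidate in ("toor", "correct-horse-battery-staple"):
        print(candidate, check_password(candidate), f"{seconds_to_exhaust(candidate):.0f}s")
```

The bit estimate is an upper bound on the attacker's work: a dictionary word or a leaked password falls far faster than the charset arithmetic suggests, which is why the default-list check comes first.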
Hacking Techniques
Programming Flaws
• Hackers take advantage of programming flaws to hack a system.
• Sometimes programmers leave backdoors into a piece of software, which can be disastrous if they become public.
• In websites, information is sometimes displayed in the URL when switching between pages, and it can be changed manually.
• Programmers should never leave sensitive information to be displayed in a public place like a website.
Hacking Techniques
Social Engineering
• This is more of a non-technical way of gaining access to information.
• Pretending to be someone in order to gain access to information is the most famous way.
• Researching for information on the Internet is another form of social engineering.
• However, it takes time and requires patience.
Hacking Techniques
Buffer Overflows
• This is more of a technical way to gain access.
• Experts in programming usually use this technique.
• Through a buffer overflow, arbitrary commands can be executed to perform any task:
• Gain access to information
• Gain access privileges
• Control resources
• Steal information
Hacking Techniques
Understanding Buffer Overflows
• A buffer overflow occurs when a program, variable or object is forced to store more than it actually can store.
• If a variable of eight bytes is asked to store nine bytes, a buffer overflow can occur.
• The OS uses the stack to temporarily hold information about what is to be executed next.
• If a buffer overflow occurs and a hacker stores information in a variable that lives on the stack, that information can later be used to perform any action.
Hacking Techniques
Denial of Service (DoS)
• These attacks are not meant to access information or resources but to deny access to them.
• The hacker can spoof his location or IP address.
• In such attacks the hacker can target a specific system or a network of systems.
Hacking Techniques
Denial of Service (DoS)
Single Source DoS Attacks
• In this attack, a single system is targeted.
• Connection requests are sent without responding to the acknowledgment requests.
• Ignoring the acknowledgment requests and continuing to send connection requests fills up the connection buffer, and the server might crash or at least will not respond to further connections.
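Detection logic for the half-open connection pattern just described, as an added example that is not from the lecture: it counts, per source address, connection requests (SYN) that the source never completed with its acknowledgment (ACK) or reset (RST), and flags sources that leave many connections hanging. The event lines are constructed for the example; the format and the threshold of five are assumptions.

```python
from collections import defaultdict

# Constructed sample of connection events: "<seconds> <src_ip> <dst_ip>:<port> <flag>".
# A real source would be firewall logs or a packet capture.
SAMPLE_EVENTS = """\
0.00 10.0.0.5 192.0.2.10:80 SYN
0.01 10.0.0.5 192.0.2.10:80 ACK
0.02 198.51.100.7 192.0.2.10:80 SYN
0.03 198.51.100.7 192.0.2.10:80 SYN
0.04 198.51.100.7 192.0.2.10:80 SYN
0.05 10.0.0.6 192.0.2.10:80 SYN
0.06 198.51.100.7 192.0.2.10:80 SYN
0.07 10.0.0.6 192.0.2.10:80 ACK
0.08 198.51.100.7 192.0.2.10:80 SYN
0.09 198.51.100.7 192.0.2.10:80 SYN
0.10 10.0.0.5 192.0.2.10:80 SYN
0.11 198.51.100.7 192.0.2.10:80 SYN
0.12 10.0.0.5 192.0.2.10:80 RST
0.13 198.51.100.7 192.0.2.10:80 SYN
"""

def parse_event(line: str):
    ts, src, dst, flag = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return float(ts), src, dst_ip, int(dst_port), flag

def half_open_by_source(lines) -> dict:
    """Count SYNs per source that were not followed by that source's ACK or RST."""
    pending = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        _, src, _, _, flag = parse_event(line)
        if flag == "SYN":
            pending[src] += 1
        elif flag in ("ACK", "RST") and pending[src] > 0:
            pending[src] -= 1
    return dict(pending)

def detect_syn_flood(lines, threshold: int = 5) -> list:
    """Sources whose number of half-open connections reaches the threshold."""
    counts = half_open_by_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_EVENTS.splitlines()))
    print(detect_syn_flood(SAMPLE_EVENTS.splitlines()))
```

A production detector keys on the full connection tuple and ages entries out over a time window; the per-source count here is the simplest form of the same idea. Since the source address can be spoofed (as the previous slide notes), the count is most useful for rate limiting at the border rather than for blocking a specific host.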
Hacking Techniques
Denial of Service (DoS)
Distributed DoS Attacks
• In this attack, a single system is targeted, but through multiple systems.
• Normally a broadcast message is sent to the network, spoofing the source address to be the target system.
• All those systems then send packets to that single target system.
• The target system becomes busy responding to those requests and might crash at some point.
Advanced Hacking Techniques
Sniffing Switch Techniques
• After a system is compromised, its network card can be put into promiscuous mode, which means the NIC will receive all packets on the network.
• This is called sniffing the network, and such devices are called sniffers.
• In a switched network, information is sent to specific ports and is not broadcast; however, if sniffers are used, information can still be gathered at a single port.
Advanced Hacking Techniques
Sniffing Switch Techniques
Redirecting Traffic
• A switch directs traffic to ports using MAC addresses.
• The switch knows which port is connected to which MAC address.
• Traffic can be sent to the sniffer by:
• ARP spoofing
• MAC duplication
• DNS spoofing
Advanced Hacking Techniques
ARP Spoofing
• ARP is the Address Resolution Protocol.
• It translates between IP and MAC addresses.
• The sender sends an ARP request for the destination IP address.
• The receiver responds with an ARP reply containing its MAC address, and information sharing starts.
• A sniffer can respond to the ARP request with its own MAC address.
• The sending system will now send all the information to the sniffer.
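Detection for the ARP spoofing described above and for the MAC duplication on the next slide, as an added example that is not from the lecture: it learns the IP-to-MAC binding from the first reply seen for each address, alerts on any later reply that claims a different MAC for that IP, and separately reports any one MAC that answers for several IPs. The reply log lines are constructed; the log format and the optional static table are assumptions.

```python
from collections import defaultdict

# Constructed ARP reply log, one reply per line: "<seconds> <sender_ip> is-at <sender_mac>".
SAMPLE_ARP_REPLIES = """\
1.0 192.168.1.1 is-at 00:11:22:33:44:01
1.5 192.168.1.20 is-at 00:11:22:33:44:20
2.0 192.168.1.1 is-at 00:11:22:33:44:01
8.0 192.168.1.66 is-at de:ad:be:ef:00:99
9.0 192.168.1.1 is-at DE:AD:BE:EF:00:99
9.2 192.168.1.1 is-at de:ad:be:ef:00:99
"""

def parse_arp_reply(line: str):
    ts, ip, _, mac = line.split()
    return float(ts), ip, mac.lower()

def detect_arp_conflicts(lines, trusted=None) -> list:
    """Alert (ts, ip, known_mac, claimed_mac) whenever an IP answers with a MAC other than the
    one first learned for it. `trusted` may seed static bindings (e.g. the gateway) up front."""
    table = dict(trusted or {})
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, ip, mac = parse_arp_reply(line)
        known = table.setdefault(ip, mac)   # first reply wins; later ones are compared to it
        if known != mac:
            alerts.append((ts, ip, known, mac))
    return alerts

def macs_claiming_multiple_ips(lines) -> dict:
    """One MAC answering for several IPs is the signature of MAC duplication."""
    ips_by_mac = defaultdict(set)
    for line in lines:
        if line.strip():
            _, ip, mac = parse_arp_reply(line)
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    lines = SAMPLE_ARP_REPLIES.splitlines()
    print(detect_arp_conflicts(lines))
    print(macs_claiming_multiple_ips(lines))
```

Learning the first reply as the baseline means the monitor must start before the attacker does; for addresses that matter most, such as the default gateway, pass their real bindings in `trusted` so they are never learned from the wire at all. The same conflict is what switch features such as dynamic ARP inspection act on at the port level.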
Advanced Hacking Techniques
MAC Duplication
• The sniffer has to convince the switch that it has the MAC address of the target machine.
• Changing a MAC address is normally considered impossible; however, some software can change the MAC address in software.
Advanced Hacking Techniques
DNS Spoofing
• The sniffer sends replies to DNS requests.
• The sniffer provides the IP address of the attacker's computer as the victim computer's IP address.
• The sniffer should also forward the traffic to the original victim so that the interception is not noticed.
(Figure: real DNS operation)
(Figure: spoofed DNS operation)
Advanced Hacking Techniques
IP Spoofing
• IP spoofing can be used to establish a connection with the target system.
• The ISN (Initial Sequence Number) must be provided correctly in the final ACK to establish the connection.
• The ISN can be guessed if it is not a randomly generated number.
Information Security Services
• Confidentiality
• Integrity
• Availability
• Accountability
Information Security Services
• Information security services can have different effects on different types of information.
Confidentiality
• This service provides secrecy of information.
• It allows only authorized users to access certain information.
• It protects against access attacks.
• The service takes into account that information can be in:
• Paper form
• Electronic form
Confidentiality
Paper Form
• Confidentiality of the paper form requires physical access controls:
• Door locks
• Guards
• The location of the paper information itself should be protected.
Confidentiality
Electronic Form
• Files can exist in different locations:
• Hard disk
• ROMs
• Cloud
• The information along with its location must be secured.
• The computer's location must be secured using computer security.
• ROMs must be secured using encryption.
• The cloud must be secured with network security or cloud security.
Confidentiality
Confidentiality of Files in Transmission
• Protecting the stored files is not sufficient.
• Files can be attacked on their way, in transmission.
• The transmission should also be protected, which can be done through encryption.
• Information can be protected on a per-message basis or a per-link basis.
• However, encryption alone cannot prevent interception.
• To prevent interception, the information should be properly identified and authenticated.
Confidentiality
Traffic Flow Confidentiality
• In some cases the traffic flow itself is meaningful.
• It is important to make sure that the traffic flow does not leak any information.
• To avoid ringing bells because of an inconsistent traffic flow, a constant traffic flow is required.
• The traffic flow should be the same whether information is travelling or not.
• This constant traffic flow can be achieved by padding with garbage information.
Integrity
• This service deals with the correctness of information.
• It makes sure that information is correct and has not been modified.
• It protects against modification attacks.
• Information protected by this service can be in:
• Paper form
• Electronic form
Integrity
Paper Form
• It is sometimes difficult to modify information in paper form.
• Integrity of the paper form can be maintained using:
• Signature pages
• Binding of information
• Distribution of the file
Integrity
Electronic Form
• It is much easier to modify information in electronic form.
• Modification can be prevented using access control.
• It is also protected by proper:
• Identification
• Authentication
Information Integrity during Transmission
• Information integrity during transmission can be achieved by avoiding interception.
• Encryption can help in avoiding interception.
• Authentication and identification can help in avoiding interception to a large extent.
Availability
• This service deals with the availability of information.
• The information, systems and applications should be available for use.
• It allows users to access the information.
• It also provides communication between the systems which carry the information.
Availability
Backup
• Backup is one of the simplest forms of availability.
• It is a second copy of the information, available if the first copy is not.
• These backups can be in:
• Paper form
• Electronic form
• They prevent complete loss of information because of an accident or attack.
Availability
Fail-overs
• Fail-over is an operation that automatically switches to standby servers in case of failure.
• These systems can detect a failure and redirect requests to the alternate servers.
Availability
Disaster Recovery
• Disaster recovery is the process of recovering information after disasters like fire, flood, etc.
• It can be a combination of both backups and fail-overs.
• It is important to consider the critical case when all the rooms and buildings are damaged and the information is not available at all.
Accountability
• This service is more of an add-on to other services like integrity and confidentiality.
• This service alone cannot tackle security breaches.
Accountability
Identification and Authentication
• It serves two purposes:
• It identifies the individual
• It checks the authentication of that user
• Lots of identification and authentication processes are available these days, in:
• Paper form
• Electronic form
Accountability
Audit
• Audit records the actions performed by a certain user.
• In electronic form, the audit is kept in log files.
• The actions performed by a user are recorded in the log file.
• These log files should be protected against modification to maintain their integrity.
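One way to make a log file tamper-evident, as an added example that is not from the lecture: each entry stores a SHA-256 hash over its own record and the previous entry's hash, so editing or deleting any entry breaks every link after it. The audit events are constructed for the example; the JSON record layout is an assumption.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for "no previous entry"

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash this record together with the previous entry's hash."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def append_entry(log: list, record: dict) -> dict:
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": dict(record), "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    """Return -1 if every link checks out, otherwise the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1

def build_sample_log() -> list:
    # Constructed audit events for one user session
    events = [
        {"ts": 1, "user": "alice", "action": "login"},
        {"ts": 2, "user": "alice", "action": "read", "file": "payroll.xlsx"},
        {"ts": 3, "user": "alice", "action": "modify", "file": "payroll.xlsx"},
        {"ts": 4, "user": "alice", "action": "logout"},
    ]
    log = []
    for event in events:
        append_entry(log, event)
    return log

def tamper_in_place() -> int:
    """Someone edits the 'modify' entry to look like a harmless read."""
    log = build_sample_log()
    log[2]["record"]["action"] = "read"
    return verify_chain(log)

def tamper_by_deletion() -> int:
    """Someone deletes the 'modify' entry entirely."""
    log = build_sample_log()
    del log[2]
    return verify_chain(log)

if __name__ == "__main__":
    print(verify_chain(build_sample_log()), tamper_in_place(), tamper_by_deletion())
```

A chain on its own only catches an editor who cannot recompute the later hashes; someone with write access to the whole file can rewrite the chain end to end. The usual complements are to ship entries to a separate log server as they are written and to periodically record or sign the latest hash somewhere the log's administrators cannot change.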
Security Policies
• Policies for an organization normally do not require any technical knowledge.
• Policies are normally designed in a generic way.
• Policies set rules.
• Policies force people to do certain things in certain ways.
Why is Policy Important?
• Policies provide the rules that govern how employees in an organization should work in certain circumstances.
• Policies also define how and what should be done in case of unusual circumstances.
• Security policies:
• Define what kind of security should be implemented.
• Put everyone on the same page so that they understand what the policies are about.
Policy about Security of an organization - I
• The policy defines what kind of security an organization should use.
• It includes:
• System configurations
• Firewall settings
• ACL profile building
• And many more
• A security policy does have technical aspects for an organization.
Policy about Security of an organization - II
• Policies are also designed for unusual circumstances:
• Accidents
• System failure
• These policies explain what should be done in such circumstances:
• How should employees react in such cases?
• How will the system react in such cases?
Put everyone on the same page
• Defining policies is one part; making people follow them is another.
• It is important to make the employees of an organization follow the defined policies.
• Different automated systems are available for this purpose.
• Some organizations follow manual systems for policy implementation.
Information Policy
• It defines what sensitive information is within an organization and how it should be protected.
• Sensitive information should be kept in a safe place and should be protected with a password or through encryption techniques.
• In some cases the information is kept encrypted even from the administrators.
• Discarded information should be removed from the computer using special software, because after a normal deletion the information can still be retrieved.
Security Policy
• It defines the technical ways in which information is secured on computers and the network.
• It defines how users are identified and authenticated.
• It includes:
• Access control
• Audit
• Network connectivity
• Malicious code
• Encryption
Computer Policy
• It defines who can use a computer and how a computer can be used.
• Most organizations expect employees to use only the computers they provide, even at home.
• The information on these computers may be monitored by the admin, and employees should understand this fact.
Internet Policy
• It defines how the Internet can be used and who can use it.
• In some cases specific websites are blocked.
• Specific gateways might be blocked.
• Use of a specific DNS is allowed; other DNS servers are not allowed.
Email Policy
• It defines what type of email should be allowed.
• It may also include the type of content of the email, e.g. keywords, etc.
• Some organizations allow their employees to email through the addresses they provide, because these are more secure.
Firewalls
Firewall
• A firewall is a network access control mechanism.
• It only allows traffic in or out which is explicitly permitted by its rules.
• Firewalls can be configured to allow traffic based on:
• Services
• Ports
• IP addresses
• Firewalls provide centralized security management.
Types of Firewalls
• Application Layer Firewalls
• Packet Filtering Firewall
Application Layer Firewall - I
• They are also called proxy firewalls.
• They are normally software based and run on top of an OS.
• A set of rules is defined for how traffic will go out of and come into the network.
• If these rules are not followed, the traffic is denied or the packets are dropped.
• The rules are enforced through a proxy.
Application Layer Firewall - II
• On an application layer firewall, each protocol has its own proxy.
• Normally the built-in protocol proxies are used.
• For example, an HTTP proxy understands the HTTP protocol.
• In an application layer firewall, all connections terminate at the firewall.
• Normally a connection starts at the client system and goes to the firewall.
Application Layer Firewall - III
• The firewall analyzes the contents and protocol, and if everything is fine, it starts a new connection to the server.
• This way the client computer is hidden from the server and from the outside world.
• This makes the system more secure.
Packet Filtering Firewall
• They can also be software packages sitting on top of an OS and monitoring traffic.
• They monitor packets.
• Only allowed packets are welcome; the rest are denied.
• If a connection is to be made, a SYN is sent first.
• The firewall will then accept either an ACK or a RESET.
• If any other packet arrives, it is denied.
Packet Filtering Firewall
• In this technique, connections do not terminate at the firewall.
• The connections are first checked by the firewall, and if the specified rules allow, they are passed on to the destination.
• This type of firewall can support a large number of connections, since no new connections are made at the firewall and hence there is no connection overhead.
Firewall Configurations
• Different firewall configurations can be used to protect the system against attacks.
• All these configurations depend upon what type of system an organization has.
• All these configurations are made based on firewall policies.
Firewall Configurations
Proposed System
• Web Server allows service on Port 80 only.
• Mail Server allows service on Port 25 only.
• Internal DNS system forwards domain name requests to the ISP.
• Internet policy allows the following protocols:
• HTTP
• HTTPS
• FTP
• Telnet
• SSH
145
Configuration No. 1
146
Firewall Rule No. 1
• Mail Server and Web Server are not protected by the firewall.
• The firewall only protects the internal network in this configuration.
• Filtering can be done at the router.
147
Configuration No. 2
148
Firewall Rule No. 2
• Mail Server and Web Server are protected by the firewall.
• The firewall also protects the internal network in this configuration.
• Filtering can be done at the firewall.
149
Configuration No. 3
150
Firewall Rule No. 3
151
Firewall Rule No. 3
• There are two different firewalls.
• First is protecting
• Mail Server
• Web Server
• Second is protecting the internal system
• Both have different rules.
152
Designing Firewall Rule Set
• Designing rules for a firewall is very important.
• While designing the rules, it is important to keep
the processing time in mind.
• The more rules are set, the more the processing time of the
firewall will increase.
• Most firewalls work on a “First Match” algorithm in
order to decide whether to accept or reject a
packet.
153
Designing Firewall Rule Set
First Match Algorithm
• In this algorithm, the most specific rules are placed at
the top of the list.
• The least specific or general rules are placed at the
bottom of the list, i.e. at the lowest end of the rule list.
• For example, allowing HTTP at port 80 is specific and
can be placed at the top.
• Similarly, allowing incoming email from all ports is
less specific, so it should be at the lowest end of the list.
155
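As an added example that is not part of the lecture slides, here is a first-match rule set for the "proposed system" above (web on port 80 only, mail on port 25 only, internal users allowed HTTP/HTTPS/FTP/Telnet/SSH), with a check for rules that an earlier, more general rule makes unreachable; the server addresses and the internal range are constructed.

```python
# Added example, not part of the lecture: a first-match evaluator for the
# "proposed system" slides. Server addresses and the internal range are
# constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

ANY = None  # wildcard for src, dst or dports


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "deny"
    proto: str                        # "tcp", "udp" or "any"
    src: Optional[str]                # CIDR or ANY
    dst: Optional[str]                # CIDR or ANY
    dports: Optional[FrozenSet[int]]  # destination ports or ANY

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and (self.src is ANY or ip_address(src) in ip_network(self.src))
                and (self.dst is ANY or ip_address(dst) in ip_network(self.dst))
                and (self.dports is ANY or dport in self.dports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        def net_covers(a, b):
            return a is ANY or (b is not ANY and ip_network(b).subnet_of(ip_network(a)))
        return ((self.proto == "any" or self.proto == other.proto)
                and net_covers(self.src, other.src)
                and net_covers(self.dst, other.dst)
                and (self.dports is ANY
                     or (other.dports is not ANY and other.dports <= self.dports)))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First match: the first rule whose fields match decides. Returns
    (action, index of the deciding rule); `default` applies if none matches."""
    for idx, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return rule.action, idx
    return default, None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers
    them: wasted processing time at best, a policy that is not actually in
    force at worst."""
    return [j for j in range(len(rules))
            if any(rules[i].covers(rules[j]) for i in range(j))]


WEB, MAIL = "203.0.113.10", "203.0.113.25"
DMZ, INTERNAL = "203.0.113.0/24", "10.0.0.0/8"
INTERNET_POLICY = frozenset({80, 443, 21, 23, 22})  # HTTP, HTTPS, FTP, Telnet, SSH

# Most specific rules at the top, the general catch-all at the bottom.
RULES = [
    Rule("accept", "tcp", ANY, WEB + "/32", frozenset({80})),   # web server, port 80 only
    Rule("accept", "tcp", ANY, MAIL + "/32", frozenset({25})),  # mail server, port 25 only
    Rule("deny", "any", ANY, DMZ, ANY),                          # nothing else into the DMZ
    Rule("accept", "tcp", INTERNAL, ANY, INTERNET_POLICY),       # internal users going out
    Rule("deny", "any", ANY, ANY, ANY),                          # catch-all
]

# The same rules with the general DMZ deny moved above the specific accepts:
# under first match the web and mail rules can never fire.
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3], RULES[4]]
```

Running `shadowed(MISORDERED)` reports the two server rules as unreachable, which is exactly the ordering mistake the "most specific first" guideline prevents.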
Private Networks
• Private networks are a means of transferring
information within an organization.
• This information transfer can be to a remote
branch as well.
• Private lines are leased from providers for this
purpose.
• They can be very costly.
156
Private Networks
157
Private Networks are very costly!
158
Virtual Private Networks (VPNs)
• Information flows through the internet
• Less costly
• Secure
• Maintains confidentiality
• Traffic is encrypted
• Multiple protocols are supported
• Connection is normally point to point
159
Virtual Private Networks
160
Multiple Protocols in VPN
• Unlike single-purpose servers, e.g. a Web Server or Mail Server,
a VPN supports multiple protocols, especially at the
Application Layer.
• A VPN can support HTTP and SMTP at the same time.
• These protocols can run over the same VPN
channel.
161
Multiple Protocols in VPN
162
User VPN
• In this type of VPN, a user accesses the internal
network of an organization from outside, remotely.
• An employee can access the file server of the
organization from home using a VPN.
• The organization can limit what the employee may
use on the system.
• Normally the VPN is handled by separate software on the
user’s computer.
163
User VPN
164
Benefits of User VPN
• Users do not need to dial in to the server to have
access to files and mail.
• Users do not need leased lines to access
their data on the organization’s server.
• The same data is readily available to the user even
outside the organization.
165
Problems of User VPN
• Since the user can use both the VPN and the Internet on the
same computer, there is a chance that
• a Trojan on the computer can access the VPN
• data of the organization can be compromised through the VPN
• Delay can be an issue if lots of users are sending
and receiving data through the VPN server.
166
Problems of User VPN
167
Site VPN
• In this type of VPN, an organization wants to
connect to another organization.
• In some cases an organization wants to connect
to its remote branch office for sharing data.
168
Site VPN
169
Benefits of Site VPN
• Like User VPN, the primary benefit of Site VPN is
cost saving.
• In such a case the head office of an organization can
connect to its multiple remote branches using
VPNs without worrying about the cost of leased lines.
170
Problems of Site VPN
• If a remote branch is compromised, there is a
chance that the Head Office can be compromised too.
• Proper measures must be taken to avoid intrusion
at both Head and Branch offices.
• If there is a lot of traffic at the VPN server, delays can
occur.
171
Components of VPN
• VPN Server
• Encryption Algorithm
• Authentication System
• VPN Protocol
172
Components of VPN
VPN Server
• It is a computer system that acts as an end point of
the VPN.
• Specifications of VPN servers should be considered
carefully.
• VPN servers should be able to handle the load from
various clients.
• Some VPN software vendors provide specifications for
the hardware.
173
Components of VPN
VPN Server
• Multiple VPN servers are recommended if a single
server cannot handle the load.
• Fail-over systems can also be used for VPN.
• In some cases the firewall acts as the VPN server.
• A VPN server can also be a standalone system.
• VPN servers are considered more secure than Web,
File and Mail servers.
174
Components of VPN
VPN Server
175
Components of VPN
VPN Server
176
Components of VPN
Encryption Algorithm
• An encryption technique is required to keep data in the
VPN secure.
• For this purpose lots of encryption algorithms are
available on the market.
• In some cases, when buying a VPN package, an
encryption algorithm is included in the package.
177
Components of VPN
Encryption Algorithm
• In order to get the information from the VPN, an
attacker must
• capture the entire session between the end points
• to capture the session, a sniffer must be placed between the end
points
• spend time and effort on brute force to decrypt the data.
178
Components of VPN
Encryption Algorithm
179
Components of VPN
Authentication Systems
• The VPN should authenticate users or sites before they
can retrieve information from it.
• Normally passwords are used for this purpose.
• In some cases, smart cards are also used.
• Password policies are kept very strong for VPNs.
• Passwords expire every 30 days.
• Passwords should include numeric, alphabetic and symbolic
characters.
180
Components of VPN
Authentication Systems
181
Components of VPN
VPN Protocol
• Some rules need to be defined in order for the VPN to
operate.
• If a site VPN is used, it is important to define how the
internet is used.
• In a VPN, encryption keys will also be exchanged
between the sites using a connection.
• If this connection itself is not secure, the security keys
can be compromised.
182
Components of VPN
VPN Protocol
• Different protocols are available for this purpose.
• One of the most important ones is IPSec (IP
Security).
• Two modes are used for IPSec
• Transport Mode
• Encrypts only the message (payload) of the data packet
• Tunneling Mode
• Encrypts the whole data packet
183
Types of VPN
• Hardware Based
• Software Based
• Web Based
184
Types of VPN
Hardware Based
• A hardware appliance is used in combination with
software for the VPN.
• These VPNs can handle both User and Site VPNs.
• Special hardware and software are used for this
purpose.
• Vendors can have their own hardware and
customized software for such VPNs.
185
Types of VPN
Hardware Based
186
Types of VPN
Hardware Based
• Benefits
• Because of high specifications, speed is the major
benefit.
• Security is another benefit, since, if a system is
going to be used as a VPN, other software is
removed from that system.
187
Types of VPN
Software Based
• VPNs can be software based.
• These types of VPN are among the most popular
these days.
• Different software packages are available for setting up a VPN
• OpenVPN
• ExpressVPN
188
Types of VPN
Software Based
• Benefits
• Less costly than hardware based
• Customizable
• Easy to use
189
Types of VPN
Web Based
• VPNs can use browsers as their front end as well.
• Users / Organizations can use Web Based VPNs to
connect.
• No need to install extra software.
• However, Web-Based VPNs are limited to a few
applications.
190
Types of VPN
Web Based
• Benefits
• Less costly than both Software and Hardware
based
• No extra software to install
• Easy to use
192
Encryption
• It is a way of keeping information secure.
• Only a person or a system having the proper
decryption algorithm with the proper keys can use that
information.
• Unauthorized people who do not have the proper information
cannot access the encrypted information.
• A lot of algorithms are available for encryption.
193
Encryption
194
Types of Encryption
• Private Key Encryption
• Public Key Encryption
195
Private Key Encryption
• In this case, both the encryption and decryption
algorithms use the same key.
• Sender and Receiver should have the same key.
• Private Key Encryption is fast and convenient.
• It provides confidentiality of information, since only
people having the key can access the information.
196
Private Key Encryption
197
One Time Pad
• It is used for encrypting short messages.
• In this type of encryption, a randomly generated
number is used.
• It is called the most secure way of encrypting a
message, since every time a new number will be
generated.
198
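An added example, not from the lecture, of the one-time pad over bytes: the pad is a fresh random string at least as long as the message and is used once, and the last function shows what is lost when the "new number every time" rule is broken.

```python
# Added example, not part of the lecture: a one-time pad over bytes. The pad
# is fresh random data as long as the message and is used exactly once;
# pad_reuse_leak shows what a defender loses when that rule is broken.
import secrets


def new_pad(length: int) -> bytes:
    """Random pad from the OS CSPRNG; generate a new one for every message."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt: XOR each byte with the pad byte at the same index.
    XOR is its own inverse, so the same call does both directions."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted with the same pad, XORing the two
    ciphertexts cancels the pad and leaves plaintext1 XOR plaintext2; the
    pad contributes nothing, which is why it must never be reused."""
    return bytes(x ^ y for x, y in zip(c1, c2))
```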
One Time Pad
199
Private Key Algorithms
• Various Private Key based algorithms are
available:
• DES
• IDEA
• Skipjack
• RC5
200
DES (Data Encryption Standard)
• It was developed by IBM.
• It has a 56-bit key.
• Works on 64-bit blocks of plaintext.
• It has 16 rounds of encryption.
• Blocks are divided into halves (32 bits each).
• A 56-bit key gives around 2^56 different keys.
201
202
Triple DES
• Research found that DES can be applied several times
to make information even more secure.
• For this purpose Triple DES is used.
• It can have 2 or 3 keys.
• Text is first DES encrypted with a key, then
decrypted with a key and then encrypted with a key
again.
203
Triple DES
204
Password Encryption
• Unix systems use DES for password encryption.
• 8 characters are used for the password
• If fewer than 8, random characters are added.
• If more than 8, the extra characters are truncated.
• The password is then transformed into a 56-bit number
• Taking 7 bits from each character.
• The system time is used as a 12-bit number
• This is called the Salt.
205
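An added example, not from the lecture, of how the scheme above turns a password into the 56-bit DES key and the 12-bit salt. It pads short passwords with NUL bytes and draws the salt from a CSPRNG; both are assumptions of this example, since the slide describes random padding characters and a salt taken from the system time.

```python
# Added example, not part of the lecture: deriving the 56-bit DES key and
# the 12-bit salt from a Unix password as the slide describes. NUL padding
# (the crypt(3) convention) and a CSPRNG salt are assumptions of this example.
import secrets

PW_LEN = 8          # characters kept from the password
BITS_PER_CHAR = 7   # low 7 bits of each character; 8 * 7 = 56
SALT_BITS = 12


def des_key_from_password(password: str) -> int:
    """Truncate or pad to 8 characters, then pack the low 7 bits of each
    character into one 56-bit integer."""
    fixed = password[:PW_LEN].ljust(PW_LEN, "\x00")
    key = 0
    for ch in fixed:
        key = (key << BITS_PER_CHAR) | (ord(ch) & 0x7F)
    return key


def new_salt() -> int:
    """12-bit salt, 0..4095. Drawn from the OS CSPRNG here (assumption);
    the slide derives it from the system time."""
    return secrets.randbelow(1 << SALT_BITS)


def same_key(p1: str, p2: str) -> bool:
    """Two passwords that agree in their first 8 characters yield the same
    DES key: anything past character 8 is silently ignored, so a long
    passphrase is no stronger than its first 8 characters under this scheme."""
    return des_key_from_password(p1) == des_key_from_password(p2)


def salt_variants() -> int:
    """Distinct hashes one password can produce, i.e. how many times larger
    a precomputed dictionary must be to cover every salt value."""
    return 1 << SALT_BITS
```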
Password Encryption
206
Public Key Encryption
• In this case, the encryption and decryption
algorithms use different keys.
• One key is used for encryption and another, different
key is used for decryption.
• It is also called Asymmetric Encryption.
• The keys are related to each other and are called a Key
Pair; however, both are different.
• If K1 is used for encryption, only its pair key K2 can
decrypt the information.
207
Public Key Encryption
208
Diffie Hellman Key Exchange
P1 and P2 agree on two large numbers a and b, with 1 < a < b
P1 chooses a random number i and sends I = a^i mod b to P2
P2 chooses a random number j and sends J = a^j mod b to P1
P1 computes k1 = J^i mod b
P2 computes k2 = I^j mod b
Both equal a^(i*j) mod b, so k1 = k2 is the shared key
209
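The exchange above carried out in code with the slide's own symbols, as an added example that is not part of the lecture. The modulus b = 23 keeps the numbers readable, and the trial-exponentiation function at the end shows what an observer of I and J would have to solve, which is only feasible because b is tiny here.

```python
# Added example, not part of the lecture: Diffie-Hellman with the slide's
# symbols (a, b, i, j, I, J, k1, k2). b = 23 is a toy modulus; real
# deployments use moduli thousands of bits long.
import secrets


def dh_public(a: int, secret: int, b: int) -> int:
    """I = a^i mod b on P1's side, J = a^j mod b on P2's side."""
    return pow(a, secret, b)


def dh_shared(received: int, secret: int, b: int) -> int:
    """k1 = J^i mod b on P1's side, k2 = I^j mod b on P2's side."""
    return pow(received, secret, b)


def exchange(a: int, b: int, i: int = None, j: int = None):
    """Run both parties and return (I, J, k1, k2). Only I and J travel over
    the connection; i and j never leave their owners. Random secrets are
    drawn when i or j is not supplied."""
    if not 1 < a < b:
        raise ValueError("need 1 < a < b")
    i = secrets.randbelow(b - 2) + 1 if i is None else i
    j = secrets.randbelow(b - 2) + 1 if j is None else j
    I = dh_public(a, i, b)
    J = dh_public(a, j, b)
    k1 = dh_shared(J, i, b)
    k2 = dh_shared(I, j, b)
    return I, J, k1, k2


def discrete_log(a: int, value: int, b: int) -> int:
    """The problem an observer of a, b and I must solve to learn i: find x
    with a^x mod b == value. Trial exponentiation works only for a toy b;
    a large b is what makes the secrets unrecoverable in practice."""
    for x in range(1, b):
        if pow(a, x, b) == value:
            return x
    raise ValueError("no exponent found")
```

Note that nothing in the exchange authenticates P1 to P2, which is why the slides insist the connection carrying the key exchange must itself be secured.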
210
Diffie Hellman Key Exchange
211
Digital Signatures
• This is a way of knowing that information was sent by
some legitimate user.
• The concept is the same as a real-world signature.
• For Digital Signatures, the information is first passed to a Hash
Function which creates a checksum.
• This checksum is encrypted with the user’s private key.
• The information and the encrypted checksum are then
sent to the other user.
212
213
Secure Hash Functions
• A Hash Function is said to be secure if it is one way
• The function creates a checksum from the information but
the information cannot be recreated from the checksum.
• A hash function should create at least a 128-bit
checksum.
• Two famous Hash functions are
• MD5 (Message Digest) – 128 bits
• SHA (Secure Hash Algorithm) – 160 bits
215
Intrusion Detection Systems (IDS)
• It is a way or a tool to protect the security of an
organization.
• Ideally, such systems alarm only when a
successful attack attempt is made.
• Real world examples are
• Watchman guarding the building
• Alarm system in the cars
• Alarm systems in houses or buildings
216
Intrusion Detection Systems
• The basic aim is to detect any penetration into the
security of the system
• Home
• Car
• Building
• Computers
• Network
• OSSEC is an open source IDS available on the
market.
217
Types of IDS
There are normally two types of IDS
• Host Based IDS (HIDS)
• Network Based IDS (NIDS)
218
Types of IDS
219
Host based IDS
• These are based on various sensors called HIDS
sensors.
• These sensors are installed on the servers and are
controlled by some central manager.
• HIDS are normally more expensive than NIDS.
• HIDS require processing time from the server’s
processor, sometimes up to 5 – 10%.
220
Host based IDS
• This type of system has some sensors installed.
• Below are the most common sensors for HIDS
• Log Analyzer
• Signature based Sensors
• System call analyzers
• Application behavior analyzers
• File Integrity checkers
221
Host based IDS
Log Analyzers
• A process runs on the server and analyzes specific
log files on the server.
• If an entry appears which matches pre-defined
criteria, an appropriate action is taken.
• They normally react after an event occurs.
• They normally do not prevent the attack on the system;
instead they notify about the attack.
222
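An added example, not from the lecture, of such a log analyzer sensor: it scans constructed sshd-style lines for failed logins and raises an alert when one source exceeds a threshold inside a time window. The log lines, the ISO timestamp layout and the "N failures in a window" criterion are all assumptions of this example.

```python
# Added example, not part of the lecture: a minimal log analyzer sensor. The
# log lines below are constructed to look like sshd messages; the rule
# "N failed logins from one source within a window" is an assumption.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

SAMPLE_LOG = """\
2024-03-03T09:30:00 srv1 sshd[1801]: Failed password for root from 198.51.100.9 port 40122 ssh2
2024-03-03T10:00:30 srv1 sshd[2044]: Failed password for alice from 192.0.2.4 port 51020 ssh2
2024-03-03T10:00:45 srv1 sshd[2044]: Accepted password for alice from 192.0.2.4 port 51020 ssh2
2024-03-03T10:01:02 srv1 sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40310 ssh2
2024-03-03T10:01:05 srv1 sshd[2102]: Failed password for invalid user admin from 198.51.100.9 port 40311 ssh2
2024-03-03T10:01:09 srv1 sshd[2103]: Failed password for root from 198.51.100.9 port 40312 ssh2
2024-03-03T10:01:14 srv1 sshd[2104]: Failed password for invalid user test from 198.51.100.9 port 40313 ssh2
2024-03-03T10:01:20 srv1 sshd[2105]: Failed password for root from 198.51.100.9 port 40314 ssh2
2024-03-03T10:01:33 srv1 sshd[2106]: Failed password for root from 198.51.100.9 port 40315 ssh2
""".splitlines()

# Pre-defined criterion: a failed password line, with its timestamp and source.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def analyze(lines: List[str], threshold: int = 5,
            window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, int, str]]:
    """Sliding-window count of failures per source. Returns one alert per
    offending source as (ip, failures in window, time of the tripping
    failure). The action is to report, not to block, which is what the
    slides say a log analyzer normally does."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue                 # not a failure line (e.g. "Accepted password")
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(q), ts.isoformat()))
    return alerts
```

The 09:30 failure from the same source is outside the window by the time the burst starts, so it does not count toward the alert.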
Host based IDS
Log Analyzers
223
Host based IDS
Signature based sensors
• They check incoming traffic for known attack signatures.
• They can see the incoming attack, so they can
notify about it as well.
• They can even be used for keeping track of
internal users accessing specific files.
224
Host based IDS
System Call Analyzers
• They analyze calls from applications to the
OS.
• They keep monitoring the calls from different
applications and check them against the rules or
policies.
• As soon as something is wrong they not only notify
about it but also have the capability of stopping or
rejecting the call.
225
Host based IDS
System Call Analyzers
(Diagram: Application, Operating System, Server, Buffer overflow)
226
Host based IDS
Application Behavior Analyzers
• They analyze the behavior of an application
instead of checking the calls to the operating
system.
• They see whether an application is allowed to
perform some action or not.
• If not, they can stop it and notify about it too.
227
Host based IDS
Application Behavior Analyzers
(Diagram: Application, Server, Read, Write)
228
Host based IDS
File Integrity Check
• It is used to check the integrity of files.
• At the start each file is checked and a
signature is maintained.
• Periodically each file is checked for changes
against the initial signature for integrity.
229
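An added example, not from the lecture, of a file integrity checker as described above: a SHA-256 signature per file is recorded at baseline time and a later pass reports modified, missing and added files. The demo scenario writes its files into a temporary directory, so the file names and contents are constructed and nothing on the host is touched.

```python
# Added example, not part of the lecture: a minimal file integrity checker.
# It stores a SHA-256 "signature" per file and later reports differences.
# The demo files are constructed inside a temporary directory.
import hashlib
import os
import tempfile
from typing import Dict, List


def file_signature(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Initial pass: signature of every file under root, keyed by relative path."""
    sigs = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            sigs[os.path.relpath(full, root)] = file_signature(full)
    return sigs


def check(root: str, sigs: Dict[str, str]) -> Dict[str, List[str]]:
    """Periodic pass: compare the current tree against the stored signatures."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in sigs if p in now and now[p] != sigs[p]),
        "missing": sorted(p for p in sigs if p not in now),
        "added": sorted(p for p in now if p not in sigs),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three files at baseline, then one is edited, one
    deleted and one new file appears. In practice the signature store must
    live somewhere the attacker cannot write, or it would simply be updated
    along with the tampered file."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("passwd", b"root:x:0:0\n"),
                           ("hosts", b"127.0.0.1 localhost\n"),
                           ("motd", b"welcome\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        sigs = baseline(root)
        with open(os.path.join(root, "passwd"), "ab") as f:   # tampered
            f.write(b"eve:x:0:0\n")
        os.remove(os.path.join(root, "motd"))                    # deleted
        with open(os.path.join(root, "unknown.bin"), "wb") as f:  # new file
            f.write(b"\x7fELF")
        return check(root, sigs)
```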
Network based IDS
• These types of systems normally have two network
cards.
• One card is in stealth mode
• It does not have an IP address
• It does not implement common protocols
• The second card is also hidden but connected to the IDS
management system to send notifications.
230
Network based IDS
231
Advantages of NIDS
• NIDS can be hidden, so the attacker cannot tell whether he is
being monitored or not.
• It can monitor a large number of systems.
• It can capture all the packets travelling to the
system.
• Less expensive than HIDS
232
Disadvantages of NIDS
• NIDS can notify only if a signature matches.
• It can miss traffic of interest due to high bandwidth
at times.
• It cannot determine whether an attack was successful.
• Encrypted traffic cannot be monitored.
• Special configurations are required for complex
networks.
233
Choosing what to Monitor?
• In IDS, the most important question is what to
monitor.
• For this purpose, different policies need to be
designed depending upon the architecture of the
organization.
234
Choosing what to Monitor?
235
Responding to Attacks
There are two types of responses
• Passive Response
• Active Response
236
Responding to Attacks
Passive Response
• It means not directly hindering the act of the attacker.
• It is one of the most common responses.
• It is easy to implement.
• It does not largely affect the traffic of a network.
237
Types of Passive Responses
Shunning
• It means ignoring the attack attempt.
• It is the most common form of passive response.
• Organizations install security measures and assume they
will secure the network
• Installing a firewall
• Installing an antivirus
• Sometimes attacks are not applicable to all
environments; shunning is the right choice in those cases.
238
Types of Passive Responses
Logging
• Logging the information is also a type of passive
response.
• If an attack takes place, the system should gather
information and log it to files.
• Sometimes extensive logging is done.
239
Types of Passive Responses
Notification
• Notification is a popular form of passive response.
• If an attack takes place, the concerned authorities
should be notified.
240
Responding to Attacks
Active Response
• It means quickly taking action against the
attack.
• It requires careful consideration before reacting to
the attack.
• It can even deny legitimate users access
to the system for an unknown period of time.
241
Types of Active Response
Termination of Connection
• The most common active response is
termination of connection.
• If the attacker is using a TCP connection, that
connection should be terminated.
• If a process is taking too much memory for
worthless tasks, terminate that process.
242
Types of Active Response
Network Reconfiguration
• If attacks are being made from a legitimate IP
address, a network reconfiguration should
be requested.
• Rules must be reconfigured.
• New policies must be designed if possible.
243
Types of Active Response
Deception
• In such responses, attackers are fooled into believing
that they are not being watched.
• Instead they are watched and monitored carefully.
• In some cases, important information is moved to
some safe location and the attacker is exposed to fake
information.
244
Automatic vs. Automated Response
Automatic Response
• It is the set of predefined actions taken as a result
of a particular event.
• These actions can be active or passive.
Automated Response
• When a response is taken by a computer without
human intervention, such responses are called
automated responses.
245
Intrusion Prevention using IDS
• Once an intrusion is detected, it must be
prevented so systems are not compromised.
• In HIDS, the application behavior analyzer and system
call analyzer prevent the intrusion.
• In NIDS it is a little more complicated, since sensors
should be placed where they can monitor the traffic
and response time is low.
246
Problems with Intrusion Prevention
Denial of Service
• If an attack is not properly recognized, a legitimate
user might be denied service.
Availability
• The sensors installed must be available all the
time, which is difficult in a high traffic environment.
248
Typical Wireless Connections
249
Transmission Security
• In a WLAN, since the information is transmitted over
the air, proper security is required.
• WLANs normally use WEP (Wired Equivalent
Privacy)
• WEP has 3 major services
• Authentication
• Confidentiality
• Integrity
250
Authentication
Service Set Identifier (SSID)
• It is a 32-byte string used as the network name.
• Normally the SSID is broadcast by Access Points
(APs)
• However at times, the SSID is not broadcast, to
improve security.
251
Authentication
MAC Addresses
• Some APs allow only authorized MAC addresses to
connect to that AP.
• All other requests will be rejected.
• The administrator must maintain a list of authorized
MAC addresses to make sure no unauthorized MAC
address connects to the AP.
252
Authentication
WEP
• This is an authentication service.
• It authenticates the workstation to the AP.
• It does not authenticate the AP to the workstation, which
means the workstation cannot be sure whether the AP is valid.
• WEP still leaves a chance of interception and Man-in-the-Middle
attacks.
253
Authentication
WEP
254
Wireless Security
Access Point Security
• APs in an organization should be very secure.
• When applying a WEP key, make sure to input a
strong WEP key which is difficult to guess.
• Use MAC addresses to limit the workstations.
• Do not broadcast the SSID unless it is
necessary.
• Limit the range of the AP by placing it carefully.
255
Wireless Security
Transmission Security
• Although using WEP is recommended, using
other forms of security for sensitive environments is
also recommended.
• WEP is not fully fledged, so firewalls are also
recommended in combination with WEP.
• VPNs are also a good form of security
when using wireless networks.
256
Wireless Security
Workstation Security
• Protecting a WLAN is important, but workstations
should be secured as well.
• Even if the network is compromised, each workstation
should have extra security of its own.
257
Wireless Knowledge Check
What is the approximate range of 802.11x indoors and
outdoors?
• Indoor = 50 – 100 m
• Outdoor = 300 – 500 m
258
Wireless Knowledge Check
What is the way of connecting a wireless node
to a WLAN automatically without
assigning IP addresses manually?
• DHCP
259
Wireless Knowledge Check
Name the three services that WEP provides
• Authentication
• Confidentiality
• Integrity
260
Wireless Knowledge Check
Since the AP is not authenticated back to the
workstation, what type of attack is possible?
• Man in the Middle
• Interception
261
Wireless Knowledge Check
How does MAC address assignment secure
the network?
• Only authorized Workstation can see the AP