INTRODUCTION TO INFORMATION SECURITY Prof. Salman Naseer salman@pugc.edu.pk Chapter# 1


Post on 31-Dec-2015


Page 1

INTRODUCTION TO INFORMATION SECURITY
Prof. Salman Naseer salman@pugc.edu.pk
Chapter# 1

Page 2

What is Information Security?

• Information security is the prevention of unauthorized access to, misuse of and modification of information.
• Information can be in any form, and security can be in any form.
• We will mostly discuss digital information security.
• The discussion will mostly be about networks.

Page 3

History of Security
Physical Security

• In early days, everything was physical.
• Information was also physical.
• Mostly, information was written on stones and later on paper.
• To secure the information, physical preventions were used:
  • Walls
  • Forts
  • Guards
• Information sharing was done through messengers.

Page 4

History of Security
Communication Security

• In physical security, if a messenger is caught with the information, that information is compromised.
• To overcome this difficulty, Caesar created a technique called the “Caesar Cipher”: messages are encrypted so that, even if intercepted, they cannot be compromised.
• This concept was used by Germany in World War II.
• The encrypted messages were sent using the “Enigma Machine”.
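As an added example (not from the slides), here is the Caesar cipher in C together with a key-recovery routine: the cipher has only 25 possible shifts, so anyone holding an intercepted message and one word expected in the plaintext (a "crib") can try every shift and read it, which is why this cipher no longer protects intercepted messages. The message, key and crib below are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Shift one letter by k positions (0..25), wrapping within the alphabet;
 * anything that is not a letter passes through unchanged. */
static char shift_char(char c, int k) {
    if (c >= 'A' && c <= 'Z') return (char)('A' + (c - 'A' + k) % 26);
    if (c >= 'a' && c <= 'z') return (char)('a' + (c - 'a' + k) % 26);
    return c;
}

/* Encrypt text in place with key k. Negative or large keys are reduced mod 26. */
void caesar_encrypt(char *text, int k) {
    k = ((k % 26) + 26) % 26;
    for (size_t i = 0; text[i] != '\0'; i++)
        text[i] = shift_char(text[i], k);
}

/* Decrypting with key k is the same operation as encrypting with 26 - k. */
void caesar_decrypt(char *text, int k) {
    k = ((k % 26) + 26) % 26;
    caesar_encrypt(text, 26 - k);
}

/* Key recovery: try all 25 non-trivial shifts and return the first key whose
 * decryption contains the crib word, or -1 if none does. The tiny key space is
 * the whole weakness of the cipher. */
int caesar_recover_key(const char *ciphertext, const char *crib) {
    char buf[256];
    if (strlen(ciphertext) >= sizeof buf) return -1;
    for (int k = 1; k < 26; k++) {
        strcpy(buf, ciphertext);
        caesar_decrypt(buf, k);
        if (strstr(buf, crib) != NULL) return k;
    }
    return -1;
}

int main(void) {
    char msg[] = "ATTACK AT DAWN";   /* constructed sample message */
    caesar_encrypt(msg, 3);
    printf("ciphertext:    %s\n", msg);                              /* DWWDFN DW GDZQ */
    printf("recovered key: %d\n", caesar_recover_key(msg, "DAWN"));  /* 3 */
    caesar_decrypt(msg, 3);
    printf("plaintext:     %s\n", msg);
    return 0;
}
```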

Page 5

History of Security
Communication Security

Enigma Machine

Page 6

History of Security
Emission Security

• The encrypted messages in early days were weak and were sometimes easily decrypted.
• An encryptor is an electronic device used to encrypt messages, but it gives off electronic emissions.
• These messages are then sent over phone lines.
• However, these phone lines can be checked and found to also carry the original message in unencrypted form, which can be read if intercepted properly.

Page 7

History of Security
Emission Security

Page 8

History of Security
Computer Security

• Simple encryption was fine with old telegraphs.
• When computers came, higher security was required.
• All the information in a computer is in the form of electronic information.
• If someone has access to the machine, they can access the information.
• For this purpose, even today, different techniques like passwords, security codes, etc. are used.

Page 9

History of Security
Network Security

• The increase in computers increased the need to share information between electronic devices.
• This need gave birth to the networking of different devices.
• Network security hence came into being.
• Devices connected together can share information where this is allowed, but they can also access each other's information even where it is not allowed.
• For this purpose, different network security techniques have been developed and are used these days.

Page 10

History of Security
Information Security

• Today, a combination of all the securities is used to secure information:
  • Physical security using walls and doors.
  • Communication security for encryption techniques.
  • Emission security to standardize emissions from electronic devices.
  • Computer security to secure information in computers.
  • Network security to secure information over the network.
• No single security technique can promise maximum security, hence a combination of most of them is used these days.

Page 11

History of Security
Information Security

Page 12

Security as a Process

• For an organization, different security techniques are used to secure the information or data.
• No single product can ensure the security of the whole organization.
• A combination of different products can maximize the security of the information within an organization.

Page 13

Security as a Process
Antivirus Software

• Antivirus software is used to reduce an organization's exposure of data to malicious programs.
• It can reduce the risk but cannot fully remove the risk.
• It can stop viruses from damaging files.
• It can search for known virus definitions and remove them.
• However, it cannot protect the information from a legitimate user of the system who does not have access to files but still accesses them.

Page 14

Security as a Process
Antivirus Software

Page 15

Security as a Process
Access Control

• Access control programs can manage files in a way that allows only legitimate users to access them.
• They make sure that only users who have permission to access a file will actually access it.
• There is a lot of access control software available in the market.
• The majority of today's operating systems have this access control functionality embedded in them.

Page 16

Security as a Process
Access Control

Page 17

Security as a Process
Firewalls

• Firewalls are used to protect the system from external attacks.
• Firewalls can be hardware or software based.
• Hardware based firewalls are used as a gatekeeper which resides between the router and the network.
• Software firewalls are these days available within routers and can monitor the incoming and outgoing traffic of a network.

Page 18

Security as a Process
Firewalls

Hardware Firewalls

Page 19

Security as a Process
Firewalls

Software Firewall within Router

Page 20

Security as a Process
Smart Cards

• Research showed that something you know is less effective than something you have.
• Passwords are something you know and are used to protect information.
• However, passwords can be guessed and the information can be compromised.
• Smart cards are something you have and are widely used these days for protecting information.
• Smart cards are RFID or NFC cards or tags, etc.

Page 21

Security as a Process
Smart Cards

Page 22

Security as a Process
Biometrics

• They are one step ahead of smart cards.
• They use scanners for verification of:
  • Fingerprints
  • Retina
  • Face
  • Voice
  • Many more
• In order to use this technique, data for matching against a specific record must be maintained.

Page 23

Security as a Process
Biometrics

Page 24

Security as a Process
Intrusion Detection

• These systems were assumed to remove all the risk of information stealing by detecting intrusions and removing them.
• These systems keep monitoring the system and alert if something goes wrong.
• These systems are still not mature and need a lot of work to be done.

Page 25

Security as a Process
Policy Management

• This is a mechanism used in different organizations to secure information.
• Different policies are designed for different users, and the system will react according to the policies.
• However, these systems require users to do their part, e.g. remembering passwords and not sharing passwords with anybody.

Page 26

Security as a Process
Encryption

• Encrypting important information is also an ongoing trend.
• It is always better to encrypt sensitive information.
• Furthermore, most network sharing activities highly encourage encryption of information.
• A lot of network devices actually encrypt information before sending it.

Page 27

Security as a Process
Physical Security Mechanism

• All the security mechanisms will fail if physical security is not up to the mark.
• Physical security is keeping the system secure physically, e.g. doors, gates, walls, etc.

Page 28

TYPES OF ATTACKS
Prof. Salman Naseer salman@pugc.edu.pk
Chapter# 2

Page 29

Attacks at Digital Information

• Attacks at digital information can take many forms:
  • Someone uses some tools to steal the information.
  • Someone pretends to be an employee and gets information.
  • Someone copies the information and does not delete the original information.
  • Someone destroys the information by damaging the equipment.

Page 30

Types of Attacks

• There are different types of attacks on an organization's security:
  • Access
  • Modification
  • Denial of Service
  • Repudiation

Page 31

Access Attacks

• This is the kind of attack in which a person accesses information which he is not authorized to access.
• Gaining access to the information can be done in many ways.
• This type of attack is an attack against the confidentiality of the information.

Page 32

Access Attacks

Page 33

Access Attacks
Snooping

• It is searching for information in files.
• These files can be paper files or computer files.
• An attacker keeps on searching the files until he finds something interesting about the organization.
• In paper files, the attacker will open a drawer and search through the files paper by paper.
• In computer files, the attacker will open up the folders and search for information by opening file after file until he finds something.

Page 34

Access Attacks
Eavesdropping

• It is listening to information which a person is not authorized to listen to.
• For such a process, the person must position himself so that he can listen to the information.
• Wireless transmission of information has increased the chances of eavesdropping, since no wires are required to steal information from the different connected devices.

Page 35

Access Attacks
Eavesdropping

Page 36

Access Attacks
Interception

• It is the process in which an attacker places himself between the information source and destination.
• Once he is done with the information, he lets it pass on to the destination.
• This is unlike eavesdropping, where information passes from source to destination and the attacker is in between without anyone's knowledge.

Page 37

Access Attacks
Interception

Page 38

Access Attacks Accomplishment

• How access attacks are accomplished depends upon the type of the information:
  • Paper
  • Electronic

Page 39

Access Attacks Accomplishment
Information on Paper

• Information on paper can be compromised where it is placed:
  • In filing cabinets
  • In desk file drawers
  • On desktops
  • In fax machines
  • In printers
  • In the trash
  • In long-term storage
• This information can be secured with proper physical security.

Page 40

Access Attacks Accomplishment
Electronic Information

• Electronic information can be compromised where it is placed:
  • In desktop machines
  • In servers
  • On portable computers
  • On floppy disks
  • On CD-ROMs
  • On backup tapes

Page 41

Access Attacks Accomplishment
Electronic Information

Page 42

Modification Attacks

• This is the kind of attack in which a person modifies information which he is not authorized to modify.
• Gaining access to the information can be done in many ways.
• This type of attack is an attack against the integrity of the information.

Page 43

Modification Attacks
Changes

• An attacker can change the existing information.
• The attacker can change the structure of a database.
• The attacker can change any record in the database.
• The information is not lost, but it is modified and may be incorrect.
• Such attacks can be made without alarming the system.
• Changing an employee's salary can be one example.

Page 44

Modification Attacks
Insertion

• An attacker can insert some information.
• The insertion is made in alignment with the existing information so that it does not ring any bells.
• Inserting a bank transaction into the banking system can be an example.

Page 45

Modification Attacks
Deletion

• An attacker can delete some information.
• The information is deleted in such a way that it cannot be reclaimed.
• Deleting a bank transaction can cause loss of transaction information in the banking system.

Page 46

Modification Attacks Accomplishment
Information on Paper

• Modifying, deleting or inserting information on paper is very difficult.
• It normally carries a signature, so modifying the document might require signing the document again, which can be a difficult task.

Page 47

Modification Attacks Accomplishment
Electronic Information

• Modifying, deleting or inserting electronic information is easier than for paper information.
• Information can easily be changed in databases without even leaving traces.
• Similarly, information can be inserted into or deleted from digital files without raising an alarm.

Page 48

Denial of Service Attacks

• This is the kind of attack that denies legitimate users' requests for the use of resources.
• These kinds of attacks normally do not allow the attacker to modify information.
• They simply create problems for the permissions users already have.

Page 49

Denial of Service Attacks
Denial of Access to Information

• This causes the information to be unavailable to the users.
• The information is not deleted; in fact it has been moved to a location where users cannot access it.
• Sometimes the information is available but is not in a usable form.

Page 50

Denial of Service Attacks
Denial of Access to Applications

• It causes denial of access to the applications which an organization uses to perform different tasks.
• Applications are made unavailable or are placed in a location where users cannot access them.

Page 51

Denial of Service Attacks
Denial of Access to Systems

• It causes denial of access to the systems.
• The whole system with all its resources is brought down so that information is not available to the users.

Page 52

Denial of Service Attacks
Denial of Access to Communication

• It causes denial of access to communication by cutting wires, deleting access points, etc.
• The information is available, but users cannot reach it since the network is down.

Page 53

Denial of Service Attacks Accomplishment
Information on Paper

• Loss of information on paper can be done intentionally or unintentionally.
• The information can be lost because of fire or some other accident.
• The information can be lost intentionally by destroying the information.

Page 54

Denial of Service Attacks Accomplishment
Electronic Information

• Applications and documents can be uninstalled.
• A bug is installed which blocks access to all the information.
• The communication medium is destroyed to deny access to information on the network.

Page 55

Repudiation Attacks

• This attack is against the credibility of information.
• This attack is against the accountability of information.
• It is about giving false information about the data.
• It is about denying the fact that information actually existed.

Page 56

Repudiation Attacks
Masquerading

• It is to act like someone else.
• This attack can occur in:
  • Personal communication
  • System to system
  • Transactions

Page 57

Repudiation Attacks
Denying an Event

• It is to deny the fact that an event actually occurred.
• For example, purchasing something with a credit card and, when the bill arrives, totally rejecting it, claiming that the purchase was not made by me.

Page 58

Repudiation Attacks Accomplishment
Information on Paper

• Information on paper can be repudiated by simply forging the signature.
• Information on paper can also be repudiated by simply rejecting the invoice billed against the name or credit card.

Page 59

Repudiation Attacks Accomplishment
Electronic Information

• Electronic information can be masqueraded by altering the information on behalf of someone else.
• For example, any computer can take on IP addresses using proxy servers.

Page 60

HACKERS' TECHNIQUES
Prof. Salman Naseer salman@pugc.edu.pk
Chapter# 3

Page 61

Hacker's Motivation

• One of the important things behind hacking a system is the motivation.
• Motivation is the reason that drives the hacker to hack a system.
• Understanding the motivation sometimes helps in securing a system.

Page 62

Hacker's Motivation
Challenge

• In old times, and it is true these days as well, one of the biggest reasons for hackers to hack a system is CHALLENGE.
• Hacking a difficult system can be challenging, which urges hackers to hack it.
• Sometimes, the challenge is about being the first one to hack a system.
• Hacking is not always about leaking information or breaching security with bad intent.

Page 63

Hacker's Motivation
Greed

• Greed is definitely one of the motivations for hacking.
• A hacker is hungry for information:
  • Credit cards
  • Employee details
  • Confidential data
• Most companies simply rectify the security breach and go back to work.
• Some companies actually want to trace the hacker and penalize him.
• Even where penalties exist, those penalties are still not very serious.

Page 64

Hacker's Motivation
Malicious Intent

• A hacker at times simply wants to harm an organization by hacking its system.
• In such cases, the targets are specific.
• The intention is not only to gain access to the systems but to damage them.

Page 65

Hacking Techniques
Open Sharing

• The Internet was invented for information sharing on an open platform.
• Old operating systems allowed mounting of drives on remote systems, which allowed reading of information.
• Some UNIX based systems allowed the root file system to be mounted on remote systems, which was very dangerous because anyone could remotely modify system files.
• Modern operating systems tackle this situation by allowing different file systems with password protection, encryption techniques and firewalls.

Page 66

Hacking Techniques
Open Sharing

Page 67

Hacking Techniques
Bad/Weak Passwords

• Passwords are still the most common way of securing a system.
• If a password consists of few characters, it is easy to guess.
• A technique called “Brute Force” is used by hackers to guess the password by trying different combinations of characters.
• Default passwords are also sometimes the cause of system security breaches, e.g. ‘root’ and ‘toor’.
• Increasing the number of characters in the password will decrease the chances of hacking.

Page 68

Hacking Techniques
Programming Flaws

• Hackers take advantage of programming flaws to hack the system.
• Sometimes programmers leave backdoors into a software, which can be disastrous if they become public.
• In websites, sometimes information is displayed in the URL when switching between pages, which can be manually changed.
• Programmers should never leave sensitive information to be displayed on a public forum like a website.

Page 69

Hacking Techniques
Social Engineering

• It is more of a non-technical way of gaining access to information.
• Pretending to be someone in order to gain access to information is the most famous way.
• Researching for information on the Internet is another form of social engineering.
• However, it takes time and requires patience.

Page 70

Hacking Techniques
Buffer Overflows

• It is more of a technical way to gain access.
• Experts in programming usually use this technique.
• In a buffer overflow, any command can be executed to perform any task:
  • Gain access to information
  • Gain access privileges
  • Control resources
  • Steal information

Page 71

Hacking Techniques
Understanding Buffer Overflows

• A buffer overflow occurs if some program, variable or object is forced to store more than it actually can store.
• If a variable of eight bytes is asked to store 9 bytes, a buffer overflow can occur.
• The OS uses the stack to temporarily hold information about what is to be executed next.
• If a buffer overflow occurs and a hacker stores information in a variable which is held on the stack, that information can later on be used to perform any action.
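As an added example (not from the slides), the C program below models the eight-byte case from this slide: a hypothetical stack frame holds an 8-byte buffer followed directly by a 4-byte flag, and a copy routine that trusts the caller's length lets the ninth byte land in the flag, while the hardened routine refuses input that does not fit. The frame layout and the inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame (hypothetical layout): an 8-byte name buffer
 * followed immediately by a 4-byte flag, just as locals sit next to each other on
 * the stack. The flag stands for whatever the program trusts next to the buffer. */
#define BUF_LEN   8
#define FRAME_LEN (BUF_LEN + 4)

/* Flawed copy: it trusts the caller's length, so a 9-byte input spills into the
 * flag. The FRAME_LEN cap only keeps this model well-defined C; a real strcpy
 * would keep writing past the end of the frame. */
static void store_unchecked(unsigned char *frame, const char *input, size_t n) {
    for (size_t i = 0; i < n && i < FRAME_LEN; i++)
        frame[i] = (unsigned char)input[i];
}

/* Hardened copy: refuses anything that does not fit together with its
 * terminating NUL. Returns 0 on success, -1 when the input is rejected. */
static int store_checked(unsigned char *frame, const char *input, size_t n) {
    if (n >= BUF_LEN) return -1;
    memcpy(frame, input, n);
    frame[n] = '\0';
    return 0;
}

/* Read the flag that sits right after the buffer. */
static uint32_t read_flag(const unsigned char *frame) {
    uint32_t flag;
    memcpy(&flag, frame + BUF_LEN, sizeof flag);
    return flag;
}

/* Flag value after storing n bytes with the flawed copy (the flag starts at 0):
 * 8 bytes leave it untouched, 9 bytes overwrite its first byte. */
uint32_t flag_after_unchecked(const char *input, size_t n) {
    unsigned char frame[FRAME_LEN] = {0};
    store_unchecked(frame, input, n);
    return read_flag(frame);
}

/* Same experiment with the hardened copy: returns the copy's verdict and
 * leaves the resulting flag in *flag (always still 0). */
int flag_after_checked(const char *input, size_t n, uint32_t *flag) {
    unsigned char frame[FRAME_LEN] = {0};
    int rc = store_checked(frame, input, n);
    *flag = read_flag(frame);
    return rc;
}

int main(void) {
    const char *eight = "AAAAAAAA";    /* constructed 8-byte input */
    const char *nine  = "AAAAAAAAA";   /* constructed 9-byte input */
    uint32_t flag;
    printf("8 bytes, unchecked copy: flag = %u\n", (unsigned)flag_after_unchecked(eight, 8));
    printf("9 bytes, unchecked copy: flag = %u\n", (unsigned)flag_after_unchecked(nine, 9));
    printf("9 bytes, checked copy:   rc = %d, flag = %u\n",
           flag_after_checked(nine, 9, &flag), (unsigned)flag);
    return 0;
}
```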


Page 73

Hacking Techniques
Denial of Service (DoS)

• These attacks are not to access the information or resources but to deny access to the information or resources.
• The hacker can spoof his location or IP address.
• In such attacks, the hacker can target a specific system or a network of systems.

Page 74

Hacking Techniques
Denial of Service (DoS)
Single Source DoS Attacks

• In this attack, a single target is attacked from a single source.
• Connection requests are sent without responding to the acknowledgment requests.
• Ignoring the acknowledgment requests and continuing to send connection requests will fill up the connection buffer, and the server might crash or at least won't respond to upcoming connections.
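As an added example (not from the slides), here is the detection side of what this slide describes in C: a connection log is replayed, each source's half-open connections (requests never completed with an acknowledgment) are counted, and any source holding more than a threshold is flagged. The log, addresses and threshold are constructed sample values; a real monitor would also expire old entries.

```c
#include <stdio.h>
#include <string.h>

/* One line of a constructed connection log as seen by the server:
 * "SYN" = a new connection request, "ACK" = the client completing the handshake. */
typedef struct { const char *src; const char *type; } Event;

/* Constructed sample log: 203.0.113.9 keeps sending requests and never
 * completes a handshake, while 198.51.100.4 behaves normally. */
static const Event SAMPLE_LOG[] = {
    {"198.51.100.4", "SYN"}, {"198.51.100.4", "ACK"},
    {"203.0.113.9",  "SYN"}, {"203.0.113.9",  "SYN"}, {"203.0.113.9", "SYN"},
    {"198.51.100.4", "SYN"}, {"198.51.100.4", "ACK"},
    {"203.0.113.9",  "SYN"}, {"203.0.113.9",  "SYN"}, {"203.0.113.9", "SYN"},
};
#define SAMPLE_LEN  (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
#define MAX_SOURCES 64

/* Half-open connections left by one source: every SYN takes one slot in the
 * server's connection buffer and every ACK from the same source releases one. */
int half_open_for(const Event *log, size_t n, const char *src) {
    int open = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(log[i].src, src) != 0) continue;
        if (strcmp(log[i].type, "SYN") == 0) open++;
        else if (strcmp(log[i].type, "ACK") == 0 && open > 0) open--;
    }
    return open;
}

/* Flag every source holding more than `threshold` half-open connections.
 * Returns the number of flagged sources; each one is printed as an alert. */
int flag_syn_flooders(const Event *log, size_t n, int threshold) {
    const char *seen[MAX_SOURCES];
    int nseen = 0, flagged = 0;
    for (size_t i = 0; i < n; i++) {
        int known = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], log[i].src) == 0) { known = 1; break; }
        if (known || nseen == MAX_SOURCES) continue;   /* examine each source once */
        seen[nseen++] = log[i].src;
        int open = half_open_for(log, n, log[i].src);
        if (open > threshold) {
            printf("ALERT %s: %d half-open connections (threshold %d)\n",
                   log[i].src, open, threshold);
            flagged++;
        }
    }
    return flagged;
}

int main(void) {
    printf("flagged sources: %d\n", flag_syn_flooders(SAMPLE_LOG, SAMPLE_LEN, 3));  /* 1 */
    return 0;
}
```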

Page 75

Denial of Service (DoS)
Single Source DoS Attacks

Page 76

Hacking Techniques
Denial of Service (DoS)
Distributed DoS Attacks

• In this attack, a single target is attacked through multiple systems.
• Normally a broadcast message is sent to the network, spoofing the source address to be the target system.
• All those systems then send packets to that single target system.
• The system will get busy responding to those requests and might crash at some point.

Page 77

Distributed DoS Attacks

Page 78

Distributed DoS Attacks

Page 79

Advanced Hacking Techniques
Sniffing Switch Techniques

• After a system is compromised, the network card of the system can be put in promiscuous mode, which means the NIC will receive all the packets on the network.
• This is called sniffing the network, and such devices are called sniffers.
• In a switched network, the information is sent to specific ports and is not broadcast; however, if sniffers are used, information can be gathered at a single port.

Page 80

Advanced Hacking Techniques
Sniffing Switch Techniques
Redirecting Traffic

• A switch directs traffic to ports using MAC addresses.
• The switch knows which port is connected to which MAC address.
• Sending traffic to the sniffer can be done by:
  • ARP spoofing
  • MAC duplication
  • DNS spoofing

Page 81

Advanced Hacking Techniques
ARP Spoofing

• ARP is the Address Resolution Protocol.
• It translates between IP and MAC addresses.
• The sender will send an ARP request for the destination IP address.
• The receiver will respond with an ARP response carrying its MAC address, and information sharing starts.
• The sniffer will respond to the ARP request with its own MAC address.
• The sending system will now send all the information to the sniffer.
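As an added example (not from the slides), this C program shows how a defender spots the ARP exchange above going wrong: it replays captured ARP replies, remembers the first MAC seen for each IP, and raises an alert when a known IP is suddenly answered by a different MAC, which is exactly what the sniffer's reply produces; it also counts how many IPs one MAC has claimed. The replies, IPs and MACs are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* One ARP reply observed on the wire: "ip is at mac". */
typedef struct { const char *ip; const char *mac; } ArpReply;

/* Constructed capture: two hosts answer normally, then a third NIC answers for
 * 192.0.2.1 (the sniffer replying in place of the real host) and for the gateway. */
static const ArpReply SAMPLE_REPLIES[] = {
    {"192.0.2.1",   "00:11:22:33:44:01"},
    {"192.0.2.2",   "00:11:22:33:44:02"},
    {"192.0.2.2",   "00:11:22:33:44:02"},
    {"192.0.2.1",   "00:11:22:33:44:ee"},
    {"192.0.2.254", "00:11:22:33:44:ee"},
};
#define SAMPLE_REPLY_LEN (sizeof SAMPLE_REPLIES / sizeof SAMPLE_REPLIES[0])
#define MAX_HOSTS 64

/* Replay the replies in order, learning the first MAC seen for each IP. A later
 * reply that gives a different MAC for a known IP is the change an ARP spoof
 * produces, so it raises an alert. Returns the number of alerts. */
int detect_arp_changes(const ArpReply *r, size_t n) {
    ArpReply table[MAX_HOSTS];
    int nb = 0, alerts = 0;
    for (size_t i = 0; i < n; i++) {
        int j;
        for (j = 0; j < nb; j++)
            if (strcmp(table[j].ip, r[i].ip) == 0) break;
        if (j == nb) {                         /* first time this IP is seen: learn it */
            if (nb < MAX_HOSTS) table[nb++] = r[i];
            continue;
        }
        if (strcmp(table[j].mac, r[i].mac) != 0) {
            printf("ALERT %s: was %s, now answered by %s\n", r[i].ip, table[j].mac, r[i].mac);
            alerts++;
        }
    }
    return alerts;
}

/* Number of distinct IPs one MAC has claimed; a single NIC answering for several
 * hosts is the other sign of a sniffer redirecting traffic to itself. */
int ips_claimed_by(const ArpReply *r, size_t n, const char *mac) {
    const char *ips[MAX_HOSTS];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(r[i].mac, mac) != 0) continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(ips[j], r[i].ip) == 0) { dup = 1; break; }
        if (!dup && count < MAX_HOSTS) ips[count++] = r[i].ip;
    }
    return count;
}

int main(void) {
    printf("alerts: %d\n", detect_arp_changes(SAMPLE_REPLIES, SAMPLE_REPLY_LEN));   /* 1 */
    printf("IPs claimed by 00:11:22:33:44:ee: %d\n",
           ips_claimed_by(SAMPLE_REPLIES, SAMPLE_REPLY_LEN, "00:11:22:33:44:ee"));  /* 2 */
    return 0;
}
```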

Page 82

ARP Spoofing

Page 83

Advanced Hacking Techniques
MAC Duplication

• The sniffer should convince the switch that it has the MAC address of the target machine.
• Changing a MAC address is normally considered impossible; however, some software can change the MAC address in software.

Page 84

Advanced Hacking Techniques
DNS Spoofing

• The sniffer sends replies to DNS requests.
• The sniffer provides the IP address of the attacker's computer as the victim's computer IP address.
• The sniffer should also send the traffic on to the original victim to avoid an interception attack.

Page 85

Real DNS operation

Page 86

Spoofed DNS operation

Page 87

Advanced Hacking Techniques
IP Spoofing

• IP spoofing can be done to establish a connection with the target system.
• The ISN (Initial Sequence Number) must be provided correctly in the final ACK response to establish a connection.
• The ISN can be guessed if it is not a randomly generated number.
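As an added example (not from the slides), the C program below is the check an administrator can run on ISNs collected from successive connections to their own server: if every step between consecutive ISNs is the same, the generator is not random and the next value follows from the last, which is the weakness this slide describes. Both ISN series are constructed sample values, one from a fixed-step generator and one from a random one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed ISNs from four successive connections to a server that simply
 * adds a fixed step (64000) each time. */
static const uint32_t STEPPED_ISN[] = {1000u, 65000u, 129000u, 193000u};
/* Constructed ISNs from a generator that draws each value at random. */
static const uint32_t RANDOM_ISN[] = {0x7a3f1c22u, 0x1b9e8f40u, 0xc5d20a11u, 0x3e8877b9u};
#define ISN_SAMPLES 4

/* Step between two ISNs; uint32_t arithmetic wraps at 2^32 as sequence numbers do. */
static uint32_t isn_step(uint32_t prev, uint32_t next) { return next - prev; }

/* Number of distinct steps in the series (1 means a constant-step generator). */
size_t isn_distinct_steps(const uint32_t *isn, size_t n) {
    uint32_t steps[64];
    size_t count = 0;
    for (size_t i = 1; i < n && count < 64; i++) {
        uint32_t s = isn_step(isn[i - 1], isn[i]);
        size_t j;
        for (j = 0; j < count; j++)
            if (steps[j] == s) break;
        if (j == count) steps[count++] = s;
    }
    return count;
}

/* 1 if every observed step is identical, so the next ISN is fully determined
 * by the last one; needs at least three samples to say anything. */
int isn_is_predictable(const uint32_t *isn, size_t n) {
    return n >= 3 && isn_distinct_steps(isn, n) == 1;
}

/* The ISN a constant-step generator will hand out next. Sets *ok = 0 and
 * returns 0 when the series is not constant-step, i.e. no such guess exists. */
uint32_t isn_predict_next(const uint32_t *isn, size_t n, int *ok) {
    if (!isn_is_predictable(isn, n)) { *ok = 0; return 0; }
    *ok = 1;
    return isn[n - 1] + isn_step(isn[n - 2], isn[n - 1]);
}

int main(void) {
    int ok;
    uint32_t next = isn_predict_next(STEPPED_ISN, ISN_SAMPLES, &ok);
    printf("stepped generator: predictable=%d next=%u\n", ok, (unsigned)next);   /* 1, 257000 */
    isn_predict_next(RANDOM_ISN, ISN_SAMPLES, &ok);
    printf("random generator:  predictable=%d\n", ok);                            /* 0 */
    return 0;
}
```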

Page 88

Advanced Hacking Techniques
IP Spoofing


Page 90

INFORMATION SECURITY SERVICES
Prof. Salman Naseer salman@pugc.edu.pk
Chapter# 4

Page 91

Information Security Services

• Confidentiality
• Integrity
• Availability
• Accountability

Page 92

Information Security Services

• Information security services can have different effects on different types of information.

Page 93

Confidentiality

• This service provides secrecy of information.
• This service allows only authorized users to access certain information.
• It protects against access attacks.
• The service takes into account that information is in:
  • Paper form
  • Electronic form

Confidentiality

Paper Form

• Confidentiality of paper records relies on physical access controls
  • Door locks
  • Guards
• The location where the paper information is kept must itself be protected.

Confidentiality

Electronic Form

• Files can exist in different locations
  • Hard disk
  • Removable media (ROMs, USB drives)
  • Cloud
• Both the information and its location must be secured.
• Files on a computer's disk are protected by the host's access controls (computer security).
• Removable media must be protected with encryption, since the media can be carried away.
• Files in the cloud must be protected with network security and cloud security controls.


Confidentiality

Confidentiality of Files in Transmission

• Protecting the stored files is not sufficient.
• Files can be attacked while in transmission.
• The transmission must also be protected, which is done through encryption.
• Information can be encrypted on a per-message basis or on a per-link basis.
• Encryption alone, however, does not prevent interception: an attacker can still capture the traffic, replay it or sit in the middle of the connection.
• To defeat interception, the endpoints must be properly identified and authenticated, so that a message is accepted only from the party it claims to come from.


Confidentiality

Traffic Flow Confidentiality

• In some cases the traffic flow itself is meaningful: who talks to whom, when, and how much, even if the content is encrypted.
• It is important to make sure that the traffic flow does not leak any information.
• A sudden burst of traffic at an unusual time can itself alert an observer, so a constant traffic flow is maintained.
• The traffic flow should look the same whether or not real information is travelling.
• This constant flow is achieved by padding the channel with dummy (garbage) traffic when there is nothing real to send.


Integrity

• This service deals with the correctness of information.
• It makes sure that information is correct and has not been modified.
• It protects against modification attacks.
• The information protected by this service can be in
  • Paper form
  • Electronic form

Integrity

Paper Form

• It is comparatively difficult to modify information in paper form without leaving traces.
• Integrity of paper records is maintained using
  • Signature pages
  • Binding, so that pages cannot be removed or swapped
  • Controlled distribution of the file

Integrity

Electronic Form

• It is much easier to modify information in electronic form.
• Modification can be prevented using access control.
• It is also protected by proper
  • Identification
  • Authentication

Integrity

Information Integrity during Transmission

• Integrity during transmission means the receiver can tell that what arrived is what was sent.
• Encryption helps by hiding the content from an interceptor, but it does not by itself stop a modification; an attacker can alter encrypted bytes without knowing the key.
• Identification and authentication of the endpoints, together with authentication of each message (a message authentication code or digital signature), avoid interception and modification to a large extent.
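An added example, not from the lecture, covering both the confidentiality-in-transmission slide (encryption does not stop interception) and the integrity one: the "encryption" below is a keystream XOR, which is how stream ciphers and CTR mode work, so an interceptor who knows the message layout can flip bits in the ciphertext without the key. An HMAC computed over the ciphertext (encrypt-then-MAC) catches the change. The keystream construction, the message and the keys are constructed for the demo.

```python
"""Encryption alone does not give integrity; a message authentication code does."""
import hashlib
import hmac
import secrets


def keystream(key, nonce, length):
    """Deterministic keystream from SHA-256 (a stand-in for a real stream cipher, demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, plaintext):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt


def tamper(ciphertext, offset, old, new):
    """Interceptor rewrites bytes at `offset` from `old` to `new` without knowing the key:
    XORing the ciphertext with old ^ new changes the plaintext from old to new."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, sealed):
    """Verify the tag (constant-time compare) before decrypting anything."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: message modified or forged")
    return decrypt(enc_key, nonce, ct)


def demo():
    """Returns (what the receiver sees with encryption only, whether the MAC caught the edit)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    msg = b"PAY 0100 TO ACCT 4421"                      # constructed sample message
    # 1. Encryption only: the amount is changed in transit and the receiver cannot tell.
    forged = tamper(encrypt(enc_key, nonce, msg), 4, b"0100", b"9900")
    seen_by_receiver = decrypt(enc_key, nonce, forged)
    # 2. Encrypt-then-MAC: the same edit is rejected.
    sealed = seal(enc_key, mac_key, nonce, msg)
    forged_sealed = sealed[:16] + tamper(sealed[16:-32], 4, b"0100", b"9900") + sealed[-32:]
    try:
        open_sealed(enc_key, mac_key, forged_sealed)
        detected = False
    except ValueError:
        detected = True
    return seen_by_receiver, detected
```

The MAC key must be different from the encryption key and shared only with the legitimate endpoints; that shared key is what identifies and authenticates the sender of each message, which is the point the slide makes.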


Availability

• This service deals with the availability of information.
• The information, systems and applications should be available when they are needed.
• It allows users to access the information.
• It also keeps the communication between the systems that carry the information working.

Availability

Backup

• It is one of the simplest forms of availability.
• It is a second copy of the information, available if the first copy is not.
• Backups can be in
  • Paper form
  • Electronic form
• They prevent complete loss of information because of an accident or an attack.


Availability

Fail-overs

• It is an operation that automatically switches to

standby servers in case of failures.

• These systems can detect failure and redirects the

requests to the alternate servers.


Availability

Disaster Recovery

• It is the process of recovering information and services after disasters like fire, flood etc.
• It can be a combination of backups and fail-overs.
• The critical case to plan for is the one in which the rooms and buildings holding the systems are destroyed and no local copy of the information is available at all, so backups and standby systems must be kept at a separate site.


Accountability

• This service is more of an add-on to the other services like integrity and confidentiality.
• This service alone cannot prevent security breaches; it records who did what so that breaches can be traced.

Accountability

Identification and Authentication

• It serves two purposes
  • It identifies the individual (who claims to be acting)
  • It authenticates that user (proves the claim)
• Many identification and authentication processes are available these days, for
  • Paper form
  • Electronic form


Accountability

Audit

• An audit records the actions performed by a certain user.
• In electronic form, the audit takes the form of log files.
• The actions performed by a user are recorded in the log file.
• These log files must themselves be protected against modification to maintain their integrity; otherwise an attacker simply edits the record of the attack.
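One way to make a log tamper-evident, as an added example that is not from the lecture: every record carries an HMAC over the previous record's hash and its own content, so altering, deleting or reordering a line breaks the chain from that point on. The events and the key are constructed for the demo.

```python
"""Hash-chained audit log: detects modification, deletion and reordering of entries."""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # chain anchor for the first record


def _tag(key, prev_hash, record):
    payload = json.dumps(record, sort_keys=True)   # canonical form so the same record always hashes alike
    return hmac.new(key, (prev_hash + payload).encode(), hashlib.sha256).hexdigest()


def append_record(log, key, record):
    """Append `record` and return its chain hash."""
    prev = log[-1]["hash"] if log else GENESIS
    h = _tag(key, prev, record)
    log.append({"prev": prev, "record": record, "hash": h})
    return h


def verify_log(log, key):
    """Return the index of the first entry that fails verification, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
            return i
        prev = entry["hash"]
    return -1


def build_sample_log(key):
    """Constructed sample events, appended in order."""
    events = [
        {"user": "alice", "action": "login", "result": "ok"},
        {"user": "alice", "action": "read", "object": "/finance/q3.xlsx"},
        {"user": "bob", "action": "login", "result": "fail"},
        {"user": "bob", "action": "login", "result": "ok"},
    ]
    log = []
    for ev in events:
        append_record(log, key, ev)
    return log
```

The key must not live on the host being audited, otherwise whoever compromises it can rebuild the chain; ship the records to a separate log server that holds the key. Truncating the log from the end is not detected by the chain alone, so the latest hash should be periodically recorded somewhere the attacker cannot reach.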



SECURITY POLICY DESIGNING

Chapter# 5

Security Policies

• Policies for an organization normally do not require any technical knowledge to read.
• Policies are normally written in a generic way.
• Policies set rules.
• Policies require people to do certain things in certain ways.

Why Policy is important?

• Policies provide the rules that govern how employees in an organization should work in given circumstances.
• Policies also define how and what should be done in case of unusual circumstances.
• Security policies
  • Define what kind of security should be implemented.
  • Put everyone on the same page, so that all understand what the policies are about.

Policy about Security of an organization - I

• The policy defines what kind of security an organization should use.
• It includes
  • System configurations
  • Firewall settings
  • ACL (access control list) profile building
  • And many more
• Unlike most policies, the security policy does have technical aspects for an organization.

Policy about Security of an organization - II

• Policies are also designed for unusual circumstances
  • Accidents
  • System failure
• These policies explain what should be done in such circumstances.
• How should employees react in such cases?
• How should the systems react in such cases?

Put everyone on the same page

• Defining policies is one part; making people follow them is another.
• It is important to make the employees of an organization follow the defined policies.
• Different automated systems are available for this purpose.
• Some organizations follow manual systems for policy implementation.

Information Policy

• It defines what sensitive information is within an organization and how it should be protected.
• Sensitive information should be kept in a safe place and protected with passwords or through encryption.
• In some cases the information is kept encrypted even from the administrators.
• Discarded information should be removed from the computer using secure-deletion software, because a normal delete only unlinks the file and the data can still be recovered from the disk.

Security Policy

• It defines the technical ways in which information is secured on computers and the network.
• It defines how users are identified and authenticated.
• It includes
  • Access control
  • Audit
  • Network connectivity
  • Malicious code
  • Encryption

Computer Policy

• It defines who can use a computer and how a computer may be used.
• Most organizations require employees to use only the computers the organization provides, even when working from home.
• The information on these computers may be monitored by the administrators, and employees should understand this fact.

Internet Policy

• It defines how the Internet may be used and who may use it.
• In some cases specific websites are blocked.
• Specific gateways might be blocked.
• Only the organization's DNS servers may be used; other DNS servers are not allowed.

Email Policy

• It defines what type of email is allowed.
• It may also cover the content of the email, e.g. by keywords.
• Some organizations allow their employees to send email only through the addresses the organization provides, because those accounts are under its control and are therefore more secure.


Firewalls

Firewall

• It is a network access control mechanism.
• It allows only the inbound and outbound traffic that is explicitly permitted by its rules; everything else is denied.
• Firewalls can be configured to allow traffic based on
  • Services
  • Ports
  • IP addresses
• Firewalls provide centralized security management.

Types of Firewalls

• Application layer firewalls
• Packet filtering firewalls

Application Layer Firewall - I

• It is also called a proxy firewall.
• They are normally software based and run on top of an OS.
• A set of rules defines how traffic may leave and enter the network.
• If these rules are not satisfied, the traffic is denied and the packets are dropped.
• The rules are enforced by the proxy.

Application Layer Firewall - II

• In an application layer firewall, each protocol is handled by its own proxy.
• Normally only the protocols for which a built-in proxy exists can pass.
• For example, the HTTP proxy understands HTTP, so it can inspect the requests and responses.
• In an application layer firewall, all connections terminate at the firewall.
• A connection starts at the client system and goes to the firewall.

Application Layer Firewall - III

• The firewall analyzes the protocol and the contents and, if everything is fine, starts a second connection to the server.
• This way the client computer is hidden from the server and from the outside world.
• This hiding, together with the protocol checking, is what makes the system more secure.


Packet Filtering Firewall

• They can also be software packages sitting on top of an OS.
• They inspect individual packets.
• Only the packets the rules allow are passed; the rest are denied.
• Packet filters that track connection state work like this: when a SYN is sent to open a connection,
• the firewall then accepts only a SYN-ACK (or a RST) in reply for that connection.
• Any other packet for that connection is denied.

Packet Filtering Firewall

• In this technique, connections do not terminate at the firewall.
• The connections are first checked by the firewall; if the rules allow them, they are passed on to the destination.
• A packet filter can support a large number of connections, since it does not open a connection of its own for each client connection and so has no per-connection overhead.


Firewall Configurations

• Different firewall configurations can be used to protect the systems against attacks.
• Which configuration is used depends on what type of systems an organization has.
• All these configurations are done based on the firewall policy.

Firewall Configurations

Proposed System

• The web server offers service on port 80 only.
• The mail server offers service on port 25 only.
• The internal DNS server forwards name lookups to the ISP's DNS server.
• The Internet policy allows the following protocols:
  • HTTP
  • HTTPS
  • FTP
  • Telnet
  • SSH


Configuration No. 1

Firewall Rule No. 1

• The mail server and web server are not protected by the firewall.
• The firewall only protects the internal network in this configuration.
• Filtering for the servers can only be done on the router.


Configuration No. 2

Firewall Rule No. 2

• The mail server and web server are protected by the firewall.
• The firewall also protects the internal network in this configuration.
• Filtering is done at the firewall.


Configuration No. 3


Firewall Rule No. 3

• There are two different firewalls.
• The first protects
  • Mail server
  • Web server
• The second protects the internal systems.
• Both have different rule sets.

Designing Firewall Rule Set

• Designing the rules for a firewall is very important.
• While designing the rules it is important to keep the processing time in mind.
• The more rules are set, the longer the firewall takes to process each packet.
• Most firewalls use a "first match" algorithm to decide whether to accept or reject a packet.

Designing Firewall Rule Set

First Match Algorithm

• Rules are checked in order from the top; the first rule that matches a packet decides, and no later rule is consulted.
• The most specific rules are therefore placed at the top of the list.
• The least specific or general rules are placed at the bottom of the list, typically ending in a catch-all deny.
• For example, allowing HTTP to the web server on port 80 is specific and can be placed near the top.
• Allowing a host to connect to any port is less specific and belongs near the bottom, where it cannot shadow the precise rules above it.
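A first-match packet filter over the proposed system of the earlier slide, added here as an example that is not from the lecture. Rules are evaluated top to bottom, the first match decides, and the final rule is a catch-all deny. The addresses are assumptions (RFC 5737 documentation ranges) and the packets are constructed.

```python
"""First-match packet filter for the lecture's proposed system (web :80, mail :25, DNS via ISP)."""
import ipaddress

WEB = "192.0.2.10"         # assumption: web server
MAIL = "192.0.2.20"        # assumption: mail server
DNS = "192.0.2.53"         # assumption: internal DNS forwarder
ISP_DNS = "198.51.100.53"  # assumption: ISP's DNS server
LAN = "10.0.0.0/8"         # assumption: internal network
ANY = "0.0.0.0/0"


class Rule:
    def __init__(self, action, proto, src, dst, dport=None, flags=None, note=""):
        self.action, self.proto, self.note = action, proto, note
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.dport, self.flags = dport, flags

    def matches(self, pkt):
        """Every field that the rule specifies must match; unspecified fields match anything."""
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.flags is not None and pkt.get("flags") != self.flags:
            return False
        return True


# Specific rules first, general rules last, catch-all deny at the bottom.
RULES = [
    Rule("allow", "tcp", ANY, WEB, dport=80, note="public web"),
    Rule("allow", "tcp", ANY, MAIL, dport=25, note="inbound SMTP"),
    Rule("allow", "udp", DNS, ISP_DNS, dport=53, note="only the internal DNS may query the ISP"),
    Rule("deny", "tcp", ANY, LAN, flags="SYN", note="no new inbound connections to the LAN"),
    Rule("allow", "tcp", LAN, ANY, dport=80, note="outbound HTTP"),
    Rule("allow", "tcp", LAN, ANY, dport=443, note="outbound HTTPS"),
    Rule("allow", "tcp", LAN, ANY, dport=21, note="outbound FTP"),
    Rule("allow", "tcp", LAN, ANY, dport=23, note="outbound Telnet"),
    Rule("allow", "tcp", LAN, ANY, dport=22, note="outbound SSH"),
    Rule("deny", "any", ANY, ANY, note="default deny"),
]


def filter_packet(pkt, rules=RULES):
    """Return (action, index of the rule that decided); the first match wins."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    raise RuntimeError("rule set has no catch-all rule")


def sample_packets():
    """Constructed packets for the demo."""
    return {
        "web": {"proto": "tcp", "src": "203.0.113.5", "dst": WEB, "dport": 80, "flags": "SYN"},
        "web_ssh": {"proto": "tcp", "src": "203.0.113.5", "dst": WEB, "dport": 22, "flags": "SYN"},
        "lan_telnet_in": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.1.2.3", "dport": 23, "flags": "SYN"},
        "lan_https_out": {"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 443, "flags": "SYN"},
        "lan_dns_out": {"proto": "udp", "src": "10.1.2.3", "dst": "8.8.8.8", "dport": 53},
    }
```

Ordering is what the "first match" slide is about: if the general "allow LAN to any port 23" rule were placed above the "deny new inbound to LAN" rule nothing would change, but placing a general allow such as "allow any to any port 80" above the web rule would let the same traffic reach hosts the policy never meant to expose. The last sample packet shows the Internet policy from the earlier slide being enforced: a workstation's direct query to an outside resolver hits the default deny.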


VIRTUAL PRIVATE NETWORKS

Chapter# 6

Private Networks

• Private networks are a means of transferring information within an organization.
• This information transfer can be to a remote branch as well.
• Private lines are leased from providers for this purpose.
• They can be very costly.



Private Networks are very costly!

Virtual Private Networks (VPNs)

• Information flows through the Internet
• Less costly
• Secure
• Maintains confidentiality
• Traffic is encrypted
• Multiple protocols are supported
• Connection is normally point to point


Multiple Protocols in VPN

• Unlike a single-purpose server such as a web server or mail server, a VPN carries many protocols, especially at the application layer.
• A VPN can carry HTTP and SMTP at the same time.
• These protocols all run over the same VPN channel.


User VPN

• In this type of VPN, a user accesses the internal network of an organization remotely, from outside.
• An employee can access the organization's file server from home using the VPN.
• The organization can limit what the employee may use over the VPN.
• Normally the VPN is handled by separate client software on the user's computer.


Benefits of User VPN

• Users do not need to dial in to the server to have access to files and mail.
• Users do not need leased lines to access their data on the organization's server.
• The same data is readily available to the user outside the organization.

Problems of User VPN

• Since the user can use both the VPN and the open Internet from the same computer at the same time, there is a risk that
  • A Trojan on the computer can reach the internal network through the VPN
  • Through the VPN, the organization's data can be compromised
• Delay can be an issue if many users are sending and receiving data through the VPN server.


Site VPN

• In this type of VPN, an organization connects its network to another organization's network.
• In some cases an organization connects to its own remote branch office to share data.


Benefits of Site VPN

• As with the user VPN, the primary benefit of a site VPN is cost saving.
• The head office of an organization can connect to its multiple remote branches using VPNs without paying for leased lines.

Problems of Site VPN

• If a remote branch is compromised, there is a chance that the head office can be compromised through the tunnel.
• Proper measures must be taken to prevent intrusion at both the head office and the branch offices.
• If there is a lot of traffic at the VPN server, delays can occur.

Components of VPN

• VPN Server
• Encryption Algorithm
• Authentication System
• VPN Protocol

Components of VPN

VPN Server

• It is a computer system that acts as an end point of the VPN.
• The specifications of the VPN server should be considered carefully.
• VPN servers should be able to handle the load from all the clients.
• Some VPN software vendors provide specifications for the hardware.

Components of VPN

VPN Server

• Multiple VPN servers are recommended if a single server cannot handle the load.
• Fail-over systems can also be used for VPN servers.
• In some cases the firewall acts as the VPN end point.
• The VPN server can also be a standalone system.
• A dedicated VPN server is generally easier to secure than web, file and mail servers, because it runs a single service.


Components of VPN

Encryption Algorithm

• An encryption technique is required to keep the data in the VPN secure.
• Many encryption algorithms are available for this purpose.
• In some cases, when buying a VPN package, an encryption algorithm is included in the package.

Components of VPN

Encryption Algorithm

• In order to get the information out of the VPN, an attacker must
  • Capture the entire session between the end points
  • To capture the session, a sniffer has to be placed on the path between the end points
  • Spend the time and effort to brute-force the key and decrypt the data


Components of VPN

Authentication Systems

• The VPN should authenticate users or sites before they can retrieve information through it.
• Normally passwords are used for this purpose.
• In some cases, smart cards are also used.
• Password policies for VPNs are kept very strong, for example:
  • Passwords expire every 30 days.
  • Passwords must include numeric, alphabetic and symbol characters.


Components of VPN

VPN Protocol

• Some rules need to be defined in order for the VPN to operate.
• For a site VPN, the protocol also governs how the tunnel is carried over the Internet.
• In a VPN the encryption keys are also exchanged between the sites over a connection.
• If this connection itself is not secure, the keys can be compromised.

Components of VPN

VPN Protocol

• Different protocols are available for this purpose.
• One of the most important is IPSec (IP Security).
• IPSec has two modes
  • Transport Mode
    • Encrypts only the payload of the IP packet; the original IP header stays in the clear (used host to host)
  • Tunnel Mode
    • Encrypts the whole original IP packet, header included, and wraps it in a new IP header (used between gateways for site VPNs)


Types of VPN

• Hardware Based

• Software Based

• Web Based

Types of VPN

Hardware Based

• A hardware appliance is used in combination with software for the VPN.
• These VPNs can handle both user and site VPNs.
• Special hardware and software are used for this purpose.
• Vendors can have their own hardware and customized software for such VPNs.


Types of VPN

Hardware Based

• Benefits
  • Because of the high specifications, speed is the major benefit.
  • Security is another benefit, since a system that is going to be used only as a VPN has all other software removed from it.

Types of VPN

Software Based

• VPNs can be software based.
• These types of VPN are among the most popular these days.
• Different software is available for setting up a VPN
  • OpenVPN
  • ExpressVPN


Types of VPN

Software Based

• Benefits

• Less costly than hardware based

• Customizable

• Easy to use

Types of VPN

Web Based

• VPNs can also use the browser as their front end.
• Users and organizations can use web based VPNs to connect.
• No extra software needs to be installed.
• However, web based VPNs are limited to a few applications.


Types of VPN

Web Based

• Benefits

• Less costly than both Software and Hardware

based

• No extra software to install

• Easy to use


ENCRYPTION

Chapter# 7

Encryption

• It is a way of keeping information secure.
• Only a person or a system having the proper decryption algorithm and the proper key can use that information.
• Unauthorized people who do not have that information cannot read the encrypted data.
• A lot of algorithms are available for encryption.



Types of Encryption

• Private Key Encryption

• Public Key Encryption

Private Key Encryption

• In this case, the encryption and decryption algorithms use the same key.
• Sender and receiver must both have the same key.
• Private key (symmetric) encryption is fast and convenient.
• It provides confidentiality of information, since only the people holding the key can access the information.


One Time Pad

• It is used for encrypting short messages.
• In this type of encryption a truly random key as long as the message is generated and combined with the message.
• It is called the most secure way of encrypting a message, because a new random key is generated for every message; the security holds only if the key is truly random, kept secret and never reused.
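The pad in use, as an added example that is not from the lecture: XOR with a random key as long as the message, plus the classic failure the "every time a new number" condition guards against. Reusing a pad on two messages leaks their XOR, and an attacker who knows or guesses one message recovers the other. The messages are constructed; the pad comes from the OS random generator.

```python
"""One-time pad: correct use, and what breaks when the pad is used twice."""
import secrets


def generate_pad(length):
    """Key material from the OS CSPRNG; it must be at least as long as the message."""
    return secrets.token_bytes(length)


def otp(data, pad):
    """XOR each byte with the pad; the same call encrypts and decrypts."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: the one-time-pad guarantee no longer holds")
    return bytes(d ^ p for d, p in zip(data, pad))


def two_time_pad_attack(ct1, ct2, known_plaintext1):
    """Same pad on two messages: ct1 ^ ct2 = m1 ^ m2, so knowing m1 reveals m2 (no key needed)."""
    m1_xor_m2 = bytes(a ^ b for a, b in zip(ct1, ct2))
    return bytes(x ^ k for x, k in zip(m1_xor_m2, known_plaintext1))


def demo():
    """Encrypt two constructed messages with ONE pad and recover the second from the first."""
    m1 = b"ATTACK AT DAWN"
    m2 = b"RETREAT AT TEN"
    pad = generate_pad(len(m1))
    ct1 = otp(m1, pad)
    ct2 = otp(m2, pad)          # wrong: the pad is being reused
    return two_time_pad_attack(ct1, ct2, m1)
```

The practical cost is the reason the slide restricts the pad to short messages: the key must be generated, transported and stored securely, and it is exactly as large as everything it will ever protect.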



Private Key Algorithms

• Various Private Key based Algorithms are

available:-

• DES

• IDEA

• Skipjack

• RC5

DES (Data Encryption Standard)

• It was developed by IBM.
• It has a 56 bit key.
• It works on 64 bit blocks of plain text.
• It has 16 rounds of encryption.
• Each block is divided into two 32 bit halves (a Feistel structure).
• A 56 bit key gives 2^56 (about 7.2 x 10^16) possible keys.


Triple DES

• Research found that DES can be applied more than once, with different keys, to make the information more secure than a single 56 bit key allows.
• For this purpose Triple DES is used.
• It can use 2 or 3 keys.
• The text is first DES encrypted with the first key, then decrypted with the second key and then encrypted again with the third key (encrypt-decrypt-encrypt).
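The structure the two slides describe, as an added example that is not from the lecture and is not DES: the round function and key schedule here are toys so the code stays short (real DES uses expansion, S-boxes, permutations and 48-bit subkeys). What the code shows is genuine: a Feistel cipher splits the 64-bit block into two 32-bit halves, runs 16 rounds, and decrypts with the same network by feeding the subkeys in reverse order; the EDE triple construction then applies encrypt(K1), decrypt(K2), encrypt(K3), which with K1 = K2 = K3 collapses to a single encryption (this is why Triple DES stays compatible with single-DES hardware).

```python
"""Toy Feistel network with DES-like parameters (64-bit block, 16 rounds) and EDE tripling."""
import hashlib

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def round_keys(key, rounds=ROUNDS):
    """Toy key schedule: one 32-bit subkey per round, derived from the 7-byte (56-bit) key."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def f(right, subkey):
    """Toy round function; need not be invertible, which is the point of a Feistel design."""
    x = (right ^ subkey) & MASK32
    x = ((x << 7) | (x >> 25)) & MASK32
    return (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32


def feistel(block, subkeys):
    """Run the network over an 8-byte block; reversed subkeys undo it."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    # Final swap makes the network its own inverse under the reversed key order.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block, key):
    return feistel(block, round_keys(key))


def decrypt_block(block, key):
    return feistel(block, round_keys(key)[::-1])


def tdes_ede_encrypt(block, k1, k2, k3):
    """Encrypt-Decrypt-Encrypt. Two-key variant: pass k3 == k1."""
    return encrypt_block(decrypt_block(encrypt_block(block, k1), k2), k3)


def tdes_ede_decrypt(block, k1, k2, k3):
    """The inverse: Decrypt-Encrypt-Decrypt with the keys in reverse order."""
    return decrypt_block(encrypt_block(decrypt_block(block, k3), k2), k1)
```

Real Triple DES with three keys has a 168-bit key but only about 112 bits of effective strength against a meet-in-the-middle attack, and its 64-bit block limits how much data one key may safely protect; it is retained today only for legacy compatibility.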


Page 204: INTRODUCTION TO INFORMATION SECURITY Prof. Salman Naseersalman@pugc.edu.pk Chapter# 1 1

204

Password Encryption

• Unix System uses DES for password encryption.

• 8 Characters are used for passwords

• If less than 8, random characters are added.

• If more than 8, characters are truncated.

• Password is then transformed into 56 bit number

• Taking 7 bits from each character.

• System time is used as 12 bit number

• This is called Salt.
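An added example (not from the slides) that carries the slide's key derivation through: 8 characters, 7 bits each, plus a 12-bit salt. It does not reproduce the exact bit layout of crypt(3), and, as an assumption for reproducibility, pads short passwords with NUL rather than random characters; its point is that everything after the 8th character is ignored.

```python
import time

def des_key_from_password(password: str) -> int:
    """Derive the 56-bit DES key the way the slide describes: keep exactly
    8 characters (truncate longer ones, pad shorter ones), then take 7 bits
    of each character (8 x 7 = 56 bits).
    Assumption: the slide says short passwords get random padding; this demo
    pads with NUL so results are reproducible, and it does not copy the exact
    bit ordering used by crypt(3)."""
    chars = password[:8].ljust(8, "\0")
    key = 0
    for ch in chars:
        key = (key << 7) | (ord(ch) & 0x7F)
    return key

def salt_from_time(now=None) -> int:
    """The 12-bit salt taken from the system time (only 4096 possible values)."""
    t = int(time.time() if now is None else now)
    return t & 0xFFF

def same_key(p1: str, p2: str) -> bool:
    """True when two different passwords collapse to the same DES key.
    This is the practical consequence of the 8-character limit: a password
    policy demanding 12 characters buys nothing past the 8th on this scheme."""
    return des_key_from_password(p1) == des_key_from_password(p2)

if __name__ == "__main__":
    print(same_key("correcthorse", "correcthorsebatterystaple"))  # True
    print(hex(des_key_from_password("correcth")), salt_from_time())
```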

Password Encryption

Public Key Encryption

• In this case, the encryption and decryption algorithms use different keys.
• One key is used for encryption and a different key is used for decryption.
• It is also called asymmetric encryption.
• The keys are related to each other and are called a key pair; however, both are different.
• If K1 is used for encryption, only its pair key K2 can decrypt the information.

Public Key Encryption

Diffie Hellman Key Exchange

P1 and P2 agree on two large numbers a and b.
P1 chooses a random number i and sends I to P2.
P2 chooses a random number j and sends J to P1.
P1 computes k1.
P2 computes k2.

1 < a < b
I = a^i mod b
J = a^j mod b
k1 = J^i mod b
k2 = I^j mod b

Both sides end with the same key, since k1 = a^(ij) mod b = k2, while only a, b, I and J travel over the network.
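The exchange above worked through in code, as an added example that is not part of the slides: it uses the slide's symbols (a, b, i, j, I, J, k1, k2) and checks that both sides derive the same key. The demo parameters (a = 3, b = 2^127 - 1) are constructed for illustration; real deployments use standardized, much larger groups.

```python
import secrets

def dh_exchange(a: int, b: int, i: int, j: int):
    """Run the slide's exchange and return (I, J, k1, k2):
    I and J travel over the network, k1 and k2 never leave their owners."""
    if not 1 < a < b:
        raise ValueError("need 1 < a < b")
    I = pow(a, i, b)    # P1 -> P2
    J = pow(a, j, b)    # P2 -> P1
    k1 = pow(J, i, b)   # P1 computes J^i mod b
    k2 = pow(I, j, b)   # P2 computes I^j mod b
    return I, J, k1, k2

def random_exponent(b: int) -> int:
    """A private exponent in [2, b-2] from the OS CSPRNG (never random.random)."""
    return 2 + secrets.randbelow(b - 3)

def keys_agree(a: int, b: int, i: int, j: int) -> bool:
    """Both parties end with a^(i*j) mod b, which is why k1 == k2."""
    _, _, k1, k2 = dh_exchange(a, b, i, j)
    return k1 == k2 == pow(a, i * j, b)

if __name__ == "__main__":
    # Constructed demo parameters: b is the Mersenne prime 2^127 - 1, a = 3.
    a, b = 3, 2**127 - 1
    i, j = random_exponent(b), random_exponent(b)
    I, J, k1, k2 = dh_exchange(a, b, i, j)
    print("public: a, b, I, J; private keys agree:", k1 == k2)
```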

Diffie Hellman Key Exchange

Digital Signatures

• This is a way of knowing that information was sent by some legitimate user.
• The concept is the same as a real-world signature.
• For digital signatures, the information is first passed to a hash function, which creates a checksum.
• This checksum is encrypted with the user's private key.
• The information and the encrypted checksum are then sent to the other user.

Secure Hash Functions

• A hash function is said to be secure if it is one way.
• The function creates a checksum from the information but cannot recreate the information from the checksum.
• A hash function should create at least a 128-bit checksum.
• Two famous hash functions are
• MD5 (Message Digest) – 128 bits
• SHA (Secure Hash Algorithm) – 160 bits
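The digital-signature flow from the previous slides (hash the information, encrypt the checksum with the private key, let the receiver check it with the public key) as an added example that is not from the slides. The key pair is constructed from two Mersenne primes only so the block runs offline; it is textbook RSA without padding, which real signature schemes add.

```python
import hashlib

# Toy key pair (constructed for this example): two Mersenne primes so the block
# runs offline with no key generation. Primes of such a special form are NOT
# acceptable for real RSA keys; only the hash-then-sign flow matters here.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus, about 648 bits
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def checksum(info: bytes) -> int:
    """Hash-function step: the 256-bit SHA-256 digest as an integer.
    It must be smaller than N for the textbook RSA round trip to hold."""
    return int.from_bytes(hashlib.sha256(info).digest(), "big")

def sign(info: bytes, d: int = D, n: int = N) -> int:
    """'Encrypt' the checksum with the private key: that is the signature."""
    return pow(checksum(info), d, n)

def verify(info: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver 'decrypts' the signature with the public key and compares it
    with a freshly computed checksum of the received information. Any change
    to the information or the signature makes the comparison fail."""
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == checksum(info)

if __name__ == "__main__":
    info = b"Transfer 100 to account 42"        # constructed sample message
    sig = sign(info)
    print(verify(info, sig))                    # True
    print(verify(b"Transfer 900 to account 42", sig))  # False: info changed
```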

INTRUSION DETECTION

Prof. Salman Naseer salman@pugc.edu.pk

Chapter# 8

Intrusion Detection Systems (IDS)

• It is a way or a tool to protect the security of an organization.
• Ideally, such systems raise an alarm only when a successful attack attempt is made.
• Real-world examples are
• A watchman guarding a building
• Alarm systems in cars
• Alarm systems in houses or buildings

Intrusion Detection Systems

• The basic aim is to detect any penetration of the security of the system:
• Home
• Car
• Building
• Computers
• Network
• OSSEC is an open source IDS available in the market.

Types of IDS

There are normally two types of IDS
• Host Based IDS (HIDS)
• Network Based IDS (NIDS)

Types of IDS

Host based IDS

• These are based on various sensors, called HIDS sensors.
• These sensors are installed on the servers and are controlled by some central manager.
• HIDS are normally more expensive than NIDS.
• HIDS consume processing time on the server, sometimes 5 to 10% of the processor.

Host based IDS

• This type of system has some sensors installed.
• Below are the most famous sensors for HIDS:
• Log analyzers
• Signature based sensors
• System call analyzers
• Application behavior analyzers
• File integrity checkers

Host based IDS

Log Analyzers

• A process runs on the server and analyzes specific log files on the server.
• If an entry appears which matches pre-defined criteria, a proper action is taken.
• They normally react after an event occurs.
• They normally do not prevent the attack on the system; instead they notify about the attack.
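A minimal log analyzer of the kind described above, as an added example that is not from the slides: it scans constructed sshd-style auth log lines (documentation IP ranges, not real data), applies one pre-defined criterion (repeated failed logins from the same source) and produces a notification, the passive response covered later in this chapter; the threshold and message format are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the style of an sshd auth log (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 web1 sshd[4211]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:05 web1 sshd[4215]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:01:07 web1 sshd[4211]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 web1 sshd[4220]: Failed password for alice from 198.51.100.20 port 40030 ssh2
"""

# Pre-defined criterion: a failed-password line, capturing the user and source.
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def analyze(log_text: str, threshold: int = 3):
    """Scan log lines; when one source reaches `threshold` failed logins,
    emit a notification (passive response: nothing is blocked, the event is
    reported after it happened). Returns (notifications, failures_per_source)."""
    failures = defaultdict(int)
    notifications = []
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if not match:
            continue                     # entry does not match the criterion
        user, source = match.groups()
        failures[source] += 1
        if failures[source] == threshold:   # fire once, when the criterion is first met
            notifications.append(
                f"NOTIFY: {threshold} failed logins from {source} (latest user '{user}')"
            )
    return notifications, dict(failures)

if __name__ == "__main__":
    for note in analyze(SAMPLE_LOG)[0]:
        print(note)
```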

Host based IDS

Log Analyzers

Host based IDS

Signature based sensors

• They check incoming traffic for known attack signatures.
• They can see the incoming attack, so they can notify about it as well.
• They can even be used to keep track of internal users accessing specific files.

Host based IDS

System Call Analyzers

• They analyze the calls from applications to the OS.
• They keep monitoring the calls from different applications and check them against the rules or policies.
• As soon as something is wrong, they not only notify about it but also have the capability of stopping or rejecting the call.

Host based IDS

System Call Analyzers

Figure labels: Application, Operating System, Server, Buffer overflow

Host based IDS

Application Behavior Analyzers

• They analyze the behavior of an application instead of checking its calls to the operating system.
• They see whether an application is allowed to perform some action or not.
• If not, they can stop it and notify about it too.

Host based IDS

Application Behavior Analyzers

Figure labels: Application, Server, Read, Write

Host based IDS

File Integrity Check

• It is used to check the integrity of files.
• At the start, a signature of each file is computed and maintained.
• Periodically each file is checked for changes against the initial signature for integrity.
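A file integrity checker following the two steps above (baseline signatures, then a periodic comparison), as an added example that is not from the slides or from any IDS product: it builds a constructed sample tree in a temporary directory, records SHA-256 signatures, then tampers with the tree and reports what changed. The file names and contents are made up for the demo.

```python
import hashlib
import os
import tempfile

def file_signature(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> dict:
    """Initial pass: record a signature for every file under `root`.
    In practice this table is stored where an intruder cannot rewrite it,
    otherwise a tampered file could be 'blessed' by updating its signature."""
    sigs = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            sigs[os.path.relpath(full, root)] = file_signature(full)
    return sigs

def check(root: str, initial: dict) -> dict:
    """Periodic pass: compare the current tree against the stored signatures."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in initial if p in current and current[p] != initial[p]),
        "added": sorted(p for p in current if p not in initial),
        "removed": sorted(p for p in initial if p not in current),
    }

def demo() -> dict:
    """Build a constructed sample tree, take a baseline, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"passwd": b"root:x:0:0\n", "hosts": b"127.0.0.1 localhost\n", "motd": b"welcome\n"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        initial = baseline(root)
        with open(os.path.join(root, "passwd"), "ab") as f:      # modified
            f.write(b"extra:x:1001:1001\n")
        os.remove(os.path.join(root, "motd"))                     # removed
        with open(os.path.join(root, "newfile.bin"), "wb") as f:  # added
            f.write(b"\x00\x01")
        return check(root, initial)

if __name__ == "__main__":
    print(demo())
```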

Network based IDS

• These types of systems normally have two network cards.
• One card is in stealth mode:
• It does not have an IP address
• It does not implement common protocols
• The second card is also hidden but connected to IDS management to send notifications.

Network based IDS

Advantages of NIDS

• NIDS can be hidden, so the attacker cannot tell whether he is being monitored or not.
• It can monitor a large number of systems.
• It can capture all the packets travelling to the system.
• Less expensive than HIDS

Disadvantages of NIDS

• NIDS can notify only if a signature matches.
• It can miss traffic of interest due to high bandwidth at times.
• It cannot determine whether an attack was successful.
• Encrypted traffic cannot be monitored.
• Special configurations are required for complex networks.

Choosing what to Monitor?

• In IDS, the most important question is what to monitor.
• For this purpose, different policies are required to be designed depending upon the architecture of the organization.

Choosing what to Monitor?

Responding to Attacks

There are two types of responses
• Passive Response
• Active Response

Responding to Attacks

Passive Response

• It means not directly hindering the act of the attacker.
• It is one of the most common responses.
• It is easy to implement.
• It does not largely affect the traffic of a network.

Types of Passive Responses

Shunning

• It means ignoring the attempt of attack.
• It is the most common form of passive response.
• Organizations install security measures and assume they will secure the network:
• Installing a firewall
• Installing an antivirus
• Sometimes attacks are not applicable to all environments; shunning is the right choice in those cases.

Types of Passive Responses

Logging

• Logging the information is also a type of passive response.
• If an attack takes place, the system should gather information and log it to files.
• Sometimes extensive logging is done.

Types of Passive Responses

Notification

• Notification is a popular form of passive response.
• If an attack takes place, the concerned authorities should be notified.

Responding to Attacks

Active Response

• It means quickly taking an action against the attack.
• It requires careful consideration before reacting to the attack.
• It can even deny legitimate users access to the system for an unknown time period.

Types of Active Response

Termination of Connection

• The most famous active response is termination of the connection.
• If the attacker is using a TCP connection, that connection should be terminated.
• If a process is taking too much memory for worthless tasks, terminate that process.

Types of Active Response

Network Reconfiguration

• If attacks are being made from a legitimate IP address, a call for network reconfiguration should be made.
• Rules must be reconfigured.
• New policies must be designed if possible.

Types of Active Response

Deception

• In this response, attackers are fooled into believing that they are not being watched.
• Instead they are watched and monitored carefully.
• In some cases, important information is moved to some safe location and the attacker is exposed to fake information.

Automatic vs. Automated Response

Automatic Response

• It is a set of predefined actions taken as a result of a particular event.
• These actions can be active or passive.

Automated Response

• When a response is taken by a computer without human intervention, such responses are called automated responses.

Intrusion Prevention using IDS

• Once an intrusion is detected, it must be prevented so systems are not compromised.
• In HIDS, the application behavior analyzer and the system call analyzer prevent the intrusion.
• In NIDS it is a little complicated, since sensors should be placed where they can monitor the traffic and the response time is short.

Problems with Intrusion Prevention

Denial of Service

• If an attack is not properly recognized, a legitimate user might be denied service.

Availability

• The sensors installed must be available all the time, which is difficult in a high-traffic environment.

WIRELESS SECURITY

Prof. Salman Naseer salman@pugc.edu.pk

Chapter# 9

Typical Wireless Connections

Transmission Security

• In a WLAN, since the information is transmitted over the air, proper security is required.
• WLANs normally use WEP (Wired Equivalent Privacy).
• WEP has 3 major services:
• Authentication
• Confidentiality
• Integrity

Authentication

Service Set Identifier (SSID)

• It is a 32-byte string used as the network name.
• Normally the SSID is broadcast by access points (APs).
• However, at times the SSID is not broadcast, to improve security.

Authentication

MAC Addresses

• Some APs allow only authorized MAC addresses to connect to that AP.
• All other requests will be rejected.
• The administrator must maintain a list of authorized MAC addresses to make sure no unauthorized MAC address connects to the AP.

Authentication

WEP

• This is an authentication service.
• It authenticates the workstation to the AP.
• It does not authenticate the AP to the workstation, which means the workstation is not sure whether the AP is valid or not.
• WEP still has a chance of interception and Man-in-the-Middle attacks.

Authentication

WEP

Wireless Security

Access Point Security

• APs in an organization should be very secure.
• When applying a WEP key, make sure to input a strong WEP key which is difficult to guess.
• Use MAC addresses to limit the workstations.
• Do not broadcast the SSID unless it is necessary.
• Limit the range of the AP by placing it carefully.

Wireless Security

Transmission Security

• Although using WEP is recommended, using other forms of security for sensitive environments is also recommended.
• WEP is not fully fledged, so firewalls are also recommended in combination with WEP.
• VPN algorithms are also a good form of security when using wireless networks.

Wireless Security

Workstation Security

• Protecting a WLAN is important, but workstations should be secured as well.
• Even if the network is compromised, each workstation should have extra security of its own.

Wireless Knowledge Check

What is the approximate range of 802.11x indoors and outdoors?
• Indoor = 50 – 100 m
• Outdoor = 300 – 500 m

Wireless Knowledge Check

What is the way of assigning a wireless node to connect to a WLAN automatically without assigning manual IP addresses?
• DHCP

Wireless Knowledge Check

Name the three services that WEP provides
• Authentication
• Confidentiality
• Integrity

Wireless Knowledge Check

Since the AP is not authenticated back to the workstation, what type of attack is possible?
• Man in the Middle
• Interception

Wireless Knowledge Check

How does MAC address assignment secure the network?
• Only authorized workstations can see the AP