INS notes for 8th sem
INFORMATION AND NETWORK SECURITY NOTES FOR 8TH SEMESTER INFORMATION SCIENCE SUBJECT CODE: 06CS835
TEXT BOOKS:
1. PRINCIPLES OF INFORMATION SECURITY – Michael E Whitman and Herbert J Mattord, 2nd Edition, Thomson
2. NETWORK SECURITY ESSENTIALS – APPLICATIONS AND STANDARDS, William Stallings
CONTENTS: UNIT 2, UNIT 3, UNIT 4, UNIT 5, UNIT 7
Technical controls are essential to a well-planned information security program, particularly to enforce policy for the many IT functions that are not under direct human control. Networks and computer systems make millions of decisions every second and operate in ways and at speeds that people cannot control in real time.
The physical design of a security program is made up of two parts:
The team responsible for the physical design:
o selects specific technologies to support the information security blueprint;
o identifies complete technical solutions based on these technologies, including deployment, operations, and maintenance elements, to improve the security of the environment;
o designs physical security measures to support the technical solution; and
o prepares project plans for the implementation phase that follows.
A firewall in an information security program is similar to a building’s firewall in that it prevents specific types of information from moving between the outside world, known as the untrusted network (for example, the Internet), and the inside world, known as the trusted network. The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices. Firewalls can be categorized by processing mode, development era, or structure.
PROCESSING MODES OF FIREWALLS
Firewalls fall into five major processing-mode categories:
o packet-filtering firewalls,
o application gateways,
o circuit gateways,
o MAC layer firewalls, and
o hybrids.
Packet-Filtering Firewall
o A packet-filtering firewall examines the header information of data packets that come into a network.
o It determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall.
o Packet-filtering firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.
o They scan network data packets looking for compliance with or violation of the rules of the firewall’s database.
o If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to another.
The restrictions most commonly implemented in packet-filtering firewalls are based on a combination of the following:
o IP source and destination address
o Direction (inbound or outbound)
o Protocol (for firewalls capable of examining the IP protocol layer)
o Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests (for firewalls capable of examining the TCP/UDP layer)
Packet structure varies depending on the nature of the packet. The two primary service types are TCP and UDP (as noted above).
Simple firewall models examine only two aspects of the packet header, the destination and source addresses, and enforce address restrictions on that basis.
There are three subsets of packet-filtering firewalls: static filtering, dynamic filtering, and stateful inspection.
Static filtering requires that the filtering rules be developed and installed with the firewall. The rules are created and sequenced either by a person directly editing the rule set, or by a person using a programmable interface to specify the rules and the sequence. A dynamic filtering firewall can react to an emergent event and update or create rules to deal with that event. While static filtering firewalls allow entire sets of one type of packet to enter in response to authorized requests, the dynamic packet-filtering firewall allows only a particular packet with a particular source, destination, and port address to enter. It does this by opening and closing “doors” in the firewall based on the information contained in the packet header.
Stateful inspection firewalls, also called stateful firewalls, keep track of each network connection between internal and external systems using a state table. A state table tracks the state and context of each packet in the conversation by recording which station sent what packet and when.
Application Gateways
The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router.
The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request.
This proxy server receives requests for Web pages, accesses the Web server on behalf of the external client, and returns the requested pages to the users. These servers can store the most recently accessed pages in their internal cache, and are thus also called cache servers.
One common example of an application-level firewall (or proxy server) is a firewall that blocks all requests for and responses to requests for Web pages and services from the internal computers of an organization, and instead makes all such requests and responses go to intermediate computers (or proxies) in the less protected areas of the organization’s network.
The primary disadvantage of application-level firewalls is that they are designed for one or a few specific protocols and cannot easily be reconfigured to protect against attacks on other protocols.
Circuit Gateways
The circuit gateway firewall operates at the transport layer.
Circuit gateways do not usually look at the traffic flowing between one network and another, but they do prevent direct connections between one network and another.
They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic, such as a specific type of TCP connection for authorized users, in these tunnels.
MAC Layer Firewalls
MAC layer firewalls are designed to operate at the media access control sublayer of the data link layer (Layer 2) of the OSI network model.
This enables these firewalls to consider the specific host computer’s identity, as represented by its MAC or network interface card (NIC) address in its filtering decisions. Thus, MAC layer firewalls link the addresses of specific host computers to ACL entries that identify the specific types of packets that can be sent to each host, and block all other traffic.
Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways.
A hybrid firewall system may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem.
An added advantage to the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.
FIREWALLS CATEGORIZED BY GENERATION
First generation firewalls are static packet-filtering firewalls—that is, simple networking devices that filter packets according to their headers as the packets travel to and from the organization’s networks.
Second generation firewalls are application-level firewalls or proxy servers—that is, dedicated systems that are separate from the filtering router and that provide intermediate services for requestors.
Third generation firewalls are stateful inspection firewalls, which, as described previously, monitor network connections between internal and external systems using state tables.
Fourth generation firewalls, which are also known as dynamic packet-filtering firewalls, allow only a particular packet with a particular source, destination, and port address to enter.
Fifth generation firewalls include the kernel proxy, a specialized form that works under Windows NT Executive, which is the kernel of Windows NT. This type of firewall evaluates packets at multiple layers of the protocol stack, by checking security in the kernel as data is passed up and down the stack.
FIREWALLS CATEGORISED BY STRUCTURE
Firewalls can also be categorized by the structures used to implement them.
Commercial-Grade Firewall Appliances
Firewall appliances are stand-alone, self-contained combinations of computing hardware and software. These devices frequently have many of the features of a general-purpose computer with the addition of firmware-based instructions that increase their reliability and performance and minimize the likelihood of their being compromised. These variant operating systems are tuned to meet the type of firewall activity built into the application software that provides the firewall functionality.
Commercial-Grade Firewall Systems
A commercial-grade firewall system consists of application software that is configured for the firewall application and runs on a general-purpose computer. Organizations can install firewall software on an existing general-purpose computer system, or they can purchase hardware that has been configured to specifications that yield optimum firewall performance.
Small Office/Home Office (SOHO) Firewall Appliances
As more and more small businesses and residences obtain fast Internet connections with digital subscriber lines (DSL) or cable modem connections, they become more and more vulnerable to attacks. One of the most effective methods of improving computing security in the SOHO setting is by means of a SOHO or residential-grade firewall. These devices, also known as broadband gateways or DSL/cable modem routers, connect the user’s local area network or a specific computer system to the Internetworking device—in this case, the cable modem or DSL router provided by the Internet service provider (ISP). The SOHO firewall serves first as a stateful firewall to enable inside-to-outside access and can be configured to allow limited TCP/IP port forwarding and/or screened subnet capabilities.
Residential-Grade Firewall Software
Another method of protecting the residential user is to install a software firewall directly on the user’s system. Many people have implemented these residential-grade software-based firewalls (some of which also provide antivirus or intrusion detection capabilities), but, unfortunately, they may not be as fully protected as they think. The most commonly used residential-grade software-based firewalls are McAfee Internet Security, Microsoft Windows Firewall, etc.
The configuration that works best for a particular organization depends on three factors:
o the objectives of the network,
o the organization’s ability to develop and implement the architectures, and
o the budget available for the function.
Although literally hundreds of variations exist, there are four common architectural implementations: packet-filtering routers, screened host firewalls, dual-homed firewalls, and screened subnet firewalls.
Packet-Filtering Routers
Most organizations with an Internet connection have some form of a router at the boundary between the organization’s internal networks and the external service provider. Many of these routers can be configured to reject packets that the organization does not want to allow into the network.
This is a simple but effective way to lower the organization’s risk from external attack. The drawbacks to this type of system include a lack of auditing and strong authentication.
Also, the complexity of the ACLs used to filter the packets can degrade network performance.
Screened Host Firewalls
Screened host firewalls combine the packet-filtering router with a separate, dedicated firewall, such as an application proxy server.
This approach allows the router to pre-screen packets to minimize the network traffic and load on the internal proxy.
The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services. This separate host is often referred to as a bastion host. Compromise of the bastion host can disclose the configuration of internal networks and possibly provide attackers with internal information. Since the bastion host stands as a sole defender on the network perimeter, it is commonly referred to as the sacrificial host.
Dual-Homed Firewall
A dual-homed host firewall has two network interface cards (NICs):
o one NIC is connected to the external network, and
o another NIC is connected to the internal network, providing an additional layer of protection.
With two NICs, all traffic must physically go through the firewall to move between the internal and external networks.
Implementation of this architecture often makes use of NAT.
NAT is a method of mapping real, valid, external IP addresses to special ranges of non-routable internal IP addresses, thereby creating yet another barrier to intrusion from external attackers.
Screened Subnet Firewalls (with DMZ)
The architecture of a screened subnet firewall provides a DMZ.
The DMZ can be a dedicated port on the firewall device linking a single bastion host, or it can be connected to a screened subnet, as shown in Figure 6-14.
Connections from the outside or untrusted network are routed through an external filtering router.
Connections from the outside or untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ.
Connections into the trusted internal network are allowed only from the DMZ bastion host servers.
The screened subnet is an entire network segment that performs two functions:
o it protects the DMZ systems and information from outside threats by providing a network of intermediate security
o It protects the internal networks by limiting how external connections can gain access to them.
Another facet of the DMZ is the creation of an area known as an extranet.
An extranet is a segment of the DMZ where additional authentication and authorization controls are put into place to provide services that are not available to the general public.
SOCKS Servers
SOCKS is the protocol for handling TCP traffic via a proxy server.
The SOCKS system is a proprietary circuit-level proxy server that places special SOCKS client-side agents on each workstation.
A SOCKS system can require support and management resources beyond those of traditional firewalls since it entails the configuration and management of hundreds of individual clients, as opposed to a single device or small set of devices.
SELECTING THE RIGHT FIREWALL
When trying to determine which firewall is the best for an organization, you should consider the following questions:
1. Which type of firewall technology offers the right balance between protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
The most important factor is, of course, the extent to which the firewall design provides the required protection. The second most important factor is cost.
CONFIGURING AND MANAGING FIREWALLS
Once the firewall architecture and technology have been selected, the organization must provide for the initial configuration and ongoing management of the firewall(s). Good policy and practice dictate that each firewall device, whether a filtering router, bastion host, or other firewall implementation, must have its own set of configuration rules. In fact, the configuration of firewall policies can be complex and difficult. IT professionals familiar with application programming can appreciate the difficulty of debugging both syntax errors and logic errors. Syntax errors in firewall policies are usually easy to identify, as the systems alert the administrator to incorrectly configured policies; logic errors, where a syntactically valid rule does not do what the policy intends, are much harder to find.
Configuring firewall policies is as much an art as it is a science. Each configuration rule must be carefully crafted, debugged, tested, and placed into the ACL in the proper sequence—good, correctly sequenced firewall rules ensure that the actions taken comply with the organization’s policy. In a well-designed, efficient firewall rule set, rules that can be evaluated quickly and govern broad access are performed before ones that may take longer to evaluate and affect fewer cases.
BEST PRACTICES FOR FIREWALLS / FIREWALL RULES
i. All traffic from the trusted network is allowed out.
ii. The firewall device is never directly accessible from the public network for configuration or management purposes.
iii. Simple Mail Transport Protocol (SMTP) data is allowed to enter through the firewall.
iv. ICMP is a common method for hacker reconnaissance and should be turned off to prevent snooping.
v. Telnet (terminal emulation) access to all internal servers from the public networks should be blocked.
vi. HTTP traffic should be blocked from internal networks through the use of some form of proxy access or DMZ architecture.
vii. All data that is not verifiably authentic should be denied.
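The ordered, first-match rule set and the state table described in the sections above, as an added illustration (not code from the notes): a toy filter whose ACL encodes best-practice rules i to vii in the order a well-designed rule set would evaluate them, combined with a dynamic state table that opens a "door" for the replies to connections the trusted side initiated. All addresses, ports and packets are constructed sample values.

```python
"""Toy stateful packet filter: ordered ACL (first match wins, default deny)
plus a state table that admits return traffic for connections opened from
the trusted side. Constructed addresses, ports and packets throughout."""
from dataclasses import dataclass
from typing import Callable
import ipaddress

TRUSTED = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
FIREWALL_IP = ipaddress.ip_address("203.0.113.1")  # assumed public-side address of the firewall
MAIL_SERVER = ipaddress.ip_address("10.0.5.25")    # assumed SMTP host reachable from outside
PROXY = ipaddress.ip_address("10.0.5.80")          # assumed HTTP proxy, the only inbound HTTP target


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    direction: str = "in"  # "in": from the untrusted network, "out": from the trusted network


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    test: Callable[[Packet], bool]  # predicate over the packet header


def _ip(s):
    return ipaddress.ip_address(s)


# Ordered ACL following the best-practice list in the notes. Broad, cheap
# rules come first so most packets are decided after one or two tests.
RULES = [
    # ii. the firewall itself is never managed from the public network
    Rule("deny-mgmt-from-public", "deny",
         lambda p: p.direction == "in" and _ip(p.dst) == FIREWALL_IP),
    # iv. ICMP is dropped
    Rule("deny-icmp", "deny", lambda p: p.proto == "icmp"),
    # i. all traffic from the trusted network is allowed out
    Rule("allow-trusted-out", "allow",
         lambda p: p.direction == "out" and _ip(p.src) in TRUSTED),
    # iii. inbound SMTP is allowed, but only to the mail server
    Rule("allow-smtp-in", "allow",
         lambda p: p.direction == "in" and p.proto == "tcp" and p.dport == 25
         and _ip(p.dst) == MAIL_SERVER),
    # v. Telnet to internal servers from the public network is blocked
    Rule("deny-telnet-in", "deny",
         lambda p: p.direction == "in" and p.proto == "tcp" and p.dport == 23),
    # vi. inbound HTTP reaches only the proxy, never internal hosts directly
    Rule("allow-http-to-proxy", "allow",
         lambda p: p.direction == "in" and p.proto == "tcp" and p.dport == 80
         and _ip(p.dst) == PROXY),
    # vii. anything else falls through to the default deny in decide()
]


class StatefulFilter:
    def __init__(self, rules, idle_timeout=300):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.state = {}  # (client ip, client port, server ip, server port) -> last seen

    def decide(self, p, now=0):
        """Return (action, reason) for packet p at time `now` (seconds)."""
        # forget connections idle longer than the timeout
        self.state = {k: t for k, t in self.state.items() if now - t <= self.idle_timeout}
        # replies to a connection opened from inside are admitted by the state
        # table without consulting the ACL (dynamic / stateful filtering)
        if p.direction == "in" and p.proto in ("tcp", "udp"):
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.state:
                self.state[key] = now
                return "allow", "state-table"
        # otherwise the first matching rule decides; an allowed outbound
        # connection records a state entry so its replies can come back
        for rule in self.rules:
            if rule.test(p):
                if rule.action == "allow" and p.direction == "out" and p.proto in ("tcp", "udp"):
                    self.state[(p.src, p.sport, p.dst, p.dport)] = now
                return rule.action, rule.name
        return "deny", "default-deny"


def demo():
    """Run constructed sample packets through the filter; returns the rule that decided each."""
    fw = StatefulFilter(RULES)
    pkts = [
        Packet("10.0.1.7", "198.51.100.9", "tcp", 40000, 443, "out"),  # inside opens HTTPS
        Packet("198.51.100.9", "10.0.1.7", "tcp", 443, 40000, "in"),   # its reply
        Packet("198.51.100.9", "10.0.1.7", "tcp", 443, 40001, "in"),   # unsolicited inbound
        Packet("198.51.100.9", "10.0.5.25", "tcp", 5555, 25, "in"),    # mail delivery
        Packet("198.51.100.9", "10.0.5.25", "tcp", 5555, 23, "in"),    # telnet attempt
        Packet("198.51.100.9", "203.0.113.1", "tcp", 5555, 22, "in"),  # firewall management
        Packet("198.51.100.9", "10.0.1.7", "icmp", direction="in"),    # ping
    ]
    return [fw.decide(p, now=i)[1] for i, p in enumerate(pkts)]
```

Reordering the rules changes the outcome: moving allow-trusted-out above deny-icmp, for example, would let outbound ICMP through, which is why each rule's position in the ACL is part of the policy.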
Content filter is another utility that can help protect an organisation's systems from misuse and un-intentional denial-of-service problems, and which is often closely associated with firewalls.
Content filters are also called reverse firewalls because their primary purpose is to restrict internal access to external material.
Content filters have two components: rating and filtering. Rating is like a set of firewall rules for websites and is common in residential content filters. It can be:
o complex, with multiple access control settings for different levels of the organization, or
o simple, with a basic allow/deny scheme like that of a firewall.
Filtering is a method used to restrict specific access requests to the identified resources, which may be websites, servers, or whatever resources the content filter administrator configures.
The most common content filters restrict users from accessing Web sites with obvious non-business related material, such as pornography, or deny incoming spam e-mail.
Content filters can be small add-on software programs for the home or office, such as NetNanny or SurfControl, or corporate applications, such as the Novell Border Manager.
The benefit of implementing content filters is the assurance that employees are not distracted by non-business material and cannot waste organizational time and resources. The downside is that these systems require extensive configuration and ongoing maintenance to keep the list of unacceptable destinations or the source addresses for incoming restricted e-mail up-to-date.
PROTECTING REMOTE CONNECTIONS
In the past, organizations provided the remote connections exclusively through dial-up services like Remote Authentication Service (RAS). Since the Internet has become more widespread in recent years, other options such as virtual private networks (VPNs) have become more popular.
o The connections between company networks and the Internet use firewalls to safeguard that interface.
o Unsecured, dial-up connection points represent a substantial exposure to attack.
o An attacker who suspects that an organization has dial-up lines can use a device called a war dialer to locate the connection points.
o A war dialer is an automatic phone-dialing program that dials every number in a configured range (e.g., 555-1000 to 555-2000), and checks to see if a person, answering machine, or modem picks up.
o If a modem answers, the war dialer program makes a note of the number and then moves to the next target number.
o The attacker then attempts to hack into the network via the identified modem connection using a variety of techniques.
RADIUS, TACACS, and Diameter
o RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection.
o The Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server.
o When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request, along with the user’s credentials, to the RADIUS server.
o RADIUS then validates the credentials and passes the resulting decision (accept or deny) back to the accepting remote access server. Figure 6-16 shows the typical configuration of an RAS system.
o An emerging alternative that is derived from RADIUS is the Diameter protocol.
o The Diameter protocol defines the minimum requirements for a system that provides authentication, authorization, and accounting (AAA) services and can go beyond these basics and add commands and/or object attributes.
o Diameter security uses existing encryption standards including Internet Protocol Security (IPSec) or Transport Layer Security (TLS)
o The Terminal Access Controller Access Control System (TACACS) is another remote access authorization system that is based on a client/server configuration.
o There are three versions of TACACS: TACACS, Extended TACACS, and TACACS+.
o The original version combines authentication and authorization services.
o The extended version separates the steps needed to authenticate the individual or system attempting access from the steps needed to verify that the authenticated individual or system is allowed to make a given type of connection.
SECURING AUTHENTICATION WITH KERBEROS
Kerberos consists of three interacting services, all of which use a database library:
1. Authentication server (AS), which is a Kerberos server that authenticates clients and servers.
2. Key Distribution Center (KDC), which generates and issues session keys.
3. Kerberos ticket granting service (TGS), which provides tickets to clients who request services.
Kerberos is based on the following principles:
The KDC knows the secret keys of all clients and servers on the network.
The KDC initially exchanges information with the client and server by using these secret keys.
Kerberos authenticates a client to a requested service on a server through TGS and by issuing temporary session keys for communications between the client and KDC, the server and KDC, and the client and server.
Communications then take place between the client and server using these temporary session keys. Figures 6-17 and 6-18 illustrate this process.
SESAME
o The Secure European System for Applications in a Multivendor Environment (SESAME) is similar to Kerberos in that the user is first authenticated to an authentication server and receives a token.
o The token is then presented to a privilege attribute server (instead of a ticket granting service as in Kerberos) as proof of identity to gain a privilege attribute certificate (PAC).
o SESAME uses public key encryption to distribute secret keys.
o SESAME also builds on the Kerberos model by adding additional and more sophisticated access control features, more scalable encryption systems, improved manageability, auditing features, and the option to delegate responsibility for allowing access.
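The Kerberos exchange from the SECURING AUTHENTICATION WITH KERBEROS section above, as an added toy model (not code from the notes): the KDC, which here plays both the AS and TGS roles, knows every principal's secret key; the AS reply carries a session key and a ticket-granting ticket, the TGS turns that into a service ticket, and the server validates the ticket with its own key without contacting the KDC. The cipher is a hash-based stand-in for Kerberos's symmetric encryption, and every principal name, key and lifetime is a constructed assumption.

```python
"""Toy model of the three-step Kerberos exchange: AS login, TGS ticket request,
service access. The cipher is a stand-in and all names, keys and ticket
lifetimes are constructed for illustration."""
import hashlib, hmac, json, os


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy authenticated encryption (hash keystream + HMAC tag); not for real use."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Plays both AS and TGS; holds the secret key of every principal ("krbtgt" is the TGS key)."""
    def __init__(self, keys, now):
        self.keys, self.now = keys, now

    def as_exchange(self, client):
        # AS reply: client<->TGS session key plus a TGT that only the TGS can open,
        # all sealed under the client's own secret key (derived from its password)
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "exp": self.now + 600})
        return seal(self.keys[client], {"key": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS checks the TGT and an authenticator sealed under the TGT's session key
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < self.now:
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "exp": self.now + 300})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "ticket": ticket.hex()})


class Service:
    def __init__(self, name, key, now):
        self.name, self.key, self.now = name, key, now

    def accept(self, ticket, authenticator):
        # the server never talks to the KDC: its own key validates the ticket
        t = unseal(self.key, ticket)
        if t["exp"] < self.now:
            raise ValueError("service ticket expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        return t["client"]


def client_login(kdc, service, client, client_key):
    """Client side of the full exchange; returns the identity the service accepted."""
    rep = unseal(client_key, kdc.as_exchange(client))  # a wrong client key fails here
    sk = bytes.fromhex(rep["key"])
    auth = seal(sk, {"client": client, "ts": kdc.now})
    rep2 = unseal(sk, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), auth, service.name))
    svc_key = bytes.fromhex(rep2["key"])
    auth2 = seal(svc_key, {"client": client, "ts": kdc.now})
    return service.accept(bytes.fromhex(rep2["ticket"]), auth2)


def demo():
    """Constructed principals; returns (accepted identity, wrong key rejected, expired ticket rejected)."""
    keys = {"alice": os.urandom(32), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(keys, now=1000)
    svc = Service("fileserver", keys["fileserver"], now=1000)
    ok = client_login(kdc, svc, "alice", keys["alice"])
    try:
        client_login(kdc, svc, "alice", os.urandom(32)); wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    try:  # a server whose clock is past the 300-second ticket lifetime
        client_login(kdc, Service("fileserver", keys["fileserver"], now=5000), "alice", keys["alice"])
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return ok, wrong_key_rejected, expired_rejected
```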
VIRTUAL PRIVATE NETWORKS
VPN is defined as “a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunnelling protocol and security procedures.” The VPNC defines three VPN technologies:
o A trusted VPN, also known as a legacy VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits. The organization must trust the service provider, who provides contractual assurance that no one else is allowed to use these circuits and that the circuits are properly maintained and protected—hence the name trusted VPN.
o Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet.
o A hybrid VPN combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.
A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following, regardless of the specific technologies and protocols being used:
Encapsulation of incoming and outgoing data, wherein the native protocol of the client is embedded within the frames of a protocol that can be routed over the public network and be usable by the server network environment.
Encryption of incoming and outgoing data to keep the data contents private while in transit over the public network, but usable by the client and server computers and/or the local networks on both ends of the VPN connection.
Authentication of the remote computer and, perhaps, the remote user as well. Authentication and the subsequent authorization of the user to perform specific actions are predicated on accurate and reliable identification of the remote system and/or user.
VPN can be implemented using either Transport mode or Tunnel mode.
UNIT 3 SECURITY TECHNOLOGY – 2
This chapter builds on that discussion by describing additional and more advanced technologies—intrusion detection and prevention systems, honeypots, honeynets, padded cell systems, scanning and analysis tools, and access controls—that organizations can use to enhance the security of their information assets.
INTRUSION DETECTION AND PREVENTION SYSTEMS
An intrusion occurs when an attacker attempts to gain entry into or disrupt the normal operations of an information system, almost always with the intent to do harm. Even when such attacks are self-propagating, as in the case of viruses and distributed denial-of-service attacks, they are almost always instigated by someone whose purpose is to harm an organization.
Intrusion prevention consists of activities that deter an intrusion. Some important intrusion prevention activities are writing and implementing good enterprise information security policy, planning and executing effective information security programs, installing and testing technology-based information security countermeasures (such as firewalls and intrusion detection systems), and conducting and measuring the effectiveness of employee training and awareness activities.
Intrusion detection consists of procedures and systems that identify system intrusions.
Intrusion reaction encompasses the actions an organization takes when an intrusion is detected.
These actions seek to limit the loss from an intrusion and return operations to a normal state as rapidly as possible.
Intrusion correction activities finalize the restoration of operations to a normal state and seek to identify the source and method of the intrusion in order to ensure that the same type of attack cannot occur again—thus reinitiating intrusion prevention.
Information security intrusion detection systems (IDSs) became commercially available in the late 1990s.
An IDS works like a burglar alarm in that it detects a violation (some system activity analogous to an opened or broken window) and activates an alarm.
This alarm can be audible and/or visual (producing noise and lights, respectively), or it can be silent (an e-mail message or pager alert).
With almost all IDSs, system administrators can choose the configuration of the various alerts and the alarm levels associated with each type of alert. Many IDSs enable administrators to configure the systems to notify them directly of trouble via e-mail or pagers.
The configurations that enable IDSs to provide customized levels of detection and response are quite complex.
A current extension of IDS technology is the intrusion prevention system (IPS), which can detect an intrusion and also prevent that intrusion from successfully attacking the organization by means of an active response.
Because the two systems often coexist, the combined term intrusion detection and prevention system (IDPS) is generally used to describe current anti-intrusion technologies.
IDPS TERMINOLOGY
Alert or alarm: An indication that a system has just been attacked or is under attack. IDPS alerts and alarms take the form of audible signals, e-mail messages, pager notifications, or pop-up windows.
Evasion: The process by which attackers change the format and/or timing of their activities to avoid being detected by the IDPS.
False attack stimulus: An event that triggers an alarm when no actual attack is in progress. Scenarios that test the configuration of IDPSs may use false attack stimuli to determine if the IDPSs can distinguish between these stimuli and real attacks.
False negative: The failure of an IDPS to react to an actual attack event. This is the most grievous failure, since the purpose of an IDPS is to detect and respond to attacks.
False positive: An alert or alarm that occurs in the absence of an actual attack. A false positive can sometimes be produced when an IDPS mistakes normal system activity for an attack. False positives tend to make users insensitive to alarms and thus reduce their reactivity to actual intrusion events.
Noise: Alarm events that are accurate and noteworthy but that do not pose significant threats to information security. Unsuccessful attacks are the most common source of IDPS noise, and some of these may in fact be triggered by scanning and enumeration tools deployed by network users without intent to do harm.
Site policy: The rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
Site policy awareness: A smart IDPS logs events that fit a specific profile instead of minor events, such as file modification or failed user logins. The smart IDPS knows when it does not need to alert the administrator.
True attack stimulus: An event that triggers alarms and causes an IDPS to react as if a real attack is in progress. The event may be an actual attack, in which an attacker is at work on a system compromise attempt, or it may be a drill, in which security personnel are using hacker tools to conduct tests of a network segment.
Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting true positives, while minimizing both false positives and false negatives.
Confidence value: The measure of an IDPS’s ability to correctly detect and identify certain types of attacks.
Alarm filtering: The process of classifying IDPS alerts so that they can be more effectively managed. Alarm filters are similar to packet filters in that they can filter items b