Network and web security
Upcoming SlideShare
Loading in...5

Network and web security







Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Network and web security Network and web security Document Transcript

    • WHAT IS NETWORK SECURITY?The networks are computer networks, both public and private, that are used every day to conduct transactions andcommunications among businesses, government agencies and individuals. The networks are comprised of "nodes",which are "client" terminals (individual user PCs) and one or more "servers" and/or "host" computers. They are linked bycommunication systems, some of which might be private, such as within a company, and others which might be open topublic access. The obvious example of a network system that is open to public access is the Internet, but many privatenetworks also utilize publicly-accessible communications. Today, most companies host computers can be accessed bytheir employees whether in their offices over a private communications network, or from their homes or hotel roomswhile on the road through normal telephone lines.Computer securityis a branch of computer technology known as information security as applied to computers and networks. The objective of computersecurity includes protection of information and property from theft, corruption, or natural disaster, while allowing the information andproperty to remain accessible and productive to its intended users. The term computer system security means the collectiveprocesses and mechanisms by which sensitive and valuable information and services are protected from publication, tampering orcollapse by unauthorized activities or untrustworthy individuals and unplanned events respectively. The strategies and methodologiesof computer security often differ from most other computer technologies because of its somewhat elusive objective of preventingunwanted computer behavior instead of enabling wanted computer behavior.Cyber securityThe Nation’s information technology (IT) infrastructure, still evolving from U.S. technological innovations such as thepersonal computer and the Internet, today is a vast fabric of computers – from supercomputers to handheld devices – andinterconnected networks enabling high-speed communications, information access, advanced computation, transactions,and automated processes relied upon in every sector of society. Because much of this infrastructure connects one way oranother to the Internet, it embodies the Internet’s original structural attributes of openness, inventiveness, and theassumption of good will.AuthenticationComputer security authentication means verifying the identity of a user logging onto a network. Passwords, digitalcertificates, smart cards and biometrics can be used to prove the identity of the user to the network. Computer securityauthentication includes verifying message integrity, e-mail authentication and MAC (Message Authentication Code),checking the integrity of a transmitted message. There are human authentication, challenge-response authentication,password, digital signature,IPspoofingandbiometrics.intrusion detection systemAn intrusion detection system is used to monitor network traffic, check for suspicious activities and notifies the network administratoror the system. In some instances, the IDS might also react to malicious or anomalous traffic and will take action such as barring theuser or perhaps the IP address source from accessing the system.
    • TypesFor the purpose of dealing with IT, there are two main types of IDS:Network intrusion detection system (NIDS) is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub,network switch configured for port mirroring, or network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyzes the content of individual packets for malicious traffic. An example of a NIDS is Snort. Host-based intrusion detection system (HIDS) It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC. Stack-based intrusion detection system (SIDS)This type of system consists of an evolution to the HIDS systems. The packets are examined as they go through the TCP/IPstack and, therefor, it is not necessary for them to work with the network interface in promiscuous mode. This fact makes itsimplementation to be dependent on the Operating System that is being usedTerminology Alert/Alarm: A signal suggesting that a system has been or is being attacked.[2] True Positive: A legitimate attack which triggers an IDS to produce an alarm.[2] False Positive: An event signaling an IDS to produce an alarm when no attack has taken place.[2] False Negative: A failure of an IDS to detect an actual attack.[2] True Negative: When no attack has taken place and no alarm is raised. Noise: Data or interference that can trigger a false positive.[2] Site policy: Guidelines within an organization that control the rules and configurations of an IDS.[2] Site policy awareness: An IDSs ability to dynamically change its rules and configurations in response to changing environmental activity. [2] Confidence value: A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.[2] Alarm filtering: The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks. [2] Attacker or Intruder: An entity who tries to find a way to gain unauthorized access to information, inflict harm or engage in other malicious activities. Masquerader: A user who does not have the authority to a system, but tries to access the information as an authorized user. They are generally outside users. Misfeasor: They are commonly internal users and can be of two types: 1. An authorized user with limited permissions. 2. A user with full permissions and who misuses their powers. Clandestine user: A user who acts as a supervisor and tries to use his privileges so as to avoid being captured.What are System Integrity Verifiers?System Integrity Verifiers (SIV) monitor system files to detect the Trojan versions of system binaries. An example of SIVis Tripwire. System Integrity Verifiers are used for the following purposes: To monitor and detect changes in the crucial system files made by an attacker. To issue alerts corresponding to the changes in the crucial system files. To detect components such as the Windows registry and the chron configuration To monitor unauthorized root/administrator level access
    • Penetration Testing Penetration testing is designed to find weak spots in a security system. This is a thorough, systematic process, and it’s absolutely essential when you need to identify security vulnerabilities. Penetration testing does a comprehensive test of the systems, analyzing the systems for security issues and importantly assigning risk levels. This testing provides extremely valuable information, mapping security issues clearly. Types of penetration testing Internal: This type of test mimics an attack by a visitor with basic access to the system. These tests are done within the organization’s technological parameters. External: This test is conducted from outside the organization. It’s a “cold” test, in which the testing party uses available technology to attempt to breach security from outside. This test is usually done “from scratch”, with or without disclosure of access information to the tester. Blackbox Black-box testing involves performing a security evaluation and testing with no prior knowledge of the network infrastructure or system to be tested. Testing simulates an attack by a malicious hacker outside the organization’s security perimeter. Whitebox White-box testing involves performing a security evaluation and testing with complete knowledge of the network infrastructure such as a network administrator would have Greybox: Grey-box testing involves performing a security evaluation and testing internally. Also examines the extent of access by insiders within the network. Penetration Testing Methodology Four phases of penetration testing1. 1. Planning2. 2. Discovery3. 3. Attack4. 4. Reporting elliptical curve cryptography (ECC) Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographickeys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. The technology can be used in conjunction with most public key encryption methods, such asRSA, and Diffie-Hellman. According to some researchers, ECC can yield a level of security with a 164-bit key that other systems require a 1,024- bit key to achieve. Because ECC helps to establish equivalent security with lower computing power and battery resource usage, it is becoming widely used for mobile applications. ECC was developed by Certicom, a mobile e- business security provider, and was recently licensed by Hifn, a manufacturer of integrated circuitry (IC) and network security products. RSA has been developing its own version of ECC. Many manufacturers, including 3COM, Cylink, Motorola, Pitney Bowes, Siemens, TRW, and VeriFone have included support for ECC in their products.
    • Diffie hellman key exchange algorithmDiffie Hellman was the first public key algorithm ever invented, in 1976. Alice and Bob want to be able togenerate a key to use for subsequent message exchange. The key generating exchange can take place over anunsecure channel that allows eavesdropping. The ingredients to the protocol are: p, a large prime and g, aprimitive element of Zn. This means that all numbers n=1, ... , p-1 can be represented as n = gi. These twonumbers do not need to be kept secret. For example, Alice could send them to Bob in the open. The protocolruns as follows: 1. Alice choses a large random integer x and sends Bob X=gx mod p 2. Bob choses a large random integer y and sends Alice Y=gy mod p 3. Alice computes k=Yx mod p 4. Bob computes k=Xy mod pk is the key. k is equal to gxy mod p. In order to attack this scheme, an eavesdropper would need to know howto calculate x from X or y from Y. This problem seems to be computationally hard.DIFFIE HELLMAN KEY EXCHANGE ALGORITHMDiffie Hellman key exchange algorithm uses asymmetric key principles for the distribution of symmetric keys to both parties in acommunication network. Key distribution is an important aspect of conventional algorithm and the entire safety is dependent on thedistribution of key using secured channel. Diffie Hellman utilizes the public& private key of asymmetric key cryptography to exchangethe secret key.Before going in depth of Diffie Hellman Algorithm,we define primitive root of a prime number p as one whose powers generate allthe integers from 1 to p-1, i.e. if a is the primitive root of a prime no p, then,a mod p , a2 mod p , a 3 mod p, .............. ap-1 mod p generate all distinct integers from 1 to (p-1) in some permutation.The steps for Diffie Hellman key exchange algorithm are:Step 1 : GLOBAL PUBLIC ELEMENTSSelect any prime no : qCalculate the primitive root of q : a such that a<qStep 2 : ASYMMETRIC KEY GENERATION BY USER ASelect a random number as the private key XA where XA < qCalculate the public key YA where YA = aXA mod qStep 3 : KEY GENERATION BY USER BSelect a random number as the private key XB where XB < qCalculate the public key YB where YB = aXB mod qStep 4 : Exchange the values of public key between A & BStep 5 : SYMMETRIC KEY (K) GENERATION BY USER AK= YB XA mod qStep 6 : SYMMETRIC KEY (K) GENERATION BY USER BK= YA XB mod qIt can be easily be proved that the key K generated by this algorithm by both parties are the same.
    • Public key cryptographyA cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient ofthe message. When John wants to send a secure message to Jane, he uses Janes public key toencrypt the message. Jane thenuses her private key to decrypt it.An important element to the public key system is that the public and private keys are related in such a way that only the public key canbe used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossibleto deduce the private key if you know the public key.Public-key systems, such as Pretty Good Privacy (PGP), are becoming popular for transmitting information via the Internet. They areextremely secure and relatively simple to use. The only difficulty with public-key systems is that you need to know the recipientspublic key to encrypt a message for him or her. Whats needed, therefore, is a global registry of public keys, which is one of thepromises of the new LDAP technology.Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is sometime called Diffie-Hellman encryption. It is also called asymmetric encryption because it uses two keys instead of one key (symmetric encryption).SteganographySteganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intendedrecipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin andmeans "concealed writing" from the Greek words steganos (στεγανός) meaning "covered or protected", and graphei (γραυή) meaning"writing". The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptographyand steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shoppinglists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visibleencrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries [1]where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said toprotect both messages and communicating parties.Steganography includes the concealment of information within computer files. In digital steganography, electronic communicationsmay include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media filesare ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuousimage file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone notspecifically looking for it is unlikely to notice it.What is SHA-1?SHA-1 (Secure Hash Algorithm) is a most commonly used from SHA series of cryptographic hash functions, designed by the NationalSecurity Agency of USA and published as their government standard.SHA-1 produce the 160-bit hash value. Original SHA (or SHA-0) also produce 160-bit hash value, but SHA-0 has been withdrawn bythe NSA shortly after publication and was superseded by the revised version commonly referred to as SHA-1. The other functions ofSHA series produce 224-, 256-, 384- and 512-bit hash values.History of SHA series.SHA-0 published in 1993 as the Secure Hash Standard, FIPS PUB 180 by National Institute of Standards and Technology.SHA-1 published in 1995 in FIPS PUB 180-1.SHA-256, SHA-384 and SHA-512 first published in 2001 as draft FIPS PUB 180-2 and released as official standard in 2002.SHA-224 published in 2004 as change notice for FIPS PUB 180-2.KerberosKerberos is an authentication system based on private-key cryptography. In the Kerberos system, a trusted third-partyissues session keys for interactions between users and services. It is mature technology which has been widely used,although it has known limitations.
    • Kerberos is a computer network authentication protocol which works on the basis of "tickets" toallow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Itsdesigners aimed primarily at a client–server model, and it provides mutual authentication—both the user and the serververify each others identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may use public-key [1]cryptography by utilizing asymmetric key cryptography during certain phases of authentication. Kerberos uses port 88by default.Difference between version 4 & 5 of KerberosIn version 5, an encrypted message is tagged with an encryption algorithm identifier.It gives the user the option of another algorithmIt supports a technique known as authentication forwarding.It allows credentials issued to one client to be forwarded to some other host and used by some other client. (Version 4 does notsupport)It supports a method for interrealm authentication that requires power secure key exchange than in v4.Message authentication codeIn cryptography, a message authentication code (often MAC) is a short piece of information usedto authenticate a message.A MAC algorithm, sometimes called a keyed (cryptographic) hash function, accepts as input a secret key and anarbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protectsboth a messages data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) todetect any changes to the message content.MD5 Message-Digest Algorithmis a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value. Specified in RFC 1321, MD5has been employed in a wide variety of security applications, and is also commonly used to check data integrity. MD5was designed by Ron Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as a32-digit hexadecimal number. [3]However, it has since been shown that MD5 is not collision resistant; as such, MD5 is not suitable for applicationslike SSL certificates or digital signatures that rely on this property. In 1996, a flaw was found with the design of MD5, andwhile it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, suchas SHA-1 - which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5,making further use of the algorithm for security purposes questionable - specifically, a group of researchers described [4][5]how to create a pair of files that share the same MD5 checksum. Further advances were made in breaking MD5 in [6]2005, 2006, and 2007. In December 2008, a group of researchers used this technique to fake SSL certificate [7][8]validity. , andUS-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further [9] [10]use." and most U.S. government applications now require theSHA-2 family of hash functions.
    • Secure Sockets Layer (SSL)The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission onthe Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses aprogram layer located between the Internets Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP)layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developedby Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and becamethe de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers tothe sockets method of passing data back and forth between a client and a server program in a network or betweenprogram layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which alsoincludes the use of a digital certificate.Digital certificate A digital certificate is an electronic "credit card" that establishes your credentials when doing business or othertransactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expirationdates, a copy of the certificate holders public key (used for encrypting messages and digital signatures), and the digitalsignature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Some digitalcertificates conform to a standard, X.509. Digital certificates can be kept in registries so that authenticating users canlook up other users public keys.IPsecShort for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has beendeployed widely to implement Virtual Private Networks (VPNs).IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leavesthe headeruntouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant devicedecrypts each packet.For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet SecurityAssociation and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the senderusingdigital certificates.Secure Electronic TransactionSET, short for Secure Electronic Transaction, is a standard that will enablesecure credit card transactions on the Internet. SET has been endorsed byvirtually all the major players in the electronic commerce arena, includingMicrosoft, Netscape, Visa, and Mastercard.By employing digital signatures, SET will enable merchants to verify that buyers are who they claim to be. And it will protect buyers by providing amechanism for their credit card number to be transferred directly to the credit card issuer for verification and billing without the merchant being able tosee the number.Definition of Secure Electronic Transaction - SETA form of protocol for electronic credit card payments. As the name implies, the secure electronic transaction (SET) protocol is usedto facilitate the secure transmission of consumer credit card information via electronic avenues, such as the Internet. SET blocksout the details of credit card information, thus preventing merchants, hackers and electronic thieves from accessing thisinformation.Secure electronic transactions are backed by most of the major providers of electronic transactions, such as Visa and MasterCard.SET allows merchants to verify their customers card information without actually seeing it, thus protecting the customer. Theinformation on the card is instead transferred directly to the credit card company for verification.
    • FIREWALL DESIGN PRINCIPLESFIREWALLA firewall is a dedicated hardware, or software or a combination of both, which inspects network trafficpassing through it, and denies or permits passage based on a set of rules.FIREWALL CHARACTERISTICSFirewall CapabilitiesA firewall defines a single choke point that keeps unauthorized users out the protected network……..A firewall provides a location for monitoring security-related events. Audits and alarms can be implementedon the firewall system.A firewall is a convenient platform for several Internet functions that are not security related.A firewall can serve as the platform for IPSec. Using the tunnel mode capability, the firewall can be used toimplement virtual private network.Firewall LimitationsThe firewall cannot protect against attacks that bypass the firewall (dial-up…).The firewall does not protect against internal threats.The firewall cannot protect against the transfer of virus-infected programs or files.DESIGN GOALSAll traffic from inside to outside, and vice verse, must pass through the firewall.Only authorized traffic, as defined by the local security policy, will be allowed to pass.The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operatingsystemMETHODS OF CONTROL IN FIREWALLUser controlOnly authorized users are having access to the other side of the firewallAccess controlThe access over the firewall is restricted to certain services. A service is characterized e.g. by IP address andport number.Behavior controlFor an application, the allowed usage scenarios are known. E.g. filters for e-mail attachments (virus removing)Direction controlDifferent rules for traffic into the Intranet and outgoing traffic to the Internet can be definedTYPES OF FIREWALLPacket FilteringPacket filtering is the simplest packet screening method. A packet filtering firewall does exactly what its nameimplies -- it filters packets. The most common implementation is on a router or dual-homed gateway. Thepacket filtering process is accomplished in the following manner. As each packet passes through the firewall, itis examined and information contained in the header is compared to a pre-configured set of rules or filters. Anallow or deny decision is made based on the results of the comparison. Each packet is examined individuallywithout regard to other packets that are part of the same connection.Application Gateways/Proxies
    • An application gateway/proxy is considered by many to be the most complex packet screening method. Thistype of firewall is usually implemented on a secure host system configured with two network interfaces. Theapplication gateway/proxy acts as an intermediary between the two endpoints. This packet screening methodactually breaks the client/server model in that two connections are required: one from the source to thegateway/proxy and one from the gateway/proxy to the destination. Each endpoint can only communicate withthe other by going through the gateway/proxy.Circuit-level GatewayUnlike a packet filtering firewall, a circuit-level gateway does not examine individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions. Once a session has been established, it leaves the port open toallow all other packets belonging to that session to pass. The port is closed when the session is terminated. Inmany respects this method of packet screening resembles application gateways/proxies and adaptive proxies,but circuit-level gateways operate at the transport layer (layer 4) of the OSI model.Web application security scannerA web application security scanner is program which communicates with a web application through the web front-end [1]in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performsa black-box test. Unlike source code scanners, web application scanners dont have access to the source code andtherefore detect vulnerabilities by actually performing attacks.Weaknesses and limitations Because the tool is implementing a dynamic testing method, it cannot cover 100% of the source code of the application and then, the application itself. The penetration tester should look at the coverage of the web application or of its attack surface to know if the tool was configured correctly or was able to understand the web application. It is really hard for a tool to find logical flaws such as the use of weak cryptographic functions, information leakage, etc. ....... Even for technical flaws, if the web application doesnt give enough clue, the tool cannot catch them The tool cannot implement all variants of attacks for a given vulnerability. So the tools generally have a predefined list of attacks and do not generate the attack payloads depending on the tested web application. The tools are usually limited in their understanding of the behavior of applications with dynamic content such as JavaScript, Flash, etc.What type of traffic are you denying at the firewall?  There should be a default deny rule on all firewalls to disallow anything  that is not explicitly permitted. This is more secure than explicitly denying  certain traffic because that can create holes and oversights on some  potentially malicious traffic.How are you monitoring for Trojans and backdoors?  In addition to periodic vulnerability scanning, outgoing traffic should  be inspected before it leaves the network, looking for potentially  compromised systems. Organizations often focus on traffic and  attacks coming into the network and forget about monitoring  outgoing traffic. Not only will this detect compromised systems with  Trojans and backdoors, but it will also detect potentially malicious  or inappropriate insider activity.