Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
For More : https://www.ThesisScientist.co
UNIT 3
HOST AND NETWORK SECURITY
1 Network Management
What Is Network Management...
For More : https://www.ThesisScientist.co
The goal of performance management is to measure and make available various aspe...
For More : https://www.ThesisScientist.co
point. Some correction, of course, will be required to reach optimal access prac...
For More : https://www.ThesisScientist.co
• SNMP agent is software that runs on a piece of network equipment (host, router...
For More : https://www.ThesisScientist.co
• An OID can be represented as a sequence of integers separated by decimal point...
For More : https://www.ThesisScientist.co
ACCESS read-only
STATUS mandatory
DESCRIPTION
"The number of input datagrams for...
For More : https://www.ThesisScientist.co
– coldStart - unexpected restart (i.e., system crash)
– warmStart - soft reboot
...
For More : https://www.ThesisScientist.co
• SNMPv2 was supposed to fix security problems, but effort de-railed (The “c” in...
For More : https://www.ThesisScientist.co
Security is a property of entire systems, not an appendage that can be added in ...
For More : https://www.ThesisScientist.co
2.2 Physical security
For a computer to be secure it must be physically secure. ...
For More : https://www.ThesisScientist.co
• From outside the organization?
• From inside the organization (different host)...
For More : https://www.ThesisScientist.co
Finally: what risk is acceptable?
If we have a secret which is worth 4 lira, wou...
For More : https://www.ThesisScientist.co
Is a recently recognized security standard that is based upon the British Standa...
For More : https://www.ThesisScientist.co
documentation of changes to allow analysis in the case of problems. Procedures m...
For More : https://www.ThesisScientist.co
 Security attack: Any action that compromises the security of information owned...
For More : https://www.ThesisScientist.co
A second type of passive attack, traffic analysis, is subtler (Figure 1.3b). Sup...
For More : https://www.ThesisScientist.co
these messages. The opponent could determine the location and identity of
commun...
For More : https://www.ThesisScientist.co
replay attacks
An attack in which a service already authorized and completed is ...
For More : https://www.ThesisScientist.co
detect active attacks and to recover from any disruption or delays caused by the...
For More : https://www.ThesisScientist.co
Traffic Flow Confidentiality
The protection of the information that might be der...
For More : https://www.ThesisScientist.co
1) Specific security mechanisms
May be incorporated into the appropriate protoco...
For More : https://www.ThesisScientist.co
A security plan identifies and organizes the security activities for a computing...
For More : https://www.ThesisScientist.co
requirements are usually derived from organizational needs. Sometimes these need...
For More : https://www.ThesisScientist.co
The security requirements lay out the system's needs in terms of what should be
...
For More : https://www.ThesisScientist.co
If the implementation is to be a phased development (that is, the system will be...
For More : https://www.ThesisScientist.co
plan should incorporate users' views, especially with regard to usability and th...
For More : https://www.ThesisScientist.co
The system administrator's security responsibilities
The policy may require that...
For More : https://www.ThesisScientist.co
Security aspects come into play when it is necessary or desirable to protect the...
For More : https://www.ThesisScientist.co
4. Specify a protocol to be used by the two principals that makes use of the sec...
For More : https://www.ThesisScientist.co
access, the second line of defense consists of a variety of internal controls th...
For More : https://www.ThesisScientist.co
Here we are presuming Complete Mediation: Every request any subject makes will b...
For More : https://www.ThesisScientist.co
We have not yet distinguished among kinds of users, but we want some users (such...
For More : https://www.ThesisScientist.co
 Each entry of the matrix stores the access rights that the subject of that row...
For More : https://www.ThesisScientist.co
create object f
grant own rights to [p, f]
grant read rights to [p, f]
grant wri...
For More : https://www.ThesisScientist.co
Upon invoking the editor, the access matrix changes, and the r/w privileges move...
For More : https://www.ThesisScientist.co
a set of pairs, with each pair containing a subject and a set of rights. The nam...
For More : https://www.ThesisScientist.co
4. How are contradictory access control permissions handled? If one entry grants...
For More : https://www.ThesisScientist.co
Revocation of Rights
Revocation, or the prevention of a subject's accessing an o...
For More : https://www.ThesisScientist.co
Capabilities encapsulate object identity. When a process presents a capability o...
For More : https://www.ThesisScientist.co
Associated with a c-list are meta-instructions that allow capabilities to be cha...
For More : https://www.ThesisScientist.co
Each of these rules has some powerful implications when filtering IP and IPX pac...
For More : https://www.ThesisScientist.co
Configuration of extended access lists
Acme#config t
Acme(config)#access-list 11...
For More : https://www.ThesisScientist.co
 Passwords are not visible to ordinary users, but their encrypted form is often...
For More : https://www.ThesisScientist.co
At their most basic, firewalls block particular TCP/IP source/destination addres...
For More : https://www.ThesisScientist.co
 guards
 personal firewalls
1. Packet filtering gateways or screening routers
...
For More : https://www.ThesisScientist.co
compared with the second rule. If that matches, it‟s actioned; otherwise the thi...
For More : https://www.ThesisScientist.co
 They can allow reverse traffic automatically, without your having to enter spe...
For More : https://www.ThesisScientist.co
 When the client sends the answering ACK, the server removes the entry from the...
For More : https://www.ThesisScientist.co
 SPI firewalls can protect servers from this type of attack. Instead of passing...
For More : https://www.ThesisScientist.co
 Because the firewall must maintain state tables for each established TCP
conne...
For More : https://www.ThesisScientist.co
 The ALG acts as a proxy on behalf of the client. It accepts requests from the
...
For More : https://www.ThesisScientist.co
3. you could allow FTP GET requests but block PUT requests, so Internet
users ca...
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
HOST AND NETWORK SECURITY by ThesisScientist.com
Upcoming SlideShare
Loading in …5
×

HOST AND NETWORK SECURITY by ThesisScientist.com

1,008 views

Published on

Network management means different things to different people. In some cases, it involves a solitary network consultant monitoring network activity with an outdated protocol analyzer. In other cases, network management involves a distributed database, auto polling of network devices, and high-end workstations generating real-time graphical views of network topology changes and traffic. In general, network management is a service that employs a variety of tools, applications, and devices to assist human network managers in monitoring and maintaining networks.

Published in: Engineering
  • Be the first to comment

  • Be the first to like this

HOST AND NETWORK SECURITY by ThesisScientist.com

  1. 1. For More : https://www.ThesisScientist.co UNIT 3 HOST AND NETWORK SECURITY 1 Network Management What Is Network Management? Network management means different things to different people. In some cases, it involves a solitary network consultant monitoring network activity with an outdated protocol analyzer. In other cases, network management involves a distributed database, auto polling of network devices, and high-end workstations generating real-time graphical views of network topology changes and traffic. In general, network management is a service that employs a variety of tools, applications, and devices to assist human network managers in monitoring and maintaining networks. 1.1 Network Management Architecture Most network management architectures use the same basic structure and set of relationships. End stations (managed devices), such as computer systems and other network devices, run software that enables them to send alerts when they recognize problems (for example, when one or more user-determined thresholds are exceeded). Upon receiving these alerts, management entities are programmed to react by executing one, several, or a group of actions, including operator notification, event logging, system shutdown, and automatic attempts at system repair. Management entities also can poll end stations to check the values of certain variables. Polling can be automatic or user-initiated, but agents in the managed devices respond to all polls. Agents are software modules that first compile information about the managed devices in which they reside, then store this information in a management database, and finally provide it (proactively or reactively) to management entities within network management systems (NMSs) via a network management protocol.Well-known network management protocols include the Simple Network Management Protocol (SNMP) and Common Management Information Protocol (CMIP). Management proxies are entities that provide management information on behalf of other entities. Figure 6-1 depicts a typical network management architecture. 1.2 ISO Network Management Model The ISO has contributed a great deal to network standardization. Its network management model is the primary means for understanding the major functions of network management systems. This model consists of five conceptual areas, as discussed in the next sections. a) Performance Management
  2. 2. For More : https://www.ThesisScientist.co The goal of performance management is to measure and make available various aspects of network performance so that inter network performance can be maintained at an acceptable level. Examples of performance variables that might be provided include network throughput, user response times, and line utilization. Performance management involves three main steps. First, performance data is gathered on variables of interest to network administrators. Second, the data is analyzed to determine normal (baseline) levels. Finally, appropriate performance thresholds are determined for each important variable so that exceeding these thresholds indicates a network problem worthy of attention. Management entities continually monitor performance variables. When a performance threshold is exceeded, an alert is generated and sent to the network management system. Each of the steps just described is part of the process to set up a reactive system. When performance becomes unacceptable because of an exceeded user-defined threshold, the system reacts by sending a message. Performance management also permits proactive methods: For example, network simulation can be used to project how network growth will affect performance metrics. Such simulation can alert administrators to impending problems so that counteractive measures can be taken. b) Configuration Management The goal of configuration management is to monitor network and system configuration information so that the effects on network operation of various versions of hardware and software elements can be tracked and managed. Each network device has a variety of version information associated with it. An engineering workstation, for example, may be configured as follows: • Operating system, Version 3.2 • Ethernet interface, Version 5.4 • TCP/IP software, Version 2.0 • NetWare software, Version 4.1 • NFS software, Version 5.1 • Serial communications controller, Version 1.1 • X.25 software, Version 1.0 • SNMP software, Version 3.1 Configuration management subsystems store this information in a database for easy access. When a problem occurs, this database can be searched for clues that may help solve the problem. c) Accounting Management The goal of accounting management is to measure network utilization parameters so that individual or group uses on the network can be regulated appropriately. Such regulation minimizes network problems (because network resources can be apportioned based on resource capacities) and maximizes the fairness of network access across all users. As with performance management, the first step toward appropriate accounting management is to measure utilization of all important network resources. Analysis of the results provides insight into current usage patterns, and usage quotas can be set at this
  3. 3. For More : https://www.ThesisScientist.co point. Some correction, of course, will be required to reach optimal access practices. From this point, ongoing measurement of resource use can yield billing information as well as information used to assess continued fair and optimal resource utilization. d) Fault Management The goal of fault management is to detect, log, notify users of, and (to the extent possible) automatically fix network problems to keep the network running effectively. Because faults can cause downtime or unacceptable network degradation, fault management is perhaps the most widely implemented of the ISO network management elements. Fault management involves first determining symptoms and isolating the problem. Then the problem is fixed and the solution is tested on all-important subsystems. Finally, the detection and resolution of the problem is recorded. e) Security Management The goal of security management is to control access to network resources according to local guidelines so that the network cannot be sabotaged (intentionally or unintentionally) and sensitive information cannot be accessed by those without appropriate authorization. A security management subsystem, for example, can monitor users logging on to a network resource and can refuse access to those who enter inappropriate access codes. Security management subsystems work by partitioning network resources into authorized and unauthorized areas. For some users, access to any network resource is inappropriate, mostly because such users are usually company outsiders. For other (internal) network users, access to information originating from a particular department is inappropriate. Access to Human Resource files, for example, is inappropriate for most users outside the Human Resources department. Security management subsystems perform several functions. They identify sensitive network resources (including systems, files, and other entities) and determine mappings between sensitive network resources and user sets. They also monitor access points to sensitive network resources and log inappropriate access to sensitive network resources. Simple Network Management Protocol • SNMP is a framework that provides facilities for managing and monitoring network resources on the Internet. • Components of SNMP: – SNMP agents – SNMP managers – Management Information Bases (MIBs) – SNMP protocol itself
  4. 4. For More : https://www.ThesisScientist.co • SNMP agent is software that runs on a piece of network equipment (host, router, printer, or others) and that maintains information about its configuration and current state in a database • Information in the database is described by Management Information Bases (MIBs) • An SNMP manager is an application program that contacts an SNMP agent to query or modify the database at the agent. • SNMP protocol is the application layer protocol used by SNMP agents and managers to send and receive data. Interactions in SNMP MIBS • A MIB specifies the managed objects • MIB is a text file that describes managed objects using the syntax of ASN.1 (Abstract Syntax Notation 1) • ASN.1 is a formal language for describing data and its properties • In Linux, MIB files are in the directory /usr/share/snmp/mibs – Multiple MIB files – MIB-II (defined in RFC 1213) defines the managed objects of TCP/IP networks Managed Objects • Each managed object is assigned an object identifier (OID) • The OID is specified in a MIB file. iso(1) org (3) dod (6) internet (1) mib-2 (1) system (1) at (3) icmp (5) udp (7) snmp (11) ipForwDatagrams (6) directory (1) mgmt (2) experimental (3) private (4) interface (2) ip (4) tcp (6) egp (8) transmission (10) . root
  5. 5. For More : https://www.ThesisScientist.co • An OID can be represented as a sequence of integers separated by decimal points or by a text string: Example: – 1.3.6.1.2.1.4.6. – iso.org.dod.internet.mgmt.mib-2.ip.ipForwDatagrams • When an SNMP manager requests an object, it sends the OID to the SNMP agent. Organization of managed objects • Managed objects are organized in a tree-like hierarchy and the OIDs reflect the structure of the hierarchy. • Each OID represents a node in the tree. • The OID 1.3.6.1.2.1 (iso.org.dod.internet.mgmt.mib-2) is at the top of the hierarchy for all managed objects of the MIB-II. • Manufacturers of networking equipment can add product specific objects to the hierarchy Definition of managed objects in a MIB • Specification of ipForwDatagrams in MIB-II. ipForwDatagrams OBJECT-TYPE SYNTAX Counter iso(1) org (3) dod (6) internet (1) mib-2 (1) system (1) at (3) icmp (5) udp (7) snmp (11) ipForwDatagrams (6) directory (1) mgmt (2) experimental (3) private (4) interface (2) ip (4) tcp (6) egp (8) transmission (10) . root
  6. 6. For More : https://www.ThesisScientist.co ACCESS read-only STATUS mandatory DESCRIPTION "The number of input datagrams for which this entity was not their final IP destination, as result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, counter will include only those packets which were Source-Routed via this entity, and the Source- Route option processing was successful." ::= { ip 6 } SNMP Protocol • SNMP manager and an SNMP agent communicate using the SNMP protocol – Generally: Manager sends queries and agent responds – Exception: Traps are initiated by agent. • Get-request. Requests the values of one or more objects • Get-next-request. Requests the value of the next object, according to a lexicographical ordering of OIDs. • Set-request. A request to modify the value of one or more objects • Get-response. Sent by SNMP agent in response to a get-request, get-next- request, or set-request message. • Trap. An SNMP trap is a notification sent by an SNMP agent to an SNMP manager, which is triggered by certain events at the agent. Traps • Traps are messages that asynchronously sent by an agent to a manager • Traps are triggered by an event • Defined traps include: – linkDown: Even that an interface went donw
  7. 7. For More : https://www.ThesisScientist.co – coldStart - unexpected restart (i.e., system crash) – warmStart - soft reboot – linkUp - the opposite of linkDown – (SNMP) AuthenticationFailure SNMP Versions • Three versions are in use today: – SNMPv1 (1990) – SNMPv2c (1996) • Adds “GetBulk” function and some new types • Adds RMON (remote monitoring) capability – SNMPv3 (2002) • SNMPv3 started from SNMPv1 (and not SNMPv2c) • Addresses security • All versions are still used today • Many SNMP agents and managers support all three versions of the protocol. Format of SNMP Packets • SNMPv1 Get/Set messages SNMP Security • SNMPv1 uses plain text community strings for authentication as plain text without encryption Version Community SNMP PDU PDU Type Request ID Error Status Object 1, Value 1 Object 2, Value 2 Error Index ...
  8. 8. For More : https://www.ThesisScientist.co • SNMPv2 was supposed to fix security problems, but effort de-railed (The “c” in SNMPv2c stands for “community”). • • SNMPv3 has numerous security features: – Ensure that a packet has not been tampered with (integrity), – Ensures that a message is from a valid source (authentication) – Ensures that a message cannot be read by unauthorized (privacy). • Security model of SNMPv3 has two components: 1.Instead of granting access rights to a community, SNMPv3 grants access to users. 2. Access can be restricted to sections of the MIB (Version-based Access Control Module (VACM). Access rights can be limited • by specifying a range of valid IP addresses for a user or community, • or by specifying the part of the MIB tree that can be accessed. SNMP has three security levels: • noAuthNoPriv: Authentication with matching a user name. • authNoPriv: Authentication with MD5 or SHA message digests. • authPriv: Authentication with MD5 or SHA message digests, and encryption with DES encryption 2 Host and Network Security: Security Planning, Categories of Security: C1, C2, C3, C4 2.1 Principles of Security:- Security management cannot be separated from network and system administration because security requires a fully systemic approach. Security is about protecting things of value to an organization, in relation to the possible risks. This includes material and intellectual assets; it includes the very assumptions that are the foundation of an organization or human–computer system. Anything that can cause a failure of those assumptions can result in loss, and must therefore be considered a threat. A system can be compromised by: • Physical threats: weather, natural disaster, bombs, power failures etc. • Human threats: cracking, stealing, trickery, bribery, spying, sabotage, accidents. • Software threats: viruses, Trojan horses, logic bombs, denial of service. Protecting against these issues requires both proactive (preventative) measures and damage control after breaches. Our task is roughly as follows: • Identify what we are trying to protect. • Evaluate the main sources of risk and where trust is placed. • Work out possible or cost-effective counter-measures to attacks. Four independent issues Principle 1 (Security is a property of systems).
  9. 9. For More : https://www.ThesisScientist.co Security is a property of entire systems, not an appendage that can be added in any one place, or be applied at any one time. It relies on the constant appraisal and re-appraisal (the integrity) of our assumptions about a system. There are usually many routes through a system that permit theft or destruction. If we try to „add security‟ in one place, an attacker or random chance will simply take a different route. Principle 2 (Access and privilege). A fundamental prerequisite for security is the ability to restrict access to data. This leads directly to a notion of privilege for certain users. The word privilege does not apply to loss by accident or natural disaster, but the word access does. If accidental actions or natural disasters do not have access to data, then they cannot cause them any harm. Any attempt to run a secure system where restriction of access is not possible is fundamentally flawed. There are four basic elements in security: • Privacy or confidentiality: restriction of access. • Authentication: verification of presumed identity. • Integrity: protection against corruption or loss (redundancy). • Trust: underlies every assumption. Some authors include the following as independent points: • Availability: preventing disruption of a service. • Non-repudiation: preventing deniability of actions. Principle 3(Security is about trust). Every security problem boils down to a question of whom or what do we trust? Once we have understood this, the topic of security is reduced to a litany of examples of how trust may be exploited and how it may be improved using certain technological aids. Failure to understand this point can lead to embarrassing mistakes being made. Usually, we introduce some kind of technology to move trust from a risky place to a safer place. For example, if we do not trust our neighbors not to steal our possessions, we might put a lock on our door. We no longer have to trust our neighbors, but we have to trust that the lock will do its job in the way we expect. This is easier to trust, because a simple mechanical device is more predictable than complicated human beings, but it can still fail. If we don‟t entirely trust the lock, we could install an alarm system which rings the police if someone breaks in. Now we are trusting the lock a little, the alarm system and the police. After all, who says that the police will not be the ones to steal your possessions? In some parts of the world, this idea is not so absurd. Trust is based on assumption. It can be bolstered with evidence but, just as science can never prove something is true, we can never trust something with absolute certainty. We only know when trust is broken. This is the real insight of security – not the technologies that help us to build trust.
  10. 10. For More : https://www.ThesisScientist.co 2.2 Physical security For a computer to be secure it must be physically secure. If we can get our hands on a host then we are never more than a screwdriver away from all of its assets. Such as  Disks can be removed.  Sophisticated users can tap network linesand listen to traffic.  The radiation from monitor screens can be captured and recorded, showing an exact image of what a user is looking at on his/her screen. Assuming that hosts are physically secure, we still have to deal with the issues of software security which is a much more difficult topic. Software security is about access control and software reliability. No single tool can make computer systems secure. Major blunders have been made out of the belief that a single product (e.g. a „firewall‟) would solve the security problem. The bottom line is that there is no such thing as a secure operating system. What is required is a persistent mixture of vigilance and adaptability. 2.3 Trust relationships There are many implicit trust relationships in computer systems. It is crucial to understand them. If we do not understand where we are placing our trust, that trust can be exploited by attackers who have thought more carefully than we have. For example, any host that shares users‟ home-directories (such as an NFS server or DFS server) trusts the identities and personal integrity of the users on the hosts which mount those directories Implicit trust relationships lie at the heart of so many software systems which grant access to services or resources that it would be impossible to list them all here. Trust relationships are important to grasp because they can lead to security holes. 2.4 Security policy and definition of security Security only has meaning when we have defined a frame of reference. It is intrinsically connected to our own appreciation of risks. It must be based on a thorough risk analysis. Principle (Risk). There is always a non-zero level of risk associated with any system. Definition (Secure system). A secure system is one in which every possible threat has been analyzed and where all the risks have been assessed and accepted as policy. Security must be balanced against convenience How secure must we be
  11. 11. For More : https://www.ThesisScientist.co • From outside the organization? • From inside the organization (different host)? • From inside the organization (same host)? • Against the interruption of services? • From user error? Finally, how much inconvenience are the users of the system willing to endure in order to uphold this level of security? This point should not be underestimated: if users consider security to be a nuisance, they try to circumvent it. What resources are we trying to protect? • Secrets: Some sites have secrets they wish to protect. They might be government or trade secrets or the solutions to a college exam. • Personnel data: In your country there are probably rules about what you must do to safeguard sensitive personal information. This goes for any information about employees, patients, customers or anyone else we deal with. Information about people is private. • CPU usage/System downtime: We might not have any data that we are afraid will fall into the wrong hands. It might simply be that the system is so important to us that we cannot afford the loss of time incurred by having someone screw it up. If the system is down, everything stops. • Abuse of the system: It might simply be that we do not want anyone using our system to do something for which they are not authorized, like breaking into other systems. Who are we trying to protect them from? • Competitors, who might gain an advantage by learning your secrets. • Malicious intruders. Note that people with malicious intent might come from inside or outside our organization. It is wrong to think that the enemy is simply everyone outside of our domain. Too many organizations think „inside/outside‟ instead of dealing with proper access control. If one always ensures that systems and data are protected on a need-to-know basis, then there is no reason to discriminate between inside or outside of an organization. • Old employees with a grudge against the organization. Next: what will happen if the system is compromised? • Loss of money • Threat of legal action against you • Missed deadlines • Loss of reputation. How much work will we need to put into protecting the system? Who are the people trying to break in? • Sophisticated spies • Tourists, just poking around • Braggers, trying to impress.
  12. 12. For More : https://www.ThesisScientist.co Finally: what risk is acceptable? If we have a secret which is worth 4 lira, would we be interested in spending 5 lira to secure it? Where does one draw the line? How much is security worth? The social term in the security equation should never be forgotten. One can spend a hundred thousand dollars on the top of the range firewall to protect data from network intrusion, but someone could walk into the building and look over an unsuspecting shoulder to obtain it instead, or use a receiver to collect the stray radiation from your monitors. Are employees leaving sensitive printouts lying around? Are we willing to place our entire building in a Faraday cage to avoid remote detection of the radiation expelled by monitors? In the final instance, someone could just point a gun at someone‟s head and ask nicely for their secrets. An example of security policies can be found at RFC 1244 and British Standard/ISO17799. RFC 2196 and BS/ISO 17799 Security standards are attempts at capturing the essence of security management. Rather than focusing on the technologies that can be used to implement security, as most texts do, these standards attempt to capture the more important points of how these technologies and methods can be used in concert to address the actual risks. There are two main standards 1) RFC 2196 Is a guide to producing a site security policy that is addressed at system administrators. It emphasizes that a policy must be closely tied to administrative practice. The document correctly points out that: • It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods. • It must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible. • It must clearly define the areas of responsibility for the users, administrators and management. The standard goes on to describe the elements of such a policy, including purchasing guidelines, privacy policy, access policy, accountability policy, authentication policy, a statement of availability requirements, a maintenance policy and a reporting policy in case of security breach. It also iterates the importance of documentation and supporting information for users and staff. 2 ISO 17799 (Information Technology – Code of Practice for Security Management)
  13. 13. For More : https://www.ThesisScientist.co Is a recently recognized security standard that is based upon the British Standard BS7799, published in 1999.ISO 17799 was published in 2000 and accepted as a British Standard in 2001. It is an excellent starting place for formulating an organization‟s security policy. It is less technical than RFC 2196, but goes into greater detail from a logistic viewpoint. It has been constructed with great care and expertise. Compliance with ISO 17799 is far from trivial, even for the most security conscious of organizations. The document describes ten points: 1. Security policy: The standard iterates the importance of a security policy that sets clear goals, and demonstrates a commitment by an organization to the seriousness of its security. The policy should ensure that legal and contractual commitments are met, and that the economic ramifications of a security breach are understood. The policy itself must be maintained and updated by a responsible party. 2. Organizational security: A security team should be assembled that sets policy and provides multi-disciplinary advice. The team should allocate responsibilities within the organization for maintaining security of assets at all levels. Levels of authorization to assets must be determined. Contact with law-enforcement organizations and regulatory bodies should be secured and policies and procedures should be peer-reviewed for quality assurance. Any „outsourcing‟, i.e. third party contracts, must address the risks associated with opening the organization‟s security borders. 3. Asset classification and control: Organizations should have an inventory of their assets, which classifies each asset according to its appropriate level of security. Procedures for labelling and handling different levels of information, including electronic and paper transmission (post, fax, E-mail etc.) and speech (telephone or conversation over dinner) must be determined. 4. Personnel security: In order to reduce the risks of human error, malicious attacks by theft, fraud or vandalism, staff should be screened and given security responsibilities. Confidentiality (non-disclosure (NDA)) agreements, as well as terms and conditions of employment may be used as a binding agreement of responsibility. Most importantly, training of staff (users) in the possible threats and their combative procedures is needed to ensure compliance with policy. A response contingency plan should be drawn up and familiarized to the staff, so that security breaches and weaknesses are reported immediately. 5. Physical and environmental security: All systems must have physical security; this usually involves a „security perimeter‟ with physical constraints against theft and intrusion detection systems, as well as a controlled, safe environment. Secure areas can provide extra levels of security for special tasks. Equipment should be protected from physical threats (including fire, coffee, food etc.) and have uninterruptible power supplies where appropriate. Cables must be secured from damage and wire-tapping. Desks and screens and refuse/trash should be cleared when not in use, to avoid accidental disclosure of confidential information. 6. Communications and operations management: The processing and handling of information must be specified with appropriate procedures for the level of information. Change management should include appropriate authorizations and significant
  14. 14. For More : https://www.ThesisScientist.co documentation of changes to allow analysis in the case of problems. Procedures must be documented for responding to all kinds of threat. Analysis (causality) and audit trails should be planned for breaches. Housekeeping, backups, safe disposal of information and materials and other regular maintenance should be in place and be integrated into the scheme. System administration features heavily here: security and administration go hand in hand; they are not separate issues. This part of the standard covers many miscellaneous issues. 7. Access control: User management, password and key management, access rights, securing unattended equipment. Enforced pathways to assets that prevent „back-doors‟. Segregation of independent assets and authentication for access. Use of securable operating systems, restriction of privilege. Clock synchronization. Mobile computing issues. 8. Systems development and maintenance: Security should be built into systems from the start. Input output validation. Policy on cryptographic controls, including signatures and certificates. Interestingly, the standard recommends against open source software. Covert channels (secret channels that bypass security controls) must be avoided. 9. Business continuity management: Each organization should estimate the impact of catastrophes and security breaches on its business. Will the organization be able to continue after such a breach? What will be the impact? The standard suggests the testing of this continuity plan. 10. Compliance: Laws and regulations must be obeyed, with regard to each country and contractual obligation. Regulation of personal information and cryptographic methods must be taken into account in different parts of the world. Compliance with the organization‟s own policy must be secured by auditing. The ISO standard is a good introduction to human computer security that can be recommended for any organization. 4 The OSI Security Architecture To assess effectively the security needs of an organization and to evaluate and choose various security products and policies, the manager responsible for security needs some systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. This is difficult enough in a centralized data processing environment; with the use of local and wide area networks, the problems are compounded. ITU-T[2] Recommendation X.800, Security Architecture for OSI, defines such a systematic approach.[3] The OSI security architecture is useful to managers as a way of organizing the task of providing security. The OSI security architecture focuses on security attacks, mechanisms, and services. These can be defined briefly as follows:
  15. 15. For More : https://www.ThesisScientist.co  Security attack: Any action that compromises the security of information owned by an organization.  Security mechanism: A process (or a device incorporating such a process) that is designed to detect, prevent, or recover from a security attack.  Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. The services are intended to counter security attacks, and they make use of one or more security mechanisms to provide the service Security Attacks a) Passive Attacks Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis. The release of message contents is easily understood (Figure 1.3a). A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions. Figure 1.3. Passive Attacks
  16. 16. For More : https://www.ThesisScientist.co A second type of passive attack, traffic analysis, is subtler (Figure 1.3b). Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of
  17. 17. For More : https://www.ThesisScientist.co these messages. The opponent could determine the location and identity of communicating hosts and could observe the frequency and length of messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place. Passive attacks are very difficult to detect because they do not involve any alteration of the data. Typically, the message traffic is sent and received in an apparently normal fashion and neither the sender nor receiver is aware that a third party has read the messages or observed the traffic pattern. However, it is feasible to prevent the success of these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive attacks is on prevention rather than detection. Active Attacks Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service. A masquerade takes place when one entity pretends to be a different entity (Figure 1.4a). A masquerade attack usually includes one of the other forms of active attack. For example, authentication sequences can be captured and replayed after a valid authentication sequence has taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by impersonating an entity that has those privileges.
  18. 18. For More : https://www.ThesisScientist.co replay attacks An attack in which a service already authorized and completed is forged by another "duplicate request" in an attempt to repeat authorized commands. Its involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect (Figure 1.4b). Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure 1.4c). For example, a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read confidential file accounts." The denial of service prevents or inhibits the normal use or management of communications facilities (Figure 1.4d). This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance. Active attacks present the opposite characteristics of passive attacks. Whereas passive attacks are difficult to detect, measures are available to prevent their success. On the other hand, it is quite difficult to prevent active attacks absolutely, because of the wide variety of potential physical, software, and network vulnerabilities. Instead, the goal is to
  19. 19. For More : https://www.ThesisScientist.co detect active attacks and to recover from any disruption or delays caused by them. If the detection has a deterrent effect, it may also contribute to prevention. Security Services X.800 defines a security service as a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers. Perhaps a clearer definition is found in RFC 2828, which provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms. Security Services 1) AUTHENTICATION:- The assurance that the communicating entity is the one that it claims to be. Peer Entity Authentication Used in association with a logical connection to provide confidence in the identity of the entities connected. Data Origin Authentication In a connectionless transfer, provides assurance that the source of received data is as claimed. 2) ACCESS CONTROL:- The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do). 3) DATA CONFIDENTIALITY:- The protection of data from unauthorized disclosure. Connection Confidentiality The protection of all user data on a connection. Connectionless Confidentiality The protection of all user data in a single data block Selective-Field Confidentiality The confidentiality of selected fields within the user data on a connection or in a single data block.
  20. 20. For More : https://www.ThesisScientist.co Traffic Flow Confidentiality The protection of the information that might be derived from observation of traffic flows. 4) DATA INTEGRITY The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay). Connection Integrity with Recovery Provides for the integrity of all user data on a connection and detects any modification, insertion, deletion, or replay of any data within an entire data sequence, with recovery attempted. Connection Integrity without Recovery As above, but provides only detection without recovery. Selective-Field Connection Integrity Provides for the integrity of selected fields within the user data of a data block transferred over a connection and takes the form of determination of whether the selected fields have been modified, inserted, deleted, or replayed. Connectionless Integrity Provides for the integrity of a single connectionless data block and may take the form of detection of data modification. Additionally, a limited form of replay detection may be provided. Selective-Field Connectionless Integrity Provides for the integrity of selected fields within a single connectionless data block; takes the form of determination of whether the selected fields have been modified. 5) NONREPUDIATION Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication. Nonrepudiation, Origin Proof that the message was sent by the specified party. Nonrepudiation, Destination Proof that the message was received by the specified party. Security Mechanisms
  21. 21. For More : https://www.ThesisScientist.co 1) Specific security mechanisms May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services. A) Encipherment :- The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys. B) Digital Signature:- Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient). C) Access Control :- A variety of mechanisms that enforce access rights to resources. D) Data Integrity:- A variety of mechanisms used to assure the integrity of a data unit or stream of data units. E) Authentication Exchange:- A mechanism intended to ensure the identity of an entity by means of information exchange. F) Traffic Padding:- The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts G) Routing Control:- Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected. H) Notarization:- The use of a trusted third party to assure certain properties of a data exchange 2) Pervasive security mechanisms Mechanisms that are not specific to any particular OSI security service or protocol layer A) Trusted Functionality That which is perceived to be correct with respect to some criteria (e.g., as established by a security policy). B) Security Label The marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. C) Event Detection Detection of security-relevant events. D) Security Audit Trail Data collected and potentially used to facilitate a security audit, which is an independent review and examination of system records and activities. E) Security Recovery Deals with requests from mechanisms, such as event handling and management functions, and takes recovery actions. Contents of a Security Plan (Planning)
  22. 22. For More : https://www.ThesisScientist.co A security plan identifies and organizes the security activities for a computing system. The plan is both a description of the current situation and a plan for improvement. Every security plan must address seven issues. 1. policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals 2. current state, describing the status of security at the time of the plan 3. requirements, recommending ways to meet the security goals 4. recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements 5. accountability, describing who is responsible for each security activity 6. timetable, identifying when different security functions are to be done 7. continuing attention, specifying a structure for periodically updating the security plan 1 Policy A security plan must state the organization's policy on security. A security policy is a high-level statement of purpose and intent. The policy statement should specify the following:  The organization's goals on security. For example, should the system protect data from leakage to outsiders, protect against loss of data due to physical disaster, protect the data's integrity, or protect against loss of business when computing resources fail? What is the higher priority: serving customers or securing data?  Where the responsibility for security lies. For example, should the responsibility rest with a small computer security group, with each employee, or with relevant managers?  The organization's commitment to security. For example, who provides security support for staff, and where does security fit into the organization's structure? 2. Current Security Status To be able to plan for security, an organization must understand the vulnerabilities to which it may be exposed. The organization can determine the vulnerabilities by performing a risk analysis: a careful investigation of the system, its environment, and the things that might go wrong. The risk analysis forms the basis for describing the current status of security. The status can be expressed as a listing of organizational assets, the security threats to the assets, and the controls in place to protect the assets. 3. Requirements The heart of the security plan is its set of security requirements: functional or performance demands placed on a system to ensure a desired level of security. The
  23. 23. For More : https://www.ThesisScientist.co requirements are usually derived from organizational needs. Sometimes these needs include the need to conform to specific security requirements imposed from outside, such as by a government agency or a commercial standard. Figure 8-1 illustrates how the different aspects of system analysis support the security planning process. As with the general software development process, the security planning process must allow customers or users to specify desired functions, independent of the implementation. The requirements should address all aspects of security: confidentiality, integrity, and availability. They should also be reviewed to make sure that they are of appropriate quality. In particular, we should make sure that the requirements have these characteristics:  Correctness: Are the requirements understandable? Are they stated without error?  Consistency: Are there any conflicting or ambiguous requirements?  Completeness: Are all possible situations addressed by the requirements?  Realism: Is it possible to implement what the requirements mandate?  Need: Are the requirements unnecessarily restrictive?  Verifiability: Can tests be written to demonstrate conclusively and objectively that the requirements have been met? Can the system or its functionality be measured in some way that will assess the degree to which the requirements are met?  Traceability: Can each requirement be traced to the functions and data related to it so that changes in a requirement can lead to easy reevaluation? 4. Recommended Controls
  24. 24. For More : https://www.ThesisScientist.co The security requirements lay out the system's needs in terms of what should be protected. The security plan must also recommend what controls should be incorporated into the system to meet those requirements. Throughout this book you have seen many examples of controls, so we need not review them here. As we see later in this chapter, we can use risk analysis to create a map from vulnerabilities to controls. The mapping tells us how the system will meet the security requirements. That is, the recommended controls address implementation issues: how the system will be designed and developed to meet stated security requirements. 5. Responsibility for Implementation A section of the security plan should identify which people are responsible for implementing the security requirements. This documentation assists those who must coordinate their individual responsibilities with those of other developers. At the same time, the plan makes explicit who is accountable should some requirement not be met or some vulnerability not be addressed. That is, the plan notes who is responsible for implementing controls when a new vulnerability is discovered or a new kind of asset is introduced. People building, using, and maintaining the system play many roles. Each role can take some responsibility for one or more aspects of security. Consider, for example, the groups listed here.  Personal computer users may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security.  Project leaders may be responsible for the security of data and computations  Managers may be responsible for seeing that the people they supervise implement security measures.  Database administrators may be responsible for the access to and integrity of data in their databases.  Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data.  Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs. 6. Timetable A comprehensive security plan cannot be executed instantly. The security plan includes a timetable that shows how and when the elements of the plan will be performed. These dates also give milestones so that management can track the progress of implementation.
  25. 25. For More : https://www.ThesisScientist.co If the implementation is to be a phased development (that is, the system will be implemented partially at first, and then changed functionality or performance will be added in later releases), the plan should also describe how the security requirements will be implemented over time. Even when overall development is not phased, it may be desirable to implement the security aspects of the system over time. For example, if the controls are expensive or complicated, they may be acquired and implemented gradually. Similarly, procedural controls may require staff training to ensure that everyone understands and accepts the reason for the control. The plan should specify the order in which the controls are to be implemented so that the most serious exposures are covered as soon as possible. A timetable also gives milestones by which to judge the progress of the security program. 7. Continuing Attention Good intentions are not enough when it comes to security. We must not only take care in defining requirements and controls, but we must also find ways for evaluating a system's security to be sure that the system is as secure as we intend it to be. Thus, the security plan must call for reviewing the security situation periodically. As users, data, and equipment change, new exposures may develop. In addition, the current means of control may become obsolete or ineffective (such as when faster processor times enable attackers to break an encryption algorithm). The inventory of objects and the list of controls should periodically be scrutinized and updated, and risk analysis performed anew. The security plan should set times for these periodic reviews, based either on calendar time (such as, review the plan every nine months) or on the nature of system changes (such as, review the plan after every major system release). Security Planning Team Members Who performs the security analysis, recommends a security program, and writes the security plan? As with any such comprehensive task, these activities are likely to be performed by a committee that represents all the interests involved. The size of the committee depends on the size and complexity of the computing organization and the degree of its commitment to security. Organizational behavior studies suggest that the optimum size for a working committee is between five and nine members. Sometimes a larger committee may serve as an oversight body to review and comment on the products of a smaller working committee. Alternatively, a large committee might designate subcommittees to address various sections of the plan. The membership of a computer security planning team must somehow relate to the different aspects of computer security .Security in operating systems and networks requires the cooperation of the systems administration staff. Program security measures can be understood and recommended by applications programmers. Physical security controls are implemented by those responsible for general physical security, both against human attacks and natural disasters. Finally, because controls affect system users, the
  26. 26. For More : https://www.ThesisScientist.co plan should incorporate users' views, especially with regard to usability and the general desirability of controls. Thus, no matter how it is organized, a security planning team should represent each of the following groups.  computer hardware group  system administrators  systems programmers  applications programmers  data entry personnel  physical security personnel  representative users Assuring Commitment to a Security Plan After the plan is written, it must be accepted and its recommendations carried out. Acceptance by the organization is key; a plan that has no organizational commitment is simply a plan that collects dust on the shelf. Commitment to the plan means that security functions will be implemented and security activities carried out. Three groups of people must contribute to making the plan a success.  The planning team must be sensitive to the needs of each group affected by the plan.  Those affected by the security recommendations must understand what the plan means for the way they will use the system and perform their business activities. In particular, they must see how what they do can affect other users and other systems.  Management must be committed to using and enforcing the security aspects of the system. Writing a Security Policy Security is largely a "people problem." People, not computers, are responsible for implementing security procedures, and people are responsible when security is breached. Therefore, network security is ineffective unless people know their responsibilities. It is important to write a security policy that clearly states what is expected and from whom. A network security policy should define: The network user's security responsibilities The policy may require users to change their passwords at certain intervals, to use passwords that meet certain guidelines, or to perform certain checks to see if their accounts have been accessed by someone else. Whatever is expected from users, it is important that it be clearly defined.
  27. 27. For More : https://www.ThesisScientist.co The system administrator's security responsibilities The policy may require that every host use specific security measures, login banner messages, or monitoring and accounting procedures. It might list applications that should not be run on any host attached to the network. The proper use of network resources Define who can use network resources, what things they can do, and what things they should not do. If your organization takes the position that email, files, and histories of computer activity are subject to security monitoring, tell the users very clearly that this is the policy. The actions taken when a security problem is detected What should be done when a security problem is detected? Who should be notified? It is easy to overlook things during a crisis, so you should have a detailed list of the exact steps that a system administrator or user should take when a security breach is detected. This could be as simple as telling the users to "touch nothing, and call the network security officer." But even these simple actions should be in the written policy so that they are readily available. Security planning (assessing the threat, assigning security responsibilities, and writing a security policy) is the basic building block of network security, but the plan must be implemented before it can have any effect. A Model for Network Security A model for much of what we will be discussing is captured, in very general terms, in Figure 1.5. A message is to be transferred from one party to another across some sort of internet. The two parties, who are the principals in this transaction, must cooperate for the exchange to take place. A logical information channel is established by defining a route through the internet from source to destination and by the cooperative use of communication protocols (e.g., TCP/IP) by the two principals.
  28. 28. For More : https://www.ThesisScientist.co Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two components:  A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender  Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception. A trusted third party may be needed to achieve secure transmission. For example, a third party may be responsible for distributing the secret information to the two principals while keeping it from any opponent. Or a third party may be needed to arbitrate disputes between the two principals concerning the authenticity of a message transmission. This general model shows that there are four basic tasks in designing a particular security service: 1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose. 2. Generate the secret information to be used with the algorithm. 3. Develop methods for the distribution and sharing of the secret information.
  29. 29. For More : https://www.ThesisScientist.co 4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service However, there are other security-related situations of interest that do not neatly fit this model. A general model of these other situations is illustrated by Figure 1.6, which reflects a concern for protecting an information system from unwanted access. Most readers are familiar with the concerns caused by the existence of hackers, who attempt to penetrate systems that can be accessed over a network. The hacker can be someone who, with no malign intent, simply gets satisfaction from breaking and entering a computer system. Or, the intruder can be a disgruntled employee who wishes to do damage, or a criminal who seeks to exploit computer assets for financial gain (e.g., obtaining credit card numbers or performing illegal money transfers). Another type of unwanted access is the placement in a computer system of logic that exploits vulnerabilities in the system and that can affect application programs as well as utility programs, such as editors and compilers. Programs can present two kinds of threats:  Information access threats intercept or modify data on behalf of users who should not have access to that data.  Service threats exploit service flaws in computers to inhibit use by legitimate users. The security mechanisms needed to cope with unwanted access fall into two broad categories (see Figure 1.6). The first category might be termed a gatekeeper function. It includes password-based login procedures that are designed to deny access to all but authorized users and screening logic that is designed to detect and reject worms, viruses, and other similar attacks. Once either an unwanted user or unwanted software gains
  30. 30. For More : https://www.ThesisScientist.co access, the second line of defense consists of a variety of internal controls that monitor activity and analyze stored information in an attempt to detect the presence of unwanted intruders. Access Control and Monitoring What is access control?  The ability to allow only authorized users, programs or processes system or resource access  The granting or denying, according to a particular security model, of certain permissions to access a resource  An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules.  Access control is the heart of security Access Control Models (based on how security policies are managed)  Discretionary Access Control (DAC)  Mandatory Access Control (MAC)  Role-Based Access Control (RBAC) Access Control Models  The subjects are the active entities (a.k.a. principals) that do things  The objects are the passive entities to which things are done.  Examples of subjects might be a person or a process on a computer, an example of an object might be a file or a subroutine. The sets of subjects and objects need not be disjoint.  Our model of access control is illustrated as follows:
  31. 31. For More : https://www.ThesisScientist.co Here we are presuming Complete Mediation: Every request any subject makes will be checked and the decision is based on past actions (and perhaps some stored information that summarizes those past actions). In our example of the guard at the door, this assumption is equivalent to postulating that students are not allowed to come through the window---only through the door---where their ID is checked against a list (=stored information) DAC: Discretionary Access Control 1. Definition: An individual user can set an access control mechanism to allow or deny access to an object. 2. Relies on the object owner to control access. 3. DAC is widely implemented in most operating systems, and we are quite familiar with it. Strength of DAC:  Flexibility: a key reason why it is widely known and implemented in mainstream operating systems. Limitation of DAC:  Global policy: DAC let users to decide the access control policies on their data, regardless of whether those policies are consistent with the global policies. Therefore, if there is a global policy, DAC has trouble to ensure consistency.  Information flow: information can be copied from one object to another, so access to a copy is possible even if the owner of the original does not provide access to the original copy. This has been a major concern for military.  Malicious software: DAC policies can be easily changed by owner, so a malicious program (e.g., a downloaded untrustworthy program) running by the owner can change DAC policies on behalf of the owner.  Flawed software: Similarly to the previous item, flawed software can be “instructed” by attackers to change its DAC policies. MAC: Mandatory Access Control 1. Definition: A system-wide policy decrees who is allowed to have access; individual user cannot alter that access. 2. Relies on the system to control access. 3. Examples:  The law allows a court to access driving records without the owners' permission. 4. Traditional MAC mechanisms have been tightly coupled to a few security models. 5. Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.) Role-Based Access Control (RBAC)
  32. 32. For More : https://www.ThesisScientist.co We have not yet distinguished among kinds of users, but we want some users (such as administrators) to have significant privileges, and we want others (such as regular users or guests) to have lower privileges. In companies and educational institutions, this can get complicated when an ordinary user becomes an administrator or a baker moves to the candlestick makers' group. Role-based access control lets us associate privileges with groups, such as all administrators can do this or candlestick makers are forbidden to do this. Administering security is easier if we can control access by job demands, not by person. Access control keeps up with a person who changes responsibilities, and the system administrator does not have to choose the appropriate access control settings for someone. Access Control Methods  Access Control Matrix  Access Control List  Capability List  Access Control Matrix  Access control matrix, a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.  In general, the access control matrix is sparse (meaning that most cells are empty): Most subjects do not have access rights to most objects. The access matrix can be represented as a list of triples, having the form <subject, object, rights>. Searching a large number of these triples is inefficient enough that this implementation is seldom used  We can represent access rights enforced by complete mediation using an access control matrix. Let Subj be the set of subjects and Obj be the set of objects.  Neither set is ordered, and we postulate that Subj is a subset of Obj. Subjects are active entities, and we want subjects to be able to do things to other subjects (e.g., processes can send kill signals to other processes), so it is sensible that Subj be a subset of Obj.  The system state with respect to access control can be represented in a matrix, as follows:
  33. 33. For More : https://www.ThesisScientist.co  Each entry of the matrix stores the access rights that the subject of that row has to the object of that column. We denote this: [S, O].  Systems are not static, and there will often be changes in access rights of subjects to objects. We therefore specify commands that will change state as follows: name(O, O', O'', . . ., S, S', S'') if (R in [S, O]), (R' in [S', O']), . . . then Op1 Op2 Op3 .... Where the arguments to the command are names of elements in Obj. Note that the conditions of the if statement are predicates, either true or false. Operations (Op1, Op2, etc.) change the protection matrix. They include: create object O -- add a column, create subject S -- add a row, delete object O -- delete a column, and delete subject S -- delete a row, as well as operations that grant and take back rights such as: grant R to [S, O] which is equivalent to [S, O] := [S, O] union {R}, and delete R from [S, O] which is equivalent to [S, O] := [S, O] - {R}. We have described a simple programming language. For the purposes of our discussion, we disregard details such as how to handle deleting an object that does not exist. Using this language, we can postulate protection commands that model, for example, creating a file, conferring read rights and revoking read rights, as follows: create.file(p, f)
  34. 34. For More : https://www.ThesisScientist.co create object f grant own rights to [p, f] grant read rights to [p, f] grant write rights to [p, f] confer.read(p, q, f) if (own in [p, f]) then grant read to [q, f] revoke.read(p, q, f) if (own in [p, f]) then delete read from [q, f]. In the proposed scheme, any right a subject S has to an object can be conferred to any other subject S' if S has "own" rights over the object. A domain is a set of objects that a subject can access. In other words, a domain is the union of the elements of a row in the access matrix. A process that changes from one small protection domains to another as execution proceeds can obey the Principle of Least Privilege. We implement multiple small protection domains by associating multiple rows of the access control matrix with a process. Each row defines a domain. However, now we need to allow a domain (subject) to transfer control to another. An "enter" right for one domain to the other permits such a cross-domain transfer. The issue now is to identify criteria for a domain change, and make sure causing these domain changes does not end up adding work to the programmer. We solve this problem by overloading procedure call with domain changes to get protected procedures. Each protected procedure executes in its own protection domain. Thus, execution in a protected procedure has certain inalienable rights. Some of these rights come from arguments in the call, others from information obtained statically. We give an example of a protected domain. Imagine that subjects consist of a user and an editor, and that the objects are some files and a spelling-checker dictionary. The matrix may look as follows (without the dotted arrows):
  35. 35. For More : https://www.ThesisScientist.co Upon invoking the editor, the access matrix changes, and the r/w privileges move from the first column to the second (as indicated by the dotted arrows). Also, note that only the editor has access to the dictionary. Now, suppose there are two users that wish to invoke the editor: In this case, it appears that the editor has access to all three files. In practice, there will be two copies of the editor running and we desire that each copy only has access to the files of one user. The solution is to invent a "template" domain. A procedure call (such as invoking the editor) causes a new domain to be constructed based on the template. This adds a new subject/row to the matrix. Upon return from the procedure call the instantiated domain is destroyed and the process continues execution in the user domain. Disadvantage:  In a large system, the matrix will be enormous in size and mostly sparse. Access Control List In access control list there is one such list for each object, and the list shows all subjects who should have access to the object and what their access is. The column of access control matrix. An obvious variant of the access control matrix is to store each column with the object it represents. Thus, each object has associated with it
  36. 36. For More : https://www.ThesisScientist.co a set of pairs, with each pair containing a subject and a set of rights. The named subject can access the associated object using any of those rights. More formally: Consider the access control matrix in Figure 2-1, The set of subjects is process 1 and process 2, and the set of objects is file 1, file 2, process 1, and process 2. The corresponding access control lists are acl(file 1) = { (process 1, { read, write, own }), (process 2, { append }) } acl(file 2) = { (process 1, { read }), (process 2, { read, own }) } acl(process 1) = { (process 1, { read, write, execute, own }), (process 2, { read }) } acl(process 2) = { (process 1, { write }), (process 2, { read, write, execute, own }) } Each subject and object has an associated ACL. Thus, process 1 owns file 1, and can read from or write to it; process 2 can only append to file 1. Similarly, both processes can read file 2, which process 2 owns. Both processes can read from process 1; both processes can write to process 2. The exact meanings of "read" and "write" depend on the instantiation of the rights. Creation and Maintenance of Access Control Lists Specific implementations of ACLs differ in details. Some of the issues are as follows. 1. Which subjects can modify an object's ACL? 2. If there is a privileged user (such as root in the UNIX system or administrator in Windows NT), do the ACLs apply to that user? 3. Does the ACL support groups or wildcards (that is, can users be grouped into sets based on a system notion of "group" or on pattern matching)?
  37. 37. For More : https://www.ThesisScientist.co 4. How are contradictory access control permissions handled? If one entry grants read privileges only and another grants write privileges only, which right does the subject have over the object? 5. If a default setting is allowed, do the ACL permissions modify it, or is the default used only when the subject is not explicitly mentioned in the ACL? Which Subjects Can Modify an Object's ACL? When an ACL is created, rights are instantiated. Chief among these rights is the one we will call own. Possessors of the own right can modify the ACL. Creating an object also creates its ACL, with some initial value (possibly empty, but more usually the creator is initially given all rights, including own, over the new object). By convention, the subject with own rights is allowed to modify the ACL. However, some systems allow anyone with access to manipulate the rights. Do the ACLs Apply to a Privileged User? Many systems have users with extra privileges. The two best known are the root super- user on UNIX systems and the administrator user on Windows NT and 2000 systems. Typically, ACLs (or their degenerate forms) are applied in a limited fashion to such users Does the ACL Support Groups and Wildcards? In its classic form, ACLs do not support groups or wildcards. In practice, systems support one or the other (or both) to limit the size of the ACL and to make manipulation of the lists easier. A group can either refine the characteristics of the processes to be allowed access or be a synonym for a set of users (the members of the group). Conflicts A conflict arises when two access control list entries in the same ACL give different permissions to the subject. The system can allow access if any entry would give access, deny access if any entry would deny access, or apply the first entry that matches the subject. ACLs and Default Permissions When ACLs and abbreviations of access control lists or default access rights coexist (as on many UNIX systems), there are two ways to determine access rights. The first is to apply the appropriate ACL entry, if one exists, and to apply the default permissions or abbreviations of access control lists otherwise. The second way is to augment the default permissions or abbreviations of access control lists with those in the appropriate ACL entry.
  38. 38. For More : https://www.ThesisScientist.co Revocation of Rights Revocation, or the prevention of a subject's accessing an object, requires that the subject's rights be deleted from the object's ACL. Preventing a subject from accessing an object is simple. The entry for the subject is deleted from the object's ACL. If only specific rights are to be deleted, they are removed from the relevant subject's entry in the ACL. If ownership does not control the giving of rights, revocation is more complex Advantage:  Easy to determine who can access a given object.  Easy to revoke all access to an object Disadvantage:  Difficult to know the access right of a given subject.  Difficult to revoke a user's right on all objects. Used by most mainstream operating system Capability List Conceptually, a capability is like the row of an access control matrix. Each subject has associated with it a set of pairs, with each pair containing an object and a set of rights. The subject associated with this list can access the named object in any of the ways indicated by the named rights. More formally: The row of access control matrix. We abbreviate "capability list" as C-List. Again, consider the access control matrix in Figure 2-1 The set of subjects is process 1 and process 2. The corresponding capability lists are cap(process 1) = { (file 1, { read, write, own }), (file 2, { read }), (process 1, {read, write, execute, own}), (process 2, { write }) } cap(process 2) = { (file 1, { append }), (file 2, { read, own }), (process 1, { read }), (process 2, {read, write, execute, own}) } Each subject has an associated C-List. Thus, process 1 owns file 1, and can read or write to it; process 1 can read file 2; process 1 can read, write to, or execute itself and owns itself; and process 1 can write to process 2. Similarly, process 2 can append to file 1; process 2 owns file 2 and can read it; process 2 can read process 1; and process 2 can read, write to, or execute itself and owns itself.
  39. 39. For More : https://www.ThesisScientist.co Capabilities encapsulate object identity. When a process presents a capability on behalf of a user, the operating system examines the capability to determine both the object and the access to which the process is entitled. This reflects how capabilities for memory management work; the location of the object in memory is encapsulated in the capability. Without a capability, the process cannot name the object in a way that will give it the desired access Implementation of Capabilities Three mechanisms are used to protect capabilities: tags, protected memory, and cryptography. 1.A tagged architecture has a set of bits associated with each hardware word. The tag has two states: set and unset. If the tag is set, an ordinary process can read but not modify the word. If the tag is unset, an ordinary process can read and modify the word. Further, an ordinary process cannot change the state of the tag; the processor must be in a privileged mode to do so. 2. More common is to use the protection bits associated with paging or segmentation. All capabilities are stored in a page (segment) that the process can read but not alter. This requires no special-purpose hardware other than that used by the memory management scheme. But the process must reference capabilities indirectly, usually through pointers, rather than directly. The c-list is stored in the kernel's memory and is a table with rights and pointers to objects. Instead of giving capabilities directly to processes, we only provide processes with indices to the table. A process can utter only these indices, and thus a process can only talk about capabilities that it has, making it impossible to create new capabilities. We are using indirection to prevent processes from forging capabilities.
  40. 40. For More : https://www.ThesisScientist.co Associated with a c-list are meta-instructions that allow capabilities to be changed. These meta-instructions include: create a new c-list, copy a capability into the c-list, and delete a capability from a c-list. These operations allow processes to instruct the kernel to move capabilities around. 3. A third alternative is to use cryptography. The goal of tags and memory protection is to prevent the capabilities from being altered. This is akin to integrity checking. Cryptographic checksums are another mechanism for checking the integrity of information. Each capability has a cryptographic checksum associated with it, and the checksum is digitally enciphered using a cryptosystem whose key is known to the operating system. When the process presents a capability to the operating system, the system first recomputes the cryptographic checksum associated with the capability. It then either enciphers the checksum using the cryptographic key and compares it with the one stored in the capability, or deciphers the checksum provided with the capability and compares it with the computed checksum. If they match, the capability is unaltered. If not, the capability is rejected Comparison with Access Control Lists Two questions underlie the use of access controls: 1. Given a subject, what objects can it access, and how? 2. Given an object, what subjects can access it, and how? In theory, either access control lists or capabilities can answer these questions. For the first question, capabilities are the simplest; just list the elements of the subject's associated C-List. For the second question, ACLs are the simplest; just list the elements of the object's access control list. In an ACL-based system, answering the first question requires all objects to be scanned. The system extracts all ACL entries associated with the subject in question. In a capability-based system, answering the second question requires all subjects to be scanned. The system extracts all capabilities associated with the object in question. Advantage:  Easy to know the access right of a given subject.  Easy to revoke a user‟s access right on all objects. Disadvantage:  Difficult to know who can access a given object.  Difficult to revoke all access right to an object. A number of capability-based computer systems were developed, but have not proven to be commercially successful. Packet Filtering using ACL
  41. 41. For More : https://www.ThesisScientist.co Each of these rules has some powerful implications when filtering IP and IPX packets with access lists. There are two types of access lists used with IP and IPX: Standard access lists: These use only the source IP address in an IP packet to filter the network. This basically permits or denies an entire suite of protocols. IPX standards can filter on both source and destination IPX address. You create a standard IP access list by using the access list numbers 1–99. Extended access lists: this check for source and destination IP address, protocol field in the Network layer header, and port number at the Transport layer header. IPX extended access lists use source and destination IPX addresses, Network layer protocol fields, and socket numbers in the Transport layer header. You‟ll use the extended access list range from 100 to 199. Once you create an access list, you apply it to an interface with either an inbound or outbound list: Inbound access lists: Packets are processed through the access list before being routed to the outbound interface. Outbound access lists: Packets are routed to the outbound interface and then processed through the access list. This tells the list to deny any packets from host 172.16.30.2. The default command is Host In other words, if you type access-list 10 deny 172.16.30.2; the router assumes you mean host 172.16.30.2. Wildcards Wildcards are used with access lists to specify a host, network, or part network. To understand wildcards, you need to understand block size Block sizes are used to specify a range of addresses. The following lists some of the different block sizes available. Block Sizes: 64,32,16,8,4 To specify that an octet can be any value, the value of 255 is used. As an example, here is how a full subnet is specified with a wildcard: This tells the router to match up the first three octets exactly, but the fourth octet can be any value. Configuration of standard access lists Acme#config t Acme(config)#access-list 10 deny 172.16.40.0 0.0.0.255 Acme(config)#access-list 10 permit any Acme(config)#int e0 Acme(config-if)#ip access-group 10 out
  42. 42. For More : https://www.ThesisScientist.co Configuration of extended access lists Acme#config t Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 21 Acme(config)#access-list 110 deny tcp any host 172.16.10.5 eq 23 Acme(config)#access-list 110 permit ip any any Acme(config)#int e2 Acme(config-if)#ip access-group 110 out Password security  Perhaps the most important issue for network security, beyond the realm of accidents, is the consistent use of strong passwords.  Unix-like operating systems which allow remote logins from the network are particularly vulnerable to password attacks.  The .rhosts and hosts.equiv files which allowed login without password challenge via rsh and rlogin were acceptable risks in bygone times, but these days one cannot afford to be lax about security.  The problem with this mechanism is that .rhosts and hosts.equiv use hostnames as effective passwords.  This mechanism trusts DNS name service lookups which can be spoofed in elaborate attacks.  Moreover, if a cracker gets into one host, he/she will then be able to log in on every host in these files without a password. This greatly broadens the possibilities for effective attack.  Typing a password is not such a hardship for users and there are alternative ways of performing remote execution for administrators, without giving up password protection (e.g. use of cfengine).  Password security is the first line of defence against intruders. Once a malicious user has gained access to an account, it is very much easier to exploit other weaknesses in security.  Some sites use schemes such as password aging in order to force users to change passwords regularly. This helps to combat password familiarity gained over time by local peer users, but it has an unfortunate side-effect.  Users who tend to set poor passwords will not appreciate having to change their passwords repeatedly and will tend to rebel by setting trivial passwords if they can.  Once a user has a good password, it is often advantageous to leave it alone.  The problems of password aging are insignificant compared with the problem of weak passwords. Finding the correct balance of changing and leaving alone is a challenge.
  43. 43. For More : https://www.ThesisScientist.co  Passwords are not visible to ordinary users, but their encrypted form is often visible. Even on Windows systems, where a binary file format is used, a freely available program like PwDump can be used to decode the binary format into ASCII.  There are many publicly available programs which can guess passwords and compare them with the encrypted forms, e.g. crack, which is available both for Unix and for Windows.  No one with an easy password is safe. Passwords should never be any word in a dictionary or a simple variation of such a word or name. It takes just a few seconds to guess these.  Modern operating systems have shadow password files or databases that are not readable by normal users. For instance, the Unix password file contains an „x‟ instead of a password, and the encrypted password is kept in an unreadable file. This makes it much harder to scan the password file for weak passwords.  Tools for password cracking (e.g. Alec Muffet‟s crack program) can help administrators find weak passwords before crackers do. What is a Firewall?  A process that filters all traffic between a protected or “inside” network and a less trustworthy or “outside” network.  Firewalls implement a security policy, which distinguish “good” traffic from “bad” traffic. Part of the challenge of protecting a network with a firewall is determining the security policy that meets the needs of the installation. Why firewall is required? “When you‟re connected to the Internet, the Internet is connected to you.” Your Internet connection is an open two-way channel; when you are connected to the Internet, any machine on the Internet can reach your machines. Therefore it can use any service running on your desktop PCs or servers – Microsoft Windows Networking (your shared files and printers), e-mail, telnet, NFS, your company database, etc. – unless you explicitly prevent it. Some services are protected by usernames and passwords, but operating systems and applications often have security holes that let a malign hacker bypass these basic checks. Or, the hacker may be able to install a “Trojan horse” program or sniffer to capture your passwords, and then use your servers posing as a legitimate user. This is where a firewall comes in. It‟s a single, secured point of entry and exit for your network: everything passes through here and nothing comes in or out anywhere else. It blocks access to your network at the perimeter of your site (Figure 24.1). Because the packets are blocked before they even reach the machines that are running your services, they protect you from (many of) the vulnerabilities in your applications and operating systems
  44. 44. For More : https://www.ThesisScientist.co At their most basic, firewalls block particular TCP/IP source/destination address/port combinations. For example, your mail server (IP number 192.0.2.66) listens on port 25, and your Web server (192.0.2.77) listens on port 80. Your firewall might have rules like: Features of a firewall are:  alerting you to hacker attacks, so you can take immediate evasive action if required  Logging your Internet activity. Because all access is through this one point, monitoring your firewall lets you track all your Internet traffic. Design of Firewalls:  By careful positioning of a firewall within a network, we can ensure that all network access that we want to control must pass through it.  A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer, with direct connections generally just to the outside and inside networks Types of Firewalls: Firewalls have a wide range of capabilities. Types of firewalls include:  packet filtering gateways or screening routers  stateful inspection firewalls  application proxies
  45. 45. For More : https://www.ThesisScientist.co  guards  personal firewalls 1. Packet filtering gateways or screening routers  The router performs the normal LAN-to-Internet routing function, but it‟s also configured to act as a packet filter with a set of rules to allow or deny packets based on their source and destination.  A packet is filtered only on the information in its header; the content or payload of the packet is not examined Figure 24.3 shows a set of packet filtering rules for a firewall of this type. Packet filtering is very fast, but because it only looks at each packet in isolation, it has significant limitations:  it doesn‟t maintain any state about established TCP connections, so there are certain types of attack it can‟t block  it has difficulty handling FTP, because of FTP‟s multiple-port operation. Some firewalls can only handle passive-mode FTP because of this  it doesn‟t handle user authentication which requires the firewall to keep state information about authenticated users. Ordering of security “permit/deny” rules The packet filtering rules in Figure 24.3 are applied top-down. When the firewall/router receives a packet, it compares the packet headers against the first rule; if the packet matches, the action specified in the rule is performed (“permit” in this case) on the packet, and that‟s the end of that. However, if the first rule doesn‟t match, the packet is
  46. 46. For More : https://www.ThesisScientist.co compared with the second rule. If that matches, it‟s actioned; otherwise the third rule is checked, and so on, until no rules are left. Usually there is an automatic, “deny- everything,” catch-all rule inserted at the end. 2. Stateful inspection firewalls  A stateful packet inspection (SPI) firewall maintains a table of current activity, e.g. information about each TCP connection, and uses this information in conjunction with the packet‟s source and destination addresses/ports to decide whether the packet should be allowed or denied (blocked)  Figure 24.4 illustrates how incoming traffic, even for the same port, is distinguished on the basis of whether it is part of an existing connection. By contrast, a packet filter would either allow traffic to port: 1234 or deny it; it could not distinguish between the two cases shown, because it keeps no record (state information) about what happened in the past. SPI firewalls have many advantages over basic packet filtering:
  47. 47. For More : https://www.ThesisScientist.co  They can allow reverse traffic automatically, without your having to enter specific rules. Consider an inside Web client connecting to a Web server outside on the Internet. The TCP connection will be from an ephemeral port (:1234, say) on the client, to port :80 on the server. With a packet filter you have a problem, because you won‟t know in advance what the ephemeral port is, and often just have to allow any incoming access to a whole range of ports that might be used as ephemeral ports by clients. By contrast, the SPI firewall records the ephemeral port number in its state table when the connection is first established through the firewall, and knows that only this Web server is allowed reply to this client on this port  Similarly, even though the firewall might “allow incoming Web connections to port 80 on internal server 192.0.2.55,” if an incoming packet for that destination isn‟t part of an existing connection, e.g. if the connection hasn‟t completed the normal three-way TCP handshake the firewall can deny it. So even though port 80 has been “opened” on the firewall, incoming traffic to port 80 is subjected to many other checks before being permitted. By contrast, on a packet filter, an “allow traffic to port 80 on 192.0.2.55” is a “blanket” allow – anything to that port is permitted. This is an important distinction: there are hacker attacks that work by sending a packet that looks like it‟s in the middle of a TCP session. SPI firewalls can block these attacks but packet filters can‟t  They can control UDP and ICMP traffic, even though these are connectionless, by creating “pseudo sessions.” For example, the firewall can recognize an outgoing ICMP ping packet and record the source and destination, ping identifier and sequence number, etc. in its state table, and permit only incoming packets that are replies to this  They can handle user authentication. An external user can connect to the firewall and authenticate (“logon”) to it and the firewall records this fact. It can then let this user access internal resources that are blocked to non-authenticated users. This allows external users to connect to private internal mail and Web servers from external sites, for instance. In short, SPI firewalls give much finer control over your traffic than do packet- filtering fire- walls. You will usually have far fewer rules too, which makes configuring them much easier and much less error-prone. Let‟s look at a specific example of how an SPI firewall can block a particular type of attack, using its state information.  A common denial of service (DoS) attack is the “SYN Flood.” Here‟s how it works. When a TCP connection is being established, client and server go through the normal SYN, SYN/ACK, ACK three-way handshake When the server receives the initial SYN from the client, it replies with SYN/ACK and creates an entry in an internal table saying it‟s awaiting an ACK from the client to complete the connection establishment (Figure 24.5)
  48. 48. For More : https://www.ThesisScientist.co  When the client sends the answering ACK, the server removes the entry from the “awaiting ACK” table because the connection is now fully established (Figure 24.7).  In a SYN flood, the attacker sends a large number of SYNs in quick succession and never completes the connection establishment. The server‟s internal table fills up (Figure 24.7) so it‟s unable to accept connections from any other, real clients. In this way it has denied service to legitimate users.
  49. 49. For More : https://www.ThesisScientist.co  SPI firewalls can protect servers from this type of attack. Instead of passing the initial SYN through to the server, the firewall itself sends the SYN/ACK, and awaits the establishing ACK. If the client is legitimate and sends the ACK, the firewall then performs its own three-way handshake with the server (Figure 24.8); when that‟s complete, it passes all traffic from the legitimate client to the server as normal. However, if the client is a hacker attempting a SYN flood, the real server is never contacted; the firewall detects the attack, recognizing the abnormal load of incomplete connection establishments and discarding them. The firewall may also raise an alert to inform the network manager of the attack
  50. 50. For More : https://www.ThesisScientist.co  Because the firewall must maintain state tables for each established TCP connection, for connections in the process of being established, and for UDP and ICMP packets, it can use a lot of memory. This is why you will often see a firewall advertised as “handling 5000 simultaneous connections” or similar. The busier your site, the more connections will be needed, so the firewall must have the memory and processing power to handle the likely volume 3. Application proxies or application-level gateways An application-level gateway (ALG) is a firewall program that runs at the application level of the TCP/IP stack, not at the IP packet level. Figure 24.9 shows a client on the Internet connecting to one of our internal servers via an ALG firewall.  the client establishes a connection to the ALG  the ALG connects to the server
  51. 51. For More : https://www.ThesisScientist.co  The ALG acts as a proxy on behalf of the client. It accepts requests from the client, analyzes them, and if they are acceptable according to the firewall‟s rules, re-issues them on the ALG‟s connection to the server. The ALG handles responses from the server in the same way. With an ALG there are two separate TCP connections, as illustrated in Figure 24.9. This is fundamentally different from packet filter and stateful packet inspection firewalls where there is a single connection from the client to the server with the firewall acting almost as a router (Figure 24.10). With the ALG, packets from the client are not forwarded to the server only the semantic information (protocol commands, etc.) extracted from the packets is relayed. Malformed packets sent from the client either because of a faulty client implementation or because they are deliberately malformed as part of a hacker attack can never reach the server. Advantages of application-level gateway firewalls  ALGs understand the application-level protocols being used, so they can check the meaning of requests and replies. Let‟s take some examples: 1. an early version of the sendmail mail server had a “backdoor” built in for debugging: if you used the WIZ (wizard) command, you could get root user (administrator) access. Because packet filters and SPI firewalls don‟t understand the SMTP protocol at this high level, they can‟t block valid but unwanted commands like this. Because the ALG does operate at the application level, it can easily block this type of request 2. ALGs can offer fine control over requests sent to a Web server. At the simplest level, the firewall could block certain URLs when requested by certain internal IP addresses. It could also block the Code Red worm‟s requests: they are valid according to the HTTP specs, but are recognizable because of the particular URL they request
  52. 52. For More : https://www.ThesisScientist.co 3. you could allow FTP GET requests but block PUT requests, so Internet users can retrieve files from your FTP server but can‟t deposit virus-laden or other troublesome files.  ALGs can give very detailed, protocol-specific logging. Disadvantages of application-level gateway firewalls  Because of the amount of state information and the number of open connections they maintain, ALGs need more memory and processing power than packet filters or SPI firewalls. They may also be slower because of the extra load of extracting and validating the application-level semantics  A separate proxy application must be provided within the firewall for each different protocol supported. When a new protocol or service is developed, there will usually be a delay before the firewall manufacturer releases a suitable proxy. For most people this delay won‟t matter, and anyway a generic proxy application can often be used as a stop gap. This will have no specific knowledge of the new protocol, but will allow it to operate through the firewall. Proxy programs are often only a few hundred lines of C program code, so they can be produced quickly  some old ALGs and proxies only worked with special versions of client applications or libraries that were aware they were using the ALG, but nowadays most ALGs are “transparent” giving the illusion that the client is connected directly to the server, and don‟t need any special client software. 4. Guards A guard is a sophisticated firewall. Like a proxy firewall, it receives protocol data units, interprets them, and passes through the same or different protocol data units that achieve either the same result or a modified result. The guard decides what services to perform on the user's behalf in accordance with its available knowledge, such as whatever it can reliably know of the (outside) user's identity, previous interactions, and so forth. The degree of control a guard can provide is limited only by what is computable. But guards and proxy firewalls are similar enough that the distinction between them is sometimes fuzzy. That is, we can add functionality to a proxy firewall until it starts to look a lot like a guard. Guard activities can be quite sophisticated, as illustrated in the following examples:  A university wants to allow its students to use e-mail up to a limit of so many messages or so many characters of e-mail in the last so many days. Although this result could be achieved by modifying e-mail handlers, it is more easily done by monitoring the common point through which all e-mail flows, the mail transfer protocol.

×