Lecture 5

Computer Network Security 2
Spoofing
Guessing or otherwise obtaining the
network authentication credentials of an
entity (a user, an account, a process, a node,
a device) permits an attacker to create a full
communication under the entity’s identity.
Examples of spoofing are masquerading,
session hijacking, and man-in-the-middle
attacks.

Masquerade
In a masquerade one host pretends to be another.
A common example is URL confusion. e.g. coca-
cola.com vs cocacola.com; xyz.net vs xyz.com
Domain names can easily be confused, or
someone can easily mistype certain names.
In another version of a masquerade, the attacker
exploits a flaw in the victim’s web server and is
able to overwrite the victim’s web pages.
Collect user information and perhaps pass it on to
the original

Session hijacking
Session hijacking is intercepting and carrying on a session
begun by another entity.
Suppose two entities have entered into a session but then a
third entity intercepts the traffic and carries on the session
in the name of the other.
A different type of example involves an interactive
session, e.g. If a system administrator logs in remotely to a
privileged account, a session hijack utility could intrude in
the communication and pass commands as if they came
from the administrator.

Man-in-the-Middle Attack
A man-in-the-middle attack is a similar form of
attack, in which one entity intrudes between two
others.
The difference between man-in-the-middle and
hijacking is that a man-in-the-middle usually
participates from the start of the session, whereas
a session hijacking occurs after a session has been
established.
The difference is largely semantic and not too
significant.

Man-in-the-Middle Attack
Man-in-the-middle attacks are frequently described in
protocols. To see how, suppose you want to exchange
encrypted information with your friend.
You contact the key server and ask for a secret key with
which to communicate with your friend. The key server
responds by sending a key to you and your friend.
One man-in-the-middle attack assumes someone can see
and enter into all parts of this protocol.
A malicious middleman intercepts the response key and
can then eavesdrop on, or even decrypt, modify, and re-
encrypt any subsequent communications between you and
your friend.

Intrusion Detection Systems
(IDS)

Intrusion Detection Systems (IDS)
An IDS is like an alarm system for your network.
The network is protected, but without the IDS (alarm), you
would never know whether an attacker was trying to gain
entry.
The goal of Intrusion detection is to monitor network
assets to detect unusual behaviour, inappropriate activity,
and attacks, or stop the attack (intrusion) and even provide
information to prosecute the attacker.
IDSs function on three premises:
Where to watch
What to watch for
What to do

The first premises “where to watch” tells the IDS the
logical location it will be monitoring for something to
happen.
The Second premises “what to watch for” tells the IDS
conditions for which it is supposed to be looking for to
raise an alarm or some kind of action.
The Third premises “what to do” is the action the IDS
has been told to take when a situation meets certain
parameters.
Real world examples of an IDS in action.
1. you install an IDs to watch the internet connection and those
trying to get into your network through your firewall.

2. You tell the IDS what types of hacks and attacks to look for based
on their packet and connection type and what activities these
might generate.
3. You tell the IDS to page you and send you an e-mail when one of
these attacks occurs.
There are some flaws in the whole IDS operating
principle.
First, the IDS can watch only one interface at a time.
Secondly, the IDS watches only for conditions that you
tell it about.
Finally, an IDS can actually become an ally to hackers.

IDS can be deployed in a variety of
locations within a network to further
increase in organization’s security and
protection.
In general, two basic forms of IDS are used
today.
Network intrusion detection system (NIDS).
Host intrusion detection system (HIDS).

Network Intrusion Detection Systems
(NIDS)
NIDS reside directly on the n/w and watches all
the traffic that traverses the n/w.
NIDS are effective at both watching for
inbound/outbound traffic flows and traffic
between hosts on or between local n/w segments.
NIDS are typically deployed in front of and
behind firewalls and VPN gateways to measure
the effectiveness of those security devices and
interact with them to add more depth to the
networks security.

Host Intrusion Detection Systems
(HIDS)
HIDS are specialized software application that are
installed on a computer (typically a user) to watch
all inbound and outbound communication traffic
to and from that server and to monitor the file
system for changes.
HIDS are extremely effective on mission-critical,
internet-accessible application server, such as web
server or e-mail servers, because they can watch
the application at source to protect them.

Both types of sensors offer different
techniques for detecting and deferring
malicious activity.
Both should be deployed to provide the
most effective enhancement to a layered
defence strategy.

What is a Firewall?
A firewall is a security device that sits on the edge
of your Internet connection and functions as an
Internet Border Security Officer.
It constantly looks at all the traffic entering and
exiting your connection, waiting for traffic it can
block or reject in response to an established rule.
The firewall is law and protection in a lawless
global web.
Firewalls can protect both individual computer
and corporate networks from hostile intrusions
from the internet.

Why Do I Need a Firewall?
It is no secret: hackers are out there, and they are
out to get us. Often, we do not know who they are,
but we do know where they are and where we do
not want them to be (in our n/w).
Like pirates of old roamed the seas, hackers roam
the wide expanses of the internet. You do not want
them to enter your n/w and roam among the
computers that connect to it.
You know that you must protect your n/w from
these attackers, and one of the most efficient
methods of protecting your n/w is to install a
firewall.

Why Do I Need a Firewall?
By default, any good firewall prevent n/w traffic
from passing between the internet and your
internal n/w. this does not mean that the firewall
will stop all traffic-that defeats the purpose of
being on the internet.
It does mean that the firewall is configured to
allow only web browsing (HTTP/port 80) to
access it from the internet.
Technically, a firewall is a specialized version of a
router. Apart from the basic routing functions and
rules, a router can be configured to perform the
firewall functionality, with the help of additional
software resources.

Common rules and features
Block incoming n/w traffic based on source or
destination- blocking unwanted incoming traffic is the
most common features of a firewall and is the main reason
for a firewall.
Block outgoing n/w traffic based on source or
destination- many firewalls can also screen n/w traffic
from your internal n/w to the internet. E.g. prevent your
employee from accessing inappropriate websites.
Block n/w traffic based on content- More advanced
firewall can screen n/w traffic for unacceptable content.
E.g. a firewall that is integrated with a virus scanner can
prevent files that contain viruses from entering your n/w.

Make internal resources available- Although the
primary purpose of a firewall is to prevent
unwanted n/w traffic from passing through it, you
can configure many firewalls to allow selective
access to internal resources, such as a public web
server, while still preventing other access from the
internet to your internal n/w.
Allow connections to internal n/w- A Common
method for employee to connect to a n/w is using
virtual private n/w (VPNs). VPNs allow to secure
connections from the internet to a corporate
networks. E.g. telesales and travelling people can
use a VPN to connect to corporate n/w

Make internal resources available-When
screening n/w traffic to and from the
internet, it is also important to know what
your firewall is doing, who tried to break
into your n/w, and who tried to access
inappropriate material on the internet.

Implementing a Firewall
The choice of available firewalls is almost
mind-boggling theses days; they come in
every shape, size and parameter.
The type of firewall you install depends on
exact requirement for protection and
management, as well as the size of your n/w
or what is to be protected by the firewall.
Firewalls usually fall into one of the
following categories

Implementing a Firewall
Persona firewall- is usually a piece of software that is
installed on a single PC to protect only the PC. These type
of firewalls are usually deployed on home PCs with
broadband connections or remote employees.
All-in-one-firewall- These kinds of firewalls are widely
used by broadband (cable or DSL) subscribers who have
the benefit of a single device that offers the following
features and functionality: router, Ethernet switches, WAP
and a firewall.
Small-to-medium office firewalls- These firewalls, such
as the Cisco PIX 501 or 506, are designed to provide
security and protection for small offices.
Enterprise firewalls- These firewalls, such as the Cisco
PIX 515, are designed for larger organization with
thousands of users.

ANY QUESTIONS
?

Lecture 5

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Lecture 5

Similar to Lecture 5 (20)

More from Education

More from Education (12)

Recently uploaded

Recently uploaded (20)

Lecture 5