solution number 4

Upload: philosophyhacker

Post on 05-Apr-2018


  • 7/31/2019 Solution Number 4

    1/24

    FACULTY OF COMPUTER SCIENCE AND INFORMATION TECHNOLOGY

    SSK4505 COMPUTER SECURITY SYSTEM

    ASSIGNMENT 4

    Lecturer: Sharifah Binti Md Yasin [Group 2]

    Group 1:

    Dong Yew Leong 151593

    Tan Yeong Zhuang 154725

    Chu Er Quan 155054

    Sham Wai Rock 151595

    Mohamad Javad Pishraft 159885


    Solution number 1

    1.0 Intrusion Detection System

    An intrusion detection system is a software application used to monitor network and system activities so that malicious programs can be detected. The goal of an intrusion detection system is to detect an intrusion as it happens and be able to respond to it as soon as possible. Besides, through the system, the user wants to minimize both false negatives and false positives.

    1.1 Technique

    Intrusion detection techniques have traditionally been classified into one of two methodologies: anomaly detection or misuse detection.

    1.1.1 Anomaly detection

    Based on its model of intrusions, an anomaly detection system detects intrusions by looking for activity that differs from a user's or system's normal behavior.

    1.1.2 Misuse detection model

    A misuse detection system detects intrusions by looking for activity that corresponds to known intrusion techniques (signatures) or system vulnerabilities.

    1.2 Strengths of Intrusion Detection Systems

    Intrusion detection systems can be used for monitoring and analysis of system events and user behaviors. The following are the functions of intrusion detection systems:

    Testing the security states of system configurations

    Recognizing patterns of system events that correspond to known attacks

    Recognizing patterns of activity that statistically vary from normal activity

    Managing operating system audit and logging mechanisms and the data they generate

    Alerting appropriate staff by appropriate means when attacks are detected

    Measuring enforcement of security policies encoded in the analysis engine

    Providing default information security policies

    Allowing non-security experts to perform important security monitoring functions


    1.3 Limitations of Intrusion Detection Systems

    Intrusion detection systems cannot perform the following functions:

    Compensating for weak or missing security mechanisms in the protection infrastructure, such as firewalls and identification mechanisms (NIST Special Publication on Intrusion Detection Systems)

    Instantaneously detecting, reporting, and responding to an attack when there is heavy network or processing load

    Detecting newly published attacks or variants of existing attacks

    Effectively responding to attacks launched by sophisticated attackers

    Automatically investigating attacks without human intervention

    Resisting attacks that are intended to defeat or circumvent them

    Compensating for problems with the fidelity of information sources

    Dealing effectively with switched networks

    1.4 False positives

    A false positive is a situation where something abnormal (as defined by the IDS) is reported, but it is not an intrusion.

    With too many false positives, you will stop monitoring your IDS because of the noise.

    1.5 False negatives

    A false negative is a situation where an intrusion is really happening, but your IDS does not report it.

    One false negative and the system is compromised.
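    The misuse and anomaly methodologies from 1.1 and the false positive / false negative trade-off from 1.4 and 1.5, as an added example that is not part of the assignment: a signature matcher and a baseline-deviation detector run over constructed authentication log lines and are scored against constructed ground truth. The log format, the signature and the threshold rule are assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed log lines (not from the assignment). Format assumed:
# "<timestamp> auth user=<name> result=<OK|FAIL> src=<ip>"
BASELINE_LOG = """\
2019-07-30T09:00:01 auth user=alice result=FAIL src=10.0.0.5
2019-07-30T09:00:09 auth user=alice result=OK src=10.0.0.5
2019-07-30T09:12:40 auth user=bob result=OK src=10.0.0.7
2019-07-30T10:03:11 auth user=carol result=FAIL src=10.0.0.9
2019-07-30T10:03:25 auth user=carol result=FAIL src=10.0.0.9
2019-07-30T10:03:41 auth user=carol result=OK src=10.0.0.9
2019-07-30T11:47:02 auth user=dave result=FAIL src=10.0.0.11
2019-07-30T11:47:15 auth user=dave result=OK src=10.0.0.11
2019-07-30T13:20:00 auth user=erin result=OK src=10.0.0.13
"""

MONITORED_LOG = """\
2019-07-31T02:14:01 auth user=root result=FAIL src=203.0.113.4
2019-07-31T02:14:02 auth user=root result=FAIL src=203.0.113.4
2019-07-31T02:14:03 auth user=root result=FAIL src=203.0.113.4
2019-07-31T02:14:04 auth user=root result=FAIL src=203.0.113.4
2019-07-31T02:14:05 auth user=root result=FAIL src=203.0.113.4
2019-07-31T08:30:10 auth user=admin result=FAIL src=10.0.0.5
2019-07-31T08:30:20 auth user=alice result=OK src=10.0.0.5
2019-07-31T09:01:00 auth user=dave result=FAIL src=10.0.0.11
2019-07-31T09:01:10 auth user=dave result=FAIL src=10.0.0.11
2019-07-31T09:01:20 auth user=dave result=FAIL src=10.0.0.11
2019-07-31T09:01:30 auth user=dave result=OK src=10.0.0.11
2019-07-31T09:40:00 auth user=bob result=OK src=10.0.0.7
2019-07-31T23:55:00 auth user=bob result=OK src=198.51.100.8
"""

# Constructed ground truth: the root password guessing from 203.0.113.4 and the
# login with bob's stolen password from 198.51.100.8 are the real intrusions.
INTRUSION_SOURCES = {"203.0.113.4", "198.51.100.8"}

# Misuse detection: a signature for a known technique (failed logins to privileged accounts).
SIGNATURES = [re.compile(r"user=(root|admin) result=FAIL")]

LINE_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)")


def parse(log_text):
    """Turn raw lines into (user, result, src) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["user"], m["result"], m["src"]))
    return events


def misuse_detect(log_text, signatures=SIGNATURES):
    """Alert on every source whose raw line matches a known-attack signature."""
    alerted = set()
    for line in log_text.splitlines():
        if any(sig.search(line) for sig in signatures):
            m = LINE_RE.search(line)
            if m:
                alerted.add(m["src"])
    return alerted


def failures_per_source(events):
    """Failed-login count per source, including sources with zero failures."""
    counts = Counter({src: 0 for _, _, src in events})
    for _, result, src in events:
        if result == "FAIL":
            counts[src] += 1
    return counts


def anomaly_detect(baseline_text, monitored_text, k=2.0):
    """Alert on sources whose failure count lies more than k standard deviations
    above the mean learned from the (assumed benign) baseline window."""
    base = failures_per_source(parse(baseline_text))
    threshold = statistics.mean(base.values()) + k * statistics.pstdev(base.values())
    current = failures_per_source(parse(monitored_text))
    return {src for src, n in current.items() if n > threshold}


def evaluate(alerts, intrusions):
    """Score alerts: false positives are noise (1.4), false negatives are misses (1.5)."""
    return {
        "true_positives": len(alerts & intrusions),
        "false_positives": len(alerts - intrusions),
        "false_negatives": len(intrusions - alerts),
    }


if __name__ == "__main__":
    for name, alerts in (("misuse", misuse_detect(MONITORED_LOG)),
                         ("anomaly", anomaly_detect(BASELINE_LOG, MONITORED_LOG))):
        print(name, sorted(alerts), evaluate(alerts, INTRUSION_SOURCES))
```

    Each method catches the password guessing, each raises one false alarm (alice's mistyped admin login for the signature, dave's three failures for the baseline), and neither sees the stolen-password login, which is the false negative.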

    1.6 Examples of an IDS system:

    1.6.1 Network Intrusion Detection System (NIDS)

    An independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.


    1.6.2 Host-based Intrusion Detection System (HIDS)

    It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. Examples of HIDS are Tripwire and OSSEC.


    Solution number 2

    2.0 E-mail security

    Nowadays, e-mail has become a vital and crucial tool for today's commerce, as well as a comfortable and convenient medium for communication among ordinary users. It plays an important role especially for those who are involved in big industries and companies. This tool has eased communication between people around the world. But e-mail is considered very public: it is exposed at every point from the sender's workstation to the recipient's screen. We must also bear in mind that e-mail messages might be revealed to others. Therefore, there are certain security issues that we should be concerned about. To make e-mail more secure, we have to start by examining the exposures of ordinary e-mail.

    2.1 Threats to email

    There are several threats to electronic mail, such as:

    Message interception (confidentiality)

    Message interception (blocked delivery)

    Message interception and subsequent replay

    Message content modification

    Message origin modification

    Message content forgery by outsider

    Message origin forgery by outsider

    Message content forgery by recipient

    Message origin forgery by recipient

    Denial of message transmission


    For secure e-mail, the fundamental requirements mainly include the following protections:

    Message confidentiality (the message is not exposed en route to the receiver)

    Message integrity (what the receiver sees is what was sent)

    Sender authenticity (the receiver is confident who the sender was)

    Nonrepudiation (the sender cannot deny having sent the message)

    To provide confidentiality enhancements, the sender has to choose a symmetric-algorithm encryption key. The sender then encrypts a copy of the entire message to be transmitted; the encrypted part should include the FROM:, TO:, SUBJECT: and DATE: headers. For key management, the sender encrypts the message key under the recipient's public key and attaches that to the message as well. Encryption can yield any string as output, whereas e-mail handlers expect message traffic to contain no characters other than the normal printable characters. The encrypted e-mail standard works by using both symmetric and asymmetric encryption. To use symmetric encryption, the sender and receiver must have previously established a shared secret encryption key. The processing type (Proc-Type) field indicates what privacy enhancement services have been applied, and the data exchange key (DEK-Info) field contains the message encryption key, encrypted under this shared encryption key. With asymmetric encryption, the key exchange field contains the message encryption key, encrypted under the recipient's public key, together with the sender's certificate.

    On the other hand, we can also focus on the integrity of secure e-mail. Encrypted e-mail messages always carry a digital signature, so the authenticity and non-repudiability of the sender are assured. Through the hash function used in the digital signature, integrity can also be easily assured. In this case, the e-mail is fully secured: encrypted for confidentiality and also protected for integrity.

    Figure 2.0: Encrypted Email Processing in Message Transmission

    [Flowchart recovered from the figure: Compose message -> Encryption processing requested? -> Yes: Crypto -> Send message; No: Send message. Receive message -> Encrypted? -> Yes: Crypto -> View message; No: View message.]

    When sending an e-mail, the user can choose to send an enhanced or a non-enhanced message. If the user chooses to add enhancements, an extra bit of encrypted-e-mail processing is invoked on the sender's end, and the receiver must likewise remove the enhancements. Without enhancements, messages flow through the mail handlers as usual.

    An example of a secure e-mail system is PGP. PGP addresses the key distribution problem with what is called a ring of trust or a user's keyring. The concept is that one user directly gives a public key to another, or the second user fetches the first's public key from a server. One person can also give a second person's key to a third, and so on. The trustworthiness of a given key depends on who provided it. The philosophy is that if I trust you, I may also trust the keys you give me for other people. PGP processing performs several actions:

    Create a random session key for a symmetric algorithm

    Encrypt the message using the session key (for message confidentiality)

    Encrypt the session key under the recipient's public key

    Generate a message digest or hash of the message; sign the hash by encrypting it with the sender's private key (for message integrity and authenticity)

    Attach the encrypted session key to the encrypted message and digest

    Transmit the message to the recipient

    The recipient reverses these steps to retrieve the message content.


    Solution number 3

    3.0 Online auction and online payment

    In an e-commerce transaction, the credit/debit card is the most widely used method of payment in internet banking solutions. Therefore, exposure of credit/debit card numbers is a serious threat to e-commerce consumers.

    The first security element in an e-commerce system is SSL (Secure Socket Layer) protection. SSL is able to encrypt the credit card numbers as well as other personal identification details. This protection does not allow intruders to steal the consumers' information. SSL interfaces between applications and the TCP/IP protocols to provide server authentication, optional client authentication, and an encrypted communications channel between client and server. To use SSL, the client requests an SSL session. The server responds with its public key certificate so that the client can determine the authenticity of the server. The client returns part of a symmetric session key encrypted under the server's public key. Both the server and client compute the session key, and then they switch to encrypted communication using the shared session key.

    3.1 SSL Protocol layers

    The four protocol layers of the SSL protocol (Record Layer, ChangeCipherSpec Protocol, Alert Protocol, and Handshake Protocol) encapsulate all communication between the client machine and the server.

    1. Record Layer

    The record layer formats the Alert, ChangeCipherSpec, Handshake and application protocol messages. This formatting provides a header for each message, and a hash, generated from a Message Authentication Code (MAC), at the end. The fields that comprise the five-byte header of the Record Layer are: Protocol Definition (1 byte), Protocol Version (2 bytes) and the Length (2 bytes). The protocol messages that follow the header cannot be longer than 16,384 bytes, as specified by the SSL protocol.

    2. ChangeCipherSpec Protocol

    The ChangeCipherSpec layer is composed of one message that signals the beginning of secure communications between the client and server. Though the ChangeCipherSpec Protocol uses the Record Layer format, the actual ChangeCipherSpec message is only one byte long, and signals the change in communications protocol by having a value of 1.

    3. Alert Protocol

    This protocol sends errors, problems or warnings about the connection between the two parties. This layer is formed with two fields: the Severity Level and the Alert Description.

    a. Severity Level

    The Severity Level sends messages with a value of 1 or 2, depending on the level of concern. A message with a value of 1 is a cautionary or warning message, suggesting that the parties discontinue their session and reconnect using a new handshake. A message with a value of 2 is a fatal alert message, and requires that the parties discontinue their session.

    b. Alert Description

    The Alert Description field indicates the specific error that caused the Alert Message to be sent from a party. This field is one byte, mapped to one of twelve specific numbers, and can take on one of the following meanings. Those descriptions that always follow a fatal alert message are underlined.

    i. CloseNotify
    ii. UnexpectedMessage
    iii. BadRecordMAC
    iv. DecompressionFailure
    v. HandshakeFailure
    vi. NoCertificate
    vii. BadCertificate
    viii. UnsupportedCertificate
    ix. CertificateRevoked
    x. CertificateExpired
    xi. CertificateUnknown
    xii. IllegalParameter
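    The record header, ChangeCipherSpec message and Alert fields described above, as an added example that is not part of the assignment or of any SSL implementation: a parser that enforces the 5-byte header layout, the 16,384-byte limit, the single-byte value 1 and the two-byte alert. The numeric code points and the always-fatal flags come from the SSL 3.0 specification, not from the text, and are assumptions here.

```python
import struct

# Record-layer content types carried in the 1-byte Protocol Definition field
# (SSL 3.0 code points; the assignment names the types but not the numbers).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
MAX_FRAGMENT = 16384   # longest payload allowed after the 5-byte header

# The twelve alert descriptions listed above. The numbers are the SSL 3.0 code points
# and the flag marks the ones the specification makes always fatal (an assumption
# beyond the text, whose underlining did not survive).
ALERT_DESCRIPTIONS = {
    0: ("CloseNotify", False),
    10: ("UnexpectedMessage", True),
    20: ("BadRecordMAC", True),
    30: ("DecompressionFailure", True),
    40: ("HandshakeFailure", True),
    41: ("NoCertificate", False),
    42: ("BadCertificate", False),
    43: ("UnsupportedCertificate", False),
    44: ("CertificateRevoked", False),
    45: ("CertificateExpired", False),
    46: ("CertificateUnknown", False),
    47: ("IllegalParameter", True),
}
SEVERITY = {1: "warning", 2: "fatal"}


def build_record(content_type, body, version=(3, 0)):
    """Prepend the 5-byte header: type (1), version (2), length (2). Used to make samples."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def parse_record_header(data):
    """Split a record into header fields and body, enforcing the length limit."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_FRAGMENT:
        raise ValueError(f"declared length {length} exceeds {MAX_FRAGMENT}")
    if len(data) < 5 + length:
        raise ValueError("record body shorter than declared length")
    # Once keys are in place the body also ends with the MAC the text mentions; the
    # plaintext records handled here carry none, so no MAC check is done.
    return {"type": CONTENT_TYPES[ctype], "version": (major, minor), "body": data[5:5 + length]}


def parse_change_cipher_spec(body):
    """Exactly one byte with value 1."""
    if body != b"\x01":
        raise ValueError("ChangeCipherSpec body must be the single byte 0x01")
    return "change_cipher_spec"


def parse_alert(body):
    """Two bytes: Severity Level (1 warning / 2 fatal) and Alert Description."""
    if len(body) != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, desc = body[0], body[1]
    if level not in SEVERITY:
        raise ValueError(f"bad severity level {level}")
    if desc not in ALERT_DESCRIPTIONS:
        raise ValueError(f"unknown alert description {desc}")
    name, always_fatal = ALERT_DESCRIPTIONS[desc]
    if always_fatal and level != 2:
        raise ValueError(f"{name} must be sent at fatal severity")
    return {"level": SEVERITY[level], "description": name, "always_fatal": always_fatal}


def parse_record(data):
    """Dispatch on content type; Handshake/ApplicationData bodies are returned unparsed."""
    record = parse_record_header(data)
    if record["type"] == "ChangeCipherSpec":
        record["message"] = parse_change_cipher_spec(record["body"])
    elif record["type"] == "Alert":
        record["message"] = parse_alert(record["body"])
    return record


def classify(data):
    """Return 'accept' or 'reject: <reason>' without raising, for use in a filter loop."""
    try:
        parse_record(data)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"
```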

    4. Handshake Protocol

    Messages passed back and forth between the user's browser (client) and the web application (server) establish a handshake that begins a secure connection. The following steps describe how an SSL handshake is performed. The messages that compose this handshake are: ClientHello, ServerHello, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished. (Thomas, 40) The following sections will detail these messages and, where appropriate, will explain how they are used in the webmail example seen earlier in this paper.

    a. ClientHello

    The first message is the ClientHello. Since the client machine is requesting the secure communication session, this message involves a set of options that the client is willing to use in order to communicate with the server. The option categories are: the Version of SSL to be used, the CipherSuites supported by the client, and the CompressionMethods used by the client. Other information included in this message is a 32-byte RandomNumber that assists the client in establishing encrypted communications, and a SessionID field that is blank. This message is generated by the client in the web e-mail example when our user wants to check her e-mail and clicks on the secure connection option that is made available on many websites.


    b. ServerHello

    The second message of the SSL handshake is the ServerHello. In this message, the server makes choices based on the ClientHello message. The server returns five fields, just like the ClientHello message, but fills in the SessionID, and makes firm decisions on the Version of SSL to be used, the CompressionMethod and the CipherSuite. The date and time stamp replaces four bytes of the RandomNumber field to avoid repeated random values, and Thomas adds that the remaining bytes should be created by a cryptographically secure random number generator.

    c. ServerKeyExchange

    Now that the server has made decisions for the transmission of data, information must be passed between the parties to determine how data will be encrypted. Since no algorithm has been previously agreed upon, this information is sent with no encryption. This means that all communication for this segment must already be in the public domain. The server's public key is used to encrypt a separate session key to be maintained for this secure communication. Both the client and server will use this same key to encrypt data to be transmitted. To ensure that the communicating parties are who they claim to be, digital certificates are used to provide electronic identification. Digital certificates combine the public key and connect it to the name of the certificate owner. Additionally, these certificates contain public keys of certification authorities like RSA Security or VeriSign and an expiration date, so that the person receiving the digital certificate can verify the link between the certificate owner and the certification authority. The certificate only contains the public key, and should never include the private key; otherwise the private key would be compromised, and the entire purpose of having the digital certificate would be voided. (Martin, 3/14/03)

    d. ServerHelloDone

    Once the server has completed the ServerKeyExchange message, the client receives a ServerHelloDone message to indicate that the server is through with its messages. It is similar to a two-way radio conversation, where the sending party says "OVER" to announce that he is done sending a message, and signals the receiving party to acknowledge the message that was sent.

    e. ClientKeyExchange

    Since SSL does not require a client to have public and private keys in order to establish an SSL session, the ClientKeyExchange message contains information about the key that the client and server will use to communicate. Thomas explains that this is the point where the man-in-the-middle attack is mitigated, since a masquerader must know the server's private key in order to decrypt this message. (Thomas, 46) This message completes the negotiation process between the client and the server.


    f. ChangeCipherSpec

    The two ChangeCipherSpec messages signal the change of data transmission from an insecure state to a secure state. As each computer sends the ChangeCipherSpec message, it changes its side of the connection into the agreed-upon secure state.

    g. Finished

    The two messages signaling the end of the SSL handshake ensure that three things are verified before the initial handshake is complete. These are:

    i. Key Information
    ii. Contents of all previous SSL handshake messages exchanged by the systems
    iii. A special value indicating whether the sender is a client or server

    At the end of this handshake process, the user will see a lock icon in the corner of her browser to indicate that a secure protocol has been agreed upon and is in use by her browser and the web e-mail server.

    The whole communication being encrypted between the client and server promotes one of the security goals, Privacy/Confidentiality, because the details have been transferred securely without being tapped by a third party. Therefore, no one knows the information except the sender and receiver.

    Integrity is addressed through the use of message authentication in each message from the first handshake. Additionally, non-repudiation is accounted for through certificate passing, in addition to the integrity check from the message authentication.

    Though more responsibility for the Availability portion of the model is placed on the server, Availability is slightly addressed since secure communications prevent malicious users from having direct access to the system.


    Solution number 4

    4.0 Smart Card

    A smart card is more or less the same as a credit card. However, a smart card replaces the magnetic storage unit of the credit card with an embedded microprocessor, which acts as the central processing unit, random access memory (RAM) and data storage of around 10MB.

    4.0.1 Requirement of Smart Card

    The PIN is normally set beforehand by the software provided by the manufacturer of the smart cards. Once a user has a smart card and PIN, two more things are required: a computer running an OS that supports smart card authentication, and a smart card reader installed in or attached to the computer or terminal. The user inserts the card into the reader, is prompted to enter the PIN associated with that card, and is permitted to log on.

    4.0.2 Authentication Process

    A smart card validates a user's identity to the network through the digital certificates stored in the smart card itself. Digital certificates must be issued by a trusted third party; this can be an entity outside an organization, such as VeriSign, or a certification authority (CA) set up within a company's private network.

    Digital certificates are an important part of an organization's public key infrastructure (PKI). The information that a certificate contains includes:

    The user's identification information.

    The user's public key (part of a public/private key pair).

    The issuing entity's digital signature, which verifies that the certificate was issued by a valid certification authority.

    A time period for which the certificate is valid or an expiration date.

    Smart card certificates are usually requested from a CA by an authorized enrollment agent. Such agents have a special certificate allowing them to both request certificates on behalf of other users and bind these certificates to the smart cards to be issued to the users.

    Figure 4.0: Authentication process of the Smart card

    [Sequence recovered from the figure, between the Card, the Client Program, the Application Server and the Certification Authority:
    (1) Send request
    (2) Send the time
    (3) Send the username, password and time
    (4) If data valid, encrypt, sign and send the message
    (5) Send a request to the certificate authorization
    (6) Certification Authority
    (7) Send the requested certificate to the client
    (8) Verify the signed message from (4)]


    4.0.3 Strength

    1) This simple technology has revolutionized the payment card industry and increased the level of card security. These cards use encryption and authentication technology which is more secure than previous methods associated with payment cards. The microprocessor chip embedded at the heart of the smart card requires contact with the card reader, and certain areas of the chip can be programmed for specific industries.

    2) Another advantage of having a smart card is its use in the banking industry (and many other sectors). These cards give the holder freedom to carry large sums of money around without feeling anxious about having the money stolen. In this regard, they are also safe because the cards can be easily replaced, and a person would have to know the PIN to access the stored value. This takes care of the problem with cash: once it is stolen, it is nearly impossible to trace and recover.

    3) The third advantage of using a smart card is that it can provide complete identification in certain industries. There are numerous ben efits of using smart cards for identification. A driver's license that has been created using smart card technology can give the police the ability to quickly identify someone who has been stopped for speeding or reckless driving. These cards can be used by health professionals to identify someone who is brought in by an ambulance but is unconscious or unable to speak.

    4.0.4 Limitation

    1) If used as a payment card, not every store or restaurant will have the hardware necessary to use these cards. One of the reasons for this is that since the technology is more secure, it is also more expensive to produce and use. Therefore, some stores may charge a basic minimum fee for using smart cards for payment, rather than cash.

    2) When used correctly for identification purposes, they make the jobs of law enforcement and healthcare professionals easier. However, for criminals seeking a new identity, they are like gold, given the amount of information they can contain about an individual.

    4.1 RFID

    RFID (Radio Frequency Identification) is a technology for tagging using radio waves. An RFID tag is a small electronic device, supplemented with an antenna, that can transmit and receive data. RFID tags do not require physical contact for identification, so they can identify and authenticate objects or subjects wirelessly, using transponders or micro-circuits with an antenna that are queried by readers through a radio frequency channel. RFID technology is designed for the unique identification of different kinds of objects.

    4.1.1 Requirement of RFID

    RFID systems consist of three main components: tags, readers and back-end databases.

    1) Tags are radio transponders attached to physical objects. Each tag contains a microchip with a certain amount of computational and storage capability and a coupling element. Such devices can be classified according to memory type and power source.

    2) Radio transceivers, or readers, query these tags for some (potentially unique) identifying information about the objects to which the tags are attached.

    3) The database is a small amount of memory used as a data repository, which can be located anywhere.


    Each decision of the guard is logged in order to be able to backtrack decisions if necessary. The source in this case is a person who provides biometric information (usually in combination with other identification information) to a guard. The guard then uses some sort of algorithm to process the given biometric information and, after a comparison with stored samples, decides whether to grant the person access or not.

    The authentication and authorization process can be categorized into two different types: biometric verification and biometric identification. The first is biometric verification, which occurs when the user claims to be already enrolled in the system (presents an ID card or login name); in this case the biometric data obtained from the user is compared to the user's data already stored in the database (one-to-one comparison). The second is biometric identification, also called search identity. Identification occurs when the user's identity is a priori unknown. In this case the user's biometric data is matched against all the records in the database, as the user can be anywhere in the database or may not actually be there at all (one-to-many comparison). The system is then able to identify the unknown person. This process takes much more time than biometric verification, in which a person provides biometric information to a system and claims that a particular identity belongs to this data (one-to-one). The system can then easily reject the claim if no sample biometric data for the claimed identity can be found, or if the provided biometric data and the sample data of the claimed identity don't match. In most authentication processes, biometric verification is used.

    The sample biometric data sets which are used for comparison in an authentication process are produced and saved in an enrolment phase. Each authorized user has to go through this step, in which for example a fingerprint is taken, processed and saved, for example in a database or on an identification card. In the testing phase, when an individual seeks access to a system, the sample saved in the enrolment phase is used by the guard of the system to decide whether to grant access or not. The enrolment phase is much more important for a biometric system than for a system using user name and password. If the sample taken from a person is, for example, not good enough, the probability that the system refuses access to this person is much higher.

    4.2.2 Limitation

    1) False rejections and false acceptances often occur in a biometric system and are expressed as percentages: the false rejection rate (FRR) and the false acceptance rate (FAR). The false rejection rate and the false acceptance rate are inversely proportional, so to get a balance a decision must be made, and it depends entirely on the system requirements.

    2) Biometric data contains information acquired from individuals, which can be used to identify them. This raises issues of privacy and data protection. If the biometric data is recorded in a central database, privacy concerns may be higher than for systems where an individual's data is stored only on a card retained by the individual. Note, however, that some biometric applications require a central database for their basic functionality, e.g. to check for multiple enrolment attempts.
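    The FRR/FAR trade-off in limitation 1), as an added example that is not part of the assignment: constructed genuine and impostor match scores are swept over decision thresholds to show the two rates moving inversely and to pick a threshold from a system requirement. The scores and the matcher they stand for are assumptions.

```python
# Constructed similarity scores (0..100) from a hypothetical fingerprint matcher:
# higher means the live sample looks more like the enrolled template.
GENUINE_SCORES = [88, 91, 76, 95, 82, 69, 90, 85, 79, 93, 61, 87]   # same person
IMPOSTOR_SCORES = [34, 52, 41, 28, 66, 47, 39, 58, 31, 72, 44, 36]  # different people
THRESHOLDS = list(range(0, 101, 5))


def frr(genuine, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(genuine, impostor, thresholds=THRESHOLDS):
    """(threshold, FRR, FAR) for each candidate decision threshold."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def rates_move_inversely(table):
    """The limitation stated above: raising the threshold never lowers FRR or raises FAR."""
    return all(a[1] <= b[1] and a[2] >= b[2] for a, b in zip(table, table[1:]))


def equal_error_threshold(genuine, impostor, thresholds=THRESHOLDS):
    """Threshold where FRR and FAR are closest (the equal error rate point)."""
    return min(thresholds, key=lambda t: abs(frr(genuine, t) - far(impostor, t)))


def threshold_for_max_far(genuine, impostor, max_far, thresholds=THRESHOLDS):
    """Lowest threshold meeting a FAR ceiling set by the system requirements,
    together with the FRR that choice costs in rejected genuine users."""
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return None


if __name__ == "__main__":
    for t, r, a in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 96, 5)):
        print(f"threshold {t:3d}: FRR {r:.2f}  FAR {a:.2f}")
```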

    4.2.3 Strength

    1) Eliminates problems caused by lost IDs or forgotten passwords by using physiological attributes. This is very helpful in preventing unauthorized use of lost or stolen ID cards.


    2) Integrates a wide range of biometric solutions and technologies, customer applications and databases into a robust and scalable control solution for facility and network access, and makes it possible, automatically, to know WHO did WHAT, WHERE and WHEN!

    3) The various biometric systems have been developed around unique characteristics of individuals. The probability of two people sharing the same biometric data is virtually nil. Since the biometric data is unique, it can't be shared; because it is an intrinsic property of an individual, it is extremely difficult to duplicate.


    Solution number 5

    5.0 Firewall

    A firewall is a device that filters all traffic between a protected and a less trustworthy network. Usually a firewall runs on a dedicated device. A firewall is used to protect the resources of a private network from users on other networks. The purpose of a firewall is to keep any outsider out of a protected environment. For example, an enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control what outside resources its own users have access to.

    Basically, a firewall, working closely with a router program, examines each network packet to determine whether to forward it toward its destination. A firewall also includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed in a specially designated computer separate from the rest of the network so that no incoming request can get directly at private network resources.

    5.1 Design of Firewall

    A firewall is a special form of reference monitor. A firewall is placed within a network so that all traffic we want to control must pass through it; in other terms, this condition is known as always invoked. A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer with direct connections only to the outside and inside networks. This isolation is expected to meet the tamperproof requirement. And firewall functionality should always be simple.

    5.2 Type of firewall

    1. Packet Filtering Gateway

    A packet filtering gateway or screening router is the simplest and most effective type of firewall. A packet filtering gateway controls access to packets based on packet address (source and destination) or specific transport protocol type (such as HTTP web traffic). Packet filters do not see inside a packet; they block or accept packets solely on the basis of the IP addresses and port. Besides, packet filters can perform the very important service of ensuring the validity of inside addresses. Inside hosts typically trust other inside hosts for all the reasons described as characteristics of LANs. The only way an inside host can distinguish another inside host is by the address shown in the source field of a message. However, the source address in packets can be forged, so an inside application might think it was communicating with another host on the inside instead of an outside forger. A packet filter sits between the inside and outside networks, so it can know if a packet from the outside is forging an inside address. A packet filter might be configured to block all packets from the outside that claim their source address is an inside address.
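    As an added illustration (not part of the original assignment), the following Python model shows how a packet filter decides on headers alone: an anti-spoofing check drops outside packets that claim an inside source, then an ordered rule list is applied with default deny. The 10.0.0.0/8 inside network, the rule table and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: 10.0.0.0/8 is the protected inside network.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # source IP address as printed in the header
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port

# Rules: (arrival iface, src network, dst network, proto, dport, action).
# None for proto or dport matches anything. First match wins; default is drop.
RULES = [
    ("outside", "0.0.0.0/0", "10.0.0.80/32", "tcp", 80, "accept"),   # public web server
    ("outside", "0.0.0.0/0", "10.0.0.25/32", "tcp", 25, "accept"),   # mail gateway
    ("inside",  "10.0.0.0/8", "0.0.0.0/0",  None,  None, "accept"),  # outbound traffic
]

def is_spoofed(pkt):
    """True when a packet arriving from outside claims an inside source address.
    Only the filter, sitting on the boundary, can see this contradiction."""
    return pkt.iface == "outside" and ipaddress.ip_address(pkt.src) in INSIDE_NET

def matches(rule, pkt):
    iface, src_net, dst_net, proto, dport, _ = rule
    return (iface == pkt.iface
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst_net)
            and (proto is None or proto == pkt.proto)
            and (dport is None or dport == pkt.dport))

def decide(pkt):
    """Anti-spoofing check first, then the ordered rule list, then default deny.
    Returns "accept", "drop" or "drop-spoofed"."""
    if is_spoofed(pkt):
        return "drop-spoofed"
    for rule in RULES:
        if matches(rule, pkt):
            return rule[-1]
    return "drop"

if __name__ == "__main__":
    # Constructed sample packets; the second one forges an inside source address.
    for pkt in (Packet("outside", "203.0.113.5", "10.0.0.80", "tcp", 80),
                Packet("outside", "10.0.0.7", "10.0.0.80", "tcp", 80),
                Packet("outside", "203.0.113.5", "10.0.0.80", "tcp", 22)):
        print(pkt.src, "->", pkt.dst, pkt.dport, decide(pkt))
```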

    2. Stateful Inspection Firewall

    Filtering firewalls work on packets one at a time, accepting or rejecting each packet and moving on to the next. They have no concept of state or context from one packet to the next. A stateful inspection firewall maintains state information from one packet to another in the input stream. One classic approach used by attackers is breaking an attack into multiple packets by forcing some packets to have very short lengths so that a firewall will not be able to detect the signature of an attack split across two or more packets. A stateful inspection firewall would track the sequence of packets and conditions from one packet to another to thwart such an attack.
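    To make the difference concrete, here is an added Python example (not from the original assignment) that runs the same three short segments through a per-packet filter and through an inspector that keeps per-connection state. The signature BADCMD, the connection addresses and the segment payloads are constructed for the example.

```python
from collections import defaultdict

# Constructed signature: a byte pattern a filtering rule is meant to reject.
SIGNATURE = b"BADCMD"

def stateless_hits(packets):
    """Per-packet filtering: a packet is flagged only if the whole signature is inside it."""
    return sum(1 for p in packets if SIGNATURE in p["payload"])

class StatefulInspector:
    """Keeps per-connection state so a signature split across segments is still detected."""

    def __init__(self):
        # connection key -> tail of previously seen bytes for that connection
        self.tails = defaultdict(bytes)

    def inspect(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        data = self.tails[key] + pkt["payload"]
        hit = SIGNATURE in data
        # Retain only the last len(SIGNATURE)-1 bytes: enough to complete a match
        # that straddles the next boundary, small enough that state stays bounded.
        self.tails[key] = b"" if hit else data[-(len(SIGNATURE) - 1):]
        return hit

def stateful_hits(packets):
    insp = StatefulInspector()
    return sum(1 for p in packets if insp.inspect(p))

def segment(src, payload):
    """Build a constructed TCP segment record towards the sample web server."""
    return {"src": src, "sport": 40000, "dst": "10.0.0.80", "dport": 80, "payload": payload}

# Constructed stream: one request delivered in three short segments so that
# no single packet contains the whole signature.
SPLIT_STREAM = [
    segment("203.0.113.5", b"GET /?x=BA"),
    segment("203.0.113.5", b"DC"),
    segment("203.0.113.5", b"MD HTTP/1.0\r\n"),
]

def compare(packets):
    """Return (hits seen by the stateless filter, hits seen by the stateful inspector)."""
    return stateless_hits(packets), stateful_hits(packets)

if __name__ == "__main__":
    print(compare(SPLIT_STREAM))   # the stateless filter misses it, the stateful one catches it
```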

    3. Application Proxy

    An application proxy gateway, also called a bastion host, is a firewall that simulates the effects of an application so that the application will receive only requests to act properly. A proxy gateway is a two-headed device: it looks to the inside as if it is the outside connection, while to the outside it responds just as the insider would. An application proxy runs pseudo-applications. For instance, when electronic mail is transferred to a location, a sending process at one site and a receiving process at the destination communicate by a protocol that establishes the legitimacy of the mail transfer and then actually transfers the mail message. The protocol between sender and destination is carefully defined. A proxy gateway essentially intrudes in the middle of this protocol exchange, seeming like a destination in communication with the sender that is outside the firewall and seeming like the sender in communication with the real destination on the inside. The proxy in the middle has the opportunity to screen the mail transfer, ensuring that only acceptable email protocol commands are sent to the destination.
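    The following Python sketch is an added example (not part of the original assignment) of the screening step in such a mail proxy: it answers the outside sender itself when a command line is malformed or not on the allowlist, and relays only well-formed, permitted SMTP commands to the inside server. The allowlist, the 512-byte line limit and the reply codes follow the SMTP conventions in RFC 5321; the inside server is a constructed stand-in, and handling of the message body after DATA is left out.

```python
# Constructed policy: the SMTP verbs the proxy relays, and whether each takes an argument.
ALLOWED = {
    "HELO": True, "EHLO": True, "MAIL": True, "RCPT": True,
    "DATA": False, "RSET": False, "NOOP": False, "QUIT": False,
}
MAX_LINE = 512  # SMTP command-line limit, CRLF included (RFC 5321)

def screen_command(line):
    """Decide what the proxy does with one line from the outside sender.

    Returns ("forward", canonical_line) for the inside server or
    ("reject", reply) to be sent straight back to the outside sender.
    """
    if len(line) > MAX_LINE or not line.endswith("\r\n"):
        return ("reject", "500 Line too long or unterminated\r\n")
    body = line[:-2]
    if any(not 0x20 <= ord(c) <= 0x7e for c in body):
        return ("reject", "501 Invalid characters in command\r\n")
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return ("reject", "502 Command not implemented\r\n")
    if ALLOWED[verb] != bool(arg):
        return ("reject", "501 Syntax error in parameters or arguments\r\n")
    # Re-emit the command in canonical form so only the proxy's own bytes reach the inside.
    return ("forward", f"{verb} {arg}\r\n" if arg else f"{verb}\r\n")

def fake_inside_server(line):
    """Constructed stand-in for the real mail server behind the proxy."""
    return "221 Bye\r\n" if line.startswith("QUIT") else "250 OK\r\n"

def run_proxy(client_lines, server=fake_inside_server):
    """Relay one session: forwarded lines go to the inside server, whose reply is returned
    to the sender; rejected lines never leave the proxy."""
    replies = []
    for line in client_lines:
        action, text = screen_command(line)
        replies.append(server(text) if action == "forward" else text)
    return replies

if __name__ == "__main__":
    # Constructed session: one permitted command, one unlisted verb, one malformed line.
    for reply in run_proxy(["HELO relay.example\r\n", "VRFY root\r\n", "MAIL\r\n", "QUIT\r\n"]):
        print(reply.strip())
```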

    4. Personal Firewalls

    A personal firewall is an application program that runs on a workstation to block unwanted traffic, usually from the network. A personal firewall can complement the work of a conventional firewall by screening the kind of data a single host will accept, or it can compensate for the lack of a regular firewall, as in a private DSL or cable modem connection. A personal firewall screens traffic on a single workstation. A workstation could be vulnerable to malicious code or malicious active agents, leakage of personal data stored on the workstation, and vulnerability scans to identify potential weaknesses. Commercial implementations of personal firewalls include Norton Personal Firewall from Symantec, McAfee Personal Firewall and ZoneAlarm from Zone Labs. The personal firewall is configured to enforce some policy. For example, the user may decide that certain sites, such as computers on the company network. Personal firewalls can also generate logs of accesses, which can be useful to examine in case something harmful does slip through the firewall. Combining a virus scanner with a personal firewall is both effective and efficient because the firewall will direct all incoming email to the virus scanner, which examines every attachment the moment it reaches the target host and before it is opened, instead of detecting a problem only after the fact. A personal firewall can provide reasonable protection to clients that are not behind a network firewall.

    5.3 Strength and limitation

    Although firewalls have a number of potential advantages, they do not provide foolproof protection and also have some potential disadvantages. As Steffano Korper and Juanita Ellis wrote in The E-Commerce Book, firewalls cannot protect against computer viruses or against data theft by authorized users of a company's computer network. In addition, firewalls can be expensive for small businesses to purchase and maintain, and they do require technical expertise for proper installation. Furthermore, firewalls may limit a company's access to some Internet services or make the Internet less convenient or slower for employees to use.

    Some small businesses avoid the need for a firewall by using a simple security measure known as "air gapping." This means that the company's computer network is kept completely separate from the Internet. One method of air gapping involves accessing the Internet only from a standalone computer that is not connected to the internal network and does not contain any confidential information. Another method involves only running Web servers that outsiders can reach on a secure system belonging to an Internet Service Provider (ISP).

    Small businesses that choose not to use a firewall should take some basic precautions when connecting to the Internet. For example, Emery emphasizes the importance of using the latest release of networking software, which is less likely to contain known bugs that make it vulnerable to hackers. It is also a good idea to turn off or restrict access to any unnecessary Internet services. In addition, Emery recommends blocking access to Web ports that have been used by hackers for "sneak attacks." A list of these ports is available from the Computer Emergency Response Team (CERT) at www.cert.org.

    Solution number 6

    6.0 Describe attacks on a network

    6.1 Eavesdropping

    This type of network attack occurs when an attacker monitors or listens to network traffic in transit and then interprets all unprotected data. While users need specialized equipment and access to the telephone company's switching facilities to eavesdrop on telephone conversations, all they need to eavesdrop on an Internet Protocol (IP) based network is sniffer technology to capture the traffic being transmitted. This is basically due to the Transmission Control Protocol/Internet Protocol (TCP/IP) being an open architecture that transmits unencrypted data over the network.

    6.2 Spoofing

    Guessing or otherwise obtaining the network authentication credentials of an entity (a user, an account, a process, a node, a device) permits an attacker to create a full communication as that entity. Examples of spoofing are masquerading, session hijacking and the man-in-the-middle attack.

    Masquerade

    In a masquerade the attacker pretends to be another host. They register a domain name for their site slightly different from the site they wish to attack, for example coca-cola.com versus cocacola.com. In this case, people might mistype the address and confuse it with the real site they want to visit. The attacker creates the fake site to look as similar as possible to the real one so that people will log in with their name, account number and password or PIN. After obtaining the information, the attacker is able to transfer this connection smoothly to an authenticated access of the real site without the user realizing the deviation.

    Session hijacking

    Session hijacking is intercepting and carrying on a session begun by another entity. Suppose two entities have entered into a session but then a third entity intercepts the traffic and carries on the session in the name of the other. The example of Book May could be an instance of this technique. If Book Depot used a wiretap to intercept packets between you and Book May, Book Depot could simply monitor the information flow, letting Book May do the hard part of displaying titles for sale and convincing the user to buy. Then, when the user has completed the order, Book Depot intercepts the "I'm ready to check out" packet and finishes the order with the user, obtaining the shipping address, credit card details and so forth. To Book May, the transaction would look like an incomplete transaction, and we would say that Book Depot has hijacked the session.

    Man-in-the-Middle Attack

    A man-in-the-middle attack is a similar form of attack to session hijacking, in which one entity intrudes between two others. The difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a hijacking occurs after a session has been established. Man-in-the-middle attacks are frequently described in protocols. To see how, suppose you want to exchange encrypted information with your friend. You contact the key server and ask for a secret key with which to communicate with your friend. One man-in-the-middle attack assumes someone can see and enter into all parts of this protocol, intercepts the response key, and can then eavesdrop on, or even decrypt, modify and re-encrypt, any subsequent communications between you and your friend.

    6.3 Denial of service

    Availability attacks, sometimes called denial-of-service or DoS attacks, are much more significant in networks than in other contexts. There are many accidental and malicious threats to availability or continued service.

    Transmission Failure

    The connection between you and the network is broken for some reason. The cause of the communication failure could be either physical or non-physical; for example, a line is cut, there is network noise, or devices are saturated. The physical threats are pretty obvious, but they are not easy to repair. A break in the single communications line to your computer (for example, from the network to your network interface card, or the telephone line to your modem) can be fixed only by establishing an alternative link or repairing the damaged one.

    Connection Flooding

    The most primitive denial-of-service attack is flooding a connection. If an attacker sends you as much data as your communications system can handle, you are prevented from receiving any other data. Even if an occasional packet reaches you from someone else, communication to you will be seriously degraded. More sophisticated attacks use elements of Internet protocols. In addition to TCP and UDP, there is a third class of protocols, called ICMP or Internet Control Message Protocol. Normally used for system diagnostics, these protocols do not have associated user applications. ICMP protocols include:

    - ping, which requests a destination to return a reply, intended to show that the destination system is reachable and functioning
    - echo, which requests a destination to return the data sent to it, intended to show that the connection link is reliable (ping is actually a version of echo)
    - destination unreachable, which indicates that a destination address cannot be accessed
    - source quench, which means that the destination is becoming saturated and the source should suspend sending packets for a while

    These protocols have important uses for network management. But they can also be used to attack a system. The protocols are handled within the network stack, so the attacks may be difficult to detect or block on the receiving host. We examine how two of these protocols can be used to attack a victim.

    Echo-Chargen

    This attack works between two hosts. Chargen is a protocol that generates a stream of packets; it is used to test the network's capacity. The attacker sets

    connection, and they use gateway protocols to share information about their capabilities. Each router advises its neighbors about how well it can reach other network addresses. This characteristic allows an attacker to disrupt the network. To see how, keep in mind that, in spite of its sophistication, a router is simply a computer with two or more network interfaces. Suppose a router advertises to its neighbors that it has the best path to every other address in the whole network. Soon all routers will direct all traffic to that one router. The one router may become flooded, or it may simply drop much of its traffic. In either case, a lot of traffic never makes it to the intended destination.

    DNS Attacks

    Our final denial-of-service attack is actually a class of attacks based on the concept of the domain name server. A domain name server (DNS) is a table that converts domain names like ATT.COM into network addresses like 211.217.74.130; this process is called resolving the domain name. A domain name server queries other name servers to resolve domain names it does not know. For efficiency, it caches the answers it receives so it can resolve that name more rapidly in the future. In the most common implementations of Unix, name servers run software called Berkeley Internet Name Domain (BIND) or named (a shorthand for "name daemon"). There have been numerous flaws in BIND, including the now-familiar buffer overflow. By overtaking a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, with an obvious implication for denial of service.

    Distributed Denial of Service

    The denial-of-service attacks we have listed are powerful by themselves. But an attacker can construct a two-stage attack that multiplies the effect many times. This multiplicative effect gives power to distributed denial of service. To perpetrate a distributed denial-of-service (or DDoS) attack, an attacker does two things. In the first stage, the attacker uses any convenient attack (such as exploiting a buffer overflow or tricking the victim into opening and installing unknown code from an e-mail attachment) to plant a Trojan horse on a target machine. That Trojan horse does not necessarily cause any harm to the target machine, so it may not be noticed. The Trojan horse file may be named for a popular editor or utility, bound to a standard operating system service, or entered into the list of processes (daemons) activated at startup. No matter how it is situated within the system, it will probably not attract any attention. The attacker repeats this process with many targets. Each of these target systems then becomes what is known as a zombie. The target systems carry out their normal work, unaware of the resident zombie. At some point the attacker chooses a victim and sends a signal to all the zombies to launch the attack. Then, instead of the victim trying to defend against one denial-of-service attack from one malicious host, the victim must try to counter n attacks from the n zombies all acting at once. Not all of the zombies need to use the same attack; for instance, some can use smurf attacks and others SYN floods to address different potential weaknesses. In addition to their tremendous multiplying effect, distributed denial-of-service attacks are a serious problem because they are easily launched from scripts.