Chapter-2 Telecommunications & Network Security

Chapter 2: Telecommunications & Network Security
Firewalls :
Page 1 of 100
Page 2 of 100
Page 3 of 100
Screened Subnet firewall is most secure and act as a Perimeter network. Access o Primary Firewall Administrator o Backup Firewall Administrator o Network service Manager. Boundary Controls eg . Fences and firewalls State Packet Filter Firewall is simple , inexpensive and quick to implement. Firewall eg. Boundary access control. Static packet filter firewall low-risk computing environment. Hybrid gateway firewall- medium to high-risk computing environment. Stateful and dynamic filter firewall- high risk computing environment. A rulebase facilities implementing security controls in a firewalls. Firewall on a packet Accept/Deny and Discard. Best backup strategy Day Zero Backup. Firewalls- protected for fail-safe performance. RPC,NFS and SNMP should always be blocked and FTP should be restricted. Provide a Line of perimeter defense against attacks Traffic to and from the Internet. Firewall Compromised correct steps to rebuild the Firewll. o Bring down the primary firewall o Deploy the secondary Firewall o Reconfigure the primary Firewall o Restore the primary firewall. Packet filtering firewall are most vulnerable to attack.
Page 4 of 100

Primary component of Fiewalls o Protocol filtering o Application gateways o Extended logging capability. Firewall implementations is a by-product of administering the security policy. Firewall is an effective security control over an Internet.
Attacks: Denial of Service Attack : DOS name Land Type Malformed Packet Description The land attack uses a spoofed SYN packet that includes the victims IP address and TCP port as both source and destination. This attack targets the TCP/IP stack of older unpatched windows system. A smurf attck involves ICMP flooding. The attacker sends ICMP Echo Request messages with spoofed source addresses of the victim to the directed broadcast address of a network known to be a Smurf amplifier. A Smurf amplifier is a public facing network that is misconfigured such that it will forward packets sent to the network broadcast address to each host in the network. Assuming a /24 Smurf amplifier, this means that for every single spoofed ICMP Echo Request sent the victim could receive up to 254 ICMP Echo Responses. As with most of resource exhaustion denial of service attack, prevention involves having infrastructure that can filter the DOS traffic Counter Measure
Smurf
Resource Exhaustion
Page 5 of 100

and /or an ISP that can provide assistance in the traffic. SYN Floods are the most basic type of resource exhaustion attacks, and involve an attacker , or attacker controlled machines, initiating many connections to the victim, but not responding to the victims SYN/ACK packets. The vicitims connection queue will eventually be unable to process any more new connections. Configuring a system to more quickly recycle half-open connections can help with this technique. As with most of the resource exhaustion denial of service attacks, prevention involves having infrastructure that can filter the DOS traffic and/or an ISP that can provide assistance in filtering the traffic. The teardrop attack is a malformed packet attack that targets issues with systems fragmentation reassembly. The attack involves sending packets with overlapping fragment offsets, which can cause a system attempting to reassemble the fragments issues. The Ping of Death denial of service involved sending a malformed ICMP Echo Request (ping) that was larger than the maximum size of an IP packet. Historically, sending the Ping of Death would crash systems. The Fraggle attack is a variation of the smurfs attack. The main difference between smurf and fraggle leverages UDP for the request portion, and stimulates, most likely, and ICMP Port Unreachable message being sent to the victim rather than an ICMP Echo Response. A more recent denial of service technique that, like the smurf attack, leverages a third party is the DNS reflection attack. The attacker who has poorly configured third party DNS server query an attackercontrolled DNS server and cache the response(a maximum-size DNS record). Once the large record is cached by many third party DNS Servers, the attacker sends DNS requests for those records with a spoofed source of the victim. This causes these extremely large DNS records to be sent to the victim in response. As with most of resource exhaustion denial of service
SYN Flood
Resource Exhaustion
Teardrop
Malformed Packet
Ping of Death
Malformed Packet
Patching the TCP/IP stacks of systems removed the vulnerability of this DOS attack.
Fraggle
Resource Exhaustion
DNS Reflection
Page 6 of 100

attacks, prevention involves having infrastructure that can filter the DOS traffic and/or an ISP that can provide assistance in filtering the traffic.
Computer Virus
Common virus Malicious Code A malicious code that replicates using a host program. An effective defence against computer viruses does not include Virus scanning programs. The boot sector virus works during computer booting , where the master boot sector and boot sector code are read and executed. A worm is a self-replicating program that is self-contained and does not require a host program. The worm searches the network for idle computing resources and uses them to execute the program in small segments. A multi-partite virus combines both sector and file infector virus. It raises privacy issues such as what information is collected and how it is used. Internet privacy is not enhanced when the cookies file is delted. Deleting cookies file will not protect the user since a new file is created by the browser therefore, the cookies file is a security concern on the internet. Manipulate the directory structure of the media on which they are stored pointing to the OS to virus code instead of legitimate code. Stored in a spread sheet or word processing document. Maximum number of encounters.it is difficult to detect.
Boot Sector Virus
Worm
Multi-partite Cookies Web
Link Viruses
Macro
Attacks : Data leakage attack
Asynchronous attacks
Inference
Data leakage is removal of data from a system by covert means. It might be conducted through the use of Trojan horse, logic bomb, or scavenging methods. Are indirect attacks on a computer program that act by altering legitimate data or codes at a time when the programs is idle, then causing the changes to be added to the target program at later execution. An inference attack is where a user or an
Access controls
Page 7 of 100

Attack intruder is able to deduce information to which he had no privilege from information to which he has privilege. Data & Information Based on data and information
Hidden code attacks
Trapdoor attacks
Trapdoors are entry points built into a program created by programmers for debugging purposes. Major Risks: software disconnection and hacker entry. Back door is wide open for hackers The vendor can modify the software at will without the users knowledge or permission.
Use layered protection and disable activecontent code. (e.g. Active-X and Java script) from the Web browser are effective controls against such attacks. War dialling software
Spoofing attacks TOC/TOU is an e.g. of asynchronous attacks Traffic analysis Attack CG Script vulnerable Logic bomb
Firewall It takes advantage of timing differences between two events. Applying task sequence rules. Apply encryption tools Traffic padding technique Because it can be interpreted. A time bomb is a part of a logic bomb. A time bomb is a Trojan horse set to trigger at a particular time while the logic bomb is set to trigger at a particular condition ,event or command. Is a penetration technique capitalizing on a potential weakness in an OS that does not handle asynchronous interrupts properly, thus leaving the system in an unprotected state during such interrupts. It is a program that performs a useful function and an unexpected action as well as a form of virus. DAC is most vulnerable to Trojan horse attack. Back Office is a Trojan horse in windows OS. Computer viruses affect integrity, availability and usability. e-mail server is the best place to check for computer virus.
Nak attack
Trojan horse
Malicious code
Computer Virus
Malicious code
Page 8 of 100

Applets Malicious code Applets are small application programs written in various programming languages that are automatically downloaded and executed by applet-enabled web browsers. Anti-virus software scans every boot-up Uses a mutation engine to transform simple viruses into polymorphic ones for proliferation purposes. Remove and Clean are used interchangeably. Its a resident virus. Can be easily exploited when executing behind firewalls. Forms the basic component technology of the Active-X framework for Microsofts software component technology , it is platform specific in that Active-X contents can be executed by only a 32-bit windows platform . it is language independent can be written in C,C++,VisualBasic and Java. Has a sound security model to prevent malicious code behaviour. An effective means of preventing and detecting computer virus on a network . Technical measures to defend against computer virus.
Antivirus Methods Polymorphic virus Malicious code defn. Stealth virus Active-X controls
Malicious code Malicious code
Java applets Computer Virus Malicious code
Eavesdropping attack from remote access to Firewall s
Certify all disks prior to their use. Access controls , Audit trails, Least Privilege Principle. Session encryption is used to encrypt data between applications and end users. This provides strong authentication. Stream encryption encrypts and decrypts arbitrarily sized messages, not a strong authentication
Cryptographic attacks Ciphertextonly attack Replay an earlier successful authentication exchange
Focus on Cryptographic parameters(CSPscritical security parameters) contain keys , passwords, PINs. The most common attack against cryptographic. A time-stamp ,A sequence number, An unpredictable value.
Page 9 of 100
Attacks Eavesdropping and loss of confidentiality Eavesdropping also known as sniffing or snooping of network traffic. Telephone cloning
Telephone Tumbling attack Tumbling Attack A technique used to perpetrate wireless Fraud Login Spoofing
Counter Measure Encrypting the contents of the message or encrypting the contents of the channel over which it is transmitted. Electronic Signatures Call-screening System Digital technologies Pre-Call Validation system Analog Cellular Phone Cloning Providing a secure channel between the user and the system. Installing a hardware reset button Implementing a cryptographic authentication techniques. SSL
Session hijacking and Eavesdropping (intrusion) Session hijacking : An attacker connecting a covert computer terminal to a data communication line between the authorized terminal and the computer. Eavesdropping : A source of eavesdropping on the WWW web server is : System logs E-mail Spoofing
Pretty good Privacy (PGP)for the protection of computer files and electronic mail.
Page 10 of 100

Reprograms a Cellular phone with an ESN/MIN Pair from another phone IP Address Spoofing : e.g. session hijacking attacks. Not detected & reported by IDS. TCP session hijacking Confidentiality protection. Cloners
User Firewall,Disable active-content, use timestamps. Remove default accounts, install software patches, use encryption tools. Voice encryption Use secure shell protocol, apply end-to-end encryption, and Implement robust authentication techniques. Use packet filters Every possible key will be tried. This is similar to a known plain text attack. Change keys and increase in key length. Prevent and Intervenebest approach Caused by Temporary accounts setup by the ISP
Cloning of Cellular phones Sniffers
Flooding attacks Brute Force Attack
Network Attack Mail bombings Tunnelling Attack To exploit a weakness in a system that exists at a level below the developers design level (such as through operating system code versus application code). Active Attack: Non Preventable and detectable E.g. Active Threats : 1.Denial of message service 2.Masquerding. 3.Modification of message service. Passive Attack: Preventable but difficult to detect e.g. 1. Listing to a system password when the user types it. 2. Release of message contents and traffic analysis. Asynchronous Attacks
Cryptography
Cryptography
Take the advantage of dynamic
Page 11 of 100

system actions and the ability to manipulate the timing of those actions. Hackers-trying to login to computer systems Password sniffing Dial-back modems and firewalls One-time passwords and encryption. One time passwords are not susceptible to eavesdropping. Attack modem pools and access data networks through the private branch exchange (PBX) system. Can steal information and damage computer systems. A Call-accounting system provides hacking patterns. 1.Turning off direct inward system access(DISA) ports during nonworking hours. 2. disconnecting dial-in maintenance ports. Firewalls
Voice hacker :
Data hacker : Voice mail fraud Voice mail fraud prevention controls can be counter productive and counter balancing. Spoofing attack :-
Is tempering activity active attack Impersonating a user or system Spoofing synonymous : Mimcking,impersonating,Masquerding
Spamming : Posting indentical messages to multiple unrelated newsgroup on the internet. Sniffing or snooping : observing packets passing by on the network. Sniffing precedes Spoofing Is a surveillance activity and is a passive attack. Scanning,snooping and sniffing are lead to penetration attacks. Sniffing is monitoring network traffic. Hiddencode,Inference and Traffice analysis are based on data and information. Bufferoverflow eg. Of input validation error. Ping of death e.g. Buffer overflow attack, a part of Denial of service attack
E-mail filters are effective.
Hidden code 1. Use layered protections. 2. Disable active-content code.
Page 12 of 100

Denial of service attack Example : Flow exploitation attacks, Flooding attack,Distributed attacks,Smurf attack, SYN flood attack, Sendmail attack It compromise Availability properties of information systems. Most malicious Internet-based attack. Connection clogging denial-of-service attacks is less common in occurance. 1.Use faster hardware 2.use packet filters. 3. it can be prevented by Redundancy
MIM attacks
1.Implement digital signatures 2.use split knowledge procedures.
Locking-based attacksDegradation of service. Shoulder surfing
1.promoting education and awareness 2.preventing password guessing. 3.Asking people not to watch while password is being typed. Packet spoofing : Is the most sophisticated tool or technique that attackers use against computer systems. Packet-time stamping and packet-sequence counting.
Packet replay Impersonation :can be achieved by Forgery , Relay and Interception. Masquerading attacks
Analysing audit logs and journals
Attacks plus breach TCP Sequence number check e.g. Session hijacking attack. Piggyback attack : An intruder gains unauthorized access to a system by using a valid users
Detective controls : Reporting of the last time user accessed the system. Passive detection methods, logs are not reviewed unless there is a suspicion. A Penetration
Page 13 of 100

connection. Teardrop attack : Freezes vulnerable windows95 and linux hosts by exploiting a bug in the fragemented packet reaassembly routines. Locking attack : Prevents users from accessing and running shared programs such as those found in Microsoft office. Boot Sector : During computer booting ,where the master boot sector and boot sector code are read and executed. Worm :
A worm is self replicating program that is self-contained and does not require a host program. Searches the network for the idle computing resources and executes the program in small segments.
Multi-partite virus : Combines both sector and file infector viruses. Antivirus software : eg. of both preventive and detective control. Audit Trails : Detective control Policies and procedure : directive controls Contingency plan : recovery controls. Data leakage attacks : is removal of data from a system by covert means.it might be conducted through the use of Trojan horse,logic bombs, or scavenging methods. Inference attacks are based on : Data and information Link viruses : manipulate the directory structure of the media on which they are
Page 14 of 100

stored, pointing the operating system to virus code instead of legitimate code. Macro virus
Trapdoor
are stored In a spreadsheet or word processing document. Had the maximum number of encounters. It is difficult to detect. It resides in documents. Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program codes at a later date.its also called as hooks and back doors. Software disconnection and hacker entry are major risk.
War dialing software
Time-of-check to time-ofuse(TOC/TOU) e.g. of Asynchronous attack Traffic analysis attack Data inference attacks Logic bomb(time bomb) :
1.Apply task sequence rules. 2.Apply encryption rules. Traffic padding technique Access controls A malicious unauthorized act that is triggered upon information of a predefined event or condition and resides within a computer program is known as . A time bomb is a Trojan horse set to trigger at a particular time while the logic bomb is set to trigger at a particular condition,event or command. The Logic bomb could be a computer program or a code fragment. It is a program that performs a useful function and unexpected action as well a form of virus. Discretionary access control most vulnerable to Trojan horse attack. Backoffice is a Trojan horse in a Windows operating system. Affect integrity,availability and useability. Remove and Clean are used interchangeably. Password : technical measure . Anti-virus software scans evry bootup. Best place to check for Computer virus. Used A Mutation Engine
Trojan horse
Computer Virues
Antivirus method e-Mail Server A Polymorphic Virus
Page 15 of 100

Stealth Virus Malicious code Resident Virus Active-X controls can be easily exploited when executing behind firewalls. Java applets has a sound security model to prevent malicious code behaviour. Active-X control s form the basic component technology of Active-X framework. The recording and retransmission of message packets in the network. Most common attack against cryptographic.
Replay attack A ciphertext-only attack Effective controls to detect attempts to replay an earlier successful authenticationexchange Common method of computer system Social engineering
Timestamps,Nonces,Kerberos
A Time-stamps, A sequence number, An unpredictable value. Password cracking, Packet sniffing Send mail e.g. Trickery or coercion techniques people into divulging their passwords. An attack in which someone compels system users or administrators into revealing information that can be used to gain access to the system for personal gain . Trojan horse, Trapdoor, time bomb, virus or worm to perform intentional harm or damage. Discarded storage media, such as Using a data destruction paper documents and reports is a process. major and common problem. Obtaining information that may be left in or around a computer system after the execution of a job. Involves changing data before or during input to computers or during out from a computer system. Theft of small amounts of assets (money) from a number of sources. Physically or electronically- both methods involve gaining access to a controlled area without authorization. Passive wiretapping Traffic padding can be used to prevent traffic analysis attack.
Computer sabotage
Dumpster driving
Scavenging
Data diddling
Salami Technique Piggy-backing
Traffic analysis Traffic analysis
Page 16 of 100

Active Wiretapping Message stream modifications, including delay, duplication, deletion, or counterfeiting.
Tools : 1. Packet spoofing : Is the most sophisticated tool or technique that attackers use against computer systems. 2.Nmap is a sophisticated network-scanning tool.
Ping : Tells the location of a phone user. Merit Protection : o Privacy of location and privacy of transmission of contents. Secure o Digital systems are inherently more secure that analog cellular telephony because of their digital formats and error-checking and correction protocols.
Page 17 of 100

TDMA or CDMA use spread spectrum much more effectively than analog cellular and other traditional systems. o CDMA is inherently efficient and difficult to intercept. Its more efficient and secure than TDMA because its uses spread spectrum technology more efficiently. Its more difficult to crack because the coding scheme changes with each conversation and is given only once at the beginning of the transmission. RSA - Voice encryption schemes are based on RSA algorithm to provide privacy protection over mobile or cellular phones. As per the U.S. law o when scanner is used with intent to defraud is illegal. Possession or sale of electronic serial number (ESN) altering software is currently legal. o Phone cloning and call selling illegal. Remote Access: RAS Provides a security service in authenticating a remote network access. o
Protocols: Protocols SSL Characteristics Session-oriented protocol Public key (digital certificates) + symmetric key(DES) cryptography to perform
Page 18 of 100

authentication and encryption. It has become the de facto standard for secure communication on the internet. Strong authentication for Web server. All the Web network traffic dealing with a Firewall system is secured. TLS supports the SSL to perform client-to-server authentication process. Hiding capabilities and is useful to implement end-to-end VPN IPSEC- Supersedes PPTP Authentication at end nodes(limitations) Implemented on a Firewall for VPNs. Connectionless data communications. Connection oriented data communication. Connection oriented data communication. Connection oriented data communication. Communications protocol that allows a cellular phones to send and receive encrypted information over the internet. Wireless transaction protocol Wireless session protocol Wireless datagram protocol Wireless access protocol is an internet protocol that defines the way in which cell phones and similar devices can access the internet. Diffie-Hellman key each user has a private/public key. The authentication servers provides public/private keys to servers and clients. Provides authentication service. Provides a dynamic mapping of a 32 bit IP Address to a 48-bit physical hardware address. PEM standard for secure e-mail on the internet that support services such as encryption, digital signatures and digital certificates. Data encryption algorithm Message authentication Cryptographic key management for financial institution key management. Packet switching
PPTP
IPSEC Ethernet X.25 TCP WAN WTLS WTP WSP WDP WAP Secure RPC ARP X.509 X3.93 X9.9 X9.17 X.25 Frame Relay X9.63 X9.44 X.75 SET TLS CHAP SLIP ICMP
TCP SNA DECnet MAP
Key establishment schemes that employ asymmetric techniques. Is transport of symmetric algorithm keys using reversible public key cryptography. Public packet switched communications between network hubs. Secure transactions over the internet in terms of buying and selling of goods and services. Prevent Eavesdropping , tampering or message forgery. Communication privacy and data integrity over the internet. Re-authentication Does not provide error detection or correction mechanism. Function-Redirecting messages is used to trick routers and hosts. Checking remote hosts function of ICMP of TCP/IP cause a buffer overflow on the target machine. Used by the Internet Used by IBM Used by Digital Equipment Corporation Manufacturing Automation Protocol.
Page 19 of 100

Privacy enhanced Mail(PEM), PGP,X.400 X.500 Electronic Mail System. PEM & PGP are electronic-mail security programs. They both encrypt messages,sign messges, and are based on public key cryptography. X.400- message handling services for the e-mail scheme. Directory service
Web Server :
Page 20 of 100

SSL : Strong authentication for the Web Server. VPN : A VPN creates a secure , private network over the internet Encryption, Packet tunnelling , Firewalls. Make only one entry point to a companys network from the internet.
Intranet:
The integration of personal computers, LAN, WAN , mainframe legacy systems, and external systems. It can be used to link employees together , thus enabling easy communication, collaboration, and workflow. Help in resolving document distribution problems and in increasing employee productivity in an organization.
Communications and Network Security : Bypass Switch Fallback Switch Crossover Switch Matrix Switch
Page 21 of 100
Page 22 of 100
Page 23 of 100
Page 24 of 100
Page 25 of 100
Page 26 of 100
Page 27 of 100
Page 28 of 100
Page 29 of 100
Page 30 of 100
Page 31 of 100
Page 32 of 100
Page 33 of 100
Page 34 of 100
Page 35 of 100
Page 36 of 100
Page 37 of 100
Page 38 of 100
Page 39 of 100
Page 40 of 100
Page 41 of 100
Page 42 of 100
Page 43 of 100
Page 44 of 100
Page 45 of 100
Page 46 of 100
Page 47 of 100
Page 48 of 100
Page 49 of 100
Page 50 of 100
Page 51 of 100
Page 52 of 100
Page 53 of 100
Page 54 of 100
Page 55 of 100
Page 56 of 100
Page 57 of 100
Page 58 of 100
Page 59 of 100
Page 60 of 100
Page 61 of 100
Page 62 of 100
Page 63 of 100
Page 64 of 100
Page 65 of 100
Page 66 of 100
Page 67 of 100
Page 68 of 100
Page 69 of 100
Page 70 of 100
Page 71 of 100
Page 72 of 100
Page 73 of 100
Page 74 of 100
Page 75 of 100
Page 76 of 100
Page 77 of 100
Page 78 of 100
Page 79 of 100
Page 80 of 100
Page 81 of 100
Page 82 of 100
Page 83 of 100
Page 84 of 100
Page 85 of 100
Page 86 of 100
Page 87 of 100
Page 88 of 100
Page 89 of 100
Page 90 of 100
Page 91 of 100
Page 92 of 100
Page 93 of 100
Page 94 of 100
Page 95 of 100
Page 96 of 100
Page 97 of 100
Page 98 of 100
Page 99 of 100
Page 100 of 100

Chapter-2 Telecommunications &amp; Network Security

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter-2 Telecommunications &amp; Network Security

Uploaded by

Copyright:

Available Formats

Chapter 2: Telecommunications & Network Security