
Notes prepared by R. Gurunath

CHAPTER 1

Network security fundamentals


Security is a state of well-being of information and infrastructure in which the possibility
of successful yet undetected theft, tampering and disruption of information and services
is kept low or tolerable.
OR
Security is freedom from risk or danger, i.e. safety; security also means freedom from
doubt, anxiety or fear, i.e. confidentiality.

It is impossible to talk about computer networks without security and it is impossible to
talk about computer security without networks. The two are interconnected with each
other.

THE ONLY SAFE COMPUTER IS A DEAD COMPUTER

Most businesses use “data systems” to store sensitive company information. To secure an
information system today, you should be able to balance authorized access needs with
system and data protection. Too much security prevents access, while too little
security leaves the system vulnerable to data theft or attack, so controlling access to
information systems will help you ensure a proper balance of security and access.

Security vulnerabilities and threats

• A threat is a person, thing, event or idea which poses some danger to an asset (in
  terms of confidentiality, integrity, availability or legitimate use).
• An attack is a realisation of a threat.

Threats to computers and networks have been an issue since computers began to be used
widely by the general public. Nowadays, any computer or network that is connected to
the Internet is at risk.

Basic Types of Threats

• Probes and scans - attempts to gain access or discover information about remote
  computers
• Account compromise - discovery of user accounts and their passwords
• Packet sniffing - capturing data that is sent across a network; the data can contain
  sensitive information like passwords
• Denial of service - flooding a network with requests that can overwhelm it and
  make a computer slow down or ultimately crash
• Malicious code - Trojan horses, worms, viruses

[A Trojan horse is a program in which malicious or harmful code is contained inside
apparently harmless programming or data in such a way that it can get control and do
its chosen form of damage, such as ruining the file allocation table or hard disk. A
Trojan horse may be widely redistributed as part of a computer virus.]

[A computer worm is a self-replicating computer program, similar to a computer
virus. A virus attaches itself to, and becomes part of, another executable program; a
worm is self-contained and does not need to be part of another program to propagate
itself.]

• Spoofing - making a computer look like a "trusted computer"

Basic Types of Vulnerabilities

Although there are many, many vulnerabilities in computer systems and networks today,
the main vulnerabilities that are likely to cause you harm are:

1. Default software installations
2. Ineffective use of authentication
3. Patches not applied
4. Too many open ports and services running
5. Not analyzing incoming packets
6. Backups not maintained and verified
7. Lack of protection against malicious code

Classification of security services

To assess the security needs of an organization and to evaluate and choose among various
security products and security policies, the manager responsible for security needs some
systematic way of defining the requirements and the approaches to satisfying them.

The security architecture focuses on Services, Attacks and Mechanisms.

Security Services

A processing or communication service that enhances the security of data systems and
information transfers of an organization. These services are intended to counter security
attacks and they make use of one or more security mechanisms to provide the service.

Security over the Internet is mainly concerned with securing communications in and out
of a particular site. Many frameworks are used to describe the security aspects of systems;
the following is the one used by ISO 7498-2. There are six main security services:
Authentication, Access Control, Confidentiality, Integrity, Non-repudiation and
Availability.

Authentication relates to ensuring that users and computers are who they claim to be by
establishing proof of identity. Authentication can be accomplished, for example, through
biometric identifiers, smart cards, tokens or passwords, or a combination of the
above.

Access Control is the means by which the ability to use a computer resource is explicitly
enabled or restricted. This protects against the unauthorised use and manipulation of
resources. This should protect confidentiality, integrity and legitimate use of a system.

Confidentiality is the act of limiting disclosure of private information, maintaining the
trust that an individual has placed in one who has been entrusted with private matters.
There are two types of confidentiality components, one relating to data and the other to
traffic flow. Data confidentiality safeguards the contents of data from unauthorised
disclosure, for example by using encryption. Traffic flow confidentiality prevents the
exploitation of information relating to traffic flow, again by using encryption or traffic
padding.

Integrity is the property that information is changed only in a specified and authorised
manner. There are several components to integrity: data integrity, program
integrity, system integrity, and network integrity. Data integrity refers to the accuracy,
consistency and completeness of data. Program integrity refers to the quality of the
software design and protection against changes. System integrity is the capability of an
automated system to perform its intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorised manipulation. Network integrity extends system
integrity to networks.

Non-repudiation assures that information and/or actions that purport to be from (or
purport not to be from) a user or system are as claimed. In other words, it provides
evidence to prevent a person from unilaterally modifying or terminating obligations
arising out of a transaction effected by computer-based means.

Availability: A variety of attacks can result in the loss of or reduction in availability.
These attacks are countered by measures such as authentication and
encryption to safeguard the information.

Attacks on security

Any action that compromises the security of information. There are two groups of
attacks:
• Passive attacks
• Active attacks
Passive attacks: In a passive attack, the attacker’s goal is to obtain information.
This means that the attack does not modify data or harm the system. These attacks are
difficult to detect.
Active attacks: An active attack may change the data or harm the system. Active
attacks are normally easier to detect than to prevent, because an attacker can launch them
in a variety of ways.
The following table shows the examples of active and passive attacks:

Attacks              Passive/Active    Threatening
Snooping             Passive           Confidentiality
Traffic analysis     Passive           Confidentiality
Modification         Active            Integrity
Masquerading         Active            Integrity
Replaying            Active            Integrity
Repudiation          Active            Integrity
Denial of service    Active            Availability

Snooping: refers to unauthorized access to or interception of data. To prevent snooping,
data can be made unintelligible to the interceptor by using encipherment techniques.
Traffic analysis: Although encipherment of data may make it unintelligible to the
interceptor, the interceptor can still obtain some other type of information by monitoring
online traffic, e.g. an email address.
Modification: After intercepting or accessing information, the attacker modifies the
information to make it beneficial to the attacker. E.g. intercepting the messages of a bank
transaction and subsequently changing the type of transaction.
Masquerading: Masquerading, or spoofing, happens when the attacker impersonates somebody
else. E.g. a user tries to contact a bank, but another site pretends that it is the bank and
obtains some information from the user.
Replaying: Replaying is another attack. The attacker obtains a copy of a message sent by
a user and later tries to replay it. E.g. a person sends a request to the bank to ask for
payment to another person. The attacker intercepts the message and sends it again to
receive another payment from the bank.
Repudiation: This attack is performed by one of the two parties in the communication.
The sender of the message might later deny that he has sent the message; the receiver of
the message might later deny that he has received the message.

Security Mechanisms

A process designed to detect, prevent and recover from security attacks. The mechanisms
are the following:
Encipherment: hiding or covering data, which can provide confidentiality. Cryptography is
used for encrypting messages.
Data integrity: This mechanism appends to the data a short check value that has been
created by a specific process from the data itself. The receiver receives the data and the
check value, creates a new check value from the received data and compares the newly
created check value with the one received. If the two check values are the same, the
integrity of the data is preserved.
Digital signature: the means by which the sender can electronically sign the data and the
receiver can electronically verify the signature.
Authentication exchange: Two entities exchange some messages to prove their identity to
each other.
Traffic padding: means inserting some bogus data into the data traffic to thwart an
interceptor’s attempt to use traffic analysis.
Routing control: means selecting and continuously changing different available routes
between the sender and receiver to prevent the opponent from eavesdropping on a
particular route.
Notarization: means selecting a trusted third party to control the communication between
two entities.
Access control: uses methods to prove that a user has the right to access the data or
resources owned by a system. E.g. proofs like a password and a PIN.
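
The data integrity mechanism and the replaying attack described above can be seen together in the following added example, which is not part of the original notes. It assumes the check value is a keyed HMAC-SHA256 (an unkeyed hash could be recomputed by whoever modifies the data) and that a random per-message nonce is used to spot replays; the names protect, Receiver and demo are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 check value length in bytes
NONCE_LEN = 16  # random per-message value used to detect replays


def protect(key: bytes, data: bytes) -> bytes:
    """Sender side: return nonce || data || check value."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(key, nonce + data, hashlib.sha256).digest()
    return nonce + data + tag


class Receiver:
    """Receiver side: recompute the check value, compare, then reject replays."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()  # in practice bounded, e.g. by a timestamp window

    def accept(self, wire: bytes) -> bytes:
        if len(wire) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated message")
        nonce, data, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, nonce + data, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("integrity check failed")
        if nonce in self.seen_nonces:
            raise ValueError("replayed message")
        self.seen_nonces.add(nonce)
        return data


def demo() -> list:
    """Run three cases on a constructed bank message and return the outcomes."""
    key = os.urandom(32)  # assumption: shared secret agreed out of band
    rx = Receiver(key)
    wire = protect(key, b"PAY 100 TO ALICE")  # constructed sample message
    outcomes = [rx.accept(wire).decode()]
    tampered = wire[:NONCE_LEN] + b"PAY 900 TO ALICE" + wire[-TAG_LEN:]
    for attempt in (tampered, wire):  # a modified copy, then an exact replay
        try:
            rx.accept(attempt)
        except ValueError as err:
            outcomes.append(str(err))
    return outcomes
```

The modified copy fails the check value comparison, while the exact replay passes it and is rejected only because its nonce has already been seen.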

--------------

Additional information on threats and vulnerabilities

Probes and Scans

A probe is characterized by unusual attempts to gain access to a system or to discover information
about the system. A scan is a way of performing multiple probes using an automated tool. The
most common kind of scan is a "port scan." This kind of scan queries for listening ports on a
remote computer. Scans are often a prelude to a more directed attack on systems that the intruder
has found to be vulnerable.

Account Compromise

Account compromise is the discovery of user accounts and their passwords on a system. It allows
an unauthorized user to gain access to all resources for which that user account is authorized. An
account compromise might expose the victim to serious data loss, data theft, or theft of services.
Limiting the number of user accounts that have root-level access or administrative privileges
minimizes potential damage; however, access to a user-level account is often an entry point for
greater access to the system.

Packet Sniffer

A packet sniffer is a program that captures data from information packets as they travel over the
network. That data may include user names, passwords, and proprietary information that travels
over the network. If the data captured by a packet sniffer is encrypted it is unlikely that someone
will be able to reveal any sensitive information. However, if the data is not encrypted, just about
any information sent is vulnerable to being compromised.

Denial of Service

The goal of denial of service attacks is not to gain unauthorized access to machines or data, but to
prevent legitimate users of a service from using it. A denial of service attack can come in many
forms. Attackers may "flood" a network with large volumes of data or deliberately consume a
scarce or limited resource such as process control blocks or pending network connections. They
may also disrupt physical components of the network or manipulate data in transit, including
encrypted data.

Malicious Code

Malicious code is a general term for programs that, when executed, can cause undesired results
on a system. Users of the system usually are not aware of the program until they discover the
damage. Malicious code includes Trojan horses, viruses, and worms. These sorts of programs can
lead to serious data loss, downtime, denial of service, and other types of undesirable effects.

Spoofing

Computers on networks often have trust relationships with one another. For example, before
executing some commands, the computer checks a set of files that specify which other computers
on the network are permitted to use those commands. If attackers can forge their identity,
appearing to be using the trusted computer, they may be able to gain unauthorized access to other
computers.

Default Software Installations

A default software installation is where an operating system or application software is installed
using all the default settings built in by the programmers. Performing a default software
installation on computers with sensitive data is not good practice, especially when the chosen
software is likely to be used by many people, such as on a public access computer or web server.

Servers are installed with default user accounts. It is therefore important to:

• Disable guest accounts
• Disable the Everyone group account for Windows NT/2000/XP
• Don't run important daemons as root (inetd)
• Rename the administrator account
• Set a strong password for the administrator account

Ineffective Use of Authentication

Authentication is the process of proving who you are to a system using one or more
authentication methods. Authentication can be based on what you know (such as a password),
based on what you have (such as a smart card), or based on who you are (such as biometrics).
Most organizations rely on authentication via passwords. Passwords can be a fairly secure form
of authentication when they are created properly.

Patches Not Applied

All too frequently, patches for known security problems are not applied during a default
installation.

Too Many Open Ports and Services Running

Ports are labels—ways to identify services that are running on particular machines. Ports have
identification numbers which are included with every TCP or UDP packet. Services that are
running on a machine are programmed to be on the alert to "listen" for packets that arrive from
other computers with matching port numbers. Thus, the types of ports your server has open can
give away a lot of information about it. In addition, the more ports your servers have open, the
more options there are to connect to that server.

Not Analyzing Incoming Packets

All information—web pages, email messages, etc.—is broken down into packets before being
transmitted. Each packet of a transmission has the service's port number, the sender's IP address,
the destination IP address, and a packet number. All of the packets in a transmission are
numbered in sequential order. Analyzing incoming packets allows you to weed out packets that
don't match the rules that have been built into a network device's table of acceptable traffic, such
as spoofed packets or packets utilizing the wrong port for a service.
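
The packet analysis just described, shown as an added example that is not part of the original notes: each packet is checked against a table of acceptable traffic, and packets with a spoofed source or the wrong port for a service are dropped. The network range, server addresses and the check function are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str     # sender's IP address
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination (service) port number


# Constructed example network, using documentation address ranges.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")
# Table of acceptable inbound traffic: (destination host, protocol, port).
ACCEPTABLE = {
    ("192.0.2.10", "tcp", 80),    # web server
    ("192.0.2.10", "tcp", 443),
    ("192.0.2.25", "tcp", 25),    # mail server
}


def check(pkt: Packet) -> str:
    """Return 'accept' or a 'drop: reason' verdict for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside":
        # A packet arriving from outside cannot truthfully carry an inside,
        # loopback or unspecified source address: treat it as spoofed.
        if src in INSIDE_NET or src.is_loopback or src.is_unspecified:
            return "drop: spoofed source"
        if (pkt.dst, pkt.proto, pkt.dport) not in ACCEPTABLE:
            return "drop: not in table of acceptable traffic"
        return "accept"
    # Leaving the inside network: the source must be one of our own addresses.
    if src not in INSIDE_NET:
        return "drop: spoofed source"
    return "accept"


SAMPLE = [  # constructed packets
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 443),
    Packet("outside", "192.0.2.99", "192.0.2.10", "tcp", 443),
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp", 23),
    Packet("outside", "198.51.100.7", "192.0.2.25", "tcp", 443),
    Packet("inside", "203.0.113.5", "198.51.100.7", "tcp", 80),
]
VERDICTS = [check(p) for p in SAMPLE]
```

The fourth sample packet reaches a real server but on a port that server does not offer, so it is dropped by the table lookup rather than by the spoofing check.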

Backups Not Maintained and Verified

One of the aims of risk assessment is to show how many hours an asset such as a server can be
down before it starts to impact the library's mission. If backups are not made daily, or at an
interval acceptable to your library, you won't be able to quickly recover from data loss caused by
security breaches, other disasters (such as utility problems), or acts of nature (like floods).
Backups also should be tested to ensure that data has been backed up properly and that staff has
enough familiarity with the recovery procedure. Backups should be maintained offsite along with
copies of the hardware specifications and the backup software installation media.

Lack of Protection against Malicious Code: Viruses, Worms, Trojan Horses

A virus is a program that reproduces by attaching to another program. It may damage data
directly, or it may degrade system performance by taking over needed system resources which are
then not available to authorized users. Worms are independent programs that reproduce by
copying themselves from one system to another, usually over a network. Trojan horses are
programs that appear to perform a useful function but actually hide another unauthorized program
inside them. When an authorized user performs the apparent function, the Trojan horse performs
the unauthorized function as well (often usurping the privileges of the user).

All of these threats and vulnerabilities must be anticipated, especially when the threat is due to
staff ignorance. They certainly must not be ignored—an ostrich with its head in the sand is only
getting its head dirty. Threats and vulnerabilities must be carefully examined to see whether or
not they apply to your library's computers and networks, staff and procedures. Then they must be
analyzed to devise strategies to counter them.
