Module 3

1. Access Control and Intrusion Detection

2. Server Management and Firewalls
3. Security for VPN and Next Generation
Technologies

1.Access Control and Intrusion

Detection
It is better to prevent something
than to plan for loss.

01/28/17

Misuse Prevention
Prevention techniques: first line of
defense
Secure local and network resources
Techniques: cryptography,
identification, authentication,
authorization, access control,
security
filters, etc.
Problem:
Losses
occur!
01/28/17

Contributing Factors for Misuse

Many security flaws in systems
Secure systems are expensive
Secure systems are not userfriendly
Secure systems still have flaws
Insider Threat
Hackers skills and tools improve
01/28/17

Need:
Intrusion Prevention: protect
system resources
Intrusion Detection: (second line
of defense) discriminate intrusion
attempts from normal system usage
Intrusion Recovery: cost effective
recovery models
01/28/17

Intrusion Detection
systems

Terminology
Audit: activity of looking at user/system
behavior, its effects, or the collected data
Profiling: looking at users or systems to
determine what they usually do
Anomaly: abnormal behavior
Misuse: activity that violates the security policy
Outsider: someone without access right to the
system
Insider: someone with access right to the
system
Intrusion: misuse by outsiders and insiders
01/28/17

Phases of Intrusion
Intelligence gathering: attacker
observes the system to determine
vulnerabilities
Planning: attacker decide what
resource to attack (usually least
defended component)
Attack: attacker carries out the plan
Hiding: attacker covers tracks of attack
Future attacks: attacker installs
backdoors for future entry points
01/28/17

Definitions
Intrusion
A set of actions aimed to compromise
the security goals, namely
Integrity, confidentiality, or availability, of
a computing and networking resource

Intrusion detection
The process of identifying and
responding to intrusion activities
01/28/17

Intruders
significant issue for networked systems is
hostile or unwanted access
either via network or local
can identify classes of intruders:
masquerader
Misfeasor (a person who is guilty of
misfeasance: the wrongful performance of a
normally lawful act; the wrongful and injurious
exercise of lawful authority).
clandestine (secret) user

varying levels of competence

01/28/17

10

Intruders
clearly a growing publicized problem
may seem benign, but still cost
resources
may use compromised system to
launch other attacks

01/28/17

11

Intrusion Techniques
aim to increase privileges on system
basic attack methodology

target acquisition and information gathering

initial access
privilege escalation
covering tracks

key goal often is to acquire passwords

so then exercise access rights of owner

01/28/17

12

IDS/IPS Definition and

Classification

Contents
Overview of IDS/IPS
Components of an IDS/IPS
IDS/IPS classification
By scope of protection
By detection model

14/57

Overview of IDS/IPS
Intrusion
A set of actions aimed at compromising
the security goals (confidentiality,
integrity, availability of a
computing/networking resource)

Intrusion detection
The process of identifying and
responding to intrusion activities

Intrusion prevention
The process of both detecting intrusion
activities and managing responsive
actions throughout
the network.
15/57

Overview of IDS/IPS
Intrusion detection system (IDS)
A system that performs automatically the
process of intrusion detection.

Intrusion prevention system (IPS)

A system that has an ambition to both
detect intrusions and manage responsive
actions.
Technically, an IPS contains an IDS and
combines it with preventive measures
(firewall, antivirus, vulnerability assessment)
that are often implemented in hardware.
16/57

Components of an IDS/IPS
System activities are
observable

Incoming
traffic/logs

Data preprocessor
Activity data
Detectio
n
model(s)
Decision
criteria

Detection
algorithm
Alerts
Alert filter

17/57

Normal and intrusive

activities have distinct
evidence
Action/Repor
t

Components of an IDS/IPS
Data pre-processor
Collects and formats the data to be analyzed by
the detection algorithm.

Detection algorithm
Based on the detection model, detects the
difference between normal and intrusive audit
records.

Alert filter
Based on the decision criteria and the detected
intrusive activities, estimates their severity and
alerts the operator/manages responsive
activities (usually blocking).
18/57

Components of an IDS/IPS
Incoming traffic/log data
Packets headers contain routing
information, content may (and is more
and more) also be important for detecting
intrusions.
Logs a chronological set of records of
system activity.

19/57

Components of an IDS/IPS
Incoming traffic/log data (cont.)
Problems related to data
Inadequate format for intrusion detection
Information important for intrusion detection
is often missing (e.g. in log files).

Thus we need some data pre-processing

Adjust data format (relatively easy)
Resolve for missing data (not so easy)
Insertion of reconstructed values
Special distances (for unequal-length data
patterns).
20/57

Components of an IDS/IPS
Detection algorithm
Checks the incoming data for presence of
anomalous content.
A major detection problem
There is no sharp limit between normal and
intrusive it often depends on the context
hence statistical analysis of the input data
may be useful.
To determine the context, a lot of memory is
needed.
21/57

Components of an IDS/IPS
Alert filter
Determines the severity of the detected
intrusive activity.
A major decision problem
It is difficult to estimate the severity of
threat in real time.
Filtering is normally carried out by means of
a set of thresholds (decision criteria).
Thresholds should be carefully set in order to
maintain a high level of security and a high
level of system performance at the same
time.
22/57

IDS/IPS classification
By scope of protection (or by location)
Host-based IDS
Network-based IDS
Application-based IDS
Target-based IDS

By detection model
Misuse detection
Anomaly detection
23/57

Password Guessing

one of the most common attacks

attacker knows a login (from email/web page etc)
then attempts to guess password for it

try default passwords shipped with systems

try all short passwords
then try by searching dictionaries of common words
intelligent searches try passwords associated with the user
(variations on names, birthday, phone, common
words/interests)
before exhaustively searching all possible passwords

check by login attempt or against stolen password file

success depends on password chosen by user
surveys show many users choose poorly

01/28/17

24

Password Capture
another attack involves password
capture
watching over shoulder as password is entered
using a trojan horse program to collect
monitoring an insecure network login (eg.
telnet, FTP, web, email)
extracting recorded info after successful login
(web history/cache, last number dialed etc)

using valid login/password can

impersonate user
users need to be educated to use suitable
precautions/countermeasures
01/28/17

25

Why Is Intrusion
Detection Necessary?

Prevent

Detect

React/
Survive

Securityprinciples:layeredmechanisms
01/28/17

26

Intrusion Detection Techniques

1. Anomaly Detection
2. Misuse Detection

01/28/17

27

Rules and Profiles

Statistical techniques:
Collect usage data to statistically analyze data
Good for both anomaly-based and misusebased detection:
Anomaly-based: standards for normal behavior.
Warning when deviation is detected
Misuse-based: standards for misuse. Warning when
phases of an identified attack are detected

Threshold detection
E.g., number of failed logins, number of accesses to
resources, size of downloaded files, etc.

01/28/17

28

Rules and Profiles

Rule-based techniques:
Define rules to describe normal behavior
or known attacks
Good for both anomaly-based and
misuse-based detection:
Anomaly-based: looks for deviations from
previous usage
Misuse-based: define rules to represent
known attacks

01/28/17

29

Anomaly Detection Techniques

Assume that all intrusive activities are
necessarily anomalous flag all
system states that vary from a
normal activity profile .

01/28/17

30

Misuse Detection Techniques

Represent attacks in the form of
pattern or a signature (variations of
same attack can be detected)
Problem!
Cannot represent new attacks

01/28/17

31

Intrusion Types

Doorknob rattling
Masquerade attacks
Diversionary Attack
Coordinated attacks
Chaining
Loop-back

01/28/17

32

Doorknob Rattling
Attack on activity that
can be audited by the
system (e.g.,
password guessing)
Number of attempts is
lower than threshold
Attacks continue until
All targets are covered
or
Access is gained

01/28/17

33

Masquerading
Target 1
Change identity:
Im Y

Target 2
Login as
Y

Login as
X

Y
Legitimate
user
Attacker

01/28/17

34

Diversionary Attack
Create diversion to draw
attention away from
real target

TARGET

Real attack
Fake attacks
01/28/17

35

Coordinated attacks
Attacker

Target

Compromise system
to attack target

Multiple attack sources,

maybe over extended period
of time

01/28/17

36

Chaining
Attacker

Move from place to place

To hide origin and make
tracing more difficult

Target

01/28/17

37

Honeypots
In computer terminology, a honeypot is a trap
set to detect, deflect or in some manner
counteract attempts at unauthorized use of
information systems.
Generally it consists of a computer, data or a
network site that appears to be part of a network
but which is actually isolated and protected, and
which seems to contain information or a resource
that would be of value to attackers.
A honeypot that masquerades as an open proxy is
known as a sugarcane.

01/28/17

38

Honeypots
A honeypot is valuable as a surveillance and early-warning tool.
While often a computer, a honeypot can take on other forms, such as files or
data records, or even unused IP address space.
Honeypots should have no production value and hence should not see any
legitimate traffic or activity.
Whatever they capture can then be surmised as malicious or unauthorized.

One very practical implication of this is that honeypots designed to thwart

spam by masquerading as systems of the types abused by spammers to
send spam can categorize the material they trap 100% accurately: it is all
illicit. A honeypot needs no spam-recognition capability, no filter to separate
ordinary e-mail from spam. Ordinary e-mail never comes to a honeypot.

Honeypots can carry risks to a network, and must be handled with care.
If they are not properly walled off, an attacker can use them to actually break
into a system.

2. Server Management and

Firewalls

01/28/17

40

Firewalls
Similar to a Security Guard
Protects an organizations
network
Stands between internet and
Intranet
01/28/17

41

Firewall Concept

N
e
t
w
o
r
k
B
a
c
k
b
o
n
e

To
Internet

Corporate network

01/28/17

Firewall

42

What is a firewall?

Device that provides secure connectivity between

networks (internal/external; varying levels of
trust)
Used to implement and enforce a security policy
for communication between networks
Trusted Networks

Untrusted Networks
& Servers

Firewall

Untrusted Users

Internet
Router

Intranet
DMZ

Public Accessible
Servers & Networks
Trusted Users

01/28/17

43

Firewalls

From Websters Dictionary: a wall

constructed to prevent the spread of
fire
Internet firewalls are more the moat
around a castle than a building
firewall
Controlled access point

01/28/17

44

Firewalls can:
Restrict incoming and outgoing traffic
by IP address, ports, or users
Block invalid packets

01/28/17

45

Firewalls Cannot Protect

Traffic that does not cross it
routing around
Internal traffic

When misconfigured

01/28/17

46

Hardware Firewall

01/28/17

47

Software Firewall

01/28/17

48

A Firewall
Can filter traffic based on their source and
destination addresses, port numbers, protocol used,
and packet state.
Cannot prevent individual users with modems from
dialing in and out of the network.
Cannot protect against social engineering and
dumpster diving (Prevalent in the 1980s due to lax
security was the process of `dumpster diving'. A
curious hacker or malicious cracker would search in
the dumpsters of major corporations for thrown-out
manuals, passwords, credit card numbers, et cetera.
When corporations became aware of the need for
increased security (in the early 1990s), sensitive
documents were shredded before being placed in
dumpsters).
01/28/17

49

Who needs a firewall?

Anyone who is responsible for a
private network that is connected to
a public network.
Anyone who connects so much as a
single computer to the internet via
modem.

01/28/17

50

Basic Firewall Operation

01/28/17

51

Professional Firewall Model

01/28/17

52

Types of Firewalls

Packet Filter
Circuit Level Gateways
Application Level Gateways
Stateful Multilayer Inspection

01/28/17

53

Packet Filtering Firewall

01/28/17

54

Circuit Level Gateway

01/28/17

55

Application Level Gateway

01/28/17

56

Stateful Multilayer Inspection

01/28/17

57

Firewalls in Practice
A computer may be protected by
both a hardware and a software
firewall

Mode of Operation
A firewall that stands in between two
networks will inspect a packet that is
ready to pass between the networks
and allow or block the packet based
on the rules set for the firewall to
operate

General Firewall Features

Port Control
Network Address Translation
Application Monitoring (Program
Control)
Packet Filtering

Additional Firewall Features

Data encryption
Hiding presence
Reporting/logging
e-mail virus protection
Pop-up ad blocking
Cookie digestion
Spy ware protection etc.

Viruses and Firewalls

In general, firewalls cannot protect against
viruses
An anti-virus software is needed for that
purpose

However, many security suites such as

those offered by MacAfee and Norton offer
the complete protection
Some software firewalls such as Zone
Alarm Pro may contain limited virus
protection features

A Rule of Thumb
Use the best firewall and virus
protection although each may
originate from a different company

DMZ
Demilitarized zone
Neither part of the internal network
nor part of the Internet
Never offer attackers more to work
with than is absolutely necessary

Firewall Scenario
Microsoft Internet Security and
Acceleration (ISA) Server as a
Dedicated Server

Network Configuration
Local Area Network

Single Computer
Small Office Network
Less than 250 Clients
IP Network Protocol
Demand Dial Connectivity

Larger Organization
Array of ISA Server

Internet

ISA Server

Software Firewalls
Firewall for Windows
Zone Alarm
Winroute
Trojan Trap - Trojan Horse

Firewall for Linux

Iptables

Firewall for Mac

Netbarrier

Hardware Firewall

What is it?
What it does.
An example.
Firewall use.
What it protects you from.

Hardware Firewall (Cont.)

What is it?

It is just a software firewall running on a

dedicated piece of hardware or
specialized device.
Basically, it is a barrier to keep
destructive forces away from your
property.
You can use a firewall to protect your
home network and family from offensive
Web sites and potential hackers.

Hardware Firewall (Cont.)

What it does !
It is a hardware device that filters the
information coming through the Internet
connection into your private network or
computer system.
An incoming packet of information is
flagged by the filters, it is not allowed
through.

Hardware Firewall (Cont.)

An example !

Hardware Firewall (Cont.)

Firewalls use:
Firewalls use one or more of three
methods to control traffic flowing in
and out of the network:
Packet filtering
Proxy service
State-full inspection

Hardware Firewall (Cont.)

Packet filtering - Packets are analyzed against
a set of filters.

Proxy service - Information from the Internet is

retrieved by the firewall and then sent to the
requesting system and vice versa.

State-full inspection It compares certain key

parts of the packet to a database of trusted
information. Information traveling from inside to
the outside is monitored for specific defining
characteristics, then incoming information is
compared to these characteristics.

Hardware Firewall (Cont.)

What it protects you from:

Remote logins
Application backdoors
SMTP session hijacking
E-mail Addresses
Spam
Denial of service
E-mail bombs
E-mail sent 1000s of times till mailbox is full
Macros
Viruses

Software Firewall
What it is?
Also called Application Level Firewalls
It is firewall that operate at the
Application Layer of the OSI
They filter packets at the network layer
It Operating between the Datalink Layer
and the Network Layer
It monitor the communication type (TCP,
UDP, ICMP, etc.) as well as the
origination of the packet, destination port
of the packet, and application (program)
the packet is coming from or headed to.

Software Firewall (Cont.)

How does software firewall
works ?

Software Firewall (Cont.)

Benefit of using application firewalls:

allow direct connection between client and host

ability to report to intrusion detection software
equipped with a certain level of logic
Make intelligent decisions
configured to check for a known Vulnerability
large amount of logging

Software Firewall (Cont.)

Benefit of application firewalls

(Cont.)

easier to track when a potential vulnerability

happens
protect against new vulnerabilities before they
are found and exploited
ability to "understand" applications specific
information structure
Incoming or outgoing packets cannot access
services for which there is no proxy

Software Firewall (Cont.)

Disadvantage of Firewall:
slow down network access dramatically
more susceptible to distributed denial of service
(DDOS) attacks.
not transparent to end users
require manual configuration of each client
computer

Top Picks Personal

Firewalls
Norton Personal Firewall
ZoneAlarm Free/Plus/Pro

Web References

www.firewall.com
www.firewall-net.com
www.firewallguide.com
www.msdn.microsoft.com
www.winroute.com
www.tinysoftware.com
www.sunsite.unc.edu

Benefits of Firewall-Summary

Prevent intrusion
Choke point for security audit
Reduce attacks by hackers
Hide network behind a single IP
address
Part of total network security policy

References
http:// www.howstuffworks.com
http://www.microsoft.com
http://www.securityfocus.com
http://grace.com/us-firewalls.htm
http://www.kerio.com/us/supp_kpf_manual.h
tml
http://www.broadbandreports.com/faq/securit
y/2.5.1
.
http://www.firewall-software.com

Port Numbers
The Well Known Ports are those from 0
through 1023.
The Registered Ports are those from 1024
through 49151.
The Dynamic and/or Private Ports are
those from 49152 through 65535.
http://www.iana.org/assignments/port-numbers
ftp://ftp.isi.edu/in-notes/rfc1700.txt

Well-know TCP / UDP ports

TCP Port Number

Description

20

FTP (Data Channel)

21

FTP (Control Channel)

23

Telnet

80

HyperText Transfer Protocol (HTTP)

used for the World Wide Web

139

NetBIOS session service

UDP Port Number

Description

53

Domain Name System (DNS) Name

Queries

69

Trivial File Transfer Protocol (TFTP)

137

NetBIOS name service

138

NetBIOS datagram service

161

Simple Network Management Protocol

(SNMP)

References
http://www.tlc.discovery.com/convergence/hacker
s/hackers.html
http://www.tuxedo.org/~esr/faqs/hacker-howto.ht
ml
http://www.iss.net/security_center/advice/Underg
round/Hacking/Methods/Technical/
http://www.infosecuritymag.com/articles/march01/
features4_battle_plans.shtml
http://www.nmrc.org/faqs/www/wsec09.html
http://www.microsoft.com/. Tim Rains Technical Lead Networking
Team

Q310099, "Description of the Portqry.exe

Command-Line Utility"

Some Hardware Firewall

Manufacturers
DLink
Linksys
CISCO

Some Software Firewall

Features
Network access control
Trusted zones, Internet zones and
Blocked zones

Program access control

Program access to the Internet

Privacy control

Some Software Firewalls

Zone Alarm
Microsoft Widows Firewall
MacAfee Security Suite
Norton Security Suite

3. Security for VPN and Next

Generation Technologies

01/28/17

90

Traditional Connectivity

[From Gartner Consulting]

What is VPN?
Virtual Private Network is a type of private
network that uses public
telecommunication, such as the Internet,
instead of leased lines to communicate.
Became popular as more employees
worked in remote locations.
Terminologies to understand how VPNs
work.

Virtual Private Networks

Employees can access the network (Intranet)
from remote locations.
Secured networks.
The Internet is used as the backbone for VPNs
Saves cost tremendously from reduction of
equipment and maintenance costs.
Scalability

Remote Access Virtual

Private Network

(From Gartner Consulting)

Brief Overview of How it

Works
Two connections one is made to the
Internet and the second is made to
the VPN.
Datagrams contains data,
destination and source information.
Firewalls VPNs allow authorized
users to pass through the firewalls.
Protocols protocols create the VPN
tunnels.

Four Critical Functions

Authentication validates that the data
was sent from the sender.
Access control limiting unauthorized
users from accessing the network.
Confidentiality preventing the data to
be read or copied as the data is being
transported.
Data Integrity ensuring that the data
has not been altered

Encryption
Encryption -- is a method of
scrambling data before
transmitting it onto the Internet.
Public Key Encryption Technique
Digital signature for authentication

Tunneling
A virtual point-to-point connection
made through a public network. It
transports
Original Datagram
encapsulated datagrams.
Encrypted Inner Datagram
Datagram Header

Outer Datagram Data Area

Data Encapsulation [From Comer]

Two types of end points:

Remote Access
Site-to-Site

Four Protocols used in

VPN
PPTP -- Point-to-Point Tunneling Protocol
L2TP -- Layer 2 Tunneling Protocol
IPsec -- Internet Protocol Security
SOCKS is not used as much as the
ones above

VPN Encapsulation of Packets

Types of
Implementations
What does implementation mean
in VPNs?
3 types
Intranet Within an organization
Extranet Outside an organization
Remote Access Employee to Business

Virtual Private Networks (VPN)

Basic Architecture

Device Types
What it means
3 types
Hardware
Firewall
Software

Device Types: Hardware

Usually a VPN type of router
Pros

Cons

Highest network throughput

Cost

Plug and Play

Lack of flexibility

Dual-purpose

Device Types: Firewall

More security?
Pros

Cons

Harden Operating System

Still relatively costly

Tri-purpose
Cost-effective

Device Types: Software

Ideal for 2 end points not in same
org.
Great when different firewalls
implemented
Pros
Cons
Flexible

Lack of efficiency

Low relative cost

More labor
training required
Lower
productivity; higher
labor costs

Advantages
VS.
Disadvantages

Advantages: Cost
Savings
Eliminating the need for expensive longdistance leased lines
Reducing the long-distance telephone
charges for remote access.
Transferring the support burden to the
service providers
Operational costs

Cisco VPN Savings Calculator

Advantages: Scalability
Flexibility of growth
Efficiency with broadband technology

Disadvantages
VPNs require an in-depth understanding of
public network security issues and proper
deployment of precautions
Availability and performance depends on
factors largely outside of their control
Immature standards
VPNs need to accommodate protocols other
than IP and existing internal network
technology

Applications: Site-to-Site
VPNs
Large-scale encryption between
multiple fixed sites such as remote
offices and central offices
Network traffic is sent over the
branch office Internet connection
This saves the company hardware
and management expenses

Site-to-Site VPNs

Applications: Remote
Access

Encrypted connections between mobile or

remote users and their corporate networks
Remote user can make a local call to an
ISP, as opposed to a long distance call to
the corporate remote access server.
Ideal for a telecommuter or mobile sales
people.
VPN allows mobile workers &
telecommuters to take advantage of
broadband connectivity.
i.e. DSL, Cable

Industries That May Use a

VPN

Healthcare: enables the transferring of confidential patient

information within the medical facilities & health care provider

Manufacturing: allow suppliers to view inventory & allow clients to

purchase online safely
Retail: able to securely transfer sales data or customer info between
stores & the headquarters
Banking/Financial: enables account information to be transferred
safely within departments & branches
General Business: communication between remote employees can
be securely exchanged

Statistics From GartnerConsulting*

*Source: www.cisco.com

Some Businesses using a

VPN
CVS Pharmaceutical Corporation upgraded
their frame relay network to an IP VPN
ITW Foilmark secured remote location
orders, running reports, & internet/intranet
communications w/ a 168-bit encryption
by switching to OpenReach VPN
Bacardi & Co. Implemented a 21-country,
44-location VPN

Where Do We See VPNs

Going in the Future?
VPNs are continually being enhanced.
Example: Equant NV
As the VPN market becomes larger, more
applications will be created along with
more VPN providers and new VPN types.
Networks are expected to converge to
create an integrated VPN
Improved protocols are expected, which
will also improve VPNs.

Pop Quiz!
Q.1
VPN stands for
a) Virtual Public Network

b) Virtual Private Network

c) Virtual Protocol Network

d) Virtual Perimeter Network

Pop Quiz!
A.1
VPN stands for

b) Virtual Private Network

VPN stands for "Virtual Private Network" or "Virtual Private Networking." A VPN is a
private network in the sense that it carries controlled information, protected by various
security mechanisms, between known parties. VPNs are only "virtually" private, however,
because this data actually travels over shared public networks instead of fully dedicated
private connections.

Pop Quiz!
Q.2
What are the acronyms for the 3 most common VPN
protocols?

Pop Quiz!
A.2
3 most common VPN protocols are

PPTP
L2TP
IPsec
PPTP, IPsec, and L2TP are three of today's most popular VPN tunneling protocols. Each
one of these is capable of supporting a secure VPN connection.

Pop Quiz!
Q.3
What does PPTP stand for?

Pop Quiz!
A.3
PPTP = Point-to-Point Tunneling Protocol !

Pop Quiz!
Q.4
What is the main benefit of VPNs compared to
dedicated networks utilizing frame relay, leased
lines, and traditional dial-up?
a) better network performance

b) less downtime on average

c) reduced cost

d) improved security

Pop Quiz!
A.4
The main benefit of VPNs is

c) reduced cost
The main benefit of a VPN is the potential for significant cost savings compared to
traditional leased lines or dial up networking. These savings come with a certain amount
of risk, however, particularly when using the public Internet as the delivery mechanism
for VPN data.

Pop Quiz!
Q.5
In VPNs, the term "tunneling" refers to

a) an optional feature that increases

network performance if it is turned on

b) the encapsulation of packets inside packets of

a different protocol to create and maintain the
virtual circuit

c) the method a system administrator uses to detect hackers on the network

d) a marketing strategy that involves selling VPN products for very low prices in return for expensive service contracts

Pop Quiz!
A.5
In VPNs, the term "tunneling" refers to

b) the encapsulation of packets inside packets

of a different protocol to create and
maintain the virtual circuit