
Chapter 4 Computer Security Technology and Intrusion Detection

Q.1 What is a firewall? List different types of firewall. S-11, W-11, W-12.


Ans. :
Firewall :
A firewall is a device that can be software or a hardware device. The main aim
of a firewall is to separate a secure area from a less secure area and to control
communications between the inside and the outside world.
Following are the types of firewall:
a. Software Firewall
b. Hardware Firewall
c. Packet Filtering Router
d. Proxy Server
e. Hybrid
f. Application Level Gateways
g. Circuit Level Gateways

Q.2 Explain the working of a firewall, its design principles, capabilities and limitations.
S-13.
OR What are the limitations of a firewall? S-09.
OR Describe the working principle of a firewall. W-10.
Ans.
1. The firewall is a partition between a private (trusted) network and a public
(untrusted) network, and it inspects all traffic (packets) passing through it.
The firewall should have the following attributes:
a. All traffic should pass through the firewall.
b. The firewall should allow only authorized traffic.
c. The firewall itself should be immune to penetration.
2. It is an effective means of protecting a system or network from network-based threats
while still allowing access to the outside world via wide area networks and the Internet.
3. A firewall is placed at the network gateway to protect the internal resources of a
private network from the public network.
4. An organization installs a firewall to prevent outsiders from accessing its private
data resources while allowing its employees to access outside resources. The firewall
also controls which outside resources the organization's employees may access.

5. The working of a firewall is similar to that of a router: it examines each network
packet to determine whether to forward it toward its destination or not. A firewall can
work together with a proxy server, which makes requests on behalf of workstation users in
the network.

Principle of firewall:
For any corporation, government agency or other organization, the information system
has typically evolved through the following stages, and the firewall has to fit each of them:
1. Centralized data processing system: The system has a central mainframe
which supports a number of directly connected terminals.
2. Local area networks: LANs interconnecting PCs and terminals to each other and
also to the mainframe.
3. Network location: It consists of a number of LANs interconnecting PCs, servers
and one or two mainframes.
4. Enterprise-wide network: It consists of multiple, geographically distributed
networks that are interconnected by a private wide area network (WAN).
5. Internet connectivity: The various networks are hooked into the
Internet and may or may not be connected by a private WAN.

Capabilities of Firewall:
1. All traffic must pass through the firewall, either from inside to outside or vice
versa. This is achieved by physically blocking all access to the local network
except via the firewall.
2. Only authorized traffic, as defined by the local security policy, will be
allowed to pass through the firewall. Different types of firewalls implement
different types of security policies.
3. The firewall itself is immune to penetration. This implies the use of a hardened
system with a secured operating system.

Fig.: Firewall

Limitations of Firewall
1. A firewall cannot protect against attacks that bypass the firewall, for example an
internal system with its own dial-out or wireless connection to the outside.
2. A firewall does not protect against internal threats, such as an employee who
innocently or deliberately cooperates with an external attacker.
3. A firewall cannot protect against the transfer of virus-infected programs or files,
because it is impractical to scan every incoming file for all possible viruses.

Q.3 Explain software and hardware types of firewall. S-11


Ans. :
Software Firewall:
a. Software firewalls are designed to run on a single computer, so they are also known
as personal firewalls.
b. The firewall prevents unauthorized access to the computer over a network
connection by identifying risky ports and blocking communication over them.
c. For example, a computer uses port 80 to access Web pages and port 443 for secure
Web communications, so it expects to exchange data over these ports.
d. A software firewall can block any access from the Internet over a port on which the
computer does not expect to receive data. Software firewalls can also detect
"suspicious" activity from the outside world.
e. They can block access to a personal computer from an outside address when the
activity matches certain patterns, for example port scanning.
f. Some software firewalls allow the configuration of trusted zones, which permit
unlimited communication over a wide variety of ports. This type of access may be
necessary when a user starts a VPN client to access a corporate or business intranet.
Hardware Firewall:
a. Hardware firewalls are more complex than software firewalls. They have some
software components, and they run either on network devices or on a server
dedicated to the firewall.
b. The operating system underlying a hardware firewall should be minimal and very
difficult to attack. No other software should run on these machines, so they are
difficult to compromise and tend to be extremely secure.
c. A hardware firewall is placed between a network, such as a corporate network, and a
less secure area such as the Internet. Various versions of hardware firewalls are also
available for home users who want strong protection from potential Internet attacks.
d. There are many different default configurations: some will not allow any
communication from the outside until a set of rules is configured, whereas others
come configured to block access over risky ports.
e. In addition, hardware firewalls can have a wide variety of functionality: they can act
as caching servers, VPN endpoints, routers, etc.

Q.4 Describe the working of the single-homed bastion (screened host gateway) type of
firewall with a suitable sketch. W-13.
Ans.: Screened Host Firewall, Single-Homed Bastion:
1. Here, the firewall configuration consists of two parts: a packet filtering router and
an application level gateway (the bastion host).
2. The packet filtering router ensures that incoming traffic is allowed only if it is
intended for the application gateway, by examining the destination address field of
each incoming IP packet.

Fig.: Single-Homed Bastion

3. It also ensures that outgoing traffic is allowed only if it originated from the
application level gateway, by examining the source address field of every outgoing
IP packet. The application level gateway performs authentication as well as proxy
functions.
Advantages:
1. It improves the security of the network by performing checks at both levels, the packet
level and the application level.
2. It gives the network administrator the flexibility to define more security
policies.
Disadvantages:
1. Internal users are connected to the application gateway as well as to the packet filter
router. So if the packet filter router is compromised, traffic can flow directly between
the Internet and the internal hosts, bypassing the bastion host, and the whole internal
network is exposed to the attacker.
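The packet-level checks described in Q.2 (examine each packet, forward or drop) and the two screened-host rules above can be written down as a small stateless packet filter. The following is an added example, not code from the original notes: a first-match, default-deny rule evaluator run over a few constructed packets. The internal network 10.0.0.0/24, the bastion host 10.0.0.2, the proxied ports and all traffic below are assumptions for the demo.

```python
# Added example (not from the original notes): a minimal stateless packet filter
# implementing the screened-host rules (inbound only to the bastion's proxied
# services, outbound only from the bastion). Addresses, ports and packets are
# constructed for the demo.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumption
BASTION = ipaddress.ip_address("10.0.0.2")           # assumption: the application gateway

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    direction: str    # "in" (from outside) or "out" (from inside)
    src: str = "any"  # CIDR, single address or "any"
    dst: str = "any"
    proto: str = "any"
    dport: str = "any"   # single port, "low-high" range or "any"

def _match_addr(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _match_port(pattern, port):
    if pattern == "any":
        return True
    if "-" in pattern:
        low, high = (int(x) for x in pattern.split("-"))
        return low <= port <= high
    return port == int(pattern)

def rule_matches(rule, pkt, direction):
    return (rule.direction == direction
            and _match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and _match_port(rule.dport, pkt.dport))

def direction_of(pkt):
    """Which side the packet comes from, relative to the internal network."""
    return "out" if ipaddress.ip_address(pkt.src) in INTERNAL_NET else "in"

def filter_packet(rules, pkt):
    """First matching rule wins; anything no rule allows is denied (default deny)."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule_matches(rule, pkt, direction):
            return rule.action
    return "deny"

# Screened-host policy from Q.4: inbound only to the bastion's proxied services,
# outbound only from the bastion. Everything else falls through to default deny.
SCREENED_HOST_RULES = [
    Rule("allow", "in", dst=str(BASTION), proto="tcp", dport="25"),
    Rule("allow", "in", dst=str(BASTION), proto="tcp", dport="80"),
    Rule("allow", "in", dst=str(BASTION), proto="tcp", dport="443"),
    Rule("allow", "out", src=str(BASTION)),
]

SAMPLE_TRAFFIC = [  # constructed packets
    Packet("203.0.113.7", "10.0.0.2", "tcp", 51000, 443),   # to the bastion's web proxy: allow
    Packet("203.0.113.7", "10.0.0.15", "tcp", 51001, 445),  # straight to an internal host: deny
    Packet("203.0.113.7", "10.0.0.2", "tcp", 51002, 22),    # SSH to the bastion, not proxied: deny
    Packet("10.0.0.2", "198.51.100.9", "tcp", 40000, 80),   # bastion fetching for a client: allow
    Packet("10.0.0.15", "198.51.100.9", "tcp", 40001, 80),  # internal host bypassing the proxy: deny
]

def evaluate(rules=SCREENED_HOST_RULES, traffic=SAMPLE_TRAFFIC):
    return [filter_packet(rules, p) for p in traffic]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRAFFIC, evaluate()):
        print(f"{verdict:5s} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

The last two sample packets show the point of the screened-host rules: an internal host that tries to reach the Internet directly is dropped, so every session is forced through the bastion's proxies. The filter is stateless; replies to outbound connections would need matching inbound rules or connection tracking, which this demo omits.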

Q.5 Explain VPN with a neat diagram. Enlist the different VPN protocols. W-10.
OR State the meaning of Virtual Private Network with a suitable sketch. W-13.
OR Explain virtual private network with a diagram. S-13.
OR Describe VPN. S-09, W-09.
Ans. :
1. A virtual private network (VPN) is a network that uses a public
telecommunication infrastructure, such as the Internet, to provide remote offices or
individual users with secure access to their organization's network.
2. VPN is a mechanism employing encryption, authentication and integrity
protection so that a public network can be used as if it were a private network.
3. A VPN can connect distant networks of an organization, or it can be used to allow
travelling users to remotely access the organization's intranet, i.e. its private network.
4. VPN is a mechanism to create a private network over a public network like the
Internet. It depends on the use of virtual connections; these connections are
temporary and do not have any physical presence. They are made up of packets.
5. Suppose an organization has two networks, Network 1 and Network 2, which are
physically separate from each other, and the user wants to connect them using a
VPN.
6. In this case, the user needs to set up two firewalls, Firewall 1 and Firewall 2, for
encryption and decryption purposes.
7. The figure shows that Network 1 connects to the Internet via Firewall 1 and Network 2
via Firewall 2.
8. The important point here is that the two firewalls are virtually connected to each
other via the Internet with the help of a VPN tunnel between the two firewalls.

Fig.: VPN Between two Private Networks

VPN Protocols:
a. PPTP (Point-to-Point Tunnelling Protocol)
b. L2TP (Layer 2 Tunnelling Protocol)
c. IPSec

Q.6 What is Kerberos? Explain with a diagram the different servers involved in
Kerberos. W-08.
Ans.

Kerberos:
Kerberos is a network authentication protocol designed to provide strong
authentication for client/server applications. It uses secret-key cryptography, with a
trusted key distribution center (KDC) that holds the secret key of every user and
service.
Different servers involved in Kerberos:
1. The authentication server (AS) receives the request from the client and verifies that
the client is indeed a known principal by looking up the user's ID in its database.
2. After verification, the AS creates a session key together with a timestamp: the
current time plus an expiration time (lifetime). The default lifetime is 8 hours, after
which the session key is useless.
(This helps against an attacker who intercepts the data and tries to crack the key:
all keys can be cracked given enough time, but it will take much longer than 8 hours
to do so.)
3. Now the session key is sent back to the client, encrypted under the user's own secret
key, together with a ticket-granting ticket (TGT) issued by the AS. The TGT is encrypted
under the key of the ticket-granting server, so the client cannot read or modify it; it is
used to authenticate the client for future requests so that the password does not have to
be entered again.
4. The client submits this TGT to the ticket-granting server (TGS), together with an
authenticator (the client's name and the current time encrypted under the session key),
to prove that it is the legitimate holder of the TGT.
5. The TGS decrypts the TGT, checks the authenticator and the timestamp, then creates a
new session key and grants a service ticket (encrypted under the service server's
secret key) to the client.
6. The client decrypts the part of the reply meant for it, recovers the new session key,
and sends the service ticket with a fresh authenticator to the service server (SS) or
application.
7. The service server decrypts the ticket with its own secret key, recovers the session
key, and checks the validity of the authenticator's timestamp. The service server does
not need to contact the KDC; everything it needs is in the ticket.
8. If the ticket and timestamp are valid, the service server can reply with the
timestamp encrypted under the session key (mutual authentication), and communication
between the client and the server/application then begins, protected by the session key.
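The three exchanges above (AS, TGS and application server) can be simulated end to end with symmetric keys only, which makes the role of each server concrete. The following is an added example, not the Kerberos implementation or code from the original notes: the "cipher" is a constructed SHA-256 keystream with an HMAC tag standing in for the real Kerberos encryption types, and the principal names, keys and lifetimes are assumptions. Note that the service checks its ticket with nothing but its own key.

```python
# Added example (not from the original notes): toy simulation of the Kerberos
# AS, TGS and AP exchanges with the Python standard library. The cipher is a
# constructed stand-in (SHA-256 keystream + HMAC tag); names and keys are assumed.
import hashlib, hmac, json, os, time

LIFETIME = 8 * 3600          # ticket lifetime used in the notes (8 hours)
CLOCK_SKEW = 5 * 60          # authenticator freshness window (assumption)

def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict under a 32-byte key."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def user_key(password):
    """Long-term key derived from the user's password (assumed derivation)."""
    return hashlib.sha256(password.encode()).digest()

def validate_ticket(service_key, ticket, authenticator, now):
    """What any server does on receipt: decrypt with its own key, then check the authenticator."""
    t = decrypt(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    auth = decrypt(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("bad authenticator (replay or clock skew)")
    return t

def authenticator(session_key, client, now):
    return encrypt(session_key, {"client": client, "time": now})

class KDC:
    """Holds every principal's long-term key; offers the AS and TGS services."""
    def __init__(self):
        self.keys = {}
    def register(self, name, key):
        self.keys[name] = key
    def make_ticket(self, for_service, client, now):
        skey = os.urandom(32)                      # fresh session key
        ticket = encrypt(self.keys[for_service], {"client": client, "key": skey.hex(),
                                                   "issued": now, "expires": now + LIFETIME})
        return skey, ticket
    def as_exchange(self, client, now):
        if client not in self.keys:
            raise ValueError("unknown principal")
        skey, tgt = self.make_ticket("krbtgt", client, now)
        # the session key goes back under the user's password-derived key; the TGT is opaque to the user
        return encrypt(self.keys[client], {"key": skey.hex(), "expires": now + LIFETIME}), tgt
    def tgs_exchange(self, tgt, auth, service, now):
        t = validate_ticket(self.keys["krbtgt"], tgt, auth, now)
        skey, ticket = self.make_ticket(service, t["client"], now)
        return encrypt(bytes.fromhex(t["key"]), {"key": skey.hex(), "service": service}), ticket

def login_and_access(kdc, client, password, service, now=None):
    """Client side of all three exchanges; returns the client name the service saw."""
    now = now or int(time.time())
    ukey = user_key(password)
    enc_part, tgt = kdc.as_exchange(client, now)                                  # 1. AS exchange
    tgs_key = bytes.fromhex(decrypt(ukey, enc_part)["key"])                        # wrong password -> ValueError
    enc_part, st = kdc.tgs_exchange(tgt, authenticator(tgs_key, client, now), service, now)  # 2. TGS exchange
    svc_key = bytes.fromhex(decrypt(tgs_key, enc_part)["key"])
    # 3. AP exchange: the service validates the ticket with its own key; no KDC contact needed
    seen = validate_ticket(kdc.keys[service], st, authenticator(svc_key, client, now), now)
    return seen["client"]

def demo():
    kdc = KDC()
    kdc.register("krbtgt", os.urandom(32))       # TGS key
    kdc.register("mail/srv", os.urandom(32))     # service key, shared only between KDC and that service
    kdc.register("alice", user_key("correct horse"))
    return login_and_access(kdc, "alice", "correct horse", "mail/srv")
```

In the demo the service reaches into `kdc.keys` only because everything runs in one process; a real service holds its own copy of its key (a keytab) and never talks to the KDC while validating a ticket. A wrong password fails at the first `decrypt`, and a ticket presented after its lifetime, or with a stale authenticator, is rejected by `validate_ticket`.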

Q.7 What is Security Topology? Describe security zones in detail. W-10, W-12.
OR What is a Security Zone? List and explain the key aspects of creating and
designing security zones. W-11.
Ans.:
Security Topology:
A security topology is a logical map which shows the interconnectivity between
security devices, the networks which are protected by those security devices, and
security domains. The security topology helps to create IPsec VPNs on the network and
to configure firewall policies on the security devices.
Security Zone:
A security zone is a way of classifying websites into different security categories, so
that a different level of trust, and a different set of restrictions, applies to each
category. Following are the three main security zones:
1. Trusted sites: This zone is for sites that you trust.
2. Unclassified sites: This zone is for sites that you have not classified or are not
sure of.
3. Restricted sites: This zone is for sites that you don't trust and to which you want to
restrict access.
The Key Aspects of Creating and Designing Security Zones (as in the Internet Explorer
zone model):
a. Internet Zone:
This zone contains the Web sites that are not on the computer or on the local intranet
and that are not already assigned to another zone. The default security level is Medium.
b. Local Intranet Zone:
It contains all network connections that are established by using a Universal
Naming Convention (UNC) path, and Web sites that bypass the proxy server or have
names that do not include periods, like http://local, as long as they are not assigned to
either the Restricted Sites or the Trusted Sites zone.
The default security level is Medium for Internet Explorer 4 and Medium-low for
Internet Explorer 5 and 6. When accessing a local area network (LAN) or intranet share,
or an intranet Web site, by using an Internet Protocol (IP) address or a fully qualified
domain name (FQDN), the share or Web site is identified as being in the Internet zone
instead of the Local intranet zone.
c. Trusted Sites Zone:
Here are the Web sites that are trusted as safe, for example Web sites that are on
your organization's intranet or that come from companies in which you have confidence.
When a user adds a Web site to the Trusted Sites zone, it means that he believes
that files downloaded or run from that Web site will not damage the computer or data.
By default, the security level is set to Low.
d. Restricted Sites Zone:
This zone contains Web sites which are not trusted by the user. When a user adds a
Web site to this zone, he believes that files downloaded or run from the Web site
may damage the computer or data. By default, the security level is set to High.

Q.8 Explain VLAN and the types of VLAN. S-13


Ans.:
VLAN:
Virtual LANs are a method of taking a single switch and dividing it into multiple
broadcast domains and/or multiple network segments.
Types of VLANs:
1. Port Based VLANs (Layer 1):
a. Here, all the traffic arriving at a particular port is assigned to a specific VLAN,
independent of the user or system attached to the port.

Fig.: Port based VLAN

b. This means all users or systems attached to the port are members of the
same VLAN.
c. The network administrator typically performs the VLAN assignment. The port
configuration is static and cannot be automatically changed to another VLAN
without manual reconfiguration.
d. Hence it is possible to connect several VLANs to a single switch and they operate
concurrently.
e. With this type of VLAN, the data frame received on a particular port is not
altered but is forwarded to the correct port as per the configuration.

2. MAC Based VLANs (Layer 2):
a. The MAC-based VLAN feature allows incoming traffic to be assigned to a VLAN,
and thus classifies traffic, based on the source MAC address of the frame.
b. This makes it possible to connect the computers to any port of the switch; each
MAC address is mapped to its appropriate VLAN.

Fig.: MAC based VLAN

c. This approach is flexible because it removes the physical requirement of connecting a
particular device to a particular port.
d. It requires management overhead because every computer has to be manually
assigned to some VLAN, and a host that spoofs a known MAC address is placed in
that address's VLAN.

3. Protocol Based VLANs (Layer 2):
• In this type of VLAN, the traffic is assigned to a VLAN based on the
protocol (the Layer 3 protocol type carried in the frame) used for transmission.
• Different protocols are assigned to different VLANs, for example IP
traffic is assigned to one VLAN and all other remaining traffic to another.
• Because of this the network is logically segmented based on the
type of traffic used in each network.
4. IP Subnet Based VLANs (Layer 3):
a. In this type of VLAN, all the incoming traffic is divided according to the IP
subnet of the frame's source (or destination) address.
b. This provides great flexibility in the network because users can move
computers from one location to another and remain in the same
VLAN.
c. The disadvantage of this VLAN type is that it needs additional processing of the layer 3
header and therefore adds more latency than the other VLAN segmentation
methods.
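The four assignment methods above differ only in which field of the incoming frame the switch looks at. The following is an added example, not code from the original notes: an ingress classifier that parses a raw Ethernet frame (including an optional 802.1Q tag), applies the four methods in an assumed order of precedence, and refuses to honour a VLAN tag arriving on an access port, since letting an end host choose its own VLAN is how VLAN hopping starts. The switch tables, MAC addresses, subnets, VLAN numbers and frames are all constructed for the demo.

```python
# Added example (not from the original notes): VLAN classification of raw
# Ethernet frames by port, MAC, protocol and IP subnet, plus 802.1Q tag parsing.
# Tables, addresses and frames are constructed for the demo.
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

# Assumed switch configuration
TRUNK_PORTS = {4}                                      # only these ports may carry tagged frames
PORT_VLAN = {1: 10, 2: 10, 3: 20}                      # port-based (layer 1) default per access port
MAC_VLAN = {"00:11:22:33:44:55": 30}                   # MAC-based (layer 2)
PROTO_VLAN = {ETHERTYPE_IPV6: 40}                      # protocol-based: all IPv6 frames -> VLAN 40
SUBNET_VLAN = {ipaddress.ip_network("192.168.50.0/24"): 50}   # IP-subnet-based (layer 3)

def parse_frame(frame):
    """Return (dst_mac, src_mac, vlan_id_or_None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    vid, off = None, 14
    if etype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18                    # low 12 bits of the TCI are the VLAN ID
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return fmt(dst), fmt(src), vid, etype, frame[off:]

def ipv4_src(payload):
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return ipaddress.ip_address(payload[12:16])

def classify(port, frame):
    """Return (vlan, reason). Precedence (an assumption): tag on a trunk > MAC > subnet > protocol > port."""
    _, src_mac, vid, etype, payload = parse_frame(frame)
    if vid is not None:
        if port in TRUNK_PORTS:
            return vid, "802.1Q tag"
        return None, "dropped: tagged frame on access port"   # hosts must not pick their own VLAN
    if src_mac in MAC_VLAN:
        return MAC_VLAN[src_mac], "MAC-based"
    if etype == ETHERTYPE_IPV4:
        ip = ipv4_src(payload)
        for net, vlan in SUBNET_VLAN.items():
            if ip is not None and ip in net:
                return vlan, "subnet-based"
    if etype in PROTO_VLAN:
        return PROTO_VLAN[etype], "protocol-based"
    return PORT_VLAN[port], "port-based"

def build_frame(dst, src, etype, payload, vid=None):
    """Constructed test frame; optional 802.1Q tag with priority 0."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload

def ipv4_payload(src_ip):
    """Minimal 20-byte IPv4 header with only the version and source address filled in."""
    hdr = bytearray(20)
    hdr[0] = 0x45
    hdr[12:16] = ipaddress.ip_address(src_ip).packed
    return bytes(hdr)

BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [  # (ingress port, constructed frame)
    (1, build_frame(BCAST, "aa:bb:cc:dd:ee:01", ETHERTYPE_IPV4, ipv4_payload("10.1.1.5"))),
    (1, build_frame(BCAST, "00:11:22:33:44:55", ETHERTYPE_IPV4, ipv4_payload("10.1.1.6"))),
    (2, build_frame(BCAST, "aa:bb:cc:dd:ee:02", ETHERTYPE_IPV4, ipv4_payload("192.168.50.9"))),
    (3, build_frame(BCAST, "aa:bb:cc:dd:ee:03", ETHERTYPE_IPV6, b"\x60" + bytes(39))),
    (4, build_frame(BCAST, "aa:bb:cc:dd:ee:04", ETHERTYPE_IPV4, ipv4_payload("10.1.1.7"), vid=99)),
    (3, build_frame(BCAST, "aa:bb:cc:dd:ee:05", ETHERTYPE_IPV4, ipv4_payload("10.1.1.8"), vid=99)),
]

def run(samples=SAMPLE):
    return [classify(port, frame) for port, frame in samples]

if __name__ == "__main__":
    for (port, _), (vlan, why) in zip(SAMPLE, run()):
        print(f"port {port}: VLAN {vlan} ({why})")
```

The second sample frame lands in VLAN 30 purely because of its source MAC, regardless of the port it arrived on, which is the management convenience of MAC-based VLANs and also the reason a spoofed MAC inherits that membership. The last frame shows the check a practitioner wants on every access port: a client-supplied tag is discarded rather than trusted.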

Q.9 What is an intrusion detection system? Explain host based and network based
intrusion detection systems. W-12, W-11, W-09.
OR Describe IDS and its two types. S-09, S-13, S-12
OR Describe the two categories of Intrusion detection system. W-10
Ans.:
1. Intrusion Detection is the process of monitoring the events happening in a
computer system or network.
2. The Intrusion Detection process analyzes these events for possible incidents, which
are threats of violation of computer security policies, standard security practices or
acceptable use policies.
3. An Intrusion Detection System is like a burglar alarm system installed in a
house.
4. In case of an intrusion, the IDS will provide some type of warning or alert.
5. Intrusion Detection Systems are mainly divided into two categories, depending on
what they monitor.
Host-Based IDS:
This examines activity on an individual system, such as a mail server, web server or
individual PC. It is concerned only with that individual system and usually has no
visibility into the activity on the network or on the systems around it.

Network-Based IDS:
This examines activity on the network itself. It has visibility only into the traffic
crossing the network link it is monitoring and typically has no idea of what is happening
on individual systems.

Q.10 Describe host based intrusion detection (HIDS). Also state its advantages and
disadvantages. W-08.
OR Explain the working of a host based Intrusion Detection System. W-13.
Ans.:
1. A host based IDS checks log files, audit trails and network traffic coming into or
leaving a specific host.
2. A HIDS can operate in real time, looking for activity as it arises, or in batch mode,
looking for activity on a periodic basis.
3. Typically host based systems are self contained, but many newer commercial
products are designed to report to and be managed by a central system. These
systems also use local system resources to operate.
4. Older versions of host-based IDSs operated in batch mode, looking for
suspicious activity on an hourly or daily basis, and typically looked for particular
events in the system's log files.
5. With the increase in processor speed, newer host-based IDSs started looking through
the log files in real time, and the ability to examine the data traffic the host generates
and receives was also added.
6. Many host-based IDSs focus on the log files or audit trails produced by the local
operating system. On Windows systems, the examined logs are typically the
Application, System and Security event logs. On Unix systems, the examined logs
are generally the message, kernel and error logs.
7. Some host based IDSs have the ability to cover specific applications by examining
the logs produced by those applications or by examining the traffic of the
services themselves, like FTP or web services.
8. Activities a HIDS looks for in the log files are:
a. Logins at odd hours
b. Login authentication failures
c. Adding new user accounts
d. Modification or access of critical system files
e. Modification or removal of binary files
f. Starting or stopping processes
g. Privilege escalation
h. Use of certain programs
Fig.: Components of Host-based IDS
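Four of the activities in the list above (login failures, odd-hour logins, new user accounts, privilege escalation) can be shown as batch-mode detection logic over a Unix authentication log. The following is an added example, not code from the original notes or from any IDS product: a small parser and rule set run over a few constructed syslog-style lines. The log format, host and user names, the "odd hours" window and the failure threshold are all assumptions.

```python
# Added example (not from the original notes): batch-mode HIDS checks over
# constructed Linux auth-log lines. Format, names and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

ODD_HOURS = range(0, 6)           # 00:00-05:59 counts as "odd hours" (assumption)
FAILED_LOGIN_THRESHOLD = 3        # alert on the 3rd failure from one source (assumption)
YEAR = 2024                       # syslog lines carry no year (assumption)

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
PATTERNS = {
    "failed_login": re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "login":        re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "new_user":     re.compile(r"new user: name=(?P<user>[^,]+)"),
    "sudo":         re.compile(r"(?P<user>\S+) : TTY=.* ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)"),
}

def parse_line(line):
    """Split one syslog-style line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}

def analyze(lines):
    """Return a list of (kind, detail) alerts; failures are counted per source so bursts can be seen."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                   # unparseable line: skipped, not an alert
        msg = rec["msg"]
        if (m := PATTERNS["failed_login"].search(msg)):
            failures[m["src"]] += 1
            if failures[m["src"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", f"{m['src']} -> {m['user']}"))
        elif (m := PATTERNS["login"].search(msg)):
            if rec["ts"].hour in ODD_HOURS:
                alerts.append(("odd_hour_login", f"{m['user']} at {rec['ts']:%H:%M}"))
        elif rec["prog"] == "useradd" and (m := PATTERNS["new_user"].search(msg)):
            alerts.append(("new_user_account", m["user"]))
        elif rec["prog"] == "sudo" and (m := PATTERNS["sudo"].search(msg)):
            if m["target"] == "root":
                alerts.append(("privilege_escalation", f"{m['user']} ran {m['cmd'].strip()}"))
    return alerts

SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40110 ssh2
Mar  3 02:14:09 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar  3 02:14:11 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 40114 ssh2
Mar  3 02:15:30 web1 sshd[1210]: Accepted password for deploy from 203.0.113.9 port 40120 ssh2
Mar  3 02:16:02 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m backup2
Mar  3 02:16:02 web1 useradd[1222]: new user: name=backup2, UID=1002, GID=1002, home=/home/backup2, shell=/bin/bash
Mar  3 09:30:15 web1 sshd[1300]: Accepted publickey for alice from 10.0.0.12 port 51000 ssh2
""".splitlines()   # constructed sample; the 09:30 login is the only line that should stay quiet

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

The sample shows why the individual checks are worth correlating: the burst of failures, the odd-hour login, the sudo to root and the new account all come from one source within two minutes. It also shows the last disadvantage listed below: since these rules read the local log, an attacker who gains root at 02:16 can simply delete the lines that would have raised the alerts, unless the log is shipped off the host.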

Advantages:
1. Operating system specific and detailed signatures.
2. Examines data after it has been decrypted.
3. Very application specific.
4. Can determine whether or not an alert would actually impact that specific system.

Disadvantages:
1. Requires a process on every system to be watched.
2. High cost of ownership and maintenance.
3. Uses local system resources.
4. Very focused view; cannot relate to activity around it.
5. If logged locally, the logs could be compromised or disabled by the attacker.

Q.11 Explain e-mail security in detail. S-12.


Ans.:
1. Nowadays security for e-mail messages has become an extremely important
issue.
2. For text e-mail transmission, the message is considered as two portions, the contents
and the header, similar to the postal system.
3. Every e-mail message consists of a number of header lines followed by
the actual message contents. Each header line is a keyword followed by a colon and a
value; common header keywords are From, To, Subject and Date.

Q.12 Explain e-mail security techniques (protocols). W-09.


Ans.:
1. SMTP:
a. SMTP, the Simple Mail Transfer Protocol, is used for e-mail communication. SMTP is
"request/response" based, which means the e-mail client software at the sender's end
hands the e-mail message to an SMTP server.

Fig.: E-mail using SMTP protocol

b. The SMTP server then transfers the message to the receiver's SMTP server. The
job of SMTP is to carry the e-mail message between the sender and the
receiver.
E-mail communication consists of the following steps:
A. At the sender's end, an SMTP server takes the message sent by the user's computer.
B. The SMTP server at the sender's end then transfers the message to
the SMTP server of the receiver.
C. The receiver's computer then pulls the e-mail message from the SMTP server at the
receiver's end, using other e-mail protocols like POP (Post Office Protocol) or
IMAP (Internet Message Access Protocol).
2. POP:
a. Post Office Protocol is built almost like SMTP, but POP is used only to retrieve
e-mail. It uses plaintext commands and mimics the SMTP request/reply
mechanism as well.
b. To denote success, the POP server begins its response with +OK,
as opposed to -ERR to denote failure.
c. Because the username, password and mail all travel in plaintext, anyone who can
sniff the connection can read them unless the session is protected by TLS.

3. IMAP:
a. Internet Message Access Protocol is a plaintext mail protocol that combines
aspects of both POP and SMTP. That is, it allows users to retrieve their mail and also
to create directories and catalogue their mail on the server, but it still requires an
SMTP server to send outgoing mail.
b. The user connects to the IMAP server, authenticates, and can then start
working. Unlike POP and SMTP, IMAP can work in two persistency modes: it
can store all the data on the server or allow the user to work offline by storing the
data locally, although remote storage is the default mode.

Q.13 Describe the working of PEM e-mail security. W-13.


OR How is PEM used for e-mail security? S-13.
Ans.: 1. Privacy-Enhanced Mail (PEM) is an Internet standard which provides the secure
exchange of electronic mail. It employs a range of cryptographic techniques that
provide confidentiality, authentication and integrity.
2. PEM supports three main cryptographic functions: encryption, non-repudiation
and message integrity.
PEM Operations:
Step 1: Canonical Conversion
a. The Internet works on any computer that has a TCP/IP stack,
regardless of its architecture or operating system. So there is a
possibility that the same thing is represented differently on
these different computers (for example, different line-ending conventions).
b. Canonical conversion transforms every e-mail message into an
abstract, canonical representation regardless of the architecture
and the operating system of the sender's and receiver's
computers. The e-mail message then travels in a uniform, machine-independent
format, so that the sender and the receiver compute the message digest over the
same bytes.

Fig.: PEM Operations

Step 2: Digital Signature
a. It starts by creating a message digest of the e-mail message using the MD2 or MD5
algorithm.
b. The created message digest is then encrypted with the sender's private key to form
the sender's digital signature.

Fig.: Message digest creation over the original e-mail message
Fig.: Creation of the sender's digital signature over the e-mail message

Step 3: Encryption
Here the original e-mail and the digital signature are encrypted with a symmetric key.
For this, the DES or Triple DES (3DES) algorithm in Cipher Block Chaining (CBC) mode is
used.

Fig.: Encryption in PEM

Step 4: Base-64 Encoding
a. This process transforms arbitrary binary input into printable character output, so
that the encrypted message survives transmission through mail systems that handle
only 7-bit text.
b. In this step the binary input is processed in blocks of 3 octets, or 24 bits.
c. These 24 bits are considered as made up of 4 sets of 6 bits each. Each set
of 6 bits is mapped to one 8-bit printable output character in this process.

Fig.: Base-64 encoding concept

Q.14 How is PGP used for e-mail security? S-11.
OR Explain how Pretty Good Privacy e-mail security works. W-11
Ans.:
a. PGP (Pretty Good Privacy) is used for encryption and decryption of e-mail over the
Internet.
b. It is also used to send a digital signature along with the message, so that the
receiver can verify the sender's identity and know that the message was
not changed during transmission.
c. PGP is freely available, and the commercial version costs very little. It is
widely used as a privacy-ensuring program by individuals and also by many
organizations.
How it works?
1. Authentication:
a. The sender creates a message.
b. SHA-1 is used to generate a 160-bit hash code of the message.
c. The hash code is encrypted using the sender's private key and the result is
prepended to the message.
d. The receiver uses the sender's public key to decrypt and recover the hash code.
e. The receiver generates a new hash code for the message and compares it with the
decrypted hash code. If they match, the message is accepted as authentic.

2. Confidentiality:
a. PGP provides one more basic service, confidentiality. It is provided by
encrypting the message to be transmitted or to be stored locally as a file.
b. The sender generates a message and a random 128-bit number. This 128-bit
number is used as a session key for this message only.
c. The message is then encrypted (using an algorithm like 3DES) with the
session key.
d. The session key is also encrypted using the recipient's public key and it is
prepended to the message.
e. Only the receiver, with its private key, can decrypt and recover the session key.
f. This session key is then used to decrypt the message.

Q.15 What is IP Security? Describe the Authentication Header mode of IP Security.
W-08, S-10, W-12, W-13.
OR What is IP Security? Describe the two modes of IP Security with suitable sketches
showing the modes. W-11
Ans.:

a. An IP packet consists of 2 portions:
(i) IP Header (ii) Actual Data
b. IPSec is implemented by adding extension headers after the standard IP header.
c. Such an extension IP header follows the standard IP header.
d. Basically IPSec offers 2 main services:
(i) Authentication
(ii) Confidentiality
e. Every service needs its own extension header. Hence for the above services, IPSec
defines two IP extension headers, one header for authentication and another
header for confidentiality.
f. IPSec consists of the following two main protocols.

1. Authentication Header (AH):


a. The AH, when added to an IP datagram, ensures the integrity of the data, the
authenticity of the data's origin and an optional anti-replay service.
b. By protecting the non-changing elements of the IP header, the AH protects the IP
addresses, which enables data origin authentication. Fields that legitimately change
in transit (such as the TTL and the header checksum) are treated as zero when the
authentication value is computed.
c. IPSec AH is a header in an IP packet carrying a cryptographic checksum (an integrity
check value computed with a keyed hash such as HMAC) over the contents of the
packet. The AH header is simply inserted between the IP header and
any subsequent packet contents.
d. There is no need to change the data contents of the packet. In this way, the
security resides completely in the contents of the AH. AH provides no confidentiality;
the payload is still sent in the clear.
2. Encapsulating Security Payload (ESP):
a. ESP provides security services for the higher level protocol portion of the packet,
not the IP header.
b. This protocol provides data confidentiality. The ESP protocol also defines a new
header to be inserted into the IP packet.
c. ESP processing also includes the transformation of the protected data into an
unreadable encrypted form. When both are used together, ESP is applied inside
AH, i.e. encryption happens first and then authentication.

d. AH and ESP can be used separately or in combination, depending on the level and
types of security desired. Both work in the transport and tunnel modes of IPSec.
e. Both AH and ESP can work in two modes, transport mode and tunnel mode.
AH transport mode: Here, the Authentication Header (AH) is placed between the
original IP header and the original TCP header of the IP packet.
AH tunnel mode: In tunnel mode, the complete original IP packet is authenticated,
and the AH is placed between the new outer IP header and the original IP header. The
inner IP header has the final source and destination IP addresses, whereas the outer IP
header may contain different IP addresses (those of the tunnel endpoints, such as the
two firewalls).

Fig.: AH in Transport and Tunnel Mode

Q.16 How does IPSec work in security? Explain in detail. S-12


Ans.:
1. IPSec is a set of protocols developed by the Internet Engineering Task Force
(IETF).
2. IPSec is developed for the secure exchange of packets at the network layer of the OSI
model.
3. The overall idea of IPSec is to encrypt and seal the transport and application layer
data during transmission.
4. Once an IPSec connection is formed, it is possible to tunnel across other networks
at the lower levels of the OSI model.
5. The set of security services provided by IPSec takes place at the network layer of
the OSI model. Because of this, higher layer protocols like TCP, UDP, BGP etc. are not
affected by the implementation of IPSec services.
6. The IPSec protocol is designed to provide a comprehensive array of services,
including but not limited to access control, connectionless integrity, traffic-flow
confidentiality, rejection of replayed packets, data confidentiality and data origin
authentication.

Fig.: IPSec in TCP/IP protocol

There are two methods (modes) of IPSec:
Transport:
a. This method encrypts only the data portion of the packet, thus enabling an
outsider to see the source and destination IP addresses.
b. This protects the data being transmitted but allows knowledge of the
transmission itself. Protection of the data portion of a packet is referred
to as content protection.

Fig.: IPSec transport mode

c. In this mode, IPSec takes the transport layer payload, adds the IPSec header and
trailer, encrypts the whole thing and then adds the IP header. Thus the IP header is
not encrypted.
Tunneling:
a. This provides encryption of the source and destination IP addresses as well as of the
data itself.
b. This provides the greatest security, but it can only be done between IPSec servers
(gateways), because the final destination needs to be known for delivery, so a new
outer IP header addressed to the gateway is added.
c. Protection of the header information is known as context protection.
d. It accepts an IP datagram, with its IP header, and adds the IPSec header and trailer
to it. Then it encrypts the whole packet and adds a new IP header to the encrypted
datagram.

Fig.: IPSec tunnel mode

e. Different levels of security are provided by these methods.
f. It is also possible to use both methods at the same time, by using transport mode
within one network to reach an IPSec server, tunnel mode between the two IPSec servers,
and transport mode again from the target network's IPSec server to the target host.
g. IPSec supports three kinds of connections: host-to-server, server-to-server and
host-to-host.
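The difference between transport and tunnel mode in Q.15 and Q.16 is a difference in where the IPSec header sits and which IP header ends up covered by it. The following is an added example, not code from the original notes: it builds an IPv4 packet with an Authentication Header in both modes, computes the integrity check value the way AH does (mutable IP header fields zeroed, ICV field zeroed during the computation), and verifies it on receipt. The ICV is HMAC-SHA-256 truncated to 128 bits, the IPsec HMAC-SHA-256-128 transform; addresses, SPI, key and the TCP segment are constructed for the demo, and anti-replay window checking is left out.

```python
# Added example (not from the original notes): IPv4 Authentication Header in
# transport and tunnel mode, with ICV computation and verification. Addresses,
# SPI, key and payload are constructed for the demo.
import hashlib, hmac, struct
from ipaddress import ip_address

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51
ICV_LEN = 16                                             # HMAC-SHA-256-128

def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; DF set, identification fixed for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def _immutable_view(ip_hdr):
    """Zero the fields that change in transit (TOS, flags/fragment offset, TTL, checksum)."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv=b"\x00" * ICV_LEN):
    payload_len = (12 + ICV_LEN) // 4 - 2                # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def compute_icv(key, ip_hdr, ah_with_zero_icv, rest):
    """ICV over the immutable IP header, the AH (ICV field zeroed) and everything after it."""
    mac = hmac.new(key, _immutable_view(ip_hdr) + ah_with_zero_icv + rest, hashlib.sha256).digest()
    return mac[:ICV_LEN]

def ah_protect(key, spi, seq, ip_hdr, next_hdr, rest):
    """Insert AH directly after ip_hdr (whose protocol field must already be 51)."""
    ah0 = ah_header(next_hdr, spi, seq)
    icv = compute_icv(key, ip_hdr, ah0, rest)
    return ip_hdr + ah0[:12] + icv + rest

def ah_verify(key, packet):
    """Receiver side: recompute the ICV; returns (ok, next_header)."""
    ip_hdr, ah = packet[:20], packet[20:20 + 12 + ICV_LEN]
    if ip_hdr[9] != PROTO_AH:
        return False, None
    next_hdr, spi, seq = ah[0], struct.unpack("!I", ah[4:8])[0], struct.unpack("!I", ah[8:12])[0]
    rest = packet[20 + 12 + ICV_LEN:]
    expected = compute_icv(key, ip_hdr, ah_header(next_hdr, spi, seq), rest)
    return hmac.compare_digest(expected, ah[12:]), next_hdr

KEY = bytes(range(32))                                   # assumed SA key
TCP_SEGMENT = bytes.fromhex("c00c0050000000010000000050021000ffff0000") + b"GET / HTTP/1.0\r\n\r\n"

def transport_mode():
    """IP(proto=AH) | AH(next=TCP) | TCP: the original header is kept and authenticated."""
    ip = ipv4_header("10.0.0.5", "10.0.1.7", PROTO_AH, 12 + ICV_LEN + len(TCP_SEGMENT))
    return ah_protect(KEY, 0x1000, 1, ip, PROTO_TCP, TCP_SEGMENT)

def tunnel_mode():
    """outer IP(proto=AH) | AH(next=IP) | inner IP | TCP: the whole original packet is authenticated."""
    inner = ipv4_header("10.0.0.5", "10.0.1.7", PROTO_TCP, len(TCP_SEGMENT)) + TCP_SEGMENT
    outer = ipv4_header("198.51.100.1", "203.0.113.1", PROTO_AH, 12 + ICV_LEN + len(inner))
    return ah_protect(KEY, 0x2000, 1, outer, PROTO_IPIP, inner)

def patch(packet, offset, value):
    """Simulate an in-transit change of one byte."""
    p = bytearray(packet)
    p[offset] = value
    return bytes(p)

if __name__ == "__main__":
    t = transport_mode()
    print("transport, untouched:     ", ah_verify(KEY, t))
    print("transport, TTL decremented:", ah_verify(KEY, patch(t, 8, 63)))
    print("transport, source changed: ", ah_verify(KEY, patch(t, 15, 99)))
```

The `patch` calls make the point of the mutable-field rule visible: a router decrementing the TTL leaves the ICV valid, while changing a source address byte (outer header in transport mode, inner header in tunnel mode) or using the wrong key fails verification. Nothing here is encrypted; the TCP segment, and in tunnel mode the inner addresses, are readable by anyone on the path, which is the gap ESP fills.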
