Chapter 4 Computer Security Technology and Intrusion Detection PDF
Q.2 Explain the working of a firewall, its design principles, capabilities and limitations. S-13.
OR What are the limitations of a firewall? S-09.
OR Describe the working principle of firewall. W-10.
Ans.
1. The firewall is a partition between a private (trusted) network and a public (untrusted) network; it inspects all traffic (packets) passing through it.
The firewall should have the following attributes:
a. All traffic should pass through the firewall.
b. The firewall should allow only authorized traffic.
c. The firewall itself can stop attacks.
2. It is an effective means of protecting a system or network from network-based threats while at the same time allowing access to the outside world via wide area networks and the Internet.
3. A firewall is always placed at a network gateway server to protect the internal
resources of a private network from the public network.
4. An organization installs a firewall to prevent outsiders from accessing its private data resources while allowing its employees to access outside resources. The firewall also controls which outside resources the organization's employees can access.
5. The working of a firewall is similar to a router program: it examines each network packet to determine whether to forward it toward its destination or not. A firewall can work with a proxy server, which makes requests on behalf of workstation users in a network.
Principle of firewall:
For any corporation, government agency, or other organization, the information system must have:
1. Centralized data processing system: The system must have a central mainframe which supports a number of directly connected terminals.
2. Local area networks: LANs interconnecting PCs and terminals to each other, and also to the mainframe.
3. Network location: It consists of a number of LANs interconnecting PCs, servers, and one or two mainframes.
4. Enterprise-wide network: It consists of multiple, geographically distributed location networks that are interconnected by a private wide area network (WAN).
5. Internet connectivity: It is where the various located networks are hooked into the Internet and may or may not be connected by a private WAN.
Capabilities of Firewall:
1. All traffic must pass through the firewall, either from inside to outside or vice versa. This is achieved by physically blocking all access to the local network except via the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass through the firewall. Different types of firewalls implement different types of security policies.
3. The firewall itself is immune to penetration.
Fig.: Firewall
Limitations of Firewall:
1. A firewall cannot protect against attacks that bypass the firewall.
2. A firewall does not protect against internal threats, such as an employee who innocently cooperates with an external attacker.
3. A firewall cannot protect against the transfer of virus-infected programs or files.
d. There are many different default configurations: some will not allow communications from the outside and will be configured using a set of rules, whereas others will be configured to block access over risky ports.
e. In addition, firewalls can have a wide variety of functionality: they can act as caching servers, VPNs, routers, etc.
Q.4 Describe the working of the single-homed bastion and screened host gateway type of firewall with a suitable sketch. W-13.
Ans.: Screened Host Firewall, Single-Homed Bastion:
1. Here, the firewall configuration consists of two parts: a packet filter router and an application-level gateway.
2. The packet filter router ensures that incoming traffic is allowed only if it is intended for the application gateway, by examining the destination address field of each incoming IP packet.
3. It also ensures that outgoing traffic is allowed only if it originated from the application-level gateway, by examining the source address field of every outgoing IP packet. The application-level gateway performs authentication as well as proxy functions.
Advantages:
1. It improves the security of the network by performing checks at both levels: packet level and application level.
2. It provides flexibility to the network administrator to define more security policies.
Disadvantages:
1. Internal users are connected to the application gateway as well as the packet filter router. So, if the packet filter is somehow attacked, the whole internal network is exposed to the attacker.
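The two address checks the packet filter router performs in this configuration, written out as an added example (not code from the original notes). The internal network, the bastion's address and the outside addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: the internal LAN and the single-homed bastion
# (application-level gateway) that sits on it. Not from any real deployment.
INTERNAL_NET = ip_network("10.0.0.0/24")
BASTION = ip_address("10.0.0.5")


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


def router_decision(pkt: Packet) -> tuple[bool, str]:
    """Packet filter rule set for a screened-host, single-homed bastion.

    Inbound traffic is forwarded only if its destination is the bastion;
    outbound traffic is forwarded only if its source is the bastion.
    Returns (forward?, reason) so the decision can be logged.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inbound = src not in INTERNAL_NET and dst in INTERNAL_NET
    outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
    if inbound:
        if dst == BASTION:
            return True, "inbound to application gateway"
        return False, "inbound traffic bypassing the gateway"
    if outbound:
        if src == BASTION:
            return True, "outbound from application gateway"
        return False, "outbound traffic bypassing the gateway"
    # Traffic that does not cross the inside/outside boundary is not
    # the router's concern here; drop it so the default is deny.
    return False, "does not cross the screened-host boundary"


def filter_packets(packets: list[Packet]) -> list[Packet]:
    """Apply the rule set to a batch and return only the forwarded packets."""
    return [p for p in packets if router_decision(p)[0]]
```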
Q.5 Explain VPN with a neat diagram. Enlist the different VPN protocols. W-10.
OR State the meaning of Virtual Private Network with suitable sketch. W-13.
OR Explain virtual private network with diagram. S-13.
OR Describe VPN. S-09, W-09.
Ans.:
1. A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network.
2. A VPN is a mechanism employing encryption, authentication and integrity protection, so that a public network can be used as a private network.
3. A VPN can connect distant networks of an organization, or it can be used to allow traveling users to remotely access the organization's intranet, i.e. its private network.
4. A VPN is a mechanism to create a private network over a public network like the Internet. It depends on the use of virtual connections; these connections are temporary and do not have any physical presence. They are made up of packets.
5. Suppose an organization has two networks, Network 1 and Network 2, which are physically separate from each other, and the user wants to connect them using a VPN.
6. In this case, the user needs to set up two firewalls, Firewall 1 and Firewall 2, for encryption and decryption purposes.
7. The figure shows that Network 1 connects to the Internet via Firewall 1 and Network 2 via Firewall 2.
8. The important point here is that the two firewalls are virtually connected to each other via the Internet with the help of a VPN tunnel between the two firewalls.
VPN Protocols:
a. PPTP (Point-to-Point Tunnelling Protocol)
b. L2TP (Layer 2 Tunnelling Protocol)
c. IPSec
Q.6 What is Kerberos? Explain with a diagram the different servers involved in Kerberos. W-08.
Ans.
Kerberos:
Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. It uses secret-key cryptography.
Different servers involved in Kerberos:
1. The authentication service (AS) receives the request from the client and then verifies that the client is indeed who it claims to be. This is done by just looking into a simple database of user IDs.
2. After verification, a timestamp is created. It puts the current time in a user session, with an expiration date. The default expiration for the timestamp is 8 hours. Then the encryption key is created. The timestamp tells that after 8 hours the encryption key is useless.
(This helps in case a hacker intercepts the data and tries to crack the key. All keys can be cracked, but it will take a lot longer than 8 hours to do so.)
3. Now the key is sent back to the client in the form of a ticket-granting ticket (TGT). It is a simple ticket which is issued by the authentication service (AS) and used for authenticating the client for future reference.
4. Then the client submits this TGT (ticket-granting ticket) to the ticket-granting server (TGS) for authentication.
5. Here, the TGS creates an encrypted key with a timestamp, and grants a service ticket to the client.
6. Then the client decrypts the ticket, intimates to the TGS that it has done so, and sends its own encrypted key to the service server (SS) or application.
7. The service server decrypts the key sent by the client and checks the validity of the timestamp. If the timestamp is valid, the service server contacts the key distribution center (KDC) to receive a session key, which is returned to the client.
8. The client then decrypts the ticket. If the keys are still valid, then communication is initiated between the client and the server/application.
Q.7 What is Security Topology? Describe security zone in detail. W-10, W-12.
OR What is Security Zone? List and explain the key aspects of creating and
designing security zones. W-11.
Ans.:
Security Topology:
Security topology is a logical map which shows the interconnectivity between security devices, the networks protected by those security devices, and security domains. A security topology helps to create IPsec VPNs on the network and to configure firewall policies on security devices.
Security Zone:
A security zone is a way to classify websites into different security categories. Following are the three main security zones:
1. Trusted sites: This zone is for sites that you trust.
2. Unclassified sites: This zone is for sites that you haven't classified or are not sure of.
3. Restricted sites: This zone is for sites that you don't trust and want to restrict access to.
The Key Aspects of Creating and Designing Security Zones :
a. Internet Zone :
This zone contains Web sites that are not on the computer or on the local intranet, and that are not already assigned to another zone. The default security level is Medium.
b. Local Intranet Zone:
It contains all network connections established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), as long as they are not assigned to either the Restricted Sites or Trusted Sites zone.
The default security level is set to Medium for Internet Explorer 4 or Medium-low for Internet Explorer 5 and 6. When accessing a local area network (LAN) or intranet share, or an intranet Web site, by using an Internet Protocol (IP) address or a fully qualified domain name (FQDN), the share or Web site is identified as being in the Internet zone instead of the Local intranet zone.
c. Trusted Sites Zone:
Here are the Web sites that are trusted as safe, for example Web sites on your organization's intranet or from companies in which you have confidence. When anyone adds a Web site to the Trusted Sites zone, it means that he believes that files downloaded or run from the Web site will not damage the computer or data. By default, the security level is set to Low.
d. Restricted Sites Zone:
This zone contains Web sites which are not trusted by the user. When anyone adds a Web site to this zone, he believes that files downloaded or run from the Web site may damage the computer or data. By default, the security level is set to High.
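The zone assignment rules above (explicit Trusted/Restricted lists first, then UNC paths and period-free names to Local Intranet, IP addresses and FQDNs to Internet) as an added, runnable example; this is not Internet Explorer's own code, and the trusted and restricted host lists are constructed for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed lists standing in for the user's Trusted Sites / Restricted
# Sites settings; they take precedence over the name-based rules.
TRUSTED = {"intranet.example.com"}
RESTRICTED = {"badsite.example.net"}

# Default security levels named in the text (Local Intranet value is the
# Internet Explorer 5/6 default).
DEFAULT_LEVEL = {
    "Internet": "Medium",
    "Local Intranet": "Medium-low",
    "Trusted Sites": "Low",
    "Restricted Sites": "High",
}


def classify_zone(target: str) -> str:
    """Assign a URL or UNC path to one of the four zones."""
    if target.startswith("\\\\"):
        # UNC path such as \\fileserver\share: host is the first component.
        host = target.lstrip("\\").split("\\", 1)[0].lower()
        is_unc = True
    else:
        host = (urlsplit(target).hostname or "").lower()
        is_unc = False
    # Explicit assignments win over every name-based rule.
    if host in TRUSTED:
        return "Trusted Sites"
    if host in RESTRICTED:
        return "Restricted Sites"
    if is_unc:
        return "Local Intranet"
    try:
        ip_address(host)
        return "Internet"  # a bare IP address is treated as Internet zone
    except ValueError:
        pass
    if "." not in host:
        return "Local Intranet"  # single-label names such as http://local
    return "Internet"  # fully qualified domain names land in the Internet zone


def default_level(zone: str) -> str:
    """Default security level that applies to a zone."""
    return DEFAULT_LEVEL[zone]
```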
Fig. Port based VLAN
b. This means all users or systems attached to the port should be members of the same VLAN.
c. The network administrator typically performs the VLAN assignment. The port configuration is static and cannot be automatically changed to another VLAN without manual reconfiguration.
d. Hence it is possible to connect several VLANs to a single switch, and they operate concurrently.
e. With this VLAN, the data frame received on a particular port is not altered but is forwarded to the correct port as per configuration.
a. In this type of VLAN, all incoming traffic is divided according to the IP subnet address of each source/destination.
b. This provides great flexibility in the network because users can move computers from one location to another and remain in the same VLAN.
c. The disadvantage of this VLAN is that it needs additional processing for the layer 3 header and therefore adds more latency than the other VLAN segmentation methods.
Q.9 What is an intrusion detection system? Explain host-based and network-based intrusion detection systems. W-12, W-11, W-09.
OR Describe IDS and its two types. S-09, S-13, S-12
OR Describe the two categories of Intrusion detection system. W-10
Ans.:
1. Intrusion detection is the process of monitoring the events happening in a computer system or network.
2. The intrusion detection process analyzes them for possible incidents, which are threats of violation of computer security policies, standard security practices or acceptable use policies.
3. An intrusion detection system is just like a burglar alarm system installed in a house.
4. In case of an intrusion, the IDS will provide some type of warning or alert.
5. Intrusion detection systems are mainly divided into two categories, depending on the monitoring activity.
Host-Based IDS:
This examines activity on an individual system, like a mail server, web server, or individual PC. It is concerned only with that individual system and usually has no visibility into the activity on the network or systems around it.
Network-Based IDS:
This examines activity on the network itself. It has visibility only into the traffic crossing the network link it is monitoring and typically has no idea of what is happening on individual systems.
Q.10 Describe host-based intrusion detection (IDS). Also state its advantages and disadvantages. W-08.
OR Explain the working of host based Intrusion Detection System. W-13.
Ans.:
1. A host-based IDS checks log files, audit trails and network traffic coming into or leaving a specific host.
2. HIDS can operate in real time, looking for activity as it arises, or in batch mode, looking for activity on a periodic basis.
3. Typically host-based systems are self-contained, but many new commercial products are designed to report to and be managed by a central system. These systems also take local system resources to operate.
4. Older versions of host-based IDSs operated in batch mode, looking for suspicious activity on an hourly or daily basis, and typically looked for particular events in the system's log files.
5. In newer versions of host-based IDS, processor speed has increased, so IDSs started looking through the log files in real time, and the ability to examine the data traffic the host was generating and receiving was also added.
6. Many host-based IDSs focus on the log files or audit trails produced by the local operating system. On Windows systems, the examined logs are typically the Application, System and Security event logs. On Unix systems, the examined logs are generally the message, kernel and error logs.
7. Some host-based IDSs have the ability to cover specific applications by examining the logs produced by those specific applications or examining the traffic from the services themselves, like FTP or web services.
8. The activities a HIDS looks for in the log files are:
a. Logins at odd hours
b. Login authentication failures
c. Adding new user accounts
d. Modification or access of critical system files
e. Modification or removal of binary files
f. Starting or stopping processes
g. Privilege escalation
h. Use of certain programs.
Fig. : Components of Host-based IDS
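A batch-mode HIDS pass over an authentication log, as an added example (not code from the original notes), covering four of the activities listed above: odd-hour logins, repeated authentication failures, new user accounts and privilege escalation. The log lines, the "odd hours" window and the failure threshold are constructed for the example.

```python
import re
from datetime import datetime

# Constructed auth-log lines in a syslog-like layout; not real system output.
SAMPLE_LOG = """\
2024-03-04 02:13:07 host1 sshd[811]: Accepted password for alice from 10.0.0.9 port 50122
2024-03-04 09:05:41 host1 sshd[902]: Failed password for root from 198.51.100.4 port 41020
2024-03-04 09:05:44 host1 sshd[902]: Failed password for root from 198.51.100.4 port 41021
2024-03-04 09:05:47 host1 sshd[902]: Failed password for root from 198.51.100.4 port 41022
2024-03-04 10:22:10 host1 useradd[1203]: new user: name=svc_backup, UID=1007, GID=1007
2024-03-04 10:23:55 host1 sudo: bob : TTY=pts/1 ; USER=root ; COMMAND=/bin/bash
2024-03-04 10:30:02 host1 sshd[1310]: Accepted publickey for carol from 10.0.0.12 port 50200
"""

ODD_HOURS = set(range(0, 6))   # assumption: interactive logins 00:00-05:59 are "odd"
FAIL_THRESHOLD = 3             # assumption: failures from one source before alerting

# timestamp, host, program (optional [pid]), message
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")


def analyze(log_text: str) -> list[str]:
    """Return HIDS-style alerts for the suspicious activities found in the log."""
    alerts: list[str] = []
    failures: dict[str, int] = {}  # source address -> failed login count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real HIDS would count these too
        ts, _host, prog, msg = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if msg.startswith("Accepted") and hour in ODD_HOURS:
            user = msg.split(" for ")[1].split()[0]
            alerts.append(f"odd-hour login: {user} at {ts}")
        elif msg.startswith("Failed password"):
            src = msg.split(" from ")[1].split()[0]
            failures[src] = failures.get(src, 0) + 1
            if failures[src] == FAIL_THRESHOLD:  # alert once per source
                alerts.append(f"repeated auth failures from {src}")
        elif prog == "useradd" and "new user" in msg:
            name = re.search(r"name=(\w+)", msg).group(1)
            alerts.append(f"new user account: {name}")
        elif prog == "sudo" and "USER=root" in msg:
            who = msg.split(" : ")[0].strip()
            alerts.append(f"privilege escalation: {who} ran a command as root")
    return alerts
```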
Advantages:
1. Operating system specific and detailed signatures.
2. Examines data after it has been decrypted.
3. Very application specific.
4. Determine whether or not an alarm may impact that specific.
Disadvantages:
1. Requires a process on every system to watch.
2. High cost of ownership and maintenance.
3. Uses local system resources.
4. Very focused view and cannot relate to activity around it.
5. If logged locally, could be compromised or disabled.
b. Actually, the SMTP server transfers the message to the receiver's SMTP server. The job of SMTP is to carry the email message between the sender and the receiver.
Email communication consists of the following steps:
A. At the sender's end, an SMTP server takes the message sent by a user's computer.
B. The SMTP server at the sender's end then transfers the message to the SMTP server of the receiver.
C. The receiver's computer then pulls the email message from the SMTP server at the receiver's end, using other email protocols like POP (Post Office Protocol) or IMAP (Internet Mail Access Protocol).
2. POP:
a. Post Office Protocol is built almost like SMTP, but POP is used only to retrieve email. It uses plaintext to communicate and mimics the SMTP answer/reply mechanism as well.
b. To denote success, the POP server sends a plus (+) at the beginning of the response, as opposed to a minus (-) to denote failure.
3. IMAP:
a. Internet Message Access Protocol is a plaintext mail protocol that combines aspects of both POP and SMTP. That is, it allows the user to send outgoing
b. It allows users to create directories and catalog their email, but it requires an SMTP server to do so.
c. The user connects to the IMAP server, authenticates, and can then start working. Unlike POP and SMTP, IMAP can work in two persistency modes: it can store all the data on the server or allow the user to work offline by storing the data locally, although remote storage is the default mode.
Fig.: Message digest creation of the original email message
Fig.: Creation of the sender's digital signature over the email message
Step 3: Encryption
Here the original email and the digital signature are encrypted with a symmetric key. For this, the DES or DES-3 algorithm in Cipher Block Chaining (CBC) mode is used.
Q.14 How is PGP used for email security? S-11.
OR Explain how Pretty Good Privacy e-mail security works. W-11.
Ans.:
a. PGP is used for encryption and decryption of e-mail over the Internet.
b. This protocol is used to send an encrypted digital signature, so that the receiver can verify the sender's identity and know that the message was not changed during transmission.
c. PGP is freely available and the commercial version costs very little. Basically, it is widely used as a privacy-ensuring program by individuals and also by many organizations.
How it works?
1. Authentication:
a. The sender creates a message.
b. SHA-1 is used to generate a 160-bit hash code of the message.
c. The hash code is encrypted using the sender's private key and the result is prepended to the message.
d. The receiver uses the sender's public key to decrypt and recover the hash code.
e. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If a match is found, the message is accepted as authentic.
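The five authentication steps above carried through end to end, as an added example (not PGP's own code). It assumes a toy textbook RSA key pair built from two Mersenne primes so that it runs without any external library; the key has no padding and is not secure, it only makes the hash-sign-prepend-verify flow concrete.

```python
import hashlib

# Toy RSA key pair (assumption for this example): the Mersenne primes M89 and
# M107 give a modulus of about 196 bits, larger than the 160-bit SHA-1 digest.
# Textbook RSA without padding is NOT secure; it is used here only so the
# example runs offline.
P, Q = 2**89 - 1, 2**107 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)
SIG_LEN = 32  # bytes; any value below N fits in 32 bytes


def sha1_int(message: bytes) -> int:
    """Step b: the 160-bit SHA-1 hash code of the message, as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_key: tuple[int, int]) -> bytes:
    """Step c: 'encrypt' the hash with the private key and prepend it to the message."""
    d, n = private_key
    sig = pow(sha1_int(message), d, n)
    return sig.to_bytes(SIG_LEN, "big") + message


def verify(signed: bytes, public_key: tuple[int, int]) -> tuple[bool, bytes]:
    """Steps d and e: recover the hash with the public key and compare it with
    a freshly computed hash of the received message."""
    e, n = public_key
    sig = int.from_bytes(signed[:SIG_LEN], "big")
    message = signed[SIG_LEN:]
    recovered_hash = pow(sig, e, n)
    return recovered_hash == sha1_int(message), message
```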
2. Confidentiality:
a. PGP provides one more basic service, i.e. confidentiality. It is provided by encrypting messages to be transmitted or to be stored locally as files.
b. The sender generates a message and a random 128-bit number. This 128-bit number is used as a session key for this message only.
c. Then the message is encrypted (using algorithms like 3DES) with the help of the session key.
d. Then the session key is also encrypted using the recipient's public key and is prepended to the message.
e. Only the receiver, with its private key, can decrypt and recover the session key.
f. Further, this session key is used to decrypt the message.
a. An IP packet consists of 2 portions:
(i) IP Header (ii) Actual Data
b. IPSec is implemented by adding an IP header to the standard default IP header.
c. Such an extension IP header follows the standard IP header.
d. Basically IPSec offers 2 main services:
(i) Authentication
(ii) Confidentiality
e. Every service needs its own extension header. Hence for the above services, IPSec defines two IP extension headers: one header for authentication and another header for confidentiality.
f. IPSec consists of the following two main protocols.
d. AH and ESP can be used separately or in combination, depending on the level and type of security desired. Both work in the transport and tunnel modes of the IPSec protocols.
e. Both AH and ESP can work in two modes: transport mode and tunnel mode.
AH transport mode: Here, the Authentication Header (AH) is placed between the original IP header and the original TCP header of the IP packet.
AH tunnel mode: In tunnel mode, the complete original IP packet is authenticated and the AH is placed between the original IP header and the new outer IP header. The inner IP header has the final source and destination IP addresses, whereas the outer IP header may contain different IP addresses.
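The two AH placements described above, built and checked as an added example (not code from the original notes or from any IPsec implementation). It assumes a simplified 20-byte IPv4 header with the checksum left at zero, an HMAC-SHA1-96 integrity check value, and constructed addresses, keys and payloads; the point it shows is that the ICV covers the whole packet except the mutable IP fields, so a payload change fails verification while a TTL change does not.

```python
import hashlib
import hmac
import struct

AH_PROTO, TCP_PROTO, IPIP_PROTO = 51, 6, 4   # IP protocol numbers
ICV_LEN = 12                                  # HMAC-SHA1-96 truncated ICV
IP_FMT = "!BBHHHBBH4s4s"                      # simplified 20-byte IPv4 header


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Toy IPv4 header: version/IHL, TOS, length, ID, flags, TTL, proto, checksum (0), addresses."""
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0, src, dst)


def zero_mutable(ip_hdr: bytes) -> bytes:
    """AH leaves mutable fields (TOS, flags/fragment, TTL, checksum) out of the ICV by zeroing them."""
    ver, _tos, tl, ident, _flags, _ttl, proto, _csum, s, d = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, ver, 0, tl, ident, 0, 0, proto, 0, s, d)


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv


def build_ah(key: bytes, outer_ip: bytes, inner: bytes, next_hdr: int, spi: int, seq: int) -> bytes:
    """Return outer_ip || AH || inner, with the ICV computed over the entire packet."""
    ah_blank = ah_header(next_hdr, spi, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable(outer_ip) + ah_blank + inner, hashlib.sha1).digest()[:ICV_LEN]
    return outer_ip + ah_header(next_hdr, spi, seq, icv) + inner


def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV with the ICV field zeroed and compare in constant time."""
    outer_ip, ah_fixed, icv, inner = packet[:20], packet[20:32], packet[32:44], packet[44:]
    expect = hmac.new(key, zero_mutable(outer_ip) + ah_fixed + b"\x00" * ICV_LEN + inner,
                      hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(expect, icv)


def ah_transport(key: bytes, src: bytes, dst: bytes, tcp_segment: bytes, spi: int = 1, seq: int = 1) -> bytes:
    """Transport mode: [original IP header][AH][original TCP segment]; AH's next header is TCP."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(tcp_segment))
    return build_ah(key, ip, tcp_segment, TCP_PROTO, spi, seq)


def ah_tunnel(key: bytes, gw_src: bytes, gw_dst: bytes, inner_packet: bytes, spi: int = 1, seq: int = 1) -> bytes:
    """Tunnel mode: [new outer IP header][AH][complete original IP packet]; next header is IP-in-IP."""
    outer = ipv4_header(gw_src, gw_dst, AH_PROTO, 20 + 24 + len(inner_packet))
    return build_ah(key, outer, inner_packet, IPIP_PROTO, spi, seq)
```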