Information Security, Network Security, System Security Tutorials and Study materials

Introduction to Information Security

Security can be defined as a state of freedom from danger, risk or attack. Information security can be
defined as the task of guarding information which is processed by a server, stored on a storage device,
and transmitted over a network like a Local Area Network or the public Internet. Information security
means protecting information and information systems from unauthorized access, use, disclosure,
disruption, modification or destruction.

Introduction to AAA

AAA stands for Authentication, Authorization and Accounting. AAA are a set of primary concepts that aid
in understanding computer and network security as well as access control. These concepts are used daily
to protect property, data, and systems from intentional or even unintentional damage. AAA is used to
support the Confidentiality, Integrity, and Availability (CIA) security concept.

Confidentiality: The term confidentiality means that the data which is confidential should remain
confidential. In other words, confidentiality means a secret should stay secret.

Integrity: The term integrity means that the data being worked with is the correct data, which has not
been tampered with or altered.

Availability: The term availability means that the data you need should always be available to you.

Authentication provides a way of identifying a user, typically requiring a Userid/Password combo before
granting a session. The authentication process controls access by requiring valid user credentials. After
the authentication process is completed successfully, a user must be given authorization (permission) for
carrying out tasks within the server. Authorization is the process that determines whether the user has
the authority to carry out a specific task. Authorization controls access to the resources after the user has
been authenticated. The last one is Accounting. Accounting keeps track of the activities the user has
performed in the server.

What is authentication? What is the need for authentication? Different protocols for authentication

Authentication is the process which allows a sender and receiver of information to validate each other. If
the sender and receiver of information cannot properly authenticate each other, there is no trust in the
activities or information provided by either party. Authentication can involve highly complex and secure
methods or can be very simple. The simplest form of authentication is the transmission of a shared
password between entities wishing to authenticate each other. Today’s authentication methods use
some of the factors below.

1) What you know

An example of this type of authentication is a "Password". The simple logic here is that if you know the
secret password for an account, then you must be the owner of that account. The problem associated
with this type of authentication is that the password can be stolen, or someone might read it if you wrote
it somewhere. If anyone comes to know your password, they might tell someone else. If you have a simple
dictionary password, it is easy to crack it by using password cracking software.

2) What you have

Examples of this type of authentication are smart cards, tokens etc. The logic here is that if you have the
smart card with you, you must be the owner of the account. The problems associated with this type of
authentication are that you might lose the smart card, it can be stolen, or someone can duplicate the
smart card etc.

3) What you are

Examples of this type of authentication are your fingerprint, handprint, retina pattern, voice, keystroke
pattern etc. Problems associated with this type of authentication are that there is a chance of false
positives and false negatives. There is a chance that a valid user is rejected and an invalid user is
accepted. Often people are not comfortable with this type of authentication.

Network authentication is usually based on authentication protocols, Digital Certificates,
Username/Password, smart cards etc. Some of the most important authentication protocols which are
used today are Kerberos, Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge
Handshake Authentication Protocol (MSCHAP) etc. We will learn about these protocols in coming lessons.

Kerberos Authentication, Key Distribution Center (KDC), Ticket Granting Ticket (TGT)

Kerberos was originally developed by Massachusetts Institute of Technology (MIT) Project Athena. It
was published by Massachusetts Institute of Technology (MIT) as a suite of free software that
implements this protocol. The name "Kerberos" is taken from the three-headed dog of Greek
mythology. Kerberos is designed to work across the Internet, an inherently insecure environment.
The Kerberos protocol is a secure protocol, and it provides mutual authentication between a client
and a server. In the Kerberos protocol, the client authenticates against the server and the server also
authenticates itself against the client. With mutual authentication, each computer, or a user and a
computer, can verify the identity of the other. Kerberos is extremely efficient for authenticating
clients in large enterprise network environments. Kerberos uses secret key encryption for
authentication traffic from the client. The same secret key is also used by the Kerberos protocol on
the server to decrypt the authentication traffic.

The Kerberos protocol is built on top of a trusted third party, called the Key Distribution Center (KDC).
The Key Distribution Center (KDC) acts as both an Authentication Server and as a Ticket Granting Server.
When a client needs to access a resource on the server, the user credentials (password, Smart Card,
biometrics) are presented to the Key Distribution Center (KDC) for authentication. If the user
credentials are successfully verified in the Key Distribution Center (KDC), the Key Distribution Center
(KDC) issues a Ticket Granting Ticket (TGT) to the client. The Ticket Granting Ticket (TGT) is cached in
the local machine for future use. The Ticket Granting Ticket (TGT) expires when the user disconnects
or logs off the network, or when its lifetime runs out. The default expiry time is one day (86400 seconds).

When the client wants to access a resource on a remote server, the client presents the previously
granted and cached Ticket Granting Ticket (TGT) to the authenticating KDC. The authenticating Key
Distribution Center (KDC) returns a session ticket to the client for access to the resource. The client
presents the session ticket to the remote resource server. The remote server allows the session to be
established to the resource after accepting the session ticket.

What is Challenge Handshake Authentication Protocol (CHAP) Authentication, working of Challenge Handshake Authentication Protocol (CHAP) Authentication

Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol used in
conjunction with Point to Point Protocol (PPP) to provide security and authentication to users of remote
resources. CHAP is described in RFC 1994, which can be viewed from http://www.rfc-editor.org/.
Challenge Handshake Authentication Protocol (CHAP) uses a challenge method for authentication.
Challenge Handshake Authentication Protocol (CHAP) doesn’t use a user ID/password mechanism. In
Challenge Handshake Authentication Protocol (CHAP), the initiator sends a logon request to the server.
The server sends a challenge back to the client. The challenge is encrypted and then sent back to the
server. The server compares the value from the client and, if the information matches, grants the session.
If the response fails, the session is denied, and the request phase starts over.

Challenge Handshake Authentication Protocol (CHAP) periodically verifies the identity of the peer using a
three-way handshake. The verification of the identity of the peer is done initially, and may be repeated
anytime after the link has been established.
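
The three-way handshake described above, as an added example that is not part of the original tutorial. It follows the Response Value defined in RFC 1994 (an MD5 hash over the identifier, the shared secret and the challenge); the class names, the peer name and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier octet || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical class): holds shared secrets and outstanding challenges."""

    def __init__(self, secrets_by_name):
        self.secrets = secrets_by_name
        self.pending = {}      # identifier -> challenge that has not been answered yet
        self.next_id = 0

    def new_challenge(self):
        """Step 1 (Challenge): a fresh identifier and an unpredictable challenge value."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256      # the Identifier field is one octet
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier, name, response):
        """Step 3 (Success/Failure): recompute the hash and compare in constant time."""
        challenge = self.pending.pop(identifier, None)   # every challenge is single-use
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """Client side (hypothetical class): the secret is used locally and never sent."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        """Step 2 (Response): name plus the hash over identifier, secret and challenge."""
        return self.name, chap_response(identifier, self.secret, challenge)


def handshake(auth, peer):
    """Run one complete challenge/response/verdict exchange."""
    identifier, challenge = auth.new_challenge()
    name, response = peer.respond(identifier, challenge)
    return auth.verify(identifier, name, response)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"            # constructed sample value
    auth = Authenticator({"branch-router": SECRET})
    print("initial authentication:", handshake(auth, Peer("branch-router", SECRET)))
    print("periodic re-check:     ", handshake(auth, Peer("branch-router", SECRET)))
    print("wrong secret:          ", handshake(auth, Peer("branch-router", b"guess")))
```

Because every challenge is random and single-use, a response captured on the link cannot be replayed against a later challenge.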

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is the Microsoft implementation of
Challenge Handshake Authentication Protocol (CHAP). There are two versions of Microsoft
Challenge-Handshake Authentication Protocol (MS-CHAP), MS-CHAPv1 and MS-CHAPv2. Microsoft
Challenge-Handshake Authentication Protocol (MS-CHAP) has some additional features, such as providing
a method for changing passwords and retrying in the event of a failure.

Retina Pattern, Iris Scan, Fingerprint, Handprint, Voice Pattern, Keystroke Biometric Authentication

Each person has a set of unique characteristics that can be used for authentication. Biometrics uses these
unique characteristics for authentication. Today’s biometric systems examine retina patterns, iris
patterns, fingerprints, handprints, voice patterns, keystroke patterns etc. for authentication. But of
the biometric devices which are available on the market, only retina pattern, iris pattern, fingerprint and
handprint systems are properly classified as biometric systems. The others are better classified as
behavioral systems.

Biometric identification systems normally work by obtaining unique characteristics from you, like a
handprint, a retina pattern etc. The biometric system then compares that to the specimen data stored in
the system.

Biometric authentication is much better when compared with other types of authentication methods.
But users are reluctant to use biometric authentication. For example, many users feel that a retina
scanner biometric authentication system may cause loss of their vision. False positives and false negatives
are a serious problem with biometric authentication.

Retina Pattern Biometric Systems


Everybody has a unique retinal vascular pattern. A Retina Pattern Biometric system uses an infrared beam
to scan your retina. Retina pattern biometric systems examine the unique characteristics of the user’s
retina and compare that information with the stored pattern to determine whether the user should be
allowed access. Some other biometric systems also perform iris and pupil measurements. Retina Pattern
Biometric Systems are highly reliable. Users are often worried about using retina scanners because they
fear that retina scanners will blind or injure their eyes.

Iris Scans Biometric Systems


An iris scan verifies identity by scanning the colored part of the front of the eye. An iris scan is much
easier and very accurate.

Fingerprints Biometric Systems


Fingerprints have been used in forensics and identification for a long time. Fingerprints of each individual
are unique. Fingerprint Biometric Systems examine the unique characteristics of your fingerprints and use
that information to determine whether or not you should be allowed access.

The theoretical working of the fingerprint scanner is as described below. The user’s finger is placed on the
scanner surface. Light flashes inside the machine, and the reflection is captured by a scanner, and it is
used for analysis and then verified against the original specimen stored in the system. The user is allowed
or denied based on the result of this verification.

Handprints Biometric Systems


As in the case of fingerprints, everybody has unique handprints. A Handprint Biometric System scans the
hand and fingers, and the data is compared with the specimen stored for you in the system. The user is
allowed or denied based on the result of this verification.

Voice Patterns Biometric Systems

Voice Patterns Biometric Systems can also be used for user authentication. Voice Patterns Biometric
Systems examine the unique characteristics of the user’s voice.

Keystrokes Biometric Systems


Keystroke Biometric Systems examine the unique characteristics of the user’s keystrokes and use that
information to determine whether the user should be allowed access.

What is token authentication?


Token technology is another method that can be used to authenticate users. Tokens are physical devices
used for the randomization of a code that can be used to assure the identity of the user. Tokens provide
an extremely high level of authentication. 

There are different types of tokens. One type of token is a small device with a keypad to key in
values. The server issues a challenge with a number when the user tries to log in. The user keys this
number into the token card, and the card displays a response. The user inputs this response and sends it
to the server, which calculates the same result it expects to see from the token. If the numbers match,
the user is authenticated.

Another type of token is based on time. This type of token displays numbers at different intervals of time.
The user who needs the authentication should also key in this time-based value at the time of
authentication. If the value from the token matches a value the server has calculated, the account is
authenticated and the user is allowed access.
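
Both token types described above, sketched as an added example that is not part of the original tutorial. The page does not name an algorithm, so the time-based token uses the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) as a stand-in; the challenge-response function and the `TokenServer` class are assumptions made for illustration.

```python
import hashlib
import hmac
import struct


def _truncate(mac, digits):
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to a decimal code."""
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def hotp(secret, counter, digits=6):
    """Counter-based one-time code (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based token: the counter is the number of step-second intervals since epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def challenge_code(secret, challenge, digits=6):
    """Challenge-response token (assumed construction): HMAC over the keyed-in challenge."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha1).digest()
    return _truncate(mac, digits)


class TokenServer:
    """Server side (hypothetical class): computes the value it expects from the token."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1            # highest time step already accepted

    def verify_time_code(self, code, now):
        """Accept a code from the current step or `window` steps either side (clock
        drift), but never one from a step that was already used (replay)."""
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = candidate
                return True
        return False

    def verify_challenge(self, challenge, code):
        """Compare the user's response with the one computed for the issued challenge."""
        expected = challenge_code(self.secret, challenge, self.digits)
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    secret = b"12345678901234567890"   # test secret from the RFC 4226/6238 appendices
    server = TokenServer(secret, digits=8)
    now = 1111111111
    code = totp(secret, now, digits=8)
    print("token shows:", code)
    print("first use accepted:", server.verify_time_code(code, now))
    print("replay accepted:   ", server.verify_time_code(code, now))
    print("challenge 483920 ->", challenge_code(secret, "483920"))
```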

What is Multi-Factor Authentication


In multi-factor authentication, we expand on the traditional requirements that exist in single-factor
authentication. To accomplish this, multi-factor authentication will use another factor for
authentication in addition to the traditional password authentication.

For example, most password-based single authentication methods use a password. In multi-factor
authentication methods, we can tighten the authentication by also adding a fingerprint biometric scanner
system.

Multi-factor authentication is more secure than single-factor authentication, because it adds steps that
increase the layers of security.

What is Access Control?


Access control can be a policy, software, or a hardware device which is used to allow or deny access
to a resource. Access control can be implemented using devices like biometric devices, switches, routers,
Remote Access Service (RAS), virtual private networks (VPNs), etc. Access control can also be implemented
at the file system level, as in Microsoft's New Technology File System (NTFS), GNU/Linux's ext2/ext3/ext4
etc. The following are the three main concepts of Access Control.

• Discretionary access control (DAC)

• Mandatory access control (MAC)

• Role-based access control (RBAC)

What is Discretionary Access Control (DAC)?


Discretionary Access Control (DAC) allows authorized users to change the access control attributes of
objects, thereby specifying whether other users have access to the object. A simple form of Discretionary
Access Control (DAC) might be file passwords, where access to a file requires the knowledge of a
password created by the file owner. In Linux, the file permission is the general form of Discretionary
Access Control (DAC).

Discretionary Access Control (DAC) is the setting of permissions on files, folders, and shared resources.
The owner of the object (normally the user who created the object) in most operating system (OS)
environments applies discretionary access controls. This ownership may be transferred or controlled by
root/administrator accounts. Discretionary Access Control (DAC) is controlled by the owner or
root/administrator of the Operating System, rather than being hard coded into the system.

The Discretionary Access Control (DAC) mechanisms have a basic weakness, and that is they fail to
recognize a fundamental difference between human users and computer programs.

What is Mandatory Access Control (MAC)?


Mandatory Access Control (MAC) is another type of access control which is hard-coded into the Operating
System, normally at kernel level. Mandatory Access Control (MAC) can be applied to any object or a
running process within an operating system, and Mandatory Access Control (MAC) allows a high level of
control over the objects and processes. Mandatory Access Control (MAC) can be applied to each object,
and can control access by processes, applications, and users to the object. Mandatory Access Control
(MAC) cannot be modified by the owner of the object.

Mandatory Access Control (MAC) mechanism constrains the ability of a subject (users or processes) to
access or perform some sort of operation on an object (files, directories, TCP/UDP ports etc). Subjects and
objects each have a set of security attributes. Whenever a subject attempts to access an object, an
authorization rule enforced by the operating system kernel examines these security attributes and
decides whether the access can take place.

Under Mandatory Access Control (MAC), the super user (root) controls all interactions of software on the
system.

What is Role-based Access Control (RBAC)?


Role-based Access Control (RBAC) is another method of controlling user access to file system objects. In
Role-based Access Control (RBAC), the system administrator establishes Roles based on functional
requirements or similar criteria. These Roles have different types and levels of access to objects. An easy
way to describe Role-based Access Control (RBAC) is the user group concept in Windows and GNU/Linux
Operating Systems. A role definition should be defined and created for each job in an organization, and
access controls are based on that role.

In contrast to DAC or MAC systems, where users have access to objects based on their own and the
object's permissions, users in a Role-based Access Control (RBAC) system must be members of the
appropriate group, or Role, before they can interact with files, directories, devices, etc.
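
The three access control models from the sections above, side by side, as an added example that is not part of the original tutorial. All user names, the object, the roles and the integer sensitivity levels are constructed; the MAC rule shown (no read up, no write down) is one common labelling policy chosen as an assumption, since the page only says that security attributes are compared.

```python
from dataclasses import dataclass, field


@dataclass
class Obj:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: user -> set of rights, set by owner
    level: int = 0                            # MAC: sensitivity label (assumed integers)


# --- DAC: the owner (or root) decides who else gets access -----------------------
def dac_grant(obj, actor, user, right):
    if actor not in (obj.owner, "root"):
        raise PermissionError(f"{actor} does not own {obj.name}")
    obj.acl.setdefault(user, set()).add(right)


def dac_allowed(obj, user, right):
    return user == obj.owner or right in obj.acl.get(user, set())


# --- MAC: system-enforced rule over subject and object attributes ----------------
CLEARANCE = {"alice": 2, "bob": 1, "mallory": 0}     # constructed subject labels


def mac_relabel(obj, actor, new_level):
    """Labels are policy, not property of the owner: only root may change them."""
    if actor != "root":
        raise PermissionError(f"{actor} may not relabel {obj.name}")
    obj.level = new_level


def mac_allowed(user, obj, right):
    clearance = CLEARANCE.get(user, 0)
    if right == "read":
        return clearance >= obj.level         # no read up
    if right == "write":
        return clearance <= obj.level         # no write down
    return False


# --- RBAC: access follows role membership, not the individual user ---------------
ROLE_RIGHTS = {
    "payroll-clerk": {("payroll.db", "read"), ("payroll.db", "write")},
    "auditor": {("payroll.db", "read")},
}
USER_ROLES = {"alice": {"payroll-clerk"}, "bob": {"auditor"}}


def rbac_allowed(user, obj, right):
    return any((obj.name, right) in ROLE_RIGHTS.get(role, set())
               for role in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    db = Obj("payroll.db", owner="alice", level=2)
    dac_grant(db, "alice", "bob", "read")              # owner's discretion
    print("DAC  bob read:", dac_allowed(db, "bob", "read"))
    print("MAC  bob read:", mac_allowed("bob", db, "read"))   # label rule still denies
    print("RBAC bob read:", rbac_allowed("bob", db, "read"))
    print("RBAC bob write:", rbac_allowed("bob", db, "write"))
```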

Auditing

Auditing is useful in tracking and logging the activities on computers and computer networks. By
auditing, we can track the activities in a computer or computer network and link these activities to
specific user accounts or sources of activity. By using auditing or audit logs, we can later collect
evidence for finding illegal activities.

All the latest Operating Systems include functions for auditing. In the next lesson we will learn how to
configure auditing in Windows Server 2003 for illegal access to open files.

Introduction to Auditing in Windows 2003


Auditing is specifically designed into most features in Windows Server 2003.

Auditing waits for a specific event to occur, and then reports on it within the Event Viewer. Auditing
events in Windows 2003 can be divided into two types: success events and failure events.
Auditing can be used for user logon/logoff events and file access events. Auditing can be turned on
through an Audit Policy, which is a part of Group Policy.

There are nine auditing settings that can be configured on a Windows 2003 computer:

Audit Account Logon Events: Tracks user logon and logoff events.

Audit Account Management: Reports changes to user accounts.

Audit Directory Service Access: Reports access and changes to the directory service.

Audit Logon Events: Reports user logging in and logging off or making a network connection to the
computer configured to audit logon events.

Audit Object Access: Reports file and folder access.

Audit Policy Change: Reports changes to group policies.

Audit privilege use: Reports events that are related to a user performing a task that is controlled by a user
right.

Audit process tracking: Reports events that are related to processes running on the computer.

Audit System Events: Reports standard system events. Not security related.

Auditing can be configured on Audit Policy, which is a part of Group Policy as shown below. You should
select the corresponding GPO according to your requirement.

Types of Network Attacks

Networks are always susceptible to unauthorized monitoring and different types of network attacks. If
you have not implemented proper security measures and controls in your network, there is a chance of
network attacks from inside and outside your network. The following chapters explain different types of
network attacks, which are listed below.

• Denial of Service (DoS) attack

• Distributed Denial of Service (DDoS) attack

• SYN attack

• Sniffer Attack

• Man-In-The-Middle (MITM) attack

• IP Address Spoofing Attack

• ARP (Address Resolution Protocol) Spoofing Attacks

• DNS (Domain Name System) Spoofing Attacks

• Phishing and Pharming Spoofing attacks

• Backdoor Attacks

• Password Guessing Attacks

• SQL Injection Attacks

Types of attacks - Denial of Service (DoS) attack


The idea of a DoS attack is to reduce the quality of service offered by a server, or to crash the server with
a heavy work load. A DoS (Denial of Service) attack does not involve breaking into the target server. This is
normally achieved by either overloading the target network or target server, or by sending network
packets that may cause extreme confusion at the target network or target server.

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users
of a service from using that service. Some examples are:

• Attempts to "flood" a network, thereby preventing legitimate network traffic.

• Attempts to disrupt connections between two machines, thereby preventing access to a service.

• Attempts to prevent a particular individual from accessing a service.

• Attempts to disrupt service to a specific system or person.

One simple DoS (Denial of Service) attack was called the "Ping of Death." The Ping of Death was able to
exploit the simple TCP/IP troubleshooting tool ping. Using the ping tool, hackers would flood a network
with large packet requests that may ultimately crash the target server.

How to minimize the Denial of Service (DoS) attack impact


The impact of a Denial of Service (DoS) attack can be minimized if you take precautions against it. The
following tips can help in minimizing the impact of a Denial of Service (DoS) attack.

• Monitor the server's system performance and tabulate normal operating activity for disk, CPU, and
network traffic. Monitor the server's system performance to detect any deviation from the above values.

• Monitor the amount and type of network packets that travel through your network or
gateways.

• Update your software with any available update and always watch reports from security
organizations about any new threat.

• Implement network security devices which can detect any Denial of Service (DoS) attack.

• Record the details of any Denial of Service (DoS) attack to prevent future attacks. Log and report
the following details.

1) The time of the attack

2) Your IP address at the time of attack

3) The attacker's IP address

4) Other details and the nature of attack

• Report the details of attack to your Service Provider and seek their help.
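
One way to put the baseline and logging tips above into practice, as an added example that is not part of the original tutorial. The traffic samples, IP addresses (documentation ranges), the three-standard-deviation threshold and all function names are constructed assumptions.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone


def build_baseline(normal_pps):
    """Tabulate normal activity: mean and standard deviation of packets per second."""
    return statistics.mean(normal_pps), statistics.pstdev(normal_pps)


def detect(packets, server_ip, baseline, k=3.0):
    """packets: iterable of (epoch_second, source_ip, kind) tuples.
    Returns one incident record for every second whose packet count deviates
    from the baseline by more than k standard deviations."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)     # floor avoids a zero-width band
    by_second = defaultdict(list)
    for ts, src, kind in packets:
        by_second[ts].append((src, kind))

    records = []
    for ts in sorted(by_second):
        seen = by_second[ts]
        if len(seen) <= threshold:
            continue
        sources = Counter(src for src, _ in seen)
        kinds = Counter(kind for _, kind in seen)
        records.append({
            # 1) the time of the attack
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
            # 2) your IP address at the time of attack
            "our_ip": server_ip,
            # 3) candidate attacker addresses (top talkers; may be spoofed)
            "attacker_ip_candidates": sources.most_common(3),
            # 4) other details and the nature of the attack
            "nature": kinds.most_common(1)[0][0],
            "packets_per_second": len(seen),
            "threshold": round(threshold, 1),
        })
    return records


def constructed_traffic(start=1704067200):
    """Constructed sample: one normal second, then one dominated by a single source."""
    normal = [(start, "198.51.100.%d" % (i % 50 + 1), "HTTP") for i in range(100)]
    flood = [(start + 1, "203.0.113.50", "SYN") for _ in range(800)]
    background = [(start + 1, "198.51.100.%d" % (i % 50 + 1), "HTTP") for i in range(100)]
    return normal + flood + background


if __name__ == "__main__":
    baseline = build_baseline([100, 110, 95, 105, 90, 100])   # constructed history
    for record in detect(constructed_traffic(), "192.0.2.10", baseline):
        print(record)
```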

Types of attacks - Distributed Denial of Service (DDoS) attack


A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS). In Distributed Denial
of Service (DDoS) attack multiple systems flood the bandwidth or overload the resources of a
targeted server.

In Distributed Denial of Service (DDoS), an intruder compromises one computer and makes it the
Distributed Denial of Service (DDoS) master. Using this Distributed Denial of Service (DDoS) master,
the intruder identifies and communicates with other systems that can be compromised. Then the
intruder installs Distributed Denial of Service (DDoS) tools on all compromised systems. With a single
command, the intruder instructs the compromised computers to launch flood attacks against the
target server. Here thousands of compromised computers are flooding or overloading the resources
of the target server, preventing legitimate users from accessing the services offered by the
server.

Types of attacks - SYN attack


Before understanding what a SYN attack is, we need to know about the TCP/IP three-way handshake
mechanism. A Transmission Control Protocol/Internet Protocol (TCP/IP) session is initiated with a
three-way handshake. The two communicating computers exchange a SYN, SYN/ACK and ACK to initiate a
session. The initiating computer sends a SYN packet, to which the responding host will issue a SYN/ACK
and wait for an ACK reply from the initiator.

The SYN flood attack is the most common type of flooding attack. The attack occurs when the attacker
sends a large number of SYN packets to the victim, forcing it to wait for replies that never come. The
third part of the TCP three-way handshake is not executed. Since the host is waiting for a large number of
replies, the real service requests are not processed, bringing down the service. The source address of
these SYN packets in a SYN flood attack is typically set to an unreachable host. As a result it is impossible
to find the attacking computer.

SYN cookies provide protection against the SYN flood. A SYN cookie is a specific initial TCP sequence
number chosen by the TCP software, and is used as a defense against SYN flood attacks. By using
stateful firewalls which reset the pending TCP connections after a specific timeout, we can reduce the
effect of a SYN attack.
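
How a SYN cookie lets the server keep no state for half-open connections, as an added example that is not part of the original tutorial and not any TCP stack's code. It follows the classic layout of 5 bits of time counter, 3 bits of MSS index and 24 bits of keyed hash; the HMAC-SHA-256 hash, the MSS table, the addresses and the secret are assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

COUNTER_PERIOD = 64                    # seconds per tick of the time counter t
MSS_TABLE = (536, 1300, 1440, 1460)    # assumed table; 3 bits leave room for 8 entries


def _mac24(secret, src_ip, src_port, dst_ip, dst_port, t, mss_idx):
    """24-bit keyed hash over the connection 4-tuple, the counter and the MSS index."""
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack(">H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack(">H", dst_port)
           + struct.pack(">IB", t & 0xFFFFFFFF, mss_idx))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Called on SYN: returns the initial sequence number to send in the SYN/ACK.
    Nothing about the connection is stored on the server."""
    t = int(now) // COUNTER_PERIOD
    # Largest table entry that does not exceed the MSS the client announced.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(secret, src_ip, src_port, dst_ip, dst_port, t, mss_idx)
    return ((t % 32) << 27) | (mss_idx << 24) | mac


def check_cookie(secret, src_ip, src_port, dst_ip, dst_port, ack_number, now, max_age=2):
    """Called on the final ACK: the client acknowledges cookie + 1. Returns the
    negotiated MSS if the cookie is genuine and recent, otherwise None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t_bits, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    t_now = int(now) // COUNTER_PERIOD
    for age in range(max_age + 1):           # accept the current and recent ticks only
        t = t_now - age
        if t % 32 != t_bits:
            continue
        if mac == _mac24(secret, src_ip, src_port, dst_ip, dst_port, t, mss_idx):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    SECRET = b"constructed-server-secret"    # constructed sample value
    conn = ("198.51.100.7", 40000, "192.0.2.10", 443)
    isn = make_cookie(SECRET, *conn, client_mss=1460, now=1_000_000)
    print("SYN/ACK sequence number: 0x%08x" % isn)
    print("genuine ACK  ->", check_cookie(SECRET, *conn, ack_number=isn + 1, now=1_000_030))
    print("stale ACK    ->", check_cookie(SECRET, *conn, ack_number=isn + 1, now=1_000_300))
    print("guessed ACK  ->", check_cookie(SECRET, *conn, ack_number=0x12345678, now=1_000_030))
```

A spoofed SYN costs the server one SYN/ACK and no memory; a connection is created only when an ACK carrying a valid cookie returns.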

Types of attacks - Sniffer Attack


A sniffer is an application that can capture network packets. Sniffers are also known as network protocol
analyzers. While protocol analyzers are really network troubleshooting tools, they are also used by hackers
for hacking networks. If the network packets are not encrypted, the data within the network packet can be
read using a sniffer. Sniffing refers to the process used by attackers to capture network traffic using a
sniffer. Once the packet is captured using a sniffer, the contents of packets can be analyzed. Sniffers are
used by hackers to capture sensitive network information, such as passwords, account information etc.

Many sniffers are available for free download. Leading packet sniffers are Wireshark, Dsniff, Etherpeek,
sniffit etc.

Types of attacks - Man-In-The-Middle (MITM) attack

Man-In-The-Middle (MITM) attack is the type of attack where attackers intrude into an existing
communication between two computers and then monitor, capture, and control the communication. In
a Man-in-the-middle attack, an intruder assumes a legitimate user's identity to gain control of the network
communication. The other end of the communication path might believe it is you and keep on exchanging
the data.

Man-in-the-Middle (MITM) attacks are also known as "session hijacking attacks", which means that the
attacker hijacks a legitimate user's session to control the communication.

Many preventive methods are available for Man-In-The-Middle (MITM) attack and some are listed below.

• Public Key Infrastructure (PKI) technologies

• Verifying delay in communication

• Stronger mutual authentication

Types of attacks - IP Address Spoofing Attack


IP address spoofing is a type of attack in which an attacker changes the source Internet Protocol (IP)
address of IP packets to make it appear as though the packet is coming from another valid IP address. In IP
address spoofing, IP packets are generated with fake source IP addresses in order to impersonate other
systems or to protect the identity of the sender.

To explain this clearly, in IP address spoofing, the IP address information placed in the source field of the
IP header is not the real IP address of the source computer where the packet originated. By changing
the source IP address, the actual sender can make it look like the packet was sent by another computer,
and therefore the response from the target computer will be sent to the fake address specified in the
packet and the identity of the attacker is also protected.

Packet filtering is a method to prevent IP spoofing attacks. Blocking of packets from outside the network
with a source address inside the network (ingress filtering) and blocking of packets from inside the
network with a source address outside the network (egress filtering) can help prevent IP spoofing
attacks.
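
The ingress and egress rules above expressed as a filter decision, as an added example that is not part of the original tutorial. The internal prefixes, the interface names `outside` and `inside`, and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed prefixes standing in for "our" network (IPv4 and IPv6).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("2001:db8:20::/48")]


def is_internal(address, nets=INTERNAL_NETS):
    return any(address.version == net.version and address in net for net in nets)


def filter_decision(interface, src_ip, nets=INTERNAL_NETS):
    """interface is 'outside' for packets arriving from the Internet and 'inside'
    for packets leaving our network. Returns (verdict, reason)."""
    if interface not in ("outside", "inside"):
        return "drop", "unknown interface"
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop", "unparseable source address"
    if interface == "outside" and is_internal(src, nets):
        return "drop", "ingress filter: internal source arriving from outside"
    if interface == "inside" and not is_internal(src, nets):
        return "drop", "egress filter: external source leaving our network"
    return "pass", "source address consistent with interface"


# Constructed sample packets: (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "10.20.1.5"),     # normal inbound traffic
    ("outside", "10.20.1.99", "10.20.1.5"),       # claims to be one of our hosts
    ("inside", "10.20.1.5", "203.0.113.80"),      # normal outbound traffic
    ("inside", "203.0.113.9", "198.51.100.200"),  # our host forging an outside source
    ("outside", "2001:db8:20::1", "2001:db8:20::5"),
]


def audit(packets, nets=INTERNAL_NETS):
    """Apply the filter to each packet and count the verdict reasons."""
    results = [(pkt, *filter_decision(pkt[0], pkt[1], nets)) for pkt in packets]
    summary = Counter(reason for _, verdict, reason in results if verdict == "drop")
    return results, summary


if __name__ == "__main__":
    results, summary = audit(SAMPLE_PACKETS)
    for (iface, src, dst), verdict, reason in results:
        print(f"{iface:8} {src:16} -> {dst:16} {verdict}: {reason}")
    print(dict(summary))
```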

Backdoor Attacks

A backdoor in an Operating System or a complex application is a method of bypassing normal
authentication and gaining access. During the development of an Operating System or application,
programmers add back doors for different purposes. The backdoors are removed when the product is
ready for shipping or production. When a backdoor which was not removed is detected, the vendor
releases a maintenance upgrade or patch to close the back door.

Another type of back door can be an installed program or could be a modification to an existing program.
The installed program may allow a user to log on to the computer without a password with administrative
privileges. Many programs are available on the internet to create back door attacks on systems. One of the
more popular tools is Back Orifice, which is also available for free download on the internet.

Password Guessing Attacks, Brute Force Attack, Dictionary Attack

Another type of network attack is the Password Guessing attack. Here a legitimate user's access rights to
a computer and network resources are compromised by identifying the user id/password
combination of the legitimate user.

Password guessing attacks can be classified into two types.

Brute Force Attack: A Brute Force attack is a type of password guessing attack and it consists of trying
every possible code, combination, or password until you find the correct one. This type of attack may
take a long time to complete. A complex password can make the time for identifying the password by
brute force long.

Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a
dictionary of common words to identify the user’s password.

Defense against Network Attack


The following tips will help you to keep your network secure against unauthorized monitoring and
network attacks.

Configuration Management
The main weapon in network attack defense is tight configuration management. The following measures
should be strictly implemented as part of configuration management.

• The machines in your network should be running up-to-date copies of the operating system and should
be updated immediately whenever a new service pack or patch is released.

• All your configuration files in your Operating Systems or Applications should have enough security.

• All the default passwords in your Operating Systems or Applications should be changed after the
installation.

• You should implement tight security for root/Administrator passwords.

Firewalls
Another weapon for defense against network attack is the firewall. A firewall is a device and/or software
that stands between a local network and the Internet, and filters traffic that might be harmful. Firewalls
can be classified into four types based on whether they filter at the IP packet level, at the TCP session
level, at the application level, or as a hybrid.

1. Packet Filtering: Packet filtering firewalls function at the IP packet level. Packet filtering firewalls
filter packets based on addresses and port number. Packet filtering firewalls can be used as a weapon in
network attack defense against Denial of Service (DoS) attacks and IP Spoofing attacks.

2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that they can
reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway firewalls can
also provide a Virtual Private Network (VPN) over the Internet by doing encryption from firewall to firewall.

3. Application Proxies: Application proxy-based firewalls function at the application level. At this level, you
can block or control traffic generated by applications. Application Proxies can provide very comprehensive
protection against a wide range of threats.

4. Hybrid: A hybrid firewall may consist of a packet filter combined with an application proxy firewall,
or a circuit gateway combined with an application proxy firewall.

Encryption
Encryption is another great weapon used in defense against network attacks.

Encryption can provide protection against eavesdropping and sniffer attacks. Public Key Infrastructure
(PKI) Technologies, Internet Protocol Security (IPSec), and Virtual Private Networks (VPN), when
implemented properly, can secure your network against network attacks.

Other tips for defense against network attack are

• Privilege escalation at different levels and strict password policies

• Tight physical security for all your machines, especially servers.

• Tight physical security and isolation for your back up data.

What is malware and different types of malwares


Malware is short for "malicious software". Malware programs are designed to infiltrate a computer
without the owner's knowledge. Malware includes all malicious software such as tracking cookies (which
are used to monitor your surfing habits), keyloggers, Trojan horses, worms, and viruses.

The following lessons give you basic knowledge of different types of malware:

• Adwares, Toolbars and Hijackers

• Keyloggers

• Computer Viruses

• Types of Computer Viruses

• Worms

• Logic Bombs

• Trojan Horses

• Rootkits

Adwares, Toolbars and Hijackers


Adwares
Adware is a type of malware which downloads advertisement content from the Internet and displays
advertisements in the form of pop-ups, pop-unders etc. Once adware is installed on a computer, it
does not depend on your browser and can display advertisements stand-alone. Pop-up
blockers also cannot block these pop-ups. Adware is always an annoyance to the computer user.

Toolbars
Toolbars are available as plug-ins to browsers which provide additional functionality such as search forms
or pop-up blockers. Examples of useful toolbars are Google Toolbar, Yahoo toolbar, Ask toolbar etc. There
are also malware toolbar plug-ins which are installed without the user's consent, display advertisements
and perform other nuisance activities.

Hijackers
Hijackers are another type of malware that takes control of the behavior of your web browser, such as the
home page, default search pages, toolbar etc. Hijackers redirect your browser to another URL if you
mistype the URL of the website you want to visit. Hijackers can also prevent you from opening a particular
web site. Hijackers are an annoyance to users who use the browser often.

What are keyloggers - Key stroke logger


A keylogger or keystroke logger is a program or a hardware device that logs every keystroke you make on
your computer and then sends that information, including passwords, bank account numbers, and
credit card numbers, to whoever is controlling the malware.

A hardware keylogger is a small hardware device which is normally installed between the keyboard
port and the keyboard. The hardware keylogger then tracks all user keystrokes and saves the
keystrokes to its internal memory. Hardware keyloggers are available in different memory capacities.

A software keylogger is a program which can track and save all the keystrokes of the user on the
computer. Software keyloggers are normally cheaper than hardware keyloggers. Software
keyloggers run invisibly to the user being monitored and hide themselves from the Task Manager and from
Add/Remove Programs. Many software keyloggers also support remote installation.

Computer Viruses
A Computer Virus is another type of malware which, when executed, tries to replicate itself into other
executable code available on the infected computer. If the virus is able to replicate itself into
other executable code, that code is then infected with the computer virus. When the infected executable
code is executed, it can in turn infect other executable code. The key difference between a virus and other
malware is this self-replication capability.

Normally, viruses propagate within a single computer, or may travel from one computer to another
using storage media like CD-ROM, DVD-ROM, USB flash drive etc.

A Computer Virus program normally has the following mechanisms.


• A propagation mechanism that allows the virus to move from one computer to another computer.

• A replication mechanism that allows the virus to attach itself to another executable program.

• A trigger mechanism that is designed to execute the replication mechanism of the virus.

• Different tasks that perform the mischievous activities on the victim computer.

Different types of Computer Viruses - Computer Virus Classification


Computer Viruses are classified according to their nature of infection and behavior. Different types of
computer virus classification are given below.

• Boot Sector Virus: A Boot Sector Virus infects the first sector of the hard drive, where the Master Boot
Record (MBR) is stored. The Master Boot Record (MBR) stores the disk's primary partition table and the
bootstrapping instructions which are executed after the computer's BIOS passes execution to
machine code. If a computer is infected with a Boot Sector Virus, the virus launches immediately when the
computer is turned on and is loaded into memory, enabling it to control the computer.

• File Deleting Viruses: A File Deleting Virus is designed to delete critical files which are the part of
Operating System or data files.

• Mass Mailer Viruses: Mass Mailer Viruses search e-mail programs like MS outlook for e-mail addresses
which are stored in the address book and replicate by e-mailing themselves to the addresses stored in the
address book of the e-mail program.

• Macro viruses: Macro viruses are written using macro programming languages like VBA, which is
a feature of the MS Office package. A macro is a way to automate and simplify a task that you perform
repeatedly in the MS Office suite (MS Excel, MS Word etc). These macros are usually stored as part of the
document or spreadsheet and can travel to other systems when these files are transferred to other
computers.

• Polymorphic Viruses: Polymorphic Viruses have the capability to change their appearance and change
their code every time they infect a different system. This helps the Polymorphic Viruses to hide from anti-
virus software.

• Armored Viruses: Armored Viruses are a type of virus designed and written to make themselves
difficult to detect or analyze. An Armored Virus may also have the ability to protect itself from antivirus
programs, making it more difficult to disinfect.

• Stealth viruses: Stealth viruses have the capability to hide from the operating system or anti-virus software
by making changes to file sizes or directory structure. Stealth viruses are anti-heuristic in nature, which helps
them to hide from heuristic detection.

• Polymorphic Viruses: Polymorphic viruses change their form in order to avoid detection and
disinfection by anti-virus applications. After the work, these types of viruses try to hide from the anti-virus
application by encrypting parts of the virus itself. This is known as mutation.

• Retrovirus: A Retrovirus is another type of virus which tries to attack and disable the anti-virus application
running on the computer. A retrovirus can be considered anti-antivirus. Some Retroviruses attack the
anti-virus application and stop it from running, while others destroy the virus definition database.

• Multiple Characteristic viruses: Multiple Characteristic viruses have the characteristics of different
types of viruses and have different capabilities.

Computer Worms, different types of computer worms


A worm has characteristics similar to a virus. Worms are also self-replicating, but a worm replicates
in a different way. Worms are standalone programs: once a worm has infected a computer, it searches for
other computers connected through a local area network (LAN) or Internet connection. When a worm
finds another computer, it replicates itself to the new computer and continues to search for other
computers on the network to replicate to.

Due to the nature of replication through the network, a worm normally consumes much system resources
including network bandwidth, causing network servers to stop responding.

Different types of Computer Worms are:

• Email Worms: Email Worms spread through infected email messages as an attachment or a link of an
infected website.

• Instant Messaging Worms: Instant Messaging Worms spread by sending links to the contact list of
instant messaging applications.

• Internet Worms: An Internet worm scans all available network resources using local operating system
services and/or scans the Internet for vulnerable machines. If a computer is found vulnerable, the worm
attempts to connect and gain access to it.

• IRC Worms: IRC Worms spread through IRC chat channels, sending infected files or links to infected
websites.

• File-sharing Network Worms: File-sharing Network Worms place a copy of themselves in a shared folder
and spread via P2P networks.

Logic Bombs, How Logic Bombs work


A logic bomb is a program, or a part of another program, which will trigger a malicious function when
specified conditions are met. Normally a logic bomb does not replicate itself and therefore logic bomb will
not spread to unintended victims. Logic bombs are written and targeted against a specific victim.

A logic bomb is code which consists of two parts: 

• A payload, which is the action to perform and which normally has a malicious effect.

• A trigger, a Boolean condition that is evaluated and controls when the payload is executed. The trigger
can be a date, the logged-in user, network conditions etc.

Computer Trojan Horses


The Trojan Horse is another type of malware, which got its name from the mythological Trojan horse. In the
Trojan War, the Greeks conquered and destroyed the city of Troy by constructing a huge wooden horse and
hiding Greek soldiers inside. The Trojans pulled the horse into their city as a victory trophy. At night the Greek
soldiers came out of the horse and opened the gates for the rest of the Greek army to capture the city of Troy.

Trojan Horse malware normally appears to be useful software but will actually do damage once
installed or run on your computer. Trojan Horses are normally designed to give hackers access to a system.
They appear as useful programs but give hackers the ability to change file settings, steal files
or passwords, damage or alter files, monitor users on computers etc.

Trojan Horses can alter or delete files from the infected computer, download files to the infected
computer, modify registry settings, steal passwords, log keystrokes, disable anti-virus applications etc.

Rootkits, Different types of rootkits


A rootkit is another type of malware that has the capability to conceal itself from the Operating
System and antivirus applications on a computer. A rootkit provides continuous root level (super user)
access to the computer where it is installed. The name rootkit came from the UNIX world, where the
super user is "root", combined with "kit".

Rootkits are installed by an attacker for a variety of purposes. Rootkits can provide the attacker root
level access to the computer via a back door, conceal other malware which is installed
on the target computer, turn the computer into a zombie computer for network
attacks, or be used to hack encryption keys and passwords etc. Rootkits are more
dangerous than other types of malware because they are difficult to detect and cure.

Different types of Rootkits are explained below.

Application Level Rootkits: Application level rootkits operate inside the victim computer by changing
standard application files with rootkit files, or changing the behavior of present applications with
patches, injected code etc.

Kernel Level Rootkits: The kernel is the core of the Operating System, and Kernel Level Rootkits are
created by adding additional code or replacing portions of the core operating system with modified
code via device drivers (in Windows) or Loadable Kernel Modules (Linux). Kernel Level Rootkits can
have a serious effect on the stability of the system if the kit’s code contains bugs. Kernel rootkits are
difficult to detect because they have the same privileges as the Operating System, and therefore they
can intercept or subvert operating system operations.

Hardware/Firmware Rootkits: Hardware/Firmware rootkits hide themselves in hardware such as a network
card, system BIOS etc.

Hypervisor (Virtualized) Level Rootkits: Hypervisor (Virtualized) Level Rootkits are created by
exploiting hardware features such as Intel VT or AMD-V (Hardware assisted virtualization
technologies). Hypervisor level rootkits host the target operating system as a virtual machine and
therefore they can intercept all hardware calls made by the target operating system.

Boot loader Level (Bootkit) Rootkits: Boot loader Level (Bootkit) Rootkits replace or modify the
legitimate boot loader with another one, thus enabling the Boot loader Level (Bootkit) Rootkit to be activated
even before the operating system is started. Boot loader Level (Bootkit) Rootkits are a serious threat to
security because they can be used to hack the encryption keys and passwords.

Infrastructure and Email Security


Introduction to Infrastructure Security
Network Infrastructure includes networks, network devices, servers, workstations, and other devices.
The software running on these devices is also part of the Network Infrastructure. To keep your
network secure, you should make sure that every time a configuration is changed or a new device is
added, you are not creating a hole in your security. A normal network comprises routers, firewalls,
switches, servers and workstations. A typical layout of network infrastructure devices is shown
below.

The following lessons explain the Network Infrastructure devices in detail.

• Firewall

• Routers

• Hubs

• Bridges and Switches

• Modems

Firewalls, Packet Filtering Firewalls, Circuit Gateways, Application Firewalls (Proxies), Hybrid Firewalls
A firewall is hardware and/or software which functions in a networked environment to block
unauthorized access while permitting authorized communications. A firewall is a device and/or
software that stands between a local network and the Internet, and filters traffic that might be
harmful. Firewalls can be either stand-alone systems or included in other devices such as routers or
servers.

Hardware firewalls are separate devices which function as dedicated firewalls (They also contain
software but normally stored in ROM to prevent tampering). Cisco and Checkpoint are the two
leading companies which make hardware firewalls.

Software firewalls can be installed on servers or workstations and they help to prevent unwanted
inbound and outbound traffic. Microsoft ISA Server, Zone Alarm, Comodo etc are some leading
software based firewalls. The Linux Operating System includes an Open Source firewall called iptables.

Firewalls can be classified into four types based on whether they filter at the IP packet level, at the TCP
session level, at the application level, or as a hybrid.

1. Packet Filtering Firewalls: Packet filtering firewalls function at the IP packet level. They
filter packets based on addresses and port numbers. Packet filtering firewalls can
be used as a weapon in network attack defense against Denial of Service (DoS) attacks and IP
Spoofing attacks.

2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that
they can reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway
firewalls can also provide a Virtual Private Network (VPN) over the Internet by doing encryption from firewall
to firewall.

3. Application Level Firewalls (Proxies): Application proxies are configured on multi-homed servers
and they are often used instead of router-based traffic controls, to prevent traffic from passing
directly between networks. Application proxy-based firewalls function at the application level. At
this level, you can block or control traffic generated by applications. Application-Level Firewalls can
enforce correct application behavior, and can help to block malicious traffic. Application-Level Firewalls
can also log user activity. Application-Level Firewalls may also include protection against spam and
viruses. Application-Level Firewalls can block Web sites based on their content rather than just IP
address. Application Proxies can provide very comprehensive protection against a wide range of
threats.

4. Hybrid Firewalls: A hybrid firewall may consist of a packet filter combined with an application
proxy firewall, or a circuit gateway combined with an application proxy firewall.
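
The packet filtering described in item 1, here and in the earlier firewall overview, can be sketched as a first-match rule table with a default deny. This is an added example, not code from the original material; the rule set, interface names and addresses are constructed assumptions. It shows how filtering on addresses and ports alone can drop spoofed source addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All addresses are constructed sample values (RFC 1918 / RFC 5737 ranges).
INSIDE_NET = "192.168.10.0/24"
WEB_SERVER = "192.168.10.80/32"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    note: str
    iface: Optional[str] = None      # None means "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        # A packet filter only looks at header fields: interface, addresses, protocol, port.
        return (
            self.iface in (None, p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in (None, p.proto)
            and self.dport in (None, p.dport)
        )


# Order matters: the anti-spoofing rules must come before any allow rule.
RULES: List[Rule] = [
    Rule("deny", "anti-spoofing: internal source seen on outside interface",
         iface="outside", src=INSIDE_NET),
    Rule("deny", "anti-spoofing: loopback source seen on outside interface",
         iface="outside", src="127.0.0.0/8"),
    Rule("allow", "public HTTPS to web server",
         iface="outside", dst=WEB_SERVER, proto="tcp", dport=443),
    Rule("allow", "outbound traffic with a genuine LAN source",
         iface="inside", src=INSIDE_NET),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.note
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.7", "192.168.10.80", "tcp", 443),
        Packet("outside", "192.168.10.5", "192.168.10.80", "tcp", 443),  # spoofed source
        Packet("outside", "203.0.113.7", "192.168.10.80", "tcp", 22),
        Packet("inside", "192.168.10.5", "203.0.113.7", "udp", 53),
        Packet("inside", "10.9.9.9", "203.0.113.7", "tcp", 80),          # forged LAN source
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

Because the filter sees only headers, the second sample packet is rejected purely on the mismatch between its claimed source address and the interface it arrived on.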

What is a router and the functions of router


A router is another network infrastructure device that directs packets through the network based
on information from the Network Layer (Layer 3) of the OSI model. A router uses a combination of
hardware and software to "route" data from its source to its destination. A router can be
configured to route data packets from different network protocols, like TCP/IP, IPX/SPX, and
AppleTalk.

Routers segment large networks into logical segments called subnets. The division of the network is
based on the Layer 3 addressing system, like IP addresses. If the Network Layer (Layer 3) Data
packet (IP Datagram) is addressed to another device on the local subnet, the packet does not cross
the router and create a traffic congestion problem in another network. If data is addressed to a
computer outside the subnet, the router forwards the data to the addressed network. Thus routing
of network data helps conserve network bandwidth.

Routers are the first line of defense for your network and they must be configured to pass only
traffic that is authorized by the network administrators. Thus a router can function as a firewall if
it’s configured properly.

The following picture shows a Cisco 2800 Series Router.

What is a hub - How hubs work


What is a Hub?

Hubs were the common network infrastructure devices used for LAN connectivity but switches are
rapidly replacing hubs. Hubs function as the central connection point for LANs. Hubs are designed to
work with Twisted pair cabling and normally use RJ45 jack to connect the devices. Network devices
(Servers, Workstations, Printers, Scanners etc) are attached to the hub by individual network cables.
Hubs usually come in different shapes and different numbers of ports.

When a hub receives a packet of data (an Ethernet frame) at one of its ports from a network device, it
transmits (repeats) the packet to all of its ports to all of the other network devices.  If two network
devices on the same network try to send packets at the same time a collision is said to occur.

Hubs operate in such a way that all data received through one port is sent to all other ports. This type
of operation creates an extremely unsecure environment and anyone can sniff the network using a
sniffer and any unencrypted traffic over the network is not secure. Hubs are unsecure LAN devices
that should be replaced with switches for security and increased bandwidth.

Hubs are considered to operate at the Physical Layer (Layer 1) of the OSI model. An 8 port hub is shown
below.

What are bridges and switches
A bridge is a network device that operates at the Data Link layer (Layer 2) of the OSI model. There are
many different types of bridges, including Transparent bridges, Encapsulation bridges and Source-route
bridges. Source-route bridges are for Token Ring networks. Bridges allow segmenting a Local
Network into multiple segments, thus reducing the network traffic. A bridge performs the
segmenting function by examining the Data Link Layer (Layer 2) data packet (Ethernet Frame) and
forwarding the packet to other physical segments only if necessary. Both switches and bridges
function using the Data Link Layer (Layer 2) addressing system, also known as MAC addresses.

A bridge can connect only two networks, LANs or hosts, which means that a bridge has only two ports.
A switch can connect more than two networks, LANs or hosts because a switch normally has
more than two ports (usually 24 ports or 48 ports). Simply put, a bridge with more than
two ports is known as a switch. Bridges and switches are considered to operate at the Data Link Layer
(Layer 2) of the OSI model.
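
The difference between a hub repeating every frame and a switch forwarding "only if necessary" can be seen in a small simulation. This is an added example, not part of the original material; the MAC addresses, port numbers and the learning-table model are constructed assumptions. It counts how many frames of a two-host conversation reach a third, passive port.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Layer 1 repeater: every frame leaves on every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = range(ports)

    def receive(self, in_port, src_mac, dst_mac):
        return [p for p in self.ports if p != in_port]


class Switch:
    """Layer 2 device: learns which MAC address lives on which port, then forwards selectively."""

    def __init__(self, ports):
        self.ports = range(ports)
        self.mac_table = {}          # MAC address -> port, learned from source addresses

    def receive(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcasts and not-yet-learned destinations are still flooded.
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]


def frames_seen_on(device, frames, monitor_port):
    """Count how many frames the device delivers to monitor_port."""
    seen = 0
    for in_port, src_mac, dst_mac in frames:
        if monitor_port in device.receive(in_port, src_mac, dst_mac):
            seen += 1
    return seen


# Constructed sample: host A on port 0 and host B on port 1 exchange four frames.
HOST_A = "02:00:00:00:00:0a"
HOST_B = "02:00:00:00:00:0b"
CONVERSATION = [
    (0, HOST_A, HOST_B),
    (1, HOST_B, HOST_A),
    (0, HOST_A, HOST_B),
    (1, HOST_B, HOST_A),
]

if __name__ == "__main__":
    # Port 2 stands for a machine that only listens and never transmits.
    print("hub   :", frames_seen_on(Hub(8), CONVERSATION, 2), "of", len(CONVERSATION))
    print("switch:", frames_seen_on(Switch(8), CONVERSATION, 2), "of", len(CONVERSATION))
```

On the switch, the listening port still receives the first frame, because the destination had not been learned yet; this is why unencrypted traffic should not be treated as private even on a switched LAN.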

The following picture shows a 24 port, 10/100, Cisco 2500 Catalyst Switch.

  

What are modems


A modem (modulator-demodulator) is a hardware device that connects the digital signals from a
computer to an analog telephone line. The sending modem modulates the data into a signal that is
compatible with the phone line, and the receiving modem demodulates the signal back into digital
data for the computer. This allows the signals to be transmitted longer distances than are normally
possible.

Modem speeds at different years are shown below.


• 300 bps - 1960s through 1983

• 1200 bps - 1984 and 1985

• 9600 bps - 1991

• 56 Kbps - 1998

• ADSL (up to 8 megabits per second (Mbps)) – 1999

Modems normally respond to any call made to them when connected to an outside line and allow a
connection. This may allow instant unsecured access to the network or the computers. If the modem
is not really required, it should be disabled or removed from network workstations. If disabling the
modem is not possible, it should be configured to prevent auto-answer.

Remote Access Services (RAS), What is Remote Access Services (RAS)
Remote Access Services (RAS) refers to any combination of hardware and software which allows you
to connect from your computer at home or a remote location to your corporate network and work as
if you are connected directly to the corporate network.

Corporate users can connect to the corporate network using a direct Dial-up connection or
through a Virtual Private Network (VPN), where a low cost intermediate network (such as the Internet)
is used to connect to the corporate network. Microsoft Routing and Remote Access Services is an example
of Remote Access Services (RAS).

Dial-up networking is a Remote Access connection in which a remote access client makes a
nonpermanent, dial-up connection to a physical port on a Remote Access server by using the service
of a third party telecom service provider over an analog phone or ISDN connection.

Virtual Private Networking (VPN) is a logical, indirect connection between the Virtual Private
Networking (VPN) client and the Virtual Private Networking (VPN) server over a low cost public
network such as the Internet. A Virtual Private Networking (VPN) client uses Virtual Private
Networking (VPN) protocols called tunneling protocols to make a virtual call to a virtual port on a
Virtual Private Networking (VPN) server.

Virtual Private Networks (VPNs), What is Virtual Private Networks (VPNs)
A Virtual Private Network (VPN) can be viewed as a private network which is connected through a
public network. Virtual Private Networks (VPNs) are used to connect LANs together across the
Internet. Using Virtual Private Network (VPN) technologies, remote users can connect to the enterprise
network securely over the public Internet as if their computers were physically connected to the
network.

Virtual Private Network (VPN) connections use either Point-to-Point Tunneling Protocol (PPTP) or
Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPSec) over the Internet. Internet
connections are usually cheaper than leased line, Dial-up, ISDN or similar types of connections. Since
the Internet is the connection medium, a Virtual Private Network (VPN) can save huge telecom costs.

Point-to-Point Tunneling Protocol (PPTP)
PPTP was created by Microsoft and has been available since Windows NT 4.0 Routing and Remote Access
Services. Point-to-Point Tunneling Protocol (PPTP) encrypts the data it encapsulates, but the header
is not encrypted. Since the VPN header is not encrypted, an eavesdropper can read the VPN header
but the data is somewhat secure since the contents are encrypted.

Layer 2 Tunneling Protocol (L2TP)


Layer 2 Tunneling Protocol (L2TP) is another VPN tunneling protocol which is used together
with Internet Protocol Security (IPSec). IPSec encrypts the entire L2TP packet. An advantage of L2TP
over PPTP is that eavesdroppers cannot identify that a VPN is in use, because IPSec also encrypts the L2TP
header information. Hence the L2TP/IPSec protocol is much more secure than Point-to-Point
Tunneling Protocol (PPTP).

Intrusion Detection Systems (IDS), Network Intrusion Detection System (NIDS), Host Intrusion
Detection System (HIDS), Signatures, Alerts, Logs, False Alarms, Sensor

Intrusion detection is a set of techniques and methods that are used to detect suspicious activity
both at the network and host level. Intrusion detection is the act of detecting a hostile user or
intruder who is attempting to gain unauthorized access or trying to disturb the services or deny the
services to legitimate users. An Intrusion Detection System (IDS) is software or a device or a
combination of both that monitors and tracks network intrusion attempts, malicious activities or
policy violations and produces reports for the security administrators.

Basically an Intrusion Detection System (IDS) is also a sniffer. An Intrusion Detection System (IDS)
detects an intrusion by sniffing and analysing the network packets.

The most popular Open Source Intrusion Detection System (IDS) is Snort, developed
by Sourcefire. Snort can detect thousands of worms, vulnerability exploit attempts, port scans, and
other suspicious activities. Snort is available for both Linux and Windows platforms as source files
and binaries.

Following are some definitions which are related to Intrusion Detection Systems (IDS).

Intrusion Detection System (IDS)


Intrusion Detection System (IDS) is software, or a device or combination of both used to detect
intruder activity. 

Network Intrusion Detection System (NIDS)


A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor)
with a Network Interface Card (NIC) operating in promiscuous mode and a separate management
interface. The IDS is placed along a network segment or boundary and monitors all traffic on that
segment. Depending upon whether a packet is matched with an intruder signature, an alert is
generated or the packet is logged to a file or database.

Host Intrusion Detection System (HIDS)
A Host Intrusion Detection System (HIDS) consists of software applications (agents) installed on
workstations which are to be monitored. The agents monitor the operating system and write data
to log files and/or trigger alarms. A Host Intrusion Detection System (HIDS) can only monitor the
individual workstations on which the agents are installed and it cannot monitor the entire network.

Signatures
Signature is the pattern that you look for inside a data packet. Each attack has its own specific
signatures and a signature is used to detect one or multiple types of attacks. Signatures can be
identified from IP header, transport layer protocol header (TCP or UDP header) or from data.

Alerts
Alerts are any sort of user notification of an intruder activity. When an IDS detects an intruder, it
has to inform security administrator about this using alerts.

Logs
The log messages are usually saved in a file for future analysis.

False Alarms
False alarms are alerts generated due to an indication that is not an intruder activity.

Sensor
The machine on which an intrusion detection system is running is also called the sensor in the
literature because it is used to "sense" the network.

Difference between Firewall and Intrusion Detection System


A firewall is hardware and/or software which functions in a networked environment to block
unauthorized access while permitting authorized communications. A firewall is a device and/or
software that stands between a local network and the Internet, and filters traffic that might be
harmful.

An Intrusion Detection System (IDS) is a software or hardware device installed on the network
(NIDS) or host (HIDS) to detect and report intrusion attempts to the network.

We can think of a firewall as security personnel at the gate and an IDS device as a security camera
after the gate. A firewall can block a connection, while an Intrusion Detection System (IDS) cannot
block a connection. An Intrusion Detection System (IDS) alerts the security
administrator to any intrusion attempts.

However, an Intrusion Detection and Prevention System (IDPS) can block connections if it finds that the
connection is an intrusion attempt.

Types of Intrusion Detection Systems (IDS)


Intrusion detection systems (IDS) can be classified in different ways. The major classifications are
Active and passive IDS, and Network Intrusion detection systems (NIDS) and Host Intrusion detection
systems (HIDS).

Active and passive IDS


An active Intrusion Detection System (IDS) is also known as an Intrusion Detection and Prevention
System (IDPS). An Intrusion Detection and Prevention System (IDPS) is configured to automatically
block suspected attacks without any intervention required by an operator. An Intrusion Detection and
Prevention System (IDPS) has the advantage of providing real-time corrective action in response to
an attack.

A passive IDS is a system that’s configured to only monitor and analyze network traffic activity and
alert an operator to potential vulnerabilities and attacks. A passive IDS is not capable of performing
any protective or corrective functions on its own.

Network Intrusion detection systems (NIDS) and Host Intrusion detection systems (HIDS)
A Network Intrusion Detection System (NIDS) usually consists of a network appliance (or sensor)
with a Network Interface Card (NIC) operating in promiscuous mode and a separate management
interface. The IDS is placed along a network segment or boundary and monitors all traffic on that
segment.

A Host Intrusion Detection System (HIDS) consists of software applications (agents) installed on
workstations which are to be monitored. The agents monitor the operating system and write data
to log files and/or trigger alarms. A Host Intrusion Detection System (HIDS) can only monitor the
individual workstations on which the agents are installed and it cannot monitor the entire network.
Host based IDS systems are used to monitor any intrusion attempts on critical servers.

The drawbacks of Host Intrusion Detection Systems (HIDS) are

• Difficult to analyse the intrusion attempts on multiple computers.

• Host Intrusion Detection Systems (HIDS) can be very difficult to maintain in large networks with
different operating systems and configurations.

• Host Intrusion Detection Systems (HIDS) can be disabled by attackers after the system is
compromised.

Knowledge-based (Signature-based) IDS and behavior-based (Anomaly-based) IDS
A knowledge-based (Signature-based) Intrusion Detection System (IDS) references a database of
previous attack signatures and known system vulnerabilities. The word signature, when
we talk about Intrusion Detection Systems (IDS), means recorded evidence of an intrusion or attack. Each
intrusion leaves a footprint behind (e.g., nature of data packets, failed attempt to run an
application, failed logins, file and folder access etc.). These footprints are called signatures and can
be used to identify and prevent the same attacks in the future. Based on these signatures, a
Knowledge-based (Signature-based) IDS identifies intrusion attempts.

The disadvantages of Signature-based Intrusion Detection Systems (IDS) are that the signature database
must be continually updated and maintained, and that Signature-based Intrusion Detection Systems
(IDS) may fail to identify unique attacks.

A Behavior-based (Anomaly-based) Intrusion Detection System (IDS) references a baseline or
learned pattern of normal system activity to identify active intrusion attempts. Deviations from this
baseline or pattern cause an alarm to be triggered.

Higher false alarm rates are often associated with Behavior-based Intrusion Detection Systems (IDS).
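
The two detection approaches can be compared side by side in a short sketch. This is an added example, not taken from Snort or any other product named in this material; the signature fields, the threshold of three standard deviations and all sample data are constructed assumptions. It shows a signature matcher that stays silent on activity no signature describes, and a baseline detector that raises an alert for a benign spike.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    src: str
    proto: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    """A pattern over header fields and/or data, as described in the Signatures section."""
    name: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    content: Optional[bytes] = None

    def matches(self, e: Event) -> bool:
        return (
            self.proto in (None, e.proto)
            and self.dport in (None, e.dport)
            and (self.content is None or self.content in e.payload)
        )


# Constructed signature database.
SIGNATURES = [
    Signature("telnet-connection", proto="tcp", dport=23),
    Signature("http-path-traversal", proto="tcp", dport=80, content=b"../"),
]


def signature_alerts(events: List[Event],
                     sigs: List[Signature] = SIGNATURES) -> List[Tuple[str, str]]:
    """Knowledge-based detection: alert only on what the database already describes."""
    return [(e.src, s.name) for e in events for s in sigs if s.matches(e)]


def anomaly_alerts(baseline: List[int], observed: Dict[str, int],
                   k: float = 3.0) -> List[str]:
    """Behavior-based detection: alert when a count exceeds mean + k * stddev of the baseline."""
    threshold = mean(baseline) + k * pstdev(baseline)
    return [label for label, count in observed.items() if count > threshold]


# Constructed sample traffic.
EVENTS = [
    Event("203.0.113.9", "tcp", 80, b"GET /../../secret.txt HTTP/1.0"),
    Event("203.0.113.9", "tcp", 23, b""),
    Event("198.51.100.4", "tcp", 80, b"GET /index.html HTTP/1.0"),
    Event("198.51.100.4", "udp", 5353, b"\x00\x01activity-no-signature-describes"),
]

# Constructed failed-login counts per hour: learned baseline, then one monitored day.
BASELINE = [2, 3, 1, 2, 4, 3, 2, 3]
OBSERVED = {
    "09:00": 3,
    "10:00": 40,   # password-guessing burst
    "11:00": 9,    # benign: many users mistyping after a forced password change
}

if __name__ == "__main__":
    print("signature alerts:", signature_alerts(EVENTS))
    print("anomaly alerts  :", anomaly_alerts(BASELINE, OBSERVED))
```

The fourth event produces no signature alert, while the 11:00 entry produces an anomaly alert although nothing hostile happened, which is the false alarm trade-off described above.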

Leading Intrusion Detection Systems (IDS) Products


Some leading Intrusion Detection Systems (IDS) Products are

• Snort

Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed
by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is
the most widely deployed IDS/IPS technology worldwide. With millions of downloads and
approximately 300,000 registered users, Snort has become the de facto standard for IPS.

• CounterAct

CounterACT Edge security appliance delivers an entirely unique approach to preventing network
intrusions: Stop attackers based on their "proven intent" to attack without using signatures,
anomaly detection or pattern matching of any kind.

Attackers follow a consistent pattern. To launch an attack, they need knowledge about a network's
resources. Potential intruders, whether humans or self-propagating threats, compile vulnerability
and configuration information through scanning and probing prior to an attack. The information
received is then used to launch attacks based on the unique structure and characteristics of the
targeted network.

• AirMagnet

AirMagnet Enterprise provides a simple, scalable WLAN monitoring solution that enables any
organization to proactively mitigate all types of wireless threats, enforce enterprise policies,
prevent performance problems and audit the regulatory compliance of all their WiFi assets and
users worldwide.

• Bro Intrusion Detection System

Bro is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively
monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing
network traffic to extract its application-level semantics and then executing event-oriented
analyzers that compare the activity with patterns deemed troublesome. Its analysis includes
detection of specific attacks (including those defined by signatures, but also those defined in terms
of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of
failed connection attempts).

• Cisco Intrusion Prevention System (IPS)

Cisco IPS is one of the most widely deployed intrusion prevention systems, providing:

Protection against more than 30,000 known threats, timely signature updates and Cisco Global
Correlation to dynamically recognize, evaluate, and stop emerging Internet threats.
Cisco IPS includes industry-leading research and the expertise of Cisco Security Intelligence
Operations.

Cisco IPS protects against increasingly sophisticated attacks, including Directed attacks, Worms,
Botnets, Malware, Application abuse.

Cisco IPS also helps your organization comply with government regulations and consumer privacy
laws. It provides intrusion prevention that stops outbreaks at the network level, before they reach
the desktop; prevents losses from disruptions, theft, or defacement; collaborates with other
network components for end-to-end, networkwide intrusion prevention; supports a wide range of
deployment options, with near-real-time updates for the most recent threat; and decreases legal
liability, protects brand reputation, and safeguards intellectual property.

• Juniper Networks Intrusion Detection & Prevention (IDP)

Juniper Networks IDP Series Intrusion Detection and Prevention Appliances with Multi-Method
Detection (MMD), offers comprehensive coverage by leveraging multiple detection mechanisms.
For example, by utilizing signatures, as well as other detection methods including protocol anomaly
traffic anomaly detection, the Juniper Networks IDP Series appliances can thwart known attacks as
well as possible future variations of the attack. Backed by Juniper Networks Security Lab, signatures
for detection of new attacks are generated on a daily basis. Working very closely with many
software vendors to assess new vulnerabilities, it’s not uncommon for IDP Series to be equipped to
thwart attacks which have not yet occurred. Such day-zero coverage ensures that you’re not
merely reacting to new attacks, but proactively securing your network from future attacks.

• McAfee Host Intrusion Prevention for server

Defend your servers from known and new zero-day attacks with McAfee Host Intrusion Prevention.
Boost security, lower costs by reducing the frequency and urgency of patching, and simplify
compliance.

• Sourcefire Intrusion Prevention System (IPS)

Built on the foundation of the award-winning Snort® rules-based detection engine, Sourcefire IPS™
(Intrusion Prevention System) uses a powerful combination of vulnerability- and anomaly-based
inspection methods—at throughputs up to 10 Gbps—to analyze network traffic and prevent critical
threats from damaging your network. Whether deployed at the perimeter, in the DMZ, in the core,
or at critical network segments, and whether placed in inline or passive mode, Sourcefire’s easy-to-
use IPS appliances provide comprehensive threat protection.

• Strata Guard IDS/IPS

The award-winning Strata Guard® high-speed intrusion detection/prevention system (IDS/IPS) gives
you real-time, zero-day protection from network attacks and malicious traffic, preventing: malware,
spyware, port scans, viruses, and DoS and DDoS from compromising hosts; device and network
outages; data leakage; high-risk protocols, such as BitTorrent™, Kazaa™, and TelNet, from running
on your network; and unauthorized access to sensitive data.

Introduction to Honeypots
A honeypot is a closely monitored computing resource that we want to be probed, intruded,
attacked, or compromised. A honeypot is defined as "an information system resource whose value
lies in unauthorized or illicit use of that resource". A honeypot can capture every action an intruder
or attacker makes inside the honeypot. A honeypot can log access attempts, capture keystrokes,
identify the files accessed and modified, and identify the programs executed within the
honeypot. If an attacker is unaware that he’s inside a honeypot, we can even identify his ultimate
intentions.

Honeypots can be placed inside the network, outside the network or inside DMZ (Demilitarized
Zone). They can even be placed in all of the above locations.

Honeypots are necessary to learn how intruders and attackers probe and attempt to gain access to
your systems. By learning and recording how intruders and attackers probe and attempt to gain
access to the systems, we can gain insight into attack methodologies to protect our real production
systems.

Honeypots are also necessary to record and provide forensic information of an attack to
government law enforcement agencies. These records generated by the honeypots are required to
prosecute the intruders and attackers.

Types of Honeypots - Low Interaction Honeypots and High Interaction Honeypots

Low Interaction Honeypots

Low Interaction Honeypots allow only limited interaction for an attacker or malware. All services
offered by a Low Interaction Honeypot are emulated. Thus Low Interaction Honeypots are not
themselves vulnerable and will not become infected by the exploit attempted against the emulated
vulnerability.

High Interaction Honeypots


High Interaction Honeypots make use of the actual vulnerable service or software. High-interaction
honeypots are usually complex solutions as they involve real operating systems and applications. In
High Interaction Honeypots nothing is emulated; everything is real. High Interaction Honeypots
provide a far more detailed picture of how an attack or intrusion progresses or how a particular
malware executes in real-time. Since there is no emulated service, High Interaction Honeypots help in
identifying unknown vulnerabilities. But High Interaction Honeypots are more prone to infections, and
they increase the risk because attackers can use these real honeypot
operating systems to attack and compromise production systems.

Leading Honeypot Products

Some leading honeypot products are

•Honeyd

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run
arbitrary services, and their personality can be adapted so that they appear to be running certain
operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to
65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms
for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of
virtual systems. Honeyd is created for Unix Operating Systems and Honeyd is open source software
released under GNU General Public License.

•HoneyBOT

HoneyBOT is a windows based low interaction honeypot solution. HoneyBOT works by opening a
large range of listening sockets on your computer from which a selection of these sockets are
designed to mimic vulnerable services. When an attacker connects to these services they are fooled
into thinking they are attacking a real server. The honeypot safely captures all communications with
the attacker and logs these results for future analysis. Should an attacker attempt an exploit or
upload a rootkit or trojan to the server the honeypot environment can safely store these files on your
computer for malware collection and analysis purposes.

• MultiPot

Multipot is an emulation-based honeypot designed to capture malicious code which spreads through
various exploits across the net. Design specifications for this project mandated that the captures be
done in such a way so that the host machine would require only minimal supervision and would not
itself risk getting infected. Multipot was designed to emulate exploitable services to safely collect
malicious code.

• Glastopf Project

Many of today's most advanced attacks now happen at the web application layer. This solution is
designed to capture information on the latest web application attacks using scalable and easy to
deploy low-interaction server honeypots. Glastopf is a minimalistic web server emulator written in
Python. The honeypot tool collects information about web application-based attacks like for example
remote file inclusion, SQL injection, and local file inclusion attacks. Glastopf scans the incoming
request for strings like "=http://" or "=ftp://". If this matches, we try to download and analyze the file
and respond as close as possible to the attacker's expectations. If we fulfill them, the attacker sends
us for example a bot, shell or spreader. Those files could for example be analyzed for IRC information
to infiltrate the botnet behind this kind of attacks. The collected data is stored in a MySQL database
that can be browsed via a web interface.

• Argos

Argos is a full and secure system emulator designed for use in honeypots. It is based on Qemu, an
open source emulator that uses dynamic translation to achieve a fairly good emulation speed.

Argos extends Qemu to enable it to detect remote attempts to compromise the emulated guest
operating system. Using dynamic taint analysis it tracks network data throughout execution and
detects any attempts to use them in an illegal way. When an attack is detected the memory footprint
of the attack is logged.

• KFSensor

KFSensor is a Commercial Windows based honeypot Intrusion Detection System (IDS).

It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system
services and trojans.
By acting as a decoy server it can divert attacks from critical systems and provide a higher level of
information than can be achieved by using firewalls and NIDS alone.

•NetBait

NetBait is a proprietary technology developed by NetBait, Inc. to prevent, detect and analyze
intruders' attacks on companies' networks. NetBait is based on the concept of a "Honeypot," which
means that it is a decoy which lures intruders away from actual network data and instead gives them
"bait" with false information.

•GHH - The "Google Hack" Honeypot

Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers.
GHH is a “Google Hack” honeypot. It is designed to provide reconnaissance against attackers that use
search engines as a hacking tool against your resources. GHH implements honeypot theory to provide
additional security to your web presence.

Honeypot Clients (HoneyClients), HoneyC, Shelia, The Strider HoneyMonkey Project (Microsoft)

Leading Honeypots emulate servers and services. They act as servers and wait passively to be
attacked. HoneyClients are another type of Honeypot, which actively search for malicious servers
that attack clients. Many malicious web servers host exploits which are targeted
against specific web browsers. Once the web client connects to the malicious web site, the site can
download and install malware on the victim's machine. HoneyClients crawl websites and, through
various methods, determine which websites attack the web browser, and download the
malware for analysis.

Leading HoneyClients are

• HoneyC

HoneyC is a low interaction client honeypot / honeyclient that makes it possible to identify malicious
servers on the web. Instead of using a fully functional operating system and client to perform
this task (which is done by high interaction client honeypots, such as Honeymonkey or
Honeyclient), HoneyC uses emulated clients that are able to solicit as much of a response from a
server that is necessary for analysis of malicious content. HoneyC is expandable in a variety of
ways: it can use different visitor clients, search schemes, and analysis algorithms.

• Shelia

Shelia is an intrusion detection system for the client side. It comes with a client emulator that
scans through a mail folder specified on the command line. Typically, this would be the spam
folder. In this folder the client emulator is capable of following every url and opening every
attachment.

• The Strider HoneyMonkey Project (Microsoft)

Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting
malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched
browser vulnerabilities and install malware on the computers of unsuspecting users.

 Introduction to Network Protocol Analyzers (Sniffers)


monitoring, network traffic analysis,
opping etc) is the process of capturing
cting it to troubleshoot the network
e data packets of network protocols and
network protocol analyzer has many uses.

orms, viruses, compromised computers and

e they can catch the network traffic and read


m a favorite weapon of network intruders.
tial information (unencrypted) over the
pturing usernames and passwords which are
he users on a network, Capturing VoIP

ark of Network General. Network General


How Network Protocol Analyzers (Sniffers) work?

First, the network protocol analyzer (Sniffer) switches the selected network interface into promiscuous
mode. In promiscuous mode the network card can listen for all network traffic on its particular
network segment. The network protocol analyzer (Sniffer) uses this mode along with low-level access
to the interface to capture the raw binary data from the wire. The captured binary data is then
converted into a readable format. After it is converted into a readable format, it is analyzed based
on the protocol.

The network protocol analyzer (Sniffer) can analyze large number of network protocols including
ARP, IP, ICMP, TCP, UDP, DCCP, HTTP, FTP, DNS, and DHCP. 

Leading Network Protocol Analyzer (Sniffer) products


Some leading Network Protocol Analyzer (Sniffer) products are

• Wireshark Network Protocol Analyzer

Wireshark is the world's foremost network protocol analyzer, and is the de facto (and often de jure)
standard across many industries and educational institutions.

• tcpdump

tcpdump is a common packet analyzer that runs under the command line. It allows the user to
intercept and display TCP/IP and other packets being transmitted or received over a network to
which the computer is attached. Distributed under the BSD license, tcpdump is free software.

• WinDump: tcpdump for Windows

WinDump is the Windows version of tcpdump, the command line network analyzer for UNIX.
WinDump is fully compatible with tcpdump and can be used to watch, diagnose and save to disk
network traffic according to various complex rules.

• OmniPeek Network Analyzer

OmniPeek is a commercial Network Protocol Analyzer (Sniffer). OmniPeek gives network engineers
real-time visibility and Expert Analysis into every part of the network from a single interface,
including Ethernet, Gigabit, 10 Gigabit, 802.11a/b/g/n wireless, VoIP, and Video to remote offices.
Using OmniPeek’s intuitive user interface and "top-down" approach to visualizing network
conditions, network engineers—even junior staff—can quickly analyze, drill down and fix
performance bottlenecks across multiple network segments, maximizing uptime and user
satisfaction.

• Windows Network Monitor

Windows Network Monitor is a built-in Network Protocol Analyzer (Sniffer) product for Windows
Server Operating Systems.

• dsniff

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf,
msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail,
files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally
unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active
monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings
in ad-hoc PKI.

• Ettercap

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections,
content filtering on the fly and many other interesting tricks. It supports active and passive dissection
of many protocols (even ciphered ones) and includes many features for network and host analysis.

• ntop

ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix
command does. ntop is based on libpcap and it has been written in a portable way in order to
virtually run on every Unix platform and on Win32 as well. ntop users can use a web browser (e.g.
netscape) to navigate through ntop (that acts as a web server) traffic information and get a dump of
the network status. In the latter case, ntop can be seen as a simple RMON-like agent with an
embedded web interface.

• EtherApe

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip
and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic.
Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It
can filter traffic to be shown, and can read traffic from a file as well as live from the network.

• Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet
will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate
hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins
which allow sniffing other media such as DECT. Kismet identifies networks by passively collecting
packets and detecting standard named networks, detecting (and given time, decloaking) hidden
networks, and inferring the presence of nonbeaconing networks via data traffic.

How to detect Network Protocol Analyzer (Sniffers) in your network


As discussed in the previous lesson, Sniffers are dangerous to network security because they can catch the
network traffic and read unencrypted data from the network, which makes them a favorite weapon of
network intruders. Sniffers do not transmit any information; they collect network data packets
passively. Hence it is difficult to detect Sniffers in a network. The following methods can be used to detect
sniffers.

Detecting Promiscuous Mode


A sniffer can run in one of two modes: Non-promiscuous mode and Promiscuous mode. Sniffers operating
in non-promiscuous mode can collect only the network data that is addressed to or sent from the
computer that is running the sniffer. Promiscuous mode allows a network adapter to collect all the
network traffic data that is passing over the network, regardless of the destination address. Promiscuous
mode enables Sniffers to capture all network traffic. To detect Promiscuous mode in a UNIX type
operating system, use the command "ifconfig -a" (without quotes). Search for the PROMISC flag in the
output.

[root@Fed13 /]# ifconfig -a
eth0      Link encap:Ethernet HWaddr 00:0C:29:10:8A:DC
          inet6 addr: fe80::20c:29ff:fe10:8adc/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b) TX bytes:468 (468.0 b)
          Interrupt:18 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13880 (13.5 KiB) TX bytes:13880 (13.5 KiB)

Another command which can be used to detect promiscuous mode in UNIX type operating systems is
"ip link".

[root@Fed13 ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:10:8a:dc brd ff:ff:ff:ff:ff:ff

To detect promiscuous mode in Windows Operating Systems, the free tool Promqry can be
used. Promqry is available for download from Microsoft web site.
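The PROMISC check above automated for a fleet audit, as an added example that is not part of the original tutorial. It parses the "ifconfig -a" and "ip link" output shown on the page (abridged and embedded below) and also decodes the interface flags word that Linux exposes under /sys/class/net; the function names are illustrative.

```python
import glob
import os
import re

IFF_PROMISC = 0x100  # promiscuous bit in the Linux interface flags word

# Output reproduced from the page (ifconfig abridged to the relevant lines).
PAGE_IFCONFIG = """\
eth0      Link encap:Ethernet HWaddr 00:0C:29:10:8A:DC
          inet6 addr: fe80::20c:29ff:fe10:8adc/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
"""

PAGE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:10:8a:dc brd ff:ff:ff:ff:ff:ff
"""


def promisc_from_ip_link(text):
    """Map interface name -> True if PROMISC appears in its <FLAGS> list."""
    result = {}
    pattern = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<([^>]*)>", re.M)
    for match in pattern.finditer(text):
        result[match.group(1)] = "PROMISC" in match.group(2).split(",")
    return result


def promisc_from_ifconfig(text):
    """Map interface name -> True if PROMISC appears anywhere in its block.
    A block starts at an unindented line and ends at a blank line."""
    result = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        if not line[0].isspace():
            current = line.split()[0].rstrip(":")
            result[current] = False
        if current and re.search(r"\bPROMISC\b", line):
            result[current] = True
    return result


def flags_word_is_promiscuous(hex_flags):
    """Decode a flags value such as '0x1143' read from /sys/class/net/<if>/flags."""
    return bool(int(hex_flags, 16) & IFF_PROMISC)


def live_sysfs_report(root="/sys/class/net"):
    """Read every interface's flags word on the local Linux host (empty elsewhere)."""
    report = {}
    for path in sorted(glob.glob(os.path.join(root, "*", "flags"))):
        with open(path) as handle:
            name = os.path.basename(os.path.dirname(path))
            report[name] = flags_word_is_promiscuous(handle.read())
    return report


if __name__ == "__main__":
    print("page ifconfig:", promisc_from_ifconfig(PAGE_IFCONFIG))
    print("page ip link: ", promisc_from_ip_link(PAGE_IP_LINK))
    print("this host:    ", live_sysfs_report())
```

On current Linux kernels a capture opened through a packet socket does not necessarily raise the PROMISC flag printed by these two commands; "ip -d link" additionally reports a promiscuity counter, and the kernel log records when a device enters promiscuous mode.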

Address Resolution Protocol (ARP) Method


Address Resolution Protocol (ARP) is used to resolve IP addresses to MAC addresses. A computer caches
resolved addresses for future use. Here we send a non-broadcast ARP. A machine in promiscuous mode
will cache your ARP address. Next we send a broadcast ping packet with our IP, but a different MAC
address. Only the machine which has our correct MAC address from the previous sniffed ARP frame will
be able to respond to broadcast ping request.

Latency Method
In the Latency Method, a huge amount of data is sent on the network and the suspect machine is pinged before
and after flooding. If a sniffer is running on the machine, it will be in promiscuous mode and it may need to
parse the data, thus increasing the load on it. Because of the load, it will take extra time to respond to the
ping request. This latency may indicate a sniffer running on the target machine.

Monitoring the Hosts


In a busy network, capturing and analyzing huge network data may cause the CPU work load to increase.
Large disk space is also required to save the captured network data. Increased CPU work load and disk
usage without any reason may indicate a sniffer running in that machine.

Network Access Control

Networks contain many networking devices like hubs, switches, routers, firewalls, wireless access
points, cabling systems, workstations, servers, different software applications etc. Maintaining
security with multiple devices and many different software applications is a serious issue. Every new
device added or software installed may create a security hole. Network Access Control (NAC) can be
defined as a method of enforcing endpoint security (Anti-virus, Anti-virus status, Host Intrusion
Detection System, vulnerability assessment), user security, system authentication and network
security. Two major Network Access Control (NAC) implementations are Network Access Protection
(NAP), which is a Microsoft technology for controlling network access of a computer host, and
Network Admission Control (NAC), which is Cisco’s technology for controlling network admission.

Microsoft’s Network Access Protection (NAP) measures the connecting system’s health, such as anti-virus
protection, anti-virus status, OS patches and updates, and system policies.

Cisco’s Network Admission Control (NAC) is available as an architecture-based framework solution
designed to take advantage of an existing base of both Cisco network technologies and existing
deployments of security and management solutions from other manufacturers. Cisco’s Network
Admission Control (NAC) enforces policies chosen by the network administrators.

DMZ (Demilitarized Zone), DMZ Servers, What is Bastion Host


DMZ is an abbreviation for Demilitarized Zone. DMZ (Demilitarized Zone) refers to a part of the
network that is neither part of the internal network nor directly part of the Internet. Normally, DMZ
(Demilitarized Zone) is the area between your Internet access router and your bastion host (a bastion
host is a computer on a network which is configured to withstand attacks).

DMZ (Demilitarized Zone) is also known as Perimeter Network. DMZ (Demilitarized Zone) adds an
additional layer of security to an organization's internal network, and an external attacker only
has access to network devices and servers in the DMZ (Demilitarized Zone). By creating a DMZ
(Demilitarized Zone), an outside user needs to make at least one hop in the DMZ (Demilitarized Zone)
before he can access sensitive information inside the trusted network.

DMZ (Demilitarized Zone) normally holds Web servers, FTP servers, Name servers (DNS), E-mail
Servers, Honeypots.

How to secure Workstations and Servers

Workstations are normally operated by end users with limited computer knowledge and hence
they require much attention. Workstations communicate with other workstations and servers
using services such as file sharing, network services, and other applications programs.

The following tips are helpful for securing workstations and servers.

• Select an operating system which is more secure and has fewer vulnerabilities. Download and
install hot fixes, Service Packs and updates without delay.

• Install a trusted and good antivirus and update it regularly.

• Install a good anti-spyware and update it regularly.

• Install Host Intrusion Detection System (HIDS) software such as ossec, tripwire or rkhunter.

• Install good firewall and configure it properly for workstations and servers. Close all ports
which are not required.

• Enforce a strong password policy for users, which may protect against brute force and dictionary
attacks.

• Select a web browser which is more stable and secure, because attacks can be launched using
browsers. If possible disable scripts execution.

• Download and install software from trusted sites only. Try to install digitally signed software
and view the digital certificate to check whether the certificate is OK.

• Close all services and protocols and run only the services and protocols which are necessary.
Many services have known vulnerabilities and the attacker may exploit these vulnerabilities to
gain access to your workstation or server.

• Remove all shares that are not necessary.

• Attackers can launch attacks targeted at specific Operating System and services once the
Operating System and server application is identified. Example: By default, many web server
applications show information regarding the web server application name, web server
application version, Operating System and Operating System version in error messages. This may
help an attacker to exploit vulnerabilities of the web server application and Operating System.
Web server application should be configured to hide this information.

• If possible, try to change default administrative account names and passwords for Operating
Systems, Databases and other sensitive applications and services.

• Conduct a penetration test to check your workstations and servers.

• Keep all the sensitive data encrypted.

• Physical security is an important factor and if there is no physical security all the above tips are
of NO use.

Introduction to Wireless Networks


A wireless network requires less cabling than the normal wired network. The wireless network is
made up of transmitters that broadcast the packets using radio frequencies (microwave). The
wireless network contains special transmitters called wireless Access Points. The workstations and
network devices have a special transmitter-receiver, which allows them to receive broadcasts and
transmit requested data back to the cell access point. The cell access point is connected to the
physical network by a cable, which allows it, and other wireless clients, to communicate with systems
on the wired network. The network devices and the Access Point communicate using one of several
communications protocols, including IEEE 802.11. Wireless network technology can connect a
campus, a building, or even a whole city.

The advantages of wireless networks over wired networks are that they are easy to troubleshoot and need less
cabling. The main disadvantage of wireless networks is that they can be extremely insecure if not
configured properly. Other disadvantages are a greater chance of signal interference, blockage, and
interception.

Institute of Electrical and Electronics Engineers (IEEE) 802.11 Wireless Standards

Wireless LANs are specified by the Institute of Electrical and Electronics Engineers (IEEE) 802.11 series
standard. IEEE 802.11 series standard defines technologies and protocols for wireless LANs operating
from 2 Mbps to 248 Mbps.

The Institute of Electrical and Electronics Engineers (IEEE) started development of a standard for
WLANs that operate at a speed of 1 and 2 Mbps in 1990. The Institute of Electrical and Electronics
Engineers (IEEE) 802.11 WLAN standard was approved in 1997. Since the bandwidth of 2 Mbps was
not sufficient for new networks, the IEEE 802.11b amendment was created in 1999. It added 5.5 Mbps
and 11 Mbps rates, with support for wireless devices that are up to 115 meters away, at the 2.4 GHz
frequency.

Institute of Electrical and Electronics Engineers (IEEE) proposed another standard 802.11a which
specifies a maximum speed of 54 Mbps using the 5 GHz spectrum. The IEEE 802.11g standard was
ratified in 2003 and can support devices transmitting at 54 Mbps.

802.11n is another amendment which improves the previous standards by adding multiple-input
multiple-output antennas (MIMO) and other newer features. The IEEE has approved the 802.11n
amendment and it was published in October 2009.

Standard: Description

802.11: The IEEE 802.11 WLAN standard (1997) was originally 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and
infrared standard. 802.11 uses either frequency hopping spread spectrum (FHSS) or direct sequence
spread spectrum (DSSS).

802.11a: The IEEE 802.11a WLAN standard (1999, shipping products in 2001) is an extension to 802.11
which provides up to 54-Mbps in the 5GHz band. 802.11a uses an orthogonal frequency division
multiplexing encoding scheme.

802.11b: The IEEE 802.11b WLAN standard (1999) is an extension to 802.11 that applies to wireless
LANS and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1-Mbps) in the 2.4 GHz band.
802.11b standard allows wireless functionality comparable to Ethernet. 802.11b standard uses DSSS.

802.11g: The IEEE 802.11g WLAN standard (2003) is an amendment to the IEEE 802.11 specification
that extended throughput to up to 54 Mbit/s using the same 2.4 GHz band as 802.11b.

802.11n: The IEEE 802.11n WLAN standard (2009) is based upon previous 802.11 standards by adding
multiple-input multiple-output (MIMO). The additional transmitter and receiver antennas allow for
increased data throughput.

Because of the nature of operation, the original IEEE 802.11 committee identified the possible threats
to wireless networks and the members implemented several wireless security protections in the
original 802.11 standard. These can be divided into three categories: controlling access, Wired
Equivalent Privacy (WEP) encryption, and device authentication.

Wireless Application Protocol (WAP)

Wireless Application Protocol (WAP) is an open international standard designed for use with wireless
devices. WAP was designed to show internet contents on wireless clients, like mobile phones. It is an
application communication protocol, used to access services and information.

Wireless Application Protocol (WAP) has become a standard adopted by many wireless equipment
manufacturers, including Motorola and Nokia. WAP functions are equivalent to TCP/IP functions in the
wired network. The WAP standard is based on other leading internet standards like HTML and XML. It
consists of a WML language specification, a WMLScript specification, and a Wireless Telephony
Application Interface (WTAI) specification.

Wireless Application Protocol (WAP) uses a markup language called Wireless Markup Language (WML) to
display internet content. WML is a tag based language, similar to HTML. WML uses WMLScript to run
simple code on the client. WMLScript is similar to JavaScript, which is used along with HTML to
generate dynamic content at the browser side.

Wired Equivalent Privacy (WEP) and the security weakness of Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP) was introduced as part of the original 802.11 protocol in 1997, to
provide confidentiality comparable to that of a wired network. WEP has many security flaws, one of
which involves its use of Initialization Vectors (IVs). WEP IVs are 24 bits long. For encryption, WEP
can use only a 64-bit or 128-bit number, which is made up of a 24-bit Initialization Vector (IV) and a
40-bit or 104-bit default key. The use of short keys reduces the encryption strength, because short
keys are easy to break. WEP also creates a detectable pattern for attackers. These characteristics
make WEP wireless networks susceptible to intrusion.

Wired Equivalent Privacy (WEP) uses the RC4 encryption algorithm for encryption.

The process is described below.

The plaintext message is run through an integrity check algorithm and the Integrity Check Value (ICV)
is appended to the end of the original plaintext message. A 24-bit initialization vector (IV) is
generated and added to the beginning of the secret key, and the result is input to the RC4 Key
Scheduling Algorithm (KSA) to generate a seed value for the WEP Pseudo-Random Number Generator
(PRNG). The PRNG then generates the encrypting cipher-stream. This cipher-stream is XORed with the
plaintext/ICV message to create the WEP cipher text. Finally, the IV is attached to the cipher text
(in plaintext) and the result is transmitted.

The decryption process is the reverse of the encryption process. First, the Initialization Vector (IV) is
removed from the data packet and merged with the shared password. This value is then used with
KSA, and subsequently used to recreate the key stream. The stream and encrypted data packet are
XORed together, which results in the plaintext output. The Integrity Check Value (ICV) is then
removed from the plaintext and compared against a recalculated Integrity Check Value (ICV) and the
packet is then either accepted or rejected according to the results of calculation.

The weakness of Wired Equivalent Privacy (WEP) comes from the small size of the IV. Within a short
period of time all keys are reused. This weakness is the same for the different encryption levels,
because all of them use the 24-bit IV.
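The encryption and decryption steps described above, and the effect of a repeated IV, as an added example (not code from the original tutorial). It assumes CRC-32 as the integrity check algorithm, which is what WEP uses; the key, IV and messages are constructed, the function names are illustrative, and the key ID byte of a real 802.11 frame is left out.

```python
import math
import struct
import zlib

IV_BITS = 24  # IV length stated in the text


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4: Key Scheduling Algorithm (KSA), then the PRNG that emits the cipher-stream."""
    state = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute the state using the seed
        j = (j + state[i] + seed[i % len(seed)]) & 0xFF
        state[i], state[j] = state[j], state[i]
    i = j = 0
    stream = bytearray()
    for _ in range(length):                   # PRNG: one cipher-stream byte per step
        i = (i + 1) & 0xFF
        j = (j + state[i]) & 0xFF
        state[i], state[j] = state[j], state[i]
        stream.append(state[(state[i] + state[j]) & 0xFF])
    return bytes(stream)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plaintext, appended little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 24 bits (3 bytes)")
    if len(key) not in (5, 13):
        raise ValueError("WEP key must be 40 or 104 bits")
    body = plaintext + icv(plaintext)                 # plaintext/ICV message
    keystream = rc4_keystream(iv + key, len(body))    # IV goes in front of the key
    return iv + xor_bytes(body, keystream)            # IV travels in the clear


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ciphertext = frame[:3], frame[3:]
    if len(ciphertext) < 4:
        raise ValueError("frame too short to hold an ICV")
    body = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    plaintext, received_icv = body[:-4], body[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV mismatch: frame rejected")
    return plaintext


def reused_iv_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two cipher texts sent under one IV: the shared keystream cancels out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor_bytes(frame_a[3:], frame_b[3:])


def iv_collision_probability(frames: int) -> float:
    """Chance that at least two of `frames` randomly chosen IVs are equal."""
    space = 2 ** IV_BITS
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")           # constructed IV, reused on purpose
    first, second = b"GET /payroll.html", b"GET /holiday.html"
    frame_a = wep_encrypt(iv, key, first)
    frame_b = wep_encrypt(iv, key, second)
    print(wep_decrypt(key, frame_a))
    # Same key and same IV give the same keystream, so no key is needed here:
    print(reused_iv_leak(frame_a, frame_b)[:len(first)] == xor_bytes(first, second))
    print(round(iv_collision_probability(5000), 3))
```

With random IVs a repeat becomes more likely than not after roughly 5,000 frames, and the key length does not change that figure because the IV is 24 bits in both the 64-bit and 128-bit modes.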

Wi-Fi Protected Access (WPA)


The Wi-Fi Alliance introduced an interoperable security protocol known as Wi-Fi Protected Access
(WPA), based on draft 3 of the IEEE 802.11i standard, in April 2003. The Wi-Fi Protected Access (WPA)
and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the weaknesses
associated with Wired Equivalent Privacy (WEP). WPA was meant to replace WEP without additional
hardware or replacement hardware.

The original Wi-Fi Protected Access (WPA) was implemented in such a way that it can communicate
with older wireless hardware. The WPA2 implements the full standard and is not compatible with
older hardware.

WPA uses Temporal Key Integrity Protocol (TKIP) based on the RC4 cipher, which dynamically
changes keys. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance as a solution
to replace WEP without requiring the replacement of legacy hardware. WPA also supports Extensible
Authentication Protocol (EAP), Extensible Authentication Protocol Transport Layer Security
(EAP-TLS), Extensible Authentication Protocol-Tunneled Transport Layer Security (EAP-TTLS), and
Protected Extensible Authentication Protocol (PEAP).

Common Wireless Attacks, War Driving, War Chalking, Rogue Access Points, Jamming Attacks (Denial of Service)

Wireless networks face many network attacks. Some wireless network attacks are listed below.

War Driving
War Driving is defined as the act of searching for Wi-Fi wireless networks by a person in a moving
vehicle, using a portable computer or PDA. The term War Driving is derived from the 1980s phone
hacking method known as war dialing. War dialing involves dialing all the phone numbers in a given
sequence to search for modems. War Driving gained popularity in 2001, because at that time
wireless network scanning tools became widely available.

Some people do War Driving as a hobby and map out different wireless networks. But hackers will
look for wireless networks and then break into the networks to steal data or to perform malicious
activities.

The initial war driving tools included simple software coupled with the WNIC (Wide-area Network
Interface Coprocessor). Many organizations are not worried about their wireless networks because
they could spot the war drive attacker inside their parking space and have onsite security pick and
throw them out. But recent wireless technology developments enable a network to extend far
beyond the parking space of an office building. In some cases, a wireless network has the ability to
span several miles. Now an attacker can stay far away from the building and still catch a strong signal
from the network. A good war driving software package is NetStumbler.


War Chalking is a method to display information on wireless networks by using chalk on the
surrounding walls. War drivers search for networks and then mark each network with chalk, giving
information about the network to other war drivers.

Rogue Access Points


A Rogue Access Point is an Access Point that has either been installed on a secure company network
without explicit planning, permission or authorization from network administrator or has been
installed by a hacker to conduct a man-in-the-middle attack. If the hacker is able to find the SSID
(Service Set Identifier) in use by the network and the rogue AP has enough strength, it is easy for
them to perform a man-in-the-middle attack and the wireless users will have no way of knowing that
they are connecting to a Rogue Access Point.

The rogue access points are normally installed by employees who need additional freedom to move
about at work. These types of rogue access points can be very dangerous since most users are not
aware of all the security issues associated with wireless devices.

Jamming Attacks (Denial of Service)

Jamming is a type of Denial of Service (DoS) attack targeted to wireless networks. Jamming happens
when RF frequencies interfere with the operation of the wireless network. Normally jamming is not
malicious and is caused by the presence of other wireless devices that operate in the same frequency
as the wireless network. Hackers can perform Denial of Service (DoS) jamming attacks by analyzing
the spectrum used by wireless networks and then transmitting a powerful signal to interfere with
communication on the discovered frequencies.

E-mail Security, E-mail Threats like Eavesdropping, Spam E-mails, E-mail Viruses and Worms, E-mail Bombs, how to mitigate threats using S/MIME and PGP

Electronic mail (E-mail) is a method of exchanging digital messages across the Internet or
other computer networks. E-mail is the backbone of today's communication and it is a
convenient medium of communication for all segments of users. The first E-mail was sent in
1971 by an engineer, Ray Tomlinson. Before this, email was limited to users within a
single machine. Tomlinson was able to send messages to other machines on the Internet,
using the @ sign to designate the receiving machine. Email messages are normally plain
text messages, with or without attachments. An E-mail consists of two parts, the
message header and the message body. The message header normally contains the
originator's email address, one or more recipient addresses and other control
information.

An E-Mail server is an application that receives incoming e-mail from local users and
remote senders and forwards outgoing e-mail for delivery. Example: MS Exchange
Server, SendMail, QMail etc. All recent E-mail servers work on Simple Mail Transfer
Protocol (SMTP).

E-Mail clients are programs which are used to create, send, receive, and view e-mails.
Example: Mozilla Thunderbird, MS Outlook etc. All recent versions of E-mail clients allow
messages to be formatted in plain text or HTML (Hypertext Markup Language).

E-mails and mail system are also targets of attackers. Some common E-Mail threats are
explained below.

Eavesdropping

Normally all E-mail messages (including userids and passwords) are transmitted between
computer and E-mail servers as plain text. This is not secure and anyone who can
intercept this can read your email and obtain your userids, passwords and sensitive E-
mail content.

Spam E-mails

Spam is flooding the internet with many copies of unsolicited bulk E-mail messages.
Spam E-mails are usually commercial advertisements for replica watches, cheap drugs,
get rich quick schemes and other dubious products. Spam E-mails decrease productivity and
increase the cost of email use. Many legitimate E-mails are also filtered by spam filters.

E-mail Viruses and Worms

Many viruses and worms are spread as attachments to emails. Once your computer is
infected, the viruses and worms may spread to the other computers on your network. This
malware can send your private information to attackers, destroy your precious data or
disrupt productivity.

Your E-mail server should be equipped with strong anti-virus application and spam filters
to stop spam, viruses, and other unwanted content before they reach your
infrastructure and users. Anti-virus application and spam filters should actively protect
you against email bombs and other attacks, and greatly reduce the impact of spam and
viruses.

E-mail Bombs

Email Bombs are a type of Denial of Service (DoS) attack which targets mail servers.
“Email bombs” occur when you receive a large number of E-mail messages in a very
short time, to overflow the mailbox or overload the server. Different types of E-mail
bombs are mass mailing (sending mass emails to the victim's E-mail inbox), link listing
(linking the victim's E-mail address to different E-mail lists, so that the inbox is flooded
with unwanted e-mails) and Zip bombing (a type of attack targeted at the server, where a large
number of compressed files are sent to servers).

How to mitigate E-mail Threats

Your E-mail server should be equipped with a trusted and updated anti-virus application
and spam filters to stop spam, viruses, and other unwanted content before they reach
your infrastructure and users. Anti-virus application and spam filters should actively
protect you against email bombs and other attacks, and greatly reduce the impact of
spam and viruses.

To protect yourself from eavesdropping attacks, encrypt your E-mail messages.
Encryption scrambles the contents of the E-mail message and its attachments, and then
reassembles the contents at the receiving side. Anyone who intercepts the data in between
can catch only the encrypted packets. The most popular encryption methods available for
E-mails are Secure/Multipurpose Internet Mail Extensions (S/MIME) and PGP.

Secure/Multipurpose Internet Mail Extensions (S/MIME): MIME (Multi-Purpose
Internet Mail Extensions) is an extension of Simple Mail Transfer Protocol (SMTP). MIME
provides the ability to transfer different types of data formats like audio, video,
images, compressed files, and applications etc. as attachments. The MIME header is
inserted at the beginning of the E-mail, and the E-mail clients use the MIME information
to determine which program is associated with the attached file. MIME does not provide
any security to the E-mails. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a
protocol that adds digital signatures and encryption to Internet MIME messages. S/MIME
provides authentication, message integrity and non-repudiation of origin (using digital
signatures) and privacy and data security (using encryption) to E-mails. E-mail messages
are encrypted using symmetric encryption, and a public-key algorithm is used for key
exchange and digital signatures. DES, 3DES, or RC2 encryption can be used for encryption.

PGP (Pretty Good Privacy): PGP (Pretty Good Privacy) is another encryption method
for E-mails. PGP uses both symmetric encryption and asymmetric encryption. PGP uses a
symmetric encryption algorithm to encrypt the E-mail message to be sent. After encrypting
the E-mail message, PGP encrypts the symmetric key used to encrypt the E-mail message
with the public key of the intended recipient. The encrypted key and E-mail message are
then sent to the intended recipient. At the receiving side, PGP will first decrypt the
symmetric key with the private key supplied by the recipient and will then use the
decrypted symmetric key to decrypt the E-mail message.

Note: Visit Public Key Infrastructure section to learn more about the terms encryption,
symmetric encryption, asymmetric encryption, public key, private key and other related
terms.

Internet Information Services (IIS) 7 Security

Why Web Server Security is Important

Web Servers usually store content which is available to the public, like product information, pricing,
technical support, contact information etc. The contents of the websites are normally stored as
Hypertext Markup Language (HTML) files, Dynamic Hypertext Markup Language (DHTML) files, Active
Server Pages (ASP) files, Extensible Markup Language (XML) files, Cascading Style Sheets (CSS) files,
JavaScript files, graphics, sounds etc.

Web Servers may also contain other business data that may be confidential. Since Web Servers are
accessible to the public, there is a chance for them to be compromised by malicious users. Small
businesses often have a single physical server that performs many server functions for the organization,
like a Web Server, Database Server, E-mail Server etc. Here compromising a single server can expose the
entire business data of the organization to a malicious user. A dedicated Web server may also pose a
threat to security, since it is publicly available and compromising the mail server may help the malicious
user to compromise other servers also. So securing Web Servers is very important and vital to
secure the IT infrastructure.

How a Web Server Serves Clients

The Web Servers serve the contents to the clients using Hyper Text Transfer Protocol. The process is
explained below.

1. The end user opens the browser in client machine and enters the desired URL (normally a Fully
Qualified Domain Name (FQDN)).

2. The client computer sends the request to the Domain Name Server (DNS server) to resolve the Fully
Qualified Domain Name (FQDN) to an IP address. Domain names are created for humans to remember
the names easily. Computers communicate with each other using IP Addresses. To start communicating
with the Web Server, the Fully Qualified Domain Name (FQDN) of the web server must be resolved to an
IP address.

3. The DNS server checks its own records to find a mapping for the Fully Qualified Domain Name (FQDN)
to an IP address. If it is unable to resolve itself, it will query another DNS server until it finds a record for
the requested Fully Qualified Domain Name (FQDN).

4. The DNS server responds to the original Fully Qualified Domain Name (FQDN) resolution request with
the IP address of the web site.

5. The client checks whether the IP address of the web site is in local network. If it cannot find the web
site in local network, it uses Address Resolution Protocol (ARP) to locate the hardware address of the
router (gateway) that forwards the network traffic to reach the remote network.

6. The client then sends an HTTP GET request to the Web site.

7. After receiving the HTTP request, the web server checks to see if the requesting user has the proper
permissions to access the file. If so, the server sends back the requested document.

Introduction to Internet Information Services (IIS) 7


The advent of the World Wide Web (WWW) in the mid-1990s has completely revolutionized the way the
world communicates. There is a need to secure the Web Servers, the Web communications and
web transactions, Web Browsers and everything which is related to the web. To learn web security in
depth, you should have a thorough knowledge of the TCP/IP protocol suite.

Leading Web Server Software products are Apache Web Server, Internet Information Services (IIS), Zeus
Web Server, AOL Server, Oracle iPlanet Web Server (Formerly Sun Java System Web Server) etc.

Internet Information Services (IIS) is a Microsoft product and it is designed for use with Windows Server
products. Internet Information Services (IIS) was initially available with Windows NT 3.51. Internet
Information Services (IIS) 2.0 was available with Windows NT 4.0. Support for server side scripting
with Active Server Pages (ASP) for dynamic content was included in IIS 3.0.

Internet Information Services (IIS) 7 is a major upgrade of IIS, and it is available with Windows Vista and
Windows 2008 Server. It includes several new functionalities and some of them are listed below.

• The ability to have HttpModules and HttpHandlers participate in all requests to a server. No need to
map requests to the ASP.NET ISAPI in order to write managed modules that participate in requests.

• Integration of the ASP.NET configuration system with IIS. IIS now uses the same web.config
configuration model as ASP.NET, which means you can have both ASP.NET and IIS configuration settings in
the same file together.

• An integrated management tool that manages both IIS and ASP.NET settings together. 

• Better request auditing and error debugging available. 

• Better configuration APIs and command-line tools. 

How to install Internet Information Services (IIS) 7 on Windows 2008 Server

1) To install Internet Information Services (IIS) 7 on Windows 2008 Server, open the Server Manager by
clicking Start > Administrative Tools > Server Manager. Right Click the Roles node and select "Add Roles"
from the context menu.

2) Click "Next" in the Server Roles Wizard to add new Role.

3) Check Web Server (IIS) check box and click "Next".

4) Click Next in the Introduction to Web Server (IIS) screen.

5) Select any additional Role Services you need in the next screen and click "Next" to continue.

6) Confirm the installation in next screen and click "Install" to install Internet Information Services (IIS) 7
Web Server. The wizard will now display the progress of installation.

7) Click close in the "Installation Results" to complete the installation.

Securing Access Control in Internet Information Services (IIS) 7, Anonymous Web Server Access,
IUSER account

Internet Information Services (IIS) 7 uses a named user account to authenticate anonymous web site
visitors. This account is created when you install Internet Information Services (IIS) 7 on a
Windows Operating System. The account which is used to authenticate anonymous web site visitors
to an Internet Information Services (IIS) 7 web site is called IUSER_<computer_name>. This user
account is visible when you open the Local Users and Groups node in Server Manager, as shown below.

When a Web visitor accesses a Web site, Internet Information Services (IIS) 7 will automatically
log that user on using the IUSER_<computer_name> account. Authenticating anonymous web site
visitors using the IUSER_<computer_name> account allows system administrators granular access
control on a Web server, so that all anonymous users have the same level of access. It also allows
users who access the web site through their own user accounts to be given another level of access.

The access permissions of the web user accounts for anonymous logins should be restricted to the
lowest level, so they cannot log on locally to the server nor access any resource outside the root of
the web site.

The IUSER_<computer_name> account ideally should not have permission to write to the server hard
disk or execute programs on the server. If certain users need a higher level of access permission
than the anonymous IUSER_<computer_name> account, the administrator should create user accounts
on the server that are used only to access the web site. Internal user accounts should not
be used to log in to the web server. It is a great threat to security if internal users, who can log on
locally to internal machines, are exposed outside.

Securing Directory and Data Structures in Internet Information Services (IIS) 7

Organizing the file system hierarchy or structure of the root of the web site is important in the
security of a Web server. The root is the top level of the directory structure of the web site. It is an
important security practice to store all the contents (HTML files, DHTML files, CSS files, JavaScript
files, image files, sound files etc.) of the web site within the root.

Another important feature available with latest Web Servers including Internet Information Services
(IIS) 7 is Virtual Directories. Virtual directories are folders that are not contained within the Web server
file system hierarchy (they can even be on a file system on a different computer), but appear to the
user to be part of file system hierarchy of the web site. This is a great feature which helps to conceal
the real file system structure of the web site. It is always ideal to configure the Virtual Directories
within DMZ itself and not to configure Virtual Directories in an internal computer. If the Web Server
is compromised by an intruder, he may then gain access to internal computer.

If the web users need access to data within a database, it is ideal to configure a database for the web
server which is read-only to the web user or web server process. Any write to the database for
the web server should be only from the protected internal database server. If user input from the
web pages needs to be stored inside the database server, all the server-side scripts and the SQL
queries should be tested and verified thoroughly for any vulnerability, and all the inputs should be
validated at client-side and also at server-side to prevent attacks like SQL Injection.

How to configure Virtual Directory on Internet Information Services (IIS) 7

Virtual Directory is another important feature available with latest Web Servers including Internet
Information Services (IIS). A virtual directory is a directory name (alias) that you specify in Internet
Information Services (IIS) and map to a physical directory on a local or remote server. If you specify a
different name for the virtual directory than the physical directory, it is more difficult for users to
discover the Web server file system hierarchy because the URL does not map directly to the root of the
site. This is a great feature which helps to conceal the real file system structure of the web site.

1) To create a Virtual Directory, open the Internet Information Services (IIS) Manager by clicking Start >
Administrative Tools > Internet Information Services (IIS) Manager.

2) Right click the site you want to create the Virtual Directory and select "Add Virtual Directory" from
the context menu.

3) Enter the alias and the real Physical Path to the directory in "Add Virtual Directory" dialog box. Click
"OK" to create new Virtual Directory.

 
4) New Virtual directory is created and is listed as shown below. Now the new Virtual Directory is
accessible using the URL http://www.omnisecu.com/engineering and the real Physical Path is
concealed.

Configuring IP address and Domain Name Restrictions in Internet Information Services (IIS) 7

Configuring IP address and domain name restrictions in Internet Information Services (IIS)
allows you to permit or deny access to the web server, web sites, folders, or files. Rules can be
configured for remote IP addresses or based on the Domain name.

When a remote client that is not permitted access requests a resource, a 403.6 (“Forbidden: IP
address of the client has been rejected”) or 403.8 (“DNS name of the client is rejected”) HTTP
status will be logged by Internet Information Services (IIS).

IP and Domain Restrictions option is not enabled by default when you install Internet
Information Services (IIS). You can enable IP and Domain Restrictions option by adding the
above Role Service as shown below.

1) Open the Server Manager by selecting the path Start > Administrative Tools > Server
Manager.

2) Click "Add Role Services" link to add the required Role. Check the "IP and Domain
Restrictions" check box in "Select Role Services" screen and click "Next" to continue.

3) Click "Install" in the "Confirm Installation Selections" screen, to add the "IP and Domain
Restrictions" Role Service.

4) Click Close in the installation results to close the "Add Role Services" wizard.

5) After adding the "IP and Domain Restrictions" Role Service, you can configure IP and
Domain Restrictions by opening the Internet Information Services (IIS) Manager and selecting
IPv4 Address and Domain Restrictions, as shown below.

6) Inside IPv4 Addresses and Domain Restrictions, select "Add Allow Entry" or "Add Deny
Entry" to add Allow or Deny entries.

7) The "Add Allow Entry" and "Add Deny Entry" dialog box is shown below.

You can specify an IP address, an IP address range or a Domain Name in the above dialog boxes.
Please note that configuring Allow or Deny restrictions using a Domain name requires a reverse
DNS lookup every time a request arrives at the server. Performing reverse DNS lookups is a
potentially expensive operation that can severely degrade the performance of your IIS server.

Configuring MIME (Multipurpose Internet Mail Extensions) Types in Internet Information Services (IIS) 7

MIME (Multipurpose Internet Mail Extensions) restrictions prevent undefined file types from being served
by Internet Information Services (IIS). MIME (Multipurpose Internet Mail Extensions) Types help protect
the Internet Information Services (IIS) server by preventing malicious attackers from downloading
sensitive files. When a client attempts to download a file that does not have MIME type defined on the
server, a 404.3 HTTP status is logged in the IIS log files.
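The 403.6, 403.8 and 404.3 entries described in this section and in the IP and Domain Restrictions section can be pulled out of an IIS log to see which clients keep hitting the restrictions. The following is an added example, not part of the original tutorial: it assumes the site logs in W3C extended format with the sc-status, sc-substatus, c-ip and cs-uri-stem fields enabled, and the log lines and function names are constructed for illustration.

```python
import posixpath
from collections import Counter, defaultdict

# Status.sub-status pairs named in the text and what each one tells the defender.
WATCHED = {
    "403.6": "client IP address rejected by an IP restriction rule",
    "403.8": "client DNS name rejected by a domain restriction rule",
    "404.3": "requested file type has no MIME type defined",
}

# Constructed sample log (documentation-range addresses). It contains a
# truncated line and a second #Fields header, as written after a restart.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2009-10-12 08:00:01 GET /default.htm 198.51.100.7 200 0
2009-10-12 08:00:05 GET /admin/ 203.0.113.45 403 6
2009-10-12 08:00:06 GET /admin/ 203.0.113.45 403 6
2009-10-12 08:00:09 GET /backup/site.bak 203.0.113.45 404 3
2009-10-12 08:00:12 GET /data/export.DAT 203.0.113.45 404 3
2009-10-12 08:01:30 GET /partners/ 198.51.100.99 403 8
2009-10-12 08:01:31 GET /cut-off-li
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus time-taken
2009-10-12 09:00:00 GET /reports/q3.xyz 198.51.100.7 404 3 15
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields header."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # no header seen yet, or a truncated/corrupt line
        yield dict(zip(fields, values))


def watched_code(record):
    """Return '403.6', '403.8' or '404.3' for a record of interest, else None."""
    code = "{}.{}".format(record.get("sc-status"), record.get("sc-substatus"))
    return code if code in WATCHED else None


def rejections_by_client(lines):
    """Count watched rejections per client address."""
    per_client = defaultdict(Counter)
    for record in parse_w3c(lines):
        code = watched_code(record)
        if code:
            per_client[record.get("c-ip", "-")][code] += 1
    return {ip: dict(counts) for ip, counts in per_client.items()}


def unmapped_extensions(lines):
    """File extensions that produced 404.3, i.e. were refused for lack of a MIME type."""
    seen = Counter()
    for record in parse_w3c(lines):
        if watched_code(record) == "404.3":
            ext = posixpath.splitext(record.get("cs-uri-stem", ""))[1].lower()
            seen[ext or "(none)"] += 1
    return dict(seen)


if __name__ == "__main__":
    for ip, counts in sorted(rejections_by_client(SAMPLE_LOG).items()):
        for code, n in sorted(counts.items()):
            print(f"{ip} {code} x{n}: {WATCHED[code]}")
    print(unmapped_extensions(SAMPLE_LOG))
```

A client with repeated 403.6 entries followed by 404.3 requests for backup or data files is worth a closer look; a 404.3 from a regular client usually means a legitimate file type still needs a MIME mapping.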

How to add or remove a MIME (Multipurpose Internet Mail Extensions) Type

1) Open the IIS Manager by clicking Start > Administrative Tools > Internet Information Services (IIS)
Manager. Select MIME Types on the site you want to configure as shown below.

2) Inside MIME Types, click "Add" in Actions Pane.

 
 

3) Enter the file extension and an appropriate MIME type in the "Add MIME Type" dialog box shown
below.

If you want to remove any existing MIME Type you no longer wish to serve, select the MIME type and
then click the Remove link in the Actions pane.

Introduction to Authentication and Authorization in Internet Information Services (IIS) 7

Authentication is the process of determining whether an entity (normally a remote user or computer)
is in fact what it claims to be.

Normally authentication requires an entity (a user in this case) to provide an identifier (username)
and then prove the identity by providing something you know (a password), something you have
(security token), or something you are (biometric identification).

Multifactor authentication combines multiple factors of authentication information to improve
security. Multifactor authentication normally combines something you know (a password) with
something you are (biometric identification).

The process of Authorization occurs once the user is authenticated. Authorization is the process
which the system uses to determine what a user is allowed to do once he/she is authenticated.
Whenever the authenticated user needs to access some file or resource, the system verifies that
operation against an Access Control List (ACL) maintained for the file or resource. The ACL consists of
a set of Access Control Entries (ACEs) that define which users can or cannot perform certain
operations. These operations include reading a file, modifying a file’s contents, updating a file’s
properties, performing a backup, shutting down a system etc.

Authentication Options in Internet Information Services (IIS) 7


Anonymous Authentication: In Anonymous Authentication the end user does not supply credentials
and the user can use the service anonymously. IIS 7.0 uses a fixed user account
(IUSER_<computer_name>) to process the request.

Basic Authentication: In Basic Authentication the end-user is prompted to supply credentials, which
are then transmitted unencrypted across the network.

Digest Authentication: In Digest Authentication the user’s password is not passed in clear text across
the network. Digest authentication hashes the user’s password using MD5 and sends the hash across
the network. Windows is unable to store MD5 hashes of passwords for local accounts, thus Digest
authentication is only available for Active Directory accounts.

Integrated Windows Authentication: Integrated Windows Authentication uses two separate
authentication mechanisms, NTLM v2 and Kerberos. The password is never sent as clear text across
the network. NTLM authentication uses a hashed version of the user’s password and Kerberos uses
shared secrets between the client, Active Directory domain controller, and the IIS server to
authenticate the user. Kerberos authentication is only available for Active Directory accounts,
whereas NTLM can also be used for local accounts.

Client Certificate Authentication: In Client Certificate Authentication the client presents a certificate
to the server. The server is configured to map certificates to one or more Windows user accounts.
SSL/TLS must be enabled for this authentication.

Forms-Based Authentication: Forms-based authentication (FBA) authenticates a user using an HTML
form. After authenticating via the HTML form, an authentication cookie is set by the server. The client
must return this cookie with each subsequent request in order for the request to be authenticated.
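What Basic and Digest Authentication actually put on the wire, as an added example (not code from the original tutorial). It follows the HTTP Digest scheme of RFC 2617 with qop=auth and uses the sample credentials published in RFC 2617 and RFC 7617; the function names are illustrative, and nonce freshness and replay checks that a real server needs are left out.

```python
import base64
import hashlib
import hmac
import re

# Sample headers from the RFCs, not from any real system.
BASIC_HEADER = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
DIGEST_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_basic(header_value: str):
    """Basic credentials are only Base64-encoded: anyone on the path can do this."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def parse_digest(header_value: str) -> dict:
    """Split a Digest header into its name=value parameters."""
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
    return {name: quoted or bare for name, quoted, bare in pairs}


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """The value the client sends instead of the password (qop=auth)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # secret side
    ha2 = md5_hex(f"{method}:{uri}")                  # request side
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(header_value: str, method: str, lookup_password) -> bool:
    """Server side: recompute the response from the stored secret and compare."""
    p = parse_digest(header_value)
    needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "qop", "response")
    if any(name not in p for name in needed) or p["qop"] != "auth":
        return False
    password = lookup_password(p["username"])
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    # Constant-time comparison so timing does not reveal how many digits matched.
    return hmac.compare_digest(expected, p["response"].lower())


if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))
    accounts = {"Mufasa": "Circle Of Life"}
    print(verify_digest(DIGEST_HEADER, "GET", accounts.get))
```

The Basic header gives up the user name and password to any observer, which is why it should only be enabled over SSL/TLS, while the Digest response is bound to the server's nonce, the method and the URI.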

How to Configure Basic Authentication in Internet Information Services (IIS) 7

1) To configure Basic Authentication in Internet Information Services (IIS) 7, open Internet
Information Services (IIS) Manager and select the site you want to manage.  In Features View,
double-click Authentication.

2) On the Authentication page, select Basic Authentication. In the Actions pane, click Enable to use
Basic authentication with the default settings. Click Edit to type the default domain and realm.

3) In the Edit Basic Authentication Settings dialog box, in the Default domain text box, type a default
domain or leave it blank. Users who do not provide a domain when they log on to your site are
authenticated against this domain.

In the Realm text box, type a realm or leave it blank. In general, you can use the same value for the
realm name as you used for the default domain. If you enter the default domain name in the Realm
text box, your internal Microsoft Windows domain name may be exposed to external users during
the user name and password challenge.
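
A check for the two risks noted above (Basic credentials crossing the network unencrypted, and a realm that exposes the internal domain name), as an added example that is not part of the original tutorial. It audits a constructed IIS 7 configuration fragment; the function name, the site names and the CORP domain are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like IIS 7 <location> sections. The site names
# and the CORP domain are made up for this example.
SAMPLE_CONFIG = """\
<configuration>
  <location path="Intranet Site">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true" realm="CORP" defaultLogonDomain="CORP" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Partner Site">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <basicAuthentication enabled="true" realm="Partner Portal" defaultLogonDomain="CORP" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="Public Site">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <basicAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def audit_basic_auth(config_xml):
    """Return (site, finding) pairs for every site that enables Basic authentication."""
    findings = []
    root = ET.fromstring(config_xml)
    for location in root.iter("location"):
        site = location.get("path", "")
        basic = location.find(".//basicAuthentication")
        if basic is None or basic.get("enabled", "false").lower() != "true":
            continue  # Basic authentication is off for this site

        # Basic sends the user name and password unencrypted, so the site
        # should require SSL/TLS (sslFlags contains "Ssl").
        access = location.find(".//access")
        flags = access.get("sslFlags", "None") if access is not None else "None"
        if "ssl" not in {flag.strip().lower() for flag in flags.split(",")}:
            findings.append((site, "basic-without-ssl"))

        # A realm equal to the default domain is shown to every client in the
        # credentials challenge, exposing the internal domain name.
        realm = basic.get("realm", "").strip()
        domain = basic.get("defaultLogonDomain", "").strip()
        if realm and domain and realm.lower() == domain.lower():
            findings.append((site, "realm-exposes-domain"))
    return findings


if __name__ == "__main__":
    for site, finding in audit_basic_auth(SAMPLE_CONFIG):
        print(f"{site}: {finding}")
```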

How to Configure Windows Authentication in Internet Information Services (IIS) 7

Windows Authentication in IIS 7.0 supports two protocols: NTLM (NT LAN Manager) and
Kerberos. NTLM (NT LAN Manager) is a Microsoft protocol suite that can be used both for
HTTP-based authentication and non-HTTP-based authentication.

Kerberos v5 authentication is an open, industry-standard, ticket-based authentication method.
Kerberos v5 was developed at MIT and it supports mutual authentication of the client and server to
each other. Kerberos authentication relies on a trusted third party. In Microsoft's implementation of
Kerberos, the trusted third party is a domain controller (DC). Therefore, Kerberos authentication can
only be used for Active Directory domain accounts.

Windows authentication is best suited for an intranet environment for the following reasons:

• Client computers and Web servers are in the same domain.

• HTTP proxy connections are not required (NTLM doesn’t support HTTP Proxy).

• Kerberos v5 requires a connection to Active Directory.

1) To configure Windows Authentication, open the Internet Information Services (IIS) 7 Manager and
select the site for which you want to configure Windows authentication. In Features View, double-click
Authentication.

2) On the Authentication page, select Windows Authentication. In the Actions pane, click Enable to
enable Windows authentication.

Internet Protocol Security IPSec Tutorial

Introduction to Internet Protocol Security IPSec - What is IPSec?


This lesson explains what Internet Protocol Security (IPSec) is, the goals of Internet Protocol Security
(IPSec) and the different ways of implementing Internet Protocol Security (IPSec).

Internet Protocol has many weaknesses. The following points describe some of the weaknesses of
Internet Protocol.

• IP data packet (Internet Protocol Datagram) contains the logical addressing information (IP
addresses). It is easy to forge the logical addresses of IP datagram.

• It is possible to view the contents of an IP datagram, since there is no inbuilt encryption for IP
datagram.

• It is possible to modify the contents of IP datagram.

• Replay attack is a type of network attack in which attackers capture packets whenever packets pass
between two hosts on a network. The packets are then analyzed and passwords, encryption keys, or
digital signatures are extracted from the captured packets. Later the attacker can send the captured
password to the host and gain authentication.

Hence we cannot be sure that the IP datagrams received by a computer are from the claimed
sender, that the data received has not been tampered with by an attacker, or that the datagram was
not inspected by an attacker while the packet was travelling across the network.

The purpose of Internet Protocol Security or IPsec is to protect communications over Internet
Protocol (IP) using cryptographic security services. IPsec is a security tunneling
protocol, defining a mechanism that allows a device to encrypt and/or authenticate data packets and
encapsulate the data packets. Internet Protocol Security (IPsec) enhances your network security to a
very high level.

Goals of Internet Protocol Security (IPSec)


1) Authentication – Prove we are who we say we are.

2) Integrity – The data has not been tampered with.

3) Confidentiality – The confidential data cannot be inspected by others. The term confidentiality
means the data expected to remain private should be seen only by those who should see it.

Different ways of implementing Internet Protocol Security (IPsec)


• IPsec can be integrated into the TCP/IP protocol suite.

• IPsec can be added below the TCP/IP protocol suite.

• IPsec can be implemented as a stand-alone device, and can be implemented as a part of the router
or firewall.

Key protocols associated with IPSec


Internet Protocol Security (IPsec) consists of three key protocols.

Authentication Header (AH): AH is a protocol that provides data origin authentication, data integrity,
and anti-replay protection.

Encapsulating Security Payload (ESP): ESP is a protocol that provides data origin authentication, data
integrity, and anti-replay protection, and it provides confidentiality by encrypting the traffic.

Internet Key Exchange (IKE): IKE is a protocol that provides the key-management function. IKE helps
in setting up Security Associations.

In this lesson you have learned what Internet Protocol Security (IPsec) is, why we need Internet
Protocol Security (IPsec), the goals of Internet Protocol Security (IPsec) and the ways Internet
Protocol Security (IPsec) can be implemented. Authentication Header (AH), Encapsulating Security
Payload (ESP) and Internet Key Exchange (IKE) are the key protocols associated with Internet Protocol
Security (IPSec).

IPSec Security Association, Internet Key Exchange, IKE, Main Mode, Quick Mode

Security Associations (SAs) form the basis of Internet Protocol Security (IPSec).

A Security Association (SA) is a simplex (one-way channel) and logical connection that provides a
relationship between two or more systems to build a unique secure connection. A Security
Association (SA) can be viewed as an agreement between two devices about how to protect
information during transit.

Security Associations (SAs) are one way (simplex). If two devices, Dev-A and Dev-B, are
communicating using IPSec, then Dev-A will have two Security Associations. One Security
Association is used for processing outbound packets and the other Security Association is used for
processing inbound packets.

A Security Association (SA) consists of three things.

1) A Security Parameter Index (SPI)

2) An IP destination address

3) An IPSec Protocol Identifier. IPSec protocols are Authentication Header (AH) and Encapsulating
Security Payload (ESP).

The protocol Internet Key Exchange (IKE or IKEv2) is used to set up Security Associations (SAs)
between two devices. IKE uses a Diffie-Hellman key exchange to set up a shared secret key, from
which cryptographic keys are derived. Diffie-Hellman (developed by Whitfield Diffie and Martin
Hellman) algorithm is a method for securely exchanging a shared secret (key) between two devices
over an untrusted network. The secret key is generated at two devices and it is never transmitted
over the network.

Internet Key Exchange (IKE) protocol used for generating Security Association is a two-phase process.

The first phase (also known as Main Mode negotiation) is a policy negotiation phase in which four
parameters are negotiated.

• The encryption algorithm (DES or 3DES).

• The hash algorithm (MD5 (Message Digest 5) or SHA (Secure Hash Algorithm)).

• The authentication method (Certificate, Pre-shared key, or Kerberos).

• The exchange of DH material for key generation.

In the second phase (also known as Quick Mode negotiation), the following parameters are
negotiated.

• The IPSec protocol (AH or ESP).

• The hash algorithm (MD5 or SHA).

• The algorithm for encryption, if requested (DES or 3DES).

After Main Mode and Quick Mode negotiations, common agreement is reached, and two Security
Associations (SAs) are established. One Security Association (SA) is for inbound communication and
the other Security Association (SA) is for outbound communication. As part of the second phase
(Quick Mode), session key material is refreshed, and a new pair of keys is generated. This can prevent
the cracking of session key by an attacker.

Security Parameter Index SPI, Security Policy Database SPD, Security Association Database SAD

The Security Parameter Index (SPI) is a very important element in the SA. An SPI is a 32-bit number
that is used to uniquely identify a particular SA for any connected device.

A Security Association (SA) is an agreement between two devices about how to protect information
during communication. It also indicates the parameters, such as keys and algorithms. The SPI provides a
mechanism for the destination to identify which SA to use to check the security of the received
packet. The SPI is provided to map the incoming packet to an SA at the destination.

The SPI is a 32-bit random number generated by the sender to identify the SA to the recipient.

It is worth knowing two other terms related to IPSec.

Security Policy Database (SPD)


IPSec Policies are maintained in the Security Policy Database (SPD). IPSec Policies define which traffic
is to be protected, how it is to be protected, and with whom to protect it. The sending host determines
what policy is appropriate for the packet, depending on various "Selectors", by checking in the
Security Policy Database (SPD). "Selectors" can include Source and Destination IP Addresses, Name
(User ID or a System Name), Transport Layer Protocols (TCP or UDP) or Source and Destination Ports.
The Security Policy Database (SPD) indicates what the policy is for a particular packet. If the packet
requires IPsec processing, it is passed to the IPsec module for the required processing.

Security Association Database (SAD)


IPSec Security Associations are stored in the Security Association Database (SAD). Each Security
Association has an entry in the Security Association Database (SAD). The Security Association entries
in the Security Association Database (SAD) are indexed by the three Security Association properties.

1) Destination IP address 2) IPSec protocol 3) Security Parameter Index (SPI).
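
An inbound lookup against a Security Association Database keyed by those three properties, as an added example that is not part of the original tutorial. It also applies the sequence-number replay check that AH and ESP carry; the 64-packet sliding window, the class and function names, and the sample addresses and SPI are assumptions made for the example.

```python
from dataclasses import dataclass

AH, ESP = 51, 50          # IP protocol numbers for the two IPSec protocols
WINDOW = 64               # replay window size (assumption for this example)


@dataclass
class SecurityAssociation:
    dst: str              # destination IP address
    protocol: int         # AH or ESP
    spi: int              # 32-bit Security Parameter Index
    highest_seq: int = 0  # highest sequence number accepted so far
    bitmap: int = 0       # bit i set => (highest_seq - i) was already seen

    def check_and_update(self, seq):
        """Return True for a fresh sequence number, False for a replay.

        A real implementation updates the window only after the packet's
        integrity check value has been verified.
        """
        if seq == 0:
            return False                      # the counter starts at 1
        if seq > self.highest_seq:            # window slides forward
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:                  # too old to be tracked
            return False
        if self.bitmap & (1 << offset):       # already received
            return False
        self.bitmap |= 1 << offset
        return True


class SecurityAssociationDatabase:
    def __init__(self):
        self.entries = {}

    def add(self, sa):
        key = (sa.dst, sa.protocol, sa.spi)
        if key in self.entries:
            raise ValueError(f"duplicate SA {key}")
        self.entries[key] = sa

    def lookup(self, dst, protocol, spi):
        return self.entries.get((dst, protocol, spi))


def process_inbound(sad, dst, protocol, spi, seq):
    sa = sad.lookup(dst, protocol, spi)
    if sa is None:
        return "drop: no SA"
    if not sa.check_and_update(seq):
        return "drop: replayed or too old"
    return "accept"


def run_sample():
    """Replay a constructed packet sequence against a one-entry SAD."""
    sad = SecurityAssociationDatabase()
    sad.add(SecurityAssociation("192.0.2.10", ESP, 0x1001))
    packets = [                                  # constructed sample traffic
        ("192.0.2.10", ESP, 0x1001, 1),
        ("192.0.2.10", ESP, 0x1001, 2),
        ("192.0.2.10", ESP, 0x1001, 1),          # captured and re-sent
        ("192.0.2.10", AH, 0x1001, 1),           # same SPI, other protocol
        ("192.0.2.10", ESP, 0x1001, 70),
        ("192.0.2.10", ESP, 0x1001, 3),          # fell out of the window
        ("192.0.2.10", ESP, 0x1001, 10),         # late but still in window
        ("192.0.2.10", ESP, 0x1001, 10),
    ]
    return [process_inbound(sad, *packet) for packet in packets]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```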

Transport Mode - Internet Protocol Security - IPSec


In this lesson, you will learn what Transport Mode is and what type of data can be protected using
Transport Mode.

IPsec Transport mode protects upper-layer protocols (Ex: TCP or UDP) and Transport mode is used to
secure end-to-end (device to device) communications.

Figure 1: End-to-end data transmission security using Transport Mode

When IPSec is enabled, the transport layer packets (TCP Segments and UDP Datagrams) reach the IPSec
module. When IPSec is implemented as a part of the TCP/IP protocol suite, the IPSec module is a part of the
network layer (OSI Layer 3). IPSec then adds the Authentication Header (AH), Encapsulating Security
Payload (ESP), or both headers, and then the IP header is added.

IPSec Transport Mode

When IPSec is operating in Transport mode, the IPSec header is inserted between the IP header and the
Transport Layer protocol header (TCP or UDP).

Figure 2: In Transport mode, IPSec Header is inserted between IP header and TCP Header

In Transport Mode, if the packet needs to be secured using both Authentication Header (AH) and
Encapsulating Security Payload (ESP), the packet is first protected using Encapsulating Security Payload
(ESP) and then it is secured using Authentication Header. This helps to bring the data integrity to the
Encapsulating Security Payload (ESP) payload also.

Figure 3: Transport mode - AH and ESP together

You have learned what IPSec Transport mode is and that IPSec Transport mode can protect end-to-end data
transmission.

Tunnel Mode - Internet Protocol Security - IPSec


IPSec Tunnel mode is used to secure gateway-to-gateway traffic. IPSec Tunnel mode is used when
the final destination of the data packet is different from the security termination point. IPsec Tunnel
mode protects the entire contents of the tunneled packets.

As we learned in the previous lesson, Transport mode is a good option for securing host-to-host
communication, and Tunnel mode is the option for a Virtual Private Network (VPN).

The IPSec Tunnel mode data packets sent from the source device are accepted by the security
gateway (a router or a server) and forwarded to the other end of the tunnel, where the original
packets are extracted and then forwarded to their final destination device.

Figure 4: Gateway-to-gateway security using IPSec Tunnel mode

When we use IPSec Tunnel mode, the IP datagram is encapsulated in another IP datagram and an
IPSec header is inserted between two IP headers.

Figure 5: IP Datagram secured using IPSec Tunnel mode.

An IPSec Tunnel mode packet has an outer IP header and an inner IP header. The inner header is the host
IP header itself and the outer header is added by the security gateway.

Authentication Header, AH, Internet Protocol Security IPSec


The Authentication Header (AH) is an IPSec protocol that provides data integrity, data origin
authentication, and optional anti-replay services to IP. Authentication Header (AH) does not provide any
data confidentiality (Data encryption). Since Authentication Header (AH) does not provide confidentiality,
there is no need for an encryption algorithm. AH protocol is specified in RFC 2402.

Authentication Header (AH) is an IP protocol and has been assigned the protocol number 51 by IANA. In
the IP header of Authentication Header (AH) protected datagram, the 8-bit protocol field will be 51,
indicating that following the IP header is an Authentication Header (AH) header.

Figure 6: Authentication Header (AH) - Header

Next Header: The Next Header field points to the next protocol header that follows the AH header. It can be an
Encapsulating Security Payload (ESP) header, a TCP header or a UDP header (depending on the network
application).

Payload Length: specifies the length of AH in 32-bit words (4-byte units), minus 2.

RESERVED: This field is currently set to 0, reserved for future use.

Security Parameter Index (SPI): The Security Parameter Index (SPI) field contains the Security Parameter
Index, which is used to identify the security association used to authenticate this packet.

Sequence Number: Sequence Number field is the number of messages sent from the sender to the
receiver using the current SA. The initial value of the counter is 1. The function of this field is to enable
replay protection, if required.

Authentication Data: The Authentication Data field contains the result of the Integrity Check Value
calculation, which the receiver can use to check the authentication and integrity of the packet. This
field is padded so that the total length of the AH is an exact number of 32-bit words. RFC 2402 requires that
all AH implementations support at least HMAC-MD5-96 and HMAC-SHA1-96.
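
A parser for the AH fields described above, as an added example that is not part of the original tutorial. It checks the Payload Length arithmetic, the RESERVED field and the 96-bit (12-byte) Authentication Data produced by HMAC-MD5-96 and HMAC-SHA1-96; the names and the sample bytes are assumptions made for the example.

```python
import struct
from typing import NamedTuple

AH_PROTOCOL = 51                                   # value of the IP protocol field
NEXT_HEADER_NAMES = {6: "TCP", 17: "UDP", 50: "ESP"}
FIXED_LEN = 12                                     # bytes before Authentication Data


class AHParseError(ValueError):
    pass


class AuthHeader(NamedTuple):
    next_header: str
    header_length: int      # total AH length in bytes
    spi: int
    sequence: int
    icv: bytes              # Authentication Data (Integrity Check Value)
    payload: bytes          # whatever follows the AH


def parse_ah(ip_protocol, data, expected_icv_len=12):
    """Parse the bytes that follow an IP header whose protocol field is 51."""
    if ip_protocol != AH_PROTOCOL:
        raise AHParseError("IP protocol field is not 51, no AH present")
    if len(data) < FIXED_LEN:
        raise AHParseError("truncated AH")
    next_header, payload_len, reserved, spi, sequence = struct.unpack(
        "!BBHII", data[:FIXED_LEN])

    # Payload Length counts 32-bit words, minus 2.
    header_length = (payload_len + 2) * 4
    if header_length < FIXED_LEN or header_length > len(data):
        raise AHParseError("Payload Length does not fit the packet")
    if reserved != 0:
        raise AHParseError("RESERVED field must be 0")
    if spi == 0:
        raise AHParseError("SPI 0 must not appear on the wire")

    icv = data[FIXED_LEN:header_length]
    if len(icv) != expected_icv_len:
        raise AHParseError(
            f"Authentication Data is {len(icv)} bytes, SA expects {expected_icv_len}")

    return AuthHeader(
        next_header=NEXT_HEADER_NAMES.get(next_header, str(next_header)),
        header_length=header_length,
        spi=spi,
        sequence=sequence,
        icv=icv,
        payload=data[header_length:],
    )


# Constructed sample: AH with a 12-byte ICV in front of a stand-in TCP segment.
# 12 fixed bytes + 12 ICV bytes = 24 bytes = 6 words, so Payload Length is 4.
SAMPLE_AH = (struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)
             + bytes(range(12))
             + b"TCP-SEGMENT")

if __name__ == "__main__":
    print(parse_ah(AH_PROTOCOL, SAMPLE_AH))
```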

Encapsulating Security Payload, ESP Header


This lesson explains Encapsulating Security Payload (ESP), the Encapsulating Security Payload (ESP) header
and trailer, and the Encapsulating Security Payload (ESP) header and trailer fields.

The Encapsulating Security Payload (ESP) protocol provides all the functions of Authentication
Header (authentication, data integrity, and anti-replay protection). The difference here is that
Encapsulating Security Payload (ESP) also provides the most critical security function, data confidentiality. The
benefits of using Encapsulating Security Payload (ESP) are listed below.

1) Confidentiality of Datagrams through encryption.

2) Traffic flow confidentiality using security gateways.


3) Authentication of data origin using digital certificates.

4) Anti-replay services using sequence number mechanism.

Encapsulating Security Payload (ESP) Header

Figure 7: Encapsulating Security Payload (ESP) Header

Security Parameter Index (SPI): The Security Parameter Index (SPI) field in the Encapsulating Security Payload
(ESP) header, along with the destination address and the IPsec protocol, is used to uniquely identify the
SA that applies to this packet.

Sequence Number: The sequence number in the Encapsulating Security Payload (ESP) header provides
anti-replay services to Encapsulating Security Payload (ESP).

Protected Data: The Protected Data field in the Encapsulating Security Payload (ESP) header is the actual data
being protected by Encapsulating Security Payload (ESP). The length of this field is variable and depends
on the size of the data. The Protected Data field also contains any initialization vector for the encryption
algorithm.

Padding: Block ciphers require that plaintext be padded to a multiple of the block size. If any padding is
needed, it follows immediately after the payload data in the padding field.

Pad Length: Pad Length specifies the length of the padding.

Next Header: The next header field indicates what type of data is in the payload data field.

Authentication Data: The authentication data field contains an integrity check value for the Encapsulating
Security Payload (ESP) packet.

Windows 2003 IPSec Features


Following are some of the features of the Windows 2003 IPSec implementation.

The Windows 2003 IPSec implementation is policy based. Administrators need to work in Group Policy to
configure IPSec in Windows 2003.

The Windows 2003 IPSec implementation can use Kerberos v5, a digital certificate, or a shared secret
(string) for user authentication.

IPSec mutually authenticates computers prior to any data being exchanged.

The Windows 2003 IPSec implementation uses Data Encryption Standard (DES) or Triple DES (3DES) for
encryption.

The Windows 2003 IPSec implementation uses the MD5 (Message Digest) or SHA1 (Secure Hash Algorithm)
algorithm for data hashing.

IPSec is transparent to users. IPSec operates at OSI Layer 3 and there is no need for users and
applications to directly interact with IPSec.

The IPSec Monitor tool is available as an MMC snap-in.

The Windows 2003 IPSec implementation supports 2048 bit Diffie-Hellman key exchange, generating more
secure keys.

What are IPSec Policies? Default Windows 2003 IPSec policies


IPSec policies determine which IP traffic should be secured, which IP packets should not be
secured, and what type of security should be applied to the IP packets. IPSec policies contain IPSec rules
and IPSec rules contain filter lists and filter actions.

There are three default IPSec policies in Windows Server 2003. We can assign only one policy at a
time.

Client (Respond Only): The Client (Respond Only) IPSec policy allows the computer to attempt unsecured
communications first and switch to secured communications if requested. This policy contains the
default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on
the requested protocol and port traffic for the communication the system is securing.

Server (Request Security): Server (Request Security) IPSec policy configured systems can request
secure IP communications whenever possible but will fall back to clear-text IP communication if non
IPSec-aware computers or systems not configured using a Client (Respond Only) policy request
communication.

Secure Server (Require Security): Systems configured with a Secure Server (Require Security) IPSec
policy require secure communications. The filters for this policy require all communication from the
given system to be secure, with the exception of the initial inbound communication request. Devices
that are not IPSec-aware and devices that are not configured with the Client (Respond Only) IPSec policy
will not be able to communicate with a device configured with Server (Request Security) IPSec policy.

The default policies can be viewed in the Group Policy editor. If you are working on a Windows 2003
Domain Controller, select Start > Programs > Administrative Tools > Domain Controller Security
Policy.

Figure 9: Domain Controller Security Policy MMC snap-in.

You have learned the three default policies with Windows Server 2003 and their functions.

How to configure IPSec in Windows 2003 - Securing Telnet Traffic using IPSec

In this lesson and the following lessons you will learn how to configure Internet Protocol Security (IPSec)
in a Windows 2003 network and how to secure Telnet traffic using Internet Protocol Security (IPSec).

Telnet is a network protocol, and the name is commonly used to refer to an application that uses that protocol.
The application is used to connect to remote computers. Telnet listens on the well-known TCP port 23.
Telnet is terminal emulator software and is used to gain access to a command-line interface on a
remote machine.

Securing Telnet Traffic using Internet Protocol Security (IPSec) - Scenario

You have four Windows 2003 servers. SERV03.omnisecu.com is a domain controller and
SERV01.omnisecu.com, SERV02.omnisecu.com and SERV04.omnisecu.com are member servers.

Figure 10: Scenario - Configure Internet Protocol Security in a Windows 2003 network.

You want to allow Telnet traffic secured with Internet Protocol Security (IPSec) to your Windows 2003
domain controller SERV03.omnisecu.com from SERV04.omnisecu.com, which is a Windows 2003
member server, and to block Telnet access from all other servers to the Windows 2003 domain controller
SERV03.omnisecu.com.

You cannot use the default IPSec policies, because there is no default Internet Protocol Security
(IPSec) policy to block Telnet traffic specifically.

Here we need to create a new Internet Protocol Security (IPSec) policy to permit secure Telnet access
to the domain controller SERV03.omnisecu.com only from SERV04.omnisecu.com, and block Telnet
traffic from all other servers.

In this lesson, you have seen an overview of Telnet. You have four Windows 2003 servers. One
is a Windows 2003 domain controller and the other three are member servers. You want to allow only
secure Telnet traffic to the Windows 2003 domain controller from the member server
SERV04.omnisecu.com.

How to create an IPSec policy on a Windows 2003 domain controller


In this lesson, you will learn how to create an Internet Protocol Security (IPSec) policy on a Windows 2003
domain controller (SERV03.omnisecu.com). You will learn how to secure Telnet traffic from a member
server (SERV04.omnisecu.com) and block Telnet traffic from all other servers using Internet Protocol
Security (IPSec) in the coming lessons.

Log in to the domain controller (SERV03.omnisecu.com) as Administrator and open the "Domain Controller
Security Policy" MMC snap-in from "Administrative Tools". (Select Start > Programs > Administrative
Tools > Domain Controller Security Policy). Right click IP Security Policies on Active Directory and
select "Create IP Security Policy" from the context menu. (Domain Controller Security Policy is
selected because SERV03.omnisecu.com is a domain controller. You have to select the appropriate Group
Policy when you configure IPSec for a different situation.)

"Welcome to the IP Security Policy Wizard" will fire up.


Click "Next" in IP Security Policy Wizard to continue.

Enter a meaningful name and description for the IPSec policy and click "Next" in the IP Security Policy
Wizard to continue.

In the "Requests for Secure Communications" screen of the IP Security Policy Wizard, uncheck the "Activate
the default response rule" checkbox.

"Default Response rule" is an IPSec rule that is used to ensure that the computer responds to
requests for secure communication. If the active IPSec policy does not have a rule defined for a
computer that is requesting secure communication, the default response rule is applied for secure
IPSec communication.

Click "Next" to continue.


Uncheck the "Edit Properties" checkbox (we will edit these settings later) and click "Finish" to complete
the IPSec policy wizard.

You can now see the new "Secure Telnet" Internet Protocol Security (IPSec) policy that you have just
created in the MMC snap-in.

You have learned how to create an Internet Protocol Security (IPSec) policy on a Windows 2003
domain controller. You will learn how to create an Internet Protocol Security (IPSec) policy rule in the
next lesson.

How to create IPSec Rule in Windows 2003 Server

In this lesson, you will learn how to create an Internet Protocol Security (IPSec) rule in a Windows 2003
Server.

An Internet Protocol Security (IPSec) rule consists of an IP filter list, a filter action, Authentication
methods, a Tunnel endpoint and a Connection type. Internet Protocol Security (IPSec) rules specify
when and how the computer should use IPSec. We can assign only one Internet Protocol Security
(IPSec) policy at a time, but an Internet Protocol Security (IPSec) policy can contain more than one
Internet Protocol Security (IPSec) rule.

Here we will create two rules, one rule will block all the Telnet Traffic from all the computers to the
domain controller SERV03.omnisecu.com, and other will allow secure traffic from member server
SERV04.omnisecu.com.

To create a new Internet Protocol Security (IPSec) rule, right click the new Internet Protocol Security
(IPSec) policy you have created and select "Properties" from the context menu.

The Properties box of the "Secure Telnet" Internet Protocol Security (IPSec) policy will fire up.
Remember to uncheck the "Use Add Wizard" checkbox.

Click the "Add" button to create a new Internet Protocol Security (IPSec) rule. Once again, an Internet
Protocol Security (IPSec) rule consists of IP Filter List, Filter Action, Authentication methods, Tunnel
endpoint and Connection type.

"New Rule Properties" box will fire up.


There are five tabs in "New Rule Properties" box.

1) IP Filter Lists

2) Filter Action

3) Authentication Methods

4) Tunnel Setting

5) Connection Type

In this lesson you have started learning how to create an Internet Protocol Security (IPSec) rule.
An Internet Protocol Security (IPSec) rule contains IP filter lists and filter actions. In the next lesson you will
learn how to create an IP filter list.

How to create IPSec filter list in Windows 2003


In this lesson you will learn how to create an Internet Protocol Security (IPSec) filter list.

IP Filter list specifies what traffic the system should secure using IPSec. IP filter lists can be specified
based on IP addresses, protocols, and port numbers. An IP filter list is configured on the IP Filter List
tab in the Properties dialog box of an IPSec rule of an IPSec policy.

Click the "Add" button on the IP Filter List tab of "New Rule Properties".


The "IP Filter List" dialog box will fire up. Enter a meaningful name and description. Remember to
uncheck "Use Add Wizard". Click the "Add" button to create a new filter list to filter all Telnet traffic
to the domain controller.

In Source address combo box, select "Any IP Address" and in Destination address combo box, select
"My IP Address". To automatically create two filters based on configured filter settings going to and
coming from the specific Destination address, select the Mirrored check box. Now click the "Protocol"
tab.

Select TCP as the protocol and "To this port" as 23. Remember, Telnet is listening at TCP port number
23. Click "OK" to create a new IP filter list.

Click "OK" to finish. The new filter list "Block All Telnet" will be listed in the IP filter lists tab.

You have created a new IPSec IP filter list (Block All Telnet) to filter Telnet traffic from all computers
to the domain controller SERV03.omnisecu.com. Now you have to specify a filter action for this filter
list. Click the filter action tab of the "New Rule properties" dialog box.

How to associate IPSec filter list to IPSec filter action


This lesson will teach you how to associate the IPSec IP filter list you created in the previous lesson
with an IPSec filter action. This filter action will block all Telnet traffic to the domain controller
SERV03.omnisecu.com.

We have created an IPSec filter list "Block All Telnet" which filters all Telnet traffic originating from any IP
address to the domain controller SERV03.omnisecu.com. We need to associate a filter action "Block" with
this filter list. When any traffic that matches the "Block All Telnet" filter list arrives at the domain controller, it will
be blocked.

Select the new filter list "Block All Telnet" you created in the last lesson by selecting the radio button.
Now click the filter action tab, to associate a filter action with this filter list.

To add the IPSec block filter action, uncheck "Use Add Wizard" and click "Add". Select the "Block" radio
button inside "New Filter Action Properties".

Click the "General" tab, enter a meaningful name for the filter action, and a description.

Click "OK".

The new filter action "Block Telnet" will be listed; select it by clicking the radio button. Click "Apply" and
"Close". You can see the new "Block All Telnet" rule listed in the Rules tab of the IPSec policies.

The new IPSec rule is created. There are three more tabs in the rule properties dialog box.

1) Authentication Methods - Lists the IPSec authentication methods. The three possible authentication
methods are:

Kerberos: Kerberos 5 is the default authentication method in a Windows Server 2003 domain. Users
running the Kerberos protocol within a trusted domain can authenticate using this method.

Certificates: Digital certificates can be used for authentication, if a trusted certificate authority is available.

Shared Key: A pre-shared key can be used for authentication when Kerberos is not available. A pre-shared
key is a string value which is configured on each computer and must be the same on both computers.

2) Tunnel Setting - Specifies whether this is in Tunnel mode or Transport mode. You need to specify the
end-point of the tunnel also. "This rule does not specify an IPSec tunnel" option is the Transport mode.

3) Connection Type - Determines for which types of connections the rule will be applied: LAN, Remote
Access, or All Network Connections.

You have created an IPSec rule to block all Telnet traffic to the domain controller. Now you need to create an
IPSec rule allowing SERV04.omnisecu.com secure Telnet access. Follow the steps we did before,
with a few changes.

Click the "Add" tab in the Secure Telnet IPSec policy to add a new rule.
Click "Add" button in the "New Rule Properties" dialog box, to add an IPSec IP filter list.

Type a meaningful name and description for the IPSec IP filter list.
Click "Add" button to add an IPSec IP filter.

Select "A specific IP Address" from the combo box of Source address and enter the IP address of
SERV04.omnisecu.com (192.168.1.12), to which we need to enable secure telnet communication using
IPSec. Enter Destination address as "My IP address". Click Protocol tab.

Enter the protocol and port number to enable secure traffic.

Click "OK".
Select the new filter list "Allow SERV04" and click filter action tab.

Select "Require Security" filter action to enable secure IPSec communication between
SERV03.omnisecu.com and SERV04.omnisecu.com. Click "Apply" and "Close". Refer next lesson how to
configure IPSec encryption algorithm, hashing algorithm and other settings.

The two rules you have created are listed in the "Secure Telnet" policy properties.

At this point you may be wondering about these two conflicting rules. The "Block All Telnet" rule is defined to
block all Telnet traffic to the domain controller SERV03.omnisecu.com and "Allow SERV04" is defined to
allow secure Telnet traffic from SERV04.omnisecu.com. The IPSec rules are automatically ordered from the
most specific to the least specific. Here the "Allow SERV04" IPSec rule is the most specific, because we have
specified the IP address of SERV04.omnisecu.com (192.168.1.12).
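The ordering described above can be checked with a small model. The following Python code is an added example, not part of the original tutorial and not Windows code; the Rule class, the specificity score, the default "Permit" for unmatched traffic and the address used for SERV03 (192.168.1.11) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
TELNET = 23
SERV03 = "192.168.1.11"   # constructed: the tutorial does not give SERV03's address
SERV04 = "192.168.1.12"   # address given in the tutorial


@dataclass(frozen=True)
class Rule:
    name: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    protocol: str      # "tcp", "udp" or "any"
    dst_port: int      # 0 means any port
    action: str        # "Block", "Permit" or "Require Security"

    def matches(self, src, dst, protocol, dst_port):
        return (ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.destination
                and self.protocol in ("any", protocol)
                and self.dst_port in (0, dst_port))

    def specificity(self):
        # Assumed score: longer address prefixes and a fixed protocol or
        # port make a filter more specific.
        return (self.source.prefixlen + self.destination.prefixlen
                + (self.protocol != "any") + (self.dst_port != 0))


def build_policy(my_ip=SERV03):
    """The two rules of the "Secure Telnet" policy, in the order they were created."""
    me = ipaddress.ip_network(my_ip + "/32")     # "My IP address"
    serv04 = ipaddress.ip_network(SERV04 + "/32")
    return [
        Rule("Block All Telnet", ANY, me, "tcp", TELNET, "Block"),
        Rule("Allow SERV04", serv04, me, "tcp", TELNET, "Require Security"),
    ]


def evaluate(policy, src, dst, protocol, dst_port):
    """Return (rule name, action) of the most specific matching rule."""
    for rule in sorted(policy, key=Rule.specificity, reverse=True):
        if rule.matches(src, dst, protocol, dst_port):
            return rule.name, rule.action
    return None, "Permit"   # assumed: traffic matching no filter is left alone


if __name__ == "__main__":
    policy = build_policy()
    for src, port in [(SERV04, 23), ("192.168.1.50", 23), ("192.168.1.50", 445)]:
        print(src, port, evaluate(policy, src, SERV03, "tcp", port))
```

The result does not depend on the order in which the rules were added, which is why the broad "Block" rule cannot shadow the narrower SERV04 rule.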

You have learned how to associate an IPSec IP filter list with a filter action. You have created two rules,
one rule will block all IP traffic and the other rule enables secure Telnet traffic between SERV03.omnisecu.com
and SERV04.omnisecu.com.

How to assign an IPSec policy in Windows 2003

You will learn how to assign the IPSec policy you created in the last lesson to the domain controller.

Remember, you can assign only one IPSec policy at a time.

To assign an IPSec policy, right-click the policy and select "Assign" from the context menu. This action will
assign the "Secure Telnet" IPSec policy you have created and make it active.
Once the policy is assigned, you can see a green dot on the policy icon and the "Policy Assigned" status will be
"Yes".
Remember to assign the Client (Respond Only) IPSec policy on SERV04.omnisecu.com, to allow it to
communicate using IPSec.
Once the policy is active, Telnet traffic from all other servers will be blocked and only secure communication
using IPSec will be allowed between SERV03.omnisecu.com and SERV04.omnisecu.com. Remember to
update group policy using the gpupdate command.

In this lesson you have learned how to assign an Internet Protocol Security (IPSec) policy.

How to configure IPSec encryption and integrity algorithm in Windows 2003

This lesson explains how to configure Internet Protocol Security (IPSec) Integrity and Encryption algorithms
in Windows 2003.

If you select "Negotiate Security", you can specify whether you require Authentication Header (AH), Encapsulating
Security Payload (ESP) or both. You can also specify the encryption algorithm (DES or 3DES) and the
integrity algorithm (MD5 or SHA1).

Click "Add" in the "Edit Rule Properties" dialog box.

Select "Negotiate Security" in the "New Filter Action" dialog box and click "Add".
You can select either Authentication Header (AH), Encapsulating Security Payload (ESP) or both here.
"Integrity and encryption" will enable ESP with data integrity and confidentiality. "Integrity only" will
enable ESP with only data integrity. You can select "Custom" to customize your IPSec protocols and
algorithms. Select the "Custom" radio button and click "Settings".

You can select the IPSec protocols Authentication Header (AH), Encapsulating Security Payload (ESP) or both
in this dialog box. If you select Authentication Header, you need to select an Integrity Algorithm also (MD5
or SHA1). If you select Encapsulating Security Payload, you need to select both an Integrity Algorithm (MD5 or
SHA1) and an encryption algorithm (DES or 3DES).

In the "Session key settings", you can specify an interval to generate a new session key. Reducing this
value will increase your security, but decrease the performance. The interval can be specified in data size
(Kilobytes) or seconds. The session key generation process will be started by whichever comes first.

In this lesson, you have learned how to configure Internet Protocol Security (IPSec) Integrity and
Encryption algorithms in Windows 2003.

Public Key Infrastructure (PKI)

What is Symmetric Encryption?


You will learn the terms encryption, encryption algorithm, encryption key and symmetric encryption
in this lesson.

Cryptography is the art and science of making data impossible to read. Cryptographic algorithms start
with plain, readable data (plaintext) and scramble it so it becomes an unreadable ciphertext. Each
encryption algorithm must also specify how the ciphertext can be decrypted back into the plaintext it
came from, so that the intended recipient can read it.

Encrypting the plaintext to ciphertext will give high security to your confidential data and only the
authorized person who is supposed to read this document, can read it.
Encryption Terms
Following are some important terms related with encryption. Before continuing, you should know
what these terms are.

Plaintext: The information in its original form. This is also known as cleartext.

Ciphertext: The information after it has been obfuscated by the encryption algorithm.

Encryption: The process of changing the plaintext into ciphertext.

Decryption: The process of changing the ciphertext into plaintext.

Encryption Algorithm: An algorithm defines how data is transformed when the original plaintext data is
scrambled to ciphertext. Both the data sender and the recipient must know the algorithm used for
data transformation. The recipient should use the same algorithm to decrypt the ciphertext back into
the original plaintext data.

Encryption Key: A key is a secret value, which is used as an input to the algorithm along with the
plaintext data when plaintext is converted to ciphertext. The same secret key should be used to
decrypt the ciphertext back into plaintext data.

Cryptography: The art of concealing information using encryption.

Cryptographer: An individual who practices cryptography.

Cryptanalysis: The art of analyzing cryptographic algorithms for identifying the weaknesses.

Cryptanalyst: An individual who uses cryptanalysis to identify the weaknesses in cryptographic
algorithms.

What is Symmetric Encryption?


Symmetric encryption is the process of converting readable data into an unreadable format and converting it
back to a readable format using the same key. Symmetric encryption algorithms use the same key for
encryption and decryption. The key must be exchanged so that both the data sender and the data
recipient can access the plaintext data. The plaintext (readable text) is converted to ciphertext
(unreadable text) using a key and at the receiving side the same key is used to convert the
ciphertext (unreadable text) back to plaintext (readable text).

 
Symmetric Encryption Algorithms, DES, DESX, Triple DES, 3DES, RC2, RC5, RC4, AES, IDEA, Blowfish, CAST,
Block Cipher, Streaming Cipher

Data Encryption Standard (DES): An encryption algorithm that encrypts data with a 56-bit, randomly
generated symmetric key. DES is not a secure encryption algorithm and it was cracked many times. Data
Encryption Standard (DES) was developed by IBM and the U.S. Government together. DES is a block
encryption algorithm.

Data Encryption Standard XORed (DESX): DESX is a stronger variation of the DES encryption algorithm. In
DESX, the input plaintext is bitwise XORed with 64 bits of additional key material before encryption with
DES and the output is also bitwise XORed with another 64 bits of key material.

Triple DES (3DES): Triple DES was developed from DES and uses a 64-bit key consisting of 56 effective key bits
and 8 parity bits. In 3DES, DES encryption is applied three times to the plaintext. The plaintext is
encrypted with key A, decrypted with key B, and encrypted again with key C. 3DES is a block encryption
algorithm.

RC2 and RC5: Ronald Rivest (RSA Labs), developed these algorithms. They are block encryption algorithms
with variable block and key sizes. It is difficult to break if the attacker does not know the original sizes
when attempting to decrypt captured data.

RC4: A variable key-size stream cipher with byte-oriented operations. The algorithm is based on the use of
a random permutation and is commonly used for the encryption of traffic to and from secure Web sites
using the SSL protocol.

Advanced Encryption Standard (AES): Advanced Encryption Standard (AES) is a newer and stronger
encryption standard, which uses the Rijndael (pronounced Rhine-doll) algorithm. This algorithm was
developed by Joan Daemen and Vincent Rijmen of Belgium. AES will eventually displace DESX and 3DES.
AES can use 128-bit, 192-bit, and 256-bit keys.

International Data Encryption Algorithm (IDEA): IDEA encryption algorithm is the European counterpart to
the DES encryption algorithm. IDEA is a block cipher, designed by Dr. X. Lai and Professor J. Massey. It
operates on a 64-bit plaintext block and uses a 128-bit key. IDEA uses a total of eight rounds in which it
XOR’s, adds and multiplies four sub-blocks with each other, as well as six 16-bit sub-blocks of key material.

Blowfish: Blowfish is a symmetric block cipher, designed by Bruce Schneier. Blowfish has a 64-bit block
size and a variable key length from 32 up to 448 bits. Bruce Schneier later created Twofish, which
performs a similar function on 128-bit blocks.

CAST: CAST is an algorithm developed by Carlisle Adams and Stafford Tavares. It’s used in some products
offered by Microsoft and IBM. CAST uses a 40-bit to 128-bit key, and it’s very fast and efficient.

Note:

Block Cipher: A block cipher divides data into chunks, pads the last chunk if necessary, and then encrypts
each chunk in its turn.

Streaming Cipher: A streaming cipher uses a series of random numbers seeded with a cipher key to encrypt
a stream of bits.

What is Asymmetric Encryption? Private Key, Public Key


Asymmetric encryption increases the security of the encryption process by utilizing two separate but
mathematically related keys known as a public key and a private key. Asymmetric encryption
algorithms use a mathematically related key pair for encryption and decryption. One key of the
key pair is known as the public key and the other one is the private key.

The private key is possessed only by the user or computer that generates the key pair. The public key
can be distributed to any person who wishes to send encrypted data to the private key holder. It is
computationally infeasible to compute the private key from the public key. Hence it is safe to publish the
public key.

If the public key is used for encryption, the associated private key is used for decryption.

If the private key is used for encryption, the associated public key is used for decryption.

First, the data sender obtains the recipient's public key. The plaintext is encrypted with an asymmetric
encryption algorithm, using the recipient's public key, and the ciphertext is created. After the
encryption process, the ciphertext is sent to the recipient through the unsecured network. The
recipient decrypts the ciphertext with his private key and now he can access the plaintext from the
sender.

Asymmetric Encryption Algorithms, Diffie-Hellman, RSA, ECC, ElGamal, DSA

The following are the major asymmetric encryption algorithms used for encrypting or digitally signing
data. 

Diffie-Hellman key agreement: The Diffie-Hellman key agreement algorithm was developed by Dr. Whitfield
Diffie and Dr. Martin Hellman in 1976. The Diffie-Hellman algorithm is not for encryption or decryption, but it
enables two parties who are involved in communication to generate a shared secret key for exchanging
information confidentially. The working of Diffie-Hellman key agreement can be explained as below.

Assume we have two parties who need to communicate securely.

1) P1 and P2 agree on two large integers a and b such that 1 < a < b.

2) P1 then chooses a random number i and computes I = a^i mod b. P1 sends I to P2.

3) P2 then chooses a random number j and computes J = a^j mod b. P2 sends J to P1.

4) P1 computes k1 = J^i mod b.

5) P2 computes k2 = I^j mod b.

6) We have k1 = k2 = a^(ij) mod b and thus k1 and k2 are the secret keys for secure transmission.
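The six steps above, run end to end with the tutorial's symbols (a, b, i, j, I, J, k1, k2). This Python code is an added example, not part of the original tutorial; the parameters (b = 2^127 - 1, a = 3), the range check on the peer's value and the SHA-256 step that turns the shared integer into a key are assumptions chosen for illustration, and real deployments use standardized groups of 2048 bits or more.

```python
import hashlib
import secrets

# Step 1: public parameters agreed by P1 and P2 (constructed toy values).
b = 2**127 - 1   # a Mersenne prime used as the modulus
a = 3            # base, 1 < a < b


def choose_secret(modulus):
    """Pick a private exponent in [2, modulus - 2]."""
    return secrets.randbelow(modulus - 3) + 2


def public_value(base, secret, modulus):
    """Steps 2 and 3: I = a^i mod b, J = a^j mod b."""
    return pow(base, secret, modulus)


def check_peer_value(value, modulus):
    """Added defensive check: 0, 1 and b-1 would force a predictable secret."""
    if not 1 < value < modulus - 1:
        raise ValueError("peer value outside (1, b-1)")
    return value


def shared_secret(peer_value, secret, modulus):
    """Steps 4 and 5: k1 = J^i mod b, k2 = I^j mod b."""
    return pow(check_peer_value(peer_value, modulus), secret, modulus)


def session_key(k):
    """Turn the shared integer into a 256-bit symmetric key (assumed: bare SHA-256)."""
    width = (b.bit_length() + 7) // 8
    return hashlib.sha256(k.to_bytes(width, "big")).digest()


def run_exchange(i=None, j=None):
    """Run the whole exchange; i and j can be fixed to make the run repeatable."""
    i = choose_secret(b) if i is None else i   # known only to P1
    j = choose_secret(b) if j is None else j   # known only to P2
    I = public_value(a, i, b)                  # sent P1 -> P2
    J = public_value(a, j, b)                  # sent P2 -> P1
    k1 = shared_secret(J, i, b)                # computed by P1
    k2 = shared_secret(I, j, b)                # computed by P2
    # "wire" is everything an eavesdropper sees: i, j, k1 and k2 never travel.
    return {"wire": (a, b, I, J), "k1": k1, "k2": k2}


if __name__ == "__main__":
    result = run_exchange()
    print("values on the wire:", result["wire"])
    print("k1 == k2:", result["k1"] == result["k2"])
    print("session key:", session_key(result["k1"]).hex())
```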

Rivest Shamir Adleman (RSA): Ron Rivest, Adi Shamir, and Len Adleman released the Rivest-Shamir-
Adleman (RSA) public key algorithm in 1978. This algorithm can be used for encrypting and signing data.
The encryption and signing processes are performed through a series of modular multiplications.

The basic RSA algorithm for confidentiality can be explained as below.

Ciphertext = (plaintext)^e mod n
Plaintext = (ciphertext)^d mod n
Private Key = {d, n}
Public Key = {e, n}

The basic RSA algorithm for authentication can be explained as below.

Ciphertext = (plaintext)^d mod n
Plaintext = (ciphertext)^e mod n
Private Key = {d, n}
Public Key = {e, n}

Elliptic Curve Cryptography (ECC): Elliptic Curve Cryptography (ECC) provides similar functionality to RSA.
Elliptic Curve Cryptography (ECC) is being implemented in smaller devices like cell phones. It requires less
computing power compared with RSA. ECC encryption systems are based on the idea of using points on a
curve to define the public/private key pair.

El Gamal: El Gamal is an algorithm used for transmitting digital signatures and key exchanges. The method
is based on calculating logarithms. El Gamal algorithm is based on the characteristics of logarithmic
numbers and calculations. The Digital Signature Algorithm (DSA) is based on El Gamal algorithm.

Digital Signature Algorithm (DSA): The Digital Signature Algorithm (DSA) was developed by the United
States government for digital signatures. Digital Signature Algorithm can be used only for signing data and
it cannot be used for encryption. The DSA signing process is performed through a series of calculations
based on a selected prime number. Although intended to have a maximum key size of 1,024 bits, longer
key sizes are now supported.

When DSA is used, the process of creating the digital signature is faster than validating it.

When RSA is used, the process of validating the digital signature is faster than creating it.

Public Key Cryptography

Public Key cryptography is based on asymmetric encryption. Asymmetric encryption makes use of a
mathematically linked pair of keys, one known as the public key and the other known as the private key.
The plaintext encrypted using one of the keys can only be decrypted using the other key, and it is
computationally infeasible to compute the private key from the published public key. A user has his own pair
of keys, keeping the private key absolutely private and the public key as public as possible.

The following text explains the concept more clearly. If Alice has in hand her own public key (PubA), her
own private key (PrivA), and Bob's public key (PubB), she can do the following:

• Encrypt the plaintext with Bob's public key (PubB)

• Calculate the hash sum of the plaintext and encrypt it with her own private key (PrivA)

• Combine the ciphertext and the encrypted hash sum in a message and send it to Bob.

Upon receiving this message, Bob, who should have in his possession his own public key (PubB), his own
private key (PrivB), and Alice's public key (PubA), can do the following:

• Decrypt the ciphertext with his own private key (PrivB)

• Decrypt the hash sum with Alice's public key (PubA)

• Calculate the hash sum of the plaintext and compare it with the decrypted hash sum

Bob can now decrypt the ciphertext to plaintext and, if the hash sums are the same, he can be sure that
it hasn't been altered in the network.
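The Alice and Bob exchange above, built directly on the RSA formulas given earlier (value^e mod n and value^d mod n). This Python code is an added example, not part of the original tutorial; the key pairs are constructed from small Mersenne primes, the hash is SHA-256 truncated to 128 bits to fit the toy modulus, and no padding is applied, so it shows the mechanics only (production RSA uses padded schemes and keys of 2048 bits or more).

```python
import hashlib

E = 65537   # public exponent e


def make_keypair(p, q):
    """Return (public, private) = ({e, n}, {d, n}) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # d is the inverse of e modulo phi(n)
    return (E, n), (d, n)


# Constructed toy keys: too small and too structured for any real use.
PubA, PrivA = make_keypair(2**89 - 1, 2**107 - 1)   # Alice
PubB, PrivB = make_keypair(2**61 - 1, 2**127 - 1)   # Bob


def rsa(value, key):
    """value^exponent mod n: the one operation behind all four formulas."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus n")
    return pow(value, exponent, n)


def hash_sum(data):
    """SHA-256 truncated to 128 bits so that it fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def to_int(data):
    return int.from_bytes(data, "big")


def to_bytes(number):
    return number.to_bytes((number.bit_length() + 7) // 8, "big")


def alice_send(plaintext, pub_b=PubB, priv_a=PrivA):
    """Encrypt for Bob with PubB, then encrypt the hash sum with PrivA."""
    return {
        "ciphertext": rsa(to_int(plaintext), pub_b),
        "encrypted_hash": rsa(hash_sum(plaintext), priv_a),
    }


def bob_receive(message, priv_b=PrivB, pub_a=PubA):
    """Decrypt with PrivB, recover the hash with PubA, compare. Returns (plaintext, intact)."""
    plaintext = to_bytes(rsa(message["ciphertext"], priv_b))
    claimed_hash = rsa(message["encrypted_hash"], pub_a)
    return plaintext, claimed_hash == hash_sum(plaintext)


if __name__ == "__main__":
    sent = alice_send(b"telnet from SERV04")
    print(bob_receive(sent))                        # original message, intact
    altered = dict(sent, ciphertext=sent["ciphertext"] + 1)
    print(bob_receive(altered))                     # garbage plaintext, not intact
```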

What is a Digital Certificate?

The data structure used to transport and validate keys is called a digital certificate. A certificate protects
the key by guaranteeing the identity of the issuer, the identity of the owner, and the purposes for which
the key can be used. A certificate cannot be forged because the issuing authority digitally signs it. The
signature is applied to a hash of the certificate. This enables clients to validate the issuer's identity and
find any alteration. The client decrypts the hash using the issuer's public key and then compares the result
to a separate hash it performs on the certificate. If the results match, the certificate is valid.
A Digital Certificate contains the following fields (some are optional).

Issued By: The Certification Authority (CA) that issued the digital certificate.

Issued To: The recipient that obtained the digital certificate. If the recipient is a user, the name can be the
user's logon ID, User Principal Name (UPN), or Distinguished Name (DN).

Intended Uses (OID): A certificate has one or more uses. This shows the intended uses of the certificate.

Version: The certificate version. Windows Certification Authority (CA) servers issue X.509 Version 3
certificates.

Serial Number: This is a sequential number assigned by the CA to the certificate. The number is unique
and acts as a validity check.

Signature Algorithm: The hashing algorithm used to do the digital signature for the certificate. This is
typically either SHA-1 or MD5.

Issuer: This is the X.500 distinguished name of the issuing server.

Valid From: This is the issue date of the certificate.

Valid To: This important field defines the expiry date of the certificate.

Subject: This is the X.500 distinguished name of the certificate's owner.


Public Key: This field contains the public key.

CA Version: This field contains the version number (number of times the authorization certificate for a
particular Certification Authority (CA) has been renewed).

Subject Key Identifier: This field contains an SHA-1 hash of the Public Key field used to uniquely identify
the contents. This prevents alteration of the public key.

Certificate Template: This field is a Microsoft extension that contains name of the template used by the
CA to generate this certificate.

Key Usage: This field contains the OIDs of the purposes for the certificate.

Authority Key Identifier: Contains an SHA-1 hash of the public key of the issuing CA along with the
distinguished name of the CA.

CRL Distribution Points (CDPs): CRL (Certificate Revocation List) information listed by LDAP path, URL, and
file share name.

Authority Information Access: Information for a client to find the certificate of the issuing CA.

Thumbprint: A hash of the certificate.

Thumbprint Algorithm: The algorithm used to obtain the certificate hash.

What is Public Key Infrastructure (PKI), Confidentiality, Authentication, Integrity, Non-Repudiation

The Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed
to create, manage, store, distribute, and revoke Digital Certificates. A Public Key Infrastructure (PKI)
enables users of a basically unsecure public network such as the Internet to securely and privately
exchange data through the use of a public and a private cryptographic key pair that is obtained and
shared through a trusted authority.

The following are the major functions of Public Key Infrastructure (PKI).

Confidentiality: The privacy of user transactions is protected by encrypting data streams and messages.
The confidentiality function may be intended to prevent the unauthorized disclosure of information
locally or across a network. By using Public Key Infrastructure (PKI), users are able to ensure that only an
intended recipient can “unlock” (decrypt) an encrypted message.

Authentication: Authentication is the process of verifying that the user is who they say they are. PKI
provides a means for senders and recipients to validate each other's identities.

Integrity: Guaranteeing message integrity is another important function of Public Key Infrastructure (PKI).
Public Key Infrastructure (PKI) has built-in ways to validate that all the outputs are equivalent to the
inputs. Any alteration of the data can be immediately detected and prevented.

Non-Repudiation: Public Key Infrastructure (PKI) ensures that an author cannot refute that they signed or
encrypted a particular message once it has been sent, assuming the private key is secured. Here Digital
signatures link senders to their messages. Only the sender of the message could sign messages with their
private key and therefore, all messages signed with the sender's private key originated with that specific
individual.

What is a Certificate Authority (CA) and functions of a Certificate Authority (CA)

A Certificate Authority (CA) is a trusted entity that issues Digital Certificates and public-private key
pairs. The role of the Certificate Authority (CA) is to guarantee that the individual granted the unique
certificate is, in fact, who he or she claims to be.

The Certificate Authority (CA) verifies that the owner of the certificate is who he says he is. A
Certificate Authority (CA) can be a trusted third party which is responsible for physically verifying the
legitimacy of the identity of an individual or organization before issuing a digital certificate.

A Certificate Authority (CA) can be an external (public) Certificate Authority (CA) like VeriSign, Thawte
or Comodo, or an internal (private) Certificate Authority (CA) configured inside our network.

Certificate Authority (CA) is a critical security service in a network. A Certificate Authority (CA)
performs the following functions.

Certificate Authority (CA) Verifies the identity: The Certificate Authority (CA) must validate the
identity of the entity who requested a digital certificate before issuing it.

Certificate Authority (CA) issues digital certificates: Once the validation process is over, the Certificate
Authority (CA) issues the digital certificate to the entity who requested it. Digital certificates can be
used for encryption (Example: Encrypting web traffic), code signing, authentication etc.

Certificate Authority (CA) maintains Certificate Revocation List (CRL): The Certificate Authority (CA)
maintains the Certificate Revocation List (CRL). A certificate revocation list (CRL) is a list of digital
certificates which are no longer valid and have been revoked and therefore should not be relied upon by
anyone.

Comparison between Internal and External Certificate Authorities (CAs), Internal CA Vs External CA

Advantages of internal Certificate Authority (CA)


• Simplified and easy management is the main advantage of using an internal Certificate Authority (CA).
There is no need to depend on an external entity for certificates.

• In a Microsoft Windows environment, internal Certificate Authority (CA) can be integrated in Active
Directory. This further simplifies the management of the CA structure.

• There is no cost per certificate when you are using an internal Certificate Authority (CA).

• With internal Certificate Authorities (CAs) it is cheaper to configure and expand the Public Key Infrastructure
(PKI).

• The auto-enrollment feature of Windows Server 2003 further simplifies the certificate issuing process.

Disadvantages of internal Certificate Authority (CA)


• Implementing internal Certificate Authority (CA) is more complicated than using external Certificate
Authority (CA).

• The security and accountability of Public Key Infrastructure (PKI) is completely on the organization's
shoulder.

• External parties normally will not trust a digital certificate signed by an internal Certification Authority
(CA).

• The certificate management overhead of internal Certification Authority (CA) is higher than that of
external Certification Authority (CA).

Advantages of external Certificate Authority (CA)


• The external CA is responsible for the security and accountability of Public Key Infrastructure.

• External parties normally trust a digital certificate signed by a trusted external CA, such as VeriSign,
Thawte, Comodo, SecureNet etc.

• The certificate management overhead of external Certification Authority (CA) is lower than that of
internal Certification Authority (CA).

Disadvantages of external Certification Authority (CA)


• Integration between an external Certification Authority (CA) and the infrastructure of the organization is
limited.

• Your organization needs to pay per certificate when you are using the services of an external Certification
Authority (CA).

• Less flexibility when configuring, expanding and managing certificates.

Certificate Authority (CA) Hierarchy, Root CA, Intermediate CA, Issuing CA

Digital certificates created by a Public Key Infrastructure (PKI) Certificate Authority (CA) are verified using
a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA), and any
Certificate Authority (CA) which comes under Root Certificate Authority (Root CA) is known as a
subordinate Certificate Authority (CA). The following figure shows the Certificate Authority Hierarchy.
  

Root CA: A Root CA is the topmost Certificate Authority (CA) in a Certificate Authority (CA) hierarchy. Each
Certificate Authority (CA) hierarchy begins with the Root CA, and multiple CAs branch from this Root CA in
a parent-child relationship. All child CAs must be certified by the corresponding parent CA back to the
Root CA. The Root CA is kept in a secure area and it is usually a stand-alone offline CA (to make it the most
secure Certificate Authority (CA)). The root CA provides certificates for intermediate CAs. The certificates
can be revoked if they are compromised.

Intermediate CAs: An intermediate Certificate Authority (CA) is a CA that is subordinate to another CA
(Root CA or another intermediate CA) and issues certificates to other CAs in the CA hierarchy.
Intermediate CAs are usually stand-alone offline CAs like root CAs.

Issuing CAs: Issuing CAs are used to provide certificates to users, computers, and other services. There can
be multiple issuing CAs, and one issuing CA can be used for generating computer certificates and another
can be used for generating user certificates.
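The chain of trust described above (Root CA, Intermediate CA, Issuing CA, end certificate), together with the signature check from "What is a Digital Certificate?" and the CRL lookup, as a runnable model. This Python code is an added example, not part of the original tutorial and not how Windows Certificate Services stores certificates; certificates are plain dictionaries, the keys are toy RSA keys constructed from Mersenne primes, and all names, serial numbers and dates are constructed.

```python
import hashlib
from datetime import date

E = 65537
SIGNED_FIELDS = ("subject", "issuer", "serial", "valid_from", "valid_to",
                 "public_key", "is_ca")


def make_keypair(p, q):
    """Toy RSA key pair: public {e, n}, private {d, n}."""
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)


def digest(cert):
    """Hash of every field except the signature, truncated to fit the toy moduli."""
    signed = "|".join(str(cert[field]) for field in SIGNED_FIELDS)
    return int.from_bytes(hashlib.sha256(signed.encode()).digest()[:16], "big")


def issue(subject, public_key, issuer, issuer_private, serial, is_ca):
    """Build a certificate and sign its hash with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer, "serial": serial,
            "valid_from": date(2024, 1, 1), "valid_to": date(2030, 1, 1),
            "public_key": public_key, "is_ca": is_ca}
    d, n = issuer_private
    cert["signature"] = pow(digest(cert), d, n)
    return cert


def signature_ok(cert, issuer_public):
    """Recover the hash with the issuer's public key and compare with a fresh hash."""
    e, n = issuer_public
    return pow(cert["signature"], e, n) == digest(cert)


def validate_chain(chain, trust_store, crls, today):
    """chain runs end certificate -> ... -> root. Returns (ok, reason)."""
    root = chain[-1]
    if trust_store.get(root["subject"]) != root["public_key"]:
        return False, "root is not a trust anchor"
    for position, cert in enumerate(chain):
        is_root = position == len(chain) - 1
        parent = cert if is_root else chain[position + 1]   # the root signs itself
        if cert["issuer"] != parent["subject"]:
            return False, cert["subject"] + ": issuer does not match parent"
        if not is_root and not parent["is_ca"]:
            return False, parent["subject"] + ": not a CA certificate"
        if not signature_ok(cert, parent["public_key"]):
            return False, cert["subject"] + ": bad signature"
        if not cert["valid_from"] <= today <= cert["valid_to"]:
            return False, cert["subject"] + ": outside validity period"
        if cert["serial"] in crls.get(cert["issuer"], set()):
            return False, cert["subject"] + ": revoked"
    return True, "ok"


# Constructed three-tier hierarchy.
ROOT_PUB, ROOT_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
INT_PUB, INT_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
ISS_PUB, ISS_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
LEAF_PUB, _ = make_keypair(2**19 - 1, 2**31 - 1)

ROOT = issue("Root CA", ROOT_PUB, "Root CA", ROOT_PRIV, 1, True)
INTERMEDIATE = issue("Intermediate CA", INT_PUB, "Root CA", ROOT_PRIV, 2, True)
ISSUING = issue("Issuing CA", ISS_PUB, "Intermediate CA", INT_PRIV, 7, True)
LEAF = issue("SERV04.omnisecu.com", LEAF_PUB, "Issuing CA", ISS_PRIV, 42, False)
CHAIN = [LEAF, ISSUING, INTERMEDIATE, ROOT]
TRUST_STORE = {"Root CA": ROOT_PUB}    # the only key trusted without a parent

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print(validate_chain(CHAIN, TRUST_STORE, {}, today))
    # The Intermediate CA's CRL lists the Issuing CA's serial number 7.
    print(validate_chain(CHAIN, TRUST_STORE, {"Intermediate CA": {7}}, today))
```

Revoking one subordinate CA invalidates every certificate beneath it, while certificates under other branches of the same root remain valid.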

Windows 2003 Certificate Authorities (CAs), Enterprise CA, Standalone CA

You can create your organization's Certificate Authority (CA) using Microsoft's Windows Server 2003
Certificate Services. Windows 2003 Certificate Services offers four types of CAs: Enterprise Root CA,
Enterprise Subordinate CA, Standalone Root CA, and Standalone Subordinate CA.

Enterprise Root CAs


The Enterprise Root CA is at the top level of the certificate authority hierarchy. Once Enterprise Root
CA is configured, it registers automatically within Active Directory and all computers within the
domain trust it.

The Enterprise Root CA is usually responsible for issuing certificates to subordinate CAs, which then
issue the certificates to users and computers on the network. However the Enterprise Root CA can
also issue certificates to users and computers, if required. Following are the features of Enterprise
CAs.

• Auto enrollment feature is available.

• Only a member of Enterprise Admins group can configure Enterprise CA.

• An enterprise CA requires the Active Directory service.

• An enterprise CA requires the DNS service.

If you require smart cards for your employees, you should use Enterprise CAs.

Enterprise Subordinate CAs


The Enterprise Subordinate CAs are placed under the Enterprise Root CA in the certificate hierarchy.
Enterprise Subordinate CAs are normally used for issuing certificates to a particular part of an
organization or for issuing certificates of a specific type. An Enterprise Subordinate CA should be
certified by the Enterprise Root CA (may be an enterprise root CA on the local network or a third-party
CA).

Standalone Root CAs


Stand-alone CAs do not use Active Directory. If Active Directory is not available in your network, you
can configure Standalone Root CAs. If you want to issue certificates to outside entities, a Standalone
CA should be implemented.

• Auto enrollment feature is not available. All requests for certificates are pending until an
administrator approves them.

• Local administrators can configure standalone CAs.

• Standalone CAs can be used with extranets.

• No certificate templates are used.

• Standalone CA certificates cannot be used for smart cards.

Standalone Subordinate CAs


The function of Standalone Subordinate CA is similar to an Enterprise Subordinate CA and Standalone
Subordinate CAs are placed under a Root CA in the certificate hierarchy. You require a Root CA to
configure a Standalone Subordinate CA. Standalone Subordinate CA should be certified by the Root
CA (Root CA on the local network or a third-party CA).
Windows 2003 Certificate Server Architecture
The following figure illustrates the Microsoft Windows 2003 Certificate Server Architecture.

The Microsoft Windows 2003 Certificate Server engine is certsrv.exe. The engine communicates with three
important modules. They are 1) Entry Module 2) Policy Module and 3)
Exit Module.

Entry Module: The entry module accepts PKCS10 and CMC formatted certificate requests. The Entry
Module places the certificate requests in a queue for the policy module.

Policy Module: A policy module is a set of instructions that tells the CA what to do with incoming
certificate requests. A policy module can automatically approve a request, reject a request, or mark a
request as pending for an administrator to manually approve it based on any criteria coded into the
module.

Exit Module: An exit module allows the CA to take some action after a certificate is generated. For
example, an exit module might publish new certificates in the Active Directory or export them to the file
system.

The exit and policy modules are both customizable and replaceable. If the policy module or the exit
module does not match the needs of an organization, the organization can develop modules in C++ or Visual Basic
(VB) and plug them into the CA architecture.

The Certificate Server has a database which is used to store certificate transactions and status
information, certificates, and optionally archived private keys. The database (<CAName>.edb) is by default
located in the system32\certlog folder. The Certificate Server engine communicates with its database
through the certdb.dll.

The GUI administrative tool used for managing the certificate server is "Certificate Authority" MMC snap-
in. It can be located inside Administrative Tools. Windows 2003 also has a command line tool to manage
the certificate server and this tool is certutil.exe.

Intermediaries, or Registration Authorities (RAs), are applications that help the client in generating
correctly formatted PKCS10 or CMC certificate request files. Examples of Windows Server 2003
intermediaries are the Web enrollment pages (which work using HTTP) and the MMC Certificates snap-in
(which works using RPC).

Stand-alone Root Certificate Authority (CA)

The root Certificate Authority (CA) is the most important Certificate Authority (CA) and it is the first
Certificate Authority (CA) in a Public Key Infrastructure (PKI).

Only one Certificate Authority (CA) can authorize itself, and it is the Root Certificate Authority (CA). The
importance of the Root Certificate Authority (CA) is that only the Root Certificate Authority (CA) can issue
a certificate to itself.

The subordinate Certificate Authorities (CAs) should be authorized by the Root Certificate Authority (CA).
The Root Certificate Authority (CA) can issue certificates to Subordinate Certificate Authorities (CAs) and
Subordinate Certificate Authorities (CAs) are then used to issue certificates to users, computers etc.

In a secure Certificate Authority (CA) hierarchy, the Root Certificate Authority (CA) should be an offline
(out of the network) stand-alone Root Certificate Authority (CA). The possibility of compromising the
Public Key Infrastructure (PKI) by hacking the private key of the Root Certificate Authority (CA) can be
avoided to a great extent when the Root Certificate Authority (CA) is kept offline (out of the network). The
offline root can be used only to issue CA certificates to its subordinate CAs.

We need to install the Root Certificate Authority (CA) as Standalone Certificate Authority (CA), because we
need to make sure the Root Certificate Authority (CA) is offline and secured. The Root Certificate
Authority (CA) cannot have network connections and cannot be linked to any domain. If the Root
Certificate Authority (CA) is a member server in a domain, it may lose its trust relationship with the
domain. The offline Root Certificate Authority (CA) cannot be a domain controller either, because domain
controllers cannot be taken off the network indefinitely.

The prerequisites for installing a stand-alone offline root CA are listed below.

• The stand-alone offline Root Certificate Authority (CA) should not be a member of any domain or a
domain controller.

• The computer name for the stand-alone offline Root Certificate Authority (CA) must be unique for the
entire forest.

• A certificate revocation list (CRL) must be published. The CRL distribution point (CDP) must be accessible
to users on the network and it should be included in the certificate.

• The Authority Information Access (AIA) distribution point needs to be configured for other CAs to verify
the Certificate Authority (CA) chain.

• IIS (Internet Information Services) should be configured on the Certificate Authority (CA) server.

How to install Stand-alone offline Root Certificate Authority (CA)


If you are planning to implement a multi-tier Certificate Authority (CA) hierarchy, you should
implement an offline Root Certificate Authority (CA) (Stand-alone root CA), so that the computer can
be removed from the network for long periods of time.

Internet Information Service (IIS) is not required for the installation of a stand-alone offline Root CA
because the only certificate requests submitted to the Root CA are for subordinate CA certificates.
This is normally submitted by using the Certification Authority MMC console.

Before installing the stand-alone offline Root CA, make sure that the server date and time are
correct. The name of the server cannot be changed once you configure the Certificate Authority (CA)
on this server.

Open "Add or Remove Programs" applet from the Control Panel (Start > Control Panel > Add.

Click "Add/Remove Windows Components".


The "Windows Components Wizard" will pop up. Select "Certificate Services" from the list box.

A dialog box will be displayed stating that once you have installed the certificate services on this
server, you cannot change the name of the server. Click "Yes" to accept it and continue or "No" to
exit from the wizard.

Select the Certificate Authority Type from the CA type screen. In this case, select "Stand-alone root
CA". Check the "Use custom settings to generate the key pair and CA certificate" check box. Checking
this check box is only required if you want to change the default settings.

In the "Public and Private Key Pair" screen, you can select the CSP (Cryptographic Service Provider),
Hash Algorithm, and the other settings like Key length. For a Root CA, you must select a high key
length value. Some CSPs might not be supported for generating certificates from some templates.
The Microsoft Strong Cryptographic Provider CSP is the default choice. Other CSPs can be used if you
have the software installed or you have the related hardware.

You can also select the Hash Algorithm here and it allows you to select the required Hash Algorithm
for signatures. MD4 is the weakest and SHA1 is the strongest Hash Algorithm from the available
choices.

The "Use An Existing Key" check box allows you to use an existing key pair, if it was generated with
algorithms compatible with the selected CSP and the Import button lets you import certificates from
a file.

In the "CA Identifying Information" screen, enter the common name of the CA.

It will take a few seconds to generate the keys and a progress bar will be displayed.

In the "Certificate Database Settings" screen, select where the CA's certificate database and log files
will be stored. The CA's own certificates are stored in this location and it should be backed up regularly.

The wizard now needs to copy some setup files. Insert your Windows 2003 Operating System
installation CD in the CD drive. After inserting the CD, click the "Browse" button in the "Copy Error"
dialog box and point it to the "i386" folder on the Windows 2003 Operating System installation CD.

Click the "Open" button in the "Locate File" dialog box and then click the "Retry" button in the
"Copy Error" dialog box.

"Configuring Components" screen with a progress bar will be displayed. If Internet Information
Services (IIS) is not installed on your computer, a dialog box will be displayed stating that.

Click "OK" to continue.

"Completing Windows Components Wizard" will be displayed. Click "Finish" to complete the
installation. Once the installation is over, you can open the "Certification Authority" Console from
Administrative tools.

How to install Enterprise Subordinate (intermediate) Certificate Authority (CA)

Enterprise Certificate Authorities require Active Directory. Make sure the server you are planning to
make an Enterprise Subordinate Certificate Authority is a member of an Active Directory Domain.

Select Start > Control Panel > Add or Remove Programs.

Click "Add/Remove Windows Components" button.


A dialog box will be displayed showing that the machine name cannot be changed after the
installation of Certificate Services. Click "Yes" to continue.

In the "CA Type" screen, select the "Enterprise Subordinate CA" radio button. Click "Next".

In the "CA Identifying Information" screen, enter the Common Name and Distinguished Name suffix (the DN
field will be filled automatically). Click "Next".

In the "Certificate Database Settings" screen, keep the default paths and click "Next".

In the "CA Certificate Request" screen, specify the path where the certificate request will be saved. We
need this request file to get a Certificate Authority certificate from the Root Certificate Authority.
Click "Next".

Click "Yes" to temporarily stop IIS and continue installation.


You may be prompted for the installation CD at this stage. Mount the installation CD in the CD drive and
select the required files from the "i386" folder. Once the files have been copied, a dialog box will be
shown stating that the installation is not complete and that you must use the certificate request file
to obtain a CA certificate.

Click "Finish" to finish the installation.

The installation of the Enterprise subordinate Certificate Authority is not complete. To complete the
installation, we need to get the CA certificate from the Root CA. Copy the request file on a floppy
disk or a pendrive to the Root CA and submit the request to the Root CA.

How to Submit Certificate Request to Root CA

Open the "Certification Authority" Console in Root CA. (Start > Programs > Administrative Tools >
Certification Authority).

Right click Server icon and select "All Tasks > Submit New Request" from the context menu.

Select the copied request file created on the Enterprise subordinate CA.

Go to "Pending Requests", right click the pending request now created, and select "Issue" from the
context menu.

Select "Issued Certificates", double click the entry there.


The new CA Certificate will open. Notice the "General" tab. This certificate is issued by
"OMNISECU ROOT CA" and issued to "OMNISECU ENTERPRISE SUBORDINATE CA".

Open the "Certification Path" tab, and view the certification path.

To export this certificate to a file, click the "Details" tab.

Click "Copy to File". The Certificate Export Wizard will launch. Click "Next".

Select the format of the certificate.

Select location to save the certificate, and save it.


"Completing the Certificate Export Wizard" screen will be displayed.

Click "Finish" to complete it. A dialog box will be displayed showing the export was successful.

Once the Certificate for the Enterprise Subordinate CA is issued from the Root CA, copy that file to
a floppy disk or any removable drive and bring the certificate to the Enterprise Subordinate CA. In
this case, the name of the CA certificate is Cert_SubCA.cer.

How to import Root CA Certificate inside Trusted Root Certification Authorities Store

To import our Standalone offline Root CA certificate into the Enterprise Subordinate CA's Trusted Root
Certification Authorities store, follow these steps.

Copy the Root CA certificate from the Standalone Root CA we have created before.

Open the "Certification Authority" MMC console from Administrative Tools. (Start > Programs >
Administrative Tools > Certification Authority). Select Properties from Context menu.

Click View Certificate button.


The Root CA certificate will open and you can see the certificate is issued to "OMNISECU ROOT CA" and
is issued by "OMNISECU ROOT CA". Only Root CAs can self certify.

Click the "Details" tab and click "Copy to file" to export the Root CA certificate to a file. After exporting the
Root CA certificate, bring it to the Enterprise subordinate CA. Open the certificates MMC console (Start >
Run > mmc). Open menu path File > Add/Remove Snap-in.

In "Add/Remove Snap-in" dialog box, click Add.

Select "Certificates" snap-in, and click "Add".


Select "Computer account" radio button, and click "Next".

Select "Local computer", and click Finish to open the Certificates MMC console snap-in.

Right click the Certificates folder inside "Trusted Root Certification Authorities", and select
"All Tasks > Import" from the context menu.

This action will launch the "Certificate Import Wizard". Click "Next" in the Welcome screen.

Select the physical location of the Root CA certificate to import. Locate the file in the Open dialog
box and click "Open".

In the "Certificate Store" screen, keep the default selection and click "Next".

In the "Completing the Certificate Import Wizard" screen, click "Finish" to finish the import.

"The import was successful" message will be displayed.


Open the "Certificates" folder inside the "Trusted Root Certification Authorities" tree in the
"Certificates" MMC console. Check whether you can locate the newly imported certificate there.

You have imported the Root CA certificate inside "Trusted Root Certification Authorities" store.

How to install CA certificate issued from Root CA on Enterprise Sub CA

After importing the Root CA certificate in "Trusted Root Certification Authorities", open the "Certification
Authorities" Console (Start > Programs > Administrative Tools > Certification Authorities). The red square
on the server icon denotes that the Certificate Services are not running on this server.

Right click the server and select "All Tasks > Start Service" from the context menu.

Click "Yes" on the dialog box, which states that the CA certificate is missing and asks whether you want
to install a new certificate.

In the "Select file to complete CA installation" dialog box, browse to the physical path where the
certificate for the Enterprise Subordinate CA is kept (the certificate file which was generated by the
Root CA for the enterprise subordinate CA).

Click "Open". The installation will be completed now.
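
The three procedures above (submit the request on the Root CA, import the Root CA certificate into the trusted root store, install the issued CA certificate) can also be carried out with certutil.exe and certreq.exe. The script below is an added example, not part of the original tutorial. It assumes a hypothetical Root CA computer name (ROOTCA01), hypothetical file names SubCA.req and RootCA.cer, and a removable disk at A:.

```bat
@echo off
rem Added example (not from the original tutorial). Constructed names:
rem   ROOTCA01               hypothetical computer name of the offline Root CA
rem   SubCA.req, RootCA.cer  hypothetical file names on the removable disk
rem   Cert_SubCA.cer and the CA common name are the ones used in the text.
rem Usage: subca-enroll.cmd root   (run on the offline Root CA)
rem        subca-enroll.cmd sub    (run on the Enterprise Subordinate CA)
setlocal
set ROOTCFG=ROOTCA01\OMNISECU ROOT CA
set MEDIA=A:

if /i "%~1"=="root" goto root
if /i "%~1"=="sub" goto sub
echo Usage: %~nx0 root^|sub
exit /b 2

:root
rem 1. Submit the request file. A stand-alone CA leaves the request pending
rem    and prints its RequestId.
certreq -submit -config "%ROOTCFG%" "%MEDIA%\SubCA.req"
set /p REQID=Enter the RequestId printed above: 
rem 2. Issue the pending request (same as Pending Requests, then Issue).
certutil -resubmit %REQID% || exit /b 1
rem 3. Retrieve the issued subordinate CA certificate to the removable disk.
certreq -retrieve -config "%ROOTCFG%" %REQID% "%MEDIA%\Cert_SubCA.cer" || exit /b 1
rem 4. Export the Root CA's own certificate, then display it so its
rem    certificate hash can be written down and carried separately.
certutil -ca.cert "%MEDIA%\RootCA.cer" || exit /b 1
certutil -dump "%MEDIA%\RootCA.cer"
exit /b 0

:sub
rem 5. Display the root certificate; compare its hash with the value noted
rem    on the Root CA before trusting it. Press Ctrl+C to abort on mismatch.
certutil -dump "%MEDIA%\RootCA.cer"
pause
rem 6. Add it to the local computer's Trusted Root Certification Authorities store.
certutil -addstore Root "%MEDIA%\RootCA.cer" || exit /b 1
rem 7. Build and check the chain for the issued CA certificate. Resolve any
rem    failure here (for example an unreachable CRL) before installing.
certutil -verify "%MEDIA%\Cert_SubCA.cer" || exit /b 1
rem 8. Install the CA certificate and start Certificate Services.
certutil -installcert "%MEDIA%\Cert_SubCA.cer" || exit /b 1
net start certsvc
```

Comparing the root certificate's hash in step 5 against a value recorded on the Root CA itself guards against a swapped file on the removable media, since anything added to the trusted root store is trusted by the whole machine.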
