Introduction

What is Security?
In general, security is “the quality or state of being secure—to be free from danger.”
A successful organization should have the following multiple layers of security in place
to protect its operations:

 Physical security, to protect physical items, objects, or areas from unauthorized

access and misuse
 Personnel security, to protect the individual or group of individuals who are
authorized to access the organization and its operations
 Operations security, to protect the details of a particular operation or series of
activities
 Communications security, to protect communications media, technology, and
content
 Network security, to protect networking components, connections, and contents
 Information security, to protect the confidentiality, integrity and availability of
information assets, whether in storage, processing, or transmission. It is achieved
via the application of policy, education, training and awareness, and technology.

Figure 1  Components of Information Security

Key Information Security Concepts

 Access: A subject or object’s ability to use, manipulate, modify, or affect another

subject or object. Authorized users have legal access to a system, whereas hackers
have illegal access to a system. Access controls regulate this ability. 
 Asset: The organizational resource that is being protected. An asset can be
logical, such as a Web site, information, or data; or an asset can be physical, such
as a person, computer system, or other tangible object. Assets, and particularly
information assets, are the focus of security efforts; they are what those efforts are
attempting to protect.
 Attack: An intentional or unintentional act that can cause damage to or otherwise
compromise information and/or the systems that support it. Attacks can be active or
passive, intentional or unintentional, and direct or indirect. Someone casually
reading sensitive information not intended for his or her use is a passive attack. A
hacker attempting to break into an information system is an intentional attack. A
lightning strike that causes a fire in a building is an unintentional attack. A direct
attack is a hacker using a personal computer to break into a system. An indirect
attack is a hacker compromising a system and using it to attack other systems, for
example, as part of a botnet (slang for robot network). This group of compromised
computers, running software of the attacker’s choosing, can operate autonomously
or under the attacker’s direct control to attack systems and steal user information or
conduct distributed denial-of-service attacks. Direct attacks originate from the threat
itself. Indirect attacks originate from a compromised system or resource that is
malfunctioning or working under the control of a threat.
 Control, safeguard, or countermeasure: Security mechanisms, policies, or
procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities,
and otherwise improve the security within an organization. The various levels and
types of controls are discussed more fully in the following modules.
 Exploit: A technique used to compromise a system. This term can be a verb or a
noun. Threat agents may attempt to exploit a system or other information asset by
using it illegally for their personal gain. Or, an exploit can be a documented process
to take advantage of a vulnerability or exposure, usually in software, that is either
inherent in the software or is created by the attacker. Exploits make use of existing
software tools or custom-made software components.
 Exposure: A condition or state of being exposed. In information security,
exposure exists when a vulnerability known to an attacker is present.
 Loss: A single instance of an information asset suffering damage or unintended
or unauthorized modification or disclosure. When an organization’s information is
stolen, it has suffered a loss.
 Protection profile or security posture: The entire set of controls and
safeguards, including policy, education, training and awareness, and technology,
that the organization implements (or fails to implement) to protect the asset. The
terms are sometimes used interchangeably with the term security program, although
the security program often comprises managerial aspects of security, including
planning, personnel, and subordinate programs. 
 Risk: The probability that something unwanted will happen. Organizations must
minimize risk to match their risk appetite—the quantity and nature of risk the
organization is willing to accept.
 Subjects and objects: A computer can be either the subject of an attack—an
agent entity used to conduct the attack—or the object of an attack—the target entity,
as shown in Figure 2. A computer can be both the subject and object of an attack,
 when, for example, it is compromised by an attack (object), and is then used to
attack other systems (subject).
 Threat: A category of objects, persons, or other entities that presents a danger to
an asset. Threats are always present and can be purposeful or undirected. For
example, hackers purposefully threaten unprotected information systems, while
severe storms incidentally threaten buildings and their contents.
 Threat agent: The specific instance or a component of a threat. For example, all
hackers in the world present a collective threat, while Kevin Mitnick, who was
convicted for hacking into phone systems, is a specific threat agent. Likewise, a
lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of
severe storms.
 Vulnerability: A weaknesses or fault in a system or protection mechanism that
opens it to attack or damage. Some examples of vulnerabilities are a flaw in a
software package, an unprotected system port, and an unlocked door. Some well-
known vulnerabilities have been examined, documented, and published; others
remain latent (or undiscovered).

Figure 2. Computer as the subject and object of an Attack

Critical Characteristics of Information

The value of information comes from the characteristics it possesses. Critical factors
are:

 Availability - Timely access of information

 Accuracy - Free from mistakes or errors
 Authenticity - Quality or state of being genuine
 Confidentiality - Protected from disclosure from unauthorized entities
 Integrity - Complete and not corrupted
 Utility - Having value
 Possession -  Quality of ownership and control

Components of Information Systems

 Software - Computer programs

 Hardware - Machines
 Data - Input to your systems
 People  - Source or sink of information
 Procedures - Policies
 Networks - Inter-connectivity of hardware

Approaches to Information Security Implementation

 Bottom-up Approach: System administrators improves the security of the

system
 Top-down Approach: Management initiated improvement of the system

Figure 3. Approaches to Information Security Implementation

Table 1. Summary of Phases for SDLC and SecS

The Environment
Business Needs First
Information security performs four important functions for an organization:

1.  Protecting the organization’s ability to function

2.  Enabling the safe operation of applications running on the organization’s IT
systems
3.  Protecting the data the organization collects and uses
4.  Safeguarding the organization’s technology assets

Threats
To protect your organization’s information, you must

1.  Know yourself - familiarity of the information to be protected and the systems

that store, transport, and process it
2.  Know the threats - be informed about the various threats to an organization’s
people, applications, data, and information systems

Table 2. Threats to Information Security

Attacks
An attack is an act that takes advantage of a vulnerability to compromise a controlled
system.
Examples:

1.  Malicious Code - The malicious code attack includes the execution of viruses,
worms, Trojan horses, and active Web scripts with the intent to destroy or steal
information.
2.  Hoaxes - A more devious attack on computer systems is the transmission of a
virus hoax with a real virus attached.
3.  Back Doors - Using a known or previously unknown and newly discovered
access mechanism, an attacker can gain access to a system or network resource
through a back door.
4.  Password Crack - Attempting to reverse-calculate a password is often called
cracking.
5.  Brute Force - The application of computing and network resources to try every
possible password combination is called a brute force attack.
6.  Dictionary - The dictionary attack is a variation of the brute force attack which
narrows the field by selecting specific target accounts and using a list of commonly
used passwords (the dictionary) instead of random combinations.
7.  Denial-of-Service (DoS) - In a denial-of-service (DoS) attack, the attacker
sends a large number of connection or information requests to a target . So many
requests are made that the target system becomes overloaded and cannot respond
to legitimate requests for service.
8.  Disributed Denial-of-Service (DDoS) - A distributed denial of-service (DDoS) is
an attack in which a coordinated stream of requests is launched against a target
from many locations at the same time.
9.  Spoofing - Spoofing is a technique used to gain unauthorized access to
computers, wherein the intruder sends messages with a source IP address that has
been forged to indicate that the messages are coming from a trusted host. 
10.  Man-in-the-Middle - In the well-known man-in-the-middle or TCP hijacking
attack, an attacker monitors (or sniffs) packets from the network, modifies them, and
inserts them back into the network. 
11.  Spam - Spam is unsolicited commercial e-mail. 
12.  Mail Bombing - Another form of e-mail attack that is also a DoS is called a mail
bomb, in which an attacker routes large quantities of e-mail to the target. 
13.  Sniffers - A sniffer is a program or device that can monitor data traveling over a
network. 
14.  Social Engineering - Social engineering is the process of using social skills to
convince people to reveal access credentials or other valuable information to the
attacker.
-  Phising - a social engineering technique in an attempt to gain personal financial
information from an individual, usually by posing as a legitimate entity.
15.  Pharming - Pharming is “the redirection of legitimate Web traffic (e.g., browser
requests) to an illegitimate site for the purpose of obtaining private information.
16.  Timing Attack - A timing attack explores the contents of a Web browser’s cache
and stores a malicious cookie on the client’s system.
Overview
Access Control
Access control is the method by which systems determine whether and how to admit a user into
a trusted area of the organization—that is, information systems, restricted areas such as
computer rooms, and the entire physical location. Access control is achieved by means of a
combination of policies, programs, and technologies. Access controls can be mandatory, non-
discretionary, or discretionary. 
In general, all access control approaches rely on as the following mechanisms:
 Identification
 Authentication
 Authorization
 Accountability
Identification
 A mechanism whereby an unverified entity—called a supplicant—that
seeks access to a resource proposes a label by which they are known to
the system
 The label applied to the supplicant (or supplied by the supplicant) is called
an identifier (ID), and must be mapped to one and only one entity within
the security domain
Authentication
 The process of validating a supplicant’s purported identity
 Three widely used authentication mechanism or factors:
1.  Something a supplicant knows - Password of Passphrase
2.  Something a supplicant has - Dumb cards, like ID and ATM
3.  Something a supplicant is - Biometrics
Authorization

 Matching of an authenticated entity to a list of information assets and

corresponding access levels.
 In general, authorization can be handled in one of three ways:
1.  Authorization for each authenticated user
 2.  Authorization for members of a group
3. Authorization across multiple systems
Accountability


 Also known as auditability, ensures that all actions on a system—

authorized or unauthorized—can be attributed to an authenticated identity
 Most often accomplished by means of system logs and database
journals, and the auditing of these records
 Simply tracking the use or access of a particular resource
Firewalls
Firewalls
 A firewall in an information security program is similar to a building’s firewall in that it
prevents specific types of information from moving between the outside world, known as
the untrusted network (for example, the Internet), and the inside world, known as the
trusted network.
 The firewall may be a separate computer system, a software service running on an
existing router or server, or a separate network containing a number of supporting
devices. Firewalls can be categorized by processing mode, development era, or
structure.
Firewall Processing Modes
Firewalls fall into five major processing-mode categories: 
1.
1.
1. Packet-filtering firewalls
2. Application gateways
3. Circuit gateways
4. MAC layer firewalls
5. Hybrids


o
 Hybrid firewalls use a combination of the other four modes, and in
practice, most firewalls fall into this category, since most firewall
implementations use multiple approaches
 The packet-filtering firewall, also simply called a filtering firewall,
examines the header information of data packets that come into a
network
 A packet-filtering firewall installed on a TCP/IP- based network typically
functions at the IP level and determines whether to drop a packet (deny)
or forward it to the next network connection (allow) based on the rules
programmed into the firewall
 Packet-filtering firewalls examine every incoming packet header and can
selectively filter packets based on header information such as destination
address, source address, packet type, and other key information as seen
in Figure 5.
 Packet-filtering firewalls scan network data packets looking for
compliance with or violation of the rules of the firewall’s database
 Filtering firewalls inspect packets at the network layer, or Layer 3, of the
Open Systems Interconnect (OSI) model, which represents the seven
layers of networking processes
 If the device finds a packet that matches a restriction, it stops the packet
from traveling from one network to another
 The restrictions most commonly implemented in packet-filtering firewalls
are based on a combination of the following:
- IP source and destination address 
- Direction (inbound or outbound) 
- Protocol (for firewalls capable of examining the IP protocol layer) 
- Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
source and destination port requests (for firewalls capable of examining
the TCP/UPD layer) Figure 5. IP Packet Structure
Packet structure varies depending on the nature of the packet. The two primary service types
are TCP and UDP (as noted above). Figures 6 and 7 show the structures of these two major
elements of the combined protocol known as TCP/IP.
Figure 6. TCP Packet Structure

Figure 7. UDP Datagram Structure

 
o
 Simple firewall models examine two aspects of the packet header:
the destination and source address
 They enforce address restrictions, rules designed to prohibit
packets with certain addresses or partial addresses from passing through the
device
 They accomplish this through ACLs, which are created and
modified by the firewall administrators
 Figure 8 shows how a packet-filtering router can be used as a
simple firewall to filter data packets from inbound connections and allow
outbound connections unrestricted access to the public network.

Figure 8. Packet-Filtering Router

 To better understand an address restriction scheme, consider Table 3. If an

administrator were to configure a simple rule based on the content of Table 3, any
connection attempt made by an external computer or network device in the
192.168.x.x address range (192.168.0.0–192.168.255.255) is allowed. The ability to
restrict a specific service, rather than just a range of IP addresses, is available in a
more advanced version of this first generation firewall

Table 3. Sample Firewall Rule and Format

 
o
 There are three subsets of packet-filtering firewalls:

1.
1.
1.
1.  Static filtering - requires that the filtering rules be developed
and installed with the firewall
2.  Dynamic filtering - firewall can react to an emergent event
and update or create rules to deal with that event
3.  Stateful inspection - keep track of each network connection
between internal and external systems using a state table

Application Gateways


 The application gateway, also known as an application-level firewall or
application firewall, is frequently installed on a dedicated computer, separate from
the filtering router, but is commonly used in conjunction with a filtering router
 Also known as a proxy server since it runs special software that acts as a proxy
for a service request
 Proxy server receives requests for Web pages, accesses the Web server on
behalf of the external client, and returns the requested pages to the users
 These servers can store the most recently accessed pages in their internal
cache, and are thus also called cache servers
 The proxy server is placed in an unsecured area of the network or in the
demilitarized zone (DMZ)—an intermediate area between a trusted network and an
untrusted network—so that it, rather than the Web server, is exposed to the higher
levels of risk from the less trusted networks
 Additional filtering routers can be implemented behind the proxy server, limiting
access to the more secure internal system, and thereby further protecting internal
systems

Circuit Gateways
 The circuit gateway firewall operates at the transport layer
 Connections are authorized based on addresses
 Like filtering firewalls, circuit gateway firewalls do not usually look at traffic
flowing between one network and another, but they do prevent direct connections
between one network and another

MAC Layer Firewalls

 Designed to operate at the media access control sublayer of the data link layer
(Layer 2) of the OSI network model
 Enables these firewalls to consider the specific host computer’s identity, as
represented by its MAC or network interface card (NIC) address in its filtering
decisions

Figure 9. Firewall Types and the OSI Model

Hybrid Firewalls

 Hybrid firewalls combine the elements of other types of firewalls— that is, the
elements of packet filtering and proxy services, or of packet filtering and circuit
gateways
 May actually consist of two separate firewall devices; each is a separate firewall
system, but they are connected so that they work in tandem
 For example, a hybrid firewall system might include a packet-filtering firewall that
is set up to screen all acceptable requests, then pass the requests to a proxy server,
which in turn requests services from a Web server deep inside the organization’s
networks
 An added advantage to the hybrid firewall approach is that it enables an
organization to make a security improvement without completely replacing its
existing firewalls

Firewalls Categorized by Generation

 First generation firewalls are static packet-filtering firewalls—that is, simple

networking devices that filter packets according to their headers as the packets
travel to and from the organization’s networks.
 Second generation firewalls are application-level firewalls or proxy servers—that
is, dedicated systems that are separate from the filtering router and that provide
intermediate services for requestors.
 Third generation firewalls are stateful inspection firewalls, which, as described
previously, monitor network connections between internal and external systems
using state tables.
 Fourth generation firewalls, which are also known as dynamic packet-filtering
firewalls, allow only a particular packet with a particular source, destination, and port
address to enter.
 Fifth generation firewalls include the kernel proxy, a specialized form that works
under Windows NT Executive, which is the kernel of Windows NT. This type of
firewall evaluates packets at multiple layers of the protocol stack, by checking
security in the kernel as data is passed up and down the stack. Example is Cisco.

Firewalls Categorized by Structure

 Most commercial-grade firewalls are dedicated appliances.  Specifically, they are

stand-alone units running on fully customized computing platforms that provide both
the physical network connection and firmware programming necessary to perform
their function.
 Other commercial firewall systems are actually off-the-shelf general purpose
computer systems that run custom application software on standard operating
systems like Windows or Linux/Unix, or on specialized variants of these operating
systems.
 Most small office or residential-grade firewalls are either simplified dedicated
appliances running on computing devices or application software installed directly on
the user’s computer.

Commercial-Grade Firewall Appliances

 Firewall appliances are stand-alone, self contained combinations of computing
hardware and software.
 The firewall rule sets are stored in nonvolatile memory, and thus they can be
changed by technical staff when necessary but are available each time the device is
restarted.

Commercial-Grade Firewall Systems 

 Consists of application software that is configured for the firewall application and
run on a general-purpose computer
 Organizations can install firewall software on an existing general purpose
computer system, or they can purchase hardware that has been configured to
specifications that yield optimum firewall performance

Small Office/Home Office (SOHO) Firewall Appliances 

 These devices, also known as broadband gateways or DSL/cable modem

routers, connect the user’s local area network or a specific computer system to the
Internetworking device—in this case, the cable modem or DSL router provided by
the Internet service provider (ISP)
 The SOHO firewall serves first as a stateful firewall to enable inside-to-outside
access and can be configured to allow limited TCP/IP port forwarding and/or
screened subnet capabilities

Residential-Grade Firewall Software

 Another method of protecting the residential user is to install a software firewall

directly on the user’s system
 Many people have implemented these residential-grade software-based firewalls
(some of which also provide antivirus or intrusion detection capabilities), but,
unfortunately, they may not be as fully protected as they think

Selecting the Right Firewall

 When trying to determine which is the best firewall for an organization, you
should consider the following questions:

1.
1.  Which type of firewall technology offers the right balance between
protection and cost for the needs of the organization?
2. What features are included in the base price? What features are available
at extra cost? Are all cost factors known? 
3. How easy is it to set up and configure the firewall? How accessible are the
staff technicians who can competently configure the firewall? 
4. Can the candidate firewall adapt to the growing network in the target
organization? 
 The most important factor is, of course, the extent to which the firewall design
provides the required protection
 The second most important factor is cost

Virtual Private Networks (VPNs)

 Virtual private networks are implementations of cryptographic technology .

 A virtual private network (VPN) is a private and secure network connection
between systems that uses the data communication capability of an unsecured and
public network.
 The Virtual Private Network Consortium (VPNC) (www.vpnc. org) defines a VPN
as “a private data network that makes use of the public telecommunication
infrastructure, maintaining privacy through the use of a tunneling protocol and
security procedures.”
 VPNs are commonly used to securely extend an organization’s internal network
connections to remote locations.
 The VPNC defines three VPN technologies: trusted VPNs, secure VPNs, and
hybrid VPNs.
 A VPN that proposes to offer a secure and reliable capability while relying on
public networks must accomplish the following, regardless of the specific
technologies and protocols being used:
o
 Encapsulation of incoming and outgoing data, wherein the native
protocol of the client is embedded within the frames of a protocol that can be
routed over the public network and be usable by the server network
environment.
 Encryption of incoming and outgoing data to keep the data
contents private while in transit over the public network, but usable by the
client and server computers and/or the local networks on both ends of the
VPN connection.
 Authentication of the remote computer and, perhaps, the remote
user as well. Authentication and the subsequent authorization of the user to
perform specific actions are predicated on accurate and reliable identification
of the remote system and/or user.

 
Transport Mode

 In transport mode, the data within an IP packet is encrypted, but the header
information is not. 
 This allows the user to establish a secure link directly with the remote host,
encrypting only the data contents of the packet.
 The downside to this implementation is that packet eavesdroppers can still
identify the destination system.
 Once an attacker knows the destination, he or she may be able to compromise
one of the end nodes and acquire the packet information from it.
 On the other hand, transport mode eliminates the need for special servers and
tunneling software, and allows the end users to transmit traffic from anywhere.
 This is especially useful for traveling or telecommuting employees. Figure 10
illustrates the transport mode methods of implementing VPNs.

Figure 10. Transport Mode VPN

Tunnel Mode

 Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that
will traverse an unsecured network.
 In tunnel mode, the entire client packet is encrypted and added as the data
portion of a packet addressed from one tunneling server to another.
 The receiving server decrypts the packet and sends it to the final address.
 The primary benefit to this model is that an intercepted packet reveals nothing
about the true destination system.
 One example of a tunnel mode VPN is provided with Microsoft’s Internet Security
and Acceleration (ISA) Server.
 With ISA Server, an organization can establish a gateway-to-gateway tunnel,
encapsulating data within the tunnel.

Figure 11. Tunnel Mode VPN

Intrusion Detection and Prevention Systems

 An intrusion occurs when an attacker attempts to gain entry into or disrupt the
normal operations of an information system, almost always with the intent to do
harm. 
 Even when such attacks are self-propagating, as in the case of viruses and
distributed denial-of-service attacks, they are almost always instigated by someone
whose purpose is to harm an organization.
 Often, the differences among intrusion types lie with the attacker—some
intruders don’t care which organizations they harm and prefer to remain anonymous,
while others crave notoriety.

Intrusion Prevention

 Intrusion prevention consists of activities that deter an intrusion such as:

o
 writing and implementing good enterprise information security
policy
 planning and executing effective information security programs
 installing and testing technology-based information security
countermeasures (such as firewalls and intrusion detection systems)
 conducting and measuring the effectiveness of employee training
and awareness activities

Intrusion Detection

 Intrusion detection consists of procedures and systems that identify system

intrusions

Intrusion Reaction
 Intrusion reaction encompasses the actions an organization takes when an
intrusion is detected
 These actions seek to limit the loss from an intrusion and return operations to a
normal state as rapidly as possible

Intrusion Correction

 Intrusion correction activities finalize the restoration of operations to a normal

state and seek to identify the source and method of the intrusion in order to ensure
that the same type of attack cannot occur again—thus reinitiating intrusion
prevention

IDPS Terminology

 Alert or alarm: An indication that a system has just been attacked or is under
attack. IDPS alerts and alarms take the form of audible signals, e-mail messages,
pager notifications, or pop-up windows. 
 Evasion: The process by which attackers change the format and/or timing of
their activities to avoid being detected by the IDPS.
 False attack stimulus: An event that triggers an alarm when no actual attack is
in progress. Scenarios that test the configuration of IDPSs may use false attack
stimuli to determine if the IDPSs can distinguish between these stimuli and real
attacks.
 False negative: The failure of an IDPS to react to an actual attack event. This is
the most grievous failure, since the purpose of an IDPS is to detect and respond to
attacks.
 False positive: An alert or alarm that occurs in the absence of an actual attack.
A false positive can sometimes be produced when an IDPS mistakes normal system
activity for an attack. False positives tend to make users insensitive to alarms and
thus reduce their reactivity to actual intrusion events.
 Noise: Alarm events that are accurate and noteworthy but that do not pose
significant threats to information security. Unsuccessful attacks are the most
common source of IDPS noise, and some of these may in fact be triggered by
scanning and enumeration tools deployed by network users without intent to do
harm.
 Site policy: The rules and configuration guidelines governing the implementation
and operation of IDPSs within the organization.
 Site policy awareness: An IDPS’s ability to dynamically modify its configuration
in response to environmental activity. A so-called smart IDPS can adapt its reactions
in response to administrator guidance over time and circumstances of the current
local environment. A smart IDPS logs events that fit a specific profile instead of
minor events, such as file modification or failed user logins. The smart IDPS knows
when it does not need to alert the administrator—for example, when an attack is
using a known and documented exploit that the system is protected from.
 True attack stimulus: An event that triggers alarms and causes an IDPS to
react as if a real attack is in progress. The event may be an actual attack, in which
 an attacker is at work on a system compromise attempt, or it may be a drill, in which
security personnel are using hacker tools to conduct tests of a network segment.
 Tuning: The process of adjusting an IDPS to maximize its efficiency in detecting
true positives, while minimizing both false positives and false negatives.
 Confidence value: The measure of an IDPS’s ability to correctly detect and
identify certain types of attacks. The confidence value an organization places in the
IDPS is based on experience and past performance measurements. The confidence
value, which is based upon fuzzy logic, helps an administrator determine how likely
it is that an IDPS alert or alarm indicates an actual attack in progress. For example,
if a system deemed 90 percent capable of accurately reporting a denial-of-service
attack sends a denial-of-service alert, there is a high probability that an actual attack
is occurring.
 Alarm filtering: The process of classifying IDPS alerts so that they can be more
effectively managed. An IDPS administrator can set up alarm filtering by running the
system for a while to track what types of false positives it generates and then
adjusting the alarm classifications. For example, the administrator may set the IDPS
to discard alarms produced by false attack stimuli or normal network operations.
Alarm filters are similar to packet filters in that they can filter items by their source or
destination IP addresses, but they can also filter by operating systems, confidence
values, alarm type, or alarm severity.
 Alarm clustering and compaction: A process of grouping almost identical
alarms that happen at close to the same time into a single higher-level alarm. This
consolidation reduces the number of alarms generated, thereby reducing
administrative overhead, and also identifies a relationship among multiple alarms.
This clustering may be based on combinations of frequency, similarity in attack
signature, similarity in attack target, or other criteria that are defined by the system
administrators.

Why use an IDPS?

 According to the NIST documentation on industry best practices, there are

several compelling reasons to acquire and use an IDPS: 

1.
1. To prevent problem behaviors by increasing the perceived risk of
discovery and punishment for those who would attack or otherwise abuse the
system 
2. To detect attacks and other security violations that are not prevented by
other security measures 
3. To detect and deal with the preambles to attacks (commonly experienced
as network probes and other “doorknob rattling” activities) 
4. To document the existing threat to an organization
5. To act as quality control for security design and administration, especially
in large and complex enterprises 
6. To provide useful information about intrusions that do take place, allowing
improved diagnosis, recovery, and correction of causative factors
 One of the best reasons to install an IDPS is that they serve as deterrents by
increasing the fear of detection among would-be attackers.
 If internal and external users know that an organization has an intrusion detection
and prevention system, they are less likely to probe or attempt to compromise it

Types of IDPS

 IDPSs operate as network- or host-based systems

  A network-based IDPS is focused on protecting network information assets
 Two specialized subtypes of network-based IDPS are the wireless IDPS and the
network behavior analysis (NBA) IDPS

Figure 12. Intrusion Detection and Prevention System

Network-Based IDPS

o
 A network-based IDPS (NIDPS) resides on a computer or
appliance connected to a segment of an organization’s network and monitors
network traffic on that network segment, looking for indications of ongoing or
successful attacks
 When the NIDPS identifies activity that it is programmed to
recognize as an attack, it responds by sending notifications to administrators
 The advantages of NIDPSs include the following:
1.
1.
1.
1. Good network design and placement of NIDPS devices can
enable an organization to use a few devices to monitor a large network. 
2.  NIDPSs are usually passive devices and can be deployed
into existing networks with little or no disruption to normal network
operations.
3. NIDPSs are not usually susceptible to direct attack and, in
fact, may not be detectable by attackers


o
 The disadvantages of NIDPSs include the following: 

1.
1.
1.
1.   A NIDPS can become overwhelmed by network volume
and fail to recognize attacks it might otherwise have detected
2.  NIDPSs require access to all traffic to be monitored
3.  NIDPSs cannot analyze encrypted packets, making some of
the network traffic invisible to the process.
4.  NIDPSs cannot reliably ascertain if an attack was
successful or not
5.  Some forms of attack are not easily discerned by NIDPSs,
specifically those involving fragmented packets

Wireless NIDPS

o
 A wireless IDPS monitors and analyzes wireless network traffic,
looking for potential problems with the wireless protocols (Layers 2 and 3 of
the OSI model)
 Unfortunately, wireless IDPSs cannot evaluate and diagnose issues
with higher-layer protocols like TCP and UDP
 Wireless IDPS capability can be built into a device that provides a
wireless access point.
 wireless IDPS can also detect:
 Unauthorized WLANs and WLAN devices
 Poorly secured WLAN devices
 Unusual usage patterns
 The use of wireless network scanners
 Denial of service (DoS) attacks and conditions
 Impersonation and man-in-the-middle attacks
  Some issues associated with the implementation of wireless IDPSs
include:

1.
1.
1.
1.  Physical security
2. Sensor range
3. Access point and wireless switch locations
4. Wired network connections
5. Cost

Host-Based IDPS

o
 Host-based IDPS (HIDPS) resides on a particular computer or
server, known as the host, and monitors activity only on that system
 HIDPSs are also known as system integrity verifiers because they
benchmark and monitor the status of key system files and detect when an
intruder creates, modifies, or deletes monitored files
 An HIDPS has an advantage over an NIDPS in that it can access
encrypted information traveling over the network and use it to make decisions
about potential or actual attacks.

Honeypots, Honeynets, and

Paddled Cell System
A class of powerful security tools that go beyond routine intrusion detection is known
variously as honeypots, honeynets, or padded cell systems.

 Honeypots are decoy systems designed to lure potential attackers away from
critical systems
 In the industry, they are also known as decoys, lures, and fly-traps
 When a collection of honeypots connects several honeypot systems on a subnet,
it may be called a honeynet
 A honeypot system (or in the case of a honeynet, an entire subnetwork) contains
pseudo-services that emulate well-known services, but is configured in ways that
make it look vulnerable to attacks
 This combination is meant to lure potential attackers into committing an attack,
thereby revealing themselves—the idea being that once organizations have
detected these attackers, they can better defend their networks against future
attacks targeting real assets
 In sum, honeypots are designed to do the following:
o Divert an attacker from critical systems
o Collect information about the attacker’s activity
o Encourage the attacker to stay on the system long enough for
administrators to document the event and, perhaps, respond
 A padded cell is a honeypot that has been protected so that that it cannot be
easily compromised—in other words, a hardened honeypot
 In addition to attracting attackers with tempting data, a padded cell operates in
tandem with a traditional IDPS

Advantages:

 Attackers can be diverted to targets that they cannot damage

 Administrators have time to decide how to respond to an attacker
 Attackers’ actions can be easily and more extensively monitored, and the records
can be used to refine threat models and improve system protections
 Honeypots may be effective at catching insiders who are snooping around a
network

Disadvantages:

 The legal implications of using such devices are not well understood
 Honeypots and padded cells have not yet been shown to be generally useful
security technologies
 An expert attacker, once diverted into a decoy system, may become angry and
launch a more aggressive attack against an organization’s systems
 Administrators and security managers need a high level of expertise to use these
systems

 Scanning and Analysis Tools

 In order to secure a network, it is imperative that someone in the organization

knows exactly where the network needs securing
 This may sound simple and obvious; however, many companies skip this step
 They install a simple perimeter firewall, and then, lulled into a sense of security
by this single layer of defense, they relax
 To truly assess the risk within a computing environment, you must deploy
technical controls using a strategy of defense in depth, which is likely to include
intrusion detection systems (IDSs), active vulnerability scanners, passive
vulnerability scanners, automated log analyzers, and protocol analyzers (commonly
referred to as sniffers)
 Scanner and analysis tools can find vulnerabilities in systems, holes in security
components, and unsecured aspects of the network

Port Scanner
 Port scanning utilities, or port scanners, are tools used by both attackers and
defenders to identify (or fingerprint) the computers that are active on a network, as
well as the ports and services active on those computers, the functions and roles the
machines are fulfilling, and other useful information
 These tools can scan for specific types of computers, protocols, or resources, or
their scans can be generic
 It is helpful to understand the network environment so that you can use the tool
most suited to the data collection task at hand
 As a rule of thumb, when a port is not used, close it.
 Table 4 below shows commonly used communication ports used out of 65,536
communication port available.

Table 4. Commonly used port numbers

Firewall Analysis Tools

 Understanding exactly where an organization’s firewall is located and what the

existing rule sets on the firewall do are very important steps for any security
administrator
 There are several tools that automate the remote discovery of firewall rules and
assist the administrator (or attacker) in analyzing the rules to determine exactly what
they allow and what they reject
 Some Firewall Analysis tools used are Nmap, Firewalk, HPING

Operating System Detection Tools

 Detecting a target computer’s operating system is very valuable to an attacker,

because once the OS is known, all of the vulnerabilities to which it is susceptible can
easily be determined
 There are many tools that use networking protocols to determine a remote
computer’s OS
 One specific tool worth mentioning is XProbe, which uses ICMP to determine the
remote OS

Vulnerability Scanners

 Active vulnerability scanners scan networks for highly detailed information

 An active scanner is one that initiates traffic on the network in order to determine
security holes
 As a class, this type of scanner identifies exposed usernames and groups, shows
open network shares, and exposes configuration problems and other vulnerabilities
in servers
 . An example of a vulnerability scanner is GFI LANguard Network Security
Scanner (NSS), which is available as freeware for noncommercial use
 Another example of a vulnerability scanner is Nessus, which is a professional
freeware utility that uses IP packets to identify the hosts available on the network,
the services (ports) they are offering, the operating system and OS version they are
running, the type of packet filters and firewalls in use, and dozens of other
characteristics of the network

Packet Sniffers

 A packet sniffer (sometimes called a network protocol analyzer) is a network tool

that collects copies of packets from the network and analyzes them
 It can provide a network administrator with valuable information for diagnosing
and resolving networking issues
 In the wrong hands, however, a sniffer can be used to eavesdrop on network
traffic
 There are both commercial and open-source sniffers—more specifically, Sniffer
is a commercial product, and Snort is open-source software
 An excellent free, client-based network protocol analyzer is Wireshark
(www.wireshark.org), formerly known as Ethereal
 Wireshark allows the administrator to examine data from both live network traffic
and captured traffic
 Some Wireless Security Tools used as sniffers are Kismet, Netstumbler,
Aircrack, Airsnort, and KisMac

Biometric Access Controls

 Biometric access control is based on the use of some measurable human

characteristic or trait to authenticate the identity of a proposed systems user (a
supplicant)
 It relies upon recognition—the same thing you rely upon to identify friends,
family, and other people you know
 The use of biometric-based authentication is expected to have a significant
impact in the future as technical and ethical issues with the technology are resolved
 Biometric authentication technologies include the following:
o Fingerprint comparison of the supplicant’s actual fingerprint to a stored
fingerprint
o Palm print comparison of the supplicant’s actual palm print to a stored
palm print
o Hand geometry comparison of the supplicant’s actual hand to a stored
measurement
o Facial recognition using a photographic ID card, in which a human security
guard compares the supplicant’s face to a photo
o Facial recognition using a digital camera, in which a supplicant’s face is
compared to a stored image
o Retinal print comparison of the supplicant’s actual retina to a stored image
o Iris pattern comparison of the supplicant’s actual iris to a stored image
 Among all possible biometrics, only three human characteristics are usually
considered truly unique. They are as follows:
o Fingerprints
o Retina of the eye (blood vessel pattern)
o Iris of the eye (random pattern of features found in the iris, including
freckles, pits, striations, vasculature, coronas, and crypts)