Royal University of Dhaka

Dept. of Computer Science & Engineering

Fall-2022

MS 681: Advanced Computer Network

Submitted By
Name: Md. Ashikur Rahman
ID: 045-22-3-00-05-11-3-016
Batch: 29
Program: M.Sc in CSE

Submitted To
Ahmed Abdullah
ahmed.abdullah@royal.edu.bd

Date of Submission: 20/11/2022

Question 1: How to use SQL injection method? How to prevent SQL injection?
Answer
SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries
that an application makes to its database.

To make an SQL Injection attack, an attacker must first find vulnerable user inputs within the web
page or web application. A web page or web application that has an SQL Injection vulnerability uses such
user input directly in an SQL query. The attacker can create input content. Such content is often called a
malicious payload and is the key part of the attack. After the attacker sends this content, malicious SQL
commands are executed in the database.

SQL injections typically fall under three categories:

 In-band SQLi (Classic), Inferential

 SQLi (Blind)
 Out-of-band SQLi.

In-band SQLi

The attacker uses the same channel of communication to launch their attacks and to gather their
results. In-band SQLi’s simplicity and efficiency make it one of the most common types of SQLi
attack. There are two sub-variations of this method:

 Error-based SQLi—the attacker performs actions that cause the database to produce error
messages. The attacker can potentially use the data provided by these error messages to gather
information about the structure of the database.
 Union-based SQLi—this technique takes advantage of the UNION SQL operator, which fuses
multiple select statements generated by the database to get a single HTTP response. This
response may contain data that can be leveraged by the attacker.

Inferential (Blind) SQLi

The attacker sends data payloads to the server and observes the response and behavior of the
server to learn more about its structure. This method is called blind SQLi because the data is not
transferred from the website database to the attacker, thus the attacker cannot see information about
the attack in-band.

Blind SQL injections rely on the response and behavioral patterns of the server so they are typically slow
our to execute but may be just as harmful. Blind SQL injections can be classified as follows:

Boolean—that attacker sends a SQL query to the database prompting the application to return a
result. The result will vary depending on whether the query is true or false. Based on the result, the
information within the HTTP response will modify or stay unchanged. The attacker can then work
out if the message generated a true or false result.

Time-based—attacker sends a SQL query to the database, which makes the database wait (for a
period in seconds) before it can react. The attacker can see from the time the database takes to
respond, whether a query is true or false. Based on the result, an HTTP response will be generated
instantly or after a waiting period. The attacker can thus work out if the message they used returned
true or false, without relying on data from the database.

Out-of-band SQLi

The attacker can only carry out this form of attack when certain features are enabled on the database
server used by the web application. This form of attack is primarily used as an alternative to the in-band
and inferential SQLi techniques.

Out-of-band SQLi is performed when the attacker can’t use the same channel to launch the attack and
gather information, or when a server is too slow or unstable for these actions to be performed. These
techniques count on the capacity of the server to create

DNS or HTTP requests to transfer data to an attacker.

Prevention methods of SQL injection

Most instances of SQL injection can be prevented by using parameterized queries (also known as
prepared statements) instead of string concatenation within the query.

The following code is vulnerable to SQL injection because the user input is concatenated directly into
the query:

String query = "SELECT * FROM products WHERE category = '"+ input + "'";
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
This code can be easily rewritten in a way that prevents the user input from interfering with the query
structure:

PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE

category = ?");
statement.setString(1, input);
ResultSet resultSet = statement.executeQuery();

Parameterized queries can be used for any situation where untrusted input appears as data within the
query, including the WHERE clause and values in an INSERT or UPDATE statement. They can't be used to
handle untrusted input in other parts of the query, such as table or column names, or the ORDER BY
clause. Application functionality that places untrusted data into those parts of the query will need to
take a different approach, such as white-listing permitted input values, or using different logic to deliver
the required behavior.

For a parameterized query to be effective in preventing SQL injection, the string that is used in the query
must always be a hard-coded constant, and must never contain any variable data from any origin. Do
not be tempted to decide case-by-case whether an item of data is trusted, and continue using string
concatenation within the query for cases that are considered safe. It is all too easy to make mistakes
about the possible origin of data, or for changes in other code to violate assumptions about what data is
tainted.
There are certain general strategic principles that we should follow to keep our web application safe.

Step 1: Train and maintain awareness

To keep our web application safe, everyone involved in building the web application must be
aware of the risks associated with SQL Injections. We should provide suitable security training to all our
developers, QA staff, Dev Ops, and Sys Admins. We can start by referring them to this page.

Step 2: Don’t trust any user input

Treat all user input as untrusted. Any user input that is used in an SQL query introduces a risk of an SQL
Injection. Treat input from authenticated and/or internal users the same way that we treat public input.

Step 3: Use whitelists, not blacklists

Don’t filter user input based on blacklists. A clever attacker will almost always find a way to circumvent
our blacklist. If possible, verify and filter user input using strict whitelists only.

Step 4: Adopt the latest technologies

Older web development technologies don’t have SQLi protection. Use the latest version of the
development environment and language and the latest technologies associated with that
environment/language. For example, in PHP use PDO instead of MySQLi.

Step 5: Employ verified mechanisms

Don’t try to build SQLi protection from scratch. Most modern development technologies can offer us
mechanisms to protect against SQLi. Use such mechanisms instead of trying to reinvent the wheel. For
example, use parameterized queries or stored procedures.

Step 6: Scan regularly (with Acunetix)

SQL Injections may be introduced by our developers or through external

libraries/modules/software. We should regularly scan our web applications using a web vulnerability
scanner such as Acunetix. If we use Jenkins, we should install the Acunetix plugin to automatically scan
every build.
Question 2: What are the current top five threats for a server that you should be
aware of? Explain.
Answer
There are lots of server security threats as technology advanced now-a-days. Five threats are explained
as follows:

1. Ransomware

According to Cybersecurity Ventures, the cost of ransomware damage is expected to reach $265 Billion
by 2031. Their report predicts that there will be a new attack every 2 seconds, as ransomware
perpetrators progressively refine their malware payloads and related extortion activities.

In this type of attack, the victim’s computer is locked, typically by encryption, blocking them from using
the device and everything stored in it. In order to regain access to the device, the victim has to pay
ransom, often in the form of virtual currency. There are different types transmitting such threats.
However, most of the time, ransomware are spread through malicious email attachments, infected
software apps, compromised websites, or infected external storage.

How to prevent ransomware?

 Back up computing devices and update software

 Avoid links in emails from unknown sources
 Avoid opening email attachments
 Do everything possible to avoid paying ransom
 Couple a traditional firewall that blocks unauthorized access to computers or networks
 Limit the data a cybercriminal can access

2. Insider threats

This is one of the most common types of security threats. It usually occurs when employees intentionally
or unintentionally misuse authorized access in a way that affects the organization’s system negatively.

In most of the cases, this is due to noncompliance with the organization’s policies and procedures. As
such, they are prone to email customer data to external parties or share their login information with
others. Such types of attacks would elude cybersecurity protocols to delete, sell, or steal data. This can
disrupt operations and cause great damages to data.

How to prevent insider security threats?

There are different activities that the organization might consider to prevent potential risks from insider
threats. Organizations can:

 Limit employees’ authorized access

 Train employees on security and make them aware of its importance
 Inform employees on different types of security threats and how they should act if they occur
 Follow the requirements of international standards, such as ISO/IEC 27001 or ISO/IEC 27032
 Implement two-factor authentication
  Install employee monitoring software

3. Phishing attacks

Phishing attacks are one of the most prevalent information security threats in today’s business
environment. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the top
“action variety” seen in breaches in 2020, with 43% of breaches having involved phishing and/or
pretexting.

Phishing aims at tricking users to compromise important and confidential information. Usually, attackers
use fake emails that are made to seem as reliable or from legitimate sources. The main idea is to push
users to take some actions (e.g., clicking on a link or opening email attachments) that allow attackers to
install malware on their devices.

How to prevent phishing?

One of the most effective preventive measures is training and awareness. Employees should be trained
and become aware of different types of security threats in general, as well as specific strategies used for
phishing.

4. Cloud attacks

Cloud has become a critical part of our everyday life. However, we should be aware that not all cloud
services provide secure authentication and encryption. Misconfiguration can cause several incidents,
including intrusions, network vulnerabilities, and data leaks.

According to IBM, over half of cloud security breaches are caused by simplistic issues. While, two thirds
of cloud security incidents could be avoided by checking configurations.

How to prevent cloud attacks?

 Educate/Train your employees

 Secure a data backup plan
 Identify who can access your data
 Use penetration testing
 Establish cloud governance policies and procedures

5. Malvertising attacks

Malicious advertising, alias malvertising, is a new up and coming form of cybercrime. Through this
technique, cybercriminals inject a malicious code within digital ads which would redirect users to
malicious websites or install malware on their devices. It is very difficult to be identified by internet
users and publishers. Thus, these are usually served to consumers through legitimate advertising
networks. Any advertisement displayed on websites can present a risk of infection.

Even some globally known companies have inadvertently displayed malicious ads in their websites.

How to prevent malvertising?

Again, awareness is of utmost importance. There are some steps that should be followed to reduce the
risk of infection. These include to:
 Ensure that software and extensions are updated
 Install antivirus software and ad blockers
 Avoid using Java or Flash programs
 On the other hand, publishers have a responsibility to protect their web visitors from malicious
advertising. They should take the following steps to reduce risk:
 Evaluate third-party ad networks responsible for choosing, inspecting, and running ads
 Scan ads that they plan to display
 Avoid using Flash or JavaScript in ads
Question 3: What is a Firewall and why is it used? Draw Firewall architecture.
What are the steps to set up a firewall?
Firewall:
A firewall is software or firmware that prevents unauthorized access to a network. It inspects incoming
and outgoing traffic using a set of rules to identify and block threats.

Firewalls are used in both personal and enterprise settings, and many devices come with one built-in,
including Mac, Windows, and Linux computers. They are widely considered an essential component of
network security.

Uses:
Firewalls are used in both corporate and consumer settings. Modern organizations incorporate them
into a security information and event management (SIEM) strategy along with other cybersecurity
devices. They may be installed at an organization's network perimeter to guard against external threats,
or within the network to create segmentation and guard against insider threats.

In addition to immediate threat defense, firewalls perform important logging and audit functions. They
keep a record of events, which can be used by administrators to identify patterns and improve rule sets.
Rules should be updated regularly to keep up with ever-evolving cybersecurity threats. Vendors discover
new threats and develop patches to cover them as soon as possible.

In a single home network, a firewall can filter traffic and alert the user to intrusions. They are especially
useful for always-on connections, like Digital Subscriber Line (DSL) or cable modem, because those
connection types use static IP addresses. They are often used alongside to antivirus applications.
Personal firewalls, unlike corporate ones, are usually a single product as opposed to a collection of
various products. They may be software or a device with firewall firmware embedded.
Hardware/firmware firewalls are often used for setting restrictions between in-home devices.

Firewall Architecture
Based on predefined security rules, the firewall allows only secured traffic and block unauthorized,
malicious applications. A firewall is placed in the network to judge all the incoming packets and only
allow secured packets.

Factors considered while architecting Firewall:

 The Ability of the particular organizations to implement firewall architecture.

 Decided budget of an organization on implementation of Firewall.
 Aims decided by the organization for network security.

Different implementations of Firewall architecture:

Screened Host Architecture:

It is the combination of packet filtering router and
firewall methodology such as application proxy
server. Before accessing system functionalities
router filters all packets in traffic. Services are
provided by the host attached to the internal
network. The basic security is provided by packet
filtering. Proxy operations are performed. It pre-
screens the packets entering the system to
minimize network traffic. It is responsible for
reducing the load on the proxy server. Application
proxy checks HTTP and other application layer
protocols. This host is called a bastion host. It
should be protected against attacks.

Characteristics of Screened Host Architecture:

 One Packet Filtering Router.

 One Bastion Host.

Dual-Homed Host Architecture:

The more complex version of Screened Host Architecture is Dual-Homed Host Architecture. To protect
our system from unauthorized users accessing confidential information, Dual-Homed Host Architecture is
used. It is the architecture involving the use of two
network interface cards. Secured access is provided by
Dual-Homed Host Architecture. Advance security is
provided by configuring one NIC inside the network and
another NIC in the external network. It is capable of
routing one packet from one network to another network
efficiently and securely. The server that provides secured
access with firewall, gateways, and proxies is Dual-Homed
Host Architecture. It provides a very high level of control
by not allowing any of the packets from the external
network if such a rule is specified by the user. External
attacks are prevented with the help of Network Address
Translation that is converting external IP address to
internal IP address.

Characteristics of Dual-Homed Host Architecture:

 One Packet Filtering Router.

 More restrictive form of Screened Host Firewall.
 Dual-Homed Host Architecture supports a Bastion Host with two Network Interface Cards.

Screened Subnet Firewall:

Screened Subnet Firewall is the variation of the Dual-Homed Gateway and Screened Host Firewall. In order
to get more flexibility and throughput different components of the firewall are maintained on separate
systems. Screened Subnet Firewall is less complex as a separate component will perform separate task. It
separates the internal network from the internet. Bastion hosts are more vulnerable. They are attacked
despite tight security. If the attacker successfully attacks the bastion host, he/she can spoil the system
security. Screened Subnet Firewall uses two screening
routers for providing security. It is mainly used in e-
commerce and financial systems. Its main use is to
establish a Demilitarized Zone often called a DMZ.
Screened Subnet Firewall is mainly used in the
corporate network. Many high-traffic system working
with high speed uses Screened Subnet Firewall. The
architecture has two main components that are
bastion host and a packet-filtering router. Each host is
responsible for protecting the internal network. There
exist different models of Screened Subnet Firewall.
One of the models of Screened Subnet Firewall
consists of Dual-Homed bastion host between two
filtering routers.

Three important components used in this architecture are:

 The first component connects with the internet and it acts as a public interface.
 Second component act as an intermediator between first and third component. It is the middle
zone (DMZ).
 The third component mainly works with the intranet.

Characteristics of Screened Subnet Firewall:

 Screened Subnet Firewall supports Two Packet Filtering Router.

 One Bastion Host.

Screening Router:

It works same like the Packet Filtering firewall

methodology. It is responsible for checking all the
incoming and outgoing traffic and according to
predefined rules it routes the packets. It is cost-
efficient. It can be used as perimeter protection for
internal network. These are mainly useful for the
internal Firewalls. It can be used in networks that
are providing services to the Internet. Service
Providers mainly use Screening router between the
Internet and their service hosts. If the router is
attacked, system security will come in danger.
Screening router Firewall architecture is a good choice for a situation where:

 The number of protocols used in the application are limited.

 The protocols used are straightforward.
 The network where there is a very high level of host security.
 There is a requirement for maximum security.
 You require Redundancy

Configure a firewall in 5 steps

Step 1: Secure our firewall

If an attacker is able to gain administrative access to our firewall it is “game over” for our network
security. Therefore, securing our firewall is the first and most important step of this process. Never put a
firewall into production that is not properly secured by a t least the following configuration actions:

 Update our firewall to the latest firmware.

 Delete, disable, or rename any default user accounts and change all default passwords.
Make sure to use only complex and secure passwords.
 If multiple administrators will manage the firewall, create additional administrator accounts
with limited privileges based on responsibilities. Never use shared user accounts.
 Disable simple network management protocol (SNMP) or configure it to use a secure
community string.

Step 2: Architect our firewall zones and IP addresses

In order to protect the valuable assets on our network, we should first identify what the assets are (for
example, payment card data or patient data). Then plan out our network structure so that these
assets can be grouped together and placed into networks (or zones) based on similar sensitivity
level and function.

For example, all of our servers that provide services over the internet (web servers, email
servers, virtual private network (VPN) servers, etc.) should be placed into a dedicated zone that
will allow limited inbound traffic from the internet (this zone is often called a demilitarized zone or
DMZ). Servers that should not be accessed directly from the internet, such as database servers, must be
placed in internal server zones instead.

Likewise, workstations, point of sale devices, and voice over Internet protocol (VOIP) systems can
usually be placed in internal network zones. Generally speaking, the more zones we create, the more
secure our network. But keep in mind that managing more zone s requires additional time and
resources, so we need to be careful when deciding how many network zones we want to use.

If we are using IP version 4, Internal IP addresses should be used for all of our internal networks.
Network address translation (NAT) must be configured to allow internal devices to communicate on the
Internet when necessary.

Once we have designed our network zone structure and established the corresponding IP address
scheme, we are ready to create our firewall zones and assign them to our firewall interfaces or sub
interfaces. As we build out our network infrastructure, switches that support virtual LANs (VLANs)
should be used to maintain level -2 separation between the networks.

Step 3: Configure access control lists

Now that we have established our network zones and assigned them to interfaces, we should
determine exactly which traffic needs to be able to flow into and out of each zone.

This traffic will be permitted using firewall rules called access control lists (ACLs), which are applied to
each interface or sub interface on the firewall. Make our ACLs specific to the exact source and/or
destination IP addresses and port numbers whenever possible. At the end of every access control list,
make sure there is a “deny all” rule to filter out all unapproved traffic. Apply both inbound and
outbound ACLs to each interface and sub interface on our firewall so that only approved traffic is
allowed into and out of each zone.

Whenever possible, it is generally advised to disable our firewall administration interfaces

(including both secure shell (SSH) and web interfaces) from public access. This will help to protect our
firewall configuration from outside threats. Make sure to disable all unencrypted protocols for
firewall management, including Telnet and HTTP connections.

Step 4: Configure our other firewall services and logging

If our firewall is also capable of acting as a dynamic host configuration protocol (DHCP) server, network
time protocol (NTP) server, intrusion prevention system (IPS), etc., then go ahead and configure the
services we wish to use. Disable all the extra services that we don’t intend to use.

To fulfill PCI DSS requirements, configure our firewall to report to our logging server, and make
sure that enough detail is included to satisfy requirement 10.2 through 10.3 of the PCI DSS.

Step 5: Test our firewall configuration

In a test environment, verify that our firewall works as intended. Don’t forget to verify that our firewall
is blocking traffic that should be blocked according to our ACL configurations. Testing our firewall
should include both vulnerability scanning and penetration testing.

Once we have finished testing our firewall, our firewall should be ready for production. Always
remember to keep a backup of our firewall configuration saved in a secure place so that all of our hard
work is not lost in the event of a hardware failure.