1

NETWORK SECURITY
ABSTRACT
John, sitting desperately in front of his system tries to hack his friend Williams bank account. But after a tiresome job, all he could succeed in getting was an encrypted code, which did not make any sense to him and would take a lifetime to decode making use of the concept of probability. Thanks! To the advanced techniques of security which saved William from getting bankrupt and losing his lifetime savings. In the present day scenario, where the earth is shrinking rapidly, such that the entire world is now on your desktop, security is gaining much significance consequently. Cryptography, authentication and access control mechanisms play a very important role in secured communication as they form the major disciplines of network security.

INTRODUCTION
What is security?
Freedom from danger, fear or ensuring safety is security. Measures adopted to prevent the authorized use, misuse, modification or denial of use of knowledge or facts, data or capabilities. Network security is an issue of great significance today where a single problem can change the fate of the companies and organizations.

Need of Security
Computer security is required because most organizations can be damaged by hostile software or intruders. There may be several forms of damage which are obviously interrelated which are produced by the intruders. These include

lose of confidential data Damage or destruction of data Damage or destruction of computer system Loss of reputation of a company

Orange Book: The National Computer Security Center (NCSC), an agency of the U.S government published an official standard called Trusted Computer System Evaluation Criteria universally known as the Orange Book. The Orange Book defines a series of ratings a computer system can have based on its security features and the care that went into its design, documentation and testing. This rating is intended to give government agencies and commercial enterprises an objective assessment of a systems security and to goad computer manufacturers into placing more emphasis on security. The official categories are D, C1, C2, B1, B2, B3, and A1 ranging from minimal protection or unrated to most secure. When computers are networked together new security problems occur which can prove to be great threats to major companies. The orange book did not address the issue of networked computers. The Red Book took all the requirements of the

Orange book and attempted to address a networked environment of computers, thus creating the concept of network security. A single layer of security cannot ensure good security. Effective security is achieved by the combination of all security disciplines. The prominent security technologies and product categories used today are anti-virus software, firewalls, smart cards, biometrics, intrusion detection, policy management, vulnerability scanning, encryption etc.

Common Misperceptions on Network Host Attacks

Its sad that system administrators and users often think that their network hosts are either uninteresting or invulnerable to hackers. Some of the common beliefs include: Nobody would ever attack our servers or desktops. Only good people work here. We have an Internet firewall. Thats all we need. Were secure. We use system passwords. Network security is too expensive and hard to maintain. Sure, weve all heard and used these excuses. We all have more pressing problems to worry about than getting hacked. But the fact is that all the above excuses, and many more just like them, are complete fantasy. Servers and desktops are attacked on a fairly common basis. Just because it is not detected does not mean it is not happening . . .

Reality: Hacking Tools are Pervasive and Cheap to Acquire

Its easy to find Windows NT (WinNT) and Windows 2000 (Win2K) hacking tools. Pick any Internet search engine (Altavista, Lycos, Yahoo, etc.) you are comfortable with and type in the following words as a search item: HACK Microsoft or HACK NT

Watch how many sites come up. Scary, isnt it? In some queries, you can find over 80,000 web sites with hacking tools on them. To make matters worse, there are CDROMs full of hacking tools such as Forbidden subjects, WinHackGoldCD, Hacker Chronicles and others of a more underground nature. These are available from a variety of both legitimate and less reputable sources.

Some Statistics on Network Security

Every year, the Computer Security Institute (www.gocsi.com) and the U.S. Federal Bureau of Investigation (www.fbi.gov) publish statistics about computer crime. The 2000CSI/FBI Computer Crime and Security Survey was eye-opening, and reported the following statistics: 30% reported computer systems penetrated by outsiders 55% reported unauthorized access by insiders 26% reported theft of proprietary information 32% reported denial of service attacks 19% reported sabotage of data or networks 90% of financial loss is from internal attacks As the statistics show, the truth is that network attacks are REAL, PERVASIVE, and EXPENSIVE. They are NOT going away. And, they are getting more insidious and dangerous to organizations.

SECURITY SERVICES
Network security can provide one of the five services as shown in the figure: -

Four of these services are related to the message exchanged using the network: Message confidentiality, integrity, authentication, non repudiation. Fifth service provides entity authentication or identification.

COMMON ATTACKS AGAINST NETWORK ASSETS

Attacks may occur through technical means such as specific tools designed for attacks or exploitation of vulnerabilities in a computer system, or they may occur through social engineering, which is the use of non-technical means to gain unauthorized access. Attacks are primarily of four types: Access Modification Denial of service Repudiation

An access attack is an attempt to gain information that the attacker is not authorized to see. This is an attack against the confidentiality of the information. Snooping, Eavesdropping and Interception come under this category. SNOOPING is looking through information files in the hopes of finding something interesting. If the files are on a computer system, an attacker may open one file after another until the required information is found. EAVESDROPPING is the process of listening to a conversation of which they are not a part. To gain unauthorized access to information, an attacker must position him at a location where the information is likely to pass by. A sniffer is a computer that is

configured to capture all the traffic on the network. Most often they are configured to capture user Ids and passwords. Tapping a fiber-optic line requires more specialized equipment and is normally not performed by run-of-the-mill attackers. INTERCEPTION is an active attack against the information. When an attacker intercepts information, he is inserting himself in the path of the information and capturing it before it reaches the destination. The attacker may or may not allow the information to continue to its destination. On the Internet this could be done by causing a name resolution change. The traffic is then sending to the attackers system instead of the real destination. If configured correctly, the sender may never know that he was not talking to the real destination.

MO D A N IFIC TIO

ATTACK is an attempt to modify information that an attacker is not authorized to modify. CHANGES are one type of modification attack is to change existing information. Change attacks can be targeted at sensitive or public information. INSERTION is the addition of information that did not exist previously. An attacker might choose to add a transaction in a banking system that moves funds from a customers account to his own. DELETION attack is the removal of existing information. This could be the removal of information in a historical record or in a record that is yet to be acted upon.

Denial-of-service (DoS) attacks are the attacks that deny the use of resources to legitimate users of the system, information or capabilities. DoS attacks generally do not allow the attackers to access or modify information on the computer system. DoS attacks are nothing more than vandalism. An attacker could encrypt a file and then destroy the encryption key. In that way, no one could get access to the information in the file. This type of vulnerability allows an attacker to send a predefined set of commands to the application that the application is not able to process properly. The application is likely to crash when this occurs. REPUDIATION ATTACK is an attack against the accountability of the information. In other words, repudiation is an attempt to give false information or to deny that a real event or transaction should have occurred. MASQUERADING is an attempt to act like or impersonate someone else or some other system. With few exceptions, any computer system can take on any IP address. Thus it is possible for a computer system to masquerade as another system. PASSWORD ATTACKS: These attacks comprise network sniffing and brute force attacks. Network sniffing concentrates on two areas: Acquiring clear-text passwords (the situation when Windows systems exchange passwords with any non-Windows operating system, such as UNIX or Novell) via network capture or file infiltration. Grabbing the encrypted value of an NT system password from a network packet or the password file and trying to decrypt the packet or file to expose the passwords that would allow a valid login to the host. Brute Force attacks involve a piece of software working its way through dictionaries and potential word-matching libraries to discover (guess) a specific word which, when matched with a specific user ID, will allow login to the system. Password attacks cannot be stopped by a packet-filtering firewall, but can be greatly reduced. Network access controls manage the network protocols and addresses allowed to pass through the firewall, providing a more definitive sense of control over

where a password attack can originate. Time-based security policies further define network access to the target system by allowing only specific transactions to take place at particular times of the day. And, con-nection logging allows for accurate and timely recording of all traffic activity. These are the types of firewall facilities you need to protect against Password attacks.

URL Based Attacks: These attacks are initiated by exploiting the vulnerabilities in many web servers and web-based applications that allow malicious code to be included as part of a URL. These attacks can result in denial-of-service, unauthorized file access or remote machine compromise.

THE COMMON TECHNIQUES ADOPTED BY HACKERS

Open File Sharing via NFS was used by some of the hackers to gain access to information. They simply mounted the remote drive and read the information. NFS uses user Ids to mediate the access to the information on the drive. This became more dangerous when some systems were found to allow the sharing of the root file system. In this case, if a hacker could become root on a system and mount a remote file system; he could change the configuration files of that remote system. Bad Passwords is the most common method used by the hackers to get into systems. Short passwords allow the hacker to brute-force the password. The other type of weak password is the one that is easy to guess. Buffer Overflows are one type of programming flaw exploited by the hackers. They are harder to find than bad passwords. Buffer overflows require quite a bit of expertise. Buffer overflows come up very often as the flaw in an application that copies user data into another variable without checking the amount of data being copied. More and more programs seem to suffer from this type of problem. If the programmer checked the size of the user data before placing it in the pre-defined variable, the buffer overflow can be prevented.

10

Denial-of-Service
i)

Single-source Denial-of-Service attack-Perhaps the most widely

known DoS attack is called the SYN flood. Other attacks have also been identified. The Ping of Death attack caused a ping packet to be sent to a target system. Normally a ping packet does not contain any data. The ping of death packet contained a large amount of data. When this data was read by the target, it would crash because of buffer overflow.
ii)

Distributed Denial-of-Service attacks are simply DoS attacks that

originate from a large number of systems. DDoS are usually controlled from a single master and a single hacker. Such attacks can be as simple as a hacker sending a ping packet to the broadcast address of a large network while spoofing the source address to direct all responses at a target. This particular attack is called Smurf attack. Advanced techniques: - Sniffing switch networks, redirecting traffic, IP spoofing are few of the advanced techniques. Malicious code VIRUSES A computer virus is a set of instructions that, when executed, inserts copies of itself into other programs. Some viruses are malicious and delete files or cause systems to become unusable. Other viruses do not perform any malicious act except to spread to other systems. Examples include Michelangelo (a traditional virus) and Melissa (a macro virus). TROJAN HORSES Just as the Greeks used a gift to hide evidence of their attack, so too does a Trojan horse program hide its malicious nature behind the faade of something useful or interesting. Example is the ILOVEYOU Trojan horse. It arrived as an email with a visual basic program, which caused the e-mail services to stop completely. Computer viruses Trojan horse programs Worms

11

WORMS A worm, as the name implies is a program that crawls from system to system without any assistance from its victims. The program replicates itself by installing copies of itself on other machines across the network. The most famous recent worm is called the CodeRed. Since CodeRed used legitimate web connections to attack, firewalls did not protect the victims. Once on a system, CodeRed chose a random address to attack next.

VARIOUS SECURITY TECHNOLOGIES

FIREWALLS A firewall is a network access control device that is designed to deny all traffic except that is explicitly allowed. Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service. Firewalls are generally of two types: application layer firewalls and packet filtering firewalls. Application layer firewalls are software packages that sit on top of the general purpose operating systems or on firewall appliances. If a rule does not specifically allow the traffic to flow, the firewall will deny or drop the packets. With an application layer firewall, all connections terminate on the firewall. If the policy rules allow the traffic, the firewall initiates a new connection from its external interface to the server system.
i)

Packet filtering firewalls is similar to the application layer firewalls in

matters related to policy rules. Policy rules are enforced through the use of packet inspection filters. With a packet filtering firewall, connections do not terminate on the firewall, but instead travel directly to the destination. As the packets arrive at the firewall, the firewall will determine if the packets and the connection state are allowed by the policy rules. If so, the packet is sent on its way. If not, the packet is denied or dropped.

DEFENSIVE STRATEGIES:

12

If an intruder can find a hole in our firewall, then the firewall has failed. There are no in-between states. Once a hacker is in, our internal network is at her mercy. If he hijacks an administrative account, we're in big trouble. If he hijacks an account with lesser privileges, all the resources available to that account are at risk. No firewall can protect against inadequate or mismanaged policies. If a password gets out because a user did not properly protect it, our security is at risk. If an internal user dials out through an unauthorized connection, an attacker could subvert our network through this backdoor. Therefore, we must implement a firewall policy. The most basic firewall policy is as follows: Block all traffic, and then allow specific services on a case-by-case basis. This policy is restrictive but secure. However, it may be so restrictive that users circumvent it. In addition, the more restrictive our policy, the harder it will be to manage connections that are to be allowed. On screening routers, we'll need to implement complicated sets of rulesa difficult task. Most firewall products including the Microsoft Proxy Server simplify this process by using graphical interfaces and a more efficient set of rules. Security policies must be outlined in advance so administrators and users know what type of activities are allowed on the network.. Our policy statement should address internal and external access, remote user access, virus protection and avoidance, encryption requirements, program usage, and a number of other considerations, as outlined here: Network traffic to and from outside networks such as the Internet must pass through the firewall. The traffic must be filtered to allow only authorized packets to pass.
-

Never use a firewall for general-purpose file storage or to run programs, except for those required by the firewall. Do not run any services on the firewall except those specifically required to provide firewall services. Consider the firewall expendable in case of an attack.

Do not allow any passwords or internal addresses to cross the firewall.

13

If we need to provide services to the public, put them on the outside of the firewall and implement internal settings that protect the server from attacks that would deny service.

Accept the fact that we might need to completely restore public systems from backup in the event of an attack.. We can implement a replication scheme that automatically copies information to a public server over a secure channel.

Discussions about protecting networks usually focus on threats from the Internet, but internal users are also a threat. Indeed, surveys indicate that most unauthorized activities are perpetrated by internal users. In addition, organizations that connect with business partners over private networks create a potential avenue for attack. Users on the business partner's network may take advantage of the inter-company link to steal valuable information. The current trend is to implement data encryption on all network transmissions. Encryption can take place right at the source of the transmission for the highest security, whether it is the client on the LAN or the router that connects wide area networks. Firewalls are often described in terms of perimeter defense systems, with a so-called "choke point" through which all internal and external traffic is controlled. The usual metaphor is the medieval castle and its perimeter defense systems. The moats and walls provide the perimeter defense, while the gatehouses and drawbridges provide "choke points" through which everyone must travel to enter or leave the castle. We can monitor and block access at these choke points. Firewall products provide a "moat-like" barrier control method for network assets, which vary dramatically with the product selection. The typical use of a firewall product in a network is to isolate corporate assets from each other and from the outside world in a secure and manageable manner. Firewalls have been designed around these two approaches. A packet filtering firewall uses the strip-search method. Packets are first checked and then either dropped or allowed to enter based on various rules and specified criteria. A proxy service acts as an agent for a user who needs to access a system on the other side of the firewall. A third method, called state full inspection, is also coming into use.

14

This method would be analogous to a gatekeeper remembering some defining characteristics of anyone leaving the castle and only allowing people back in with those characteristics. This brings up another point. While firewalls are keeping Internet intruders out, our internal users might be looting our systems. We may need to separate departments, workgroups, divisions, or business partners using the same firewall technology, and we may need to implement encryption throughout our organization. Firewalls also do not protect against leaks, such as users connecting to the outside with a desktop modem. In addition, if some new threat comes along, our firewall might not be able to protect against it. Viruses and misuse of security devices are also a threat. DRAWBACKS WITH FIREWALLS Firewalls assume that all the unauthorized members are on the outside and everyone inside can be completely trusted. This is an unwarranted assumption. Firewalls can be defeated by somehow injecting malicious code into the corporate network. Firewalls, when not configured properly refuse to recognize legitimate users and make their job difficult.

CRYPTOGRAPHY AS A TOOL FOR SECURITY

No one can deny the importance of security in data communication and networking. Security in networking is based on cryptography. Cryptography, a word with Greek origin, means secret writing. The figure below shows the components involved in cryptography.

The German Lorenz cipher machine, used in World War-II for encryption of very high-level general staff messages

15

Cryptography is a discipline of mathematics concerned with information security and related issues, particularly encryption, authentication, and access control. Its purpose is to hide the meaning of a message rather than its existence. Cryptography is used in many applications that touch everyday life; the security of ATM cards, computer passwords, and electronic commerce all depend on cryptography. Until modern times, cryptography referred almost exclusively to encryption, the process of converting ordinary information (plaintext) into an unreadable ciphertext. Decryption is the reverse process.

A cipher (or cypher) is a pair of algorithms for encryption and decryption. The exact operation of a cipher is controlled by a key, which is a secret parameter for the cipher algorithm. Historically, ciphers were often used directly for encryption or decryption without additional procedures. The Enigma machine, used in several variants by the German military between the late 1920s and the end of World War II, implemented a complex electro-mechanical cipher to protect sensitive communications. In cryptography, code has a more specific meaning, referring to a procedure which replaces a unit of plaintext (i.e. the meaningful words or phrases) with a code word (for example, apple pie replaces attack at dawn). Codes are no longer used in serious cryptography - except incidentally for such things as unit designations - since properly chosen ciphers are both more practical and secure than even the best codes, and better adapted to computers as well. In recent decades, the field has expanded beyond confidentiality concerns to include techniques for authentication,

16

digital signatures, interactive proofs, and secure computation. The main classical cipher types are transposition ciphers, which rearrange the order of letters in a message (e.g. 'help me' becomes 'ehpl em'); and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters (e.g. 'fly at once' becomes 'gmz bu podf' by replacing each letter with the one following it in the alphabet). Simple versions of either offered little confidentiality. The development of digital computers and electronics after WWII made possible much more complex ciphers. Many computer ciphers can be characterized by their operation on binary bits (sometimes in groups or blocks), unlike classical and mechanical schemes, which generally manipulate traditional characters (i.e. letters and digits). SYMMETRIC-KEY CRYPTOGRAPHY Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key. This was the only kind of encryption publicly known until 1976. The modern study of symmetric-key ciphers relates mainly to the study of block ciphers and stream ciphers and to their applications. Block ciphers take as input a block of plaintext and a key, and output a block of ciphertext of the same size. Stream ciphers, in contrast to the 'block' type, create an arbitrarily long stream of key material, which is combined with the plaintext bit by bit or character by character, somewhat like the one-time pad. In a stream cipher, the output stream is created based on an internal state which changes as the cipher operates. That state's change is controlled by the key.

Cryptographic hash functions (often called message digest functions) do not use keys, but are a related and important class of cryptographic algorithms. They take input data (often an entire message), and output a short, fixed length hash, and do

17

so as a one-way function. For good ones, collisions (two plaintexts which produce the same hash) are extremely difficult to find. Message authentication codes (MACs) are much like cryptographic hash functions, except that a secret key is used to authenticate the hash value on receipt. PUBLIC KEY CRYPTOGRAPHY In a groundbreaking 1976 paper, Whitfield Diffie and Martin Hellman proposed the notion of public-key (also, more generally, called asymmetric key) cryptography in which two different but mathematically related keys are used: a public key and a private key. A public key system is constructed so that calculation of the private key is computationally infeasible from knowledge of the public key, even though they are necessarily related. Instead, both keys are generated secretly, as an interrelated pair.

The public key algorithms are:

Modular addition, Multiplication and modular exponentiation, RSA algorithm DSS algorithm.

18

AUTHENTICATION
The authentication of authorized users prevents unauthorized users from gaining access to information systems. The use of authentication mechanisms can also prevent authorized users from accessing information that they are not authorized to view. Currently, password remains the primary authentication mechanism for internal system access. If passwords are to be used, the following are recommended as best practices: Length- passwords must be a minimum of eight characters in length. Change frequency- passwords must not be more than 60 days old. History- the last ten passwords should not be re-used.

Content- passwords should not be made up of only letters but instead should include letters, numbers and special punctuation characters.

KEY CERTIFICATION If keys are transmitted to a remote destination by some means, they must be checked once they arrive to be sure that they have not been tampered with during the transmission. Public keys are intended to be published or given out to other users and must also be certified as belonging to the owner of the key pair. This can be done through a central authority- certificate authority. CA generates certificates, which are signed messages specifying a name and the corresponding key. INTRUSION DETECTION SYSTEMS Intrusion detection systems (IDS) are the burglar alarms of the network. An IDS is designed to differentiate between an authorized entry and a malicious intrusion into a protected network. A very common intrusion detection mechanism is anti-virus software. Other forms of intrusion detection include the following: Manual log examination Automated log examination Host-based intrusion detection software Network based intrusion detection software

19

Manual log examination can be effective, but is time consuming and error-prone. A better form of log examination would be to create programs or scripts that can search through computer logs looking for potential anomalies.

SECURITY IN INTERNET
IP Security It is a collection of protocols which is designed by Internet Engineering Task Force (IETF) to provide security for a packet at the network level. It helps to create authenticated and confidential packets for IP layer as shown in the figure below.

IP security (IPSec) operates in one of the two different modes: The transport mode or the tunnel Mode.

20

Transport Mode:

Tunnel Mode:

We use Tunnel mode when either the sender or receiver is not the host. The entire packet is protected from intrusion between the sender and the receiver.

21

ULTIMATE TOP-10 ELEMENTS OF SECURITY

Having just Firewalls in a network doesnt make it completely foolproof. So, there exist some technical and non-technical TIPS to be followed to ensure maximum security: 1. POLICY: Define, Implement and measure systems, networks and applications for compliance 2. EDUCATION: Part of (1) above is to ensure your users understand the consequences of their actions and the importance of information security to the organization 3. WARNINGS: Implement online warnings informing users (internal and external) of the rules of access to the systems 4. ASSESS: Determine what you are trying to protect, why and what value it has 5. PROTECT: Based on (4) above, implement firewalls, anti-virus and intrusion detection (IDS) tools 6. AUDIT: Regularly audit systems for access violations, latest applicable patches and integrity of operating systems and applications 7. PASSWORD: Enforce strong password policy and run password guessing for easy to guess passwords 8. SCAN: Periodically for known vulnerabilities and the latest exploits 9. BACK-UP: Ensure regular clean backups are made to enable speedy recovery 10. RESPONSE: Set up an incident response team with complimentary measures.

22

CONCLUSION Examining the threats and managing them appropriately is very important for the smooth running of any organization. Security is a very difficult topic. Everyone has a different idea of what ``security'' is, and what levels of risk are acceptable. The key for building a secure network is to define what security means to your organization. Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him.

23

REFERENCES:

http://www.robertgraham.com/pubs/network-intrusion-detection.html http://online.securityfocus.com/infocus/1527 http://www.snort.org/ http://www.cert.org/ http://www.nmap.org/ http://grc.com/dos/grcdos.htm http://lcamtuf.coredump.cx/newtcp/