NSM Notes - Unit 3.pdf

Full Transcript

NETWORK SECURITY & MANAGEMENT

UNIT-3
NETWORK SECURITY
3.1 WORKING PRINCIPLES OF FIREWALL
3.1.1 Introduction to Firewall
A Firewall is a hardware or software to prevent a private computer or a network of computers from
unauthorized access, it acts as a filter to prevent unauthorized users from accessing private computers and
networks. It is a vital component of network security. It is the first line of defense for network security. A
firewall has a set of rules which are applied to each packet. The rules decide if a packet can pass or whether it
is discarded. It filters network packets and stops malware from entering the user’s computer or network by
blocking access and preventing the user from being infected. A firewall establishes a barrier between secured
internal networks and outside untrusted networks, such as the Internet.

3.1.2 Five Principles of Firewall Design
Firewall design principles are critical to protect your private network and maximize your network security.
Here are five principles you can use when establishing your firewall and implementing security policies.
1) Develop a Solid Security Policy
Having a proper security policy is an essential part of designing a firewall. Without it in place, it’s a headache
to allow users to navigate the company network and restrict intruders. This proper security policy will also
help you know the proper protocol if there is a security breach and it is useful for reporting security threats.
A properly developed security policy can protect you. A solid security policy includes guidance on proper
internet protocol, preventing users from using devices on public networks and recognizing external threats.
Simply having a security policy is only the first step. In addition to establishing security policies, one should
have frequent training and refreshers for all employees.
2) Use a Simple Design
If you have a complex design, you’ll need to find complex solutions anytime a problem arises. A simple design
helps alleviate some of the pain you may feel when a problem comes up. Also, complex designs are more
likely to suffer from configuration errors that can open paths for external attacks.
3) Choose the Right Device
You need to have the right tools to do the job. If you use the wrong device, you have the wrong tools and are
at a disadvantage from the start. Using the right part that fits your design will help you create the best firewall
for your network.
4) Build a Layered Defense
Firewalls should have layers to properly protect your network. A multi-layered defense creates a complicated
protection system that hackers can’t easily break through. Creating layers builds an effective defense and will
keep your network safe.
 NETWORK SECURITY & MANAGEMENT

5) Build Protection Against Internal Threats
Don’t just focus on attacks from external sources. A large percentage of data breaches are the result of internal
threats and carelessness. Mistakes made by those internally can open your network to attacks from outside
sources. Implementing proper security solutions for your internal network can help prevent this from
happening. Something as simple as accessing a web server can expose your network if you aren’t protected
internally as well as externally.

3.1.3 Types of Firewalls:
There are five main types of firewalls depending upon their operational method:
1) Stateless or Packet Filtering Firewall
2) Stateful Inspection Firewall
3) Circuit-Level Gateway
4) Application-Level Gateway
5) Next-Generation Firewall (NGFW)

1) Stateless or Packet Filtering Firewall:

A packet filtering firewall protects the network by analyzing traffic in the transport protocol layer where
applications can communicate with each other using specific protocols like Transmission Control Protocol
(TCP) and User Datagram Protocol (UDP). The firewall examines the data packets at this layer, looking for
malicious code that can infect the network or device. If a data packet is identified as a potential threat, the
firewall rejects it. Small businesses that need basic protection from existing cyber threats can benefit from a
packet-filtering firewall. Packet-filtering firewalls analyze surface-level details only and do not open the
packet to examine the actual data (content payload). They check each one in isolation for destination and IP
address, packet type, port number and network protocols but not in context with current traffic streams.
 NETWORK SECURITY & MANAGEMENT

2) Stateful Inspection Firewall:

Stateful inspection firewalls operate at the gateway between systems behind the firewall and resources outside
the enterprise network. Stateful inspection firewalls are situated at Layers 3 and 4 of the OSI model. State-
aware firewalls examine each packet (stateful inspection) and track and monitor the state of active network
connections while analyzing incoming traffic for potential risks. The “state” is the most recent or immediate
status of a process or application. Stateful firewalls can detect attempts by unauthorized individuals to access
a network, as well as analyze the data within packets to see if they contain malicious code. They are very
effective at defending the network against denial of service (DoS) attacks. It is important to monitor the state
and context of network communications because this information can be used to identify threats either based
on where they are coming from, where they are going, or the content of their data packets. This method offers
more security than either packet filtering or circuit monitoring alone but exacts a greater toll on network
performance.
3) Circuit-level Gateway:

Circuit-level gateways operate at the session layer of the OSI model. In the OSI model, a handshake must
occur before information can be passed from one cyber entity to another. Circuit-level gateways determine the
security of an established connection between the transport layer and the application layer of the TCP/Internet
Protocol (TCP/IP) stack by monitoring TCP handshakes between local and remote hosts. While circuit-level
gateways have minimal impact on network performance, a data packet containing malware can bypass a
 NETWORK SECURITY & MANAGEMENT

circuit-level gateway easily even if it has a legitimate TCP handshake. This is because circuit-level gateways
do not filter the content in data packets. To fill this gap, circuit-level gateways are often paired with another
type of firewall that performs content filtering.
4) Application-level Gateway:

It is also referred to as a “proxy firewall” and serves as an intermediate between internal and external systems.
An application-level gateway operates at the application layer, the highest of the OSI model. It employs deep
packet inspection (DPI) on incoming traffic to check both data packet payloads (content) and headers. This
firewall makes sure that only valid data exists at the application level before allowing it to pass through.
Application-level gateways follow a set of application-specific policies to determine which communications
are allowed to pass to and from an application. They help protect a network by masking clients’ requests before
sending them to the host. When network anonymity is required, application-level gateways are often in play.
They are ideal for securing web apps from bad actors (malicious intent).
5) Next-Generation Firewall (NGFW):
 NETWORK SECURITY & MANAGEMENT

A Next-Generation Firewall (NGFW) is the only type of firewall that provides the capabilities to protect
modern businesses against emerging cyber threats. As malware and threats have become more difficult to
detect at the access point, NGFW security has evolved to span the network and monitor behavior and intent.
NGFWs provide functions like deep-packet inspection, intrusion prevention (IPS), advanced malware
detection, application control and provide overall network visibility through inspection of encrypted traffic.
They can be found anywhere from an on-premises network edge to its internal boundaries and can also be
employed on public or private cloud networks. NGFWs CPU-intensive capabilities include decryption at a
very high-performance level, deep-packet inspection post decryption, detection of malicious URLs,
identification of command-and-control activities and download of malware and threat correlation. Due to these
advanced security capabilities, NGFWs are critical for heavily regulated industries such as finance or
healthcare and are often integrated with other security systems and SIEMs for end-to-end surveillance and
reporting.

3.1.4 Characteristics of Firewall
1) Physical Barrier: A firewall does not allow any external traffic to enter a system or a network without its
allowance. A firewall creates a choke point for all the external data trying to enter the system or network
and hence can easily block access if needed.
2) Multi-Purpose: A firewall has many functions other than security purposes. It configures domain names
and Internet Protocol (IP) addresses. It also acts as a network address translator. It can act as a meter for
internet usage.
3) Flexible Security Policies: Different local systems or networks need different security policies. A firewall
can be modified according to the requirement of the user by changing its security policies.
4) Security Platform: It provides a platform from which any alert to the issue related to security or fixing
issues can be accessed. All the queries related to security can be kept under check from one place in a
system or network.
5) Access Handler: Determines which traffic needs to flow first according to priority or can change for a
particular network or system. Specific action requests may be initiated and allowed to flow through the
firewall.

3.1.5 Advantages of Firewall
1) Blocks Infected Files: While surfing the internet we encounter many unknown threats. Any friendly-
looking file might have malware in it. The firewall neutralizes this kind of threat by blocking file access
to the system.
2) Stop Unwanted Visitors: A firewall does not allow a cracker to break into the system through a network.
A strong firewall detects the threat and then stops the possible loophole that can be used to penetrate
through security into the system.
 NETWORK SECURITY & MANAGEMENT

3) Prevents Email spamming: In this too many emails are sent to the same address leading to the server
crashing. A good firewall blocks the spammer source and prevents the server from crashing.
4) Control of Network Access: By limiting access to specified individuals or groups for particular servers
or applications, firewalls can be used to restrict access to particular network resources or services.
5) Monitoring of Network Activity: Firewalls can be set up to record and keep track of all network activity.
This information is essential for identifying and looking into security problems and other kinds of shady
behavior.

3.1.6 Disadvantages of Firewall
1) Infected Files: In the modern world, we come across various kinds of files through emails or the internet.
Most of the files are executable under the parameters of an operating system. It becomes impossible for
the firewall to keep track of all the files flowing through the system.
2) User Restriction: Restrictions and rules implemented through a firewall make a network secure but they
can make work less effective when it comes to a large organization or a company. Even making a slight
change in data can require a permit from a person of higher authority making work slow. The overall
productivity drops because of all of this.
3) System Performance: A software-based firewall consumes a lot of resources of a system. Using the
RAM and consuming the power supply leaves very less resources for the rest of the functions or programs.
The performance of a system can experience a drop. On the other hand, a hardware firewall does not
affect the performance of a system much, because it’s very less dependent on the system resources.
4) Complexity: Setting up and keeping up a firewall can be time-consuming and difficult, especially for
bigger networks or companies with a wide variety of users and devices.
5) Cost: Purchasing many devices or add-on features for a firewall system can be expensive, especially for
businesses.

3.2 INTERNET PROTOCOL SECURITY AND ITS USE IN SECURE COMMUNICATION
3.2.1 Introduction
IPsec is a set of protocols to secure internet communication at the network layer. It was developed by the
Internet Engineering Task Force (IETF) to provide a secure way to exchange data over the Internet, ensuring
that sensitive information is protected from unauthorized access, interception, or modification.
IPsec is the short acronym for Internet Protocol Security. The “IP” stands for Internet Protocol, which is the
main routing protocol used on the Internet for sending data to its destination using IP addresses. The “sec”
stands for secure, as it provides encryption and authentication to the data transmission process, making it more
secure.
 NETWORK SECURITY & MANAGEMENT

IPsec uses a variety of protocols to establish secure connections and protect data during transmission. IPsec is
not one protocol but a suite of protocols. The suite includes the following:
1) Authentication Header (AH): It provides data integrity and authentication and ensures that the transmitted
data has not been modified or tampered with. Yet, it does not encrypt data.
2) Encapsulating Security Protocol (ESP): It encrypts both the IP header and the payload of each packet
unless transport mode is used, in which case only the payload is encrypted. In addition, ESP adds its header
and a trailer to each data packet.
3) Security Association (SA): An SA is a set of security parameters defining how two devices communicate
securely. It includes information such as the encryption algorithm, authentication method, and key size. One
of the most commonly used SA protocols is the Internet Key Exchange (IKE). IPsec uses port 500 for its IKE
(Internet Key Exchange) protocol.

3.2.2 Modes of IPSec
IPSec operates in one of two different modes: Transport Mode or Tunnel Mode
 NETWORK SECURITY & MANAGEMENT

Transport Mode

In the transport mode, IPSec protects what is delivered from the transport layer to the network layer. In other
words, the transport mode protects the network layer payload, the payload to be encapsulated in the network
layer. Note that the transport mode does not protect the IP header. The transport mode does not protect the
whole IP packet; it protects only the packet from the transport layer (the IP layer payload). In this mode, the
IPSec header and trailer are added to the information corning from the transport layer. The IP header is added
later.

The transport mode is normally used when we need host-to-host (end-to-end) protection of data. The sending
host uses IPSec to authenticate and/or encrypt the payload delivered from the transport layer. The receiving
host uses IPSec to check the authentication and/or decrypt the IP packet and deliver it to the transport layer.
The figure above shows this concept.

Tunnel Mode

In the tunnel mode, IPSec protects the entire IP packet. It takes an IP packet, including the header, applies
IPSec security methods to the entire packet, and then adds a new IP header as shown in figure below. The new
IP header, as we will see shortly, has different information than the original IF header.
 NETWORK SECURITY & MANAGEMENT

The tunnel mode is normally used between two routers, between a host and a router, or between a router and
a host as shown in figure above. In other words, we use the tunnel mode when either the sender or the receiver
is not a host. The entire original packet is protected from intrusion between the sender and the receiver. It's as
if the whole packet goes through an imaginary tunnel. IPSec in tunnel mode protects the original IP header.

3.2.3 Features of IPSec
1) Authentication: IPSec provides authentication of IP packets using digital signatures or shared secrets. This
helps ensure that the packets are not tampered with or forged.
2) Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing eavesdropping on the
network traffic.
3) Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or corrupted during
transmission.
4) Key management: IPSec provides key management services, including key exchange and key revocation,
to ensure that cryptographic keys are securely managed.
5) Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within another protocol, such
as GRE (Generic Routing Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
6) Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including
point-to-point, site-to-site, and remote access connections.
7) Interoperability: IPSec is an open standard protocol, which means that it is supported by a wide range of
vendors and can be used in heterogeneous environments.

3.2.4 Advantages of IPSec
1) Strong security: IPSec provides strong cryptographic security services that help protect sensitive data
and ensure network privacy and integrity.
2) Wide compatibility: IPSec is an open standard protocol that is widely supported by vendors and can be
used in heterogeneous environments.
 NETWORK SECURITY & MANAGEMENT

3) Flexibility: IPSec can be configured to provide security for a wide range of network topologies, including
point-to-point, site-to-site, and remote access connections.
4) Scalability: IPSec can be used to secure large-scale networks and can be scaled up or down as needed.
5) Improved Network Performance: IPSec can help improve network performance by reducing network
congestion and improving network efficiency.

3.2.5 Disadvantages of IPSec
1) Configuration complexity: IPSec can be complex to configure and requires specialized knowledge and
skills.
2) Compatibility issues: IPSec can have compatibility issues with some network devices and applications,
which can lead to interoperability problems.
3) Performance impact: IPSec can impact network performance due to the overhead of encryption and
decryption of IP packets.
4) Key management: IPSec requires effective key management to ensure the security of the cryptographic
keys used for encryption and authentication.
5) Limited protection: IPSec only protects IP traffic and other protocols such as ICMP, DNS and routing
protocols may still be vulnerable to attacks.

3.2.6 Difference between IPv4 and IPv6
Parameters IPv4 IPv6
Address length IPv4 is a 32-bit address. IPv6 is a 128-bit address.
IPv6 is an alphanumeric address that
IPv4 is a numeric address that consists of 4
Fields consists of 8 fields, which are separated
fields which are separated by a dot (.).
by a colon.
IPv4 has 5 different classes of IP addresses
IPv6 does not contain classes of IP
Classes that includes Class A, Class B, Class C, Class
addresses.
D and Class E.
Number of IP
IPv4 has a limited number of IP addresses. IPv6 has a large number of IP addresses.
addresses
It supports VLSM (Virtual Length Subnet
Mask). Here, VLSM means that Ipv4
VLSM It does not support VLSM.
converts IP addresses into a subnet of
different sizes.
Address It supports manual, DHCP, auto-
It supports manual and DHCP configuration.
configuration configuration, and renumbering.
 NETWORK SECURITY & MANAGEMENT

It generates 340 undecillion unique
Address space It generates 4 billion unique addresses
addresses.
End-to-end
In IPv4, end-to-end connection integrity is In the case of IPv6, end-to-end connection
connection
unachievable. integrity is achievable.
integrity
In IPv4, security depends on the application.
Security In IPv6, IPSEC is developed for security
This IP address is not developed in keeping
features purposes.
the security feature in mind.
Address In IPv4, the IP address is represented in In IPv6, the representation of the IP
representation decimal. address in hexadecimal.
Fragmentation is done by the senders and the Fragmentation is done by the senders
Fragmentation
forwarding routers. only.
Packet flow It does not provide any mechanism for It uses flow label field in the header for
identification packet flow identification. the packet flow identification.
Checksum The checksum field is not available in
The checksum field is available in IPv4.
field IPv6.
On the other hand, IPv6 is multicasting,
Transmission
IPv4 is broadcasting. which provides efficient network
scheme
operations.
Encryption
It does not provide encryption and
and It provides encryption and authentication.
authentication.
Authentication
It consists of 8 fields, and each field
Number
It consists of 4 octets. contains 2 octets. Therefore, the total
of octets
number of octets in IPv6 is 16.

3.3 VARIOUS TYPES OF IDSs
3.3.1 Introduction
An Intrusion Detection System (IDS) is a system that monitors network traffic for suspicious activity and
issues alerts when such activity is discovered. It is a software application that scans a network or a system for
harmful activity or policy breaches. Any malicious venture or violation is normally reported either to an
administrator or collected centrally using a Security Information and Event Management (SIEM) system. A
SIEM system integrates outputs from multiple sources and uses alarm filtering techniques to differentiate
malicious activity from false alarms.
 NETWORK SECURITY & MANAGEMENT

Although intrusion detection systems monitor networks for potentially malicious activity, they are also
disposed to false alarms. Hence, organizations need to fine-tune their IDS products when they first install
them. It means properly setting up the intrusion detection systems to recognize what normal traffic on the
network looks like as compared to malicious activity.
IDS and firewall both are related to network security but an IDS differs from a firewall as a firewall looks
outwardly for intrusions to stop them from happening. Firewalls restrict access between networks to prevent
intrusion and if an attack is from inside the network it doesn’t signal. An IDS describes a suspected intrusion
once it has happened and then signals an alarm. The most optimal and common position for an IDS is behind
the firewall. Although this position varies considering the network.

3.3.2 Detection Methods of IDS
1) Signature-based Method:
Signature-based IDS detects the attacks based on specific patterns such as the number of bytes or number
of 1’s or number of 0’s in the network traffic. It also detects based on the already known malicious
instruction sequence that is used by the malware. The detected patterns in the IDS are known as signatures.
Signature-based IDS can easily detect the attacks whose pattern (signature) already exists in the system,
but it is quite difficult to detect new malware attacks as their pattern (signature) is not known.
2) Anomaly-based Method:
Anomaly-based IDS was introduced to detect unknown malware attacks as new malware is developed
rapidly. In anomaly-based IDS there is the use of machine learning to create a trustful activity model and
anything coming is compared with that model and it is declared suspicious if it is not found in the model.
Machine learning-based method has a better- generalized property in comparison to signature-based IDS
as these models can be trained according to the applications and hardware configurations.

3.3.3 Classification of IDS
Intrusion Detection Systems are classified into 5 types:
1) Network Intrusion Detection System (NIDS):
Network intrusion detection systems (NIDS) are set up at a planned point within the network to examine traffic
from all devices on the network. It performs an observation of passing traffic on the entire subnet and matches
the traffic that is passed on the subnets to the collection of known attacks. Once an attack is identified or
abnormal behavior is observed, the alert can be sent to the administrator. An example of a NIDS is installing
it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall.
 NETWORK SECURITY & MANAGEMENT

2) Host Intrusion Detection System (HIDS):
Host Intrusion Detection System (HIDS) run on independent hosts or devices on the network. A HIDS
monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious
or malicious activity is detected. It takes a snapshot of existing system files and compares it with the previous
snapshot. If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their
layout.

3) Protocol-based Intrusion Detection System (PIDS):
A Protocol-Based Intrusion Detection System (PIDS) comprises a system or agent that would consistently
reside at the front end of a server, controlling and interpreting the protocol between a user/device and the
server. It is trying to secure the web server by regularly monitoring the HTTPS protocol stream and accepting
 NETWORK SECURITY & MANAGEMENT

the related HTTP protocol. As HTTPS is unencrypted and before instantly entering its web presentation layer
then this system would need to reside in this interface, between to use the HTTPS.
4) Application Protocol-based Intrusion Detection System (APIDS):
An Application Protocol-Based Intrusion Detection System (APIDS) is a system or agent that generally resides
within a group of servers. It identifies the intrusions by monitoring and interpreting the communication on
application-specific protocols. For example, this would monitor the SQL protocol explicitly to the middleware
as it transacts with the database in the web server.
5) Hybrid Intrusion Detection System:
Hybrid intrusion detection system is made by the combination of two or more approaches to the intrusion
detection system. In the hybrid intrusion detection system, the host agent or system data is combined with
network information to develop a complete view of the network system. The hybrid intrusion detection system
is more effective in comparison to the other intrusion detection system. Prelude is an example of Hybrid IDS.

3.4 DISTINGUISH HOST-BASED IDS AND NETWORK-BASED IDS

Parameters HIDS NIDS

Full Form Host Intrusion Detection System. Network Intrusion Detection System.

Type It doesn’t work in real-time. It operates in real-time.

HIDS is related to just a single system, as NIDS is concerned with the entire
the name suggests it is only concerned network system, NIDS examines the
Concern
with the threats related to the Host activities and traffic of all the systems in
system/computer. the network.

NIDS being concerned with the network
HIDS can be installed on every computer
Installation is installed at places like routers or
or server i.e., anything that can serve as a
Point servers as these are the main intersection
host.
points in the network system.

HIDS operates by taking a snapshot of NIDS works in real-time by closely
Execution
the current status of the system and examining the data flow and immediately
Process
comparing it against some already stored reporting anything unusual.
 NETWORK SECURITY & MANAGEMENT

malicious tagged snapshots stored in the
database, this clearly shows that there is a
delay in its operation and activities.

As the network is very large making it
HIDS are more informed about the
Information hard to keep track of the integrating
attacks as they are associated with system
about attack functionalities, they are less informed of
files and processes.
the attacks.

Ease of As it needs to be installed on every host, Few installation points make it easier to
Installation the installation process can be tiresome. install NIDS.

Response Time Response time is slow. Response time is fast.

3.5 HIDS AND NIDS COMPONENTS
1) Data Collectors: Using either agents or an agentless approach, your HIDS deploys sensors that collect data
from hosts.
2) Data Storage: After being collected, the data is usually aggregated and stored in a central location. The
data is retained at least as long as is necessary to analyze it, although organizations may also choose to keep
the data on hand so they can reference it at a later time if desired.
3) Analytics Engine: The HIDS uses an analytics engine to process and evaluate the various data sources that
it collects. The purpose of analytics is to look for patterns or anomalies, and then assess the likelihood that
they are the result of security risks or attacks.

3.6 ADVANTAGES AND DISADVANTAGES OF HIDS, NIDS
Advantages of HIDS:
1) Verifies success or failure of an attack: Since a host-based IDS uses system logs containing events that
have occurred, they can determine whether an attack occurred or not.
2) Monitors System Activities: A host-based IDS sensor monitors user and file access activity including file
accesses, changes to file permissions, attempts to install new executables, etc.
3) Detects attacks that a network-based IDS fails to detect: Host-based systems can detect attacks that
network-based IDS sensors fail to detect. For example, if an unauthorized user makes changes to system
files from the system console, this kind of attack goes unnoticed by the network sensors.
4) Near real-time detection and response: Although host-based IDS do not offer true real-time response, it
can come very close if implemented correctly.
 NETWORK SECURITY & MANAGEMENT

5) Lower entry cost: Host-based IDS sensors are far cheaper than network-based IDS sensors.

Disadvantages of HIDS:
1) Host-based IDSs are harder to manage, as information must be configured and managed for every host.
2) The information sources for host-based IDSs reside on the host targeted by attacks, the IDSs may be
attacked and disabled as part of the attack.
3) Host-based IDSs are not well suited for detecting network scans or other such surveillance that targets an
entire network.
4) Host-based IDSs can be disabled by certain denial-of-service attacks.

Advantages of NIDS:
1) A few well-placed network-based IDS can monitor a large network.
2) The deployment of NIDSs has little impact on an existing network.
3) NIDSs can be made very secure against attack and even made invisible to many attackers..
Disadvantages of NIDS:
1) NIDSs may have difficulty possessing all packets in a large or busy network and, therefore, may fail to
recognize an attack launched during a period of high traffic.
2) Many of the advantages of NIDSs don’t apply to more modern switch-based networks.
3) NIDSs cannot analyze encrypted information. This problem is increasing as organizations and attackers
use virtual private networks.
4) Most NIDSs cannot tell whether or not an attack was successful; they can only find that an attack was
initiated.