

Certified Network Defender


COURSEWARE

EC-COUNCIL OFFICIAL CURRICULUM


Certified Network Defender
Certified Network Defender Exam 312-38

Instructions for Downloading your CND Electronic Courseware, Lab Manuals, and Tools.

Step 1:
Visit: https://aspen.eccouncil.org. If you have an account already, skip to Step 4.
Step 2:
Click Register and fill out the registration form. Click the Register button.

Step 3:
Using the email you provided in Step 2, follow the instructions in the auto-generated
email to activate your EC-Council Aspen Portal account.

Step 4:
Login using your Username and Password.

Step 5:
Once successfully logged in, click eBooks icon under the Learning Resources section. It
will open the Academia page.

Step 6:
Enter the access code below in the Access Code field and click the Submit button.

Access Code:
Step 7:
If your Access Code is valid, scroll down and you will be able to view instructions on how
to access the Electronic Courseware, Lab Manuals, and Tools.
Support:
E-mail support is available at academia@eccouncil.org.

System Requirements:
The Academia page contains details about system requirements and how to download
the e-courseware.

Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38

Instructions to Download Digital Copy of your Class Certificate of Attendance

Sample Certificate of Attendance (EC-Council): THIS IS TO ACKNOWLEDGE THAT ______ HAS SUCCESSFULLY COMPLETED A COURSE ON ______ AT AN EC-COUNCIL ACCREDITED TRAINING CENTER. Fields: Instructor Name, Certificate Number, Date. Signed: Sanjay Bavisi, President.

You can verify authenticity of this certificate by visiting https://aspen.eccouncil.org/VerifyEval.aspx

Step 1: Complete the official training.

Step 2: Visit: https://aspen.eccouncil.org. If you have an account already, skip to Step 5.

Step 3: Click Register and fill out the registration form. Click the Register button.

Step 4: Using the email you provided in Step 3, follow the instructions in the auto-generated
email to activate your EC-Council Aspen Portal account.

Step 5: Login using your Username and Password.

Step 6: Click the Class Eval icon in the Student Services section.

Step 7: Enter the Evaluation Code (see the code below) in the Evaluation Code field and click
the Submit button.

Step 8: Fill in the Course Evaluation Form. *Note: All fields on this form are mandatory. Click
the Submit Classroom Evaluation button.

Step 9: On the Course Evaluation Submission page, click the Download Certificate of
Attendance button to download your certificate of attendance.

Evaluation Code: ***CND-*********


EC-Council
Copyright © 2016 by EC-Council. All rights reserved. Except as permitted under the Copyright
Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the
publisher, with the exception that the program listings may be entered, stored, and executed in
a computer system, but they may not be reproduced for publication.

Information has been obtained by EC-Council from sources believed to be reliable. EC-Council
uses reasonable endeavors to ensure that the content is current and accurate, however,
because of the possibility of human or mechanical error we do not guarantee the accuracy,
adequacy, or completeness of any information and are not responsible for any errors or
omissions or the accuracy of the results obtained from use of such information.

The courseware is a result of extensive research and contributions from subject matter experts
from the field from all over the world. Due credits for all such contributions and references are
given in the courseware in the research endnotes. We are committed towards protecting
intellectual property. If you are a copyright owner (an exclusive licensee or their agent), and if
you believe that any part of the courseware constitutes an infringement of copyright, or a
breach of an agreed licence or contract, you may notify us at legal@eccouncil.org. In the event
of a justified complaint, EC-Council will remove the material in question and make necessary
rectifications.
The courseware may contain references to other information resources and security solutions,
but such references should not be considered as an endorsement of or recommendation by
EC-Council.

Readers are encouraged to report errors, omissions and inaccuracies to EC-Council at
legal@eccouncil.org.

If you have any issues, please contact support@eccouncil.org.


Foreword
The computer network has become more and more complex over the past few years, and so have
the threats to its security. The Certified Network Defender (CND) course focuses on helping the
administrator understand how to effectively deal with the issues that challenge the security of
a network.
This course presents a defensive stand on network security. It enhances the skills of a network
administrator to analyze the internal and external network security threats, proactively
minimize their effect by developing the necessary security policies, design a defense strategy,
implement the security mechanisms, and respond to security incidents in a timely manner.

The course covers all major domains in such a manner that the reader will be able to appreciate
the way network security mechanisms have evolved over time; as well as gain insight into the
fundamental workings relevant to each domain. It is a blend of academic and practical wisdom,
supplemented with tools that the reader can readily access and obtain a hands-on experience.
The emphasis is on understanding various network security elements, updating the already
deployed security mechanisms, spotting any known or possible vulnerabilities, and hardening
security implementations using various tools. You will read about the defense mechanisms that
are most widely used such as the firewalls, IDS, digital signatures, the secure configuration of
various every-day applications, and a comprehensive set of policies that are to be enforced in
the network to secure it from network breaches.
This courseware is a resource material. Any network administrator can tell you that there is no
one straight methodology or sequence of steps that you can follow while securing a network.
There is no one template that can meet all your needs. Your network defense strategy varies
with the type of network, the security mechanisms you chose to deploy, and the resources at
your disposal. However, for each stage you choose, be it training your staff on security
awareness, identifying network threats, implementing packet filtering, deploying a honeypot,
troubleshooting the network, configuring a digital signature, securing wireless networks, you
will find something in this courseware that you can definitely use.
Finally, this is not the end. This courseware is to be considered a 'work-in-progress', as it is
updated by adding value to it over time. You may find some aspects detailed, while others may
be in brief. The yardstick used in this respect is simple: "does the content explain the
point at hand?" It would be great to hear the views of the reader with respect to viewpoints
and suggestions. You can send your feedback so that this courseware can be made more useful.


Table of Contents

Module Number   Module Name                                              Page No.
00              Student Introduction                                     I
01              Computer Network and Defense Fundamentals                01
02              Network Security Threats, Vulnerabilities, and Attacks   102
03              Network Security Controls, Protocols, and Devices        152
04              Network Security Policy Design and Implementation        253
05              Physical Security                                        348
06              Host Security                                            418
07              Secure Firewall Configuration and Management             565
08              Secure IDS Configuration and Management                  647
09              Secure VPN Configuration and Management                  757
10              Wireless Network Defense                                 823
11              Network Traffic Monitoring and Analysis                  908
12              Network Risk and Vulnerability Management                976
13              Data Backup and Recovery                                 1051
14              Network Incident Response and Management                 1134
                References                                               1207

Student Introduction

Welcome to Certified Network Defender Class!

Certified Network Defender
Module 00: Welcome to Certified Network Defender Class!
Exam 312-38


• Name
• Company Affiliation
• Title / Function
• Job Responsibility
• Networking related experience
• Expectations

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

• Identity Card
• Student Lab Manual / Courseware Workbook
• Course Evaluation
• Reference Materials


1  Computer Network and Defense Fundamentals
2  Network Security Threats, Vulnerabilities, and Attacks
3  Network Security Controls, Protocols, and Devices
4  Network Security Policy Design and Implementation
5  Physical Security
6  Host Security
7  Secure Firewall Configuration and Management
8  Secure IDS Configuration and Management
9  Secure VPN Configuration and Management
10 Wireless Network Defense
11 Network Traffic Monitoring and Analysis
12 Network Risk and Vulnerability Management
13 Data Backup and Recovery
14 Network Incident Response and Management

EC-Council Certification Program CND

There are several levels of certification tracks under the EC-Council Accreditation body:

• Certified Secure Computer User (CSCU)
• Certified e-Business Professional
• EC-Council Certified Security Specialist (ECSS)
• Certified Network Defender (CND) (You are here)
• Certified Ethical Hacker (CEH)
• Computer Hacking Forensic Investigator (CHFI)
• EC-Council Disaster Recovery Professional (EDRP)
• EC-Council Certified Secure Programmer (ECSP)
• EC-Council Certified Security Analyst (ECSA)
• Licensed Penetration Tester (LPT)
• Certified Chief Information Security Officer (CCISO)
• Master of Security Science (MSS)


Certified Network Defender Track

CND Certification Track

Complete the following steps:

• Attend the Certified Network Defender Course.
• Pass the CND Exam 312-38 (ECC Exam Portal).

[Figure: CND certification track flowchart: Start, Attend Training, Prepare for Exam 312-38, Take Exam, Pass or Fail, CND Certification Achieved]

Exam Title: Certified Network Defender
Exam Code: 312-38
Number of Questions: 100
Duration: 4 hours
Availability: ECC Exam Portal
Passing Score: 70%

The training center / instructor will advise you about the exam schedule and
voucher details

This is a difficult exam and requires extensive knowledge of CND Modules


[Slide: classroom logistics]
• Class Hours
• Building Hours
• Phones
• Parking
• Restrooms
• Smoking
• Meals
• Recycling

Please read the contents of the provided EC-Council's CND NDA document

Sign this document and hand it over to the instructor

We will NOT start the class unless you sign this document

Please approach the instructor if you are not presented with this document


What Does CND Teach You?

Network Security Technologies

• Physical security
• Firewalls / IDS implementation
• OS hardening / patching
• Antivirus protection
• Encryption mechanism
• Authentication mechanism
• Configuration management
• Access control mechanism
• Proxy servers
• Packet / content filtering
• Product evaluation based on common criteria
• Passwords security
• DMZ (demilitarized zones)
• Network logs audit

Network Security Operations

• Creating and enforcing security policies
• Creating and enforcing standard network operating procedures
• Planning business continuity
• Configuration control management
• Creating and implementing incident response processes
• Planning data backup and recovery
• Conducting forensics activities on incidents
• Providing security awareness and training
• Enforcing security as culture


There are tons of networking tools and technologies covered in the curriculum

Instructors WILL NOT be able to demonstrate ALL the tools in this class

They will showcase only selected tools

The students are required to practice with the tools not demonstrated in the class on their own

Lab Sessions are designed to reinforce the classroom sessions

The sessions are intended to give a hands-on experience only and do not guarantee proficiency



[Figure: classroom lab environment. Machines shown: Ubuntu Linux, Windows 10, Windows Server 2008, NST Machine, OSSIM Machine, Windows Server 2012; labelled Instructor Machine and Student Machines]

Student Computer Checklist CND

Check if your machine has the following OSes installed (Fully Patched)

• OSSIM as VM

Computer Network
and Defense Fundamentals
Module 01
Certified Network Defender Exam 312-38
Computer Network and Defense Fundamentals

Computer Network and Defense Fundamentals
Module 01

Certified Network Defender
Module 01: Computer Network and Defense Fundamentals
Exam 312-38


Module objectives:

• Understanding computer networks
• Describing OSI and TCP/IP network Models
• Comparing OSI and TCP/IP network Models
• Understanding different types of networks
• Describing various network topologies
• Understanding various network components
• Explaining various protocols in TCP/IP network protocol stack
• Explaining IP addressing concepts
• Understanding Computer Network Defense (CND)
• Describing fundamental CND attributes
• Describing CND elements
• Describing CND process and Approaches

The module briefs you on the basic concepts of computer network fundamentals, including
types of networks, network topologies, network models, and various protocols used in
computer networking.

This module will also introduce you to the fundamental concepts of computer network
defense. The module introduces you to different concepts about Computer Network Defense
(CND) including CND attributes, different layers of CND, CND process, etc. The aim of this
module is to provide students a brief overview of basic networking concepts and help you
understand what CND comprises. These CND fundamentals are addressed and then elaborated
on separately in subsequent modules to attain defense-in-depth (DID) network security.


A Computer Network is a group of computing systems connected together to allow electronic
communication. It allows users to share information between various resources such as
computers, mobile phones, printers, scanners, etc.

The network model lays the foundation for the successful establishment of communication
between two computing systems, irrespective of their underlying internal structure and
technology.

Standard Network Models:
• Open System Interconnection (OSI) Model
• TCP/IP Model

A computer network is a group of computers connected to each other for easy sharing of
information and resources. The computers share information using a data path. A commonly
known computer network is the internet. Features of computer networks include:
• Allows sharing of resources from one computer to another.

• Allows storing files and other information in one computer and other computers accessing
those files and information.

• Any device connected to a computer can access the files and information stored in
another computer via the network.

Many fields such as electrical engineering, telecommunications, computer science, and
information technology make use of computer networking concepts. These allow for easy
communication between the users by means of chat, email, instant messaging, etc. The
computer network allows sharing of data across the networks.


Open System Interconnection (OSI) Model

OSI model is the standard reference model for communication between two end
users in a network

OSI model comprises seven layers, of which the top 4 layers are used when a
message transfers to or from a user and the lower three layers are used when a
message passes through the host computer

OSI MODEL

Layer             Data Unit         Function
Host Layers
7. Application    Data              Network process to application
6. Presentation   Data              Data representation, encryption and decryption, convert
                                    machine dependent data to machine independent data
5. Session        Data              Interhost communication, managing sessions between
                                    applications
4. Transport      Segments          End-to-end connections, reliability, and flow control
Media Layers
3. Network        Packet/Datagram   Path determination and logical addressing
2. Data Link      Frame             Physical addressing
1. Physical       Bit               Media, signal, and binary transmission

Open System Interconnection (OSI) is a reference model that defines the communication of
data over the network. It is a framework that portrays the flow of data from one device to
another over the network. The OSI model classifies the communication between two end
points into seven different groups of layers. The logic behind this division is that the
communicating user provides functions of each of the seven layers. The communication
between two users occurs as a downward flow of data through the layers of the source
computer. Then, it traverses across the network and flows upwards through the layers of the
destination computer.

Features of OSI model include:

• Provides a clear understanding regarding the communication over the network.
• Displays the working of software and hardware.

• Helps the users in understanding newer technologies.

• Easy comparison between the functional relationships between different networks.
The OSI model has a set of protocols that allows the object on one host to communicate with
the corresponding object on another host.


[Figure: two hosts communicating through an intermediate node; peer layers (Presentation, Session, Transport, down to Physical) are linked by dashed protocol lines, adjacent layers by interfaces]

FIGURE 1.1: OSI Reference Model

Each layer in the OSI model has a different level of generalization and performs a distinct
function. The principles involved in developing the seven layers of the OSI model are as follows:

• Each layer needs to meet a different concept or overview. Thus, creating each layer
depends on the level of abstraction.

• Each layer needs to have a distinct functionality.

• The function performed by each layer needs to be in accordance with the standard
protocols at each layer.

• All the functions should not be present in the same layer. Selection of layers depends on
the number of functions performed.


• TCP/IP model is a framework for the Internet Protocol suite of computer network protocols that
define the communication in an IP-based network

Application Layer
  Functions: Handles high-level protocols, issues of representation, encoding, and dialog control
  Protocols: File Transfer (TFTP, FTP, NFS), Email (SMTP), Remote Login (Telnet, rlogin),
             Network Management (SNMP), Name Management (DNS)

Transport Layer
  Functions: Constitutes a logical connection between the endpoints and provides transport
             services from the source to the destination host
  Protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)

Internet Layer
  Functions: Selects the best path through the network for packets to travel
  Protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address
             Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)

Network Access Layer
  Functions: Defines how to transmit an IP datagram to the other devices on a directly attached
             network
  Protocols: Ethernet, Fast Ethernet, SLIP, PPP, FDDI, ATM, Frame Relay, SMDS, ARP, Proxy ARP, RARP

The TCP/IP protocol is a four-layered protocol developed by the Department of Defense (DOD).
Each layer in this model performs a different function; the flow of data occurs from layer 4
to 1 on the sending machine and from layer 1 to 4 on the destination machine. The TCP/IP
model describes the end-to-end communication between two machines and thereby
determines the addressing, routing, and transmission of the data. The four layers in the TCP/IP
model include:
• Application layer (Layer 4): Provides data access to applications.
• Transport layer (Layer 3): Manages host-to-host interactions.
• Internet layer (Layer 2): Provides internetworking.
• Network Access layer (Layer 1): Provides communication of data present in the same
network.

Network Access Layer - Layer 1

The Network Access layer is the lowest layer in the TCP/IP model. It handles the flow of data to
the Internet layer between two hosts in the same network. The network-to-host layer adds a
packet header to the data frame and sends it over a physical medium. The layer consists of
functions such as modulation, bit and frame synchronization, and error detection. The protocols
used in this layer are: Ethernet, Token Ring, FDDI, X.25, Frame Relay, RS-232, V.35.

Internet Layer - Layer 2

The Internet layer mainly deals with the communication of packets over the network.


It performs internetworking by sending data from the source network to the destination
network. The functions performed by the Internet layer are as follows:

• Host addressing and identification

• Packet routing
The Internet layer is wholly responsible for managing the TCP/IP protocol framework. In this
protocol, the sequence of the packets received at the destination network differs from the
sequence of the packets sent from the source network. IP, ICMP, ARP, RARP are the protocols
used in this layer.

Transport Layer - Layer 3


The Transport layer determines the status of the data communicated between the source and
the destination. The functionalities of the Transport layer include end-to-end communication,
error control, segmentation, flow control, and application addressing. The end-to-end
communication is of two types: connection-oriented and connectionless. TCP
implements connection-oriented communication, whereas UDP provides connectionless
communication.
The TCP layer determines whether the data transmission occurs in a parallel path or in a single
path. The layer enables the application to read and write to the transport layer by adding the
header information to the data. The transport layer sends the data in small units in order for
the network layer to handle the data more efficiently. TCP, UDP, RTP are the protocols used in
the Transport layer.

Application Layer - Layer 4


The Application layer consists of the protocols used by the applications. These applications
provide user services and data over the network connections recognized by the lower layer
protocols. The application layer protocols deal with the client-server applications and other
services which have well-known port numbers earmarked by the Internet Assigned Numbers
Authority (IANA). HTTP, Telnet, FTP, TFTP, SNMP, DNS, SMTP, X Windows, and other application
protocols are the protocols used in the application layer.
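The four layers just described, together with the data units (data, segment, packet, frame) from the OSI table earlier in this module, can be seen in code. The following Python script is an added example and not courseware code from EC-Council: it encapsulates a constructed application payload into a UDP datagram, an IPv4 packet and an Ethernet frame (the downward flow on the sending machine), then decodes the frame back up the stack the way a packet-capture or IDS parser would, checking every length field and the IPv4 header checksum rather than trusting what the headers claim. The MAC and IP addresses, ports and payload are constructed sample values; the header layouts, the protocol numbers (EtherType 0x0800, IP protocol 17) and the RFC 1071 checksum are the standard ones.

```python
"""Encapsulation and decoding of one UDP datagram through the TCP/IP layers.
Added example, not courseware code. Addresses, ports and payload are constructed."""
import ipaddress
import struct

# Constructed sample values (not taken from the courseware)
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
ETHERTYPE_IPV4 = 0x0800   # standard EtherType for IPv4
IPPROTO_UDP = 17          # standard IP protocol number for UDP


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer (TCP/IP layer 3): 8-byte UDP header + application data.
    The UDP checksum is left at 0, which IPv4 permits (checksum not computed)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Internet layer (layer 2): 20-byte IPv4 header without options + segment."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,          # version 4, IHL 5 words = 20 bytes
        0,                     # DSCP/ECN
        20 + len(payload),     # total length
        0x1234,                # identification (constructed)
        0x4000,                # flags: Don't Fragment, fragment offset 0
        64,                    # TTL
        proto,                 # upper-layer protocol number
        0,                     # checksum placeholder, filled in below
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    csum = ip_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def build_ethernet(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Network access layer (layer 1): 14-byte Ethernet II header + packet."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def decode_frame(frame: bytes) -> dict:
    """Walk back up the stack (frame -> packet -> datagram -> data), validating
    every length and the IPv4 header checksum. Raises ValueError if malformed."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 packet")
    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 version/IHL")
    if ip_checksum(packet[:ihl]) != 0:       # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl + 8 or total_len > len(packet):
        raise ValueError("IPv4 total length inconsistent with frame")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("not UDP")
    segment = packet[ihl:total_len]          # ignores any Ethernet padding
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP length disagrees with IPv4 total length")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(packet[12:16])),
        "dst_ip": str(ipaddress.IPv4Address(packet[16:20])),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:],
    }


def sample_frame() -> bytes:
    """Top-down flow on the sender: data -> UDP datagram -> IPv4 packet -> frame."""
    data = b"hello"                          # constructed application payload
    datagram = build_udp(5353, 53, data)
    packet = build_ipv4(SRC_IP, DST_IP, IPPROTO_UDP, datagram)
    return build_ethernet(SRC_MAC, DST_MAC, ETHERTYPE_IPV4, packet)


if __name__ == "__main__":
    frame = sample_frame()
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decode_frame(frame))
```

Running the script prints the 47-byte frame as hex and the decoded fields. Two design choices matter for a defender's parser: the datagram is sliced using the IPv4 total length, so trailing Ethernet padding is ignored rather than treated as data, and a frame whose UDP length disagrees with the IP total length is rejected instead of being parsed on whichever header happens to be read first.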
Advantages of TCP/IP model:

• It serves as a client-server architecture.
• It functions independently.
• It consists of many routing protocols.
• Initiates a connection between two computers.

Disadvantages of TCP/IP model:

• Complex to set up.
• No assurance of packet delivery in the transport layer.
• Not an easy task to replace protocols.
• No visible parting between the services, protocols, and interfaces.


Comparing OSI and TCP/IP

OSI MODEL                  TCP/IP MODEL
Application Layer    \
Presentation Layer    }    Application Layer
Session Layer        /
Transport Layer            Transport Layer
Network Layer              Internet Layer
Data Link Layer      \
Physical Layer       /     Network Access Layer

• TCP/IP model is based on the practical implementation of protocols around which the
Internet has developed, whereas the OSI model, often referred to as a reference model, is a
generic protocol-independent standard

• OSI: only connection-oriented communication; TCP/IP: both connectionless and
connection-oriented communication

• OSI model defines services, interfaces, and protocols, whereas TCP/IP does not provide a
clear distinction between these

OSI Model
The main aim behind implementing the OSI model is to standardize and ease the
communication between the communicating parties using certain standard protocols. It
generalizes the communication between the computers in terms of layers. The OSI model has
seven layers. In this model, each layer serves the layer above it, so the working of each
layer depends on the layers below it.

TCP/IP Model
TCP/IP remains the basic protocol for communication. The TCP/IP protocol finds its
application either in an intranet or in an extranet. TCP/IP consists of four layers, of which
the upper layers manage the assembling of the packets into the original message and the lower
layers manage the address part of each packet and forward it to the right destination.


Classification of networks based on the physical location or the geographical boundaries

01 Local Area Network (LAN)
• Usually possessed by private organizations and connects the nodes of a single
organization, or premises
• Designed to facilitate the sharing of resources between PCs or workstations

02 Wide Area Network (WAN)
• Provides transmission solutions for companies or groups who need to exchange
information between multiple remote locations which may be in different countries or even
continents
• Provides trustworthy, quick, and secure communication between two or more places with
short delays and at low costs

03 Metropolitan Area Network (MAN)
• Huge computer networks covering a whole city
• A MAN can be completely owned and monitored by a private organization or it can be
provided as a service by any public organization such as a telecommunications company

These networks may differ in many ways, for example by size, by function, or by the geographical distance they cover. The services provided by the networks differ according to the layout of the networks.
Networks that differ by size are distinguished by the area occupied by the network and the number of computers present in it. The computers in a network can range from a single computer to millions of computers. The different network types, based on the size of the area they cover, are:
• Local Area Network (LAN)
• Wide Area Network (WAN)
• Metropolitan Area Network (MAN)
• Personal Area Network (PAN)
• Campus Area Network (CAN)
• Global Area Network (GAN)
Local Area Network (LAN)
A LAN consists of computers and related devices that share information over the same communication medium. A LAN may extend only within an office building or a home, and it can handle hundreds of users. The two commonly used LAN technologies are Ethernet and Wi-Fi. Virtual LANs (VLANs) let network administrators group a set of nodes into one logical network segment regardless of where they are physically connected. A LAN enables the use of many application programs, which users can obtain by simply downloading them from a server on the LAN. Wireless LANs are becoming much more popular because they are more flexible and cost less than wired LANs.
FIGURE 1.2: LAN (Local Area Network)

• Advantages:
• Allows sharing of printers between the computers at home or in the office.
• Gives users the ability to work from any system in the LAN.
• Allows files to be stored in a single shared folder and shared between the users on the network.
• Disadvantages:
• Because it provides file sharing, it requires separate security measures (access controls) to restrict access to certain files and folders.
• Any small issue in the file server can affect all the users who depend on that server.
Wide Area Network (WAN)
A WAN is spread over a larger geographical area and is more far-reaching than a LAN. WANs usually connect the nodes in the network using leased telecommunication lines, which carry the information efficiently across the various computers in the network. WANs can connect different LANs into one network. Most often, public networks are connected to a wide area network, and LANs connect to WANs for quick and secure transfer of data. However, a WAN requires a group of authorities (typically several organizations or service providers) to manage it.
• Features of WAN:
• WANs generally provide larger and dedicated network services and aim to meet the services required by the business.
• WANs have a lower data transfer rate than LANs.


FIGURE 1.3: WAN (Wide Area Network)

• Advantages:
• A WAN connects places that are geographically far apart without prohibitive cost or implementation difficulty.
• Disadvantages:
• Very complex in structure.
• Provides only lower bandwidth and has a higher risk of losing connections.

Metropolitan Area Network (MAN)

A MAN stretches over an even larger geographical area than a LAN, but a smaller one than a WAN. It refers to the interconnection of networks spread across a city or town. Several LANs grouped together form a MAN. MANs provide secure, efficient communication by making use of fiber optic cables, and a MAN provides shared network connections to its users.

FIGURE 1.4: MAN (Metropolitan Area Network)

• Advantages:
• The links connecting the computers in a MAN have a much higher bandwidth, allowing easy sharing of data.
• Allows multiple users to share data at the same speed.
• Disadvantages:
• Requires installation before it can be deployed for the first time.
• Costly when compared to LANs.


Types of Networks (Cont'd)

Personal Area Network (PAN)
• Wireless communication that uses both radio and optical signals
• Covers an individual's work area or work group and is also known as a room-size network

Campus Area Network (CAN)
• Covers only a limited geographical area
• This kind of network is applicable for a university campus

Global Area Network (GAN)
• Combination of different interconnected computer networks
• Covers an unlimited geographical area
• The Internet is an example of a GAN

Personal Area Network (PAN)

A Personal Area Network refers to the interconnection of devices within a short range. For example, a person can connect a laptop, mobile phone, tablet, etc. to a wireless network within a certain distance without having to physically plug anything into the devices. This allows file and information sharing between the devices connected to that network.

FIGURE 1.5: PAN (Personal Area Network): wireless-enabled devices exchanging data through short-range radio waves


Campus Area Network (CAN)

A campus area network consists of multiple connected local area networks within a limited geographical area. Most government organizations and universities make use of a campus area network. The size of a campus area network is much smaller than a MAN or a WAN. It typically uses optical fiber to connect the nodes in the campus network. For example, different buildings on a campus can use a campus area network for interconnection, thereby allowing the sharing of information between different departments. Implementing a CAN costs less and is highly beneficial and economical because of high-speed data transfer between any sections of the network.
• Features:
• Cost-effective.
• Allows interconnection between various departments on a campus.
• Provides a single shared data transfer rate.
• Resistant to failure.
• Highly flexible to the changes of an evolving network.
• Offers a more secure network by authenticating the users accessing the network.

Global Area Network (GAN)

A Global Area Network consists of different interconnected networks extending over an unlimited geographical area. A GAN covers a larger geographical area than a LAN or a WAN.

A GAN enables transfer of data from one point to another even when the two points do not connect directly with each other. The points can connect through a central server, or each point can pass the data on to the next until it reaches the destination.
A GAN supports mobile communication for a number of wireless LANs. Broadband GAN (BGAN) is the most commonly used GAN; it uses portable satellite terminals to connect computers located at different places to the Internet.

• Advantages of GAN:
• Allows the interconnection of multiple networks and enables proper sharing of data without tampering with it.
• Enables the storage of files on a central server, thereby allowing easy access to files across different networks.
• Enforces security on access to these files by imposing access restrictions.


Network Topologies

Network topology is a specification that deals with a network's overall design and the flow of data in it.

Types of Topology
• Physical Topology - Physical layout of nodes, workstations and cables in the network
• Logical Topology - The way information flows between different components

Physical Network Topologies

Bus Topology: Network devices are connected to a central cable, called a bus, with the help of interface connectors.
Star Topology: Network devices are connected to a central device (a hub or switch), which relays messages between them.
Ring Topology: Network devices are connected in a closed loop. Data travels from node to node, with each node along the way handling every packet.
Mesh Topology: Network devices are connected in such a way that every device has a point-to-point link to every other device on the network.
Tree Topology: A hybrid of bus and star topologies, in which groups of star-configured networks are connected to a linear bus backbone cable.
Hybrid Topology: A combination of any two or more different topologies. Star-Bus or Star-Ring topologies are widely used.

Network Topologies (Cont'd)

Slide diagrams: Linear Bus, Mesh Topology, Star Topology, Ring Topology and Tree Topology (nodes, server, router, printer and Internet connections).


The logic of connecting computers over the network is expressed by topologies. The topology defines the structure of a network and determines the physical or logical layout of the network. The physical topology defines how the components of the computer systems are arranged, whereas the logical topology defines how data flows in the network between the computers.
The various topologies available are:

Star Topology
A star topology consists of a central node (a hub or switch) connected to the other computers in the network by individual cables. Each node or computer in the network connects individually to the central node. Adding nodes to a star network is an easy task. Damage to the connection between one node and the central node does not affect the working of the other nodes in the network, but any damage to the central node affects the whole star.

Here, the central node or hub acts as the server and the attached computers act as the clients. All data to the respective nodes passes through the central node or hub, which acts as the intersection connecting all nodes present in the star network. The hub can connect to the hubs of other networks and act as a repeater or signal booster. The computer nodes connect to the hub using unshielded twisted pair Ethernet cable. Whether the hub is active or passive is determined by the following factors:

• Whether the central node or hub performs processing such as data amplification and regeneration.
• Whether the central node regulates the movement of the data.
• Whether the network requires electrical power resources (an active hub needs its own power supply).


FIGURE 1.6: Star Topology

• Advantages:
• Enables centralized management of the network through the central node or hub.
• Enables easy addition and removal of computer nodes to and from the star network.
• Failure of one computer node does not impact the rest of the nodes in the network.
• Enables easy detection of failures and errors in the network, which makes it easier to find the right way to solve the issue.
• Disadvantages:
• Any failure of the central node affects the whole network.
• Using routers or switches as the central node increases the cost of implementing the network.
• The number of nodes that can be added to the network depends on the capacity (port count) of the central node.

Bus Topology
Here, a single cable serves all the computers in the network and carries all the information intended for all nodes. Any damage to the connection between a node and the main cable can affect the passage of data over the cable.

In the bus topology, the network broadcasts the signal sent by any node, so the signal reaches all the nodes attached to the cable. The node whose address matches the destination address (MAC address) carried in the frame accepts it, while the other nodes discard it. Every cable in the bus network has a terminator attached to both ends. The terminator absorbs the signals reaching the end of the cable and so prevents them from bouncing. Signal bouncing would cause the signal to reflect back in the direction it came from; if two signals bounce back at the same time from opposite directions, they collide.

There are two types of bus topologies: linear and distributed. In a linear bus topology, there is only a single line attached to the two end points. A distributed bus topology can have more than one linear segment attached to the network.

FIGURE 1.7: Bus Topology

• Advantages:
• Easy to add new nodes to the bus network.
• Low cost of implementation.
• Works better in small networks.
• Requires less cabling than a star network.
• Disadvantages:
• The number of nodes that can be added is limited by the length of the cable.
• Any issue in the main cable can affect the whole network.
• Terminators at both ends of the cable are a must.
• Very high maintenance cost.
• Not suitable for networks with very high traffic.
• As all nodes receive every signal sent from the source, any node can eavesdrop on all traffic, which affects the security of the network.

Ring Topology
A ring topology connects all nodes in the network in a closed loop. Data circulates around the ring until the intended recipient accepts it. Damage to any one of the nodes can affect the whole ring network. Data travels on the network in one direction. Sending and receiving of data takes place with the help of a token. A node that holds the free token attaches its data and addressing information to it and passes the frame on to the next node. Each node checks whether the frame is addressed to itself; if so, it copies the data and passes the frame on, and once the frame has travelled around the ring back to the sender, the sender removes it and releases an empty token onto the ring. Otherwise the node simply passes the frame to the next node. Only the node holding the token can send data; the other nodes must wait until they receive the empty token. Schools, offices and small buildings commonly use ring topology.

FIGURE 1.8: Ring Topology

• Advantages:
• Unidirectional flow of traffic, so there are no collisions.
• Every node can send data after receiving the empty token.
• No need for a centralized network server to manage the computer nodes.
• Better performance than a bus topology when the traffic load increases.
• Every computer node has the same level of access to the resources.
• Adding new components to the system does not affect the performance of the whole network.
• Disadvantages:
• Slow, as the signals need to pass through each node in the network.
• Any issue in any one of the nodes can affect the entire network.
• Needs a large amount of cabling to connect the network nodes, which increases the cost of implementation.
• Bandwidth is shared among all the nodes.
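The token-passing procedure described above, as an added example that is not part of the courseware: a free token circulates in one direction, only the station holding it may transmit, the destination copies the frame as it passes, and the sender strips the frame and releases a fresh token when it returns. The station names, queued frames and the failed station are constructed inputs for the demonstration; the simulation also shows why one dead station stops the whole ring.

```python
# Added example (not courseware code): token passing on a unidirectional ring.
# Station names, queued frames and the failed station are constructed inputs.
from collections import deque


def run_token_ring(ring, queued, failed=frozenset(), max_rounds=4):
    """Circulate a free token around `ring` (station names in transmission order).

    queued : {station: [destination, ...]} frames each station wants to send
    failed : stations that are down; a token or frame reaching one is lost
    Returns (delivered, token_alive) where delivered lists
    (src, dst, hops_to_dst) for every frame that reached its destination
    and came back to the sender, which then released a free token.
    """
    n = len(ring)
    pending = {station: deque(frames) for station, frames in queued.items()}
    delivered = []
    holder = 0  # index of the station currently holding the free token
    for _ in range(max_rounds * n):
        station = ring[holder]
        if station in failed:
            return delivered, False  # the token was handed to a dead station
        if pending.get(station):
            dst = pending[station].popleft()
            reached_at = None
            for hops in range(1, n + 1):  # the frame travels in one direction only
                nxt = ring[(holder + hops) % n]
                if nxt in failed:
                    return delivered, False  # frame lost; no station can recover the token
                if nxt == dst:
                    reached_at = hops  # destination copies the frame and passes it on
                if nxt == station:
                    break  # back at the sender: strip the frame, release a free token
            if reached_at is not None:
                delivered.append((station, dst, reached_at))
        holder = (holder + 1) % n  # the free token moves to the next station
    return delivered, True


if __name__ == "__main__":
    stations = ["A", "B", "C", "D"]
    print(run_token_ring(stations, {"A": ["C"], "C": ["B"]}))
    print(run_token_ring(stations, {"A": ["C"]}, failed={"D"}))
```

The hop count grows with the distance around the ring, which is the "signals pass through each node" cost listed above, and a single failed station loses both the frame and the token, which is why real token-ring hardware needs a monitor station to regenerate lost tokens.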

Mesh Topology
All the nodes or computers in the network connect with each other. The design ensures that data can pass between every computer even if any one computer fails. Each node in the network sends its own data to other nodes and also relays the data of other nodes. However, wired mesh topologies are not used much in organizations because of their huge implementation cost; mesh is widely used in wireless networks.

FIGURE 1.9: Mesh Topology

There are two types of mesh topologies:

• Full Mesh Topology: All the nodes connect with each other in the network. If a node fails, the full-mesh topology can redirect the traffic around that node through another node.
• Partial Mesh Topology: Here, only a few nodes connect to all nodes in the network, while the other nodes connect only to one or two other nodes. Because it connects to far fewer nodes, the partial-mesh topology is far less costly and reduces the redundancy of many connections.

A mesh topology uses one of two techniques to move data: routing or flooding. In routing, the message is transmitted along a chosen path between the nodes; to ensure continuous transmission of data, the topology must make sure that all connections between the nodes along that path are intact and not broken. In flooding, each node forwards a received message to all of its neighbours except the one it came from, so no routing information is needed, at the cost of the same message crossing many links.
• Advantages:
• Allows continuous transmission of data.
• Able to handle heavy traffic loads.
• A node failure does not impact the whole network.
• Allows expansion and modification of the network without disturbing it.
• Disadvantages:
• High level of redundancy due to the presence of many connections.
• Expensive compared to other network topologies.
• Takes more time to set up and needs more administrative attention.

Tree Topology
The tree topology is a combination of a bus topology and a star topology: a main cable line (the bus backbone) with star networks attached to it. In the tree topology, many star topologies connect to the central transmission cable. Another name for this model is "extended star topology".

• Advantages:
• The tree topology is used in scenarios where it is difficult to implement a pure star or bus topology.
• Allows easy expansion of the network.
• The star layout of the branches enables easy management of the nodes.
• Provides error detection and correction properties.
• Each star network connects to the main cable through its own wiring.
• Failure of one of the star networks does not affect the working of the other star networks.
• Disadvantages:
• Any damage to the main transmission cable can bring down the whole network.
• Even though the tree topology enables easy expansion of the network, it becomes difficult to manage all the nodes and segments of the network as a whole.
• The rate of expansion depends solely on the type of main cable used.

Hybrid Topology
The hybrid topology combines the characteristics of two or more topologies. Hybrid topologies are mainly used in wide area networks. The organization implements a hybrid topology according to its requirements. For example, if one section of an organization needs a bus topology while another section needs a ring topology, the organization can implement both using a hybrid topology, combining multiple topologies into a single large topology.

• Advantages:
• Provides error detection and correction without affecting the working of the other sections of the network.
• Allows easy addition of nodes.
• Allows the organization to design the network according to its needs.
• Provides a combination of the features of multiple topologies.
• Disadvantages:
• As it consists of multiple topologies, the organization needs to design it carefully and ensure that the designed architecture can provide the required throughput.
• The implementation of a hybrid topology is costly, as it includes more cabling and connections.
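The failure claims made for star, ring, mesh and tree above can be checked rather than memorized. The following is an added example, not code from the courseware: each topology is modelled as an adjacency map (the ring as directed links, since its data flows one way), and a brute-force search removes one node or one link at a time and counts how many surviving pairs of nodes can no longer communicate in both directions. The sizes and node names (hub node 0, backbone "BB", branch hubs "H1"/"H2") are constructed for the demonstration.

```python
# Added example (not courseware code): represent each topology as a directed
# adjacency map and measure, by brute force, how badly a single node or link
# failure breaks communication. Topology sizes and node names are constructed.
from collections import deque


def build(nodes, links, directed=False):
    """Adjacency map from (u, v) links; undirected links are added both ways."""
    adj = {n: set() for n in nodes}
    for u, v in links:
        adj[u].add(v)
        if not directed:
            adj[v].add(u)
    return adj


def star(n):
    return build(range(n), [(0, i) for i in range(1, n)])  # node 0 is the hub


def ring(n):
    # Unidirectional: every node only hears from its predecessor.
    return build(range(n), [(i, (i + 1) % n) for i in range(n)], directed=True)


def full_mesh(n):
    return build(range(n), [(i, j) for i in range(n) for j in range(i + 1, n)])


def tree():
    # Two star segments (hubs H1, H2) hanging off one backbone cable BB.
    return build(["BB", "H1", "H2", "a1", "a2", "b1", "b2"],
                 [("BB", "H1"), ("BB", "H2"), ("H1", "a1"), ("H1", "a2"),
                  ("H2", "b1"), ("H2", "b2")])


def reachable(adj, start):
    """Breadth-first search: all nodes that `start` can send to."""
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def broken_pairs(adj):
    """Unordered node pairs that can no longer talk in both directions."""
    nodes = list(adj)
    reach = {u: reachable(adj, u) for u in nodes}
    return sum(1 for i, u in enumerate(nodes) for v in nodes[i + 1:]
               if v not in reach[u] or u not in reach[v])


def drop_node(adj, x):
    return {u: {v for v in vs if v != x} for u, vs in adj.items() if u != x}


def drop_link(adj, u, v):
    out = {a: set(b) for a, b in adj.items()}
    out[u].discard(v)
    out[v].discard(u)  # a physical link failure takes out both directions
    return out


def node_failure_impact(adj):
    """Node -> number of surviving pairs cut off when that node fails."""
    return {n: broken_pairs(drop_node(adj, n)) for n in adj}


def worst_link_failure(adj):
    """Most pairs cut off by any single link failure."""
    links = {frozenset((u, v)) for u, vs in adj.items() for v in vs}
    return max(broken_pairs(drop_link(adj, *link)) for link in links)


if __name__ == "__main__":
    for name, adj in [("star", star(5)), ("ring", ring(5)),
                      ("full mesh", full_mesh(5)), ("tree", tree())]:
        print(f"{name:9s} worst node failure: {max(node_failure_impact(adj).values())} "
              f"pairs cut, worst link failure: {worst_link_failure(adj)} pairs cut")
```

For the star, only the hub (node 0) has any impact and a cut cable isolates just one leaf; for the unidirectional ring every node and every link is a single point of failure; the full mesh survives any single failure; and in the tree the backbone and the branch hubs are the points to protect. The same search, run on a real inventory of links, is a quick way to find the devices that deserve redundancy or the most careful change control.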


Network Hardware Components

• Network Interface Card (NIC): Allows computers to connect and communicate with the network.
• Repeater: Used to increase the strength of an incoming signal in a network.
• Hub: Used to connect segments of a LAN. All the LAN segments can see all the packets.
• Switch: Similar to a hub; however, no equipment in the LAN segment can see the packets except the target node.
• Router: Receives data packets from one network segment and forwards them to another.
• Bridges: Combine two network segments and manage network traffic.
• Gateways: Enable communication between different types of environments and protocols.

Network Interface Card (NIC)

Connecting to a network is an integral part of computing. Computers use a network interface card to connect to the network; the card's electronic circuitry connects to wired as well as wireless networks. Other names for the NIC are network interface controller, network adapter, local area network adapter, etc. NICs provide computers with a dedicated full-time connection to the network. Each computer on a LAN contains a NIC that enables LAN transmission.
The role of a NIC in a wired connection is as follows:

• Transmission of data from one computer to another.
• Gathering the data to transmit through the network cable.
• Handling the data transmission from the computer over the data cable.
• Accepting data from the cable and converting it into bytes for processing by the CPU.
NICs are commonly used in Ethernet connections, and the available configurations are 10BASE-T, 100BASE-TX and 1000BASE-T. Recent computers have Ethernet capability built into the motherboard chipset. An Ethernet chip attached to a PCI or PCI Express bus directly on the motherboard is another method of connecting, which minimizes the need for a separate NIC. In some situations, a NIC is integrated as a component in a router, USB device, etc.


• Advantages:
• A network interface card does not have to be attached to a physical cable (wireless NICs use an antenna instead).
• The NIC is used to send data as well as to receive data.

FIGURE 1.10: NIC card for wired network

FIGURE 1.11: Wireless PC Card Network Adapter

Repeater
Repeaters are network devices generally used for restoring or repeating a signal. Repeaters can restore analog and digital signals degraded by transmission loss. With an analog signal a repeater can only amplify it (noise included), whereas with a digital signal a repeater can regenerate the signal to its original quality. Because a repeater works at the physical layer, it is transparent to the higher-layer protocols carried on the segments it joins, but it cannot translate between different physical-layer standards.

There are different types of repeaters:

• Telephone Repeater: Increases the range of the telephone signal on telephone lines. It is used in the trunk lines carrying long-distance calls. On a telephone line made of a pair of wires, the repeater is an amplifier circuit that uses power from direct current (DC) to increase the power of the alternating current (AC) audio signal on the line.


• Optical Communications Repeater: Mainly increases the signal strength on fiber optic cable, which carries digital information in the form of short pulses of light.

• Radio Repeater: Increases the strength of radio signals. A radio repeater amplifies and retransmits the radio signals using a radio receiver connected to a radio transmitter.
A normal LAN implementation limits the physical size of a single cable segment according to the physical medium and the techniques used for transmission. Repeaters play an important role in constructing a network that exceeds the size of a single physical cable segment. The LAN implementation determines the number of repeaters that can be used. Repeaters used between two or more cable segments require the same physical layer protocol on all the segments in order to send the signals across them.

• Advantages of Repeaters:
• Very simple to use.
• Low cost of implementation.
• Strengthens the signals.

• Disadvantages of Repeaters:
• Repeaters add traffic to the network and can also propagate errors, and there is a limit on the number of repeaters that can be used across a network.
• Users cannot monitor or inspect repeaters placed in an inaccessible area, and these devices have no facility to separate or filter the traffic.
• The different repeater segments must be inspected thoroughly and periodically; if this is not done, repeaters operating on different segments and different media can become compromised.

Hub
A hub is a network device used to connect multiple network devices or segments of a LAN. The main activity of the hub is to forward data arriving from one device to every other device or port. Devices connect to the hub with Ethernet cabling (usually twisted pair). Some hubs also work as a repeater, amplifying the signals. The hub is a common point of connection for many devices in the network and can contain any number of ports. When a packet arrives at any port, it is copied to all other ports, so all LAN segments see every packet. A hub provides a row of ports to connect the network cables. The smallest hub can connect four computers to a network, with an extra port to uplink to other hubs in the network. Hubs vary according to their size and commonly have 12, 16, or 24 ports.
• Types of hubs include:

• Passive Hubs: Passive hubs do not boost the signal strength before passing on the data packets; they act only as a means of transferring data between the devices in the network.

• Active Hubs: Active hubs strengthen the signal before passing it on to the other devices in the network, like a repeater does. An active hub has multiple ports and is also called a multiport repeater.

• Intelligent Hubs: Intelligent hubs are business-critical hubs providing additional management features. They are stackable, with units added on top of one another to minimize space.

• Switching Hubs: Switching hubs look at the destination address of every data packet before transferring it to the specified destination port.

• Repeater Hubs: Repeater hubs relay all inbound traffic to every port. Switching hubs, in contrast, transmit data only on the port of the host it is addressed to, so sniffer software on another port sees far less, and performance is also improved. Certain hubs offer security at the MAC level (connecting only identified MAC addresses to specified ports). Present-day hubs can also build VLANs (virtual LANs) that assemble specific ports into a virtual network that is not visible to other ports.

• Advantages:
• A flexible, simple and economical device.
• Extends the distance between nodes.
• Simple to operate: a hub needs no forwarding logic, although all of its ports share a single collision domain and CSMA/CD still governs access to it.
• Adding hubs increases the number of ports.
• Hubs managed via SNMP provide tools and statistics for better management.
• Makes use of the available cables along with other network elements.
• Hubs give a simple central connection point; dual-speed hubs can also combine relatively slow Ethernet devices with those of higher speeds, which allows a variety of devices of different speeds to be added.

• Disadvantages:
• Hubs cannot help to control the traffic.
• Data transfer rates decrease substantially as more devices are connected.
• Because a hub repeats every frame to every port, an attacker on any port of an unmonitored hub can capture all traffic passing through it.
• If a hub fails, all the computers connected to it are isolated from the network.


FIGURE 1.12: Hub (the packet of data from the server is forwarded to all connected nodes)

Switches
A network switch is the fundamental device in a wired or wireless LAN. In a wired network it receives signals from each terminal on the network through Ethernet cables; in a wireless LAN the equivalent role is played by a wireless networking switch (access point), which receives radio signals through an antenna. In both cases the device sends traffic across the LAN, permitting the computers to communicate with each other and share resources. Every computer on the LAN must contain a NIC, which carries a unique MAC address for the machine in which it is installed. A wired NIC connects through an Ethernet cable that runs to a port on the back of the switch. If the NIC is wireless, the card has a small antenna instead of an Ethernet port; the antenna exchanges signals with the wireless networking switch, which also has an antenna rather than ports. Whether wireless or wired, the switch acts as a relay, examining frames as they arrive from the various machines and sending each frame to the port of its destination MAC address.
A transmission mode is the term used to define the direction of a signal or flow of information
between two interconnected devices. Simplex mode, half-duplex mode and full-duplex mode
are types of transmission modes. Information flows only in one direction in simplex mode, i.e.,
from sender to receiver. In half-duplex mode, data flow to and from but only in one direction at
a time. Both stations can send and receive the data, but not at same time. The full-duplex mode
transmits data in both directions at the same time.

• Switch Functions:

A switch operating in full-duplex mode lets a machine on the LAN send and receive data
simultaneously. This is quicker than a hub, an alternative device that serves the same
purpose as a switch but works in half-duplex mode, so that each machine can either send or
receive at any given time. Another distinct difference between a switch and a hub is that
the switch sends traffic packets

only to the destination address. A hub, on the other hand, sends all traffic on the network to
all nodes, and the filters within each machine decide whether to accept or reject each packet.
This practice leaves the network open to eavesdropping. Switches are low-priced devices,
though the price varies with the number of ports. For those using a cable modem or a DSL
service, a broadband router with a built-in switch and firewall can replace a stand-alone
switch.

• Advantages:

• A switch has more advanced features than a hub.

• Anti-sniffing software can be run on a switched network to identify packet sniffers.

• Disadvantages:

• A switch is not infallible, as an attacker can mislead it and still employ packet
sniffers.
FIGURE 1.13: Working of switches (data sent by one node is forwarded only to the destination node)

Routers
Routers are more complex devices than repeaters and bridges. They can read network-layer
addresses and carry embedded software that identifies the exact destination address. A router
examines the multiple paths available between the addresses and selects the channel that is
appropriate for transmitting the data.

• Router Functions:

Routers function in the physical, data link, and network layers of the OSI model. They
transmit packets among several interconnected networks, sending packets from one network to
the relevant destinations in another. A packet sent from one host to another first travels to
a router and is then forwarded towards its destination network. Each router along the way in
turn transmits the packet until it


reaches the final destination. Routers act as stations on the network, but unlike ordinary
stations, which belong to a single network, routers hold addresses on, and connect to,
multiple networks simultaneously.

When a router receives a packet in an interconnected network, it reads the address and
sends the packet towards the destination address. If it does not find the corresponding
address in the local network, it can forward the packet to the next connected network based
on the best option available. After identifying the appropriate route for the packet, the
router transmits it along that network towards the other networks. If the route turns out to
be inappropriate, it sends the packet to the neighbouring network or the adjacent router,
which selects the next best path.

A router maintains a routing table that holds the paths through which routing occurs and
keeps the cost of routing across the network to a minimum. Static routing is a type of
routing in which the network administrator controls the entire routing process. Routing
includes many concepts, such as least-cost routing, which determines the most economical
paths for routing, i.e., it selects the shortest path available. In routing, "shortest" also
implies a path that is secure and fast. Some routers can also route packets across networks
that use more than one protocol.

Routers can connect different networks, such as a LAN and a WAN, to transmit data between
them, and they prevent data collisions during a broadcast. Sometimes routers also act like
other devices, such as bridges, forwarding packets for a single protocol or a group of
protocols. When a router receives packets from a multi-protocol router, it checks whether the
packets match the configured protocols and then forwards them based on the network-layer
addresses. Least-cost routing, as noted above, allocates the paths for routing and sends data
along the shortest path available.
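To make the routing-table and least-cost-path description above concrete, here is an added Python example (not code from the courseware) of a router that installs static routes, chooses the longest matching prefix with the lowest metric as the tie-break, and decrements the TTL, discarding the datagram when the TTL expires or when no route exists. The prefixes, next hops and interface names are constructed sample values.

```python
"""Routing-table lookup with longest-prefix match, metric tie-break and TTL.

Added example, not from the courseware. Prefixes, next hops and interface
names are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = directly connected: deliver to dst itself
    interface: str
    metric: int = 1           # cost; breaks ties between equally specific prefixes


class Router:
    def __init__(self):
        self.routes: List[Route] = []

    def add_static_route(self, prefix, interface, next_hop=None, metric=1):
        """Static routing: the administrator installs the route by hand."""
        net = ipaddress.ip_network(prefix, strict=True)
        self.routes.append(Route(net, next_hop, interface, metric))

    def lookup(self, dst) -> Optional[Route]:
        """Least-cost routing: the most specific prefix wins; on equal prefix
        length the route with the lowest metric (cheapest path) is chosen."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))

    def forward(self, dst, ttl):
        """Decide the fate of a packet: ("forward", details) or ("discard", why)."""
        if ttl <= 1:
            # Decrementing would reach zero, so the datagram is discarded here.
            return ("discard", "TTL expired")
        route = self.lookup(dst)
        if route is None:
            return ("discard", "no route to host")
        return ("forward", {"interface": route.interface,
                            "next_hop": route.next_hop or dst,
                            "ttl": ttl - 1})


def build_demo_router() -> Router:
    """A router with constructed static routes: two LANs, a WAN link and a default route."""
    r = Router()
    r.add_static_route("10.0.0.0/8", "eth0", next_hop="192.168.1.1", metric=10)
    r.add_static_route("10.1.0.0/16", "eth1", next_hop="192.168.2.1", metric=5)
    r.add_static_route("192.168.2.0/24", "eth1")                        # directly connected
    r.add_static_route("172.16.0.0/12", "eth0", next_hop="192.168.1.1", metric=20)
    r.add_static_route("172.16.0.0/12", "eth3", next_hop="192.168.3.1", metric=3)
    r.add_static_route("0.0.0.0/0", "eth2", next_hop="203.0.113.1")      # default route
    return r
```

Calling `build_demo_router().forward("10.1.2.3", 64)` selects the /16 route via eth1 rather than the less specific /8, and `forward("10.1.2.3", 1)` is discarded because the TTL would reach zero at this hop.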
• Advantages:

• Routers operate at the protocol level.

• Remote management and configuration via SNMP.

• Support complex networks.

• More filtering, at the cost of lower performance.

• Provide security.

• Cannot separate the broadcast collisions.

• Regularly provide bridge functions.

• Use sophisticated routing protocols such as RIP, IGRP, and OSPF.
• Disadvantages:

• Routers do not have very efficient security controls, which can lead to compromise of
the system.

• Routers cause long delays in initializing sessions for protocols such as FTP.


• The following must be checked before transmission through a router begins:

• Mapping between the ports.

• Internal addresses.

• External addresses.

• The port numbers of the internal and external addresses.

• Routers are expensive compared to other devices.

• Routers work only with protocols designed to be routed.

• Routers are slower than other devices.

• Routers add overhead, as they are not capable of separating the sent packets.

FIGURE 1.14: Working of routers (routers interconnecting ring and bus network segments)

Bridges
A bridge filters traffic at network boundaries. Bridges read the MAC address of each frame
(data packet) and forward it to the addressed destination device. They are logical devices that
keep each segment's traffic separate; by segmenting the traffic, bridges prevent congestion and
segregation problems in the network. Bridges operate in the data link layer of the OSI model.
A bridge maintains a database of the MAC addresses located in each segment, admits only the
data frames addressed to that segment and blocks unauthorized frames from entering it. When a
data frame reaches a bridge for transmission, the bridge regenerates the signal, finds the
destination address, and then sends the copy only to the appropriate network segment.

Bridges hold a 'lookup' table containing the physical addresses of all the workstations linked
to them; the table indicates which segment each workstation belongs to. When a bridge
encounters a packet of data, it checks the address against the entries in the table. Having
found the match, it determines which network segment the packet belongs to and sends the
packet to that segment. Bridges use the MAC address to make decisions about relaying network
packets, and they act as filters by deciding whether or not to relay a packet to a segment.


• Transparent Bridging:

A transparent bridge builds a routing table and checks whether a packet's destination
address is matched in that table. If the address does not match, the packet is sent to all
devices in the network except the source in order to find the correct destination for the
packet. A system with a transparent bridge must satisfy three criteria:

• Frames must be forwarded from one station to another.

• The forwarding table is learned from the movement of frames.

• Loops must be avoided.

• Loop Problem:

Transparent bridges work efficiently only if there are no redundant bridges in the network.
If two LANs are connected via two bridges, a potential loop exists in the network.

• Source Bridging:

The packets carry path information inserted into them so that the route is known. Like
switches, bridges efficiently learn the MAC addresses of all the connected clients,
peripherals, and servers. Traditional bridges provide connectivity from one workgroup to
another, while multiport bridges connect two network segments with each other. Bridges inspect
the data link layer information in the network signal. They are fitted with network filters
that let them read the source address, packet size, or protocol type. These devices are simple
to install on the network and regulate traffic efficiently.
FIGURE 1.15: Bridges (data not destined for a device on the other network is prevented from passing over the bridge)
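The forwarding behaviour described above for switches and for transparent bridges (learn the source MAC address, forward to the port recorded in the lookup table, flood when the destination is unknown, filter frames whose destination lies on the same segment) can be modelled directly. The following Python simulation is an added example, not code from the courseware; the MAC addresses, port numbers and the per-port allowed list used for MAC-level port security are constructed sample values. It also contrasts the hub, which has no table and repeats every frame to every other port, which is why a hub leaves the network open to eavesdropping.

```python
"""Learning switch / transparent bridge simulation.

Added example (not from the courseware): models the MAC-address lookup
table that switches and bridges build from the source address of each
frame, the flood-when-unknown behaviour, and MAC-level port security.
All MAC addresses and port numbers are constructed sample values.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class LearningSwitch:
    num_ports: int
    # lookup table: MAC address -> port on which that address was last seen
    table: dict = field(default_factory=dict)
    # port security: port -> set of MAC addresses allowed to send on it
    allowed: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def receive(self, in_port: int, frame: Frame) -> list:
        """Process a frame arriving on in_port; return the list of egress ports."""
        if not 0 <= in_port < self.num_ports:
            raise ValueError(f"no such port: {in_port}")

        # Port security: a source MAC that is not authorised on this port is
        # dropped and recorded, so an unexpected host cannot take the port over.
        if in_port in self.allowed and frame.src not in self.allowed[in_port]:
            self.violations.append((in_port, frame.src))
            return []

        # Learning: remember which port the source address lives behind.
        self.table[frame.src] = in_port

        # Forwarding decision.
        out_port = self.table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # Unknown or broadcast destination: flood every port except the
            # ingress port. A sniffer on any other port sees this frame.
            return [p for p in range(self.num_ports) if p != in_port]
        if out_port == in_port:
            # Destination is on the same segment: filter, do not forward.
            return []
        return [out_port]


def hub_forward(num_ports: int, in_port: int) -> list:
    """A hub has no table: every frame is repeated to every other port."""
    return [p for p in range(num_ports) if p != in_port]


def demo() -> dict:
    """Walk through learning, filtering, flooding and a port-security violation."""
    sw = LearningSwitch(num_ports=4, allowed={3: {"00:00:5e:00:53:dd"}})
    a, b, c = "00:00:5e:00:53:aa", "00:00:5e:00:53:bb", "00:00:5e:00:53:cc"
    return {
        "first_a_to_b": sw.receive(0, Frame(a, b)),      # b unknown -> flood
        "b_replies": sw.receive(1, Frame(b, a)),         # a already known on port 0
        "second_a_to_b": sw.receive(0, Frame(a, b)),     # b now known on port 1
        "same_segment": sw.receive(1, Frame(c, b)),      # b is behind port 1 -> filtered
        "broadcast": sw.receive(2, Frame(c, BROADCAST)),
        "rogue_on_port_3": sw.receive(3, Frame(a, b)),   # a is not allowed on port 3
        "violations": list(sw.violations),
        "hub": hub_forward(4, 0),
    }
```

The first frame from `a` to `b` is flooded because `b` has not yet been seen; once `b` replies, later frames between the two go to a single port, and a frame whose destination sits on the ingress segment is filtered. The `violations` list is what a defender would feed into monitoring: it records every port where an unexpected source MAC appeared.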

Gateways
Gateways act as the entry point for external networks that try to connect to an internal
network and, in the same way, as the exit point for an internal network that tries to connect
to external networks. A gateway can be a workstation or server that provides two-way
communication between networks and extends their reach. Gateways are supported at the
application and transport layers of the OSI model. They can connect devices that use different
protocols and environments: they convert between the differing protocols by assigning matching
protocols to the packets, which is why they are also called protocol translators. If gateways
have to connect or


communicate between two different network architectures, they restructure and convert the
data from one environment to the other. Gateways are task specific. They cannot filter data,
and at times they transmit malicious packets without filtering. There are two types of
gateways:

• Transport Gateways:

• They are capable of connecting different devices with a connection-oriented
transport protocol.

• They can transfer packets from one connection to the other by
restructuring/reformatting them.

• Application Gateways:

• They are intelligent components that understand the format/contents of the data
and then permit transmission.

• Email gateways translate messages and transfer them to mobile devices.

• They act as a firewall or proxy server to restrict unauthorized traffic.


Domain Name System (DNS) is a distributed hierarchic database that maps URLs to IP addresses

Figure: DNS resolution (the user asks the primary DNS server for the IP address of www.xsecurity.com; the primary server, not being authoritative for that name, contacts the Internet root server and then the authoritative DNS server for the .COM namespace, which returns the IP address XXX.XXX.XXX.XXX)

The domain name system (DNS) converts host names and internet domain names to IP addresses
and vice versa. DNS is used in TCP/IP networks. The DNS service converts the DNS name entered
by the user to its corresponding IP address. For example, the DNS service converts the domain
name www.Example.com to the IP address 192.105.232.4.

How DNS works:

DNS works in a client-server model: the client sends requests to, and receives responses from,
the DNS server. There are two types of requests:

• Forward DNS lookup: requests containing a name and resulting in an IP address.

• Reverse DNS lookup: requests containing an IP address and resulting in a name.

The DNS database is distributed across many computers and holds the names and IP addresses of
hosts and domains. The clients in this scenario are web browsers. When a web browser sends a
request such as an internet host name, the DNS resolver determines the server's IP address
using the DNS server. If it does not obtain the desired mapping from the requested DNS server,
the DNS resolver forwards the request to other DNS servers.


Figure: DNS packet format, showing the IP header, UDP header and DNS header, each row four bytes (Byte 0 to Byte 3) wide:

IP header: Ver. | H. Len. | TOS | Packet Length
           Identification | Flag | Fragment Offset
           TTL | Protocol | Header Checksum
           Source IP Address
           Destination IP Address
UDP header: Source Port | Destination Port
            UDP Length | UDP Checksum
DNS header: Query ID | QR | OPCode | AA | TC | RD | RA | Z | RCode
            Question Count | Answer Count
            Authority Count | Addl. Record Count
            DNS Query/Response Data

Field values:
QR: 0 = Query, 1 = Response
Opcode: 0 = Standard Query (QUERY), 1 = Inverse Query (IQUERY), 2 = Server Status Request (STATUS)
AA: 1 = Authoritative Answer
TC: 1 = Truncation
RD: 1 = Recursion Desired
RA: 1 = Recursion Available
Z: Reserved, set to 0
Response Code: 0 = No Error, 1 = Format Error, 2 = Server Failure, 3 = Non-existent Domain, 4 = Query Type Not Implemented, 5 = Query Refused

The DNS packet format consists of three sections, namely the IP header, the UDP header and the
DNS data. Each section has different fields with different uses, as described below:

• IP Version (4 bits): There are two types of IP packet and addressing, IPv4 and IPv6. This
field specifies the IP protocol version in use; it is set to 4 for IPv4.

• Header Length (4 bits): Length of the IP header in 32-bit words, including IP options if
any. The minimum value is 5.

• Type of Service (TOS) (8 bits): Provides quality-of-service features. The first three bits
are for IP precedence, the next four bits for TOS, and the last bit is left alone (not used).

• Total Length (16 bits): Specifies the length of the IP datagram in bytes, including both the
header and the data.

• Identification (16 bits): Distinguishes the fragments of one datagram from those of another.

• Fragment Offset (13 bits): Used to reassemble fragmented IP datagrams.

• Time-To-Live (TTL): Defines the lifetime of the IP datagram in the internet system. The TTL
field is initially set to a number and decremented by every router; when the TTL reaches
zero, the router discards the datagram (packet).

• Protocol (8 bits): Identifies the next encapsulated protocol that sits above the IP layer.

• Header Checksum (16 bits): Detects errors during IP datagram transmission; it is calculated
over the IP header.


• Source/Destination IP address: IP addresses of the sender and the receiver.

• Source/Destination port numbers: DNS servers listen on port 53. The first packet of
any exchange always carries 53 as the UDP destination port. The source port is a random
port that varies considerably.

• Query ID: Unique identifier, also termed the transaction ID, created in the query packet
and left intact by the server sending the reply. It is used to match answers with the
awaiting questions.

• QR (Query / Response): Set to "0" for a query by a client, "1" for a response from a
server.

• Opcode: Set by the client to "0" for a standard query.

• AA (Authoritative Answer): Set to "1" in a server response if the answer is authoritative,
"0" if not.

• TC (Truncated): Set to "1" in a server response if the answer cannot fit in the 512-byte
limit of a UDP response packet; it indicates that the message was truncated.

• RD (Recursion Desired): Set in a query to indicate that the query should be pursued
recursively. The client sets it to 1 if it wishes the server to perform the entire lookup of
the name recursively, or 0 if it just wants the best information the server has.

• RA (Recursion Available): A bit that is set (1) or cleared (0) in a response to indicate
whether recursion is available.

• Z (Reserved): Reserved and must be zero.

• Rcode: Response code from the server; indicates success or failure.

• Question record count: Indicates the number of DNS queries in the question section.

• Answer count: Set by the server; indicates the number of answer records returned for the
client's query.

• Authority count: Indicates the number of name server records in the authority records
section.

• Additional record count: Indicates the number of resource records in the additional
records section.

• DNS Question/Answer data: Holds the question/answer data referenced by the count
fields above.
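The IP, UDP and DNS header fields listed above can be assembled and decoded directly with Python's struct module. The following is an added example, not code from the courseware: it builds a DNS query and a matching response as raw bytes, parses every field back out (verifying the IP header checksum on the way), and applies the resolver's matching rule that a reply is accepted only when its transaction ID and its addresses and ports mirror the outstanding query. Addresses, ports and the transaction ID are constructed sample values.

```python
"""Build and parse a DNS-over-UDP-over-IPv4 packet header by header.

Added example (not from the courseware). Addresses, ports and the
transaction ID are constructed sample values; the field layouts are
those of the IPv4, UDP and DNS headers.
"""
import socket
import struct

IP_PROTO_UDP = 17
DNS_PORT = 53


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (used by the IP header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dns_flags(qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, rcode=0) -> int:
    """Pack the 16-bit DNS flags word; the three Z bits are always zero."""
    return ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9)
            | (rd << 8) | (ra << 7) | rcode)


def build_packet(src_ip, dst_ip, src_port, dst_port, txid, flags,
                 qdcount=1, ancount=0, body=b"", ttl=64) -> bytes:
    dns = struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0) + body
    udp_len = 8 + len(dns)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)  # checksum 0 = not computed (IPv4 allows it)
    ver_ihl = (4 << 4) | 5          # IPv4, header of 5 x 32-bit words
    flags_frag = 0x4000             # DF set, fragment offset 0
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + udp_len, 0x1234, flags_frag,
                     ttl, IP_PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + udp + dns


def parse_packet(pkt: bytes) -> dict:
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _cks,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    # A header whose checksum field is correct sums to zero when re-checked.
    if ones_complement_checksum(pkt[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    if proto != IP_PROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, udp_len, _ucks = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    dns = pkt[ihl + 8:ihl + udp_len]
    if len(dns) < 12:
        raise ValueError("DNS header truncated")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", dns[:12])
    return {
        "ip": {"version": version, "header_len": ihl, "tos": tos, "total_len": total_len,
               "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
               "ttl": ttl, "protocol": proto,
               "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)},
        "udp": {"src_port": sport, "dst_port": dport, "length": udp_len},
        "dns": {"txid": txid, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
                "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
                "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7, "rcode": flags & 0xF,
                "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar},
    }


def reply_matches_query(query: dict, reply: dict) -> bool:
    """The resolver's rule: QR set, same transaction ID, mirrored addresses and ports."""
    return (reply["dns"]["qr"] == 1
            and reply["dns"]["txid"] == query["dns"]["txid"]
            and reply["ip"]["src"] == query["ip"]["dst"]
            and reply["ip"]["dst"] == query["ip"]["src"]
            and reply["udp"]["src_port"] == query["udp"]["dst_port"]
            and reply["udp"]["dst_port"] == query["udp"]["src_port"])
```

A query built with `dns_flags(rd=1)` parses with QR=0 and RD=1; a response built with `dns_flags(qr=1, aa=1, rd=1, ra=1, rcode=3)` (flags word 0x8583) parses as an authoritative "Non-existent Domain" answer. `reply_matches_query` is the check a resolver performs before accepting an answer: a packet with the right ports but a different transaction ID is rejected, and a packet whose IP header checksum does not verify is refused before the DNS fields are even read.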


Transmission Control Protocol (TCP) is a connection-oriented, four-layered protocol. TCP
breaks messages into segments, reassembles them at the destination, and resends the packets
that are not received at the destination. The protocols that use TCP include the following:

• FTP (File Transfer Protocol)

• Telnet

• SMTP (Simple Mail Transfer Protocol)

• HTTP (Hypertext Transfer Protocol)

The transmission control protocol, or TCP, is a connection-oriented protocol that sets up a
network connection through which applications carry data over the internet. TCP enables a
computer to send data to another computer on the same network or on another network, and it
ensures that the receiving device receives all the packets sent by the sender. If TCP finds
that the receiver has not received all the packets, it makes the sender resend the missing
packets to the receiver. Two devices can close the TCP connection between them once the
receiver has received all the data sent by the sender. TCP does not support the broadcasting
of messages; it allows communication only between two devices. TCP and IP are the two
protocols that govern the internet overall. TCP is also responsible for breaking the
application data into packets and for how these packets are accepted and sent through the
network, and it is wholly responsible for managing the flow control of the data packets in the
network. It maintains error-free data transmission and enables retransmission of data when
data is lost. Applications such as the WWW, e-mail, remote administration and file transfer
depend on TCP. For example, a web server uses the HTTP protocol to send an HTML file to a
client; here it is TCP that assists HTTP in setting up the connection and sending the file. TCP
breaks the file into packets and numbers them, then hands them to the IP layer for delivery.
The packets may travel over multiple routes before reaching the destination IP address. TCP at
the client computer checks that all packets have arrived according to the sequence numbers
carried in the packets, and initiates a retransmission if it finds any packets missing.


Functions of TCP
• TCP acts as an interface between the application and the internet protocol.

• It provides a host-to-host connection to the transport layer in the internet model.

• TCP manages all handshaking and transmission details.

• TCP identifies the cases of packet loss and duplication due to network congestion, traffic
load balancing and other irregular activities in the network.

TCP always uses an acknowledgement for every packet sent and received. In this technique, the
receiver needs to respond using an acknowledgment to the data it receives. The sender
maintains a record of the packets it sends and keeps a timer in order to manage the packet
transmission. The timer helps in cases where the packets are lost. The acknowledgement
technique actually confirms the arrival of each packet of data in the correct order.

TCP Services
TCP is a connection oriented protocol that enables flow control and consistent data delivery
services. Consistent data delivery services are mandatory for applications such as file transfers,
database services and other services. TCP depends on IP for consistent delivery of packets.

The application layer is responsible for handling the TCP connection between the two hosts
over the network. TCP provides the following services to the application layer:

• Full-Duplex transmission: Full-duplex enables transmission of data in both directions over
a signal carrier at the same time. For example, a telephone is full-duplex, as it allows both
parties in the call to talk at the same time. Most modems give users the option to choose
between full-duplex and half-duplex; the choice depends on the application the user is
running.

• Half-Duplex transmission: Half-duplex allows transmission of data in both directions, but
only in one direction at a time. For example, with a walkie-talkie only one user can transmit
at a time.

• Simplex transmission: Only one party can transmit, and only in one direction. Both parties
involved in the transmission need to use the same frequency. For example, in TV and radio the
signals travel in one direction only (from the transmitter site to many receivers).

Most of the TCP connections are duplex which means that it allows the data to flow in both
directions. Simplex mode, full-duplex mode and half-duplex modes are different types of
transmission modes that determine the flow of information between two communicating
devices.

TCP Operation
The overall operation of TCP describes how the Transmission Control Protocol manages the
connections between two communicating parties. TCP provides functions such as data handling,
flow control and reliability in data transmission. These functions are


possible only in the presence of a proper and consistent connection. The criteria to identify the
two communicating parties are as follows:

• Sender's IP address

• Sender's protocol port number

• Receiver's IP address

• Receiver's protocol port number


FIGURE 1.16: TCP Operation (port numbers are used to indicate which application the receiving host should pass the data to; at the source the application header and data are wrapped in an IP header and then in a frame header and trailer, and the destination unwraps them in reverse order)

A consistent TCP connection is established using the sliding window, sequence and
acknowledgement numbers, and synchronization.

• Sliding Window: The TCP segment has a Window size field that represents the amount of data
the receiver can accept. A window size of zero means that it cannot accept any data from the
sender, while a non-zero window size means that it is ready to accept data from the sender.
The sender maintains its own window that covers the unacknowledged data and the amount of
data it may still send to the receiver.

FIGURE 1.17: Sliding Window (bytes 10 to 12 are already acknowledged; the window offered by the receiver covers bytes 13 to 18, of which 13 to 15 are sent but not yet acknowledged and 16 to 18 form the usable window that can be sent; bytes 19 onward are outside the window and cannot be sent)

In the above figure:

• The window size of the receiver is 6, which means the receiver can accept 6 bytes of
data.

• The window size of the sender is 6, ranging from byte 13 to byte 18.

• Here, bytes 13 to 15 have not yet been acknowledged by the receiver.


• The sender can send bytes 16 to 18.

• The left end of the window closes as soon as the sender receives the acknowledgement
for bytes 13 to 15.

• The window slides to the right depending on the time the receiver takes to send the
acknowledgement to the sender.

• Sequence and acknowledgement numbers: The parties participating in a TCP session
maintain a 32-bit sequence number in order to identify the amount of data sent. The sender
sends a packet along with a sequence number, and the receiver acknowledges it with an
acknowledgement number in order to confirm receipt of the data packets. The sender can
choose any random sequence number as the initial sequence number. Sequence numbers range
from 0 to 4,294,967,295.
Three-Way Handshake
A three-way handshake is the exchange between the client and the server in a TCP/IP network
that establishes a connection. The client and the server exchange packets carrying the SYN and
ACK flags in order to set up consistent data communication. The other name for the three-way
handshake is the TCP handshake. While establishing the connection, the client and the server
agree upon an acknowledgement number and a sequence number: the sender determines the
sequence number, whereas the receiver determines the acknowledgement number. The
acknowledgement number is the sequence number plus the number of bytes received. The three
steps involved in the three-way handshake are as follows:

FIGURE 1.18: Three-Way Handshake (Host A sends a SYN to Host B; Host B receives the SYN and sends SYN+ACK with Seq=300, ack=101, ctl=SYN,ACK; Host A receives it and replies with Seq=101, ack=301, ctl=ACK, after which the connection is established)

• The client sends a request to the server with the SYN flag set in order to establish a
connection.

• The server accepts the request and sends an acknowledgement to the client along with the
SYN flag.

• The client receives the SYN + ACK from the server and sends an ACK back to the server.

Thus, the above steps establish the connection between the client and the server. They can
then send data easily, as each is aware of the other's sequence and acknowledgment numbers.
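The handshake steps and the sliding window figure above are reproduced by the following Python state machine, an added example that is not part of the courseware. It assumes initial sequence numbers of 100 for the client and 300 for the server so that the SYN+ACK (Seq=300, ack=101) and the ACK (Seq=101, ack=301) match the handshake figure; a real stack picks random ISNs. The client refuses a SYN+ACK whose acknowledgement number does not equal its own ISN plus one, and `sender_window()` splits the sender's window into sent-but-unacknowledged and usable bytes as in Figure 1.17.

```python
"""TCP three-way handshake and sender-side sliding window.

Added example (not from the courseware). The initial sequence numbers
100 (client) and 300 (server) are assumed so that the exchange matches
the Seq/ack values in the handshake figure; real stacks pick random ISNs.
"""
from dataclasses import dataclass

MOD = 2 ** 32  # sequence numbers wrap after 4,294,967,295


@dataclass(frozen=True)
class Segment:
    seq: int
    ack: int
    flags: frozenset   # subset of {"SYN", "ACK"}


class TcpEndpoint:
    def __init__(self, name: str, isn: int):
        self.name = name
        self.state = "CLOSED"
        self.snd_nxt = isn % MOD   # next sequence number we will send
        self.rcv_nxt = None        # next sequence number we expect from the peer

    def listen(self):
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """Step 1: the client sends SYN carrying its initial sequence number."""
        self.state = "SYN_SENT"
        seg = Segment(self.snd_nxt, 0, frozenset({"SYN"}))
        self.snd_nxt = (self.snd_nxt + 1) % MOD   # SYN occupies one sequence number
        return seg

    def receive(self, seg: Segment):
        """Drive the state machine; return the segment to send back, if any."""
        if self.state == "LISTEN" and seg.flags == {"SYN"}:
            # Step 2: the server records the client's ISN and answers SYN+ACK.
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "SYN_RECEIVED"
            reply = Segment(self.snd_nxt, self.rcv_nxt, frozenset({"SYN", "ACK"}))
            self.snd_nxt = (self.snd_nxt + 1) % MOD
            return reply
        if self.state == "SYN_SENT" and seg.flags == {"SYN", "ACK"}:
            # Step 3: the client checks that its own SYN was acknowledged, then ACKs.
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: SYN+ACK does not acknowledge our SYN")
            self.rcv_nxt = (seg.seq + 1) % MOD
            self.state = "ESTABLISHED"
            return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RECEIVED" and seg.flags == {"ACK"}:
            if seg.ack != self.snd_nxt:
                raise ValueError(f"{self.name}: ACK does not acknowledge our SYN")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: unexpected {sorted(seg.flags)} in state {self.state}")


def handshake(client_isn: int = 100, server_isn: int = 300) -> list:
    """Run the three steps; return them as (sender, seq, ack, flags) tuples."""
    client, server = TcpEndpoint("client", client_isn), TcpEndpoint("server", server_isn)
    server.listen()
    syn = client.connect()
    syn_ack = server.receive(syn)
    ack = client.receive(syn_ack)
    server.receive(ack)
    assert client.state == server.state == "ESTABLISHED"
    return [("client", syn.seq, syn.ack, "SYN"),
            ("server", syn_ack.seq, syn_ack.ack, "SYN,ACK"),
            ("client", ack.seq, ack.ack, "ACK")]


def sender_window(first_unacked: int, window: int, next_seq: int):
    """Split the sender's window (as in Figure 1.17) into the bytes sent but not
    yet acknowledged and the usable bytes that may still be sent."""
    if not first_unacked <= next_seq <= first_unacked + window:
        raise ValueError("next_seq must lie inside the offered window")
    return (list(range(first_unacked, next_seq)),
            list(range(next_seq, first_unacked + window)))
```

`handshake()` returns the three segments of the figure in order. `sender_window(13, 6, 16)` reproduces the figure (13 to 15 unacknowledged, 16 to 18 usable); once the acknowledgement for bytes 13 to 15 arrives, `sender_window(16, 6, 16)` shows the window slid to cover bytes 16 to 21.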


TCP Header Format

Figure: TCP header layout (each row 0-31 bits wide): Source Port No (16 bits) | Destination Port No (16 bits); Sequence No (32 bits); Acknowledgement No (32 bits); Header Length (4 bits) | Reserved (6 bits) | URG, ACK, PSH, RST, SYN, FIN (1 bit each) | Window Size (16 bits); TCP Checksum (16 bits) | Urgent Pointer (16 bits); Options (if any) and padding; Data (if any)

TCP breaks the data into packets and adds a header to every data packet, creating a TCP
segment. The TCP segment is encapsulated in an IP datagram. It consists of the TCP header and
the data: the TCP header consists of ten mandatory fields and an optional extension field, and
the data section, carrying the payload for the application, follows the header. The header does
not specify the length of the data section; subtracting the combined length of the TCP header
and the encapsulating IP header from the total IP datagram length gives the length of the data
section. The fields in the TCP segment header are as follows:

• Source port (16 bits): Numerical value that indicates the source port.

• Destination port (16 bits): Numerical value that indicates the destination port.

• Sequence number (32 bits): The sequence number of the first data octet in the segment. When
SYN is present, the sequence number is the ISN and the first data octet is ISN+1.

• Acknowledgment number (32 bits): When the ACK bit is set, this field contains the next
sequence number that the sender of the segment expects to receive; it is always sent once a
connection between the two hosts has been established.

• Header length (4 bits): Indicates the number of 32-bit words in the header. Another name
for the header length is the Data Offset field.

• Reserved (6 bits): Reserved for future use. It must be set to zero.


• Control bits (6 bits): The control bits handle connection establishment, data
transmission and connection termination. More than one control bit can be set
simultaneously. The control bits in the TCP header are:

• URG: Urgent Pointer field significant.

• ACK: Acknowledgment field significant.

• PSH: Push Function. Whenever TCP receives a request from the application to push data,
TCP must send the accumulated data immediately, without waiting for more.

• RST: Reset the connection. A reset forces TCP to drop the connection instantly; it forces
both parties involved in the data transmission to break the connection, which can lead to
loss of data.

• SYN: Synchronize sequence numbers.

• FIN: Close the connection. The FIN flag signals the closing of the TCP connection.

• Window (16 bits): The number of octets the receiver is willing to accept, beginning with
the one indicated in the acknowledgement field.

• Checksum (16 bits): Header and the data are covered. Here the system calculates the
checksum by attaching a pseudo header before or in front of a TCP segment.

• Urgent (URG) pointer: This field shows the data meant for quick transmission. Moreover,
it points to the position where the urgent data actually ends.

• Options: Systems can deliver the options at the end of the header, but it should
implement them completely and must have a length that is a multiple of 8-bits. The three
different options include:

• End of option list: This list gives the end of option list. Instead of using at the end of
each option individually, it displays as the final option. This option comes into picture
only when the end of the option does not coincide with the end of the TCP header.

• No operation: This option clearly specifies the boundaries between multiple options
and between other options. For instance, it aligns at the beginning of a subsequent
option on a word boundary. There is no assurance that a sender will use this option.
So, the receiver should be prepared to process the option even if it does not begin the
subsequent option on a word boundary.

• Maximum segment size: It is the maximum segment size that TCP can receive and the
size is sent at the beginning of the connection establishment process.

• Padding: Indicates that the TCP header ends and data begin at a 32-bit boundary. It
consists of all zeros.

• Data: The bytes of data send in the segment.
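The following Python example is added here and is not EC-Council code: it assembles a TCP header from the fields listed above (Data Offset in 32-bit words, the six control bits, an MSS option padded to a word boundary) and decodes it again, walking the option list with the End-of-option-list and No-operation rules described. Function names and the sample SYN segment are the example's own assumptions.

```python
import struct

# Bit positions of the six control bits in the flags byte of the TCP header
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}

# Option kinds discussed above
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def build_tcp_header(src_port, dst_port, seq, ack, flags, window, mss=None):
    """Build a TCP header (checksum left at zero) with an optional MSS option.

    Options are padded with End-of-option-list/zero bytes so the header is a whole
    number of 32-bit words, as the Data Offset field requires.
    """
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", OPT_MSS, 4, mss)   # kind, length, value
    while len(options) % 4:
        options += bytes([OPT_EOL])
    data_offset = 5 + len(options) // 4                   # 32-bit words
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port, seq, ack,
                        data_offset << 4,        # 4-bit Data Offset, 4 reserved bits
                        flag_bits,               # 2 reserved bits, 6 control bits
                        window, 0, 0)            # checksum and urgent pointer
    return fixed + options


def parse_tcp_header(segment):
    """Decode the mandatory fields and walk the option list until EOL or the data."""
    (src, dst, seq, ack, off_res, flag_bits,
     window, checksum, urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (off_res >> 4) * 4                       # Data Offset in bytes
    flags = [name for name, bit in TCP_FLAGS.items() if flag_bits & bit]
    options = {}
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:          # end of option list: the rest is padding
            break
        if kind == OPT_NOP:          # no operation: one-byte alignment filler
            i += 1
            continue
        length = segment[i + 1]      # every other option carries kind, length, value
        value = segment[i + 2:i + length]
        if kind == OPT_MSS:
            options["MSS"] = struct.unpack("!H", value)[0]
        else:
            options[kind] = value
        i += length
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "window": window,
        "checksum": checksum, "urgent_pointer": urg, "options": options,
        "payload": segment[header_len:],
    }


if __name__ == "__main__":
    # Constructed sample: a SYN from ephemeral port 49152 to port 443 advertising MSS 1460
    syn = build_tcp_header(49152, 443, seq=1000, ack=0, flags=["SYN"], window=65535, mss=1460)
    print(parse_tcp_header(syn + b"payload"))
```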


TCP/IP Protocol Stack: User Datagram Protocol (UDP)

• UDP is a connectionless transport protocol that exchanges datagrams, without
acknowledgments or guaranteed delivery

• It uses no windowing or acknowledgments, so reliability, if needed, is provided by
application layer protocols

• The protocols that use UDP include:

• TFTP (Trivial File Transfer Protocol)
• SNMP (Simple Network Management Protocol)
• DHCP (Dynamic Host Configuration Protocol)

• UDP Segment Format

[Slide figure: UDP segment layout. # of bits: 16 | 16 | 16 | 16 | ... : Source Port | Destination Port | Length | Checksum | Data ...]

UDP is a connectionless protocol that provides low-latency, loss-tolerating connections
between applications on the Internet. Unlike TCP, UDP does not promise consistent delivery
of data using acknowledgements and sequence numbers. The data passes over the network as
datagrams. UDP offers two services: port numbers, to distinguish the different user requests,
and a checksum, to confirm that the data arrived intact. Broadcasting of messages requires UDP.
Applications like gaming and video applications use UDP for data transmission. Data
transmission using UDP may lead to packet loss, but this does not affect the quality of the data
transmitted over the network. Forward error correction is a technique that helps improve
audio and video signals. UDP uses the lossless transmission mechanism for the transmission
of large files. The lossless transmission mechanism helps in the retransmission of lost data
packets, thereby increasing the data transfer rate. The UDP header format includes:

[Figure: UDP header layout. # of bits: 16 | 16 | 16 | 16 | ... : Source Port | Destination Port | Length | Checksum | Data ...]

FIGURE 1.19: UDP header format

• Source Port: The port number of the sending process. It determines where the reply
packet is sent. If the source host is the server, the port number can be a well-known
port number, whereas if the source is the client, the port number can be an ephemeral
port number.


• Destination Port: The port number of the receiving process. As with the source port, if the
destination is a client, the port number can be an ephemeral port number, whereas if the
destination is a server, the port number can be a well-known port number.

• Length: Specifies the combined length of the UDP header and the UDP data. The minimum
value is 8 bytes.

• Checksum: Performs error checking of the data and the header. It uses the standard
Internet checksum algorithm and verifies whether the correct destination received the
packet according to the IP address, port number and protocol specified in the header.

UDP Operation
The primary operation of UDP is to collect data from the higher-layer protocols, place it in
UDP messages and forward the UDP datagrams to the Internet Protocol for transmission. UDP
provides a checksum capability that helps detect errors in the data transmission, confirms the
proper transmission of the UDP message and detects whether the message reached the exact
destination or not. The basic steps involved in the transmission of data using UDP are as
follows:

• Higher-Layer Data Transfer: The application sends a message to the UDP software.

• UDP Message Encapsulation: UDP encapsulates the received message into the Data field
of a UDP message and fills in the header fields: source port, destination port, length,
and the checksum value, which may be calculated.

• Transfer Message to IP: UDP passes the message to IP for transmission.
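The three steps above, as an added Python example (not EC-Council code): a payload is encapsulated in a UDP header and the checksum is computed over the pseudo header (source and destination IP addresses, protocol number and UDP length) that the TCP checksum description on the previous page also refers to, which is what lets the receiver reject a datagram delivered to the wrong host. The function names, addresses and payload are this example's own assumptions.

```python
import socket
import struct

IPPROTO_UDP = 17  # the IP header's protocol value for UDP


def inet_checksum(data):
    """Standard Internet checksum: ones-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, udp_length):
    """The IPv4 pseudo header is prepended only for checksum purposes and never transmitted.

    Including the addresses and protocol ties the checksum to the intended destination.
    """
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, IPPROTO_UDP, udp_length)


def build_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Encapsulate payload: source port, destination port, length (header + data), checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = inet_checksum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF   # UDP sends all ones when the computed checksum is zero
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp(src_ip, dst_ip, datagram):
    """Return (fields, checksum_ok) for a received datagram.

    A zero checksum means the sender did not compute one; a length shorter than the
    8-byte header or longer than the datagram is rejected before any checksum work.
    """
    src_port, dst_port, length, csum = struct.unpack("!HHHH", datagram[:8])
    fields = {"src_port": src_port, "dst_port": dst_port, "length": length,
              "checksum": csum, "payload": datagram[8:length]}
    if length < 8 or length > len(datagram):
        return fields, False
    if csum == 0:
        return fields, True
    ok = inet_checksum(pseudo_header(src_ip, dst_ip, length) + datagram[:length]) == 0
    return fields, ok


if __name__ == "__main__":
    # Constructed sample: a datagram from an ephemeral port to port 53
    dgram = build_udp("192.168.168.1", "192.168.168.3", 49152, 53, b"constructed payload")
    print(verify_udp("192.168.168.1", "192.168.168.3", dgram))
    # The same datagram checked against a different destination address fails
    print(verify_udp("192.168.168.1", "192.168.168.2", dgram))
```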

[Figure: application messages are handed down to TCP or UDP and then carried across the Internet, your LAN, and many LANs and WANs.]

FIGURE 1.20: Passing messages to TCP and UDP


Comparison of UDP and TCP

• TCP:

• Reliability: TCP provides reliability at the transport layer. It manages message
acknowledgement, retransmission and timeouts. It confirms the arrival of all packets
at the receiver and repeatedly attempts retransmission of lost packets.

• Ordered: It ensures that messages arrive in order. It rearranges data that arrives
out of sequence.

• Heavyweight: TCP manages reliability and congestion control.

• Streaming: TCP manages data as a byte stream.

• Connection-oriented: Creates a session between the hosts.

• UDP:

• Unreliable: UDP does not confirm the arrival of packets at the destination. It does not
attempt to retransmit lost packets and has no concept of acknowledgement.

• Not ordered: UDP does not guarantee the sequence in which packets arrive at the
destination.

• Datagrams: UDP handles packets individually and deals with each one only after it
arrives at the destination.

• Connectionless: Does not create a session between the hosts.

• Broadcasts: UDP can send packets to a single device or broadcast them to multiple
devices.


TCP/IP Protocol Stack: Internet Protocol (IP)

• Internet Protocol (IP) is the fundamental network layer protocol in the TCP/IP protocol suite
and is primarily responsible for sending datagrams across network boundaries

[Slide figure: IPv4 header laid out in rows of 0-31 bits: IP Version (4 bits), Header length (4 bits), ...; Identification (Fragment ID) (16 bits), flags, Fragment Offset (13 bits); Time-to-live (TTL) (8 bits), ...; Source IP Address (32 bits); ...]

IP is a network layer protocol in the TCP/IP communications protocol suite. In networking,
data is always sent as packets or datagrams. IP provides a universally defined address and
eliminates the need to create a connection before sending data. IP also provides a datagram
service that carries data to the destination without much guarantee that the packets actually
arrive there. Packets can be lost on the way to the destination or can arrive completely or
partially damaged.
There are two versions of IP available: Internet Protocol version 4 (IPv4) and Internet Protocol
version 6 (IPv6). The commonly used version is IPv4, which uses a 32-bit address. IPv6 is an
improved version of IPv4 and uses 128-bit source and destination addresses. The IP header
precedes the IP packet's data and contains information such as the IP version, source IP,
destination IP and TTL. The header holds the data required to route the packet across the
Internet. The IP header has the same format regardless of the data it carries.

Various fields in the IP header are as follows:


• IP Version (4 bits): There are two types of IP packet and addressing, IPv4 and IPv6. This
field specifies the IP protocol version in use. For IPv4, the value is always set to 4.

• Header Length (4 bits): Length of the IP header in 32-bit words, including IP options if
any. The minimum value is 5.


• Type of Service (TOS) (8 bits): Provides quality of service features. The first three bits are
for IP precedence, the next four bits for TOS, and the last bit is unused.

• Total Length (16 bits): Specifies the length of the IP datagram in bytes. It includes the
length of the header and the data.

• Identification (16 bits): Distinguishes the fragments of one datagram from those of another.

• Fragment Offset (13 bits): Used to reassemble fragmented IP datagrams.

• Time-to-Live (TTL): Defines the lifetime of the IP datagram in the Internet system. The
TTL field is initially set to a number and decremented by every router. When the TTL
reaches zero, the router discards the datagram (packet).

• Protocol (8 bits): Identifies the next encapsulated protocol that sits above the IP layer.

• Header Checksum (16 bits): Detects errors during IP datagram transmission. It is
calculated over the IP header only.

• Source IP Address (32 bits): This field represents the IP address of the sender.

• Destination IP Address (32 bits): This field represents the IP address of the receiver
(destination).

• Options (variable in length): This is an optional field. It lists the options that apply to the
current IP datagram.

• Data (variable in length): This field contains the data from the protocol layer that handed
the data over to the IP layer.


IP Header: Protocol Field

• The IP packet has a protocol field that specifies whether a segment is TCP or UDP

[Slide figure: IPv4 header with 4-bit Version, Header Length, 8-bit Type of Service (TOS), 16-bit Total Length (in bytes), 8-bit Time-to-Live, 8-bit Protocol, 16-bit Header Checksum, 32-bit Source IP Address, 32-bit Destination IP Address, Options (if any), Data; the Protocol field selects TCP (connection-oriented) or UDP (connectionless).]

The protocol field in the IP header determines which service at the next higher level of the
protocol stack receives the datagram. The protocol field is eight bits long and can therefore
identify up to 256 protocols. Multiple higher-layer protocols can use IP (multiplexing).
"Assigned Numbers" specifies the values for the various protocols. Some common protocol
values (1 octet) are as follows:

• 0 (0x00) IPv6 Hop-by-Hop Option

• 1 (0x01) ICMP protocol

• 2 (0x02) IGMP protocol

• 4 (0x04) IP over IP

• 6 (0x06) TCP protocol

• 17 (0x11) UDP protocol

• 41 (0x29) IPv6 protocol
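An added Python example (not part of the courseware) that puts the IPv4 header fields and the protocol values above to work: it assembles an IPv4 header, fills in the header checksum, and decodes a received packet, reading the Header Length in 32-bit words so that options are skipped correctly, verifying the checksum, and mapping the Protocol field to the names listed above. Function names and the sample addresses are assumptions of the example.

```python
import socket
import struct

# Protocol field values from the "Assigned Numbers" list above
IP_PROTOCOLS = {0: "IPv6 Hop-by-Hop Option", 1: "ICMP", 2: "IGMP", 4: "IP over IP",
                6: "TCP", 17: "UDP", 41: "IPv6"}


def inet_checksum(data):
    """Standard Internet checksum: ones-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src_ip, dst_ip, protocol, payload, ttl=64, ident=0, options=b""):
    """Assemble an IPv4 header; IHL grows with options and the header checksum is filled in."""
    while len(options) % 4:             # options are padded to a 32-bit boundary
        options += b"\x00"
    ihl = 5 + len(options) // 4         # header length in 32-bit words, minimum 5
    total_length = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_length, ident, 0,   # flags/offset = 0
                         ttl, protocol, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + options
    csum = inet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def parse_ipv4(packet):
    """Decode the header fields described above and check the header checksum.

    The checksum covers only the header, so payload corruption is left to the
    transport checksum; Total Length minus the header length yields the payload.
    """
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, protocol, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or total_length > len(packet):
        raise ValueError("malformed IPv4 header")
    return {
        "version": version,
        "header_len": header_len,
        "tos": tos,
        "total_length": total_length,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,    # stored in 8-byte units
        "ttl": ttl,
        "protocol": protocol,
        "protocol_name": IP_PROTOCOLS.get(protocol, "other"),
        "checksum_ok": inet_checksum(packet[:header_len]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_len],
        "payload": packet[header_len:total_length],
    }


if __name__ == "__main__":
    # Constructed sample: an IPv4 packet carrying a UDP segment (protocol 17)
    pkt = build_ipv4("192.168.168.1", "192.168.168.3", 17, b"constructed udp segment")
    print(parse_ipv4(pkt))
    # Changing the TTL without recomputing the checksum is detected as a header error
    damaged = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]
    print(parse_ipv4(damaged)["checksum_ok"])
```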


What is Internet Protocol v6 (IPv6)?

• IPv6, also called IPng or next generation protocol, provides a base for enhanced Internet
functionalities

• The most important feature of IPv6 is that it can store a larger address space in comparison
to IPv4

• IPv6 contains both addressing and controlling data or information to route packets for the
next-generation Internet

• IPv6 features that provide a platform for growth of IT development:

• Expandable address space (large and diverse) and routing capabilities
• Scalable to new users and services
• Auto configuration ability (plug-n-play)
• Mobility (improves mobility model)
• End-to-end security (high comfort factor)
• Extension headers (offer enormous potential)
• Better authentication and privacy checks
• Support for source demand routing protocol
• Improved Quality of Service (QoS)

Internet Protocol version 6 is the most recent version of the Internet Protocol. It provides a
mechanism for identifying the computers in a network and performs routing of traffic across the
Internet. To meet the increasing requirements, the Internet Engineering Task Force (IETF)
started a working group called Internet Protocol next generation (IPng) to conduct research,
experiments and recommendations for a new generation of the IP protocol. It eventually
produced the specification for Internet Protocol version 6 (IPv6), described in Internet
standard document RFC 2460. Experts consider IPv6 a replacement for IPv4. Like IPv4, IPv6
uses a source and destination address to carry data packets over the network. IPv6 has a very
large address space: its addresses are 128 bits long, compared to 32 bits in IPv4.

The features of IPv6 include:

• IPv6 is an Internet-layer protocol for packet-switched internetworking; it provides end-to-end
transmission of data across multiple IP networks.

• IPv6 provides a large address space for the increasing demands of Internet users.

• It has a new packet header format that minimizes packet-processing overhead and the
size of routing entries. Routers can process IPv6 headers efficiently and easily.

• IPv6 uses globally unique addresses with an efficient, hierarchical routing infrastructure
that relies on prefix length rather than address classes. This allows backbone routers to
keep small routing tables.


• IPv6 simplifies host configuration with stateless and stateful address configuration for
network interfaces.

• In IPv6, hosts on a link can automatically configure themselves with link-local addresses
by responding to the prefixes advertised by the local routers. When a host sends a request
to a local router to connect to that network, the router responds by sending its
configuration parameters. This lets the host configure itself automatically with the
available router. An IPv6 host can even configure itself when there are no routers.

• IPv6 has an inbuilt security feature called integrated Internet Protocol Security (IPsec). It is
a set of Internet standards based on cryptographic security services providing
confidentiality, data integrity and authentication.

• IPv6 supports unicast and multicast communication along with a new communication type
called anycast. In the anycast communication method, only the specific associated
address in a network receives the messages.

• IPv6 provides better support for quality of service (QoS) with proper management of
network traffic.


IPv6 Header

[Slide figure: IPv6 fixed header in rows of 0-31 bits: Traffic Class, Flow Label; Payload Length, Next Header, Hop Limit; Source IP Address; Destination IP Address]

The IPv6 address is four times larger than the IPv4 address. However, the IPv6 header is only
two times larger than the IPv4 header. The IPv6 header consists of one fixed header and zero
or more extension headers. The extension headers carry information that assists routers in
determining the flow of a packet.
The IPv6 fixed header is 40 bits long and its fields consist of:

• Version (4 bits): Specifies the version of the Internet Protocol.

• Traffic class (8 bits): Identifies the data packets that belong to the same traffic class and
distinguishes packets with different priorities.

• Flow label (20 bits): This field avoids reordering of data packets and maintains the
sequential flow of data packets belonging to the same communication.

• Payload length (16 bits): Informs the router of the length of the data carried in the
packet's payload.

• Next header (8 bits): Identifies the type of header that follows the IPv6 header, located
at the beginning of the data field (payload) of the IPv6 packet.

• Hop limit (8 bits): Replaces the time-to-live field of IPv4. It identifies and discards
packets that are stuck in an indefinite loop due to routing information errors. When the
counter reaches zero, the packet is discarded.

• Source IP address (128 bits): IPv6 address of the sending host.

• Destination IP address (128 bits): IPv6 address of the receiving host (destination).


Extension Header
The fixed header carries only the required information. Information that is rarely used or not
required is placed between the fixed header and the upper-layer header, in extension headers.
Each extension header is identified by a distinct value in the preceding header's Next Header
field.

The IPv6 header points to the first extension header. If there is more than one extension
header, each extension header points to the next one, and the last extension header points to
the upper-layer header. The sequence of the extension headers is as follows:

IPv6 header
Hop-by-Hop Options header
Destination Options header (1)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (2)
Upper-layer header

FIGURE 1.21: Sequence of IP headers

The extension headers are arranged as a linked list, one header after the other.
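The linked list just described, as an added Python example (not EC-Council code): the fixed header is decoded and the Next Header chain is followed through the extension headers until the upper-layer protocol is reached, with bounds checks so a truncated or looping chain is rejected rather than read past the payload. The per-header length encodings are assumed from RFC 8200 (they are not stated on this page), and the sample packet and function names are the example's own.

```python
import struct

# Next Header values for the extension headers in the sequence above and common upper layers
HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP = 0, 60, 43, 44, 51, 50
NEXT_HEADER_NAMES = {0: "Hop-by-Hop Options", 60: "Destination Options", 43: "Routing",
                     44: "Fragment", 51: "Authentication Header",
                     50: "Encapsulating Security Payload", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
IPV6_FIXED_HEADER_LEN = 40


def parse_ipv6_fixed(packet):
    """Decode the fixed header fields listed above."""
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    return {
        "version": first >> 28,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": packet[8:24],
        "dst": packet[24:40],
    }


def walk_extension_headers(packet, max_headers=16):
    """Follow the Next Header chain; return (chain, upper-layer name, upper-layer offset).

    Length rules assumed from RFC 8200: Hop-by-Hop, Destination Options and Routing
    carry a Hdr Ext Len in 8-octet units not counting the first 8 octets; Fragment is
    always 8 octets; AH carries its length in 4-octet units minus 2. ESP conceals what
    follows it, so the walk stops there too.
    """
    fixed = parse_ipv6_fixed(packet)
    if fixed["version"] != 6:
        raise ValueError("not an IPv6 packet")
    end = IPV6_FIXED_HEADER_LEN + fixed["payload_length"]
    if end > len(packet):
        raise ValueError("payload length exceeds packet")
    nh, offset, chain = fixed["next_header"], IPV6_FIXED_HEADER_LEN, []
    while nh in (HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH):
        if len(chain) >= max_headers or offset + 8 > end:
            raise ValueError("extension header chain truncated or too long")
        next_nh, ext_len = packet[offset], packet[offset + 1]
        if nh == FRAGMENT:
            hdr_len = 8
        elif nh == AH:
            hdr_len = (ext_len + 2) * 4
        else:
            hdr_len = (ext_len + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header runs past the payload")
        chain.append(NEXT_HEADER_NAMES[nh])
        nh, offset = next_nh, offset + hdr_len
    return chain, NEXT_HEADER_NAMES.get(nh, "other (%d)" % nh), offset


def build_sample_packet():
    """Constructed IPv6 packet: Hop-by-Hop -> Fragment -> UDP, with placeholder addresses."""
    hop_by_hop = bytes([FRAGMENT, 0]) + b"\x01\x04\x00\x00\x00\x00"   # 8 octets, PadN option
    fragment = bytes([17, 0]) + struct.pack("!HI", 0, 0xABCD)           # 8 octets, next = UDP
    udp = struct.pack("!HHHH", 49152, 53, 8 + 4, 0) + b"data"
    payload = hop_by_hop + fragment + udp
    fixed = (struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)
             + b"\xfd" + b"\x00" * 15 + b"\xfd" + b"\x00" * 14 + b"\x01")
    return fixed + payload


if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
```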


TCP/IP Protocol Stack: Internet Control Message Protocol (ICMP)

• IP is an unreliable protocol which does not guarantee the successful delivery of the
network packet

• IP reports to the sender when data transmission fails

• Internet Control Message Protocol (ICMP) overcomes this basic limitation of IP

• ICMP is an error-reporting protocol used for diagnostic purposes, generating error messages
when there is a problem in the delivery of IP packets

• ICMP does not overcome the unreliability issues of IP; instead, it reports the failure of
data transmission to the sender

ICMP is an error-reporting protocol used by networking devices like routers to send error
messages. ICMP also relays query messages. ICMP is not a transport protocol that sends data
between two communicating systems; network administrators troubleshooting Internet
connections are its main users. ICMP transmits messages as datagrams, each consisting of an
IP header that encapsulates the ICMP data. The IP packets carry ICMP in the IP data field. ICMP
messages can also contain the IP header of the original message, which helps the end system
understand why and which packet failed. The ICMP header follows the IPv4 or IPv6 header and
identifies itself as protocol number 1.

The ICMP protocol consists of three fields:

• The type, which identifies the ICMP message.

• The code, which contains more information about the type field.

• The checksum, which detects errors that originated during transmission.

The ICMP data and the IP header follow these three fields in the ICMP protocol.


Format of an ICMP Message

[Slide figure: the ICMP type values (0 Echo Reply through 41-255 Reserved, as listed in Table 1.1 below), the Type 3 Destination Unreachable code values (0 Net Unreachable through 15 Precedence cutoff in effect, as listed in Table 1.2 below), and the message layout: Type (8 bits) | Code (8 bits) | Checksum (16 bits); Parameters; Data ...]

ICMP messages consist of an IP header that encapsulates the ICMP data. ICMP transmits the
data as datagrams. ICMP packets are IP packets with ICMP in the IP data portion. ICMP
messages also contain the entire IP header from the original message, so the end system knows
which packet failed.
The structure of an ICMP message begins with three fields that have the same size and the
same meaning in all ICMP messages, although their values differ from one message type to
another. The remaining part contains fields that are specific to each type of message. The
common message format is the same for ICMPv4 and ICMPv6.


• Type: This field identifies the ICMP message type. For ICMPv6, values from 0 to 127 are
error messages and values 128 to 255 are informational messages. The length of this field
is 1 byte. The types are defined as:

Type Name

0 Echo Reply
1 Unassigned
2 Unassigned
3 Destination Unreachable
4 Source Quench
5 Redirect
6 Alternate Host Address
7 Unassigned
8 Echo
9 Router Advertisement
10 Router Solicitation
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
17 Address Mask Request
18 Address Mask Reply
19 Reserved (for Security)
20-29 Reserved (for Robustness Experiment)
30 Traceroute
31 Datagram Conversion Error
32 Mobile Host Redirect
33 IPv6 Where-Are-You
34 IPv6 I-Am-Here
35 Mobile Registration Request
36 Mobile Registration Reply
37 Domain Name Request
38 Domain Name Reply
39 SKIP
40 Photuris
41-255 Reserved
TABLE 1.1: ICMP types


• Code: This field identifies the subtype of message within each ICMP message Type value.
For each type, the field allows up to 256 subtypes. The length of this field is 1 byte. The
codes for Type 3 (Destination Unreachable) are defined as:

Code Name

0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited
14 Host Precedence Violation
15 Precedence cutoff in effect

TABLE 1.2: ICMP codes

• Checksum: The length of this field is 2 bytes. This 16-bit checksum is calculated in a
manner similar to the IPv4 header checksum. It provides error-detection coverage for the
entire ICMP message.

• Data: This field includes the specific fields used to implement each message type. Its size
is variable.

[Figure: ICMP message layout: Type (8 bits) | Code (8 bits) | Checksum (16 bits); Parameters; Data ...]

FIGURE 1.22: ICMP message format
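The message format above, as an added Python example (not EC-Council code): it builds an ICMP message with the checksum computed over the entire message, decodes the type and code against the names in Table 1.1 and Table 1.2, and, for a Destination Unreachable message, reads the quoted original IP header and first 8 bytes of its payload, which is how the end system learns which datagram and which ports failed. The constructed packets and all function names are assumptions of the example.

```python
import struct

# Names taken from Table 1.1 and Table 1.2 above (the subset used here)
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect", 8: "Echo",
              11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
              14: "Timestamp Reply"}
UNREACHABLE_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                     3: "Port Unreachable",
                     4: "Fragmentation Needed and Don't Fragment was Set",
                     13: "Communication Administratively Prohibited"}


def inet_checksum(data):
    """Standard Internet checksum: ones-complement sum of 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, parameters=b"\x00" * 4, data=b""):
    """Type, Code, Checksum, 4-byte Parameters, then Data; checksum covers the whole message."""
    body = struct.pack("!BBH", icmp_type, code, 0) + parameters + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def build_port_unreachable(original_ip_packet):
    """Type 3 / Code 3 message quoting the failed datagram's IP header plus 8 bytes of its data."""
    ihl = (original_ip_packet[0] & 0x0F) * 4
    return build_icmp(3, 3, data=original_ip_packet[:ihl + 8])


def parse_icmp(message):
    """Decode the common fields and, for Destination Unreachable, the quoted original header."""
    icmp_type, code, csum = struct.unpack("!BBH", message[:4])
    result = {
        "type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
        "code": code, "checksum_ok": inet_checksum(message) == 0,
        "parameters": message[4:8], "data": message[8:],
    }
    if icmp_type == 3:
        result["code_name"] = UNREACHABLE_CODES.get(code, "other")
        orig = message[8:]
        result["original"] = None
        if len(orig) >= 28:                       # 20-byte IPv4 header + 8 bytes
            ihl = (orig[0] & 0x0F) * 4
            # The quoted header identifies the failed datagram: its destination and
            # protocol, and the first 8 bytes after it hold the transport ports.
            result["original"] = {
                "protocol": orig[9],
                "dst": ".".join(str(b) for b in orig[16:20]),
                "src_port": struct.unpack("!H", orig[ihl:ihl + 2])[0],
                "dst_port": struct.unpack("!H", orig[ihl + 2:ihl + 4])[0],
            }
    return result


def constructed_ipv4_udp_packet():
    """Minimal IPv4 + UDP packet (checksums left zero) used only as the quoted datagram."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + 4, 1, 0, 64, 17, 0,
                     bytes([192, 168, 168, 1]), bytes([192, 168, 168, 3]))
    return ip + struct.pack("!HHHH", 49152, 5353, 12, 0) + b"data"


if __name__ == "__main__":
    print(parse_icmp(build_port_unreachable(constructed_ipv4_udp_packet())))
    print(parse_icmp(build_icmp(8, 0, b"\x12\x34\x00\x01", b"ping")))
```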


TCP/IP Protocol Stack: Address Resolution Protocol (ARP)

• ARP is a stateless protocol used for translating IP addresses to machine addresses (MAC)

• An ARP request is broadcast over the network, whereas the response is a unicast message to
the requester

• The IP address and MAC pair is stored in the ARP cache of the system, switch, and/or router
through which the ARP reply passes

[Slide figure: ARP exchange. Host 192.168.168.1 (MAC 00-14-20-01-23-45) wants to connect to 192.168.168.3 but needs its MAC address, so it broadcasts ARP_REQUEST "Hello, I need the MAC address of 192.168.168.3". The other devices shown are 192.168.168.2 (MAC 00-14-20-01-23-46) and 194.54.67.10 (MAC 00:1b:48:64:42:e4). Host 192.168.168.3 answers with ARP_REPLY "I am 192.168.168.3. MAC address is 00-14-20-01-23-47"; the pair is stored in the ARP cache table and the connection is established.]

The Address Resolution Protocol converts an IP address to a physical address (MAC address).
The term address resolution refers to identifying the address of a computer in a network. ARP
is defined in RFC 826 and its Internet Standard number is STD 37. The protocol operates below
the network layer as part of the interface between the OSI network layer and the OSI link
layer. IPv4 uses ARP when it runs over Ethernet.
ARP is mainly a request and reply protocol and is carried by the line protocol. ARP operates
only within the boundaries of a single network and does not communicate across internetwork
nodes. ARP maintains a table known as the ARP cache that keeps track of MAC addresses and
their corresponding IP addresses. Certain rules govern how the MAC addresses and IP
addresses are maintained in the table, enabling the conversion from one form to the other.

Working of ARP
The term address resolution refers to the process of finding the address of a computer in a
network. The process of ARP is as follows:

• A client process sends a request to the server process to find the physical host or MAC
address that matches the IP address.

• The server sends the message to all connected computers on the network to identify the
system for which the address was required.

Module 01 Page 55 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Computer Network and Defense Fundamentals

• After finding the requested MAC address, the server sends a response to the client
process with the requested MAC address.

ARP Cache Table

The ARP cache table stores the matched sets of IP addresses and the corresponding MAC addresses of systems frequently communicating on the network. Each device on the network manages its own ARP cache table. There are two different ways to store cache entries in the ARP cache table:

• Static ARP Cache: These address resolutions are manually added to the cache table for a device and they are kept in the cache on a permanent basis. To manage static entries, use tools such as the arp software utility.

• Dynamic ARP Cache: These hardware/IP address pairs are added to the cache by the software itself as a result of successfully completed past ARP resolutions. They are kept in the cache only for a specific period and are then removed.


[Figure: ARP packet layout, four bytes per row]

Bytes 0-1: Hardware Type | Bytes 2-3: Protocol Type
Hardware Length | Protocol Length | Operation (1 for Request, 2 for Reply)
Sender's Hardware Address (first 4 bytes of Ethernet address)
Sender's Hardware Address (last 2 bytes of Ethernet address) | Sender's Protocol Address (first 2 bytes of IP address)
Sender's Protocol Address (last 2 bytes of IP address) | Target's Hardware Address (first 2 bytes of Ethernet address, null in ARP request)
Target's Hardware Address (last 4 bytes of Ethernet address, null in ARP request)
Target's Protocol Address (4-byte IP address)

Hardware Type: 1 = Ethernet, 2 = Experimental Ethernet, 3 = Amateur Radio AX.25, 4 = Proteon ProNET Token Ring, 5 = Chaos, 6 = IEEE 802 Networks, etc.
Protocol Type: IPv4 = 0x0800, IPv6 = 0x86DD
Hardware Length: 6 for Ethernet
Protocol Length: 4 for IPv4
Operation Code: 1 for Request, 2 for Reply


The standard ARP packet has the following fields:

• Hardware Type: This field identifies the type of hardware used for the local network transmitting the ARP message. The size of this field is 2 octets and the value of this field for Ethernet is 1.

• Protocol Type: This field specifies the network protocol for the intended ARP request. The value of the field for IPv4 is 0x0800 and for IPv6 is 0x86DD. The permitted length of this field is 2 octets.

• Hardware Length: This field specifies the length (in octets) of a MAC address in fields 5 and 7 of the ARP packet. For Ethernet, the value of this field is 6.

• Protocol Length: This field specifies the length (in octets) of the protocol addresses in fields 6 and 8 of the ARP packet. The address length for IPv4 is 4.

• Operation: This field specifies the operation that the sender is performing. The value for an ARP request is 1 and for an ARP reply is 2.

• Sender's Hardware Address: This field contains the MAC address of the device sending the message, such as the IP datagram source device on a request and the IP datagram destination on a reply.

• Sender's Protocol Address: This field contains the IP address of the device sending this message.


• Target Hardware Address: This field contains the MAC address of the intended receiver.
In an ARP request, this field is ignored (zero). In an ARP reply, this field indicates the
address of the host that originated the ARP request.

• Target protocol address: This field contains the IP address of the device of the intended
destination.
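As an added example (not code from the courseware), the following Python builds and parses the 28-byte Ethernet/IPv4 ARP packet laid out above, rejecting truncated or inconsistent headers, and keeps a small ARP cache in which static entries are pinned and a reply that changes a learned mapping is reported rather than silently accepted. The addresses are the constructed ones from the ARP figure.

```python
"""Added example: build and parse the Ethernet/IPv4 ARP packet laid out above,
and keep an ARP cache with static (pinned) and dynamic (learned) entries."""
import struct
from dataclasses import dataclass
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2       # Operation field
HTYPE_ETHERNET = 1                  # Hardware Type field
PTYPE_IPV4 = 0x0800                 # Protocol Type field
HLEN_ETHERNET, PLEN_IPV4 = 6, 4     # Hardware Length / Protocol Length fields
NULL_MAC = "00-00-00-00-00-00"      # target hardware address in a request


@dataclass(frozen=True)
class ArpPacket:
    hardware_type: int
    protocol_type: int
    hardware_len: int
    protocol_len: int
    operation: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))


def bytes_to_mac(b: bytes) -> str:
    return "-".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(operation: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize the nine fields in the order of the packet layout (28 bytes)."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4,
                         HLEN_ETHERNET, PLEN_IPV4, operation)
    return (header + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
            + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))


def parse_arp(data: bytes) -> ArpPacket:
    """Decode an ARP packet; raise ValueError on anything the layout does not allow."""
    if len(data) < 8:
        raise ValueError("ARP header truncated")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", data[:8])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4:
        raise ValueError(f"unsupported hardware/protocol type {htype}/{ptype:#06x}")
    if hlen != HLEN_ETHERNET or plen != PLEN_IPV4:
        raise ValueError(f"address lengths {hlen}/{plen} do not match Ethernet/IPv4")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown operation {oper}")
    need = 8 + 2 * (hlen + plen)
    if len(data) < need:
        raise ValueError(f"ARP body truncated: {len(data)} < {need} bytes")
    body = data[8:need]
    sha, spa = body[:hlen], body[hlen:hlen + plen]
    tha, tpa = body[hlen + plen:2 * hlen + plen], body[2 * hlen + plen:]
    return ArpPacket(htype, ptype, hlen, plen, oper, bytes_to_mac(sha),
                     bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))


class ArpCache:
    """IP -> MAC table. Static entries are never overwritten; a reply that
    changes a dynamic entry is applied but reported, because a changed mapping
    is what both a legitimate NIC replacement and a spoofed reply look like."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, bool]] = {}   # ip -> (mac, is_static)

    def add_static(self, ip: str, mac: str) -> None:
        self._entries[ip] = (mac.lower(), True)

    def lookup(self, ip: str) -> Optional[str]:
        entry = self._entries.get(ip)
        return entry[0] if entry else None

    def learn(self, pkt: ArpPacket) -> Optional[str]:
        """Feed one parsed packet; return an alert string or None."""
        if pkt.operation != ARP_REPLY:
            return None                       # requests carry no resolved answer
        known = self._entries.get(pkt.sender_ip)
        if known is None:
            self._entries[pkt.sender_ip] = (pkt.sender_mac, False)
            return None
        old_mac, is_static = known
        if old_mac == pkt.sender_mac:
            return None
        if is_static:
            return (f"static entry {pkt.sender_ip}={old_mac} contradicted "
                    f"by reply claiming {pkt.sender_mac}")
        self._entries[pkt.sender_ip] = (pkt.sender_mac, False)
        return f"mapping for {pkt.sender_ip} changed {old_mac} -> {pkt.sender_mac}"
```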


TCP/IP Protocol Stack: Ethernet

• A LAN protocol that uses star or bus topology
• IEEE 802.3 is the specified standard
• Defines network hardware and how to handle data
• Monitors network traffic using CSMA/CD (carrier sense multiple access / collision detection)
• Various forms of Ethernet:
  • 10Base-T: Transfers data at the speed of 10 Mbps
  • 100Base-T (Fast Ethernet): Supports data transfer speed of 100 Mbps
  • Gigabit Ethernet: Supports data transfer rates of 1 Gbps (1000 Mbps)


Ethernet is the most commonly used LAN technology. It is a link layer protocol that governs data transmission between the network devices present in the same network. It uses a bus or star topology, and 10BASE-T maintains a data transfer rate of 10 Mbps. Ethernet formed the basis for the IEEE 802.3 standard, which defines the physical layer and the lower software layers. Data transmission occurs in two units: packets and frames. A frame includes information such as the data payload and the physical (MAC) addresses of the sender and the receiver. Every frame is wrapped in a packet that contains several bytes of information required for establishing the connection. Ethernet is mostly preferred since it is easy to install, inexpensive and allows high-speed data transfers. It monitors network traffic using CSMA/CD (carrier sense multiple access / collision detection). Ethernet most commonly uses 100BASE-T, which provides a transmission speed of up to 100 megabits per second. Gigabit Ethernet provides a transmission speed of about 1000 Mbps (1 Gbps). Other common LAN types include:

• Fast Ethernet

• Token Ring

• Fiber Distributed Data Interface (FDDI)

• Asynchronous Transfer Mode (ATM)

• LocalTalk


Features of LAN include:

• Enables easy handling, management and maintenance.

• Enables low-cost implementations.

• Allows topological reliability for the network installation.

Ethernet LANs consist of network nodes and connecting media. The network nodes fall into two classifications:

• Data terminal equipment (DTE): The DTE represents the source or the destination of the data frames. DTEs are devices like workstations, file servers, print servers, etc.

• Data communication equipment (DCE): The network device that is responsible for receiving and passing the frames across the network. DCEs include devices like repeaters, switches and routers.

Ethernet finds its main application in wired networking, although wireless networking seems to be taking the place of the wired network. Experts say that 802.11ac provides more internet speed than 1 Gb Ethernet. The important thing about wired networking is that it is less affected by interference and is more secure than wireless networking.


TCP/IP Protocol Stack: Fiber Distributed Data Interface (FDDI)

• Optical standard for transferring data by means of fiber optic lines in a LAN up to 200 km
• Transfers data at the rate of 100 Mbps
• Comprises two fiber optic rings:
  • Primary ring: Works in the network
  • Secondary ring: Acts as backup and takes the position of the primary ring in case of network failure
• FDDI-2 supports voice and multimedia communication to extensive geographical areas


FDDI is an optical standard used for transferring data by means of fiber optic lines in a LAN up to 200 km. Data transmission occurs at a speed of 100 Mbps through a fiber optic cable, and FDDI uses a token ring to determine which workstation can transfer data at a given time. FDDI uses a fiber optic cable wired in a ring topology. It uses a token passing access method (please refer to the "token ring" topic) that provides equal responsibilities and privileges to all the computers connected to the network.
A normally operating FDDI ring passes the token to all the network devices, whereas on an abnormally operating FDDI ring the token circulating among the devices connected to the ring abruptly becomes invisible after a certain period, indicating a network issue. Furthermore, you can set priority levels using FDDI, i.e., a server is allowed to send a huge volume of data frequently compared to the client systems.
It consists of two rings, one primary and the other secondary. The primary ring carries data between the systems, whereas the secondary ring acts as a backup to the primary ring. When the primary ring fails to operate in the network, the secondary ring comes into the picture and performs all the operations usually carried out by the primary ring. This method transmits data at high speed, but Fast Ethernet allows transfer of huge amounts of data at 100 Mbps at a very low cost. However, organizations are now using Gigabit Ethernet, which transfers data at the rate of 1000 Mbps. The latest version of FDDI is FDDI-2, which supports voice and multimedia communication to extensive geographical areas.


TCP/IP Protocol Stack: Token Ring

• Local area network that connects multiple computers using a transmission link either in a ring topology or a star topology
• Data flow is always unidirectional


A token ring is a local area network that consists of computers connected in a ring or bus topology and uses a token to manage the transmission of data between two computers. The presence of a token avoids the chance of a collision between the data transferred between the computers. Possession of the token gives a network node the right to transmit data: when a node receives the token, it captures it and alters one bit of the token, thus appending the data packets that it wants to transmit to the next node. Token ring allows users to send data only after the token arrives at their respective location, thus preventing data collisions between workstations that want to send messages at the same time. The maximum size of a token ring packet is 4500 bytes.

How a token ring functions:

• Empty frames are passed across the network.

• A computer ready to send information to another computer inserts a token into the frame, including the data and the destination identifier.

• Inserting a token into a frame changes the token bit from 0 to 1 in the frame.

• Each computer checks the frame and examines whether the destination address matches. If it does, that computer simply copies the message and changes the token bit to 0.

• The frame deletes the information after the computer with the destination address copies the information.


• The frame passes through the network as an empty frame and is now ready to accept other data.
The components of a token ring frame are as follows:

Frame Field             Description
Start delimiter         Represents the start of the frame
Access control          Represents the priority of the frame and checks if it is a token or a data frame
Frame control           Includes MAC access control information for all the computers and end station information for only one computer
Destination address     Specifies the destination address
Source address          Specifies the address of the computer that sends the frame
Information or data     Contains the information to be sent
Frame check sequence    Includes the CRC error-checking
End delimiter           Specifies the end of the frame
Frame status            Includes the current status, e.g., whether the information was copied
TABLE 1.3: Components of token ring


IP Addressing

An IP address is a unique numeric value assigned to a node or a network connection:
• 32-bit binary number
• Set of four numbers or octets ranging between 0 and 255
• Numbers are separated by periods
• Known as dotted-decimal notation
Examples: 168.192.0.1, 23.255.0.23, 192.165.7.7


An IP address is a number assigned to computers transmitting data over the network using the Internet Protocol. IP addresses serve two purposes: host identification and location addressing. The assigned addresses make it easier to identify the computers in the network. The address normally consists of 32 binary bits divided into two parts: the host part and the network part. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can range from 0 to 255. An example of an IP address is 1.160.10.240. An IP address can be either static or dynamic. A static IP address does not change and is permanent. A dynamic IP address changes every time a computer accesses the internet.

Important terms in IP addressing

• Default Network: In the default network, the default IP address is 0.0.0.0.

• Loopback Address: The loopback address is a unique IP address (127.0.0.1) designed for network testing, where a network administrator sends packets to the device to identify problems during transmission.

• Broadcast Address: The broadcast address is a unique IP address (255.255.255.255) designed for sending messages to all the nodes in a network. A network administrator uses this address to send a common message to all the hosts residing in a network.

• Internet Corporation for Assigned Names and Numbers (ICANN): The Internet Corporation for Assigned Names and Numbers (ICANN) is the authority that manages the assignment of IP addresses, IP address spaces, and protocol identifier assignments. The


aim of ICANN is to ensure that all users have valid addresses. ICANN does not look after Internet content control, data protection, or unsolicited mail, but ICANN is responsible for the management of the new gTLDs (generic Top Level Domains).

• Making the Address Space Friendly: In order to make the address space friendly, it is necessary to make the address familiar and short. Information in the Internet consists of only two symbols, "1" and "0", which describe the two possible states: on/off. The base 10 number system is user-friendly. Imagine that a computer's address is 144.250.85.187: it is easier to remember than the binary equivalent of that address in the base 2 system, 10010000, 11111010, 01010101, and 10111011.

• Purpose of Dots: It can be difficult to remember a particular decimal number address. To make it easier to remember, the decimal notation divides the address into four parts. With this logical classification of the address, it is easier to identify a particular host on the network. The scheme depends on the decimal number, while the address space used is binary. Certain schemes use the binary numbers, whereas others use the decimal numbers directly. Therefore, the 32-bit address space has four equal components of 8 bits each, such as 202.53.13.138.


Classful IP Addressing

• IP addresses are divided into 5 major classes in the classful IP addressing scheme
• It was the first addressing scheme of the Internet that managed addressing through classes A, B, C, D, and E
• An IP address can be broken down into two parts:
  • First part represents the network
  • Second part represents a specific host on the network

NOTE: All the hosts residing on a network can share the same network prefix but should have a unique host number. Hosts residing on different networks can have the same host number but should have different network prefixes.

Two-Level Internet Address Structure: [Network Number | Host Number], or [Network Prefix | Host Number]

Classful IP addressing is the Internet's first addressing scheme that managed addressing through classes, primarily A, B, and C. First standardized in September 1981, the Internet Protocol (IP) specifies that each computer should have a unique 32-bit address number to use the IP-based internet. Systems connected to more than one network interface would require a unique IP address for each network. Classful addressing divides the IP address into two parts. The first part identifies the network on which the host resides and the second part identifies the specific node or host on that network. The class of an address determines which parts belong to the network address and which parts belong to the node address.

FIGURE 1.23: Two-Level Internet address structure ([Network Number | Host Number], or [Network Prefix | Host Number])
Over the past few years, the network number segment has come to be called the network prefix, because the major part of each IP address determines the network number. All the hosts residing on a network can share the same network prefix, but should have a unique host number. Hosts residing on different networks can have the same host number, but should have different network prefixes.


Address Classes

Class A
• Has an 8-bit network prefix
• Starts with binary address 0; the decimal number can be anywhere between 1-126
• First 8 bits (one octet) identify the network, remaining 24 bits specify hosts residing in the network

Class B
• Has a 16-bit network prefix
• Starts with binary address 10; the decimal number can be anywhere between 128-191
• First 16 bits (two octets) identify the network, remaining 16 bits specify hosts residing in the network

Class C
• Has a 24-bit network prefix
• Starts with binary address 110; the decimal number can be anywhere between 192-223
• First 24 bits (three octets) identify the network, remaining 8 bits specify hosts residing in the network

Class D
• Starts with binary address 1110; the decimal number can be anywhere between 224-239
• Supports multicasting

Class E
• Starts with binary address 1111; the decimal number can be anywhere between 240-255
• Reserved for experimental use


Address Classes (Cont'd)

Table showing number of Networks and Hosts:

Class                 Leading Bits   Size of Network Number Bit Field   Size of Host Number Bit Field   Number of Networks   Number of Addresses Per Network
Class A               0              7                                  24                              126                  16,777,214
Class B               10             14                                 16                              16,384               65,534
Class C               110            21                                 8                               2,097,152            254
Class D (Multicast)   1110           20                                 8                               1,048,576            254
Class E (Reserved)    1111           20                                 8                               1,048,576            254

IP Address Classes and class characteristics and uses:

IP Address Class   Fraction of Total IP Address Space   Number of Network ID Bits   Number of Host ID Bits   Intended Use
Class A            1/2                                  8                           24                       Used for unicast addressing for very large organizations
Class B            1/4                                  16                          16                       Used for unicast addressing for medium or large organizations
Class C            1/8                                  24                          8                        Used for unicast addressing for small organizations
Class D            1/16                                 N/A                         N/A                      Used for IP multicasting
Class E            1/16                                 N/A                         N/A                      Reserved


Address classes play an important role in Internet routing. Internet designers have divided the IP address space into different address classes, class A, class B, class C, class D and class E, to support networks of different sizes and requirements.

Class A
The class A IP address class defines IP addresses for large networks. The binary address starts with 0. The decimal number of the first octet is between 0-127, and the class is mostly used by international companies. From the 32-bit address, the Class A address uses the leftmost 8 bits for identifying networks: the first 8 bits identify the network and the remaining 24 bits specify the hosts residing in the network. In recent years, class A networks are referred to as "/8's" or "8's". A total of 126 (2^7 - 2) /8 networks can be defined in Class A. Two networks fewer are available because, as mentioned, 0.0.0.0 is the default IP address and 127.0.0.0 is a loopback address. Each Class A network supports a maximum of 16,777,214 hosts, and the class contains 2^31 (2,147,483,648) individual addresses. Out of the 2^32 (4,294,967,296) addresses of the IPv4 address space, this amounts to 50% of the total IPv4 unicast address space.

FIGURE 1.24: Class A network (Router A on 10.10.0.0, connected through a switch to hosts 10.10.0.1, 10.10.0.2, 10.10.0.3, ...)

Class B
Use class B addresses in medium-scale networks. It uses the leftmost 16-bits of this class and
the binary address starts with 10. The decimal number is from 128 to 191. The first 16 bits (two
octets) identify the network and the remaining 16 bits specify the hosts residing in the network.

FIGURE 1.25: Class B network (Router B on 128.28.0.0, connected through two switches to hosts 128.28.0.1, 128.28.0.2, 128.28.0.3, ...)


In recent years, class B networks are referred to as "/16s", as they have a 16-bit network prefix. About 16,384 (2^14) /16 networks can be defined in class B, with 65,534 (2^16 - 2) hosts per network, for 2^30 (1,073,741,824) individual addresses. When calculated, this amounts to 25% of the total IPv4 unicast address space.
Class C
Class C addresses have a 24-bit network prefix. The binary address of Class C starts from 110.
The decimal number can be anywhere between 192 and 223. Class C addresses represent small
businesses. It uses the first 24 bits (three octets) for identifying the network, while the rest of
the 8 bits help in identification of the host on the network.

FIGURE 1.26: Class C network (Router C on 192.28.0.0, connected through two switches to hosts such as 192.28.0.2, ...)

Class D and Class E

In addition to the primary address classes, there are two other classes defined by the internet designers, class D and class E. These are special classes designed for specific purposes, of which users are often not even aware. Class D starts with the binary address 1-1-1-0 and its decimal number can be anywhere from 224 to 239. Its main function is to support multicasting. Class E starts with the binary address 1-1-1-1, and its decimal number can be anywhere from 240 to 255. It serves experimental purposes.


Subnet Mask

• Divides the IP address of the host into network and host number
• Subnetting allows division of Class A, B, and C network numbers into smaller segments
• Variable length subnet mask (VLSM) allows two or more subnet masks in the same network
• VLSM effectively uses IP address space in a network

Default Subnet Masks for Class A, Class B and Class C Networks (see Table 1.4)

IP Address Class   Total # bits for Network ID/Host ID   First Octet   Second Octet   Third Octet   Fourth Octet
Class A            8/24                                  11111111      00000000       00000000      00000000
Class B            16/16                                 11111111      11111111       00000000      00000000
Class C            24/8                                  11111111      11111111       11111111      00000000


A subnet mask provides information about the division of bits between the subnet ID and the host ID that routers need to direct traffic. It is a 32-bit binary number. The subnet mask separates the IP address into two components, namely the network address and the host address. Use a subnet calculator to retrieve subnet mask information. A bitwise AND of the IP address with the netmask identifies the network address of a particular IP address. Subnet mask bits are defined by setting the network bits to all "1"s and the host bits to all "0"s. Subnet masks are expressed using dotted-decimal notation, like an address.

Every host on a TCP/IP network requires a subnet mask. Use the default subnet mask for class-based network IDs, and use custom subnet masks when subnetting or supernetting is configured.


IP Address Class   Total # bits for Network ID/Host ID   First Octet   Second Octet   Third Octet   Fourth Octet
Class A            8/24                                  11111111      00000000       00000000      00000000
Class B            16/16                                 11111111      11111111       00000000      00000000
Class C            24/8                                  11111111      11111111       11111111      00000000

TABLE 1.4: Default subnet masks for Class A, Class B and Class C networks

Host IP address: 159.100.9.18
Binary format: 10011111.01100100.00001001.00010010

Class B network mask: 255.255.0.0
Binary format: 11111111.11111111.00000000.00000000

Class B address with 5 bits allocated to the subnet ID and the remaining 11 left for the host ID

Subnet mask = /21
Prefix length notation: 11111111.11111111.11111000.00000000
Subnet mask in dotted-decimal notation: 255.255.248.0

Network ID = 159.100.0.0

Extended network address (net ID + subnet ID) = 159.100.8.0/21
Binary format: 10011111.01100100.00001000.00000000


Subnetting

• Subnetting allows you to divide a Class A, B, or C network into different logical subnets
• To subnet a network, use some of the bits from the host ID portion in order to extend the natural mask

For example, consider the Class C address:
IP Address: 192.168.1.12 (11000000.10101000.00000001.00001010)
Subnet mask: 255.255.255.0 (11111111.11111111.11111111.00000000)
Subnetting: 255.255.255.224 (11111111.11111111.11111111.11100000)
These three extra bits from the host ID portion allow you to create eight subnets.

Subnet Address Hierarchy:
Two-Level Classful Hierarchy: [Network Prefix | Host Number]
Three-Level Subnet Hierarchy: [Network Prefix | Subnet Number | Host Number]


The original internet designers did not foresee the rapid growth of the internet and the change it has brought about as a communication system. Today, organizations face many problems with the allocation of IP addresses, as the IP address space, especially IPv4, is in the depletion stage. This problem arose from early decisions made by the internet designers in the formative stage. In the early evolution of the internet, organizations were allocated address space based on their request rather than on their requirements. This has led to the eventual depletion of the IP address space. Many organizations that predicted the future of networking invested in the internet, whereas organizations that ignored the significance of the internet realized it later and obtained addresses, but had to face address shortage issues. Emerging organizations that are still in the evolving stage face address shortage problems due to the premature depletion of the IPv4 address space.

In order to overcome the problems of IP address space depletion, one can perform IP subnetting. Subnetting allows an organization's network to be divided into a two-level structure of subnets and hosts. An organization's system administrator divides the host network, specifically the internal network, into two segments in order to make it unavailable to external networks. The main advantage of subnetting for the organization is that it can divide the classful host number into a subnet ID and a host ID based on its preferences and requirements.


FIGURE 1.27: Subnet address hierarchy (Two-Level Classful Hierarchy: [Network Prefix | Host Number]; Three-Level Subnet Hierarchy: [Network Prefix | Subnet Number | Host Number])

FIGURE 1.28: Two-level and three-level subnetting (Two-Level Hierarchy without Subnetting: 141.14 | 192.2 = Net ID | Host ID; Three-Level Hierarchy with Subnetting: 141.14 | 192 | 2 = Net ID | Subnet ID | Host ID)

• Net address: 141.14.0.0

• Subnet address: 141.14.192.0

• Host address: 141.14.192.2

Routers use an extended network prefix to transmit traffic between subnet devices. The extended network prefix includes the network prefix and the subnet ID.

In classful IP addressing, the router uses the first octet of an IP address to determine the address class and the related network number and host number. In subnetting, as the division of the address is arbitrary in nature, the router cannot determine on its own how the address is divided into subnet and host ID. The subnet mask provides this information about the division of bits between the subnet ID and the host ID that routers need to direct traffic. It is a 32-bit binary number.

Subnetting allows the division of Class A, B, and C network numbers into smaller segments. Variable length subnet mask (VLSM) allows two or more subnet masks in the same network. VLSM uses IP address space in a network effectively. VLSM gives a network administrator the flexibility to divide a network as per the requirements and preferences of the organization and to create subnets, sub-subnets and sub-sub-subnets.


FIGURE 1.29: Example of subnetting (leading bits 10 + Net ID (14 bits) | Subnet ID (8 bits) | Host ID (8 bits))

Class B address = /16 network prefix
Network address = 131.175.0.0
Natural mask = 255.255.0.0
Subnetted with /24 network prefix
Subnet ID = third number in dotted notation: 131.175.21.0


• Class A and B addresses are in the depletion stage

• Class C provides only 256 hosts in a network, out of which 254 are available for use

• Supernetting combines various Class C addresses into a single network

• Also known as Classless Inter-Domain Routing (CIDR), invented to keep IP addresses from exhaustion

• It applies to Class C addresses

• The supernet mask is the reverse of the subnet mask: a subnet mask has more 1-bits than the default mask, a supernet mask has fewer

Supernetting Class C Example:

Suppose we use 2^m consecutive blocks. Default mask: 255.255.255.0. Supernet mask: 255.255.(2^(8-m) - 1) * 2^m.0 = 255.255.252.0 (for m = 2).

Class C address: Net ID (first three bytes) | Host ID (last byte)

Supernet address: xxxxxxxx . xxxxxxxx . xxxx0000 . 00000000, where the third byte ends in m zero bits and is therefore divisible by 2^m


With the growth of the internet, classful addressing became a big problem for many organizations.
The problems with classful addressing are a lack of flexibility in dividing addresses for an internal
network and an improper distribution of the allocated address space, which requires a router to
create more and more routing table entries. Subnetting solves these problems to a certain extent,
but IPv6 addressing brought a 128-bit addressing system to eliminate addressing issues properly.
This new system eliminates the need for address classes and creates a new addressing scheme to
match the growing demand of internet users. It advocates a new classless addressing scheme
known as Classless Inter-Domain Routing (CIDR). CIDR uses the concept of subnetting as a base
and takes it a step further: subnetting divides a single network into subnets, whereas CIDR
applies the subnetting principle to large networks and aggregates networks into larger supernets
with a concept known as supernetting.

• Advantages of CIDR:

With CIDR, organizations can allocate address space efficiently as per their requirements and
preferences. In classful addressing, there are class A, B, and C networks. A class A network has
around 16,277,214 addresses per network, a class B network has 65,534 and a class C network has
only 254 addresses. There is a disproportion between the address classes in this addressing
system. CIDR eliminates the problem of class imbalances and routing entries by creating small
entries for large networks.

Network prefixes based on CIDR help the router determine the dividing point between net ID and
host ID. Subnetting requires a subnet mask to determine the network ID and host ID. CIDR does
not use a 32-bit binary subnet mask. Instead, CIDR uses the "/" slash notation, known as CIDR
notation, with a prefix length to show the network size.

Subnet Mask (/27)   11111111 11111111 11111111 11100000

Default Mask (/24)  11111111 11111111 11111111 00000000

Supernet Mask (/22) 11111111 11111111 11111100 00000000

FIGURE 1.30: Supernetting

• Supernetting Example:

Example showing how 4 Class C addresses in a network appear as a single network from the
outside. The 4 address-contiguous networks are:

213.2.96.0: 11010101.00000010.01100000.00000000

213.2.97.0: 11010101.00000010.01100001.00000000

213.2.98.0: 11010101.00000010.01100010.00000000

213.2.99.0: 11010101.00000010.01100011.00000000


Supernet mask: 255.255.252.0

Supernet address: 213.2.96.0/22
11010101.00000010.01100000.00000000

Class C address: Net ID (first three bytes) | Host ID (last byte)

Supernet address: xxxxxxxx . xxxxxxxx . xxxx0000 . 00000000, where the third byte ends in m zero bits and is therefore divisible by 2^m

FIGURE 1.31: Supernetting with Class C address
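The subnetting and supernetting arithmetic above (141.14.192.2 split into net, subnet and host parts; 213.2.96.0 to 213.2.99.0 aggregated into 213.2.96.0/22) as an added Python example, not code from the courseware. It uses the standard ipaddress module and the figure's supernet-mask formula; the function names are my own.

```python
"""Added example (not from the CND courseware): the subnetting and supernetting
arithmetic of Figures 1.28 to 1.31, done with Python's standard ipaddress module."""
import ipaddress


def classful_prefix(ip: str) -> int:
    """Classful rule: the first octet decides the class and so the natural mask.
    Class A (0-127) -> /8, Class B (128-191) -> /16, Class C (192-223) -> /24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip}: class D/E addresses have no natural mask")


def split_address(ip: str, network_prefix: int, subnet_prefix: int) -> dict:
    """Three-level split of an address (Figure 1.28): the network prefix gives the
    net ID, the extended prefix (network + subnet bits) gives the subnet ID, and
    the remaining bits are the host ID."""
    if not 0 <= network_prefix <= subnet_prefix <= 32:
        raise ValueError("need 0 <= network prefix <= subnet prefix <= 32")
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/{network_prefix}", strict=False)
    subnet = ipaddress.IPv4Network(f"{ip}/{subnet_prefix}", strict=False)
    return {
        "net_address": str(net.network_address),        # e.g. 141.14.0.0
        "subnet_address": str(subnet.network_address),  # e.g. 141.14.192.0
        "subnet_mask": str(subnet.netmask),             # extended prefix as a mask
        "host_address": str(addr),                      # e.g. 141.14.192.2
        "host_id": int(addr) & int(subnet.hostmask),    # bits below the extended prefix
        "usable_hosts": max(subnet.num_addresses - 2, 0),
    }


def supernet_mask(m: int) -> str:
    """Figure 1.31's formula: 2**m consecutive Class C blocks are covered by the
    mask 255.255.(2**(8-m) - 1) * 2**m.0, i.e. m host bits borrowed from octet 3."""
    if not 0 <= m <= 8:
        raise ValueError("m must be between 0 and 8")
    third_octet = (2 ** (8 - m) - 1) * 2 ** m
    return f"255.255.{third_octet}.0"


def supernet(class_c_networks) -> ipaddress.IPv4Network:
    """Aggregate contiguous Class C blocks into the single route a router would
    advertise. Raises if the blocks are not contiguous and aligned, because then
    no single prefix covers exactly those blocks."""
    nets = [ipaddress.IPv4Network(n) for n in class_c_networks]
    if any(n.prefixlen != 24 for n in nets):
        raise ValueError("only /24 (Class C) blocks are aggregated here")
    summary = list(ipaddress.collapse_addresses(nets))
    if len(summary) != 1:
        raise ValueError(f"blocks do not form one aligned supernet: {summary}")
    return summary[0]


def third_octet_divisible(net: ipaddress.IPv4Network, m: int) -> bool:
    """The figure's alignment check: the third byte of a 2**m-block supernet
    address ends in m zero bits, so it must be divisible by 2**m."""
    third_octet = (int(net.network_address) >> 8) & 0xFF
    return third_octet % (2 ** m) == 0


if __name__ == "__main__":
    host = "141.14.192.2"
    print(split_address(host, classful_prefix(host), 24))
    blocks = ["213.2.96.0/24", "213.2.97.0/24", "213.2.98.0/24", "213.2.99.0/24"]
    agg = supernet(blocks)          # 4 = 2**2 blocks, so m = 2
    print(agg, agg.netmask, supernet_mask(2), third_octet_divisible(agg, 2))
```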


• Based on the standard specified by RFC 4291

• Allows multilevel subnetting

• Supports unicast, anycast, and multicast addresses

• IPv6 address space is organized in a hierarchical structure


IPv6 is capable of providing a large address space of 128 bits for the increasing demands of
internet users. It has a new packet header format to minimize problems with routing entry
overhead. IPv6 has globally unique addresses with an efficient, hierarchical routing
infrastructure that relies on prefix length rather than address classes. This allows the backbone
routers to keep small routing tables. IPv6 simplifies host configuration with stateless and
stateful address configuration for network interfaces. In IPv6, hosts on a link are capable of
automatically configuring themselves with link-local addresses and by responding to the
prefixes advertised by the local routers. The host sends a request to a local router for
connecting to that network, and the router responds by sending its configuration parameters.
This lets the host configure itself automatically with the available router. IPv6 is capable of
configuring itself even when there are no routers. IPv6 supports unicast and multicast
communication along with a new communication type called anycast.

• Unicast Address: It is used to identify a single node in the network. The four different
categories of unicast address are:

• Global unicast addresses are globally unique in the internet.

• Link-local addresses are not meant for routing, but are confined to a single network segment.

• Unique local addresses assist in private addressing and also avoid the chance of collision
between two subnets.


• Anycast Address: In the anycast communication method, only a specific associated address in a
network receives the messages. IPv6 provides better support for quality of service (QoS)
with proper management of network traffic.

• Multicast Address: An IPv6 packet sent to a multicast address identifies a group of
interfaces, usually on different nodes. Only those hosts which are members of the multicast
group can receive the multicast packets. An IPv6 multicast address is routable, and the
routers forward multicast packets to all the members of the multicast group.

Allocation                             Format Prefix   Start of address range (hex)   Mask length (bits)   Fraction of address space
Reserved                               00000000        0::/8                          8                    1/256
Reserved for Network Service
  Allocation Point (NSAP)              0000001         200::/7                        7                    1/128
Reserved for IPX                       0000010         400::/7                        7                    1/128
Aggregatable global unicast addresses  001             2000::/3                       3                    1/8
Link-local unicast                     1111111010      FE80::/10                      10                   1/1024
Site-local unicast                     1111111011      FEC0::/10                      10                   1/1024
Multicast                              11111111        FF00::/8                       8                    1/256

TABLE 1.5: IPv6 format prefix allocation

The IPv6 notation consists of eight groups of hexadecimal quartets separated by colons. An
example of an IPv6 address is 2001:cdba:0000:0000:0000:0000:3257:9652. Leading zeroes in a
group may be dropped (so a group of zeroes becomes a single 0), and one run of consecutive
zero groups may be removed entirely and written as "::". For example:

• 2001:cdba:0000:0000:0000:0000:3257:9652

• 2001:cdba:0:0:0:0:3257:9652

• 2001:cdba::3257:9652

IPv6 addresses use Classless Inter-Domain Routing (CIDR) notation. A subnet using the
IPv6 protocol consists of a group of IPv6 addresses whose size is a power of two.
The initial bits of the IPv6 address form the network prefix, and the length of the network
prefix is written after a forward slash ('/'). For example, 2001:cdba:9abc:5678::/64 represents
the network whose first 64 bits are 2001:cdba:9abc:5678.
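The address compression just described and the format-prefix allocation of Table 1.5, as an added Python example that is not part of the courseware: it expands and compresses an address by hand (so the rule is visible, rather than calling the library's own compressor) and classifies any IPv6 address into the table's allocation rows by its leading bits. FORMAT_PREFIXES and the function names are my own.

```python
"""Added example (not from the CND courseware): expand, compress and classify
IPv6 addresses according to the format-prefix table (Table 1.5)."""
import ipaddress

# Format prefix rows from Table 1.5: (leading bits, allocation). The NSAP and IPX
# rows are 7 bits long and sit inside the 8-bit "Reserved" row's 0::/8 range, so
# classification must try the longest pattern first (see format_prefix_class).
FORMAT_PREFIXES = [
    ("00000000", "Reserved"),
    ("0000001", "Reserved for NSAP allocation"),
    ("0000010", "Reserved for IPX"),
    ("001", "Aggregatable global unicast"),
    ("1111111010", "Link-local unicast"),
    ("1111111011", "Site-local unicast"),
    ("11111111", "Multicast"),
]


def expand(addr: str) -> str:
    """Full eight-quartet form, e.g. 2001:cdba::3257:9652 ->
    2001:cdba:0000:0000:0000:0000:3257:9652."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Shortest form: leading zeros dropped from every group and the longest run
    of consecutive zero groups replaced by '::' (the first run wins a tie)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [1]):          # sentinel closes the last run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = [format(g, "x") for g in groups]       # drops leading zeros
    if best_len < 2:                               # '::' is never used for one group
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def format_prefix_class(addr: str) -> str:
    """Name the Table 1.5 allocation an address belongs to from its leading bits."""
    bits = format(int(ipaddress.IPv6Address(addr)), "0128b")
    # longest matching prefix wins, so check the longer patterns first
    for prefix, name in sorted(FORMAT_PREFIXES, key=lambda row: -len(row[0])):
        if bits.startswith(prefix):
            return name
    return "Unassigned"


if __name__ == "__main__":
    full = "2001:cdba:0000:0000:0000:0000:3257:9652"
    print(compress(full), "|", expand("2001:cdba::3257:9652"))
    for sample in (full, "fe80::1", "fec0::1", "ff02::1", "::1"):
        print(sample, "->", format_prefix_class(sample))
```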


Difference between IPv4 and IPv6

                            Internet Protocol version 4 (IPv4)                 Internet Protocol version 6 (IPv6)
Deployed                    In the year 1981                                   In the year 1999
Size                        32-bit addresses                                   128-bit source and destination addresses
Format                      Dotted-decimal notation (separated by periods)     Hexadecimal notation (separated by colons)
Example                     192.168.0.77                                       3ffe:1900:4545:AB00:0123:4567:8901:ABCD
Prefix Notation             192.168.0.7/74                                     3FFE:F200:0234::/77
Total Number of Addresses   2^32 = ~4,294,967,296                              2^128 = ~340,282,366,920,938,463,463,374,607,431,768,211,456
Configuration               Manually perform static or dynamic configuration   Auto-configuration of addresses is available
Security                    IPSec is optional                                  Inbuilt support for IPSec

Internet Protocol Version 4 (IPv4)

The fourth version of the internet protocol, which identifies devices on a network through the
technique of addressing. IPv4 mainly works in packet-switched link layer networks. It uses a
32-bit address scheme, thereby permitting 2^32 addresses. The sender and the forwarding
routers perform fragmentation. There is no method to identify the flow of packets.
Checksum fields and option fields are available in IPv4. IPv4 uses IGMP to manage
multicast. It is possible to broadcast messages. Configuration of IPv4 requires either manual
configuration of IPv4 addresses or DHCP configuration.

Internet Protocol Version 6 (IPv6)

Also known as IPng (Internet Protocol Next Generation), IPv6 is the advanced version of IPv4 and
replaces IPv4. The IPv6 protocol allows better handling of hosts and data flowing on the
internet. The main advantage of using IPv6 is that it reduces the exhaustion of IP addresses.
IPv6 addresses are 128 bits long and are represented using hexadecimal. The sender performs
the fragmentation. The flow label field in the packet header of the IPv6 address format
assists in identifying the flow of the packet. IPv6 headers do not contain any
checksum or options field. IPv6 has an auto-configuration mode that eliminates the
need for manual configuration as in IPv4.

Advantages of IPv6 over IPv4:

• IPv6 provides a simplified method for the router task when compared with IPv4.

• IPv6 is more reliable to use than IPv4, and IPv6 can handle more payloads.

• IPv6 is more compatible for use in mobile networks than IPv4.


IPv4 Compatible IPv6 Address

• IPv6 addresses with inserted IPv4 addresses are universal unicast addresses that have the binary
prefix 000

• One of the changeover techniques to IPv6 permits a means for nodes and routers to dynamically
create IPv6 tunnels, carrying IPv6 packets over an IPv4 infrastructure

• Nodes that implement this method are allocated an unusual IPv6 address, which transports an IPv4
address in its 32 least significant bits. This type of address is called an IPv4-compatible IPv6 address;
its format is shown below:

Prefix (96 zero bits) followed by the embedded IPv4 address:
0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 143.23.234.211

• The IPv4 address used inside an IPv4-compatible IPv6 address must be a public, globally routable IPv4 address

IPv4-compatible addresses obtained from IPv4 public addresses allow connecting IPv6 hosts
over the IPv4 internet infrastructure. The IPv6 packet is encapsulated within an IPv4 header,
which eliminates the need to add IPv6 routers.

The IPv4-compatible IPv6 address allows IPv6 devices to insert IPv4 addresses in the IPv6 address
across the IPv4-connected network. The IPv4-compatible IPv6 address has a different address format,
with the first 96 bits set to all zeroes, followed by a dotted decimal IPv4 address.

Prefix (96 zero bits) followed by the embedded IPv4 address:
0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 143.23.234.211

FIGURE 1.32: IPv4 address (IPv4-compatible IPv6 address format)

They can be written as 0:0:0:0:0:0:A.B.C.D or ::A.B.C.D, where "A.B.C.D" represents the
embedded IPv4 address.

The host or router at each end of an IPv4-compatible tunnel must support both the IPv4 and
IPv6 protocol stacks. IPv4-compatible tunnels must be configured between border routers or
between a border router and a host. Using IPv4-compatible tunnels is an easy method to create
tunnels for IPv6 over IPv4, but the technique does not scale for large networks.
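The ::A.B.C.D format and the public-address requirement described above, as an added Python example not taken from the courseware: it builds an IPv4-compatible address from a public IPv4 address, refuses non-routable ones, recognises the format (and rejects the different IPv4-mapped ::ffff:A.B.C.D form), and recovers the embedded IPv4 endpoint. Function names are my own; the sample addresses are the figure's 143.23.234.211 plus constructed ones.

```python
"""Added example (not from the CND courseware): build, recognise and unpack the
IPv4-compatible IPv6 addresses (::A.B.C.D) of Figure 1.32."""
import ipaddress

# An IPv4-compatible address is 96 zero bits followed by the 32-bit IPv4 address,
# so every such address lies inside ::/96. (The IPv4-mapped form ::ffff:A.B.C.D
# is a different encoding and is deliberately not accepted here.)
COMPAT_PREFIX = ipaddress.IPv6Network("::/96")


def to_ipv4_compatible(ipv4: str) -> str:
    """Embed a public IPv4 address in the low 32 bits of an all-zero prefix.
    Private, loopback, link-local and other non-routable IPv4 addresses are
    refused: the tunnel endpoint has to be reachable across the IPv4 internet."""
    v4 = ipaddress.IPv4Address(ipv4)
    if not v4.is_global:
        raise ValueError(f"{ipv4} is not a public, globally routable IPv4 address")
    compat = f"::{v4}"                       # the ::A.B.C.D spelling from the text
    ipaddress.IPv6Address(compat)            # parse once to prove it is well formed
    return compat


def is_ipv4_compatible(ipv6: str) -> bool:
    """True for ::A.B.C.D addresses. :: (unspecified) and ::1 (loopback) share the
    zero prefix but carry no IPv4 address, so they are excluded."""
    v6 = ipaddress.IPv6Address(ipv6)
    return v6 in COMPAT_PREFIX and int(v6) > 1


def extract_ipv4(ipv6: str) -> str:
    """Recover the embedded IPv4 address from the low 32 bits."""
    if not is_ipv4_compatible(ipv6):
        raise ValueError(f"{ipv6} is not an IPv4-compatible IPv6 address")
    low32 = int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(low32))


def describe_tunnel_endpoint(ipv6: str) -> dict:
    """A defender's view of a candidate tunnel endpoint: which IPv4 host the
    IPv6 packet would really be carried to, and whether that host is public.
    A non-public embedded address violates the requirement stated in the text."""
    v4 = extract_ipv4(ipv6)
    return {
        "ipv6": ipaddress.IPv6Address(ipv6).exploded,
        "embedded_ipv4": v4,
        "public_ipv4": ipaddress.IPv4Address(v4).is_global,
    }


if __name__ == "__main__":
    print(to_ipv4_compatible("143.23.234.211"))                 # ::143.23.234.211
    print(describe_tunnel_endpoint("0:0:0:0:0:0:143.23.234.211"))
    print(is_ipv4_compatible("::1"), is_ipv4_compatible("::ffff:143.23.234.211"))
```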


Understanding Computer Network Defense (CND)

• Computer Network Defense (CND) is part of the network operations which involves
protecting, detecting, and responding to unauthorized activities on the network

• It includes a set of processes and protective measures carried out to defend a network
against service/network denial, degradation, and disruptions

• CND is NOT limited to just deploying a firewall or multiple firewalls on a network

• CND is the implementation of a defense in depth (DID) strategy on a network

CND TRIAD (figure: Computer Network Defense built on protection, detection and response)

Computer network defense (CND) involves protecting, monitoring, analyzing, detecting and
responding to unauthorized activities on the network and ensures the overall (defense-in-depth)
security of the network. Unauthorized or illegal activities may include interrupting, damaging,
exploiting or restricting access to networks or computing resources, and stealing data and
information from them.

Most organizations consider network defense to mean implementing security measures that
protect their network from attacks, and assume that deploying a firewall or multiple firewalls
on the network is enough to protect their infrastructure from a variety of threats. However, a
firewall alone does not ensure network defense. Even though firewalls are one of the security
measures, they do not by themselves provide defense-in-depth network security.

CND enables network administrators to defend and act against network attacks performed by
malicious or adversarial computer systems or networks.

CND is part of Computer Network Operations (CNO), which deals with the overall network
security achieved through detection, prevention, analysis, and response to various network
attacks.


Integrity: Ensures information is not modified or tampered with by unauthorized parties (figure: a man in the middle between the authorized user and the server)

Confidentiality: Ensures information is not disclosed to unauthorized parties (figure: a man in the middle between the authorized user and the server)

Availability: Ensures information is available to authorized parties without any disruption (figure: services unavailable to the authorized user)

Non-repudiation: Ensures that a party in a communication cannot deny sending the message (figure: user denies transaction)

Authentication: Ensures the identity of an individual is verified by the system or service (figure: authorized user accepted, unauthorized user refused)

CND employs Information Assurance (IA) principles, which require taking appropriate
countermeasures and response actions upon a threat alert or detection. Network operators
should use information assurance principles to evaluate whether data is sensitive or not, and
to handle situations when security incidents occur on the network. This assists them in
identifying network security vulnerabilities, monitoring the network for any intrusion attempts
or malicious activity, and defending the network by mitigating vulnerabilities.

CND should address the following Information Assurance (IA) principles to achieve defense-in-
depth network security:

• Availability: Availability is the process of protecting the information systems or networks
that hold sensitive data so that they remain available to end users whenever they
request access.

• Confidentiality: Confidentiality allows only authorized users to access, use or copy
information. Authentication works closely with confidentiality: if a user is not
authenticated, they will not be granted access to confidential information. If a non-
authorized user accesses protected information, a breach of confidentiality has occurred.

• Integrity: Integrity protects data and does not allow modification, deletion or
corruption of data without proper authorization. This information assurance principle also
works closely with authentication to function properly.


• Non-Repudiation: Non-repudiation is a service that validates the integrity of a digital
signature's transmission, from where it originated to where it arrives. Non-repudiation
grants access to the protected information by confirming that the digital signature is
from the intended party.

• Authentication: Authentication is the process of verifying users with the credentials
provided by comparing them to those in a database of authorized user information on
an authentication server, in order to grant access to the network. It guarantees that the
files or data passing through the network are safe.


CND is the combined use of technology, operations, and people involved in achieving
defense-in-depth network security

(figure: attacks directed at each of the three CND elements, Technology, Operations and People)

Network defense is achieved with the appropriate implementation of technology,
operations and people in the organization. These elements play an important role in attaining
proper defense-in-depth network security for the organization. Technology alone is not enough to
protect the network from a variety of attacks: certain operations are needed in order to
configure these technologies, and skilled individuals are required who can perform those
operations.

The combined use of these elements contributes to achieving defense-in-depth network
security.


CND Element: Technologies

• Physical security

• Access control mechanism

• Firewalls/IDS implementation

• Proxy servers

• OS hardening/patching

• Packet/content filtering

• Antivirus protection

• Product evaluation based on common criteria

• Encryption mechanism

• Password security

• Authentication mechanism

• DMZ (demilitarized zones)

• Configuration management

• Network logs audit

Implementing the following technologies helps an organization protect its assets:

• Physical security: The main aim in implementing physical security is to secure the
hardware, personnel, networks, data and information. Physical security can prevent all
kinds of physical damage, theft or loss to an organization or an enterprise. It also provides
protection from fire, vandalism and natural disasters.

• Access control mechanism: The main aim in implementing an access control mechanism
is to place certain restrictions on users accessing the resources in the network.
Controlling access to devices and other resources secures the network and
prevents the use of rogue devices.

• Firewalls/IDS implementation: The main aim in implementing a firewall or IDS is to
enforce certain security policies for communication in the network. Firewalls
separate trusted from untrusted network traffic and then allow the passage of traffic
depending on those policies. An IDS can identify and monitor any kind of illegal
activity at the network level as well as at the host level.

• Proxy servers: The main aim in placing a proxy server in the network is to conceal the
original IP address from attackers, thereby increasing the level of security in the
network. Proxy servers can also serve user requests at a faster rate by
caching.


• OS hardening/patching: The main aim in performing operating system hardening or
patching is to reduce the level of vulnerability in the network. The process of
patching and hardening applies the latest security updates and fixes at the application
level, thereby enabling network administrators to solve issues at a faster rate.

• Packet/content filtering: The main aim in implementing packet/content filtering is to
prevent any kind of intrusion in the network. The content filtering method filters
or searches for viruses, worms, intrusions or any other non-compliant protocols in the
network. Packet filtering blocks or permits packets based on their source and destination
addresses.

• Antivirus protection: The main aim in implementing anti-virus in the system is to secure
the data and systems from viruses, botnets, Trojans, etc. These malware programs can
actually gain the username and passwords of the user on the victim machine or
compromise the data contained in a system. The anti-virus can alert the user regarding
the presence of any malware program in the system.

• Product evaluation based on common criteria: The main aim in implementing the product
evaluation is to ensure that the IT products meet the security standards required for
deployment in the networks. The IT products need to meet the common criteria defined
for each specific product. Meeting the common criteria ensures the security of the IT
products deployed in the network.

• Encryption mechanism: The main aim in implementing the encryption mechanism is to
provide the confidentiality and integrity of the information passed on the network. The
encryption process ensures that only the sender and receiver of a message can actually
read the message and prevents all kinds of unauthorized access. The mechanism also
includes the use of an encryption key without which the sender and receiver cannot
access the message.

• Passwords security: The main aim in implementing the password security is to ensure
complete security of the passwords from all types of password attack. It protects the
passwords from brute-force attack and eavesdropping mechanisms. The password
security mechanism persuades the user to use long and complex passwords. It also brings
in certain mandatory policies that each user needs to follow while creating passwords,
thereby minimizing the chances of an attack on passwords.

• Authentication mechanism: The main aim in implementing an authentication mechanism is
to ensure the authenticity of the user requesting access to a resource. The
authentication mechanism checks the identity of the user through various methods like
credentials, biometrics, etc. The method of authentication can restrict unauthorized
access by users.

• DMZ (demilitarized zones): The main aim in implementing the DMZ is to ensure the
security of an organization's local area network from an untrusted network. The
demilitarized zone can provide an extra layer of security to the network and prevent the
attackers from accessing the internal servers and data through the internet.


• Configuration management: The main aim in implementing configuration
management is to provide consistency in the performance, functionality and physical
components of the resources in a network. It reduces the chances of any failure of
equipment or any adverse change in the system. Configuration management also
provides an idea of the updates and upgrades required for a resource.

• Network logs audit: The main aim in implementing the network logs audit is to monitor
the activities of a network. The review of network audits can actually increase the security
of the network.


• Creating and enforcing security policies

• Creating and enforcing standard network operating procedures

• Planning business continuity

• Configuration control management

• Creating and implementing incident response processes

• Planning disaster recovery

• Conducting forensics activities

• Providing security awareness and training

• Enforcing security as culture

Performing the following operations helps organizations maintain the security of their assets:

• Creating and enforcing security policies: Network operators need written security policies
to monitor and manage a network efficiently. These policies set appropriate expectations
regarding the use and administration of information assets on a network. Security policies
describe what to secure on the network and the ways to secure it.

• Creating and enforcing standard network operating procedures: Standard network
operating procedures are instructions intended to document routine network activity.
Network operators should rely on these procedures to ensure the efficiency and security of
the network. The main goal of network operating procedures is to carry out network
operations correctly and always in the same manner.

• Planning business continuity and disaster recovery: Business today is exposed to various
threats and vulnerabilities, such as natural disasters, acts of terrorism, accidents or
sabotage, outages due to an application error, and hardware or network failures. Planning
business continuity and disaster recovery is the act of proactively working out a way to
prevent and manage the consequences of a disaster, limiting them to a minimum extent.

• Configuration control management: Network operators encounter many problems due to
the lack of configuration management capabilities. Configuration control management
involves initiating, preparing, analyzing, evaluating and authorizing proposals for change
to a system.


• Configuration control management includes:

• Device hardware and software inventory collection.

• Device software management.

• Device configuration collection, backup, viewing, archiving and comparison.

• Detection of changes to configuration, hardware, or software.

• Configuration change implementation to support change management.

• Creating and implementing incident response processes: Network operators create and
implement an incident response process through planning, communication and
preparation. Incident preparation readiness ensures a quick and timely response to
incidents. Network managers should determine whether or not to include law enforcement
agencies during incident response, as including them can affect the organization
positively or negatively.

• Conducting forensics activities on incidents: Computer forensics investigators examine
the incident and conduct forensic analysis using various methodologies and tools to
ensure the computer network system in an organization is secure.

While conducting forensics activities on incidents, people responsible for network
management should:

• Ensure that the professionals they hire are prepared to conduct forensic activities.

• Ensure that their policies contain clear statements about forensic considerations.

• Create and maintain procedures and guidelines for performing forensic activities.

• Ensure that their security policies and procedures support the use of forensic tools.

• Providing security awareness and training: Some of the threats to network security come
from within the organization. These inside attacks can come from uninformed users who
harm the network by visiting websites infected with malware, responding to
phishing e-mails, storing their login information in an unsecured location, or even giving
out sensitive information over the phone when exposed to social engineering. Network
managers should make sure that the company's employees are not making costly errors
that can affect network security. They should institute company-wide security-awareness
training initiatives including training sessions, security awareness website(s), helpful hints
via e-mail, or even posters. These methods can help ensure employees have a solid
understanding of the company's security policy, procedures and best practices.

• Enforcing security as culture: Network operators should enforce security as a culture in
the organization. This means knowing what behavior compromises security and how to
educate employees to change their insecure behavior. The culture within an organization
will have a significant influence on the likelihood of risks occurring, and on the degree to
which varying control approaches will be successful.


Figure: People involved in computer network defense: Network Administrator, Network
Security Administrator, Network Security Engineer, Security Architects, Security Analysts,
Network Technicians, End Users, Informed Leadership.

Network defense relies on the people involved in network operations. People are a crucial
element of any organization's network security approach. The degree to which people
embody a culture of security will significantly influence that organization's ability to protect
key assets. The people involved are responsible for maintaining, repairing and managing
network and computer systems to improve their performance. They explore and solve network
problems logically and consistently. They monitor the network for vulnerabilities before an
outsider can exploit them. These people make use of CND technologies and operations to
design and implement a robust and secure network.

People involved in computer network defense include:


• Network Administrator: The network administrator manages the whole network in an
organization. They coordinate all systems, software, etc. and help in running the network
of an organization smoothly.

• Network Security Administrator: The network security administrator is responsible for
maintaining the overall cyber security of an organization. They fix, control and monitor the
security solutions of an organization.

• Network Security Engineer: The network security engineer mainly develops the
countermeasures required for any cyber-related issues in an organization. They monitor
and manage the IT issues.


• Security Architects: The security architect supervises the implementation of the computer
and network security in an organization. They need to find methods to implement the
network and computer security in an efficient manner.

• Security Analysts: The security analyst maintains the privacy and integrity of the internal
network in an organization. They need to evaluate the efficiency of the security measures
implemented in an organization.

• Network Technicians: The network technician manages the hardware and software
components of an organization. They fix and repair the issues related to these
components.

• End Users: The end user refers to the people who use the end product deployed by an
organization. The end user can access the developed products through Desktop, Laptop,
iPads, Smart Phones, etc.

• Informed Leadership: The informed leadership can help an organization in taking
exemplary decisions regarding the security of the network and systems in an organization.
They need to be proactive enough to find the weaknesses and strengths in a network.


• Blue team involves highly skilled individuals who are collectively responsible for
developing effective Computer Network Defense (CND) for the target network

• The team examines the current security posture and any security deficiencies existing in
the network and predicts possible effective solutions and security measures to defend the
network from various types of attacks

• The team is responsible for determining the overall adequacy of security measures

A Blue team is an internal security team who help in building a strong Computer Network
Defense (CND) for the network. The Blue team is a part of the Red/Blue team exercise to defend
the network. The Blue team defends the network from both real and red team attacks. Blue
team security professionals have direct access to the network. The Blue Team is responsible for
detecting the attacks and, in a limited form, for protecting the hosts. They identify known
vulnerabilities on systems and do not address the requirements for an overarching security
infrastructure. The goal of the Blue Team is to detect the attacks and execute some
countermeasures to slow down or confuse the attackers.

• Roles and Responsibilities:

  • Blue team protects the network against the attacks by the red team.

  • Use tools to monitor and protect the network.

  • Implement preventive measures to minimize the attacks.

  • Create reports of the incidents to be sent to the management.

  • Blue team must gain knowledge of the threat actor's Tactics, Techniques and
Procedures (TTPs) and prepare counter approaches to defend the network.

  • Understand advanced threat actor activities on the network using defensive
techniques against these actors.

  • Understand the network using a realistic advanced attacker viewpoint.


  • Find the operational readiness and incident response capabilities of the network using
various tools and techniques.

  • Assess the ability of internal network defenses in eliminating attacks from advanced
threat actors.

• Advantages of Blue Teaming:

  • Enhance the security of the organization network.

  • Blue team members gain complete knowledge of the existing network defense.

  • Validate existing network defense, and help use them effectively.

  • Blue teams are more vigilant against attacks.

  • Forming Blue teams helps by improving the training for network defenders to protect
the network.

  • Help structure a realistic security process for monitoring threats in advance.


Network Defense-In-Depth
■ DID is achieved by ensuring security at each of the network layers

Figure: Defense In Depth Layers, from the outermost layer inwards:

• Policies, Procedures, and Awareness: Internet Access, Acceptable-Use, User-Account,
Firewall-Management, Email Security, Passwords, Physical Security, BYOD, ISO/IEC 27001,
PCI-DSS, HIPAA, etc.

• Physical: Physical locks, Access controls, security personnel, Fire Fighting Systems, Power
Supply, Video surveillance, Lighting, alarm system, etc.

• Perimeter: Server, DNS, Email, Routers, Firewalls, Switches

• Internal Network: Routers, Servers, Switches, Firewalls

• Host: OS, Antiviruses, Patches, Password Management, Logging, etc.

• Application

• Data: Encryption, Hashing, permission, DLP

Defense in depth is a security strategy in which several protection layers are used throughout
an information system. Defense-in-depth involves implementing security controls at different
layers of the network stack. It imposes a complex, layered defense structure, thereby making it
difficult for attackers to penetrate the system and achieve their goal.
This strategy uses the military principle that it is more difficult for an enemy to defeat a
complex and multi-layered defense system than to penetrate a single barrier. Defense in depth
helps to prevent direct attacks against an information system and its data because a break in
one layer leads the attacker only to the next layer. If a hacker gains access to a system, defense-
in-depth minimizes any adverse impact and gives administrators and engineers time to deploy
new or updated countermeasures to prevent a recurrence of intrusion or stop an intrusion
from going any deeper.

Typical layers of Defense-in-depth approach include:

• Policies, Procedures, and Awareness: This is the first level of countermeasures that every
organization must design and implement. It includes enforcing security policies to avoid
misuse of resources or restrict unauthorized operations on the organization's resources.

• Physical: It involves ensuring security of organization assets from various physical threats.

• Perimeter: It involves the design and implementation of appropriate security measures at
the perimeter level.


• Internal Network: It includes the design and implementation of security measures at an
internal network.

• Host: It involves implementing security measures at each individual host level.

• Application: It involves implementing security measures at the application level.

• Data: It involves implementing security measures to data whether it is at rest or transit.


Defense-in-Depth Network Design

Figure: Organization Network with layered security. Traffic from the Internet passes Perimeter
Security into the DMZ (Public Servers), then Internal Network Security protects the Internal
Servers (Intranet Servers) and the Internal LAN (Work Stations). Layers shown: Security Policies,
Procedures, and Awareness; Physical Security; Perimeter Security; Internal Network Security;
Host Security; Application Security; Data Security.

The first line of defense against attacks is the firewall, which can be configured to allow or deny
traffic. Installing and configuring Next-Generation firewalls with capabilities such as
application control, identity awareness, IPS, web filtering, and advanced malware detection
makes it harder for the attacker to bypass them.

IDS/IPS is the second line of defense for a network, even when the IPS function is bundled into
the firewall that forms the first line. Having your IPS properly optimized and monitored is a good
way to detect and block attackers that get past the first castle defense.
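To make the two-line idea concrete, here is an added Python example (written for this edition, not EC-Council's code) that models the perimeter firewall as a first-match, default-deny rule set over the Internet, DMZ, internal-server and LAN zones of the figure, followed by a signature inspection layer that only ever sees traffic the firewall admitted. The zone address ranges, rule names, signatures and packets are constructed for illustration. The point it demonstrates is that a request the firewall must allow (HTTPS to a public web server) can still be stopped by the second layer, and that the verdict records which layer absorbed the attempt.

```python
"""Two-layer defense-in-depth check: zone-based perimeter filter, then inspection.
Added example; zones, rules, signatures and packets are constructed, not from the course."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    payload: str = ""


@dataclass
class Rule:
    """One first-match firewall rule; a field left as None matches anything."""
    action: str                       # "allow" or "deny"
    src_zone: Optional[str] = None
    dst_zone: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None
    name: str = ""


# Constructed zone layout mirroring the figure: Internet -> DMZ -> internal servers -> LAN.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),            # public web / mail / DNS servers
    "internal_servers": ip_network("10.10.0.0/16"),
    "lan": ip_network("10.20.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Anything outside a known zone is treated as the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Layer 1: perimeter firewall. First match wins; the final rule is the default deny.
FIREWALL = [
    Rule("allow", "internet", "dmz", 443, "tcp", "public https"),
    Rule("allow", "internet", "dmz", 25, "tcp", "inbound mail"),
    Rule("allow", "dmz", "internal_servers", 5432, "tcp", "web tier to db"),
    Rule("allow", "lan", None, None, None, "lan egress"),
    Rule("deny", name="default deny"),
]

# Layer 2: constructed inspection signatures applied to admitted traffic only.
SIGNATURES = {
    "sqli-tautology": "' or '1'='1",
    "shellshock-marker": "() { :;};",
}


def firewall_decision(pkt: Packet) -> Tuple[str, str]:
    s, d = zone_of(pkt.src), zone_of(pkt.dst)
    for r in FIREWALL:
        if ((r.src_zone is None or r.src_zone == s)
                and (r.dst_zone is None or r.dst_zone == d)
                and (r.dport is None or r.dport == pkt.dport)
                and (r.proto is None or r.proto == pkt.proto)):
            return r.action, r.name
    return "deny", "implicit deny"    # unreachable with the default rule present


def inspect(pkt: Packet) -> List[str]:
    """Return the names of signatures found in the (lower-cased) payload."""
    text = pkt.payload.lower()
    return [name for name, sig in SIGNATURES.items() if sig in text]


def evaluate(pkt: Packet) -> dict:
    """Run the packet through both layers and report which layer stopped it, if any."""
    action, rule = firewall_decision(pkt)
    if action == "deny":
        return {"verdict": "blocked", "layer": "perimeter", "reason": rule}
    hits = inspect(pkt)
    if hits:
        return {"verdict": "blocked", "layer": "ips", "reason": ",".join(hits)}
    return {"verdict": "allowed", "layer": None, "reason": rule}


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "192.0.2.10", 22),
              Packet("198.51.100.7", "192.0.2.10", 443, payload="GET /login?u=admin' OR '1'='1"),
              Packet("192.0.2.10", "10.10.5.5", 5432)):
        print(p.src, "->", p.dst, p.dport, evaluate(p))
```

Keeping the inspection layer behind the filter matters operationally: it reduces the volume the IPS must process and means an IPS alert always refers to traffic the perimeter policy deliberately admitted, which is exactly the traffic worth a defender's attention.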
The network administrator should consider the following factors while developing and
designing a secured network:

• The network topology and location of the hosts in a network.

• The right selection of hardware and software security technologies.

• Proper configuration of each component.

Network designers should always monitor and examine common security issues found in the
network set up of a company to establish a secure network. They should also identify some best
practices to secure the network.
The challenges encountered by the network designer are:

• Protecting the network from attacks that come from the internet.

• Protecting public servers such as web, e-mail and DNS servers.


• Containing damage when a network or system is compromised.

• Preventing internal attacks against the network.

• Protecting highly important and sensitive information like customer databases, financial
records and trade secrets.

• Developing guidelines for the administrators to handle the network in a secure manner.

• Enabling intrusion detection and logging capabilities.

Network designers need to define certain policies that help in the careful and efficient
management of the organization's network. The policies created should follow the company
standards and should include criteria such as the number of human resources needed, the cost
of securing the network, etc. The network designer can proceed with the network design after
the creation of these policies.


• Protection: It includes a set of prior defensive actions (countermeasures) taken towards
eliminating all the possible vulnerabilities of the network

• Monitoring: It involves examining and assessing the network for any abnormalities such as
attacks, damages, unauthorized access attempts, modifications, etc.

• Detection: It involves determining and identifying abnormalities and their origins in a
network

• Analyzing: It involves actions which include confirming the incidents, finding their root
causes, and planning the possible course of action for an incident

• Responding: It involves a set of actions taken to mitigate the impact of attacks on the
network

The CND process specifies the prevention, detection and response actions to security incidents
in order to ensure complete computer network defense. It should be a continuous process. The
following phases of the CND process assist network administrators in implementing network
security effectively:

• Protecting: It includes a set of prior defensive actions (countermeasures) taken towards
eliminating all the possible vulnerabilities on the network. It includes security measures
such as Security Policies, Physical security, Host Security, Firewall, IDS, etc., used to offer
network protection.

• Monitoring: It involves examining and assessing the network for any abnormalities such
as attacks, damages, unauthorized access attempts, modifications, etc. It includes regular
monitoring of network traffic using network monitoring and packet sniffing tools.

• Detecting: It involves determining and identifying any abnormalities and their location in
the network. It includes identifying what is abnormal to the network.

• Analyzing: It involves actions which include confirming the incidents, finding their root
causes, and planning a possible course of action for an incident. It includes deciding
whether the incident is an actual security incident or a false positive.

• Responding: It involves a set of actions taken to mitigate the impact of an attack on the
network. It includes incident response, investigation, containment, and eradication steps
for responding to the incidents.
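An added example, not from the courseware, of the Monitoring, Detecting and Analyzing phases run over constructed OpenSSH-style auth log lines: parse the events (monitoring), flag any source with five or more failed logins inside a one-minute window (detecting), then confirm or downgrade the alert by checking whether the same source logged in successfully shortly afterwards (analyzing). The log lines, the threshold, the window and the suggested response steps are assumptions chosen for illustration.

```python
"""Monitoring -> Detecting -> Analyzing over constructed auth-log lines.
Added example; the log, threshold, window and next-step text are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth-log format; not captured from a real host.
SAMPLE_LOG = """\
Mar 10 08:01:11 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50022 ssh2
Mar 10 08:01:13 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 50023 ssh2
Mar 10 08:01:15 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 50024 ssh2
Mar 10 08:01:16 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 50025 ssh2
Mar 10 08:01:18 bastion sshd[2215]: Failed password for root from 203.0.113.9 port 50026 ssh2
Mar 10 08:01:20 bastion sshd[2215]: Accepted password for root from 203.0.113.9 port 50027 ssh2
Mar 10 08:05:02 bastion sshd[2300]: Failed password for alice from 10.20.3.4 port 41000 ssh2
Mar 10 08:05:40 bastion sshd[2301]: Accepted password for alice from 10.20.3.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text, year=2024):
    """Monitoring: turn raw lines into events; lines that are not auth results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Detecting: one alert per source whose failures reach the threshold inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"src": src, "failures": j - i + 1,
                               "first": times[i], "last": times[j]})
                break
    return alerts


def analyze(alert, events, grace=timedelta(minutes=5)):
    """Analyzing: a success from the same source right after the burst confirms the
    incident; otherwise it stays a suspected attempt rather than a confirmed compromise."""
    for e in events:
        if (e["src"] == alert["src"] and e["result"] == "Accepted"
                and alert["last"] <= e["ts"] <= alert["last"] + grace):
            return {"src": alert["src"], "status": "confirmed", "user": e["user"],
                    "next_step": "respond: isolate host, reset credential, preserve logs"}
    return {"src": alert["src"], "status": "suspected", "user": None,
            "next_step": "respond: block source at perimeter, keep monitoring"}


def run_cnd_cycle(log_text):
    """Chain the three phases and hand the analyzed alerts to the responding phase."""
    events = parse(log_text)
    return [analyze(a, events) for a in detect(events)]


if __name__ == "__main__":
    for finding in run_cnd_cycle(SAMPLE_LOG):
        print(finding)
```

The single failed login from the LAN user never reaches the threshold, so the cycle produces exactly one finding, and the analysis step is what turns a noisy "many failures" alert into a prioritised, confirmed incident with a concrete response.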


Figure: Security defense techniques

• Preventive Approaches: Access Control (Firewall); Admission Control (NAC & NAP);
Cryptographic Applications (IPSec & SSL); Biometric Security (Biometrics)

• Reactive Approaches: Security Monitoring (SIMS; TRS & IPS; DoS & DDoS)

• Retrospective Approaches: Fault Finding (Protocol Analyzer; Traffic Monitors); Security
Forensics (CSIRT; CERT); Post Mortem Analysis (Legal/Risk Assessor)

There are three main classifications of security defense techniques used for identification and
prevention of threats and attacks in the target network.

• Preventive Approach: The preventive approach basically consists of methods or
techniques that avoid the presence of threats or attacks in the target network. The
preventive approaches mainly used in the network are as follows:

  • Access control mechanisms such as a firewall.
  • Admission Control mechanisms such as NAC and NAP.
  • Cryptographic Applications such as IPSec and SSL.
  • Biometric techniques such as speech or facial recognition.

• Reactive Approach: The reactive approach is complementary to the preventive approach.
The reactive approach prevents those attacks and threats which the preventive approach
failed to stop, for example DoS and DDoS attacks. Implementing both preventive and
reactive approaches together ensures the security of the network. The reactive approaches
include security monitoring methods such as IDS, SIMS, TRS, IPS, etc.

• Retrospective Approach: The retrospective approach examines the reasons for attacks in
the network. The approaches include:

  • Fault finding mechanisms which include a protocol analyzer and traffic monitors.
  • Security forensics techniques such as CSIRT and CERT.
  • Post-mortem analysis mechanisms including a legal/risk assessor.


Module 02: Network Security Threats, Vulnerabilities, and Attacks

Figure: Most common network attacks detected (source: http://www.calyptix.com):
Denial-of-Service, Brute-Force, Others, Browser, ShellShock, SSL, Botnet, Backdoor.

According to the latest Threat Report from McAfee Labs, the statistics for the most common
network attacks detected are shown in the chart. The chart aggregates data from the
company's network of millions of sensors across the globe. According to the report, Denial of
Service (DoS) attacks top the list and are the most common attack against an organization's
network. DoS attacks are very common, accounting for more than one-third of all network
attacks reviewed in the report. Attempts to brute-force passwords are also frequently made to
gain unauthorized access to network resources. Browser-based attacks target end users who
are browsing the Internet. The attacks may encourage them to unwittingly download malware
disguised as a fake software update or application. Malicious and compromised websites can
also force malware onto visitors' systems. Attackers are also exploiting vulnerabilities found in
Bash, a common command-line shell for Linux and Unix systems, in order to install malware
that sends spam campaigns and launches DDoS attacks. SSL attacks aim to intercept data that
is sent over an encrypted connection. A successful attack enables access to the unencrypted
information. SSL attacks account for 6% of all network attacks analyzed.

Source: http://www.calyptix.com


• Understanding threat, attack, and vulnerability concepts

• Discussing network security concerns

• Discussing the reasons behind network security concerns

• Understanding the effect of network security breach on business continuity

• Understanding the different categories of network threats

• Understanding the different categories of network security vulnerabilities

• Understanding the different categories of network attacks

• Describing the various network attacks

This module discusses the various network threats, vulnerabilities, and attacks that an attacker
can carry out to compromise network security. The module will teach you the different types of
network threats, why they arise, the possible sources they come from, etc. The module also
discusses the different levels of attacks that are carried out against the network and the types
of vulnerabilities that exist in the network.


Essential Terminologies

Attack: An assault on the system security derived from an intelligent threat. An attack is any
action violating security.

In the field of information security, Internet and computer security people often use the
following terms interchangeably: threats, vulnerabilities and attacks. Many people confuse
these terms. However, they are different and have a distinct meaning even though they are
interrelated. Therefore, it is necessary to understand and differentiate between them.

Threat
A threat is a potential occurrence of an undesired event that can eventually damage and
interrupt the operational and functional activities of an organization. A threat can affect the
integrity and availability of an organization. The impact of threats is very high, and it can
affect the existence of the physical IT assets in an organization. Threats may be accidental,
intentional or due to the impact of some other action.

Vulnerability
Vulnerability is the existence of a weakness, design, or implementation error that, when
exploited, leads to an unexpected and undesired event compromising the security of the
system. Simply put, a vulnerability is a security loophole that allows an attacker to enter the
system by bypassing various user authentications.

Attack
An attack is an action taken towards breaching an IT system's security through vulnerabilities.
In the context of an attack on a system or network, it also refers to malicious software or
commands that can cause unanticipated behavior of legitimate software or hardware because
attackers take advantage of the vulnerabilities.

For example,

• Threats to Input Validation cause an application to be exploited using:

  • Buffer overflows
  • Cross-site scripting
  • SQL injection
  • Canonicalization attacks
  • Query string manipulation
  • Form field manipulation
  • Cookie manipulation
  • HTTP header manipulation

• Vulnerabilities in Input Validation:

  • Lack of validation on user inputs
  • Use of non-validated user inputs directly to generate SQL queries
  • Relying solely on client-side validation
  • Performing input validation based on known bad patterns

• Attacks to Input Validation can be:

  • Exploiting input validation vulnerabilities to perform a Buffer overflow attack, Cross-
site scripting attack, SQL injection attack, Canonicalization attacks, Query string
manipulation, Cookie manipulation, etc.
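The following Python is an added example (not part of the EC-Council text) that pairs the vulnerabilities listed above with their fixes: a login query built directly from user input beside the parameterised version, a username check written as a known-good (allow-list) pattern rather than a list of known-bad patterns, and a canonicalisation check that resolves a user-supplied file path before testing that it stays inside the intended directory. The in-memory table, the users, the inputs and the base directory are constructed assumptions.

```python
"""Input-validation weaknesses beside their hardened forms.
Added example; the table, users, inputs and base directory are constructed."""
import os
import re
import sqlite3
import tempfile


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, pw):
    """Vulnerable: unvalidated input is pasted into the SQL text, so a quote in the
    input changes the query's structure instead of being compared as data."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, pw):
    """Hardened: placeholders send the input as bound values, never as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Allow-list: describe what a valid username looks like, not what a bad one looks like.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def login_validated(conn, name, pw):
    """Reject malformed usernames before the value ever reaches the database."""
    if not validate_username(name):
        return []
    return login_param(conn, name, pw)


# Canonicalisation: constructed base directory for user-supplied file names.
BASE_DIR = os.path.realpath(os.path.join(tempfile.gettempdir(), "uploads"))


def safe_path(user_supplied):
    """Resolve '..' segments, symlinks and absolute paths first, then check containment.
    Returns the canonical path, or None when it would escape BASE_DIR."""
    full = os.path.realpath(os.path.join(BASE_DIR, user_supplied))
    if os.path.commonpath([BASE_DIR, full]) != BASE_DIR:
        return None
    return full


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"
    print("concat  :", login_concat(db, "x", tainted))   # every row comes back
    print("param   :", login_param(db, "x", tainted))    # no row matches
    print("validate:", login_validated(db, tainted, "pw"))
    print("path    :", safe_path("../outside.txt"), safe_path("report.txt"))
```

The parameterised query alone closes the injection; the allow-list check is defence in depth that also stops malformed input reaching any other sink, and the canonicalisation check shows why the page lists "canonicalization attacks" separately: comparing the raw string is not enough, the path has to be resolved before it is compared.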


Network Security Concerns

• Network security is one of the primary concerns for organizations worldwide

• Potential threats to network security are evolving every day

• Network security attacks are becoming technically more sophisticated, better organized,
and harder to detect

• Organizations are failing to defend themselves against rapidly increasing network attacks
due to the lack of network security skills

The attacks on the network are increasing at a fast rate. Constant attacks on the network are a
major issue in the computing world. Organizations are raising funds for securing their
networks. Network security concerns affect the availability, confidentiality and integrity of the
information present in an organization. Attackers are exploiting loopholes existing in security
related technologies. Administrators need to be more vigilant toward the newer attacks that
can occur in the network. Network administrators need to categorize the types of attacks
occurring in the network.

Designing and implementing a network is an easy task, but maintaining the security of the
network is a difficult task. Attackers are using various exploitation tools to gain access to the
network and its resources.

The organization's network can also be at risk for different types of attacks from the inside. The
employees of an organization can at times pose a threat to the security of the company's
network. Insider threats can be more dangerous than external ones.

Attackers perform network attacks to take control of a computer, for curiosity and excitement,
for publicity and fame, for financial gain, to spy or conduct corporate espionage, to get
information about the organization, and to disrupt the proper working of an application or
service.

The organization needs to implement tasks that monitor and identify the attacks in the network
on a daily basis. The sharing of information and resources across the computers in a network
can attract intruders wanting to gain access to that information. The organization may consider
taking certain protective steps to prevent any kind of unauthorized access to its network.


Administrators can locate the various areas of continuous attacks, thereby assisting the
organization in planning for security.


Why Network Security Concerns Arise

1. Hardware or Software Misconfiguration
2. Insecure or poor design of the network
3. Inherent technology weaknesses
4. Careless approach of end users
5. Intentional acts from end users

Hardware or software misconfiguration

Security loopholes are created from an insecure configuration of the hardware or software in
the network. For example, a misconfigured protocol or the use of an unencrypted protocol may
lead to network intrusions resulting in a leak of sensitive information. Misconfiguration of
hardware may allow attackers to gain access to the network or system. Misconfiguration of
software may allow attackers to gain unauthorized access to the applications and data.
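As an added example (not from the courseware), the Python below audits a constructed sshd_config-style file and a constructed list of listening services for the two misconfiguration classes this paragraph names: weak settings on a service that is encrypted, and cleartext protocols exposed at all. The file contents, the service list, the cleartext-port table and the expected-value table are assumptions chosen for illustration; a real audit would read the host's actual configuration and socket list.

```python
"""Configuration audit for the misconfiguration concern.
Added example; the config text, service list and rule tables are constructed."""

# Constructed sshd_config-style sample, not a real host's file.
SSHD_CONFIG = """\
# constructed sample
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes   # trailing comment
X11Forwarding no
"""

# Constructed list of listening sockets: (port, transport, service name).
LISTENING = [
    (22, "tcp", "ssh"),
    (23, "tcp", "telnet"),
    (80, "tcp", "http-admin"),
    (161, "udp", "snmp"),
    (443, "tcp", "https"),
]

# Ports whose usual protocol carries credentials or data unencrypted (assumed table).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp"}

# Settings that are commonly left insecure and the value this audit expects (assumed).
SSHD_EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
}


def parse_kv_config(text):
    """Parse 'Key value' lines; comments and blanks are ignored, last occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def audit_sshd(text):
    """Compare each expected setting with the parsed value; an absent key is reported
    too, because the effective default then depends on the installed version."""
    settings = parse_kv_config(text)
    findings = []
    for key, want in SSHD_EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly (verify the default)")
        elif got.lower() != want:
            findings.append(f"{key} is '{got}', expected '{want}'")
    return findings


def audit_services(listening):
    """Flag every listener on a port associated with a cleartext protocol."""
    return [f"cleartext service {name} listening on {port}/{proto}"
            for port, proto, name in listening if port in CLEARTEXT_PORTS]


def audit_all(sshd_text=SSHD_CONFIG, listening=LISTENING):
    return {"sshd": audit_sshd(sshd_text), "services": audit_services(listening)}


if __name__ == "__main__":
    for section, findings in audit_all().items():
        for f in findings:
            print(f"[{section}] {f}")
```

Reporting an unset key as a finding rather than assuming a safe default is deliberate: the paragraph's point is that the loophole comes from what the configuration actually does, and a silent default is exactly where a reviewer's assumption and the host's behaviour drift apart.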

Insecure or poor design of network

An improper and insecure design of the network may incur a variety of threats and the
probability of data loss. For example, if firewalls, IDS and virtual private network (VPN)
technologies are not implemented securely, they will expose the network to different threats.

Inherent technology weakness

If the hardware or software is not capable of defending the network against certain types of
attacks, then it will be vulnerable to those attacks. Many hardware devices, applications or web
browsers are more prone to attacks such as denial-of-service or MITM attacks. If an old version
of a web browser is running on a system, that system has a higher chance of being vulnerable
to distributed attacks. If the systems are not updated, a small Trojan attack will force the user
to clean the entire machine. Cleaning a machine often leads to data loss.


End-user carelessness
End-user carelessness has a huge impact on network security. Human behavior is more
susceptible to various types of attack and tends to lead to more serious attacks on the network,
including data loss, information leakage, etc. Intruders gain sensitive information through
various social engineering techniques. If users share account information or login credentials,
this leads to the loss of data or exploitation of the information. Connecting systems to an
unsecured network can also lead to attacks from a third party.

Intentional end-user acts

If an ex-employee still has access to a shared drive, it can be misused to leak the company's
sensitive information. This type of act is called an intentional end-user act. Such acts lead to
heavy losses to the company and its data.


Types of Network Security Threats

• Internal threats: arise from internal employees with access to networks and other internal resources
• External threats: arise from individuals who do not have direct access to the network
• Unstructured threats: arise from unskilled individuals who attack the network out of curiosity
• Structured threats: arise from individuals who are highly motivated and technically competent


There are basically two types of threats to the network:

• Internal
• External

Internal Threats
Around 80% of computer and Internet-related crimes are estimated to be insider attacks. These are
performed by insiders within the organization, such as disgruntled or negligent employees, and harm
the organization either intentionally or unintentionally (by accident). Most of these attacks are
performed by privileged users of the network.

The reasons behind insider attacks can be revenge, disrespect, frustration, or lack of security
awareness. Insider attacks are more dangerous than external attacks because insiders are familiar
with the network architecture, security policies and regulations of the organization. Additionally,
internal security controls are often not as strong as perimeter controls, because organizations
focus on protection from external attacks.

External Threats
External attacks are performed by exploiting vulnerabilities that already exist in the network. The
attacker does it for the sake of curiosity, financial gain or reputation damage to the target
organization. External attackers can be any individual who is well versed in attacking techniques,
a group of users who work together to support a cause or political motive, competitor companies
conducting corporate espionage, nation states conducting surveillance, etc. Attackers


performing external attacks have a predefined plan and use specialized tools and techniques to
penetrate the network.

An external attack depends on which weaknesses exist; those weaknesses are then exploited to
perform the attack. These attacks are performed without the assistance of insider employees. Some
external attacks include application- and virus-based attacks, password-based attacks, instant
messaging-based attacks, network traffic-based attacks, and operating system-based attacks.

External threats are classified into two types: structured and unstructured external threats.

Structured External Threats

Structured external threats arise from highly skilled individuals who quickly identify existing
vulnerabilities and can write their own exploits to compromise the network. These individuals or
groups are often involved in major fraud and theft cases.

Unstructured External Threats

Unstructured external threats arise from inexperienced individuals who use readily available
hacking tools and scripts to perform the attack. This type of attack is generally executed with
the intent of testing the attacker's hacking skills, but it can still pose serious harm to the
organization.

[Figure 2.1 shows an external network on the left and the internal network on the right. The
unstructured threat and the structured threat originate outside and reach a compromised host in
the internal network; the internal threat originates inside the internal network.]

FIGURE 2.1: Different types of network security threats


How does a Network Security Breach Affect Business Continuity

• Disruption or even shutdown of the business
• Loss of productivity
• Loss of privacy
• Data loss/theft
• Legal liability
• Reputation damage and loss of consumer confidence


Disruption of Business
Any type of attack on a business can bring the entire business process to a standstill. A breach
in security leads to a loss of critical business and user information.

Loss of Productivity
An exploited business network suffers heavy productivity losses. The loss incurred due to an
attack has to be recovered either from data backups or by users reworking the data. Recovery of
data after a network attack is a time-consuming process.

Loss of Privacy
When confidential data is leaked, the organization loses control of its private data, which also
leads to legal issues.

Theft of Information
An attack on the network can lead to attackers raiding the organization's information. Theft of
the personal and professional information of the company's employees through such attacks affects
those employees directly. If attackers get into a customer database, the customers are affected as
well, which leads to serious problems.


Legal Liability
A case can be filed against the attackers; the applicable laws differ between countries. With
proper evidence of the incident, an organization can file a lawsuit if its security is breached.
The same is true for customers: if their private and personal information, such as credit card
numbers, social security numbers and addresses, is stolen, then depending on the circumstances
they may also have the right to bring a lawsuit against the company.

Damage to reputation and consumer confidence

Once an attack on an organization has been detected and identified, it is difficult to regain
customer confidence. The reputation of the organization is at stake.


Types of Network Security Vulnerabilities: Technological
Vulnerabilities that exist in the TCP/IP protocol, operating system, and network devices:

• TCP/IP protocol vulnerabilities: HTTP, FTP, ICMP, SNMP and SMTP are inherently insecure
• Operating system vulnerabilities: an OS can be vulnerable because it is inherently insecure or because it is not patched with the latest updates
• Network device vulnerabilities: network devices such as routers, firewalls and switches can be vulnerable due to lack of password protection, lack of authentication, insecure routing protocols, and firewall vulnerabilities


Types of Network Security Vulnerabilities: Configuration
Vulnerabilities that exist due to the misconfiguration of computing and network devices:

• User account vulnerabilities: arising from the insecure transmission of user account details, such as usernames and passwords, over the network
• System account vulnerabilities: arising from setting weak passwords on system accounts
• Internet service misconfiguration: misconfiguring Internet services can pose serious security risks. For example, enabling JavaScript and misconfiguring IIS, Apache, FTP, Terminal Services, etc., can create security vulnerabilities in the network
• Default passwords and settings: leaving network devices/products with their default passwords and settings
• Network device misconfiguration: misconfiguring the network device itself


Types of Network Security Vulnerabilities: Security Policy

Vulnerabilities due to weak security policy implementation and enforcement:

• Unwritten policy: an unwritten security policy is difficult to implement and enforce
• Lack of continuity: lack of continuity in implementing and enforcing the security policy
• Politics: politics make it difficult to implement a consistent security policy
• Security policy unawareness: lack of awareness of the security policy


A network security breach can occur because of the following vulnerabilities:

Technological vulnerabilities
A technological vulnerability exists due to an inherent weakness in the operating system,
printers, scanners or other networking equipment. Attackers can detect loopholes in protocols
like SMTP, FTP and ICMP, and detect the lack of authentication in networking equipment such as
switches and routers, leading to an intrusion. Regular security audits by the network
administrator or information security officer help keep track of any irregular activity on the
network.

Configuration vulnerabilities
Configuration vulnerabilities exist due to the misconfiguration of computing and network
devices. They exist when an administrator configures a user account or the system services
insecurely, leaves the default settings in place, manages passwords improperly, etc.

Security policy vulnerabilities

Security policy vulnerabilities exist when the security policies of the organization are
improperly drafted and enforced. Lack of appropriate policy enforcement may lead to unauthorized
access to network resources. If an administrator fails to regularly monitor and audit activity,
it will be easy for attackers to exploit the system.


Types of Network Security Attacks

• Reconnaissance attacks
• Access attacks
• Denial of Service (DoS) attacks
• Malware attacks


Organizations face challenges in maintaining the security of their networks, as the number of
attacks on networks is growing day by day. Attackers or hackers are finding new ways of getting
into networks. The motive behind an attack differs based on the objective of each attacker. Some
attackers want to steal hardware and software, others perform actions that consume the bandwidth
of network resources, and others are after customer data. The network administrator, on the other
hand, needs to be highly efficient in identifying these attacks and must know what each of these
different types of attack is.

Typical network attacks are broadly classified into:

Reconnaissance attacks
A reconnaissance attack refers to a technique in which attackers gather information about the
network and organization, helping them perform later attacks more easily. Gathering information
about a network allows attackers to recognize any potential weaknesses it may have.

Access Attacks
After gaining information about the target network, attackers try to gain access by using various
exploitation techniques. These attempts to gain access to a system or network are called access
attacks, and they include gaining unauthorized access, brute force, privilege escalation,
man-in-the-middle, etc.


Denial-of-service
In a denial-of-service attack, attackers attempt to deny services to customers, users and/or the
organization. A DoS attack does not by itself lead to theft of information, but it can affect the
organization financially due to the downtime. DoS attacks can also render files and other
sensitive information stored on a system unavailable, and disrupt the working of any website;
websites are commonly brought down using this method.

Malware attacks
Malware attacks affect the system or network either directly or indirectly, and have an adverse
impact on how the network functions. Malware is a program or file that poses a threat to a
computer system. The different types of malware include Trojans, viruses and worms.


Reconnaissance Attacks

• In reconnaissance attacks, attackers make an attempt to discover the target network's information
• The aim of this attack is to gather all possible information about the target network
• Exploitation of the target network begins with reconnaissance
• Attackers gain the network information using different techniques such as social engineering, port scanning, DNS footprinting, ping sweeping, and system enumeration

Network information obtained using reconnaissance attacks:
• Domain name
• Internal domain names
• Network blocks
• IP addresses of the reachable systems
• Rogue websites/private websites
• TCP and UDP services running
• Access control mechanisms and ACLs
• Networking protocols
• VPN points
• IDSes running
• Analog/digital telephone numbers
• Authentication mechanisms


In reconnaissance attacks, attackers make an attempt to discover all the possible information
about a target network, including the information systems, services and vulnerabilities that may
exist in the network.
The major objectives of a reconnaissance attack include collecting the target's network
information, system information, and organizational information. By carrying out reconnaissance
at various network levels, the attacker gains information such as network blocks, network
services and applications, system architecture, intrusion detection systems, specific IP
addresses, and access control mechanisms. With a reconnaissance attack, the attacker also
collects information such as employee names, phone numbers, contact addresses, designations,
work experience, etc., which leads to social engineering and the other phases of the intrusion
into the corporate network.

Collecting Network Information

An attacker performs whois database analysis, trace routing, etc., to gather network
information. Thereafter the attacker may gain access to sensitive data or may attack the
network.

Collecting System Information


Prior to performing an attack, an attacker identifies the vulnerabilities to exploit in order to gain
access to a system. Once the attacker gains system access, they can use various tools and


utilities to perform illegal activities such as stealing sensitive data, attacking other systems,
sending forged emails from the system and deleting data.

Collecting Organization's Information

An attacker obtains information about an organization from its website. In addition, they can
query the target's domain name against the whois database and get valuable information such
as location, people's names, phone numbers, etc. This information is then used to identify key
employees in the company, against whom the attacker launches social engineering attacks to
extract sensitive data about the organization.

Types of reconnaissance attack

Reconnaissance attacks can be active or passive.
• Active reconnaissance attacks

Active reconnaissance attacks mostly include port scans and operating system scans. Here, the
attacker uses tools to send packets to the target system. For example, the traceroute tool helps
gather the IP addresses of the routers and firewalls on the path to the target. The attacker also
gathers more information regarding the services running on the target system.

• Passive reconnaissance attacks

Passive reconnaissance attacks gain information from observing traffic without sending packets
to the target. Here, the attackers perform sniffing, which helps them learn about weaknesses in
the network. The attackers use various tools to gain information about the target.

Examples of reconnaissance attacks include:

• Packet sniffing: Packet sniffing monitors every packet that passes through a network.
Through various packet sniffing tools, attackers capture usernames, passwords, and other
user information. The user information is available in plain text on protocols like Telnet
and HTTP. Packet sniffing can also be used to map the network and to pick targets to break into.
• Port scanning: Port scanning identifies the open ports on the target machine. Each open port
belongs to a listening service, which the attacker then probes for weaknesses to gain access.
• Ping sweeping: Ping sweeping is a technique that locates live hosts in a network by sending
ICMP echo requests to a range of addresses. A well-configured ACL that drops ICMP echo
requests from untrusted networks can prevent ping sweeping.
• DNS Footprinting: DNS footprinting is possible with the help of DNS queries such as DNS
lookups and whois. The queries provide information about the specific domain and its IP
addresses.
• Social Engineering: Social engineering is a technique in which targets are tricked into
unknowingly sharing their credentials or personal information. Attackers use this information
to attack the target.
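As an added example (not part of the original courseware), the following Python code shows what a passive sniffer recovers from the plaintext protocols named above. It walks a constructed client-to-server TCP stream containing two HTTP requests (the hostname, credentials and stream are invented for the example) and extracts the credentials from an HTTP Basic Authorization header and from a form login. The same stream carried over HTTPS would be opaque to the sniffer, which is the defender's countermeasure.

```python
import base64
from urllib.parse import parse_qs

# Constructed TCP stream carrying two pipelined cleartext HTTP requests.
# Hostname and credentials are invented for this example.
SAMPLE_STREAM = (
    "GET /admin HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Authorization: Basic YWxpY2U6UEBzc3cwcmQ=\r\n"
    "\r\n"
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "username=bob&password=hunter2"
)

# Form field names commonly used for login forms (assumption for the example).
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pass")


def split_requests(stream):
    """Split a reassembled client-to-server stream into HTTP requests.

    Each request is a header block terminated by a blank line, followed by
    Content-Length bytes of body (zero when the header is absent).
    """
    requests = []
    pos = 0
    while True:
        head_end = stream.find("\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        body = stream[body_start:body_start + length]
        requests.append({"request_line": lines[0], "headers": headers, "body": body})
        pos = body_start + length
    return requests


def extract_credentials(stream):
    """Return [(source, username, password)] for every credential sent in clear."""
    found = []
    for req in split_requests(stream):
        # HTTP Basic auth is only base64, not encryption: anyone on the path decodes it.
        scheme, _, token = req["headers"].get("authorization", "").partition(" ")
        if scheme.lower() == "basic" and token:
            decoded = base64.b64decode(token).decode("utf-8", "replace")
            user, _, password = decoded.partition(":")
            found.append(("basic-auth", user, password))
        # Form logins travel as key=value pairs in the POST body.
        content_type = req["headers"].get("content-type", "")
        if content_type.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(req["body"])
            user = next((form[k][0] for k in USER_FIELDS if k in form), None)
            password = next((form[k][0] for k in PASSWORD_FIELDS if k in form), None)
            if user is not None and password is not None:
                found.append(("form-login", user, password))
    return found


if __name__ == "__main__":
    for source, user, password in extract_credentials(SAMPLE_STREAM):
        print(f"{source}: {user} / {password}")
```

The parser follows Content-Length rather than guessing where a body ends, which is the same reassembly a sniffing tool has to do; on a real capture the stream would come from a packet capture library rather than a string constant.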


Reconnaissance Attacks: ICMP Scanning
An attacker sends an ICMP ECHO request to detect live hosts in a network. They use tools such as
Nmap to send ICMP ECHO requests.

Attacker (192.168.168.3) sends an ICMP Echo Request to Destination (192.168.168.5), which
answers with an ICMP Echo Reply.

[The slide shows a Zenmap "Ping scan" of the destination:

Command: nmap -sn 192.168.168.5

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-03 10:53 Pacific Daylight Time
Nmap scan report for 192.168.168.5
Host is up (0.0010s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds]

http://nmap.org


During ICMP scanning, the attacker sends ICMP packets to systems to gather information about
them. ICMP scanning helps an attacker determine which hosts are live in a network. Hosts are
detected by pinging them with scanning tools such as Nmap; Nmap's -sn option performs this host
discovery without a port scan, and -PE selects ICMP echo requests as the probe. Nmap probes many
hosts in parallel, so sweeping a whole subnet completes very quickly.

The Internet Control Message Protocol (ICMP) scanning technique works on one host at a time. It
sends ICMP ECHO requests to a single host using the ping utility or third-party tools. If the host
is live, it returns an ICMP ECHO reply. This technique also locates active devices and determines
whether ICMP is passing through a firewall.
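An added example, not part of the courseware, showing how a defender spots an ICMP sweep in firewall or flow logs: one source sending echo requests to many distinct destinations inside a short window. The log lines, addresses, window and threshold are constructed for the example; the allowlist handles monitoring hosts that legitimately ping many systems, and the second, slower sweeper shows why the window length matters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/flow records: "timestamp src dst proto icmp_type".
# Addresses follow the slide's lab range; the traffic itself is invented.
SAMPLE_LOG = """\
2013-10-03T10:53:00 192.168.168.3 192.168.168.1 icmp 8
2013-10-03T10:53:00 192.168.168.3 192.168.168.2 icmp 8
2013-10-03T10:53:01 192.168.168.3 192.168.168.4 icmp 8
2013-10-03T10:53:01 192.168.168.3 192.168.168.5 icmp 8
2013-10-03T10:53:01 192.168.168.5 192.168.168.3 icmp 0
2013-10-03T10:53:02 192.168.168.3 192.168.168.6 icmp 8
2013-10-03T10:53:02 192.168.168.3 192.168.168.7 icmp 8
2013-10-03T10:53:30 192.168.168.20 192.168.168.1 icmp 8
2013-10-03T10:53:31 10.0.0.2 192.168.168.1 icmp 8
2013-10-03T10:53:31 10.0.0.2 192.168.168.2 icmp 8
2013-10-03T10:53:31 10.0.0.2 192.168.168.3 icmp 8
2013-10-03T10:53:32 10.0.0.2 192.168.168.4 icmp 8
2013-10-03T10:53:32 10.0.0.2 192.168.168.5 icmp 8
2013-10-03T10:54:00 192.168.168.40 192.168.168.10 icmp 8
2013-10-03T10:54:30 192.168.168.40 192.168.168.11 icmp 8
2013-10-03T10:55:00 192.168.168.40 192.168.168.12 icmp 8
2013-10-03T10:55:30 192.168.168.40 192.168.168.13 icmp 8
2013-10-03T10:56:00 192.168.168.40 192.168.168.14 icmp 8
"""

ICMP_ECHO_REQUEST = 8  # ICMP type 8; echo reply is type 0


def parse_record(line):
    """Parse one constructed log line into a dict."""
    ts, src, dst, proto, icmp_type = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "icmp_type": int(icmp_type)}


def ip_sort_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def detect_icmp_sweeps(lines, window_seconds=10, min_hosts=5, allowlist=()):
    """Return {src: [swept destinations]} for sources that sent echo requests to
    at least min_hosts distinct destinations inside any window_seconds interval.

    allowlist names hosts that legitimately ping many systems (monitoring
    servers), which otherwise produce the same pattern as an attacker.
    """
    window = timedelta(seconds=window_seconds)
    echoes = defaultdict(list)
    for rec in map(parse_record, lines):
        if (rec["proto"] == "icmp" and rec["icmp_type"] == ICMP_ECHO_REQUEST
                and rec["src"] not in allowlist):
            echoes[rec["src"]].append((rec["ts"], rec["dst"]))

    sweeps = {}
    for src, events in echoes.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over time-ordered events; keep the largest host set seen.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            sweeps[src] = sorted(best, key=ip_sort_key)
    return sweeps


if __name__ == "__main__":
    found = detect_icmp_sweeps(SAMPLE_LOG.splitlines(), allowlist={"10.0.0.2"})
    for src, hosts in found.items():
        print(f"{src} swept {len(hosts)} hosts: {', '.join(hosts)}")
```

With the default 10-second window the host at 192.168.168.40, which spaces its probes 30 seconds apart, is missed; widening the window to several minutes catches it at the cost of more false positives, which is the usual tuning trade-off for sweep detection.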


Reconnaissance Attacks: DNS Footprinting

• An attacker gathers DNS information to determine the key hosts in the network and perform social engineering attacks
• They use DNS interrogation tools to perform DNS footprinting
• DNS records provide important information about the location and type of servers

Record Type: Description
• A: Points to a host's IP address
• MX: Points to the domain's mail server
• NS: Points to the host's name server
• CNAME: Canonical naming allows aliases to a host
• SOA: Indicates authority for the domain
• SRV: Service records
• PTR: Maps an IP address to a hostname
• RP: Responsible person
• HINFO: Host information record, includes CPU type and OS
• TXT: Unstructured text records

[The slide shows a DNS records lookup of yahoo.com from http://centralops.net, listing the
domain's SOA, A, MX and NS records (name, class, type, data, time to live) and the PTR, NS, TXT
and SOA records of the corresponding in-addr.arpa reverse zone.]

DNS footprinting reveals information about the DNS zone. DNS zone data includes the DNS domain
names, computer names, IP addresses, and much more about a particular network. An attacker
uses the DNS information to determine key hosts in the network, and then performs social
engineering attacks to gather even more information.

When the attacker queries the DNS server using a DNS interrogation tool, the server responds
with a record structure that contains information about the target's DNS. DNS records provide
important information about the location and type of servers.
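To make the record types above concrete, here is an added Python example (not from the courseware) that parses a constructed zone listing in the same name/TTL/class/type/data layout the interrogation tool displays, resolves the hosts an attacker singles out (name servers, mail servers, SRV targets) and reports what the zone gives away: RFC 1918 addresses published in a public zone, and HINFO, RP and TXT records that describe platforms and people. The example.com zone, the hostnames and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed zone data in "name ttl class type rdata" form, like the output of
# a DNS interrogation tool. example.com and all addresses are placeholders.
SAMPLE_RECORDS = """\
example.com.             3600   IN SOA   ns1.example.com. hostmaster.example.com. 2015010301 3600 300 1814400 600
example.com.             1800   IN A     198.51.100.10
example.com.             1800   IN MX    10 mx1.example.com.
example.com.             1800   IN MX    20 mx2.example.com.
example.com.             172800 IN NS    ns1.example.com.
example.com.             172800 IN NS    ns2.example.com.
www.example.com.         1800   IN CNAME example.com.
mx1.example.com.         1800   IN A     198.51.100.25
mx2.example.com.         1800   IN A     198.51.100.26
ns1.example.com.         1800   IN A     198.51.100.53
ns2.example.com.         1800   IN A     203.0.113.53
intranet.example.com.    1800   IN A     10.20.30.40
_ldap._tcp.example.com.  1800   IN SRV   0 100 389 dc1.example.com.
dc1.example.com.         1800   IN HINFO "Intel-x86" "Windows-Server"
example.com.             1800   IN RP    jdoe.example.com. jdoe.example.com.
example.com.             1800   IN TXT   "contact: noc +1 555 0100"
"""

# Records whose only effect is to tell an outsider about people or platforms.
INFORMATIONAL_TYPES = {"HINFO", "RP", "TXT"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private (RFC 1918) addresses, which have no business in a public zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_records(text):
    """Parse zone lines into dicts; rdata keeps its internal spaces and quotes."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"name": name.rstrip(".").lower(), "ttl": int(ttl),
                        "class": rclass, "type": rtype.upper(), "rdata": rdata})
    return records


def key_hosts(records):
    """Map every NS, MX and SRV target to its A record (None if none is published)."""
    targets = set()
    for r in records:
        if r["type"] == "NS":
            targets.add(r["rdata"].rstrip(".").lower())
        elif r["type"] == "MX":
            targets.add(r["rdata"].split()[1].rstrip(".").lower())
        elif r["type"] == "SRV":
            targets.add(r["rdata"].split()[3].rstrip(".").lower())
    addresses = {r["name"]: r["rdata"] for r in records if r["type"] == "A"}
    return {host: addresses.get(host) for host in sorted(targets)}


def summarize_exposure(records):
    """Report what the zone tells an attacker: mail and name servers, advertised
    services, private addresses leaked into a public zone, informational records."""
    summary = {"name_servers": [], "mail_servers": [], "services": [],
               "internal_addresses": [], "info_records": []}
    for r in records:
        if r["type"] == "NS":
            summary["name_servers"].append(r["rdata"].rstrip("."))
        elif r["type"] == "MX":
            pref, host = r["rdata"].split()
            summary["mail_servers"].append((int(pref), host.rstrip(".")))
        elif r["type"] == "SRV":
            _prio, _weight, port, target = r["rdata"].split()
            summary["services"].append((r["name"], int(port), target.rstrip(".")))
        elif r["type"] == "A" and is_rfc1918(r["rdata"]):
            summary["internal_addresses"].append((r["name"], r["rdata"]))
        elif r["type"] in INFORMATIONAL_TYPES:
            summary["info_records"].append((r["name"], r["type"], r["rdata"]))
    summary["mail_servers"].sort()
    return summary


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(key_hosts(recs))
    print(summarize_exposure(recs))
```

The same report doubles as an audit of your own external zone: anything listed under internal_addresses or info_records is data the organization chose to publish and can remove.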


Reconnaissance Attacks: Network Information Extraction using Nmap Scan

An attacker uses Nmap to extract information such as live hosts on the network, services
(application name and version), type of packet filters/firewalls, operating systems and OS
versions.

[The slide shows two Zenmap windows running the "Intense scan, all TCP ports" profile against
192.168.0.89:

Command: nmap -p 1-65535 -T4 -A -v 192.168.0.89

The output walks through the ARP ping scan, parallel DNS resolution and SYN stealth scan phases,
reports "Not shown: 65523 closed ports", and then lists the open ports found: 21/tcp
(tcpwrapped), 80/tcp http "Microsoft HTTPAPI httpd 2.0" (with the http-methods script flagging
TRACE as potentially risky), 135/tcp msrpc, 139/tcp and 445/tcp (NetBIOS/SMB), and several
494xx/tcp Microsoft Windows RPC ports. It also shows the MAC address vendor (Microsoft) and a
TCP/IP fingerprint with no exact OS match.]

http://nmap.org


Nmap is a network discovery and security-auditing tool and is one of the most popular tools
attackers use for network discovery. An attacker mostly uses the Nmap utility to extract all the
necessary information from the target.

Attackers use Nmap to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics.
Network administrators also find this tool useful for security auditing tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime.

Source: http://nmap.org
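Nmap's -oX option writes the same results as XML, which is how a defender turns a scan into the network inventory mentioned above. The following added Python example (not part of the courseware, and using a constructed XML document modeled on the slide's result rather than real output) parses that XML into a host inventory and flags services that should not be exposed, such as FTP and NetBIOS/SMB. The risky-service list, the MAC address and the OS match are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (-oX) modeled on the slide's scan result. The MAC
# address, OS match and the second (down) host are placeholders.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p 1-65535 -T4 -A -v -oX scan.xml 192.168.0.89-90" version="6.40">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.0.89" addrtype="ipv4"/>
    <address addr="00:15:5D:00:00:02" addrtype="mac" vendor="Microsoft"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" method="table" conf="3"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Microsoft HTTPAPI httpd" version="2.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn" method="table" conf="3"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="tcp" portid="49408"><state state="open" reason="syn-ack"/><service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2012" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.90" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services a defender would not want reachable from the scanning position
# (assumed policy for the example).
RISKY_SERVICES = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials",
    "netbios-ssn": "legacy NetBIOS/SMB exposed",
    "microsoft-ds": "SMB exposed",
}


def parse_nmap_xml(xml_text):
    """Return one dict per host that answered, with its open ports and banners."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "os": None, "ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"], entry["vendor"] = addr.get("addr"), addr.get("vendor")
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            entry["os"] = (osmatch.get("name"), int(osmatch.get("accuracy")))
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for an inventory
            svc = port.find("service")
            banner = None
            if svc is not None:
                banner = " ".join(filter(None, (svc.get("product"), svc.get("version")))) or None
            entry["ports"].append({"port": int(port.get("portid")),
                                   "proto": port.get("protocol"),
                                   "service": svc.get("name") if svc is not None else None,
                                   "product": banner})
        hosts.append(entry)
    return hosts


def flag_risky_services(hosts):
    """Return (ip, port, service, reason) for each open port on the risky list."""
    findings = []
    for host in hosts:
        for p in host["ports"]:
            reason = RISKY_SERVICES.get(p["service"])
            if reason:
                findings.append((host["ip"], p["port"], p["service"], reason))
    return findings


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_XML)
    for host in inventory:
        print(host["ip"], host["vendor"], host["os"], [p["port"] for p in host["ports"]])
    for finding in flag_risky_services(inventory):
        print("RISK:", finding)
```

Running the same scan on a schedule and diffing successive inventories is how the "network inventory" and "service upgrade" uses cited from nmap.org are put into practice: a port that appears between two runs is a change someone should be able to account for.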


Reconnaissance Attacks: Port Scanning
Attackers may use various techniques to find open ports on the target. Attackers use NMAP to
perform port scanning.

[The slide shows two Zenmap screenshots against 192.168.0.97: a TCP Connect / Full Open Scan,
and an Xmas Scan run with

Command: nmap -sX -v 192.168.0.97

whose output reports "All 1000 scanned ports on 192.168.0.97 are open|filtered" and the target's
MAC address vendor (Dell). An Xmas scan cannot tell an open port from a filtered one when no
response comes back, which is why Nmap reports the combined open|filtered state.]

TCP Connect / Full Open Scan                                  Xmas Scan


Port scanning is the process of determining which services are running on the target computer by
sending a sequence of probe packets to its ports and observing the responses. Port scanning
involves connecting to or probing TCP and UDP ports on the target system to determine whether a
service is running or in a listening state. A listening service provides information about the
operating system and the application currently in use. Sometimes, active services that are
listening allow unauthorized users access to misconfigured systems or to software running with
vulnerabilities. Port scanning techniques help to identify and list all the open ports on a
targeted server or host.

Attackers use various port scanning tools such as NMAP, NetScanTools Pro, SuperScan and PRTG
Network Monitor to detect open ports on the target. These tools help an attacker probe a server
or host on the target network for open ports. Every open port exposes a listening service to the
network, and a vulnerable or misconfigured service behind an open port is a doorway through which
malware and attackers get onto a system.
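The following added Python example (not part of the courseware) shows how a defender tells the scans on the slide apart in captured traffic. It classifies TCP probes by their flag combinations (SYN-only for a SYN or connect scan, FIN+PSH+URG for an Xmas scan, no flags for a NULL scan, FIN-only for a FIN scan) and alerts on a source that touches many distinct ports on one host in a short window. The packet records, addresses and thresholds are constructed for the example; a real sensor would feed it flow or packet logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP flag letters as tcpdump abbreviates them; "-" in a record means no flags set.
FLAG_TECHNIQUES = {
    frozenset("S"): "syn",     # SYN only: half-open (-sS) or first leg of a connect scan (-sT)
    frozenset("FPU"): "xmas",  # FIN+PSH+URG: Xmas scan (-sX)
    frozenset(): "null",       # no flags: NULL scan (-sN)
    frozenset("F"): "fin",     # FIN only: FIN scan (-sF)
}
# Flag combinations no legitimate TCP stack emits; one packet is enough to alert.
MALFORMED = {"xmas", "null", "fin"}


def classify_flags(flags):
    """Map a flag string ("S", "FPU", "-", "SA", ...) to the scan technique it matches."""
    return FLAG_TECHNIQUES.get(frozenset(flags.replace("-", "")))


def parse_tcp_record(line):
    """Parse one constructed record "timestamp src dst dport flags"."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def detect_port_scans(lines, window_seconds=30, min_ports=15):
    """Return alerts for (src, dst) pairs whose probes look like a port scan.

    Malformed probes (Xmas/NULL/FIN) alert immediately. SYN-only probes are
    indistinguishable from normal connection attempts one at a time, so they
    alert only when one source touches min_ports distinct ports on a host
    within window_seconds.
    """
    window = timedelta(seconds=window_seconds)
    probes = defaultdict(list)
    for rec in map(parse_tcp_record, lines):
        technique = classify_flags(rec["flags"])
        if technique is not None:
            probes[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"], technique))

    alerts = []
    for (src, dst), events in sorted(probes.items()):
        events.sort()
        malformed = {t for _, _, t in events} & MALFORMED
        if malformed:
            alerts.append({"src": src, "dst": dst, "technique": "/".join(sorted(malformed)),
                           "ports": len({p for _, p, _ in events}), "confidence": "high"})
            continue
        best, start = 0, 0
        # Sliding window: most distinct ports probed inside any window-long interval.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({p for _, p, _ in events[start:end + 1]}))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "technique": "syn",
                           "ports": best, "confidence": "medium"})
    return alerts


def build_sample_log():
    """Constructed packet records (not real traffic) covering three cases."""
    base = datetime(2014, 2, 24, 10, 45, 0)
    lines = []
    # 1) SYN scan: one source probes 20 ports on one host within three seconds.
    for i, port in enumerate(range(1, 21)):
        ts = base + timedelta(milliseconds=150 * i)
        lines.append(f"{ts.isoformat()} 192.168.0.5 192.168.0.97 {port} S")
    # 2) Xmas scan: three FIN+PSH+URG probes.
    for i, port in enumerate((22, 80, 443)):
        ts = base + timedelta(seconds=5 + i)
        lines.append(f"{ts.isoformat()} 192.168.0.6 192.168.0.97 {port} FPU")
    # 3) Normal browsing: handshakes to two ports on a web server.
    ts = base + timedelta(seconds=9)
    for port, flags in ((80, "S"), (80, "A"), (80, "PA"), (443, "S"), (443, "A"), (443, "PA")):
        lines.append(f"{ts.isoformat()} 192.168.0.50 192.168.0.89 {port} {flags}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The two confidence levels reflect the difference between the scan types: an Xmas or NULL probe is never legitimate traffic, whereas a SYN scan is only visible as a volume anomaly, so the min_ports threshold has to be tuned against the normal connection fan-out on the monitored segment.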


Reconnaissance Attacks: Social Engineering Attacks

• Social engineering is the human side of breaking into a corporate network
• Social engineering is a non-technical intrusion that relies heavily on human interaction
• It involves tricking other people into breaking normal security procedures
• Organizations are vulnerable to social engineering attacks even after implementing various technical network security measures
• Social engineering attacks occur at two levels: physical and psychological

Copyright© by EC-Coaacil. All Rights Reserved. Reproduction is Strictly Prohibited.

Social engineering is the art and science of convincing (tricking) people to provide personal or
business information. This is one way an intruder chooses to step into an organization.
Intruders gain unauthorized access through developing trust relationships with employees.

Social engineering refers to the method of influencing and persuading people to reveal
sensitive information in order to perform some malicious action. With the help of social
engineering tricks, attackers can obtain confidential information, authorization details, and
access details of people by deceiving and manipulating them. They can find out which people are
on vacation or about to go on vacation, where they work and what security measures are in
place, or simply listen to employees talk about their work day.

Attackers can easily breach the security of an organization using social engineering tricks. All
security measures adopted by the organization are in vain when employees get "social
engineered" by strangers. Some examples of social engineering include unwittingly answering
the questions of strangers, replying to spam email, and bragging in front of co-workers. Even
answering questions on a phone call can lead to social engineering. Employees must be trained
properly to recognize these tricks and taught how to counter them when necessary.
Prior to performing a social engineering attack, an attacker gathers information about the
target organization from various sources such as:

• Official websites of the target organization, where they reveal employee IDs, names, and
email addresses.


• Advertisements placed by the target organization in print media, such as job postings for
high-tech workers trained in Oracle databases or UNIX servers.

• Blogs, forums, etc. in which employees reveal basic personal and organizational
information.
After gathering enough information about the target organization, an attacker tries to perform
a social engineering attack through various approaches such as impersonation, piggybacking,
tailgating, reverse social engineering, and so on.

Despite having security policies in place, attackers can compromise an organization's sensitive
information by means of social engineering as it targets the weakness of people.
Social engineering attacks are classified into two types. They are either human-based or
computer-based. In human-based attacks, the physical presence of intruders is required to
extract personal information from the targeted people. In computer-based attacks, intruders
extract the user's credentials remotely by operating on other systems.


• An attacker tries to exploit weaknesses to hack well chosen passwords
• Using common passwords will make a system or application vulnerable to cracking attacks. The most common passwords used are: password, pa$$w0rd, root, administrator, admin, Test, guest, qwerty or personal information such as name, birthday, names of children etc.
• An attacker targets routers and servers mainly
• Attackers use various techniques such as brute-force, social engineering, spoofing, phishing, malware, sniffing and keylogging to acquire passwords
• Attackers start with cracking passwords and tricking the network device to believe they are valid users

Password attacks are performed to gain unauthorized access or to get control over a target
computer system. Attackers perform password attacks to steal secrets, make slight
modifications to websites, steal credit card details, get privileges, etc. Generally, passwords are
used to authenticate users with a system. Attackers try to gain these user passwords with
different techniques and authenticate with the system to enjoy the privileges the normal user
has. Attackers perform different techniques to crack the passwords of servers and routers and
get access to the targeted resource.


Password Attack Techniques

• Dictionary Attack: A dictionary file is loaded into the cracking application that runs against user accounts
• Brute Forcing Attacks: The program tries every combination of characters until the password is broken
• Hybrid Attack: It works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password
• Birthday Attack: It attacks cryptographic hash functions based on the probability that if a hashing process is used for creating a key then the same is used for other keys
• Rainbow Table Attack: It attacks rainbow tables that store precomputed hash values in plaintext

An attacker may use different types of techniques to crack passwords. Those are:

Dictionary Attack
The dictionary attack is an attempt to crack a user's password by making a guess. Attackers can
guess passwords using a manual or an automated approach. This attack tries to match the most
occurring words or commonly used words in day to day life. The most common passwords
found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, date of
birth, children names, addresses and hobbies.
Most users create passwords with the names of birds, famous names and places, etc. These
types of passwords are detected by dictionary attacks. Attackers prepare a dictionary of the
most commonly used words that are likely to be used as a password and use all the possible
entries to break the password. Dictionary attacks are relatively faster than brute force attacks.
Most networks are not configured with lengthy and complex passwords. So it is easy for
attackers to guess weak passwords and gain access to a network. Passwords that are not case
sensitive are easily guessed by attackers. For example, LAN manager authentication is case
insensitive. So the attacker doesn't need to consider whether the password is uppercase or
lowercase. There are many tools that automate the process instead of typing password after
password.


Brute Forcing Attack


In brute force password cracking, a large number of guesses are performed in order to
successfully gain a password of the target system. It involves checking all combinations of
characters until the correct password is found. Brute-force attacks are best suitable for gaining
passwords which are small or not very complex. If there is a long and complex password, the
dictionary attack is faster than the brute-force attack. This is due to the time lag taken by the
brute-force attack to gain the correct combination for the password. Brute-force attacks are
time and resource consuming. The effectiveness of the brute-force attack depends on the
password being cracked.

Hybrid Attack
It works like a dictionary attack, but adds numbers and symbols to the words and tries to crack
the password. These attacks generalize common things people do to make their passwords
hard to guess. The hybrid attacking tool starts guessing a dictionary term and creates other
guesses by appending or prepending the characters to the dictionary term. It appends or
prepends with dates, numbers, alphanumeric characters, etc., to break the password.

Birthday Attack
Birthday attacks exploit the mathematics behind a class of cryptographic hash functions. The
birthday attack falls under the section of brute-force attacks. The logic of a birthday attack
depends on the birthday problem, which is explained as follows: a probability problem that states
that if there are 23 people in a room, the probability of at least two people having the same date of
birth is more than 0.5. Attackers try to get the birth date of the target employee to crack the
password, because some users create passwords with their birth date. Attackers use
different methodologies such as probability analysis to get birth dates.

Similarly, in a birthday attack, two different input values applied to a hash function are likely
to produce the same hash value (a collision). The attack depends on the number of collisions
that can occur when applying different values to a hash function.
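The birthday problem quoted above, worked through in code as an added example (not from the courseware): the 23-person probability, and the same calculation applied to a b-bit hash, where the number of "days" becomes the 2^b possible digests.

```python
"""Birthday-problem arithmetic behind the birthday attack.

Added illustrative example (not from the CND courseware). It computes the
probability the text quotes (23 people, >0.5) and the same bound for hash
digests, where "days" become the 2^bits possible outputs.
"""
import math


def collision_probability(n, d):
    """Probability that at least two of n samples drawn uniformly from d
    values coincide: 1 - prod_{i=0}^{n-1} (d - i) / d."""
    if n > d:
        return 1.0          # pigeonhole: more samples than values
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (d - i) / d
    return 1.0 - p_distinct


def people_needed(target=0.5, days=365):
    """Smallest group size whose shared-birthday probability exceeds target."""
    n = 1
    while collision_probability(n, days) <= target:
        n += 1
    return n


def samples_for_half_chance(bits):
    """Approximate number of random digests of the given size needed before
    a collision is more likely than not: sqrt(2 * ln 2 * 2^bits).
    This is why a b-bit hash offers only about b/2 bits of collision resistance."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {collision_probability(23, 365):.4f}")
    print(f"group size for P > 0.5: {people_needed()}")
    for b in (32, 64, 128, 256):
        print(f"{b:>3}-bit hash: ~{samples_for_half_chance(b):.3g} digests for a 50% collision")
```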

Rainbow Table Attack


A rainbow table is a huge set of hashes that are pre-matched to possible plaintext passwords.
Rainbow tables are used by password cracking software to breach network security. All
computer systems that require authentication store user accounts and passwords in the
database in encrypted form. If the attacker gains access to the password database, password
cracking software compares the rainbow table's list of hashes with the hashed passwords in the
database. The rainbow table's mapping of plaintext passwords to hashes is exploited by attackers
to access the network as a valid user.
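The defender's counter to precomputed tables is a per-user salt. As an added example (not from the courseware), the block below builds a miniature hash-to-plaintext table for a constructed word list and shows that it recovers an unsalted record but not a salted one; SHA-256, the word list and the records are stand-ins chosen for the demo.

```python
"""Why a precomputed hash table stops working once passwords are salted.

Added illustrative example (not from the CND courseware). The word list,
user records and salts are constructed for the demo; SHA-256 stands in for
whatever unsalted hash a lookup table would be built for.
"""
import hashlib
import os

# Constructed word list, in the spirit of the common passwords the text lists.
WORDLIST = ["password", "root", "administrator", "admin", "demo", "test",
            "guest", "qwerty", "letmein", "welcome1"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext for every word. A rainbow table trades
    this table's space for recomputation, but a salt defeats both alike."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password, salt):
    """Per-user random salt mixed into the hash: same password, different digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def recover_with_table(stored_hash, table):
    """Return the plaintext if the stored hash appears in the precomputed table."""
    return table.get(stored_hash)


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted record: the table yields the plaintext instantly.
    unsalted_record = unsalted_hash("qwerty")
    hit = recover_with_table(unsalted_record, table)

    # Salted record for the same password: the digest matches nothing in
    # the table, so the precomputation is wasted.
    salt = os.urandom(16)
    salted_record = salted_hash("qwerty", salt)
    miss = recover_with_table(salted_record, table)

    # The legitimate login path still verifies, because the server stores
    # the salt next to the hash and recomputes with it.
    verifies = salted_hash("qwerty", salt) == salted_record
    return hit, miss, verifies


if __name__ == "__main__":
    print(demo())
```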


Access Attacks:
Network Sniffing

• Sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools
• Attackers use various sniffing utilities to sniff network traffic in order to gain sensitive information
• Organizations often leave their switch ports open
• Anyone in the same physical location can plug into the network using an Ethernet cable

[Figure: kinds of data exposed to a sniffer: Telnet passwords, email traffic, router configuration, web traffic]

Sniffing involves capturing, decoding, inspecting and interpreting the information inside a
packet on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords,
network details, credit card numbers, etc. Sniffing is generally referred to as a "passive" type of
attack, where the attacker can be silent/invisible on the network. This makes it difficult to
detect, and it is a dangerous type of attack. The TCP/IP packet contains vital information
required for two network interfaces to communicate with each other. It contains fields such as
source and destination IP addresses ports, sequence numbers and the protocol type.
There are three ways to sniff a network:

Internal sniff
A person (who may be an employee of the firm) who is already hooked up to the internal LAN
can run tools to directly capture network traffic.

External sniff
A hacker outside the target network can intercept packets at the firewall level and steal the
information.

Wireless sniff
Regardless of where the hackers are located on the network being sniffed, wide usage of
wireless networks has made it easy to sit near the network and penetrate it to get information.
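The header fields listed above are exactly what a sniffer decodes from each captured packet. As an added example (not from the courseware), the decoder below unpacks the IPv4 and TCP headers of a packet that the same block constructs with struct; the addresses, ports and sequence number are made up.

```python
"""Decode the IPv4 and TCP header fields a sniffer extracts from a captured packet.

Added illustrative example (not from the CND courseware). The packet bytes are
constructed here with struct so the decoder can run offline; a real capture
would come from a raw socket or a pcap file.
"""
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIHHHH"        # sport, dport, seq, ack, offset/flags, window, csum, urgent
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags field


def build_sample_packet():
    """Constructed IPv4/TCP packet: 10.0.0.5:51000 -> 10.0.0.10:23 with SYN set."""
    payload = b""
    total_len = 20 + 20 + len(payload)
    ver_ihl = (4 << 4) | 5                      # IPv4, 5 x 32-bit words of header
    ip_hdr = struct.pack(IPV4_HDR, ver_ihl, 0, total_len, 0x1234, 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 10]))
    data_offset_flags = (5 << 12) | 0x02       # 5-word TCP header, SYN flag
    tcp_hdr = struct.pack(TCP_HDR, 51000, 23, 1000, 0, data_offset_flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def decode_ipv4_tcp(packet):
    """Return the sniffer-relevant fields from a raw IPv4 packet carrying TCP."""
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    info = {
        "src_ip": ".".join(map(str, src)),
        "dst_ip": ".".join(map(str, dst)),
        "protocol": proto,
        "ttl": ttl,
    }
    if proto != 6:               # only TCP (protocol 6) is decoded further
        return info
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = \
        struct.unpack(TCP_HDR, packet[ihl:ihl + 20])
    tcp_hlen = (off_flags >> 12) * 4
    flags = [name for i, name in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
    info.update({
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flags, "payload": packet[ihl + tcp_hlen:],
    })
    return info


if __name__ == "__main__":
    print(decode_ipv4_tcp(build_sample_packet()))
```

With a cleartext protocol such as Telnet (port 23 here) the payload slice is the typed session itself, which is why the figure lists Telnet passwords first.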


Access Attacks:
Man-in-the-Middle Attack

• In this attack, the intruder sets up a station in between the client and server communication system to intercept messages being exchanged
• Attackers use different techniques to split the TCP connection into two connections:
  1. Client-to-attacker connection
  2. Attacker-to-server connection
• Interception of the TCP connection allows an attacker to read, modify, and insert fraudulent data into the intercepted communication
• In the case of an HTTP transaction, the TCP connection between the client and the server becomes the target

[Figure: the victim's connection to the server passes through the attacker's MITM connection]

A man-in-the-middle attack (also known as MiTM) is a type of attack in which attackers intrude
into an existing connection between two systems to intercept the messages being exchanged
and to inject fraudulent information. It involves snooping on a connection, intruding into a
connection, intercepting messages, and modifying the data. It is basically a type of
eavesdropping attack where communication between two parties is monitored or modified by
a third unauthorized party. With the help of a MiTM attack, an attacker can exploit the real-
time processing of transactions, conversations or transfer of other data. MiTM is a form of a
session hijacking attack.

Communication susceptible to MiTM attacks:

• Login functionality
• Unencrypted
• Financial sites


MiTM attack is often found in telnet and wireless technologies. It is not easy to implement such
attacks due to the TCP sequence numbers and speed. This method is relatively hard to
perpetrate and can be broken sometimes by invalidating the traffic.


Access Attacks:
Replay Attack

• A replay attack is an extension of the man in the middle attack that occurs after a two-way communication is intercepted
• An attacker captures the data to obtain usernames and passwords
• Packets and authentication tokens are captured using a sniffer
• After the relevant info is extracted, the tokens are placed back on the network to gain access

[Figure: a user visits a website (normal traffic to the web server); the attacker sniffs the communication to steal session IDs, then presents the captured session ID to the web server to access the site]

The replay attack is an extension of the MiTM attack in which the attacker replays the
information gained from the communication between two parties. The attacker gains the token
used for validating the users accessing the webserver by eavesdropping, and later replays the
token to the server after modifications or deletions, thereby gaining access to the session. The
attacker then sends the server response to the user.
In the replay attack, the attacker eavesdrops on confidential information such as credentials,
a session ID or any key that the attacker can later use with the receiver under the pretext of
being the sender. It is one form of a MiTM attack.
For example, suppose user A sends a secret key to user B as a part of an identity verification.
Then attacker C performs eavesdropping and gains the required information. Attacker C can
later use this secret key to send information to user B in the pretext of user A. Then user B
accepts the message as it is properly encrypted.
To perform the replay attack, the attacker needs to get an intermediary control between the
sender and the receiver or achieve an access to the local machine of the sender. Packets are
captured using a sniffer. After the relevant information is extracted, the packets are placed
back on the network.
There are many ways to prevent the occurrences of any replay attack. The sender and the
receiver can use one-time passwords that expire after a certain period of time. The receiver can
validate the sender by matching the password provided by the sender. Even when the attacker
gets the one-time password and initiates a connection with the receiver, the receiver might


send another one-time password different from what the attacker gathered. The attacker sends
the one-time password previously gathered, and it does not match the password sent by the
receiver. Timestamping is another method used to avoid replay attacks. Users can ignore
messages sent a very long time ago.

[Figure: original connection between the victim and the web server; the attacker sniffs the traffic and inserts a MITM / replay connection]

FIGURE 2.2: Replay Attack
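The two defences described above, a freshness window (timestamping) and a token accepted only once, as an added example that is not part of the courseware. The receiver also verifies an HMAC over the message so a captured token cannot be altered before replay; the key, messages and clock values are constructed.

```python
"""Reject replayed messages with a timestamp window and a one-time nonce.

Added illustrative example (not from the CND courseware). It shows the two
defences the text describes: a freshness window (timestamping) and a token
that is accepted only once. Keys, messages and clock values are constructed.
"""
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"   # pre-shared between sender and receiver


def sign(key, timestamp, nonce, body):
    """HMAC over timestamp|nonce|body so none of them can be altered in transit."""
    msg = f"{timestamp}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(key, body, now):
    """Sender side: fresh random nonce, current time, and a MAC binding them."""
    nonce = secrets.token_hex(8)
    return {"ts": now, "nonce": nonce, "body": body,
            "mac": sign(key, now, nonce, body)}


class Receiver:
    def __init__(self, key, max_age=30):
        self.key = key
        self.max_age = max_age         # seconds a message stays acceptable
        self.seen_nonces = set()       # nonces already consumed

    def accept(self, msg, now):
        """Return (accepted, reason); tampered, stale and replayed messages are refused."""
        expected = sign(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad MAC"
        if abs(now - msg["ts"]) > self.max_age:
            return False, "stale timestamp"
        if msg["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


def demo():
    rx = Receiver(SHARED_KEY)
    m = make_message(SHARED_KEY, "transfer 100 to account 42", now=1000)
    first = rx.accept(m, now=1005)           # fresh: accepted
    replay = rx.accept(m, now=1010)          # same message again: nonce already used
    late = make_message(SHARED_KEY, "login", now=1000)
    stale = rx.accept(late, now=1100)        # outside the freshness window
    tampered = dict(m, body="transfer 900 to account 42")
    forged = rx.accept(tampered, now=1005)   # MAC no longer matches the body
    return first, replay, stale, forged


if __name__ == "__main__":
    print(demo())
```

In production the seen-nonce set only needs to remember nonces younger than max_age, since anything older is already rejected by the timestamp check.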


Access Attacks:
Privilege Escalation

• An attacker can gain access to a network using a non-admin user account leading to gaining administrative privileges
• An attacker performs a privilege escalation attack which takes advantage of design flaws, programming errors, bugs, and configuration oversights in the OS and software application to gain administrative access to the network and its associated applications
• These privileges allow an attacker to view private information, delete files, or install malicious programs such as viruses, Trojans, worms, etc.

Types of Privilege Escalation

Vertical Privilege Escalation
• Grant higher privileges or higher level of access
• Kernel level operations that permit unauthorized code to run

Horizontal Privilege Escalation
• Use the same privileges or level of access while assuming the identity of another user

[Figure: attacker and user; the attacker says "I can access the network using John's user account but I need 'Admin' privileges"]

In a privilege escalation attack, the attacker gains access to the network and the associated
data and applications by taking advantage of defects in the design, software application, poorly
configured operating systems, etc. Once an attacker has gained access to a remote system with
a valid user name and password, they will attempt to increase their privileges. The attacker
uses a method of escalating the user account to one with increased privileges, such as
administrator privileges.

An attacker does privilege escalation to perform unauthorized access and privileged operation
on the network or system. An admin account can access more and do more in a network than a
regular user. Basically, privilege escalation takes place in two forms. There is vertical privilege
escalation and horizontal privilege escalation.

Horizontal Privilege Escalation


In horizontal privilege escalation, the unauthorized user tries to access the resources, functions,
and other privileges that belong to the authorized user who has similar access permissions. For
instance, online banking user A can easily access user B's bank account.

Vertical Privilege Escalation


In vertical privilege escalation, the unauthorized user tries to gain access to the resources and
functions of the user with higher privileges, such as application or site administrators. For
example, someone performing online banking can access the site with administrative functions.
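The banking scenarios above come down to two missing server-side checks. As an added example (not from the courseware), the block below shows an unchecked account view that permits the horizontal case, the hardened ownership check, and a role check that blocks the vertical case; users, roles and accounts are constructed.

```python
"""Ownership and role checks that block horizontal and vertical escalation.

Added illustrative example (not from the CND courseware), modelled on the
banking scenario in the text. The users, roles and account data are
constructed; a real application would load them from its datastore.
"""


class Forbidden(Exception):
    pass


# Constructed users and accounts: "role" drives vertical checks, "owner" horizontal ones.
USERS = {
    "alice": {"role": "customer"},
    "bob":   {"role": "customer"},
    "carol": {"role": "admin"},
}
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 500},
    1002: {"owner": "bob",   "balance": 1200},
}


def view_account_unchecked(_user, account_id):
    """Vulnerable version: any logged-in user can read any account by id
    (horizontal escalation: user A reads user B's account)."""
    return ACCOUNTS[account_id]["balance"]


def view_account(user, account_id):
    """Hardened: the caller must own the account or hold the admin role."""
    account = ACCOUNTS[account_id]
    if account["owner"] != user and USERS[user]["role"] != "admin":
        raise Forbidden(f"{user} may not view account {account_id}")
    return account["balance"]


def freeze_account(user, account_id):
    """Administrative function: requires the admin role (vertical check),
    not merely a valid login."""
    if USERS[user]["role"] != "admin":
        raise Forbidden(f"{user} is not an administrator")
    ACCOUNTS[account_id]["frozen"] = True
    return True


def try_access(fn, user, account_id):
    """Return True if the call is allowed, False if it raises Forbidden."""
    try:
        fn(user, account_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("unchecked, alice reads bob:", view_account_unchecked("alice", 1002))
    print("checked, alice reads bob:", try_access(view_account, "alice", 1002))
    print("bob freezes an account:", try_access(freeze_account, "bob", 1002))
```

The key point for reviewers is that both checks are enforced on the server from the authenticated identity, never from an account id or role the client supplies.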


• DNS (Domain Name Server) poisoning is the unauthorized manipulation of IP addresses in the domain naming server cache
• The DNS holds domain name translations of the IP addresses for network devices
• A corrupted DNS redirects a user request to a malicious website to perform illegal activities
• If a victim types www.google.com, the request is redirected to fake website www.goggle.com

[Figure: a user's lookup for Google through a poisoned DNS cache is answered with the address of malicious servers instead of the Google servers]

DNS poisoning is a process in which the user is misdirected to a fake website by providing fake
data to the DNS server. The website looks similar to the genuine site, but it is controlled by the
attacker. It is also called a DNS spoofing attack in which the attacker tries to redirect the victim
to a malicious server instead of the legitimate server. The attacker performs this type of attack
by manipulating the DNS table entries in the DNS system. Suppose the victim wants to access
the website 123.com, the attacker manipulates the entries in the DNS table in such a way that
the victim is being redirected to the attacker's server instead. This can be done by changing the
IP address of 123.com to the attacker's malicious server IP address. The victim connects to the
attacker's server without their knowledge. Once the victim connects to the attacker's server,
the attacker can compromise the victim's system and steal data.


Access Attacks:
DNS Cache Poisoning

• DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site
• If the DNS resolver cannot validate that the DNS responses are coming from an authoritative source, it will cache the forged DNS entries locally and serve this forged DNS to users when someone makes the same DNS request

[Figure: a user asks the internal DNS server for the IP address of www.xsecurity.com; the attacker's rogue DNS sends a DNS response with the IP of a fake website before the authoritative server for xsecurity.com answers; the internal DNS cache is updated with the IP of the fake website and the user is redirected to it]

The DNS system uses cache memory to hold the recently resolved domain names. It is
populated with recently used domain names and respective IP address entries. When the user
request is received, the DNS resolver first checks the DNS cache; if the domain name that the
user requested is found in the cache, then the resolver sends its respective IP address quickly,
reducing the traffic and time needed for DNS resolution.
Attackers target the DNS cache and make changes or add entries to it. The attacker replaces the
user-requested IP address with the fake IP address. Then, when the user requests the domain
name, the DNS resolver checks the entry in the DNS cache and picks the matched (poisoned)
entry. The victim is redirected to the attacker's fake server instead of the authorized server.
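The validation the slide describes, as an added example (not code from the courseware) that also covers the DNS poisoning page before it: a resolver cache that stores an answer only when it matches an outstanding query and arrives from the server that query was sent to. Names, addresses and transaction ids are constructed.

```python
"""A resolver cache that only accepts answers it actually asked for.

Added illustrative example (not from the CND courseware). It models the
check the text describes: a response that cannot be matched to an outstanding
query sent to the expected server is never cached. Names, addresses and
transaction ids are constructed.
"""
import secrets


class ResolverCache:
    def __init__(self, upstream):
        self.upstream = upstream      # address of the server we send queries to
        self.pending = {}             # txid -> qname for queries still in flight
        self.cache = {}               # qname -> (ip, expires_at)

    def lookup(self, qname, now):
        """Return a cached answer, or None after registering an outstanding query."""
        hit = self.cache.get(qname)
        if hit and hit[1] > now:
            return hit[0]
        txid = secrets.randbelow(1 << 16)   # random 16-bit id per query
        self.pending[txid] = qname
        return None

    def receive(self, response, now):
        """Cache a response only if it matches an outstanding query and comes
        from the expected server; return True when it was accepted."""
        if response["from"] != self.upstream:
            return False                    # not the server we asked
        qname = self.pending.get(response["txid"])
        if qname is None or qname != response["qname"]:
            return False                    # unsolicited or mismatched answer
        del self.pending[response["txid"]]
        self.cache[qname] = (response["ip"], now + response["ttl"])
        return True


def demo():
    r = ResolverCache(upstream="192.0.2.53")     # constructed upstream address
    r.lookup("www.example.com", now=0)           # cache miss; registers a query
    txid = next(iter(r.pending))

    # Forged answer from the wrong source with an id nobody is waiting on.
    forged = {"from": "203.0.113.9", "txid": 1, "qname": "www.example.com",
              "ip": "203.0.113.99", "ttl": 3600}
    accepted_forged = r.receive(forged, now=1)

    # Right server, but a transaction id that is not outstanding.
    wrong_id = {"from": "192.0.2.53", "txid": (txid + 1) % 65536,
                "qname": "www.example.com", "ip": "203.0.113.99", "ttl": 3600}
    accepted_wrong_id = r.receive(wrong_id, now=1)

    # Genuine answer: server, transaction id and question all match.
    genuine = {"from": "192.0.2.53", "txid": txid, "qname": "www.example.com",
               "ip": "198.51.100.10", "ttl": 3600}
    accepted_genuine = r.receive(genuine, now=1)
    return accepted_forged, accepted_wrong_id, accepted_genuine, r.lookup("www.example.com", now=2)


if __name__ == "__main__":
    print(demo())
```

Real resolvers add source-port randomization to the transaction id check, and DNSSEC validation is what finally lets a resolver prove an answer came from the authoritative source rather than merely from the expected address.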


• Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in the local network
• ARP spoofing/poisoning involves sending a large number of forged entries to the target machine's ARP cache or overloading a switch
• When a user A initiates a session with user B in the same Layer 2 broadcast domain, an ARP request is broadcasted using the user B's IP address and the user A waits for the user B to respond with a MAC address
• Malicious user eavesdrops on this unprotected Layer 2 broadcast domain and can respond to broadcast ARP request and reply to the user A by spoofing the user B's MAC address

[Figure: user A asks "Hey 10.1.1.1 are you there?"; the switch (10.1.1.0) broadcasts the ARP request onto the wire; the legitimate user B responds to the ARP request; the malicious user eavesdrops on the ARP request and responses, spoofs the legitimate user and answers "No, I am 10.1.1.1 and my MAC address is 9:8:7:6:5:4"; information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4]

ARP poisoning is an attack in which the attacker tries to associate their own MAC address with
the victim's IP address so that the traffic meant for that IP address is sent to the attacker. ARP
(Address Resolution Protocol) is a TCP/IP protocol that maps IP network addresses to the
addresses (hardware addresses) used by the data link protocol. Using this protocol, you can
easily get the MAC address of any device within a network. Apart from the switch, the host
machines also use the ARP protocol for getting MAC addresses. ARP is used by the host
machine when a machine wants to send a packet to another device and it has to mention the
destination MAC address in the packet sent. In order to write the destination MAC address in
the packet the host machine should know the MAC address of the destination machine. The
MAC address table (ARP table) is maintained in several places even in the operating system.

ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. If the
machine sends an ARP request, it normally considers that the ARP reply comes from the right
machine. ARP provides no means to verify the authenticity of the responding device. In fact,
many operating systems implement ARP so trustingly that devices that have not made an ARP
request still accept ARP replies from other devices.
An attacker can craft a malicious ARP reply that contains an arbitrary IP and MAC address. Since
the victim's computer blindly accepts the ARP entry into its ARP table, an attacker can force the
victim's computer to think that the IP is related to the MAC address they want. An attacker can
then broadcast their fake ARP reply to the victim's entire network.
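Because hosts accept replies they never asked for, the detection has to happen beside the host. As an added example (not from the courseware), the monitor below walks a constructed stream of ARP records and flags the two symptoms described above: a reply with no matching request, and an IP whose MAC suddenly changes.

```python
"""Spot ARP replies that a host would otherwise accept blindly.

Added illustrative example (not from the CND courseware). It watches a
stream of constructed ARP records and flags two symptoms the text describes:
a reply nobody requested, and an IP whose MAC suddenly changes.
"""

# Constructed ARP traffic on a small segment: (op, sender_ip, sender_mac, target_ip)
SAMPLE_ARP = [
    ("request", "10.1.1.5", "aa:aa:aa:aa:aa:05", "10.1.1.1"),
    ("reply",   "10.1.1.1", "00:11:22:33:44:01", "10.1.1.5"),   # legitimate answer
    ("reply",   "10.1.1.1", "9:8:7:6:5:4",       "10.1.1.5"),   # same IP, different MAC
    ("reply",   "10.1.1.2", "9:8:7:6:5:4",       "10.1.1.7"),   # nobody asked for 10.1.1.2
]


def audit_arp(records):
    """Return ([(index, reason), ...], final IP -> MAC table).

    The table is updated the way a trusting host would update its own ARP
    cache, so the final state shows what the host would believe."""
    table = {}              # IP -> MAC learned from replies
    outstanding = set()     # IPs for which a request was seen but not yet answered
    alerts = []
    for i, (op, sender_ip, sender_mac, target_ip) in enumerate(records):
        if op == "request":
            outstanding.add(target_ip)
            continue
        # A reply whose sender IP was never asked for is unsolicited.
        if sender_ip not in outstanding:
            alerts.append((i, f"unsolicited reply for {sender_ip} from {sender_mac}"))
        else:
            outstanding.discard(sender_ip)
        # A reply that rebinds a known IP to a new MAC is the poisoning signature.
        if sender_ip in table and table[sender_ip] != sender_mac:
            alerts.append((i, f"{sender_ip} changed from {table[sender_ip]} to {sender_mac}"))
        table[sender_ip] = sender_mac
    return alerts, table


if __name__ == "__main__":
    found, final_table = audit_arp(SAMPLE_ARP)
    for idx, reason in found:
        print(f"record {idx}: {reason}")
    print("host's ARP cache would now hold:", final_table)
```

Static ARP entries for gateways and Dynamic ARP Inspection on managed switches stop the cache from changing in the first place; a monitor like this one is the detective control for segments where that is not deployed.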


Access Attacks:
DHCP Starvation Attacks

• Dynamic Host Configuration Protocol (DHCP) is a configuration protocol that assigns valid IP addresses to the host systems out of a pre-assigned DHCP pool
• DHCP starvation attack is a process of inundating DHCP servers with fake DHCP requests and using all the available IP addresses
• This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests
• New clients cannot get access to the network, resulting in a DHCP starvation attack

[Figure: DHCP scope 10.10.10.1 through 10.10.10.254; the attacker sends many different DHCP requests with many source MACs, the DHCP server runs out of IP addresses to allocate to valid users, and the legitimate user is unable to get a valid IP address]

In a DHCP starvation attack, an attacker floods the DHCP server with a large number of DHCP
requests, each carrying a different (spoofed) client hardware address, until every address in the
server's pool has been leased. The server can then issue no more addresses, so legitimate clients
cannot obtain or renew a lease and lose access to the network: the result is a denial of service
(DoS).

The attack resembles a SYN flood in that a cheap, continuous stream of forged requests exhausts a
finite server resource; here the resource is the address pool rather than the connection table.
The attacker keeps broadcasting fake DHCPDISCOVER and DHCPREQUEST messages until the pool is
empty. Once legitimate clients can no longer get an address, the attacker can additionally start a
rogue DHCP server and answer their requests, handing out a malicious default gateway or DNS server
(see the DHCP spoofing attack below). Tools such as Gobbler automate the flood of requests with
spoofed MAC addresses.

Two switch features mitigate the attack. Port security limits the number of MAC addresses that may
be learned on a port, so a flood of frames with many different source MACs triggers a violation
and the port is shut down; only the permitted MAC addresses can forward packets. Port security
alone is not sufficient, however: an attacker can keep a single source MAC in the Ethernet frame
and vary only the client hardware address (chaddr) inside the DHCP message. DHCP snooping closes
that gap. It classifies ports as trusted (the uplink toward the legitimate DHCP server) or
untrusted (everything else), drops DHCP server messages that arrive on untrusted ports, can verify
that the chaddr in a client message matches the frame's source MAC, and rate-limits DHCP messages
per untrusted port. On Cisco Catalyst switches these are the ip dhcp snooping, ip dhcp snooping
verify mac-address and ip dhcp snooping limit rate features.

Module 02 Page 139 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Security Threats, Vulnerabilities, and Attacks

Access Attacks:
DHCP Spoofing Attack
■ DHCP servers assign IP addresses to the clients dynamically
■ An attacker places a rogue DHCP server between the client and the real DHCP server
■ Whenever a client sends a request, the attacker's rogue server intercepts the communication and acts as a valid
server by replying with fake IP addresses

Figure: the DHCP exchange when a rogue server answers first:
1. DHCPDISCOVER (IPv4) / SOLICIT (IPv6), broadcast by the client
2. DHCPOFFER (IPv4) / ADVERTISE (IPv6), unicast from the rogue server
3. DHCPREQUEST (IPv4) / REQUEST (IPv6), broadcast by the client
4. DHCPACK (IPv4) / REPLY (IPv6), unicast from the rogue server
Lease parameters shown in the figure: IP Address 10.0.0.20, Subnet Mask 255.255.255.0, Default Router 10.0.0.1, DNS Servers 192.168.168.2 and 192.168.168.3, Lease Time 2 days.


A DHCP spoofing attack is also known as a rogue DHCP server attack. The attacker introduces a
rogue DHCP server into the network that answers clients' DHCPDISCOVER messages. Both the rogue
server and the legitimate server respond, but a client normally accepts the first DHCPOFFER it
receives; if the rogue server answers faster (it usually sits on the same segment, while the real
server is often reached through a relay), the client takes the rogue lease. The parameters handed
out by the rogue server can disrupt the client's network access entirely, causing a DoS.

More often the rogue offer is deliberately plausible, with only one or two fields changed. It may
assign the attacker's IP address as the client's default gateway, so that all traffic the client
sends off its subnet goes to the attacker, who captures it and forwards it on to the real gateway.
From the client's point of view everything works, so this man-in-the-middle position can go
undetected for a long time. Alternatively, the rogue server supplies attacker-controlled DNS
servers; the client then resolves legitimate hostnames to fake websites set up to harvest its
credentials.

The mitigation is DHCP snooping. Once it is enabled, every port is untrusted by default and any DHCP
server message (DHCPOFFER, DHCPACK, DHCPNAK) arriving on an untrusted port is dropped; only the
uplink or port that leads to the legitimate DHCP server is configured as trusted. A rogue server
plugged into an access port therefore never reaches the clients. DHCP snooping also records the
leases it forwards in a binding table (MAC address, IP address, lease time, VLAN, port), which is
what later checks on ARP and IP traffic are validated against.
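The two DHCP attacks above (starvation and the rogue server) are stopped by the same switch feature, so one worked example covers both. It is an added illustration written for this edition, not courseware code and not any vendor's implementation: a small Python emulation of the DHCP snooping checks (trusted and untrusted ports, chaddr-versus-source-MAC verification, a per-port rate limit and the binding table) run over constructed DHCP frames. The port names, MAC and IP addresses and the rate-limit value are assumptions chosen for the demonstration.

```python
"""Emulation of the DHCP snooping checks a switch applies to client and server
messages. Added example: constructed frames, not a capture or vendor code."""
import struct
from collections import defaultdict, deque

DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie before the options
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"        # the 236-byte fixed BOOTP header


def build_dhcp(msg_type, chaddr, xid=0x3903F326, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP message carrying only the message-type option."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2      # 1 = BOOTREQUEST, 2 = BOOTREPLY
    your_ip = bytes(int(o) for o in yiaddr.split("."))
    header = struct.pack(BOOTP_FMT, op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, your_ip, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(data):
    """Return op, xid, client hardware address (chaddr), offered IP and message type."""
    f = struct.unpack(BOOTP_FMT, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "xid": f[4], "chaddr": f[11][:f[2]],
           "yiaddr": ".".join(str(b) for b in f[8]), "msg_type": None}
    i = 240
    while i < len(data) and data[i] != 255:               # 255 = end-of-options
        if data[i] == 0:                                  # 0 = pad
            i += 1
            continue
        code, length = data[i], data[i + 1]
        if code == 53:
            msg["msg_type"] = data[i + 2]
        i += 2 + length
    return msg


class DhcpSnooping:
    """Trusted ports, chaddr/source-MAC check, per-port rate limit, binding table."""

    def __init__(self, trusted_ports, rate_limit=10, window=1.0):
        self.trusted = set(trusted_ports)
        self.rate_limit, self.window = rate_limit, window
        self.recent = defaultdict(deque)   # port -> times of client DHCP messages
        self.pending = {}                  # xid -> (chaddr, client port) awaiting an ACK
        self.bindings = {}                 # chaddr -> (leased IP, client port)

    def process(self, port, src_mac, payload, now):
        msg = parse_dhcp(payload)
        if msg["op"] == 2:                                   # OFFER/ACK/NAK: server traffic
            if port not in self.trusted:
                return "drop: server message on untrusted port"
            if msg["msg_type"] == ACK and msg["xid"] in self.pending:
                chaddr, client_port = self.pending.pop(msg["xid"])
                self.bindings[chaddr] = (msg["yiaddr"], client_port)
            return "forward"
        if port in self.trusted:                             # clients behind the uplink are not policed
            return "forward"
        q = self.recent[port]                                # rate limit: client messages per port
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_limit:
            return "drop: DHCP rate limit exceeded (port err-disabled)"
        if msg["chaddr"] != src_mac:                         # the 'verify mac-address' check
            return "drop: chaddr does not match frame source MAC"
        self.pending[msg["xid"]] = (msg["chaddr"], port)
        return "forward"


def run_demo():
    """Replay constructed frames through the policy and return the decisions."""
    snoop = DhcpSnooping(trusted_ports={"Gi1/0/24"}, rate_limit=5)
    client, server = bytes.fromhex("001122334455"), bytes.fromhex("000000000099")
    attacker = bytes.fromhex("aabbccddeeff")
    d = []
    # legitimate client on an access port: chaddr matches the frame's source MAC
    d.append(snoop.process("Gi1/0/5", client, build_dhcp(DISCOVER, client), 0.0))
    # real server answers over the trusted uplink; a rogue server answers from an access port
    d.append(snoop.process("Gi1/0/24", server, build_dhcp(OFFER, client, yiaddr="10.0.0.20"), 0.1))
    d.append(snoop.process("Gi1/0/7", attacker, build_dhcp(OFFER, client, yiaddr="10.0.0.99"), 0.1))
    d.append(snoop.process("Gi1/0/24", server, build_dhcp(ACK, client, yiaddr="10.0.0.20"), 0.3))
    # starvation attempt 1: one source MAC (port security sees nothing) but a new chaddr each time
    for i in range(3):
        fake = bytes([0x02, 0, 0, 0, 0, i])
        d.append(snoop.process("Gi1/0/7", attacker, build_dhcp(DISCOVER, fake, xid=100 + i), 1.0 + i * 0.01))
    # starvation attempt 2 (Gobbler style): source MAC and chaddr both spoofed; only the rate limit helps
    for i in range(7):
        fake = bytes([0x02, 0, 0, 0, 1, i])
        d.append(snoop.process("Gi1/0/9", fake, build_dhcp(DISCOVER, fake, xid=200 + i), 2.0 + i * 0.01))
    return d, snoop.bindings
```

The rogue OFFER is dropped purely on port trust, the chaddr-only flood is caught by MAC verification, and the flood that spoofs both addresses is caught only by the rate limit (or by port security's MAC count), which is why the features are deployed together rather than relying on any one of them.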


Access Attacks:
Switch Port Stealing
■ It is a MITM technique used to perform packet sniffing by exploiting the switch ports of a user
■ Attackers flood the switch ports with forged packets that contain the victim host's spoofed MAC as source address and the attacker's MAC as destination address
■ This allows the switch port to send the traffic to the attacker instead of the intended recipients

Figure: Host A, Host B, Host C and the attacker share one switch. Labels recovered from the diagram: "Broadcasts ARP"; "Inundates forged packets at the switch and redirects the packets to attacker".

Switch port stealing is a sniffing technique in which the attacker forges Ethernet frames carrying
the MAC address of the target machine. Using a port stealing attack, the attacker "steals" the
traffic that the switch would otherwise deliver to the target's port, and so can sniff packets that
were destined for another computer.

The attack exploits the way an Ethernet switch learns its address table (the CAM table). For
every frame it receives, the switch records the source MAC address and the port the frame arrived
on, and it forwards a frame to a destination MAC by looking up the port last associated with that
MAC. The switch has no way to verify that a source MAC really belongs to the port a frame arrived
on; the most recent frame simply wins. If a computer is moved from one port to another, the table
follows it, and an attacker who forges frames with another host's source MAC moves that host's
entry in exactly the same way.

The MITM technique therefore works as follows. The attacker floods the switch with forged frames
whose source address is the victim's MAC and whose destination address is the attacker's own MAC
(so the forged frames are delivered back to the attacker and disturb nobody else). The switch now
associates the victim's MAC with the attacker's port and sends traffic addressed to the victim to
the attacker instead of to the intended recipient. To keep the victim connected, the attacker
periodically stops flooding, sends an ARP request to the victim so that the victim's reply restores
its own entry in the switch table, and forwards the captured frames on to it. The victim's MAC
address flapping between two ports is the observable symptom of the attack.


Access Attacks:
MAC Spoofing/Duplicating
■ A MAC duplicating attack is launched by sniffing a network for MAC addresses of clients which are actively associated with a switch port and re-using one of those addresses
■ By intercepting the network traffic, the attacker replicates a legitimate user's MAC address to receive all the traffic intended for the specific user
■ This attack allows an attacker to gain access to the network by faking the identity of another person who is already on the network

Figure: a legitimate user and the attacker connected to the same switch, with the Internet beyond it. Labels recovered from the diagram: switch rule "Allow access to the network only if your MAC address is A:B:C:D:E"; legitimate user "My MAC address is A:B:C:D:E"; attacker "No! My MAC address is A:B:C:D:E"; "Attacker sniffs the network for MAC addresses of the currently associated users and then uses that MAC address to attack other users associated to the same switch port".

Note: This technique also works against wireless access points with MAC filtering enabled.


Spoofing attacks allow attackers to spread malware, bypass authentication checks, or steal
sensitive information. The attacker pretends to be a legitimate user on the network in order to
reach restricted resources and perform malicious activities.

MAC duplicating (MAC cloning) means changing the attacker's MAC address to that of a legitimate
user on the network. The attacker first sniffs the network to learn the MAC addresses of clients
that are actively associated with a switch port (or, on a wireless network, with an access point),
then reconfigures their own interface with one of those addresses. If the spoofing succeeds, the
switch delivers the traffic destined for the legitimate client to the attacker, and any control
that trusts the MAC address, such as switch port security or access point MAC filtering, grants the
attacker the access of the user whose identity was taken. Because the legitimate client usually
keeps transmitting as well, the switch sees the same MAC address alternately on two ports; this
MAC-move flapping is the symptom a defender should alert on.
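Port stealing and MAC duplication leave the same trace on the switch: one MAC address alternating between two ports. The following added example (not part of the courseware) models a learning switch in Python, replays both attacks against it using constructed MAC addresses and port names, and shows what a MAC-move ("flapping") alert catches versus what static port security blocks outright. The thresholds and the three-cycle attack script are assumptions for the demonstration.

```python
"""Learning switch with a MAC-move (flap) detector and optional static port security.
Added example with constructed MAC addresses; not a vendor implementation."""
from collections import defaultdict, deque

BCAST = "ff:ff:ff:ff:ff:ff"
A, B, X = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "de:ad:be:ef:00:01"  # Host A, Host B, attacker


class Switch:
    def __init__(self, allowed_macs=None, flap_threshold=3, window=1.0):
        self.cam = {}                     # MAC -> port it was last seen on
        self.moves = defaultdict(deque)   # MAC -> times its port changed
        self.allowed = allowed_macs       # port -> set of MACs (static port security), or None
        self.flap_threshold, self.window = flap_threshold, window
        self.alerts = []

    def receive(self, in_port, src, dst, now):
        """Learn src on in_port, then return where a frame for dst is sent."""
        if self.allowed is not None and src not in self.allowed.get(in_port, set()):
            self.alerts.append(f"{now:.2f}s port-security violation on {in_port}: MAC {src}")
            return "drop"
        prev = self.cam.get(src)
        if prev is not None and prev != in_port:             # entry moved: normal for a relocated
            q = self.moves[src]                               # host, suspicious when it keeps happening
            q.append(now)
            while now - q[0] > self.window:
                q.popleft()
            if len(q) >= self.flap_threshold:
                self.alerts.append(f"{now:.2f}s MAC {src} flapping {prev} -> {in_port}: "
                                   f"{len(q)} moves in {self.window}s")
        self.cam[src] = in_port                              # the most recent frame always wins
        if dst == BCAST or dst not in self.cam:
            return "flood"
        return self.cam[dst]


def port_stealing_demo(allowed_macs=None):
    """Three steal/restore cycles; returns alerts and the egress port of each A -> B frame."""
    sw = Switch(allowed_macs)
    egress = []
    sw.receive("Gi1/0/1", A, B, 0.00)                 # switch learns A on port 1 ...
    sw.receive("Gi1/0/2", B, A, 0.01)                 # ... and B on port 2
    egress.append(sw.receive("Gi1/0/1", A, B, 0.02))  # A -> B reaches B's real port
    t = 1.0
    for _ in range(3):
        sw.receive("Gi1/0/3", B, X, t)                        # forged: src = B's MAC, dst = attacker
        egress.append(sw.receive("Gi1/0/1", A, B, t + 0.01))  # stolen: A -> B now goes to port 3
        sw.receive("Gi1/0/3", X, BCAST, t + 0.02)             # attacker's ARP request makes B answer ...
        sw.receive("Gi1/0/2", B, X, t + 0.03)                 # ... and B's reply restores B -> port 2
        t += 0.1
    return sw.alerts, egress


def mac_duplication_demo():
    """Attacker on port 3 clones Host A's MAC while A keeps transmitting on port 1."""
    sw = Switch()
    for i in range(4):
        sw.receive("Gi1/0/1", A, BCAST, i * 0.2)
        sw.receive("Gi1/0/3", A, BCAST, i * 0.2 + 0.1)
    return sw.alerts
```

Without port security the switch hands every A-to-B frame in the attack window to port 3 and the detector fires once the same MAC has moved three times within a second; with a static MAC pinned to each port the forged frame is dropped before it can be learned and the traffic never leaves B's port. The detector is also the right signal for MAC duplication, which produces the same alternation between the legitimate port and the attacker's.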


Denial-of-Service Attack (DoS)
■ The DoS attack makes resources unavailable for genuine users by sending a large number of service requests or by exploiting vulnerabilities
■ Techniques used by an attacker include sending malicious packets and exploiting already existing programming, logical, and application vulnerabilities
■ Organizations deploy IDS central logging servers exclusively to store the IDS alert logs of all systems in a centralized manner
■ If an attacker obtains the central log server's IP address, they could slow it down or even crash it with a DoS attack
■ After the server is shut down, attacks could go unnoticed because the alert data is no longer being logged

Using this technique, an attacker can:
■ Consume the device's processing power, which allows attacks to go unnoticed
■ Cause the admin to take more time to investigate a large number of alarms
■ Fill up disk space, leaving no space for logs or disrupting logging processes
■ Cause more alarms than the management systems (such as databases, ticketing systems, etc.) can handle
■ Cause the device to lock up


Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer
or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks
overflow the network with a high volume of traffic using existing network resources, depriving
legitimate users of these resources. Connectivity attacks overflow a computer with a large
amount of connection requests, consuming all available operating system resources, so that the
computer cannot process legitimate user requests.

Consider a company (Target Company) that delivers pizza upon receiving a telephone order.
The entire business depends on telephone orders from customers. Suppose a person intends to
disrupt the daily business of this company. If this person came up with a way to keep the
company's telephone lines engaged in order to deny access to legitimate customers, the Target
Company would lose business.

DoS attacks work like the pizza company situation. The objective of the attacker is not to steal
information from the target but to render its services useless. In the distributed form of the
attack (DDoS, described next), the attacker first compromises many computers (called zombies) and
controls them remotely, then directs all of them against a single machine to overwhelm it with
requests until the target crashes.


Distributed Denial-of-Service Attack (DDoS)
■ A DDoS attack involves a multitude of compromised systems attacking a single target, thereby causing a denial of service for legitimate users
■ An attacker uses botnets to exploit vulnerabilities in the target system and convert it into a bot; doing this infects it with malware or even takes control of other systems on the network
■ DDoS attacks disable the whole network and hinder business operations, causing financial loss and a bad reputation

Two types of DDoS:
■ Network-centric attack: overloads a service by consuming bandwidth
■ Application-centric attack: overloads a service by inundating it with packets

Figure: the attacker instructs a handler, which directs the compromised PCs (zombies) to attack a target server.

A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the
availability of services on a target's system or network resources, launched indirectly through
many compromised computers on the Internet.

The services under attack are those of the "primary target," while the compromised systems
used to launch the attack are often called the "secondary target." The use of secondary targets
in performing a DDoS attack provides the attacker with the ability to wage a larger and a more
disruptive attack, while making it more difficult to track them.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack
uses many computers to launch a coordinated DoS attack against one or more targets. Using
client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-
service significantly by harnessing the resources of multiple unwitting accomplice computers,
which serve as attack platforms."

If left unchecked, a large DDoS attack can cripple or disable essential Internet services in
minutes. DDoS attacks are dangerous because they can quickly consume the capacity of even the
largest hosts on the Internet, rendering them useless. The impact of a DDoS includes loss of
goodwill, a disabled network, financial loss and a disabled organization. DDoS attacks are also
used as decoys: attackers flood one system to keep administrators busy while they attack the real
target, which may not be noticed until it is too late.
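A defender's first view of either attack is usually a flow or packet log. The added example below (not from the courseware) runs a sliding-window SYN-rate detector over constructed flow records and labels the result DoS or DDoS by how many sources take part, which is what distinguishes the single-source connectivity attack described earlier from the zombie-driven variant. The thresholds, addresses and timings are assumptions chosen for the demonstration.

```python
"""Sliding-window SYN-rate detector over flow records, separating a single-source
flood (DoS) from a distributed one (DDoS). Added example on constructed records."""
from collections import defaultdict


def sample_flows():
    """Constructed (time_s, src_ip, dst_ip, tcp_flags) records: not real traffic."""
    rows = []
    for i in range(20):                       # background: 5 clients, 20 SYNs over 10 s
        rows.append((i * 0.5, f"192.0.2.{i % 5 + 1}", "203.0.113.10", "S"))
    for i in range(300):                      # single-source SYN flood, 100 SYN/s for 3 s
        rows.append((12.0 + i * 0.01, "198.51.100.7", "203.0.113.10", "S"))
    for i in range(400):                      # 200 zombies, 400 SYNs in 4 s against a second host
        rows.append((20.0 + i * 0.01, f"100.64.0.{i % 200 + 1}", "203.0.113.20", "S"))
    rows.append((21.0, "192.0.2.9", "203.0.113.10", "A"))   # a plain ACK: not a connection request
    return rows


def detect_floods(rows, window=5.0, syn_threshold=100, ddos_min_sources=50):
    """Return {(dst, 'DoS'|'DDoS'): stats} for each destination whose SYN count in some
    `window`-second span reaches syn_threshold; the distinct-source count picks the label."""
    by_dst = defaultdict(list)
    for t, src, dst, flags in sorted(rows):
        if "S" in flags:                                  # only connection requests count
            by_dst[dst].append((t, src))
    alerts = {}
    for dst, events in by_dst.items():
        start = 0
        for end, (t, _) in enumerate(events):
            while t - events[start][0] > window:          # slide the window forward
                start += 1
            span = events[start:end + 1]
            if len(span) < syn_threshold:
                continue
            sources = {s for _, s in span}
            kind = "DDoS" if len(sources) >= ddos_min_sources else "DoS"
            a = alerts.setdefault((dst, kind), {"first_seen": t, "peak_syns": 0, "sources": 0})
            if len(span) > a["peak_syns"]:                # keep the worst window seen so far
                a["peak_syns"], a["sources"] = len(span), len(sources)
    return alerts
```

The same per-destination counter fires for both attacks; what tells the defender whether blocking one source will help is the number of distinct sources behind the peak. The five-second window and the thresholds would be tuned to the normal connection rate of the service in practice.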


■ Malware are software programs or malicious code that install on a system without the user's knowledge
■ It disrupts services, damages systems, gathers sensitive information, etc.
■ Examples of malware include Virus, Trojan, Adware, Spyware, Rootkit, Backdoor, etc.

Virus: A virus is a self-replicating program that attaches itself to another program, a computer boot sector, or a document
Trojan: A program that appears to be good or useful software but contains hidden and harmful code
Adware: Adware is a software program that tracks the user's browsing pattern for marketing purposes and to display advertisements
Spyware: Spyware is a piece of software code that extracts the user's information and sends it to attackers
Rootkit: A rootkit is a malicious software program that conceals certain activities from detection by the operating system
Backdoor: Backdoors are programs that allow attackers to bypass authentication checks, such as gaining administrative privileges without passwords


Malware
Malware is malicious software designed to perform activities intended by the attacker without the
user's consent. It appears as executable code, active content, scripts or other forms of software.
With it the attacker compromises system security, intercepts computer operations, gathers sensitive
information, modifies, deletes or adds content to a website, takes control of a user's computer,
etc. It is used against government agencies and corporations to extract highly confidential
information.

Virus
A virus is a program that duplicates itself by making copies of itself. The defining criterion for
classifying a piece of executable code as a virus is that it replicates through host files or
programs. A virus spreads from one PC to another only when an infected host is carried to the clean
computer, for example when a user transmits it over a network or executes it from removable media,
and it can damage files in the file system as it infects them. Viruses are sometimes confused with
worms; a worm spreads itself to other computers without needing a host or any action by the user.
Because most PCs are now connected to the Internet and to local area networks, both spread far
faster than they once did. Within a computer the virus infects one file after another, inserting
its own code into other executables so that each of them in turn spreads it. Some viruses stay
resident in memory, and some infect the boot sector so that they load before the operating system.
A virus may also keep its body in encrypted form so that its code is not visible in the infected
file.


Armored Virus
An armored virus is a type of computer virus that is specifically coded with mechanisms that make
its detection difficult. It misleads antivirus programs, for example by making them believe the
virus code is located somewhere else in memory, so that it is harder to detect and remove. Another
kind of armor is implemented with complicated and confusing code whose purpose is both to hide the
virus from detection and to hinder the development of a countermeasure: it makes the virus difficult
for researchers to disassemble, so it propagates for longer before a countermeasure is found. It
affects target users in the same way as a normal virus.

Trojan
A Trojan is a malicious program that masquerades as legitimate software. A Trojan horse attack is a
serious threat to system security: the victim's machine is not only attacked itself but may also be
used as an intermediary to attack others, without the victim's knowledge. Most Trojans consist of
two parts, a server and a client. The server is the program installed on the infected system; the
client is the program on the attacker's computer. Together they establish a connection between the
attacker and the victim's system over the Internet.

In computing terms, a Trojan is a security-breaching program that impersonates a legitimate
application. For example, a user downloads what appears to be a movie or music file and opens it,
and the file instead launches a program that erases the disk.

Trojan horses can also give remote access to the system. They can delete files, send files to the
intruder, modify files, install other programs that provide unauthorized network access, and
execute privilege-elevation attacks: a Trojan may attempt to exploit a vulnerability to gain a level
of access beyond that of the user running it. If a Trojan compromises a system in a shared network,
the attacker can record user names, passwords and other sensitive information as it moves across
the network.

Adware
Adware is a software program that tracks the user's browsing patterns for marketing purposes
and displaying advertisements. It collects the user's data, such as what types of Internet sites
the user visits in order to customize the adverts that are relevant to the user. Legitimate
software is embedded with adware programs to generate revenue. Adware is considered as a
legitimate alternative provided to customers who do not wish to pay for software. Software
developers look to adware as a way to reduce development costs and increase profits. It
enables software developers to offer software at no cost or at a reduced price. Software
developers are motivated to design, maintain and upgrade their software product and generate
revenues using adware. It has become a large platform with millions of users and has attracted
attackers looking to perform attacks through exploiting adware.
Legitimate adware requests the user's permission before collecting data, the ads disappear when the
program is removed or uninstalled, and there is usually an option to disable ads by purchasing a
registration key. When user data is collected without the user's permission the program is
malicious and is termed spyware; it should be avoided for privacy and security reasons. Malicious
adware is installed on a computer through cookies, browser plug-ins, file sharing, freeware and
shareware. It consumes bandwidth and exhausts CPU and memory resources. Attackers perform spyware
attacks to collect information from the target user's hard drive, the websites visited or the
keystrokes typed, in order to misuse it and commit fraud.

Common adware programs include toolbars on a user's desktop or those that work in
conjunction with the user's web browser. Adware performs advanced searching of the web or a
user's hard drive and may provide better organization of bookmarks and shortcuts. Adware
typically requires an Internet connection to run. There is more advanced adware that includes
games and utilities that are free to use but users need to watch advertisements until the
program opens. For example, while watching "YouTube videos", users need to wait until the ad
is completed before watching the video.

Spyware
Spyware is a piece of software code that extracts the user's information and sends it to
attackers. It enables pop-up advertisements to appear, modifies computer settings, redirects
users to fake webpages or changes the home page of the browser. Users are not really aware of
spyware being installed on their computer. Most of the time, spyware is used to track cookies
and display unwanted pop-up ads. Its presence is hidden from the user and it is difficult to
detect. Keylogger is a type of spyware used by attackers to record keystrokes entered by the
user.
Spyware infects a user's system when they visit a fake website containing malicious code which
is controlled by the spyware author. This malicious code forces the spyware download and its
installation. It also gets infected by manipulating loop holes in the browser or software, by
binding itself with trusted software, etc. Once the spyware is installed, it monitors the user's
activities on the Internet. It gathers information such as usernames, passwords, bank account
details, credit card numbers, etc., and sends it to the attacker.

When a system is infected by spyware its performance degrades. Spyware may disable the software
firewall and antivirus software and lower the browser's security settings, making the system more
vulnerable to further attacks; applications freeze, the system fails to boot, and spyware that
interferes with networking software makes it difficult to connect to the Internet. Because it steals
information using the target computer's memory and the bandwidth of its Internet connection, the
system can also become unstable and crash.

Rootkits
A rootkit is a software program that hides its activities from detection and performs malicious
actions with privileged access to the target computer. It conceals the fact that the operating
system has been compromised by the attacker. A successful rootkit can potentially remain in place
for years if it is not detected. Rootkits are used to hide viruses, worms, bots, etc., and are
difficult to remove. The malware hidden by a rootkit is used to monitor, filter or steal sensitive
information and resources, change the configuration settings of the target computer and perform
other potentially unsafe actions.

Rootkits are installed by attackers after they gain administrative access, either by exploiting a
vulnerability or by cracking a password. With full control over the target system the attacker can
modify files, and can also modify the security software that would otherwise detect the rootkit.

Rootkits are activated each time the system is rebooted, and they load before the operating system
has finished booting, which makes their presence difficult to detect. They install hidden files,
hidden processes, hidden user accounts, etc., in the operating system to perform malicious
activities. A rootkit intercepts data from terminals, the keyboard and network connections, and so
allows the attacker to extract sensitive information from the target user: usernames, passwords,
credit card details, bank account details, etc., which are then misused to commit fraud or other
illegal activities.

Backdoors
Attackers create backdoors to compromise the security of the target systems and gain access to
a network illegitimately. Attackers insert small programs that bypass the authentication check
such as gaining administrative privileges without passwords. The attacker installs programs and
controls the victim's computer remotely. Attackers use backdoors to get access to a network
and keep returning by using the same exploit.

It is difficult for system administrators to block attackers who use backdoors. Even if the
administrator detects the backdoor and changes the password, the attacker may still be able to
reach the resources of the infected system through it. If the attacker believes the administrator
has detected the access, they can simply locate another vulnerability and plant a new backdoor to
avoid detection. Backdoor access is typically not logged, and the system appears as if no one is
online while the attacker continues to use the infected machine.

Password cracking is a common way to plant a backdoor in a network and in the systems connected to
it. Accounts that are unused or used infrequently are the attacker's preferred targets: a password
cracker identifies the accounts with weak passwords and the attacker then changes their passwords,
turning them into private access points. Because such accounts are rarely used, the changed
password goes unnoticed and everything appears to operate normally, and system administrators find
it difficult to determine which accounts are no longer used in order to lock them.

Logic Bomb
A logic bomb is a piece of software code that performs a malicious action when a logic condition is
satisfied, for example crashing a program on a specific date. When a logic bomb "explodes", it may
display a bogus message, delete data or completely reformat hard drives, send sensitive information
to untrusted parties, disable a network for a certain length of time and otherwise harm the target
computer. Malware such as viruses use logic bombs to spread before being noticed.

Logic bombs are also used to demand money for software: code turns the software into a trial
version, and after a specific number of days the user has to pay a specified amount to continue
using it. Similarly, logic bombs are used to blackmail target users; if the demand is not met, the
logic bomb explodes in the computer network and corrupts or deletes data or performs other malicious
activities intended by the attacker.

Attackers combine spyware and a logic bomb to steal the identity of a target user. The spyware
installs a keylogger secretly; the logic bomb waits until the targeted user visits a website that
requires a login, then triggers the keylogger to capture the username and password and send them to
the remote attacker.

Botnets
A botnet is a collection of compromised computers connected to the Internet and used to perform a
distributed task. Attackers distribute malicious software that turns users' computers into bots. A
bot is a program, or an infected system running it, that performs repetitive work or acts as an
agent or user interface for controlling other programs; the infected computer performs automated
tasks without the user's permission. Attackers use bots to infect a large number of computers. The
cyber-criminal who controls the bots is called the botmaster. Bots spread across the Internet
searching for vulnerable and unprotected systems; when a bot finds an exposed system it quickly
infects it and reports back to the botmaster.

Attackers use botnets to distribute spam, carry out denial-of-service attacks and automate identity
theft. A computer that is part of a botnet may run noticeably slower. Botmasters use the infected
computers for a variety of automated tasks: sending viruses, worms, spam and spyware; stealing
personal and private information such as credit card numbers, bank details, usernames and passwords;
launching DoS attacks against a target and extorting money to stop them; and boosting web
advertising billings by automatically clicking on Internet ads.

Bots enter a target system using a payload in a Trojan horse or similar malware. It infects the
target system through drive-by-downloads, or by sending spam mails that are embedded with
malicious content.

Ransomware
Ransomware is a type of malicious software that locks or encrypts valuable files available in the
victim's computer until a ransom is paid. Unlike other malware it does not hide, it displays a
message on the infected system that "your files are taken away for ransom and you need to pay
money in order to decrypt it". It redirects victims to different sites and provides information
regarding how to make payment to recover the data back. During payment, attackers often
collect credit card details that may result in further financial losses. Moreover, there is no
guarantee the data will be recovered, even if the payment is made.

Ransomware gets installed when a user clicks on a malicious link in an email attachment or
instant message or on a social networking site. It gets installed even when the user visits an
infected site or clicks on an infected pop-up advertisement. Ransomware demands are
displayed either in a text file or on a web page in the browser.


This type of malware takes advantage of a victim's embarrassment, surprise or fear to satisfy
the ransom demands. For example, attackers put time pressure on a victim stating that their
data gets destroyed every 30 minutes if they do not make a payment. If the payment is not
done within the time span, the files cannot be recovered. Other ransomware forces users to
purchase a product to recover the data back. Some ransomware tricks or embarrasses users to
pay the ransom by stating they have been watching illegal content and must pay a fine.

Polymorphic malware
Polymorphic malware is destructive and intrusive malware code that changes its signature to
avoid pattern-matching detection by antivirus programs. The functionality remains the same
even though the signature changes. For example, a spyware program working as a keylogger
continues to perform the same action even after its signature changes. Even if one sample of a
polymorphic malware is detected and its signature is added to an antivirus program's
downloadable signature database, the program fails to detect the next copy of the same
malware, because that copy carries a modified signature.
Polymorphic malware code (the payload) is encrypted in order to hide it and make it difficult for
antivirus programs to read. Malware gains polymorphic behavior when a mutation engine is
bundled with another payload such as a virus, worm, or Trojan. The engine produces different
sub-versions of the same code with the same functionality: it modifies file names, encrypts the
data with variable keys, compresses the files, etc.
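As an added illustration of the point above (this is not courseware code), the following Python compares the exact file-hash signature that a signature database stores with a fingerprint of the behaviour an analyst observes at run time. The sample bytes and the action traces are constructed stand-ins, not real malware: two copies of the same keylogger whose encrypted bodies differ byte for byte. The static signature learned from the first copy misses the second; the behaviour fingerprint, which ignores byte-level differences and loop counts, still matches it.

```python
"""Exact-hash signature versus behaviour fingerprint for a polymorphic variant.

Added example, not EC-Council courseware code. SAMPLE_V1/V2 and TRACE_V1/V2
are constructed inputs: two copies of one program with different encrypted
bodies, and the abstract action sequence each copy performed in a sandbox.
"""
import hashlib
from itertools import groupby

# Constructed sample bytes: shared header, then a body that the mutation engine
# re-encrypted with a different key, so every byte of the body differs.
SAMPLE_V1 = b"HDR1" + bytes([0x11]) * 32
SAMPLE_V2 = b"HDR1" + bytes([0x7A]) * 32

# Constructed runtime traces (abstract action names, not real API names).
# V2 loops over read_keystroke more often but does the same things in order.
TRACE_V1 = ["hook_keyboard", "read_keystroke", "append_log", "http_post"]
TRACE_V2 = ["hook_keyboard", "read_keystroke", "read_keystroke",
            "read_keystroke", "append_log", "http_post"]


def file_hash(sample: bytes) -> str:
    """Classic static signature: SHA-256 of the whole file."""
    return hashlib.sha256(sample).hexdigest()


def behaviour_fingerprint(trace) -> str:
    """Hash of the normalised action sequence: case-folded, with consecutive
    repeats collapsed so that loop-count differences do not change the value."""
    normalised = [name for name, _ in groupby(step.lower() for step in trace)]
    return hashlib.sha256("|".join(normalised).encode()).hexdigest()


# Databases built from the first copy the vendor analysed.
STATIC_DB = {file_hash(SAMPLE_V1)}
BEHAVIOUR_DB = {behaviour_fingerprint(TRACE_V1)}


def matches_static(sample: bytes, db=STATIC_DB) -> bool:
    return file_hash(sample) in db


def matches_behaviour(trace, db=BEHAVIOUR_DB) -> bool:
    return behaviour_fingerprint(trace) in db


def classify(sample: bytes, trace) -> str:
    """'static' if the file hash is known, 'behaviour' if only the runtime
    fingerprint is known, otherwise 'unknown'."""
    if matches_static(sample):
        return "static"
    if matches_behaviour(trace):
        return "behaviour"
    return "unknown"


if __name__ == "__main__":
    print("v1:", classify(SAMPLE_V1, TRACE_V1))  # static
    print("v2:", classify(SAMPLE_V2, TRACE_V2))  # behaviour
```

The design choice worth noting is the normalisation step in `behaviour_fingerprint`: collapsing repeated actions is what lets a copy that loops a different number of times still hash to the same value, whereas any single changed byte defeats `file_hash`.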

Module 03
Network Security Controls, Protocols, and Devices
Certified Network Defender Exam 312-38

Module objectives (slide):

• Understanding the fundamental elements of network security
• Explaining network access control mechanisms
• Understanding the different types of access controls
• Explaining network Authentication, Authorization and Auditing (AAA) mechanisms
• Explain the network data encryption mechanism
• Describe Public Key Infrastructure (PKI)
• Describe various network security protocols
• Describe various network security devices

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

This module discusses three important elements of network security: controls, protocols, and
devices. It teaches the various network security controls, including authentication,
authorization, encryption, and access controls. It also provides the necessary information on
the different security protocols that should be implemented to secure the network, and
discusses the security perimeter appliances commonly deployed in a network to defend against
possible attacks.

Module 03 Page 154 Certified Network Defender Copyright © by EC-Council


All Rights Reserved. Reproduction is Strictly Prohibited.

Network Security Controls (slide): Authentication, Authorization, Accounting, Access Control,
Identification, Cryptography, Security Policy.

Network security controls are used to ensure the confidentiality, integrity, and availability of
network services. These controls are technical or administrative safeguards implemented to
minimize security risk. To reduce the risk of a network being compromised, adequate network
security requires implementing a proper combination of network security controls.
These network security controls include:

• Authentication

• Authorization

• Accounting

• Access Control

• Identification

• Cryptography

• Security Policy
These controls help organizations implement strategies for addressing network security
concerns. Multiple layers of network security controls should be applied across the network to
minimize the risk of attack or compromise. The overlapping use of these controls provides
defense-in-depth network security.


Access Control Terminology (slide)

• Subject: a particular user or process that wants to access the resource
• Object: a specific resource that the user wants to access, such as a file or any hardware device
• Reference Monitor: checks the access control rule for specific restrictions
• Operation: the action taken by the subject on the object

Flow shown on the slide: Subject → Reference Monitor → Object, with Authentication on the
subject side and Authorization on the object side.

The following terminologies are used to define access control on specific resources:

Subject
A subject is a user or a process that attempts to access objects. Subjects are the entities that
perform actions on the system.

Object
An object is an explicit resource on which access restrictions are imposed. The access controls
implemented on an object govern the actions a user may perform on it. Examples are files and
hardware devices.

Reference Monitor
The reference monitor enforces the restrictions imposed by the access control rules. It
implements a set of rules governing whether a subject may perform a given action on an
object.

Operation
An operation is an action performed by the subject on the object. A user trying to delete a file is
an example of an operation: the user is the subject, delete is the operation, and the file is the
object.


Access Control Principles (slide): the authentication function verifies the user; the access
control function consults the authorization database maintained by the system administrator
and then grants or denies access to the system resources.

Access control principles deal with restricting or allowing access by users or processes. In
principle, the server receives a request from the user and authenticates the user with the help
of an Access Control Instruction (ACI). The server can then allow or deny the user actions such
as reading, writing, or accessing files.
Access controls can grant users access to an entire directory, a subtree of the directory, or a
specific set of entries and attribute values in the directory. Permission values can be set for a
single user or for a group of users. The directory entries and attribute values carry the access
control instructions.
The access control function uses an authorization database, maintained by the security
administrator, to check the authorization details of the requesting user.
General steps in access control:

• Step 1: Users provide their credentials/identification while logging into the system.

• Step 2: The system validates the provided credentials/identification, such as a password or
fingerprint, against the database.

• Step 3: Once the user is identified successfully, the system grants the user access to the
system.

• Step 4: The system then allows the user to perform only those operations, or access only
those resources, for which the user is authorized.


There are three main parts to an access control instruction:

• Target: Permissions are set for certain attributes and entities. These attributes and
entities are known as targets.

• Permission: The permission set for a target states which actions are allowed or denied on
that target.

• Bind Rule: Specifies the subjects to which the access control instruction applies.
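The four steps and the three ACI parts above, carried through in one runnable flow as an added example (not EC-Council courseware code): a user is authenticated against a credential database, and only then is each requested operation checked against ACIs that each carry a target, a permission, and a bind rule. The user records, passwords, salts, and ACIs are constructed for the illustration; the target syntax (`ou=hr/salary` for the salary attribute under the hr entry) and the bind-rule syntax (`user=alice`, `group=hr`, `all`) are this example's own assumptions, not a particular directory server's.

```python
"""Authentication followed by ACI-based authorisation (target / permission /
bind rule), with default deny and deny-overrides-allow.

Added example, not EC-Council courseware code. USER_DB and ACIS are constructed;
the target and bind-rule syntaxes are assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, groups) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "groups": set(groups)}


# Constructed authorisation database maintained by the security administrator.
USER_DB = {
    "alice": make_user("alice-pw-123", ["staff", "hr"]),
    "bob": make_user("bob-pw-456", ["staff"]),
}


@dataclass(frozen=True)
class ACI:
    target: str          # entry or attribute the rule covers (assumed syntax)
    permission: str      # "allow" or "deny"
    rights: frozenset    # operations the permission applies to
    bind_rule: str       # subjects the rule binds to (assumed syntax)


# Constructed ACIs: staff may read the hr subtree, hr may also write it, and
# bob is explicitly denied the salary attribute even though he is staff.
ACIS = [
    ACI("ou=hr", "allow", frozenset({"read"}), "group=staff"),
    ACI("ou=hr", "allow", frozenset({"read", "write"}), "group=hr"),
    ACI("ou=hr/salary", "deny", frozenset({"read", "write"}), "user=bob"),
]


def authenticate(username: str, password: str) -> bool:
    """Steps 1-2: validate the supplied credential against the database.
    The comparison is constant-time so hash bytes do not leak via timing."""
    record = USER_DB.get(username)
    if record is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown names
        return False
    return hmac.compare_digest(record["hash"], hash_password(password, record["salt"]))


def bind_matches(rule: str, username: str) -> bool:
    if rule == "all":
        return True
    kind, _, value = rule.partition("=")
    if kind == "user":
        return value == username
    if kind == "group":
        return value in USER_DB[username]["groups"]
    return False


def target_matches(target: str, resource: str) -> bool:
    """A target covers itself and everything beneath it."""
    return resource == target or resource.startswith(target + "/")


def authorize(username: str, operation: str, resource: str, acis=ACIS) -> bool:
    """Step 4: default deny; an explicit deny wins over any allow."""
    applicable = [a for a in acis
                  if target_matches(a.target, resource)
                  and bind_matches(a.bind_rule, username)
                  and operation in a.rights]
    if any(a.permission == "deny" for a in applicable):
        return False
    return any(a.permission == "allow" for a in applicable)


def access(username: str, password: str, operation: str, resource: str) -> str:
    """Whole flow: authenticate first (steps 1-3), then authorize (step 4)."""
    if not authenticate(username, password):
        return "authentication failed"
    return "allowed" if authorize(username, operation, resource) else "denied"


if __name__ == "__main__":
    print(access("alice", "alice-pw-123", "write", "ou=hr/address"))  # allowed
    print(access("bob", "bob-pw-456", "read", "ou=hr/salary"))        # denied
```

Two decisions in `authorize` are the ones a defender should insist on: an operation with no matching ACI is denied rather than allowed, and a single matching deny rule overrides every allow that also matches.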


Access Control System: Administrative Access Control

The management implements administrative access controls to ensure the safety of the
organization.

Administrative access controls (slide): security policy and procedures, separation of duties,
information classification, investigations, security awareness and training, monitoring and
supervising, job rotation, personnel, testing.

Administrative controls are management limitations, operational and accountability
procedures, and other controls that ensure the security of an organization. The procedures
prescribed in administrative access control ensure the authorization and authentication of
personnel at all levels. The components of administrative access control are as follows:

Security Policy and Procedures
Policies and procedures determine the method of implementing security practices in an
organization. They specify the extent to which the company can accept a risk and the level of
action allowed in the organization.

Personnel Controls/Procedures
Personnel controls determine the methods by which employees may handle the security
principles, and specify the steps taken in the case of any non-compliance issue. They determine
the security steps taken right from the hiring of an employee until the employee leaves or
moves to another department.

Supervisory Structure
The supervisory structure consists of members who are responsible, in the context of security,
for the actions performed by the other employees in the organization.


Security Awareness and Training
Security awareness and training teaches the employees of an organization about the
importance of access control. The training helps employees limit attacks on the network and
assists them in detecting and controlling viruses and worms.

Testing
Testing of the access controls brings out the weaknesses in the network, checks whether all the
access controls are working properly, and evaluates the procedures and policies put in place for
the proper functioning of the organization.

Job Rotation
Job rotation improves error detection and fraud disclosure. A job rotation policy together with
separation of duties is a good administrative access control. However, job rotation prevents
employees from taking up multiple roles at a time, which adds overhead to the access control
system. One needs to be aware of the impact of job rotation on the access control system.

Separation of Duties
Separation of duties comes into play when a single operation requires more than one person to
complete it. When one individual is responsible for completing a whole task, that individual
holds more power and the security risk is high; if the same task is accomplished by a team of
people, proper checks and balances are maintained and there is less chance of error.
Example: Having one security administrator do the actual planning and another team of
security administrators implement and test will reduce the security risks and increase the
chances of finding errors.

Separation of duties can also be applied to a single person. For instance, if a user with limited
access wants to perform a task requiring administrative privileges, User Account Control (UAC)
can grant access once the appropriate privileges are supplied.

Information Classification
Implementing access control is impossible without information classification. Information can
be classified as public, private, secret, proprietary, confidential, etc.

Process of Information Classification:

• Understand data classification project goals
• Build data classification policy
• Build data classification standards
• Build data classification process flow and procedures
• Create tools to support the process
• Determine application owners
• Determine data owners and data owner delegates


• Categorize information
• Define the audit process
• Save information in a repository
• Give user training
• Review and update information classification at regular intervals

Investigation
Investigate the logs for all doubtful activities and violations and make a report for further
actions. Investigate unexpected information system related activities. Study the investigations
periodically and make changes to access authorizations.


Access Control System: Physical Access Controls

It is a set of security measures taken to prevent unauthorized access to physical devices.

Physical access controls (slide): the labels recoverable from the figure are motion detectors
and fences.

Appropriate physical access controls can reduce the chances of attacks and risks in an
organization. Maintaining physical access controls provides physical protection of the
information, buildings, and all other physical assets of an organization.

The physical access controls are categorized into:

Prevention Access Controls
These are used to prevent unwanted or unauthorized access to resources. They include
controls such as fences, locks, biometrics, mantraps, etc.

Deterrence Controls
These are used to discourage the violation of security policies. They include controls such as
security guards, warning signs, etc.

Detection Controls
These are used to detect unauthorized access attempts. They include controls such as CCTV,
alarms, etc.
An access control point can be a physical barrier such as a door or parking gate at which
electronic access control is placed; users must present their credentials before they get access.
Using a PIN for authentication checks the identity of a user. For example, in an office, the
employee must present an access card to the card reader to be able to access the premises.


Access Control System: Technical Access Controls

It is a set of security measures taken to ensure confidentiality, integrity, and availability of the
resources.

Technical access controls (slide): system access, network access, encryption and protocols,
auditing, antivirus software, firewalls.

Technical access control restricts a subject's access to an object. It involves implementing
technical controls that restrict access to devices in an organization in order to protect the
integrity of sensitive data.
The components of technical access control include:
System Access
System access deals with restricting access to data according to the sensitivity of the data, the
clearance level of users, user rights, and permissions.
Network Access
Network access control offers different access control mechanisms for network devices such as
routers, switches, etc.
Encryption and Protocols
Encryption and protocols protect the information passing through the network and preserve
the privacy and reliability of the data.
Auditing
Auditing deals with tracking the activities of the devices in a network. This mechanism helps in
identifying the weaknesses in the network.

Firewalls
Firewalls are implemented to filter unwanted traffic and prevent attacks on the network.


Antivirus Software
Antivirus software is installed to prevent the system from malware infections.


Types of Access Control

Discretionary Access Control (DAC)
• It permits the user who is granted access to information to decide how to protect the information and the level of sharing desired
• Access to files is then restricted to users and groups based upon their identity and the groups to which the users belong

Mandatory Access Control (MAC)
• It does not permit the end user to decide who can access the information
• It does not permit the user to pass privileges to other users, as the access could then be circumvented

Role-based Access Control (RBAC)
• Users can be assigned access to systems, files, and fields on a one-by-one basis whereby access is granted to the user for a particular file or system
• It can simplify the assignment of privileges and ensure that individuals have all the privileges necessary to perform their duties


The type of access control determines how a subject may access an object: which policy the access control mechanism enforces, and which technology enforces it.

The t ypes of access control include:

Discretionary Access Control (DAC)


Under discretionary access control, the owner (possessor) of an object decides which subjects may access it and how. DAC is sometimes described as a need-to-know access model, because the owner grants access to those who need it. The owner's decision rests on the following:

• File and data ownership: Determines the access policies of the user.
• Access rights and permissions: Setting access privileges to other subjects by the
possessor.

The owner can provide or deny access either to any particular user or a group of users. The
attributes of a DAC include:

• The owner of an object can transfer the ownership to another user.

• Access attempts by subjects that are not on the object's access control list are denied.

• Unauthorized users are prevented from viewing details such as the file size, file name, and directory path.

• The DAC uses access control lists in order to identify and authorize users.


• Disadvantages:

• The access control list and access permissions have to be maintained for every object and user, and owners may grant access more widely than the organization intends.
• Examples of DAC include the file permissions of UNIX, Linux, and Windows.

Mandatory Access Control (MAC)


Under mandatory access control, a central authority, not the object's owner, determines the access policy. Every subject is given a clearance and every object a sensitivity label, and a subject can access a resource only if its clearance satisfies the label of that resource. MAC finds its application in data marked as highly confidential, such as classified government information. The security administrators impose MAC through the operating system and its security kernel.

• There are two techniques to implement MAC:


• Rule based access control: Rule based MAC specifies whether to allow or deny access
to an object depending upon the levels of trust between the subject and the object.

• Lattice-based access control: The lattice based access control defines the complex
controls required for multiple subjects and objects.

• The advantages of MAC include:

• MAC provides a high level of security, as the administrators rather than individual users determine the access controls.

• Because users cannot change the policy, MAC minimizes the chances of errors and of accidental over-sharing.


• The operating system labels data as it enters the system and enforces the policy on every access, so the controls do not depend on individual applications doing the right thing.

• Examples of MAC include SELinux and Trusted Solaris.

Role Based Access Control (RBAC)


In role based access control, access permissions are attached to roles rather than to individual users, and users obtain permissions by being assigned roles. The permissions are outside user control: users cannot amend the roles or policies created by the system administrator. The rules for role based access control are:

• Role Assignment: A user can perform a transaction only if the user has been assigned a role.
• Role Authorization: A user's active role must be one the user is authorized for, so users can take on only roles that were assigned to them.
• Transaction Authorization: A user can execute a transaction only if the transaction is authorized for the user's active role.
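The three models above differ in who makes the access decision. The following Python sketch, an added illustration and not part of the EC-Council courseware, puts the three decision functions side by side: a DAC object whose owner holds the ACL, a MAC check over a fixed lattice of labels (Bell-LaPadula's "no read up, no write down" rules are used here as the concrete lattice policy), and an RBAC engine implementing the three rules just listed. The subjects, labels and roles are constructed for the example.

```python
"""DAC, MAC and RBAC decision logic side by side (added example, not EC-Council code)."""
from typing import Dict, Set


# --- DAC: the object's owner holds the ACL and may grant or transfer -------------
class DacObject:
    """An object whose owner decides who may access it (discretionary)."""

    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        # ACL: subject -> set of permissions; the owner starts with full rights.
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, by: str, to: str, perms: Set[str]) -> None:
        # Only the current owner may extend the ACL.
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of {self.name}")
        self.acl.setdefault(to, set()).update(perms)

    def transfer_ownership(self, by: str, to: str) -> None:
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of {self.name}")
        self.owner = to
        self.acl.setdefault(to, set()).update({"read", "write"})

    def allowed(self, subject: str, perm: str) -> bool:
        # Subjects absent from the ACL are simply denied.
        return perm in self.acl.get(subject, set())


# --- MAC: clearances and labels form a lattice fixed by the administrator --------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula style rules: no read up, no write down.

    Neither the subject nor the object's creator can change the outcome;
    only the label assignment (an administrative act) does.
    """
    s, o = LEVELS[clearance], LEVELS[label]
    if perm == "read":
        return s >= o          # a subject may read at or below its clearance
    if perm == "write":
        return s <= o          # a subject may write at or above its clearance
    raise ValueError(f"unknown permission {perm!r}")


# --- RBAC: role assignment, role authorization, transaction authorization ---------
class Rbac:
    def __init__(self) -> None:
        self.role_transactions: Dict[str, Set[str]] = {}  # role -> allowed transactions
        self.user_roles: Dict[str, Set[str]] = {}         # user -> assigned roles
        self.active_roles: Dict[str, Set[str]] = {}       # user -> roles active this session

    def define_role(self, role: str, transactions: Set[str]) -> None:
        self.role_transactions[role] = set(transactions)

    def assign(self, user: str, role: str) -> None:
        # Rule 1 (role assignment): users only ever act through assigned roles.
        if role not in self.role_transactions:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, user: str, role: str) -> None:
        # Rule 2 (role authorization): a user may activate only a role assigned to them.
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not authorized for role {role!r}")
        self.active_roles.setdefault(user, set()).add(role)

    def can_execute(self, user: str, transaction: str) -> bool:
        # Rule 3 (transaction authorization): the transaction must belong to an active role.
        return any(transaction in self.role_transactions[r]
                   for r in self.active_roles.get(user, set()))


if __name__ == "__main__":
    report = DacObject("q3_report.docx", owner="alice")
    report.grant("alice", "bob", {"read"})
    print("DAC  bob read:", report.allowed("bob", "read"), "write:", report.allowed("bob", "write"))
    print("MAC  secret reads top_secret:", mac_allowed("secret", "top_secret", "read"))
    rbac = Rbac()
    rbac.define_role("web_admin", {"restart_httpd"})
    rbac.assign("alice", "web_admin")
    rbac.activate("alice", "web_admin")
    print("RBAC alice restart_httpd:", rbac.can_execute("alice", "restart_httpd"))
```

Note the asymmetry the text describes: in the DAC object, the owner can hand out or transfer rights at will; in the MAC check, a "secret" subject is refused a "confidential" write even though it may read it, because the label policy, not the subject, decides; and in RBAC, an assigned but not yet activated role grants nothing.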


User Identification, Authentication, Authorization and Accounting

Identification: Describes a method to ensure that an individual holds a valid identity (Ex: username, account number, etc.)

Authentication: It involves validating the identity of an individual (Ex: password, PIN, etc.)

Authorization: It involves controlling the access of information for an individual (Ex: a user can only read the file but not write to or delete it)

Accounting: It is a method of keeping track of user actions on the network. It keeps track of who, when, and how the users access the network. It helps in identifying authorized and unauthorized actions


Identification
Identification deals with establishing who (which user, process, or device) is requesting access to the network. A user ID is the most common identifier for users of networks and applications; each user has a unique user ID that distinguishes them from every other user. Identification on its own proves nothing: the authentication step then verifies the claimed identity, typically by checking the user ID against a password. Users need to provide both in order to gain access to the network, and the network administrators grant access controls and permissions to services based on the user ID.

Example: Username, Account Number, etc.

Authentication
Authentication refers to verifying the credentials provided by the user while attempting to connect to a network. Both wired and wireless networks authenticate users before allowing them to access resources in the network. A typical user authentication consists of a user ID and a password. Other forms of authentication include authenticating a web site by its digital certificate, or verifying that a product matches the label associated with it. The factors associated with the process of authentication are:
• Knowledge factors: The knowledge factors refer to something a user must know in order to log into a system or network. For example, passwords and PINs.


• Possession factors: The possession factors refer to something a user must hold while logging in. For example, one-time password tokens, employee ID cards, smart cards, etc.

• Inherence factors: The inherence factors are something a user is, mostly the biometric characteristics used for authentication. For example, retina scan, fingerprint scan, etc.

Common authentication methods include:

• Passwords

• Two-factor authentication

• Biometrics

• Smart cards and tokens

• Single sign-on

Authorization
Authorization refers to the process of providing permission to access the resources or perform
an action on the network. Network administrators can decide the access permissions of users
on a multi-user system. They even decide the user privileges. The mechanism of authorization
can allow the network administrator to create access permissions for users as well as verify the
access permissions created for each user. Logically, authorization follows authentication: the system must know who the subject is before it can decide what the subject may do, although the strength of authentication required before authorizing an action varies. There are also cases where no authorization decision is needed, for example when a user requests a public web page on the Internet that is open to anonymous access.

Accounting
User accounting refers to tracking the actions performed by users on a network. This includes recording which files a user accessed and what the user did with them, such as altering or modifying files or data, so that activity can be attributed to an account afterwards.


Types of Authentication:
Password Authentication

• Password authentication uses a combination of username and password to authenticate network users

• The password is checked against a database and access is allowed if it matches

• Password authentication can be vulnerable to password cracking attacks such as brute force and dictionary attacks


In password authentication, users provide a username and a password to prove their identity to a system, application or network. The username and password are matched against the list of authorized users in a database or directory service such as Windows Active Directory. Once matched, users can access the system. The stored value should be a salted, slow hash of the password rather than the password itself, so that a copy of the database does not hand an attacker every account.

User passwords should follow standard password creation practices, including a mixture of letters, numbers and special characters and a length greater than 8 characters (short passwords are easily guessed).

Password authentication is vulnerable to brute-force and dictionary attacks, in which an attacker tries possible combinations of characters or lists of likely words to guess the password. It is also vulnerable to eavesdropping: if the password is sent across the network as plain text, an attacker can capture it with a protocol "sniffer".
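As an added example (not EC-Council code), the following Python shows the server side of password authentication done properly: a policy check matching the rules above, a salted PBKDF2 record instead of a stored password, a constant-time comparison, and the dictionary attack an adversary runs against a stolen record. The iteration count, the character-class threshold and the sample wordlist are assumptions chosen for the demonstration.

```python
"""Password policy, salted slow hashing, verification and a dictionary attack
(added example, not EC-Council code)."""
import hashlib
import hmac
import os
import string
from typing import Iterable, Optional

MIN_LENGTH = 9               # the text asks for "greater than 8 characters"
MIN_CLASSES = 3              # assumption: at least three of lower/upper/digit/special
PBKDF2_ITERATIONS = 600_000  # slow on purpose: every guess costs this much work


def password_meets_policy(password: str) -> bool:
    """Length plus character-class mix, as the text describes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CLASSES


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A per-user random salt means two users with the same password get different
    records, so a cracker cannot reuse work (or a precomputed table) across accounts.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What the attacker does with a stolen record: try each candidate word.

    Every candidate costs the full PBKDF2 work, which is the point of the
    iteration count; an unsalted SHA-256 store would be orders of magnitude faster
    to attack and would let one table crack every account at once.
    """
    for word in wordlist:
        if verify_password(word, record):
            return word
    return None


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print("login ok:", verify_password("Tr0ub4dor&3", record))
    print("cracked:", dictionary_attack(record, ["123456", "password", "letmein"]))
```

The record format carries its own iteration count, so the server can raise the cost over time and re-hash on the next successful login without breaking existing users.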


Types of Authentication:
Two-factor Authentication

• Two-factor authentication involves using two different authentication factors out of three (a knowledge factor, a possession factor, and an inherence factor) to verify the identity of an individual in order to enhance security in authentication systems

• Combinations of two-factor authentication: password and smartcard/token, password and biometrics, password and OTP, smartcard/token and biometrics, etc.

• The inherence factor (biometric authentication) is the best companion of two-factor authentication as it is considered the hardest to forge or spoof

• Most widely used physical or behavioral characteristics to establish or verify an identity: fingerprints, palm pattern, voice or face pattern, iris features, keyboard dynamics, signature dynamics, etc.


Two-factor authentication is a process where a system confirms a user's identity using two credentials drawn from different factors. The user may present a physical entity like a security token as one of the credentials and a security code such as a password or PIN as the other. Two checks of the same kind, such as two passwords, do not count as two factors.

Two-factor authentication combines two of the following:

• Something you have

• Something you know

• Something you are


Example: A bank card. A user has to insert the bank card and enter the PIN to use the card at an ATM. Here, the bank card is the physical entity (something you have) and the PIN is the security code (something you know).

Advantage of two factor authentication includes decreasing the chances of identity theft and
phishing. However, there are certain drawbacks for this two-step process. There are situations
where the user will have to wait for the organization to issue the physical token to the user. The
delay in getting the token results in users waiting for a long time to access their private data.

Identity evaluation depends on Knowledge, Possession, and Inherent Factors. Out of these,
inherent factors are difficult to change as they depend on the characteristics of a human being.

There are many combinations available in the two-factor authentication. Commonly found are:

• Password and Smart card

• Password and Biometrics

• Password and OTP


• Smart card and Biometrics


Two-factor authentication performed without the use of hardware tokens is called tokenless authentication, for example a one-time code generated by or delivered to a phone. It can be rolled out quickly across the network because nothing physical has to be issued to users.
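The "password and OTP" combination above is usually implemented with HOTP/TOTP (RFC 4226 / RFC 6238), where the possession factor is the device holding a shared seed. The Python below is an added example, not EC-Council code: it generates the seed the server hands to the user's authenticator app, produces the codes the device would show, and verifies them with a clock-skew window and replay protection. The seed used in the usage block is the RFC 4226 test secret; the timestamps are constructed.

```python
"""HOTP/TOTP second factor with a replay-resistant server-side verifier
(added example, not EC-Council code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1(secret, counter), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30 s steps since the epoch."""
    return hotp(secret, int(at // step), digits)


def provision_seed() -> Tuple[bytes, str]:
    """Server side, done once: a random 160-bit seed plus its Base32 form for the app."""
    seed = secrets.token_bytes(20)
    return seed, base64.b32encode(seed).decode("ascii")


class TotpVerifier:
    """Holds one user's seed and the last accepted step so a captured code cannot be replayed."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1) -> None:
        self.seed = seed
        self.step = step
        self.window = window            # steps of clock skew tolerated on either side
        self.last_step: Optional[int] = None

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now // self.step)
        for candidate in range(current - self.window, current + self.window + 1):
            # Constant-time compare: the code is a secret until its step expires.
            if hmac.compare_digest(hotp(self.seed, candidate), code):
                # Replay defence: never accept a step at or before the last accepted one.
                if self.last_step is not None and candidate <= self.last_step:
                    return False
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 4226 test secret
    device_code = totp(seed, at=59)           # what the user's app shows at t=59
    server = TotpVerifier(seed)
    print("code:", device_code, "accepted:", server.verify(device_code, now=59))
    print("replayed:", server.verify(device_code, now=59))
```

The password check (knowledge factor) runs separately and first; the verifier above only answers the possession question, and its `last_step` state is what turns a correct-but-already-used code into a rejection.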


Types of Authentication:
Biometrics

• Biometrics refers to the identification of individuals based on their physical characteristics

Biometric Identification Techniques:

• Fingerprinting: Ridges and furrows on the surface of a finger, which are unique, are used to identify a person

• Retinal Scanning: Identifies a person by analyzing the layer of blood vessels at the back of their eyes

• Vein Structure Recognition: Thickness and location of veins are analyzed to identify a person

• Voice Recognition: Type of authentication that uses voice recognition to identify or verify a person

Biometrics is a technology that uses measurable human characteristics to authenticate people. The most commonly used biometrics are fingerprint scanners, retina scanners, facial recognition, DNA, and voice recognition.

Biometric authentication involves the following steps:

• The reader scans the biometric data

• Software converts the scanned information into a digital template and compares it against the stored template

The system takes the current biometric data and compares it with the biometric data stored in the database. Because no two captures of a fingerprint or face are exactly alike, the comparison is a similarity score against a threshold rather than an exact match. If the data matches closely enough, the system confirms the authenticity of the user and grants permission.

• Types of identification techniques used in biometrics are:

• Fingerprint Scanning: Compares two fingerprints for verification and identification


using the patterns on the finger. The patterns depend on ridges and minutia points
that differentiate each user's finger prints.

• Retinal Scanning: Compares and identifies a user using the distinctive patterns of
retina blood vessels.

• Iris Scanning: Compares and identifies the images of the iris of one or both eyes of a
user. The iris pattern differs from one person to another.


• Vein structure Recognition: Compares and identifies the patterns produced by user's
veins. Each person has different patterns according to the flow of blood.

• Face Recognition: Compares and identifies a person depending on the facial patterns
from an image or a video source.

• Voice Recognition: Compares and identifies a person according to the voice patterns
or speech patterns.
• Advantages of Biometrics:

• Unlike a password or username, biometric details are difficult to tamper with, and they cannot be shared or given away through social engineering techniques. Biometric authentication requires the presence of the user, which reduces the chances of unauthorized access.


Types of Authentication:
Smart Card Authentication

• A smart card is a small computer chip device that holds a user's personal information required to authenticate them

• Users have to insert their smart cards into readers and enter their Personal Identification Number (PIN) to authenticate themselves

• Smart card authentication is a cryptography-based authentication and provides stronger security than password authentication


Organizations use smart card technology to ensure strong authentication. A smart card can store password files, authentication tokens, one-time password files, biometric templates, etc. Smart cards are usually combined with another factor, such as a PIN, to provide multi-factor authentication and so better logical access security. Smart card technology finds its application in VPN authentication, email and data encryption, electronic signatures, secure wireless logon, and biometric authentication.
A smart card consists of a small computer chip and stores personal information of the user for identification. The card is inserted into a reader for authentication and the user provides the Personal Identification Number (PIN). Smart cards also store the user's public and private keys, and the private key is used inside the chip so that it never has to be copied onto the computer.

The main advantage of using a smart card is that it eliminates the risk of credentials being stolen from a computer, as they are stored in the card's chip itself. However, only a limited amount of information can be stored in the card's microchip.

• Advantages of Smart Card :

• Uses highly secure technology: The smart card technology uses better encryption and authentication methods, increasing the security of the card.

• Easy to carry: Smart cards are easy to carry and a user just needs to know the PIN of
the card.


• Reduces the chances of impersonation: The smart card can store information like fingerprints and other biometric details, allowing organizations to recognize their employees.

• Disadvantages of Smart cards:

• Can be easily lost: Since the smart cards are small in size, the chances of losing it are
very high.

• Security issues: Losing a smartcard puts its owner's information and identity at great
risk.

• High cost for production of smart cards: As smart cards have microchips and other
encryption technologies; its production cost is high.


Types of Authentication:
Single Sign-on (SSO)

• It allows a user to authenticate themselves to multiple servers on a network with a single password without re-entering it every time

Advantages:
• Don't need to remember passwords of multiple applications or systems
• Reduces the time for entering a username and password
• Reduces the network traffic to the centralized server
• Users need to enter credentials only once for multiple applications

[Diagram: the user performs Single Sign-on (SSO) Authentication once and is then granted access to the APP SERVER, EMAIL SERVER and DB SERVER]


As the name suggests, SSO allows users to access multiple applications using a single user name and password. The SSO system stores the user's credentials in an SSO policy server. An example of SSO is Google applications: users can access all Google applications using a single user name and password combination. Consider Google as a central service. The central service creates a session cookie when a user logs in for the first time to any of the applications in the central service. When the user then attempts to access other applications of the central service, the existing cookie proves the session and eliminates the need for the user to enter the credentials again. The system checks the user's session using the cookie rather than the password.

• Advantages of SSO:

• Reduces the number of times users re-authenticate, thereby increasing productivity.


• Reduces the number of places users type a password, which gives phishing fewer opportunities; it does not remove phishing, since the single SSO credential becomes the prize.

• Provides better management of applications due to a centralized account database.


• Disadvantages of SSO:

• Losing the credentials has a higher impact, as one compromised login gives access to all the applications of the central service.
• A vulnerability in the SSO component affects authentication to all the applications that rely on it.
• It is an issue on shared, multi-user computers, where an unlocked session is a session to everything, and it requires security policies such as screen locking and session timeouts to be enforced.


Centralized Authorization
• Authorization for network access is done through a single centralized authorization unit
• It maintains a single database for authorizing all the network resources or applications
• It is an easy and inexpensive authorization approach

Implicit Authorization
• Users can access the requested resource on behalf of others
• The access request goes through a primary resource to access the requested resource

Decentralized Authorization
• Each network resource maintains its own authorization unit and performs authorization locally
• It maintains its own database for authorization

Explicit Authorization
• Unlike implicit authorization, it requires separate authorization for each requested resource
• It explicitly maintains authorization for each requested object


Network authorization can take different forms based on the organization's need.

Centralized Authorization
The need for centralized authorization arose when it became difficult to implement the authorization process individually for each resource. It uses a central authorization database that allows or denies access to users. The decision depends on the policies created by the centralized unit. This enables uniform authorization for users accessing different platforms. Centralized authorization units are easy to handle and have low costs. A single database governs access to all applications, which makes the policy easier to audit and enforce consistently, and it also provides an easy method of adding, modifying, and deleting applications from the centralized unit. The trade-off is that the central unit is a single point of failure and a single point of compromise.

Decentralized Authorization
The decentralized authorization maintains a separate database for each resource. The database
contains the details of all users permitted to access that resource. The decentralized
authorization process enables users to provide access to other users as well. This increases the
flexibility level of the users in using the decentralized method. However, certain issues related
to the decentralized authorization are cascading and cyclic authorizations.

Implicit Authorization
Implicit authorization provides the access to resources indirectly. The task is possible after the
user gets authorization for a primary resource through which the access to the requested


resource is possible. For example, a user who is granted permission to a web site's main page is thereby allowed to access all pages linked from the main page: the user gains indirect access to the other links and documents attached to the main page. Implicit authorization is therefore coarse-grained; it is convenient, but the administrator cannot easily exclude a single linked document.

Explicit Authorization
Explicit authorization maintains separate authorization details for each resource request. The explicit technique is simpler to reason about than the implicit technique and allows fine-grained control; however, it uses more storage space because every authorization decision has to be recorded.


Authorization Principles

Least privilege
• Assigning only limited access to users or groups for accessing resources of a computer like programs, processes or files to fulfill their job responsibilities
• The system administrator is responsible for assigning privileges to prevent the risks of information security incidents and to achieve better system stability and system security

Separation of duties
• Restricting permissions and privileges to the users by separating the administrator account and the user account
• Individuals or workgroups should not be in a position to control all parts of a system or application
• Provides security and reduces the risk of loss of confidentiality, integrity, and availability of enterprise information

The authorization principles describe how the access permission levels of users should be decided. Applying them ensures the security of processes and resources. The process of authorization should be based on the following principles:

Least Privilege
Least privilege grants access permissions only to those users who really need the access and resources, and only as much as they need. The permissions granted depend on the roles and responsibilities of the user requesting the access. Two underlying ideas are involved in the least privilege method: less right and less risk. Users should be able to complete their tasks with the limited set of resources, and for the limited time, that they are given. This approach reduces unauthorized access to system resources and limits the damage when an account is compromised.

Separation of Duties
Separation of duties breaks a sensitive process into steps and assigns the privilege for each step to a different subject. It ensures that no one individual has the authorization rights to perform all functions, and at the same time does not give one individual access to all objects. This division makes sure that a single person is not responsible for an entire process, so that fraud or a serious error requires collusion. For example, the web server administrator is granted rights only to configure the web server, without being granted administrative rights on other servers.


Encryption

• Encryption is a way of protecting information by transforming it in such a way that the resulting transformed form is unreadable to an unauthorized party

• To encrypt data, an encryption algorithm uses a key to perform a transformation on the data

Types of Encryption:
• Symmetric Encryption
• Asymmetric Encryption

[Diagram: File → Encryption → Encrypted File; the file encryption key (FEK) is itself encrypted and stored in the encrypted file's header]


Encryption is the practice of concealing information by converting plain text (readable format) into cipher text (unreadable format) using a key and an encryption algorithm. Encryption protects the confidentiality of organizational data, at rest or in transit. On its own it does not guarantee integrity: an attacker who cannot read a ciphertext may still be able to alter it undetected, so integrity is provided by hashing and message authentication codes, covered later in this module.

The encryption algorithm encrypts the plain text with the help of an encryption key. The encryption process creates a cipher text that has to be decrypted with the help of a key. Decryption reverses the process, using the same key in symmetric encryption or the matching private key in asymmetric encryption. Common encryption algorithms include DES, 3DES and AES (symmetric) and RSA (asymmetric). MD5 and SHA, which are often listed alongside them, are hash functions rather than encryption algorithms: they take no key and cannot be reversed. Encryption is applied when transmitting data over a network, on mobile phones, and across wireless and Bluetooth links.


Symmetric Encryption

• Symmetric encryption is the oldest cryptographic technique used to encrypt digital data in order to ensure data confidentiality

• It is called symmetric encryption as a single key is used for encrypting and decrypting the data

• It is used to encrypt large amounts of data

[Diagram: both sender and receiver share the same key to encrypt and decrypt data. The sender uses the secret key to encrypt the confidential message ("Hello, how are you?") and sends it to the receiver; the receiver decrypts the data using the secret key and reads the confidential message]


Symmetric encryption requires that both the sender and the receiver of the message possess the same encryption key. The sender uses the key to encrypt the plaintext and sends the resulting ciphertext to the recipient, who uses the same key to decrypt the ciphertext into plaintext. Symmetric encryption is also known as secret key cryptography, as it uses only one secret key to encrypt and decrypt the data. This kind of cryptography works well when you are communicating with only a few people, since every pair of parties needs its own shared key.
Because the sender and receiver must share the key prior to sending any messages, this technique is of limited use on its own for the Internet, where individuals who have not had prior contact frequently require a secure means of communication. The solution to this problem is public-key cryptography, which is used to agree on or deliver the symmetric key.

Symmetric key encryption can use stream ciphers or block ciphers. Stream ciphers encrypt the message a bit or a byte at a time by combining it with a keystream, whereas block ciphers encrypt fixed-size blocks of bits.

• Advantages:

• Easy to encrypt and decrypt the message.

• Faster than asymmetric encryption.


• Disadvantages:

• The communicating parties need to share the key used for transmission of data.

• Unauthorized access to the symmetric key compromises data at both ends.


Asymmetric Encryption

• Asymmetric encryption, unlike symmetric encryption, uses two separate keys to carry out encryption and decryption; one key, called the public key, for encrypting messages, and the second key, called the private key, for decrypting messages

• It is also called public key encryption and is used to encrypt small amounts of data

[Diagram: the receiver selects a public and private key and sends the public key to the sender. The sender uses the public key to encrypt the message and sends it to the receiver. The receiver decrypts the data using the private key and reads the message]


The introduction of asymmetric encryption (also known as public-key cryptography) was to


sol ve key-management problems. Asymmetric encryption involves a public key and a private
key. The public key is publicly available, but the sender keeps the private key a secret.

Asymmetric encry ption uses the following sequence to send a message:


1. An individual finds the public key of the person they want to contact in a directory.

2. This public key is used to encrypt a message that is then sent to the intended recipi ent.
3. The receiver uses the private key to decrypt the message and read it.

No one but the holder of the private key can decrypt a message encrypted with the corresponding public key. This increases the security of the information because all communications involve only public keys; the message sender never transmits or shares the private keys. The sender must bind public keys to usernames in a secure way to ensure that unauthorized individuals claiming to be the intended recipient do not intercept information. To meet the need for authentication, one can use digital signatures.

• Advantages:

• More secure than symmetric encryption.

• No need to distribute the keys.

Module 03 Page 184 Certified Network Defender Copyright © by EC-Council

• Disadvantages:

• It takes a longer time than symmetric encryption as it involves various combinations of the secret keys and the public keys.

• Various complex algorithms involved in the process of asymmetric encryption also increase the time taken to implement it.


Hashing: Data Integrity

• Hashing is one of the forms of cryptography that transforms the information into a fixed-length value or key that represents the original information

• Hashing ensures the security of information by checking the integrity of information on both the sender and receiver sides

• Checking the integrity of information:

• The sender of the message creates a hash code of it and sends the message to the receiver along with its hash code

• The receiver again creates a hash code for the same message at the receiver side and compares both the hash codes; if they match, then the message has not been tampered with.

Figure: The sender hashes the confidential message and sends the message together with the hash code; the receiver recomputes and checks the hash code to ensure that the message has not been altered.

Hashing is a method to generate a fixed-length string, which looks random, for a message using an algorithm. It involves the conversion of the original message into a short fixed-length value or key that represents the original information.

• Hashing finds its application in:

• Secure storage of passwords: Passwords are hashed before being stored in the database. Every time the user enters the password to log in, it is first hashed and the generated hash is matched with the hash stored in the database. If both hashes match, the user is granted access. Hashing secures passwords from attackers who gain access to the database. The stored hash is useless until the attacker is able to generate the password using a reverse algorithm.

• Monitoring file integrity: Hashing helps identify if a downloaded file has been tampered with. A hash of the downloaded file is generated and matched with the one provided by the website. If both hashes match, it is assumed that the file is in its original form.

• Monitoring message integrity: Hashing ensures that the transmitted messages are not tampered with. An encrypted hash is sent along with the message to the receiver, who decrypts the message and hash, and generates a hash from the decrypted message. If the sent hash and the generated hash are the same, the message is assumed to have been transmitted safely.

Module 03 Page 186 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Security Controls, Protocols, and Devices

• COMMON HASHING FUNCTIONS:

• MD5 (Message Digest 5): Generates hashes of 128 bits in length, expressed as 32 hexadecimal characters.

• SHA (Secure Hashing Algorithm): Considered a more secure hashing algorithm.

• SHA-1: Generates hashes of 160 bits in length, expressed as 40 hexadecimal characters.

• SHA-256: Generates hashes of 256 bits in length, expressed as 64 hexadecimal characters.

• LIMITATIONS OF HASHING:

• As a hash is a fixed-length string, it may result in a collision (generating the same hash for different data). A hash of smaller length is more prone to collisions.
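The three hashing applications and the digest sizes listed above, worked through with Python's standard library; this is an added example, not code from the courseware. For message integrity it uses a keyed hash (HMAC) in place of the "encrypted hash" the text describes, and for password storage a salted, iterated PBKDF2 record; all sample inputs are constructed.

```python
import hashlib
import hmac
import os

# Added example, not the courseware's code: the hashing uses this module lists,
# with Python's standard library only. Sample inputs are constructed.


def digest_hex_lengths(data=b"Confidential Message"):
    """Hex-digit length of each digest the text describes: MD5 32, SHA-1 40, SHA-256 64."""
    return {name: len(hashlib.new(name, data).hexdigest()) for name in ("md5", "sha1", "sha256")}


def avalanche(data):
    """Flip one bit of the input and count how many of SHA-256's 256 output bits change;
    a good hash changes about half, so a tampered file never 'almost' matches."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    a = int.from_bytes(hashlib.sha256(data).digest(), "big")
    b = int.from_bytes(hashlib.sha256(flipped).digest(), "big")
    return bin(a ^ b).count("1")


def verify_download(file_bytes, published_sha256_hex):
    """File integrity: hash the downloaded bytes and compare with the digest the site
    published (constant-time compare, so the check itself leaks nothing by timing)."""
    actual = hashlib.sha256(file_bytes).hexdigest()
    return hmac.compare_digest(actual, published_sha256_hex.lower())


def hash_password(password, salt=None, iterations=600_000):
    """Password storage: a per-user random salt and many PBKDF2-HMAC-SHA256 iterations
    instead of a bare MD5/SHA hash, so equal passwords hash differently and each
    guess costs the attacker real time. Returns a self-describing record."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Login: re-hash the typed password with the stored salt and parameters, then compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def mac_message(key, message):
    """Message integrity: a keyed hash (HMAC) stands in for the 'encrypted hash' the
    text describes. Without the key, an attacker who alters the message cannot
    recompute a hash code that the receiver will accept."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key, message, received_mac):
    return hmac.compare_digest(mac_message(key, message), received_mac)


if __name__ == "__main__":
    print(digest_hex_lengths())
    print("bits changed by a one-bit edit:", avalanche(b"Confidential Message"))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    key = os.urandom(32)                      # shared secret, constructed for the demo
    tag = mac_message(key, b"Confidential Message")
    print(verify_message(key, b"Confidential Message", tag),
          verify_message(key, b"Confidential Message!", tag))
```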

Module 03 Page 187 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Security Controls, Protocols, and Devices

Digital Signatures

• Digital signatures use the asymmetric key algorithms to provide data integrity

• A specific signature function is added to the asymmetric algorithm at the sender's side to digitally sign the message, and a specific verification function is added to verify the signature to ensure message integrity at the recipient side

• The asymmetric algorithms that support these two functions are called digital signature algorithms

• Digitally signing messages slows performance; the hash value of the message is used instead of the message itself for better performance

• A digital signature is created using the hash code of the message, the private key of the sender, and the signature function

• It is then verified using the hash code of the message, the public key of the sender, and the verification function

Figure: The sender selects a public and private key and sends the public key to the receiver; the sender uses the private key to "sign" the message and sends the message and signature to the receiver.

Figure: Creating a digital signature at sender side: Confidential Message, Hashing Algorithm, Hash Code, Signature Function (with Private Key), Message with Digital Signature.

Figure: Verifying a digital signature at recipient side: Message with Digital Signature, Hashing Algorithm, Hash Code; Verification Function (with Public Key), Hash Code; the two hash codes are compared.


A digital signature is a cryptographic means of authentication. Public-key cryptography uses asymmetric encryption and helps the user to create a digital signature.

A hash function is an algorithm that helps users to create and verify digital signatures. This algorithm creates a digital representation, also known as the message fingerprint. This fingerprint has a hash value that is much smaller than the message, but one that is unique. If the attacker changes the message, the hash function will produce a different hash value.

To verify the digital signature, one needs the hash value of the original message and the hash function used to create the digital signature. With the help of the public key and the new result, the verifier checks to see if the digital signature was created with the related private key, and whether the new hash value is the same as the original.


Digital Certificates

• The public key in a digital signature can be transmitted securely by sending it over a secured channel like SSL, but if the sender wants to send his public key to more users, a number of these secured channels need to be created for each user communication; this process will become quite tedious and unmanageable

• Digital certificates are used to deal with security concerns about transmitting public keys securely to the receiver in the digital signature

• The trusted intermediary solution is used to secure public keys, where the public key is bound with the name of its owner

• Owners of the public key need to get their public keys certified by the intermediary; the intermediary then issues certificates called digital certificates to the owners, which they can use to send the public key to a number of users

Figure: The sender signs the message digitally using his private key (signature function) and sends it to the receiver along with the digital certificate; the receiver extracts the public key from the digital certificate and verifies the digitally signed message from the sender using the extracted public key (verification function).

Digital Certificate Attributes

• Serial number: Represents the unique certificate identity

• Issuer: Provides the identity of the authority that issued the certificate

• Subject: Represents the owner of the certificate, which may be a person or an organization

• Valid from: Denotes the date from which the certificate is valid

• Signature algorithm: States the name of the algorithm used for creating the signature

• Valid to: Denotes the date till which the certificate is valid

• Key usage: Specifies the purpose of the public key, whether it should be used for encryption, signature verification, or both

• Signature hash algorithm: Specifies the hashing algorithm used for digital signatures

• Public key: Used for encrypting the message or verifying the signature of the owner

• Thumbprint: Specifies the hash value for the certificate, which is used for verifying the certificate's integrity


Digital certificates allow the secure interchange of information between a sender and a receiver. They enable the sender to deliver a public key to the receiver. The sender applies for a digital certificate from the Certificate Authority (CA). Along with the encrypted message and the public key, the CA provides other identity-validating information. The receiver accepts the encrypted message and uses the CA's public key to decode the digital certificate. This allows the receiver to identify the digital signature and then obtain the sender's public key and other identification details.

The digital certificate can hold information like the name of the sender who applied for the certificate, the expiration date, a copy of the sender's public key, and the digital signature of the CA. Receivers of the digital certificate can check its validity using the signature that the approved authority attached with its private key. Each operating system and web browser carries authorized certificates from the CAs, which enables easy validation. The main aim in implementing a digital certificate is to ensure nonrepudiation.

Most SSL/TLS deployments use certificates in order to prevent attackers from changing or modifying the data. Certificates also find application in e-mail servers and code signing.
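The encryption, signature and certificate flows described in the asymmetric encryption, digital signature and digital certificate sections above, as one added example in Python that is not the courseware's own code. It implements textbook RSA with the standard library only, so the key size, seeds, subject name and the certificate layout are constructed demo values chosen for illustration.

```python
import hashlib
import random

# Added teaching example, not the courseware's code: textbook RSA from Python
# built-ins, showing the flows this module describes. The sender encrypts with the
# receiver's public key, signs a hash code with its own private key, and a trusted
# intermediary (CA) certifies a name-to-public-key binding. No padding, no
# side-channel hardening: it demonstrates the mechanics only.

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; a composite survives all rounds with probability below 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=320, seed=None):
    """Return ((e, n), (d, n)). 'seed' only makes demos reproducible; real keys use SystemRandom and 2048+ bits."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # full size, odd
            if is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                      # e must be coprime with phi
            return (e, p * q), (pow(e, -1, phi), p * q)

def encrypt(public, message):
    """Sender encrypts with the receiver's PUBLIC key."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:  # why asymmetric ciphers carry only small data such as a session key
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def decrypt(private, ciphertext):
    """Receiver decrypts with its PRIVATE key (leading zero bytes are not preserved)."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(private, message):
    """Signature function over the hash code of the message, not the message itself."""
    d, n = private
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)

def verify(public, message, signature):
    """Verification function: recompute the hash code and check it against the signature."""
    e, n = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")

def issue_certificate(ca_private, subject, subject_public):
    """CA binds the owner's name to its public key; the thumbprint hashes the whole certificate."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    signature = sign(ca_private, body)
    thumbprint = hashlib.sha256(body + b"|" + str(signature).encode()).hexdigest()
    return {"subject": subject, "public_key": subject_public,
            "signature": signature, "thumbprint": thumbprint}

def verify_certificate(ca_public, cert):
    body = f"{cert['subject']}|{cert['public_key'][0]}|{cert['public_key'][1]}".encode()
    return verify(ca_public, body, cert["signature"])

def verify_signed_message(ca_public, cert, message, signature):
    """Receiver trusts only the CA key: validate the certificate, extract the sender's key, verify."""
    return verify_certificate(ca_public, cert) and verify(cert["public_key"], message, signature)

if __name__ == "__main__":
    ca_pub, ca_priv = keygen(seed=1)            # constructed demo identities; fixed
    alice_pub, alice_priv = keygen(seed=2)      # seeds only so the run is reproducible
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    sig = sign(alice_priv, b"Confidential Message")
    print("accepted:", verify_signed_message(ca_pub, cert, b"Confidential Message", sig))
    print("tampered:", verify_signed_message(ca_pub, cert, b"Confidential Message!", sig))
    print("decrypted:", decrypt(alice_priv, encrypt(alice_pub, b"session-key-0123456789abcdef")))
```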


Public Key Infrastructure (PKI)

Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates

Components of PKI

• Certificate Authority (CA): Issues and verifies digital certificates

• Registration Authority (RA): Acts as the verifier for the certificate authority

• A certificate management system for generation, distribution, storage, and verification of certificates

• Validation Authority (VA): Where the certificates (with their public keys) are stored

Public Key Infrastructure (PKI) (Cont'd)

Figure: PKI flow among the Certification Authority (CA), Registration Authority (RA), and Validation Authority (VA), with the steps labelled: user applies for issuing certificate; request for issuing certificate; public key determined; certificate; message in public key certificate signed with digital signature; enquires about public key certificate validity to validation authority; validation of electronic signature; result.


Public Key Infrastructure (PKI) is a security architecture developed to increase the confidentiality of information exchanged over the Internet. It includes hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, the PKI helps to bind public keys with corresponding user identities by means of a Certificate Authority (CA).

PKI is a comprehensive system that allows the use of public-key encryption and digital signature
services across a wide variety of applications. PKI authentication depends on digital certificates
(also known as public-key certificates) that CAs sign and provide. The digital certificate is a
digitally signed statement with a public key and the subject (user, company, or system) name
on it.

Public-key infrastructure is widely recognized as a best practice for ensuring digital verification for electronic transactions. It is the most effective method for providing verification while enabling electronic transactions. The digital signatures supported by PKI establish the following:

• With whom you are dealing (identification)

• Who is authorized to access what information (entitlements)

• A verifiable record of the transaction (verification)

Uses of PKI
PKI does not serve as a business function only; it provides the foundation for other security
services. The primary use of PKI is to allow the distribution and use of public keys and
certificates with security. The security mechanisms that are based on PKI include email, chip
card application, value exchange with e-commerce, home banking, and electronic postal
systems. PKI enables basic security services for varied systems that are as follows:

• Uses SSL, IPsec, and HTTPS protocols for communication security.

• Uses S/MIME and PGP protocols for email security.

• Uses SET protocol for value exchange.

The following are the key benefits of PKI:

• Reduces transactional processing expenses.

• Reduces risk.

• Improves efficiency and performance of systems and networks.

• Reduces the difficulty of security systems with binary symmetrical methods.


Network Security Policy

• Network security policy defines the rules for access to the network resources of an organization

• It helps in restricting unauthorized access to network resources from outside malicious users as well as from users within the organization

• It is updated continuously depending upon technology and employee requirements

A network security policy is a document describing the various policies used to build the network security architecture of the organization. The security policies generally cover data access, web browsing methods, and encryption processes. The policy also helps in restricting unauthorized users and malicious users from accessing the organization's resources. A security policy should include the type of services that are available and the probability of damage to these services. The security policies decide the access permissions of users and the security of the network. Security policies grant users only the minimal level of access to resources that is enough to complete their tasks. Organizations need to monitor the policies and confirm they meet their security needs.


Network Security Devices: Firewalls

• A firewall is software or hardware, or a combination of both, which is generally used to separate a protected network from an unprotected public network

• It monitors and filters the incoming and outgoing traffic of the network and prevents unauthorized access to private networks

• It works at the network layer of the OSI model, or the IP layer of TCP/IP.

Figure: Firewall placed between the Local Area Network and the Public Network (modem, Internet).

A firewall is a secure, reliable, and trusted device placed between private and public networks. It helps in protecting a private network from the users of a different network. It has a set of rules to inspect the incoming and outgoing network traffic and is responsible for allowing or denying the traffic that passes through.

Typical uses of firewalls:

• Protect the private network's applications and services on the internal network from unauthorized traffic and from the public network.

• Restrict the access of hosts on the private network to the services of the public network.

• Support network address translation, which helps in using private IP addresses and sharing a single Internet connection.
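An added example, not the courseware's code, of the rule-based allow/deny behaviour described above: a first-match packet filter that looks only at network- and transport-layer fields, run over a few constructed packets. The addresses, the rule set and the "in"/"out" direction labels are assumed demo values.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the courseware's code: a first-match packet filter of the
# kind the text describes, deciding on IP addresses, protocol and port only.


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (public to private) or "out" (private to public)
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port; 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    direction: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0      # 0 matches any port
    comment: str = ""

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (0, pkt.dport))


PRIVATE_LAN = "192.168.10.0/24"   # constructed example addressing

# Ordered rule set: evaluation stops at the first match, and anything that matches
# no earlier rule falls through to the final default deny.
RULES = [
    Rule("deny", "in", src=PRIVATE_LAN, comment="anti-spoofing: LAN addresses never arrive from outside"),
    Rule("allow", "in", dst="192.168.10.80/32", proto="tcp", dport=443, comment="published HTTPS server"),
    Rule("allow", "out", src=PRIVATE_LAN, proto="tcp", dport=443, comment="LAN hosts may browse HTTPS"),
    Rule("allow", "out", src=PRIVATE_LAN, proto="udp", dport=53, comment="DNS lookups"),
    Rule("deny", comment="default deny"),
]


def filter_packet(pkt, rules=RULES):
    """Return (action, comment) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "implicit deny"   # only reached if a rule set lacks a catch-all


if __name__ == "__main__":
    samples = [   # constructed traffic: two inbound probes, one spoofed source, one DNS lookup
        Packet("in", "203.0.113.7", "192.168.10.80", "tcp", 443),
        Packet("in", "203.0.113.7", "192.168.10.80", "tcp", 22),
        Packet("in", "192.168.10.5", "192.168.10.80", "tcp", 443),
        Packet("out", "192.168.10.5", "198.51.100.9", "udp", 53),
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, p.proto, p.dport, filter_packet(p))
```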


Network Security Devices: Proxy Server

• A proxy server is a dedicated computer or a software system virtually located between a client and the actual server

• It intercepts and filters all the requests going to the real server

• It provides an additional layer of defense to the network and can protect against some OS and Web Server specific attacks

• It is a sentinel between an internal network and the open Internet

• It serves clients' requests on behalf of actual servers, thereby preventing actual servers from exposing themselves to the outside world

• Network administrators should deploy a proxy server to intercept malicious, offensive Web content, computer viruses, etc. hidden in the client requests

Figure: Proxy server placed between the internal clients and the Internet.

A proxy server is an application that can serve as an intermediary when connecting with other computers.

A proxy server is used:

• As a firewall, and to protect the local network from outside attacks.

• As an IP address multiplexer, allowing a number of computers to connect to the Internet when you have only one IP address (NAT/PAT).

• To anonymously surf the web (to some extent).

• To filter out unwanted content, such as ads or "unsuitable" material (using specialized proxy servers).

• To provide some protection against hacking attacks.

• To save bandwidth.

How proxy servers work

Initially, when you use a proxy to request a particular web page on an actual server, the proxy server receives the request. The proxy server then sends your request to the actual server on your behalf; it mediates between you and the actual server to send the request and return the response.

A proxy server improves security, administrative control, and caching services. It is also used for evaluating network traffic and maintaining user confidentiality.


Proxy servers in an organization help in maintaining security and administrative controls. However, attackers use proxy servers to hide their presence on the Internet.


Advantages of using Proxy Servers

1. Bandwidth savings and improved speed

2. Control of Internet usage

3. Hides IP address, location, and other information

4. Improved security, mainly in business networks

The following are some more benefits of using a proxy server in the network:

• Acts as a security barrier between user devices and servers.

• Enhances the security and privacy of client devices.

• Improves browsing speed.

• Provides advanced logging capabilities for user activities.

• Used to control access to specific types of restricted services.

• Helps the organization to hide its internal IP addresses.

• Reduces the chances of cookies being modified in the browser configuration and protects from any kind of malware.

• Filters requests from external sites.

• Improves delivery of the requested web pages to the users.

• Enables authentication at the proxy server before it handles user requests and services.


Proxy Tool: Proxy Workbench

• Proxy Workbench is a proxy server that displays data passing through it in real time

• It allows you to drill into specific TCP/IP connections, view their history, save the data to a file, and view the socket connection diagram

Figure: Proxy Workbench screenshot showing the monitored services (SMTP, POP3, HTTP proxy, HTTPS proxy, FTP, pass-through), the active socket connections, and the real-time data pane with a hex dump of an HTTP request.

http://www.proxyworkbench.com

Proxy Workbench is a proxy server utility that displays the passage of data in real time. For a particular TCP/IP connection it allows saving the data, viewing the history, and viewing the socket connection diagram. The socket connection diagram displays the graphical history of all the previous events that took place in that socket connection.

• Advantages:

• Displays an animated view of the socket connection.

• Handles POP3 and HTTPS (Secure sockets).

• Displays real time logging of data.

• Proxy workbench is mainly used by:

• People interested in Web browsing, sending and receiving e-mails etc.

• Programmers

• IT training industry

• Internet security practitioners

Source: http://proxyworkbench.com


Proxy Tools

SocksChain: http://ufasoft.com

Fiddler: http://www.telerik.com

Burp Proxy: http://www.portswigger.net

AnalogX Proxy: http://www.analogx.com

Proxifier: https://www.proxifier.com

Protoport Proxy Chain: http://www.protoport.com

WinGate: http://www.wingate.com

ProxyCap: http://www.proxycap.com

Charles: http://www.charlesproxy.com

CCProxy: http://www.youngzsoft.net

Socks Chain

Source: http://ufasoft.com

Socks Chain is a program that allows working with any Internet service through a chain of SOCKS or HTTP proxies to hide the real IP address. Socks Chain functions as a usual SOCKS server that transmits queries through a chain of proxies. It can be used with client programs that do not support the SOCKS protocol but work over one TCP connection, such as TELNET, HTTP, IRC, etc.

Burp Proxy

Source: http://www.portswigger.net

Burp Proxy, part of Burp Suite, is an intercepting proxy server that operates as a man-in-the-middle between your browser and the target application, allowing you to intercept and modify all HTTP/S traffic passing in both directions.

Proxifier

Source: https://www.proxifier.com

Proxifier allows network applications that do not support working through proxy servers to
operate through a SOCKS or HTTPS proxy and chains.


WinGate
Source: http://www.wingate.com
WinGate Proxy Server is an integrated Internet gateway and communications server which
meets the control, security, and communications needs of today's businesses. It provides the
flexibility to match the company's budget, irrespective of the size of the organization.

Charles

Source: http://www.charlesproxy.com
Charles is an HTTP proxy/HTTP monitor/reverse proxy that enables developers to view all HTTP and SSL/HTTPS traffic between their machine and the Internet. This includes requests, responses, and the HTTP headers (which contain the cookies and caching information).

Fiddler
Source: http://www.telerik.com
Fiddler is a proxy server that is compatible with any browser, system or platform.

Key features of Fiddler include:

• Web Debugging

• Performance Testing

• Security Testing

• Web session manipulation

• HTTP/HTTPS traffic recording

• Customizing Fiddler

AnalogX Proxy

Source: http://www.analogx.com
AnalogX Proxy is a server that allows any other machine on the local network to route its requests through a central machine. The protocols supported by the proxy are HTTP (web), HTTPS (secure web), POP3 (receive mail), SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and Socks4/4a and partial Socks5.

Protoport Proxy chain

Source: http://www.protoport.com
Protoport Proxy Chain software enables users to build a chain of proxy servers from different
countries. The proxy server tool enables them to surf the internet anonymously.

ProxyCap

Source: http://www.proxycap.com
ProxyCap redirects a computer's network connections through proxy servers. ProxyCap lets you determine which applications can connect to the Internet through a proxy. ProxyCap supports the SSH protocol, allowing the user to specify an SSH server as the proxy server.


CCProxy

Source: http://www.youngzsoft.net
CCProxy is a Windows proxy server that assists users in building their own proxy server and sharing the Internet connection within the LAN. CCProxy can support broadband, DSL, dial-up, optical fiber, satellite, ISDN, and DDN connections. CCProxy can act as an HTTP, mail, FTP, SOCKS, news, Telnet, and HTTPS proxy server. The functions provided by CCProxy are: Internet access control, bandwidth control, Internet web filtering, content filtering and time control, web caching, online access monitoring, access logging, and bandwidth usage statistics.


Network Security Devices: Honeypot

• A honeypot is an information system resource that is explicitly set up to attract and trap people who attempt to penetrate an organization's network

• It has no authorized activity, does not have any production value, and any traffic to it is likely a probe or an attack

• A honeypot can log port access attempts, or monitor an attacker's keystrokes. These could be early warnings of a more concerted attack

Figure: Honeypot placed in the DMZ next to the Web Server, behind the firewall packet filter and separated from the Internal Network.

A honeypot is a computer system on the Internet intended to attract and trap people who try unauthorized or illicit utilization of the host system. It is a fake proxy run in an attempt to frame attackers by logging traffic through it, and then sending complaints to victim ISPs. Whenever there is any interaction with a honeypot, it is most likely to be a malicious activity. Honeypots are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with many different security applications. Some honeypots help in preventing attacks, others can be used to detect attacks, while others can be used for information gathering and research. It requires a considerable amount of attention to maintain a honeypot.

• To set up a honeypot:

• Install a system on the network with no particular purpose other than to log all attempted access.

• Install an older, unpatched operating system on a network. For example, the default installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A standard intrusion detection system can then be used to log hacks directed against the system and further track what the intruder attempts to do with the system once it is compromised. Alternatively, install special software designed for this purpose, which has the advantage of making it appear that the intruder is successful without really allowing them access to the network.

• Ensure that the attacker cannot easily delete system data intended to be in the honeypot.


• The main intention of implementing a honeypot is to:

• Track the activities performed by the attackers, thereby allowing the network
administrators to build countermeasures for those attacks.

• Collect forensic information that can be used for the further investigation of the
attack.

• There are two types of honeypots classified based on their deployment:

• Production Honeypot: Normally placed inside a production network along with the
other production servers, thereby giving a notion to the attackers that it contains real
and valuable data. The organization evaluating the traffic through the honeypot can
now understand the activities performed by an attacker. Honeypots also allow the
organization to identify the attackers and bring them behind bars.

• Research Honeypot: Research honeypots enable an organization to closely evaluate
each step taken by the attackers while attacking the network, so that the organization
understands each step carefully and can develop the measures required for each
attack. The use of a honeypot also enables the organization to easily track the data
stolen by the attackers.

• The further classification of honeypots, based on their design:

• Pure Honeypots: Pure honeypots make it possible to track the activities of an attacker
completely. A small tap is placed on the honeypot's link to the network.

• Low-interaction Honeypots: As the name suggests, low-interaction honeypots
generally fake those services frequently requested by the attacker. They are essentially
a single machine with multiple virtual machines.

• High-Interaction Honeypots: High-interaction honeypots stage many of the services
and activities performed by real production systems, tricking the attackers into
believing that they are accessing a real production system. Multiple honeypots on a
single machine are possible by implementing virtual machines. High-interaction
honeypots are highly secure and examine each activity of the attacker. The
disadvantage of this honeypot is that it is very costly to maintain and implement.

Honeypots implemented need to look as genuine as any other original production system. They
should contain information that can attract the attackers and persuade them to perform
activities.
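As an added example (not from the CND courseware or any of the honeypot tools it names), a minimal low-interaction honeypot in Python: it has no purpose other than to log access attempts, offers a constructed SSH-style banner, records what each client sends, and summarizes attempts per source so that every contact can be raised as an alert. It assumes the listener is bound to 127.0.0.1 on an ephemeral port purely for the demonstration; the banner string and the `probe` client are constructed.

```python
import socket
import threading
import time

# Constructed banner for the fake service; not a real host on any network.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


class LowInteractionHoneypot:
    """Accepts connections, sends a fake service banner, records what the
    client sends first, and closes. It never provides a real service, so
    every connection is by definition unsolicited and worth an alert."""

    def __init__(self, host="127.0.0.1", port=0):   # port 0 = ephemeral (demo)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.sock.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                   # one record per connection attempt
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(0.5)
                try:
                    conn.sendall(FAKE_BANNER)
                    data = conn.recv(1024)   # the client's own banner/first bytes
                except OSError:
                    data = b""
                self.events.append({"time": time.time(), "src_ip": peer[0],
                                    "src_port": peer[1], "first_bytes": data[:64]})


def summarize(events):
    """Group honeypot events by source IP: attempt count and the distinct
    first payloads seen. Any entry at all is an alert for the defender."""
    summary = {}
    for e in events:
        entry = summary.setdefault(e["src_ip"], {"attempts": 0, "payloads": set()})
        entry["attempts"] += 1
        entry["payloads"].add(e["first_bytes"])
    return {ip: {"attempts": v["attempts"], "payloads": sorted(v["payloads"])}
            for ip, v in summary.items()}


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed client used only to exercise the listener locally."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        if payload:
            s.sendall(payload)
        time.sleep(0.1)
    return banner


def run_demo():
    """Start the listener, make two constructed connection attempts against it,
    and return (banner seen by the client, per-source summary)."""
    hp = LowInteractionHoneypot()
    hp.start()
    try:
        banner = probe(hp.port, b"SSH-2.0-libssh_0.8.1\r\n")
        probe(hp.port)
        deadline = time.time() + 2
        while len(hp.events) < 2 and time.time() < deadline:
            time.sleep(0.05)
    finally:
        hp.stop()
    return banner, summarize(hp.events)


if __name__ == "__main__":
    _banner, result = run_demo()
    for ip, info in result.items():
        print(f"ALERT honeypot contact from {ip}: {info['attempts']} attempt(s)")
```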


Advantages of using Honeypots

• It is difficult to identify an internal attack attempted within the organization's firewall
monitoring space. Honeypots can help resolve this.

• Honeypots appear to be easy to compromise, so the attackers focus on the honeypots first.

• Honeypots provide high value and limited data compared to firewalls, system logs, and IDS.

• The sole purpose of honeypots is to track the attacks, so they can easily identify any newly
created viruses and worms.

• Due to their limited data monitoring feature, honeypots rarely face a resource exhaustion
problem.

• Honeypots are easy to deploy, configure and maintain.

• Honeypots need less equipment, so the investment in them is less.

• Honeypots can be used to identify zero-day attacks.

• Honeypots confuse attackers and keep them occupied.

The following are some security benefits of implementing honeypots in the network:

• Simplicity: Honeypots are simple to implement as they do not contain complex
algorithms.

• Detect inside attacks: Honeypots help detect insiders (employees) misusing the system.

• Reduce false positives: Any connection to a honeypot is considered a hostile attack. Any
information sent from the honeypot represents an intrusion.

• Identify false negatives: Since any activity with the honeypot is considered abnormal,
they help capture new attacks or activity against them easily.

• Data collection: Honeypots collect a small amount of high-value data. This small amount of
information is exactly what is needed, presented in an easy-to-understand format.

• Resources: As honeypots capture less activity, they do not come across a resource
exhaustion issue.

• Encryption: Honeypots capture the activity even if it is encrypted.

• IPv6: Honeypots are capable of detecting, capturing, and logging all IP activity.

• Incident response: Allows the organization to detect and prevent attacks by taking the
necessary steps.

• Warning system: Provides alerts regarding threats in the network.


• Ability to mislead: Easy to mislead attackers.

• Stores information: Information collected by honeypots is considered highly beneficial.


• Kojoney: http://kojoney.sourceforge.net
• HIHAT: http://hihat.sourceforge.net
• Glastopf: http://glastopf.org
• HoneyBOT: http://www.atomicsoftwaresolutions.com
• Canary: https://canary.tools
• HoneyD: http://www.citi.umich.edu
• Thug: http://buffer.github.io
• T-POT: http://dtag-dev-sec.github.io
• ARGOS: http://www.few.vu.nl
• Conpot: https://pypi.python.org

Kojoney

Source: http://kojoney.sourceforge.net

Kojoney is a low-interaction honeypot that emulates an SSH server. The prerequisites
required for Kojoney are:
• OpenSSL
• Python
• Sh or Bash (Bourne Again SHell)
• Zope-Interfaces (included in the package)
• Twisted (included in the package)
• Twisted Conch (included in the package)

Glastopf

Source: http://glastopf.org

Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks
targeting web applications. Glastopf follows a very simple principle: send the correct response
to the attacker exploiting the web application.


Canary

Source: https://canary.tools

Canary honeypot mimics a production system when deployed. It helps an organization in the
early detection of network breaches.

Thug

Source: http://buffer.github.io

Thug is a low-interaction honeyclient. The main aim behind Thug is to mimic the behavior of a
web browser in order to detect and emulate malicious contents. A honeyclient is a tool
designed to mimic the behavior of a user-driven network client application, such as a web
browser, and be exploited by an attacker's content.

Argos

Source: http://www.few.vu.nl

The Argos honeypot uses dynamic taint analysis to detect and analyze control flow attacks.

HIHAT

Source: http://hihat.sourceforge.net

The High Interaction Honeypot Analysis Toolkit (HIHAT) transforms arbitrary PHP applications
into web-based high-interaction honeypots. It provides a graphical user interface which
performs the process of monitoring the honeypot and analyzing the acquired data.

HoneyBOT

Source: http://www.atomicsoftwaresolutions.com

HoneyBOT is a medium-interaction honeypot for Windows. A honeypot creates a safe
environment to capture and interact with unsolicited traffic on a network. HoneyBOT is an ideal
tool for network security research or as part of an early warning IDS.

HoneyD

Source: http://www.citi.umich.edu

HoneyD creates virtual hosts on a network. The hosts can be configured to run arbitrary
services, and their personality can be adapted so that they appear to be running certain
operating systems. HoneyD enables a single host to claim multiple addresses.

T-POT

Source: http://dtag-dev-sec.github.io

The main aim of implementing a T-POT is to create a system whose entire TCP network range,
as well as some important UDP services, acts as a honeypot, and to forward all incoming attack
traffic to the best-suited honeypot daemons in order to respond to and process it.

Conpot

Source: https://pypi.python.org

Conpot is an ICS honeypot that collects intelligence about the motives and methods of
adversaries targeting industrial control systems.


Network Security Devices:

Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a network security appliance that inspects all inbound and
outbound network traffic for suspicious patterns that may indicate a network or system security breach

If found, the IDS will alert the network administrator about the suspicious activities

IDS checks traffic for signatures that match known intrusion patterns, and triggers an alarm when a
match is found

[Figure: IDS placement. Internet - Router - IDS - DMZ; User - Intranet - IDS]

An Intrusion Detection System (IDS) performs an evaluation of the network traffic for illegal
activities and policy violations. Intrusion detection uses vulnerability assessment for ensuring
the security of the network. Features of intrusion detection include:

• Evaluating system and network activities.

• Analyzing vulnerabilities in the network.

• Measuring the system and file reliability.

• Ability to identify the possibilities of attacks.

• Monitoring irregular activities in the network and system.

• Evaluating the policy violations.

Organizations can identify the presence of attacks or intrusions from outside the network as
well as the intrusions or misuse within the network. Mostly the intrusion detection systems use
vulnerability assessment or scanning in order to identify the vulnerabilities in the network and
to monitor the security of the network.

Firewalls prevent intrusions within the network, but do not actually alert regarding the
intrusion or attack. IDS systems can monitor and identify the intrusions within the network as
well as signal an alarm to the network administrator.
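As an added example, not from the courseware or from Snort or Suricata, a toy signature-based IDS in Python: it runs content signatures against a constructed packet stream and, alongside them, a stateful counter that flags a source touching many distinct ports within a time window (the "stealth port scan" category the text lists for Snort). The packet records, signatures and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed traffic: (timestamp_seconds, src_ip, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    (0.00, "203.0.113.7", "192.0.2.10", 80,
     b"GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.0\r\n"),
    (0.10, "198.51.100.4", "192.0.2.10", 443, b"\x16\x03\x01\x00\xc8"),  # normal TLS hello
    (2.00, "198.51.100.9", "192.0.2.11", 445, b"\xffSMB" + b"A" * 600),
] + [
    (1.00 + i * 0.01, "203.0.113.7", "192.0.2.10", port, b"")  # sequential probes
    for i, port in enumerate(range(20, 45))
]

# Each signature: (name, destination port or None for any port, payload regex)
SIGNATURES = [
    ("CGI directory traversal", 80, re.compile(rb"/cgi-bin/.*\.\./")),
    ("Oversized SMB request", 445, re.compile(rb"\A\xffSMB.{512,}", re.S)),
]

PORTSCAN_THRESHOLD = 15   # distinct destination ports from one source ...
PORTSCAN_WINDOW = 5.0     # ... within this many seconds


def match_signatures(packet):
    """Names of all signatures whose port and payload pattern match."""
    _ts, _src, _dst, port, payload = packet
    return [name for name, sig_port, pattern in SIGNATURES
            if (sig_port is None or sig_port == port) and pattern.search(payload)]


def detect(packets):
    """Return the alerts an IDS would raise for the packet stream, in time order."""
    alerts = []
    recent = defaultdict(list)   # src_ip -> [(timestamp, dst_port)] within window
    scan_reported = set()        # alert once per scanning source
    for packet in sorted(packets, key=lambda p: p[0]):
        ts, src, dst, port, _payload = packet
        for name in match_signatures(packet):
            alerts.append({"type": "signature", "name": name,
                           "src": src, "dst": f"{dst}:{port}"})
        # Slide the per-source window forward and count distinct ports in it.
        window = [(t, p) for t, p in recent[src] if ts - t <= PORTSCAN_WINDOW]
        window.append((ts, port))
        recent[src] = window
        distinct = {p for _t, p in window}
        if len(distinct) >= PORTSCAN_THRESHOLD and src not in scan_reported:
            scan_reported.add(src)
            alerts.append({"type": "portscan", "src": src,
                           "distinct_ports": len(distinct),
                           "first_seen": window[0][0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_PACKETS):
        print(alert)
```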


Advantages and disadvantages of IDS:

• The IDS allows continuous monitoring and tracking of all intrusions and attacks in the
network.

• The IDS provides an extra layer of security to the network.

• The IDS can also provide a log or data regarding the attack or intrusion that can be later
used for investigation of the incident.

• The IDS requires more maintenance when compared to the firewalls.

• It is not always possible for the IDS to detect the intrusions.

• IDS requires properly trained and experienced users to maintain it.

• IDS can raise false alarms to the network administrator.


Network Security Devices:

Intrusion Prevention System (IPS)

IPS is a network security appliance that combines functions of both a firewall and an IDS

It is an extension of an IDS used to monitor network traffic for malicious activities

Unlike IDS, an IPS is able to actively prevent/block detected intrusions on the network

[Figure: IPS placement between an untrusted network, the firewall and the server]

Intrusion Prevention Systems (IPS) work similar to an IDS. Like an IDS, an IPS monitors the
network traffic for any intrusion or attack. IPS systems have the capability to carry out quick
action against any kind of intrusion. An IPS takes actions based on certain rules and policies
configured into it. In other words, the IPS system can identify, log, and prevent the occurrence
of any intrusions or attacks in the network.

• The features of an IPS include:

• Identifying illegal activities.

• Recording information about any illegal activity.

• Restricting the attack across the network.

• Reporting the attack to the network administrator.

An IPS may include firewalls or anti-virus software in order to deny access to intruders in the
network.

• Advantages of IPS over IDS:

• Unlike an IDS, IPS systems can block as well as drop illegal packets in the network.

• An IPS can be used to monitor activities occurring in a single organization.

• An IPS prevents the occurrence of direct attacks in the network by controlling the
amount of network traffic.


• Snort: https://www.snort.org
• AIDE: http://aide.sourceforge.net
• Suricata: http://suricata-ids.org
• Next-Generation IPS: http://www.fortinet.com
• OSSEC: http://www.ossec.net
• Cyberoam Intrusion Prevention System: http://www.cyberoam.com
• Strata Guard IDS/IPS: http://www.data-alliance.com.my
• IBM® Security Network Intrusion Prevention System: http://www-03.ibm.com
• McAfee Host Intrusion Prevention for Desktops: http://www.mcafee.com
• AlienVault Unified Security Management: http://www.alienvault.com

Snort

Source: https://www.snort.org

Snort is an open source network intrusion detection system, capable of performing real-time
traffic analysis and packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and is used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.

Uses of Snort:

• Straight packet sniffer like tcpdump.

• Packet logger (useful for network traffic debugging, etc.).

• Network intrusion prevention system.

Suricata

Source: http://suricata-ids.org

Suricata is a Network IDS, IPS and Network Security Monitoring engine. Suricata is highly
scalable: a single instance balances the processing load across every processor on which it is
configured. The tool can identify thousands of files passing through the network.


OSSEC

Source: http://www.ossec.net

OSSEC actively monitors all aspects of UNIX system activity with file integrity monitoring, log
monitoring, root check, and process monitoring. During the course of an attack, OSSEC alerts
through alert logs and emails and also exports alerts to any SIEM system via SYSLOG.

Strata Guard IDS/IPS

Source: http://www.data-alliance.com.my

Strata Guard enforces network audit and usage policies and can block peer-to-peer file sharing,
instant messaging, chat, prohibited browsing activity, and worm propagation. It can detect
anomalous activity such as spoofed attack source addresses, TCP state verification and rogue
services running on the network.

McAfee Host Intrusion Prevention for Desktops

Source: http://www.mcafee.com

McAfee Host Intrusion Prevention for Desktops safeguards your business against complex
security threats that may be unintentionally introduced or allowed by desktops and laptops.

AIDE

Source: http://aide.sourceforge.net

AIDE stands for Advanced Intrusion Detection Environment. It is a file and directory integrity
checker. It creates a database from the regular expression rules that it finds in the config
file(s). Once this database is initialized, it can be used to verify the integrity of the files. It has
several message digest algorithms that are used to check the integrity of the file. All of the
usual file attributes can also be checked for inconsistencies. It can read databases from older or
newer versions.
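The AIDE workflow described above (and the file integrity monitoring named for OSSEC), as an added example in Python that is not AIDE's or OSSEC's own code: a baseline database of per-file digest, size and permission bits is built once and saved, then compared against the live tree to report added, removed and changed files. The directory layout, file contents and the `aide.db.json` database name are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile

ATTRS = ("sha256", "size", "mode")   # attributes recorded per file


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root):
    """Record every regular file under root as {relative path: attributes}."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks, sockets etc. are skipped in this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = {"sha256": file_digest(full), "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode)}
    return db


def save_database(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_database(path):
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the live tree with the baseline; name which attributes differ."""
    current = build_database(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [a for a in ATTRS if current[rel][a] != baseline[rel][a]]
        if diffs:
            report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: baseline a fake etc/ tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        passwd = os.path.join(etc, "passwd")
        hosts = os.path.join(etc, "hosts")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(hosts, "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        os.chmod(passwd, 0o644)
        os.chmod(hosts, 0o644)
        db_path = os.path.join(root, "aide.db.json")   # hypothetical database file
        save_database(build_database(etc), db_path)

        # Simulated changes an integrity checker should catch:
        with open(passwd, "a") as fh:                    # content edit: digest and size
            fh.write("backup:x:1001:1001::/home/backup:/bin/sh\n")
        os.chmod(hosts, 0o666)                           # permission change only
        with open(os.path.join(etc, "rc.local"), "w") as fh:   # new file
            fh.write("#!/bin/sh\n")
        return verify(etc, load_database(db_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```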
Next-Generation IPS

Source: http://www.fortinet.com

It is used for advanced threat protection by integrating:

• Real-time contextual awareness.

• Intelligent security automation.

• Superior performance with industry-leading network intrusion prevention.

Cyberoam Intrusion Prevention System

Source: http://www.cyberoam.com

Cyberoam Intrusion Prevention System protects against network and application-level attacks,
securing organizations against intrusion attempts, malware, Trojans, DoS and DDoS attacks,
malicious code transmission, backdoor activity and blended threats. It can carry thousands of
automatically updated signatures, enabling protection against the latest vulnerabilities.


IBM® Security Network Intrusion Prevention System

Source: http://www-03.ibm.com

IBM® Security Network Intrusion Prevention System stops constantly evolving threats before
they impact your business. It provides both high levels of protection and performance, while
lowering the complexity associated with deploying and managing a large number of point
solutions.

AlienVault Unified Security Management

Source: http://www.alienvault.com

AlienVault Unified Security Management analyzes system behavior and configuration status to
track user access and activity. It detects potential security exposures such as system
compromise, modification of critical configuration files (e.g. registry settings, /etc/passwd),
common rootkits, and rogue processes. It identifies the latest attacks, malware infections,
system compromise techniques, policy violations, and other threats.


Network Security Devices:

Network Protocol Analyzer

• A protocol analyzer is a combination of hardware and software that can be installed on the
organization's network or systems to enhance security against malicious activity

• A protocol analyzer is often referred to as a packet analyzer, network analyzer, sniffer, etc.

• It is an efficient network sniffer for capturing and logging traffic between an organization's
server and its users

• A protocol analyzer usually places a NIC in promiscuous mode in order to see and capture all
the packets on the network

• It examines packets transmitted across a network segment, decodes the packet's data if
needed and analyzes its content

• It includes a timing chart, which indicates the interaction of the packet flow between the
organization's server and the user's browser by time

A network protocol analyzer is a computer hardware device or software that monitors and
analyzes data passing through a network. A network protocol analyzer can complement a
firewall, an anti-virus, and an anti-spyware product in a network. It analyzes the raw data in each
packet and identifies the content in each packet passing through the network. It reduces the
probability of occurrence of an attack in a network and also provides immediate response to an
attack on the network.

Features of a network protocol analyzer include:

• Detailed description of activities in a network.

• Network traffic analysis.

• Packet data analysis.

• Alarms for threats in the network.

• Bandwidth analysis.

A network protocol analyzer enables the network administrator to gain a snapshot of the traffic
in the network.


[Figure: How a Protocol Analyzer Monitors Network Traffic. The production network (router/switch,
server farm, SAN, consolidated tool farm) feeds the analyzer host: packet driver, packet capturing
function, data access, network decoding engine; packets analyzed, then packets displayed; further
analysis by security probe, IDS, performance monitor, protocol analyzer and forensic recorder]

The analyzer works on the host machine. After starting the analyzer in the promiscuous mode,
the NIC on the host captures all traffic passing through it. The analyzer then forwards the
captured traffic into the packet-decoder engine of the analyzer. Here, the decoder engine
monitors the behavior of the traffic and splits the packets into their respective layers. The
analyzer software will now verify these packets and later display the packet information on the
host screen of the analyzer. The analyzer also enables filtering of the packet depending on the
product capability.
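The decoding engine step described above, as an added example in Python that is not the courseware's or any analyzer product's code: `decode_frame` splits a raw Ethernet frame into its Ethernet, IPv4, TCP and application layers, verifies the IPv4 header checksum and names the TCP flags. `build_frame` is a hypothetical helper that constructs the sample frame (MAC and IP addresses are documentation values); the TCP checksum is left at zero because the decoder only verifies the IP header.

```python
import ipaddress
import struct


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the header; returns 0 when the
    checksum field already present in the header is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_frame(frame):
    """Split one captured frame into per-layer dictionaries."""
    layers = {}
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": mac_str(dst), "src": mac_str(src),
                          "ethertype": f"0x{etype:04x}"}
    if etype != 0x0800:                     # only IPv4 is decoded here
        layers["payload"] = frame[14:]
        return layers
    pkt = frame[14:]
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum,
     s_addr, d_addr) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes
    layers["ipv4"] = {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "id": ident, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(s_addr)),
        "dst": str(ipaddress.IPv4Address(d_addr)),
        "checksum_ok": ip_checksum(pkt[:ihl]) == 0,
    }
    segment = pkt[ihl:total_len]
    if proto != 6:                          # only TCP is decoded here
        layers["payload"] = segment
        return layers
    (sport, dport, seq, ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
                     "window": window}
    layers["payload"] = segment[data_off:]  # application data, e.g. an HTTP request
    return layers


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Hypothetical helper: build a valid Ethernet/IPv4/TCP frame for testing."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | flags, 65535, 0, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                         64, 6, 0, ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip_hdr + tcp


def demo():
    frame = build_frame("192.0.2.10", "198.51.100.5", 50000, 80,
                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    return decode_frame(frame)


if __name__ == "__main__":
    for layer, fields in demo().items():
        print(layer, fields)
```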


Advantages of using a Network Protocol Analyzer

• Detects network misuse by internal and external users
• Analyzes network problems
• Detects network intrusion attempts
• Monitors network usage and WAN bandwidth utilization
• Gathers and reports network statistics
• Debugs network protocol implementations
• Troubleshoots hard-to-solve problems
• Gathers information, such as baseline traffic patterns and network utilization metrics
• Identifies unused protocols so that you can remove them from the network
• Generates traffic for penetration testing
• Eavesdrops on traffic and filters suspected traffic from the network

The following are some benefits of using a network protocol analyzer in the network:

• It can be used as a network troubleshooting and debugging tool. It helps in figuring out
the reason for performance issues, identifying protocol errors, the reason for DHCP to stop
working, the reason for a virtual network not routing traffic correctly, and various other
related problems.

• It is used to identify implementation and configuration errors while implementing a new
service or altering an existing one.

• It helps in improving the performance of security products like firewalls and intrusion
detection systems. By analyzing the packets using the protocol analyzer, reasons for access
issues like the passing of malicious traffic and the restriction of authorized packets can be
identified.

• It is used to analyze attacks like a Denial of Service (DoS) attack.

• It generates application statistics such as average HTTP traffic transaction time, DNS query
and SQL Server response time, retransmission rates, and top talkers and listeners on the
network.

• It provides all the current and latest updates of the activities occurring in the network.

• It verifies the occurrences for any irregularity in the network traffic and checks if there is
any variation in the features of a data packet.


• It records details that later assist in the forensic investigation of any incident. This
minimizes the risk of users gaining information related to any previous incident.

• It can inquire about any particular data string in a given packet.

• It can disable any unwanted protocols.

• Gets details about the untrusted contents in a packet.

• Monitors other network users.

• Helps in reinstating client-server communications.

• Helps in debugging network protocol applications.

• Blocks all unwanted traffic in the network or, in other words, blocks all traffic that is not
required for analyzing.


• Wireshark: https://www.wireshark.org
• PRTG Network Monitor: https://www.paessler.com
• CommView: http://www.tamos.com
• Observer: http://www.viavisolutions.com
• CAPSA: http://www.colasoft.com
• SoftPerfect: https://www.softperfect.com
• EtherDetect: http://www.etherdetect.com
• Justniffer: http://justniffer.sourceforge.net
• Microsoft Message Analyzer: https://www.microsoft.com
• Network Probe: http://www.objectplanet.com

Wireshark

Source: https://www.wireshark.org

Wireshark captures network packets and tries to display that packet data in as much detail as
possible. It examines what's going on inside a network cable.

CommView

Source: http://www.tamos.com

CommView is a network monitor and analyzer designed for LAN administrators, security
professionals, network programmers and home users. It captures every packet on the wire to
display important information such as a list of packets and network connections, vital statistics,
protocol distribution charts, and so on. It allows examining, saving, filtering, importing and
exporting captured packets, and viewing protocol decodes down to the lowest layer with full
analysis of over 100 supported protocols.

CAPSA

Source: http://www.colasoft.com

Capsa is a portable network analyzer application for both LANs and WLANs, which provides
real-time packet capturing, 24x7 network monitoring, advanced protocol analysis, in-depth
packet decoding, and automatic expert diagnosis. It gives quick insight to network
administrators or network engineers, allowing them to rapidly pinpoint and resolve application
problems.


EtherDetect

Source: http://www.etherdetect.com

EtherDetect provides a connection-oriented view for analyzing packets more effectively.

Few of the features of EtherDetect include:

• Captures full packets, organized by TCP connections or UDP threads.


• Passively monitors your network, with no need to install the program on target PCs.

• Packet viewing in Hex format and syntax highlighting viewer.

Microsoft Message Analyzer

Source: https://www.microsoft.com

The Microsoft Message Analyzer supports the latest protocol parsers for capturing, displaying,
and analyzing protocol messaging traffic, events, and other system or application messages in
troubleshooting and diagnostic scenarios.

PRTG Network Monitor

Source: https://www.paessler.com

The PRTG protocol analyzer allows you to use an unlimited number of NetFlow/flow sensors. Using
its built-in protocol analyzer, PRTG can monitor and classify network traffic by IP address,
protocol or user-defined, custom parameters.

Observer
Source: http://www.viavisolutions.com
Observer Analyzer delivers individual packet views and decodes over 740 primary protocols and
countless sub-protocols.

SoftPerfect

Source: https://www.softperfect.com

SoftPerfect performs analyzing, debugging, maintaining and monitoring of local networks and
Internet connections. It captures the data passing through the dial-up connection or Ethernet
network card, analyses this data and then represents it in a readable form. This is a useful tool
for network administrators, security specialists, network application developers and anyone
who needs a comprehensive picture of the traffic passing through their network connection or
a segment of a local area network.

Justniffer

Source: http://justniffer.sourceforge.net

Justniffer is a network protocol analyzer that captures network traffic and produces logs in a
customized way. It can also emulate Apache web server log files, track response times and
extract all "intercepted" files from the HTTP traffic.


Network Probe

Source: http://www.objectplanet.com

Network Probe is a network monitor and protocol analyzer to monitor network traffic in real
time, and will help you find the sources of any network slowdowns.


Network Security Devices:

Internet Content Filter

• An Internet content filter is either software or hardware that blocks browsing of harmful
websites and undesirable content on the World Wide Web (WWW)

• It protects the network from malware, phishing and pharming attacks

• It provides additional protection other than traditional network firewalls and antivirus
software

• It filters content based on keywords, URLs, and contextual analysis

[Figure: Content filter deployment options: Client Side Internet Filtering, Gateway Level Content
Filtering, End-To-End Content Filtering (each shown with a firewall and a LAN (Ethernet) segment)]

Content filters block deceptive web pages or emails. They protect the network from malware and
other systems that are unreceptive and interfering. A content filter allows the organization to
block certain web sites. Organizations can implement different types of Internet filtering:

• Browser-based filters
• E-mail filters
• Client-side filters
• Content-limited filters
• Network-based filtering
• Search engine filters

In the process of content filtering, the filter compares each character string in the web site in
order to screen it. Most organizations filter pornographic or violence-related websites. Content
filtering can protect a network from all kinds of malware codes or other attacks that can make
massive changes in the system and network.
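The three filtering inputs the slide names (URL/category lists, keyword matching and contextual analysis) combined with per-category blocking that is either permanent or limited to certain hours, as an added Python example that is not the courseware's code or any product's. The category lists, schedule, phrase weights, threshold and the sample requests are all constructed; domains use reserved documentation names.

```python
import re
from datetime import datetime, time as clock
from urllib.parse import urlsplit

# Constructed policy. A host matches a category if it equals or is a
# subdomain of a listed domain.
CATEGORY_DOMAINS = {
    "malware": {"malware-drop.example"},
    "adult":   {"adult.example"},
    "social":  {"social.example", "chat.example"},
}
# "always" blocks permanently; a list of (start, end) blocks only in those hours.
BLOCK_SCHEDULE = {
    "malware": "always",
    "adult":   "always",
    "social":  [(clock(9, 0), clock(17, 0))],   # working hours only
}
# Weighted phrases: several weak hits together count as suspicious context,
# so one benign mention of "casino" alone does not trigger a block.
KEYWORD_WEIGHTS = {"verify your password": 4, "free prize": 3,
                   "wire transfer": 2, "casino": 2}
KEYWORD_THRESHOLD = 4


def categorize(url):
    host = (urlsplit(url).hostname or "").lower()
    for category, domains in CATEGORY_DOMAINS.items():
        if host in domains or any(host.endswith("." + d) for d in domains):
            return category
    return None


def blocked_now(category, now):
    schedule = BLOCK_SCHEDULE.get(category)
    if schedule is None:
        return False                      # category not subject to blocking
    if schedule == "always":
        return True
    return any(start <= now.time() < end for start, end in schedule)


def keyword_score(text):
    lowered = text.lower()
    return sum(weight * len(re.findall(re.escape(phrase), lowered))
               for phrase, weight in KEYWORD_WEIGHTS.items())


def decide(url, body, now):
    """Return (verdict, reason) for a request made at time `now`.
    The cheap URL category check runs first, then page content."""
    category = categorize(url)
    if category and blocked_now(category, now):
        return "BLOCK", f"category:{category}"
    score = keyword_score(body)
    if score >= KEYWORD_THRESHOLD:
        return "BLOCK", f"content-score:{score}"
    return "ALLOW", "policy-clean"


def demo():
    """Constructed requests: same social site in and out of office hours, a
    permanently blocked category, a phishing-style page on an uncategorized
    host, and a benign page on the same host."""
    office_hours = datetime(2024, 3, 4, 10, 30)
    evening = datetime(2024, 3, 4, 19, 0)
    phishing = "<p>Please verify your password to claim your free prize.</p>"
    cases = [
        ("https://www.social.example/feed", "", office_hours),
        ("https://www.social.example/feed", "", evening),
        ("http://malware-drop.example/update.exe", "", evening),
        ("https://news.example/story", phishing, office_hours),
        ("https://news.example/story", "<p>Quarterly results</p>", office_hours),
    ]
    return [decide(url, body, when) for url, body, when in cases]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, reason)
```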


Advantages of using Internet Content Filters

• Prevents employees from deliberately or inadvertently accessing pornography

• Prevents predators from chatting with your employees online

• Blocks certain categories of sites permanently or for a limited time, greatly reducing
cyber-slacking and productivity drops

• Frees up an organization's Internet bandwidth for legitimate, business related activities

Controls the productivity

It is often difficult to manage employee activities in a large organization. The Internet content
filter can assist the organization in restricting the employees from using any social
networking sites or any illegitimate sites. Network administrators can block sites not related to
work and thereby increase the efficiency and productivity of the organization.

High level of protection

Internet content filters normally provide protection from malware programs and software.

Restricts all kinds of liability issues

Content filtering software can prevent users from sharing files and other documents outside
the organization.

Highly flexible

It enables the organization to decide on the sites that need to be blocked. It also provides the
organization the ability to change the site blocking setting at any time.

Increased speed

Using Internet content filtering allows the organization to control the bandwidth of the Internet
connection by blocking sites. This in turn increases the speed of the Internet.


• Netsentron: http://www.netsentron.com
• iboss: http://ibosshome.com
• Net Nanny: https://www.netnanny.com
• Web Filter Lite: https://www.untangle.com
• Symantec Web Gateway: http://www.symantec.com
• Safe Squid: https://www.safesquid.com
• DansGuardian: http://dansguardian.org
• Handy Filter: http://www.handyfilter.com
• OpenDNS: https://www.opendns.com
• Qustodio: https://www.qustodio.com

Netsentron
Source: http://www.netsentron.com
Netsentron content filter is primarily used in schools and businesses. It stops all unauthorized
access to a network and also blocks pornographic, offensive, and unapproved websites. It also
provides the flexibility to work on files remotely.

Net Nanny

Source: https://www.netnanny.com
Net Nanny helps parents filter out the harmful content and other dangers of the Internet.
Various features of Net Nanny include:
• Compatible with Windows, Mac, Android, iPhone, iPod Touch, and iPad.
• Blocks pornography.
• Masks profanity before it appears on the screen.
• Controls access to set time limits on Internet usage.
• Sends alerts and reports to console or email.
• Creates user profiles to tailor protection to the individual family member's needs.


Symantec Web Gateway


Source: http://www.symantec.com
Symantec Web Gateway protects organizations against multiple types of malware and gives
organizations the flexibility of deploying it as either as a virtual appliance or on physical
hardware.
DansGuardian
Source: http://dansguardian.org
DansGuardian filters the actual content of pages based on many methods, including phrase
matching, PICS filtering and URL filtering.
OpenDNS
Source: https://www.opendns.com
OpenDNS Web filtering lets you manage the Internet experience on and off your network with
the acceptable use or compliance policies, putting you in control.
iboss
Source: http://ibosshome.com
The iboss Home allows you to take control of the Internet in your home by restricting the
websites and online content.
Web Filter Lite
Source: https://www.untangle.com
Web Filter Lite enables administrators to enforce network usage policies and monitor user
behavior. Zero client installation and category block lists make it easy to protect the network
from malware, block potential time wasting sites, and conserve bandwidth by blocking video
downloads.
Safe Squid
Source: https://www.safesquid.com
SafeSquid detects and blocks malware at the web-gateway before it can reach the users. Also, it
protects users from fraudulent websites, web-applications, and security breaches.
Handy Filter
Source: http://www.handyfilter.com
Handy Filter is web content filtering software that enables you to track the websites users visit and to block web access at specific hours you choose.
Qustodio
Source: https://www.qustodio.com
Qustodio internet filter blocks inappropriate content, even in private browsing mode. It also
tracks and monitors the time spent on specific sites.


Network Security Devices: Unified Threat Management (UTM)

UTM is a network security management solution which allows the administrator to monitor and manage the organization's network security through a centralized management console. It provides firewall, intrusion detection, antimalware, spam filter, load balancing, content filtering, data loss prevention, and VPN capabilities using a single UTM appliance.

Advantages:
• Reduced complexity
• Simplicity
• Easy management

Disadvantages:
• Single point of failure
• Single point of compromise

(Slide diagram: Load Balancer, Content Filter, VPN, Network Firewall, Anti-Virus and Anti-Spam, and IDS/IPS all feeding into a single set of UTM solutions.)

Unified Threat Management or UTM is a security management method that enables the
administrator to evaluate and examine security related applications and other components
through a single console. UTM helps in minimizing the complexity of the network by protecting
users from blended threats.

Advantages of UTM:
• Less cost: Reduces the cost of buying multiple devices. UTM needs only a single console that can manage the whole network.
• Low maintenance cost: As only a single console is used, it needs little maintenance.
• Easy installation and management: UTM involves the use of only a single console that requires minimum wiring and other installation requirements.
• Fully integrated: UTM is a complete console that incorporates every feature required for protecting a network.


Disadvantages of UTM:
• Less specialization: As UTM is a single console managing the whole security of the network, it may lack certain features required to maintain security. This can be avoided by using dedicated devices for each feature.
• Single point-of-failure: UTM involves the use of a single console with all features included in it. Failure of one feature can affect the performance of the other features and the working of the UTM as a whole.
• Possible performance constraints: The single console in UTM performs various tasks at the same time. There is a chance that not all tasks or features get adequate CPU time. This situation may leave the system open to many attacks.


• Fortinet: https://www.fortinet.com
• SOPHOS: https://www.sophos.com
• Palo Alto Networks: https://www.paloaltonetworks.com
• WatchGuard: https://www.watchguard.com
• McAfee: http://www.mcafee.com
• SonicWall: http://www.sonicwall.com
• Barracuda: https://www.barracuda.com
• Cisco: http://www.cisco.com

Fortinet

Source: https://www.fortinet.com
Fortinet helps in protecting the entire network from the endpoint to the cloud, delivering
industry-leading, end-to-end simplified security.

SOPHOS

Source: https://www.sophos.com
With SOPHOS UTM, it is easy to configure firewall rules that cover multiple destinations, sources, and services. It also provides country blocking and intrusion prevention (IPS). It allows control of web applications proactively or in real-time using the popular flow-monitor.

WatchGuard

Source: http://www.watchguard.com
WatchGuard provides an all-in-one network security platform. It provides monitoring and isolation of threats present in the console.


Dell

Source: https://www.sonicwall.com
UTM technology delivers comprehensive protection and simplifies security management, all
without affecting the speed of the network. It decontaminates VPN and wireless traffic and
ensures the integrity of all traffic passing through.

Barracuda

Source: https://www.barracuda.com
Barracuda Firewall provides comprehensive network security and optimization. It uses the
power of the cloud in innovative ways to deliver next-generation firewall and content-security
features without bogging down the network.

Palo Alto Networks

Source: https://www.paloaltonetworks.com
Palo Alto Networks is a network security appliance built around the next-generation firewall. It
easily integrates with every other security element. It is used for networking, security, content
inspection, and management.

McAfee

Source: http://www.mcafee.com
McAfee's network security solutions detect advanced targeted attacks and get actionable
threat information. It optimizes threat detection and response by closing the gap from malware
encounter to containment.
Cisco
Source: http://www.cisco.com
Cisco's security appliances provide zone-based firewall, IPS, Web threat protection and URL
filtering. It also involves application control, spam filter, gateway anti-virus, site-to-site VPN,
remote user VPN with Cisco.


Network Security Devices: Network Access Control (NAC)

Network Access Control, also known as Network Admission Control (NAC), refers to appliances or solutions that attempt to protect the network by restricting the connection of an end user to the network based upon a security policy. The pre-installed software agent may inspect several items before admitting the device and may restrict where the device may be connected.

What NAC does:
• Authentication of users connected to network resources
• Identification of devices, platforms, and operating systems
• Defining a connection point of network devices
• Development and application of security policies

Network Access Control (also known as Network Admission Control) deals with restricting the availability of a network to the end user depending on the security policy. It mainly restricts systems without antivirus or intrusion prevention software from accessing the network. NAC allows you to create policies for each user or system and define policies for networks in terms of IP addresses.

• NAC implements detection programs using the following points:
  • Searching for an antivirus program and examining whether it is updated or not.
  • Checking if the end system has a configured firewall or intrusion prevention software.
  • Looking for any viruses on the network, and checking if the operating system is updated.

• NAC performs the following actions:
  • Evaluates unauthorized users, devices, or behaviors in the network. It provides access to authorized users and other entities.
  • NAC helps in identifying users and devices on a network. It also determines whether these users and devices are secure or not.
  • Examines the system's integration with the network according to the security policies of the organization.
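The posture checks listed above (antivirus present and updated, host firewall or IPS configured, operating system patched, no active infection) are what a NAC policy engine evaluates before admitting a device. The following is an added example written for this section, not code from the courseware or from any NAC product; the policy thresholds, VLAN numbers and the three posture reports are constructed.

```python
from datetime import date

# Constructed admission policy; the thresholds are illustrative only.
POLICY = {
    "max_signature_age_days": 3,     # antivirus definitions must be this fresh
    "max_patch_age_days": 30,        # last OS update must be this recent
    "require_host_firewall_or_ips": True,
}
PRODUCTION_VLAN, QUARANTINE_VLAN, GUEST_VLAN = 100, 999, 200   # constructed


def evaluate_posture(report, today):
    """Apply the NAC checks to one endpoint's posture report.

    Returns (vlan, failed_checks). An empty failed_checks list means the
    device is admitted to the production VLAN; any failure places it in a
    remediation-only quarantine VLAN; a device without an agent is treated
    as unmanaged and sent to the guest VLAN, because nothing it claims about
    itself can be verified.
    """
    if not report.get("agent_present"):
        return GUEST_VLAN, ["no posture agent: treated as unmanaged device"]
    failures = []
    av = report.get("antivirus")
    if not av or not av.get("running"):
        failures.append("antivirus not installed or not running")
    else:
        age = (today - date.fromisoformat(av["signature_date"])).days
        if age > POLICY["max_signature_age_days"]:
            failures.append(f"antivirus signatures are {age} days old")
    if POLICY["require_host_firewall_or_ips"] and not (
            report.get("host_firewall") or report.get("host_ips")):
        failures.append("no host firewall or intrusion prevention software")
    patch_age = (today - date.fromisoformat(report["last_os_patch"])).days
    if patch_age > POLICY["max_patch_age_days"]:
        failures.append(f"operating system not updated for {patch_age} days")
    if report.get("malware_detected"):
        failures.append("active malware reported by the endpoint")
    return (QUARANTINE_VLAN if failures else PRODUCTION_VLAN), failures


# Constructed posture reports, as a NAC agent might submit them.
SAMPLE_REPORTS = {
    "laptop-01": {"agent_present": True,
                  "antivirus": {"running": True, "signature_date": "2024-03-14"},
                  "host_firewall": True, "last_os_patch": "2024-03-01"},
    "laptop-02": {"agent_present": True,
                  "antivirus": {"running": True, "signature_date": "2024-02-20"},
                  "host_firewall": False, "host_ips": False,
                  "last_os_patch": "2023-12-01"},
    "printer-07": {"agent_present": False},
}

if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        vlan, failed = evaluate_posture(report, date(2024, 3, 15))
        print(f"{name}: VLAN {vlan}", "; ".join(failed) or "admitted")
```

The returned list of failures is what the agent would show the user as remediation steps; the quarantine VLAN would only reach the update servers needed to clear them.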


NAC helps in maintaining security policies for increased control of the network. An organization
must look into the threats to its network while considering the cost of implementing NAC.
Organizations need to have plans to rectify the faults in the policies while implementing a NAC.
Organizations may consider the following points:

• Do the NAC policies authenticate users?
• How well is the NAC implemented?
• Is NAC properly integrated with the device?
• Does the NAC tool check if the end user is blocked?


Organizations need to consider the following resources while implementing a NAC:

• Network Infrastructure: Incorporate network access control policies within the network
infrastructure.

• Security: Managing the infrastructure.

• Human Resources: Reporting the network policies to the employees in an organization.

• Operations: Management of response, procedures and actions.

• Management: Decides the priority of the policies, effect of policies on the organization
and managing the budget issues.


• ForeScout CounterACT™: https://www.forescout.com
• Bradford Networks' Network Sentry/NAC: https://www.bradfordnetworks.com
• Extreme Networks NAC: http://www.extremenetworks.com
• PacketFence NAC: http://packetfence.org
• Trustwave Network Access Control: https://www.trustwave.com
• Arubanetworks ClearPass Policy Manager: http://www.arubanetworks.com
• Cisco NAC Appliance: http://www1.cisco.com
• Portnox Network Access Control: http://www.portnox.com

ForeScout CounterACT™

Source: https://www.forescout.com
ForeScout CounterACT provides real-time visibility of users, devices, operating systems and applications connected to the network. CounterACT provides comprehensive network access control capabilities to enforce network access and compliance policies, after discovering and classifying devices.

Extreme Networks NAC

Source: www.extremenetworks.com
Extreme Networks NAC provides an unparalleled range of choices for fine grained network access control.

Trustwave Network Access Control

Source: https://www.trustwave.com
Trustwave NAC enables granular control over network access and continuous monitoring of corporate-sanctioned and bring-your-own-device (BYOD) endpoints. This helps prevent the spread of malware and other threats that can harm infrastructure and make the business vulnerable to attack and data loss.


Cisco NAC Appliance


Source: http://www1.cisco.com

The Cisco Network Admission Control System, composed of the Cisco NAC Manager and Server,
is a policy component of the Cisco TrustSec solution. Cisco NAC Appliance extends NAC to all
network access methods, including access through LANs, remote-access gateways, and wireless
access points. It also supports posture assessment for guest users.

Bradford Networks' Network Sentry/NAC

Source: https://www.bradfordnetworks.com


It dynamically leverages the continuously growing library of security commands and controls
built into today's switches, routers, wireless controllers and wireless access points to perform
pre-connect risk assessments on every device attempting to connect to the network.

PacketFence NAC
Source: http://packetfence.org

PacketFence effectively secures networks from small to very large heterogeneous networks.
PacketFence's operation is completely out-of-band which allows the solution to scale
geographically and to be more resilient to failures.

Arubanetworks ClearPass Policy Manager

Source: http://www.arubanetworks.com
ClearPass solves today's digital workplace security challenges across any multivendor network
by replacing outdated legacy AAA with context-aware policies. It delivers visibility, policy
control and workflow automation in one cohesive solution.

Portnox Network Access Control


Source: http://www.portnox.com

It evaluates all networking layers - Ethernet, wireless, virtual, VPN and even the cloud to
illuminate, visualize, analyze and control all connected users and devices. It communicates with
user-driven devices such as laptops, desktops, VoIP phones, tablets, etc. to identify the user
currently using the device. Every decision Portnox NAC makes factors in the Device, Network
and Identity (DNI).


Demilitarized Zone (DMZ)

A computer sub-network placed between the organization's private network, such as a LAN, and an outside public network, such as the Internet, which acts as an additional security layer.

Contains the servers which need to be accessed from an outside network:
• Web servers
• Email servers
• DNS servers

DMZ configurations:
• Both internal and external networks can connect to the DMZ
• Hosts in the DMZ can connect to external networks
• But hosts in the DMZ cannot connect to internal networks

A DMZ is a small network which is placed between the organization's private network and an outside public network. It prevents the outsider from getting direct access to the organization's server. For example, if an attacker uses the public network to access the DMZ host and penetrates it, then only the information on that host will be compromised. In this way, a DMZ acts as an additional security layer for networks and lowers the threat of intrusion in the internal network. A DMZ contains the following servers, which need to be accessible from outside the network:

• Web servers
• Email servers
• DNS servers

Two basic methods of designing a network with a DMZ are using a single firewall (three legged model) and using dual firewalls. It is also possible to extend these configurations according to the network requirements.

• Single Firewall: In this model, the network architecture containing the DMZ consists of three network interfaces. The first network interface connects the ISP to the firewall forming the external network, whereas the second interface forms the internal network. The third interface forms the DMZ. The firewall acts as the single point of failure and should be able to manage all the traffic to the DMZ.


• Dual Firewall: The dual firewall approach uses two firewalls to create a DMZ. The first
firewall allows only sanitized traffic to enter the DMZ and the second firewall double
checks it. The dual approach is the most secure approach in implementing a DMZ.

Any server that needs exposure to the public network can be placed in the demilitarized zone. It
is possible for the network administrator to place servers like web server, DNS server, e-mail
server, FTP server, in the DMZ and enable access for internal and external clients.

Advantages of DMZ:
• Separating the DMZ from the LAN enables a high level of protection for the LAN.
• Provides increased control of resources.
• It uses multiple software- and hardware-based products from different platforms in order to provide an additional layer of protection.
• Provides a high level of flexibility for Internet-based applications like email, web services, etc.
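The three DMZ rules on the slide (internal and external can reach the DMZ, the DMZ can reach external, the DMZ cannot reach internal) are easiest to reason about as a zone-pair policy on the three-legged firewall described above. The following added example, which is not code from the courseware or from any firewall vendor, models that policy and probes it with constructed flows so that a rule change that breaks the DMZ model is caught before deployment; the address ranges (RFC 5737 documentation space and 10.0.0.0/8) and the allowed ports are assumptions for the example.

```python
import ipaddress

# Zones of the single (three-legged) firewall. Anything outside these two
# ranges is treated as the external network. Ranges are constructed.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Rules for NEW connections between zones: first match wins, anything
# unmatched is dropped. Replies to accepted connections are assumed to be
# handled by the firewall's connection tracking, so only the initiating
# direction is listed. Fields: src zone, dst zone, proto, dst port, action;
# None means "any".
RULES = [
    ("external", "dmz", "tcp", 80,  "accept"),    # public web server
    ("external", "dmz", "tcp", 443, "accept"),
    ("external", "dmz", "tcp", 25,  "accept"),    # inbound mail relay
    ("external", "dmz", "udp", 53,  "accept"),    # authoritative DNS
    ("internal", "dmz", None,  None, "accept"),   # LAN users and admins reach the DMZ
    ("internal", "external", None, None, "accept"),
    ("dmz", "external", "tcp", 25,  "accept"),    # outbound mail from the relay
    ("dmz", "external", "udp", 53,  "accept"),    # DMZ resolvers
    ("dmz", "internal", None,  None, "drop"),     # DMZ never initiates into the LAN
    ("external", "internal", None, None, "drop"), # no direct path from the Internet
]


def evaluate(src_ip, dst_ip, proto, dst_port):
    """Return 'accept' or 'drop' for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_proto, rule_port, action in RULES:
        if (rule_src == src and rule_dst == dst
                and (rule_proto is None or rule_proto == proto)
                and (rule_port is None or rule_port == dst_port)):
            return action
    return "drop"   # default deny, which also covers DMZ host to DMZ host


def check_dmz_invariants():
    """Probe the rule set with constructed flows for the slide's statements.
    Returns statement -> bool; every value must be True for a valid DMZ."""
    return {
        "internal and external can reach the DMZ":
            evaluate("10.1.1.5", "192.0.2.10", "tcp", 443) == "accept"
            and evaluate("203.0.113.7", "192.0.2.10", "tcp", 443) == "accept",
        "DMZ hosts can reach external networks":
            evaluate("192.0.2.25", "198.51.100.9", "tcp", 25) == "accept",
        "DMZ hosts cannot reach internal networks":
            evaluate("192.0.2.10", "10.1.1.5", "tcp", 445) == "drop",
        "external cannot reach internal directly":
            evaluate("203.0.113.7", "10.1.1.5", "tcp", 22) == "drop",
    }


if __name__ == "__main__":
    for statement, holds in check_dmz_invariants().items():
        print(("OK  " if holds else "FAIL"), statement)
```

The third invariant is the one that limits the damage in the text's example: a compromised DMZ web server can still talk outward, but the firewall gives it no path into the LAN.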


Virtual Private Network (VPN)

• A private network which uses public networks, like the Internet, to provide secured connections to the employees working remotely
• Uses public networks like telephone lines and assures secure transfer of data between systems over an insecure network
• It makes use of encryption techniques and security mechanisms to provide security by the use of tunneling protocols and encryption methods

A VPN uses public networks, such as the Internet, and assures secure transfer of data between systems over them. Certain tunneling protocols employed by the VPN help to achieve encryption, data integrity, and authentication. A VPN ensures scalability in organizing to support new clients, organizations, and applications. It ensures solutions to business problems with its embedded technology.

A VPN enables a virtual connection between users and the public network. A packet that is transmitted is encapsulated inside a new packet along with a new header. The header facilitates packet traversal in the network. The path through which the encapsulated packet traverses is known as a tunnel. The encapsulated packet, after reaching the end point of the tunnel, is de-encapsulated so that the original packet is forwarded to the final destination.

The tunnel needs to carry the same tunneling protocols that operate at layer 2 (data link layer) or layer 3 (network layer) of the OSI model. Commonly used tunneling protocols are: IPsec, PPTP, L2TP and SSL.
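The encapsulation described above (original packet wrapped in a new packet with a new header, carried through the tunnel, and unwrapped at the far end) is shown below as an added example; it is not code from the courseware and not any real tunneling protocol. The outer header layout is constructed for the example, and the block covers the integrity, authentication and anti-replay part of what a VPN provides (an HMAC over header and payload plus a sequence check, much as IPsec's authentication does); confidentiality of the payload is deliberately left out so the framing stays visible.

```python
import hashlib
import hmac
import socket
import struct

# Constructed outer (tunnel) header prepended to the original packet:
# version (1), inner protocol number (1), sequence number (4), tunnel
# source address (4), tunnel destination address (4) = 14 octets.
OUTER_HEADER = struct.Struct("!BBI4s4s")
TAG_LEN = 32   # HMAC-SHA256 tag appended after the original packet


def encapsulate(inner_packet, key, seq, tunnel_src, tunnel_dst):
    """Wrap the original packet in a new packet with a new header.

    The HMAC covers header and payload, so a modification of either is
    detected at the far end of the tunnel. The tunnel endpoints' addresses
    are the only addresses visible to the public network.
    """
    header = OUTER_HEADER.pack(1, 4, seq,
                               socket.inet_aton(tunnel_src),
                               socket.inet_aton(tunnel_dst))
    tag = hmac.new(key, header + inner_packet, hashlib.sha256).digest()
    return header + inner_packet + tag


class TunnelEndpoint:
    """The far end of the tunnel: verifies the packet, rejects replays, and
    returns the original packet to be forwarded to its real destination."""

    def __init__(self, key):
        self.key = key
        self.highest_seq = 0    # sequence numbers must strictly increase

    def decapsulate(self, outer_packet):
        if len(outer_packet) < OUTER_HEADER.size + TAG_LEN:
            raise ValueError("truncated tunnel packet")
        header = outer_packet[:OUTER_HEADER.size]
        inner = outer_packet[OUTER_HEADER.size:-TAG_LEN]
        tag = outer_packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + inner, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: packet altered or wrong key")
        _version, _proto, seq, _src, _dst = OUTER_HEADER.unpack(header)
        if seq <= self.highest_seq:
            raise ValueError(f"replay: sequence number {seq} already seen")
        self.highest_seq = seq
        return inner


# Constructed sample: a 28-octet "original packet" (the bytes are arbitrary;
# a real inner packet would be a complete IP datagram).
SAMPLE_INNER = bytes.fromhex("4500001c0001000040110000c0a80001c0a80002") + b"hello"
SHARED_KEY = b"constructed-tunnel-key-for-example"

if __name__ == "__main__":
    far_end = TunnelEndpoint(SHARED_KEY)
    outer = encapsulate(SAMPLE_INNER, SHARED_KEY, 1, "203.0.113.1", "198.51.100.2")
    print("outer length", len(outer), "inner length", len(SAMPLE_INNER))
    print("decapsulated matches:", far_end.decapsulate(outer) == SAMPLE_INNER)
```

The overhead is the whole point of the slide's "new packet along with a new header": every packet grows by the outer header and the tag, which is why VPN links need a smaller inner MTU.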


Network Security Protocols

• RADIUS
• TACACS+
• Kerberos
• PGP
• S/MIME
• Secure HTTP
• HTTPS
• TLS
• SSL
• IPsec

There are various security protocols that work at network, transport and application layers.
These protocols help organizations in enhancing the security of their data and communication
against different types of attacks.

• The security protocols that work at the transport layer are as follows:
  • Transport Layer Security (TLS): The TLS protocol provides security and dependability of data between two communicating parties.
  • Secure Sockets Layer (SSL): The SSL protocol provides security to the communication between a client and a server.

• The security protocols that work at the network layer are as follows:
  • Internet Protocol Security (IPsec): The IPsec protocol authenticates the packets during the transmission of data.

• The security protocols that work at the application layer are as follows:
  • Pretty Good Privacy (PGP) protocol: The PGP protocol provides security to the data through the method of encryption and decryption.
  • S/MIME Protocol: Commonly known as Secure/Multipurpose Internet Mail Extensions, it provides security to e-mails.
  • Secure HTTP: Secure HTTP provides security to the data traversing through the World Wide Web.


  • Hyper Text Transfer Protocol Secure (HTTPS): The HTTPS protocol ensures the security of data in the network.
  • Kerberos: The Kerberos protocol provides security using a client-server model.
  • RADIUS: The RADIUS protocol provides security to the remote access servers to communicate with a central server.
  • TACACS+: TACACS+ provides security using a client-server model.


Remote Authentication Dial-In User Service (RADIUS) is an authentication protocol which provides centralized authentication, authorization, and accounting (AAA) for the remote access servers to communicate with the central server.

RADIUS authentication steps:
1. The client initiates the connection by sending an Access-Request packet to the server.
2. The server receives the access request from the client and compares the credentials with the ones stored in the database. If the provided information matches, it sends the Access-Accept message, along with the (optional) Access-Challenge to the client for additional authentication; otherwise it sends back an Access-Reject message.
3. The client sends the Accounting-Request to the server to specify accounting information for a connection that was accepted.

(Slide figure: exchange between the Access Server and the RADIUS Server)
Access Server → RADIUS Server: Access-Request (Username, Password)
RADIUS Server → Access Server: Access-Accept / Access-Reject (User Service, Framed Protocol)
RADIUS Server → Access Server: Access-Challenge (optional) (Reply Message)

RADIUS accounting steps:
The client sends the Accounting-Request to the server to specify accounting information for a connection that was accepted. The server receives the Accounting-Request message and sends back the Accounting-Response message, which states the successful establishment of the network connection.

(Slide figure: exchange between the RADIUS Client and the RADIUS Server)
RADIUS Client → RADIUS Server: Accounting-Request [acct_status_type = start]
RADIUS Server → RADIUS Client: Accounting-Response
RADIUS Client → RADIUS Server: Accounting-Request [acct_status_type = interim update]
RADIUS Server → RADIUS Client: Accounting-Response
RADIUS Client → RADIUS Server: Accounting-Request [acct_status_type = stop]
RADIUS Server → RADIUS Client: Accounting-Response


RADIUS stands for Remote Authentication Dial -In User Service. It was developed by Livingston
Enterprises as a networking protocol, which provides centralized authentication, authorization,
and accounting for remote access servers to communicate with a central server. RADIUS has a
client server model, which works on the application layer of the OSI model by using UDP or TCP
as a transport protocol. The RADIUS protocol is the de facto standard for remote user
authentication and it is documented in RFC 2865 and RFC 2866.

The RADIUS protocol is an AAA protocol that works on both, mobile and local networks. It uses
PAP, CHAP, or EAP in order to authenticate the users communicating with servers. The
components of a RADIUS AAA protocol are as follows:

• Access clients

• Access servers

• RADIUS proxies

• RADIUS servers

• User account databases

RADIUS messages are sent as UDP messages and allow only one RADIUS message in the UDP
payload section of the RADIUS packet. RADIUS messages consist of a RADIUS header and other
RADIUS attributes.


Terminal Access Controller Access-Control System Plus is a network security protocol used for authentication, authorization, and accounting for network devices like switches, routers and firewalls through one or more centralized servers.

TACACS+ encrypts the entire communication between the client and server, including the user's password, which protects it from sniffing attacks.

It is a client-server model approach where the client (user or network device) requests a connection to the server; the server then authenticates the user by examining the credentials.

(Slide figure: a Remote User reaches the Router over PSTN/ISDN; the router, acting as the AAA client, consults the TACACS+ Server on the corporate network.)
1. The AAA client receives the resource request from the user. This assumes that authentication has already taken place.
2. REQUEST is sent to the AAA server for the service shell.
3. RESPONSE is returned to the AAA client indicating a pass or fail.
4. The AAA client may grant or deny access to the service shell.

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol developed by Cisco. It is derived from the TACACS protocol. It performs authentication, authorization, and accounting separately, unlike RADIUS. It is primarily used for device administration.

Authentication of TACACS+
Consider the following example of authentication where a laptop user is connecting to a NAS (router). The TACACS+ authentication involves the following steps:

• Step 1: User initiates the connection for authentication.
• Step 2: Router and user exchange authentication parameters.
• Step 3: Now, the router sends the parameters to the server for authentication purposes.
• Step 4: Server responds with the REPLY message based on the provided information.


Difference between RADIUS and TACACS+

(FIGURE 3.1: RADIUS vs TACACS+. The figure shows the exchanges between the user, the NAS and the AAA server for authentication, authorization and accounting under RADIUS Authentication and under TACACS+ Authentication.)

RADIUS | TACACS+
Combines authentication and authorization. | Separates all 3 elements of the AAA, making it more flexible.
Encrypts only the password. | Encrypts the username and password.
Requires each network device to contain authorization configuration. | Central management for authorization configuration.
UDP: connectionless; UDP ports 1645/1646, 1812/1813. | TCP: connection oriented; TCP port 49.

TABLE 3.1: Difference between RADIUS and TACACS+


Kerberos is an authenticating method for accessing a network.

Kerberos authentication protocol (KAP):
1. The user sends the credentials to the authentication server.
2. The AS (authentication server) hashes the password of the user and verifies the credentials in the Active Directory database. If the credentials match, the AS (which consists of the Ticket Granting Service) sends back the TGS session key and a ticket-granting ticket to the user to create a session.
3. Once users are authenticated, they send the ticket-granting ticket to the server or TGS to request a service ticket for accessing services.
4. The TGS authenticates the TGT and grants a service ticket to the user. The service ticket consists of the ticket and a session key.
5. The client sends the service ticket to the server. The server uses its key to decrypt the information from the TGS, and the client is authenticated to the server.

(Slide figure: Client, KDC (Kerberos) and Server. The client sends a ticket request to the KDC; the KDC generates a ticket encrypted using the server's secret key and returns the ticket response; the client decrypts the ticket response and forwards the ticket to the server; the server decrypts the ticket and confirms the identity of the client.)

Kerberos is a network authentication protocol for authenticating requests in computer
networks. It is based on a client-server model and uses encryption together with a
"ticket" mechanism to prove the identity of a user over a non-secure network. Kerberos protocol
messages protect the network from replay attacks and eavesdropping. It commonly uses
public-key cryptography while authenticating users attempting to access the server.

• Step 1: The user sends the credentials to the authentication server (AS).

• Step 2: The AS hashes the user's password and verifies the credentials in the Active
Directory database. If the credentials match, the AS (which includes the Ticket Granting
Service) sends back the TGS session key and a ticket granting ticket (TGT) to the user to
create a session.

• Step 3: Once authenticated, the user sends the TGT to the TGS to request a service ticket
for the server whose services they want to access.

• Step 4: The TGS authenticates the TGT and grants a service ticket to the user. The service
ticket consists of a ticket and a session key.

• Step 5: The client sends the service ticket to the server. The server uses its key to decrypt
the information from the TGS, and the client is authenticated to the server.
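The five steps above as a runnable simulation, added here as an editor's example; it is not code from the courseware or from any Kerberos implementation. It assumes a constructed realm EXAMPLE.LOCAL, constructed principals and passwords, and a toy encryption type (PBKDF2 string-to-key, a SHA-256 keystream and an HMAC tag) standing in for Kerberos' real enctypes; the message field names and the helpers seal, unseal and check_authenticator are invented for the example. It shows what the text describes: the AS never receives the password, each ticket is sealed under a key the client does not hold, and the timestamped authenticators give the replay protection the text mentions.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.LOCAL"   # constructed realm name
CLOCK_SKEW = 300          # seconds; authenticators outside this window are rejected
TICKET_LIFETIME = 8 * 3600

# Toy encryption type: a stand-in for Kerberos' real AES-CTS/HMAC etypes, illustration only.
def string_to_key(password, salt):
    # PBKDF2 string-to-key, the same idea RFC 3962 uses for the AES enctypes
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream_xor(key, nonce, data):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, fields):
    """Encrypt-then-MAC a ticket or authenticator: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(_keystream_xor(key, nonce, ct))

def check_authenticator(auth, expected_cname, replay_cache):
    """Steps 4 and 5: bind the presented ticket to a fresh, unreplayed authenticator."""
    if auth["cname"] != expected_cname:
        raise ValueError("authenticator principal does not match the ticket")
    if abs(time.time() - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside the allowed clock skew")
    if (expected_cname, auth["ts"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((expected_cname, auth["ts"]))

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self, principals):
        # Directory-style database: each principal's long-term key derived from its
        # password; 'krbtgt' is the TGS key under which TGTs are sealed.
        self.db = {n: string_to_key(pw, REALM + n) for n, pw in principals.items()}
        self.replay_cache = set()

    def as_exchange(self, cname, pa_enc_timestamp):
        # Steps 1-2: the AS proves the client knows the password by opening the
        # encrypted timestamp (pre-authentication) with the key derived from it.
        client_key = self.db[cname]
        if abs(time.time() - unseal(client_key, pa_enc_timestamp)["ts"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        sk, exp = os.urandom(32).hex(), time.time() + TICKET_LIFETIME
        tgt = seal(self.db["krbtgt"], {"cname": cname, "key": sk, "exp": exp})
        return tgt, seal(client_key, {"key": sk, "sname": "krbtgt", "exp": exp})

    def tgs_exchange(self, tgt, authenticator, sname):
        # Steps 3-4: validate the TGT and its authenticator, then issue a service ticket.
        t = unseal(self.db["krbtgt"], tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        tgs_sk = bytes.fromhex(t["key"])
        check_authenticator(unseal(tgs_sk, authenticator), t["cname"], self.replay_cache)
        sk, exp = os.urandom(32).hex(), min(t["exp"], time.time() + TICKET_LIFETIME)
        ticket = seal(self.db[sname], {"cname": t["cname"], "key": sk, "exp": exp})
        return ticket, seal(tgs_sk, {"key": sk, "sname": sname, "exp": exp})

class Service:
    def __init__(self, name, password):
        self.name, self.key, self.replay_cache = name, string_to_key(password, REALM + name), set()

    def ap_exchange(self, ticket, authenticator):
        # Step 5: the server opens the ticket with its own key and never contacts the KDC.
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            raise ValueError("service ticket expired")
        check_authenticator(unseal(bytes.fromhex(t["key"]), authenticator), t["cname"], self.replay_cache)
        return t["cname"]

def client_login(kdc, cname, password, service):
    """Run steps 1-5 as the client; returns (name the server authenticated, AP-REQ sent)."""
    client_key = string_to_key(password, REALM + cname)
    tgt, enc = kdc.as_exchange(cname, seal(client_key, {"ts": time.time()}))
    tgs_sk = bytes.fromhex(unseal(client_key, enc)["key"])       # only the right password opens this
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgs_sk, {"cname": cname, "ts": time.time()}), service.name)
    svc_sk = bytes.fromhex(unseal(tgs_sk, enc2)["key"])
    ap_req = (ticket, seal(svc_sk, {"cname": cname, "ts": time.time()}))
    return service.ap_exchange(*ap_req), ap_req

def run_demo():
    # Constructed principals and passwords for the demonstration.
    kdc = KDC({"alice": "correct horse battery", "krbtgt": "kdc-master-key", "cifs/fileserver": "svc-pw"})
    fileserver = Service("cifs/fileserver", "svc-pw")
    who, ap_req = client_login(kdc, "alice", "correct horse battery", fileserver)
    results = {"authenticated_as": who, "replay_rejected": False, "wrong_password_rejected": False}
    try:                                      # a captured AP-REQ presented again must be refused
        fileserver.ap_exchange(*ap_req)
    except ValueError:
        results["replay_rejected"] = True
    try:                                      # wrong password: the AS cannot open the pre-auth data
        client_login(kdc, "alice", "wrong password", fileserver)
    except ValueError:
        results["wrong_password_rejected"] = True
    return results
```

Two design points carry over to real deployments: the service server validates the ticket entirely with its own key (the KDC can be offline at step 5), and replay caches and the clock-skew limit are what make a captured ticket-plus-authenticator useless a second time, which is why time synchronization between clients, KDC and servers is part of Kerberos operations.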


PGP (Pretty Good Privacy)

• PGP is an application layer protocol which provides cryptographic privacy and authentication for network communication.

• It encrypts and decrypts email communication as well as authenticates messages with digital signatures and encrypts stored files.

[Figure: File encryption and decryption with PGP. Encryption: a random key encrypts the file; the random key is encrypted with the user's public key and placed in the header of the encrypted file. Decryption: the user's private key decrypts the key in the header, and that key decrypts the file.]

PGP (Pretty Good Privacy) is an encryption and decryption computer program that is used to
provide confidentiality and validation during communication. PGP enhances the security of
emails.

How Does PGP Work?

Every user has a public encryption key and a private key. Messages are sent to another user
after encrypting them using the public key. The receiver decrypts the message using their private key.
PGP compresses the message, which increases the security of the message in the network. PGP
creates a session key which is used only once. PGP encrypts the message using the session key
along with the encryption algorithm. The session key is encrypted with the recipient's public key.
The public-key-encrypted session key is sent to the recipient along with the encrypted message.

The recipient uses their private key to decrypt the session key and then uses the session key to decrypt the entire message.

There are two versions of PGP:

• Rivest-Shamir-Adleman Algorithm

• Diffie-Hellman Algorithm

PGP creates a hash code from the user's name and signature and encrypts it with the sender's private
key. The receiver uses the sender's public key to decrypt the hash code.
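The session-key mechanism just described, as an added example written for this edition; it is not PGP's code and not the courseware's. It assumes a toy public-key group (the Mersenne prime 2^127-1 with generator 2 and ElGamal-style key wrapping, far too small for real use) in place of PGP's RSA or Diffie-Hellman keys, and a SHA-256 keystream with an HMAC tag in place of PGP's symmetric cipher; digital signatures are not modelled. The names generate_keypair, pgp_encrypt and pgp_decrypt are the example's own.

```python
import hashlib, hmac, os, zlib

# Toy public-key group: the Mersenne prime 2^127-1 with generator 2. Constructed for
# illustration only; real PGP uses RSA or ElGamal/DH keys of 2048 bits and more.
P = (1 << 127) - 1
G = 2

def generate_keypair():
    """Return (private, public) for a recipient; public = G^private mod P."""
    private = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    return private, pow(G, private, P)

def _keystream_xor(key, nonce, data):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def pgp_encrypt(message, recipient_public):
    """Compress, encrypt under a one-time session key, wrap that key for the recipient."""
    compressed = zlib.compress(message)                 # PGP compresses before encrypting
    session_key = os.urandom(15)                        # 120-bit one-time key (fits below P)
    nonce = os.urandom(16)
    body = _keystream_xor(session_key, nonce, compressed)
    tag = hmac.new(session_key, nonce + body, "sha256").digest()   # integrity of the body
    # Wrap the session key with the recipient's public key (textbook ElGamal encryption):
    k = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    c1 = pow(G, k, P)
    c2 = int.from_bytes(session_key, "big") * pow(recipient_public, k, P) % P
    return {"wrapped_key": (c1, c2), "nonce": nonce, "body": body, "tag": tag}

def pgp_decrypt(packet, recipient_private):
    """Recover the session key with the private key, then decrypt and decompress."""
    c1, c2 = packet["wrapped_key"]
    shared = pow(c1, recipient_private, P)
    key_int = c2 * pow(shared, P - 2, P) % P            # c2 * shared^-1 (Fermat inverse)
    if key_int >= 1 << 120:
        raise ValueError("wrong private key: unwrapped value is not a session key")
    session_key = key_int.to_bytes(15, "big")
    expected = hmac.new(session_key, packet["nonce"] + packet["body"], "sha256").digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return zlib.decompress(_keystream_xor(session_key, packet["nonce"], packet["body"]))

def run_demo():
    # Constructed keys and message for the demonstration.
    bob_private, bob_public = generate_keypair()
    eve_private, _ = generate_keypair()
    message = b"Constructed sample: quarterly figures attached, do not forward."
    packet = pgp_encrypt(message, bob_public)
    again = pgp_encrypt(message, bob_public)
    results = {"round_trip": pgp_decrypt(packet, bob_private) == message,
               "fresh_session_key": packet["wrapped_key"] != again["wrapped_key"],
               "wrong_key_rejected": False, "tamper_rejected": False}
    try:                                       # only Bob's private key unwraps the session key
        pgp_decrypt(packet, eve_private)
    except ValueError:
        results["wrong_key_rejected"] = True
    tampered = dict(packet, body=bytes([packet["body"][0] ^ 1]) + packet["body"][1:])
    try:                                       # a modified body fails the integrity tag
        pgp_decrypt(tampered, bob_private)
    except ValueError:
        results["tamper_rejected"] = True
    return results
```

The split the text describes is visible in the packet structure: the bulk of the message is encrypted with the fast symmetric session key, and only the short session key is encrypted under the recipient's public key, so the same message sent to several recipients needs only one body and one wrapped key per recipient.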


S/MIME (Secure/Multipurpose Internet Mail Extensions)

• S/MIME is an application layer protocol which is used to send digitally signed and encrypted email messages.

• It uses the Rivest-Shamir-Adleman (RSA) encryption system for email encryption.

• Administrators need to enable S/MIME-based security for mailboxes in their organizations.

[Figure: S/MIME signing and encryption between Alice and Bob. Sending side (Alice): the message digest is signed with Alice's private key; the message is encrypted with a secret key (DES); the secret key is encrypted with Bob's public key (RSA) taken from his certificate. Receiving side (Bob): the secret key is decrypted with Bob's private key (RSA); the message is decrypted (DES); the signature is checked ("OK?") against Alice's public key from her certificate.]


Difference between PGP and S/MIME

Mandatory Features                        | S/MIME v3                                  | OpenPGP
Message Format                            | Binary, based on CMS                       | Application/pkcs7-mime
Certificate Format                        | Binary, based on X.509v3                   | Binary, based on previous PGP
Symmetric Encryption Algorithm            | Triple DES (DES, EDE3, CBC)                | Triple DES (DES, EDE3, Eccentric CFB)
Signature Algorithm                       | Diffie-Hellman (X9.42) with DSS or RSA     | ElGamal with DSS
Hash Algorithm                            | SHA-1                                      | SHA-1
MIME Encapsulation of Signed Data Format  | Choice of multipart/signed or CMS          | Multipart/signed with ASCII armor
MIME Encapsulation of Encrypted Data      | Application/pkcs7-mime                     | Multipart/encrypted

S/MIME is used to send digitally signed and encrypted messages. It allows you to encrypt
email messages and then digitally sign them to ensure confidentiality, integrity and non-
repudiation for messages. It provides cryptographic security services such as:

• Authentication

• Message Integrity

• Non-Repudiation

• Privacy

• Data Security

S/MIME ensures e-mail security and has been included in the latest versions of browsers. It
uses the RSA encryption method and specifies how encryption and digital signatures are
included in the message.

S/MIME requires a certificate, obtained from the organization's CA or from a public CA. The
protocol uses different private keys for signature and for encryption.


Secure HTTP (S-HTTP)

• Secure HTTP is an application layer protocol used to encrypt the web communications carried over HTTP.

• It is an alternative to the HTTPS (SSL) protocol.

• It ensures secure transmission of individual messages, while SSL establishes a secure connection between two entities, ensuring the security of the entire communication.

• It is generally used in situations where the server requires authentication from the user.

[Figure: S-HTTP application-level security. On the client machine and the server machine, HTTP runs between the browser and the WWW server; a "Crypto Smart" component on each side exchanges encrypted and/or signed messages over the network layer.]

Note: Not all web browsers and servers support S-HTTP.

Secure HTTP ensures a secured interchange of data on the World Wide Web. It implements
application-level security that offers encryption and digital signatures on the message. S-HTTP
verifies the user by using a certificate. S-HTTP provides many cryptographic algorithms and
modes of operation. The S-HTTP protocol uses client-server negotiation to determine the security
conditions for a client-server communication. It allows the client to send a certificate in order to
authenticate a user. Many web servers support the S-HTTP protocol, which allows them to
communicate without the need for any encryption.


Hyper Text Transfer Protocol Secure (HTTPS)

• HTTPS ensures secure communication between two computers over HTTP.

• The connection is encrypted using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol.

• It is often used in confidential online transactions.

• It protects against man-in-the-middle attacks as data is transmitted over an encrypted channel.

[Figure: How HTTPS works. A sends the password "Mypass"; after encryption it travels as "Xz54p6kd", so an unauthorized party with access to the channel gets only "Xz54p6kd"; B decrypts and receives the password "Mypass".]

HTTPS is a protocol used to ensure secure communication in the network. It uses protocols such as
TLS (Transport Layer Security) and Secure Sockets Layer (SSL) to ensure secure transmission of
data. HTTPS verifies the identity of websites and preserves the confidentiality and
reliability of the messages passed over the Internet.

HTTPS mainly uses SSL in order to protect the website, making it easier for users to access the
website. SSL has the following advantages:

• Encrypts confidential information during the exchange of data.

• Maintains a record of the details regarding the certificate owner.

• A certificate authority checks the owner of the certificate while issuing it.


Transport Layer Security (TLS)

• TLS ensures secure communication between client-server applications over the Internet.

• It prevents network communication from being eavesdropped on or tampered with.

Layers of the TLS protocol:

• TLS Record Protocol: ensures connection security with encryption.

• TLS Handshake Protocol: ensures server and client authentication.

[Figure: On each of the two communicating hosts the stack is Application, TLS Handshake Protocol, TLS Record Protocol, TCP/IP, Network Hardware; the handshake protocol and the record protocol on each host talk to their peers on the other host.]

TLS provides secure communication of data in addition to confidentiality and reliability
between the communicating parties. A secure TLS connection includes the following properties:

• Ensured confidentiality and reliability of data during communication between client and
server using symmetric cryptography.

• Authentication of the communicating applications using public key cryptography.

• Message authentication codes maintain the reliability of the data.

TLS consists of two protocols:

• TLS Record Protocol: Provides security using an encryption method.

• TLS Handshake Protocol: Provides security by authenticating the client and server
before communication.


Secure Sockets Layer (SSL)

• SSL was developed by Netscape for managing the security of message transmission on the Internet.

• It uses RSA asymmetric (public key) encryption to encrypt data transferred over SSL connections.

SSL handshake, as shown in the figure:

1. Client to server: Client Hello message (includes the SSL version, randomly generated data, encryption algorithms, session ID, key exchange algorithms, compression algorithms, and MAC algorithms).

2. Server: determines the SSL version and encryption algorithms to be used for the communication and sends its digital certificate to the client.

3. Client: verifies the digital certificate; generates a random premaster secret (encrypted with the server's public key) and sends it to the server.

4. Client: sends a Change Cipher Spec message and a Finished message (hash of the handshake messages).

5. Server: a hash value is calculated for the exchanged handshake messages and then compared to the hash value received from the client; if the two match, the key and cipher suite negotiation succeeds. The server sends a Change Cipher Spec message and also sends a Finished message (hash of the handshake messages).

The Secure Sockets Layer (SSL) is a protocol used to provide a secure authentication mechanism
between two communicating applications, such as a client and a server. SSL requires a
reliable transport protocol, such as TCP, for data transmission and reception.
Any application-layer protocol that is higher than SSL, such as HTTP, FTP, and telnet, can form a
transparent layer over SSL. SSL acts as an arbitrator between the encryption algorithm and
session key; it also verifies the destination server prior to the transmission and reception of
data. SSL encrypts the complete data of the application protocol to ensure security.
The SSL protocol also offers "channel security" with three basic properties:

• Private channel: All the messages are encrypted after a simple handshake is used to
define a secret key.

• Authenticated channel: The server endpoint of the conversation is always encrypted,
whereas the client endpoint is optionally authenticated.

• Reliable channel: Message transfer has an integrity check.

SSL uses both asymmetric and symmetric authentication mechanisms. Public-key encryption
verifies the identities of the server, the client, or both. Once authentication has taken place, the
client and server can create symmetric keys allowing them to communicate and transfer data
rapidly. An SSL session is responsible for carrying out the SSL handshake protocol to organize
the states of the server and client, thus ensuring the consistency of the protocol.
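The handshake and Finished-message check described for SSL above, and the Record/Handshake split in the TLS section before it, as an added example written for this edition; it is not code from the courseware or from any TLS library. It implements the TLS 1.2 PRF from RFC 5246 and uses two real cipher-suite codes, but the Hello message layout is simplified and the premaster secret is assumed to have been delivered by a key exchange that is not modelled; run_handshake, parse_hello and strip_aead_suite are the example's own names. It shows why each side hashes the handshake messages as it saw them: a ClientHello altered in transit gives the server a different transcript, so the client's Finished value does not verify and the weakened negotiation is aborted instead of completing.

```python
import hashlib, hmac, os

# Two real TLS 1.2 cipher-suite codes (RFC 5289 / RFC 5246); the server prefers the first.
SUITES = {b"\xc0\x2f": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
          b"\x00\x0a": "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
SERVER_PREFERENCE = [b"\xc0\x2f", b"\x00\x0a"]

def p_hash(secret, seed, length):
    """P_SHA256 data expansion from RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, "sha256").digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, "sha256").digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)

def parse_hello(hello):
    """Simplified Hello layout used here: 2-byte version, 32-byte random, 2-byte suite codes."""
    return hello[:2], hello[2:34], [hello[i:i + 2] for i in range(34, len(hello), 2)]

def run_handshake(offered_suites, on_path=None):
    """Simulate Hello exchange, key negotiation and Finished verification.

    on_path: optional function applied to the ClientHello bytes before the server
    reads them, modelling a modification in transit. The premaster secret is
    assumed to arrive through the (unmodelled) key exchange.
    """
    client_random, server_random = os.urandom(32), os.urandom(32)
    client_hello = b"\x03\x03" + client_random + b"".join(offered_suites)
    hello_seen_by_server = on_path(client_hello) if on_path else client_hello
    _, _, suites_seen = parse_hello(hello_seen_by_server)
    chosen = next((s for s in SERVER_PREFERENCE if s in suites_seen), None)
    if chosen is None:
        return {"suite": None, "finished_ok": False}
    server_hello = b"\x03\x03" + server_random + chosen
    premaster = os.urandom(48)
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Each side hashes the handshake messages as it saw them (its transcript).
    client_transcript = hashlib.sha256(client_hello + server_hello).digest()
    server_transcript = hashlib.sha256(hello_seen_by_server + server_hello).digest()
    client_finished = prf(master, b"client finished", client_transcript, 12)
    expected_by_server = prf(master, b"client finished", server_transcript, 12)
    return {"suite": SUITES[chosen],
            "finished_ok": hmac.compare_digest(client_finished, expected_by_server)}

def strip_aead_suite(hello):
    """Constructed in-transit modification: the AES-GCM suite disappears from the offer."""
    version, rnd, suites = parse_hello(hello)
    return version + rnd + b"".join(s for s in suites if s != b"\xc0\x2f")
```

The same transcript hash is what protects the TLS Record Protocol's parameters: every field negotiated in the handshake (version, cipher suite, compression) is covered by the Finished values, so a server should treat a Finished mismatch as a fatal alert rather than a retry, and logging such failures is a useful detection signal for on-path interference.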


Internet Protocol Security (IPsec)

• IPsec is a network layer protocol that ensures secure Internet Protocol (IP) level communication.

• It provides end-to-end security at the Internet layer of the Internet Protocol Suite.

• It encrypts and authenticates each IP packet in the communication.

• It supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.

[Figure: Two LANs with internal IP addresses, each behind a firewall with an external IP address, connected across the Internet by an IPsec tunnel between the two external IPs.]

IPsec ensures secure communications over the Internet Protocol (IP) network. It works at the
application layer of the communications model. It makes use of cryptographic security services
to ensure secure communication. It allows authenticating the IP packets during communication
of data. IPsec finds its applications in Virtual Private Networks and remote user access. IPsec is
used between a pair of hosts, a pair of security gateways, or between a security gateway and a
host. IPsec consists of two security services: Authentication Header (AH) and Encapsulating
Security Payload (ESP). AH allows authentication of the sender, whereas ESP allows
authentication of the sender as well as encryption of the data.

It provides secure communication with network-level peer authentication and data origin
authentication, and ensures data integrity, data confidentiality (encryption), and replay
protection.

IPsec consists of two encryption modes, namely Transport and Tunnel:

• In Transport mode, only the data portion (the payload) of the packet is encrypted.

• In Tunnel mode, the entire IP packet is encrypted.

Module 04: Network Security Policy Design and Implementation

Certified Network Defender Exam 312-38

Top 5 Human Errors

• General carelessness and failure to follow security policies and procedures tops the list of human errors.

[Figure: bar chart of human errors. End-user failure to follow policies and procedures: 42%. General carelessness: 42%. A third bar, label not recovered: 31%.]

Source: http://www.temperednetworks.com


Module Objectives

• Understanding the security policy
• Discussing the need for security policies
• Describing the hierarchy of a security policy
• Describing the characteristics of a good security policy
• Describing the typical content in a security policy
• Understanding the policy statement
• Describing the steps for creating and implementing a security policy
• Understanding how to design a security policy
• Understanding the implementation of a security policy
• Describing the various types of security policy
• Discussing the design of various security policies
• Understanding the need to enforce and train on the security policy
• Discussing various information security related standards, laws and acts

This module focuses on designing and implementing security policies for your organization. It
explains the need for and importance of security policies, describes the content of a security
policy and the steps involved in designing and implementing one, and covers the considerations
required when designing various security policies, guiding you toward an effective policy design
and implementation.


• A security policy is a well-documented set of plans, processes, procedures, standards, and guidelines required to establish an ideal information security status for organizations.

• The security policy is an integral part of an information security management program for any organization.

Need for a Security Policy

• To provide a consistent application of security principles throughout the organization
• To ensure information security standards compliance
• To limit the organization's exposure to external information threats
• To outline senior management's commitment in maintaining a secure environment
• To provide legal protection
• To quickly respond to security incidents
• To reduce the impact of a security incident
• To minimize the risk of a data breach
• To enhance the overall data and network security

A security policy is a high-level document or set of documents describing the security controls
to implement in order to protect the company. It maintains confidentiality, availability,
integrity, and asset values. Security policies form the foundation of a security infrastructure.
Without them, it is impossible to protect the company from possible lawsuits, lost revenue, and
bad publicity, not to mention basic security attacks.

Policies are not technology specific and accomplish three things:

• They reduce or eliminate the legal liability to employees and third parties.

• They protect confidential and proprietary information from theft, misuse, unauthorized
disclosure, or modification.

• They prevent computing resource waste.

A security policy comprises objectives, rules for behavior and requirements to secure the
organization's network and computer systems. Security policies act as a connecting medium
between the objectives and security requirements, as well as helping users, staff, and managers
protect technology and information assets. The policy provides a baseline to acquire, configure,
and audit computer systems and networks.

A security policy defines a set of security tools for preventing attacks on the entire network in
order to keep malicious users away from the organization and provide control over perilous
users within the organization.


The security policy should ensure confidentiality, privacy, integrity and availability of the
company's assets.

The Need for a Security Policy

• The number of devices used across an organization is increasing and pushing the growth
of the information being transferred, networks used and storage space. This growth also
increases the likelihood of security threats originating from various vulnerabilities. A
security policy enables the organization to combat such threats and protect it from
losing information.

• It provides a consistent application of security principles throughout the company to
ensure everything functions in a secure manner. Security policies ensure compliance with
information security industry standards, building a trust-based relationship with clients. It
helps limit a company's exposure to external information threats, while it indicates senior
management's commitment to maintaining a secure environment.

• It provides legal protection by defining what rules to use on the network, how to handle
confidential information and the proper use of encryption, reducing liability and exposure
of the organization's data.

• Security policies reduce the risk of damaging security incidents by identifying the
vulnerabilities and predicting the threats before they happen.

• They also comprise procedures and techniques to minimize the risk of an organization's
data leak or loss by adopting backup and recovery options.

Advantages of Security Policies

• Enhanced data and network security: Organizations implement a policy based on their
network which enhances their data security. It facilitates protection when sharing
information between other systems on a network.

• Risk mitigation: The risks involved from external sources are reduced by implementing and
deploying a security policy. If an employee follows the policy exactly, it becomes nearly
impossible for an organization to lose its data and resources.

• Monitored and controlled device usage and data transfers: Even though policies are
being implemented thoroughly by employees, administrators should regularly monitor
the traffic and external devices used in the system. Monitoring and auditing of the
incoming and outgoing traffic should always be done at regular intervals.

• Better network performance: When security policies are implemented correctly and the
network is monitored regularly, no unnecessary loads exist. The data transmission speed
in the system increases, providing an overall performance enhancement.

• Quick response to issues and lower downtime: Policy deployment and implementation
enables faster response rates when resolving network issues.

• Reduction in management stress levels: The role of management becomes less stressful
when policies are implemented. Every policy must be followed by every employee in the

organization. If this occurs, management will not need to worry about any malicious
attacks on the network.

• Reduced costs: If employees follow the policies correctly, the cost of each intrusion is
reduced, as well as its impact on the organization.


Hierarchy of a Security Policy

• Laws: A high-level rule to be followed by everyone
• Regulations: A set of guidelines followed to abide by the law
• Policies: Help an organization establish the legal and internal requirements pertaining to network security
• Standards: A set of orthodox values followed to ensure policies are not violated
• Practices: Methods to create a policy
• Procedures: Set of steps to create a process
• Guidelines: Advice to maintain security

Organizations use different terminologies while drafting a security policy. The implementation
of these terminologies depends on the severity and the level of the hierarchy they are a part of.

• Laws: Placed at the top of the hierarchy. These policies set which laws every individual in
the organization must follow. Organizations have the authority to take action against any
employee who fails to follow these laws.

• Regulations: A regulation is the second component in the hierarchy. Regulations ensure
employees follow the law. It is a set of guidelines that depends on the laws of the security
policy. Organizations can set either government or social regulations. Social regulations
also involve third-party regulations.

• Policies: With the help of policies, an organization establishes the legal and internal
requirements of their network security. Management documents, reviews, and approves
these policies. A policy consists of different disciplines and procedures. The
documentation of a policy defines the security architecture for the organization. The
implementation of these policies sets the standard for the organization and improves risk
management.

• Standards: Standards specify the method of policy implementation. Standards are derived
from policies and must be implemented by the organization. They can be voluntary or
mandatory depending on company policies. They bring consistency to the business
functionality. It is not feasible to change the company standards after a certain interval.
They also involve security controls related to technology, hardware and software.


• Practices: Practices define the strategy to implement an organization's policies and
standards. Practices help the organization overcome threats. An organization instructs the
employees to execute the practices by deploying, evaluating and assessing certain tasks.

• Procedures: A procedure is a set of sequential steps leading up to a process satisfying
organizational policies. The implementation of these procedures requires approval
from senior management. Procedures are built around the following questions:

• Who will do what?

• What steps will they take?

• Which forms or documents will they use?

Procedures are made up of checklists, instructions and/or flowcharts.

• Guidelines: Guidelines are an optional item providing advice which is normally not
mandatory to follow. They serve as a reference when there are no specific standards.
Guidelines act as a recommendation and organizations should not ignore them.
Implementing guidelines mitigates risk. It is advisable to keep guidelines updated as
business requirements change.


Characteristics of a Good Security Policy

Slide summary: a good security policy is concise and clear, usable, economically feasible,
understandable, realistic, consistent, procedurally tolerable, and compliant with laws,
standards and regulations.

A good security policy has the following features:

1. Concise and clear: A security policy needs to be concise and clear. When it is, it is very
easy to deploy in the infrastructure. Complex policies become hard to understand and
employees may not implement them as a result.

2. Usable: Policies must be written and designed so they can be used easily across various
sections of the organization. Well-written policies are easy to manage and implement.

3. Economically feasible: Organizations must implement policies which are economical and
enhance the security of the organization.

4. Understandable: Policies must be easy to understand and follow.

5. Realistic: Policies must be practical and based on reality. Using fictional items in a policy
will only hurt the organization.

6. Consistent: Organizations must be consistent when implementing their policies.

7. Procedurally tolerable: When implementing policies and procedures, they have to be
employer- and employee-friendly.

8. Comply with cyber laws, standards, rules and regulations: Any policy that is
implemented must comply with all rules and regulations regarding cyber laws.


Key Elements of Security Policy

Key elements of a good security policy are:

• Clear Communication: Pay close attention to any communication gaps. Communication
must be clear when designing a security policy. A communication gap leads to undesirable
results, such as a set of policies that is not feasible for the users or the network. Keep
communication channels clear.

• Brief and Clear Information: Any information provided to developers regarding the
creation of the network policy must be clear and understandable. If not, the approach to
the security of the network will not be as expected.

• Defined Scope and Applicability: The scope identifies the items that must be covered,
hidden, protected or public and how to secure them. The network policy addresses a wide
range of issues from physical security to personal security.

• Enforceable by Law: The security policy must be enforceable by law, with penalties
imposed if there is a policy breach. Penalties for a violation must be addressed when the
policy is created.

• Recognizes Areas of Responsibility: The network policy must recognize the various
responsibilities of employees, the organization and third parties.

• Sufficient Guidance: A good network policy must have proper references to other
policies, which help guide and redefine the scope and the objectives of the policy.


Contents of a Security Policy

Slide summary: the four parts of a security policy implementation are the security
requirements (the requirements of a system when implementing security policies, which
include discipline security, safeguard security, procedural security and assurance security),
the policy description (which focuses on the security disciplines, safeguards, procedures,
continuity of operations and documentation), the security concept of operation (which
defines the roles, responsibilities and functions of a security policy) and the architecture
element allocation (which provides a computer system architecture allocation to each system
in the program).

The four parts of a security policy implementation are:

1. Security requirements

2. Policy description

3. Security concept of operation

4. Architecture element allocation

Security Requirements
This statement features the requirements for a system to implement security policies. There
are four types of security requirements:

• Discipline Security

• Safeguard Security

• Procedural Security

• Assurance Security

• Discipline Security Requirements

It involves security policies stating what actions are taken on various components needing
to be secured. For example, computer security, operations security, network security,
personnel security, physical security, etc.


• Safeguard Security Requirements

It involves security policies stating the protective measures required. For example,
protective measures for access control, malware protection, audit, availability,
confidentiality, integrity, cryptography, identification, and authentication.

• Procedural Security Requirements

It involves security policies containing access policies, accountability, continuity of
operations, and documentation.

• Assurance Security Requirements

It involves security policies concerned with compliance with various standards,
certifications, and accreditations.

Policy Description
This statement mainly focuses on the security disciplines, safeguards, procedures, continuity of
operations, and documentation. Each subset of this policy describes how the system's
architecture elements will enforce security.

Concept of Operation
This concept defines the roles, responsibilities, and functions of a security policy.
It focuses on the mission, communications, encryption, user and maintenance rules, idle time
management, privately owned versus public domain, shareware software rules and a virus
protection policy.

Architecture Element Allocation
This policy provides a computer system architecture allocation to each system in the program.


Typical Policy Content

Slide summary: a typical policy document is organized into three groups of sections.

• Document Control: Document Location, Revision History, Approvals, Distribution,
Document History

• Overview: Purpose, Scope, Definitions, Roles and Responsibilities, Target Audience

• Policy Statements: Sanctions and Violations; Related Standards, Policies and Processes;
Contact Information; Where to Find More Information; Glossary/Acronyms

The important policy sections are:

• Overview of a security policy provides background information that the policy needs to
address.

• Purpose is a detailed explanation of why the policy needs to be framed.

• Scope includes information about who and what the policy covers.

• Definitions are the terms used in the policy.

• Roles and Responsibilities are defined for the employees and management.

• Target Audience is the users and clients the policy is being created for.

• Policy Statements are statements on each aspect of the policy.

• Sanctions and Violations defines the allow/deny process clients and users must follow.

• Contact Information includes information about who to contact in case there is a policy
sanction and/or violation.

• Version number ensures all changes/updates to the policy are tracked correctly.

• Glossary/Acronyms mention the different terms and abbreviations used in the policy.


• A policy is only as effective as the policy statements it contains. Policy statements must be
written in a very clear and formal style.

• Several good examples of a policy statement are:

• All computers must have anti-virus protection activated to provide real-time,
continuous protection

• All computer software must be purchased by the IT department in accordance with
the organization's procurement policy

• All servers must have the minimum services configured to perform their
designated functions

• A copy of all backup and restoration media must be kept with the off-site backup
media

• All access to data is based on a valid business need and subject to a formal
approval process

• While using the Internet, nobody is permitted to abuse, defame, stalk, harass,
threaten anyone else or violate local and international cyber laws

An organization's security policy is said to be successful if it consists of clear and concise policy
statements. A policy statement is an outline that defines the in-depth structure of the
organization's policy. Every policy draft should have a valid policy statement that defines the
organization's course of action in a given situation. The policy statement helps employees
understand the preventive measures they are permitted to take.
An example of an ideal policy statement is:
"All access to data will be based on a valid business need and is subject to a formal approval
process"

The above policy statement example clearly states employees can access data only on approval
from management. It can be concluded that if any employee does not adhere to the policy
statement, the organization has the right to take required action.


Steps to Create and Implement Security Policies

1. Perform risk assessment to identify risks to the organization's assets

2. Learn from standard guidelines and other organizations

3. Include senior management and other staff in policy development

4. Set clear penalties and enforce them

5. Publish the final version to everyone in the organization

6. Ensure every member of your staff reads, signs, and understands the policy

7. Deploy tools to enforce policies

8. Train employees and educate them about the policy

9. Regularly review and update

The security policy development team contains the IST (Information Security Team), Technical Writers, Technical Personnel,
Legal Counsel, Human Resources, User Groups and the Audit/Compliance Team.

The steps below are used to create and implement an effective security policy:

1. Risk Assessment: An organization needs to perform a risk assessment of their assets
before drafting a policy. During a risk assessment, risks are identified and their severity
and criticality determined.

2. Standard Guidelines: Organizations set up guidelines before drafting their own security
policy. A set of standard guidelines drafted in a clear language is helpful to an organization
and their employees.

3. Management Input: Management is involved in the process of drafting a new policy or
adding a policy to the existing one. Employees will only adhere to the drafted policy if
management legally sanctions and approves it. Any policy drafted without management
consent is illegal and will cause serious consequences.

4. Penalties: Certain organizations have very strict policies. If an employee does not follow
these policies, severe actions can be taken against them. Organizations should always
mention the penalties that an employee will suffer if they do not follow the rules.

5. Final Draft: Once management approves the completed policy document, the document
is distributed among everyone in the organization.

6. Accepted by employees: Employees are required to accept all the policies set by the
organization. Employees can give their acceptance by reading the document carefully and
then signing it.


7. Deployment of policies: To enforce policies in the organization you may need additional
deployment tools.

8. Training the employees: Employees should be periodically trained on the organizational
policies. Even if the policies in the organization have been in place for a long time, there
are employees who might be new. Bringing awareness to these employees is a very
important task.

9. Review and Update: Even if an organization has been in business for a long time, reviewing
its policies is still a requirement. With the introduction of new technologies and new
security breaches, updating policies is a necessity. Policies that no longer address the
current technology and/or scenarios are not useful to the organization.


Considerations Before Designing a Security Policy

• What is the purpose of the policy? Is it a value addition or a mere formality?

• Is the policy in line with the training programs?

• Does the policy comply with the organization's objectives?

• Is the policy a guideline for best practices or does it need to be based on some standard?

• How many people fall under the purview of the policy? Who are they?

• What is the least amount of information each employee must know to do their jobs?

• Are all the details required in the policy?

• Can the policies be linked? What is the best method?

• What do the staff need to understand from the policies?

Organizations should not deploy a policy without knowing its purpose first.

Before designing a security policy, answer the following questions:

• What is the purpose of the policy? Is it a value add or a mere formality?

Organizations or management should be aware of the policy's purpose when it is deployed in
the organization. If management understands the purpose of the policy, it will be easier to
make their employees adhere to it.

• Is the policy in line with any training program?

Usually, organizations introduce a policy without training or workshops for the
employees. It is necessary to deploy only those policies on which employees have been
trained. Policies without training or workshops will serve no good to the organization, as
employees will not be aware of their pros and cons.

• Does the policy comply with the organization's objectives?

While documenting the policy, ensure that it runs parallel with the objectives of the
organization. Implementation of the policy cannot be termed successful if it does not meet
the organizational objectives.

• Is the policy a guideline for a better practice or does it need to be based on a standard?

The purpose of introducing policies may differ. It is important to know why the policies
are being introduced in the first place. Usually certain policies are formed as per the


regulations by the government and some are implemented for the organization's own
security.

• How many people fall under the purview of this policy? And who are they?

While designing a policy there are situations where only some employees or a particular
group needs to adhere to it. It is important to categorize these types of policies, which
leads to simplicity while implementing them in an organization.

• What is the least every employee needs to know?

All an employee should know regarding the policy is how the policy should be
implemented on a daily basis. The training session conducted for the employees should
inform them about the action taken against them in case of non-compliance.

• Do I really need all the details written into this policy, or is this better written in System
Specific Security Policies (SSSPs) for the IT professional?

While the policy is documented, it is important to understand the target audience. It is not
necessary that every policy be part of the same document. For example, the document for
the security policy will not include the HR policy.

• How to best link the policies?

Policies should be documented in a clear and concise language. The document should
include all the best practices an organization will undertake and those employees will
adhere to.

• What do the staff need to understand from the policy?

Management can keep the main objective clear when they write the policy in user-friendly
language. For example, the policies have to be followed by everyone in the organization.
Management should arrange training sessions or workshops to help employees who are
not certain or clear about any policy. With the introduction of these policies, an
organization makes it very clear to employees what level of awareness is required for
securing the data and resources in the network.


Design of a Security Policy

Guidelines should cover the following policy structure points:

• Detailed description of policy issues

• Functionalities of those affected by the policy

• Description about the status of the policy

• Compatibility level of the policy is necessary

• Applicability of policy to the environment

• Consequences of non-compliance

The security policy structure provides an overview of the functionalities of security aspects. The
security policy structure should ensure that the following is in place:

• The description of the issue the policy is used for.

• Details regarding the status of the policy and the description of the domains where
the policy has been applied.

• The functions and responsibilities of the employees who are involved in the policy.

• The extent to which the policy is compatible with the organization's standards.

• The tasks and procedures involved in the policy and the ones that are not involved.

• The consequences that will be encountered if the policy is not compatible with the
organization's standards.

The security policy must contain all the information that is required for a successful
implementation of the organizational work process.

Consider the following key points while designing security policies:

• Develop policies that you plan to enforce: Not enforcing a policy is of no use. Real-time
implementation of all statements mentioned in the policy is necessary for limiting
network access.

• Explain the purpose of the policy: Based on the functions of the organization, develop the
policies for a specific network objective.


• Develop security policies that do not require updates too frequently: To avoid frequent
amendments, the overall network issues are to be pre-estimated.

• Differentiate between policies, standards and recommendations: The network policies
should be comprehensive and thorough, but should not be too specific.

• Represent the basic goals of the organization: Depending on the information assets of
an organization, represent the range of network security.

• Make sure your policies are understood: Network policies should be straightforward, but
not too complicated.

• Include your policies as part of your security awareness training: At least one policy has
to be included in the security awareness training.

• Identify the basic risks that can be expected: The basic risk factors of the network are to
be pre-estimated by the network admin.

Some of the measures to develop security policies are as follows:

• Every company and client should identify its roles and responsibilities and its tasks should
be described in detail. That means the knowledge of the structure of the organization, the
responsibilities of individuals, the tasks performed by everyone in the organization and
who tackles the security policies is essential. It is important to make sure the policies
address the problems, requirements, and objectives of the organization. The
representation of each problem should be to the maximum extent. It should also include
data security, legal issues, and human resources. The development and operations of the
organization should be represented in the policies.

• The basic goals of the business are represented. Business knowledge is essential to
improve security and to build a good security policy. Consider an organization that needs
extensive auditing, monitoring and a recovery system that takes regular data backups.
This may not be the case for the rest of the company. Therefore, the policies of an
organization differ according to their requirements. Some policies may be cost effective,
whereas others may be expensive. That means that security policies are specific to each
organization.

• The next step in developing policies is to identify the security principles that represent the
company's security objectives. These goals are to be checked regularly and introduced
into the development process whenever necessary. The aim of security policies is to
describe the policies and principles of the organization with less technical details and in a
simple way.

• The assets and data that need security are recognized and categorized. The valuable data
is made the center of all the security policies. Data that has been identified as more
vulnerable to threats is secured. Cataloging the data and assets makes it easy for
management to make decisions with respect to its value and use. This helps to effectively
control resources.


• As the data is collected and analyzed, it should also be classified. Data is the center of
every policy that is developed. Data flow analysis is important to any and all issues related
to data. For example, during a transaction, data flows through the browser, the web, and
other media such as telephone lines, servers, and firewalls. The data is stored in
databases, on disks, tapes, or paper. If the flow of data is tracked through the media, it
can be determined where there are potential data vulnerabilities and data corruption
locations and control mechanisms can be implemented to prevent the vulnerabilities and
corruption.

• The expected risks are identified. Developing a profile for possible threats helps enable a
decision-making process for any threats within that area. The chance of risk associated
with issues and the amount of money needed to recover from that loss can be recognized.
The nature of threats differs depending on different areas. For instance, the result of
attacking financial transactions would be very different from an attack on an art website.

• The services that guard the system are to be identified. Once the data resources and flow
of data are identified, a risk profile is created. The security services that apply to that
particular area will be recognized and identified. The services for security include
responsibilities, authentication, accessibility, recognizing, integrity, secrecy, and non-
duplication. Knowledge of the security needs of a particular environment is essential for
choosing the security policy to be employed over that area.


After the security policy has been created, the most difficult part of the process is deploying it throughout the
organization

• Make sure the security policy is approved by senior management

• Make sure the security policy is officially adopted as a company policy

• Review each policy and decide how it can be enforced within the organization

• Ensure that appropriate tools and techniques are in place to conform to the policy

• Develop a policy change plan for both the network and the policy itself

• Coordinate with other departments to develop procedures based on the policies

• Provide basic information security awareness training to employees

Implementation of the security policy happens after it is built, revised, and updated. A proper
model and outline of the policies must be created. Suggestions from stakeholders must be
included to directly correlate it with the interests of the organization. After its completion, the
final version must be made available to all staff members so they may understand it. It must be
readily available at any time when needed. It must be placed on the internal network and
intranet. Proper training of the policies must be given to employees for their prompt
understanding and suggestions must always be taken into consideration. For effective
implementation, there must be a rotation of jobs, so that different people handle data. This will
help employees identify any limitations the security policy has. Company data is very critical. It
must not be given to everyone and must not be made public, so proper care must be taken.
There must be a proper security awareness program, cooperation and coordination among
employees.
Once the security policy is designed and developed, the next step in the process is also the
hardest: deployment.
Guidelines for successfully implementing the policy:

• Ensure the security policy is backed by the organization's senior management team and is
officially adopted as company policy.

• Go through each policy and think about how it will be applied within the organization.

• Make sure the correct tools are available to conform to the policy.


• Create a plan to make any necessary changes to either the network or the policy.

• Work with the necessary departments within your company (Legal, IT, HR, etc.) to
establish procedures to support your policies.

• Provide basic information security awareness training to everyone through a basic
Security Awareness Program.

• Make the security policy available to all employees having access to the information
assets the policy governs.

• The Information Security Officer or IT Security Program Manager is responsible for
implementing and managing the security policy.

• Ensure the organization is well equipped with the technology and tools needed to manage
the security policy properly.

• Make sure visitors are provided the Acceptable Use Policy in the event they are allowed to
use the company's network.


Types of Information Security Policies

• Enterprise Information Security Policy (EISP): EISP drives an organization's scope and
provides direction to their security policies.

• Issue Specific Security Policy (ISSP): ISSP directs the audience on the usage of technology
based systems with the help of guidelines.

• System Specific Security Policy (SSSP): SSSP directs users while configuring or
maintaining a system.

Examples listed on the slide across the three types include: application policy, network and
network device security policy, incident response plan, security policy auditing, backup and
restore policy, system security policy, user account policies, DMZ policy, encryption policy,
remote access and wireless policies, acceptable use policy (AUP), policies for secure cloud
computing, password policies, policies for intrusion detection and prevention, policies for
personal devices, access control policy, policies for servers, and Internet and web usage
policies.

In an organization, policies are crucial for information security planning, design and
deployment. These policies provide measures to handle issues and the technologies that could
help users accomplish their security goals. The policy also explains how the software or
equipment functions in the organization.

Information technology enterprises deploy security policies such as:

Enterprise Information Security Policies (EISP)


The EISP support organizations by offering ideology, purpose and methods to a secure
environment for enterprises. It sets out a method for development, implementation and
management of security programs. These policies also ensure the information security
framework requirements are proposed and met.

Issue-Specific Security Policies (ISSP)


These policies aim to address specific security issues in an organization. The scope and
applicability of these security policies are completely dependent on the type of issue and the
methods utilized by them. It specifies the necessary technologies along with preventive
measures such as authorization of user access, privacy protection as well as a fair and
responsible use of the technologies.


System-Specific Security Policies (SSSP)

The implementation of a System-Specific Security Policy is to focus on the overall security of a
particular system in the organization. Organizations develop and manage this type of policy,
including procedures and standards in order to maintain the systems. The technologies used by
the organization should also be included in system-specific policies. It addresses the
implementation and configuration of technology and user behavior.


Internet Access Policies

Promiscuous Policy
• No restrictions on Internet/remote access
• Policy begins with no restrictions
• Nothing is blocked

Permissive Policy
• Known dangerous services/attacks blocked
• Known holes plugged, known dangers stopped
• Impossible to keep up with current exploits; administrators always play catch-up

Paranoid Policy
• Everything is forbidden
• No Internet connection, or severely limited Internet usage
• Users find ways around overly severe restrictions

Prudent Policy
• Provides maximum security while allowing known but necessary dangers
• All services are blocked
• Safe/necessary services are enabled individually
• Nonessential services/procedures that cannot be made safe are not allowed
• Everything is logged

Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Internet access policies define the restricted use of the Internet. It is important for employees
to know which of their actions are restricted while accessing the Internet. The Internet access
policy keeps employees informed about what they can and cannot browse. An
Internet policy includes guidelines for permissible use of the Internet, system security, network
setup, IT services, etc.
Internet access policies are broken down into the four categories below:
1. Promiscuous Policy: This policy does not impose any restrictions on the usage of system
resources. For example, with a promiscuous Internet policy, there is no restriction on
Internet access. A user can access any site, download any application, and access a
computer or a network from a remote location. While this can be useful in corporate
businesses where people who travel or work at branch offices need to access the
organizational network, it also opens the computer to threats such as malware, viruses
and Trojans. Due to free Internet access, this malware can come in the form of
attachments without the knowledge of the user. Network administrators must be
extremely alert when choosing this type of policy.

2. Permissive Policy: This policy begins wide-open and only known dangerous
services/attacks or behaviors are blocked. For example, in a permissive Internet policy,
the majority of Internet traffic is accepted, except for several well-known and dangerous
services/attacks. Because only known attacks and exploits are blocked, it is impossible for
administrators to keep up with current exploits. They are always playing catch-up with
new attacks and exploits.


3. Paranoid Policy: A paranoid policy forbids everything. There is a strict restriction on all
company computers, whether it is system or network usage. There is either no Internet
connection or severely limited Internet usage. Due to these overly severe restrictions,
users often try to find ways around them.
4. Prudent Policy: A prudent policy starts with all services blocked. The administrator
enables safe and necessary services individually. This provides maximum security and logs
everything, such as system and network activities.
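To make the difference between the four stances concrete, the following Python model (an added example, not part of the EC-Council courseware; the policy objects, the service names and the "known dangerous" and "enabled" lists are constructed assumptions) applies each stance to the same three requests. It shows the point the text makes: a default-allow stance passes a service nobody has classified yet, while a default-deny stance blocks it and, under the prudent policy, logs every decision.

```python
"""Model the four Internet access policy stances as a request filter."""
# Added example, not part of the EC-Council courseware. The stance objects,
# the sample requests and the service lists below are constructed assumptions.
from dataclasses import dataclass, field

# Constructed: services an administrator already knows to be dangerous.
KNOWN_DANGEROUS = {"telnet", "irc-botnet-c2", "smb-to-internet"}
# Constructed: services an administrator has reviewed and enabled one by one.
SAFE_ENABLED = {"https", "dns", "smtp-submission"}


@dataclass
class AccessPolicy:
    name: str
    default_allow: bool                          # True: allow unless blocked
    blocked: set = field(default_factory=set)    # consulted by default-allow stances
    enabled: set = field(default_factory=set)    # consulted by default-deny stances
    log_everything: bool = False                 # prudent policy logs every decision

    def decide(self, service: str, log: list) -> bool:
        """Return True if the request is allowed, appending to the audit log."""
        if self.default_allow:
            allowed = service not in self.blocked
        else:
            allowed = service in self.enabled
        # Denials are always logged; the prudent stance also logs allows.
        if self.log_everything or not allowed:
            log.append(f"{self.name}: {service} -> {'ALLOW' if allowed else 'DENY'}")
        return allowed


PROMISCUOUS = AccessPolicy("promiscuous", default_allow=True)
PERMISSIVE = AccessPolicy("permissive", default_allow=True, blocked=KNOWN_DANGEROUS)
PARANOID = AccessPolicy("paranoid", default_allow=False)
PRUDENT = AccessPolicy("prudent", default_allow=False,
                       enabled=SAFE_ENABLED, log_everything=True)

# Constructed requests: a reviewed service, a known-bad one, and one nobody has
# classified yet (the "current exploit" the permissive administrator is chasing).
SAMPLE_REQUESTS = ["https", "telnet", "unclassified-new-service"]


def evaluate(policy: AccessPolicy, services):
    """Return ({service: allowed}, audit_log) for one stance."""
    log = []
    results = {s: policy.decide(s, log) for s in services}
    return results, log


if __name__ == "__main__":
    for p in (PROMISCUOUS, PERMISSIVE, PARANOID, PRUDENT):
        results, log = evaluate(p, SAMPLE_REQUESTS)
        print(p.name, results, f"({len(log)} log entries)")
```

Running it shows the permissive stance allowing the unclassified service with a single log line (the telnet denial), while the prudent stance denies it and produces one log line per decision, which is what "everything is logged" costs and buys.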


An acceptable use policy defines the proper use of an organization's information, electronic computing
devices, system accounts, user accounts, and network resources

Design Considerations:

• Should users read and copy files that are not their own but are accessible?
• Should users be allowed to share accounts?
• Should users modify files they have write access to but do not own?
• Should users make copies of system configurations for personal use or provide them to other people?
• Should users be permitted to use .rhosts files? Even though the entries are acceptable?
• Should users have the ability to make duplicates of copyrighted software?


Acceptable-use policies consist of rules decided by network and website owners. This type of
policy defines the proper use of computing resources. It states the responsibilities of users to
protect the information available in their accounts. Users must accept the policy
restrictions when accessing a computer on the network or the Internet. An AUP (Acceptable
Use Policy) covers principles, prohibitions, reviews and penalties, and it prohibits the user from
using corporate resources for personal reasons.
An AUP is an integral part of information security policies. Generally, organizations ask their
new members to sign an AUP before they are permitted to access the information systems. An
AUP should cover all major aspects of what users are and are not permitted to do in the IT
infrastructure.
To ensure the AUP is followed properly, administrators conduct regular security audits.
Example: Many organizations restrict discussions on political or religious topics on sites or in
emails.
The majority of AUPs describe the penalties for a policy breach; those penalties range from
temporarily disabling the user's account to extreme measures such as legal action.


The User Account Policy defines the creation process of user accounts and includes user rights and
responsibilities

Design Considerations:

• Who has the authority to approve account requests?
• Who (employees, spouses, children, company visitors, etc.) are permitted to use the computing resources?
• Can users have multiple accounts on a single system?
• Can users share accounts?
• What are the rights and responsibilities of the user?
• When should an account be disabled and archived?


The User Account Policy is a document specifying the requirements for requesting and
maintaining an account on the organization's network. It describes the processes for creating,
deleting and operating user accounts by defining the types of accounts created on a specific
network.

The user account policy defines the process of account authorization and the user responsibilities, as
well as the Internet services available to both internal and external users. In addition, it defines the
creation of a username and password, encryption standards, the type of verification used if the
user forgets their password, and the devices used for accessing or linking to the account.
This policy also defines the necessary user age limit, profession and other criteria for creation
or classification of the account, such as guest, internal, external, media, etc. It is essential for
large sites where users may typically have accounts on many systems. Some sites have users
read and sign an account policy. Software applications have users sign an EULA (End User
License Agreement) as part of the account request process.

Example wording: "Employees shall only request / receive accounts on systems they have a true
business need to access. Employees may only have one official account per system and the
account ID and login name must follow the established standards. Employees must read and
sign the acceptable use policy prior to requesting an account."
Network administrators have the following responsibilities when implementing a user account policy:
1. Types of accounts: As per the organization's policy, administrators are asked to create
two types of accounts in the network: the Administrator account and the Standard account. The


administrator account is for the network administrators only. It may or may not include
the top management of the organization. Standard accounts are for employees
irrespective of the department in which they are working.

2. Account permissions: Administrators are required to set the level of permissions for every
employee in the organization. Even though a team leader may not have administrator
privileges, their level of permission will differ from that of the members reporting to
them. Administrators should assign permissions according to the designation of
the employee. Permissions can also be set for a group; for example, everyone in the HR group has a
standard set of permissions.
3. Account auto-lock: An administrator sets a length of time after which an account will automatically
lock. If an employee has not reported to the office for three consecutive days, the auto-lock
feature will engage and the account will be locked automatically. This feature
prevents anyone from attempting to log in to the account when the
user is not there. This feature is present in mobile phones as well, and it prevents others
from accessing the device without the login code.

The User Account Policy should mention certain important characteristics, operations and
maintenance. The policy content should state the following:

• Who has the authority to approve account requests?
• Who is allowed to use the resources (e.g., employees or students only)?
• Are there any citizenship/resident requirements?
• Are users allowed to share accounts or are they allowed to have multiple accounts on a single host?
• User's rights and responsibilities.
• When the account should be disabled and archived.
• How long can the account remain inactive before it is disabled?
• Password construction and aging rules.
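As an added example (not courseware code), the following Python script applies two of the points above, the three-day auto-lock from the administrator responsibilities and the "how long can an account remain inactive before it is disabled" question from the checklist, to a constructed account inventory. The three-day lock threshold is the one stated in the text; the 90-day disable threshold, the account records and the review date are assumptions.

```python
"""Apply a user account policy's auto-lock and inactivity rules to an inventory."""
# Added example, not EC-Council code. The inventory, the review date and the
# 90-day disable threshold are constructed assumptions; the three-day lock
# threshold is the one stated in the text.
from datetime import date

AUTO_LOCK_DAYS = 3     # from the text: no login for three consecutive days -> lock
DISABLE_DAYS = 90      # assumption: inactive this long -> disable and archive

# Constructed inventory: (account id, account type, last login date).
INVENTORY = [
    ("alice", "standard", date(2024, 5, 20)),
    ("bob", "standard", date(2024, 5, 10)),
    ("carol", "administrator", date(2024, 1, 15)),
    ("svc-backup", "standard", date(2024, 5, 19)),
]


def classify(last_login: date, today: date) -> str:
    """Return the action the policy requires: 'active', 'lock' or 'disable'."""
    idle_days = (today - last_login).days
    if idle_days >= DISABLE_DAYS:
        return "disable"
    if idle_days >= AUTO_LOCK_DAYS:
        return "lock"
    return "active"


def review(inventory, today: date) -> dict:
    """Map every account id to the action required on the review date."""
    return {acct: classify(last, today) for acct, _kind, last in inventory}


def privileged_needing_action(inventory, today: date) -> list:
    """Administrator accounts due for lock or disable; these deserve a
    separate line in the audit report because of the access they carry."""
    return sorted(acct for acct, kind, last in inventory
                  if kind == "administrator" and classify(last, today) != "active")


if __name__ == "__main__":
    review_date = date(2024, 5, 21)   # constructed
    for acct, action in review(INVENTORY, review_date).items():
        print(f"{acct:12} {action}")
    print("privileged:", privileged_needing_action(INVENTORY, review_date))
```

The same classification can be fed from a directory export instead of the inline list; the thresholds are the policy decision, the script only makes them visible.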


Remote Access Policy defines who can have remote access, access mediums, and remote
access security controls

Design Considerations:

• Who is allowed to have remote access?
• What specific methods (such as cable modem/DSL or dial-up) does the company support?
• Are dial-out modems allowed on the internal network?
• Are there any extra requirements, such as mandatory anti-virus and security software on the remote system?
• Can other family members of an employee use the company network?
• Do any restrictions exist on the data that can be accessed remotely?


The Remote Access Policy document defines the acceptable guidelines for remote access to the
network and resources. A remote employee should follow the policy when connecting to the
internal network. The Remote Access Policy is helpful to organizations having a geographically
dispersed network. Implementing the remote access policy helps minimize potential damage
that can occur from unauthorized external network traffic. Remote access methods
include dial-in modems, frame relay, ISDN, DSL, VPN, SSH, Wi-Fi, etc.
Points to consider in the policy:

• User authentication: Organizations should have a strict user authentication policy for
remote users. The organization has the right to deny access to users having a weak
password or weak user credentials. The policy should also state the action taken against
employees if they share their remote credentials with others.

• Information encryption: Employees working remotely should encrypt their data while
working on a shared infrastructure. This maintains the confidentiality and integrity of the
data. The organization must educate remote users on the encryption policy they need to follow.

• Usage of network and network devices: The policy should restrict employees from
reconfiguring their network devices for the purpose of split-tunneling, which can make the
network vulnerable to intrusion. Employees should not perform any third-party activities
on the organization's network and should not connect to any other third-party network.


• Antivirus and patches: The systems used by remote users should meet the organization's
requirements. Users should have up-to-date anti-virus software installed on their system. They
should proactively install updates for the antivirus and patches for the operating system.

• Access to data: Administrators should assign privileges to remote users according to
their roles and responsibilities in the organization. Organizations should restrict users
from accessing confidential organization data remotely.

Network administrator's responsibilities in enforcing remote access are:

1. Ensure the remote system has the specified versions of antivirus, firewall and anti-malware software
2. Predefine the VPN tunnel connection
3. Enforce an authentication method for the remote VPN
4. Enforce access control on the remote system when connected through remote access
5. List the set of devices which can be used for remote access


Information Protection Policy defines guidelines for processing, storing and transmitting
sensitive information

Design Considerations:

• What are the information sensitivity levels?
• Who can access the sensitive information?
• How is the sensitive information stored and transmitted?
• What level of sensitive information can be printed on public printers?
• What is the process for removing sensitive information from storage media (paper shredding, scrubbing HDDs, degaussing disks, etc.)?


The Information-Security policy is a document that guides employees to defend their data or
physical devices from unauthorized access. The main aim of the policy is to ensure the information
is not shared with or modified by any external sources. The organization should define the levels of
sensitive information. Organizations should make it a practice to ask new employees to sign the
information-security policy.

Lack of an information security policy can lead to vulnerabilities in the network and systems.
With no information security policy in place, employees can knowingly or unknowingly share
data with external sources.
The information security policy should be drafted based on the following points:

• List of authenticated users who can have access to sensitive information.

• The process and method of saving sensitive information. This can include data that is
either archived or encrypted.

• The policy should mention the location where the sensitive information is stored. The
authorized users should be asked to save the information in this location. Saving the data
at any other location can potentially cause data theft or exposure of information to other
sources.
Implementation of information security assures the data will be protected throughout the
functioning of the organization.


Firewall Management Policy

Firewall Management Policy defines access, management, and monitoring of
firewalls in the organization

Design Considerations:

• Who has access to the firewall systems?
• Who can receive requests to make changes to the firewall configuration?
• Who can approve requests to change the firewall configuration?
• Who can see the firewall configuration rules and access lists?
• How often should the firewall configuration be reviewed?


A network administrator's responsibilities when configuring firewall security policies are:

• Authentication of service or application: Administrators should verify applications or
services before allowing them by default. A service that does not look legitimate should not
be added.
• Setting up a dashboard: Administrators can set up a dashboard that includes all
threats and vulnerabilities the organization's network can encounter. Such a
dashboard helps form a strong rule base.
• Enable anti-spoofing protection: To ensure that a packet's source IP address is consistent with the
security gateway interface it arrives on, it is important to enable anti-spoofing protection.

• Telnet access: Telnet is insecure by nature. Administrators should not allow Telnet access,
for the secure functioning of the network.

• FTP connection: FTP connections should only be allowed if administrators have to upload
error logs for the vendor. In other scenarios, it is advisable to prohibit FTP.
• Restrict direct connections: Administrators should avoid setting up a direct connection
between an internal client and an external service. If the organization needs such a connection to
be established, it can be done through proxy servers.
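The following Python audit (an added example, not EC-Council's or any vendor's tool) checks a constructed rule base against the points above: Telnet allowed, FTP allowed to anything other than the vendor's log-upload host, internal source addresses accepted on the external interface (the anti-spoofing case), an internal client reaching an external service without going through the proxy, and a rule base that does not end in a deny. The rule tuple layout, interface names, address ranges, proxy address and vendor host are assumptions.

```python
"""Audit a firewall rule base against the management points above."""
# Added example, not EC-Council's or any vendor's tool. Rule layout, interface
# names, address ranges, proxy address and vendor host are constructed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
VENDOR_LOG_HOST = ipaddress.ip_network("203.0.113.10/32")  # constructed (TEST-NET-3)
PROXY = ipaddress.ip_network("10.0.0.5/32")                 # constructed proxy

# Constructed rule base, evaluated top-down:
# (name, ingress interface, source, destination, destination port, action)
RULES = [
    ("allow-telnet-mgmt", "external", "0.0.0.0/0", "10.0.0.0/8", 23, "allow"),
    ("ftp-any", "internal", "10.0.0.0/8", "0.0.0.0/0", 21, "allow"),
    ("ftp-vendor", "internal", "10.0.0.0/8", "203.0.113.10/32", 21, "allow"),
    ("spoofed-inside", "external", "10.0.0.0/8", "10.0.0.0/8", 443, "allow"),
    ("direct-web", "internal", "192.168.0.0/16", "0.0.0.0/0", 443, "allow"),
    ("proxy-web", "internal", "10.0.0.5/32", "0.0.0.0/0", 443, "allow"),
    ("default", "any", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


def _within(net, nets) -> bool:
    """True if net lies entirely inside one of nets."""
    return any(net.subnet_of(n) for n in nets)


def audit(rules) -> list:
    """Return (rule name, finding) pairs for every allow rule that breaks a policy point."""
    findings = []
    for name, iface, src, dst, dport, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Telnet is insecure by nature: no allow rule should carry it.
        if dport == 23:
            findings.append((name, "telnet-allowed"))
        # FTP is tolerated only towards the vendor's error-log upload host.
        if dport == 21 and not dst_net.subnet_of(VENDOR_LOG_HOST):
            findings.append((name, "ftp-not-limited-to-vendor"))
        # Anti-spoofing: internal source addresses never arrive on the external side.
        if iface == "external" and _within(src_net, INTERNAL_NETS):
            findings.append((name, "anti-spoofing-violation"))
        # Internal clients reach external services through the proxy only
        # (FTP-to-vendor is the explicit exception handled above).
        if (iface == "internal" and _within(src_net, INTERNAL_NETS)
                and not src_net.subnet_of(PROXY)
                and not _within(dst_net, INTERNAL_NETS) and dport != 21):
            findings.append((name, "direct-client-to-external"))
    # A rule base that does not end in a deny is default-allow by omission.
    if not rules or rules[-1][5] != "deny":
        findings.append(("rule-base", "missing-final-deny"))
    return findings


if __name__ == "__main__":
    for rule, finding in audit(RULES):
        print(f"{rule:20} {finding}")
```

On the constructed rule base the audit flags four rules and accepts `ftp-vendor`, `proxy-web` and the final deny; dropping the final deny adds a `missing-final-deny` finding, which is the check worth running whenever the configuration is reviewed.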


Special Access Policy defines the terms and conditions of granting special access to
system resources

• Who can receive requests for special access?
• Who can approve requests for special access?
• What are the password rules for special-access accounts?
• How often are passwords changed?
• What reasons or situations can lead to revocation of special access privileges?


A special access policy regulates which employees may access particular data in the network.
Before implementing a special-access policy in the network, an administrator should consider
the following items:

• Authorized users: Special access to resources can only be given to privileged users.
Usually these users are top-management employees or administrators.

• Approval: Employees can be given privileged access only if it is authorized by
management or the administrator.

• Password rules: The policy should have a policy statement regarding password rules. This
may include the strength of the password, the validity of the password, etc.

• Revoking privileges: Users provided with special privileges should be notified of the
circumstances under which their privileges can be revoked.


Network Connection Policy defines the standards for establishing the connection for computers,
servers, or other devices to the network

Design Considerations:

• Who can install new resources on the network?
• Who approves the installation of new devices?
• Who must be notified when new devices are being added to the network?
• Who documents network changes?
• Are there any security requirements for the new devices being added to the network?


A network connection policy is drafted to secure the organization's network. The network
connection policy defines regulations to be followed and implemented on the systems, servers
and other electronic devices used in the organization. An effective network-connection policy
involves securing the devices from the potential intrusions an organization can experience.

The following points should be included in the network-connection policy:

1. Connection of devices: The policy should include the normal rules for employees connecting their
electronic devices, including their personal mobile phones. Employees should be
restricted from making any changes in the network through their devices, as this may cause
network instability or loss of connectivity.

2. Authenticating: For better security, employees should be asked to authenticate
their device every time it is connected to the network. Though it might be a frustrating
task for some, the security of the network is the main priority.

3. Responsibility of employee: Every employee using their personal devices on the
organization's network is responsible for ensuring their systems meet the security standards.
The organization has full authority to deny access to any device that does not meet its
security standards.


Business Partner Policy

Business Partner Policy defines agreements, guidelines, and responsibilities for business
partners to run business securely

• Is it mandatory for a company to have a written security policy?
• Should each company have a firewall or other perimeter security device?
• How will one communicate (virtual private networking or VPN over the Internet, leased line, and so forth)?
• How will access to the partner's resources be requested?
• Should each partner keep accurate accounts, books, and records relating to the business?


Organizations working in partnership follow certain guidelines that are drafted under a
business-partner policy. It defines the guidelines partners are required to follow so they can run
their business securely. There can be geographical and cultural differences between the two
business partners, so care is needed when drafting policies in these scenarios. Business-partner
policies should address the following questions:
1. Need of policy: The business partner policy defines the rules and regulations of the
respective organizations. Certain policies followed by employees in company A may not
necessarily be followed in company B. Organizations should work out a third way of
drafting the policy so it does not affect how either company functions.

2. Security: Getting employees to follow common security rules is the biggest challenge
when drafting a business-partner policy. The policy should state the common security
boundaries for both partners and how violations will be handled if employees do not follow them.

3. Resource sharing: Even though both organizations are in a partnership, it does not mean
the companies will have access to each other's data. The policy should state the amount
of data that both parties can share and access. Data breaches by either partner will result in
legal action.

4. Record maintenance: In a partnership, an organization should maintain a log of every
transaction. This maintains a healthy partnership between the companies.


Email Security Policy

An email security policy defines the proper usage of corporate email

Design Considerations:

• Define prohibited use
• If personal use is allowed, it needs to be defined
• Employees should know if their emails are reviewed and/or archived
• What types of emails should be kept and for how long
• When to encrypt emails
• Consequences of violating email security policy


Email security policies are developed to ensure corporate email is used properly. A simple
personal email from a corporate account can result in unintended information disclosure.
Implementing an email security policy lets the organization achieve:
1. Competitive accomplishment: Through an email security policy, organizations train their
employees in email etiquette, including but not limited to drafting effective emails and
replying within a target time. This helps the organization remain competitive in the market.
2. Employee productivity: Email security policies state what the normal use of corporate
email is. This restricts employees from using email for personal purposes, increasing the
overall productivity of the organization.

3. Less employer liability: Organizations should state the consequences or the actions taken
against an employee if the normal use policies are not followed. The liability of the
employer is reduced as a result.

Responsibilities of network administrators:

1. Email use and limitations: The policy should state the scenarios and domains in which
employees cannot use their corporate email addresses. The policy should also instruct
employees not to open malicious attachments.


2. Defining extent of personal use: The policy should set boundaries for employees when using
corporate email for personal purposes.
3. Monitoring of emails: If an organization will be reviewing the emails of all employees,
it should be mentioned in the policy.
4. Duration of emails: Employees should be notified of how long email is kept in
their mailbox. Employees should be informed that administrators have the right
to archive emails after a certain period of time.
5. Encryption: When sensitive information is sent or received, employees should be
aware of the organization's encryption policy.
6. Actions against non-compliance: The policy should clearly state the action taken against an
employee who fails to follow the policy set by the organization.


Password Policy provides guidelines for using strong passwords for an organization's
resources

Design Considerations:

• Password length and formation
• Password blacklists
• Common password practice
• Complexity of password
• Password duration


A password policy is a set of rules to increase system security by encouraging users to employ
strong passwords when accessing an organization's resources and to keep them secure.
The purpose of the policy is to protect the organizational resources by creating robust
protected passwords.
The policy statement should include a standard practice for creating a robust password.

For example:

• The password length should be between 8 and 14 characters
• The password should include both uppercase and lowercase letters, numerical digits and special characters
• Special characters include @, %, $, &, ;
• Passwords are case sensitive while the user name or login ID is not
• Password history: Unique passwords must be used while changing the old password. Passwords cannot be reused.
• Maximum password age: 60 days
• Minimum password age: No limit


Some of the components of a password policy include:

• Password length and formation

The policy includes the length of the password. The password length varies according to
the organization. The formation of a password includes:

• One or more numerical digits
• Special characters such as @, #, $
• Use of upper case and lower case letters
• Avoid using personal information
• Use of the company name in the password is prohibited

• Password duration

The policy suggests users change their passwords regularly, usually every 90 or 180 days.
Changing a memorized password is hard for the user, but it is necessary to avoid
password theft.

• Common password practices

The password policy statement should include guidance or best practices on creating,
storing and managing passwords. For example, it should include guidelines such as:

• Do not share your computer user account details.
• Do not keep a common password for all accounts.
• Do not share passwords.
• Never write the password anywhere; instead, remember it.
• Employees should not communicate their password through e-mail, phone or IM, even to the administrator.
• Do not leave the machine unattended. Always log off or lock the system when leaving the desk.
• Keep different passwords for the operating system and frequently used applications.

The password policy should include a disclaimer informing everyone of the
consequences of not following the guidelines stated in the password policy. The disclaimer
should apply to all employees, including top management. Consequences can include verbal or
written warnings or termination.
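As an added example (not from the courseware), this Python checker enforces the example rules given earlier (length 8 to 14, all four character classes, the listed special characters, no reuse of a previous password, 60-day maximum age) together with the "no personal information" and "no company name" items from the component list. The user record, salt, company name and dates are constructed; the salted SHA-256 history exists only to make the reuse check runnable.

```python
"""Check a proposed password against the policy statements above."""
# Added example, not courseware code. The user record, salt, company name and
# dates are constructed; the salted SHA-256 history exists only to make the
# reuse check runnable.
import hashlib
import re
from datetime import date

MIN_LEN, MAX_LEN = 8, 14            # "between 8 and 14 characters"
SPECIALS = set("@%$&;")             # the special characters the policy lists
MAX_AGE_DAYS = 60                   # "Maximum password age: 60 days"
COMPANY_NAME = "examplecorp"        # constructed


def _digest(password: str, salt: str) -> str:
    """Salted SHA-256 used for the demonstration history only."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def check_password(candidate: str, user: dict) -> list:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    violations = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        violations.append("length")
    if not re.search(r"[A-Z]", candidate):
        violations.append("uppercase")
    if not re.search(r"[a-z]", candidate):
        violations.append("lowercase")
    if not re.search(r"[0-9]", candidate):
        violations.append("digit")
    if not any(ch in SPECIALS for ch in candidate):
        violations.append("special")
    lowered = candidate.lower()   # name and personal-info checks ignore case
    if COMPANY_NAME in lowered:
        violations.append("company-name")
    if any(item.lower() in lowered for item in user["personal"] if item):
        violations.append("personal-info")
    if _digest(candidate, user["salt"]) in user["history"]:
        violations.append("reuse")
    return violations


def password_expired(user: dict, today: date) -> bool:
    """True once the current password is older than the maximum age."""
    return (today - user["last_change"]).days > MAX_AGE_DAYS


# Constructed user record: login-derived strings count as personal information.
SALT = "constructed-salt"
USER = {
    "login": "jdoe",
    "salt": SALT,
    "personal": ["jdoe", "doe", "1985"],
    "history": {_digest("Old$Pass1", SALT)},
    "last_change": date(2024, 3, 1),
}


if __name__ == "__main__":
    for pw in ("Old$Pass1", "examplecorp1", "Doe@1985", "Secure%Pw7"):
        print(f"{pw:14} -> {check_password(pw, USER) or 'accepted'}")
    print("expired on 2024-05-21:", password_expired(USER, date(2024, 5, 21)))
```

Returning the full list of violations rather than the first one lets the enrollment screen tell the user everything that is wrong at once. A production credential store would keep the history with a purpose-built password hashing function (bcrypt, scrypt or Argon2) rather than a single SHA-256 round; the digest here only demonstrates the reuse comparison.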


Physical Security Policy

Physical Security Policy defines guidelines to ensure that adequate physical security
measures are in place

Design Considerations:

• Is the building protection deficiency reviewed on a regular basis?
• Is there a process to identify outsiders such as visitors, contractors, vendors, etc. before giving them access to the premises?
• Are there adequate lighting systems in place?
• Is each of the entry points properly blocked?
• Are the badges, locks, keys and authentication controls audited on a regular basis?
• Is video surveillance footage monitored regularly?
• Is there a proper inventory of the organization's assets maintained regularly?


Physical security is the protection of physical assets, which can be damaged
physically. In IT organizations with a large number of physical assets, the
assets are prone to damage during installation and when they are moved between offshore and
local locations. Care must be taken regarding how frequently the risks are monitored
and analyzed, and the training provided to the people handling or working with the physical
assets must be monitored as well.
Designing a physical security policy helps an organization maintain certain norms that employees can
follow, reducing the probability of loss.


Information System Security Policy

Information system security policy defines guidelines to safeguard an organization's information
systems from malicious use

Design Considerations:

• Are the information systems protected with anti-malware?
• Is the anti-malware updated regularly?
• Is the operating system updated and patched regularly?
• Are they secured using strong password policies?
• Are they secured with strong physical security policies?


The information security policy helps maintain the integrity and confidentiality of the
information system.

Information system security policy statements should be focused on:

1. Installation of antivirus
2. Regular updates of software
3. Applying a firewall
4. OS upgrades
5. Password policy
6. Physical security standards


Bring Your Own Devices (BYOD) Policy

A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while
using an employee's personal device on an organization's network

Design Considerations:

• What personal devices are allowed to be used under BYOD?

• Which resources can be accessed through BYOD devices?

• What needs to be disabled in BYOD devices?

• What are the data storage considerations for BYOD devices?

• What security measures are to be put in place for data and BYOD devices?

Bring Your Own Device (BYOD) is a term used by organizations that encourage employees to
bring their own devices. As it is difficult for organizations to keep up with the pace of
technological change, BYOD has been beneficial to employers. BYOD also has a disadvantage: if
a device is not fully tested and does not follow the policies, it can be a threat to the IT
infrastructure.
The existence of a BYOD policy is important. The policy provides a set of guidelines to maximize
business benefits and minimize the risks while employees use their personal devices on an
organization's network.
Aspects of a BYOD policy:
1. Permissible devices: The policy should state the names of the devices an employee is
allowed to use. The list of devices may differ based on the designation of each employee
in the organization.
2. Permissible resources: The policy should clearly state the resources an employee can use
while using their own device. The policy should mention the actions taken if an employee
does not adhere to these policies.
3. Services to be disabled: Before an employee connects their device to the corporate
network, administrators should verify the services and the applications running on the
device. If certain services or applications are a source of vulnerabilities, administrators
should disable those services immediately.
4. Data storage: It is necessary to document the location of data storage for BYOD.
Administrators should provide a separate location for data on employee devices. Storing
the data on existing drives can be a threat to the data. Administrators must provide a
separate drive to employees.
5. Security measures for data and BYOD devices: Employees should be made aware of
threats and vulnerabilities while they use their devices on the corporate network. It is the
responsibility of the administrator to monitor these devices along with all corporate
devices.
While BYOD is emerging as a new trend in organizations, it is the responsibility of the
administrator to enforce the BYOD policy. A few administrator responsibilities associated with a
BYOD policy are:
1. List of devices: Administrators can prepare a list of devices and software in the BYOD
policy document, such as those listed below:
• Smartphones (with model number)
• Laptops (with model number)
• OS (with version)
• Any other process-specific software or app
2. Resources to be accessed: Depending on the designation of the employee, administrators
can allow the following resources on BYOD:
• E-mail
• Contacts
• Calendar
• Process-specific documents
3. Disable the use of the following on BYOD devices:
• Storage or transmission of illicit materials
• Using another company's proprietary information
• Harassing
• Engaging in other business activities
4. Store data on BYOD devices with proper security measures using:
• The device
• Organization server
• Cloud
5. To secure data on BYOD devices, follow these steps:
• Password (for the BYOD device as well) and encryption policies
• Monitor data transferred


Software/Application Security Policy

Application security policy mandates proper measures to be set up which enhance the
security of in-house and purchased applications

Design Considerations:

• Error Handling & Exception Management

• Configuration Management

• Authentication

• Data Protection in Storage & Transit

• User & Session Management

• Logging & Auditing

• Authorization

• Data Validation

• Encryption

Application security involves securing the in-house and purchased applications running on the
system. The security policy covers the application throughout its complete life cycle. Threats
to an application arise from software tampering, parameter manipulation, and weaknesses in
authorization, cryptography, etc.

Drafting the guidelines for application security mandates the proper functioning of the
application, further enhancing how the system works.

The key factors in documenting a software/application security policy are:

1. Data validation
2. Session management
3. Authentication
4. Authorization
5. Encryption
A network administrator's role in enforcing application policies is:

1. Criteria for data validation: Measures are required to validate data flowing in and out of
the application.
2. Authentication process: Administrators should set up an authentication policy for all
systems. If a user tries to install a third-party application, the system will prompt for an
administrator password. This restricts users from installing third-party applications
without administrator rights.
3. Authorization standards: Administrators should authorize application use only for those
who need it. The authorization can also be limited to certain parts of the application's
data.
4. Encryption policy: Administrators can encrypt the sensitive application data, preventing
users from getting access to it.

5. Monitoring: Every employee application session should be monitored.


Backup Policy

The backup policy helps an organization recover and safeguard their information in the
event of a security incident/network failure

Design Considerations:

• The location of data backup

• Name and contact of authorized personnel who can access backups

• Backup schedule

• Type of backup method used

• Hardware and software requirements for taking backups

Creating a backup policy is one of the most important things you can do for your data security
plan. Optimized backup policies and procedures will save your organization time and money,
chiefly by bringing the backup and recovery process in line with actual requirements. They will
also ensure a smooth recovery process in the event of a hard drive failure, virus attack or
natural disaster.
Backup policies and procedures vary according to the needs of an organization and industry.
There are certain elements of a data backup and restore process that every company should
identify:

• Determining What Files Should Be Backed Up:

Before implementing a backup policy on a system, administrators should identify the files
important for business activity. Data that helps run the business should be backed up.
Data including financial information, tax information and personal employee information
is important and should be backed up.

• Determine Who Can Access Backups:

Administrators should assign privileges to access backups only to those employees who
work on the data. It is important to keep track of the backup data. Keep the backup logs
updated regularly.


• Determine How Often to Back Up:

An organization's backup policy should define the backup schedule employees must use.
Informing employees beforehand helps them prioritize their data for this requirement.
The schedule should be created considering the business of the organization and the
importance of the data on the machines. It is not necessary to run a backup on everything at
the same time. Certain files or databases have to be backed up at a different time. The
backup policy should also mention the time at which the backups should run. Usually an
organization prefers to perform backups after business hours. Based on the backup policy,
the backup process can be initiated by administrators.

• What Type of Backup is Required?

While drafting the backup policies and procedures, administrators should also determine
the type of backup required. The type of backup depends on the organization's needs. The
three basic types of backup include:

• Full backups: Back up all data. The simplest form of backup and a very time-consuming
process.

• Incremental backups: In this type of backup, the backup is created only of the data that
has changed since the last full backup. It is a less time-consuming process.

• Differential backups: Back up all the selected files that are new or changed since
the last full backup.

• Where to Back Up Data:

The backup policy should mention the location of the backup data and where it will be
stored. Administrators can store the data on a physical external device, the cloud, or both.

It is important to test and evaluate all backup policies.
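The three backup types differ only in the reference point used to decide which files to copy, and that reference point also determines which backup sets a restore needs. The following is an added example, not courseware code; it uses the conventional definitions (differential relative to the last full backup, incremental relative to the most recent backup of any type), and the file names, timestamps and history are constructed.

```python
"""Added example (not from the CND courseware): which files each backup type copies
and which backup sets a restore needs.

Conventional definitions used here:
  full         - copies every selected file
  differential - copies files changed since the most recent FULL backup
  incremental  - copies files changed since the most recent backup of ANY type
All file names, timestamps and the backup history are constructed for the example.
"""
from datetime import datetime

# Constructed sample: file path -> last modification time
FILES = {
    "finance/ledger.xlsx": datetime(2024, 3, 4, 9, 0),
    "hr/employees.db":     datetime(2024, 3, 6, 18, 30),
    "tax/q1_return.pdf":   datetime(2024, 2, 20, 12, 0),
    "ops/runbook.docx":    datetime(2024, 3, 7, 8, 15),
}

# Constructed backup history in chronological order: (type, completion time)
HISTORY = [
    ("full",        datetime(2024, 3, 1, 22, 0)),
    ("incremental", datetime(2024, 3, 5, 22, 0)),
]

BACKUP_TYPES = ("full", "incremental", "differential")


def last_time(history, kinds):
    """Completion time of the most recent backup whose type is in `kinds`, or None."""
    times = [when for kind, when in history if kind in kinds]
    return max(times) if times else None


def select_files(kind, files, history):
    """Return the sorted file names a backup of type `kind` would copy now."""
    if kind == "full":
        return sorted(files)
    if kind == "differential":
        ref = last_time(history, {"full"})
    elif kind == "incremental":
        ref = last_time(history, set(BACKUP_TYPES))
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if ref is None:
        # Neither incremental nor differential makes sense without a full baseline.
        raise ValueError("no full backup exists yet; run a full backup first")
    return sorted(name for name, mtime in files.items() if mtime > ref)


def restore_sets(history):
    """Return, in restore order, the backup sets needed to recover the latest state.

    Walking backwards: every incremental is needed until a differential or a full
    is reached; a differential already contains everything since the last full,
    so anything between it and that full is skipped.
    """
    needed = []
    skip_to_full = False
    for kind, when in reversed(history):
        if kind == "full":
            needed.append((kind, when))
            break
        if skip_to_full:
            continue
        needed.append((kind, when))
        if kind == "differential":
            skip_to_full = True
    if not needed or needed[-1][0] != "full":
        raise ValueError("history contains no full backup; nothing to restore from")
    return list(reversed(needed))


if __name__ == "__main__":
    for kind in BACKUP_TYPES:
        print(f"{kind:12s} would copy: {select_files(kind, FILES, HISTORY)}")
    print("restore needs:", restore_sets(HISTORY))
```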


Confidential Data Policy

Confidential data policy defines guidelines for identifying an organization's confidential data and
procedures to handle it

Design Considerations:

• Treatment of confidential data including data storage, access, transmission, data sharing,
disposal, handling and disclosure of data

• Use of confidential data

• Security controls for confidential data

• Emergency access to the data

A confidential data policy covers a set of information that requires a very high level of
protection. It may consist of salary details, product details, organization structure details, etc.
It is the responsibility of administrators to ensure the confidential data is secured from
unauthorized access.
Drafting a confidential data policy will help the organization protect the information
important to the existence of the business. The presence of a confidential data policy ensures
users maintain the integrity and confidentiality of the business, which will further help the
overall growth of the business.


Data Classification Policy

A data classification policy establishes a framework for classifying organizational data
based on its level of sensitivity, value and criticality within the IT security policy

The organization's data is classified into one of three sensitivity levels or
classifications, which are restricted, private and public

Design Considerations:

• Appropriate data classification by data owners

• Protecting data at rest

• Protecting data in transit

• Data labeling

The data classification policy document aims to classify sensitive data and secure it as per its
class. The implementation of a data classification policy helps the organization maintain and
secure their data and resources. The classification of data and prioritizing its risk level depends
on the organization. They can classify their data according to the user-requirement, security
requirement or managerial requirement. The prioritization of the risk level can be restricted,
confidential or public. The data classification policy should also include a list of users who can
have access to the information.
Points to consider when developing a data classification policy:

• Employees should avoid distribution of any restricted or confidential data internally and
externally.
• Authorized employees dealing with confidential data should send it only in an encrypted
format through email.

• Administrators should have a secure backup of the data and monitor the backups
regularly. The backups should have strong user credentials.

• After receiving the confidential data, an employee should scan the device or the file to
avoid any malicious activity.

• If the authorized employee finds confidential data that is public, they should immediately
delete the data (if possible).


• The document should mention the action taken against employees if they do not adhere
to the policy.

• The organization should perform regular audits to ensure authorized employees are
following the required measures.


Internet Usage Policy

Internet usage policy governs the way the organization's internet connection is used by every device on
the network.

Design Considerations:

• Internet usage limit for official as well as personal use

• Time frame for personal use

• Method adopted for web usage monitoring

• Levels of privacy for employees

• Restricted content

An Internet usage policy informs employees about the rules which have to be followed while
accessing the corporate Internet connection. The implementation of such policies helps the
organization maintain a secure network. An Internet policy keeps the systems secure and
helps users understand the types of risks a network can encounter. The policy should make
employees aware that browsing prohibited sites or downloading files from unreliable sources
can land them in trouble.
A small act of negligence on the part of an employee or administrator can lead to a major
vulnerability in the network. The Internet usage policy must be accepted by all employees, and
they must sign it to acknowledge their understanding. Network administrators should (in
consultation with top management) ensure the following:
1. Limited usage: Employees should be aware that the corporate Internet connection is for
official use only. Employees should refrain from using it for personal purposes; for
example, downloading movies should not be allowed.
2. Setting a timeframe for personal use: If an organization plans to allow employees to use
the Internet for personal purposes, it can set a timeframe for such use.
3. The method to be adopted for monitoring web use: Administrators should set
monitoring standards to keep track of user activity on the Internet. These monitoring
standards should follow the policies drafted in the document.
4. Discuss and decide what content should never be allowed: Administrators should discuss
with top management and decide on a list of sites that should be denied or added
to a list of non-trusted sites.


Server Policy

Server policy establishes a standard for the base configuration of an organization's server

An effective server policy restricts unauthorized access to an organization's data and
technology

Design Considerations:

• Location and protection considerations for servers

• Configuration of servers

• Monitoring of servers

A server policy is an internal organizational policy that defines the handling of server issues. It
includes the details of installation, configuration, services required, etc. for the server. The
policy document authorizes only its target audience, network/system administrators, to read
it. The policy states that administrators have the right to perform deletions or modifications on
a server. Under the policy, if any changes are made, administrators are required to inform
management or the users who will be affected by the changes.

The policy should cover the points that can help administrators rebuild the network or servers
in the event of a disaster or calamity. With many troubleshooters available, the document
reduces the administrators' troubleshooting time.

For every server on a secure network, there is a list of items that must be documented and
reviewed on a regular basis to keep a private network secure. The server list must be updated
as new servers are added to the network and reviewed regularly.

1. Server name

2. Server location

3. The function or purpose of the server

4. Hardware components of the system, including the make and model of each part in the
system

5. List of all software running on the server including the operating system, programs, and
services


6. Configuration information about the server including:

• Event log settings
• A comprehensive list of services that are running
• Configuration of any security lockdown tool or setting
• Account settings

Responsibilities in enforcing general server policies are:

1. User restriction: Servers are the foundation of a functioning organization; administrators
should not allow server access privileges to anyone in the organization except those who
have been given permission by them.
2. Configuration compliance: At times, administrators may have to make changes to the
configuration settings of a server. Such exceptions should be permissible, and the changes
should be monitored.
3. Server registration: Server registration should follow the corporate enterprise
management system.
4. Updating the corporate enterprise management system: It is the responsibility of the
administrator to update the corporate enterprise management system on a regular basis;
this keeps the network and machines running smoothly.
5. Parallelism in modifications: Administrators should make sure that the configuration
changes made on the server comply with the change management procedure.


Wireless Network Policy

A wireless network policy states the rules and regulations for accessing an organization's wireless
network resources

Design Considerations:

• Defining an access point for a WLAN

• Placement of an access point

• Technologies used for wireless connectivity

• Procedure for integration of a new system into the wireless environment

• Procedure for monitoring the network

The wireless network policy is designed to protect organizational resources against intrusion
from a wireless network. It applies to all wireless devices in use by the organization or those
that connect through a wireless device to any organization network.
A network administrator's responsibilities in enforcing wireless policies are:

1. Access point: Administrators should provide a clear description of newly established access
points in the network. All access points must be registered and approved. They should be
connected to the organizational network.
2. Configuration: Administrators should configure the SSID on all wireless devices so that it
does not reveal any information about the organization.
3. Permissible devices: The policy document should mention the type of devices that can be
used to connect to the corporate wireless network. Only those devices that are approved
by management should be connected to the network.
4. Permissible technologies: Administrators should define what technologies can be
accessed through the wireless network.


Incident Response Plan (IRP)

IRP is an integral part of the security policy which instructs how to detect, respond, and limit
the effects of an information security incident

Design Considerations:

• Contain damage

• Recover lost data

• Get the systems up and working

An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the effects of an information security event. Incident response plans provide
instructions for responding to a number of potential scenarios, including data breaches, denial
of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or
insider threats. Without an incident response plan in place, organizations may not detect the
attack in the first place, or not follow proper protocol to contain the threat and quickly recover
from it.
The design process of an IRP should concentrate on these aspects:
• To limit the ill effects of damage
• Recover lost data
• Get the systems up and working
Network administrator's responsibilities in designing an IRP are:
• Prepare an IRP as a preventive measure.
• Scan all log files on a daily basis to discover an attack in the earliest stage.
• After you detect an attack incident, immediately debrief your top officials.
• Follow the IRP steps and take appropriate actions to minimize the damage.
• Ensure the organization fully recovers from the attack.
• Take appropriate steps to prevent a similar kind of attack in the future.


User Access Control Policy

User access control policy gives an organization the ability to control, restrict, monitor, and
protect corporate resource availability, integrity, and confidentiality

• Who can access (people, process, machines)?

• What system resources can be accessed?

• What files can be read?

• What programs can be executed?

• How to share data with other entities?

The access control policy provides a way to control the interaction between users, systems and
resources. An access control policy helps an organization control, constrain and defend the
resource availability of an organization.
The access control policy should define:
• Who can access (people, process, machines)?
• What system resources can be accessed?
• What files can be read?
• What programs can be executed?
• How to share data with other entities?
The policy should address the typical Access Control Practices such as:
• Undefined user or unknown account logins should be prohibited.
• Powerful accounts such as an administrator account must be monitored continuously.
• Lock access to accounts after crossing a limited number of unsuccessful login attempts.
• Remove unused accounts.
• Administer strict access criteria.
• Enforce the need-to-know and least-privilege practices.
• Disable unrequired system features and unused ports.
• Restrict global access rules.
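Several of the practices listed above (rejecting unknown accounts, monitoring powerful accounts, locking accounts after repeated failures, removing unused accounts) can be checked against authentication logs. The following is an added example, not courseware code; the log format, account inventory, source addresses and lockout threshold are constructed for the illustration.

```python
"""Added example (not from the CND courseware): review constructed authentication
log lines against the access control practices in the policy above."""
import re
from collections import defaultdict

# Constructed sample authentication log; addresses and names are not real.
SAMPLE_LOG = """
2024-03-07T08:01:12 auth user=alice src=10.0.0.5 result=OK
2024-03-07T08:02:40 auth user=bob src=10.0.0.9 result=FAIL
2024-03-07T08:02:55 auth user=bob src=10.0.0.9 result=FAIL
2024-03-07T08:03:10 auth user=bob src=10.0.0.9 result=FAIL
2024-03-07T08:03:30 auth user=bob src=10.0.0.9 result=OK
2024-03-07T08:05:00 auth user=guest42 src=10.0.0.77 result=OK
2024-03-07T08:06:00 auth user=admin src=10.0.0.5 result=OK
"""

KNOWN_ACCOUNTS = {"alice", "bob", "carol", "admin"}  # constructed account inventory
PRIVILEGED = {"admin"}                                # "powerful" accounts to watch
LOCKOUT_THRESHOLD = 3                                 # failed attempts before lockout

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_access(events, known, privileged, threshold):
    """Apply the policy checks to a chronological event list and return a report."""
    failures = defaultdict(int)   # consecutive failures per account
    locked = set()                # accounts that should be locked by now
    seen = set()                  # known accounts that logged in during the window
    report = {"unknown_accounts": [], "locked": [], "lockout_bypassed": [],
              "privileged_logins": [], "unused_accounts": []}
    for ev in events:
        user = ev["user"]
        if user not in known:
            # Undefined or unknown account: every attempt is reportable.
            report["unknown_accounts"].append((ev["ts"], user, ev["src"]))
            continue
        seen.add(user)
        if ev["result"] == "FAIL":
            failures[user] += 1
            if failures[user] >= threshold and user not in locked:
                locked.add(user)
                report["locked"].append((ev["ts"], user))
            continue
        # Successful login from here on.
        if user in locked:
            # A success after the lockout point means the lockout is not enforced.
            report["lockout_bypassed"].append((ev["ts"], user, ev["src"]))
        else:
            failures[user] = 0
        if user in privileged:
            report["privileged_logins"].append((ev["ts"], user, ev["src"]))
    # Accounts never seen in the window are candidates for the "remove unused" review.
    report["unused_accounts"] = sorted(known - seen)
    return report


if __name__ == "__main__":
    result = review_access(parse_events(SAMPLE_LOG), KNOWN_ACCOUNTS, PRIVILEGED,
                           LOCKOUT_THRESHOLD)
    for key, items in result.items():
        print(f"{key}: {items}")
```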


Switch Security Policy

Switch security policy describes a required minimal security configuration for the
switches in the network

Design Considerations:

• Is the switch data monitored regularly?

• Are unnecessary services and applications blocked?

• Are all the stored passwords and sensitive data encrypted?

• Is the switch located in a restricted area?

A switch security policy should be based on the following aspects:

1. Monitor regularly: The data in the switch should be monitored regularly for smooth
network function.
2. Services and applications: It is not necessary to block all the services and applications of
the switch device. Block the items which are not required and those which are known to
be vulnerable.
3. Encryption: Administrators should encrypt all the stored data and passwords.
4. Restricted area: The switch should be physically located in a restricted area.
5. Configuring an L3 switch: If an organization is using an L3 switch, it should be configured
identically to the router policy.
A network administrator's switch policy responsibilities are:

1. Enable password: You should always maintain the 'enable password' option. This helps to
keep the switch in a secure encrypted form.
2. Timeout periods: Set session timeout periods on the switch so that idle sessions do not
keep the switch busy.
3. Privileges: Privileges should be enabled on all levels of the switch.
4. SSH: Administrators should avoid using Telnet as a communication channel. SSH has
proven to be more secure than Telnet. Use SSH with a strong password.


5. Port security: Port security limits MAC-based access, enhancing the security of the
switch. Limit MAC-based access by implementing port security.
6. Disable ports: Ports that are not used by the switch should be disabled. Administrators
can assign these ports to an unused VLAN number.
7. Configure trunk ports: Trunk ports carry traffic for all VLANs. A VLAN number that is not in
use should be used in the configuration of trunk ports.
8. VLAN restrictions: Use a static VLAN and limit the number of VLANs that can be
transported over the trunk.
9. AAA framework: The Authentication, Authorization and Accounting framework covers
access to computer resources, implementation of policies, and provision of information
about services. AAA provides local and remote access to the switch.
10. Switch logs: Set the switch to log data and then transfer it to a secure log host.
11. Disable the following if not in use:
• Cisco discovery protocol
• Dynamic trunking
• Scripting environments like TCL shell
12. Encryption: Enable password encryption and NTP configuration following the corporate
standard.
13. ACL: ACLs are to be configured following the organization hierarchy and requirements.
14. Disable VTP: If you are unable to disable VTP, then set the VTP management domain,
password, and pruning. After performing the above steps, set VTP to transparent mode.


Intrusion Detection and Prevention (IDS/IPS) Policy

The IDS and IPS policy facilitates detection and prevention of intrusion into the
organization's network

Design Considerations:

• Deployment of a standard IDS system

• Monitor log files of an IDS continuously

• Regularly update the intruder's definition in the IDS logic for all evolving threats

The policy for an IDS/IPS should facilitate the detection and prevention of intrusions in the
organization's network.
The IDS and IPS policy design should include the following components:
1. Deployment of a standard IDS system: For a successfully working IPS, administrators
should deploy a standard IDS system across the network. The successful deployment of an
IDS ensures threats will be detected and then prevented using the IPS standards.

2. Monitor log files of an IDS continuously: To monitor the activity on a network
continuously, administrators should actively audit and monitor the IDS.

3. Regular update: It is important for administrators to perform regular updates of the
intruder definitions in the IDS logic as threats evolve.

4. Need for IPS: It is advisable to deploy an IPS in large organizations. Deployment and
implementation of an IPS ensures threats are detected using the same detection logic as an
IDS and are then blocked from the network by its prevention mechanisms.


Encryption Policy

The encryption policy defines an acceptable use and management of encryption methods,
techniques, and tools throughout an enterprise

The policy is applicable to all enterprise network resources, users (staff, stakeholders etc.),
internal network (LAN, Wi-Fi) and remote (WAN) connections

Design Considerations: It should define encryption standards that need to be used in
enterprise wired/wireless data communication, servers, desktops, laptops, smart phones,
removable storage devices, USB memory sticks, VPN, Wi-Fi, etc.

The encryption policy sets universal standards for organizations to facilitate data protection. It
involves establishing business and technical strategies for accomplishing data security. The
encryption policy determines the need for data encryption and the process of encrypting it.
The encryption policy is applicable to large and small organizations. It is applicable to but not
limited to employees, partners, vendors, stakeholders, etc. It is necessary to understand every
aspect of the policy to implement it further across the organization. The encryption policy
defines the standards which can be deployed and implemented in electronic devices like
servers, laptops, smart phones, removable devices, etc.
Encryption policies should be designed based on the following points:
1. Encryption algorithm: Once the encryption policy is approved by management,
administrators should research the encryption algorithm which can be implemented in the
infrastructure.
2. Changes in hash functions: You should change the hash functions of the selected
algorithm, if required.
3. Type of key: As per the organization's requirement, administrators can use a symmetric or
asymmetric key for encrypting the data.
4. Verified certificates: Before installing any certificate on a server, administrators should
verify the authenticity of the certificate and its provider.
5. SSL and TLS certificate: Ensure the servers are using SSL and TLS and that both of these
have a trusted certificate.


Router policy describes a required minimal security configuration for all routers in the
network.

Design Considerations:
• User authentication
• Access rules
• Placement
• Password management
• Services required/disallowed/blocked

An organization should establish router policies for the smooth functioning of the IT
infrastructure.

The router policies should be designed based on the following points:

1. No local user account: Routers must use TACACS user authentication. Administrators
should not create local user accounts on the router.

2. Encryption: The router is secured by setting the 'enable secret' password on the router,
which is stored in a secure encrypted form.

3. Corporate Management System: All routers should be included in the corporate
enterprise management system with a designated point of contact.

4. Do not touch: Administrators should place warnings such as 'Do not touch' on the routers
to avoid any mishandling by employees.

5. Maintain standards: Routers should comply with the standards outlined in the Router IOS
Template.

6. Non-usage of SNMP: Administrators should use standardized corporate SNMP strings.
They should avoid using the 'public' and 'private' SNMP community strings.

7. Logging information: Administrators should ensure every router saves system logging
information to a local RAM buffer. The information should also be stored on a syslog
server.


8. Configuration of VTY: Virtual terminal (VTY) should be configured so it accepts
connections for the required set of protocols only.

9. Administrators should consider blocking the following services:

• Incoming packets with an invalid source address
• Incoming packets with spoofed source addresses (i.e. company names)
• TCP and UDP small services
• Source routing
• Web services running on the router
• IP directed broadcasts
• Cisco discovery protocol on all third party interfaces
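Most of the router policy items above correspond to settings that can be checked mechanically against a saved configuration. The following audit script is an added example (not EC-Council's or Cisco's code): it parses a constructed IOS-style configuration and reports each policy item it violates; the convention that an interface description containing EXTERNAL marks a third-party-facing interface is an assumption of this example, as is the sample configuration itself.

```python
import re
from typing import Dict, List

# Constructed IOS-style configuration (not from any real device); it deliberately
# violates several of the router policy items so the audit has something to report.
SAMPLE_CONFIG = """\
hostname edge-rtr1
username admin privilege 15 secret 5 $1$CONSTRUCTED$HASH
enable password letmein
service tcp-small-servers
ip source-route
ip http server
snmp-server community public RO
logging buffered 16384
cdp run
interface GigabitEthernet0/0
 description EXTERNAL link to ISP
 ip address 192.0.2.2 255.255.255.252
 ip directed-broadcast
line vty 0 4
 transport input all
"""

# Community strings the policy says must never be used.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
# Assumption of this example: a description containing this tag marks a third-party-facing interface.
THIRD_PARTY_TAG = "EXTERNAL"


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split the config into 'global' plus one block per 'interface'/'line' stanza (members are indented)."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                      # member of the open stanza
            blocks[current].append(raw.strip())
        elif re.match(r"^(interface|line)\s", raw):  # a new stanza begins
            current = raw.strip()
            blocks[current] = []
        else:                                        # back to global config
            current = "global"
            blocks["global"].append(raw.strip())
    return blocks


def audit_router_config(text: str) -> List[str]:
    """Return one finding per policy item the config violates (empty list = all checks passed).
    The invalid/spoofed source-address items need an ingress ACL review and are not covered."""
    cfg = parse_config(text)
    glob = cfg["global"]
    findings: List[str] = []

    def has(prefix: str, lines: List[str] = glob) -> bool:
        return any(line.startswith(prefix) for line in lines)

    # Item 1: TACACS authentication, no local accounts.
    if has("username "):
        findings.append("local user account configured; policy requires TACACS only")
    if not (has("aaa new-model") and has("tacacs")):
        findings.append("TACACS authentication (aaa new-model + tacacs server) not configured")
    # Item 2: privileged-mode secret stored in the encrypted 'enable secret' form.
    if not has("enable secret"):
        findings.append("'enable secret' not set")
    if has("enable password"):
        findings.append("'enable password' (weakly protected) is in use")
    # Item 6: corporate SNMP strings only, never public/private.
    for line in glob:
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}' in use")
    # Item 7: logging to the local RAM buffer and to a syslog server.
    if not has("logging buffered"):
        findings.append("logging to local RAM buffer not enabled")
    if not any(re.match(r"logging (host\s+)?\d+\.\d+\.\d+\.\d+", l) for l in glob):
        findings.append("no syslog server configured")
    # Item 8: VTY accepts only the required protocols (not 'all' or telnet).
    for name, lines in cfg.items():
        if name.startswith("line vty"):
            for line in lines:
                if line.startswith("transport input") and {"all", "telnet"} & set(line.split()):
                    findings.append(f"{name}: '{line}' permits more than the required protocols")
    # Item 9: services the policy says to block ('no <cmd>' lines start with 'no ' and never match).
    if has("service tcp-small-servers"):
        findings.append("TCP small servers enabled")
    if has("service udp-small-servers"):
        findings.append("UDP small servers enabled")
    if has("ip source-route"):
        findings.append("IP source routing enabled")
    if has("ip http server") or has("ip http secure-server"):
        findings.append("web service running on the router")
    for name, lines in cfg.items():
        if not name.startswith("interface"):
            continue
        if has("ip directed-broadcast", lines):
            findings.append(f"{name}: IP directed broadcasts enabled")
        third_party = any(THIRD_PARTY_TAG in l for l in lines if l.startswith("description"))
        if third_party and has("cdp run") and not has("no cdp enable", lines):
            findings.append(f"{name}: CDP enabled on a third-party-facing interface")
    return findings
```

Running `audit_router_config(SAMPLE_CONFIG)` reports twelve violations for the sample; a configuration that uses `aaa new-model` with a TACACS server, `enable secret`, a corporate SNMP string, buffered plus syslog logging, `transport input ssh` on the VTY lines and the `no` form of each blocked service returns an empty list.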


Security Policy Training and Awareness

• Security policy training teaches employees how to perform their duties and to comply with the
security policy.

• Organizations should train new employees before granting them access to the network, or
provide limited access until the completion of their training.

Advantages:
• Effective implementation of a security policy
• Policies are followed and not just enforced
• Creates awareness on compliance issues
• Helps an organization enhance their network security

The security policy training and procedures are required to ensure security and effective
network management.
• The security policy training program helps employees appropriately recognize and
respond to security threats in real time. The training teaches employees to understand the
importance of the data on their devices or systems. Employees adapt themselves to secure
computing habits.
• The security policy training provides employees with new updates and with awareness of
the probable vulnerabilities that can occur if they do not follow the policies.

• Security policy training and awareness helps minimize security breaches in the
organization. Early identification of a breach decreases the cost to the organization.

• Security policy awareness among users helps notify them about new security policies, by
publishing policy documentation and by developing descriptive security documentation
for users, etc.
• Employees following the security policy correctly reduces potential fines or legal actions.
• An effective training program will help employees monitor their computing behavior
and report their security concerns to management. The training will enhance overall
compliance with the company's security policies and procedures.


ISO Information Security Standards

Sr. No.  Standard             Objective
1        ISO/IEC 27001        Formal ISMS specification
2        ISO/IEC 27002        Information security controls
3        ISO/IEC 27003        ISMS implementation guide
4        ISO/IEC 27004        Information security metrics
5        ISO/IEC 27005        Information security risk management
6        ISO/IEC 27006        ISMS certification guide
7        ISO/IEC 27007        Management system auditing
8        ISO/IEC TR 27008     Technical auditing
9        ISO/IEC 27010        For inter-organisation communication
10       ISO/IEC 27011        ISO27k in telecoms

http://www.iso27001security.com

ISO Information Security Standards (Cont'd)

Sr. No.  Standard             Objective
11       ISO/IEC 27013        ISMS & ITU/service management
12       ISO/IEC 27013        ISMS & ITU/service management
13       ISO/IEC 27014        Information security governance
14       ISO/IEC TR 27015     ISO27k in financial services
15       ISO/IEC TR 27016     Information security economics
16       ISO/IEC 27017        Cloud security controls
17       ISO/IEC 27018        Cloud privacy
18       ISO/IEC TR 27019     Process control in energy
19       ISO/IEC 27031        ICT business continuity
20       ISO/IEC 27032        Cybersecurity

http://www.iso27001security.com



ISO Information Security Standards (Cont'd)

Sr. No.  Standard                    Objective
21       ISO/IEC 27033-1 to -5       Network security
22       ISO/IEC 27034-1 & -2        Application security
23       ISO/IEC 27035               Incident management
24       ISO/IEC 27036-1, -2 & -3    ICT supply chain
25       ISO/IEC 27037               Digital evidence [forensics]
26       ISO/IEC 27038               Document redaction
27       ISO/IEC 27039               Intrusion prevention
28       ISO/IEC 27040               Storage security
29       ISO/IEC 27041               Investigation assurance
30       ISO/IEC 27042               Analyzing digital evidence
31       ISO/IEC 27043               Incident investigation
32       ISO 27799                   ISO27k in healthcare

http://www.iso27001security.com

ISO/IEC 27001

Source: http://www.iso27001security.com

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of
activities concerning the management of information security risks. The ISMS is an overarching
management framework through which the organization identifies, analyzes and addresses its
information security risks. The ISMS ensures that the security arrangements are fine-tuned to
keep pace with changes to the security threats, vulnerabilities and business impacts - an
important aspect in such a dynamic field, and a key advantage of ISO27k's flexible risk-driven
approach as compared to, say, PCI-DSS.

ISO/IEC 27002

Source: http://www.iso27001security.com

ISO/IEC 27002 is relevant to all types of organizations, including commercial enterprises of all
sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government
departments and quasi-autonomous bodies - in fact any organization that handles and depends
on information. The specific information security risk and control requirements may differ in
detail, but there is a lot of common ground, for instance, most organizations need to address
the information security risks relating to their employees plus contractors, consultants and the
external suppliers of information services.


ISO/IEC 27003

Source: http://www.iso27001security.com

ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the
initiation of an ISMS implementation project. It describes the process of ISMS specification and
design from inception to the production of implementation project plans, covering the
preparation and planning activities prior to the actual implementation.

ISO/IEC 27004

Source: http://www.iso27001security.com

ISO/IEC 27004 concerns the measurements relating to information security management: these
are commonly known as 'security metrics'.

ISO/IEC 27005

Source: http://www.iso27001security.com
The standard provides guidelines for information security risk management and supports the
general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory
implementation of information security based on a risk management approach.

ISO/IEC 27006

Source: http://www.iso27001security.com

ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal
processes they must follow when auditing their client's Information Security Management
Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them compliant. The
accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates
issued by accredited organizations are valid.

ISO/IEC 27007

Source: http://www.iso27001security.com

ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors,
external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the
management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and
environmental management systems - "management systems" of course being the common
factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.


ISO/IEC TR 27008
Source: http://www.iso27001security.com
This standard provides guidance for all auditors regarding "information security management
system controls" [sic] selected through a risk-based approach (e.g. as presented in a statement
of applicability) for information security management. It supports the information security risk
management process and internal, external and third party audits of ISMS by explaining the
relationship between the ISMS and its supporting controls. It provides guidance on how to
verify the extent to which required "ISMS controls" are implemented. Furthermore, it supports
any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and
as a strategic platform for information security governance.

ISO/IEC 27010

Source: http://www.iso27001security.com
This standard provides guidance in relation to sharing information about information security
risks, controls, issues and/or incidents that span the boundaries between industry sectors
and/or nations, particularly those affecting "critical infrastructure".

ISO/IEC 27011
Source: http://www.iso27001security.com
This ISMS implementation guide for the telecom industry was developed jointly by ITU-T and
ISO/IEC JTC1/SC 27, with the identical text being published as both ITU-T X.1051 and ISO/IEC
27011.

ISO/IEC 27013
Source: http://www.iso27001security.com

This standard provides guidance on implementing an integrated information security and IT
service management system, based on both ISO/IEC 27001:2005 (ISMS) and ISO/IEC 20000-
1:2011.

ISO/IEC 27014
Source: http://www.iso27001security.com

ISO/IEC JTC1/SC 27, in collaboration with the ITU Telecommunication Standardization Sector
(ITU-T), has developed a standard specifically aimed at helping organizations govern their
information security arrangements.


ISO/IEC TR 27015
Source: http://www.iso27001security.com
This is a guideline intended to help financial services organizations (banks, insurance
companies, credit card companies etc.) implement ISMSs using the ISO27k standards.

Although the financial services sector already labors under a vast swathe of risk and security
standards (such as ISO TR 13569 "Banking Information Security Guidelines", SOX and Basel
II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC
27001 and 27002 along with various general-purpose security standards such as COBIT and the
PCI-DSS requirements.

ISO/IEC TR 27016

Source: http://www.iso27001security.com
It helps management appreciate and understand the financial impacts of information security
in the context of an ISO27k ISMS, along with political, social, compliance and other potential
impacts on the organization that collectively influence how much it needs to invest in
protecting its information assets.

ISO/IEC 27017
Source: http://www.iso27001security.com
This standard provides guidance on the information security aspects of cloud computing,
recommending and assisting with the implementation of a cloud-specific information security
controls supplementing the guidance in ISO/IEC 27002 and other ISO27k standards.

ISO/IEC 27018
Source: http://www.iso27001security.com
This standard provides guidance aimed at ensuring that cloud service providers (such as
Amazon and Google) offer suitable information security controls to protect the privacy of their
customer's clients by securing PII ( Personally Identifiable Information) entrusted to them. The
standard will be followed by ISO/IEC 27017 covering the wider information security angles of
cloud computing, other than privacy.

ISO/IEC TR 27019
Source: http://www.iso27001security.com
This standard (a Technical Report) is intended to help organizations in "the energy industry"
interpret and apply ISO/IEC 27002:2005 in order to secure their electronic process control
systems.


ISO/IEC 27031

Source: http://www.iso27001security.com

ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information
and communications technology in ensuring business continuity.

The standard:
• Suggests a structure or framework (actually a set of methods and processes) for any
organization - private, governmental, and non-governmental.

• Identifies and specifies all relevant aspects including performance criteria, design, and
implementation details, for improving ICT readiness as part of the organization's ISMS,
helping to ensure business continuity.

• Enables an organization to measure its ICT continuity, security and hence readiness to
survive a disaster in a consistent and recognized manner.

ISO/IEC 27032

Source: http://www.iso27001security.com
ISO/IEC 27032 addresses "Cybersecurity" or "Cyberspace security", defined as the
"preservation of confidentiality, integrity and availability of information in the Cyberspace". In
turn "the Cyberspace" (complete with definite article) is defined as "the complex environment
resulting from the interaction of people, software and services on the Internet by means of
technology devices and networks connected to it, which does not exist in any physical form".

ISO/IEC 27033-1 to -5

Source: http://www.iso27001security.com

ISO/IEC 27033 is a multi-part standard derived from the existing five-part network security
standard ISO/IEC 18028. It is being substantially revised, not just renamed, to fit into
the ISO27k suite.

ISO/IEC 27034-1 & -5

Source: http://www.iso27001security.com

ISO/IEC 27034 offers guidance on information security to those specifying, designing and
programming or procuring, implementing and using application systems, in other
words business and IT managers, developers and auditors, and ultimately the end-users of ICT.
The aim is to ensure that computer applications deliver the desired or necessary level of
security in support of the organization's Information Security Management System, adequately
addressing many ICT security risks.


ISO/IEC 27035

Source: http://www.iso27001security.com
Information security controls are imperfect in various ways: controls can be overwhelmed or
undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g.
authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or
less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never
even conceived due to failures upstream in risk identification and analysis). Consequently,
information security incidents are bound to occur to some extent, even in organizations that
take their information security extremely seriously.

ISO/IEC 27036-1, -2 & -3

Source: http://www.iso27001security.com

ISO/IEC 27036 is a multi-part standard offering guidance on the evaluation and treatment of
information security risks involved in the acquisition of goods and services from suppliers. The
implied context is business-to-business relationships, rather than retailing, and information-
related products. The terms acquisition and acquirer are used rather than purchase and
purchasing since the process and the risks are much the same whether or not the transactions
are commercial.

ISO/IEC 27037

Source: http://www.iso27001security.com

This standard provides guidance on identifying, gathering/collecting/acquiring, handling and
protecting/preserving digital forensic evidence, i.e. "digital data that may be of evidential value"
for use in court. The fundamental purpose of the ISO27k digital forensics standards is to
promote best practice methods and processes for forensic capture and investigation of digital
evidence. While individual investigators, organizations and jurisdictions may well retain certain
methods, processes and controls, it is hoped that standardization will (eventually) lead to the
adoption of similar, if not identical approaches internationally, making it easier to compare,
combine and contrast the results of such investigations even when performed by different
people or organizations and potentially across different jurisdictions.

ISO/IEC 27038

Source: http://www.iso27001security.com
Digital data sometimes have to be revealed to third parties, occasionally even published to the
public, for reasons such as disclosure of official documents under Freedom of Information laws
or as evidence in commercial disputes or legal cases. 'Redaction' is the conventional term for
the process of denying file recipients' knowledge of certain sensitive data within the original
files.


ISO/IEC 27039

Source: http://www.iso27001security.com
IDS (Intrusion Detection Systems) are largely automated systems for identifying attacks on and
intrusions into a network or system by hackers and raising the alarm. IPS (Intrusion Prevention
Systems) take the automation a step further by automatically responding to certain types of
identified attack, for example by closing off specific network ports through a firewall to block
identified hacker traffic. IDPS refers to either type.

ISO/IEC 27040

Source: http://www.iso27001security.com
The proposers of this standard felt that the information security aspects of data storage
systems and infrastructures have been neglected due to misconceptions and limited familiarity
with the storage technology, or in the case of [some] storage managers and administrators, a
limited understanding of the inherent risks or basic security concepts.

ISO/IEC 27041

Source: http://www.iso27001security.com
The fundamental purpose of the ISO27k digital forensics standards is to promote best practice
methods and processes for forensic capture and investigation of digital evidence. While
individual investigators, organizations and jurisdictions may well retain certain methods,
processes and controls, it is hoped that standardization will (eventually) lead to the adoption of
similar, if not identical approaches internationally, making it easier to compare, combine and
contrast the results of such investigations even when performed by different people or
organizations and potentially across different jurisdictions.

ISO/IEC 27042

Source: http://www.iso27001security.com
The fundamental purpose of the ISO27k digital forensics standards is to promote best practice
methods and processes for forensic capture and investigation of digital evidence. While
individual investigators, organizations and jurisdictions may well retain certain methods,
processes and controls, it is hoped that standardization will (eventually) lead to the adoption of
similar, if not identical approaches internationally, making it easier to compare, combine and
contrast the results of such investigations even when performed by different people or
organizations and potentially across different jurisdictions.

ISO/IEC 27043

Source: http://www.iso27001security.com

The fundamental purpose of the digital forensics standards ISO/IEC 27037, 27041, 27042,
27043 and 27050 is to promote best practice methods and processes for forensic capture and
investigation of digital evidence. While individual investigators, organizations and jurisdictions
may well retain certain methods, processes and controls, it is hoped that standardization will
(eventually) lead to the adoption of similar, if not identical approaches internationally, making
it easier to compare, combine and contrast the results of such investigations even when
performed by different people or organizations and potentially across different jurisdictions.

ISO 27799

Source: http://www.iso27001security.com
This International Standard provides guidance to healthcare organizations and other custodians
of personal health information on how best to protect the confidentiality, integrity and
availability of such information by implementing ISO/IEC 27002. Specifically, this International
Standard addresses the special information security management needs of the health sector
and its unique operating environments. While the protection and security of personal
information is important to all individuals, corporations, institutions and governments, there
are special requirements in the health sector that need to be met to ensure the confidentiality,
integrity, adaptability, and availability of personal health information.


ISO/IEC 27001:2013: Information Technology - Security Techniques - Information Security
Management Systems - Requirements

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the organization.
It is intended to be suitable for several different types of use, including the following:

• Use within organizations to formulate security requirements and objectives
• Use within organizations as a way to ensure that security risks are cost effectively managed
• Use within organizations to ensure compliance
• Use by organizations to provide relevant information about information security to customers
• Identification and clarification of existing information security management processes
• Use by the management of organizations to determine the status of information security
management activities
• Implementation of business-enabling information security
• Definition of new information security management processes

http://www.iso.org

ISO/IEC 27001:2013 (Cont'd)

ISO/IEC 27001:2013 specifies 114 controls in 14 groups and 35 control objectives

Sr. No.  Group  Control Objectives
01       A.5    Information security policies (2 controls)
02       A.6    Organization of information security (7 controls)
03       A.7    Human resource security - 6 controls that are applied before, during, or after
                employment
04       A.8    Asset management (10 controls)
05       A.9    Access control (14 controls)
06       A.10   Cryptography (2 controls)
07       A.11   Physical and environmental security (15 controls)



ISO/IEC 27001:2013 (Cont'd)

Sr. No.  Group  Control Objectives
08       A.12   Operations security (14 controls)
09       A.13   Communications security (7 controls)
10       A.14   System acquisition, development and maintenance (13 controls)
11       A.15   Supplier relationships (5 controls)
12       A.16   Information security incident management (7 controls)
13       A.17   Information security aspects of business continuity management (4 controls)
14       A.18   Compliance; with internal requirements, such as policies, and with external
                requirements, such as laws (8 controls)

Structure of ISO/IEC 27001:2013

ISO/IEC 27001:2013 has ten short clauses:

1. Scope of the standard
2. How the document is referenced
3. Reuse of the terms and definitions in ISO/IEC 27000
4. Organizational context and stakeholders
5. Information security leadership and high-level support for policy
6. Planning an information security management system; risk assessment; risk treatment
7. Supporting an information security management system
8. Making an information security management system operational
9. Reviewing the system's performance
10. Corrective action



ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining,
and continually improving an information security management system within the context of
the organization. It also includes requirements for the assessment and treatment of
information security risks tailored to the needs of the organization.

ISO/IEC 27001:2013 specifies 114 controls in 14 groups and 35 control objectives:

• A.5: Information security policies (2 controls)
• A.6: Organization of information security (7 controls)
• A.7: Human resource security - 6 controls that are applied before, during, or after
employment
• A.8: Asset management (10 controls)
• A.9: Access control (14 controls)
• A.10: Cryptography (2 controls)
• A.11: Physical and environmental security (15 controls)
• A.12: Operations security (14 controls)
• A.13: Communications security (7 controls)
• A.14: System acquisition, development and maintenance (13 controls)
• A.15: Supplier relationships (5 controls)
• A.16: Information security incident management (7 controls)
• A.17: Information security aspects of business continuity management (4 controls)
• A.18: Compliance; with internal requirements, such as policies, and with external
requirements, such as laws (8 controls)

ISO/IEC 27001:2013 has the following sections:

1. Introduction: The standard uses a process approach.

2. Scope: It specifies generic ISMS requirements suitable for organizations of any type, size
or nature.

3. Normative references: Only ISO/IEC 27000 is considered essential to users of '27001: the
remaining ISO27k standards are optional.

4. Terms and definitions: A brief, formalized glossary, soon to be superseded by ISO/IEC
27000.

5. Context of the organization: Understanding the organizational context, the needs and
expectations of 'interested parties', and defining the scope of the ISMS. Section 4.4 states
very plainly that "The organization shall establish, implement, maintain and continually
improve" a compliant ISMS.


6. Leadership: Top management must demonstrate leadership and commitment to the
ISMS, mandate policy, and assign information security roles, responsibilities and
authorities.

7. Planning: Outlines the process to identify, analyze and plan to treat information security
risks, and clarify the objectives of information security.

8. Support: Adequate, competent resources must be assigned, awareness raised,
documentation prepared and controlled.

9. Operation: A bit more detail about assessing and treating information security risks,
managing changes, and documenting things (partly so that they can be audited by the
certification auditors).

10. Performance evaluation: Monitor, measure, analyze and evaluate/audit/review the
information security controls, processes and management system in order to make
systematic improvements where appropriate.

11. Improvement: Address the findings of audits and reviews (e.g. nonconformities and
corrective actions); make continual refinements to the ISMS.

Source: http://www.iso27001security.com


ISO/IEC 27033: Information technology -- Security techniques -- Network security

• ISO/IEC 27033-1:2015 provides an overview of network security and related definitions. It
defines and describes the concepts associated with, and provides management guidance on,
network security.

• It provides a detailed vocabulary of terms associated with information security and
networking.

• It addresses issues regarding the implementation and operation of network security
controls, as well as the ongoing monitoring and review process.

"The purpose of ISO/IEC 27033 is to provide detailed guidance on the security aspects of the
management, operation and use of information system networks, and their interconnections.
Those individuals within an organization that are responsible for information security in
general, and network security in particular, should be able to adapt the material in this
standard to meet their specific requirements." [quoted from the introduction to ISO/IEC 27033-1]

ISO/IEC 27033 provides detailed guidance on implementing the network security controls that
are introduced in ISO/IEC 27002. It applies to the security of networked devices and the
management of their security, network applications/services and users of the network, in
addition to the security of information being transferred through communications links. It is
aimed at network security architects, designers, managers and officers.

Source: http://www.iso27001security.com


Payment Card Industry Data Security Standard (PCI DSS)

• The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
security standard for organizations that handle cardholder information for the major debit,
credit, prepaid, e-purse, ATM, and POS cards.

• PCI DSS applies to all entities involved in payment card processing, including merchants,
processors, acquirers, issuers, and service providers, as well as all other entities that store,
process or transmit cardholder data.

• High-level overview of the PCI DSS requirements, developed and maintained by the Payment
Card Industry (PCI) Security Standards Council:

PCI Data Security Standard - High Level Overview
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

https://www.pcisecuritystandards.org

• Failure to meet the PCI DSS requirements may result in fines or termination of payment card
processing privileges.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
security standard for organizations that handle cardholder information for the major debit,
credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive
requirements and supporting materials to enhance payment card data security. These
materials include a framework of specifications, tools, measurements, and support resources
to help organizations ensure the safe handling of cardholder information. PCI DSS applies to
all entities involved in payment card processing, including merchants, processors, acquirers,
issuers, and service providers, as well as all other entities that store, process or transmit
cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder
data. The requirements are developed and maintained by the Payment Card Industry (PCI)
Security Standards Council, and the slide above gives a high-level overview of them.

Source: https://www.pcisecuritystandards.org


Health Insurance Portability and Accountability Act (HIPAA)

HIPAA's Administrative Simplification Statute and Rules:

• Electronic Transactions and Code Sets Standards: Requires every provider who does business
electronically to use the same health care transactions, code sets, and identifiers.

• Privacy Rule: Provides federal protections for personal health information held by covered
entities and gives patients an array of rights with respect to that information.

• Security Rule: Specifies a series of administrative, physical, and technical safeguards for
covered entities to use and assure the confidentiality, integrity, and availability of
electronic protected health information.

• Identifier Standards: Requires that health care providers, health plans, and employers have
standard national numbers that identify them on standard transactions.

• Enforcement Rule: Provides standards for enforcing all the Administrative Simplification
Rules.

http://www.hhs.gov

The HIPAA Privacy Rule provides federal protections for individually identifiable health
information held by covered entities and their business associates and gives patients an array of
rights with respect to that information. At the same time, the Privacy Rule permits the
disclosure of health information needed for patient care and other important purposes. The
Security Rule specifies a series of administrative, physical, and technical safeguards for covered
entities and their business associates to assure the confidentiality, integrity, and availability of
electronic protected health information.
The Office for Civil Rights (OCR) of the Department of Health and Human Services implemented
HIPAA's Administrative Simplification Statute and Rules, as discussed below:

• Electronic Transaction and Code Sets Standards

Transactions are electronic exchanges involving the transfer of information between two
parties for specific purposes. The Health Insurance Portability and Accountability Act of
1996 (HIPAA) named certain types of organizations as covered entities, including health
plans, health care clearinghouses, and certain health care providers. In the HIPAA
regulations, the Secretary of Health and Human Services (HHS) adopted certain standard
transactions for Electronic Data Interchange (EDI) of health care data. These transactions
are claims and encounter information, payment and remittance advice, claim status,
eligibility, enrollment and disenrollment, referrals and authorizations, coordination of
benefits and premium payment. Under HIPAA, if a covered entity conducts one of the
adopted transactions electronically, they must use the adopted standard, either from
ASC X12N or NCPDP (for certain pharmacy transactions). Covered entities must adhere to
the content and format requirements of each transaction.

• Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical
records and other personal health information and applies to health plans, health care
clearinghouses, and those health care providers that conduct certain health care
transactions electronically. The Rule requires appropriate safeguards to protect the
privacy of personal health information, and sets limits and conditions on the uses and
disclosures that may be made of such information without patient authorization. The Rule
also gives patients rights over their health information, including rights to examine and
obtain a copy of their health records, and to request corrections.

• Security Rule

The HIPAA Security Rule establishes national standards to protect individuals' electronic
personal health information that is created, received, used, or maintained by a covered
entity. The Security Rule requires appropriate administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and availability of electronic protected
health information.

• Employer Identifier Standard

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that
employers have standard national numbers that identify them on standard transactions.

• National Provider Identifier Standard (NPI)

The National Provider Identifier (NPI) is a Health Insurance Portability and Accountability
Act (HIPAA) Administrative Simplification Standard. The NPI is a unique identification
number for covered health care providers. Covered health care providers and all health
plans and health care clearinghouses must use the NPIs in the administrative and financial
transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric
identifier (10-digit number). This means that the numbers do not carry other information
about healthcare providers, such as the state in which they live or their medical specialty.

• Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and
investigations, the imposition of civil money penalties for violations of the HIPAA
Administrative Simplification Rules, and procedures for hearings.

Source: http://www.hhs.gov


Information Security Acts: Sarbanes Oxley Act (SOX)

• Sarbanes-Oxley is a United States federal law that sets new or enhanced standards for all
US public company boards, management, and accounting firms.

• The rules and enforcement policies outlined by the SOX Act amend or supplement existing
legislation dealing with securities regulations.

Section 302
• A mandate that requires senior management to certify the accuracy of the reported
financial statement
• CEOs and CFOs of accounting company's clients must sign statements verifying the
completeness and accuracy of the financial reports

Section 404
• A requirement that management and auditors establish internal controls and reporting
methods on the adequacy of those controls
• CEOs, CFOs, and auditors must report on, and attest to, the effectiveness of internal
controls for financial reporting

Enacted in 2002, the Sarbanes-Oxley Act aims to protect investors and the public by increasing
the accuracy and reliability of corporate disclosures. This act does not explain how an
organization needs to store records, but describes records that organizations need to store and
the duration of the storage. The Act mandated a number of reforms to enhance corporate
responsibility, enhance financial disclosures and combat corporate and accounting fraud.

Key requirements and provisions of SOX are organized into 11 titles:

• Title I: Public Company Accounting Oversight Board (PCAOB)

Title I consists of nine sections and establishes the Public Company Accounting Oversight
Board, to provide independent oversight of public accounting firms providing audit
services ("auditors"). It also creates a central oversight board tasked with registering audit
services, defining the specific processes and procedures for compliance audits, inspecting
and policing conduct and quality control, and enforcing compliance with the specific
mandates of SOX.

• Title II: Auditor Independence

Title II consists of nine sections and establishes standards for external auditor
independence, to limit conflicts of interest. It also addresses new auditor approval
requirements, audit partner rotation, and auditor reporting requirements. It restricts
auditing companies from providing non-audit services (e.g., consulting) for the same
clients.


• Title III: Corporate Responsibility

Title III consists of eight sections and mandates that senior executives take individual
responsibility for the accuracy and completeness of corporate financial reports. It defines
the interaction of external auditors and corporate audit committees, and specifies the
responsibility of corporate officers for the accuracy and validity of corporate financial
reports. It enumerates specific limits on the behaviors of corporate officers and describes
specific forfeitures of benefits and civil penalties for non-compliance.

• Title IV: Enhanced Financial Disclosures

Title IV consists of nine sections. It describes enhanced reporting requirements for
financial transactions, including off-balance-sheet transactions, pro-forma figures and
stock transactions of corporate officers. It requires internal controls for assuring the
accuracy of financial reports and disclosures, and mandates both audits and reports on
those controls. It also requires timely reporting of material changes in financial condition
and specific enhanced reviews by the SEC or its agents of corporate reports.

• Title V: Analyst Conflicts of Interest

Title V consists of only one section, which includes measures designed to help restore
investor confidence in the reporting of securities analysts. It defines the codes of conduct
for securities analysts and requires disclosure of knowable conflicts of interest.

• Title VI: Commission Resources and Authority

Title VI consists of four sections and defines practices to restore investor confidence in
securities analysts. It also defines the SEC's authority to censure or bar securities
professionals from practice and defines conditions to bar a person from practicing as a
broker, advisor, or dealer.

• Title VII: Studies and Reports

Title VII consists of five sections and requires the Comptroller General and the Securities
and Exchange Commission (SEC) to perform various studies and report their findings.
Studies and reports include the effects of consolidation of public accounting firms, the
role of credit rating agencies in the operation of securities markets, securities violations,
and enforcement actions, and whether investment banks assisted Enron, Global Crossing,
and others to manipulate earnings and obfuscate true financial conditions.

• Title VIII: Corporate and Criminal Fraud Accountability

Title VIII, also known as the "Corporate and Criminal Fraud Accountability Act of 2002,"
consists of seven sections. It describes specific criminal penalties for manipulation,
destruction, or alteration of financial records or other interference with investigations,
while providing certain protections for whistle-blowers.


• Title IX: White-Collar-Crime Penalty Enhancement

Title IX, also known as the "White Collar Crime Penalty Enhancement Act of 2002,"
consists of six sections. This title increases the criminal penalties associated with white-
collar crimes and conspiracies. It recommends stronger sentencing guidelines and
specifically adds failure to certify corporate financial reports as a criminal offense.

• Title X: Corporate Tax Returns

Title X consists of one section and states that the Chief Executive Officer should sign the
company tax return.

• Title XI: Corporate Fraud Accountability

Title XI consists of seven sections. Section 1101 gives this title its name: "Corporate Fraud
Accountability Act of 2002." It identifies corporate fraud and records tampering as criminal
offenses and ties those offenses to specific penalties. It also revises sentencing guidelines
and strengthens their penalties, and it enables the SEC to temporarily freeze "large" or
"unusual" transactions or payments.

Source: www.soxlaw.com


Information Security Acts: Gramm-Leach-Bliley Act (GLBA)

The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information
between institutions and banks while making the rights of the individual more specific
through security requirements.

Key Points Include:

• Protecting consumers' personal financial information held by financial institutions and
their service providers

• The officers and directors of the financial institution shall be subject to, and personally
liable for, a civil penalty of not more than $10,000 for each violation. Although the penalty
is small, it is easy to see how it could impact a bank.

The Gramm-Leach-Bliley Act requires financial institutions - companies that offer consumers
financial products or services like loans, financial or investment advice, or insurance - to explain
their information-sharing practices to their customers and to safeguard sensitive data.

Source: https://www.ftc.gov


Information Security Acts: The Digital Millennium Copyright Act (DMCA) and Federal
Information Security Management Act (FISMA)

The Digital Millennium Copyright Act (DMCA)

• The DMCA is a United States copyright law that implements two 1996 treaties of the World
Intellectual Property Organization (WIPO).

• It defines legal prohibitions against the circumvention of technological protection
measures employed by copyright owners to protect their works, and against the removal or
alteration of copyright management information.

http://www.copyright.gov

Federal Information Security Management Act (FISMA)

• The FISMA provides a comprehensive framework for ensuring the effectiveness of information
security controls over information resources that support Federal operations and assets.

• It includes:
  • Standards for categorizing information and information systems by mission impact
  • Standards for minimum security requirements for information and information systems
  • Guidance for selecting appropriate security controls for information systems
  • Guidance for assessing security controls in information systems and determining security
    control effectiveness
  • Guidance for the security authorization of information systems

http://csrc.nist.gov

The Digital Millennium Copyright Act (DMCA)

The DMCA is a United States copyright law that implements two 1996 treaties of the World
Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO
Performances and Phonograms Treaty. It defines legal prohibitions against circumvention of
technological protection measures employed by copyright owners to protect their works, and
against the removal or alteration of copyright management information in order to implement
US treaty obligations. The DMCA contains five titles:

• Title I: WIPO TREATY IMPLEMENTATION

Title I implements the WIPO treaties. First, it makes certain technical amendments to US
law, in order to provide appropriate references and links to the treaties. Second, it creates
two new prohibitions in Title 17 of the U.S. Code, one on circumvention of technological
measures used by copyright owners to protect their works and one on tampering with
copyright management information, and adds civil remedies and criminal penalties for
violating the prohibitions.

• Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION

Title II of the DMCA adds a new section 512 to the Copyright Act to create four new
limitations on liability for copyright infringement by online service providers. The
limitations are based on the following four categories of conduct by a service provider:

• Transitory communications

• System caching

• Storage of information on systems or networks at direction of users

• Information location tools


New section 512 also includes special rules concerning the application of these limitations
to nonprofit educational institutions.

• Title III: COMPUTER MAINTENANCE OR REPAIR

Title III of the DMCA allows the owner of a copy of a program to make reproductions or
adaptations when necessary to use the program in conjunction with a computer. The
amendment permits the owner or lessee of a computer to make or authorize the making
of a copy of a computer program in the course of maintaining or repairing that computer.

• Title IV: MISCELLANEOUS PROVISIONS

Title IV contains six miscellaneous provisions. The first provision provides clarification of
the authority of the Copyright Office. The second provision grants an exemption for the
making of "ephemeral recordings". The third provision promotes distance education
study. The fourth provision provides an exemption for nonprofit libraries and archives.
The fifth provision allows webcasting amendments to the Digital Performance Right in
Sound Recordings, and the sixth provision addresses concerns about the ability of writers,
directors and screen actors to obtain residual payments for the exploitation of motion
pictures in situations in which the producer is no longer able to make these payments.

• Title V: PROTECTION OF CERTAIN ORIGINAL DESIGNS


Title V of the DMCA, entitled the Vessel Hull Design Protection Act (VHDPA), creates a
new system for protecting original designs of certain useful articles that make the article
attractive or distinctive in appearance. For purposes of the VHDPA, "useful articles" are
limited to the hulls (including the decks) of vessels no longer than 200 feet.

Federal Information Security Management Act (FISMA)

The Federal Information Security Management Act of 2002 (FISMA) led to the production of
several key security standards and guidelines required by Congressional legislation. It requires
each federal agency to develop, document, and implement an agency-wide program to provide
information security for the information and information systems that support the operations
and assets of the agency, including those provided or managed by another agency, contractor,
or other source.

Sources: http://www.copyright.gov, http://csrc.nist.gov


Other Information Security Acts and Laws

• USA Patriot Act 2001
• The Audit Investigation and Community Enterprise Act 2005
• The Human Rights Act 1998
• Freedom of Information Act (FOIA)
• The Electronic Communications Privacy Act
• Computer Fraud and Abuse Act

USA Patriot Act 2001

Source: https://www.fincen.gov

The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States
and around the world, to enhance law enforcement investigatory tools, and other purposes,
some of which include:

• To strengthen U.S. measures to prevent, detect and prosecute international money
laundering and financing of terrorism

• To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and
classes of international transactions or types of accounts that are susceptible to criminal
abuse

• To require all appropriate elements of the financial services industry to report potential
money laundering

• To strengthen measures to prevent use of the U.S. financial system for personal gain by
corrupt foreign officials and facilitate repatriation of stolen assets to the citizens of
countries to whom such assets belong.


The Data Protection Act 1998

Source: https://www.gov.uk
The Data Protection Act controls how your personal information is used by organizations,
businesses or the government. Everyone responsible for using data has to follow strict rules
called 'data protection principles'. They must make sure the information is:

• used fairly and lawfully

• used for limited, specifically stated purposes

• used in a way that is adequate, relevant and not excessive

• accurate

• kept for no longer than is absolutely necessary

• handled according to people's data protection rights

• kept safe and secure

• not transferred outside the European Economic Area without adequate protection

Freedom of Information Act (FOIA)

Source: http://www.foia.gov
The Freedom of Information Act (FOIA) provides the public the right to request access to
records from any federal agency. It is often described as the law that keeps citizens in the know
about their government. Federal agencies are required to disclose any information requested
under the FOIA unless it falls under one of nine exemptions, which protect interests such as
personal privacy, national security, and law enforcement.

The Electronic Communications Privacy Act

Source: https://it.ojp.gov
The Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act
are commonly referred together as the Electronic Communications Privacy Act (ECPA) of
1986. The ECPA updated the Federal Wiretap Act of 1968, which addressed interception of
conversations using "hard" telephone lines, but did not apply to interception of computer and
other digital and electronic communications. Several subsequent pieces of legislation, including
The USA PATRIOT Act, clarify and update the ECPA to keep pace with the evolution of new
communications technologies and methods, including easing restrictions on law enforcement
access to stored communications in some cases.

The Audit Investigation and Community Enterprise Act 2005

Source: http://www.legislation.gov.uk

An Act to amend the law relating to company auditors and accounts, to the provision that may
be made in respect of certain liabilities incurred by a company's officers, and to company
investigations; to make provision for community interest companies; and for connected
purposes.


The Human Rights Act 1998

Source: http://www.legislation.gov.uk
An Act to give further effect to rights and freedoms guaranteed under the European
Convention on Human Rights; to make provision with respect to holders of certain judicial
offices who become judges of the European Court of Human Rights; and for connected
purposes.

The Freedom of Information Act 2000

Source: http://www.legislation.gov.uk
An Act to make provision for the disclosure of information held by public authorities or by
persons providing services for them and to amend the Data Protection Act 1998 and the Public
Records Act 1958; and for connected purposes.

Computer Fraud and Abuse Act

Source: https://ilt.eff.org

The Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, is an amendment made in 1986
to the Counterfeit Access Device and Abuse Act that was passed in 1984. It essentially states
that whoever intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains information from any protected computer, shall be punished under
the Act if the conduct involved an interstate or foreign communication. In 1996 the CFAA was
again broadened by an amendment that replaced the term "federal interest computer" with
the term "protected computer" (18 U.S.C. § 1030). While the CFAA is primarily a criminal law
intended to reduce the instances of malicious interference with computer systems and to
address federal computer offenses, an amendment in 1994 allows civil actions to be brought
under the statute as well.


Cyber Law in Different Countries

Country Name / Laws/Acts / Website

United States
• Section 107 of the Copyright Law mentions the doctrine of "fair use" (http://www.copyright.gov)
• Online Copyright Infringement Liability Limitation Act (http://www.copyright.gov)
• The Lanham (Trademark) Act (15 USC §§ 1051 - 1127) (http://www.uspto.gov)
• The Electronic Communications Privacy Act (https://www.fas.org)
• Foreign Intelligence Surveillance Act (https://www.fas.org)
• Protect America Act of 2007 (http://www.justice.gov)
• Privacy Act of 1974 (http://www.justice.gov)
• National Information Infrastructure Protection Act of 1996 (http://www.nrotc.navy.mil)
• Computer Security Act of 1987 (http://csrc.nist.gov)
• Federal Information Security Management Act (FISMA) (http://csrc.nist.gov)
• The Digital Millennium Copyright Act (DMCA) (http://www.copyright.gov)
• Sarbanes Oxley Act (SOX) (https://www.sec.gov)


Australia
• The Trade Marks Act 1995 (http://www.comlaw.gov.au)
• The Patents Act 1990 (http://www.comlaw.gov.au)
• The Copyright Act 1968 (http://www.comlaw.gov.au)
• Cybercrime Act 2001 (http://www.comlaw.gov.au)

United Kingdom
• The Copyright, Etc. and Trademarks (Offenses And Enforcement) Act 2002 (http://www.legislation.gov.uk)
• Trademarks Act 1994 (TMA) (http://www.legislation.gov.uk)
• Computer Misuse Act 1990 (http://www.legislation.gov.uk)

China
• Copyright Law of People's Republic of China (Amendments on October 27, 2001) (http://www.npc.gov.cn)
• Trademark Law of the People's Republic of China (Amendments on October 27, 2001) (http://www.saic.gov.cn)

India
• The Patents (Amendment) Act, 1999, Trade Marks Act, 1999, The Copyright Act, 1957 (http://www.ipindia.nic.in)
• Information Technology Act (http://www.dot.gov.in)

Germany
• Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage (http://www.cybercrimelaw.net)


Country Name Laws/Acts Website

Penal Code Article 615 ter http://www.cybercrimelaw.net

The Trademark Law {Law No. 127 of 1957), Copyright Management


Japan http://www.iip.or.jp
Business Law (4.2.2.3 of 2000)

Copyright Act (R.S.C., 1985, c. C-42), Tradema rk Law, Canadian Criminal


Canada http://www.laws-l ois.justice .gc.ca
Code Section 342.1

: ... Computer Misuse Act http://www.statutes.agc.gov.sg

Tradema rks Act 194 of 1993 http://www.cipc.co.za

Copyright Act of 1978 http://www.nlsa.ac.za

Copyright Law Act No. 3916 http://home.heinonline.org

Industrial Design Protection Act http://www.kipo.go.kr

Copyright Law, 30/06/1994 http://www.wipo.int

Computer Hacking http://www.cybercrimelaw.net

Unauthorized modification or alteration of the information system http://www.mosstingrett.no

Article 139 of the Basic Law http://www.basiclaw.gov.hk


• Security policies outline constraints using rules and regulations concerning every aspect of an organization's network security

• The security policy is an integral part of the Information Security Management Program for organizations

• Security Policy Training and Awareness is required for effective implementation of security policies


In this module, you have learned the various aspects of security policies, such as the role of
security policies, their characteristics, policy content, policy statements, types of information
security policy, etc.

Through design considerations, the module also provided guidance on how to design a policy
statement for various types of security policies for your organization. The module also taught
you the various laws and standards that you may need to comply with.

Physical Security
Module 05

Certified Network Defender
Module 05: Physical Security
Exam 312-38


After network policy design and implementation, the next step is the physical security of the
network and its equipment. According to John Canavan, the first rule of security is to physically
safeguard the systems and networks. Organizations should consider placing appropriate
physical security controls to deal with unauthorized physical access, personal security threats,
and environmental threats. The administrator should ensure that all the physical security
measures are in place and working properly in order to keep the organization away from
physical security threats.

As stated in the HIPAA Security Rule, physical safeguards are "physical measures, policies, and
procedures to protect a covered entity's electronic information systems and related buildings
and equipment, from natural and environmental hazards, and unauthorized intrusion."


• Understanding physical security
• Discussing the need of physical security
• Discussing the factors affecting physical security
• Describing various physical security controls
• Understanding the selection of appropriate physical security controls
• Describing various access control authentication techniques
• Understanding workplace security
• Understanding personnel security
• Describing environmental controls
• Understanding the importance of physical security awareness and training


Physical security deals with the security of physical devices, personnel, networks and data from
attacks. Any damage to the physical devices or the data may lead to the loss of information and
increased cost to the organization. The security of the data, networks and devices includes
protection from environmental and man-made threats. Organizations need to use appropriate
preventive measures to ensure physical security. The organization should consider all the ways
that may affect the physical security of its infrastructure and information systems.
This module discusses the various physical security controls, security measures, and best
practices to deal with physical security threats. It also helps you choose the best possible
physical security solution depending upon your organization's needs. With this module, you will
be able to design a more robust physical security environment for your organization.


• Physical security is the base of any information security program in an organization

• It deals with restricting unauthorized physical access to the infrastructure, office premises, workstations, and employees of the organization

• A successful unauthorized physical access may lead to theft, damage, or modification of the information systems

• A physical security breach can directly impact confidentiality, integrity, and availability of information and systems


Physical security is an important part of the organization's information security program. In the
past, people would relate physical security with keys, locks, security personnel, gates, fencing,
etc. Now, the physical security paradigm has completely changed. Organizations need to
manage manpower, property and assets, and managing the physical security of these assets has
become a critical task. Everything from planning the building layout, purchase of equipment and
manpower recruitment to natural disasters, power supply, temperature control, etc., needs to be
considered while designing physical security for an organization. Every organization, whether it
is a small, medium, large or multinational company, gives utmost importance to the security of
information assets. Implementing security at each level has become a primary function of an
organization.

Physical security refers to protecting an organization's building and assets, including software
and hardware, from robbery, vandalism, natural disasters, climate changes, environmental
conditions, and man-made threats. Having strong multileveled security at appropriate places
will provide effective protection against a physical security breach. The first level of security
should effectively deal with external vehicles and control traffic outside the premises of the
organization. It should restrict outsiders or intruders from entering the premises without
permission, thereby minimizing the security risk to a great extent at the first level. The next level
of protection should control the vehicles, people and other related organizational assets from
internal and external entities. This level keeps the power supply system in a secure location
with appropriate measures such as fire extinguishers, backup systems, etc. The main building
will be separated from the parking lot; a well-equipped plumbing system should be in place with
proper ventilation, alarm system, etc. The next level is the most crucial part of physical security,
where managing the access of insiders (employees) and outsiders comes into play. At this level, if
an attacker gains access to physical assets, they can acquire sensitive information related to the
organization.


[Figure: pie chart, "Physical breaches accounted for 61% of all HIPAA violations for 2015": Physical Access Breach 34%, Physical Theft 27%, Hacking/IT Breach 23%, Other 13%. Source: http://www.alphaguardian.net]


Need for Physical Security (Cont'd)

[Figure: "The physical layer of your network is not protected by traditional firewalls". The 7 layers of OSI are shown top to bottom: Application (7), Presentation (6), Session (5), Transport (4), Network (3), Data Link (2), Physical (1); the traditional firewall is drawn around layers 2 through 7, leaving the physical layer (1) outside it. Source: http://www.alphaguardian.net]


Although cyber-attacks are becoming more complex, attackers continue to use various
techniques to compromise the physical security of an organization. Organizations are focusing
more on strengthening their IT security, which overshadows the importance of physical security.
Physical security is the most overlooked aspect of security, and it has been brought to the
forefront of many organizations over the last five years. Knowing this, attackers take
advantage of loopholes to compromise the physical security of the organization. According to
data collected by the US Dept. of Health and Human Services Breach Portal, physical security
breaches were among the most frequently occurring security incidents in organizations in 2015.
According to the findings of the fifth annual Business Continuity Institute (BCI) Horizon Scan
Report, physical security is now perceived as a growing concern for business continuity
professionals. According to this report, a degree of concern has been expressed about the
possibility of both an act of terrorism and a security incident such as vandalism, theft or fraud
disrupting their organization at some point.

"Physical security poses growing concern for organisations" observes latest BCI Horizon Scan
Posted on 24 Feb 2016 by Brian Sims

Physical security is now perceived as a growing concern for business continuity professionals. That's according
to the findings of the fifth annual Horizon Scan Report published by the Business Continuity Institute in
association with the British Standards Institution (BSI).

Among the ranks of potential threats that today's organisations face, acts of terrorism gained six places, rising
from tenth in 2015 to fourth, while security incidents moved from sixth place to fifth.

Some 55% of respondents to the global BCI survey expressed a degree of concern about the possibility of both
an act of terrorism or a security incident such as vandalism, theft or fraud disrupting their organisation at some
point. That compares with 42% and 48% respectively for the previous year's study.

FIGURE 5.1: Fifth annual Business Continuity Institute (BCI) Horizon Scan Report

Physical security breaches are totally different from other security breaches. They can be
carried out with little to no technical knowledge. The real physical security concerns arise because
traditional security measures such as a firewall, IDS, etc., do not ensure physical security.
Deploying a firewall at various levels ensures security from different types of attacks, but this does
not hold true for the physical security of the organization. The firewall has nothing to do with
physical security, as traditional firewalls work above the physical layer of the OSI model.

Physical security cannot be dealt with in the same way as network, application, or database
security. Separate security measures are required to ensure physical security. Physical security
should be dealt with at the physical layer of the OSI model.

The physical layer includes:

• All cabling and network systems.

• Physical access to cables and systems.

• Power support for cables and systems.

• Environment supporting the systems.

Source: http://thepaper.uk.com


Factors Affecting Physical Security

Natural/Environmental Threats
► Floods
► Fires
► Earthquakes
► Lightning and thunder
► Temperature and humidity

Man-made Threats
► Vandalism
► Device loss
► Damage of physical devices
► Theft
► Terrorism
► Social engineering
► Unauthorized access to systems


Organizations are at risk with the following types of physical security threats:

Natural/Environmental Threats
• Floods: Floods commonly occur due to heavy rains or the melting of ice. Heavy rains
increase the level of water beyond the carrying capacity of a river and this results in a
flood. Floods may affect electrical systems and server rooms in an organization. Server
rooms located in the basement have a greater chance of getting affected by floods.

• Fires: Fires mainly occur due to short circuits or poor building materials. These may affect
the operational facility and computer rooms in an organization. Fires can completely
damage the hardware, cabling system, and other important components.

• Earthquakes: An earthquake is the sudden release of stored energy in the Earth's crust
that creates seismic waves. It disrupts the physical infrastructure in an organization. It
damages computers and other hardware devices and documents in the sensitive areas
inside an organization. It can affect the safety or security of the organization. Earthquakes
mainly affect the cabling, the wiring system and the physical building itself. Any damage in
the cabling system affects the working of the computer systems.

• Lightning and Thunder: Lightning and thunder occur due to environmental changes. It
necessitates the shutdown of all outdoor activities. Lightning and thunder lead to power
and voltage fluctuations that in turn affect the working of the system. It may affect
memory chips and other hardware components of the system. It may lead to a short
circuit in the cabling and other wiring systems if they are not covered properly. The
information system may stop working with one strike. Lightning may damage all electrical
and electronic appliances and lead to the loss of all sensitive information.

• Temperature and Humidity: Computer systems operate within a range of temperatures;
outside that range, they function in an inappropriate manner. Computer systems do not
like hot areas. Computer systems may get damaged if the temperature rises or lowers by
extreme amounts. Even though every computer system has cooling systems, the
performance of a computer still depends on the exterior temperature conditions.
Electrical and electronic appliances in an organization may be affected by a change in
humidity. High humidity leads to issues like corrosion and short circuits and damages
magnetic tapes and optical storage media. Low humidity affects electronic devices mainly
due to electric discharge.

Man-made Threats
The biggest threat to physical components and the network is from man-made errors, both
intentional and unintentional. A wide range of possibilities includes hackers/crackers, theft,
fire, and human error. Examples of human error that may lead to man-made threats are the
unintentional pressing of a wrong button, unplugging the wrong device, etc. Typical man-made
threats include mechanical and electrical disturbance, pollution, radio frequency interference,
explosion, etc.

• Vandalism: Disgruntled employees or former employees may try to compromise the
system by willingly breaking or harming the system components. During civil unrest or a
disaster, there is a chance of the systems being mishandled.

• Device Loss: Unauthorized access may give way to the loss of important information and
devices. Device theft is a concern if devices are not properly secured.

• Damage of Physical Devices: Improper device maintenance activities, such as how the
device or its information is handled, not replacing damaged devices, and poor cabling, can
damage physical devices to a great extent.

• Theft: Lack of proper security and locks may result in equipment theft.

• Terrorism: Terrorist activities such as planting a vehicle bomb, human bomb or postal
bomb in and around the organization's premises will impact physical security in many
ways.

• Social Engineering: Social engineering is defined as an illegal act of getting personal
information from other people. The attacker gains unauthorized physical access by
performing social engineering on an organization's employees.

• Unauthorized access to systems: Both internal users and external users can try to gain
unauthorized access to a system or information about the organization.


Physical access controls help organizations monitor, record, and control access to the
information assets and facility

Categories of Physical Security Controls

Administrative Controls
• Creating policies and procedures
• Designing site architecture
• Security labels and warning signs
• Workplace security measures
• Personnel security measures

Physical Controls
• Placing physical barriers
• Hiring security personnel
• Mantrap
• Physical locks

Technical Controls
• Access controls
• Fire fighting systems
• Lighting
• Alarm system
• Power supply
• Video surveillance
• Weapon/contraband detection
• Environmental controls


Without proper security controls, it becomes quite difficult to have any physical security at all.
Physical security controls should be applied at various levels in order to create a robust physical
security environment. Based on the level at which the physical security controls are applied,
they are classified as:
Administrative Control
It includes the human factors for security controls. All levels of personnel should be involved in
building administrative controls. It is based on the resources and information each user has
access to. It involves management constraints, operational procedures, accountability
procedures, and the acceptable level of protection for the information system. It is basically a
personnel-oriented technique implemented to control people's behavior.

Physical Control
Physical control deals with the prevention of damage to the physical systems in an organization.
It involves deterring or preventing unauthorized access to devices, the facility or other sensitive
areas. In addition, physical security controls are required to deal with physical threats such as
device loss/theft, and destruction or damage by accident, fire, or natural disaster.

Technical Control
Technical controls are also referred to as logical controls. They make use of technology to control
access to the physical assets or the facility of the organization. They are generally incorporated in
the computer hardware, software, operations or applications to control access to sensitive areas.


Physical Security Controls: Location and Architecture Considerations

Location Considerations:
• Visibility of assets
• Neighboring buildings
• Local considerations
• Impact of catastrophic events
• Joint tenancy risks

Site Architecture Considerations:
• Identify what are the critical infrastructures
• Have a separate location for the server and storage room
• Identify what safety measures are required for these systems
• Have emergency exits
• Make plans to manage environment hazards
• Define who will be responsible for managing these systems
• Establish procedures explaining how they should be protected
• Use a proper sanitation system such as manholes, sewers etc.
• Keep parking away from the main building


Location Considerations
Organizations should consider various factors that may affect physical security before planning
to buy or lease a building for an organization. It may include the facility location, neighboring
buildings, power and water supply, sewage systems, proximity to public and private roads,
transportation, emergency support, fire station, hospital, airport, local crime or rate of riots and
prior security incidents that happened in the surrounding area. The location should not be
prone to natural disasters such as floods, tornadoes, earthquakes, hurricanes, excessive snow
or rainfall, mudslides, fires etc.

Site Architecture Considerations


After gaining adequate information about the facility location details, planning and designing of
the internal infrastructure and architecture should be done. While planning and designing the
site architecture, an organization should prepare a list of all of its assets in the facility.

The organization should consider the following points while designing the infrastructure and
architecture:

• Decide the number of entrances required for the building, including the main entrance,
staircase, parking, lift, hallway, and reception area.

• Find the neighboring facilities around your site location and check the internal and
external architecture for them. Talk to the supervisors or owners of the buildings to gain
additional insights about the surroundings.


• Analyze the assets that can be impacted by catastrophic failures and the visibility of assets
to outsiders.

• Think about the joint tenancy factor, if the facility is shared with other companies, and
their impact on your sensitive information and critical assets.

• Identify the critical infrastructure that is required for managing physical security, storing
sensitive data and running business operations effectively.

These critical infrastructure systems may not use standard information technology (IT) for
safety, performance, and reliability, but they are critical to business operations. An improper or
faulty implementation of certain physical measures such as electricity, backup, storage
facilities, lighting, wiring and cooling systems can be critical to the business operations of the
organization.


Physical Security Controls: Fire Fighting Systems

Types of Fire Fighting Systems

Active fire protection (manual or automatic)
• Fire detection
  • Smoke, flame and heat detectors
• Fire suppression
  • Fire extinguisher
  • Standpipe system
  • Sprinkler systems

Passive fire protection (structural consideration)
• Use of fire-resistant construction materials
• Compartmentalization of the overall building
• Emergency exits
• Minimizing inflammable sources
• Maintenance of fire fighting systems
• Emergency procedures
• Educating the occupants

[Table of fire source classes (A, B, C, D, K) versus suppressants (Water, Foam, Dry Chemical, Wet Chemical, Clean Agents and CO2, Special Chemicals); the same table is reproduced as Figure 5.2 below.]


Fire is a risk that can occur with or without any warning, usually from man-made errors, short
circuits, and defective or faulty equipment. Fire protection is an important aspect of physical
security. Firefighting systems mainly deal with detecting fire incidents and alerting the occupants.
Fire incidents may be identified either manually or automatically.

Different types of firefighting systems include:

Active Fire Protection

Active fire protection provides an alert to the occupants of an organization regarding a fire
incident. This type of fire protection system is generally used in commercial places, process
industries and warehouses in order to protect the storage vessels, processing plant, etc. The
main aim of implementing an active fire protection system is to control the spread of
fire and extinguish it as soon as possible, thereby facilitating the evacuation of occupants in an
organization. The system requires a certain amount of action to handle the fire incident.
These actions may be performed either manually or automatically.

Certain active fire systems include water sprinklers, fire/smoke alarm systems, spray systems
and fire extinguishers. Fire/smoke alarms indicate the presence of any fire or smoke in the
building. Water sprinklers reduce the spread of the fire and fire extinguishers help put the fire
out. Water sprinklers fall under the category of automatic fire protection systems, whereas fire
extinguishers and standpipes fall under the category of manual fire protection systems.


Active fire protection systems include:

• Fire Detection System: A fire detection system helps detect a fire incident before the
fire spreads. Automatic fire detection systems include:

  • Smoke Detectors: Smoke detectors generally detect the presence of smoke and send
  an alert about the suspected fire incident in an organization. Upon detection of
  smoke, detectors send out an alarm to the fire alarm control panel or generate an
  audio/visual alarm.
  • Flame Detectors: Flame detectors mainly deal with the detection of flames in a fire
  incident. Flame detectors normally include sensors which detect the existence of
  flames. The working of a flame detector includes:
    o Generating an alarm on flame detection.
    o Cutting the supply of gas through the fuel line.
    o Activating the fire suppression system.
  Flame detectors work more efficiently and faster than smoke detectors and heat
  detectors.
  • Heat Detectors: Heat detectors are used to detect and respond to thermal energy
  generated due to fire incidents. Heat detectors are further classified into fixed
  temperature heat detectors and rate-of-rise heat detectors.

• Fire Suppression: A fire suppression system is used to quench the fire without much
human interaction. Fire suppression systems limit destruction and device loss. Fire
suppression systems can be classified as manual and automatic. Commonly used fire
suppression systems include:

  • Fire Extinguisher: Fire extinguishers deal with extinguishing fires at the initial stage.
  They may not be usable in case of a fire covering a large area. A fire extinguisher
  normally consists of an agent that is discharged from inside a cylindrical vessel. Fire
  extinguishers need to be checked often in order to ensure they are working
  properly in case of fire. Fire extinguishers are usually inspected yearly or bi-yearly by a
  trained professional. They can also be recharged.
  Dry chemicals, water, wet chemical, water additives, clean agents and carbon dioxide
  are used as agents in fire extinguisher systems. The following table provides details
  about selecting the proper extinguisher based on various types of fire sources:

Fire Source                   | Water | Foam | Dry Chemical | Wet Chemical | Clean Agents and CO2 | Special Chemicals
A Ordinary solid combustibles |   Y   |  Y   |      Y       |      Y       |                      |
B Flammable liquids & gases   |       |  Y   |      Y       |              |          Y           |
C Electrical equipment        |       |      |      Y       |              |          Y           |
D Combustible metals          |       |      |              |              |                      |         Y
K Oils and fats               |       |      |              |      Y       |                      |

FIGURE 5.2: Classification for fire extinguishers


  • Standpipe System: Standpipe systems deal with the connection of hose lines to the
  water supply. This provides a pre-piped water system for organizations and supplies
  water to hose lines in certain locations. Three types of standpipe systems
  include: Class I - A, Class II - A, Class III - A. These types differ according to the
  thickness of the hose lines used and the volume of water that is used for fire
  suppression.

  • Sprinkler System: A fire sprinkler system maintains a water supply in order to
  feed a water distribution piping system that controls the sprinklers.
  Sprinklers are used in order to avoid human and asset loss. They are mainly used in
  areas that fire fighters are not able to reach with their hose lines.

Passive Fire Protection

Passive fire protection systems are used to prevent the fire from spreading further across the
organization. Fire-resistant doors, windows and walls may be used for passive fire protection.
This helps protect occupants inside the organization and reduces the rate of damage
due to the fire. Passive fire protection systems do not need to be activated by other
systems, and no operational assistance is required in implementing them.

Passive fire protection is put into practice in the following ways:

• Minimal use of flammable materials.

• Building additional floors and rooms in a building, slowing down the spread of the fire.

• Providing adequate training to the occupants regarding the procedures to follow when
a fire occurs.

• Proper maintenance of fire related systems.

• An adequate number of emergency exits.

Steps to deal with fire incidents:

• Detect the fire.

• Evacuate occupants in the building to another safe location.

• Notify the fire department and safety department regarding the fire.

• Shut down all electrical and electronic systems in order to avoid the fire spreading.


Physical Security Controls: Physical Barriers

Physical barriers restrict unauthorized people from entering the building; always use a
combination of barriers to deter unauthorized entry

• Fences/Electric fences/Metal rails: First line of defense to stop trespassers
• Bollards: Used to control vehicular and pedestrian traffic
• Turnstiles: Facilitate entry and access controls
• Other physical barriers: Include doors, windows, grills, glass, curtains, etc.


Many factors determine the physical security of an organization, and all of them contribute to
its successful operation. The main goal of physical security is the control and prevention of
unauthorized access, and physical barriers serve that goal by restricting unauthorized people
from entering the building. Physical barriers define the physical boundary of the area and also
separate vehicle traffic from pedestrians. A physical barrier deters and delays an outsider
trying to enter the premises; given enough time, money, planning and study of the site
architecture, an intruder can defeat any single barrier. To discourage intruders, it is good
policy to use a multilayer approach of external, middle and internal barriers. External
barriers are fences, walls, etc.; although built primarily as structures, they also act as
obstructions. Middle barriers are equipment used to control the movement of traffic and
people, such as bollards and turnstiles. Internal barriers are doors, windows, grills, glass,
curtains, etc.

Types of physical barriers used in a building are:

• Fences/Electric Fences/Metal Rails: The first line of defense against a trespasser and the
most commonly used barrier worldwide. Fences, metal rails and electric fences mark
restricted and controlled areas and prevent unauthorized access. The aims of deploying
such barriers are:

• Blocking and deterring attackers.

• Marking the boundary of the organization.

• Protects the security guards from external attacks.

• Prevents the entry of vehicles.

• Protection against explosive attacks.

FIGURE 5.3: Metal Rails

• Bollards: A bollard is a short vertical post that keeps motor vehicles out of pedestrian
areas, building entrances, parking approaches and other areas that require protection,
while still allowing people to pass freely. Bollards are mainly installed at building
entrances, in pedestrian areas and around sensitive areas, where they are effective in
separating vehicle traffic from pedestrians.

FIGURE 5.4: Bollards


• Turnstiles: This type of physical barrier admits only one person at a time. Entry is
granted only on presentation of a coin, ticket, pass or access card. Turnstiles allow
security personnel to watch closely the people entering the organization and to stop any
suspicious person at the gate. However, a turnstile can slow the evacuation of occupants
in a fire emergency, so egress routes need a free-exit mechanism or alternative exits.

FIGURE 5.5: Turnstiles

• Other Barriers: These include doors, windows, grills, glass and curtains installed to limit
access to certain areas.

• Doors: Doors are a primary means of controlling user access to a restricted area. Door
security can be increased with the installation of CCTV cameras, proper lighting,
locking technology, etc.

• Windows: An intruder can use windows to gain unauthorized access to restricted
areas, so proper security measures should be considered when installing windows. Some
of these considerations include:
o The method of opening the window.
o The assembly and construction of the window.
o The technique used to lock the window.
o The hinges used for the window.

• Grills: Grills should be used with doors and windows for better security. Grills may be
used for internal as well as external security.

• Glass: Ordinary glass in doors and windows is a weak point. Sliding glass doors and
windows should be fitted with bullet-resistant or otherwise reinforced glass and secondary
locks (see the considerations below) to provide an adequate level of physical security.

FIGURE 5.6: Other Barriers


The following are security considerations for physical barriers:

• Use a combination of barriers to deter unauthorized entry.

• Use bullet resistant windows and glass.

• Install doors both at the main entrance and inner building.

• Lock doors and windows.

• Use electric security fences to detect climbing and cutting of wires.

• Use alarms to alert any intrusions from the fences.


Physical Security Controls: Security Personnel

Efficient and well-trained security personnel are critical to implement, monitor, and
maintain the physical security of an organization.

Organizations often neglect the importance of security personnel in maintaining physical
security.

People involved in physical security include guards, safety officers, the plant's security
officer/supervisor, etc.

Security personnel should be aware of:

• Physical security policies and procedures
• Handling emergency situations
• Patrolling procedures
• First aid and medical assistance
• Trespassers and crowd management
• Fire prevention

Security personnel/guards are hired to implement, monitor and maintain the physical security
of an organization. They are responsible for developing, evaluating, and implementing security
functions, such as installing security systems, to protect sensitive information from loss,
theft, sabotage, misuse, and compromise. Hiring skilled and trained security personnel is an
effective security measure for any organization, and these personnel play a crucial role in
physical security. Even so, many organizations do not treat them as a core competency worth
investing in as part of their strategic plan.

Organizations can hire security personnel directly and provide adequate training on physical
security, or they can engage dedicated physical security service firms to handle physical
security for them. Such firms train security officers, provide standardized procedures, and
manage security on a 24x7x365 schedule by sharing guards across different client
organizations.

People involved in Physical Security are:


• Guards: Their responsibilities include screening visitors and employees at the main gates
or entrance, documenting names and other details about visitors, conducting regular
patrols of the premises, inspecting packages, luggage, and vehicles, managing vehicle
traffic, guiding visitors to the reception area after noting their details, etc. Guards should
maintain visitor logs and record entry and exit information. Monitoring closed-circuit
television (CCTV), which acts as a deterrent as well as a mechanism to detect and possibly
prevent an intrusion, is also normally handled by guards.


• The plant's security officers/supervisors: Their responsibilities include training and
monitoring the activities of the guards, assisting guards during crisis situations, handling
crowds, and maintaining the keys, locks, lights, greenery, etc. of the facility.

• Safety officers: Their responsibilities include implementing and managing safety-related
equipment installed around the facility and ensuring the proper functioning of this
equipment.

• Chief Information Security Officer (CISO): In the past, it was commonplace for the CISO
of an organization to be an extremely technically competent individual who had held
various positions within an enterprise security function, or who had come from a
networking or systems background. Today, a CISO is required to be much more than
technically competent. The modern CISO must have a diversified set of skills in order to
discharge their duties successfully and to establish the appropriate level of security and
security investment for their organization.
Continuous training for security personnel provides the maximum benefit and an effective
team for the organization. Regardless of the position, security-related personnel should be
selected based upon the experience and qualifications required for the job. Executives should
thoroughly evaluate each candidate's past experience and, based on this information, provide
adequate training to close the gap between their current skills and those the job requires.
An organization should train newly hired security personnel in the following areas:

• Organizational culture, ethics and professionalism.
• Security policies and procedures.
• Policy enforcement.
• Trespassers and crowd management.
• Handling emergency situations.
• Human and public relations.
• Patrolling procedures.
• Managing workplace violence.
• First aid and medical assistance.
• Fire prevention.
• Vehicle traffic management.
• Handling foreign guests, invitees, etc.
• Report writing.


Access Control Authentication Techniques

Physical access controls work by authenticating individuals before granting access to
organization premises, infrastructure, and information systems.

Something You Know (Knowledge Factors):
• Password
• Pass phrase
• Personal identification number (PIN)
• Challenge response
• Security question

Something You Have (Ownership Factors):
• ID card
• Smart/proximity cards
• Security token
• Cell phone with built-in hardware/software token

Something You Are (Biometric Factors):
• Fingerprint verification
• Vein structure
• Retina scanning
• Iris scanning
• Facial/hand recognition
• Voice recognition
• Signature

Note: You can also combine two or more authentication techniques (multi-factor authentication) for better access control.


Access control restricts unauthorized access to an organization's assets. The access control
mechanism uses various types of authentication to verify a user's identity to the system.
The different types of access control authentication schemes are:
• Knowledge Factors: Also described as "Something You Know". Users prove knowledge of a
secret they hold in order to authenticate with the system, such as a unique password,
pass phrase, personal identification number (PIN), challenge response, or security
question.
• Ownership Factors: Also described as "Something You Have". Users prove their identity to
the system by presenting a physical object they possess, such as an ID card,
smart/proximity card, security token, or mobile phone with a built-in hardware/software
token. Because a possessed device can be lost or stolen, it should be combined with a
second factor (for example, a PIN) to give two-factor authentication and an extra layer of
security.
• Inherence Factors: Also described as "Something You Are". Users prove their identity with
biometric data. Biometric data is based on the physiological and behavioral
characteristics of the user. Biometric authentication schemes include fingerprint
verification, vein structure, retina scanning, iris scanning, facial/hand recognition, voice
recognition, signature dynamics, etc.


Authentication Techniques: Knowledge Factors

• Password / Pass phrase / Personal identification number (PIN): Numeric or alphanumeric
characters, a sequence of words, or other text used to authenticate a user with the system.

• Challenge response: Users have to answer a question or reproduce a pattern to confirm
their identity; it adds an extra layer of security to the system.

• Security question: Questions are asked so users can authenticate themselves with the
system.

Password, passphrase or PIN based authentication offers an easy way of authenticating users.
Users have to supply their unique password, passphrase or PIN to authenticate with the system.

• Passwords: Passwords generally contain a combination of letters, numbers and symbols.
Users create their password at the time of their first login with the system. Organizations
should enforce a strong password creation policy.

• Passphrase: A passphrase is similar to a password but is generally longer for added
security. It is commonly used with cryptographic programs and systems, where the user
supplies a passphrase from which the encryption key is derived.

• Personal Identification Number (PIN): A numeric password provided in order to
authenticate a user with a system. PINs are commonly used for authentication with an
ATM card, and are typically between 4 and 12 digits long.

• Challenge Response: A question-and-answer type of authentication in which the system
issues a challenge and the user must provide a valid response in order to confirm their
identity. A CAPTCHA is a commonly cited example of a challenge-response system: it
presents a distorted image with hidden letters, and the user must recover the letters and
type them in. Strictly, a CAPTCHA confirms only that the input is generated by a human
rather than a computer, not which user is present; cryptographic challenge-response, in
which the response is computed from the challenge and a secret the user holds, is what
actually proves identity.


• Security Questions: Security questions are used as an extra step in authentication. They
are commonly used by banks and wireless providers to reconfirm the identity of a user,
and are generally implemented with "forgot password" features to re-establish identity
before a reset. Because the answers (mother's maiden name, first school, etc.) are often
discoverable through public records or social media, security questions should be treated
as a weak factor and not relied on alone.


Authentication Techniques: Ownership Factors

• ID card: A small, standard credit-card-sized identification card used to verify the identity
of a person.

• Smart card: A chip card, or integrated circuit card (ICC), that includes an embedded
integrated circuit. Card owners prove their identity to the system by direct physical
contact with a reader or through a remote contactless radio-frequency interface.

• Security token: A small hardware device with which users can authenticate themselves to
the system.

• Mobile phone with a built-in hardware/software token: Mobile devices can also be used as
the authentication device.


ID Card
An identity document (ID card) can be used to authenticate users with a system. Examples
include a driver's license, photo ID card, passport, etc. Generally, an ID card is the same size
as a credit card.

Smart Card
A smart card is a credit-card-sized plastic device that contains a silicon computer chip and
memory. It can store, process, and output data in a secure manner. It commonly stores
cryptographic keys, digital certificates, identification credentials, and other information.
Combined with a PIN, it provides strong two-factor authentication (something you have plus
something you know). The International Organization for Standardization (ISO) uses the term
Integrated Circuit Card (ICC) instead of smart card. The standard card measures 85.6 mm x
53.98 mm x 0.76 mm, the same ID-1 format as ATM cards and credit cards.

• Benefits of Smart Cards: There are many benefits of smart cards such as:

• Lower Administrative Costs: As there are fewer passwords in the network, the cost to
support and manage the system decreases.

• Reduce Losses and Liabilities: Security is increased as encryption and a strong two-
factor authentication protects the data.


• Increased Convenience: Smart cards are portable and simple to use. The convenient
factor for this system of authentication is high.

• Smart Card Uses: One of the important factors behind smart card adoption is that
multiple applications can share the same card. A smart card provides portable, tamper-
resistant storage for digital certificates and their private keys. The smart card can be used
for many applications, such as:

• Logon/logoff authentication to an operating system.

• Authentication to websites.

• Signing and encrypting email (secure email).

• Encryption of data files.

Proximity Cards
A proximity card is also similar in size to a credit card. Many companies use proximity cards
to control physical access. The employee holds the card within a few inches of the reader; the
reader receives a unique ID from the card and transmits it to a central access control
computer, which tells the reader whether or not to unlock the door.
Compared with metal keys, proximity cards are harder to duplicate and easier to revoke, since
a lost card's ID can simply be disabled at the controller. Some systems combine logical and
physical access on the same card. Different sensing techniques are used: an integrated circuit
embedded in the card that transmits its code when energized magnetically or electrostatically
by the reader, or circuits tuned to particular resonant frequencies that encode the ID. Note
that low-frequency proximity cards which simply transmit a fixed ID offer no cryptographic
protection; that ID can be read and replayed or cloned with inexpensive equipment, so
sensitive areas should use cards that authenticate to the reader cryptographically. Some
organizations print the company logo and address on the card so that a lost card can be
returned; the trade-off is that the card then tells whoever finds it exactly which building it
opens, so reported-lost cards must be deactivated promptly.

Security Token
Security tokens are electronic devices used to verify the identity of a user. A token holds
secret information (a cryptographic key, a stored password, or in some designs biometric
reference data) that is used to prove the identity of the user. The main token types are:

• Static Password Token: Holds a fixed secret that is presented at every authentication; it
is the simplest type and offers no protection against replay if the secret is captured.
• Synchronous Dynamic Password Token: Uses a cryptographic algorithm keyed with a
secret shared with the authentication server, together with a clock (or counter) kept in
step between the token and the server, to produce a one-time password that changes
with every time step.
• Asynchronous Token: Generates a one-time password with a cryptographic algorithm
without relying on a synchronized clock, for example by computing it from an event
counter or from a server-supplied challenge.

• Challenge Response Token: The server sends a random challenge and the token signs or
encrypts it, typically using public key cryptography; the server verifies the response with
the corresponding public key.

Mobile phone with a built-in Hardware/Software Token

A mobile phone with a built-in hardware or software token serves as a second-factor
authentication device for services running on a computer. A software token is an application
on the phone that holds the seed or key; because that seed is ordinary data, it can be copied
or extracted if the phone is compromised. A hardware token keeps the credential inside
dedicated hardware (a secure element) designed so that the key cannot be exported or
replicated.
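The synchronous dynamic token, the counter-based asynchronous token and the software token on a phone described above all rest on the same construction: an HMAC over a moving value, truncated to a short code. The following Python is an added example, not code from the courseware, implementing HOTP (RFC 4226) and TOTP (RFC 6238) together with the server-side checks a practitioner needs: a drift window for clock skew, and a strictly increasing counter so that a captured HOTP code cannot be replayed. The seed is the ASCII test secret published in those RFCs; the function names are my own.

```python
import hashlib
import hmac
import struct
import time

# Constructed test seed: the ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 counter-based OTP: HMAC over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 time-based OTP: HOTP with counter = floor(unix_time / step).
    Token and server need only a shared seed and roughly synchronized clocks."""
    return hotp(secret, at // step, digits, algo)


def current_totp(secret, step=30, digits=6):
    """What a phone authenticator app (software token) would display right now."""
    return totp(secret, int(time.time()), step, digits)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    """Server-side TOTP check tolerating +/- `window` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    base = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), code):
            return True
    return False


def verify_hotp(secret, code, last_counter, look_ahead=5, digits=6):
    """Server-side HOTP check. Only counters strictly greater than the last
    accepted one are tried (so a captured code cannot be replayed), up to a
    look-ahead window in case the button was pressed without logging in.
    Returns the counter to persist on success, or None."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))                      # 755224 (RFC 4226)
    print("TOTP at t=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))  # 94287082 (RFC 6238)
    print("app would show now:", current_totp(TEST_SECRET))
```

Two design points matter in practice: the server must persist the counter returned by verify_hotp before granting access, otherwise the same code is accepted twice; and the TOTP window should stay small (one step either side), because every extra step widens the set of codes an attacker can guess.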


Authentication Techniques: Biometric Factors

• Fingerprinting: Uses the ridges and furrows on fingers to identify a person.

• Retinal Scanning: Analyzes the layer of blood vessels in the retina to identify a person.

• Iris Scanning: Analyzes the colored part of the eye, behind the cornea, to identify a person.

• Vein Structure Scanning: Analyzes the thickness and location of veins to identify a person.

• Face/Hand Recognition: Uses facial or hand geometry to identify or verify a person.

• Voice Recognition: Analyzes voice pitch and frequency to identify or verify a person.


Fingerprinting
Fingerprint verification or scanning is a popular biometric technology for authenticating
individuals. At enrollment the scanner captures an image of the finger, but practical systems
do not store the full image: they extract a small template (typically the positions and
orientations of ridge features called minutiae) and store that. At authentication time a fresh
scan is reduced to a template and compared with the stored one; if the match score exceeds
the system's threshold, authentication succeeds.
Fingerprint scanning devices come in different packages, from stand-alone devices for desktop
PCs to small portable devices for laptop computers, built-in keyboards and built-in mice.

Retinal Scanning
Retinal scanning is another method of biometric authentication, based on the pattern of
blood vessels in the retina. The retina holds different characteristics for each person; even
identical twins have different retinal patterns. The retina is a thin layer of nerve tissue (about
1/50th of an inch, or 0.5 mm, thick) at the back of the eye, which transmits impulses through
the optic nerve to the brain.
Retinal scanning is more demanding for the user than other biometric technologies. To present
the raw biometric data, the user must position the head so that the eye is very close (less
than an inch) to the scanner, which reads the retina through the pupil while the user focuses
on a green light inside the scanner. Once the template has been generated, the technique
offers excellent matching accuracy.

Iris Scanning
Each individual has a unique iris pattern, just as with the retina. Irises differ in structure,
including ligaments, furrows, striations, ridges, and zigzags; the Iridian technology measures
247 independent variables in an iris.
Iris scanning is the process of taking images of an iris and creating biometric templates used
in matching functions. As with fingerprints, it requires a device to capture the image and
software to process it. The iris scanning device uses a still or video camera to capture a
high-resolution image of the iris. The software then locates the boundary between the pupil
and the iris (and between the iris and the white of the eye), converts the iris region to a
grayscale image and encodes the unique features of the iris from it.

Vein Structure Scanning

Vein structure scanning, also known as vascular biometrics, depends on the pattern of a
user's veins. The technique authenticates a person's identity by checking the pattern of the
vein structure. Veins lie beneath the skin, and the scan relies on blood flowing through them,
which also means it only succeeds on a living hand.

Users place the palm, the back of the hand or the wrist on the scanner. The scanner takes a
picture of that part using infrared light; hemoglobin absorbs the infrared light, so the veins
show up clearly in the picture. A reference template is created from the shape and location of
the vein structure.

Face or Hand Recognition

• Facial Recognition: Facial scanning or facial recognition is well known because of the
large-scale implementations that have been deployed for surveillance. It works by picking
out the unique characteristics of a human face and matching them against facial images
in a database. The facial characteristics that a face scanning system looks for include:

• Size of eyes

• Distance between the eyes

• Depth of the eye sockets

• Location of the nose

• Size of the nose

• Location of the chin

• Size of the chin

• Jaw line

• Size, position, and shape of the cheekbone


The facial scanning process starts with the acquisition of an image of a human face. This
image can be acquired from any imaging source: static or video cameras, analog or digital.
After isolating the face in the captured image, the system creates a face print from it. The
face print is the template for the system; it is the result of translating the facial image into
a unique code or data set that represents the face.

• Hand Recognition: Hand recognition (hand geometry) is a biometric technique that
identifies a user by the shape of their hand. It is a simple procedure that is accurate
enough for verification, though it requires special hardware; that hardware can be
integrated into most systems or devices. It uses finger width, length, thickness and overall
shape for identification. The user places the hand on a metal platen fitted with guidance
pegs; the pegs align the hand in the proper position so the device can read the hand
attributes, which are then compared with the user's stored record.

Voice Recognition
Voice (speaker) recognition is another method of biometric authentication: a user's voice is
recorded and speaker recognition software compares its characteristics against the stored
voiceprint to identify or verify the individual. It is based on unique characteristics of the
human voice, such as pitch and frequency. This should not be confused with speech
recognition, which interprets what is said so that users can issue commands to a computer
verbally instead of using an input device; speaker recognition establishes who is speaking.
Any microphone, landline telephone, cellular telephone, or similar device can be used to
capture the voice.


Physical Security Controls: Physical Locks

Types of Locks:

• Mechanical locks: Use a combination of springs, tumblers, levers, and latches, and
operate by means of physical keys.

• Digital locks: Require a fingerprint, smart card or PIN authentication to unlock.

• Electronic / Electric / Electromagnetic locks: Use magnets, solenoids and motors, and
operate by supplying or removing power.

• Combination locks: Require a sequence of numbers or symbols to unlock.


Various types of locking systems are available to restrict unauthorized physical access. The
organization should select an appropriate locking system according to its security
requirements.

Different types of locks are:

• Mechanical Locks: Provide an easy method of restricting unauthorized access in an
organization. Mechanical locks come with or without keys. There are two main types of
mechanical locks.

• Warded Lock: Contains a spring-loaded bolt and a set of fixed obstructions (wards)
inside the keyway. Only a key whose cuts clear the wards can be turned to move the bolt
backward and forward; a wrong key is blocked by the wards. Warded locks offer little
security, since a skeleton key cut to miss the wards will open them.

• Tumbler Lock: Contains pieces of metal (tumblers) that sit in the path of the bolt and
prevent it from moving. The correct key has grooves that raise each tumbler to exactly
the right height, clearing the bolt so it can move. Tumbler locks are further classified into
pin tumbler, disc tumbler and lever tumbler locks.

• Digital Locks: Digital locks use a fingerprint, smart card or a PIN entered on a keypad to
unlock. They are easy to manage and do not require keys, so there is no chance of
forgetting or losing the keys. They provide automatic locking of doors. The user only has
to present their fingerprint, swipe the smart card or enter the PIN to unlock.


• Electric/Electromagnetic Locks: Electric locks, or electronic locking systems, operate on
electric current. Locking and unlocking are achieved by supplying and removing power.
They mainly use magnets, solenoids or motors to engage or release the lock, and they do
not require keys to be maintained for the locking system.
An electromagnetic lock (maglock) consists mainly of an electromagnet and an armature
plate. Electric locking devices are designed in one of two states, "fail safe" or "fail
secure". A fail-secure lock remains locked when power is lost, whereas a fail-safe lock
unlocks when de-energized. A maglock holds only while energized, so it is inherently
fail-safe; this makes it suitable for doors on an evacuation route, but it needs backup
power to stay secure during an outage. The electromagnet is typically mounted on the
door frame and the armature plate on the door. When energized, the magnetic flux
created by the electromagnet attracts the armature plate and holds the door firmly
closed; removing power releases it.

• Combination Locks: A combination lock is opened by a sequence of numbers or letters.
The user needs to provide the combination to open the lock. Users may enter the
combination either through a keypad or by turning a rotating dial that interacts with
several internal discs. Combination locks do not use keys.


Physical Security Controls: Concealed Weapon/Contraband Detection Devices

Contraband includes materials that are banned from entering the environment such as explosives, bombs,
weapons, etc.

Use different tools such as hand held metal detectors, walkthrough metal detectors, X-ray inspection
systems, etc. to detect contraband materials.

(Figures: handheld metal detectors, X-ray inspection systems, walkthrough metal detectors)


Contraband detection devices are an important physical security control because they stop a
person carrying contraband from entering the premises. Contraband substances are prohibited
materials such as explosives, bombs, weapons, etc., which must be banned from the premises;
an attempt to bring such items into the office may indicate an intent to cause harm.
Contraband detection devices are able to detect these substances even when they are
concealed by other objects.
Different types of devices are used to detect contraband, such as handheld metal detectors,
walkthrough metal detectors, X-ray inspection systems, etc.

Walkthrough metal detectors are mainly used in airport terminals, schools, sports stadiums,
etc. They screen people before admitting them to certain areas. Walkthrough detectors should
be properly maintained and monitored, and deployed at each entry point of the organization.
Handheld metal detectors allow people to be screened more closely and locate any suspected
item on the person. Handheld detectors are used wherever walkthrough detectors are used.
X-ray inspection systems are easy to handle and use. They use X-rays instead of visible light
to screen the contents of bags and packages.


Physical Security Controls: Mantrap

• It is a security system having an entry and exit door on opposite sides, separating a
non-secure area from a secure area.

• It allows only one door to be opened at a time. People enter the mantrap and request
access; if access is granted they are permitted to exit, and if it is not granted they are
held inside until security personnel unlock the mantrap.

• Passing these doors is allowed only through access control mechanisms such as access
cards, passwords, voice recognition, biometrics, etc.

• It operates automatically, is useful in authorizing visitors, reduces the manpower needed
for security, and helps guarantee the safety of the organization.


A mantrap is another type of physical access control. It holds a person between two interlocking
doors until they have been authenticated and authorized, which prevents tailgating and piggybacking
and keeps unauthorized people out of the secure area. It is most widely used to separate non-secure
areas from secure areas. Physically it is a small space with two sets of interlocking doors: the
first set must close before the second set opens. User authentication at mantrap doors is performed
using smart cards, keypad/PIN or biometric verification. The closing and opening of the doors is
handled automatically or by security guards.

How do mantraps work?

• Step 1: The person requesting access is authenticated at the first door.
• Step 2: The first door unlocks after successful authentication and the person walks in.
• Step 3: The first door closes and locks as soon as the person is inside; the person is now held
in the chamber. Only then does the system signal the second door to unlock. If the access decision
is negative, the second door stays locked and the person remains held until security personnel
release them.
• Step 4: The second door opens and the person walks out. The first door stays locked while the
second door is open.
• Step 5: The second door locks again as soon as the person has walked through it.
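The interlock logic behind these five steps, written out as an added Python example (it is not EC-Council's code nor any door controller's firmware): the credential table, badge IDs and the two-boolean door model are constructed for the demo. It enforces the properties the text relies on: the two doors are never unlocked at the same time, only an authenticated person is admitted to the chamber and only one at a time, and a person who is denied stays held until a guard releases them.

```python
"""Interlock state machine for a two-door mantrap.

Added example (not EC-Council courseware code). It models the five steps in
the text so the safety properties can be checked in software: the two doors
are never unlocked together, a person is admitted only after authentication,
one person occupies the chamber at a time, and a denied person stays held
until a guard releases them. Credential table and badge IDs are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed credential store: badge ID -> cleared for the secure side?
# Badges not in the table are not even admitted to the chamber.
CREDENTIALS = {"B1001": True, "B2002": False}


@dataclass
class Mantrap:
    outer_unlocked: bool = False      # door on the non-secure side
    inner_unlocked: bool = False      # door on the secure side
    pending: Optional[str] = None     # badge authenticated at the outer door
    occupant: Optional[str] = None    # badge of the person inside the chamber
    held: bool = False                # denied and waiting for a guard
    log: List[str] = field(default_factory=list)

    def _interlock(self) -> None:
        # The one invariant a mantrap exists to enforce.
        if self.outer_unlocked and self.inner_unlocked:
            raise RuntimeError("interlock violated: both doors unlocked")

    def present_badge(self, badge: str) -> bool:
        """Steps 1-2: authenticate at the outer door; unlock it only if known."""
        if self.occupant is not None or self.outer_unlocked:
            self.log.append(f"{badge}: chamber busy, wait")
            return False
        if badge not in CREDENTIALS:
            self.log.append(f"{badge}: unknown badge, outer door stays locked")
            return False
        self.pending = badge
        self.outer_unlocked = True
        self._interlock()
        self.log.append(f"{badge}: authenticated, outer door unlocked")
        return True

    def enter(self) -> str:
        """Step 3: person steps in, outer door relocks, access decision is made.

        Returns "granted", "held", or "ignored" (nobody was authenticated,
        e.g. someone pushing on the locked outer door)."""
        if not self.outer_unlocked or self.pending is None:
            self.log.append("entry attempt with outer door locked, ignored")
            return "ignored"
        self.occupant, self.pending = self.pending, None
        self.outer_unlocked = False          # relock before anything else
        if CREDENTIALS[self.occupant]:
            self.inner_unlocked = True       # signal the second door to unlock
            self._interlock()
            self.log.append(f"{self.occupant}: access granted, inner door unlocked")
            return "granted"
        self.held = True                     # denied: both doors stay locked
        self.log.append(f"{self.occupant}: access denied, held for security")
        return "held"

    def exit_secure_side(self) -> bool:
        """Steps 4-5: walk out through the inner door, which then relocks."""
        if not self.inner_unlocked:
            self.log.append("exit attempt with inner door locked, refused")
            return False
        self.log.append(f"{self.occupant}: left through inner door")
        self.inner_unlocked = False
        self.occupant = None
        return True

    def guard_release(self) -> bool:
        """Security personnel unlock the outer door to let a held person out."""
        if not self.held:
            return False
        self.outer_unlocked = True           # inner door is still locked
        self._interlock()
        self.log.append(f"{self.occupant}: released to non-secure side by guard")
        self.outer_unlocked = False
        self.occupant, self.held = None, False
        return True


if __name__ == "__main__":
    trap = Mantrap()
    trap.present_badge("B1001"); trap.enter(); trap.exit_secure_side()
    trap.present_badge("B2002"); trap.enter(); trap.guard_release()
    print("\n".join(trap.log))
```

Running the module walks one cleared badge and one uncleared badge through the chamber and prints the decision log. The `_interlock()` check is deliberately a hard failure: if a bug ever unlocks both doors the controller should stop rather than quietly become an ordinary doorway.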


Physical Security Controls: Security Labels and Warning Signs

Security labels:
• Security labels are used to mark the security level requirements for information assets and to
control access to them
• Organizations use security labels to manage access clearance to their information assets
• Security label scheme: Unclassified, Restricted, Confidential, Secret, Top Secret

Warning signs:
• Warning signs are used to ensure someone does not inadvertently intrude into any restricted area
• Appropriate warning signs should be placed at each access control point
• Example sign: RESTRICTED AREA - AUTHORIZED PERSONNEL ONLY

Security labels are used to restrict access to information in high and low security areas as part
of mandatory access control decisions. A label states the sensitivity of the data or object and the
clearance required to access it. This lets users see at a glance which documents they are allowed
to open, and it lets an organization clear a large group of users for a class of documents by
clearance level rather than by maintaining per-user lists for every object.
Security labels are categorized into different types based on who can access the data or object.

• Unclassified: No access permissions are required in order to access unclassified documents. Any
person at any level may access them.

• Restricted: Only a few people can access the data or object. Sensitive data may be restricted
for use in an organization for technical, business or personal reasons.

• Confidential: Exposure of confidential data or objects may lead to financial or legal problems
for the organization. Documents may be confidential or highly confidential; disclosure of either
leads to the loss of critical information.

• Secret: Users authorized to access secret files may also access confidential, restricted and
unclassified data. They cannot access documents or objects labelled top secret, as that requires
a higher clearance level.


• Top Secret: Users cleared for top secret documents may access top secret, secret, confidential,
restricted and unclassified data. Clearance works downward: a higher clearance reads everything
at or below its level, never above it.
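The read-down rule across the five labels, as an added Python example that is not part of the courseware: the label order is the page's and the read rule is the one described above. The write rule (no write down) is the standard Bell-LaPadula star property, assumed here to show why labels also constrain where data may be copied, not only who may read it. The document inventory is constructed for the demo.

```python
"""Mandatory access control checks over the five-level label scheme.

Added example, not EC-Council courseware code. The read rule ("a clearance
reads its own level and everything below") is the one the text describes.
The write rule is the Bell-LaPadula star property and is an assumption made
here: without it a Secret-cleared user could paste Secret content into a
Restricted file. Document names and labels are constructed for the demo.
"""
from typing import Dict, List

LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK: Dict[str, int] = {name: i for i, name in enumerate(LEVELS)}


def rank(label: str) -> int:
    """Numeric position of a label; unknown labels are rejected, not guessed."""
    try:
        return RANK[label]
    except KeyError:
        raise ValueError(f"unknown security label: {label!r}") from None


def can_read(clearance: str, label: str) -> bool:
    """Simple security property: read at or below your clearance, never above."""
    return rank(clearance) >= rank(label)


def can_write(clearance: str, label: str) -> bool:
    """Star property (assumed): write at or above your clearance, never below,
    so information cannot flow from a higher label to a lower one."""
    return rank(label) >= rank(clearance)


def readable(clearance: str, inventory: Dict[str, str]) -> List[str]:
    """Names of the labelled objects a subject with this clearance may open."""
    return [name for name, label in inventory.items() if can_read(clearance, label)]


def decide(clearance: str, label: str, action: str) -> str:
    """One access decision with its inputs, in a form suitable for an audit log."""
    check = {"read": can_read, "write": can_write}[action]
    verdict = "ALLOW" if check(clearance, label) else "DENY"
    return f"{verdict} {action} clearance={clearance} label={label}"


# Constructed inventory of labelled assets
DOCUMENTS: Dict[str, str] = {
    "visitor_policy.pdf": "Unclassified",
    "vendor_pricing.xlsx": "Restricted",
    "hr_records.db": "Confidential",
    "network_diagrams.vsdx": "Secret",
    "incident_report.docx": "Top Secret",
}

if __name__ == "__main__":
    for doc in readable("Secret", DOCUMENTS):
        print("Secret clearance may read:", doc)
    print(decide("Secret", "Top Secret", "read"))
    print(decide("Secret", "Restricted", "write"))
```

The checks are pure comparisons on the label order, which is the point of a label scheme: the decision depends only on the subject's clearance and the object's label, so it cannot be overridden by an object's owner the way a discretionary permission can.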

Warning signs are generally used to restrict unauthorized access in an organization. They are
placed at entrance points, at the boundaries of the site and at sensitive areas. Warning signs
should be clearly visible so that people understand which areas are prohibited and must not be
entered. They also help an organization keep large numbers of people out of sensitive areas.
Warning signs are generally placed at all sensitive areas where there is a threat of damage to or
destruction of information, assets, or life. For example, a warning sign is typically placed on an
electric fence, which may pose a threat to life if someone touches it unknowingly. Typical warning
signs are RESTRICTED AREA, WARNING, CAUTION, DANGER, BEWARE, etc.


Physical Security Controls: Alarm System

• Proper alarm systems should be installed inside and at the entrance to report intrusions,
suspicious activity, and emergencies
• They can be triggered either automatically or manually, by smoke detectors, heat detectors,
security personnel, etc.
• Alarms should be audible to everyone in the building and staged at intervals of about 5 minutes,
such as a first alert, a second alert and then the final alert to evacuate
• Proper management and regular assessment of the alarm system should be performed, together with
emergency drills

Alarms are used to draw attention when there is a breach or an attempted breach. Alarm outputs
vary by facility: sirens, flashing lights with sound, email, and/or voice alerts. The organization
should divide large facilities such as buildings, floors, sections, and offices into small security
zones and, depending on the significance of each zone, place the appropriate alarm system. Security
zones that store high priority data are given multilevel security, such as restricting access with
access control devices, biometrics, surveillance, locks and alarms that draw attention in any event
of intrusion. Organizations should provide proper power backup for alarm systems so that they keep
working in emergencies and during a power shutdown. All wiring and components of an alarm should be
protected from tampering, and the alarm control box should be concealed, locked, and accessible
only to a limited set of people.


Physical Security Controls: Video Surveillance

• Video surveillance refers to monitoring activities in and around the premises using CCTV
(Closed Circuit Television) systems
• CCTV systems can be programmed to capture motion and trigger alarms if an intrusion or movement
is detected
• Pan/tilt/zoom CCTV cameras are recommended for a closer look at suspicious objects
• Surveillance systems should be installed at strategic locations in and around the premises such
as parking lots, reception, lobby, work areas, server rooms, and areas having output devices such
as printers, scanners, fax machines, etc.
• Establish procedures and guidelines for storage, retention, and disposal of CCTV recordings

Basic types of CCTV camera: bullet-type CCTV camera, dome-type CCTV camera

Video surveillance is considered an important component of physical security. These systems
protect an organization's assets and building from intruders, theft, etc. CCTV is used as part of
the organization's security system. CCTV covers a large area and is often placed near gates,
reception, hallways, and in the workplace. It captures illicit activities inside the premises and
also helps monitor activities inside, outside and at the entrance. Cameras can be programmed to
capture motion and initiate an alarm whenever they detect movement or an object. They help identify
activities that need attention, collect images as evidence and support the alarm system. The
devices used for video surveillance should be automatic, capable of pan/tilt/zoom to capture the
action, and able to store footage for later review.
Many things need to be considered for the installation, management and maintenance of a video
surveillance system in an organization, such as the camera, lens, resolution, recording time,
recording equipment, cabling, monitoring system, storage devices and centralized control
system/equipment. Recording activities through CCTV and storing the footage for reference can also
help the facility provide evidence in a court of law. It is also important to decide what type of
lens, resolution, and coverage area each camera should have, and to record the time and date on
the video. Another important aspect is how video recordings are stored and for how long, what
happens to old recordings, and how they are disposed of.

The following are a few considerations for video surveillance systems:

• Install surveillance systems at the parking lot, reception, lobby, and work areas.


• Place output devices such as printers, scanners, fax machines, etc., in public view under
surveillance.
• Integrate surveillance with the alarm system.

• Establish a procedure for how long recorded video is kept and how it is disposed of afterwards.

• Store all recording devices and media in a secure location with limited access.

• Use proper disposal methods such as deleting contents, overwriting, and physical destruction.
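An added example, not courseware code, of enforcing the retention and disposal procedure above: recordings older than an assumed 30-day retention period are overwritten and then deleted. It assumes recordings are files in a single directory and takes their age from the file modification time; the three clips in the demo are constructed.

```python
"""Retention enforcement for CCTV recordings.

Added example, not EC-Council courseware code. Assumptions: recordings are
files in one directory, age is taken from each file's modification time,
and the retention period is 30 days (a policy value assumed for the demo).
Expired files are overwritten before deletion; see the caveat in
overwrite_and_delete().
"""
import os
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

RETENTION_DAYS = 30   # assumed policy value
DAY = 86400           # seconds


def is_expired(path: Path, now: float, retention_days: int = RETENTION_DAYS) -> bool:
    """True when the recording is older than the retention period."""
    return (now - path.stat().st_mtime) > retention_days * DAY


def overwrite_and_delete(path: Path, chunk: int = 1 << 20) -> None:
    """Overwrite the file with zeros, flush to disk, then unlink it.

    Caveat: on SSDs, copy-on-write or journaling file systems and cloud
    storage, overwriting in place does not guarantee the old blocks are
    unrecoverable. For retired media the physical destruction the text
    lists is the reliable option; this step is a courtesy, not a guarantee."""
    remaining = path.stat().st_size
    with open(path, "r+b") as f:
        while remaining > 0:
            n = min(chunk, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())
    path.unlink()


def purge_expired(directory: str, now: Optional[float] = None,
                  retention_days: int = RETENTION_DAYS) -> List[str]:
    """Dispose of every expired recording in directory; return what was purged."""
    now = time.time() if now is None else now
    purged = []
    for path in sorted(Path(directory).glob("*.mp4")):
        if is_expired(path, now, retention_days):
            overwrite_and_delete(path)
            purged.append(path.name)
    return purged


def run_demo() -> Tuple[List[str], List[str]]:
    """Build a constructed recordings directory, purge it, report the result."""
    now = time.time()
    workdir = tempfile.mkdtemp(prefix="cctv_")
    try:
        # Constructed sample: three clips with different ages in days.
        for name, age_days in [("cam1_day02.mp4", 2), ("cam1_day31.mp4", 31),
                               ("cam1_day45.mp4", 45)]:
            clip = Path(workdir, name)
            clip.write_bytes(b"\xff" * 4096)            # stand-in for video data
            stamp = now - age_days * DAY
            os.utime(clip, (stamp, stamp))
        purged = purge_expired(workdir, now)
        remaining = sorted(p.name for p in Path(workdir).glob("*.mp4"))
        return purged, remaining
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    purged, remaining = run_demo()
    print("purged:", purged)
    print("remaining:", remaining)
```

In a real deployment the retention period and the recordings path come from the written procedure rather than constants, and the list of purged files should itself be logged, since a retention log is what proves to an auditor that disposal happened on schedule.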

Different types of CCTV cameras available are:

• Dome CCTV: Mainly used for indoor security and surveillance. Dome CCTV cameras are built in a
dome-shaped housing to protect the camera from damage or destruction. It is hard to tell which
direction the camera is pointing, and the housing lets it observe a wide angle and cover larger
areas. Speed dome CCTV camera units provide pan/tilt/zoom and spin features, allowing the operator
to move the camera as needed.

FIGURE 5.7: Dome CCTV

• Bullet CCTV: Used for indoor and outdoor surveillance. These are generally placed in protective
housings that shield them from dust, rain or other disturbances. A bullet CCTV camera is normally
long, cylindrical and tapered, a shape suited to long-distance surveillance.

FIGURE 5.8: Bullet CCTV


• C-Mount CCTV Camera: It has detachable lenses, which allow surveillance beyond 40 ft; other
CCTV camera lenses provide only 35 to 40 ft of coverage. C-Mount allows different lenses to be
used according to the distance to be covered.

FIGURE 5.9: C-Mount CCTV Camera

• Day/Night CCTV Camera: Commonly used for outdoor surveillance. It can capture images even in
low light and darkness. These types of camera do not require infrared illuminators in order to
capture images, and they can capture clear images despite glare, direct sunlight, reflections, etc.

FIGURE 5.10: Day/Night CCTV Camera

• Infrared Night Vision CCTV Camera: Commonly used for outdoor surveillance; it can capture images
in complete darkness. Its infrared LEDs illuminate areas that have poor lighting.

FIGURE 5.11: Infrared Night Vision CCTV Camera


• Network/IP CCTV Camera: Available in wired and wireless models. It sends images over an IP
network, including the internet. A wireless IP camera is easier to install than a wired one
because it does not require cabling. Because these cameras are reachable over the network, they
should sit on a segregated network segment and never be exposed directly to the internet.

FIGURE 5.12: Network/IP CCTV Camera

• Wireless CCTV Camera: Wireless CCTV cameras are easier to install and use different modes of
wireless transmission.

FIGURE 5.13: Wireless CCTV Camera

• High-Definition (HD) CCTV Camera: Mainly used in sensitive locations that require more attention.
Its resolution allows operators to zoom into a particular area.


Physical Security Controls: Physical Security Policies and Procedures

Organizations need policies and procedures for effective management of physical security controls.

Physical security policies include:
• Organization's stand on physical security
• Roles and responsibilities of staff
• Access control management
• Reporting and auditing

Physical security procedures include:
• Locks management
• Intrusion incident reporting
• Visitor management
• Disposal of confidential material

Organizations should enforce the required physical security policies and procedures for effective
physical security management. Physical security policies may differ from one organization to
another.

• Typical physical security policies may include:

  • Organization's stand on physical security: It defines the organization's scope of physical
  security, such as what it wants to achieve with an effective security policy.

  • Roles and responsibilities of the staff: It clearly explains the roles and responsibilities of
  every person associated with the facility. It also identifies how they should perform their
  duties in order to maintain the security posture of the organization.

  • Access control management: Organizations need physical security equipment and technologies in
  order to maintain their security posture. They need to focus on the different types of devices
  and technologies that are required in order to provide adequate physical security.

  • Reporting and auditing: Organizations need proper documentation, reporting and auditing
  mechanisms, with records archived for future reference.

• Physical security procedures may include:

  • Locks management: It includes procedures for the management of locks and alarms.


  • Intrusion incident reporting: It includes the steps and procedures to follow when an event is
  detected or has occurred.

  • Visitor management: It includes basic procedures that define the different types of visitors
  and how to manage new visitors, clients, stakeholders, new employees, etc.

  • Disposal of confidential material: It includes procedures for confidential material and how
  it should be disposed of, using techniques such as degaussing, physical destruction, and
  overwriting.


Other Physical Security Measures: Lighting System

• Adequate lighting should be provided inside, outside, and at the entrance of the building; it
helps in seeing long distances during security patrols
• Adequate lighting will discourage intruders from entering the premises and concealing themselves
behind stones, bushes, trees, etc.
• Apart from standby lights, movable searchlights should be used for security patrols of the
premises
• Alternate power systems such as generators should be in place to deal with power failures and
emergencies

Types of lighting systems:
► Continuous
► Standby
► Movable
► Emergency

Security lighting is an important aspect of the physical security of a facility. If the
organization has not implemented adequate lighting in and around its premises, the effectiveness of
all other security measures is drastically reduced. For example, if the organization has no
lighting at rear corners, near bushes and plants, in parking areas, and near surveillance cameras,
it is difficult to spot people or objects hidden in these locations. With poor lighting it is also
difficult to identify people entering the premises, and an intruder may pose as an employee or use
other tricks to circumvent security. The lighting system for a location depends on its layout and
sensitivity.
• Continuous lighting: Fixed sets of lights arranged so they provide continuous lighting to a
large area throughout the night.
• Standby lighting: Used whenever any suspicious activity is detected by security personnel or by
an alarm system. It operates either manually or automatically.
• Movable lighting: Manually controlled lighting that is used at night or only when needed.
Normally used as an extension of a continuous or standby lighting system.
• Emergency lighting: Used mainly during power failures or when the other lighting systems do not
operate properly.


Other Physical Security Measures: Power Supply

Use UPS (Uninterruptible Power Supply) systems to manage unexpected power disruptions or
fluctuations in the primary electric supply that may lead to equipment failure, business disruption
or data loss.

Different types of UPS systems (UPS topologies):
• Standby: Most commonly used for personal computers
• Line Interactive: Most commonly used for small business, web, and departmental servers
• Standby on-line hybrid: Most commonly used for server rooms
• Standby-Ferro: No longer commonly used because it becomes unstable when operating a modern
computer power supply load
• Double Conversion On-Line: Generally used in environments where electrical isolation is necessary
• Delta Conversion On-Line: Can be useful where complete isolation and/or direct connectivity is
required

Facilities may suffer blackouts or power outages that could make systems inoperable unless
appropriate alternative power capabilities are in place. Power outages affect both the ability to
provide information technology services as expected and the ability to maintain physical security,
since access control, alarm and surveillance systems also depend on power. Power spikes, surges, or
blackouts deliver too much or not enough power and can damage equipment.
Consider the following security measures to deal with blackouts or power outages:

• Be prepared for power fluctuations.

• Use an uninterruptible power supply (UPS) to manage power outages.

• Safeguard systems from environmental threats.

• Protect systems from the adverse effects of static electricity in the workplace.
• Plug equipment in properly.

An uninterruptible power supply (UPS) allows computers to keep functioning during a power failure
and protects them during fluctuations in the power supply. A UPS contains a battery and circuitry
that senses fluctuations in the mains supply and switches the load to battery power. The battery
buys time rather than continuity: users need to save their data and the operator needs a defined
procedure for an orderly shutdown when the UPS reports that mains power is lost. A UPS is commonly
used to protect computers, data centers, telecommunication equipment, etc.


Different types of UPS include:

• Standby: An offline battery backup that protects the connected equipment from a power
fluctuation. A standby power supply contains AC-DC circuitry that switches the load to the
battery during a power fluctuation.

• Line Interactive: Line interactive UPSs mainly deal with continuous power fluctuations,
correcting minor under- and over-voltage without drawing on the battery. This topology needs very
little battery usage.
• Standby on-line hybrid: Mainly used to supply power below 10 kVA. The load is connected to the
battery during a power failure.

• Standby-Ferro: A ferroresonant transformer is used for filtering the output. Standby-Ferro
provides ample time for switching from main power to battery power.

• Double conversion on-line: Used to supply power above 10 kVA. It provides an ideal electrical
output, but the constant wear on its power components reduces its dependability. It has no
transfer time in normal operation; it switches to bypass only under a large load current.

• Delta conversion on-line: It contains an inverter that supplies the load voltage. It is
available in a range from 5 kVA to 1 MW. It controls the input power characteristics and charges
the UPS battery.


Workplace Security: Reception Area

• The reception area should be spacious and offer proper scope to control building access and
visitor traffic and to assess visitors' behavior
• Important files, documents or devices should not be kept on the reception desk
• The design and placement of reception desks should help discourage inappropriate access to the
administrative area
• Computers at the reception desk should be positioned so the screens are not visible to visitors
• Computers at the reception desk must always be locked when reception personnel are away from
the desk

The reception area is always the initial point of contact between an unknown person and the
organization. It can be vulnerable to physical security breaches as it provides easy access to
strangers. Organizations often have regular visits from clients, the general public, invitees,
etc., and require staff to greet, assist and direct them. Receptionists should be able to recognize
or identify any unusual behavior, including solicitors and peddlers, charity organizations,
ex-employees, etc. Reception personnel should maintain eye contact and a non-confrontational facial
expression and posture while meeting people. They should be proficient enough to handle emergency
situations and follow the procedures for calling for immediate attention: alarm, radio, first aid,
etc.
The reception area should be laid out so that reception personnel can closely monitor visitors and
the whole area. They should observe people entering the company and notice and record odd behavior
by any stranger. There should be defined benchmarks for judging people arriving at the
organization, and their intentions have to be noted, whether a person is searching for someone or
for something.


Workplace Security: Server/Backup Device Security

• Keep critical network assets, such as servers and backup devices, in a separate room
• Protect the server room and backup devices with appropriate access control
• Keep the server room and backup devices under video surveillance

The organization should consider the physical security of its critical servers and backup
devices. Physical access to these devices should be restricted, and only approved personnel should
have access to them.

Typical physical security measures for server and backup devices are:

• Keep the server and backup devices in a separate room. This reduces the accessibility of these
devices to the public and unknown people.

• Install CCTV, smart card and biometric authentication to track and monitor unauthorized physical
access to the server and backup devices.

• Use rack-mounted servers in locked racks. This makes it harder for attackers to steal or damage
the servers.

• Attach the server to a UPS so that it is protected from file damage or corruption due to
temporary power loss.

• Keep the devices in locked drawers, cabinets or rooms.

• Backup devices should be stored at off-site locations, and those locations must be secured.

• Do not encourage employees to take backups on CD, DVD, USB, or external hard disks. Ensure that
backups are locked up at all times in a drawer, safe or separate room.

• Do not allow employees to leave an area carrying a backup device. Use motion-sensing alarms to
detect the movement of any backup device.

• Implement full disk encryption on backup devices, so that a lost or stolen backup does not
expose its contents.


Workplace Security: Critical Assets and Removable Devices

• Keep your network devices and computer equipment in locked cabinets
• Some cabinets come with biometric locks and climate control features
• Restrict the use of removable devices such as DVDs, USB pen drives, SD cards, mobile phones,
cameras, etc.
• Design and implement acceptable-use policies to manage the use of removable devices
• Implement a regular inventory review of removable devices
• Consider using corporate-controlled locked-down devices instead of implementing a
bring-your-own-device (BYOD) policy

The organization should always pay attention to its server and backup storage device security. At
the same time, it should not ignore the security of its other critical assets such as
workstations, routers and switches, printers, other network equipment, removable devices, etc. The
organization should apply the physical security measures used for servers/backup devices to
critical assets and removable devices as well.
• Workstations: Workstations at unoccupied desks, empty offices, the receptionist's desk, etc. are
more vulnerable to physical security breaches. Disconnect or remove such unoccupied workstations,
or otherwise lock the doors of the room where the workstation is located.

• Routers and switches: Keep these critical network devices in a locked room.

• Printers: Like servers and workstations, printers can store important information; they should
be bolted down and located in separate places.
• Removable devices: Portable devices such as laptops, handheld computers, mobile devices, SD
cards, USB drives, Bluetooth peripherals, etc. can pose physical security risks. Keep these devices
in a drawer or a safe, or permanently attach a cable lock.


Workplace Security: Securing Network Cables

• Lay network wiring separate from all other wiring for easy maintenance and monitoring, and to
prevent electrical interference
• Consider installing armored cable if there is a threat from rodents, termites, etc.
• Use transparent conduits for cabling in highly sensitive areas, which allow easy identification
of any damage or interference
• All network and communication cables should be hidden and protected appropriately
• Running cables underground will prevent physical access to them
• Do not lay cables above a false ceiling, to avoid fire risks
• Access to cabling pathways and spaces should be restricted to authorized persons only
• Create redundancy to avoid a single point of failure in case of a disaster
• Document the entire cable infrastructure

Network cable security is often overlooked as an aspect of physical security. The organization
should consider the importance of cable security before planning and installing any cabling.
Network cabling should be tidy and well organized; if it is not, an organization can suffer
unplanned downtime. With flawed or insecure network cabling, an attacker can easily access
sensitive information while bypassing other security controls. Wiretapping, physical damage and
theft are the risks associated with network cabling.

Types of cable used in network cabling

• Unshielded Twisted Pair (UTP) Cable:

The twisting of the pairs reduces crosstalk and interference between pairs of wires. UTP cable is
prone to wiretapping: an attacker can easily tap the information flowing through the cable.

  • Advantages:
    o Easy to install.
    o Suitable for domestic and office Ethernet connections.

  • Disadvantages:
    o Easily susceptible to electromagnetic and radio frequency interference.
    o Less commonly used for long distance networking.


• Shielded Twisted Pair (STP) Cable:

In STP cable, each pair of wires is individually shielded with foil. It is less susceptible to
external interference because the shielding absorbs most EMI and RFI.

  • Advantages:
    o Much better resistance to crosstalk and interference.
    o Lower signal emanation, which makes passive interception harder; the shield does not,
    however, prevent a physical tap.

  • Disadvantages:
    o More expensive than UTP.
    o More difficult to install than UTP.

• Fiber Optic:

It is made of glass or plastic and carries light rather than electrical signals. Fiber optic
cabling is the least susceptible to wiretapping.

  • Advantages:
    o Can carry information over greater distances.
    o Immune to electromagnetic interference.
    o No crosstalk.

  • Disadvantages:
    o Limited bend radius.
    o Expensive.
    o Needs optical transmitters and receivers.

• Coaxial Cable:

Coaxial cable has a single copper conductor at its center. A plastic dielectric insulates the
center conductor from a braided metal shield. The metal shield prevents interference from
fluorescent lights, motors, etc.

  • Advantages:
    o Can carry information over greater distances.
    o Moisture resistant.

  • Disadvantages:
    o It does not bend easily and is difficult to install.


Workplace Security: Securing Portable Mobile Devices

• Use cables and locks to safeguard laptops
• Encrypt hard drives so that files cannot be read if the device is lost or stolen
• Install anti-theft software that can remotely lock and track devices using a data connection
• Install device tracking software that can assist in recovering stolen/lost devices
• Enable or install a remote wipe feature to erase data stored in devices
• Do not lend your device to third parties
• Do not leave your device unattended in public places
• Label the device or attach a sticker with the name and contact details so the device can be
returned if lost
• Enable the lockout option so the device will lock when consecutive unsuccessful attempts to
log in are made
• Use a docking station that permanently affixes the laptop to the desktop and also locks the
laptop securely in one place
• Use security gadgets like motion detectors and alarms to alert when the laptop is moved without
authorization

The use of portable mobile devices in organizations has risen over the past few years, and the
risk of physical security threats to these devices has increased with it. These devices are often
exposed to physical threats such as theft, loss, damage, resale, etc. The organization should take
proper care in dealing with any security incidents related to these devices.

• Apply the same physical security measures used for other assets such as servers and backup
devices.
• Physically secure the location where mobile devices are kept.
• Apply proper access control procedures for these devices.


Personnel Security: Managing the Staff Hiring and Leaving Process

Consider and implement personnel security measures starting from the selection and hiring of staff or contractors to relieving them of their duties.

• Hire employees after a thorough identity verification and background check
• Provide orientation sessions explaining the company background, their roles and responsibilities, and security policies
• Contractors should be hired with the same due diligence as in-house employees
• Insert clauses in the contract to enforce personnel security for contractors and audit their compliance
• Sign an NDA with employees and contractors
• Remove access rights and collect all company assets from employees and contractors when they leave the organization

Employees, regardless of their designation, should understand the confidentiality of information and keep their personal and professional identities separate. A uniform procedure should be in place to explain the risks associated with a particular designation. Non-performance and disregard for an organization's sensitive data can adversely affect the organization's security.

Personnel Security for Employees/Contractors

• Establish an effective background screening process to find out the working potential of an employee.
• Perform background checks covering criminal history, financial screening, education, past experience, and other certifications.
• Provide an orientation session for new employees and explain the company's background.
• Clearly explain the roles and responsibilities of each employee.
• Create security awareness and explain the concept of data confidentiality.
• Sign contracts/agreements with employees so they know not to share confidential data with others. These may include a confidentiality/nondisclosure agreement, acceptable use agreement, user rules of behavior, and a conflict-of-interest agreement.
• Hold employees accountable for every action performed and take disciplinary action against those who oppose or neglect the security policies.


• All physical security practices for employees also apply to contractors. In addition, the organization should:

o Make sure only contractors with the proper clearance level have access to sensitive information.
o Issue contractors an office identity card with their photo and personal details. It may also carry an expiration date.
o Require all contractors to carry their ID cards when they work on the floor and to display them clearly to the security officer. Contractors must return their ID cards when they are terminated by the office or when they resign.

Employee/Contractor Resignation and Clearance Procedures

The employee should send their resignation or retirement letter to the department head and the Human Resource Department (HRD). HRD will consult with the relevant department head to discuss and accept the resignation. They collect various items such as the ID card, laptop, parking cards, etc., from the employee before the clearance procedures conclude. All related access controls provided to the employee are terminated.
The following steps clear an employee of their responsibilities:

• An employee has to submit their resignation and/or retirement letter to the department head with a copy going to the HR (Human Resource) department. The department head will forward the resignation letter to the central leave coordinator to relieve the employee of their responsibilities.
• After receiving the resignation letter from the employee, the department head will provide the last working day for the employee.
• The employee should fill out the clearance form and meet with the central leave coordinator of the HR department, who will provide a plan for the employee's last working days.
• After meeting with the employee, the HR department will send a notice to obtain clearance from all departments specified in the clearance form.
• After receiving the notice from the HR department, all departments will send their clearance certificates to the central leave coordinator within two days.
• The employee should inform the central leave coordinator on their last day, so the clearance process can be completed.
• After verifying the clearance certificates from all departments, the central leave coordinator will clear the employee through the clearance form.
• After getting all the clearance certificates, the central leave coordinator will provide the employee with the following forms:

o W-2 change of address form.
o Insurance form.
o Exit interview form (optional).

• The central leave coordinator will sign the clearance form, which depends on the clearance certificates received from all the departments.


Laptop Security Tool: EXO5

EXO5 allows you to track and locate laptops, smartphones, and tablets across your organization in real-time.

Features:
• Provides asset inventory, geolocation, and command execution in real-time
• Uses Wi-Fi and cellular triangulation, GPS, MAC address correlation, Google Maps, and IP address databases to locate assets

http://www.exo5.com

EXO5 helps you track and locate laptops, smartphones and tablets across your organization in real-time.

Features:
• Real-time Agent: The EXO5 agent uses a persistent and secure connection to provide asset inventory, geolocation and command execution in real-time. Information is always up-to-date, which is critical in developing a theft scenario.
• Ultra-accurate Location: EXO5 uses multiple methods to locate assets to provide the best location accuracy worldwide, including Wi-Fi and cellular triangulation, GPS, MAC address correlation, and IP address databases from multiple providers.


FIGURE 5.14: EXO5 Maps

• Dynamic Maps: Use the Google Maps interface to quickly locate assets, or the real-time LiveMap and Google Earth display for a commanding view of your entire organization.

FIGURE 5.15: Dynamic Maps

Source: https://www.exo5.com


• Ztrace Gold: http://www.ztrace.com
• LoJack: http://www.dell.com
• Prey: http://preyproject.com
• Adeona: http://adeona.cs.washington.edu
• Snuko Anti-Theft and Flamory: http://flamory.com
• TrackMyLaptop: http://trackmylaptop.net
• Laptopcop: https://awarenesstechnologies.com
• My Laptop Tracker: http://www.mydevicetracker.com
• GadgetTrak: http://www.gadgettrak.com
• Locate Laptop Desktop Security: http://www.unistal.com

Ztrace Gold

Source: http://www.ztrace.com

ZTRACE GOLD is an invisible software security application that traces the location of missing laptops for recovery. It is undetectable and cannot be removed from a laptop hard drive.

Prey

Source: http://preyproject.com

Prey is tracking software that helps users find, lock and recover their computer, tablet or smartphone when it is stolen or missing.

Snuko Anti-Theft and Flamory

Source: http://flamory.com

Snuko Anti-Theft and Flamory help you track your Android device when it is lost or stolen. You can remotely activate geolocation tracking, data encryption, data backup and device lockdown to protect against unauthorized use.

Laptopcop

Source: https://awarenesstechnologies.com

LAPTOP COP allows you to identify, track, and control who accesses data on a stolen laptop, what data is accessed, and what can and cannot be done with that data.


GadgetTrak

Source: http://www.gadgettrak.com

GadgetTrak provides mobile security software for a range of mobile devices including mobile phones, laptops, flash drives, external hard drives and more. It helps you find your lost or stolen laptop.

LoJack

Source: http://www.lojack.com

LoJack allows you to track, manage, secure and recover mobile computers. It has remote data and device security to prevent use of a lost laptop, protect privacy remotely, and map a laptop's location.

Adeona

Source: http://adeona.cs.washington.edu

Adeona allows you to track the location of your lost or stolen laptop without relying on a proprietary central service.

TrackMyLaptop

Source: http://trackmylaptop.net

TrackMyLaptop helps you track your stolen laptop.

My Laptop Tracker

Source: http://www.mydevicetracker.com

My Laptop Tracker can track down your stolen or lost laptop within minutes.

Locate Laptop Desktop Security

Source: http://www.unistal.com

Locate Laptop protects your laptop from being stolen. It is used to locate and recover lost or stolen laptops.


Environmental Controls: Heating, Ventilation and Air Conditioning

• Continuous power consumption/supply makes data centers, hardware, and equipment become hot very quickly
• Improper equipment placement can increase the risk of fire
• HVAC (Heating, Ventilation, and Air Conditioning) systems control the surrounding environment in a room or building, especially humidity, temperature, and air flow
• Consider various factors and components such as hardware, cabling, fire protection, power supply, etc. before installing the HVAC equipment
• Maintain baseline temperature and humidity levels to keep equipment working reliably
• Continuous monitoring of equipment that emits hot or cold air is necessary
• HVAC ensures the information system components are less prone to damage due to environmental changes
• HVAC maintains odor-free and clean air

An HVAC system is a special system that controls the surrounding environment in a room or building, especially the humidity conditions in the air and ventilation. It is deployed to maintain comfortable temperatures in a room so the hardware is not affected by moisture and changes in the air. In these controlled conditions, the hardware and components are safer and less prone to damage from environmental factors. The HVAC also purifies the air in the room of smoke, odor, heat and dust particles. An environment where the air is odor free and clean and the humidity is under control provides a good atmosphere for the people working in that organization. These ventilation systems are desired mostly in medium to large scale organizations involving heavy equipment and a larger amount of staff. A pre-programmed sensing device is used to check for changes in the temperature and acts accordingly. The HVAC can also be controlled manually.

An HVAC system to which a refrigeration component is added is also known as an HVAC&R or HVACR (heating, ventilating, air-conditioning and refrigeration) system.

Types of HVAC Systems

• Heating and Air-Conditioning Split System: The most traditional and commonly used HVAC system. You may find the components of the system both inside and outside the building. HVAC split systems have:

o An air conditioner to cool the refrigerant.
o A furnace, fan or evaporator coil: converts the refrigerant and circulates the air.


o Duct: Allows air flow throughout the building.
o Air quality fittings like air cleaners, air purifiers, etc.

• Hybrid Heat Split System: This is an advanced version of a split system with better energy effectiveness. Here, a heat pump provides electrically fueled heating instead of gas furnace heat. A typical hybrid heat split system includes:

o Heat Pump: Cools/heats the refrigerant.
o Furnace/Evaporator Coil: Converts the refrigerant and circulates the air.
o Duct: Allows air flow throughout the building.
o Control or Thermostat: An interface to control the system.
o Air quality fittings like air cleaners, air purifiers, etc.

• Duct-Free Split Heating and Air Conditioning System: Most commonly used in locations where the traditional split systems cannot be used. A typical duct-free split system includes:

o An air conditioner to cool the refrigerant.
o Fan Coil: Converts the refrigerant and circulates the air.
o Refrigerant tubing and wires: Connect the outdoor unit to the fan coil.
o Control or Thermostat: An interface to control the system.
o Air quality fittings like air cleaners, air purifiers, etc.

• Packaged Heating and Air-Conditioning System: The most appropriate air conditioning system, used mainly in locations where the space required for installing all the components of a split system is available. Packaged units can be used in spaces that range from an entire building to single-room units. A packaged heating and air-conditioning system includes:

o Packaged Products: A heat pump or an air conditioner combined with a fan coil or an evaporator coil in a single unit.
o Control or Thermostat: An interface to control the system.
o Air quality fittings like air cleaners, air purifiers, etc.


Environmental Controls: Electromagnetic Interference (EMI) Shielding

• EMI occurs when an electronic device's performance is interrupted or degraded due to electromagnetic radiation or conduction
• High levels of disturbance can cause severe damage such as shaky monitors, system failures, unexplained shutdowns, etc.
• EMI shielding is a coating on electronic equipment kept in metal boxes which block emissions and radiation

Electromagnetic radiation emitted from different electronic devices interferes with surrounding devices and causes problems with their functions. EMI shielding is the practice of coating electronic equipment with metals so that electromagnetic waves do not interfere with other devices, or of blocking the field with certain materials. EMI shields separate one part of the equipment from another.

Shielding uses materials such as metals or metal foams. Applying an electromagnetic field to a conductor produces a charge on the conducting material. The conductor produces another charge which cancels the effect of the externally applied electric charge on it, so the conducting material is left unchanged. When the field is applied to the material, it also produces eddy currents (currents that flow within a material in closed loops), and these currents cancel the effect of the magnetic field. In this way the shielded material experiences no outside effects or disturbances.

As organizations use heavy equipment, electronic hardware interference becomes a problem and EMI shielding will be needed for all devices in these types of environments. Many industries, such as telecommunications, hospitals, etc., prefer to use EMI shielding.


Environmental Controls: Hot and Cold Aisles

• A hot and cold aisle is an arrangement of server racks and networking equipment to manage cold and hot air flow
• This arrangement isolates the cold and hot aisles from each other by placing them in opposite directions
• Cold aisles typically face air conditioner output ducts and hot aisles should face air conditioner input ducts
• It saves the hardware from humidity and heat, increases hardware performance and maintains consistent room temperature

Hot and cold aisle alignment is a systematic arrangement of equipment to maintain air flow and to save energy. Many organizations follow it, mostly in server rooms, data centers, etc. where heavy electronic equipment is in use.

Racks of heavy equipment or servers are arranged so that their fronts face the cold air coming from the air conditioners. The backs of the equipment face the back of the next rack of equipment, and this pattern continues for all the equipment in the room. This arrangement pushes the hot air coming from the back of the equipment to one end of the room. The cooling conditions are kept so that the hot air coming out of the equipment is sucked out and does not mix with the cool air inside the room. Place the cooling system below or above the room depending on convenience.

Cold Aisle: Advantages and Disadvantages

• Advantages:

o Easy to implement as it does not require any supplementary architecture to give out air.
o Requires doors only at the end.
o Less expensive.
o Can easily fit into an existing data center with issues like power, network distribution, etc.
o Can be used with a raised floor supply space.
o Controls the air supply to match the server airflow.

• Disadvantages:

o Creates operational issues if low-density storage or communication racks are installed in the data center space.
o Most cold aisles have ceilings immediately above the aisle, affecting fire and lighting design.
o Air leaked from the raised floors and openings under the equipment enters the air paths to the cooling units. This affects the efficiency of the system.

Hot Aisle: Advantages and Disadvantages

• Advantages:

o Leakage from the raised floor openings is passed over to the cold space.
o More effective.
o Works well in a slab environment by supplying an adequate volume of air and covering the exhaust air.
o Provides cooling to the general data center space.
o Perfect distribution of air throughout the space.

• Disadvantages:

o Always requires additional space for the flow of air from the hot aisle to the cooling unit.
o Very expensive.
o Hot aisles are uncomfortable for technicians during maintenance work.


Physical Security: Awareness/Training

• Proper training should be given to educate employees on physical security
• Training increases the knowledge and awareness about physical security
• Training should include and educate employees about:

o How to minimize breaches
o How to identify the elements that are more prone to hardware theft
o How to assess the risks of handling sensitive data
o How to ensure physical security at the workplace

• Different methods to train employees on physical security are:

o Classroom style training
o Round table discussions
o Security awareness website
o Providing hints
o Making short films on physical security
o Conducting seminars

Well trained and skilled personnel can minimize the risk of a physical security threat to a great extent. The organization should provide proper physical security awareness training to all of its employees.

The training or awareness program should:

• Provide methods to reduce attacks.
• Examine all the devices and the chances of a data attack.
• Teach the risks of carrying sensitive information.
• Teach the importance of having security personnel.

An organization can use various methods to conduct physical security awareness training programs:

• Classroom Training

Classroom training provides an interactive lecture-based session. The benefits of classroom training are:

o All doubts regarding the topic may be cleared.
o Can provide web-based and live training sessions.
o Can be made more interactive by including role plays and simulation games.


The duration of the classroom training can vary. It depends upon the technique used in implementing the classroom session.

• Round Table Sessions: Round table sessions may be conducted to train employees regarding the need for physical security. These sessions may be held weekly or monthly.
• Security Awareness Website: Creating a security awareness website enables employees to log in and learn for themselves about physical security measures. Videos, pictures and examples should be included in the website stating the importance of physical security. Several topics may be covered through website training as there is no time constraint.
• Providing Hints: Hints regarding changing passwords or password security may be provided.
• Making Short Films on Physical Security: Teaching using examples can help employees understand more about the importance of physical security. Short films can describe the need for physical security, the risks involved, and methods to prevent them.
• Conducting Seminars: Several seminars on each physical security topic may be conducted. Seminars may include examples, discussions and debates regarding the topic.


Physical Security Checklists

1. Ensure that proper access control methods are implemented to prevent unauthorized access
2. Ensure that sensitive areas are monitored with proper lighting
3. Ensure an alarm system is installed for all types of threats such as fire, smoke, electricity, water, etc. and is working properly
4. Ensure an appropriate door lock system is implemented and is working properly
5. Ensure an adequate number of security guards is hired to monitor the physical security of the campus
6. Ensure the security personnel are given proper training
7. Ensure the security personnel are hired from a trusted agency
8. Ensure surveillance cameras are working properly and monitored regularly
9. Ensure proper procedures are implemented for detecting and reporting physical security incidents
10. Ensure employee contact information is maintained for use during emergencies

Physical security can be built in layers, following a Defense-in-Depth strategy for implementing physical security in the organization. The organization should consider implementing all the physical security controls and measures to ensure Defense-in-Depth physical security.

The following checklist will help an organization ensure it is implementing proper security controls and measures:

• Follow copyright rules and licensing restrictions: The organization should enforce copyright rules and licensing restrictions in order to prevent outsiders or insiders from creating illegal copies of copyrighted software.
• Store all removable and important items in the locker when not in use: Employees should lock all sensitive information and important devices in a locker. Do not leave any important information unattended as it may catch the eye of an attacker.
• Keep the sensitive areas under surveillance: The organization should ensure security for sensitive areas like server rooms, etc. CCTV surveillance and guards may be employed in order to maintain security in the sensitive areas. The organization should enforce 24x7 surveillance for the sensitive areas.
• Always advise employees to swipe their card at the entrance: Swiping ID cards at the entrance helps the organization audit the login details of employees in case of an incident.


• Do not keep any combustible material in the workplace area: Always keep any sort of combustible material away from the workplace area. This ensures the safety of the employees, the information stored and the devices stored inside the workplace area.
• Always ensure company satisfaction: Employ security measures that guarantee the satisfaction of employees. The policies and procedures imposed by the organization should be compatible with the company infrastructure. Physical security measures imposed should detect, report, correct and prevent attacks.
• Evaluate the physical security of the location: Proper security ensures the safety of the employees and of the information in the organization. Preventing attackers from entering the workstations and server rooms and authenticating each person using ID cards or biometrics ensures better security of the location. Other security measures include locking cabinets, doors and windows, proper surveillance using CCTV, proper lighting, etc.
• Do not disconnect consoles from ports: Disconnecting cables or consoles from ports will lead to a disconnection for the user. Make sure the cables are all connected to the ports and are working properly.
• Use alarms and sensors for fire, smoke, etc.: The organization should ensure proper use of sensors and alarms in order to detect fire or smoke on the premises. An organization may also attach sensors to devices in order to detect if anyone tries to take those devices out of the organization.
• Prevent damage to hardware and software: Any damage to the hardware or software results in damage to the information systems in the organization. Damage to the hardware will lead to damage to the electronic and mechanical systems used in data processing. Damage to software leads to damage to the programs and instructions used for data development.
• Do not leave any devices or important data in the parking areas or cars: Any unattended devices or data may attract attackers and may lead to the loss of these valuable items or information. The organization should employ an adequate number of security guards to monitor all parked cars. Proper lighting must be installed to watch these areas clearly. Employ security cameras in sensitive areas and log who is accessing those areas.
• Avoid storing confidential information on mobile devices: Storing sensitive information on a mobile device is not recommended as it is easy to manipulate the data stored in a mobile phone. Attackers may gain access to your mobile devices and then acquire all of their sensitive information.


□ Physical Security is the core layer of the information security program which deals with restricting unauthorized physical access attempts to the infrastructure, office location, workstations and employees of an organization

□ Organizations should adopt a holistic approach to secure key physical and cyber assets

□ Hiring efficient security personnel to implement, monitor and maintain the physical security of an organization

□ Video surveillance systems protect an organization's assets and building from intruders

□ Organizations need physical security policies and procedures for effective physical security management

In this module, we have discussed the importance of physical security and its role in the organization's information security program. This module introduced you to the various physical security controls and security measures that organizations should consider while implementing physical security. It will help the organization implement its Defense-in-Depth strategy for physical security.

In the next module, we will discuss the security of an individual host on the network. We will discuss the various security measures required to harden a host, which may include workstations, routers, switches, servers, etc.

Host Security
Module 06

Certified Network Defender Exam 312-38
Module 06: Host Security

• Understanding host security
• Understanding the need for securing individual hosts
• Understanding threats specific to hosts
• Identifying paths to host threats
• Understanding the purpose of a host before assessment
• Describing host security baselining
• Describing OS security baselining
• Understanding and describing security requirements for different types of servers
• Understanding security requirements for hardening of routers
• Understanding security requirements for hardening of switches
• Understanding data security at rest, in motion and in use
• Understanding virtualization security


Network security starts with securing the individual hosts on the network. Host security is the next layer of security in defense-in-depth that should be taken care of. This module focuses on the security measures and techniques required for securing individual hosts. The module covers the security tools, techniques, best practices and recommendations required for securing and hardening the various types of hosts in the network. The module also provides a brief overview of virtualization security, application security, and data loss prevention techniques that help you attain complete host security.


□ Host Security is a comprehensive approach taken towards hardening each host on the network individually

□ It involves hardening the host's operating system and applications to ensure protection against possible risks and threats

□ The host can be any device which has an IP address on the network: workstations, laptops, network servers, wirelessly networked devices, routers, switches

Any device with an IP address connected to the network is considered a host. A host is an important and integral part of any network in the organization. Host security plays a vital role in securing the organization's network activities, since a host can be the major conduit for an attack: if the host is compromised, all devices and services risk being compromised as well. Host security refers to the protection of the hardware, software, stored information and services running on these computers from any kind of theft or damage. The organization should ensure the confidentiality, availability and integrity of each host and the data it holds. An insecure configuration of a single host can put the entire network at risk. Even when proper host security measures are taken while installing a host in the network, the host can still become insecure through its use. Over time, the hardware and software installed on the host get outdated and become prone to the various types of threats that poor patch management invites. Thus, it is important to address and ensure the security of the host throughout its lifecycle.

The organization needs to monitor its hosts systematically in order to assess the likelihood of attacks and to identify the ways in which the hosts could be attacked. Understanding the areas of compromise helps administrators come up with solutions to prevent those attacks. They can put forward policies and regulations that strengthen the security of the hosts, so that attacks have negligible or no impact on the business of the organization. Appropriate training and awareness help administrators maintain the security of the hosts in an organization.


Common Threats Specific to Host Security

□ Malware infection: viruses, worms, Trojans, spyware
□ Accidental or intentional deletion of data
□ Unauthorized access

Hosts can be at risk from both internal and external threats. Internal threats mainly occur within an organization, and the damage caused by these threats can lead to a great loss of the organization's assets. These threats include malware attacks, information theft, unauthorized access, illegal use of corporate resources, etc. Any sort of internal attack on a host can affect the end users and the business of an organization. Administrators should evaluate their hosts against possible internal as well as external threats.
To ensure host security, you should be aware of the different threats that a host is vulnerable to. A host can be at risk of being exploited by the following major threats.

Malware Attack
• Viruses: Viruses are programs that replicate by reproducing themselves to infect the host system. They make changes in the host, such as deleting files or reformatting the hard drive. A virus-infected system cannot operate as it did before.

• Worms: Worms are viruses that replicate themselves without much human interaction. They have the ability to spread and infect systems as they travel through the network or the internet.

• Trojans: A Trojan is considered one of the most complex threats and causes damage to the host. Trojans hide their payload within data packets while travelling through the network, thereby enabling file corruption, remote access, interference with firewalls and anti-virus software, etc. Another impact of a Trojan is its ability to steal data, which makes it easier for attackers to gather sensitive information.


• Spyware: Spyware is a type of malware used for spying on the actions performed by a user on the system. It gathers information on all the activities a user performs on the system. For example, a keylogger is a type of spyware used to capture keystrokes.

• Backdoor: A backdoor is planted to skip all the required authentication steps and gain unauthorized access to remote computers.

Accidental or intentional deletion of data

Users can sometimes delete confidential data, intentionally or accidentally, which affects the security of the host.

The deletion or removal of data can affect host security in the following ways:

• A person gaining access to the host can intentionally or unintentionally delete or modify the data present in the system.
• That person can acquire the information present in the system.
• It compromises the availability, confidentiality and integrity of the stored data.

Unauthorized Access
Unauthorized access refers to gaining access, without permission, to restricted files, data, operations, services, etc. running on a host. An attacker who succeeds in gaining unauthorized access to the system can perform any malicious action, which affects the security of the hosts in the network. Unauthorized access can result in stealing or accessing sensitive files, installing a virus on the system, and other actions.


Where do they come from?

An attacker can take advantage of the various vulnerabilities that exist on a host in order to compromise it. Threats that exploit vulnerabilities on a host can take various paths into the system to infect it. A lack of sufficient knowledge and skills, together with insecure host configurations, opens the network to different types of security threats:
• Un-patched Computers: The majority of attacks on a host are due to a lack of proper patching or the use of outdated software installed on the host. An unpatched computer creates security loopholes and gives attackers a path to compromise it.
• E-mail: Host security can be compromised through unsolicited e-mails such as phishing messages, malicious attachments, spam, etc.
• Network File Sharing: Network file sharing permits users to share files between their individual systems over the internet. Even though it makes it easier for users to share files, it paves the way for many threats such as malware infections, exposure of sensitive or important information, etc.
• Internet Downloads: Internet downloads from untrusted sources can lead users to download malware onto their systems.
• Social Engineering: Attackers use social engineering techniques to gain sensitive information, which may further help them gain unauthorized access, cause malware infections, etc.
• Blended Threats: The attacker uses a combination of multiple techniques to attack or infect the system.


Before configuring host security, identify the purpose of each host:

□ Category of information stored and processed by the host
□ Security requirements needed for that information
□ Network services provided by the host
□ Security requirements needed for those network services
□ User groups that have access to the host
□ Trust relationships between hosts

Hosts in the network are configured or dedicated to perform certain functions. These hosts store and handle various types of sensitive information and provide various services for the organization. Different types of hosts require different levels of security based on the data or services they handle.

For example, hosts that act as servers in the network, storing sensitive information and performing critical functions, require more security than a normal host or workstation. A prior host assessment is required to assess the existing level of security and to determine the level of security required for a particular host based on its criticality, the sensitivity of the information it stores, the network services it provides, and the security requirements specified for it.


Host Security Baselining

□ A security baseline refers to a minimum security configuration standard (also known as guidelines and checklists) established for each host in the network

□ Different security baselines are required for different types of hosts:

• OS Security Baseline: Set security baselines for different OS and versions
• Server Security Baseline: Set security baselines for different types of servers
• Application Security Baseline: Set security baselines for different types of applications

Host security baselining plays an important role in enhancing the host security of an organization. Administrators must define and establish a security baseline for the hosts in the network depending upon their purpose, criticality, etc. How security baselines are established depends on the needs of the organization. Defining any security baseline requires the active involvement of management and of the various departments of an organization, so that their preferences are included.
Host security baselines help you easily identify the hosts whose configurations do not match what the baseline states.
A host security baseline sets security objectives, standards, guidelines, checklists, etc., which must be met to attain a high level of host security for the organization. It specifies the reference points for the installation, hardening and placement of new hosts in the network, and for all activities performed on the host. Baselining provides more protection for the host and helps in determining the actions to take for further security. The baselines should be monitored and updated regularly.
The baselines help you to determine:
• The way the host performs in the network.
• The type of data the host uses to communicate across the network.
• The services and resources associated with each host.
• The type of connectivity required for each host.
• A clear picture of the working of each host.


Baselines differ from security policies in that the baselines define the structure of the security policies. There are two types of security structures for baselines: high-level and technical. Which of these two standards is executed depends on the requirements of the organization. The high-level standards are independent of the operating system and depend on the security policies of the organization. The technical baseline consists of statements for each operating system configured in the system and the functions carried out by them. The best method to implement a baseline is to create a simple baseline first and then increase the complexity of the baselines as the configuration moves forward.

The host security largely depends on the OS and applications installed on the host. Establishing
a host security baseline also requires establishing security baselines for the OS, user accounts,
and applications to be installed on the hosts.


□ OS security refers to the practice of securing OS system files, the file system, and its resources from any unauthorized access, modification, or destruction

□ Operating systems play a vital role in host security as the built-in security features in operating systems can be hardened to secure the hosts

□ OS Security Elements
• Baselining Operating System Security
• Operating System Security Settings Configuration
• Patch management

Operating system security refers to securing three properties: OS integrity, confidentiality and availability. Each host in the network has a specific OS installed and running. Typical functions of an OS are managing security, the system, communication, input/output, and the hardware and software services for the host on which it is installed. OS security has a direct impact on host security, and OS-level protection is required to attain host security. Each OS provides a number of built-in security features. These features help administrators harden the security of the host if they are configured appropriately, based on the OS security baseline established by the organization. OS security puts forth certain steps to protect the hosts from malware or hacker invasions.
Because operating systems are large and complex, they can encounter many security issues. The chances of a virus or a worm invading the system are higher when adequate security policies are not in place. Also, the operating system provides many services that are critical to its functioning. OS security features must include measures that can take control of these services running on the OS.
The overall security of the host or the computer depends on the security of the operating system. The organization can provide OS security through user authentication, access control mechanisms, separation of kernel and user space, and management of system resources. Securing the operating system is an integral part of the security policy in an organization. A corrupted or malware-infected OS cannot perform any desired task. One of the most commonly used methods for OS security is least privilege, under which each user and program can perform only its assigned task. This helps in keeping users within a limit. The OS can also confirm


that the applications and services running on a system use only the resources required to perform the desired actions.


Baselining Operating System Security

An OS security baseline should consist of a standard/checklist for basic OS hardening techniques:

□ Disable non-essential services
□ Apply patches and fixes regularly
□ Use strong passwords for accounts
□ Disable unnecessary accounts
□ Install antivirus software
□ Use Access Control Lists (ACLs) and file permissions for file and directory protection
□ File and file system encryption
□ Enable logging
□ Disable any unnecessary file sharing

The organization establishes OS security baselines to implement a standard for installing and configuring the operating system. The setup of the baseline varies from one organization to another. Administrators should take great care while creating the baseline for an operating system and confirm that it meets the company's requirements. The baseline for the OS needs to include the configuration of the various operating system settings as well as a record of each step, so that it helps with future configurations. The baseline for the OS should also include the actions performed on the system.

The organization decides on the security baselines required for the OS and implements all the settings based on them. An organization can use several security templates to decide the OS security baselines it requires. The process of baselining the operating system includes hardening the key components of the system architecture in order to reduce the risk of attack.
The OS security baseline should address the following security configurations at a minimum:
• Non-essential Services: Only essential services should be enabled on the OS. Enabling unnecessary services on the OS can give an attacker a path to compromise the host through OS security flaws. For example, if a host is not functioning as a web server or a mail server, the web and mail services on it should be disabled immediately.
• Patch Management: The operating system should undergo patch management regularly in order to ensure that the OS has all the latest updates and fixes.


• Password Management: Operating systems should enforce the use of complex and strong passwords based on the organization's policy. Password management should also require users to change their password after a certain period of time and implement user lockout after a certain fixed number of failed attempts.
• Unnecessary Accounts: Organizations need to monitor the account details of the users. They may remove or delete all unwanted and guest user accounts.

• File and Directory Protection: Organizations should control file and directory permissions using access control lists.

• File and File System Encryption: Encrypt files and folders, and format disk partitions with a file system that supports the encryption features provided by the OS.

• Enable Logging: Track all log activities of the operating system.

• File Sharing: Disable unwanted file sharing applications running on the operating system.
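As an added illustration (not code from the EC-Council courseware), the following Python script turns the baseline items above into a checklist and reports where a constructed host snapshot deviates from them; the BASELINE values, the snapshot field names and the severity labels are assumptions chosen for the example.

```python
"""OS security baseline compliance check (added example; not EC-Council code).

Encodes the hardening items above as a baseline and reports where a host's
configuration snapshot deviates from it. The baseline values, the snapshot
fields and the dict layout are constructed assumptions; on a real host the
snapshot would be gathered by an inventory agent or hardening script."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    control: str   # baseline item that failed
    severity: str  # "high", "medium" or "low"
    detail: str


# Constructed baseline: the minimum configuration every host must meet
BASELINE = {
    "allowed_services": {"EventLog", "Dhcp", "Dnscache", "WinDefend",
                         "wuauserv", "MpsSvc"},
    "max_patch_age_days": 30,
    "min_password_length": 12,
    "max_password_age_days": 90,   # snapshot value 0 means "never expires"
    "max_lockout_threshold": 5,    # snapshot value 0 means "no lockout"
    "forbidden_enabled_accounts": {"Guest"},
    "required_acl_protected_dirs": {r"C:\Windows", r"C:\Program Files"},
    "require_disk_encryption": True,
    "required_audit_categories": {"Logon/Logoff", "Account Management"},
    "allow_file_sharing": False,
}


def check_host(cfg: dict, baseline: dict = BASELINE) -> list[Finding]:
    """Compare one host snapshot against the baseline; return deviations."""
    out: list[Finding] = []
    # Non-essential services: anything running outside the allowlist
    for svc in sorted(set(cfg["running_services"]) - baseline["allowed_services"]):
        out.append(Finding("non-essential-service", "medium",
                           f"service {svc} is running but not in the allowlist"))
    # Patch management: the last update must be recent
    if cfg["days_since_last_patch"] > baseline["max_patch_age_days"]:
        out.append(Finding("patch-management", "high",
                           f"last patch applied {cfg['days_since_last_patch']} days ago"))
    # Password management: length, expiry and lockout
    pw = cfg["password_policy"]
    if pw["min_length"] < baseline["min_password_length"]:
        out.append(Finding("password-min-length", "high",
                           f"minimum password length is {pw['min_length']}"))
    if pw["max_age_days"] == 0 or pw["max_age_days"] > baseline["max_password_age_days"]:
        out.append(Finding("password-max-age", "medium",
                           "passwords never expire" if pw["max_age_days"] == 0
                           else f"maximum password age is {pw['max_age_days']} days"))
    if pw["lockout_threshold"] == 0 or pw["lockout_threshold"] > baseline["max_lockout_threshold"]:
        out.append(Finding("account-lockout", "medium",
                           f"lockout threshold is {pw['lockout_threshold']}"))
    # Unnecessary accounts: forbidden accounts (e.g. Guest) must be disabled
    enabled = {name for name, is_on in cfg["accounts"].items() if is_on}
    for acct in sorted(enabled & baseline["forbidden_enabled_accounts"]):
        out.append(Finding("unnecessary-account", "high", f"account {acct} is enabled"))
    # File and directory protection via ACLs
    for d in sorted(baseline["required_acl_protected_dirs"] - set(cfg["acl_protected_dirs"])):
        out.append(Finding("file-directory-protection", "medium", f"{d} has no restrictive ACL"))
    # File system encryption
    if baseline["require_disk_encryption"] and not cfg["disk_encrypted"]:
        out.append(Finding("file-system-encryption", "high", "system disk is not encrypted"))
    # Logging: every required audit category must be enabled
    for cat in sorted(baseline["required_audit_categories"] - set(cfg["audit_categories"])):
        out.append(Finding("logging", "medium", f"audit category {cat} is not enabled"))
    # File sharing
    if cfg["file_sharing_enabled"] and not baseline["allow_file_sharing"]:
        out.append(Finding("file-sharing", "medium", "file sharing is enabled"))
    return out


def failed_controls(findings: list[Finding]) -> set[str]:
    """Distinct baseline items a host fails; an empty set means compliant."""
    return {f.control for f in findings}


# Constructed snapshot of a workstation that has drifted from the baseline
SAMPLE_HOST = {
    "running_services": ["EventLog", "Dhcp", "Dnscache", "WinDefend",
                         "wuauserv", "MpsSvc", "Telnet", "W3SVC"],
    "days_since_last_patch": 45,
    "password_policy": {"min_length": 8, "max_age_days": 0, "lockout_threshold": 0},
    "accounts": {"Administrator": True, "Guest": True, "alice": True},
    "acl_protected_dirs": [r"C:\Windows"],
    "disk_encrypted": False,
    "audit_categories": ["Logon/Logoff"],
    "file_sharing_enabled": True,
}

if __name__ == "__main__":
    for f in check_host(SAMPLE_HOST):
        print(f"[{f.severity:6}] {f.control}: {f.detail}")
```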


□ OS Installation
• Dedicate a single partition on the HDD
• Format the disk using the NTFS file system

□ Fixing OS vulnerabilities
• Download and install the latest patches
• Turn on Windows Automatic Updates checking

□ Configure Windows Firewall

□ Install antivirus software

□ Turn off unnecessary services

□ Application Installation
• Centrally assign applications using group policies

□ Fixing applications' vulnerabilities
• Turn on each application's automatic update checking

Microsoft announces the security baseline settings for their desktop and server OS products
periodically. With each release, Microsoft reevaluates older settings to determine whether they
address contemporary threats or not and adds updated baseline settings to address newly
discovered vulnerabilities and misconfigurations.

It generally includes guidelines and checklists for:

• Installing software.
• Disabling unnecessary services.
• Applying Windows OS security updates and patches.
• Applying local security policy settings.
• Configuring automatic update settings.
• Managing user accounts.
• Managing passwords.

The Windows security baseline defines the steps for identifying the security updates and configuration changes required. The baselines compare and measure the scheduling, construction methods, management and results in the operating system.


Microsoft Baseline Security Analyzer (MBSA)

□ The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations of a Windows OS

□ It performs local or remote scans of Microsoft Windows systems

[Screenshot: MBSA "Which computer do you want to scan?" dialog with its scan options]

https://www.microsoft.com

Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates as well as common security misconfigurations. It is used to analyze an organization's security standards by identifying the updates the organization requires and rectifying the weaker settings of Microsoft Windows.
MBSA helps small and medium-sized business organizations analyze their security status and standards and check whether they are compatible with Microsoft's security recommendations.

All scan results produced by MBSA are grouped into critical issues, non-critical issues and best practices, and describe the remedies that can be taken to secure the operating system.

Understanding the scan report

After the MBSA tool has run successfully on the system, it generates a report in the %userprofile% directory of the scanned system. MBSA presents its output in different categories that are represented by different icons depending on the severity of the vulnerability. Below are the details of the icons.


[Figure 6.1 screenshot: Microsoft Baseline Security Analyzer 2.3 security report, scanned with MBSA version 2.3.2211.0 on 2/10/2016, security updates scan not performed, sorted by score (worst first). Security Update Scan Results: Security Updates - cannot load security CAB file. Windows Scan Results, Administrative Vulnerabilities: Automatic Updates - the Automatic Updates feature has not been configured on this computer; Password Expiration - some user accounts (1 of 2) have non-expiring passwords; Incomplete Updates - no incomplete software update installations were found; Windows Firewall - enabled on all network connections, with exceptions configured; Local Account Password Test - some user accounts (1 of 2) have blank or simple passwords, or could not be analyzed; File System - all hard drives (1) are using the NTFS file system. Each result carries "What was scanned", "Result details" and "How to correct this" links.]

FIGURE 6.1: Microsoft Baseline Security Analyzer

Source: https://www.microsoft.com


□ Setting up a BIOS password is the first protection layer of the computer

□ It helps you maintain OS security at a low level

□ Steps:
1. Enter the BIOS Setup Utility interface
2. Select Security and set the Supervisor Password. It will control access to the setup utility
3. Now, set the User Password

[Screenshots: BIOS Setup Utility, Security tab: "Supervisor Password Is: Clear / User Password Is: Clear", "Set Supervisor Password [Enter]", "Enter New Password / Confirm New Password"; after setting: "Supervisor Password Is: Set", "Password on boot"]

Setting up a BIOS password helps you control access to the system by external users. The BIOS of a computer provides the feature of setting up a password, which in turn prevents other users from:
• Accessing the system.
• Booting the computer.
• Booting from removable devices.
• Changing BIOS settings.
BIOS passwords are most suitable for systems in public places or in a workplace, as they prevent other users from installing another operating system over the existing one. The BIOS setup program is used for setting a BIOS password. It is reached by pressing a key before the operating system boots; for example, the "Press F2 to enter setup" message tells the user which key takes them to the BIOS settings page. Every computer has documentation available that helps with setting the BIOS password.
The BIOS provides an extra layer of security by starting before the operating system and other hardware start. This requires the user to enter the password early and prevents many password-cracking applications from running. Recovering a BIOS password is more complex than recovering an operating system password. Hence, users need to remember the BIOS password, because if the user is unable to remember it, the user will be locked out. Users can always try resetting the BIOS password, but most of the time such attempts are in vain, as they require more time and offer only a small chance of changing it.


□ Windows registry stores all the configuration settings of the applications and systems

□ OS records every action taken by the user in the registry

□ It maintains the registry keys for various user actions in terms of Log, Autorun Locations, MRU lists, UserAssist, etc.

□ Organizations usually do not audit the registry of the workstations

□ Regular monitoring and auditing of the registry can help you detect traces of malicious activity on the system

□ Use the Process Monitor utility to monitor registry activity in real time

[Screenshots: Registry Editor showing the five root hives under Computer; Process Monitor (Sysinternals) event list of explorer.exe RegQueryKey operations with its Registry Summary dialog of registry paths accessed during the trace]

https://technet.microsoft.com

The Windows registry, otherwise known simply as the registry, is a database of all the configuration settings of Microsoft Windows. The Windows registry stores details such as settings for software programs, hardware devices, user preferences, OS configuration, etc. At a glance, the Windows registry holds all details regarding the operating system. Accessing the Windows registry requires the user to execute the regedit command in the command prompt. The Windows registry window is as follows:

[Figure 6.2 screenshot: Registry Editor window (File, Edit, View, Favorites, Help) showing Computer with the hives HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG, and the columns Name, Type, Data]

FIGURE 6.2: Registry Editor


A registry key is similar to a folder. Folders contain files, whereas registry keys contain registry values and other subkeys. Registry hives are the group of registry keys found at the top of the hierarchy. The registry keys are as follows:

• HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT: Here, HKEY_LOCAL_MACHINE is the registry hive, and SOFTWARE and Microsoft are keys grouped under this hive. Microsoft falls under the SOFTWARE registry key.

• HKEY_CURRENT_CONFIG: This registry key contains information regarding the currently used hardware profile.

• HKEY_CURRENT_USER: This registry key gives all details regarding the user currently logged on to the computer. The user details include desktop settings, network connections, printers, application preferences and personal program groups. A new HKEY_CURRENT_USER subkey is created every time a user logs in.

• HKEY_CLASSES_ROOT: This key contains the file name extensions and COM class registration information.

Process Monitor Tool


Source: https://technet.microsoft.com

The Process Monitor (Procmon) tool is one of the monitoring tools that help administrators monitor
and audit the registry, file system and network. It captures specific types of input/output
operations that occur through the registry, file system or network. It combines the
features of Filemon and Regmon, thus giving real-time results related to the file system and
registry.

• Some of the features of Process Monitor include:

• Captures input and output data.

• Allows filters to be set up as per user requirements, reducing data loss.

• Gathers accurate information on process details.

• Relationships among processes can be traced.

• Native log format stores all data in one location.
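As an added example (not from the courseware and not part of Microsoft's Process Monitor), the following Python script applies the "regular monitoring and auditing" idea to a Procmon CSV export: it flags registry write operations that land under autostart, service and Winlogon keys and tallies them per process. The sample rows, the assumed default column layout and the watched-key list are constructed for this example.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV).
# The column layout is assumed to be Procmon's default column set; the rows
# are made up for this example and do not come from a real capture.
SAMPLE_PROCMON_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:13:05.1234567 PM","explorer.exe","4272","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"1:13:05.2234567 PM","updater.exe","5120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\Public\updater.exe"
"1:13:05.3234567 PM","svchost.exe","1044","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\BITS","SUCCESS","Desired Access: Read"
"1:13:05.4234567 PM","helper.exe","6012","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\helper\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 40, Data: C:\Temp\helper.exe"
"1:13:05.5234567 PM","notepad.exe","3320","RegSetValue","HKCU\Software\Microsoft\Notepad\iWindowPosX","SUCCESS","Type: REG_DWORD, Length: 4, Data: 120"
"1:13:05.6234567 PM","helper.exe","6012","RegDeleteValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth","SUCCESS",""
'''

# Operations in Procmon's Operation column that change the registry.
WRITE_OPERATIONS = {"RegSetValue", "RegCreateKey", "RegDeleteValue",
                    "RegDeleteKey", "RegRenameKey"}

# Keys whose modification is worth auditing: autostart entries, service
# definitions and the logon process. Compared case-insensitively as prefixes
# of the path below the hive. This list is an assumption for the example.
WATCHED_KEY_PREFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"system\currentcontrolset\services",
    r"software\microsoft\windows nt\currentversion\winlogon",
)


def split_hive(path):
    """Split a Procmon path such as 'HKLM\\SYSTEM\\...' into (hive, lower-cased subkey)."""
    hive, _, subkey = path.partition("\\")
    return hive.upper(), subkey.lower()


def watched_prefix(path):
    """Return the watched prefix a registry path falls under, or None."""
    _, subkey = split_hive(path)
    for prefix in WATCHED_KEY_PREFIXES:
        if subkey.startswith(prefix):
            return prefix
    return None


def data_from_detail(detail):
    """Pull the written value out of a Procmon Detail field, if present."""
    marker = "Data: "
    idx = detail.find(marker)
    return detail[idx + len(marker):] if idx >= 0 else ""


def scan_procmon_csv(text):
    """Return one finding per registry write that touches a watched key."""
    findings = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        if row["Operation"] not in WRITE_OPERATIONS:
            continue  # reads and key opens are noise for this audit
        prefix = watched_prefix(row["Path"])
        if prefix is None:
            continue  # write to an application's own settings, not watched
        findings.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "operation": row["Operation"],
            "path": row["Path"],
            "data": data_from_detail(row["Detail"]),
            "watched_key": prefix,
        })
    return findings


def writes_per_process(findings):
    """Count flagged writes per process name to spot the noisiest actor."""
    counts = {}
    for finding in findings:
        counts[finding["process"]] = counts.get(finding["process"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan_procmon_csv(SAMPLE_PROCMON_CSV)
    for finding in flagged:
        print(f'{finding["time"]} {finding["process"]}({finding["pid"]}) '
              f'{finding["operation"]} {finding["path"]} -> {finding["data"]!r}')
    print(writes_per_process(flagged))
```

On a real capture, export only the registry-class events with a Procmon filter first; the same functions then run over a file opened with `open(path, newline="")`.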


• Administrators should set up different user accounts if a system is accessed by multiple
users

• Secure all the accounts with a strong password management policy

• Windows allows the setup of three types of user accounts for user management

Administrator Account: Has full control and access to all files and folders in the system

Standard Account: Has limited access; users can access their own account files and folders

Guest Account: Has only read and write access. Users are not allowed to install new applications or
make changes to existing applications

The Windows operating system has its own approach to managing user accounts and
passwords.
User management in Windows helps administrators identify and control the users logged in to the
system. This management includes identifying the people logged into the network and managing
user login and logout times. User management provides better authentication and
authorization of users accessing the network. Monitor user permissions before granting
permission to access the network, and analyze the logging details. Administrators have the
benefit of analyzing user details and activities. They can filter the user details by IP address
or by user, thereby enabling easy management of the users. The whole concept of user
management is based on users logging in and logging out of the system. A user trying to access
the system is first authenticated and then allowed access to the system. There are certain policies for
user management that define the rules for managing user accounts.

A user can have multiple accounts or a single account. Multiple accounts in a single computer
allow multiple users to store data and files in the same system, apply background themes
according to each user's preference etc.

Users can create three types of accounts in Windows:

• Administrator Account: These account users have the complete privilege of performing
any action on the system. These users can install and uninstall programs, make
configuration changes to the system, add or remove other user accounts in the system,
etc.


• Standard Account: Standard account users are users that have limited access to the
system. They can access only those files and folders saved in their user account. They do
not have permission to change or delete any configurations of other users.

• Guest Account: These types of users do not have access to any of the files and folders
on the system. These users can only check their e-mails on the system.

Password management in Windows begins with the authentication of the user trying to
access the system. In other words, all user accounts should be efficiently secured with
passwords.

An organization should have a well-defined and effective password policy that helps in
minimizing the risks of password compromise during authentication. The policies created need
to ensure the availability, confidentiality and integrity of the passwords, allowing access to only
authorized users and preventing unauthorized access. Several access controls assist in
maintaining the integrity and availability of passwords, whereas maintaining the confidentiality
of passwords always remains a challenge to the organization. Maintaining the confidentiality
of passwords involves several security controls and decisions.

• Some of the guidelines for creating strong and complex passwords are:

• Ensure that the password created does not include the user name.

• Construct it using a combination of uppercase characters, lowercase characters, digits and
special characters.

• Avoid using a password that was used previously.

• Change passwords periodically.

• Passwords need to be a minimum of eight characters in length.

• The password should not be a word from a dictionary.

• Always set a length for the passwords.

• Avoid storing passwords at any location. If you need to store them, do so in an
encrypted form.

• Do not share the password.

• Best practices for using passwords securely are:

• Train users on the best ways to protect their passwords.

• Make them aware of the various forms of attacks on passwords.

• Use encryption techniques in order to securely store passwords.

• Properly define the password security policies followed throughout the organization.
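The guidelines above can be enforced mechanically. The following Python checker is an added example (not part of the courseware) that tests a candidate password against them: user name, length, character classes, dictionary words and reuse, plus a rotation check; only salted PBKDF2 digests of earlier passwords are kept for the reuse test. The dictionary sample, the salt and the 90-day rotation period are assumptions made for the example.

```python
import hashlib
import re
from datetime import date

MIN_LENGTH = 8  # minimum length given in the guidelines

# Constructed stand-in for a dictionary wordlist; a real check loads a full
# list. Entries are lower case because the comparison is case-folded.
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}

# One pattern per required character class; the class name is reported
# when it is missing so the user knows what to add.
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def fingerprint(password, salt):
    """Salted PBKDF2 digest stored for the reuse check instead of the plaintext.

    The iteration count is kept modest for the example; production storage
    would use the organization's password-hashing standard.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000).hex()


def check_password(password, username, history=(), salt=b"per-user-salt"):
    """Return the list of guideline violations; an empty list means compliant.

    history holds fingerprints (see above) of the user's previous passwords.
    The salt would be per-user in practice; a fixed one is assumed here.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    missing = [name for name, rx in CHARACTER_CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Strip digits and symbols so "Password123!" is still caught as a dictionary word.
    letters_only = re.sub(r"[^A-Za-z]", "", password).lower()
    if letters_only in DICTIONARY_WORDS:
        problems.append("based on a dictionary word")
    if fingerprint(password, salt) in history:
        problems.append("reused a previous password")
    return problems


def rotation_due(last_changed_iso, today_iso, max_age_days=90):
    """True when the password is older than the rotation period (90 days assumed)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    previous = {fingerprint("T9#kq!Lm2x", b"per-user-salt")}
    for candidate in ("Password123!", "alice2024", "T9#kq!Lm2x", "Vb7$wq!Zr4e"):
        verdict = check_password(candidate, "alice", history=previous)
        print(candidate, "->", verdict or "OK")
    print("rotation due:", rotation_due("2016-01-01", "2016-04-15"))
```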


Disabling Unnecessary User Accounts

1. Go to Control Panel ➔ User Accounts ➔ Manage Accounts

2. Turn off the Guest account, if it is on

3. Guest account users can make unauthenticated access to the Internet

[Screenshot: Manage Accounts window (All Control Panel Items > User Accounts > Manage Accounts), "Choose the user you would like to change", listing Administrator (Local Account, Administrator, Password protected) and the link "Add a user account"]

Administrators should disable unwanted accounts by deactivating them. Deleting a user
account is entirely different from disabling an account. Disabled user accounts can be restored,
whereas deleted user accounts cannot be restored. Here are the steps for disabling a user
account in Windows:

• Go to Control Panel and press Enter

• Select the option Administrative Tools

• Click on Local Security Policy

• Click on the Local Policies option on the left side of the pane and click on Security Options
under it. Find the option 'User Account Control' from the list of options in the results
pane. Disable the user account option


[Screenshot: Local Security Policy console, Local Policies > Security Options, showing among others Accounts: Administrator account status (Enabled), Accounts: Block Microsoft accounts (Not Defined), Accounts: Guest account status (Disabled), Accounts: Limit local account use of blank passwords to console logon only (Enabled), Accounts: Rename administrator account (Administrator) and Accounts: Rename guest account (Guest), followed by the Audit, DCOM, Devices, Domain controller and Domain member policies]

FIGURE 6.3: Disabling Unwanted Accounts

An alternative method for the above mentioned step is as follows:


1. Go to Control Panel ➔ User Accounts ➔ Manage Accounts
2. Turn Off the Guest Account if it is On

[Screenshot: Manage Accounts window (All Control Panel Items > User Accounts > Manage Accounts) listing Administrator (Local Account, Administrator, Password protected) and Guest ("Guest account is off"), with the link "Add a user account"]

FIGURE 6.4: Managing Accounts


Configuring User Authentication

• Change names and passwords for default accounts

• Disable inactive accounts

• Assign rights to groups not individual users

• Don't permit shared accounts, if possible

• Enforce an appropriate strong password policy

Authentication validates and identifies the users accessing the application. It determines whether
the user trying to access the system has the permissions to access it and to perform actions.

• Change names and passwords for default accounts: Systems which have multiple
accounts should maintain different usernames and passwords.

• Disable inactive accounts: If an employee leaves the company, it is the role of the
administrator to disable/delete all the accounts of the employee. Timely action can save
the resources of the system from intrusion.

• Assign rights to groups not individual users: Administrators should deploy and implement
group policy in the organization. Group policies allow the administrators to assign rights
to specific users. Implementation of group policies makes it easy for administrators to
monitor user activities.

• Do not permit shared accounts: Avoid shared accounts in a network. Accounts shared by
users act as an open invitation to intruders.

• Enforce an appropriate strong password policy: Administrators should encourage users to
create strong passwords for their accounts. Easy passwords are more vulnerable to
threats.


• Patch Management ensures appropriate and updated patches are installed on the system

• It involves applying patches, Service Packs and/or upgrading Windows to a newer version

• Use Patch Management tools to identify the missing patches and install them on the system

• Patches are the small programs which apply a fix to a specific type of vulnerability

• Service Packs can fix vulnerabilities along with some functionality improvements

• Version upgrades fix vulnerabilities and come with improved security features

• Patch Management Activities:

• Choosing, verifying, testing and applying patches
• Updating previous versions of patches to current ones
• Recording repositories or depots of patches for easy selection
• Assigning and deploying applied patches

Patch management is an integral part of OS security. Patch management enhances the security
of the system with regular updates. In an IT infrastructure, patch management needs to be
efficient in order to maintain the security of the system. Patch management involves applying
patches, service packs or upgrading the OS to a newer version. Patch management facilitates a
consistently configured environment that is secure against the vulnerabilities and threats on an
operating system.

• Patch Management Process:

• Detect: Install tools that can automatically detect updates and initiate the patch
management process.

• Assess: Identify the severity of the vulnerabilities and the amount of patching required to
remove the error.

• Acquire: Take the patch for testing if proper security measures are not taken for the
detected vulnerabilities.

• Test: Apply the patch on a test system.

• Deploy: Deploy all the patches to the other systems.

• Maintain: Maintain all other systems by sending notifications regarding the detected
vulnerabilities.


• The patch management process can be implemented in two ways on the user machines:

• Distribute a written process among the employees that can be implemented on their
host machines.

• Implement an automated patch management system that allows the administrators to
control the deployment of the patches on host machines.

• Patch Management Processes:

• Written Process: In this process, the organization trusts its employees by allowing
them to install patches and keep their systems updated. In such scenarios,
organizations randomly check the systems of the users to make sure that employees
adhere to the patch management policy. However, following this process in an
organization is not safe and can easily expose the IT infrastructure to intrusions.

• Automated Process: The automated process is more reliable in terms of keeping up the
security of the organization. Once the vendors release the security updates, it
becomes the responsibility of the administrators to apply those patches in time. These
updates can fix the security vulnerabilities that may occur in the systems
or in the network. Installation of security patches reduces the risk of data loss.

• Patch Management Principles:

• Every patch management strategy should have a service pack.

• Product lifecycle can be a key element in the patch management strategy.

• Perform risk assessment.

• Use mitigating factors for determining applicability and priority.

• Use only workarounds for deployment.

• Use only methods available for the detection and deployment.

Administrators should be aware of the security requirements of their organization and ensure
that patch management is based on those requirements. They can also inform other users
regarding security patches and updates. Considerable scheduling and prioritizing is required in
performing patch management in Windows. Every patch management effort needs to have a patch
cycle that provides a standard application of the patches and updates.


Configuring an Update Method for Installing Patches

1. Go to Start ➔ Control Panel ➔ System and click Windows Updates and select the option Install updates automatically

2. You can also use a third-party Windows update tool for remote-desktop patch management

Advantages of automated patching

• You can force updates to install by a specific date

• Computers not on the Internet can receive updates

• Users cannot disable or circumvent updates

[Screenshot: Windows Update > Change settings window, "Choose your Windows Update settings", with Important updates set to "Install updates automatically (recommended)" and the check boxes "Give me recommended updates the same way I receive important updates" and "Give me updates for other Microsoft products when I update Windows" selected]

The Windows OS provides users the option of automated updates. Turning on Windows
automatic updates in the Control Panel enables Windows to download and install all the
updates. The process can take place automatically without much interaction from the user.
However, the user must respond on time to the alerts that occur during the update process.
Missing any alert can actually stop important updates.

• Windows Update Requirements:

• Windows 8: Update to Windows 8.1 or Windows 10.

• Windows 7: The device should include Service Pack 1 in order to receive security fixes
through Windows Update.

The user must ensure there is enough disk space available before performing a Windows
update. Windows can configure updates properly if around ten percent of the system partition
capacity is free.

There are situations wherein automatic Windows Update has been turned off for a very long time.
Here, the user needs to perform an anti-virus scan before even applying the updates. The
scan can ensure that no malware is present in the system.


Accessing Windows Update Configuration


• Windows 10:

• Open Start Menu

• Type Advanced or Update in the search box

• Click Advanced Windows Update options under settings category


At times, the window for Advanced Windows Update options might open and close immediately.
The user needs to repeat the same process until the window opens properly.

[Screenshot: Windows 10 Start menu search for "advanced", listing Advanced Windows Update options, Themes and related settings, Configure advanced user profile properties, Windows Firewall with Advanced Security, and Web results]

FIGURE 6.5: Advanced Windows Update options in Windows 10

• Windows 8:

• Open Start Menu

• Type Advanced or Update in the search box

• Click on Optional Updates

In Windows 8, the user may find another option, Windows Update. This update option does not
provide any configuration options, and hence users must be careful while selecting the
option for update in Windows 8.

• Windows 8.1

• Open Start Menu

• Type Advanced or Update in the search box


• Click on Windows Updates

[Screenshot: Windows 8 and 8.1 Search results for "update" under Settings, listing Windows Update settings, "Choose whether to automatically install Windows updates", "Update device drivers", "View your update history", "Install optional updates" and the Windows Update entry]

FIGURE 6.6: Windows Update option in Windows 8 and 8.1

• Windows 7:

• Open Start Menu

• Type Update in the search box

• Click Windows Update

[Screenshot: Windows 7 Start menu search for "update", showing Windows Update under Programs ("Delivers software updates and drivers, and provides automatic updating options") and Control Panel results such as "Check for updates", "Device Manager", "View reliability history", "Check security status", "Change device installation settings" and "Turn automatic updating on or off"]

FIGURE 6.7: Windows Update option in Windows 7


Enabling and Scheduling Windows Update


Windows may release the updates, service packs, fixes after the scheduled date. Windows
checks for all updates the next time the user turns on the computer and connects to the
network. The recommended update settings for Windows 10 are as follows:

• In Windows 10, the configuration updates are available in the Modern UI/Metro style
Settings app. The user can actually schedule the restart after a Windows update in the
Choose how updates are installed screen. There are two options in the drop-down:
Automatic (Recommended) and Notify to schedule restart. Clicking on Notify to schedule
restart allows the user to know if there is a need for a reboot or restart of the device.

[Screenshot: Settings > Advanced Options, "Choose how updates are installed", with the drop-down offering Automatic (recommended) and Notify to schedule restart]

FIGURE 6.8: Selecting the method of installing updates (Step 1)

• Select the check box for the option Give me updates for other Microsoft products when I
update Windows. This provides updates to Microsoft products.

• Make sure the users do not select the option Defer Updates as it postpones large feature
upgrades.

[Screenshot: Settings > Advanced Options with Automatic (recommended) selected ("Keep everything running smoothly. We'll restart your device automatically when you're not using it. Updates won't download over a metered connection (where charges may apply)."), the check box "Give me updates for other Microsoft products when I update Windows", the unchecked "Defer upgrades" box, the links "View your update history" and "Choose how updates are delivered", and the note "Windows Update might update itself automatically first when checking for other updates."]

FIGURE 6.9: Options to select for Automatic (recommended) update installation (Step 2)


• The user can now click on Choose how updates are delivered

[Screenshot: the Advanced Options page with "Give me updates for other Microsoft products when I update Windows" checked, "Defer upgrades" unchecked, and the links "View your update history" and "Choose how updates are delivered"]

FIGURE 6.10: Selecting the option for when to receive updates (Step 3)

• Updates from more than one place allows applying the same updates to many Windows
10 devices

• The slider option can be turned off if there is only one Windows 10 device

• If there are several Windows 10 devices, turn the slider on and enable the option Updates
from more than one place

• Select the option PCs on my local network

• Make sure the users do not select the option PCs on my local network, and PCs on the
Internet. This option can allow attackers to achieve a connection to the device

[Screenshot: "Choose how updates are delivered" page with the "Updates from more than one place" toggle On ("Download Windows updates and apps from other PCs in addition to Microsoft. This can help speed up app and update downloads. When this is turned on, your PC may also send parts of previously downloaded Windows updates and apps to PCs on your local network, or PCs on the Internet, depending on what's selected below."), "PCs on my local network" selected and "PCs on my local network, and PCs on the Internet" unselected]

FIGURE 6.11: Selecting the option to install updates for more than one Windows 10 machine (Step 4)


• The recommended update settings for Windows 8, 8.1 and 7

• Open Start Menu

• Type Advanced or Update in the search box

• Click on Windows Updates

• Click on the Change settings option

[Screenshot: Control Panel > All Control Panel Items > Windows Update, with the left-hand links Check for updates, Change settings, View update history, Restore hidden updates and Installed Updates; status "You're set to automatically install updates", "12 optional updates are available", most recent check and installation today, and "You receive updates: For Windows and other products from Microsoft Update"]

FIGURE 6.12: Change settings option

• Select the default option to Install updates automatically (recommended)

[Screenshot: Windows Update > Change settings, "Choose your Windows Update settings", Important updates set to "Install updates automatically (recommended)" ("Updates will be automatically downloaded in the background when your PC is not on a metered Internet connection. Updates will be automatically installed during the maintenance window."), with the Recommended updates and Microsoft Update check boxes selected]

FIGURE 6.13: Install updates automatically (recommended)


• Make sure that the options Give me recommended updates the same way I receive
important updates and Allow all users to install updates on this computer are
enabled

• In Windows 7, the user gets an option to schedule the installation of new updates

[Screenshot: Windows 7 "Choose how Windows can install updates" dialog, Important updates set to "Install updates automatically (recommended)", "Install new updates: Every day at 3:00", with "Give me recommended updates the same way I receive important updates" and "Allow all users to install updates on this computer" checked]

FIGURE 6.14: Scheduling the installation for new updates in Windows 7

• In Windows 8 and 8.1, click on the link: Updates will be automatically installed during
the maintenance window

[Screenshot: Windows 8/8.1 "Choose your Windows Update settings" dialog with "Install updates automatically (recommended)" selected and the link "Updates will be automatically installed during the maintenance window" highlighted; the Recommended updates and Microsoft Update check boxes are selected]

FIGURE 6.15: Automatic Update Installation for Windows 8 and 8.1


• The Automatic Maintenance window opens

[Screenshot: Automatic Maintenance dialog ("Windows automatically runs scheduled maintenance on a daily schedule when you're not using your computer. This includes tasks such as software updates, security scanning, and system diagnostics. This maintenance will run daily if you aren't using your computer at the time you've chosen. If your computer is in use at the scheduled time or maintenance is behind schedule, Automatic Maintenance will run the next time the computer is not being used."), with a "Run maintenance tasks daily at" time selector and the check box "Allow scheduled maintenance to wake up my computer at the scheduled time"]

FIGURE 6.16: Scheduling the time in Automatic Maintenance for Windows 8 and 8.1

• The user can set the time for the daily schedule

Administrators can also use various third-party tools such as ManageEngine's Desktop Central
to install or uninstall patches/service packs from a central location.

You can click on Install Patch and select the OS that you want to deploy patches/service
packs to.

Steps to remotely install and uninstall patches for Windows using Desktop
Central
Source: https://www.manageengine.com

1. Click Patch Management

2. Under Deployment select Install/Uninstall Patch

3. Choose the operating system as Windows and then create a configuration that needs to
be deployed

4. Provide a name and a description for the Install/Uninstall Patches Configuration

5. Define the configuration: add the patches and specify the operation type (Install, to install the
patches/service packs), Scheduler Settings, Deployment Settings, etc.

6. Define Target
• You can deploy the configuration to any of the following:

• Site - to deploy the configuration to all the users/computers of that site.

• Domain - to deploy the configuration to all the users/computers of that domain.

• Organizational Unit - to deploy the configuration to all the users/computers of that
OU.

• Group - to deploy the configuration to all the users/computers of that Group.

• User/Computer - to deploy the configuration to the specified users/computers.

Module 06 Page 453 Ce rtified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

• IP Addresses - to deploy the configuration to the specified IP Addresses. You can also
specify a range of IP Addresses to deploy a configuration by selecting the IP Range
option and specifying the starting and ending IP. This option is available only for
computer configurations.

• Custom Group - to deploy the configuration to all the users/computers of the
selected Custom Group.

7. Click the Deploy button to deploy the defined Install Patches Configuration in the
defined targets


• BatchPatch: https://batchpatch.com
• Desktop Central: https://www.manageengine.com
• SolarWinds - Patch Manager: http://www.solarwinds.com
• GFI LanGuard: http://www.gfi.com
• Altiris Patch Management Solution: https://www.symantec.com
• Landesk Patch Manager: http://www.landesk.com
• Shavlik Patch: http://www.shavlik.com
• Kaseya: http://www.kaseya.com
• LabTech's App-Care: http://www.labtechsoftware.com
• Lumension: https://www.lumension.com

BatchPatch

Source: https://batchpatch.com
BatchPatch is Windows Update and WSUS patch management software used to remotely initiate
Windows Update, WSUS, software deployments, and reboots on many computers.

Desktop Central

Source: https://www.manageengine.com

Desktop Central is a patch management tool used to install/uninstall patches and service packs
for Windows operating systems from a central location. It not only manages patch deployment,
but also scans for network vulnerabilities, identifies missing security patches and hotfixes,
applies them immediately and mitigates risk.

SolarWinds - Patch Manager

Source: http://www.solarwinds.com
SolarWinds Patch Manager makes it easy to perform third party patch management across tens
of thousands of servers and workstations and enables you to leverage and extend the
capabilities of Microsoft WSUS or SCCM to report, deploy, and manage third-party patches as
well as Microsoft patches.


GFI LanGuard
Source: http://www.gfi.com

GFI LanGuard patches Microsoft, Mac OS X, Linux and more than 60 third-party applications,
and deploys both security and non-security patches. GFI LanGuard scans your operating
systems, virtual environments and installed applications through vulnerability check databases.

Altiris Patch Management Solution

Source: https://www.symantec.com
Altiris Patch Management Solution allows you to proactively manage patches and software
updates by automating the collection, analysis, and delivery of patches across your enterprise.

Landesk Patch Manager

Source: http://www.landesk.com

LANDESK Patch Manager evaluates, tests, and applies patches across the enterprise easily and
automatically to drastically simplify your efforts. It maintains patches for Microsoft Windows
and other vital operating systems by downloading patches automatically and streamlining
patch testing and deployment.

Shavlik Patch
Source: http://www.shavlik.com
With Shavlik Patch you leverage a single Configuration Manager workflow for publishing
updates for both Microsoft and non-Microsoft products.

Kaseya

Source: http://www.kaseya.com
Kaseya provides the tools and infrastructure to enforce policies and to easily address the
complexities of software and security patch deployment and simultaneously deploys all
required patches across machines.

LabTech's App-Care

Source: http://www.labtechsoftware.com
The App-Care patch management solution extends LabTech's Microsoft update patching to
third-party applications with seamless integration to close security holes and guard against
attacks. It automatically downloads third-party patches from the manufacturer and pushes
them to computers to close security gaps in third-party applications.

Lumension
Source: https://www.lumension.com

Lumension patch management software helps IT professionals uncover security vulnerabilities
and deploy security patches across an entire network to eliminate them. This patch
management software can be used on Windows, Mac OS X, UNIX and Linux platforms as well as
third-party applications and infrastructure devices.

Go to Control Panel ➔ Administrative Tools ➔ Services

• Disable the following services on any machine other than a server: IIS, FTP, SQL Server,
Proxy services, Telnet

• Disable Universal Plug and Play on any machine

[Screenshot: the Services console (services.msc) listing each service's name, description,
status, startup type and logon account.]

Unnecessary services run in the background on systems without the user being aware of them.
Leaving these services enabled can give an attacker a path to compromise the system, as some of
them can be vulnerable to different types of attacks. Administrators can identify unnecessary
services running on a system based on the organization's policy. The policy statement may
include lists of necessary services that should be allowed to run on the system and unnecessary
services that should not be allowed to run. An administrator can create, pause, stop and restart
a service as per the system and user requirements. On user machines, administrators can
disable any service that is not required. Disabling unnecessary services is important as it reduces
the chances of system exploitation. Services like IIS, FTP, SQL Server, proxy services and Telnet
are usually not required by users. Administrator privileges are required to enable and
disable services on a particular host.
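The service review described above, expressed as a PowerShell script (an added example, not part of the CND courseware or any vendor tool). It assumes an elevated prompt and a disallow list that stands in for the organization's own policy; the mapping from the items the text names to Windows service names is an assumption.

```powershell
# Added example (not from the CND courseware): audit the services the text names and disable
# those an organization policy does not allow on a workstation. Run from an elevated prompt.
# The mapping from the text's items to Windows service names is an assumption.
$ServicesNotAllowed = @(
    'W3SVC',        # IIS World Wide Web Publishing Service
    'ftpsvc',       # Microsoft FTP Service (IIS)
    'MSSQLSERVER',  # SQL Server default instance
    'TlntSvr',      # Telnet server
    'upnphost'      # UPnP Device Host (Universal Plug and Play)
)

function Get-DisallowedServiceReport {
    param([string[]]$NotAllowed = $ServicesNotAllowed)
    foreach ($name in $NotAllowed) {
        # A missing service is simply not installed on this host; skip it quietly
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        $action = 'Disable'
        if ($svc.StartType -eq 'Disabled') { $action = 'None' }
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            Status      = $svc.Status
            StartType   = $svc.StartType
            Action      = $action
        }
    }
}

function Disable-DisallowedService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$NotAllowed = $ServicesNotAllowed)
    foreach ($entry in Get-DisallowedServiceReport -NotAllowed $NotAllowed) {
        if ($entry.Action -ne 'Disable') { continue }
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Stop service and set startup type to Disabled')) {
            if ($entry.Status -eq 'Running') {
                # -Force also stops services that depend on this one
                Stop-Service -Name $entry.Name -Force -ErrorAction Stop
            }
            Set-Service -Name $entry.Name -StartupType Disabled
        }
    }
}

# Review first, preview the change with -WhatIf, then apply it
Get-DisallowedServiceReport | Format-Table -AutoSize
Disable-DisallowedService -WhatIf
# Disable-DisallowedService
```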


Set Appropriate Local Security Policy Settings

Check if security policies are set based on the policies designed for your local network

Go to Control Panel ➔ Administrative Tools ➔ Local Security Policy

[Screenshot: the Local Security Policy console listing Account Policies (password and account
lockout policies), Local Policies (auditing, user rights and security options), Windows Firewall
with Advanced Security, Network List Manager Policies, Public Key Policies, Software Restriction
Policies, Application Control Policies, IP Security Policies on Local Computer, and Advanced
Audit Policy Configuration.]

Local policy settings allow enforcing many system, user and security related settings in
Microsoft Windows. These policy settings include Password Policy, Audit Policy, and User
Permissions. Default policy settings are available; however, the administrator needs to
configure further policies to ensure security. An administrator should define and set the
policies as per the organization's security policies.

Steps for configuring the Local Policy Settings for the computer:

1. Go to Control Panel

2. Click Administrative Tools ➔ Local Security Policy

3. In the security settings, perform one of the following actions:

a. Click Account Policies in order to edit Password Policy and Account Lockout Policy

b. Click Local Policies in order to edit Audit Policy, User Rights Assignment and Security
Options

4. Double-click on the policies in order to modify or edit them

5. Click OK after performing the desired action

Every organization should require its employees to change their passwords after a specified
interval. This creates the need for policies that outline the requirements for setting a
password. Changes in the password policy affect only the local computer. However, the
configuration of the policies depends on the policies of each organization.

For instance, an organization can edit or configure the local password policies as follows:

• Click on Account Policies ➔ Password Policy in the left pane

• Double-click on Enforce password history in the right pane


[Screenshot: Local Security Policy with Account Policies ➔ Password Policy selected, listing
Enforce password history, Maximum password age, Minimum password age, Minimum password
length, Password must meet complexity requirements, and Store passwords using reversible
encryption.]

FIGURE 6.17: Enforcing Password Policy

• Maximum password age: Determines the time period for using a password. The default
value is 42 (days).

• Minimum password age: Determines the minimum number of days the user must keep a
password before changing it.

• Minimum password length: Determines the minimum length of passwords. Usually the
minimum value is '8'.

• Password must meet complexity requirements: Determines the criteria for creating a
password. When this option is enabled, passwords must include upper and lower case
letters, numbers and special characters.

• Store passwords using reversible encryption: Always "Disabled", as enabling it allows an
attacker to crack the password easily.
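An added example, not from the courseware, that exports the local password policy with secedit.exe and checks it against the values described above. The password history size of 24 is an assumption; the other baseline values are the ones the text gives, and the script must run from an elevated prompt.

```powershell
# Added example (not the courseware's own code): export the local password policy with
# secedit and compare it with the baseline described in the text. Run from an elevated
# prompt. The history size of 24 is an assumption; the other values come from the text.
$Baseline = @{
    PasswordHistorySize   = @{ Op = 'ge'; Value = 24 }  # assumption, not from the text
    MaximumPasswordAge    = @{ Op = 'le'; Value = 42 }  # days; -1 (never expires) must fail
    MinimumPasswordAge    = @{ Op = 'ge'; Value = 1 }   # days
    MinimumPasswordLength = @{ Op = 'ge'; Value = 8 }   # characters
    PasswordComplexity    = @{ Op = 'eq'; Value = 1 }   # 1 = complexity requirements enabled
    ClearTextPassword     = @{ Op = 'eq'; Value = 0 }   # 0 = reversible encryption disabled
}

function Get-LocalPasswordPolicy {
    # secedit writes an INF file whose [System Access] section holds the password settings
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    if (-not (Test-Path -Path $inf)) { throw 'secedit export failed (is the prompt elevated?)' }
    $policy = @{}
    foreach ($line in Get-Content -Path $inf) {
        # Keep only "Key = integer" lines; the other sections use strings and SIDs
        if ($line -match '^(?<key>\w+)\s*=\s*(?<value>-?\d+)\s*$') {
            $policy[$Matches['key']] = [int]$Matches['value']
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $policy
}

function Test-PasswordPolicy {
    param([hashtable]$Policy, [hashtable]$Expected = $Baseline)
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $rule   = $Expected[$key]
        $actual = $Policy[$key]
        $ok = $false
        # A missing key fails; so does MaximumPasswordAge = -1, which means "never expires"
        if ($null -ne $actual -and -not ($key -eq 'MaximumPasswordAge' -and $actual -lt 0)) {
            $ok = switch ($rule.Op) {
                'eq' { $actual -eq $rule.Value }
                'ge' { $actual -ge $rule.Value }
                'le' { $actual -le $rule.Value }
            }
        }
        [pscustomobject]@{
            Setting  = $key
            Actual   = $actual
            Expected = '{0} {1}' -f $rule.Op, $rule.Value
            Pass     = $ok
        }
    }
}

$report = Test-PasswordPolicy -Policy (Get-LocalPasswordPolicy)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Local password policy deviates from the baseline'
}
```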


Configuring Windows Firewall

Go to Control Panel ➔ Windows Firewall and click Turn Windows Firewall on or off

[Screenshot: the Windows Firewall control panel ("Help protect your PC with Windows Firewall")
and the Customize Settings page, which for private and public networks offers Turn on Windows
Firewall (with the options Block all incoming connections, including those in the list of
allowed apps, and Notify me when Windows Firewall blocks a new app) and Turn off Windows
Firewall (not recommended).]

Configuring Windows Firewall (Cont'd)

• Configuring Inbound and Outbound rules

• Click Advanced Settings and configure inbound/outbound rules for your firewall restrictions

• Click Monitoring to view active firewall rules, active Connection Security Rules, Security
Associations, etc.

[Screenshot: Windows Firewall with Advanced Security showing the Inbound Rules list with the
columns Name, Group, Profile, Enabled and Action.]


Windows Firewall is a built-in feature that governs the security of Windows. It helps in
preventing intrusions, whether internal or external. Windows Firewall has the ability to monitor
incoming and outgoing traffic. Rules and exceptions in the Windows firewall maintain logs
of the traffic. Administrators can apply rules and exceptions based on the type of network
and the location of the machine.
Turning the firewall ON lets it filter and block the communication passing through it. Administrator
privileges are required to turn ON the Windows firewall feature.

• The following steps define how to turn ON the Firewall:

1. Start ➔ Control Panel ➔ Windows Firewall

2. Click Turn Windows Firewall ON or OFF


Besides traffic filtering and blocking, the Windows firewall also maintains additional information
such as:

1. Windows Firewall state: Informs whether the firewall is ON or OFF.

2. Incoming connections: Notifies the action the firewall will take for incoming
connections.

3. Active private network: Displays the name of the active private network.

4. Notification state: Notifies the action taken by the firewall for applications.

Windows Firewall is configured through the Advanced Security option. Windows
Firewall with Advanced Security displays the detailed functioning of the firewall. It helps in the
implementation of rules and exceptions for the firewall. The snap-in displays the rules and
exceptions for inbound and outbound traffic.

[Screenshot: Windows Firewall with Advanced Security, Inbound Rules view, with the columns
Name, Group, Profile, Enabled and Action. The list shows BranchCache, COM+, Core Networking
(ICMP, DHCP, IPv6, Teredo, etc.), Distributed Transaction Coordinator and File and Printer
Sharing rules; the Actions pane offers Filter by Profile, Filter by State, Filter by Group, View,
Refresh, Export List and Help.]

FIGURE 6.18: Setting Inbound and Outbound Rules in Windows Firewall


• Inbound Rules: They apply to traffic that is coming from the network or the Internet to
your Windows computer or device. For example, if you are downloading a file through
BitTorrent, the download of that file is filtered through an inbound rule.
• Outbound Rules: These rules apply to traffic that originates from your computer and
goes to the network and the Internet. For example, a request to load a website in
your web browser is outbound traffic and is filtered through an outbound rule.

• Connection security rules: Less common rules that are used to secure the traffic between
two specific computers while it crosses the network. This type of rule is used in very
controlled environments with special security requirements. Unlike inbound and
outbound rules which are applied only to your computer or device, connection security
rules require both computers involved in the communication to have the same rules
applied.
All the rules can be configured so that they are specific to certain computers, user accounts,
programs, apps, services, ports, protocols, or network adapters. You can display the rules of a
certain type by selecting the appropriate category in the column on the left.

• Creating an Inbound/Outbound Rule:

1. Go to Outbound Rules ➔ In the Actions pane, click New Rule

2. Select the Type of Rule you want to create ➔ Next
3. Type the pathname of the program ➔ Next
4. Select the Action you want to take ➔ Next
5. Select the Network Location for implementing the rule ➔ Next
6. Enter the Name of the rule and a Description if necessary ➔ Finish

7. The newly created rule will appear in the Actions pane
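As an added example (not the courseware's or Microsoft's own code), the same outbound program rule created with the NetSecurity PowerShell cmdlets instead of the New Rule wizard, together with the firewall state and active-rule information the Monitoring node shows. The rule name, rule group and program path are assumptions, and the script needs an elevated prompt.

```powershell
# Added example (not from the CND courseware): an outbound program rule created with the
# NetSecurity module instead of the New Rule wizard, plus the state information the
# Monitoring node shows. Run from an elevated prompt.
$RuleName = 'CND-Block-ExampleTool-Out'                        # assumed rule name
$Program  = 'C:\Program Files\ExampleTool\exampletool.exe'     # hypothetical program path

function New-OutboundBlockRule {
    param(
        [string]$Name,
        [string]$Path,
        [string[]]$Profiles = @('Domain', 'Private', 'Public')  # network locations (step 5)
    )
    # Creating a rule whose name already exists fails, so remove an earlier copy first
    Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -Name $Name -DisplayName $Name `
        -Description 'Blocks outbound traffic from ExampleTool (added example)' `
        -Group 'CND Host Hardening' `
        -Direction Outbound -Action Block -Program $Path `
        -Profile $Profiles -Enabled True
}

function Get-FirewallProfileState {
    # Per-profile state: is the firewall ON, what happens to unmatched traffic, where it logs
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                      LogBlocked, LogFileName
}

function Enable-BlockedTrafficLogging {
    # Log dropped packets on every profile so blocked connections can be reviewed later
    Set-NetFirewallProfile -All -LogBlocked True -LogMaxSizeKilobytes 16384
}

function Get-ActiveRuleSummary {
    # Enabled rules in the active policy store, counted by direction and action
    Get-NetFirewallRule -Enabled True -PolicyStore ActiveStore |
        Group-Object -Property Direction, Action |
        Select-Object Name, Count
}

New-OutboundBlockRule -Name $RuleName -Path $Program |
    Select-Object Name, Direction, Action, Enabled, Profile
Enable-BlockedTrafficLogging
Get-FirewallProfileState | Format-Table -AutoSize
Get-ActiveRuleSummary | Format-Table -AutoSize
```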


Install Antivirus Software

• Install up-to-date antivirus software to protect your system from virus infections

• You can either use built-in antivirus or third-party antivirus software

• Built-in antivirus for Windows 10 / Windows 8 - Windows Defender

[Screenshot: the Windows Defender home screen ("Your PC is being monitored and protected")
with the Quick, Full and Custom scan options, Real-time protection: On, Virus and spyware
definitions: Up to date, and the Scan now button.]

Keeping the system free of virus infections is an important task for host security. Securing
the system from viruses is the foremost need of the administrators and users working on the
system. By installing updated antivirus software, you can protect your system from virus-infected
files, system crashes, unwanted pop-ups and damage to the operating system caused by a
malware infection. Administrators can also use various third-party antivirus solutions for better
protection.
Windows has a built-in antivirus solution called Windows Defender to protect the system from
virus infection. Windows Defender runs in the background and notifies you when you need to
take specific action. However, you can use it anytime to scan for malware if your computer isn't
working properly or if you clicked a suspicious link online or in an email message.

Windows Defender is malware protection software used in order to detect and mitigate viruses
and other malicious programs.

Windows Defender scan process:

1. Search for Windows Defender in the search bar

2. Open Windows Defender

3. Select the type of scan of your choice:

I. Quick scan: Scans only those areas of the computer that are more prone to virus
attacks.


II. Full Scan: Scans all files and folders present in the system. This may be
time-consuming.
III. Custom Scan: Scans only those files or folders specified by the user.

4. Click Scan Now

[Screenshot: Windows Defender, PC status: Protected, with the Home, History and Settings tabs,
the scan options Quick, Full and Custom, Real-time protection: On, Virus and spyware
definitions: Up to date, and the Scan now button.]

FIGURE 6.19: Windows Defender


Third-party Antivirus Software

• AVG Antivirus: http://free.avg.com
• Symantec Norton Security with Backup: https://in.norton.com
• Avast Pro Antivirus: https://www.avast.com
• McAfee: http://home.mcafee.com
• Avira: http://www.avira.com
• Quick Heal: http://www.quickheal.co.in
• Kaspersky: http://www.kaspersky.com
• Panda: http://www.pandasecurity.com
• GData: https://www.gdatasoftware.com
• Trend Micro's Maximum Security: http://www.trendmicro.com

Below is a list of some third-party antivirus software which can be used to protect your host
from malware infections.

AVG Antivirus

Source: http://free.avg.com

AVG Antivirus helps stop, remove and prevent the spreading of viruses, worms, and Trojans. It
protects you from malware on your PC and helps stop anything that's infected.

Symantec Norton Security with Backup

Source: https://in.norton.com
Norton Security scans to determine whether your system has been infected with viruses, malware,
spyware, or other threats. It checks for suspicious or dangerous cookies and removes those that
raise a concern.

Avast Pro Antivirus

Source: https://www.avast.com

Avast Pro Antivirus scans all files being downloaded through torrents, servers or flash
drives. The files are tested before being saved to the system. The software has features for
securing the DNS settings, preventing DNS hijacking, fake-password attacks, etc. The
antivirus detects malicious packets/data travelling towards the user's router or network
and drops them before exploitation.


McAfee

Source: http://home.mcafee.com
The McAfee antivirus software tool scans the core components of the system and keeps them up
to date. The software installs updates in the background in a timely manner without affecting the
productivity of the system. The tool can diagnose malware, worms or Trojans hiding behind
processes and modules. McAfee can also run scheduled scans on the host machine.

Avira

Source: http://www.avira.com
Avira antivirus tool protects the system from viruses, worms and Trojans. It scans unknown files
in real time for malware and exploits, blocks harmful websites before they load and
identifies potentially unwanted applications hidden within legitimate software.

Quick Heal

Source: http://www.quickheal.co.in

Quick Heal is antivirus software used to protect your system from viruses, worms, Trojans,
spyware and other such threats.

Kaspersky

Source: http://www.kaspersky.com
Kaspersky antivirus delivers essential protection against all types of malware. It safeguards you
from the latest viruses, spyware, worms and more.

Panda

Source: http://www.pandasecurity.com

Panda provides real-time protection against the latest release malware. It protects PC, Mac or
Android device against all types of threats.

GData

Source: https://www.gdatasoftware.com
GData has the feature of proactively detecting the malware from the system. It scans SSL
encrypted emails for malicious attachments and suspicious content.

Trend Micro's Maximum Security

Source: http://www.trendmicro.com
Trend Micro's Maximum Security helps you to prevent identity theft by blocking phishing
emails. It scans privacy settings on social media accounts and provides a secure browser for
safe online banking.


• Spamming is an act of sending unsolicited bulk messages

• Use good anti-spam applications to block spammers

• Anti-spam applications typically use one or more filtering methods to identify spam and
stop it from reaching a user's inbox

Email threats have rapidly evolved into one of the major concerns for cyber users. Spamming is
one such threat to email security. Spamming involves sending unsolicited bulk email (UBE), junk
mail, or unsolicited commercial email (UCE) frequently to individual users or groups of users.
These email spams typically cost users money out-of-pocket to receive. Spam mail sent via
virus-infected networks can install a backdoor that allows the spammer to access the computer and
use it for malicious purposes.
Anti-spam is a method of denying spam emails in the user's email. Generally, anti-spam
methods scan the computer's IP address, email signatures and data. This minimizes the spam
emails users receive. There are many types of anti-spam systems used together with
many email systems and Internet service providers (ISPs).

There are various benefits of using email security:

• Provides complete security from any kind of cyber-attack through email by preventing
unwanted bulk emails and viruses.

• Identifies unknown malware and other malicious links in emails.

• Helps in reacting to detected spam emails.


• MX Guarddog: https://www.mxguarddog.com
• FireEye Email Security: https://www.fireeye.com
• Symantec Email Security: https://www.symantec.com
• Spam Fighter: http://www.spamfighter.com
• Avast: https://www.avast.com
• K9: http://keir.net
• Spamihilator: http://www.spamihilator.com
• G-Lock SpamCombat: http://www.glocksoft.com
• Cyberoam Anti-spam: www.cyberoam.com
• AVG Antivirus: http://www.avgcloudcore.net

Below is a list of anti-spam tools for email security.

MX Guarddog

Source: https://www.mxguarddog.com
MX Guarddog offers complete email security, with no software to install and no changes to
your email clients. The tool protects user emails against viruses, malware, phishing emails, DoS
attacks, etc.
FireEye Email Security

Source: https://www.fireeye.com
FireEye Email Security products detonate and analyze suspicious email attachments and
embedded URLs and block malicious activity to enhance email security. With these capabilities,
organizations can prevent, detect, and respond to email-based cyber-attacks. AV and anti-spam
protection are available to handle casual attacks and nuisance traffic. Customers can select
Email Threat Prevention Cloud (ETP) for a complete, off-premise email security solution with no
hardware or software to install.

Symantec Email Security

Source: https://www.symantec.com

Symantec Email Security effectively blocks unwanted email. It is capable of blocking spear-
phishing and targeted-attack malicious URLs with Real Time Link. It analyzes the email body,
subject, and headers, as well as text within document attachments, to identify and prevent loss
of confidential data.
Spam Fighter

Source: http://www.spamfighter.com
Spam Fighter protects all the email accounts on your PC. It protects against phishing, identity
theft, and other email fraud. It can blacklist and block emails and domains.

Avast
Source: https://www.avast.com
Avast Internet Security has anti-spam features so you can stay safe from phishing and do not
have to waste your time on junk emails.
K9

Source: http://keir.net
K9 is an email filtering application that works in conjunction with the regular POP3 email
program. It automatically classifies incoming emails as spam (junk email) or non-spam without
the need for maintaining dozens of rules or constant updates to be downloaded. It uses
intelligent statistical analysis that can result in extremely high accuracy over time. K9 is for
standard POP3 email accounts only. It does not support IMAP nor does it support Hotmail, AOL
or any other kind of webmail type systems. It does not natively support SSL or secure
authentication.

Spamihilator
Source: http://www.spamihilator.com
Spamihilator works between the email client and the Internet and examines every incoming
message, separating spam from non-spam mail. Spamihilator uses a number of filters in order to
identify spam on the user's network. The program works with almost every email client, such as
Outlook, Mozilla Thunderbird, Eudora, IncrediMail, Pegasus Mail, Phoenix Mail, Opera, etc.

G-Lock SpamCombat
Source: http://www.glocksoft.com

SpamCombat removes spam, virus-laden, and junk emails from the inbox. It eliminates all
unwanted messages at the server level, before they are received by the email client. G-Lock
SpamCombat uses filters such as the Complex Filter, Whitelist, Blacklist, HTML Validator, DNSBL
filter, and the Bayesian filter in order to keep spam out of the inbox.

Cyberoam Anti-spam

Source: https://www.cyberoam.com
The Cyberoam Anti-Spam solution provides real-time spam protection over the SMTP, POP3 and
IMAP protocols, protecting organizations from zero-hour threats and blended attacks that involve
spam, malware, botnets, phishing and Trojans.


AVG Antivirus

Source: http://www.avgcloudcare.net
AVG anti-virus is a cloud-based email security service that delivers comprehensive protection
against spam, viruses, phishing attacks, and other email-borne threats. It performs an
automatic update and identifies the spam before it affects the user's network.


• Malware may come through unwanted pop-ups on the site that users are visiting
• Enable the Pop-up Blocker feature to prevent unwanted windows from opening

[Screenshots: pop-up blocker settings in Internet Explorer (Internet Options, Privacy tab),
Mozilla Firefox (Options, Content) and Google Chrome (Content settings, Pop-ups)]

• Internet Explorer: Go to Control Panel ➔ Internet Options ➔ Privacy tab, select a setting for the
Internet zone, and turn on the Pop-up Blocker
• Mozilla Firefox: Go to Options ➔ Content and check the Block pop-up windows checkbox
• Google Chrome: Go to Settings, click Show advanced settings. Under "Privacy," click Content
settings. Under "Pop-ups," select Do not allow any site to show pop-ups (recommended) or Allow
all sites to show pop-ups

Pop-up blocker is a feature that automatically prevents websites from opening windows that
aren't the main browser window. Pop-up blockers allow you to control what happens as you
browse the web and prevent sites from filling your desktop with pop-up windows you do not
want or need. All modern browsers now have pop-up blockers.

It prevents unnecessary web pages and their pop-ups from being loaded onto the system. Usually,
sites add pop-ups so that users can get extra information about their search. However, it is
advisable to turn on the pop-up blocker to avoid any intrusion on the system.

Follow the steps below to enable the pop-up blocker feature and prevent unwanted windows
from opening:

• Internet Explorer:
1. Click on Start ➔ Control Panel
2. Select Internet Options ➔ Privacy tab
3. To enable the pop-up blocker, check the box "Turn on Pop-up Blocker"
4. Click on the Settings option to provide exceptions for specific websites
5. Enter the name of the website in the textbox "Address of website to allow" ➔ Allow
6. Select the "Blocking Level" as per the requirement
7. Close ➔ Apply ➔ OK


[Screenshot: Internet Properties dialog, Privacy tab. Settings for the Internet zone are set to
Medium (blocks third-party cookies that do not have a compact privacy policy or that save
information that can be used to contact you without your explicit consent; restricts first-party
cookies that save information that can be used to contact you without your implicit consent).
Under Pop-up Blocker, the "Turn on Pop-up Blocker" checkbox is selected, with a Settings button
beside it.]

FIGURE 6.20: Enabling Pop-up Blocker in Internet Explorer

• Google Chrome:
1. In Google Chrome, click the menu button ➔ Settings
2. Go to Show advanced settings ➔ Privacy ➔ Content Settings
3. Under Pop-ups ➔ select Do not allow any site to show pop-ups ➔ Finished

[Screenshot: chrome://settings/content, Content Settings dialog. Under Pop-ups, "Do not allow any
site to show pop-ups (recommended)" is selected, with a "Manage exceptions..." button; the Location
and Notifications sections below offer Allow / Ask (recommended) / Do not allow choices.]

FIGURE 6.21: Pop-ups settings in Google Chrome


• Mozilla Firefox:

1. In Mozilla Firefox, click the menu button ➔ Options

2. Go to Content ➔ check the box "Block pop-up windows"

3. The Exceptions button allows adding URLs that are excluded from the pop-up blocking rule

4. Click OK

[Screenshot: Firefox Options dialog, Content tab, with the "Block pop-up windows" checkbox
selected and an "Exceptions..." button beside it; Fonts & Colors and Languages sections below.]

FIGURE 6.22: Enabling pop-up windows in Mozilla Firefox


Windows Logs Review and Audit

• Conduct peer log review and audit periodically to look for any suspicious activity and respond
to security incidents
• You need administrative access privileges to conduct a log review and audit
• Event Viewer provides a quick overview of when, where, and how an event occurred
• Navigate to Control Panel, go to Administrative Tools, and then double-click Event Viewer
• Check the Windows Event Log for the various types of logs:
o System log
o Security logs
o Setup logs
o Application logs

• Typical log entries contain the following types of information about the events:
o Level: Defines the severity of the event. The severity levels are Information, Warning, Error,
and Critical
o Keywords: Defines the type of event that occurred. Keyword values include Audit Failure,
Audit Success, Classic, Correlation Hint, Response Time, SQM, WDI Context and WDI Diag
o Date and Time: The date and time at which the event occurred
o Source: Defines the source of the event
o Event ID: A unique event ID is assigned to each type of event
o Task Category: Defines the task category

Note: Critical systems require at least a daily log review

Windows Logs Review and Audit (Cont'd)

[Screenshots: Event Viewer listings of Security log entries; the entry text did not survive
extraction]

• Conduct a Windows Event log review based on the Event ID, source, date and time of events and
their severity levels
• Some log entries for suspicious behavior can be:
o Consecutive login failure attempts
o Login attempts in non-office hours
o Authority change, addition and removal attempts
o Account unlocked/password reset attempts

Note: CND Resource Kit contains a detailed list of Event IDs for corresponding log events.


Windows log review and audit involve monitoring and analyzing the log entries for suspicious
behavior. Administrators find log review and audit helpful in troubleshooting problems with
Windows and other programs, as well as in detecting signs of malicious activities or attempts,
such as unauthorized login attempts made on the computer.

All the activities of a user on a Windows computer are recorded and stored in a file called the
Windows Event Log. Administrators can view these log entries with the help of Event Viewer.
Event Viewer tracks information in several different logs.

• Event Viewer:

1. Go to Control Panel ➔ Administrative Tools

2. In the Administrative Tools window, double click on Event Viewer

Control Panel ► All Control Panel Items ► Administrative Tools ►

Name                              Date modified        Type
Terminal Services                 7/26/2012 6:05 PM    File folder
Component Services                7/26/2012 6:22 AM    Shortcut
Computer Management               7/26/2012 6:19 AM    Shortcut
Defragment and Optimize Drives    7/26/2012 6:18 AM    Shortcut
Event Viewer                      7/26/2012 6:20 AM    Shortcut
iSCSI Initiator                   7/26/2012 6:22 AM    Shortcut
Local Security Policy             7/26/2012 6:19 AM    Shortcut
ODBC Data Sources (32-bit)        7/26/2012 6:29 AM    Shortcut
ODBC Data Sources (64-bit)        7/26/2012 6:25 AM    Shortcut
Performance Monitor               7/26/2012 6:17 AM    Shortcut

FIGURE 6.23: Event Viewer

• The main screen of the Event Viewer is divided into three parts:

• Navigation Pane: It displays the various types of logs and their related features.

Event Viewer (Local)
  Custom Views
    Administrative Events
  Windows Logs
    Application
    Security
    Setup
    System
    Forwarded Events
  Applications and Services Logs
    Hardware Events
    Internet Explorer
    Key Management Service
    Microsoft
    Microsoft Office Alerts
    Windows PowerShell
  Subscriptions

FIGURE 6.24: Navigation Pane in Event Viewer


• Detail Pane: In the detail pane, event entries are listed in chronological order.

Clicking on any event entry will show the event's detailed information in the bottom half of the
pane.
Each of these events also includes a level which indicates its severity. There are three levels:
1. Information messages: These are shown with an "i" in a white circle and indicate that the
system performed the task successfully.
2. Warning messages: These are shown with a yellow triangular icon and indicate that an event
occurred which might create a problem later.
3. Error and critical messages: These are shown with an exclamation mark inside a red circle
and indicate that a significant problem occurred.

[Screenshot: Event Viewer (Local), Overview and Summary window (last refreshed 5/11/2016
4:50:36 PM). The Overview text reads: "To view events that have occurred on your computer,
select the appropriate source, log or custom view node in the console tree. The Administrative
Events custom view contains all the administrative events, regardless of source." Below it are
the Summary of Administrative Events table (Event Type, Event ID, Source, Log, Last hour, 24
hours), Recently Viewed Nodes (Name, Description, Modified, Created) and Log Summary (Log
Name, Size (Current), Modified, Enabled, Retention).]

FIGURE 6.25: Summary window of an Event

• Action Pane: The action menu items on the right pane include many of the options available
from the main menu bar. This includes saving event entries to a file, opening a saved event
file, exporting or filtering events, etc.
Actions pane, Event Viewer (Local):
  Open Saved Log...
  Create Custom View...
  Import Custom View...
  Connect to Another Computer...
  View ►
  Refresh
  Help ►

FIGURE 6.26: Action Pane in Event Viewer


• Windows Event Logs consist of five types of logs:

1. Application Log: It stores logs of applications installed on the computer.

2. Security Log: It stores information related to login attempts, user account privileges,
etc.
3. Setup Log: It stores the information captured during the time of OS installation.
4. System Log: It stores the information of the messages sent by the OS.

5. Forwarded Events: Other host machines in the network send these events when the
local machine is acting as a central domain for them.

• Each event in a log contains the following information:

• Date: The date of the occurrence of the event.

• Time: The time of the occurrence of the event.

• User: The name of the user logged in at the time of the occurrence of the event.

• Computer: Name of the computer.

• Event ID: The identification number that states the event type.

• Source: The source for the occurrence of the event.

• Type: The type of event that occurred.

• Level: Represents the severity of the event. The different levels are as follows:
o Information: Informs regarding a change in the application.

o Warning: Informs that an issue occurred that can impact the services of the system.

o Error: Informs that an error has occurred.

o Critical: Informs that an error that occurred in the application cannot be rectified.

• Keywords: Used to search for events.

• Log: The name of the log where the event was created.
In an organization, an administrator should have the practice of monitoring and auditing the log
files. Log entries indicating suspicious behavior on a computer can be:

• Consecutive login failure attempts.

• Login attempts in non-office hours.

• Authority change, addition and removal attempts.

• Account unlocked/password reset attempts.
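The four patterns listed above, turned into checks that run over Security log records. This is an added example, not code from the courseware or the CND Resource Kit; the Event IDs are real Windows Security log IDs (4625, 4624, 4724, 4767, 4728, 4729), while the events, user names and hosts are constructed.

```python
"""Added example (not from the courseware): screening Windows Security log
records for the four suspicious patterns listed above.

The Event IDs are real Windows Security log IDs (4625 failed logon, 4624
successful logon, 4724 password reset attempt, 4767 account unlocked, 4728
member added to / 4729 removed from a security-enabled global group). The
records, user names and hosts are constructed; in practice they would come
from an Event Viewer export or Get-WinEvent.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON, LOGON = 4625, 4624
PASSWORD_RESET, ACCOUNT_UNLOCKED = 4724, 4767
GROUP_MEMBER_ADDED, GROUP_MEMBER_REMOVED = 4728, 4729
AUTHORITY_CHANGE_IDS = {GROUP_MEMBER_ADDED, GROUP_MEMBER_REMOVED}
ACCOUNT_RECOVERY_IDS = {PASSWORD_RESET, ACCOUNT_UNLOCKED}

@dataclass(frozen=True)
class SecurityEvent:
    time: datetime
    event_id: int
    target_user: str   # the account the event is about
    source: str        # workstation or IP recorded in the event

def consecutive_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Users with >= threshold failed logons (4625) inside `window` and no
    successful logon (4624) in between. Returns {user: longest streak}."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if ev.event_id in (FAILED_LOGON, LOGON):
            per_user[ev.target_user].append(ev)
    flagged = {}
    for user, evs in per_user.items():
        streak = []
        for ev in evs:
            if ev.event_id == LOGON:
                streak = []          # a success ends the failure streak
                continue
            # keep only the failures still inside the sliding window
            streak = [s for s in streak if ev.time - s.time <= window]
            streak.append(ev)
            if len(streak) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(streak))
    return flagged

def off_hours_logons(events, start_hour=8, end_hour=18):
    """Successful logons outside [start_hour, end_hour) or on a weekend.
    Returns [(user, time)] in log order."""
    hits = []
    for ev in events:
        if ev.event_id != LOGON:
            continue
        weekend = ev.time.weekday() >= 5
        if weekend or not (start_hour <= ev.time.hour < end_hour):
            hits.append((ev.target_user, ev.time))
    return hits

def account_changes(events):
    """Authority (group membership) changes and unlock / password-reset
    events, keyed by review category."""
    out = {"authority_change": [], "account_recovery": []}
    for ev in events:
        if ev.event_id in AUTHORITY_CHANGE_IDS:
            out["authority_change"].append((ev.event_id, ev.target_user))
        elif ev.event_id in ACCOUNT_RECOVERY_IDS:
            out["account_recovery"].append((ev.event_id, ev.target_user))
    return out

def review(events):
    """Run all the checks and return one report dictionary."""
    return {"consecutive_failures": consecutive_failures(events),
            "off_hours_logons": off_hours_logons(events),
            **account_changes(events)}

# Constructed sample log. 11 May 2016 is a Wednesday, 14 May 2016 a Saturday.
T0 = datetime(2016, 5, 11, 2, 15)
SAMPLE_EVENTS = [
    SecurityEvent(T0, FAILED_LOGON, "jdoe", "WS-01"),
    SecurityEvent(T0 + timedelta(seconds=20), FAILED_LOGON, "jdoe", "WS-01"),
    SecurityEvent(T0 + timedelta(seconds=45), FAILED_LOGON, "jdoe", "WS-01"),
    SecurityEvent(T0 + timedelta(minutes=1), LOGON, "jdoe", "WS-01"),      # 02:16
    SecurityEvent(datetime(2016, 5, 11, 10, 0), LOGON, "asmith", "WS-07"),
    SecurityEvent(datetime(2016, 5, 11, 10, 5), FAILED_LOGON, "asmith", "WS-07"),
    SecurityEvent(datetime(2016, 5, 11, 10, 30), FAILED_LOGON, "asmith", "WS-07"),
    SecurityEvent(datetime(2016, 5, 14, 11, 0), LOGON, "asmith", "WS-07"),   # Saturday
    SecurityEvent(datetime(2016, 5, 11, 23, 40), PASSWORD_RESET, "svc_backup", "DC-01"),
    SecurityEvent(datetime(2016, 5, 11, 23, 41), GROUP_MEMBER_ADDED, "svc_backup", "DC-01"),
]

if __name__ == "__main__":
    for category, findings in review(SAMPLE_EVENTS).items():
        print(f"{category}: {findings}")
```

The two spaced-out failures for asmith stay below the threshold because the window slides; lowering the threshold or widening the window is how the review is tuned to the host's normal traffic.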


• Install and configure a host-based IDS/IPS solution to detect intrusion attempts on a single
host system
• It can detect intrusion attempts such as system compromise, rootkits, malicious processes and
modifications of critical configuration files such as registry settings, /etc/passwd, etc.
• It monitors and reports on the system configuration and application activity
• It is an effective solution for detecting computer misuse from trusted insiders

The host-based IDS analyzes and identifies the presence of any malicious activity in the computer
system on which the IDS runs. It analyzes all the parts of the computer system, especially the
resources used by each application, the current state of the system, and the stored information
(RAM, log files, file system), and checks for any changes in the applications.

The host-based IDS detects:

• System compromise.

• Unwanted or unused applications.

• Any kind of modification to critical configuration files such as registry settings.

• Malware.

• Rootkits.

• Rogue processes.

• Any important services that have been paused.

• User access to systems and applications.


The host-based IDS analyzes the internal and external state of a computer system and checks
whether all applications and programs in the computing system follow the security policies. The
host-based IDS can work in combination with a NIDS, which means that the host-based IDS can
detect any malfunction missed by the network-based IDS. The administrator can compare the
analysis done by the host-based IDS and the network-based IDS in order to confirm the presence
of any changes in the system performed by intruders.

However, the network administrator should consider implementing both network-based IDS
and host-based IDS to secure their network.

Certain differences between the NIDS and HIDS are:

Difference       Host-based IDS                                 Network-based IDS
Analysis         Analyzes the log files, which contain all      Analyzes the network traffic
                 information regarding the status of the
                 system
Protection       Protects even when the LAN is off              Protects only when the LAN is on
Versatility      More versatile                                 Less versatile
Affordability    More affordable                                Cheaper to implement and needs
                                                                less administration

TABLE 6.1: NIDS vs HIDS

Advantages of host-based IDS:


• Very low false positives: The host-based IDS perform analysis directly on the host, thereby
analyzing all the log files. This reduces the number of false positives.

• Narrow operating system focus: Host-based IDS function only on certain operating
systems which in turn minimizes the number of drawbacks.

• Non-network based attacks: Identifies the attacks on the physical machine as well.


• OSSEC is a free, open-source host-based intrusion detection system (HIDS)
• It can perform log analysis, integrity checking, Windows registry monitoring, rootkit detection,
time-based alerting, and active response
• It provides intrusion detection for most operating systems, including Linux, OpenBSD, FreeBSD,
OS X, Solaris and Windows

http://ossec.github.io

OSSEC is a platform to monitor and control your systems. It mixes together all the aspects of HIDS
(host-based intrusion detection), log monitoring, and Security Incident Management (SIM)/Security
Information and Event Management (SIEM). It runs on most operating systems, including Linux,
OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
Key Features:
• File Integrity checking: The goal of file integrity checking (or FIM, file integrity monitoring)
is to detect changes to files and alert you when they happen. Whether the cause is an attack,
misuse by an employee or even a typo by an admin, any file, directory or registry change will be
alerted to you.
• Log Monitoring: Every operating system, application, and device on your network generates
logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates
these logs to let you know if something suspicious is happening (attack, misuse, errors, etc.).
• Rootkit Detection: Criminal hackers want to hide their actions, but with rootkit detection you
can be notified when the system is modified in a way common to rootkits.
• Active Response: Active response allows OSSEC to take immediate action when specified
alerts are triggered. This may prevent an incident from spreading before an administrator
can take action.

Source: http://ossec.github.io


Host-based IDS: AlienVault Unified Security Management (USM)

• USM can be used for both host-based intrusion detection (HIDS) and network-based intrusion
detection (NIDS)
• USM detects intrusions such as:
o System compromises
o Unwanted applications
o Malware
o Rogue processes
o Privilege escalations
o Rootkits
o Critical services that have been stopped
o Modification of critical configuration files (e.g. registry settings, /etc/passwd)
o User access to systems and applications

https://www.alienvault.com

AlienVault's Unified Security Management™ (USM™) platform accelerates and simplifies threat
detection, incident response and compliance management for IT teams with limited resources.
With essential security controls and integrated threat intelligence built-in, AlienVault USM puts
complete security visibility of threats affecting your network and how to mitigate them within
fast and easy reach.

• Its intrusion detection capability includes:

• Network IDS

• Host IDS

• File Integrity Monitoring (FIM)

Source: https://www.alienvault.com


• Tripwire is a host-based IDS for monitoring hosts across Windows, Linux, Solaris, AIX and HP-UX
platforms
• It provides real-time detection of anomalies, change, and threat indicators
• It ensures the integrity of critical system files and directories of the system

http://www.tripwire.com

Tripwire software can help to ensure the integrity of critical system files and directories by
identifying all changes made to them. Tripwire configuration options include the ability to
receive alerts via email if particular files are altered and automated integrity checking via
a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track
of system changes and can speed the recovery from a break-in by reducing the number of files
you must restore to repair the system.

Tripwire compares files and directories against a baseline database of file locations, dates
modified, and other data. It generates the baseline by taking a snapshot of specified files and
directories in a known secure state. (For maximum security, Tripwire should be installed and
the baseline created before the system is at risk from intrusion.) After creating the baseline
database, Tripwire compares the current system to the baseline and reports any modifications,
additions, or deletions.

Source: http://www.tripwire.com
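The baseline-and-compare workflow that the Tripwire description above (and OSSEC's file integrity checking) refers to, as an added example rather than code from either product. The directory layout, file contents and simulated tampering are constructed for the demo, and the JSON baseline file is an assumption about where such a database would live.

```python
"""Added example (not from the courseware, Tripwire or OSSEC): the
baseline-and-compare step that a file integrity checker performs.

take_baseline() snapshots a directory tree (SHA-256, size, mode and mtime
per regular file) and compare() reports additions, deletions and
modifications against that snapshot. Paths, file contents and the tampering
below are constructed for the demo. A real deployment keeps the baseline
signed or off-host so it cannot be rewritten together with the files.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def take_baseline(root):
    """Return {relative_path: {sha256, size, mode, mtime}} for every regular
    file under root. Symlinks and special files are skipped, not followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256(full), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode),
                             "mtime": int(st.st_mtime)}
    return baseline

def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def compare(baseline, current):
    """Diff two snapshots. 'modified' maps each changed path to the attributes
    that differ, so a content change (sha256/size) is distinguishable from a
    permission change (mode). mtime is recorded but not used as evidence,
    since it is trivially reset."""
    report = {"added": [], "removed": [], "modified": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            changed = [k for k in ("sha256", "size", "mode")
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                report["modified"][rel] = changed
    return report

def demo(workdir=None):
    """Build a small 'etc' tree, baseline it, simulate changes and return the
    comparison report. Creates and removes a temp dir if none is given."""
    cleanup = workdir is None
    workdir = workdir or tempfile.mkdtemp(prefix="fim-demo-")
    etc = os.path.join(workdir, "etc")
    os.makedirs(etc, exist_ok=True)
    _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/bash\n")
    _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")
    _write(os.path.join(etc, "motd"), "Authorized use only\n")
    os.chmod(os.path.join(etc, "hosts"), 0o644)
    db = os.path.join(workdir, "baseline.json")
    save_baseline(take_baseline(etc), db)          # known-good state

    # Changes an integrity check should surface:
    with open(os.path.join(etc, "passwd"), "a") as f:   # account appended
        f.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
    os.chmod(os.path.join(etc, "hosts"), 0o666)          # made world-writable
    os.remove(os.path.join(etc, "motd"))                 # file deleted
    _write(os.path.join(etc, "unknown.conf"), "x=1\n")   # file added

    report = compare(load_baseline(db), take_baseline(etc))
    if cleanup:
        shutil.rmtree(workdir)
    return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```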


File System Security: Setting Access Controls and Permission

Use Access Control Lists (ACLs) and permissions to control access to files and folders

Access Control Entry (ACE): Allows/denies access to files or directories for a user or group of
users
Access Control List (ACL): A collection of ACEs for accessing specific files or directories
Permissions: Access control on a specific file or folder is achieved by enforcing certain
permissions on it. There are two types of permissions:
1. NTFS permissions (Security Permissions)
2. Share permissions

Access controls can provide the authority to users, groups and computers to access files and
folders in the computer. When a user or an application requests access to operating system
resources, they need to submit their credentials to the operating system. The credentials are
access tokens created every time a user or an application logs in. The operating system verifies
whether the access token carries the permission to access the objects before permitting the user
or the application to access them. Here, the OS compares the details contained in the access
token with the Access Control Entries (ACEs) for verification. The ACEs can block or permit
access depending on the type of the object. For example, the ACEs available for a printer are
Print, Manage Printing and Manage Documents. An ACL contains a combination of the ACEs of an
object.

• Access Control Principles:

• Grant the least amount of access to objects for users or user groups, thereby allowing them to
perform only the needed functions.

• The owner of an object is the one who created that object.

• Proper permissions are set up for files and folders while installing the operating
system. Upgrade the level of permissions from least privilege to the desired level
during installation itself.

• The files and other documents included in a folder can inherit the permitted privileges
assigned to that folder.


• Appropriate tools can help in managing the permissions of any folders.

• Event viewer helps in viewing the security logs associated with any object.

• Access Control Entries: An ACL can have zero or more ACEs, each of which specifies access to an
object. Overall, there are six types of ACEs, of which securable objects support three (generic
types) and the other three apply to directory service objects (object-specific types).

• The three generic types of ACEs are:

• Access denied ACE: Used in the discretionary access control list in order to prevent
access to any user.

• Access allowed ACE: Used in the discretionary access control list in order to allow
access to any user.

• System Audit ACE: Used in the system-access control list in order to create an audit log
for each attempt by a user while accessing the objects.

• The three object-specific types are:

• Access denied, object specific: Used in the discretionary access control list to block
access to a property or property set. It can even stop the inheritance level of a
specified type of a child object.

• Access allowed, object specific: Used in the discretionary access control list to permit
access to a property or property set. It can even stop the inheritance level of a
specified type of a child object.

• System audit, object specific: Used in the system-access control list in order to create
an audit log when a user attempts to access the child object.

The object-specific types and generic types differ only in the design of the inheritance level.

• Access Control Lists: An access control list is a table that provides a detailed description of
the access rights of users to objects. Every object has an access control list that contains the
details of the user rights and privileges for accessing that object. Each OS has its own ACLs.
An ACL has one or more ACEs that contain the details of the users.

• Permissions: Each container or object has a security descriptor attached to it. This
security descriptor contains a detailed description of the user access rights. The
security descriptor is created along with the container or object. An ACE represents the
permission given to users or user groups, and the whole list or set of permissions is contained
in an access control list (ACL). There are two types of permissions:

• Explicit permission: Permissions that are set by default upon creation.

• Inherited permission: Permissions that the child object receives from its parent
object.


For example, any files and folders in a folder can inherit the permissions applicable to that
particular parent folder. Here, the parent folder has explicit permissions, whereas the files and
folders have inherited permissions.

• There are two sets of permission entries for accessing a folder on a file server:

• Share permissions on a folder: Used for files and folders shared across the network or
among many user accounts. The permissions can be either denied or allowed depending on
the users or user accounts. The most commonly used share permissions are: Full
Control, Change and Read.

• NTFS permissions on a folder: Control the permissions over network and local
computers. The most commonly used NTFS permissions are: Full Control, Modify, Read
and Execute, Read, Write.

Each is independent of the other; however, the final decision on confirming the access
permission depends on either of the two.
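A model of the ACE/ACL evaluation this section describes, added here as an example and not courseware or Windows code. It goes a little beyond the text: it assumes the canonical ACE order (explicit deny, explicit allow, inherited deny, inherited allow), Microsoft's documented grouping of special permissions under Read, Write, Read & Execute and Modify, and the rule that rights reachable through a share are the NTFS rights intersected with the share level; the users, groups and sample ACL are constructed.

```python
"""Added example (not from the courseware or from Windows itself): a model of
how a discretionary ACL of access-allowed and access-denied ACEs is
evaluated for a requested set of NTFS permissions.

Assumptions: ACEs are evaluated in canonical order (explicit deny, explicit
allow, inherited deny, inherited allow); a deny that touches any requested
right wins; allows accumulate until every requested right is covered; over
a share the effective rights are the NTFS rights intersected with the share
level. The grouping of special permissions under Read / Write / Read &
Execute / Modify follows Microsoft's documentation. Users, groups and the
sample ACL are constructed.
"""
from dataclasses import dataclass, field

# Special permissions (the rows of the NTFS permission tables)
TRAVERSE, LIST_READ = "Traverse Folder/Execute File", "List Folder/Read Data"
READ_ATTR, READ_EXT_ATTR = "Read Attributes", "Read Extended Attributes"
WRITE_DATA, APPEND = "Create Files/Write Data", "Create Folders/Append Data"
WRITE_ATTR, WRITE_EXT_ATTR = "Write Attributes", "Write Extended Attributes"
DELETE_SUB, DELETE = "Delete Subfolders and Files", "Delete"
READ_PERM, CHANGE_PERM = "Read Permissions", "Change Permissions"
TAKE_OWN, SYNC = "Take Ownership", "Synchronize"

# Standard permissions as logical groups of special permissions
READ = frozenset({LIST_READ, READ_ATTR, READ_EXT_ATTR, READ_PERM, SYNC})
READ_EXECUTE = READ | {TRAVERSE}
WRITE = frozenset({WRITE_DATA, APPEND, WRITE_ATTR, WRITE_EXT_ATTR, READ_PERM, SYNC})
MODIFY = READ_EXECUTE | WRITE | {DELETE}
FULL_CONTROL = MODIFY | {DELETE_SUB, CHANGE_PERM, TAKE_OWN}
# Share permission levels, expressed in the same vocabulary
SHARE_LEVELS = {"Read": READ_EXECUTE, "Change": MODIFY, "Full Control": FULL_CONTROL}

@dataclass(frozen=True)
class ACE:
    trustee: str             # user or group the entry applies to
    allow: bool              # True: access-allowed ACE, False: access-denied ACE
    rights: frozenset
    inherited: bool = False  # inherited from the parent container, or explicit

@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)

    def matches(self, trustee):
        return trustee == self.name or trustee in self.groups

def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def check_access(acl, principal, requested):
    """Walk the ACL the way the OS does when it compares the caller's access
    token with the object's ACEs. Returns (granted, reason)."""
    remaining = set(requested)
    for ace in canonical_order(acl):
        if not principal.matches(ace.trustee):
            continue
        hit = remaining & ace.rights
        if not hit:
            continue
        if not ace.allow:
            kind = "inherited" if ace.inherited else "explicit"
            return False, f"{kind} deny ACE for {ace.trustee} blocks {sorted(hit)}"
        remaining -= hit
        if not remaining:
            return True, "every requested right is allowed"
    return False, f"no ACE grants {sorted(remaining)}"

def effective_over_network(acl, principal, share_level):
    """Rights usable through a share: each NTFS right granted on its own,
    intersected with what the share permission level permits."""
    ntfs = {r for r in FULL_CONTROL if check_access(acl, principal, {r})[0]}
    return ntfs & SHARE_LEVELS[share_level]

# Constructed sample: a Reports folder that inherits Allow Modify for Staff
# from its parent, with an explicit deny on deletion for Contractors and an
# explicit Allow Read for Auditors.
SAMPLE_ACL = [
    ACE("Staff", True, MODIFY, inherited=True),
    ACE("Contractors", False, frozenset({DELETE, DELETE_SUB})),
    ACE("Auditors", True, READ),
]
alice = Principal("alice", {"Staff"})
bob = Principal("bob", {"Staff", "Contractors"})
carol = Principal("carol", {"Auditors"})

if __name__ == "__main__":
    for who, want in ((alice, MODIFY), (bob, MODIFY), (bob, READ_EXECUTE), (carol, WRITE)):
        print(who.name, check_access(SAMPLE_ACL, who, want))
    print("alice via Read share:", sorted(effective_over_network(SAMPLE_ACL, alice, "Read")))
```

Bob is in Staff, so the inherited Allow Modify would cover him, yet the explicit deny on Delete is evaluated first and refuses Modify as a whole while still letting Read & Execute through.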


File System Security: Setting Access Controls and Permission to Files and Folders

Typical file permissions allowed on the NTFS file system are Full Control, Modify, Read &
Execute, Read and Write. Each of these permissions is a logical group of special permissions.
The special permissions associated with each NTFS file permission (x = included):

Special permission              Full Control  Modify  Read & Execute  Read  Write
Traverse Folder/Execute File    x             x       x
List Folder/Read Data           x             x       x               x
Read Attributes                 x             x       x               x
Read Extended Attributes        x             x       x               x
Create Files/Write Data         x             x                             x
Create Folders/Append Data      x             x                             x
Write Attributes                x             x                             x
Write Extended Attributes       x             x                             x
Delete Subfolders and Files     x
Delete                          x             x
Read Permissions                x             x       x               x     x
Change Permissions              x
Take Ownership                  x
Synchronize                     x             x       x               x     x

Source: https://technet.microsoft.com

File System Security: Setting Access Controls and Permission to Files and Folders (Cont'd)

Typical folder permissions allowed on the NTFS file system are Full Control, Modify, Read &
Execute, List Folder Contents, Read and Write. Each of these permissions is a logical group of
special permissions. The special permissions associated with each NTFS folder permission
(x = included):

Special permission              Full Control  Modify  Read & Execute  List Folder Contents  Read  Write
Traverse Folder/Execute File    x             x       x               x
List Folder/Read Data           x             x       x               x                     x
Read Attributes                 x             x       x               x                     x
Read Extended Attributes        x             x       x               x                     x
Create Files/Write Data         x             x                                                   x
Create Folders/Append Data      x             x                                                   x
Write Attributes                x             x                                                   x
Write Extended Attributes       x             x                                                   x
Delete Subfolders and Files     x
Delete                          x             x
Read Permissions                x             x       x               x                     x     x
Change Permissions              x
Take Ownership                  x
Synchronize                     x             x       x               x                     x     x

Source: https://technet.microsoft.com


File System Security: Setting Access Controls and Permission to Files and Folders (Cont'd)

To set, view, edit, or remove special permissions:

1. Go to the specific file or folder on which you want to set special permissions
2. Right-click the file or folder, click Properties, and then click the Security tab
3. Click Advanced
4. Click Add to set special permissions for a new group or user in the Permission Entry window

(Figure: the Security tab of the Properties dialog for D:\CND new\Research, listing the groups
Authenticated Users, SYSTEM, Administrators and Users with their Allow/Deny permissions, and the
Edit and Advanced buttons.)

Applying NTFS permissions to Files and Folders

NTFS permissions specify which users and groups can access a file or folder and what they can
do with it. They are enforced whether the object is opened on the local computer or through a
shared folder over the network, and on shared folders they are combined with the share
permissions.

• NTFS permissions for a file:

• Full Control: All special permissions, including changing permissions and taking
ownership. It does not override a Deny entry: an explicit Deny on the file still blocks
the user, even if they hold Full Control through a group.

• Modify: Read, write, execute and delete the file. It does not include changing
permissions or taking ownership.

• Read & Execute: Read the file and run it if it is a program.

• Read: Read the file's data, read its attributes and read its permissions.

• Write: Write data to the file and change its attributes. It does not include deleting
the file.

• NTFS permissions for the folder:

• Full Control: Complete access to the folder and, by inheritance, to its contents,
including changing permissions and taking ownership.

• Modify: Read, write, traverse and delete the folder and its contents.


• Read & Execute: List the folder, traverse it, read its files, read attributes and read
permissions. It is inherited by both subfolders and files.

• List Folder Contents: The same rights as Read & Execute, but inherited only by subfolders,
not by files, so it appears on folders only.

• Read: List the folder, read files, read attributes and read permissions.

• Write: Create files, write data, create subfolders and set attributes.

List Folder Contents is therefore shown only on folders and propagates only to folders,
whereas Read & Execute appears on both files and folders.

NTFS permissions are stored with the file system and are preserved by backup tools that copy
the security descriptor. NTFS permissions exist only on NTFS volumes: FAT and FAT32 volumes
carry no per-file or per-folder ACL, so data on them can be protected only by share
permissions when accessed over the network, and not at all from a local logon.

To set, view, change, or remove special permissions, go to the specific file or folder on
which you want to set them:

1. Right-click the file or folder, click Properties, and then click the Security tab

2. Click Advanced

3. Click Add to set special permissions for a new group or user in the Permission Entry
window


File System Security: Setting Access Controls and Permission to Files and Folders (Cont'd)

Applying Share Permissions

Share permissions are applied when you need to provide access to a shared folder over the
network. With share permissions, you can restrict access to shared folders.

1. Go to the specific folder on which you want to set share permissions
2. Right-click the folder, and click the Share with option
3. Select the specific user or group to whom you want to assign share permission, such as
Read or Read/Write

(Figure: the File Sharing dialog, "Choose people to share with", listing Administrator with
permission level Read/Write, Administrators as Owner and Everyone with Read/Write.)

Note: Use NTFS permissions in addition to share permissions to restrict shared folders further

Applying Share Permissions to Folders

A shared folder can be reached over the network, but only by users who hold an access
permission on the share. Because a shared folder may contain personal information,
applications or business data, the share permissions should be chosen according to the type of
data it holds.

• The principles of shared folder permissions are as follows:

• Share permissions apply to the folder as a whole; they cannot be set on individual files
within it.

• Share permissions are not consulted for a user who opens the folder from a logon on the
computer where it is stored; they apply only to users who reach the folder over the
network. Local access is governed by NTFS permissions alone.


Creating and Securing a Windows File Share

Creating a New File Share

Go to Computer Management

1. Click System Tools, right-click Shares and click New Share
2. Browse to the folder that you want to share
3. Enter the [Share Name]
4. Select Customize permissions and click Custom to customize the Share Folder Permissions
5. Add the correct Active Directory User(s) and/or Group(s)

(Figure: the Create A Shared Folder Wizard, showing the Browse For Folder dialog, the Shared
Folder Permissions page with its "Customize permissions" option, and the Customize Permissions
dialog.)

• The Share Permissions only allow Users and/or Groups of users access to a specific shared
Folder

• The User(s) and/or Group(s) must also have the appropriate NTFS Permissions to access the
files

Windows provides shared folders so that users on the network can reach the resources they
contain. Any account that can connect to the share and holds permission on it can read or
change the contents, so the organization must restrict a shared folder with permissions rather
than rely on the defaults. A shared folder can contain applications, personal data or any
other data, and the permissions set on it depend on the type of content it holds. The
characteristics of a shared folder are:

• Share permissions apply to folders only, not to individual files.

• Share permissions are set on the share as a whole and apply uniformly to every file and
subfolder reached through it; they cannot be varied per item inside the share.

• The permission on the share applies to every user who connects to it over the network.

• On FAT volumes, which have no file-level ACLs, share permissions are the only protection
available for the data.

• A permission applied to a group is held by every user who is a member of that group.


The following best practices apply when assigning shared folder permissions:

• Assign folder permissions to groups rather than to individual user accounts: A user may
need access to many shared folders, each with different share permissions, and granting
these per user quickly becomes a tangle of user and group entries. With group permissions,
access is managed by adding a user to or removing a user from the group, with no need to
reassign permissions.

• Restrict the permissions granted to users to the minimum that still lets them perform their
tasks.

• Consolidate applications and other shared resources in one location, so that a single,
well-understood set of permissions covers them.

• Do not explicitly deny permission to a shared resource: A Deny entry for a user or for one
of their groups overrides any Allow entry the user receives through another group, so
explicit denies are easy to get wrong and hard to troubleshoot. Prefer to leave the user out
of the allowed groups.

• Set NTFS permissions for users who log on locally: Share permissions apply only to access
through the network, never to a local logon. On FAT volumes, share permissions are the only
protection there is, so keep sensitive data on NTFS.

• Re-check sharing after a shared folder is copied or moved: the copy is not shared, and a
folder that is moved is no longer shared, so the share and its permissions must be recreated
on the new location.
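The combination rules described above (explicit entries before inherited ones, Deny before Allow, and the more restrictive of share and NTFS across the network) can be checked with a small model. The following is an added example, not EC-Council's code and not a call into Windows: the groupings of special permissions follow the NTFS tables earlier in this module, the mapping of share levels onto the same vocabulary is a modelling assumption, and the trustee names (alice, bob, dave, Finance, Admins), the share and the sample ACLs are constructed.

```python
from dataclasses import dataclass

# Special permissions, using the names from the NTFS permission tables above.
_READ = {"list_folder_read_data", "read_attributes",
         "read_extended_attributes", "read_permissions", "synchronize"}
_WRITE = {"create_files_write_data", "create_folders_append_data",
          "write_attributes", "write_extended_attributes",
          "read_permissions", "synchronize"}
_EXEC = {"traverse_folder_execute_file"}
SPECIAL = _READ | _WRITE | _EXEC | {"delete", "delete_subfolders_and_files",
                                    "change_permissions", "take_ownership"}

# Standard NTFS permissions are logical groups of special permissions.
NTFS = {
    "Read": _READ,
    "Write": _WRITE,
    "Read & Execute": _READ | _EXEC,
    "List Folder Contents": _READ | _EXEC,   # folders only; same rights
    "Modify": _READ | _WRITE | _EXEC | {"delete"},
    "Full Control": set(SPECIAL),
}
# Share permissions expressed in the same vocabulary. This is a modelling
# assumption: Windows stores them as separate SMB access rights.
SHARE = {
    "Read": NTFS["Read & Execute"],
    "Change": NTFS["Modify"] | {"delete_subfolders_and_files"},
    "Full Control": set(SPECIAL),
}


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group the entry applies to
    kind: str                # "allow" or "deny"
    rights: frozenset        # special permissions covered by the entry
    inherited: bool = False  # False = explicit, set on the object itself


def canonical(aces):
    """Windows evaluates an ACL in canonical order: explicit deny, explicit
    allow, inherited deny, inherited allow. Explicit entries therefore win
    over inherited ones, and deny beats allow at the same level."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda a: rank[(a.inherited, a.kind)])


def effective(aces, principals):
    """Rights a caller holding `principals` (own name plus groups) ends up
    with. The first ACE that mentions a right decides it; a later allow
    cannot re-grant a right that an earlier deny already settled."""
    decided, allowed = set(), set()
    for ace in canonical(aces):
        if ace.trustee not in principals:
            continue
        for right in ace.rights - decided:
            decided.add(right)
            if ace.kind == "allow":
                allowed.add(right)
    return allowed


def effective_over_network(ntfs_aces, share_aces, principals):
    """Across a share both ACLs apply and the more restrictive set wins,
    i.e. the intersection. A local logon sees only the NTFS result."""
    return effective(ntfs_aces, principals) & effective(share_aces, principals)


def demo():
    # Constructed sample: D:\Research shared as \\SRV\Research.
    ntfs = [
        Ace("Users", "allow", frozenset(NTFS["Read & Execute"]), inherited=True),
        Ace("Finance", "allow", frozenset(NTFS["Modify"])),
        Ace("Admins", "allow", frozenset(NTFS["Full Control"])),
        Ace("alice", "deny", frozenset({"delete"})),   # explicit deny
    ]
    share = [
        Ace("Everyone", "allow", frozenset(SHARE["Read"])),
        Ace("Finance", "allow", frozenset(SHARE["Change"])),
    ]
    alice = {"alice", "Users", "Finance", "Everyone"}
    bob = {"bob", "Users", "Everyone"}
    dave = {"dave", "Users", "Admins", "Everyone"}
    return {
        "alice_local": effective(ntfs, alice),
        "alice_network": effective_over_network(ntfs, share, alice),
        "bob_network": effective_over_network(ntfs, share, bob),
        "dave_local": effective(ntfs, dave),
        "dave_network": effective_over_network(ntfs, share, dave),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who}: {', '.join(sorted(rights))}")
```

Running it shows the three rules at work: alice keeps Modify minus Delete both locally and over the network, because her explicit Deny on Delete is evaluated before the Allow she gets through Finance; bob, who only has inherited Read & Execute, is unaffected by the share; and dave, who holds NTFS Full Control, is cut back to Read & Execute across the share because Everyone's share entry grants only Read and the intersection wins.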

These steps show how to create and secure a Windows file share:
1. Click the Start menu and, in the search box, type "Computer Management"
2. Click System Tools ➔ Shared Folders

3. Right-click Shares ➔ New Share

4. The Create A Shared Folder Wizard will launch ➔ Next

5. In the "Folder path" text box, enter the path of the folder to be shared ➔ Next

6. In "Share name", enter the name under which the folder is to be shared ➔ Next

7. On the Shared Folder Permissions page, select the kind of permissions required, or choose
Customize permissions to assign specific users and groups

8. Finish


Data and File System Encryption

• You can use the Windows built-in or third-party encryption utilities to encrypt your data
• The Windows operating system has built-in encryption mechanisms, Encrypting File System
(EFS) and BitLocker, to encrypt your data or volume
• EFS is part of the Microsoft Windows file system (NTFS)
• It uses public key encryption technology and can be used on either a workstation or a
server

• EFS Limitations
• It works only for the NTFS file system
• Loses encryption when encrypted data is copied to a non-NTFS system
• Risk of data loss

Encrypting a Folder in Windows
1. Right-click the folder that you want to encrypt and click Properties
2. Click Advanced
3. Select the Encrypt contents to secure data check box and click OK
4. Click Apply

(Figure: the Advanced Attributes dialog with the "Encrypt contents to secure data" check box
under "Compress or Encrypt attributes".)

BitLocker
BitLocker is a full-disk encryption solution that encrypts an entire volume. Install and use
BitLocker to perform full-disk encryption.

(Figure: the BitLocker Drive Encryption control panel.)

Note: Always use full-disk encryption instead of encrypting specific files or folders

Data encryption prevents data from being read, altered or misused by anyone who intercepts it
or gets hold of the storage. The Windows operating system provides built-in encryption
mechanisms, EFS and BitLocker, to encrypt a specific file or folder or an entire drive.

EFS (Encrypting File System)

EFS (Encrypting File System) is a built-in mechanism of the Windows operating system that
encrypts individual files and folders on NTFS volumes. Each file is encrypted with a random
symmetric file encryption key, which is in turn protected with the user's public key, so only
a holder of the matching private key (the user, or a configured data recovery agent) can open
the file. The original Windows 2000 implementation used DESX with a 128-bit key; Windows XP
SP1 and later default to AES-256.

• EFS Features:

• Enabling encryption is an easy task: it is a file or folder attribute.

• Helps in deciding the users that can access files and folders: additional users can be
granted access to an encrypted file through their certificates.

• Encrypted files are opened and saved transparently by the user who encrypted them.

• Encryption applied to a folder is easy to disable.

• EFS Limitations:

• It works only on NTFS volumes.

• Encryption is lost when encrypted data is copied to a non-NTFS volume, such as
FAT-formatted removable media.

• Risk of data loss: if the user's certificate and private key are lost and no data
recovery agent was configured, the data cannot be recovered.


BitLocker
BitLocker extends protection to the level of the whole volume. All documents on the drive are
protected without any per-file configuration, and an attacker who removes the hard drive and
attaches it to another PC cannot read the files or extract password hashes from the offline
system. Because BitLocker encrypts the whole volume, any new file written to the drive is
encrypted automatically. Encryption is transparent to the running system, however: a file
copied to an unencrypted drive, another PC or a network share arrives in plaintext. BitLocker
can encrypt:

• The operating system drive

• Internal hard drives (fixed data drives)

• External hard drives and removable drives (BitLocker To Go)

On a system with a TPM (Trusted Platform Module), a microchip built into the computer that
stores the key protecting the volume, BitLocker checks the boot components during start-up.
If the TPM measurements show that the firmware, boot loader or other early boot components
have changed, the TPM refuses to release the key, the operating system drive stays locked and
the user must supply the recovery key. This is what defends the system against offline
tampering and theft.

• Benefits of BitLocker:

• Protects the data on the hard disk at rest, so a lost, stolen or decommissioned drive
does not expose its contents.

• Because BitLocker validates the boot path at start-up, unauthorized changes to the boot
components are detected before the operating system starts.

• It helps protect data in the case of system theft, as the attacker cannot access the
encrypted files.

• It protects files only while the system is offline. Once the system has booted and the
volume is unlocked, every user and process on the running system sees plaintext, so NTFS
permissions and, where needed, EFS remain necessary to control access among users.


Data Encryption Recommendations

• Encrypt folders instead of individual files
• Use a strong password for encryption
• If you have sensitive data on a computer system:
• Encrypt the C:\HOME directory
• Encrypt My Documents under C:\Documents and Settings
• Encrypt Local Settings under C:\Documents and Settings

The organization should consider encrypting important and sensitive data related to business
information, trade secrets and intellectual property. This may include messages, financial
reports, legal documents, patents, product releases, research and development data, etc.
Encrypted data stays protected from prying eyes even if the computer is stolen.

• You should consider encrypting sensitive information stored in the following locations:

• The C:\HOME directory.

• My Documents under C:\Documents and Settings.

• Local Settings under C:\Documents and Settings.

The C:\Documents and Settings paths above are those of Windows XP and Windows Server 2003; on
Windows Vista and later, user profiles live under C:\Users, so encrypt the corresponding
folders there.

• Data Encryption Recommendations:

• Prefer full disk encryption of the drive to protect all your data.

• Encrypt folders instead of individual files, so that temporary and working copies that
applications save into the folder are encrypted too.

• Encrypt every folder that contains sensitive information.

• Use a strong password for encryption.

• Use third-party encryption tools to encrypt your sensitive data, if required.


Third-party Data Encryption Tools

• VeraCrypt: https://veracrypt.codeplex.com
• 7Zip: http://www.7-zip.org
• Cryptainer LE: http://www.cypherix.com
• AxCrypt: http://www.axantum.com
• KeePass: http://keepass.info
• OpenPuff: http://embeddedsw.net
• Cryptoforge: http://www.cryptoforge.com
• AutoKrypt: http://www.hiteksoftware.com
• EncryptOnClick: http://www.2brightsparks.com
• Steghide: http://www.securityfocus.com

VeraCrypt
Source: https://veracrypt.codeplex.com
VeraCrypt is used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk
within a file or encrypt a partition.
7Zip
Source: http://www.7-zip.org
7-Zip is open source software which performs encryption together with high compression.
Cryptainer LE

Source: http://www.cypherix.com
Cryptainer LE can encrypt every kind of file format, whether it is textual, tabular,
graphical, organized in a database, audio or video. It also allows users to password protect
files and folders on CD-ROMs, DVDs, etc.
AxCrypt

Source: http://www.axantum.com
AxCrypt integrates seamlessly with Windows to compress, encrypt, decrypt, store, send and work
with individual files. It can password protect any number of files using strong encryption.


KeePass
Source: http://keepass.info
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm
to encrypt its password databases.
Steghide
Source: http://www.securityfocus.com
Steghide is a steganography program, which hides bits of a data file in some of the least
significant bits of another file in such a way that the existence of the data file is not visible and
cannot be proven.
OpenPuff
Source: http://embeddedsw.net
OpenPuff securely encrypts and hides files inside of other files. It supports many file formats
like Images (BMP, JPG, PCX, PNG, TGA), Audio support (AIFF, MP3, NEXT/SUN, WAV), Video
support (3GP, MP4, MPG, VOB), Flash-Adobe support (FLV, SWF, PDF).
Cryptoforge
Source: http://www.cryptoforge.com
CryptoForge is file encryption software for personal and professional data security. It
protects the privacy of sensitive files, folders, or email messages. After encrypting the
information, one can store it on insecure media or transmit it over an insecure network, such
as the Internet, and still keep it secret. Later, the information can be decrypted into its
original form.
AutoKrypt
Source: http://www.hiteksoftware.com
AutoKrypt is data encryption software designed for automation. It automatically encrypts or
decrypts files and folders on a schedule.
EncryptOnClick
Source: http://www.2brightsparks.com
EncryptOnClick helps to encrypt and protect sensitive files.
• Features:
• Secure encryption and decryption method is used (256-bit AES encryption).
• Files are both compressed & encrypted, which results in a smaller file.
• Password protected.
• Encrypt single files or all files in a folder.
• Unicode enabled so filenames in any language can be encrypted.
• Encrypt, decrypt, compress, and un-compress files, which can also be opened and
decrypted using third party programs like WinZip 9 (provided the correct password is
used).


Linux Baseline Security Checker: buck-security

• buck-security allows you to get a quick overview of the security status of your system
• It conducts a security check against the baseline:
• Searching for world-writeable files
• Searching for world-writeable directories
• Searching for programs where the setuid bit is set
• Searching for programs where the setgid bit is set
• Checking your umask
• Checking if the sticky bit is set for /tmp
• Searching for superusers
• Checking firewall policies
• Checking if sshd is secured
• Searching for listening services
• Creating and checking checksums of system programs
• Searching for installed attack tool packages
http://www.buck-security.net

buck-security is a security scanner for Debian and Ubuntu Linux. It runs a number of important
checks and helps you harden your Linux system, giving a quick overview of the security status
of the host. As a system administrator, you often get into situations where you have to take
care of a server that has been maintained by other people, and in that situation it is useful
to get an idea of the security status of the system immediately. Buck Security was designed
exactly for this: it runs a few important checks and returns the results, and it was designed
to be extremely easy to install, use and configure.

Source: http://www.buck-security.net
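The first six checks in the list above (world-writable files and directories, setuid and setgid programs, the umask and the sticky bit on /tmp) come down to inspecting inode modes, which the following added example does over a directory tree. It is written here for illustration and is not buck-security's code; the directory to scan and the required umask bits are parameters, and the findings are reported as plain strings so the checker can be run against a constructed directory as well as against /.

```python
import os
import stat


def classify_mode(mode):
    """Findings for one inode mode as returned by os.lstat().st_mode."""
    findings = set()
    if stat.S_ISLNK(mode):
        return findings                      # symlink modes are meaningless
    if mode & stat.S_IWOTH:
        if stat.S_ISDIR(mode):
            findings.add("world-writable-dir")
            if not mode & stat.S_ISVTX:      # without the sticky bit any user
                findings.add("no-sticky-bit")  # can delete other users' files
        elif stat.S_ISREG(mode):
            findings.add("world-writable-file")
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            findings.add("setuid")
        if mode & stat.S_ISGID:
            findings.add("setgid")
    return findings


def scan(root):
    """Walk `root` without following symlinks; return {path: findings}."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                found = classify_mode(os.lstat(path).st_mode)
            except OSError:                  # vanished or unreadable entry
                continue
            if found:
                results[path] = found
    return results


def sticky_bit_set(path="/tmp"):
    """buck-security's /tmp check: the sticky bit must be present."""
    try:
        return bool(os.lstat(path).st_mode & stat.S_ISVTX)
    except OSError:
        return False


def current_umask():
    value = os.umask(0)   # os.umask sets and returns the old value,
    os.umask(value)       # so restore it immediately
    return value


def umask_is_safe(mask, required=0o022):
    """A safe umask clears at least group-write and other-write."""
    return (mask & required) == required


def report(root="/"):
    lines = [f"{path}: {', '.join(sorted(found))}"
             for path, found in sorted(scan(root).items())]
    lines.append("/tmp sticky bit: " + ("ok" if sticky_bit_set() else "MISSING"))
    mask = current_umask()
    lines.append(f"umask {mask:04o}: "
                 + ("ok" if umask_is_safe(mask) else "too permissive"))
    return lines


if __name__ == "__main__":
    import sys
    print("\n".join(report(sys.argv[1] if len(sys.argv) > 1 else "/")))
```

Run it as root with the directory to scan as the argument (`python3 baseline.py /usr`); a full scan of / on a typical host lists a handful of legitimate setuid binaries such as passwd and sudo, so compare the output against a known-good baseline rather than treating every finding as a problem.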


• Use strong "root" passwords according to the organization's policy

• The default system password policy should match your organization's password policy

• Go to the /etc/login.defs file to view and change the default password policy settings per
the organization's password policy

• Use the following command to view and change the default password policy settings:
$ sudo vi /etc/login.defs

The /etc/login.defs file defines the site-specific configuration for password management in
Linux, including the password ageing defaults PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE.
Administrators need to ensure that these defaults match the organization's password policy.
On distributions that use PAM, password length and complexity are enforced by the PAM modules
(pam_unix with pam_pwquality or pam_cracklib), so those rules must be set there as well.

The "root" account is the most privileged account in Linux. It lets administrators add
accounts, change user passwords, audit and monitor log files, etc. No permission check
applies to root, so administrators can perform any task with it; that is also why its password
must be strong and why it should be used only when needed, preferably through sudo.

If an administrator wants to change the password on behalf of a user, they need root
privileges.

Users and administrators change passwords using the commands below:

• An individual user can change their own password with the command: $ passwd. This
prompts for the current password and then for the new password.

• An administrator can change the password of an individual user with the command:
# passwd user_name. This prompts only for the new password.

• A group password, which newgrp demands from non-members who want to switch into the group,
is set with: # gpasswd group_name. Older versions of passwd accepted the same through
# passwd -g group_name. Group passwords are rarely needed and are better left unset.


Change password for a user account

• $ passwd

Output:
Changing password for user
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Change Group Password

When the -g option is used (older shadow-utils; current releases provide gpasswd instead), the
password of the named group is changed:
# passwd -g marketing
This sets the password that newgrp demands for switching into the Marketing group; it does not
change the password of any user account in that group.

With the help of /etc/login.defs (and, on PAM-based distributions, the pam_pwquality or
pam_cracklib configuration for length and complexity), you can enforce common best practices
for password management in Linux such as:
• Use strong 'root' passwords

• Avoid reusing old passwords

• Always set a minimum password length

• Require complex passwords

• Set an expiration period
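Rather than reading /etc/login.defs by eye on every host, the ageing defaults can be compared with the organization's policy automatically. The following is an added example, not part of the courseware: the policy thresholds and the sample file content are constructed (the sample resembles a stock Debian login.defs), and `check_file()` reads the real file when pointed at it. The PASS_MIN_LEN rule is included because the courseware lists it, with the caveat that PAM-based distributions enforce length through pam_pwquality or pam_unix and may ignore the login.defs value.

```python
import re

# Constructed policy: maximum age 90 days, minimum age 1 day, warn 14 days
# before expiry, minimum length 12. Keys are the login.defs directives.
POLICY = {
    "PASS_MAX_DAYS": ("<=", 90),
    "PASS_MIN_DAYS": (">=", 1),
    "PASS_WARN_AGE": (">=", 14),
    "PASS_MIN_LEN": (">=", 12),
}

_LINE = re.compile(r"^\s*([A-Z_]+)\s+(\S+)\s*$")


def parse_login_defs(text):
    """Return {directive: value}, ignoring comments and blank lines.
    login.defs is whitespace separated; a later duplicate overrides an
    earlier one, as the shadow suite itself behaves."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def evaluate(settings, policy=POLICY):
    """Compare parsed settings with the policy; return the violations.
    A directive that is absent counts as a violation, because the
    compiled-in default (for example PASS_MAX_DAYS 99999) is weaker than
    any reasonable policy."""
    problems = []
    for key, (op, wanted) in policy.items():
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} not set (built-in default applies)")
            continue
        try:
            actual = int(value)
        except ValueError:
            problems.append(f"{key} has non-numeric value {value!r}")
            continue
        ok = actual <= wanted if op == "<=" else actual >= wanted
        if not ok:
            problems.append(f"{key} is {actual}, policy requires {op} {wanted}")
    return problems


def check_file(path="/etc/login.defs", policy=POLICY):
    """Audit a real file; returns the same list of violations."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return evaluate(parse_login_defs(fh.read()), policy)


# Constructed sample in the style of a stock Debian/Ubuntu login.defs.
SAMPLE = """\
# /etc/login.defs - Shadow password suite configuration.
PASS_MAX_DAYS\t99999
PASS_MIN_DAYS\t0
PASS_WARN_AGE\t7
UMASK\t\t022   # trailing comment
"""

if __name__ == "__main__":
    for problem in evaluate(parse_login_defs(SAMPLE)):
        print("violation:", problem)
```

Against the sample, all four directives are reported: the two ageing values are too lax, the warning period is too short, and PASS_MIN_LEN is missing. Fixing the file is then a matter of editing those lines with `sudo vi /etc/login.defs`; note that changed ageing defaults apply only to accounts created afterwards, so existing accounts must be updated with `chage`.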


Disabling Unnecessary Services

• Know what type of services are running on your system
# ps ax
• Know the processes that are accepting connections and a list of open ports
# netstat -lp
# netstat -a
• Use the following commands to disable unwanted services on Red Hat, Fedora, and Red Hat
based Linux distributions
# chkconfig [service name] off
# chkconfig --del [service name]
# service [service name] stop

• Use the following commands to disable unwanted services on Debian, Ubuntu, and other
Debian based Linux distributions
# update-rc.d -f [service name] remove

Administrators need to be completely sure about the services running on their Linux systems,
and the set of services should follow the organizational policy. Installing an operating
system normally installs many services and packages automatically, without the installer being
asked about each one. Every unnecessary service is additional attack surface on the host, so
services that are not required, or that violate the organization's security policy, should be
disabled. Administrators should check periodically whether their Linux systems are running
unnecessary services and disable them.

The command # ps ax lists every process running on the Linux system together with its process
ID (PID). Administrators can compare the running services against the organization's policy
and disable any that are unwanted.


FIGURE 6.27: ps ax command (the output shows, for each process, the PID, TTY, STAT, TIME and
COMMAND columns; on the sample host the list begins with init followed by kernel threads such
as kthreadd, ksoftirqd, kworker, rcu_sched, migration, watchdog and kswapd)

Next, it is possible to find the ports on which services are listening using the netstat
command: # netstat -lp

FIGURE 6.28: netstat -lp command (the "Active Internet connections (only servers)" section
shows dhclient listening on UDP bootpc and two further UDP ports; the "Active UNIX domain
sockets (only servers)" section shows listening sockets for x-session-manager, dbus-daemon,
Xorg, pcscd and gnome-keyring, each with its PID/Program name)

The netstat output names the process that owns each listening socket, which makes it easy for
the administrator to pick out and disable unwanted services. On SysV-init releases of Red Hat,
Fedora and CentOS, the command chkconfig enables and disables services. For example, to stop
the Apache web server from starting at boot:
• # chkconfig httpd off
• # chkconfig --del httpd
On SysV-init releases of Ubuntu and Linux Mint, the command # update-rc.d -f [service name]
remove disables a service. Current releases of all of these distributions use systemd, where
the equivalent is # systemctl disable --now [service name], which both stops the service and
prevents it from starting at boot.


Disabling unwanted services in this way reduces the attack surface of the host and frees the
memory and CPU time those services would otherwise consume.


Killing Unnecessary Processes

• Use the 'kill PID' command to kill unwanted processes

• Knowing the PID of the target process:
# ps ax | grep [Target Process]

• Killing the target process:
# kill -9 [PID]

The kill command is usually used to terminate a service in Linux. This stops the service
without requiring a reboot. There are many ways to execute the kill command. Its general
form is:
• # kill [signal or option] PID(s)

It is mandatory to know the PID before running the kill command.

Type the command # ps -A to list the PIDs of all the processes running on the system. After
finding the PID of a particular service, type the command to kill that service.

For example, to obtain the PID of the cupsd service, type the command:

• # ps ax | grep cupsd

This provides the PID of the cupsd service. Now, to kill this service, type the command:

• # kill -9 1511

This kills the cupsd service running on the system.
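The "find the PID, then kill it" procedure above, as an added example that is not from the courseware: it looks the PID up by exact command name (so the lookup never matches the grep process itself, a classic pitfall of "ps ax | grep name"), sends SIGTERM first so the service can shut down cleanly, and falls back to the slide's SIGKILL only if the process ignores the request. It assumes a Linux /proc filesystem.

```sh
#!/bin/sh
proc_state() {
  # Print the one-letter state of PID $1 (R, S, D, Z, ...); fail if the process is gone.
  read -r line 2>/dev/null < "/proc/$1/stat" || return 1
  line=${line##*) }          # strip "pid (comm) " so the state is the first field left
  printf '%s\n' "${line%% *}"
}

is_alive() {
  # A zombie (Z) or dead (X) entry still answers "kill -0", so consult /proc instead.
  st=$(proc_state "$1") || return 1
  [ "$st" != "Z" ] && [ "$st" != "X" ]
}

pids_by_name() {
  # Print the PIDs whose command name is exactly $1 (e.g. cupsd), newest last.
  for d in /proc/[0-9]*; do
    read -r comm 2>/dev/null < "$d/comm" || continue
    if [ "$comm" = "$1" ]; then printf '%s\n' "${d#/proc/}"; fi
  done
  return 0
}

graceful_kill() {
  # graceful_kill PID [TIMEOUT]: SIGTERM first, SIGKILL after TIMEOUT seconds (default 5).
  pid=$1; timeout=${2:-5}; waited=0
  is_alive "$pid" || { echo "no such process: $pid" >&2; return 1; }
  kill -TERM "$pid" 2>/dev/null
  while is_alive "$pid"; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "PID $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
      kill -KILL "$pid" 2>/dev/null
      break
    fi
    sleep 1
    waited=$((waited + 1))
  done
  wait "$pid" 2>/dev/null    # reap it if it happened to be our own child
  ! is_alive "$pid"
}

stop_by_name() {
  # The slide's "ps ax | grep cupsd" then "kill -9 <PID>" flow, done safely for every match.
  for p in $(pids_by_name "$1"); do
    graceful_kill "$p" "${2:-5}" || return 1
  done
}
```

Usage: "stop_by_name cupsd" as root; the SIGTERM/SIGKILL messages go to stderr so the function can be used from a cron job.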


• Update or patch your Linux system in one of the following ways:
  1. Download updated packages from a distribution's website and manually install them on your system
     • Check your distribution's website for the latest patch and update
  2. Download and install updates using third-party applications

• Most Linux distributions come with command-line or even graphical software to update your Linux system

• Use the following tools to update your Linux system:
  • Use up2date for Red Hat based Linux distributions
  • Use apt-get for Debian based Linux distributions
  • Use swaret for Slackware based Linux distributions
  • Use autoupdate for other RPM-based Linux distributions

In Linux, patches are applied to software components such as the kernel or services. Patches
help remove existing vulnerabilities, address security problems and include the latest features.
Administrators are required to test patches before installing them on a host machine; testing
the upgraded software helps verify that it works correctly.
Some Linux distributions can be configured to warn you when patches for installed software are
available. Security fixes are the most important patches, as they resolve security issues of the
system. Once a security threat is revealed, Linux distributions release security patches within
hours. An administrator should keep themselves up to date while handling security issues of
Linux.

An easy way to receive all the updates is to subscribe to updates from the vendors. The updates
should cover the kernel, inetd and certain services.

• Linux systems can have a command line or a graphic software tool.


• Most of the updates can be located on the distribution's website.
• The admin can download and install updates using third-party applications.
The Red Hat Linux distribution provides a patch management solution through two tools:
1. Red Hat Network (RHN): To get the benefit of the patches available in RHN,
organizations are required to purchase a license. The web resource can be configured
on host machines. It provides information on the patches currently available for Linux.


Users can have custom or free services from the online resource. For routine
awareness of patch releases, administrators are advised to set up a Java-based
program called the RHN Alert Notification Tool. When a new update is released, it notifies
the administrator through a change in its icon.
2. RPM Package Manager: The functioning of RPM is similar to RHN; however, it does
not provide detailed information about every available patch. RPM provides a list of
available patches through a user interface and is operated with the rpm command.
When a patch is marked as required, RPM downloads it to the system.


Understanding and Checking Linux File Permissions

Type the ls -l command to list the files and their permissions under the home directory

Types of permissions
• r → denotes read permission
• w → denotes write permission
• x → denotes execute permission
• - denotes no permission

Permission details:
• The first character in the directory listing denotes the file type (d if directory)
• The next three characters denote user permissions
• The next three characters denote group permissions
• The final three characters denote other permissions

Permission groups: Owner and group
• The first name after the number is the owner name
• The second name after the number is the group name

Access control through file permissions is useful to control unauthorized access to system
resources. An individual user, group of users or all who access the system can have access to
certain directories and files if they have the permissions to access them.

Each file and directory has three user based permission groups:

• Owner: Applies only to the owner of the files or directories.

• Group: Applies to the group using the files and directories.


• All users: Applies to all the users in the system.

Permission Types
Each file or directory has three types of basic permissions:

• Read: Users can only read the contents of the files or directories.
• Write: Users can write to or modify the files or directories.

• Execute: Users can execute the files or list the contents of the directories. The Execute
permission affects a user's ability to run a file or view the contents of a directory.


User Rights/Permissions
The permissions shown on the command line can be written as: rwxrwxrwx 1 owner:group
1. The first three characters (rwx) are the Owner permissions.
2. The next three characters (rwx) are the Group permissions.

3. The next three characters (rwx) are the All Users permissions.

4. The number represents the number of hard links to the file.
5. The Owner and Group assignment is formatted as Owner:Group.


• Check the permissions on sensitive files

• Use the chmod command to change the permissions of a file or directory
  • chmod [permission value] [file name]

Common Directory Permission Settings
• 777 (rwxrwxrwx) No restrictions on permissions. Anybody can list files, create new files in the directory, and delete files in the directory
• 755 (rwxr-xr-x) The directory owner has full access. All others can list the directory but cannot read or delete it. This setting is useful for directories that you wish to share with other users
• 700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the user can use and must be kept private from others

Common File Permission Settings
• 777 (rwxrwxrwx) No restrictions on anything. Anybody can do anything. Generally not a desirable setting
• 755 (rwxr-xr-x) The file owner may read, write, and execute the file. Others can read and execute the file. This setting is useful for programs that are used by all users
• 700 (rwx------) The file owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the user may use and are kept private from others
• 666 (rw-rw-rw-) All users can read and write the file
• 644 (rw-r--r--) The owner can read and write a file, while others may only read the file. A very common setting where everybody may read but only the owner can make changes
• 600 (rw-------) Owner can read and write a file. Others have no rights. A common setting for files that the owner wants to keep private

Modifying the Permissions

chmod is a Linux command that allows administrators to change the permissions of a file.
Administrators can edit the permissions using chmod, either by assigning the permissions
explicitly or by using the binary number series.

Permissions defined Explicitly

Administrators need to refer to the Permission Groups and Permission Types. The Permission
Groups used are:

• u: Owner
• g: Group
• o or a: All Users

The operators used along with the groups are + (plus) and - (minus). These assignment
operators define whether the permission is to be added or removed.
Example: A file has its permissions set to rw-rw-rw-, which means that the owner, group and
all users have read and write permission.

• If the permission has to be removed from All Users, the modification will be:
chmod a-rw file1
• If the same permission has to be added back, the command will be:
chmod a+rw file1


Permissions defined through Binary Numbers

A sample permission command would be chmod 640 file1, which means that the owner has read
and write permissions, the group has read permission, and all other users have no rights to the
file. The first number represents the Owner permission; the second represents the Group
permissions; and the last number represents the permissions for all other users. The numbers
are a binary representation of the rwx string:

• r = 4
• w = 2
• x = 1

Administrators are required to include the binary permissions for each of the three permission
groups.

Advanced Permissions
The special permissions flag can be marked with any of the following:

• -: no special permissions
• d: directory
• l: the file or directory is a symbolic link
• s: setuid/setgid permissions
• t: sticky bit permissions


Check and Verify Permissions for Sensitive Files and Directories

Permission  File Pathname          Description
600         /boot/grub/menu.lst    GRUB boot loader menu file
400         /etc/cron.allow        List of users permitted to use cron to submit periodic jobs
400         /etc/cron.deny         List of users who can't use cron to submit periodic jobs
644         /etc/crontab           System-wide periodic jobs
644         /etc/hosts.allow       List of hosts allowed to use internet services that are started using TCP wrappers
644         /etc/hosts.deny        List of hosts denied access to internet services that are started using TCP wrappers
644         /etc/logrotate.conf    File that controls how log files rotate
644         /etc/xinetd.conf       Configuration file for xinetd server
755         /etc/xinetd.d          Directory containing configuration files for specific
755         /var/log               Directory with all log files
644         /var/log/lastlog       Information about all previous logins
644         /var/log/messages      Main system message log file
664         /var/log/wtmp          Information about current logins
755         /etc/pam.d             Directory with configuration files for pluggable authentication modules (PAMs)
644         /etc/passwd            Old-style password file with user account information but not the passwords
755         /etc/rc.d              Directory with system-startup scripts
600         /etc/securetty         TTY interfaces (terminals) from which root can log in
755         /etc/security          Policy files that control system access
400         /etc/shadow            File with encrypted passwords and password expiration information
400         /etc/shutdown.allow    Users who can shut down or reboot by pressing Ctrl+Alt+Delete
755         /etc/ssh               Directory with configuration files for the Secure Shell (SSH)
755         /etc/sysconfig         System configuration files
644         /etc/sysctl.conf       Kernel configuration parameters
644         /etc/syslog.conf       Configuration file for the syslogd server that logs messages
644         /etc/udev/udev.conf    Configuration file for udev, the program that provides the capability to dynamically name hot-pluggable devices and create the device files in the /dev directory
600         /etc/vsftpd            Configuration file for the very secure FTP server
600         /etc/vsftpd.ftpusers   List of users who are not allowed to use FTP to transfer files

Source: http://www.dummies.com


The table shown includes the typical numeric permission settings for important system files in
Linux. This may slightly vary depending on the Linux distribution.
After knowing the numeric permission values for common File and Directory Permission
Settings, you will be able to quickly identify the permissions given or changes in the permission
values for sensitive files and directories of Linux. Administrators should compare and identify
permission value allocations and changes in permission for the Linux hosts on their network.
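The comparison the paragraph asks for, as an added example that is not part of the courseware: it converts an "ls -l" mode string into the numeric form explained in the "Permissions defined through Binary Numbers" section (including the setuid, setgid and sticky digits) and flags any sensitive file whose mode differs from the table. EXPECTED holds a few rows of the table; SAMPLE_LS is constructed "ls -ld" output in which /etc/shadow is deliberately too open; live_audit does the same check on the running host using GNU stat.

```sh
#!/bin/sh
triple_value() {
  # "rwx" -> 7, "r-x" -> 5; s and t in the execute slot imply x, S and T do not
  v=0
  case $1 in r??) v=$((v + 4)) ;; esac
  case $1 in ?w?) v=$((v + 2)) ;; esac
  case $1 in ??[xst]) v=$((v + 1)) ;; esac
  echo "$v"
}

mode_to_octal() {
  # "-rw-r--r--" -> 644, "-rwsr-xr-x" -> 4755, "drwxrwxrwt" -> 1777
  p=$(printf '%s' "$1" | cut -c2-10)   # drop the type character and any trailing "+" or "."
  special=0
  case $p in ??[sS]??????) special=$((special + 4)) ;; esac   # setuid
  case $p in ?????[sS]???) special=$((special + 2)) ;; esac   # setgid
  case $p in ????????[tT]) special=$((special + 1)) ;; esac   # sticky bit
  o=$(triple_value "$(printf '%s' "$p" | cut -c1-3)")
  g=$(triple_value "$(printf '%s' "$p" | cut -c4-6)")
  w=$(triple_value "$(printf '%s' "$p" | cut -c7-9)")
  if [ "$special" -ne 0 ]; then echo "$special$o$g$w"; else echo "$o$g$w"; fi
}

# Expected modes for a subset of the table above ("octal path" per line).
EXPECTED='400 /etc/shadow
644 /etc/passwd
600 /etc/securetty
400 /etc/cron.allow
755 /etc/ssh
644 /etc/crontab'

# Constructed "ls -ld" output (not from a real host); /etc/shadow is 640 instead of 400.
SAMPLE_LS='-rw-r--r-- 1 root root   2345 Jan 10 10:00 /etc/passwd
-rw-r----- 1 root shadow 1200 Jan 10 10:00 /etc/shadow
-rw------- 1 root root    180 Jan 10 10:00 /etc/securetty
-r-------- 1 root root     12 Jan 10 10:00 /etc/cron.allow
drwxr-xr-x 2 root root   4096 Jan 10 10:00 /etc/ssh
-rw-r--r-- 1 root root    722 Jan 10 10:00 /etc/crontab'

expected_mode() {
  printf '%s\n' "$EXPECTED" | awk -v p="$1" '$2 == p { print $1 }'
}

report_deviation() {
  # report_deviation PATH ACTUAL: print "path actual expected" when the mode is not the table's
  exp=$(expected_mode "$1")
  [ -n "$exp" ] || return 0          # not a file we track
  [ "$2" = "$exp" ] || echo "$1 $2 $exp"
}

audit_ls() {
  # Reads "ls -ld" lines on stdin; the last field is the path.
  while read -r mode links owner group size mon day time path; do
    report_deviation "$path" "$(mode_to_octal "$mode")"
  done
}

live_audit() {
  # Same check against the running host; GNU stat prints the octal mode with %a.
  printf '%s\n' "$EXPECTED" | while read -r exp path; do
    [ -e "$path" ] || continue
    report_deviation "$path" "$(stat -c %a "$path")"
  done
}
```

Running live_audit from cron and diffing its output against the previous run turns the table into a change detector for the permissions of sensitive files.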


Host-based Firewall Protection with IPtables

• IPtables is a built-in firewall utility for Linux operating systems.

• IPtables comes pre-installed on any Linux distribution. However, you can update/install it with the following command:
  • sudo apt-get install iptables

[Screenshot: usage summary printed by iptables -h]

iptables is a command-line firewall utility that can allow or deny traffic. iptables is
preinstalled on Linux systems. To update or install iptables, the user needs to obtain the
iptables package using the command:
sudo apt-get install iptables
Every packet traversing the filter system is assigned to an appropriate table depending on
the task to be performed on the packet. Each table contains chains, which determine what
happens to the packet. The tables can be used to create rules, and the user can create their
own chains and link to them from the built-in chains, which makes it possible to build complex
rule sets. However, the user needs to be extra alert while using iptables commands, as any
small error in a command can lock the user out of the system and require the error to be fixed
manually.
There are three different types of chains:

• Input: The input chain checks incoming connections and their behavior. iptables
compares the IP address and port of the incoming connection against the rules in the chain.

• Forward: The forward chain handles incoming connections that are forwarded on to their
destination. The command iptables -L -v helps verify whether an incoming connection
needs the forward chain.
• Output: The output chain is used for outgoing connections; the chain checks the output
request and decides whether to allow or deny it.
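A minimal host ruleset in iptables-restore format, as an added example that is not the courseware's: it sets the default policy of each of the three chains described above, allows loopback and established traffic, keeps SSH reachable (port 22 is assumed) so that loading the rules does not lock the administrator out, and logs what it drops. The check_ruleset helper parses the rules with iptables-restore --test without touching the live tables.

```sh
#!/bin/sh
SSH_PORT=22   # assumption: administrative access is over SSH on the standard port

host_ruleset() {
  # INPUT: drop by default and allow only what is listed. FORWARD: drop, this is a host,
  # not a router. OUTPUT: accept. Rules are checked top to bottom; the first match decides.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES-DROP: " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

check_ruleset() {
  # Parse-only: reports syntax errors without loading anything into the kernel.
  host_ruleset | iptables-restore --test
}

apply_ruleset() {
  # Loads the ruleset for real; run it only from a console session or with a fallback
  # such as "iptables-apply", which reverts the change if you lose connectivity.
  host_ruleset | iptables-restore
}
```

The dropped-packet log lines land in the kernel log (/var/log/kern.log or /var/log/messages) with the IPTABLES-DROP: prefix, which makes them easy to pick out during a log review.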


Various types of Linux OS and core application logs are stored under the /var/log directory

Log Events To Look For
• Successful user login: "Accepted Password", "Accepted Public key", "Session Opened"
• Failed user login: "Authentication Failure", "Failed Password"
• User log off: "Session Closed"
• User account change or deletion: "Password changed", "new user", "Delete user"
• Sudo actions: "Sudo: ....COMMAND=...", "FAILED su"
• Service failure: "Failed" or "Failure"

[Screenshot: terminal window root@kali:/var/log]

Common Linux Log Files

• /var/log/messages: General message and system related stuff
• /var/log/auth.log: Authentication logs
• /var/log/kern.log: Kernel logs
• /var/log/cron.log: Crond logs (cron job)
• /var/log/maillog: Mail server logs
• /var/log/qmail/: Qmail log directory (more files inside this directory)
• /var/log/httpd/: Apache access and error logs directory
• /var/log/lighttpd/: Lighttpd access and error logs directory
• /var/log/boot.log: System boot log
• /var/log/mysqld.log: MySQL database server log file
• /var/log/secure or /var/log/auth.log: Authentication log
• /var/log/utmp or /var/log/wtmp: Login records file
• /var/log/yum.log: Yum command log file


Logs provide a shadow of the system events performed on a computer; they let you know what
has happened on the system. Regular monitoring and auditing of the logs helps administrators
trace a user's activities on the system.

Log files are usually text-based files. The logs are written by the system and by various
programs/services. All log files are stored under the path /var/log. The log file /var/log/wtmp
stores all logins and logouts on the system, and /var/log/messages stores logs from the kernel
and system programs.

It is advisable to monitor and clean the files in /var/log at regular intervals. The logrotate utility
allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can
handle a log file daily, weekly, monthly or when the log file reaches a certain size.

/etc/rsyslog.conf controls what goes into some of the log files.

A few things to consider when conducting a log review and audit:

• Find the log sources and tools required for performing an audit.
• Keep log records in a single location for easy access.
• Verify whether the time stamps can be relied upon, given the different time zones involved.
• Analyze all system changes, updates and errors occurring in the system.
• Check all incidents in a system.
• Comparing logs provides an overall picture of the status of the system.
• Get all details regarding a log entry, such as the reason for that system event.
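The "Log Events To Look For" table and the review checklist above, as an added example that is not part of the courseware: classify reads auth.log style lines on stdin and tags each one with the event category whose marker strings it contains, and failed_login_sources counts failed logins per source address, the figure a reviewer checks first for a brute-force attempt. The log lines are constructed for the demonstration (hostname host1, addresses 10.0.0.5 and 10.0.0.9) and are not from a real host.

```sh
#!/bin/sh
# Constructed sample of /var/log/auth.log (not captured from a real system).
SAMPLE_AUTH='Feb  1 06:25:38 host1 sshd[3254]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Feb  1 06:26:01 host1 sshd[3260]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2
Feb  1 06:26:03 host1 sshd[3260]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Feb  1 06:30:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m bob
Feb  1 06:30:12 host1 useradd[3301]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
Feb  1 06:40:00 host1 sshd[3254]: pam_unix(sshd:session): session closed for user alice
Feb  1 06:41:00 host1 su[3350]: FAILED SU (to root) alice on pts/0'

classify() {
  # Read log lines on stdin; print "CATEGORY<tab>line" for each line that matches one of
  # the marker strings from the table (real syslog text is lowercase, so match that).
  while IFS= read -r line; do
    case $line in
      *"Accepted password"*|*"Accepted publickey"*|*"session opened"*) cat=SUCCESSFUL_LOGIN ;;
      *"Failed password"*|*"authentication failure"*)                  cat=FAILED_LOGIN ;;
      *"session closed"*)                                               cat=LOGOFF ;;
      *"password changed"*|*"new user"*|*"delete user"*)                cat=ACCOUNT_CHANGE ;;
      *"COMMAND="*|*"FAILED SU"*)                                       cat=SUDO_SU ;;
      *) continue ;;
    esac
    printf '%s\t%s\n' "$cat" "$line"
  done
}

count_category() {
  # Number of sample lines tagged with category $1.
  printf '%s\n' "$SAMPLE_AUTH" | classify | awk -F'\t' -v c="$1" '$1 == c' | wc -l | tr -d ' '
}

failed_login_sources() {
  # "address count" for every source of failed logins; many failures from one address
  # within a short window is the pattern to escalate.
  printf '%s\n' "$SAMPLE_AUTH" | classify | awk -F'\t' '$1 == "FAILED_LOGIN"' \
    | sed -n 's/.* from \([0-9.]*\) .*/\1/p' \
    | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }'
}

summary() {
  # Per-category counts in one pass, for the daily review.
  printf '%s\n' "$SAMPLE_AUTH" | classify | awk -F'\t' '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}
```

On a live host, "classify < /var/log/auth.log" (or /var/log/secure on Red Hat based systems) tags the real file; the timestamps still need the timezone check from the list above before events from several hosts are compared.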


System Log Viewer

• System Log Viewer enables users to view and monitor system logs

[Screenshot: System Log Viewer on Kali Linux displaying pam_unix(cron:session) entries from CRON in the system log; status bar reads "653 lines (69.8 kB) · last update: Mon Feb 1 04:39:01 2016"]

Most log files are in plain text format. You can view these log files using any text editor.
However, some log files are not readable in a human format when opening with a text editor.

The System Log Viewer is a graphical, menu-driven viewer that facilitates the viewing and
monitoring of the system logs. It comes with a few functions that can help you manage your
logs, including a log monitor and log statistics display. It allows you to view system log files in an
interactive, real-time application.

Log File Viewer is useful if you are new to system administration because it provides an easier,
more user-friendly display of your logs than a text display of the log file. It is also useful for
more experienced administrators, as it contains a monitor to enable you to continuously
monitor crucial logs.
Note: Log File Viewer is useful only to those who have access to the system log files, which
generally requires root access.

To view system logs in Kali Linux, go to Applications → System Tools → Log File Viewer

Source: https://help.gnome.org


Before Hardening Servers

• Identify the network service that the server is providing
• Identify the network service software installed
• Identify its users
• Determine the user privileges required
• Plan for server authentication and authorization
• Determine the access control strategies and measures for the server


Server hardening refers to the increased level of security applied so that servers can
operate in a more secure environment. Hardening a server involves applying all the general
system security measures together with server-specific security measures that depend on the
type of service it provides. Administrators should consider the following points before
hardening the servers:
1. Identify the network service that a server is providing.

2. Identify the network service software installed.


3. Identify its users.

4. Determine the user privileges required.

5. Plan for server authentication and authorization.


6. Determine the access control strategies and measures for the server.

Administrators use various methods and tools for hardening the server. Hardening involves
securing the key components of the IT architecture to reduce the risks of attack.

The three main components which require hardening are:


1. Operating System: The hardening of an operating system involves securing the system so
it is configured to limit the possibilities of internal and/or external attacks. The methods
for hardening may vary depending on the operating system used.

2. Network: Administrators can perform network hardening activities by using security
protocol standards. Administrators can customize and maintain the network policies as
per the organization's requirement. Administrators should regularly review the network
logs and audit them. Network devices which are not operational should be removed from
the network.
3. Applications: Every application and service installed on the network should undergo the
hardening process. This ensures that any loopholes which are present in the applications
and services are protected against attacks. A number of common operating system based
services are installed by default and need to be reviewed.


Hardening Web Server

• Place your web server isolated on a separate subnet, i.e. a DMZ

• Benefits of web server isolation:
  • If the web server is compromised, it cannot be used to compromise internal hosts
  • It provides a better way of monitoring network traffic and makes it easy to detect attacks
  • A separate firewall can be used to restrict and block unnecessary traffic on the web server

[Diagram: user on the Internet, DMZ containing the e-mail, DNS and web servers, internal network behind it]

Hardening Web Server (Cont'd)

• Place the supporting servers such as the directory (LDAP) server, database server, etc. on a protected network

[Diagram: user on the Internet, firewall, DMZ with e-mail, DNS and web servers, a second firewall in front of a protected subnet holding the SQL server, and the internal network]


Hardening Web Server (Cont'd)

Configure firewalls and routers to restrict traffic between:
• The external public network and your web server
• Your web server and the internal network

Configure firewalls and routers to restrict traffic between:
• Supporting servers, the external network, and the web server

Use appropriate access control for web server resources:
• Restrict access to your web server software
• Restrict access to the following resources on the web server:
  • Server log files
  • System software and configuration files
  • Application software and configuration files
  • Password files

Hardening Web Server (Cont'd)

Enable logging on the web server and regularly monitor and review it for any suspicious activity. Enable the following types of logging:
• Transfer logging
• Error logging
• Agent logging
• Referrer logging

Configure proper authentication and encryption mechanisms:
• Do not use address-based authentication
• Do not use HTTP basic authentication

Apply the latest patches and updates to the web server regularly


A web server follows a client-server architecture in which service requests are made over the
HTTP protocol. Proper authentication and firewall techniques enhance the security of sites that
do not require public or external access. Secure Sockets Layer ensures security for web based
transactions. Proper analysis of the web server logs helps confirm that the server is secure and
reveals any unusual behavior.

Any attempt to access suspicious web pages has the potential to compromise the security of the
web server. Administrators should ensure that web servers are updated with the latest patches.

Hardening of Web Servers can reduce


• Attacks into your own network

• Attacks into some other network

General Guidelines for Web Server Security


• Install servers securely

• Configure appropriate access controls

• Properly organize the web server software and web server host OS

• Secure all web server content

• Uphold the reliability of the web server

• Configure authentication and encryption

• Use file integrity checkers


• Enable logging

• Develop a Backup plan for the webserver

• Establish a secure network for a web server

Web Server Hardening Techniques


• Place the web server at an isolated location: Any external access to a web server that sits
on the internal network could give attackers access to the internal hosts and allow them to
capture and monitor the traffic between those hosts. Isolation also facilitates better
management of the servers to prevent attacks.

• Place the supporting servers on other isolated subnets: This allows only the permitted
traffic between the web server and that particular server. For example, only the SQL
protocol is permitted between a SQL server and the web server.
• Disable source routing and IP forwarding on the router: Enabling source routing and IP
forwarding can lead to man-in-the-middle attacks and IP spoofing on a web server.

• Place firewalls with the servers

• Firewall protects the traffic between:

• The servers


• The external network and the web server

• The internal network and the web server

• Use appropriate access control: Control access to the web server software.

• Access controls should be applied to:

• Server log files

• System configuration and software files

• Application software and configuration files

• Password files

• Recognize the level of protection required: Only authorized administrators can read or
write web server log files. Some temporary files are restricted and are stored in
subdirectories. Only the service that created the file has permission to access
those subdirectories and files.
• Enable logging: Proper logging of the web server files helps locate any irregular activity
on the server. The following types of logging help monitor web server activity:

• Transfer logging

• Error logging

• Agent logging

• Referrer logging

• Proper authentication and encryption mechanisms: Find methods to avoid the use of
address-based authentication and HTTP basic authentication.

• Keep a copy of the web site content on a secure host: Create strategies for transferring
web site content to a secure location as a backup. This also helps increase the security
mechanisms for this content.


Hardening Email Server: Recommendations

• Place the email server in a separate subnet and configure the firewall to restrict traffic to the email server
• Disable any unnecessary configuration options on the mail server software
• Apply the latest vendor-supplied updates and patches to the mail server software
• Activate mail relay prevention options
• Limit the number of connections to your mail server to avoid DoS attacks
• Configure reverse DNS lookup to block bogus senders
• Use DNS-based blacklist (DNSBL) servers to reduce the impact of unsolicited incoming email
• Activate Sender Policy Framework (SPF) to prevent spoofed sender addresses
• Use Spam URI Real-time Block Lists (SURBL) filters to protect against malware and phishing attacks
• Maintain local IP blacklists on the server to block spammers
• Maintain at least 2 MX records to deal with failover
• Enforce proper authentication and authorization of mail server users
• Ensure secure email communication using SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

An organization requires electronic mail (email) systems (email servers) for business or the simple
exchange of information between people. These email servers, if not configured properly, can
be compromised and used for malicious purposes.
An important part of hardening an e-mail server is to disable the unwanted
configuration options in the server software. An effective method to increase the security of the
server is to allow only authorized users access to the e-mail.

Email-server security guidelines


• Configure the mail relay settings properly to prevent attackers from using the mail server
as a gateway (open relay).

• Configure the SMTP authentication method. This requires users to authenticate to the SMTP
server with username and password credentials before sending an e-mail.

• Restrict the number of users that can access the SMTP server. This minimizes the chances
of any DoS attacks on the network.

• Enable DNS lookup to verify the existence of the sender's e-mail domain. This helps
restrict any mail from unknown senders.

• Enable the Sender Policy Framework in order to restrict spoofed sender addresses.

• Activate SURBL (Spam URI Real-time Block Lists) in order to identify any unwanted links
and messages in an e-mail.


• Keep track of the spammers who repeatedly send spam e-mails. This can limit unwanted
internet connections to the e-mail system.

• Require authentication for POP3 and IMAP mailbox access.
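The SPF guideline above is easier to reason about with a concrete evaluator. The following Python function is an added example, not code from the EC-Council courseware: it resolves SPF records from a constructed in-memory table instead of live DNS, handles only the ip4, ip6, include and all mechanisms, and every domain name and address in it is a constructed documentation value.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; documentation domains/addresses, not real records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}

MAX_LOOKUPS = 10                      # RFC 7208 caps DNS-lookup mechanisms per check at 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=SPF_RECORDS, _lookups=None):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for a
    connecting IP that claims to send mail for `domain`.

    Only ip4, ip6, include and all are modelled; a, mx, ptr, exists and
    redirect would need DNS and are reported as permerror in this example.
    """
    if _lookups is None:
        _lookups = [0]                # counter shared across include recursion
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"                 # no policy published: receiver cannot judge
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":             # catch-all; "-all" is what rejects spoofed senders
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"    # malformed record: a misconfiguration, not a pass
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]

        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"    # too many lookups (or an include loop)
            sub = check_spf(sender_ip, value, records, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"    # RFC 7208: including a missing record is an error
            # fail/softfail/neutral inside an include do not match; keep scanning

        else:
            return "permerror"        # mechanism not modelled in this example

    return "neutral"                  # record exhausted with no match and no "all"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "example.com"), ("192.0.2.7", "example.com"),
                    ("203.0.113.10", "example.com"), ("192.0.2.7", "loop.example")]:
        print(f"{ip:>14} for {dom:<14} -> {check_spf(ip, dom)}")
```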


Hardening FTP Servers: Recommendations

[Screenshots: Internet Information Services (IIS) Manager, FTP Authentication page (Anonymous Authentication and Basic Authentication status) and FTP Logging page, with the callout "Enable logging for your FTP site".]

Hardening FTP Servers: Recommendations (Cont'd)

[Screenshots: IIS Manager, Add Allow Restriction Rule dialog (allow access for a specific IP address, a range of IP addresses with mask, or a domain name), with the callout "Restrict Access by IP or domain name"; Add Allow Authorization Rule dialog (All users, All anonymous users, specified roles or user groups, or specified users, with Read and Write permissions), with the callout "Configure Access controls on authenticated FTP accounts with the help of ACLs".]


Hardening FTP Servers: Recommendations (Cont'd)

[Screenshots: IIS Manager, FTP Logon Attempt Restrictions page and FTP Request Filtering page, with callouts on restricting logon attempts and configuring filtering rules.]

Hardening FTP Servers: Recommendations (Cont'd)

[Screenshot: IIS Manager, FTP SSL Settings page (SSL Certificate: Not Selected; SSL Policy: Allow SSL connections, Require SSL connections, or Custom; Use 128-bit encryption for SSL connections), with the callout "Use SSL/FTPS for authenticated FTP accounts".]


Administrators should implement the following security measures while configuring the FTP
service:

• Disable anonymous (unidentified) FTP accounts: Installing FTP services automatically enables
anonymous access to FTP servers by any user. The users do not need any authentication
to use the account. Disabling this anonymous access will minimize unauthorized users
accessing the FTP server and placing illegal and dangerous files on your sites. This enables
only authorized users to access the FTP server.

• Enable logging for your FTP site: Keeping track of the FTP logs can help in identifying the
users accessing the site and the IP addresses they use. Logs provide a detailed description
of the status of the site and show whether there have been any attacks or threats.

• Configure access controls on authenticated FTP accounts with the help of ACLs: Access
control lists limit unauthorized access to the FTP directory using NTFS permissions.
However, do not grant the FTP directory to a group that contains everyone, as that would
override the restrictions intended for users who are limited to FTP access.

• Restrict access by IP or domain name: Limiting FTP access to only a certain set of
addresses or users reduces attacks from unauthorized users.

• Restrict logon attempts and time: Users access the FTP site within a specified logon time.
FTP denies permission to any user attempting to access the FTP site after the logon time
has expired. With this restriction, only those users who are authorized for a specific time
period can access the site.

• Configure filtering rules for your FTP service: The filtering rules are checked for each FTP
request. If the request matches an allow rule it is permitted; if it does not match any
filtering rule, it is declined.

• Use SSL / FTPS for authenticated FTP accounts: This refers to the SSL settings of the
FTP service. Requiring SSL increases the security of the FTP service, as only authenticated
users gain access and their credentials are not sent in clear text.


Hardening Routers: Recommendations

• Change the default password
• Disable IP directed broadcasts
• Disable HTTP configuration, if possible
• Block ICMP ping requests
• Disable IP source routing
• Determine your packet filtering needs
• Establish ingress and egress address filtering policies
• Review your router's logs
• Maintain physical security of the router

The following are recommended best practices for enhancing the security of a router:

• Change the default password: Most users do not change the default password of the
router after installation. This is the same as giving attackers a key so they can
easily log in to your router.

• Deactivate IP directed broadcasts: Enabling IP directed broadcasts allows attackers to
send ICMP ECHO requests to another network's broadcast address using a spoofed source
address. Every host on the broadcast network responds to the ECHO request, thereby affecting
the working of all hosts in the network.

• Deactivate the HTTP configuration interface: Enabling HTTP management on routers sends
configuration traffic, including credentials, in clear text.

• Restrict ICMP ping requests: Accepting PING requests enables attackers to discover the
active hosts and thereby scan the network without the owner's knowledge.

• Disable IP source routing: Enabling this routing feature allows attackers to identify the
path taken by the packet. This gives them the ability to sniff packets from the network.

• Identify the need for packet filtering: Filtering of packets depends on the needs of the
organization. The filtering mechanism determines whether to permit or block traffic.

• Create ingress and egress address filtering policies: Creating policies for verifying the
inbound and outbound traffic based on the IP address increases the security of the router.


• Physical security of the router: It is mandatory to maintain the physical security of the router,
as inappropriate placement of routers allows attackers to sniff traffic and gain direct access to
the appliance.

• Review the security logs: Appropriate review of the security logs will provide detailed
information regarding what attacks, if any, have been launched against the router. It also
provides a detailed description of the router's state. Reviewing the router's logs also gives an
overall idea of the status of the network.

In addition to the above recommendations, implement the following best practices to harden
your router security:

• Disable unnecessary router interfaces.

• Disable unnecessary services.

• Disable unnecessary management protocols.

• Disable ARP and proxy ARP.
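The ingress/egress address filtering and directed-broadcast recommendations above can be expressed as a small per-interface policy. The following Python filter is an added example, not part of the courseware or of any router vendor's software; its internal subnets, bogon list and sample packets are constructed, and it also covers bogon source addresses, which the text only implies.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal subnets behind the router (RFC 1918 space used as sample data).
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]

# Source blocks that must never arrive from the Internet (a constructed subset of "bogons").
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str   # "external" = arrives on the ISP link, "internal" = arrives from the LAN


def _in_any(ip, nets):
    return any(ip in net for net in nets)


def filter_packet(pkt):
    """Return (action, reason) for one packet under the ingress/egress policy.

    Ingress (external interface): drop spoofed internal sources, bogon sources and
    directed broadcasts aimed at an internal subnet.
    Egress (internal interface): drop anything whose source is not one of our own
    subnets, so this site cannot originate spoofed traffic.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "external":
        if _in_any(src, INTERNAL_SUBNETS):
            return "drop", "ingress: source claims to be internal but arrived from outside"
        if _in_any(src, BOGON_SOURCES):
            return "drop", "ingress: bogon/unroutable source address"
        if any(dst == net.broadcast_address for net in INTERNAL_SUBNETS):
            return "drop", "ingress: IP directed broadcast to an internal subnet"
        return "permit", "ingress: routable external source"

    if pkt.iface == "internal":
        if not _in_any(src, INTERNAL_SUBNETS):
            return "drop", "egress: source is not one of our subnets (possible spoofing)"
        return "permit", "egress: source belongs to this site"

    return "drop", f"unknown interface {pkt.iface!r}"


def apply_policy(packets):
    """Evaluate a batch of packets; returns a list of (packet, action, reason)."""
    return [(p, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic; external addresses come from the RFC 5737 documentation ranges.
    sample = [
        Packet("203.0.113.5", "192.168.1.10", "external"),    # normal inbound
        Packet("192.168.1.50", "192.168.1.10", "external"),   # spoofed internal source
        Packet("203.0.113.5", "192.168.1.255", "external"),   # directed broadcast
        Packet("127.0.0.1", "192.168.2.7", "external"),       # bogon source
        Packet("192.168.2.7", "198.51.100.9", "internal"),    # normal outbound
        Packet("10.9.9.9", "198.51.100.9", "internal"),       # outbound with foreign source
    ]
    for pkt, action, reason in apply_policy(sample):
        print(f"{action:6} {pkt.src:>14} -> {pkt.dst:<14} on {pkt.iface:8} ({reason})")
```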


Configure switch security at various levels:

• Operating System
• Passwords Management
• Network Services
• Port Security
• System Availability
• VLANs
• Spanning Tree Protocol
• Access Control Lists
• Logging and Debugging
• Authentication, Authorization and Accounting (AAA)

Recommendations:

• Configure proper passwords for the switch's console and CLI access methods
• Enable necessary network services such as SSH (secure shell)
• Set a strong password for SSH
• Disable unnecessary network services such as Telnet
• Configure port security to control access based on MAC address
• Disable auto-trunking on ports
• Enable Spanning Tree Protocol (STP) root guard and STP BPDU guard
• Ensure physical security of switches

The best way to ensure switch security is by using port-level security. Port-level security limits
the number of MAC addresses connected to a port. The three different methods of
binding MAC addresses to a port are as follows:
• Statically: Allows only a single, configured MAC address to be connected to a port.
• Dynamically: MAC addresses are learned as they appear and held in the content-addressable
memory (CAM) table; this is the default.
• Sticky: A learned MAC address is bound to a specific port. This MAC address is lost on reboot
if the configuration is not saved.
Additional switch security best practices:
• Create a strong password.
• Create time-out sessions and user access rights.
• Disable auto-trunking on ports and activate port security for MAC addresses in order to
control access.
• Deactivate all ports that are not in use and assign them an unused VLAN number.
• Control the number of VLANs that can pass over a trunk.
• Maximize the use of access control lists.
• Review all security logs of the switch.
• Implement AAA for local and remote access to the switch.
• Keep the switch configuration file offline and control access to it.


• Syslog is a data logging service which enables network devices such as routers, switches, firewalls, printers, web servers, etc. to send and store logging of events and information on a logging server
• The logging server is a dedicated server called the Syslog Server, and the events sent are called Syslog Messages
• Syslog stores consolidated logs from multiple devices in a single location

Components of Syslog:

• Syslog listener
• Database
• Management and filtering software

[Diagram: network devices send Syslog Messages to the Syslog Server; the administrator checks the Syslog Messages for troubleshooting or monitoring.]

http://www.networkmanagementsoftware.com

Syslog enables network devices to record event messages to a logging server, the syslog
server. It is possible to log many kinds of events, and the syslog protocol can handle many different
devices. Normally, Windows-based servers do not support syslog natively, but there are many third-
party tools available that can gather the Windows server log information and then
forward it to the syslog server.
Syslog is the standard for message logging. It uses a facility code that indicates the type of software
that generated the message and also assigns a severity label to each message. Syslog is used
in system management, security auditing and debugging. Many types of
devices such as printers, routers, etc. use the syslog standard, which enables a centralized method
of logging data from different devices.

There are several components of a syslog server:

• Syslog Listener: The syslog server gathers information sent over the network; the syslog
listener receives all messages sent over UDP port 514.
• Database: Syslog servers create a database in order to store log data from large networks.

• Management and Filtering Software: The management and filtering software helps filter
data from the database. At times, network administrators find it difficult to locate the log
details in the database. This software enables administrators
to filter out the required data.


• Syslog Messages: Syslog messages include information such as the IP address, the
timestamp and the actual log message. Syslog uses a field called the facility that
identifies the source of the message on a machine. The syslog message also has a severity
level field that determines its severity. A severity level of '0' signifies that the
message is an emergency. A severity level of '1' signifies that the message needs
immediate action, and higher severity values denote progressively less urgent messages.

Limitations of the Syslog server:

• The syslog protocol does not define any specific format for
messages, which causes issues concerning the consistency of the messages.

• Syslog uses UDP as the transport protocol for messages. As UDP is connectionless,
syslog may lose packets.

• There is no method for authenticating syslog messages; any machine that can reach the server
can send fake log events.
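The facility and severity fields described above are packed into the PRI prefix of a BSD-style syslog line and can be decoded directly. The following Python decoder is an added example, not part of the courseware or of any syslog product; the sample log lines are constructed, and it flags the severity 0 and 1 messages the text says need immediate action.

```python
import re

# Facility names follow the BSD syslog / RFC 5424 numbering (0-23).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_syslog(line):
    """Split a BSD-style syslog line into its facility, severity and body.

    PRI = facility * 8 + severity, so facility = PRI // 8 and severity = PRI % 8.
    Returns None for a line without a valid <PRI> prefix.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "body": m.group(2).strip(),
    }


def needs_immediate_action(line):
    """True for severity 0 (emergency) and 1 (alert), the levels the text singles out."""
    msg = decode_syslog(line)
    return msg is not None and msg["severity"] <= 1


def triage(lines):
    """Return (urgent_messages, malformed_count) for a batch of received lines.

    Syslog over UDP is unauthenticated, so a malformed or unexpected line is worth
    counting rather than silently dropping: it may be noise, or injected events.
    """
    urgent, malformed = [], 0
    for line in lines:
        msg = decode_syslog(line)
        if msg is None:
            malformed += 1
        elif msg["severity"] <= 1:
            urgent.append(msg)
    return urgent, malformed


# Constructed sample lines, not captured from a real device.
SAMPLE_LINES = [
    "<0>Jan  5 10:02:11 core-rtr kernel: power supply 1 failed",
    "<34>Jan  5 10:02:12 fw1 su: 'su root' failed for bob on /dev/pts/2",
    "<13>Jan  5 10:02:13 web1 app: request served in 12ms",
    "<165>Jan  5 10:02:14 sw1 stp: root guard triggered on Gi0/3",
    "<9>Jan  5 10:02:15 db1 backup: volume unreachable, backup aborted",
    "plain text with no PRI header",
    "<999>Jan  5 10:02:16 bogus: out-of-range PRI",
]

if __name__ == "__main__":
    urgent, malformed = triage(SAMPLE_LINES)
    for msg in urgent:
        print(f"[{msg['facility']}.{msg['severity_name']}] {msg['body']}")
    print(f"{len(urgent)} urgent, {malformed} malformed")
```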


Syslog Servers: Kiwi Syslog Server, Splunk, GFI EventsManager

[Diagram: applications, workstations, routers, firewalls and IDS/IPS forwarding their logs to the syslog server.]

http://www.gfi.com, https://www.splunk.com, http://www.solarwinds.com

GFI EventsManager

Source: http://www.gfi.com
GFI EventsManager performs network-wide log monitoring, analysis, management and
archiving.

Features:

• Manage event log data for system reliability, security, availability and compliance.

• Log data analysis for SIEM.

• Log data consolidation for compliance.

• Complete IT infrastructure monitoring and management.

GFI EventsManager is designed to act as a Syslog server and receive Syslog events from various
devices including the Cisco PIX firewall. In order to use GFI EventsManager as a Syslog server, you
must configure the Cisco PIX firewall and similar devices to send Syslog messages directly to the
machine that is running GFI EventsManager.


[Screenshot: Syslog Server Properties dialog, General tab: "Configure the in-build Syslog server options. To receive messages from Syslog clients, enable the LogMonitor Syslog server and specify the port on which the server will run." The option "Enable in-build Syslog server on port: 514" is checked. To configure receiving of Syslog events: 1. Configure Syslog clients to send messages to this server on the specified port; 2. Specify the client name/IP addresses in a computer group which is configured to accept Syslog messages.]

FIGURE 6.29: Enabling Syslog server port

By default, GFI EventsManager will listen for Syslog messages on port 514, therefore you must
make sure that this port is not being used by other applications. The port on which GFI
EventsManager listens for Syslog messages is configurable through the management console.


[Screenshot: computer group properties dialog, Syslog tab: "Specify if this computer group can send Syslog messages to EventsManager. Syslog messages can be received from any computer or device configured to send Syslog messages to EventsManager." The option "Accept Syslog messages from this computer group" is checked; post message processing offers "Archive only" or "Process using these rule sets". Note: "The EventsManager Syslog server runs by default on port 514."]

FIGURE 6.30: Enabling Syslog server to listen for messages

To enable GFI EventsManager to collect Syslog events you need to:

1. Bring up the (computer/computer group) properties dialog


2. Click on the Syslog tab

3. To enable the syslog server and listen for messages sent by the computers in a computer
group, select the option 'the computers specified in this group will send Syslog events'

Kiwi Syslog Server

Source: http://www.solarwinds.com
Kiwi Syslog® Server is a syslog server for IT administrators and network teams. Kiwi Syslog
Server receives, displays, alerts on, and forwards syslog, SNMP trap, and Windows event
log messages from routers, switches, firewalls, Linux and UNIX hosts, and Windows machines.

Kiwi Syslog Server also includes log archive management features that allow you to maintain
compliance by securing, compressing, moving, and purging logs exactly as specified in your log
retention policy.

Splunk Enterprise
Source: http://www.splunk.com
Splunk Enterprise is used to collect, analyze and act upon the untapped value of the big data
generated by your technology infrastructure, security systems and business applications,
giving you the insights to drive operational performance and business results. It collects and


indexes data regardless of format or location: logs, clickstreams, sensors, streaming network traffic,
web servers, custom applications, hypervisors, social media, and cloud services.


• Host security can be compromised through security vulnerabilities of the installed software
• All the applications should have gone through a security hardening process so that there are no weak links in the security defenses
• Perform blacklisting and whitelisting on applications
• Keep those applications blacklisted which can pose huge threats to the users or systems and never install them on your systems
• Install or allow only whitelisted applications to be installed on your hosts

Application Security (Cont'd)

Consider the following areas of applications to ensure their security:

• Application development security:
• Ensure software or applications purchased follow standard security practices
• Ensure that the application is developed using standard secure coding practices and principles
• Ensure a secure code review is performed on applications being installed
• Ensure the application is developed based on standard application configuration baselines, for example input validation, error handling, etc.

• Application Configuration:
• Do not allow the application to create and modify executable files
• Do not allow the application to access, create, and modify OS resources unnecessarily
• Do not allow the application to spawn into various processes

• Application Patch management:
• Regularly update your application with the latest updates, patches and versions for security implications


Application Security - Recommendations

• Assess the security features of software before purchasing any software
• Use centralized management of critical software
• Monitor software use
• Ensure only authorized personnel can install software on the system
• Train staff on software use and security policies

Application security plays an important role in host security. An outdated or insecure
application installed on a system will pose a serious security threat and affect network security
as a result. Administrators should ensure the security of an application before installing it on
the system. Applications should be installed using the installation guide provided by the vendor.
Administrators should change the default password of an application, if one is set, and
then change the password at regular intervals. Administrators should not download and install
applications from untrusted sources or third-party sites. Installing applications such as these
only adds risk to host security. Untrusted sources may hide malware inside these applications
to compromise your system. Administrators should ensure that applications are using strong
encryption algorithms when handling an organization's data, both at rest and in transit.
Monitor vendor sites for new updates and patches for your applications. Organizations need to
continuously monitor their applications for vulnerabilities, to reduce the amount of potential
risk and to maintain the security of the application. Strategies will differ between organizations,
but the main concern is still the same: secure the applications on the network.
The following points must be considered when securing applications on a system:

• Sensitive organizational information.

• Users accessing applications and the access permissions provided to each user.

• Existing application vulnerabilities.

• Application risk factors and the corresponding countermeasures.


• Data security ensures protection of data from unauthorized access or corruption
• Identify the critical business data of the organization
• Use different data encryption utilities to secure your data at rest
• Use a TLS/SSL encrypted tunnel to secure your data in motion
• Use different Data Loss Prevention (DLP) solutions to secure your data while in use, in motion, and at rest

Data Loss Vectors

• Data-in-Motion: Web, Chat, Network
• Data-at-Rest: File Sharing, Database, Desktop
• Data-in-Use: Removable Devices, CD, Printer

Data security is the main concern for many organizations, irrespective of their size. Data
security ensures protective measures are applied to computers, databases and websites. A few
examples of data security are hardware/software encryption, data backup and data masking.
Organizations should ensure various levels of business data security.

Data Security at Rest

Data at rest refers to inactive data stored in digital form at a physical location. It includes
archived or reference data which never changes. Data at rest does not include data moving
through the network.

Data-at-rest encryption protects the stored data using encryption. The process of encryption
preserves and/or protects the data stored in a particular location. Organizations can completely
depend on an encryption process for their data security. The process of encryption applies to
both structured and unstructured data. Network administrators need to constantly check the
encryption mechanisms used for protecting data. The encryption of data at rest includes
encryption methods such as AES and RSA. The data needs to remain encrypted so that it stays
protected even if access controls fail. Keep the encryption keys at a separate location and make
sure the keys are updated regularly. Data federation is another method used for protecting data
at rest from unauthorized access.


Data Security in Transit

Data in transit traverses the network, and this gives attackers additional opportunities to access
the data. Organizations can protect their confidential data using two types of encryption
mechanisms: SSL and TLS. SSH replaces TELNET and SFTP replaces FTP. Any protocol using
SSL/TLS uses certificates to exchange public keys and public keys to exchange private keys.
Similarly, a session key uses asymmetric encryption and a certificate for exchange. Symmetric
encryption uses the same session key for secure, fast encryption and decryption.
Network traffic authentication requires encryption for data in transit. Encryption is not a
mandatory mechanism for a public-facing website. However, encryption can play a role if the
organization wants users to log on before accessing its web pages. This protects the privacy
and data of the user.

Data Loss Prevention (DLP)

To confirm users do not send or use sensitive data outside the organization, enable DLP. DLP
controls what data users can send through the network. DLP uses different rules to classify
what data is critical and sensitive in an organization.


What is Data Loss Prevention (DLP)

• DLP is a strategy used by organizations to:
• Discover sources of data leaks
• Monitor those data leakage sources
• Protect organization assets and resources
• Prevent accidental disclosure of information to unintended parties
• Manage resources with business rules, security policies, and software

[Diagram: an employee on the enterprise network sends various emails; a DLP agent on the host and a DLP server inspect them and either block or encrypt the messages before they reach web mail, supplier networks, or partner networks.]

Data loss prevention (DLP) does not allow users to send confidential corporate data outside the
organization. The term is used to describe software products that help a network administrator
control what data end users can transfer. DLP rules block the transfer of any confidential
information across external networks. This controls any unauthorized access to company
information and prevents anyone from sending malicious programs to the organization.
Implement DLP software according to the organizational rules set by management. This
prevents accidental/malicious data leaks and loss. If an employee tries to forward or even
upload company data to cloud storage or even to a blog, the action will be denied by the
system.

A DLP policy is adopted by management when internal threats to a company are detected. Data
loss prevention is a policy to ensure that none of its employees send sensitive information
outside the organization. New emerging DLP tools not only prevent the loss of data, but also
monitor and control irregular activities from occurring on the system.

There are DLP products available that help administrators determine what data users transfer.
DLP products are also known as data leak prevention, information loss prevention or extrusion
prevention products.
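The rule-based classification that DLP products perform on outbound mail can be sketched in code. The following Python classifier is an added example, not any vendor's product and not from the courseware; its mail domains, confidentiality markers and policy (block card numbers leaving the organization, encrypt confidential content to approved partner networks, block it to anyone else) are constructed to mirror the block/encrypt decisions in the diagram above.

```python
import re

# Constructed rule set and domains; a real DLP product carries far richer classifiers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # candidate card numbers with optional separators
CONFIDENTIAL_MARKERS = ("internal use only", "confidential")
INTERNAL_DOMAIN = "corp.example"                      # the organization's own mail domain (constructed)
PARTNER_DOMAINS = {"partner.example", "supplier.example"}  # may receive confidential mail, encrypted


def luhn_ok(digits):
    """Luhn mod-10 check, so that arbitrary digit runs are not flagged as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid 13-19 digit numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(message):
    """Decide what the DLP server does with one outbound email.

    message is a dict with "from", "to" and "body". Policy (constructed):
      card numbers leaving the organization               -> block
      confidential markers to an approved partner domain  -> encrypt
      confidential markers to any other external domain   -> block
      anything else                                       -> allow
    Returns (action, reason).
    """
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    if recipient_domain == INTERNAL_DOMAIN:
        return "allow", "internal recipient"
    body = message["body"]
    cards = find_card_numbers(body)
    if cards:
        return "block", f"{len(cards)} card number(s) bound for {recipient_domain}"
    if any(marker in body.lower() for marker in CONFIDENTIAL_MARKERS):
        if recipient_domain in PARTNER_DOMAINS:
            return "encrypt", f"confidential content to approved partner {recipient_domain}"
        return "block", f"confidential content to unapproved domain {recipient_domain}"
    return "allow", "no sensitive content detected"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known test card number.
    samples = [
        {"from": "alice@corp.example", "to": "orders@supplier.example",
         "body": "Please charge card 4111 1111 1111 1111 for PO 77."},
        {"from": "alice@corp.example", "to": "pm@partner.example",
         "body": "Internal Use Only: Q3 roadmap attached."},
        {"from": "alice@corp.example", "to": "me@webmail.example",
         "body": "CONFIDENTIAL merger terms, see below."},
        {"from": "alice@corp.example", "to": "bob@corp.example",
         "body": "Lunch at 12?"},
    ]
    for msg in samples:
        action, reason = classify(msg)
        print(f"{action:8} -> {msg['to']:<24} ({reason})")
```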


Data Loss Prevention Best Practices

1. Create awareness about the risks and losses associated with data leaks
2. Provide training to employees on the security policies for handling data
3. Restrict employees from sharing sensitive information on social networking sites
4. Identify any loopholes in your network and patch at regular intervals
5. Use a high quality router to prevent security threats
6. Before disposing of trash, shred documents first
7. Use strong passwords and phrases to protect confidential data
8. Secure computers and hard drives with protective measures at entry and exit points
9. Monitor employees and their systems for any illegal activities or security policy infractions
10. Security must be the top concern in all business operations

Data loss prevention best practices are:

• Identify the business need for implementing a DLP solution in the organization.
• Ensure the DLP solution supports the data formats in use.
• Determine the type of DLP required (network, endpoint, or discovery of data at rest) based on the type of data protection needed.
• Pay close attention while deploying DLP, as a small mistake in the implementation (an overly narrow pattern, an egress channel left uninspected) leaves data unprotected.
• Tune the DLP policy so that false positives stay manageable; a solution that blocks legitimate business traffic is quickly bypassed or switched to monitor-only mode.
• Update risk profiles regularly and ensure every DLP incident is documented.
• Provide security policy training to employees.
• Restrict employees from sharing sensitive information on social networking sites.
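As an added example that is not part of the courseware or of any vendor's product, the following Python script shows how a content-inspection DLP policy decides whether an outbound message may leave the organization. The internal domain, the sample messages and the pattern set are assumptions constructed for the example. The Luhn validation on candidate card numbers is the part that keeps look-alike numbers from generating false positives, which is the tuning problem mentioned in the practices above.

```python
"""Content-inspection DLP policy engine (added example; not from the courseware).

Scans an outbound message for patterns that indicate sensitive data and
returns allow / alert / block. The Luhn check on candidate card numbers is
what keeps a 16-digit order number from being flagged, which is how an engine
keeps false positives down instead of blocking legitimate traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumption for the example: mail to these domains stays inside the company.
INTERNAL_DOMAINS = {"corp.example"}

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits. Every hit is still validated with Luhn before it counts.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
# Classification labels that should not leave the organization unreviewed.
KEYWORDS = ("confidential", "internal use only", "do not distribute")


@dataclass(frozen=True)
class Finding:
    kind: str    # "card", "ssn" or "keyword"
    match: str   # masked evidence, safe to write to the incident log


@dataclass
class Decision:
    action: str  # "allow", "alert" or "block"
    findings: list[Finding] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def is_external(recipient: str) -> bool:
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def scan(text: str) -> list[Finding]:
    """Return every sensitive-data indicator found in the text."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                       # drops look-alike numbers
            findings.append(Finding("card", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:]))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    return findings


def evaluate(text: str, recipient: str) -> Decision:
    """Apply the policy: regulated identifiers never leave; labelled data is reviewed."""
    findings = scan(text)
    if not findings or not is_external(recipient):
        return Decision("allow", findings)       # internal traffic: log only
    if any(f.kind in ("card", "ssn") for f in findings):
        return Decision("block", findings)
    return Decision("alert", findings)           # deliver, but raise an incident


if __name__ == "__main__":
    # Constructed sample messages, not real data.
    samples = [
        ("Please charge card 4111 1111 1111 1111 for order 88.", "partner@vendor.example"),
        ("Order ref 4111111111111112 shipped today.", "partner@vendor.example"),
        ("Attached deck is INTERNAL USE ONLY.", "partner@vendor.example"),
        ("Please charge card 4111 1111 1111 1111 for order 88.", "alice@corp.example"),
    ]
    for body, to in samples:
        d = evaluate(body, to)
        print(f"{d.action:5} -> {to}: {[(f.kind, f.match) for f in d.findings]}")
```

Commercial products add document fingerprinting, OCR for images and inspection inside archives, but the policy structure is the same: find indicators, classify them, decide per destination, and log only masked evidence so the incident record does not itself become a leak.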


DLP products include:

• Symantec: http://www.symantec.com
• McAfee: http://www.mcafee.com
• Websense: http://www.websense.com
• Palisade Systems: http://palisadesystems.com
• Trustwave: https://www.trustwave.com
• Digital Guardian DLP: http://www.digitalguardian.com
• BlueCoat: https://www.bluecoat.com
• PixAlert: http://www.dev.pixalert.com
• Code Green Networks' TrueDLP: https://www.codegreennetworks.com
• Safend: http://www.wave.com

Symantec

Source: https://www.symantec.com

Symantec DLP tracks and secures confidential data wherever it lives: in the cloud, on premises, or on mobile devices. It keeps data safe on Windows and Mac endpoints by performing local scanning and real-time monitoring. It monitors confidential data being downloaded, copied, or transmitted to or from laptops and desktops, through email or cloud storage. A single web-based console is used to define data loss policies, review and remediate incidents, and perform system administration across endpoints, mobile devices, cloud-based services, and on-premises network and storage systems.

Websense

Source: http://www.websense.com

Websense Data Security Suite contains three modules: Data Security Gateway, Data Discover, and Data Endpoint. It provides a single web-based interface for management and reporting of Websense web, email, and data security solutions.

Trustwave

Source: https://www.trustwave.com

Trustwave Data Loss Prevention helps enterprises discover, monitor, and secure data at rest, in motion, and in use to prevent exfiltration and ensure regulatory compliance. It analyzes all web-based communication and attachments, including email, instant messaging, P2P file sharing, blogs, social media, FTP, and Telnet, for violations of an organization's governance, compliance, and acceptable-use policies, and automatically blocks HTTP, HTTPS, and FTP traffic that violates those policies. It can also investigate data at rest to find and protect sensitive information in stored data. Discovering where sensitive data resides lets security teams focus on specific users and systems and then implement the measures needed to meet compliance requirements.

BlueCoat

Source: https://www.bluecoat.com

Blue Coat Data Loss Prevention (DLP) enables you to detect and block potential data leaks
quickly and accurately, all while achieving industry and regulatory compliance. With Blue Coat
DLP, you can leverage powerful discovery capabilities to prevent sensitive, unsecured data
from traveling across the network and winding up in the wrong hands.

Code Green Network's TrueDLP

Source: https://www.codegreennetworks.com

Code Green Networks' TrueDLP™ solution is comprised of Network DLP, Discovery DLP and
Cloud DLP, and locates sensitive data resting on databases and network servers, including data
in the cloud.

McAfee

Source: http://www.mcafee.com
McAfee Total Protection for Data Loss Prevention (DLP) safeguards intellectual property and
ensures compliance by protecting sensitive data wherever it lives on premises, in the cloud, or
at the endpoints. McAfee Total Protection for DLP is delivered through physical or virtual low-
maintenance appliances and the McAfee ePolicy Orchestrator platform for streamlined
deployment, management, updates, and reports.
Palisade Systems

Source: http://palisadesystems.com

Palisade DLP provides a simple, all-in-one, cost-effective approach to data loss prevention (DLP), which enables organizations to:

• Monitor: Palisade monitors all traffic and data leaving the network, making you aware of what is happening with your most critical data.
• Analyze: Palisade inspects and analyzes documents for protected/confidential data to discover where sensitive data resides, whether in use, in motion, or at rest.
• Prevent: Palisade prevents data loss using DLP enforcement, protocol management, and web filtering, enforcing data protection policies to ensure secure treatment of data and adherence to company protocols.


Digital Guardian DLP

Source: https://digitalguardian.com

Digital Guardian DLP provides visibility and audit reporting of potentially unsecured data. It uses patent-pending Database Record Matching™ detection to locate and identify sensitive data at rest on endpoints and servers across networks and cloud storage. Automatic, configurable scanning of local and network shares using discovery-specific inspection policies ensures sensitive content is discovered wherever it is located. Detailed audit logging and reports provide the information needed to demonstrate compliance, protect confidential information, and reduce data loss risk.

PixAlert

Source: http://www.dev.pixalert.com

PixAlert's data leakage prevention (DLP) programs secure critical and sensitive data by discovering and identifying data at rest that needs to be protected. It helps organizations discover and manage where critical data is located, monitoring and protecting networks and employees against dissemination and leakage of unsecured data.

Safend

Source: https://www.wave.com

The Wave Data Protection Suite goes wherever your devices go, on or off your network, online or offline, which means it protects your data from the full range of modern risks: device theft, email, flash drives, portable hot spots, hardware key loggers, and so on.


The following terms are used in the virtualization discussion that follows:

• Host Operating System: the operating system installed on the physical host machine and its components
• Guest Operating System: the operating system installed on a virtual machine
• Hypervisor or Virtual Machine Manager (VMM): an application or firmware that allows multiple guest operating systems to share a host's hardware resources
• Execution Environments: the logical environment (hardware/software) that enables execution of program code/software
• Service Levels: the level of service offered by the cloud provider to a customer, often part of SLAs, where a formally defined contract is signed for the offered services

• Host Operating System: the OS installed directly on the computer hardware, with direct access to the hardware resources it needs for computation: processor, memory, storage media, and so on.
• Guest Operating System: an operating system installed in a virtual machine on top of a host. It depends on the host, through the hypervisor, for computation and resource allocation.
• Hypervisor or Virtual Machine Manager (VMM): an application or firmware that allows multiple guest operating systems to share a host's hardware resources. It acts as middleware that lets the user install a virtual operating system, the 'Guest OS', on the 'Host OS'.
• Execution Environments: the logical environment (software/hardware) that enables execution of program code. The JVM (Java Virtual Machine), which acts as the execution environment for Java programs, is a good example.
• Service Levels: the measurable levels of service (for example, availability or response time) that the cloud provider commits to deliver. They are recorded in the service-level agreement (SLA), a signed contract between the cloud provider and the cloud customer that lists the services offered and the terms and conditions between the two parties.


Virtualization refers to creating a virtual version of hardware or software resources in a system.

[Slide figure: "Before Virtualization" shows applications and a single operating system on top of the x86 architecture (CPU, memory, NIC, disk). "After Virtualization" shows several operating systems, each with its own applications, on top of a VMware virtualization layer that sits on the same x86 hardware.]

Before virtualization, a hardware platform (host machine) is used to run a single OS and its applications. After virtualization, the same hardware platform is used to run multiple operating systems and their applications.

Virtualization abstracts computing, storage, and networking hardware: it separates the services or requests from the physical processes that satisfy them. This lets IT managers pool resources across the enterprise and manage them centrally.

1. Before Virtualization: The hardware infrastructure (host machine) runs a single operating system with all its applications.

[Figure: Applications / Operating System / x86 Architecture (CPU, Memory, NIC, Disk)]

FIGURE 6.29: Before Virtualization


In the figure above, a single instance of an operating system with a set of applications fully occupies the given x86 hardware. The 'Host OS' interacts directly with the hardware to request system resources.

2. After Virtualization: A hardware platform (host machine) is used to run multiple virtual operating systems and their applications.

[Figure: two stacks of Applications / Operating System above a VMware Virtualization Layer, which sits on the x86 Architecture (CPU, Memory, Disk)]

FIGURE 6.30: After Virtualization

In the figure above, the virtualization layer acts as middleware between the installed operating systems and the computer hardware. It logically partitions the hardware resources based on the requests received from the host and the guest operating systems. The host OS interacts directly with the computer hardware, but the guest OS interacts through the virtualization layer. The different virtualization techniques are:

1. Full Virtualization: The guest OS is not aware that it is running in a virtualized environment and issues the same instructions it would on bare metal. Privileged instructions are trapped by the Virtual Machine Manager (VMM), which uses binary translation to rewrite them into safe instruction sequences and executes them on the hardware on the guest's behalf. Resources are allocated to the guest OS through the VMM.

2. OS-assisted Virtualization or Paravirtualization: The guest OS is modified so that it knows it is running in a virtual environment. Instead of issuing privileged instructions that must be trapped, it makes explicit calls (hypercalls) to the VMM to request resources, so no binary translation is needed and the overhead is lower. The trade-off is that the guest kernel must be ported to the hypervisor's interface.

3. Hardware-assisted Virtualization: Modern processors (Intel VT-x, AMD-V) include instructions that aid virtualization. The guest OS runs unmodified at its normal privilege level, and sensitive instructions cause the processor to exit to the VMM automatically, so neither binary translation nor a ported guest kernel is required.

4. Hybrid Virtualization: The guest OS uses paravirtualized drivers for performance-critical paths such as disk and network I/O, while relying on the VMM (with binary translation or hardware assistance) for everything else.


While designing a virtual environment, the levels at which virtualization is applied are:

• Storage Device Virtualization: virtualization applied to storage devices, such as data striping and data mirroring. RAID is a good example of storage virtualization.
• File System Virtualization: virtualization of the data itself for sharing and protection within the software at this level. Virtualized data pools manipulate files and data on user demand.
• Server Virtualization: server-level virtualization lets management partition or virtualize the server's operating system environment. Logical partitioning of the server's hard drive is part of server virtualization.
• Fabric Virtualization: this level makes virtual devices independent of the physical computer hardware. It creates a large pool of storage areas for the different virtual machines running on the hardware, using Storage Area Network (SAN) technology.


Characteristics of Virtualization

• Partitioning: ability to run multiple operating systems and applications on a single physical system by virtual partitioning of the hardware resources
• Isolation: each virtual machine is isolated from its host physical system and from other virtual machines
• Encapsulation: a virtual machine is represented as a single file that can be easily identified based on its services; encapsulation protects a virtual machine from interference from other virtual machines

Virtualization has the following characteristics:

• Partitioning: the ability to run multiple operating system instances with their applications on a single physical system by virtually partitioning the hardware resources, which are then allocated to handle host and guest requests.
• Isolation: each virtual machine is isolated from its host physical system and from other virtual machines. This prevents the effects of actions performed in one virtual machine (a crash, a malware infection) from reaching the others, as long as the hypervisor itself is not compromised.
• Encapsulation: a virtual machine's entire state (configuration, virtual disks, memory snapshots) is packaged as a small set of files, so it can be identified by the services it runs and copied or moved as a unit. Encapsulation also keeps one virtual machine's files separate from another's, which protects it from interference by other virtual machines.


Benefits of Virtualization

• Resource Efficiency: increases hardware utilization and thus increases Return on Investment (ROI)
• Increase in Uptime: availability of redundant system resources and interconnections on a single physical system
• Reduced Disk Space Consumption: virtualization enables effective utilization of the available disk space, minimizing disk space consumption
• Increased Flexibility: virtualization provides greater flexibility in deployment and increases network resource multiplexing
• Business Continuity: helps in achieving business continuity and disaster recovery
• Improved Quality of Service: virtualization provides better quality of service (QoS) by distributing the network load between the virtual machines
• Migration: ability to move data, applications, operating systems, processes, etc. from one machine to another
• Environmental Benefits: less CO2 emissions, power saving, etc.

Virtualization provides:

• A cost-effective solution for the central data hub: replacing physical hardware with virtual machines cuts the cost of purchasing more hardware and frees space in the server room. Too many physical servers also emit a lot of heat, which can lead to server crashes.
• A time-efficient option for the IT infrastructure: virtual machines reduce the time it takes to provision computer components in an organization, and let the network administrator test software without consuming much time or hardware.
• Server backup: virtualization allows complete restoration of the network at a faster rate, because recovering a virtual machine from its files takes less time than rebuilding physical hardware.

Virtualization enables users in an organization to use different platforms on a single machine according to their needs and provides a continuous transition from one operating system to another on the same machine.

The following are the security benefits of virtualization technology:

• Centralized storage of virtual machine files simplifies backup and prevents the loss of data.
• If the virtual machines are properly isolated, an attack on one application is confined to the VM that hosts it.


• A VM allows secure sharing of sensitive information.
• An attacked VM can be rolled back to a snapshot taken before the attack (keep in mind that rolling back also discards the evidence unless the compromised state is preserved first).
• Virtualization improves physical security because there are fewer physical devices and fewer data centers to protect.
• Provides better event and incident handling.
• Provides better methods for effective handling of VMs.


Virtualization Vendors

• VMware (Source: http://www.vmware.com): VMware virtualizes networking, storage, and security to create virtual data centers and simplifies the provisioning of IT resources
• Citrix (Source: http://www.citrix.com): Citrix virtualizes and transforms Windows apps and desktops into a secure on-demand service and meets the mobility, security, and performance needs of both IT and end users
• Oracle (Source: http://www.oracle.com): Oracle offers complete and integrated virtualization, from desktops to data centers, and enables virtualization and management of an organization's hardware and software stack
• Microsoft (Source: http://www.microsoft.com): Microsoft virtualization products range from the data center to the desktop, managing both physical and virtual assets from a single platform

VMware

Source: http://www.vmware.com

VMware virtualizes computing, from the data center to the cloud to mobile devices, to help customers be more agile, responsive, and profitable. It offers products such as:

• VMware vCloud Suite: a complete kit for building and managing a private cloud infrastructure.
• VMware vSphere: vSphere virtualization enables the creation of a cloud infrastructure and pools all server-related resources.
• Horizon View: a virtual desktop service that offers users remote access to different resources under a common platform.
• VMware Fusion: lets Mac users run Windows-based applications without compatibility issues.
• VMware Workstation: lets the user run multiple virtual machines from a single desktop.
• VMware vCenter Operations Management Suite: manages all the services for their users and ensures quality of service.


Citrix

Source: https://www.citrix.com

Citrix securely delivers Windows, Linux, web, and SaaS apps plus full virtual desktops to any device. Citrix solutions for application and desktop virtualization can help a business increase productivity, enhance security, and reduce costs.

Oracle

Source: http://www.oracle.com

Oracle offers virtualization from the desktop to the data center. Oracle virtualization lets you virtualize and manage your full hardware and software stack. Oracle provides virtualization applications and tools for:

• Server Virtualization: lets enterprise IT manage its server infrastructure (memory, CPU, and storage) effectively. The server handles multiple client requests simultaneously by logically partitioning and isolating its resources.
• Desktop Virtualization: uses hypervisors that run on a bare-metal server, i.e. directly on the physical hardware. It provides the flexibility to install several virtual machines and run them alongside the host operating system.
• Application Virtualization: logically distributes application services to all users under one platform.
• Virtual Desktop Infrastructure (VDI): a way of deploying an operating system on virtual machines to enable remote access to the desktop and its applications.

Microsoft

Source: http://www.microsoft.com

Microsoft provides built-in virtualization through Hyper-V, which is included in Windows Server. Microsoft virtualization solutions help reduce costs by consolidating more workloads on fewer servers and increase IT agility and flexibility across on-premises and cloud resources.


Virtualization Security and Concerns

Virtualization security is obtained using a set of security measures, procedures, and processes that protect the virtualization infrastructure/environment. A typical virtualization security process includes:

• Securing the virtual environment
• Securing each VM at the system level
• Securing the virtual network

Virtualization security concerns:

• Due to the additional layer of infrastructure complexity, it is difficult to monitor unusual events and anomalies
• Offline (dormant) VMs, which miss patches while powered off, can be used as a gateway to gain access to a company's systems
• Due to the dynamic nature of virtual machines, a workload can easily be moved to a new virtual machine with a lower level of security

A virtualized environment exposes new attack surfaces, which forces the defender to take protective measures for both the hosts and the virtual machines. In a non-virtualized environment, each host is separate, with its own services and web servers; the services run in their own space and connect directly to the network. In a virtualized environment, several guest systems are placed on a single host, so all of those services share one hypervisor and one set of physical hardware, and a weakness in that shared layer affects all of them.

Virtualization Security Concerns

There are different issues and challenges in implementing and using virtualization. The two major categories are:

1. Traditional threats
2. New threats

Traditional threats to the virtual environment include:

• Malicious code in virtual machines and virtual appliances.
• Errors in configuring virtual networks and firewalls.
• Hypervisor configuration weaknesses.
• Data leakage.


New threats specific to virtual machine environments are:

• Management console vulnerabilities allow an attacker to remotely control the virtual machines through the management console.
• A vulnerable hypervisor endangers both the host and every virtual machine on it.
• Poor hypervisor design makes the whole system vulnerable to attack.
• Guest operating systems that are not updated, and virtual machines that do not receive security patches (offline images in particular).
• Vulnerabilities in the host system make it easy for an attacker to reach the virtual environment without much effort.


Securing the Hypervisor

• Lock down hypervisors
• Use attestation and integrity checks
• Keep attestation records patched and updated
• Allocate resources to VMs carefully
• Monitor the hypervisor for signs of compromise
• Turn off unnecessary services
• Disconnect unused physical hardware
• Disable unnecessary hypervisor services
• Disable file sharing between the guest OS and the host OS unless it is needed
• Use hypervisor IDS/IPS and hypervisor firewalls

Securing the hypervisor means securing it during implementation, management, and development. Hypervisors face many threats and risks. Many attacks originate inside an organization, where users try to compromise the virtual machines running on the system, and the attention attackers pay to hypervisors has grown, which makes patch management and the other controls below essential.

The hypervisor platform allows multiple types of access, such as SSH and RDP. Minimizing remote and console access to the system is an important part of securing the hypervisor: the hypervisor is more secure when hypervisor management is given only the access required to run the business environment.

Proper configuration also plays an important role. Enabling only the required settings and services reduces the threats and risks to the hypervisor. Hardening mechanisms such as controlling user and group access on the local system, controlling file permissions, and running only required services increase the security of the hypervisor. Administrators need to confirm the security of every platform on the hypervisor.

The hypervisor decides the amount of resources provided to each guest OS, and resources reserved for one guest OS cannot be consumed by another. Limiting the resources available to each guest OS contains attacks such as denial of service, in which one guest starves the others, and reduces the impact of malicious code running inside a guest.
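The configuration lock-down described above can be checked mechanically rather than by eye. The following Python script is an added example, not courseware code and not a VMware utility: it parses a virtual machine's .vmx file and compares it with a baseline that disables guest/host file sharing, clipboard and drag-and-drop transfer, the VNC console, and unused virtual devices. The key names follow VMware's .vmx convention and the expected values reflect VMware's published hardening guidance, but the exact list is an assumption for this example (take the authoritative baseline for your hypervisor version from the vendor's current guide), and the sample configuration is constructed.

```python
"""Audit a virtual machine's .vmx configuration against a lock-down baseline
(added example; not courseware code and not a VMware tool).

Key names follow VMware's .vmx convention and the expected values reflect the
guest-isolation and unused-device settings in VMware's published hardening
guidance. Treat the exact list as an assumption for this example and take the
authoritative baseline for your hypervisor version from the vendor's guide.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# key (lower-cased) -> value a locked-down VM is expected to carry
BASELINE = {
    "isolation.tools.copy.disable": "true",            # no guest/host clipboard
    "isolation.tools.paste.disable": "true",
    "isolation.tools.dnd.disable": "true",             # no drag-and-drop file transfer
    "isolation.tools.hgfsserverset.disable": "true",   # no shared folders
    "isolation.tools.diskshrink.disable": "true",      # guest cannot shrink its disk
    "isolation.tools.diskwiper.disable": "true",
    "isolation.device.connectable.disable": "true",    # guest cannot attach devices
    "isolation.device.edit.disable": "true",
    "remotedisplay.vnc.enabled": "false",              # no VNC console
    "tools.guestlib.enablehostinfo": "false",          # host metrics stay on the host
}
# Devices that a server VM normally does not need at all.
UNUSED_DEVICES = ("floppy0.present", "serial0.present",
                  "parallel0.present", "usb.present")

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


@dataclass(frozen=True)
class Finding:
    key: str
    severity: str        # "fail": set to a weak value; "warn": not set, default applies
    expected: str
    actual: str | None


def parse_vmx(text: str) -> dict[str, str]:
    """Parse key = "value" lines; keys are case-insensitive, so lower-case them."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def audit(cfg: dict[str, str]) -> list[Finding]:
    findings = []
    for key, want in BASELINE.items():
        have = cfg.get(key)
        if have is None:
            findings.append(Finding(key, "warn", want, None))
        elif have.lower() != want:
            findings.append(Finding(key, "fail", want, have))
    for dev in UNUSED_DEVICES:
        have = cfg.get(dev)
        if have is not None and have.lower() == "true":
            findings.append(Finding(dev, "fail", "false or removed", have))
    return findings


def passes(findings: list[Finding]) -> bool:
    """A VM passes when nothing is explicitly weak; warnings still need review."""
    return not any(f.severity == "fail" for f in findings)


# Constructed sample configuration for the example (not a real VM).
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "payroll-app-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "FALSE"
isolation.tools.hgfsServerSet.disable = "TRUE"
isolation.tools.diskShrink.disable = "TRUE"
isolation.tools.diskWiper.disable = "TRUE"
isolation.device.connectable.disable = "TRUE"
isolation.device.edit.disable = "TRUE"
RemoteDisplay.vnc.enabled = "FALSE"
tools.guestlib.enableHostInfo = "FALSE"
floppy0.present = "TRUE"
serial0.present = "FALSE"
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VMX
    results = audit(parse_vmx(text))
    for f in results:
        print(f"{f.severity.upper():4} {f.key}: expected {f.expected}, found {f.actual}")
    sys.exit(0 if passes(results) else 1)
```

Run it as `python vmx_audit.py guest.vmx`; the non-zero exit status makes it usable as a gate in the VM provisioning pipeline. A setting that is merely absent is reported as a warning rather than a failure, because the effective value then depends on the hypervisor's default, which differs between products and versions and should be confirmed explicitly.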


Network administrators need to be careful when handling access to VLANs. VLANs keep traffic separated between networks, but exposing VLANs to the virtual network may allow a compromised machine to reach all the other VLANs. Configure VLANs carefully and ensure that only those VLANs required for the hypervisor configuration are present.

Securing hypervisors also requires securing the direct interfaces to the system. Protect the out-of-band (OOB) management interface with complex, strong passwords, and implement a firewall that limits access to the OOB subnets to approved IP addresses only.

Network administrators can also control the rights to perform a service through the service account. Controlling service accounts reduces the risk if a service account is compromised, and long, strong passwords improve the security of the service accounts.
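Monitoring the hypervisor for signs of compromise and restricting management access to the approved OOB subnets can be combined into one detection. The following Python script is an added example, not courseware code: it reads authentication events for the management interface, flags logins from outside the approved OOB subnets, and flags password-guessing bursts and any login that succeeds after such a burst. The OOB subnets, the thresholds, the host name and the log lines are assumptions constructed for the example, and the log format is only loosely modelled on SSH-style messages rather than any vendor's exact format.

```python
"""Monitor hypervisor management-interface logins (added example; not
courseware code). Alerts when an administrative login comes from outside the
approved out-of-band (OOB) management subnets, when one source racks up
repeated failures, and when a login succeeds after such a burst.

The log lines below are constructed for the example and loosely modelled on
SSH-style authentication messages; they are not any vendor's exact format.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumption: only these OOB subnets may reach the hypervisor management plane.
APPROVED_OOB = [ipaddress.ip_network("10.99.0.0/24"),
                ipaddress.ip_network("10.99.1.0/24")]
FAIL_THRESHOLD = 4      # failures from one source ...
WINDOW_SECONDS = 120    # ... inside this window count as password guessing

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample log: one legitimate OOB login, a guessing burst from an
# address outside the OOB range that eventually succeeds, and one stray failure.
SAMPLE_LOG = """\
2024-05-01T08:00:01 hv01 sshd: Accepted password for root from 10.99.0.15
2024-05-01T08:05:10 hv01 sshd: Failed password for root from 192.0.2.44
2024-05-01T08:05:12 hv01 sshd: Failed password for root from 192.0.2.44
2024-05-01T08:05:15 hv01 sshd: Failed password for admin from 192.0.2.44
2024-05-01T08:05:19 hv01 sshd: Failed password for root from 192.0.2.44
2024-05-01T08:05:25 hv01 sshd: Accepted password for root from 192.0.2.44
2024-05-01T09:30:00 hv01 sshd: Failed password for root from 10.99.1.7
"""


def from_oob(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in APPROVED_OOB)


def parse(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated or malformed line
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def analyse(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (alert_kind, source_ip, user) tuples in the order they fire."""
    alerts = []
    recent_failures: dict[str, list[datetime]] = defaultdict(list)
    bursting: set[str] = set()
    for ev in events:
        src = ev["src"]
        if ev["ok"]:
            if not from_oob(src):
                alerts.append(("login_outside_oob", src, ev["user"]))
            if src in bursting:
                alerts.append(("success_after_guessing", src, ev["user"]))
            continue
        # Failure: keep only this source's failures that fall inside the window.
        window = [t for t in recent_failures[src]
                  if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        window.append(ev["ts"])
        recent_failures[src] = window
        if len(window) >= FAIL_THRESHOLD and src not in bursting:
            bursting.add(src)
            alerts.append(("password_guessing", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user in analyse(parse(SAMPLE_LOG)):
        print(f"ALERT {kind}: user={user} src={src}")
```

The "success after guessing" alert is the one to treat as an incident rather than noise: a firewall restricting the OOB subnets should have made the source address impossible in the first place, so either the firewall rule is missing or the attacker is already inside an approved network.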


Securing Virtual Machines

Implement security controls and procedures for each VM:

• Software Firewall: install a software firewall on each virtual machine to detect and prevent the intrusion of unwanted and malicious applications
• Anti-virus Software: install antivirus to protect virtual environments from the inherent threat of viruses, Trojans, worms, etc.
• Encryption: encrypt virtual machines to prevent unauthorized access to confidential data

Apply all the general host security measures to each virtual machine, including:

• Patch management
• User authentication for verification
• Disabling/removing unnecessary services and applications
• Password management
• Access control
• Logging

In addition to the general host security measures, administrators should implement the following measures to enhance virtual machine security.

• Implementing Protocols and Procedures: defining rules and strategies helps secure the virtual machines. Adding the recommendations below provides more security:
  • Check for operating system updates for the virtual machines on a weekly basis.
  • Check for virtualization software updates on a weekly basis.
  • Update the virtual machines on a weekly basis.
• Implementing a Software Firewall: it is a mistake to assume virtual machines are safe because they are seen as sandboxed. They are prone to external and internal attacks just like a physical system and always require attention.
  • Software firewalls monitor the flow of network traffic between different virtual machines.
  • They provide security to each virtual machine and reduce the attack risk.
  • A software firewall on each virtual machine detects and prevents the intrusion of unwanted and malicious applications.
  • Virtual or software firewalls do not conflict with the firewall implemented on the host operating system.


  • Many software firewalls are available, such as Comodo and ZoneAlarm.
• Deploying Anti-Virus Software:
  • Install anti-virus software to protect the virtual environment from the inherent threats of viruses, Trojans, worms, etc.
  • Antivirus deployed on a virtual machine inspects for unusual activity and scans all files and folders for malicious content.
  • Installing anti-virus on the host machine does not secure the virtual machine; install antivirus inside each virtual machine to secure it properly.
  • Widely used antivirus products include Kaspersky, McAfee, Microsoft Security Essentials, and Symantec Endpoint Protection.
• Encrypting the Virtual Machines: a virtual machine often holds highly confidential data, so encryption is required. Encrypting virtual machines protects them from unauthorized access. Users must enter a password to encrypt/decrypt a virtual machine; if that password is lost, the virtual machine cannot be recovered, so store it as carefully as any other key material. The steps to encrypt a virtual machine (the exact menu names vary by product) are:
  • Step 1: Shut down the virtual machine.
  • Step 2: Choose Configure from the virtual machine menu; a dialogue box appears.
  • Step 3: Click Options and select Security.
  • Step 4: In the security pane, click Turn On, provide a password, and click OK.
  • Step 5: The password provided in Step 4 is required thereafter to decrypt and open the virtual machine.


Secure Virtual Network Management

• Virtual network isolation assigns each virtual machine to an internal virtual network; network
isolation is based on Internet Protocol security (IPsec)

• Network packet isolation provides security to the virtual network by determining which network
packet is routed to the virtual machine

• A virtual switch provides basic security to the virtual network, whereas IDS/IPS and firewalls
provide security within the virtual appliances

• Use physical network security devices (PNSD) with VLANs; it minimizes the consumption of host
resources

• Using a Virtualized Network Security System (VNSS) on the virtualized LAN addresses external
threats, inter-VM exploits, DoS attacks, etc.

• Mapping of virtual networks to the underlying physical network is known as virtual network
embedding (VNE); it minimizes the risks to the virtual and physical machines of the virtual
network


Organizations use approaches for secure virtual network management such as:

• Physical Network Security Device (PNSD): This physical network security device resides
outside the host machine, and deploying it for every host machine may reduce performance.
This approach does not provide security to VMs.

• Physical Network Security Device (PNSD) with VLANs: Using physical network security
devices (PNSD) with VLANs reduces the consumption of host resources.

• Host Intrusion Prevention System (HIPS): It resides inside the virtual server, uses host
machine resources, and offers server-level protection.

• Virtualized Network Security System (VNSS): It resides on a virtual LAN and consumes host
machine resources. It monitors and partitions the virtual environments and provides security
to virtual network segments, VLANs, servers, and devices.

Methods to secure virtual environments include:

• Resource Limitation: Apply resource usage limits to each virtual machine so that the risk of
one machine consuming multiple shared hardware resources at one time, which can affect virtual
machine performance, is minimized.

• Security Measures: Install antivirus, anti-spyware, and intrusion detection systems. Keep
everything updated on each virtual machine to reduce security vulnerabilities.

• Native remote management services: Use native remote management services to reduce the
risk of an attacker intruding into a virtual machine.
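One way to make the "network packet isolation" point above concrete is to model the virtual switch's forwarding decision in code: a frame is delivered to a VM only when its VLAN tag matches the VM's port, and traffic that crosses trust zones is routed only through an explicit virtual-firewall rule. The Python below is an added example, not EC-Council courseware or any vendor's implementation; the VM names, VLAN ids, trust zones and the single firewall rule are constructed sample data, and the model assumes a port may carry only its own VLAN tag.

```python
"""Packet isolation on a virtual switch, as a forwarding decision.

Added example, not EC-Council courseware code. It models the slide's
"network packet isolation": the virtual switch delivers a frame to a VM only
when the frame's VLAN tag matches the VM's port, and traffic between trust
zones is routed only when a virtual-firewall rule allows it. VM names, VLAN
ids, zones and rules are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class VmPort:
    vm: str
    vlan: int   # VLAN the virtual switch port is assigned to
    zone: str   # trust zone, e.g. "dmz", "internal", "mgmt"


@dataclass(frozen=True)
class Packet:
    src_vm: str
    dst_vm: str
    vlan: int      # 802.1Q tag on the frame as it enters the virtual switch
    dst_port: int  # TCP/UDP destination port


# Constructed inventory: each VM's port, VLAN and trust zone.
PORTS = {
    "web01": VmPort("web01", 10, "dmz"),
    "web02": VmPort("web02", 10, "dmz"),
    "db01": VmPort("db01", 20, "internal"),
    "vcenter": VmPort("vcenter", 99, "mgmt"),
}

# Virtual-firewall allow list for traffic crossing VLANs/zones:
# (source zone, destination zone, destination port). Everything else is dropped.
ZONE_RULES = {
    ("dmz", "internal", 5432),  # web tier may reach only the database port
}


def forward_decision(pkt: Packet, ports=PORTS, rules=ZONE_RULES) -> tuple[bool, str]:
    """Decide whether the virtual switch delivers one packet, with the reason."""
    src = ports.get(pkt.src_vm)
    dst = ports.get(pkt.dst_vm)
    if src is None or dst is None:
        return False, "unknown VM port"
    # A VM may only send frames tagged with its own VLAN; anything else is
    # treated as VLAN tag spoofing and dropped at the port.
    if pkt.vlan != src.vlan:
        return False, f"{pkt.src_vm} is not on VLAN {pkt.vlan} (tag spoofing)"
    # Same VLAN: layer-2 delivery within the isolated virtual network.
    if pkt.vlan == dst.vlan:
        return True, "same VLAN"
    # Different VLAN: the frame can only reach the destination through the
    # virtual firewall, which permits explicitly listed zone-to-zone flows.
    if (src.zone, dst.zone, pkt.dst_port) in rules:
        return True, f"routed {src.zone}->{dst.zone} by firewall rule"
    return False, f"blocked {src.zone}->{dst.zone} port {pkt.dst_port}"


def evaluate(packets: list[Packet]) -> list[tuple[Packet, bool, str]]:
    """Apply the decision to a batch of packets (e.g. a captured sample)."""
    return [(p, *forward_decision(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("web01", "web02", 10, 443),    # intra-VLAN
        Packet("web01", "db01", 10, 5432),    # permitted cross-zone flow
        Packet("web01", "db01", 10, 22),      # cross-zone flow not in the rules
        Packet("web01", "vcenter", 99, 443),  # DMZ VM claims the mgmt VLAN tag
    ]
    for pkt, ok, why in evaluate(sample):
        print(f"{pkt.src_vm}->{pkt.dst_vm}:{pkt.dst_port} vlan={pkt.vlan} "
              f"{'DELIVER' if ok else 'DROP'} ({why})")
```

The default-deny in the last line of `forward_decision` is the part that matters: anything not on the same VLAN and not explicitly permitted between zones is dropped, which is what keeps the management VLAN unreachable from the DMZ even if a guest tries to tag its own frames.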


Guidelines to secure virtual environments are:

• Authentication to the virtual devices.
• Restricted connectivity to all virtual resources.
• Segmenting the virtual infrastructure.
• Virtual resource reservation and limits.
• Apply standard infrastructure security measures to the virtual infrastructure.
• Use native remote management services (RMS) to communicate with virtual machines.
• Host-based IPS (HIPS) protects the virtual environment from security threats.


Best Practices for Virtual Environment Security

• Secure virtual systems as physical systems with antivirus, IDS, firewall
• Create virtualization security policies for OS, networks, kernel, traffic, backup, and deployment
• Separate virtual networks into security or trust zones and provide high security at critical areas
• Use security controls to limit unauthorized access and restrict access to unprivileged networks
• Implement strong access controls for virtual environment management
• Update the hypervisor environment regularly
• Disable unnecessary hypervisor devices and all emulated hardware from the virtual environment
• Monitor configuration of host virtual machines and VMware infrastructure at regular intervals


Best Practices for Virtual Environment Security (Cont'd)

• Use strong passwords for BIOS, OS and network configuration on both hosts and guest machines
• Frequently audit event logs for suspicious and unexpected activity
• Provide continuous training to improve administrators' skillset on virtualization security trends and technologies
• Audit and control the administrative access to the hypervisor's accounts and credentials
• Protect the host system with high security measures as it provides direct access to VMs, networks, devices, applications, and hypervisors
• Implement regular updates for downloaded software and security patches on virtual machines
• Actively audit, monitor and test virtual networks and network traffic from violations
• Protect the integrity of every guest operating system
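The "audit event logs for suspicious and unexpected activity" and "audit and control the administrative access to the hypervisor's accounts" practices above come down to reviewing the hypervisor's management events against a policy. The Python below is an added example, not EC-Council courseware; it runs three checks over constructed log lines in a simple key=value format (a real hypervisor's audit log has its own format and would need its own parser), and the host name, addresses, management subnet, failure threshold and change window are assumed values chosen for the demonstration.

```python
"""Review of hypervisor management events for suspicious administrative activity.

Added example, not EC-Council courseware code. The log lines, host name,
addresses, management subnet and thresholds below are constructed for the
demonstration; a real review parses the hypervisor's own audit/event log
in its native format.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per management event, key=value fields.
SAMPLE_LOG = """\
2024-05-02T02:14:07Z esx01 hostd: user=admin src=203.0.113.5 action=login result=FAIL
2024-05-02T02:14:09Z esx01 hostd: user=admin src=203.0.113.5 action=login result=FAIL
2024-05-02T02:14:12Z esx01 hostd: user=admin src=203.0.113.5 action=login result=FAIL
2024-05-02T02:14:15Z esx01 hostd: user=admin src=203.0.113.5 action=login result=FAIL
2024-05-02T02:14:20Z esx01 hostd: user=admin src=203.0.113.5 action=login result=OK
2024-05-02T02:16:40Z esx01 hostd: user=admin src=203.0.113.5 action=snapshot.revert vm=db01 result=OK
2024-05-02T09:05:00Z esx01 hostd: user=ops src=10.99.0.7 action=login result=OK
2024-05-02T09:06:30Z esx01 hostd: user=ops src=10.99.0.7 action=vm.migrate vm=web01 result=OK
2024-05-02T23:45:10Z esx01 hostd: user=ops src=10.99.0.7 action=user.add result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+)(?: vm=(?P<vm>\S+))? result=(?P<result>\S+)$"
)

# Review policy (constructed values).
MGMT_NETWORK_PREFIX = "10.99.0."            # only this subnet should reach the hypervisor
FAILED_LOGIN_THRESHOLD = 4                  # this many failures...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ...within this window
CHANGE_WINDOW_HOURS = (8, 18)               # privileged changes expected 08:00-18:00 UTC
PRIVILEGED_ACTIONS = {"snapshot.revert", "vm.migrate", "vm.create", "user.add"}


def parse(log_text: str) -> list[dict]:
    """Parse lines into dicts; unparsable lines are skipped (count them in production)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def review(log_text: str) -> list[tuple]:
    """Return findings as (kind, user, detail, timestamp) tuples."""
    events = parse(log_text)
    findings = []

    # 1. Burst of failed logins for one (user, source): password-guessing indicator.
    fails = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "FAIL":
            fails[(ev["user"], ev["src"])].append(ev["ts"])
    for (user, src), times in fails.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_THRESHOLD + 1):
            if times[i + FAILED_LOGIN_THRESHOLD - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append(("failed-login-burst", user, src, times[i]))
                break  # one finding per (user, src) is enough for the report

    start, end = CHANGE_WINDOW_HOURS
    for ev in events:
        # 2. Successful login from outside the management network.
        if (ev["action"] == "login" and ev["result"] == "OK"
                and not ev["src"].startswith(MGMT_NETWORK_PREFIX)):
            findings.append(("login-outside-mgmt-net", ev["user"], ev["src"], ev["ts"]))
        # 3. Privileged change (snapshot revert, migration, account change) off hours.
        if ev["action"] in PRIVILEGED_ACTIONS and not (start <= ev["ts"].hour < end):
            findings.append(("privileged-change-off-hours", ev["user"], ev["action"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail, ts in review(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:28} user={user} {detail}")
```

On the constructed sample the review reports four findings: the failed-login burst, the successful admin login that followed it from outside the management subnet, and two privileged changes (a snapshot revert and an account addition) outside the change window. The successful login after repeated failures is the one a reviewer would escalate first, since the page's own guidance is that hypervisor administrative credentials are to be audited and controlled.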


Best Practices for Virtual Environment Security (Cont'd)

• Secure the host operating systems and applications with regular security updates and patches
• Ensure that every new VM added to the network is in accordance with the organization's standards
• Enforce file integrity checks to ensure that the contents of files have not been altered
• Limit physical access to the host OS to protect it from trespassers
• Use encrypted communication technologies
• Avoid operation on all guest machines that do not work in protected mode
• Validate the change management process of virtual machines before deploying and managing changes
• Educate users with security awareness programs


The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/job.

• Harden Access Controls: Deploy controls to the hypervisor and virtual machines in a secure
manner to avoid unauthorized access.

• Monitor the virtual traffic: Various tools are available to identify malicious traffic and
defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Virtual machine migrations must be recorded to monitor and diagnose
machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual machines. If
there are any issues, roll back to a stable state using snapshots taken at particular intervals
by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to discover
vulnerabilities and service failures.
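The "enforce file integrity checks" and "protect the integrity of every guest operating system" practices above are usually implemented as a hashed baseline that a later scan is compared against. The Python below is an added example, not EC-Council courseware or any integrity product's code; the directory tree, file names and contents it checks are constructed inside a temporary folder by `demo()`, and keeping the baseline file outside the monitored tree is a design assumption of the example rather than something the page prescribes.

```python
"""File-integrity baseline and verification for a guest operating system.

Added example, not EC-Council courseware code. It records a SHA-256 baseline
of every regular file under a directory, then reports files that were
modified, added or removed since the baseline. demo() builds a small
constructed tree in a temporary directory and deliberately alters it so the
three kinds of drift are all exercised.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file (path relative to root, POSIX form) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot pull a
    foreign file into the baseline.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    # Store the baseline outside the monitored tree (ideally off the VM and
    # read-only); a baseline kept inside the tree would itself show up as drift.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline three files, then alter the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "guest"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "ssh_config").write_text("PasswordAuthentication no\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF placeholder")
        baseline_file = Path(tmp) / "baseline.json"  # outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift: a hardening setting flipped, a new executable, a file deleted.
        (root / "etc" / "ssh_config").write_text("PasswordAuthentication yes\n")
        (root / "bin" / "newtool").write_bytes(b"unexpected")
        (root / "etc" / "hosts").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {files}")
```

In a real deployment the baseline is regenerated only through the change management process the page describes, so that an unexpected "modified" or "added" entry on a guest is treated as a finding to investigate rather than silently re-baselined.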

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.

Module 06 Page 563 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Host Security

Best Practices for Virtual


Environment Security (Cont'd)

Secure the host operating systems and Ensure that every new VM added to the
applications w ith regular security updates network is in accordance to the
and patches organization's standards

Enforce file integrity checks to ensure that


Limit physical access of host OS to protect
content of the file have not been altered
from trespassers

~ Use encrypted communication technologies Avoid operation on all guest machines that
do not work on protected mode

Validate the change management process


Educate user with security awareness
of virtual machines before deploying and
programs
managing changes

Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

The following are additional best practices for virtualization security:

• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/ job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines 1n a
secure manner to avoid unauthorized access.

• Monitor the virtual traffic: There are various tools available and using these tools to
identify malicious traffic and defend the virtual machines from intrusions and attackers.

• Record VM Migrations: Migration between virtual machines must be recorded to monitor


and diagnose machine failures.

• Monitor VM snapshots and rollback: Create a work environment to monitor virtual


machines. If there any issues, rollback to a stable state using snapshots which are taken at
particular intervals by the administrator.

• Scan and audit virtual machines: Virtual machines are scanned at regular intervals to
discover vulnerabilities and service failures.


• Host security involves the process of hardening each device at an individual level on the network
• Organizations should set and follow baselines for host security to protect hosts from different kinds of host-level threats
• Operating systems have a vital role in host security and can be hardened using built-in security features
• Network servers should be dedicated to a single purpose only
• Host security can be compromised through security vulnerabilities that exist in installed software
• Virtualization security is obtained using a set of security measures, procedures and processes to protect the virtualization infrastructure/environment

In this module, you have learned how important securing each individual host is to network security. The module described host security and the tools and techniques for securing each host on the network. It helps you prepare security baselines for hosts including workstations, routers, switches and servers, and provides security measures to protect them from various host security threats. The module also discussed the virtualization concept and provided security measures for virtual machines in a virtual environment.

Module 07: Secure Firewall Configuration and Management

• Firewall implementation is the first line of defense against network attacks
• Firewalls are configured at various levels to limit access to different parts of the network
• Attackers target firewalls to find a way into organization networks
• An administrator's careless approach, improper design and misconfiguration will leave security holes when the firewall is implemented
• An attacker will take advantage of a weak firewall implementation and use various techniques to bypass the firewall restrictions altogether

A firewall is a hardware device or a software program located at the network gateway and used to control communication between different networks according to a specified security policy. Networks typically have firewalls configured between the corporate network and the public network (the Internet). A firewall provides a line of defense against attacks on an internal network from an external network and helps prevent unauthorized access to or from private networks connected to the Internet. A firewall application runs on a host that is connected to both the trusted and the untrusted network.

A firewall helps organizations protect confidential information from unauthorized users. The most important feature of a firewall is that it can distinguish between permitted and prohibited traffic. A firewall placed between a corporate and a public network limits access to various services on the Internet and keeps a record of what passes through it. The firewall filters inbound traffic (ingress filtering) and outbound traffic (egress filtering).

However, there are a few concerns with firewall functionality:
• A firewall cannot block certain types of attacks, for example social engineering and insider attacks.
• A firewall sometimes has less processing capacity than its network interface, which becomes a problem when a host with a fast network interface can send traffic faster than the firewall's internal processor can inspect it.
• A firewall can restrict services that users want, such as TELNET, FTP, X Windows and NFS.
• A firewall can restrict communication between valid devices in the network, causing unwanted interruption in the flow of data.

What should not be ignored: Firewall Limitations

• A firewall does not prevent backdoor attacks on the network
• A firewall does not protect the network from insider attacks
• A firewall cannot help if the network design and configuration are faulty
• A firewall is not an alternative to antivirus or antimalware software
• A firewall does not prevent new viruses
• A firewall cannot prevent social engineering threats
• A firewall does not prevent password misuse
• A firewall does not block attacks from a higher level of the protocol stack
• A firewall does not protect against attacks originating through common ports and applications
• A firewall does not protect against attacks from dial-in connections
• A firewall is unable to understand tunneled traffic

A firewall is an important part of your security strategy, but firewalls have the following limitations:
• Firewalls can restrict users from accessing valuable services such as FTP, Telnet and NIS, and sometimes restrict Internet access as well.
• A firewall cannot protect you from internal (backdoor) attacks on the network, for example a disgruntled employee who cooperates with an external attacker.
• A firewall concentrates security at a single point, which leaves other systems within the network prone to attack if that point is bypassed.
• A bottleneck can occur if all connections pass through the firewall.
• A firewall cannot protect the network from social engineering and data-driven attacks in which the attacker sends malicious links and emails to employees inside the network.
• If external devices such as laptops, mobile phones and portable hard drives are already infected when they are connected to the network, a firewall cannot protect the network from them.
• A firewall is unable to fully protect the network from all types of zero-day viruses that try to bypass it.

A firewall works on the principle that:
• A firewall allows traffic to pass through if the traffic meets certain criteria
• A firewall denies traffic if it does not match certain criteria
• These criteria are the rules and restrictions configured on the firewall, and they may vary from one type of firewall to another
• Generally, a firewall filters traffic based on the type of traffic, source or destination addresses, protocols and ports

[Figure: a firewall between the Internet and a secure private network. Restricted traffic is stopped because it did not meet specific criteria; only Internet traffic meeting the specified criteria is allowed through to specific resources.]

A firewall monitors the incoming and outgoing traffic of a network or a system and blocks the traffic that does not meet the specified security criteria, which are expressed as a set of predefined rules. A firewall inspects all traffic, allows traffic that meets the criteria (permitted traffic) and blocks traffic that does not (denied traffic). A firewall filters traffic using various methods such as packet filtering, proxy service and stateful inspection.

• A firewall filters traffic that does not meet specific criteria.
• The criteria defined may differ between firewalls.
• A firewall filters traffic based on the type of traffic, source and destination addresses, and source and destination ports.
• Sometimes a complex rule base is configured on the firewall to filter application traffic.

Hardware Firewall
A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is an important part of a network setup and is either built into broadband routers or sold as a stand-alone product. A hardware firewall helps protect the systems on the local network and is effective with little or no configuration. It employs packet filtering: it reads the header of a packet to find the source and destination addresses and compares them with a set of predefined and/or user-created rules that determine whether the packet should be forwarded or dropped. A hardware firewall protects an individual system or an individual network connected through a single interface. Examples of hardware firewalls are Cisco ASA and Fortigate. Hardware firewalls provide protection to the private local area network.
However, hardware firewalls are considered a more expensive option and are harder to implement and upgrade.

• Advantages
  • Security: A hardware firewall runs its own operating system, which is considered to reduce security risks and provides an increased level of security control.
  • Speed: Hardware firewalls respond faster and handle more traffic.
  • Minimal interference: Since a hardware firewall is a separate network component, it can be managed, shut down, moved or reconfigured with less interference to the rest of the network.

• Disadvantages
  • More expensive than a software firewall.
  • Hard to implement and configure.
  • Consumes more space and involves cabling.

Software Firewall
A software firewall acts like a filter. It sits between a normal application and the networking components of the operating system. It is most helpful for individual home users, is suitable for mobile users who need protection while working outside the corporate network, and is easy to install on an individual PC, notebook or workgroup server. It helps protect the system from outside attempts at unauthorized access and protects against common Trojans and email worms. It includes privacy controls, web filtering and more. A software firewall embeds itself at a key point in the application/network path and analyzes data flow against its rule set.
Configuration of a software firewall is simple compared to a hardware firewall. It intercepts all requests from the network to the computer to determine whether they are valid, and protects the computer from illicit attempts to access it. It incorporates user-defined controls, privacy controls, web filtering, content filtering, etc. to restrict unsafe applications from running on an individual system. Software firewalls consume system resources, which reduces the speed of the system. Examples of software firewalls are those produced by Norton, McAfee and Kaspersky, among others.
• Advantages
  • Less expensive than hardware firewalls.
  • Ideal for personal or home use.
  • Easier to configure and reconfigure.

• Disadvantages
  • Consumes system resources.
  • Difficult to uninstall.
  • Not appropriate for environments requiring faster response times.

Firewalls are designed and developed with the help of different firewall services. Each firewall service provides security depending on its efficiency and sophistication.

Technologies used for creating a firewall service: Packet Filtering, Circuit Level Gateways, Application Proxies, Virtual Private Network, Stateful Multilayer Inspection, Application Level Gateways, Network Address Translation.

Several firewall technologies are available for organizations to implement their security. Sometimes firewall technologies are combined with other technologies to build another firewall technology. For example, NAT is a routing technology, but when combined with a firewall it is considered a firewall technology.

The various firewall technologies used are:

• Packet Filtering
• Stateful Multilayer Inspection
• Circuit Level Gateways
• Application Level Gateways
• Application Proxies
• Network Address Translation
• Virtual Private Network

The table below describes the technologies working at each OSI layer:

OSI Layer       Firewall Technology
Application     Virtual Private Network (VPN); Application Proxies
Presentation    VPN
Session         VPN; Circuit-level gateway
Transport       VPN; Packet Filtering
Network         VPN; Network Address Translation (NAT); Packet Filtering; Stateful Multilayer Inspection
Data Link       VPN; Packet Filtering
Physical        Not Applicable

TABLE 7.1: Firewall technologies at OSI layer

The security level of these technologies varies with the layer at which each operates. The technologies can be compared by considering how data passes through the OSI layers between hosts: data travels from a higher layer to a lower layer through the intermediate layers, and each layer adds its own information to the data packets. The lowest layer sends the resulting frame over the physical network, where it passes back up through the layers to its destination. The higher the layer at which a firewall technology operates, the more of this accumulated information it can inspect when making its decision.

• Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP)
• They are usually part of a router
• In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded
• Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator
• Rules include the source and destination IP addresses, source and destination port numbers and the protocol used
• The advantage of packet filtering firewalls is their low cost and low impact on network performance
• Most routers support packet filtering

Packet Filtering Firewall (Cont'd)

• Traffic is filtered based on specified rules, including source and destination IP address, packet type, and port number
• Unknown traffic is only allowed up to level 2 of the network stack

[Figure: protocol stack (Application, TCP, Internet Protocol (IP), Network Interface) with incoming traffic checked at the IP layer; allowed traffic continues up the stack, disallowed traffic is dropped.]

Packet filtering is the most basic core feature of all modern firewalls. Packet filters work at the network layer and are usually part of a router. A packet filtering firewall evaluates each packet on the basis of its header information: source IP address, destination IP address, source port, destination port, protocol, etc. If the packet does not match the criteria for forwarding, the firewall drops it; otherwise it forwards it. Rules can include source and destination IP addresses, source and destination port numbers, and the protocol used. When a data packet passes through the network, the packet filter checks the packet header and compares it with the connection bypass table, which keeps a log of the connections passing through the network.

There are three approaches to configuring packet filters after determining the set of filtering rules:
• Rule 1 (default deny): accept only those packets that are explicitly identified as safe and drop the rest.
• Rule 2 (default allow): drop only those packets that are confirmed unsafe and forward the rest.
• Rule 3 (prompt): if no specific instruction covers a particular packet, the user is given the chance to decide what to do with it.

A packet that belongs to a previously established connection can pass through. When a new packet enters, the filter verifies it against the rules; if it complies, the filter forwards it and enters the new connection in the bypass table. A packet filtering firewall does not cost much and has little effect on network performance. Most routers support packet filtering. Packet filtering provides a relatively low level of security and can be bypassed by techniques such as packet spoofing, where the attacker crafts or replaces packet headers so that the packets pass the filter unchallenged.

As their name suggests, packet filter-based firewalls concentrate on individual packets and analyze their header information as well as their direction. Traditional packet filters make decisions based on the following information:
• Source IP address: Allows the filter to check whether the packet comes from a valid source. The IP header stores the address of the source system.
• Destination IP address: Checks whether the packet is heading to a permitted destination; the IP header stores the destination address.
• Source TCP/UDP port: Allows checking the source port of the packet.
• Destination TCP/UDP port: Checks the destination port to allow or deny the corresponding service.
• TCP code bits: Used to check whether the packet has SYN, ACK or other bits set, i.e. whether it opens a new connection or belongs to an existing one.
• Protocol in use: The protocol field is checked to allow or deny packets of that protocol.
• Direction: Whether the packet is entering or leaving the packet filter firewall.
• Interface: Which interface the packet arrived on, used to check whether it comes from an untrusted network.
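The decision process described above, first-match rules over the listed header fields with a default policy corresponding to Rule 1 (default deny) or Rule 2 (default allow), as an added Python example that is not part of the EC-Council courseware. The addresses, interface names, rules and packets are all constructed for the demonstration; the anti-spoofing rule illustrates the interface check that blocks the packet-spoofing bypass mentioned in the text.

```python
"""Added example (not from the EC-Council courseware): a toy stateless packet
filter that evaluates the header fields described above with first-match
rules and a configurable default policy. All addresses, rules and packets
are constructed for the demonstration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()         # TCP code bits, e.g. {"SYN"}
    direction: str = "in"                       # "in" entering, "out" leaving
    iface: str = "ext"                          # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                                 # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None
    flags_required: FrozenSet[str] = frozenset()
    flags_forbidden: FrozenSet[str] = frozenset()
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """Every field the rule specifies must match; unspecified fields are wildcards."""
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.direction is None or p.direction == self.direction)
                and (self.iface is None or p.iface == self.iface)
                and self.flags_required <= p.flags
                and not (self.flags_forbidden & p.flags))


class PacketFilter:
    """First matching rule wins; the default policy decides packets no rule mentions."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    def decide(self, p: Packet) -> Tuple[str, str]:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action, rule.comment
        return self.default, "default policy"


INTERNAL = "10.0.0.0/8"          # constructed internal address range (assumption)
WEB = "10.0.1.10/32"             # constructed internal web server (assumption)

RULES = [
    # Anti-spoofing: a packet claiming an internal source address cannot
    # legitimately arrive on the external interface.
    Rule("deny", src=INTERNAL, direction="in", iface="ext",
         comment="spoofed internal source"),
    # Inbound HTTP to the web server is allowed (new and continuing segments).
    Rule("allow", dst=WEB, proto="tcp", dport=80, direction="in", iface="ext",
         comment="HTTP to web server"),
    # The web server may only send replies (ACK set); a bare SYN from it would
    # be the server initiating an outbound connection, which is not allowed.
    Rule("allow", src=WEB, proto="tcp", sport=80, direction="out",
         flags_required=frozenset({"ACK"}), comment="HTTP replies"),
    # Egress DNS from any internal host.
    Rule("allow", src=INTERNAL, proto="udp", dport=53, direction="out",
         comment="egress DNS"),
]

SAMPLE_PACKETS = {   # constructed traffic for the demonstration
    "client_syn":       Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 80, frozenset({"SYN"}), "in", "ext"),
    "spoofed_syn":      Packet("10.0.0.7", "10.0.1.10", "tcp", 51000, 80, frozenset({"SYN"}), "in", "ext"),
    "server_reply":     Packet("10.0.1.10", "203.0.113.5", "tcp", 80, 51000, frozenset({"SYN", "ACK"}), "out", "int"),
    "server_initiates": Packet("10.0.1.10", "203.0.113.5", "tcp", 80, 51000, frozenset({"SYN"}), "out", "int"),
    "dns_query":        Packet("10.0.2.5", "192.0.2.53", "udp", 40000, 53, frozenset(), "out", "int"),
    "ssh_probe":        Packet("203.0.113.5", "10.0.1.10", "tcp", 51001, 22, frozenset({"SYN"}), "in", "ext"),
}


def evaluate(default: str = "deny") -> dict:
    """Return {packet name: action} for the sample packets under the given default policy."""
    fw = PacketFilter(RULES, default=default)
    return {name: fw.decide(pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for policy in ("deny", "allow"):
        print(f"default {policy}:", evaluate(policy))
```

Running the block prints the verdicts under both default policies: the spoofed packet is denied either way because an explicit rule catches it, while the SSH probe and the web server's outbound SYN are denied only under Rule 1 (default deny). The filter is stateless: the web server's replies are admitted purely because the ACK bit is set, which is exactly the kind of header-only check that packet spoofing targets; a stateful firewall would consult its connection table instead.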

• Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP
• They monitor the TCP handshake between packets to determine whether a requested session is legitimate
• Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway
• Circuit level gateways are relatively inexpensive
• They have the advantage of hiding information about the private network they protect
• Circuit level gateways do not filter individual packets

Circuit Level Gateway (Cont'd)

• Traffic is filtered based on specified session rules, such as when a session is initiated by a recognized computer
• Unknown traffic is only allowed up to level 3 of the network stack

[Figure: protocol stack (Application, TCP, Internet Protocol (IP), Network Interface) with incoming traffic checked at the TCP layer; allowed traffic continues up the stack, disallowed traffic is dropped.]


The circuit level gateway uses the data in the packet headers to perform this check; it does not inspect the application data inside the packets. It is rarely deployed as a stand-alone firewall, but works alongside other firewalls such as packet filters and application proxies. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway, so the gateway hides the addresses of the network it protects. Circuit level gateways are relatively inexpensive.

When an internal system wants to reach an external system, the circuit level gateway intercepts the connection request, validates the TCP handshake, and opens its own connection to the destination, so the destination sees the gateway's address rather than the internal system's. When the reply arrives at the gateway, it checks that the reply belongs to a session it has already validated; if it does, the gateway relays the packet to the originating internal system, otherwise it drops the packet.

Advantages
• Hides private network data.
• Does not need to filter individual packets once a session has been approved.
• Does not require a separate proxy server for each application.
• Easy to implement.

Disadvantages
• Cannot scan active content, since it never looks at the application data.
• Handles only TCP connections, because the handshake it validates is TCP's.


Application Level Firewall

• Application level gateways are also called proxies
• They can filter packets at the application layer of the OSI model
• Incoming or outgoing packets cannot access services for which there is no proxy
• In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet, or other traffic through
• Because they examine packets at the application layer, they can filter application-specific commands such as HTTP POST and GET

Application Level Firewall (Cont'd)

[Figure: application level filtering shown against the network stack (Application, TCP, Internet Protocol (IP), Network Interface), with incoming traffic on one side and allowed outgoing traffic on the other.]

• Traffic is filtered based on specified application rules, applications (e.g. browser) and/or a protocol (e.g. FTP), or a combination of all of these
• Unknown traffic is only allowed up to the top of the network stack


An application level firewall controls input, output, and/or access to an application or service. It monitors, and where necessary blocks, requests and responses that do not meet the firewall's policy. Before allowing a connection, it evaluates the traffic for valid data at the application layer. The client and the server never communicate directly; every exchange passes through a proxy on the firewall. That proxy acts as the gateway between the two sides and drops data that violates the firewall's rules.

• Application level gateways, also called proxies, concentrate on the application layer rather than on individual packets.
• They inspect traffic at the application layer and decide whether or not to forward it.
• Because it works at the application layer, a proxy-based firewall can require the user to authenticate before traffic is passed.
• Incoming or outgoing packets cannot reach services for which there is no proxy. In plain terms, an application level gateway configured as a web proxy drops FTP, gopher, Telnet, or any other traffic that is not web traffic.
• Because filtering is performed at the application level, the gateway can filter application-specific commands such as HTTP GET or POST requests.
• A content caching proxy improves performance by caching frequently accessed content instead of fetching the same data from the origin server repeatedly.

The application level firewall checks each request against its filtering rules. Unauthorized requests are dropped, and authorized ones are forwarded to the application on the destination.


Stateful Multilayer Inspection Firewall

• A stateful multilayer inspection firewall combines the aspects of the other three types
• They filter packets at the network layer, determine whether session packets are legitimate and evaluate the contents of packets at the application layer
• They are expensive and require competent personnel to administer the device

[Figure: stateful multilayer inspection shown against the network stack (Application, TCP, Internet Protocol (IP), Network Interface), with incoming traffic on one side and allowed outgoing traffic on the other.]

• Traffic is filtered at three levels, based on a wide range of specified application, session, and packet filtering rules
• Unknown traffic is allowed up to level 2 of the network stack


Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device. Stateful packet filtering overcomes the main weakness of a plain packet filter: a packet filter judges each packet on its headers alone and cannot tell whether the packet belongs to a connection that was legitimately opened earlier.

It also eliminates the lack of transparency of application level gateways, because it allows a direct connection between client and host instead of terminating the connection at a proxy. These firewalls use algorithms to examine, filter and process the application layer data rather than proxies. Stateful multilayer inspection firewalls have many advantages, such as providing a high level of security, improved performance, and transparency to end users. They are quite expensive because of their complexity, and that complexity makes misconfiguration more likely than with simpler types of firewalls.

• This type of firewall remembers the packets that passed through it earlier and makes decisions about later packets based on that memory (the state table).
• These firewalls provide the best of both packet filtering and application-based filtering.
• Cisco Adaptive Security Appliances contain stateful firewalls.
• These firewalls track and log slots or translations.

Processing happens in stages. Packets that do not comply with the packet filtering rules are dropped at the network layer of the protocol stack. The remaining packets are passed to the next layer, where the firewall validates that each packet belongs to a known session; packets that are not part of a current session are dropped at the TCP layer. Finally, packets are filtered at the application layer, which lets the administrator allow only authorized actions through the firewall.
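The session memory that both the circuit level gateway (validating the TCP handshake) and the stateful inspection firewall (dropping packets that are not part of a current session) rely on can be shown with a small connection tracker. The following Python is an added example written for this section; it is not code from EC-Council or from any firewall product. The packet sequence is constructed, the trusted side is identified by an address prefix, and session teardown is simplified to a single FIN or RST; all of these are assumptions of the example.

```python
"""Stateful session tracking of the kind a circuit level gateway or stateful
inspection firewall performs: the TCP handshake opens a session, and later
packets are allowed only if they fit a session the firewall already knows."""
from dataclasses import dataclass

# TCP code bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str          # "ip:port"
    dst: str          # "ip:port"
    flags: int        # TCP code bits set in the header
    payload: int = 0  # bytes of application data carried (informational)


class ConnTracker:
    """Session table keyed by (initiator, responder); direction is derived per packet."""

    def __init__(self, inside_prefix: str):
        # Assumption for this example: the trusted side is identified by an address prefix.
        self.inside_prefix = inside_prefix
        self.table = {}   # (client, server) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def handle(self, pkt: Pkt) -> str:
        """Apply one packet to the table and return 'allow' or 'drop'."""
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)

        # 1. No session yet: only a bare SYN from the inside may open one.
        if fwd not in self.table and rev not in self.table:
            if pkt.flags == SYN and pkt.src.startswith(self.inside_prefix):
                self.table[fwd] = "SYN_SENT"
                return "allow"
            return "drop"   # unsolicited packet, or a connection attempt from outside

        # 2. Existing session: the packet must fit the state the handshake has reached.
        key, from_client = (fwd, True) if fwd in self.table else (rev, False)
        state = self.table[key]
        if state == "SYN_SENT" and not from_client and pkt.flags == SYN | ACK:
            self.table[key] = "SYN_RECV"
            return "allow"
        if state == "SYN_RECV" and from_client and pkt.flags == ACK:
            self.table[key] = "ESTABLISHED"
            return "allow"
        if state == "ESTABLISHED":
            if pkt.flags & (FIN | RST):
                del self.table[key]   # simplified teardown; real trackers follow the half-close
            return "allow"
        return "drop"   # out-of-state packet, e.g. data sent before the handshake completes


def demo() -> list:
    """Constructed packet sequence: a normal inside-to-outside web session followed by two
    unsolicited packets from outside. Returns the per-packet verdicts."""
    tracker = ConnTracker("10.1.1.")
    client, server = "10.1.1.7:51514", "203.0.113.5:80"
    return [
        tracker.handle(Pkt(client, server, SYN)),               # allow: inside opens a session
        tracker.handle(Pkt(server, client, SYN | ACK)),         # allow: expected handshake reply
        tracker.handle(Pkt(client, server, ACK)),               # allow: session established
        tracker.handle(Pkt(client, server, ACK, payload=120)),  # allow: request data
        tracker.handle(Pkt(server, client, ACK, payload=900)),  # allow: response data
        tracker.handle(Pkt("198.51.100.9:80", "10.1.1.7:40001", ACK, payload=40)),  # drop: no session
        tracker.handle(Pkt("198.51.100.9:4444", "10.1.1.7:22", SYN)),              # drop: outside-initiated
    ]
```

The sixth packet is the case a stateless packet filter gets wrong: it is an ACK to a high port on an internal host, which a "return traffic" rule would admit, but the tracker drops it because no session was ever opened. The tracker never looks at the payload, which is exactly why a circuit level gateway cannot scan active content.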


Application Level Proxy

• An application-level proxy works as a proxy server and filters connections for specific services
• It filters connections based on the services and protocols, when acting as a proxy
• For example, an FTP proxy will only allow FTP traffic to pass through, while all other services and protocols will be blocked

An application level proxy works as a proxy server: a server that sits between the user workstation and the Internet. It works together with the gateway and separates the enterprise network from the Internet. It receives a user's request for an Internet service, makes that request on the user's behalf, and returns only the response to that request. A proxy service is an application or program that forwards user requests (for example, FTP or Telnet) to the actual services. Proxies are also called application level gateways, because they terminate the client's connection, open a new connection of their own, and so act as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host. Some proxies, called caching proxies, exist mainly for network efficiency: they keep copies of the data requested by the hosts they proxy for and can serve that data directly when several hosts request the same thing. Caching proxies reduce the load on network connections, and a proxy server on a firewall provides both security and caching.

A proxy service sits between the user on the internal network and the service on the outside network (the Internet) and is transparent to both. Instead of communicating directly with each other, each side talks to the proxy, which handles all communication between the user and the Internet service. Transparency is the main advantage of proxy services: to the user, the proxy presents the illusion of dealing directly with the real server, and to the real server it presents the illusion of dealing directly with the user.


Advantages
• Proxy services are good at logging, because they understand the application protocol and can record requests at that level rather than as raw packets.
• Proxy services reduce the load on network links, because they can cache copies of frequently requested data and serve it locally instead of fetching it over the network again.
• Proxy systems can perform user-level authentication, because they take part in the connection.
• Proxy systems automatically protect hosts with weak or faulty IP implementations, because the proxy sits between the client and the Internet and generates new IP packets on the client's behalf.

Disadvantages
• Proxy services lag behind new services: a new protocol cannot be proxied until suitable proxy software is available.
• Each service may need its own proxy, and different services may run on different proxy servers.
• Proxy services may require changes to clients, applications, and procedures.
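Both the Application Level Firewall section above and this one make the same point: because a proxy parses the application protocol, it can refuse traffic that is not that protocol at all, filter individual commands (GET versus TRACE), and write a meaningful log line. The following Python is an added example for this section, not code from EC-Council or from any proxy product. The sample requests and the policy sets (permitted methods, permitted URL schemes, a blocked host) are constructed for the example.

```python
"""Application-layer filtering as an application level gateway acting as a web proxy does it:
parse the HTTP request, then decide on the method, scheme and destination host.
Anything that is not a well-formed HTTP request (an FTP command, for instance) is refused."""
from urllib.parse import urlsplit

# Policy for this example (assumed, not taken from any real product)
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTS = {"bad.example"}


def parse_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request. Returns None if malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def decide(raw: bytes):
    """Return (verdict, detail). 'detail' is the log line a proxy would write, or the deny reason."""
    req = parse_request(raw)
    if req is None:
        return "deny", "malformed: not an HTTP/1.x request"
    if req["method"] not in ALLOWED_METHODS:
        return "deny", f"method {req['method']} not permitted"
    if "://" in req["target"]:              # proxy-style request carrying an absolute URL
        parts = urlsplit(req["target"])
        if parts.scheme not in ALLOWED_SCHEMES:
            return "deny", f"scheme {parts.scheme} is not proxied"
        host = parts.hostname
    else:                                   # origin-form request: destination comes from Host
        host = req["headers"].get("host")
    if not host:
        return "deny", "no destination host"
    if host.lower() in BLOCKED_HOSTS:
        return "deny", f"host {host} blocked by policy"
    return "allow", f"{req['method']} {host} {req['target']} body={len(req['body'])}B"


# Constructed sample requests, as a client would send them to the proxy.
GET_OK = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
POST_OK = b"POST /login HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 8\r\n\r\nuser=bob"
TRACE_BAD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FTP_COMMAND = b"USER anonymous\r\n"
FTP_URL = b"GET ftp://files.example/pub/ HTTP/1.1\r\nHost: files.example\r\n\r\n"
BLOCKED = b"GET http://bad.example/ HTTP/1.1\r\nHost: bad.example\r\n\r\n"

if __name__ == "__main__":
    for sample in (GET_OK, POST_OK, TRACE_BAD, FTP_COMMAND, FTP_URL, BLOCKED):
        print(decide(sample))
```

The FTP command and the ftp:// URL are both refused, which is the "a web proxy will not allow any FTP traffic through" behaviour in practice; a packet filter looking only at addresses and ports could not tell the FTP command from a web request on the same port.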


Network Address Translation (NAT)

• Network address translation separates IP addresses into two sets and enables the LAN to use these addresses for internal and external traffic respectively
• It works with a router, the same as packet filtering does, and modifies the packets the router sends at the same time
• It changes the address of a packet so that it appears to have come from a valid (externally routable) address
• It reduces the number of public IP addresses an organization needs
• It can act as a firewall filtering technique: it allows only connections that originate on the inside network and blocks connections that originate on the outside network

NAT helps hide the internal network layout and forces connections to go through a choke point. NAT works with the help of a router, which forwards packets while NAT rewrites them. When an internal machine sends a packet to an outside machine, NAT modifies the source address so that the packet appears to come from a valid external address. When the outside machine sends a packet back to the internal machine, NAT modifies the destination address, turning the externally visible address back into the correct internal address. NAT can also rewrite the source and destination port numbers. NAT systems use different schemes for translating between internal and external addresses:

• Assign one external address to each internal address and always apply the same translation (static NAT). This gives no saving in address space, since every internal host still needs its own external address.
• Dynamically allocate an external address, without modifying the port numbers, at the time an internal host initiates a connection. This restricts the number of internal hosts that can access the Internet at the same time to the number of available external addresses.
• Create a fixed mapping from internal addresses to externally visible addresses, but use port mapping so that multiple internal machines share the same external addresses.
• Dynamically allocate an external address and port pair each time an internal host initiates a connection. This makes the most efficient possible use of the external addresses.


Advantages
• Network address translation helps enforce the firewall's control over outbound connections.
• It restricts incoming traffic to packets that are part of a current interaction initiated from the inside.
• It hides the internal network's configuration, which reduces the information available to an attacker.

Disadvantages
• The NAT system has to guess how long to keep a particular translation alive, and it cannot guess correctly every time: expire it too early and a live connection breaks, too late and the table fills with dead entries.
• NAT interferes with encryption and authentication systems that protect the IP header (IPsec AH, for example), because the rewritten addresses no longer match what the endpoints signed.
• Dynamic allocation of ports may interfere with packet filtering, since the external port a connection will use is not known in advance.
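The last translation scheme listed above (a dynamic address and port pair per connection), together with the timeout and inbound-blocking behaviour described here, can be simulated in a few dozen lines. The following Python is an added example for this section, not code from EC-Council or from any NAT implementation. It assumes a single public address, sequential port allocation from 40000, one idle timeout for every translation, and translations keyed on the remote endpoint as well as the public port; the packets are constructed.

```python
"""Dynamic NAPT: each outbound connection gets an (external address, port) pair, the
translation is remembered so replies can be mapped back, and entries expire after
an idle timeout. Unsolicited inbound packets have no translation and are dropped."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, idle_timeout: int = 300, first_port: int = 40000):
        # Assumptions for this example: one public address, sequential port allocation,
        # and a single idle timeout (seconds) for every translation.
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self._ports = itertools.count(first_port)
        self.out = {}    # (in_ip, in_port, dst_ip, dst_port) -> (public_port, last_seen)
        self.back = {}   # (public_port, dst_ip, dst_port) -> (in_ip, in_port)

    def _expire(self, now: int) -> None:
        """Drop translations idle longer than the timeout (the guess the text describes)."""
        for key, (pport, last_seen) in list(self.out.items()):
            if now - last_seen > self.idle_timeout:
                del self.out[key]
                del self.back[(pport, key[2], key[3])]

    def outbound(self, pkt: Pkt, now: int) -> Pkt:
        """Rewrite the source of an inside-to-outside packet to the public address and port."""
        self._expire(now)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.out:
            pport = self.out[key][0]
        else:
            pport = next(self._ports)
            self.back[(pport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        self.out[key] = (pport, now)
        return Pkt(self.public_ip, pport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Pkt, now: int):
        """Rewrite the destination of an outside-to-inside packet; None means no translation
        exists, so the packet is dropped (connections cannot originate from outside)."""
        self._expire(now)
        entry = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or entry is None:
            return None
        in_ip, in_port = entry
        self.out[(in_ip, in_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_port, now)
        return Pkt(pkt.src_ip, pkt.src_port, in_ip, in_port)


def demo():
    """Two inside hosts using the same source port share one public address."""
    nat = Napt("203.0.113.1", idle_timeout=300)
    a = nat.outbound(Pkt("10.1.1.7", 51514, "198.51.100.9", 80), now=0)
    b = nat.outbound(Pkt("10.1.1.8", 51514, "198.51.100.9", 80), now=1)
    reply_b = nat.inbound(Pkt("198.51.100.9", 80, "203.0.113.1", b.src_port), now=2)
    unsolicited = nat.inbound(Pkt("198.51.100.9", 80, "203.0.113.1", 40002), now=3)
    stale = nat.inbound(Pkt("198.51.100.9", 80, "203.0.113.1", a.src_port), now=400)
    return a, b, reply_b, unsolicited, stale
```

In `demo()` the two hosts are given ports 40000 and 40001 so their replies can be told apart, the packet to port 40002 has no translation and is dropped, and the reply to host A at time 400 is dropped because the translation was idle longer than the timeout: a long-lived but quiet connection breaks, which is the timeout disadvantage listed above.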


Virtual Private Network (VPN)

• A VPN is a private network constructed using public networks, such as the Internet
• It is used for the secure transmission of sensitive information over an untrusted network, using encapsulation and encryption
• It establishes a virtual point-to-point connection through the use of dedicated connections
• The computing device running the VPN software can only access the VPN

A VPN provides secure access to a network across the Internet and is commonly used to connect sites over a wide area network (WAN). It allows computers on one network to reach computers on another network. It employs encryption and integrity protection so that a public network can be used as if it were private. A VPN performs its encryption and decryption outside the packet-filtering perimeter, so that packets arriving from other sites can still be inspected once they are decrypted. A VPN encapsulates the packets it sends over the Internet. In effect, a VPN tries to combine the advantages of public and private networks. VPNs are not firewall technology as such, but firewalls are a convenient place to add VPN features, since both provide secure remote access. All virtual private networks that run over the Internet follow the same sequence:

• Encrypt the traffic
• Add integrity protection
• Encapsulate it in new packets, which are sent across the Internet to something that reverses the encapsulation
• Check the integrity
• Then finally, decrypt the traffic


Advantages
VPNs provide security advantages such as:

• A VPN hides all the traffic that flows over it: the traffic is encrypted, which protects the data from snooping.
• It provides remote access to protocols without exposing them to attack from the Internet at large.

Disadvantages
• Because the VPN extends the destination network out over a public network, a compromised remote endpoint becomes a path into that network.


Firewall Architectures

Bastion host:
• A bastion host is a computer system designed and configured to protect network resources from an attack. It is placed between two networks and acts as an application level gateway
• Traffic entering or exiting the network passes through a firewall, which has two interfaces:
  • The public interface is connected directly to the Internet
  • The private interface is connected to the Intranet

Screened subnet:
• The screened subnet or DMZ (additional zone) contains hosts that offer public services
• The public zone is connected directly to the Internet and has no hosts which are controlled by the organization
• The private zone consists of systems Internet users have no business accessing

Multi-homed firewall:
• This type of firewall consists of three interfaces which allow for further subdividing of the systems based on specific security objectives in the organization

[Figure: the three architectures drawn as Internet, Firewall (or Firewall 1 and Firewall 2), Bastion Host and Intranet segments.]

An organization will generally implement the firewall as a single machine that provides highly effective network-based security control. It may be a router or a host. The three types of firewall architectures and their uses are explained below:

Bastion Host
A bastion host is a computer system designed and configured to protect network resources from attack. It acts as a mediator between the inside and outside networks. The firewall resides between the Internet and the protected private network and filters all traffic entering or leaving the network. The bastion host provides the platform for an application level or circuit level gateway, and it requires additional authentication before a user may use the proxy services. A network administrator installs only the essential services or applications on the bastion host, because any service it runs is exposed to the outside network. Simple networks that do not offer any Internet services use a bastion host topology. Where there are two firewalls, the bastion host is placed between them, on the public side of the DMZ. Examples of services that run on bastion hosts include mail, DNS and FTP servers.
Traffic entering or leaving the network passes through the firewall. It has two interfaces:

• The public interface is directly connected to the Internet.
• The private interface is connected to the Intranet.


Screened Subnet
In its single-firewall form, the screened subnet is also known as a "triple-homed firewall" and uses one firewall with three network interfaces. The first interface connects to the Internet, the second to the DMZ, and the third to the intranet. The screened subnet, or DMZ (an additional zone), contains the hosts that offer public services. The public zone connects directly to the Internet and has no organization-controlled hosts. The main advantage of the screened subnet is that it separates the DMZ and the Internet from the intranet: if a host in the DMZ is compromised, the intranet still sits behind a separate interface with its own policy, so the attacker gains no direct access to it.

In its classic two-router form, the screened subnet architecture consists of two screening routers, one placed between the perimeter network and the internal network, and the other between the perimeter network and the external network. This form is more secure because, to enter the internal network, an attacker has to get past both routers.

Multi-homed Firewall
A multi-homed firewall connects to two or more networks. Typically it has three or more interfaces, which allows the systems to be subdivided further according to the organization's specific security objectives. Each interface connects to a separate network segment, logically and physically, and the administrator can assign a different security policy to each interface. Internet users can reach only the presentation servers, which alone have access to the middleware servers, which in turn can access only the data servers. A multi-homed firewall increases the efficiency and reliability of an IP network. It provides all the functions of a firewall in a single box and replaces the IP router: IP forwarding is disabled, so packets are not forwarded at the IP layer. Instead the multi-homed host processes each packet up through the application layer, which gives complete control over how the packet is handled.

A dual-homed host is the simplest multi-homed host. It has two network interface cards (NICs), one connected to the external (untrusted) network and the other to the internal (trusted) network. The key point is that it does not route traffic from the untrusted network directly onto the trusted network; the firewall software on the host acts as an intermediary.


Choosing the Correct Firewall Topology

• Choose a firewall topology that best suits your IT infrastructure and provides maximum effectiveness
• Choose the topology based on the risks and benefits that they offer:
  • Choose a bastion host topology if the organization uses a relatively simple network and does not provide any public services
  • Choose the screened subnet topology if the organization offers public services
  • Choose the multi-homed firewall topology if the organization's network has different zones which were created based on specific security objectives
• Place a separate firewall for each isolated network zone, based on the security demand

Before deploying a firewall on the network as part of their perimeter protection strategy, organizations should understand which firewall topology best suits their business needs.

Bastion Host
This topology is ideal for simple networks. It monitors the traffic between the private network and the outside world (the Internet). It offers a single layer of protection, so the network may be compromised if an attacker gets through that layer. Routing every user's Internet access through this firewall keeps the network relatively safe from threats. Organizations use this topology to protect a corporate network that is used for Internet browsing and internal communication. It does not provide sufficient protection for web hosting or for protecting an e-mail server.

Screened Subnet
This topology is ideal for an organization hosting a website or an e-mail server. A screened subnet provides services to Internet users securely. The servers that provide public services are placed in a separate zone called a demilitarized zone (DMZ), which keeps the trusted network isolated from the Internet. Users inside the trusted network reach the Internet through the firewall. Even if an attacker compromises a server in the DMZ, they still cannot reach the trusted network behind it.


Multi-homed Firewall
A multi-homed firewall protects the trusted network even if the demilitarized zone (DMZ) is compromised. It operates on two or more network interfaces: one connects to the untrusted network (the Internet) and another to the trusted network. A DMZ is added to a multi-homed firewall by adding a third interface. The rules protecting the DMZ are less strict than those protecting the private network. Rules that let DMZ hosts initiate connections into the private network should be kept to the minimum the applications need, because each such rule is a path inward if a DMZ host is compromised. This topology is ideal for organizations maintaining two or more network zones.


Build an Appropriate Firewall Ruleset

• Design and configure a firewall ruleset based on the organizational security need
• The firewall ruleset consists of the rules which establish the functionality of the firewall
• A firewall ruleset contains the following information (based on the firewall platform architecture):
  • Packet source address
  • Packet destination address
  • Traffic type
  • Action (Allow, Deny, Drop)

You should build rulesets that support and implement the organization's firewall policy while offering good performance. They should be specific to the network traffic they handle and include information such as the traffic types required and the protocols used for management. The type of firewall and the specific product affect how the ruleset is developed.
A firewall rule allows a computer to send or receive packets from a program, service, computer and/or user. Firewall rules allow three actions:
• Allow the connection.
• Allow the connection only if it is secured through IPsec.
• Block the connection.
These rules apply to both inbound and outbound traffic, and can be applied to a variety of network adapters, including LAN, wireless and remote access.
Most firewall platforms use rulesets as their common mechanism for implementing security controls, and the contents of the ruleset establish the functionality of the firewall. Depending on the firewall's platform architecture, a ruleset contains the following information:

• Packet source address.
• Packet destination address.


• Traffic type.
The ruleset should ensure that port filtering is performed both at the outer edge of the network and inside it. The ruleset should also raise an alert if a user logs on to the firewall or changes any of the rules.


Blacklist vs Whitelist

• Blacklist: all packets are allowed, except those set to deny
• Whitelist: all packets are denied, except those set to allow

There are two ways to define firewall rules, depending on the approach chosen when writing the rules, how far vulnerabilities on the network are to be reduced, and the functionality to be offered. The two approaches are:

Black list
• In this approach, the network administrator enumerates the properties of known malicious traffic, and the firewall blocks such traffic from entering the internal network.
• This configuration is easy to set up, but it only stops the traffic the administrator anticipated.
• The firewall allows all packets, except the ones set to deny.

White list
• In this approach, the firewall is configured with the properties of acceptable traffic.
• All packets are denied by the firewall, except those that are set to allow.


Example: The Packet Filter Firewall Ruleset

The following table illustrates a sample packet filter firewall ruleset, helping you to configure the packet filtering rules in software as well as hardware firewalls.

The following table shows how to build the ruleset for a packet filtering firewall. Rules are evaluated in order and the first match decides, so the last rule is a catch-all deny (the whitelist approach).

The first rule in the table reads: if traffic arrives from any source IP address and source port, is addressed to the internal network (10.1.1.0 here) and its destination port is greater than 1023, the firewall allows it. This admits the replies to connections that internal hosts opened, which a stateless packet filter cannot otherwise recognize; it also admits any unsolicited packet aimed at a high port on an internal host, which is one reason stateful inspection is preferred. Rule 2 denies everything sent by 10.1.1.1 and rule 3 denies everything sent to it. Note that rule 4, as written, matches exactly the traffic rule 2 has already denied, so it never takes effect; a rule meant to let internal hosts reach outside servers would name the internal subnet (10.1.1.0) instead. Rules 5 and 6 admit HTTP to 10.1.1.2 and SMTP to 10.1.1.3, and rule 7 denies everything else.

S.No | Source Address | Source Port | Dest Address | Dest Port | Action
1    | Any            | Any         | 10.1.1.0     | >1023     | Allow
2    | 10.1.1.1       | Any         | Any          | Any       | Deny
3    | Any            | Any         | 10.1.1.1     | Any       | Deny
4    | 10.1.1.1       | Any         | Any          | Any       | Allow
5    | Any            | Any         | 10.1.1.2     | HTTP      | Allow
6    | Any            | Any         | 10.1.1.3     | SMTP      | Allow
7    | Any            | Any         | Any          | Any       | Deny

TABLE 7.2: Packet filtering firewall ruleset
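The packet filter fields listed at the start of this topic (source and destination address, source and destination port) and the ruleset in Table 7.2 can be exercised together with a small first-match evaluator. The following Python is an added example for this section, not code from EC-Council or from any firewall product. It assumes that a bare address ending in .0 in the table means a /24 network, that the service names map to their standard ports, and that evaluation is first-match with an implicit deny; the test packets are constructed. Beyond evaluating packets, it also checks the ruleset for shadowed rules, which is the check a practitioner runs on any ordered ruleset.

```python
"""First-match evaluation of a packet filter ruleset, plus a check for rules that
can never match because an earlier rule already covers everything they would."""
import ipaddress
from dataclasses import dataclass

SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "SMTP": 25, "DNS": 53, "SSH": 22}


@dataclass(frozen=True)
class Rule:
    num: int
    src: str      # address, network, or "Any"
    sport: str    # port number, ">1023", service name, or "Any"
    dst: str
    dport: str
    action: str   # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _net(spec: str):
    # Assumption for this example: a bare network address ending in .0 means a /24.
    if "/" not in spec and spec.endswith(".0"):
        spec += "/24"
    return ipaddress.ip_network(spec, strict=False)


def _port_num(spec: str) -> int:
    return SERVICE_PORTS[spec.upper()] if spec.upper() in SERVICE_PORTS else int(spec)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "Any" or ipaddress.ip_address(addr) in _net(spec)


def _port_match(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == _port_num(spec)


def evaluate(rules, pkt: Packet):
    """Return (rule number, action) of the first matching rule, or (None, 'Deny')."""
    for r in rules:
        if (_addr_match(r.src, pkt.src) and _port_match(r.sport, pkt.sport)
                and _addr_match(r.dst, pkt.dst) and _port_match(r.dport, pkt.dport)):
            return r.num, r.action
    return None, "Deny"


def _addr_covers(a: str, b: str) -> bool:
    """True if every address matched by spec b is also matched by spec a."""
    if a == "Any":
        return True
    if b == "Any":
        return False
    return _net(b).subnet_of(_net(a))


def _port_covers(a: str, b: str) -> bool:
    if a == "Any":
        return True
    if b == "Any":
        return False
    if a.startswith(">"):
        low = int(a[1:])
        return int(b[1:]) >= low if b.startswith(">") else _port_num(b) > low
    return not b.startswith(">") and _port_num(a) == _port_num(b)


def shadowed_rules(rules):
    """(later, earlier) pairs where the earlier rule matches everything the later one would."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_addr_covers(earlier.src, later.src) and _port_covers(earlier.sport, later.sport)
                    and _addr_covers(earlier.dst, later.dst) and _port_covers(earlier.dport, later.dport)):
                found.append((later.num, earlier.num))
                break
    return found


TABLE_7_2 = [
    Rule(1, "Any", "Any", "10.1.1.0", ">1023", "Allow"),
    Rule(2, "10.1.1.1", "Any", "Any", "Any", "Deny"),
    Rule(3, "Any", "Any", "10.1.1.1", "Any", "Deny"),
    Rule(4, "10.1.1.1", "Any", "Any", "Any", "Allow"),
    Rule(5, "Any", "Any", "10.1.1.2", "HTTP", "Allow"),
    Rule(6, "Any", "Any", "10.1.1.3", "SMTP", "Allow"),
    Rule(7, "Any", "Any", "Any", "Any", "Deny"),
]
# The same ruleset with rule 4 written against the internal subnet instead of 10.1.1.1.
CORRECTED = [r if r.num != 4 else Rule(4, "10.1.1.0", "Any", "Any", "Any", "Allow") for r in TABLE_7_2]
```

Running `shadowed_rules(TABLE_7_2)` reports that rule 4 is covered by rule 2, and evaluating the web server's reply (10.1.1.2 port 80 to an outside client) against the table as printed ends at rule 7, a deny; against `CORRECTED` the same reply matches rule 4. A packet from outside to port 51514 on an internal host is allowed by rule 1 whether or not anyone asked for it, which is the stateless weakness noted above.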


If you want to allow all IP traffic between a trusted external host and your internal hosts, the firewall rules will be as shown in the following table:

Rule | Direction | Source Address        | Destination Address   | ACK Set | Action
A    | Inbound   | Trusted external host | Internal              | Any     | Permit
B    | Outbound  | Internal              | Trusted external host | Any     | Permit
C    | Either    | Any                   | Any                   | Any     | Deny
TABLE 7.3: IP traffic between a trusted external host and internal hosts

Use the following practices to build packet filtering rulesets more effectively and securely:

• Edit your filtering rules offline, then load the reviewed set.
• Reload rulesets from scratch each time, rather than patching the running set, so that the firewall's state matches the file you reviewed.
• Always use IP addresses, never hostnames: a hostname in a rule makes the rule depend on DNS, which an attacker can spoof.


• Build a firewall that handles application traffic like web, email, or Telnet
• The policy should explain how the firewall is to be updated and managed

The steps involved in creating a firewall policy are as follows:

1. Identify the network applications that are of utmost importance
2. Identify the vulnerabilities that are related to the network applications
3. Prepare a cost-benefit analysis to secure the network applications
4. Create a network application traffic matrix to identify the protection method
5. Create a firewall ruleset that depends on the application's traffic matrix


Firewall policy implementation should follow the organization's system security plan with regard to network traffic: the types of traffic and protocols, and the source and destination addresses required by the organization's applications.

Define a firewall policy that explains how the firewall is set up, operated, updated and maintained. The policy includes the scope of the firewall, the services offered and the types of communications supported.
The steps involved in creating a firewall policy are:

• Step 1: Identify the network applications that are of utmost importance, the traffic they generate, the bandwidth required and the type of connection they use

• Step 2: Identify the vulnerabilities related to the network applications and their impact on the network as well as on the systems

• Step 3: Prepare a cost-benefit analysis for securing the network applications

• Step 4: Create a network application traffic matrix to identify the protection method

• Step 5: Create a firewall rule set based on the application traffic matrix
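Steps 4 and 5 are the ones that turn into configuration. The following added example (not courseware code) encodes a small traffic matrix and derives an ordered nftables forward chain from it; the zone addresses, the matrix rows, the nftables output format and the "allow+log" protection method are assumptions chosen for illustration.

```python
"""Derive a firewall ruleset (step 5) from a network application traffic
matrix (step 4). Added example, not courseware code. The zones, the matrix
rows and the nftables output format are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    """One row of the traffic matrix: an application flow and its protection method."""
    app: str
    src_zone: str
    dst_zone: str
    proto: str        # "tcp" or "udp"
    port: int
    protection: str   # "allow", "allow+log" or "deny"


ZONES = {             # constructed sample zones
    "internet": "0.0.0.0/0",
    "dmz": "192.0.2.0/24",
    "lan": "10.1.1.0/24",
}

MATRIX = [            # constructed sample matrix
    Flow("web", "internet", "dmz", "tcp", 443, "allow"),
    Flow("mail", "internet", "dmz", "tcp", 25, "allow+log"),
    Flow("dns", "lan", "dmz", "udp", 53, "allow"),
    Flow("telnet", "internet", "lan", "tcp", 23, "deny"),
]


def build_ruleset(matrix, zones):
    """Translate the matrix into an ordered nftables forward chain.

    Deny rows are emitted before allow rows so an explicit deny is never
    shadowed by a broader allow; replies ride on conntrack state; and the
    chain ends with the default-drop policy."""
    lines = ["table inet filter {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    ordered = sorted(matrix, key=lambda f: f.protection != "deny")  # denies first
    for f in ordered:
        src, dst = zones[f.src_zone], zones[f.dst_zone]
        match = f"ip saddr {src} ip daddr {dst} {f.proto} dport {f.port} ct state new"
        log = f'log prefix "{f.app}: " ' if f.protection == "allow+log" else ""
        verdict = "drop" if f.protection == "deny" else "accept"
        lines.append(f'    {match} {log}{verdict} comment "{f.app}"')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The generated text can be loaded with nft -f; the point of generating it from the matrix is that the matrix, not the device, becomes the reviewed artifact, and the ordering rule (explicit denies first, default drop last) is enforced mechanically rather than by hand.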

Checklist: Implementing a basic firewall policy

• Always confirm that the policies implemented meet the needs of the organization.

• Always create one or more firewall rules for inbound traffic so that only the inbound network traffic the organization deliberately wants to accept is allowed.


Periodic Review of Firewall Policies

• Create periodic reviews of firewall policies to achieve accuracy and timeliness
• Review and update firewall policies every six months
• If a firewall application is upgraded, then the firewall's rule set must be formally changed as well
• Firewall installs, systems and other resources must be audited on a regular basis

Periodic reviews include:
• Actual audits and vulnerability assessments of production
• Backup infrastructure components
• Computer systems


According to recent studies, almost 80% of installed firewalls were misconfigured. Any small error in the firewall increases risk for an organization. Security, regulatory compliance, network availability and performance all suffer if there are issues in the firewall.

Firewall policies should keep pace with day-to-day changes in threat levels in order to maintain a protected network. You have to verify regularly that the policy and the processes it defines are still able to counter new risks and attacks.

The steps to review the policies are:

• Create periodic reviews for firewall policies to achieve accuracy and timeliness.
• Review and update firewall policies every six months.
• If a firewall's application is upgraded, then the firewall's ruleset must be formally changed as well.
• Firewall installs, systems and other resources must be audited on a regular basis.

The scheduled periodic firewall policy reviews include:

• Actual audits and vulnerability assessments of production systems, which give a good idea of what systems are in use, the internal communication patterns deployed and the types of attack they are prone to.

• Backup infrastructure components, which provide a backup in case an attack leads to data loss.


• Computer systems, shared drives, email servers, web servers and secured networks at various locations must also be reviewed in order to keep the systems updated, which offers the best speed and efficiency.

Scheduled reviews examine the following:

• Whether proper firewall policies are implemented for each firewall.
• Firewall rules that are rarely used and whether they can be eliminated.
• Whether any change in network security has given rise to additional or new security exposures.

Periodic firewall reviews help increase the security, availability and performance of the organization's network.
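Finding the rarely used rules mentioned above is mechanical once you have per-rule counters. The following added example (not courseware code) parses constructed output in the iptables -nvL format and lists the rules whose packet counter never moved; on a real system you would snapshot the counters at the start and end of the review window, because they reset at reboot or on a counter zeroing.

```python
"""List firewall rules that never matched during the review window.

Added example, not courseware code. SAMPLE_COUNTERS is constructed to
mimic `iptables -nvL FORWARD` output (packet and byte counters per rule);
the interface names and addresses are made up.
"""
import re

SAMPLE_COUNTERS = """\
Chain FORWARD (policy DROP 17 packets, 1020 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812 6.1M  ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.10           tcp dpt:443
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            192.0.2.20           tcp dpt:23
  341 27K   ACCEPT     udp  --  eth1   eth0    10.1.1.0/24          192.0.2.53           udp dpt:53
    0     0 ACCEPT     tcp  --  eth0   eth1    203.0.113.9          10.1.1.0/24          tcp dpt:3389
"""

# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)


def parse_counters(text):
    """Return one dict per rule line, numbered in chain order."""
    rules = []
    for line in text.splitlines():
        if line.startswith("Chain") or line.lstrip().startswith("pkts"):
            continue  # chain banner and column header
        m = RULE_RE.match(line)
        if not m:
            continue
        pkts, _bytes, target, proto, inif, outif, src, dst, extra = m.groups()
        rules.append({"index": len(rules) + 1, "pkts": int(pkts), "target": target,
                      "proto": proto, "in": inif, "out": outif,
                      "src": src, "dst": dst, "extra": extra.strip()})
    return rules


def unused_rules(text):
    """Rules with a zero packet count: candidates for removal at the review."""
    return [r for r in parse_counters(text) if r["pkts"] == 0]


def describe(rule):
    """One-line human summary for the review report."""
    return (f'#{rule["index"]} {rule["target"]} {rule["proto"]} '
            f'{rule["src"]} -> {rule["dst"]} {rule["extra"]}')
```

A zero counter is evidence, not proof: a rule protecting a yearly process, or one that was only added last week, will also show zero. Treat the output as the list of rules whose owners must justify them, and remove a rule only after that justification fails.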


Before Deploying and Implementing a Firewall

• Conduct a security risk assessment to identify all possible threats to the organization
• Identify the potential impact of threats to the confidentiality, integrity, and availability of an organization's information system
• Build an organization's security policy from the results of the risk assessment
• The organization must determine if it needs to implement a firewall to enforce the new security policies


There are some factors to consider before implementing a firewall solution on the network. It is the responsibility of the network administrator to identify network security issues and address them during firewall implementation.

When implementing a firewall for the network, organizations must plan the positioning of the firewalls in advance. They should also conduct a security risk assessment to learn where a threat to the network would most likely originate and why. Depending on the potential origin of threats, administrators build a layout for the firewall implementation. If an organization is considering implementing a firewall, it should outline a consistent security policy in advance, based on the risk assessment. The security policy must determine how basic communication will take place at the firewall, where the firewall must sit and how to configure it.


Firewall Implementation and Deployment

• Use a step-by-step process to ensure a successful firewall implementation and deployment
• The process helps to minimize any unforeseen issues and identify any potential pitfalls early on

Firewall Implementation and Deployment Process:
Planning -> Configuring -> Testing -> Deploying -> Managing and Maintaining


Administrators use a phased approach to implement and deploy a firewall that ensures network security. A five-phase approach to implementation and deployment minimizes unforeseen issues and identifies potential pitfalls early. The phases are planning, configuring, testing, deploying, and managing.

• While planning a firewall implementation, consider all the requirements to determine which firewall to implement while enforcing network security policies.

• After planning, administrators focus on configuring the firewall hardware and software components and setting up rules for the system to work effectively.

• Administrators test the firewall prototype and its environment after successfully configuring the firewall. They need to assess the functionality, performance, scalability, and security of the firewall for possible vulnerabilities and issues in the components.

• After resolving all issues encountered during the testing phase, administrators deploy the firewall into the network.

• After successfully deploying the firewall, administrators monitor it, maintain its components and resolve operational issues throughout its lifecycle. They incorporate enhancements or significant changes when needed.


Planning Firewall Implementation

Identify and consider all requirements to determine which firewall to implement and enforce an organization's security policy

Points of consideration while choosing a firewall:

• Don't construct a firewall using other networking equipment, such as a router, that is not meant for use as a firewall. It overloads the equipment and does not provide the security intended
• Don't overload the firewall with non-security services such as configuring it to be a web server, email server, etc.
• Use firewalls at multiple levels
• Sensitive network data, resources or systems should be placed behind an internal firewall so that attacks from within the organization are also contained
• Perform extensive market research to find out the capabilities and limitations of each firewall model


A proper risk assessment is conducted before planning a firewall implementation.

The planning includes:

• Detecting possible threats and vulnerabilities in the network.
• Evaluating the possible impact of a threat.
• Identifying appropriate security controls.

Points to consider while choosing a firewall:

• Do not configure a firewall on a device not meant for firewall purposes. For example, configuring a firewall to run on a router puts an additional burden on the router's own functionality.

• Do not enable additional non-security services such as a web server or email server on the firewall. This overloads the device and reduces its efficiency at providing network security.

• Administrators should consider deploying firewalls at different locations: at the perimeter, between departments and at the individual host level.

• Treat implementing a firewall as an obligation, especially as part of the overall security program.

• Concentrating on external threats leaves the network vulnerable to internal threats or inside attacks. Keep all sensitive and critical systems behind internal firewalls.


• The administrator needs to be careful when choosing a specific type of firewall; the choice should be based on the techniques each type uses and its limitations. Organizational security policies have a great impact on the type of firewall used.


Factors to Consider before Purchasing a Firewall Solution

• Will it provide remote and centralized management capabilities?
• What will be its throughput, maximum simultaneous connections, connections per second, and latency time?
• Will it be easy to integrate into the existing network infrastructure or require specific hardware?
• What do you need to secure?
• Which types of firewall technologies should it support?
• What kind of additional security features does it have?

Factors to Consider before Purchasing a Firewall Solution (Cont'd)

Physical Requirements
• Will it require any additional physical requirements such as additional power, backup power, cooling system, or network connections?

Personnel
• Will the administrator require any training to implement, deploy, administer and manage the firewall?
• Will it meet the future needs of the organization?


The organization should consider the following factors before purchasing and implementing any firewall solution for its network.

• Management: The firewall should support encrypted management protocols such as HTTPS and SSH, or out-of-band access over a serial console, for remote management. Check whether these remote management protocols are acceptable under the organization's policies. Administrators need to ensure that remote management can be restricted to certain firewall interfaces and source IP addresses. Look for centralized management from the same vendor; if it is available, check whether it is a vendor-specific application that performs this operation or some other application that controls it.

• Performance: Evaluate the firewall's throughput, the number of simultaneous connections, the connections it can set up per second and its latency. Check its resistance to bottleneck problems. Evaluate its failover and load balancing functionality.

• Integration: Consider the hardware requirements for the firewall implementation. The firewall needs to be compatible with all other security devices. Check the compatibility of the firewall's logging with the existing log management system.

• Security Capabilities: Consider all the areas of the organization that require security. Choose the type of firewall technology (packet filtering, stateful inspection, application firewall, application-proxy gateway) that best addresses the kinds of traffic you want to control. Administrators should also consider other network security capabilities, such as an intrusion detection system, VPN and content filtering, when choosing a firewall.

• Physical Requirements: Consider the physical space and protection required for the firewall, for example extra shelf or rack space, adequate backup power and air conditioning at the location where the firewall is placed.

• Personnel: Management should choose the network operators or other personnel responsible for managing the firewall. The organization must train the network administrators on managing and maintaining the firewall before deploying it.

• Future Needs: Choose a firewall that meets the future needs of the organization, such as plans to move to IPv6, anticipated bandwidth requirements, and compliance with regulations expected to come into force.


Configuring Firewall Implementation

Requires a series of steps for successful firewall configuration

Hardware and software installation
• Install the hardware, OS, patches, vendor updates and any underlying firewall software when a software firewall is being implemented
• Install patches and vendor updates on the system when a hardware based firewall is implemented
• Configure the firewall to protect against unauthorized access
• Configure the admin account for firewall administration duties

Configuring policies
• Create and configure the firewall policies and rules

Configuring logging and alerting
• Set up logging and alerts to detect security incidents

Integrating firewall into network architecture
• Integrate the firewall with the existing network infrastructure, with or without specific hardware depending on the selection of the firewall


Configuring a firewall involves configuring various components and features: hardware, software, policy, and the logging and alerting mechanisms.

Hardware and Software Installation

After selecting a certain type of firewall for implementation, the administrator proceeds with the installation and configuration of the hardware and operating system. If a software-based firewall is being implemented, administrators install the necessary software. It is important to install patches and vendor updates promptly for both types of firewall. Install the remote management software needed to reach the firewall console, and lock it down to prevent unauthorized access: access to the firewall should be restricted to the network administrators responsible for managing it. Disable management services the firewall does not need, such as SNMP. Configure new admin accounts if the firewall supports separate administrator accounts for firewall administration duties.

Configuring Policies

Administrators focus on creating the firewall's policies after installing the firewall's hardware and software. A ruleset's design depends on the type of traffic flowing through the network, including the protocols the firewall itself relies on, such as DNS, SNMP, and NTP. If multiple firewalls need to have the same rules, synchronize the rules across all of them.


The mandatory ruleset for every firewall should include:

• Enable port filtering at the outer edge and inside the network.
• Create rules to perform content filtering close to the content receiver.

Configure Logging and Alerting

The firewall should be able to store logs locally and send them to a centralized log management system where they are synchronized. Decide case by case what to log and how long to keep logs. Create user accounts with read-only access for tasks such as auditing and evaluating the logs. Enable alarms that notify administrators of any attack on the firewall. Signs of attack can be:

• Any attempt to manipulate any of the firewall rules.
• Events like system reboots or disk shortages.
• Any change in system status.
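Once the logs reach the central collector, the alerts above can be produced from them. The following added example (not courseware code) runs two detections over constructed syslog lines: a port sweep visible in the firewall's packet-drop records, and management-plane events (a rule change made through sudo, a reboot) of the kind listed above. The log format follows the Linux LOG-target style (IN= SRC= DST= PROTO= DPT=); the "FW-DROP" prefix, the host name, the addresses, and the ten-port threshold are assumptions.

```python
"""Alerting on centralized firewall syslog: port sweeps in drop logs and
management-plane events (rule changes, reboots).

Added example, not courseware code. SAMPLE_SYSLOG is constructed in the
Linux LOG-target format plus sudo and systemd messages; the prefix, host,
addresses and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime


def _drop_line(ts, src, dst, dport, spt):
    # Constructed line in the format a Linux firewall's LOG rule forwards to syslog.
    return (f"Mar 12 {ts} fw1 kernel: FW-DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT={spt} DPT={dport}")


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_SYSLOG = (
    # one source probing twelve ports on one host within twelve seconds
    [_drop_line(f"10:00:{i:02d}", "203.0.113.9", "192.0.2.10", p, 51000 + i)
     for i, p in enumerate(SCAN_PORTS)]
    # a single stray Telnet attempt, which should not alert
    + [_drop_line("10:05:00", "198.51.100.4", "192.0.2.10", 23, 40001),
       # management-plane events: a rule added via sudo, then a reboot
       "Mar 12 10:07:13 fw1 sudo:  bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; "
       "COMMAND=/usr/sbin/nft add rule inet filter forward tcp dport 3389 accept",
       "Mar 12 10:09:40 fw1 systemd[1]: Starting Reboot..."]
)

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ")
DROP_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+)(?: SPT=\d+)? DPT=(\d+)")
MGMT_RE = re.compile(r"COMMAND=\S*/(?:nft|iptables|ip6tables)\b|Starting Reboot")


def _timestamp(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def port_sweeps(lines, threshold=10, window_s=60):
    """(src, dst, distinct ports) for each source that probed at least
    `threshold` distinct destination ports on one host within `window_s` seconds."""
    probes = defaultdict(list)            # (src, dst) -> [(time, dport), ...]
    for line in lines:
        m = DROP_RE.search(line)
        ts = _timestamp(line)
        if m and ts:
            src, dst, _proto, dport = m.groups()
            probes[(src, dst)].append((ts, int(dport)))
    alerts = []
    for (src, dst), events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window from each event
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window_s}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def management_events(lines):
    """Lines recording changes to the firewall itself: rule edits and reboots."""
    return [line for line in lines if MGMT_RE.search(line)]
```

The sweep detector keys on (source, destination) pairs and a time window so that a slow, spread-out scan is still counted if it fits the window; the management detector is deliberately simple, since on a firewall any direct invocation of the rule tools or any reboot outside a change window should page someone.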

Integrating a Firewall into the Network Architecture

Integrating a firewall requires configuring the existing network devices that will interact with it and fitting it into the network's routing structure. Configuring the router at the network boundary enables it to handle the firewall's addressing.


Testing Firewall Implementation

• Test and evaluate your firewall implementation before deploying it in the network
• Conduct your firewall test on a test network instead of the production network
• Test and evaluate the firewall for proper configuration and implementation with respect to the following attributes: Connectivity, Ruleset, Application Compatibility, Management, Logging, Performance, Security of the Implementation, Component Interoperability, Policy Synchronization


Testing a firewall involves examining the firewall for any bugs. The implementation test mainly checks whether the firewall's rules produce the actions the firewall is expected to perform. Firewall testing increases the reliability of the products that depend on the firewall.

Before deploying a firewall, the administrator runs a test on a test network that replicates the production network. Different aspects of the firewall are evaluated in this phase:

• Connectivity: Test whether users can establish connections through the implemented firewall.
• Ruleset: Check whether the firewall permits and blocks traffic according to the security policies. Analysis of the firewall ruleset includes manual testing to verify that the rules work as the outlined security rules require.

• Application compatibility: Check whether the implemented firewall solution is compatible with the existing applications and communications.

• Management: Test whether an administrator can manage the firewall effectively.
• Logging: Test whether the logging and data management functions adhere to the organization's policies and strategies.

• Performance: Test the performance of the firewall on a live network using simulated traffic generators. The testing must include the applications that can affect network throughput and latency.


• Security of the implementation: Conduct a vulnerability assessment to identify any vulnerabilities and weaknesses in the firewall implementation.
• Component interoperability: Evaluate how the different components of the firewall work together. Using firewall components from different vendors can create performance issues.
• Policy synchronization: Test how synchronized policies or rulesets behave when multiple firewalls are used in multiple scenarios.

Testing a firewall includes the following steps:

• Develop an appropriate test case
• Derive the test packets from the test case
• Send the test packets to the firewall
• Examine the firewall's behavior

If the firewall does not perform as expected, the following could be the reasons for the failure:

• Incorrect test cases, which lead to wrong predictions of firewall behavior.
• Incorrect implementation of security policies when designing the firewall rules.
• Errors in the implementation of the firewall.
• Packets lost in the network.
• Bugs in the test environment.
• Corrupted hardware components.


Deploying and Implementing a Firewall

• Notify the users and/or owners of the systems which will be affected during the deployment
• Deploy the configured firewall per the organization's policy
• Integrate the firewall with the other network elements which require interaction with the firewall
• Handle the firewall addressing in the network infrastructure


Administrators need to ensure they deploy the firewall according to the security policies of the organization, and they should alert users to the deployment. Add the firewall's security policy to the network's overall policy, together with any configuration changes made during implementation. Deploying multiple firewalls in phases helps detect and resolve conflicting policies.
Reconfigure the network device on the outside of the network to handle the firewall's addressing. Proper deployment of a firewall allows traffic to be sent and received through the newly configured firewall system.

Deploying and implementing a firewall involves:

• Updating all hosts for the new firewall deployment.
• Alerting all users to the deployment of a new firewall into their operational environment.
• Allowing the organization's own (private) traffic through the newly deployed firewall.


Managing and Maintaining a Firewall Implementation

• Apply the latest patches and updates to the firewall device, if released by the firewall vendor
• Maintain the firewall architecture, policies, software and other components according to the firewall configuration and deployment
• Update the firewall policy based on any new threats which are detected
• Periodically review the firewall policy
• Continuously monitor and log all alerts raised when the firewall identifies threats
• Regularly back up the firewall rulesets and policies
• Update the firewall rulesets based on security requirements
• Perform a firewall log analysis to detect security incidents


Managing a firewall includes maintaining the firewall architecture, policies, software, and other components deployed on the network. Administrators should update the policy rules when they identify new threats and when requirements change. The network administrator needs to ensure the security of the firewall by constantly monitoring and addressing issues in the network. They monitor the firewall logs continuously in order to detect new threats and attacks on the network.
Perform regular backups of the firewall policies and rulesets in the rule format used by the firewall. Use the restrictions firewalls offer on who can change a ruleset and from which addresses. Review the firewall policy regularly to uncover:

• Rules that are no longer required.
• Places where new rules need to be added.

Managing and maintaining a firewall includes:

• Extending its life.
• Making sure it is operating properly.
• Confirming it provides a protective layer for the operational environment.
• Improving its performance.
• Checking for required updates.
• Confirming the components are working properly.
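A ruleset backup is most useful when it doubles as the baseline for the periodic review and for the "someone changed a rule" alert. The following added example (not courseware code) fingerprints a ruleset listing, names the backup file, and reports every rule line added or removed since the last backup; the two nftables listings are constructed to stand in for nft list ruleset output taken at two points in time, and the file naming convention is an assumption.

```python
"""Ruleset backup with change detection: fingerprint the saved ruleset,
then report rule lines that differ from the approved baseline.

Added example, not courseware code. The two listings are constructed to
mimic `nft list ruleset` output before and after an unapproved change.
"""
import difflib
import hashlib
from datetime import datetime, timezone

BASELINE_RULESET = """\
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip daddr 192.0.2.10 tcp dport 443 ct state new accept
    ip daddr 192.0.2.20 tcp dport 25 ct state new accept
  }
}
"""

CURRENT_RULESET = """\
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip daddr 192.0.2.10 tcp dport 443 ct state new accept
    ip daddr 192.0.2.20 tcp dport 25 ct state new accept
    ip saddr 203.0.113.9 ip daddr 10.1.1.0/24 tcp dport 3389 accept
  }
}
"""


def normalize(ruleset):
    """Strip indentation and blank lines so cosmetic edits do not trip the check."""
    return [line.strip() for line in ruleset.splitlines() if line.strip()]


def fingerprint(ruleset):
    """SHA-256 over the normalized ruleset; store it alongside the backup."""
    return hashlib.sha256("\n".join(normalize(ruleset)).encode()).hexdigest()


def backup_name(hostname, when=None):
    """Timestamped (UTC) file name for the saved ruleset."""
    when = when or datetime.now(timezone.utc)
    return f"{hostname}-ruleset-{when:%Y%m%dT%H%M%SZ}.nft"


def ruleset_changes(baseline, current):
    """(added, removed) rule lines between two backups, via a zero-context diff."""
    added, removed = [], []
    for line in difflib.unified_diff(normalize(baseline), normalize(current),
                                     n=0, lineterm=""):
        if line.startswith(("+++", "---", "@@")):
            continue  # diff headers, not rule lines
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def verify_against_baseline(baseline, current, approved_changes=()):
    """Rule lines that changed without being on the approved list.

    Anything returned here is a change-control event and should raise an alert."""
    added, removed = ruleset_changes(baseline, current)
    approved = set(approved_changes)
    return [line for line in added + removed if line not in approved]
```

Run the verification against the live ruleset on every backup cycle and on a schedule in between: an unexplained line such as the RDP allow above is exactly the "attempt to manipulate the firewall rules" the alerting section asks you to catch, and the fingerprint lets you prove later which backup reflected the approved state.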


Firewall Administration

Accessing the Firewall Platform
• Threats to firewalls arise from exploiting remote management resources such as the graphical management interface
• Control access to firewall management using encryption, strong authentication and limiting access by IP address

Build an Operating System Platform for the Firewall
• Implement firewalls on systems tailored specifically for strong security applications, e.g. a bastion host
• Patch and remove any unnecessary features and services before implementing the firewall on the platform

Firewall Failover Strategies
• Use failover services like network switches and heartbeat-based services in case the primary firewall service fails
• Network switches are devices responsible for failover and provide load balancing capabilities
• A heartbeat mechanism initiates the backup systems when a failover event triggers. It includes the back-end/customized network interfaces

Firewall Administration (Cont'd)

Firewall Logging Functionality:
• By default, all firewalls have some logging capability
• Use a centralized logging service such as a Unix syslog application, which also provides log examination and parsing

Firewall Backups:
• Use full backups instead of incremental backups

Security Incidents:
• Firewalls play a critical role in security incidents. They correlate all the events which have passed through them, especially where network attacks are concerned
• Synchronize the firewall with Network Time Protocol (NTP) to effectively correlate incident events


Firewall administration is the process of maintaining security by managing firewall devices


and/or software. It includes access to the firewall platform, operating system builds, firewall
failover strategies, firewall logging functionality, security incidents, firewall backups etc.

Firewall administration includes the modification of security policies, assessment of


vulnerabilities, identification, detection of new threats and development of counter measures
to combat them. Firewall administrators monitor firewall activities regularly to ensure proper
functionality to prevent the network from attacks.

Methods of firewall administration are:


• Access to the Firewall Platform/Accessing Firewall Platform: Threats to firewalls arise
from exploiting remote management resources such as the graphical management
interface or an operating system console. To prevent unauthorized access to these
resources, a firewall administrator should manage the firewall using encryption and strong
user authentication techniques. The graphic management interface uses Secure Socket
Layer (SSL) which relies on the Hypertext Transfer Protocol (HTTP) to secure
communication over the network.

Under an internal individual authentication process, the user should have a unique user ID
and password to gain access to the interface. Some firewalls also support Token based
authentication to grant access to centralized servers using Remote Authentication Dial-In
User Service (RADIUS).

• Building an Operating System Platform for a Firewall: Platform consistency plays a vital role
in the successful implementation of a firewall, for example an operating system (OS) with
hardened security features for the applications. Do not install a firewall on a system that was
installed with every available option; remove unnecessary OS features first. The firewall
installation should not affect the functioning of the OS. Install all security patches on the OS
before installing the firewall. Unused network services, network protocols, applications and
user accounts must be disabled.

• Firewall Failover Strategies: Failover strategies are required to maintain the security of the
network when a firewall fails. Specially designed network switches use a customized
'heartbeat' mechanism to handle firewall failover by shifting all inbound and outbound traffic
to the backup firewall, which reduces the chance of a network outage. Both the primary and
the backup firewall sit behind a single Media Access Control (MAC) address to provide
seamless functionality.

• Firewall Logging Functionality: Every firewall is equipped with a logging function. Firewalls
use a UNIX syslog application to manage, examine and parse logs. Various operating systems
such as Windows, UNIX and Linux variants support firewall logging. The firewall preserves
these logs on a centralized server for maximum security and uses only a few software
packages to examine them.

A firewall that does not support a syslog interface has its own internal logging functionality.
Third-party tools such as Firewall Analyzer and Sawmill provide log maintenance and parsing.

Module 07 Page 617 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Secure Firewall Configuration and Management

• Security Incidents: A security incident is a situation in which an unauthorized individual tries
to access computer or network resources. The administrator has various responsibilities in this
situation, such as temporarily disabling remote access to the resources and revoking user
authentication until the situation is under control.

In a minor security incident, the attacker uses basic network probes. Because of its low
severity, many companies do not treat these incidents as threats. In a medium security
incident, the attacker tries to gain unauthorized access to the resources or the system. A
high-severity incident is one in which the attacker succeeds in obtaining access to the system.
These incidents restrict resource availability and are treated as a serious situation.

A firewall uses an event-correlation technique that relies on time synchronization: the state
of the firewall is rolled back to a particular point in order to reconstruct the phases of the
incident.

• Firewall Backups: All firewall backups should be Day Zero or full backups, not incremental
backups, taken immediately before the production release. Because firewall access control
does not permit a centralized backup scheme, firewalls have built-in backup facilities.

It is desirable to have all critical file systems backed up to external devices on Windows
operating systems. On UNIX, the /var file system directory and its subdirectories require write
access and contain all the system logs and spool directories.

• System Administration: Proper system administration also contributes to firewall
administration:

• Standardizing operating systems so that they are ready for updates and fixes.

• Centralized system administration contributes to better firewall security.

• Examine the communication path between the firewall and the system in order to
uncover any errors or faults in the configuration.

• Decide on the type of firewall that is best suited for a particular company.


Firewall Administration: Deny Unauthorized Public Network Access

• The key component to protecting a firewall is restricting unnecessary data access

• It also does packet filtering, which forces a hacker to perform the attack by scanning for
network addresses and open ports

• To know the number of open connections in Windows, run the built-in network applications
such as netstat.exe

• Steps to check opened ports are as follows: Click Start, in the search box type command and
press Enter; in the command prompt type netstat -an; press Enter, this will list all the open
ports
Copyright© by EC-Council. All Rights Reserved . Reproduction is Strictly Prohibited.

Weak network access controls increase the chances of unauthorized public network access,
which leads to the manipulation of data and services and to denial-of-service attacks. Proper
controls such as user access restrictions and security controls for granting permissions can
limit unauthorized public network access.

Firewalls are equipped with a real-time packet filtering mechanism that checks all packets for
malicious content and drops those that are suspicious. Organizations should use SSL and
HTTPS protocol services when accessing corporate resources over public networks; this
ensures the consistency of the firewall policy, as these protocols pass only encrypted
information.

To prevent unauthorized public network access, scan the network regularly for open ports and
disable those that are not needed, which ensures that remotely accessible resources are
properly used.

Netstat.exe is a built-in Windows network application that provides a list of open connections.

Steps to check for an open port are:

• Step 1: Click Start, in the search box type command and press Enter

• Step 2: In the command prompt, type netstat -an

• Step 3: Press Enter; this will list all of the open ports
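As an added example that is not part of the courseware, the following Python script parses saved netstat -an output and flags listening sockets that are not on an approved baseline; the netstat output and the baseline are constructed for the demonstration.

```python
"""Added example, not part of the EC-Council courseware: parse `netstat -an`
output and flag listening sockets that are not on an approved baseline.
The netstat output and the baseline below are constructed for the demo."""

import re
from collections import namedtuple

# Constructed sample of `netstat -an` output, abridged, as Windows prints it.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:5355           *:*
"""

Listener = namedtuple("Listener", "proto address port")

# One netstat row: protocol, local addr:port, foreign addr:port, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return every socket that accepts inbound traffic.

    TCP rows count only in the LISTENING state; UDP rows carry no state
    (netstat prints *:* as the foreign address) and are always listeners.
    """
    listeners = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # banner, header or blank line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established, time-wait, etc.
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(address):
    """Loopback binds are not reachable from the network, so they are not reviewed."""
    return address in ("127.0.0.1", "[::1]")


def unexpected_listeners(text, baseline):
    """Network-reachable listeners whose (proto, port) is not in the baseline."""
    return [l for l in parse_listeners(text)
            if not is_loopback(l.address) and (l.proto, l.port) not in baseline]


# Hypothetical approved baseline for this host: an assumption of the example.
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}

if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"unexpected {l.proto} listener on {l.address}:{l.port}")
```

Run against real output by saving netstat -an to a file and passing its contents in place of the sample; anything flagged is a port to explain or close.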


Firewall Administration: Deny Unauthorized Access Inside the Network

• Restrict users from inserting virus-infected removable media into the system

• Restrict employees from using remote access software from home that bypasses the
perimeter firewall

• Social engineering is an attack where hackers gather confidential information by interacting
with users to collect passwords, IP addresses, server names, etc. of the internal private
network

• Firewall instructions provided by a firewall admin enable the configuration of IP packet
filtering against unauthorized packets

• Virus email can spread through all the computers on a network when a user attempts to
open the mail, causing damage to the files on their computer

Restricting unauthorized access from inside the network prevents users from running
malicious programs, installing suspect software, etc.

Necessary security measures to prevent unauthorized access inside the network are:

• Prohibit users from installing plug-and-play devices such as flash drives, which may be
virus-infected and, when executed, can corrupt the data present on the host system or
network.

• Restrict employees from using remotely available corporate resources from public
networks such as an internet cafe or free public Wi-Fi (e.g. hotels), which bypasses the
perimeter firewall.

• Educate employees on the topic of social engineering, an attack in which hackers build
confidence with an unsuspecting user to trick them into revealing personal information such
as user credentials, server information, IP addresses, etc., which is then used to perform
network attacks against the organization.

• Firewall instructions provided by well-trained firewall administrators enable users to
configure their firewall to filter IP packets and detect unauthorized packets.

• Emails containing viruses can spread to all the computers on a network when a user
attempts to open the mail. Using an updated internet security solution can prevent such
email attacks.


• Provide access only to required documents and files. This controls access for people working
inside an organization who should not have access to all the sensitive information.

• Account rights should be carefully structured in order to facilitate proper data access.

• Proper training of users can prevent unauthorized access inside an internal network. There
are limits to this strategy, but educating users has many threat-prevention benefits.


Firewall Administration: Restricting a Client's Access to an External Host

• A firewall acts as a proxy server allowing high-level application connections related to
internal hosts and other machines

• A single firewall provides both outbound packet filtering and a proxy server

• Application proxies restrict users from gaining unrestricted access to the Internet, as well as
those technically sophisticated users who might be able to circumvent the security systems in
place

• A remote access program is used to access programs such as gotomypc.com, providing client
software which is installed on home and work computers

• The user may dial through the remote access and open a security hole

A client should not have direct access to an external host, which could make it vulnerable to
threats. Instead, the client should access the host through the firewall. The firewall acts as a
proxy server allowing high-level application connections related to internal hosts and other
machines. A single firewall acts both as a packet filter at the application level and as a proxy
server at the domain level. Application proxies restrict users from gaining unrestricted access
to the Internet, although technically sophisticated users might be able to circumvent the
security systems altogether.

Vulnerable external hosts gather sensitive information from clients such as IP addresses, types
and levels of security, server locations and remote access credentials. Remote access programs
such as gotomypc.com can be useful, providing remote access to work systems, but the concern
is the risks associated with them, such as password sniffing, packet stealing and IP spoofing.

The user might dial through the remote access to connect with an illicit server and application,
which opens a security hole.

It is possible to restrict access to these areas by employing the following policies:

• Allow only internal IP addresses to pass through the firewall.

• Block traffic containing private addresses.

• Block all outbound traffic from VLAN workgroups.

• Block broadcast traffic and all traffic from servers that require no connectivity with any of
the external networks.


Firewall Logging

• Firewalls log user activity in a network; this is known as firewall logging

• Attackers tend to leave footprints when trying to pass through a firewall. Investigate the
firewall logs to get a basic understanding of what happened with the attack

• Use firewall logging to investigate all the "allow" events. This is very useful when trying to
discover potential security threats on the network

[Figure: a secure private local area network behind a firewall, connected through a modem to
the Internet (public network); the firewall log is sent to a centralized server. Legend: specified
traffic allowed; restricted unknown traffic.]

Firewall logging is the ability of a firewall to record the details of users' activities on a
network. Log file maintenance is crucial to overcoming security breaches, as attackers
unknowingly leave their footprints when trying to pass through a firewall. Firewall logs can
help you investigate such incidents.

Firewall logs contain information about activities such as port scans, unauthorized connection
attempts, activity from compromised systems and attempted security threats at the boundary
of the network. They help you trace the source of network attacks.

An administrator can disable the firewall logs temporarily while troubleshooting or monitoring
the firewall's behavior. A centralized, secure server should hold the firewall logs in order to
protect them from attackers; otherwise, an attacker could delete the logs that contain their
footprints. If any suspicious activity is detected in a firewall log, it should be handled
immediately and all necessary actions taken to avoid a security incident.

Firewall Analyzer is an application for firewall log analysis that provides many features to
gather, analyze and report on logs.


• Firewall logs are stored locally or in a centralized logging server (e.g. Syslog Server) on the
network

• Firewall devices log important information such as spoofing attempts, failed authentication,
malware attacks, etc.

• Firewall log data is categorized as: Event, Virus log, Attack, VPN, Audit

Firewall log data contains information such as failed authentication attempts, abnormal
protocols, virus attacks, etc. Firewall logs are huge datasets to look into, especially for big
enterprises with more than one or two firewalls; these record many log files with a very large
number of entries every day. Firewall logs are stored locally or in a centralized logging server
(Syslog Server) on the network. Collecting firewall log data helps administrators analyze the
transactions between the source IP address and the destination IP address. Because a firewall
creates a huge log volume (approximately 10000 or even more events/sec), it is necessary to
use specialized software to collect and analyze the logs.

Firewall log data includes activities such as:

• Virus logs.

• Network and device attacks.

• Audit trail.

• Event logs.

• Network traffic.

• VPN connection establishment.

Importance of firewall logs:

• The firewall logs provide details regarding the status of the firewall.


Benefits of firewall logs include:


• Enhances network administration, troubleshooting and debugging.

• Creates baseline information for comparison.


• Provides a clearer outlook of the system.
• Provides solutions for better forensic analysis.
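As an added example that is not part of the courseware, the following Python code runs two of the checks described in the logging pages above over firewall log lines: it finds sources whose denied connections look like a port scan, and then lists the "allow" events from those same sources for investigation. The key=value log format and the sample events are constructed, since each firewall product uses its own syslog format.

```python
"""Added example, not part of the EC-Council courseware: simple detections over
firewall log lines. The log format and the sample lines are constructed for
this demonstration; adapt the regex to the firewall's real syslog format."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall events in a simple key=value syslog style.
SAMPLE_LOG = """\
2024-03-01T10:00:01 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=21
2024-03-01T10:00:02 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=22
2024-03-01T10:00:02 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=23
2024-03-01T10:00:03 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=25
2024-03-01T10:00:03 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=80
2024-03-01T10:00:04 action=deny  src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=3389
2024-03-01T10:00:09 action=allow src=198.51.100.7 dst=192.168.1.20 proto=tcp dport=443
2024-03-01T10:05:00 action=allow src=203.0.113.9  dst=192.168.1.20 proto=tcp dport=443
2024-03-01T10:06:00 action=deny  src=203.0.113.9  dst=192.168.1.20 proto=tcp dport=22
2024-03-01T12:00:00 action=deny  src=198.51.100.7 dst=192.168.1.21 proto=tcp dport=22
"""

LINE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_port_scans(events, min_ports=5, window=timedelta(seconds=60)):
    """Sources denied on at least `min_ports` distinct destination ports within `window`.

    Returns {source: sorted ports probed}, using a sliding time window over
    each source's denied events so that slow, unrelated denies do not add up.
    """
    denied = defaultdict(list)
    for ev in events:
        if ev["action"] == "deny":
            denied[ev["src"]].append(ev)
    scanners = {}
    for src, evs in denied.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # drop events older than the window
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(scanners.get(src, ())):
                scanners[src] = sorted(ports)   # keep the widest window seen
    return scanners


def allowed_from(events, sources):
    """Allow events from the given sources: traffic that got through and needs a look."""
    return [ev for ev in events if ev["action"] == "allow" and ev["src"] in sources]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    scans = detect_port_scans(events)
    for src, ports in scans.items():
        print(f"possible port scan from {src}: ports {ports}")
    for ev in allowed_from(events, scans):
        print(f"investigate allowed {ev['proto']}/{ev['dport']} from {ev['src']} at {ev['ts']}")
```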


• A flawed design and implementation of a firewall from vendors will only encourage attackers
to bypass the firewall

• Bypassing a firewall is possible because of improper traffic handling, inspection and detection
techniques

• Most firewall vendors are unable to offer effective protection against evasions

The flawed design and/or implementation of firewalls encourages attackers to bypass them. An
attacker takes advantage of a firewall's improper traffic handling, inspection and detection
techniques to bypass it. Most firewall vendors are unable to offer effective protection against
evasions.

An administrator should be aware of the following items to limit firewall evasion:

• Accept the fact that evasion can and probably will happen.

• Determine the level of protection offered by a firewall against evasion.

• Measure the level of risk if such an attack happens.

• Enhance security monitoring procedures continuously.

• Perform advanced penetration testing and assess intrusion detection systems.

To prevent users from bypassing the firewall:

• Block access from their computers to port 80 anywhere on the Internet.

• All common proxy ports should be blocked to prevent users from using an open proxy
server on the Internet.

• TCP ports including 20, 21, 80, 443, 3128, 8000, 8080 should be blocked.

• A default-deny approach restricts access by default; every access needed (port, protocol,
service, network) must be explicitly enabled.


• Most firewalls are throughput oriented and cannot perform full normalization on data traffic

• Throughput oriented firewalls never detect complex, hard-to-detect attacks on the network

• Choose a firewall vendor which normalizes data traffic to a maximum for every protocol layer
before executing the payload inspection

Normalization is one of the techniques used to prevent firewall evasion. Full data traffic
normalization can prevent firewall evasion by keeping known attacks out or by restricting
access to internal machines from an external host, especially when the firewall detects a probe
or an attack.

Firewall design must incorporate and optimize inline throughput performance in a network to
prevent attacks. Firewall vendors use shortcuts and execute only partial normalization and
inspection. For instance, TCP segmentation handling is very limited and done only for selected
protocols or ports (if not disabled by default). Evasions exploit these shortcuts and weaknesses
in the normalization and inspection processes. Administrators should choose a firewall vendor
that normalizes data traffic to the maximum on every protocol layer before executing the
payload inspection.


• Most firewalls are designed to inspect data traffic based on the segments or pseudo-packets

• Attackers craft their malicious payloads over the segment or pseudo-packet boundaries to
enter a network

• Choose a firewall vendor that constantly inspects the data stream instead of only the segment
or pseudo-packets of traffic

Note: Firewalls require more memory and CPU capacity for data stream-based inspection

A firewall should be able to examine a constant data stream instead of fragments or
pseudo-packets. This vital design issue is extremely difficult to change, especially in the case of
hardware-based products, where a redesign of the security devices would require significant
R&D. Data stream based inspection requires more memory and CPU capacity to perform
efficiently; for many vendors this is impossible, and the inspection scope is sacrificed. An
attacker can take advantage of this by spreading attacks over segment or pseudo-packet
boundaries. The administrator should choose a firewall vendor that implements constant data
stream inspection instead of inspecting segments or pseudo-packets of traffic.
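An added example, not from the courseware, showing in Python why per-segment matching misses a signature that straddles a TCP segment boundary while stream-based inspection catches it; the segments, the signature and the minimal reassembler are constructed for the demonstration.

```python
"""Added example, not part of the EC-Council courseware: a per-segment
inspector misses a signature that straddles a TCP segment boundary, while an
inspector that reassembles the stream first catches it. The segments, the
signature and the minimal reassembler are constructed for the demonstration."""

# Constructed TCP segments as (sequence number, payload). They arrive out of
# order, one is a retransmitted duplicate, and the signature "DROP TABLE" is
# split across the segment boundary at byte 17.
SEGMENTS = [
    (17, b"ABLE users;"),
    (0, b"GET /q?sql=DROP T"),
    (0, b"GET /q?sql=DROP T"),      # retransmission of bytes 0..16
]

SIGNATURE = b"DROP TABLE"           # constructed detection pattern


def segment_inspect(segments, signature):
    """Packet-oriented matching: each segment's payload is searched on its own."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments):
    """Rebuild the byte stream from segments ordered by sequence number.

    Bytes already present (retransmissions, overlaps) are skipped; a gap
    stops reassembly so nothing is matched against data that has not arrived.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq > len(stream):
            break                        # missing segment: wait for it
        stream.extend(payload[len(stream) - seq:])
    return bytes(stream)


def stream_inspect(segments, signature):
    """Stream-oriented matching: reassemble first, then search the whole stream.

    The buffer held per connection is the extra memory and CPU the text mentions.
    """
    return signature in reassemble(segments)


if __name__ == "__main__":
    print("per-segment match:", segment_inspect(SEGMENTS, SIGNATURE))   # False
    print("stream match:     ", stream_inspect(SEGMENTS, SIGNATURE))    # True
```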


Vulnerability-based Detection and Blocking

• Most firewalls use an exploit-based approach and rely on a packet-oriented pattern

• It uses a 100% pattern match approach to detect and block evasion attempts

• It is not possible to create signatures for every evasion combination

• Choose a firewall vendor who uses a vulnerability-based approach to detect and prevent
attacks

Some firewall vendors implement an exploit-based approach to detect and block exploit
attempts. An exploit-based approach works on the principle of a packet-oriented pattern
(signature). It uses a 100% pattern match approach to detect and block evasion attempts.
However, it is not possible to create signatures for every evasion combination, as new attack
patterns and signatures are invented daily. Firewalls with exploit-based approaches cannot
detect and block all firewall evasion attempts, and relying on these types of firewalls can pose a
risk to the organization's network.

Use a firewall with a vulnerability-based approach instead when implementing protection in
the organization's network. Vulnerability-based protections block exploitation attempts at both
the network and the application layers.


Secure Firewall Implementation: Best Practices

• Filter unused and common vulnerable ports

• If possible, create a unique user ID to run the firewall services, rather than running the
services using the administrator or root IDs

• Set the firewall ruleset to deny all traffic and enable only the services required

• Change all the default passwords and create a strong password which is not found in any
dictionary, so that brute force attacks also fail

• To enhance the performance of the firewall, limit the applications which are running

• Configure a remote syslog server and apply strict measures to protect it from malicious users

• Monitor firewall logs at regular intervals. Include them in your data retention policy

• Immediately investigate all suspicious log entries found

• Backup the firewall logs on a set schedule. Store these backups on a secondary storage device
for future reference or for any legal issues arising from an incident

• Perform audits at least once a year on the firewalls. This is done to evaluate the standards
implemented in securing an organization's IT resources

Secure Firewall Implementation: Best Practices (Cont'd)

• Clearly define a firewall change management plan

• By default, disable all FTP connections to or from the network

• Catalog and review all inbound and outbound traffic allowed through the firewall

• Keep firewall rules as granular as possible

• For easy management, always group similar rules together

• Prioritize the rules in a proper logical order

• Ensure the implementation passes business and technology-based risk assessments

• Allow secure Email access through the firewall

• Set a default "deny" rule for inbound traffic with explicit "allow" rules

• Ensure all rules and objects follow standard naming conventions


Secure Firewall Implementation: Best Practices (Cont'd)

• Don't complicate firewall management by unnecessarily nesting rule objects

• Add expiration dates to temporary rules and review them later for clean-up

• Test the impact of a firewall policy change

• Schedule regular firewall security audits

• Update the firewall software on a regular basis

• Try to use the same ruleset for similar firewall policies within the same group object

• Run regular risk queries to identify vulnerable firewall rules

• Clean and optimize the firewall rule base

• Monitor user access to firewalls and control who can modify the firewall configuration

• Centralize firewall management for multi-vendor firewalls

Secure Firewall Implementation: Best Practices (Cont'd)

• Run the firewall as a unique user ID, instead of using an Admin or root ID

• Specify the source and destination IP addresses as well as the ports

• Change the default administrator password before connecting to public networks

• Keep the firewall configuration simple

• Eliminate redundant rules to ensure secure firewall configuration

• Set specific policy configurations with a minimum level of privilege

• Only run the required services


The following best practices will help you harden the security in your firewall.
• Filtering unused and vulnerable ports on a firewall is an effective and efficient method of
blocking malicious packets and payloads. There are different types of filters in firewalls
ranging from simple packet filters to complex application filters. A defense in depth
approach using layered filters is a very effective way to block attacks.

• Configuring administrator accounts to run a firewall depends on the security requirements
of the organization and the different administrative roles the organization requires. A role
defines the type of access the associated administrator has to the firewall system. If possible,
create a unique ID to run the firewall services rather than running them as administrator or
root.

• While creating a firewall ruleset, organizations should first determine what types of traffic
are needed to run the approved applications. Administrators need to set firewall rules to deny
all traffic and allow only those services the organization needs.

• Firewalls use a complex rule base to analyze applications and determine if the traffic
should be allowed through or not. Setting up firewall rules to grant access to important
applications and block the rest will improve the performance of the firewall.
• Administrators should ensure the date, time, and time zone on the remote syslog server
matches the network configuration, in order for the server to send syslog messages.
Syslog data is not useful for troubleshooting if it shows the wrong date and time. Also,
configuring all network devices to use NTP ensures a correct and synchronized system
clock on all network devices.

• Network administrators should monitor the firewall logs at regular intervals, even if the
company's management policy allows some private use of its equipment. Monitoring what
websites employees visit, what files they send and receive, and even the content of their
e-mails will assist administrators in maintaining the network securely.

• Logging the firewall's 'allow' actions offers greater insight into malicious traffic, and tracking
the firewall's 'deny' actions helps administrators identify threats.

• Take regular backups of the firewall logs, at least on a monthly basis, and store these
backups on secondary storage devices for future reference or for legal issues in case there is
an incident. The best way to achieve this is to use a scheduling function in the firewall. Back up
the firewall before and after making a change in its rules and ensure that the backup
configuration file is usable.

• Administrators should perform audits at least once a year on firewalls to evaluate the
standards implemented to secure the organization's IT resources. This will offer a record
of all the files employees open and even failed attempts to access files. Ensuring every
change is accounted for will greatly simplify audits and help the daily troubleshooting.

• Firewalls cannot secure the network from internal attacks. Organizations are required to
implement different strategies, such as policies that restrict employee usage of external
devices in the internal network. To prevent internal network attacks, administrators should
install monitoring software that helps detect any suspicious internal activity.

• Clearly defining a centralized firewall management plan and a documented process can
help prevent unwanted changes to the current configuration of the network. It limits the
chance that a change opens vulnerabilities in network security.

• The effectiveness of any firewall solution depends on the rules with which it is configured.
In general, a firewall is configured to monitor inbound and outbound traffic and to protect
a network in which it is configured. It also monitors the source and type of traffic
traversing the network.

• Most organizations use the firewall for protecting the network environment from threats
and for tracking the source of a threat. Augmenting a firewall ruleset with an effective logging
mechanism makes it an effective security mechanism to protect the network.

• Administrators should set a default 'deny' rule for inbound traffic with explicit 'allow'
rules. A deny policy at the end of the ruleset ensures you catch traffic that is trying to go to
the wrong zone. It is important to cover every combination.

• A firewall rule should be properly prioritized based on the security requirement of the
organization.

• Organizations should consider monitoring employees' e-mail messages through the
firewall. They should create a separate email network zone that is firewalled from both the
DMZ and the internal network, then place both the email and the webmail servers in that
zone. This enables the organization to allow secure email access through the firewall.

• Manage the lifecycle of a firewall rule policy by enforcing an expiration date. This will help
administrators clean up newly created temporary rules for new services. When an
expiration date is set for a rule, the administrator can delete the rule after its lifetime or
can extend its duration if needed.

• Always perform testing of the firewall policies before implementing them in the network.
Testing a firewall can discover unexpected errors in the implementation by assessing
firewall performance, network traffic and other devices. These details provide the
network administrator with a view on how the proposed changes in the firewall
configuration will affect the environment.

• Auditing firewall security policies ensures the firewall rules implemented are in accordance
with the security regulations of the organization. It is the responsibility of the network
administrator to perform firewall security audits to identify policy violations.

• The organization needs to ensure they upgrade their firewall to the latest patches and
updates released by the firewall's vendor. Any delay in upgrading to the latest version can
impact the security of the network. Upgrading to the latest firewall version minimizes the
chances of a vulnerability in the network. It is also possible to conduct vulnerability
assessments on the firewall, enabling an administrator to easily assess the flaws and
weaknesses.


• The firewall administrator needs to review and clean up the firewall rule base regularly, as this improves firewall security, performance and efficiency. Cleaning the rule base prevents security and management issues.

• Restrict unauthorized access to prevent any modification of the firewall configuration. Organizations can implement access permissions that permit only authorized users to make changes to the firewall configuration.

• Most organizations implement firewalls from different vendors and the firewall
configuration architecture differs from one organization to another. The organization
needs to ensure that only skilled personnel are looking after the firewall administration
and maintenance.

• Always filter packets on both source and destination address, and drop inbound packets whose source address belongs to the internal network (anti-spoofing), in order to prevent attackers from gaining access to the network.

• Always change the firewall's administrative passwords regularly, at least every six months.

• The firewall configuration should be kept simple and should meet company requirements. Periodic review of the firewall configuration helps maintain firewall security.

• Always grant minimal access to the firewall itself in order to avoid incidents.


Secure Firewall Implementation: Recommendations

• Notify the security policy administrator of firewall changes and document them
• Remove unused or outdated rules
• Do not set conflicting rules, or eliminate them if they already exist
• Use a standard method and workflow for requesting and implementing firewall changes
• Clean up and optimize the firewall rule base
• Schedule regular firewall security audits
• Keep a log of the firewall rules and configuration changes

• Administrators should document any changes they make to the firewall. With firewalls it is especially critical to document the rules they add or change, so that other administrators know the purpose of each rule and whom to contact about it. Good documentation makes troubleshooting easier and reduces the risk of service disruptions caused when an administrator deletes or changes a rule they do not understand.

• Organizations can generate analysis reports to evaluate firewall access rules. This assists
them in identifying rules that overlap or conflict with other rules in the access rule policy.
Delete, move or edit conflicting rules using the data from the report. Organizations can
develop an easier to use and more efficient access rules policy if they eliminate
unnecessary rules.

• Implement a consistent workflow solution to manage and streamline the firewall change
process. Identify potential risks and fix configuration errors before making changes to the
firewall. Reduce the time required to evaluate and implement the changes to support the
network.
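The checks described in the preceding bullets (expiring temporary rules, cleaning up the rule base, and finding rules that overlap or conflict) can be automated. The following Python script is an added example, not part of the EC-Council courseware or any vendor's product: it models a small first-match rule base (the rule format, the sample rules, the audit date and the hit counts are constructed assumptions) and reports expired, shadowed, conflicting and unused rules.

```python
"""Rule-base hygiene checks: expired, shadowed, conflicting and unused rules.

Added example (not EC-Council courseware). The rule model below is a
simplified, vendor-neutral representation (assumption): first-match
semantics, IPv4 source/destination networks, a protocol and a destination
port range. Hit counts are assumed to come from the firewall's own logs.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    ports: range                 # destination ports, e.g. range(22, 23) == port 22
    expires: Optional[date] = None   # None means a permanent rule
    hits: int = 0                # matches recorded since the last counter reset


def rule(name, action, src, dst, proto, lo, hi, expires=None, hits=0) -> Rule:
    """Small constructor so the sample rule base below stays readable."""
    return Rule(name, action, ip_network(src), ip_network(dst), proto,
                range(lo, hi + 1), expires, hits)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    ports_ok = (outer.ports.start <= inner.ports.start
                and outer.ports.stop >= inner.ports.stop)
    return (proto_ok and ports_ok
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


def analyze(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Report rules that should be deleted, moved or investigated."""
    findings = {"expired": [], "shadowed": [], "conflicting": [], "unused": []}
    for i, r in enumerate(rules):
        if r.expires is not None and r.expires < today:
            findings["expired"].append(r.name)
        if r.hits == 0:
            findings["unused"].append(r.name)
        # With first-match evaluation, a rule fully covered by an earlier rule
        # can never fire. Same action: redundant (shadowed). Opposite action:
        # the later rule's intent is silently overridden (conflict).
        for earlier in rules[:i]:
            if covers(earlier, r):
                kind = "shadowed" if earlier.action == r.action else "conflicting"
                findings[kind].append(f"{r.name} by {earlier.name}")
                break
    return findings


# Constructed sample rule base (not a real organisation's policy).
RULES = [
    rule("allow-web", "allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443, 443, hits=9120),
    rule("temp-vendor-ssh", "allow", "203.0.113.7/32", "10.0.2.0/24", "tcp", 22, 22,
         expires=date(2023, 1, 31), hits=3),
    rule("deny-all-ssh", "deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", 22, 22, hits=44),
    rule("allow-admin-ssh", "allow", "192.168.5.0/24", "10.0.0.0/8", "tcp", 22, 22),
    rule("allow-web-partner", "allow", "198.51.100.0/24", "10.0.1.10/32", "tcp", 443, 443),
]
TODAY = date(2024, 6, 1)   # assumed audit date


def report() -> Dict[str, List[str]]:
    return analyze(RULES, TODAY)


if __name__ == "__main__":
    for kind, names in report().items():
        print(f"{kind:12s} {', '.join(names) or '-'}")
```

The conflict finding is the one that matters most in practice: allow-admin-ssh sits below a broader deny, so the administrators it was written for are locked out while the rule itself looks healthy in the policy. Firewall management interfaces typically expose the same inputs (hit counters, rule expiry); the logic above is vendor-neutral.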


Secure Firewall Implementation: Do's and Don'ts

Do's:
• Implement a strong firewall
• Limit the applications that run on a firewall
• Control physical access to the firewall
• Review and refine your policies and procedures
• Incorporate trust marks
• Take regular backups of the firewall ruleset and configuration files

Don'ts:
• Don't overlook scalability
• Don't rely on packet filtering alone
• Don't be unsympathetic to hardware needs
• Don't cut back on additional security
• Don't implement without SSL encryption
• Don't use underpowered hardware
• Don't allow telnet access through the firewall
• Don't allow direct connections between the internal client and any outside services

• A firewall should include intrusion prevention and detection capabilities to help guard against denial-of-service and distributed denial-of-service (DDoS) attacks. The consequences of not having these measures in place will only get worse if a DDoS incident occurs.

• While implementing a firewall do not overlook scalability. Most firewall vendors claim
they can scale up to thousands of devices. Determine what that actually means in terms
of management and the ability to perform under stress.

• After choosing a firewall that meets the organization's business requirements, test it under conditions that reflect the live production environment. The organization determines the network requirements and evaluates the product's capabilities accordingly. The test should determine whether the chosen solution actually performs as expected.

• Installing proxy servers adds a layer of control, since a proxy can restrict access to selected users and services.

• When implementing a firewall solution, organizations need to focus on the hardware required for the implementation. Refrain from buying more technology than you need; first, make sure it works for you and improves your security.

• The idea behind a workflow in firewall management is a natural extension of change management functionality. Manage the change process to ensure only the correct rules are created. Most vendors offer complementary workflow products that integrate their core capabilities with change-management workflow tools. This may not be important if your organization already has a well-defined process and supporting tools in place.


Firewall Analyzer (ManageEngine)

• Firewall Analyzer automates endpoint security monitoring, network bandwidth monitoring, and security and compliance auditing.
• It eases device configuration management by providing reports and alerts for all configuration changes.

[Screenshot: Firewall Analyzer dashboard listing the monitored firewalls with their security and traffic reports.]

http://www.manageengine.com

Firewall Analyzer is a program that collects, correlates and analyzes security device information from enterprise-wide heterogeneous firewalls and proxy servers from Cisco, Fortinet, Check Point, WatchGuard, NetScreen and others. It is a browser-based firewall/VPN/proxy server reporting solution.

It generates scheduled reports on firewall traffic, security breaches, and more that help
network administrators secure networks before security threats arise, avoid network abuses,
manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of a
network by employees.

A firewall analyzer analyzes the firewall and proxy server logs and helps answer questions such as:

• Who are the top web surfers and the websites they visit?

• Which of the servers receives the maximum number of hits?

• Are there hacking attempts?

• Where do these attempts originate?

• How much network activity is originating from each side of the firewall?

Source: http://www.manageengine.com


Firewalk

Firewalk discovers firewall rules using an IP TTL expiration technique.

Example:
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

https://nmap.org

Firewalk is an active reconnaissance network security tool for enumerating firewalls. It attempts to determine which layer 4 protocols a firewall will allow to pass through to internal hosts.

Firewalk sends out TCP or UDP packets with a TTL one greater than the distance to the targeted gateway/firewall. If the gateway/firewall allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will most likely drop the packets and there will be no response.

To get the correct IP TTL that will result in expired packets you need to ramp up the hop-counts.

Example Usage
• nmap --script=firewalk --traceroute <host>

• nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>

• nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>

• nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

FIGURE 7.1: Firewa lk example

Source: https://nmap.org
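To make the TTL-expiry logic concrete, the following Python simulation is an added example (not Firewalk's code and not the Nmap NSE script): it models a path of hops with one filtering gateway (a constructed topology using documentation address ranges), ramps the TTL to find the gateway's hop count, then probes each port with TTL = hop count + 1 and classifies the port from the reply it provokes.

```python
"""Simulated Firewalk: probing with TTL = gateway distance + 1.

Added example; a pure-Python simulation, not Firewalk's or Nmap's code. The
"network" is a list of hops (assumption): a plain router forwards everything,
a filtering hop forwards only the TCP destination ports on its allow-list and
silently drops the rest. Addresses are documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Hop:
    addr: str
    allowed_tcp: Optional[Set[int]] = None   # None = no filtering at this hop


def send_probe(path: List[Hop], ttl: int, dport: int) -> Optional[str]:
    """Walk one TCP probe along the path and return the reply it provokes.

    Each hop decrements TTL; at zero it answers ICMP Time Exceeded. A filtering
    hop that does not allow `dport` drops the probe without any reply (None).
    """
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return f"ICMP_TIME_EXCEEDED from {hop.addr}"
        if hop.allowed_tcp is not None and dport not in hop.allowed_tcp:
            return None
    return "DELIVERED"   # reached the final host with TTL to spare


def ramp_to_gateway(path: List[Hop], gateway: str, max_ttl: int = 30) -> int:
    """Traceroute-style ramp: raise TTL until the gateway itself answers.

    This is the hop count the text refers to. The TTL expires *at* the gateway,
    before its filter is applied, so the probe port does not matter here.
    """
    for ttl in range(1, max_ttl + 1):
        if send_probe(path, ttl, dport=80) == f"ICMP_TIME_EXCEEDED from {gateway}":
            return ttl
    raise RuntimeError(f"gateway {gateway} not seen within {max_ttl} hops")


def firewalk(path: List[Hop], gateway: str, ports: List[int]) -> Dict[int, str]:
    """Classify each port as forwarded or filtered by the gateway."""
    probe_ttl = ramp_to_gateway(path, gateway) + 1   # expire one hop past the gateway
    results: Dict[int, str] = {}
    for dport in ports:
        reply = send_probe(path, probe_ttl, dport)
        # Any reply (Time Exceeded from the hop behind the gateway, or delivery)
        # proves the gateway forwarded the probe. Silence means it was dropped,
        # or ICMP is blocked, which Firewalk cannot tell apart from filtering.
        results[dport] = "forwarded" if reply is not None else "filtered"
    return results


# Constructed topology: edge router, filtering gateway, internal router, target host.
GATEWAY = "192.0.2.254"
PATH = [
    Hop("192.0.2.1"),
    Hop(GATEWAY, allowed_tcp={80, 443}),
    Hop("10.0.0.1"),
    Hop("10.0.0.20"),
]


def run_demo() -> Dict[int, str]:
    return firewalk(PATH, GATEWAY, [22, 25, 80, 443, 3389])


if __name__ == "__main__":
    for port, state in run_demo().items():
        print(f"{port}/tcp {state}")
```

The same limitation applies to the real tool: when the gateway or the next hop suppresses ICMP Time Exceeded messages, a forwarded port is indistinguishable from a filtered one, so "filtered" should be read as "no evidence of forwarding" rather than as proof of a deny rule.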


WinGate Proxy Server

WinGate Proxy Server is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and communication needs of businesses.

[Screenshot: the WinGate Activity window, which shows in real time the connections currently open through WinGate (for example NAT TCP connections to an internal mail server), a System internal activity panel listing tasks WinGate itself performs such as remote connections for mail delivery, and shortcut keys (DEL deletes a connection, or all connections from a computer).]

http://www.wingate.com

WinGate Proxy Server is an integrated Internet gateway and communications server designed
to meet the control, security and communication needs. WinGate Proxy Server's license options
offer the flexibility to satisfy requirements to manage an enterprise, small business, or home
network.

Features of WinGate include:

• Secure and manage Internet access for your entire network via a single or multiple shared Internet connections.

• Enforce advanced, flexible access-control and acceptable use policies.


• Monitor usage in real time, maintain per-user and per-service audit logs.

• Stop viruses, spam and inappropriate content from entering your network.

• Provide comprehensive internet and intranet email services.

• Protect your servers from internal and/or external threats.

• Improve network performance and responsiveness with web and DNS caching.

• Ease administration burdens on your internal networks.

Source: http://www.wingate.com


Firewall products:

• SonicWALL: http://www.sonicwall.com
• WatchGuard's Next-Generation Firewall: http://www.watchguard.com
• Check Point Next Generation Firewall: http://www.checkpoint.com
• Cisco ASA: http://www.cisco.com
• FortiGate: http://www.fortinet.com
• NetScreen Firewall: http://www.juniper.net
• McAfee Next Generation Firewall: http://www.mcafee.com
• Sophos UTM: http://www.sophos.com
• Barracuda Firewall: https://www.barracuda.com
• Cyberoam Firewall: http://www.cyberoam.com

SonicWALL

Source: http://www.sonicwall.com
The SonicWALL firewall supports network security, secure remote access and data protection. It applies Unified Threat Management (UTM) against an array of attacks, combining intrusion prevention, anti-virus and anti-spyware with the application-level control of the SonicWALL Application Firewall. It provides network firewalls, UTM appliances, VPNs (Virtual Private Networks), backup and recovery, and anti-spam for e-mail.

Check Point Next Generation Firewall

Source: http://www.checkpoint.com
Check Point firewall products are used in the education, energy, financial services, healthcare, Internet and media, manufacturing, public sector and telecommunications sectors.
FortiGate

Source: http://www.fortinet.com
The Fortinet FortiGate firewall is a network security solution that helps protect the network, users and data from continually evolving threats, and helps secure and manage network security. It offers Data Center Firewall (DCFW), Unified Threat Management (UTM) and Next Generation Firewall (NGFW) technologies. It is used to create a secure boundary between a protected private network and the Internet, and provides protection against today's wide range of advanced threats targeting applications, data and users.

McAfee Next Generation Firewall

Source: http://www.mcafee.com
McAfee Next Generation Firewall delivers complete, centrally managed network security with high availability, multi-tenancy, evasion protection, application control and flexible deployment options, including software, physical and virtual firewall appliances. It combines application control, an intrusion prevention system (IPS) and evasion prevention in a single solution, uniting anti-evasion security with enterprise-scale availability. It defends critical assets such as regulated data sources (customer, financial and healthcare data), e-mail and web servers, extranets and data centers.
Barracuda Firewall

Source: https://www.barracuda.com
The Barracuda Spam Firewall is a hardware and software solution designed to protect e-mail servers from spam, viruses, spoofing, phishing and spyware attacks. It uses 12 defense layers to protect any e-mail server within a large corporation or a small business.
WatchGuard's Next-Generation Firewall

Source: http://www.watchguard.com
WatchGuard's next-generation firewall provides security inspection that blocks attacks and unwanted traffic without interrupting Internet usage. It gives users a platform for network traffic inspection and enforces the network security policy with state-of-the-art security and compatibility. It combines secure throughput with real-time visibility tools.

Cisco ASA

Source: http://www.cisco.com
The Cisco ASA firewall enables businesses to segment campus networks and secure data center environments by integrating firewall security directly into the network infrastructure.

NetScreen Firewall

Source: http://www.juniper.net
The NetScreen firewall line provides a broad range of options, from all-in-one security and networking devices to chassis-based data center security solutions, that can secure any size of enterprise data center or service provider with performance, functionality and security options. It supports fast, secure data center and enterprise operations with high performance and scalability, large session volumes and large-scale connectivity.


Sophos UTM

Source: http://www.sophos.com
Sophos UTM provides complete security, from the network firewall to web and application control, in a single modular appliance. Its Web Application Firewall intercepts traffic to servers using a reverse proxy with dual scanning engines and attack pattern recognition. It uses layered protection to prevent APTs, command-and-control traffic and targeted attacks.
Cyberoam Firewall

Source: http://www.cyberoam.com
The Cyberoam Firewall offers stateful and deep packet inspection for network-, application- and user-identity-based security. It protects organizations from DoS, DDoS and IP spoofing attacks, and allows policy creation for multiple security features through a single interface.


Personal firewall software:

• Comodo Internet Security Pro 7: http://www.comodo.com
• Outpost Firewall Pro: http://www.agnitum.com
• Kaspersky Internet Security: http://www.kaspersky.com
• ZoneAlarm PRO Firewall: http://www.zonealarm.com
• Total Defense Internet Security Suite: http://www.totaldefense.com
• Norton Internet Security: http://in.norton.com
• Bitdefender Internet Security: http://www.bitdefender.com
• Windows 8 Firewall Control: http://www.sphinx-soft.com
• Private Firewall: http://www.privacyware.com
• McAfee Internet Security: http://home.mcafee.com

Comodo Internet Security Pro 7

Source: http://www.comodo.com
Comodo Internet Security Pro 7 offers protection against viruses, Trojans, adware, spyware and other malware, focusing on both detection and prevention. It includes Auto Sandbox Technology, which provides protection from unknown threats by running untrusted programs in isolation.
Kaspersky Internet Security

Source: http://www.kaspersky.com
Kaspersky Internet Security provides protection from Internet threats such as viruses, spyware, phishing, spam, rootkits and malicious banners, and secures online transactions for banking and shopping. Additional features include dangerous-website alerts, advanced parental control and safe social networking.

Total Defense Internet Security Suite

Source: http://www.totaldefense.com
Total Defense Internet Security Suite protects up to three devices against viruses, malware, spyware, spam, inappropriate content, lost files and data corruption, and includes mobile security in its coverage. It provides features such as industry-grade protection, parental controls and mobile security.


Bitdefender Internet Security

Source: http://www.bitdefender.com
Bitdefender Internet Security prevents unauthorized access to your private data. It includes a two-way firewall, parental controls and more. Other Bitdefender products include anti-virus and mobile security.

Private Firewall

Source: http://www.privacyware.com
Private Firewall monitors web traffic alongside the operating system's native firewall. It prevents viruses, spyware and other online threats, and protects the system using application monitoring, registry monitoring, process monitoring and e-mail anomaly detection.

Outpost Firewall Pro

Source: http://www.agnitum.com
Outpost Firewall Pro provides standard firewall protection by scanning web traffic and preventing malicious traffic from entering the host system. It keeps ports closed when they are not in use to prevent attacks. It offers malware blocking, information privacy and security, blocks incoming targeted attacks, makes the PC invisible to network probes, and works with little consumption of computer resources.

ZoneAlarm PRO Firewall

Source: http://www.zonealarm.com
ZoneAlarm PRO Firewall offers a two-way firewall, private browsing, identity protection, Do Not Track support, a Facebook privacy scan, online backup and a security and privacy toolbar.
Norton Internet Security

Source: http://in.norton.com
Norton Internet Security provides protection against almost all types of online threats, such as viruses, worms and spyware, and supports safe online banking and shopping. It warns the user about social media scams and suspicious content, blocks harmful files from downloading, and also improves system performance by reducing system startup time.

Windows 8 Firewall Control

Source: http://www.sphinx-soft.com
Windows 8 Firewall Control protects both locally and remotely running applications from undesirable incoming and outgoing network activity on Windows operating systems. It provides per-application security settings, instant notification of blocked activity and zone-based network permissions. The program also manages external connectivity by automatically synchronizing with hardware firewalls.


McAfee Internet Security

Source: http://home.mcafee.com
McAfee Internet Security provides protection from Internet threats and attacks, including viruses, worms, phishing websites and spyware. It protects Windows and Mac operating systems, smartphones and tablets, and protects your identity on social networks. It provides a cloud backup facility to back up and restore important files and information in case of a system breach.

Module 08: Secure IDS Configuration and Management


Module Objectives

• Understand the different types of intrusions and their indications
• Understand IDPS
• Understand the importance of implementing an IDPS
• Describe the role of an IDPS in network defense
• Describe the functions and components of an IDS and how it works
• Explain the various types of IDS implementations
• Describe a staged deployment of NIDS and HIDS
• Describe IDS fine-tuning by minimizing false positives and the false negative rate
• Discuss the characteristics of a good IDS implementation
• Discuss the common IDS implementation mistakes and their remedies
• Explain the types of IPS implementations
• Discuss the requirements for selecting an appropriate IDPS product
• Discuss the technologies which complement IDS functionality

This module focuses on the configuration and deployment of IDS/ IPS solutions in the network.
The module starts with the basics of intrusion detection and prevention systems, how they
work and the role they play in network defense. The module discusses the different types of IDS
and IPS, their components, etc. The module also provides guidelines on the selection of an
appropriate IDPS product and each of their deployment strategies.


Intrusion is an illegal attempt to compromise the confidentiality, integrity and availability of, or to jeopardize the security mechanisms which control, mission-critical assets and processes.

Types of Intrusions:
I. System Intrusions
II. Network Intrusions
III. File System Intrusions

An intrusion is an illegal attempt to compromise the confidentiality, integrity and availability of a computer system, or to jeopardize its security mechanisms.

Intrusions are classified into three types:

1. System Intrusions: System intrusions include the corruption and/or damage of the information stored in the system. An attacker exploits system-level vulnerabilities with the help of malware such as viruses, Trojans, worms, etc. to perform system-level intrusions.
2. Network Intrusions: Attackers exploit network-level vulnerabilities to perform network intrusions. These may include vulnerabilities in the network infrastructure, configuration, protocols, etc. Attackers may perform various network-level intrusions to compromise the target network, such as ARP poisoning, denial of service and spoofing.
3. File System Intrusions: Vulnerabilities in the file system exist due to improper file handling or permissions. Attackers take advantage of file-system-level vulnerabilities to gain access to file systems, and then modify file permissions or file contents.


General Indications of Intrusions

File System Intrusions:
• The presence of new, unfamiliar files or programs
• Changes in file permissions
• Unexplained changes in a file's size
• Rogue files on the system that do not correspond to your master list of signed files
• Missing files

Network Intrusions:
• Repeated probes of the available services on your machines
• Connections from unusual locations
• Repeated login attempts from remote hosts
• Arbitrary data in log files, indicating attempts to cause a DoS or to crash a service

System Intrusions:
• Short or incomplete logs
• Unusually slow system performance
• Missing logs, or logs with incorrect permissions or ownership
• Modifications to system software and configuration files
• Unusual graphic displays or text messages
• Gaps in system accounting
• System crashes or reboots
• Unfamiliar processes
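Several of the file-system indicators above (new or rogue files, changed permissions, unexplained size changes, missing files) can be checked mechanically against a baseline. The following Python script is an added example, not courseware code: it records a manifest of SHA-256 digests, sizes and permission bits for every regular file under a root (the "master list"), then diffs a later snapshot against it. The directory tree and the simulated tampering are constructed in a temporary directory.

```python
"""Baseline-and-compare check for the file-system indicators listed above.

Added example, not courseware code. A baseline manifest (the "master list")
records SHA-256, size and permission bits for every regular file under a root;
a later snapshot is diffed against it to surface new, missing, modified and
re-permissioned files. The sample tree and the "intrusion" are constructed
in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

POSIX = os.name == "posix"   # chmod only carries full permission bits on POSIX


class Entry(NamedTuple):
    sha256: str
    size: int
    mode: int   # permission bits only (0o777 mask)


def snapshot(root: Path) -> Dict[str, Entry]:
    """Record every regular file below `root`, keyed by its relative path."""
    manifest: Dict[str, Entry] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            manifest[p.relative_to(root).as_posix()] = Entry(digest, st.st_size, st.st_mode & 0o777)
    return manifest


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Map each indicator from the list above to the files that exhibit it."""
    findings: Dict[str, List[str]] = {
        "new": [], "missing": [], "content_changed": [], "size_changed": [], "permission_changed": [],
    }
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings["new"].append(path)            # unfamiliar / rogue file
        elif path not in current:
            findings["missing"].append(path)        # deleted (e.g. a log)
        else:
            b, c = baseline[path], current[path]
            if b.sha256 != c.sha256:
                findings["content_changed"].append(path)
            if b.size != c.size:
                findings["size_changed"].append(path)
            if b.mode != c.mode:
                findings["permission_changed"].append(path)
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a small tree, take the baseline, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "bin", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "etc/sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin/ls").write_bytes(b"\x7fELF-original")
        (root / "var/log/auth.log").write_text("Accepted publickey for admin\n")
        os.chmod(root / "etc/sshd_config", 0o600)
        baseline = snapshot(root)

        # Simulated intrusion (constructed):
        (root / "bin/ls").write_bytes(b"\x7fELF-trojaned!!")          # replaced binary
        (root / "etc/hosts").write_text("127.0.0.2 localhost\n")       # same size, new content
        os.chmod(root / "etc/sshd_config", 0o666)                       # loosened permissions
        (root / "var/log/auth.log").unlink()                            # log removed
        (root / ".hidden").mkdir()
        (root / ".hidden/rootkit.ko").write_bytes(b"\x00" * 64)        # rogue file

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for indicator, files in demo().items():
        print(f"{indicator:19s} {files}")
```

Hashing is what catches the etc/hosts change, whose size is unchanged; size and timestamp checks alone would miss it. On a real host the baseline must be stored and verified off-box (or signed), otherwise an intruder who can modify files can also modify the manifest.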


Intrusion Detection and Prevention Systems (IDPS)

• An IDPS is used to deal with intrusions in a network.
• It is mainly divided into IDS (Intrusion Detection System) and IPS (Intrusion Prevention System).
• An IDS is used to detect intrusions, while an IPS is used to detect and prevent intrusions on the network.

Classification of IDPS:
• IDS: NIDS (network-based IDS) and HIDS (host-based IDS)
• IPS: NIPS (network-based IPS) and HIPS (host-based IPS)

Intrusion detection and prevention systems (IDPS) are network security appliances used to monitor the network for malicious activity. IDPS systems are categorized into Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) and are used for identifying, logging, blocking/stopping and reporting security incidents on the network. An IDPS also helps you locate weaknesses in existing security policies and assess the network against possible threats. An IDPS is becoming an integral part of network security for most organizations. Intrusion Prevention Systems (IPS) are considered extensions of Intrusion Detection Systems (IDS). Unlike an IDS, though, an IPS is placed in-line and both detects an incident and blocks it from getting into the network.

An IDS identifies an intrusion attempt and alerts the network administrator. An IPS, in addition to these activities, can stop the intrusion attempt. IPS systems can also correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues and clean up unwanted options in the transport and network layers.


• An IDPS provides an additional layer of security to the network under the defense-in-depth principle.
• An IDPS does several things that basic firewalls cannot do.
• An IDPS helps minimize the chance of missing security threats that result from firewall evasion.
• Improper IDPS configuration and management will make an IDPS ineffective.
• IDPS deployment requires careful planning, preparation, prototyping, testing and specialized training.

Relying solely on a firewall for network security can provide a false sense of security. A
firewall simply implements the IT security policy: it allows or denies traffic based on the
policy rules. It allows certain packets to pass through or denies access if they do not meet
the criteria specified in a rule. It does not check the content of the legitimate traffic it
allows based on that rule set. Legitimate traffic may contain malicious content which is not
evaluated during inspection by a firewall.
As an example, a firewall can be configured to pass traffic solely to port 80 of the web server
and to port 25 of the email server, but it will not inspect the nature of the traffic flowing
through either of these ports.

This is the reason for an IDPS and its applications. An IDPS application inspects the legitimate
traffic coming from the firewall, conducts signature-based analysis to identify malicious
activity and raises an alarm to notify the administrators.

Intrusion detection and prevention systems (IDPS) are a proactive means of detecting and
responding to threats from both inside and outside a network. An IDPS is an integral and
necessary element of a complete network security infrastructure. It provides a complete level
of supervision for a network regardless of the action taken; in this way the information will
always exist when attempting to determine the nature and source of a security incident.


• An IDS works from the inside of the network, unlike a firewall which only looks outside the
network for intrusions

• An IDS is placed behind the firewall, inspecting all the traffic, looking for heuristics and a
pattern match for intrusions

Figure: IDS placed behind the firewall, inspecting traffic between the Internet/remote users and
the internal LAN (intrusion prevention and intrusion detection).


Though firewalls and IDPS applications are both security services used to protect a network
from various types of attack, they are two different applications that operate in tandem. They
are functionally different from each other. An IDPS is placed behind the firewall in the
network. Firewalls filter inbound/outbound traffic based on the rules configured. The purpose
of a firewall is to control the traffic that should be allowed into a network based on static
rules. IDPS applications are used to locate and stop malicious activities, mainly through
signature-based detection. An IDPS application monitors the filtered traffic coming from a
firewall for malicious activity based on these signatures.


IDS Functions:

• Tracking user policy violations

• Monitoring and analyzing both user and system activities

• Analyzing abnormal activity patterns

• Analyzing system configurations and vulnerabilities

• Recognizing typical attack patterns

• Assessing system and file integrity


In addition to its core functionality of identifying and analyzing intrusions, an IDS can perform
the following types of activities related to intrusion detection:

• Recording information about events: Notes down every detail regarding the monitored
events. The intrusion detection system forwards the recorded information to other
systems such as centralized logging servers, security information and event
management (SIEM) systems and enterprise management systems.

• Sending an alert: The IDS sends an intrusion alert to the network security administrator
through e-mails, pop-up messages on the IDS user interface, etc.

• Generating reports: The IDS generates reports providing insight into observed events or
any suspicious event which has occurred.


What Events does an IDS Examine?

• An IDS observes computer network activity and keeps track of user policies and activity
patterns to ensure they don't violate policies

• Identifies vulnerabilities in configuration files

• Checks service configuration files, ensuring there are no unauthorized services on the
network

• Network observation for detecting virus and malware hidden in the form of spyware, key
loggers, etc.

• Authorization files on a network include user and group authorization. An IDS regularly
checks these authorizations ensuring they have not been tampered with.

An IDS observes computer network activity and keeps track of user policies and activity patterns
to ensure they do not violate policies. It also observes network traffic and components to
detect viruses and malware hidden in the form of spyware, key loggers, etc.

An IDS works by gathering information about illicit attempts made to compromise security and
verifying them. It also records the event data, and an IT administrator uses this data to take
future preventive measures and make improvements to network security.
An intrusion detection system works by examining certain events such as:

• Observing Activity: The IDS tracks all the activities taking place within a network and
keeps track of user policies and activity patterns to detect any kind of attempt to violate
these patterns.

• Viruses: An IDS is capable of detecting viruses and malware hidden within a network system
in the form of spyware, key logging, password theft, etc.

• Vulnerabilities: The IDS identifies vulnerabilities in the network configuration files and
network components.

• File Settings: The IDS verifies user authorization and group authorization files on a
network, and checks them for tampering.

• Services: Routinely checks configuration files for unauthorized services operating on the
network.


• Packet Sniffing: These systems check for unauthorized network monitoring programs that
can monitor and record user account activity data.

• PC Check: The IDS regularly checks PCs on the network for violations.


Security devices that are not an IDS:

• Network Logging Systems

• Vulnerability Assessment Tools

• Anti-virus Products

• Security/Cryptographic Systems
Contrary to popular belief and the terminology employed in the literature on intrusion detection
systems, not every security device falls into this category. In particular, the following
security devices are not an IDS:

• Network Logging Systems: These devices are network traffic monitoring systems. They
detect denial of service (DoS) vulnerabilities across a congested network.

• Vulnerability Assessment Tools: These devices check for bugs and flaws in operating
systems and network services (security scanners).

• Anti-virus Products: These devices detect malicious software such as viruses, Trojan
horses, worms, bacteria and logic bombs. When compared feature by feature, these devices
are very similar to intrusion detection systems and often provide effective security breach
detection.

• Security/Cryptographic Systems: These devices protect sensitive data from theft or
alteration and provide user authentication. Examples include VPN, SSL, S/MIME, Kerberos and
RADIUS.


Figure: intrusion detection activities. Prevention (with simulation), Intrusion Monitoring,
Analysis, Intrusion Detection, Notification and Response.

The main task of an intrusion detection system is detecting an intrusion attempt on a network
and notifying about what occurred. Detecting hostile attacks depends on several types of
actions, including prevention, intrusion monitoring, intrusion detection and response. Intrusion
prevention requires a well-selected combination of luring and tricking aimed at investigating
threats. Diverting the intruder's attention from protected resources is another task. An IDS
constantly monitors both the real system and a possible trap system and carefully examines the
data generated by intrusion detection systems for detection of possible attacks.

Once an IDS detects an intrusion it issues alerts notifying administrators. Once the intrusion is
detected and notified, the administrators can execute certain countermeasures. These may include
blocking functions, terminating sessions, backing up the systems, routing connections to a
system trap, legal infrastructure, etc. An IDS is an element of the security policy.
An IDS's alerts and logs are useful in forensic research of any incidents and in installing
appropriate patches, enabling the detection of future attack attempts targeting specific people
or resources.


How does an IDS Work?

Figure: IDS operation. Traffic from the Internet passes the firewall into the enterprise
network, where the IDS preprocessor feeds it to three checks: signature file comparison against
the signature file database, anomaly detection, and stateful protocol analysis. On a match, an
alarm notifies the admin and the packet can be dropped, an action rule cuts down connections
from that IP source, or the packet is dropped at the switch; events are sent to a log server.

In a network, the IDS's sensor monitors all packets transmitted to and from the network. The
IDS detects network anomalies, attack patterns and data containing viruses, malware and
other harmful threats. An IDS scans the network traffic and components for anomalies or
patterns that seem to be illicit. Then the IDS takes action against the threat: it sends an
alarm signal to the administrator, resets the TCP connection or drops the packet to prevent the
threat from entering the network.

An IDS should be implemented in combination with a firewall to offer better protection to the
network. An IDS generally uses two techniques to detect any abnormalities in the traffic.

Signature/Pattern matching
This involves checking and comparing the network traffic for known attack patterns or
signatures. Attacks are recognized by certain patterns in network traffic called signatures. An
IDS is pre-installed with signatures for known attacks. These signatures are stored in a
signature database. The IDS compares the traffic against these signatures to detect potential
threats to the network and sends an alert if a pattern match is found. The pattern/signature
technique is highly efficient if and only if the database is up to date. The major disadvantage
of this technique is that pattern matching fails to identify new attacks because there is no
definite signature in the database.


Statistical anomaly detection

Anomaly-based detection observes the network for abnormal usage patterns by determining
the performance parameters for regular activities and monitoring for actions beyond the
normal parameters. This method allows the administrators to detect new intrusions or attacks
even without a known signature.

Stateful Protocol Analysis

Stateful protocol analysis is also known as deep packet inspection; it is a reliable but
resource-intensive approach in an IDS. The analysis defines the methods for how a particular
protocol should work. It has the feature of determining the type of attack and responding to it
accordingly. For example, stateful protocol analysis can detect the unexpected generation of a
sequence of repeated commands in the network. This also includes detecting variations in
command length, command attributes and other anomalies.
The accuracy of stateful protocol analysis depends on the quality of the protocol models.
Protocol models that are proprietary or poorly defined cannot support an accurate analysis.
In large organizations, stateful protocol analysis requires a lot of resources to track and
analyze the information. Attacks that do not violate the protocol characteristics go undetected
by stateful protocol analysis.
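The two techniques described above, statistical anomaly detection and stateful protocol analysis, as an added example that is not part of the CND courseware. It assumes a constructed request-rate baseline and a simplified, hypothetical SMTP-style protocol model (not any vendor's), and reports the two anomalies the text names: repeated command sequences and out-of-model command lengths.

```python
"""Added example, not the courseware's code: statistical anomaly detection and
stateful protocol analysis applied to constructed traffic. The protocol model is
a simplified, hypothetical SMTP-style command grammar."""
import statistics

# Constructed baseline: client requests per minute seen during normal operation.
NORMAL_REQUESTS_PER_MINUTE = [48, 52, 50, 47, 53, 49, 51, 50, 52, 48]


def build_profile(samples):
    """Anomaly detection first learns the 'normal' parameters (mean and spread)."""
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def is_anomalous(profile, observed, z_threshold=3.0):
    """Flag an observation lying more than z_threshold standard deviations from
    the learned mean. No signature is needed, which is the technique's strength;
    a baseline recorded while an attack was under way is its weakness."""
    if profile["stdev"] == 0:
        return observed != profile["mean"]
    z = (observed - profile["mean"]) / profile["stdev"]
    return abs(z) > z_threshold


# Hypothetical protocol model: which verbs a client may send in each session
# state, the state each verb leads to, and the limits the model allows.
SMTP_MODEL = {
    "allowed": {
        "INIT": {"EHLO", "HELO"},
        "GREETED": {"MAIL", "QUIT"},
        "MAIL": {"RCPT"},
        "RCPT": {"RCPT", "DATA"},
        "DATA": {"MAIL", "QUIT"},
    },
    "next_state": {"EHLO": "GREETED", "HELO": "GREETED", "MAIL": "MAIL",
                   "RCPT": "RCPT", "DATA": "DATA", "QUIT": "INIT"},
    "max_arg_len": 256,   # longest argument the model accepts
    "max_repeats": 25,    # consecutive identical verbs before a run is reported
}


def analyze_session(commands, model=SMTP_MODEL):
    """Walk one client's command sequence through the protocol model and return
    (index, reason) findings: out-of-state commands, over-long arguments and
    runs of repeated commands. A session that follows the model returns []."""
    findings = []
    state, last_verb, repeats = "INIT", None, 0
    for i, line in enumerate(commands):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb not in model["next_state"]:
            findings.append((i, f"unknown command {verb!r}"))
            continue
        if verb in model["allowed"][state]:
            state = model["next_state"][verb]        # follow the protocol
        else:
            findings.append((i, f"{verb} not valid in state {state}"))
        if len(arg) > model["max_arg_len"]:
            findings.append((i, f"{verb} argument length {len(arg)} exceeds model"))
        repeats = repeats + 1 if verb == last_verb else 1
        last_verb = verb
        if repeats == model["max_repeats"] + 1:      # report a run only once
            findings.append((i, f"{verb} repeated more than {model['max_repeats']} times"))
    return findings


# Constructed sessions: one that follows the model, one that violates it in
# three ways (command out of order, over-long argument, command flood).
CLEAN_SESSION = ["EHLO mail.example.test", "MAIL FROM:<a@example.test>",
                 "RCPT TO:<b@example.test>", "DATA", "QUIT"]
SUSPICIOUS_SESSION = (["EHLO mail.example.test", "RCPT TO:<b@example.test>",
                       "MAIL FROM:<" + "A" * 300 + ">"]
                      + ["RCPT TO:<b@example.test>"] * 30)

if __name__ == "__main__":
    profile = build_profile(NORMAL_REQUESTS_PER_MINUTE)
    for rate in (54, 400):
        print(f"{rate} req/min anomalous: {is_anomalous(profile, rate)}")
    for name, session in (("clean", CLEAN_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(name, analyze_session(session))
```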


An IDS system is built on various components

Administrators must be aware of how the components function and where to place each IDS
component in the network
Typical components of an IDS system:

• Network sensors

• Command console

• Attack signatures database

• Alert systems

• Response system

An IDS is comprised of different components. These components are used to collect
information from a variety of systems and network sources, and then analyze the information
for any abnormalities. Major components of an Intrusion Detection System include:

• Network Sensors: These agents analyze and report any suspicious activity.

• Analyzer: Analyzes the data collected by the sensors.

• Alert Systems: These systems trigger alerts when detecting malicious activity.

• Command console: It acts as an interface between the user and the intrusion detection
system.

• Response system: An IDS uses this system to initiate countermeasures on detected
activities.

• Database of attack signatures or behaviors: A list of previously detected signatures
stored in a database that assists the IDS in intrusion detection.


Network sensors are hardware and software components which monitor network traffic
and trigger alarms if any abnormal activity is detected

Placed and located at common entry points in a network such as:

• Internet gateways

• In between LAN connections

• Remote access servers used to receive dial-up connections

• Virtual private network (VPN) devices

• Either side of the firewall


IDS Components:
Network Sensors (Cont'd)
Possible placement of an IDS sensor

Figure: Sensor placement options on a network with a remote user, the Internet, a router, a
branch office, and an internal network containing Subnet1 and Subnet2.

• Option 1: Between a remote user and the internal network

• Option 2: Between a branch office and the internal network

• Option 3: Between one subnet and another subnet

IDS Components:
Network Sensors (Cont'd)
Placing IDS sensors behind a firewall is always recommended for secure IDS deployment

Figure: Positioning Sensors inside the Firewall in the DMZ (Internet, Firewall, DMZ,
Dual-Homed Host)


A network sensor is a hardware and/or software device connected to the network that reports
to the IDS. It is the primary data collection point for the IDS. Network sensors collect data
from the data source and pass it to the alert systems.

The sensor integrates with the component responsible for data collection, such as an event
generator. Network sensors determine data collection based on the event generator policy,
which defines the filtering mode for event notification information.
The role of the sensor is to filter information and discard any irrelevant data obtained from
the event set associated with the protected system, thereby detecting suspicious activities.
Sensors check the traffic for malicious packets, trigger an alarm when they suspect a packet is
malicious and then alert the IDS. If the IDS confirms the packet as malicious, the sensors
generate an automatic response to block the traffic from the source of the attack.

To detect network intrusions, administrators should place several network sensors at strategic
locations on the network. The positioning of sensors will depend significantly on which kind of
network resources you want to monitor for intrusion. Some organizations will want to use the
IDS to monitor internal resources such as a sensitive collection of machines or a specific
department or physical location. In that case, the most logical place for the IDS sensor will be
on the choke point between those systems and the rest of the internal network. Some of the
critical common entry points to place sensors include:

• At Internet gateways.

• At connections between LANs.


• At remote access servers that receive dial-up connections from users.

• At virtual private network (VPN) devices that connect an internal LAN to an external LAN.

• Between subnets that are separated by switches.

If organizations are planning to monitor intrusions targeting internal servers, such as DNS
servers or mail servers, they place a sensor inside the firewall on the segment that connects
the firewall to the internal network. The logic behind this is that the firewall will prevent
the vast majority of attacks aimed at the organization, and regular monitoring of firewall logs
will identify them. The IDS on the internal segment will detect some of those attacks that
manage to get through the firewall.
If a firewall is in place to protect the network, positioning sensors inside the firewall is
more secure than placing a sensor outside the firewall at a position exposed to the Internet. If
it is placed outside the firewall, it can become the major focus for attacks. A more secure
location to place a sensor is behind the firewall in the DMZ.


IDS Components:
Alert Systems
An alert system sends an alert message notifying administrators when any anomaly or misuse
is detected
Alerts can be sent using:

• Pop-up windows

• E-mail messages

• Sounds

• Mobile messages

Alert systems trigger an alert whenever sensors detect malicious activity in the network. The
alert communicates to the IDS the type of malicious activity and its source. The IDS uses
triggers to respond to the alert and take countermeasures. An IDS can send alerts using:

• Pop-up windows

• E-mail messages

• Sounds

• Mobile messages

When a sensor triggers an alert, there are three possibilities:

• The sensor has correctly identified a successful attack. This alert is most likely relevant
and is termed a true positive.

• The sensor has correctly identified an attack, but the attack failed to meet its objectives.
Such alerts are known as non-relevant positives or non-contextual.

• The sensor incorrectly identified an event as an attack. This alert represents incorrect
information and is termed a false positive.

As more IDSs are developed, network security administrators must face the task of analyzing an
increasing number of alerts resulting from the analysis of different event streams. In addition,
IDSs are far from perfect and may produce both false positives and non-relevant positives.


IDS Components:
Command Console

• Command console software is installed and runs on a separate system which is dedicated to
the IDS

• It provides a user interface to an administrator for the purpose of receiving and analyzing
security events, alert messages and log files

• The Command console evaluates security event information from different security devices

Caution: If the Command console is installed on a non-dedicated computer system (e.g.
firewall, backup server), it will drastically slow down the response to security events as
those systems may be busy handling other tasks

The Command console is software that acts as an interface between a network administrator
and the IDS. The IDS collects all the data from security devices and analyzes it using the
command console. Administrators use the console to analyze alert messages triggered by the
alert system and to manage log files. The Command console allows administrators in large
networks to process large volumes of activity and respond quickly.
An IDS collects information from security devices placed throughout the network and sends it
to the command console for evaluation. Installing the command console on a system used for
other purposes, such as backing up files or firewall functions, will make it slow to respond to
events which have occurred. Installing the command console on a dedicated system provides the
benefit of a fast response.


IDS Components:
Response System

• The Response system issues countermeasures against any intrusion which is detected

• The Response system is not a substitute for an administrator. They must also be
involved in the decision and have the ability to respond on their own

• Administrators will make decisions on how to deal with false positives and when a
response needs escalation

Recommendation: An administrator must not rely solely on an IDS response system for an
intrusion response

A response system in an IDS is responsible for the countermeasures taken when an intrusion is
detected. These countermeasures include logging out the user, disabling a user account,
blocking the source address of the attacker, restarting a server or service, closing connections
or ports, and resetting TCP sessions.
Administrators can set up an IDS to allow the response system to take actions against
intrusions, or they can respond on their own. In the case of false positives, administrators
need to respond by allowing this traffic into the network without blocking it. Using the
response system, administrators can also define the level of counter action an IDS must take to
respond to the situation, depending on the severity of the intrusion.

An IDS has the advantage of providing real-time corrective action in response to an attack. It
automatically takes action in response to a detected intrusion. The exact action differs per
product and depends on the severity and type of attack detected. A common active response is
increasing the sensitivity level of the IDS to collect additional information about the attack
and the attacker. Another possible active response is making changes to the configuration of
systems or network devices such as routers and firewalls to stop the intrusion and block the
attacker. Administrators are responsible for determining the appropriate responses and
ensuring that those responses are carried out.


IDS Components:
Attack Signature Database

1. An IDS does not have the capability to make a decision; instead it maintains a database of
attack signatures and patterns

2. Network traffic is compared against these known attack signatures and then a decision can
be made

3. If any matches are found, the IDS will raise an alert and block the suspicious traffic

Note: Administrators will periodically update the Attack Signature database for their IDS

Network administrators should exercise their own judgment when evaluating security alerts
because an IDS does not have the ability to make these kinds of decisions. However, an IDS can
use a list of previously detected signatures, which are stored in the attack signature database,
to detect suspicious activity. The IDS compares the signature of packets in the network traffic
with the database of known attack signatures. The IDS blocks the traffic if a packet matches a
stored signature in the database. Administrators should always keep the database updated to
detect new types of attacks.

The IDS uses normal traffic logs to match against currently running network traffic to find
suspicious activity. If an IDS finds unusual traffic activity, it determines the traffic to be
suspicious and blocks it before it enters the network.


Figure: Generalized intrusion detection process. A sensor on the internal LAN behind the
firewall, a screened subnet DMZ and a trusted management subnet take part in the following
steps:

1. Install Database Signatures

2. Gather Data

3. Alert message sent

4. IDS Responds

5. Administrator Assesses Damage

6. Escalation Procedures Followed if Necessary

7. Events are Logged and Reviewed

An IDS operates in different ways depending on the purpose of the configuration. There is a
generalized process for intrusion detection. The steps involved in the process include:

Install Database Signatures

The first step of intrusion detection occurs before any packets are detected on the network.
Network administrators install the database of signatures or user profiles along with the IDS
software and hardware. This database is what the IDS compares traffic passing through the
network against.

Gather Data
The IDS gathers all the data passing through the network using network sensors. The sensors
monitor all the packets allowed through the firewall and pass them to the next line of sensors.
If a sensor identifies malicious packets, it sends alert messages to the IDS.

Alert Message Sent

The IDS compares all the packets entering the network with signatures stored in the database.
An alert message is transmitted when a packet matches an attack signature or deviates from
normal network use. The alert message goes to the IDS command console, where the network
administrator can evaluate it.


IDS Responds
When the command console receives an alert message, it notifies the administrator of the alert
through a pop-up window and/or email message, depending on how it is configured for alerts.
However, if the administrator configured it to respond automatically, the IDS responds to the
alert and takes a counter action such as dropping the packet, restarting the network traffic and
more.

Administrator Assesses the Damage

The network administrator has to monitor the IDS alerts and determine whether or not to take
any countermeasures. The IDS sends alerts depending on the database information, and these
alerts can include false positives. Administrators need to update the signature database to
eliminate false positive alarms.

Escalation Procedures (if Necessary)

Escalation procedures are a set of actions written in the security policy and followed if the IDS
detects a true positive (attack). These procedures vary depending on the severity of the
incident.

Events are Logged and Reviewed

Administrators should maintain a log of any intrusion events detected and review them to
decide on what countermeasures should be used for future events. These logs can assist
administrators in updating the database of attack signatures with new events and in detecting
future attacks.


Types of IDS Implementations

An IDS is classified based on approach, protected system, structure, data source, behavior and
analysis timing

Classification of Intrusion Detection Systems:

• Intrusion Detection Approach: Anomaly Detection System, Signature Detection System

• Protected System: HIDS, NIDS, Hybrid

• Structure: Centralized, Distributed Agent System

• Data Source: Audit Trail, Network Packets, System State

• Behavior after an Attack: Active IDS, Passive IDS

• Analysis Timing: On-the-fly processing based IDS, Interval Analysis
Copyright© by EC-Co■ncil. All Rights Reserved. Re producti on is Strictly Prohibited.

Generally, an IDS uses anomaly-based detection and signature-based detection methods to
detect intrusions. Depending on the source of data an IDS uses, what it protects, and other
factors, IDSs are classified as shown in the figure above. This categorization depends on
whether the information is gathered from a single host or a network segment, on the behavior
after an attack, on whether the feed of information is continuous or periodic, and on the data
source.


Signature-Based Detection

Known as misuse detection. It monitors patterns of data packets in the network and compares
them to pre-configured network attack patterns, known as signatures. This method uses string
comparison operations to compare ongoing activity, such as a packet or a log entry, against a
list of signatures.

Advantages:

• It detects attacks with minimal false alarms
• It can quickly identify the use of a specific tool or technique
• It assists administrators to quickly track any potential security issues and initiate incident
handling procedures

Disadvantages:

• This approach only detects known threats; the database must be updated with new attack
signatures constantly
• It utilizes tightly defined signatures, which prevent it from detecting common variants of the
attacks

Examples of signatures are:

• A telnet attempt with a username of 'root', which is a violation of the corporate security policy
• An operating system log entry with a status code of 645, which indicates the host auditing
system is disabled

Anomaly-based Detection

In this approach, alarms for anomalous activities are generated by evaluating network
patterns such as what sort of bandwidth is used, what protocols are used, what ports are used
and which devices are connected to each other.

An IDS monitors the typical activity for a particular time interval and then builds the
statistics for the network traffic.

An example: an anomaly-based IDS monitors activities for normal Internet bandwidth usage,
failed logon attempts, processor utilization levels, etc.

Advantages:

• An anomaly-based IDS identifies abnormal behavior in the network and detects the
symptoms of attacks without any clear details
• Information acquired by anomaly detectors is further used to define signatures for misuse
detectors

Disadvantages:

• The rate of generating false alarms is high, due to unpredictable behaviors of users and
networks
• The need to create an extensive set of system events in order to characterize normal
behavior patterns


Stateful Protocol Analysis

• This method compares observed events with pre-determined profiles based on accepted
definitions of benign activity for each protocol, to identify any deviations of the protocol state
• It can identify unpredictable sequences of commands. For example, it can identify activities
such as issuing the same commands repeatedly or arbitrary commands being used
• For any protocol performing authentication, the IDPS will keep track of the authenticator
being used for each session and will record the authenticator involved in the suspicious
activity
• It also detects variations in command length, minimum/maximum values for attributes and
other potential anomalies

Signature-Based Detection
A signature is a pre-defined pattern in the traffic on a network. Normal traffic signatures denote
normal traffic behavior. Attack signatures, however, are malicious and harmful to the
network. These patterns are unique, and the attacker uses these patterns to get into the
network.

Anomaly-Based Detection
The anomaly-based detection process depends on observing and comparing the observed
events with the normal behavior and then detecting the deviation from it. The comparison
provides an understanding of significant deviations in the events. The normal activity of an
event depends on factors such as users, hosts, network connections and/or applications. These
factors are considered only after examining a particular activity for a period of time.

The normal behavior of traffic is based on various behavioral attributes, for example normal
email activity, a reasonable number of failed attempts, and processor usage. Any activity that
does not match normal behavior can be treated as an attack. For example, numerous emails
coming from a single sender or a high number of failed login attempts can indicate suspicious
behavior. Unlike signature-based detection, anomaly-based detection can detect previously
unknown attacks.

Stateful Protocol Analysis

Network communication uses various types of protocols to exchange information on different
layers. These protocols define the accepted behavior. A Stateful Protocol Analysis based IDS
detects suspicious activity by analyzing the deviation of specific protocol traffic from its
normal behavior. With this analysis, an IDS can analyze the network, transport and application
layer protocols and traffic against their normal behavior.

There are certain IDSs that can specify the suitable activities for each class of users in
accordance with the authenticator information.


Anomaly and Misuse Detection Systems

Figure: Misuse Detection System (auditing modules feeding a detection module, profiles and an
inference engine) and Anomaly Detection System (a detection module with profiles and an
anomaly detection engine), both monitoring the target systems.

Anomaly detection system

An anomaly detection system involves detecting intrusions on the network. It uses algorithms
to detect discrepancies occurring in a network or system. It categorizes an event as either
normal or anomalous. Anomaly intrusion detection is a two-step process: the first step involves
gathering information on how data flows, and the second step is working on that data flow in
real time, detecting whether the data is normal or not. By implementing this process, anomaly
intrusion detection protects the target systems and networks that can prove vulnerable to
malicious activities. You can detect anomalies in the system through artificial intelligence,
neural networks, data mining, statistical methods, etc.

• Advantages:

• It detects and identifies probes in network hardware, providing early warnings about
attacks.
• It has the ability to detect a wide range of attacks in the network.

• Disadvantages:

• If a legitimate network behavior is not part of the designed model, the system will
detect it as anomalous. This increases the number of false positive alerts in the
system.
• Network traffic varies and deployment of the same model throughout can lead to a
failure in detecting known attacks.


Misuse detection system

In a misuse detection system, the abnormal behavior is defined first and then the normal
behavior. A misuse detection system has a static approach to detecting attacks and works
differently from the anomaly detection system. It has a low rate of false positives, as the rules
are pre-defined. Misuse detection systems use methods like rule-based languages, state
transition analysis, expert systems, etc.

• Advantages:

• More accurate detection than an anomaly detection system.
• Has fewer false alarms.

• Disadvantage:

• Unable to detect new attacks due to pre-defined rules.


An IDS is categorized based on how it reacts to a potential intrusion. It functions in one of two
modes, active or passive, based on the behavior after an attack.

• Active IDS: Detects and responds to detected intrusions
• Passive IDS: Only detects intrusions

Figure: Passive IDS mode (the IDS listens and detects on traffic passing the firewall) and
Active IDS mode (the IDS listens, detects and actively responds).

Behavior-based intrusion detection techniques assume an intrusion can be detected by
observing a deviation from the normal or expected behavior of the system or users. The model
of normal or valid behavior is extracted from reference information collected by various means.
The intrusion detection system later compares this model with current activity. When a
deviation is observed, an alarm is generated. In terms of behavior, intrusion detection systems
(IDS) are classified into two types: active and passive.

Active IDS
An Active intrusion detection system (IDS) is configured to automatically block suspected
attacks without any intervention from the administrator. This type of IDS has the advantage
of providing real-time corrective action in response to an attack. An active IDS automatically
takes action in response to a detected intrusion. The exact action differs per product and
depends on the severity and type of the attack.

Passive IDS
A Passive intrusion detection system (IDS) is configured only to monitor and analyze network
traffic activity and alert the administrator of any potential vulnerabilities and attacks. This
type of IDS is not capable of performing any protective or corrective functions on its own. It
merely logs the intrusion and notifies an administrator, through email or pop-ups. A system
administrator or someone else will have to respond to the alarm, take appropriate action to
halt the attack and possibly identify the intruder.


An IDS is classified based on the system/network it offers protection to:

• If it protects the network, it is called a Network Intrusion Detection System (NIDS)
• If it protects a host, it is called a Host Intrusion Detection System (HIDS)
• If it protects the network and a host, it is called a Hybrid Intrusion Detection System
(Hybrid IDS)

A hybrid IDS combines the advantages of both the low false-positive rate of a NIDS and the
anomaly-based detection of a HIDS to detect unknown attacks.

Figure: a NIDS placed between the untrusted network and the internal network, with a HIDS
on each internal host; in the hybrid IDS, misuse detection handles known attacks while
anomaly detection flags novel attacks from unknown features.

An IDS can be classified based on the device or network to which it offers protection. There are
mainly three types of IDS technologies under this category, which include Network Intrusion
Detection Systems (NIDS), Host Intrusion Detection Systems (HIDS) and Hybrid Intrusion
Detection Systems (Hybrid IDS).

Network Intrusion Detection System (NIDS)

A NIDS is used to observe the traffic for any specific segment or device and recognize the
occurrence of any suspicious activity in the network and application protocols. The NIDS is
typically placed at boundaries between networks, behind network perimeter firewalls, routers,
VPN and remote access servers, and wireless networks.

Host Intrusion Detection Systems (HIDS)

A HIDS is installed on a specific host and is used to monitor, detect and analyze events occurring
on that host. It monitors activities related to network traffic, logs, processes, applications, and
file access and modification on the host. A HIDS is normally deployed on servers containing very
sensitive information and on publicly accessible servers.

Hybrid Intrusion Detection Systems (Hybrid IDS)

A hybrid IDS is a combination of both HIDS and NIDS. It has its agent installed on almost every
host in the network. It has the ability to work online with encrypted networks and to store data
on a single host.


An IDS is also classified as a Centralized IDS or a Distributed IDS; this classification is based on
the structure of the IDS.

• In a centralized IDS, all data is shipped to a central location for analysis, independent of the
number of hosts which are monitored
• In a distributed IDS, several IDS are deployed over a large network and each IDS
communicates with the others for traffic analysis

Figure: Centralized Control (sensors reporting to a single IDS console) versus Fully Distributed
(Agent-based) Control.


Depending on the structure, traditional IDSs can be categorized into two types:

Distributed structure of an IDS

A Distributed Intrusion Detection System (dIDS) consists of multiple intrusion detection systems
(IDS) over a large network. These systems communicate with each other, or with a central
server that facilitates advanced network monitoring, incident analysis, and instant attack
data. By having these cooperative agents distributed across a network, network operators can
get a broader view of what is occurring on their network as a whole.

A dIDS also allows a company to efficiently manage its incident analysis resources by
centralizing its attack records and by giving the analyst a way to spot new trends and patterns
and identify threats to the network across multiple network segments.

Centralized structure of IDS

In a centralized system, the data is gathered from different sites to a central site, where a
central coordinator analyzes the data to check for the different intrusions. This type of IDS is
designed for centralized systems. In a centralized IDS, data analysis is performed in a fixed
number of locations, independent of how many hosts are being monitored. As a result, the
centralized structure of an IDS can suffer in a high-speed network.


Analysis Timing based IDS

Analysis Time is the span of time elapsed between the events occurring and the analysis of
those events.

An IDS is categorized by the Analysis Time as:

Interval-Based IDS
• The information about an intrusion detection does not flow continuously from monitoring
points to analysis engines; it is simply stored and forwarded
• It performs analysis of the detected intrusion offline

Real-Time based IDS
• The information about an intrusion detection flows continuously from monitoring points to
analysis engines
• It performs analysis of the detected intrusion on the fly

Analysis timing refers to the elapsed time between the occurrence of events and the analysis of
those events. Based on analysis timing, an IDS can be classified into two distinct types: Interval-
Based IDS and Real-Time based IDS.

Interval-Based IDS
Interval-based or offline analysis refers to the storage of the intrusion-related information for
further analysis. This type of IDS checks the status and content of log files at predefined
intervals. The information flow from monitoring points to the analysis engine is not continuous.
Information is handled in a fashion similar to "store and forward" communication schemes.
Interval-based IDSs are prohibited from performing active responses. Batch mode was common
in early IDS implementations because their capabilities did not support real-time data
acquisition and analysis.

Real-Time based IDS

Real-Time based IDSs are designed for on-the-fly processing and are the most common approach
for a network-based IDS. They operate on a continuous information feed. A Real-Time based IDS
gathers and monitors information from network traffic streams regularly. Detection performed
by this type of IDS yields results quickly enough to allow the IDS to take action affecting the
progress of the detected attack. The IDS can conduct online verification of the events with the
help of on-the-fly processing, and respond to them simultaneously. An IDS using this type of
processing requires more RAM and a large hard drive because of the high data storage required
to trace all of the network packets online.


Source Data Analysis based IDS

An IDS is classified based on the type of data source used for detecting intrusions. An IDS uses
data sources such as audit trails and network packets to detect intrusions.

Intrusion detection using audit trails
• Audit trails help the IDS detect performance problems, security violations and flaws in
applications

Intrusion detection using network packets
• Capturing and analyzing network packets helps an IDS detect well-known attacks

Depending on the data source, intrusion detection can be categorized into two types:
intrusion detection using audit trails and intrusion detection using network packets.

Intrusion detection using audit trails:

An audit trail is a set of records that provides documentary evidence of a system's activity,
covering both the system and application processes and the user activity on systems and
applications. Audit trails help the IDS in detecting performance problems, security violations,
and flaws in applications. Administrators should avoid storing audit trail reports in a single
file, to prevent intruders from accessing the audit reports and making changes.

• Audit systems are used to:

• Watch file access
• Monitor system calls
• Record commands run by users
• Record security events
• Search for events
• Run summary reports

• The reasons for performing audit trails are as follows:

• Identifying the signs of an attack using event analysis.
• Identifying recurring intrusion events.
• Identifying system vulnerabilities.
• To develop access and user signatures.
• To define network traffic rules for anomaly detection-based IDSs.
• Provides a form of defense for a basic user against intrusions.


Intrusion detection using network packets:

A network packet is a unit of data transmitted over a network for communication. It contains
control information in a header and user data. The header of the packet contains the addresses
of the packet's source and destination, and the payload is the body of the packet storing the
original content. Both the header and the payload of a packet can contain malicious content
sent by attackers. Capturing these packets before they reach their final destination is an
efficient way to detect such attacks.


• An administrator should plan for a staged IDS deployment in their network
• A staged deployment will help the administrator gain experience and discover how much
monitoring and maintenance of network resources is actually required
• The monitoring and maintenance of network resources varies depending on the size of an
organization's network

Before effectively deploying an IDS, administrators have to understand their network
infrastructure and organizational security policies. The organization should consider a staged
deployment of an IDS. The initial deployment of an IDS requires high maintenance; only then
can the organization think of implementing an IDS at the next stage. The staged deployment
helps the organization discover exactly where they need the IDS to provide security.
Implementing an IDS across the organization's network is advisable when they are able to
handle the IDS alerts from different sensors placed at various places. The staged deployment
provides administrators enough time to think and get used to the new technology. This staged
approach is beneficial to those evaluating and investigating IDS alerts and IDS logs.


Deploying Network-based IDS

• An effective deployment of NIDS requires a lot of attention concerning the network topology
of the organization
• An administrator is required to consider IDS deployment options and all the
advantages/disadvantages associated with each location
• Consider all possible options when placing a network-based IDS

Deploying Network-based IDS (Cont'd)

Location 1: Place an IDS sensor behind each external firewall and in the network DMZ
Advantages:
• Monitors attacks originating from the outside world
• Highlights the inability of the firewall and its policies to defend against attacks
• It can see attacks which target the web or FTP servers located in the DMZ
• Monitors outgoing traffic resulting from a compromised server

Location 2: Place an IDS sensor outside an external firewall
Advantages:
• Ability to identify the number and types of attack originating from the Internet to the network

Location 3: Place an IDS sensor on major network backbones
Advantages:
• Monitors and inspects large amounts of traffic, increasing the chance for attack detection
• Detects unauthorized attempts from outside the organization

Location 4: Place an IDS sensor on critical subnets
Advantages:
• Detects attacks on critical systems and resources
• Focuses on specific critical systems and resources


Deploying Network-based IDS (Cont'd)

Figure: NIDS sensor locations in a network, showing the Internet, the firewall, the network
backbones and the critical subnets, with a numbered sensor location at each.

As a NIDS protects multiple hosts from a single location, the administrator can also consider
customizing the NIDS to provide security for the entire network. The administrator should
consider deploying an IDS management console before adding its sensors.

Administrators need to incrementally deploy IDS sensors throughout the network.
Administrators must consider various factors such as the difference in traffic, logging, reporting,
and alerts received when they deploy a new sensor for an IDS.

Different options for the deployment of sensors in the network include:

• Location 1: The sensor is placed outside the organizational network and perimeter
firewall. The sensor placed at this location can detect inbound attacks. They are also
configured to detect outbound attacks. The sensors are configured to detect the least
sensitive attacks to avoid false alarms. These sensors are configured to only log the attack
attempts, instead of sending alerts out for them.
• Location 2: This location is ideal for securing the perimeter network as well as identifying
those attacks that bypass the external firewall. The NIDS sensor secures web, FTP and
other servers located on the perimeter of the network. The NIDS sensors detect attacks
with low to moderate impact in order to avoid the chances of generating false alarms. The
sensors placed here also have the ability to monitor for outbound attacks.

• Location 3: The sensor placed at this location is used to secure the internal network of the
organization. It detects the attack that bypasses the internal firewall. Sensors at this
location are capable of detecting both inbound and outbound attacks. These sensors are
configured to detect medium to high impact level attacks.

• Location 4: The sensors at this location are used to protect sensitive hosts in the network.
It may include critical servers. These sensors are capable of detecting both inbound and
outbound attacks. These sensors are configured to detect high impact level attacks.


Deploying a Host-based IDS

• Deploying a host-based IDS provides an additional layer of security
• This type of IDS must be installed and configured on each critical system in the network
• Administrators must consider installing a host-based IDS on every host in the organization
• When deploying a host-based IDS, it is recommended that it has centralized management
and reporting functions. This reduces the complexity of managing alerts from a large number
of hosts

Host-based IDS deployment is done with a proper plan and care, as deploying this type of IDS
in a large-scale environment has the potential to generate numerous false alarms. It is quite
difficult to manage such a huge number of false alarms. Initial deployment of a HIDS is done on
critical servers only. Administrators must consider implementing an IDS management console
before adding additional hosts.

If an administrator comfortably manages the HIDS on critical servers at the initial stage, then
and only then can they consider deploying the HIDS on all remaining hosts in the network. This
allows an administrator to provide security at the individual host level. However, deploying
HIDS on every host on the network is quite expensive and requires additional software and
maintenance, especially in the case of a wide-scale HIDS deployment.


Types of IDS Alerts

True Positive (Attack - Alert)
An IDS raises an alarm when a legitimate attack occurs

False Positive (No Attack - Alert)
An IDS raises an alarm when no attack has taken place

False Negative (Attack - No Alert)
An IDS does not raise an alarm when a legitimate attack has taken place

True Negative (No Attack - No Alert)
An IDS does not raise an alarm when an attack has not taken place

An IDS generates four types of alerts which include: True Positive, False Positive, False Negative
and True Negative.

True Positive (Attack - Alert)


A true positive is a condition occurring when an event triggers an alarm and causes the IDS to
react as if a real attack is in progress. The event may be an actual attack, in which case an
attacker is actually making an attempt to compromise the network, or it may be a drill, in which
case security personnel are using hacker tools to conduct tests of a network segment.

False Positive (No attack - Alert)


A false positive occurs if an event triggers an alarm when no actual attack is in progress. A false
positive occurs when an IDS treats normal system activity as an attack. False positives tend to
make users insensitive to alarms and reduce their reactions to actual intrusion events. While
testing the configuration of an IDS, administrators use false positives to determine if the IDS can
distinguish between false positives and real attacks or not.

False Negative (Attack - No Alert)


A false negative is a condition occurring when an IDS fails to react to an actual attack event.
This is the most dangerous failure, since the purpose of an IDS is to detect and respond to
attacks.


True Negative (No attack - No Alert)


A true negative is a condition occurring when an IDS identifies an activity as acceptable
behavior and the activity is actually acceptable. A true negative is successfully ignoring
acceptable behavior. It is not harmful as the IDS is performing as expected.
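As an added example (not EC-Council's code) tying the signature-based and anomaly-based detection approaches described earlier to the four alert types above, the following Python script runs both detectors over a constructed audit-trail stream, unions their alerts as a hybrid IDS would, and scores every verdict as a true/false positive/negative against known ground truth. The event kinds, hostnames, the training counts and the k = 3 threshold are assumptions made for the example.

```python
"""Added example (not EC-Council's own code): a toy IDS that applies signature
(misuse) detection and statistical anomaly detection to a constructed audit-trail
event stream, then scores each verdict as TP / FP / FN / TN."""
from collections import Counter
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    """One audit-trail record. Constructed sample data, not a real log format."""
    ts: int          # seconds since the start of the observation window
    host: str
    kind: str        # "telnet_login", "os_audit", "failed_logon" or "http"
    detail: str      # username, status code, URL ...
    is_attack: bool  # ground truth, used only to score the IDS afterwards


# Signature database: (name, predicate) pairs. The two rules mirror the module's
# own examples (telnet as root; OS audit status code 645 = auditing disabled).
SIGNATURES = [
    ("telnet-root-login", lambda e: e.kind == "telnet_login" and e.detail == "root"),
    ("audit-disabled-645", lambda e: e.kind == "os_audit" and e.detail == "645"),
]


def signature_detect(events):
    """Misuse detection: compare every event against the signature list.
    Returns {event: signature_name} for each event that matched a signature."""
    hits = {}
    for e in events:
        for name, matches in SIGNATURES:
            if matches(e):
                hits[e] = name
                break
    return hits


def build_baseline(training_counts):
    """Anomaly detection, step 1: learn the normal failed-logon volume per
    interval from a quiet training period. Returns (mean, population stdev)."""
    return statistics.mean(training_counts), statistics.pstdev(training_counts)


def anomaly_detect(events, baseline, interval=60, k=3.0):
    """Anomaly detection, step 2: count failed logons per interval and flag every
    interval whose count exceeds mean + k*stdev. Returns the set of flagged events."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    per_interval = Counter(e.ts // interval for e in events if e.kind == "failed_logon")
    hot = {i for i, n in per_interval.items() if n > threshold}
    return {e for e in events if e.kind == "failed_logon" and e.ts // interval in hot}


def score(events, alerted):
    """Classify each verdict using the four alert types from this module."""
    counts = Counter()
    for e in events:
        alert = e in alerted
        if alert and e.is_attack:
            counts["true_positive"] += 1
        elif alert:
            counts["false_positive"] += 1
        elif e.is_attack:
            counts["false_negative"] += 1
        else:
            counts["true_negative"] += 1
    return counts


def sample_events():
    """Constructed event stream: benign traffic, two signature hits, a brute-force
    burst, an attack no signature covers, and a benign burst (a locked-out user)."""
    evs = [Event(m * 60 + 5, "ws1", "failed_logon", "alice", False) for m in range(3)]
    evs += [Event(70, "srv1", "telnet_login", "alice", False),
            Event(80, "srv1", "http", "/index.html", False),
            Event(130, "srv1", "telnet_login", "root", True),    # signature hit
            Event(140, "srv1", "os_audit", "645", True)]         # signature hit
    evs += [Event(180 + i, "srv2", "failed_logon", "bob", True) for i in range(12)]
    evs.append(Event(270, "srv2", "telnet_login", "admin", True))  # no signature: missed
    evs += [Event(250 + i, "ws3", "failed_logon", "carol", False) for i in range(7)]
    return evs


def run(events, training_counts=(1, 2, 1, 2, 1, 2, 1, 2)):
    """Run both detectors, union their alerts (as a hybrid IDS would), and score."""
    hits = signature_detect(events)
    flagged = anomaly_detect(events, build_baseline(training_counts))
    return hits, flagged, score(events, set(hits) | flagged)


if __name__ == "__main__":
    hits, flagged, counts = run(sample_events())
    for e, name in hits.items():
        print(f"signature {name}: {e.host} {e.kind}={e.detail}")
    print(f"anomaly: {len(flagged)} failed logons in bursty intervals")
    print(dict(counts))
```

The locked-out user's burst shows how an anomaly detector produces false positives, while the uncovered telnet login shows how a signature detector produces false negatives.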


A false positive diminishes the value and urgency of real alerts when they are raised for
legitimate attacks. It can easily drown out legitimate IDS alerts.

Several sources are responsible for the occurrence of a false positive alarm:

• False positives based on reactionary traffic
• False positives based on protocol violations
• False positives based on non-malicious traffic
• False positives based on network equipment
• False positives based on IDS software bugs

In a false positive alarm an IDS raises an alarm on a non-malicious event. Because false positive
alarms are triggered by unjustified alerts, they cause confusion in the organization. They nullify
the urgency and the value of the real alerts, leading to the actual alarm situation being ignored.

• Causes of a False positive alarm:

1. A network traffic false alarm: A network traffic false alarm triggers when a non-malicious
traffic event occurs. A good example of this would be an IDS triggering an alarm when packets
do not reach the destination due to a network device failure.
2. A network device alarm: An IDS triggers a network device alarm when a device generates
unknown or odd packets, e.g. a load balancer.
3. An alarm caused by an incorrect software script: If poorly written software generates odd or
unknown packets, an IDS will trigger a false positive alarm.
4. Alarms caused by an IDS bug: A software bug in an IDS will raise an alarm for no reason.

• Reducing false positive alarms:

To reduce false positive alarms it is important to understand the weaknesses of the device.
Implementing effective countermeasures can help reduce the occurrence of false positive
alarms.
1. Differentiating Alerts: Administrators distinguish the important, high-priority alerts from
the less important ones. One of the methods used is to verify the alerts against an alert
triggered earlier. For example, a specific signature triggering an alert at regular intervals
can be termed an important alert. For future reference, the administrator can maintain logs of
these alerts. They can also classify the alerts based on their behavior; for instance,
classification is done based on normal behavior, intrusion behavior and suspicious behavior
occurring in the network.
2. Aggregating the Alerts: A single intrusion can create multiple alerts with generic features.
Aggregating the alerts helps to reduce the alert volume belonging to the same attack. These
aggregators create sub-aggregators which simplify the process of alert aggregation.
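The aggregation step described above, as an added example that is not part of the courseware: alerts sharing a signature ID and attacker address within a time window are collapsed into one aggregate. The log format (timestamp, signature ID, attacker, victim) and the alert lines are constructed for this example.

```python
"""Aggregate IDS alerts that belong to the same attack to reduce the alert volume.

Added example, not courseware code. The log lines below are constructed in an
assumed 'timestamp signature_id attacker_ip victim_ip' format.
"""
from datetime import datetime, timedelta

# Constructed alert log: one scanner (192.0.2.10) trips signature 2100 against
# several victims in a few seconds, then again two minutes later.
CONSTRUCTED_ALERTS = """\
2024-01-15T10:00:01 2100 192.0.2.10 10.20.0.5
2024-01-15T10:00:02 2100 192.0.2.10 10.20.0.6
2024-01-15T10:00:03 2100 192.0.2.10 10.20.0.7
2024-01-15T10:00:09 2100 192.0.2.10 10.20.0.8
2024-01-15T10:00:10 3050 198.51.100.7 10.20.0.5
2024-01-15T10:02:00 2100 192.0.2.10 10.20.0.9
"""


def parse_alerts(text):
    """Parse the constructed log format into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, attacker, victim = line.split()
        alerts.append({"time": datetime.fromisoformat(ts), "sig": int(sig),
                       "attacker": attacker, "victim": victim})
    return alerts


def aggregate_alerts(alerts, window=timedelta(seconds=60)):
    """Group alerts with the same (signature, attacker) that fall within `window`
    of the group's first alert. Returns one aggregate dict per group, in order of
    first occurrence; a later burst beyond the window starts a new aggregate."""
    groups = []
    open_groups = {}  # (sig, attacker) -> index of the group still accepting alerts
    for a in sorted(alerts, key=lambda x: x["time"]):
        key = (a["sig"], a["attacker"])
        idx = open_groups.get(key)
        if idx is not None and a["time"] - groups[idx]["first"] <= window:
            g = groups[idx]
            g["last"] = a["time"]
            g["count"] += 1
            g["victims"].add(a["victim"])
        else:
            groups.append({"sig": a["sig"], "attacker": a["attacker"],
                           "first": a["time"], "last": a["time"],
                           "count": 1, "victims": {a["victim"]}})
            open_groups[key] = len(groups) - 1
    return groups


def volume_reduction(alerts, groups):
    """Return (raw alert count, aggregated alert count) for reporting."""
    return len(alerts), len(groups)


if __name__ == "__main__":
    raw = parse_alerts(CONSTRUCTED_ALERTS)
    agg = aggregate_alerts(raw)
    for g in agg:
        print(f"sig {g['sig']} from {g['attacker']}: {g['count']} alerts, "
              f"{len(g['victims'])} victims, {g['first']:%H:%M:%S}-{g['last']:%H:%M:%S}")
    print("raw -> aggregated:", volume_reduction(raw, agg))
```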


What Should Be the Acceptable Level of False Alarms

An IDS with no customization will raise false alarms 90% of the time depending on the network
traffic and the IDS deployment

Administrators fine tune their IDS to lower the false alarm rate to around 60% or even less

Minimizing false positive alarms depends heavily upon the level of tuning an IDS receives and
the nature of the traffic on a network

If the number of intrusions in a network is low compared to the network usage, the rate of
false alarms will be high. It is important to keep the false positive rate as low as possible. At
times an IDS will ignore half of the network traffic, so tuning is not the only option. An
effective implementation of an IDS inspects both the incoming and outgoing traffic for
anomalies. Based on the organization's network tolerance towards false positives,
administrators can set up a threshold level for the IDS.
The amount of false alarms depends on two phases:

1. The detection phase: To bring false alarms down to acceptable levels, administrators
enhance the configuration of the IDS and change the detection approach methods. The
higher the detection rate and accuracy, the lower the amount of false alarms will be.
Techniques like data mining and data clustering reduce the amount of false alarms.

2. The alert processing phase: Alert processing studies the cause of false alarms, recognizes
the high volume and uses case scenarios to subsequently provide a coherent response to
the alarm. Alert processing techniques like statistical filtering and fuzzy alert aggregation
help identify the sequences that produce false alarms, filter them and later discard them
from the system.

Based on the organization's network tolerance, administrators can reduce false alarms by
raising the threshold level of the IDS. The threshold level depends on two statistics called the
sensitivity and specificity of the IDS. Sensitivity reflects how reliably the IDS detects
legitimate attacks, while specificity reflects how accurately it classifies activity that is not
an attack.


Calculating False Positive and False Negative Rates

False Positive Rate = False Positive / (False Positive + True Negative)

False Negative Rate = False Negative / (False Negative + True Positive)

The false positive and false negative rates for a specific IDS are calculated with these
formulas. They give the rate of each for your IDS solution, and fine tuning the IDS reduces
both of these rates.

False Positive Rate

• False Positive rate = False Positive / (False Positive + True Negative).

False Negative Rate

• False Negative rate = False Negative / (False Negative + True Positive).
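The two formulas above, together with the sensitivity and specificity statistics and the threshold trade-off from the previous page, worked through as an added example (not courseware code). The event list is constructed: each event carries an anomaly score the IDS is assumed to have assigned and whether it really was an attack; an alert is raised when the score reaches the threshold.

```python
"""Tally IDS outcomes and compute FPR, FNR, sensitivity and specificity.

Added example, not courseware code. SAMPLE_EVENTS and the 0-100 anomaly scores
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertCounts:
    tp: int  # attack, alert raised
    fp: int  # no attack, alert raised
    fn: int  # attack, no alert
    tn: int  # no attack, no alert


def count_alerts(events, threshold):
    """Classify every (score, is_attack) event for a given alert threshold."""
    tp = fp = fn = tn = 0
    for score, is_attack in events:
        alerted = score >= threshold
        if alerted and is_attack:
            tp += 1
        elif alerted:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return AlertCounts(tp, fp, fn, tn)


def _ratio(num, den):
    # A zero denominator means that class never occurred; report 0.0 instead of crashing.
    return num / den if den else 0.0


def false_positive_rate(c):
    """Courseware formula: FP / (FP + TN)."""
    return _ratio(c.fp, c.fp + c.tn)


def false_negative_rate(c):
    """Courseware formula: FN / (FN + TP)."""
    return _ratio(c.fn, c.fn + c.tp)


def sensitivity(c):
    """Share of real attacks that raised an alert: TP / (TP + FN), i.e. 1 - FNR."""
    return _ratio(c.tp, c.tp + c.fn)


def specificity(c):
    """Share of benign activity left alone: TN / (TN + FP), i.e. 1 - FPR."""
    return _ratio(c.tn, c.tn + c.fp)


def threshold_sweep(events, thresholds):
    """Map each threshold to (FPR, FNR): raising the threshold lowers false alarms
    but raises missed attacks, which is the trade-off the tuning decision is about."""
    result = {}
    for t in thresholds:
        c = count_alerts(events, t)
        result[t] = (false_positive_rate(c), false_negative_rate(c))
    return result


# Constructed sample: (anomaly score, is_attack). 5 real attacks, 10 benign events.
SAMPLE_EVENTS = [
    (95, True), (88, True), (72, True), (64, True), (41, True),
    (83, False), (66, False), (55, False), (37, False), (22, False),
    (18, False), (9, False), (4, False), (61, False), (30, False),
]

if __name__ == "__main__":
    for t, (fpr, fnr) in threshold_sweep(SAMPLE_EVENTS, [50, 70, 90]).items():
        c = count_alerts(SAMPLE_EVENTS, t)
        print(f"threshold {t:3d}: TP={c.tp} FP={c.fp} FN={c.fn} TN={c.tn} "
              f"FPR={fpr:.2f} FNR={fnr:.2f} "
              f"sens={sensitivity(c):.2f} spec={specificity(c):.2f}")
```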


Dealing with a False Negative

Generating false negatives is more dangerous to an organization than false positives

An administrator must reduce false negatives without increasing the number of false positives

The sources responsible for the occurrences of false negative alarms are:

• Network design issues
• Encrypted traffic design flaws
• Lack of inter-departmental communication
• Improperly written signatures
• Unpublicized attack
• Poor NIDS device management
• NIDS design flaw

To reduce the rate of false negative alarms, use these three items:

• Proper network design, management and maintenance
• Properly writing and updating the IDS database with the latest attack signatures
• Effective and strong inter-departmental communication

A false negative is a more complex issue than a false positive. In a false negative, the intrusion
detection system does not detect legitimate attacks on the network.
Some of the causes behind generating false negative alarms are:

• Network setup issue: Network flaws involving improper port spanning on switches and
network traffic imbalance. Failure of NIDS devices to detect incoming and outgoing
network traffic due to multiple entry points is one of the causes of a false negative alert.
Improper configuration of an IDS will also raise a false negative alert.

• Encrypted Traffic design flaws: An IDS is not capable of detecting intrusions encapsulated
in encrypted traffic, since it is not possible to match encrypted traffic to signatures. It is
advisable to place an IDS behind a VPN termination with SSL encryption.

• Misleading signatures: If the signatures are not correctly written they can mislead when
determining attacks. Vendors cannot create signatures for attacks of which they are not
aware. Occasionally even the tools are incapable of determining the legitimate signatures.

Dealing with False Negative alarms:

To reduce false negative alerts, it is important to understand them and the implementation
issues of the device. The effective ways to deal with false negative alerts are listed below:

• Appropriate Network Design: The primary requirement for minimizing false negative
alerts is to set up a proper network design. The network design should be parallel to the
security policies of the organization.

• Proper placement of an IDS: The proper placement of an IDS is behind the firewall. This
will raise alerts against port scans, automated scans and denial of service attacks. The
IDS should also be configured to detect illegitimate signatures.

• Network Analysis: Active network analysis and monitoring will minimize false negative
alerts. For this, administrators can utilize various network analysis tools or utilities. The
IDS should also be configured to nullify false negative alerts from triggering the rules set
on it.

• Inclusion of additional data: False alerts can be reduced by including additional data
about the network in the security event. The additional information includes information
about the organization's assets, users, networks and network device sources. Inclusion of
this additional data can be through automated or manual processes.


Excluding False Positive Alerts using Cisco Secure IPS

Exclude signatures from or to a specific host or network address from generating false alarms.
An IPS will not generate an alarm or log records when an excluded signature triggers.

Steps to exclude a specific host (source IP address) from generating a specific signature alarm:

1. Go to Configuration ➔ Corp-IPS ➔ Policies ➔ Event Action Rules ➔ rules0, click the Event
Action Filters tab and click Add
2. Type the filter name, signature ID, attacker's IPv4 address, and action to subtract in the
appropriate fields, and then click OK
[Figure: the Add Event Action Filter dialog. Name: Excluded Host; Enabled: Yes; Signature
ID: 2100; Subsignature ID; Attacker IPv4 Address: the excluded host; Attacker Port: 0-65535;
Victim IPv4 Address: 0.0.0.0-255.255.255.255; Victim Port: 0-65535; Risk Rating: 0-100;
Actions to Subtract: Alert. Source: http://www.cisco.com]

Excluding False Positive Alerts using Cisco Secure IPS (Cont'd)

Steps to exclude a network from generating a specific signature alarm:

1. Go to the Event Action Filters tab and click Add
2. Type the filter name, signature ID, network address with subnet mask, and action to
subtract in the appropriate fields, and then click OK

[Figure: the Add Event Action Filter dialog. Name: Excluded Network; Enabled: Yes; Signature
ID: 2100; Subsignature ID: 0-255; Attacker IPv4 Address: 10.10.10.0 with mask 255.255.255.0;
Attacker Port: 0-65535; Victim IPv4 Address: 0.0.0.0-255.255.255.255; Victim Port: 0-65535;
Risk Rating: 0-100. Source: http://www.cisco.com]


Cisco Secure IPS provides the capability to exclude a specific signature from or to a specific host
or network address. Excluded signatures do not generate alarm icons or log records when they
are triggered from the hosts or networks that are specifically excluded through this mechanism.
For example, a network management station might perform network discovery by running ping
sweeps, which trigger the ICMP Network Sweep with Echo signature (signature ID 2100). If you
exclude the signature, you do not have to analyze the alarm and delete it every time the
network discovery process runs.
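How such an event action filter is evaluated, as an added example that is not Cisco's code: a filter matches an alert on signature ID, attacker and victim address ranges, port ranges and risk rating (the fields of the dialog), and subtracts its listed actions from the matching alert only. Signature 2100 and the excluded network 10.10.10.0/255.255.255.0 are the courseware's values; the management station address 10.10.10.14, the external address 198.51.100.7 and the "alert"/"log" action names are constructed for the example.

```python
"""Minimal model of an IPS event action filter (not Cisco's implementation).

Added example. Address values other than the 10.10.10.0/24 network and
signature 2100 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

ANY_NETWORK = ipaddress.IPv4Network("0.0.0.0/0")  # 0.0.0.0-255.255.255.255
ANY_PORT = (0, 65535)
ANY_RISK = (0, 100)


@dataclass(frozen=True)
class Alert:
    signature_id: int
    attacker_ip: str
    victim_ip: str
    attacker_port: int = 0
    victim_port: int = 0
    risk_rating: int = 50
    actions: frozenset = frozenset({"alert", "log"})  # constructed action names


@dataclass(frozen=True)
class EventActionFilter:
    name: str
    signature_id: int
    attacker_network: ipaddress.IPv4Network  # a single host is a /32
    actions_to_subtract: frozenset
    enabled: bool = True
    victim_network: ipaddress.IPv4Network = ANY_NETWORK
    attacker_ports: tuple = ANY_PORT
    victim_ports: tuple = ANY_PORT
    risk_rating: tuple = ANY_RISK


def make_filter(name, signature_id, attacker, actions_to_subtract, enabled=True):
    """Build a filter from the dialog's string fields; `attacker` is a host
    ('10.10.10.14') or a network with mask ('10.10.10.0/255.255.255.0')."""
    return EventActionFilter(name, signature_id,
                             ipaddress.IPv4Network(attacker, strict=False),
                             frozenset(actions_to_subtract), enabled)


def _within(value, bounds):
    low, high = bounds
    return low <= value <= high


def filter_matches(f, alert):
    """True only when every field of the filter covers the alert."""
    if not f.enabled or f.signature_id != alert.signature_id:
        return False
    return (ipaddress.IPv4Address(alert.attacker_ip) in f.attacker_network
            and ipaddress.IPv4Address(alert.victim_ip) in f.victim_network
            and _within(alert.attacker_port, f.attacker_ports)
            and _within(alert.victim_port, f.victim_ports)
            and _within(alert.risk_rating, f.risk_rating))


def apply_filters(filters, alert):
    """Return the actions left after each matching filter subtracts its own.
    An empty set means the event is fully suppressed; an alert no filter
    matches (other signature, other source) keeps every action."""
    remaining = set(alert.actions)
    for f in filters:
        if filter_matches(f, alert):
            remaining -= f.actions_to_subtract
    return frozenset(remaining)


# The two filters the slides configure; both subtract alarm and log records.
EXCLUDED_HOST = make_filter("Excluded Host", 2100, "10.10.10.14", {"alert", "log"})
EXCLUDED_NETWORK = make_filter("Excluded Network", 2100,
                               "10.10.10.0/255.255.255.0", {"alert", "log"})

if __name__ == "__main__":
    for a in (Alert(2100, "10.10.10.14", "10.20.0.5"),   # management station sweep
              Alert(2100, "198.51.100.7", "10.20.0.5"),  # same signature, outside host
              Alert(2101, "10.10.10.14", "10.20.0.5")):  # other signature, same host
        print(a.signature_id, a.attacker_ip, "->",
              sorted(apply_filters([EXCLUDED_HOST, EXCLUDED_NETWORK], a)) or "suppressed")
```

Note that the filter is keyed to the signature and source: sweeps from any other address, or any other signature from the excluded host, still raise their full set of actions, which is why an exclusion should be as narrow as the known benign source.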

Source: http://www.cisco.com


• Run continuously with less human intervention
• Must be fault tolerant
• Resist subversion
• Minimal overhead on the system
• Observe deviations from normal behavior
• Not easily deceived
• Tailored to specific system needs
• Copes with dynamic system behavior

An ideal IDS should have the following characteristics:

• Organizations should have an IDS that can run without or with minimal human
intervention. The configuration of the system monitors and detects all suspicious activities
on the host system. However, administrators should have all the privileges in auditing and
monitoring for this to work.

• Even if the host system fails or crashes, the IDS should still function reliably. It is
advisable to configure the IDS so it is fault tolerant and does not require a reconfiguration
or reboot every time the host system fails. It should also be capable of monitoring itself to
avoid any damage.

• An IDS should have the features for halting and blocking attacks. These attacks can occur
from any application or software. This also involves alerting the administrator through
online, mobile or email notification. The method of notification depends on the
configuration set up by the administrator.

• By having the feature for information gathering, an IDS helps an administrator detect the
type of attack, the source of the attack and the effects the attack caused in the network.
Gathering evidence for a cyber-forensic investigation is one of the required characteristics
of an IDS.

• In large organizations, an IDS is built with a fail-safe feature to help hide itself in the
network. This feature helps create a fake network to attract intruders, as well as to analyze
the possibilities of different types of attacks. It also helps vulnerability analysis of the
network.

• An IDS detects changes in the files of the system or network. The file checker feature in an
IDS notifies the administrator if the intruder made any sort of alteration to the files. An
IDS reports every activity which has occurred on the network, and this aids an
administrator when analyzing vulnerabilities and rectifying them.

• When recursive changes occur in the network, an IDS should be adaptable to these
changes. This also includes adapting different defense mechanisms for every different
system in the network.

• The configuration of an IDS is such that it does not cause overhead in the network or
system.


• Deploying an IDS in a location where it does not see all the network traffic
• Frequently ignoring the alerts generated by the IDS
• Not having the proper response policy and the best possible solutions to deal with an event
• Not fine tuning the IDS for false negatives and false positives
• Not updating the IDS with the latest new signatures from the vendor
• Only monitoring inbound connections

Below are the mistakes, and the workarounds to avoid them, when deploying an IDS in the
network:

• Do not deploy an IDS if the infrastructure planning is not efficient. An improper or
incomplete network infrastructure will not help the functioning of an IDS. If the tuning of
the IDS does not follow the network infrastructure, it has the potential to disable the
network by flooding it with alerts.

• After the deployment of an IDS, the organization sets its level to the highest sensitivity,
enabling the IDS to detect a large number of attacks. However, this also brings a rise in
the number of false positives. An IDS generates a large number of false positive alerts per
day, which could cause the administrator to miss an actual alert. In the long run, ignoring
these alerts can be harmful for network security.

• Detecting an intrusion is not enough. Organizations should also design a response policy
that administrators implement in response to an incident which has occurred. This
response policy should answer the following questions: What is a normal event and what
is a malicious event? What is the response for every event generating an alert? The person
reviewing the alerts should be aware of this action plan.

• An infrastructure which has established a NIDS without IPsec network protocols makes
the network more vulnerable to intrusions. A NIDS listens to all the traffic that it senses
and then compares the legitimacy of the traffic. If it encounters encrypted traffic, it can
only perform packet level analysis as the application layer contents are inaccessible. This
increases the vulnerability of the network.

• Many organizations prefer securing and monitoring only the inbound traffic and ignore
the outbound traffic. It is important to place the IDS sensors throughout the organization.
If the setup is cost effective, the organization should place the sensors near the choke
points on the network. This will help monitor outbound as well as internal host network
traffic.

• Do not deploy IDS sensors on a single NIC or on multiple data links. This will lead to an IDS
sensor sending the data on the same interface on which it is sensing. This leads to
possible attacks as the interface reports all the data to the centralized database. If an
attacker gets access to this infrastructure, they can disable the IDS, preventing further
alerts. The attacker can also intercept the data on the interface and alter it. This issue can
be resolved by connecting the interface to a dedicated monitoring network.


Intrusion prevention systems (IPS) are a combination of systems which detect threats and
prevent their entry into the network

An IPS identifies possible threats, records the threat information, stops the attempt and
reports them to security administrators

The technology uses techniques such as stopping the attack, changing the security
environment and changing the content of the attack

An Intrusion Prevention System (IPS) is a network security technology which has the capability
of detecting an intrusion in the network. In addition, it also has the capability of blocking or
stopping the detected intrusions. Therefore, it is sometimes called an inline firewall. It is
considered an extension of an IDS. The main function of an IPS is to detect, log, attempt to
block, and report malicious activity on the network. It provides a layer of analysis for the
network. It must be configured efficiently; otherwise, deploying an IPS can degrade network
performance. An IPS also uses the same techniques for intrusion detection as an IDS.
The combination of an IDS and an IPS enhances network security by identifying real-time
threats and preventing them.


[Figure: IPS placement. Internet, firewall and IPS sit in line ahead of the network switches
that serve the server and host; the IDS is attached to a network switch and monitors the
traffic out of band.]

Unlike an IDS, IPSs are placed in-line in the communication path between the source and
destination and generally sit directly behind the firewall. An IPS works from inside the firewall
and monitors for internal attacks as well as attacks penetrating the firewall. It will inspect the
network traffic for attacks before the firewall filters the attacks, thereby serving as an early
warning system and alerting when threats are found. An internal IPS configuration takes
more time to investigate, and the IDS reports used to detect the attacks can fail or succeed
since the normal network generates many alerts.

There are major drawbacks with placing an IPS on the outside of the firewall. It results in a
number of false positives, making it difficult to manage and sniff out the real issues. Frame
reassembly is also an issue, since your IPS must be powerful enough to handle the reassembly
of packets before it can inspect them.


• Monitors session rates/packets with respect to normal network profiles
• Recognizes network sniffing attempts
• Decodes and analyzes application layer protocols
• Analyzes each individual packet for its content

An IPS detects as well as actively prevents any detected intrusions and even blocks traffic from
improper IP addresses. An IPS recognizes network-sniffing attempts that try to steal data
packets from the network. It decodes and analyzes application layer protocols.

Major functions of an IPS are:

• Identify malicious activity: Detects malicious activity and notifies by raising an alarm.

• Log information: Creates logs on a regular basis with all the information about the
activities performed on the network.

• Attempts to block/stop and report: Blocks the malicious activity by itself and reports the
activity to the administrator.


• An IPS is designed to detect malicious data packets, stop intrusions and block malicious
traffic automatically prior to any network attacks

• An IPS looks for preconfigured and predetermined attack patterns (signatures), making it
more efficient at combatting nefarious activities than other network appliances

• An IPS can handle CRC errors and unfragmented packet streams, prevents TCP
sequencing issues, and eliminates unwanted elements from the network and transport
layers

• An IPS uses Deep Packet Inspection to monitor the network traffic for potential
intrusions which are seen as normal traffic by a traditional firewall

• The IPS decreases the number of false positives, helping an organization avoid diverting
precious resources to fight false alarms

An IPS performs the same functions as a firewall, but with firewalls most of the rules are to
allow the traffic. In an IPS, most of the rules are to deny the traffic.

Advantages of an IPS
• Quickly blocks known threats.
• Detects, stops and blocks network attacks automatically.
• Decreases false positives and helps organizations avoid diverting their network resources
to fight false alarms.
• Corrects CRC errors, defragments packet streams, resolves TCP sequencing issues, etc.
• Uses deep packet inspection to monitor network traffic for potential intrusions which
usually would be seen as normal traffic by a traditional firewall.
• Looks for preconfigured and predetermined attack patterns (signatures), making it more
efficient than other network appliances at combating nefarious activities.


Intrusion Detection System (IDS)                      | Intrusion Prevention System (IPS)
------------------------------------------------------|------------------------------------------------------
Placed on a network as inactive                       | Placed inline (actively)
Cannot parse encrypted traffic                        | Better at defending applications
Installed on network segments (NIDS) and hosts (HIDS) | Installed on network segments (NIPS) and hosts (HIPS)
Becomes reactive by providing alerts                  | Becomes proactive by blocking
Ideal for identifying hacking attacks                 | Ideal for blocking web destruction

Intrusion Detection System (IDS)

The IDS senses malicious activity on the network and alerts the administrator. Functions of an
IDS are:
• Installed on both a network segment and host systems.
• Monitors network traffic and detects signs of intrusions.
• Alerts the network administrator concerning potential intrusions.
• Issues include false positives and false negatives.
• Requires continuous monitoring and frequent signature updates.
• Uses encrypted traffic to prevent data intrusions.

Intrusion Prevention System (IPS)

The IPS not only senses the malicious activity on the network, but also tries to give a proactive
response to the attack.
• Installed on both a host and network segments.
• Monitors network traffic, detects intrusions and tries to prevent them.
• Automatically takes action to protect the network from the attacks.
• Reduces the urgency of implementing security patches.
• Continuous monitoring is not required.


[Figure: the four IPS types: Network-Based IPS, Wireless IPS, Host-Based IPS and Network
Behavior Analysis (NBA) System.]

Intrusion prevention systems are categorized into four different types:

• Network-based Intrusion Prevention System (NIPS): Monitors network traffic for
suspicious behavior.
• Wireless Intrusion Prevention System (WIPS): Monitors wireless network traffic for
suspicious behavior.
• Network Behavior Analysis (NBA): Monitors traffic deviating from normal traffic.
• Host-based Intrusion Prevention System (HIPS): Monitors events on a host for suspicious
behavior.


Network-Based IPS

A network-based IPS consists of a network intrusion detection system or NIDS which collects
information from the network and an intrusion prevention system or IPS which inspects the
content of all packets moving across the network

They discover unauthorized access to a computer network by analyzing the traffic for signs of
malicious activity

Provides complete network coverage and security protection

Commonly deployed at a boundary between two networks. For example, a boundary between
VPN servers, remote access servers and wireless networks

A network-based IPS is comprised of a network intrusion detection system (NIDS) and an
intrusion prevention system (IPS) that monitors a network and analyzes the network traffic,
packet content and application protocol activity. It helps detect signs of possible incidents on
the network and protects the network from suspicious activities such as viruses, malware,
denial of service (DoS) attacks, and buffer overflows. It detects threats and responds to them by
either stopping them or reporting them. It uses detection software known as an agent to detect
statistical and protocol anomalies by transmitting data to the network server in order to
prevent these types of intrusions. It sends alerts about the attack or the threats to the proper
personnel and helps resolve them before they can corrupt and destroy the network.

As a drawback, it sends alerts for conditions that are not threatening. To avoid these problems,
it needs to be reconfigured by altering or reducing the security control signaling these
conditions as incidents. This can be set based on network administrator policies.


Network-Based IPS: Security Capabilities

A network-based IPS provides security capabilities which are classified into four categories

Information gathering capabilities are limited and include the host network activity along
with:

• The identification of hosts by creating a list in the network in accordance with the IP
address or MAC address
• The identification of the operating systems and versions of all systems on the network,
using a passive fingerprinting technique to uncover user vulnerabilities
• The identification of applications by verifying the ports used and monitoring certain
characteristics of application communications
• The identification of network characteristics such as the number of hops between two
devices, which is useful when detecting changes in the network configuration

Network-Based IPS:
Security Capabilities (Cont'd)

Detection capabilities include the evaluation of:
• Detection accuracy, which ranges between high rates of false positives and false negatives
• Tuning and customization, which is required to improve the detection capability
• Technology limitations, which include:
  o Analysis of encrypted network traffic
  o Handling high traffic loads
  o Preventing an IPS bypass
• Types of events that are detected, which include:
  o Application layer reconnaissance and attacks
  o Transport layer reconnaissance and attacks
  o Network layer reconnaissance and attacks
  o Unexpected application services
  o Policy violations

Logging capabilities include:
• Storing log data for detected events
• Confirming the validity of alerts (false positives and false negatives)
• Investigating incidents
• Correlating events with other logging sources


Network-Based IPS:
Security Capabilities (Cont'd)

Prevention capabilities are grouped according to the sensor type used in the system:
• Passive sensors use session sniping to end the current TCP session; this cannot be used against UDP or ICMP attacks
• Inline sensors:
  o Inline firewalling, offering rejection of suspicious network activity
  o Throttling bandwidth usage, which counters DoS attacks, malware distribution and peer-to-peer file sharing
  o Altering malicious content, used by inline IPS sensors to sanitize part of a packet
• The capabilities for both passive and inline sensors are:
  o Reconfiguring other network security devices
  o Running a third-party program or script


The network-based IPS offers many security-related capabilities including information
gathering, monitoring, logging, detection and prevention of attacks. Some network-based IPS
products also offer security information and event management (SIEM) capabilities.

Information Gathering Capabilities

The network-based IPS has the ability to gather information on certain hosts and their network
activities. Examples of information gathering capabilities are as follows:

• Identifying Hosts: An IPS sensor creates a list of hosts on the organization's network,
  arranged according to IP address or MAC address. The list is used to identify new hosts
  appearing on the network.
• Identifying Operating Systems: Using various techniques, such as passive fingerprinting of
  the TTL and TCP window values a host emits, an IPS sensor identifies the organization's host
  OSs and OS versions.

• Identifying Applications: An IPS sensor identifies the application versions in use by
  monitoring the characteristics of the application communication and tracking the ports
  that are used. It identifies potentially vulnerable applications and unauthorized use of
  applications.
• Identifying Network Characteristics: IPS sensors generally gather network details such as
  the number of hops between two devices, the network traffic, and the configuration of
  network devices and hosts in the network.
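The host, OS and application identification described above can be demonstrated with a small passive inventory built from packet summaries. The following is an added example, not code from the course or from any IPS product: it assumes constructed packet summaries (invented MAC and IP addresses, TTLs and TCP window sizes) and a deliberately tiny fingerprint table keyed on initial TTL and window size, which stands in for the much larger signature databases real sensors use.

```python
"""Passive host, OS and application inventory built from observed packet summaries."""

# Constructed packet summaries as a sensor would record them: source MAC and IP,
# observed IP TTL, TCP window, source/destination port and TCP flags. All values invented.
OBSERVED = [
    {"mac": "00:0c:29:aa:bb:01", "ip": "10.0.0.5", "ttl": 127, "win": 65535, "sport": 443,   "dport": 51234, "flags": "SA"},
    {"mac": "00:0c:29:aa:bb:01", "ip": "10.0.0.5", "ttl": 127, "win": 65535, "sport": 3389,  "dport": 51235, "flags": "SA"},
    {"mac": "00:0c:29:aa:bb:02", "ip": "10.0.0.6", "ttl": 63,  "win": 29200, "sport": 22,    "dport": 40000, "flags": "SA"},
    {"mac": "00:0c:29:aa:bb:02", "ip": "10.0.0.6", "ttl": 63,  "win": 29200, "sport": 40001, "dport": 80,    "flags": "S"},
    {"mac": "00:0c:29:aa:bb:03", "ip": "10.0.0.7", "ttl": 254, "win": 4128,  "sport": 23,    "dport": 40002, "flags": "SA"},
    # same IP as the first host but a different MAC: IP reuse or ARP spoofing
    {"mac": "00:0c:29:aa:bb:09", "ip": "10.0.0.5", "ttl": 63,  "win": 29200, "sport": 40003, "dport": 22,    "flags": "S"},
]

# Coarse passive fingerprint table keyed on (initial TTL, TCP window). Assumption: these are
# the classic defaults for a few stacks, standing in for a real sensor's signature database.
OS_SIGNATURES = {(128, 65535): "Windows", (64, 29200): "Linux", (255, 4128): "Cisco IOS"}
TTL_DEFAULTS = (32, 64, 128, 255)


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial TTL; each router hop decrements it."""
    return next((d for d in TTL_DEFAULTS if ttl <= d), 255)


def guess_os(ttl, win):
    return OS_SIGNATURES.get((guess_initial_ttl(ttl), win), "unknown")


def build_inventory(packets):
    """Map IP -> {mac, os, hops, services, alerts}. A SYN/ACK from a port means the host serves it."""
    inventory = {}
    for p in packets:
        host = inventory.setdefault(p["ip"], {
            "mac": p["mac"],
            "os": guess_os(p["ttl"], p["win"]),
            "hops": guess_initial_ttl(p["ttl"]) - p["ttl"],
            "services": set(),
            "alerts": [],
        })
        if host["mac"] != p["mac"]:
            host["alerts"].append(f"MAC changed {host['mac']} -> {p['mac']}")
        if p["flags"] == "SA":
            host["services"].add(p["sport"])
    return inventory


def diff_inventory(baseline, current):
    """Report hosts and served ports present now that were absent from the baseline."""
    findings = []
    for ip, host in current.items():
        if ip not in baseline:
            findings.append(f"new host {ip} ({host['mac']}, {host['os']}, {host['hops']} hops)")
            continue
        for port in sorted(host["services"] - baseline[ip]["services"]):
            findings.append(f"new service {ip}:{port}")
    return findings


if __name__ == "__main__":
    baseline = build_inventory(OBSERVED[:3])
    current = build_inventory(OBSERVED)
    for line in diff_inventory(baseline, current) + current["10.0.0.5"]["alerts"]:
        print(line)
```

The TTL rounding is why the hop count can be derived at all: a sensor only sees the decremented value, so it has to assume the sender started from one of a few common defaults. The MAC-change alert is the cheapest check a sensor can make for IP address reuse or ARP spoofing on the segment it watches.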


Like an IDS, a network based IPS also features detection capabilities which use signature-based
detection, anomaly-based detection and stateful protocol analysis techniques.

The types of events commonly detected by a network-based IDPS sensor include:

• Application layer reconnaissance and attacks

• Transport layer reconnaissance and attacks

• Network layer reconnaissance and attacks

• Unexpected application services

• Policy violations

Detection Accuracy
To increase the accuracy and the scope of detection, newer technologies use a combination of
detection methods. Different network-based IDPSs analyze network activity using different
methods, much as different types of web servers interpret the same kind of web request in
different ways. An attacker can exploit such differences in interpretation to evade a sensor, so
organizations should implement network-based IDPSs that are able to counter common evasion
techniques.

Tuning and Customization


Network-based IPSs need extensive tuning and customization in order to improve the accuracy
of their detection. Examples of tuning and customization capabilities include setting thresholds
for port scans, failed authentication attempts, etc.
Technology limitations include:

• Analyzing encrypted traffic

• Managing heavy traffic loads

• Resisting attacks directed against the IPS itself

Logging Capabilities
The network-based IPS is able to log the detected events. These logs are useful when
investigating incidents, checking the validity of alerts, correlating events with other logging
sources, etc.

The prevention capabilities provided by a network-based IDPS, grouped by sensor type, are:

• Passive Only

• Ending the Current TCP Session

Passive sensors send TCP reset packets to both endpoints in an attempt to end the
existing TCP connection. Each endpoint then believes the other endpoint wants to
terminate the connection. This process is called session sniping. The goal is to get one of
the endpoints to terminate the connection before an attack can succeed. Because the
reset is only sent after the offending packet has been seen, it can arrive too late for an
attack that needs only one or two packets, and it does not work against UDP or ICMP,
which have no connection to reset. Session sniping is not widely used as there are newer
prevention capabilities that are more effective.


• Inline Only

• Performing Inline Firewalling

A majority of inline IDPS sensors provide firewall capabilities, dropping or rejecting
suspicious network activity in addition to detecting it.

• Throttling Bandwidth Usage

Inline IPS sensors can limit the percentage of network bandwidth a protocol may use.
This is a precaution against attacks that consume bandwidth, such as DoS attacks,
malware distribution and peer-to-peer file sharing.

• Altering Malicious Content

A few inline IPS sensors can replace the malicious content of a packet with benign
content and then forward the sanitized packet to the destination. Some sensors act as a
proxy and normalize the traffic, which removes unusual or malicious packet header and
application header content regardless of whether the IPS detected an attack.

• Both Passive and Inline

• Reconfiguring Other Network Security Devices

Some sensors can instruct other security devices such as firewalls, routers and switches
to reconfigure themselves to block an attack. This is useful when the attack can be
characterized by packet header characteristics such as IP addresses and port numbers.

• Running a Third-Party Program or Script

When certain malicious activities are detected, some IPS sensors run an administrator-
specified script or program that triggers a prevention action, such as reconfiguration of
security devices. Administrators typically use third-party programs or scripts when the
IPS does not natively support the prevention action they need. Some IPS sensors support
prevention actions only through such scripts and otherwise only generate alerts.
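Session sniping, described under Passive Only above, can be shown concretely by crafting the two TCP RST packets a passive sensor injects. The following is an added example, not the course's or any product's code. It builds the IPv4 and TCP headers by hand with the standard checksums so the packets can be verified offline; the addresses, ports and sequence numbers are constructed. Sending the packets needs a raw socket and root privileges, so the inject function is provided but not called.

```python
"""Craft the TCP RST pair a passive IPS sensor injects to snipe a session."""
import socket
import struct

RST = 0x04


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words, as used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src_ip, dst_ip, sport, dport, seq):
    """Return an IPv4 packet carrying a bare TCP RST with the given sequence number."""
    # TCP header: data offset 5 words, RST flag, window 0, checksum placeholder, no options.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, RST, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, DF set, TTL 64, protocol TCP, checksum placeholder.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def snipe_session(client_ip, client_port, server_ip, server_port, client_next_seq, server_next_seq):
    """Build both resets: one to the server spoofing the client, one to the client spoofing the server.

    Each RST must carry the sequence number the receiver expects next (its RCV.NXT, i.e. the ACK
    number it last sent), which the sensor knows only because it has been watching the stream.
    RFC 5961 hosts drop RSTs whose sequence number is merely in-window, so a guess is not enough.
    """
    to_server = build_rst(client_ip, server_ip, client_port, server_port, client_next_seq)
    to_client = build_rst(server_ip, client_ip, server_port, client_port, server_next_seq)
    return to_server, to_client


def decode(packet):
    """Decode an IPv4/TCP packet and recheck both checksums (a valid header sums to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp = packet[:ihl], packet[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(ip_hdr[12:16]), "dst": socket.inet_ntoa(ip_hdr[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "rst": bool(tcp[13] & RST),
        "ip_csum_ok": checksum(ip_hdr) == 0, "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def inject(packet, dst_ip):
    """Send a crafted packet from the sensor. Needs CAP_NET_RAW/root; not called in this demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as raw:
        raw.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    # Constructed session: client 10.0.0.50:51234 talking to server 10.0.0.5:443.
    for pkt in snipe_session("10.0.0.50", 51234, "10.0.0.5", 443, 1000, 5000):
        print(decode(pkt))
```

The two packets are mirror images of each other, which is the whole trick: each endpoint receives a reset that appears to come from its peer. The dependency on the exact next sequence number is also why the technique only works for TCP and why a sensor that missed the start of the stream cannot snipe it.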


[Figure: Network-based IPS deployment. IPS sensors are placed on the DMZ segment (web server, DNS server, email server, app server), at the Internet firewall, and at the gateway in front of the protected hosts. All sensors report over a dedicated command and control subnet to the NIPS software command console.]

As a single management station supports multiple sensors, each side of the firewall can have
its own IPS sensor, which lets the administrator see both what attacks the network is facing and
how well the firewall is blocking them. A sensor outside the external firewall sees every attack
aimed at the perimeter, while a sensor inside it sees only the attacks that got through and can
stop them before they reach the network. This kind of IPS configuration does not detect internal
threats. Additional sensors at secondary locations such as the DMZ and host segments increase
visibility into the network traffic.


Host-Based IPS

• A host-based IPS is aimed at collecting information about host activity on a single host
• It monitors the characteristics of and events which occur on that host, analyzing, detecting and preventing suspicious activity
• It is most commonly deployed on important hosts, including critical public-facing servers
• It often performs checks on:
  o Host network traffic
  o System event logs
  o Processes running on the system
  o File access or file modification attempts
  o Attempts to change the system and application settings


A host-based IPS monitors, detects, analyzes and prevents intrusion activity on a particular
host. It checks system integrity, logs, programs, applications, file access and/or modification,
traffic, etc. to detect intrusion attempts.
Its detection software, known as an agent, is installed on the individual host rather than on
the network; the agent monitors activity on that host and carries out prevention actions. It
monitors the status of key system files and raises alerts on changes to file attributes, creation
of new files and deletion of existing files. Multiple systems are monitored by creating a host
configuration file for each agent and having every HIPS agent report to a master console system.
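The file-monitoring behaviour described above (alerts on changed attributes, new files and deleted files) can be implemented as a baseline-and-compare check over a directory tree. The following is an added example, not the course's or any HIPS product's code; it builds its own temporary directory with constructed files, tampers with them the way an intruder might, and returns the events an agent would report.

```python
"""File integrity monitoring as a HIPS agent does it: baseline, re-scan, report changes."""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Record SHA-256, size and permission bits of every regular file under root, keyed by relative path."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            }
    return snap


def compare(baseline, current):
    """Return (event, relative_path) pairs: created, deleted, modified or attributes_changed."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            events.append(("created", rel))
        elif after is None:
            events.append(("deleted", rel))
        elif before["sha256"] != after["sha256"]:
            events.append(("modified", rel))
        elif before["mode"] != after["mode"]:
            events.append(("attributes_changed", rel))
    return events


def demo():
    """Build a constructed /etc-like tree, baseline it, tamper with it, and return the agent's events."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        files = {
            "passwd": "root:x:0:0:root:/root:/bin/sh\n",
            "shadow": "root:*:19000:0:99999:7:::\n",
            "hosts": "127.0.0.1 localhost\n",
        }
        for name, body in files.items():
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(body)
        os.chmod(os.path.join(etc, "shadow"), 0o600)
        baseline = snapshot(root)

        # Tampering an intruder might do: add a UID-0 user, loosen shadow permissions,
        # plant a preload library and remove a file.
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/tmp:/bin/sh\n")
        os.chmod(os.path.join(etc, "shadow"), 0o644)
        with open(os.path.join(etc, "ld.so.preload"), "w") as fh:
            fh.write("/tmp/evil.so\n")
        os.remove(os.path.join(etc, "hosts"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:20s} {path}")
```

The baseline is only as trustworthy as its storage: an attacker with root on the host can rewrite a local baseline to match the tampered files, which is why agents report to the master console and keep the reference hashes off the monitored host.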

Advantages
• Detects local events and attacks on host systems, where encrypted traffic has already been
  decrypted and is available for processing.

• Not affected by switched networks, which limit what a network-based sensor can see.

• Detects inconsistencies in the usage of applications and system programs by examining
  records stored in audit logs, which reveals attacks such as a Trojan horse.

Disadvantages
• Management overhead, as it has to be configured on each monitored host.
• Vulnerable to attacks against the host OS, since the agent runs on the host it protects.

• Cannot detect multi-host scanning, because it sees only its own host's traffic.


• Vulnerable to denial-of-service attacks.

• The overhead on host systems can reduce system performance below acceptable levels.


[Figure: Host-based IPS deployment. Internet, router, switch, firewall and switch lead to the internal network, where the IPS consoles sit. A DMZ switch connects the protected hosts, each running an IPS agent: mail server with IPS, IPS agent management server, database server, email server, web server and HTTP server.]

Host-based IPS architecture involves deploying a HIPS agent on each of the hosts in the
organization. The system components communicate over the organization's normal network
instead of using a separate management network, so most products encrypt their
communications to prevent attackers from reading or tampering with the sensitive information
they carry. Some host-based IPS products instead use appliance-based agents placed in front of
the hosts they are protecting, which avoids installing software on the host but limits the agent
to what it can see on the wire.


Wireless IPS

• A wireless IPS is a system that monitors and analyzes wireless network traffic for any suspicious activity
• A WLAN is comprised of a group of wireless networking nodes within a limited area that exchange data through radio communications
• It uses the IEEE 802.11 WLAN standards for communications and operates in the 2.4 GHz and 5 GHz frequency bands
• IEEE 802.11a, b and g devices support the original 802.11 security feature, Wired Equivalent Privacy (WEP), which is cryptographically broken and should not be relied on

[Figure: Wireless IPS deployment. An IPS sensor monitors the wireless clients and access points and reports through the firewall to the corporate network.]


A wireless IPS is used to monitor wireless network traffic for detection and prevention of
network intrusion activity. The system analyzes wireless networking protocols to identify and
avert suspicious activities.
The wireless IPS covers devices which connect over a wireless local area network (WLAN)
through radio communications and distribute the signals within a limited geographic area. A
wireless IPS detects abnormal activities in wireless network traffic, which can be a device
compromise attempt or an unauthorized access to the network. It will also identify any device
that tries to spoof the identity of another device.


Wireless IPS: Network Architecture

Network Architectures
• The wireless IPS components are connected through a wired network
• These components use either a separate management network or the organization's standard network for communication
• Some mobile wireless IPS sensors are used as standalone devices

Sensor Locations
• Wireless sensors need to be deployed so that they can monitor the RF range of the organization's WLANs
• To detect rogue APs and ad hoc WLANs, sensors should also cover areas where no WLAN activity is expected
• Wireless sensor locations depend on: sensor range, physical security, wired network connections, cost, and AP and wireless switch locations


As in a wired IPS, all the typical wireless IPS components connect to each other through a
wired network. The components communicate using either a separate management network
or the organization's standard network. Some mobile wireless IPS sensors also act as
standalone devices.
The network architecture for a wireless IPS also includes deciding where the sensors are
located. Sensor locations should let the IDPS monitor all channels and bands across the RF
range of the organization's WLANs, and also cover regions where WLAN activity should not
exist, so that rogue APs and ad hoc WLANs can be detected.

Selection of wireless sensor locations depends on a wide array of criteria such as:

• Physical Security: Wireless sensors are prone to physical security threats because they are
  placed in open interior or exterior locations. The organization should consider some form
  of physical security for the sensors while deploying a WIPS. It is advisable to choose
  sensors with anti-tamper features.

• Sensor Range: The surrounding walls and doors may affect the range of WIPS sensors. They
  add attenuation and reduce the effective range. It is advisable to use wireless IPS
  modeling software that helps administrators analyze building floor plans and the features
  of walls, the location of doors, etc.

• Wired Network Connections: Wired network connections are required for the sensors,
  which may require extending the wired network into the area.


• Cost: Organizations should analyze the WLAN threats they face and choose a cost-
  effective solution. Compare the cost of sensor purchases, deployment, and maintenance
  in order to select the solution that reduces risk to the required level.

• AP and Wireless Switch Locations: The locations of access points and wireless switches
  matter because some of these devices can run the wireless IPS sensor software
  themselves, so their placement determines the sensor coverage.


Wireless IPS: Security Capabilities

A wireless IPS offers different types of security capabilities, which are divided into four categories including:

• Wireless IPS information gathering capabilities:
  o Identifying WLAN devices by building an inventory of WLAN devices
  o Identifying clients with the help of SSIDs and the MAC addresses of the devices
  o Identifying WLANs, as IPS sensors track the WLANs through their SSIDs

• Detection capabilities of a wireless IPS include the evaluation of:
  o Types of events detected by wireless IPS sensors, which include:
    - Unauthorized WLAN devices
    - Unsecure WLAN devices
    - Unusual traffic behaviors
    - Wireless network scanning attempts
    - Denial of service (DoS) attempts
  o Detection accuracy, which is expected to be higher due to the limited scope of a wireless IPS
  o Technology limitations, which include:
    - Inability to detect some wireless protocol attacks
    - Susceptibility to evasion techniques
    - Inability to withstand attacks against the IPS itself


Wireless IPS: Security Capabilities (Cont'd)

• Logging capabilities:
  o Storing log data for detected events
  o Confirming the validity of alerts by investigating incidents and correlating the log events with other logging sources

• Prevention capabilities:
  o Terminating connections between a rogue or misconfigured STA and an authorized AP, and vice versa


Wireless IPSs offer various types of security capabilities including:

• Information Gathering Capabilities: Wireless IPS solutions are capable of collecting
  information on wireless devices. Wireless IPSs collect information in the following ways:
  • Identifying WLAN Devices: By building an inventory of the WLAN devices and clients
    observed by the IPS sensors, using their SSIDs and the MAC addresses of their wireless
    network interface cards.
  • Identifying WLANs: IPS sensors track the WLANs through their SSIDs and identify new
    WLANs as they appear.
• Detection Capabilities: Detection capabilities of a wireless IPS include the evaluation of
  attacks, misconfigurations, and policy violations in a wireless network by monitoring IEEE
  802.11 protocol communications. Other detection capabilities of the wireless IDPS include:
  • WIPS sensors detect the following types of events:
    o Unauthorized WLANs and WLAN devices
    o Unsecure WLAN devices
    o Unusual usage patterns
    o Wireless scanning activity
    o Denial of service (DoS) attacks and conditions
    o Impersonation and man-in-the-middle attacks
  • Detection accuracy: Detection by a wireless IPS is expected to be more accurate than
    that of a network-based IPS because of its limited scope.
  • Technology limitations: Technology limitations of the wireless IPS include:
    o Unable to detect some protocol attacks
    o Can be bypassed
    o Can itself be attacked
• Logging Capabilities: Logging capabilities of a wireless IPS include storing the log data for
  detected events, which is used to confirm and investigate an incident.
• Prevention Capabilities: The prevention capability of a wireless IPS is to break connections
  between a rogue or improperly configured STA and an authorized AP, and vice versa. This
  includes both wireless and wired actions.
  • Wireless: Some sensors can terminate a connection between a station (STA) and an
    access point (AP) over the air, without any direct connection to either, when one of
    them is rogue or misconfigured. The sensor sends deauthentication or disassociation
    messages to the endpoints to end the current session and then keeps refusing their
    attempts to establish a new connection.
  • Wired: Some sensors can instruct a switch on the wired network to block network
    activity involving a particular STA or AP, typically by MAC address or switch port, to cut
    off malicious or illicit network activity.
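The wireless detections listed above (unauthorized devices, unsecure devices, impersonation, DoS) can be shown with a sensor's view of beacon and deauthentication frames. The following is an added example, not the course's or any WIPS product's code. The authorized AP inventory, the BSSIDs, SSIDs and frame timestamps are all constructed; a real sensor would populate them from captured 802.11 management frames.

```python
"""Wireless IPS checks over constructed 802.11 management-frame observations."""
from collections import defaultdict

# Constructed authorized inventory (SSID -> BSSIDs) and the key-management schemes accepted as secure.
AUTHORIZED = {
    "corp-wifi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "corp-guest": {"00:11:22:33:44:03"},
}
SECURE_AKMS = {"WPA2-PSK", "WPA2-EAP", "WPA3-SAE", "WPA3-EAP"}

# Constructed beacon observations: BSSID, SSID, channel, AKM advertised in the RSN element,
# and network type (ess = infrastructure AP, ibss = ad hoc).
BEACONS = [
    {"bssid": "00:11:22:33:44:01", "ssid": "corp-wifi",  "channel": 6,  "akm": "WPA2-EAP", "type": "ess"},
    {"bssid": "00:11:22:33:44:03", "ssid": "corp-guest", "channel": 11, "akm": "OPEN",     "type": "ess"},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "corp-wifi",  "channel": 6,  "akm": "OPEN",     "type": "ess"},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Free WiFi",  "channel": 1,  "akm": "OPEN",     "type": "ess"},
    {"bssid": "02:aa:bb:cc:dd:ee", "ssid": "share",      "channel": 3,  "akm": "WPA2-PSK", "type": "ibss"},
]

# Constructed deauthentication frames as (timestamp_seconds, transmitter address): an attacker
# flooding 50 frames in half a second, and an authorized AP sending a few legitimate ones.
DEAUTH_FRAMES = [(i * 0.01, "de:ad:be:ef:00:01") for i in range(50)] + \
                [(i * 3.0, "00:11:22:33:44:01") for i in range(3)]


def classify(beacon):
    """Label one beacon: authorized, unsecure authorized AP, evil twin, unauthorized AP or ad-hoc WLAN."""
    ssid, bssid = beacon["ssid"], beacon["bssid"]
    if beacon["type"] == "ibss":
        return "ad-hoc WLAN"
    if bssid in AUTHORIZED.get(ssid, set()):
        return "authorized" if beacon["akm"] in SECURE_AKMS else "unsecure authorized AP"
    if ssid in AUTHORIZED:
        return "evil twin (authorized SSID, unknown BSSID)"
    return "unauthorized AP"


def scan_report(beacons):
    return {b["bssid"]: classify(b) for b in beacons}


def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Return transmitters that sent more than `threshold` deauth frames inside any `window` seconds."""
    by_source = defaultdict(list)
    for ts, src in frames:
        by_source[src].append(ts)
    offenders = set()
    for src, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                offenders.add(src)
                break
    return offenders


if __name__ == "__main__":
    for bssid, verdict in scan_report(BEACONS).items():
        print(f"{bssid}  {verdict}")
    print("deauth flood from:", detect_deauth_flood(DEAUTH_FRAMES))
```

The evil-twin rule is the one that matters most in practice: an attacker cannot forge an authorized BSSID without also being on the inventory, so an authorized SSID seen from an unknown BSSID is a strong signal even when the channel and security settings look plausible. The deauth threshold is a tuning parameter in the same sense as the port-scan thresholds discussed for network-based sensors.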


Wireless IPS: Management

Management of a wireless IPS product involves major aspects such as:

Implementation follows the installation and customization of the selected wireless IPS product and can be done as follows:
• Design an architecture
• Perform IPS component testing
• Secure the IPS components and install the IPS

Operation and maintenance
• Wireless IPS consoles offer management, monitoring, analysis, and reporting abilities along with the physical location for detecting threats
• A wireless IPS is able to detect a variety of events


Management of a wireless IPS involves crucial tasks like implementation, operation, and
maintenance of the products, as well as providing guidelines for performing them effectively
and efficiently.

Implementation
Implementation of a wireless IPS follows the installation and customization of the selected
product.

Steps for implementing a wireless IPS include:

• Architecture Design: Architecture includes planning the location of the IPS, the number of
  sensors required, the type of sensors and how they are connected.

• Component Testing and Deployment: Deploying a wireless IPS may require short network
  outages during installation of the sensors, and of any network taps and load balancers used
  by wired sensors. Test the components before cutting over.

• Securing the IPS Components: Do not assign IP addresses to the monitoring interfaces of
  passive or inline sensors; the sensors then stay in stealth mode and cannot be addressed
  from the monitored network. Management traffic goes over a separate management
  interface.

Operation and Maintenance

Wireless IPS consoles offer management, monitoring, analysis, and reporting abilities along
with the physical location for detecting threats. The sensors are able to detect a variety of
events.


Network Behavior Analysis (NBA) System

• NBA systems are deployed to monitor an organization's internal network flows and will sometimes be deployed to monitor flows between an organization and external networks
• This approach examines network traffic against:
  o Unusual traffic
  o Malware attacks
  o Policy violations


An NBA system, also known as a Network Behavior Anomaly Detection (NBAD) system, monitors
an organization's internal network flows as well as flows between the organizational and
external networks. This approach evaluates and analyzes network traffic, or the traffic statistics
exported by active devices such as switches, routers, firewalls, etc., to identify:

• Unusual traffic
• Malware attacks

• Policy violations
• Advanced threats
• Undesirable behavior
• Anomalies
Some threats may evade an IDS and anti-virus software. The NBA system passively monitors the
network traffic from many points and tries to identify such threats. The main advantage of
using a NBA system is it focuses on the overall behavior of the network and flags new patterns
that might indicate the presence of a threat. This allows the organization to address specific
threats for which no signature is available. The NBA system is also capable of monitoring and
recording the variations in the bandwidth and protocol usage.


NBA Components and Sensor Locations

• The NBA is comprised of sensors and consoles
• Sensors are available as appliances, which sniff packets to monitor network activity
• NBA sensors are deployed in passive mode using the same connection methods as in a network-based IPS
• A flow is a communication session between hosts
• Flow data may include:
  o Source and destination IP addresses
  o Source and destination ports
  o Number of packets or bytes transmitted in the session
  o Timestamps for the start and end of the session


An NBA system can be deployed on a separate management network or as part of the
corporate network. An NBA system is comprised of sensors and consoles, and some NBA
products also offer management servers (sometimes referred to as analyzers). NBA sensors are
generally available as hardware appliances. Some sensors act like NIDPS sensors and sniff
packets to monitor traffic on network segments, whereas other sensors depend on the network
flow information exported by routers, switches and other networking devices. Here, a flow is a
communication session taking place between hosts. There are several standard flow data
formats, including NetFlow and sFlow. Intrusion detection is done based on:

• Source and destination IP addresses


• Source and destination TCP or UDP ports or ICMP types and codes
• Number of packets and number of bytes transmitted in the session

• Timestamps for the start and end of the session


Choosing the right place to deploy the devices is as important as selecting the appropriate
device for the network. Depending on the location, the NBA sensor can be either passive or
inline. Most NBA sensors use the same connection techniques (such as a network tap or a switch
SPAN port) as NIDPS sensors deployed in passive mode. Passive sensors directly monitor the
network traffic, so they can be placed in demilitarized zone (DMZ) subnets.

Inline sensors are placed at network boundaries, close to border firewalls. For instance, an NBA
inline sensor deployed between the firewall and the Internet perimeter router is able to restrict
incoming attacks that would otherwise get past the firewall. Some products combine NBA and
IPS, providing IPS or firewall functions. NBA sensors can also be deployed in passive mode to
collect flow data from the switches.


NBA System: Security Capabilities

• Information gathering capabilities: the information collected includes IP addresses, operating systems, services provided and the other hosts which communicate with each host
• Logging capabilities: logs the same information as a HIPS
• Detection capabilities: NBA sensors detect attack attempts such as policy violations, DoS, scanning, etc.
• Prevention capabilities: these are identical to those of a NIPS


The NBA system offers a variety of security capabilities that can be classified into four
categories:

• Information capabilities
• Logging capabilities
• Detection capabilities

• Prevention capabilities

Information Capabilities
NBA systems gather information about hosts, which most of the NBA system's detection
methods depend on. NBA sensors can automatically create and maintain a list of the hosts seen
across the organization's monitored network. They gather detailed information on each host by
monitoring port usage, performing passive fingerprinting and applying other techniques. The
information obtained for each host includes its IP address, operating system, the services it
provides (the IP protocols and TCP and UDP ports it listens on), the other hosts that interact
with it, and the services, IP protocols and TCP or UDP ports it connects to. The NBA sensors
monitor this information continuously for changes.

Logging Capabilities
NBA systems log detected anomalies. The data fields logged by the NBA system are:

• Timestamp (date and time)


• Alert type
• Source and destination IP addresses
• Rating (priority, severity, etc.)
• Protocols at application, transport and network layers

• Source and destination TCP or UDP ports or ICMP types and codes
• Additional packet header fields such as IP time-to-live

• Number of bytes and packets

• Prevention action

Detection Capabilities
An NBA system detects malicious behavior that deviates significantly from normal behavior. To monitor and analyze network activity, most NBA systems use anomaly-based detection and stateful protocol analysis. NBA sensors can detect the following types of events:

• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks: If a host uses increased bandwidth, the NBA system analyzes this activity and determines whether it violates normal traffic behavior in order to detect these attacks.

• Scanning: The IDS detects scanning attacks by noticing abnormal flow patterns at different layers, such as banner grabbing at the application layer, TCP and UDP port scanning at the transport layer, and ICMP scanning at the network layer.

• Worms: The IDS can detect worms in more than one way, depending on the worm's behavior, such as its propagation or its causing hosts to use undesirable ports. For example, if a network has a worm infection, the NBA sensor can examine the worm's flows and identify the host that first transmitted the worm on the network.

• Unexpected application services: To detect unexpected application services such as tunneled protocols, backdoors and the use of prohibited application protocols, the NBA system uses stateful protocol analysis techniques.

• Policy violations: Most NBA sensors allow the creation of detailed policies covering hosts, groups of hosts, communication between them, permitted activity, time periods, etc. They can then detect policy violations such as running unauthorized services.
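As an added illustration (not EC-Council code), the following Python script applies two of the detection methods listed above to a constructed set of flow records: a port-scan check (one source touching many distinct ports on a single destination) and a bandwidth check against a per-host history of the kind an anomaly-based NBA sensor builds up. The flow records, baseline values and thresholds are all constructed sample data.

```python
"""Flow-based anomaly checks of the kind an NBA sensor performs.

Added example; the flow records, baseline history and thresholds below are
constructed sample data, not captured traffic or vendor logic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for one monitoring window:
# (src, dst, proto, dst_port, bytes)
FLOWS = [
    # 10.0.0.5 touches ten different ports on 10.0.0.20 with tiny flows: a port scan
    *[("10.0.0.5", "10.0.0.20", "tcp", p, 60)
      for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389, 8080)],
    # 10.0.0.7 behaves normally: a couple of HTTPS sessions
    ("10.0.0.7", "10.0.0.20", "tcp", 443, 5_200),
    ("10.0.0.7", "203.0.113.10", "tcp", 443, 8_900),
    # 10.0.0.9 pushes far more traffic than its history suggests (DoS/flooding pattern)
    ("10.0.0.9", "203.0.113.10", "tcp", 80, 2_400_000),
    ("10.0.0.9", "203.0.113.10", "udp", 53, 120_000),
]

# Constructed per-host history: bytes sent in each of the previous five windows.
# 10.0.0.5 has no history, which an NBA sensor also treats as notable.
BASELINE = {
    "10.0.0.7": [12_000, 15_000, 11_000, 14_000, 13_000],
    "10.0.0.9": [12_000, 15_000, 11_000, 14_000, 13_000],
}


def detect_port_scans(flows, min_ports=8):
    """Flag (src, dst) pairs where one source contacts at least min_ports distinct
    TCP/UDP destination ports. Returns {(src, dst): sorted list of ports}."""
    ports = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        if proto in ("tcp", "udp"):
            ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_bandwidth_anomalies(flows, baseline, k=3.0):
    """Compare each source's bytes in this window with its historical mean and flag
    sources exceeding mean + k * standard deviation. Sources with no history are
    reported separately. Returns a list of (src, reason, bytes) sorted by source."""
    sent = defaultdict(int)
    for src, _, _, _, nbytes in flows:
        sent[src] += nbytes
    alerts = []
    for src, total in sorted(sent.items()):
        history = baseline.get(src)
        if not history:
            alerts.append((src, "no baseline for host", total))
            continue
        limit = mean(history) + k * pstdev(history)
        if total > limit:
            alerts.append((src, f"bytes exceed baseline limit {limit:.0f}", total))
    return alerts


if __name__ == "__main__":
    for (src, dst), scanned in detect_port_scans(FLOWS).items():
        print(f"SCAN  {src} -> {dst}: {len(scanned)} ports {scanned}")
    for src, reason, total in detect_bandwidth_anomalies(FLOWS, BASELINE):
        print(f"FLOW  {src}: {reason} ({total} bytes this window)")
```

The two thresholds (`min_ports` and `k`) are the tuning knobs a real sensor exposes; lowering them catches slower scans and smaller surges at the cost of the false positives the module warns about in the prevention section.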

Prevention Capabilities
The NBA system provides various intrusion prevention capabilities. The configuration of an NBA sensor considers the different types of alerts raised by NBA sensors in order to determine the kind of prevention capability required to block a specific known threat. Depending on the type of sensor, the prevention capabilities of an NBA sensor are:

• Passive sensor: Terminates the session by sending a TCP reset (RST) packet to both endpoints of the connection.
• Inline sensor: Performs inline firewall functions to allow or deny suspicious network traffic.
• Both passive and inline: Most NBA sensors can instruct network security devices to reconfigure themselves to restrict certain types of attacks.
• Running a third-party program or script: If malicious activity is detected, some NBA sensors can run an administrator-specified script or program.

Most NBA systems make only limited use of prevention capabilities because of false positives, as blocking on a single false positive may disrupt the entire network.


IDPS Product Selection

IDPS products must meet certain criteria to be deployed in an organization
Compare the different technology types, then select the most appropriate technology to meet the requirements of the organization
The products should be evaluated based on organizational requirements such as:

• General requirements
• Required security capabilities
• Performance requirements
• Management requirements
• Life cycle cost requirements

The selection of an IDPS product depends on whether it meets certain requirements. The selection process consists of assessing four aspects of IDPS technologies: security capabilities, performance, management, and life cycle cost.

Organizations should determine the particular type of IDPS technology, such as network-based, wireless, network behavior analysis (NBA), or host-based, that best suits their requirements. The organization should conduct risk management to identify the security measures required to mitigate the identified risks.


IDPS Product Selection: General Requirements

Evaluate the general requirements the IDPS products will have to meet post deployment
Size of an organization also modifies the number of IDPS products needed

General requirements cover:
• System and Network Environments
• Goals and Objectives
• Security and Other IT Policies
• External Requirements
• Resource Constraints

IDPS Product Selection: General Requirements (Cont'd)

System and Network Environments: An organization's characteristics, such as its system and network environments, should be evaluated and examined to see whether the selected IDPS is compatible with them and whether its capabilities include event monitoring. Consider the following characteristics:
• Technical specifications of the IT environment
• Technical specifications of the existing security protections

Goals and Objectives: An organization should decide whether a particular IDPS solution satisfies the technical, operational and business goals and objectives behind implementing an IDPS. Consider the following questions while articulating goals and objectives:
• Which type of threats does an IDPS protect against?
• Will an IDPS be able to monitor activities against acceptable use, violations, non-security reasons, etc.?

Security and Other IT Policies: Review the current security and IT policies and evaluate whether a certain IDPS will offer the specified protection to meet an organization's policies. Consider the following points when selecting an IDPS product:
• Policy goals
• Reasonable use policies
• Policy violations and consequences


IDPS Product Selection: General Requirements (Cont'd)

External Requirements:
• Security-specific requirements
• Security audit requirements
• System accreditation requirements
• Standards and law enforcement, incident investigation and incident response requirements
• Purchase products previously evaluated through an independent process
• Cryptography requirements

Resource Constraints:
An organization should consider constraints which add extra costs to implement IDPS features. Consider the following constraints:
• The budget required to purchase, deploy, administer and maintain the IDPS hardware, software and infrastructure
• The staff needed to monitor and maintain an IDPS

An organization needs to have a clear baseline of the requirements for an IDPS product. Each
IDPS solution may differ in features and services. An organization needs to determine which
IDPS product will suit their requirements the best. For example, there are situations where a
single IDPS product may not satisfy the requirements of an organization. This scenario
encourages the use of multiple IDPS products. Wireless IDPS products have certain general
requirements such as a method of detecting anomalies and the process of connecting to other
components that decide if the product can satisfy the company's requirements.

The selection of an IDPS depends on the following general requirements:

System and Network Environments

The network administrator should be able to select the IDPS product according to the requirements of the organization and its network configuration. Also, the selected IDPS product should be able to detect and log the events of interest that the organization wants to evaluate and examine. Consider the following characteristics:

• Technical specifications of the IT environment.
• Technical specifications of the existing security protections.

Goals and Objectives

The network administrator must evaluate the product against the organization's technical, operational and business goals and objectives. Consider the following questions:


• Which type of threats will the IDPS monitor?
• Will it monitor acceptable use violations?

Security and Other IT Policies

The network administrator should review the organization's security policies prior to selecting the IDPS product. Consider the following characteristics:

• Policy goals
• Reasonable use policies
• Consequences of non-compliance with policies

External Requirements
If the organization is subject to review by other organizations, the administrator will need to assess whether those reviewers can examine the IDPS implementation in the organization.

• Security-specific requirements help in the investigation of security violations and incidents.
• Audit requirements are specific functions an IDPS must support.
• System accreditation requirements help an administrator address the accreditation authority's requirements.
• Requirements arising from law enforcement investigations and the resolution of security incidents.
• The requirement to purchase products previously evaluated through an independent process.

Resource Constraints
Administrators should also consider whether they have adequate systems and personnel to handle the IDPS features they are thinking of implementing. Expenses on additional IDPS features will be in vain if the organization does not have enough resources to handle them. Network administrators must consider the following constraints:

• The budget for purchasing, implementing and maintaining IDPS hardware, software and infrastructure.
• The staff needed to monitor and maintain an IDPS.


IDPS Product Selection: Security Capability Requirements

Security Capability Requirements:
The selection of an IDPS depends on an organization's environment and policies as well as the current security and network infrastructure
It is crucial to meet these as the product will be used in conjunction with other security controls
The IDPS product should feature the following security capabilities:

1. Information gathering capabilities required for detection and analysis of incidents
2. Logging capabilities required for performing analysis, confirming validity of alerts, and correlating logged events
3. Detection capabilities needed to identify threat events using different methodologies
4. Prevention capabilities which cater to future needs in various situations

In addition to defining general requirements, the network administrator needs to define a specialized set of requirements. Organizations should evaluate IDPS security capability requirements as a baseline for creating a specific set of criteria, taking their environment, security policies and network infrastructure into consideration. It is important to check and confirm the security capabilities of an IDPS product. An IDPS product that does not meet the required security capabilities is of no use as a security control, and the administrator must select a different product or use that product in combination with another security control. The IDPS product should feature security capabilities such as information gathering, logging, detection and prevention.


IDPS Product Selection: Performance Requirements

Performance Requirements:
• Evaluate IDPS products based on their general performance characteristics
• Network-based IDPS: Ability to monitor and handle network traffic
• Host-based IDPS: Ability to monitor a certain number of events per second

Verify the performance features such as:
• Tuning features, whether manually or automatically configured
• Processing capability and memory
• Ability to track various products and activities simultaneously
• Latency in processing events caused by the product
• Delay in tracking an event
• Hardware models and OS configurations
• Up-to-date test suites for the IDPS products

Network administrators must evaluate an IDPS product's general performance characteristics by assessing its capacity to handle network traffic (packet monitoring capabilities) for a network-based IDPS and its event monitoring capabilities for a host-based IDPS.

Verify performance features such as:

• Tuning features of the IDPS, as its performance is dependent on product configuration and tuning.
• Processing capability and memory.
• Ability to track various product state activities simultaneously.
• Latency of processing events caused by the product.
• Delay in tracking an event.
• Hardware models and OS configurations.
• Up-to-date test suites for the IDPS products.


IDPS Product Selection: Management Requirements

The products need to comply with the organization's management policy in order to be used effectively
Management requirements are assessed based on the following categories:

• Design and implementation criteria include detailed information about the technology along with features like reliability, interoperability, scalability, and security
• Operation and maintenance requirements include daily usage, maintenance, and applying updates to the product
• Selected IDPS products should be available with resources such as training, documentation, and technical support

The products need to comply with the organization's management policy in order to offer better performance. If the products do not comply with the company's policy, it will be difficult to handle them and make them work effectively. Management requirements for an IDPS include categories such as:

• Design and implementation criteria include detailed information about the technology type used in the product along with features like reliability, interoperability, scalability and security.
• Operation and maintenance requirements include daily usage, maintenance and applying updates to the product.
• The IDPS product should offer good interoperability, which refers to performing effectively while working in combination with existing systems.
• Selected IDPS products should be available with resources such as training, documentation, and technical support.
• The products should offer scalability, so that the company is able to increase or decrease the product quantity to meet future requirements.


IDPS Product Selection: Life Cycle Costs

Estimated life cycle costs of the products should be within the available funding
Life cycle costs for IDPS products are divided into two categories:

• Initial Costs: Include the costs of appliances, additional network equipment and components, software and software licensing fees, installation, customization and training fees
• Maintenance Costs: Include staff wages, customization costs, maintenance contracts and technical support fees

IDPS products are environment specific, and quantifying the cost of IDPS solutions can be a tedious task for organizations. The cost of the IDPS product should be proportional to the available budget of the organization. Estimated life cycle costs of the selected IDPS products should be within the range of the available funding. Selecting an IDPS based on cost is difficult, as the environment, security and other networking criteria are liable to dominate the decision. Life cycle costs of IDPS products include the following categories:

Initial Costs
Initial cost is the starting point for all IDPS product calculations. It includes:

• Cost of deploying hardware or software tools: The cost of network appliances, IDS load balancers, and software tools such as reporting tools, database software, etc.
• Installation and configuration costs: Internal or external labor for fixing systems, network appliances or installing network or system accessories.
• Cost of application customization: The programmers or developers who develop scripts or applications for maintaining security.
• Cost of training and awareness: The cost of training the administrators and raising their awareness.


Cost of Maintenance
Organizations usually do not have a standard for measuring the cost of maintenance, which results in different maintenance costs within the same organization. The cost of maintenance within the organization includes:

• Cost of labor: The cost of the staff handling the IDPS solutions and their administration.
• Cost of technical support: Organizations using external technical support from third-party services are required to pay for technical support services.
• Cost of professional services: Technical support vendors that do not provide IDPS solution services fall under professional services. Organizations using service support from these IDPS vendors or third parties are required to pay the costs of these professional services.


An administrator should not depend on implementing an IDS alone for intrusion detection
Administrators should implement IDS counterparts to complement IDS functionality

Use the following tools and techniques to complement an IDS for better protection:

• Vulnerability Analysis or Assessment Systems
• System Integrity Verifiers (SIVs)
• Log File Monitors (LFMs)
• Honeypots

Although various types of IDPS and their hybrid solutions are used to detect and prevent intrusions on a network, they are not always sufficient to detect specific types of intrusions. Solutions are required that specialize in detecting a specific type of intrusion. There are other technologies and solutions that act as counterparts to an IDS and help you detect various types of intrusions on the network. IDPS solutions are more generalized, whereas these solutions target specific types of intrusions and are therefore more specialized. These solutions, if implemented, can provide add-on security to the network. Some of the specialized intrusion detection systems are:

• Vulnerability Analysis or Assessment Systems
• System Integrity Verifiers (SIVs)
• Log File Monitors (LFMs)
• Honeypots


Vulnerability Analysis or Assessment Systems

Vulnerability assessment is performed to test whether a network or host is vulnerable to known attacks
Vulnerability analysis is classified as:

Host-Based Vulnerability Analysis
• It involves checking system data sources such as file contents, configuration settings, and other status information to identify possible vulnerabilities
• A vulnerability analyzer is considered as having permission to access the host; as a result it is also known as a credential-based assessment

Network-Based Vulnerability Analysis
• It involves simulating various attacks and recording the responses to identify possible vulnerabilities
• A vulnerability analyzer performing vulnerability analysis regardless of whether it has permission to access the target system or not is known as a non-credential-based assessment

Advantages and Disadvantages of Vulnerability Analysis

Advantages
• Helps detect problems on systems where an IDS cannot be deployed
• Supports security testing capabilities
• Spots changes in security states reliably
• Mitigates a set of security problems

Disadvantages
• Expensive to build, maintain and manage a vulnerability analysis system
• Less accurate and has a high false alarm rate
• Some vulnerability checks can crash the system


A vulnerability assessment helps the network administrator decide whether a host or a network is susceptible to any kind of attack. These tests help the company design a framework for how vulnerabilities affect the system and provide details about the intrusion detection process.

The vulnerability assessment should address issues related to human errors and also monitor for any compliance issues with existing devices.

Vulnerability analysis processes include the following categories:

• Host-based Vulnerability Analysis: The system determines vulnerabilities by assessing system data sources such as file contents, configuration settings, and other status information. The credential-based assessment system gathers information from different hosts, as it has access to those hosts. Information is usually accessible using standard system queries and inspection of system attributes.

• Network-based Vulnerability Analysis: These vulnerability analysis systems require a remote connection to the target system. They re-enact system attacks, noting and recording responses to these attacks, or simply probe different targets to infer weaknesses from their responses, regardless of whether they have permission to access the target system. This type of vulnerability analysis is a non-credential assessment and is capable of deploying an inference method.

Advantages
• Vulnerability analysis allows detection of problems on systems that cannot support an IDS.
• It provides security-specific testing capabilities that record the current security state of the systems.
• Vulnerability analysis systems spot changes in the security state and offer correction procedures when used on a regular basis.
• The tests help companies ensure mitigation of security problems and provide methods to double-check the changes made to systems.

Disadvantages
• Vulnerability analysis systems are costly to build, maintain, and manage, as they require specific operating systems and applications.
• Certain vulnerability analysis systems are platform-independent and less accurate.
• Some systems that analyze denial-of-service attacks are liable to crash the systems they are testing.
• Repeated network-based assessments are liable to train certain IDSs to ignore real attacks.


File Integrity Checkers

File Integrity Checkers determine whether attackers have altered system files or executables
They use message digests or cryptographic checksums to verify the integrity of critical files
An attacker may change or alter a file for the following reasons:
• To change files as part of an attack
• To change files to cover their tracks
• To leave back doors in the system
File Integrity Checkers are security tools that complement an IDS and are used to detect changes in system files or executables. They compute message digests or cryptographic checksums for critical files and objects and compare them to reference values, flagging any differences or changes.

The checkers also help determine whether vendor-supplied bug patches or other changes have been made to system binaries. Cryptographic checksums are important, as attackers often alter system files at three stages of an attack:

• They alter system files as the goal of the attack.
• They attempt to leave back doors in the system through which they can re-enter the system.
• They attempt to cover their tracks so that system owners will be unaware of the attack.
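The following Python script is an added example (not from EC-Council or any of the products listed in this module) of the checksum comparison described above: it records a SHA-256 digest, size and permission bits for every file under a directory, stores that as the reference baseline, and later reports files added, deleted or modified relative to it. The `demo()` function builds a constructed directory tree in a temporary location, tampers with it, and returns the report; the file names and contents in it are made up for the illustration.

```python
"""Minimal file integrity checker: baseline a directory tree, then detect changes.

Added example with constructed sample files; not code from any vendor product.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Record digest, size and permission bits for every regular file under root.
    Keys are POSIX-style paths relative to root so the baseline is portable."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "digest": file_digest(path, algorithm),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare_to_baseline(root, baseline, algorithm="sha256"):
    """Re-scan root and report what changed relative to the stored baseline.
    A change in digest, size or mode all count as 'modified'."""
    current = build_baseline(root, algorithm)
    known, seen = set(baseline), set(current)
    return {
        "added": sorted(seen - known),
        "deleted": sorted(known - seen),
        "modified": sorted(p for p in known & seen if current[p] != baseline[p]),
    }


def save_baseline(baseline, store):
    """Persist the reference values; in practice keep this copy off the monitored host."""
    Path(store).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(store):
    return json.loads(Path(store).read_text())


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, and compare."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as vault:
        root = Path(tree)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"login v1.0\n")
        (root / "bin" / "ls").write_bytes(b"ls v2.3\n")
        (root / "etc" / "motd").write_bytes(b"Authorised users only\n")
        store = Path(vault) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated tampering: a same-size edit (size alone would miss it),
        # an unexpected new file, and a deleted file.
        (root / "bin" / "login").write_bytes(b"login v1.O\n")
        (root / "lib").mkdir()
        (root / "lib" / "unexpected.so").write_bytes(b"\x7fELF")
        (root / "etc" / "motd").unlink()

        return compare_to_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be stored where the monitored system cannot alter it (read-only media or a separate management host), otherwise an intruder who replaces a binary can simply recompute and rewrite the reference digest as well.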


Honey Pot & Padded Cell Systems

Honey pots are decoy systems which:
• Deflect attackers from gaining access to critical systems
• Encourage attackers to stay on the system in order to study their unauthorized attempts and respond to them
• Gather information on an attacker's activity

Honey Pot & Padded Cell Systems (Cont'd)

A padded cell is a simulated environment where attackers are contained once they are detected. The simulated environment is different from a live environment; it contains fake data, and attackers cannot harm the actual live environment.

A padded cell and a traditional IDS operate simultaneously, i.e., when the IDS detects the intrusion from the attacker, it seamlessly transfers the attacker to a special padded cell host.

Advantages
• Helps divert attackers to different targets they cannot damage
• Gives extra time to decide when responding to the incident
• Easy and extensive monitoring helps to refine threat models and improve system protections
• Effective at catching employees who are snooping around the network

Disadvantages
• Legal implications for these devices are not well defined
• Attackers may be encouraged to launch a more hostile attack
• A high level of expertise is required to use these systems


Honey Pots
Honey pots are decoy systems designed to lure potential attackers away from critical systems and encourage attacks against themselves. The defender may lure attackers away from actual targets, perhaps detect their presence, and then block access. This approach carries the risk of luring attackers into the defender's network. Honey pots are decoy systems which perform important tasks such as:
• Diverting attackers from accessing critical systems.
• Gathering information on an attacker's activity.
• Encouraging an attacker to stay on the system for a long time.
The system stores information that makes it seem crucial to the attacker and lures them into attempting an attack. The system features monitors and event loggers that detect attacker attempts to access the honey pot and collect information.

Padded Cell Systems

A padded cell is a protected honey pot that cannot be compromised easily. In addition to attracting attackers with tempting data, a padded cell operates in tandem with a traditional IDS. When the IDS detects an attacker, it seamlessly transfers them to a special simulated environment where they can cause no harm; the nature of this host environment is what gives the approach its name, padded cell.
A padded cell system is similar to the honey pot, as it performs intrusion isolation using a different approach. The padded cell and a traditional IDS operate simultaneously, i.e., when the IDS detects an attacker, it seamlessly transfers them to a special padded cell host. Once attackers are in the padded cell, they are held within a simulated environment where they can cause no harm and keep on thinking that the attack has been successful.
Commercial production of padded cell systems has not started, as these systems need certain permissions from legal counsel for operating in a live environment.

Advantages
Usage of honey pots and padded cell systems enables various functions such as:
• Attackers can be diverted to system targets that they cannot damage.
• Administrators have additional time to decide how to respond to an attacker.
• Easy and extensive monitoring helps to refine threat models and improve system protections.
• They are effective at catching employees who are snooping around the network.

Disadvantages
Disadvantages of using honey pots and padded cell systems are:
• The legal implications of using such devices are not well defined.
• An expert attacker, once diverted into a decoy system, may become angry and launch a more hostile attack against an organization's systems.
• In order to use these systems, a high level of expertise is needed.


File Integrity Checkers

• File Integrity Monitoring: http://www.solarwinds.com
• DARC (Distributed Aide Runtime Controller): http://nixbit.com
• ADAudit Plus: https://www.manageengine.com
• AFICK: http://afick.sourceforge.net
• AlienVault: https://www.alienvault.com
• Integrity-Checker: http://integrity-checker.com
• LogRhythm: https://logrhythm.com
• McAfee Integrity Control: http://www.mcafee.com
• Tripwire: http://www.tripwire.com
• Trustwave: https://www.trustwave.com

File Integrity Monitoring
Source: http://www.solarwinds.com
File Integrity Monitoring is used to detect and alert when there are changes to key files, folders and registry settings.

DARC (Distributed Aide Runtime Controller)
Source: http://nixbit.com
Distributed Aide Runtime Controller detects file system changes in UNIX environments, which is useful for forensics on compromised systems and tracing illicit system configuration changes. DARC provides a mechanism to run AIDE integrity checks across many UNIX systems from a single management station.

ADAudit Plus
Source: https://www.manageengine.com
ADAudit Plus's File Integrity Monitoring (FIM) feature is critical for Microsoft Windows network security, with respect to changes to configurations, files and file attributes (DLL, exe and other system files).

AFICK
Source: http://afick.sourceforge.net
AFICK is a portable security tool that monitors changes on your file systems and can detect intrusions.


AlienVault
Source: https://www.alienvault.com
AlienVault's File Integrity Monitoring (FIM) alerts you to changes in critical system files, configuration files, and content files.

Integrity-Checker
Source: http://integrity-checker.com
Integrity-Checker verifies the integrity of files on your Windows server. It supports WSSX integration so you can access all functionality directly from the server's dashboard on Server 2012 Essentials, Windows Home Server 2011, SBS 2011 Essentials, and Storage Server 2008 R2.

LogRhythm
Source: https://logrhythm.com
LogRhythm's File Integrity Monitoring protects your organization's critical files, wherever they're stored. It sends alerts on malware-related registry changes, improper access of confidential files, and theft of sensitive data.

McAfee Integrity Control
Source: http://www.mcafee.com
McAfee Integrity Control checks files and directories for changes to content and permissions. It provides continuous file integrity monitoring, essential for verifying the security of an environment and meeting compliance requirements.

Tripwire
Source: http://www.tripwire.com
Tripwire File Integrity Monitoring is available as a standalone solution or as part of Tripwire's Security Configuration Management suite. With Tripwire, you have continual assurance of the integrity of security configurations, and complete visibility and control of all changes for your continuous monitoring, change audit and compliance demands. Tripwire File Integrity Monitoring (FIM) has the unique, built-in capability to reduce noise by providing multiple ways of distinguishing low-risk change from high-risk change as part of assessing, prioritizing and reconciling detected change.

Trustwave
Source: https://www.trustwave.com
Trustwave File Integrity Monitoring monitors OS and registry file data on Windows-based POS devices, laptops, desktops and servers.


Honey Pot and Padded Cell System Tools

honeytrap: http://sourceforge.net
SPECTER: http://www.specter.com
KOJONEY: http://kojoney.sourceforge.net
High Interaction Honeypot Analysis Toolkit (HIHAT): http://sourceforge.net
HoneyC: https://projects.honeynet.org
HoneyDrive: https://bruteforce.gr
SEBEK: https://projects.honeynet.org
KFSENSOR: http://www.keyfocus.net
HoneyBow: www.honeynet.org
Honeyd: http://www.honeyd.org

honeytrap
Source: http://sourceforge.net
Honeytrap is a low-interaction honeypot daemon for observing attacks against network
services. It monitors the network stream for incoming sessions and starts appropriate listeners
just in time. Each listener can handle multiple connections and terminates itself after being idle
for a certain length of time.
SPECTER
Source: http://www.specter.com
SPECTER is a honeypot-based intrusion detection system that simulates a vulnerable computer,
providing an interesting target to lure hackers away from production machines.
KOJONEY
Source: http://kojoney.sourceforge.net
Kojoney is a low-interaction honeypot that emulates an SSH server; the daemon is written in
Python using the Twisted Conch libraries.


High Interaction Honeypot Analysis Toolkit (HIHAT)
Source: http://sourceforge.net
The High Interaction Honeypot Analysis Toolkit (HIHAT) allows transforming arbitrary PHP
applications into web-based high-interaction honeypots. Furthermore, it provides a graphical
user interface, which supports the process of monitoring the honeypot and analyzing the
acquired data. A typical use could be the transformation of PHPNuke, PHPMyAdmin or
OSCommerce into a fully functional honeypot, which offers the complete functionality of the
application to the users but performs comprehensive logging and monitoring in the
background.
HoneyC
Source: https://projects.honeynet.org
HoneyC is a low interaction client honeypot / honeyclient that allows the identification of rogue
servers on the web.
HoneyDrive
Source: https://bruteforce.gr
HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu
Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured
honeypot software packages such as the Kippo SSH honeypot, the Dionaea and Amun malware
honeypots, the Honeyd low-interaction honeypot, the Glastopf web honeypot and Wordpot, the
Conpot SCADA/ICS honeypot, the Thug and PhoneyC honeyclients, and more.
SEBEK
Source: https://projects.honeynet.org
Sebek is a kernel module installed on high-interaction honeypots for the purpose of extensive
data collection. It allows administrators to collect activities such as keystrokes on the system
in encrypted environments, and is mainly used for Win32 and Linux systems.
KFSENSOR
Source: http://www.keyfocus.net
KFSensor is a Windows-based honeypot Intrusion Detection System (IDS) that acts as a
honeypot to attract and detect hackers and worms by simulating vulnerable system services
and Trojans. By acting as a decoy server, it can divert attacks from critical systems and provide a
higher level of information than can be achieved by using firewalls and NIDS alone.
Windows-based corporate environments use KFSensor; it contains unique features such as remote
management, a Snort-compatible signature engine and emulations of Windows networking
protocols. With its GUI-based management console, extensive documentation and low
maintenance, KFSensor provides a cost-effective way of improving an organization's network
security.


HoneyBow
Source: https://www.honeynet.org
HoneyBow is a high-interaction malware collection toolkit with integration with nepenthes and
the mwcollect Alliance's GOTEK architecture.
Honeyd
Source: www.honeyd.org
This is a low-interaction honeypot used for capturing attacker activity. Honeyd is a small
daemon that creates virtual hosts on a network configured to run arbitrary services, and their
personality can be adapted so they appear to be running certain operating systems. Honeyd
enables a single host to claim multiple addresses. Honeyd improves cyber security by providing
mechanisms for threat detection and assessment. It also deters adversaries by hiding real
systems in the middle of virtual systems.
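What the low-interaction tools above have in common (honeytrap's just-in-time listeners that drop idle sessions, Honeyd's virtual hosts running fake services) can be shown with a minimal fake service. The script below is an added example in Python; it is not code from honeytrap, Honeyd or any other listed project. The SMTP-style banner, the timeouts and the client in `demo()` are constructed for the demonstration; `demo()` connects to the listener from the same host to stand in for a scanner.

```python
"""Minimal low-interaction honeypot listener.

Added example, not code from honeytrap, Honeyd or any tool listed above.
It binds a fake service, greets every connection with a banner, records
the peer address and whatever the peer sends, and drops sessions that go
idle, which is the behaviour the honeypot descriptions share. The
SMTP-style banner and the timeouts are made-up values; demo() connects to
the listener from the same host to stand in for a scanner.
"""
import socket
import threading
import time


class FakeService:
    def __init__(self, banner, host="127.0.0.1", port=0, idle_timeout=2.0):
        self.banner = banner
        self.idle_timeout = idle_timeout
        self.events = []                      # one record per session, for the analyst
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))          # port 0: let the OS pick a free port
        self._srv.listen(8)
        self._srv.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._srv.getsockname()[1]
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def snapshot(self):
        with self._lock:
            return list(self.events)

    def wait_for(self, count, timeout=3.0):
        """Block until `count` sessions have been recorded (used by the demo)."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            if len(self.snapshot()) >= count:
                return True
            time.sleep(0.02)
        return False

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        received = b""
        with conn:
            conn.settimeout(self.idle_timeout)
            conn.sendall(self.banner)
            try:
                while len(received) < 1024:   # cap what one session can make us buffer
                    chunk = conn.recv(256)
                    if not chunk:             # peer disconnected
                        break
                    received += chunk
            except socket.timeout:
                pass                          # idle peer: close it, as honeytrap's listeners do
        with self._lock:
            self.events.append({"time": time.time(), "peer": peer[0], "data": received})


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed client: connect, read the banner, optionally send something, disconnect."""
    with socket.create_connection((host, port), timeout=2) as c:
        banner = c.recv(256)
        if payload:
            c.sendall(payload)
    return banner


def demo():
    svc = FakeService(b"220 mail.example.test ESMTP ready\r\n").start()
    try:
        banner = probe(svc.port, b"EHLO scanner\r\n")   # a client that talks to the service
        svc.wait_for(1)
        probe(svc.port)                                  # connect-and-leave, like a port scan
        svc.wait_for(2)
        return banner, svc.snapshot()
    finally:
        svc.stop()
```

The value of even this small a decoy is in the `events` list: nothing legitimate should ever connect to it, so every record is worth an analyst's attention, and a connect-and-leave session with empty `data` is what a port scan looks like from the honeypot's side.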


Snort

Snort is a Network Intrusion Detection System (NIDS) based on libpcap, performs packet
sniffing, and works as a logger
Freeware developed by Martin Roesch
It runs on Linux, Solaris, BSD, and MacOS X

Features:
• Real-time alerting mechanism using syslog, pop-up messages in Windows, Server Message
  Block (SMB), etc. during run-time
• Provides payload verification in the Application layer and the ability to instruct the
  layer to collect the suspected traffic
• Packet filtering using Berkeley Packet Filter (BPF) commands
• Solves the weaknesses of other IDS tools

https://www.snort.org

Snort is an open source network intrusion detection and prevention system developed by
Martin Roesch. It is capable of performing live traffic analysis, packet sniffing, and packet
logging on IP networks. It can perform protocol analysis and content searching/matching. It can
be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, etc. Snort supports various platforms such
as Windows, Linux, Solaris, BSD, and Mac OS X.
The NIDS functionality of Snort is based on libpcap. Snort uses a flexible rules language to
describe traffic that it should collect or pass, as well as a detection engine that utilizes a
modular plug-in architecture. Snort has a live alerting capability as well, incorporating alerting
mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows
clients.
Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for
network traffic debugging, etc.), or a full-blown network intrusion prevention system.
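To make the rules language concrete, here is an added example in Python (my code, not Snort's): a matcher for a small subset of Snort's rule syntax, evaluated against constructed packets. The rules, addresses and payloads are invented for the demonstration; a real Snort rule set has many more options and a far richer detection engine behind it.

```python
"""Toy Snort-style rule matcher.

Added example, not Snort's own code: parses a few rules written in
Snort's header/option syntax and evaluates them against constructed
packets, to show how a rule header (action, protocol, source and
destination address/port, direction) plus a content option selects
traffic. Only the subset of the syntax used below is supported.
"""
import ipaddress
import re
from collections import namedtuple

HEADER_RE = re.compile(r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+"
                       r"(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
Rule = namedtuple("Rule", "action proto src sport direction dst dport msg content sid")
Packet = namedtuple("Packet", "proto src sport dst dport payload")  # what a rule looks at


def parse_rule(text):
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in opts.split(";"):  # the rule body is a list of 'key:value;' options
        key, _, value = opt.strip().partition(":")
        if key:
            options[key] = value.strip().strip('"')
    content = options.get("content")
    return Rule(action, proto, src, sport, direction, dst, dport, options.get("msg", ""),
                content.encode() if content else None, int(options.get("sid", "0")))


def _addr_match(spec, addr):
    """'any', a CIDR, a '[a,b]' list, optionally negated with a leading '!'."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    nets = spec.lstrip("!").strip("[]").split(",")
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negate


def _port_match(spec, port):
    """'any', one port, or a 'lo:hi' range (either end open), optionally negated."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def _endpoints_match(rule, pkt):
    forward = (_addr_match(rule.src, pkt.src) and _port_match(rule.sport, pkt.sport)
               and _addr_match(rule.dst, pkt.dst) and _port_match(rule.dport, pkt.dport))
    if forward or rule.direction == "->":
        return forward
    # '<>' is bidirectional: also accept the packet with its endpoints swapped
    return (_addr_match(rule.src, pkt.dst) and _port_match(rule.sport, pkt.dport)
            and _addr_match(rule.dst, pkt.src) and _port_match(rule.dport, pkt.sport))


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _endpoints_match(rule, pkt):
        return False
    return rule.content is None or rule.content in pkt.payload


def run_rules(rules, packets):
    """(sid, msg) for every 'alert' rule that fires, in packet order."""
    return [(r.sid, r.msg) for p in packets for r in rules
            if r.action == "alert" and rule_matches(r, p)]


# Constructed rules and traffic; 192.168.1.0/24 plays the monitored internal network.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP request naming cmd.exe"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 23 (msg:"Telnet from outside"; sid:1000002;)',
    'alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP to internal host"; sid:1000003;)',
)]
PACKETS = [
    Packet("tcp", "10.0.0.5", 51000, "192.168.1.10", 80, b"GET /cmd.exe HTTP/1.0\r\n"),
    Packet("tcp", "10.0.0.5", 51001, "192.168.1.10", 23, b""),
    Packet("tcp", "192.168.1.20", 51002, "192.168.1.10", 23, b""),  # internal: sid 1000002 stays silent
    Packet("icmp", "203.0.113.9", 0, "192.168.1.1", 0, b""),
    Packet("tcp", "10.0.0.5", 51003, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for sid, msg in run_rules(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")
```

The third packet is the tuning lesson in miniature: the `!192.168.1.0/24` source in rule 1000002 is what keeps internal telnet administration from raising an alert, and the same kind of scoping is how false positives are reduced in a real deployment.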

Features
• Live alert mechanism using syslog, pop-up messages in Windows, Server Message Block
  (SMB), etc. during run-time.

• Provides payload verification in the Application layer and the ability to instruct the layer
  to collect the suspected traffic.

• Packet filtering using Berkeley Packet Filter (BPF) commands.

• Solves the weaknesses of other IDS tools.

Snort: Installation
Snort is a "lightweight" NIDS: non-intrusive, easily configured, using familiar methods for rule
development, and taking only a few minutes to install.

SnortSnarf is a script that processes alerts from the Snort IDS; run at regular intervals, it
generates a convenient HTML report of all the alerts. SnortSnarf comes with many options for
automating alert review.

Planning a Deployment
In order to install the Snort IDS, it is important to decide where the IDS will be positioned in
the network.
• Initially, plan the deployment by identifying the type of sensors that will be used: passive,
  inline or both.

• Choose which assets will be secured, and maintain transparency between the sensors and
  other network devices.

• Check the policies and access control for the communication of Snort in the network.

• The installation platform of Snort includes an operating system and hardware
  considerations such as CPU, memory, motherboard, etc.

Software Requirements
• Download Snort IDS

• Supported software of Snort includes: Database - MySQL, Web server - Apache and PHP

• Snort prerequisites:

  • Snort engine (prefer the most recent release)

  • Snort rules - ./oinkmaster.pl -o $RULE_PATH 2>&1 | logger -t oinkmaster downloads
    the Snort rules into $RULE_PATH

  • The pcap library or WinPcap library should be installed prior to Snort installation
    (available at http://www.tcpdump.org/)

  • PCRE

  • Libnet-1.0.2.a

  • Unified output processing tool

  • Other tools such as BASE and ADODB

Source: http://www.snort.org


IBM Security Network Intrusion Prevention System: http://www-03.ibm.com
Peek & Spy: http://networkingdynamics.com
INTOUCH INSA-Network Security Agent: http://www.ttinet.com
SilverSky: https://www.silversky.com
IDP8200 Intrusion Detection and Prevention Appliances: https://www.juniper.net
Check Point Threat Prevention Appliance: http://www.checkpoint.com
Cisco Intrusion Prevention Systems: http://www.cisco.com
AIDE (Advanced Intrusion Detection Environment): http://aide.sourceforge.net
SNARE (System iNtrusion Analysis & Reporting Environment): http://www.intersectalliance.com
Vanguard Enforcer: http://www.go2vanguard.com

IBM Security Network Intrusion Prevention System
Source: http://www-03.ibm.com
IBM Security Network Intrusion Prevention System appliances stop constantly evolving threats
before they affect your business. This means providing both high levels of protection and
performance, while lowering the overall cost and complexity associated with deploying and
managing a large number of point solutions.
Peek & Spy
Source: http://networkingdynamics.com
PEEK & SPY lets a privileged user see exactly what is on another user's terminal and then
permits them either to take control of that terminal to fix the problem from their own
computer or to let the user keep control while they give the needed instructions. If the PEEK &
SPY user chooses to fix it themselves, the privileged user can display the input on the user's
screen to show them how to fix it. Whereas PEEK informs users that they may be watched, SPY
does not. In addition, SPY gives system managers documented proof of security breaches and
provides a tool to lock out unauthorized users.


INTOUCH INSA-Network Security Agent
Source: http://www.ttinet.com
INTOUCH INSA-Network Security Agent scans all user activity on your networks, seven days a
week, 24 hours a day, whether the intrusion is from the outside (firewall failure) or from the
inside (unauthorized insider activity). With INTOUCH INSA-Network Security Agent, the
network manager and network security officer have a tool that allows for the automated
tracking and logging of unauthorized or suspicious activity.
SilverSky
Source: https://www.silversky.com
Intrusion Detection and Prevention (IDS/IPS) systems analyze complex network traffic in real
time and proactively block malicious internal traffic and sophisticated attacks that might not be
prevented with firewalls alone. SilverSky reduces the costs and complexity of managing IDS/IPS
systems while improving your ability to respond to evolving threats.
IDP8200 Intrusion Detection and Prevention Appliances
Source: https://www.juniper.net
The IDP8200 Intrusion Detection and Prevention Appliances are the ideal network intrusion
detection and application security management solution for large enterprise networks and
service providers that require the highest throughput levels and reliability.
Check Point Threat Prevention Appliance
Source: http://www.checkpoint.com
The Check Point Threat Prevention Appliance prevents advanced threats and malware attacks
and enables an organization to control access to millions of web sites easily and confidently.
Protections include stopping application-specific attacks, botnets, targeted attacks, APTs, and
zero-day threats.
Cisco Intrusion Prevention Systems
Source: http://www.cisco.com
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution
that enables Cisco IOS Software to effectively mitigate a wide range of network attacks.
Although it is common practice to defend against attacks by inspecting traffic at data centers
and corporate headquarters, distributing the network-level defense to stop malicious traffic
close to its entry point at branch or telecommuter offices is also critical.
AIDE (Advanced Intrusion Detection Environment)
Source: http://aide.sourceforge.net
AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It
creates a database from the regular-expression rules it finds in its configuration file(s); once
initialized, that database is used to verify the integrity of the files. It supports several
message digest algorithms for checking file contents, and it can also check all the usual file
attributes for inconsistencies.
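The file integrity checkers listed earlier in this module and AIDE here all work the same way: record a digest and the attributes of every watched file in a database, then compare the live file system against it and report what differs. The script below is an added example in Python that does exactly that for a directory tree; it is not AIDE's, Tripwire's or any other listed product's code. The directory layout, file names and the four changes made in `demo()` are constructed for the demonstration.

```python
"""Minimal file integrity monitor: take a baseline, compare later.

Added example, not AIDE's, Tripwire's or any vendor's code. It records a
SHA-256 digest plus mode, owner, group and size for every regular file
under a root, stores that as the baseline, and reports files that were
added, removed or changed since. The tree in demo() is constructed in a
temporary directory.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

ATTRS = ("sha256", "mode", "uid", "gid", "size")   # reported in this order


def _fingerprint(path, st):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(root):
    """Map relative path -> fingerprint for every regular file (symlinks are not followed)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        if stat.S_ISREG(st.st_mode):
            baseline[p.relative_to(root).as_posix()] = _fingerprint(p, st)
    return baseline


def save_baseline(baseline, path):
    # In a real deployment the baseline must live where the monitored host cannot
    # rewrite it (read-only media or a separate management station, as DARC does).
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report added / removed files and, for changed files, which attributes differ."""
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diffs = [k for k in ATTRS if baseline[name][k] != current[name][k]]
            if diffs:
                report["changed"][name] = diffs
    return report


def demo():
    """Baseline a constructed tree, make four kinds of change, return the report."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "etc" / "ssh.conf").write_text("PermitRootLogin no\n")
    (root / "bin" / "tool").write_bytes(b"\x7fELF constructed binary")
    os.chmod(root / "bin" / "tool", 0o755)

    db = Path(tempfile.mkdtemp(prefix="fim-db-")) / "baseline.json"   # kept outside the tree
    save_baseline(build_baseline(root), db)
    baseline = load_baseline(db)

    # Changes an integrity checker is meant to catch:
    (root / "etc" / "ssh.conf").write_text("PermitRootLogin yes\n")   # content (and size) changed
    os.chmod(root / "bin" / "tool", 0o777)                             # permissions loosened
    (root / "etc" / "hosts").unlink()                                  # file removed
    (root / "bin" / "extra").write_text("dropped in later\n")          # file added
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the JSON report. Note that `bin/tool` is flagged on `mode` alone, with its digest unchanged: a permission change is as much an integrity event as an edited file, which is why the products above check attributes and not just content.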


SNARE (System iNtrusion Analysis & Reporting Environment)
Source: http://www.intersectalliance.com
SNARE (System iNtrusion Analysis & Reporting Environment) consists of the centrally installed
Snare Server and individual device-based Snare Agents. The Snare Server's role is to give your
system administrator all the tools needed to define, gather, index, track, report on and store all
relevant IT network security events input from Snare and open source agents. Snare Agents
examine all IT events at their source. SNARE is a series of log collection, forwarding and
filtering agents that facilitate centralized analysis of audit log data.
Vanguard Enforcer
Source: http://www.go2vanguard.com
Vanguard Enforcer provides real-time intrusion protection, detection and management
solutions for the z/OS mainframe that prevent human error and deliberate attacks. By providing
24/7 protection for critical information and resources hosted on mainframes, Vanguard
Enforcer guarantees that z/OS and RACF® security standards, profiles, rules and settings do
not become compromised. In less than two seconds, the software can automatically detect and
notify personnel when threat events on the mainframe and network occur, and then respond
to deviations from the security baseline with corrective actions that reassert the approved
security policy.


• An IDS is used to detect intrusions, while an IPS is used to detect and stop the intrusion in
  the network

• Improper IDPS configuration and management will make an IDPS not function properly

• An IDS works from inside the network, unlike a firewall, which looks outside for intrusions

• IDPS network sensors are hardware/software appliances which are used to monitor
  network traffic and will trigger alarms if any abnormal activity is detected

• A staged deployment helps gain experience and learn how much monitoring and
  maintenance network resources require

• Minimizing false positives depends upon the level of tuning and the type of traffic on a
  network

In this module, you have learned the importance of implementing and deploying an IDPS
solution in the network. The module also explained important concepts about an IDPS, including
types of IDPS systems, how they work, their components, deployment strategies, etc. With this
module, you will be able to determine an appropriate IDPS solution, implement the right IDPS
deployment strategy, configure it properly, reduce the false positive and negative rates of an
IDPS, etc.

Secure VPN Configuration
and Management
Module 09

Certified Network Defender Exam 312-38
Secure VPN Configuration and Management

Module 09: Secure VPN Configuration and Management

Understanding a Virtual Private Network (VPN)

• A VPN is used to securely communicate with different computers over unsecure channels

• A VPN uses the Internet and ensures secure communication to distant offices or users
  within their enterprise's network

[Figure: VPN connectivity. VPN concentrators and routers with VPN modules at the sites, a
broadband modem, a telecommuter or traveling employee on 3G/CDMA/HSDPA mobile broadband, a
laptop with a VPN client and a PC with a VPN client, all connected over the Internet]

Most organizations have offices at different locations around the world, so there is a need to
establish remote connections between these offices. Previously, remote access was established
through leased lines with the help of dial-up telephone links such as ISDN, DSL, cable modem,
satellite, and mobile broadband. However, establishing remote connections with these leased
lines is quite expensive, and the costs rise as the distance between the offices increases.
To overcome the drawbacks of traditional remote access technologies, organizations are
adopting Virtual Private Networks (VPNs) to provide remote access to their employees and
distant offices.
A virtual private network (VPN) offers an attractive solution for network administrators to
connect their organization's networks securely over the Internet. A VPN is used to connect
distant offices or individual users to their organization's network over a secure channel.
A VPN uses a tunneling process to transport encrypted data over the Internet. IPsec is the
common protocol used by VPNs at the IP level. A VPN ensures data integrity by using a message
digest, which verifies that the transmitted data has not been tampered with. A VPN guarantees
quality of service (QoS) through service level agreements (SLAs) with the service provider.


• Typical features of VPN:

  • Establishes a connection between the remote system and a LAN across an
    intermediary network such as the Internet.

  • VPNs allow cheap long distance connections over the Internet, since both endpoints
    require only a local Internet link, which serves as a free long-distance carrier.

  • VPN uses tunneling or encapsulation protocols.

  • VPNs use encryption to provide a secured connection to a remote network over the
    Internet and protect your communication.

  • They provide virtual access to the physical network as if you were physically located in
    the office.

• Advantages of VPNs:

  • VPNs are inexpensive.

  • They provide the framework for corporate intranets and extranets.

  • They ensure secured transfer of data.

  • A VPN allows you to access both web applications and websites in complete anonymity.

• Disadvantages of VPNs:

  • Designing and implementing a VPN is a complex task; it requires experts for
    configuration.

  • Reliability depends on the service provider that you choose.

• VPN Architecture:

  A certain set of protocols and standards need to be followed while establishing a VPN
  architecture. Network administrators should decide the scope, implementation and
  deployment of the VPN, along with continuous network monitoring, in order to ensure the
  security of a VPN. They should be continuously aware of the overall architecture and
  scope of the VPN.

• Protocols used in deploying a VPN:

  For deploying virtual private networks, there are two primary options: IPsec and SSL.
  Each protocol has its own unique advantages and is utilized depending on the requirements
  of the user or the organization's IT processes.

• IPsec VPN:

  IPsec-based VPN is the deployment solution most commonly used by organizations. It is a
  set of protocols and standards developed by the Internet Engineering Task Force (IETF) for
  secure communication at the IP layer. It ensures the security of each packet in a
  communication by encrypting and authenticating it. IPsec connections are established
  using pre-installed VPN client software, so it mainly focuses on company-managed
  desktops.

  • Advantages:

    o IPsec VPNs support all IP-based applications.
    o It offers tremendous versatility and customizability through modification of the
      VPN client software.
    o Organizations can control the VPN client functions by using the APIs in IPsec client
      software.
    o Ensures secure exchange of IP packets between remote networks or hosts and an
      IPsec gateway located at the edge of your private network.

  The three basic applications of IPsec VPNs (associated with business requirements) are:

  • Remote-Access VPNs: These allow individual users, such as telecommuters, to connect
    to a corporate network. This application creates an L2TP/PPTP session, and IPsec
    encryption protects this L2TP/PPTP session.

  • Intranet VPNs: These connect branch offices to the corporate headquarters, creating a
    transparent intranet.

  • Extranet VPNs: These allow companies to connect with their business partners (for
    example, suppliers, customers, and joint ventures).

• SSL VPN (web-based):

  SSL-based VPNs provide remote-access connectivity using a web browser and its native SSL
  encryption, irrespective of location. SSL doesn't require any special client software to be
  pre-installed and is capable of any type of connectivity, ranging from company-managed
  desktops to non-company-managed desktops such as employee-owned PCs and contractor or
  business partner desktops. It helps reduce desktop software maintenance, as the software
  is downloaded dynamically whenever it is needed.

  • Advantages:

    o It offers additional features such as easy connectivity from non-company-managed
      desktops and little or no desktop software maintenance.
    o It needs only access to an SSL library and to TCP port 443.
    o It will work wherever someone can gain access to HTTPS websites such as Internet
      banking, secure webmail or intranet sites.


VPN uses authorization and encryption to connect

• A client wishing to connect securely to a company's network first connects to the Internet

• The client initiates a VPN connection with the company's server, which handles
  authorization and encryption

• Before establishing a connection, endpoints must be authenticated through passwords,
  biometrics, personal data, or any combination of these

• Once the connection is established, the client can securely access the company's network

[Figure: an authorized host with VPN client software and an unauthorized external host, both
reaching over the Internet a firewall with VPN option that fronts the internal network]

A VPN enables a secured connection over the Internet from a public network to a private
network placed at a far-off site. All the network traffic in a VPN is encrypted and passes through
a virtual secure tunnel placed between the client and the VPN server.
Every packet passing through a VPN is encrypted or decrypted depending on whether it is
outbound or inbound traffic. Packets are encrypted at the client side and decrypted at the VPN
server. For example, when a client with a VPN connection enabled browses Youtube.com, the
outbound traffic is encrypted at the client side. The encrypted data is sent to the nearest VPN
server, which passes it to the gateway server. There the data is decrypted and sent to the
server hosting Youtube.com. When Youtube.com sends a reply, the VPN server performs the
reverse process on the reply traffic.
A VPN keeps a close watch on unsecure networks. It assigns a new IP address to the encrypted
packet, concealing the real IP address, which prevents attackers from discovering the real IP
address of the packets sent.


Why Establish a VPN?

A well designed VPN provides the following benefits:

• Extend geographic connectivity

• Reduce operational costs versus traditional WANs

• Reduce transit times and traveling costs for remote users

• Improve productivity

• Simplify network topology

• Provide global networking opportunities

• Provide telecommuter support

• Faster Return On Investment (ROI) than with a traditional WAN

The easy accessibility of sensitive data over the Internet poses a serious security threat to
organizations. Attackers easily exploit and gain access to sensitive information if it traverses
an unsecured public network such as the Internet. A VPN ensures reliable communication
through an encrypted tunnel, preventing attackers from gaining access to organization
information. A well designed and implemented VPN can provide the following benefits:

• Enables a secured connection across multiple geographical locations.

• Saves time and expenditure for employees as it allows the sharing of information
  between a corporate office and its regional office.

• Enhances the level of output for remote users.

• Improves the security of data by concealing the IP address from attackers.

• Handles multiple connections simultaneously and provides the same quality of service for
  each connection.

• Ability to provide a secured connection to larger enterprises.

• Implementation of a VPN increases the bandwidth and efficiency of the network.

• Less maintenance cost.

This encrypted traffic proves beneficial when users connect their systems to Wi-Fi hotspots in
public places. The encryption makes it difficult for eavesdroppers on the network to make
sense of the captured data.


A VPN allows users to access the servers across the world making it easy for them to access all
types of content. Users do not have to face restrictions like geo-blocking while browsing. A VPN
allows the user to stay anonymous without sharing their device information in the network. By
hiding this data, a VPN restricts websites from spying or monitoring the user. To avoid excessive
monitoring from third party websites or attackers, users should install a VPN for safe browsing.


VPN Components

• VPN client

• Network access server (NAS)

• Tunnel terminating device (or VPN server)

• VPN protocol

[Figure: the VPN client reaches the ISP's network access server, which tunnels across the
Internet to the VPN server on the corporate network; the Layer 3 protocol runs end to end
between the VPN client and the remote network]

The VPN architecture consists of four main components:

• VPN client: A computer that initiates a secure remote connection to a VPN server.

• Network access server (NAS): Also called a media gateway or a remote-access server
(RAS). It is responsible for setting up and maintaining each tunnel in a remote-access VPN.
Users need to connect to the NAS to use a VPN.

• Tunnel terminating device (or VPN server): A computer that accepts VPN connections
from VPN clients.

• VPN protocol: The VPN-specific protocols used to manage tunnels and encapsulate
private data, such as PPTP and L2TP along with IPsec.


The following diagram shows the use of various VPN components in a remote access VPN:

[Figure: VPN client on a remote network, ISP and PSTN, Internet, network access server, VPN server and corporate network; the Layer 3 protocol runs between the VPN client and the VPN server]

FIGURE 9.1 VPN components in a remote access VPN

A typical remote access VPN connection is established as follows:

• The remote user establishes a PPP connection with the ISP's NAS through the PSTN.

• After the user is authenticated, the packets sent by the user are forwarded into the tunnel
connecting the NAS and the VPN server.

• Each packet is encapsulated before it is placed in the tunnel.

• The location of the VPN server depends on the model used for the VPN implementation.

• The VPN server accepts the packet from the tunnel, de-encapsulates it and sends it to the
final destination.


A VPN concentrator is a network device used to create secure VPN connections.

It acts as a VPN router, which is generally used to create a remote-access or site-to-site VPN.

It uses tunnelling protocols to negotiate security parameters, create and manage tunnels, encapsulate,
transmit or receive packets through the tunnel, and de-encapsulate them.

VPN concentrators normally enhance the security of the connections made through a VPN.
They are generally used when a single device needs to handle a large number of VPN tunnels.
They are best used for deploying a remote-access VPN or a site-to-site VPN.

VPN concentrators implement the security of the tunnels using tunneling protocols. These
protocols manage the following:

• The flow of packets through the tunnel.

• Encapsulation and de-encapsulation of packets.

• The creation of tunnels.

A VPN concentrator works in two ways:

• Receives plain packets at one end, encapsulates them, and forwards the encapsulated
packets through the tunnel to the other end for delivery to the final destination.

• Receives encapsulated packets at one end, de-encapsulates them at the other end and forwards
the packets to the final destination.

[Figure 9.2: Public Segment (Untrusted) with a low-speed remote user (VPN access via modem) and a high-speed remote user (VPN access via cable) reaching the Internet and a router; Firewall Segment with an FTP server, a firewall and a Cisco VPN 3000 concentrator; Private Segment (Trusted) with a file server, mail server, intranet server and authentication server]

FIGURE 9.2: VPN concentrator

In the figure, the VPN concentrator is placed in parallel with the firewall, supporting remote
users who have either a slow or a fast Internet connection. If the VPN is placed behind the firewall,
the implementation requires additional configuration changes and is vendor dependent.
VPN concentrators provide a high level of security for SSL and IPsec VPN architectures. A normal
VPN tunnel requires IPsec to be implemented at the network layer of the OSI model. A major
benefit of using a VPN concentrator is that a client located outside the network can access
the network as if it were directly connected.


A VPN concentrator functions as a bi-directional tunnel endpoint.

The VPN concentrator functions are:

• Manages security keys
• Manages data transfer across the tunnel
• Encrypts and decrypts data
• Assigns user addresses
• Manages data transfer inbound and outbound as a tunnel endpoint or router
• Negotiates tunnel parameters
• Authenticates users
• Establishes tunnels

A VPN concentrator adds more security controls to the router, improving the security of the
communication. The functions of a VPN concentrator are as follows:

• Data encryption and encapsulation: The VPN concentrator encrypts the data and
encapsulates it into an IPsec packet. Being bi-directional, it encapsulates the plain
packets it receives and later unpacks them at the end of the tunnel before sending them
to the destination.

• Managing tunnels: By adding advanced data and network security features, a VPN
concentrator has the ability to create and manage large VPN tunnels. These tunnels
ensure data integrity among the systems.

• User authentication: A VPN concentrator authenticates users at either the computer
level or the user level. Authentication at the computer level takes place using the Layer
Two Tunneling Protocol (L2TP), whereas authentication at the user level takes place
using the Point-to-Point Tunneling Protocol (PPTP).

• Traffic handler: A VPN concentrator routes tunneled and non-tunneled traffic
depending on the server configuration. It simultaneously handles traffic for the corporate
network as well as for Internet resources.


Client-to-Site (Remote-access) VPNs

• Remote-access VPNs allow individual hosts or clients, such as telecommuters and mobile users, to establish secure connections to a company's network over the Internet
• Each host contains VPN client software or uses a web-based client
• The VPN encrypts the data packets that are forwarded over the Internet to the VPN gateway at the edge of the target network, with the software installed on the client's machine
• A VPN gateway receives the packets and then closes the connection to the VPN after the transfer is complete

[Figure: VPN architecture with a head office and a branch office, each with a VPN concentrator and a router with VPN module; a telecommuter's laptop with VPN client and a PC with VPN client reach them over the Internet through a broadband modem or 3G/CDMA/HSDPA mobile broadband]

Remote-access VPNs are used mainly to connect individual hosts to a private network. This
allows the users to access the information provided in the private network. An older name for a
remote-access VPN is a virtual private dial-up network (VPDN), in which a dial-up configuration is
required for the connection to a server.

Every host using remote access needs to have the VPN client software installed, which wraps and
encrypts the data before the host sends any traffic over the Internet to a VPN gateway. After
reaching the gateway, the data is unwrapped, decrypted and passed on to the final
destination in the private network. The gateway performs the reverse process in order to send
the data packets back to the user. The remote-access VPN consists of two types of
components:

• Network access server (NAS) or remote-access server (RAS): A NAS is required while users
are accessing a VPN. A separate authentication process is involved while authenticating
users accessing a VPN.

• Client software: Users accessing a VPN from their own network need to install software
that helps create and manage the VPN connection.

VPN client software and a VPN gateway are required for the hosts supporting a remote-access
VPN. Most VPN gateways support only IPsec while maintaining VPN services.


Advantages
• Minimizes the connection cost for the users.

• Encapsulation and encryption of data packets provide an added security layer. This hides
the IP address of the packets and prevents attackers from accessing the packets.

• Handles a large number of users. The VPN provides the same service even if more users are
added to the VPN network.

• Sharing of files from a remote location.

Disadvantages
• Computers without any anti-virus installed pose a threat to the VPN connection.
• Implementing many VPN connections simultaneously may affect the bandwidth of the
network.
• Accessing files and applications over the Internet can be time consuming.


Site-to-Site VPNs

• Site-to-site VPN extends the company's network, allowing access to an organization's network resources from different locations
• It connects a branch or remote office network to the company's headquarters network
• Also known as LAN-to-LAN or L2L VPNs

Site-to-site VPN is classified in two types:

• Intranet-based: VPN connectivity is between sites of a single organization
• Extranet-based: VPN connectivity is between different organizations such as business partners, or a business and its clients

[Figure: site-to-site connections over the Internet between a main office and several branch offices]

A site-to-site VPN helps connect all the networks together. For example, the branch offices
of an organization can be connected to the main campus through a site-to-site VPN. The main
difference between a remote-access and a site-to-site VPN is that site-to-site VPNs do not require
any client software. The entire traffic is sent through a VPN gateway that
encapsulates and encrypts the data packets passing through it.

In a site-to-site VPN, the outbound traffic is passed through a tunnel to the VPN gateway. The
data packets in the outbound traffic are encapsulated and encrypted at the gateway and are
passed into the tunnel over the Internet. The traffic is sent to the nearest gateway in the target
location. That gateway decrypts and de-encapsulates the data packets, and they are then
forwarded to the final destination.

A site-to-site VPN consists of two types:

Intranet-based
Creates an intranet VPN in order to connect each individual LAN to a single WAN.

Extranet-based
An extranet VPN connects each single LAN of an organization. The extranet VPN configuration
prevents any access to an intranet VPN.


Hardware VPNs

A dedicated hardware VPN appliance is used to connect routers and gateways to ensure
communication over an insecure channel. It is designed to serve as a VPN endpoint and can
connect to multiple LANs.

Advantage: It is more secure, as the hardware device's main function is to manage VPN connections.

Disadvantage: It is more expensive and changes the network design.

[Figure: LAN 1 and LAN 2, each behind a VPN appliance, joined by an encrypted VPN tunnel; VPN appliances create a secure connection between two or more LANs]

Manufacturer | Product Name | Web Site
Cisco Systems | VPN 3000 series concentrators, VPN 3002 Hardware Clients, 7600 series routers, and Web VPN Services Module | www.cisco.com
SonicWALL | SonicWALL PRO 5060, 4060, 3060, 2040, 1260 | www.sonicwall.com
Juniper Networks | NetScreen 5000, 500, 200, ISG series, and Secure Access 6000/4000 series | www.juniper.net
WatchGuard | WatchGuard Firebox X series | www.watchguard.com


Hardware-based VPNs are separate devices that consist of individual processors and hardware
firewalls. They easily manage authentication and encryption of the data packets. The main
advantage of using a hardware-based VPN is that it provides more protection than the
software variant.

Advantage
• Provides load balancing, especially for large client loads.

Disadvantages
• It is more expensive than a software VPN.

• More useful for large business organizations than for smaller ones.

• Less scalable.


Software VPNs

VPN software is installed and configured on routers, servers and firewalls, or as a gateway that
functions as a VPN

Advantage:
■ No extra devices need to be installed
■ It is an easy and low-cost way to deploy a VPN and does not change the target network

Disadvantage:
■ Extra processing burden on the devices on which it is installed
■ It is less secure and prone to attacks

Manufacturer | Product Name | Web Site
CheckPoint | VPN-1 VSX, VPN-1 Pro, VPN-1 Edge, Firewall-1 | www.checkpoint.com
NETGEAR | ProSafe VPN | www.netgear.com
Symantec Corporation | Symantec Enterprise Firewall, Norton Personal Firewall for Macintosh | www.symantec.com


Software-based VPNs are best suited for network traffic management and for cases where the same
party does not manage both VPN endpoints. Traffic management is performed using a tunneling
process depending on the protocol and address of the traffic. Hardware encryption accelerators
are used in order to improve the performance of the network.

Advantages
• Minimizes the cost of an additional hardware purchase.
• It is easy to deploy and does not change the target network.

• More scalable.

Disadvantages
• Increased processing tasks for devices implementing the VPN.
• Security is a concern: they are prone to more attacks, as they need to share the server with
other servers and operating systems.


Choose the best possible VPN solution for your enterprise

Choose the type of VPN solution based on:

• Compatibility
• Scalability and Capacity
• Security
• Need
• Cost
• Vendor Support

The selection of an appropriate VPN depends on many factors such as cost, protocols, technical
issues, etc. The following are a few factors to consider while selecting a VPN:

• Compatibility: The organization should consider the compatibility of the selected VPN
with the organization's network and determine whether it is possible to adopt the
selected VPN. Selecting and implementing a VPN which is not compatible adds an
extra expense to the company's expenditure and causes security issues.

• Scalability: An increasing number of employees working for an organization is a common
trend. As the number of employees increases, the configured VPN also needs to
accommodate the extra employees at the same time. The inability to handle
the increasing number of users adversely affects the performance of the network. The
organization must select a VPN that can handle any number of users at any time without
affecting the performance of the network.

• Security: Security is an important factor while selecting a VPN. Two major criteria in
selecting a VPN are:

  • Authentication: Organizations need to select an appropriate authentication method
  depending on the type of network on which the VPN is implemented.

  • Encryption: Organizations should be highly alert regarding the encryption process for
  the selected VPN. Some VPNs do not provide direct encryption, allowing attackers to
  get information from the network.


• Capacity: Organizations need to foresee the number of users joining the organization in
the future and then select the VPN accordingly.

• Cost: An organization should consider cost as a factor while selecting VPNs.

• Need: The need for a VPN depends on the requirements of an organization, for example
whether remote employees need access to the network or whether there are rules requiring
encrypted traffic. Each organization is different, and it is these differences that decide the
appropriate VPN choice.

• Vendor Support: Two different factors in vendor support are as follows:

  • Number of servers present and their location: The VPN is selected according to the
  location of the vendor's servers and the activities performed.

  • Does the vendor limit connections, use bandwidth throttling or restrict service? VPNs
  that control bandwidth, reduce Internet speeds or limit them in any way should not be used
  in an organization. Also, care should be taken while dealing with the protocols and
  services running in the network. The organization needs to decide whether the
  existing services and protocols running are actually needed by the organization or not.


VPN Core Functionality: Encapsulation

• Packets over a VPN are enclosed within another packet (encapsulation) which has a different IP source
and destination
• Concealing the source and destination of the packets protects the integrity of the data sent
• The most common VPN encapsulation protocols:
  • Point-to-Point Tunneling Protocol (PPTP)
  • Layer 2 Tunneling Protocol (L2TP)
  • Secure Shell (SSH)
  • Socket Secure (SOCKS)

[Figure: Encapsulating data to conceal source and destination information. The originating computer 10.0.50.3 sends a packet on the internal LAN; the VPN router 192.168.50.1 encapsulates the original packet (source IP 10.0.50.3) inside an encrypted outer packet whose source IP is the router's address, 192.168.50.1]

Encapsulation is the method by which one protocol carries another protocol's data inside its own
packets, hiding that data from the intervening network. Data vulnerability increases if the data does
not pass through a secure channel. When data is transmitted using VPN tunneling it is
encapsulated, making it secure. Tunneling relies on various technologies and protocols such as GRE,
IPsec, L2F, PPTP and L2TP.

The VPN tunnel acts as a path between the source and the destination. To send the
encapsulated data securely, it is necessary to establish the tunnel. All the data packets
travelling through the tunnel are encapsulated at the source point and de-encapsulated at the
destination point. To send the data to the destination point, a tunnel data protocol is used.
The information in the data packet is called the payload. The tunnel data protocol encapsulates
the payload within a header containing the routing information. Once the server receives the
payload, it discards the header, de-encapsulates the payload and sends it to the destination.

All data packets transmitted through a VPN network are encapsulated using a VPN base or
carrier protocol. The encapsulated data packet is then sent through the tunnel and is later
de-encapsulated at the receiver's end.

For example, a TCP/IP packet encapsulated in an ATM frame is hidden within
the ATM frame. Upon receiving the ATM frame, the receiver de-encapsulates it in
order to remove the TCP/IP packet from within.

The main goal is to provide an extra layer of security to each packet travelling across the
Internet. These protocols define the way packets are sent and received by the ISP.
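The encapsulation from the figure, worked as an added example that is not part of the courseware: IP-in-IP encapsulation (RFC 2003) of a packet from 10.0.50.3 inside an outer packet sourced from the VPN router 192.168.50.1, together with the header checksum check a receiving router performs. The peer router 192.168.60.1, the far-end host 10.0.60.7 and the payload bytes are assumed; encryption of the inner packet is not shown here.

```python
import socket
import struct

# Addresses from the courseware figure; the peer router and far-end host are assumed.
ORIGINATING_HOST = "10.0.50.3"    # originating computer on the internal LAN
VPN_ROUTER = "192.168.50.1"       # VPN router whose address the outer packet carries
PEER_VPN_ROUTER = "192.168.60.1"  # assumed far-end VPN router
REMOTE_HOST = "10.0.60.7"         # assumed host on the far-end internal LAN

IP_PROTO_IPIP = 4   # outer header's protocol field for IP-in-IP (RFC 2003)
IP_PROTO_UDP = 17
IPV4_HEADER_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791); 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Assemble a 20-byte IPv4 header (no options) in front of the payload."""
    header = struct.pack(IPV4_HEADER_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    # The checksum is computed over the header with its checksum field zeroed, then stored.
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Verify the header checksum and return the header fields plus the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ihl < 20 or ipv4_checksum(header) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HEADER_FMT, header[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet: bytes) -> bytes:
    """VPN router: wrap the LAN packet so only the two routers' addresses show on the Internet."""
    return build_ipv4(VPN_ROUTER, PEER_VPN_ROUTER, IP_PROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Far-end VPN router: strip the outer header and hand the original packet to its LAN."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IP_PROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    return outer["payload"]


def observable_addresses(outer_packet: bytes) -> tuple:
    """What an on-path observer reads from the outer header: router addresses, not LAN hosts."""
    outer = parse_ipv4(outer_packet)
    return outer["src"], outer["dst"]


def is_intact(packet: bytes) -> bool:
    """True when the header checksum still verifies, i.e. the header was not altered in transit."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_ipv4(ORIGINATING_HOST, REMOTE_HOST, IP_PROTO_UDP, b"constructed payload")
    outer = encapsulate(inner)
    print("on the wire:", observable_addresses(outer))            # ('192.168.50.1', '192.168.60.1')
    print("after decapsulation:", parse_ipv4(decapsulate(outer))["src"])  # 10.0.50.3
```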


Types of VPN Tunneling

• Voluntary Tunneling: In voluntary tunneling, the client machine sets up a virtual
connection to the target tunnel server. Voluntary tunneling can be set up only when there
is an existing connection between the client and the server.

• Compulsory Tunneling: In compulsory tunneling, the client machine is not the tunnel
endpoint. A remote access server configures and creates the tunnel. The dial-up access
server acts as the tunnel endpoint.

Advantages of VPN Tunneling

VPN tunneling allows the deployment of a VPN in a public network. It is a cost-effective
method, as a dedicated network is not required.

VPN encapsulation protocols are:

• Point-to-Point Tunneling Protocol (PPTP): This protocol lets multiprotocol traffic be encrypted
and encapsulated in an IP header for transmission across the Internet. It is used in both remote-access
and site-to-site VPN connections. PPTP manages the tunnel using a TCP connection and
encapsulates PPP frames in IP datagrams.

• Layer 2 Tunneling Protocol (L2TP): Permits multiprotocol traffic to be encrypted and sent across
any medium supporting point-to-point delivery. L2TP is installed using the TCP/IP
protocol. Encapsulation with L2TP consists of two layers:

  • L2TP encapsulation: The PPP frame is encapsulated using an L2TP header and a UDP
  header.

  • IPsec encapsulation: The L2TP message from the first layer is encapsulated using an IPsec
  Encapsulating Security Payload (ESP) header, an IPsec authentication trailer and a final IP
  header.

• Secure Shell (SSH): A connection-oriented service that uses public key cryptography in
order to authenticate a remote user. It includes two types of features:

  • Port forwarding

  • Secure tunneling

• Socket Secure (SOCKS): Enables clients to communicate with Internet servers through
firewalls. SOCKS is employed on proxy servers.
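The two L2TP/IPsec layers described above, worked as an added example that is not from the courseware: a PPP frame receives an L2TP and a UDP header, then an ESP header and an authentication trailer, and the receiver checks that trailer (and the ESP sequence number) before unwrapping anything. ESP's NULL cipher (RFC 2410) is used so the bytes stay readable; the SPI, tunnel and session IDs, integrity key and PPP frame are constructed, and the final IP header is left out.

```python
import hashlib
import hmac
import struct

# Constructed parameters; in a real tunnel the SPI and integrity key are negotiated by IKE.
ESP_SPI = 0x00001234
L2TP_TUNNEL_ID = 7
L2TP_SESSION_ID = 42
L2TP_UDP_PORT = 1701
IP_PROTO_UDP = 17                # ESP "next header": the protected payload is a UDP datagram
INTEGRITY_KEY = b"\x0b" * 32     # HMAC-SHA-256 key (constructed)
ICV_LEN = 16                     # HMAC-SHA-256-128: the tag is truncated to 128 bits (RFC 4868)


def l2tp_encapsulate(ppp_frame: bytes) -> bytes:
    """First layer: PPP frame -> L2TP data header (RFC 2661) -> UDP header to port 1701."""
    # Flags/version word 0x0002: T=0 (data message), no optional fields, version 2.
    l2tp = struct.pack("!HHH", 0x0002, L2TP_TUNNEL_ID, L2TP_SESSION_ID) + ppp_frame
    # UDP checksum 0 means "none", which L2TP permits for data messages.
    return struct.pack("!HHHH", L2TP_UDP_PORT, L2TP_UDP_PORT, 8 + len(l2tp), 0) + l2tp


def esp_encapsulate(udp_datagram: bytes, seq: int) -> bytes:
    """Second layer: ESP header + payload + trailer + ICV (RFC 4303).

    The NULL cipher (RFC 2410) keeps the bytes readable; the integrity check value
    (ICV) is the "authentication trailer" the courseware refers to.
    """
    pad_len = (-(len(udp_datagram) + 2)) % 4           # end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad pattern 1, 2, 3 ...
    trailer = padding + struct.pack("!BB", pad_len, IP_PROTO_UDP)
    body = struct.pack("!II", ESP_SPI, seq) + udp_datagram + trailer
    icv = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decapsulate(esp_packet: bytes) -> tuple:
    """Verify the ICV before looking at anything else; returns (udp_datagram, seq)."""
    if len(esp_packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet altered in transit or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    if spi != ESP_SPI or next_header != IP_PROTO_UDP:
        raise ValueError("unexpected SPI or next header")
    return body[8:len(body) - 2 - pad_len], seq


def l2tp_decapsulate(udp_datagram: bytes) -> bytes:
    """Strip the UDP and L2TP headers and return the PPP frame."""
    _, dport, udp_len, _ = struct.unpack("!HHHH", udp_datagram[:8])
    if dport != L2TP_UDP_PORT or udp_len != len(udp_datagram):
        raise ValueError("not an L2TP datagram")
    flags, tunnel_id, session_id = struct.unpack("!HHH", udp_datagram[8:14])
    if (flags & 0x800F) != 0x0002 or (tunnel_id, session_id) != (L2TP_TUNNEL_ID, L2TP_SESSION_ID):
        raise ValueError("unexpected L2TP header")
    return udp_datagram[14:]


def l2tp_ipsec_wrap(ppp_frame: bytes, seq: int) -> bytes:
    """Sender: both layers; the result goes behind the final IP header (protocol 50, ESP)."""
    return esp_encapsulate(l2tp_encapsulate(ppp_frame), seq)


class L2tpIpsecReceiver:
    """Receiver: checks integrity, rejects replayed sequence numbers, unwraps both layers."""

    def __init__(self):
        self.highest_seq = 0   # simplified anti-replay: only strictly increasing numbers pass

    def receive(self, esp_packet: bytes) -> bytes:
        udp_datagram, seq = esp_decapsulate(esp_packet)
        if seq <= self.highest_seq:
            raise ValueError("replayed or reordered ESP sequence number %d" % seq)
        self.highest_seq = seq
        return l2tp_decapsulate(udp_datagram)

    def accepts(self, esp_packet: bytes) -> bool:
        try:
            self.receive(esp_packet)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    ppp = b"\x00\x21" + b"constructed IPv4 payload"   # PPP protocol 0x0021 = IPv4
    packet = l2tp_ipsec_wrap(ppp, seq=1)
    print("bytes added by the two layers:", len(packet) - len(ppp))   # 42
    print("PPP frame recovered:", L2tpIpsecReceiver().receive(packet) == ppp)
```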


VPN Core Functionality: Encryption

• Packets sent over a VPN are encrypted to maintain the confidentiality of the information
• Packets are read by decrypting with the public keys from the sender
• Common VPN Encryption Technologies:
  • Triple Data Encryption Standard (3DES)
  • Secure Sockets Layer (SSL)

[Figure: a Certificate Authority (CA) issues certificates to the organization; certificates are managed by a certificate server at the main office; a key is sent over the Internet to the VPN users at the branch office and the home office to decrypt data]

A VPN uses encryption to provide an additional layer of security to data transmitted over the
VPN. Encryption plays an important role when an organization's sensitive data is carried over the
Internet. All data that enters the VPN tunnel is encrypted and is decrypted as soon as it
reaches the end of the tunnel. An encryption key is used for both the encryption and
the decryption. Encryption prevents monitoring, logging or tampering with the data in
an organization.

Encryption helps secure the data passing through the network. The sender encrypts the data
passing through the network and the receiver decrypts the data. It requires no encryption on
the communication link between a dial-up client and the Internet service provider, as the
process of encryption takes place between the VPN client and the VPN server.

In VPN encryption, both the sender and the receiver need to have a common encryption key
that is sent along with the data. If a packet travelling through the VPN connection does not
have the keys associated with it, then it is of no use to the computer. There are many mechanisms
to determine the length of the encryption key. When both sides use the same key, the receiver can
interpret the encrypted data easily. The administrator can always select the
encryption keys used for a connection.


In end-to-end encryption, the encryption occurs between the client application and the server.
IPsec is used with an end-to-end connection once a remote access connection is made. IPsec
works as follows:

• Encryption of an encapsulated packet using an encryption key. The key is known only to
the sender and the receiver.

• An encapsulation header, a sub-protocol, conceals the sensitive information of the
packets, including the sender's identity.

VPN encryption technologies

• Triple DES algorithm: Operates on 64-bit blocks of data, processing each block three times with a
56-bit key. 3DES reduces the chances of breaking the encryption key.

• Secure Sockets Layer (SSL): A secure technology that enables communication between the
server and the client. SSL technology enables the secure transaction of credit card
numbers, login credentials, etc. over the Internet.

• OpenVPN: It is an open source VPN and works with the SSL protocol.


VPN Core Functionality: Authentication

• Users are authenticated to access the VPN and its resources
• It uses digital certificates to authenticate its users
• Common user authentication techniques for a VPN:
  • IPSec
  • MS-CHAP
  • Kerberos

[Figure: VPN router 203.12.205.40 on Network 1 and VPN router 200.15.150.3 on Network 2, connected over the Internet. 1. Packet (unencrypted); 2. Packet (encrypted and encapsulated); 3. Authorization requested; 4. Database check determines whether authentication was successful. Not successful: packet is refused and an error message is returned to the sender]

Authentication is an integral part of VPN technology, as the hosts receiving a VPN
communication need to ensure the authenticity of the hosts initiating and sending the VPN
connections. A VPN employs three kinds of authentication:

• User authentication: The VPN deploys the mutual authentication concept. The VPN
server authenticates the VPN client to check whether the client has permission to
connect. Also, the VPN client can authenticate the VPN server for proper permissions.

• Computer authentication with L2TP/IPsec: Remote-access computers are authenticated
for proper permissions using IPsec and L2TP/IPsec.

• Data authentication and integrity: All L2TP/IPsec packets sent include a
cryptographic checksum based on the encryption key. Only the sender and the receiver
know this checksum. This ensures the data sent is not manipulated during transit.

Authentication techniques used in VPN

• IPsec Family

  • Internet Protocol Security (IPsec): All application traffic is secured at the IP
  layer. IPsec conducts session authentication and data packet authentication for
  any two securely connected entities. IPsec ensures a secured connection between two
  networks, or between remote networks and a main network.


• Layer2 Tunneling protocol {L2TP): This protocol initiates a connection between two
L2TP connections. L2TP is always combined with the IPsec protocol in order to confirm
security.

• Kerberos
Kerberos consists of a record of clients and their private keys. Only the client and Kerberos
know the details of the private key. Kerberos generates session keys that encrypt
messages between two clients.

• PAP

Password Authentication Protocol (PAP) is a clear-text authentication mechanism. On request from the network access server (NAS), the client sends its username and password unencrypted. Anyone who can observe the link between the client and the NAS, or who compromises the NAS, obtains the credentials directly, and because the same password is sent on every login it can simply be replayed.

• SPAP (Shiva Password Authentication Protocol)

A reversible-encryption mechanism used when a Shiva client connects to a Shiva server. It is more secure than PAP because the password does not cross the link in the clear, but the same encrypted value is sent on every login, so it is susceptible to replay. It is less secure than CHAP or MS-CHAP.

• CHAP (Challenge Handshake Authentication Protocol)

CHAP is more secure than PAP because the password itself never crosses the link; only a one-way hash derived from it does. The server sends a challenge message (a random value plus a one-byte identifier) to the client. The client computes an MD5 hash over the identifier, the shared secret and the challenge and returns it. The server repeats the same calculation with its own copy of the secret and compares the two values; if they match, authentication is acknowledged. Because each challenge is fresh, a captured response cannot be replayed, but a captured challenge/response pair can still be attacked offline with a dictionary of candidate passwords, and the server must store each secret in recoverable form.

• MS-CHAP
With the Microsoft Challenge Handshake Authentication Protocol, the remote access server sends a session identifier and a challenge string to the remote access client. The client returns a one-way hash computed over the identifier, the challenge string and the user's password; the value is not reversible, so the password itself is never transmitted.

• EAP (Extensible Authentication Protocol)

EAP is an authentication framework rather than a single method: the access server relays the client's authentication data to an authentication database server (typically RADIUS), which makes the decision. New authentication methods are added as plug-ins (EAP methods) on the client and the server without changing the access protocol itself.
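The CHAP exchange described above, worked through in Python as an added example (not code from the courseware): the server issues a fresh identifier and challenge, the client answers with MD5(identifier || secret || challenge) as specified in RFC 1994, the server verifies, and a passive observer then mounts the offline dictionary attack that CHAP does not prevent. The user database and the wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example, not code from the courseware: a minimal PPP CHAP exchange as
# specified in RFC 1994, plus the offline dictionary attack a passive observer
# can run against a captured challenge/response pair. All users, secrets and
# the wordlist are constructed for illustration.


def chap_response(identifier, secret, challenge):
    """RFC 1994 sec. 2.2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. CHAP requires the secret in recoverable form."""

    def __init__(self, user_db):
        self.user_db = user_db      # username -> shared secret (bytes)
        self.identifier = 0

    def challenge(self):
        # Fresh identifier and an unpredictable challenge for every attempt;
        # this is what makes a captured response useless for replay.
        self.identifier = (self.identifier + 1) % 256
        return self.identifier, os.urandom(16)

    def verify(self, identifier, challenge, username, response):
        secret = self.user_db.get(username)
        if secret is None:
            # Do the work anyway so timing does not leak which usernames exist.
            secret = b"\x00" * 16
        expected = chap_response(identifier, secret, challenge)
        return username in self.user_db and hmac.compare_digest(expected, response)


def client_authenticate(server, username, secret):
    """Peer side. Returns the result and what a sniffer on the link would see."""
    identifier, challenge = server.challenge()
    response = chap_response(identifier, secret, challenge)
    ok = server.verify(identifier, challenge, username, response)
    captured = (identifier, challenge, username, response)  # the secret never crosses the link
    return ok, captured


def offline_dictionary_attack(captured, wordlist):
    """Observer side: recompute the response per candidate secret; no traffic to the server."""
    identifier, challenge, _username, response = captured
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


CONSTRUCTED_USERS = {b"alice": b"Winter2016!", b"bob": b"correct horse battery staple"}
CONSTRUCTED_WORDLIST = [b"password", b"123456", b"Winter2016!", b"letmein"]


if __name__ == "__main__":
    server = ChapServer(CONSTRUCTED_USERS)
    ok, captured = client_authenticate(server, b"alice", b"Winter2016!")
    print("login with correct secret:", ok)
    print("login with wrong secret:", client_authenticate(server, b"alice", b"guess")[0])
    new_id, new_challenge = server.challenge()
    print("replaying the captured response:",
          server.verify(new_id, new_challenge, b"alice", captured[3]))
    print("dictionary attack on the capture:",
          offline_dictionary_attack(captured, CONSTRUCTED_WORDLIST))
```

The replay against a new challenge fails, which is the property CHAP adds over PAP and SPAP; the dictionary attack succeeds against the weak secret, which is why CHAP needs long random secrets or an encrypted transport underneath it.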


1. Trusted VPNs

• Were used before the Internet became a universal corporate communications medium
• Companies leased circuits from a communications provider and used them the same way as physical cables in a private LAN
• Organizations know and control the pathway for their transmission
• A trusted communications provider maintains the integrity and security of the circuit but provides no encryption; these are called trusted VPNs
• Technologies such as ATM circuits, frame-relay circuits and Multiprotocol Label Switching (MPLS) are used to implement trusted VPNs

2. Secure VPNs

• Used when the Internet became the corporate communications medium
• Vendors created protocols that encrypt traffic at the originating computer and decrypt it at the receiving computer
• The encrypted traffic acts as a tunnel between two networks; an attacker who sees the traffic cannot read it
• Secure VPNs are networks constructed using encryption
• They protect the confidentiality and integrity of the data, but do not control the transmission path


3. Hybrid VPNs

• A secure VPN that runs as part of a trusted VPN creates a hybrid VPN
• The secure part of a hybrid VPN is administered by the customer or by the provider that supplies the trusted part

[Figure: a hybrid VPN consisting of a secure VPN across an intermediary trusted VPN, connecting two networks]



VPN technology enables organizations to connect mobile and remote users to the network and to connect separate branches of the same organization into a single network.

Common technologies used to deploy VPNs for secure data transmission are:

Trusted VPN
Even before the Internet became popular, service providers offered customers dedicated circuits that nobody else could use. This gave customers privacy and the ability to run their own IP addressing and policies. The provider is trusted to maintain the integrity of the circuit and to keep other parties' traffic from being injected into it or sniffed from it; the data itself is not encrypted. This type of VPN is called a trusted VPN. The technologies used for implementing trusted VPNs over an Internet Protocol network are Asynchronous Transfer Mode (ATM) circuits, frame relay circuits and MPLS.
ATM and frame relay operate at layer 2 of the OSI model; MPLS operates between the data link layer and the network layer (often described as layer 2.5). The requirements for a trusted VPN are:

• Only the trusted VPN provider can change the path of the VPN.

• All routing and addressing methods must be agreed before the trusted VPN is created.

• Only the VPN provider can inject, change or delete data in the path of the VPN.

Secure VPN
The main goal of a secure VPN is to protect data in transit. All packets sent through the tunnel are encrypted and integrity-protected at one end of the tunnel and decrypted and verified at the other, so an attacker on the path can neither read them nor alter them without detection. The main requirements for secure VPNs are:

• All traffic on the VPN is encrypted and authenticated before it is sent.

• The security properties of the VPN (algorithms, key lengths, authentication method) are agreed by both endpoints before the connection is established.

• Nobody outside the VPN can change its security properties.

Hybrid VPN
A hybrid VPN runs a secure VPN across a trusted VPN. Combining the two lets an organization use the provider's network for predictable routing while still encrypting sensitive traffic, at relatively low cost. The network administrator must be able to tell which traffic is protected by the secure VPN and which traverses only the trusted VPN. The main requirement for hybrid VPNs is:

• The boundary between the trusted VPN and the secure VPN must be clearly defined.


[Figure: two networks connected by a secure VPN tunnel that crosses an intermediary trusted VPN]

FIGURE 9.3: Hybrid VPN


A VPN topology specifies how the peers and networks within a VPN are connected.

Some VPN topologies include:

• Hub-and-Spoke VPN Topology
• Point-to-Point VPN Topology
• Full Mesh VPN Topology
• Star Topology


A VPN topology specifies how the nodes in a network are connected and how they communicate with one another. A VPN enables companies in different networks to communicate and share data, and the topology determines the pattern of tunnels used to do so. The different VPN topologies are:

• Hub-and-Spoke

• Point-to-Point

• Full Mesh

• Star
The choice of topology depends on the requirements of the organization. For example, a star topology suits an environment where sites need to reach a central site (or a partner company in a different network) but never each other, while a mesh topology suits an intranet in which sites exchange traffic directly.


• Each spoke at a remote office communicates securely with the central device (the hub)
• A separate, secure tunnel is established between the hub and each individual spoke
• A persistent connection is established between an organization's main office and its branch offices across a third-party network or the Internet
• Remote offices exchange large amounts of data
• Optional secondary hubs can be deployed for resilience
• This topology is commonly used in organizations with strict hierarchical structures (banks, governments, retail chains, international organizations, etc.)

[Figure: main office hub with secure tunnels to branch-office spokes]

In the hub-and-spoke topology, the main organization site is the hub and its remote offices are the spokes. The spokes reach the VPN only through the hub. This topology is typical of banks and international organizations. The hub controls two types of communication:

• Communication between a spoke and the hub

• Communication between spokes
This topology typically represents an intranet VPN connecting an organization's main office to its regional offices. The hub terminates a separate tunnel for each spoke, and all data transfers pass through it. As the network grows, hub-and-spoke can be extended into a multilevel hierarchy in which regional hubs are themselves spokes of a central hub.
In a multi-site network the central hub controls the data transfer and acts as the gateway through which remote sites reach each other, much as a cell tower is the hub for the mobile devices around it. Network administrators should understand exactly how hub-and-spoke is built in their network, because every spoke-to-spoke flow depends on the hub.


Advantages
• Less expensive, and a failed spoke is easy to isolate and repair without affecting the others.

• Bonded circuits between the hub and a spoke increase the bandwidth and flexibility of the network.

• Better security: each site is separated from every other site by its single connection to the hub, where policy can be enforced centrally.

• High performance, centralization and simplicity.

Disadvantages
• Any failure at the hub affects both hub-to-spoke traffic and all spoke-to-spoke traffic.

• Spoke-to-spoke traffic must traverse the hub, which makes the hub a potential bottleneck.

[Figure: main office hub connected across the Internet to branch-office spokes, with optional secondary hubs for resilience]

FIGURE 9.4: Hub and Spoke VPN topology

The figure shows the hub-and-spoke topology: each spoke at a branch office makes a secure connection, across the Internet, to the hub at the main office. The main office can have more than one hub, but each spoke uses only one hub at a time; the other hubs are kept as backups for resilience.

This topology works well when most traffic flows between the hub and the spokes rather than between spokes. Traffic between two spokes must go to the hub first and is then forwarded to the destination spoke, so heavy spoke-to-spoke traffic creates a bottleneck at the hub. All IPsec technologies can be used in this topology.

If the primary hub fails, IPsec failover moves the connections of all spokes to a backup hub. Multiple hubs can also be configured as primary hubs.


• Unlike the hub-and-spoke topology, offices at different locations communicate directly with each other, without any IPsec failover through a hub
• This topology treats the two endpoints as two peer devices participating in the communication
• Only regular IPsec or IPsec/GRE can be assigned for the tunnel, and either peer can initiate the communication

[Figure: Site 1 and Site 2 connected by a secure tunnel across the Internet]

Point-to-point VPN Topology

In a point-to-point topology, two endpoints are peer devices that communicate directly with each other, and either of them can initiate the connection. The IPsec technology assigned can be either regular IPsec or IPsec/GRE.

A point-to-point VPN is commonly configured as a regular IPsec tunnel; when one end is a device in the managed network and the other is an unmanaged device (for example in a service provider's or partner's network), the arrangement is known as an extranet.

The major features of the point-to-point topology are:

• Simple routing, as traffic needs to pass through only one router at each end.

• Optimal routing between the two customer sites, with no detour through a hub.

• Encryption and authentication that protect the confidentiality and integrity of packets in transit.

• A tunneling process that encapsulates the original packets inside normal IP packets so they can be forwarded over IP-based networks.


• This topology is suitable for complex networks where all peers communicate with one another
• Device-to-device communication takes place over a unique IPsec tunnel for each pair of devices
• A peer-to-peer tunnel between each pair of devices prevents a bottleneck at a central VPN gateway and saves the encryption/decryption overhead of relaying through it
• This topology is reliable and offers redundancy

[Figure: Sites 1 to 4 connected across the Internet by a secure tunnel between every pair of sites]

In a fully meshed VPN, every peer can communicate with every other peer, which makes the network complex. All devices communicate directly with each other through their own IPsec tunnel, which removes the holdup at a central gateway and the overhead of decrypting and re-encrypting traffic there. A fully meshed VPN can be implemented with regular IPsec, IPsec/GRE or GET VPN technologies.

Advantages
• A failure on one device does not affect the rest of the network.

• Very reliable.

• Prevents any bottleneck at a central gateway.

Disadvantages
• The number of tunnels grows quadratically (n sites need n(n-1)/2 tunnels), so configuration, key management and monitoring become hard to manage as sites are added.

• Many of the connections are redundant and consume resources on every device.


• This topology allows remote branches to securely communicate with corporate headquarters
• Interconnection between branches is not allowed
• Deployed in a bank network, preventing one branch from compromising another branch
• Attackers must first compromise the central network before being able to compromise a second branch
• New sites can be added easily and only the central site needs to be updated
• The central site plays a major role in this topology. If it fails, all connections go down

[Figure: corporate headquarters connected to four branch offices, with no links between branches]

This is the most commonly used topology in organizations. All remote offices communicate with the corporate office, while direct communication between remote offices is denied. Each device on the network is connected to a central hub that manages the traffic through the network.

[Figure: corporate headquarters at the center with tunnels to four branch offices]

FIGURE 9.5: Star topology


In the figure, branch offices can reach each other only through the corporate headquarters. No two branch offices can set up a separate tunnel between themselves; all inter-branch traffic is relayed, and can be inspected, by the corporate network.

Advantages
• Well suited to a financial infrastructure: compromising one branch does not give access to another branch without passing through, and being observed at, the central site.

• Any attack on a branch office has to be routed through the main site, where the network administrator can detect and block it.

• Branch offices can be added or removed without affecting neighboring sites; only the main site's configuration must be updated.

Disadvantages
• A failure at the central site breaks communication for all other sites.

• No two sites can communicate with each other directly.

• Every added site consumes capacity at the main site.


VPN Concerns: VPN Fingerprinting

• An attacker can use UDP backoff fingerprinting or Vendor ID fingerprinting to fingerprint a VPN server
• This gives a potential attacker useful information
• A VPN server may expose sensitive information such as the type of device and software version details during VPN fingerprinting
• ike-scan is used to fingerprint the VPN server vendor and the version number of IPsec VPNs
• ike-scan uses its own retransmission strategy to deal with lost packets, so that the server's retransmission pattern can be observed and used to fingerprint it

A VPN transmits data using various protocols such as TCP, IP, UDP and IPsec. Among these, UDP is not a reliable transport-layer protocol: it relies entirely on the application to provide reliability, usually by retransmitting with a backoff schedule so that lost packets are replaced.

IKE runs over UDP, and each IKE implementation retransmits with its own backoff schedule (intervals and count). An attacker who sends a single IKE request and then stays silent can record the timing of the server's retransmissions and match that pattern against known implementations. The Vendor ID payloads a server includes in its reply are a second source: they identify supported extensions and often the vendor and version.

VPN fingerprinting gives the attacker information such as the type of connection in use, the devices and the operating systems deployed. Some systems, such as Cisco PIX or Nortel Contivity, reveal the general type of device used to build the network, while others disclose software version details, which lets an attacker look up known vulnerabilities for that exact release.

Attackers use ike-scan to fingerprint the VPN server vendor and the version number of IPsec VPNs. ike-scan sends IKE Phase 1 proposals, applies its own retransmission strategy so that the target's backoff pattern is not obscured by lost packets, and compares the observed backoff pattern and Vendor IDs against a database of known implementations to determine which IKE implementation a host runs.
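Vendor ID fingerprinting, as an added example in Python (not from the courseware and not ike-scan's own code): the ISAKMP header and payload chain are decoded per RFC 2408, and each Vendor ID payload is matched against known values. The NAT-T and Dead Peer Detection identifiers are the published ones; the "ExampleVendor" identifier and the response packet itself are constructed for the example.

```python
import hashlib
import struct

# Added example, not code from the courseware: decode the Vendor ID payloads
# carried in an IKEv1 (ISAKMP) response and match them against known values,
# which is the principle behind ike-scan's Vendor ID fingerprinting. The
# response packet below is constructed in this file, not captured from a device.

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 sec. 3.1: cookies, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")          # RFC 2408 sec. 3.2: next payload, reserved, payload length
PAYLOAD_NONE = 0
PAYLOAD_VENDOR_ID = 13
EXCHANGE_AGGRESSIVE = 4

KNOWN_VENDOR_IDS = {
    # NAT-T: MD5 of the RFC/draft name (RFC 3947 sec. 3.1)
    hashlib.md5(b"RFC 3947").digest(): "NAT-T (RFC 3947)",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "NAT-T (draft-ietf-ipsec-nat-t-ike-02)",
    # Dead Peer Detection: fixed value plus major/minor version 1.0 (RFC 3706 sec. 5.3)
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"): "Dead Peer Detection v1.0 (RFC 3706)",
    # Hypothetical product VID, to show how a vendor/version match would look
    hashlib.md5(b"ExampleVendor VPN 4.2").digest(): "ExampleVendor VPN 4.2 (hypothetical)",
}


def build_response(vendor_ids, exchange_type=EXCHANGE_AGGRESSIVE):
    """Construct an ISAKMP message whose payload chain consists only of Vendor ID payloads."""
    body = b""
    for index, vid in enumerate(vendor_ids):
        next_payload = PAYLOAD_VENDOR_ID if index + 1 < len(vendor_ids) else PAYLOAD_NONE
        body += PAYLOAD_HDR.pack(next_payload, 0, PAYLOAD_HDR.size + len(vid)) + vid
    first = PAYLOAD_VENDOR_ID if vendor_ids else PAYLOAD_NONE
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, first, 0x10, exchange_type, 0, 0,
                             ISAKMP_HDR.size + len(body))
    return header + body


def parse_payloads(packet):
    """Walk the payload chain, yielding (payload_type, payload_body); rejects malformed lengths."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    (_icky, _rcky, next_payload, _version, _exchange,
     _flags, _msg_id, length) = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    offset = ISAKMP_HDR.size
    while next_payload != PAYLOAD_NONE:
        if offset + PAYLOAD_HDR.size > len(packet):
            raise ValueError("truncated payload header")
        payload_type = next_payload
        next_payload, _reserved, payload_len = PAYLOAD_HDR.unpack_from(packet, offset)
        if payload_len < PAYLOAD_HDR.size or offset + payload_len > len(packet):
            raise ValueError("bad payload length")  # never trust lengths from the wire
        yield payload_type, packet[offset + PAYLOAD_HDR.size:offset + payload_len]
        offset += payload_len


def fingerprint(packet):
    """Return a readable name for every Vendor ID payload in the response, in order."""
    return [KNOWN_VENDOR_IDS.get(body, "unknown VID " + body.hex())
            for payload_type, body in parse_payloads(packet)
            if payload_type == PAYLOAD_VENDOR_ID]


CONSTRUCTED_RESPONSE = build_response([
    hashlib.md5(b"RFC 3947").digest(),
    bytes.fromhex("afcad71368a1f1c96b8696fc77570100"),
    hashlib.md5(b"ExampleVendor VPN 4.2").digest(),
    b"\xde\xad\xbe\xef",   # something the database does not know
])

if __name__ == "__main__":
    for name in fingerprint(CONSTRUCTED_RESPONSE):
        print(name)
```

A real responder also returns SA and key-exchange payloads before the Vendor IDs; the parser above skips any payload type other than 13, so it works unchanged on such a message. The defensive lesson is the mirror image: a gateway should send only the Vendor IDs it needs for interoperability, since every extra one narrows the attacker's guess.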


VPN Concerns: Insecure Storage of Authentication Credentials

• VPN clients may store VPN authentication credentials in insecure places where attackers can get easy access to them
• This makes it easier for an attacker to steal the credentials, increasing the security risk
• Credentials are at risk of being stolen when a VPN client:
• I. Stores the username unencrypted in a file or the registry
• II. Stores the password in a scrambled form
• III. Stores the plain-text password in memory
• IV. Uses weak registry or file permissions for stored credentials

Security issues arise when VPN clients store authentication credentials insecurely. Common issues with stored VPN credentials:
• Storing the username unencrypted in a file or the registry: If the VPN uses IKE aggressive mode with a pre-shared key, the username (identity) is the one piece of information an attacker needs to complete an exchange with the server and capture a hash for offline cracking. A username read from a file or the registry removes the need to enumerate it.

• Storing the password in a scrambled form: Scrambling is obfuscation, not encryption; no key is required to reverse it. An attacker who gains access to the client computer recovers the plain-text password by applying the descrambling routine, which is the same on every installation of that client.

• Storing the plain-text password in memory: Any user with access to the client machine can dump the memory of the running VPN client process, for example with a tool such as pmdump, and read the password out of the dump.

• Weak registry or file permissions for stored credentials: If the file or registry key holding the credentials is readable by other accounts on the machine, any local user or piece of malware can read the password.


VPN Concerns: Username Enumeration Vulnerabilities

• A remote-access VPN may allow usernames to be guessed with a dictionary attack because it responds differently to valid and invalid usernames
• Incorrect login attempts should not reveal which part (username or password) was incorrect; doing so only helps the attacker work out which usernames are valid
• Many VPNs ignore this rule
• VPN usernames are generally based on people's names and e-mail addresses, making it easy for attackers to recover valid usernames in a very short time

Many remote-access VPNs use IKE aggressive mode with pre-shared key authentication. The client sends an IKE packet to the VPN server and the server answers with another IKE packet. These packets carry several payloads, including an identity payload sent by the client and a hash payload sent by the server. The identity payload contains the username (or group name) and the hash payload contains a value computed from the pre-shared key associated with that identity. Flaws identified in this exchange are:

• Some VPN servers respond only to valid usernames and stay silent otherwise.

• Some VPN servers respond with an error notification to incorrect usernames.
• Some VPN servers respond to both valid and invalid usernames, but compute the hash for an invalid username with a null or default key, which produces a recognizably different response.

In each case the attacker can distinguish valid from invalid usernames by the difference in the server's behavior. Once a valid username is known, an attacker who completes the aggressive-mode exchange obtains the hash from the VPN server and can brute-force or dictionary-attack it offline to recover the pre-shared key.
Reviewing every place where the VPN handles identities, including the login exchange, account registration and password changes, for differences in response helps prevent username enumeration vulnerabilities.


VPN Concerns: Offline Password Cracking

• VPN passwords are prone to offline password cracking attempts
• An attacker can perform an offline dictionary attack to crack the password of a VPN client
• Offline password cracking activity is neither logged in the VPN server log nor triggers an account lockout

Offline password cracking is one of the most common flaws of a VPN. An attacker who obtains a password hash can attack it offline, and with IKE aggressive mode the hash is obtained from the VPN server itself once a valid username is known.

The server's aggressive-mode response to the client carries a key exchange payload, an identity payload, a header and a hash payload. The hash is computed from the pre-shared key and from values that travel in the clear in the same exchange, so a passive observer, or the attacker who initiated the exchange, has everything needed to test candidate pre-shared keys. Because the responses are not encrypted, the attacker takes the hash and runs the dictionary attack entirely on their own machine. Nothing further is sent to the server, so the VPN server writes no log entry, no lockout is triggered, and the attack goes unnoticed by the administrator.

Simple, dictionary-word passwords are what make this cracking succeed quickly. Hashing alone does not prevent it, since the hash is exactly what the attacker is attacking. To resist offline cracking, use long random pre-shared keys or, better, certificate-based authentication, and prefer main mode or IKEv2 over IKEv1 aggressive mode so that no crackable hash is handed to an unauthenticated party.
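The two flaws above, username enumeration and offline pre-shared-key cracking, come from the same aggressive-mode exchange, so one added example covers both (Python, not code from the courseware or from any VPN product). The derivation of SKEYID and HASH_R follows RFC 2409 section 5.4 with HMAC-SHA1 as the prf; the identity database, nonces, cookies and Diffie-Hellman values are constructed and fixed so the run is repeatable.

```python
import hashlib
import hmac

# Added example, not code from the courseware: why IKEv1 aggressive mode with a
# pre-shared key enables both username enumeration and offline PSK cracking.
# The key derivation follows RFC 2409 sec. 5.4 with HMAC-SHA1 as the prf; the
# exchange values and the identity/PSK database below are constructed here.

GROUP_DB = {b"vpnusers": b"Winter2016!", b"contractors": b"Spring2016!"}  # constructed ID -> PSK


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni_b, nr_b):
    """RFC 2409 sec. 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk, ex):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    Every input except the PSK is sent in clear text in aggressive mode."""
    return prf(skeyid_psk(psk, ex["Ni_b"], ex["Nr_b"]),
               ex["g_xr"] + ex["g_xi"] + ex["CKY_R"] + ex["CKY_I"] + ex["SAi_b"] + ex["IDir_b"])


def constructed_exchange(idii):
    """Clear-text parts of one aggressive-mode exchange for initiator identity `idii`.
    Values are fixed so the example is deterministic; real nonces and cookies are random."""
    return {
        "CKY_I": bytes.fromhex("0102030405060708"),
        "CKY_R": bytes.fromhex("1112131415161718"),
        "Ni_b": bytes(range(16)),
        "Nr_b": bytes(range(16, 32)),
        "g_xi": bytes([0xA5]) * 128,                   # DH public values, modp1024 sized
        "g_xr": bytes([0x5A]) * 128,
        "SAi_b": bytes.fromhex("0000000100000001"),   # initiator SA payload body, abbreviated
        "IDii_b": b"\x0b\x00\x00\x00" + idii,         # ID_KEY_ID (11) carrying the group/user name
        "IDir_b": b"\x01\x00\x00\x00" + bytes([192, 0, 2, 1]),  # ID_IPV4_ADDR (1): responder 192.0.2.1
    }


def responder(ex, group_db):
    """A server that answers only for known identities: the observable difference
    that leaks valid usernames. Returns HASH_R, sent in the second aggressive-mode message."""
    psk = group_db.get(ex["IDii_b"][4:])
    if psk is None:
        return None
    return hash_r(psk, ex)


def enumerate_ids(candidates, group_db):
    """Attacker: one aggressive-mode request per candidate identity; note which ones get a reply."""
    return [c for c in candidates if responder(constructed_exchange(c), group_db) is not None]


def offline_psk_crack(ex, captured_hash_r, wordlist):
    """Attacker: recompute HASH_R for each candidate PSK. No packets reach the server,
    so nothing is logged and no lockout can trigger."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ex), captured_hash_r):
            return candidate
    return None


if __name__ == "__main__":
    valid = enumerate_ids([b"admin", b"vpnusers", b"sales", b"contractors"], GROUP_DB)
    print("identities that got a reply:", valid)
    ex = constructed_exchange(valid[0])
    captured = responder(ex, GROUP_DB)
    print("cracked PSK:", offline_psk_crack(ex, captured, [b"password", b"summer", b"Winter2016!"]))
```

Note that the attacker never needs the responder's private Diffie-Hellman value: HASH_R depends only on the public values and the PSK. That is the structural reason a long random PSK, or certificates with main mode or IKEv2, is the fix rather than a different hash function.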


VPN Concerns: Man-in-the-Middle Attacks

• This attack is possible when the VPN system uses an insecure IKE authentication configuration, such as aggressive mode with a pre-shared key
• A malicious attacker intercepts communication between the client and the VPN server, obtains the client's authentication to the server and uses the credentials to authenticate to the VPN server

Attackers exploit weak IKE authentication configurations (for example, aggressive mode with a shared group pre-shared key, or clients that do not verify the server's identity) to perform man-in-the-middle attacks on a VPN. The attacker positions themselves between the client and the server, impersonates the server to the client and obtains the client's authentication, then uses those credentials to authenticate to the real VPN server and gains the client's level of access.
Because the attacker sits in the data path, a man-in-the-middle can intercept, insert, delete and modify messages, reflect messages back to the sender, replay old messages and redirect messages.


VPN Concerns: Lack of Account Lockout

• Some VPN implementations do not permit locking a user's account after a set number of incorrect login attempts
• This allows an attacker to make unlimited login attempts and guess passwords by brute force
• Check whether your VPN supports account lockout and ensure it is turned on in the configuration

Account lockout restricts the number of login attempts: once the limit is exceeded, the account is locked automatically, either permanently or for a cooling-off period. This defeats online password-guessing attacks such as brute-force and dictionary attacks. Some VPNs, however, provide no account lockout feature, so login attempts can be repeated indefinitely, and attackers take advantage of this to guess account credentials at whatever rate the server accepts. Lockout only helps against online guessing; it does nothing against the offline cracking described earlier, and an aggressive lockout policy can itself be abused to lock legitimate users out, so pair it with monitoring and a sensible reset window.


VPN Concerns: Poor Default Configurations

• A major security threat to a VPN is the selection of a weak authentication mechanism, typically IKE aggressive mode with a pre-shared key by default
• Ensure you use a certificate-based authentication mechanism
• Even if the default security mode is certificate-based and very strong, certain default configurations allow an end user to switch to a less secure method
• All authentication and encryption modes except the strongest should be made unavailable

Almost all organizations have an automated configuration set-up. If the organization leaves the VPN at its default configuration, attackers may exploit those defaults to compromise the security of the VPN, so a proper configuration management process is needed.
Certain default configurations allow an end user to switch to a less secure method, such as IKE aggressive mode with a pre-shared key, even when stronger certificate-based authentication is available. All weak authentication and encryption modes must be disabled. End users normally do not change default configurations, assuming that the vendor shipped a correct and secure configuration. Yet defaults typically support many ciphers and modes, ESP and AH, strong ciphers alongside weak ones, and a peer (or an attacker with access to the client machine) can cause a weaker cipher to be negotiated. The end user will not notice, because the VPN still functions normally.
Selecting a weak authentication mechanism such as IKE aggressive mode with a pre-shared key lets attackers capture authentication material for offline cracking. Make sure the mechanism chosen to protect the VPN has certificate-based authentication enabled, and that the weaker alternatives are removed rather than merely not selected.
Common default configuration flaws
• VPN vendors usually ship a default administrative password that users fail to change. Default passwords are publicly known, which makes it easy for attackers to enter the network and access the systems.
• Users may change a VPN configuration setting without understanding what it does.


VPN Concerns: Poor Guidance and Documentation

A VPN implementation does not provide any important directions and/or documentation for which
configuration is best to use.

Situations where this guidance is required:

• Choosing an appropriate encryption algorithm to prevent weak ciphers being cracked
• Choosing an appropriate authentication key mechanism to prevent offline password cracking
• Choosing an appropriate protocol for secure and encrypted communication to prevent MITM
attacks

There are instances where the end user is not aware of the correct configuration for the VPN.
Improper guidance and documentation regarding the VPN implementation can lead
customers to make mistakes while using a VPN. Poor guidance can lead to security
vulnerabilities in the configuration and implementation of a VPN. An incorrect implementation
provides a way for attackers to gain access to the VPN. The following are situations where this
guidance is required:

• Using weak ciphers like export-grade or single DES, which can be cracked easily.
• Using weak key authentication such as a pre-shared key with IKE aggressive mode, which
sends the user name and leaves the password vulnerable to offline cracking once a valid
user name is identified.
• Choosing the AH protocol, which does not encrypt VPN traffic.

Users are not provided any warning message when the implementation is incorrect, making it
very difficult for the user to know the risks and dangers associated with the improper
configuration.
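The restrictions described in the default-configuration and poor-guidance passages above, turned into a configuration audit as an added example (not EC-Council's code). The Proposal record, the SAMPLE_PROPOSALS list and the weak-algorithm sets are constructed for the demonstration; they encode the guidance in the text: no export-grade or single-DES ciphers, no AH-only proposals, no IKE aggressive mode with a pre-shared key, and certificate-based authentication required.

```python
"""Audit an IPsec/IKE proposal set for the weak defaults described in the text.

Added example (not EC-Council's code). The Proposal records, the constructed
SAMPLE_PROPOSALS and the weak-algorithm sets are assumptions made for this
demonstration.
"""
from dataclasses import dataclass
from typing import List

# Export-grade and single-DES ciphers the text says are easily cracked.
WEAK_CIPHERS = {"des", "des-cbc", "export-rc4-40", "export-des-40", "null"}
# Integrity algorithms treated as weak in this example (assumption).
WEAK_INTEGRITY = {"md5", "hmac-md5", "none"}


@dataclass(frozen=True)
class Proposal:
    name: str
    protocol: str     # "esp" (encrypts) or "ah" (authenticates only)
    cipher: str       # e.g. "aes-256-gcm"; "none" for AH
    integrity: str    # e.g. "sha256"
    ike_mode: str     # "main" or "aggressive"
    auth_method: str  # "cert" or "psk"


@dataclass(frozen=True)
class Finding:
    proposal: str
    severity: str     # "high" or "medium"
    issue: str


def audit(proposals: List[Proposal]) -> List[Finding]:
    """Return one Finding per weak setting; an empty list means the set is clean."""
    findings = []
    for p in proposals:
        if p.protocol == "ah":
            findings.append(Finding(p.name, "high",
                "AH gives authentication and integrity only; the VPN traffic is not encrypted"))
        elif p.cipher in WEAK_CIPHERS or p.cipher.startswith("export"):
            findings.append(Finding(p.name, "high",
                f"cipher {p.cipher} is export-grade or single DES and can be cracked"))
        if p.integrity in WEAK_INTEGRITY:
            findings.append(Finding(p.name, "medium",
                f"integrity algorithm {p.integrity} is weak"))
        if p.ike_mode == "aggressive" and p.auth_method == "psk":
            findings.append(Finding(p.name, "high",
                "IKE aggressive mode with a pre-shared key exposes the identity and "
                "leaves the password open to offline cracking"))
        elif p.auth_method != "cert":
            findings.append(Finding(p.name, "medium",
                "not certificate-based authentication"))
    return findings


def harden(proposals: List[Proposal]) -> List[Proposal]:
    """Keep only proposals with no findings: every weaker mode becomes unavailable."""
    flagged = {f.proposal for f in audit(proposals)}
    return [p for p in proposals if p.name not in flagged]


# Constructed sample: the kind of permissive default proposal list the text warns about.
SAMPLE_PROPOSALS = [
    Proposal("strong-cert", "esp", "aes-256-gcm", "sha256", "main", "cert"),
    Proposal("psk-main", "esp", "aes-256-cbc", "sha256", "main", "psk"),
    Proposal("psk-aggressive", "esp", "aes-128-cbc", "sha1", "aggressive", "psk"),
    Proposal("legacy-des", "esp", "des-cbc", "md5", "main", "cert"),
    Proposal("ah-only", "ah", "none", "sha256", "main", "cert"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PROPOSALS):
        print(f"[{f.severity.upper()}] {f.proposal}: {f.issue}")
    print("Allowed after hardening:", [p.name for p in harden(SAMPLE_PROPOSALS)])
```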


• Firewalls establish a protection barrier between the VPN and the Internet
• Before implementing a VPN, ensure that a good firewall is in place
• Firewalls should be configured to restrict open ports, and the types of packets and
protocols that traffic is allowed to pass through to the VPN
• Firewalls are also used to terminate VPN sessions

Figure: a firewall placed between the IPsec tunnel/WAN and the corporate network (LAN PCs,
wireless terminals, branch server)

A firewall can allow or deny the flow of data through the network. Firewalls generally help in
protecting the network from attackers. Firewalls can be used in two ways with a VPN:

• The VPN server is attached to the Internet and the firewall is located between the VPN
server and the intranet. Here, packet filters are added in order to allow only VPN traffic to
and from the IP address of the VPN server.
• The firewall is attached to the Internet and the VPN server is located between the firewall
and the intranet. Here, the firewall has input and output filters on the Internet interface in
order to maintain traffic and the passage of traffic to the VPN server.


VPN Security: IPsec Server

• The IPsec server enhances VPN security through the use of strong encryption algorithms and
authentication
• The IPsec server contains two encryption modes:
• Tunnel mode: both the header and the payload of each packet are encrypted
• Transport mode: only the payload of each packet is encrypted

The IPsec server consists of two types of encryption modes:

Transport mode

This is the default mode for an IPsec server. It is generally used for end-to-end
communication between a server and a client. In transport mode, IPsec encrypts the IP payload
through an Authentication Header (AH) or Encapsulating Security Payload (ESP) header. The IP
payloads can be TCP segments (containing a TCP header and TCP segment data), UDP messages
(containing a UDP header and message data) and ICMP messages (containing an ICMP header
and ICMP message data).

AH does not encrypt the data and only provides authentication, integrity and anti-replay
protection. With AH, it is possible to read the data, but any change to the data is rejected.

Tunnel mode

In tunnel mode, IPsec encrypts both the IP payload and the header to protect an entire IP
packet by encapsulating it with an AH or ESP header and an additional IP header. This mode is
useful for protecting traffic between different networks and is primarily used for
interoperability with gateways.

Tunnel mode of IPsec is generally implemented in configurations such as gateway-to-gateway,
server-to-gateway and server-to-server. IPsec tunnel mode is useful in protecting traffic
while it is passing through untrusted networks.


• The AAA server is used to establish secure access in a remote-access VPN environment
• The AAA server performs the following types of checks:
• Authentication: Who are you?
• Authorization: What are you allowed to do?
• Accounting: What do you actually do?

Authentication, Authorization and Accounting (AAA) provides additional secure access in a
remote-access environment. An AAA server provides users an extra layer of protection and
control when compared to an ACL alone. The access control list (ACL) enables outside users to
access TELNET present in the DMZ network. AAA permits only a few users to access the
application after proper authorization and authentication has occurred. This can be
implemented using:

• Who you are (authentication): verifying the user credentials such as username and
password
• What you are allowed to do (authorization): verified in order to offer access controls
such as management commands, network access and VPN access
• What you actually do (accounting): refers to what type of traffic the users access
through the VPN. This option tracks traffic that passes through the VPN and records all
user activity

The authentication protocols used for an AAA server are:

• RADIUS
• TACACS+
• RSA SecurID
• Windows NT
• Kerberos
• LDAP


• Remote Access Dial-In User Service (RADIUS) is the simplest way to use centralized
authentication in VPNs
• When a user attempts to connect, the VPN server contacts the RADIUS server, which then
authenticates the user through a Windows domain using both a username and a password
(typically a Windows domain controller)
• RADIUS is a software application that runs on a server and has access to all users in the
domain
• If the username and password are correct and they have "dial-in" access granted, they will
be allowed to access the VPN
• In a VPN environment, RADIUS manages both the user authentication and authorization. This
reduces the total cost of ownership by managing the credentials from a central location
• The VPN equipment must securely communicate with the RADIUS server and verify the user
meets certain set conditions before granting permission to access the network


RADIUS is a client/server protocol which authenticates and authorizes dial-in users to access
the system or device. RADIUS maintains profiles in its databases, enabling the remote servers
to share the data and allowing centralized administration of data. Companies using a VPN
network implement RADIUS for data authentication.

In RADIUS, the VPN server interacts with the RADIUS server once the user attempts a
connection. The RADIUS server authenticates the user using their credentials. The user is
granted access if and only if the user provides the correct credentials and has dial-in access. The
RADIUS server sends a RADIUS message to the RADIUS client in response to the request for
authentication.

RADIUS messages are sent as User Datagram Protocol (UDP) messages, and the UDP payload
of a RADIUS packet can include only one RADIUS message.

Various RADIUS message types are:

• Access-Request: Sent by the RADIUS client to request authentication.
• Access-Accept: Sent by the RADIUS server in response to the Access-Request message.
• Access-Reject: Sent by the access server to the RADIUS client informing them the connection
request is rejected.
• Access-Challenge: Sent by the RADIUS server to the RADIUS client in response to the
Access-Request from the client.
• Accounting-Request: Sent by the RADIUS client to request the information for a permitted
connection.
• Accounting-Response: Sent by the RADIUS server in response to the Accounting-Request
message from the RADIUS client.

FIGURE 9.6: RADIUS (a VPN client connects over the Internet to the VPN gateway on the
corporate network, which queries the DualShield RADIUS server and DualShield authentication
server backed by Active Directory)

A RADIUS message consists of a RADIUS header and RADIUS attributes. The RADIUS attributes
provide information regarding the number of connection attempts, username, password,
service requested by the user, etc. Each item is carried in a separate RADIUS attribute, and the
attributes share information between RADIUS servers, RADIUS clients and RADIUS proxies.
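The header-plus-attributes layout and the message types described above, parsed and checked in Python as an added example (not EC-Council's code). It assumes the RFC 2865 wire format (Code, Identifier, Length, 16-byte Authenticator, then Type/Length/Value attributes) and the RFC 2865 Response Authenticator rule MD5(Code + ID + Length + RequestAuth + Attributes + Secret); the packets and the shared secret are constructed for the demonstration.

```python
"""Parse RADIUS messages and verify a server reply's Response Authenticator.

Added example (not EC-Council's code). Layout assumed from RFC 2865:
Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes...
where each attribute is Type(1) | Length(1) | Value. The sample packets and
shared secret are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

HEADER_LEN = 20
MAX_LEN = 4096  # RFC 2865: longer packets are silently discarded

# Code values for the message types listed in the text (RFC 2865 / RFC 2866).
CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    4: "Accounting-Request",
    5: "Accounting-Response",
    11: "Access-Challenge",
}

# A few attribute types so the parsed output can name them.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 18: "Reply-Message"}


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS datagram into header fields and (name, value) attributes.

    Malformed Length fields are rejected instead of being read past, which is
    the check a RADIUS client or proxy needs before it trusts the attributes.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > MAX_LEN or length > len(packet):
        raise ValueError(f"invalid Length field: {length}")
    authenticator = packet[4:HEADER_LEN]
    attributes = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attributes.append((ATTR_NAMES.get(atype, f"Attribute-{atype}"), packet[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "type": CODES.get(code, f"Unknown-{code}"),
        "identifier": identifier,
        "authenticator": authenticator,
        "attributes": attributes,
    }


def encode_attributes(attrs) -> bytes:
    """Encode (type, value) pairs as Type/Length/Value attributes."""
    return b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)


def build_request(identifier: int, request_authenticator: bytes, attrs) -> bytes:
    """Build an Access-Request (code 1); the client picks the 16-byte Request Authenticator."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", 1, identifier, HEADER_LEN + len(body)) + request_authenticator + body


def build_response(code: int, identifier: int, request_authenticator: bytes, attrs, secret: bytes) -> bytes:
    """Build a server reply whose Authenticator is the Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator for a reply. A mismatch means the reply
    was not produced by a server holding the shared secret, or was altered in transit."""
    msg = parse_radius(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[HEADER_LEN:length] + secret).digest()
    return hmac.compare_digest(expected, msg["authenticator"])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))  # a real client sends 16 random bytes here
    request = build_request(7, req_auth, [(1, b"alice"), (4, bytes([10, 0, 0, 5]))])
    print(parse_radius(request)["type"], parse_radius(request)["attributes"])
    accept = build_response(2, 7, req_auth, [(18, b"Welcome")], secret)
    print("Access-Accept verified:", verify_response(accept, req_auth, secret))
    print("Tampered reply verified:", verify_response(accept[:-1] + b"!", req_auth, secret))
```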


The RADIUS components are:

• Access clients

• Access servers

• RADIUS proxies

• RADIUS servers

• User account databases


Factors that could influence Internet speed while using a VPN service, and the techniques to
improve the speed of a VPN, are:

• VPN Server Location: Configure the VPN server located in your area to avoid losing the
Internet connection
• VPN Server Load: VPN servers with many connected users tend to cause delay and loss in
Internet speed. Use a paid VPN service as they have plenty of free space to accommodate new
subscribers
• Reliable Provider: Select a dependable VPN provider which has a very low packet data loss.
Ensure the loss is at a minimum
• Configure Firewall Settings to Optimize VPN Speed: Set up and configure the correct firewall
on the system to allow the VPN service to flow smoothly
• Processor Speed: Make sure your computers have fast CPUs; this will provide better system
speed, capacity and a stable Internet connection
• Security Protocol Type: Use L2TP/IPsec and PPTP VPN protocols since they use 128-bit
encryption
• Choose a Stable ISP: The better the Internet connection, the faster the VPN service

Many people using a VPN connection are concerned about the speed of the VPN affecting their
Internet connection. Factors influencing VPN speeds are:

VPN Server Location

With a distant VPN server, data packets take a long time to move back and forth; use a VPN
server located near your area to avoid any loss of Internet bandwidth. This will help in
improving the VPN speed.

VPN Server Load

A VPN server with many connections causes delay and loss. To avoid this, use a paid VPN
service since they have plenty of free space to accommodate new subscribers.

Reliable Provider

A good and reliable VPN provider offers zero percent data packet loss for their VPN services.
For better performance, select a dependable virtual private network provider which has a
minimum amount of packet data loss.

Configure Firewall Settings to Optimize VPN Speed

Generally, system firewall settings affect the CPU speed, and that affects the VPN and Internet
speed. To increase the VPN speed, set up the correct firewall on the system to allow the VPN
service to flow smoothly.


Processor Speed

In order to avoid losses in bandwidth and connection, furnish your computer with a faster and
better CPU or processor to have better system speed, capacity, and a stable Internet
connection.

Security Protocol Type

The VPN speed depends upon the level of security encryption. A VPN solution provider offers
basic VPN security protocols like OpenVPN, SSTP, L2TP/IPsec and PPTP. To get a good and
stable Internet connection, opt for L2TP/IPsec and PPTP VPN protocols as they use 128-bit
encryption.

Choose a Stable ISP

The speed of an Internet connection depends on the ISP limitation, which in turn influences the
speed of the connection for the VPN subscription. The higher the Internet connection limit, the
faster the VPN service.

Choose a Wired Connection

Wired connections increase the speed and minimize the latency. Wireless connections use a
shared connection between the devices, affecting the speed of the VPN.

Choose a Proper Device

Certain devices are incapable of handling the overhead due to the encryption of a VPN tunnel.
Such devices are best used with a better processor.


• The Quality of Service (QoS) in VPNs acts as a resource reservation control mechanism for a
VPN
• It offers better management and use of network resources

QoS manages network features like:

• Delay: Denotes time required to send data
• Bandwidth: Denotes data transfer rate from the source to the destination
• Jitter: Denotes variation in delay
• Packet loss: Denotes network packets lost/dropped due to a large amount of traffic

The two VPN models providing QoS:

• Pipe Model: QoS guarantees the traffic from one Customer Edge (CE) to another
• Hose Model: A customer's CE router sends to and receives from other CE routers on the same
VPN

Quality of Service in VPNs is an end-to-end mechanism that provides different services to
different applications, users or data flows according to business requirements. Service
providers provide a quality service by defining the service level agreement (SLA), which further
describes the QoS factors. QoS is required in a VPN as different applications have different
requirements, and it is mandatory to provide all required services so the VPN functions
properly. Factors that affect the QoS:

• Bandwidth: Determines the data limit applicable during a data transmission
• Delay: Total time required to transmit data from the source location to the destination
• Jitter: Variation in latencies for packets in a given data stream
• Packet loss: Loss or misordering of data packets in a stream
• Throughput: Number of bytes received per second at the destination
• Network Address Translation (NAT): The presence of Network Address Translation (NAT)
or proxy devices between the client and the gateway can affect the connectivity in an
undesirable manner. The connectivity always needs a client configuration prior to the
implementation of the tunnel.
• Goodput (Packets): The ratio of the number of data packets sent versus the total number
of packets transmitted in the network.
• Goodput (Bytes): The ratio of bytes of data sent versus the total number of bytes
transmitted in the network.


• Data Dropped: Data lost or dropped at the destination may be due to improper access to
the medium.

An SSL (Secure Sockets Layer) VPN is used to provide remote users with access to web applications,
client/server applications, and internal network connections. It provides a secure way for
mobile users to access network resources. Deployment considerations of SSL VPNs include:

SSL VPN is categorized into:

• SSL portal VPN: Allows secure access to network devices by enabling a single SSL
connection to a web site. Portal refers to the website that permits the user to access
other services.
• SSL tunnel VPN: Enables web browsers to access multiple network services, applications
and protocols. This is facilitated by a tunnel under the SSL. The SSL tunnel allows a web
browser to access services that cannot be accessed by SSL portals.


• An SLA is an agreement between an ISP and their subscribers. It can also be between peer
ISPs. SLAs specify the service criteria (traffic profile, network behavior and payment/billing)
• An SLA specifies the penalties a service provider will pay if they fail to meet the committed goals

Challenges and issues providers and subscribers can face due to an SLA:

• The challenge for subscribers is to use service management tools to confirm the provider is
meeting all the criteria of the SLA
• If a subscriber uses one SLA to bind more than one provider, especially if the VPN uses multiple
providers, the SLA must address the provider interconnection and end-to-end service performance
• The challenge for the provider is to honor multiple SLAs from many service providers

A service level agreement (SLA) is a contract between the ISP and its subscribers, or between
peer ISPs. The SLA specifies the traffic profile, network behavior, payment/billing etc., and the
penalties for not following or meeting the prescribed criteria. The SLA can be fixed
through a phone call, fax or using bandwidth brokers (BBs). Bandwidth brokers are agents
allocating resources and controlling traffic of the administrative domain. These brokers keep a
mutual agreement between each of the neighboring domains. The SLA can be either static or
dynamic. Static agreements are defined with the initialization of the service and change
frequently. These agreements are negotiated by human interaction, whereas negotiating
dynamic agreements requires an automated protocol between the BBs.

Providers and subscribers face certain challenges and technical issues using SLAs:

• The challenge for subscribers is to devise and operate service measurement tools showing
to what extent the SLA is honored by the provider.
• When subscribers use an SLA to bind more than one provider, i.e. when the subscriber's VPN
spans multiple provider domains, the SLA must also encompass provider interconnection
and the end-to-end service performance.
• The challenge for the provider is to honor multiple SLAs from many service providers.


A VPN service provides a level of security to hide your IP address and geographic location, and to
protect your data while online.

• Private Internet Access: https://www.privateinternetaccess.com
• TunnelBear: https://www.tunnelbear.com
• TorGuard: https://torguard.net
• PrivateTunnel: https://www.privatetunnel.com
• IPVanish VPN: https://www.ipvanish.com
• VPN Reactor: http://www.vpnreactor.com
• CyberGhost VPN: http://www.cyberghostvpn.com/en_us
• proXPN's VPN: https://proxpn.com
• Hotspot Shield VPN: http://www.hotspotshield.com
• VyprVPN: http://www.goldenfrog.com/vyprvpn

Some of the VPN service providers are listed below:

Private Internet Access

https://www.privateinternetaccess.com

The service provider offers services to protect your privacy and identity, and to unblock censorship
filters, i.e. unrestricted access even when the user is in another country.

TorGuard

https://torguard.net

TorGuard VPN is a privacy tool that transforms blocked traffic into HTTPS traffic to overcome
censorship anywhere in the world.

IPVanish VPN

https://www.ipvanish.com

IPVanish VPN offers features such as:

• It provides faster and more stable speeds.
• It protects from cyber threats and unsecured Wi-Fi hotspots.


CyberGhost VPN

http://www.cyberghostvpn.com

CyberGhost VPN offers features such as:

• Simple and secure access to content from all over the world
• Unblocks the content
• Protects users from hackers, cyber scams, bank-account theft and phishing e-mail fraud

Hotspot Shield VPN

http://www.hotspotshield.com

Some of the benefits of using Hotspot Shield VPN are listed below:

• Protects privacy
• Bypasses Internet censorship
• Secures the Internet
• Enables Wi-Fi security
• Protects devices from malware

TunnelBear

https://www.tunnelbear.com

Some of the features of TunnelBear:

• Secures user data and hides IP addresses.
• Provides access to censored content.
• Blocks online web-site tracking.

PrivateTunnel

https://www.privatetunnel.com

• Secures user communications.
• Protects user privacy.
• Stops malware and malicious attacks.
• Allows access to content from anywhere.

VPN Reactor

http://www.vpnreactor.com

VPNReactor masks the ISP-assigned IP address with an anonymous IP. It provides encrypted,
untraceable connections between the network and the Internet. It works on all platforms such
as Windows, Mac OS X and iPhone.


proXPN's VPN

https://proxpn.com

Some of the benefits of proXPN:

• Unlimited VPN speed
• Access to favorite sites anywhere
• Open all available ports
• Provides PPTP connectivity
• Support for mobile devices

VyprVPN

http://www.goldenfrog.com

• NAT firewall for additional security.
• When the user connects to VyprVPN, the user's ISP encounters only encrypted traffic. The
result is faster, unrestricted Internet speeds.
• Multiple protocols such as L2TP and PPTP for encryption.


After a VPN is installed, the VPN client must be tested on every computer, using a VPN step-by-step
scenario:

• The remote user is issued VPN client software and a certificate
• Guide the user in installing the software and storing the certificate
• If IPsec is used, verify the IPsec policies on the remote user's machine and the VPN gateway
are identical
• Have the user start the VPN software and connect to the gateway
• If problems arise when connecting to the gateway, instruct the user to write down or report
all error messages, to correctly diagnose the problem
• When the connection is established, the remote user should authenticate by entering the
username and password when prompted

VPN testing can provide the administrator with an idea of the weaknesses in the
implementation. The auditing of a VPN mainly concentrates on the standards, guidelines and
procedures. VPN audits depend on other types of security audits such as a configuration audit,
network security audit, server security audit, etc.

After a VPN is installed, the VPN client must be tested on each computer using a VPN step-by-
step scenario:

• The remote user is issued the VPN client software and certificate.
• Guide the user to install the software and store the certificate successfully.
• If IPsec is being used, verify the IPsec policies on the remote user's machine and the VPN
gateway are identical.
• Have the user start the VPN software and connect to the gateway.
• If problems arise while connecting to the gateway, ask the user to write down or report all
error messages to correctly diagnose the problem.
• Once the connection is established, the remote user should authenticate by entering their
username and password when prompted.


After testing the client, check the VPN to ensure files are transferred at acceptable rates and that all
parts of the VPN are online when needed:

I. When a remote user connects to your network, they connect to the server via a web browser
II. The user then enters credentials to access the server
III. Select the files to be transferred
IV. Copy files from the corporate network to the remote user and vice versa
V. Track the time the file transfer takes
VI. Open the transferred files to make sure they are transferred completely and working correctly
VII. The remote user is disconnected from the corporate network after the file transfer

To ensure that a file transfer between the VPN host and the client proceeds at an acceptable
rate, all the VPN ports and other VPN components, such as the VPN gateway, tunnel, etc., are to
be checked for their online availability.

Steps involved in checking the VPN file transfer between the host and the client are:

• The remote user needs a web browser to connect to the network.
• The user should enter credentials to access the server. The user is then authenticated
and given access to the server contents if found genuine.
• The user has to select the required files from a list of folders that are to be transferred to
their system.
• Copy the files from the corporate network to the client system in the specified user
location or directory, and vice versa.
• Track the file transfer time, whether downloading or uploading the file.
• Open the transferred files on the client system to ensure they are transferred successfully
and in a working state.
• The remote user is to be disconnected from the corporate network after the file transfer is
complete.


Best Security Practices for VPN Configuration

Ensure that your VPN service is configured to enforce requirements defined in the security policy.

Recommended practices for a VPN deployment are:

• Deploy VPN termination devices on dedicated network segments
• Enable an auditing feature to have a detailed audit trail for access, authentication, and use
• Provide secure access control for VPN traffic
• Limit rules or configurations to designated users
• Use updated software versions
• Use dedicated devices for VPN termination
• Audit logs and authentication records on a daily basis
• Provide additional or complementary authentication to standard usernames and passwords

Recommendations for VPN Connections

• Provide a dedicated firewall for every VPN connection/server
• The VPN should follow Federal Information Processing Standards (FIPS) approved encryption
and integrity protection algorithms
• The VPN should provide flexible and secure communication between the remote connections
and the organization's server
• VPN traffic should be filtered and inspected by internal firewalls
• Use digital certificates and device authentication methods for VPN connections
• Use symmetric and asymmetric forms of cryptography in the VPN
• Implement strong application-level security on each application level
• Provide secure data transmission and information transfer between the networks


Recommendations for VPN Connections (Cont'd)

• Configure user authentication, access and restriction to the VPN network
• Manage and configure IPsec gateways to protect communication between networks
• Design packet filters with restrictions on limiting network traffic for additional protection
• Set rules and time limits for termination and disconnection of idle connections
• Maintain a list of authorized users and regularly check for unauthorized access points
• Define the communication channel for packet filters between the remote and main office
• Strictly restrict and specify the type of communication permitted between packet filters
• Deploy and plan SSL VPN connections according to the requirements of the organization

Recommendations for VPN Connections (Cont'd)

• Provide control over all exit and entry points to ensure network integrity is protected
• Develop secure remote access to the organization's resources through an SSL VPN
• Provide and restrict access to security controls and resources to limited groups
• Integrate an SSL VPN with intrusion prevention and detection techniques
• The SSL VPN implementation should support the overall technical, management and
operational controls of an organization
• Deploy an SSL VPN with predefined endpoint security and access point control features
• Maintain an updating, monitoring and securing process for the SSL VPN solution
• Select an SSL VPN that supports high scalability and availability features

Module 10: Wireless Network Defense

Certified Network Defender, Exam 312-38
• Understand wireless networks
• Discuss wireless standards
• Describe wireless network topologies
• Explain various wireless network components
• Explain wireless encryption (WEP, WPA and WPA2) technologies
• Describe authentication methods for wireless networks
• Describe wireless network security implications
• Discuss the types of wireless network threats
• Discuss the appropriate placement of a wireless access point (AP)
• Discuss the appropriate placement of a wireless antenna
• Discuss how to monitor wireless network traffic
• Discuss how to detect and locate rogue wireless access points
• Discuss how to prevent RF interference

This module focuses on the various defensive techniques used for wireless network security.
Besides the security measures that are used to secure a wired network, a wireless network
requires extra security measures to defend against wireless-specific threats. This module covers
wireless network components, topologies, standards, encryption, threats and the security
measures that should be implemented to make a wireless network more robust and secure.


Wireless Terminologies

• Orthogonal Frequency-Division Multiplexing (OFDM): method of encoding digital data on multiple carrier frequencies
• Direct-Sequence Spread Spectrum (DSSS): the original data signal is multiplied with a pseudo-random noise spreading code
• Frequency-Hopping Spread Spectrum (FHSS): method of transmitting radio signals by rapidly switching a carrier among many frequency channels
• Service Set Identifier (SSID): an identifier of up to 32 octets that names a wireless local area network (WLAN)
• Multiple-Input, Multiple-Output Orthogonal Frequency-Division Multiplexing (MIMO-OFDM): air interface for 4G and 5G broadband wireless communications
• Temporal Key Integrity Protocol (TKIP): a security protocol used in WPA as a replacement for WEP
• Lightweight Extensible Authentication Protocol (LEAP): a proprietary WLAN authentication protocol developed by Cisco
• Extensible Authentication Protocol (EAP): supports multiple authentication methods, such as token cards, Kerberos, certificates, etc.

Orthogonal Frequency-Division Multiplexing (OFDM)

OFDM is a modulation scheme that splits the data stream across many closely spaced,
mutually orthogonal sub-carriers, each carrying a low-rate stream. Because the symbol on
each sub-carrier is long, OFDM tolerates the multipath echoes that cause intersymbol
interference indoors, which is what lets it sustain high throughput. It is used by the 802.11a,
g, n and ac wireless standards.

Direct-Sequence Spread Spectrum (DSSS)

DSSS is a spread-spectrum modulation technique in which each data bit is multiplied by a
higher-rate pseudo-random "chip" sequence before transmission, so the signal occupies a band
much wider than the data rate alone would need. The receiver multiplies the received chips by
the same sequence (correlation) to recover the data; narrowband interference is spread out and
largely averaged away in the process, and the signal is hard to detect without the sequence.
802.11b networks use DSSS, with the 11-chip Barker sequence at 1 and 2 Mbit/s.
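To make spreading and despreading concrete, here is an added example (not part of the EC-Council courseware) that spreads a bit stream with the 11-chip Barker sequence used by 802.11b at 1 and 2 Mbit/s, inverts some chips to model narrowband interference, and recovers the bits by correlation. The chip sequence is the one defined for 802.11 DSSS; the data bits and the interference positions are constructed for the demonstration.

```python
# 802.11b DSSS illustration: spread each data bit with the 11-chip Barker sequence,
# then recover it at the receiver by correlating against the same sequence.
# Added example; the Barker sequence is the one defined for 802.11 DSSS, the
# data bits and interference positions used below are constructed for the demo.

BARKER_11 = (1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1)


def spread(bits, code=BARKER_11):
    """Map each bit to a +1/-1 symbol and multiply it by the chip sequence.

    One data bit becomes len(code) chips, i.e. the signal occupies 11x the
    bandwidth of the raw data, which is the "spread" in spread spectrum.
    """
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * chip for chip in code)
    return chips


def despread(chips, code=BARKER_11):
    """Correlate each 11-chip block with the code and decide the bit by the sign.

    A clean block correlates to +11 or -11; every chip inverted by interference
    moves the sum by 2, so up to five corrupted chips per bit are still decoded
    correctly (the processing gain of the spreading).
    """
    n = len(code)
    bits = []
    for start in range(0, len(chips) - n + 1, n):
        block = chips[start:start + n]
        correlation = sum(received * chip for received, chip in zip(block, code))
        bits.append(1 if correlation > 0 else 0)
    return bits


def inject_interference(chips, positions):
    """Model interference that inverts the sign of individual chips (constructed)."""
    damaged = list(chips)
    for pos in positions:
        damaged[pos] = -damaged[pos]
    return damaged


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed payload
    chips = spread(data)
    print("chips per bit:", len(chips) // len(data))
    # five of the eleven chips of the first bit are corrupted: still decoded
    print(despread(inject_interference(chips, [0, 1, 2, 3, 4])) == data)
    # six corrupted chips flip the decision for that bit
    print(despread(inject_interference(chips, [0, 1, 2, 3, 4, 5]))[0])
```

The correlation sum is the whole trick: a receiver that does not know the chip sequence sees only a wide, noise-like signal, while one that does folds eleven chips back into a single decision with a margin of 11 against interference that hits individual chips.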

Frequency-hopping Spread Spectrum (FHSS)

FHSS transmits on a narrow carrier that hops among many channels in a pseudo-random
sequence known to both ends, several times per second. Because each transmission dwells only
briefly on any one channel, interference that affects a few channels corrupts only a small part of
the data, and several hopping systems can share the same band with little mutual disturbance.
Early wireless LANs (the original 802.11 FHSS physical layer) and Bluetooth use FHSS.

Multiple-input, Multiple Output-Orthogonal Frequency Division Multiplexing
(MIMO-OFDM)
MIMO-OFDM combines multiple transmit and receive antennas with OFDM. It raises the
spectral efficiency of 4G and 5G wireless communication services (and of 802.11n/ac WLANs):
spatial multiplexing sends several streams over the same channel, and the extra antennas turn
multipath reflections from a source of interference into additional signal paths, making the
channel more robust.


Service Set Identifier (SSID)

The SSID is an identifier of up to 32 octets (it need not be printable text) that names a
wireless network. It lets a client pick the required network among the independent networks in
range; devices joining the same WLAN must use the same SSID to establish the connection.
The SSID is broadcast in the clear in beacon and probe frames and is not a security control:
"hiding" it only suppresses it in beacons, and it still appears in probe requests and responses.

Temporal Key Integrity Protocol (TKIP)

TKIP is the encryption protocol that WPA introduced to replace WEP on hardware that could
only run RC4. It keeps RC4 but adds per-packet key mixing, so each data packet is encrypted
under a different key, a 48-bit sequence counter for replay protection and the Michael message
integrity check. This set of algorithms makes TKIP more secure than WEP, but TKIP has itself
been deprecated (IEEE 802.11-2012); WPA2 and WPA3 networks should use CCMP (AES) instead.
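The reason per-packet keys matter can be shown in a few lines of code. The following added example (not from the courseware) implements RC4, the stream cipher both WEP and TKIP use, and encrypts two packets under a WEP-style key (24-bit IV prepended to the shared key). When the IV repeats, the keystream repeats, so the XOR of the two ciphertexts equals the XOR of the two plaintexts and knowing one packet reveals the other. The same packets encrypted under a per-packet key that depends on the transmitter address and a 48-bit sequence counter no longer leak this way. The key mixing uses SHA-256 as a stand-in; that is an assumption for illustration, not TKIP's actual two-phase mixing function, and the keys, MAC address and payloads are constructed.

```python
# Added example: why WEP's IV-prepended RC4 key leaks when an IV repeats, and why
# per-packet key mixing (the idea behind TKIP) removes that particular leak.
# RC4 is implemented here because WEP/TKIP use it; the key-mixing function is a
# SHA-256 stand-in (assumption), NOT the 802.11i TKIP mixing algorithm.
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) and keystream generation (PRGA), XORed with data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: the RC4 key is the 24-bit IV (sent in clear) followed by the shared key.
    Only 2**24 IVs exist, so on a busy network an IV is bound to repeat."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + rc4(iv + shared_key, plaintext)


def mixed_encrypt(temporal_key: bytes, transmitter: bytes, tsc: int, plaintext: bytes) -> bytes:
    """Per-packet key derived from the temporal key, the transmitter MAC and a
    48-bit sequence counter (TSC), so no two packets from one sender share an
    RC4 key. SHA-256 is a stand-in for TKIP's real mixing function (assumption)."""
    tsc_bytes = tsc.to_bytes(6, "big")
    per_packet_key = hashlib.sha256(temporal_key + transmitter + tsc_bytes).digest()[:16]
    return tsc_bytes + rc4(per_packet_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_second_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 were produced with the same keystream K then
    c1 XOR c2 == (p1 XOR K) XOR (p2 XOR K) == p1 XOR p2, so p2 == c1 XOR c2 XOR p1.
    Returns what an eavesdropper who knows p1 would compute as p2."""
    return xor_bytes(xor_bytes(c1, c2), p1)


def demo() -> dict:
    """Run both schemes on constructed packets and report whether the leak works."""
    shared_key = bytes(range(13))                # constructed 104-bit WEP key
    temporal_key = bytes(range(16))              # constructed 128-bit temporal key
    transmitter = bytes.fromhex("001122334455")  # constructed MAC address
    p1 = b"GET /login HTTP/1.1"                  # constructed packet known to attacker
    p2 = b"POST /admin HTTP/1."                  # constructed packet to be recovered
    iv = b"\x0a\x0b\x0c"                         # the same IV reused for both packets

    wep_c1 = wep_encrypt(shared_key, iv, p1)[3:]
    wep_c2 = wep_encrypt(shared_key, iv, p2)[3:]
    mixed_c1 = mixed_encrypt(temporal_key, transmitter, 1, p1)[6:]
    mixed_c2 = mixed_encrypt(temporal_key, transmitter, 2, p2)[6:]

    return {
        "wep_leaks": recover_second_plaintext(wep_c1, wep_c2, p1) == p2,
        "mixed_leaks": recover_second_plaintext(mixed_c1, mixed_c2, p1) == p2,
    }


if __name__ == "__main__":
    print(demo())  # WEP leaks the second packet, the per-packet-key scheme does not
```

Per-packet keys close this one avenue only; TKIP's Michael integrity check and RC4 itself have known weaknesses of their own, which is why the standard deprecated TKIP in favour of CCMP.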

Lightweight Extensible Authentication Protocol (LEAP)

LEAP is a proprietary Cisco authentication protocol used in wireless networks and
point-to-point connections. It performs an MS-CHAP style challenge/response between the
client and the authentication server and derives dynamic WEP keys that are refreshed with each
re-authentication. Because the challenge/response exposes the password hash to offline
dictionary attacks, Cisco itself recommends replacing LEAP with EAP-FAST or PEAP.

Extensible Authentication Protocol (EAP)

EAP is an authentication framework originally used with the point-to-point protocol (PPP) and
carried over wireless networks by 802.1X. It supports multiple authentication types such as
smart cards, token cards, public-key certificates, etc. Common EAP methods include EAP-TLS,
EAP-TTLS, PEAP, EAP-SIM and EAP-AKA.


• Wireless networks use Radio Frequency (RF) signals to connect wireless-enabled devices in the network
• They follow the IEEE 802.11 standard and use radio waves for communication

Advantages
• Installation is easy and eliminates wiring
• Access to the network can be from anywhere within the range of an access point
• Public places like airports, schools, etc. can offer constant Internet connection using a wireless LAN

Limitations
• Wi-Fi security may not meet expectations
• The bandwidth suffers as the number of users on the network grows
• Wi-Fi standard changes may require replacing wireless components
• Some electronic equipment can interfere with the Wi-Fi network

The computer world is heading towards a new era of technological evolution, using wireless
technologies.
Wireless networking is revolutionizing the way people work and play. By removing the physical
connection or cable, individuals are able to use networks in new ways to make data portable,
mobile and accessible.
A wireless environment opens up many new expansion and workflow possibilities. With
wireless, there is no need to worry if a user wants to move a PC from one office to the next or
wants to work in a location that does not have an Ethernet port.
Wireless networking is very useful in public places including libraries, coffee shops, hotels,
airports and other establishments that offer wireless local area network (LAN) connections.
The most important component of wireless networking is the access point, through which a user
communicates with other mobile or fixed hosts. An access point is a device that contains a radio
transceiver (to send and receive signals) along with an RJ-45 wired network interface, which
allows it to bridge wireless clients onto a standard wired network. For the defender the access
point is also the natural enforcement point: authentication, encryption and traffic filtering for
wireless clients are applied there.

Wireless Technologies
In a wireless network, data is transmitted by means of electromagnetic waves that carry signals
over the communication path.


Types of wireless technologies:

• Wi-Fi
Wi-Fi is the common name for the IEEE 802.11 family of wireless networking standards. This
technology uses radio waves (microwaves) to let electronic devices exchange data or connect
to the Internet. Many devices such as personal computers, laptops, digital cameras and
smartphones support Wi-Fi. Wi-Fi operates in the 2.4 GHz and 5 GHz bands. The computer
needs a wireless adapter that translates data into radio signals and sends them through its
antenna to the access point or router, where the signal is decoded and the data is forwarded
to the Internet or to another network. Hotspots are areas with Wi-Fi availability, where users
can enable Wi-Fi on their devices and connect to the Internet through the hotspot's access
point.
• Bluetooth
Bluetooth transmits data between cell phones, computers and other devices over short
distances, typically up to 10 meters, much less than other modes of wireless communication.
Basic-rate Bluetooth transfers data at about 1 Mbit/s (up to 3 Mbit/s with Enhanced Data
Rate) and operates in the 2.4 GHz band. It is standardized as IEEE 802.15.1 and uses
frequency-hopping spread spectrum to transfer data to other Bluetooth-enabled devices.
• RFID
RFID stands for Radio-Frequency Identification. This technology uses radio-frequency
electromagnetic waves to transfer data from tags attached to objects for automatic
identification and tracking. RFID devices work within a small range, typically up to 20 feet.
• WiMAX
WiMAX stands for Worldwide Interoperability for Microwave Access and belongs to the IEEE
802.16 family of wireless networking standards. It provides long-distance wireless networking
and high-speed Internet: WiMAX signals can cover a distance of several miles with data rates
reaching up to 75 Mbit/s. It uses fixed wireless installations and mobile stations to provide
high-speed data, voice, video calls and Internet connectivity to users. The WiMAX Forum,
which developed the technology, states that nearly 135 countries have deployed over 455
WiMAX networks.


Wired vs. Wireless Networks


The differences between a wired and a wireless network are shown below:

Wired Networks Wireless Networks


High bandwidth Low bandwidth
Low bandwidth variation High bandwidth variation
Low error rates High error rates
More secure Less secure
Less equipment dependent More equipment dependent
Symmetric connectivity Possible asymmetric connectivity
High-power machines Low- power machines
High- resource machines Low-resource machines
Low delay Higher delay
Connected operation Disconnected operation
TABLE 10.1: Wired vs. wireless networks

Wireless network advantages:

• Accessibility: Devices connected to a wireless network can be accessed from any location
within the coverage area.
• Flexibility: Devices may be carried from one location to another within the coverage area.
This helps people access the Internet from any location.
• Efficiency: A wireless network improves the efficiency of employees in an organization, as
they are able to access the Internet and complete their work within the stipulated time
from wherever they are; they can work on the go and do not require a fixed desk.
• Easy to set up: Low cost and short set-up time make a wireless network easier to deploy
than a wired network.
• Security: Current standards (WPA2/WPA3 with 802.1X authentication) provide strong
authentication and encryption for the wireless network when they are configured correctly.
• Expandable: It is easy to expand the coverage area for a particular location by adding
access points.

Wireless network disadvantages:

There are disadvantages for wireless networks when compared to wired networks. They
include:
• Electromagnetic interference caused by another network or other devices may disrupt
the network, leading to slow or lost signals and, in the worst case, loss of connectivity.
• Some locations are not suitable for wireless networking; areas where no signal is available
are termed black spots.
• The radio signal extends beyond the walls of the building, so an attacker within range can
observe or attempt to join the network without physical access to the premises.


TABLE 10.2: Wireless standards (frequency, channel bandwidth, per-stream data rate, modulation, typical range)

Protocol              Frequency    Bandwidth  Stream data rate (Mbit/s)                                Modulation                                     Range indoor / outdoor (m)
802.11 (Wi-Fi)        2.4 GHz      22 MHz     1, 2                                                     DSSS, FHSS                                     20 / 100
802.11a               5 GHz        20 MHz     6, 9, 12, 18, 24, 36, 48, 54                             OFDM                                           35 / 120
                      3.7 GHz      20 MHz     6, 9, 12, 18, 24, 36, 48, 54                             OFDM                                           - / 5000
802.11b               2.4 GHz      22 MHz     1, 2, 5.5, 11                                            DSSS                                           35 / 140
802.11g               2.4 GHz      20 MHz     6, 9, 12, 18, 24, 36, 48, 54                             OFDM                                           -
802.11n               2.4 / 5 GHz  20 MHz     7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2              MIMO-OFDM                                      70 / 150
                      2.4 / 5 GHz  40 MHz     15, 30, 45, 60, 90, 120, 135, 150                        MIMO-OFDM                                      70 / 150
802.11ac              5 GHz        20 MHz     7.2, 14.4, 21.7, 28.9, 43.3, 57.8, 65, 72.2, 86.7, 96.3  MIMO-OFDM                                      35 / -
                      5 GHz        40 MHz     15, 30, 45, 60, 90, 120, 135, 150, 180, 200              MIMO-OFDM                                      35 / -
                      5 GHz        80 MHz     32.5, 65, 97.5, 130, 195, 260, 292.5, 325, 390, 433.3    MIMO-OFDM                                      35 / -
                      5 GHz        160 MHz    65, 130, 195, 260, 390, 520, 585, 650, 780, 866.7        MIMO-OFDM                                      35 / -
802.11ad              60 GHz       2160 MHz   up to 6750 (6.75 Gbit/s)                                 OFDM, single carrier, low-power single carrier 60 / 100
802.15.1 (Bluetooth)  2.4 GHz      -          1-3                                                      FHSS                                           10 / -
802.15.4 (ZigBee)     2.4 GHz (also 868 / 900 MHz bands)  -  0.25                                      -                                              -

Amendments and related standards that define no physical-layer parameters of their own:

802.11d   An enhancement to 802.11a and 802.11b that enables global portability by allowing variation in frequencies, power levels and bandwidth
802.11e   Provides guidance for prioritization of data, voice and video transmissions, enabling QoS
802.11i   A standard for WLANs that provides improved encryption for networks that use 802.11a, 802.11b and 802.11g
802.12    Defines the demand-priority media access control protocol to increase the Ethernet data rate to 100 Mbit/s
802.15    Defines communication specifications for wireless personal area networks (WPANs)
802.15.5  A standard for mesh networks with enhanced reliability via route redundancy
802.16    A group of broadband wireless communication standards for metropolitan area networks (MANs)

IEEE standards
These standards define wireless networking transmission methods. The following are the IEEE
standards:
• 802.11 (Wi-Fi): The original 1997 standard applies to wireless LANs and uses FHSS or DSSS
spread-spectrum techniques in the 2.4 GHz band at 1 and 2 Mbit/s. It allows an electronic
device to join any network over a wireless connection.

• 802.11a: It is the second extension to the original 802.11. It operates in the 5 GHz
frequency band and supports data rates up to 54 Mbit/s using Orthogonal Frequency
Division Multiplexing.

It has a fast maximum speed, but is more sensitive to walls and other obstacles because of
the higher frequency.
• 802.11b: IEEE expanded 802.11 by creating the 802.11b specification in 1999. This
standard operates in the 2.4 GHz ISM band and supports data rates up to 11 Mbit/s using
direct-sequence spread spectrum modulation.

• 802.11d: It is an enhanced version of 802.11a and 802.11b that supports regulatory
domains: the country-specific parameters are carried at the media access control (MAC)
layer, so devices can adapt channels and power levels to local rules.

• 802.11e: It defines Quality of Service (QoS) for wireless applications. The enhanced
service is implemented through modifications to the MAC layer. The standard maintains the
quality of video and audio streaming, real-time online applications, VoIP, etc.

• 802.11g: It is an extension of 802.11 and supports a maximum data rate of 54 Mbit/s
using Orthogonal Frequency-Division Multiplexing (OFDM) in the same 2.4 GHz band as
802.11b.

It is backward compatible with the 802.11b standard, which means 802.11b devices can work
directly with an 802.11g access point.

• 802.11i: It is the security amendment for WLANs and defines the Robust Security Network
(RSN) with improved encryption. 802.11i introduced TKIP (for legacy RC4 hardware) and
CCMP, which is based on AES; the Wi-Fi Alliance's WPA certification covers TKIP and its
WPA2 certification covers CCMP.

• 802.11n: Ratified in 2009. This standard aims to improve the 802.11g standard in terms
of throughput. It operates on both the 2.4 and 5 GHz bands and supports a maximum data
rate of up to 600 Mbit/s with four spatial streams (300 Mbit/s for the common two-stream
devices). It uses multiple transmit and receive antennas (MIMO) and optional 40 MHz
channels to reach these rates. The high-throughput rates are not available with WEP or
TKIP, so in practice 802.11n requires WPA2 (CCMP) encryption.

• 802.11ac: It provides a high-throughput network in the 5 GHz band. It is faster and
more reliable than the 802.11n version. The standard delivers gigabit-class wireless
networking with wider channels (80 and 160 MHz) and more spatial streams.

• 802.11ad: 802.11ad adds a new physical layer for 802.11 networks that works in the
60 GHz spectrum. Propagation in this band is very different from the 2.4 GHz and 5 GHz
bands: the range is short and signals do not penetrate walls, but the very wide channels
give a transfer speed much higher than that of 802.11n.

• 802.12: This wired standard arbitrates media utilization with the demand-priority
protocol. Based on this standard, the Ethernet speed increases to 100 Mbit/s. It is
compatible with 802.3 and 802.5 frame formats, so users on those standards can upgrade
directly to 802.12.

• 802.15: It defines the standards for a wireless personal area network (WPAN). It
describes the specification for wireless connectivity with fixed or portable devices.

• 802.15.1 (Bluetooth): Bluetooth is mainly used for exchanging data over short distances
between fixed and mobile devices.

• 802.15.4 (ZigBee): 802.15.4 is a low-data-rate, low-complexity radio standard. ZigBee is
the specification built on 802.15.4. ZigBee covers long distances by relaying data through a
mesh network. The specification targets applications with a low data rate but long
battery life; its data rate is 250 kbit/s.

• 802.15.5: The standard defines full-mesh or partial-mesh topologies for WPANs. It
includes network initialization, addressing and unicasting.

• IEEE 802.16: It is also known as WiMAX. This standard is a specification for fixed
broadband wireless metropolitan area networks (MANs) that use a point-to-multipoint
architecture.


Ad-hoc Standalone Network Architecture (IBSS - Independent Basic Service Set)

• Devices exchange information with each other directly, as in peer-to-peer communication, without the need of an access point
• To set this mode up properly, first configure the wireless adapter on every device; all of them must use the same channel and SSID to activate the connections

Infrastructure Network Topology (Centrally Coordinated Architecture / BSS - Basic Service Set)

• Devices in the wireless network are connected through an access point
• The access point (often integrated into a wireless router) connects to the Internet via a modem
• Installed in large organizations

To plan and install a wireless network, first determine the type of architecture suited to the
network environment.
There are two types of wireless topologies:

Standalone Architecture (Ad-Hoc mode)

Ad-Hoc mode is also called IBSS (Independent Basic Service Set) mode. Devices connected over
the wireless network communicate with each other directly, as in peer-to-peer
communication. Ad-Hoc mode does not use infrastructure components such as access points,
routers or switches for communication between devices. Configure the wireless adapters on
each device for Ad-Hoc mode rather than infrastructure mode. Adapters for all the devices
must use the same channel and SSID to establish the connections successfully.
This mode works effectively for a small group of devices that are in close proximity to each
other. Performance degrades as the number of devices increases. It is cumbersome for a
network administrator to manage the network in this mode, because devices connect and
disconnect regularly and there is no central point at which policy can be enforced. It cannot be
bridged to a traditional wired network and it does not provide Internet access unless one of the
devices acts as a gateway.
Ad-Hoc mode works well in a small area and does not require any access points (or a router
or switch), which minimizes the cost. It also serves as a backup option when there is a problem
or a malfunction in the access points of a centrally coordinated network (infrastructure mode).
Each adapter has to provide its own security: authentication and encryption are configured and
enforced on every device individually.
The key characteristics of a standalone architecture (autonomous access points that are not
managed by a controller; in a pure Ad-Hoc IBSS there is no access point at all):

• Each access point encrypts and decrypts client traffic itself.

• Each access point operates independently and has its own configuration.
• The configuration does not adapt automatically to changes in the RF conditions.

Centrally Coordinated Architecture (Infrastructure mode)

A Centrally Coordinated Architecture (Infrastructure mode) or BSS (Basic Service Set) mode is
an architecture where all the wireless devices connect to each other through an access point.
This access point (often integrated into a wireless router) reaches the Internet through a
broadband modem. This mode works effectively when deployed in large organizations. It
simplifies network management and helps address operational issues. It provides resiliency
while allowing a large number of systems to connect across the network.

This mode provides enhanced security options, scalability, stability and easy management:
authentication (for example 802.1X) and the encryption policy are enforced at the access point
or controller rather than on every client. The downside is that it is more expensive, since an
access point (and usually a router or switch) is required to connect the devices to each other.
The key characteristics of a controller-based infrastructure mode include:

• The wireless network range is increased or decreased by adding or removing access points.

• The controller reconfigures the network according to changes in the RF footprint.
• The controller regularly monitors and controls the activities on the wireless network by
reconfiguring the access point elements to maintain and protect the network.

• The wireless centralized controller manages all the access point tasks.
• The wireless network controller performs various crucial tasks such as user
authentication, policy creation and enforcement, fault tolerance, network expansion,
configuration control, etc.

• The controller keeps the configuration of every access point and can re-deploy it, or have
neighbouring access points fill the gap, when an access point malfunctions.
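The SSID, the capability bits that distinguish an infrastructure BSS from an ad-hoc IBSS, and the security information elements described in this module all travel in the clear in beacon and probe-response frames, so a defender can classify every network in range from a capture. The following added example (not part of the courseware) parses a minimal 802.11 beacon: it reads the BSSID, the capability field (ESS bit for infrastructure, IBSS bit for ad-hoc, Privacy bit meaning encryption is required), the SSID element (0 to 32 octets, empty for a "hidden" network), the DS Parameter Set (channel) and whether an RSN (WPA2) element is present. The `build_beacon` helper constructs sample frames for testing; the MAC addresses and SSIDs in it are made up.

```python
# Added example: parse the fields of an 802.11 beacon / probe response that a
# defender uses to classify a network (SSID, BSSID, channel, topology, security).
# Frame layout follows IEEE 802.11; the sample frames built below are constructed.
import struct

FC_BEACON = 0x80          # frame control byte 0: type=management, subtype=beacon
FC_PROBE_RESP = 0x50      # probe response carries the same body layout
CAP_ESS = 0x0001          # capability bits
CAP_IBSS = 0x0002
CAP_PRIVACY = 0x0010
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48
HDR_LEN = 24              # FC(2) + duration(2) + addr1/2/3(18) + seq ctrl(2)
FIXED_LEN = 12            # timestamp(8) + beacon interval(2) + capability(2)


def parse_ies(body: bytes):
    """Yield (tag, value) from the tagged-parameter area without over-reading."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:      # truncated element: stop, do not trust it
            break
        yield tag, value
        i += 2 + length


def parse_beacon(frame: bytes) -> dict:
    """Return BSSID, SSID, channel, topology and security class of a beacon."""
    if len(frame) < HDR_LEN + FIXED_LEN or frame[0] not in (FC_BEACON, FC_PROBE_RESP):
        raise ValueError("not a beacon or probe response frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])          # addr3 = BSSID
    _timestamp, _interval, cap = struct.unpack_from("<QHH", frame, HDR_LEN)
    if cap & CAP_ESS:
        mode = "infrastructure"
    elif cap & CAP_IBSS:
        mode = "ad-hoc"
    else:
        mode = "unknown"
    info = {"bssid": bssid, "mode": mode, "privacy": bool(cap & CAP_PRIVACY),
            "rsn": False, "ssid": "", "hidden": False, "channel": None}
    for tag, value in parse_ies(frame[HDR_LEN + FIXED_LEN:]):
        if tag == IE_SSID:
            # SSID is 0..32 octets of arbitrary bytes; empty or all-zero means "hidden"
            info["hidden"] = len(value) == 0 or set(value) == {0}
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAM and len(value) == 1:
            info["channel"] = value[0]
        elif tag == IE_RSN:
            info["rsn"] = True
    if not info["privacy"]:
        info["security"] = "open"
    elif info["rsn"]:
        info["security"] = "WPA2/RSN"
    else:
        info["security"] = "legacy (WEP or WPA1)"   # WPA1 uses a vendor IE, not RSN
    return info


def build_beacon(bssid: bytes, ssid: bytes, channel: int, cap: int, rsn: bool = False) -> bytes:
    """Construct a minimal beacon frame for testing (sample data, not a capture)."""
    header = bytes([FC_BEACON, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAM, 1, channel])
    if rsn:
        ies += bytes([IE_RSN, 2, 1, 0])     # RSN element with only the version field
    return header + fixed + ies


if __name__ == "__main__":
    corp = build_beacon(bytes.fromhex("001122334455"), b"corp-wlan", 6,
                        CAP_ESS | CAP_PRIVACY, rsn=True)
    adhoc = build_beacon(bytes.fromhex("aabbccddeeff"), b"", 11, CAP_IBSS)
    for frame in (corp, adhoc):
        print(parse_beacon(frame))
```

Run over a monitor-mode capture, the same parser gives the inventory a rogue-AP check needs: any BSSID advertising the corporate SSID that is not on the authorized list, any ad-hoc network on the premises, and any network whose security class is "open" or "legacy" when policy requires WPA2, stand out immediately.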


Typical Uses of Wireless Networks

[Figure: four deployment patterns. Extension to a wired network: users reach an access point that bridges to the wired LAN and broadband router. Multiple access points: several access points and extension points cover a larger area behind one Internet connection. LAN-to-LAN wireless network: two LANs (LAN1, LAN2) bridged by a wireless link. 3G hotspot: a 3G USB modem or cell-tower link provides the Internet uplink for local users.]

Wireless networks are classified according to the connection used and the geographical area
they cover.

Using a wireless network based on the connection:

• Extension to a Wired Network
An extension to a wired network is obtained by placing access points between the wired
network and the wireless devices.
In this network, the access point acts like a hub providing connectivity for wireless
computers. It also connects the wireless LAN to the wired LAN, which gives wireless
computers access to LAN resources such as file servers or existing Internet connectivity.
The two types of access points used in this wireless network are:

1. Software access points run on a computer with a wireless network interface card that is
also connected to the wired network.
2. Hardware access points (HAP) provide comprehensive support of most wireless
features. With suitable networking software support, users on the wireless LAN can
share files and printers situated on the wired LAN and vice versa.


The network may be further extended in accordance with the size of the location and the
interference from other devices. This provides the wired/wireless connection across the
location for multiple users.

• Multiple Access Points

Wireless computers connect using multiple access points. If a large area is not covered by a
single access point, use multiple access points or extension points. Extension points are not
defined in the wireless standard. When using multiple access points, the coverage of each
access point must overlap with that of its neighbours. This allows users to move around
seamlessly using a feature called roaming. Some manufacturers develop extension points,
which act as wireless relays extending the range of a single access point. Multiple extension
points can be strung together to give wireless access to locations distant from the central
access point.
• LAN-to-LAN wireless networks

Access points provide wireless connectivity to local computers and to computers on a
different network. All hardware access points have the capability to connect directly to
another hardware access point. Interconnecting LANs using wireless links can be a large and
complex undertaking. Several LAN-enabled PCs can be connected to the access point for
wireless communication.

• 3G Hotspot

A hotspot provides Internet access over a WLAN with the help of a router connected to
the ISP. Many devices may be connected at the same time using a Wi-Fi network adapter.

A 3G hotspot uses the cellular data service of a mobile provider as its uplink; 3G data rates
range from a few hundred kbit/s to several Mbit/s depending on the technology. Client
computers scan for hotspots and identify them by the SSID (network name) of the wireless
network.

Using a wireless network based on the geographic area:

Wireless networks are classified into WLAN, WWAN, WPAN and WMAN based on the area they
cover geographically.

WLAN (Wireless Local-Area Network)

A WLAN is a Wireless Local-Area Network that connects users in a local area to a network.
The area may range from a single room to an entire campus.

• It connects wireless users to the wired network.

• It uses high-frequency radio waves.
• WLAN is also known as a LAWN (Local-Area Wireless Network).

• In 1990, the IEEE (Institute of Electrical and Electronics Engineers) created the 802.11
working group to develop a standard for wireless equipment.
• In peer-to-peer mode, wireless devices within range of each other communicate
directly without using a central access point.


• In infrastructure mode, the access point is wired to the Internet and serves the wireless
users. The access point functions as a mediator between the wired and wireless networks.
• Advantages:

• A WLAN is flexible to install.

• Wireless networks are easy to set up and use.
• Wireless networks are robust: if one base station is down, users can physically move
their PCs into range of another base station.

• It has a better chance of surviving in case of a disaster.

• Disadvantage:

• Data transfer speeds are normally slower than on a wired network.

WWAN (Wireless Wide-Area Network)

The WWAN is a Wireless Wide-Area Network. It covers an area larger than a WLAN.

• It uses cellular network technology such as CDMA, GSM, GPRS and CDPD for data
transmission.

• This technology may cover a particular region, a nation, or even the entire globe.
• The system has a built-in cellular radio (GSM/CDMA), which helps users send or receive
data.
• In a WWAN, the wireless data links consist of fixed microwave links, digital dispatch
networks, wireless LANs, data over cellular networks, wireless WANs, satellite links,
one-way and two-way paging networks, laser-based communications, diffuse infrared,
keyless car entry, the global positioning system and more.

WPAN (Wireless Personal Area Network)

A WPAN is a Wireless Personal-Area Network. It interconnects devices positioned around an
individual, using wireless connections.

• A PAN has a very short range: it can communicate within a range of about 10 meters.
Bluetooth is an example.

• A WPAN interconnects the mobile network devices that people carry with them or have
on their desk.
• A main concept in WPAN technology is "plugging in": when any two WPAN devices come
within a few meters of each other, they can communicate as if they were connected by a
cable.

• Another characteristic of a WPAN is the ability to lock out other devices and prevent
interference.

• Every device in a WPAN can connect to any other device in the same WPAN, but they
must be within physical range of each other. Bluetooth is the best-known example of a WPAN.


WMAN (Wireless Metropolitan-Area Network)

A WMAN covers a metropolitan area such as an entire city or suburb.

• It reaches broadband networks by using an exterior antenna.

• It is a good alternative to a fixed-line network: it is simple to build and inexpensive.
• In a WMAN, the subscriber stations communicate with a base station that is connected to a central network or hub.

• A WMAN uses wireless infrastructure or optical fiber connections to link the sites.
• A WMAN links WLANs together. Distributed Queue Dual Bus (DQDB) is the MAN standard for data communications specified by IEEE 802.6. With DQDB, a network can be established over 30 miles at speeds of 34 to 154 Mbit/s.


Components of a Wireless Network

• Access Point: a hardware device that allows wireless communication devices to connect to a wireless network through wireless standards such as Bluetooth, Wi-Fi, etc.

• Wireless Cards (NIC): systems connected to the wireless network require a network interface card (NIC) to establish the connection.

• Wireless Modem: a device that receives and transmits network signals to other units without physical cabling.

• Wireless Bridge: connects multiple LANs at the MAC layer; the LANs are separated either logically or physically. It is used to increase the wireless coverage area.


Components of a Wireless Network (Cont'd)

• Wireless Repeater: retransmits the existing signal captured from the wireless router or access point to extend the coverage of the same network.

• Wireless Router: performs the functions of a router as well as a wireless access point and provides Internet access to various devices.

• Wireless Gateway: routes data packets and functions as a wireless access point. An Internet connection can be shared between multiple stations.

• Wireless USB Adapter: gives a device without a built-in wireless card access to a wireless network through its USB port.


Typical wireless components are the devices that connect to, or form, the network.

The key components of a wireless network include:

• Wireless Access Point (WAP):

A wireless access point is a hardware device that uses the infrastructure network mode to connect wireless components to a wired network for data transmission. It serves as a switch or hub between the wired LAN and the wireless network. It has a built-in transmitter, receiver and antenna. Additional ports on the WAP help expand the network and provide access to additional clients. The number of APs depends on the network size; multiple APs serve more wireless clients and in turn expand the wireless network range. The rated transmission range (the distance a client may be from the access point) is a default maximum value, but access points transmit usable signals well beyond the default range. The distance a wireless access point signal travels depends on the wireless standard, obstructions and environmental conditions between the clients and the access points. A defender should assume that the signal, and with it the attack surface, extends past the building walls.
The transmission range and number of devices that a WAP can connect depend on the wireless standard used and the signal interference between the devices. In the infrastructure network design, multiple access points can be used to cover an extensive area, or a single access point can cover a small geographical area such as a building or home.

• Wireless Network Cards:

Wireless network cards or wireless network adapters (wireless NICs) are cards that locate the access point with the strongest signal and communicate with it, giving users network access. One is required on each device that connects to the wireless network. Laptops or desktop computers generally have built-in wireless NICs or have slots to attach them. There are two types of plug-in cards: PCMCIA and PCI. Laptops have slots for PCMCIA plug-in cards, whereas desktop computers have internal slots for PCI cards. The functionality of a wired network card and a wireless network card is similar. The difference is that a wired network card has a port to connect a cable, whereas a wireless network card has a built-in antenna to connect over the wireless network. Typically, computers with a PCI bus or USB ports can connect to a wireless NIC.
A NIC handles data transmission as follows:

• Conversion of the computer's internal data from parallel to serial before transmission.

• Division of the data into small blocks (frames) which carry both the sending and receiving addresses.

• Determining when to send the frames to the destination.

• Delivery of the frames.


• Wireless Modem:
A wireless modem is a device that allows PCs to connect to a wireless network and access the Internet directly through an Internet Service Provider (ISP). It receives and transmits network signals to other units without a physical cable. Wi-Fi routers can only provide Internet service within a confined range, whereas wireless modems can be used almost anywhere a mobile phone has coverage. Portable devices such as laptops, mobile phones and PDAs use wireless modems to receive signals over the air, like a cellular network. There are various types of wireless modems, and users choose one based on their needs. Common types include:

• Cards: the oldest form of wireless connection. The two types are data cards and connect cards, which are available from mobile providers and used by laptops, PCs and routers. They are small and easy to use.

• USB sticks: connect quickly to the Internet through a wireless modem. They resemble a USB flash drive and fit into the USB port of a laptop. Computers require special drivers and software to use them. They are portable.

• Mobile hotspots.

• Wireless routers.
Features to consider when choosing a wireless modem:

• Speed of the modem

• Protocols it can support, such as Ethernet, GPRS, ISDN, EVDO, Wi-Fi, CDPD

• Frequency band (900 MHz, 2.4 GHz, 23 GHz, 5 GHz)

• Radio technique, such as direct sequence spread spectrum or frequency hopping

• Total number of channels for transmitting and receiving

• Maximum signal strength

• Full duplex or half duplex capability

• Wireless Bridge:
A wireless bridge connects multiple LANs at the MAC layer. The bridged networks may be separated either logically or physically. Bridges cover longer distances than APs. Some wireless bridges support point-to-point connections to a single remote bridge or AP, and some support point-to-multipoint connections to several. Wireless bridging connects two LAN segments through a wireless link. The two segments reside on the same subnet and look, to all computers within the subnet, like two Ethernet switches connected with a cable. Broadcasts reach all the machines on that subnet, allowing DHCP clients in one segment to obtain addresses from a DHCP server in the other segment. A wireless bridge can be used, for example, to connect computers in one room to computers in another room without a cable.

• Wireless Repeater (range expander):

This device retransmits the existing signal captured from the wireless router or access point so as to extend the same network. It works as an access point and as a station simultaneously. Clients that are too far from the router or access point can join the same wireless local area network via a repeater: it takes the signal from the wireless access point and transmits it into the uncovered area. These repeaters require an omni-directional antenna. The repeater captures, boosts and retransmits the signal.

• Wireless Router:

A wireless router is a device in a wireless local area network (WLAN) that interconnects two types of networks, relaying traffic over radio waves to wireless-enabled devices such as computers, laptops and tablets. It functions as a router in the LAN but also gives users mobility. Wireless routers can filter network traffic based on the sender's and receiver's IP addresses. A wireless router provides strong encryption, filters MAC addresses and controls SSID broadcast and authentication. Note that MAC filtering and SSID hiding are not security controls on their own: MAC addresses and SSIDs travel in the clear in 802.11 management and data frames and are trivially observed and spoofed, so the real protection comes from the encryption and authentication discussed later in this module.

• Wireless Gateway:

A wireless gateway is a key component of a wireless network. It is a device that allows Internet-enabled devices to share the connection. It combines the functions of a wireless access point and a router. Wireless gateways provide features such as NAT, which translates the private addresses of the internal devices to the gateway's public IP address, and DHCP.

• Wireless USB Adapter:

A wireless USB adapter enables wireless network and Internet access through a USB port on a computer. It also supports communication links and syncing between two or more devices. There are three main varieties of wireless adapter:

• Cellular

• Bluetooth

• Wi-Fi


Components of a Wireless Network: Antenna

• An antenna converts electrical impulses into radio waves and vice versa.

• Directional Antenna: used to broadcast and obtain radio waves from a single direction.

• Omnidirectional Antenna: provides a 360 degree horizontal radiation pattern. It is used in wireless base stations.

• Parabolic Grid Antenna: based on the principle of a satellite dish; it can pick up Wi-Fi signals from a distance of ten miles or more.

• Yagi Antenna: a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF.

• Dipole Antenna: a bidirectional antenna, used to support client connections rather than site-to-site applications.

• Reflector Antennas: used to concentrate EM energy which is radiated or received at a focal point.


An antenna is a device designed to transmit and receive electromagnetic waves, in this case radio waves. An antenna is a collection of metal rods and wires that capture radio waves and translate them into electrical current, and vice versa. The size and shape of an antenna are designed according to the frequency of the signal it is meant to receive.

• A high-gain antenna is highly focused, while a low-gain antenna receives or transmits over a wide angle.

• An antenna is a transducer: it translates radio frequency fields into AC current and vice versa.

Antenna Functions
The antenna functions are:
• Transmission line:
Antennas transmit or receive radio waves from one point to another. This power transmission takes place in free space through natural media such as air, water and earth, instead of through a conductor.

• Radiator:
It radiates the energy effectively. This radiated energy is transmitted through the medium. A resonant radiator is typically half a wavelength long.


• Resonator:
An antenna is also a resonator. Resonant antennas are narrowband, so in broadband applications the resonances that occur must be damped.

Antenna Characteristics
The characteristics of an antenna are:

• Operating frequency band: the range of frequencies over which the antenna is designed to work (for example, 960 MHz to 1215 MHz for a particular model).
• Transmit power: the power the antenna is rated to handle (for example, 1200 W peak and 140 W average).

• Typical gain: gain is the ratio of the power radiated (or received) in the antenna's strongest direction to the power an isotropic radiator would radiate with the same input. It is measured in decibels relative to an isotropic radiator (dBi); a typical small omnidirectional antenna has a gain of around 3.0 dBi.

• Radiation pattern: the radiation pattern of an antenna is a 3-D plot. It is generally shown as two cuts: elevation and azimuth.

• Directivity: the directivity of an antenna is a measure of radiated power in a particular direction. It is the ratio of the radiation intensity in a given direction to the average radiation intensity over all directions.

• Polarization: the orientation of the electromagnetic waves from the source. There are a number of polarizations: linear (vertical or horizontal) and circular (Left Hand Circular, LHCP, and Right Hand Circular, RHCP).

The common types of wireless antennas are:

• Directional Antenna:

A directional antenna broadcasts and receives radio waves from a single direction. To improve transmission and reception, the directional antenna is designed to work effectively in a specified direction. This also helps in reducing interference.

• Omnidirectional Antenna:

Omnidirectional antennas radiate electromagnetic energy in all directions. They usually radiate strong waves uniformly in two dimensions, but not as strongly in the third. These antennas are efficient in areas where wireless stations use time division multiple access technology. A good example of an omnidirectional antenna is the one used by radio stations. These antennas are effective for radio signal transmission because the receiver may not be stationary; a radio can receive the signal regardless of where it is.

• Advantages:

o An omnidirectional antenna can deal with signals from any direction.

• Disadvantages:

o Much of the range of an omnidirectional antenna may be wasted because of interference from walls and other obstacles. It is difficult for an omnidirectional antenna to work well in an indoor environment.


• Parabolic Grid Antenna:

A parabolic grid antenna relies on the principle of a satellite dish, but it does not have a solid backing. Instead, this kind of antenna has a semi-dish formed by a grid made of aluminum wire. Grid parabolic antennas can achieve very long distance Wi-Fi transmissions by using a highly focused radio beam. The same principle lets large dish antennas receive weak radio signals from spacecraft millions of miles away.

• Advantages:

o A parabolic grid antenna is wind resistant.

• Disadvantages:

o A parabolic grid antenna is expensive, as it requires a feed system for reflecting the radio signals.

o Along with the feed system, the antenna requires a reflector as well. Assembling these components makes the installation time consuming.

• Yagi Antenna:

A Yagi antenna is a unidirectional antenna commonly used in communications for a frequency band of 10 MHz to VHF and UHF. The main objectives of this antenna are to improve the gain and reduce the noise level of a radio signal. It not only has a unidirectional radiation and response pattern, but also concentrates the radiation and response. It consists of a reflector, a driven dipole and directors. This antenna develops an end-fire radiation pattern. The other name of the Yagi antenna is Yagi-Uda antenna.

• Advantages:

o A Yagi antenna offers good range and ease of aiming.
o The Yagi antenna is directional, focusing the entire signal in one direction. This results in high throughput.
o The installation and assembly of the antenna is easy and less time consuming compared with other antennas.

• Disadvantages:

o The antenna is very large, especially for high gain levels.

• Dipole Antenna:

A dipole is a straight electrical conductor measuring half a wavelength from end to end and connected at its center to the RF feed line. The other name of the dipole antenna is "doublet". It is bilaterally symmetrical, so it is inherently a balanced antenna. Usually, a balanced parallel-wire RF transmission line feeds this kind of antenna.

• Advantages:

o A dipole antenna offers balanced signals. With the two-pole design, the device receives signals from a variety of frequencies.


• Disadvantages:

o Although the indoor dipole antenna might be small, the outdoor dipole can be
much larger, making it difficult to manage.

o To get the perfect frequency, antennas are required to undergo multiple


combinations. This can be a hassle especially in the case of outdoor antennas.

• Reflector Antennas:

Reflector antennas are used to concentrate EM energy that is radiated or received at a


focal point. These reflectors are generally parabolic.

• Advantages:

o If the surface of the parabolic antenna is within the tolerance limit, it can be used
as a primary mirror for all the frequencies. This can prevent interference while
communicating with other satellites.

o The larger the antenna reflector in terms of wavelengths, the higher the gain.

• Disadvantage:

o Reflector antennas reflect radio signals, the manufacturing cost of the antenna is
high.


WEP (Wired Equivalent Privacy) Encryption
• WEP is a security protocol defined by the 802.11b standard; it was designed to provide a wireless LAN with a level of security and privacy comparable to a wired LAN

• A 24-bit arbitrary number known as the Initialization Vector (IV) is added to the WEP key. The WEP key and the IV together are called the WEP seed

• The 64, 128, and 256-bit WEP versions use 40, 104, and 232-bit keys respectively

• The WEP seed is used as the input for the RC4 algorithm to generate a keystream (the keystream is bit-wise XORed with the combination of data and ICV to produce the encrypted data)

• The CRC-32 checksum is used to calculate a 32-bit Integrity Check Value (ICV) for the data, which, in turn, is added to the data frame

• The IV field (IV+PAD+KID) is added to the cipher text to generate a MAC frame

[Figure: WEP encryption. The IV and a key from the WEP key store (K1-K4) form the WEP seed, which RC4 expands into a keystream; the data plus its CRC-32 ICV is XORed with the keystream; the IV, PAD and KID fields are prepended to the ciphertext to form the WEP-encrypted packet (frame body of the MAC frame).]


The 802.11 MAC specifies a protocol called Wired Equivalent Privacy (WEP). The objective of WEP is to make WLAN communication as trustworthy as wired LAN communication. WEP was meant to provide two vital properties for wireless security: data integrity and data confidentiality. WEP uses a shared key together with a symmetric stream cipher called RC4.
A standard 64-bit WEP key is entered as a string of 10 hexadecimal (base 16) characters (0-9, A-F). Each character represents 4 bits, so 10 digits of 4 bits is 10 * 4 = 40 bits (WEP-40). The 40-bit key is then combined with a 24-bit Initialization Vector (IV), which completes the 64-bit WEP seed (4 * 10 = 40 bits + 24-bit IV = 64-bit WEP key).
Another WEP standard is 128-bit WEP, which uses a 104-bit key. The 128-bit key is entered as 26 hexadecimal characters: 26 digits * 4 bits = 104-bit key. Again, adding the 24-bit IV gives 104 bits + 24 bits = 128-bit WEP key.
Similarly, 152-bit and 256-bit WEP are available, using a 128-bit and a 232-bit key respectively. Adding the 24-bit IV to the 128-bit key and the 232-bit key gives the 152-bit and 256-bit WEP seeds. Note that the IV is sent in the clear, so only the key portion is secret; the advertised "64-bit" or "128-bit" strength overstates the actual key length.
The steps involved in how WEP works when using RC4:
• Packets to be transmitted are passed through an integrity check algorithm (CRC-32) in order to generate a checksum (the checksum is meant to detect changes to the message).
• The 24-bit Initialization Vector (IV) together with the 40-bit WEP key produces the 64-bit seed.


• RC4 uses this seed to generate the keystream. The keystream has the same length as the plaintext (the original message with the checksum included).
• The keystream is XORed with the plaintext plus the checksum. This generates the ciphertext, i.e. the encrypted packet.
• The receiver, on the other hand, takes the encrypted text and XORs it with the same keystream (regenerated from the IV carried in the frame and the shared key) to recover the original message. The receiver then recomputes the checksum and compares it with the received ICV to validate the message.

WEP Issues
WEP has the following issues:
1. CRC-32 is not sufficient to ensure the cryptographic integrity of a packet:
• CRC-32 is linear, so an attacker can flip chosen bits in the encrypted stream and adjust the encrypted checksum so that the packet is still accepted, without knowing the key.
2. IVs are 24 bits:
• An AP broadcasting 1500-byte packets at 11 Mb/s would exhaust the entire IV space in about five hours.
3. Known plaintext attacks:
• When there is an IV collision, the two packets share a keystream; an attacker who knows (or can guess) the plaintext of one packet recovers the keystream for that IV and decrypts the other.
4. Dictionary attacks:
• WEP keys are commonly derived from a password.
• The small IV space allows the attacker to build a decryption table of keystreams indexed by IV.
5. Denial of service:
• Association and disassociation messages are not authenticated.
6. Eventually, an attacker can construct a decryption table of reconstructed keystreams:
• With about 24 GB of space, an attacker can use this table to decrypt WEP packets in real time.
7. A lack of centralized key management makes it difficult to change WEP keys with any regularity.
8. The IV is a value that is used to randomize the keystream, and each packet carries an IV:
• The standard allows only 24 bits, which can be used up within hours at a busy AP.
• IV values can be reused.
9. The standard does not dictate that each packet must have a unique IV, so vendors use only a small fraction of the available 24-bit values:
• A mechanism that depends on randomness is then not random at all, and attackers can easily recover the keystream and decrypt other messages.
WEP has been deprecated since 802.11i was ratified in 2004 and should not be deployed; it is described here so that the weaknesses WPA and WPA2 were designed to fix are understood.
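The WEP construction above and issues 1 and 3 of the list, as an added example (not courseware code). It implements RC4 and the CRC-32 ICV as WEP uses them, encrypts a frame, then shows an attacker flipping bits in the ciphertext while the ICV still validates, and two frames under a reused IV leaking the XOR of their plaintexts. The key, IV and payloads are constructed for the demonstration; the 4-byte IV/KeyID header and little-endian ICV layout are this example's own choices, not a claim about any specific driver's byte order.

```python
"""WEP: RC4 + CRC-32 ICV, the CRC bit-flip forgery, and IV reuse.
Added example for illustration; the key, IV and payloads below are constructed."""
import zlib


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the keystream generator, as WEP uses it."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                               # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """32-bit Integrity Check Value: plain CRC-32 (little-endian here by choice)."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Frame body = IV (3) | PAD+KeyID (1) | RC4(IV||key) XOR (data || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13, 16, 29)   # WEP-40/104/128/232
    seed = iv + key                                       # the "WEP seed"
    keystream = rc4_keystream(seed, len(data) + 4)
    return iv + bytes([key_id << 6]) + xor(data + icv(data), keystream)


def wep_decrypt(key: bytes, frame: bytes):
    """Regenerate the keystream from the cleartext IV; return (data, icv_ok)."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data, received_icv = plain[:-4], plain[-4:]
    return data, icv(data) == received_icv


def flip_bits(frame: bytes, offset: int, delta: bytes) -> bytes:
    """Attacker (no key): XOR delta into the ciphertext and patch the encrypted ICV.
    CRC-32 is affine: crc(d ^ m) = crc(d) ^ crc(m) ^ crc(zeros), so the ICV
    correction depends only on the attacker's delta, not on the unknown data."""
    data_len = len(frame) - 4 - 4                         # strip header and ICV
    delta_full = bytearray(data_len)
    delta_full[offset:offset + len(delta)] = delta
    icv_fix = zlib.crc32(bytes(delta_full)) ^ zlib.crc32(bytes(data_len))
    mask = bytes(4) + bytes(delta_full) + icv_fix.to_bytes(4, "little")
    return xor(frame, mask)


# Constructed demo values (not real network data).
KEY = bytes.fromhex("0123456789")                         # 40-bit WEP-40 key
IV = bytes.fromhex("a1b2c3")                              # 24-bit IV
MSG1 = b"ACTION=ALLOW src=10.0.0.9"
MSG2 = b"ACTION=ALLOW src=10.0.0.7"                       # same length as MSG1


def demo() -> dict:
    frame = wep_encrypt(KEY, IV, MSG1)
    data, ok = wep_decrypt(KEY, frame)

    # Issue 1: forge ALLOW -> BLOCK in transit; the receiver's ICV check still passes.
    forged = flip_bits(frame, MSG1.index(b"ALLOW"), xor(b"ALLOW", b"BLOCK"))
    forged_data, forged_ok = wep_decrypt(KEY, forged)

    # Issue 3: a reused IV means a reused keystream, so c1 ^ c2 == p1 ^ p2.
    frame2 = wep_encrypt(KEY, IV, MSG2)
    leak = xor(frame[4:], frame2[4:])[:len(MSG1)]

    return {
        "decrypt_ok": ok and data == MSG1,
        "forged_icv_ok": forged_ok,
        "forged_data": forged_data,
        "iv_reuse_leaks_xor": leak == xor(MSG1, MSG2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The forgery works because CRC-32 commutes with XOR up to a length-dependent constant, so the attacker never needs the keystream to keep the ICV consistent; a keyed MAC (TKIP's Michael, or CCMP's CBC-MAC) closes this hole. The IV-reuse leak is why a 24-bit IV space exhausted in hours is fatal rather than merely untidy.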


WPA (Wi-Fi Protected Access) Encryption
• WPA is a security protocol defined by the 802.11i standard; it uses the Temporal Key Integrity Protocol (TKIP), which utilizes the RC4 stream cipher with 128-bit keys and a 64-bit MIC integrity check to provide stronger encryption and authentication
• The temporal encryption key, transmit address, and TKIP sequence counter (TSC) are used as input to the RC4 algorithm to generate a keystream
• A MAC Service Data Unit (MSDU) and the message integrity check (MIC) computed with the Michael algorithm are combined
• The combination of the MSDU and the MIC is fragmented to generate the MAC Protocol Data Unit(s) (MPDU)
• A 32-bit ICV is calculated for the MPDU; the combination of the MPDU and the ICV is then bitwise XORed with the keystream to produce the encrypted data
• The IV is added to the encrypted data to generate the MAC frame

[Figure: TKIP encryption. The transmit address, temporal key and TSC pass through the key-mixing phases to produce the per-packet WEP seed; the MIC key, DA/SA and MSDU go through Michael to produce the MIC; MSDU + MIC is fragmented into MPDUs; each MPDU plus its ICV is XORed with the RC4 keystream; the header, IV and ciphertext form the packet to transmit.]

Wi-Fi Protected Access (WPA) is a security standard for Wi-Fi connections. WPA provides refined data encryption and user authentication techniques. WPA uses TKIP for data encryption; TKIP addresses the weaknesses of WEP by adding per-packet key mixing, message integrity checks, an extended initialization vector and re-keying mechanisms.

WEP normally uses a 40-bit or 104-bit encryption key, whereas TKIP derives a fresh 128-bit key for each packet. The message integrity check in WPA prevents an attacker from changing or replaying packets. TKIP uses the Michael integrity check algorithm with a message integrity check key to generate the MIC value.
WPA requires 802.1X authentication and changes both the unicast and global encryption keys. TKIP is used with the unicast encryption key and changes the key for every packet, enhancing security. This per-packet key change is coordinated between the client and the access point. For the global encryption key, the access point advertises the change in the key to the connected wireless clients.

What is the Temporal Key Integrity Protocol (TKIP)?

TKIP is comprised of three main elements that strengthen the encryption:

• A key mixing function for individual packets.

• An enhanced Message Integrity Code (MIC) function named Michael.

• An improved IV, including sequencing rules (the TKIP sequence counter) that reject replayed frames.


TKIP was a short-term fix for WEP, deployable as a simple software/firmware upgrade. A number of design compromises were made in order to maintain backward compatibility with the large amount of existing hardware in the field. TKIP addresses all of the identified weaknesses of WEP, but because it still rides on RC4 it has since been deprecated in favor of CCMP.

WPA works using the following steps

• The temporal key, the transmitter address (TA) and the TKIP sequence counter (TSC, which also serves as the IV) are combined by a two-phase key mixing function to generate a 128-bit per-packet WEP seed (a 24-bit IV plus a 104-bit RC4 key). This seed is fed to RC4 to produce a keystream of the same length as the data to be protected

• The MAC destination and source addresses, the priority and the MSDU are combined with the MIC key by the Michael function to produce the 8-byte MIC value

• The MSDU with the MIC appended is fragmented into one or more MPDUs. A CRC-32 checksum (ICV) is then attached to each MPDU

• Each MPDU along with its checksum is XORed with the keystream to produce the cipher text

• The receiver XORs this cipher text with the same keystream to recover the original message, then verifies the ICV, the TSC (replay check) and the MIC
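The Michael MIC from the second step, as an added example (not courseware code). It implements the Michael block function and padding as specified for TKIP, computes the MIC over DA || SA || priority || three zero bytes || MSDU as the standard does, and checks itself against the IEEE 802.11i test vector (a key of eight zero bytes and an empty message give MIC 82925c1ca1d130b8). The MIC key, addresses and payload in the demonstration are constructed.

```python
"""TKIP Michael message integrity code. Added example; demo values are constructed."""
M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & M32


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & M32


def _xswap(x: int) -> int:
    """Swap the two bytes of each 16-bit half of the word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l: int, r: int):
    """Michael block function b(L, R): four rounds of XOR, rotate/swap, add mod 2^32."""
    r ^= _rotl(l, 17)
    l = (l + r) & M32
    r ^= _xswap(l)
    l = (l + r) & M32
    r ^= _rotl(l, 3)
    l = (l + r) & M32
    r ^= _rotr(l, 2)
    l = (l + r) & M32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """8-byte MIC of msg under the 64-bit key; all words are little-endian."""
    assert len(key) == 8, "Michael key is 64 bits"
    l = int.from_bytes(key[:4], "little")
    r = int.from_bytes(key[4:], "little")
    padded = msg + b"\x5a" + b"\x00" * 4          # terminator byte plus four zeros,
    padded += b"\x00" * (-len(padded) % 4)        # then pad to a 32-bit boundary
    for i in range(0, len(padded), 4):
        l ^= int.from_bytes(padded[i:i + 4], "little")
        l, r = _block(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP runs Michael over DA || SA || priority || 3 reserved zero bytes || MSDU,
    so the addresses are bound to the payload and cannot be swapped in transit."""
    return michael(mic_key, da + sa + bytes([priority, 0, 0, 0]) + msdu)


def receiver_check(mic_key: bytes, da: bytes, sa: bytes, priority: int,
                   msdu: bytes, mic: bytes) -> bool:
    """Receiver side: recompute and compare. A second MIC failure within 60 seconds
    triggers the TKIP countermeasures (rekey and a one-minute suspension)."""
    return tkip_mic(mic_key, da, sa, priority, msdu) == mic


# Constructed demo values.
MIC_KEY = bytes.fromhex("0f0e0d0c0b0a0908")
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")
MSDU = b"GET /admin HTTP/1.1\r\n"


def demo() -> dict:
    mic = tkip_mic(MIC_KEY, DA, SA, 0, MSDU)
    tampered = bytearray(MSDU)
    tampered[5] ^= 0x01                                   # one bit flipped in transit
    return {
        "vector_ok": michael(bytes(8), b"") == bytes.fromhex("82925c1ca1d130b8"),
        "genuine_accepted": receiver_check(MIC_KEY, DA, SA, 0, MSDU, mic),
        "tampered_rejected": not receiver_check(MIC_KEY, DA, SA, 0, bytes(tampered), mic),
        "swapped_addresses_rejected": not receiver_check(MIC_KEY, SA, DA, 0, MSDU, mic),
    }


if __name__ == "__main__":
    print(demo())
```

Michael was chosen because it uses only shifts, XORs and 32-bit additions that WEP-era chipsets could run in software; it is deliberately weak (about 20 bits of security against forgery), which is why the countermeasures above exist and why the WEP-style bit-flip of the previous section no longer goes unnoticed.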

Types of WPA
1. WPA-Personal: this version uses a set-up passphrase (pre-shared key) and protects against unauthorized network access.

2. WPA-Enterprise: it authenticates each network user through an authentication server.

Features of WPA
• WPA Authentication: WPA requires 802.1X authentication. WPA uses a pre-shared key for environments without a Remote Authentication Dial-In User Service (RADIUS) infrastructure and uses the Extensible Authentication Protocol (EAP) with RADIUS for environments that have a RADIUS infrastructure.
• WPA Key Management: it is necessary to change both the unicast and global encryption keys while using WPA. The Temporal Key Integrity Protocol (TKIP) changes the key for every frame when using the unicast key. In the case of the global key, WPA requires the wireless access point to announce the changed key to the connected wireless clients.

• Temporal Key Management: in WPA, encryption with TKIP is required. TKIP replaces WEP's static keying with a per-packet keying scheme that is stronger than the standard WEP algorithm.

• Michael Algorithm: 802.11 and WEP data use a 32-bit integrity check value (ICV) to check integrity. In WPA, Michael is the algorithm that computes an 8-byte Message Integrity Code (MIC) using only operations that existing wireless hardware and firmware can perform.

• AES Support: WPA supports the Advanced Encryption Standard (AES) as a substitute for WEP-style encryption. This support is optional and depends on vendor driver support.


• Supporting a Mixture of WPA and WEP Wireless Clients: a wireless AP can serve both WEP and WPA clients simultaneously, to help the gradual transition of WEP-based wireless networks to WPA. Mixed mode should be temporary: while any WEP client is allowed, the network is only as strong as WEP.


WPA2 Encryption
• WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based encryption mode with strong security

WPA2-Personal
• WPA2-Personal uses a set-up password (Pre-shared Key, PSK) to protect against unauthorized network access
• In PSK mode each wireless network device encrypts the network traffic using a 128-bit temporal key that is ultimately derived from a passphrase of 8 to 63 ASCII characters

WPA2-Enterprise
• It includes EAP or RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates etc.
• Users are assigned login credentials by a centralized server which they must present when connecting to the network

WPA2 is based on the IEEE 802.11i standard for data encryption and replaced WPA as the required certification in 2006. This protocol provides greater protection than WPA and WEP. It uses the Advanced Encryption Standard (AES) to encrypt the data over wireless networks through the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism.

There are two modes of authentication in WPA2:

• WPA2-Personal: mostly used in home networks. It suits homes or locations where authentication servers are not used. Each wireless device uses the same 256-bit Pairwise Master Key (PMK), derived from the passphrase and the network SSID with PBKDF2 (4096 iterations), to authenticate with the AP. From that shared PMK, the four-way handshake between each client and the AP derives a fresh per-client Pairwise Transient Key for the session, and the group key is rotated periodically. Because every device holds the same passphrase, a passphrase that is short or appears on a wordlist can be recovered offline by an attacker who captures a single handshake.

• WPA2-Enterprise: mostly used for securing wireless networks in organizations. It supports networks that include authentication servers. It uses EAP with RADIUS for centralized client authentication using multiple authentication methods, such as token cards, Kerberos, certificates, etc. WPA2-Enterprise gives every client its own master key from the EAP exchange, hidden from the user, which provides additional security and prevents the sharing of keys.

How WPA2 Works


During a CCMP implementation, additional authentication data (AAD) is generated from the MAC
header and included in the encryption process that uses both AES and CCMP. Because of this, the
non-encrypted portion of the frame is protected from alteration or distortion. The protocol uses
a sequenced packet number (PN) and a portion of the MAC header to generate a Nonce that it uses
in the encryption process. The protocol gives plaintext data, temporal keys, AAD and Nonce as
input to the encryption process that uses both AES and CCMP algorithms. The PN is included in
the CCMP header to protect against replay attacks. The results from the AES and CCMP algorithms
are encrypted text and an encrypted MIC value. Finally, the assembled MAC header, CCMP header,
encrypted data and encrypted MIC form the WPA2 MAC frame. The following diagram depicts the
functions of WPA2.

[Figure: the MAC header (priority, destination address), PN, temporal key and plaintext data
feed the "Build AAD", "Build Nonce" and "Build CCMP header" steps; AAD, Nonce, temporal key
and plaintext go through AES-CCMP; the resulting MAC header, CCMP header, encrypted data and
encrypted MIC are assembled into the WPA2 MAC frame.]

FIGURE 10.1: Working of WPA2

• Additional authentication data is taken from the MAC header and fed into the CCMP
implementation of WPA2.

• The packet number (PN) carried in the CCMP header is used to create the Nonce for the
encryption process.
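As an added illustration of the CCMP frame fields just described (example code written for this edit, not code from the CND courseware): it builds the CCMP header, the Nonce and the AAD from a constructed 802.11 data frame header and packet number, and shows the receiver-side PN check that drops replayed frames. The AES-CCM encryption step itself is not implemented; the MAC addresses and PN values are constructed sample data.

```python
"""CCMP (WPA2) frame fields: CCMP header, Nonce, AAD and the PN replay check.

Added example, not code from the CND courseware. Field layouts follow the
CCMP section of IEEE 802.11, restricted to a 3-address, non-QoS data frame.
The AES-CCM encryption step is deliberately left out; the MAC addresses and
PN values used below are constructed sample data.
"""
import struct

FC_DATA = 0x0008       # Frame Control: type = Data, subtype = 0
FC_PROTECTED = 0x4000  # Protected Frame bit (bit 14) set for encrypted frames


def build_mac_header(fc, a1, a2, a3, seq_ctrl):
    """24-byte 802.11 MAC header: FC | Duration | A1 | A2 | A3 | Sequence Control."""
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq_ctrl)


def build_ccmp_header(pn, key_id=0):
    """8-byte CCMP header: PN0 PN1 | Reserved | KeyID/ExtIV | PN2 PN3 PN4 PN5."""
    if not 0 <= pn < 1 << 48:
        raise ValueError("PN must fit in 48 bits")
    pn_le = pn.to_bytes(6, "little")           # PN0 is the least significant octet
    key_octet = 0x20 | ((key_id & 0x3) << 6)   # bit 5 (ExtIV) is always 1 for CCMP
    return pn_le[0:2] + b"\x00" + bytes([key_octet]) + pn_le[2:6]


def parse_ccmp_header(hdr):
    """Return (pn, key_id); reject anything without the ExtIV bit set."""
    if len(hdr) != 8 or not hdr[3] & 0x20:
        raise ValueError("not a CCMP header")
    pn = int.from_bytes(hdr[0:2] + hdr[4:8], "little")
    return pn, hdr[3] >> 6


def build_nonce(mac_header, pn, priority=0):
    """13-byte CCM Nonce = priority octet | A2 (transmitter address) | PN (PN5..PN0)."""
    a2 = mac_header[10:16]
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def build_aad(mac_header):
    """AAD for a 3-address, non-QoS data frame (22 bytes).

    Header bits that may change on retransmission are masked so that the MIC
    still verifies: subtype bits 4-6, Retry, Power Management, More Data and
    Order are cleared, Protected Frame is forced to 1, and the sequence number
    (but not the fragment number) is cleared in Sequence Control.
    """
    fc0 = mac_header[0] & 0x8F            # clear subtype bits 4-6
    fc1 = (mac_header[1] & 0x07) | 0x40   # clear bits 11-13 and 15, set bit 14
    sc0 = mac_header[22] & 0x0F           # keep the fragment number only
    return bytes([fc0, fc1]) + mac_header[4:22] + bytes([sc0, 0x00])


class ReplayCounter:
    """Receiver-side PN check: a frame is accepted only if its PN is greater
    than the last PN accepted from the same transmitter, key and priority."""

    def __init__(self):
        self.last_pn = {}

    def accept(self, mac_header, ccmp_header, priority=0):
        pn, key_id = parse_ccmp_header(ccmp_header)
        key = (mac_header[10:16], key_id, priority & 0x0F)
        if pn <= self.last_pn.get(key, -1):
            return False                  # replayed or reordered frame: drop it
        self.last_pn[key] = pn
        return True


def demo_replay_check(pns):
    """Feed frames with the given PNs from one constructed station and return
    the receiver's accept/drop decisions."""
    ap = bytes.fromhex("020000000001")    # constructed BSSID (A1/A3)
    sta = bytes.fromhex("020000000002")   # constructed station address (A2)
    hdr = build_mac_header(FC_DATA | FC_PROTECTED, ap, sta, ap, 0x0010)
    counter = ReplayCounter()
    return [counter.accept(hdr, build_ccmp_header(pn)) for pn in pns]


if __name__ == "__main__":
    print(demo_replay_check([5, 6, 6, 4, 7]))   # [True, True, False, False, True]
```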


Encryption Attributes

          Encryption   IV Size   Encryption    Integrity Check
          Algorithm              Key Length    Mechanism
WEP       RC4          24-bit    40/104-bit    CRC-32
WPA       RC4, TKIP    48-bit    128-bit       Michael algorithm and CRC-32
WPA2      AES-CCMP     48-bit    128-bit       CBC-MAC

WEP should be replaced with the more secure WPA and WPA2
WPA and WPA2 incorporate protection against forgery and replay attacks

WEP initially provided data confidentiality on wireless networks, but it was weak and failed to
meet any of its security goals. WPA fixes most of WEP's problems. WPA2 makes wireless
networks almost as secure as wired networks. WPA2 supports authentication, so that only
authorized users can access the network. WEP should be replaced with either WPA or WPA2 in
order to secure a Wi-Fi network. Both WPA and WPA2 incorporate protections against forgery
and replay attacks. The table above compares WEP, WPA, and WPA2 with respect to the
encryption algorithm used, the size of the encryption key and the initialization vector (IV),
and the integrity check mechanism.


Wi-Fi Authentication Methods: Open System Authentication

Open System Authentication:

Any wireless device can be authenticated with the access point, allowing the device to transmit
data only when its WEP key matches the WEP key of the access point

[Figure: Open System Authentication Process. The client attempting to connect exchanges the
following frames with the access point (AP), which sits in front of a switch or cable modem and
the Internet: Probe Request; Probe Response (Security Parameters); Open System Authentication
Request; Open System Authentication Response; Association Request (Security Parameters);
Association Response (Security Parameters).]

In the open system authentication process, any wireless client that wants to access a Wi-Fi
network sends a request to the wireless AP for authentication. In this process, the station sends
an authentication management frame containing the identity of the sending station, for
authentication and connection with the other wireless stations. The AP then returns an
authentication frame to confirm access to the requesting station and completes the
authentication process.

Open System Authentication is a null authentication algorithm that does not verify whether it is
a user or a machine. It uses clear-text transmission to allow the device to associate with an AP.
In the absence of encryption, the device can use the SSID of an available WLAN to gain access to
the wireless network. The enabled WEP key on the access point acts as an access control to
enter the network. Any user entering the wrong WEP key cannot transmit messages via the AP
even though the authentication is successful. The device can only transmit messages when
its WEP key matches the WEP key of the access point. This authentication mechanism does
not depend on a RADIUS server on the network.

Advantage
• You can use this mechanism with wireless devices that do not support complex
authentication algorithms.

Disadvantage
• In this mechanism, there is no way to check whether someone is a genuine client or an
attacker. Anyone who knows the SSID can easily access the wireless network.


Wi-Fi Authentication Methods: Shared Key Authentication

Shared Key Authentication:

The station and access point use the same WEP key to provide authentication, which means that
this key should be enabled and configured manually on both the access point and the client

[Figure: Shared Key Authentication Process, five numbered steps from the authentication
request sent to the AP by the client attempting to connect through to the client connecting to
the network and the Internet; the steps are listed in the text below.]

In this process, each wireless station receives a shared secret key over a secure channel that is
distinct from the 802.11 wireless network communication channels. The following steps
illustrate the establishment of a connection in the shared key authentication process:

• The station sends an authentication frame to the AP.
• The AP sends the challenge text to the station.
• The station encrypts the challenge text using its configured 64-bit or 128-bit WEP key
and sends the encrypted text to the AP.
• The AP uses its configured WEP key to decrypt the encrypted text and compares the
decrypted text with the original challenge text. If they match, the AP authenticates the
station.
• The station connects to the network.

The AP rejects the station if the decrypted text does not match the original challenge text,
and the station is then unable to communicate with either the Ethernet network or the 802.11
network.

Advantage
• It is more secure compared to the open system authentication method.

Disadvantage
• This mechanism is not suitable for large networks, as it requires long key strings to be
configured on each device, which is a highly cumbersome task.
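The four-frame exchange above, simulated end to end as an added example (written for this edit, not code from the CND courseware): the access point issues a fresh challenge per request, the station returns it WEP-encrypted, and the AP verifies it before marking the station as authenticated. The WEP keys, IVs and challenge text are constructed sample values.

```python
"""Shared Key Authentication (WEP) between a station and an access point.

Added example, not code from the CND courseware. It simulates the four
authentication frames described in the text: request, challenge, encrypted
challenge, and the AP's accept/reject verdict. RC4 and the CRC-32 ICV follow
the WEP frame format; the WEP keys, IVs and challenge text are constructed
sample values.
"""
import os
import zlib


def rc4_keystream(key, length):
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """WEP body = plaintext || CRC-32 ICV, XORed with RC4(IV || key).
    Returns IV (3 bytes) || KeyID octet || ciphertext."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4_keystream(iv + key, len(body))
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(key, frame):
    """Inverse of wep_encrypt; returns the plaintext, or None if the ICV fails."""
    iv, body = frame[:3], frame[4:]
    plain = bytes(a ^ b for a, b in zip(body, rc4_keystream(iv + key, len(body))))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


class AccessPoint:
    def __init__(self, wep_key, rng=os.urandom):
        self.wep_key = wep_key
        self.rng = rng              # challenge source; injectable for testing
        self.pending = {}           # station MAC -> outstanding challenge
        self.authenticated = set()

    def on_auth_seq1(self, sta_mac):
        """Frame 1 (authentication request) -> frame 2 carries a fresh challenge."""
        challenge = self.rng(128)   # 128-octet challenge text, new per request
        self.pending[sta_mac] = challenge
        return {"seq": 2, "challenge": challenge}

    def on_auth_seq3(self, sta_mac, encrypted):
        """Frame 3 (encrypted challenge) -> frame 4 carries the verdict.
        The challenge is consumed, so a replayed frame 3 is rejected."""
        expected = self.pending.pop(sta_mac, None)
        if expected is not None and wep_decrypt(self.wep_key, encrypted) == expected:
            self.authenticated.add(sta_mac)
            return {"seq": 4, "status": "success"}
        return {"seq": 4, "status": "failure"}


class Station:
    def __init__(self, mac, wep_key):
        self.mac = mac
        self.wep_key = wep_key

    def answer_challenge(self, challenge, iv):
        """Frame 3: the challenge encrypted under the station's configured key."""
        return wep_encrypt(self.wep_key, iv, challenge)


def run_shared_key_auth(ap, sta, iv):
    """Drive the four-frame exchange and return the AP's final status."""
    frame2 = ap.on_auth_seq1(sta.mac)
    frame3 = sta.answer_challenge(frame2["challenge"], iv)
    return ap.on_auth_seq3(sta.mac, frame3)["status"]


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    ap = AccessPoint(key)
    print(run_shared_key_auth(ap, Station("sta-1", key), os.urandom(3)))   # success
```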


Wi-Fi Authentication Process Using a Centralized Authentication Server

[Figure: the client, the access point and the RADIUS server exchange the following messages:
the client requests a connection; the AP forwards the client's identity to the RADIUS server;
the RADIUS server sends a request to the wireless client via the AP specifying the
authentication mechanism to be used; the wireless client responds to the RADIUS server with
its credentials via the AP; the RADIUS server sends an encrypted authentication key to the AP;
and the AP sends a multicast/global authentication key encrypted with the per-station unicast
session key.]

The 802.1X standard provides centralized authentication. For 802.1X authentication to work on
a wireless network, the AP must be able to securely identify the traffic from a specific wireless
client. In this Wi-Fi authentication process, a centralized authentication server known as
Remote Authentication Dial In User Service (RADIUS) sends authentication keys to both the AP
and the clients that want to authenticate with the AP. This key enables the AP to identify a
particular wireless client.


Wireless Network Threats

• War Driving: Attackers drive around with Wi-Fi enabled laptops to detect open wireless
networks

• Rogue Access Point Attack: Rogue wireless access points placed in an 802.11 network can be
used to hijack the connections of legitimate network users

• Client Misassociation: An attacker sets up a rogue access point outside the corporate
perimeter and tricks employees into connecting to it

• Misconfigured Access Point Attack: Misconfigured access points enable intruders to steal the
SSID, giving them access to the network

• Unauthorized Association: Attackers infect a victim's machine and activate APs, providing
them with an unauthorized connection to the enterprise network

• Ad Hoc Connection Attack: Wi-Fi clients communicate directly via an ad hoc mode that does
not require an AP to relay packets

• HoneySpot Access Point (Evil Twin) Attack: An attacker traps people by using fake hotspots

• AP MAC Spoofing: A hacker spoofs the MAC address of a WLAN client's equipment to
masquerade as an authorized client, connects to the AP as the client and eavesdrops on the
traffic

Wireless Network Threats (Cont'd)

• Denial-of-Service Attack: Wireless DoS attacks disrupt wireless network connections by
sending broadcast "de-authenticate" commands

• WEP Cracking: Attackers sniff and capture packets and run a WEP cracking program to derive
the WEP key

• WPA-PSK Cracking: Attackers sniff and capture authentication packets and run a brute force
attack to crack the WPA-PSK key

• Man-in-the-Middle Attack: Attackers set up a rogue AP and spoof the client's MAC address to
position themselves between the real AP and the client to listen to all the traffic

• RADIUS Replay: Attackers replay the valid RADIUS server response and successfully
authenticate to the client without valid credentials

• Fragmentation Attack: Attackers obtain 1500 bytes of PRGA (pseudo random generation
algorithm) to generate forged WEP packets which are in turn used for various injection attacks

• ARP Poisoning Attack: An attacker spoofs the MAC of a client and attempts to authenticate to
the AP, which leads to updating the MAC address info on the network routers and switches

• Jamming Signal Attack: An attacker stakes out the area from a nearby location with a high
gain amplifier, drowning out the legitimate access point


Wireless proves to be an advanced networking option for Internet users. However, wireless
networks may pose various security risks that can affect the function of the entire network. A
wireless network can be at risk from various types of attacks, including access control attacks,
integrity attacks, confidentiality attacks, availability attacks, authentication attacks, etc.

War Driving
In a wardriving attack, wireless LANs are detected either by sending probe requests over a
connection or by listening for beacons. An attacker who discovers a penetration point can
launch further attacks on the LAN. Some of the tools that the attacker may use to perform
wardriving attacks are KisMAC, NetStumbler and WaveStumbler.

Client Mis-Association
The client may connect or associate with an AP outside the legitimate network, either
intentionally or accidentally. This is because the WLAN signals travel in the air, through walls
and other obstructions. This kind of client mis-association can lead to access control attacks.

Unauthorized Association
Unauthorized association is a major threat to a wireless network. Prevention of this kind of
attack depends on the method or technique that the attacker uses to become associated with
the network.

HoneySpot Access Point (Evil Twin) Attack


Attackers can set up a fake honeypot AP or hotspot. Once the user's device is connected to the
AP or hotspot, the user is shown a fake login page which steals the user's credentials once they
are entered.

Rogue Access Point Attack


In order to create a backdoor into a trusted network, an attacker may install an insecure AP or
fake AP inside a firewall. The attacker may also use a software or hardware AP to perform this
kind of attack. A wireless access point is termed a rogue access point when it is installed on a
trusted network without authorization. An inside or outside attacker can install rogue access
points on your trusted network with malicious intent.

• Types of Rogue Access Points:

1. Wireless router connected via the "trusted" interface

2. Wireless router connected via the "untrusted" interface

3. Installing a wireless card into a device already on the trusted LAN

4. Enabling wireless on a device already on the trusted LAN

Misconfigured Access Point Attack


This is an internal threat that arises when a networking device is misconfigured. A
misconfigured networking device acts as an open gateway for data theft. If users improperly
configure any of the critical security settings on any of the APs, the entire network could be
open to attack. If the networking devices are managed centrally, it can go unnoticed.

Ad Hoc Connection Attack


An attacker may carry out this kind of attack by using any USB adapter or wireless card. The
attacker connects the host to an insecure client to attack a specific client or to avoid AP
security.

AP MAC Spoofing
Using the MAC spoofing technique, an attacker can reconfigure a MAC address to appear as an
authorized AP to a host on a trusted network. Tools for carrying out this kind of attack include
changemac.sh, SMAC, and Wicontrol.

Denial of Service (DoS)


In a DoS attack, an attacker floods a victim system with non-legitimate service requests or
traffic to overload its resources.

WEP Cracking
It involves capturing data to recover a WEP key using a brute force or Fluhrer-Mantin-Shamir
(FMS) cryptanalysis.

WPA-PSK Cracking
Attackers use various sniffing tools like packet analyzers to sniff for authentication packets in
the network. With the brute force method, the attacker can crack the WPA-PSK key.

Man-in-the-Middle Attack
In a MITM attack, the attacker runs traditional MITM attack tools on an evil twin AP to intercept
TCP sessions or SSL/SSH tunnels.

RADIUS Replay
It involves capturing RADIUS Access-Accept or Reject messages for later replay. In this type of
attack, the attacker maliciously repeats the valid data.

Fragmentation Attack
A fragmentation attack is the process of breaking up a single packet into multiple packets of a
much smaller size. Fragmentation attacks can be performed through:

1. Ping of Death: It is a denial of service attack that uses the ping utility to create IP
packets. It sends fragmented ICMP packets which, after reassembly at the destination, exceed
the allowable size of an IP datagram.

2. Tiny Fragment Attack: Small fragments are used to gather the TCP header information.
This attack targets the filtering rules set on the networking device.

3. Teardrop Attack: It causes the target machine to reboot or shut down. The attack occurs
on the IP protocol, using the offset fields of a UDP packet.


ARP Poisoning Attack


In this spoofing attack, the attacker first spoofs the MAC address of the victim's wireless laptop
and attempts to authenticate to AP1 using the Cain & Abel ARP poisoning tool, which is a
password recovery tool for Windows. AP1 sends the updated MAC address information to the
network routers and switches, which in turn update their routing and switching tables. The
network now no longer sends traffic from the backbone destined for the victim's system to AP2,
but sends it to AP1.

Jamming Signal Attack


Jamming is an attack performed in a wireless environment in order to compromise it. During
this type of exploitation, overwhelming volumes of malicious traffic result in a DoS to
authorized users, obstructing legitimate traffic. All wireless networks are prone to jamming.
Spectrum jamming attacks usually block all communications completely. An attacker uses
specialized hardware to perform this kind of attack. The signals generated by jamming devices
appear to be noise to the devices on the wireless network, which causes them to hold their
transmissions until the signal has subsided, resulting in a DoS. These jamming signal attacks are
not easily noticeable.


Bluetooth Threats

• Leaking Calendars and Address Books: Attackers can steal a user's personal information and
use it for malicious purposes

• Bugging Devices: Attackers could instruct the user's device to make a phone call to other
phones without any user interaction. They could even record the user's conversation

• Sending SMS Messages: Terrorists could send false bomb threats to airlines using the phones
of legitimate users

• Causing Financial Losses: Hackers could send many MMS messages with an international user's
phone, resulting in a high phone bill

• Remote Control: Hackers can remotely control a phone to make phone calls or connect to the
Internet

• Social Engineering: Attackers trick Bluetooth users into lowering security or disabling
authentication for Bluetooth connections in order to pair with them and steal information

• Malicious Code: Mobile phone worms can exploit a Bluetooth connection to replicate and
spread

• Protocol Vulnerabilities: Attackers exploit Bluetooth pairings and communication protocols
to steal data, make calls, send messages, conduct DoS attacks on a device, start phone
spying, etc.

Similar to wireless networks, Bluetooth devices are also at risk of compromise from various
threats. Attackers target the vulnerabilities in security configurations of Bluetooth devices to
gain access to confidential information and the network to which they are connected.

Here are a few of the common threats to Bluetooth:


1. Leaking Calendars and Address Books: Once the attacker gets access to information such as
the user's address book, calendars, photos, personal messages, etc., it can be stolen,
changed and used in a malicious way.

2. Remote Control: Attackers can gain access to the target phone and make changes to the
settings. The affected device can be used to send bulk random messages or make phone
calls.

3. Bugging Device: Attackers can program the device to perform random activities without
the user's consent. An attacker can eavesdrop on the user's conversation, converting the
user's device into a bugging device.

4. Social Engineering: Attackers can perform social engineering through the user's phone to
steal sensitive information from the intended victim.

5. Sending SMS Messages: Attackers can send messages with false bomb threats through a
user's mobile phone.

6. Malicious Code: An attacker can use Bluetooth-specific malicious code to infect a user's
device or gain access to the user's phone.


7. Causing Financial Losses: With the user's phone, an attacker can send a large number of
MMS messages, which is expensive for large files, especially for international
communication.

8. Protocol Vulnerabilities: Attackers can exploit vulnerabilities which already exist in the
core Bluetooth protocol of the devices, making them vulnerable to various types of attacks.


• Create inventory of wireless devices
• Placement of wireless AP and antenna
• Disable SSID broadcasting
• Select stronger wireless encryption mode
• Implement MAC address filtering
• Monitor wireless network traffic
• Defend against WPA cracking
• Detect rogue access points
• Locate rogue access points
• Protect from Denial-of-Service attacks: Interference
• Assess wireless network security
• Deploy Wireless IDS (WIDS) and Wireless IPS (WIPS)
• Configure security on wireless routers

An attacker can easily compromise a wireless network if proper security measures are not
applied or if there is no appropriate network configuration. Lack of adequate knowledge and
skills can pose a large risk to the wireless network. Besides wireless network policies,
administrators need to apply various security measures and tricks to ensure the security of
their wireless network against various types of attacks. The administrator needs to focus on an
appropriate use of security controls and their effective configuration to defend their networks.
The following points should be clearly stated in the organization's wireless security policy.

• Identify the users who are using the network.
• Determine whether the user is allowed to access or not.
• Clearly define who can and cannot install the access points and other wireless devices in
the enterprise.
• Describe the information type that users are allowed to communicate over the wireless
link.
• Provide limitations on access points such as location, cell size, frequency, etc. in order to
overcome wireless security risks.
• Clearly define the standard security setting for wireless components.
• Describe conditions where wireless devices are allowed to use the network.


Furthermore, a successful and effective wireless security implementation should involve the
following:

• Centralized implementation of security measures for all wireless technology.

• Security awareness and training programs for all employees.

• Standardized configurations to reflect security policies and procedures.

• Configuration management and control to make sure the latest security patches and
features are available on wireless devices.

The following activities help administrators defend and maintain the security of the wireless
network.

• Creating an inventory of the wireless devices

• Placement of the wireless AP and antenna

• Disable SSID broadcasting

• Selecting a stronger wireless encryption mode

• Implementing MAC address filtering

• Monitoring wireless network traffic

• Defending against WPA cracking

• Detecting rogue access points

• Locating rogue access points

• Protecting from Denial-of-Service attacks

• Assessing the wireless network security

• Deploying Wireless IDS (WIDS) and Wireless IPS (WIPS)

• Configuring security on wireless routers


Creating an Inventory of the Wireless Devices

Identify and document all the client devices according to the make/models/apps, encryption,
firmware, wireless channel, etc.
This helps network admins manage and monitor wireless devices in the network

[Screenshot: Acrylic Wi-Fi HeatMaps device listing with columns for name, description,
blueprint, calibration and capture, showing the detected networks with their SSID, channel,
security mode (e.g. WPA2-PSK, WEP) and signal strength.]

http://www.acrylicwifi.com

Use of wireless devices in an organization is continuously growing. Therefore, it becomes
increasingly important for organizations to track and manage their wireless assets for security
purposes. Maintaining an accurate and up-to-date inventory of wireless devices is required for
proper security.

Network device inventory helps administrators consolidate all the updated network data and
devices. The inventory can help administrators quickly identify any non-functioning devices as
well as any rogue network devices which are present on the network. A list of those devices
that are not connected to the network should also be added to the list. This helps detect
unknown devices in the network. Regular scanning of the inventory is important. Through
scanning, administrators can determine the rogue network devices, problem devices, potential
vulnerabilities, which devices need a patch/update, etc. in the network. A network is only as
secure as its weakest link. Administrators should maintain information about all the devices
regardless of their configuration settings or the vendor.

An administrator should maintain the inventory either manually or with the help of an effective
inventory tracking solution. At times, an inventory tool may not auto update the network
device. In such scenarios, administrators are required to add the device in the inventory list.
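One way to put the inventory to work, as an added example (written for this edit, not code from the CND courseware or from Acrylic Wi-Fi): a scan result is compared against the list of authorized APs to separate authorized devices, authorized devices that have drifted from their recorded configuration, unknown BSSIDs advertising a corporate SSID, other unknown APs, and inventoried APs that were not seen. The inventory and scan rows are constructed sample data.

```python
"""Compare a wireless scan with the inventory of authorized access points.

Added example, not code from the CND courseware. The inventory and scan rows
are constructed sample data along the lines of the Acrylic Wi-Fi listing on
the slide (BSSID, SSID, encryption, channel). Each observed AP is sorted
into: authorized, misconfigured (authorized BSSID drifting from its recorded
SSID, encryption or channel), evil twin candidate (unknown BSSID advertising a
corporate SSID) or unknown; inventory entries that were not seen are listed
as missing so the admin can check whether they are down or were removed.
"""
from dataclasses import dataclass

# Ordering used to decide whether an observed encryption mode is weaker than
# the one recorded for the AP.
STRENGTH = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass(frozen=True)
class ApRecord:
    bssid: str
    ssid: str
    encryption: str
    channel: int


# Constructed inventory of authorized APs.
INVENTORY = [
    ApRecord("00:11:22:33:44:01", "CorpNet", "WPA2", 6),
    ApRecord("00:11:22:33:44:02", "CorpNet", "WPA2", 11),
    ApRecord("00:11:22:33:44:03", "CorpGuest", "WPA2", 1),
]

# Constructed scan result, as a scanner like the one on the slide would list it.
SCAN = [
    ApRecord("00:11:22:33:44:01", "CorpNet", "WPA2", 6),
    ApRecord("00-11-22-33-44-02", "CorpNet", "WEP", 11),      # downgraded to WEP
    ApRecord("AA:BB:CC:DD:EE:01", "CorpNet", "OPEN", 6),      # unknown BSSID, our SSID
    ApRecord("aa:bb:cc:dd:ee:02", "CoffeeShop", "WPA2", 1),   # neighbouring network
]


def normalize_bssid(bssid):
    """Scanners print MACs with ':' or '-' and mixed case; compare one form."""
    return bssid.lower().replace("-", ":")


def classify_scan(inventory, scan):
    by_bssid = {normalize_bssid(a.bssid): a for a in inventory}
    corporate_ssids = {a.ssid for a in inventory}
    seen = set()
    findings = {"authorized": [], "misconfigured": [], "evil_twin": [],
                "unknown": [], "missing": []}
    for ap in scan:
        key = normalize_bssid(ap.bssid)
        known = by_bssid.get(key)
        if known is None:
            bucket = "evil_twin" if ap.ssid in corporate_ssids else "unknown"
            findings[bucket].append(ap.bssid)
            continue
        seen.add(key)
        problems = []
        if ap.ssid != known.ssid:
            problems.append("ssid")
        if STRENGTH.get(ap.encryption.upper(), 0) < STRENGTH[known.encryption.upper()]:
            problems.append("weaker encryption")
        if ap.channel != known.channel:
            problems.append("channel")
        findings["misconfigured" if problems else "authorized"].append((ap.bssid, problems))
    findings["missing"] = [a.bssid for a in inventory
                           if normalize_bssid(a.bssid) not in seen]
    return findings


if __name__ == "__main__":
    for bucket, items in classify_scan(INVENTORY, SCAN).items():
        print(f"{bucket:13s} {items}")
```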


Placement of a Wireless AP

• Proper deployment of a wireless AP is necessary to avoid outside access and improve
performance
• No AP is ideal for all locations as AP vendors design their APs to be installed in specific
locations
• Deploy an AP in a location recommended by the manufacturer
• AP deployment guidelines:
  • Place APs in central locations
  • Install an AP on the ceiling
  • Avoid placing APs too high on ceilings
  • Avoid mounting an AP on a wall as it may restrict its 360 degree coverage
  • Avoid installing APs in corridors
  • Avoid installing APs above suspended ceilings
  • Use locks and a plastic enclosure to secure the AP from theft
  • Avoid enclosing the AP in a metal cage
  • Keep the AP away from metal objects

[Figure: floor plans contrasting recommended and not recommended AP placement relative to
the devices they serve.]

The appropriate location of APs is important as it plays a vital role in achieving a high network
performance, coverage and speed. Many organizations have their APs placed across their
interior spaces. Every AP requires installation at a specific location and angle. Installation of APs
at random locations will restrict the network performance. Plan the coverage area wisely.
Overlap is good. Be careful to not create dead-zones.
Below are guidelines that help with placing APs at appropriate locations and to achieve the
maximum coverage, performance and speed.

• APs with an antenna cover a circular area and can be obstructed by walls, metal shutters
or furniture. It is good practice to set up APs at a location with no interference. Place the
AP within line of sight so that users can get the maximum network performance from it.

• The ideal placement of an AP is the ceiling, although this location will not always be
feasible in organizations with very high ceilings. Setting up an AP correctly on the ceiling is
also important. An AP that is facing upwards will not provide good coverage and it will
drastically impact the network performance. It is beneficial to place the AP upside down
to get optimal network performance.

• Placing APs on a desk is not part of a good network infrastructure implementation. APs, if
placed on a desk, encounter large amounts of interference from phones, Bluetooth
devices, furniture, etc. All these interferences will nullify the wireless connectivity,
affecting the network performance of the organization. Also, if an AP is on a desk, it is not
secure: it is easier to tamper with and/or remove.

• APs placed near metal sources will have a reduced range. Metal interference acts like
a mirror for APs. This also means that APs should not be kept in a closet or in a metal case.

• Do not point the antennas of an external AP in the same direction. The antennas should
always be tilted in opposite directions. Antennas facing upward are not part of an optimal
network setup.


Placement of a Wireless Antenna

• Placement of an antenna depends on the type, angle, location of the AP and the coverage required
• Antenna placement guidelines:
  • Use trial and error to select an appropriate location and direction
  • Place the AP antenna in a perpendicular direction
  • Avoid keeping the antenna at a 45 degree angle
  • Point antenna gain toward users
  • Know the antenna radiation patterns
  • Do not place obstructions or objects that interfere with the function of the antenna
  • Using external antennas as integrated antennas has a limitation
  • Tilt antennas down when installed on the ceiling
  • Use omni-directional antennas pointing down to attenuate signals traveling up to the AP
  • Avoid using simple dipole antennas for an optimal solution
  • Use single frequency antenna elements rather than dual tuned elements

[Figure: floor plan showing a Wi-Fi router, a metal filing cabinet and a mirror, with "Good WiFi" areas and "Dead Spot" areas marked]

Guidelines for the placement of a wireless antenna:

• A wireless device should be placed in the center of a room with proper positioning of the
antennas. The antennas should be positioned vertically, especially in a spacious interior.

• Use third-party applications to help find the best location for placing the device.
Applications like HeatMapper build a map of the interior and, according to that map,
provide a guide to placing the device in the best location.

• Choose an appropriate band and channel for the wireless antenna to work on. A reliable
frequency starts from 2.4 GHz. Establish a frequency that is compatible with the wireless
device and can travel through walls. To analyze an appropriate channel, use applications
like WiFi Analyzer.

• Replace the wireless antenna to get better networking results. Set up omnidirectional
antennas to help improve the range of the wireless environment.

• Try to avoid keeping the wireless devices near objects that interfere with EM radiation.
CRT TVs, monitors and loudspeakers are some of the devices that should not be placed
near the wireless device.

• Use a trial and error method to determine the best location of the wireless device.


Disable SSID Broadcasting

• If the SSID is broadcast, the AP will announce its presence and name, allowing everyone to
attempt to authenticate and connect to the wireless network
• Network admins should disable the SSID broadcast. Then an AP will only broadcast its
presence and not its name.
• This discourages unauthorized association requests to the network and permits connections
from legitimate users to the wireless network who have the correct SSID

[Figure: wireless router status screen showing the SSID broadcast setting, channel 6 - 2.437 GHz]

The SSID is the character sequence or code that is attached to each packet in a wireless
network. It identifies which network a packet belongs to when a number of networks are
present. The code can contain a maximum of 32 alphanumeric characters. All wireless devices
that communicate with each other have the same SSID. An SSID is used to uniquely identify a
set of wireless network devices that work in the given service set.
A wireless network SSID can be either broadcast or hidden. By broadcasting an SSID, anyone can
find it and attempt to connect to it. If the SSID is hidden, the user has to know the exact SSID in
order to connect to the wireless network. Network administrators should always disable SSID
broadcasting on their devices.

SSID broadcast, if enabled

By enabling the SSID broadcast, the wireless router will broadcast its presence and its name.
When scanning for available wireless connections, if the SSID is broadcast, the network name
and presence will be identified. It may be locked with a password, but anyone will be able to
see it.

SSID broadcast, if disabled

If the SSID broadcast is disabled, then the wireless router will broadcast its presence but will
not display the name. It appears as an "unnamed network" connection present within your
range. The user can connect to the wireless network after entering its name and providing the
correct authentication credentials.


Selecting a Stronger Wireless Encryption Mode

• Select a stronger wireless encryption mode for the wireless network
• Order of preference:
  1. WPA2 Enterprise with RADIUS
  2. WPA2 Enterprise
  3. WPA2 PSK
  4. WPA Enterprise
  5. WPA
  6. WEP

[Figure: Wireless-G Broadband Router (a division of Cisco Systems) web interface, Wireless Security tab, with the Security Mode drop-down offering Disabled, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, RADIUS and WEP; all devices on the network must use the same security mode in order to communicate]

Administrators should use a strong wireless encryption mode to keep their wireless network
safe from various types of attacks. There are various encryption modes that can be used for the
organization's wireless network.

Order of preference for choosing encryption modes

1. WPA2 Enterprise with RADIUS
2. WPA2 Enterprise
3. WPA2 PSK
4. WPA Enterprise
5. WPA
6. WEP

Order of preference for choosing Wi-Fi security methods

1. WPA2 + AES
2. WPA + AES
3. WPA + TKIP/AES
4. WPA + TKIP
5. WEP
6. Open Network (no security at all)


Implementing MAC Address Filtering

• MAC Address Filtering enables the network admin to block all unauthorized devices from
accessing the network by allowing only known MAC addresses to connect to the network
• If MAC address filtering is enabled, the access point or router stores and maintains a list of
MAC addresses for the wireless clients
• When a client tries to connect to the network, the AP checks the list of MAC addresses for
the client's MAC address and allows the connection only if the MAC is found in the list

[Figure: wireless router "Wireless MAC Filter" configuration screen]

Most wireless routers have MAC address filtering capabilities. The MAC address filtering
feature permits access to known MAC addresses only and restricts all others.
MAC address filtering has two options, open or closed. In a closed MAC filter, only the listed
addresses are permitted to access the network. This option is a more secure way of controlling
access to the network. In an open MAC filter, the addresses listed in the filter are prevented
from accessing the network. This is not always practical in a large network.
MAC address filtering maintains the list of all known MAC addresses. When a user tries to enter
the network, the access point first checks the user's MAC address against the list of MAC
addresses stored locally. If the user's MAC address matches an address in the list, then the
access point allows the user to enter and access the wireless network.
In this technique, the client authentication is based on MAC addresses. This type of
authentication is more secure compared to an open and a shared authentication method.
However, an attacker can bypass this filtering technique with the help of a MAC spoofing
attack. This authentication method minimizes the number of unauthorized users accessing the network.


Monitoring Wireless Network Traffic

• Wireless network traffic analysis helps identify intrusion attempts on the wireless network
• Network administrators must continuously monitor and analyze the wireless network traffic for
any abnormalities
• Use the Wireshark sniffing tool to conduct the wireless traffic monitoring and analysis

[Figure: Wireshark capture listing 802.11 Beacon and Probe Response frames (SN, FN, Flags, BI=100 and SSID shown in the Info column), with the Radiotap Header and the raw bytes of one 220-byte frame expanded]

http://www.wireshark.org

Administrators are required to monitor the traffic of a wireless network in order to find any
abnormalities or signs of an attack. Just like on a wired network, the network traffic on a wireless
network can be monitored using packet sniffing utilities such as Wireshark. Select the wireless
network interface corresponding to the wireless router and start sniffing the traffic on it. Look
for traffic based on the 802.11 standard wireless protocols, which denotes wireless network traffic.
Apply display filters to isolate the traffic of most interest for the particular analysis.


Defending Against WPA Cracking

• The only way to crack WPA is to sniff the password PMK associated with the "handshake"
authentication process, and if this password is extremely complicated, it might be almost
impossible to crack
• Use WPA2 with AES/CCMP encryption only
• Properly set the client settings (e.g. validate the server, specify server address, don't
prompt for new servers, etc.)
• Select a random passphrase that is not made up of dictionary words
• Select a complex passphrase which contains a minimum of 20 characters and change the
passphrase at regular intervals
• Use a virtual private network (VPN) such as a remote access VPN, Extranet VPN, Intranet
VPN, etc.
• Implement a Network Access Control (NAC) or Network Access Protection (NAP) solution for
additional control over end-user connectivity

WPA cracking defense recommendations:

• Construct a strong WPA password/key:
  • Do not use words from the dictionary
  • Do not use words with numbers appended at the end
  • Do not use double words or simple letter substitution such as p@SSwOrd
  • Do not use common sequences from your keyboard such as qwerty
  • Do not use common numerical sequences
  • Avoid using personal information in the key/password

The WPA password should be constructed according to the following rules:

• Random
• At least 12 characters in length
• Contains at least one upper-case letter
• Contains at least one lower-case letter
• Contains at least one special character, such as @ or !
• Contains at least one number
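The rules above as an automated check, added here as an example (it is not code from the courseware). The word list, keyboard rows and substitution table are small constructed samples; min_length defaults to the 12 characters in the rules list (the slide's 20 can be passed instead), and randomness cannot be judged from a single string, so that rule is not tested.

```python
import re

# Constructed word list for the example; a real check would load a full dictionary.
SAMPLE_DICTIONARY = {"password", "welcome", "wireless", "network", "summer", "qwerty"}
# Keyboard rows; the digit row also covers ascending/descending numeric sequences.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Simple letter substitutions (p@SSwOrd -> password) are undone before the word checks.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def contains_sequence(text: str, length: int = 4) -> bool:
    """True if `text` holds a keyboard-row run (forward or backward) or a
    repeated-digit run of at least `length` characters."""
    lowered = text.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            chunk = row[i:i + length]
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return any(len(set(run)) == 1 for run in re.findall(r"\d{%d,}" % length, lowered))


def check_wpa_passphrase(passphrase: str, personal_info=(), min_length: int = 12,
                         dictionary=SAMPLE_DICTIONARY) -> list:
    """Return the rules the passphrase violates (an empty list means it passes)."""
    problems = []
    if len(passphrase) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", passphrase):
        problems.append("no lower-case letter")
    if not re.search(r"\d", passphrase):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no special character")

    # Drop digits/symbols appended at the end, undo substitutions, keep letters only.
    stripped = re.sub(r"[^A-Za-z]+$", "", passphrase.lower())
    normalised = stripped.translate(LEET_MAP)
    core = re.sub(r"[^a-z]", "", normalised)

    if core in dictionary:
        problems.append("dictionary word (after removing substitutions or appended digits)")
    half = len(core) // 2
    if half >= 3 and core[:half] == core[half:]:
        problems.append("doubled word")
    if contains_sequence(passphrase):
        problems.append("keyboard or numeric sequence")
    for item in personal_info:            # e.g. company or user names supplied by the auditor
        if item and item.lower() in normalised:
            problems.append(f"contains personal information '{item}'")
    return problems


if __name__ == "__main__":
    for candidate in ("p@SSwOrd123!", "qwerty1234", "Summer2019!!", "Tq7#xLm9!vRe2pW"):
        print(candidate, "->", check_wpa_passphrase(candidate) or "OK")
```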


Wireless Scanning
• Perform wireless network scanning to detect the presence of wireless access points in the vicinity
• Discovery of an AP not listed in the wireless device inventory indicates the presence of a rogue AP
• Use wireless discovery tools such as inSSIDer, NetSurveyor, NetStumbler, Vistumbler, Kismet, etc.
to detect wireless networks

Wired Network Scanning
• Use network scanners such as Nmap to identify APs on the network. It will help locate rogue
devices on the wired network

SNMP Polling
• Use the Simple Network Management Protocol (SNMP) to identify the IP devices attached to the
wired network
• Use the SNScan SNMP Detection utility to identify SNMP enabled devices on the network

Note: To use SNMP polling, enable the SNMP service on all IP devices in the network

A wireless access point is termed a rogue access point when it is installed on a trusted network
without authorization. An inside or outside attacker can install rogue access points on a trusted
network for malicious purposes.
Types of Rogue Access Points:
1. Wireless router connected via the "trusted" interface
2. Wireless router connected via the "untrusted" interface
3. Installing a wireless card into a device already on the trusted LAN
4. Enabling wireless on a device already on the trusted LAN

Use the following methods to detect wireless networks in the vicinity of the network and compare
the detected wireless access points with the wireless device inventory for the environment. If
an access point is found that is not listed in the inventory, it can generally be considered a
rogue access point.
1. Wireless Scanning:
• Perform active wireless network scanning to detect the presence of wireless access
points in the vicinity.
• It will help detect unauthorized or hidden wireless access points that can be malicious.
• Use wireless discovery tools such as inSSIDer, NetSurveyor, NetStumbler, Vistumbler,
Kismet, etc. to detect wireless networks.


2. Wired Network Scanning:
• Use wired network scanners such as Nmap to identify a large number of devices on a
network by sending specially crafted TCP packets to each device (Nmap TCP
fingerprinting).
• It will help locate rogue access points attached to the wired network.

3. SNMP Polling:
• Use Simple Network Management Protocol (SNMP) polling to identify IP devices
attached to the wired network.
• Use the SNScan SNMP Detection Utility to identify SNMP enabled devices on the network.
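As an added example that is not part of the courseware, the Python below parses 802.11 beacon frames of the kind shown in the Wireshark capture earlier and ties together several of the checks above: it reports each AP's BSSID, its SSID (flagging a hidden SSID), and its security mode ranked by the Wi-Fi security order of preference, then compares the BSSIDs with an authorized-device inventory to flag rogue AP candidates as in the wireless scanning step. It assumes frames start at the 802.11 MAC header (no radiotap header); the sample frames, inventory and all names are constructed for the example.

```python
"""Parse constructed 802.11 beacon frames to list nearby APs (BSSID, SSID or
hidden SSID, security mode) and compare them with an authorized-AP inventory."""
import struct
from collections import namedtuple

RSN_OUI = b"\x00\x0f\xac"   # IEEE 802.11i (WPA2/RSN) suite selector OUI
WPA_OUI = b"\x00\x50\xf2"   # Microsoft OUI used by the WPA vendor-specific element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104"}
AKMS = {1: "Enterprise", 2: "PSK"}
PRIVACY_BIT = 0x0010        # capability field bit: encryption required
AccessPoint = namedtuple("AccessPoint", "bssid ssid hidden security ciphers")


def _suites(body: bytes, oui: bytes):
    """Decode the pairwise-cipher and AKM lists; RSN and WPA bodies share this layout."""
    pairwise, akms, pos = [], [], 6          # skip version (2) and group cipher suite (4)
    for names, table in ((pairwise, CIPHERS), (akms, AKMS)):
        count = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        for _ in range(count):
            if body[pos:pos + 3] == oui:
                names.append(table.get(body[pos + 3], f"type-{body[pos + 3]}"))
            pos += 4
    return pairwise, akms


def parse_beacon(frame: bytes) -> AccessPoint:
    """The frame is assumed to start at the 802.11 MAC header (no radiotap header)."""
    if frame[0] != 0x80:                     # type 0 / subtype 8 = beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # address 3 = BSSID
    capability = struct.unpack_from("<H", frame, 34)[0]    # after timestamp + interval
    ssid, rsn, wpa, pos = b"", None, None, 36
    while pos + 2 <= len(frame):             # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
        if tag == 0:
            ssid = data
        elif tag == 48:                      # RSN element (WPA2)
            rsn = data
        elif tag == 221 and data[:4] == WPA_OUI + b"\x01":   # WPA vendor element
            wpa = data[4:]
    hidden = ssid.strip(b"\x00") == b""      # zero-length or null-filled SSID
    if rsn is not None:
        ciphers, akms = _suites(rsn, RSN_OUI)
        security = "WPA2-" + "/".join(akms)
    elif wpa is not None:
        ciphers, akms = _suites(wpa, WPA_OUI)
        security = "WPA-" + "/".join(akms)
    elif capability & PRIVACY_BIT:
        ciphers, security = ["WEP"], "WEP"
    else:
        ciphers, security = [], "Open"
    return AccessPoint(bssid, ssid.decode("utf-8", "replace"), hidden, security, ciphers)


def preference_rank(ap: AccessPoint) -> int:
    """Position in the Wi-Fi security order of preference (1 = WPA2 + AES ... 6 = open)."""
    if ap.security.startswith("WPA2") and ap.ciphers == ["CCMP/AES"]:
        return 1
    if ap.security.startswith("WPA-") and ap.ciphers == ["CCMP/AES"]:
        return 2
    if ap.security.startswith("WPA") and "CCMP/AES" in ap.ciphers:
        return 3                              # mixed TKIP/AES
    if ap.security.startswith("WPA"):
        return 4                              # TKIP only
    return 5 if ap.security == "WEP" else 6


def find_rogue_aps(frames, inventory) -> list:
    """APs whose BSSID is not in the authorized inventory are rogue candidates."""
    return [ap for ap in map(parse_beacon, frames) if ap.bssid not in inventory]


def security_ie(kind: str, pairwise, akm: int) -> bytes:
    """Build an RSN (kind='rsn') or WPA vendor (kind='wpa') element for the samples."""
    oui = RSN_OUI if kind == "rsn" else WPA_OUI
    body = struct.pack("<H", 1) + oui + bytes([pairwise[0]])     # version, group cipher
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", 1) + oui + bytes([akm])
    if kind == "rsn":
        return bytes([48, len(body)]) + body
    body = WPA_OUI + b"\x01" + body
    return bytes([221, len(body)]) + body


def build_beacon(bssid: bytes, ssid: bytes, privacy: bool, ies: bytes = b"") -> bytes:
    """Constructed beacon: MAC header, timestamp, interval, capability, SSID, extra IEs."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x10\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (PRIVACY_BIT if privacy else 0))
    return header + fixed + bytes([0, len(ssid)]) + ssid + ies


AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}     # constructed inventory
SAMPLE_FRAMES = [                                           # constructed, not a capture
    build_beacon(bytes.fromhex("001122334455"), b"CorpWiFi", True, security_ie("rsn", [4], 1)),
    build_beacon(bytes.fromhex("001122334466"), b"", True, security_ie("rsn", [4], 2)),
    build_beacon(bytes.fromhex("aabbccddeeff"), b"FreeWiFi", False),
    build_beacon(bytes.fromhex("aabbccddee01"), b"OldRouter", True, security_ie("wpa", [2, 4], 2)),
]

if __name__ == "__main__":
    for ap in map(parse_beacon, SAMPLE_FRAMES):
        print(ap.bssid, "<hidden>" if ap.hidden else ap.ssid, ap.security, preference_rank(ap))
    print("rogue candidates:", [ap.bssid for ap in find_rogue_aps(SAMPLE_FRAMES, AUTHORIZED)])
```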


Wi-Fi Discovery Tools: inSSIDer and NetSurveyor

inSSIDer
• Inspect the WLAN and surrounding networks to troubleshoot competing access points
• Track the strength of a received signal in dBm over time and filter the access point in an
easy-to-use format

NetSurveyor
• NetSurveyor is a network discovery tool used to gather information about nearby wireless
access points in real time and display it in useful ways

[Figure: inSSIDer and NetSurveyor screenshots]

http://www.inssider.com http://nutsaboutnets.com

Administrators can use the following Wi-Fi discovery tools for their wireless network scanning
activity.
inSSIDer
Source: http://www.inssider.com
inSSIDer is an open source, multi-platform Wi-Fi scanner. It provides the user with
information about the proper channeling of a wireless network, while offering the ability to
check co-channel effects and overlapping networks. The application uses a native Wi-Fi API and
the user's NIC and sorts the results by MAC address, SSID, channel, RSSI, vendor, data
rate, signal strength and Time Last Seen. Features: inspect the WLAN and surrounding networks to
troubleshoot competing APs; track the strength of the received signal in dBm over time; filter
APs; highlight APs for areas with high Wi-Fi concentration; export Wi-Fi and GPS data to a KML
file to view in Google Earth; show which Wi-Fi network channels overlap; compatible with
GPS devices.
NetSurveyor
Source: http://nutsaboutnets.com
NetSurveyor is an 802.11 (Wi-Fi) network discovery tool that gathers information about nearby
wireless APs in real time and displays it in useful ways. It displays the data using a variety of
different diagnostic views and charts, and can record and play back the data. Features: provides six
graphical diagnostic views; generates reports in Adobe PDF format that include the list of APs
and their properties along with images; supports most wireless adapters installed with an NDIS
5.x driver or later.


Wi-Fi Discovery Tools: Vistumbler and NetStumbler

Vistumbler
• Finds wireless access points
• Uses the Vista command 'netsh wlan show networks mode=bssid' to get wireless information
• It supports GPS and live Google Earth tracking

NetStumbler
• Facilitates detection of Wireless LANs using the 802.11b, 802.11a, and 802.11g WLAN standards
• It is commonly used for wardriving, verifying network configurations and finding locations with
poor coverage in a WLAN, etc.

[Figure: Vistumbler and NetStumbler screenshots listing detected access points]

http://www.vistumbler.net http://www.netstumbler.com

Other Wi-Fi discovery tools include:

Vistumbler

Source: http://www.vistumbler.net
Vistumbler Features:

• Find Wireless APs

• GPS support

• Export/import APs from Vistumbler TXT/VS1/VSZ or NetStumbler TXT/Text NS1

• Export AP GPS locations to a Google Earth KML file or GPX (GPS exchange format)

• Live Google Earth Tracking: auto KML automatically shows APs in Google Earth

• Speaks signal strength using sound files, Windows sound API, or MIDI

NetStumbler

Source: http://www.netstumbler.com
NetStumbler Uses:

• Wardriving

• Verifying network configurations

• Finding locations with poor coverage in a WLAN


• Detects causes of wireless interference

• Detects unauthorized (rogue) APs

• Aiming directional antennas for long-haul WLAN links


WirelessMon
http://www.passmark.com

WiFinder
http://www.pgmsoft.com

Kismet
http://www.kismetwireless.net

Wellenreiter
http://wellenreiter.sourceforge.net

WiFi Hopper
http://www.wifihopper.com

AirCheck Wi-Fi Tester
http://www.flukenetworks.com

Wavestumbler
http://www.cqure.net

AirRadar 2
http://www.koingosw.com

iStumbler
http://www.istumbler.net

Xirrus Wi-Fi Inspector
http://www.xirrus.com

In addition to those discussed already, there are many tools administrators can use to discover
rogue wireless networks:

WirelessMon

Source: http://www.passmark.com
WirelessMon is a software tool that allows users to monitor the status of wireless Wi-Fi
adapter(s) and gather information about nearby wireless APs and hot spots in real time. It can
log the information it collects, while also providing comprehensive graphing of signal level and
real-time IP and 802.11 Wi-Fi statistics.

Kismet

Source: https://www.kismetwireless.net
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
Kismet will work with any wireless NIC that supports raw monitoring (rfmon) mode, and (with
appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also
supports plugins, which allow sniffing other media such as DECT.

WiFi Hopper

Source: http://wifihopper.com
WiFi Hopper is a WLAN utility that performs Network Discovery and Site Survey. It includes a
collection of network details, filters, RSSI graphing, as well as built-in GPS support for
identification and advanced characterization of neighboring wireless devices. WiFi Hopper can
connect to unsecured, WEP, WPA-PSK and WPA2-PSK networks directly from within the
application.

Wavestumbler

Source: http://www.cqure.net

Wavestumbler is a console-based 802.11 network mapper for Linux. It reports AP details like
channel, WEP, ESSID, MAC, etc. It has support for Hermes-based cards including Compaq and
Lucent/Agere.

iStumbler

Source: http://www.istumbler.net
iStumbler is a wireless discovery tool that provides plugins for finding, and showing information
on, AirPort networks, Bluetooth devices, Bonjour services and location information on Mac-based
devices.

WiFinder

Source: http://www.pgmsoft.com

WiFinder is a wireless network discovery tool for Android-based devices allowing the user to
connect to all types of Wi-Fi networks, including Open, WEP, WPA and WPA2.

Wellenreiter

Source: http://wellenreiter.sourceforge.net

Wellenreiter is a wireless network discovery and auditing tool that supports Prism2, Lucent, and
Cisco-based cards. It is a Linux scanning tool capable of discovering BSS/IBSS networks and
detecting ESSID broadcasting or non-broadcasting networks and their WEP capabilities, as well
as the hardware manufacturers. Wellenreiter is available in two flavors: the Perl/GTK
based version and the Wellenreiter II C++ based version.

AirCheck Wi-Fi Tester

Source: http://www.flukenetworks.com
AirCheck Wi-Fi Tester is a Wi-Fi troubleshooting tool designed to troubleshoot most of
the common issues with Wi-Fi networks. The tool provides enterprise, carrier Wi-Fi hotspot,
and residential Wi-Fi deployments with the ability to validate and troubleshoot issues.

AirRadar 2

Source: http://www.koingosw.com

AirRadar 2 is a wireless network discovery and maintenance tool specifically built for the Apple
Mac OS. The tool enables personalized scanning of open wireless networks and allows the user
to tag or filter them out.


Xirrus Wi-Fi Inspector

Source: http://www.xirrus.com
Xirrus Wi-Fi Inspector is a utility for monitoring Wi-Fi networks and managing the Wi-Fi
operation of a laptop. It provides information about available Wi-Fi networks, management of a
laptop's Wi-Fi connection, and tools to troubleshoot Wi-Fi connectivity issues.


AirCheck Wi-Fi Tester is a handheld tool that identifies and locates authorized or rogue wireless
access points in the network

[Figure: AirCheck Wi-Fi Tester handheld unit]

http://www.flukenetworks.com

Once a rogue access point is detected in the network, the next step is to trace its location in the
organization. This can be done with the AirCheck Wi-Fi Tester, a handheld wireless tester that
helps find the exact location of any wireless access point. The AirCheck Wi-Fi Tester must be
carried around to track the rogue access point; it locates the access point based on its signal strength.

AirCheck Wi-Fi Tester

Track down rogue and other APs by graphing the signal strength over time or by using an
audible indication, which can be muted.

Source: http://www.flukenetworks.com


Protection from Denial of Service Attacks: Interference

• Detect excessive RF interference to avoid Denial of Service attacks such as RF Jamming,
Signal Bombing and War Spamming
• Use RF Spectrum Analyzing tools to detect RF interference. They provide notification about
excessive RF interference on the wireless network
• RF Spectrum analyzers:
  • AirMagnet Spectrum XT: http://www.flukenetworks.com
  • WiFi Surveyor: http://rfexplorer.com
  • Ekahau Spectrum Analyzer: http://www.ekahau.com

[Figure: RF spectrum analyzer screenshots]

Wireless networks are often susceptible to Denial of Service (DoS) attacks, as wireless networks
use a shared transmission medium. DoS attacks may be carried out at various layers of the
OSI model. A DoS attack at the physical layer is carried out through signal jamming
or intentional interference.
Wireless networks use radio frequencies for communication, and RF spectrum analyzing tools
can be helpful in detecting radio frequency interference.
There are various RF spectrum analyzers available:
AirMagnet Spectrum XT
Source: http://www.flukenetworks.com
AirMagnet Spectrum XT identifies the radio frequency interference impacting a wireless network's
performance.
Wi-Fi Surveyor
Source: http://rfexplorer.com
Wi-Fi Surveyor provides the following services:
• Displays the RF environment
• Monitors RF signals
• Troubleshoots RF issues
• Detects sources of RF interference


Wi-Fi Surveyor helps detect the wireless devices and RF interference in the network that may
affect the network's performance.
Ekahau Spectrum Analyzer
Source: http://www.ekahau.com
Ekahau Spectrum Analyzer is a device that assists in determining which devices are causing the interference.


Assessing the Security of a Wireless Network

• Locate and mitigate the risks posed by the current configuration of a wireless network
• Perform security assessment/testing to detect potential vulnerabilities in the wireless network
and mitigate them before potential attackers can exploit them
• Use different automated tools to perform security assessment and vulnerability scanning

[Figure: Locate and Mitigate, Potential Vulnerabilities, Vulnerability Scanning Tools]

A wireless network should be regularly checked for possible vulnerabilities. Parameters such as
security, performance and speed should be considered while performing the assessment. This
helps to ensure that the wireless network is adequately protected from attacks. Use various
security assessment and vulnerability scanning tools to find the potential vulnerabilities.

Typical wireless security assessment steps should be:

• Check that a proper and up-to-date inventory is maintained for all wireless network devices
• Check the location of access points, to make sure they are properly placed
• Check if the wireless antennas are pointing in the right direction
• Discover new wireless devices
• Document all the findings for new wireless devices
• If a wireless device found is using the Wi-Fi network, check if it is using weak encryption
• Create a rogue access point and check if it can be detected
• Check if the SSID is visible or hidden
• Check if MAC filtering is enabled or not


• It is a Wi-Fi network auditing and troubleshooting tool
• Automatically detects security threats and other wireless network vulnerabilities
• It detects Wi-Fi attacks such as Denial of Service attacks, authentication/encryption
attacks and network penetration attacks
• It can locate unauthorized (rogue) devices or other policy violations

[Figure: AirMagnet Wi-Fi Analyzer screenshot]

http://www.flukenetworks.com

AirMagnet Wi-Fi Analyzer offers continuous evaluation of the wireless channels, devices,
speeds, interference issues and RF spectrum. It helps automatically detect security threats and
wireless network vulnerabilities, as well as common wireless performance issues including
throughput issues, connectivity issues, device conflicts and signal multipath problems.

AirMagnet Wi-Fi Analyzer can detect Wi-Fi attacks such as DoS attacks,
authentication/encryption attacks, network penetration attacks, etc. It can easily locate
unauthorized (rogue) devices or any policy violator. The tool examines 802.11a/b/g/n and 5 GHz
channels for interference and can be installed on PCs, laptops, tablets, etc. in order to assess for
interference issues.

Source: http://www.flukenetworks.com


WPA Security Assessment Tool: Elcomsoft Wireless Security Auditor

• Elcomsoft Wireless Security Auditor allows network administrators to audit accessible wireless networks

• It comes with a built-in wireless network sniffer (with AirPcap adapters)

• It tests the strength of WPA/WPA2-PSK passwords protecting your wireless network

(Screenshot: Elcomsoft Wireless Security Auditor main window, showing the Import data, Create/Open/Save project, Start/Pause attack and Check for updates toolbar, the dictionary and speed status fields, and the SSID/Password results table)

http://www.elcomsoft.com

Elcomsoft Wireless Security Auditor allows you to verify the security of a company's wireless
network by executing an audit of accessible wireless networks. It comes with a built-in wireless
network sniffer (with AirPcap adapters). It attempts to recover the original WPA/WPA2-PSK text
passwords in order to test how secure the wireless environment is.

Source: http://www.elcomsoft.com


WPA Security Assessment Tools

• WepAttack: http://wepattack.sourceforge.net
• Wesside-ng: http://www.aircrack-ng.org
• Aircrack-ng: http://www.aircrack-ng.org
• WEPCrack: http://wepcrack.sourceforge.net
• WepDecrypt: http://wepdecrypt.sourceforge.net
• Portable Penetrator: http://www.secpoint.com
• CloudCracker: https://www.cloudcracker.com
• coWPAtty: http://sourceforge.net
• Infernal-Twin tool: https://github.com
• CommView for WiFi: http://www.tamos.com

WepAttack

Source: http://wepattack.sourceforge.net
WepAttack is an open source Linux WLAN tool for breaking 802.11 WEP keys. This tool is based
on an active dictionary attack that tests millions of words to find the right key.

Wesside-ng

Source: http://www.aircrack-ng.org
Wesside-ng incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It
first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random
generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and
finally determine the WEP key.

Aircrack-ng

Source: http://www.aircrack-ng.org
Aircrack-ng is a complete suite of tools to assess Wi-Fi network security.

It focuses on different areas of Wi-Fi security:

• Monitoring: Packet capture and export of data to text files for further processing by third
party tools.


• Attacking: Replay attacks, de-authentication, fake access points and others via packet
injection.

• Testing: Checking Wi-Fi cards and driver capabilities (capture and injection).

• Cracking: WEP and WPA PSK (WPA 1 and 2).

WEPCrack
Source: http://wepcrack.sourceforge.net

WEPCrack is an open source tool for breaking 802.11 WEP secret keys. It cracks 802.11 WEP
encryption keys using the latest discovered weakness of RC4 key scheduling.

WepDecrypt

Source: http://wepdecrypt.sourceforge.net

WepDecrypt guesses WEP keys based on an active dictionary attack, key generator, distributed
network attack and some other methods.

Portable Penetrator
Source: https://www.secpoint.com

With Portable Penetrator, you can recover Wi-Fi Passwords WEP, WPA, WPA2, and WPS PINs. It
can reveal Wi-Fi Passwords from Access Points for WEP WPA WPA2 WPS Encryption.

Cloud Cracker

Source: https://www.cloudcracker.com/

It is an online password cracking service, which will help you in checking the security of WPA
protected wireless networks, crack password hashes or break document encryption.

coWPAtty

Source: http://sourceforge.net

coWPAtty is designed to audit the security of pre-shared keys selected in Wi-Fi Protected Access
(WPA) networks.

Infernal-Twin tool

Source: https://github.com

The Infernal-Twin tool can help assess wireless security.

Features of the Infernal-Twin tool include:

• WPA2 cracking
• WEP cracking
• WPA2 Enterprise cracking
• Wireless Social Engineering


CommView for WiFi

Source: http://www.tamos.com
CommView for WiFi captures every packet on the air to display important information such as
the list of access points and stations, per-node and per-channel statistics, signal strength, a list
of packets and network connections and protocol distribution charts.


Wi-Fi Vulnerability Scanning Tools

• Zenmap: http://nmap.org
• Nessus: http://www.tenable.com
• OSWA: http://securitystartshere.org
• WiFiZoo: http://www.darknet.org.uk
• Network Security Toolkit: http://networksecuritytoolkit.org
• Nexpose Community Edition: http://www.rapid7.com
• Wifish Finder: http://www.airtightnetworks.com
• Penetrator Vulnerability Scanning Appliance: http://www.secpoint.com
• SILICA: http://www.immunityinc.com
• Wireless Network Vulnerability Assessment: http://www.secnap.com

Wi-Fi vulnerability scanning tools determine the weaknesses in wireless networks so that they can
be secured before attackers actually attack. Wi-Fi vulnerability scanning tools include:

Zenmap
Source: http://nmap.org
Zenmap is a multi-platform GUI for the Nmap Security Scanner, which is useful for scanning
vulnerabilities on wireless networks. This tool saves the vulnerability scans as profiles to make
them run repeatedly. The results of recent scans are stored in a searchable database.

Nessus
Source: http://www.tenable.com
Nessus is a vulnerability, configuration and compliance scanner. It features high-speed
discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery,
patch management integration and vulnerability analysis of a wireless network.

OSWA-Assistant

Source: http://securitystartshere.org
The Organizational Systems Wireless Auditor Assistant (OSWA-Assistant) is a wireless auditing
toolkit. This toolkit can be used for wireless security auditing, to execute technical wireless
security testing against a wireless infrastructure and clients.


WiFizoo
Source: http://www.darknet.org.uk
WiFizoo tool is intended to get all the possible info from open wifi networks (and possibly
encrypted networks, at least with WEP) without joining any network and covering all WiFi
channels.

Network Security Toolkit

Source: http://networksecuritytoolkit.org

Network Security Toolkit (NST) is a Fedora-based application that provides easy access to open
source network security applications. The toolkit includes an advanced user interface for
system/network administration, navigation, automation, network monitoring, host geolocation,
network analysis and configuration of many network and security applications found within the
NST distribution.

Nexpose Community Edition

Source: http://www.rapid7.com
Nexpose is a vulnerability management application that analyzes vulnerabilities, controls and
configurations to find security risks. It uses RealContext, RealRisk and the attacker's mindset to
prioritize and drive risk reduction. This tool helps a user to understand the network, prioritize
and manage risks effectively.

WiFish Finder
Source: http://www.airtightnetworks.com
WiFish Finder is a vulnerability assessment tool that determines if active Wi-Fi devices are
vulnerable to 'Wi-Fishing' attacks. A user can perform this assessment through a combination of
passive traffic sniffing and active probing techniques. Most Wi-Fi clients keep a memory of
networks (SSIDs) they have connected to in the past. Wi-Fish Finder first builds a list of probed
networks and then determines the security setting of each probed network. A client is a fishing
target if it is actively seeking to connect to an OPEN or a WEP network.

Penetrator Vulnerability Scanning Appliance

Source: http://www.secpoint.com
The Penetrator Vulnerability Scanning Appliance is a vulnerability-scanning tool that discovers
vulnerabilities in firewalls, routers, Windows, Linux, Mac, mobile devices, printers and any
device with an IP address. The tool can scan both public and local IP addresses.

SILICA
Source: http://www.immunityinc.com
SILICA is a vulnerability scanner that determines the true risk of a specific AP. SILICA does this
by intrusively leveraging vulnerabilities and determining which assets behind the vulnerable AP
can be compromised. SILICA also reports whether an attacker can successfully exploit the
vulnerability.


Wireless Network Vulnerability Assessment:

Source: https://www.secnap.com
A Vulnerability Assessment Unit (VAU) is deployed onsite to perform the network scans that are
central to this assessment and it remains active onsite throughout the assessment. SECNAP
audit staff install the VAU after receiving a completed pre-installation questionnaire and a
conference call with the IT and Security team. This ensures that a properly sized VAU is utilized
for the engagement and identifies the IP address ranges to be tested and excluded. Since the
VAU is not placed in-line with the client Internet connection, there is generally no impact on the
network during installation.


Deploying a Wireless IDS (WIDS) and a Wireless IPS (WIPS)

Wireless Intrusion Detection System (WIDS)

• A wireless intrusion detection system (WIDS) collects data about user activity
• It monitors unauthorized network activity, policy violations, and known patterns of wireless attacks
• It alerts system administrators if it finds any abnormalities in the network, rogue wireless AP, unencrypted traffic, etc.

Wireless Intrusion Prevention System (WIPS)

• A wireless intrusion prevention system (WIPS) provides additional features beyond that of a WIDS to prevent wireless threats
• Consisting of three components:
  • Sensors: Antennas or radios deployed to scan and capture packets
  • Servers: Analyze the captured packets
  • Console: A user interface for the network admin to manage and report

A wireless intrusion prevention system (WIPS) is a network device that monitors the radio
spectrum to detect access points operating in nearby locations without the host organization's
permission (intrusion detection). It can also implement countermeasures automatically. Wireless
intrusion prevention systems protect networks against wireless threats and provide administrators
with the ability to detect and prevent various network attacks.

FIGURE 10.2: Wireless IPS (the figure lists the threat categories a WIPS detects, including Airsnarf attack, day-zero attack, unauthorized association, probing and network discovery, fragmentation attack, honeypot, spoofing and cracking attacks)


A wireless intrusion detection system (WIDS) is a tool that collects data about user activity. It
monitors unauthorized network activity, policy violations and known patterns of recognized
wireless threats. It alerts the system administrator if it finds any anomalies in the network,
rogue wireless AP, unencrypted traffic, etc. Wireless intrusion prevention systems (WIPS)
provide additional features beyond a WIDS to prevent wireless threats.

A WIPS consists of three components:

1. Sensors: Antennas or radios deployed to scan and capture packets.

2. Servers: Analyze the captured packets.

3. Console: User interface for the system admin to manage and report.
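As an added example (not from the courseware or any WIDS product), the following sketches the server-side step of such a system: frame events reported by a sensor are run through two detection rules, a sliding-window deauthentication flood (the DoS case a WIDS alerts on) and unencrypted data frames on a BSSID that policy requires to be encrypted. The event format, the thresholds and the sample events are constructed assumptions.

```python
"""Two WIDS detection rules over constructed 802.11 frame events.

Added example, not part of the courseware and not any product's code.
A sensor feeds one record per management/data frame; the server step
below applies two rules:
  1. deauth-flood: more than DEAUTH_THRESHOLD deauthentication frames
     for one BSSID inside a DEAUTH_WINDOW-second sliding window;
  2. unencrypted-data: a data frame without the Protected flag on a
     BSSID that policy says must carry only encrypted traffic.
Field names, thresholds and sample events are assumptions.
"""
from collections import deque

DEAUTH_THRESHOLD = 10   # frames ...
DEAUTH_WINDOW = 2.0     # ... within this many seconds => flood alert

# Constructed policy: BSSIDs that must carry only encrypted data frames.
ENCRYPTED_BSSIDS = {"00:11:22:aa:bb:01"}


def make_events():
    """Constructed sample feed: (timestamp, frame type, src, bssid, protected)."""
    events = []
    # Normal, encrypted client traffic.
    for i in range(5):
        events.append((100.0 + i, "data", "aa:aa:aa:00:00:01", "00:11:22:aa:bb:01", True))
    # A burst of 12 deauth frames carrying the AP's address inside one second.
    for i in range(12):
        events.append((106.0 + i * 0.08, "deauth", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", False))
    # A slow series of deauths (clients roaming) that must not alert.
    for i in range(4):
        events.append((120.0 + i * 3.0, "deauth", "00:11:22:aa:bb:02", "00:11:22:aa:bb:02", False))
    # One unprotected data frame on the encrypted-only BSSID.
    events.append((130.0, "data", "aa:aa:aa:00:00:09", "00:11:22:aa:bb:01", False))
    return sorted(events)


def detect(events, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW):
    """Apply the rules; return a list of (timestamp, rule, bssid) alerts."""
    alerts = []
    recent = {}        # bssid -> deque of deauth timestamps inside the window
    flooding = set()   # BSSIDs already alerted, so one flood gives one alert
    for ts, ftype, src, bssid, protected in events:
        if ftype == "deauth":
            q = recent.setdefault(bssid, deque())
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop timestamps that have left the window
            if len(q) >= threshold and bssid not in flooding:
                flooding.add(bssid)
                alerts.append((ts, "deauth-flood", bssid))
            elif len(q) < threshold:
                flooding.discard(bssid)  # flood subsided; re-arm the rule
        elif ftype == "data" and not protected and bssid in ENCRYPTED_BSSIDS:
            alerts.append((ts, "unencrypted-data", bssid))
    return alerts


if __name__ == "__main__":
    for ts, rule, bssid in detect(make_events()):
        print(f"{ts:8.2f}  {rule:17s}  {bssid}")
```

The window is kept per BSSID so a flood against one AP is not diluted by quiet APs, and the re-arm logic means a sustained attack produces one alert per episode rather than one per frame; tune the threshold to the deauth rate seen during normal roaming on the network being protected.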


Typical Wireless IDS/IPS Deployment

(Figure: a corporate Wi-Fi network with Wi-Fi access points and a Wi-Fi intrusion prevention system on the internal network, an authentication server, database server and mail server, and a DMZ between the internal network and the Internet)

A WIPS consists of a number of components working together to provide a unified security
monitoring solution.

Component functions in a Cisco Wireless IPS Deployment:

• Access Points in Monitor Mode: Provide constant channel scanning with attack
detection and packet capture capabilities.

• Mobility Services Engine (running the wireless IPS Service): The central point of alarm
aggregation from all controllers and their respective wireless IPS Monitor Mode Access
Points. Alarm information and forensic files are stored on the system for archival
purposes.

• Local Mode Access Point(s): Provide wireless service to clients in addition to time-sliced
rogue and location scanning.

• Wireless LAN Controller(s): Forward attack information from wireless IPS Monitor Mode
Access Points to the MSE and distribute configuration parameters to APs.

• Wireless Control System: Provides the administrator with the means to configure the
wireless IPS Service on the MSE, push wireless IPS configurations to the controller and set
APs in wireless IPS Monitor mode. It also allows the user to view wireless IPS alarms,
forensics and reporting, and to access the threat encyclopedia.


Adaptive Wireless IPS

• Adaptive Wireless IPS (WIPS) provides wireless network threat detection, mitigation against malicious attacks and security vulnerabilities
• It provides the ability to detect, analyze, and identify wireless threats

(Screenshot: Cisco Wireless Control System, Advanced Parameters page for a Cisco Mobility Services Engine, showing the wIPS Service, Context Aware Service, logging level and NMSP parameters)

http://www.corecom.com

Adaptive Wireless IPS (WIPS) provides specific network threat detection and mitigation against
malicious attacks, security vulnerabilities and sources of performance disruption. It provides the
ability to detect, analyze and identify wireless threats. It also delivers proactive threat
prevention capabilities for a hardened wireless network core that resists most wireless
attacks, allowing customers to maintain constant awareness of their RF environment.

Source: http://www.corecom.com


What does AirDefense do?

• AirDefense provides a single UI-based platform for wireless monitoring, intrusion protection, automated threat mitigation, etc.
• It provides tools for wireless rogue detection, policy enforcement, intrusion prevention, and regulatory compliance
• It uses distributed sensors that work in tandem with a hardened purpose-built server appliance to monitor all 802.11 (a/b/g/n) wireless traffic in real-time
• It analyzes existing and zero-day threats in real-time against historical data to accurately detect all wireless attacks and anomalous behavior
• It enables the rewinding and reviewing of detailed wireless activity records that assist in forensic investigations and ensure policy compliance

(Screenshot: AirDefense dashboard with Security, Infrastructure and Performance tabs, an Infrastructure Overview of online/offline and compliance status for APs, wired switches, wireless switches and sensors, and a device table listing unknown devices, APs, wireless clients and BSSs)

http://www.airdefense.net


Wi-Fi Intrusion Prevention System

• Extreme Networks Intrusion Prevention System: http://www.extremenetworks.com
• RFProtect Wireless Intrusion Protection: http://www.arubanetworks.com
• Dell SonicWALL Clean Wireless: http://www.sonicwall.com
• HP TippingPoint NX Platform NGIPS: http://www8.hp.com
• AirTight WIPS: http://www.mojonetworks.com
• Network Box IDP: http://www.network-box.com
• AirMobile Server: http://www.airmobile.se
• AirPatrol WLS: http://www.gigatest.net
• FortiWiFi: http://www.fortinet.com
• ZENworks Endpoint Security Management: http://www.novell.com

Wi-Fi intrusion prevention systems block wireless threats by automatically scanning, detecting
and classifying unauthorized wireless access and rogue traffic to the network. This prevents
neighboring users or skilled hackers from gaining unauthorized access to the Wi-Fi networking
resources. The following Wi-Fi intrusion prevention systems can be useful in preventing the
various threats on a wireless network:

Extreme Networks Intrusion Prevention System

Source: http://www.extremenetworks.com
The Intrusion Prevention System (IPS) gathers evidence of an attacker's activity, removes the
attacker's access to the network and reconfigures the network to resist the attacker's
penetration technique. It ensures the confidentiality, integrity and availability of critical
resources with intrusion prevention capabilities. These include in-line intrusion prevention to
provide advanced security in a specific location, distributed intrusion prevention to automate
response to threats in real-time, out-of-band intrusion detection that simultaneously utilizes
multiple response technologies, forensics tools for session reconstruction to simplify threat
mitigation/resolution and threat containment that leverages existing network investments.

RFProtect Wireless Intrusion Protection:

Source: http://www.arubanetworks.com
RFProtect software prevents Denial-of-Service and Man-in-the-Middle attacks and mitigates
over-the-air security threats.


Dell SonicWALL Clean Wireless

Source: http://www.sonicwall.com
Dell SonicWALL Clean Wireless combines 802.11n technology with network security appliances
to deliver comprehensive network security and performance while simplifying set-up and
management of 802.11-based wireless networks. SonicPoint-N Series wireless APs used in
conjunction with the Dell SonicWALL family of firewall security ensure that wireless traffic is
scrutinized with the same intensity as wired network traffic, allowing IT administrators to retain
control over their entire network.

HP TippingPoint NX Platform NGIPS

Source: http://www8.hp.com

The HP TippingPoint NX Platform Next Generation Intrusion Prevention System (NGIPS) offers
in-line threat protection that defends critical data and applications without affecting
performance and productivity. The NGIPS platforms leverage advanced threat research with the
correlation of security events and vulnerabilities.

AirTight WIPS:

Source: http://www.mojonetworks.com
AirTight WIPS is a wireless intrusion prevention system that precisely blocks only those Wi-Fi
connections that violate network policies or pose a threat to network security, without
affecting legitimate Wi-Fi communication on local or neighboring networks.

Network Box IDP:

Source: http://www.network-box.com
The Network Box IDP (Intrusion Detection and Prevention) module scans network traffic at the
application level and blocks malicious behavior with zero latency. A comprehensive database of
IDP signatures precisely matches and actively blocks known exploits. A database of
vulnerability-class based signatures and heuristic (expert system) anomaly-based behavioral
analysis provides the protection against newly emerging threats.

AirMobile Server:

Source: http://airmobile.se
The AirMobile server sorts incoming scanning reports from the agents. The server discovers and
analyzes the APs, estimating the level of threat the AP poses to the network. When a new AP is
discovered, the server automatically matches the AP's MAC-address to the database containing
all known MAC addresses by the switches, pointing out where the AP is connected to the
network. The server will raise the risk indicator to 100% if it finds any AP on the network that
runs without encryption.
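The wired-side correlation AirMobile is described as doing, as an added example that is not AirMobile's code: a rogue BSSID reported by the sensors is looked up in constructed switch MAC (CAM) tables to find the switch and port it is plugged into. The neighbourhood search (an AP's wired-side MAC often sits within a few values of its radio BSSID) and the risk scores for anything other than the 100% an unencrypted AP gets are assumptions made for the example.

```python
"""Locate a detected rogue AP's wired attachment point from switch MAC tables.

Added example (not AirMobile's code). It mirrors the idea described in the
text: take the BSSID a sensor reported, search switch MAC (CAM) tables for
it, and report the switch and port. Because an AP's wired MAC is commonly
within a few values of its radio BSSID, the lookup also accepts addresses
in a small neighbourhood (an assumption; max_offset is tunable). The risk
indicator is 100% for an AP running without encryption, as the text says;
the other scores are illustrative assumptions.
"""


def mac_to_int(mac):
    """'de:ad:be:ef:00:01' -> 0xdeadbeef0001."""
    return int(mac.replace(":", ""), 16)


def int_to_mac(n):
    """Inverse of mac_to_int, lower-case colon notation."""
    return ":".join(f"{(n >> s) & 0xff:02x}" for s in range(40, -1, -8))


# Constructed sample CAM tables: switch -> {mac: port}
CAM_TABLES = {
    "sw-floor1": {
        "aa:bb:cc:00:00:10": "Gi1/0/1",
        "aa:bb:cc:00:00:11": "Gi1/0/2",
        "de:ad:be:ef:00:00": "Gi1/0/7",   # wired side of the rogue (BSSID - 1)
    },
    "sw-floor2": {
        "aa:bb:cc:00:00:20": "Gi1/0/1",
    },
}


def locate(bssid, cam_tables, max_offset=8):
    """Return (switch, port, wired_mac) for the nearest CAM entry, or None."""
    target = mac_to_int(bssid)
    best = None  # (distance, switch, port, mac)
    for switch, table in cam_tables.items():
        for mac, port in table.items():
            dist = abs(mac_to_int(mac) - target)
            if dist <= max_offset and (best is None or dist < best[0]):
                best = (dist, switch, port, mac)
    return None if best is None else best[1:]


def risk_score(encryption, on_wired_lan):
    """Risk indicator in percent (assumed scale): unencrypted => 100."""
    if encryption == "OPEN":
        return 100
    score = 60 if on_wired_lan else 30   # a rogue bridged into the LAN is worse
    if encryption == "WEP":
        score += 30
    return min(score, 99)


def analyze_rogue(bssid, encryption, cam_tables):
    """Combine the wired-side lookup and the risk indicator for one rogue AP."""
    where = locate(bssid, cam_tables)
    return {"bssid": bssid, "location": where,
            "risk": risk_score(encryption, where is not None)}


if __name__ == "__main__":
    print(analyze_rogue("de:ad:be:ef:00:01", "OPEN", CAM_TABLES))
    print(analyze_rogue("de:ad:be:ef:00:01", "WPA2-CCMP", CAM_TABLES))
```

A hit on a switch port tells the responder where to go (or which port to shut) before the AP is physically found; no hit means the device is either not bridged into the wired network or is attached through a switch whose CAM table was not collected.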


ZENworks Endpoint Security Management:

Source: https://www.novell.com
ZENworks Endpoint Security Management is a client/server endpoint solution that works on
Novell's ZENworks Control Center (ZCC) platform. It provides VPN and wireless security
enforcement, client firewall, device control, file/folder encryption and other features. It puts
end-user devices behind a potent firewall and protects against bugs in USB storage devices. A
user can deploy it physically or virtually to Windows or Linux platforms using a number of
compatible database backend systems and directory services. It deploys the endpoints to
Windows client OSs.

AirPatrol WLS

Source: http://www.gigatest.net
WLS can be used as an Intrusion Detection solution in " no-wireless" environments and easily
scales to protect and manage wireless networks.

FortiWiFi

Source: http://www.fortinet.com
FortiWiFi Thick APs integrate an 802.11n wireless LAN radio and antennas into the FortiGate
Connected UTM. FortiWiFi provides access to both the wired and wireless LAN in a single
device, delivering network security visibility and control. It provides security functions such as a
firewall, VPN and traffic shaping, application control, IPS, antimalware, web filtering, etc.


Configuring Security on Wireless Routers

• Change the default password on the wireless router
• Assign a strong and complex password to the router
• Choose HTTPS for secure communication
• Disable remote router access
• Enable logging on the router

(Screenshots: the Administration > Management page of a Linksys Wireless-G Broadband Router, showing the Router Password fields, Local Router Access (HTTP/HTTPS), Remote Router Access (Enable/Disable) and UPnP settings, and the Administration > Log page with the Log Enable/Disable switch and the Incoming Log and Outgoing Log buttons)

To harden the wireless router, apply all the recommended security configurations on the
wireless router. These security configuration settings will help minimize wireless attacks
and will provide the best performance, security and reliability when using Wi-Fi.

The hardening should include:

1. Changing the default password of the wireless router
2. Assigning a strong and complex password to the router
3. Choosing HTTPS for secure communication
4. Disabling remote router access
5. Enabling the firewall to block certain WAN requests
6. Configuring an Internet Access policy
7. Specifying the blocked services, URLs, keywords, etc.
8. Disabling the DMZ option
9. Configuring the Quality of Service (QoS) settings
10. Avoiding the default IP ranges
11. Keeping the router firmware up-to-date
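A way to check a router's administration settings against this list, as an added example (not from the courseware or any router vendor): a weak configuration and a hardened one are represented as dictionaries (constructed; the key names, the password policy, the default-password and default-subnet lists and the "latest firmware" value are assumptions) and audited with the same checks, so the weak setting and its corrected form sit side by side.

```python
"""Audit a wireless router's administration settings against the hardening list.

Added example (not from the courseware or any vendor). Router settings are
represented as a dict; every key name, the password policy, the sample
default-password list, the default LAN ranges and LATEST_FIRMWARE are
constructed assumptions. Each check yields a finding when a setting is
unsafe; an empty result means the checklist is satisfied.
"""
import re

DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}      # constructed sample list
DEFAULT_LAN_RANGES = {"192.168.0.0/24", "192.168.1.0/24"}  # assumed shipped defaults
LATEST_FIRMWARE = "4.30.18"   # constructed; in practice taken from the vendor

# The weak configuration: every item on the list is wrong.
WEAK_CONFIG = {
    "admin_password": "admin",
    "management_protocol": "http",
    "remote_management": True,
    "upnp": True,
    "logging": False,
    "firewall": False,
    "dmz_host": "192.168.1.50",
    "lan_subnet": "192.168.1.0/24",
    "firmware": "4.30.11",
}

# The same router after hardening.
HARDENED_CONFIG = {
    "admin_password": "Tq7!vR2mZ#pL9wQ4",
    "management_protocol": "https",
    "remote_management": False,
    "upnp": False,
    "logging": True,
    "firewall": True,
    "dmz_host": None,
    "lan_subnet": "10.42.7.0/24",
    "firmware": "4.30.18",
}


def password_is_strong(pw):
    """Assumed policy: 12+ characters with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and all(re.search(p, pw) for p in classes)


def version_tuple(v):
    """'4.30.11' -> (4, 30, 11) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


def audit(cfg, latest_firmware=LATEST_FIRMWARE):
    """Return a list of finding strings; empty means the checklist is satisfied."""
    f = []
    pw = cfg.get("admin_password", "")
    if pw in DEFAULT_PASSWORDS:
        f.append("default or empty admin password")
    elif not password_is_strong(pw):
        f.append("admin password does not meet complexity policy")
    if cfg.get("management_protocol") != "https":
        f.append("management interface not restricted to HTTPS")
    if cfg.get("remote_management"):
        f.append("remote (WAN-side) management enabled")
    if cfg.get("upnp"):
        f.append("UPnP enabled (lets LAN hosts open WAN ports)")
    if not cfg.get("logging"):
        f.append("logging disabled")
    if not cfg.get("firewall"):
        f.append("firewall disabled")
    if cfg.get("dmz_host"):
        f.append(f"DMZ host {cfg['dmz_host']} exposed to the WAN")
    if cfg.get("lan_subnet") in DEFAULT_LAN_RANGES:
        f.append("default LAN IP range in use")
    if version_tuple(cfg.get("firmware", "0")) < version_tuple(latest_firmware):
        f.append(f"firmware {cfg.get('firmware')} older than {latest_firmware}")
    return f


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for line in audit(cfg):
            print("  -", line)
```

The checks map one-to-one onto the list above (the UPnP check comes from the slide's screenshot); on a real device the dictionary would be filled from the router's configuration export or its management API, and the audit re-run after every firmware update.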


Additional Wireless Network Security Guidelines

• Change the default SSID
• Set the router access password and enable firewall protection
• Use SSID cloaking to keep certain default wireless messages from broadcasting the ID to everyone
• Do not use the SSID, company name, network name, or any easy to guess string in passphrases
• Place a firewall or packet filter in between the AP and the corporate Intranet
• Limit the strength of the wireless network so that it cannot be detected outside the organization
• Regularly check the wireless devices for configuration or setup problems
• Implement a different technique for encrypting traffic, such as IPSEC over wireless
• Disable the remote router login and administration
• Regularly change the passphrases
• Choose Wi-Fi Protected Access (WPA) instead of WEP
• Implement WPA2 Enterprise wherever possible
• Disable the network when not required
• Place wireless access points in a secured location
• Keep the drivers updated on all wireless equipment
• Use a centralized server for authentication

The following list contains the security measures and configurations an administrator should
use for Wi-Fi security:

• Log out of the router's web interface when not in use.

• Everything should be password protected in order to avoid unauthorized access to the
content in the system.

• The WEP keys should be changed often. Use a very difficult key to avoid unauthorized
access.

• The wireless access point should be password protected.

• The MAC address filtering technique should be used in a smaller network.

• Change the SSID value to one only the user understands.

• The access points should be kept in the middle of the building in order to avoid war
driving.

• Avoid the broadcasting of SSIDs, as broadcast SSIDs make it easier for an intruder to enter
the network.

• Identify the physical location of the WLAN threat.

• Gather information about the source, destination IP address, ports, MAC address, login
names/IDs, duration and timestamps for analysis and investigation.


• Collecting the connection logs can help to determine the unnecessary utilization of a wireless
network in the organization.

• Monitor using WIDPS sensors and WLAN scanners to detect a rogue WLAN connection.

• Scan the locations within close proximity to the organization.

• Monitor the security of the link passing information among the components in the
network.

• Detect the laptops that are being illegitimately used as access points.

Module 11: Network Traffic Monitoring and Analysis


• Understanding network traffic monitoring and its importance
• Discussing techniques used for network monitoring and analysis
• Discussing the appropriate position for network monitoring
• Discussing the connection between a network monitoring system and a managed switch
• Understanding network traffic signatures
• Discuss baselining normal traffic
• Discuss the various categories of suspicious traffic signatures
• Discuss the various techniques for attack signature analysis
• Understand Wireshark and its components, how it works and the features
• Demonstrate the use of various Wireshark filters
• Demonstrate how to monitor LAN traffic against a policy violation
• Demonstrate network traffic security monitoring
• Demonstrate how to detect various attacks using Wireshark
• Discuss network bandwidth monitoring and how to improve performance

Network monitoring and analysis is a very important day-to-day task for the network
administrator. It provides an additional layer of security to the network and involves analyzing
network performance and traffic patterns to detect abnormal activities in the network.

This module will teach you various aspects of network monitoring and signature analysis. The
module starts with an introduction to the network monitoring concept and its importance, and
then educates you on how to detect and analyze various types of attacks on your network.


Network Traffic Monitoring and Analysis

• Network monitoring is a vital and demanding task within network security operations.
• Network monitoring is a retrospective approach network administrators adopt to deal with
performance issues and security incidents.
• Firewalls and IDS are unable to detect malicious traffic due to continuous changes in attack
patterns, which is why manual network traffic monitoring is essential to detect attacks on the
network.
• Network administrators are required to continuously monitor and analyze traffic for all
abnormalities.

Network traffic monitoring is the process of capturing network traffic and inspecting it closely
to determine what is happening on the network. Network administrators should constantly
strive to maintain smooth network operation. If a network is down even for a short period of
time, productivity within the company declines. In order to be proactive rather than
reactive, administrators need to monitor the traffic movement and performance, ensuring a
security breach does not occur within the network.

The network monitoring process involves sniffing the traffic flowing through the network. It
requires capturing network packets and conducting a signature analysis to identify any
malicious activity. Administrators should continuously monitor and analyze the network traffic
to look for the presence of attack signatures.

Network operators use network traffic analysis tools to identify malicious or suspicious packets
hiding within the traffic. They monitor download/upload speeds, throughput, content, traffic
behaviors, etc. to understand what is going on in the network operations.


Advantages of Network Traffic Monitoring and Analysis

Monitoring network traffic helps to:

• Understand data flows in your network
• Optimize network performance
• Avoid bandwidth bottlenecks
• Detect signs of malicious activity
• Find unnecessary and vulnerable applications
• Investigate security breaches

Network traffic analysis is done to get an in-depth insight into what type of network packets or
data is flowing through a network. Typically, it is done through network monitoring or network
bandwidth monitoring utilities. The traffic statistics from network traffic analysis help to:

• Understand and evaluate the network utilization.
• Measure download/upload speeds.
• Identify the type, size, origin, destination and content/data of packets.

The typical network monitoring advantages are:

• Proactive: Network monitoring proactively detects the applications that consume the most
bandwidth so that their consumption can be reduced. It manages server bottleneck situations
and other systems connected to the network. Network monitoring delivers an efficient
quality of service to users. It also creates a record of all the irregularities occurring in the
network, which administrators handle later.

• Utilization: It is important to analyze the need for network utilization, especially with all
the new and evolving technology. Network monitoring provides complete details on
the infrastructure. This gives an idea of the amount of load a network can handle
during heavy traffic periods, leading to the required utilization of the capacity in the
network.

• Optimization: Network monitoring techniques gather the network infrastructure
information in a timely manner and save it for the administrator. The admin can then take
the required actions before the situation worsens. Applications that prove vulnerable to
the network are located by this technique.

• Minimizing Risk: Network monitoring techniques cover all the required SLAs and
compliance requirements applicable to users or consumers. The complete infrastructure
information is required when drafting the SLAs. Real-time monitoring of network topologies
and channels helps document these SLAs.

The network monitoring technique is beneficial for administrators. It is very easy to set up and
implement, considering the complexity of the networks.


Network Monitoring and Analysis: Techniques

Router based:
• Most routers have built-in network monitoring capabilities
• Advantage: extra software and/or hardware is not needed
• Disadvantage: less flexibility

Non-router based:
• Uses additional hardware and/or software such as packet sniffers, network monitoring
software, etc.
• Advantage: more flexibility
• Disadvantage: extra monitoring software and/or hardware is required

A network administrator can implement two types of techniques to monitor their network.
Each technique has advantages and disadvantages. It is recommended that both router-based
and non-router based techniques be used for the network monitoring task.

Router based monitoring technique

In router based monitoring, the functionality is hardcoded into the router. To use this
functionality, it must first be enabled and configured using the router interface. With its built-in
feature, it is less expensive, but offers less flexibility. This inbuilt feature uses SNMP monitoring,
Netflow monitoring and remote monitoring techniques to monitor the network.

Non-Router based monitoring technique

In non-router based monitoring, a dedicated external hardware device or additional software is
required to monitor your network. Because of this, it is more expensive than using a router
based technique. However, it offers more flexibility in monitoring than a router based
technique.


Router Based Monitoring Techniques: SNMP Monitoring

A router uses SNMP based monitoring to manage the network performance and problems.

Example: Steps to enable SNMP on Cisco routers/switches (source: http://www.cisco.com)

1. Create or modify an SNMP view record (optional)
2. Create or modify an access control for the SNMP community (required)
3. Specify an SNMP server engine name (ID) (optional)
4. Specify SNMP server group names (optional)
5. Configure SNMP server hosts (required)
6. Configure SNMP server users (optional)
7. Enable the SNMP agent shutdown mechanism (optional)
8. Set the contact, location and serial number for the SNMP agent (optional)
9. Define the maximum SNMP agent packet size (optional)
10. Limit the number of TFTP servers used by SNMP (optional)
11. Monitor and troubleshoot the SNMP status (optional)
12. Disable the SNMP agent (optional)
13. Configure SNMP notifications (required)
14. Configure the router as an SNMP manager (optional)

Simple Network Management Protocol (SNMP) is a part of the TCP/IP suite and functions on
the application layer. SNMP helps administrators manage network performance by resolving
the network issues it encounters. Passive sensors, implemented from a router to a host, gather
traffic statistics.

Elements of SNMP-based Monitoring

SNMP consists of an SNMP manager, SNMP agents, managed devices and a management
information base (MIB).

• SNMP Manager: The SNMP manager is a system that maintains proper network function.
The communication between the SNMP manager and agents uses a defined message format. The
SNMP manager controls and monitors the activities of the hosts. The main roles of an SNMP
manager are:
   • Querying the SNMP agents.
   • Receiving responses from the SNMP agents.
   • Implementing changes to the agents.
   • Monitoring asynchronous events from the agents.

• SNMP Agent: The SNMP agent maintains and saves the data for network devices. This data is
passed on to the managing systems of the network. An SNMP agent can only work when a
relationship is defined between an SNMP manager and the SNMP agent. The main roles of
SNMP agents are:

   • Gathering management information.
   • Storing and retrieving management information.
   • Notifying the SNMP manager that an event has occurred.

• Managed Devices: Network devices such as routers, switches and servers that require
some form of monitoring and management.

• Management Information Base (MIB): The SNMP manager uses the device records saved
by the SNMP agent. The shared database holding these records is known as the Management
Information Base. The MIB allows the SNMP manager to query SNMP agents about the
devices.

• SNMP Commands: The SNMP commands make the implementation of SNMP less
complex for administrators. The SNMP commands are:
   • GET: Retrieves information from the managed device. It is used by SNMP managers.
   • GET NEXT: Works similarly to GET and also retrieves the object identifiers from the
   MIB.
   • GET BULK: Retrieves large amounts of data from the MIB.
   • SET: SNMP managers use this command to modify or assign a value on the managed
   device.
   • TRAPS: SNMP agents use this command to notify SNMP managers about an event
   occurring in the network.
   • INFORM: Similar to TRAPS, but it includes the SNMP manager's acknowledgement of
   receiving the notification.
   • RESPONSE: The SNMP manager uses this command to carry the actions back to the
   agents.

Information collected by SNMP helps to control the network by resolving issues in real time,
before they affect the productivity of the organization.


Router Based Monitoring Techniques: Netflow Monitoring

The Netflow feature in Cisco routers collects and monitors the IP traffic passing through
the router.

Step 1: To specify the interface and enter interface configuration mode, use the following
command:

    Router(config)# interface type slot/port-adapter/port    (Cisco 7500 series routers)

    OR

    Router(config)# interface type slot/port                 (Cisco 7200 series routers)

Step 2: Enable Netflow for IP routing. Use the following command:

    Router(config-if)# ip route-cache flow

The Netflow monitoring technique has the ability to collect the IP network traffic while it is entering
or exiting the interface. This helps administrators determine the source and destination of the
traffic, the class of service and the reason for traffic congestion, whenever it occurs. Netflow
monitoring allows a network-wide view of the traffic, enhancing the performance monitoring and
security of the network. Cisco devices support Netflow based network monitoring.

Elements of Netflow-based Monitoring

• Netflow Exporter: The Netflow exporter collects all the packets and transfers the flow data
towards the collector.
• Netflow Collector: The Netflow collector pre-processes the flow data received from the
Netflow exporter.
• Analysis Console: Administrators operate the analysis console, which analyzes the flow data
for intrusion detection or traffic profiling.


Non-Router Based Monitoring Techniques

The non-router monitoring technique is a passive form of monitoring using packet sniffers
and network monitors.

• Packet Sniffers: use packet sniffing utilities to inspect every data packet travelling in the
network.
• Network Monitors: use network monitoring utilities to inspect the packets, network,
bandwidth being used and performance.

Non-router based monitoring techniques use active or passive monitoring, or a combination of
these, to monitor the network. The administrator uses a variety of tools to help monitor
network performance and analyze traffic patterns. Typically, these tools involve packet
sniffing, network monitoring and bandwidth monitoring. Network and bandwidth monitoring
tools use SNMP to monitor devices, bandwidth, performance and availability for all devices and
services. Packet sniffing tools are used to analyze the traffic pattern and identify anomalies in
the network traffic.


Network Monitoring: Positioning your Machine at the Appropriate Location

To run network traffic monitoring/sniffing utilities, the machine must be placed at an
appropriate location.

Administrators should place and connect their system so they can view all the inbound and
outbound traffic flowing through their network. Network administrators should ensure that
each packet is inspected against policy violations. The machine must be placed as described in
the figure below: it should connect to the switch in front of the firewall and be installed with the
required packet sniffing and network monitoring tools.
FIGURE 11.1: Deployment of machines at appropriate location (diagram: Internal Network/LAN
with users and a switch, a firewall facing the Internet and the attacker; normal and malicious
traffic flows pass through the switch, where the network administrator's machine running
Wireshark is connected)


Network Monitoring: Connecting Your Machine to a Managed Switch

• Connect the capture device to the port running in monitor mode (managed switch)
• The managed switch allows the specific port to run in monitor mode
• All the packets passing through the switch are replicated to a specific port in monitor mode
• This feature is called Port Monitoring or Port Mirroring
• Use the switch management interface to both select the port and assign a specific port to
monitor
• Different vendors have this feature but use different names for it:
   • Switched Port Analyzer (SPAN) - Cisco
   • Roving Analysis Port (RAP) - 3Com

(Diagram: managed switch with ingress and egress traffic on the source SPAN ports replicated to
the destination SPAN port)

Administrators should ensure the switch is connected and configured as a managed switch. Only a
managed switch allows all the network traffic flowing through the network to be viewed. Configure
the switch as a managed switch by enabling the port monitoring or port mirroring feature on a
specific port in the switch. Different vendors have different names for this feature. For example,
the port mirroring feature on a Cisco switch is known as a Switched Port Analyzer (SPAN) port.
The port mirroring process includes copying the switch network traffic and sending it to
another port in the switch so the monitoring tool can analyze it.

The managed switch can configure, manage, and monitor the LAN. It allows the administrator
to have greater control over the flow of data traversing the network. With the ability to
manage the data flow, the chances of an intrusion are much lower. Though a managed switch
may cost more than an unmanaged switch, it assures better security and filtered data
transmissions among the systems.


Network Traffic Signatures

A signature is a set of traffic characteristics such as a source/destination IP address, ports, TCP flags,
packet length, TTL and protocols. Signatures are used to define the type of activity on a network.

Types of Signatures:
• Normal Traffic Signature: acceptable traffic patterns allowed to enter the network
• Attack Signature: suspicious traffic patterns not allowed to enter the network

A signature is a set of characteristics that define network activity, including IP addresses, TCP flags,
and port numbers. It includes a set of rules used to detect malicious traffic entering a network.
Signatures are used to:

• Alert on unusual traffic on the network.
• Identify suspicious header characteristics in a packet.
• Configure an intrusion detection system to identify attacks or probes.
• Record knowledge about a specific attack that happened or a vulnerability to be exploited.
• Match patterns in packet analysis.

Types of Signatures

Signatures are classified into two main categories depending on their behavior:

• Normal Traffic Signatures: They include the normal network traffic regularly flowing to
and from the network. These signatures are defined based on a normal traffic baseline for
the organization. These signatures do not contain any malicious signature patterns and
can be allowed to enter the network.
• Attack Signatures: The traffic patterns that look suspicious are generally treated as attack
signatures. These signatures should not be allowed to enter the network. If allowed, they
are often the reason for a network security breach. These signatures deviate from the
normal signature behavior and should be analyzed.


Baselining Normal Traffic Signatures

A network baseline is the accepted behavior for normal network traffic. It is a benchmark to
differentiate between normal and suspicious traffic.

Network traffic baselines differ between organizations and change over time according to
the operating environment and prevailing threat scenario.

Some considerations to create a baseline for normal traffic:

• TCP/IP communication is a three-way handshake for normal traffic
• The SYN flag appears at the beginning and the FIN flag at the end of a connection
• All conversations originating inside the DMZ are trusted traffic items
• Any traffic violating the network policies indicates malicious traffic. For example, if there
is FTP traffic where this type is restricted, it indicates a potential issue
• Any DHCP traffic from unknown DHCP servers indicates a rogue DHCP server
• Mail traffic originating in the network but not sent to a mail server is suspect
• Any DNS traffic not sent to the DNS server is suspect
• Any outgoing traffic with internal addresses not matching the organization's address
space may be malicious

The network traffic baseline helps understand the behavioral patterns of the network.
Baselining establishes a set of metrics to monitor network performance. These metrics define the
normal working condition of an enterprise's network traffic. The network traffic is compared
with these metrics to detect any changes in the traffic, which could signal a threat to the security
of the network. A network traffic baseline establishes the accepted packets, which are safe for the
organization. Baselining the traffic makes it easier to detect suspicious activities on the
network. Any deviation from the normal traffic baseline can be considered a suspicious traffic
signature. The administrator should define a network baseline for their organization and
validate the traffic against it. Baselining is more effective if it works in parallel with the
organization's policy. With the help of normal traffic baselining, administrators can judge the
requirements needed to secure the network.

Although there is no industry standard to measure network traffic performance baselines,
there are network monitoring tools which provide estimates on what type of traffic is normal. A
network traffic baseline should be defined for all incoming, outgoing, internet traffic and WAN
links. The network traffic baseline should also contain the traffic for critical business data and
backup systems.
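As an added illustration that is not part of the CND courseware, the address- and policy-based baseline considerations above (DNS, DHCP, mail, outgoing address space, restricted FTP) can be expressed as checks over flow records. The server addresses, address space and restricted ports below are constructed for the example; a real baseline comes from the organization's own inventory and policy.

```python
"""Check flow records against an organization's normal-traffic baseline (constructed values)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


# Constructed baseline for the example only.
BASELINE = {
    "address_space": [ip_network("10.10.0.0/16")],
    "dns_servers": {"10.10.0.53"},
    "dhcp_servers": {"10.10.0.1"},
    "mail_servers": {"10.10.0.25"},
    "restricted": {("tcp", 21): "FTP traffic where FTP is restricted by policy"},
}


def in_address_space(ip: str) -> bool:
    """True if the address belongs to the organization's own address space."""
    addr = ip_address(ip)
    return any(addr in net for net in BASELINE["address_space"])


def baseline_violations(flow: Flow) -> list:
    """Return the baseline considerations this flow violates (empty: consistent with the baseline)."""
    found = []
    # Any DNS traffic not sent to the organization's DNS server is suspect.
    if flow.dport == 53 and flow.dst not in BASELINE["dns_servers"]:
        found.append("DNS traffic not sent to the DNS server")
    # DHCP server-side traffic (UDP source port 67) from an unknown server indicates a rogue DHCP server.
    if flow.proto == "udp" and flow.sport == 67 and flow.src not in BASELINE["dhcp_servers"]:
        found.append("DHCP traffic from unknown DHCP server")
    # Mail traffic originating inside the network but not sent to a mail server is suspect.
    if (flow.proto == "tcp" and flow.dport == 25 and in_address_space(flow.src)
            and flow.dst not in BASELINE["mail_servers"]):
        found.append("mail traffic not sent to a mail server")
    # Outgoing traffic whose internal-looking source lies outside the organization's space may be spoofed.
    if (not in_address_space(flow.dst) and ip_address(flow.src).is_private
            and not in_address_space(flow.src)):
        found.append("outgoing traffic with internal address outside the organization's address space")
    # Traffic violating network policy, for example FTP where it is restricted.
    rule = BASELINE["restricted"].get((flow.proto, flow.dport))
    if rule:
        found.append(rule)
    return found


def triage(flows) -> list:
    """Return (flow, violations) pairs for the flows that deviate from the baseline."""
    out = []
    for flow in flows:
        violations = baseline_violations(flow)
        if violations:
            out.append((flow, violations))
    return out


if __name__ == "__main__":
    sample = [Flow("10.10.5.7", "10.10.0.53", "udp", 51000, 53),     # normal DNS lookup
              Flow("10.10.5.7", "8.8.8.8", "udp", 51000, 53),        # DNS bypassing the org resolver
              Flow("10.10.9.9", "10.10.5.7", "udp", 67, 68),         # DHCP offer from an unknown host
              Flow("192.168.1.20", "203.0.113.10", "tcp", 52000, 443)]  # source outside our space
    for flow, why in triage(sample):
        print(flow, "->", why)
```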


• According to a network traffic baseline, normal traffic signatures for TCP packets should
have the following characteristics:
   • To establish a three-way handshake, TCP uses the SYN, SYN ACK and ACK bits in every
   session.
   • The ACK bit should be set in every packet, except for the initial packet in which only the
   SYN bit is set.
   • FIN ACK and ACK are used in terminating the connection. PSH FIN and ACK may also
   be used initially in the same process.
   • RST and RST ACK are used to quickly end an ongoing connection.
   • During the conversation (after the handshake and before termination) packets only
   contain an ACK bit by default. Sometimes they may also have a PSH or URG bit set.

• A suspicious TCP packet has one or more of the following characteristics:
   • If both SYN and FIN bits are set, it is an illegal TCP packet.
   • SYN FIN PSH, SYN FIN RST and SYN FIN PSH RST are all variants of SYN FIN. An attacker sets
   these additional bits to avoid being detected.
   • A packet which has only a FIN flag is illegal, as FIN alone can be used in network mapping,
   port scanning and other stealth activities.
   • Some packets have all six flags unset, known as a NULL flag. These are illegal packets.
   • Source or destination port is zero.
   • If the ACK flag is set, then the acknowledgement number should not be zero.
   • If a packet only has the SYN bit set (which is at the beginning, to establish a
   connection) and any other data is present, then it is an illegal packet.
   • If the destination address is a broadcast address (ending with 0 or 255), it is an illegal
   packet.
   • Every TCP packet has two bits reserved for future use. If either or both of them are set,
   it is an illegal packet.
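The suspicious-TCP rules listed above, implemented over raw IPv4/TCP header bytes, as an added example that is not part of the courseware. The test frames are constructed inline; the CWR/ECE bits (assigned to ECN by RFC 3168) are treated as legitimate rather than reserved, and the broadcast rule follows the text's "last octet 0 or 255" heuristic rather than a real subnet mask.

```python
"""Classify a captured IPv4/TCP packet against the TCP normal-traffic baseline rules."""
import struct
from ipaddress import IPv4Address

# The six classic TCP flag bits in the flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CLASSIC_FLAGS = 0x3F      # CWR/ECE (0xC0) are ECN bits per RFC 3168 and are ignored here
RESERVED_MASK = 0x0E      # reserved bits in the data-offset byte (NS, 0x01, is RFC 3540 and not checked)


def parse_ipv4_tcp(frame: bytes) -> dict:
    """Parse an IPv4 header followed by a TCP header; checksums are not verified."""
    ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    tcp = frame[(ver_ihl & 0x0F) * 4:]
    sport, dport, _seq, ack_num, off_res, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", tcp[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "src": IPv4Address(src), "dst": IPv4Address(dst),
        "sport": sport, "dport": dport, "ack_num": ack_num,
        "flags": flags & CLASSIC_FLAGS,
        "reserved": off_res & RESERVED_MASK,
        "payload_len": len(tcp) - data_offset,
    }


def suspicious_tcp_reasons(frame: bytes) -> list:
    """Return the baseline rules the packet violates; an empty list means it looks normal."""
    p = parse_ipv4_tcp(frame)
    f = p["flags"]
    reasons = []
    if f & SYN and f & FIN:                       # covers SYN FIN, SYN FIN PSH, SYN FIN RST, ...
        reasons.append("SYN and FIN both set")
    if f == FIN:                                  # FIN without ACK: stealth mapping/scanning
        reasons.append("FIN-only packet")
    if f == 0:                                    # all six flags unset
        reasons.append("NULL flags")
    if p["sport"] == 0 or p["dport"] == 0:
        reasons.append("source or destination port is zero")
    if f & ACK and p["ack_num"] == 0:
        reasons.append("ACK set with acknowledgement number zero")
    if f == SYN and p["payload_len"] > 0:         # connection request carrying data
        reasons.append("SYN-only packet carries data")
    if (int(p["dst"]) & 0xFF) in (0, 255):        # the text's broadcast heuristic
        reasons.append("destination is a broadcast-style address")
    if p["reserved"]:
        reasons.append("reserved header bits set")
    return reasons


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int,
                ack_num: int = 0, payload: bytes = b"", reserved: int = 0) -> bytes:
    """Build a constructed test frame (IPv4 + TCP, no options, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, ack_num,
                      (5 << 4) | reserved, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


if __name__ == "__main__":
    handshake = [build_frame("10.0.0.5", "10.0.0.9", 40000, 80, SYN),
                 build_frame("10.0.0.9", "10.0.0.5", 80, 40000, SYN | ACK, ack_num=1001),
                 build_frame("10.0.0.5", "10.0.0.9", 40000, 80, ACK, ack_num=1)]
    probe = build_frame("10.0.0.5", "10.0.0.9", 40000, 80, SYN | FIN | PSH)
    for frame in handshake + [probe]:
        print(suspicious_tcp_reasons(frame) or "normal")
```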


Suspicious Traffic Signature Categories

• Informational: Traffic containing certain signatures that may look suspicious but might not
be malicious
• Reconnaissance: Traffic containing certain signatures that denote an attempt to gain
information
• Unauthorized Access: Traffic containing certain signatures that denote an attempt to gain
unauthorized access
• Denial of Service: Traffic containing certain signatures that denote an attempt to perform a
DoS attack by flooding the traffic with a large number of requests

Network traffic deviating from its normal behavior is categorized as a suspicious traffic
signature. It is classified into four categories:

• Informational: The informational traffic signature detects normal network activity.
Although this may not look suspicious, the data gathered through the informational
signature can be used for suspicious activities. For example, the informational traffic
signatures may include:
   • ICMP echo requests
   • TCP connection requests
   • UDP connections

• Reconnaissance: The reconnaissance traffic consists of signatures which indicate an
attempt to gain network access. Reconnaissance is an unauthorized discovery of
vulnerabilities and mapping of systems and services. Reconnaissance is also known as
information gathering, and in most cases it precedes a network attack.
For example, the reconnaissance traffic signatures may include:
   • Ping sweep attempts
   • Port scan attempts
   • DNS query attempts


• Unauthorized Access: Traffic may contain signs of someone attempting to gain
unauthorized access, unauthorized data retrieval, system access or privilege escalation,
etc. An attacker who does not have privileges to access an organization's network usually
generates this type of traffic with the intention of capturing sensitive data. For example,
the unauthorized access traffic signatures may include:
   • Password cracking attempts
   • Sniffing attempts

• Denial of Service: Traffic may contain a large number of requests from a single or
multiple sources as an attempt to perform a Denial of Service attack. This type of attempt
is made to disrupt the service of the target organization. For example, the DoS traffic
signatures may include:
   • Ping of Death attempts
   • SYN Flood attempts


Attack Signature Analysis Techniques

Content-based signature analysis:
• Attack signatures are contained in packet payloads
• Check for specific strings occurring in the suspicious payload

Context-based signature analysis:
• Attack signatures are contained in packet headers
• Inspect packets for unusual/suspicious header information such as:
   • Source and destination IP address
   • IP options, protocols and checksums
   • Source and destination port number
   • IP fragmentation flags, offset or identification

Atomic signature-based analysis:
• Single packet analysis is enough to detect attack signatures

Composite signature-based analysis:
• Multiple packet analysis is required to detect attack signatures

Attack signature analysis techniques are classified into four different categories including:

• Content-based Signature: Content-based signatures are detected by analyzing the data in the payload and matching a text string to a specific set of characters. If undetected, these signatures can open backdoors in a system, providing administrative controls to an outsider.

• Context-based Signature: Packets are usually altered using the header information. Suspicious signatures in the header can include malicious data that can affect:

• Source and destination IP addresses
• Source and destination port numbers
• IP options
• IP protocols
• IP, TCP and UDP checksums

• Atomic Signature: To detect an atomic signature, administrators need to analyze a single packet to determine if the signature includes malicious patterns. To detect these signature patterns, administrators do not require any knowledge of past or future activities.

• Composite Signature: In contrast to atomic signatures, administrators need to analyze a series of packets over a long period of time to detect attack signatures. Detecting these attack patterns is very difficult. ICMP flooding is an example of the attacks performed using composite signatures. In this attack, multiple ICMP packets are sent to a single host so the server is busy responding to the requests.

Module 11 Page 927 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Traffic Monitoring and Analysis
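The ICMP flood case shows why a composite signature needs more than one packet: each echo request is legitimate on its own, and only the rate toward one host reveals the attack. The following Python is an added example (not EC-Council courseware code) that keeps a sliding window of echo requests per destination and raises an alert once the count crosses a threshold; the packet records, the one-second window and the threshold of 20 are constructed, illustrative assumptions.

```python
"""Composite (multi-packet) signature: ICMP echo-request flood detection.

Added example, not EC-Council courseware code. Packet records are constructed
inline as plain dicts; the window size and threshold are illustrative.
"""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8  # ICMP type 8 = echo request (RFC 792)


def detect_icmp_flood(packets, window_seconds=1.0, threshold=20):
    """Return a list of (dst, first_ts, last_ts, count) alerts.

    No atomic (per-packet) rule can catch a flood, because a single echo
    request is benign. The signature emerges only across packets: we keep
    a sliding window of timestamps per destination host and alert once
    the number of echo requests inside the window reaches the threshold.
    """
    windows = defaultdict(deque)   # dst -> timestamps of recent echo requests
    alerted = set()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if pkt["proto"] != "icmp" or pkt.get("icmp_type") != ICMP_ECHO_REQUEST:
            continue
        dq = windows[pkt["dst"]]
        dq.append(pkt["ts"])
        # Drop timestamps that have fallen out of the window.
        while dq and pkt["ts"] - dq[0] > window_seconds:
            dq.popleft()
        if len(dq) >= threshold and pkt["dst"] not in alerted:
            alerted.add(pkt["dst"])
            alerts.append((pkt["dst"], dq[0], dq[-1], len(dq)))
    return alerts


def sample_traffic():
    """Constructed traffic: a normal ping once per second to the gateway,
    plus a burst of 50 echo requests at one server inside half a second."""
    pkts = []
    for i in range(10):
        pkts.append({"ts": float(i), "src": "10.0.0.5", "dst": "10.0.0.1",
                     "proto": "icmp", "icmp_type": ICMP_ECHO_REQUEST})
    for i in range(50):
        pkts.append({"ts": 3.0 + i * 0.01, "src": f"198.51.100.{i % 20 + 1}",
                     "dst": "10.0.0.80", "proto": "icmp",
                     "icmp_type": ICMP_ECHO_REQUEST})
    # Unrelated TCP traffic the detector must ignore.
    pkts.append({"ts": 3.2, "src": "10.0.0.7", "dst": "10.0.0.80",
                 "proto": "tcp", "sport": 51000, "dport": 80})
    return pkts


if __name__ == "__main__":
    for dst, first, last, n in detect_icmp_flood(sample_traffic()):
        print(f"ICMP flood toward {dst}: {n} echo requests in {last - first:.2f}s")
```

The gateway pings never accumulate more than two timestamps in the window, so they produce no alert; the burst toward 10.0.0.80 trips the rule at its twentieth packet, and the `alerted` set keeps the remaining thirty packets of the same burst from generating duplicate alerts.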

Attacker signatures may be located in either the header or payload of the packet.

Unusual/Suspicious information in Header


The attacker can alter the packet header information to bypass the filter and get into the
network. To detect packets with malicious header formats, administrators should have an
understanding of the header fields an attacker can modify. Header fields that can carry suspicious
signatures include:

• Source and destination IP address

• Source and destination port number

• IP options, protocol, and checksums

• IP fragmentation flags, offset, or identification


Administrators should also have an understanding of the various attack signatures that may
come through the header information. This helps them take remediation actions against
suspicious packets.

Although an illegal header value is certainly a fundamental component of these signatures,
administrators should also understand that valid headers can also have suspicious header values.
For example, suspicious connections to port numbers may provide a quick method to identify
possible Trojan activity. Unfortunately, normal traffic may also use these odd port numbers. A
detailed signature includes other characteristics of the traffic and is needed to determine the
true nature of this traffic. Suspicious but legal values such as a port number are best used in
combination with other values.

Suspicious Data in the Payload


Administrators should also have an understanding of the possible attack signatures that may
come through data in the payload. They should check for specific strings occurring in the
payload of each packet before allowing it through the network.

Administrators need to examine the packet payloads within TCP and UDP to identify suspicious
payload values. They should understand that a protocol such as DNS is carried within TCP or
UDP. Decoding a packet's IP header information gives a clear indication of whether its payload
contains TCP, UDP or another protocol. If the payload is TCP, administrators need to process
some of the TCP header information within the IP payload before accessing the TCP payload.
DNS data is contained within UDP and TCP payloads.

An example of this is a DNS buffer overflow attempt contained in the payload of a query. By
parsing the DNS fields and checking the length of each, administrators can identify an attempt
to perform a buffer overflow using a DNS field. Another method is to look for known exploit
shellcode sequences in the payload.
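The layered decoding just described (IP header to find the transport protocol, transport header to reach the payload, then the DNS fields) is shown below as an added example in Python; it is not EC-Council courseware code. It walks the DNS question name label by label and reports a label longer than 63 bytes, a name longer than 255 bytes, or a claimed label length that runs past the data actually sent. The sample packets are constructed inline with `struct`; the addresses and query name are placeholders, while the IPv4, UDP, TCP and DNS field offsets are the standard ones.

```python
"""Payload inspection: walk an IPv4 packet down to the DNS question and flag
a label or name that exceeds the RFC 1035 limits, the check the text above
describes for a DNS buffer-overflow attempt.

Added example, not EC-Council courseware code. Field offsets are the real
IPv4/UDP/TCP/DNS layouts; the packets are constructed inline with struct.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
DNS_MAX_LABEL = 63      # RFC 1035 section 2.3.4
DNS_MAX_NAME = 255


def parse_ipv4(pkt):
    """Return (protocol, payload). The IHL field locates the payload, so IP
    options are skipped instead of being mis-read as the transport header."""
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr_len = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    return pkt[9], pkt[hdr_len:total_len]


def transport_payload(proto, seg):
    """Strip the UDP or TCP header; return (src_port, dst_port, payload).
    DNS over TCP prefixes the message with a 2-byte length, removed here."""
    if proto == IPPROTO_UDP:
        sport, dport, length = struct.unpack_from("!HHH", seg, 0)
        return sport, dport, seg[8:length]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack_from("!HH", seg, 0)
        data_off = (seg[12] >> 4) * 4          # TCP data offset, in 32-bit words
        payload = seg[data_off:]
        if 53 in (sport, dport) and len(payload) >= 2:
            msg_len = struct.unpack_from("!H", payload, 0)[0]
            payload = payload[2:2 + msg_len]
        return sport, dport, payload
    raise ValueError(f"unsupported transport protocol {proto}")


def check_dns_question(msg):
    """Walk the first QNAME label by label; return a list of findings
    (empty when the name is well-formed)."""
    if len(msg) < 12:
        return ["truncated DNS header"]
    if struct.unpack_from("!H", msg, 4)[0] == 0:   # QDCOUNT
        return []
    findings, pos, name_len = [], 12, 0
    while pos < len(msg):
        label_len = msg[pos]
        if label_len == 0 or label_len & 0xC0 == 0xC0:   # root or compression pointer
            break
        if label_len > DNS_MAX_LABEL:
            findings.append(f"label length {label_len} exceeds {DNS_MAX_LABEL}")
        name_len += label_len + 1
        pos += 1 + label_len
    else:
        # Claimed label lengths ran past the bytes actually sent: the shape
        # of an overflow attempt against a parser that trusts the length byte.
        findings.append("QNAME runs past end of packet")
    if name_len + 1 > DNS_MAX_NAME:
        findings.append(f"name length {name_len + 1} exceeds {DNS_MAX_NAME}")
    return findings


def inspect(pkt):
    """Decode IP -> transport -> DNS and report findings for port-53 traffic."""
    proto, seg = parse_ipv4(pkt)
    sport, dport, payload = transport_payload(proto, seg)
    if 53 not in (sport, dport):
        return []
    return check_dns_question(payload)


def build_query(labels):
    """Constructed IPv4/UDP/DNS query (10.0.0.5 -> 10.0.0.53). Label lengths
    are written as given, so oversized labels can be produced on purpose."""
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 53]))
    return ip + udp


GOOD_QUERY = build_query([b"www", b"example", b"com"])
OVERSIZED_LABEL = build_query([b"A" * 100, b"example", b"com"])
_t = bytearray(GOOD_QUERY)
_t[40] = 60   # first label length byte (IP 20 + UDP 8 + DNS header 12) now claims 60 bytes
TRUNCATED_NAME = bytes(_t)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_QUERY), ("oversized", OVERSIZED_LABEL), ("truncated", TRUNCATED_NAME)):
        print(name, inspect(pkt) or "ok")
```

The third sample is the more dangerous of the two malformed queries: its label length (60) is within the limit, so a check that only compares against 63 would pass it, while the `while`/`else` exit catches the name running past the end of the datagram.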


Wireshark is a widely used network packet analyzer for analysis

It captures and intelligently browses the traffic running on a network

Features:
• Deep inspection of hundreds of protocols
• Live capture and offline analysis
• Standard three-pane packet browser
• Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility

[Screenshot: Wireshark capturing from vEthernet (Dell Wireless 1705 802.11b g n (2.4GHZ) - Virtual Switch)]

https://www.wireshark.org

A packet analyzer or packet sniffer is a tool that can intercept and log traffic passing through
the network. The sniffer is used in network management because of its monitoring and
analysis features, which help to detect intrusions, supervise network contents, troubleshoot the
network and control traffic. Network administrators use sniffers to analyze the behavior of an
application or device causing network issues.

The information running through a network is a valuable source of evidence to counter
intrusions or anomalous connections. The need to capture this information has led to the
development of packet sniffers.

Wireshark

Wireshark is an open source cross-platform packet capture and analysis tool. It is available for
Windows and Linux operating systems. The GUI window gives a detailed breakdown of the
network protocol stack for each packet. Wireshark can also save packet data to a file for offline
analysis, as well as export and import packet captures to and from other tools. Statistics can also
be generated for packet capture files.

Wireshark can be used for network troubleshooting, to investigate security issues and to
analyze and understand network protocols. The packet sniffer can read any information passed in
plain text.

• Features:
Wireshark has a rich feature set which includes the following:
• Identify poor network performance due to high path latency
• Locate internetwork devices that drop packets
• Validate optimal configuration of network hosts
• Analyze application functionality and dependencies
• Optimize application behavior for best performance
• Analyze network capacity before application launch
• Verify application security during launch, log in and data transfer
• Identify unusual network traffic indicating potentially compromised hosts

Network Packet Capture Prerequisites


Setting up Wireshark to capture packets for the first time can be tricky. Here are a few common
problems that are encountered while capturing packets with Wireshark for the first time:
• Administrators require special privileges to start a live capture.
• You need to choose the right network interface to capture packet data from.
• You need to capture at the correct location in the network to view the traffic you want to
see.

Wireshark Network Analysis Activities


Capturing live network data is one of the major features of Wireshark. The Wireshark capture
engine enables administrators to:
• Capture from different types of network hardware such as Ethernet or 802.11.
• Stop the capture based on different triggers such as the amount of captured data, elapsed
time or the number of packets.
• Simultaneously show decoded packets while the capturing is in progress.
• Filter packets, reducing the amount of data to be captured.
• Save packets in multiple files during a long capture.
• Simultaneously capture from multiple network interfaces.

First Network Packet Capture using Wireshark


To capture packets using Wireshark, first install and launch the tool on your network. Select the
appropriate network interface to capture traffic from. Different methods used to start
capturing packets with Wireshark:
1. Double-click on an interface in the main window.
2. You can get an overview of the available interfaces using the Capture Interface dialog box.
3. Start a capture from this dialog box using the Start button.
4. You can immediately start a capture using your current settings by selecting Capture ➔
Start or by clicking the first tool bar button.
5. If you already know the name of the capture interface, you can start Wireshark from the
command line: $ wireshark -i eth0 -k



[Screenshot: The Wireshark Network Analyzer welcome screen, listing the capture interfaces USBPcap1, USBPcap2, Local Area Connection, Ethernet, vEthernet (Dell Wireless 1705 802.11b g n (2.4GHZ) - Virtual Switch) and Wi-Fi, with the capture filter box and the Learn links (User's Guide, Wiki, Questions and Answers, Mailing Lists); the status bar reports Wireshark 2.0.1]

FIGURE 11.2: Wireshark network analyzer


[Screenshot: Capturing from vEthernet (Dell Wireless 1705 802.11b g n (2.4GHZ) - Virtual Switch). The packet list shows DHCPv6 Solicit, UDP and SSDP packets; the details pane expands Frame, Ethernet II, Internet Protocol Version 6 and User Datagram Protocol (dhcpv6-client (546) to dhcpv6-server (547)); the bytes pane shows the hex dump; the status bar reads Packets: 48, Displayed: 48 (100.0%), Profile: Default]

FIGURE 11.3: Capturing network interfaces

Source: https://www.wireshark.org


Understanding the Components of Wireshark

• Menu Bar: Hosts the features of Wireshark
• Tool Bar: Hosts the more frequently used tools and icons
• Filter Tool Bar: Filters the traffic based on filter options
• Packet List Panel: Displays the captured packets
• Packet Details Panel: Displays the detailed information about the captured packets at a granular level
• Packet Byte Panel: Displays the captured packet's bytes in a hex dump format

[Screenshot: Wireshark main window during a capture, with the Menu Bar, Tool Bar, Filter Tool Bar, Packet List Panel, Packet Details Panel and Packet Bytes Panel labelled]

https://www.wireshark.org

The main menu of the Wireshark tool contains the following items:

• File: This menu contains items to open and merge capture files, save, print, import and
export capture files in whole or in part, and to quit the Wireshark application.

• Edit: This menu contains items to find a packet, time reference or mark one or more
packets. It handles the configuration profiles and sets your preferences.

• View: This menu controls the display of the captured data, including colorization of
packets, font zoom, showing a packet in a separate window, expanding and collapsing the
packet tree details.

• Colorize Packet List: This option allows administrators to control whether or not
Wireshark should colorize the packet list. Enabling colorization will slow down the
display of new packets while capturing and loading capture files.

• Coloring Rules: This option allows administrators to color packets in the packet list
pane according to the filter expressions of their choice. It can be very useful for
spotting certain types of packets.

• Colorize Conversation: This menu item brings up a submenu that allows the color of
the packets to be changed in the packet list pane based on the addresses of the
currently selected packet. This makes it easy to distinguish packets belonging to
different conversations.


• Go: This menu contains options to navigate to a specific packet including a previous
packet, next packet, corresponding packet, first packet and last packet.

• Capture: This menu allows the capture to start, stop and restart and edit capture filters.

• Capture Filters: This option allows administrators to create and edit capture filters.
Filters can be named and saved for future use.

• Analyze: This menu contains items to manipulate, display and apply filters, enable or
disable the dissection of protocols, configure user specified decodes and follow a different
stream including TCP, UDP and SSL.

• Follow TCP Stream: This option displays all the TCP segments captured that are on the
same TCP connection as a selected packet.

• Follow UDP Stream: This option displays all the UDP segments captured that are on
the same UDP connection as a selected packet.

• Follow SSL Stream: This option displays all the SSL segments captured that are on the
same SSL connection as a selected packet.

• Statistics: This menu contains options to display various statistic windows, including a
summary of the packets that have been captured, protocol hierarchy statistics, IO
graphs, flow graphs and more.

• Telephony: This menu contains options to display various telephony related statistic
windows, including a media analysis, flow diagrams, display protocol hierarchy statistics
and more.

• Wireless: This menu shows Bluetooth and IEEE 802.11 wireless statistics.

• Tools: This menu contains various tools available in Wireshark, including creating firewall
ACL rules and using the Lua interpreter.

• Firewall ACL Rules: This allows you to create command-line ACL rules for many
different firewall products, including Cisco IOS, Linux Netfilter, OpenBSD and Windows
Firewall. Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port
combinations are supported. It is assumed that the rules will be applied to an outside
interface.

• Lua: It includes options that allow administrators to work with the Lua interpreter,
which is built-in to Wireshark. Wireshark uses Lua to write protocol dissectors.

• Help: This menu contains items to help the user, including access to basic help manual
pages for the various command line tools, online access to some of the webpages and the
About Wireshark dialog.

• The Main Toolbar: The main tool bar provides quick access to frequently used items from
the menu. This tool bar cannot be customized by the user. If the space on the screen is
needed to show more packet data, then hide the toolbar using the View menu. As in the
menu, only the items useful in the current program state will be available. The others will
be greyed out.


• The Filter Toolbar: The filter toolbar allows administrators to quickly edit and apply display
filters.

• Packet List Panel: This is a list of packets in the current capture file. It colors the packets
based on the protocol. Each line in the packet list corresponds to one packet in the
capture file. If you select a line in this pane, more details will be displayed in the Packet
Details and Packet Bytes panes.

The default columns will show:

• No: The number of the packets in the capture file. This number won't change, even if a
display filter is used.

• Time: The timestamp of the packet. The presentation format of this timestamp can be
changed.

• Source: The address where this packet is coming from.

• Destination: The address where this packet is going to.

• Protocol: The protocol name in a short version.

• Info: Additional information about the packet content.

• Packet Details Panel: This views the details of the selected packet. It includes the
different protocols making up the layers of data for this packet. The protocols and fields of
the packet are displayed using a tree, which can be expanded and collapsed. Layers
include Frame, Ethernet, IP, TCP, UDP, ICMP and application protocols such as HTTP.

• Packet Bytes Panel: This panel views the packet bytes in a hex dump and ASCII encodings.
For a hex dump, the left side shows the offset in the packet data and the middle of the
packet data is shown in a hexadecimal representation. On the right the corresponding
ASCII characters are displayed.

• The Status Bar: The status bar displays informational messages. In general, the left side
will show context related information, the middle part will show the current number of
packets and the right side will show the selected configuration profile. Administrators can
drag the handles between the text areas to change the size.

Source: https://www.wireshark.org


Wireshark Capture and Display Filters

Wireshark provides different filter types which will show only the types of traffic needed

Capture Filters
• The filters are applied before starting the capture on the selected network interface
• They are used to capture specific traffic on the network
• Go to the Capture menu and select Capture Filters... to view all the available capture filters

Display Filters
• Display filters are used to filter captured packets
• Go to the Analyze menu and select Display Filters... to view all the available display filters

Note: The CND resource kit contains the cheat sheets for all available capture and display filters

Wireshark provides the opportunity to use different types of filters to sort out the network
traffic. The tool helps confine the search and shows only the desired traffic. By default,
Wireshark provides Capture Filters and Display Filters to filter the traffic.
Administrators can define filters and give them labels for later use. This saves time in recreating
and retyping the more complex filters that are used often.

Display Filters
Display filters are applied to captured packets. They are useful when there is no need to filter
before the capture starts: capture all the packets that traverse the network and then sort the
captured items using display filters.
Display filters are used while displaying packets. They allow administrators to concentrate on
the packets they are most interested in, while at the same time hiding the uninteresting ones.
They allow administrators to select packets by:

• Protocol
• The presence of a field
• The value of a field
• A comparison between fields

To define a new filter or edit an existing one, select Capture ➔ Capture Filters or Analyze ➔
Display Filters. A dialog box will open with options to define new and edit existing filters.


The mechanism for defining and saving capture filters and display filters is almost identical.
Administrators can use the "+" (plus) button to add new filters and the "-" (minus) button to
remove any unwanted filters. The copy button is used to copy a selected filter. Administrators
can edit existing filters by double-clicking on the filter. After creating a new filter or editing an
existing filter, click OK to save the changes.

Capture Filters
Capture filters are applied before starting a capture of the traffic on the selected network
interface. You cannot apply capture filters to traffic that has already been captured. A capture
filter should only be applied when the administrator knows what they are looking for.
Administrators should be aware of all the capture filters available, so as to quickly find network
anomalies.
Wireshark uses the libpcap filter language for capture filters. A capture filter takes the form of a
series of primitive expressions connected by conjunctions (and/or) and optionally preceded by
'not'. The syntax of a capture filter is:
[not] primitive [and|or [not] primitive ...]
For example, a capture filter for Telnet that captures traffic to and from a particular host is:
tcp port 23 and host 10.0.0.5
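To make the grammar above concrete, here is an added Python example (not Wireshark or libpcap code) that parses a filter string of the form `[not] primitive [and|or [not] primitive ...]` into a predicate and applies it to packet records instead of a live interface. It supports only a small subset of the libpcap primitives (tcp, udp, icmp, host, port, the src/dst qualifiers and parentheses) and gives `and` higher precedence than `or`, as libpcap does; the packet records are constructed sample data.

```python
"""Evaluator for the capture-filter grammar quoted above,
[not] primitive [and|or [not] primitive ...], run against packet records.

Added example, not Wireshark or libpcap code. Only a handful of primitives
are supported; "and" binds tighter than "or", as in libpcap.
"""
PROTOS = ("tcp", "udp", "icmp")


def _and(left, right):
    return lambda pkt: left(pkt) and right(pkt)


def _or(left, right):
    return lambda pkt: left(pkt) or right(pkt)


class FilterParser:
    """Recursive-descent parser producing a predicate over packet dicts."""

    def __init__(self, text):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        pred = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return pred

    def parse_or(self):          # or_expr := and_expr ('or' and_expr)*
        pred = self.parse_and()
        while self.peek() == "or":
            self.take()
            pred = _or(pred, self.parse_and())
        return pred

    def parse_and(self):         # and_expr := unary ('and' unary)*
        pred = self.parse_unary()
        while self.peek() == "and":
            self.take()
            pred = _and(pred, self.parse_unary())
        return pred

    def parse_unary(self):       # unary := 'not' unary | '(' or_expr ')' | primitive
        if self.peek() == "not":
            self.take()
            inner = self.parse_unary()
            return lambda pkt: not inner(pkt)
        if self.peek() == "(":
            self.take()
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.parse_primitive()

    def parse_primitive(self):   # primitive := [src|dst] [proto] (host V | port V) | proto
        direction = self.take() if self.peek() in ("src", "dst") else None
        proto = self.take() if self.peek() in PROTOS else None
        kind = self.peek()
        if kind not in ("host", "port"):
            if proto is not None and direction is None:
                return lambda pkt: pkt["proto"] == proto
            raise ValueError(f"expected host or port, got {kind!r}")
        self.take()
        value = self.take()
        if value is None:
            raise ValueError(f"{kind} needs a value")
        if kind == "host":
            fields = {"src": ("src",), "dst": ("dst",), None: ("src", "dst")}[direction]
        else:
            value = int(value)
            fields = {"src": ("sport",), "dst": ("dport",), None: ("sport", "dport")}[direction]

        def match(pkt):
            if proto is not None and pkt["proto"] != proto:
                return False
            return any(pkt.get(field) == value for field in fields)
        return match


def apply_filter(text, packets):
    """Return the packets a capture started with this filter would keep."""
    pred = FilterParser(text).parse()
    return [pkt for pkt in packets if pred(pkt)]


# Constructed packet records standing in for live traffic on an interface.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "sport": 51000, "dport": 23},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "sport": 23, "dport": 51000},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.9", "sport": 51001, "dport": 23},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.53", "sport": 40000, "dport": 53},
    {"proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.1"},
]

if __name__ == "__main__":
    for expr in ("tcp port 23 and host 10.0.0.5", "not host 10.0.0.5", "udp port 53 or icmp"):
        print(f"{expr!r}: {len(apply_filter(expr, SAMPLE_PACKETS))} packet(s)")
```

With the text's own filter, `tcp port 23 and host 10.0.0.5`, both directions of the Telnet session involving 10.0.0.5 are kept and the session from 10.0.0.7 is dropped; the precedence rule means `port 23 or udp and src host 10.0.0.5` keeps every port-23 packet plus the UDP query, which is not the same set as `(port 23 or udp) and src host 10.0.0.5`.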

Source: https://www.wireshark.org/


Monitoring and Analyzing FTP Traffic

• The FTP protocol is used to transfer files over TCP and its default port is 21
• FTP causes security concerns especially where it is used in an organization
• FTP sends data in a clear text format and it is susceptible to sniffing
• Use the ftp filter to check whether any unauthorized FTP sessions have been established in the network

[Screenshot: Wireshark with the display filter ftp applied. The packet list shows the FTP exchange between 192.168.0.57 and 206.188.192.205 (Response: 220 FTP Server ready, Request: USER, Response: 331 Password required, Request: PASS, Response: 530 Login incorrect); the packet details expand Frame, Ethernet II, IPv4, TCP (Src Port: 30936, Dst Port: 21) and File Transfer Protocol (FTP), with the USER command readable in clear text]

FTP does not offer a secure network environment, nor does it offer secure user authentication.
Individuals do not need authentication to access the FTP server in the network. This provides an
easy method for attackers to get on the network and access resources. FTP does not provide
encryption in the data transfer process. The data transfer between the sender and the receiver
is in plain text. Critical information such as usernames and passwords is exposed to
attackers. Implementing FTP in an organization's network leaves the data accessible to
external sources. Deploying FTP in a network can lead to attacks such as FTP bounce,
FTP brute force and packet sniffing.

Administrators should monitor the FTP traffic using Wireshark. It provides the administrator
with complete information about the FTP traffic on the network. Applying an FTP filter helps
detect unauthorized sessions running on the server. Apart from monitoring the traffic on the
FTP server, administrators should also monitor the existing file content and the file size stored
on the server.


Monitoring and Analyzing TELNET Traffic

• Telnet can provide access to a remote host, including most network equipment and operating systems
• Telnet is not encrypted, the password and all other data is transmitted as clear text
• Ideally it should be disabled; enabling it poses huge security risks to the network
• It becomes essential to check whether any telnet session is established within the network

To check for established telnet sessions:
• Go to the Statistics menu and click on Conversations
• Go to the TCP tab, select the appropriate Telnet communication indicated by port 23 and click Follow Stream...
• The Telnet traffic and the credentials in clear text will be viewable

[Screenshot: Wireshark with the display filter telnet applied (Telnet Data between 192.168.0.158 and 192.168.0.142), the Conversations dialog on the TCP tab, and the Follow TCP Stream window showing the Microsoft Telnet Service banner, the NTLM authentication failure message, the login and password prompts and the typed credentials in clear text]

The Telnet protocol works on a client-server model. It provides access to remote network
equipment and operating systems. The data transferred through Telnet is not encrypted,
making it easy for intruders to eavesdrop. If a person has access to a network device with
Telnet configured, they can gain access to the network and user account information.
Generally, Telnet should be disabled in the organization.

Telnet is a session-oriented protocol, which means the connection has to be open during the
entire session. Attackers can use open Telnet sessions to carry out a network security breach.
Administrators should monitor Telnet sessions (if any) running on their network. Timely
monitoring of Telnet sessions through Wireshark can greatly minimize the risk of a network
intrusion.


Monitoring and Analyzing HTTP Traffic

• HTTP sends information in plain text format
• Monitor and analyze HTTP traffic to:
  • Check if there is any sensitive information using HTTP
  • Detect malicious traffic
  • Check the traffic against a policy violation
  • Detect applications using unnecessary/restricted services
• Use the http filter to check the specific HTTP traffic

[Screenshot: Wireshark with the display filter http applied. A POST /goodshopping/ HTTP/1.1 request from 192.168.0.87 to 192.168.0.10 (Src Port: 8591, Dst Port: 80) is selected, and the HTML Form URL Encoded section (application/x-www-form-urlencoded) of the packet details shows the __VIEWSTATE, __EVENTVALIDATION, txtUsername, txtPassword and btnLogin form items, with the username and password values readable in clear text]

Applications implementing HTTP send data in clear text format. Implementing HTTP can pose
security risks to the organization, as sensitive information such as usernames and passwords is
sent in HTTP requests. The attacker can easily sniff the traffic and steal sensitive
information for malicious use. Administrators have to ensure that their HTTP traffic is sent over
an encrypted protocol such as HTTPS. At the same time, they should monitor and ensure their
applications do not send data over HTTP. Monitoring the HTTP traffic also helps detect the
volume of HTTP traffic flowing through the network.


• Attackers use various fingerprinting techniques to detect the OS type and version running on the target system

• OS Fingerprinting techniques include:
  • Passive OS Fingerprinting
  • Active OS Fingerprinting

[Slide diagram: an attacker on the Internet sending probes through the perimeter into the internal network]

OS fingerprinting is a process of gaining information about the target host's OS. Attackers use
this method during their reconnaissance phase. Once the target OS is identified, the attacker
can then find out what vulnerabilities exist in the OS or in a specific version of the OS. An
attacker can get into the network through the vulnerabilities existing in the OS. The attacker can
attempt both active and passive OS fingerprinting to detect the target OS.

Passive OS Fingerprinting
In this technique, the attacker does not send any packets to the target; instead, they sniff the
TCP/IP ports and analyze the default values of the various IP packet fields.

Active OS Fingerprinting
In this technique, the attacker sends packets to the target. If the target responds to the packets,
the attacker analyzes the responses and identifies the underlying OS.


Detecting Passive OS Fingerprinting Attempts

• Check for certain fingerprinting values in Wireshark to detect passive OS fingerprinting attempts

• The table shows the common passive OS fingerprinting values

[Slide table: the default IP and TCP header values (initial TTL, Don't Fragment flag, maximum segment size, window size, SackOK) per operating system, reproduced as Table 11.1 below]

In passive OS fingerprinting the attacker does not send any packets into the traffic; rather, they
sniff the TCP/IP ports. The target OS is detected by verifying the various IP and TCP header
fields, such as the initial TTL, the Don't Fragment flag, the maximum segment size, the window
size and SackOK. The default values of these fields can help administrators detect the
fingerprinting attempt. Administrators should inspect these fields to detect OS fingerprinting
attempts on their network. However, the default values for these fields may vary as the packet
traverses from one router to another. It is very difficult to detect a passive fingerprinting
attempt. Firewalls or other security devices cannot detect passive OS fingerprinting either. It has
become essential for administrators to detect these attempts manually with the help of packet
sniffing tools.
The following table shows the possible default values of the IP header fields for different types
of OSes. This will help administrators compare and identify OS fingerprinting attempts.


| Protocol | Header Field         | Default Value | Operating System                                         |
|----------|----------------------|---------------|----------------------------------------------------------|
| IP       | Initial Time to Live | 64            | Nmap, BSD, Mac OS 10, Linux                              |
| IP       | Initial Time to Live | 128           | Novell, Windows                                          |
| IP       | Initial Time to Live | 255           | Cisco IOS, Palm OS, Solaris                              |
| IP       | Don't Fragment Flag  | Set           | BSD, Mac OS 10, Linux, Novell, Windows, Palm OS, Solaris |
| IP       | Don't Fragment Flag  | Not set       | Nmap, Cisco IOS                                          |
| TCP      | Maximum Segment Size | 0             | Nmap                                                     |
| TCP      | Maximum Segment Size | 1440          | Windows, Novell                                          |
| TCP      | Maximum Segment Size | 1460          | BSD, Mac OS 10, Linux, Solaris                           |
| TCP      | Window Size          | 1024-4096     | Nmap                                                     |
| TCP      | Window Size          | 65535         | BSD, Mac OS 10                                           |
| TCP      | Window Size          | 2920-5840     | Linux                                                    |
| TCP      | Window Size          | 16384         | Novell                                                   |
| TCP      | Window Size          | 4128          | Cisco IOS                                                |
| TCP      | Window Size          | 24820         | Solaris                                                  |
| TCP      | Window Size          | Variable      | Windows                                                  |
| TCP      | SackOK               | Set           | Linux, Windows, OpenBSD                                  |
| TCP      | SackOK               | Not set       | Nmap, FreeBSD, Mac OS 10, Novell, Cisco IOS, Solaris     |

TABLE 11.1: Default values of IP header for different operating systems
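As an added example (not from the courseware), the following Python code encodes Table 11.1 and matches observed header values against it, rounding the observed TTL up to the nearest default initial TTL to allow for the per-hop decrement noted above; the packet records and the check for a packet whose fields all sit on the table's Nmap rows are constructed for illustration.

```python
# Added example, not from the EC-Council courseware: match observed IP/TCP
# header fields against the default values in Table 11.1. Packet records
# are constructed dictionaries standing in for fields read from a capture.

# (header field, default value) -> operating systems, as listed in Table 11.1
DEFAULTS = {
    ("ttl", 64): {"Nmap", "BSD", "Mac OS 10", "Linux"},
    ("ttl", 128): {"Novell", "Windows"},
    ("ttl", 255): {"Cisco IOS", "Palm OS", "Solaris"},
    ("df", True): {"BSD", "Mac OS 10", "Linux", "Novell", "Windows", "Palm OS", "Solaris"},
    ("df", False): {"Nmap", "Cisco IOS"},
    ("mss", 0): {"Nmap"},
    ("mss", 1440): {"Windows", "Novell"},
    ("mss", 1460): {"BSD", "Mac OS 10", "Linux", "Solaris"},
    ("sack_ok", True): {"Linux", "Windows", "OpenBSD"},
    ("sack_ok", False): {"Nmap", "FreeBSD", "Mac OS 10", "Novell", "Cisco IOS", "Solaris"},
}
# TCP window size rows (inclusive ranges); Windows is "Variable" and matches any value
WINDOW_RULES = [
    ((1024, 4096), {"Nmap"}),
    ((65535, 65535), {"BSD", "Mac OS 10"}),
    ((2920, 5840), {"Linux"}),
    ((16384, 16384), {"Novell"}),
    ((4128, 4128), {"Cisco IOS"}),
    ((24820, 24820), {"Solaris"}),
]
INITIAL_TTLS = (64, 128, 255)


def initial_ttl(observed_ttl):
    """Every router on the path decrements the TTL by one, so the sender's
    default is the smallest common initial TTL that is >= the observed value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return None  # not a valid IPv4 TTL


def hops(observed_ttl):
    """Estimated number of routers traversed: initial TTL minus observed TTL."""
    start = initial_ttl(observed_ttl)
    return None if start is None else start - observed_ttl


def window_candidates(window):
    found = {"Windows"}  # the "Variable" row
    for (low, high), oses in WINDOW_RULES:
        if low <= window <= high:
            found |= oses
    return found


def candidate_os(pkt):
    """Intersect the OS sets of every field present in the record. TCP option
    fields are absent on pure IP/ICMP traffic, so only present fields count;
    an empty result means no combination of table rows fits the packet."""
    sets = []
    if "ttl" in pkt:
        sets.append(DEFAULTS.get(("ttl", initial_ttl(pkt["ttl"])), set()))
    for field in ("df", "mss", "sack_ok"):
        if field in pkt:
            sets.append(DEFAULTS.get((field, pkt[field]), set()))
    if "window" in pkt:
        sets.append(window_candidates(pkt["window"]))
    if not sets:
        return set()
    result = set(sets[0])
    for s in sets[1:]:
        result &= s
    return result


def looks_like_nmap(pkt):
    """A packet whose fields all sit on the table's Nmap rows (TTL 64, DF not
    set, MSS 0, window 1024-4096, no SackOK) comes from a crafted probe, not
    from a normal host's TCP/IP stack."""
    return candidate_os(pkt) == {"Nmap"}


# Constructed sample records; values chosen to exercise the table rows
SAMPLES = [
    {"src": "192.168.0.87", "ttl": 128, "df": True, "mss": 1440, "window": 8192, "sack_ok": True},
    {"src": "192.168.0.10", "ttl": 61, "df": True, "mss": 1460, "window": 5840, "sack_ok": True},
    {"src": "10.0.0.5", "ttl": 52, "df": False, "mss": 0, "window": 2048, "sack_ok": False},
]

if __name__ == "__main__":
    for p in SAMPLES:
        verdict = "NMAP-STYLE PROBE" if looks_like_nmap(p) else ""
        print(p["src"], "hops=%s" % hops(p["ttl"]), sorted(candidate_os(p)), verdict)
```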


Detecting Active OS Fingerprinting Attempts

• Wireshark can detect active OS fingerprinting attempts based on the probes sent by attackers

• An attacker may send ICMP probes and TCP probes to look for a response from the potential target OS

• Attackers make different types of active OS fingerprinting attempts on a target such as:
  • ICMP-Based
  • TCP-Based

In active OS fingerprinting, an attacker sends packets to the target and waits for the reply. They
will then analyze the reply received from the target to determine the OS. An attacker performs
active OS fingerprinting in two ways: they can use either ICMP probes or TCP probes to detect
the target OS. The attacker then analyzes the reply from the target and makes an educated
guess based on the reply obtained from the target.

Administrators can detect active OS fingerprinting attempts much more easily than passive
OS fingerprinting attempts. Administrators use specific Wireshark filters to filter out the OS
fingerprinting traffic.


Detecting ICMP Based OS Fingerprinting

• Attackers send unique ICMP probes to the target and look for the response

• Use the following filters to locate unusual ICMP requests:
  • (icmp.type==8) && !(icmp.code==0)
  • (icmp.type==13) || (icmp.type==15) || (icmp.type==17)

• Discover the unique ICMP probes, unusual ICMP code, ICMP timestamp requests (13), ICMP information requests (15) and ICMP address mask requests (17) from the traffic to make an educated guess to detect OS fingerprinting

An attacker can use various tools to perform ICMP based fingerprinting. These tools send a
specific ICMP probe to the target. The way a tool manipulates its ICMP probe determines how it
detects the target OS:

• Some tools use unique ICMP probes.

• Some tools use ICMP echo requests with an unusual ICMP code.
• Some tools use ICMP Timestamp requests (13), ICMP Information requests (15), ICMP
Address Mask requests (17), etc.

The administrator can use various traffic filters on ICMP and check for these types of ICMP
requests being received from the outside.


Detecting TCP Based OS Fingerprinting

• Attackers send TCP probes using specific field values in the header to look for the response and reveal details about the OS

• The fields to look for when trying to find OS fingerprinting attempts are Initial Sequence Numbers, timestamp, IP ID sequence and TCP options

• Use the following filters to find OS fingerprinting attempts:
  • (tcp.flags==0x02) && (tcp.window_size<1025)
  • tcp.flags==0x2b
  • tcp.flags==0x00
  • tcp.options.wscale_val==10
  • tcp.options.mss_val<1460

In TCP based OS fingerprinting, an attacker sends TCP probe packets to the target and then
waits for the response. Based on the response received from the target, the attacker then
makes an educated guess to determine the OS. An attacker may use a variety of tools to perform
TCP-based fingerprinting, such as Nmap and Queso. The attacker sends different types of TCP
probes and, based on the response received, can detect the OS running on the target.
• FIN Probe: Sending a FIN without an ACK or SYN flag to an open port. Many broken OS
implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and IRIX reply to
a FIN probe with a RESET.
• BOGUS Flag Probe: Sending a SYN packet with an undefined TCP "flag" in the TCP header.
Linux OS versions prior to 2.0.35 respond to this packet with the flag set.
• TCP Initial Window: Checking the size of the window field in the response.
• TCP ISN Sampling: Sending the connection request and then finding specific patterns in
the initial sequence numbers in the response.
• IPID Sampling: Checking the IPID value for each packet in the response. Most operating
systems increment a system-wide IPID value.
• TCP Timestamp: Checking the TCP timestamp option values in the response. It may be at
frequencies of 2Hz, 100Hz, or 1000Hz, and still others return 0.
• Don't Fragment bit: Some OSes set the "Don't Fragment" bit in the response.
• ACK Value: Checking the ACK field in the response.


Examine the Nmap Process for OS Fingerprinting

• Attackers generally use Nmap for target OS fingerprinting

• Administrators must be aware of Nmap's OS fingerprinting process in order to detect OS fingerprinting attempts

Examine the Nmap process for OS fingerprinting using Wireshark:

■ ICMP Echo Request (Type 8) with no payload
■ ICMP Echo Request (Type 8) with 120 or 150 byte payload of 0x00s
■ ICMP Timestamp Request with Origin Timestamp value set to 0
■ TCP SYN with 40 byte options area
■ TCP SYN with Window Scale Shift Count set to 10
■ TCP SYN with Maximum Segment Size set to 256
■ TCP SYN with Timestamp Value set to 0xFFFFFFFF
■ TCP packet with options and SYN, FIN, PSH and URG bits set
■ TCP packet with options and no flags set
■ TCP Acknowledgement Number field non-zero without the ACK bit set
■ TCP packets with unusual TCP window size field values

In most cases, attackers use Nmap to perform target OS fingerprinting. It is necessary
to understand how Nmap is used to perform OS fingerprinting. Knowing the Nmap process for
OS fingerprinting will help to detect OS detection attempts made using Nmap.

The Nmap Process for OS Fingerprinting

Nmap sends a series of TCP and UDP packets to remote hosts and examines every bit in the
responses. Nmap compares the results for all the fields tested with its database, nmap-os-db.
If the database contains a match for the tested fields, it gives the OS information. The database
consists of a complete description of the OS, including the vendor name, OS generation, OS
type and device type. OS fingerprinting is one of the main features of Nmap. The Nmap process
depends on the responses from the devices, and the responses received will vary. A Windows
OS and a Linux OS respond differently to the same TCP ACK frame. From these minor
differences in the responses, Nmap builds detailed fingerprints for different operating systems.

Nmap investigates the TCP/IP stack of the systems by sending them eight different packets.
Once the target machines receive the packets they either:

• Respond differently, each according to its own TCP/IP stack.

• Respond consistently with their TCP/IP stack.

This test allows Nmap to determine accurate information about the operating system running
on the machine and its version. The tests sent by the machine running Nmap are:


• Tseq: The machine sends a series of SYN packets to the targets to analyze their TCP
sequence numbers.

• T1: A SYN packet with the options (WNMTE) is sent to an open TCP port.
• T2: A NULL packet with the options (WNMTE) is sent to an open TCP port.
• T3: A SYN, FIN, PSH, URG packet with the options (WNMTE) is sent to an open TCP port.
• T4: An ACK packet with the options (WNMTE) is sent to an open TCP port.
• T5: A SYN packet with the options (WNMTE) is sent to a closed TCP port.
• T6: An ACK packet with the options (WNMTE) is sent to a closed TCP port.
• T7: A FIN, PSH, URG packet with the options (WNMTE) is sent to a closed TCP port.
• PU: A packet to a closed UDP port.

An attacker will use several methods to determine the target OS; a few of them are:

• Did the target host respond?
• Did the target host have the "Don't Fragment" bit set?
• Window size of the target host.
• Status of the ACK number for the TCP packet sent to Nmap.
• Flags set in the TCP packet.

These methods can be applied to any operating system or version of the operating system.
All of the matched OS fingerprints are saved in a text file in Nmap called nmap-os-fingerprints.


Detecting a PING Sweep Attempt

• Attackers use a ping sweep to determine the live hosts within a specified IP range

• It is accomplished using ICMP, TCP or UDP

• Attackers send a series of ICMP, TCP or UDP echo requests to the specified IP range

• Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP ping sweep attempt

• Use the filter tcp.dstport==7 to detect a TCP ping sweep attempt

• Use the filter udp.dstport==7 to detect a UDP ping sweep attempt

[Slide screenshot: Wireshark capture with the filter icmp.type==8 or icmp.type==0 applied, showing a run of 106-byte ICMP Echo (ping) requests (id=0x0001) from 192.168.0.54 to 192.168.0.53, .55, .56 and .57 and the Echo (ping) replies from the hosts that are up; the packet details pane shows Type: 8 (Echo (ping) request), Code: 0]

A ping sweep scan helps attackers discover the active systems in the network. It involves
sending multiple ICMP, TCP or UDP ECHO requests to target ports and then analyzing the ECHO
replies obtained from the ports.
In an ICMP ping sweep, the attacker sends an ICMP type 8 ECHO request and analyzes the ICMP
type 0 ECHO reply. To detect an ICMP ping sweep, find the ICMP type 8 ECHO requests and
ICMP type 0 ECHO replies in the network traffic. It is recommended that a filter is used to
accomplish this task. Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP
ping sweep attempt.

In a TCP/UDP ping sweep, an attacker sends an ECHO request packet to TCP/UDP port 7. To
detect a TCP/UDP ping sweep attempt, find the TCP ECHO request packets going to port 7
and the UDP ECHO request packets going to port 7 in the network traffic. Use the filter
tcp.dstport==7 to detect the TCP ping sweep and the filter udp.dstport==7 to detect
the UDP ping sweep attempts. If the target port doesn't support an ECHO reply, then this
technique will not work.


Detecting an ARP Sweep/ARP Scan Attempt

• An attacker's ICMP ping sweep will not work if a firewall is implemented in the network

• Attackers will then try an ARP sweep technique to scan hidden hosts behind the network firewall

• In the ARP sweep technique, an attacker sends an ARP broadcast request to every IP in the network. If they get an ARP response, then they know the host is live

• Use the arp filter to detect ARP sweep and ARP scan attempts on the network

[Slide screenshot: Wireshark capture with the arp filter applied, showing a series of 42-byte ARP broadcasts from CadmusCo_09:ef:ce of the form "Who has 192.168.0.194? Tell 192.168.0.54" for consecutive addresses 192.168.0.194 through 192.168.0.209, with the packet bytes pane of one request]

Similar to a ping sweep scan, an attacker also uses an ARP Sweep/ARP Scan to locate active IPs
in the network. Attackers use this method especially when a firewall is implemented
between them and the target network. If a firewall is implemented in the network, the ping
sweep method will not work. In an ARP sweep, an attacker broadcasts ARP packets to all the
hosts in the selected subnet and waits for a response. If they get an ARP response from a
specific host, this indicates the host is live.
ARP communication cannot be disabled to restrict an ARP sweep attempt on the network, as all
TCP/IP communication is based on it. If ARP communication is disabled, it will also break the
TCP communication. However, administrators can easily monitor and detect this type of
attempt using an ARP filter in Wireshark. If they detect an unexpected number of broadcast
ARP requests, they know it indicates an ARP sweep attempt on the network.


Detecting TCP Half Open/Stealth Scan Attempts

• Attackers use the TCP Half Open/Stealth port scan technique to find open TCP ports on the target system

• An attacker sends a SYN packet and receives a SYN+ACK response if the port is open and a RST or RST+ACK response if the port is closed

• A Stealth scan or TCP full connect scan attempt is recognized if there are a large amount of RST or ICMP type 3 packets

• Go to Statistics -> Conversations and click on the TCP tab to view and analyze multiple TCP sessions

• If the communication is less than 4 packets then it is a sign of a TCP port scan on the network

[Slide screenshots: Wireshark captures of a scan from 192.168.0.177 against 192.168.0.93, showing the SYN probes from 192.168.0.177, the SYN+ACK replies from 192.168.0.93, and the 54-byte RST packets (e.g. 34489 -> 4955 [RST] Seq=1, calculated window size 0) with which the scanner closes each probe]

The attacker uses a TCP Half Open/Stealth scan to detect open or closed TCP ports on the
target system. It involves sending a SYN packet to the target port, exactly like normal TCP
communication, and waiting for the response. If they receive a SYN+ACK packet in the response,
it indicates the target port is open. If they receive a RST or RST+ACK packet in the
response, it indicates the port is closed. If the target port is behind a firewall, they
will receive an ICMP type 3 packet with code 1, 2, 3, 9, 10 or 13 in the response.
The TCP half-open connection can act as an open gate for attackers to get into the network. It is
necessary for administrators to detect TCP Half Open connections. If there are too many RST
packets or ICMP type 3 response packets in Wireshark, it can be a sign of a TCP Half
Open/Stealth scan attempt on the network.


Detecting a TCP Full Connect Scan Attempt

• In a TCP full connect scan, the attacker performs a complete three-way handshake to find open ports on the target system

• A TCP full connect scan is recognized using the same methods used to detect a stealth scan or a TCP full connect scan attempt

• Check for SYN+ACK, RST & RST+ACK packets or ICMP type 3 packets

• Use the following filters to quickly detect both TCP half open and TCP full connect scanning attempts on the network

To check SYN+ACK, RST & RST+ACK packets in communication:
  tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014

To check ICMP type 3 packets with code 1, 2, 3, 9, 10 or 13:
  icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13)

To check SYN+ACK, RST & RST+ACK packets along with ICMP type 3 packets:
  tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014 or (icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13))

Detecting a TCP Full Connect


Scan Attempt (Cont'd)
,... . . ..,_ <i• (-,bl" ANtyU S...t.t,u 'ltlepllo,,. . . . '°"" Hep

r:u ~1111 <1 • :.. " 1 -: - a a a n

-
,. • ti)

L!l=·-..t!"••1..-c110~,.-•-1'=1'
9l. =
M•''"-
-- - - - - ~
- lWle S.Sot
1,,.,••.•.•, "'"'·
..
" ,,,,., ..
.... 67)1'6f
17 4 613HI
lt:t.lM ••. an

ltl-1 ... f.177


Hl
Hl
141 t
HI•
177
177
H , 161.9 9)
91 161 e .,
ltJ 161 • H
TCO

"'
T(O
SYN
1'2 , .. t 177
•"' ,s ,.,.u
7'P4tl
lN 111 • 177
JtJ,16199!
"'
_ , ,_..
- '7974U 1N UI • 1n
.l.U••• 177 File Ecfit View Go Copturc An11ly:c St11ti~cs Te lephony \tfstcltH Tools Help
a, s.n,""
u, 6.9117-" .. ■ ,, e r;i ~ ~ q ..., * ~ w §L ~ @! El. e. ®. i1
u, ff •UNI
9l1Nf
111tcp.f!oq:;.syn n l oYld tq,.11. ~--l Md p .5rc--192. 168.0.93
U51 UJ'JW 92Ultl77 No, Ttne SOurce Detti'la tiOt'I Protocol
1)7 7 eH7e7
uo,_
W 7 Ul.lN
HJUltl71
Ul 1111.t 111
ltJHltl
146
1S5
7.-
7 __
192.168. 9 . 93
192.168. 9 . 93
192 . 168 .9 .177
192 .168 .9 .177
TCP
TCP
66
66
445 • 541 [SYN. ACK]
139 .. 541 [SYN. ACK]
SVN+ACK
228 7 __ 192.168.9.93 192.168.9 .177 66 135 .. [SYN, ACK)
1M 7 UMH tN uae an TCP
Wl711WM IN 111 t 177 227 7 __ 192. 168.8. 93 192 . 168 .9 . 177 TCP 66 445 .. 539 (SYN, ACK)
SS1711NN J91 J.11 t 177 261 8 . - 192.168.8.93 192 . 168.9. 177 TCP 66 23 .. S464 [SYN. ACK)

~ .
1'1171- INHlt177
4'St 9-- 192-168.8, 93 192-168.8.177
11•17 , ..... IN lat t 11'7
l'M7..,.... lN U l t 1'1 619 19- 192-168, 9 , 93 192 -168.9.177 f ill Edil Y- Go C.,curc AI\W)-:1 S.M,JWI Wrplony W.itkM Tool, Http

... ,... 192 .168 .9 .177 ,i ~ <\ •,. <ii T .._ ;:: ~ a~e. !!
"''~
W 1 24"41
IN lttt 177
IN,. . . 177
763 12..
98813..
192.168. 8 .93
192.168.8.93 192.168.8.177
-in..:
®
~ .-•.,.-,eick••tn
l.,Jt,e2'f,I ltJ 161 t 117
1822 14-
192. 168.8. 93
192. 168.8. 93
192 .168 .8 . 177
192 . 168 .8 . 177
... n, '·-
l'lec ~ cc
OS<••?!ll.1M,o.1n

192.168. 8.ln
,,,,_
192.168.8.9}
1157 lS- 192.168.8, 93 192-168.8.177
1185 15- 192-168, 9 , 93 192-168 .9.177 2.U 1,- 19"2,168,t.ln U2.1'8,t.9J
nee 17_ 192.168. 8 . 93 192 .168 . 9 .177
1427 18- 192.168. 8 . 93 192.168.9.177 191:,1"9, •• ln 192,lM,.,9)
272 · · -
1S62 19_ 192. 168.8.93 192 .168 .9 . 177
•55 '·- 1.92.168. &.1» 1.92.168.&.9}
1698 28.. 192. 168.8. 93 192 . 168 .8 . 177
1848 22.. 192. 168.8, 93 192.168.8. 177 615 1e... 192.168. t.ln i,1.168.e.tJ
u,,o~~

~
Frame 111 : 66 byt e~ on wi r e (528 b i ts) , 66 byt e~ ca
Ethern et II, Sr c : Ki c r osof_00: 39: 00 (00: 15 : Sd :00: 39
761 17... 1.,.,,.. . • • 1n

m.16a,e.1n
117.lf.l .••H

1.92,168,&.9)
RST+ACK
916 U-
~ Interne t P·rot oc;o l Version 4 • Sr c : 192. 168.8 .93, Os t
~ ..-a5111i u ion Con t r o P toc:ol Src. Port: 445 445 9U IA- 192.168.1.ln 192.168.8.9}

till 1"- 192.168.1.ln ltl.168.8.f}

....... " .....


> l'r o• tU: S4 tiy,:u en wlr~ ( 02 blts-) , S4 tiy,:u coptur~ (•U blu) on lntuf.c~ e
> EUIHMt rt , Sc'c: l'dC('()SOf _et: l9:U ( M:lS: W:M: 39: 83), On : l'llcrosof_ee: J 9 : et ( M : 1S : Sd: M : l
> I nt~ t Pl"otocol Vtt-slon • • St"C: 191.16a. e .1n, on: 19"2.168. t.9)
> lr•":,IO.i n ion Cont rol Protocol, S.-c ~ t : s.6 ( Sile6) , (h t Por t: .US ( U S) , S.q= 1 , Adi;: t. '--

Copyright© by EC-Council. All Rights Reserved . Reproduction is Strict ly Prohibited.



Module 11 Page 951 Certified Network Defender Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Traffic Monitoring and Analysis

A TCP full connect scan (TCP connect scan) is the default scan type and completes the full
three-way handshake with each target port. To probe a port, the attacker sends a SYN packet.
If the port is open, the target answers with SYN/ACK; the attacker completes the handshake
with an ACK and then sends a RST to tear the connection down. If the port is closed, the
target answers with RST/ACK. If the port is filtered by a firewall, the attacker receives either
no reply or an ICMP type 3 (destination unreachable) packet with code 1, 2, 3, 9, 10 or 13.

Because a complete TCP connection is established for every open port, an administrator can
detect a TCP full connect scan with Wireshark without difficulty. The following filters isolate
the traffic involved.

Filter for SYN, SYN/ACK, RST and RST/ACK packets (the values are the hexadecimal bit masks
of the tcp.flags field):


tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or
tcp.flags==0x014

Filter for ICMP type 3 packets with the codes that indicate a filtered port:


icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3
or icmp.code==9 or icmp.code==10 or icmp.code==13)

The signature of the scan is one host that sends SYN packets to many different ports of a
target in a short time, completes the handshake on the ports that answer SYN/ACK and
immediately resets them; ordinary clients open few connections and keep them.


Detecting a TCP Null Scan Attempt

• In a Null port scan an attacker sends a TCP packet without setting a flag on it
• If they receive a RST packet in response, then the port is closed. If there is no response, then the port is open or filtered
• Use the following filter to view the packets moving without a flag set: tcp.flags==0x000

[Figure: Wireshark capture filtered with tcp.flags==0x000. Every frame is a 54-byte TCP packet from 192.168.0.54 (source port 37853 or 37854) to 192.168.0.57; the Info column reads "<port> [<None>]" for ports such as 80, 23, 111, 53 and 22, i.e. no flags are set.]


A TCP Null scan helps attackers identify listening ports. It consists of a series of TCP packets
with a sequence number of 0 and no flag bits set. Because the probes carry no flags, they can
pass through routers and firewalls that filter incoming packets on particular flags (for
example, stateless rules that block only SYN).

In a TCP Null scan, the attacker sends the flagless TCP packet to the target port. If the port is
closed, the target replies with RST. If the port is open, the target does not respond at all,
because a segment without SYN, RST or ACK that arrives at a listening port is silently dropped
(RFC 793); a filtered port is equally silent, so "no response" means open or filtered. A TCP
Null scan clears all six TCP flag bits (URG, ACK, PSH, RST, SYN and FIN). By applying the filter
tcp.flags==0x000 in Wireshark, administrators can detect a TCP Null scan against UNIX-like
servers. The scan does not work against Windows targets, which reply with RST regardless of
the port's state.


Detecting a TCP Xmas Scan Attempt

• In a TCP Xmas scan an attacker sends packets with the FIN, PSH & URG TCP flags set and waits for the response
• If they receive a RST packet in the response, then the port is closed. If there is no response, then the port is either open or filtered
• Use the following filter to view the packets with FIN, PSH & URG TCP flags set: tcp.flags==0x029

[Figure: Wireshark capture filtered with tcp.flags==0x029. 54-byte TCP frames from 192.168.0.54 (source port 51514) to 192.168.0.55 sweep ports such as 135, 21, 587, 25, 443, 110, 111, 23, 445, 22, 88, 139, 995, 554, 143, 993 and 53, each with Info "[FIN, PSH, URG]"; the packet details pane shows Sequence number 1, Acknowledgment number 0, Header Length 20 bytes and Flags: 0x029 (FIN, PSH, URG).]


In a TCP Xmas scan, attackers sweep the network looking for machines that are up and for the
services running on them.

The Xmas scan sends packets with the FIN, PSH and URG flags set (the flags "light up" like a
Christmas tree, hence the name). If the port is closed, the target replies with RST. If the port
is open, the target does not respond, because a segment without SYN, RST or ACK that reaches a
listening port is silently dropped; a filtered port is equally silent.

A TCP Xmas scan can pass through firewalls and ACL filters that only block connection
attempts: such stateless rules identify a new connection by its SYN flag, so FIN, PSH and URG
probes slip past them.

Like FIN scans, Xmas scans do not work against many operating systems. Microsoft Windows, for
instance, replies with RST to such a probe regardless of whether the port is open or closed,
which makes it impossible for the attacker to distinguish open ports from closed ones.

Apply the filter tcp.flags==0x029 in Wireshark to detect a TCP Xmas scan attempt.


Detecting a SYN/FIN DDoS Attempt

• Attackers send packets with both the SYN and FIN flags set in an attempt to DDoS the network
• Use the filter tcp.flags==0x003 to detect a SYN/FIN attack

[Figure: Wireshark capture filtered with tcp.flags==0x003. 58-byte TCP frames from 192.168.0.54 (source ports 43404 and 43405) to 192.168.0.57 hit ports 1720, 111, 587, 199, 993, 256, 554, 139, 1025 and 1723, each with Info "[FIN, SYN] Seq=0"; the packet details pane shows Sequence number 0, Acknowledgment number 0, Header Length 24 bytes and Flags: 0x003 (FIN, SYN).]


In a SYN attack, the attacker sends a succession of SYN requests to the target system in order
to make it unavailable to legitimate users. It exploits a known weakness of the TCP connection
setup.
A normal TCP connection (the three-way handshake) works as follows:

1. The client sends a SYN packet to request a connection.


2. The server responds with SYN/ACK.

3. The client responds with an ACK to establish the connection.


A SYN flood never sends the final ACK. The server keeps each half-open connection in its
backlog while it waits for the acknowledgement, which exhausts the backlog and causes
congestion for legitimate clients.

The SYN flag opens a connection and the FIN flag closes one. In a SYN/FIN DDoS attempt, the
attacker floods the network with packets that have both the SYN and FIN flags set. In
legitimate TCP traffic, SYN and FIN are never set in the same segment, so any traffic in which
both flags are set together is a sign of a SYN/FIN DDoS attempt. Sent continuously, such
packets can exhaust the firewall in front of the server. To detect this kind of suspicious
traffic, apply the filter tcp.flags==0x003, which matches only segments that carry both
flags in the same packet.


Detecting a UDP Scan Attempt

• In a UDP scan an attacker sends UDP packets to a target port and waits for the response
• The attacker will receive an ICMP Type 3 Code 3 response if the port is closed; if no response is received, then the port is either open or filtered
• If the target responds with a large number of ICMP Type 3 Code 3 packets (port unreachable), it is a sign of a UDP port scan on the network
• Use the following filter to view packets with ICMP Type 3 Code 3 and detect a UDP scan attempt: icmp.type==3 and icmp.code==3

[Figure: Wireshark packet details of one such reply: Internet Protocol Version 4, Src 192.168.0.51, Dst 192.168.0.54; Internet Control Message Protocol, Type 3 (Destination unreachable), Code 3 (Port unreachable), Checksum 0x7ed2 [correct].]


A UDP service receives datagrams without establishing a connection. When an attacker sends a
UDP packet to a target port, one of the following happens:

• If the UDP port is open, the target accepts the packet and usually sends no response.
• If the UDP port is closed, the target sends an ICMP destination unreachable, port
  unreachable (type 3, code 3) packet in response.
UDP scanning is harder to interpret than TCP scanning because there are no acknowledgements
to rely on; a UDP scan collects the ICMP errors returned by closed ports and treats silent ports
as open or filtered. Administrators should take proper measures to secure open UDP ports to
avoid intrusion into the network. While monitoring, if a machine is replying with a bulk of
ICMP type 3 code 3 responses, that is a sign of a UDP scan attempt on the network. To identify
the UDP scan attempt, run the filter icmp.type==3 and icmp.code==3 in Wireshark.
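The Wireshark filters in the preceding pages each isolate one scan type by its tcp.flags value or ICMP type/code. The following script, an added example that is not part of the CND courseware, applies the same tests programmatically to a list of packet records and reports which source hosts are sweeping ports: it recognises Null (0x000), Xmas (0x029) and SYN/FIN (0x003) probes by exact flag match, distinguishes a TCP full connect scan from a half-open SYN sweep by whether the scanner sends the third-leg ACK, and recognises a UDP scan by the volume of ICMP type 3 code 3 replies. The Pkt records and the sample capture are constructed, not a real trace, and port_threshold is an assumed value.

```python
"""Port-scan detection over a packet list, using the tcp.flags values and the
ICMP type/code that the Wireshark filters in this module match on.

Added example, not code from the CND courseware. Pkt records are a
constructed stand-in for a capture; port_threshold is an assumed value.
"""
from collections import defaultdict
from typing import NamedTuple

# TCP flag bits as encoded in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK, URG = 0x001, 0x002, 0x004, 0x008, 0x010, 0x020
NULL_SCAN = 0x000             # tcp.flags==0x000
XMAS_SCAN = FIN | PSH | URG   # tcp.flags==0x029
SYN_FIN = SYN | FIN           # tcp.flags==0x003
SYN_ACK = SYN | ACK           # tcp.flags==0x012
RST_ACK = RST | ACK           # tcp.flags==0x014


class Pkt(NamedTuple):
    proto: str          # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0      # TCP flags; 0 for UDP and ICMP
    icmp_type: int = -1
    icmp_code: int = -1


def detect_scans(packets, port_threshold=5):
    """Return {scan_type: {scanner_ip: [distinct target ports]}} for every
    source that probed at least port_threshold distinct ports."""
    probes = defaultdict(lambda: defaultdict(set))  # type -> scanner -> ports
    synack = defaultdict(set)     # scanner -> ports that replied SYN/ACK
    completed = defaultdict(set)  # scanner -> ports on which it sent the final ACK
    unreach = defaultdict(int)    # scanner -> ICMP type 3 code 3 replies received

    for p in packets:
        if p.proto == "TCP":
            if p.flags == NULL_SCAN:
                probes["null"][p.src].add(p.dport)
            elif p.flags == XMAS_SCAN:
                probes["xmas"][p.src].add(p.dport)
            elif p.flags == SYN_FIN:
                probes["syn_fin"][p.src].add(p.dport)
            elif p.flags == SYN:
                probes["syn"][p.src].add(p.dport)
            elif p.flags == SYN_ACK:
                # reply flows target -> scanner; the probed port is the reply's source port
                synack[p.dst].add(p.sport)
            elif p.flags == ACK and p.dport in synack[p.src]:
                # third leg of the handshake: only a full connect scan sends it
                completed[p.src].add(p.dport)
        elif p.proto == "UDP":
            probes["udp"][p.src].add(p.dport)
        elif p.proto == "ICMP" and (p.icmp_type, p.icmp_code) == (3, 3):
            unreach[p.dst] += 1   # port unreachable sent back to the scanner

    alerts = defaultdict(dict)
    for kind, by_src in probes.items():
        for src, ports in by_src.items():
            if len(ports) < port_threshold:
                continue
            if kind == "udp" and unreach[src] < port_threshold:
                continue  # open/filtered UDP ports stay silent; closed ones answer ICMP 3/3
            # a SYN sweep that finishes handshakes is a full connect scan, not a half-open one
            label = "connect" if kind == "syn" and completed[src] else kind
            alerts[label][src] = sorted(ports)
    return dict(alerts)


def sample_capture():
    """Constructed packets (not a real capture) aimed at one target, 10.0.0.9."""
    T = "10.0.0.9"
    pk = []
    # TCP full connect scan from 10.0.0.5: ports 22 and 80 open, the rest closed
    for port in (21, 22, 23, 80, 443):
        pk.append(Pkt("TCP", "10.0.0.5", T, 40000, port, SYN))
        if port in (22, 80):
            pk.append(Pkt("TCP", T, "10.0.0.5", port, 40000, SYN_ACK))
            pk.append(Pkt("TCP", "10.0.0.5", T, 40000, port, ACK))
            pk.append(Pkt("TCP", "10.0.0.5", T, 40000, port, RST_ACK))  # scanner tears down
        else:
            pk.append(Pkt("TCP", T, "10.0.0.5", port, 40000, RST_ACK))  # closed port
    # Null, Xmas and SYN/FIN sweeps from three other hosts
    for src, flags in (("10.0.0.6", NULL_SCAN), ("10.0.0.7", XMAS_SCAN), ("10.0.0.8", SYN_FIN)):
        for port in (21, 22, 23, 25, 53):
            pk.append(Pkt("TCP", src, T, 37853, port, flags))
    # UDP sweep from 10.0.0.10: 53 is open and silent, the others answer ICMP 3/3
    for port in (53, 67, 69, 123, 161, 162):
        pk.append(Pkt("UDP", "10.0.0.10", T, 50000, port))
        if port != 53:
            pk.append(Pkt("ICMP", T, "10.0.0.10", icmp_type=3, icmp_code=3))
    # an ordinary client opening one connection must not raise an alert
    pk += [Pkt("TCP", "10.0.0.20", T, 51000, 443, SYN),
           Pkt("TCP", T, "10.0.0.20", 443, 51000, SYN_ACK),
           Pkt("TCP", "10.0.0.20", T, 51000, 443, ACK)]
    return pk


if __name__ == "__main__":
    for kind, hits in sorted(detect_scans(sample_capture()).items()):
        for src, ports in hits.items():
            print(f"{kind:8s} scan from {src}: ports {ports}")
```

The per-source port count is what separates a scan from normal traffic: the single client at 10.0.0.20 completes a handshake exactly like the connect scanner does, but touches one port and is never reported. To run it over a real capture, replace sample_capture() with records built from tshark fields (ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags, icmp.type, icmp.code).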


Detecting Password Cracking Attempts

• Attackers can make several password cracking attempts on network services such as FTP, SSH, POP3, HTTP, Telnet, RDP, etc.
• They use attack techniques such as brute-force and dictionary attacks to crack passwords
• They use a variety of tools to perform these password cracking attacks


Password cracking is the process of gaining or recovering passwords, either by trial and error
or by running a password guessing attempt against a file of the most commonly used passwords.
The two techniques are called a brute-force attack and a dictionary attack respectively.

Brute-Force Attack
A brute-force attack tries every possible combination of characters. Though it can be a
lengthy process, attackers use various tools to automate it against services on the network.

Dictionary Attack
A dictionary attack uses a limited set of words (a word list). With SSH services running on the
network, it is easy for attackers to perform a dictionary attack, and the attempts leave
evidence in the log files and in the network traffic. The attack succeeds easily against an
account that has a weak password. It can be performed against a single target machine or
against the whole network.

An administrator can detect this type of attack by monitoring the number of login attempts
made from the same IP address or against the same username.


Detecting FTP Password Cracking Attempts
• Use ftp.request.command to filter FTP requests
• Use ftp.response.code==230 to verify the success of the password cracking attempt

[Figure: three Wireshark windows. With the filter ftp.request.command, every FTP request comes from 192.168.0.151 to 192.168.0.37. With ftp.response.code==530, each reply from 192.168.0.37 to 192.168.0.151 reads "Response: 530 User cannot log in." A third window shows frame 949, a 75-byte reply from port 21 to port 49298 whose payload reads "230 User logged in.", i.e. one of the attempts succeeded.]


The File Transfer Protocol (FTP) is a standard protocol for transmitting files between systems
over the Internet using the TCP/IP suite. FTP is a client/server protocol that relies on two
channels between client and server: a control channel that carries the commands and replies,
and a data channel that carries the actual file content. A client initiates a session with a
request, and the server responds with the particular file requested.

An FTP session requires the user to log in to the FTP server with a username and password, and
both travel in clear text on the control channel. In an FTP password attack, the attacker tries
to guess a user's password by submitting many USER/PASS pairs.

Use the filter ftp.request.command in Wireshark to detect an FTP password cracking attempt
on the network. The filter shows all the FTP commands sent on the network; the number of
USER and PASS commands from one client reveals how many attempts the attacker has made to gain
access to the FTP server. The server's numeric reply codes show the outcome of each attempt:
• To find successful logins, apply the filter ftp.response.code==230 (User logged in).
• To find failed logins, apply the filter ftp.response.code==530 (User cannot log in).
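The two filters above show requests and reply codes separately; correlating them per client is what turns a list of packets into a finding. The script below, an added example that is not part of the CND courseware, does that correlation over the FTP control channel: it counts PASS commands and 530 replies per client IP, remembers the username from the most recent USER command, and marks an account as compromised when a 230 reply follows earlier failures from the same client. The capture text is constructed in the style of Wireshark's Info column (one line per command or reply), the passwords in it are invented, and failure_threshold is an assumed value.

```python
"""FTP brute-force detection from control-channel commands and reply codes,
the same fields the Wireshark filters ftp.request.command and
ftp.response.code expose.

Added example, not code from the CND courseware. The capture text below is
constructed (Wireshark Info-column style, one line per FTP command or reply);
the failure threshold is an assumed value.
"""
import re
from collections import defaultdict

# Constructed sample: one attacker cycling passwords for "admin", one ordinary user.
CONSTRUCTED_CAPTURE = """\
192.168.0.151 -> 192.168.0.37 Request: USER admin
192.168.0.37 -> 192.168.0.151 Response: 331 Password required for admin.
192.168.0.151 -> 192.168.0.37 Request: PASS 123456
192.168.0.37 -> 192.168.0.151 Response: 530 User cannot log in.
192.168.0.151 -> 192.168.0.37 Request: USER admin
192.168.0.37 -> 192.168.0.151 Response: 331 Password required for admin.
192.168.0.151 -> 192.168.0.37 Request: PASS password
192.168.0.37 -> 192.168.0.151 Response: 530 User cannot log in.
192.168.0.40 -> 192.168.0.37 Request: USER bob
192.168.0.37 -> 192.168.0.40 Response: 331 Password required for bob.
192.168.0.40 -> 192.168.0.37 Request: PASS correct-horse
192.168.0.37 -> 192.168.0.40 Response: 230 User logged in.
192.168.0.151 -> 192.168.0.37 Request: USER admin
192.168.0.37 -> 192.168.0.151 Response: 331 Password required for admin.
192.168.0.151 -> 192.168.0.37 Request: PASS letmein
192.168.0.37 -> 192.168.0.151 Response: 530 User cannot log in.
192.168.0.151 -> 192.168.0.37 Request: USER admin
192.168.0.37 -> 192.168.0.151 Response: 331 Password required for admin.
192.168.0.151 -> 192.168.0.37 Request: PASS Summer2016
192.168.0.37 -> 192.168.0.151 Response: 230 User logged in.
"""

LINE = re.compile(r"^(\S+) -> (\S+) (Request|Response): (\S+)(?: (.*))?$")


def analyze_ftp(lines, failure_threshold=3):
    """Per client IP: PASS attempts, 530 failures, usernames tried, the account
    of any 230 login, and whether that login came after failures (a crack)."""
    stats = defaultdict(lambda: {"pass_attempts": 0, "failures": 0,
                                 "usernames": set(), "logged_in_as": None,
                                 "cracked": False, "brute_force": False})
    current_user = {}  # client -> username given by the most recent USER command

    for line in lines:
        m = LINE.match(line)
        if not m:
            continue   # tolerate non-FTP lines in a mixed capture
        src, dst, kind, word, rest = m.groups()
        if kind == "Request":
            client, cmd, arg = src, word.upper(), (rest or "")
            if cmd == "USER":
                current_user[client] = arg
                stats[client]["usernames"].add(arg)
            elif cmd == "PASS":
                stats[client]["pass_attempts"] += 1   # never record the password itself
        else:
            client, code = dst, word   # replies flow server -> client
            s = stats[client]
            if code == "530":
                s["failures"] += 1
            elif code == "230":
                s["logged_in_as"] = current_user.get(client)
                if s["failures"] > 0:
                    s["cracked"] = True   # success after failures: a guess landed

    for s in stats.values():
        s["brute_force"] = s["failures"] >= failure_threshold
        s["usernames"] = sorted(s["usernames"])
    return dict(stats)


if __name__ == "__main__":
    for client, s in analyze_ftp(CONSTRUCTED_CAPTURE.splitlines()).items():
        flag = "BRUTE FORCE" if s["brute_force"] else "ok"
        print(f"{client}: {s['pass_attempts']} PASS, {s['failures']} x 530, "
              f"logged in as {s['logged_in_as']!r}, {flag}"
              + (" - account compromised" if s["cracked"] else ""))
```

The same lines can be produced from a real capture with tshark by printing ip.src, ip.dst, ftp.request.command, ftp.request.arg and ftp.response.code; the password argument is deliberately not stored, so the report can be shared without leaking the guesses that worked.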


Detecting Sniffing (MiTM) Attempts

• Attackers sniff the network traffic looking for sensitive information
• They use different approaches to sniff the traffic depending on the type of network
• Passive sniffing is used to sniff a hub-based network, while active sniffing is used to sniff a switch-based network
• An attacker uses MAC flooding and ARP poisoning to sniff the network traffic
• Identify sniffing attempts by detecting the signs of a MAC flood and/or an ARP poisoning using Wireshark


Sniffing, or man-in-the-middle, attacks are a form of eavesdropping in which an attacker
captures packets by placing themselves between a client and a server. Sniffing is attempted in
either an active or a passive form.

Active Sniffing
Sniffing performed on a switched network is called active sniffing. Because a switch forwards
each frame only to the port that owns the destination MAC address, the attacker has to inject
packets into the network to subvert either the switch's forwarding table, the content
addressable memory (CAM) table that maps MAC addresses to ports, or the hosts' ARP caches.

Passive Sniffing
Sniffing performed on a hub is called passive sniffing. Since a hub repeats every packet to
every port, the attacker only has to start capturing and wait for someone else to send packets
on the same collision domain.

The methods used in active sniffing are:

• MAC flooding

• ARP poisoning


Detecting a MAC Flooding Attempt
• Wireshark detects MAC flooded packets using the Expert Information window
• Wireshark considers these as malformed packets
• To view these malformed packets, go to the Analyze menu and select Expert Information
• The signs of a MAC flooding are detected by analyzing the source IP, destination IP and the TTL values
• Check if the traffic is originating from various IP addresses going to the same destination IP address with the same TTL values
• This is an indication of a MAC flooding attempt on the network

[Figure: the Wireshark Expert Information window for a flooded capture, reporting Errors: 23597, Warnings: 0 and Notes: 0, all of them summarised as Malformed, protocol TCP.]


MAC flooding is an active sniffing method in which the attacker connects to a switch port and
sends a flurry of Ethernet frames with many different, forged source MAC addresses. The switch's
CAM (content addressable memory) table, which maps MAC addresses to ports, has a fixed size;
once the attacker fills it, the switch can no longer learn where hosts are and falls back to
flooding frames out of every port, so the attacker's port receives traffic meant for other
hosts. This attack is also known as a CAM flooding attack.
A MAC flooding attempt is detected in Wireshark by carefully analyzing the packets' source and
destination addresses along with their Time to Live (TTL) values.

After capturing the packets, go to the Analyze menu and click Expert Information.


[Figure: the Analyze menu in Wireshark opened over an Ethernet capture (NBNS name query, ICMPv6 Neighbor Solicitation, DHCPv6 Solicit and SSDP M-SEARCH frames); the Expert Information entry is the last item of the menu.]

FIGURE 11.4: Selecting Expert Information from Analyze tab in Wireshark

Look for malformed packets in the Expert Information tab.

[Figure: the Wireshark Expert Information window grouped by severity: Undecoded SSL entries ("BER: Dissector for OID not implemented"), a Malformed HTTP entry ("HTTP body subdissector failed, trying heuristic"), Sequence TCP notes (suspected retransmissions, Duplicate ACK) and a long list of HTTP requests and responses (M-SEARCH, GET, 301 Moved Permanently, 304 Not Modified, 200 OK).]

FIGURE 11.5: Malformed packets in Expert Information tab in Wireshark

Malformed packets arise for various reasons and are not by themselves proof of a MAC flood. To
detect a MAC flooding attempt accurately, check whether many packets are destined to the same
machine but originate from a large number of different sources.


No. Time Source       Destination  Protocol Length Info
16  0... 192.168.0.3  192.168.0.87 TCP      1514   [TCP segment of a reassembled PDU]
17  0... 192.168.0.3  192.168.0.87 TCP      1514   [TCP segment of a reassembled PDU]
18  0... 192.168.0.3  192.168.0.87 TCP      1514   [TCP segment of a reassembled PDU]
19  0... 192.168.0.3  192.168.0.87 SMB2     1110   Find Response; Find Response, Error: STATUS_NO_MORE_FILES
20  0... 192.168.0.87 192.168.0.3  TCP      54     56467 -> 445 [ACK] Seq=439 Ack=10489 Win=256 Len=0

FIGURE 11.6: MAC flood attempt

In the screenshot above, the destination address is the same for every packet, but so is the
source address, which implies the packets were sent from a single, legitimate source.
Administrators can also verify the TTL value of each packet: if every source has the same TTL
value and all the packets are directed towards the same machine, it is an indication of a MAC
flood attempt on the network.
Preventing MAC Flooding:

• MAC flooding can be prevented with port security, a built-in feature of Cisco switches.
  Port security limits the number of MAC addresses a port may learn, so the switch keeps a
  small, bounded MAC address table per port instead of one the attacker can fill.
• Implementing authentication, authorization and accounting (AAA) with an AAA server
  minimizes the MAC flooding risk.

• Implementing IEEE 802.1X port-based access control allows packet filtering rules to be
  installed on the port by the AAA server.
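The checks described above (many sources converging on one destination, with a suspiciously uniform TTL) can be automated over a capture. The script below is an added example, not code from the CND courseware: it slides a time window over the frames sent to each destination, counts the distinct source MAC addresses in the window, and reports the source-IP count and the set of TTL values for the same frames; a flood of forged senders shows up as dozens of source MACs in a fraction of a second with a single TTL, which is how the sender count and the TTL check from the text combine. The frames are constructed, the MAC addresses are invented, and window and mac_threshold are assumed values.

```python
"""MAC flooding detection: many distinct source MAC addresses converging on
one destination in a short window, with the source-IP and TTL checks the
text above describes.

Added example, not code from the CND courseware. The frames below are
constructed; window and mac_threshold are assumed values.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    t: float        # capture timestamp in seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    ttl: int


def detect_mac_flood(frames, window=1.0, mac_threshold=50):
    """Return {dst_ip: details} for each destination that saw at least
    mac_threshold distinct source MACs within any `window` seconds."""
    by_dst = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.t):
        by_dst[f.dst_ip].append(f)

    alerts = {}
    for dst, flist in by_dst.items():
        start = 0
        macs = Counter()   # src_mac -> frames currently inside the sliding window
        for end, f in enumerate(flist):
            macs[f.src_mac] += 1
            while flist[start].t < f.t - window:   # expire frames older than the window
                old = flist[start].src_mac
                macs[old] -= 1
                if macs[old] == 0:
                    del macs[old]
                start += 1
            if len(macs) >= mac_threshold:
                win = flist[start:end + 1]
                alerts[dst] = {
                    "distinct_src_macs": len(macs),
                    "distinct_src_ips": len({x.src_ip for x in win}),
                    "ttl_values": sorted({x.ttl for x in win}),   # one value = one real sender
                    "first_seen": win[0].t,
                    "last_seen": f.t,
                }
                break
    return alerts


def sample_frames():
    """Constructed traffic: normal chatter, then a CAM-table flood at t=10s."""
    frames = []
    # legitimate hosts with their own TTLs, spread over a few seconds
    peers = [("00:1c:42:00:00:01", "192.168.0.87", "192.168.0.3", 128),
             ("00:1c:42:00:00:02", "192.168.0.54", "192.168.0.3", 64),
             ("00:1c:42:00:00:03", "192.168.0.3", "192.168.0.87", 64)]
    for i in range(30):
        mac, src, dst, ttl = peers[i % 3]
        frames.append(Frame(0.25 * i, mac, src, dst, ttl))
    # flood: 80 frames in 0.4 s, every one from a new forged MAC and IP, all TTL 64
    for i in range(80):
        frames.append(Frame(10.0 + 0.005 * i, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
                            f"172.16.0.{i}", "192.168.0.3", 64))
    return frames


if __name__ == "__main__":
    for dst, d in detect_mac_flood(sample_frames()).items():
        print(f"possible MAC flood towards {dst}: {d['distinct_src_macs']} source MACs, "
              f"{d['distinct_src_ips']} source IPs, TTL {d['ttl_values']} "
              f"between t={d['first_seen']:.3f}s and t={d['last_seen']:.3f}s")
```

Counting source MACs rather than source IPs is deliberate: the CAM table is keyed by MAC, so that is the field the attacker must vary, while the IP layer may be anything. On a real capture, feed the function frame.time_epoch, eth.src, ip.src, ip.dst and ip.ttl from tshark and tune mac_threshold to the number of hosts that legitimately talk to a server within one second.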


Detecting an ARP Poisoning Attempt
• In an ARP poisoning attack, the attacker's MAC address is associated with the IP address of the target host or a number of hosts in the target network
• Check for 'duplicate IP address configured' messages in the Warnings tab in Wireshark
• To locate duplicate IP address traffic use the filter: arp.duplicate-address-detected
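Wireshark's arp.duplicate-address-detected warning fires when two different MAC addresses claim the same IP address in the ARP traffic. The script below, an added example that is not part of the CND courseware, reproduces that test over a list of ARP frames: it learns the sender IP-to-MAC binding from every request and reply (exactly what the victims' ARP caches do), reports each IP claimed by more than one MAC, and names the MAC that claims the most IPs and arrived after the legitimate owner as the likely poisoner. The ARP records and MAC addresses are constructed.

```python
"""ARP poisoning detection from captured ARP frames: the same IP-to-MAC
conflict that Wireshark flags with arp.duplicate-address-detected.

Added example, not code from the CND courseware. The ARP records below are
constructed; the MAC addresses are invented.
"""
from collections import defaultdict
from typing import NamedTuple


class Arp(NamedTuple):
    frame: int
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


def detect_arp_poisoning(records):
    """Learn IP -> MAC bindings from the sender fields, as hosts' ARP caches
    do, and report every IP claimed by more than one MAC plus the MAC that
    most looks like the poisoner."""
    claims = defaultdict(dict)   # ip -> {mac: first frame in which mac claimed ip}
    for r in records:
        # requests and replies both carry a sender binding that caches will learn
        claims[r.sender_ip].setdefault(r.sender_mac, r.frame)

    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    ips_per_mac = defaultdict(set)
    for ip, macs in conflicts.items():
        for mac in macs:
            ips_per_mac[mac].add(ip)

    def suspicion(mac):
        ips = ips_per_mac[mac]
        # a poisoner claims many IPs and is never the first to claim any of them
        late = sum(1 for ip in ips if claims[ip][mac] != min(claims[ip].values()))
        return (len(ips), late)

    suspect = max(ips_per_mac, key=suspicion, default=None)
    return {"conflicts": conflicts, "suspect_mac": suspect,
            "suspect_claims": sorted(ips_per_mac.get(suspect, ()))}


def sample_records():
    """Constructed ARP traffic: gateway .1, victim .54, attacker poisoning both."""
    GW, VICTIM, ATTACKER = "f4:0f:1b:00:00:01", "a4:a8:91:00:00:54", "16:cb:ec:00:00:e7"
    return [
        Arp(1, 1, VICTIM, "192.168.0.54", "192.168.0.1"),     # who has .1? tell .54
        Arp(2, 2, GW, "192.168.0.1", "192.168.0.54"),         # .1 is at GW
        Arp(3, 1, "00:1c:42:00:00:03", "192.168.0.3", "192.168.0.54"),
        Arp(4, 2, VICTIM, "192.168.0.54", "192.168.0.3"),
        Arp(5, 2, ATTACKER, "192.168.0.1", "192.168.0.54"),   # forged: .1 is at ATTACKER
        Arp(6, 2, ATTACKER, "192.168.0.54", "192.168.0.1"),   # forged: .54 is at ATTACKER
        Arp(7, 2, ATTACKER, "192.168.0.1", "192.168.0.54"),   # repeated to keep caches poisoned
    ]


if __name__ == "__main__":
    result = detect_arp_poisoning(sample_records())
    for ip, macs in sorted(result["conflicts"].items()):
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    if result["suspect_mac"]:
        print(f"likely poisoner: {result['suspect_mac']} "
              f"(claims {', '.join(result['suspect_claims'])})")
```

Learning from requests as well as replies matters because a "Who has" request also advertises the sender's binding, which is why Wireshark's warning appears on the broadcast requests in the screenshot, not only on replies. The fields needed from a real capture are arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4 and arp.dst.proto_ipv4.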

[Figure: Wireshark capture filtered with arp.duplicate-address-detected. Several different source MAC addresses broadcast "Who has 192.168.0.1? Tell 192.168.0.54 (duplicate use of 192.168.0.54 detected!)", and the gateway's unicast replies "192.168.0.1 is at f4:0f:1b:1e:02:c1" carry the same warning. The packet details pane for frame 631 (42 bytes, from 16:cb:ec:6b:2b:e7 to Broadcast) shows the expert info "Duplicate IP address detected for 192.168.0.54 (16:cb:ec:6b:2b:e7) - also in use by ... (frame 70)".]
Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

The Address Resolution Protocol (ARP) maps an IP address to the MAC address of the host that owns it. In an ARP poisoning attack, an attacker binds the target system's IP address to the attacker's own MAC address in the ARP caches of other hosts. All packets destined for the target system now go to the attacker's machine. An attacker can monitor the data flow in the network, forge more than one device on the network and have all of their packets directed to the attacker instead. An ARP poisoning attack can be detected in Wireshark by looking for a warning message which reads 'duplicate IP address configured'. An administrator can apply the filter arp.duplicate-address-detected after capturing the packets. The packets carrying these messages are shown in the figure below; they are an indication of an ARP poisoning attempt on the network.

[Wireshark Expert Information: Errors 0, Warnings 6, Notes 0, Chats 0. Warning entries under Sequence / ARP/RARP: "Duplicate IP address configured" for 192.168.20.254, 192.168.20.132, 192.168.20.128, 192.168.20.2 and 192.168.20.1]

FIGURE 11.7: ARP poisoning attempt
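The duplicate-address check that Wireshark performs can be reproduced over any list of ARP packets. The following is an added example, not code from the EC-Council courseware: it records which MAC last claimed each IP address and flags a claim from a different MAC inside a time window, and it also lists MACs that answer for several IP addresses (the "forge more than one device" case). The ArpPacket records and MAC/IP values are constructed for the example.

```python
"""Flag IP addresses claimed by more than one MAC address in ARP traffic.

Added example, not code from the EC-Council courseware: it applies the idea
behind Wireshark's arp.duplicate-address-detected expert warning to a list of
ARP packet records. The capture below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """Fields of one ARP frame that the check needs (constructed, not captured)."""
    frame: int
    time: float        # seconds since the start of the capture
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str


@dataclass(frozen=True)
class DuplicateAddress:
    """One IP address seen from two different sender MACs within the window."""
    ip: str
    first_mac: str
    first_frame: int
    new_mac: str
    new_frame: int


def detect_duplicate_addresses(packets: List[ArpPacket],
                               window: float = 60.0) -> List[DuplicateAddress]:
    """Return a finding for every ARP frame whose sender IP was last seen from a
    different MAC no more than `window` seconds earlier.

    Requests and replies are both examined: either kind updates the ARP cache
    of the hosts that see it, so either can carry a poisoned binding.
    """
    last_seen: Dict[str, Tuple[str, int, float]] = {}   # ip -> (mac, frame, time)
    findings: List[DuplicateAddress] = []
    for p in packets:
        if p.sender_ip == "0.0.0.0":
            continue            # ARP probe from a host with no address yet
        mac = p.sender_mac.lower()
        prev = last_seen.get(p.sender_ip)
        if prev is not None:
            prev_mac, prev_frame, prev_time = prev
            if prev_mac != mac and p.time - prev_time <= window:
                findings.append(DuplicateAddress(p.sender_ip, prev_mac,
                                                 prev_frame, mac, p.frame))
        last_seen[p.sender_ip] = (mac, p.frame, p.time)
    return findings


def macs_claiming_multiple_ips(packets: List[ArpPacket]) -> Dict[str, List[str]]:
    """Map each sender MAC that claims two or more IP addresses to those addresses.

    A single MAC answering for several hosts (for example a workstation and the
    default gateway) is the pattern of one machine impersonating several devices.
    """
    claims: Dict[str, Set[str]] = {}
    for p in packets:
        if p.sender_ip != "0.0.0.0":
            claims.setdefault(p.sender_mac.lower(), set()).add(p.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


# Constructed capture: .54 and the gateway .1 are legitimately owned by two
# hosts; a third MAC then claims both addresses. Frame 5 is an ARP probe and
# frame 6 repeats the legitimate claim long after the window has expired.
SAMPLE_CAPTURE = [
    ArpPacket(1, 0.0, 1, "aa:bb:cc:00:00:54", "192.168.0.54"),
    ArpPacket(2, 0.5, 2, "aa:bb:cc:00:00:01", "192.168.0.1"),
    ArpPacket(3, 1.0, 1, "de:ad:be:ef:00:99", "192.168.0.54"),
    ArpPacket(4, 2.0, 2, "de:ad:be:ef:00:99", "192.168.0.1"),
    ArpPacket(5, 3.0, 1, "aa:bb:cc:00:00:77", "0.0.0.0"),
    ArpPacket(6, 100.0, 1, "aa:bb:cc:00:00:54", "192.168.0.54"),
]


if __name__ == "__main__":
    for f in detect_duplicate_addresses(SAMPLE_CAPTURE):
        print(f"Duplicate IP address detected for {f.ip} ({f.new_mac}, frame "
              f"{f.new_frame}) - also in use by {f.first_mac} (frame {f.first_frame})")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_CAPTURE).items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```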

Module 11 Page 963 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Traffic Monitoring and Analysis

Additional Packet Sniffing Tools

Network Sniffer: http://www.colasoft.com
dsniff: http://www.monkey.org
VisualSniffer: http://www.biovisualtech.com
PacketMon: http://www.analogx.com
SniffPass Password Sniffer: http://www.nirsoft.net
SmartSniff: http://www.nirsoft.net
Capsa Packet Sniffer: http://www.colasoft.com
Tcpdump: http://www.tcpdump.org
ColaSoft Packet Builder: http://www.colasoft.com
Snort: https://www.snort.org


Network Sniffer
Source: http://www.colasoft.com
Network Sniffer can help you locate network problems by allowing you to capture and view the packet-level data on your network. It consists of a well-integrated set of functions that can resolve network problems. It can list all the network packets in real time from multiple network cards (including Modem, ISDN, ADSL) and can also support capturing packets based on applications (SOCKET, TDI, etc.).
VisualSniffer
Source: http://www.biovisualtech.com
VisualSniffer is a packet capture tool and protocol analyzer (IP sniffer or packet sniffer) for a Windows system. VisualSniffer can be used by LAN administrators and security professionals for network monitoring, intrusion detection and network traffic logging. It can also be used by network programmers to check what the program under development has sent and received, or by others to get a full picture of the network traffic.
SniffPass Password Sniffer
Source: http://www.nirsoft.net
SniffPass captures the passwords that pass through the network adapter. SniffPass can capture the passwords of the following protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic authentication passwords).


Capsa Packet Sniffer
Source: http://www.colasoft.com
Capsa Packet Sniffer is a network analyzer for Ethernet monitoring, troubleshooting and
analysis. It monitors network activities, pinpoints network problems and enhances network
security.
ColaSoft Packet Builder
Source: http://www.colasoft.com
Colasoft Packet Builder creates custom network packets. It helps check the network protection
against attacks and intruders. It also supports saving packets to packet files and sending packets
to the network.
dsniff
Source: https://www.monkey.org
dsniff includes a collection of tools for network auditing and penetration testing. These tools
help passively monitor a network for interesting data (passwords, e-mail, files, etc.). Some of
the tools in the tool suite facilitate the interception of network traffic normally unavailable to
an attacker.
PacketMon
Source: http://www.analogx.com
PacketMon captures the packets transmitted through the network in order to monitor and
administer the network properly.
SmartSniff
Source: http://www.nirsoft.net
SmartSniff is a network monitoring utility allowing the capture of TCP/IP packets that pass
through the network adapter and view the captured data as a sequence of conversations
between clients and servers.
Tcpdump
Source: http://www.tcpdump.org
Tcpdump is a command line network analyzer tool or more technically a packet sniffer.
Administrators can use this utility for network analysis.
Snort
Source: https://www.snort.org
Snort is capable of real-time traffic analysis and packet logging. Snort can be configured to run
in three modes:
• Sniffer mode, which simply reads the packets off the network and displays them in a
continuous stream on the console (screen).
• Packet Logger mode, which logs the packets to the disk.
• Network Intrusion Detection System (NIDS) mode, which performs detection and analysis
on the network traffic. This is the most complex and configurable mode.


Network Monitoring and Analysis using the PRTG Network Monitor

[PRTG screenshot: sensor overview with Top Talkers, Top Connections and Add Toplist panels and a per-protocol breakdown (Citrix, FTP/P2P, Infrastructure, Mail, NetBIOS, Remote Control, Various, WWW) against a total of 68 kbit/s. Source: https://www.paessler.com]


PRTG Network Monitor is a network monitoring software which supports remote management
using any web browser or smart phone, various notification methods and multiple location
monitoring. Administrators can use this utility for availability, usage and activity monitoring,
covering the entire range from website monitoring to database performance monitoring.

It helps:

• Avoid bandwidth and performance bottlenecks.
• Identify applications or servers using up the available bandwidth.
• Instantly identify sudden spikes caused by malicious code.
• Reduce the costs of purchasing additional hardware and bandwidth.

PRTG can collect data for almost anything of interest on the network. It supports multiple protocols for collecting this data:

• SNMP and WMI.
• Packet Sniffing.
• NetFlow, IPFIX, jFlow, and sFlow.

Source: https://www.paessler.com


Additional Network Monitoring and Analysis Tools

Microsoft Message Analyzer: https://www.microsoft.com
Fiddler: http://www.telerik.com
Nagios: https://www.nagios.org
NetworkMiner: http://www.netresec.com
OpenNMS: http://www.opennms.org
Pandora FMS: http://pandorafms.com
Advanced IP Scanner: http://www.advanced-ip-scanner.com
Zenoss Core: https://www.zenoss.com
Capsa Free Network Analyzer: http://www.colasoft.com
Total Network Monitor: http://www.softinventive.com


Microsoft Message Analyzer
Source: https://www.microsoft.com
Message Analyzer enables an administrator to capture, display and analyze protocol messaging traffic and other system messages. Message Analyzer can also import, aggregate and analyze data from log and trace files.
Nagios
Source: https://www.nagios.org
Nagios monitors the entire IT infrastructure to ensure systems, applications, services, and business processes are functioning properly.
OpenNMS
Source: http://www.opennms.org
The application comes with a large number of service monitors that perform synthetic transactions ranging from a simple ICMP request (ping) or port check, up through complex website monitoring and round-trip e-mail testing.
Advanced IP Scanner
Source: http://www.advanced-ip-scanner.com
Advanced IP Scanner analyzes the traffic in the LAN. The program shows all network devices and provides access to shared folders and FTP servers. It provides remote control of computers and can even switch computers off remotely.


Capsa Free Network Analyzer
Source: http://www.colasoft.com
Capsa Free Network Analyzer is a network analyzer that allows monitoring network traffic, troubleshooting network issues and analyzing packets. It allows an administrator to monitor network activities, pinpoint network problems, enhance network security and so on. It automatically diagnoses network problems and suggests solutions. It lists all hosts in the network with details (traffic, IP, MAC, etc.).
Fiddler
Source: http://www.telerik.com
Fiddler enables an administrator to inspect incoming and outgoing data in order to monitor and modify requests and responses before the browser receives them.
NetworkMiner
Source: http://www.netresec.com
NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports, etc. without putting any traffic on the network. NetworkMiner can extract files and certificates transferred over the network by parsing a PCAP file or by sniffing traffic directly from the network.
Pandora FMS
Source: http://pandorafms.com
Pandora FMS monitors a client's network, with no external access. It uses industry-standard SNMP v1, v2c and v3 processing alongside powerful SNMP trap management for network monitoring. It uses a native IPAM integration to manage IP addresses (IPv4/IPv6 compatible).
Zenoss Core
Source: https://www.zenoss.com
Zenoss automatically builds and maintains a topology model of the entire network, including devices, routers, interfaces and routes. It keeps up with rapidly changing network usage patterns.
Total Network Monitor
Source: http://www.softinventive.com
Total Network Monitor is a network monitoring software program that is designed to continuously monitor the local network, individual computers and services that require careful attention and thorough control. It monitors and keeps track of a particular aspect of service operation, server health or a file system. The monitor log shows the full history of the executed actions and readings from all the monitors.


Bandwidth Monitoring

• Bandwidth is the amount of information that can be transmitted over a network in a given amount of time
• Network bandwidth selection plays a vital role in the design, maintenance and performance of an organization's network
• Poor bandwidth management leads to network congestion and poor performance of the network
• Bandwidth monitoring involves measuring and controlling the traffic on a network link to avoid overfilling of the link
• Factors for measuring bandwidth are:
  ► Determine the amount of available network bandwidth
  ► Determine the average utilization required by a specific application


Bandwidth Monitoring (Cont'd)

• Understand the bandwidth and resource consumption for better network management
• Use bandwidth monitoring tools to measure the bandwidth of the network link
• Focus on the following considerations to lower the bandwidth requirements:
  ► Server-side computing
  ► Data caching
  ► Data compression
  ► Latency mitigation
  ► Loss mitigation




Bandwidth is the amount of data that can be transferred from one point to another. Bandwidth is one of the criteria defining network performance. An effective bandwidth is the one that provides the highest transmission rate. The bandwidth monitoring test will identify the maximum throughput of a system. Bandwidth monitoring tools provide output of the real-time network traffic for any device. The tools provide bandwidth information at the interface level and the device level. If the bandwidth detected is low, it degrades the functioning of the network.

An organization works on two types of bandwidth speed: upload and download. The speed at which the data is sent to the destination is called the upload speed. The speed at which the destination receives the data is called the download speed. With growing networks and huge volumes of data, organizations have started to maximize their upload and download speeds.

It is also important to consider the bandwidth capacity in the network. Bandwidth capacity is the maximum data rate a link can transfer. With hundreds of users in the network, it is important to know the bandwidth usage required per day. Although it can be a tedious job for administrators to determine the per-day usage of the bandwidth capacity, a blueprint of the usage can help draft a proper bandwidth monitoring plan.

Bandwidth monitoring includes monitoring the various bandwidth utilizations implemented in the organization. Many software tools allow you to monitor bandwidth in real time. The benefits of bandwidth monitoring are:

• Bandwidth monitoring helps determine the network utilization for the system. Systems using high amounts of bandwidth should be monitored closely, as they may be engaged in suspicious activity or have become the victim of it.

• High amounts of network traffic lead to network congestion and affect the functioning of the organization. Deploying a network limit provides an alarm when the network is about to reach the maximum bandwidth.

• If the network congestion is high, depending on the size of the organization, additional links can be added to the network. An additional link in the network will boost the network performance, resulting in reduced network congestion.
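The interface-level utilization figure and the "network limit" alarm described above are what an SNMP-based bandwidth monitor computes from the interface octet counters it polls. The following is an added example, not code from the EC-Council courseware or from any of the tools this module lists; the link speed, poll interval and counter readings are constructed, and it also handles the 32-bit counter wrap that a naive delta misreports.

```python
"""Link utilization and threshold alarms from SNMP interface octet counters.

Added example, not code from the EC-Council courseware or from any of the
tools it lists: SNMP-based bandwidth monitors poll ifInOctets/ifOutOctets and
ifSpeed per interface and turn the counter deltas into a utilization figure.
The samples below are constructed; they are not readings from a real device.
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets are 32-bit counters
COUNTER64_MAX = 2 ** 64   # ifHCInOctets / ifHCOutOctets are 64-bit counters


@dataclass(frozen=True)
class Sample:
    """One poll of an interface's octet counters (constructed input)."""
    timestamp: float   # seconds
    in_octets: int
    out_octets: int


@dataclass(frozen=True)
class Utilization:
    in_bps: float
    out_bps: float
    in_pct: float      # percent of ifSpeed, inbound
    out_pct: float     # percent of ifSpeed, outbound


def counter_delta(old: int, new: int, max_value: int = COUNTER32_MAX) -> int:
    """Octets counted between two readings, allowing for a single counter wrap.

    A 32-bit counter on a busy gigabit link wraps in well under a minute, so a
    raw `new - old` would go negative and the interval would be misreported.
    """
    if new >= old:
        return new - old
    return (max_value - old) + new


def utilization(prev: Sample, cur: Sample, if_speed_bps: int,
                max_value: int = COUNTER32_MAX) -> Utilization:
    """Bits per second and percent of link speed over the interval prev..cur."""
    seconds = cur.timestamp - prev.timestamp
    if seconds <= 0:
        raise ValueError("samples must be strictly increasing in time")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, max_value) * 8 / seconds
    out_bps = counter_delta(prev.out_octets, cur.out_octets, max_value) * 8 / seconds
    return Utilization(in_bps, out_bps,
                       100.0 * in_bps / if_speed_bps,
                       100.0 * out_bps / if_speed_bps)


def alarms(samples: List[Sample], if_speed_bps: int, warn_pct: float = 70.0,
           crit_pct: float = 90.0,
           max_value: int = COUNTER32_MAX) -> List[Tuple[float, str, str, float]]:
    """(interval end, direction, level, percent) for every interval over a threshold."""
    found: List[Tuple[float, str, str, float]] = []
    for prev, cur in zip(samples, samples[1:]):
        u = utilization(prev, cur, if_speed_bps, max_value)
        for direction, pct in (("in", u.in_pct), ("out", u.out_pct)):
            if pct >= crit_pct:
                found.append((cur.timestamp, direction, "critical", round(pct, 1)))
            elif pct >= warn_pct:
                found.append((cur.timestamp, direction, "warning", round(pct, 1)))
    return found


# Constructed: a 100 Mbit/s interface polled every 60 s. The inbound counter
# wraps between the first two polls; the second interval is the busy one.
IF_SPEED_BPS = 100_000_000
SAMPLES = [
    Sample(0.0,   4_294_000_000, 1_000_000),
    Sample(60.0,    224_032_704, 38_500_000),
    Sample(120.0,   824_032_704, 751_000_000),
    Sample(180.0,   899_032_704, 826_000_000),
]


if __name__ == "__main__":
    for prev, cur in zip(SAMPLES, SAMPLES[1:]):
        u = utilization(prev, cur, IF_SPEED_BPS)
        print(f"t={cur.timestamp:5.0f}s in={u.in_pct:5.1f}% out={u.out_pct:5.1f}%")
    for when, direction, level, pct in alarms(SAMPLES, IF_SPEED_BPS):
        print(f"ALARM {level}: {direction}bound {pct}% at t={when:.0f}s")
```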

Improve Bandwidth Usage

Organizations should follow certain rules to improve bandwidth usage in their environment. The rules below differ according to the size and requirements of the organization:

• Limited Use of Media Sites: Organizations can limit their employees' use of media, such as online gaming, movies, music, etc. This will enhance the upload as well as the download speed of the overall network.

• Proxy Cache: When a user visits a website for the first time, the content of the site is saved (cached) on the proxy server. If the user visits the same website again, the content does not have to be downloaded again.

• QoS: Quality of Service (QoS) is a bandwidth reservation mechanism. Certain applications require additional bandwidth, and administrators can configure QoS for these applications. In the future, if a user accesses these applications, the QoS bandwidth will be utilized. Utilizing QoS bandwidth will not affect the bandwidth usage for other users in the network.


Bandwidth Monitoring - Best Practices

Best practices for administrators considering current and future bandwidth needs:

• It is recommended to use only a single bandwidth monitoring tool to assess the current utilization of bandwidth for the organization
• Define and categorize the bandwidth need based on the application, user, user groups, time period, etc.
• Calculate the total number of nodes that contribute to the overall bandwidth requirement including workstations, shared printers, and servers
• Calculate the average bandwidth required per node
• Always consider peak bandwidth requirements for the organization
• Determine, assess and list the type of application that should be used within a specific time period and how much bandwidth it will consume
• Check with the Internet service provider (ISP) as to whether they allow provisions for growth in the bandwidth requirements


The following best practices can also be helpful in effective bandwidth monitoring:

• Timely educating or training the employees about excessive bandwidth consumption can create awareness among them concerning bandwidth usage.

• Monitor the traffic consumed by the network components in the organization.

• Implement a QoS policy to prioritize bandwidth usage as per the application requirement.

• Optimize the WAN capacity to increase the bandwidth of the network.

• Back up the devices that are configured on the network. During a power failure or network failure, these backups act as a good configuration and keep the bandwidth stable.


Bandwidth Monitoring Tools

BitMeterOS: https://codebox.org.uk
SolarWinds Real-Time Bandwidth Monitor: http://www.solarwinds.com
FreeMeter Bandwidth Monitor: http://miechu.pl
Rokario Bandwidth Monitor: http://www.rokario.com
BandwidthD: http://sourceforge.net
ManageEngine Bandwidth Monitor: http://www.manageengine.com
PRTG Bandwidth Monitor: http://www.paessler.com
tbbMeter: http://www.thinkbroadband.com
NetWorx: https://www.softperfect.com
ShaPlus Bandwidth Meter: http://www.shaplus.com


BitMeter OS
Source: https://codebox.org.uk
BitMeter OS keeps track of how much of the internet/network connection is used and allows an administrator to view this information either via a web browser or by using the command line tools.
FreeMeter Bandwidth Monitor
Source: http://miechu.pl
FreeMeter Bandwidth Monitor is used to monitor the network bandwidth of any or all network interfaces. It also provides supporting utilities, including Ping, Trace, UPnP utilities, etc.
BandwidthD
Source: https://sourceforge.net
BandwidthD monitors the amount of traffic being received/transmitted by specific machines and/or subnets. It tracks the usage of TCP/IP network subnets and builds HTML files with graphs to display utilization.
PRTG Bandwidth Monitor
Source: https://www.paessler.com
PRTG Bandwidth Monitor analyzes the traffic in the network and provides detailed results as tables and graphs. It monitors network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT and many more.


NetWorx
Source: https://www.softperfect.com
NetWorx monitors all the network connections or just a specific network connection, such as
Wireless or Mobile Broadband. The incoming and outgoing traffic is represented on a line chart
and logged into a file, so the statistics can always be viewed about the daily, weekly and
monthly bandwidth usage and dial-up duration. The reports can be exported to a variety of
formats, such as HTML, MS Word and Excel for further analysis.
SolarWinds Real-Time Bandwidth Monitor
Source: http://www.solarwinds.com
With the Real-Time Bandwidth Monitor, critical and warning thresholds can be set to instantly
see when usage is out of bounds.
Rokario Bandwidth Monitor
Source: http://www.rokario.com
Rokario Bandwidth Monitor enables an administrator to keep a close eye on the amount of
bandwidth accumulated over the current hour, day, week, month or even year. Advanced
logging tools make it easy to view the bandwidth usage and make alterations to bandwidth
logs.
ManageEngine Bandwidth Monitor
Source: https://www.manageengine.com
The Bandwidth Monitor tool provides real-time network traffic of any SNMP device. It provides the bandwidth usage details both at the interface level and at the device level. It uses SNMP to fetch the bandwidth utilization details of a network interface. The bandwidth utilization of the device displays a comparison of the individual traffic and its interfaces.
tbbMeter
Source: http://www.thinkbroadband.com
tbbMeter is a bandwidth meter that monitors Internet usage. It shows how much the computer
is sending to and receiving from the Internet in real time. It also shows how the Internet usage
varies at different times of the day.
ShaPlus Bandwidth Meter
Source: http://www.shaplus.com
ShaPlus Bandwidth Meter is a bandwidth monitoring software used to track Internet bandwidth
usage. It displays the bandwidth usage in the current session, day and month.


Module Summary

• Network traffic monitoring and signature analysis involves capturing network packets and analyzing them to identify any signs of malicious activity
• Signatures are patterns created using a set of rules which identify typical intrusive activity on the network
• Signature analysis helps differentiate legitimate traffic from suspicious traffic
• Wireshark is a widely used network packet analyzer for network analysis
• A network baseline is a description of the accepted behavior for the network traffic
• Administrators should monitor the network traffic for different types of attack attempts


This module covered the importance of manual network traffic monitoring, types of network signatures, network traffic baselining, network monitoring tools and detection techniques for various types of attacks. The skills acquired include the ability to monitor and detect various types of network traffic abnormalities in the network. The information learned in this module provided the skills to manage and monitor the network devices in the infrastructure, and also the skills to monitor the network bandwidth.

Module 12: Network Risk and Vulnerability Management
Certified Network Defender Exam 312-38

Module Objectives

• Understanding risk and risk management
• Identifying the key roles and responsibilities in risk management
• Understanding Key Risk Indicators (KRI) in risk management
• Explaining phases involved in risk management
• Understanding enterprise network risk management
• Describing various risk management frameworks
• Discussing best practices for effective implementation of risk management
• Understanding vulnerability management
• Explaining various phases involved in vulnerability management
• Understanding vulnerability assessment and its importance
• Identifying requirements for an effective network vulnerability assessment
• Discussing internal and external vulnerability assessment
• Recalling the steps for effective external vulnerability assessment
• Describing the various phases involved in a vulnerability assessment
• Discussing the selection of an appropriate vulnerability assessment tool
• Discussing the best practices and precautions for deploying a vulnerability assessment tool
• Describing vulnerability reporting, mitigation, remediation and verification


This module focuses on network risk and vulnerability management. Organizations are required to manage network risks and vulnerabilities to an acceptable level. This module describes the impact of risks and vulnerabilities on the organization and deals with the various phases involved in risk and vulnerability management. It will guide you through the various risk levels, the roles and responsibilities of the people involved in risk management, different risk management frameworks, vulnerability phases, and the tools used for a vulnerability assessment.


• Risk refers to a degree of uncertainty or expectation that an adverse event may cause damage to the system

• Risk is a function of the following factors:
  ► Presence of weakness in the system (Vulnerability)
  ► Probability of the occurrence of an adverse event (Threat)
  ► Consequences of the adverse event (Impact)

• Potentiality of the risk is best expressed by answering the following questions:
  ► What is risk?
  ► What is the impact of risk?
  ► What is the frequency of risk?


Risk is an expectation that a threat may succeed in potentially damaging resources under specified conditions. Risk can also be defined as:

• Risk is the probability of the occurrence of a threat or an event that may damage, cause loss or have other negative impacts, arising from either internal or external liabilities.

• Risk is the possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.

• Risk is the product of the likelihood that an event will occur and the impact the event would have on an information technology asset.

The relation between Risk, Threats, Vulnerabilities and Impact is as follows:

RISK = Threats x Vulnerabilities x Impact

The impact of an event on an information asset is the product of a vulnerability in the asset and the asset's value to its stakeholders. IT risk can therefore be expanded to:

RISK = Threat x Vulnerability x Asset Value

Risk is the combination of the following two factors:

• Probability of the occurrence of an adverse event, and

• Consequences of the adverse event.


Impact of Risk
The impact of a risk refers to events that restrict normal performance and affect the project cost or schedule outcomes. The impact of a risk on an organization, process or system is determined by the adverse conditions it creates. The impact indicates the potential seriousness of the risk that occurred.

Frequency of Risk
Following risk identification and risk assessment, risks are classified by the frequency of their occurrence and the severity of their consequences. Frequency and severity are the most important characteristics used to monitor risks. Risks are separated into two categories: minor risks that don't require further management attention, and significant risks that require management attention and further analysis. The two-dimensional matrix method is a common method to classify risk into three categories, based on the frequency and the severity.


• Risks are categorized into different levels according to their estimated impact on the system
• The impact level of a risk depends on the value of assets and resources it affects, and the severity of the damage

Risk Level: Action

Extreme / High
  ► Immediate measures should be performed to combat risk
  ► Identify and impose controls to reduce risk to a reasonably low level

Medium
  ► Immediate action is not required but it should be implemented quickly
  ► Implement controls as soon as possible to reduce risk to a reasonably low level

Low
  ► Take preventive steps to mitigate the effects of risk


The risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix.

To analyze risks, you need to work out the frequency or probability of an incident happening (likelihood) and the consequences it would have. This is referred to as the level of risk. Risk can be represented and calculated using the following formula:

Level of risk = consequence x likelihood

There are four risk levels: extremely high, high, medium and low. Remember that control measures decrease the level of risk, but do not always eliminate it.


Risk Level             Danger               Action
Extreme / High Risk    Serious or           ► Immediate measures should be performed to combat the risk
                       imminent danger      ► Identify and impose controls to reduce the risk to a reasonably low level
Medium Risk            Moderate danger      ► Immediate action is not required, but it should be implemented at the earliest
                                            ► Implement controls as soon as possible to reduce the risk to a reasonably low level
Low Risk               Negligible danger    ► Take preventive steps to mitigate the risk effect

TABLE 12.1: Risk Levels

High Risk Events

These risks warrant specific, directed management action to reduce the occurrence of the risk and
its negative impact. They have a high likelihood of occurrence with moderate impact, or a high
impact with at least moderate likelihood. Such risks pose imminent or serious danger and
immediate action is necessary: identify and implement controls to reduce the impact.

Moderate Risk Events

These risks are either high-likelihood, low-consequence events or low-likelihood, high-consequence
events. Individually, the high-likelihood, low-consequence events have very little impact on
project cost or schedule outcomes, but collectively they can significantly alter the
system or organization outcomes. The low-likelihood, high-consequence events require
periodic monitoring for changes; recovering from such an impact will require expenditure and
additional resources.

Low Risk Events

Risks categorized as low are usually negligible and can be eliminated from further assessment.
During periodic evaluation, these low risks are closed or, if conditions have changed, moved to a
higher risk category. Recovering from such an impact requires minimal expenditure and resources.


A risk matrix is used to scale risk by considering the probability (likelihood) of the risk and its consequence (impact)


The risk matrix scales the likelihood or probability of a risk occurring against its consequences
or impact. It is a graphical representation of risk severity and of the extent to which
controls can or will mitigate it. The risk matrix is one of the simplest tools for
increasing the visibility of risk and it supports management's decision making. The risk
matrix defines the levels of risk as the product of the probability category and the
severity category. Although many standard risk matrices exist, each organization needs to
create its own.

                                                Consequences
Likelihood (Probability)       Insignificant   Minor    Moderate   Major     Severe
Very High Probability (81-100%)   Low          Medium   High       Extreme   Extreme
High Probability (61-80%)         Low          Medium   High       High      Extreme
Equal Probability (41-60%)        Low          Medium   Medium     High      High
Low Probability (21-40%)          Low          Low      Medium     Medium    High
Very Low Probability (1-20%)      Low          Low      Medium     Medium    High

TABLE 12.2: Risk Determination Matrix


The table above is the graphical representation of the risk matrix, which is used to visualize
and compare risks. It is a simple way of analyzing risks along the two dimensions of risk:

• Likelihood: the chance of the risk occurring

• Consequence: the severity of the risk event, should it occur

Each cell in the risk matrix represents one combination of likelihood and severity; the
seriousness of the risk is a function of both. Depending on the chance of occurrence, the risk
likelihood has five categories:

1. Very High Probability: The probability of occurrence is more than 80%, and the risk will most
   likely cause problems.
2. High Probability: The probability of occurrence is 61-80%, and the risk will likely cause
   problems.
3. Equal Probability: The probability of occurrence is 41-60%, roughly even odds.
4. Low Probability: The probability of occurrence is low, about 21-40%, but the occurrence
   should not be ruled out; these are still risks.
5. Very Low Probability: The occurrence is rare and exceptional, with a 20% chance or less.

Depending on the severity, the risk consequences fall into five categories:

1. Insignificant: These risks cause a negligible amount of damage.
2. Minor: These risks cause damage, but not to a large extent, and do not affect the network
   significantly.
3. Moderate: These risks do not pose an immediate threat but can inflict sizable damage.
4. Major: These risks have significantly large consequences, which lead to a great loss to the
   organization.
5. Severe: These risks make the network completely unresponsive and are the top priority
   for management.
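The matrix lookup and the formula Level of risk = consequence x likelihood, applied to a small risk register and mapped to the actions of Table 12.1, as an added worked example (this is not code from the CND courseware or from EC-Council). The likelihood bands, consequence categories, matrix cells and actions are taken from the tables above; the ordinal weights 1..5 used for the formula, the tie-breaking order and the sample register entries are assumptions made here for illustration.

```python
"""Risk determination matrix (Table 12.2) and Level of risk = consequence x likelihood.

Added example, not EC-Council's code. Bands, categories, matrix cells and actions
come from the page; the ordinal weights (1..5), the sort order and the sample
register are assumptions for illustration.
"""

# Upper bound (percent) of each likelihood band, ascending, as in Table 12.2.
LIKELIHOOD_BANDS = [
    (20, "Very Low"),
    (40, "Low"),
    (60, "Equal"),
    (80, "High"),
    (100, "Very High"),
]

# Consequence categories in ascending severity; index + 1 is the ordinal weight (assumed).
CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# Risk determination matrix: row = likelihood band, column order = CONSEQUENCES.
MATRIX = {
    "Very Low":  ["Low", "Low", "Medium", "Medium", "High"],
    "Low":       ["Low", "Low", "Medium", "Medium", "High"],
    "Equal":     ["Low", "Medium", "Medium", "High", "High"],
    "High":      ["Low", "Medium", "High", "High", "Extreme"],
    "Very High": ["Low", "Medium", "High", "Extreme", "Extreme"],
}

# Ranking used when sorting a register (higher is more urgent).
LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3, "Extreme": 4}

# Required action per level (Table 12.1; Extreme and High share one row there).
ACTIONS = {
    "Extreme": "Immediate measures; identify and impose controls to reduce risk to a reasonably low level",
    "High": "Immediate measures; identify and impose controls to reduce risk to a reasonably low level",
    "Medium": "Immediate action not required; implement controls as soon as possible",
    "Low": "Take preventive steps to mitigate the risk effect",
}


def likelihood_band(probability_pct):
    """Map a probability in (0, 100] to its Table 12.2 band name."""
    if not 0 < probability_pct <= 100:
        raise ValueError(f"probability must be in (0, 100], got {probability_pct}")
    for upper, name in LIKELIHOOD_BANDS:
        if probability_pct <= upper:
            return name
    raise AssertionError("unreachable: the bands cover (0, 100]")


def risk_level(probability_pct, consequence):
    """Look up the matrix cell for a likelihood percentage and a consequence category."""
    band = likelihood_band(probability_pct)
    column = CONSEQUENCES.index(consequence.strip().title())  # ValueError if unknown
    return MATRIX[band][column]


def risk_score(probability_pct, consequence):
    """Level of risk = consequence x likelihood, with ordinal weights 1..5 (assumed)."""
    band_names = [name for _, name in LIKELIHOOD_BANDS]
    likelihood_weight = band_names.index(likelihood_band(probability_pct)) + 1
    consequence_weight = CONSEQUENCES.index(consequence.strip().title()) + 1
    return likelihood_weight * consequence_weight


def assess_register(register):
    """Score every (name, probability_pct, consequence) entry and sort most urgent first.

    Ties on matrix level are broken by the numeric score, then by name.
    """
    assessed = []
    for name, probability_pct, consequence in register:
        level = risk_level(probability_pct, consequence)
        assessed.append({
            "name": name,
            "likelihood": likelihood_band(probability_pct),
            "consequence": consequence.strip().title(),
            "score": risk_score(probability_pct, consequence),
            "level": level,
            "action": ACTIONS[level],
        })
    assessed.sort(key=lambda r: (-LEVEL_RANK[r["level"]], -r["score"], r["name"]))
    return assessed


# Constructed sample register (assumed values, not from the courseware).
SAMPLE_REGISTER = [
    ("Internet-facing VPN appliance missing vendor patches", 75, "Severe"),
    ("Phishing leads to credential theft", 85, "Major"),
    ("Laptop lost in transit (full-disk encryption enabled)", 30, "Minor"),
    ("Branch printer running outdated firmware", 50, "Moderate"),
    ("Guest Wi-Fi outage", 90, "Insignificant"),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f"{row['level']:<8} score={row['score']:>2}  {row['name']}")
        print(f"         -> {row['action']}")
```

Note that the matrix level and the multiplicative score do not always agree: a very likely but insignificant event (the guest Wi-Fi outage) scores 5 but stays Low in the matrix, which is why the register is sorted by matrix level first and uses the score only to order entries within a level.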


• Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program
• It involves identifying, assessing, and responding to risks by implementing controls to help the organization manage the potential effects
• Risk management has a prominent place throughout the system security life-cycle

Risk Management Benefits:
• Focuses on potential risk impact areas
• Addresses risks according to the risk level
• Improves the risk handling process
• Allows the security officers to act effectively in adverse situations
• Enables effective use of risk handling resources
• Minimizes the effect of risk on the organization's revenue
• Identifies suitable controls for security

Risk management is the process of identifying and assessing risks, and responding to them by
implementing the controls through which the organization manages their potential effects. Risk
management has a prominent place throughout the security life cycle. It is a continuous and
increasingly complex process. Although the types of risk vary from organization to organization,
preparing a risk management plan is common to all of them.

Risk Management Objectives


• The main objective of risk management is to identify the potential risks.
• Identify the impact of risks and help the organization develop better risk management
  strategies and plans.

• Depending on the impact/severity of each risk, prioritize the risks and use established risk
  management methods, tools and techniques to assist.

• Understand and analyze the risks and report identified risk events.
• Control the risk and mitigate its effects.

• Create awareness among the security staff and develop risk management strategies and plans
  that last.


Risk Management Benefits


Risk management provides a structured approach to identifying risks. Having a clear view of all
risks allows an organization to analyze, prioritize and take the appropriate actions to reduce
losses. Risk management has other benefits for an organization, including:

• Focuses on the potential risk impact areas.

• Risks can be addressed according to their level.

• Improves the risk handling process.
• Allows security officers to act effectively in adverse situations.

• Enables effective use of resources.


Key Roles and Responsibilities in Risk Management

• Senior Management: The support and involvement of senior management is required for effective risk management
• Chief Information Officer (CIO): Responsible for IT planning, budgeting, and performance based on a risk management program
• System and Information Owners: Responsible for the appropriate use of security controls to maintain confidentiality, integrity and availability for an information system
• Business and Functional Managers: Responsible for making trade-off decisions in the risk management process
• IT security program managers and computer security officers (ISSO): Responsible for an organization's information security programs
• IT Security Practitioners: Responsible for implementing security controls
• Security Awareness Trainers: Responsible for developing and providing appropriate training on the risk management process

Risk management team member roles and responsibilities are:

• Senior Management: It is the responsibility of senior management to supervise the risk
  management plans carried out in an organization. They develop the policies and techniques
  required to handle commonly occurring risks and, through their expertise, can design the
  steps required for handling future risk.

• Chief Information Officer (CIO): The person holding the position of Chief Information Officer
  is responsible for executing the policies and plans required to support the organization's
  information technology and computer systems. They play a vital role in forming the basic
  plans and policies for risk management. A key responsibility of the CIO is to educate
  employees and other executive management about the possible risks in IT and their effect on
  the business.

• System and Information Owners: System and information owners mainly monitor the plans and
  policies developed for information systems. Their responsibilities include:

  • Take part in all discussions regarding the configuration management process.

  • Keep a record of the information system's components.

  • Investigate all changes to the information systems and their impact.

  • Prepare a security status report for all information systems.

  • Update the security controls required for protecting the information systems.


  • Update the security-related documents on a regular basis.

  • Examine and evaluate the existing security controls to confirm their effectiveness in
    protecting the system.

• Business and Functional Managers: They are responsible for maintaining all management
  processes in an organization and are empowered with the authority to manage almost all of its
  processes. Roles that fall under functional managers include:

  • Development team manager

  • Sales manager

  • Accounts receivable manager

  • Customer service manager

• IT Security Program Managers and Computer Security Officers (ISSO): The ISSO provides the
  required support to information system owners in selecting the security controls for
  protecting the system. They also play an important role in the selection and amendment of
  security controls in an organization.

• IT Security Practitioners: IT security practitioners protect personnel, physical, and
  information security in an organization. Their main responsibilities include:

  • Framing better security methods in the organization.

  • Developing methods that fulfil the company's standards.

  • Examining the company's security approach to risk management and business planning.

  • Handling and recording security incidents.

  • Assigning roles and responsibilities for security in an organization.

  • Supervising the overall security measures taken in an organization.

• Security Awareness Trainers: Security awareness trainers provide IT security awareness and
  training programs in an organization. People responsible for this role will be subject
  matter experts and validate that only proper content is included in the program.


Key Risk Indicators

• A key risk indicator (KRI) is a metric showing the risk appetite probability for an organization
• A KRI is an important component of an effective risk management process which shows the riskiness of an activity
• Understanding the organizational goals is required to identify KRIs
• KRIs assist in performing the following:
  • Define risk for an objective
  • Identify the adverse effect of an event and raise an alarm
  • Notify on threshold levels of risk
  • Provide a backward-looking view on risk events
  • Identify the possibility of an adverse effect

Key Risk Indicators (KRIs) are an important component of an effective risk management
process: they show the riskiness of an activity at an early stage. Understanding the
organizational goals is required to properly identify KRIs. A KRI is a metric capable of
showing the risk appetite probability of the organization. KRIs are among the most important
indicators of an organization's overall health, helping to reduce loss and prevent risk exposure.
Risk exposure is prevented by measuring risk profiles and risk situations in advance, before
the risk event occurs.

KRIs assist in performing the following:

• Event effect identification

• Threshold level notifications

• Backward-looking view on risk events

A KRI should accurately measure and reflect the negative impact on the organization's key
performance indicators (KPIs). KPIs are the metrics that assess an organization's progress
toward its goals. KRIs provide leading-indicator information about emerging risks from external
events that affect the demand for an organization's products or services. They represent the
key ratios the organization tracks as indicators of evolving risks and potential opportunities,
and they point to the necessary actions. In a GRC platform built on Force.com, for example, the
KRI framework is managed by a KRI manager with the help of KRI libraries: a KRI can be linked to
multiple risks and controls, and KRI values can be entered manually through a wizard, uploaded
from spreadsheets using the Force.com data loader, or fed in automatically via the Force.com
web services API.

Management identifies KRIs to support its strategic initiatives by mapping the risks. An
effective method for developing KRIs is to first identify the risk events that affect the
organization's financial status, then find the intermediate and root causes of each risk event.
The indicator then assists management in responding to the risk event in advance.
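The threshold notification, backward-looking view and leading-indicator behaviour described above, as an added worked example (this is not code from the courseware or from any GRC vendor). The two KRIs, their amber and red thresholds, and the weekly vulnerability-scan history are constructed assumptions for illustration; the metric definitions and threshold values are assumptions, not a standard.

```python
"""Key risk indicators: threshold notification, backward-looking trend and a
leading-indicator projection over a series of observations.

Added example, not from the CND courseware. The KRIs, thresholds and scan
history below are constructed assumptions for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    warning: float              # amber threshold
    critical: float             # red threshold
    higher_is_worse: bool = True


@dataclass(frozen=True)
class ScanWeek:
    week_ending: str
    hosts_scanned: int
    hosts_overdue_critical: int           # hosts with a critical finding open > 30 days
    mean_days_to_patch_critical: float


# Constructed weekly vulnerability-scan summaries (assumed data).
SCAN_HISTORY = [
    ScanWeek("2024-01-07", 400, 12, 9.5),
    ScanWeek("2024-01-14", 402, 18, 12.0),
    ScanWeek("2024-01-21", 405, 31, 17.5),
    ScanWeek("2024-01-28", 410, 52, 26.0),
]

# KRI definitions (assumed thresholds) and the metric that derives each value from a ScanWeek.
OVERDUE_CRITICAL_PCT = KRI("Hosts with overdue critical vulnerabilities (%)", warning=5.0, critical=10.0)
DAYS_TO_PATCH = KRI("Mean days to patch critical vulnerabilities", warning=14.0, critical=30.0)

METRICS = {
    OVERDUE_CRITICAL_PCT: lambda w: 100.0 * w.hosts_overdue_critical / w.hosts_scanned,
    DAYS_TO_PATCH: lambda w: w.mean_days_to_patch_critical,
}


def kri_status(kri, value):
    """Compare one observation against the KRI thresholds: GREEN, AMBER or RED."""
    if kri.higher_is_worse:
        if value >= kri.critical:
            return "RED"
        return "AMBER" if value >= kri.warning else "GREEN"
    if value <= kri.critical:
        return "RED"
    return "AMBER" if value <= kri.warning else "GREEN"


def kri_trend(values):
    """Backward-looking view: direction of the latest change in the series."""
    if len(values) < 2:
        return "insufficient history"
    delta = values[-1] - values[-2]
    if abs(delta) < 1e-9:
        return "flat"
    return "rising" if delta > 0 else "falling"


def periods_until_critical(kri, values):
    """Leading indicator: periods until the red threshold is crossed if the last
    observed change continues linearly. 0 if already RED, None if not heading there."""
    if len(values) < 2:
        return None
    latest, slope = values[-1], values[-1] - values[-2]
    if kri_status(kri, latest) == "RED":
        return 0
    distance = (kri.critical - latest) if kri.higher_is_worse else (latest - kri.critical)
    approaching = slope > 0 if kri.higher_is_worse else slope < 0
    if not approaching:
        return None
    return math.ceil(distance / abs(slope))


def evaluate_kris(history, metrics=METRICS):
    """Produce one report row per KRI from the observation history."""
    reports = []
    for kri, metric in metrics.items():
        values = [metric(week) for week in history]
        reports.append({
            "kri": kri.name,
            "latest": round(values[-1], 2),
            "status": kri_status(kri, values[-1]),
            "trend": kri_trend(values),
            "periods_until_critical": periods_until_critical(kri, values),
        })
    return reports


def notifications(reports):
    """Names of the KRIs that have crossed a threshold and need escalation."""
    return [r["kri"] for r in reports if r["status"] != "GREEN"]


if __name__ == "__main__":
    rows = evaluate_kris(SCAN_HISTORY)
    for r in rows:
        print(r)
    print("Notify:", notifications(rows))
```

With the constructed history, the overdue-critical percentage has already crossed its red threshold (status RED, trend rising), while mean days-to-patch is still AMBER but, on its current slope, reaches red within one more week; the second case is the kind of advance warning a KRI is meant to give before the risk event itself occurs.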


Risk Management Phase: Risk Identification

• Identifying the sources, causes, consequences, etc. of the internal and external risks affecting the security of the organization
• Understand the current posture the organization operates in
• Defining the external and internal environment in which the organization is operating
• Determines the effect of risk
• Calibrates the possible outcome of risks

Risk management is a continuous process, performed by achieving the goals of each phase in turn.
It helps reduce and maintain risk at an acceptable level using a well-defined and actively
employed security program. The process is applied at all levels of the organization, from the
strategic and operational context down to specific network locations.
The four key steps, commonly termed the risk management phases, are:

1. Risk Identification

2. Risk Assessment
3. Risk Treatment
4. Risk Monitoring & Review
Every organization should follow these steps when performing the risk management process. The
initial step is to identify risk events before they cause harm or damage. After identifying and
assessing the severity of each risk event across the organization, employees need to take action
to control the risk situation and reduce the damage it inflicts. The last, and equally important,
step is to monitor and review, to ensure that the controls are working and that no new risks
have emerged.


Risk Identification
This is the initial step of the risk management plan. Its main aim is to identify risks before
they cause harm to the organization. The risk identification process depends on the skill set of
the people involved and differs from one organization to another. It identifies the sources,
causes, consequences, etc. of the internal and external risks affecting the security of the
organization.

The purpose of risk identification is to generate a list of threats and opportunities, based on
those events that may prevent or enhance the achievement of objectives. Risks commonly originate
from the following key areas:

• Environment: Risks associated with the environment include tight work spaces, clutter,
  hot or cold environments, smoking, poor lighting, and electrical hazards.

• Equipment: Risks associated with equipment include poor repair condition and equipment that
  is not working, unavailable, or inappropriate for the task.

• Client: Risks arise with clients due to changing conditions, unpredictable movements, and
  poor communication.

• Tasks: These include insufficient time allocated, repetitive tasks, work design, task
  organization, maintaining a fixed posture, poor postures, and insufficient employee
  numbers.

Steps in Risk Identification

• Establishing Context: The employee defines the external and internal environment and
  understands the current conditions in which the organization operates.

• Quantifying Risks: Determines the effect of each risk and calibrates its possible outcomes.

Risk identification reduces bias in the risk assessment and, at the same time, helps reduce
the likelihood or impact of risks in the future. There are many ways to identify risks, and
documents and tools are available to support the risk identification process. Most
identification processes begin with an examination of the issues and concerns raised by the
development team. The risk identification process varies depending on factors such as the
nature of the network and the risk management skills of the team members.


Risk Management Phase: Risk Assessment

• The risk assessment phase assesses the organization's risk and provides an estimate of the likelihood and impact of the risk
• The risk assessment is an ongoing, iterative process assigning priorities to risk mitigation and implementation plans
• It determines the quantitative and qualitative value of risk

Risk Analysis
• Defines the nature of the risk
• Determines the level of risk exposure
• Provides an understanding of inherent and controlled risk

Risk Prioritization
• Risks are prioritized and treated according to their severity
• While performing the risk response step, consider the risk prioritization

The risk assessment phase assesses the organization's risks and estimates the likelihood and
impact of those risks. Risk assessment is an ongoing, iterative process that assigns priorities
to risk mitigation and implementation plans. It helps determine the quantitative and qualitative
value of risk. Every organization should adopt a risk evaluation process in order to detect,
prioritize, and remove risks.
The risk assessment determines the kinds of risk present, the likelihood and severity of each
risk, and the priorities and plans for risk control. Organizations perform a risk assessment when
they identify a hazard but are not able to control it immediately. After performing a risk
assessment, the information it holds should be updated at regular intervals.

After assessing the risks, prioritize them according to their severity or impact on the
organization. The prioritized list helps in developing and handling the plans, preparing a
handling task sequence list, and allocating handling resources. On a numeric priority scale, the
numbers represent risk prioritization in accordance with severity, for example:
1-2: Risks with a priority of 1-2 need to be eliminated immediately (usually within 24
hours) or, if they cannot be eliminated, reduced to a lower rating by implementing at least one
control measure.

3-4: Risks with this priority need to be eliminated, or the hazard controlled, within a
reasonable timeframe.
5-6: Eliminate this type of risk as soon as possible, or control the hazard when possible.


Steps in Risk Assessment


• Risk Analysis: Defines the nature of the risk and determines the level of risk exposure. It
provides an understanding of the inherent and controlled risk.

• Risk Prioritization: Risk prioritization is the process of rating a risk during its analysis
according to its severity and designing a response plan.


Risk Management Phase: Risk Treatment

• Risk treatment is a process of selecting and implementing appropriate controls on the identified risks
• Risks are addressed and treated based on their severity level
• Decisions made in this phase are based on the results of a risk assessment

Risk treatment is the process of selecting and implementing appropriate controls on the
identified risks in order to modify them. The risk treatment method addresses and treats the
risks according to their severity level. Decisions made in this phase are based on the results of
a risk assessment. The purpose of this step is to identify treatments for the risks that fall
outside the department's risk tolerance and to provide an understanding of the level of risk
once controls and treatments are in place. It identifies the priority order in which individual
risks should be treated, monitored and reviewed. Before treating a risk, you need to gather
information about:

• The appropriate method of treatment

• The people responsible for the treatment
• The costs involved

• The benefits of the treatment
• The likelihood of success
• Ways to measure and assess the treatment
Once you have decided how to treat the identified risks, you need to develop, and regularly
review, the risk management plan. The options for treating risks are: avoiding the risk (avoiding
the activities that give rise to it), reducing the risk (reducing the likelihood of the risk
occurring and reducing the impact if it does occur), transferring the risk (shifting
responsibility for the risk to another party through insurance or partnership), and accepting
the risk (if it cannot be avoided or transferred). Employees perform the following actions to
minimize or eliminate the risk:
• Develop a risk control plan.

• Find the impact of risk control on service delivery.

• Identify the constraints on risk control and consider them when completing the risk control
  plan.

• Implement the risk control strategies.

• Identify risks that cannot be controlled.
• Address client resistance to risk control.
• Communicate with support workers and other workers during risk control.

• Completely document the risk control plan as part of the risk control process.


Risk Management Phase: Risk Treatment Steps

Eliminate the risk            Eliminating the risk by applying controls that reduce the threat of exploiting the vulnerability to zero
Transfer the risk             Transferring the risk treatment responsibility to another party or organization
Mitigate the risk             Reducing the risk associated with a threat or vulnerability by implementing direct or compensating controls
Accept the risk               Risks are accepted when the effort to address, transfer or mitigate them exceeds the impact of the risk on the network
Risk Avoidance                Eliminating the cause and consequences of the risk
Risk Planning                 Managing the risk with a risk mitigation plan that prioritizes the risks and implements and maintains the controls throughout the risk management lifecycle
Research and Acknowledgment   Researching the vulnerability and finding the controls to rectify it

A risk treatment can change the likelihood of a risk occurring; the options and detailed designs
are considered in order to select the appropriate risk treatment step. Risk treatment involves a
series of options for mitigating the risks, assessing those options, and preparing and
implementing the action plans. The risk with the highest rating is dealt with first. The options
available, according to the type and nature of the risk, are:
• Avoid: Avoiding the factor that increases the risk of a business process, or finding an
  alternative that meets the business need.
• Reduce: Finding ways to reduce the likelihood of the risk to an acceptable level.
• Share or Transfer: Transferring the risk to a third party, so that they manage the risk
  level.
• Accept: Accepting the risk where it is already at an acceptable level.
The steps taken in risk treatment differ from case to case; stakeholders and process owners
decide them jointly. Key points when considering risk treatments are:
• Implement an appropriate risk treatment option.
• Ensure adequate resources are available while implementing the risk treatment plan.
• The risk treatment plan should reduce the risk to an acceptable level.
• If some risks must be handled immediately, take remedial action for those risks first.


Risk Management Phase: Risk Tracking & Review

Risk Tracking
• The risk tracking phase identifies the chance of a new risk occurring
• The tracking phase ensures appropriate controls are implemented to handle risks
• Risk tracking also includes monitoring the probability, impact, status and exposure of each risk

Risk Review
• The review phase evaluates the performance of the implemented risk management strategies
• Risk reporting ensures management is aware of the top risks, enabling them to plan to reduce the risk appropriately

An effective risk management plan requires a tracking and review structure to ensure effective
identification and assessment of the risks, as well as the use of appropriate controls and
responses. Perform regular inspections of policies and standards, and review them regularly to
identify opportunities for improvement. The monitoring process assures that appropriate controls
are in place for the organization's activities and that the procedures are understood and
followed. The tracking and review process should determine whether the measures adopted, the
procedures followed, and the information gathered for the assessment were appropriate.


• Enterprise network risk management integrates mitigation techniques in a systematic approach to reach the goals and objectives that satisfy business requirements
• It identifies the staff, tools, skill set and other resources required to:
  • Identify and understand the current risks
  • Develop procedures to combat the network risks
  • Mitigate the network risks
  • Develop risk assessment and risk management policies, procedures and checklists

According to the Enterprise Risk Management (ERM) framework, a risk is a possible event that can
have a negative impact on an enterprise: on its resources (people and revenue), on its
facilities, on its clients, and on its market value. Financial organizations describe ERM as the
combined management of credit, interest-rate, liquidity, market, and operational risk.


Enterprise Risk Management Framework (ERM)

• Activities: The risk management framework defines the implementation activities specific to how an organization handles risk
• Structured Process: The Enterprise Risk Management Framework provides a structured process integrating information security and risk management activities
• Actions: ERM frameworks identify, analyze and perform the following actions:
  • Risk avoidance by aborting the actions that lead to risk
  • Risk reduction by minimizing the likelihood or impact of risk
  • Provides risk management process standards

ERM provides a framework for risk management, which typically involves identifying events that are relevant to the organization's objectives. The ERM framework provides an organized process combining information security and risk management activities.

ERM frameworks identify, analyze and perform the following actions:

• Risk avoidance by aborting the actions that lead to the risk.

• Risk reduction by reducing the likelihood or impact of the risk.

• Standardization of the risk management process.

ERM is a risk-based approach to managing an enterprise. It addresses the needs of the various stakeholders who need to understand the broad spectrum of risks faced by the organization so that they can manage those risks appropriately. The key activities involved in managing enterprise-level risk, i.e., the risk resulting from the operation of an information system, are:

• Classification (categorization) of the information system.

• Selection of appropriate security controls.

• Refinement of the selected security control set based on the risk assessment.

• Documentation of all selected security controls in the system security plan.

• Implementation of the security controls.


• Assessment of the security controls.

• Determination of agency-level risk and its acceptability.

• Authorization of information system operation.

• Continuous monitoring of the security controls.


Goals of the Enterprise Risk Management Framework:

❑ Integrate enterprise risk management with the organization's performance management

❑ Communicate the benefits of risk management

❑ Define the roles and responsibilities in the organization for managing risk

❑ Standardize the risk reporting and escalation process

❑ Set a standard approach to managing risks in the organization

❑ Assist the resources in managing the risks

❑ Set the scope and application of risk management in the organization

❑ Mandate periodic review and verification for improvements of the ERM


Organizations manage risks through a number of departments or risk functions that help identify and manage them. A common goal, and challenge, of ERM is improving the capability and coordination of these functions while integrating their output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively. The Enterprise Risk Management Framework has the following additional goals:

• Convey the organization's policies, approach and attitude towards risk management.

• Ensure that the organization meets its risk reporting commitments.


NIST Risk Management Framework

■ NIST Risk Management Framework is a structured and continuous process which integrates information security and risk management activities into the system development life cycle (SDLC)

■ Categorize: Define criticality/sensitivity of the information system according to the potential worst-case adverse impact to mission/business

■ Select: Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment

■ Implement: Implement security controls within the enterprise architecture using sound system engineering practices; apply security configuration settings

■ Assess: Determine security control effectiveness (i.e. controls implemented correctly, operating as intended, meeting security requirements for the information system)

■ Authorize: Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation

■ Monitor: Continuously track changes to the information system that may affect security controls and reassess control effectiveness

[Figure: Security Life Cycle, the six RMF steps Categorize, Select, Implement, Assess, Authorize and Monitor arranged as a continuous loop]

http://csrc.nist.gov


NIST Risk Management Framework is a structured and continuous process which integrates information security and risk management activities into the system development life cycle (SDLC). The NIST risk management framework follows a security life cycle, which involves six stages. (These six stages correspond to NIST SP 800-37 Rev. 1; Rev. 2 of the RMF adds a preliminary Prepare step before Categorize.) The framework's six stages are:

• Categorization of Information System:

This is the initial stage of the NIST risk management framework. It defines the criticality or sensitivity of the information system according to the potential worst-case adverse impact on the mission or business.

• Selection of Security Controls:

Once the information system is categorized, select the baseline security controls that correspond to that categorization. Apply tailoring guidance and supplement the controls as needed based on the risk assessment.

• Implement Security Controls:

Implement the security controls within the enterprise architecture using sound system engineering practices. Apply the security configuration settings.

• Assess Security Controls:

Determine security control effectiveness, i.e. whether the controls are implemented correctly, operating as intended, and meeting the security requirements for the information system.


• Authorize Information System:

Determine the risk to organizational operations and assets, individuals, other organizations, and the Nation; if that risk is acceptable, authorize the system to operate.

• Monitor Security State:

Continuously track changes to the information system that may affect the security controls and reassess control effectiveness.

Source: http://csrc.nist.gov


COSO ERM Framework

❑ COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management

❑ COSO framework emphasizes that ERM involves those elements of the management process that enable management to make genuine risk-based decisions

❑ Objective of the framework

[Figure: the COSO ERM cube, relating the objective categories to the ERM components, e.g. Control Activities, Information & Communication, Monitoring]

http://www.coso.org


COSO ERM framework defines enterprise risk management as a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity's objectives. The framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. COSO framework emphasizes that ERM involves those elements of the management process that enable management to make genuine risk-based decisions.

Objectives of the COSO Framework

The framework groups an entity's objectives into four categories, each of which allows a focus on a separate aspect of enterprise risk management. The categories are:

• Strategic: high-level goals, aligned with and supporting the entity's mission.

• Operations: the effective and efficient use of resources.

• Reporting: the reliability of the entity's reporting.

• Compliance: compliance with applicable laws and regulations.


Categorizing the entity's objectives in this way allows a focus on separate aspects of enterprise risk management. The categories overlap: a particular objective can fall into more than one category, address different entity needs, and be the direct responsibility of different executives.

Components of Enterprise Risk Management Framework


Enterprise risk management consists of eight interrelated components, which arise from the
way management runs an enterprise and are involved in the management process.

The components of ERM are:

• Internal Environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by its people, including the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

• Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives that support and align with the organization's mission and are consistent with its risk appetite.

• Event Identification: The organization should identify the internal and external events affecting the achievement of its objectives and distinguish risks from opportunities. Opportunities are channelled back to management's strategy or objective-setting processes.

• Risk Assessment: Risks are analyzed by considering their likelihood and impact as a basis for determining how they should be managed. Risks should be assessed on both an inherent and a residual basis.

• Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk) and develops a set of actions to align risks with the entity's risk tolerance and risk appetite.

• Control Activities: Policies and procedures are established and implemented to ensure that the risk responses are carried out effectively.

• Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the organization.

• Monitoring: The organization monitors its risk management process and modifies it when necessary. Monitoring is accomplished through on-going management activities, separate evaluations, or both.


Relationship between Objectives and Components:


There is a direct relationship between objectives, which are what the organization strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The components are also the criteria for effective enterprise risk management: when all of them are present and functioning properly, with no material weaknesses, and the organization has brought risk within its appetite, ERM is considered effective.

Source: www.coso.org


COBIT

❑ COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks

❑ COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the enterprise's IT governance and control framework

[Figure: the four COBIT process domains shown as a cycle: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]

http://www.isaca.org


COBIT is a business framework for the governance and management of enterprise IT, with a supporting toolset, that enables managers to bridge the gap between control requirements, technical issues and business risks. The framework offers globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment and simplifies the implementation of the enterprise's IT governance and control framework.

COBIT helps enterprises of all sizes to:


• Maintain high-quality information to support business decisions.

• Achieve strategic goals and realize business benefits through the effective and innovative
use of IT.

• Achieve operational excellence through reliable and efficient application of technology.

• Maintain IT-related risk at an acceptable level.

• Optimize the cost of IT services and technology.

• Support compliance with relevant laws, regulations, contractual agreements and policies.


The COBIT Framework is based on five key principles for the governance and management of
enterprise IT that include:

• Meeting Stakeholder Needs

• Covering the Enterprise End-to-End

• Applying a Single, Integrated Framework

• Enabling a Holistic Approach

• Separating Governance from Management

Source: http://www.isaca.org


Risk Management Information Systems (RMIS)

❑ RMIS is a management information system allowing the storage, management, analysis and retrieval of the risk information for an organization's network

❑ Organizations incorporate the risk management framework with the RMIS to optimize the risk management process

Network security professionals use RMIS to:

❑ Assess the risk and its adverse impact

❑ Generate different types of reports

❑ Target specific risk factors

❑ Manage and analyze data efficiently with limited resources


RMIS is a system that stores, manages, analyzes, and retrieves the risk information of an organization's network from a single place. It consolidates property values, claims, policy, and exposure information so that the user can monitor and control the overall cost of risk. RMIS not only provides a means to examine the organization's network but also helps address the risks that are found.

The organization should incorporate its risk management framework into the RMIS to get optimum results, as these systems act as risk management instruments in the organization. Network security professionals use RMIS to:

• Assess the risk and its adverse impact.

• Generate different types of reports.

• Target specific risk factors.

• Manage and analyze data efficiently with limited resources.

The main objective of RMIS is to combine information and store it in one place, which assists risk managers in making critical decisions. The three main advantages of RMIS are:

• Better dependability of data, as it reduces data redundancy and data errors.

• Reduced cost to the organization through better risk management.


• Alignment with company standards, which helps the organization implement its risk management policies efficiently.

RMIS generates reports on various aspects of risk, and these reports give the organization a consolidated view of the network risks so that it can manage them. The type of report generated depends on the type of request sent. The RMIS generates the following types of reports:

• Standard Reports: RMIS generates standard reports in response to common queries. These reports do not contain category-specific data.

• Ad-hoc Reports: The system also generates ad hoc reports in response to special queries. These reports contain category-specific data.


❑ Aon Enterprise Risk Management (http://www.aon.com)

❑ INFORM (http://www.informapplications.com)

❑ STARS RMIS (https://www.stars-web.com)

❑ Travelers e-CARMA (https://www.travelers.com)

❑ RiskEnvision (http://www.ebix.com)

❑ RMIS Insights (https://rmisinsights.com)

❑ Riskonnect RMIS (http://riskonnect.com)

❑ Enterprise Risk Management (http://www.emrisk.com)

❑ LogicManager's Risk Management Information System (RMIS) (www.logicmanager.com)

❑ Webrisk Risk Management Information System (www.effisoft.com)


Aon Enterprise Risk Management

Source: http://www.aon.com
Enterprise Risk Management (ERM) provides a framework to understand and respond to
business uncertainties and opportunities with relevant risk insight delivered through common,
integrated risk identification, analysis and management disciplines. ERM enhances
organizational resiliency by improving decision making, strengthening governance and
supporting a risk intelligent culture.

STARS RMIS

Source: https://www.stars-web.com
STARS RMIS supports comprehensive risk management, enterprise risk management (ERM),
claims management, compliance and safety management and peer benchmarking.

RiskEnvision
Source: http://www.ebix.com

RiskEnvision offers a web-based total risk management and claim administration solution.
RiskEnvision supports risk management and claims administration functions including payment processing, reserve management, form letters and correspondence, policy management, diary, reporting, and more for Auto, GL, Product, Property, and Workers' Compensation lines of insurance coverage in a user-friendly application, with minimal maintenance overhead.


Riskonnect RMIS

Source: http://riskonnect.com

A risk management software platform, which enables customers and risk professionals to
automate their entire risk management process. It is an approach towards claims, litigation,
exposure, policy management and more with technology.

LogicManager's Risk Management Information System (RMIS)

Source: www.logicmanager.com

LogicManager's Risk Management Information System helps manage policies, reduce claims and track litigation using risk management techniques.

INFORM

Source: http://www.informapplications.com

INFORM provides a set of reporting tools and data intake tools for both basic and complex needs. The reporting tool provides a BI (business intelligence) based reporting solution for needs ranging from very basic to very complex.

Travelers e-CARMA

Source: https://www.travelers.com

Travelers e-CARMA is a risk management information system that helps users manage loss costs. The main activities of Travelers e-CARMA include:

• Analyzing loss data

• Keeping up with claim activity

• Discovering loss trends

RMIS INSIGHT

Source: https://rmisinsights.com

RMIS INSIGHT simplifies sharing, comparing, and acting on RMIS data analytics. It supports both
Claim and Policy Analytics.

Enterprise Risk Management

Source: http://www.emrisk.com
Enterprise Risk Management provides business key support and guidance in computer security
risk assessment and the management of technology risk.

Enterprise Risk management helps:

• Identify potential risks

• Evaluate them

• Provide recommendations to mitigate the identified risks


Webrisk Risk Management Information System

Source: www.effisoft.com

Webrisk RMIS helps risk managers manage their daily operations easier, and achieve
sustainable results. Features of Webrisk RMIS include:

• Business unit management

• Risk mapping by axes of analysis

• Asset evaluation for renewals and on-line renewal data gathering

• Property and fleet management

• Geolocation of sites and risks

• Prevention management

• Policy program management

• Incident and claim management and notification

• Sophisticated ad hoc reporting


Enterprise Network Risk Management Policy

❑ Enterprise network risk management policy assists in developing and establishing essential processes and procedures to address and minimize information security risks

❑ It outlines different aspects of risk and identifies people to manage the risk in the organization

Objectives:

❑ Equip the organization with the required skills to identify and treat risks

❑ Provide a consistent risk management framework

❑ Provide the overall direction and purpose of performing risk management

❑ Manage the risks with adequate risk mitigation techniques

❑ Combat the existing and emerging risks

❑ Integrate operational risks into the risk management process

❑ Accomplish the strategic and operational goals of the organization

❑ Facilitate strategic management decisions

❑ Meet legal and regulatory requirements


An enterprise network risk management policy is a written statement created to protect an organization's information assets from accidental or malicious threats. The organization should include network risk management in its overall risk management policy, and the policy should comply with the organization's security policies.

The policy develops and establishes the essential procedures and processes to address and minimize information security risks, and it protects the confidentiality, integrity, and availability of the company's IT assets. The enterprise network risk management policy addresses information security issues and their impact, and it suggests measures to keep the assets secure from both internal and external risks.

The risk management policy also outlines different aspects of risk and identifies the people who manage risk in the organization. Risk management is the process of balancing the operational and economic costs of protective measures against the objectives and business goals they support. The policy should be dynamic, realistic and applicable, built to achieve long-term organizational goals, and easy to maintain.

The risk management security policy addresses the following issues related to the security of an
organization:

• Internal controls

• Risk acceptance policy

• Risk Assessment


• Risk mapping

• Contingency planning

• Incident response

• Business asset valuation

• Mission impact assessment

• Audit and assessment policy

• Disaster recovery / business continuity policy

• Key indicators to monitor the effectiveness of controls


Organizations should consider certain objectives while developing a new risk management policy, so that the policy is in line with their work and supports profitability. The purpose of a risk management policy is to offer better risk management through the identification, management, and acceptance of risk across all segments of an organization. Some of the most common objectives are:

• Meet legal and regulatory requirements.

• Assist strategic management decisions.

• Accomplish the organization's strategic and operational goals.

• Integrate operational risks into risk management.

• Combat existing and emerging risks.

• Manage the risks with adequate risk mitigation techniques.

• Provide the overall direction and purpose for performing risk management.

• Provide a consistent risk management framework.

• Equip the organization with the required skills to identify and treat risks.


Best Practices for Effective Implementation of Risk Management

❑ Track and monitor internal and external risks of the organization at regular intervals

❑ Establish a risk management policy for the organization

❑ Implement a framework for risk assessment and mapping

❑ Use ERM for decision making

❑ Incorporate ERM into the strategic planning process

❑ Identify the potential risks to the network

❑ Prioritize the risks based on their impact on the enterprise network

❑ Specify the responsibilities of risk managers within their respective domains

❑ Regularly review and update the risk management policy


Effective risk management depends on the implementation of predefined or planned proposals. Therefore, it is crucial to consider some best practices when implementing the plan:

• Enlist various improvement options.

• Identify the threats and risks arising from user errors and analyze the risks that arise under both normal and fault conditions.

• Always make sure the risk assessment is conducted by experienced and trained professionals.

• Always identify the risk in its initial stage in order to provide a quick response.

• Choose proper metrics in order to measure the effectiveness of the risk management system.


Vulnerability Management

❑ Vulnerability Management is a continuous information security risk process which includes identifying, assessing, classifying, remediating, and mitigating vulnerabilities

❑ A well planned and implemented vulnerability management process plays a vital role in the organization's risk management

❑ It provides a comprehensive approach towards mitigating risks on the organization's system and network

❑ It is a superset of the vulnerability assessment process

[Figure: Vulnerability Management Phases shown as a cycle: Asset Discovery, Prioritization, Assessment, Reporting, Remediation, Verification]


Vulnerability management is the continuous process of recognizing, evaluating, categorizing, removing and diminishing vulnerabilities. It is usually supported by a vulnerability scanner that searches systems for known vulnerabilities.

Every organization should implement vulnerability management, as it evaluates and controls the risks and vulnerabilities in its systems. The management process continuously examines the IT environment for vulnerabilities and the risks associated with them. The process may be defined as:

• Draft a vulnerability management policy.

• Identify the existing vulnerabilities.

• Evaluate the vulnerabilities according to their priority and define the required actions.

• Reduce the impact of each vulnerability on the system.

• Continue the process of evaluating vulnerabilities and risks.

There are six phases in vulnerability management. Every phase concentrates on reducing the security risk to the network.


The six phases in vulnerability management are:

• Discovery (Mapping): A phase in which the network assets are identified, considered and evaluated.

• Asset Prioritization (and Allocation): Assets are compared against a predefined set of features and assigned a priority.

• Assessment (Scanning): Scan and evaluate the systems for vulnerabilities.

• Reporting (Technical and Executive): Report the results obtained in the different vulnerability management processes.

• Remediation (Treating risks): Reduce the risk posed by the vulnerability and remove its root cause.

• Verification (Rescanning): Rescan to confirm that remediation worked, and continuously monitor the network to check for new vulnerabilities.


Discovery - Identify the Components of a Network

Discovery using QualysGuard Vulnerability Management

❑ In this phase, all the network components and assets are identified

❑ Network discovery will help you detect rogue devices on the network

❑ Provides a hacker's view of the network

[Screenshot: QualysGuard Vulnerability Management map results listing the discovered hosts in the 10.10.10.x range with their DNS names]


An inventory detailing the assets is created and the host details are then identified so that vulnerabilities can be found. An automated, scheduled check for vulnerabilities is performed.

The basic steps in the Discovery phase are:

• Identify all the hosts (including rogue devices) in the network and assign each host to the business according to its needs.

• Provide a graphical representation of the hosts in the network.

• Use a risk-based approach to rank the remediation efforts.

• Identify the services, ports, etc. running on each identified device.

• Select the preferred hosts for scanning or reporting.

You can use automated network discovery tools to identify the network components; for example, you can use QualysGuard Vulnerability Management to perform network discovery.


This tool will help you with:

• Mapping the network: Provides a graphical representation of the hosts and the details of
the network.

• Assigning each asset to the business: Assigns the identified assets according to the
business needs. This helps in categorizing the approaches and reducing the effect of a
vulnerability in the network.

• Identifying the ports, OS, services and certificates on each device: Provides details
regarding the identified operating system, the open ports available and the certificates
installed on each device.


Asset Prioritization - Evaluate the Importance of each Component

• Asset prioritisation helps create a customized list of what to tackle first, second, third and so on

• Identify the assets which are more critical to the business

• Identify the value for each specific asset

• Criticality of the assets depends on the business impact

[Screenshot: QualysGuard Threat Analysis Report showing Total Hosts 476 and Impacted Hosts 10]

Classify the identified assets according to the business needs. Classification helps in identifying
the high business risks in an organization. Prioritize and rate the assets based on the impact of
their failure and on the reliability of those assets in the business. Prioritization helps in:

• Evaluating and deciding a solution for the consequences of the assets failing.

• Examining the risk tolerance level.

• Organizing the methods for prioritizing the assets.
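The Discovery and Asset Prioritization phases above can be reduced to two checks: which discovered hosts are absent from the asset inventory (rogue devices), and in what order the known assets should be scanned and remediated. The following is an added example, not EC-Council's or Qualys's code; the inventory, the discovered hosts, the criticality values and the per-port exposure weights are all constructed.

```python
"""Rogue-device detection and criticality-based ranking over a constructed
network discovery result (added example, not from the courseware)."""

# Constructed asset inventory: IP -> owning business unit and criticality
# (1 = low business impact, 5 = critical to operations).
INVENTORY = {
    "10.10.10.10": {"name": "dc01", "unit": "IT", "criticality": 5},
    "10.10.10.31": {"name": "web01", "unit": "Sales", "criticality": 4},
    "10.10.10.34": {"name": "wks-034", "unit": "HR", "criticality": 2},
}

# Constructed discovery output, as a network-mapping tool would report it:
# each live host with the services found listening and an OS guess.
DISCOVERED = [
    {"ip": "10.10.10.10", "os": "Windows Server", "ports": [53, 88, 389, 445]},
    {"ip": "10.10.10.31", "os": "Linux", "ports": [22, 80, 443]},
    {"ip": "10.10.10.34", "os": "Windows 10", "ports": [135, 445]},
    {"ip": "10.10.10.40", "os": "Linux", "ports": [21, 23, 8080]},  # not in inventory
]

# Constructed exposure weights (an assumption of this example): services that
# widen the attack surface more, such as cleartext or management protocols,
# count more than a single web port.
PORT_WEIGHT = {21: 3, 23: 3, 445: 2, 135: 2, 3389: 2, 22: 1, 80: 1, 443: 1, 8080: 1}


def find_rogue_hosts(discovered, inventory):
    """Hosts seen on the network that the asset inventory does not know about."""
    return [h["ip"] for h in discovered if h["ip"] not in inventory]


def exposure_score(host):
    """Sum of the weights of the listening services; unknown ports count 1 each."""
    return sum(PORT_WEIGHT.get(p, 1) for p in host["ports"])


def prioritize(discovered, inventory):
    """Rank hosts for scanning and remediation by criticality x exposure.

    A rogue host is given the highest criticality: its business impact is
    unknown and it may be an unauthorized device, so it is examined first.
    """
    ranked = []
    for host in discovered:
        asset = inventory.get(host["ip"])
        criticality = asset["criticality"] if asset else 5
        name = asset["name"] if asset else "ROGUE"
        ranked.append({"ip": host["ip"], "name": name,
                       "priority": criticality * exposure_score(host)})
    # Highest priority first; ties are broken by IP so the report is stable.
    ranked.sort(key=lambda r: (-r["priority"], r["ip"]))
    return ranked


if __name__ == "__main__":
    print("Rogue hosts:", find_rogue_hosts(DISCOVERED, INVENTORY))
    for row in prioritize(DISCOVERED, INVENTORY):
        print(f"{row['priority']:3d}  {row['ip']:<14} {row['name']}")
```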


Vulnerability Assessment/Scanning

• The Network Vulnerability Assessment is performed to identify the security vulnerabilities in the network

• It involves scanning, investigating, analyzing and reporting the vulnerabilities concerning the level of risk

• The risk-based vulnerability assessment can help identify, classify and analyze the vulnerabilities comprehensively and find solutions to mitigate them

• Regular network vulnerability scans must be conducted to identify issues in the network

A vulnerability assessment is the process of identifying vulnerabilities in network components,
including the operating system, web applications, web server, etc. It helps identify the category
and criticality of the vulnerability in an organization. The organization rates the vulnerabilities,
prioritizes them, and designs methods to remedy the situation accordingly. The assessment
method helps measure the effectiveness of those remedies.
The ultimate goal of vulnerability scanning includes scanning, examining, evaluating and
reporting the vulnerabilities in the network. It helps minimize the levels of risk to the
organization. There are several steps involved in a vulnerability assessment:

• Classify the network or system resources.

• Prioritize the importance of each resource.

• Identify the possible threats to each resource.

• Identify the possible measures for each threat.

• Identify the methods required to reduce the impact of any attack.

Vulnerability scans, when performed at regular intervals, are beneficial in locating any issues and
in selecting an appropriate security control to mitigate those issues. Doing this on a regular
basis reduces the risk to a great extent.

There are automated tools available for vulnerability scanning, including Nessus, SAINT,
OpenVAS, and Nikto.


Advantages of a Vulnerability Assessment

• Identify known security issues before potential attackers find the vulnerability and exploit it

• Provides the opportunity to address the issues and avoid serious damage to the organization's assets

• Assists in updating or creating a detailed structure of the organization's network

• Identifies rogue machines on the network and avoids unnecessary risks to the organization

• Helps create an inventory of network resources which is useful when tracking systems

• Assists organizations in generating a blueprint of their overall security posture

• Reduces liability and protects assets

• Compliance with all security requirements

Organizations perform a network vulnerability assessment in order to detect and eradicate
vulnerabilities in the network. It manages the risk to the organization. All network components
are assessed against possible vulnerabilities at regular intervals. A vulnerability assessment
will help:

• Identify issues on systems that security controls are unable to identify.

• Alert security managers when an attack occurs.

• Provide additional assurance to security managers on the state of the security system.


Requirements for an Effective Network Vulnerability Assessment

Consider the following for an effective vulnerability assessment:

• Ability to identify the assets that require a vulnerability scan

• Check the vulnerability scanning tools for any false positives

• Select the assessment tools which will cause the least network disturbance

• Maintain a change control system during the vulnerability scan, to keep track of all activities

• Effective assessment tools include features such as trending, reporting and remediation tracking

Conducting a vulnerability assessment at regular intervals is required for an effective network
vulnerability assessment. To conduct a vulnerability assessment more effectively,
administrators need to consider the following points:

• Identify which assets of the network should be assessed for vulnerabilities. Identifying the
assets and evaluating their criticality is important to minimize any potential risks to the assets.

• Check the vulnerability scanning tools for false positives when receiving the assessment
results. An identified vulnerability may be a false positive, so it is very important to validate
that the identified vulnerability is genuine. To do this, perform the vulnerability assessment
with a variety of tools; do not depend on a single tool for the vulnerability scanning
assignment.

• Choose assessment tools which cause minimal network disturbance. Vulnerability
assessment tools can have a serious impact on network performance during an
assessment. Choose only the tools appropriate to get the job done and which do
not cause additional issues with network performance.

• Use a change control system to keep track of all the activities during a vulnerability scan.

• Only consider assessment tools with key features such as trending, reporting and
remediation tracking.


Types of Vulnerability Assessments

• Understand the design of the network and the systems before conducting a vulnerability assessment

• Network performance can be degraded or even stop functioning due to vulnerability assessments

• Internal vulnerability assessments help identify vulnerabilities within the network, including password complexity, antivirus protection, and other potential weaknesses

• External vulnerability assessments examine an organization's network security from the outside

[Figure: Internal Vulnerability Assessment (inside the network) versus External Vulnerability Assessment (from the perimeter)]

Example: Internal and External Vulnerability Assessments

Internal vulnerability examples:

• Ineffective Procedures: Ineffective security configuration procedures in a network

• Old Passwords: Accounts with passwords older than one month

• Old Patch Levels: Available patches and updates

External vulnerability examples:

• FTP Anonymous Access: A perimeter security review to check if the server permits anonymous access to accounts for terminated employees

• Email Relay: Checks the server for open relay emails

There are two types of network vulnerability assessments:

• Internal Vulnerability: Examines the security of the internal network.

• External Vulnerability: Examines the security of the servers facing the Internet.
A complete understanding of the design of the network and the system is required before
performing a vulnerability assessment. There are instances where the vulnerability assessment
may affect the network, causing a performance degradation or even preventing it from
functioning properly.

Internal Vulnerability Assessment


An internal vulnerability assessment recognizes the vulnerabilities in the network. This includes
password complexity, the antivirus protection used, etc. An internal assessment evaluates the
network for the presence of internal vulnerabilities. Conduct a vulnerability assessment on
every critical device to identify all possible vulnerabilities which an attacker could exploit.
Internal assessments create a report based on the vulnerabilities detected in the network.
The internal vulnerability assessment includes:

• Host and service discovery: Discovering all accessible systems and the services running. This
includes live host detection, service enumeration and application fingerprinting.

• Vulnerability identification and verification: Vulnerability scans are performed on the
discovered hosts and services in order to identify any vulnerabilities present.

External Vulnerability Assessment

An external vulnerability assessment evaluates the security profile of an organization from the
perimeter of the network. An external vulnerability assessment assists in the identification of
the vulnerabilities in the network that are reachable from outside.
The following actions are performed during an external vulnerability assessment:

• Find all hosts on the network.

• Fingerprint their operating systems.

• Detect open ports on the system.

• Map the ports to the various network services.

• Detect the version of all the running services.

• Map each service version to any known security vulnerabilities.

• Verify whether the service is vulnerable to an attack or has been patched.


Examples of Internal Vulnerabilities

• Ineffective Procedures: Ineffective security configuration procedures in a network.

• Old Passwords: Includes passwords older than one month.

• Old Patch Levels: Old versions of patches and updates.

• Unnecessary Services: Multiple open ports indicating the presence of unnecessary server
services.

Examples of External Vulnerabilities

• FTP Anonymous Access: A review of the perimeter security to check whether the server
permits anonymous access, or access through terminated employees' accounts, to files and
services.

• E-mail Relay: Checking whether the email server allows open email relaying.


Steps for an Effective External Vulnerability Assessment

Execute the following steps to conduct an effective external network vulnerability assessment:

1. Find the live hosts on a network

2. Perform OS fingerprinting on the detected hosts

3. Detect open ports on the target system

4. Map open ports and running services

5. Find the version of all the running services

6. Map the service version with the security vulnerabilities which are associated with it

7. Check if the service is vulnerable or if it has been patched

The process of a vulnerability assessment undergoes the following four stages:

1. Plan and configure the vulnerability assessment

2. Set up the tasks to run and generate the reports

3. Resolve the vulnerabilities

4. Maintain a security baseline for the network

Guidelines for an effective External Vulnerability Assessment

• Regularly perform an external vulnerability assessment. The assessment includes all the
devices in the network, including new ones. Vulnerabilities detected in one device or
system do not mean the entire network is compromised; however, the need to optimize
the network security increases.

• Assess and analyze the hardware manufacture, procurement, storage, and installation.
Find the devices that are non-functional or not compatible with the infrastructure. Detect
all the open ports and interfaces and take action accordingly.

• Avoid limiting the vulnerability assessment to a particular device or system. The
vulnerability assessment should be applicable to all the devices in the network.
Determine the status of the services running on the system. Unpatched applications can
be vulnerable to attacks. Patch any application or service that is not patched and requires
an update.


• Map the network infrastructure, connecting the hardware together to boost the network
and application performance.

Typical tasks executed for an effective External Vulnerability Assessment are:

• Collect all information related to the network.

• Collect and document everything, including all the information available on the public-
facing network. This allows the assessment team to detect any possible way an attacker may
infiltrate the network.

• Conduct network application probing and scanning.

• Conduct OS fingerprinting and vulnerability detection to locate the vulnerable hosts.

• Evaluate the findings and reports for each detected vulnerability to perform the necessary
actions.

• Identify all the weak user authentication systems.
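Steps 5 to 7 of the external assessment above (find the service versions, map them to known vulnerabilities, and check whether each is patched) can be carried out as a version-range match over the service inventory. This is an added example, not EC-Council's code; the service inventory, the advisory feed and the ADV-000x identifiers are constructed placeholders, not real advisories.

```python
"""Map detected service versions to constructed advisories and report each as
vulnerable or patched (added example, not from the courseware)."""
import re

# Constructed per-host service inventory, as steps 1-5 would produce it.
SERVICES = [
    {"host": "10.10.10.31", "port": 80, "product": "apache-httpd", "version": "2.4.49"},
    {"host": "10.10.10.31", "port": 22, "product": "openssh", "version": "8.4p1"},
    {"host": "10.10.10.40", "port": 21, "product": "vsftpd", "version": "3.0.3"},
    {"host": "10.10.10.40", "port": 8080, "product": "apache-httpd", "version": "2.4.52"},
]

# Constructed advisory feed: product, first affected release, first fixed
# release (exclusive). The identifiers are placeholders, not CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "product": "apache-httpd", "affected_from": "2.4.0", "fixed_in": "2.4.51"},
    {"id": "ADV-0002", "product": "openssh", "affected_from": "7.0", "fixed_in": "8.5"},
]


def parse_version(text):
    """'2.4.49' -> (2, 4, 49); '8.4p1' -> (8, 4, 1).

    Only the numeric components are kept, so patch suffixes such as 'p1'
    still compare in order and tuple comparison handles 2.4.5 < 2.4.49.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(version, advisory):
    """True when affected_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def assess(services, advisories):
    """Step 6: match each service to the advisories for its product.
    Step 7: mark the service vulnerable or patched from its version.

    Caveat (a false-positive source the courseware warns about): vendors that
    backport fixes keep an old version banner, so a 'vulnerable' verdict from
    version matching alone should be validated with a second tool or a
    credentialed check before it is reported as genuine.
    """
    findings = []
    for svc in services:
        for adv in advisories:
            if adv["product"] != svc["product"]:
                continue
            status = "vulnerable" if is_affected(svc["version"], adv) else "patched"
            findings.append({"host": svc["host"], "port": svc["port"],
                             "product": svc["product"], "version": svc["version"],
                             "advisory": adv["id"], "status": status})
    return findings


def vulnerable_hosts(findings):
    """Distinct hosts with at least one unpatched service, for the report."""
    return sorted({f["host"] for f in findings if f["status"] == "vulnerable"})


if __name__ == "__main__":
    results = assess(SERVICES, ADVISORIES)
    for f in results:
        print(f"{f['host']}:{f['port']:<5} {f['product']} {f['version']:<8} "
              f"{f['advisory']} {f['status']}")
    print("Hosts needing remediation:", vulnerable_hosts(results))
```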


Vulnerability Assessment Phases

• Vulnerability assessments are conducted in phases

• A phase-based vulnerability assessment helps identify the possible improvement areas and any potential vulnerabilities

Policy Identification

• Identify and analyze the existing network security policy

• Check whether the policies are in compliance with the security requirements

• Check whether they are developed using the correct risk assessment procedures

Network Vulnerability Assessment

• Use industry best practices, tools and guides to perform a network-based vulnerability assessment

Host Vulnerability Assessment

• Use industry best practices, tools and guides to perform a host-based vulnerability assessment

• Every existing host on the network must be considered for assessment

A vulnerability assessment is a highly complex procedure for administrators, depending on the
version and the configuration of the network setup. The network environment is dynamic, and
an administrator may implement the vulnerability assessment phases below.

• Policy Identification:
In this phase, the administrator is required to understand the security policy of the
organization. Based on the security policy identification, they will determine if the policy is
in adherence with the current network infrastructure. After reviewing the organization's
policy, the administrator will be able to detect the location(s) where vulnerabilities exist and
what type of vulnerability assessment is required to be performed.

• Network Vulnerability Assessment:
The administrator has to determine the non-functional or suspicious network devices that
can compromise the normal function of the system. In this phase, the administrator
investigates and analyzes the risk associated with the detected vulnerability and takes the
appropriate action. With the help of certain network scanning and vulnerability tools the
administrator will assess:

• Security control checks.

• Identifying, analyzing and prioritizing network threats.

• Password analysis of network devices.


• Determining the network strength.


• Host Vulnerability Assessment:

Involves assessing the system or the account of a local user. In this phase, the
administrator checks the configuration settings for the system. They detect the accounts
with weak or old passwords, suspicious files in the system, modifications in the system
settings, etc. The main advantage of a host vulnerability assessment is that it allows the
administrator to assess every file present in the system.


Network Vulnerability Assessment Tools

[Screenshot: Network Vulnerability Assessment using QualysGuard (https://www.qualys.com)]

[Screenshot: Network Vulnerability Assessment using Nessus (https://www.tenable.com)]

[Screenshot: Network Vulnerability Assessment using GFI LanGuard (http://www.gfi.com)]

[Screenshot: Network Vulnerability Assessment using OpenVAS (http://www.openvas.org)]

QualysGuard

Source: https://www.qualys.com
Qualysguard helps in protecting the IT infrastructure in accordance with the company policies
and procedures. It identifies the internal threats and develops the methods required to protect the
network. Features of the Qualysguard network vulnerability tool are:

• It identifies the operating system, open ports and active services running on a system.

• Examines the network continuously for any changes.

• Provides an approach for prioritizing the remediation steps.

• Assists with scanning the internal network for vulnerabilities.

• Provides reports to the user in order to understand the security of the network.

Nessus
Source: www.tenable.com
A vulnerability scanner that scans for the following types of vulnerabilities:

• Hackers getting access to important data in the system.

• Misconfiguration.

• Password attack.


• Denial of service against the TCP/IP stack.

• Preparation of PCI DSS audits.

Features of Nessus include:

• Scanning provides results in real time; there is no need to wait for the scan to be
completed in order to view the results.

• Provides the same user interface for all operating systems, including Mac, Windows, and
Linux.

• Scanning continues on the server even if the UI is disconnected.

• Provides scan templates that create scan policies for auditing the network.

GFI LanGuard

Source: www.gfi.com

GFI LanGuard scans your operating systems, virtual environments and installed applications
through vulnerability check databases such as OVAL and SANS Top 20. GFI LanGuard enables
you to analyze the state of your network security, identify risks and decide how to take action
before it is compromised.
A proper network analysis to determine the state of your network is another essential step to
reduce the risks to the network, determine its degree of exposure, and decide how to take
action before it is compromised.

GFI LanGuard is able to scan for over 60,000 vulnerabilities across your network, including
virtual environments, mobile and network devices.

OpenVAS

Source: http://www.openvas.org

OpenVAS provides a comprehensive and powerful vulnerability scanning and vulnerability
management solution. OpenVAS receives support and contributions from many individuals and
organizations, adding to the quality and reliability of the solution: penetration testers, power
users, security researchers, academia, etc.


Additional Vulnerability Assessment Tools

• Retina CS (http://www.beyondtrust.com)

• Acunetix Online Vulnerability Scanner (OVS) (http://www.acunetix.com)

• Core Impact Professional (http://www.coresecurity.com)

• Security Manager Plus (http://www.manageengine.com)

• MBSA (http://www.microsoft.com)

• Nexpose (http://www.rapid7.com)

• Shadow Security Scanner (http://www.safety-lab.com)

• SAINT (http://www.saintcorporation.com)

• Nsauditor Network Security Auditor (http://www.nsauditor.com)

• AlienVault Unified Security Management™ (USM) (https://www.alienvault.com)

Retina CS

Source: http://www.beyondtrust.com
Retina CS provides organizations with context-aware vulnerability assessment and risk analysis.
It identifies security exposures, analyzes business impact, plans and conducts remediation
across disparate and heterogeneous infrastructure. Features of Retina CS include:

• Discover network, web, mobile, cloud and virtual infrastructure

• Profile asset configuration and risk potential

• Pinpoint vulnerabilities, malware and attacks

• Analyze threat potential and return on remediation


• Remediate vulnerabilities via integrated patch management (optional)

• Report on vulnerabilities, compliance, benchmarks, etc.

• Protect endpoints against client-side attacks

Core Impact Professional


Source: http://www.coresecurity.com

Core Impact Professional helps:

• Leverage true multi-vector testing capabilities across network, web, mobile, and wireless


• Test with 25% more unique Common Vulnerability Exploits (CVE)

• Validate patching efforts to ensure vulnerabilities were remediated correctly

MBSA

Source: http://www.microsoft.com

MBSA identifies missing security updates and common security misconfigurations. MBSA
includes a graphical and command line interface that can perform local or remote scans of
Microsoft Windows systems.

Shadow Security Scanner

Source: http://www.safety-lab.com
Shadow security scanner provides a secure, prompt and reliable detection of a vast range of
security system holes. It analyzes the data collected, locates vulnerabilities and possible errors
in server tuning options and suggests possible solutions.

Nsauditor Network Security Auditor

Source: http://www.nsauditor.com

Nsauditor Network Security auditor scans networks and hosts for vulnerabilities, and provides
security alerts. It reduces the total cost of network management in enterprise environments by
enabling IT personnel and systems administrators to gather a wide range of information from
all computers in the network, without installing server-side applications on these computers
and it creates a report of potential problems found.

Acunetix Online Vulnerability Scanner (OVS)

Source: http://www.acunetix.com
Acunetix Online Vulnerability Scanner acts as a virtual security officer. It helps you scan
websites, including integrated web applications, web servers and any additional perimeter
servers, for vulnerabilities, allowing you to fix them before hackers exploit the weak points
in your IT infrastructure.

Security Manager Plus

Source: http://www.manageengine.com

A network security scanner that proactively reports on network vulnerabilities and helps
remediate them by ensuring compliance. Security Manager Plus protects the network from
security threats and malicious attacks using vulnerability scanning, open port detection, patch
management, Windows file/folder/registry change management and vulnerability reporting
capabilities.


Nexpose

Source: http://www.rapid7.com

Nexpose provides assessment solutions for your physical, virtual, mobile, and cloud
environments. It supports the entire vulnerability management lifecycle, including discovery,
detection, verification, risk classification, impact analysis, reporting and mitigation.

SAINT

Source: http://www.saintcorporation.com

SAINT uncovers areas of weakness and recommends fixes. SAINT scanner includes:

• Identify vulnerabilities on network devices, operating systems, desktop applications, Web


applications, databases, and more.

• Detect and fix possible weaknesses in the network's security before they can be exploited
by intruders.

• Anticipate and prevent common system vulnerabilities.

• Demonstrate compliance with current government and industry regulations such as PCI
DSS, NERC, FISMA, SOX, GLBA, and HIPAA.

• Perform configuration audits with policies defined by FDCC, USGCB, and DISA.

AlienVault Unified Security Management (USM)

Source: https://www.alienvault.com

AlienVault USM provides built-in vulnerability assessment with the essential capabilities you
need for complete security visibility and threat intelligence.


Choosing a Vulnerability Assessment Tool

Administrators should consider the following factors while choosing a vulnerability assessment tool:

• Vulnerability scanners cannot identify vulnerabilities when their plug-ins are outdated

• Choose a scanner with an auto-update feature

• Check the tool's accuracy and capability in identifying critical vulnerabilities

• A vulnerability scanner should be capable of producing a report of the scanned and detected vulnerabilities

• A tool with a back-end database assists administrators with performing assessments

There are various vulnerability assessment tools available in the market. Multiple tools should
be identified, as several different products are needed to evaluate the network environment.
Evaluate each product based on the quality and speed of updates, compatibility with the
environment, support for cloud services, compliance, prioritization, active and passive
detection, authenticated and unauthenticated scanning, remediation guidance and vendor
support.
The selection of an appropriate vulnerability assessment tool is based on how it works and on key
features such as expertise, accuracy, reliability, scalability and reporting.
The following points will help make the best selection:

• Scanners will find the vulnerabilities at a faster rate with the help of updated plug-ins.

• Scanners with an auto-update feature are best suited for vulnerability scanning.

• The accuracy of the identified vulnerabilities matters more than the number of
vulnerability checks which are completed.

• The scan report should provide all the details so any problems can be examined and solved.
By comparing scan results over time, vulnerability trends can be understood.

• Check if the tool is compatible with the applications, operating systems and infrastructure
components.

• Distinguish between authenticated and unauthenticated scanning.


• What solutions does the tool provide after vulnerabilities are identified?
• Can security managers identify the issues with the configuration?


Choosing a Vulnerability Assessment Tool: Deployment Practices and Precautions

Network operators should consider the following issues before conducting a vulnerability assessment:

Deployment Practices

• Place a vulnerability scanner in front of the firewall

• Consider including a port scan in the vulnerability assessment

• It is recommendable to keep archived logs of all vulnerability assessments and compare them with the latest results

• Correctly interpret the assessment results to identify valid vulnerabilities and fix them

Precautions

• A risk assessment along with careful planning are necessary before conducting a vulnerability assessment

• It is important to safeguard the assessment results by encrypting them to prevent unauthorized access

• Policies and procedures should be defined and in place for the use of the vulnerability assessment tools

The following are the recommended deployment practices and precautions that are taken
while selecting a vulnerability assessment tool:

Practices

• Location of the Scanner: Scanners placed inside and outside the firewall must
be monitored separately, as they perform different actions.

• Scanning Port Range: All the ports should be examined for vulnerabilities. Open ports are
more susceptible to attacks. Scanning should include every port, even those which are not
specified.

• Create a Baseline: Every scan result should be logged to compare the results with those of
previous scans. Logging is important as it helps check the effectiveness of the remedies
applied after each scan.

• Correct Interpretation: The vulnerability scan results should be interpreted correctly, as
the remedy methods are implemented based on the results of the scan.

Precautions

• Risks in the Scan Process: High alert should be given to enabling plug-ins, as they may affect
the scan process. Network performance may be affected, as many network requests and
much traffic are generated during the scan process.


• Securing Scanning Results: If the results of the scan are disclosed, attackers will have an
easier time exploiting the vulnerabilities in the network. Take precautions with the results
and properly handle them.

• Proper Policies and Procedures: Proper policies and procedures should be implemented
while performing a scan. Proper vulnerability tools should be used to maintain the
security of the network.


Report the vulnerabilities discovered to the security team, auditors and management

Reports include a prioritization matrix for all discovered assets and vulnerabilities

Reports include a risk summary, consolidated vulnerability list, exploit results and network device details

Reports summarize the assets discovered and the exposure of each based on the following criteria:
• Geographic location
• Business unit
• Goal category
• Compliance area


Vulnerability Management
Report Examples
[Figure: sample vulnerability management reports, including a Core Insight executive report and a Qualys enterprise report]
http://www.coresecurity.com
https://www.qualys.com


The important goals in creating a report are to provide a brief summary of what vulnerabilities
exist in the network. Reporting enables security managers to prioritize and suggest proper
remediation actions to deal with them.

The report should contain the following details regarding the vulnerabilities found:

• Geographic Location

• Business unit

• Goal Category

• Compliance area

The components of the report include:

• Network assets included in the report

• Graphs and charts showing the status of the security

• Analysis of the trend in the network

• Details on the identified network

Typical Anatomy of a Vulnerability Report:

• Header

• Summary

• List of vulnerabilities - For each vulnerability, provide the following:

  o Unique tracking number

  o Risk level
    ► High: Immediate action
    ► Medium: Action required
    ► Low: Action recommended

  o Brief description for each risk level identified

• Appendices - At a minimum the following two should be included:

  o Vulnerability details

  o Assessment setup
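The report anatomy above can be assembled mechanically from scan findings. The following Python is an added example, not code from the CND courseware: it sorts findings by risk level, assigns the unique tracking numbers, attaches the action wording for each risk level, and builds the summary counts by the four exposure criteria (geographic location, business unit, goal category, compliance area). The findings, the asset names, the "VULN-0001" numbering format and the assessment-setup appendix contents are constructed for illustration.

```python
"""Assemble a vulnerability report with the anatomy described above.

Added example, not code from the CND courseware. The scan findings, the
asset names and the "VULN-0001" tracking-number format are constructed.
"""
from collections import Counter

# Action wording attached to each risk level, as listed in the report anatomy.
RISK_ACTION = {
    "High": "Immediate action",
    "Medium": "Action required",
    "Low": "Action recommended",
}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# The four exposure criteria a report summarises assets by.
EXPOSURE_CRITERIA = ("location", "business_unit", "goal_category", "compliance_area")

# Constructed findings; each carries the four exposure criteria plus a risk level.
FINDINGS = [
    {"asset": "db-01", "title": "Unsupported database version", "risk": "High",
     "location": "Frankfurt", "business_unit": "Finance",
     "goal_category": "Integrity", "compliance_area": "SOX"},
    {"asset": "web-01", "title": "Weak TLS configuration", "risk": "Medium",
     "location": "London", "business_unit": "Sales",
     "goal_category": "Confidentiality", "compliance_area": "PCI-DSS"},
    {"asset": "web-01", "title": "Directory listing enabled", "risk": "Low",
     "location": "London", "business_unit": "Sales",
     "goal_category": "Confidentiality", "compliance_area": "PCI-DSS"},
    {"asset": "fs-02", "title": "SMB signing not required", "risk": "Medium",
     "location": "Frankfurt", "business_unit": "Finance",
     "goal_category": "Integrity", "compliance_area": "SOX"},
]

# Constructed content for the "assessment setup" appendix.
ASSESSMENT_SETUP = {
    "scanner_location": "inside the firewall",
    "port_range": "1-65535",
    "scan_date": "2024-03-01",
}


def build_report(findings, setup, title="Quarterly vulnerability assessment"):
    """Return the report as nested dicts: header, summary, vulnerabilities, appendices."""
    # Highest risk first, then by asset, so tracking numbers follow priority.
    ordered = sorted(findings, key=lambda f: (RISK_ORDER[f["risk"]], f["asset"]))
    vulns = []
    for number, finding in enumerate(ordered, start=1):
        vulns.append({
            "tracking_id": f"VULN-{number:04d}",     # unique tracking number
            "action": RISK_ACTION[finding["risk"]],  # wording for the risk level
            **finding,
        })
    summary = {
        "total": len(vulns),
        "by_risk": {level: sum(1 for v in vulns if v["risk"] == level)
                    for level in RISK_ORDER},
    }
    # Prioritization matrix: number of findings per value of each criterion.
    for criterion in EXPOSURE_CRITERIA:
        summary[f"by_{criterion}"] = dict(Counter(v[criterion] for v in vulns))
    # Asset exposure: the worst risk level observed on each asset.
    exposure = {}
    for v in vulns:
        worst = exposure.get(v["asset"])
        if worst is None or RISK_ORDER[v["risk"]] < RISK_ORDER[worst]:
            exposure[v["asset"]] = v["risk"]
    return {
        "header": {"title": title, "assets_in_scope": sorted(exposure)},
        "summary": {**summary, "asset_exposure": exposure},
        "vulnerabilities": vulns,
        "appendices": {
            "vulnerability_details": {v["tracking_id"]: v["title"] for v in vulns},
            "assessment_setup": setup,
        },
    }


def render_report(report):
    """Render the report as plain text for distribution to the security team."""
    title = report["header"]["title"]
    lines = [title, "=" * len(title), ""]
    lines.append(f"Summary: {report['summary']['total']} findings "
                 f"{report['summary']['by_risk']}")
    for v in report["vulnerabilities"]:
        lines.append(f"{v['tracking_id']}  [{v['risk']}: {v['action']}]  "
                     f"{v['asset']} - {v['title']}")
    lines.append("")
    lines.append(f"Appendix: assessment setup {report['appendices']['assessment_setup']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_report(FINDINGS, ASSESSMENT_SETUP)))
```

The nested dict is deliberately kept separate from the text rendering so the same structure can feed a ticketing system or a spreadsheet as well as the written report.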


It is an action taken to prevent vulnerabilities from exploitation

Reduces the risk by taking other actions, instead of correcting a discovered vulnerability

For example,
• Installing a web application firewall is a mitigation action for a discovered web application vulnerability, instead of fixing the vulnerability


Mitigation involves minimizing the risk of a vulnerability by performing certain actions.

Mitigation may be improved by recognizing and categorizing the risks in accordance with the business operations. Mitigation measures can reduce the risk of a vulnerability or eliminate it completely. Administrators should use appropriate mitigation strategies and techniques based on the vulnerability encountered.

Some examples of mitigation actions are:

• Installing a web application firewall to mitigate discovered web application vulnerabilities.

• Organizing a transit access control list - allowing only authorized traffic to pass through the access points, or allowing traffic at access points according to certain policies and procedures.

• Providing spoofing protection:

  o Unicast reverse path forwarding (URPF): It protects the network from packets with spoofed source addresses. A proper URPF mode should be configured before enabling this feature.

  o IP source guard (IPSG): It restricts IP traffic on non-routed, Layer 2 interfaces by classifying packets.


Remediation is the process of correcting a discovered vulnerability

Remediation Steps:
• Ensure whether the vulnerability found is a false positive or a real vulnerability
• Develop a remediation plan to fix the identified vulnerability
  ► E.g. Applying appropriate patches to fix the vulnerability
• Remediate a vulnerability by executing the steps in a remediation plan

Remediation plan should include:
• Actions for fixing, mitigating or accepting vulnerabilities
• Mode of remediation (automatic or manual)
• Action for mitigating any remaining vulnerabilities
• Justification for accepting any vulnerability

[Figure: Patch Report and remediation using Qualys Vulnerability Management (VM)]


Remediation is the process of fixing the identified vulnerabilities. Administrators should create a remediation plan and implement it to eradicate the discovered vulnerabilities. They should have a phased remediation strategy to address the vulnerability landscape. Remediation may range from applying technical security measures at the host level all the way up to the network level.

The remediation steps include:

• Confirm that the remediation being created is not based on a false positive.
• Create a prioritized list for the remediation.
• Create a remediation plan to repair the vulnerability.
• Remediate the vulnerability by implementing the steps in the remediation plan.

Certain deadlines are set in order to complete the remediation process. The remediation timeframe should be in accordance with the identified risk level.

Guidelines for remediation include:

• Proper tools should be implemented for the vulnerabilities, and the organization should approve the tools before they are implemented.

• Remediation should improve the efficiency of the process; automating the process improves how it functions.


Typical remediation tasks include:

Action Plan:

• Budget

• Resources

• Priority

• Timing

  o Immediate

  o 30 Days

  o 6 Months

  o Future

Typical Actions:

• Patch

• Upgrade

• Configuration Standards Rollout [by Role]

• Infrastructure Refresh

• New Deployment
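Putting the remediation steps and the action plan together, the following Python is an added example (not code from the CND courseware) that drops confirmed false positives, prioritizes the remaining findings by risk level, records the fix/mitigate/accept decision and its automatic or manual mode, refuses to accept a vulnerability without a recorded justification, and assigns a deadline from the timing buckets. The mapping of risk level to bucket (High: Immediate, Medium: 30 Days, Low: 6 Months, accepted: Future) is an assumption made for the example, as are the findings and decisions.

```python
"""Turn confirmed findings into a prioritized remediation plan with deadlines.

Added example, not code from the CND courseware. The findings, the decisions
and the risk-level-to-timing mapping are assumptions made for illustration.
"""
from datetime import date, timedelta

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

# Assumed mapping of risk level to the action-plan timing buckets (name, days).
TIMING = {"High": ("Immediate", 0), "Medium": ("30 Days", 30), "Low": ("6 Months", 180)}

# Typical actions from the action plan, plus the mitigate/accept outcomes.
VALID_ACTIONS = {"patch", "upgrade", "configuration", "mitigate", "accept"}

# Constructed findings, as they would come out of the vulnerability report.
FINDINGS = [
    {"id": "VULN-0001", "asset": "db-01", "risk": "High", "title": "Unsupported database version"},
    {"id": "VULN-0002", "asset": "fs-02", "risk": "Medium", "title": "SMB signing not required"},
    {"id": "VULN-0003", "asset": "web-01", "risk": "Medium", "title": "Weak TLS configuration"},
    {"id": "VULN-0004", "asset": "web-01", "risk": "Low", "title": "Directory listing enabled"},
]

# Step 1 outcome: findings the analyst confirmed to be false positives (constructed).
FALSE_POSITIVES = {"VULN-0003"}

# Decision per finding: what to do and whether it is applied automatically or by hand.
DECISIONS = {
    "VULN-0001": {"action": "upgrade", "mode": "manual"},
    "VULN-0002": {"action": "configuration", "mode": "automatic"},
    "VULN-0004": {"action": "accept", "mode": "manual",
                  "justification": "Listing exposes only public static files"},
}


def plan_remediation(findings, false_positives, decisions, today_iso):
    """Return the prioritized remediation plan for the confirmed findings."""
    today = date.fromisoformat(today_iso)
    confirmed = [f for f in findings if f["id"] not in false_positives]
    confirmed.sort(key=lambda f: RISK_ORDER[f["risk"]])  # prioritized list
    plan = []
    for finding in confirmed:
        decision = decisions.get(finding["id"], {"action": "patch", "mode": "manual"})
        if decision["action"] not in VALID_ACTIONS:
            raise ValueError(f"{finding['id']}: unknown action {decision['action']!r}")
        if decision["action"] == "accept":
            # Accepting a vulnerability requires a recorded justification.
            if not decision.get("justification"):
                raise ValueError(f"{finding['id']}: accepting a vulnerability requires a justification")
            bucket, deadline = "Future", None   # no fix date; re-evaluated later
        else:
            bucket, days = TIMING[finding["risk"]]
            deadline = (today + timedelta(days=days)).isoformat()
        plan.append({
            "id": finding["id"], "asset": finding["asset"], "risk": finding["risk"],
            "action": decision["action"], "mode": decision["mode"],
            "timing": bucket, "deadline": deadline,
            "justification": decision.get("justification"),
        })
    return plan


def overdue(plan, today_iso, fixed_ids=()):
    """Return the ids of planned items past their deadline and not yet fixed."""
    # ISO dates compare correctly as strings, so no parsing is needed here.
    return [item["id"] for item in plan
            if item["deadline"] is not None and item["deadline"] < today_iso
            and item["id"] not in fixed_ids]


if __name__ == "__main__":
    for item in plan_remediation(FINDINGS, FALSE_POSITIVES, DECISIONS, "2023-01-01"):
        print(item)
```

Findings with no recorded decision default to a manual patch, so nothing confirmed ever drops out of the plan silently; the only way to remove an item is an explicit false-positive or a justified acceptance.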


Perform another scan to ensure the vulnerability is fixed after the remediation process

Verifying the fixes ensures compliance with security

The verification should not damage any other network devices, services or applications


Verifying the remediation ensures the vulnerabilities have been resolved and fixed appropriately. After the remediation process concludes, scan for the vulnerability again. Perform an unrestricted scan for all vulnerabilities that were originally discovered. The vulnerability assessment closes upon verification of a successful remediation. Verification should not lead to the malfunction of any other network devices, services or applications. The vulnerability scan reports obtained after the fixes were verified ensure compliance with security provisions.
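The rescan described here is the same comparison the "Create a Baseline" deployment practice earlier in the module calls for: the archived results of the previous assessment are compared with the latest scan. The following Python is an added example, not code from the CND courseware. It classifies findings as resolved, new or persisting, checks which of the fixes claimed in the remediation plan the rescan actually confirms, and seals the archived results with an HMAC tag so tampering is detected. The courseware asks for archived results to be encrypted; the tag here covers integrity only, not confidentiality, and is a narrower substitute. The two result sets, the archive key and the (host, port, check) identity of a finding are constructed assumptions.

```python
"""Compare the latest scan with the archived baseline and verify remediation.

Added example, not code from the CND courseware. The scan results, the
archive key and the (host, port, check) finding identity are constructed.
"""
import hashlib
import hmac
import json

# Archived results from the previous assessment (constructed).
BASELINE = [
    {"host": "10.0.1.10", "port": 443, "check": "tls-weak-cipher", "severity": "Medium"},
    {"host": "10.0.1.10", "port": 80, "check": "dir-listing", "severity": "Low"},
    {"host": "10.0.1.20", "port": 445, "check": "smb-signing-disabled", "severity": "Medium"},
    {"host": "10.0.1.30", "port": 3306, "check": "db-eol-version", "severity": "High"},
]
# Results of the rescan run after the remediation window (constructed).
RESCAN = [
    {"host": "10.0.1.10", "port": 443, "check": "tls-weak-cipher", "severity": "Medium"},
    {"host": "10.0.1.20", "port": 445, "check": "smb-signing-disabled", "severity": "Medium"},
    {"host": "10.0.1.40", "port": 22, "check": "ssh-weak-kex", "severity": "Medium"},
]
# Findings the remediation plan recorded as fixed (constructed).
CLAIMED_FIXED = [
    ("10.0.1.10", 80, "dir-listing"),
    ("10.0.1.30", 3306, "db-eol-version"),
    ("10.0.1.10", 443, "tls-weak-cipher"),
]


def finding_key(finding):
    """Identity of a finding across scans: host, port and check name."""
    return (finding["host"], finding["port"], finding["check"])


def compare_scans(baseline, latest):
    """Classify findings as resolved, new or persisting between two scans."""
    base = {finding_key(f) for f in baseline}
    now = {finding_key(f) for f in latest}
    return {
        "resolved": sorted(base - now),    # gone since the baseline
        "new": sorted(now - base),         # appeared since the baseline
        "persisting": sorted(base & now),  # still present
    }


def verify_remediation(diff, claimed_fixed):
    """Return which claimed fixes the rescan confirms and which it does not."""
    resolved = set(diff["resolved"])
    persisting = set(diff["persisting"])
    return {
        "verified": sorted(k for k in claimed_fixed if k in resolved),
        "not_verified": sorted(k for k in claimed_fixed if k in persisting),
        "regressions": diff["new"],  # new findings need their own tracking numbers
    }


def seal_archive(results, key):
    """Serialize results with an HMAC-SHA256 tag so archive tampering is detected."""
    body = json.dumps(results, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"results": body.decode(), "tag": tag}


def open_archive(archive, key):
    """Return the archived results, or raise if the tag does not match."""
    body = archive["results"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, archive["tag"]):
        raise ValueError("archive integrity check failed")
    return json.loads(body)


if __name__ == "__main__":
    diff = compare_scans(BASELINE, RESCAN)
    print(verify_remediation(diff, CLAIMED_FIXED))
```

A fix that is "not verified" keeps its original tracking number and goes back into the remediation plan; a regression is a new finding and is reported and tracked as such rather than folded into the old ticket.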

Module 13: Data Backup and Recovery
Certified Network Defender Exam 312-38


• Understanding data backup
• Discussing the data backup plan
• Determining the appropriate backup medium for data backup
• Understanding RAID backup technology and its advantages
• Describing various RAID levels and their use
• Discussing the selection of an appropriate RAID level
• Understanding the Storage Area Network (SAN) backup technology and its advantages
• Explaining the Network Attached Storage (NAS) backup technology and its advantages
• Determining the appropriate backup method
• Discussing the selection of an appropriate location for a backup
• Understanding full, differential, and incremental backup types
• Discussing the selection of an appropriate backup type
• Articulating the recovery drill test on backup data
• Explaining data recovery


Data loss is a major risk facing organizations today. Loss of critical data can incur a lot of
damage to the organization. Any organization that encounters a severe data loss has a higher
probability for facing serious issues later. It is important to perform regular backups of the
important data.
This module describes a detailed process for data backup and recovery. A network
administrator is required to perform data backups for the organization on a regular basis. This
module will help plan and perform data backups for the organization.


Data is the heart of any organization; data loss can be very costly as it may have a financial impact on any organization

Backup is the process of making a duplicate copy of critical data that can be used for restore and recovery purposes when a primary copy is lost or corrupted either accidentally or on purpose

Data backup plays a crucial role in maintaining business continuity by helping organizations recover from IT disasters such as hardware failures, application failures, security breaches, human error or deliberate sabotage, etc.

All regulatory compliance such as COBIT, SSAE SOC II, PCI-DSS, HIPAA, SOX, FINRA, FISMA, EU General Data Protection Regulation (GDPR), etc. require businesses to maintain data backups of critical data for a specified duration


Data backup is the process of copying or storing important data. The backup copy will help you restore the original data when data is lost or corrupted. Backup is a mandatory process for all organizations. The process of retrieving the lost files from the backup is known as restoring or recovery of files.

The main aim behind data backup is to protect data and information and recover the same after data loss. Data backup is mainly used for two purposes: to reinstate a system to its normal working state after damage, or to recover data and information after a data loss or data corruption.

Data loss in an organization affects the financial, customer relationship and company data. Data loss on personal computers may lead to a loss of personal files, images and other important documents saved on the system.

There are several reasons for data loss:

• Human error: Deletion of data purposefully or accidentally, misplacement of data storage devices and errors administering databases.

• Crimes: Stealing or making modifications to critical data in an organization.

• Natural causes: Power failures, sudden software changes or hardware damage.

• Natural disaster: Floods, earthquakes, fire, etc.


There are many benefits of performing a data backup:

• Offers access to critical data even in the event of a disaster, giving peace of mind in the workplace.

• Backup of critical data prevents the organization from losing its business and helps it retrieve data at any time.

• Data recovery helps organizations recover lost data and helps maintain their business.

It is recommended that every organization perform a data backup on a regular schedule to run their business successfully and efficiently.

To avoid severe damage to the organization's assets, it is important to design a strategy for a successful data backup process. This data backup strategy will act as a blueprint while working on the data backup process for the entire organization moving forward. Certain companies also create a data backup policy that is required while implementing the backup strategy.


1. Identifying the critical business data
2. Selecting the backup media
3. Selecting a backup technology
4. Selecting the appropriate RAID levels
5. Selecting an appropriate backup method
6. Selecting the backup types
7. Choosing the right backup solution
8. Conducting a recovery drill test


An ideal backup strategy includes steps ranging from selecting the right data to conducting a drill test of data restoration. Although the backup strategy might differ among organizations, it is important to consider the features below before drafting a backup strategy:

• The backup strategy should have a data recovery feature for any external device. These devices may include servers, host machines, laptops, etc.

• If the data loss is due to a natural disaster, the backup strategy should not be restricted to only a certain number of incidents. The strategy should also cover the methods for recovering the data after a natural disaster has occurred.

• The strategy should include the steps to recover the data at the earliest stage.

• The lower the cost of data recovery, the greater the financial benefit to the organization.

• Auto recovery options should be included in the backup strategy as well, as they reduce the chances of human error during the recovery process.


Identify Critical Business Data

Always backup the files the organization creates or modifies

This includes:
► Accounting files

► Databases or any business related data

► The operating system files purchased with the computer, CDs, software, etc.

► Important office documents, spreadsheets, etc.

► Software downloaded (purchased) from the Internet

► Contact Information (email address book)

► Personal photos, music, and videos

► Any other file that is critical


Every organization has an abundance of data. An organization should identify the critical data or files that require backup. The criticality of the data is based on the importance it serves to the organization. It requires analyzing and deciding which information is more important to the organization's proper functioning. The critical data consists of revenue, emerging trends, market plans, databases, and files including documents, spreadsheets, e-mails, etc. Loss of such critical data can affect the organization immensely.

Determining what is included in the most critical data:

• Organize a business impact analysis to determine the critical functions and data in an organization. It needs to identify the processes and functions that depend on and co-exist with the critical data.

• Examine the documents and implement them in order to recover critical business functions.

• Create business teams to evaluate the impact that data damage would have on the business.

• Provide adequate employee training covering the strategies and plans for recovery.


Selecting the Backup Media

Data backups consume a large amount of storage space; as a result, select the best backup method to meet the organization's requirements

Choose your backup media based on these factors: Cost, Reliability, Speed, Availability, Usability


Choosing the best backup media is a common concern within most organizations. Selecting the wrong media device leads to the segregation of data across many different media devices. With a well-thought-out plan, selecting the proper media will enable a better level of data backup.

Once the data is identified, it is important to choose the correct backup media to store the data. Backup media selection depends on the type and amount of data the backup will consist of. At times, a data backup consumes a large amount of space; as a result, attention is required while selecting the best backup media for the situation and to fulfill the needs of the organization.

Choosing the best backup media is based on the following factors:

• Cost: Organizations should choose backup storage media that best fit within their budget. Backup media should have more storage space than the data that will be contained on it.

• Reliability: Organizations must be able to rely on the data stored on the backup media without fail. Organizations must select media that is highly reliable and not susceptible to damage or loss.

• Speed: Organizations should select backup media which require a reduced amount of human interaction during the backup process. Speed becomes a concern if the backup process cannot be completed while a machine is idle.


• Availability: The unavailability of the backup medium poses an issue after a data loss or data damage. Organizations should decide on a medium that is available all the time.

• Usability: Organizations should select media that is easy to use. An easy-to-use media type offers greater flexibility during the backup process.


Media, capacity, advantages and disadvantages:

Optical Disks (CD, DVD, Blu-ray)
• Capacity: ~200 GB
• Advantages: Affordable, easy to store and transport
• Disadvantages: Several manual disk swaps may be required due to the limited data capacity; recording and verifying backup is slow

Portable hard drives/USB flash drives
• Capacity: No limit
• Advantages: Relatively high storage capacity compared to optical disks; ideal for the home or small office; recording backup is fast
• Disadvantages: More expensive than DVD backups

Tape drives
• Capacity: No limit
• Advantages: Backup media for enterprise level; easy to store and transport
• Disadvantages: Expensive


Examples of media used for data backup are:

Optical Disks (DVD, Blu-ray)

DVD recordable disks can store up to 8.55 GB and are readily available. DVDs store more data and are available at affordable rates, in bulk if need be. However, DVDs are not used as much as in the past, as external hard drives are available at reasonable prices and can store more data than DVD disks.

Blu-ray is compatible for use with both PC and consumer electronic environments. The data encoding feature in Blu-ray allows more data storage.

• Advantages:

  o Less expensive and easy to store.

• Disadvantages:

  o Slow data storage.

Portable Hard Drives/USB Flash Drives

Portable hard drives are considered a better medium for data backup when compared to a DVD or Blu-ray. They are available in high capacities and may also be used for smaller backup requirements. Flash drives are available in different sizes and have the ability to store large backup files.


Another hard drive option available is RAID. It contains two or more hard drives. The second drive may be used to copy data stored on the first drive. This process allows important data to be preserved. Any change in the data will be automatically reflected on all other drives as well.

• Advantages:

  o High storage capacities.

  o Very high speeds.

• Disadvantages:

  o Expensive compared to DVD/Blu-ray.

  o Less recommended for small backups.

Tape Drives

The tape drive is considered the best source of media for data backup. It facilitates data backup at the enterprise level. Tape drives are used for storing programs and data.

• Advantages:

  o Easy to store and transport.

  o Requires no user intervention: tape backup is completely automatic.

• Disadvantages:

  o Very expensive for home users.

  o Home computers require additional hardware and software updates to use them.


RAID (Redundant Array of Independent Disks) Technology

• A method of combining multiple hard drives into a single unit and writing data across several disk drives that offers fault tolerance (if one drive fails, the system can continue operations)

• Placing data on RAID disks enables input/output (I/O) operations to overlap in a balanced way, improving the system performance, simplifying the storage management and protecting from data loss

• RAID represents a portion of computer storage that can divide and replicate data among several drives working as secondary storage

• Increases fault tolerance, and multiple disks increase the mean time between failures (MTBF)


Many organizations depend on RAID technology for handling their critical backup needs, especially with the increases in data flow and data volume. Organizations are expanding their networks in order to improve their productivity in the market. However, this additional growth can cause network bottlenecks. The probability of losing data due to a disaster, threats, mistakes and hardware failure hampers an organization's ability to grow. RAID technology overcomes these situations by providing data availability, high performance, and efficient and accessible recovery options without a loss of data.

Understanding RAID technology

RAID technology is a method of storing data in different places on several disks. Storing the data on multiple disks improves the performance of the I/O operations. RAID technology functions by combining multiple hard disks into one logical disk. It allows storing the same data in a balanced way across an array of disks. The effective implementation of this technology helps address the complex issues of fault tolerance. How the data is organized in RAID levels depends on the RAID storage techniques and installation methods used. Usually, RAID is implemented on a server. Personal computers do not necessarily need this technology, but they can still set it up and use it in a smaller environment than an enterprise.

RAID is available in six levels: RAID 0, RAID 1, RAID 3, RAID 5, RAID 10, and RAID 50. Each level of RAID has the following features:

• Fault-tolerance: Fault tolerance means that if a disk fails to work, the other disks will continue to function normally.


• Performance: RAID achieves high performance during read and write processes across multiple disks.

• Competence: This is defined by the amount of data stored. The storage capacity of the disks depends on the particular RAID level chosen. The storage capacity does not need to equal the size of the individual RAID disks.

All the RAID levels depend on the storage techniques below:

• Striping: Data striping divides the data into multiple blocks. These blocks are then written across the RAID system. Striping improves the data storage performance.

• Mirroring: Data mirroring makes image copies of the data and simultaneously stores this data across the RAID. This affects fault tolerance and data performance.

• Parity: Parity uses a striping method to calculate a parity function of a data block. During a drive failure, the parity recalculates the function using the checksum method.
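To make striping, mirroring and parity concrete, the following Python is an added example (not code from the CND courseware) that models disks as in-memory lists of fixed-size blocks. It lays data out as RAID 0 stripes, as RAID 1 mirrors, and as RAID 5 stripes with a rotating XOR parity block, then rebuilds one failed disk from the surviving disks and reads the data back. The sample data and block size are constructed; real arrays work on sectors through a controller, which this simplification ignores.

```python
"""Simulate the three RAID storage techniques: striping, mirroring and parity.

Added example, not code from the CND courseware. Disks are modelled as lists
of equal-size byte blocks; the sample data and block size are constructed.
"""


def xor_blocks(blocks):
    """XOR equal-length byte blocks together; this is how parity is computed."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def split_blocks(data, block_size, per_stripe):
    """Cut data into fixed-size blocks, zero-padded so the last stripe is full."""
    chunks = [data[i:i + block_size].ljust(block_size, b"\x00")
              for i in range(0, len(data), block_size)]
    while len(chunks) % per_stripe:
        chunks.append(b"\x00" * block_size)
    return chunks


def stripe(data, n_disks, block_size):
    """RAID 0: spread blocks across disks; fast, but a lost disk loses its blocks."""
    disks = [[] for _ in range(n_disks)]
    for i, chunk in enumerate(split_blocks(data, block_size, n_disks)):
        disks[i % n_disks].append(chunk)
    return disks


def mirror(data, n_disks, block_size):
    """RAID 1: every disk holds an identical copy of every block."""
    chunks = split_blocks(data, block_size, 1)
    return [list(chunks) for _ in range(n_disks)]


def parity_disk_for(stripe_index, n_disks):
    """Rotate the parity block across disks so no single disk is the parity bottleneck."""
    return (n_disks - 1 - stripe_index) % n_disks


def stripe_with_parity(data, n_disks, block_size):
    """RAID 5 layout: n_disks - 1 data blocks plus one XOR parity block per stripe."""
    per_stripe = n_disks - 1
    chunks = split_blocks(data, block_size, per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(chunks) // per_stripe):
        stripe_chunks = chunks[s * per_stripe:(s + 1) * per_stripe]
        parity = xor_blocks(stripe_chunks)
        data_blocks = iter(stripe_chunks)
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(data_blocks))
    return disks


def rebuild_disk(disks, failed):
    """Recompute every block of one failed disk by XORing the surviving disks."""
    survivors = [disk for i, disk in enumerate(disks) if i != failed]
    return [xor_blocks([disk[s] for disk in survivors])
            for s in range(len(survivors[0]))]


def read_with_parity(disks, length):
    """Read the original data back, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    data = b"The quick brown fox jumps over the lazy dog"   # constructed sample
    array = stripe_with_parity(data, n_disks=4, block_size=8)
    array[2] = None                                 # disk 2 fails
    array[2] = rebuild_disk(array, failed=2)        # rebuild it from the other three
    print(read_with_parity(array, len(data)))
```

The rebuild works for any single disk, whether it held data or parity in a given stripe, because XOR is its own inverse; it is also why the courseware's RAID 5 caveat holds: with two disks gone, a stripe is missing two of the terms and cannot be recomputed.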


Advantages/Disadvantages of RAID Systems

ADVANTAGES
• RAID offers hot-swapping or hot plugging, i.e. system component replacement (in case a drive fails) without affecting network functionality
• RAID supports disk striping, resulting in an improvement of read/write performance as the system completely utilizes the processor speed
• Increased RAID parity check that prevents a system crash or data loss
• Increased data redundancy helps restore the data in the event of a drive failure
• RAID increases system uptime

DISADVANTAGES
• RAID is not compatible with some hardware components and software systems, e.g. system imaging programs
• RAID data is lost if important drives fail one after another, e.g. in the case of RAID 5, where a drive is exclusive for parity, the first drive cannot be recreated if a second drive fails too
• RAID cannot protect the data and offer performance boosts for all applications
• RAID should be maintained by commercial consultants
• RAID configuration is difficult


Before RAID technology was introduced, many organizations used a single drive to store data. RAID technology is found across all storage devices in an organization. RAID has advantages and disadvantages depending on the RAID level implemented.

Advantages of RAID Systems

1. Performance and Reliability: RAID technology increases the performance of reading and writing the data on disks. The speed of the process is much faster than using a single drive as storage. It improves the performance by distributing the I/O. The RAID controller distributes data over several physical drives, making sure not to overburden a single drive in the RAID system. RAID sustains the reliability of data even if a disk fails. The failed components can be replaced in a RAID system without shutting the system down. This feature is called hot-swapping. The replacement process does not affect how the other disks function or the network.

2. Parity Check: Parity check is a process where the RAID system compares the data stored on the crashed disk with the data stored on the other disks. This check process is performed on all the drives. The parity check is performed after first mirroring the data. Regularly performing parity checks detects the likelihood of a system crash, helping prevent a loss of data.

3. Data redundancy: Failure of a disk can occur at any time. Data redundancy is important for the organization. RAID provides enhanced data redundancy in case of a hardware failure.

Module 13 Page 1064 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Data Backup and Recovery

4. Disk Striping: Disk striping improves the read/write performance of the data. The data is divided into small chunks and spread among multiple disks. Depending on the RAID level implementation, the data is divided into bytes, bits or blocks. Data reading and writing can be done simultaneously on a RAID system.
5. System uptime: This is a metric that measures the reliability and stability of a computer. System uptime is the time the system can be left unattended without any assistance. Configuring RAID on a system helps enhance system uptime. A high system uptime in an organization signifies that its productivity is high.

Disadvantages of RAID Systems

1. Writing Network drivers: RAID technology is designed so that it can be widely used on servers. The major disadvantage of RAID technology is the writing of all the network drivers. RAID technology is complex and this process can be time consuming.
2. Non-compatible: Different systems support different types of RAID drives. Certain hardware or software components may not be compatible with the RAID drive configured on the server. This non-compatibility may lead to the RAID not functioning properly. The compatibility between the RAID drives, hardware and software must be checked prior to configuring the system. RAID cannot protect data for all the applications available on the network.
3. Loss of data: The RAID drives function in the same environment. The drives can become non-functional due to mechanical issues. The potential for data loss increases if disk failures occur one after another. When two drives fail at the same time, recovering the data from the disks becomes difficult.
4. Time consuming in rebuilding: Drive capacity has increased much more than the transfer speed. Recovering data from large-capacity drives can be time consuming. In such scenarios, rebuilding a failed disk can also be time consuming. Increasing the number of drives does not increase the data transfer speed.
5. Economically high: Implementing RAID technology can be expensive. Organizations need to hire consultants to sustain its performance. It also requires external RAID controllers and hard drives to function correctly, and this adds to the overall cost to the organization.


RAID Storage Architecture

[Slide figure: RAID storage architecture. Components shown: Network Connection to Host, SAN/NAS/Host Interface, RAID Controller Firmware, Configuration Data, RAID Journal, Transaction and Error Log File, SDRAM, Multiport Memory Controller, Backup Control Processor, RAID Control Processor, SAS/SATA Interfaces, NAND Flash, Battery Backup or Ultracapacitor Unit, SATA/SAS Expander, Primary RAID Memory Cache. The same diagram appears as Figure 13.1 below.]

RAID Storage Architecture (Cont'd)

RAID Controller: Manages the array of physical disk drives and presents them to the computer as if they are logical units

Primary RAID Memory Cache: Cache is used to write the data in transition. A RAID system uses a cache to speed up I/O performance on the storage system

IDE, SATA or SCSI Interface: Internal drives are connected using these interfaces; connection to the server is also through one of these interfaces

nvSRAM: nvSRAM is the fastest non-volatile RAM in the industry, with 20 ns read and write access time

Multiport Memory Controller: Provides access to a bank of memory and helps achieve high efficiency with random address accesses

NAND Flash Memory: Provides non-volatile storage for the RAID system's primary cache

SDRAM: Dynamic Random Access Memory (DRAM) that is synchronized with the clock speed of the CPU

Disk: The hardware presents the RAID to the host system as a single large disk


The RAID architecture depends on two principles, redundancy and parallelism, which provide a wide range of storage options with better performance and tolerance of disk failures. The widespread use of the Internet has increased the use of RAID systems because of their high data storage capacity and management capabilities. There are many RAID implementations available depending on the application, and these implementations depend on factors like parallelism, duplication, and redundancy.

In RAID architecture, the switch receives the data from servers connected to the network. The switch then sends the data to the processor. The processor transfers the received data to the RAID controller. The RAID controller may be implemented either in hardware using a RAID-on-Chip (ROC) or in software. The ROC can contain the I/O interfaces, processor, host interface and memory controller. The ROC is installed directly on a motherboard, on an expansion card, or in an external drive enclosure.

[Figure: RAID storage architecture. Components shown: Network Connection to Host, SAN/NAS/Host Interface, RAID Controller Firmware, Configuration Data, RAID Journal, Transaction and Error Log File, SDRAM, Multiport Memory Controller, Backup Control Processor, RAID Control Processor, SAS/SATA Interfaces, NAND Flash, Battery Backup or Ultracapacitor Unit, SATA/SAS Expander, Primary RAID Memory Cache, and HDD or SSD drives attached over SAS/SATA.]

FIGURE 13.1: RAID storage architecture

The RAID storage architecture outlines how the RAID server functions. The processor controls the entire function of the drive arrays and interfaces, providing flexible, high-performance operation. The architecture in the figure above shows that a RAID system can use HDDs as well as SSDs. The processor requires DRAM and NAND flash memory. The NAND flash memory provides non-volatile storage for the primary RAID memory cache.

A battery backup or an ultracapacitor unit in the primary RAID memory cache is helpful when the RAID control processor suffers a power failure. In this scenario, the battery backup independently copies the DRAM's contents to the NAND flash memory. A battery backup is an inexpensive way to protect the cache during a power loss. The architecture shows the requirement for non-volatile memory holding the RAID controller firmware, the RAID journal, and the transaction and error log file.


The major components of a RAID architecture include:

• RAID Controller: This is either hardware or software based and presents hard disk drives or solid state drives as a single logical unit. A RAID controller can access multiple copies of files present on multiple disks, thereby preventing damage and increasing system performance. In a hardware RAID, a physical controller manages the RAID array, typically in the form of a PCI card that supports SATA or SCSI. A software RAID works similarly to a hardware RAID, except that it provides less performance than the former.
• Primary RAID Memory Cache: The RAID controller has direct access to the cache memory, enabling faster read and write access to the storage system. The cache is used to store the changing data. Cache memory is large and uses high-speed SDRAM. A normal cache memory has a write cache and a separate read cache. The read cache decreases the latency of the read process. The write cache operates in one of two modes:
    • Write-through mode: Writes data directly to the disk after the host sends the data, bypassing the cache memory. The host sends the next data item after receiving a confirmation that the writing process completed.
    • Write-back mode: Data sent from the host is written to the cache memory. The host may perform other actions while the RAID controller transfers data from the cache to the disk drive. The RAID controller acknowledges the write to the host soon after writing the data to the cache. Issues may arise if a RAID controller sends an acknowledgement before the data has been completely written to the disk.
• IDE, SATA, or SCSI interface: IDE, SATA, or SCSI are device interfaces and cables that carry read/write signals to and from the drive. These are mostly used for connecting drives internally. Servers are also connected using these interfaces.
    • IDE: Integrated Drive Electronics (IDE) allows the connection of two devices per channel. It is normally used for internal devices as the cables are large and flat.
    • SATA: Serial ATA supports hot plugging and serial connectivity. The hot plugging technique may be used to replace computer components without the need to shut down the system. SATA enables only one connection per connector and is not flexible for industrial purposes.
    • SCSI: Small Computer System Interface (SCSI) allows multiple devices to be connected to a single port at the same time. SCSI uses a parallel cable for attaching internal and external devices.
• nvSRAM: Non-Volatile SRAM (nvSRAM) has a faster read and write process due to the presence of a standard asynchronous SRAM interface. nvSRAM provides adequate data storage without the need for a battery during shutdown. nvSRAM finds its best use in applications that require high speed and non-volatile storage at a low cost, such as the medical industry. nvSRAM retains the data even in the event of a power failure.


• Multiport Memory Controller: A multiport memory controller (MPMC) provides access to memory for up to eight ports. A memory controller can be present as a separate chip or as integrated memory.
• NAND Flash Memory: Flash memory is a storage medium derived from electrically erasable programmable read-only memory (EEPROM). NAND and NOR are the two types of flash memory. The main aim of NAND flash memory is to reduce the cost and increase the capacity. NAND flash memory does not require power to retain the data. NAND flash memory has improved its read-write cycles with reduced voltage demands.
• SDRAM: Synchronous dynamic random access memory, or synchronous DRAM, is memory that is synchronized with the clock speed of the processor. This increases the number of instructions the processor can perform. SDRAM speed is measured in megahertz (MHz). The memory is divided into several sections called banks that allow the device to operate on several memory access commands simultaneously.


RAID Level 0: Disk Striping

• RAID Level 0 splits data into blocks that are written evenly across multiple hard drives
• It improves I/O performance by spreading the I/O load across many channels and disk drives
• Data recovery is not possible if a drive fails
• It requires a minimum of two drives
• It does not provide data redundancy

[Slide figure: RAID 0 stripe set across Disk 0 and Disk 1]

Depending on the requirements of your organization, you can choose any RAID level available. RAID levels are built on a foundation of performance, fault tolerance, or both.

RAID 0 is designed for data performance. In this level, data is broken into sections and written across multiple drives. The storage capacity of RAID 0 is equal to the sum of the disk capacities in the set. RAID 0 does not provide fault tolerance. Failure of one disk leads to the failure of all the disks in a level 0 volume. The probability of recovering data from a RAID level 0 is minimal at best.

The data distribution in a RAID level 0 is equal among all the disks in the set, resulting in high performance. With concurrent operation, the throughput of read and write operations on multiple disks is equal to the throughput of the whole array of disks. Increased throughput is the advantage of RAID 0, considering that data recovery is unavailable. Software and hardware RAID controllers support RAID 0, helping to boost server performance.

Example: Assume that the IT infrastructure has a hard disk with high performance. The data on the hard disk is transferred at a very high speed. All the large and critical files are stored on this disk. However, if this disk fails, the entire contents of the files will be affected, leading to unavailability of the data. It is advisable not to store any critical data on a RAID level 0.


Advantages of RAID Level 0

• Read and Write Performance: RAID level 0 has very good read and write performance. The performance is even greater if the controller supports independent reads and writes to different disks in the array.
• Cost: RAID level 0 is cost effective compared to the other RAID levels.
• Implementation: It is easy to implement as the data is divided into a sequential set of blocks. There is no storage loss as the maximum capacity is used.

Disadvantages of RAID Level 0

• No redundancy: With no data redundancy, the risk of data loss is greater.
• Non-critical data: Only data that is not critical to the organization should be stored on RAID level 0. This level does not use mirroring. If critical data is lost on a RAID level 0, recovery is not possible.
• Unreliable: If one disk fails, the entire network will be affected.


RAID Level 1: Disk Mirroring

• Multiple copies of data are written to multiple drives at the same time
• It provides data redundancy by duplicating the drive data to multiple drives
• If one drive fails, data recovery is possible
• It requires a minimum of two drives

[Slide figure: RAID 1 mirror across Disk 0 and Disk 1]

A typical RAID 1 contains an exact copy of the data on two or more disks. RAID 1 writes data to multiple drives and their mirror drives at the same time. Failure of one drive does not affect the data on the other drives, which allows data retrieval from the mirror drive. Similar to RAID 0, RAID 1 provides no parity, striping or spanning of disk space across multiple disks. RAID 1 can be used in accounting, payroll and other financial applications.

RAID 1 is suitable in environments where read performance matters more than write performance. RAID 1 has improved read performance since the data can be read from the mirrored disks simultaneously.

RAID level 1 provides data reliability, since after the failure of one disk the same data is still accessible on the other mirrored disks. In a RAID 1 hardware implementation, a minimum of two disks is required. In a software RAID 1, data can be copied to a volume of the disk. RAID 1 reduces the total capacity by half.

Example: If a RAID 1 server with two 4TB drives is configured, the storage capacity will be 4TB, not 8TB.

The drive that accesses the data first will service the request. The write throughput in RAID 1 is always slower because every drive needs to be updated. The slowest drive will limit the performance; the array is only as fast as its slowest drive. RAID 1 will continue to function as long as there is at least one drive working.


Advantages of RAID Level 1

• High read performance: Because there are two disks, the read performance is higher in a RAID level 1 system. Data can be read from one disk while it is being written to the other disk. The redundancy feature is excellent.
• Compatible: RAID 1 is compatible with hardware and software RAID systems, including controllers.
• Reliable: The mirroring feature in a RAID 1 ensures the data will be available, making it more reliable than a RAID level 0.

Disadvantages of RAID Level 1

• Capacity: RAID level 1 uses duplexing, which requires twice the amount of disk space for storage.
• Hot-swapping unavailable: Hot swapping is replacing a failed disk while the server is still in operation. RAID level 1 does not provide the hot swapping feature.


RAID Level 3: Disk Striping with Parity

• Data is striped at the byte level across multiple drives. One drive per set is taken up for parity information
• If a drive fails, data recovery and error correction is possible using the parity drive in the set
• The parity drive stores the parity information for the data on the other drives

[Slide figure: RAID 3 with parity generation; data on Disk 0 to Disk 3, parity blocks Ap, Bp, Cp, Dp on Disk 4]


RAID level 3 uses byte-level striping across multiple drives, with one drive in the set dedicated to parity, to store the data. To implement a RAID level 3 system, a minimum of three disks is required. The data is stored on multiple drives at the byte level. This RAID level dedicates one drive to store the parity information. The byte-level division allows the drives to work simultaneously. At any time, either a read operation or a write operation can take place. RAID 3 is a good choice for specialized databases or single-user systems.

RAID level 3 has a high data transfer rate along with data security. It can perform data recovery and error correction by calculating an exclusive OR (XOR) using the information recorded on the parity drive.

Advantages of RAID Level 3


• High throughput: RAID level 3 provides high throughput for read and write operations for
large data transfers.

• Resistant: This RAID level is resistant to disk failure and breakdown.

Disadvantages of RAID Level 3


• Complexity: Installation and configuration of a RAID level 3 system is very complex. It
requires a larger amount of resources to implement.

• Slow performance: Random operations affect the performance, reducing the speed.


RAID Level 5: Block Interleaved Distributed Parity

• The data is striped at the byte level across multiple drives and the parity information is distributed among all the member drives
• The data writing process is slow
• This level requires a minimum of three drives to be set up

[Slide figure: RAID 5 with data and parity blocks distributed across Disk 0, Disk 1 and Disk 2]

RAID level 5 uses block-interleaved striping with a distributed parity. The parity information is distributed among all the drives, except one drive.

The data chunks in a RAID level 5 system are larger than the regular I/O size, but they can be resized. To prevent data loss after a drive fails, the missing data can be calculated from the distributed parity.

RAID 5 needs at least three disks, but for better performance, more than three disks can be used. RAID 5 is not a good choice for write-heavy operations on the system. If a disk fails, it takes a long time to rebuild the RAID 5 array. While the array is being rebuilt, the performance can degrade, leaving it vulnerable to an additional disk failure. This level offers significant read performance as the disks satisfy the data requests independently.

RAID 5 is found most often in file and application servers, database servers, web, e-mail, and news servers.
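The XOR parity that RAID 3 and RAID 5 rely on, worked through as an added Python example (constructed here, not code from the EC-Council courseware): it stripes a sample payload across three simulated disks with the parity block rotating across all members, rebuilds any single failed disk from the survivors, and shows that a second failure before the rebuild completes leaves the data unrecoverable. The block size, disk count and sample payload are assumptions of the example.

```python
"""RAID 5 layout with rotating XOR parity (constructed example, not EC-Council code).

Data is striped across N simulated "disks" (lists of byte blocks). Each stripe
holds N-1 data blocks plus one parity block equal to the XOR of the data blocks,
and the parity position rotates across all members stripe by stripe. Because
every block in a stripe XORs to zero, any single missing block can be rebuilt
from the others; two missing blocks in one stripe cannot.
"""
from typing import List, Optional

BLOCK_SIZE = 4  # bytes per block; deliberately tiny so the layout is easy to inspect


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR a list of equal-length blocks byte by byte."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """Chunk data into fixed-size blocks, zero-padding the final block."""
    padded = data + b"\x00" * (-len(data) % block_size)
    return [padded[i:i + block_size] for i in range(0, len(padded), block_size)]


def parity_disk_for_stripe(stripe: int, n_disks: int) -> int:
    """Rotating parity: stripe 0 on the last disk, stripe 1 on the one before it, ..."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data: bytes, n_disks: int) -> List[List[bytes]]:
    """Lay data out so that disks[d][s] is the block disk d holds in stripe s."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three drives")
    blocks = split_blocks(data)
    per_stripe = n_disks - 1
    while len(blocks) % per_stripe:          # pad to whole stripes
        blocks.append(b"\x00" * BLOCK_SIZE)
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    for s in range(len(blocks) // per_stripe):
        chunk = blocks[s * per_stripe:(s + 1) * per_stripe]
        p = parity_disk_for_stripe(s, n_disks)
        data_iter = iter(chunk)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunk) if d == p else next(data_iter))
    return disks


def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Read data back in stripe order, skipping each stripe's parity block."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_disk_for_stripe(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct a failed disk (marked None) as the XOR of the surviving disks.

    Raises RuntimeError when a second member is also missing: with one parity
    block per stripe there is only one equation per stripe, so two unknowns
    cannot be solved for. This is the "second drive fails too" case in the text.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise RuntimeError("more than one drive failed: data cannot be reconstructed")
    good: List[List[bytes]] = [d for d in survivors if d is not None]
    return [xor_blocks([d[s] for d in good]) for s in range(len(good[0]))]


if __name__ == "__main__":
    payload = b"payroll-2024-Q1 ledger"     # constructed sample data
    array = raid5_write(payload, 3)
    degraded: List[Optional[List[bytes]]] = list(array)
    degraded[1] = None                         # simulate disk 1 failing
    print("disk 1 rebuilt:", rebuild_disk(degraded, 1) == array[1])
    degraded[2] = None                         # a second drive fails before rebuild
    try:
        rebuild_disk(degraded, 1)
    except RuntimeError as err:
        print("second failure:", err)
```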

Advantages of RAID Level 5

• Read data: Among all the levels of RAID, level 5 has the highest read data transaction rates.
• Withstand failure: The RAID 5 level can withstand the failure of a single drive without loss of data.
• Hot swapping: In case of a disk failure, the failed disk can be replaced with a new one without a server shutdown.


Disadvantages of RAID Level 5

• Slow write operation: Servers built using RAID 5 suffer performance issues with write operations, which can reduce the speed of the server over time.

Example: Employees accessing a database on a RAID 5 server will reduce the production time of the server.


RAID Level 10: Blocks Striped and Mirrored

• RAID 10 is a combination of RAID 0 (Striping Volume Data) and RAID 1 (Disk Mirroring) and requires at least four drives to implement
• It has the same fault tolerance as RAID level 1 and the same overhead for the mirroring as RAID 0
• It stripes the data across mirrored pairs. The mirroring provides redundancy and improved performance. The data striping provides maximum performance

[Slide figure: RAID 1+0, a RAID 0 stripe across two RAID 1 mirrored pairs, Disk 0 to Disk 3]

RAID level 10 includes disk striping and mirroring in a nested hybrid RAID level. It is a combination of RAID level 1 and RAID level 0. It is also called a "stripe of mirrors". The level can be written as RAID 1+0 or RAID 10. RAID 10 includes the mirroring of RAID 1 without parity and the striping of RAID 0. The performance of RAID 10 is higher than a RAID 1. RAID level 10 has the same fault tolerance as RAID level 1. It requires a minimum of four drives for its operation. RAID 10 is a great choice for database servers, web servers, email servers, etc. and can be used in hardware or software RAID implementations.

Advantages of RAID Level 10

• High I/O operations: With a combination of RAID levels 1 and 0, it provides a high rate of I/O operations.
• Better throughput: Compared with other RAID levels, RAID 10 provides better throughput and higher latency.
• Efficient write operations: The write operations of this level are efficient, and it is often implemented on database servers and other servers performing many write operations.

Disadvantages of RAID Level 10

• Expensive: RAID 10 is expensive compared to other RAID levels, as it requires twice as many disks.


RAID Level 50: Mirroring and Striping across Multiple RAID Levels

• RAID 50 is a combination of RAID 0 striping and the distributed parity of RAID 5
• It is more fault tolerant than a RAID 5 but uses twice the parity overhead
• A minimum of 6 drives are required for setup. A drive from each segment can fail and the array will recover. If more than one drive fails in a segment, the array will stop functioning
• This RAID level offers greater reads and writes compared to a RAID 5 and the highest levels of redundancy and performance

[Slide figure: RAID 5+0, a RAID 0 stripe across two RAID 5 segments, Disk 0 to Disk 5]

RAID level 50 includes mirroring and striping across multiple RAID levels. This level is a combination of the block-level striping of level 0 and the distributed parity of level 5. The configuration of RAID level 50 requires a minimum of six drives. This level supports hot swapping when a disk fails.

RAID 50 is an improvement over RAID 5, specifically for its write operation and fault tolerance. RAID level 50 can be implemented on servers that run applications requiring high fault tolerance, capacity and random access performance. This level offers data protection and faster rebuilds compared to a RAID 5 system. When one disk fails in a segment, it only affects that segment and not the entire array. Only that segment is rebuilt; the rest of the array functions normally.

Advantages

• Security: The data stored in a RAID 50 is better protected than in a RAID 5. With a larger storage capacity, this level offers more than RAID 5.
• Non-degradable: With a minimum of six drives in the configuration, failure of one disk does not impact the server function configured on this level.
• Read and write performance: The read and write performance of RAID level 50 is far better than RAID level 5.

Disadvantages

• Controller: Only a sophisticated controller can handle RAID level 50.


Selecting Appropriate RAID Levels

Selection of any RAID level should be based on the needs of the organization and the features offered by each level.

There are several points to consider while selecting RAID levels:

• Application performance needs: Not all RAID levels are useful for all applications and data needs. Choose an appropriate RAID level according to other factors like I/O needs, storage capacity, fault tolerance, etc.
• Capacity: Each RAID level offers a different amount of storage capacity. The choice of a RAID level depends on the capacity required. For example, if 30 drives are needed, a RAID 50 or 60 is the better choice: three segments of 10 drives each. A RAID 5 could be used, but the rebuild process would be tedious, among other problems. One drive is lost to parity for each segment, so only 27 drives would be available towards the capacity requirements. Capacity is lost but performance is gained.
• Cost: Both performance and capacity cost money. Weigh the options between performance and capacity. Capacity can be lost and performance gained. Losing a small amount of capacity may be worth it for the gains in performance. This all depends on where the RAID system will be utilized. The organization has to strike a balance between capacity and performance and choose what works best for it.
• Availability needs: Choose a RAID level that matches the availability requirements for the organization.
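The capacity and failure-tolerance trade-offs above, worked through as an added Python example (constructed here, not EC-Council code): it reproduces the 30-drive RAID 50 case from the Capacity bullet (three segments of ten, one parity drive per segment, 27 drives left for data) and tests whether a given set of failed drives leaves each level readable. The pairing of drives 2k and 2k+1 as RAID 10 mirrors, the contiguous segment layout for RAID 50/60, and the RAID 60 double-parity rules are assumptions of the model rather than statements from the text.

```python
"""Usable capacity and failure tolerance per RAID level (constructed example).

Not EC-Council code. Models the rules the text states: RAID 0 loses all data on
any failure, RAID 1 keeps working while one drive is left, RAID 5 gives one
drive's worth of capacity to parity and survives one failure, RAID 10 survives
as long as neither half of any mirror pair is lost, and RAID 50/60 give one/two
parity drives per segment and survive one/two failures per segment (the RAID 60
rules are an assumption; the text only names the level).
"""
from dataclasses import dataclass
from typing import Dict, Set

# minimum member count per level (0/1/5/10/50 as stated in the text; 60 assumed)
MIN_DRIVES = {"0": 2, "1": 2, "5": 3, "10": 4, "50": 6, "60": 8}
PARITY_PER_SEGMENT = {"50": 1, "60": 2}


@dataclass(frozen=True)
class Plan:
    level: str
    drives: int
    segments: int = 1  # only meaningful for RAID 50/60 (assumed contiguous layout)

    def _check(self) -> None:
        if self.level not in MIN_DRIVES:
            raise ValueError(f"unsupported level {self.level}")
        if self.drives < MIN_DRIVES[self.level]:
            raise ValueError(f"RAID {self.level} needs at least {MIN_DRIVES[self.level]} drives")
        if self.level == "10" and self.drives % 2:
            raise ValueError("RAID 10 needs an even number of drives")
        if self.level in PARITY_PER_SEGMENT:
            if self.segments < 2 or self.drives % self.segments:
                raise ValueError("RAID 50/60 needs at least two equal-sized segments")
            if self.drives // self.segments < PARITY_PER_SEGMENT[self.level] + 2:
                raise ValueError("each segment needs at least parity + 2 drives")

    def usable_drives(self) -> int:
        """Number of drives whose capacity is available for data."""
        self._check()
        if self.level == "0":
            return self.drives
        if self.level == "1":
            return 1                       # every drive holds the same copy
        if self.level == "5":
            return self.drives - 1         # one drive's worth of parity
        if self.level == "10":
            return self.drives // 2        # each mirror pair stores one copy
        return self.drives - self.segments * PARITY_PER_SEGMENT[self.level]

    def usable_capacity_tb(self, drive_tb: float) -> float:
        """Usable capacity when every member is drive_tb in size."""
        return self.usable_drives() * drive_tb

    def survives(self, failed: Set[int]) -> bool:
        """True if data is still readable after the given (0-based) drives fail."""
        self._check()
        bad = {f for f in failed if 0 <= f < self.drives}
        if not bad:
            return True
        if self.level == "0":
            return False
        if self.level == "1":
            return len(bad) < self.drives
        if self.level == "5":
            return len(bad) <= 1
        if self.level == "10":
            # drives (2k, 2k+1) mirror each other; losing both halves of a pair is fatal
            return all(not {2 * k, 2 * k + 1} <= bad for k in range(self.drives // 2))
        seg_size = self.drives // self.segments
        per_segment: Dict[int, int] = {}
        for f in bad:
            per_segment[f // seg_size] = per_segment.get(f // seg_size, 0) + 1
        return max(per_segment.values()) <= PARITY_PER_SEGMENT[self.level]


if __name__ == "__main__":
    for plan in (Plan("5", 30), Plan("50", 30, 3), Plan("60", 30, 3), Plan("10", 30)):
        print(f"RAID {plan.level:>2} x{plan.drives}: {plan.usable_drives()} drives of data")
```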


The following table will help you in selecting an appropriate RAID for your organization:

RAID        | Disk Utilization | Fault Tolerance | I/O Rate         | Large Data Transfers | Data Availability  | Key Problems
Single Disk | Fixed 100%       | No              | Good             | Good                 | Single drive MTBF  | Data lost when disk fails
RAID 0      | Excellent 100%   | Yes             | Very Good        | Very Good            | Poor MTBF of drive | Data lost when any disk fails
RAID 1      | Moderate 50%     | Yes             | Good             | Good                 | Good               | Uses double the disk space
RAID 3      | Good - Very Good | Yes             | Very Good        | Good                 | Good               | Data lost when any disk fails
RAID 5      | Good - Very Good | Yes             | Good - Very Good | Good                 | Good               | Lower throughput with disk failure
RAID 0+1    | Moderate 50%     | Yes             | Good             | Very Good            | Good               | Uses double the disk space
RAID 1+0    | Moderate 50%     | Yes             | Very Good        | Very Good            | Very Good          | Very expensive, not scalable
RAID 30     | Good - Very Good | Yes             | Very Good        | Excellent            | Excellent          | Very expensive
RAID 50     | Good - Very Good | Yes             | Good - Very Good | Excellent            | Excellent          | Very expensive

TABLE 13.1: Selecting appropriate RAID levels


Hardware RAID

• The hardware RAID uses a disk controller and a redundant array of drives to safeguard against data loss and improves read/write operational performance
• Advantages:
  • Fault tolerance
  • Data protection and performance
  • Easy to implement
  • No utilization of the host's CPU
  • Hot-swapping is supported
• Disadvantages:
  • Expensive configuration requiring additional hardware and a RAID controller

Software RAID

• Runs directly on the server using server resources
• Relies on the host system's CPU for the processing and implementation
• Advantages:
  • Low cost, less complicated to set up
  • Only a standard controller is required
• Disadvantages:
  • No hot-swapping
  • Slower than a hardware RAID


Choosing between a hardware and software RAID depends on the requirements of the
organization as well as the needs of the IT infrastructure. The organization should consider its
budget before selecting a specific RAID type, as a hardware RAID costs more than a software-based
RAID system.

Hardware RAID
In a hardware RAID, the processing is done on dedicated hardware, such as a motherboard chipset or a
RAID expansion card. Logical disks are configured and mirrored on the hardware. A physical
controller is located on the PCI bus and it manages the application data and operating
system(s). The controller protects the drives from data loss and enhances read-write
operations.

RAID levels 0, 1, 3 and 5 are compatible with a hardware RAID. A hardware RAID provides
efficient and non-stop recovery from media failure. Performance-based advantages are much
higher with a hardware RAID. For example, the implementation of RAID level 5 will enhance the
data throughput as compared to a software-based RAID. Multiple controllers can be added to
improve the read-write performance and total storage capacity.

A hardware RAID can be implemented when there is a complex and critical setup or with large
databases.


• Advantages:

1. Write-back mode: A typical hardware controller has a battery backup unit (BBU). The
hardware RAID can work in write-back mode because of the BBU feature. If there is a
power failure while writing data to a drive, the data will not be lost or deleted.
The BBU plays a very important role in write-back mode.

2. Hot-swapping: Many controllers in a hardware RAID support hot swapping. The disk
can be replaced while the server is still running, which does not affect the production of
the organization.

3. Higher throughput: With the availability of a BBU, a hardware RAID offers higher read
and write throughput, increasing the overall performance of the RAID level.

4. Rebuild: Rebuilding disk sets can be easier with the availability of a BBU. A BBU
speeds up the rebuild process, decreasing the total amount of time it takes to rebuild.

5. Overhead: Hardware RAID requires external hardware to function. It does not add to
the CPU or RAM overhead of the host machines.

6. Boot loader: A hardware RAID can recover from a boot loader failure.

• Disadvantages:

1. Expensive: Hardware RAID requires an external RAID card or other dedicated hardware for
the implementation. This adds to the overall cost of the implementation, making it
more expensive.

Software RAID
Software RAID uses software instead of hardware for its implementation. Unlike a hardware
RAID that uses a controller, a software RAID uses the system processor and operating-system
components to work. Software RAID is implemented in the operating system or at the kernel level. The
performance of a software RAID depends on the CPU performance. Software RAID relies on a
standard host adapter and executes all I/O commands using calculations performed by the host CPU. RAID
levels 0, 1 and 5 are compatible with a software RAID.

• Advantages:

1. Cost-effective: Software RAID is part of the operating system. No additional
components are needed, so the cost of its implementation does not increase. It is more cost-effective than
a hardware RAID implementation.

2. Simplicity: A software RAID does not need a hardware controller. There are no
complexities in its implementation.

3. Duplexing: Duplexing in a software RAID requires only a standard controller for the
process.


• Disadvantages:

1. Performance: The performance of a software RAID depends on the CPU usage, as it
uses the CPU cycles of the host machine. The software RAID performance is lower than
that of a hardware RAID.

2. Boot loader failure: The software RAID requires an operating system to function. If
the boot loader fails, it will lower disk performance.

3. Compatibility: Certain software and operating systems may not be compatible with
the RAID levels. This causes an issue with the disk array.

4. Advanced features unavailable: Software RAID does not offer hot swapping or a drive
swapping feature.


• Do not replace a failed drive with a drive from another RAID system
• Zero out all replacement drives prior to using them
• If there are any unusual mechanical noises from the drive, immediately turn it off and get assistance
• Take and keep a valid backup before performing a software or hardware change
• Label the drives with their respective positions in the RAID array
• Never run volume repair utilities on suspected bad drives
• Never use defragmentation utilities on suspected bad drives
• Never run volume repair utilities when:
  • The RAID array has suffered a power loss
  • The file system looks suspicious
  • Data is inaccessible after power is restored

The following are additional best practices for selecting and using RAID:

• Always select a RAID level that can handle the workload.
• Always be cautious about the storage capacity while selecting a RAID level.
• Maintain the balance between cost and performance.
• Always ensure the chosen RAID level matches the needs of the organization.
• Avoid replacing a failed drive with one that was part of a previous RAID system.
• Always seek assistance if there are any unusual noises from the system.
• Label hard drives with their respective RAID array positions.
• Always select a RAID group according to the logical unit numbers accommodated by the
server.
• Avoid making any changes to the data in a RAID.
• Always use hard drives of equal sizes in RAID groups.
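As an added illustration (not part of the courseware) of the disk-utilization figures in Table 13.1 and of the best practices on capacity and equal-size drives, the following Python works out usable capacity, wasted space and tolerated failures for a proposed RAID group, and uses an XOR parity stripe to show why single-parity levels survive one failed drive but not two. The level rules table and the drive sizes are this example's own assumptions.

```python
"""RAID capacity and fault-tolerance planner with an XOR-parity rebuild demo.

Constructed illustration (not part of the CND courseware). The rules table
below is this example's own simplification of common RAID levels.
"""
from dataclasses import dataclass
from functools import reduce
from operator import xor

# level -> (minimum members, failures tolerated as f(n), usable members as f(n))
# Usable capacity is measured in "copies of the smallest drive" because every
# member of a RAID group is truncated to the size of its smallest drive.
_RULES = {
    "RAID0":  (2, lambda n: 0,      lambda n: n),       # striping only
    "RAID1":  (2, lambda n: n - 1,  lambda n: 1),       # n-way mirror
    "RAID5":  (3, lambda n: 1,      lambda n: n - 1),   # single parity
    "RAID6":  (4, lambda n: 2,      lambda n: n - 2),   # dual parity
    "RAID10": (4, lambda n: 1,      lambda n: n // 2),  # mirrored pairs, striped
}


@dataclass
class RaidPlan:
    level: str
    members: int
    raw_gb: int
    usable_gb: int
    wasted_gb: int            # capacity lost to unequal drive sizes
    failures_tolerated: int   # guaranteed, whichever drives fail

    @property
    def utilization(self) -> float:
        """Fraction of raw capacity that holds user data (Table 13.1's column)."""
        return self.usable_gb / self.raw_gb


def plan_raid(level: str, disk_sizes_gb: list[int]) -> RaidPlan:
    """Work out what a RAID group built from the given drives actually yields."""
    min_members, tolerated_fn, usable_fn = _RULES[level]
    n = len(disk_sizes_gb)
    if n < min_members:
        raise ValueError(f"{level} needs at least {min_members} drives, got {n}")
    if level == "RAID10" and n % 2:
        raise ValueError("RAID10 needs an even number of drives")
    smallest = min(disk_sizes_gb)
    raw = sum(disk_sizes_gb)
    wasted = raw - smallest * n           # why equal-size drives are advised
    usable = usable_fn(n) * smallest
    return RaidPlan(level, n, raw, usable, wasted, tolerated_fn(n))


def stripe_with_parity(data_blocks: list[bytes]) -> list[bytes]:
    """Build one RAID 3/5-style stripe: the data blocks plus an XOR parity block."""
    parity = bytes(reduce(xor, column) for column in zip(*data_blocks))
    return list(data_blocks) + [parity]


def rebuild_stripe(stripe: list, failed: set[int]) -> list[bytes]:
    """Recover the members listed in `failed` (indices into the stripe).

    Single parity can reconstruct exactly one missing member by XOR-ing the
    survivors; two simultaneous failures exceed it, which is the "data lost"
    case the courseware warns about for single-parity levels.
    """
    if len(failed) > 1:
        raise RuntimeError("data lost: more failed members than parity can cover")
    if not failed:
        return list(stripe)
    (lost,) = failed
    survivors = [blk for i, blk in enumerate(stripe) if i != lost]
    rebuilt = bytes(reduce(xor, column) for column in zip(*survivors))
    repaired = list(stripe)
    repaired[lost] = rebuilt
    return repaired


if __name__ == "__main__":
    # Constructed inputs: four 4 TB drives, then a mixed 2 TB + 3 TB mirror.
    for level, drives in [("RAID0", [4000] * 4), ("RAID5", [4000] * 4),
                          ("RAID1", [2000, 3000])]:
        p = plan_raid(level, drives)
        print(f"{p.level:7} usable={p.usable_gb} GB  utilization={p.utilization:.0%}"
              f"  wasted={p.wasted_gb} GB  survives={p.failures_tolerated} failure(s)")
    stripe = stripe_with_parity([b"AB", b"CD", b"EF"])
    damaged = stripe[:1] + [None] + stripe[2:]      # simulate losing member 1
    print("rebuilt member 1:", rebuild_stripe(damaged, {1})[1])
```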


• A SAN is a specialized, dedicated and discrete high speed network that connects storage devices (disks, disk arrays, tapes, servers, etc.) with a high speed I/O interconnect (Fibre Channel, SAS, Ethernet, etc.)
• SANs are preferred in large scale enterprises because of the reliable data transfer and the flexibility to scale
• A SAN supports data archival, backup, restore, transfer, retrieval, migration and mirroring from one storage device to another
• The Communication Infrastructure Layer provides the physical connections to the network devices
• The Management Layer organizes the connections, storage elements and computer systems
• The Storage Layer hosts the storage devices

[Figure: SAN layers. Clients connect through the Communication Infrastructure Layer (LAN) to the application servers; the Storage Layer holds the Disk Systems, RAID and Tape Drive.]

A Storage Area Network (SAN) is a high performance network that interconnects storage
devices with multiple servers. The role of a SAN is to move the storage resources off the
common network and reorganize them on an independent, high performance network. This
helps the servers to share the storage across the network. A SAN primarily serves storage
devices such as tape drives, disk drives, file servers and RAID arrays. Implementation of a SAN makes disk
maintenance controllable and easier. The implementation of a SAN needs cabling, a switch and
host bus adapters. Each storage system on the SAN must be interconnected, and the
bandwidth of the physical interconnection should be sufficient to support heavy data
activity.

Systems in the network connect to the storage devices. To ensure that every
system in the network can be connected to every storage device available on the network, a
SAN is needed. A SAN allows these systems to take ownership of the
storage devices; systems can exchange the ownership of the storage devices among
themselves.

Understanding Storage Sharing

The working of a storage area network depends on client-server communication. Every
organization has multiple servers that are connected to the systems.

Example: If computer A needs data from computer B, it will need a copy of the data from the
server to which computer B is connected. This can be done through file transfer, inter-process
communication and backup. Even though the data is transferred from computer B to
computer A, computer A may face untimely data errors, an expensive transfer process
between two servers or other operational problems. SAN architecture resolves this
issue. In SAN architecture, all servers are connected to storage devices such as tape drives, RAID and disk
systems through Fibre Channel. Thus, instead of computer A communicating with computer
B for the data, it can directly get a copy of it from the storage devices connected to the servers. For
this process to be successful, the data storage devices act as a common access point for all the
servers.

SAN storage sharing eliminates the scheduling of data transfers among the servers and
reduces the cost of those transfers. Storage devices help the timely transfer of
data. SAN storage offers only block-level operations that do not provide file abstraction.
However, if file systems are structured on top of the storage area network, file access is
provided; this is known as a SAN file system.

Nowadays, in large organizations, the SAN is a storage pool for the servers that are connected via
a network. Fibre Channel is now often replaced by iSCSI, which has become the choice of many
mainstream organizations. Whatever the size of the organization, the SAN has become a
consolidation point for workloads in the network.

Types of SAN
1. Virtual Storage Area Network (VSAN): A VSAN, designed by Cisco, is a logical partitioning
within the physical storage area network. A VSAN allows the allocation of some or all of the
storage network to logical SANs. VSANs are mainly used in cloud computing and
virtualization environments. They can be used to build virtual storage.

The working of a VSAN is similar to a traditional SAN; since it is a virtualized environment,
end users can be added or relocated without affecting or changing the
physical layout of the network. Implementation of a VSAN enhances the security of the
entire network.

2. Unified SAN: A unified SAN is also known as network unified storage or multiprotocol
storage. It allows applications and files to perform actions through a single device. It
handles data storage and block-based input/output operations, merging file and block-based
access in a single storage network. A unified SAN is cost effective as it saves the
expense of additional hardware. Storing the combined modes in a single device makes a
unified SAN easily manageable, although it is advisable to deploy critical
applications on block-based storage systems.

3. Converged SAN: A converged SAN uses a common network arrangement for network and
SAN traffic. This reduces the cost and complexity of the SAN technology. Converged SANs
depend on 10 Gigabit Ethernet and network ports.


• LAN-free and server-free data movement
• Storage consolidation
• LAN-free and server-free backup
• Ease of data sharing
• High availability server clustering
• Improved backup and recovery
• Data integrity and a decrease in the load on the LAN
• Reliable and secure centralized data storage
• Disaster tolerance
• High performance and low latency

With the rise in technology and the increase in data, organizations need a storage device that
can handle their needs. The SAN advantages below help determine the benefits of
deploying one in an IT infrastructure.

SAN Advantages
1. Capacity: SAN performance is directly proportional to the type of network. A SAN allows
unlimited sharing of data regardless of the storage capacity. The SAN capacity can be
extended to thousands of terabytes.

2. Easy sharing: SAN data is easily shared between systems as the SAN keeps its traffic isolated.
The traffic does not interfere with normal user traffic, increasing data transfer
performance.

3. Security: If a SAN is configured correctly, the data is secured. The chances of device intrusion
are minimal.

4. Productivity: A SAN is scalable; adding a new disk to the network does not stop the SAN's
operation. When adding a new hard disk, a reboot or shutdown is not required.

5. Availability of applications: The algorithms in the SAN storage array offer data
protection. This results in application availability at all times.

6. Fast backup: A mirror copy of the data can be created instantly. These mirror images can be
used as a backup whenever required.


7. Bootable: A SAN can run a server without a physical disk, as the server can be booted from the SAN.
This feature permits access to all the page files and applications.

8. Distance connectivity: For better security, plan to keep storage devices in an isolated
location. A SAN can connect devices up to a distance of ten kilometers.

9. Recovery: A SAN is a highly reliable data recovery option. If the servers are offline, the SAN
remains available.

10. Effective utilization: A SAN is a more appropriate option for storage space than local
disks. If a system requires more storage, the SAN dynamically allocates the space. This
process is similar to that used for virtual machines.

The implementation of a SAN is beneficial to an organization, especially when considering the
limitations caused by budget constraints, availability and employee expertise.

SAN Disadvantages
1. Very costly: The implementation of a SAN can cost more than the available budget
allows. A SAN is an investment and should only be implemented if it meets the goals of the
organization.


• In a SAN infrastructure, the backup proxy server runs on a separate physical machine
• Use a backup proxy server or a media server as backup software
• When using third party backup software, run the multiple backup types the software supports
• When performing a full image backup, consider putting the backup on a SAN volume rather than storing it on a local disk
• Do not only keep the most recent backup or overwrite any previous backups
• When running host-level backups, periodically run guest-level backups at the same time
• Use an individual backup agent on each virtual machine to avoid data inconsistency and replication during the backup process
• Secure the data from accidental or malicious disclosure using encryption, whether the data is in transit or at rest
• When transferring data through a switch, use a Fibre Channel (FC) SAN to rapidly transfer the data between storage devices and servers

Additional best practices for an effective design, implementation and performance of a SAN:

• The implementation of SAN technology should incorporate future enhancements in the
storage plan for the organization.
• The design phase requires additional attention.
• Select topologies that could enhance the performance.
• Always implement smaller SANs for better management.
• Always label the fiber switches, as this makes it easier to locate and differentiate between
switch types.
• Always prepare cable connection documentation for the SAN network.


SAN Data Storage and Backup Management Tools

• OpStor: http://www.manageengine.com
• Cisco Prime Data Center Network Manager: http://www.cisco.com
• SanTool: http://www.santools.com
• Brocade: http://www.brocade.com
• Amanda: http://www.amanda.org
• Nagios: https://www.nagios.org
• Symantec Storage Foundation Basic: http://www.symantec.com
• IBM's SAN: http://www-03.ibm.com
• NetBackup: www.veritas.com
• EMC NetWorker: http://www.emc.com

OpStor

Source: http://www.manageengine.com
OpStor helps reduce the clutter of point products in storage by providing deep insight into
backup and maintenance schedules. It also provides detailed server, client, node, disk and
plug-in reports for single and multiple-node configurations of an EMC Avamar backup server.

Brocade

Source: http://www.brocade.com

The Brocade data center fabric supports controller-based network virtualization architectures
such as VMware NSX and the Brocade BGP-EVPN Network Virtualization controller-less
architecture. Brocade BGP-EVPN Network Virtualization eliminates the need for an external
controller by leveraging open standards-based protocols to enable workload agility,
segmentation and security within and across data centers.

Amanda

Source: http://www.amanda.org

AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that
allows the administrator of a LAN to set up a single master backup server to back up multiple
hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNU tar and
dump) for backup and can back up a large number of workstations running multiple versions of
Unix/Mac OS X/Linux/Windows.


Symantec Storage Foundation Basic

Source: http://www.symantec.com
The Symantec Storage Foundation Basic provides a complete solution for heterogeneous online
storage management. It is designed for heterogeneous online storage management of edge-tier
workloads with up to four file systems, four volumes and two processor sockets per system.

NetBackup

Source: www.veritas.com
NetBackup reduces complexity and makes data protection as manageable as possible for
limited staff. NetBackup provides a single solution for the entire enterprise, available on a
converged platform and built to require minimal administration in even the largest, most
dynamic environments.

Cisco Prime Data Center Network Manager

Source: http://www.cisco.com

The Cisco Prime Data Center Network Manager (DCNM) is designed to efficiently implement,
visualize and manage the Cisco Unified Fabric. It includes a comprehensive feature set, along
with a customizable dashboard that provides enhanced visibility and automated fabric
provisioning for dynamic data centers.

SanTool

Source: http://www.santools.com

SANtools provides software and consulting services for manufacturers, OEMS and resellers of
storage peripherals, subsystems and SAN and NAS appliances.

Nagios

Source: https://www.nagios.org

Nagios provides complete monitoring of SAN solutions, including disk usage, directories, file
count, file presence, file size, RAID array status and more.

IBM's SAN

Source: http://www-03.ibm.com
IBM SAN products and solutions provide integrated SMB and enterprise SAN solutions with
multi-protocol local, campus, metropolitan and global storage networking.

EMC NetWorker

Source: http://www.emc.com
The EMC NetWorker unifies and automates backup to tape, disk-based and flash-based storage
media across physical and virtual environments for granular and disaster recovery.


Network Attached Storage (NAS)

• NAS is a file-based data storage service and a dedicated computer appliance shared over the network
• NAS is a high performance file server optimized for storing, retrieving and serving files
• NAS servers contain proprietary or open-source operating systems optimized for file serving

Advantages
• Users with different operating systems can share files with no compatibility issues
• A NAS can be connected to a LAN using the plug and play feature
• Minimal administration required, unlike Unix or NT file servers
• Centralized usage, reduced cost for backup and maintenance compared to a SAN
• Faster response than Direct Attached Storage (DAS)

Disadvantages
• Applications that use a majority of the data transfer bandwidth will greatly reduce network performance
• Data transfer is inefficient as it uses TCP/IP instead of a specialized data transfer protocol
• The storage service guarantee cannot be trusted for mission critical operations
• Administrators must set user quotas for storage space

Network attached storage (NAS) is a storage device that is connected to a network. It stores
and retrieves data from a centralized location. NAS provides dedicated shared storage space
for a local area network. Implementing a NAS removes the file sharing burden from the servers on the
network. The NAS contains one or more storage devices which are logically arranged. NAS
offers file storage through a standard Ethernet connection.

NAS devices do not use an external device manager; they are operated through a web-based
utility. Since a NAS resides on the LAN as a node of its own, it has its own IP address. A NAS is similar
to a file server. NAS devices are scalable, vertically as well as horizontally. Implementing a NAS
is accomplished using large and clustered disks.

NAS has evolved from supporting virtualization to data replication and multiprotocol access. A
clustered NAS is one such example of the NAS evolution. In a clustered NAS infrastructure,
access is provided to all files, irrespective of their physical location. It does not require a
full-featured operating system like Windows; certain devices run on a stripped-down OS like
FreeNAS or other open source solutions.

NAS devices are in high demand in small enterprises due to their effective, low cost and scalable
storage capacity. They are classified into three types based on the number of drives, drive
capacity and scalability.


• High-end or Enterprise NAS: This type of NAS is used mainly in business environments where scalability is a concern.
Enterprise NAS provides the ability to increase the amount of storage space and has a redundant
power supply.
• Small-Business Level NAS or Mid-market NAS: Mainly used in business environments
requiring up to one hundred terabytes (100 TB) of data.
• Low-end or Desktop NAS: Usually used by small business users or home users who
require only local storage space.

NAS Advantages
1. Accessibility: A NAS system stores data as files and is compatible with the CIFS and NFS
protocols. Multiple users can access the files simultaneously over an Ethernet network.
Computers in a shared network can access the data through either a wireless or a wired
connection.

2. Storage: NAS deployment in the network increases the amount of storage available to the
other systems. A NAS system can store up to 8 TB. A NAS is a good choice for storing
large applications or video files.

3. Efficient and reliable: A NAS assures an efficient transfer of data and reliable network
access. If a system in the network fails, the function of the other systems is not affected. A
NAS server can also be created to give users the ability to access large files or applications.

4. Automatic backup: Certain NAS devices are configured with an automatic backup feature.
The data is available on the user's system as well as on the server hard drive. Changes
made on the user's system are reflected on the server hard drive as well. Automatic
backup is not time consuming and is an assurance for the security of the data.

Disadvantages
1. Consumption: A NAS shares the network with other host machines and tends to
consume a large amount of network bandwidth. For remote NAS systems, the data
transfer performance will depend on the available bandwidth. It is advisable to avoid
storing databases on network attached storage, as the server response time fluctuates
depending on the bandwidth.

2. Network congestion: During a large backup, the process can affect the function of the IP
network and may lead to network congestion.


NAS Implementation Types: Integrated NAS System

• An integrated NAS system has the NAS head and storage in a single enclosure, making it a self-contained environment
• The NAS head is responsible for the connectivity between the I/O requests and the clients
• Storage may include a wide range of disks, ranging from low-cost ATA to high performance SSDs, and from low-end single enclosure devices to high-end externally connected storage solutions

[Figure: Integrated NAS System. Clients and Servers connect over the IP Network to the NAS head, which sits in the same enclosure as the Storage.]

The integrated NAS system includes all the NAS components in a single frame. To provide
connectivity to all clients, the NAS head connects to the IP network. An integrated NAS frame
may vary from a low-end device to high-end solutions containing external storage arrays.

Low-end devices focus more on data storage rather than disaster recovery or performance.
These are primarily used in small organizations where the amount of storage space available
may be increased. Increasing the amount of space also increases the management overhead
because of the increased number of devices being used.

High-end devices provide additional amounts of storage space and high scalability.

Advantages
• Easy to implement
• Uses simple tools

Disadvantages
• Limited capacity and performance
• No performance upgrade


Integrated NAS System Examples

• Synology DiskStation DS1513+
• WD My Cloud EX4
• LaCie 5big NAS Pro
• Pogoplug Series 4
• Asustor AS-602T
• Buffalo TeraStation 5200DN (2TB)

Synology DiskStation DS1513+

Source: https://www.synology.com

The Synology DiskStation DS1513+ offers massive dynamically scalable storage space, stellar
performance, a robust web interface and a vast quantity of useful features for
home, small and medium business applications.

WD My Cloud EX4

Source: www.wdc.com

The WD My Cloud EX4 offers data redundancy, Windows Server integration and an excellent set
of personal cloud features. It is affordable and very easy to use. It is not the fastest NAS, nor
does it include many advanced features, but the WD My Cloud EX4 still combines great ease of
use into an affordable personal cloud system that is excellent for a connected home.

LaCie 5big NAS Pro

Source: www.lacie.com

The LaCie 5big NAS Pro offers super-fast performance and has an excellent drive bay design.
The NAS server is also easy to use and can scale up its storage space dynamically.


Pogoplug Series 4

Source: https://pogoplug.com
Features of Pogoplug Series 4 include:

• Automatic, remote backup for computers and mobile devices

• Continuous backup on the go

• Access the backups from anywhere

• Powerful

• Secure, easy sharing


Asustor AS-602T

Source: https://www.asustor.com

ASUSTOR NAS devices provide optimal data protection through RAID technology. They support a
diverse array of automatic backup solutions, guaranteeing the security of data. Seamless cross-platform
file sharing allows users to easily connect to the NAS device no matter which OS is used, such
as Windows, Mac OS or a Unix-based system.

Buffalo TeraStation 5200DN (2TB)

Source: www.buffalotech.com

The TeraStation 5200 is a high performance 2-drive network storage solution ideal for businesses
and demanding users requiring a reliable RAID-based NAS and iSCSI storage solution for larger
networks and business critical applications.


NAS Implementation Types: Gateway NAS System

• The gateway NAS system contains storage arrays and a separate NAS head
• Separate administration of the NAS head and storage enables maintenance to be less complex
• The storage array and NAS head can be scaled up independently, making a gateway NAS more scalable when compared to an integrated NAS

[Figure: Gateway NAS System. Clients and Servers reach the NAS head over the IP Network; the NAS head connects over Fibre Channel through SAN Switches to the Disk Systems, RAID and Tape Drive.]

A NAS gateway is considered a NAS appliance attached to an already existing SAN. In this NAS
implementation, a SAN deals with the storage and a NAS gateway deals with a section of the
block storage capacity. File-based storage is used in a gateway implementation.

The drawbacks of a gateway NAS implementation are:

• The NAS hardware is comparatively more costly than other file servers.

• Difficult for users to manage the block-level storage of the SAN, which is attached to the
NAS's overhead.

• The NAS GUI is entirely different from that of a SAN, making it difficult for users to
manage.

The gateway NAS system includes an independent NAS head and multiple storage arrays.
A gateway NAS requires additional management functions compared to an integrated NAS.
A gateway NAS provides high scalability, as the NAS head and storage arrays scale up according to
the requirements of the organization. A gateway NAS, when combined with a SAN, provides a
large amount of storage capacity.

Scalability can be increased by adding more NAS heads, but this makes it difficult to determine
the network requirements for the gateway environment. A Fiber Channel SAN may be used for the
connection between the gateway NAS and the storage system.

Module 13 Page 1097 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Data Backup and Recovery

Advantages
• Ability to use available SAN storage.
• Upgrades front-end and back-end separately.

Disadvantages
• The capacity depends on the storage space available on the NAS system.


[Screenshot: FreeNAS web interface, System > Information page, showing the hostname, build,
platform, system time, uptime and load average of a FreeNAS system.]

FreeNAS is an operating system that can be installed on virtually any hardware platform to share
data over a network. It is the simplest way to create a centralized and easily accessible location
for data. FreeNAS with ZFS protects, stores and backs up all the data. FreeNAS is used
everywhere: in the home, in small businesses and in the enterprise. FreeNAS features are:

• Web Interface: Simplifies administrative tasks. Every aspect of the FreeNAS system can be
managed from a web interface.

• File Sharing: SMB/CIFS (Windows file shares), NFS (Unix file shares) and AFP (Apple file
shares), FTP, iSCSI (block sharing).

• Snapshots: Snapshots of the entire file system can be made and saved at any time. Access
files as they were when the snapshot was made.

• Replication: Employ the replication feature to send snapshots over the network to
another system for true off-site disaster recovery.

Source: http://www.freenas.org


Selecting an Appropriate Backup Method

Select the backup method based on cost and capability according to the organization's
requirements.

Hot Backup (Online)
• Backs up the data while the application, database or system is running and available to users
• Used when service-level downtime is not allowed
• Immediate data backup switch-over is possible
• Disadvantage: Very expensive

Cold Backup (Offline)
• Backs up the data while the application, database or system is not running (shut down) and is
not available to users
• Used when service-level downtime is allowed and a full backup is required
• Advantage: Least expensive
• Disadvantage: Switching over to the backup data requires additional time

Warm Backup (Nearline)
• A combination of both a hot and a cold backup
• Advantages: Less expensive than a hot backup; switching over to the backup data takes less time
than a cold backup but more time than a hot backup
• Disadvantage: It is less accessible than a hot backup

Organizations can choose any backup method depending on their budget and IT infrastructure.
The different types of data backup methods are:

Hot Backup
A hot backup is a popular backup method, also called a dynamic backup or active backup. In a
hot backup, the system continues to perform the backup process even while users are accessing
the system. Implementing a hot backup in an organization avoids downtime. However, changes
made to the data during the backup process are not reflected in the final backup file. Also,
while the backup is in progress, users may find the system running slowly. A hot backup is an
expensive process.

Cold Backup
A cold backup is also called an offline backup. A cold backup takes place when the system is
not running or is not accessible to users. It is the safest backup method because it avoids the
risk of copying data while it is in use. A cold backup involves downtime, as users cannot use
the machine until the process is complete and the system is back online. A cold backup is not
as expensive as a hot backup.

Warm Backup
A warm backup is also called a nearline backup. The backup system has connectivity to the
network and is turned on to receive periodic updates. It is beneficial when mirroring or
duplicating the data. The warm backup process can take a long time, and it can be conducted
at intervals ranging from days to weeks.


Onsite Data Backup
• Storing backup data at onsite data storage only
• Advantages: Onsite backup data can be easily accessed and restored; less expensive
• Disadvantage: Data loss risk is greater

Offsite Data Backup
• Storing backup data in remote locations in fire-proof, indestructible safes
• Advantage: Data is secured from physical security threats such as fire, floods, etc.
• Disadvantage: Problems with keeping a regular data backup schedule

Cloud Data Backup
• Storing backup data on storage provided by an online backup provider
• Advantages: The data is encrypted and free from physical security threats; data can be
accessed from anywhere
• Disadvantages: No direct control of the backup data; more time to back up

Onsite data backup


This type of backup is performed within the organization. Onsite backup uses external devices
such as a tape drive, DVD, hard disk, etc. The choice of external storage will depend on the
amount of data to be backed up.

• Advantages:

• Provides immediate access to data.

• Less expensive.

• Media used for onsite backup is readily available and costs less.

• Faster recovery.

• Enhanced scalability.

• Internet access is not required.

• Disadvantages:

• Requires direct human interaction to perform the backup.

• Susceptible to theft or natural disasters.


Offsite data backup


In an offsite backup, the backup is done at a remote location. The data is stored on
physical drives, online or with a third-party backup service. Storing the data online helps keep
an updated data backup available.
• Advantages:

• Implementing offsite backup creates multiple copies that can be stored in multiple
locations.

• Human error is minimal as the backup process is automated.

• Data retention is unlimited.


• Disadvantages:

• It is expensive, requiring a third party service.

• Requires an Internet connection and the bandwidth consumption will be higher.

• The process is lengthy and time consuming.

Cloud data backup


A Cloud backup is also known as online backup. It involves storing the backup on a public
network or on a proprietary server. Usually a third party service provider hosts the proprietary
server. The backup process in a cloud data backup works according to the requirements of the
organization. If the organization needs the backup on a daily basis, the proprietary server will
run a daily backup. Usually any non-critical data is archived using a cloud data backup.

• Advantages:

• Cloud data backup is efficient as the technology implemented is disk-based backup,
virtualization, encryption, etc.

• Many proprietors provide data monitoring and create reports for the organization.

• The data in a cloud backup is easily accessed and the data can be accessed through
the Internet.

• Disadvantages:

• Data recovery can be time consuming.

• Cloud data backup proprietors do not give any assurances or guarantees concerning
the completion of the backup. It is the responsibility of the organization to check if the
backup process was successful.


Full/Normal Data Backup: All the system data is copied to the backup media.

Differential Data Backup: All the data that has been changed since the last full backup is
copied to the backup media.

Incremental Data Backup: Only the files that have been changed or created after the last backup
are copied to the backup media.

[Figure: two bar charts covering Sunday to Wednesday. Each starts with a 10GB full backup on
Sunday; the left chart follows it with Differential 1, 2 and 3, the right chart with Incremental 1,
2 and 3. The daily sets are labelled in the hundreds of MB (300MB) against the 10GB full backup.]

An appropriate backup type is one that does not have a major impact on the bandwidth, cost,
time required and resources of the organization. The three most common backup types are full,
differential and incremental.

Backup Types:
• Full Backup: A full backup is also called a normal backup. The full backup occurs automatically
according to a set schedule. It copies all the files and compresses them to save space. A
full backup provides efficient data protection to the copied data.

• Incremental Backup: Backs up only the data that has changed since the last backup. The
last backup can be any type of backup. Before an incremental backup can be performed,
the system should be backed up using a full or normal backup.

Example: Assume a full backup of a system is scheduled for Sunday and, from Tuesday to
Saturday, an incremental backup is scheduled. Once the full backup is performed on
Sunday, the incremental backup on Monday will only back up the changes that occurred
on Sunday. This process will continue until Saturday.

• Differential Backup: A differential backup is the combination of a full backup and an
incremental backup. A differential backup backs up all the changes made since the last full
backup.

Example: Considering the above example, assume a full backup is scheduled for Sunday and
then a differential backup is scheduled to run until Saturday. Once the full backup is
completed on Sunday, the differential backup will occur on Monday and the data that was
changed will be backed up. This sounds a lot like an incremental backup. However, on
Tuesday, the backup will be for the changes made on Sunday and Monday. Then on
Wednesday, it will contain the changes from Sunday, Monday and Tuesday.
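The Sunday-to-Wednesday schedule in the two examples above can be worked through in code. The following Python model is an added example, not courseware or vendor code; its file names, sizes and daily change sets are constructed, and it goes a step beyond the text by also computing the chain of backup sets a restore must read, which is what makes restores from incremental backups the slowest and restores from full backups the fastest.

```python
"""Model of full, incremental and differential backups over part of a week.

Added example (not courseware or vendor code). The file names, sizes and daily
change sets below are constructed; sizes are in MB.
"""
from typing import Dict, List

Snapshot = Dict[str, int]  # file name -> size in MB

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday"]

# Constructed sample input: the files written on each day. Sunday lists the
# whole file set, because that is what the Sunday full backup copies.
CHANGES: List[Snapshot] = [
    {"os.img": 8000, "db.dat": 1500, "docs.zip": 500},  # Sunday: full file set
    {"db.dat": 1500},                                   # Monday
    {"docs.zip": 500, "notes.txt": 1},                  # Tuesday
    {"db.dat": 1500},                                   # Wednesday
]


def size_mb(snapshot: Snapshot) -> int:
    return sum(snapshot.values())


def actual_state(changes: List[Snapshot], day: int) -> Snapshot:
    """Contents of the file system at the end of `day` (0 = Sunday)."""
    state: Snapshot = {}
    for d in changes[: day + 1]:
        state.update(d)
    return state


def plan(kind: str, changes: List[Snapshot]) -> List[Snapshot]:
    """Files written to the backup media on each day for the given backup type.

    Day 0 is always a full backup; every later day copies according to `kind`:
    'full', 'incremental' (changes since the previous backup) or
    'differential' (changes since the last full backup).
    """
    if kind not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown backup type: {kind}")
    state = dict(changes[0])        # current file system contents
    since_full: Snapshot = {}       # everything changed since the full backup
    backups = [dict(state)]
    for day in changes[1:]:
        state.update(day)
        since_full.update(day)
        if kind == "full":
            backups.append(dict(state))
        elif kind == "incremental":
            backups.append(dict(day))
        else:
            backups.append(dict(since_full))
    return backups


def restore_chain(kind: str, day: int) -> List[int]:
    """Indices of the backup sets that must be read, in order, to restore `day`."""
    if kind == "full":
        return [day]
    if kind == "incremental":
        return list(range(day + 1))          # full plus every incremental so far
    if kind == "differential":
        return [0] if day == 0 else [0, day]  # full plus only the latest differential
    raise ValueError(f"unknown backup type: {kind}")


def restore(kind: str, backups: List[Snapshot], day: int) -> Snapshot:
    """Apply the chain in order; later sets overwrite earlier copies of a file."""
    state: Snapshot = {}
    for i in restore_chain(kind, day):
        state.update(backups[i])
    return state


def report(changes: List[Snapshot]) -> Dict[str, List[int]]:
    """Per backup type, the MB written to the backup media on each day."""
    return {kind: [size_mb(b) for b in plan(kind, changes)]
            for kind in ("full", "incremental", "differential")}


if __name__ == "__main__":
    for kind, sizes in report(CHANGES).items():
        print(f"{kind:13s}", "  ".join(f"{d}={s}MB" for d, s in zip(DAYS, sizes)))
        print(" " * 14, "restore Wednesday from sets", restore_chain(kind, 3))
```

With the constructed data the incremental sets stay small (1500, 501 and 1500 MB) while the differential sets grow (1500, 2001, 2001 MB); restoring Wednesday needs four sets for incremental but only two for differential and one for full.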


Backup Types: Advantages and Disadvantages

Full Backup
• Advantages: Restoration is fast
• Disadvantages: Backup process is slow; high storage requirements

Differential Backup
• Advantages: Faster than a full backup; restoration faster than an incremental backup; reduced
amount of storage compared with a full backup
• Disadvantages: Restoring data is slower than using a full backup; slower than an incremental
backup

Incremental Backup
• Advantages: Fastest method; least amount of storage space compared to the other backup types
• Disadvantages: Slowest restore speed compared to other backup types

Compare the advantages and disadvantages of each backup type and then select the type best
suited for the organization.

Full Backup
• Advantages:

• It is easy to restore, the process requires a file name and a location .

• Maintains different versions of the data.


• Disadvantages:

• A time-consuming process because each file is backed up every time a full backup is
performed.

• Very large storage requirements.

Incremental Backup
• Advantages:

• Faster than a full backup.

• Uses storage space efficiently, there is no data duplication.


• Disadvantages:

• Data restoration is time-consuming and complex: the full backup is restored first and then
the incremental backups afterwards.

Differential Backup
• Advantages:

• Faster than a full backup.

• Uses storage space more efficiently than a full backup, as the backup only contains the
changes made at regular intervals.

• Data restoration is faster than an incremental backup.


• Disadvantages:

• Slower than an incremental backup.

• Restoration process is slower than a full backup.


Choosing the Correct Backup Solution

• Does it meet the organization's recovery requirements including RTO and RPO?
• Is data restoration reliable and easy to perform?
• Is data stored offsite in case of a disaster?
• Does it comply with the organization's disaster recovery plan?
• Is the data secure and encrypted?
• What are the labor and maintenance requirements?
• When will the data be backed up?
• How much does the solution cost, including labor, maintenance and support?

Choosing an appropriate backup solution is essential for efficient and effective backups. Data
loss is avoidable to an extent with excellent backup solutions.
Consider the following items before selecting a backup solution:
1. RTO and RPO standards: RTO and RPO should be the main parameters of your disaster
recovery plan. RTO is the Recovery Time Objective, the duration required to restore the
data. RPO is the Recovery Point Objective, the interval that passes before data quality is
lost.
2. Data restoration: The data restoration process should be easy and reliable. The longer the
restoration process, the higher the productivity loss. Look for a backup solution that offers
an efficient and quick data restoration process to your organization.

3. Off-site storage: It is necessary to identify whether the solution stores the data off-site. If the
backup solution does not offer an off-site storage option, the security of the data is not
guaranteed and the backup can be affected by unwanted occurrences.

4. Security: It is the responsibility of the backup solution vendor to provide proper security
for the data. The solution should include an encryption feature, acting as add-on security
for the data.
5. Solution know-how: Understand how the backup solution functions: how long a backup
takes to complete, the maintenance required, additional costs, implementation in the
organization's infrastructure, and other costs.
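Items 1 and 2 are only met if backups actually run on schedule, and the cloud backup section earlier notes that checking a backup completed is the organization's own responsibility. One way a defender monitors this is to compare each dataset's last successful backup job against the RPO. The Python below is an added example, not courseware or vendor code; its log format, job names, datasets and timestamps are constructed for illustration and the parser will need adapting to a real product's logs.

```python
"""Check whether each dataset's last successful backup is within the RPO.

Added example (not courseware or vendor code). The log format below is
constructed for illustration; real backup products log differently.
"""
import shlex
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample job log: one line per backup job run.
SAMPLE_LOG = """\
2016-04-11 01:00:05 job=db-nightly dataset=db status=success bytes=1610612736
2016-04-11 01:30:44 job=files-nightly dataset=files status=success bytes=524288000
2016-04-12 01:00:03 job=db-nightly dataset=db status=success bytes=1612000000
2016-04-12 01:30:10 job=files-nightly dataset=files status=failed error="network timeout"
2016-04-13 01:00:07 job=db-nightly dataset=db status=success bytes=1613000000
2016-04-13 01:30:12 job=files-nightly dataset=files status=failed error="network timeout"
"""


def parse_log(text: str) -> List[dict]:
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines; quoted values are allowed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = {"time": datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")}
        for kv in shlex.split(line[20:]):      # shlex keeps "network timeout" together
            key, _, value = kv.partition("=")
            record[key] = value
        records.append(record)
    return records


def last_success(records: List[dict]) -> Dict[str, datetime]:
    """Most recent successful run per dataset."""
    latest: Dict[str, datetime] = {}
    for r in records:
        if r.get("status") == "success":
            ds = r["dataset"]
            if ds not in latest or r["time"] > latest[ds]:
                latest[ds] = r["time"]
    return latest


def check_rpo(records: List[dict], rpo: timedelta, now: datetime) -> Dict[str, dict]:
    """For every dataset seen in the log, report the age of its last good backup
    against the RPO. A dataset with no successful run at all is flagged too."""
    datasets = {r["dataset"] for r in records if "dataset" in r}
    latest = last_success(records)
    result = {}
    for ds in sorted(datasets):
        when = latest.get(ds)
        age = (now - when) if when else None
        result[ds] = {
            "last_success": when,
            "age_hours": None if age is None else round(age.total_seconds() / 3600, 1),
            "within_rpo": age is not None and age <= rpo,
        }
    return result


def demo() -> Dict[str, dict]:
    """Run the check on the constructed log with a 24-hour RPO at a fixed 'now'."""
    now = datetime(2016, 4, 13, 9, 0, 0)  # constructed current time
    return check_rpo(parse_log(SAMPLE_LOG), timedelta(hours=24), now)


if __name__ == "__main__":
    for ds, info in demo().items():
        flag = "OK" if info["within_rpo"] else "RPO VIOLATED"
        print(f"{ds:6s} last good backup {info['last_success']} "
              f"({info['age_hours']}h ago): {flag}")
```

In the constructed log the database job keeps succeeding, but the file share job has failed two nights running, so its last good copy is about 55 hours old and breaches a 24-hour RPO; a repeated failure like that is exactly what a periodic check should surface before a restore is needed.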


Data Backup Software: AOMEI Backupper

AOMEI is a specialized Windows backup solution supporting the following types of backup
functions:
• File Backup
• System Backup
• Disk Backup
• Partition/Volume Backup
• Automatic/Schedule Backup
• Incremental & Differential Backup
• Backup to a NAS

http://www.backup-utility.com

AOMEI Backupper is backup and recovery software that helps those with little or no
knowledge of backup and recovery processes. The main functions of the software are:

• Backs up all critical data on a regular basis.

• Reduces the time required for backing up data through incremental and automatic
backups.

• Backs up the entire hard disk or partitions.

• Creates a system image to keep Windows and applications safe.

AOMEI backs up files, folders, hard disk drives, partitions and applications. If there is a loss of
data, it will restore the files. It includes a disk imaging and cloning tool to create an exact image
of the hard disk and operating system. The backup types supported by AOMEI include:

• File, System and Disk

• Partition/Volume

• Automatic/Schedule

• Incremental/Schedule

• Backup to a NAS

Source: http://www.backup-utility.com


• Genie Backup Manager Home: http://www.genie9.com
• NTI Backup Now: http://www.nticorp.com
• Norton Ghost: http://www.symantec.com
• PowerBackup: http://www.cyberlink.com
• Backup4all: http://www.backup4all.com
• BullGuard Backup: http://www.bullguard.com
• TurboBackup: http://www.filestream.com
• Handy Backup: http://www.handybackup.com
• Active Backup Expert: http://www.backuptool.com
• SyncBackPro: http://www.2brightsparks.com

Genie Backup Manager Home

Source: https://www.genie9.com
Genie Backup Manager Home is a tool that provides full control of backup procedures. The
main features of Genie Backup Manager Home are:

• Full featured backup product

• Security

• Recover the entire system in case of a disaster

• Resource friendly

• Access backups without the need for additional software

• Full control over the backup procedure

• Track the backup anywhere

Norton Ghost

Source: https://www.symantec.com
Norton Ghost 15 backs up an entire system or specific files and folders while saving recovery
points to offsite locations using FTP.


BullGuard Backup
Source: http://www.bullguard.com
BullGuard Backup is an online backup solution for keeping electronic valuables safe.

Turbo Backup

Source: http://www.filestream.com

TurboBackup provides an option to create multiple backups of shared documents to more than
one destination. It also offers the ability to back up and retain different versions of the same file
to protect documents from accidental loss.

Active Backup Expert


Source: http://www.backuptool.com

The Active Backup Expert (ABE) is software that backs up important files on a Windows
platform.

Active Backup Expert advantages:

• Zip and Cab format.

• Hard disk, network, CD-RW, CD-R, DVD, floppy, FTP server and other device support. Can
choose any drive in the system to store the backups.

• Full, Incremental and Differential backup modes.

• Basic backup projects.

• Strong encryption.
• Set-and-forget.

• Backup management.

NTI Backup Now

Source: http://www.nticorp.com
NTI Backup Now backs up and restores files and folders on your Windows PC.

Features:

• Enhanced performance for faster backups.

• Incremental drive image backup for a complete system backup and restore.

• Support for Microsoft Volume Shadow Copy Service (VSS).

• Customized description fields in a backup job.

• Create a bootable image restore CD/ DVD.

• Restore from a particular point in time.


PowerBackup
Source: http://www.cyberlink.com
PowerBackup provides support for the following types of data backup:

• Full.

• Differential.

• Incremental.

Backup4all

Source: http://www.backup4all.com
Backup4all is a backup program for Windows that protects data from partial or total losses. It
automates the backup process, compresses the data to save storage space (using standard zip
format) and encrypts the backup to protect it from unauthorized use.

Handy Backup

Source: http://www.handybackup.com

Handy Backup is a program designed for an automatic backup of critical data virtually to any
type of storage media including CD/DVD-RW devices and remote FTP servers. This tool creates
a reserve copy of valuable data. Special add-ons provided enable MS Outlook, system registry
and ICQ files to be backed up.

SyncBackPro

Source: http://www.2brightsparks.com

SyncBackPro is used to backup, synchronize and restore data files. It is used by individuals,
small businesses and mission critical organizations including law enforcement agencies,
hospitals and government departments.


• Synchronize! Pro X: http://www.qdea.com
• Tri-BACKUP: http://www.tri-edre.com
• iBackup: http://www.ibackup.com
• Chronosync: http://www.econtechnologies.com
• Roxio Retrospect: http://www.retrospect.com
• SilverKeeper: http://www.lacie.com
• SuperDuper: http://www.shirt-pocket.com
• Carbon Copy Cloner: http://www.bombich.com
• Data Backup3: https://www.prosofteng.com
• Copycat X: https://secure.subrosasoft.com

Synchronize! Pro X

Source: http://www.qdea.com
Synchronize! Pro is a tool for high-end server backup solutions because it can reliably handle
millions of files on disks containing terabytes of data. Synchronize! Pro X actions can be scheduled
when changes occur, at night or at any preset time, once or periodically, without anyone present.
Passwords can be supplied automatically for file server connections.

iBackup

Source: http://www.ibackup.com
iBackup backs up and restores user data and system and application settings such as System
Preferences, Mail, iPhoto and iTunes. It can also transfer third-party application settings from
any Mac to another Mac.

Roxio Retrospect

Source: http://www.retrospect.com
Retrospect backup and recovery software is mainly used at medical offices, law firms, banks,
auto repair shops, restaurants, departments in large corporations, universities, government
offices and many others.


SuperDuper
Source: http://www.shirt-pocket.com
SuperDuper has a user friendly interface to create a fully bootable backup.

Data Backup3

Source: https://www.prosofteng.com

Data Backup3 is a backup software solution that backs up, restores, and synchronizes important
files with minimal effort.

Tri-BACKUP

Source: http://www.tri-edre.com
Tri-BACKUP protects the data from a single copy on an external drive to a set of actions that
back up on different types of media. Each is then kept in different locations for maximum
security (including backups on the Internet).

Chronosync

Source: http://www.econtechnologies.com
ChronoSync can synchronize backups and create a bootable backup for almost anything a Mac
can be connected to: external drives, NAS drives, other Macs, PCs or anything else that can be
mounted as a volume.

SilverKeeper
Source: http://www.lacie.com

SilverKeeper uses a USB or FireWire drive to create a complete backup. This tool can verify
that the backup is complete by comparing the source and destination. It keeps a status log
recording the details of the backup.

Carbon Copy Cloner

Source: https://bombich.com
Carbon Copy Cloner is a cloning and backup utility. With this software, the data and the
operating system's data is preserved on a bootable volume.

Copycat X

Source: https://secure.subrosasoft.com
SubRosaSoft CopyCatX™ is an easy-to-use and fast utility for duplicating volumes, cloning drives
or recovering intermittent/mechanically unsound drives.


Conducting a Recovery Drill Test

A recovery drill test is an integral part of a data backup plan.

Periodically conduct a data recovery drill test.

Advantages:
• Ensures data recovery is efficient and the data backup plan is effective
• Addresses any issues which may be encountered during an actual recovery
• If the system is not functioning according to the data backup plan, changes can be implemented
in the recovery process

While 80% of organizations create a disaster recovery plan, only 40% create any plans for
testing it.
The organization needs to perform these data drills often to check whether the recovery process
is effective according to the backup plans created. These drills further help locate the areas of
improvement in the recovery plans. The challenges in performing these drills are:

• Whether the drills are conducted periodically.

• Whether issues found in one test are addressed and resolved by the team.
• Whether there are any changes in the recovery plans.
• Was the drill test perfect?
• Whether the right person is addressing the issues the drill test identified.
The purposes of conducting a recovery drill test are:
• Check whether the recovery plans meet the company's requirements.

• Provide a level of expertise to the team that is conducting the tests for the recovery plans.
• Detect what areas of the recovery plan require improvement.
An organization performs a drill test to validate that it has a foolproof and updated DR plan. It is
advised to perform a recovery drill test at least once or twice a year, depending on the size of
the organization.


Remember the items below for a successful recovery drill test:


1. Regular Testing: For a successful DR plan, a recovery drill test should be performed
regularly. Before proceeding with the test, it is important to go through the DR blueprint.

2. Broadcasting to users: Before performing a recovery drill test it is important to inform all
employees, stakeholders and vendors of the organization. Organizations should brief
employees on the necessary actions to take when there is a data breach or disaster. This
is also covered in the incident response plan.
3. Testing applications: Apart from system testing, application and user account testing
should also be performed. Any user account without a password should be immediately
corrected.
4. Pen Tester: If a user can access the files and folders in the system without administrator
privileges, it means that any user can. Organizations should have a pen tester check for
any vulnerabilities in the network. If a vulnerability is detected it must be documented
and a solution provided.
Performing a drill test:

Before beginning the recovery drill test, organizations should set certain goals:
1. An internal DR team or a third party can conduct the drill test.
2. Maintain a record of the analysis.

3. Reconfirm the disaster plan is realistic and is parallel to current technology.

4. The DR plan should be accessible to more than one person.


A DR plan for any organization is successful only when the drill test confirms the resources are
secure and not vulnerable.
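A drill test is only conclusive when the restored data is checked against the original rather than assumed to be complete. The Python below is an added example, not courseware or vendor code: it performs no restore itself but compares a source tree with a restored tree file by file using SHA-256 and reports missing, altered and stray files. The directories and files it creates in a temporary folder are constructed so that the "restore" shows one of each defect; the same verify_restore function works on any two real directories.

```python
"""Verify a restored copy against its source during a recovery drill.

Added example (not courseware or vendor code). The source tree and the
deliberately imperfect restored tree are constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def tree_digests(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 hex digest."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def verify_restore(source: Path, restored: Path) -> Dict[str, object]:
    """Compare the restored tree with the source tree file by file."""
    src, dst = tree_digests(source), tree_digests(restored)
    missing = sorted(set(src) - set(dst))        # in the source, not restored
    extra = sorted(set(dst) - set(src))          # restored, but not in the source
    mismatched = sorted(f for f in src.keys() & dst.keys() if src[f] != dst[f])
    return {
        "files_checked": len(src),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        # stray extra files are reported but do not by themselves fail the drill
        "ok": not (missing or mismatched),
    }


def demo() -> Dict[str, object]:
    """Run the check on constructed data: one intact, one altered, one missing, one stray file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        # constructed source data
        (src / "db" / "data.bin").write_bytes(bytes(range(256)) * 4)
        (src / "config.ini").write_text("retention_days=30\n")
        (src / "notes.txt").write_text("recovery drill\n")
        # constructed flawed restore of that data
        (dst / "db" / "data.bin").write_bytes(bytes(range(256)) * 4)   # intact
        (dst / "config.ini").write_text("retention_days=3\n")          # altered
        (dst / "stale.log").write_text("left over from an old run\n")  # stray
        return verify_restore(src, dst)


if __name__ == "__main__":
    result = demo()
    print("restore verified" if result["ok"] else "restore FAILED verification")
    for key in ("missing", "mismatched", "extra"):
        if result[key]:
            print(f"  {key}: {', '.join(result[key])}")
```

Hashing rather than comparing sizes or timestamps catches a truncated or silently altered file, and recording the digest list from a drill gives the team the written record the goals above call for.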


Data recovery is a process for the recovery of data that may have been
accidentally/intentionally deleted or corrupted

Deleted items include files, folders and partitions from electronic storage media (hard
drives, removable media, optical devices, etc.)

A majority of data that is lost is recoverable. There are situations where the damage to
the data is permanent and irreversible and cannot be recovered

When attempting to recover data from a target, use several different data recovery tools

Data loss is a primary concern for any organization. Data recovery refers to the restoration of
data from devices or from a backup. The process of data recovery varies depending on how the
data was lost, the data recovery software and the device where the data will be restored.

Information stored on storage devices such as a flash drive, a hard disk, DVD, etc. can be
recovered. Users should not write or save over any data stored on the affected media.
Improperly trained users should not perform data recovery. The disaster recovery plan should
mention the individual/team responsible for recovery of data in the organization. Data recovery
software can assist with retrieving the data usually with great results.
The correct knowledge and the proper use of tools help in the recovery process.

Probability of recovering the data:

Data recovery will not always be successful. If a system is too corrupt and/or damaged,
recovery may not be possible. The probability of recovering the data depends on the
cause of the loss. The common causes of data loss are:

1. File Deletion: If a file is deleted, it will remain in the storage space until it has been
overwritten. This can happen if the OS reuses the disk space. Even if the change is minor, it
can make the chances of data recovery negligible. Windows operating systems have a file
deletion algorithm on NTFS formatted disks and the data can be recovered using this
algorithm.


2. File Corruption: If an operating system is corrupted, the data can be recovered using the
partition table. If the partition table is corrupt, it can be repaired using data recovery
software.
3. Physical Drive Damage: Physical damage to a hard drive or an external drive can cause a
larger amount of data loss compared to a file corruption. Recovering data from a
damaged device requires a specific level of expertise. When recovering from physically
damaged devices, the environment where the recovery process takes place must be free of
pollutants. This process often occurs in a clean room. Dust particles can make the
recovery difficult if not impossible. Having a certified clean room to recover the data is
recommended. When recovering data from damaged drives, the drive is either rebuilt or a
disk image is created. This process can be very expensive, depending on how extensive
the damage is.

Points to remember:

1. Be cautious when plugging in an external device to the system. The device may be
corrupt, which will result in corruption of the files or the system.
2. Never overwrite the data on the same storage location where the data was lost.
3. Create multiple backups and store them in different locations.
4. Data recovery is not 100% perfect every time.
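The file-deletion point above (deleted data stays on disk until the space is reused) and the warning never to write to the same storage location, shown as an added example that is not part of the courseware or of any recovery product listed in this module. It builds a constructed disk image, "deletes" two files by dropping their directory entries, and carves them back by scanning for known file-type signatures (the raw file recovery technique the module mentions later); reusing one cluster then destroys the JPEG. Cluster size, image layout and the sample files are all constructed.

```python
"""Signature-based file carving over a constructed disk image.

Added example, not code from the CND courseware or from any recovery vendor.
The file system forgets a deleted file, but its bytes stay in place until the
clusters are reused, so a scan for header/footer signatures still finds it.
"""
from dataclasses import dataclass

CLUSTER = 512  # constructed cluster size of the toy image

# Real header/footer magic bytes for the two file types carved here.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int   # byte offset of the header inside the image
    data: bytes   # header .. footer, inclusive


class ToyImage:
    """A flat disk image plus a minimal directory (name -> first cluster)."""

    def __init__(self, clusters=16):
        self.data = bytearray(clusters * CLUSTER)
        self.directory = {}

    def write_file(self, name, cluster_no, content):
        start = cluster_no * CLUSTER
        self.data[start:start + len(content)] = content
        self.directory[name] = cluster_no

    def delete_file(self, name):
        # Typical deletion: only the directory entry goes away; the clusters
        # are marked free but their contents are left untouched.
        del self.directory[name]

    def reuse_cluster(self, cluster_no, new_content):
        # The OS allocating a freed cluster to new data is what actually
        # destroys the old contents.
        start = cluster_no * CLUSTER
        self.data[start:start + CLUSTER] = new_content.ljust(CLUSTER, b"\x00")


def carve(image, max_size=64 * 1024):
    """Return every header..footer span found for the known signatures."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                found.append(CarvedFile(kind, pos, bytes(image[pos:end + len(footer)])))
            pos = image.find(header, pos + 1)
    return sorted(found, key=lambda f: f.offset)


def demo():
    """Carve after deletion and again after a freed cluster is reused."""
    jpg = SIGNATURES["jpg"][0] + b"J" * 700 + SIGNATURES["jpg"][1]   # spans 2 clusters
    png = SIGNATURES["png"][0] + b"P" * 100 + SIGNATURES["png"][1]   # fits in 1 cluster
    img = ToyImage()
    img.write_file("photo.jpg", 2, jpg)    # clusters 2 and 3
    img.write_file("logo.png", 6, png)     # cluster 6

    img.delete_file("photo.jpg")
    img.delete_file("logo.png")
    after_delete = carve(img.data)          # both files are still carvable

    img.reuse_cluster(3, b"new document text")   # second half of the JPEG is gone
    after_reuse = carve(img.data)           # only the PNG survives intact
    return after_delete, after_reuse


if __name__ == "__main__":
    for label, files in zip(("after delete", "after reuse"), demo()):
        print(label, [(f.kind, f.offset, len(f.data)) for f in files])
```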


Windows Data Recovery Tool: Recover My Files

Recover My Files data recovery software recovers deleted files emptied from the
Windows Recycle Bin. These files could be lost because of a hard drive format or
install. This software also recovers files removed by a virus, Trojan infection or an
unexpected system shutdown or failure.

Select the drive to recover:

[Screenshot: Recover My Files drive selection dialog, offering "Recover Files" and "Recover a Drive" modes]

http://www.recovermyfiles.com

Recover My Files recovery software recovers data lost from the Windows Recycle Bin, hard
drives, files and data lost due to a virus or malware. The recovery of the data depends on the
file content. The Recover My Files recovery tool uses two mechanisms:

• Lost file: This mechanism searches for deleted files. Unfamiliar file types cannot be added.
The file name searched for is found under 'deleted files' and not under 'lost file', as deleted
files are still stored on the disk and not destroyed.

• Lost drive recovery: This mechanism helps recover files that were stored on old drives.

Source: http://www.recovermyfiles.com


Windows Data Recovery Tool: EaseUS Data Recovery Wizard

EaseUS Data Recovery Wizard does a good job with disk data recovery, format recovery,
deleted files recovery or data lost from a partition loss, damage, crash, infection and
unexpected shutdown.

These are the recovery modes for the disks in the data recovery program:

• Deleted File Recovery is designed to recover deleted files
• Complete Recovery recovers formatted drives
• Partition Recovery recovers data from deleted, lost or damaged partitions
• Other Data Loss Cases recovers lost data from software crashes, viruses, infections
and for other unknown reasons.

[Screenshot: EaseUS Data Recovery Wizard mode selection screen]

http://www.easeus.com

EaseUS data recovery wizard is a tool that recovers lost data or files from iOS, Android,
removable media and hard drives in the event of an unexpected error.

EaseUS features:

• Retrieve deleted, formatted and inaccessible data.

• Retrieve all deleted files like images, documents, videos etc.

• Retrieve data from a PC, laptop, hard drive etc.

• Retrieve data from deleted, lost or hidden partitions.

• Provides technical assistance to customers.

• Retrieve data after the computer faces an issue booting.

Source: http://www.easeus.com


Windows Data Recovery Tool: PC INSPECTOR File Recovery

PC INSPECTOR File Recovery 4.x is a data rescue program supporting the FAT 12/16/32 and
NTFS file systems.

Features:

• Locates drives automatically even if the boot sector or file system is damaged
• Recovers files with the original time and date including network drives
• Supports saving recovered data
• Recovers files, even when a header entry is no longer available

[Screenshot: PC INSPECTOR File Recovery main window]

http://www.pcinspector.de

PC Inspector File Recovery deals with the recovery of data and supports the FAT 12/16/32 and
NTFS file systems. PC Inspector automatically locates deleted or damaged files and recovers
them along with their original date and time. It recovers files even in the absence of a header
entry.

The software supports files in .JPG, .TIF, .BMP and .GIF formats and many types of memory
cards such as CompactFlash, SmartMedia, etc.

Source: http://www.pcinspector.de


Windows Data Recovery Tools:

• Advanced Disk Recovery: http://www.systweak.com
• Total Recall: http://www.totalrecall.com
• Handy Recovery: http://www.handyrecovery.com
• Stellar Phoenix Windows Data Recovery: http://www.stellarinfo.com
• R-Studio: http://www.data-recovery-software.net
• Pandora Recovery: http://www.pandorarecovery.com
• Data Recovery Pro: http://www.paretologic.com
• GetDataBack: http://www.runtime.org
• Recuva: https://www.piriform.com
• MiniTool Power Data Recovery: https://www.powerdatarecovery.com

Advanced Disk Recovery

Source: http://www.systweak.com
Advanced Disk Recovery is used to recover accidentally deleted data. It is possible to restore
every type of file and folder stored on a Windows PC and from multiple storage devices.

Handy Recovery

Source: http://www.handyrecovery.com
Handy Recovery™ is used to restore files accidentally deleted from hard drives, all types of
USB/ eSATA devices and memory cards.

The tool recovers:

• Files damaged by virus attacks, power failures and software faults.

• File deleted by a program that does not use the Recycle Bin or if the Recycle Bin was
emptied containing the file.

R-Studio

Source: http://www.data-recovery-software.net

R-Studio is a data recovery tool that uses advanced file recovery and disk repair technology in
order to recover files.


Data Recovery Pro

Source: http://www.paretologic.com

Data Recovery Pro scans for deleted email messages and recovers emails. It can even recover
deleted email attachments and partial files due to bad sectors. It has the ability to retrieve
missing files from many peripheral storage devices, including iPod Shuffle, iPod Nano, and iPod
Classic.

Recuva

Source: https://www.piriform.com

Recuva recovers pictures, music, documents, videos, emails or any other file type lost
accidentally from a Windows system, recycle bin or a memory card.

Total Recall

Source: http://www.totalrecall.com

Total Recall Data Recovery Software gets lost data back from hard drives, RAID arrays, photos,
deleted files and iPods; even removable disks connected via FireWire or USB are supported by
Total Recall.

Stellar Phoenix Windows Data Recovery

Source: http://www.stellarinfo.com

Stellar Phoenix Windows recovery software recovers photos, images, songs, movies, and other
multimedia files deleted or lost due to corruption or formatting of hard drives, memory cards,
or external storage.

Pandora Recovery

Source: http://www.pandorarecovery.com

Pandora Recovery allows finding and recovering deleted files from NTFS and FAT-formatted
volumes, regardless of their type. Pandora Recovery scans the hard drive and builds an index of
existing and deleted files and directories (folders) on any logical drive on the system with
supported file format.

GetDataBack

Source: http://www.runtime.org

GetDataBack software allows easy and fast recovery of data with NTFS, FAT and EXT formats.

Features of Get Data Back include:

• Recover the drive's data

• Restore the file names and directory structure

• Safe, read-only design

• One easy click, it is simple, simpler, simplest


• Lightning fast operation

• Supports all hard drives, SSD, flash cards, USB

• Newly redesigned and rewritten, using the newest technologies

• Supports NTFS, FAT12, FAT16, FAT32, EXT, EXT2, EXT3, EXT4

MiniTool Power Data Recovery

Source: https://www.powerdatarecovery.com


MiniTool Power Data Recovery program helps recover deleted, lost and damaged files from
Windows.


Mac Data Recovery Tools:

• DiskWarrior: http://alsoft.com
• Data Rescue: http://www.prosofteng.com
• AppleXsoft File Recovery for Mac: http://www.applexsoft.com
• Stellar Phoenix Mac Data Recovery: http://www.stellarinfo.com
• Disk Doctors Mac Data Recovery: http://www.diskdoctors.net
• FileSalvage: http://subrosasoft.com
• R-Studio for Mac: http://www.r-tt.com
• TechTool Pro: http://www.micromat.com
• Disk Drill: http://www.cleverfiles.com
• EaseUS: http://www.easeus.com

DiskWarrior

Source: http://alsoft.com

DiskWarrior will recover documents, photos, music and any other files from a Mac system.
AppleXsoft File Recovery for Mac

Source: http://www.applexsoft.com
AppleXsoft File Recovery scans and recovers damaged or deleted files from any type of storage
drive, including all hard disks, external hard drives and SSDs. It supports various digital
removable media such as SD cards, CF cards, CD/DVD, USB drives, etc.

Disk Doctors Mac Data Recovery

Source: http://www.diskdoctors.net

Disk Doctors Mac Data Recovery software recovers lost and deleted data from HFS+ and HFSX
file systems on Mac OS. Disk Doctors Mac Data Recovery software helps recover lost data with
simplicity matching the Mac OS.

R-Studio for Mac

Source: http://www.r-tt.com

R-Studio for Mac recovers files from HFS/HFS+ (Macintosh), FAT/NTFS/ReFS (Windows),
UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux) partitions. In


addition, raw file recovery (scan for known file types) can be used for heavily damaged or
unknown file systems. R-Studio for Mac also recovers data on disks, even if their partitions are
formatted, damaged or deleted.

Disk Drill
Source: http://www.cleverfiles.com
Disk Drill can scan and recover data from virtually any storage device - including internal Mac
hard drives, external hard drives, cameras, iPods, USB flash drives, Kindles and memory cards.

Data Rescue
Source: http://www.prosofteng.com
Data Rescue is hard drive recovery software that can recover your photos, videos and
documents from:

• Crashed, corrupted or non-mounting hard drives.

• Accidentally reformatted hard drive or reinstalled OS.

• A previous deletion, damaged or missing files


Stellar Phoenix Mac Data Recovery

Source: http://www.stellarinfo.com

Use Mac data recovery software to restore documents, photos, music or videos lost due to
deletion from any HFS, HFS+, FAT, ExFAT and NTFS format based file systems.
File Salvage

Source: http://subrosasoft.com

FileSalvage can recover files from a normal Mac OS hard drive, USB key, PC disk, Linux disk,
FAT32 disk, FLASH card, scratched CD, Digital Camera, iPod and almost any other media or file
system that can be recognized in a Mac OS.

TechTool Pro
Source: http://www.micromat.com

Tech Tool Pro's data recovery routines consist of three parts:

• Protection: Recover files/folders based on previously saved Directory Backup files.

• Drives: Recover files/folders based on scavenged directory data.

• Trash: Recover deleted files based on the Trash History.


RAID Data Recovery Tools:

• Seagate RAID Data Recovery: http://www.seagate.com
• Kroll Ontrack: http://www.krollontrack.com
• Disk Internals: http://www.diskinternals.com
• Salvage Data Recovery: http://www.salvagedata.com
• Stellar Phoenix RAID Recovery: http://www.stellarinfo.com
• Gillware Data Recovery: https://gillware.com
• Power Data Recovery: http://www.powerdatarecovery.com
• DataTech Labs: http://www.datatechlab.com
• ReclaiMe Free RAID Recovery: http://www.freeraidrecovery.com
• DTI Data: http://dtidatarecovery.com

Seagate RAID Data Recovery

Source: http://www.seagate.com
Seagate Recovery Services can successfully recover data from the very earliest to the most recent
NAS, SAN, and server RAID configurations on the market.

Disk Internals

Source: http://www.diskinternals.com
Disk Internals recovers all types of RAID arrays. It supports all configurations of RAID arrays,
including RAID 0, 1, 5, 0+1, and JBOD (span), and supports dedicated RAID controllers and
native RAID chipsets embedded into motherboards produced by Intel, NVIDIA, and VIA.
Stellar Phoenix RAID Recovery

Source: http://www.stellarinfo.com

Stellar Phoenix RAID Data Recovery Software recovers lost or inaccessible data from RAID 0, 5
or 6 hard drives. The tool has a full range of advanced features for recovering files, photos,
videos, documents and emails from Windows hard drives, external media and RAID servers.

Power Data Recovery

Source: http://www.powerdatarecovery.com
Power Data Recovery is able to recover lost RAID data.


ReclaiMe Free RAID Recovery

Source: http://www.freeraidrecovery.com

ReclaiMe Free RAID Recovery is designed for recovering RAID configuration parameters like:

• Disk order

• Block size

• Start offset and others

Kroll Ontrack

Source: https://www.krollontrack.com

Kroll Ontrack software allows recovery of data from RAID storage.

Salvage Data Recovery

Source: https://www.salvagedata.com

Salvage Data Recovery centers specialize in recovering all types of files and RAID servers.

Gillware Data Recovery

Source: https://gillware.com
RAID data recovery is done by recovering data from the individual failed disks and then
reassembling it based on the type of RAID system.
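The two-step RAID recovery just described (read each member disk on its own, then reassemble the array from its recovered configuration parameters: disk order, block size and start offset, as listed under ReclaiMe above), shown as an added example that is not part of the courseware or of any vendor's product. A 4-disk RAID 5 with parity rotating one disk to the left per stripe is assumed; the member images, the failure scenario and the shuffled drive order are constructed here.

```python
"""RAID 5 single-disk rebuild and reassembly (added example; not code from the
CND courseware or from ReclaiMe, Gillware or any other vendor named above).

Assumed layout: n member disks, parity block rotates one disk to the left each
stripe, data blocks fill the remaining disks in logical order. Every member
begins with start_offset bytes of controller metadata (constructed here).
"""


def xor_blocks(blocks):
    """XOR equal-length blocks together; this is RAID 5 parity."""
    out = bytearray(blocks[0])
    for block in blocks[1:]:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_disk(stripe, n_disks):
    """Assumed rotation: parity on the last disk for stripe 0, then one disk left."""
    return (n_disks - 1) - (stripe % n_disks)


def build_raid5(data, n_disks, block_size, start_offset):
    """Construct the member images (in logical order) that would hold `data`."""
    per_stripe = block_size * (n_disks - 1)
    if len(data) % per_stripe:
        data += b"\x00" * (per_stripe - len(data) % per_stripe)
    disks = [bytearray(b"\xaa" * start_offset) for _ in range(n_disks)]  # metadata
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_disks - 1)]
        parity = xor_blocks(blocks)
        next_block = iter(blocks)
        for d in range(n_disks):
            disks[d] += parity if d == parity_disk(s, n_disks) else next(next_block)
    return [bytes(d) for d in disks]


def rebuild_missing(members, block_size, start_offset):
    """Step 1: recover the single failed member by XOR-ing the survivors block by block."""
    if members.count(None) != 1:
        raise ValueError("RAID 5 tolerates exactly one failed member")
    missing = members.index(None)
    survivors = [m for m in members if m is not None]
    rebuilt = bytearray(start_offset)  # metadata area is not parity-protected; left zeroed
    for off in range(start_offset, len(survivors[0]), block_size):
        rebuilt += xor_blocks([m[off:off + block_size] for m in survivors])
    out = list(members)
    out[missing] = bytes(rebuilt)
    return out


def reassemble(members, order, block_size, start_offset):
    """Step 2: read the array back using the recovered parameters.

    `order[d]` is the physical slot holding logical member d; a wrong order
    interleaves the wrong blocks and yields garbage even though parity checks out.
    """
    logical = [members[slot] for slot in order]
    n = len(logical)
    data = bytearray()
    for s in range((len(logical[0]) - start_offset) // block_size):
        off = start_offset + s * block_size
        for d in range(n):
            if d != parity_disk(s, n):
                data += logical[d][off:off + block_size]
    return bytes(data)


def demo():
    """Constructed scenario: 4 drives pulled out of order, one of them dead."""
    block_size, start_offset = 16, 8
    original = b"".join(b"record %02d payload|" % i for i in range(12))  # constructed
    members = build_raid5(original, 4, block_size, start_offset)
    slots = [members[2], members[0], None, members[1]]   # logical member 3 has failed
    order = [1, 3, 0, 2]                                  # logical member -> physical slot
    rebuilt = rebuild_missing(slots, block_size, start_offset)
    rebuilt_ok = rebuilt[2][start_offset:] == members[3][start_offset:]
    recovered = reassemble(rebuilt, order, block_size, start_offset)
    wrong = reassemble(rebuilt, [0, 1, 2, 3], block_size, start_offset)
    return original, recovered, wrong, rebuilt_ok


if __name__ == "__main__":
    original, recovered, wrong, rebuilt_ok = demo()
    print("rebuilt member matches:", rebuilt_ok)
    print("correct order recovers data:", recovered[:len(original)] == original)
    print("wrong order recovers data:", wrong[:len(original)] == original)
```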

DataTech Labs

Source: https://datatechlab.com

DataTech Labs is a nationwide leader in professional data recovery services. This software deals
with deleted files, crashed hard drives or a failed RAID.

DTI Data

Source: http://dtidatarecovery.com

DTI Data Recovery can restore or recover RAID 5, SAN, NAS, Snap Server and many others.


SAN Data Recovery Tools:

• Kroll Ontrack SAN Data Recovery: http://www.krollontrack.co.uk
• Datarecovery.com's SAN Recovery: http://www.datarecovery.com
• DriveSavers SAN Data Recovery: http://www.drivesaversdatarecovery.com
• DTI DATA RAID SAN Restoration: http://dtidatarecovery.com
• Data Recovery Group: http://www.datarecoverygroup.com
• CBL SAN Data Recovery: http://www.cbldatarecovery.com
• Geeksnerds SAN Recovery: http://www.geeksnerds.co.uk
• Stellar SAN Data Recovery: http://www.stellardatarecovery.co.uk
• EaseUS: http://www.easeus.com
• UFS Explorer: http://www.ufsexplorer.com

Kroll Ontrack SAN Data Recovery

Source: http://www.krollontrack.co.uk
Kroll Ontrack can be used to restore the original data on a SAN's shared pool storage
architecture.

DriveSavers SAN Data Recovery

Source: http://www.drivesaversdatarecovery.com
DriveSavers can be used to recover data from all operating systems and all types of high-
capacity storage environments including SAN, NAS, RAID, tape and multi-disk servers.

Data Recovery Group

Source: http://www.datarecoverygroup.com

Data Recovery Group is a data recovery service used for recovering data from desktop drives,
laptop drives, external drives, servers, Network Attached Storage devices (NAS), Storage Area
Network devices (SAN), flash drives and camera media.

Geeksnerds SAN Recovery

Source: http://www.geeksnerds.co.uk
Geeksnerds offers data recovery services for SAN devices. It recovers data from almost all
manufacturers of SAN devices.


Datarecovery.com's SAN Recovery

Source: https://datarecovery.com
Datarecovery.com's SAN services recover or restore your SAN without the expensive downtime.

DTI DATA RAID SAN Restoration

Source: http://dtidatarecovery.com

DTI Data Recovery can restore or recover your RAID 5, SAN, NAS, Snap and many others.

CBL SAN Data Recovery

Source: http://www.cbldatarecovery.com
CBL provides data recovery services for a failed Storage Area Network (SAN), disk drives in
laptops, desktops, servers, RAID arrays and tape cartridges.
Stellar SAN Data Recovery

Source: http://www.stellardatarecovery.co.uk

Data Recovery Services by Stellar facilitates secure data recovery for all hard drives, RAID, SSDs,
SAN/ NAS and for encrypted drives.

UFS Explorer
Source: http://www.ufsexplorer.com

UFS Explorer is used for data recovery from distributed SAN systems.


NAS Data Recovery Tools:

• DataRecoveryGroup: http://www.datarecoverygroup.com
• ReclaiMe NAS Data Recovery: http://www.reclaime.com
• Krollontrack NAS Data Recovery: http://www.krollontrack.co.uk
• ZARX: http://www.z-a-recovery.com
• Runtime Software's NAS Data Recovery: https://www.runtime.org
• Uneraser: http://www.diskinternals.com
• DIY DataRecovery iRecover: http://www.diydatarecovery.nl
• Seagate Rescue Data Recovery: http://www.seagate.com
• UFS Explorer: http://www.ufsexplorer.com
• DriveSavers: http://www.drivesaversdatarecovery.com

DataRecoveryGroup

Source: http://www.datarecoverygroup.com

The Data Recovery Group routinely recovers data from:

• Single or multiple disk failure

• Failed software or operating system upgrades

• Mechanical failure (clicking and buzzing)

• Virus attack

• System crash

• Accidental deletion of data or reformat of NAS volume

• Physical damage (fire, water, smoke, etc.)

• Power surge causing physical or logical corruption

• Data could not be viewed due to security system failure

Krollontrack NAS Data Recovery

Source: http://www.krollontrack.co.uk

Kroll Ontrack provides data recovery services for failed and damaged DAS, SAN and NAS storage
systems.


Runtime Software's NAS Data Recovery

Source: https://www.runtime.org

NAS Data Recovery is capable of recovering the entire content of the broken NAS. NAS Data
Recovery works for all XFS or EXT-formatted single-drive, RAID-0, RAID-1, or RAID-5 NAS
stations from manufacturers such as Buffalo, Seagate, Western Digital, D-Link or Iomega.

DIY DataRecovery iRecover

Source: http://www.diydatarecovery.nl

iRecover is used to recover data from hard disks, memory cards, RAID arrays and Network
Attached Storage (NAS) devices.

UFS Explorer
Source: http://www.ufsexplorer.com

UFS Explorer is capable of restoring lost data from a NAS. When the NAS disks are organized in
a RAID system, UFS Explorer RAID Recovery is useful for the recovery and reconstruction of the
RAID.

ReclaiMe NAS Data Recovery

Source: http://www.reclaime.com

The ReclaiMe software recovers data from a NAS, hard drives, memory cards, USB drives and
RAID arrays.

ZARX
Source: http://www.z-a-recovery.com

ZAR X NAS data recovery provides data recovery for Windows and Linux.

Uneraser
Source: http://www.diskinternals.com

DiskInternals Uneraser recovers lost data, undeletes deleted files and documents and recovers
entire folders. It uses a unique signature scan algorithm to locate and successfully recover
supported documents(*) stored on formatted disks and memory cards.

Seagate Rescue Data Recovery

Source: http://www.seagate.com

Seagate Rescue Data Recovery involves recovery of a RAID controller failure, lost RAID
configuration, accidental reconfiguration and re-initialization of the RAID array, missing RAID
partitions, reformatted RAID partitions, virus damage, natural disaster, human error and drive
failures.


DriveSavers
Source: http://www.drivesaversdatarecovery.com
DriveSavers recovers data from NAS devices that have failed mechanically. It provides
unparalleled data recovery and digital forensic services for all NAS systems.


□ The backup is used when the primary data source is accidentally/intentionally lost or
corrupted

□ Data backup plays a crucial role in maintaining business continuity

□ Select a backup solution which best suits the organization's requirements

□ Organizations are adopting SAN/NAS devices as one of the options for their data
backup process

□ A majority of lost data situations is recoverable. In some cases, the damage is
permanent and the data cannot be recovered

In this module, the importance of performing regular backups of an organization's critical data
was covered. The module also talked about how to plan and execute a data backup for the
organization and provided comprehensive guidelines for selecting the appropriate method,
type, media and software according to the backup plan. By completing this module, you
now have the skills to effectively and efficiently design and execute a backup plan for your
organization.

Network Incident Response and Management
Module 14

Certified Network Defender Exam 312-38
Network Incident Response and Management

Module 14: Network Incident Response and Management


Module objectives:

• Understanding Incident Handling and Response (IH&R)
• Discussing the roles and responsibilities of the Incident Response Team (IRT)
• Describing the role of the first responder
• Describing first response activities for network administrators
• Describing the Incident Handling and Response (IH&R) process
• Understanding forensic investigation
• Identifying the people involved in forensics investigation
• Explaining forensics investigation methodology

Organizations must deal with various security incidents which may compromise their network,
data or physical security. These security breaches decrease an organization's brand value and
cost the company millions of dollars. These negative repercussions often are responsible for the
loss of prospective customers. A proper incident handling and response management plan will
help an organization handle and recover from security incidents. This saves an organization
from financial loss and reputation damage.
This module focuses on incident response and management. It will teach you the various steps
involved in incident response and the management required to deal with problems. This
module also describes the importance of the first responder in an incident response and
management process.


Incident handling and response (IH&R) is a process of taking organized and careful steps when
reacting to a security incident

It involves a sequence of steps beginning when an incident is first identified and reported

IH&R processes differ from organization to organization according to their business and
operating environment

The Incident Response Team (IRT) works on an incident response plan when dealing with a
security incident

Incident handling and response is a set of procedures, actions and measures taken against an
unexpected event occurrence. The purpose of incident handling and response is to quickly and
efficiently recover from a security incident. It is required to identify any attacks which have
compromised personal and/or business information.

Incident response is required to:

• Protect systems: Protect the computers used either by an organization or an individual
from future incident attacks.

• Protect personnel: Protect the personal information and data stored in the compromised
system.

• Deal with legal issues: To efficiently handle legal issues to stop future incidents.

• Efficiently use the resources: Ensures organizational resources are used efficiently by
legitimate users.

Incident handling and response involves three major actions:

1. Incident analysis: The detection and confirmation of incidents.

2. Reporting Incident: Reporting the incident to management, in-house staff or an external
IRT.

3. Incident response: A series of steps to contain, investigate, eradicate and recover from
security incidents.


Incident handling and response (IH&R) goals and advantages:

• Goals:

• To detect if an incident occurred and if it is an actual security incident or a false
positive.

• To maintain or restore business continuity.

• To reduce the impact of an incident.

• To analyze the cause of an incident.

• To prevent future attacks or incidents.

• To improve security and incident response.

• To prosecute illegal activity.

• Advantages of Incident Handling and Response:

• Equips the organization with safe procedures to be followed when an incident occurs.

• Saves time and effort, which is otherwise wasted when fixing an encountered incident.

• Helps the organization learn from past experiences, and then recover from losses
more quickly.

• The skills and technologies required to tackle an incident are determined in advance.

• Saves the organization from legal consequences arising from a severe incident.

• Helps determine similar patterns in incidents and handle them more efficiently.


Incident Response Team Members: Roles and Responsibilities

Depending on the organization, an in-house or an external IRT team will hold different titles,
roles and responsibilities for an incident response.

• Management: An individual or group of individuals from a management team who has
leadership and decision-making authority

• Information Security Team: An individual from the information security team who has
experience in discovering and containing incidents

• IT Staff: An individual who is aware of the information system and network areas. They
may be system or network administrators

• Physical Security Staff: An individual who is responsible for the physical security and
identifying the extent of any damage

• Attorney: An individual responsible for providing legal advice

• HR Representative: An individual responsible for handling issues with employees who were
involved in an incident

An IRT is responsible for handling and responding to security incidents. The IRT is broadly
classified into in-house IRT (internal) and external IRT.

Internal IRT
An internal IRT offers its incident response services to its own organization.

National IRT
A national IRT focuses on providing its complete services for its nation. For example: The Japan
Computer Emergency Response Team Coordination Center (JPCERT/ CC).

Coordination centers
Work across various IRTs to coordinate and facilitate incident handling. They do this for any
particular country, state, research network, or entities.

Analysis centers
The main aim of an analysis center is to find out the latest trends and patterns occurring in
incident activities and for creating data points across various sources. This information helps
predict future activities and/or provides a warning when present activities match up to the
previously determined characteristics.


Vendor teams
Vendor teams coordinate with the organizations who report and track vulnerabilities. There are also vendor teams that provide incident handling services internally for their particular organizations.

Incident response providers
Incident response providers grant assistance regarding incident handling services to paid clients.

Incident Response Plan

The IRT creates an incident response plan before handling and responding to incidents. An Incident Response Plan (IRP) is a set of guidelines that are followed when responding to an incident in a dedicated and formal manner. The plan contains the elements required for executing the incident response effectively, including response instructions for any detected incidents. The IRP reflects the company's characteristics such as size, structure and functions, and identifies the resources required for managing incidents.

• An IRP should include:
  • Aim of the incident plan
  • Objectives and approaches
  • Incident response methodology
  • Standards to assess incident response efficiency
  • Observing the current status of incident response

• Components of an IRP:
  • Name and contact information of the incident response team
  • System details such as data flow diagrams and network diagrams relevant to the incident
  • The complete process required while recording and handling an incident
  • Report security incidents to the Information Security and Policy (ISP), which appoints a security analyst to handle the incident
  • Respond to the incident in a timely manner


The IRT acts as the first responder to an incident. Typical roles and responsibilities of IRT members may vary based on the organization's incident handling and response activities.

• Management: In an organization, management is the top-most authoritative decision maker. It may be a single entity or a group of entities who are required to make decisions during an incident. Management should be the first entity made aware when an incident occurs. Management decides the steps to be taken after the detection of an incident is confirmed.

• Information Security Team: The team consists of a group of individuals who have the skills to detect and analyze security incidents. They can readily identify the nature, category, and scope of the incident.

• IT Staff: IT staff are individuals who are either system or network administrators. They detect the incident by analyzing network traffic, system logs, service packages and patches, etc., and report it to management or the IRT. They can execute first response steps to avoid further damage.

• Physical Security Staff: The physical security staff contribute to the handling of and response to physical security incidents. They can also be the first responder to a physical security incident. The staff actively report the occurrence of physical security incidents such as fire, theft, damage, and unauthorized access to management.

• Attorney: The attorney is a legal advisor for the organization. An attorney plays a major role in making sure any evidence collected is admissible in a court of law. They can also help an organization recover from a financial loss due to an incident.

• HR Representative: An internal employee may be involved in a security incident. In these situations, HR becomes involved when the IRT detects that an internal employee is involved in the security incident. HR provides the IRT with the best possible solution for dealing with any employee involved in an incident.


Incident Response Team Members: Roles and Responsibilities (Cont'd)

PR Specialist: An individual responsible for conveying company details after an incident
Financial Auditor: An individual who assesses the financial loss to a company from an incident
IR Officer: An individual responsible for all actions of the IR Team and IR function. They may be an executive-level employee, such as a CISO, or another corporate representative
IR Manager: An individual who receives the initial IR alerts and leads the IR Team in all the IR activities
IR Assessment Team: A group of individuals who make decisions on the classification and severity of the incident identified. The team is comprised of representatives from IT, Security, Application, Support and other business areas
IR Custodians: Individuals responsible for the remediation and resolution of the incident which occurred. They are made up of technical experts and application support representatives


PR Specialist
This department serves as the primary contact for the media and informs the media about an event. They update the website information, monitor media coverage, and are responsible for stakeholder communication including:

• Board
• Foundation personnel
• Donors
• Suppliers/vendors

Financial Auditor
Financial auditors are the individuals who assess the financial loss of the organization after an incident. It is the responsibility of the auditor to include each and every loss which occurred as a result of the incident. The auditor is responsible for reporting the financial imbalance in the organization's accounts.

IR Officer
The IR officer is an individual who oversees all the incident response activities in an organization. The IR officer is an executive employee who is responsible for how the IR Team functions. Every action conducted by the IR Team is reported back to the IR officer, who further reports to the management of the organization.


IR Manager
The incident manager must be a technical expert who understands security and incident management. The incident manager focuses on the incident and analyzes how to handle it from both a management and a technical point of view. They are responsible for the actions performed by the incident analysts and report the information to the incident officer.

IR Assessment Team
They are the individuals who prioritize an incident based on the amount of loss it caused to the organization. The team comprises individuals from various domains such as IT, security, application support and other business areas.

IR Custodians
They are either technical experts or application support representatives. The role of IR custodians comes into play during an application incident. To provide a remedy for the incident, IR custodians create an action framework which is then shared with management.


A first responder is an individual who arrives first at the crime scene and brings the incident to the attention of others.

They could be an end user, network administrator, law enforcement officer and/or an investigation officer.

The first response includes the following roles and responsibilities (depending on who is the first responder):

I. Reporting the incident
II. Alerting the management and incident response teams
III. Containing the intrusion
IV. Identifying the crime scene
V. Collecting the complete information about the incident
VI. Protecting the crime scene
VII. Documenting all the findings
VIII. Preserving temporary and fragile evidence
IX. Packaging and transporting the electronic evidence

The term first responder refers to the people who arrive first at the crime scene and gain access to the victim's computer system after the incident report. A first responder may be a user, network administrator, law enforcement officer, or investigation officer. They are responsible for protecting, integrating, and preserving any evidence obtained from the crime scene.

The time gap between the occurrence of an incident and the transference of evidence is an important aspect of incident response. It is the responsibility of the first responder to maintain the reliability and integrity of the evidence. The method adopted by the first responder is very important in preserving the evidence and finding the attackers. The first responder needs to have a dedicated and well-organized plan when responding to any type of incident. It is the first responder who collects the initial information and determines the extent and impact of the attack or incident. This allows other people involved in handling the incident to determine what further courses of action may be required for investigating the incident.

An experienced first responder can readily apply good forensic techniques when they respond to an incident in its initial stages. They can predict the extent to which any change in the evidence may affect the subsequent investigation. This proficiency is an extra asset in maintaining the availability, integrity and reliability of the evidence. The first responder always needs to understand the importance of their role, as it strongly affects the security and efficiency of the organization.

The role of any first responder is to prioritize according to the severity of the incident, gather evidence for the incident which has occurred, and minimize experimentation on the suspected devices. This ensures enough data is provided for the other investigators to solve the issue.


Also, first responders should be trained to gather evidence without changing any of the services running at that moment. Evidently, this is a critical task for first responders as they have to gather evidence before it is lost.

Not every piece of evidence gathered will lead to a complete investigation of the incident. However, first responders need to have the complete picture of the methods used in handling the incident in the initial stages, as different incidents require different methods of approach.

First Response Rule

• Under no circumstances should anyone, except the forensic analysts, make any effort to collect or recover the data from any computer system or electronic device that holds electronic information.

• Remember, any information present inside the collected electronic devices is probable evidence and should be treated accordingly.

• Any attempts to retrieve data by unqualified individuals should be avoided. These attempts could either compromise the integrity of the files or result in the files being inadmissible in legal or administrative proceedings.

• The workplace or office must be secured and protected to maintain the truthfulness and quality of the crime scene and the electronic storage media.


Network Administrators as First Responder

• Network administrators spend a lot of time in network environments and are familiar with the network traffic, performance and utilization, network topology, location of each system, security policy, etc.

• They play a key role as a first responder when security incidents occur. They can detect the source of the incident and determine the systems which are affected.

• If they are not aware of the incident response procedures, any response to the incident will be delayed. This can, and most often does, increase the potential impact, and evidence is more often than not corrupted and/or lost.

Network administrators generally act as first responders to many security incidents in an organization. The main responsibilities of the first responder include finding the source of the incident and preventing the infection from spreading to other systems. The role of a first responder can be hectic. However, the decisions taken by a first responder can prevent an attack from going haywire.

It is the network administrator who has knowledge of the network topology, network traffic, important assets and information systems of the organization. They can readily detect the type of incident, its severity, and its location in an organization. They are expected to be completely equipped with all the tools and knowledge required for dealing with an incident as a first responder. This is a major reason why network administrators must have good knowledge regarding incident response and forensic investigation procedures. Ultimately, a first responder is responsible for gathering all the information and preventing evidence tampering. This is to ensure any evidence collected can be useful during legal proceedings.

Responsibilities of a network administrator as a first responder include:

• Monitor networks and systems for intrusions.
• Identify all vulnerabilities in the network and systems.
• Create a set of rules and procedures in order to handle incidents.
• While handling an incident, they must have knowledge regarding legal proceedings.


What Should You Know?

You should review the organizational incident response plan, which contains the following:

• Names and contact information of the local IRT
• Escalation procedures
• Procedures for reporting and handling a suspected incident
• Containment actions for various types of incidents

An organization should have an incident response plan which includes a set of procedures and actions required when responding to security incidents. The administrator must review the incident plan of their organization and suggest or implement changes to the incident response plan as required.

A typical incident response plan includes:

• Contacts of IRT: Contact information for the IRT. It will help a first responder to immediately contact the IRT when an incident occurs. Having the IRT immediately at the location of the incident will help minimize any delay in responding to an incident.

• Escalation Procedures: First responders must know who to contact and report the incident to. There will be certain escalation procedures for the first responder which will help them report the incident without any delay.

Administrators collect and document certain information before escalating the incident. It includes:

• IP address and physical location of the affected systems
• Type of data on the systems
• Timeline of activities the system/user went through before the incident
• How the incident was detected
• Number of users affected


• Procedure for reporting and handling an incident: Network administrators must be aware of reporting and incident handling procedures.

• Containment actions: The incident response plan includes containment actions for all types of security incidents. Different containment actions are required for different types of incidents. Network administrators should be aware of containment actions for various types of security incidents. It helps to prevent further damage to an organization. Network administrators ensure evidence is not tampered with or completely lost during containment activities.


First Response Steps by Network Administrators

• Avoid Fear, Uncertainty and Doubt (FUD)
• Incident Assessment
• Communicate the Incident
• Contain the Damage
• Control access to the suspected device
• Prepare the information about the suspected device
• Record Your Actions
• Restrict yourself from doing the investigation
• Do not change the state of the suspected device
• Disable Virus Protection

The biggest challenge facing an organization is the unavailability of a first response after the incident has occurred. Lack of the knowledge or skills required for a first response will only make things worse for the organization.

If the first responder is not adequately trained or not aware of first response procedures, they will not be able to:

• Provide the expected first response to an incident.
• Escalate the incident properly.
• Contain the incident properly.


Avoid Fear, Uncertainty and Doubt (FUD)

• If you have discovered an incident, do not panic
• Do not perform actions which will damage the integrity of the evidence
• Escalate and consult with management or in-house computer forensics investigation team quickly

FUD is not a new concept for organizations. Any incident can create an environment of fear and anxiety among the team. A security incident outbreak is often very stressful, combined with lots of doubt and uncertainty. Decisions made in fear and anxiety will worsen the situation. Usually, small-sized companies do not have an incident response team. In such scenarios, the first responders usually lack the confidence required in dealing with an incident.

Providing a first response in fear or uncertainty can forgo certain important and resourceful information related to the incident. If this happens, it can mislead the investigation team, causing delays in finding the reason the incident occurred. A decision made while panicking can affect the quality of the evidence.

You should be proactive and confident while providing a first response to an incident. If you are unsure about the decision to make during a first response, you should consult with top management, the information security team or the in-house IRT.


Make an Initial Incident Assessment

If you find any indications of a security incident on your network:

► Check whether it is an actual incident or a false positive
► Identify the type and severity of the security incident

Types of incidents and their descriptions:

• Unauthorized Access: An attacker gains unauthorized access to system resources
• Denial of Service (DoS): An attack resulting in the unavailability of services for authorized network users
• Malicious Code: Malware (e.g. virus, worm, Trojan horse, keyloggers, spyware, rootkits, backdoors, etc.) infecting operating systems and/or applications
• Improper Usage: Individuals in the organization using system resources against acceptable usage policies
• Scans/Probes/Attempted Access: Activities undertaken by attackers to identify open ports, protocols, services, etc. for later exploitation of an information system
• Multiple Component: An incident which encompasses two or more of the incident types mentioned above

The network administrator should conduct an initial assessment once an incident has been identified. An initial assessment helps you determine the following points:

• Source of the incident.
• Whether the incident is a false positive or an actual incident.
• The severity of the incident, which helps in taking immediate action and minimizing the risk.
• All the actions performed during the occurrence of the incident, which should be noted down.

An initial assessment provides an outline of the type of attack that occurred. The information recorded in this stage is useful in containing the damage and avoiding risk. Further handling of the incident depends on the facts developed in the initial assessment phase.

Administrators should record information such as:

• Features of the incident
• Date and time the incident occurred
• Incident indication list
• Impact scope of the incident
• Nature of the incident or the type of attack


Low-Level Incidents
The least-severe incidents, which are supposed to be handled within one day after the incident occurs:
► Loss of personal password
► Unsuccessful scans and probes
► Request to review security logs
► Presence of any computer virus or worms
► Failure to download antivirus signatures
► Suspected sharing of the organization's accounts
► Minor breaches of the organization's acceptable usage policy

Middle-Level Incidents
Comparatively more serious than low-level incidents and thus should be handled the same day the event occurs:
► In-active external/internal unauthorized access to systems
► Violation of special access to a computer or computing facility
► Unauthorized storing and processing data
► Localized worm/virus outbreak
► Computer virus or worms of comparatively larger intensity
► Breach of the organization's acceptable usage policy

High-Level Incidents
Should be handled immediately after the incident:
► Denial of Service attacks
► Suspected computer break-in
► Computer virus or worms of highest intensity; e.g. Trojan, back door, etc.
► Changes to system hardware, firmware, or software without authentication
► Destruction of property exceeding $100,000
► Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale

The severity of an incident is an important measure of the impact on the security of an organization. It determines the urgency in handling an incident, the level of expertise required in handling the incident and the extent of the response.

The severity of an incident is determined by:

• Impact of the incident: Determines the extent of the damage or impact of the incident on the organization.

• Criticality of the service: Determines the level of dependency of other services on the affected service.

• Confidentiality of the information: The sensitivity of the information stored on the affected service.

• Probability of spread: The rate at which other systems or services are affected by the incident.

Organizations categorize the severity of incidents as:

• High-Level Incidents:
  • The incident has a high chance of affecting a large number of systems or services in an organization.
  • The impact of the incident may lead to a financial crisis.
  • Affects the major functioning and operations of the organization.


• Medium-Level Incidents:
  • The incident has a chance of affecting at least half of the systems or services in an organization.
  • Affects a non-critical system or service.
  • Disrupts the normal working of the organization.
  • The incident has a tendency to propagate to other systems or services.

• Low-Level Incidents:
  • Affects only a few systems or services in an organization.
  • Less chance of affecting the functional and operational aspects of an organization.
  • No chance of propagating to other systems or services.


Communicate the Incident

If you suspect a security incident has occurred, you should be able to quickly identify who must be contacted inside and/or outside of the organization.

You should quickly communicate the breach to the in-house IRT or management.

Your quick response will minimize the extent of the damage.

The incident response plan will include procedures and points of contact for the communication of incidents. It may include:

• A clear idea of who to contact
• The contact team or person should be an expert in handling the incident
• A dedicated team for contacting any external team for incident handling

They contact these people or teams through the phone, SMS or e-mail contacts listed for immediate communication.


Contain the Damage: Avoid Further Harm

• Whether to disconnect the suspected device from the network or let it stay connected to the network must be decided by the forensic examiner or incident response team

• Both courses of action may have adverse side effects on the forensics investigation

  ► If you disconnect the device from the network when an attack is in progress, the forensic investigator may not find evidence that would have been found had the device stayed connected

  ► If you allow the device to stay connected to the network, it may cause further harm to your network as the attack proceeds and succeeds

• You should coordinate with the forensic investigation team to find any evidence and at the same time ensure it will not cause any further harm

Administrators have to take appropriate care while containing the incident. The process for containing the incident may take different approaches for different types of incidents. Common actions that help administrators avoid further harm to the organization:

• Prioritizing components.
• Figuring out the sensitive data, hardware and software.
• Do not notify all employees regarding the incident.
• Distinguish the instances wherein the incidents need to be handled offline or online.
• Determine all the areas that are more likely to be attacked and implement methods to prevent it.
• Build a new system with all services and requirements, with new administrative and service account passwords.


Control Access to Suspected Devices

• Physically secure the device that seems to be compromised or can become potential evidence
• Keep the device under observation until a forensics expert arrives at the location
• Secure any and all supporting devices such as mobiles, CDs, DVDs, flash media, cables, etc., attached or found near the suspected device
• Control access to the device or devices by keeping them under lock and key

Administrators should understand the importance of securing the evidence during their first response. They should implement and execute certain preventive measures to control access to a suspected device:

• Secure the device: Administrators should securely maintain the devices that were compromised or were the source of the incident. These devices can be potential evidence during an incident investigation.

• Scrutiny of devices: Administrators should keep the devices under observation and should not tamper with the devices until the forensic team arrives. Tampering with the devices can lead to loss of evidence, thus affecting the incident investigation.

• Secure supporting devices: Apart from the suspected device, administrators should also gather all the other devices or media that were found near the suspected devices. Leaving any such evidence behind can change the course of an investigation action plan.

• Control access to the device: No other user or employee should have access to the suspected or evidence device.

The scrutiny of the devices depends on the first responder; any damage or tampering with the devices can affect the investigation procedure. If the premises can be locked down, the first responder should lock the premises until the arrival of the forensic team.


Collect and Prepare Information


about Suspected Device

Note down all Information related to the suspected device

It will help the investigator with the forensics investigation

.J You want to note the following information:

► Who, what, when and how the problem was discovered

► IP address

► System time

► System Name

► Services or applications running on the system

► Any other relevant information about the crime

Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Administrators should collect and prepare any and all information relevant to the incident
during their first response. Gathering firsthand information during this time is useful in the
forensics investigation. It will be helpful for investigators if the first responder documents the
changes the affected system went through from the time the incident occurred until the arrival
of the forensic team. If the system is still on, administrators should note down all the
information gathered related to the incident. This information can help the forensic team
during their investigation.

• Who, what, when and how the problem was discovered: Recording this information helps
the investigator examine the initial findings of the incident.

• IP address: An investigator is required to keep records of the IP addresses of all the
affected machines. Such machines should not be connected to the network, to avoid
replication of data.

• System time: Knowing the system time when the incident occurred is vital to an
investigator. Using this information, they can monitor the changes the system is going
through across the entire timeframe.

• Running services or applications: Incidents can be caused by applications or services
running on the system, so it is necessary to keep a record of them.


• Any other relevant information about the crime: An administrator must save any findings
relevant to the incident. If any handwritten notes were found near the suspected device,
the first responder should preserve the note and record the content as a copy, per the
incident response procedures.


• Note down all actions you have taken upon discovering the incident

• It must be done for an actual attack as well as any false positives

The information you should take note of:

► Date/time of action
► Witnesses to support your action

The logs of the first responder should be descriptive. The responder should record the
actions in sequence; if the actions are not in chronological order, they confuse the investigator.
Responders should avoid writing any speculation in their record. Only facts should be recorded,
as these are the most vital to uncovering the incident.

For example, do not document the action as, "The web browser started receiving various
pop-ups after the attack". An ideal record of the action should be, "Unknown pop-ups were
displayed on a Google Chrome browser for thirty minutes after the incident occurred".

If a network device or an external drive is also affected, the responder should note down the
serial number or part number of the device. The first responder should also record the
statements of the users whose systems were affected by the incident.
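The two checklists above (facts about the suspected device, and the responder's own dated, witnessed actions in chronological order) can be kept in one structured record. The following Python is an added example, not code from the courseware; the field names, the ordering rule and the sample entries in example_log() are constructed for illustration. It records the suspected system's own clock next to the responder's, because the skew between them is what later lines the host's logs up with the responder's timeline.

```python
"""First responder notes: facts about the suspected device plus a
chronological log of the responder's own actions.

Added example, not part of the EC-Council courseware. Field names, the
ordering rule and the sample entries in example_log() are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List


@dataclass
class DeviceInfo:
    """The checklist items from the slide, one field each."""
    discovered_by: str          # who discovered the problem
    what: str                   # what was observed
    discovered_at: datetime     # when it was discovered (responder's clock)
    how: str                    # how it was discovered
    ip_address: str
    system_time: datetime       # the suspected system's own clock, read at discovery
    system_name: str
    services: List[str] = field(default_factory=list)
    other: str = ""             # anything else relevant (notes found nearby, etc.)

    def missing(self) -> List[str]:
        """Checklist items still empty; 'other' is optional."""
        required = ["discovered_by", "what", "how", "ip_address", "system_name", "services"]
        return [name for name in required if not getattr(self, name)]

    def clock_skew_seconds(self) -> float:
        """System clock minus responder clock; needed to align host logs with the timeline."""
        return (self.system_time - self.discovered_at).total_seconds()


@dataclass
class Action:
    taken_at: datetime
    description: str
    witnesses: List[str]


class ResponderLog:
    """Append-only action log that refuses out-of-order or unwitnessed entries."""

    def __init__(self, device: DeviceInfo):
        self.device = device
        self.actions: List[Action] = []

    def record(self, taken_at: datetime, description: str, witnesses: List[str]) -> None:
        if self.actions and taken_at < self.actions[-1].taken_at:
            raise ValueError("actions must be logged in chronological order")
        if not witnesses:
            raise ValueError("each action needs at least one witness")
        self.actions.append(Action(taken_at, description, list(witnesses)))

    def render(self) -> str:
        """Plain-text hand-over note for the forensic team."""
        d = self.device
        lines = [
            f"Device {d.system_name} ({d.ip_address}); discovered by {d.discovered_by} "
            f"at {d.discovered_at:%Y-%m-%d %H:%M} via {d.how}: {d.what}",
            f"System clock skew: {d.clock_skew_seconds():+.0f} s",
            "Running services: " + ", ".join(d.services),
        ]
        for n, a in enumerate(self.actions, 1):
            lines.append(f"{n}. {a.taken_at:%H:%M} {a.description} "
                         f"(witnesses: {', '.join(a.witnesses)})")
        return "\n".join(lines)


def example_log() -> ResponderLog:
    """Constructed sample: a workstation showing pop-ups, as in the text's example."""
    dev = DeviceInfo(
        discovered_by="help desk (ticket #1234)",   # constructed value
        what="unknown pop-ups displayed in Google Chrome",
        discovered_at=datetime(2024, 3, 4, 9, 30),
        how="user report to help desk",
        ip_address="192.0.2.15",                    # documentation range, constructed
        system_time=datetime(2024, 3, 4, 9, 27),    # host clock three minutes behind
        system_name="WS-FIN-07",
        services=["chrome.exe", "svchost.exe", "OneDrive.exe"],
    )
    log = ResponderLog(dev)
    log.record(datetime(2024, 3, 4, 9, 32),
               "Unplugged network cable; device left powered on", ["J. Doe"])
    log.record(datetime(2024, 3, 4, 9, 35),
               "Photographed screen; no keyboard input given", ["J. Doe", "A. Lee"])
    return log
```

Calling example_log().render() produces the hand-over text; record() raising on a back-dated entry is what keeps the log in the order the investigator needs.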


Restrict Yourself from Doing Investigation

• Evidence collection is a major part of uncovering an incident. Even though you may succeed
in locating potential evidence, it will no longer be admissible in court

• The integrity of the evidence is of utmost importance. If not handled properly, it could be
lost or even destroyed during evidence collection

• A result of not doing this properly could very well put you in the direct line of fire
regarding legal punishment

First responders should not involve themselves in the investigation of the incident. If the first
responder is not well-versed in the forensics investigation process or not trained in forensics
investigation techniques, any attempt at performing forensics can, and most often does, lead
to damage of potential evidence. Even though the first responder might be aware of the
reason for the incident, they should not proceed on their own. First responders should wait
until they are authorized by the forensic team or management.
Even if the first responder carries out the forensics investigation and collects the evidence,
the integrity of the evidence will no longer be valid in court. This is because a first responder
is not an expert in performing a forensics investigation, so there is a chance the integrity of
the evidence will be lost or tampered with. The evidence collected will no longer be accepted
in court, as it was not collected by an expert forensics investigator, who normally ensures that
the evidence is collected in a forensically sound manner. Moreover, if first responders do so,
the organization is entitled to take legal action against the first responder.


Do Not Change the State of Suspected Device

• Don't change the state of the suspected device

For example,

► If the suspected device is ON, then leave it ON
► If the suspected device is OFF, then leave it OFF

• Changing the state may destroy any valuable evidence

The first responder should not tamper with the state of the suspected device. Altering the
state of a system leads to massive changes in the evidence collected. Actions like a system
restart or shutdown force the system to make internal changes, thereby making it difficult for
the investigators to properly investigate the incident. Any change made to the state of the
suspected device has adverse effects on the quality of the evidence or can completely destroy
it. As a first responder, make sure you always leave the system in the same state as when the
incident occurred.

For example, if the suspected device is ON, the first responder should not turn it off until
advised to by the forensic investigator. If the suspected device is in a shut-down state, the
first responder should not turn it on.


Disable Virus Protection

• Antivirus software can access files or change their time/date stamp values during its
automated scanning process

• Some antivirus software can automatically delete suspected files, hacking tools, etc.
present on the device

• It may have adverse effects on the forensic investigation

Antivirus software installed on a suspected system may create problems when collecting
evidence during a forensics investigation. Antivirus software running on the system may delete
or change the state of the evidence as it accesses each file and alters its timestamp. At times, it
can even remove files which are potential evidence. Hence, security experts suggest that a
first responder should disable the virus protection systems as soon as they encounter an incident.


Incident Handling and Response Process

• Preparation for Incident Handling and Response
• Detection and Analysis
• Classification and Prioritization
• Notification
• Containment
• Forensic Investigation
• Eradication and Recovery
• Post-incident Activities

[Flowchart: incident handling and response process. Recoverable labels: "Administrator
Suspects an Incident"; "IT Dep. Send"; "Incident"; "Resolved?" (YES / NO); "Close Incident
Report".]


The incident handling and response process differs from organization to organization according
to their business and operating environment. A framework is defined that can be utilized to
create a sound incident handling and response process for your organization.

Every incident handling and response process clearly defines rules such as the following:

• Restore the normal state of the system in the shortest possible time

• Minimize the impact of the incident on other systems

• Avoid further incidents

• Identify the root cause of the incident and rectify it as quickly as possible

• Assess the impact and damage of the incident and try to recover the corrupted or deleted
data

• Update security policies and procedures as needed

• Collect evidence to support the succeeding investigation

Determining the Need for Incident Handling & Response (IH&R) Processes
Organizations determine the need for an incident handling and response (IH&R) process based
on the current security scenario, risk perception, business advantages of having such processes,
legal compliance requirements, other organizational policies, previous incidents, etc.
Cyber-attacks have increased in number as well as in diversity, and have become more
damaging and disruptive. Since these types of attacks can be harmful and can gather all the
personal and business-sensitive data, it has become necessary to respond to these incidents
effectively and in a timely manner.
The incident handling and response (IH&R) process will allow the organization to design
preventive activities based on the results of risk assessments, but cannot prevent the
occurrence of all incidents. IH&R processes are necessary for detecting incidents, reducing
any loss and destruction, mitigating the exploited weaknesses, and restoring IT services.

Inputs, complaints and queries from all the stakeholders involved in the organization's business
processes affect the decision to establish an IH&R process. The organization's IRT development
project team, executive manager, head of the information security department or any other
person exclusively designated by the management can initiate the IH&R process.
The main purpose of incident response management and process is to:

• Protect systems:

It is difficult to place high levels of security and special access controls on various
computing resources due to high costs and other constraints. The best strategy for
computer systems and network protection is to quickly detect and recover from the
security incident. An efficient incident response procedure ensures that critical business
operations run as they would normally before, during and after an incident.


• Protect personnel:
A swift incident response helps in ensuring that no physical damage occurs to human
resources due to any workplace incident.

• Efficiently use resources:


The resources available for handling an incident used by both technical and managerial
personnel are always limited. The best way to utilize these resources is to respond to the
incidents as quickly as possible. Information gained from the incident handling process
helps prevent incidents or better handle future incidents and implement strong security
for systems and data.

• Address legal issues:


Incident response is also necessary for legal compliance with different laws and acts such
as the Health Insurance Portability and Accountability Act (HIPAA) and the Federal
Information Security Management Act (FISMA). Efficient incident procedures ensure that
the organization remains safe against legal and public liabilities.

It is necessary to adhere to legal principles and practices while responding to incidents.
According to the US Department of Justice, it is illegal to use certain monitoring techniques for
identifying an incident. The procedures for responding to an incident should guarantee that no
legal statutes are violated.

Defining the IH&R Vision


The IH&R vision includes the purpose and scope of the planned incident handling and response
capabilities. This vision features a set of instructions to detect, manage and respond to an
incident. It defines the areas of responsibility and the procedures for handling various security
incidents.
The vision includes the preparation of proper documentation and outlines a well-defined
approach for handling incidents by taking the necessary preventive actions against any
potential threats that may affect the information system. The incident response plan covers:

• How information passes to the appropriate personnel

• How to assess an incident

• Incident containment and response strategy

• How to restore systems and resources in case of an incident

• Documentation of the incident

• Preservation of the evidence

• How to report the incident to the appropriate personnel


Key elements in the IH&R vision statement include:

• What is the incident handling and response capability aiming to protect?

• What are the short- and long-term goals of an incident handling and response team?

• What services will an incident response team offer?

• How will IH&R capabilities ensure business continuity?

• What resources are required, and how can the cost be justified with an effective
return on investment?

Communicate the vision to all stakeholders and make sure it is published in an easily accessible
repository after appropriate approvals.


Preparation for Incident Handling and Response

• This is the initial phase, involving the establishment and training of an incident response
team as well as acquiring all the necessary tools and resources

• Per the results of a risk assessment, the organization minimizes the occurrence of certain
incidents through the selection and implementation of specific controls

• There may still be a residual risk after implementing the controls, which is why organizations
must still be able to detect security breaches and be notified when incidents occur

Preparing to Handle Incidents

The following is a list of tools and communication resources an incident handler needs:

• On-call information
• Issue tracking system
• Encryption software
• Secure storage facility
• Contact information
• Incident reporting mechanisms
• Smartphones
• War room

Preparation for Incident Handling and Response (Cont'd)

[Flowchart: preparation workflow. Boxes: "Established IH&R Processes?" (YES / NO);
"Determine the Need for Incident Handling & Response (IH&R) Processes"; "Evaluate the
Current Security Posture"; "Define IH&R Vision"; "Additional Controls Required?"; "Obtain
Management Approvals and Funding"; "Develop IH&R Plan, Core Policies, and Procedures";
"Define Incident Handling Criteria"; "Harden Information System Security"; "Create IRT Team
and Organize Resources"; "Implement IH&R Plan"; "Determine the Need for Changes in IH&R
Processes"; "Evaluate Current IH&R Processes"; "Determine Changes in IH&R Processes and
Procedures"; "Obtain Management Approvals and Funding"; "Update the Existing IH&R
Processes".]


Preparation for Incident Handling and Response

Preparation is the readiness to respond prior to the actual occurrence of an incident.
Requirements for preparation include:

• Establishing a reasonable group of defenses/controls depending on the threats posed to:
o Open systems that are vulnerable to attacks
o Secured systems with no incident response
o Systems dealing with incidents that are to be secured

• Developing a group of methods to deal with incidents:
o Measures to be considered in different situations by the staff
o Contact information
o Keeping information from other neighboring organizations
o Assigning people to participate in the incident response effort
o Determining risk levels and limits

• Acquiring resources and people to solve problems:
Monetary resources are required for hardware, software, training, and special equipment
for analysis and forensics. Examples of resources include PDAs, safe vaults, IDS software,
and database server software.

• Developing an infrastructure that supports incident response:
The overall business strategy should be developed to incorporate mechanisms into processes
in order to respond to incidents:
o Line of authority and management are to be in place
o Defenses/controls specifically matching the resources of the network are to be chosen
o Incident response procedures are to be well followed
o Resources should be provided with proper finances
o Maintenance of contact details
o Evidence of incident responses is to be stored
o Proper addressing of legal issues

• System administrators are responsible for the preparation stage. Their responsibilities
include:
o Ensuring password policies
o Disabling default accounts
o Configuring appropriate security mechanisms
o Executing and enabling system logging and auditing


o Patch management
o Ensuring proper backups
o Ensuring the integrity of file systems
o Identifying abnormal behavior in the system


Detection and Analysis

• End users receive indications and precursors of an incident and report this to the help desk
and/or IRT department

• The help desk validates the received complaint using the guidelines for incident detection

• If the incident is valid, the help desk notates all details of the incident such as date, time
occurred, who reported the incident, systems affected, log files, error messages and other
important details related to the discovery

• The recorded information is then sent to the IRT team

• The IT department is alerted from the security control systems and coordinates with IRT for
further investigation

• The IRT team performs an analysis and will make a decision whether an incident response
is required

Detection and Analysis (Cont'd)

[Flowchart: "Incident Requires a Response?" (NO: "Close Incident Report"; YES: "Incident
Was Closed Previously?") ; "Incident Was Closed Previously?" (YES: "Reopen Previously Closed
Incident"; NO: "Record/Update the Incident"); "If Response is Required?" (NO: "Close Incident
Report"; YES: continue).]


Detection is the identification of the various types of security incidents in an organization. After
an incident is detected and confirmed, the first responder collects the information and all details
of the incident and communicates them to the IRT. For a meaningful incident response, detection
and analysis of the incident is critical.

Sometimes it is useful to use detection software to detect security incidents. It may include
IDS, antivirus, integrity checking software, etc. However, certain incidents are clearly
noticeable, so specific software is not required to detect them.
Some ways of identifying an incident are as follows:

• Detection of an anomaly in data packets sent across the network through the alarm
generated by the IDS and firewall

• Display of an antivirus alert while scanning a computer system

• System and network logs show repeated, unsuccessful login attempts.

• Data is unexpectedly corrupted or deleted.

• Unusual system crashes can indicate attacks. Attackers or intruders can damage the
system that contains data important to the network.

• Audit logs show suspicious activity on the systems or network.

• System and security log files log suspicious activity either on the network or on security
devices.

• Staff identify unusual or suspicious activity on the computer system.

• Staff identify content on a colleague's computer that violates the organization's security
policy.

• Phishing emails are received or the company's website is defaced.

• History of activities during non-working hours shows that unauthorized access to systems
has occurred

• Social engineering attempts
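Two of the indicators in the list above (repeated unsuccessful login attempts in the system logs, and activity during non-working hours) can be checked mechanically over authentication logs. The Python below is an added example, not from the courseware; the sshd-style log lines, host names, addresses, the failure threshold and the 08:00-18:00 working-hours window are all constructed assumptions. Lines the parser does not recognise are skipped rather than reported, so an unparsed line is never silently counted as a detection.

```python
"""Checking auth logs for repeated failed logins and off-hours access.

Added example, not from the courseware. SAMPLE_LOG, the threshold and the
working-hours window are constructed for illustration."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed syslog-style lines in the shape sshd writes.
SAMPLE_LOG = """\
2024-03-04 09:12:01 srv1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5011 ssh2
2024-03-04 09:12:04 srv1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5012 ssh2
2024-03-04 09:12:07 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5013 ssh2
2024-03-04 09:12:10 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5014 ssh2
2024-03-04 09:12:13 srv1 sshd[101]: Failed password for root from 203.0.113.5 port 5015 ssh2
2024-03-04 09:15:40 srv1 sshd[102]: Failed password for alice from 198.51.100.7 port 6001 ssh2
2024-03-04 09:15:55 srv1 sshd[102]: Accepted password for alice from 198.51.100.7 port 6002 ssh2
2024-03-04 02:41:09 srv1 sshd[103]: Accepted publickey for bob from 192.0.2.9 port 7001 ssh2
2024-03-04 14:00:02 srv1 sshd[104]: Accepted publickey for carol from 192.0.2.10 port 7002 ssh2
this line is not an authentication record and is ignored by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

FAILED_THRESHOLD = 5      # failures from one source that count as "repeated" (assumed)
WORK_HOURS = (8, 18)      # 08:00-18:00 is treated as working hours (assumed)

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source address)


def parse(log_text: str) -> List[Event]:
    """Turn recognised lines into events; unrecognised lines are skipped."""
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def repeated_failures(events: List[Event], threshold: int = FAILED_THRESHOLD) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed logins, with their counts."""
    counts = Counter(src for _, result, _, src in events if result == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def off_hours_access(events: List[Event], work_hours=WORK_HOURS) -> List[Tuple[datetime, str, str]]:
    """Successful logins outside the working-hours window: (time, user, source)."""
    start, end = work_hours
    return [(ts, user, src) for ts, result, user, src in events
            if result == "Accepted" and not (start <= ts.hour < end)]


def findings(log_text: str = SAMPLE_LOG) -> dict:
    """Both checks over one log; this is what an analyst would forward to the IRT."""
    events = parse(log_text)
    return {"repeated_failures": repeated_failures(events),
            "off_hours_access": off_hours_access(events)}
```

On the sample data findings() reports 203.0.113.5 for five failures and the 02:41 login by bob as off-hours; alice's single failure before a successful login stays below the threshold, which is the kind of noise a threshold is there to filter.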

Incident analysis is performed after detection of an incident. Incident analysis may vary
depending on the incident discovered.

Steps involved in incident analysis are:

• Analyzing every anomaly found

• Auditing anomalies and maintaining a copy of compromised files for analysis

• Documenting the incident information for clear understanding

The information collected in this phase includes:

• The date and time the incident occurred and was detected.

• Details of the person who reported the incident.


• Details of the incident, including:
o Description of the incident.
o Details on the systems affected.
o Backup information such as error messages, log files, etc.

• Forward the recorded information to the IRT.

The IRT performs an analysis and decides whether an incident response is required.


Classification and Prioritization

• A structured approach is required to respond to the incident in a proper way

• The IRT manager should classify and prioritize the incidents based on the level (high,
medium, or low level)

• The incident with high priority should be attended to first

[Flowchart: "Evaluate Incident Details and Correlate with Indicators" → "Classify Incidents
Based on Incident Record" → "Incident Falls Outside Purview?" (YES: "Other Organizational
Departments"; NO: "Prioritize the Incident").]

Classification and Prioritization (Cont'd)

• The IRT evaluates the incident details and correlates these with any indicators

• The IRT classifies the incidents based on their severity and potential targets

• Classify the incident based on factors such as the nature of the incident, critical systems
impacted, number of systems impacted, and legal and regulatory requirements

• If the incident is outside their purview, the IRT will contact any and all departments

• The IRT prioritizes the incident based on the current and potential technical effects of the
incident on the systems affected


The IRT evaluates the incident details obtained in the incident detection and analysis phase and
correlates them with indicators. An IRT classifies and prioritizes a security incident based on the
following factors:
• Nature of the incident
• Incident severity and potential targets
• The criticality of the systems being impacted
• Current and potential technical effect of the incident and the criticality of the affected
resources
• Number of systems impacted by the incident
• Whether the incident falls outside the IRT's purview
• Legal and regulatory requirements
Upon detection of an incident, the IRT should categorize it appropriately based on its type,
severity, and impact. Incident classification helps the IRT take the appropriate responses.
Incident classification is done based on incident categorization and an incident severity rating.
Incident categorization
Incident categorization helps the IRT keep incidents under a single category, which provides
better coordination and consistent incident handling and responses.
Incident severity rating
A severity rating adds a sense of urgency to the detected incidents.
Incident classification helps the IRT quickly respond to incidents by avoiding any operational
mix-up.
According to NIST, incidents can be categorized into seven categories. The NIST taxonomy
for incident categorization is shown below:
Federal Agency Incident Categories

CAT 0 - Exercise/Network Defense Testing
Description: This category is used during state, federal, national, international exercises and
approved activity testing of internal/external network defenses or responses.
Reporting Time Frame: Not Applicable; this category is for each agency's internal use during
exercises.

CAT 1 - Unauthorized Access*
Description: In this category an individual gains logical or physical access without permission
to a federal agency network, system, application, data, or other resource.
Reporting Time Frame: Within one (1) hour of discovery/detection.

CAT 2 - Denial of Service (DoS)*
Description: An attack that successfully prevents or impairs the normal authorized
functionality of networks, systems or applications by exhausting resources. This activity
includes being the victim or participating in the DoS.
Reporting Time Frame: Within two (2) hours of discovery/detection if the successful attack is
still ongoing and the agency is unable to successfully mitigate activity.

CAT 3 - Malicious Code*
Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or
other code-based malicious entity) that infects an operating system or application. Agencies
are NOT required to report malicious logic that has been successfully quarantined by
antivirus (AV) software.
Reporting Time Frame: Daily. Note: Within one (1) hour of discovery/detection if widespread
across agency.

CAT 4 - Improper Usage*
Description: A person violates acceptable computing use policies.
Reporting Time Frame: Weekly.

CAT 5 - Scans/Probes/Attempted Access
Description: This category includes any activity that seeks to access or identify a federal
agency computer, open ports, protocols, service, or any combination for later exploit. This
activity does not directly result in a compromise or denial of service.
Reporting Time Frame: Monthly. Note: If system is classified, report within one (1) hour of
discovery.

CAT 6 - Investigation
Description: Unconfirmed incidents that are potentially malicious or anomalous activity
deemed by the reporting entity to warrant further review.
Reporting Time Frame: Not Applicable; this category is for each agency's use to categorize a
potential incident that is currently being investigated.

* Defined by NIST Special Publication 800-61

FIGURE 14.1: Incident categorization according to NIST
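The reporting timeframes in Figure 14.1 are what a categorized incident turns into a deadline, and the row notes (a DoS only while it is ongoing, widespread malware or a classified system within one hour, quarantined malware not at all) are the cases an IRT most often gets wrong. The Python below is an added example, not code from the courseware or from NIST; reading "monthly" as 30 days, treating the "not applicable" categories as having no external deadline, and giving a mitigated DoS no fixed deadline are interpretations made here, and the incident records in SAMPLE_INCIDENTS are constructed.

```python
"""Reporting deadlines for categorized incidents, following the timeframes
in Figure 14.1, and the order in which the reports fall due.

Added example, not from the courseware or from NIST. "Monthly" = 30 days,
"not applicable" = no external deadline, and a mitigated DoS having no fixed
deadline are interpretations; SAMPLE_INCIDENTS is constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DETECTED_AT = datetime(2024, 3, 4, 9, 0)   # constructed detection time shared by the samples

# Category -> base interval after discovery/detection; None = not reported externally.
BASE_TIMEFRAME: Dict[int, Optional[timedelta]] = {
    0: None,                   # exercise / network defense testing: internal use only
    1: timedelta(hours=1),     # unauthorized access
    2: timedelta(hours=2),     # denial of service, while still ongoing and unmitigated
    3: timedelta(days=1),      # malicious code: daily
    4: timedelta(weeks=1),     # improper usage: weekly
    5: timedelta(days=30),     # scans/probes/attempted access: monthly (30 days assumed)
    6: None,                   # investigation: internal until confirmed
}


def reporting_deadline(category: int, detected_at: datetime, *, ongoing: bool = False,
                       widespread: bool = False, classified: bool = False,
                       quarantined: bool = False) -> Optional[datetime]:
    """When the report is due, or None when the figure gives no external timeframe."""
    if category not in BASE_TIMEFRAME:
        raise ValueError(f"unknown category {category}")
    if category == 2 and not ongoing:
        return None           # the 2-hour clock applies only while the attack continues
    if category == 3 and quarantined:
        return None           # malware quarantined by AV need not be reported
    if category == 3 and widespread:
        return detected_at + timedelta(hours=1)   # note on the CAT 3 row
    if category == 5 and classified:
        return detected_at + timedelta(hours=1)   # note on the CAT 5 row
    base = BASE_TIMEFRAME[category]
    return None if base is None else detected_at + base


# (incident id, category, flags): constructed records
SAMPLE_INCIDENTS: List[Tuple[str, int, dict]] = [
    ("INC-1", 4, {}),                      # improper usage
    ("INC-2", 1, {}),                      # unauthorized access
    ("INC-3", 3, {"widespread": False}),   # a single infected host
    ("INC-4", 2, {"ongoing": True}),       # DoS still in progress
    ("INC-5", 0, {}),                      # exercise traffic
]


def due_order(incidents=SAMPLE_INCIDENTS,
              detected_at: datetime = DETECTED_AT) -> List[Tuple[str, Optional[datetime]]]:
    """Incidents sorted by reporting deadline, soonest first; undated ones last."""
    dated = [(iid, reporting_deadline(cat, detected_at, **flags)) for iid, cat, flags in incidents]
    # (has_no_deadline, deadline): False sorts before True, so dated entries come first.
    return sorted(dated, key=lambda item: (item[1] is None, item[1] or detected_at))
```

For the constructed queue, due_order() puts the unauthorized access (one hour) first, the ongoing DoS (two hours) second, then the daily and weekly reports, with the exercise traffic last because it has no external deadline.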


According to FIRST, incidents can be categorized as shown in the figure below:


Incident Category: Description

Denial of service: DOS or DDOS attack.

Forensics: Any forensic work to be done by CSIRT.

Compromised Information: Attempted or successful destruction, corruption, or disclosure of
sensitive corporate information or Intellectual Property.

Compromised Asset: Compromised host (root account, Trojan, rootkit), network device,
application, user account. This includes malware-infected hosts where an attacker is actively
controlling the host.

Unlawful activity: Theft / Fraud / Human Safety / Child Porn. Computer-related incidents of a
criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.

Internal Hacking: Reconnaissance or suspicious activity originating from inside the Company
corporate network, excluding malware.

External Hacking: Reconnaissance or suspicious activity originating from outside the Company
corporate network (partner network, Internet), excluding malware.

Malware: A virus or worm typically affecting multiple corporate devices. This does not include
compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan.
(See Compromised Asset.)

Email: Spoofed email, SPAM, and other email security-related events.

Consulting: Security consulting unrelated to any confirmed incident.

Policy Violations: Sharing offensive material, sharing/possession of copyright material.
Deliberate violation of InfoSec policy. Inappropriate use of corporate asset such as computer,
network, or application. Unauthorized escalation of privileges or deliberate attempt to subvert
access controls.

FIGURE 14.2: Incident categorization according to FIRST

Incident severity rating:

The severity rating assists the IRT in categorizing incidents. Impact and likelihood are the
elements which form the building blocks for severity ratings. The following matrix is
constructed using these two elements:

LIKELIHOOD (columns): Rare, Unlikely, Possible, Likely, Almost Certain
IMPACT (rows):
Catastrophic: Medium, Medium, High
Major: Low, Medium, Medium, High
Moderate: Low, Medium, Medium, Medium, High
Minor: Low, Medium, Medium, Medium
Insignificant: Low, Low, Medium

TABLE 14.1: Severity rating matrix

Advantages of an effective incident classification


• Every incident is correctly forwarded to the respective department.
• Enhances response times as the incidents are routed to the respective department.
• Aids in the development of an effective knowledge base.
• Increased customer satisfaction.

Module 14 Page 1175 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
Network Incident Response and Management

Incident Prioritization

■ Prioritizing the handling of the incident is critical for the process
■ Incidents should not be handled on a first-come, first-served basis
■ Prioritize the incidents based on two factors
  • Current and potential technical effect of the incident
  • Criticality of the affected resources

Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

After classifying the incidents, the IRT should prioritize them. High-impact incidents which could severely sabotage an organization's network should be attended to first and their effects mitigated at an early stage.

The IRT should consider two basic elements in prioritizing incidents:

1. Impact: Gives an account of how severe an incident can be for the organization. It is measured in terms of the number of systems impacted by the incident; the more systems are affected, the more employees are left idle, which directly affects the organization's productivity.

2. Urgency: Is usually defined in terms of the service level agreement (SLA). If an incident is raised within an organization, it should be resolved at the earliest opportunity.

The values for impact and urgency can vary from organization to organization, but generally there are three levels, high, medium, and low, for both impact and urgency.


The IRT should construct an impact-urgency matrix based on the three levels (high, medium, and low) as follows:

Impact (columns): High, Medium, Low
Urgency (rows): High, Medium, Low

TABLE 14.2: Impact urgency matrix

The priorities should be addressed by the IRT in the following order:

1. Red
2. Light yellow
3. Dark yellow
4. Light green
5. Dark green
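The prioritization described above, worked through as an added Python example (this is not EC-Council's code): impact is derived from the number of systems affected, urgency from the SLA window, the two are combined through an impact-urgency matrix, and the queue is ordered by colour band (Red first, Dark green last) instead of by arrival time. The text does not give the cell colours of Table 14.2, so the matrix, the thresholds, and the sample tickets are assumptions and are marked as such in the code.

```python
"""Impact/urgency prioritization of an incident queue.

Added example (not EC-Council code). Impact is derived from the number of
systems affected, urgency from the SLA window, and the two are combined
through an impact-urgency matrix; the IRT then works the bands in the
order Red, Light yellow, Dark yellow, Light green, Dark green. The matrix
cells, the thresholds and the sample tickets are ASSUMED values.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List

LEVELS = ("high", "medium", "low")

# ASSUMED mapping of (impact, urgency) -> colour band; replace with the
# organization's own Table 14.2.
PRIORITY_MATRIX = {
    ("high", "high"): "red",
    ("high", "medium"): "light yellow",
    ("medium", "high"): "light yellow",
    ("high", "low"): "dark yellow",
    ("medium", "medium"): "dark yellow",
    ("low", "high"): "dark yellow",
    ("medium", "low"): "light green",
    ("low", "medium"): "light green",
    ("low", "low"): "dark green",
}

# Order in which the IRT addresses the bands.
PRIORITY_ORDER = ["red", "light yellow", "dark yellow", "light green", "dark green"]


def impact_level(systems_affected: int, total_systems: int) -> str:
    """Impact from the share of the estate that is affected (ASSUMED thresholds)."""
    if total_systems <= 0 or systems_affected < 0:
        raise ValueError("system counts must be non-negative and total > 0")
    share = systems_affected / total_systems
    if share >= 0.25:
        return "high"
    if share >= 0.05:
        return "medium"
    return "low"


def urgency_level(sla_hours: float) -> str:
    """Urgency from the SLA resolution window of the incident (ASSUMED thresholds)."""
    if sla_hours <= 0:
        raise ValueError("SLA window must be positive")
    if sla_hours <= 4:
        return "high"
    if sla_hours <= 24:
        return "medium"
    return "low"


@dataclass
class Incident:
    ticket: str
    category: str          # FIRST category from Figure 14.2, e.g. "Malware"
    systems_affected: int
    sla_hours: float
    reported_at: datetime


def priority_colour(impact: str, urgency: str) -> str:
    """Look up the band; unknown levels are rejected rather than silently ranked low."""
    if impact not in LEVELS or urgency not in LEVELS:
        raise ValueError(f"impact and urgency must be one of {LEVELS}")
    return PRIORITY_MATRIX[(impact, urgency)]


def priority_rank(inc: Incident, total_systems: int) -> int:
    """0 = work first (red) ... 4 = work last (dark green)."""
    colour = priority_colour(impact_level(inc.systems_affected, total_systems),
                             urgency_level(inc.sla_hours))
    return PRIORITY_ORDER.index(colour)


def build_queue(incidents: List[Incident], total_systems: int) -> List[Incident]:
    """Band first; arrival time only breaks ties inside a band, so a later
    high-impact ticket overtakes an earlier low-impact one."""
    return sorted(incidents, key=lambda i: (priority_rank(i, total_systems), i.reported_at))


# Constructed sample tickets against an estate of 400 systems (not real incidents).
TOTAL_SYSTEMS = 400
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Policy Violations", 1, 72, datetime(2024, 1, 8, 9, 0)),
    Incident("INC-002", "Malware", 40, 4, datetime(2024, 1, 8, 9, 5)),
    Incident("INC-003", "Compromised Asset", 120, 2, datetime(2024, 1, 8, 9, 30)),
    Incident("INC-004", "Email", 3, 8, datetime(2024, 1, 8, 9, 31)),
]


def queue_order(incidents: List[Incident] = SAMPLE_INCIDENTS,
                total_systems: int = TOTAL_SYSTEMS) -> List[str]:
    """Ticket ids in the order the IRT should work them."""
    return [i.ticket for i in build_queue(incidents, total_systems)]


if __name__ == "__main__":
    for inc in build_queue(SAMPLE_INCIDENTS, TOTAL_SYSTEMS):
        band = PRIORITY_ORDER[priority_rank(inc, TOTAL_SYSTEMS)]
        print(f"{inc.ticket}  {band:13}  {inc.category}  (reported {inc.reported_at:%H:%M})")
```

With the constructed tickets, INC-003 (reported last) is worked first because 30% of the estate is affected under a 2-hour SLA, while the first-reported policy violation ends up last; that is the point of not handling incidents first-come, first-served.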


Notification and Planning

■ Communication plays a major role in a swift response to an incident
■ It helps in reducing the impact of an incident by facilitating a better coordination between different stakeholders affected by the incident
■ The incident response team should discuss the incident with the legal representative when a lawsuit against the attackers is required

[Flowchart: Approval for Notification? (NO / YES) -> Notify the Required ... -> External Support Required? (NO / YES)]

Notification and Planning (Cont'd)

■ The IRT notifies management regarding the incident and its effects
■ The IRT requests approval from management to disclose the incident information to stakeholders and any others affected, based on the severity of the incident
■ If the IRT receives approval, the details of the incident are disclosed
■ If management does not approve the disclosure, the IRT plans to proceed with the incident handling process
■ The IRT checks whether external support is required to handle the case
■ If external support is required, the IRT will contact external agencies for their input
■ The IRT, along with any external agencies, the IT department, and management, must plan the incident handling and response procedure


An organization which is suffering from a security incident needs to notify the appropriate internal and external IRT to minimize any repercussions of the security event. The IRT's role in notification and planning includes the following:

• Notifying management: It is the responsibility of the IRT to notify management about the incident which occurred. Management should also be informed about the effects the incident caused.

• Broadcasting the incident: Before broadcasting any information about the incident, the IRT should have documented approval from management. The incident information should not be hidden from the stakeholders and other people. People that are likely to be affected by the incident need to be informed about it.

• Disclosing the details of the incident: Apart from broadcasting the incident, the IRT should also seek approval for disclosing its details. Disclosing the details of an incident is important, as certain stakeholders of the organization are required to be kept in the loop.

• Approval denied: If management does not give approval for disclosing the incident details, the IRT should proceed with the incident handling procedure.

• External support: Before proceeding with the in-depth investigation of the incident, the IRT checks if external support is required to handle the case.

• External support required: If external support is required, the IRT contacts external agencies for input.

• IRT and external support: Once the external support joins the investigation of the incident, the IRT and the management team proceed with the incident handling and response plan.


■ The IRT, technical, management, and legal teams prepare a containment strategy to control the effects of the incident and request input from the external support agencies (if required)
■ Once the containment strategy is prepared, the IRT checks whether the incident is actually contained or not
■ The IRT checks the type of response required to contain the incident. The containment task is then assigned to the correct team
■ If the incident is not contained, the IRT will review and update the containment strategy and follow the same processes again
■ If the incident is contained, the IRT will escalate the containment task and move to the next level of the incident handling and response process

[Flowchart: Decide a Containment Strategy (with External Support Inputs) -> Technical Response Required? (YES: Task is Assigned to Technical Team) -> Management Response Required? (YES: Task is Assigned to Management Team) -> Legal Response Required? (YES: Task is Assigned to Legal Team; NO: Provide Initial Response and Close the Case) -> Incident Contained? (NO: Return to Containment Strategy; YES: Escalate the Containment Task)]


The IRT plays a significant role in reducing an incident's magnitude or complexity and in preventing further damage to the organization. Containment focuses on limiting the scope and extent of an incident. The aim of the containment stage is to reduce any losses and/or damages from attacks by eliminating the threat sources. If the systems, networks, or workstations are compromised by a security incident, the IRT has to determine whether to shut down the system, disconnect the network, or continue with operations in order to monitor the system's activities. The response to each of these situations depends on the type and magnitude of the incident.

The common techniques used in the containment phase are:

• Disabling specific system services:
  • Disable system services temporarily in order to reduce the impact of the incident and to continue system operations.
  • When an unknown vulnerability affects a computer, it is removed from the network until the problem is rectified.

• Changing the passwords and disabling the account:
  • Change passwords on all the systems which interact with the affected system, so there are no further infections.

• Complete backups of the infected system:
  • Back up data on the affected systems to reduce the damage during an incident response. Use a system backup for further investigation of the incident.

• Temporary shutdown of the compromised system:
  • If the compromised computer systems have no alternate options to handle the situation, then shut them down temporarily. This shutdown limits the damage caused by the incident and gives extra time to analyze the problem.

• System restoration:
  • Replace the recovered computers with a trusted and clean backup copy.
  • Identify the incident sources such as vulnerabilities, threats, access paths, etc. and patch everything before restoring the system.

• Maintaining a low profile:
  • When detecting network-based attacks, be careful not to tip off the intruder, because the intruder might do more harm to other systems in the network and/or erase everything they can to remove the chance of being traced. Maintain standard procedures, including continuing to use the intrusion detection systems and the latest antivirus and anti-spam software.


Guidelines for Incident Containment

• Compromised code can undermine security; maintain a level of caution
• Data must be forensically backed up to a proper storage device
• Data should be stored in a safe location
• System and router logs must be acquired and reviewed
• If operations are continued, any and all risk must be identified
• Administrators and system owners must be informed and kept current on the information concerning the security incident
• Establish a strong password policy and then change all passwords following this new or updated policy
• Records should be maintained for every action taken
• A team must be dedicated to containing any type of security issue
• The affected area(s) must be contained and secured to avoid having things changed
• Information must be reviewed from the start of the identification phase
• Honeypots also play a vital role in enhancing security
• Avoid conventional methods to trace; this tends to alert the attackers
• Standard procedures should be followed
• System alteration has the potential to be risky unless a complete backup is first done

The main purpose of the containment strategy is to control the effects of the attack and restore the information system to its normal state. This is vital so that the business continuity of an organization is maintained. A few key considerations for an IRT in this crucial stage are:

• Compromised code: Compromised code can lead to a data breach, increasing the chances of an intrusion. It is important for the IRT to be cautious while working with the compromised code. A minor mistake can lead to the replication of the code and can further affect the network and functioning of the organization.

• Safe storage: Data should be stored in a safe location so that any intrusion or external threat does not affect or alter it.

• Acquiring logs: The IRT must actively acquire and retrieve all the system and router logs from before, during, and after the time of the incident. This will help the team analyze the changes the network or system went through that caused the incident to occur.

• Identifying risk factors: It is important to identify the various risks if operations are continued.

• Informing administrators and system owners: The IRT should communicate with the administrators and system owners about the latest security threats that can affect the system. This helps to implement preventive measures, avoiding the occurrence of a major incident.


• Strong password policy: After the incident handling is successful, users must change their passwords. Administrators must implement a strong password policy across the organization.

• Maintaining records: It is important to maintain records of every action performed by the users or the system owners. Auditing and monitoring must be key activities performed by administrators on a timely basis.

Organizations face a lot of problems when incident containment guidelines are not in place. For example, an organization which is not well prepared, gets infected and then attacked by malware, cannot handle the situation as effectively as an organization that follows incident containment guidelines. Sometimes this lack of preparedness will allow malware to spread like wildfire. In these cases, people act haphazardly to find solutions for such incidents, and nobody has any idea how to deal with it. This delay in finding a solution can bring an organization's network, information systems, business, and reputation to the ground. Without proper guidelines in place, network administrators implement stopgap actions, trying everything they can to find the appropriate solution. This can cost the organization huge amounts of money and time. This situation can be avoided if an organization follows certain guidelines:

• Dedicated team: A team must be dedicated to handling any type of security issue. This team acts as the first responder during an incident. Technical experts are required for this team.

• Securing the affected area: To avoid any further changes being made, the affected area must be secured. Review the information from the beginning of the identification phase.

• Installation of honeypots: Honeypots are invisible traps that play a vital role in enhancing security. Implementing honeypots in the network will help system administrators track the attacker instantly, with no data loss.

• Avoid conventional methods: Refrain from using conventional tracking methods when trying to identify the attacker; they will not help the investigation. It is important that the team is updated on the new methods available. Attackers know the conventional tracking methods and what to look for. The last thing you want is for them to know you are looking for them.

• Follow standard procedures: Documented procedures are required, and management, the IRT, and administrators must follow them.


Forensic Investigation

■ Investigation is a process of gathering evidence related to an incident from systems and networks
■ Organizations have to discover computer security incidents in a reasonable amount of time, in order to have enough time to decide if an investigation is required
■ The urgency in making a decision helps the investigators to determine the seriousness of the security issue and contain it
■ The purpose of the investigation process is to identify the incident, attacker, attack time, and mitigation steps to prevent a future occurrence
■ The forensic investigation and the containment process run at the same time
■ An experienced incident handler and/or computer forensic investigator supervises the collection of all the evidence
■ Data collection involves two unique forensic challenges: gathering data exceeding computer storage capacity and collecting data to ensure integrity

Forensic Investigation (Cont'd)

■ Host-based evidence: Host-based evidence consists of logs, records, documents, and any other information available on the system
■ Network-based evidence: Network-based evidence consists of information gathered from IDS logs, pen-register/trap and traces, router logs, firewall logs, and authentication servers
■ Other evidence: Other evidence contains information and evidence gathered from people

The incident handler creates a chain of custody document, which includes detailed information about the evidence. This document includes items such as the model number, serial number, IP address, time of collection, etc. It also includes information about the people involved in the collection and evidence handling, such as the name, designation, department, contact numbers, etc.


Incident handling helps organizations contain security events, but a computer forensic investigation lets investigators find the root cause of the security issue. Forensic investigation is the process of gathering evidence related to an incident from the systems and networks. The main goal of any computer security forensic investigation is to identify the incident, the time of the incident, the perpetrator of the incident, and the steps to mitigate future occurrences. Forensic investigation is carried out in parallel with the containment process.

Role of Forensic Analysis in an Incident Response

Forensic analysis includes an evaluation and in-depth investigation of data from the periods before and after a cyber-attack.

• Forensic analysis helps in determining the exact cause of an incident.
• It helps in generating a timeline for the incident, which will correlate different incidents.
• It helps balance operations and the security required according to the organization's budgetary constraints.
• Forensic analysis of the affected system helps determine the nature and impact of the incident.
• It helps to mitigate the loss caused by a breach and to begin the recovery process.
• It helps in tracking the attackers of the crime or incident.
• It extracts, processes, and interprets factual evidence proving the attacker's actions in court.
• It saves the organization money and time by conducting a damage assessment of the victimized network.
• It also saves organizations from legal liabilities and lawsuits.

During a forensic investigation, investigators work on collecting different types of evidence, such as system-based, network-based, etc., depending on what type of security incident the investigator is dealing with.

Host-based evidence
Host-based evidence is the evidence gathered from the compromised system. It may include collecting volatile or non-volatile information such as:

• Logs, records, documents, and any other information stored in a computer system.
• The date and time of the system.
• The applications currently executing on the system.
• The network connections currently identified.
• Open sockets or ports currently available.
• Applications listening on open ports.
• The state of the network interface.


Network-based evidence
Network-based evidence is the information gathered from the network resources, such as:

• IDS logs: Intrusion Detection System (IDS) logs help in identifying an unusual level of attacks, concerted attacks, and unusual protocol and port combinations.

• Router logs: Router logs help in identifying the number of systems connected to a specific router.

• Firewall logs: Firewall logs display the active and inactive sessions of a host machine.

• Monitoring logs: These collect information on the systems in a network. Any suspected activity of a host machine can be analyzed through monitoring logs.

• Wiretaps: A wiretap gathers metadata of the device where the monitoring device is placed.

• Pen-register/trap and traces: The logs of a pen-register record routing information of the devices.

• Authentication servers: Logs generated by authentication servers help the administrators to identify any unknown entity trying to access the network.
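As an added example (not part of the courseware), the following Python script runs three of the checks listed above over constructed log lines: the firewall/router view of which hosts were active and what they reached, an IDS-style check for protocol and port combinations outside an expected baseline, and an authentication-server view of repeated failures from one source. It then reports any source that shows up in more than one view. The log format, host names, addresses, baseline set, and failure threshold are all constructed for this example and are not from any real vendor or environment.

```python
"""Triage of network-based evidence from constructed firewall and
authentication-server logs (added example; format, hosts and addresses
are made up, as are the baseline and threshold).
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed log lines in a simplified key=value style (not a real vendor format).
FIREWALL_LOG = """\
2024-01-08T09:05:11Z fw01 action=ACCEPT proto=tcp src=10.0.5.23 dst=10.0.1.10 dport=443
2024-01-08T09:05:14Z fw01 action=ACCEPT proto=tcp src=10.0.5.23 dst=10.0.1.10 dport=443
2024-01-08T09:06:02Z fw01 action=ACCEPT proto=udp src=10.0.5.40 dst=10.0.1.2 dport=53
2024-01-08T09:07:45Z fw01 action=ACCEPT proto=tcp src=10.0.5.23 dst=203.0.113.9 dport=4444
2024-01-08T09:07:51Z fw01 action=DROP proto=udp src=10.0.5.23 dst=203.0.113.9 dport=443
2024-01-08T09:08:03Z fw01 action=ACCEPT proto=tcp src=10.0.5.77 dst=10.0.1.10 dport=80
"""

AUTH_LOG = """\
2024-01-08T09:09:00Z auth01 result=FAIL user=svc_backup src=10.0.5.23
2024-01-08T09:09:03Z auth01 result=FAIL user=administrator src=10.0.5.23
2024-01-08T09:09:05Z auth01 result=FAIL user=jsmith src=10.0.5.23
2024-01-08T09:09:09Z auth01 result=OK user=jsmith src=10.0.5.40
"""

# Expected (protocol, destination port) pairs on this segment: an ASSUMED baseline.
BASELINE = {("tcp", 80), ("tcp", 443), ("udp", 53)}
FAIL_THRESHOLD = 3

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_HOST_RE = re.compile(r"^(\S+)\s+(\S+)\s")


def parse_line(line: str) -> Dict[str, str]:
    """One log line -> dict; the timestamp and logging host are kept under ts/host."""
    m = TS_HOST_RE.match(line)
    if not m:
        raise ValueError(f"malformed line: {line!r}")
    fields = {"ts": m.group(1), "host": m.group(2)}
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def active_hosts(fw_events: List[Dict[str, str]]) -> Dict[str, set]:
    """Router/firewall view: every source seen and the destinations it reached."""
    talked_to = defaultdict(set)
    for e in fw_events:
        talked_to[e["src"]].add(e["dst"])
    return dict(talked_to)


def unusual_combinations(fw_events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """IDS-style check: events whose (proto, dport) pair is not in the baseline."""
    return [e for e in fw_events if (e["proto"], int(e["dport"])) not in BASELINE]


def failed_logins_by_source(auth_events: List[Dict[str, str]],
                            threshold: int = FAIL_THRESHOLD) -> Dict[str, int]:
    """Authentication-server view: sources whose failure count reaches the threshold."""
    fails = Counter(e["src"] for e in auth_events if e["result"] == "FAIL")
    return {src: n for src, n in fails.items() if n >= threshold}


def triage(fw_text: str = FIREWALL_LOG, auth_text: str = AUTH_LOG) -> Dict[str, object]:
    """Correlate the views and name sources that appear in more than one of them."""
    fw = parse_log(fw_text)
    auth = parse_log(auth_text)
    hosts = active_hosts(fw)
    odd = unusual_combinations(fw)
    fails = failed_logins_by_source(auth)
    suspects = {e["src"] for e in odd} & set(fails)
    return {
        "distinct_sources": len(hosts),
        "unusual": [(e["ts"], e["src"], e["dst"], e["proto"], e["dport"]) for e in odd],
        "failed_logins": fails,
        "hosts_in_both_views": sorted(suspects),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On the sample lines the script reports three distinct sources, two baseline violations (both from 10.0.5.23), three failed logins from the same host, and therefore names 10.0.5.23 as the one source present in both views; that single-host correlation is the kind of lead the page's "unknown entity trying to access the network" wording is about.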

Other Evidence
Other evidence may consist of:

• Gathering and validating personal files and documents related to the incident.
• Interviewing employees, witnesses, and character witnesses.
• Documenting the information gathered.

The incident handler creates a chain of custody document which includes detailed information about the evidence, such as the model number, serial number, IP address, time of collection, etc., and information about all the people involved in collection or evidence handling, such as the name, designation, contact numbers, etc.
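The chain of custody document described above, as an added Python example (this is not EC-Council's form): the record carries the evidence fields the text names (model number, serial number, IP address, time of collection) and the handler fields (name, designation, department, contact number), and on top of that a SHA-256 digest taken at collection, so that every later handover re-checks the integrity of the evidence image and a mismatch is written into the chain rather than hidden. The digest step, the handler names, the serial and model values, and the sample image bytes are constructed placeholders for the example.

```python
"""Chain-of-custody record for one item of evidence.

Added example, not EC-Council's own form. It holds the evidence fields the
text lists (model number, serial number, IP address, time of collection)
and the handler fields (name, designation, department, contact number),
and adds a SHA-256 digest taken at collection so that every later handover
re-checks the integrity of the evidence image. All sample values are
constructed placeholders.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when: Optional[datetime]) -> str:
    """ISO 8601 UTC timestamp; an explicit time is used when given (reproducible runs)."""
    return (when or datetime.now(timezone.utc)).isoformat()


@dataclass
class Handler:
    name: str
    designation: str
    department: str
    contact: str


@dataclass
class CustodyEvent:
    action: str                    # "collected" or "transferred"
    timestamp: str
    from_handler: Optional[Handler]
    to_handler: Handler
    digest_ok: bool                # receiver re-hashed the image and it matched


@dataclass
class ChainOfCustody:
    evidence_id: str
    description: str
    model_number: str
    serial_number: str
    ip_address: str
    collected_at: str
    sha256: str
    events: List[CustodyEvent] = field(default_factory=list)

    def verify(self, image: bytes) -> bool:
        """True only if the image still hashes to the digest taken at collection."""
        return sha256_hex(image) == self.sha256

    def transfer(self, image: bytes, giver: Handler, receiver: Handler,
                 when: Optional[datetime] = None) -> bool:
        """Log a handover. A failed digest is recorded, not hidden: a break in
        the chain must be visible in the document."""
        ok = self.verify(image)
        self.events.append(CustodyEvent("transferred", _stamp(when), giver, receiver, ok))
        return ok

    def to_json(self) -> str:
        return json.dumps(asdict(self), indent=2)


def collect(evidence_id: str, description: str, model_number: str, serial_number: str,
            ip_address: str, image: bytes, collector: Handler,
            when: Optional[datetime] = None) -> ChainOfCustody:
    """Open the chain: hash the image at the moment of collection and log who collected it."""
    ts = _stamp(when)
    coc = ChainOfCustody(evidence_id, description, model_number, serial_number,
                         ip_address, ts, sha256_hex(image))
    coc.events.append(CustodyEvent("collected", ts, None, collector, True))
    return coc


# Constructed sample: a memory image and two handlers (placeholder values only).
SAMPLE_IMAGE = b"CONSTRUCTED-MEMORY-IMAGE-BYTES-0001"
RESPONDER = Handler("A. Responder", "Incident Responder", "IRT", "+1-555-0100")
EXAMINER = Handler("B. Examiner", "Evidence Examiner", "Forensics", "+1-555-0101")


def demo_chain(image: bytes = SAMPLE_IMAGE, tampered: bytes = SAMPLE_IMAGE + b"X") -> dict:
    """Collect, hand over intact, then hand back a tampered copy and see the chain flag it."""
    coc = collect("EV-2024-0001", "RAM image of workstation", "MODEL-PLACEHOLDER",
                  "SN-PLACEHOLDER-001", "10.0.5.23", image, RESPONDER,
                  datetime(2024, 1, 8, 10, 0, tzinfo=timezone.utc))
    intact = coc.transfer(image, RESPONDER, EXAMINER,
                          datetime(2024, 1, 8, 11, 0, tzinfo=timezone.utc))
    broken = coc.transfer(tampered, EXAMINER, RESPONDER,
                          datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc))
    return {"intact_transfer": intact, "tampered_transfer": broken,
            "events": len(coc.events), "record": coc}


if __name__ == "__main__":
    print(demo_chain()["record"].to_json())
```

The JSON the script prints is the document itself: who collected the item and when, every handover with both parties, and whether the image still matched its collection-time digest at each step. Keeping the failed check in the record is deliberate; the integrity question the text raises for data collection is answered by the record showing exactly where the chain held and where it did not.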


Some examples where network forensics must be considered are:

• Data collection from remote network services
• Analysis of IDS and firewall logs
• Capturing and analyzing network traffic using sniffers
• Backtracking of network packets and TCP connections
• Analysis of logs generated by network services and applications
• Analysis of computer network artifacts on forensically acquired hard disks

Network forensics is a method of sniffing, recording, acquiring, and analyzing network traffic and event logs in order to investigate a network security incident. Usually, network forensics involves a proactive investigation, as it deals with network traffic that contains dynamic information.

Network forensics aims to enhance security and provide evidence for legal issues. Information is collected from the network traffic (such as by packet sniffing) and from remote network services (such as FTP servers, websites, etc.), which act as sources of network forensic evidence.

Network forensics can reveal:

• Source of security incidents and network attacks
• IP addresses, protocols, encrypted or unencrypted messages, etc.
• Path of the attack
• Intrusion techniques used by attackers

Network forensics has certain limitations due to privacy laws and other types of legal restrictions.


People Involved in Forensics Investigation

• Attorney: Gives legal advice
• Photographer: Photographs the crime scene and the evidence gathered
• Incident Responder: Responsible for the measures and actions taken during an incident
• Decision Maker: Authority responsible for the policy or procedure taken during the investigation process
• Incident Analyzer: Analyzes the incidents based on their occurrence
• Evidence Examiner/Investigator: Examines the evidence acquired and sorts the useful evidence
• Evidence Documenter: Documents all the evidence and the phases present in the investigation process
• Evidence Manager: Manages the evidence so it is admissible in court
• Expert Witness: Offers formal experienced testimony in court

Based on the requirement of the organization, the primary users of forensic tools and
techniques fall under three groups:

• Investigators: Responsible for investigating incidents.

• IT Professionals: Includes technical staff and administrators.

• Incident handlers: Responds to different computer security incidents.

A detailed discussion of the people involved in a computer forensics team is as follows:


• Attorney: Helps in giving legal advice about how the investigation should be carried out, and the legal issues that should be followed in the computer forensics investigation process.

• Photographer: Photographs the crime scene and the evidence gathered. They must be certified for evidence photography. By photographing all the evidence found at the crime scene, the photographer records the key evidence in the forensics process.

• Incident Responder: Responsible for the measures taken when an incident occurs. The incident responder is responsible for securing the incident area and collecting the evidence that is present at the crime scene.

• Decision Maker: Authority responsible for the policy or procedure taken during the investigation process. Based on the incident type, a decision maker decides the policies and procedures and adapts them while handling the incident.


• Incident Analyzer: Analyzes the incidents based on their occurrence. They examine the incident with regard to its type, how it affects the system, the different threats and vulnerabilities associated with it, etc.

• Evidence Examiner/Investigator: Examines the evidence acquired and sorts out which is useful, according to its relevance to the case. By maintaining an evidence hierarchy, the evidence examiner prioritizes the evidence properly.

• Evidence Documenter: Documents all the evidence and the phases present in the investigation process. The evidence documenter gathers information from all the people involved in the forensics process and documents it in an orderly fashion, from the incident occurrence to the end of the investigation. The documents contain the complete information about the forensics process.

• Evidence Manager: Manages the evidence so it is admissible in a court of law. They have all the information about the evidence, for example, evidence name, evidence type, time, and source of evidence, etc. They manage and maintain a record of the evidence so that it is admissible in a court of law.

• Expert Witness: Offers a formal opinion as testimony in a court of law. Expert witnesses authenticate the facts and witnesses during a complex case. Expert witnesses are often called to cross-examine other witnesses and evidence, as a normal witness may be influenced by various factors.


Typical Forensics Investigation Methodology

1. Obtain Search Warrant
2. Evaluate and Secure the Scene
3. Collect the Evidence
4. Secure the Evidence
5. Acquire the Data
6. Analyze the Data
7. Assess Evidence and Case
8. Prepare the Final Report
9. Testify as an Expert Witness

The forensic investigation methodology includes a series of steps that are followed to carry out a successful forensic investigation. It guides the investigator in the collection of potential evidence concerning the security incident and makes sure it is admissible in a court of law. A typical forensics investigation methodology includes the following steps:

1. Obtain a search warrant: Investigators obtain a search warrant before investigating any suspects. The warrant proves beneficial for the investigator.

2. Evaluate and secure the scene: Investigators evaluate and secure the scene before collecting the evidence. Tampering with or damaging the devices can affect the evidential proof against the suspect.

3. Collect the evidence: Investigators collect all the evidence discovered at the scene. The investigators must not neglect any of the supporting items related to the incident which can act as evidence and be helpful in a court of law.

4. Secure the evidence: The investigator securely stores the evidence collected. Loss of evidence will weaken the case against the suspect.

5. Acquire the data: It is important to acquire the affected data. This will help the investigator find the reason for the intrusion.

6. Analyze the data: Analyzing the data also includes monitoring the target's activity before, during, and after the incident. The analysis phase is the most important phase, as the investigator gathers more evidence through the monitoring of logs.


7. Assess evidence and case: Once the investigator has done the analysis, it is important to gather the evidence and assess the case.

8. Prepare the final report: The final report will include detailed information about the actions taken by the investigator and the suspect/attacker.

9. Testify as an expert witness: The investigator will testify as an expert witness confirming the facts of the case.


[Flowchart with the nodes: Perpetrator Identified? (NO: External Investigation Required?; YES: Law Enforcement Required?) -> Liaison With Third Party Law Enforcement ... / Create a Chain of Custody -> Perpetrator Identified? -> Create a Forensic Investigation Report -> Management Receives ... Report -> Close the Investigation]

A forensic investigation involves using various processes, tools, and techniques to gather valuable information. The forensics investigation team analyzes the evidence to identify the real cause and nature of the incident and traces the perpetrators after the collection and protection of the evidence. The team documents and submits the results of the forensic analysis to management.

If the perpetrator is identified in an investigation report, management then decides whether law enforcement is required to prosecute the perpetrator or the organizational disciplinary team should handle the case. If there is a need for law enforcement, then management or a designated authority contacts a third-party law enforcement agency. If the attacker is not identified, then management decides whether to close the investigation or to pass it to an external investigation agency for further investigation. If the third-party investigators are able to investigate the incident and identify the attacker, it will be reported to management. Management makes further decisions regarding the prosecution of the attacker. If the third-party investigators also fail to identify the perpetrator, the IRT or management will recommend an update to the IH&R processes that enables them to carry out successful investigations in the future.

Organizations need to notify external law enforcement and investigation agencies if the incident is severe and affects the employees, customers, and the general public. If the incident has caused severe damages and financial losses, the organization should report the incident to law enforcement agencies and file a case against the attackers. These agencies can be local or national law enforcement agencies, security agencies, cyber experts, etc.


Eradication and Recovery

• The eradication stage removes or eliminates the root cause of the incident
• Vulnerability analysis is performed in this stage
• It lists countermeasures to thwart further damage, thereby securing the organization's assets

[Figure: eradication and recovery flow. Eliminate Components of the Incident → Incident is Eliminated? (NO → Escalate the Problem; YES → Data is Lost? (YES → Recover Data from Backup) → Restart Services and Processes).]

Eradication and Recovery (Cont'd)

• The IRT checks whether the incident is eliminated
• The IRT eliminates all components of the incident by using various techniques
• If the incident is not eliminated, the IRT escalates and eradicates the problem
• If the incident is eliminated, the IRT checks for any potential data loss
• In case of data loss, the data is recovered using a data backup
• The IRT restarts the services and processes


Eradication and Recovery (Cont'd)

The possible countermeasures include:

• Using antivirus software
• Installing the latest patches
• Independent security audits
• Disabling unnecessary services
• Updating security policies and procedures
• Policy compliance checks
• Changing the passwords of the compromised systems
• Eliminating the intruder's access and identifying any changes
• Reinstalling compromised systems
• Rebuilding systems

Eradication and recovery from a security incident generally depend on its extent. Sometimes it
is easy to contain and recover from a malware attack, but in other cases it is difficult and takes
more time to recover, for example when the malware has infected more systems in the network.
In this case, the organization needs to further harden, monitor, and validate all computer and
information systems against future threats. The extent of damage to the network may be
unknown in this case; there is then no alternative to building the whole network again from
scratch, which is something an organization will want to avoid at all costs. Eradication and
recovery are vital to the success of an organization.

Eradication and recovery also depend on how effectively the attack was contained during the
containment phase. This phase is capable of:

• Handling the problem
• Solving the problem
• Taking the necessary steps to prevent the problem from occurring again

Recovery also determines the course of action for an incident.

Determining the cause and symptoms

The data and information regarding the type of incident, gathered during the containment
phase, is useful in the eradication phase. This information helps determine the cause and
symptoms of the incident and helps in selecting a suitable recovery method.


Improve defenses
Various kinds of protection tools and techniques such as firewalls, routers, and router filters
should be used to strengthen the security of the organization. It is also important to configure
network security devices and applications to block identified attack paths. Patch all the
identified vulnerabilities to stop further exploitation.

In extreme cases, change network component addresses for devices which face the public. This
will help ensure any established attack paths are removed.

Vulnerability analysis
Vulnerability analysis is necessary as it provides important information about the vulnerable
points and areas present in the system. It reduces the damage caused by the incident and
safeguards the organization, as it carries out its normal operations.

The following countermeasures protect organizations from further security threats. The IRT
should implement these countermeasures in the eradication and recovery phase.

• Organization's priorities: Identify the organization's top priorities, such as restoring the
system to normal operations, ensuring data integrity, determining the impact on evidence,
gathering evidence, and/or avoiding public disclosure.

• Examining the incident: Examine the nature, severity, and cause of the incident.

• Antivirus software: Using antivirus software on the system prevents intrusion into the
system, which in turn prevents data loss.

• Installing the latest patches: Installing the latest patches hardens system security.
However, before installing patches on host machines, administrators should check the
patches using a test machine.

• Security audits: Conduct timely independent security audits to detect all suspected
activities.

• Disabling any unnecessary services: Administrators should disable services that users do
not use. Intrusion can take place through unused services on a host machine.

• Updating security policies and procedures: Administrators should regularly update
security policies and procedures.

• Changing passwords: It is important for users to change the passwords on their systems.
The passwords must follow the strong password policy deployed by the administrators.

• Eliminating the intruder's access paths: After the removal of the external threats, it is
also necessary to eliminate the intruder's access paths by changing the information
system.

• Reinstallation: A system that was compromised by an intrusion should undergo a fresh
installation of the operating system and all the services.

• Restoring: Compromised or infected systems should be restored with an installation of
secure software.


• Corrective actions: Corrective actions reduce vulnerabilities in the system, making it less
susceptible to intrusion.

• Network-based countermeasures: Network-based countermeasures secure the devices in
the network.


Eradication and Recovery - Systems Recovery

• Recovering a system from an incident generally depends on the extent of the security breach
• In the recovery step, an affected system is restored to normal operation
• The computer systems and networks are monitored and validated
• The recovery stage determines the course of action for an incident
• Run vulnerability assessment and penetration testing tools to identify possible vulnerabilities which exist in the system and/or network
• Determine the integrity of the backup file by attempting to read its data
• Verify the successful operation of the system
• Use network loggers, system log files, and potential back doors to monitor the system
• Actions performed in the recovery stage are:
  ◦ Rebuilding the system by installing a new OS
  ◦ Restoring user data from trusted backups
  ◦ Examining the protection and detection methods
  ◦ Examining the security patches and system log information

Recovering a system generally depends on the extent of the security breach. In the recovery
step, the affected systems are restored to normal operation. When a computer security
incident occurs, the IRT should decide whether to restore the existing system or completely
rebuild it. Use system backups to rebuild the compromised system.

The systems recovery steps are:

• Determine the course of action:

Strategies for system recovery are determined according to the impact of the incident.
Select the appropriate strategy after considering the availability of resources, the
criticality of affected systems, and the results of a cost-benefit analysis.

• Monitor and validate the systems:

Monitoring and system validation ensures that the recovered systems are sanitized of any
incident causes and are operating in normal conditions. Validation also involves checking
the integrity of the restored information from a backup. Conduct regular vulnerability
assessments and penetration testing to monitor the system's behavior and the possible
vulnerabilities which may exist in the system or network. Monitor the system for potential
back doors, which can result in the loss of data or another incident.
A restoration process is only successful when the backup files are properly stored and
preserved. The amount of data recovered, and its safety and preservation, mainly depend on the
techniques used in the recovery process. During this process the integrity of the data can be
damaged, which can be detected using a backup file integrity check. This check verifies the
success of the restoration and the normal condition of the system. Strengthen network
monitoring using network loggers and system log files, and check potential back doors for any
missed vulnerabilities.
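A backup file integrity check of the kind described above, as an added example that is not part of the EC-Council courseware: a SHA-256 manifest is recorded when the backup is taken, and before any restore the backup set is compared against it, reporting files that are intact, modified, missing, or not present when the manifest was made. Directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large backup images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _files_in(backup_dir: Path) -> dict:
    """Map each file's path relative to the backup root to its absolute Path."""
    return {
        p.relative_to(backup_dir).as_posix(): p
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def build_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every file at backup time.

    The manifest must be stored separately from the backup media (and ideally
    signed); a manifest kept next to the data can be altered together with it.
    """
    return {rel: sha256_file(p) for rel, p in _files_in(backup_dir).items()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set against its manifest before restoring from it.

    Returns relative paths that are intact ("ok"), whose contents no longer
    match ("modified"), that have disappeared ("missing"), and that were not
    present when the manifest was taken ("unexpected").
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    present = _files_in(backup_dir)
    for rel, expected in manifest.items():
        path = present.pop(rel, None)
        if path is None:
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Anything left over was added after the manifest was recorded.
    report["unexpected"] = sorted(present)
    return report


def safe_to_restore(report: dict) -> bool:
    """A restore should proceed only from a backup whose every file verified."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Constructed scenario: take a small backup, record its manifest, then
    damage the set and verify it. All names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "etc").mkdir(parents=True)
        (backup / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (backup / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (backup / "app.db").write_bytes(b"\x00" * 4096)
        manifest = build_manifest(backup)

        # Simulated damage between backup and restore: one file corrupted,
        # one lost, and one that was not part of the backup set.
        (backup / "etc" / "hosts").write_text("127.0.0.1 localhost\n# corrupted\n")
        (backup / "app.db").unlink()
        (backup / "etc" / "rc.local").write_text("# not in the manifest\n")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    result = demo()
    for status, paths in result.items():
        print(f"{status:10s} {paths}")
    print("safe to restore:", safe_to_restore(result))
```

In practice the manifest would be produced by the backup job and kept with the chain-of-custody records, so that a failed check is evidence of damage or tampering rather than a reason to restore anyway.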
Some of the actions to perform in the recovery stage are:
• Rebuilding the system by installing a new OS.
• Restoring a user's data from trusted backups.
• Examining protection and detection methods.
• Examining security patches and system log information.


Post-Incident Activities

• The incident response team documents all activities while handling and responding to an incident
• Incident damage and recovery costs play an important role in legal actions against the perpetrator(s)
• When both the documentation and recovery phases are complete, review the process

[Figure: post-incident activity flow. Nodes: Review/Update Incident Response Policies; Communicate with all; Close the Investigation.]

It is a good habit to learn from past mistakes. The IRT as well as the organization can learn a lot
from its past security mistakes and vulnerabilities. Incident handling involves more than
effectively handling an incident; it also involves the process of learning and improving.
Organizations that hold a lessons-learned meeting with their staff after an incident have found it
to be beneficial. This learning process also covers the policies that were responsible for the
security failure. An update or review of all the security policies will help the organization build a
robust network that is highly difficult to penetrate.


Post-Incident Activities - Incident Documentation

• The incident response team will document all the various processes while handling and responding to an incident
• The documentation must provide a description of the security breach and details of all actions which took place, such as who handled the incident, when the incident handling took place, and all the reasons why the incident occurred
• Document all the steps and conclusion statements immediately after completing the forensic process
• The document must be organized properly, examined, reviewed, and vetted by management and legal counsel
• The best way to prosecute the offender(s) is through proper documentation

The prepared document should be:

• Concise and clear: Prepare the reports so that everyone can understand them
• Standard format: Maintain a standard format, making the report writing scalable, which saves time and enhances accuracy
• Editors: Ensure that the forensic reports are edited properly

The evidence gathered as well as the documents prepared should be safeguarded during the
protect evidence phase.
Document the steps and conclusions during the investigation process as soon as possible. The
document prepared should be:
• Concise and clear:

Prepare the reports so that everyone can understand them. Avoid using shortcuts while
preparing the reports.

• Standard format:

Maintain a standard format that makes report writing scalable, saves time, and supports
accuracy. Organize the response process by generating forms, outlines, and templates, and
support the storage of the data related to the incident.

• Error-free:

Accept the help of technical editors to read the forensic reports. Editors provide their
support in developing error-free reports.


Post-Incident Activities - Incident Damage and Cost Assessment

The two most important types of evidence that are required for legal prosecution are incident
damage and cost.

Costs include:

• Costs due to loss of confidential information
• Legal costs
• Labor costs
• System downtime cost
• Installation cost

Incidents cause extensive damage in organizations, resulting in huge losses that range from the
loss of business to the loss of customers' goodwill. Sometimes, reports of incidents result in
losing prospective customers. Most importantly, lost confidential information can cost an
organization millions of dollars, because customers file lawsuits over the organization's
negligence in handling their personal information. An organization can estimate its internal
losses, which gives an idea of the actual asset losses. The estimate of losses is the sum of all the
damage costs as well as the cost to recover from the incident. Incident damage and recovery
costs play an important role in legal actions against perpetrators.

Incident damage includes:

• The loss of confidential information.
• Legal costs for investigating the case, lawyers' fees, etc.
• Costs pertaining to analyzing the incident, recovering, and installing software and
hardware.
• Loss and costs due to system downtime.
• Implementation costs.
• Repairing and replacing damaged systems, and physical security costs.
• Costs due to damage to the organization's reputation and the loss of customer trust.


Post-Incident Activities - Review and Update the Response Policies

• When both the documentation and recovery steps are complete, review the process
• Discuss the successfully implemented steps and mistakes with your team
• To reduce the impact of an incident and assist in the handling of future incidents, review the response and update all your security policies

The steps that prevent future incidents are as follows:

• Consider additional security policies that prevent incidents.
• Update the policies and procedures regularly.
• Examine the appropriateness of the incident response.
• Examine whether the organization's computer systems are:
  ◦ Regularly patched
  ◦ Properly locked down
  ◦ Protected with encrypted passwords
  ◦ Updated with the latest antivirus software
  ◦ Set with email policies

Use the lessons learned from the incident for future incident response efforts.


Training and Awareness

• Training and awareness provides the skills required to implement incident handling policies
• Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication
• Well-trained members can prevent an incident or limit the resulting damage

Security awareness and training should include:

1. Design and plan the awareness and training program
2. Development of the awareness and training materials
3. Implementation of the awareness and training programs
4. Measuring the effectiveness of the program and updating it

Training and Awareness (Cont'd)

Training should be conducted at specified intervals and include:

• The incident handling location
• Pre-assignment plans to handle emergency situations for all employees
• Recognition and operation of utility shut-off devices

The awareness campaign is designed for several purposes, such as:

• Knowledge and participation
• A plan's strategies
• Contingency arrangements


Training and awareness not only enhance employees' security knowledge, but also help change
the lackadaisical attitude towards security in organizations overall. The human factor in security
affects much more than any software or hardware enhancement ever could. Training provides a
great deal of understanding of the policies implemented in the organization, which also
increases security. A security awareness program is a two-way information flow that makes use
of various types of communication media, such as audio, video, text, and practical training
sessions.

The important elements in security training and awareness programs are:

• Plan and design the training and awareness program.
• Update and analyze the efficiency of the training program.
• Implement the training and awareness program.
• Build training and awareness study material.
A comprehensive training program for all employees is necessary after updating the plan. The
purpose of conducting training and exercises is to ensure that first responders have the
necessary level of preparedness, and that the training material is kept up to date through quality
control steps. Conduct training at specified intervals, including:

• Identifying the incident handling location.
• Identifying pre-assignment plans for all employees to handle emergency situations.
• Recognizing and operating the utility shut-off devices.

Conduct internal and external awareness campaigns to:

• Generate awareness among all the parties.
• Provide knowledge and encourage all the parties to participate in the events.
• Make the plan's strategies known.

To generate awareness among employees:

• Training is necessary to create awareness and preparedness among the staff and team
members.
A training and awareness program educates people on how to handle computer-related
incidents. It provides the skills required to implement incident handling policies. Give training to
all teams regarding their roles, responsibilities, and specific tasks, since specific skills are needed
during the recovery process. Training and awareness are necessary for general incident handling
operations, understanding the level of importance, incident handling know-how, etc.

Practical training removes developmental errors, improves procedures, and reduces
miscommunication. Well-trained members can significantly limit the damage. A training
program's effectiveness increases only with proper planning, an implementation strategy,
maintenance, and periodic evaluation of the program.


Some of the important points that constitute a training and awareness program's success are:

• Identify the scope, goal, and objective of the program.
• Identify the training staff.
• Identify the people to be trained.
• Inspire employees and management to adhere to security awareness.
• Effectively manage the program.
• Program maintenance.
• Continuous evaluation and enhancement of the program.


□ Incident handling and response is a process of taking organized and careful steps toward reacting to a security incident
□ Network administrators play key roles as first responders
□ A quick response to an incident minimizes the extent of damage
□ A first responder escalates a security incident to the information security team, or to a dedicated in-house or external IRT
□ Network administrators coordinate with the forensics investigation team to locate potential evidence and ensure no further harm will come to the organization

In this module, you learned how important it is to provide timely responses to incidents. A
timely response prevents major losses to the organization. Network administrators play vital
roles in providing a timely response to incidents as first responders. The IRT's investigation
works with the initial information provided by the first responder concerning the incident. The
module also provided an overview of the entire incident handling and response process which
the IRT follows and implements for successful handling, containment, eradication, investigation,
and recovery from all types of security incidents.

Module 14 Page 1206 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

References
Module 01: Computer Network and Defense Fundamentals
1. Ms. Mousami Pawar (Dec 5, 2014), Network Security, from http://www.slideshare.net/mousmip/network-security-
fundamental.

2. Internet and Internet Communication(s) (June 2012), from https:// ccdcoe.org/ cycon/ 2012/ workshops/ Internet_
Internet_ Comms.pdf.

3. John E. Canavan, Fundamentals of Network Security, from


http://www.as kcypert. org/sites/defau lt/fi Ies/Canavan _J.E._Fu nda menta Is_of_network_security_(2001) (en) (218s).pdf.

4. DoDD 8570.1: Blue Team, from https://www.sypriselectronics.com/information-security/cyber-security-


solutions/computer-network-defense/.

5. Mariusz Stawowski (ISSA Journal October 2007), The Principles of Network Security Design, from http://www.clico.pl/
services/ Principles_Network_Security_Design.pdf.

6. Diane Teare, Designing for Cisco Internetwork Solutions (DESGN), from http://portal.aauj.edu/ portal_resources/
downloads/ networking/ designing_network_security_cisco_press.pdf.

7. Types of Network, http://www.codesandtutorials.com/networking/basics/computer_network-types.php.

8. Department of Defense (March 9, 2001, Support to Computer Network Defense (CND), from
https ://info. pubIicintel ligence .net/DoD-SupportCN D. pdf.

9. Computer Network Defense, from https://www.safaribooksonline.com/library/view/cyber-warfare-


2nd/9780124166721/xhtml/CHP01l.html.

10. Computer Network Defense (CND), from https://www.techopedia.com/definition/27906/computer-network-defense-cnd.

11. Computer security, from https://en.wikipedia.org/wiki/Computer_security.

12. What is Information Security? From http://demop.com/articles/what-is-information-security.pdf.

13. Computer network operations, from https://en.wikipedia.org/wiki/Computer_network_operations.

14. Margaret Rouse,(Feb 2015), authentication, from http://searchsecurity.techtarget.com/definition/authentication .

15. 5 Core Principles of Information Assurance (May 23, 2011),


https://onlinebusinesscertificates.wordpress.com/2011/05/23/5-core-principles-of-information-assurance/.

16. NSA(CSS), Information Assurance, from https://www.nsa.gov/ia/_files/support/defenseindepth.pdf.

17. Trusted Information Sharing Network for critical infrastructure protection (June 208), from
http://www.qcert. org/sites/defa ult/fi Ies/pub Ii c/ documents/au-b p-d efence_in_depth-e ng-2 008. pdf.

18. physical security, from http://searchsecurity.techtarget.com/definition/physical-security.

19. Vanessa Frias-Martinez, Joseph Sherrick,Salvatore J. Stolfo, Angelos D. Keromytis, A Network Access Control Mechanism
Based on Behavior Profiles, from https:// www.cs.columbia.edu/ ~angelos/ Papers/ 2009/acsac09.pdf.

20. Ajay Yadav (April 1 2013), Network Design: Firewall, IDS/IPS, from http://resources.infosecinstitute.com/network-design-
firewall-idsips/.

21. Tony Bradley, Proxy Server, from http://netsecurity.about.com/cs/generalsecurity/g/def_proxy.htm .

22. Hardening (computing), from https://en.wikipedia.org/wiki/Hardening_(computing).

23. Packet Filtering, from https://www.techopedia.com/definition/4038/packet-filtering.

24. Margaret Rouse(March 2001), Common Criteria (CC) for Information Technology Security Evaluation, from
http ://whatis.tech target.com/definition/Comm on-Criteria-CC-for-Inform ati on-Tech n ol ogy-Secu rity-Eva Iu atio n.

25. GERALD J. POPEK AND CHARLES S. KLINE, Encryption and Secure Computer Networks, from http://
www.cs.swarthmore.edu/ ~newhall/readings/popek.pdf.

References Page 1207 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

26. Feb 2008, Password management , from http://www.infosec.gov.hk/english/technical/files/password. pdf.

27. Deb Shinder (August 28, 2001), Understanding and selecting authentication methods, fromhttp://www.techrepublic.com/
article/ understanding-and-selecting-authentication-methods/.

28. network configuration management (NCM), from http://searchnetworking.techtarget.com/definition/network-


configuration-management.

29. Network Security Audit - Multi platform consolidation with security event corelation, from
http://www.enforcive. com/network-security-audit.

30. Frederick M. Avolio (July 2007), Producing your network security policy, from https://www.watchguard.com/docs
/whitepaper /securitypolicy_wp.pdf.

31. STANDARD OPERATING PROCEDURES, http://www.fao.org/docrep/w7295e/w7295e04.htm.

32. Padmavathy Ramesh (July 2002), Business Continuity Planning, fromhttp://www.tcs.com/ SiteCollectionDocuments/
White%20Papers/Business%20Continuity%20Planning.pdf.

33. Configuration Control, from http://www.chambers.eom.au/glossary/configuration_control.php.

34. Relevant Incident Response, from https://books.google.co.in/ books?id=61JxGXfLWkYC&pg=PA234&Ipg=


PA234&dq=Conducting+forensics+activities++on+incidents&source=bl&ots=pjOtZSKdDK&sig=lLH6RbO1tlhHSOS8ehOs9xH
KUU4&hl=en&sa=X&ved=0CDUQ6AEwBGoVChMlxofau8OcyQIV0m2OCh2O5Akh#v=onepage&q=Conducting%20forensics%
20activities%20%20on%20incidents&f=false.

35. August 2000, Security Culture: a handbook for activists, from http://www.animalliberationfront.com/ALFront/ELF/sec-
handbook.pdf.

36. Jennifer Pfeffer (7/11/2016), What Does a Network Administrator Do? A Behind-the-Scenes Look, from http://
www.rasmussen.edu/ degrees/ technology/ blog/what-does-a-network-administrator-do/.

37. Protecting Data in a Network Environment, from


https://docs.oracle.com/cd/B12037_01/network.101/b10777/protnet.htm.

38. Architecture Overview, http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safe_wp.htm#wp42293.

39. Nimmy Reichen berg (September 26, 2013), Four Tips for Designing a Secure Network Perimeter, from
http://www.secu ritywee k. com/four-tips-design i ng-secu re-network-perimeter.

40. http://secnetpal.com/network-security/prevention-detection-response-trin ity-network-securitypart-1. html.

41. http://seen etpa I.com/network-security/prevention-detection-res ponse-tri nity-network-secu ritypa rt- 2. htm I.

42. Incident Response Plan, from http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html.

43. 6 November, 2015, Responding to Network Attacks and Security Incidents, from http://www.tech-faq.com/responding-to-
network-attacks-and-security-incidents.html.

44. The Difference Between Events, Alerts, and Incidents, from https://danielmiessler.com/study/event-alert-incident/.

45. Vulnera bilities, Threats, and Attacks, from http://www.lovemytool.com/files/vulnerabilities-threats-and-attacks-chapter-


one-7.pdf.

46. Responding to Network Attacks and Security Incidents, from http://www.tech-faq.com/responding-to-network-attacks-


and-security-incidents.html.

47. Red Team/Blue Team, Capture the Flag, and Treasure Hunt: Teaching Network Security Through Live Exercises, from
http://ictf.cs.ucsb.edu/pdfs/2003_WISE_iCTF.pdf.

48. Cyril Onwubiko (13th December 2011), Computer Network Defense Approaches, from http://www.research-series.com/
cyril/ Approaches%20in%20security%20defense.pdf.

49. personal area network (PAN), from http://searchmobilecomputing.techtarget.com/definition/personal-area-network.

50. Personal area network, from https://en.wikipedia.org/wiki/Personal_area_network.

51. The CentOS Project, from https://www.centos.org .

52. TCP/IP Overview and History, from http://www.tcpipguide.com/free/t_TCPIPOverviewandHistory.htm.

53. THE TCP/IP PROTOCOL SUITE, from http://www.exa.unicen.edu.ar/catedras/comdat1/material/TP1-Ejercicio5-ingles.pdf.

54. What is TCP/IP?, from http://www.uic.edu/depts/accc/network/ftp/v452.html#whatis.

References Page 1208 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

55. The Internet Transport Protocols: TCP, from http://eee.guc.edu.eg/ Courses/ Networks/
NETW901%20Local%20Area%20Networks/Lectures/TCP.pdf.

56. half-duplex and full-duplex Ethernet vs Switches and Hubs, from http://queryd.com/questions/full-duplex.html.

57. Media session framework using a control module to direct and manage application and service servers, from
http://www.google.co.in/patents/US7185094.

58. Transmission Control Protocol, from https://en.wikipedia.org/wiki/Transmission_Control_Protocol.

59. TCP Operation, from http://www.freesoft.org/CIE/Course/Section4/7.htm.

60. TCP Basic Operation: Connection Establishment, Management and Termination, from http://www.tcpipguide.com/free/t_TCPBasicOperationConnectionEstablishmentManagement.htm.

61. Explain TCP and UDP operations, from http://www.examcollection.com/certification-training/ccnp-explain-tcp-and-udp-operations.html.

62. Basic TCP operation, from https://niktips.wordpress.com/2012/06/06/basic-tcp-operation/.

63. Transmission Control Protocol, from https://en.wikipedia.org/wiki/Transmission_Control_Protocol.

64. TCP Connection Establishment Process: The "Three-Way Handshake", from http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh.htm.

65. Kartik Krishnan (2004), User Datagram Protocol (UDP), from http://www4.ncsu.edu/~kksivara/sfwr4c03/lectures/lectures.pdf.

66. UDP - User Datagram Protocol, from http://ipv6.com/articles/general/User-Datagram-Protocol.htm.

67. UDP Overview, History and Standards, from http://www.tcpipguide.com/free/t_UDPOverviewHistoryandStandards.htm.

68. The Transmission Control Protocol (TCP), from https://books.google.co.in/books?id=Ts4SKa6qLLYC&pg=PA169&lpg=PA169&dq=TCP+operation&source=bl&ots=zsLXikzEMs&sig=UkSA7bvWnG-tyyMJ8Tp4AjiPGSg&hl=en&sa=X&ved=0CBsQ6AEwADgKahUKEwidjsz035vJAhUVkl4KHWjDBW8#v=onepage&q=TCP%20operation&f=false.

69. UDP Operation, from http://www.tcpipguide.com/free/t_UDPOperation.htm.

70. Explain UDP operations, from http://ccieordie.com/l-1-f-explain-udp-operations/.

71. Nick (August 20, 2014), CCIE Written Blueprint: 1.1.f Explain UDP operations, from https://www.geekynick.co.uk/1-1-f-explain-udp-operations/.

72. UDP Operations, from http://www.hackandtinker.net/2014/12/17/udp-operations/.

73. IP header, from https://en.wikipedia.org/wiki/IP_header.

74. IP Internet Protocol, from http://www.networksorcery.com/enp/protocol/ip.htm.

75. Himanshu Arora (26 March 2012), Protocol Header Fundamentals Explained with Diagrams, from
http://www.thegeekstuff.com/2012/03/ip-protocol-header/.

76. Internet Addressing and Routing First Step, from http://www.ciscopress.com/articles/article.asp?p=348253&seqNum=4.

77. Internet Protocol IP Datagram, Fragmentation and Reassembly, from http://user.it.uu.se/~rmg/teaching/IP.pdf.

78. IP Packet Structure, from http://www.freesoft.org/CIE/Course/Section3/7.htm.

79. INTERNET PROTOCOL DARPA INTERNET PROGRAM PROTOCOL SPECIFICATION ( September 1981), from
https://tools.ietf.org/html/rfc791.

80. Tech Info - IP Message Formats, from http://www.zytrax.com/tech/protocols/tcp.html.

81. IP Datagram General Format, from http://www.tcpipguide.com/free/t_IPDatagramGeneralFormat.htm.

82. IP Datagram Options and Option Format, from http://www.tcpipguide.com/free/t_IPDatagramOptionsandOptionFormat.htm.

83. IPv4 Packet Header, from http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html.

84. IP (Internet Protocol), from https://www.lri.fr/~fmartignon/documenti/reseauxavances/2-IP-Martignon.pdf.

85. Vangie Beal, IPng - IPv6 (Internet Protocol Version 6), from http://www.webopedia.com/TERM/I/IPng.html.


86. IPv6, from https://en.wikipedia.org/wiki/IPv6.

87. IPv6, from http://www.internetsociety.org/what-we-do/internet-technology-matters/ipv6.

88. What is IPv6?, from https://support.apple.com/en-us/HT202236.

89. Kaushik Das, IPv6 - The Next Generation Internet, from http://www.ipv6.com/articles/general/ipv6-the-next-generation-
internet.htm.

90. Kaushik Das, A Beginner's Look into IPv6, from http://ipv6.com/articles/general/IPv6-Beginners_Look.htm.

91. IPv6 Tutorial, from http://www.tutorialspoint.com/ipv6/.

92. Frequently asked questions on IPV6, from https://www.google.com/intl/en/ipv6/faq.html.

93. TCP/IP v4 and v6, from https://technet.microsoft.com/en-us/network/bb530961.aspx.

94. IPv6 packet, from https://en.wikipedia.org/wiki/IPv6_packet.

95. IPv6- Headers, from http://www.tutorialspoint.com/ipv6/ipv6_headers.htm.

96. Kaushik Das, IPv6 Header Deconstructed, from http://ipv6.com/articles/general/IPv6-Header.htm.

97. IPv6 Datagram Main Header Format, from http://www.tcpipguide.com/free/t_IPv6DatagramMainHeaderFormat.htm.

98. October 2006, IPv6 Extension Headers Review and Considerations, from http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html.

99. Internet Protocol, Version 6 (IPv6) Specification, from https://tools.ietf.org/html/rfc2460.

100. IPv6 Internet Protocol Version 6, from http://www.networksorcery.com/enp/protocol/ipv6.htm.

101. IPv6 Datagram Header Format, from http://www.omnisecu.com/tcpip/ipv6/ipv6-datagram-header-format.php.

102. IPv6 Header, from http://euclid.nmu.edu/~rappleto/Classes/CS442/Notes/IPv6_Header.html.

103. IPv6 transition mechanism, from https://en.wikipedia.org/wiki/IPv6_transition_mechanism.

104. April 21, 2009, IPv6 Transition Mechanisms and Strategies, from http://www.rmv6tf.org/wp-content/uploads/2012/11/Chuck-Sellers-090421-IPv6-Transition-Mechanisms-Sellers1.pdf.

105. Making the Transition From IPv4 to IPv6 (Reference), from https://docs.oracle.com/cd/E19683-01/817-0573/transition-
10/index.html.

106. Basic Transition Mechanisms for IPv6 Hosts and Routers, from https://tools.ietf.org/html/rfc4213.

107. Transition Mechanisms, from http://portalipv6.lacnic.net/en/transition-mechanisms/.

108. Kaushik Das, IPv6 Transition Technologies, from http://ipv6.com/articles/gateways/IPv6-Tunnelling.htm.

109. Todd Lammle, CISCO Certified Network Associate Study Guide, 5th Edition, from http://www.cs.rpi.edu/~kotfid/nel/CCNA_chapter2.pdf.

110. Dynamic Host Configuration Protocol, from https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol.

111. Vangie Beal, DHCP - Dynamic Host Configuration Protocol, from http://www.webopedia.com/TERM/D/DHCP.html.

112. What is DHCP?, from https://kb.iu.edu/d/adov.

113. DHCP (Dynamic Host Configuration Protocol), from http://searchunifiedcommunications.techtarget.com/definition/DHCP.

114. What is DHCP?, from http://whatismyipaddress.com/dhcp.

115. Dynamic Host Configuration Protocol (DHCP), from https://www.freebsd.org/doc/handbook/network-dhcp.html.

116. Configure DHCP options, from ftp://ftp1.digi.com/support/documentation/appnote_dhcpoptions.pdf.

117. Dynamic Host Configuration Protocol for IPv6 (DHCPv6), from https://www.rfc-editor.org/rfc/rfc3315.txt.

118. DHCP Message Format, from http://www.tcpipguide.com/free/t_DHCPMessageFormat.htm.

119. Dynamic Host Configuration Protocol, from http://www.tarunz.org/~vassilii/TAU/protocols/dhcp/frame.htm.

120. Dynamic Host Configuration Protocol (DHCP) Message Format), from http://www.omnisecu.com/tcpip/dhcp-dynamic-host-
configuration-protocol-message-format.php.

121. DHCP Header (RFC 2131), from https://www.securitywizardry.com/packets/pdf/dhcp_header.pdf.


122. Marshall Brain & Stephanie Crawford, How Domain Name Servers Work, from http://computer.howstuffworks.com/dns.htm.

123. How the Domain Name System (DNS) works, from https://www.bytemark.co.uk/support/document_library/dnsworks/.

124. March 28 2003, How DNS Works, from https://technet.microsoft.com/en-in/library/cc772774(v=ws.10).aspx.

125. Srikanth Ramesh, How Domain Name System (DNS) Works, from http://www.gohacking.com/how-dns-works/.

126. How Anonymous plans to use DNS as a weapon, from http://arstechnica.com/business/2012/03/how-anonymous-plans-to-use-dns-as-a-weapon/.

127. What is DNS?, from https://in.godaddy.com/help/what-is-dns-665.

128. Domain Name System, from https://en.wikipedia.org/wiki/Domain_Name_System.

129. Vangie Beal, DNS- Domain Name System, from http://www.webopedia.com/TERM/D/DNS.html.

130. DNS message format, from http://www.comptechdoc.org/independent/networking/terms/dns-message-format.html.

131. DNS Packet Structure, from http://www.ccs.neu.edu/home/amislove/teaching/cs4700/fall09/handouts/project1-primer.pdf.

132. DNS header, from http://www.networksorcery.com/enp/protocol/dns.htm.

133. DNS Message Header and Question Section Format, from http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm.

134. DNS Query Message Format, from http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/160-protocols-dns-query.html.

135. DNS Messages, from http://www.zytrax.com/books/dns/ch15/.

136. DNS Protocol, from https://technet.microsoft.com/en-us/library/dd197470(v=ws.10).aspx.

137. DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION, from https://www.ietf.org/rfc/rfc1035.txt.

138. Domain Name System (DNS), from http://www.rhyshaden.com/dns.htm.

139. Internet Control Message Protocol (ICMP), from http://www.erg.abdn.ac.uk/users/gorry/eg3567/inet-pages/icmp.html.

140. ICMP, Internet Control Message Protocol, from http://www.networksorcery.com/enp/protocol/icmp.htm.

141. Swayam Prakasha, Internet Control Message Protocol (ICMP) Explained, from http://www.linuxuser.co.uk/features/internet-control-message-protocol-icmp-explained.

142. INTERNET CONTROL MESSAGE PROTOCOL, from https://tools.ietf.org/html/rfc792.

143. Internet Control Message Protocol (ICMP), from https://www.techopedia.com/definition/5362/internet-control-message-protocol-icmp.

144. ICMP (Internet Control Message Protocol), from http://searchnetworking.techtarget.com/definition/ICMP.

145. Internet Control Message Protocol, from https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol.

146. ICMP Common Message Format and Data Encapsulation, from http://www.tcpipguide.com/free/t_ICMPCommonMessageFormatandDataEncapsulation.htm.

147. ARP Caching, from http://www.tcpipguide.com/free/t_ARPCaching.htm.

148. Address Resolution Protocol (arp), from http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html.

149. Jhemphill (February 18, 2008), ARP cache: What is it and how can it help you?, from https://www.petri.com/csc_arp_cache.

150. Address Resolution Protocol (ARP), from http://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP.

151. ARP - Address Resolution Protocol, from http://ipv6.com/articles/general/Address-Resolution-Protocol.htm.

152. Address Resolution Protocol, from https://en.wikipedia.org/wiki/Address_Resolution_Protocol.

153. ARP Message Format, from http://www.tcpipguide.com/free/t_ARPMessageFormat.htm.

154. DRAFT: IPv6 Address Allocation and Assignment Policy, from https://www.ripe.net/publications/docs/draft-ipv6-address-allocation-and-assignment-policy.


155. IPv6 Address Allocation and Assignment Policy, from https://www.apnic.net/docs/drafts/ipv6-address-policy-v006.

156. IPv6 Address Allocation and Assignment Policy, from https://www.arin.net/policy/archive/ipv6_policy.html.

157. APNIC Internet Number Resource Policies, from https://www.apnic.net/policy/resources.

158. Internet Resource Management at ICANN and Regional Internet Registries, from https://www.ntt-review.jp/archive/ntttechnical.php?contents=ntr201003gls.html.

159. Nathalie Trenaman (24 April 2012), IPv6 addressing plan fundamentals, from http://www.slideshare.net/ripencc/ipv6-addressing-plan-fundamentals.

160. Draft: PA/PI Unification IPv6 Address Space - New Policy Text, from https://www.ripe.net/publications/docs/ripe-documents/other-documents/draft-pa-pi-unification-ipv6-address-space-new-policy-text.

161. IPv6 Address Assignment Example, from https://networklessons.com/ipv6/ipv6-address-assignment-example/.

162. Subnetwork, from https://en.wikipedia.org/wiki/Subnetwork.

163. Vangie Beal, subnet mask- subnetting, from http://www.webopedia.com/TERM/S/subnet_mask.html.

164. subnet mask, from http://searchnetworking.techtarget.com/definition/subnet-mask.

165. What is a Subnet Mask?, from https://www.iplocation.net/subnet-mask.

166. Subnet mask, from http://www.computerhope.com/jargon/s/subnetma.htm.

167. Internet Protocol Tutorial - Subnets, from http://compnetworking.about.com/od/workingwithipaddresses/a/subnetmask.htm.

168. Subnets and Subnet Masks, from https://technet.microsoft.com/en-us/library/cc958832.aspx.

169. Subnet Mask, from https://www.techopedia.com/definition/5563/subnet-mask.

170. IP Address Allocation, from https://books.google.co.in/books?id=TzGxd32TKsoC&pg=PA180&lpg=PA180&dq=IP+Address+Allocation+Structure&source=bl&ots=zYIDfSlm89&sig=3Z3NhLB6KBkF15dhEfe4QSt9QZA&hl=en&sa=X&ved=0ahUKEwjckaDhg5_JAhVEGY4KHSoqD_kQ6AEIQjAG#v=onepage&q=IP%20Address%20Allocation%20Structure&f=false.

171. IPv6 address, from https://en.wikipedia.org/wiki/IPv6_address.

172. IP Version 6 Addressing Architecture, from https://tools.ietf.org/html/rfc4291.

173. 28th March 2003, IPv6 Address Types, from https://technet.microsoft.com/en-us/library/cc757359(v=ws.10).aspx.

174. IPv6 Addressing Architecture, from https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/ipv6-addressing-architecture.

175. IPv6 Addressing Overview, from http://docs.oracle.com/cd/E23823_01/html/816-4554/ipv6-overview-10.html.

176. Kaushik Das, IPv6 Addressing, from http://ipv6.com/articles/general/IPv6-Addressing.htm.

177. IPv6 - Address Types & Formats, from http://www.tutorialspoint.com/ipv6/ipv6_address_types.htm.

178. IPv6 address format, from http://computernetworkingnotes.com/ipv6-features-concepts-and-configurations/ipv6-address-types-and-formats.html.

179. Carla Schroder (Sep 20, 2006), Understand IPv6 Addresses, from http://www.enterprisenetworkingplanet.com/netsp/article.php/3633211/Understand-IPv6-Addresses.htm.

180. IPv6 Addressing, from https://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8026003d.pdf.

181. Preparing an IPv6 Address Plan Manual, from http://www.ipv6forum.com/dl/presentations/IPv6-addressing-plan-howto.pdf.

182. Automatic Tunneling, from https://books.google.co.in/books?id=4LMIZi2ODFkC&pg=PA256&lpg=PA256&dq=IPv4+Compatible+IPv6+Address&source=bl&ots=3qlOwSgO6a&sig=7Mi6nhQLos2mlDuKWDiC4AA8axQ&hl=en&sa=X&ved=0ahUKEwiq4ofM9p7JAhUNGo4KHbOGDPl4ChDoAQhHMAk#v=onepage&q=IPv4%20Compatible%20IPv6%20Address&f=false.

183. IPv4/IPv6 Addresses, from https://books.google.co.in/books?id=Ts4SKa6qLLYC&pg=PA159&lpg=PA159&dq=IPv4+Compatible+IPv6+Address&source=bl&ots=zsLY9klGIA&sig=cdKclaunEnEjb6FipbMW7xOdsXM&hl=en&sa=X&ved=0ahUKEwiq4ofM9p7JAhUNGo4KHbOGDPl4ChDoAQhEMAg#v=onepage&q=IPv4%20Compatible%20IPv6%20Address&f=false.


184. IPv6 Tunneling part 2: IPv4-Compatible IPv6 Tunnels, from http://resources.intenseschool.com/ipv6-tunneling-ipv4-compatible-ipv6-tunnels/.

185. IPv4-Mapped IPv6 Addresses, from https://books.google.co.in/books?id=FbYjJjZNA5gC&pg=PA123&lpg=PA123&dq=IPv4+Compatible+IPv6+Address&source=bl&ots=51GkDJx_TJ&sig=qylzYAjtSwFTrzGJ391o7bpm5wl&hl=en&sa=X&ved=0ahUKEwiq4ofM9p7JAhUNGo4KHbOGDPl4ChDoAQg7MAY#v=onepage&q=IPv4%20Compatible%20IPv6%20Address&f=false.

186. IPv6 Automatic IPv4-Compatible Tunnels, from http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/15-sy/ir-15-sy-book/ip6-auto-comp-tun.pdf.

187. Using IPv4-Compatible Address Formats, from https://docs.oracle.com/cd/E19683-01/817-0573/transition-4/index.html.

188. IPv6/IPv4 Address Embedding, from http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm.

189. ISC DHCP Enterprise Grade Solution for Configuration Needs, from https://www.isc.org/downloads/dhcp/.

Module 02: Network Security Threats, Vulnerabilities, and Attacks

190. Tom Cross (Dec 11, 2012), 5 Key Computer Network Security Challenges For 2013, from http://www.forbes.com/sites/ciocentral/2012/12/11/5-key-computer-network-security-challenges-for-2013/.

191. Vulnerabilities, Threats and Attacks, from http://www.lovemytool.com/files/vulnerabilities-threats-and-attacks-chapter-one-7.pdf.

192. Calyptix (June 17, 2015), Top 7 Network Attack Types in 2015, from http://www.calyptix.com/top-threats/top-7-network-attack-types-in-2015-so-far/.

193. Global Application & Network Security Report 2014-2015, from http://bacher.at/assets/Produkt-Forum/2014-12-Radware-SecurityReport2014-15.pdf.

194. Threat, from https://www.techopedia.com/definition/25263/threat.

195. Rick Lutkus (May 29, 2015), Information Security Threat: Technological Exploits, from http://www.lawtechnologytoday.org/2015/05/information-security-threat-technological-exploits/.

196. Kunal Thakur, Vishal Shirguppi, Justin Francis, Sazia Ali, Packet Sniffing, from http://www.slideshare.net/superfun/packet-sniffers?qid=25ccf028-6c61-4cf2-89a0-e86bd6c8b021&v=qf1&b=&from_search=2.

197. Prabhakar Mateti, Port Scanning, from http://www.slideshare.net/amiable_indian/port-scanning?qid=32f4f55f-9818-4622-a2cd-a303d8a45943&v=qf1&b=&from_search=2.

198. CCNA Security: Common Network Attacks, from https://www.certificationkits.com/cisco-certification/ccna-security-certification-topics/ccna-security-describe-security-threats/ccna-security-common-network-attacks/.

199. Choosing an internal domain, from http://www.opendium.com/node/40.

200. CCNA Security: ACLs for Telnet, SNMP and DDOS Attacks, from https://www.certificationkits.com/cisco-certification/ccna-
security-certification-topics/ccna-security-cisco-routers-and-acls/ccna-security-acls-for-telnet-snmp-and-ddos-attacks/.

201. Angry IP scanner Introduction, from http://angryip.org/documentation/.

202. Review of Engineer's Toolset v10 from SolarWinds, from http://www.computerperformance.co.uk/HealthCheck/engineers_toolset.htm.

203. What is dnswatch.exe?, from http://www.freefixer.com/library/file/dnswatch.exe-107887/.

204. Joseph Caudle (12 February 2015), Top DNS Lookup Tools, from http://blog.dnsimple.com/2015/02/top-dns-lookup-tools/.

205. SpiderFoot, from http://www.spiderfoot.net/info/.

206. SpiderFoot - features, from https://whois.arin.net/ui.

207. Ethical Hacking and Countermeasures: Attack Phase, Booklhases, Book 1, from https://books.google.co.in/books?id=iC9TCwAAQBAJ&pg=PA28&lpg=PA28&dq=attack+system+using+network+range&source=bl&ots=ym748JDTp0&sig=QbSq6XmVEVKL9aq3fLMDwbB48Bc&hl=en&sa=X&ved=0ahUKEwiKzJq85LzKAhUNJl4KHalqCHYQ6AEIGzAA#v=onepage&q=attack%20system%20using%20network%20range&f=false.

208. traceroute, from http://whatis.techtarget.com/definition/traceroute.

209. (24 Jul 2016), CountryTraceRoute v1.27, from http://www.portablefreeware.com/?id=2344.


210. Create network diagrams and export them to Microsoft Visio, from http://www.solarwinds.com/network-topology-
mapper.aspx.

211. Eric Vanderburg, Ethical Hacking, from http://www.slideshare.net/evanderburg/ethical-hacking-chapter-6-port-scaning?qid=4a45c17f-2e2a-4f4f-bffb-86a39d6df5d8&v=qf1&b=&from_search=5.

212. Facts About Port Scanning, from http://whatismyipaddress.com/port-scan.

213. Port Scanning Techniques, from https://nmap.org/book/man-port-scanning-techniques.html.

214. The Hidden Threat: Misconfigured Access Points, from http://files.moonblink.com/solutionbrief-hidden-threat-of-misconfigured-aps.pdf.

215. Luiz Firmino (5th October 2011), Cyber Defense Misconfigured AP Attack, from http://luizfirmino.blogspot.in/2011/10/misconfigured-ap-attack.html.

216. Unauthorized Association Detected, from http://www.cisco.com/c/en/us/td/docs/wireless/mse/3350/52/wIPS/configuration/guide/msecg_wIPS/msecg_appA_wIPS.html#wp1166633.

217. Luiz Firmino (5th October 2011), Cyber Defense Unauthorized Association, from http://luizfirmino.blogspot.in/2011/10/unauthorized-association.html.

218. Windows 10 Help, from http://windows.microsoft.com/en-in/windows/set-computer-to-computer-adhoc-network#1TC=windows-7.

219. ad-hoc network, from http://searchmobilecomputing.techtarget.com/definition/ad-hoc-network.

220. Know the Risks of Ad Hoc Wireless LANs, from http://www.airdefense.net/eNewsletters/adhoc.shtm.

221. Darren Miller (24 Jan. 2013), The Dangers Of Ad-Hoc Wireless Networking, from http://www.windowsecurity.com/
whitepapers/Wireless_Security/Dangers-Ad-Hoc-Wireless-Networking.html.

222. How to Avoid Public WiFi Security Risks, from http://usa.kaspersky.com/internet-security-center/internet-safety/public-wifi-risks#.Vq8gXpp97cs.

223. Hot-Spotter Tool Detected (Potential Wireless Phishing), from http://www.cisco.com/c/en/us/td/docs/wireless/mse/3350/5-2/wIPS/configuration/guide/msecg_wIPS/msecg_appA_wIPS.html#wp1164345.

224. Types of Wireless Network Attacks: Jamming, from http://www.spamlaws.com/jamming-attacks.html.

225. Wireless jamming model, from https://www.nsnam.org/wiki/Wireless_jamming_model.

226. June 14, 2007, Wireless Security, from http://fci-h.blogspot.in/2007/06/wireless-security.html.

227. WarDriving, a definition, from http://www.wardriving.com/about.php.

228. Michael Kassner (March 9, 2008), How to prevent automatic association with ad hoc networks, from http://www.techrepublic.com/blog/mobile-enterprise/how-to-prevent-automatic-association-with-ad-hoc-networks/.

229. Wired Equivalent Privacy (WEP), from http://searchsecurity.techtarget.com/definition/Wired-Equivalent-Privacy.

230. Advanced IP Scanner 2.4.2601, from http://www.pcadvisor.co.uk/download/kids-education/advanced-ip-scanner-242601-3329806/.

231. Myles Gray (June 17, 2015), Scanning for network vulnerabilities using nmap, from http://www.mylesgray.com/security/scanning-for-network-vulnerabilities-using-nmap/.

233. Eddie Sutton, Footprinting: What is it and How Do You Erase The, from http://www.infosecwriters.com/text_resources/pdf/Footprinting.pdf.

234. Free online network tools, from http://centralops.net.

235. DNS, Network and IP Tools, from https://network-tools.webwiz.co.uk.

236. Lei Han (April 2006), A Threat Analysis of The Extensible Authentication Protocol, from http://people.scs.carleton.ca/~barbeau/Honours/Lei_Han.pdf.

237. RADIUS Vulnerabilities, from http://books.gigatux.nl/mirror/wireless/0321202171/ch13lev1sec4.html.

238. Chameleon WiFi Virus Spreads Like a Cold, from https://blog.malwarebytes.org/online-security/2014/03/chameleon-wifi-virus-spreads-like-a-cold/.


239. darkAudax (20 January 11, 2010), Tutorial: Simple WEP Crack, from http://www.aircrack-ng.org/doku.php?id=simple_wep_crack.

240. Cracking WPA2-PSK Passwords Using Aircrack-Ng, from http://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng-0148366/.

241. What are crackers and hackers?, from http://www.pctools.com/security-news/crackers-and-hackers/.

242. Phreak, from http://searchsecurity.techtarget.com/definition/phreak.

243. Angry IP Scanner, from http://angryip.org/.

244. Solarwinds, from http://www.solarwinds.com/application-server-management-software.aspx.

245. Advanced IP Scanner, from http://www.advanced-ip-scanner.com/.

246. Visual Ping Tester, from http://www.pingtester.net.

247. Ping Scanner Pro, from http://www.digilextechnologies.com.

248. Nmap, from https://nmap.org/download.html.

249. OpUtils, from https://www.manageengine.com/products/oputils/.

250. PingMonitor, from http://www.niliand.com/ping-monitor.php.

251. PingInfoView, from http://www.nirsoft.net/utils/multiple_ping_tool.html.

252. Pinkie, from http://www.ipuptime.net/pinkie/.

253. DIG, from http://www.kloth.net.

254. DNSWatch, from http://www.dnswatch.info.

255. myDNSTools, from http://www.mydnstools.info/.

256. DomainTools, from http://www.domaintools.com/#.

257. Professional Toolset, from http://www.dnsstuff.com/.

258. DNS Query Utility, from http://www.dnsqueries.com.

259. DNS Records, from http://network-tools.com.

260. DNS Lookup, from https://www.ultratools.com.

261. DNSDataView, from http://www.nirsoft.net/utils/dns_records_viewer.html.

262. Path Analyzer Pro, from https://www.pathanalyzer.com/download.opp.

263. Visual Route, from http://www.visualroute.com/.

264. Network Pinger, from http://www.networkpinger.com/.

265. Magic NetTrace, from http://www.tialsoft.com.

266. GEOSpider, from http://www.oreware.com.

267. 3D Traceroute (obsolete), from http://www.d3tr.de.

268. vTrace (obsolete), from http://vtrace.pl.

269. AnalogX HyperTrace, from http://www.analogx.com/contents/download/Network/htrace/Freeware.htm.

270. Trout, from http://www.mcafee.com/in/downloads/free-tools/trout.aspx#.

271. Network Systems Traceroute (obsolete), from http://www.net.princeton.edu.

272. Roadkil's Trace Route, from http://www.roadkil.net.

273. PingPlotter, from http://www.pingplotter.com.

274. NetScanTools Pro, from http://www.netscantools.com/nstpromain.html.

275. SuperScan, from http://www.mcafee.com/in/downloads/free-tools/superscan3.aspx.

276. Network Inventory Explorer, from http://www.10-strike.com.


277. PRTG Network Monitor, from http://www.paessler.com.

278. Global Network Inventory Scanner, from http://www.magnetosoft.com.

279. Net Tools, from http://mabsoft.com.

280. SoftPerfect Network Scanner, from https://www.softperfect.com/products/networkscanner/.

281. IP-Tools, from http://www.ks-soft.net/ip-tools.eng/index.htm.

282. Advanced Port Scanner, from http://www.advanced-port-scanner.com/.

283. Mega Ping, from http://www.magnetosoft.com/product/megaping/download.

284. CurrPorts, from http://www.nirsoft.net/utils/cports.html.

Module 03: Network Security Controls, Protocols, and Devices

285. Catherine Paquet (5-2-2013), Network Security Concepts and Policies, from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3.

286. Network Protocol Analyzers (image), from https://www.google.co.in/search?q=protocol+analyzer+in+network&biw=1366&bih=667&source=lnms&tbm=isch&sa=X&ved=0CAYQ_AUoAWoVChMl5uj7jlL2xwlVgkiOCh0qlA8Q#tbm=isch&q=protocol+analyzer+deployment+in+network&imgrc=uKRmsGmxsJ0GOM%3A.

287. Mark Ciampa, Integrated Network Security, from https://books.google.co.in/books?id=VWsJAAAAQBAJ&pg=PA224&lpg=PA224&dq=Integrated+Network+Security+Hardware&source=bl&ots=xU0PgM6dF&sig=fRSvp3TAv3QczJJolcM77KLITqQ&hl=en&sa=X&ved=0CB0Q6AEwAGoVChMlv7LE-pr2xwlVTBmOCh0lhAiC#v=onepage&q=Integrated%20Network%20Security%20Hardware&f=false.

288. Mark Ciampa, What is Access Control?, from https://books.google.co.in/books?id=ClHYWBrg9JQC&pg=PA334&lpg=PA334&dq=network+authentication+authorization+identification,access+control&source=bl&ots=fcJ_MQSFl_&sig=7UlqcZQwgA3o2N41Da0KM-drOCo&hl=en&sa=X&ved=0CDoQ6AEwBWoVChMlyJr276bnxwlVUE-OCh052gaj#v=onepage&q=network%20authentication%20authorization%20identification%2Caccess%20control&f=false.

289. Access Control Principles, from https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_Access_Control-Access_Control_Principles.html.

290. Ravi S. Sandhu and Pierangela Samarati (September 1994), Access Control: Principles and Practice, from http://www.profsandhu.com/journals/commun/i94ac(org).pdf.

291. Security Controls, from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Security_Guide/s1-sgs-ov-controls.html.

292. Access Control Categories, from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Categories.

293. Access Control Models, from https://en.wikipedia.org/wiki/Computer_access_control#Access_control_models.

294. 7-6-2016, Access Control Types, from https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Access_Control_Types.

295. Access Control List, from https://en.wikipedia.org/wiki/Access_control_list.

296. Access Control Lists, from https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx.

297. Margaret Rouse, Role-based Access Control, from http://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC.

298. Attribute based Access control, from https://en.wikipedia.org/wiki/Attribute-based_access_control.

299. 6-5-2015, Attribute based Access control (ABAC)- Overview, from http://csrc.nist.gov/projects/abac/.

300. Sybase Infocenter archive, from http://infocenter.sybase.com/archive/index.jsp?topic=/com.sybase.help.ase_15.0.sag1/html/sag1/sag1556.htm.

301. Definition of Policy based Access control, from http://hitachi-id.com/concepts/pbac.html.


302. Choosing a secure and memorable password, from https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password.

303. Memory card, from https://en.wikipedia.org/wiki/Memory_card.

304. Smart card, from https://en.wikipedia.org/wiki/Smart_card.

305. Biometrics, from https://en.wikipedia.org/wiki/Biometrics.

306. 12-2008, Implement access control systems successfully in your organization, from http://searchitchannel.techtarget.com/feature/The-importance-of-access-control.

307. 6-5-2015, Access control policy and implementation guides, from http://csrc.nist.gov/projects/ac-policy-igs/index.html.

308. Vincent C. Hu, David F. Ferraiolo, D. Rick Kuhn (September 2006), Assessment of access control systems, from http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf.

309. Margaret Rouse, Network Access Control (NAC), from http://searchnetworking.techtarget.com/definition/network-access-control.

310. Network Access Control, from https://en.wikipedia.org/wiki/Network_Access_Control#Controversy.

311. 2011, Network access control and network security standards, from http://www.ncsi.com/NSAtc11/presentations/tuesday/basics/serrao_hanna.pdf.

312. Andrew Plato, Implementing network access control products: how to prep your clients, from http://searchitchannel.techtarget.com/tip/Implementing-network-access-control-products-How-to-prep-your-clients.

313. Deb Shinder (28-8-2001), Understanding and selecting authentication methods, from http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/.

314. Margaret Rouse, Two-factor authentication (2FA), from http://searchsecurity.techtarget.com/definition/two-factor-authentication.

315. Multi-factor authentication, from https://en.wikipedia.org/wiki/Multi-factor_authentication.

316. Fingerprint recognition, from https://en.wikipedia.org/wiki/Fingerprint_recognition.

317. Retinal Scan, from https://en.wikipedia.org/wiki/Retinal_scan.

318. Iris Recognition, from https://en.wikipedia.org/wiki/Iris_recognition.

319. Vein Recognition, from http://findbiometrics.com/solutions/veinrecognition/.

320. Facial recognition system, from https://en.wikipedia.org/wiki/Facial_recognition_system.

321. Margaret Rouse, Voice recognition (speech recognition), from http://searchcrm.techtarget.com/definition/voice-recognition.

322. Deb Shinder (28-8-2001), Understanding and selecting authentication methods, from http://www.techrepublic.com/article/understanding-and-selecting-authentication-methods/.

323. Joseph Migga Kizza, Mandatory access control, from https://books.google.co.in/books?id=d2CYBgAAQBAJ&pg=PA199&lpg=PA199&dq=centralized+authorization&source=bl&ots=xOR_lzZaBh&sig=uGAw_WpDELsvHSflPLbFZ8-avvQ&hl=en&sa=X&ved=0ahUKEwjqh5jGzbzKAhUSl44KHYDrAc04ChDoAQgnMAl#v=onepage&q=centralized%20authorization&f=false.

324. Hash Function, from https://en.wikipedia.org/wiki/Hash_function.

325. Margaret Rouse, Hashing, from http://searchsqlserver.techtarget.com/definition/hashing.

326. Robert Uzgalis (1995), Advantages of Hash search, from http://www.serve.net/buz/Notes.1st.year/HTML/C6/rand.016.html.

327. Hashing, from http://www.webopedia.com/TERM/H/hashing.html.

328. Margaret Rouse, Digital Signature, from http://searchsecurity.techtarget.com/definition/digital-signature.

329. 9-1-2014, Non-repudiation and Digital signature, from http://resources.infosecinstitute.com/non-repudiation-digital-signature/.

330. Vangie Beal, Digital Certificate, from http://www.webopedia.com/TERM/D/digital_certificate.html.

References Page 1217 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

331. Margaret Rouse, Digital Certificate, from http://searchsecurity.techtarget.com/definition/digital-certificate.

332. Digital Certificates, from https://technet.microsoft.com/en-us/library/cc962029.aspx.

333. PKI Components, from http://www.idcontrol.com/pki-usb-token/pki-components.

334. Network Security Policy, from https://en.wikipedia.org/wiki/Network_security_policy.

335. Proxy Server, from https://en.wikipedia.org/wiki/Proxy_server.

336. Proxy server, from http://whatis.techtarget.com/definition/proxy-server.

337. Jason Spidle, Advantages of using Proxy server, from http://science.opposingviews.com/advantages-using-proxy-server-4226.html.

338. Advantages of using Proxy server from https://www.locaproxy.com/advantages_of_using_a_proxy_server.php.

339. Proxy switcher, from http://proxyswitcher.net/.

340. Tor (anonymity network), from https://en.wikipedia.org/wiki/Tor_(anonymity_network).

341. Alan Henry (22-7-2011), Cyberghost VPN is a free anonymous VPN, from http://lifehacker.com/5823586/cyberghost-vpn-is-a-free-anonymous-vpn-that-protects-your-surfing-from-prying-eyes.

342. Honeypot, from https://www.techopedia.com/definition/10278/honeypot.

343. 2-2008, Honeypot security, from http://www.infosec.gov.hk/english/technical/files/honeypots.pdf.

344. Margaret Rouse, Honeypot, from http://searchsecurity.techtarget.com/definition/honey-pot.

345. Honeypot (computing), from https://en.wikipedia.org/wiki/Honeypot_(computing).

346. http://www.thestudymaterial.com/presentation-seminar/electronics-presentation/256-honeypots.html?start=6.

347. Ryan Mohammed (21-3-2001), Software engineering, from http://imps.mcmaster.ca/courses/SE-4C03-01/papers/Mohammed-honeypots.html.

348. Intrusion detection systems, from https://en.wikipedia.org/wiki/Intrusion_detection_system.

349. Margaret Rouse, Intrusion detection, from http://searchmidmarketsecurity.techtarget.com/definition/intrusion-detection.

350. Margaret Rouse, Intrusion prevention, from http://searchsecurity.techtarget.com/definition/intrusion-prevention.

351. Intrusion detection system, from https://en.wikipedia.org/wiki/Intrusion_prevention_system.

352. Packet analyzer, from https://en.wikipedia.org/wiki/Packet_analyzer.

353. Margaret Rouse, Network analyzer, from http://searchnetworking.techtarget.com/definition/network-analyzer.

354. Roger Grimes (28-6-2004), Network protocol analyzers, from http://windowsitpro.com/hardware/6-network-protocol-analyzers.

355. Raksha, Sahana, Sai Janaki, Shruti (7-11-2009), Network protocol analyzers, from http://www.slideshare.net/sourav894/network-protocol-analyzer.

356. Wireshark training, from https://www.wireshark.org/docs/.

357. Margaret Rouse, Content filtering (Information filtering), from http://searchsecurity.techtarget.com/definition/content-filtering.

358. Benefits of having a content filtering policy, from http://www.simplewallsoftware.com/tips/benefits-of-having-a-content-filtering-policy.

359. Sandra4211 (4-5-2010), Security guide to network security fundamentals, from http://www.slideshare.net/Sandra4211/security-guide-to-network-security-fundamentals-third-edition.

360. Margaret Rouse, Pretty good privacy (PGP), from http://searchsecurity.techtarget.com/definition/Pretty-Good-Privacy.

361. How PGP works, from http://www.pgpi.org/doc/pgpintro/.

362. Pretty good privacy, from https://en.wikipedia.org/wiki/Pretty_Good_Privacy.

363. S/MIME, from https://en.wikipedia.org/wiki/S/MIME.

364. S/MIME, from http://whatis.techtarget.com/definition/S-MIME-Secure-Multi-Purpose-Internet-Mail-Extensions.

365. De Clerq, Secure mail using SMIME, from http://flylib.com/books/en/2.244.1.106/1/.

366. Competing technologies, from http://ntrg.cs.tcd.ie/mepeirce/Dce/99/ssl/other.htm.

367. Margaret Rouse, S-HTTP, from http://searchsoftwarequality.techtarget.com/definition/S-HTTP.

368. Secure Hypertext transfer protocol, from https://en.wikipedia.org/wiki/Secure_Hypertext_Transfer_Protocol.

369. HTTPS, from https://en.wikipedia.org/wiki/HTTPS.

370. Srikanth Ramesh, what is Secure Socket layer (SSL), and how it works, from http://www.gohacking.com/secure-sockets-
layer-ssl/.

371. Secure Electronic transaction, from https://en.wikipedia.org/wiki/Secure_Electronic_Transaction.

372. Margaret Rouse, Secure electronic transaction (SET), from http://searchfinancialsecurity.techtarget.com/definition/Secure-Electronic-Transaction.

373. What is SET?, from http://teaching.shu.ac.uk/aces/ict/de/what_is_set.htm.

374. What is SSL?, from http://info.ssl.com/article.aspx?id=10241.

375. What is SSL and what are SSL certificates, from https://www.digicert.com/ssl.htm.

376. Margaret Rouse, Secure Socket layer, from http://searchsecurity.techtarget.com/definition/Secure-Sockets-Layer-SSL.

377. How does SSL work, from https://www.entrust.com/ssl/.

378. Transport layer security, from http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/Part+II+The+Design+of+Wi-Fi+Security/Chapter+9.+Upper-Layer+Authentication/Transport+Layer+Security+TLS/.

379. Margaret Rouse, Transport layer security (TLS), from http://searchsecurity.techtarget.com/definition/Transport-Layer-Security-TLS.

380. Transport layer security, from https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record.

381. Paul Szymanski (22-6-2007), What is Transport layer security, from http://www.networkworld.com/article/2303073/lan-wan/what-is-transport-layer-security-protocol-.html.

382. IPsec, from https://en.wikipedia.org/wiki/IPsec#Modes_of_operation.

383. Margaret Rouse, IPsec, from http://searchmidmarketsecurity.techtarget.com/definition/IPsec.

384. Barracuda NextGen Firewall F, from https://techlib.barracuda.com/display/bngv52/how+to+create+an+ipsec+vpn+tunnel+between+the+barracuda+ng+firewall+and+a+pfsense+firewall.

385. Point-to-point protocol, from https://en.wikipedia.org/wiki/Point-to-Point_Protocol.

386. Point-to-point protocol, from https://utem-wan.wikispaces.com/Point-to-Point+Protocol+(PPP).

387. Margaret Rouse, PPP (Point-to-point protocol), from http://searchnetworking.techtarget.com/definition/PPP.

388. Network hardware tools, from www.flukenetworks.com.

389. Threat Track, from www.sunbelt-software.com.

390. WebTitan, from http://www.webtitan.com/.

391. Cyberoam, from http://www.cyberoam.com/webfiltering.html.

392. Barracuda Web Security Gateway, from https://www.barracuda.com/products/webfilter.

393. Two factor authentication tools, from http://precisebiometrics.com/two-factor-authentication/.

394. Proxy switcher, from https://www.proxyswitcher.com/.

395. Proxy workbench, from http://proxyworkbench.com/.

396. Cyberghost, from http://www.cyberghostvpn.com/en_gb/advantages.

397. Cyberghost VPN, from http://www.cyberghostvpn.com/en_gb?utm_expid=85864364-20.eNBY82NRQSTe-9mpnQtJw.O&utm_referrer=https%3A%2F%2Fwww.google.co.in%2F.

398. Ufasoft tools, from http://ufasoft.com/.

399. Sockschain 4.221, from http://ufasoft.com/socks/.

400. Portswigger web security, from https://portswigger.net/.

401. Proxifier, from https://www.proxifier.com/.

402. Charles, from http://www.charlesproxy.com/.

403. Fiddler, from http://www.telerik.com/fiddler.

404. Proxy, from http://www.analogx.com/contents/download/Network/proxy/Freeware.htm.

405. Protoport proxy chain, from http://www.protoport.com/index.proxy.

406. Proxycap, from http://www.proxycap.com/.

407. Youngzsoft, from http://www.youngzsoft.net/.

408. Desaster/kippo, from https://github.com/desaster/kippo.

409. Glastopf, from http://glastopf.org/.

410. Thug, from http://buffer.github.io/thug/.

411. Argos, from http://www.few.vu.nl/argos/.

412. Hihat, from http://hihat.sourceforge.net/.

413. Honeybot, from http://www.atomicsoftwaresolutions.com/.

414. Honeyd, from http://www.citi.umich.edu/u/provos/honeyd/.

415. Honeyperl, from http://sourceforge.net/projects/honeyperl/.

416. UK Honeynet project tools, from http://www.ukhoneynet.org/tools/.

417. Softperfect network protocol analyzer, from https://www.softperfect.com/products/networksniffer/.

418. Gigamon, from http://www.nextgigsystems.com/aggregation_switches/gigamon.html.

419. Commview, from http://www.tamos.com/products/commview/.

420. Etherdetect packet sniffer, from http://www.etherdetect.com/.

421. Etherscan analyzer, from http://etherscan-analyzer.en.softonic.com/.

422. Viavi products, from http://www.viavisolutions.com/en-us/all-products/o.

423. Justniffer, from http://justniffer.sourceforge.net.

424. Microsoft network monitor, from https://www.microsoft.com/en-in/download/details.aspx?id=4865.

425. Optiview, from http://www.flukenetworks.com/enterprise-network/network-monitoring/optiview-xg-network-analysis-tablet.

426. Content control software, from https://en.wikipedia.org/wiki/Content-control_software.

427. Netsentron, from http://www.netsentron.com.

428. Netnanny, from https://www.netnanny.com/products/netnanny.

429. Symantec web gateway, from http://www.symantec.com/web-gateway.

430. Dansguardian, from http://dansguardian.org/?page=download.

431. OpenDNS, from https://www.opendns.com.

432. Cyberoam Web filtering (site not working), from http://www.cyberoam.com/webfiltering.html.

433. iboss cyber security, from http://www.iboss.com.

434. Web filter lite, from https://www.untangle.com/shop/web-filter-lite.

435. Safesquid, from https://www.safesquid.com.

436. Handy Filter, from http://www.handyfilter.com.

437. Qustodio internet filter, from https://www.qustodio.com/en/internet_filter_software.

Module 04: Network Security Policy Design and Implementation

438. Andy Scott, How to create a good information security policy, from http://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy.

439. Security Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=3&cad=rja&uact=8&ved=0ahUKEwj5ou7gj_HJAhUTBo4KHfgiDKYQFggyMAl&url=http%3A%2F%2Fwww.sis.pitt.edu%2Fjjoshi%2FIS2820%2FSpring06%2Fchapter04.doc&usg=AFQjCNF1nWlp6vfAjT3EB49AOqD5AMxYxQ&bvm=bv.110151844,d.c2E.

440. Types of Security Policies, from http://www.helpwithassignment.com/blog/it_security_assignment_help/.

441. Scott Hebert, Security policies, from http://slaptijack.com/information-systems/security-policies/.

442. Dec 02, 2004, Understanding physical security: definition, forms, and importance, from http://resources.infosecinstitute.com/physical-security-policy-can-save-company-thousands-dollars/.

443. Password Policy, from http://www.comptechdoc.org/independent/security/policies/password-policy.html.

444. Configuring Password Policies, from https://technet.microsoft.com/en-us/library/dd277399.aspx.

445. Jethro Perkins (16th October 2015), Policy IT User Accounts, from http://www.lse.ac.uk/intranet/LSEServices/policies/pdfs/school/useAccPol.pdf.

446. IS&T Policies: User Accounts Policy, from https://ist.mit.edu/about/policies/useraccounts.

447. POLICY ON USER ACCOUNTS, from http://www.xavier.edu/policy/documents/User-Account-Policy.pdf.

448. Joshua Cormas, Network Security Policy in the Workplace, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=9&cad=rja&uact=8&ved=0ahUKEwiL8ZW4zu7JAhWRW44KHeUiADIQFghTMAg&url=https%3A%2F%2Fwww.iup.edu%2FWorkArea%2FDownloadAsset.aspx%3Fid%3D195254&usg=AFQjCNEgz0pzRknH9ddG6UysNH131p7k2g&bvm=bv.110151844,d.c2E.

449. March 2007, Network and Server Security Management Policy, from http://www.ryerson.ca/policies/administration/networksecuritypolicy.html.

450. Mike Chapple, Wireless networking security policy, from http://searchsecurity.techtarget.com/tip/Wireless-networking-security-policy.

451. Incident Response Plan, from http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html.

452. Incident response plan (IRP), from http://searchsecurity.techtarget.com/definition/incident-response-plan-IRP.

453. Vangie Beal, Router, from http://www.webopedia.com/TERM/R/router.html.

454. Router Security Policy, from http://www.murchison.net/techno/router-secpol.html.

455. Switch, from http://searchtelecom.techtarget.com/definition/switch.

456. Switch security tips, from http://searchsecurity.techtarget.com/tip/Week-47-Switch-security-tips.

457. ISO/IEC 27033:2010+ Information technology - Security techniques - Network security, from http://www.iso27001security.com/html/27033.html.

458. Information technology - Security techniques - Network security, from https://webstore.iec.ch/preview/info_isoiec27033-1%7Bed2.0%7Den.pdf.

459. The IT Security Policy Guide, from http://www.instantsecuritypolicy.com/Introduction_To_Security_policies.pdf.

460. Network security policy, from http://en.wikipedia.org/wiki/Network_security_policy.

461. Catherine Paquet (Feb 5, 2013), Network Security Concepts and Policies, from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3.

462. security policy, from http://searchsecurity.techtarget.com/definition/security-policy.

463. Ladan Kianmehr, Deborah Becker, Ali Kamali, Saint Joseph, The importance of written security policy for any network connection, from http://proc.isecon.org/2011/pdf/1774.pdf.

464. Catherine Paquet (Feb 5, 2013), Network Security Concepts and Policies, from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3.

465. Courtney Hamby (Sep 11, 2013), Advantages Of Network Security, from http://info.avalanwireless.com/blog/bid/334529/Advantages-Of-Network-Security.

466. Rob McMillan (14 April 2014), Information Security Program Management Key Initiative Overview, from https://www.gartner.com/doc/2708617/information-security-program-management-key.

467. Information Security Program Management Standard (September 2013), from http://www.cio.ca.gov/Government/IT_Policy/SIMM5305_A.PDF.

468. Oct 20, 2012, Information Security Management System ISO/IEC 27001:2005 Introduction and Requirements, from http://www.slideshare.net/ControlCase/isms-presentation-oct-20-2012?qid=b5f12936-0a7d-4dad-9e6e-2b68c654397b&v=&b=&from_search=9.

469. ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems, from http://www.iso27001security.com/html/27001.html.

470. Global Information Assurance Certification Paper, from http://www.giac.org/paper/gsec/1811/develop-good-security-policies-tips-assessment-enforcement/102142.

471. Dancho Danchev, Building and Implementing a Successful Information Security Policy, from http://www.windowsecurity.com/pages/security-policy.pdf.

472. end user policy, from http://searchmobilecomputing.techtarget.com/definition/end-user-policy.

473. USER POLICY, from https://www-als.lbl.gov/index.php/user-information/user-policy.html.

474. User account policy, from https://en.wikipedia.org/wiki/User_account_policy.

475. Information Technology (IT) Policy Making, from http://www.catea.gatech.edu/training/ela/policy/index1.php.

476. IT Policies Every Small Business Should Have, from http://www.corpcomputerservices.com/articles/it-policies-small-business.

477. Muhanned Wajahat Rajab (Jun 30, 2013), Physical Security, from http://www.slideshare.net/wajraj/physical-security-presentation-23717721?qid=f4e0b456-8a74-42a7-9543-d03f369c2a72&v=&b=&from_search=2.

478. 30 July 2013, Types of Security Policies in IT, from http://itil-v3-exam-question-papers.blogspot.in/2013/07/types-of-security-policies-in-it.html.

479. Dr. Aman Jantan (2012), Information Security and Assurance, from http://www.scribd.com/doc/96301211/Eisp-Issp-SysSp#scribd.

480. Bradley Mitchell, Acceptable Use Policy - AUP, from http://compnetworking.about.com/od/filetransferprotocol/a/aup_use_policy.htm.

481. Acceptable use policy, from http://en.wikipedia.org/wiki/Acceptable_use_policy.

482. Leminhvuong (Oct 13, 2009), Physical Security, from http://www.slideshare.net/leminhvuong/module-10-physical-security?qid=f4e0b456-8a74-42a7-9543-d03f369c2a72&v=&b=&from_search=6.

483. physical security, from http://searchsecurity.techtarget.com/definition/physical-security.

484. Computer security, from https://en.wikipedia.org/wiki/Computer_security.

485. What is Data Validation?, from http://www.wisegeek.com/what-is-data-validation.htm.

486. Session (computer science), from https://en.wikipedia.org/wiki/Session_(computer_science).

487. https://en.wikipedia.org/wiki/Session_(computer_science).

488. Password Policy Guidelines, from http://hitachi-id.com/password-manager/docs/password-policy-guidelines.html.

489. Sarah Granger (05 Jul 2011), The Simplest Security: A Guide To Better Password Practices, from http://www.symantec.com/connect/articles/simplest-security-guide-better-password-practices.

490. April 23, 2009, New Guidelines For Organization-wide Password Management, from http://www.sciencedaily.com/releases/2009/04/090423105900.htm.

491. Jethro Perkins (16th October 2015), Policy IT User Accounts, from https://hipaa.wisc.edu/docs/accountCreation.pdf.

492. Mark Ciampa (Jan 29, 2010), Security+ Guide to Network Security Fundamentals, 3rd Edition, from http://www.slideshare.net/itsec/ch08-authentication?qid=30418012-1e73-4fe0-a249-8b397fb3b055&v=&b=&from_search=13.

493. Kristine Buyers (May 8, 2015), Backup and Recovery Tip: Determine Backup Policies and Procedures, from http://go.dewpoint.com/onpoint/determining-backup-policies-and-procedures-for-backup-and-recovery.

494. Data Security, from https://itservices.uchicago.edu/page/data-security.

495. The Unicode Consortium Policy on Handling of Confidential Data, from http://unicode.org/policies/confidential_data_policy.html.

496. Information Security and Compliance at Michigan Tech, from http://security.mtu.edu.

497. Email Security Policies, from http://ptgmedia.pearsoncmg.com/images/157870264X/samplechapter/157870264X.pdf.

498. What should be in a corporate email security policy?, from https://www.theemaillaundry.com/email-security-policy/.

499. Sample internet usage policy, from http://www.gfi.com/pages/sample-internet-usage-policy.

500. April 15, 2001, Employee Internet Usage Policy, from http://www.workforce.com/articles/employee-internet-usage-policy.

501. Server Documentation Policy, from http://www.comptechdoc.org/independent/security/policies/server-documentation-policy.html.

502. Remote Access Policy, from http://doit.maryland.gov/support/documents/security_guidelines/remote_access_policy.pdf.

503. Remote Access Policy, from http://nics.appstate.edu/standards/remote-access-policy.

504. January 21, 2005, Remote Access Policies Examples, from http://technet.microsoft.com/en-in/library/cc776865(v=ws.10).aspx.

505. Wireless Use Policy, from http://www.comptechdoc.org/independent/security/policies/wireless-policy.html.

506. incident response plan, from http://www.comptechdoc.org/independent/security/policies/incident-response-plan.html.

507. Incident response plan (IRP), from http://searchsecurity.techtarget.com/definition/incident-response-plan-IRP.

508. KELLI K. TARALA, Encryption Policy, from http://www.auditscripts.com/samples/encryption-policy.pdf.

509. Fundamentals of Information Systems Security/Access Control Systems, from http://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems.

510. Vincent C. Hu, David F. Ferraiolo, D. Rick Kuhn, Assessment of Access Control Systems, from http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf.

511. Controlling Access to a Computer System, from http://docs.oracle.com/cd/E23824_01/html/821-1456/concept-28.html.

512. Access control and authentication isn't as simple as setting up user IDs and passwords, from http://searchsecurity.techtarget.com/magazineContent/Interview-CISO-explains-enterprises-access-control-policies.

513. Trunk Port, from https://www.techopedia.com/definition/27008/trunk-port.

514. Authentication, authorization, and accounting (AAA), from http://searchsecurity.techtarget.com/definition/authentication-authorization-and-accounting.

515. Ganesh Dutt Sharma (June 26, 2010), Firewall Security Policy, from http://securityworld.worldiswelcome.com/firewall-security-policy.

516. Do you need an IDS or IPS, or both?, from http://searchsecurity.techtarget.com/Do-you-need-an-IDS-or-IPS-or-both.

517. Virtual Private Network (VPN) Policy, from www.cpcstech.com/pdf/virtual_private_network.pdf.

518. Virtual Private Network (VPN) Policy, from http://www.iit.edu/ots/virtual_private_network_vpn_policy.shtml.

519. VPN Access & Usage Policy, from http://its.truman.edu/documentation/index.asp?docId=172.

520. Virtual Private Network (VPN) Policy, from http://www.colby.edu/administration_cs/its/policies/its-vpn-policy.cfm.

521. Ivy Wigmore (October 2012), BYOD (bring your own device), from http://whatis.techtarget.com/definition/BYOD-bring-your-own-device.

522. Tony Bradley (Dec 20, 2011), Pros and Cons of Bringing Your Own Device to Work, from http://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html.

523. Nov 25, 2002, DMZ Policy and Guidelines, from http://www.nesnip.org/pdf/dmz.pdf.

524. DMZ Guidelines, from https://informationsecurity.wustl.edu/information-technology-professionals/policies/dmz-guidelines/.

525. Jonathan Gana Kolo, Umar Suleiman Dauda, Network Security: Policies and Guidelines for Effective Network Management, from http://ljs.academicdirect.org/A13/007_021.htm.

526. Catherine Paquet (Feb 5, 2013), Network Security Concepts and Policies, from http://www.ciscopress.com/articles/article.asp?p=1998559&seqNum=3.

527. Role-based Training, from http://www.nativeintelligence.com/ni-role/.

528. Role-based Security Awareness Training, from http://www.globallearningsystems.com/products/individual/role-based-training/.

529. Your guide to the Payment Card Industry Data Security Standard (PCI DSS), from http://www.westpac.com.au/docs/pdf/bb/Guide_to_payment_card_indus1.pdf.

530. content filtering (information filtering), from http://searchsecurity.techtarget.com/definition/content-filtering.

531. Electronic Communications Privacy Act (ECPA), from http://epic.org/privacy/ecpa/.

532. Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22, from https://it.ojp.gov/default.aspx?area=privacy&page=1285.

533. The Foreign Intelligence Surveillance Act of 1978 (FISA), from https://it.ojp.gov/default.aspx?area=privacy&page=1286.

534. FISA 101: Why FISA Modernization Amendments Must Be Made Permanent, from http://www.justice.gov/archive/ll/.

535. S. 1927 (110th): Protect America Act of 2007, from https://www.govtrack.us/congress/bills/110/s1927/text.

536. Fact Sheet: The Protect America Act of 2007, from http://georgewbush-whitehouse.archives.gov/news/releases/2007/08/20070806-5.html.

537. Protect America Act of 2007, from http://sourcewatch.org/index.php?title=Protect_America_Act_of_2007.

538. Search & Seizure Law, from http://public.getlegal.com/legal-info-center/search-seizure-law/.

539. Understanding Search-and-Seizure Law, from http://www.nolo.com/legal-encyclopedia/search-seizure-criminal-law-30183.html.

540. Rule 41. Search and Seizure, from http://www.law.cornell.edu/rules/frcrmp/rule_41.

541. Search and Seizure and the Fourth Amendment, from http://criminal.findlaw.com/criminal-rights/search-and-seizure-and-the-fourth-amendment.html.

542. What is the Privacy and Civil Liberties Oversight Board?, from http://www.pclob.gov/.

543. Privacy and Civil Liberties Oversight Board, from https://www.federalregister.gov/agencies/privacy-and-civil-liberties-oversight-board.

544. Router Policy, from http://www.murchison.net/techno/router-secpol.html.

545. Internet Usage Policy, from https://www.nibusinessinfo.co.uk/content/sample-acceptable-internet-use-policy.

546. Acceptable-Use Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=5&ved=0ahUKEwi_-tGjqLHMAhUGkpQKHSbVCTYQFggzMAQ&url=https%3A%2F%2Fwww.sophos.com%2Fen-us%2Fmedialibrary%2FPDFs%2Fother%2FsophosexampleITacceptableusepolicy.ashx&usg=AFQjCNHZ3XE4z86-FpLicbleljhk8Bkltg&bvm=bv.120853415,d.dGo&cad=rja.

547. User-Account Policy, from https://technology.cca.edu/policies/user-account-policy.

548. Information Security Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0ahUKEwjU9sG2zLrMAhVBHaYKHSnMBgQQFghJMAM&url=https%3A%2F%2Fwww.igt.hscic.gov.uk%2FKnowledgeBaseNew%2FNHS%2520CFH_Corporate%2520InfoSec%2520Policy%2520Template%25202007.doc&usg=AFQjCNE6Auqc333eqVbpz9cuU0n8HAnyMA&bvm=bv.121070826,d.dGY&cad=rja.

549. Firewall-Management Policy, from https://www.royalholloway.ac.uk/it/tos/policies/firewallpolicy.pdf.

550. Special-Access Policy, from http://www.utmb.edu/lnfoSec/Policies/ps/PS123_SpecialAccess.pdf.

551. Network-Connection Policy, from http://www.salford.ac.uk/_data/assets/pdf_file/0005/516542/Network-Security-and-Connection-Policy.pdf.

552. Business-Partner Policy, from http://www.transfieldservices.com/pdf/Business_Partners_Policy_TMC-0000-LE-0013.pdf.

553. Email Security Policy, from http://www.itdonut.co.uk/it/staff-and-it-training/your-it-policies/sample-email-use-policy.

554. Passwords Policy, from http://www.cpcstech.com/pdf/password_policy.pdf.

555. Physical Security Policy, from http://modgov.sefton.gov.uk/moderngov/Data/Cabinet%20Member%20-%20Corporate%20Services%20(meeting)/20080305/Agenda/Item%2004A.pdf.

556. Server Security Policy, from http://www.cpcstech.com/pdf/server_security_policy.pdf.

557. Information Protection Policy, from http://csirt.org/sample_policies/index.html.

558. Remote Access Policy, from http://csirt.org/sample_policies/index.html.

559. Bring Your Own Device (BYOD) Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&cad=rja&uact=8&ved=0ahUKEwj4jsbPiLvMAhVEJaYKHek2AjlQFghYMAY&url=https%3A%2F%2Fwww.citrix.com%2Fcontent%2Fdam%2Fcitrix%2Fen_us%2Fdocuments%2Fproducts-solutions%2Fdeveloping-your-byod-policy.docx&usg=AFQjCNHfZr1Kk8qymdPyluwibL6IKYyoRA&bvm=bv.121070826,d.dGY.

560. Software/Application Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0ahUKEwiJp-qzjLvMAhUGF6YKHXJUBq4QFggvMAM&url=http%3A%2F%2Fg3ctoolkit.net.s3-website-us-west-2.amazonaws.com%2Fia%2FSecPol%2FwmspDownloads%2FSoftware_Policy.doc&usg=AFQjCNFXg3-uGadtd5Lpiq_WRxWcdlplNQ&bvm=bv.121070826,d.dGY&cad=rja.

561. Data Backup Policy, from https://www.royalholloway.ac.uk/it/tos/policies/backuppolicy.pdf.

562. Confidential Data Policy, from https://computing.wayne.edu/docs/u.p.2007-02-confidential-info.pdf.

563. Data Classification Policy, from http://www.awphd.org/presentations/HIPAAproject/reference/DataClassification.pdf.

564. Wireless Network Policy, from http://its.fsu.edu/About-Us/IT-Policies-Guidelines/Wireless-Communications-Policy.

565. User-Access Control Policy, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwjXkoqqrrvMAhWi5KYKHY7ZCTsQFggiMAE&url=http%3A%2F%2Fg3ctoolkit.net.s3-website-us-west-2.amazonaws.com%2Fia%2FSecPol%2FwmspDownloads%2FIT_Access_Policy.doc&usg=AFQjCNGJH2eJKwLuXomf9LhBFEYtlNWzRw&bvm=bv.121070826,d.dGY.

566. Switch Security Policy, from https://www.cs.stonybrook.edu/sites/default/files/wwwfiles/drupalfiles/basicpage/Router_Security_Policy.pdf.

567. Intrusion Detection and Prevention Policy, from http://dii.vermont.gov/sites/dii/files/pdfs/Intrusion-Detection-and-Prevention-Policy.pdf.

568. Personal Device Usage Policy, from http://content.maas360.com/www/images/silverStripe/breakingblackberry/wp_maas360_breaking_blackberry_PersonalDeviceUsage.pdf.

569. Encryption Policy, from http://www.buryccg.nhs.uk/Library/Your_local_nhs/CCGPlanspoliciesandreports/Encryption%20policy%20CCG%201%203%2014.pdf.

Module 05: Physical Security

570. IT Security, from http://www.polyu.edu.hk/~ags/itsnews0511/security.html.

571. Tom Eston (Dec 1, 2008), Physical Security Assessments, from http://www.slideshare.net/agent0x0/physical-security-assessments-presentation.

572. Selvadurai Jeyarajah, Computer Security, from http://www.doc.ic.ac.uk/~nd/surprise_95/journal/vol2/sj1/article2.html.

573. PHYSICAL SECURITY TECHNOLOGY, from http://www.perpetuitytraining.com/physicalsecurity.html.

574. Michael Betancourt, Security Challenges for the New Paradigm, from https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwiRoOzfs87KAhWHt44KHX41DyEQFggbMAA&url=http%3A%2F%2Fwww.eecs.ucf.edu%2F~turgut%2FCOURSES%2FEEL6788_AWN_Spr11%2FLectures%2FSecurityChallenges.ppt&usg=AFQjCNEkelSU19Pry3weQl27MtQT1N3V0A&bvm=bv.113034660,d.c2E&cad=rja.

575. anoir2014 (Apr 8, 2014), Understanding Security Layers, from http://www.slideshare.net/anoir2014/98-367-lesson-1-slides.

576. Lisa Phifer, Removable storage device endpoint security and control, from http://searchsecurity.techtarget.com/magazineContent/Removable-storage-device-endpoint-security-and-control.

References Page 1225 Certified Network Defender Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

577. Alan Calder, Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, from https://books.google.co.in/books?id=OctwCgAAQBAJ&pg=PA194; Peter H. Gregory, IT Disaster Recovery Planning For Dummies, from https://books.google.co.in/books?id=YC49DXW-_60C&pg=PA137.

578. Dhani Ahmad (Mar 17, 2015), Physical security, from http://www.slideshare.net/emolagi/physical-security-45924353.

579. Tom Rubenoff (March 1, 2014), from http://hubpages.com/technology/How-to-Create-a-Basic-Mantrap-System.

580. HD X-Ray Inspection Systems, from http://www.us.anritsu-industry.com/x-ray-inspection.aspx.

581. Material Measurement Laboratory, from http://www.nist.gov/mml/mmsd/security_technologies/diet-conceal.cfm.

582. Access Control: Models and Methods (NOVEMBER 28, 2012), from http://resources.infosecinstitute.com/access-control-
models-and-methods/.

583. Access Control Methodologies (10/12/04), from http://www.jblearning.com/samples/076372677X/chapple02.pdf.

584. Microsoft Tech Net (March 28, 2003), Authorization and Access Control Technologies, https://technet.microsoft.com/en-
us/library/cc782880(v=ws.10).aspx.

585. https://technet.microsoft.com/en-us/library/cc782880(v=ws.10).aspx.

586. Jeff A Sandine (January 20, 2009), What is the Difference Between Tailgating and Piggybacking Through an Access
Controlled Secure Door?, from http://ezinearticles.com/?What-is-the-Difference-Between-Tailgating-and-Piggybacking-
Through-an-Access-Controlled-Secure-Door?&id=1902821.

587. Mohd Hamizi (May 21, 2015), ensuring physical and data security, http://www.slideshare.net/pdawackomct/3-ensuring-
physical-and-data-security.

588. Deb Shinder (July 16, 2007), 10 physical security measures every organization should take, from
http://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/.

589. Hudson K., Ruth A., Microsoft Corporation, Securing Network Cabling, from http://flylib.com/books/en/2.902.1.22/1/.

590. Mani Rathnam (Feb 1, 2015), Hardware Security, from http://www.slideshare.net/manirathnam39/hardware-security.

591. Securing Network Devices, from http://etutorials.org/Networking/Cisco+Certified+Security+Professional+Certification/Part+I+Introduction+to+Network+Security/Chapter+2+Securing+the+Network/Securing+Network+Devices/.

592. Cisco CCNA Introduction to Security, from https://www.certificationkits.com/cisco-certification/cisco-ccna-640-802-exam-certification-guide/cisco-ccna-introduction-to-security/.

593. Irsandi Hasan (Sep 24, 2014), Network Fundamentals, from http://www.slideshare.net/kazhuyo/ccna-rsnb-chapter-11.

594. Physical Security Handbook (April 2000), from http://download.cabledrum.net/wikileaks_archive/file/uscs-physical-security-handbook.pdf.

595. Security Awareness Training, from https://www.securityinnovation.com/training/information-security/physical-security-training/.

596. Laptop & Mobile Device Physical Security Dos & Don'ts!, from https://www.it.umass.edu/support/security/laptop-mobile-
device-physical-security-dos-donts.

597. Physical Security "Dos" & "Don'ts" (September 9, 2014), from http://www.informationsecuritybuzz.com/news/physical-
security-dos-donts/.

598. Faheem UI Hasan (Nov 6, 2009), Physical Security Assessment, from http://www.slideshare.net/faheemi07/physical-
security-assessment.

599. Davidcurriecia (Jan 5, 2009), Employee Security Awareness Program, from http://www.slideshare.net/davidcurriecia/Employee-Security-Awareness-Program.

600. John Parmigiani, HIPAA's Security Regulations, from http://slideplayer.com/slide/683018/.

601. Physical Security Audit Checklist (January 16, 2013), from http://locknet.com/lockbytes/excerpts/physical-security-audit-
checklist/.

602. John Kirtland, from http://www.computerweekly.com/opinion/Challenges-and-benefits-of-physical-IT-security.

603. Vijay Luiz (Aug 3, 2015), Physical security challenges when vendors are on site, from https://www.linkedin.com/pulse/physical-security-challenges-when-vendors-site-vijay-luiz.

604. Understanding Security Layers, from http://www.slideshare.net/anoir2014/98-367-lesson-1-slides.

605. E-commerce: Security Challenges and Solutions, faculty.kfupm.edu.sa/COE/sadiq/richfiles/rich/ppt/security.ppt.

606. Ztrace Gold, from http://www.ztrace.com/zTraceGold.asp.

607. Prey, from http://preyproject.com.

608. Absolute LoJack, from http://lojack.absolute.com/en.

609. Laptopcop, from http://www.laptopcopsoftware.com.

610. Gadgettrak, from http://www.gadgettrak.com.

611. Dell ProSupport Laptop Tracking & Recovery, from http://www.dell.com/content/topics/global.aspx/services/prosupport/computrace?c=us&l=en&cs=0.

612. LocateMyLaptop, from http://locatemylaptop.com.

613. TrackMyLaptop, from http://trackmylaptop.net.

614. My Laptop Tracker, from http://www.mydevicetracker.com/laptop_tracking_software.asp.

615. Locate Laptop Desktop Security, from http://www.unistal.com/laptop-tracker.html.

616. Laptop Security Tool: EXO5, from http://www.exo5.com/.

617. Ztrace Gold, from http://www.ztrace.com/zTraceGold.asp.

618. Prey, from http://preyproject.com.

619. Absolute LoJack, from http://lojack.absolute.com/en.

620. Laptopcop, from http://www.laptopcopsoftware.com.

621. Gadgettrak, from http://www.gadgettrak.com.

622. Dell ProSupport Laptop Tracking & Recovery, from http://www.dell.com/content/topics/global.aspx/services/prosupport/computrace?c=us&l=en&cs=0.

623. LocateMyLaptop, from http://locatemylaptop.com.

624. TrackMyLaptop, from http://trackmylaptop.net.

625. My Laptop Tracker, from http://www.mydevicetracker.com/laptop_tracking_software.asp.

626. Locate Laptop Desktop Security, from http://www.unistal.com/laptop-tracker.html.

Module 06: Host Security

627. Christofer Hoff (28-5-2007), Network security is dead, from http://rationalsecurity.typepad.com/blog/authentication/.

628. Host Security, from https://web.nsrc.org/workshops/2015/pacnog17-ws/raw-attachment/wiki/Track2Agenda/host-security.pdf.

629. 5-5-2016, Security Baselines and Operating System, Network and Application Hardening, from http://www.techotopia.com/index.php/Security_Baselines_and_Operating_System,_Network_and_Application_Hardening.

630. Host based security practices, from https://csguide.cs.princeton.edu/security/host.

631. 27-5-2009, Log review and management, from https://www.owasp.org/index.php/Log_review_and_management.

632. Randy Smith, Windows Security Log Events, from https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx.

633. Description of security events in Windows 7 and Windows Server 2008 R2, from https://support.microsoft.com/en-us/kb/977519.

634. Controlling access to files and folders, from https://technet.microsoft.com/en-us/library/cc938434.aspx.

635. Setting access controls on files, folders, from https://technet.microsoft.com/en-us/library/dd277411.aspx.

636. Use access control to restrict who can use files, from https://technet.microsoft.com/en-us/library/bb456977.aspx.

637. Access control, from https://technet.microsoft.com/en-us/library/cc770749.aspx.

638. ENISA, from https://www.enisa.europa.eu/activities/cert/support/chiht/tools/iss-realsecure.

639. File system security, from http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch03-FilesystemSecurity.pdf.

640. Security at LSU, from https://grok.lsu.edu/Article.aspx?articleid=8033.

641. Using Microsoft Windows Encrypted File System (EFS), from http://infosec.wfu.edu/files/2013/02/EFS.pdf.

642. 7-3-2014, How to Stop and Disable Unwanted Services from Linux System, from http://www.tecmint.com/remove-
unwanted-services-from-linux/.

643. Host Security, from http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide-4.html.

644. Emmett Dulaney, Linux: Host-Security Review, from http://www.dummies.com/how-to/content/linux-hostsecurity-review.html.

645. Updating and Patching Unix/Linux OSes, from https://itservices.uchicago.edu/page/updating-and-patching-unixlinux-oses.

646. Jered Heeschen (22-6-2016), Check Linux file permissions with ls, from https://www.rackspace.com/knowledge_center/article/checking-linux-file-permissions-with-ls.

647. Lenny Zeltser, Critical Log Review Checklist for Security Incidents, from https://zeltser.com/security-incident-log-review-checklist/.

648. Vivek Gite (17-7-2006), Linux Log Files Location And How Do I View Logs Files on Linux?, from http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/.

649. Yves Lacombe (16-8-2011), Top 10 tips to secure your email server, from https://www.vircom.com/top-10-tips-to-secure-your-email-server/.

650. Ray Zadjmool (8-7-2003), 10 Steps to a Secure FTP Server, from http://www.windowsecurity.com/articles-tutorials/misc_network_security/Secure_FTP_Server.html.

651. Chris Cox, Hardening your router in 9 easy steps, from http://searchnetworking.techtarget.com/tip/Hardening-your-router-
in-9-easy-steps.

652. Sean Wilkins (24-1-2012), Basic Switch Security Concepts and Configuration, from http://www.pearsonitcertification.com/articles/article.aspx?p=1829347.

653. Shelley Bard, Week 47: Switch security tips, from http://searchsecurity.techtarget.com/tip/Week-47-Switch-security-tips.

654. 3-10-2005, Host Definition, from http://www.linfo.org/host.html.

655. Threats and Countermeasures, from https://msdn.microsoft.com/en-us/library/ff648641.aspx#c02618429_005.

656. Connor Tyger (1-12-2014), Computer Security Threats, from https://www.iup.edu/WorkArea/DownloadAsset.aspx?id=195230.

657. Stephen F. Delahunty, Network Security: The Internal Threat, from http://www.delahunty.com/cv/paper_SecurityIT.doc.

658. Michael Lawrence, The Disadvantages of Unpatched Computers on a LAN, from http://smallbusiness.chron.com/disadvantages-unpatched-computers-lan-67316.html.

659. Vulnerabilities, Threats and Attacks, from http://www.lovemytool.com/files/vulnerabilities-threats-and-attacks-chapter-one-7.pdf.

660. Mindi McDowell, Brent Wrisley, and Will Dormann (19-5-2010), Risks of File-Sharing Technology, from https://www.us-
cert.gov/ncas/tips/ST05-007.

661. Top 10 internet threats, from http://www.norman.com/home_and_small_office/security_center/internet_security_tips/internet_security_tips_top_10_internet_threats.

662. Internet Security FAQ, from http://www.kaspersky.co.in/internet-security-center/internet-safety/faq.

663. Nate Lord (28-9-2015), What is Social Engineering? Defining and Avoiding Common Social Engineering Threats, from
https://digitalguardian.com/blog/what-social-engineering-defining-and-avoiding-common-social-engineering-threats.

664. Bogdan Sergiu Dragos (17-12-2012), Blended Threat Concept in Web Applications - DefCamp 2012, from http://www.slideshare.net/DefCamp/blended-threat-conceptinwebapplications-15670548.

665. Margaret Rouse, Blended Threat - Gemischte Bedrohung, from http://www.searchsecurity.de/definition/Blended-Threat-Gemischte-Bedrohung.

666. Blended Threat, from https://www.techopedia.com/definition/39/blended-threat.

667. 23-2-2015, Email and Security, from https://www.princeton.edu/itsecurity/email-and-security/.

668. Dmitry D. Khlebnikov (13-1-2015), Host-based Security, from http://www.slideshare.net/secdevmel/hostbased-security.

669. Jarno Niemela (2-1-2014), Host security, from http://www.slideshare.net/JarnoNiemela/host-security-29634407.

670. What are network services?, from http://www.hcltech.com/technology-qa/what-are-network-services.

671. Arvind Krishna (14-7-2003), Steps to a secure operating system, from http://www.computerworld.com/article/2571939/security0/steps-to-a-secure-operating-system.html.

672. Joe Lee (15-5-2015), Operating System Hardening - Working with Services, from https://www.grandmstramrod.co.uk/operating-system-hardening-working-with-services/.

673. NTFS - New Technology File System, from http://ntfs.com/.

674. How to Track Firewall Activity with the Windows Firewall Log, from http://www.howtogeek.com/220204/how-to-track-
firewall-activity-with-the-windows-firewall-log/.

675. 5-2015, Sysadmin, from http://www.netwrix.com/download/documents/sysadmin_magazine_may.pdf.

676. Getting Started with using the Microsoft Baseline Security Analyzer (MBSA), from http://technology.pitt.edu/security/getting-started-with-using-the-microsoft-baseline-security-analyzer-mbsa.

677. Windows Registry, from http://pcsupport.about.com/od/termsr/p/registrywindows.htm.

678. Using sysinternals tools like a pro, from http://www.howtogeek.com/school/sysinternals-pro/lesson4/all/.

679. User management, from https://www.bluecoat.com/sites/default/files/documents/files/User_Management.8.pdf.

680. Managing User Accounts and Parental Controls, from http://www.gcflearnfree.org/windows7/5.

681. Margus Saluste (24-12-2015), User management in Windows, from https://www.winhelp.us/user-management-in-windows.html.

682. Host Based Security Best Practices, from https://csguide.cs.princeton.edu/security/host.

683. Understanding Patch and Update Management: Microsoft's Software Update Strategy, from
https://msdn.microsoft.com/en-us/library/cc768045.aspx.

684. Christopher Budd (4-5-2006), Ten Principles of Microsoft Patch Management, from https://technet.microsoft.com/en-us/library/cc512589.aspx.

685. Update Management, from https://technet.microsoft.com/library/bb466251.aspx.

686. Jason Chan (31-1-2004), Essentials of Patch Management Policy and Practice, from http://patchmanagement.org/pmessentials.asp.

687. Cristian Florian (25-11-2010), 5 Benefits of Automating Patch Management, from http://www.gfi.com/blog/5-benefits-automating-patch-management/.

688. Margaret Rouse, patch management, from http://searchenterprisedesktop.techtarget.com/definition/patch-management.

689. Earl Follis, The business case for automated patch management tools, from http://searchsecurity.techtarget.com/feature/The-business-case-for-automated-patch-management-tools.

690. Windows Update: FAQ, from http://windows.microsoft.com/en-in/windows/turn-automatic-updating-on-off#turn-automatic-updating-on-off=windows-7.

691. Software reviews, from http://patch-management-software-review.toptenreviews.com/.

692. Patch Management, from http://www.labtechsoftware.com/~/media/8a9926b8d9b6456a8205f1e84002b294.pdf.

693. Disable Unnecessary System Services Locally, from https://technet.microsoft.com/en-us/library/dd277425.aspx.

694. Margus Saluste, 27-4-2016, Local Security Policy in Windows, from https://www.winhelp.us/local-security-policy-in-
windows.html.

695. Securing your windows network, from http://www.howtogeek.com/school/windows-network-security/lesson4/.

696. Protect my PC from viruses, from http://windows.microsoft.com/en-IN/windows-8/how-protect-pc-from-viruses.

697. How To Protect your Windows computer from viruses, Correctly!, from http://www.softwarecandy.com/shop/free-
tips/how-to-correctly-protect-your-windows-computer-from-viruses.

698. Best antivirus, from http://www.pcadvisor.co.uk/test-centre/security/best-antivirus-for-pc-laptop-2016-uk-free-summary-3263332/.

699. Margaret Rouse, Spyware, from http://searchsecurity.techtarget.com/definition/spyware.

700. Vangie Beal, Spyware, from http://www.webopedia.com/TERM/S/spyware.html.

701. Windows Defender in Windows 10, from https://www.microsoft.com/en-us/download/details.aspx?id=48730.

702. Anti Spyware, from http://filehippo.com/software/antimalware/antispyware/.

703. 22-3-2015, The 3 Biggest Threats to Email Security, from https://www.virtru.com/blog/the-four-biggest-threats-to-email-security/.

704. How to disable a pop-up blocker, from http://www.geeksquad.com/do-it-yourself/tech-tips/disable-pop-up-blocker.aspx.

705. Amy Echeverri and Sadequl Hussain, Windows Logging Basics, from https://www.loggly.com/ultimate-guide/windows-
logging-basics/.

706. 29-9-2015, Computer Security and Intrusion Detection (IDS/IPS), from http://www.slideshare.net/AAKASHPANCHAL2/computer-security-and-intrusion-detectionidsips.

707. Margaret Rouse, intrusion detection (ID), from http://searchmidmarketsecurity.techtarget.com/definition/intrusion-detection.

708. Intrusion detection system, from https://www.paloaltonetworks.com/resources/learning-center/what-is-an-intrusion-detection-system-ids.html.

709. Welcome to OSSEC's documentation, from http://ossec.github.io/docs/.

710. An Introduction to AlienVault Unified Security Management, from https://www.alienvault.com/resource-center/videos/an-introduction-to-alienvault-unified-security-management.

711. AlienVault Unified Security Management, from https://www.alienvault.com/docs/data-sheets/AV-USM.pdf.

712. Telmo Sampaio (15-3-2016), What is an endpoint Access Control List (ACLs)?, from https://azure.microsoft.com/en-
in/documentation/articles/virtual-networks-acl/.

713. 3-7-2014, What's New in NTFS for Windows Server, from https://technet.microsoft.com/en-us/library/dn466520.aspx.

714. NTFS Permissions, from http://www.ntfs.com/ntfs-permissions.htm.

715. Jim Boyce (11-6-2002), Learn the basic differences between share and NTFS permissions, from http://www.techrepublic.com/article/learn-the-basic-differences-between-share-and-ntfs-permissions/.

716. William R. Stanek, File and Folder Permissions, from https://msdn.microsoft.com/en-us/library/bb727008.aspx.

717. Filesystem Security, from http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch03-FilesystemSecurity.pdf.

718. Advantages and disadvantages of EFS and effective recovery of encrypted data, from
https://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.
pdf.

719. Vivek Gite (21-9-2006), Linux Set or Change User Password, from http://www.cyberciti.biz/faq/linux-set-change-password-how-to/.

720. Creating User Accounts, from http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/creating-user-accounts.html.

721. Data Encryption, Cryptography and Authentication, from http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide-9.html#ss9.1.

722. 7-3-2014, How to Stop and Disable Unwanted Services from Linux System, from http://www.tecmint.com/remove-
unwanted-services-from-linux/.

723. Running Services, from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-services-running.html.

724. http://ptgmedia.pearsoncmg.com/images/9780132366755/downloads/0132366754_Jang_book.pdf.

725. Michael Jang (2006), Linux patch management, from https://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions.

726. Permissions, from http://linuxcommand.org/lts0070.php.

727. Emmett Dulaney, Linux: Host-Security Review, from http://www.dummies.com/how-to/content/linux-hostsecurity-review.html.

728. Korbin Brown (2-6-2014), The Beginner's Guide to iptables, the Linux Firewall, from http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/.

729. Michael Boelen (21-8-2014), Linux security: Reviewing log files, from http://linux-audit.com/linux-security-reviewing-log-files/.

730. Ramesh Natarajan (1-8-2011), 20 Linux Log Files that are Located under /var/log Directory, from http://www.thegeekstuff.com/2011/08/linux-var-log-files/.

731. /var, from http://www.tldp.org/LDP/Linux-Filesystem-Hierarchy/html/var.html.

732. 3-5-2016, Information Assurance, from https://www.nsa.gov/ia/_files/factsheets/Hardening_Network_Infrastructure_FS.pdf.

733. James Michael Stewart, Web Server Isolation Domain, from http://searchenterprisedesktop.techtarget.com/tip/Web-Server-Isolation-Domain.

734. Server Hardening, from http://www.serverhardening.com/.

735. Margaret Rouse, application security, from http://searchsoftwarequality.techtarget.com/definition/application-security.

736. Data Security, from https://www.techopedia.com/definition/26464/data-security.

737. 24-5-2015, Data Security, from https://www.owasp.org/index.php/Data_Security.

738. Margaret Rouse(October 2014), data loss prevention (DLP), from http://whatis.techtarget.com/definition/data-loss-
prevention-DLP.

739. Michael Avdeev and John Callaghan (14-8-2013), Best Practices for Implementing Data Loss Prevention (DLP), from http://www.slideshare.net/sarfarazchougule/isaca-webinardlpaug82013final-v128451.

740. Symantec Data Loss Prevention, from https://www.symantec.com/products/information-protection/data-loss-prevention

741. McAfee Total Protection for Data Loss Prevention, from http://www.mcafee.com/in/products/total-protection-for-data-loss-prevention.aspx.

742. Forcepoint, from http://www.websense.com/content/data-security-suite-features.aspx.

743. Palisade DLP, from http://palisadesystems.com/products/palisade-dlp.

744. Trustwave, from https://www.trustwave.com/Products/Content-Security/Data-Loss-Prevention/.

745. Digital Guardian, from https://digitalguardian.com/products/digital-guardian-platform/discovery-data-loss-prevention.

746. PixAlert Critical Data Auditor, from http://www.dev.pixalert.com/sensitive-data-security.html.

747. Safetica, from https://www.safetica.com/solution/data-leak-prevention.

748. InterGuard, from https://interguardsoftware.com/data-loss-prevention.html.

749. GTB Enterprise data loss prevention, from http://www.gtbtechnologies.com/en/products/the-gtb-data-loss-platform.

750. Trend Enterprise Data Protection, from http://www.trendmicro.co.in/in/enterprise/data-protection/endpoint/.

751. Cisco Data Loss Prevention tool, from http://www.cisco.com/c/en/us/products/security/email-security-appliance/dlp_overview.html.

752. Watchguard, from https://www.watchguard.com/wgrd-products/security-modules/dlp.

753. Email Data Loss Prevention, from http://www.baesystems.com/en/product/email-data-loss-prevention.

754. Email data loss prevention, from http://www.dlpsoftware.com/.

755. Microsoft baseline security analyzer 2.3, from https://www.microsoft.com/en-in/download/details.aspx?id=7558.

756. Process monitor 3.3, from https://technet.microsoft.com/en-us/sysinternals/processmonitor.

757. Host based intrusion detection system, from https://www.alienvault.com/solutions/host-intrusion-detection-system.

758. Tripwire, from http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/.

759. AIDE, from http://aide.sourceforge.net/.

760. Prelude SIEM, from https://www.prelude-siem.org/.

761. Proventia Desktop Endpoint Security, from http://www-935.ibm.com/services/th/en/it-services/proventia-desktop-endpoint-security.html.

762. Cisco Security Agent, from http://www.cisco.com/c/en/us/products/collateral/security/security-agent/product_bulletin_c_25-458614-00.html.

763. Endpoint Security, from http://www.checkpoint.com/products-solutions/endpoint-security/.

764. McAfee Host Intrusion Prevention, from http://www.mcafee.com/in/products/host-ips-for-desktop.aspx.

765. Buck-security, from http://buck-security.sourceforge.net/buck-security.html.

766. Xmodulo, from http://xmodulo.com/set-password-policy-linux.html.

767. Process Monitor v3.3, from https://technet.microsoft.com/en-us/sysinternals/processmonitor.

768. Desktop central, from https://www.manageengine.com/products/desktop-central/windows-patch-management.html.

769. Patch Manager, from http://www.solarwinds.com/patch-manager.aspx.

770. GFI Languard, from http://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard.

771. Symantec Patch Management Solution, from https://www.symantec.com/products/threat-protection/endpoint-management/patch-management-solution.

772. BatchPatch, from https://batchpatch.com/download.

773. Shavlik Patch, from http://www.shavlik.com/support/patch/downloads/.

774. 2-2014, Shavlik patch, from http://rs.shavlik.com/documents/Patch/ug_patch_2_0.pdf.

775. Kaseya, from http://www.kaseya.com/products/vsa.

776. App-Care, from http://www.labtechsoftware.com/corporate-it/solutions/security/app-care.

777. Lumension, from https://www.lumension.com/vulnerability-management/patch-management-software.aspx.

778. AVG protection pro, from http://free.avg.com/in-en/free-downloads.

779. Norton security standard, from https://in.norton.com/.

780. Avast pro antivirus, from https://www.avast.com/en-in/pro-antivirus.

781. McAfee Security Scan Plus, from http://home.mcafee.com/downloads/free-virus-scan.

782. Avira, from http://www.avira.com/en/avira-free-antivirus.

783. Quick Heal Total Security, from http://www.quickheal.co.in/download-free-antivirus.

784. Kaspersky Anti-Virus, from http://www.kaspersky.com/free-virus-scan.

785. Panda Antivirus, from http://www.pandasecurity.com/india/.

786. G DATA Antivirus, from https://www.gdatasoftware.com/onlineshop/g-data-antivirus.

787. Trendmicro, from http://www.trendmicro.com.

788. Spyware blaster 5.5, from http://www.brightfort.com/?#jc_redirect.

789. Spybot +AV, from https://www.safer-networking.org/.

790. Spyware terminator, from http://www.spywareterminator.com/Default.aspx.

791. Superantispyware, from http://www.superantispyware.com/.

792. Microsoft Security Essentials, from https://www.microsoft.com/en-in/download/details.aspx?id=5201.

793. Bitdefender Internet Security 2016, from http://www.bitdefender.com/solutions/internet-security.html.

794. G DATA Internet Security, from https://www.gdatasoftware.com/onlineshop/g-data-internetsecurity.

795. Fire eye email security, from https://www.fireeye.com/products/ex-email-security-products.html.

796. Mx guard dog, from https://www.mxguarddog.com/.

797. Symantec Email security cloud, from https://www.symantec.com/products/threat-protection/email-security-cloud.

798. Spam filter, from http://www.spamfighter.com/SPAMfighter/Product_Info.asp.

799. Avast anti spam, from https://www.avast.com/en-in/f-anti-spam.

800. OSSEC, from http://ossec.github.io/.

801. Tripwire, from http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/.

802. Intrusion Detection with Tripwire, from http://www.akadia.com/services/tripwire.html.

803. Intrusion Prevention System Software Blade, from https://www.checkpoint.com/products/ips-software-blade/index.html.

804. McAfee Host Intrusion Prevention, from http://www.mcafee.com/in/products/host-ips-for-desktop.aspx.

805. Anvi Folder Locker, from http://www.anvisoft.com/folder-locker.html.

806. Cryptainer, from http://www.cypherix.com/cryptainerle/.

807. Axantum, from http://www.axantum.com/AxCrypt/.

808. Keepass, from http://keepass.info/download.html.

809. Stefan Hetzl, Steghide, from http://www.securityfocus.com/tools/581.

810. Open Puff 4.00, from http://embeddedsw.net/OpenPuff_Steganography_Home.html.

811. Stunnel, from https://www.stunnel.org/downloads.html.

812. Cryptoforge, from http://www.cryptoforge.com/encryption-software.htm.

813. Buck Security, from https://github.com/davewood/buck-security.

Module 07: Secure Firewall Configuration and Management

814. Sandiegopchelp (Apr 15, 2008), Firewall Limitations, from http://www.sandiegopchelp.com/firewall-limitations/.

815. Network Security, from http://nptel.ac.in/courses/Webcourse-contents/IIT%20Kharagpur/Computer%20networks/pdf/M8L3.pdf.

816. FIREWALLS, from http://mercury.webster.edu/aleshunas/COSC%205130/Chapter-22.pdf.

817. Donald Stoddard, Thomas M. Thomas (Feb 8, 2012), from http://www.ciscopress.com/articles/article.asp?p=1823359&seqNum=7.

818. Habtamu Abie (January 2000), An Overview of Firewall Technologies, from http://heim.ifi.uio.no/~abie/fwt.pdf.

819. Jeff Tyson, How Firewalls Work, from http://computer.howstuffworks.com/firewall1.htm.

820. How does a firewall work?, from http://www.bullguard.com/bullguard-security-center/pc-security/computer-security-resources/how-does-a-firewall-work.aspx.

821. An Introduction to Firewalls, from http://www.firewallinformation.com/.

822. Amandeep Kaur (Aug 26, 2010), from http://www.slideshare.net/adkpcte/firewall-presentation.

823. Firewall Defaults and Some Basic Rules, from http://www.downloads.netgear.com/docs/utm_qsgs/utm_fw.pdf.

824. Create A Basic Firewall (Packet Filter) Rule in Astaro Security Gateway (5 Nov 2015), from https://www.sophos.com/en-
us/support/knowledgebase/115155.aspx.

825. Understanding Firewall Rules, from https://technet.microsoft.com/en-us/library/cc730951.aspx.

826. Firewall detection, from http://www.bullguard.com/bullguard-security-center/pc-security/computer-security-resources/firewall-protection.aspx.

827. How Firewalls Protect Your PC, from http://www.comodo.com/resources/home/how-firewalls-work.php.

828. Security News, from http://www.pctools.com/security-news/what-does-a-firewall-do/.

829. G. Krishnam Raju, S. L. N. Reddy, from http://www.scribd.com/doc/22594454/ADVANTAGES-OF-FIREWALL.

830. Vangie Beal, firewall, from http://www.webopedia.com/TERM/F/firewall.html .

831. Michael Cobb, What is firewall?, from http://searchsecurity.techtarget.com/definition/firewall .

832. Firewall Rules, from http://documentation.netgear.com/dg834n/enu/202-10197-02/Firewall.5.4.html.

833. Firewall Rule Basics, from https://doc.pfsense.org/index.php/Firewall_Rule_Basics.

834. Sandra4211 (May 4, 2010), from http://www.slideshare.net/Sandra4211/sygate-personal-firewall-pro-user-guide.

835. Frederic Avolio, from http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-


1/ipj-a rch ive/articl e09186a 00800c85a e. htm I.

836. Per Thorsheim, COMPARING FIREWALL TECHNOLOGIES, from http://www.ittoday.info/AIMS/DSM/84-10-26.pdf.

837. Karen Scarfone, Paul Hoffman, Guidelines on Firewalls and Firewall Policy, from
http://cs re. nist .gov/pu bl i cations/nistpu bs/800-41-Revl/sp800-41-revl. pdf.

838. Network Design: Firewall, IDS/IPS (APRIL 10, 2013), from http://resources.infosecinstitute.com/network-design-firewall-
idsips/.

839. Firewall Technologies, from


https ://www.novelI.com/documentation/n bm37/?page=/documentation/n bm37/over/data/ae70nts. html.

840. David W Chadwick, Network Firewall Technologies, from


http://www.itsec.gov.cn/webporta I/download/2004_network_fw_tech. pdf.

841. Habtamu Abie (January 2000), An Overview of Firewall Technologies, from


http://publications.nr.no/directdownload/publications.nr.no/3149/Abie_-_An_overview_of_firewall_technologies.pdf.

842. Network address translation, from http://en.wikipedia.org/wiki/Network_address_translation.

843. Firewall (computing), from http://en.wikipedia.org/wiki/Firewall_(computing).

844. Controlling Traffic and the OSI Reference Model, from


http://etutoria Is. org/N etworki ng/Ro uter+fi rewa Il+secu rity/Pa rt+I +Secu rity+Overvi ew+a nd+ Fi rewa 11 s/Chapter+ 2.+I ntrod ucti
on+to+ Fi rewal Is/Control Ii ng+Traffic+a nd+the+OSI+ Refe re nee+ ModeI/.

845. Margaret Rouse, packet filtering, from http://searchnetworking.techtarget.com/definition/packet-filtering.

846. IP Packet Filtering, from https://technet.microsoft.com/en-us/library/cc957881.aspx.

847. Packet Filtering, from http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch08_01.htm.

848. Application firewall, from http://en.wikipedia.org/wiki/Application_firewall.

849. Packet Filtering, from http://www.techopedia.com/definition/4038/packet-filtering.

850. All About Firewalls, from http://firewall-review.narod.ru/circuit_level_gateway.html.

851. Circuit-Level Gateway, from http://www.techopedia.com/definition/24780/circuit-level-gateway.

References Page 1234 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

852. The Network Encyclopedia, from http://www.thenetworkencyclopedia.com/entry/circuit-level-gateway/.

853. All About Firewalls, from http://firewall-review.narod.ru/application_gateway.html.

854. Application Layer Filtering - Firewall Advanced Security, from http://www.internet-computer-


security.com/Firewall/Application-Layer-Filtering.html.

855. Deb Shinder (15 Jan. 2004), from http://www.windowsecurity.com/articles-


tutorials/firewal ls_and_VPN/Application_Layer_Filtering.html.

856. Rajesh K (June 13, 2009), Network Security, from http://www.excitingip.com/205/what-are-packet-filtering-circuit-level-


application-level-and-stateful-multilayer-inspection-firewalls/.

857. Proxy Services, from http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch05_03.htm.

858. Network Address Translation, from http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch05_04.htm.

859. Virtual Private Networks, from http://docstore.mik.ua/orelly/networking_2ndEd/fire/ch05_05.htm.

860. Firewall Security, from http://www.ipcopper.com/firewalls.htm.

861. Gregg, Certified Ethical Hacker, from


htt ps ://books .googl e. co.in/books ?id =Gyf0Wq3T_rkC& pg= PA384&1 pg= PA384&dq= How+to+preve nt+hac ke r+bypa ss i ng+th e
+firewall?&source=bl&ots=xa4WbdoJrd&sig=MrmLDB60fkRzaMr0Pe9fA7vpQhg&hl=en&sa=X&ved=0CFAQ6AEwCGoVChMI
16m7qpj2xwlViY-
OCh2EjA2U#v=onepage&q=How%20to%20prevent%20hacker%20bypassing%20the%20firewall%3F&f=false.

862. Alfred Basta, Nadine Basta, Mary Brown, Computer Security and Penetration Testing, from
https://books.google.co.in/books?id=Eg_TCQAAQBAJ&pg=PA185&1pg=PA185&dq=How+to+prevent+hacker+bypassing+the
+firewall?+attacks&source=bl&ots=yjTdm30Ezd&sig=E11Kblcyw_HUe_naP-
6WRPy2PV0&hl=en&sa=X&ved=0CCgQ6AEwAjgKahUKEwj7tcLWnvbHAhWCTl4KHV3FBSQ#v=onepage&q=How%20to%20pr
event%20hacker%20bypassing%20the%20firewall%3F%20attacks&f=false.

863. Adam Gowdiak (29-30th May 2003), Techniques used for bypassing firewall systems, from
https://www.terena.org/activities/tf-csirt/meeting9/gowdiak-bypassing-firewalls.pdf.

864. Evasion (network security), from https://en.wikipedia.org/wiki/Evasion_(network_security).

865. Wing (December 13, 2013), How to Protect Networks against Advanced Evasion Techniques(AET), from
http://secu ritywi ng. com/how-to-protect-networks-against-a dva n ced-evasi on-techniques/.

866. Vijay Kumar (02.17.12), BASIC HACKING SKILLS, from https://basichackingskills.wordpress.com/2012/02/17/firewall-how-it-


works/.

867. Nmap Reference Guide, from https://nmap.org/book/man-bypass-firewalls-ids.html.

868. Olli-Pekka Niemi, Protect Against Advanced Evasion Techniques, from


http://www. we btoria Is. com/main/resource/pa pe rs/M cAfee/pa per29/protect-against-adv-evasion-techniques. pdf.

869. Oriyano, CEH: Certified Ethical Hacker Version 8 Study Guide, from https://books.google.co.in/books?id=aKw-
BAAAQBAJ&pg=PA385&1pg=PA385&dq=How+attacker+bypasses+firewall+%22process%22&source=bl&ots=CylwzzYIFz&sig
=VfrscKnlD4Jk4BpkFlfldFPehUs&hl=en&sa=X&ved=0ahUKEwiowYrFyKvJAhXCU44KHeg4Dc4Q6AEIPjAG#v=onepage&q=How
%20attacker%20bypasses%20firewall%20%22process%22&f=false.

870. IP address spoofing, from https://en.wikipedia.org/wiki/lP_address_spoofing.

871. Margaret Rouse, IP spoofing (IP address forgery or a host file hijack), from
http://searchsecurity.techtarget.com/defi nition/1 P-spoofing.

872. What is IP Spoofing?, from https://www.iplocation.net/ip-spoofing.

873. Farha Ali, IP Spoofing, from https://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_ip-


spoofing.html.

874. Spoofing Attack: IP, DNS & ARP I Veracode, from http://www.veracode.com/security/spoofing-attack.
875. IP address spoofing (August 2016), from http://ccm.net/contents/41-ip-address-spoofing.

876. IP Spoofing, from https://www.techopedia.com/definition/3993/ip-spoofing.

877. Source routing, from https://en.wikipedia.org/wiki/Source_routing.

878. Loose Source Routing, from https://en.wikipedia.org/wiki/Loose_Source_Routing.

References Page 1235 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

879. Understanding IP Source Route Options (2012-10-05), from


https://www.juniper.net/documentation/en_US/junosl2.l/topics/concept/reconnaissance-deterrence-attack-evasion-ip-
source-route-understand ing. html.

880. The Dangers of Source Routing, from http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-


5.html.

881. Firewall/IDS Evasion and Spoofing, from https://nmap.org/book/man-bypass-firewalls-ids.html.

882. Ryan Dube (April 23, 2009), How to Bypass Firewalls & Get Into Blocked Websites in School or at Work With FreeProxy
(Windows), from http://www.makeuseof.com/tag/how-to-get-into-blocked-websites-in-school-with-freeproxy/.

883. How to Bypass Web Content Filters, from https://www.untangle.com/inside-untangle/bypasswebfilters/.

884. @breenmachine (November 2, 2015), from http://foxglovesecurity.com/2015/11/02/hack-like-the-bad-guys-using-tor-for-


firewall-evasion-and-anonymous-remote-access/.

885. Proxy server, https://en. wikipedia.org/wiki/Proxy_server#Bypassing_filters_and_censorship.

886. ICMP tunnel, from https://en.wikipedia.org/wiki/lCMP_tunnel.

887. Daniel St0dle (May 26. 2005), Ping Tunnel, from http://www.mit.edu/afs.new/sipb/user/golem/tmp/ptunnel-
0.61.orig/web/.

888. Matt Schulz (August 21, 2009), TUNNELING IP TRAFFIC OVER ICMP, from http://hackaday.com/2009/08/21/tunneling-ip-
traffic-over-icmp/.

889. Hans IP over ICMP, http://code.gerade.org/hans/.

890. ICMP Attacks (MARCH 12, 2014), from http://resources.infosecinstitute.com/icmp-attacks/.

891. Configuring ICMP Message Tunneling for MPLS (2012-02-21), from


https://www.juniper.net/documentation/en_US/junos12.1/topics/usage-guidelines/mpls-configuring-icmp-message-
tunneling.html.

892. Configuring firewalls to prevent users bypassing filtering, from https://community.jisc.ac.uk/library/janet-services-


documentation/configuring-firewalls-prevent-users-bypassing-filtering.

893. Firewall Architectures, from http://www.s-w-r.com/Firewall/link5.html.

894. FIREWALL ARCHITECTURES, from http://www.invir.com/int-sec-firearc.html.

895. Bastion host, from http://en.wikipedia.org/wiki/Bastion_host.

896. Firewall Deployment for Multitier Applications (April, 2002), from http://zeltser.com/multi-firewall/.

897. FIREWALLS, from http://mercury.webster.edu/aleshunas/COSC%205130/Chapter-22.pdf.

898. http://books.google.co. in/books ?id=i pvoml8c9zcC&pg=PA25&1 pg=PA25&dq=M ulti-


homed+firewal l+architecture&source=bl&ots=3 E-
Q8RRoS9&sig=KbpZfz1RrZmRAn3a5_QtlQB6CJ4&hl=en&sa=X&ei=ZfOXVM-
cEMeTuAT8ylLgDg&ved=OCF8Q6AEwCg#v=onepage&q=Multi-homed%20firewall%20architecture&f=false.

899. John R. Vacca, Scott Ellis, Firewalls: Jumpstart for Network and Systems Administrators, from
https://books.google.co.in/books?id=ipvoml8c9zcC&pg=PA25&1pg=PA25&dq=Multi-
homed+firewall+architecture&source=bl&ots=3E-
Q8RRoS9&sig=KbpZfz1RrZmRAn3a5_QtlQB6CJ4&hl=en&sa=X&ei=ZfOXVM-
cEMeTuAT8ylLgDg&ved=OCF8Q6AEwCg#v=onepage&q=Multi-homed%20firewall%20architecture&f=false.

900. CBK Telecommunications and Network Security - Firewall architecture (Wednesday, 13 June 2012), from
http://www.secu ritya re na. com/ciss p-crux/7 4-cb k-tel ecom mun ications-a nd-n etwork-secu rity ?start= 10.

901. Firewall Design, from http://www.diablotin.com/librairie/networking/firewall/ch04_02.htm.

902. Firewall Facts, from https://sites.google.com/a/pccare.vn/it/security-pages/firewall-facts.

903. Choosing the Right Firewall Topology, from http://www.firewallhelp.com/firewall-topology.html.

904. Network Defense: Perimeter Defense Mechanisms, from https://books.google.co.in/books?id=hbQIAAAAQBAJ&pg=SA2-


PA6&1pg=SA2-
PA6&dq=choosing+a+firewall+topology&source=bl&ots=aROyXQPofa&sig=bOmdGdPBs190ixEkZAJ_N3599Pg&hl=en&sa=X
&ved=OahUKEwi_mlCCoK3JAhVRTo4KHelZAQIQ6AEIQDAJ#v=onepage&q=choosing%20a%20firewall%20topology&f=false.

References Page 1236 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

905. Firewalls, Tunnels, and

906. Network Intrusion Detection, from http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch06-Firewalls.pdf.

907. Unified Threat Management, from http://chimera.labs.oreilly.com/books/1234000001633/ch14.html#url_filtering-idl.

908. Krzysztof Zagrodzki (30 Aug. 2002), from http://www.windowsecurity.com/articles-


tutorials/firewalls_and_VPN/A_firewall_in_an_lT_system .html .

909. Compliance Component (06/08/2004), from http://archive.oa.mo.gov/itsd/cio/architecture/domains/security/CC-


FirewallEnvironmentsARC.pdf.

910. John Wack, Ken Cutler, Jamie Pole, Guidelines on Firewalls and Firewall Policy, from
http://ithandbook.ffiec.gov/med ia/27459/nis-guide_on_firewall_and_fi rewa ll_pol_800_41. pdf.

911. Laura Pelkey (11/16/12), 3 Steps to a Successful Firewall Implementation, from http://blog.icorps.com/bid/138231/3-
Steps-to-a-Successful-Firewall-lmplementation.

912. Firewall implementation: Perimeter security placement and management, from


http://search networking.tech target. co m/tutoria I/Fi rewa 11-i m plem entati on-Peri meter-secu rity-p la cement-and-
ma nagement.

913. Edward Tetz, Network Firewall Implementation, from http://www.dummies.com/how-to/content/network-firewall-


implementation.html.

914. Firewall implementation, from https://community.jisc.ac.uk/library/advisory-services/firewall-implementation.

915. Scott Hogg (Jul 31, 2011), Firewall Administration Techniques and Tools, from
http://www. n etworkworl d. com/arti cle/2220307/ cisco-su bnet/cisco-su b net-fi rewa 11-a dministration-techniques-and-
tools.htm I.

916. Ethan Banks (11/12/2013), Firewall Administration For Sysadmins: A Primer, from
http://www.networkcom puti ng.com/ca reers/fi rewa 11-a d min istration-sysa d mi ns-primer/2 09 6601244.

917. Ethan Banks (11/12/2013), Firewall Administration For Sysadmins: A Primer, from
http://www.networkcom puti ng.com/networki ng/fi rewa II-ad ministrati on-for-sysad mins-pa rt-2-key-con ce pts/a/d-
id/1234542?.

918. Linda Musthaler (Sep 11, 2009), Top 5 best practices for firewall administrators, from
http://www.networkworl d. com/arti cl e/2247110/network-security/top-5-best-p racti ces-for-fi rewa 11-a d min istrators. htm I.

919. basic types of firewalls, from http://www.vesaria.com/Firewall/FAQ/sec19.php.

920. Network packet, from https://en.wikipedia.org/wiki/Network_packet.

921. Firewalls, from http://www.cs.fsu.edu/~breno/CIS-5357/lecture_slides/class16.pdf.

922. John Wack (Fri Feb 3 08:10:14 EST 1995), Little Protection from Insider Attacks, from
http://www.vtcif.telstra .com .au/pub/docs/security/800-10/ node42. html.

923. Nathan Einwechter (14 Feb 2002), The Enemy Inside the Gates: Preventing and Detecting Insider Attacks, from
http://www.syma ntec. com/ connect/articles/en emy-i nsi de-gates-preventing-a nd-d etecting-i nsi der-attac ks.

924. Deb Shinder (16 March 2011), Protecting Against Insider Attacks In Todays Network Environments, from
http://www.win dowsecu rity.com/arti cles-tutori aIs/misc_network_security/Protecti ng-Aga i nst-1 nsi der-Attac ks-Todays-
Network-Envi ron ments. htm I.

925. LamonteCristo (Dec 2 '12), How to setup an internal firewall, from


http://security. stackexcha nge. com/ qu estio ns/17218/h ow-to-setup-a n-i nterna 1-firewa 11.

926. Dave Piscitello, Firewall Best Practices - Egress Traffic Filtering, from http://securityskeptic.typepad.com/the-security-
skeptic/firewall-best-practices-egress-traffic-filtering.html.

927. Creating an External Access Rule, from http://wiki.ipfire.org/en/configuration/firewall/rules/external-access.

928. System Administration Guide: Security Services, from http://docs.oracle.com/cd/E19683-01/817-0365/concept-


4/index.html.

929. Laura Taylor,(July 5, 2001), Read your firewall logs, from http://www.zdnet.com/news/read-your-firewall-logs/298230.

930. Overview of the Windows Firewall Security Log File in Windows XP (2015-04-29), from
http://ecross. mvps. org/howto/overvi ew-of-t he-wind ows-fi rewa 11-secu rity-1 og-fi Ie-i n-wi n dows-xp. htm.

References Page 1237 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

931. Viewing the Firewall Log, from http://technet.microsoft.com/en-us/library/cc753781(v=ws.10).aspx.

932. Windows Server 2003/2003 R2 Retired Content, from http://technet.microsoft.com/en-us/library/cc787462(v=ws.10).aspx.

933. Anand Sastry, Firewall logging: Telling valid traffic from network 'allows' threats, from
http://sea rchsecu rity. techta rget. com/tip/Firewa 11-1 ogging-Tel Ii ng-va Iid-traffic-from-network-a 11 ows-th reats.

934. Kevin Beaver, from http://searchsecurity.techtarget.com/tip/Firewall-best-practices.

935. Securing Your Network (June 2003), https://msdn.microsoft.com/en-us/library/ff648651.aspx.

936. Manage Firewall Administrators, from https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/device-


management/manage-firewall-administrators.html.

937. Configuring Firewall Rules (January 20, 2009), https://technet.microsoft.com/en-us/library/dd448559(v=ws.10).aspx.

938. Anand Deveriya (Dec 1, 2005), from http://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3.

939. Deb Shinder (July 20, 2007), from http://www.techrepublic.com/blog/10-things/10-ways-to-monitor-what-your-users-are-


doing-with-company-computers/.

940. 5 Critical Rules for Firewall Management, from https://www.secureworks.com/resources/wp-five-rules-for-firewall-


management.

941. Vinod Mohan, Best Practices for Effective Firewall Management,


http ://web .swcd n. net/creative/pdf/Wh itepa pers/Best_Practices_for_Effective_Fi rewa 11 _Ma nagem ent. pdf.

942. Managing Firewall Access Rules, from


http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-
1/user/guide/CSMUserGuide_wrapper/fwaccess.html.

943. Skybox Security, from http://www.skyboxsecurity.com/content/skybox-solutions-firewall-management.

944. Intel Security (Aug 30, 2013), Five Website Security Do's and Don'ts for Online Merchants, from
https://blogs.mcafee.com/business/five-website-security-dos-and-donts-for-online-merchants/.

945. The Do's and Don'ts of Firewall Audit Tools, from https://www.firemon.com/dos-and-donts-of-firewall-audit-tools/.

946. Neil Reiter (May 10, 2010), from http://www.csoonline.com/article/2125166/network-security/firewall-audit-dos-and-don-


ts.html.

947. AdventNet ManageEngine Firewall Analyzer4, from


https ://download. manageengi ne .com/products/firewall/Fi rewallAnalyzer_ UserGuide .pdf.

948. AdventNet ManageEngine Firewall Analyzers, from


http://www. zm a. com. ar/ conten idos/images/image/Firewa I1%20Ana lyzer/Docu mentos/Fi rewa IIAnalyzer_UserG uid e. pdf.

949. http://nmap.org/nsedoc/scripts/firewalk.html.

950. File firewalk, from https://nmap.org/nsedoc/scripts/firewalk.html.

951. Irene Abezgauz (Thu, 18 Aug 2005), from http://seclists.org/pen-test/2005/Aug/224.

952. Firewalk, from http://www.vulnerabilityassessment.co.uk/firewalk.htm.

953. Firewalk - Firewall Ruleset Testing Tool (October 15, 2008 ), from http://www.darknet.org.uk/2008/10/firewalk-firewall-
ruleset-testing-tool/.

954. FTester - Firewall Tester and IDS Testing tool (July 19, 2007), from http://www.darknet.org.uk/2007/07/ftester-firewall-
tester-and-ids-testing-tool/.

955. Joel Snyder (Feb 5, 2007), How we tested Check Point firewall, from
http://www.networkworld.com/article/2303641/network-security/how-we-tested-check-point-firewall.html.

956. G. Ziemba (October 1995), Security Considerations for IP Fragment Filtering, from https://www.rfc-
editor.org/rfc/rfc1858.txt.

957. Wingate, from http://www.wingate.com.

958. Sonic WALL, http://www.sonicwall.com.

959. McAfee Next Generation Firewall, from http://www.mcafee.com.

960. Barracuda Firewall, from https://www.barracuda.com.

References Page 1238 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

961. WatchGuard's Next-Generation Firewall, from http://www.watchguard.com.

962. Cisco ASA, from http://www.cisco.com.

963. NetScreen Firewall, http://www.juniper.net.

964. Sophos UTM, http://www.sophos.com.

965. Cyberoam Firewall, from http://www.cyberoam.com.

966. Comodo Internet Security Pro 7, from http://www.comodo.com.

967. Kaspersky Internet Security, from http://www.kaspersky.com.

968. Total Defense Internet Security Suite, from http://www.totaldefense.com.

969. Bitdefender Internet Security, from http://www.bitdefender.com.

970. Private Firewall, from http://www.privacyware.com.

971. Outpost Firewall Pro, from http://www.agnitum.com.

972. ZoneAlarm Pro Firewall, from http://www.zonealarm.com.

973. Norton Internet Security, from http://in.norton.com.

974. Windows 8 Firewall Control, from http://www.sphinx-soft.com.

975. McAfee Internet Security, from http://home.mcafee.com.

976. Firewall Analyzer, from http://www.manageengine.com/products/firewall/.

977. Check Point's Next Generation Firewall, http://www.checkpoint.com.

978. FortiGatem, http://www.fortinet.com.

979. Jason Anderson (March 15, 2001), An Analysis of Fragmentation Attacks, from http://www.ouah.org/fragma.html.

980. Tiny Fragment Attack, from https://definedterm.com/a/definition/5029.

981. Tiny Fragment Attack (March 2007), from http://connection.ebscohost.com/c/reference-entries/31670720/tiny-fragment-


attack.

982. I. Miller (June 2001), Protection Against a Variant of the Tiny Fragment Attack, from https://tools.ietf.org/html/rfc3128.

983. SonicWALL, from http://www.sonicwall.com.

984. CheckPoint' Next Generation Firewall, from http://www.checkpoint.com.

985. FortiGate, from http://www.fortinet.com.

986. McAfee Next Generation Firewall, from http://www.mcafee.com.

987. Barracuda Firewall, from https://www.barracuda.com.

988. WatchGuard's Next-Generation Firewall, from http://www.watchguard.com.

989. Cisco ASA, from http://www.cisco.com.

990. NetScreen Firewall, from http://www.juniper.net.

991. Sophos UTM, from http://www.sophos.com.

992. Cyberoam Firewall, from http://www.cyberoam.com.

993. Comodo Internet Security Pro 7, from http://www.comodo.com.

994. Kaspersky Internet Security, from www.kaspersky.com.

995. Total Defense Internet Security Suite, from http://www.totaldefense.com.

996. Bitdefender Internet Security, from http://www.bitdefender.com.

997. Private firewall, from http://www.privacyware.com.

998. Outpost Firewall Pro, from http://www.agnitum.com.

999. ZoneAlarm PRO Firewall, from http://www.zonealarm.com.

References Page 1239 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

1000. Norton Internet Security, from http://in.norton.com.

1001. Windows 8 Firewall Cont rol, from http://www.sphinx-soft.com.

1002. McAfee Internet Security, from http://home.mcafee.com.

Module 08: Secure IDS Configuration and Management

1003. Chris McNab, Network Security Assessment, from


https ://www.trustmatta.com/downloads/pdf/Matta_l P_Network_Scan ning. pdf.

1004. Przemyslaw Kazienko & Piotr Dorosz (7-4-2003), Intrusion Detection Systems (IDS) Part I, from
http://googleweblight.com/?I ite_url=http://www.wi ndowsecurity.com/articles-
tutorials/intrusion_detection/1 ntrusion_Detection_Systems_l DS_Part_l_ network_intrusions_ attack_sym ptoms_IDS_tasks
_and_lDS_architecture.html&ei=wjgGk8gA&lc=en-lN&geid=7&s=l&m=328&ts=1443607601&sig=APONPFmMHyzAy-
6SXYxgKzR70YUCJw_i ng.

1005. Patrick Harper, Secure IDS deployment best practices, from http://searchitchannel.techtarget.com/tip/Secure-lDS-
deployment-best-practices .

1006. Edward Yakabovicz, Intrusion detection system deployment recommendations, from


http://sea rchfi nan cia lsecu rity.techta rget. com/ti p/1 ntrusion-d etection-system-d ep Ioyment-reco mm en dati ons .

1007. K.Rajasekhar, B.Sekhar Babu, P.Lakshmi Prasanna, D.R.Lavanya, T.Vamsi Krishna (12-2-11), An Overview of Intrusion
Detection System Strategies and Issues, from http://www.ijcst.com/vol24/1/krajasekhar.pdf.

1008. IDPS technologies: an overview, from http://ids.nic.in/TNL%20Mar%202009/IDPS/IDPS.pdf.

1009. Margaret Rouse, intrusion detection (ID), from http://searchmidmarketsecurity.techtarget.com/definition/intrusion-


detection.

1010. 27-2-2012, What it is Network intrusion detection system?, from http://www.combofix.org/what-it-is-network-intrusion-


detection-system.php.

1011. How Intrusion Detection Works, from http://www.spamlaws.com/how-intrusion-detection-works.html.

1012. Robert L. Barnard, Intrusion Detection Systems, from


http ://books .googl e. co.in/boo ks ?id=jo5AN oqS2 MMC& pg=PAl&I pg=PAl&d q=Intrus ion+d etecti on+fu nctions&sou rce=bl &ot
s=40qoXTh7F0&sig=qkGHE9miEjvFCWK5x3OFFrYBKqY&hl=en&sa=X&ei=IS1HVKaUNZeMuATOzlLgCw&ved=0CCwQ6AEwAjg
K#v=onepage&q=lntrusion%20detection%20functions&f=false.

1013. Gary C. Kessler(26-7-2016), An Overview of Cryptography, from http://www.garykessler.net/library/crypto.html.

1014. IDS Introduction, from


http://etutoria Is.org/N etworki ng/Router+firewa Il+secu rity/Pa rt+VI l+Detecti ng+a nd+ Preventing+ Attacks/ Ch apter+16.+ Intru
sion-Detection+System/lDS+lntroduction/.

1015. How an Intrusion Detection System in a Firewall Works, from http://anti-virus-software-review.toptenreviews.com/how-


an-intrusion-detection-system-in-a-firewall-works.html.

1016. Deb Shinder(13-7-2005), SolutionBase: Understanding how an intrusion detection system (IDS) works, from
http://www.tech republic. com/ article/solution base-understanding-how-a n-i ntru si on-detection-system-ids-works/.

1017. J. Forlanda(3-2-2010), Intrusion Detection Systems: How They Work, from http://www.brighthub.com/computing/smb-
security/articles/65416.aspx

1018. Randy Weaver and Dean Farwood, Guide to Network Defense and Countermeasures, from
htt ps ://books .googl e.co.in/books ?id =qbwu j_ Um h9YC&pg= PA270&1 pg= PA270&dq= Examining+ Intrusion+ Detection+System
+Components&source=bl&ots=WfGd_NXJSY&sig=S6De3 koOOOSbZNy30dRIP-
ZCcls&hl=en&sa=X&ved=0CDIQ6AEwAmoVChMI0_H9sMygyAIVTlmOCh32VQut#v=onepage&q=Examining%201ntrusion%20
Detection%20System%20Components&f=false

1019. Pastore M., Dulaney E, Intrusion Detection Systems, from http://flylib.com/books/en/4.213.1.49/1/.

1020. Intrusion detection systems, from https://www.ipa.go.jp/security/fy11/report/contents/intrusion/ids-meeting/idsbg.pdf.

1021. Fredrik Valeur, Giovanni Vigna, Christopher Kruegel and Richard A. Kemmerer (9-2004), Comprehensive Approach to
intrusion detection alert correlation, from
http://www.cs.ucsb.edu/"'Vigna/publications/2004_va leur_vigna_kruegel_kemmerer_TDSC_Correlation. pdf.

References Page 1240 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References

1022. Nazir Ahmad(l 7-11-2012), Intrusion detection systems, from http://www.slideshare.net/King8117/intrusion-detection-


systems-15218543.

1023. Karen Scarfone and Peter Mell (Feb 2007), Guide to Intrusion Detection and Prevention Systems, from
http://cs re. nist .gov/pu bl i cations/nistpu bs/800-94/SP800-94. pdf.

1024. Przemyslaw Kazienko & Piotr Dorosz(15-6-2004), Intrusion Detection Systems (IDS) Part 2 - Classification, from
http://www.windowsecurity.com/articles-tutorials/intrusion_detection/lDS-Part2-Classification-methods-techniques.html.

1025. Misuse detection, from http://en.wikipedia.org/wiki/Misuse_detection.

1026. Pedro A. Diaz-Gomez, Dean F. Hougen, misuse detection: An Iterative Process vs. A Genetic Algorithm Approach, from
http://www.cameron.edu/~pdiaz-go/lter_ GAsMisUseF .pdf.

1027. Jie Lin, Intrusion detection, from http://www.csee.wvu.edu/~cukic/CS665/ID.ppt.

1028. Kanika, Urmila(June 2013), Security of Network Using Ids and Firewall, from http://www.ijsrp.org/research-paper-
0613/ijsrp-p18150.pdf.

1029. Shiv Shakti Srivastava, Nitin Gupta, Saurabh Chaturvedi, Saugata Ghosh(2011), A survey on mobile agent based intrusion
detection system, from http://www.ijcaonline.org/isdmisc/number6/isdm137.pdf.

1030. Growing information-part-2, from


https://books.google.co.in/books?id=t7RDjagG1FAC&pg=PA671&1pg=PA671&dq=IDS+structure+%22Centralized+System%2
2&source=bl&ots=l5Wi16m-
Ox&sig=Th2mSUAzLzXkVBcDsOslKP8aWvU&hl=en&sa=X&ved=0CBwQ6AEwAGoVChMlz_ab8vrByAIV116OCh0jxQVx#v=one
page&q=IDS%20structure%20%22Centralized%20System%22&f=false.

1031. Saidat Adebukola Onashoga, Adebayo D. Akinde and Adesina Simon Sodiya(2009), A Strategic Review of Existing Mobile
Agent Based Intrusion Detection Systems, from http://iisit.org/Vol6/IIS1Tv6p669-6820nashoga623.pdf.

1032. http://www.syma ntec. com/ connect/arti cles/introd u ction-d istributed-i ntrusi on-detection-systems.

1033. Nathan Einwechter(8-1-2002), An Introduction To Distributed Intrusion Detection Systems, from


http://dspace.thapa r.edu :8080/dspace/bitstrea m/10266/3447/1/601303024_Roh in iRajpal.pdf.

1034. Advances in enterprise information technology security, from


https ://books.google.co. in/books ?id=fWW9AQAAQBAJ&pg=PT117&lpg=PTll7 &dq=on+the+fly+processing+in+ids&source=
bl&ots=FppvuTYevR&sig=jtwXhq6ncgMEPhi7hBy9DDrgZRA&hl=en&sa=X&ved=0CDQQ6AEwA2oVChMl8J2WqOnByAIVi7-
OCh0o_wV7#v=onepage&q=on%20the%20fly%20processing%20in%20ids&f=false.

1035. Julie J.C.H. Ryan(May 2002), Intrusion Detection, from http://www.seas.gwu.edu/~jjchryan/VAIDS051402.pdf.

1036. Computer security handbook, from


https://books.google.co.in/books?id=yKQ6AwAAQBAJ&pg=PT1090&1pg=PT1090&dq=lnterval+based+in+ids+%22Batch+Mo
de%22&source=bl&ots=Q-YyUovj-
U&sig=U31mjE5UlnUE2JR38VwQVF8rYKg&hl=en&sa=X&ved=0CDMQ6AEwBmoVChMl7fSLgvbByAIVRT6OChlHUQKr#v=one
page&q=lnterval%20based%20in%20ids%20%22Batch%20Mode%22&f=false.

1037. Hudson K., Ruth A. Intrusion Detection Systems, from http://flylib.com/books/en/2.902.1.51/1/.

1038. Cisco Network-Based Intrusion detection-Functionalities and Configuration, from


http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_ Center/ServerFarmSec_2-1/ServSecDC/8 _NI DS.pdf.

1039. Intrusion detection system https://en.wikipedia.org/wiki/lntrusion_detection_system.

1040. Manish Kumar, Dr. M. Hanumanthappa, Dr. T. V. Suresh Kumar(July 2011), Intrusion Detection System - False Positive Alert
reduction technique, from http://searchdl.org/publ ic/journals/2011/IJ NS/2/3/104.pdf.

1041. 20-6-2015, Intrusion Detection, from https://www.owasp.org/index.php/lntrusion_Detection.

1042. Kevin Timm(l0-9-2001), Strategies to Reduce False Positives and False Negatives in NIDS, from
http://www.syma ntec. com/ connect/articles/strategies-reduce-false-positives-and-fa lse-negatives-n ids.

1043. Tu Hoang Nguyen, JiaWei Luo and Humphrey Waita Njogu(2014), Improving the management of IDS alerts, from
http://www.sersc. o rg/jou rna ls/lJ SIA/vol 8_ no3_2014/38. pdf.

1044. Intrusion Detection Systems, from http://www.scribd.com/doc/7148986/lntrusion-Detection-Systems.

1045. Network Security Center Netsec, from http://www.netsec.org.sa/int_det.htm.

1046. Detecting signs of intrusion, from http://ptgmedia.pearsoncmg.com/images/020173723X/samplechapter/allench6.pdf.

References Page 1241 Certified Network Defender Copyright © by EC-Cll■Cil


All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Network Defender Exam 312-38
References
