Certified Network Defender (CND)
Step 1: Visit: https://aspen.eccouncil.org. If you have an account already, skip to Step 4.
Step 2: Click Register and fill out the registration form. Click the Register button.
Step 3: Using the email you provided in Step 2, follow the instructions in the auto-generated
email to activate your EC-Council Aspen Portal account.
Step 4: Login using your Username and Password.
Step 5: Once successfully logged in, click the eBooks icon under the Learning Resources section. It
will open the Academia page.
Step 6: Enter the access code below in the Access Code field and click the Submit button.
Access Code:
Step 7: If your Access Code is valid, scroll down and you will be able to view instructions on how
to access the Electronic Courseware, Lab Manuals, and Tools.
Support:
E-mail support is available at academia@eccouncil.org.
System Requirements:
The Academia page contains details about system requirements and how to download
the e-courseware.
EC-Council certificate (image): Instructor Name; Sanjay Bavisi, President.
You can verify authenticity of this certificate by visiting https://aspen.eccouncil.org/VerifyEval.aspx
Step 3: Click Register and fill out the registration form. Click the Register button.
Step 4: Using the email you provided in Step 3, follow the instructions in the auto-generated
email to activate your EC-Council Aspen Portal account.
Step 6: Click the Class Eval icon in the Student Services section.
Step 7: Enter the Evaluation Code (see the code below) in the Evaluation Code field and click
the Submit button.
Step 8: Fill in the Course Evaluation Form. *Note: All fields on this form are mandatory. Click
the Submit Classroom Evaluation button.
Step 9: On the Course Evaluation Submission page, click the Download Certificate of
Attendance button to download your certificate of attendance.
Copyright © 2016 by EC-Council. All rights reserved. Except as permitted under the Copyright
Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the
publisher, with the exception that the program listings may be entered, stored, and executed in
a computer system, but they may not be reproduced for publication.
Information has been obtained by EC-Council from sources believed to be reliable. EC-Council
uses reasonable endeavors to ensure that the content is current and accurate, however,
because of the possibility of human or mechanical error we do not guarantee the accuracy,
adequacy, or completeness of any information and are not responsible for any errors or
omissions or the accuracy of the results obtained from use of such information.
The courseware is a result of extensive research and contributions from subject matter experts
from the field from all over the world. Due credits for all such contributions and references are
given in the courseware in the research endnotes. We are committed towards protecting
intellectual property. If you are a copyright owner (an exclusive licensee or their agent), and if
you believe that any part of the courseware constitutes an infringement of copyright, or a
breach of an agreed licence or contract, you may notify us at legal@eccouncil.org. In the event
of a justified complaint, EC-Council will remove the material in question and make necessary
rectifications.
The courseware may contain references to other information resources and security solutions,
but such references should not be considered as an endorsement of or recommendation by
EC-Council.
Foreword
Computer networks have become more and more complex over the past few years, and so have
the threats to their security. The Certified Network Defender (CND) course focuses on helping
the administrator understand how to effectively deal with the issues that challenge the
security of a network.
This course presents a defensive stance on network security. It enhances the skills of a network
administrator to analyze internal and external network security threats, and to proactively
minimize their effect by developing the necessary security policies, designing a defense
strategy, implementing security mechanisms, and responding to security incidents in a
timely manner.
The course covers all major domains in such a manner that the reader will be able to appreciate
the way network security mechanisms have evolved over time; as well as gain insight into the
fundamental workings relevant to each domain. It is a blend of academic and practical wisdom,
supplemented with tools that the reader can readily access and obtain a hands-on experience.
The emphasis is on understanding various network security elements, updating the already
deployed security mechanisms, spotting any known or possible vulnerabilities, and hardening
security implementations using various tools. You will read about the defense mechanisms that
are most widely used such as the firewalls, IDS, digital signatures, the secure configuration of
various every-day applications, and a comprehensive set of policies that are to be enforced in
the network to secure it from network breaches.
This courseware is a resource material. Any network administrator can tell you that there is no
one straight methodology or sequence of steps that you can follow while securing a network.
There is no one template that can meet all your needs. Your network defense strategy varies
with the type of network, the security mechanisms you choose to deploy, and the resources at
your disposal. However, for each stage you choose, be it training your staff on security
awareness, identifying network threats, implementing packet filtering, deploying a honeypot,
troubleshooting the network, configuring a digital signature, or securing wireless networks, you
will find something in this courseware that you can definitely use.
Finally, this is not the end. This courseware is to be considered a 'work-in-progress', as it is
updated by adding value to it over time. You may find some aspects detailed, while others may
be brief. The yardstick used in this respect is simple: "does the content explain the
point at hand?" It would be great to hear the reader's viewpoints and suggestions. You can
send your feedback so that this courseware can become more useful.
Table of Contents
Module Number  Module Name
00  Student Introduction
    Name; Company Affiliation; Title / Function; Job Responsibility; Networking related experience; Expectations
    (Identity Card, Course Reference, Evaluation Materials)
1   Computer Network and Defense Fundamentals
7   Secure Firewall Configuration and Management
8   Secure IDS Configuration and Management
14  Network Incident Response and Management
CND Certification Achieved
Exam Code: 312-38
Availability: ECC Exam Portal
The training center / instructor will advise you about the exam schedule and voucher details.
Classroom information: Class Hours, Building Hours, Phones, Parking, Restrooms, Smoking, Meals, Recycling
Instructors WILL NOT be able to demonstrate ALL the tools in this class.
The students are required to practice with the tools not demonstrated in the class on their own.
Check if your machine has the following OSes installed (Fully Patched):
• Ubuntu Linux
• Windows 10
• Windows Server 2008
• Windows Server 2012
• NST Machine
• OSSIM Machine (OSSIM as VM)
The module briefs you on the basic concepts of computer network fundamentals, including
types of networks, network topologies, network models, and various protocols used in
computer networking.
This module will also introduce you to the fundamental concepts of computer network
defense. The module introduces you to different concepts about Computer Network Defense
(CND), including CND attributes, the different layers of CND, the CND process, etc. The aim of this
module is to provide a brief overview of basic networking concepts and help you
understand what CND comprises. These CND fundamentals are addressed here and then elaborated
on separately in subsequent modules to attain defense-in-depth (DID) network security.
A computer network is a group of computers connected to each other for easy sharing of
information and resources. The computers share information using a data path. A commonly
known computer network is the internet. Features of computer networks include:
• Allows sharing of resources from one computer to another.
• Allows storing files and other information in one computer and other computers accessing
those files and information.
• Any device connected to a computer can access the files and information stored in
another computer via the network.
The OSI model comprises seven layers, of which the top four layers are used when a
message transfers to or from a user and the lower three layers are used when a
message passes through the host computer.
OSI MODEL
Data Unit | Layer | Function
          | 7. Application | Network process to application
Open System Interconnection (OSI) is a reference model that defines the communication of
data over the network. It is a framework that portrays the flow of data from one device to
another over the network. The OSI model classifies the communication between two endpoints
into seven different groups of layers. The logic behind this division is that the
communicating user provides functions of each of the seven layers. The communication
between two users occurs as a downward flow of data through the layers of the source
computer. Then, it traverses across the network and flows upwards through the layers of the
destination computer.
• Provides a clear understanding regarding the communication over the network.
• Displays the working of software and hardware.
[Figure: OSI model, host-to-host communication. The peer layers of the two hosts (Presentation, Session, Transport, and the others) exchange data through a protocol interface; an intermediate node participates only at the lower layers.]
Each layer in the OSI model has a different level of abstraction and performs a distinct
function. The principles followed in developing the seven layers of the OSI model are as follows:
• Each layer should correspond to a different concept or level of abstraction; a layer is
created wherever a new level of abstraction is needed.
• Not all functions should be present in the same layer. The number of layers depends on
the number of distinct functions performed.
• The TCP/IP model is a framework for the Internet Protocol suite of computer network protocols that
define the communication in an IP-based network.
Application Layer: Handles high-level protocols, issues of representation, encoding, and dialog
control. Protocols: File Transfer (TFTP, FTP, NFS), Email (SMTP), Remote Login (Telnet, rlogin),
Network Management (SNMP), Name Management (DNS).
Network Access Layer: Defines how to transmit an IP datagram to the other devices on a directly attached
network. Protocols: Ethernet, Fast Ethernet, SLIP, PPP, FDDI, ATM, Frame Relay, SMDS, ARP, Proxy
ARP, RARP.
The TCP/IP protocol is a four-layered protocol developed by the Department of Defense (DOD).
Each layer in this model performs a different function and the flow of data occurs from layer 4
to 1 (in the sending machine) and from layer 1 to 4 (in the destination machine). The TCP/IP
model describes the end-to-end communication between two machines and thereby
determines the addressing, routing and transmission of the data. The four layers in the TCP/IP
model include:
• Application layer (Layer 4): Provides data access to applications.
• Transport layer (Layer 3): Manages host-to-host interactions.
• Internet layer (Layer 2): Provides internetworking.
• Network Access layer (Layer 1): Provides communication of data present in the same
network.
The Internet layer performs internetworking by sending data from the source network to the destination
network. The functions performed by the Internet layer are as follows:
• Packet routing
The Internet layer is wholly responsible for managing the TCP/IP protocol framework. With this
protocol, the sequence of the packets received at the destination network may differ from the
sequence of the packets sent from the source network. IP, ICMP, ARP, and RARP are the protocols
used in this layer.
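The layered flow described above (downward through the sender's layers, upward through the receiver's) is easiest to see by peeling a real frame apart in the order the destination machine does it: Network Access, then Internet, then Transport, then Application. The following Python script is an added example and is not part of the EC-Council courseware; the frame it decodes is constructed inline (a TCP SYN from 192.168.1.1 to 192.168.1.2 port 443 carrying six payload bytes, with checksums left at zero), and it rejects truncated or malformed headers instead of reading past them, which is the check a packet-inspection tool needs before it trusts any field.

```python
import struct

# Constructed sample frame (not captured from any real network): Ethernet II header,
# a minimal 20-byte IPv4 header, a 20-byte TCP SYN header, and a 6-byte payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "0066778899aa" "0800"                     # Ethernet: dst MAC, src MAC, EtherType IPv4
    "45" "00" "002e" "0000" "4000" "40" "06" "0000"          # IPv4: ver/IHL, TOS, total length 46, ID, DF, TTL 64, proto 6, checksum (0: not computed)
    "c0a80101" "c0a80102"                                    # IPv4: src 192.168.1.1, dst 192.168.1.2
    "c350" "01bb" "00000001" "00000000" "5002" "ffff" "0000" "0000"  # TCP: sport 50000, dport 443, seq 1, ack 0, offset 5, SYN, window 65535
    "68656c6c6f21"                                           # Application payload: b"hello!"
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5 of the flags field

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_ethernet(frame):
    """Layer 1 (Network Access): strip the 14-byte Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"layer": "Network Access", "dst_mac": mac_str(dst),
            "src_mac": mac_str(src), "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(data):
    """Layer 2 (Internet): IPv4 header with variable IHL; honour the declared total length."""
    if len(data) < 20:
        raise ValueError("datagram too short for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("malformed IPv4 header")
    return {"layer": "Internet", "src_ip": ".".join(map(str, src)),
            "dst_ip": ".".join(map(str, dst)), "ttl": ttl, "protocol": proto,
            "payload": data[ihl:total_len]}           # trailing bytes beyond total_len are padding

def parse_tcp(segment):
    """Layer 3 (Transport): TCP header; the data offset gives the header length in 32-bit words."""
    if len(segment) < 20:
        raise ValueError("segment too short for a TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or len(segment) < header_len:
        raise ValueError("malformed TCP header")
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"layer": "Transport", "src_port": sport, "dst_port": dport, "seq": seq,
            "ack": ack, "flags": flags, "window": window, "payload": segment[header_len:]}

def decode_frame(frame):
    """Walk the TCP/IP layers bottom-up, as the receiving host does; one dict per layer."""
    layers = [parse_ethernet(frame)]
    if layers[-1]["ethertype"] != 0x0800:   # e.g. ARP (0x0806) never leaves the Network Access layer
        return layers
    layers.append(parse_ipv4(layers[-1]["payload"]))
    if layers[-1]["protocol"] == 6:          # 6 = TCP; other transports are left undecoded here
        layers.append(parse_tcp(layers[-1]["payload"]))
        layers.append({"layer": "Application", "payload": layers[-1]["payload"]})
    return layers

if __name__ == "__main__":
    for layer in decode_frame(SAMPLE_FRAME):
        print({k: v for k, v in layer.items() if k != "payload"})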
• It functions independently.
• It consists of many routing protocols.
• Initiates a connection between two computers.
• Disadvantages of the TCP/IP model:
• Complex to set up.
OSI Model
The main aim behind implementing the OSI model is to standardize and ease the
communication between the communicating parties using certain standard protocols. It
generalizes the communication between the computers in terms of layers. The OSI model has
seven layers. In this model, each layer serves the layer above it, which means that the
working of each layer depends on the layers below it.
TCP/IP Model
TCP/IP remains the basic protocol for communication. The TCP/IP protocol finds its
application either in an intranet or in an extranet. TCP/IP consists of four layers, of which
the upper layers manage the assembling of the packets into the original message and the lower
layers manage the address part of each packet and forward it to the right destination.
These networks may differ in many ways, for example by size, by function, or by
geographical distance. The services provided by the networks differ according to the layout of
the networks.
Networks that differ by size depend on the area occupied by the network and the number
of computers present in the network. The computers in a network can vary from one single
computer to millions of computers. The different networks, based on the size of the area
they cover, are:
• Local Area Network (LAN)
• Wide Area Network (WAN)
• Metropolitan Area Network (MAN)
• Personal Area Network (PAN)
• Campus Area Network (CAN)
• Global Area Network (GAN)
Local Area Network (LAN)
A LAN consists of computers and related devices that share information over the same
communication line. A LAN may extend only within an office building or home and can
handle hundreds of users. The two commonly used LAN technologies are Ethernet and Wi-Fi.
Virtual LANs enable network administrators to provide a network connection
to a group of nodes. A LAN enables the use of many application programs, and users can
obtain those applications by simply downloading them from the LAN. Wireless LANs are becoming
much more popular because of their greater flexibility and lower cost when compared to
wired LANs.
[Figure: LAN with several computers connected to each other.]
• Advantages:
• Allows sharing of printers between the computers at home or office.
• LAN provides the users the privilege to work from any system in the LAN.
• Allows storage of files in a single folder and sharing it between the users on the
network.
• Disadvantages:
• As it provides file sharing facility, it requires separate security measures to restrict
access to certain files and folders.
• Any small issue in the file server can affect all the users on the server machine.
Wide Area Network (WAN)
A WAN is spread over a larger geographical area and is more far-reaching than a LAN. WANs
usually connect the nodes in the network using leased telecommunication lines. These lines
assist in carrying the information efficiently across the various computers in the network. WANs
can connect different LANs in a network. Most often, public networks are connected to the
wide-area network. LANs connect to WANs for quick and secure transfer of data. However,
WANs require a group of authorities to manage them.
• Features of WAN:
• WAN networks generally provide larger and dedicated network services. They always try
to meet the services according to business requirements.
• WANs have a lower data transfer rate when compared to the transfer rate of a LAN.
[Figure: WAN connecting several geographically separate sites.]
• Advantages:
• A WAN connects places that are geographically apart from each other without high
cost or difficulty in implementation.
• Disadvantages:
• Very complex in structure.
• Provides only lower bandwidth and has a higher risk of losing the connections.
Metropolitan Area Network (MAN)
• Advantages:
• The links connecting the computers in a MAN have a much higher bandwidth, allowing
for easy sharing of data.
• Allows multiple users to share the data at the same speed.
• Disadvantages:
• Requires installation before it can be deployed for the first time.
• Costly when compared to LANs.
Types of Networks (Cont'd)
[Figure: transmission of data through short-range radio waves between wireless-enabled devices.]
• Cost-effective.
• Resistant to failure.
• The campus area network is highly flexible to the changes of an evolving network.
A GAN enables transfer of data from one point to another even when they do not connect
directly with each other. The points can connect using a central server, or each point can
pass the data on to the next point until it reaches the destination.
The GAN supports mobile communication for a number of wireless LANs. Broadband GAN (BGAN) is
the most commonly used GAN. The BGAN uses portable terminals to connect computers
located at different locations to the internet.
• Advantages of GAN:
• A GAN allows the interconnection of multiple networks and enables proper sharing of
data without tampering with it.
• Enables the storage of files in a central server, thereby allowing easy access to files
across different networks.
• A GAN enforces security on access to these files by imposing access restrictions.
• Network topology is a specification that deals with a network's overall design and the
flow of data in it.
Types of Topology
• Physical Topology: physical layout of nodes, workstations and cables in the network
• Logical Topology: the way information flows between different components
Network Topologies (Cont'd)
[Figure: Linear Bus, Mesh Topology, Star Topology, Ring Topology and Tree Topology; the tree example shows a server, a router, a printer and an Internet connection.]
The logic of connecting computers over the network is possible using topologies. The topology
defines the structure of a network and determines the physical or logical layout of the network.
The physical topology defines the structure of the components of the computer systems,
whereas the logical topology defines the method of the flow of data in the network between
the computers.
Various topologies available are:
Star Topology
Star topology consists of a central node (hub) connected to other computers in the network
using a cable. Each node or computer in the network connects individually to the central node.
Adding nodes to the star network is an easy task. Any damage to the connection between any
node and the central node does not affect the working of the other nodes in the network. But,
any damage to the hub can affect the star structure.
Here, the central node or hub acts as the server and the attached computers act as the clients.
All data to the respective nodes passes through the central node or hub. The hub acts as the
intersection for connecting all nodes present in the star network. The hub can connect to the
hubs of other networks and act as a repeater or a signal booster. The computer nodes connect
to the hub using unshielded twisted pair Ethernet cable. The following factors determine
whether the hub is active or passive:
• The central node or hub performing processes like data amplification, regeneration, etc.
• The central node regulates the movement of the data.
[Figure: star topology with several nodes connected to a central hub.]
• Advantages:
• Enables centralized management of the network through the central node or hub.
• Enables easy addition and removal of other computer nodes to the star network.
• Failure of one computer node does not make any impact on the rest of the nodes in
the network.
• Enables easy detection of failures and errors in the network. This allows for finding
better methods to solve the issue.
• Disadvantages:
• Using routers or switches as the central node increases the cost of implementing the
network.
• The addition of new nodes to the network depends on the capacity of the central
node.
Bus Topology
Here, a single cable handles all the computers in the network. The single cable carries all the
information intended for all nodes in the network. Any damage to the connection between any
node and the main cable can affect the passage of data over the cable.
In the bus topology, the network broadcasts the signal sent by any node. The broadcasting of
the signal allows the signal to reach all the nodes attached to the cable. The node having an IP
and MAC address the same as given in the signal accepts it, while the other nodes reject
the signal. Every cable in the bus network has a terminator attached to both ends of the
cable. The terminator helps in preventing the signals from bouncing: it captures the signals
reaching the end of the cable. Signal bouncing can cause the signals to bounce back in the
direction from where they came. If two signals bounce back at the same time from opposite
directions, this can cause a collision of the signals.
There are two types of bus topologies: linear and distributed bus topology. In a linear bus
topology, there is only a single line attached to two end points. A distributed bus
topology can have more than one linear pattern attached to the network.
[Figure: bus topology with several nodes attached to a single cable.]
• Advantages:
• Disadvantages:
• Any issue in the main cable can affect the whole network.
• As all nodes receive the signal sent from the source, it affects the security of the
network.
Ring Topology
A ring topology connects all nodes in the network. The data circulates in the network until the
intended recipient accepts the data. Any damage to any of the nodes can affect the whole ring
network. The data travels on the network in one direction. The sending and receiving of data
takes place with the help of a TOKEN. In the token concept, the source sends the data along
with another piece of information and then passes the TOKEN to the next node.
Each node checks if the signal is for itself. If yes, it receives the signal and passes the empty
TOKEN to the network. Otherwise, the node passes the TOKEN to the next node. Only those nodes
having the TOKEN can send data. Other nodes need to wait until they receive the empty
TOKEN. Usually, schools, offices, and small buildings make use of the ring topology.
[Figure: ring topology with nodes connected in a closed loop.]
• Advantages:
• Disadvantages:
• Slow process as the signals need to pass through each node in the network.
• Any issue in any one of the nodes can affect the entire network.
• Needs a large amount of cabling to connect the network nodes, which
increases the cost of implementation.
Mesh Topology
In a mesh topology, all the nodes or computers in the network connect with each other. The design
ensures the passage of data between every computer even if any one computer fails. Each node in
the network sends its own data to other nodes as well as passing on the data from other nodes. However,
the mesh topology does not find much use in organizations due to its huge cost of
implementation; it is widely used in wireless networks.
[Figure: mesh topology with every node connected to every other node.]
• Full Mesh Topology: All the nodes connect with each other in the network. If any node
failure occurs, the full-mesh topology can redirect the traffic from that particular node to
another node.
• Partial Mesh Topology: Here, only very few nodes connect to all nodes in the network,
while other nodes connect only to one or two other nodes. Due to this fashion of
connecting to very few nodes, the partial-mesh topology is far less costly and minimizes
the redundancy of many connections.
Mesh topology uses either of the two technologies: Routing or flooding. In the routing process,
the topology makes the message transmit through a path between the nodes. In order to
ensure continuous transmission of data between the nodes, the topology needs to ensure that
all connections between the nodes are proper and not broken.
• Advantages:
• Disadvantages:
• Consumes more time for set-up and needs more administrative attention.
Tree Topology
The tree topology is a combination of a bus topology and a star topology: it consists of a
main cable line attached to star networks. In the tree topology,
many star topologies connect to the central transmission cable. Another name for this model is
"extended star topology".
• Advantages:
• Tree topology finds its usage in scenarios where it is difficult to implement the star
and bus topology.
• Design of the star topology in the layout enables an easy management of the nodes.
• Failure of one of the star networks does not affect the working of the other networks.
• Disadvantages:
• Any damage to the main transmission cable can damage the whole topology or
network.
• Even though the tree topology enables easy expansion of the network, it becomes
difficult to manage all the nodes and segments of the network as a whole.
• The rate of expansion depends solely on the type of main cable used.
Hybrid Topology
The hybrid topology combines the characteristics of two or more topologies. Hybrid topologies are mainly
used in wide area networks. An organization implements a hybrid topology according to its
requirements. For example, if one section of an organization needs a bus
topology while another section needs a ring topology, the organization can implement both
using a hybrid topology, which combines multiple topologies into a single large
topology.
• Advantages:
• Provides error detection and correction without affecting the working of the other
section of the network.
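The availability claims made for each topology above (a star survives a station failure but not a hub failure, a bus dies with its cable, a ring degrades when any node drops, a full mesh tolerates node loss, a tree isolates one star's failure but loses inter-star traffic when the main cable fails) can be checked rather than memorised. The Python script below is an added example, not courseware from EC-Council: it models each topology as a graph with a constructed set of four stations (and, where the text describes one, an explicit hub or cable element), removes one element, and reports the fraction of station pairs that can still exchange data. The ring is modelled with one-way links to match the text's description of unidirectional token passing; the scenario names and the four-station sample are assumptions of this example.

```python
from collections import deque

def undirected(edges):
    """Adjacency sets for an undirected graph; every link is usable in both directions."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def star(stations):
    """Every station links only to the central node 'hub'."""
    return undirected([("hub", s) for s in stations])

def bus(stations):
    """The shared cable is modelled as a node 'cable' so that a cable fault can be simulated."""
    return undirected([("cable", s) for s in stations])

def ring(stations):
    """Token ring: data travels in one direction only, so the links are directed."""
    graph = {s: set() for s in stations}
    for i, s in enumerate(stations):
        graph[s].add(stations[(i + 1) % len(stations)])
    return graph

def full_mesh(stations):
    """Every station links directly to every other station."""
    return undirected([(a, b) for i, a in enumerate(stations) for b in stations[i + 1:]])

def tree(groups):
    """Main cable with one star (hub0, hub1, ...) per group of stations: the 'extended star'."""
    edges = []
    for k, stations in enumerate(groups):
        hub = f"hub{k}"
        edges.append(("cable", hub))
        edges.extend((hub, s) for s in stations)
    return undirected(edges)

def reachable(graph, start, failed):
    """Breadth-first search that never enters a failed element (hub, cable or station)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def connectivity(graph, stations, failed=frozenset()):
    """Fraction of ordered pairs of surviving stations that can still exchange data (1.0 = all)."""
    alive = [s for s in stations if s not in failed]
    if len(alive) < 2:
        return 0.0
    paths = sum(1 for a in alive for b in alive
                if a != b and b in reachable(graph, a, failed))
    return paths / (len(alive) * (len(alive) - 1))

def failure_report(stations=("A", "B", "C", "D")):
    """Connectivity left after one constructed single-element failure, per topology."""
    stations = list(stations)
    groups = [stations[:2], stations[2:]]          # two stars of two stations for the tree
    scenarios = {
        "star, station A down": (star(stations), {"A"}),
        "star, hub down": (star(stations), {"hub"}),
        "bus, cable fault": (bus(stations), {"cable"}),
        "ring, station B down": (ring(stations), {"B"}),
        "full mesh, station A down": (full_mesh(stations), {"A"}),
        "tree, hub0 down": (tree(groups), {"hub0"}),
        "tree, main cable fault": (tree(groups), {"cable"}),
    }
    return {name: round(connectivity(g, stations, failed), 3)
            for name, (g, failed) in scenarios.items()}

if __name__ == "__main__":
    for scenario, fraction in failure_report().items():
        print(f"{scenario:28s} {fraction:.3f}")
```

A value of 1.0 means the failure was invisible to the remaining stations; 0.0 means the single point of failure (the hub or the cable) took the whole segment down. The ring result of 0.5 shows why the text says one damaged node "can affect the whole ring network": with one-way token passing, every station upstream of the failure loses its path.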
Network Interface Card: It allows the computers to connect and communicate with the network.
Hub: It is used to connect segments of a LAN. All the LAN segments can see all the packets.
Switch: It is similar to a hub. However, no equipment in the LAN segment can see the packets
except the target node.
Router: It receives data packets from one network segment and forwards them to another.
Network Interface Card (NIC)
• Advantages:
• A network interface card does not have to be fixed with a physical cable.
• The NIC is used to send the data as well as receive the data.
Repeater
Repeaters are network devices that are generally used for the restoration or repetition of a
signal. Repeaters can restore analog and digital signals degraded by transmission loss.
Repeaters can only amplify analog signals, whereas with a digital signal a repeater can
restore the signal to its original quality. Repeaters can also pass data between various
subnetworks carrying different protocols.
• Telephone Repeater: Helps in increasing the telephone signal range on telephone lines.
The repeater finds its application in the trunk lines carrying long distance calls. The
telephone signal line, made of a pair of wires, includes an amplifier circuit that uses
power from direct current (DC) to increase the power of the alternating current (AC)
audio signal on the line.
• Optical Communications Repeater: These mainly increase the signal strength in fiber
optic cables. These cables carry digital information in the form of short pulses of light. The
light is made up of particles called photons.
• Radio Repeater: Increases the signal strength of radio signals. The radio repeater
amplifies and retransmits the radio signals using a radio receiver connected to a radio
transmitter.
A normal LAN implementation usually limits the physical size of the single cable segment
according to the physical medium and the techniques used for transmission. The repeaters play
an important role in constructing a network that exceeds the size of the single, physical, cable
segment. The LAN implementation determines the number of repeaters that can be used. The
repeaters used between two or more cables require the need of the same physical layer
protocol in order to send the signals over all the cable segments.
• Advantages of Repeaters:
• Repeaters are the devices that augment the traffic on the network and sometimes
transmit errors. There is a limit on the number of repeaters used across a network.
• Users cannot monitor or inspect the repeaters through an inaccessible area and these
devices do not have the facility to separate or filter the traffic.
• Repeaters can augment the traffic on the network and have a restriction of the
quantity deployed across a network.
Hub
A hub is a network device used to connect multiple network devices or segments of a LAN. The
main activity of the hub is to forward the data arriving from one device to another device or
port. The hub requires fiber optic Ethernet cables in order to connect various devices. Some
hubs even work as a repeater that helps in amplifying the signals. The hub remains a common
point of connection for many devices in the network. It can contain multiple ports.
Upon the arrival of a packet at any port, every other port receives a copy of the packet, thus
enabling all LAN segments to view packets. A hub provides a sequence of ports to connect the
network cables. The smallest hub can connect four computers to a network, with an extra
port to uplink to other hubs in the network. Hubs vary according to their size and have up
to 12, 16, or 24 ports.
• Types of hubs include:
• Passive Hubs: Passive hubs do not boost the signal strength of the data prior to
transferring the data packets, but act only as a means to transfer data between the devices
in the network.
• Active Hubs: Active hubs strengthen the signal prior to transferring it to other devices
in the network, like a repeater. An active hub has multiple ports and is called a multiport
repeater.
• Intelligent Hubs: Intelligent hubs are business-critical hubs providing additional
features. They are stackable, with units added on top to minimize space.
• Switching Hubs: Switching hubs inspect the destination address of every data packet
before transferring it to the specified destination port.
• Repeater Hubs: Repeater hubs relay all inbound traffic. Active (or switching) hubs, by
contrast, transmit only the data addressed to a specific host, which makes the segment
safer against sniffer software and also improves performance. Certain hubs offer
security at the MAC level (connecting only the identified MAC addresses to specified
ports). Present-day hubs can also build VLANs (virtual LANs) that assemble specific ports
into a virtual network that is not visible to other ports.
• Advantages:
• Every port can make maximum use of the bandwidth without the use of CSMA/CD.
• Hubs managed by SNMP provide tools and statistics for better management.
• Hubs make use of the available cables along with other network elements.
• Hubs help to route the network traffic and prevent the crashing of networks. They can
also combine relatively slow Ethernet devices with those of higher speeds, which
facilitates the addition of devices of varying speed.
• Disadvantages:
• Data transfer rates decrease substantially as the number of connected devices increases.
[Figure: A hub connecting a Server, PCs and a MAC on a LAN]
Switches
A networking switch is the fundamental device in a wired or wireless LAN. It receives signals
from each terminal on the network through Ethernet cables in a wired network and through
an antenna emitting radio waves in a wireless LAN. In both cases, the networking switch sends
traffic across the LAN, permitting the computers to communicate with each other and share
resources. All computers residing in the LAN should contain a NIC. This card assigns a
distinctive MAC address to the machine in which it is installed. A wired NIC accepts an
Ethernet cable, which runs to a port on the back of the networking switch. If the NIC is
wireless, the card has a small antenna in place of an Ethernet port. The antenna sends signals
to the wireless networking switch, which also hosts an antenna rather than ports. Whether
wireless or wired, the networking switch acts as a relay, analyzing traffic packets as they
arrive from the various machines and sending the packets to the destination MAC address.
A transmission mode defines the direction of a signal or flow of information between two
interconnected devices. Simplex mode, half-duplex mode and full-duplex mode are the types of
transmission mode. In simplex mode, information flows only in one direction, i.e., from sender
to receiver. In half-duplex mode, data flows in both directions, but only in one direction at a
time: both stations can send and receive data, but not at the same time. Full-duplex mode
transmits data in both directions at the same time.
• Switch Functions:
A networking switch functioning in full-duplex mode allows a machine on the LAN to receive
and send data simultaneously. This is quicker than a networking hub, an alternative device
that serves the same function as a switch but operates in half-duplex mode, allowing each
machine either to send or to receive at any given time. Another distinct difference between a
networking switch and a hub is that the switch sends traffic packets only to their destination
addresses, whereas a networking hub sends all traffic on the network to all nodes, and the
filters within each machine decide whether to accept or reject the packets. This practice
makes a hub network vulnerable to eavesdropping. Network switches are low-priced devices,
but the price varies with the number of ports. For those using a cable modem or a DSL
service, a broadband router with a built-in switch and firewall can replace the stand-alone
networking switch.
• Advantages:
• A networking switch is not infallible, as an attacker can mislead it, enabling the use of
packet sniffers.
[Figure: How a switch works. Data is sent by one node; data is forwarded only to the destination node]
Routers
Routers are more complicated devices than repeaters and bridges. Routers can access network
layer addresses and have embedded software that helps them identify the exact destination
address. A router looks at the multiple paths available between the addresses and selects the
channel that is appropriate for the transmission of data.
• Router Functions:
Routers function in the physical, data link, and network layers of the OSI model. Routers
transmit packets among several interconnected networks, sending packets from one network
to the important destinations in another. A packet sent from one destination to another
travels through the router first and then moves on to the other destination in the network.
The destination router in turn transmits the packet until it reaches the final destination.
Routers behave as stations on the network, but unlike ordinary stations, routers hold
addresses on, and connect to, more than two networks simultaneously.
When a router receives a packet in an interconnected network, it reads the address and
sends the packet to the destination address. If it does not find the corresponding address in
the network, it can forward the packet to the next connected network based on the best
options available. After identifying the appropriate route for the packet, the router transmits
the packet along the correct network towards other networks. If the route proves
inappropriate, it sends the packet to the surrounding network or the adjacent router to select
the next best path.
A router maintains a routing table holding the paths through which routing occurs, which
also minimizes the excess cost of routing across the network. Static routing is a type of routing
in which the network administrator controls the entire routing process. Routing includes
concepts such as least-cost routing, which shows the most economical paths allotted for
routing, i.e., selects the shortest available path. Shortest, in routing terms, also implies a path
that is secure and fast. Some routers also route packets across networks that use more than
one protocol.
Routers can connect different networks such as a LAN and a WAN to broadcast data. They are
devices that prevent the collision of data during a broadcast. Sometimes routers also act like
other devices such as bridges, which can broadcast packets for a single protocol or a group of
protocols. When a router receives packets from a multi-protocol router, it checks the packets
(whether they match the configured protocols) and then sends them on depending on the
network layer addresses. Routing includes concepts such as least-cost routing, which shows
the paths allocated for routing and sends data along the shortest path available.
• Advantages:
• The security issue that routers face is that their security controls are not very efficient,
which can lead to compromise of the system.
• Routers cause long delays in initializing sessions for protocols such as FTP.
• Check the following aspects before starting transmission through routers:
• Internal addresses.
• External addresses.
• Routers introduce overhead, as they are not capable of separating the sent packets.
[Figure: Routers interconnecting Ring and Bus network segments]
Bridges
A bridge filters traffic at network boundaries. Bridges read the MAC address of each frame
(data packet) and forward data to the addressed destination device. Bridges are logical
devices that can keep each segment's traffic separate. By segmenting the traffic, bridges
prevent network congestion and segregation problems in the network traffic. Bridges operate
in the data link layer of the OSI model. A bridge maintains a database of MAC addresses located
in a segment and permits only data frames addressed to that location, while blocking
unauthorized frames from entering the segment. When a data frame reaches a bridge for
transmission, the bridge regenerates the signal, finds the address of the destination, and then
sends the copy only to the appropriate network segment.
Bridges contain a table called a 'look up' table that holds the physical addresses of all the
workstations linked to the bridge. The table indicates which segment each workstation
belongs to. When a bridge comes across a packet of data, it checks the address and looks for
the matching address in the table. After matching, it works out which network segment the
packet belongs to and sends the packet to the appropriate segment. Bridges use the MAC
address to make decisions on relaying network packets. They also act as filters, determining
whether they have to relay the packets to a segment or not.
• Transparent Bridging:
Bridges build a routing table and check whether a packet's destination address matches an
entry in that table. If the address does not match, the packet is sent to all devices in the
network except the source, to identify the correct destination for the packet. A system with a
transparent bridge must satisfy three criteria:
• Each station should forward the frame from one station to another.
• Loop Problem:
Transparent bridges work efficiently if no redundant bridges exist in the network. If two
LANs are connected via two bridges, then a potential loop exists in the network.
• Source Bridging:
The packets will have path information inserted into them in order to know the route.
Like switches, bridges are also efficient at learning the MAC addresses of all connected
clients, peripherals, and servers. Traditional bridges provide connectivity from one workgroup
to another. Multiport bridges connect two network segments with each other. Bridges inspect
data link layer information in the network signal. Bridges are fitted with network filters,
which let them read the source address, packet size, or type of protocol. These devices are
simple to install on the network and efficient at regulating traffic.
Gateways
Gateways act as an entry point for other networks that try to connect to an internal network.
In the same way, they act as an exit point for an internal network that tries to connect to
external networks. A gateway can be a workstation or server that provides two-way
communication between networks and expands its reach. Gateways are supported at the
application and transport layers of the OSI model. They are capable of connecting devices that
have different protocols and environments. They convert between differing protocols by
assigning matching protocols to the packets, and are therefore called protocol translators. If
gateways have to connect or communicate between two different network architectures, they
restructure and convert the data from one environment to the other. Gateways are task
specific. They cannot filter data and can sometimes transmit malicious packets without
filtering. There are two types of gateways:
• Transport Gateways:
• They are capable of connecting different devices using a connection-oriented
transport protocol.
• Application Gateways:
• They are intelligent components that can understand the format/contents of the data
before permitting transmission.
Domain Name System (DNS) is a distributed hierarchic database that maps URLs to IP addresses
The domain name system (DNS) converts host names and internet domains to IP addresses
and vice versa. The domain naming system finds its application in TCP/IP networks. The DNS
service converts the DNS name entered by the user to its corresponding IP address. For
example, the DNS service converts the domain name www.Example.com to the IP address
192.105.232.4.
• Forward DNS lookup: requests containing names and resulting in an IP address.
• Reverse DNS lookup: requests containing IP addresses and resulting in names.
The DNS consists of a database distributed across various computers. The databases hold the
names and IP addresses of hosts and domains. The clients in these scenarios are web
browsers. When a web browser sends a request such as an internet host name, the DNS
resolver determines the server's IP address using the DNS server. The DNS resolver forwards
the request to several other DNS servers if it does not obtain the desired mapping from the
requested DNS server.
[Figure: DNS packet header format, showing the IP header (Ver., H. Len., TOS, Packet Length), the UDP header (Source Port, Destination Port) and the DNS flag bits: QR 0 = Query, 1 = Response; AA 1 = Authoritative Answer; TC 1 = Truncation; RD 1 = Recursion Desired; RA 1 = Recursion Available]
The DNS packet header format consists of three sections, namely the IP header, the UDP header
and the DNS data. Each section has different fields and different uses, as described below:
• IP Version (4 bits): There are two types of IP packet and addressing, IPv4 and IPv6. This field
specifies the current IP protocol version. It is always set to 4.
• Header Length (4 bits): Length of the IP header in 32-bit words, including IP options if
any. The minimum value of the IP header length is 5.
• Type of Service (TOS) (8 bits): Provides quality of service features. The first three bits are for
IP precedence, 4 bits for TOS and the last bit is left alone (not used).
• Total Length (16 bits): Specifies the length of the IP datagram in bytes. It includes the
length of the header and the data.
• Identification (16 bits): Identifies the fragments of one datagram from those of another.
• Time-To-Live (TTL): It defines the lifetime of the IP datagram in the internet system. The
TTL field is initially set to a number and decremented by every router. When the TTL
reaches zero, it discards the datagram (Packet).
• Protocol (8 bits): Identifies the next encapsulated protocol that sits above the IP layer.
• Header Checksum (16 bits): Identifies the errors during IP datagram transmission and
calculated based on the IP header.
• Source/Destination port numbers: DNS servers listen on port 53. The first packet of
any exchange always includes 53 as the UDP destination port. The source port is a
random port that varies considerably.
• Query ID: Unique identifier also termed as transaction ID, created in the query packet
that is left intact by the server sending the reply. It helps in matching the answers with the
awaiting questions.
• QR (Query / Response): Set to "0" for a query by a client, "1" for a response from a
server.
• Opcode: Set by the client to "0" for a standard query.
• TC (Truncated): Set to "1" in a server response if the answer cannot fit in the 512-byte
limit of a UDP packet response. Indicates the message was truncated.
• RD (Recursion Desired): Set in a query to indicate that the query should be pursued
recursively. The client sets it to 1 if it wishes the server to perform the entire lookup of the
name recursively, or 0 if it just wants the best information the server has.
• RA (Recursion Available): A bit that is set (1) or cleared (0) in a response, indicating
whether recursion is available.
• Z (Reserved): This is reserved and must be zero.
• Question record count: Indicates the number of DNS queries in the questions section.
• Answer count: Set by the server, these provide various kinds of answers to the query
from the client.
• Authority count: Indicates the number of name server records in the authority record
section.
• Additional record count: Indicates the number of resource records in the additional
records section.
• DNS Question/Answer data: Holds the question/answer data referenced by the count
fields above.
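The header fields and flag bits listed above, as an added example (not code from the EC-Council courseware): a small Python parser for the DNS header, the question name and the first A answer, together with the checks a resolver applies before accepting a reply (transaction ID match, QR set, Z zero, TC handling). The query and response bytes and the transaction ID 0x1a2b are constructed for illustration; the answer address is the 192.105.232.4 used in the text.

```python
import struct

# Constructed sample query (not captured traffic): standard query, RD=1, www.example.com / A.
SAMPLE_QUERY = bytes.fromhex(
    "1a2b"       # Query ID (transaction ID), chosen arbitrarily
    "0100"       # flags: QR=0 Opcode=0 AA=0 TC=0 RD=1 RA=0 Z=000 RCODE=0
    "0001"       # QDCOUNT = 1 question
    "0000"       # ANCOUNT
    "0000"       # NSCOUNT
    "0000"       # ARCOUNT
    "03777777076578616d706c6503636f6d00"   # 3"www" 7"example" 3"com" 0
    "0001"       # QTYPE = A
    "0001"       # QCLASS = IN
)

# Constructed response: same ID, QR=1 RD=1 RA=1, one answer (0xc00c = pointer back to the
# question name, type A, class IN, TTL 3600, RDLENGTH 4, RDATA = 192.105.232.4).
SAMPLE_RESPONSE = (
    bytes.fromhex("1a2b" "8180" "0001" "0001" "0000" "0000")
    + SAMPLE_QUERY[12:]
    + bytes.fromhex("c00c" "0001" "0001" "00000e10" "0004" "c069e804")
)

def parse_dns_header(data):
    """Split the 12-byte DNS header into the fields described in the text."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,         # answer did not fit in the 512-byte UDP limit
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 0x7,        # reserved, must be zero
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def skip_name(data, offset):
    """Return the offset just past a name; a 0xC0 label is a 2-byte compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length

def parse_question(data):
    """Decode the first question as (name, qtype, qclass); a query name uses no pointers."""
    labels, offset = [], 12
    while data[offset] != 0:
        length = data[offset]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype, qclass = struct.unpack("!HH", data[offset + 1:offset + 5])
    return ".".join(labels), qtype, qclass

def first_a_record(response):
    """Walk past the questions and return the IPv4 address of the first A answer, or None."""
    hdr = parse_dns_header(response)
    offset = 12
    for _ in range(hdr["qdcount"]):
        offset = skip_name(response, offset) + 4          # name + QTYPE + QCLASS
    for _ in range(hdr["ancount"]):
        offset = skip_name(response, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in response[offset:offset + 4])
        offset += rdlen
    return None

def check_response(query, response):
    """Checks a resolver applies before accepting a reply; returns a list of problems found."""
    q, r = parse_dns_header(query), parse_dns_header(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction ID does not match the outstanding query")
    if r["qr"] != 1:
        problems.append("QR bit is 0: this is not a response")
    if r["z"] != 0:
        problems.append("reserved Z bits are not zero")
    if r["tc"]:
        problems.append("TC set: answer truncated at 512 bytes, retry over TCP")
    if q["rd"] and not r["ra"]:
        problems.append("recursion was desired but the server does not offer it")
    return problems
```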
[Figure: Application layer protocols running over TCP: FTP (File Transfer Protocol), Telnet, SMTP (Simple Mail Transfer Protocol), HTTP (Hypertext Transfer Protocol)]
Functions of TCP
• TCP acts as an interface between the application and the internet protocol.
• TCP identifies the cases of packet loss and duplication due to network congestion, traffic
load balancing and other irregular activities in the network.
TCP always uses an acknowledgement for every packet sent and received. In this technique, the
receiver needs to respond using an acknowledgment to the data it receives. The sender
maintains a record of the packets it sends and keeps a timer in order to manage the packet
transmission. The timer helps in cases where the packets are lost. The acknowledgement
technique actually confirms the arrival of each packet of data in the correct order.
TCP Services
TCP is a connection-oriented protocol that provides flow control and consistent data delivery
services. Consistent data delivery services are mandatory for applications such as file transfers,
database services and other services. TCP depends on IP for consistent delivery of packets.
The application layer is responsible for handling the TCP connection between the two hosts
over the network. TCP provides the following services to the application layer:
• Simplex transmission: Only one user can transmit data at a time and only in one direction.
Both parties involved in the transmission need to use the same frequency. For example, in
TV and radio, the signals transmit only in one direction (from transmitter site to several
receivers.)
Most of the TCP connections are duplex which means that it allows the data to flow in both
directions. Simplex mode, full-duplex mode and half-duplex modes are different types of
transmission modes that determine the flow of information between two communicating
devices.
TCP Operation
The overall operation of the TCP describes the method of how the Transport Control Protocol
manages the connections between two communicating parties. The TCP provides functions
such as data handling, flow control and reliability in data transmission. These functions are
possible only in the presence of a proper and consistent connection. The criteria to identify the
two communicating parties are as follows:
• Sender's IP address
• Receiver's IP address
[Figure: Encapsulation from Source to Destination: the IP header and data are carried inside a frame (Frame Header, IP Header, Data, Frame Trailer) on each hop]
A consistent TCP connection can be established using the sliding window, sequence numbers,
acknowledgements and synchronization.
• Sliding Window: The TCP segment has a Window size field that represents the amount of
data the receiver can accept. A window size of zero means that it cannot accept any data from
the sender. A non-zero window size means that it is ready to accept data from the sender.
The sender needs to maintain a window that tracks the unacknowledged data and the amount
of data it can still send to the receiver.
[Figure: Sliding window over byte sequence numbers 10 11 12 | 13 14 15 | 16 17 18 | 19 20 ..., with the usable window marked]
• The window size of the receiver is 6, which means the receiver can accept 6 bytes of
data.
• Here, bytes 13 to 15 have not yet received an acknowledgement from the receiver.
[Figure: Three-Way Handshake between Host A and Host B over time: Host A sends SYN; Host B replies (Seq=300 ack=101 ctl=SYN,ack) and enters SYN Received; Host A replies (Seq=101 ack=301 ctl=ack) and the connection is Established]
• The client sends a request to the server with the SYN flag set in order to establish a connection.
• The server accepts the request and sends an acknowledgement to the client along with the
SYN flag.
• The client receives the SYN + ACK from the server and sends an ACK to the server.
The above steps establish the connection between the client and the server. They can then
send data, as each is aware of the other's sequence and acknowledgment numbers.
[Figure: TCP header format (0-31 bits), including the TCP Checksum (16 bits) and Urgent Pointer (16 bits) fields]
TCP breaks the data into packets and adds a header to every data packet, creating a TCP
segment. The TCP segment is encapsulated into an IP datagram. The TCP segment consists of
the TCP header and the data. The TCP header consists of ten mandatory fields and an optional
extension field. The data section follows the TCP header and consists of the data payload for
the application. The header does not specify the length of the data section; subtracting the
combined length of the TCP header and the encapsulating IP header from the total IP datagram
length gives the length of the data section. The fields present in the TCP segment header are
as follows:
• Source port (16 bits): Numerical value that indicates the source port.
• Destination port (16 bits): Numerical value that indicates destination port.
• Sequence number (32 bits): The sequence number of the first data octet in the segment. When
SYN is present, the sequence number is the ISN and the first data octet is ISN+1.
• Acknowledgment number (32 bits): Once the ACK bit is set, this field contains the next
sequence number that the sender expects to receive from the other end; it is sent once the
connection between the two hosts is established.
• Header length (4 bits): Indicates the number of 32-bit words in the header. Another name for
the header length is the Data Offset field.
• Reserved (6 bits): Kept for future use. It should be set to zero.
• Control bits (6 bits): The control bits handle connection establishment, data transmission
and connection termination. More than one control bit can be set simultaneously. The
control bits in the TCP header include:
• PSH: Push Function. Whenever TCP receives a request to push data from the
application, TCP sends the accumulated data immediately without waiting.
• RST: Reset the connection. The Reset request forces TCP to drop the connection
instantly. The RST forces both parties involved in the data transmission to break
the connection, which can lead to loss of data.
• Window (16 bits): The number of octets the receiver is willing to accept, beginning with
the octet indicated in the acknowledgement field.
• Checksum (16 bits): Header and the data are covered. Here the system calculates the
checksum by attaching a pseudo header before or in front of a TCP segment.
• Urgent (URG) pointer: This field shows the data meant for quick transmission. Moreover,
it points to the position where the urgent data actually ends.
• Options: Systems can deliver the options at the end of the header, but it should
implement them completely and must have a length that is a multiple of 8-bits. The three
different options include:
• End of option list: This list gives the end of option list. Instead of using at the end of
each option individually, it displays as the final option. This option comes into picture
only when the end of the option does not coincide with the end of the TCP header.
• No operation: This option clearly specifies the boundaries between multiple options
and between other options. For instance, it aligns at the beginning of a subsequent
option on a word boundary. There is no assurance that a sender will use this option.
So, the receiver should be prepared to process the option even if it does not begin the
subsequent option on a word boundary.
• Maximum segment size: It is the maximum segment size that TCP can receive and the
size is sent at the beginning of the connection establishment process.
• Padding: Indicates that the TCP header ends and data begin at a 32-bit boundary. It
consists of all zeros.
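The handshake steps and the header fields above, as an added example (not code from the courseware): Python that packs and parses the 20-byte TCP header, including the control bits and the pseudo-header checksum the text mentions, and replays the three-way handshake with the figure's sequence numbers (client ISN 100, server ISN 300). The addresses 10.0.0.2 and 10.0.0.3, the ports and the payload are constructed.

```python
import socket
import struct

# TCP control bits, in the order they sit in the header (URG ACK PSH RST SYN FIN).
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01

def internet_checksum(data):
    """One's-complement sum of 16-bit words: the standard checksum TCP, UDP and IP all use."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    """12-byte pseudo header placed in front of the segment only for checksum purposes."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_len))    # zero, protocol 6 = TCP, TCP length

def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """20-byte TCP header (data offset 5 words, no options) plus payload, checksum filled in."""
    offset_flags = (5 << 12) | flags          # 4-bit header length, 6 reserved, 6 control bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def flag_names(flags):
    names = (("URG", URG), ("ACK", ACK), ("PSH", PSH), ("RST", RST), ("SYN", SYN), ("FIN", FIN))
    return [name for name, bit in names if flags & bit]

def parse_segment(src_ip, dst_ip, segment):
    """Decode the mandatory header fields and verify the checksum over pseudo header + segment."""
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # Data Offset, in bytes
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    ok = internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "header_len": header_len,
            "flags": flag_names(off_flags & 0x3F), "window": window, "urgent_ptr": urg,
            "checksum_ok": ok, "payload": segment[header_len:]}

def three_way_handshake(client_isn=100, server_isn=300):
    """Constructed exchange with the figure's sequence numbers; returns the three parsed segments."""
    client, server = "10.0.0.2", "10.0.0.3"   # constructed addresses
    syn = build_segment(client, server, 40000, 21, client_isn, 0, SYN, 65535)
    p1 = parse_segment(client, server, syn)
    # Server: SYN received; reply with its own ISN and acknowledge the client's ISN + 1.
    syn_ack = build_segment(server, client, 21, 40000, server_isn, p1["seq"] + 1, SYN | ACK, 65535)
    p2 = parse_segment(server, client, syn_ack)
    # Client: acknowledge the server's ISN + 1; its own sequence number is now ISN + 1. Established.
    ack = build_segment(client, server, 40000, 21, p2["ack"], p2["seq"] + 1, ACK, 65535)
    p3 = parse_segment(client, server, ack)
    return p1, p2, p3
```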
UDP is a connectionless protocol that provides low-latency, loss-tolerating connections between
applications on the Internet. Unlike TCP, UDP does not promise consistent delivery of data using
acknowledgement and sequence numbers. The data passes over the network as datagrams. UDP
offers two services: port numbers, in order to distinguish the different user requests, and a
checksum, in order to confirm the receipt of the data. Broadcasting of messages requires UDP.
Applications like gaming and video applications use UDP for reliable data transmission. Data
transmission using UDP may lead to packet loss, but this does not affect the quality of the data
transmitted over the network. Forward error correction is a technique that assists in improving
audio and video signals. UDP uses the lossless transmission mechanism for the transmission of
large files. The lossless transmission mechanism helps in the retransmission of lost data
packets, thereby increasing the data transfer rate. The UDP header format includes:
[Figure: UDP header format: Source Port (16 bits), Destination Port (16 bits), Length (16 bits), Checksum (16 bits)]
• Source Port: Refers to the port number of the sending process. This determines where to
send the reply packet. If the source host is the server, the port number can be a well-known
port number, whereas if the source is the client, the port number can be an ephemeral port
number.
• Destination Port: Refers to the port number of the receiving process. As with the source
port, if the destination is a client, the port number can be an ephemeral port number,
whereas if the destination is a server, the port number can be a well-known port number.
• Length: The length field gives the length of the UDP header plus the UDP data. The
minimum specified length is 8 bytes.
• Checksum: The checksum performs error-checking of the data and the header. It uses the
standard internet checksum algorithm and verifies whether the correct destination received
the packet according to the IP address, port number and protocol specified in the header.
UDP Operation
The primary operation of UDP is to collect the data from the higher layer protocols and place it
in UDP messages to forward the UDP datagrams to the internet protocol for transmission. UDP
provides a checksum capability that helps in detecting the errors in the data transmission,
ensures the proper transmission of the UDP message and detects whether the message
reached the exact destination or not. The basic steps that are involved in the transmission of
data using UDP are as follows:
• UDP Message Encapsulation: Encapsulates the received message into the Data field of a
UDP message and fills in the UDP header fields: the source port, the destination port and
a checksum value, which may be calculated.
[Figure: TCP compared with UDP]
• UDP:
• Unreliable: UDP does not confirm the arrival of packets at the destination. It does not
attempt in retransmitting the lost packets or does not follow the concept of
acknowledgement.
• Not ordered: UDP does not confirm the sequence of the arrival of the packets at the
destination.
• Datagrams: UDP handles packets individually and deals with them only after their
arrival at the destination.
• Connection-less oriented: Does not create any session between the hosts.
• Broadcasts: UDP can send packets or broadcast the packets to multiple devices.
[Figure: IP header format (0-31 bits): IP Version (4 bits), Header Length (4 bits), Identification (Fragment ID) (16 bits), Flags, Fragment Offset (13 bits), Time-to-live (TTL) (8 bits), Source IP Address (32 bits)]
IP is a network layer protocol in the TCP/IP communications protocol suite. In networking, data
is always sent as packets or datagrams. IP provides a universally defined address and eliminates
the need to create a connection before sending data. IP also provides a datagram service that
carries information or data to the destination without much guarantee regarding the arrival
of these packets at the destination. The packets can be lost on the way to the destination or
can arrive at the destination in a completely or partially damaged form.
There are two versions of IP available: Internet protocol version 4 (IPv4) and Internet protocol
version 6 (IPv6). The commonly used version is IPv4, represented using a 32-bit address. IPv6
is an improved version of IPv4 and uses 128-bit source and destination addresses. The IP
header is the introduction to the IP packet and contains information such as the IP version,
source IP, destination IP, TTL, etc. The header holds the data required to carry the packet
across the internet. The IP header has the same format whatever data it carries.
• Header Length (4 bits): Length of the IP header where header represents 32-bit words
along with IP options if any. The minimum value of the IP header is 5.
• Type of Service (TOS) (8 bits): Provides quality of service features. First three bits are for
IP precedence, 4 bits for TOS and last one-bit left alone (not used).
• Total Length (16 bits): Specifies the length of the IP datagram in bytes. It includes the
length of the header and the data.
• Identification (16 bits): Identifies the fragments of one datagram from those of another.
• Time-To-Live (TTL): It defines the lifetime of the IP datagram in the internet system. The
TTL field is initially set to a number and decremented by every router. When the TTL
reaches zero, the router discards the datagram (packet).
• Protocol (8 bits): Identifies the next encapsulated protocol that sits above the IP layer.
• Header Checksum (16 bits): Identifies the errors during IP datagram transmission and
calculated based on the IP header.
• Source IP Address (32 bits): This field represents the IP address of the sender.
• Destination IP Address (32 bits): This field represents the IP address of the receiver
(destination).
• Options (variable in length): This is an optional field. List of options that are applicable for
the active IP datagram.
• Data (variable in length): This field contains the data from the protocol layer that handed
over the data to the IP layer.
The IP packet has a protocol field that specifies whether a segment is TCP or UDP.
[Figure: IP header with 4-bit Version, Header Length, 8-bit Type of Service (TOS), 16-bit Total Length (in bytes) and the 8-bit Protocol Field, followed by Data]
The protocol field in the IP header determines which service is available at the next higher level
in the protocol stack. The protocol field is eight bits in length and can therefore identify 256
protocols. Multiple higher layer protocols can use IP (multiplexing). "Assigned Numbers"
specifies the values for the various protocols. Some common protocol values (1 octet) are as
follows:
• 4 (0x04) IP over IP
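To make the header layout and the protocol field concrete, here is an added example, not part of the original courseware, that parses an IPv4 header from raw bytes, validates the length fields, verifies the header checksum and looks up the protocol number. The packet bytes are constructed inside the example; the PROTOCOL_NAMES table is a small hand-picked subset of the IANA registry, and the flags/fragment-offset word that sits between Identification and TTL in the real header is decoded as well.

```python
import struct

# Small hand-picked subset of the IANA "Assigned Internet Protocol Numbers" registry
PROTOCOL_NAMES = {
    1: "ICMP", 2: "IGMP", 4: "IP-in-IP", 6: "TCP", 17: "UDP",
    41: "IPv6", 47: "GRE", 50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF",
}

IPV4_FMT = "!BBHHHBBH4s4s"   # the 20-byte fixed part of the header


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte header (no options) with DF set and a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, ident, 0x4000, ttl, protocol, 0,
              bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split("."))]
    raw = struct.pack(IPV4_FMT, *fields)
    fields[7] = ones_complement_checksum(raw)   # checksum is computed with the field zeroed
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fixed header, validate the length fields and verify the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     _hdr_csum, src, dst) = struct.unpack(IPV4_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    if ihl < 5:                                  # header length is in 32-bit words, minimum 5
        raise ValueError("invalid IHL %d: header cannot be shorter than 20 bytes" % ihl)
    header_len = ihl * 4
    if len(packet) < header_len:
        raise ValueError("truncated: IHL claims %d bytes" % header_len)
    if total_len < header_len or total_len > len(packet):
        raise ValueError("total length %d inconsistent with header/buffer" % total_len)
    return {
        "header_len": header_len,
        "precedence": tos >> 5,                  # top 3 TOS bits
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # carried in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "unknown"),
        # summing the header including its checksum field yields 0 when it is intact
        "checksum_ok": ones_complement_checksum(packet[:header_len]) == 0,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "options": packet[20:header_len],
        "payload": packet[header_len:total_len],
    }


def is_valid_ipv4(packet: bytes) -> bool:
    """True if the header parses and its checksum verifies."""
    try:
        return parse_ipv4_header(packet)["checksum_ok"]
    except ValueError:
        return False


# Constructed sample: a UDP datagram with an 8-byte payload from 192.168.1.10 to 10.0.0.1
SAMPLE_PACKET = build_ipv4_header("192.168.1.10", "10.0.0.1", 17, 8) + b"\x00" * 8

if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_PACKET)
    print(hdr["src"], "->", hdr["dst"], hdr["protocol_name"], "checksum_ok:", hdr["checksum_ok"])
    # decrement the TTL without recomputing the checksum, as a careless router might
    tampered = SAMPLE_PACKET[:8] + bytes([SAMPLE_PACKET[8] - 1]) + SAMPLE_PACKET[9:]
    print("after TTL change, checksum_ok:", parse_ipv4_header(tampered)["checksum_ok"])
```

The length checks matter as much as the checksum: an IHL below 5, a total length larger than the buffer, or a header longer than the captured bytes are the classic malformed-packet cases that crash naive parsers.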
IPv6, also called IPng (next generation protocol), provides a base for enhanced Internet functionalities. The most important feature of IPv6 is its much larger address space in comparison to IPv4. IPv6 contains both addressing and control information to route packets for the next-generation Internet.
■ IPv6 features that provide a platform for growth of IT development:
• Expandable address space (large and diverse) and routing capabilities
• Scalable to new users and services
• Auto-configuration ability (plug-n-play)
• Mobility (improves mobility model)
• End-to-end security (high comfort factor)
• Better authentication and privacy checks
Internet Protocol version 6 is the most recent version of the Internet Protocol. It provides a mechanism for identifying the computers in the network and performs routing of the traffic across the Internet. To meet the increasing requirements, the Internet Engineering Task Force (IETF) started a working group called Internet Protocol next generation (IPng) to research, experiment and make recommendations for a new generation of IP. The result was the specification for Internet Protocol, version 6 (IPv6), described in RFC 2460 (since replaced by RFC 8200). Experts consider IPv6 the replacement for IPv4. Like IPv4, IPv6 uses a source and a destination address to carry data packets over the network. IPv6 has a very large address space: its addresses are 128 bits long, compared to 32 bits in IPv4.
• It has a new packet header format that minimizes packet-processing overhead in routers. Routers can process IPv6 headers efficiently and easily.
• IPv6 has globally unique addresses with an efficient, hierarchical routing infrastructure that relies on prefix length rather than address classes. This allows backbone routers to keep small routing tables.
• IPv6 simplifies host configuration with stateless and stateful address configuration for network interfaces.
• In IPv6, hosts on a link automatically configure themselves with link-local addresses, which need no router at all. For global addresses the host sends a Router Solicitation, and the local router replies with a Router Advertisement carrying the prefix and other configuration parameters from which the host builds its own address (stateless address autoconfiguration). IPv6 hosts can therefore configure themselves even when no router is present.
• IPv6 has an integrated security feature, Internet Protocol Security (IPsec). It is a set of Internet standards based on cryptographic security services providing confidentiality, data integrity and authentication. Note that IPsec support in IPv6 does not by itself protect any traffic: it has to be configured and keyed, just like IPsec on IPv4.
• IPv6 supports unicast and multicast communication along with a new communication type called anycast. An anycast address is assigned to a group of interfaces, and a packet sent to it is delivered to only one of them, normally the nearest one as determined by routing.
• IPv6 provides better support for quality of service (QoS) with proper management of network traffic.
IPv6 Header
[Figure: IPv6 header layout, 32 bits (0 to 31) per row, ending with the 128-bit Source IP Address and Destination IP Address fields.]
An IPv6 address is four times larger than an IPv4 address (128 bits versus 32 bits), but the IPv6 header is only twice as large as the IPv4 header (40 bytes versus 20 bytes). The IPv6 header consists of one fixed header and zero or more extension headers. The extension headers carry information that assists the routers in handling the packet.
The fixed IPv6 header is 40 bytes long and consists of the following fields:
• Version (4 bits): Specifies the version of the Internet Protocol (6).
• Traffic class (8 bits): Identifies data packets that belong to the same traffic class and distinguishes packets with different priorities (the IPv6 counterpart of the IPv4 TOS field).
• Flow label (20 bits): Labels the packets that belong to one flow so that routers can handle them consistently and keep them in sequence.
• Payload length (16 bits): Tells the router the length of the data that follows the fixed header, including any extension headers.
• Next header (8 bits): Identifies the type of header following the IPv6 header, located at the beginning of the data field (payload) of the IPv6 packet. It uses the same values as the IPv4 Protocol field.
• Hop limit (8 bits): Replacement for the time-to-live field in IPv4. It identifies and discards packets that are stuck in an indefinite loop due to routing errors: every router decrements it, and when the counter reaches zero the packet is discarded.
• Source IP address (128 bits): IPv6 address of the sending host.
• Destination IP address (128 bits): IPv6 address of the receiving host (destination).
Extension Header
The fixed header contains only the required information. Information that is rarely used or not always required is placed in extension headers between the fixed header and the upper-layer header. Each extension header is identified by a distinct Next Header value.
The Next Header field of the IPv6 header points to the first extension header. If there is more than one extension header, each extension header's own Next Header field points to the next one, and the last extension header points to the upper-layer header. The recommended order of the extension headers is as follows:
IPv6 header
Hop-by-Hop Options header
Destination Options header (options for the destinations listed in the Routing header)
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (options for the final destination only)
Upper-layer header
The extension headers are thus arranged as a linked list, one header after the other. A firewall or IDS that classifies traffic only by the Next Header value in the fixed header will misclassify any packet that carries extension headers; it has to walk the whole chain to find the upper-layer protocol.
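The chain walk described above, as an added example that is not part of the original courseware: it decodes the 40-byte fixed header and then follows the Next Header fields through the extension headers to find the upper-layer protocol. The sample packet (Hop-by-Hop, Destination Options and Fragment headers in front of a UDP header) and the addresses 2001:db8::1 and 2001:db8::53 are constructed here. The header length rules used (8-octet units for Hop-by-Hop, Routing and Destination Options, a fixed 8 octets for Fragment, 4-octet units for AH) follow the RFCs for those headers, and ESP is treated as opaque because nothing after it can be parsed without the key.

```python
import ipaddress
import struct

FIXED_FMT = "!IHBB16s16s"   # version/class/flow label, payload len, next header, hop limit, src, dst
FIXED_LEN = 40

NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
    50: "ESP", 51: "AH", 58: "ICMPv6", 59: "No Next Header", 60: "Destination Options",
}
EXTENSION_HEADERS = {0, 43, 44, 51, 60}   # walkable; ESP (50) is opaque and ends the walk
MAX_CHAIN = 16                             # refuse absurdly long chains (a common evasion trick)


def parse_ipv6_fixed_header(packet: bytes) -> dict:
    if len(packet) < FIXED_LEN:
        raise ValueError("truncated: IPv6 fixed header is 40 bytes")
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack(FIXED_FMT, packet[:FIXED_LEN])
    version = first >> 28
    if version != 6:
        raise ValueError("not IPv6 (version=%d)" % version)
    if FIXED_LEN + payload_len > len(packet):
        raise ValueError("payload length %d exceeds buffer" % payload_len)
    return {
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_len": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)),
        "dst": str(ipaddress.IPv6Address(dst)),
    }


def walk_extension_headers(packet: bytes) -> dict:
    """Follow the Next Header chain; return the upper-layer protocol, its offset and the headers seen."""
    fixed = parse_ipv6_fixed_header(packet)
    end = FIXED_LEN + fixed["payload_len"]
    nh, offset, chain, fragmented = fixed["next_header"], FIXED_LEN, [], False
    while nh in EXTENSION_HEADERS:
        if len(chain) >= MAX_CHAIN:
            raise ValueError("too many extension headers")
        if offset + 8 > end:
            raise ValueError("truncated extension header at offset %d" % offset)
        chain.append(NEXT_HEADER_NAMES[nh])
        if nh == 44:                                   # Fragment header: fixed 8 octets
            hdr_len = 8
            frag_off = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            fragmented = frag_off != 0                 # non-first fragment: no upper-layer header here
        elif nh == 51:                                 # AH: length in 4-octet units, minus 2
            hdr_len = (packet[offset + 1] + 2) * 4
        else:                                          # HBH/Routing/DestOpts: 8-octet units, minus 1
            hdr_len = (packet[offset + 1] + 1) * 8
        nh, offset = packet[offset], offset + hdr_len
        if offset > end:
            raise ValueError("extension header runs past end of packet")
    return {
        "upper_layer": NEXT_HEADER_NAMES.get(nh, "proto %d" % nh),
        "offset": offset,
        "chain": chain,
        "fragmented": fragmented,
    }


def upper_layer_protocol(packet: bytes):
    """Convenience wrapper: upper-layer protocol name, or None if the packet is malformed."""
    try:
        return walk_extension_headers(packet)["upper_layer"]
    except ValueError:
        return None


def build_sample_packet() -> bytes:
    """Constructed sample: HBH -> DestOpts -> Fragment (offset 0) -> UDP (dst port 53)."""
    udp = struct.pack("!HHHH", 1024, 53, 8, 0)                       # UDP header, no data
    frag = struct.pack("!BBHI", 17, 0, 0, 0xDEADBEEF)               # next=UDP, offset 0, M=0
    dst_opts = bytes([44, 0]) + b"\x01\x04\x00\x00\x00\x00"          # next=Fragment, PadN option
    hbh = bytes([60, 0]) + b"\x01\x04\x00\x00\x00\x00"               # next=DestOpts, PadN option
    payload = hbh + dst_opts + frag + udp
    first_word = (6 << 28) | (0 << 20) | 0xABCDE                     # version 6, class 0, flow label
    fixed = struct.pack(FIXED_FMT, first_word, len(payload), 0, 64,   # next header 0 = Hop-by-Hop
                        ipaddress.IPv6Address("2001:db8::1").packed,
                        ipaddress.IPv6Address("2001:db8::53").packed)
    return fixed + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("fixed-header Next Header:", parse_ipv6_fixed_header(pkt)["next_header"], "(what a naive filter sees)")
    print(walk_extension_headers(pkt))
```

Note the two failure modes the walker guards against: a length byte that points past the end of the payload, and a chain that never terminates. Both have been used to slip traffic past filters that give up after a fixed number of headers.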
■ ICMP is an error-reporting protocol used for diagnostic purposes, generating error messages when there is a problem in the delivery of IP packets
■ ICMP does not overcome the unreliability issues of IP; instead, it reports the failure of data transmission to the sender
ICMP is an error-reporting protocol used by networking devices such as routers to send error messages. ICMP also carries query messages (for example echo request and reply) that applications such as ping and traceroute rely on. ICMP is not a transport protocol that carries application data between two communicating systems. Network administrators troubleshooting Internet connections mainly use these messages. ICMP transmits messages as datagrams: each ICMP message is carried in the data field of an IP packet. ICMP error messages also contain the IP header (and the first 8 bytes of the payload) of the datagram that caused the error, so the end system can understand which packet failed and why. ICMP for IPv4 identifies itself with IP protocol number 1; ICMPv6 is carried with Next Header value 58. The ICMP header begins with three common fields:
• The type, which identifies the kind of message
• The code, which identifies a sub-type within that type
• The checksum, which detects errors introduced during transmission
The ICMP data (including the quoted IP header of the failed datagram, for error messages) follows these three fields.
Type 3 (Destination Unreachable) codes:
Code  Meaning
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
4     Fragmentation Needed and Don't Fragment was Set
5     Source Route Failed
6     Destination Network Unknown
7     Destination Host Unknown
8     Source Host Isolated
9     Communication with Destination Network is Administratively Prohibited
10    Communication with Destination Host is Administratively Prohibited
11    Destination Network Unreachable for Type of Service
12    Destination Host Unreachable for Type of Service
13    Communication Administratively Prohibited
14    Host Precedence Violation
15    Precedence Cutoff in Effect
[Figure: ICMP message format: Type (8 bits), Code (8 bits), Checksum (16 bits), then message-specific Parameters, then Data. The full list of ICMP types is given in TABLE 1.1 below.]
ICMP messages are carried inside IP packets: the IP header encapsulates the ICMP data, and ICMP transmits the data as datagrams. ICMP error messages also contain the IP header and the first 8 bytes of the payload of the original datagram, so the end system knows which packet failed.
The structure of an ICMP message starts with three fields that have the same size and the same meaning in all ICMP messages, although their values differ from one message type to another. The rest of the message contains fields that are specific to each type of message. The common message format is the same for ICMPv4 and ICMPv6.
• Type: This field identifies the ICMP message type. For ICMPv6, values from 0 to 127 are error messages and values 128 to 255 are informational messages. The length of this field is 1 byte. The ICMPv4 types are defined as:
Type    Name
0       Echo Reply
1       Unassigned
2       Unassigned
3       Destination Unreachable
4       Source Quench
5       Redirect
6       Alternate Host Address
7       Unassigned
8       Echo
9       Router Advertisement
10      Router Solicitation
11      Time Exceeded
12      Parameter Problem
13      Timestamp
14      Timestamp Reply
15      Information Request
16      Information Reply
17      Address Mask Request
18      Address Mask Reply
19      Reserved (for Security)
20-29   Reserved (for Robustness Experiment)
30      Traceroute
31      Datagram Conversion Error
32      Mobile Host Redirect
33      IPv6 Where-Are-You
34      IPv6 I-Am-Here
35      Mobile Registration Request
36      Mobile Registration Reply
37      Domain Name Request
38      Domain Name Reply
39      SKIP
40      Photuris
41-255  Reserved
TABLE 1.1: ICMP types
• Code: This field identifies the subtype of message within each ICMP message Type value. For each message type, the field allows up to 256 subtypes. The length of this field is 1 byte. For example, the first four codes of Type 3 (Destination Unreachable) are:
Code  Name
0     Net Unreachable
1     Host Unreachable
2     Protocol Unreachable
3     Port Unreachable
• Checksum: The length of this field is 2 bytes. This 16-bit checksum field is calculated in a
manner similar to the IP header checksum in 1Pv4. It provides error detection coverage for
the entire ICMP message.
• Data: This field includes the specific fields used to implement each message type. The size
of this field is variable.
[Figure: ICMP message format: Type (8 bits), Code (8 bits), Checksum (16 bits), Parameters, Data.]
FIGURE 1.22: ICMP message format
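The message format and the quoted-header behaviour described above, as an added example that is not part of the original courseware: it builds an Echo request with a correct checksum, parses an ICMPv4 message and, for a Destination Unreachable error, decodes the quoted IPv4 header and the first 8 bytes of the failed datagram to recover which flow was affected. The type and code tables are hand-picked subsets of TABLE 1.1 and the Type 3 codes; the Port Unreachable message, its addresses and ports are constructed here, and the quoted inner IPv4 header carries a zero checksum because only the outer ICMP checksum is verified.

```python
import struct

# Hand-picked subsets of the ICMPv4 type table and the Destination Unreachable codes
ICMPV4_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
                8: "Echo", 11: "Time Exceeded", 12: "Parameter Problem",
                13: "Timestamp", 14: "Timestamp Reply"}
DEST_UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
                      3: "Port Unreachable", 4: "Fragmentation Needed and DF set",
                      13: "Communication Administratively Prohibited"}
ERROR_TYPES = {3, 4, 5, 11, 12}      # these quote the offending datagram after the 8-byte header


def icmp_checksum(data: bytes) -> int:
    """Same one's complement algorithm as the IPv4 header checksum, over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)          # type 8, code 0, checksum placeholder
    csum = icmp_checksum(head + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_port_unreachable(orig_src: str, orig_dst: str, sport: int, dport: int) -> bytes:
    """Constructed Type 3 / Code 3 error quoting a UDP datagram (inner IP checksum left at 0)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x4242, 0, 64, 17, 0,
                           bytes(int(o) for o in orig_src.split(".")),
                           bytes(int(o) for o in orig_dst.split(".")))
    inner_udp = struct.pack("!HHHH", sport, dport, 8, 0)          # first 8 bytes of the payload
    head = struct.pack("!BBHI", 3, 3, 0, 0)                      # type 3, code 3, unused 32 bits
    body = inner_ip + inner_udp
    return struct.pack("!BBHI", 3, 3, icmp_checksum(head + body), 0) + body


def decode_quoted_datagram(quote: bytes) -> dict:
    """Pull src/dst/protocol (and ports, for TCP/UDP) out of the quoted IP header + 8 bytes."""
    if len(quote) < 28:
        raise ValueError("quoted datagram too short (need IP header + 8 bytes)")
    ihl = (quote[0] & 0x0F) * 4
    info = {"src": ".".join(str(b) for b in quote[12:16]),
            "dst": ".".join(str(b) for b in quote[16:20]),
            "protocol": quote[9]}
    first8 = quote[ihl:ihl + 8]
    if info["protocol"] in (6, 17) and len(first8) >= 4:        # TCP and UDP both start with the ports
        info["sport"], info["dport"] = struct.unpack("!HH", first8[:4])
    return info


def parse_icmpv4(msg: bytes) -> dict:
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    mtype, code, _csum = struct.unpack("!BBH", msg[:4])
    out = {"type": mtype, "type_name": ICMPV4_TYPES.get(mtype, "other"),
           "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if mtype in (0, 8):
        out["id"], out["seq"] = struct.unpack("!HH", msg[4:8])
        out["data"] = msg[8:]
    elif mtype in ERROR_TYPES:
        if mtype == 3:
            out["code_name"] = DEST_UNREACH_CODES.get(code, "other")
        out["quoted"] = decode_quoted_datagram(msg[8:])
    return out


def icmpv6_class(mtype: int) -> str:
    """ICMPv6 splits the type space in half: 0-127 errors, 128-255 informational."""
    return "error" if mtype < 128 else "informational"


if __name__ == "__main__":
    print(parse_icmpv4(build_echo_request(0x1234, 1, b"abcdefgh")))
    print(parse_icmpv4(build_port_unreachable("192.168.1.10", "10.0.0.1", 40000, 33434)))
```

The quoted header is what lets a host match an error to the socket that caused it; it is also why a stateful firewall should check that the quoted src/dst/ports belong to a connection it has actually seen before letting an inbound ICMP error through.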
■ ARP is a stateless protocol used for translating IP addresses to machine addresses (MAC)
■ An ARP request is broadcast over the network, whereas the response is a unicast message to the requester
■ The IP address and MAC pair is stored in the ARP cache of the system, switch, and/or router through which the ARP reply passes
[Figure: ARP exchange. Host 192.168.168.1 (MAC 00-14-20-01-23-45) wants to connect to 192.168.168.3 but needs its MAC address, so it broadcasts ARP_REQUEST "Hello, I need the MAC address of 192.168.168.3". Host 192.168.168.2 (MAC 00-14-20-01-23-46) ignores the request; host 192.168.168.3 answers with a unicast ARP_REPLY "I am 192.168.168.3, MAC address is 00-14-20-01-23-47". The pair is stored in the ARP cache table and the connection is established.]
The Address Resolution Protocol (ARP) deals with converting an IP address to a physical address (MAC address). The term address resolution refers to finding the hardware address that belongs to a given IP address of a computer in a network. ARP is defined in RFC 826 and its Internet Standard number is STD 37. The protocol operates below the network layer as part of the interface between the OSI network layer and the OSI link layer. IPv4 uses ARP when it runs over Ethernet (IPv6 uses Neighbor Discovery over ICMPv6 instead).
ARP is mainly a request and reply protocol, and its messages are carried directly in link-layer frames rather than in IP packets. ARP works only within the boundaries of a single link (broadcast domain) and is never forwarded across routers to other networks. ARP maintains a table known as the ARP cache that keeps track of MAC addresses and their corresponding IP addresses. There are rules for maintaining the MAC/IP pairs in this table that govern the conversion from one form to the other. Because ARP is stateless and carries no authentication, a host will accept replies it never asked for, which is what ARP spoofing (cache poisoning) exploits.
Working of ARP
The term address resolution refers to the process of finding the hardware address of a computer in a network. The process of ARP is as follows:
• A client process sends a request to find the physical (MAC) address that matches a given IP address.
• The request is broadcast to all computers on the local network so that the system owning that IP address can identify itself.
• The system that owns the requested IP address sends a unicast reply to the client process with its MAC address, and the client stores the pair in its ARP cache.
ARP cache entries are of two kinds:
• Static ARP Cache: These address resolutions are manually added to the cache table for a device and are kept in the cache on a permanent basis. To manage static entries, use tools such as the arp command-line utility.
• Dynamic ARP Cache: These hardware/IP address pairs are added to the cache by the software itself as a result of successfully completed past ARP resolutions. They are kept in the cache only for a specific period and are then removed.
ARP packet format (Ethernet/IPv4), 4 bytes per row:
Byte 0              Byte 1              Byte 2              Byte 3
Hardware Type                           Protocol Type
Hardware Length     Protocol Length     Operation (1 for Request, 2 for Reply)
Sender's Hardware Address (first 4 bytes of Ethernet address)
Sender's Hardware Address (last 2 bytes)      Sender's Protocol Address (first 2 bytes of IP address)
Sender's Protocol Address (last 2 bytes)      Target's Hardware Address (first 2 bytes of Ethernet address, null in ARP request)
Target's Hardware Address (last 4 bytes of Ethernet address, null in ARP request)
Target's Protocol Address (4 bytes of IP address)
Hardware Type values: 1 = Ethernet, 2 = Experimental Ethernet, 3 = Amateur Radio AX.25, 4 = Proteon ProNET Token Ring, 5 = Chaos, 6 = IEEE 802 Networks, etc.
Protocol Type values: IPv4 = 0x0800, IPv6 = 0x86DD
Hardware Length: 6 for Ethernet
Protocol Length: 4 for IPv4
Operation Code: 1 for Request, 2 for Reply
• Hardware Type: This field identifies the type of hardware used for the local network
transmitting the ARP message. The size of this field is 2 octets and the value of this field
for Ethernet is 1.
• Protocol Type: This field specifies the network protocol for the intended ARP request. The
value of the field for 1Pv4 is 0x0800 and I Pv6 is 0x86DD. The permitted length of this field
is 2 octets.
• Hardware Length: This field specifies the length (in octets) of a MAC address in fields 5
and 7 of the ARP packet. For Ethernet, the value of this field is 6.
• Protocol Length: This field specifies the length (in octets) of the protocol addresses in fields 6 and 8 of the ARP packet. The address length for IPv4 is 4.
• Operation: This field specifies the operation that the sender is performing. The value for
ARP request is 1 and for ARP reply is 2.
• Sender's Hardware Address: This field contains the MAC address of the device sending the message: the host asking the question in a request, and the host that owns the requested IP address in a reply.
• Sender's Protocol Address: This field contains the IP address of the device sending this message.
• Target Hardware Address: This field contains the MAC address of the intended receiver. In an ARP request this field is ignored (set to zero, since it is the value being looked up). In an ARP reply it holds the MAC address of the host that originated the ARP request.
• Target protocol address: This field contains the IP address of the device of the intended
destination.
Ethernet is the most commonly used LAN technology. It is a link layer protocol that governs data transmission between network devices on the same network. It uses a bus or star topology; the original 10BASE-T variant runs at 10 Mbps. Ethernet formed the basis for the IEEE 802.3 standard, which defines the physical layer and the lower part of the data link layer. Data is transmitted in frames: a frame carries the physical (MAC) addresses of the sender and the receiver, the payload, and a frame check sequence. The payload of a frame is normally a network-layer packet (for example an IP datagram), which in turn carries the information needed to establish the higher-layer connection. Ethernet is preferred because it is easy to install, inexpensive and supports high-speed data transfers. Shared-medium Ethernet controls access to the cable with CSMA/CD (carrier sense multiple access / collision detection); on switched Ethernet each port is its own collision domain. Today Ethernet most commonly uses 100BASE-T (Fast Ethernet) at up to 100 Mbps and Gigabit Ethernet at 1000 Mbps (1 Gbps). Other common LAN types include:
• Fast Ethernet
• Token Ring
• LocalTalk
Devices attached to an Ethernet fall into two groups:
• Data terminal equipment (DTE): The DTE is the source or the destination of the data frames. DTEs are devices such as workstations, file servers, print servers, etc.
• Data communication equipment (DCE): The network device that is responsible for receiving and passing the frames across the network. DCEs include devices such as repeaters, switches and routers.
Ethernet is mainly used in wired networking, although wireless networking is increasingly taking the place of wired networks; the nominal data rates of 802.11ac can exceed those of 1 Gb Ethernet. The important thing about wired networking is that it is less affected by interference and is harder to eavesdrop on than wireless networking, although it is not inherently secure: anyone with physical access to a port or a span of cable can capture or inject traffic.
FDDI
■ Transfers data at the rate of 100 Mbps
■ Secondary ring: Acts as backup and takes the place of the primary ring in case of network failure
FDDI (Fiber Distributed Data Interface) is an optical standard for transferring data over fiber optic lines in a LAN of up to 200 km. Data is transmitted at 100 Mbps over fiber optic cable, and a token is used to determine which workstation may transmit at a given time. FDDI uses fiber optic cable wired in a ring topology. It uses a token passing access method (please refer to the "Token Ring" topic) that gives equal responsibilities and privileges to all the computers connected to the network.
On a normally operating FDDI ring the token circulates past every device. If a station does not see the token within the expected time, the ring is treated as faulty and the stations start a recovery procedure, which makes a network problem visible quickly. Furthermore, FDDI supports priority levels, so that, for example, a server is allowed to send large volumes of data more often than the client systems.
FDDI consists of two rings, a primary and a secondary. The primary ring carries data between the systems, whereas the secondary ring acts as a backup to the primary ring. When the primary ring fails, the secondary ring takes over and performs all the operations usually carried out by the primary ring. FDDI transmits data at high speed, but Fast Ethernet also transfers large amounts of data at 100 Mbps, at a far lower cost, and organizations are now using Gigabit Ethernet, which transfers data at 1000 Mbps. The later version of FDDI, FDDI-2 (FDDI-II), adds support for voice and multimedia communication over large geographical areas.
Token Ring
A token ring is a local area network that consists of computers connected in a ring (or star-wired ring) topology and uses a token to manage the transmission of data between computers. The token prevents collisions between data sent by different computers. Possession of the token gives a network node the right to transmit: when a node that has data to send receives the free token, it changes one bit to mark the token as busy and appends the data it wants to transmit, and the resulting frame travels to the next node. Token ring allows a station to send data only after the token arrives at its location, thus preventing collisions between workstations that want to send messages at the same time. The maximum size of a token ring frame is about 4,500 bytes on a 4 Mbps ring.
• Converting the token into a frame changes the token bit from 0 to 1 in the frame.
• Each computer checks the frame and examines whether the destination address matches. If it does, that computer copies the message and marks the frame as copied in the frame status field.
• The frame returns to the sending computer, which removes the information after the computer with the destination address has copied it.
• The sender then releases a new free token, and the ring is ready to accept another transmission.
The components of a token ring frame are as follows:
Field            Description
Frame control    Includes MAC access control information for all the computers and end-station information for only one computer
Source address   Specifies the address of the computer that sends the frame
Frame status     Includes the current status, for example whether the information was copied
TABLE 1.3: Components of token ring
An IP address is a number assigned to each computer that transmits data over a network using the Internet Protocol. An IP address serves two purposes: host identification and location addressing. The assigned addresses make it easy to identify the computers in the network. An IPv4 address consists of 32 binary bits divided into two parts: the network part and the host part. It is written as four decimal numbers separated by periods, each of which can range from 0 to 255. An example of an IP address is 1.160.10.240. An IP address can be either static or dynamic. A static IP address is configured permanently and does not change. A dynamic IP address is assigned automatically (typically by DHCP) each time the computer joins the network and may change over time.
aim of ICANN is to ensure that all users have valid addresses. ICANN does not look after Internet content control, data protection, or unsolicited mail, but ICANN is responsible for the management of the new gTLDs (generic Top Level Domains).
• Making the Address Space Friendly: To make the address space friendly, it is necessary to make the address familiar and short. Inside the computer an address consists only of the two symbols "1" and "0", which describe the two possible states, on and off. The base-10 number system is friendlier for people. Imagine that a computer's address is 10010000 11111010 01010101 10111011 in the base-2 system; its dotted-decimal equivalent, 144.250.85.187, is far easier to remember.
Classful IP Addressing
■ IP addresses are divided into 5 major classes in the classful IP addressing scheme
■ It was the first addressing scheme of the Internet that managed addressing through classes A, B, C, D, and E
■ Two-Level Internet Address Structure: the first part (network prefix) identifies the network; the second part (host number) represents a specific host on the network
NOTE:
• All the hosts residing on a network share the same network prefix but must have a unique host number
• Hosts residing on different networks can have the same host number but must have different network prefixes
[Figure: two-level address structure, Network Prefix | Host Number]
Classful IP addressing is the Internet's first addressing scheme; it managed addressing through classes, primarily A, B, and C. First standardized in September 1981 (RFC 791), the Internet Protocol (IP) specifies that each computer should have a unique 32-bit address to use the IP-based Internet. Systems connected to more than one network interface require a unique IP address for each network. Classful addressing divides the IP address into two parts. The first part identifies the network on which the host resides and the second part identifies the specific node or host on that network. The class of an address determines which bits belong to the network address and which to the node address.
[Figure: address structure, Network Number | Host Number, also written Network Prefix | Host Number]
Class D: starts with binary 1110; the first decimal number can be anywhere between 224 and 239. Supports multicasting.
Class E: starts with binary 1111; the first decimal number can be anywhere between 240 and 255. Reserved for experimental use.
Address Classes (Cont'd)
Table showing number of networks and hosts:
Class    Leading Bits   Share of Address Space   Network Number Bit Field   Host Number Bit Field   Number of Networks   Addresses per Network   Use
Class A  0              1/2                      8                          24                      126                  16,777,214              Unicast addressing for very large organizations
Class B  10             1/4                      16                         16                      16,384               65,534                  Unicast addressing for medium-size organizations
Class C  110            1/8                      24                         8                       2,097,152            254                     Unicast addressing for small organizations
Address classes play an important role in Internet routing. The Internet designers divided the IP address space into different address classes, A, B, C, D and E, to support networks of different sizes.
Class A
The Class A address range is for large networks. The binary address starts with 0, so the first decimal number is between 0 and 127; these blocks were mostly assigned to very large international companies and institutions. Of the 32-bit address, a Class A address uses the leftmost 8 bits to identify the network and the remaining 24 bits to identify hosts within the network. In recent years, Class A networks have been referred to as "/8s". A total of 126 (2^7 - 2) /8 networks can be defined in Class A. It is two fewer than 128 because 0.0.0.0/8 is reserved (0.0.0.0 is the default address) and 127.0.0.0/8 is the loopback network. Each Class A network supports a maximum of 16,777,214 (2^24 - 2) hosts, and the class as a whole covers 2^31 (2,147,483,648) individual addresses, which amounts to 50% of the 2^32 (4,294,967,296) addresses in the IPv4 address space.
[Figure: Router A serves Class A network 10.10.0.0; hosts 10.10.0.1, 10.10.0.2 and 10.10.0.3 are attached through a switch.]
FIGURE 1.24: Class A network
Class B
Use class B addresses in medium-scale networks. It uses the leftmost 16-bits of this class and
the binary address starts with 10. The decimal number is from 128 to 191. The first 16 bits (two
octets) identify the network and the remaining 16 bits specify the hosts residing in the network.
[Figure: Router B serves Class B network 128.28.0.0; hosts 128.28.0.1, 128.28.0.2 and 128.28.0.3 are attached through switches.]
FIGURE 1.25: Class B network
In recent years, Class B networks have been referred to as "/16s" because they have a 16-bit network prefix. About 16,384 (2^14) /16 networks can be defined in Class B, each with 65,534 (2^16 - 2) hosts per network, for 2^30 (1,073,741,824) individual addresses. This amounts to 25% of the total IPv4 address space.
Class C
Class C addresses have a 24-bit network prefix. The binary address of Class C starts from 110.
The decimal number can be anywhere between 192 and 223. Class C addresses represent small
businesses. It uses the first 24 bits (three octets) for identifying the network, while the rest of
the 8 bits help in identification of the host on the network.
[Figure: Router C serves Class C network 192.28.0.0; hosts such as 192.28.0.2 are attached through switches.]
A subnet mask tells a host or router which bits of an IP address belong to the network (and subnet) ID and which bits belong to the host ID. It is a 32-bit binary number that separates the IP address into two components, the network address and the host address. A subnet calculator can be used to derive the subnet mask information. To identify the network address of a particular IP address, the device performs a bitwise AND of the IP address with the subnet mask. Subnet mask bits are defined by setting all network bits to "1" and all host bits to "0". Subnet masks are expressed in dot-decimal notation like an address.
Every host on a TCP/IP network requires a subnet mask. Use the default subnet mask for class-based network IDs, and custom subnet masks when subnetting or supernetting is configured.
Default subnet masks:
IP Address Class   Total # bits for Network ID / Host ID   First Octet   Second Octet   Third Octet   Fourth Octet   Subnet Mask
Class A            8 / 24                                  11111111      00000000       00000000      00000000       255.0.0.0
Class B            16 / 16                                 11111111      11111111       00000000      00000000       255.255.0.0
Class C            24 / 8                                  11111111      11111111       11111111      00000000       255.255.255.0
TABLE 1.4: Default subnet masks for Class A, Class B and Class C networks
Example: a Class B address with 5 bits allocated to the subnet ID and the remaining 11 bits left for the host ID has the subnet mask 255.255.248.0, written /21 in prefix-length notation: 11111111.11111111.11111000.00000000
■ Subnetting allows you to divide a Class A, B, or C network into different logical subnets
■ To subnet a network, borrow some of the bits from the host ID portion in order to extend the natural mask
For example, consider the Class C address 192.168.1.12:
IP Address:  192.168.1.12  = 11000000.10101000.00000001.00001100
Subnet mask: 255.255.255.0 = 11111111.11111111.11111111.00000000
Borrowing three extra bits from the host ID portion gives the mask 255.255.255.224 (/27) and allows you to create eight subnets with 30 usable host addresses each.
Three-Level Subnet Hierarchy: Network Prefix | Subnet Number | Host Number
The original Internet designers did not foresee the rapid growth of the Internet and the change it has brought as a communication system. Today, organizations face many problems with the allocation of IP addresses, as the IPv4 address space is in its depletion stage. This problem arose from early decisions made by the Internet designers in the formative stage: in the early evolution of the Internet, organizations were allocated address space based on their requests rather than on their actual requirements, which led to the eventual depletion of the IP address space. Organizations that predicted the future of networking invested in the Internet early; those that ignored its significance realized later and obtained addresses, but had to face address shortage problems. Emerging organizations face address shortage problems because of the premature depletion of the IPv4 address space.
To make better use of the address space, an organization can perform IP subnetting. Subnetting turns the two-level structure (network, host) into a three-level structure (network, subnet, host). The organization's system administrator divides the host portion of its network number, within the internal network, into subnets; the subnet structure is invisible to external networks, which only see the single network prefix. The main advantage of subnetting to the organization is that it can divide the classful host number into a subnet ID and a host ID based on its own preferences and requirements.
[Figure: the address 141.14.192.2 split two ways. Two-level: Net ID 141.14, Host ID 192.2. Three-level: Net ID 141.14, Subnet ID 192, Host ID 2.]
FIGURE 1.28: Two-level and Three-level subnetting
Routers use an extended network prefix to forward traffic between subnet devices. The extended network prefix includes the network prefix and the subnet ID.
In classful IP addressing, the router uses the first octet of an IP address to determine the address class and hence the network number and host number. In subnetting, since the division of the address is arbitrary, the router cannot tell from the address alone where the subnet ID ends and the host ID begins. The subnet mask provides this information: it is a 32-bit binary number that marks which bits of the address belong to the extended network prefix (network plus subnet ID) and which belong to the host ID.
Subnetting allows the division of Class A, B, and C network numbers into smaller segments.
Variable length subnet mask (VLSM) allows two or more subnet masks in the same network.
VLSM uses the IP address space in a network efficiently. It gives a network administrator the
flexibility to divide a network according to the requirements and preferences of the organization
and to create subnets, sub-subnets and sub-sub-subnets.
[Slide: Supernetting]
• Class A and B addresses are in the depletion stage
• Class C provides only 256 hosts in a network, out of which 254 are available for use
• Supernetting combines various Class C addresses and creates a single larger network (supernet)
• Also known as Classless Inter-Domain Routing (CIDR), invented to keep IP addresses from exhaustion
• It applies to Class C addresses
• Supernet mask is the reverse of a subnet mask
• Supernet address: xxxxxxxx.xxxxxxxx.xxxx0000.00000000 (host ID bits followed by M zero bits; this byte is divisible by 2^M)
Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
With the growth of the internet, classful addressing has become a big problem for many organizations.
The problems with classful addressing are a lack of flexibility in dividing addresses for an internal
network and improper distribution of the allocated address space, which requires a router to create more
and more routing table entries. Subnetting solves these problems to a certain extent, but IPv6
addressing brought a 128-bit addressing system to eliminate addressing issues properly. This
new system eliminates the need for address classes and creates a new addressing scheme to
match the growing demand of internet users. It advocates a new classless
addressing scheme known as Classless Inter-Domain Routing (CIDR). CIDR uses the concept
of subnetting as a base and takes it a step further: subnetting divides a single network into
subnets, whereas CIDR applies the subnetting principle to large networks and aggregates
networks into larger supernets with a concept known as supernetting.
• Advantages of CIDR:
With CIDR, organizations can allocate address space efficiently as per their requirements
and preferences. In classful addressing, there are class A, B, and C networks. A class A
network has around 16,277,214 addresses per network, a class B network has 65,534 and
a class C network has only 254 addresses. There is a disproportion between the address classes in this
addressing system. CIDR eliminates the problem of class imbalances and routing entries by creating
small entries for large networks.
Network prefixes based on CIDR help the router determine the dividing point
between the net ID and host ID. Subnetting requires a subnet mask to determine the network
ID and host ID. CIDR does not support a 32-bit binary subnet mask. Instead, CIDR uses "/"
slash notation, known as CIDR notation, together with a prefix length to show the network size.
• Supernetting Example:
213.2.96.0: 11010101.00000010.01100000.00000000
213.2.97.0: 11010101.00000010.01100001.00000000
213.2.98.0: 11010101.00000010.01100010.00000000
213.2.99.0: 11010101.00000010.01100011.00000000
Supernet mask: 255.255.252.0
Supernet address: 213.2.96.0/22 (11010101.00000010.01100000.00000000)
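As an added illustration (not part of the EC-Council courseware), the following Python computes the three-level net/subnet/host split of Figure 1.28 and the supernet aggregation of the example above on raw 32-bit values, and also flags a case the example does not show: a group of networks that is not a power-of-two aligned set, where the summary route would advertise space the organization does not hold. Function names are the author's own choice; the cross-check uses Python's standard ipaddress module.

```python
# Added example (not from the CND courseware): subnet and supernet arithmetic
# on raw 32-bit integers so the bit boundaries stay visible, cross-checked
# against Python's ipaddress module.
from __future__ import annotations
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Dotted-binary form, as written out in the supernetting example."""
    value = ip_to_int(addr)
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """Prefix length -> mask as an integer (/22 -> 255.255.252.0)."""
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def classful_prefix(addr: str) -> int:
    """Network-prefix length implied by the first octet under classful rules."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return 8    # Class A: 0xxxxxxx
    if first < 192:
        return 16   # Class B: 10xxxxxx
    if first < 224:
        return 24   # Class C: 110xxxxx
    raise ValueError(f"{addr} is not a Class A, B or C unicast address")


def split_address(addr: str, extended_prefix: int) -> dict:
    """Three-level split (net ID / subnet ID / host ID) for one subnet mask.

    extended_prefix = classful network bits + subnet-ID bits; the router reads
    it from the subnet mask, since the class alone cannot locate the boundary.
    """
    net_bits = classful_prefix(addr)
    if not net_bits <= extended_prefix <= 30:
        raise ValueError("extended prefix must lie between the classful prefix and /30")
    value = ip_to_int(addr)
    host_bits = 32 - extended_prefix
    subnet_bits = extended_prefix - net_bits
    return {
        "net_id": value >> (32 - net_bits),
        "subnet_id": (value >> host_bits) & ((1 << subnet_bits) - 1),
        "host_id": value & ((1 << host_bits) - 1),
        "subnet_mask": int_to_ip(prefix_to_mask(extended_prefix)),
        "usable_hosts": (1 << host_bits) - 2,   # minus network and broadcast
    }


def supernet(cidrs: list[str]) -> str:
    """Smallest CIDR block containing every listed network: the longest prefix
    shared by the lowest address of the group and the highest address of the
    group (four aligned /24s -> one /22)."""
    lows, highs = [], []
    for cidr in cidrs:
        addr, plen = cidr.split("/")
        mask = prefix_to_mask(int(plen))
        net = ip_to_int(addr) & mask
        lows.append(net)
        highs.append(net | (~mask & 0xFFFFFFFF))
    lo, hi = min(lows), max(highs)
    prefix_len = 32
    while prefix_len > 0:
        m = prefix_to_mask(prefix_len)
        if (lo & m) == (hi & m):
            break
        prefix_len -= 1
    return f"{int_to_ip(lo & prefix_to_mask(prefix_len))}/{prefix_len}"


def aggregates_exactly(cidrs: list[str]) -> bool:
    """True when the supernet covers exactly the listed networks and nothing more.

    Three /24s still get a containing /22 from supernet(), but that summary
    also claims a fourth /24 the organization does not hold, so a router
    should not advertise it."""
    merged = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    return len(merged) == 1 and str(merged[0]) == supernet(cidrs)


if __name__ == "__main__":
    blocks = ["213.2.96.0/24", "213.2.97.0/24", "213.2.98.0/24", "213.2.99.0/24"]
    for b in blocks:
        print(f"{b:16} {to_binary(b.split('/')[0])}")
    print("supernet:", supernet(blocks), "mask", int_to_ip(prefix_to_mask(22)),
          "exact" if aggregates_exactly(blocks) else "over-aggregated")
    print("141.14.192.2 with /24:", split_address("141.14.192.2", 24))
```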
IPv6 is capable of providing a large address space of 128 bits for the increasing demands of internet
users. It has a new packet header format to minimize problems with routing entry overhead.
IPv6 has globally unique addresses with an efficient, hierarchical routing
infrastructure that relies on prefix length rather than address classes. This allows the backbone
routers to keep small routing tables. IPv6 simplifies host configuration with stateless and
stateful address configuration for network interfaces. In IPv6, hosts on a link are capable of
automatically configuring themselves with link-local addresses and with addresses derived from the
prefixes advertised by the local routers. The host sends a request to a local
router for connecting to that network, and the router responds by sending its
configuration parameters. This lets the host configure itself automatically with the available router.
IPv6 is capable of configuring itself even when there are no routers. IPv6 supports unicast and
multicast communication along with a new communication type called anycast.
• Unicast Address: It is used to identify a single node in the network. The four different
categories of Unicast address are:
• Link-local addresses: not meant for routing, but confined to a single network segment.
• Unique local addresses: these assist in private addressing and also avoid the chance
of collision between two subnets.
• Multicast Address: IPv6 packets sent to a multicast address are delivered to a group of
interfaces, usually on different nodes. Only those hosts which are members of the
multicast group can receive the multicast packets. An IPv6 multicast address is routable, and
routers forward multicast packets to all the members of the multicast group.
The IPv6 notation consists of eight groups of four hexadecimal digits separated by colons. An
example IPv6 address is 2001:cdba:0000:0000:0000:0000:3257:9652. Groups of zeros in an IPv6
address may be shortened to a single zero or omitted entirely. For example:
• 2001:cdba:0000:0000:0000:0000:3257:9652
• 2001:cdba:0:0:0:0:3257:9652
• 2001:cdba::3257:9652
IPv6 addresses use Classless Inter-Domain Routing (CIDR) notation. A subnet using the
IPv6 protocol consists of a group of IPv6 addresses whose size is a power of two.
The initial bits of the IPv6 address form the network prefix, and the number of bits in the network
prefix is written after a forward slash ('/'). For example, 2001:cdba:9abc:5678::/64 represents the
addresses beginning with 2001:cdba:9abc:5678.
• IPv6 addresses with embedded IPv4 addresses are universal unicast addresses that have the binary
prefix 000
• One of the transition techniques to IPv6 provides a means for nodes and routers to dynamically
create IPv6 tunnels, allowing IPv6 packets to be carried over an IPv4 infrastructure
• Nodes that implement this method are assigned a special IPv6 address, which carries an IPv4
address in its 32 least significant bits. This type of address is called an IPv4-compatible IPv6 address; its
format is shown below:
Prefix (96 zero bits) | IPv4 address
0000:0000:0000:0000:0000:0000:143.23.234.211
• The IPv4 address used inside an IPv4-compatible IPv6 address must be a public, globally routable IPv4 address
IPv4-compatible addresses obtained from public IPv4 addresses allow IPv6 hosts to connect
over the IPv4 internet infrastructure. The IPv6 packet is encapsulated within an IPv4 header, which
eliminates the need for IPv6 routers along the path.
The IPv4-compatible IPv6 address allows IPv6 devices to embed IPv4 addresses in the IPv6 address
and communicate through the IPv4-connected network. The IPv4-compatible IPv6 address has a distinct format,
with the first 96 bits set to all zeros, followed by a dotted-decimal IPv4 address.
The host or router at each end of an IPv4-compatible tunnel must support both the IPv4 and
IPv6 protocol stacks. IPv4-compatible tunnels must be configured between border routers or
between a border router and a host. Using IPv4-compatible tunnels is an easy method to create
tunnels for IPv6 over IPv4, but the technique does not scale for large networks.
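As an added illustration (not part of the EC-Council courseware) that serves both the IPv6 notation rules and the IPv4-compatible address format above, the following Python expands and compresses the zero groups, applies a /prefix length, and builds or recognizes an address whose first 96 bits are zero and whose low 32 bits carry an IPv4 address. The sample addresses are the module's own; the function names are the author's, and the "public, globally routable" requirement is checked with Python's standard ipaddress module.

```python
# Added example (not from the CND courseware): IPv6 text handling as the
# module describes it, plus the IPv4-compatible (::a.b.c.d) form.
from __future__ import annotations
import ipaddress

_HEX = set("0123456789abcdefABCDEF")


def expand_ipv6(text: str) -> list[int]:
    """Textual IPv6 address -> its eight 16-bit groups.

    Accepts the full form, the '::' shorthand (at most once) and a trailing
    dotted-decimal IPv4 part such as ::143.23.234.211.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "." in text:                              # trailing dotted IPv4 part
        head, _, v4 = text.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad embedded IPv4 address: {v4}")
        text = f"{head}:{octets[0]:02x}{octets[1]:02x}:{octets[2]:02x}{octets[3]:02x}"
    if "::" in text:
        left, right = text.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        if len(lg) + len(rg) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = text.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 or set(g) - _HEX for g in groups):
        raise ValueError(f"malformed IPv6 address: {text}")
    return [int(g, 16) for g in groups]


def compress_ipv6(groups: list[int]) -> str:
    """Eight groups -> shortest text form: lowercase, no leading zeros, and the
    longest run of two or more zero groups replaced by '::' (first run on a tie)."""
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + [None]):      # sentinel flushes the last run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def network_prefix(text: str, prefix_len: int) -> str:
    """Apply a CIDR prefix length: keep the leading prefix_len bits, zero the rest."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    value = 0
    for g in expand_ipv6(text):
        value = (value << 16) | g
    masked = value & (((1 << prefix_len) - 1) << (128 - prefix_len))
    groups = [(masked >> shift) & 0xFFFF for shift in range(112, -1, -16)]
    return f"{compress_ipv6(groups)}/{prefix_len}"


def embedded_ipv4(groups: list[int]) -> str | None:
    """Dotted IPv4 carried in the low 32 bits of an IPv4-compatible IPv6 address,
    or None when the first 96 bits are not all zero. :: and ::1 are the unspecified
    and loopback addresses, not embedded IPv4, so they are excluded as well."""
    if any(groups[:6]) or (groups[6] == 0 and groups[7] in (0, 1)):
        return None
    return ".".join(str(b) for b in (groups[6] >> 8, groups[6] & 0xFF,
                                     groups[7] >> 8, groups[7] & 0xFF))


def ipv4_compatible(v4: str) -> str:
    """Build the IPv4-compatible IPv6 text form; the module requires a public,
    globally routable IPv4 address inside it, so reject private ranges."""
    if not ipaddress.IPv4Address(v4).is_global:
        raise ValueError(f"{v4} is not a public, globally routable IPv4 address")
    return "::" + v4


if __name__ == "__main__":
    full = "2001:cdba:0000:0000:0000:0000:3257:9652"
    print(full, "->", compress_ipv6(expand_ipv6(full)))
    print(network_prefix("2001:cdba:9abc:5678:1:2:3:4", 64))
    compat = ipv4_compatible("143.23.234.211")
    print(compat, "carries", embedded_ipv4(expand_ipv6(compat)))
```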
CND Triad
Computer network defense (CND) involves protecting, monitoring, analyzing, detecting and
responding to unauthorized activities on the network, and ensures the overall (defense-in-
depth) security of the network. Unauthorized or illegal activities may include
interrupting, damaging, exploiting or restricting access to networks or computing resources, and
stealing data and information from them.
CND is part of Computer Network Operations (CNO), which deals with the overall network
security achieved through detection, prevention, analysis of, and response to various network
attacks.
[Figure: the CND triad properties]
Integrity: Ensures information is not modified or tampered with by unauthorized parties (illustrated by a man in the middle between an authorized user and the server)
Availability: Ensures information is available to authorized parties without any disruption (illustrated by services unavailable to an authorized user)
Non-repudiation: Ensures that a party in a communication cannot deny sending the message (illustrated by a user denying a transaction)
Authentication: Ensures the identity of an individual is verified by the system or service (illustrated by an authorized and an unauthorized user accessing a server)
CND employs Information Assurance (IA) principles, which enforce taking appropriate
countermeasures and response actions upon a threat alert or detection. Network operators
should apply information assurance principles to evaluate whether data is sensitive and
to handle situations where security implications arise on the network. This assists them in
identifying network security vulnerabilities, monitoring the network for any intrusion attempts
or malicious activity, and defending the network by mitigating vulnerabilities.
CND should address the following Information Assurance (IA) principles to achieve defense-in-
depth network security:
• Availability: Availability is the process of protecting the information systems or networks
that hold the sensitive data to make them available for the end users whenever they
request access.
• Confidentiality: Confidentiality allows only authorized users to access, use or copy
information. Authentication works closely with confidentiality: if the user is not
authenticated, they will not be granted access to confidential information. If a non-
authorized user accesses the protected information, it implies that a breach of
confidentiality has occurred.
• Integrity: Integrity protects the data and does not allow modification, deletion or
corruption of data without proper authorization. This information assurance principle also
works closely with Authentication to function properly.
CND is the combined use of technology, operations, and people involved in achieving
defense-in-depth network security.
[Figure: the CND triad of Technology, Operations and People, each facing attacks]
• Proxy servers: The main aim in placing a proxy server in the network is to conceal the
original IP address from attackers and thereby increase the level of security in the
network. Proxy servers can also serve user requests faster by means of caching.
• Antivirus protection: The main aim in implementing anti-virus in the system is to secure
the data and systems from viruses, botnets, Trojans, etc. These malware programs can
actually gain the username and passwords of the user on the victim machine or
compromise the data contained in a system. The anti-virus can alert the user regarding
the presence of any malware program in the system.
• Product evaluation based on common criteria: The main aim in implementing the product
evaluation is to ensure that the IT products meet the security standards required for
deployment in the networks. The IT products need to meet the common criteria defined
for each specific product. Meeting the common criteria ensures the security of the IT
products deployed in the network.
• Password security: The main aim in implementing password security is to ensure
complete security of passwords against all types of password attack. It protects
passwords from brute-force attacks and eavesdropping. The password
security mechanism persuades users to use long and complex passwords. It also introduces
mandatory policies that each user needs to follow while creating passwords,
thereby minimizing the chances of an attack on passwords.
• DMZ (demilitarized zones): The main aim in implementing the DMZ is to ensure the
security of an organization's local area network from an untrusted network. The
demilitarized zone can provide an extra layer of security to the network and prevent the
attackers from accessing the internal servers and data through the internet.
• Network logs audit: The main aim in implementing the network logs audit is to monitor
the activities of a network. The review of network audits can actually increase the security
of the network.
Performing the following operations helps organizations maintain the security of their assets:
• Creating and enforcing security policies: Network operators need written security policies
to monitor and manage a network efficiently. These policies set appropriate expectations
regarding the use and administration of information assets on a network. Security policies
describe what to secure on the network and the ways to secure them.
• Planning business continuity and disaster recovery: There are various threats and
vulnerabilities to which business today is exposed, such as natural disasters, acts of
terrorism, accidents or sabotage, outages due to an application error, hardware or
network failures. Planning business continuity and disaster recovery is the act of
proactively working out a way to prevent and manage the consequences of a disaster,
limiting it to a minimum extent.
• Ensure that the professionals they hire are prepared to conduct forensic activities.
• Ensure that their policies contain clear statements about forensic considerations.
• Create and maintain procedures and guidelines for performing forensic activities.
• Ensure that their security policies and procedures support the use of forensic tools.
• Providing security awareness and training: Some of the threats to network security come
from within the organization. These inside attacks can be from uninformed users who can
do harm to the network by visiting websites infected with malware, responding to
phishing e-mails, storing their login information in an unsecured location, or even giving
out sensitive information over the phone when exposed to social engineering. Network
managers should make sure that the company's employees are not making costly errors
that can affect network security. They should institute company-wide security-awareness
training initiatives including training sessions, security awareness website(s), helpful hints
via e-mail, or even posters. These methods can help ensure employees have a solid
understanding of the company security policy, procedures and best practices.
[Figure: the people involved in network defense: Security Analysts, Network Technicians, End Users, Informed Leadership]
Network defense relies on the people involved in network operations. People are a crucial
element of any organization's network security approach. The degree to which people
embody a culture of security will significantly influence that organization's ability to protect
key assets. The people involved are responsible for maintaining, repairing and managing
network and computer systems to improve their performance. They explore and solve network
problems logically and consistently. They monitor the network for vulnerabilities before an
outsider can exploit them. These people make use of CND technologies and operations to design
and implement a robust and secure network.
• Network Security Engineer: The network security engineer mainly develops the
countermeasures required for any cyber related issues in an organization. They monitor
and manage the IT issues.
• Security Architects: The security architect supervises the implementation of the computer
and network security in an organization. They need to find methods to implement the
network and computer security in an efficient manner.
• Security Analysts: The security analyst maintains the privacy and integrity of the internal
network in an organization. They need to evaluate the efficiency of the security measures
implemented in an organization.
• Network Technicians: The network technician manages the hardware and software
components of an organization. They fix and repair the issues related to these
components.
• End Users: The end user refers to the people who use the end product deployed by an
organization. The end user can access the developed products through Desktop, Laptop,
iPads, Smart Phones, etc.
A Blue team is an internal security team that helps in building a strong Computer Network
Defense (CND) for the network. The Blue team is the defending side of a Red/Blue team exercise.
The Blue team defends the network from both real and red team attacks. Blue
team security professionals have direct access to the network. The Blue team is responsible for
detecting the attacks and, in a limited form, for protecting the hosts. They identify known
vulnerabilities on systems and do not address the requirements for an overarching security
infrastructure. The goal of the Blue team is to detect the attacks and execute some counter-
measures to slow down or confuse the attackers.
• The Blue team protects the network against attacks by the red team.
• The Blue team must gain knowledge of the threat actor's Tactics, Techniques and
Procedures (TTPs) and prepare counter approaches to defend the network.
• Find the operational readiness and incident response capabilities of the network using
various tools and techniques.
• Assess the ability of internal network defenses to eliminate attacks from advanced
threat actors.
• Advantages of Blue Teaming:
• Blue team members gain complete knowledge of the existing network defense.
• Forming Blue teams helps by improving the training of network defenders to protect
the network.
Network Defense-In-Depth
• DID is achieved by ensuring security at each of the network layers
Defense in depth is a security strategy in which several protection layers are used throughout
an information system. Defense-in-depth involves implementing security controls at different
layers of network stack. It imposes a complex defense layered structure thereby making it
difficult for the attackers to penetrate into the system and achieve their goal.
This strategy uses the military principle that it is more difficult for an enemy to defeat a
complex and multi-layered defense system than to penetrate a single barrier. Defense in depth
helps to prevent direct attacks against an information system and its data because a break in
one layer leads the attacker only to the next layer. If a hacker gains access to a system, defense-
in-depth minimizes any adverse impact and gives administrators and engineers time to deploy
new or updated countermeasures to prevent a recurrence of intrusion or stop an intrusion
from going any deeper.
• Policies, Procedures, and Awareness: This is the first level of countermeasures that every
organization must design and implement. It includes enforcing security policies to avoid
misuse of resources or restrict unauthorized operations on the organization's resources.
• Physical: It involves ensuring security of organization assets from various physical threats.
[Figure: defense-in-depth layers of an organization network, shown as Security Policies, Procedures, and Awareness; Physical Security; Perimeter Security (facing the Internet); Internal Network Security (intranet servers and workstations); Application Security; Data Security]
The first line of defense against attacks is the firewall, which can be configured to allow/deny
traffic. Installing and configuring the Next-Generation firewalls with capabilities such as
application control, identity awareness, IPS, web filtering, and advanced malware detection can
increase complexity for the attacker to bypass them.
IDS/IPS is the second line of defense mechanism for a network even though it is included in the
firewall as first line of defense. Having your IPS properly optimized and monitored is a good way
to detect and block attackers that get past the first castle defense.
The network administrator should consider the following factors while developing and
designing a secured network:
• Protecting the network from attacks that come from the internet.
• Protecting public servers such as web, e-mail and DNS servers.
• Developing guidelines for the administrators to handle the network in a secure manner.
• Enabling intrusion detection and logging capabilities.
Network designers need to take care of certain policies that help in the careful and efficient
management of the organization. The policies created should follow the company standards
and should include criteria like number of human resources needed, cost for securing the
network etc. The network designer can proceed with the network design after the creation of
these policies.
The CND process specifies the prevention, detection and response actions to security incidents
in order to ensure complete computer network defense. It should be a continuous process. The
following phases of the CND process assist network administrators in implementing network
security effectively:
• Detecting: It involves determining and identifying any abnormalities and their location in
the network. It includes identifying what is abnormal for the network.
• Analyzing: It involves actions which include confirming the incidents, finding their root
causes, and planning a possible course of action for an incident. It includes deciding
whether the incident is an actual security incident or a false positive.
• Responding: It involves a set of actions taken to mitigate the impact of an attack on the
network. It includes incident response, investigation, containment, and eradication steps
for responding to the incidents.
[Figure: security defense approaches. Preventive Approaches: Access Control ► Firewall; Admission Control ► NAC & NAP; Cryptographic Applications ► IPSec & SSL; Biometric Security ► Biometrics. Fault Finding ► Protocol Analyzer, Traffic Monitors. Retrospective Approaches: CSIRT; Security Forensics; CERT; Post Mortem Analysis ► Legal/Risk Assessor]
There are three main classifications of security defense techniques used for identification and
prevention of threats and attacks in the target network.
• Preventive Approach: The preventive approach basically consists of methods or
techniques that can easily avoid the presence of threats or attacks in the target network.
The preventive approaches mainly used in the network are as follows:
[Chart: most common network attacks by share: Denial-of-Service, Brute-Force, Others, Browser, ShellShock, SSL, Botnet, Backdoor (source: http://www.calyptix.com)]
According to the latest Threat Report from McAfee Labs, the statistics for the most common
network attacks detected are shown in the chart. The chart aggregates data from the
company's network of millions of sensors across the globe. According to the report, Denial of
Service (DoS) attacks top the list and are the most common attack against organizations'
networks. DoS attacks are very common, accounting for more than one-third of all network
attacks reviewed in the report. Password brute-forcing attempts are also frequently
made to gain unauthorized access to network resources. Browser-based attacks target end
users who are browsing the Internet. The attacks may encourage them to unwittingly download
malware disguised as a fake software update or application. Malicious and compromised
websites can also force malware onto visitors' systems. Attackers are also exploiting
vulnerabilities found in Bash, a common command-line shell for Linux and Unix systems, in order
to install malware that sends spam campaigns and launches DDoS attacks. SSL attacks aim to intercept
data that is sent over an encrypted connection. A successful attack enables access to the
unencrypted information. SSL attacks account for 6% of all network attacks analyzed.
Source: http://www.calyptix.com
This module discusses the various network threats, vulnerabilities, and attacks that an attacker
can carry out to compromise network security. The module will teach you the different types of
network threats, why they arise, the possible sources they come from, etc. The module
also discusses the different levels of attacks that are carried out against the network and the
types of vulnerabilities that exist in the network.
Essential Terminologies
[Slide: Attack: an assault on the system security derived from an intelligent threat; an attack is any action violating security]
In the field of information security, Internet and computer security people often use the
following terms interchangeably: threats, vulnerabilities and attacks. Many people confuse
these terms. However, they are different and have a distinct meaning even though they are
interrelated. Therefore, it is necessary to understand and differentiate between them.
Threat
Threat is a potential occurrence of an undesired event that can eventually damage and
interrupt the operational and functional activities of an organization. A threat can affect the
integrity and availability factors of an organization. The impact of threats is very high and it can
affect the existence of the physical IT assets in an organization. The existence of threats may be
accidental, intentional or due to the impact of some other action.
Vulnerability
Vulnerability is the existence of a weakness, design, or implementation error that, when
exploited, leads to an unexpected and undesired event compromising the security of the
system. Simply put, a vulnerability is a security loophole that allows an attacker to enter the
system by bypassing various user authentications.
Attack
An attack is an action taken towards breaching an IT system's security through vulnerabilities.
In the context of an attack on a system or network. It also refers to malicious software or
For example,
• Buffer overflows
• Cross-site scripting
• SQL injection
• Canonicalization attacks
Attacks on networks are increasing at a fast rate. Constant attacks on the network are a
major issue in the computing world. Organizations are raising funds for securing their
networks. Network security concerns affect the availability, confidentiality and integrity of the
information present in an organization. Attackers are exploiting loopholes existing in security-
related technologies. Administrators need to be more vigilant toward the newer attacks that
can occur in the network. Network administrators need to categorize the types of attacks
occurring in the network.
Designing and implementing a network is an easy task, but maintaining the security of the
network is a difficult task. Attackers are using various exploitation tools to gain access to the
network and its resources.
The organization's network can also be at risk for different types of attacks from the inside. The
employees of an organization can at times pose a threat to the security of the company's
network. Insider threats can be more dangerous than external ones.
Attackers perform network attacks to take control of a computer, for curiosity and excitement,
for publicity and fame, for financial gains, to spy or corporate espionage, get information about
the organization and to disrupt the proper working of an application or service.
The organization needs to implement tasks that monitor and identify the attacks in the network
on a daily basis. The sharing of information and resources across the computers in a network
can attract intruders wanting to gain access to that information. The organization may consider
taking certain protective steps to prevent any kind of unauthorized access to its network.
Administrators can locate the various areas of continuous attacks, thereby assisting the
organization in planning for security.
End-user carelessness
End user carelessness has a huge impact on network security. Human behavior is
susceptible to various types of attack and tends to lead to more serious attacks on the network,
including data loss, information leakage, etc. Intruders gain sensitive information through
various social engineering techniques. If users share account information or login credentials,
this leads to the loss of data or exploitation of the information. Connecting systems to an
unsecured network can also lead to attacks from a third party.
External Threats: Arise from individuals who do not have direct access to the network
Unstructured Threats: Arise from unskilled individuals who attack the network out of curiosity
Structured Threats: Arise from individuals who are highly motivated and technically competent
• Internal
• External
Internal Threats
Around 80% of computer and Internet-related crimes are insider attacks. These are
performed by insiders within the organization, such as disgruntled employees, negligent
employees, etc., and harm the organization intentionally or unintentionally (by accident). Most
of these attacks are performed by privileged users of the network.
The reasons behind insider attacks could be revenge, disrespect, frustration, or lack of security
awareness. Insider attacks are more dangerous compared to external attacks because insiders
are familiar with the network architecture, security policies and regulations of the organization.
Additionally, security on the inside is not as strong, because organizations focus on protection
from external attacks.
External Threats
External attacks are performed by exploiting vulnerabilities already existing in the network. The
attacker does it for the sake of curiosity, financial gain or reputation damage to the target
organization. External attackers can be any user who is well-versed in attacking techniques, or
a group of users who work together to support a cause or political motive, or competitor
companies engaging in corporate espionage, or countries conducting surveillance, etc. Attackers
performing external attacks have a predefined plan and use specialized tools and techniques to
successfully penetrate the network.
The external attack depends on which weakness exists, and that weakness is then exploited to perform the
attack. These attacks are performed without the assistance of insider employees. Some of the
external attacks include application and virus-based attacks, password-based attacks, instant
messaging-based attacks, network traffic-based attacks, and operating system-based attacks.
External threats are classified into two types: structured and unstructured
external threats.
[Figure: structured and unstructured external threats reaching the internal network from outside, and an internal threat originating from a compromised host inside the internal network]
Loss of Privacy
Data Loss/Theft
Disruption of Business
Any type of attack on a business can bring the entire business process to a standstill. A
breach in security leads to a loss of critical business and user information.
Loss of Productivity
An exploited business network suffers heavy production losses. The loss incurred due
to an attack has to be recovered either from data backups or by users reworking the
data. Recovery of data after a network attack is a time-consuming process.
Loss of Privacy
Because all of its confidential data has leaked, the organization faces heavy losses of its
private data, which also leads to legal issues.
Theft of Information
An attack on the network leads to a raid of the information by attackers. A raid of personal and
professional information of the company's employees through such attacks affects those
employees directly. If the attack gets into a customer database, then customers are
affected too, and this leads to huge problems.
Legal Liability
A case can be filed against the attackers; the applicable laws differ between countries. With proper
evidence of the incident, an organization can file a lawsuit if its security is breached. The
same is true for customers: if their private and personal information, such as credit
card numbers, social security numbers and addresses, is stolen, then depending on the
circumstances they may also have the right to bring a lawsuit against the company.
Vulnerabilities                    Description
TCP/IP protocol vulnerabilities    HTTP, FTP, ICMP, SNMP, SMTP are inherently insecure
System account vulnerabilities     Arising from setting weak passwords to system accounts
Lack of Continuity                 Lack of continuity in implementing and enforcing the security policy
Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Technological vulnerabilities
A technological vulnerability exists due to an inherent weakness in the operating system,
printers, scanners or other networking equipment. Attackers can detect loopholes in protocols
like SMTP, FTP and ICMP. Attackers detect the lack of authentication in networking equipment
like switches and routers, leading to an intrusion. Regular security audits by the network
administrator or information security officer will help keep track of any irregular activities on
the network.
Configuration vulnerabilities
Configuration vulnerabilities exist due to the misconfiguration of computing and network
devices. They exist when an administrator configures a user account or the system services
insecurely, leaves the default settings in place, manages passwords improperly, etc.
[Slide: types of network attacks. Labels: Reconnaissance Attacks, Access Attacks]
Organizations are facing challenges in maintaining the security of their network, as the number
of attacks on a network is growing day by day. Attackers or hackers are finding new ways of
getting into networks. The motive behind the attacks differs based on the objective of
each attacker. Some attackers want to steal the hardware and software, while others perform
actions that reduce the bandwidth of the network resources, and others are after customer
data. The network administrator, on the other hand, needs to be highly efficient in identifying
these attacks and have knowledge of what each of these different types of attacks is.
Reconnaissance attacks
A reconnaissance attack refers to a technique in which the attackers gather information
about the network and organization, helping them perform attacks more easily. Gathering
information about a network allows attackers to recognize any potential weaknesses it may
have.
Access Attacks
After gaining information about the target network, attackers then try to gain access by using
various exploitation techniques. These are the attempts made towards gaining access to the
system or network. This is called an access attack and it includes gaining unauthorized access,
brute force, privilege escalations, man-in-the-middle, etc.
Denial-of-service
In a denial-of-service attack, attackers attempt to deny services to
customers, users and/or the organization. A DoS attack does not lead to any loss or theft of
information, but it can affect the organization financially due to the downtime. DoS
attacks can also affect the files and other sensitive information stored on a system, as well as the
working of any website. Websites are brought down using this method.
Malware attacks
Malware attacks affect the system or network either directly or indirectly. They cause an
adverse impact on how the network functions. Malware is a program or a file that poses a
threat to a computer system. The different types of malware include Trojans, Viruses and
Worms.
Reconnaissance Attacks
Attackers gain the network information using different techniques such as:
• DNS Footprinting
• System Enumeration
• TCP and UDP Services Running
• Access Control Mechanisms and ACLs
• IDSes Running
In reconnaissance attacks, attackers make an attempt to discover all the possible information
about a target network, including information systems, services and vulnerabilities which may
exist in the network.
The major objectives of a reconnaissance attack include collecting the target's network
information, system information, and organizational information. By carrying out
reconnaissance at various network levels, the attacker gains information such as network
blocks, network services and applications, system architecture, intrusion detection systems,
specific IP addresses, and access control mechanisms. With a reconnaissance attack, the
attacker also collects information such as employee names, phone numbers, contact addresses,
designation, work experience, etc., which leads to social engineering and other phases of
the intrusion into the corporate network.
utilities to perform illegal activities such as stealing sensitive data, attacking other systems,
sending forged emails from the system and deleting data.
Active reconnaissance attacks mostly include port scans and operating system scans.
Here, the attacker uses tools to send packets to the target system. For example, the
traceroute tool helps gather all the IP addresses for the routers and firewalls. The attacker
also gathers more information regarding the services running on the target system.
Passive reconnaissance attacks use the method of gaining information from the traffic.
Here, the attackers perform sniffing that helps them gain all the details regarding the
weaknesses in the network. The attackers use various tools to gain information about the
target.
Reconnaissance Attacks:
ICMP Scanning
• An attacker sends an ICMP ECHO request to detect live hosts in a network
[Screenshot: Zenmap, http://nmap.org]
During ICMP scanning, the attacker sends ICMP packets to the system to gather all necessary
information about it. ICMP scanning helps an attacker determine which hosts are running in a
network. They are detected by pinging them with the help of scanning tools such as NMAP.
NMAP uses the -P option to ICMP-scan in parallel, which can happen very quickly.
The Internet Control Message Protocol (ICMP) scanning technique works on one host system at
a time. It sends ICMP ECHO Requests to a single host using the ping utility or third-party tools. If
the host is live, it returns an ICMP ECHO Reply. This technique also locates the active devices
or determines whether ICMP is passing through a firewall.
Reconnaissance Attacks:
DNS Footprinting
• An attacker gathers DNS information to determine the key hosts in the network and perform social
engineering attacks
• They use DNS interrogation tools to perform DNS footprinting
• DNS records provide important information about the location and type of servers
[Screenshot: DNS records for yahoo.com from http://centralops.net, showing name, class, type, data and time to live for SOA (indicates authority for the domain), A, MX and NS records]
DNS footprinting reveals information about the DNS zone. DNS zone data includes the DNS domain
names, computer names, IP addresses, and much more about a particular network. An attacker
uses the DNS information to determine key hosts in the network, and then performs social
engineering attacks to gather even more information.
When the attacker queries the DNS server using a DNS interrogation tool, the server responds
with a record structure that contains information about the target DNS. DNS records provide
important information about the location and type of servers.
An attacker uses Nmap to extract information such as live hosts on the network, services (application name
and version), type of packet filters/firewalls, operating systems and OS versions
[Screenshot: Zenmap output of a SYN Stealth Scan of 192.168.0.89 (65535 ports), listing open ports such as 21, 88, 135, 139, 445 and several ports above 49000 running Microsoft Windows RPC, the host's MAC address (Microsoft) and a TCP/IP fingerprint with no exact OS match. Source: http://nmap.org]
Nmap is a network discovery and security-auditing tool and is one of the most popular tools
attackers use for network discovery. An attacker mostly uses the Nmap utility to extract all the
necessary information from the target.
Attackers use Nmap to determine what hosts are available on the network, what services
(application name and version) those hosts are offering, what operating systems (and OS
versions) they are running, what type of packet filters/firewalls are in use, and dozens of other
characteristics.
Network administrators also find this tool useful for security auditing tasks such as network
inventory, managing service upgrade schedules, and monitoring host or service uptime.
Source: http://nmap.org
Reconnaissance Attacks:
Port Scanning
• Attackers may use various techniques to find open ports on the target
• Attackers use NMAP to perform port scanning
[Screenshot: Zenmap running "nmap 192.168.0.97" with Nmap 6.48 (http://nmap.org): ARP Ping Scan, parallel DNS resolution, then an XMAS Scan of 1000 ports; the report shows the host is up, all 1000 scanned ports are open|filtered, the MAC address vendor is Dell, and 1 IP address (1 host up) was scanned in 23.94 seconds]
Port scanning is the process of checking what services are running on the target computer by
sending a sequence of messages in an attempt to break in. Port scanning involves connecting to
or probing TCP and UDP ports on the target system to determine whether services are running or
in a listening state. The listening state provides information about the operating system and
the application currently in use. Sometimes, active services that are listening may allow
unauthorized users access to misconfigured systems or software that is running with
vulnerabilities. Port scanning techniques help to identify and list all the open ports on a
targeted server or host.
Attackers use various port scanning utilities such as NMAP, NetScan Tools Pro, SuperScan
and PRTG Network Monitor to detect open ports on the target. These tools help an attacker
probe a server or host on the target network for open ports. Open ports are the doorways
through which malware gets onto a system.
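The ICMP scanning and port scanning sections above describe what the attacker's probes look like on the wire; the defender's side is spotting them in logs. The following is an added example, not code from the courseware or from Nmap: it reads firewall-style log lines in a constructed format (assumed here, not any product's real format), and flags one source pinging many distinct hosts (an ICMP sweep) or sending SYNs to many distinct ports on one host (a port scan) within a time window. The thresholds and window are assumptions to be tuned per network.

```python
"""Detect ICMP sweeps and TCP port scans in firewall-style log lines.

Added example; the log line format and the sample lines below are
constructed for illustration and are not any particular firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed format: "<iso-timestamp> src=<ip> dst=<ip> proto=<icmp|tcp> [type=N] [dport=N] [flags=S]"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?(?: flags=(?P<flags>\w+))?"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _max_distinct_in_window(events, window):
    """Largest number of distinct values seen inside any sliding time window.

    events is a list of (timestamp, value); O(n^2) worst case, fine for a demo.
    """
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in events[start:end + 1]}))
    return best


def detect_scans(lines, window=timedelta(seconds=60), sweep_hosts=8, scan_ports=15):
    """Return (source, kind, count) alerts.

    kind is "icmp_sweep" when one source sends ICMP echo requests (type 8)
    to at least `sweep_hosts` distinct hosts inside `window`, and
    "port_scan" when one source sends TCP SYNs to at least `scan_ports`
    distinct ports on a single host inside `window`.
    """
    echo = defaultdict(list)   # src -> [(ts, dst)]
    syn = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp" and ev["type"] == "8":
            echo[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "tcp" and ev["flags"] == "S" and ev["dport"]:
            syn[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))

    alerts = []
    for src, events in echo.items():
        n = _max_distinct_in_window(events, window)
        if n >= sweep_hosts:
            alerts.append((src, "icmp_sweep", n))
    for (src, dst), events in syn.items():
        n = _max_distinct_in_window(events, window)
        if n >= scan_ports:
            alerts.append((src, "port_scan", n))
    return alerts


# Constructed sample: 10.0.0.5 pings ten hosts, then SYN-probes twenty ports on
# one host; 10.0.0.7 is an ordinary workstation and must not be flagged.
SAMPLE_LOG = (
    [f"2024-03-01T09:00:{i:02d} src=10.0.0.5 dst=10.0.0.{100 + i} proto=icmp type=8"
     for i in range(10)]
    + [f"2024-03-01T09:01:{i:02d} src=10.0.0.5 dst=10.0.0.120 proto=tcp dport={20 + i} flags=S"
       for i in range(20)]
    + ["2024-03-01T09:00:30 src=10.0.0.7 dst=10.0.0.120 proto=tcp dport=443 flags=S",
       "2024-03-01T09:00:31 src=10.0.0.7 dst=10.0.0.1 proto=icmp type=8"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```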
Reconnaissance Attacks:
Social Engineering Attacks
Social engineering is the art and science of convincing (tricking) people to provide personal or
business information. This is one way an intruder chooses to step into an organization.
Intruders gain unauthorized access through developing trust relationships with employees.
Social engineering refers to the method of influencing and persuading people to reveal
sensitive information in order to perform some malicious action. With the help of social
engineering tricks, attackers can obtain confidential information, authorization details, and
access details of people by deceiving and manipulating them. They can find out which people are
on vacation or going on vacation, where they work, and the security measures in place, or simply
listen to employees talking about their work day.
Attackers can easily breach the security of an organization using social engineering tricks. All
security measures adopted by the organization are in vain when employees get "social
engineered" by strangers. Some examples of social engineering include unwittingly answering
the questions of strangers, replying to spam email, and bragging in front of co-workers. Even
answering questions on a phone call can lead to social engineering. Employees must be trained
properly to recognize these tricks and taught how to counter them when necessary.
Prior to performing a social engineering attack, an attacker gathers information about the
target organization from various sources such as:
• Official websites of the target organization, which reveal employee IDs, names, and
email addresses.
• Advertisements of the target organization in print media, such as job postings for
high-tech workers trained in Oracle databases or UNIX servers.
• Blogs, forums, etc. in which employees reveal basic personal and organizational
information.
After gathering enough information about the target organization, an attacker tries to perform
a social engineering attack through various approaches such as impersonation, piggybacking,
tailgating, reverse social engineering, and so on.
Despite having security policies in place, attackers can compromise an organization's sensitive
information by means of social engineering, as it targets the weakness of people.
Social engineering attacks are classified into two types: human-based and
computer-based. In human-based attacks, the physical presence of intruders is required to
extract personal information from the targeted people. In computer-based attacks, intruders
extract the user's credentials remotely by operating on other systems.
• Using common passwords will make a system or application vulnerable to cracking attacks.
The most common passwords used are: password, pa$$w0rd, root, administrator, admin,
Test, guest, qwerty, or personal information such as name, birthday, names of children, etc.
• Attackers start with cracking passwords and tricking the network device into believing
they are valid users
Password attacks are performed to gain unauthorized access or to get control over a target
computer system. Attackers perform password attacks to steal secrets, make slight
modifications to websites, steal credit card details, get privileges, etc. Generally, passwords are
used to authenticate users with a system. Attackers try to gain these user passwords with
different techniques and authenticate with the system to enjoy the privileges the normal user
has. Attackers perform different techniques to crack the passwords of servers and routers and
get access to the targeted resource.
Hybrid Attack: works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password
An attacker may use different types of techniques to crack passwords. Those are:
Dictionary Attack
The dictionary attack is an attempt to crack a user's password by guessing. Attackers can
guess passwords using a manual or an automated approach. This attack tries to match the most
frequently occurring or commonly used words in day-to-day life. The most common passwords
found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, date of
birth, children's names, addresses and hobbies.
Most users create passwords with the names of birds, famous names and places, etc. These
types of passwords are detected by dictionary attacks. Attackers prepare a dictionary of the
most commonly used words that are likely to be used as a password and try all the
entries to break the password. Dictionary attacks are relatively faster than brute force attacks.
Most networks are not configured with lengthy and complex passwords. So it is easy for
attackers to guess weak passwords and gain access to a network. Passwords that are not case
sensitive are easily guessed by attackers. For example, LAN manager authentication is case
insensitive. So the attacker doesn't need to consider whether the password is uppercase or
lowercase. There are many tools that automate the process instead of typing password after
password.
Hybrid Attack
It works like a dictionary attack, but adds numbers and symbols to the words and tries to crack
the password. These attacks generalize the common things people do to make their passwords
hard to guess. The hybrid attacking tool starts by guessing a dictionary term and creates other
guesses by appending or prepending characters to the dictionary term. It appends or
prepends dates, numbers, alphanumeric characters, etc., to break the password.
Birthday Attack
Birthday attacks use techniques that exploit a property of cryptographic hash functions. The
birthday attack falls under the category of brute-force attacks. The logic of a birthday attack
depends on the birthday problem, which is explained as follows: a probability problem that states
that if there are 23 people in a room, the probability of at least two people having the same date of
birth is more than 0.5. Attackers try to get the birth date of the target employee to crack the
password, because some users create passwords with their birth date. Attackers use
different methodologies, such as probability analysis, to get birth dates.
Similarly, in a birthday attack, it is likely that equal output values are obtained when different input values are
applied to a hash function. The attack depends on the number of collisions
that can occur when applying different values to a hash function.
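As an added example (not from the courseware), the birthday-problem arithmetic the section relies on, carried through exactly for the 23-people case and generalized from 365 birthdays to a hash with a b-bit output, which is what decides how many hash outputs must be seen before a collision becomes likely:

```python
"""Birthday-problem arithmetic behind the birthday attack (added example).

p_collision(n, space) is the probability that at least two of n values drawn
uniformly from `space` possibilities coincide. With space=365 this is the
classic birthday problem; with space=2**bits it is the collision probability
for n outputs of an ideal bits-bit hash function.
"""
import math


def p_collision(n, space=365):
    """Exact probability that n uniform draws from `space` contain a repeat.

    P(all distinct) = prod_{k=0}^{n-1} (space - k) / space, so
    P(collision) = 1 - P(all distinct). Once n exceeds `space` a repeat is certain.
    """
    if n > space:
        return 1.0
    p_distinct = 1.0
    for k in range(n):
        p_distinct *= (space - k) / space
    return 1.0 - p_distinct


def smallest_n_for(p, space=365):
    """Smallest number of draws whose collision probability reaches p."""
    n = 1
    while p_collision(n, space) < p:
        n += 1
    return n


def draws_for_half_collision(bits):
    """Approximate number of outputs of a `bits`-bit hash needed for a 50%
    chance of a collision: sqrt(2 ln 2 * 2^bits), about 1.177 * 2^(bits/2).

    Uses the standard square-root approximation; the exact product above is
    infeasible to iterate for realistic hash sizes, and the approximation is
    what makes the attack cost roughly 2^(bits/2) rather than 2^bits.
    """
    return math.sqrt(2 * math.log(2) * 2 ** bits)


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {p_collision(23):.4f}")
    print(f"draws for 50% collision, 32-bit hash: {draws_for_half_collision(32):.0f}")
```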
[Figure: Sniffing. Labels: Passwords, Email Traffic]
Sniffing involves capturing, decoding, inspecting and interpreting the information inside a
packet on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords,
network details, credit card numbers, etc. Sniffing is generally referred to as a "passive" type of
attack, where the attacker can be silent/invisible on the network. This makes it difficult to
detect, and it is a dangerous type of attack. The TCP/IP packet contains vital information
required for two network interfaces to communicate with each other. It contains fields such as
source and destination IP addresses ports, sequence numbers and the protocol type.
There are three ways to sniff a network:
Internal sniff
A person (who may be an employee of the firm) who is already hooked up to the internal LAN
can run tools to directly capture network traffic.
External sniff
A hacker outside the target network can intercept packets at the firewall level and steal the
information.
Wireless sniff
Regardless of where the hackers are located relative to the network being sniffed, the wide usage of
wireless networks has made it easy to sit near the network and penetrate it to get information.
Access Attacks:
Man-in-the-Middle Attack
• In this attack, the intruder sets up a station in between the client and server
communication system to intercept messages being exchanged
• Interception of the TCP connection allows an attacker to read, modify, and insert
fraudulent data into the intercepted communication
• In the case of an http transaction, the TCP connection between the client and the
server becomes the target
[Figure: MITM connection placed between Client and Server]
A man-in-the-middle attack (also known as MiTM) is a type of attack in which attackers intrude
into an existing connection between two systems to intercept the messages being exchanged
and to inject fraudulent information. It involves snooping on a connection, intruding into a
connection, intercepting messages, and modifying the data. It is basically a type of
eavesdropping attack where communication between two parties is monitored or modified by
a third unauthorized party. With the help of a MiTM attack, an attacker can exploit the real-
time processing of transactions, conversations or transfer of other data. MiTM is a form of a
session hijacking attack.
• Login functionality
• Unencrypted
Access Attacks:
Replay Attack
• A replay attack is an extension of the man-in-the-middle attack that occurs after a two-way communication
is intercepted
• An attacker captures the data to obtain usernames and passwords
• Packets and authentication tokens are captured using a sniffer
• After the relevant info is extracted, the tokens are placed back on the network to gain access
[Figure: Attacker capturing and replaying traffic between a user and a site. Labels: Site, Attacker]
The replay attack is an extension of the MITM attack in which the attacker replays the
information gained from the communication between two parties. The attacker gains the token
used for validating the users accessing the web server by eavesdropping, and later replays the
token to the server after modifications or deletions, thereby gaining access to the session. The
attacker then sends the server response to the user.
In the replay attack, the attacker eavesdrops on confidential information such as credentials,
a session ID or any key that the attacker can later use with the receiver under the pretext of being the
sender. It is one form of a MiTM attack.
For example, suppose user A sends a secret key to user B as a part of an identity verification.
Then attacker C performs eavesdropping and gains the required information. Attacker C can
later use this secret key to send information to user B in the pretext of user A. Then user B
accepts the message as it is properly encrypted.
To perform the replay attack, the attacker needs to get an intermediary control between the
sender and the receiver or achieve an access to the local machine of the sender. Packets are
captured using a sniffer. After the relevant information is extracted, the packets are placed
back on the network.
There are many ways to prevent replay attacks. The sender and the
receiver can use one-time passwords that expire after a certain period of time. The receiver can
validate the sender by matching the password provided by the sender. Even when the attacker
gets the one-time password and initiates a connection with the receiver, the receiver might
send another one-time password different from what the attacker gathered. The attacker sends
the one-time password previously gathered, and it does not match the password sent by the
receiver. Timestamping is another method used to avoid replay attacks: users can ignore
messages sent a very long time ago.
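The two defences just described, a value that is only valid once and a timestamp that bounds how old a message may be, can be combined in one message check. The following is an added example, not code from the courseware: each message carries a timestamp, a random one-time nonce and an HMAC over all three fields under a shared key, and the receiver rejects forged, stale and replayed messages. The message layout, the demo key and the 30-second age limit are assumptions.

```python
"""Replay-resistant message check with a timestamp and a one-time nonce
(added example; message layout, key and age limit are constructed).
"""
import hashlib
import hmac
import os
import time

SHARED_KEY = b"constructed-demo-key"   # constructed; in practice provisioned out of band
MAX_AGE = 30.0                         # seconds a message stays acceptable (assumption)


def _mac(key, body, ts, nonce):
    """HMAC-SHA256 over body, timestamp and nonce, so none can be altered unnoticed."""
    msg = body + b"|" + str(ts).encode() + b"|" + nonce.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(body, key=SHARED_KEY, now=None):
    """Sender side: stamp the body with the current time and a fresh random nonce."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()            # one-time value, never reused by an honest sender
    return {"body": body, "ts": ts, "nonce": nonce, "mac": _mac(key, body, ts, nonce)}


class Receiver:
    """Receiver side: verifies the MAC, the message age and nonce freshness."""

    def __init__(self, key=SHARED_KEY, max_age=MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.seen = {}   # nonce -> timestamp of every message accepted so far

    def accept(self, msg, now=None):
        """Return (ok, reason); ok is False for forged, stale or replayed messages."""
        now = time.time() if now is None else now
        expected = _mac(self.key, msg["body"], msg["ts"], msg["nonce"])
        # 1. integrity/authenticity: a captured message cannot be edited and resent
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 2. timestamping: old captures are refused outright
        if abs(now - msg["ts"]) > self.max_age:
            return False, "stale timestamp"
        # 3. one-time nonce: a capture replayed inside the window is refused too
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        self._expire(now)
        return True, "accepted"

    def _expire(self, now):
        # Nonces older than max_age can be forgotten: step 2 already rejects their messages.
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.max_age:
                del self.seen[nonce]


if __name__ == "__main__":
    r = Receiver()
    m = make_message(b"transfer 100", now=1000)
    print(r.accept(m, now=1005))   # (True, 'accepted')
    print(r.accept(m, now=1006))   # (False, 'replayed nonce')
```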
[Figure: Victim connected to a Web Server over the original connection; the Attacker sniffs the traffic and performs MITM / Replay]
Access Attacks:
Privilege Escalation
• An attacker can gain access to a network using a non-admin user account, leading to gaining
administrative privileges
• An attacker performs a privilege escalation attack which takes advantage of design flaws, programming
errors, bugs, and configuration oversights in the OS and software application to gain administrative
access to the network and its associated applications
• These privileges allow an attacker to view private information, delete files, or install malicious
programs such as viruses, Trojans, worms, etc.
[Figure: Attacker and User. Attacker: "I can access the network using John's user account but I need 'Admin' privileges?"]
In a privilege escalation attack, the attacker gains access to the network and the associated
data and applications by taking advantage of defects in the design, software application, poorly
configured operating systems, etc. Once an attacker has gained access to a remote system with
a valid user name and password, they will attempt to increase their privileges. The attacker
escalates the user account to one with increased privileges, such as
administrator privileges.
An attacker does privilege escalation to perform unauthorized access and privileged operation
on the network or system. An admin account can access more and do more in a network than a
regular user. Basically, privilege escalation takes place in two forms. There is vertical privilege
escalation and horizontal privilege escalation.
• DNS (Domain Name Server) poisoning is the unauthorized manipulation of IP addresses in the domain naming server
cache
• The DNS holds domain name translations of the IP addresses for network devices
• A corrupted DNS redirects a user request to a malicious website to perform illegal activities
[Figure: a User's query for Google and Yahoo through DNS (8.8.8.8) reaches the Google Servers; with a poisoned DNS the User is sent to Malicious Servers instead of the Google Servers]
DNS poisoning is a process in which the user is misdirected to a fake website by providing fake
data to the DNS server. The website looks similar to the genuine site, but it is controlled by the
attacker. It is also called a DNS spoofing attack in which the attacker tries to redirect the victim
to a malicious server instead of the legitimate server. The attacker performs this type of attack
by manipulating the DNS table entries in the DNS system. Suppose the victim wants to access
the website 123.com, the attacker manipulates the entries in the DNS table in such a way that
the victim is being redirected to the attacker's server instead. This can be done by changing the
IP address of 123.com to the attacker's malicious server IP address. The victim connects to the
attacker's server without their knowledge. Once the victim connects to the attacker's server,
the attacker can compromise the victim's system and steal data.
Access Attacks:
DNS Cache Poisoning
• DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS
query is redirected to a malicious site
• If the DNS resolver cannot validate that the DNS responses are coming from an authoritative source, it will cache
the forged DNS entries locally and serve this forged DNS to users when someone makes the same DNS request
[Figure: a user asks "What is the IP address of www.xsecurity.com"; the Rogue DNS controlled by the Attacker answers with the address of a Fake Website]
The DNS system uses cache memory to hold recently resolved domain names. It is
populated with recently used domain names and their respective IP address entries. When a user
request is received, the DNS resolver first checks the DNS cache; if the domain name that the
user requested is found in the cache, the resolver returns its respective IP address quickly,
reducing the traffic and time needed for DNS resolving.
Attackers target the DNS cache and make changes or add entries to it. The attacker replaces the
user-requested IP address with the fake IP address. Then, when the user requests the domain
name, the DNS resolver checks the entry in the DNS cache and picks the matched (poisoned)
entry. The victim is redirected to the attacker's fake server instead of the authorized server.
• Address Resolution Protocol (ARP) is a protocol used for mapping an IP address to a physical machine address which is recognized in
the local network
• ARP spoofing/poisoning involves sending a large number of forged entries to the target machine's ARP cache or overloading a switch
[Figure: User B asks "Hey 10.1.1.1, are you there?"; the switch broadcasts the ARP request onto the wire; the legitimate user responds to the ARP request; the Attacker sends an ARP request and reply to user A spoofing user B's MAC address, so information for IP address 10.1.1.1 is now being sent to MAC address 9:8:7:6:5:4]
ARP poisoning is an attack in which the attacker tries to associate their own MAC address with
the victim's IP address so that the traffic meant for that IP address is sent to the attacker. ARP
(Address Resolution Protocol) is a TCP/IP protocol that maps IP network addresses to the
hardware addresses used by the data link protocol. Using this protocol, you can
easily get the MAC address of any device within a network. Apart from the switch, host
machines also use ARP to obtain MAC addresses. A host uses ARP when it wants to send a
packet to another device, because it has to place the destination MAC address in the packet
it sends; to write that address, the host must know the MAC address of the destination machine. The
MAC address table (ARP table) is maintained in several places, including in the operating system.
ARP resolves IP addresses to the MAC (hardware) address of the interface that data is sent to. If a
machine sends an ARP request, it normally assumes that the ARP reply comes from the right
machine. ARP provides no means to verify the authenticity of the responding device. In fact,
many operating systems implement ARP so trustingly that devices that have not made an ARP
request still accept ARP replies from other devices.
An attacker can craft a malicious ARP reply that contains an arbitrary IP and MAC address. Since
the victim's computer blindly accepts the ARP entry into its ARP table, an attacker can force the
victim's computer to think that the IP is related to the MAC address they want. An attacker can
then broadcast their fake ARP reply to the victim's entire network.
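An added example, not part of the courseware: a passive monitor over constructed ARP packets that flags the two symptoms described above, a reply nobody asked for and a reply that contradicts an IP-to-MAC binding already learned. The `ArpMonitor` class and all addresses are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class ArpMonitor:
    """Learns IP->MAC bindings from ARP traffic and raises an alert when a reply
    changes a known binding or arrives without a matching request."""

    def __init__(self, static_bindings: Optional[Dict[str, str]] = None) -> None:
        # Bindings known to be correct (e.g. the gateway) can be seeded here.
        self.bindings: Dict[str, str] = dict(static_bindings or {})
        # (asker_ip, asked_ip) pairs for requests still awaiting a reply
        self.outstanding: Set[Tuple[str, str]] = set()
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> None:
        if pkt.op == "request":
            self.outstanding.add((pkt.sender_ip, pkt.target_ip))
            self._learn(pkt.sender_ip, pkt.sender_mac)
            return
        # A reply is solicited only if its target asked for the sender's IP earlier.
        key = (pkt.target_ip, pkt.sender_ip)
        if key in self.outstanding:
            self.outstanding.discard(key)
        else:
            self.alerts.append(
                f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
        self._learn(pkt.sender_ip, pkt.sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            # Keep the first binding: a single conflicting claim is the classic
            # sign of poisoning, not a reason to overwrite the table.
            self.alerts.append(
                f"binding conflict: {ip} was {known}, now claimed by {mac}")


if __name__ == "__main__":
    # Constructed exchange: A asks for 10.1.1.1, B answers, then an attacker
    # injects a reply claiming 10.1.1.1 for its own MAC.
    mon = ArpMonitor()
    mon.observe(ArpPacket("request", "10.1.1.2", "aa:aa:aa:aa:aa:aa",
                          "10.1.1.1", "00:00:00:00:00:00"))
    mon.observe(ArpPacket("reply", "10.1.1.1", "bb:bb:bb:bb:bb:bb",
                          "10.1.1.2", "aa:aa:aa:aa:aa:aa"))
    mon.observe(ArpPacket("reply", "10.1.1.1", "09:08:07:06:05:04",
                          "10.1.1.2", "aa:aa:aa:aa:aa:aa"))
    print("\n".join(mon.alerts))
```

If the attacker's reply races ahead of the legitimate one, the roles swap but the monitor still reports both an unsolicited reply and a binding conflict for the same IP.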
Access Attacks:
DHCP Starvation Attacks
Dynamic Host Configuration Protocol (DHCP) is a configuration protocol that assigns valid IP addresses to host systems
out of a pre-assigned DHCP pool
A DHCP starvation attack is a process of inundating DHCP servers with fake DHCP requests and using up all the available IP
addresses
This results in a denial-of-service attack, where the DHCP server cannot issue new IP addresses to genuine host requests
New clients cannot get access to the network, resulting in a DHCP starvation attack
[Figure: DHCP starvation. The DHCP scope spans 10.10.10.1 through 10.10.10.254. The attacker floods the DHCP server with requests until the server runs out of IP addresses to allocate to valid users, and the user is unable to get a valid IP address.]
In a DHCP starvation attack, an attacker floods the DHCP server by sending a large number of
DHCP requests and uses all the available IP addresses that the DHCP server can issue. As a
result, the server cannot issue any more IP addresses, leading to a denial of service (DoS)
attack. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail
to access their network.
In a DHCP starvation attack, the attacker broadcasts a large number of DHCP requests with
spoofed MAC addresses. Sending many DHCP requests consumes the address space on the
DHCP server. The DHCP starvation attack is similar to a Synchronization (SYN) flood attack.
The victim network suffers a starvation of DHCP resources as the attacker continuously
broadcasts fake DHCP requests. The attacker can also place a rogue DHCP server on their
system and respond to the DHCP requests from the victims or users. In the DHCP starvation
attack, the attacker continuously sends many DHCP requests with fake MAC addresses, each
requesting an IP address from the DHCP server. The attacker continues until these
requests have completely used up the space available on the DHCP server, preventing the victim
from obtaining an IP address. An attacker broadcasts DHCP requests with spoofed MAC addresses
with the help of tools such as Gobbler.
Port security is a method used to prevent DHCP starvation attacks. It limits the number of
MAC addresses that can access a port; only MAC addresses with permission to access the port
can send packets through it. DHCP snooping is another method available for
preventing DHCP starvation attacks. It filters untrusted DHCP messages. DHCP
snooping is a Cisco Catalyst switch feature that determines which ports are allowed to respond to
DHCP requests.
Access Attacks:
DHCP Spoofing Attack
■ DHCP servers assign IP addresses to the clients dynamically
■ An attacker places a rogue DHCP server between the client and the real DHCP server
■ Whenever a client sends a request, the attacker's rogue server intercepts the communication and acts as a valid
server by replying with fake IP addresses
[Figure: the rogue server's DHCP response to the client. IP Address: 10.0.0.20; Subnet Mask: 255.255.255.0; Default Routers: 10.0.0.1; DNS Servers: 192.168.168.2, 192.168.168.3; Lease Time: 2 days]
A DHCP spoofing attack is also known as a rogue DHCP server attack. In a rogue DHCP server
attack, an attacker introduces a rogue server into the network. This rogue server has the ability
to respond to clients' DHCP discovery requests. Though both servers respond to the
request, i.e., the rogue server and the actual DHCP server, the client takes the response from
whichever server responds first. If the rogue server responds earlier than the actual DHCP server,
the client takes the response from the rogue server instead. The information provided to the
clients by this rogue server can disrupt their network access, causing a DoS.
The DHCP response from the attacker's rogue DHCP server may assign the IP address of the
attacker as the client's default gateway. As a result, all traffic from the client is sent to
the attacker's IP address. The attacker then captures all the traffic and forwards it to
the appropriate default gateway. From the client's viewpoint, everything appears to be
functioning correctly. This type of attack can go undetected by the client for a long period of
time.
The client may thus end up using the rogue DHCP server instead of the standard DHCP server. The rogue
server can direct the client to fake websites for the purpose of harvesting their credentials.
To mitigate a rogue DHCP server attack, set the interface to which the rogue server is
connected as untrusted. That action will block all ingress DHCP server messages from that
interface.
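An added example covering both the DHCP starvation and the rogue DHCP server sections, not code from the courseware: it scans a constructed DHCP log for a burst of DISCOVER messages from many distinct client MACs inside a short window (starvation) and for OFFER/ACK messages from a server that is not on the trusted list (rogue server). The log format, the `analyze` function, the thresholds and all addresses are invented for this example.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Constructed log format (not a real DHCP server's format):
#   <ISO timestamp> <DISCOVER|OFFER|REQUEST|ACK> key=value ...
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>DISCOVER|OFFER|REQUEST|ACK)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if the line is not DHCP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "msg": m["msg"]}
    for item in m["kv"].split():
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def analyze(lines: Iterable[str], trusted_servers: Set[str],
            window: timedelta = timedelta(seconds=10),
            max_new_clients: int = 20) -> List[Tuple[str, str]]:
    """Return (kind, detail) alerts: 'starvation' or 'rogue_server'."""
    alerts: List[Tuple[str, str]] = []
    recent: Deque[Tuple[datetime, str]] = deque()   # DISCOVERs inside the window
    starvation_reported = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts = datetime.fromisoformat(rec["ts"])
        if rec["msg"] == "DISCOVER":
            # Slide the window forward, then count distinct client MACs in it.
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            recent.append((ts, rec.get("chaddr", "?")))
            distinct = {mac for _, mac in recent}
            if len(distinct) > max_new_clients and not starvation_reported:
                starvation_reported = True   # report the burst once, not per packet
                alerts.append(("starvation",
                               f"{len(distinct)} distinct client MACs sent DISCOVER "
                               f"within {window.total_seconds():g}s"))
        elif rec["msg"] in ("OFFER", "ACK"):
            server = rec.get("server")
            if server not in trusted_servers:
                alerts.append(("rogue_server",
                               f"{rec['msg']} from untrusted server {server} offering "
                               f"{rec.get('yiaddr')} with gateway {rec.get('router')}"))
    return alerts


def sample_log() -> List[str]:
    """Constructed log: one legitimate lease, a spoofed-MAC burst, a rogue OFFER."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{base.isoformat()} DISCOVER chaddr=00:11:22:33:44:55",
             f"{(base + timedelta(milliseconds=20)).isoformat()} OFFER server=10.10.10.4 "
             f"yiaddr=10.10.10.20 router=10.10.10.1 chaddr=00:11:22:33:44:55"]
    for i in range(25):   # 25 DISCOVERs from 25 different MACs in ~1.2 seconds
        ts = base + timedelta(seconds=1, milliseconds=50 * i)
        lines.append(f"{ts.isoformat()} DISCOVER chaddr=02:00:00:00:00:{i:02x}")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} OFFER server=10.10.10.99 "
                 f"yiaddr=10.10.10.30 router=10.10.10.99 chaddr=00:11:22:33:44:66")
    return lines


if __name__ == "__main__":
    for kind, detail in analyze(sample_log(), trusted_servers={"10.10.10.4"}):
        print(f"[{kind}] {detail}")
```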
Access Attacks:
Switch Port Stealing
It is a MITM technique used to perform packet sniffing by exploiting the switch ports of a user
Attackers flood the switch ports with forged packets that contain the victim host's spoofed MAC as the source
address and the attacker's MAC as the destination address
This allows the switch port to send the traffic to the attacker instead of the intended recipients
[Figure: switch port stealing. The attacker broadcasts ARP packets through the switch so that traffic for Host C is delivered to the attacker's port. Labels: "Broadcasts ARP", Host C, Attacker.]
Switch port stealing is a sniffing technique in which an attacker spoofs both the IP address
and the MAC address of the target machine. Using a port stealing attack, attackers steal traffic
destined to a specific port of an Ethernet switch. It allows an attacker to sniff packets that
were originally destined for another computer.
An attacker takes advantage of a switch's inability to update its address table dynamically.
Ethernet switches learn and maintain information about who is connected to each port. This
information includes the IP and MAC addresses of the computers connected to the network. The
switch is supposed to update this information dynamically. However, the switch is still static in
a real network environment. For example, if a computer connected to a particular port is moved
to another port, the switch's address table entry will still point to the same computer only.
A MITM technique is used to perform packet sniffing by exploiting the switch ports of a user.
Attackers flood the switch ports with forged packets that carry the victim host's spoofed MAC
address as the source address and the attacker's MAC address as the destination address.
This allows the switch port to send traffic to the attacker instead of to the intended
recipients.
Access Attacks:
MAC Spoofing/Duplicating
■ A MAC duplicating attack is launched by sniffing a network for MAC addresses of clients,
which are actively associated with a switch port and re-using one of those addresses
■ By intercepting the network traffic, the attacker replicates a legitimate user's MAC
address to receive all the traffic intended for the specific user
■ This attack allows an attacker to gain access to the network by faking another person's
identity, who is already on the network
[Figure: MAC spoofing. The legitimate user tells the switch "My MAC address is A:B:C:D:E"; the switch rule is "Allow access to the network only if your MAC address is A:B:C:D:E". The attacker sniffs the network for the MAC addresses of the currently associated users and then uses that MAC address ("No! My MAC address is A:B:C:D:E") to attack other users associated to the same switch port and reach the Internet.]
Note: This technique works on Wireless Access Points with MAC filtering enabled
Spoofing attacks allow attackers to spread malware, bypass authentication checks, or steal
sensitive information. The attacker pretends to be a legitimate user on a network and gets
access to restricted resources in order to perform malicious activities.
MAC duplicating refers to spoofing the MAC address with the MAC address of a legitimate user
on the network. It involves sniffing a network for the MAC addresses of legitimate clients
connected to the network. In this attack, the attacker first retrieves the MAC addresses of
clients who are actively associated with the switch port. Then the attacker spoofs their own
MAC address with the MAC address of the legitimate client. If the spoofing is successful, the
attacker can receive all the traffic destined for the client. An attacker gains access to the
network and will take over someone's identity who is already on the network.
The DoS attack makes resources unavailable for genuine users by sending a large number
of service requests or exploiting vulnerabilities
Techniques used by an attacker include sending malicious packets and exploiting already
existing programming, logical, and application vulnerabilities
Organizations deploy IDS central logging servers exclusively to store IDS alert logs of all
systems in a centralized manner
Using this technique, an attacker can:
■ Consume the device's processing power, which allows attacks to go unnoticed
■ Cause the admin to take more time to investigate a large number of alarms
■ Fill up disk space, leaving no space, or disrupt logged processes
Denial-of-service (DoS) is an attack that prevents authorized users from accessing a computer
or network. DoS attacks target the network bandwidth or connectivity. Bandwidth attacks
overflow the network with a high volume of traffic using existing network resources, depriving
legitimate users of these resources. Connectivity attacks overflow a computer with a large
amount of connection requests, consuming all available operating system resources, so that the
computer cannot process legitimate user requests.
Consider a company (Target Company) that delivers pizza upon receiving a telephone order.
The entire business depends on telephone orders from customers. Suppose a person intends to
disrupt the daily business of this company. If this person came up with a way to keep the
company's telephone lines engaged in order to deny access to legitimate customers, the Target
Company would lose business.
DoS attacks are similar to the pizza company situation. The objective of the attacker is not to
steal any information from the target. It is to render its services useless. In this process, the
attacker compromises many computers (called zombies) and virtually controls them. The attack
involves deploying the zombie computers against a single machine to overwhelm it with
requests and finally crash the target in the process.
Distributed Denial-of-Service Attack (DDoS)
A DDoS attack involves a multitude of compromised systems attacking a single target, thereby causing a
denial of service for legitimate users
An attacker uses botnets for exploiting vulnerabilities which exist in the target system and convert it to a
bot master. Doing this will infect it with malware or even take control of other systems on the network
[Figure: DDoS attack. Labels: Handler, Compromised PCs (Zombies).]
The services under attack are those of the "primary target," while the compromised systems
used to launch the attack are often called the "secondary target." The use of secondary targets
in performing a DDoS attack provides the attacker with the ability to wage a larger and a more
disruptive attack, while making it more difficult to track them.
As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack
uses many computers to launch a coordinated DoS attack against one or more targets. Using
client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-
service significantly by harnessing the resources of multiple unwitting accomplice computers,
which serve as attack platforms."
If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet
services in minutes. DDoS attacks can be very dangerous because they can quickly consume the
largest hosts on the Internet, rendering them useless. The impact of DDoS includes loss of
goodwill, disabled networks, financial loss, and disabled organizations. They are also used as
decoys: attackers use DDoS attacks to crash systems as a distraction while they attack the real target.
Administrators are busy with the DDoS and may not notice the real attack until it is too late.
Malware are software programs or malicious codes that install on a system without the user's
knowledge
It disrupts services, damages systems, gathers sensitive information, etc.
Examples of malware include Virus, Trojan, Adware, Spyware, Rootkit, Backdoor, etc.
Virus: A virus is a self-replicating program that attaches itself to another program, computer boot sector, or a document
Spyware: Spyware is a piece of software code that extracts the user information and sends it to attackers
Trojan: A program that appears to be good or useful software but contains hidden and harmful code
Rootkit: Rootkit is a malicious software program that conceals certain activities from detection by the operating systems
Adware: Adware is a software program that tracks the user's browsing pattern for marketing purposes and to display advertisements
Backdoor: Backdoors are programs that allow attackers to bypass the authentication checks, such as gaining administrative privileges without passwords
Malware
Malware is a piece of malicious software that is designed to perform activities as intended by
the attacker without user consent. It appears in the form of executable code, active content,
scripts or other forms of software. The attacker compromises system security, intercepts
computer operations, gathers sensitive information, modifies, deletes or adds content to a
website, takes control of a user's computer, etc. It is used against government agencies or
corporate companies to extract highly confidential information.
Virus
A virus is a type of program that can duplicate itself by making copies of itself. The major
criterion for categorizing a piece of executable code as a virus is that it replicates itself through
hosts. A virus can only spread from one PC to another when its host is taken to the uncorrupted
computer, for example, by a user transmitting it over a network or executing it from removable
media. Viruses can spread the infection by damaging files in a file system. Viruses are
sometimes confused with worms; a worm can spread itself to other computers without the intent
of the host. A majority of PCs are now connected to the Internet and to local area networks,
increasing their spread. The virus spreads through the computer by itself and infects files
from one computer to another using a host. It reproduces its own code while
enclosing other executables and spreads throughout the host. Some viruses reside in
memory and may infect programs through the boot sector. A virus can also be in an encrypted
form, infecting files in a symbolic form.
Armored Virus
An armored virus is a type of computer virus that is specifically coded with different
mechanisms to make its detection difficult. It fools antivirus programs, making them believe
the armored virus is located somewhere else in memory, which makes it difficult to detect and
remove. Another kind of armor is implemented with complicated and confusing
code, whose purpose is to hide the virus from detection and to hinder the development of a
countermeasure. This mechanism makes it difficult for researchers to disassemble the virus.
Therefore, it propagates longer before researchers find a countermeasure. It affects target
users similarly to a normal virus.
Trojan
A Trojan is a malicious program that masquerades as legitimate software. A Trojan horse attack
is considered a serious threat to system security. A victim may be under attack from the Trojan,
but they could also be used as an intermediary to attack others (without the knowledge of the
victim). Most Trojans consist of two parts: a server and a client. The server is a program that gets
installed on the infected system. The client is a program that is located on the attacker's
computer. Both the server and client are used to establish a connection between the attacker
and a victim's system via the Internet.
In the computer world, a Trojan can be described as a hateful security-breaching program that
impersonates an application and is illegal. For example, if the user downloads what appears
to be a movie or a music file and then clicks on the file to open it, the file will instead unleash a
dangerous program that erases the disk.
Trojan horses can also access programs remotely. They can delete files, send files to the
intruder, modify files, install other programs that provide unauthorized network access
and execute privilege-elevation attacks. A Trojan horse can attempt to exploit a vulnerability to
increase the level of access beyond that of the user running the Trojan horse. If a Trojan
compromises a system in a shared network, the attacker records user names and passwords or
other sensitive information as it travels across the network.
Adware
Adware is a software program that tracks the user's browsing patterns for marketing purposes
and displays advertisements. It collects the user's data, such as what types of Internet sites
the user visits, in order to customize the adverts so that they are relevant to the user. Legitimate
software is embedded with adware programs to generate revenue. Adware is considered a
legitimate alternative provided to customers who do not wish to pay for software. Software
developers look to adware as a way to reduce development costs and increase profits. It
enables software developers to offer software at no cost or at a reduced price. Software
developers are motivated to design, maintain and upgrade their software product and generate
revenue using adware. It has become a large platform with millions of users and has attracted
attackers looking to perform attacks by exploiting adware.
Legitimate adware requests a user's permission before collecting user data. If legitimate
adware is used and you remove or uninstall it, the ads should disappear. Further, there is an
option to disable ads by purchasing a registration key. When user data is collected without the
user's permission, it is malicious and termed spyware. It should be avoided for privacy and
security reasons. Malicious adware gets installed on a computer using cookies, plug-ins, file
sharing, freeware and shareware. It consumes more bandwidth and exhausts CPU resources and
memory. Attackers perform spyware attacks and collect information from the target user's hard
drive, the websites visited or the keystrokes typed in order to misuse it and perform fraud.
Common adware programs include toolbars on a user's desktop or those that work in
conjunction with the user's web browser. Adware performs advanced searching of the web or a
user's hard drive and may provide better organization of bookmarks and shortcuts. Adware
typically requires an Internet connection to run. There is more advanced adware that includes
games and utilities that are free to use but users need to watch advertisements until the
program opens. For example, while watching "YouTube videos", users need to wait until the ad
is completed before watching the video.
Spyware
Spyware is a piece of software code that extracts the user's information and sends it to
attackers. It enables pop-up advertisements to appear, modifies computer settings, redirects
users to fake webpages or changes the home page of the browser. Users are not really aware of
spyware being installed on their computer. Most of the time, spyware is used to track cookies
and display unwanted pop-up ads. Its presence is hidden from the user and it is difficult to
detect. Keylogger is a type of spyware used by attackers to record keystrokes entered by the
user.
Spyware infects a user's system when they visit a fake website containing malicious code which
is controlled by the spyware author. This malicious code forces the spyware download and its
installation. A system can also be infected by manipulating loopholes in the browser or software, by
binding spyware to trusted software, etc. Once the spyware is installed, it monitors the user's
activities on the Internet. It gathers information such as usernames, passwords, bank account
details, credit card numbers, etc., and sends it to the attacker.
When a system is infected by spyware, its performance degrades. Spyware disables the software
firewall and antivirus software, reduces browser security settings and makes the system more vulnerable to
attacks. Applications may freeze, the system may fail to boot, etc. Spyware that interferes with networking
software makes it difficult to connect to the Internet. It steals information from users by
utilizing the target computer's memory resources and the bandwidth allocated for the Internet
connection. Since spyware uses memory and system resources, there is a chance of system
crashes.
Rootkits
A rootkit is a software program that hides its activities from detection and performs malicious
activities to get privileged access to a target computer. It hides the fact that the operating
system has been compromised by the attackers. A successful rootkit can potentially remain in place for
years if it remains undetected. Rootkits are used to hide viruses, worms, bots, etc., and they are
difficult to remove. Malware hidden by rootkits is used to monitor, filter or steal
sensitive information and resources, change the configuration settings of the target computer
and perform other potentially unsafe actions.
Rootkits are installed by attackers after gaining administrative access, either by exploiting a
vulnerability or by cracking a password. The attacker gets full control over the target system and
can modify files and the existing software that detects rootkits.
Rootkits are activated each time the system is rebooted. It gets activated before the operating
system completes booting. So it is difficult to detect the presence of a rootkit. Rootkits install
hidden files, processes, hidden user accounts, etc., in the system's operating system to perform
malicious activities. It intercepts the data from terminals, keyboard and network connections
and allows the attacker to extract sensitive information from the target user. Rootkits gather
user's sensitive information such as usernames, passwords, credit card details, bank account
details, etc., in order to misuse the information to commit fraud or other illegal activities.
Backdoors
Attackers create backdoors to compromise the security of the target systems and gain access to
a network illegitimately. Attackers insert small programs that bypass the authentication check
such as gaining administrative privileges without passwords. The attacker installs programs and
controls the victim's computer remotely. Attackers use backdoors to get access to a network
and keep returning by using the same exploit.
It is difficult for system administrators to block access to attackers using backdoors. Even if
the system administrator detects a backdoor attack and changes the password, the attacker is
still able to get access to the resources of the infected system. If the attacker believes that the
system administrator has detected their access, they can simply choose to locate another
vulnerability to avoid being detected. Backdoor accesses are not logged and appear as if no one is
online, while the attacker continues to use the infected machine.
Password cracking is a common type of backdoor attack used to breach network security and
systems connected to the network. Accounts that are unused or not used frequently are
exploited by attackers to perform backdoor attacks. Password crackers detect the accounts
with weak passwords and create an access point by changing the password. System
administrators are not able to identify fragile accounts because the accounts with modified
passwords do not appear and they believe that everything is operating normally. System
administrators find it difficult to determine which accounts are not used in order to lock them.
Logic Bomb
A logic bomb is a piece of software code that performs a malicious action when a logic
condition is satisfied. For example: crashing a program on a specific date using. When a logic
bomb explodes, it is designed to display an unauthentic message, delete data or completely
reformat hard drives, send sensitive information to untrusted parties, disable a network for a
certain length of time and cause harm to the target computer. Malicious software such as
viruses use logic bombs to spread before being noticed.
Logic bombs are used to demand money for software by developing a code that makes the
software a trial version. After a specific number of days, the user has to pay a specified amount
to continue to use the software. Logic bombs are used to blackmail target users. If the demand
is not met, the logic bomb explodes into the computer network and corrupts, deletes data or
performs malicious activities as intended by attackers.
Attackers use the combination of spyware and a logic bomb to steal the identity of a target
user. Spyware allows attackers to install keyloggers secretly and capture the keystrokes. A logic
bomb is designed to wait until the targeted user visits a website requiring a login with their
username and password. It then triggers the logic bomb to execute a key logger to capture the
user credentials and send it to the remote attacker.
Botnets
A botnet is a collection of compromised computers connected to the Internet to perform a
distributed task. Attackers distribute malicious software that turns a user's computer into a bot.
A bot refers to a program or an infected system that performs repetitive work or acts as an
agent or as a user interface to control other programs. The infected computer performs
automated tasks without the user's permission. Attackers use bots to infect a large number of
computers. Cyber-criminals who control bots are called botmasters. Bots spread across the
Internet and search for vulnerable and unprotected systems. When a bot finds an exposed system,
it quickly infects it and reports back to the botmaster.
Attackers use botnets to distribute spam emails, carry out denial-of-service attacks and
automated identity theft. A computer part of a botnet might slow down its performance.
Botmasters use infected computers to perform various automated tasks. They instruct the
infected systems to send viruses, worms, spam, spyware, etc. Botmasters steal personal and
private information from the target users such as credit card numbers, bank details, usernames,
passwords, etc. Botmasters launch DoS attacks on a specific target user and extort money to
regain control over the compromised resources. Bot masters use bots to boost web advertising
billings by automatically clicking on internet ads.
Bots enter a target system using a payload in a Trojan horse or similar malware. It infects the
target system through drive-by-downloads, or by sending spam mails that are embedded with
malicious content.
Ransomware
Ransomware is a type of malicious software that locks or encrypts valuable files available in the
victim's computer until a ransom is paid. Unlike other malware it does not hide, it displays a
message on the infected system that "your files are taken away for ransom and you need to pay
money in order to decrypt it". It redirects victims to different sites and provides information
regarding how to make payment to recover the data back. During payment, attackers often
collect credit card details that may result in further financial losses. Moreover, there is no
guarantee the data will be recovered, even if the payment is made.
Ransomware gets installed when a user clicks on a malicious link in an email attachment or
instant message or on a social networking site. It gets installed even when the user visits an
infected site or clicks on an infected pop-up advertisement. Ransomware demands are
displayed either in a text file or on a web page in the browser.
This type of malware takes advantage of a victim's embarrassment, surprise or fear to satisfy
the ransom demands. For example, attackers put time pressure on a victim stating that their
data gets destroyed every 30 minutes if they do not make a payment. If the payment is not
done within the time span, the files cannot be recovered. Other ransomware forces users to
purchase a product to recover the data back. Some ransomware tricks or embarrasses users to
pay the ransom by stating they have been watching illegal content and must pay a fine.
Polymorphic malware
Polymorphic malware is a destructive and intrusive malware code that changes its signature to
avoid pattern-matching detection by antivirus programs. The functionality remains the same
even though its signature changes. For example, a spyware program working as a keylogger
continues to perform the same action, even if its signature changes. If a polymorphic malware
is detected and its signature is added to a downloadable database for an antivirus program, the
program fails to detect the same malware once its signature has been modified.
Polymorphic malware code (payload) is encrypted in order to hide it and make it difficult for
antivirus programs to read. Malware gains polymorphic behavior when mutation engines
are bundled with another payload such as a virus, worm, or Trojan. This allows different
variants of the same code with the same functionality. It modifies the file names,
encrypts the data with variable keys, compresses the files, etc.
This module discusses three important elements of network security: controls, protocols, and
devices. The module teaches the various network security controls, including
authentication, authorization, encryption and access controls. It also provides the necessary
information on the different security protocols that should be implemented to secure the
network. The module also discusses various security perimeter appliances commonly deployed
in the network to defend against possible attacks.
[Figure: Network security controls: Accounting, Authentication, Access Control, Security Policy, Authorization, Identification, Cryptography]
Network security controls are used to ensure the confidentiality, integrity and availability of
network services. These security controls are either technical or administrative safeguards
implemented to minimize security risk. To reduce the risk of a network being compromised,
adequate network security requires implementing a proper combination of network security
controls.
These network security controls include:
• Authentication
• Authorization
• Accounting
• Access Control
• Identification
• Cryptography
• Security Policy
These controls help organizations implement strategies for addressing network security
concerns. Multiple layers of network security controls should be used across the network to
minimize the risks of attack or compromise. The overlapping use of these controls
ensures defense-in-depth network security.
[Figure: Access control terminology. Subject: a particular user or process which wants to access the resource. Object: a specific resource that the user wants to access, such as a file or a hardware device. Reference Monitor: checks the access control rule for specific restrictions. Operation: the action taken by the subject on the object. The diagram places the Reference Monitor between Subject and Object, with Authentication on the subject side and Authorization on the object side.]
The following terminologies are used to define access control on specific resources:
Subject
A subject may be defined as a user or a process which attempts to access the objects. Further,
subjects are those entities that perform certain actions on the system.
Object
An object is an explicit resource on which access restriction is imposed. The access controls
implemented on the objects further control the actions performed by the user. For example:
Files or hardware devices.
Reference Monitor
It monitors the restrictions imposed according to certain access control rules. The reference
monitor implements a set of rules on the ability of the subject to perform certain actions on the
object.
Operation
An operation is an action performed by the subject on the object. A user trying to delete a file is
an example of an operation. Here, the user is the subject, delete refers to the operation and the file
is the object.
[Figure: Access control principles: Authentication, Access Control, Authorization, System Database, Administrator]
Access control principles deal with restricting or allowing access for users or
processes. The principle includes the server receiving a request from the user and
authenticating the user with the help of an Access Control Instruction (ACI). The server can
either allow or deny the user permission to perform actions like reading, writing, accessing files, etc.
Access controls enable users to gain access to the entire directory, a subtree of the directory, or
a specific set of entries and attribute values in the directory. It is possible to set permission
values for a single user or a group of users. The directory and attribute values contain the access
control instructions.
The access control function uses an authorization database, maintained by the security admin, to
check the authorization details of the requesting user.
• General steps in Access Control:
• Step 1: Users have to provide their credentials/identification while logging into the
system.
• Step 2: The system validates users with the provided credentials/identification such as
password, fingerprint, etc. with the database.
• Step 3: Once the identification of the user is successful, the system provides the user
an access to use the system.
• Step 4: The system then allows the user to perform only those operations or access
only those resources for which the user is authorized.
• Permission: Permissions set for the target explains the actions allowed or denied for
those targets.
Personnel Controls/Procedures
Personnel controls determine the methods by which the employees may handle the security
principles. Personnel controls specify the steps taken in the case of any non-compliance issue.
The change of security determines the steps taken right from the hiring of an employee until
the employee leaves or shifts to any other department.
Supervisory Structure
Supervisory structure consists of members that are responsible for the actions performed by
the other employees in the organization in the context of security.
Testing
Testing of the access controls brings out the weaknesses in the network, checks if all the access
controls are working properly and evaluate the procedures and policies aligned for the proper
functioning of the organization.
Job Rotation
Job rotation improves error detection and fraud disclosure. A job rotation policy along with
separation of duties is a good administrative access control. However, job rotation prevents
employees from taking up multiple roles at a time, which adds overhead to the access control system.
One needs to be aware of the impact of job rotation on the access control system.
Separation of Duties
Separation of duties comes into play when a single operation requires more than one person to
complete it. When one individual is responsible for completing a task it gives them more power
and the security risk is high. Whereas, if the same task is accomplished by a team of people,
proper checks and balances are maintained and there is less chance for errors.
Example: Having one security administrator for doing actual planning and another team of
security administrators implementing and testing will reduce the security risks and increase the
chances of finding errors.
Separation of duties can be applied to a single person. For instance, if a user having limited
access wants to perform a task requiring administrative privileges, User Account Control (UAC)
can give access once the appropriate privileges are supplied.
Information Classification
Implementing access control is impossible without Information classification. The information
can be classified as: public, private, secret, proprietary, confidential, etc.
• Categorize information
• Define the audit process
• Save information in a repository
• Give user training
Investigation
Investigate the logs for all doubtful activities and violations and make a report for further
actions. Investigate unexpected information system related activities. Study the investigations
periodically and make changes to access authorizations.
[Figure: Physical access controls, including motion detectors and fences]
Appropriate physical access controls can reduce the chances of attacks and risks in an
organization. Maintaining physical access controls provides physical protection of the
information, buildings and all other physical assets of an organization.
Deterrence Controls
They are used to discourage the violation of security policies. It includes access controls such as
security guards, warning signs, etc.
Detection Controls
They are used to detect unauthorized access attempts. It includes access controls such as CCTV,
alarms, etc.
An access control point can be a physical barrier such as a door or parking gate, where
electronic access control is placed; users must enter their credentials before they get access.
Using a PIN for authentication checks the identity of a user. For example, in an office, the
employee must present an access card to the card reader to be able to access the premises.
Technical access control restricts the subject's access to an object. It involves implementing technical
access controls for restricting access to devices in an organization to protect the integrity of
sensitive data.
The components of technical access control include:
System Access
System access deals with restriction of access to data according to sensitivity of data, clearance
level of users, user rights, and permissions.
Network Access
Network access control offers different access control mechanisms for network devices like
routers, switches, etc.
Encryption and Protocols
Encryption and protocols protect the information passing through the network and preserves
the privacy and reliability of the data.
Auditing
Auditing deals with tracking the activities of the network devices in a network. This mechanism helps in
identifying the weaknesses in the network.
Firewalls
Firewalls are implemented to filter unwanted traffic and prevent attacks on the network.
Antivirus Software
Antivirus software is installed to protect the system from malware infections.
Types of access control determine how a subject can access an object. The policies that
determine the mechanism make use of access control technologies and security requirements.
• File and data ownership: Determines the access policies of the user.
• Access rights and permissions: Setting access privileges to other subjects by the
possessor.
The owner can provide or deny access either to any particular user or to a group of users. The
attributes of a DAC include:
• Prevents unauthorized users from viewing details like file size, file name, directory path, etc.
• The DAC uses access control lists in order to identify and authorize users.
• Disadvantages:
• It requires maintaining the access control list and access permissions for the users.
• Examples of DAC include UNIX, Linux, and Windows access control.
• Lattice-based access control: The lattice based access control defines the complex
controls required for multiple subjects and objects.
• Mandatory access control (MAC) provides a high level of security as the network administrators determine the
access controls.
• Role Assignment: Assigning a certain role to a user that enables them to perform a
transaction.
• Role Authorization: User needs to perform a role authorization in order to achieve that
role.
• Transaction Authorization: Transaction authorization allows users to execute only those
transactions for which they are authorized.
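The reference monitor, the general access control steps, and the three access control types described above (DAC with an owner-managed ACL, MAC with an administrator-defined lattice of labels, and the role assignment / role authorization / transaction authorization model, i.e. role-based access control) as one added example; this is not code from the CND courseware, and the users, clearances, files and the role-to-transaction table are constructed for illustration:

```python
"""Reference monitor mediating subject -> operation -> object requests.

A request is allowed only if DAC, MAC and RBAC all allow it, and every decision is
logged (accounting). Added example, not the courseware's code; all data is constructed.
"""
from dataclasses import dataclass, field

# MAC lattice: sensitivity levels set by the administrator (constructed).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}

# RBAC: which transactions (operations) each role may execute (constructed).
ROLE_TRANSACTIONS = {
    "auditor": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str                              # MAC clearance, assigned by the admin
    roles: set = field(default_factory=set)     # RBAC role assignment


@dataclass
class Obj:
    name: str
    owner: str                                  # DAC: the owner decides who else gets access
    label: str                                  # MAC sensitivity label
    acl: dict = field(default_factory=dict)     # DAC ACL: subject name -> set of operations


class ReferenceMonitor:
    """Mediates every access request and records the verdict for later investigation."""

    def __init__(self) -> None:
        self.audit: list = []                   # accounting: one line per decision

    def dac(self, s: Subject, op: str, o: Obj):
        # The owner keeps full rights; anyone else needs an explicit ACL entry.
        if s.name == o.owner or op in o.acl.get(s.name, set()):
            return None
        return f"DAC: {s.name} has no '{op}' entry in ACL of {o.name}"

    def mac(self, s: Subject, op: str, o: Obj):
        # Lattice rules in the Bell-LaPadula style: no read-up, no write-down.
        cl, lb = LEVELS[s.clearance], LEVELS[o.label]
        if op == "read" and cl < lb:
            return f"MAC: no read-up ({s.clearance} < {o.label})"
        if op in ("write", "delete") and cl > lb:
            return f"MAC: no write-down ({s.clearance} > {o.label})"
        return None

    def rbac(self, s: Subject, op: str, role):
        # Role authorization: the subject may only act in a role assigned to it.
        if role is None or role not in s.roles:
            return f"RBAC: role {role!r} not assigned to {s.name}"
        # Transaction authorization: the active role must permit this operation.
        if op not in ROLE_TRANSACTIONS.get(role, set()):
            return f"RBAC: role {role!r} is not authorized for '{op}'"
        return None

    def decide(self, s: Subject, op: str, o: Obj, role=None):
        """Return (allowed, reason); the first policy that objects explains the denial."""
        reason = self.dac(s, op, o) or self.mac(s, op, o) or self.rbac(s, op, role)
        verdict = "ALLOW" if reason is None else "DENY"
        self.audit.append(f"{verdict} {s.name} {op} {o.name} role={role} {reason or ''}".rstrip())
        return reason is None, reason or "ok"


if __name__ == "__main__":
    rm = ReferenceMonitor()
    alice = Subject("alice", "secret", {"editor"})
    bob = Subject("bob", "confidential", {"auditor"})
    memo = Obj("memo.txt", "alice", "confidential", {"bob": {"read", "write"}})
    rm.decide(bob, "read", memo, "auditor")      # allowed by all three policies
    rm.decide(bob, "write", memo, "auditor")     # ACL allows it, auditor role does not
    rm.decide(alice, "write", memo, "editor")    # owner, but secret -> confidential is a write-down
    print("\n".join(rm.audit))
```

Each denial names the policy that objected, which is what an investigation (see the administrative controls above) needs from the audit trail.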
Identification
Identification deals with confirming the identity of a user, process, or device accessing the
network. User identification is the most common technique used in authenticating the users in
the network and applications. Users have a unique user ID which helps in identifying them.
The authentication process includes verifying a user ID and a password. Users need to provide
both credentials in order to gain access to the network. The network administrators provide
access controls and permissions to various other services depending on the user IDs.
Authentication
Authentication refers to verifying the credentials provided by the user while attempting to
connect to a network. Both wired and wireless networks perform authentication of users
before allowing them to access the resources in the network. A typical user authentication
consists of a user ID and a password. Other forms of authentication include authenticating a
web site using a digital certificate, or comparing a product and the label associated with it. The
factors associated with the process of authentication are:
• Knowledge factors: The knowledge factors refer to the mandatory entities that a user
should know while trying to log into a system or network. For example, usernames and
passwords.
• Possession factors: The possession factors refer to the entities that a user should hold
while logging in. For example: one-time password tokens, employee ID cards, etc.
• Inherence factors: The inherence factors mostly apply to the biometric factors that the
users use for authentication. For example: retina scan, fingerprint scan, etc.
• Passwords
• Biometrics
• Token management
• Authorization
Authorization
Authorization refers to the process of providing permission to access the resources or perform
an action on the network. Network administrators can decide the access permissions of users
on a multi-user system. They even decide the user privileges. The mechanism of authorization
can allow the network administrator to create access permissions for users as well as verify the
access permissions created for each user. In logical terms, authorization follows
authentication. But the type of authentication required for authorization varies. However,
there are cases that do not require any authorization of the users requesting a service. For
example, no user authorization is needed when a user tries to access a web page from the
Internet.
Accounting
User accounting refers to tracking the actions performed by the user on a network. This
includes verifying the files accessed by the user, functions like alteration or modification of the
files or data.
Types of Authentication:
Password Authentication
In password authentication, users need to provide usernames and passwords to prove their
identity to a system, application or network. The username and password are then matched
against the list of authorized users in the database or Windows Active Directory. Once matched,
users can access the system.
The user password should follow standard password creation practices, including a mixture of
letters, numbers and special characters, and a length greater than 8 characters
(short passwords are easily guessed).
Types of Authentication:
Two-factor Authentication
Two-factor authentication involves using two different authentication factors out of three (a knowledge factor, a possession factor, and an inherence factor) to verify the identity of an individual in order to enhance security in authentication systems.
The two-factor authentication is a process where a system confirms the user identification in
two steps. The users may use a physical entity like a security token as one of the credentials
and the other credential can include security codes.
Advantages of two-factor authentication include decreasing the chances of identity theft and
phishing. However, there are certain drawbacks to this two-step process. There are situations
where the user will have to wait for the organization to issue the physical token. The
delay in getting the token results in users waiting for a long time to access their private data.
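The password authentication and two-factor authentication sections above, as one added example that is not part of the CND courseware: a knowledge factor (a salted, slow-hashed password) combined with a possession factor (a security token generating HMAC-based one-time passwords, RFC 4226 HOTP). The user record, password and token secret are constructed test data.

```python
"""Two-factor login: knowledge factor (password) + possession factor (HOTP token).

Added example, not the courseware's code. The user record, password and shared
token secret are constructed; the one-time password routine follows RFC 4226.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256) so a stolen record cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes      # never the password itself
    otp_secret: bytes         # shared with the user's hardware/software token
    otp_counter: int = 0      # lowest counter value the server will still accept


def enroll(password: str, otp_secret: bytes) -> UserRecord:
    """Create the server-side record when the user is issued a token (constructed flow)."""
    salt = os.urandom(16)
    return UserRecord(salt, hash_password(password, salt), otp_secret)


def login(user: UserRecord, password: str, otp_code: str, look_ahead: int = 5):
    """Both factors must pass; returns (allowed, reason). A used OTP is never accepted again."""
    # Factor 1: knowledge. Constant-time comparison avoids a timing side channel.
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return False, "bad password"
    # Factor 2: possession. Accept the next few counters in case the token was
    # triggered without a login, then advance past the matched value so a
    # captured code cannot be replayed.
    for c in range(user.otp_counter, user.otp_counter + look_ahead):
        if hmac.compare_digest(hotp(user.otp_secret, c), otp_code):
            user.otp_counter = c + 1
            return True, "ok"
    return False, "otp invalid or already used"


if __name__ == "__main__":
    token_secret = b"12345678901234567890"      # RFC 4226 test secret, constructed enrolment
    rec = enroll("correct horse battery", token_secret)
    print(login(rec, "correct horse battery", hotp(token_secret, 0)))   # (True, 'ok')
    print(login(rec, "correct horse battery", hotp(token_secret, 0)))   # replay is refused
```

In production the "bad password" and OTP failure reasons should be collapsed into one generic message for the user and kept only in the server log.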
Identity evaluation depends on Knowledge, Possession, and Inherent Factors. Out of these,
inherent factors are difficult to change as they depend on the characteristics of a human being.
There are many combinations available in the two-factor authentication. Commonly found are:
Types of Authentication:
Biometrics
Biometrics refers to the identification of individuals based on their physical characteristics.
[Figure: Biometric methods, including vein structure recognition and voice recognition]
Biometrics is a technology which identifies human characteristics for authorizing people. The
most commonly used biometrics are fingerprint scanners, retina scanners, facial recognition, DNA,
and voice recognition.
• Software converts the scanned information into a digital form and compares it against the
stored data.
Biometric authentication takes the current biometric data and compares it with the biometric data stored in
the database. If both sets of data match, it confirms the authenticity of the user and grants
permission.
• Retinal Scanning: Compares and identifies a user using the distinctive patterns of
retina blood vessels.
• Iris Scanning: Compares and identifies the images of the iris of one or both eyes of a
user. The iris pattern differs from one person to another.
• Vein structure Recognition: Compares and identifies the patterns produced by user's
veins. Each person has different patterns according to the flow of blood.
• Face Recognition: Compares and identifies a person depending on the facial patterns
from an image or a video source.
• Voice Recognition: Compares and identifies a person according to the voice patterns
or speech patterns.
• Advantages of Biometrics:
• Unlike a password or username, biometric details are difficult to tamper with. They cannot
be shared or stolen using social engineering techniques. Biometric authentication
requires the presence of the user, which reduces the chances of unauthorized access.
Types of Authentication:
Smart Card Authentication
Users have to insert their Smartcards into readers and their
Organizations use smart card technology to ensure strong authentication. Smart card technology
can store password files, authentication tokens, one-time password files, biometric templates,
etc. Smart card technology is used together with another authentication token to provide
multi-factor authentication. This enables better logical access security. Smart card technology finds
its application in VPN authentication, email and data encryption, electronic signatures, secure
wireless logon, and biometric authentication.
A smart card consists of a small computer chip that stores the personal information of the user
for identification. Smart cards are inserted into the machine for authentication, along with
providing the Personal Identification Number (PIN). Smart cards also help in storing the public
and the private keys.
The main advantage of using a smart card is that it eliminates the risk of credentials being
stolen from a computer, as they are stored in the card's chip itself. However, only a limited
amount of information can be stored in the card's microchip.
• Uses highly secure technology: Smart card technology uses better encryption and
authentication methods, increasing the security of the card.
• Easy to carry: Smart cards are easy to carry, and a user just needs to know the PIN of
the card.
• Reduces the chances of deception by users: The smart card enables users to store
information like fingerprints and other biometric details, thereby allowing organizations to
recognize their employees.
• Can be easily lost: Since smart cards are small in size, the chances of losing them are
very high.
• Security issues: Losing a smart card puts its owner's information and identity at great
risk.
• High cost for production of smart cards: As smart cards contain microchips and other
encryption technologies, their production cost is high.
Types of Authentication:
Single Sign-on (SSO)
• It allows a user to authenticate themselves to multiple servers on a network with a single password
without re-entering it every time
Advantages:
• Don't need to remember passwords of multiple applications or systems
• Reduces the time for entering a username and password
• Reduces the network traffic to the centralized server
• Users need to enter credentials only once for multiple applications
[Figure: User Single Sign-on (SSO) Authentication: the user reaches the APP SERVER, EMAIL SERVER and DB SERVER after a single login]
As the name suggests, it allows users to access multiple applications using a single user name
and password. The SSO stores the credentials of a user in an SSO policy server. An example of
SSO is Google applications. Users can access all Google applications using a single user name
and password combination. Consider Google as a central service. The central service creates a
cookie for all users logging in for the first time in any of the applications present in the central
service. When a user attempts to access other applications of the central service, the cookie
which is already created eliminates the need for the user to enter the credentials again.
The system checks the credentials using the cookie created.
• Advantages of SSO:
• Losing credentials has a higher impact, as all the applications of the central service
become unavailable.
• There are many vulnerability issues related to the authentication to all the
applications.
• It is an issue on multi-user computers and requires certain security policies to be
implemented to ensure security.
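The cookie-based flow just described, as an added example in Go that is not part of the original courseware: a central SSO policy server is the only component that checks passwords, it mints a random session cookie, and the app, email and DB servers accept a request only after the central server validates that cookie; the user name, password and server names are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
)

// ssoServer plays the role of the central SSO policy server: it holds the
// only copy of the credential store and of the live session cookies.
type ssoServer struct {
	mu       sync.Mutex
	users    map[string]string // username -> password (constructed sample data)
	sessions map[string]string // cookie value -> username
}

func newSSOServer() *ssoServer {
	return &ssoServer{
		users:    map[string]string{"alice": "correct horse battery"}, // constructed
		sessions: make(map[string]string),
	}
}

// Login is the one place a user types a password. On success it mints a random
// cookie that every application in the central service will accept.
func (s *ssoServer) Login(user, password string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	pw, ok := s.users[user]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(password)) != 1 {
		return "", errors.New("invalid credentials")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	cookie := hex.EncodeToString(raw)
	s.sessions[cookie] = user
	return cookie, nil
}

// Validate is what an application calls instead of asking for the password
// again: the central server checks the cookie it created earlier.
func (s *ssoServer) Validate(cookie string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[cookie]
	return user, ok
}

// Revoke ends the session everywhere at once. This is the flip side of SSO:
// one lost or stolen cookie (or one revocation) affects every application.
func (s *ssoServer) Revoke(cookie string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, cookie)
}

// application stands in for the APP, EMAIL and DB servers of the slide. None
// of them stores passwords; they only trust the central server's answer.
type application struct {
	name string
	sso  *ssoServer
}

// Access returns a one-line outcome suitable for an audit log.
func (a application) Access(cookie string) string {
	user, ok := a.sso.Validate(cookie)
	if !ok {
		return a.name + ": access denied (no valid SSO session)"
	}
	return a.name + ": access granted to " + user
}

func main() {
	sso := newSSOServer()
	apps := []application{{"APP SERVER", sso}, {"EMAIL SERVER", sso}, {"DB SERVER", sso}}

	cookie, err := sso.Login("alice", "correct horse battery")
	if err != nil {
		panic(err)
	}
	for _, a := range apps { // credentials entered once, three services reached
		println(a.Access(cookie))
	}
	sso.Revoke(cookie)
	for _, a := range apps { // every service becomes unavailable at once
		println(a.Access(cookie))
	}
}
```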
Centralized Authorization
• Authorization for network access is done through a single centralized authorization unit
• It maintains a single database for authorizing all the network resources or applications
• It is an easy and inexpensive authorization approach
Decentralized Authorization
• Each network resource maintains its authorization unit and performs authorization locally
• It maintains its own database for authorization
Implicit Authorization
• Users can access the requested resource on behalf of others
• The access request goes through a primary resource to access the requested resource
Explicit Authorization
• Unlike Implicit Authorization, it requires separate authorization for each requested resource
• It explicitly maintains authorization for each requested object
Network authorization can take different forms based on the organization's need.
Centralized Authorization
The need for centralized authorization came into existence when it became difficult to
implement the authorization process individually for each resource. It uses a central
authorization database that allows or denies access to users. The decision depends on the
policies created by the centralized unit. This enables easy authorization for users accessing
different platforms. Centralized authorization units are easy to handle and have low costs.
A single database provides access to all applications, thereby enabling better security. The
centralized database also provides an easy method of adding, modifying, and deleting
applications from the centralized unit.
Decentralized Authorization
The decentralized authorization maintains a separate database for each resource. The database
contains the details of all users permitted to access that resource. The decentralized
authorization process enables users to provide access to other users as well. This increases the
flexibility level of the users in using the decentralized method. However, certain issues related
to the decentralized authorization are cascading and cyclic authorizations.
Implicit Authorization
Implicit authorization provides access to resources indirectly. Access becomes possible once
the user is authorized for a primary resource through which the requested resource is
reachable. For example, a user requesting a web page has permission to access the
main page as well as all pages linked to the main page. Hence, the user gains indirect
access to the other links and documents attached to the main page. Implicit authorization
provides a better level of granularity.
Explicit Authorization
The explicit authorization maintains separate authorization details for each resource request.
The explicit authorization technique is simpler than implicit technique; however, this technique
makes use of more storage space due to storage of all authorization details.
Authorization Principles
Least Privilege
• Assigning only limited access to users or groups for accessing resources of a computer like
programs, processes or files to fulfill their job responsibilities
• System administrator is responsible for assigning privileges to prevent the risks of information
security incidents and to achieve better system stability and system security
Separation of Duties
• Restricting permissions and privileges to the users by separating the administrator account
and the user account
• Individuals or workgroups should not be in a position to control all parts of a system
application
• Provides security and reduces the risk of loss of confidentiality, integrity, and availability of
enterprise information
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
The authorization principle describes in detail the access permission levels of users. Enabling
the authorization process ensures the security of the processes and resources. The process of
authorization should be based on the following principles:
Least Privilege
Least privilege provides access permissions to only those users who really need the access and
resources. The permission granted depends on the roles and responsibilities of the user
requesting the access. There are two underlying principles involved in the least privilege
method: Less right and Less risk. According to these principles, users need to complete the task
using the limited amount of resources in a limited amount of time provided to the users. This
approach reduces the unauthorized access to the system resources.
Separation of Duties
It involves breaking the authorization process into various steps. Different privileges are
assigned to each step for individual subjects requesting a resource. It ensures that no one
individual has authorization rights to perform all functions and, at the same time, does not allow
one individual access to all the objects. This division makes sure that one person is not
responsible for a larger process. For example, a web server administrator is granted rights only
to configure a web server, without administrative rights to other servers.
• To encrypt data, an encryption algorithm uses a key to perform a transformation on the data
[Figure: Symmetric Encryption; Encryption; Encrypted File with FEK in Header; Encrypted FEK]
Encryption is the practice of concealing information by converting plain text (readable format)
into cipher text (unreadable format) using a key or encryption scheme. Encryption guarantees
confidentiality and integrity of organizational data, at rest or in transit.
The encryption algorithm encrypts the plain text with the help of an encryption key. The
encryption process creates a cipher text that needs decrypting with the help of a key. The
process of decryption involves the same steps except for the usage of keys in the reverse order.
Common encryption algorithms used to encrypt data include RSA, MD5, SHA, DES, AES, etc.
The encryption process finds its application while transmitting data through a network, mobile
phones, wireless transmission, and Bluetooth devices.
Symmetric Encryption
• Symmetric encryption is the oldest cryptographic technique used to encrypt digital data in
order to ensure data confidentiality
• It is called symmetric encryption as a single key is used for encrypting and decrypting the data
[Figure: Sender (uses the secret key to encrypt the confidential message and sends it to the
receiver) → Encrypted Message → Receiver (decrypts the data using the secret key and reads the
confidential message); both sender and receiver share the same key to encrypt and decrypt data]
Symmetric encryption requires that both the sender and the receiver of the message possess
the same encryption key. The sender uses a key to encrypt the plaintext and sends the resulting
cipher text to the recipient, who uses the same key to decrypt the cipher text into plain text.
Symmetric encryption is also known as secret key cryptography as it uses only one secret key to
encrypt and decrypt the data. This kind of cryptography works well when you are
communicating with only a few people.
Because the sender and receiver must share the key prior to sending any messages, this
technique is of limited use for the Internet, where individuals who have not had prior contact
frequently require a secure means of communication. The solution to this problem is public-key
cryptography.
The symmetric key encryption can use stream ciphers or block ciphers. Stream ciphers encrypt
the bits of a message, one at a time whereas block ciphers encrypt blocks of bits.
• Advantages:
• The communicating parties need to share the key used for transmission of data.
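An added example (not from the original courseware) of the symmetric round trip above in Go, using AES, a block cipher, in GCM mode, which runs the block cipher as a keystream and appends an integrity tag; the message and keys are constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newSharedKey generates the one secret that sender and receiver must both
// hold before any message is exchanged (32 bytes selects AES-256).
func newSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encrypt turns plaintext into ciphertext with the shared key. AES is a block
// cipher; GCM drives it in counter mode, so it behaves like a stream cipher,
// and appends an authentication tag over the ciphertext.
func encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh nonce per message is mandatory for GCM; it is prepended so the
	// receiver, who shares only the key, can recover it.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses the process with the same key. A wrong key or a modified
// ciphertext fails the tag check and yields an error instead of garbage.
func decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

func main() {
	key, err := newSharedKey() // shared out of band, never sent with the message
	if err != nil {
		panic(err)
	}
	ct, err := encrypt(key, []byte("Hello, how are you?")) // sender side, constructed message
	if err != nil {
		panic(err)
	}
	pt, err := decrypt(key, ct) // receiver side, same key
	if err != nil {
		panic(err)
	}
	println(string(pt))

	otherKey, _ := newSharedKey()
	if _, err := decrypt(otherKey, ct); err != nil {
		println("different key: " + err.Error())
	}
}
```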
Asymmetric Encryption
[Figure: Public Key / Private Key. Receiver selects a public and private key and sends the public
key to the sender; Sender uses the public key to encrypt the message and sends it to the
receiver; Receiver decrypts the data using the private key and reads the message]
2. This public key is used to encrypt a message that is then sent to the intended recipi ent.
3. The receiver uses the private key to decrypt the message and read it.
No one but the holder of the private key can decrypt a message composed with the
corresponding public key. This increases the security of the information because all
communications involve only public keys; the message sender never transmits or shares the
private key. The sender must link public keys with usernames in a secure manner to
ensure that unauthorized individuals claiming to be the intended recipient do not intercept
information. To meet the need for authentication, one can use digital signatures.
• Advantages:
• Disadvantages:
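The three-step exchange above as an added Go example that is not part of the original courseware, using RSA with OAEP padding: the receiver generates the pair, publishes only the public key, and only its private key can open what the sender encrypted; the message is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// receiverKeys holds the pair the receiver generates in step 1. Only the
// public half ever leaves this struct.
type receiverKeys struct {
	private *rsa.PrivateKey
}

func generateReceiverKeys() (*receiverKeys, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &receiverKeys{private: priv}, nil
}

// Publish is what the receiver sends to the sender: the public key alone.
func (r *receiverKeys) Publish() *rsa.PublicKey { return &r.private.PublicKey }

// senderEncrypt is step 2: anyone holding the public key can encrypt, but the
// result can be opened only with the matching private key. OAEP is the
// randomized padding that makes RSA safe to use this way.
func senderEncrypt(pub *rsa.PublicKey, message []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, message, nil)
}

// Decrypt is step 3, performed by the receiver with the private key that
// never left its machine.
func (r *receiverKeys) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, r.private, ciphertext, nil)
}

func main() {
	receiver, err := generateReceiverKeys()
	if err != nil {
		panic(err)
	}
	ct, err := senderEncrypt(receiver.Publish(), []byte("meet at noon")) // constructed message
	if err != nil {
		panic(err)
	}
	pt, err := receiver.Decrypt(ct)
	if err != nil {
		panic(err)
	}
	println(string(pt))

	// A second party with its own key pair cannot read the message, even
	// though it, too, knows the receiver's public key.
	other, _ := generateReceiverKeys()
	if _, err := other.Decrypt(ct); err != nil {
		println("other private key: " + err.Error())
	}
}
```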
Hashing is a method to generate a fixed length string of random characters for a message using
an algorithm. It involves the conversion of the original message into a short-fixed length value
or a key that carries the original information.
• Secure storage of Passwords: Passwords are hashed before being stored in the database.
Every time the user enters the password to log in, it is first hashed and the generated
hash is matched with the hash stored in the database. If both hashes match, the
user is granted access. Hashing secures passwords from attackers who gain access to
the database. The stored hash is useless unless the attacker is able to recover the
password from it.
• Monitoring File Integrity: Hashing helps identify if a downloaded file is tampered with.
A hash of the downloaded file is generated and matched with the one provided by the
website. If both hashes match, it is assumed that the file is in its original form.
• Monitoring Message Integrity: Hashing ensures that the transmitted messages are
not tampered with. An encrypted hash is sent along with the message to the receiver,
who decrypts the message and the hash, and generates a hash from the decrypted message. If
the sent hash and the generated hash are the same, the message is assumed to have been
transmitted safely.
• MD5 (Message Digest 5): Generates hashes of 128 bits in length, expressed as 32
hexadecimal characters.
• SHA (Secure Hashing Algorithm): Considered a more secure hashing algorithm.
• SHA-1: Generates hashes of 160 bits in length, expressed as 40 hexadecimal
characters.
• SHA-256: Generates hashes of 256 bits in length, expressed as 64 hexadecimal
characters.
• LIMITATIONS OF HASHING:
• As Hash is a fixed length string it may result in collision (generating same hash for
different data). Hash of smaller length is more prone to collision.
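An added Go example, not from the original courseware, covering three of the uses above: salted password storage with a constant-time check, file integrity verification against a published digest, and the collision limitation, shown by truncating SHA-256 to 16 bits and searching for two inputs that collide; the password and file content are constructed sample data.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// --- Secure storage of passwords -------------------------------------------

// passwordRecord is what the database stores: never the password, only a
// random salt and the hash of salt+password.
type passwordRecord struct {
	salt []byte
	hash [32]byte
}

func storePassword(password string) (passwordRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return passwordRecord{}, err
	}
	// Illustration only: a production system iterates a slow KDF (PBKDF2,
	// bcrypt, Argon2) here so that guessing from a stolen database is expensive.
	return passwordRecord{salt: salt, hash: sha256.Sum256(append(salt, password...))}, nil
}

// checkPassword re-hashes the login attempt with the stored salt and compares
// in constant time, so the comparison itself leaks nothing about the hash.
func checkPassword(rec passwordRecord, attempt string) bool {
	h := sha256.Sum256(append(append([]byte{}, rec.salt...), attempt...))
	return subtle.ConstantTimeCompare(h[:], rec.hash[:]) == 1
}

// --- Monitoring file integrity ---------------------------------------------

// fileDigest is the hex string a download site publishes beside a file.
func fileDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// verifyDownload compares the hash of what was received with the published one.
func verifyDownload(content []byte, published string) bool {
	return fileDigest(content) == published
}

// --- Limitation: short hashes collide --------------------------------------

// findShortCollision truncates SHA-256 to `bits` (1..31) and searches for two
// distinct inputs with the same truncated value. A 16-bit digest collides
// after a few hundred tries; the full 256-bit digest is far out of reach.
func findShortCollision(bits uint) (string, string, int) {
	mask := uint32(1<<bits - 1)
	seen := make(map[uint32]string)
	for i := 0; ; i++ {
		s := fmt.Sprintf("input-%d", i)
		sum := sha256.Sum256([]byte(s))
		short := uint32(sum[0])<<24 | uint32(sum[1])<<16 | uint32(sum[2])<<8 | uint32(sum[3])
		short &= mask
		if prev, ok := seen[short]; ok {
			return prev, s, i + 1
		}
		seen[short] = s
	}
}

func main() {
	rec, _ := storePassword("s3cret!") // constructed sample password
	fmt.Println("login ok:", checkPassword(rec, "s3cret!"), "wrong:", checkPassword(rec, "guess"))

	file := []byte("installer bytes") // constructed stand-in for a download
	published := fileDigest(file)
	tampered := append([]byte("installer bytes"), 0x00)
	fmt.Println("intact:", verifyDownload(file, published), "tampered:", verifyDownload(tampered, published))

	a, b, tries := findShortCollision(16)
	fmt.Printf("16-bit collision after %d inputs: %q and %q\n", tries, a, b)
}
```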
[Figure: Digital signature. Sender: Confidential Message → Hashing Algorithm → Hash Code → Signature Function → Message with Digital Signature. Receiver: Verification Function (Public Key) → Hash Code, compared with the Hash Code computed from the received Confidential Message]
• The public key in a digital signature can be transmitted securely by sending it over a secured channel like SSL, but if the
sender wants to send his public key to more users, a number of these secured channels need to be created for each user
communication; this process will become quite tedious and unmanageable
• Digital certificates are used to deal with security concerns about transmitting public keys securely to the receiver in
the digital signature
• The trusted intermediary solution is used to secure public keys, where the public key is bound with the name of its
owner
• Owners of the public key need to get their public keys certified by the intermediary; the intermediary then issues
certificates called digital certificates to the owners, which they can use to send the public key to a number of users
[Figure: Sender signs the message digitally using his private key (Signature Function) and sends it to
the receiver along with the digital certificate; Receiver extracts the public key from the digital
certificate and verifies the digitally signed message from the sender using the extracted public
key (Verification Function)]
• Serial number: Represents the unique certificate identity
• Issuer: Provides the identity of the issuing authority
• Subject: Represents the owner of the certificate, which may be a person or an organization
• Valid from: Denotes the date from which the certificate is valid
• Signature algorithm: States the name of the algorithm used for creating the signature
• Valid to: Denotes the date till which the certificate is valid
• Public key: Used for encrypting the message or verifying the signature of the owner
• Thumbprint: Specifies the hash value for the certificate, which is used for verifying the
certificate's integrity
Digital certificates allow the secure interchange of information between a sender and a
receiver. This enables the sender's public key to be used by the receiver. The sender applies
for a digital certificate from the Certificate Authority (CA). Along with the encrypted
message and the public key, the CA provides other identity-validating information. The receiver
accepts the encrypted message and uses the CA's public key to decode the digital certificate. This
allows the receiver to identify the digital signature and then obtain the sender's public key and
other identification details.
The digital certificate can hold information like the name of the sender who applied for the
certificate, the expiration date, a copy of the sender's public key, and the digital signature of the
CA. The receivers of the digital certificate can check the validity of the certificate using the
signature attached by the approved authority, verified with that authority's public key. Each
operating system and web browser carries authorized certificates from CAs, which enables
easy validation. The main aim in implementing a digital certificate is to ensure nonrepudiation.
Most SSL/TLS protocols use certificates in order to prevent attackers from changing or
modifying the data. Certificates also find application in e-mail servers and code signing.
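The signing and verification flow above, together with the CA issuance it depends on, as an added Go example that is not part of the original courseware: a constructed root CA issues a certificate binding a sender's public key to a subject name, the sender signs a message with the private key, and the receiver verifies the chain and validity dates before extracting the public key and checking the signature; CA name, subject and message are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// authority is the CA: the trusted private key plus its self-signed certificate.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newKey generates a fresh key pair (used for the CA and for the sender).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCert signs tmpl under parent with the signer's private key and parses it.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newAuthority() (*authority, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, // constructed
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key) // self-signed root
	if err != nil {
		return nil, err
	}
	return &authority{cert: cert, key: key}, nil
}

// Issue binds an applicant's public key to its name (Subject) by signing a
// certificate with the CA's private key; the applicant's private key is never seen.
func (a *authority) Issue(subject string, pub *ecdsa.PublicKey, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return makeCert(tmpl, a.cert, pub, a.key)
}

// sign is the sender's step: hash the message, sign the hash with the private key.
func sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifySigned is the receiver's step: check that the certificate chains to a trusted
// CA and is within its validity dates, then verify the signature with its public key.
func verifySigned(roots *x509.CertPool, cert *x509.Certificate, msg, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	ca, _ := newAuthority()
	roots := x509.NewCertPool() // the CA certificate a browser or OS already carries
	roots.AddCert(ca.cert)
	senderKey, _ := newKey()
	senderCert, _ := ca.Issue("alice@example.com", &senderKey.PublicKey, time.Hour) // constructed subject
	msg := []byte("transfer approved") // constructed message
	sig, _ := sign(senderKey, msg)
	// The receiver needs no secure channel for the sender's public key: it arrives inside the certificate.
	println("verified:", verifySigned(roots, senderCert, msg, sig) == nil)
	thumb := sha256.Sum256(senderCert.Raw) // the slide's Thumbprint field: hash of the whole certificate
	println(senderCert.Subject.CommonName, senderCert.SerialNumber.String(), hex.EncodeToString(thumb[:]))
}
```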
Public Key Infrastructure (PKI) is a set of hardware, software, people, policies, and procedures
required to create, manage, distribute, use, store, and revoke digital certificates
Components of PKI
[Figure: Certification Authority (CA), Validation Authority (VA), Registration Authority (RA); the
user applies for issuing a certificate; public key; certificate; result determined]
PKI is a comprehensive system that allows the use of public-key encryption and digital signature
services across a wide variety of applications. PKI authentication depends on digital certificates
(also known as public-key certificates) that CAs sign and provide. The digital certificate is a
digitally signed statement with a public key and the subject (user, company, or system) name
on it.
Public-key infrastructure is widely recognized as a best practice for ensuring digital verification
for electronic transactions. These are the most effective method for providing verification while
enabling electronic transactions. The digital signatures supported by PKI include the following:
Uses of PKI
PKI does not serve as a business function only; it provides the foundation for other security
services. The primary use of PKI is to allow the distribution and use of public keys and
certificates with security. The security mechanisms that are based on PKI include email, chip
card application, value exchange with e-commerce, home banking, and electronic postal
systems. PKI enables basic security services for varied systems that are as follows:
Network security policy is a document describing the various policies used to build the network
security architecture of the organization. The security policies generally examine the data
access, web browsing methods, and encryption processes. It also helps in restricting
unauthorized users and malicious users from the organization. A security policy should include
the type of services that are available and the probability of damage to these services. The
security policies decide the access permissions of users and security of the network. Security
policies enable permissions to only minimal level of resources that is enough in completing the
task by the user. Organizations need to monitor the policies and confirm they meet their
security needs.
• It monitors and filters the incoming and outgoing traffic of the network and prevents
unauthorized access to private networks
• It works at the network layer of the OSI model, or the IP layer of TCP/IP.
[Figure: firewall placed between the Internet (via the modem) and the private network]
A firewall is a secure, reliable, and trusted device placed between private and public networks.
It helps in protecting a private network from the users of a different network. It has a set of
rules to trace the incoming and outgoing network traffic and is also responsible for allowing or
denying the traffic to pass through.
• Restrict the access of the hosts on the private network and the services of the public
network.
• Support network address translation, which helps in using the private IP addresses and to
share a single Internet connection.
• It serves client requests on behalf of actual servers, thereby preventing actual servers from
exposing themselves to the outside world
• Network administrators should deploy a proxy server to intercept malicious, offensive Web
content, computer viruses, etc. hidden in the client requests
[Figure: Proxy Server between the clients and the Internet]
A proxy server is an application that can serve as an intermediary when connecting with other
computers.
A proxy server is used:
• To filter out unwanted content, such as ads or "unsuitable" material (using specialized
proxy servers).
• Hides IP Address, Location & Other Information
• Improves Security, mainly in business networks
The following are some more benefits of using a proxy server in the network
• Reduces the chances of the modifying cookies in the browser configuration and protects
from any kind of malware.
• Enables authentication for the proxy servers before it handles the user requests and
services.
Proxy Workbench is a proxy server that displays data passing through it in real time
It allows you to drill into specific TCP/IP connections, view their history, save the data to a file,
and view the socket connection diagram
[Screenshot: Proxy Workbench]
http://www.proxyworkbench.com
Proxy Workbench is a proxy server utility that displays the passage of data in real time. It allows
getting details like saving data, viewing history and viewing socket diagram of a socket
connection for a particular TCP/ IP connection. Socket connection diagram displays the graphical
history of all the previous events that took place in that socket connection.
• Advantages:
• Programmers
• IT training industry
Source: http://proxyworkbench.com
SocksChain: http://ufasoft.com
Fiddler: http://www.telerik.com
WinGate: http://www.wingate.com
ProxyCap: http://www.proxycap.com
Charles: http://www.charlesproxy.com
CCProxy: http://www.youngzsoft.net
Socks Chain
Source: http://ufasoft.com
Socks Chain is a program that allows working with any Internet service through a chain of
SOCKS or HTTP proxies to hide the real IP address. Socks Chain functions as a usual SOCKS
server that transmits queries through a chain of proxies. It can be used with client programs
that do not support the SOCKS protocol but work with one TCP connection, such as TELNET,
HTTP, IRC, etc.
Burp Proxy
Source: http://www.portswigger.net
Burp Proxy, part of Burp Suite, is an intercepting proxy server that operates as a man-in-the-middle
between your browser and the target application, allowing you to intercept and modify all
HTTP/S traffic passing in both directions.
Proxifier
Source: https://www.proxifier.com
Proxifier allows network applications that do not support working through proxy servers to
operate through a SOCKS or HTTPS proxy and chains.
WinGate
Source: http://www.wingate.com
WinGate Proxy Server is an integrated Internet gateway and communications server which
meets the control, security, and communications needs of today's businesses. It provides the
flexibility to match the company's budget, irrespective of the size of the organization.
Charles
Source: http://www.charlesproxy.com
Charles is an HTTP proxy / HTTP monitor / reverse proxy that enables developers to view all
HTTP and SSL/HTTPS traffic between their machine and the Internet. This includes requests,
responses, and the HTTP headers (which contain the cookies and caching information).
Fiddler
Source: http://www.telerik.com
Fiddler is a proxy server that is compatible with any browser, system or platform.
• Web Debugging
• Performance Testing
• Security Testing
• Customizing Fiddler
AnalogX Proxy
Source: http://www.analogx.com
AnalogX Proxy is a server that allows any other machine on the local network to route its
requests through a central machine. The protocols supported by the proxy are HTTP (web), HTTPS
(secure web), POP3 (receive mail), SMTP (send mail), NNTP (newsgroups), FTP (file transfer),
and Socks4/4a and partial Socks5.
Source: http://www.protoport.com
Protoport Proxy Chain software enables users to build a chain of proxy servers from different
countries. The proxy server tool enables them to surf the internet anonymously.
ProxyCap
Source: http://www.proxycap.com
ProxyCap redirects computer's network connections through proxy servers. ProxyCap
determines the applications that can connect to the Internet through a proxy. ProxyCap
supports the SSH protocol, allowing the user to specify an SSH server as the proxy server.
CCProxy
Source: http://www.youngzsoft.net
CCProxy is a Windows proxy server that assists users to build their own proxy server and to
share the Internet connection within the LAN. CCProxy can support broadband, DSL, dial-up,
optical fiber, satellite, ISDN, and DDN connections. CCProxy Server can act as an HTTP, mail,
FTP, SOCKS, news, Telnet, and HTTPS proxy server. The functions provided by CCProxy are:
Internet access control, bandwidth control, Internet web filtering, content filtering and time
control, web caching, online access monitoring, access logging, and bandwidth usage statistics.
It has no authorized activity, does not have any production value, and any traffic to it
is likely a probe or an attack
[Figure: Honeypot, DMZ, Internal Network, Firewall Packet Filter, Web Server]
A honeypot is a computer system on the Internet intended to attract and trap people who try
unauthorized or illicit utilization of the host system. It is a fake proxy run in an attempt to frame
attackers by logging traffic through it, and then sending complaints to victim ISPs. Whenever
there is any interaction with a honeypot, it is most likely to be a malicious activity. Honeypots
are unique; they do not solve a specific problem. Instead, they are a highly flexible tool with
many different security applications. Some honeypots help in preventing attacks, others can be
used to detect attacks, while others can be used for information gathering and research. It
requires a considerable amount of attention to maintain a honeypot.
• Install a system on the network with no particular purpose other than to log all
attempted access.
• Install an older, unpatched operating system on a network. For example, the default
installation of WinNT 4 with IIS 4 can be hacked using several different techniques. A
standard intrusion detection system can then be used to log hacks directed against
the system and further track what the intruder attempts to do with the system once it
is compromised. Install special software designed for this purpose, which will have the
advantage of making it appear that the intruder is successful without really allowing
them access to the network.
• Ensure that the attacker cannot easily delete system data intended to be in the
honeypot.
• Collect forensic information that can be used for the further investigation of the
attack.
• Pure Honeypots: The presence of pure honeypots makes it possible to track the
activities of an attacker in a complete manner. It places a small tap in between the
honeypot's link to the network.
The following are some security benefits of implementing Honeypots in the network:
• Detect Inside attacks: Honeypots help detect insiders (employees) misusing the system.
• Reduce False Positives: Any connection to a honeypot is considered a hostile attack. Any
information sent from the honeypot represents an intrusion.
• Identify False Negatives: Since any activity with the honeypot is considered abnormal,
honeypots help capture new attacks or activity against them easily.
• Data Collection: Honeypots collect small amounts of high-value data. This small amount of
information is the exact information presented in an easy-to-understand format.
• Resources: As honeypots capture less activity, they do not come across resource
exhaustion issues.
• Encryption: Honeypots capture the activity even if it is encrypted.
• IPv6: Honeypots are capable of detecting, capturing, and logging all IP activity.
• Incident response: Allows the organization to detect and prevent attacks by taking the
necessary steps
Kojoney: http://kojoney.sourceforge.net
HIHAT: http://hihat.sourceforge.net
Glastopf: http://glastopf.org
HONEYBOT: http://www.atomicsoftwaresolutions.com
Canary: https://canary.tools
HONEYD: http://www.citi.umich.edu
Thug: http://buffer.github.io
T-POT: http://dtag-dev-sec.github.io
ARGOS: http://www.few.vu.nl
Conpot: https://pypi.python.org
Kojoney
Source: http://kojoney.sourceforge.net
Kojoney is a low-interaction honeypot that emulates an SSH server. The prerequisites
required for Kojoney are:
• OpenSSL
• Python
• Sh or Bash (Bourne Again SHell)
• Zope-Interfaces (included in the package)
• Twisted (included in the package)
• Twisted Conch (included in the package)
Glastopf
Source: http://glastopf.org
Glastopf is a honeypot, which emulates thousands of vulnerabilities to gather data from attacks
targeting web applications. Glastopf follows a very simple principle: Send the correct response
to the attacker exploiting the web application.
Canary
Source: https://canary.tools
Canary honeypot mimics a production system when deployed. It helps an organization in the
early detection of network breaches.
Thug
Source: http://buffer.github.io
Thug is a low interaction honeyclient. The main aim behind Thug is to mimic the behavior of a
web browser in order to detect and emulate malicious contents. A honeyclient is a tool
designed to mimic the behavior of a user-driven network client application, such as a web
browser, and be exploited by an attacker's content.
Argos
Source: http://www.few.vu.nl
Argos's honeypot uses dynamic taint analysis to detect and analyze control flow attacks.
HIHAT
Source: http://hihat.sourceforge.net
The High Interaction Honeypot Analysis Toolkit (HIHAT) transforms arbitrary PHP applications
into web-based high-interaction honeypots. It provides a graphical user interface which
performs the process of monitoring the Honeypot and analyzing the acquired data.
HoneyBot
Source: http://www.atomicsoftwaresolutions.com
HoneyBot is a medium interaction honeypot for Windows. A honeypot creates a safe
environment to capture and interact with unsolicited traffic on a network. HoneyBOT is an ideal
tool for network security research or as part of an early warning IDS.
HoneyD
Source: http://www.citi.umich.edu
HoneyD creates virtual hosts on a network. The hosts can be configured to run arbitrary
services, and their personality can be adapted so that they appear to be running certain
operating systems. HoneyD enables a single host to claim multiple addresses.
T-POT
Source: http://dtag-dev-sec.github.io
The main aim of implementing a T-POT is to create a system, whose entire TCP network range
as well as some important UDP services act as a honeypot, and to forward all incoming attack
traffic to the best-suited honeypot daemons in order to respond and process it.
Conpot
Source: https://pypi.python.org
Conpot is an ICS honeypot that collects intelligence about the motives and methods of
adversaries targeting industrial control systems.
• If found, the IDS will alert the network administrator about the suspicious activities
• IDS checks traffic for signatures that match known intrusion patterns, and triggers an alarm when a
match is found
[Figure: User, Intranet, IDS]
Intrusion Detection System (IDS) performs an evaluation of the network traffic for illegal
activities and policy violations. Intrusion detection uses vulnerability assessment for ensuring
the security of the network. Features of Intrusion Detection include:
Firewalls prevent intrusions within the network, but do not actually alert regarding the
intrusion or attack. IDS systems can monitor and identify the intrusions within the network as
well as signal an alarm to the network administrator.
• IPS is a network security appliance that combines functions of both a firewall and an IDS
• Unlike IDS, an IPS is able to actively prevent/block detected intrusions on the network
[Figure: IPS placed inline alongside the Firewall]
Intrusion Prevention Systems (IPS) work similarly to an IDS. Like an IDS, an IPS monitors the
network traffic for any intrusion or attack. IPS systems have the capability to take quick
action against any kind of intrusion. An IPS takes actions based on certain rules and policies
configured into it. In other words, the IPS system can identify, log, and prevent the occurrence
of any intrusions or attacks in the network.
• Unlike an IDS, the IPS systems can block as well as drop illegal packets in the network.
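The following Python program is added here as an illustration; it is not part of the CND courseware and not the code of Snort, Suricata or any other product. It shows the signature-matching loop the IDS and IPS slides above describe, run once in IDS mode (alert, still forward) and once in IPS mode (alert and drop) over the same constructed packets. The rules, the byte patterns they look for, the addresses and the payloads are all invented for the example.

```python
"""Signature matching over constructed packets, in IDS (alert only) and IPS (alert and drop) modes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Rule:
    sid: int                 # signature id, as Snort/Suricata rules carry
    msg: str
    dport: Optional[int]     # None means "any destination port"
    content: bytes           # byte pattern that must appear in the payload

# Hypothetical rules written for this example; the patterns are illustrative, not production signatures.
RULES = [
    Rule(1000001, "SQL injection attempt (UNION SELECT)", 80, b"UNION SELECT"),
    Rule(1000002, "NOP sled, possible buffer overflow", None, b"\x90" * 32),
    Rule(1000003, "Directory traversal attempt", 80, b"../../"),
]

def match_rules(pkt: Packet, rules=RULES) -> List[Rule]:
    """Return every rule whose port filter and content pattern both match this packet."""
    return [r for r in rules
            if (r.dport is None or r.dport == pkt.dport) and r.content in pkt.payload]

def inspect(packets, mode: str = "ids", rules=RULES) -> Tuple[list, list]:
    """Run the signature engine over a packet stream.
    IDS mode: every match produces an alert and the packet is still forwarded.
    IPS mode: every match produces an alert and the packet is dropped inline.
    Returns (alerts, forwarded_packets)."""
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    alerts, forwarded = [], []
    for pkt in packets:
        hits = match_rules(pkt, rules)
        for r in hits:
            alerts.append({"sid": r.sid, "msg": r.msg, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport})
        if hits and mode == "ips":
            continue            # dropped: the packet never reaches the protected host
        forwarded.append(pkt)
    return alerts, forwarded

# Constructed sample traffic (not real captures).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 80, b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.0.2.20", 9999, b"A" * 8 + b"\x90" * 64 + b"\xcc\xcc"),
    # Port 8080: rule 1000003 is scoped to port 80, so this traversal attempt stays silent.
    Packet("10.0.0.7", "192.0.2.10", 8080, b"GET /../../etc/passwd HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        alerts, fwd = inspect(SAMPLE, mode)
        print(mode.upper(), "alerts:", [a["sid"] for a in alerts], "forwarded:", len(fwd), "of", len(SAMPLE))
```

The last sample packet is the point to notice: a signature scoped to port 80 never fires on the same attack sent to port 8080, which is why real rule sets key on the application protocol (HTTP) rather than on the port alone, and why an IPS with a narrow rule gives no protection there.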
Snort
Source: https://www.snort.org
Snort is an open source network intrusion detection system, capable of performing real-time
traffic analysis and packet logging on IP networks. It can perform protocol analysis and content
searching/matching, and is used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
Uses of Snort: Snort can be run as a packet sniffer, as a packet logger, or as a full network
intrusion detection/prevention system driven by its rule set.
Suricata
Source: http://suricata-ids.org
Suricata is a network IDS, IPS and network security monitoring engine. Suricata is highly
scalable because it is multi-threaded: a single instance balances the processing load across
every processor it is configured to use. The tool can also identify thousands of files passing
through the network.
OSSEC
Source: http://www.ossec.net
OSSEC actively monitors all aspects of UNIX system activity (Windows agents are also available) with
file integrity monitoring, log monitoring, rootkit checks, and process monitoring. During the course
of an attack, OSSEC raises alerts through its alert logs and e-mail, and can also export alerts to
any SIEM system via syslog.
McAfee Host Intrusion Prevention for Desktop
McAfee Host Intrusion Prevention for Desktop safeguards your business against complex security
threats that may be unintentionally introduced or allowed by desktops and laptops.
AIDE
Source: http://aide.sourceforge.net
AIDE stands for Advanced Intrusion Detection Environment. It is a file and directory integrity
checker. It builds a database of the files selected by the regular expression rules in its config
file(s). Once this database is initialized, it can be used to verify the integrity of the files:
several message digest algorithms are available to hash file contents, and all of the usual file
attributes (permissions, owner, size, timestamps, inode) can also be checked for inconsistencies.
It can read databases from older or newer versions. Because the database is the reference, it must
be protected: keep it read-only or on a separate host, or an intruder can simply regenerate it.
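To show what a file integrity checker of the AIDE kind actually does, here is a small Python implementation added for this section; it is not AIDE's code and uses only the standard library. It takes a baseline of a directory (content hash plus the attributes tools like AIDE compare), saves it, then verifies the directory against the saved baseline and reports added, removed and changed files. The directory contents and the "tampering" are constructed inside the demo in a temporary directory.

```python
"""Baseline-and-verify file integrity checking, the model that AIDE and similar tools implement."""
import hashlib
import json
import os
import stat
import tempfile

def fingerprint(path: str) -> dict:
    """Hash the content and record the attributes AIDE-style tools compare."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(root: str) -> dict:
    """Walk root and record one fingerprint per regular file, keyed by path relative to root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            db[os.path.relpath(full, root).replace(os.sep, "/")] = fingerprint(full)
    return db

def save_baseline(db: dict, path: str) -> None:
    # The baseline is only as trustworthy as its storage: keep it read-only or off the monitored
    # host, otherwise an attacker who changes a file can simply re-baseline.
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)

def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)

def verify(root: str, baseline: dict) -> dict:
    """Compare the current state of root with the baseline and report what differs."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if diffs:
            report["changed"][rel] = diffs
    return report

def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate tampering and verify against it."""
    root = tempfile.mkdtemp(prefix="fim-")

    def write(name, text, mode="w"):
        with open(os.path.join(root, name), mode) as f:
            f.write(text)

    os.makedirs(os.path.join(root, "etc"))
    write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
    write("etc/sshd_config", "PermitRootLogin no\n")
    write("bin-ls", "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
    db_path = os.path.join(tempfile.mkdtemp(prefix="fim-db-"), "baseline.json")
    save_baseline(build_baseline(root), db_path)
    # Simulated tampering: weakened config, new preload library, trojaned binary, deleted file.
    write("etc/sshd_config", "PermitRootLogin yes\n", mode="a")
    write("etc/ld.so.preload", "/tmp/evil.so\n")
    write("bin-ls", "#!/bin/sh\nexec /tmp/backdoor \"$@\"\n")
    os.remove(os.path.join(root, "etc", "passwd"))
    return verify(root, load_baseline(db_path))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Only regular files are fingerprinted and symbolic links are skipped, which mirrors the usual AIDE rule of not following links; a production checker would also record link targets and exclude paths that change legitimately (logs, spool directories) so that the report stays readable.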
Fortinet Next-Generation IPS
Source: http://www.fortinet.com
Fortinet's Next-Generation IPS is used for advanced threat protection by integrating:
Cyberoam Intrusion Prevention System
Source: http://www.cyberoam.com
Cyberoam Intrusion Prevention System protects against network and application-level attacks,
securing organizations against intrusion attempts, malware, Trojans, DoS and DDoS attacks,
malicious code transmission, backdoor activity and blended threats. It can carry thousands of
automatically updated signatures, enabling protection against the latest vulnerabilities.
IBM Security Network Intrusion Prevention System
Source: http://www-03.ibm.com
IBM® Security Network Intrusion Prevention System stops constantly evolving threats before
they impact your business. It provides both high levels of protection and performance, while
lowering the complexity associated with deploying and managing a large number of point
solutions.
AlienVault Unified Security Management
Source: http://www.alienvault.com
AlienVault Unified Security Management analyzes system behavior and configuration status to
track user access and activity. It detects potential security exposures such as system
compromise, modification of critical configuration files (e.g. registry settings, /etc/passwd),
common rootkits, and rogue processes. It identifies the latest attacks, malware infections,
system compromise techniques, policy violations, and other threats.
A network protocol analyzer is a hardware device or software that monitors and analyzes data
passing through a network. A network protocol analyzer complements firewall, anti-virus, and
anti-spyware controls in a network. It analyzes the raw data in each packet and identifies the
content of each packet passing through the network. It does not block attacks by itself, but the
visibility it provides helps detect an attack earlier and respond to it faster.
The figure below shows the components of a network protocol analyzer:
[Figure: protocol analyzer architecture. The packet driver on the analyzer host captures from the
router/switch/server farm segment; the packet capturing function, data access layer and network
decoding engine feed a consolidated tool farm; packets are analyzed and then displayed]
The analyzer runs on the host machine. When the analyzer puts the NIC into promiscuous mode,
the NIC passes up every frame it sees rather than only those addressed to it. On a switched
network this covers only the host's own traffic, so the analyzer host is normally attached to a
mirror (SPAN) port or a network tap to see the traffic of interest. The analyzer then forwards
the captured traffic to its packet-decoder engine, which splits each packet into its protocol
layers (for example Ethernet, IP, TCP and the application data). The analyzer then verifies
these packets and displays the packet information on the analyzer host's screen. Depending on
the product, the analyzer also allows filtering of packets at capture time and at display time.
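The decoding step described above, as an added Python example (not code from the courseware or from any analyzer product): a frame is split layer by layer into Ethernet, IPv4 and TCP fields, the IP header checksum is verified, and a minimal display filter picks out frames by destination port. Since no capture interface is involved, the two sample frames are constructed in the program with struct; the MAC and IP addresses and payloads are invented for the example.

```python
"""Decode an Ethernet II / IPv4 / TCP frame layer by layer, as a protocol analyzer's decoding engine does."""
import socket
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum. Over a header that already carries a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, flags=0x18) -> bytes:
    """Construct a frame for the demo (no real capture needed). flags=0x18 is PSH|ACK."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + b"\x08\x00")                                   # EtherType 0x0800 = IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload

def decode_frame(frame: bytes) -> dict:
    """Split the frame into its Ethernet, IP and TCP layers; stop early if a layer is not one we decode."""
    decoded = {"eth": {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]),
                       "type": struct.unpack("!H", frame[12:14])[0]}}
    if decoded["eth"]["type"] != 0x0800:                        # not IPv4
        return decoded
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    decoded["ip"] = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
                     "proto": proto, "checksum_ok": ipv4_checksum(ip[:ihl]) == 0}
    if proto != 6:                                               # not TCP
        return decoded
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off_res >> 4) * 4
    decoded["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
                      "flags": [n for bit, n in TCP_FLAG_NAMES if flags & bit],
                      "payload": tcp[data_off:]}
    return decoded

def filter_frames(frames, dport=None, proto=None) -> list:
    """A minimal display filter: keep the decoded frames that match the given criteria."""
    kept = []
    for f in frames:
        d = decode_frame(f)
        if proto is not None and d.get("ip", {}).get("proto") != proto:
            continue
        if dport is not None and d.get("tcp", {}).get("dport") != dport:
            continue
        kept.append(d)
    return kept

# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "192.0.2.10", 51000, 80,
                b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", "10.0.0.6", "192.0.2.10", 51001, 22,
                b"SSH-2.0-OpenSSH_9.0\r\n"),
]

if __name__ == "__main__":
    for d in filter_frames(SAMPLE_FRAMES, dport=80):
        print(d["ip"]["src"], "->", d["ip"]["dst"], d["tcp"]["flags"], d["tcp"]["payload"][:20])
```

Each layer is read from the offsets the previous layer's header fields give (EtherType, IHL, data offset), which is exactly why a decoder must be strict about those lengths: malformed values are a classic way to crash or evade an analyzer.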
The following are some benefits of using a Network Protocol Analyzer in the network:
• It can be used as a network troubleshooting and debugging tool. It helps in figuring out
the reason for performance issues, identifying protocol errors, finding why DHCP has stopped
working or why a virtual network is not routing traffic correctly, and various other related
problems.
• It generates application statistics such as average HTTP transaction time, DNS query and SQL
Server response time, retransmission rates, and top talkers and listeners on the network.
• It provides a current view of the activity occurring in the network.
• It checks the traffic for irregularities and for variations in the characteristics of the data
packets.
• It records details that later assist in the forensic investigation of an incident, and preserves
evidence of previous incidents.
• Capture filters let it discard the traffic that is not required for the analysis, so that only the
packets of interest are recorded; note that the analyzer itself does not block traffic on the network.
Wireshark
Source: https://www.wireshark.org
Wireshark captures network packets and displays the packet data in as much detail as possible.
It shows what is happening on the network at the packet level.
CommView
Source: http://www.tamos.com
CommView is a network monitor and analyzer designed for LAN administrators, security
professionals, network programmers and home users. It captures every packet on the wire to
display important information such as a list of packets and network connections, vital statistics,
protocol distribution charts, and so on. It allows examining, saving, filtering, importing and
exporting captured packets, and viewing protocol decodes down to the lowest layer with full
analysis of over 100 supported protocols.
Capsa
Source: http://www.colasoft.com
Capsa is a portable network analyzer application for both LANs and WLANs, which provides
real-time packet capturing, 24x7 network monitoring, advanced protocol analysis, in-depth
packet decoding, and automatic expert diagnosis. It gives quick insight to network
administrators or network engineers, allowing them to rapidly pinpoint and resolve application
problems.
EtherDetect
Source: http://www.etherdetect.com
EtherDetect provides a connection-oriented view for analyzing packets more effectively.
Microsoft Message Analyzer
Source: https://www.microsoft.com
The Microsoft Message Analyzer supports the latest protocol parsers for capturing, displaying,
and analyzing protocol messaging traffic, events, and other system or application messages in
troubleshooting and diagnostic scenarios.
PRTG
Source: https://www.paessler.com
PRTG allows you to use an unlimited number of NetFlow / flow sensors. Using its built-in
protocol analyzer, PRTG can monitor and classify network traffic by IP address, protocol, or
user-defined custom parameters.
Observer
Source: http://www.viavisolutions.com
Observer Analyzer delivers individual packet views and decodes over 740 primary protocols and
countless sub-protocols.
SoftPerfect
Justniffer
Source: http://justniffer.sourceforge.net
Justniffer is a network protocol analyzer that captures network traffic and produces logs in a
customized way. It can also emulate Apache web server log files, track response times and
extract all "intercepted" files from the HTTP traffic.
Network Probe
Source: http://www.objectplanet.com
Network Probe is a network monitor and protocol analyzer that monitors network traffic in real
time and helps you find the sources of any network slowdowns.
[Figure: content filtering deployment, with a filter placed between each LAN (Ethernet) segment's firewall and the Internet]
Content filters block deceptive web pages or e-mails. They protect the network from malware and
from other systems that are hostile or disruptive. A content filter allows the organization to
block certain web sites. Organizations can implement different types of Internet filtering:
• Browser-based filters
• E-mail filters
• Client-side filters
• Content-limited filters
• Network-based filtering
• Search engine filters
In the process of content filtering, the filter compares the character strings in a web page (or
its URL) against its rules in order to screen it. Most organizations filter pornographic or
violence-related websites. Content filtering can also reduce the exposure of a network to malware
and other attacks that can make massive changes in the system and network, although it is not a
substitute for anti-malware or intrusion prevention controls.
High level of protection
Internet content filters normally provide protection from malware programs and software.
Highly flexible
It enables the organization to decide on the sites that need to be blocked. It also provides the
organization the ability to change the site blocking settings at any time.
Increased speed
Internet content filtering allows the organization to conserve the bandwidth of the Internet
connection by blocking sites that are not needed for business, which leaves more bandwidth for
legitimate traffic.
[Slide: content filtering tools: Netsentron (http://www.netsentron.com), iboss (http://ibosshome.com),
DansGuardian (http://dansguardian.org), Handy Filter (http://www.handyfilter.com),
OpenDNS (https://www.opendns.com), Qustodio (https://www.qustodio.com)]
Netsentron
Source: http://www.netsentron.com
Netsentron content filter is primarily used in schools and businesses. It stops all unauthorized
access to a network and also blocks pornographic, offensive, and unapproved websites. It also
provides the flexibility to work on files remotely.
Net Nanny
Source: https://www.netnanny.com
Net Nanny helps parents filter out the harmful content and other dangers of the Internet.
Various features of Net Nanny include:
• Compatible with Windows, Mac, Android, iPhone, iPod Touch, and iPad.
• Blocks pornography.
• Masks profanity before it appears on the screen.
• Controls access to set time limits on Internet usage.
• Sends alerts and reports to console or email.
• Creates user profiles to tailor protection to the individual family member's needs.
UTM is a network security management solution which allows the administrator to monitor and manage
the organization's network security through a centralized management console.
It provides firewall, intrusion detection, antimalware, spam filter, load balancing, content filtering, data
loss prevention, and VPN capabilities using a single UTM appliance.
Advantages: reduced complexity, simplicity, easy management.
Disadvantages: single point of failure, single point of compromise.
[Figure: a UTM appliance combining VPN, IDS/IPS and the other functions listed above]
Unified Threat Management (UTM) is a security management approach that enables the
administrator to evaluate and examine security-related applications and other components
through a single console. UTM helps minimize the complexity of the network while protecting
users from blended threats.
Advantages of UTM:
• Less cost: Reduces the cost of buying multiple devices. UTM needs only a single console
that can manage the whole network.
• Low maintenance cost: As only a single console is used, it needs little maintenance.
• Easy installation and management: UTM involves the use of only a single appliance that
requires minimum wiring and other installation requirements.
• Fully integrated: UTM is a complete console that incorporates every feature required for
protecting a network.
Disadvantages of UTM:
• Less specialization: As a single UTM manages the whole security of the network, it may
lack certain features that a dedicated product offers. This can be avoided by using dedicated
devices for each feature.
• Single point of failure: UTM involves the use of a single appliance with all features included
in it. Failure of one feature can affect the performance of the other features and the
working of the UTM as a whole; a compromise of the appliance likewise exposes every
function at once.
• Possible performance constraints: The single appliance performs various tasks at the
same time. Under load, some tasks or features may not get adequate CPU time, and an
overloaded appliance may pass traffic without fully inspecting it, or drop it.
Fortinet
Source: https://www.fortinet.com
Fortinet helps in protecting the entire network from the endpoint to the cloud, delivering
industry-leading, end-to-end simplified security.
Sophos
Source: https://www.sophos.com
With Sophos UTM, it is easy to configure firewall rules that cover multiple destinations,
sources, and services. It also provides country blocking and intrusion prevention (IPS). It allows
control of web applications proactively or in real time using the popular flow monitor.
WatchGuard
Source: http://www.watchguard.com
WatchGuard provides an all-in-one network security platform with monitoring and isolation of
threats from a single console.
Dell SonicWALL
Source: https://www.sonicwall.com
Dell SonicWALL UTM technology delivers comprehensive protection and simplifies security
management, all without affecting the speed of the network. It inspects VPN and wireless
traffic for threats and ensures the integrity of all traffic passing through.
Barracuda
Source: https://www.barracuda.com
Barracuda Firewall provides comprehensive network security and optimization. It uses the
power of the cloud in innovative ways to deliver next-generation firewall and content-security
features without bogging down the network.
Palo Alto Networks
Source: https://www.paloaltonetworks.com
Palo Alto Networks is a network security appliance built around the next-generation firewall. It
easily integrates with every other security element. It is used for networking, security, content
inspection, and management.
McAfee
Source: http://www.mcafee.com
McAfee's network security solutions detect advanced targeted attacks and get actionable
threat information. It optimizes threat detection and response by closing the gap from malware
encounter to containment.
Cisco
Source: http://www.cisco.com
Cisco's security appliances provide zone-based firewall, IPS, Web threat protection and URL
filtering. It also involves application control, spam filter, gateway anti-virus, site-to-site VPN,
remote user VPN with Cisco.
Network Access Control, also known as Network Admission Control (NAC), refers to appliances or
solutions that attempt to protect the network by restricting the connection of an end user to the
network based upon a security policy.
The pre-installed software agent may inspect several items before admitting the device and may
restrict where the device may be connected.
Network Access Control (also known as Network Admission Control) deals with restricting
the availability of a network to the end user depending on the security policy. It mainly restricts
systems without antivirus or intrusion prevention software from accessing the network. NAC
allows you to create policies for each user or system and define policies for networks in terms
of IP addresses. Typical checks performed before a device is admitted include:
• Checking if the end system has a configured firewall or Intrusion Prevention Software.
• Looking for any viruses on the network, and checking if the operating system is
updated.
• NAC helps in identifying users and devices on a network. Also determines whether
these users and devices are secure or not.
• Examines the system integration with the network according to the security policies of
the organization.
NAC helps in maintaining security policies for increased control of the network. An organization
must look into the threats to its network while considering the cost of implementing NAC.
Organizations need to have plans to rectify the faults in the policies while implementing a NAC.
Organizations may consider the following points:
• Network Infrastructure: Incorporate network access control policies within the network
infrastructure.
• Management: Decides the priority of the policies, effect of policies on the organization
and managing the budget issues.
[Slide: NAC tools: ForeScout CounterACT (https://www.forescout.com), Bradford Networks Network Sentry/NAC (https://www.bradfordnetworks.com)]
ForeScout CounterACT™
Source: https://www.forescout.com
ForeScout CounterACT provides real -time visibility of users, devices, operating systems and
applications connected to the network. CounterACT provides comprehensive network access
control capabilities to enforce network access and compliance policies, after discovering and
classifying devices.
Trustwave NAC
Source: https://www.trustwave.com
Trustwave NAC enables granular control over network access and continuous monitoring of
corporate-sanctioned and bring-your-own-device (BYOD) endpoints. This helps prevent the
spread of malware and other threats that can harm infrastructure and make the business
vulnerable to attack and data loss.
Cisco NAC Appliance
The Cisco Network Admission Control System, composed of the Cisco NAC Manager and Server,
is a policy component of the Cisco TrustSec solution. Cisco NAC Appliance extends NAC to all
network access methods, including access through LANs, remote-access gateways, and wireless
access points. It also supports posture assessment for guest users.
PacketFence NAC
Source: http://packetfence.org
PacketFence effectively secures networks from small to very large heterogeneous networks.
PacketFence's operation is completely out-of-band which allows the solution to scale
geographically and to be more resilient to failures.
Aruba ClearPass
Source: http://www.arubanetworks.com
ClearPass solves today's digital workplace security challenges across any multivendor network
by replacing outdated legacy AAA with context-aware policies. It delivers visibility, policy
control and workflow automation in one cohesive solution.
Portnox NAC
Portnox NAC evaluates all networking layers (Ethernet, wireless, virtual, VPN and even the cloud) to
illuminate, visualize, analyze and control all connected users and devices. It communicates with
user-driven devices such as laptops, desktops, VoIP phones, tablets, etc. to identify the user
currently using the device. Every decision Portnox NAC makes factors in the Device, Network
and Identity (DNI).
A DMZ is a computer sub-network placed between the organization's private network, such as a LAN,
and an outside public network, such as the Internet, and acts as an additional security layer.
A DMZ is a small network which is placed between the organization's private network and an
outside public network. It prevents outsiders from getting direct access to the organization's
internal servers. For example, if an attacker uses the public network to reach a DMZ host and
penetrates it, then only the information on that host is compromised directly; the attacker still
has to cross the inner firewall to reach the internal network. In this way, a DMZ acts as an
additional security layer and lowers the threat of intrusion into the internal network. A DMZ
contains the following servers, which need to be accessible from outside the network:
• Web servers
• Email servers
• DNS servers
Two basic methods of designing a network with a DMZ are using a single firewall (three-legged
model) and using dual firewalls. It is also possible to extend these configurations according to
the network requirements.
• Single Firewall: In this model, the network architecture containing the DMZ consists of
three network interfaces on one firewall. The first interface connects the ISP to the firewall,
forming the external network; the second interface forms the internal network; and the third
interface forms the DMZ. The firewall is a single point of failure and must be able to handle
all the traffic to the DMZ, as well as the rules that keep DMZ hosts from initiating
connections into the internal network.
• Dual Firewall: The dual firewall approach uses two firewalls to create a DMZ. The first
(front-end) firewall allows only sanitized traffic from the Internet into the DMZ, and the second
(back-end) firewall controls the traffic from the DMZ into the internal network. The dual approach
is the more secure way to implement a DMZ.
Any server that needs exposure to the public network can be placed in the demilitarized zone. It
is possible for the network administrator to place servers like web server, DNS server, e-mail
server and FTP server in the DMZ and enable access for internal and external clients.
Advantages of DMZ:
• Separating the DMZ from the LAN gives the LAN a higher level of protection.
• Provides increased control of resources.
• In the dual-firewall design, using products from different vendors or platforms means that a
single vulnerability is less likely to let an attacker through both layers.
• Provides a high level of flex flexibility for Internet-based applications like e-mail, web
services, etc.
A VPN is a private network which uses public networks, like the Internet, to provide secured
connections to employees working remotely.
It uses public networks like the Internet or telephone lines and assures secure transfer of data
between systems over an insecure network.
A VPN uses public networks, such as the Internet, and assures secure transfer of data between
systems over them. The tunneling protocols employed by the VPN provide encryption, data
integrity, and authentication. A VPN scales to support new clients, organizations, and
applications, and it solves the business problem of connecting remote sites and users without
dedicated private links.
A VPN establishes a virtual connection between users and the private network across the public
network. A packet that is transmitted is encapsulated inside a new packet along with a new
header. The new header is what the public network uses to route the packet; the original packet,
including its addresses and payload, is carried protected inside it. The path through which the
encapsulated packet traverses is known as a tunnel. After reaching the end point of the tunnel,
the packet is de-encapsulated so that the original packet is forwarded to the final destination.
Both ends of the tunnel must run the same tunneling protocol. IPsec operates at layer 3 (network
layer) and PPTP and L2TP at layer 2 (data link layer) of the OSI model, while SSL/TLS VPNs
tunnel over a TLS session at the transport layer and above. Commonly used tunneling protocols
are IPsec, PPTP, L2TP and SSL/TLS. Note that PPTP is considered insecure and should not be
chosen for new deployments.
Network security protocols covered in this section: RADIUS, TACACS+, Kerberos, PGP, S/MIME,
Secure HTTP, HTTPS, TLS, SSL, and IPsec.
There are various security protocols that work at the network, transport and application layers.
These protocols help organizations enhance the security of their data and communication
against different types of attacks.
• The security protocols that work at the transport layer are as follows:
• Transport Layer Security (TLS): The TLS protocol provides confidentiality, integrity and
authentication of data between two communicating parties.
• Secure Sockets Layer (SSL): The SSL protocol, the predecessor of TLS, provides security to
the communication between a client and a server.
• The security protocols that work at the network layer are as follows:
• Internet Protocol Security (IPsec): The IPsec protocol authenticates and can encrypt IP
packets during the transmission of data.
• The security protocols that work at the application layer are as follows:
• Pretty Good Privacy (PGP): PGP secures data (typically e-mail) through encryption and
digital signatures.
• Secure HTTP (S-HTTP): Secure HTTP provides message-level security to data traversing the
World Wide Web.
• Hyper Text Transfer Protocol Secure (HTTPS): HTTPS is HTTP carried over a TLS (or SSL)
connection, which secures the whole session between browser and web server.
• RADIUS: The RADIUS protocol lets remote access servers authenticate users against a central
server (authentication, authorization and accounting).
[Figure: a RADIUS client and a RADIUS server exchanging request and response messages over the
network, ending with an Accounting-Response]
RADIUS stands for Remote Authentication Dial-In User Service. It was developed by Livingston
Enterprises as a networking protocol which provides centralized authentication, authorization,
and accounting (AAA) for remote access servers communicating with a central server. RADIUS has a
client-server model and works at the application layer of the OSI model, using UDP as its
transport (port 1812 for authentication and 1813 for accounting; RADIUS over TCP was specified
later, in RFC 6613). The RADIUS protocol is the de facto standard for remote user authentication
and is documented in RFC 2865 and RFC 2866.
The RADIUS protocol is an AAA protocol that works on both mobile and local networks. It uses
PAP, CHAP, or EAP to authenticate the users communicating with servers. The components of a
RADIUS AAA deployment are as follows:
• Access clients
• Access servers (the RADIUS clients, such as a NAS or VPN gateway)
• RADIUS proxies
• RADIUS servers
RADIUS messages are sent as UDP datagrams, with exactly one RADIUS message in the UDP
payload. A RADIUS message consists of a 20-byte header (Code, Identifier, Length and a 16-byte
Authenticator) followed by a list of type-length-value attributes. The RADIUS client and server
share a secret that is never sent on the wire; it is used to hide the User-Password attribute and to
compute the Response Authenticator with which the client checks that a reply really came from
the server.
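The message format just described, worked through in Python as an added example that is not part of the courseware and not the code of any RADIUS implementation. It follows RFC 2865 (the RFC the text cites): a NAS builds an Access-Request with User-Name, a hidden User-Password and NAS-IP-Address, the server recovers the password with the shared secret, answers with Access-Accept or Access-Reject, and the NAS verifies the Response Authenticator before trusting the answer. No socket is opened; the packets are only built and parsed in memory. The secret, user database, NAS address and the fixed Request Authenticator are constructed demo values.

```python
"""RADIUS Access-Request / Access-Accept in the wire format of RFC 2865, built and checked in memory."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_REPLY_MESSAGE = 1, 2, 4, 18

def encode_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets, so a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def decode_attrs(raw: bytes) -> list:
    attrs, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("malformed attribute")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > len(raw):
            raise ValueError("malformed attribute")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return attrs

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator).
    This hides the password from casual observation; it is not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same masks and XOR them off the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """20-byte header (Code, Identifier, Length, 16-byte Authenticator) followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, raw_attributes). Octets beyond Length are padding."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    return code, ident, data[4:20], data[20:length]

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, password, nas_ip, request_auth=None):
    """NAS side. Returns (packet, request_auth); the NAS keeps request_auth to check the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, decide, and sign the reply with the shared secret."""
    code, ident, request_auth, raw = parse_packet(request)
    attrs = dict(decode_attrs(raw))
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    stored = users.get(attrs[ATTR_USER_NAME])
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = stored is not None and hmac.compare_digest(stored, supplied)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = encode_attr(ATTR_REPLY_MESSAGE, b"Welcome" if ok else b"Denied")
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)

def client_check_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes):
    """NAS side: accept a reply only if its Identifier matches the outstanding request and its
    Response Authenticator verifies; otherwise return None (forged, corrupted, or stray)."""
    code, rid, auth, raw = parse_packet(reply)
    if rid != ident:
        return None
    expected = response_authenticator(code, rid, raw, request_auth, secret)
    return code if hmac.compare_digest(auth, expected) else None

# Constructed demo values; a fixed Request Authenticator keeps the run reproducible.
DEMO_SECRET = b"testing123"
DEMO_USERS = {b"alice": b"correct horse"}

if __name__ == "__main__":
    req, ra = build_access_request(7, DEMO_SECRET, b"alice", b"correct horse", "10.0.0.1", bytes(range(16)))
    reply = server_handle(req, DEMO_SECRET, DEMO_USERS)
    print("reply code:", client_check_reply(reply, 7, ra, DEMO_SECRET))   # 2 = Access-Accept
```

Two things the example makes visible: the Request Authenticator must be unpredictable in real use (os.urandom, not the fixed value of the demo), since it is the only thing that keeps the password masks from repeating; and everything rests on MD5 and a shared secret, which is why RADIUS between NAS and server is normally confined to a management network or wrapped in IPsec or RADIUS/TLS.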
[Figure: a user's laptop connecting through a NAS (router) on the corporate network; the
authentication request is forwarded to a TACACS+ or RADIUS server]
Authentication of TACACS+
Consider the following example of authentication where a laptop user is connecting to a NAS
(router). The TACACS+ authentication involves the following steps:
Kerberos authentication protocol
[Figure: the user, the KDC (Authentication Server and Ticket Granting Service) and the application
server. The KDC returns a ticket generated and encrypted using the server's secret key; the client
decrypts the ticket response and forwards the ticket to the server; the server decrypts the ticket
and confirms the identity of the client]
1. The user sends the credentials to the authentication server (AS).
2. The AS checks the credentials against the Active Directory database (the password itself is
never sent; the stored password hash is the key that protects the AS reply). If the credentials
match, the AS (part of the KDC, together with the Ticket Granting Service) sends back the TGS
session key and a ticket-granting ticket (TGT) to the user to create a session.
3. Once authenticated, the user sends the TGT to the TGS to request a service ticket for the
server providing the service.
4. The TGS validates the TGT and grants a service ticket to the user. The service ticket consists
of a ticket (encrypted with the service's key) and a session key.
5. The client sends the service ticket to the server. The server uses its own key to decrypt the
ticket issued by the TGS, and the client is authenticated to the server.
PGP is an application layer protocol which provides cryptographic privacy and authentication for
network communication. It encrypts and decrypts e-mail communication, authenticates messages
with digital signatures, and encrypts stored files.
[Figure: PGP file encryption and decryption. Encryption: a random key encrypts the file, and the
random key is encrypted with the user's public key and stored in the header of the encrypted file.
Decryption: the user's private key decrypts the key from the header, and that key decrypts the file]
PGP (Pretty Good Privacy) is an encryption and decryption program that provides confidentiality
and authentication for communication. PGP is mainly used to enhance the security of e-mail.
PGP uses hybrid encryption: the message is encrypted with a randomly generated symmetric session
key, and the session key is encrypted with the recipient's public key. The recipient uses their
private key to decrypt the session key and then uses the session key to decrypt the entire message.
• Public-key algorithms used by PGP include RSA and Diffie-Hellman (ElGamal).
For signing, PGP creates a hash of the message and encrypts that hash with the sender's private
key to form the signature. The receiver uses the sender's public key to decrypt the hash and
compares it with a hash computed over the received message; a match proves the sender's identity
and that the message was not altered.
[Figure: S/MIME message exchange between Alice and Bob. The message is encrypted with a symmetric
secret key (DES in the figure); the secret key is protected with Bob's public key, taken from his
certificate, and Bob recovers it with his private key. The encrypted data is carried as an
application/pkcs7-mime MIME part or in a multipart/encrypted encapsulation]
S/MIME is used to send digitally signed and encrypted messages. It allows you to encrypt the
e-mail messages and to digitally sign them to ensure confidentiality, integrity and non-
repudiation for messages. It provides cryptographic security services such as:
• Authentication
• Message integrity
• Non-repudiation
• Privacy
• Data security
S/MIME ensures e-mail security and is built into most current e-mail clients. It uses RSA (and
other public-key algorithms) for key management and digital signatures, and it specifies how
encrypted and signed content is carried inside a MIME message.
S/MIME requires each user to obtain a certificate from the organization's own CA or from a public
CA. Users may hold separate key pairs for signing and for encryption, so that the signing key is
never escrowed while the encryption key can be recovered if needed.
Secure HTTP (S-HTTP) is an application layer protocol used to encrypt web communications
carried over HTTP. It secures the transmission of individual messages, while SSL establishes a
secure connection between two entities and protects the entire communication.
S-HTTP is an alternative to the HTTPS (SSL) approach and is generally used in situations where
the server requires authentication from the user.
[Figure: a client and a WWW server exchanging encrypted and/or signed messages]
Secure HTTP ensures a secured interchange of data on the World Wide Web. It implements
application-level security that offers encryption and digital signatures on the message. S-HTTP
verifies the user by using a certificate. S-HTTP supports many cryptographic algorithms and
modes of operation; client and server negotiate the security conditions for each message. It
allows the client to send a certificate in order to authenticate a user. Because the protection is
negotiated per message, a server that supports S-HTTP can still exchange unprotected HTTP
messages with clients that do not. In practice S-HTTP saw little adoption and HTTPS became the
standard way to secure web traffic.
The connection is encrypted using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocol.
It protects against man-in-the-middle attacks, provided the client validates the server certificate,
because data is transmitted over an encrypted and authenticated channel.
HTTPS is a protocol used to ensure secure communication in the network. It runs HTTP over TLS
(Transport Layer Security) or its predecessor SSL (Secure Sockets Layer) to ensure secure
transmission of data. HTTPS verifies the identity of the website and preserves the confidentiality
and integrity of the messages passed over the Internet.
HTTPS relies on TLS/SSL to protect the website, and users access it just as they would a plain
HTTP site. TLS/SSL has the following advantages:
• A certificate authority verifies the owner of the certificate when issuing it.
TLS ensures secure communication between client-server applications over the Internet.
• Ensures confidentiality and integrity of data during communication between client and
server using symmetric cryptography.
• TLS Handshake Protocol: Authenticates the server (and optionally the client) and negotiates
the keys before any application data is exchanged.
SSL was developed by Netscape for managing the security of message transmission on the Internet.
It uses RSA asymmetric (public key) encryption to exchange the session key; the data transferred
over the SSL connection is then encrypted with a symmetric cipher.
SSL handshake steps:
1. Client Hello message (includes the SSL version, randomly generated data, encryption
algorithms, session ID, key exchange algorithms, compression algorithms, and MAC algorithms).
2. The server determines the SSL version and encryption algorithms to be used for the
communication and sends its Server Hello together with its digital certificate.
3. The client verifies the digital certificate and generates a random premaster secret, encrypted
with the server's public key, from which both sides derive the session keys.
The Secure Sockets Layer (SSL) is a protocol used to provide a secure authentication mechanism
between two communicating applications, such as a client and a server. SSL requires a
reliable transport protocol, such as TCP, for data transmission and reception.
Any application-layer protocol that is higher than SSL, such as HTTP, FTP, and telnet, can form a
transparent layer over the SSL. SSL acts as an arbitrator between the encryption algorithm and
session key; it also verifies the destination server prior to the transmission and reception of
data. SSL encrypts the complete data of the application protocol to ensure security.
The SSL protocol also offers "channel security" with three basic properties:
• Private channel: All the messages are encrypted after a simple handshake is used to
define a secret key.
SSL uses both asymmetric and symmetric authentication mechanisms. Public-key encryption
verifies the identities of the server, the client, or both. Once authentication has taken place, the
client and server can create symmetric keys allowing them to communicate and transfer data
rapidly. An SSL session is responsible for carrying out the SSL handshake protocol to organize
the states of the server and clients, thus ensuring the consistency of the protocol.
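The Client Hello fields listed in the handshake figure can be read straight off the wire, which is how a network defender checks what a client is willing to negotiate before the server picks a version and cipher. The Python below is an added example, not part of the course material: it builds a constructed Client Hello, parses the version, random, session ID, cipher suites and compression methods back out, and flags offers a sensor would not want to see (SSL 3.0 or older, NULL or RC4 suites, TLS-level compression). The cipher-suite name table is an assumed subset of the IANA registry, and the sample message is constructed, not captured.

```python
import struct
from dataclasses import dataclass
from typing import List

# TLS record-layer and handshake constants from the wire format
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Assumption: only this small subset of IANA cipher-suite code points is mapped here
CIPHER_SUITE_NAMES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_SUITES = {0x0000, 0x0005}  # no encryption at all, and RC4


@dataclass
class ClientHello:
    record_version: int
    client_version: int
    random: bytes
    session_id: bytes
    cipher_suites: List[int]
    compression_methods: List[int]


def build_client_hello(client_version: int, random: bytes, session_id: bytes,
                       cipher_suites: List[int], compression_methods=(0,)) -> bytes:
    """Serialise a minimal ClientHello (no extensions) inside one TLS record."""
    if len(random) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    body = struct.pack("!H", client_version) + random
    body += struct.pack("!B", len(session_id)) + session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += struct.pack("!B", len(compression_methods)) + bytes(compression_methods)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version stays 0x0301 for compatibility; the offered version is in the body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(data: bytes) -> ClientHello:
    """Extract the fields the handshake figure lists; ValueError on malformed input."""
    try:
        ctype, record_version, record_len = struct.unpack_from("!BHH", data, 0)
        record = data[5:5 + record_len]
        if ctype != CONTENT_TYPE_HANDSHAKE or len(record) != record_len:
            raise ValueError("not a complete handshake record")
        if record[0] != HANDSHAKE_CLIENT_HELLO:
            raise ValueError("handshake message is not a ClientHello")
        hs_len = int.from_bytes(record[1:4], "big")
        body = record[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("ClientHello body shorter than declared length")
        (client_version,) = struct.unpack_from("!H", body, 0)
        random, sid_len = body[2:34], body[34]  # IndexError here means truncation
        session_id = body[35:35 + sid_len]
        off = 35 + sid_len
        (cs_len,) = struct.unpack_from("!H", body, off)
        off += 2
        if cs_len % 2 or off + cs_len > len(body):
            raise ValueError("bad cipher_suites length")
        cipher_suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
        off += cs_len
        cm_len = body[off]
        compression_methods = list(body[off + 1:off + 1 + cm_len])
        if len(compression_methods) != cm_len:
            raise ValueError("truncated compression_methods")
    except (struct.error, IndexError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc
    return ClientHello(record_version, client_version, random, session_id,
                       cipher_suites, compression_methods)


def audit_client_hello(hello: ClientHello) -> List[str]:
    """Defender's view: what a monitoring sensor would flag in this client's offer."""
    findings = []
    if hello.client_version < 0x0301:
        name = VERSION_NAMES.get(hello.client_version, hex(hello.client_version))
        findings.append(f"client offers {name}, below TLS 1.0")
    for suite in hello.cipher_suites:
        if suite in WEAK_SUITES:
            findings.append(f"weak cipher suite offered: {CIPHER_SUITE_NAMES.get(suite, hex(suite))}")
    if any(method != 0 for method in hello.compression_methods):
        findings.append("TLS-level compression offered")
    return findings


# Constructed sample (not captured from a real client): TLS 1.2, two modern suites plus RC4
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_HELLO = build_client_hello(0x0303, SAMPLE_RANDOM, b"", [0xC02F, 0xC030, 0x0005])

if __name__ == "__main__":
    hello = parse_client_hello(SAMPLE_HELLO)
    print(VERSION_NAMES[hello.client_version], [hex(s) for s in hello.cipher_suites])
    print(audit_client_hello(hello))
```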
[Figure: IPsec tunnel across the Internet between two LANs (internal IP addresses), passing through a firewall, with the tunnel endpoints at the external IP addresses.]
IPsec ensures secure communications over the Internet Protocol (IP) network. It works at the
application layer of the communications model. It makes use of cryptographic security services
to ensure secure communication. It allows authenticating the IP packets during communication
of data. IPsec finds its applications in Virtual Private Networks and remote user access. IPsec is
used between a pair of hosts, a pair of security gateways, or between a security gateway and a
host. IPsec consists of two security services: Authentication Header (AH) and Encapsulating
Security Payload (ESP). The AH allows authentication of the sender, whereas the ESP allows
authentication of the sender as well as encryption of the data.
It provides secure communication for network-level peer authentication, data origin
authentication and ensures data integrity, data confidentiality (encryption), and replay
protection.
IPsec consists of two encryption modes, namely Transport and Tunnel:
• Describing the characteristics of a good security policy
• Describing the typical content in a security policy
• Understanding the policy statement
• Describing the steps for creating and implementing a security policy
• Describe the various types of a security policy
• Discussing the design of various security policies
• Understand the need to enforce and train on the security policy
• Discussing various information security related standards, laws and acts
This module focused on designing and implementing security policies for your organization. The
module explains the need and importance of using security policies. It describes the content
and the steps involved in designing and implementing security policies. The module also
describes the considerations required when designing various security policies, which will guide
you on an effective policy design and implementation.
A security policy is a well documented set of plans, processes, procedures, standards, and guidelines
required to establish an ideal information security status for organizations. The security policy is an
integral part of an information security management program for any organization.
• To limit the organization's exposure to external information threats
• To minimize the risk of a data breach
• To enhance the overall data and network
• To outline senior management's security commitment in maintaining a secure environment
A security policy is a high-level document or set of documents describing the security controls
to implement in order to protect the company. It maintains confidentiality, availability,
integrity, and asset values. Security policies form the foundation of a security infrastructure.
Without them, it is impossible to protect the company from possible lawsuits, lost revenue, and
bad publicity, not to mention basic security attacks.
Policies are not technology specific and accomplish three things:
• They reduce or eliminate the legal liability to employees and third parties.
• They protect confidential and proprietary information from theft, misuse, unauthorized
disclosure, or modification.
• They prevent computing resource waste.
A security policy comprises objectives, rules for behavior and requirements to secure the
organization's network and computer systems. Security policies act as a connecting medium
between the objectives and security requirements, as well as to help users, staff, and managers
protect technology and information assets. The policy provides a baseline to acquire, configure,
and audit computer systems and networks.
A security policy defines a set of security tools for preventing attacks on the entire network in
order to keep malicious users away from the organization and provide control over perilous
users within the organization.
The security policy should ensure confidentiality, privacy, integrity and availability of the
company's assets.
• It provides legal protection by defining what rules to use on the network, how to handle
confidential information and the proper use of encryption, reducing liability and exposure
of the organization's data.
• Security policies reduce the risk of damaging security incidents by identifying the
vulnerabilities and predicting the threats before they happen.
• They also comprise procedures and techniques to minimize the risk of an organization's
data leak or loss by adopting backup and recovery options.
• Risk mitigation: The risks involved from external sources are reduced by implementing and
deploying a security policy. If an employee follows the policy exactly, it becomes nearly
impossible for an organization to lose its data and resources.
• Monitored and controlled device usage and data transfers: Even though policies are
being implemented thoroughly by employees, administrators should regularly monitor
the traffic and external devices used in the system. Monitoring and auditing of the
incoming and outgoing traffic should always be done on regular intervals.
• Better network performance: When security policies are implemented correctly and the
network is monitored regularly, no unnecessary loads exist. The data transmission speed
in the system increases, providing an overall performance enhancement.
• Quick response to issues and lower downtime: Policy deployment and implementation
enables faster response rates when resolving network issues.
• Reduction in Management stress levels: The role of management becomes less stressful
when policies are implemented. Every policy must be followed by every employee in the
organization. If this occurs, management will not need to worry about any malicious
attacks on the network.
• Reduced costs: If employees follow the policies correctly, the cost of each intrusion is
reduced as well as the impact on an organization.
Organizations use different terminologies while drafting a security policy. The implementation
of these terminologies depends on the severity and the level of the hierarchy they are a part of.
• Laws: Placed at the top of the hierarchy. These policies set which laws every individual in
the organization must follow. Organizations have the authority to take action against any
employee who fails to follow these laws.
• Policies: With the help of policies, an organization establishes the legal and internal
requirements of their network security. Management documents, reviews, and approves
these policies. A policy consists of different disciplines and procedures. The
documentation of a policy defines the security architecture for the organization. The
implementation of these policies set the standard for the organization and improves risk
management.
• Standards: Standards specify the method of policy implementation. Standards are derived
from policies and must be implemented by the organization. They are both voluntary
and/or mandatory depending on company policies. They bring consistency to the business
functionality. It is not feasible to change the company standards after a certain interval.
They also involve security controls related to technology, hardware and software.
Characteristics of a Good Security Policy:
• Concise and clear
• Usable
• Economically feasible
• Procedurally tolerable
• Based on standards
• Comply to laws and regulations
1. Concise and clear: A security policy needs to be concise and clear. When they are, they are
very easy to deploy in the infrastructure. Complex policies become hard to understand
and employees may not implement them as a result.
2. Usable: Policies must be written and designed so they can be used easily across various
sections of the organization. Well-written policies are easy to manage and implement.
3. Economically feasible: Organizations must implement policies which are economical and
enhance the security of the organization.
• Defined Scope and Applicability: The scope identifies the items that must be covered,
hidden, protected or public and how to secure them. The network policy addresses a wide
range of issues from physical security to personal security.
• Enforceable by Law: The security policy must be enforceable by law and penalties
imposed if there is policy breach. Penalties for a violation must be addressed when the
policy is created.
• Recognizes Areas of Responsibility: The network policy must recognize various
responsibilities for employees, the organization and third parties.
• Sufficient Guidance: A good network policy must have proper references to other
policies, which help guide and redefine the scope and the objectives of the policy.
1. Security requirements
2. Policy description
Security Requirements
This statement features the requirements for a system to implement security policies. There
are four types of security requirements:
• Discipline Security
• Safeguard Security
• Procedural Security
• Assurance Security
It involves security policies stating what actions are taken on various components needing
to be secured. For example, computer security, operations security, network security,
personnel security, physical security, etc.
It involves security policies stating the protective measures required. For example,
protective measures for access control, malware protection, audit, availability,
confidentiality, integrity, cryptography, identification, and authentication.
It involves security policies used with the compliance of various standards, certifications,
and accreditations.
Policy Description
This statement mainly focuses on the security disciplines, safeguards, procedures, continuity of
operations, and documentation. Each subset of this policy describes how the system's
architecture elements will enforce security.
Concept of Operation
This concept defines the roles, responsibilities, and functions of a security policy.
It focuses on the mission, communications, encryption, user and maintenance rules, idle time
management, privately owned versus public domain, shareware software rules and a virus
protection policy.
[Figure: contents of a security policy document: Document Control, Overview, Policy Statements, Roles and Responsibilities, Distribution, Where to Find More Information]
• Overview of a security policy provides background information that the policy needs to
address.
• Version number ensures all changes/updates to the policy are tracked correctly.
• Glossary/Acronyms mention the different terms and abbreviations used in the policy.
A policy is only as effective as the policy statements it contains. Policy statements must be
written in a very clear and formal style. Several good examples of a policy statement are:
• All computers must have anti-virus protection activated to provide real-time, continuous protection
• All computer software must be purchased by the IT department in accordance with the organization's procurement policy
• All servers must have the minimum services configured to perform their designated functions
• A copy of all backup and restoration media must be kept with the off-site backup media
An organization's security policy is said to be successful if it consists of clear and concise policy
statements. A policy statement is an outline that defines the in-depth structure of the
organization's policy. Every policy draft should have a valid policy statement that defines the
organization's course of action during the time of a circumstantial situation. The policy
statement helps employees understand the preventive measures they are permitted to take.
An example of an ideal policy statement is:
"All access to data will be based on a valid business need and is subject to a formal approval
process"
The above policy statement example clearly states employees can access data only on approval
from management. It can be concluded that if any employee does not adhere to the policy
statement, the organization has the right to take required action.
1. Perform risk assessment to identify risks to the organization's assets
2. Learn from standard guidelines and other organizations
3. Management and other staff in policy development
The security policy development team contains the IST (Information Security Team), Technical Writers, Technical Personnel,
Legal Counsel, Human Resources, User Groups and the Audit/Compliance Team.
The steps below are used to create and implement an effective security policy:
4. Penalties: Certain organizations have very strict policies. If an employee does not follow
these policies, severe actions can be taken against them. Organizations should always
mention the penalties that an employee will suffer if they do not follow the rules.
5. Final Draft: Once management approves the completed policy document, the document
is distributed among everyone in the organization.
6. Accepted by employees: Employees are required to accept all the policies set by the
organization. Employees can give their acceptance by reading the document carefully and
then signing it.
7. Deployment of policies: To enforce policies in the organization you may need additional
deployment tools.
8. Training the employees: Employees should be periodically trained on the organizational
policies. Even if the policies in the organization are functional for a long time, there are
employees who might be new. Bringing awareness to these employees is a very important
task.
9. View and Update: Even if an organization is in business for a long time, reviewing their
policies is still a requirement. With the introduction of new technologies and new security
breaches, updating policies are a necessity. Policies that no longer protect and the current
technology and/or scenarios are not useful to the organization.
• Is the policy a guideline for best practices or does it need to be based on some standard?
• How many people fall under the purview of the policy? Who are they?
• What is the least amount of information each employee must know to do their jobs?
Organizations should not deploy a policy without knowing the purpose first.
While documenting the policy, it should be noted that they run parallel with the
objectives of the organization. Implementation of the policy cannot be termed successful,
if it does not meet the organizational objectives.
• Is the policy a guideline for a better practice or does it need to be based on a standard?
The purpose of introducing policies may differ. It is important to know why the policies
are being introduced in the first place. Usually certain policies are formed as per the
regulations by the government and some are implemented for the organization's personal
security.
• How many people fall under the purview of this policy? And who are they?
While designing a policy there are situations where only some employees or a particular
group needs to adhere to it. It is important to categorize these types of policies, which
leads to simplicity while implementing it in an organization.
All an employee should know regarding the policy is how the policy should be
implemented on a daily basis. The training session conducted for the employees should
inform them about the action taken against them in case of compliance.
• Do I really need all the details written into this policy, or is this better written in System
Specific Security Policies (SSSPs) for the IT professional?
Policies should be documented in a clear and concise language. The document should
include all the best practices an organization will undertake and those employees will
adhere to.
• What do the staff need to understand from the policy?
Management can keep the main objective clear when they write the policy with user
friendly language. For example, the policies have to be followed by everyone in the
organization. Management should arrange training sessions or workshops to help
employees who are not certain of any policy or they are not clear. With the introduction
of these policies, an organization makes it very clear to employees on the level of
awareness required for securing the data and resources in the network.
• Description about the status of the policy
• Compatibility level of the policy is necessary
• Applicability of policy to the environment
• Consequences of non-compliance
The security policy structure provides an overview of the functionalities of security aspects. The
security policy structure should ensure that the following is in place:
• The tasks and procedures involved in the policy and the ones that are not involved.
• End consequences will be encountered if the policy is not compatible with the
organization's standards.
The security policy must contain all the information that is required for a successful
implementation of the organizational work process.
• Develop policies that you plan to enforce: Not enforcing a policy is of no use. Real-time
implementation of all statements mentioned in the policy is necessary for limiting
network access.
• Explain the purpose of the policy: Based on the functions of the organization, develop the
policies for a specific network objective.
• Develop security policies that do not require updates too frequently: To avoid frequent
amendments, the overall network issues are to be pre-estimated.
• Make sure your policies are understood: Network policies should be straightforward, but
not too complicated.
• Include your policies as part of your security awareness training: At least one policy has
to be included in the security awareness training.
• Identify the basic risks that can be expected: The basic risk factors of the network are to
be pre-estimated by the network admin.
• Every company and client should identify its roles and responsibilities and its tasks should
be described in detail. That means the knowledge of the structure of the organization, the
responsibilities of individuals, the tasks performed by everyone in the organization and
who tackles the security policies is essential. It is important to make sure the policies
address the problems, requirements, and objectives of the organization. The
representation of each problem should be to the maximum extent. It should also include
data security, legal issues, and human resources. The development and operations of the
organization should be represented in the policies.
• The basic goals of the business are represented. Business knowledge is essential to
improve security and to build a good security policy. Consider an organization that needs
extensive auditing, monitoring and a recovery system that takes regular data backups.
This may not be the case for the rest of the company. Therefore, the policies of an
organization differ according to their requirements. Some policies may be cost effective,
whereas others may be expensive. That means that security policies are specific to each
organization.
• The next step in developing policies is to identify the security principles that represent the
company's security objectives. These goals are to be checked regularly and introduced
into the development process whenever necessary. The aim of security policies is to
describe the policies and principles of the organization with less technical details and in a
simple way.
• The assets and data that need security are recognized and categorized. The valuable data
is made the center of all the security policies. Data that has been identified as more
vulnerable to threats is secured. Cataloging the data and assets makes it easy for
management to make decisions with respect to its value and use. This helps to effectively
control resources.
• As the data is collected and analyzed, it should also be classified. Data is the center of
every policy that is developed. Data flow analysis is important to any and all issues related
to data. For example, during a transaction, data flows through the browser, the web, and
other media such as telephone lines, servers, and firewalls. The data is stored in
databases, on disks, tapes, or paper. If the flow of data is tracked through the media, it
can be determined where there are potential data vulnerabilities and data corruption
locations and control mechanisms can be implemented to prevent the vulnerabilities and
corruption.
• The expected risks are identified. Developing a profile for possible threats helps enable a
decision-making process for any threats within that area. The chance of risk associated
with issues and the amount of money needed to recover from that loss can be recognized.
The nature of threats differs depending on different areas. For instance, the result of
attacking financial transactions would be very different from an attack on an art website.
• The services that guard the system are to be identified. Once the data resources and flow
of data are identified, a risk profile is created. The security services that apply to that
particular area will be recognized and identified. The services for security include
responsibilities, authentication, accessibility, recognizing, integrity, secrecy, and non-
duplication. Knowledge of the security needs of a particular environment is essential for
choosing the security policy to be employed over that area.
After the security policy has been created, the most difficult part of the process is deploying it throughout the
organization.
• Review each policy and decide how it can be enforced within the organization
• Ensure that appropriate tools and techniques are in place to conform to the policy
• Develop a policy change plan for both the network and the policy itself
Implementation of the security policy happens after it is built, revised, and updated. A proper
model and outline of the policies must be created. Suggestions from stakeholders must be
included to directly correlate it with the interests of the organization. After its completion, the
final version must be made available to all staff members so they may understand it. It must be
readily available at any time when needed. It must be placed on the internal network and
intranet. Proper training of the policies must be given to employees for their prompt
understanding and suggestions must always be taken into consideration. For effective
implementation, there must be a rotation of jobs, so that different people handle data. This will
help employees identify any limitations the security policy has. Company data is very critical. It
must not be given to everyone and must not be made public, so proper care must be taken.
There must be a proper security awareness program, cooperation and coordination among
employees.
Once the security policy is designed and developed, the next step in the process is also the
hardest: deployment.
Guidelines for successfully implementing the policy:
• Ensure the security policy is backed by the organization's senior management team and is
officially adopted as company policy.
• Go through each policy and think about how it will be applied within the organization.
• Make sure the correct tools are available to conform to the policy.
• Create a plan to make any necessary changes to either the network or the policy.
• Work with the necessary departments within your company (Legal, IT, HR, etc.) to
establish procedures to support your policies.
• Make the security policy available to all employees having access to the information
assets the policy governs.
• The Information Security Officer or IT Security Program Manager are responsible for
implementing and managing the security policy.
• Ensure the organization is well equipped with the technology and tools needed to manage
the security policy properly.
• Make sure visitors are provided the Acceptable Use Policy in the event they are allowed to
use the company's network.
• EISP drives an organization's scope and provides direction to their security policies
• ISSP directs the audience on the usage of technology based systems with the help of guidelines
• SSSP directs users while configuring or maintaining a system
Examples of EISP, ISSP and SSSP given on the slide: Application policy, Network and network device security policy, Incidence Response plan, Security policy auditing, Backup and restore policy, System security policy, Encryption policy, Remote access and wireless policies, Acceptable use policy (AUP), Policies for secure cloud computing, Password policies, Policies for personal devices, User account policies, Internet and web usage policies, DMZ policy, Policies for Intrusion detection and prevention, Access control policy, Policies for servers.
In an organization, policies are crucial for information security planning, design and
deploy ment. These policies provide measures to handle issues and the technologies that could
help users accomplish their security goals. The policy also explains how the software or
equipment functions in the organization.
• Promiscuous: No restrictions on Internet/Remote Access; nothing is blocked
• Permissive: Policy begins with no restrictions; known dangerous services/attacks blocked; known holes plugged, known dangers stopped; impossible to keep up with current exploits, so administrators always play catch-up
• Paranoid: Everything is forbidden
• Prudent: Provides maximum security while allowing known but necessary dangers
Internet access policies define the restricted use of the Internet. It is important for employees
to know which of their actions is restricted while accessing the Internet. The Internet access
policy helps keep employees informed on what they can browse and what they cannot. An
internet policy includes guidelines for permissible use of the Internet, system security, network
setup, IT service, etc.
Internet access policies are broken down into the four categories below:
1. Promiscuous Policy: This policy does not impose any restrictions on the usage of system
resources. For example, with a promiscuous Internet policy, there is no restriction on
Internet access. A user can access any site, download any application, and access a
computer or a network from a remote location. While this can be useful in corporate
businesses where people who travel or work at branch offices need to access the
organizational network, it also opens the computer to threats such as malware, viruses
and Trojans. Due to free Internet access, this malware can come in the form of
attachments without the knowledge of the user. Network administrators must be
extremely alert while choosing this type of policy.
2. Permissive Policy: This policy begins wide-open and only known dangerous
services/attacks or behaviors are blocked. For example, in a permissive Internet policy,
the majority of Internet traffic is accepted, except for several well-known and dangerous
services/attacks. Because only known attacks and exploits are blocked, it is impossible for
administrators to keep up with current exploits. They are always playing catch-up with
new attacks and exploits.
3. Paranoid Policy: A paranoid policy forbids everything. There is a strict restriction on all
company computers, whether it is system or network usage. There is either no Internet
connection or severely limited Internet usage. Due to these overly severe restrictions,
users often try to find ways around them.
4. Prudent Policy: A prudent policy starts with all services blocked. The administrator
enables safe and necessary services individually. This provides maximum security and logs
everything, such as system and network activities.
An acceptable use policy defines the proper use of an organization's information, electronic computing
devices, system accounts, user accounts, and network resources.
Design Considerations:
• Should users read and copy files that are not their own but are accessible?
• Should users be allowed to share accounts?
• Should users modify files they have write access to but do not own?
• Should users make copies of system configurations for personal use or provide them to other people?
• Should users be permitted to use .rhosts files? Even though the entries are acceptable?
• Should users have the ability to make duplicates of copyrighted software?
Acceptable-use policies consist of rules decided by network and website owners. This type of
policy defines the proper use of computing resources. It states the responsibilities of users to
protect the information available in their accounts. The users must accept the policy
restrictions while accessing a computer on the network or the Internet. An AUP (Acceptable
Use Policy) covers principles, prohibitions, reviews and penalties and it prohibits the user from
using the corporate resources for personal reasons.
An AUP is an integral part of information security policies. Generally, organizations ask their
new members to sign an AUP before they are permitted to access the information systems. An
AUP should cover all major aspects about what users are permitted to do and what they are not
permitted to do in the IT infrastructure.
To ensure the AUP is followed properly, administrators conduct regular security audits.
Example: Many organizations restrict discussions on political or religious topics on sites or in
emails.
The majority of AUPs describe the penalties for a policy breach; those penalties range from
temporarily disabling the user's account to extreme measures such as legal action.
The User Account Policy defines the creation process of user accounts and includes user rights and
responsibilities
Design Considerations:
Who (employees, spouses, children, company visitors, etc.) are permitted to use the
computing resources?
The User Account Policy is a document specifying the requirements for requesting and
maintaining an account on the organization's network. It describes the processes for creating,
deleting and operating user accounts by defining the types of accounts created under a specific
network.
The user account policy defines the process of account authorization, user responsibilities as
well as Internet services for both internal and external users. In addition, it also defines the
creation of a username and password, encryption standards, the type of verification used in case the
user forgets their password and the devices utilized for accessing or linking to the account.
This policy also defines the necessary user age limit, profession and other criteria for creation
or classification of the account such as guest, internal, external, media, etc. It is essential for
large sites where users may typically have accounts on many systems. Some sites have users
read and sign an account policy. Software applications have users sign an EULA (End User
License Agreement) as part of the account request process.
Example wording: "Employees shall only request / receive accounts on systems they have a true
business need to access. Employees may only have one official account per system and the
account ID and login name must follow the established standards. Employees must read and
sign the acceptable use policy prior to requesting an account."
Network administrators have responsibilities when implementing a user account policy:
1. Types of accounts: As per the organization's policy, administrators are asked to create
two types of accounts in the network - Administrator account and Standard account. The
administrator account is for the network administrators only. It may or may not include
the top management of the organization. Standard accounts are for employees
irrespective of the department in which they are working.
2. Account Permissions: Administrators are required to set the level of permissions to every
employee in the organization. Even though a team leader may not have access to the
administrator privileges, the level of permission will differ with the reporting member of
this team. Administrators should assign the permissions according to the designation of
the employee. Permissions can also be set for a group. Everyone in the HR group has a
standard set of permissions.
3. Account auto-lock: An administrator sets a length of time after which an account will automatically
lock. If an employee has not reported to the office for three consecutive days, the auto-lock
feature will be enabled and the account will be locked automatically. This feature
prevents anyone from forcing the login or attempting to log in to the account when the
user is not there. This feature is present in mobile phones as well, where it prevents others
from accessing the device without the login code.
The User Account Policy should mention certain important characteristics, operations and
maintenance. The policy content should state the following:
• Are users allowed to share accounts or are they allowed to have multiple accounts on a
single host?
Remote Access Policy defines who can have remote access, access mediums, and remote
access security controls
Design Considerations:
What specific methods (such as cable modem/DSL or dial-up) does the company
support?
Are there any extra requirements, such as mandatory anti-virus and security software
on the remote system?
The Remote Access Policy document defines the acceptable guidelines for remote access to the
network and resources. A remote employee should follow the policy when connecting to the
internal network. The Remote Access Policy is helpful to organizations having a geographically
dispersed network. Implementing the remote access policy helps minimize potential damage
that can occur from unauthorized external network traffic. Implementing remote access
includes dial-in modems, frame relay, ISDN, DSL, VPN, SSH, Wi-Fi, etc.
Points to consider in the policy:
• User authentication: Organizations should have a strict user authentication policy for
remote users. The organization has the right to deny access to users having a weak
password or user credentials. The policy should also state the action taken against
employees if they share their remote credentials with others.
• Usage of network and network devices: The policy should restrict employees from
reconfiguring their network devices for the purpose of split-tunneling. This can make the
network vulnerable to intrusion. Employees should not perform any third party activities
on the organization's network and should not connect to any other third-party network.
• Antivirus and patches: The systems used by remote users should meet the organization's
requirement. Users should have an up-to-date anti-virus installed on their system. They
should proactively install updates for the antivirus and patches for the operating system.
• Access to data: Administrators should assign privileges to the remote user according to
their roles and responsibilities in the organization. Organizations should restrict users
from accessing confidential organization data remotely.
1. Ensure remote system has specified version of antivirus, firewall and malware
2. Predefine VPN tunnel's connection
Information Protection Policy defines guidelines for processing, storing and transmitting
sensitive information
Design Considerations:
What is the process for removing sensitive information from storage media (paper shredding, scrubbing HDDs,
degaussing disks, etc.)?
The Information-Security policy is a document that guides employees to defend their data or
physical devices from unauthorized access. The main aim of the policy is to ensure the information
is not shared or modified by any external sources. The organization should define the level of
sensitive information. Organizations should make it a practice to ask new employees to sign the
information-security policy.
Lack of an information security policy can lead to vulnerabilities in the network and system.
With no information security policy in place, employees can knowingly or unknowingly share
the data to external sources.
The information security policy should be drafted based on the following points:
• The process and method of saving sensitive information. This can include data that is
either archived or encrypted.
• The policy should mention the location where the sensitive information is stored. The
authorized users should be asked to save the information in this location. Saving the data
at any other location can potentially cause data theft or exposure of information to other
sources.
Implementation of information security assures the data will be protected throughout the
functioning of the organization.
Firewall Management Policy defines access, management, and monitoring of
firewalls in the organization
Design Considerations:
Who can see the firewall configuration rules and access lists?
A network administrator's responsibilities when configuring firewall security policies are:
• Telnet access: Telnet is insecure by nature. Administrators should not allow Telnet access
for the secure functioning of the network.
• FTP connection: FTP connections should only be allowed if administrators have to upload
error logs for the vendor. In other scenarios, it is advisable to prohibit FTP.
• Refrain from direct connections: Administrators should avoid setting up a direct connection
between an internal client and an external service. If the organization needs a connection to
be established, it can be done through proxy servers.
Special Access Policy defines the terms and conditions of granting special access to
system resources
Regulating the special access policy allows certain employees to access the data in the network.
Before implementing a special -access policy in the network, an administrator should consider
the following items:
• Revoking Privileges: Users provided with special privileges should be notified of the
circumstances under which their privileges can be revoked.
Network Connection Policy defines the sta ndards for establishing the connection for computers,
servers, or other devices to the network
Design Considerations:
A network connection policy is drafted to secure the organization's network. The network
connection policy defines regulations to be followed and implemented on the systems, servers
and other electronic devices used in the organization. An effective network-connection policy
involves securing the devices from potential intrusion an organization can experience.
Business Partner Policy defines agreements, guidelines, and responsibilities for business
partners to run business securely
Organizations working in partnership follow certain guidelines that are drafted under a
business-partner policy. It defines the guidelines partners are required to follow so they can run
their business securely. There can be geographical and cultural differences between the two
business partners, so care is needed when drafting policies in these scenarios. Business-
partner policies should address the following questions:
1. Need of Policy: The business partner policy defines the rules and regulations of the
respective organizations. Certain policies followed by employees in company A may not
necessarily be followed in company B. Organizations should work out a third way for
drafting the policy, so it does not affect how both companies function.
2. Security: Getting employees to follow common security rules is the biggest challenge
when drafting a business-partner policy. The policy should mention the common security
boundaries for both partners and how it will be regulated if employees do not follow it.
3. Resource sharing: Even though both organizations are in a partnership it does not mean
the companies will have access to each other's data. The policy should state the amount
of data that both parties can share and access. Data breaches by either partner will result in
legal action.
Email security policies are developed to ensure corporate email is used properly. A simple
personal email from a corporate account can result in unintended information disclosure.
Implementation of an email security policy lets the organization achieve:
1. Competitive accomplishment: Through an email security policy, organizations train their
employees in email etiquette, including but not limited to drafting effective emails and
replying within a target duration. This helps the organization maintain its
respective competition in the market.
2. Employee productivity: Email security policies state what the normal use of corporate
email is. This restricts employees from using emails for their personal use, increasing the
overall productivity of the organization.
3. Less employer liability: Organizations should state the consequences or the actions taken
against the employee if the normal use policies are not followed. The liability of the
employer is reduced as a result.
1. Email Use and Limitations: The policy should state the scenarios and domains in which
employees cannot use their corporate email addresses. The
policy should also instruct employees not to open malicious attachments.
2. Defining extent of personal use: Policy should set boundaries for employees when using
corporate email for their personal use.
3. Monitoring of emails: If an organization will be reviewing the emails of all the employees,
it should be mentioned in the policy.
4. Duration of emails: Employees should be notified about the duration for keeping email in
their mailbox. Employees should be informed that the administrators will have the right
to archive emails after a certain period of time.
5. Encryption: In case of sensitive information being sent or received, employees should be
aware of the encryption policy of the organization.
6. Actions against non-compliance: The policy should clearly state the action taken against an
employee if they fail to follow the policy set by the organization.
Password Policy provides guidelines for using strong passwords for an organization's
resources
Design Considerations:
• Complexity of password
• Password duration
A password policy is a set of rules to increase system security by encouraging users to employ
strong passwords when accessing an organization's resources and to keep them secure.
The purpose of the policy is to protect the organizational resources by creating robust
protected passwords.
The policy statement should include a standard practice for creating a robust password.
For example,
• The password should include both uppercase and lowercase letters, numerical digits and
special characters
• Special characters include (@, %, $, &, ;)
• Passwords are case sensitive while the user name or login ID is not
• Password history: Unique passwords must be used while changing the old password.
Passwords cannot be reused.
• Maximum password age: 60 days
The policy includes the length of the password. The password length varies according to
the organization. The formation of a password includes
• Password duration
The policy suggests users change their passwords regularly usually every 90 or 180 days.
Changing a memorized password is hard for the user, but it is necessary to avoid
password stealing.
The password policy statement should include guidance or best practices on creating,
storing and managing passwords
• Employees should not communicate their password through e-mail, phone or IM,
even to the administrator.
• Do not leave the machine unattended. Always log off or lock the system when leaving
the desk.
• Keep different passwords for the operating system and frequently used applications.
The password policy should include a disclaimer, which should inform everyone on the
consequences of not following the guidelines stated in the password policy. The disclaimer
should involve all employees, including top management. Disclaimers can include verbal or
written warnings or termination.
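The complexity, history and maximum-age rules listed above can be enforced in code rather than left to user discipline. The following Python snippet is an added example and is not part of the courseware or of any EC-Council tool. The special-character set, the 60-day maximum age and the case-insensitive login ID follow the policy text; the minimum length (12), the history depth (5) and the use of PBKDF2 for the stored history entries are assumptions, since the text leaves these choices to the organization.

```python
import hashlib
import re
from datetime import date, timedelta

# Parameters drawn from the policy text: the named special characters and the
# 60-day maximum age. MIN_LENGTH and HISTORY_DEPTH are assumptions; the text
# leaves both to the organization.
SPECIAL_CHARS = "@%$&;"
MAX_AGE_DAYS = 60
MIN_LENGTH = 12
HISTORY_DEPTH = 5


def normalize_login(login_id):
    """Login IDs are not case sensitive (per the policy text), so compare them folded."""
    return login_id.strip().lower()


def complexity_violations(password):
    """Return the complexity rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("no special character from " + SPECIAL_CHARS)
    return problems


class PasswordHistory:
    """Remembers salted hashes of a user's last HISTORY_DEPTH passwords.

    Only hashes are stored, never the passwords themselves. PBKDF2 from the
    standard library keeps the example self-contained; a production system
    would reuse the slow hash of its credential store.
    """

    def __init__(self, salt):
        self.salt = salt          # constructed per-user salt in the demo below
        self.digests = []         # oldest first

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, 100_000)

    def was_used(self, password):
        return self._digest(password) in self.digests

    def record(self, password):
        self.digests.append(self._digest(password))
        del self.digests[:-HISTORY_DEPTH]   # keep only the newest HISTORY_DEPTH entries


def _as_date(value):
    """Accept ISO-8601 date strings or date objects."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def password_expired(last_changed, today):
    """True once a password is older than the maximum age."""
    return _as_date(today) - _as_date(last_changed) > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(new_password, history):
    """Full policy check for a proposed password change; an empty list means accepted."""
    problems = complexity_violations(new_password)
    if history.was_used(new_password):
        problems.append("reuse of a previous password")
    return problems


if __name__ == "__main__":
    history = PasswordHistory(b"constructed-per-user-salt")
    history.record("Winter-2024@Ops")
    print(evaluate_change("Winter-2024@Ops", history))   # reuse is refused
    print(evaluate_change("Spring-2025%Ops", history))   # [] -> accepted
    print(password_expired("2024-01-01", "2024-03-15"))  # True, older than 60 days
```

The history check compares hashes, so the reuse rule can be enforced without the system ever retaining old passwords in clear text; the age check is what drives the 60-day forced change.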
Physical Security Policy defines guidelines to ensure that adequate physical security
measures are in place
Design Considerations:
• Is there a process to identify outsiders such as visitors, contractors, vendors, etc. before giving
them access to the premises?
• Are the badges, locks, keys and authentication controls audited on a regular basis?
Physical security is the security provided for physical assets, which can be damaged
physically. In IT organizations where a huge amount of physical assets is present, the
assets are prone to damage during installation and when moving assets from offshore to
local locations. Care must be taken in terms of how frequently the risks are monitored
and analyzed, and the training provided to the people handling or working with the physical
assets must be monitored.
Designing a physical security policy helps an organization maintain certain norms, which can be
followed by the employees, reducing the probability of loss.
Information system security policy defines guidelines to safeguard an organization's information
systems from malicious use
Design Considerations: Is the operating system updated and patched regularly?
A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while
using an employee's personal device on an organization's network
Design Considerations:
• What security measures are to be put in place for data and BYOD
devices?
Bring Your Own Device (BYOD) is a term used by organizations to motivate employees to
bring their own devices. As it is difficult for organizations to keep up with the changing pace of
technology, BYOD has been beneficial to employers. BYOD also has a disadvantage: if the device
is not fully tested and does not follow the policies, it can be a threat to the IT infrastructure.
The existence of a BYOD policy is important. The policy provides a set of guidelines to maximize
business benefits and minimize the risks while using employee personal devices on an
organization's network.
Aspects of a BYOD policy:
1. Permissible devices: The policy should state the name of the devices an employee is
allowed to use. The list of devices may differ based on the designation of each employee
in the organization.
2. Permissible resources: The policy should clearly state the resources an employee can use
while using their own device. The policy should mention the actions taken if an employee
does not adhere to these policies.
3. Services to be disabled: Before an employee connects their device to the corporate
network, administrators should verify the services and the applications running on the
device. If certain services or applications are a source of vulnerabilities, administrators
should disable those services immediately.
4. Data Storage: It is necessary to document the location of data storage for BYOD.
Administrators should provide a separate location for data on employee devices. Storing
the data in existing drives can be a threat to the data. Administrators must provide a
separate drive to employees.
5. Security measures for data and BYOD device: Employees should be made aware of
threats and vulnerabilities while they use their devices in the corporate network. It is the
responsibility of the administrator to monitor these devices along with all corporate
devices.
While BYOD is emerging as a new trend in organizations, it is the responsibility of the
administrator to enforce the BYOD policy. A few administrator responsibilities associated with a
BYOD policy are:
1. List of devices: Administrators can prepare a list of devices and software in the BYOD
policy document. Items such as these listed below:
• Smartphones (with model number)
• Laptops (with model number)
• OS (with version)
• Any other process specific software or app
2. Resources to be accessed: Depending on the designation of the employee, administrators
can allow the following resources on BYOD.
• E-mail
• Contact
• Calendar
• Process specific documents
3. Disable the use of the following on BYOD devices:
• Storage or transmission of illicit materials
• Using another company's proprietary information
• Harassing
• Engaging in other business activities
4. Store data on BYOD devices with proper security measures using:
• The device
• Organization server
• Cloud
5. To secure data on BYOD devices follow these steps:
• Password (BYOD device also) and encryption policies
• Monitor data transferred
Software/Application Security Policy
Application security policy mandates proper measures to be set up which enhance the
security of in house and purchased applications
Design Considerations:
Application security involves securing the inbuilt and purchased applications running on the
system. The security policy covers the application throughout its complete life cycle. The threat
to an application is caused by software tampering, parameter manipulation, authorization,
cryptography, etc.
Drafting the guidelines for application security mandates the proper functioning of the
application, further enhancing how the system works.
1. Data validation
2. Session Management
3. Authentication
4. Authorization
5. Encryption
A network administrator's role in enforcing application policies is:
1. Criteria for data validation: It is required to set measures to validate data flowing in and
out of the application.
2. Authentication process: Administrators should set up an authentication policy for all
systems. If a user is trying to install a third party application, the system will prompt for an
administrator password. This will restrict users from installing third party applications
without administrator rights.
3. Authorization standards: Administrators should authorize application use for only those
who need it. The authorization can also be limited to certain parts of the application's
data.
4. Encryption policy: Administrators can encrypt the sensitive application data, preventing
users from getting access to it.
The backup policy helps an organization recover and safeguard their information in t he
event of a securit y incident/network failure
Design Considerations:
• Backup schedule
Creating a backup policy is one of the most important things you can do for your data security
plan. Optimized backup policies and procedures will save your organization time and money.
The biggest reason for this is that they bring the backup and recovery process in line with actual
requirements. They will also ensure a smooth recovery process in the event of a hard drive failure,
virus attack or natural disaster.
Backup policies and procedures vary according to the needs of an organization and industry.
There are certain elements of a data backup and restore process that every company should
identify:
Administrators should assign privileges to access backups to only those employees who
work on the data. It is important to keep track of the backup data. Keep the backup logs
updated regularly.
An organization backup policy should define the backup schedule employees must use.
Informing employees beforehand helps them prioritize their data for this requirement.
The schedule should be created, considering the business of the organization and the
severity of the data on the machines. It is not necessary to run a backup on everything at
the same time. Certain files or databases have to be backed at a different time. The
backup policy should also mention the time the backups should run. Usually an
organization prefers to perform backups after business hours. Based on the backup policy,
the backup process can be initiated by administrators.
While drafting the backup policies and procedures, administrators should also determine
the type of backup required. The type of backup depends on the organization's needs. The
three basic types of backup include:
• Full backups: Performs a backup of all data. The simplest form of backup and a very
time consuming process.
• Incremental backups: In this type of backup, the backup is created only when the data
was changed since the last full backup. It is a less time-consuming process.
• Differential backups: It backs up all the selected files that are new and changed since
the last full backup.
The backup policy should mention the location of the backup data and where it will be
stored. Administrators can store the data on a physical external device, cloud or both.
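To make the three backup types concrete, here is an added Python example (not courseware code) that selects which files a full, differential or incremental run would copy from a constructed file inventory, and works out which backup sets a restore needs. It uses the standard definitions, which go slightly beyond the wording above: an incremental copies what changed since the most recent backup of any type, a differential copies what changed since the last full backup. That is why a restore from an incremental schedule needs every incremental since the last full, whereas a differential schedule needs only the latest differential. The inventory, paths and timestamps are constructed sample data.

```python
from datetime import date, datetime

# Constructed inventory: path -> last modification time. Not real data.
FILES = {
    "/srv/db/customers.db": datetime(2024, 5, 6, 23, 40),
    "/srv/www/index.html": datetime(2024, 5, 1, 9, 0),
    "/srv/www/news.html": datetime(2024, 5, 8, 14, 15),
    "/home/alice/report.docx": datetime(2024, 5, 4, 17, 30),
}


def _as_dt(value):
    """Accept ISO-8601 strings or datetime objects."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def select_files(files, backup_type, last_full, last_backup):
    """Paths that a run of the given type copies.

    full:         everything
    differential: changed since the last full backup
    incremental:  changed since the most recent backup of any type
    """
    last_full, last_backup = _as_dt(last_full), _as_dt(last_backup)
    if backup_type == "full":
        return sorted(files)
    if backup_type == "differential":
        return sorted(p for p, mtime in files.items() if mtime > last_full)
    if backup_type == "incremental":
        return sorted(p for p, mtime in files.items() if mtime > last_backup)
    raise ValueError("unknown backup type: " + backup_type)


def weekly_schedule(start, kind):
    """Full backup on `start`, then one backup of `kind` on each of the next six days."""
    start = _as_date(start)
    return [(start, "full")] + [
        (date.fromordinal(start.toordinal() + n), kind) for n in range(1, 7)
    ]


def restore_chain(backups, target):
    """Backup sets needed to restore the state as of `target`.

    `backups` is a chronological list of (date, type) tuples; the schedule is
    assumed to pair full backups with one non-full type. Every incremental
    after the last full must be replayed; of differentials only the latest.
    """
    target = _as_date(target)
    done = [b for b in backups if b[0] <= target]
    last_full = max(i for i, (_, kind) in enumerate(done) if kind == "full")
    chain = [done[last_full]]
    after = done[last_full + 1:]
    chain.extend(b for b in after if b[1] == "incremental")
    diffs = [b for b in after if b[1] == "differential"]
    if diffs:
        chain.append(diffs[-1])
    return chain


if __name__ == "__main__":
    # Last full ran Sunday night; the last backup of any kind ran Tuesday night.
    for kind in ("full", "differential", "incremental"):
        print(kind, select_files(FILES, kind, "2024-05-05T22:00", "2024-05-07T22:00"))
    for kind in ("incremental", "differential"):
        chain = restore_chain(weekly_schedule("2024-05-05", kind), "2024-05-09")
        print(kind, "restore needs", len(chain), "backup sets")
```

The trade-off the schedule makes visible: incrementals are the least time-consuming to take but the slowest and most fragile to restore (one missing set breaks the chain), while differentials grow through the week but restore from just two sets.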
Confidential data policy defines guidelines for identifyi ng an organization's confidential data and
procedures to handle it
Design Considerations:
• Treatment of confidential data including data storage, access, transmission, data sharing,
disposal, handling and disclosure of data
• Security controls for confidential data
• Emergency access to the data
A confidential data policy covers the set of information that requires a very high level of protection. It
may consist of salary details, product details, organization structure details, etc. It is the
responsibility of administrators to ensure the confidential data is secured from non-authorized
access.
Drafting of a confidential data policy will help the organization protect the information
important to the existence of the business. The presence of a confidential data policy ensures
users maintain the integrity and confidentiality of the business which will further help the
overall growth of the business.
A data classification policy establishes a framework for classifying organizational data based on
its level of sensitivity, value and criticality within the IT security policy
Design Considerations:
• Appropriate data classification by data owners
• Protecting data at rest
The data classification policy document aims to classify sensitive data and secure it as per its
class. The implementation of a data classification policy helps the organization maintain and
secure their data and resources. The classification of data and prioritizing its risk level depends
on the organization. They can classify their data according to the user-requirement, security
requirement or managerial requirement. The prioritization of the risk level can be restricted,
confidential or public. The data classification policy should also include a list of users who can
have access to the information.
Points to consider when developing a data classification policy:
• Employees should avoid distribution of any restricted or confidential data internally and
externally.
• Authorized employees dealing with confidential data should send it only in an encrypted
format through email.
• Administrators should have a secure backup of the data and monitor the backups
regularly. The backups should have strong user credentials.
• After receiving the confidential data, an employee should scan the device or the file to
avoid any malicious activity.
• If the authorized employee finds confidential data that is public, they should immediately
delete the data (if possible).
• The document should mention the action taken against employees if they do not adhere
to the policy.
• The organization should perform regular audits to ensure authorized employees are
following the required measures.
Internet usage policy governs the way the organization's internet connection is used by every device on
the network.
Design Considerations:
• Method adoption for web usage monitoring
An Internet usage policy informs employees about the rules which have to be followed while
accessing the corporate Internet network. The implementation of such policies helps the
organization maintain a secure network. Using an Internet policy keeps the systems secure and
helps the user understand the types of risks a network can encounter. The policy should make
employees aware that browsing prohibited sites or downloading files from unreliable sources
can land them in trouble.
A small negligence from an employee or administrator end can lead to a major vulnerability in
the network. The Internet usage policy must be accepted by all employees and it must be
signed by them to acknowledge their understanding. Network administrators should (in
consultation with top management) ensure the following facts:
1. Limited usage: Employees should be aware that the corporate Internet is used for official
use only. Employees should refrain from using the Internet for their personal use.
For example, downloading movies should not be allowed.
2. Setting a timeframe for personal use: If an organization plans to allow employees to use
the Internet for personal purposes, it can set a timeframe for the use.
3. The method to be adopted for monitoring web use: Administrators should set
monitoring standards to keep track of user activities on the Internet. These monitoring
standards should follow the policies drafted in the document.
4. Discuss and decide what content should never be allowed: Administrators should discuss
with top management and decide on a list of sites that should be denied or can be added
to a list of non-trusted sites.
Server policy establishes a standard for the base configuration of an organization's server
Design Considerations:
Configuration of servers
Monitoring of servers
A server policy is an internal organizational policy that defines the handling of server issues. It
includes the details of installation, configuration, services required, etc. for the server. The
policy document authorizes only its target audience - network/ system administrators to have
access to read it. The policy states administrators have the rights to perform deletions or
modifications in a server. Following the policy, if any changes are made administrators are
required to inform management or the users that will be affected by the changes.
The policy should cover the points that can help administrators rebuild the network or servers
during a time of a disaster or calamity. With many troubleshooters available, the document
reduces the troubleshooting time of the administrators.
For every server on a secure network, there are lists of items that must be documented and
reviewed on a regular basis to keep a private network secure. The server list of information
must be updated as new servers are added to the network and updated regularly.
1. Server name
2. Server location
4. Hardware components of the system, including the make and model of each part in the
system
5. List of all software running on the server including the operating system, programs, and
services
• Account settings
Responsibilities in enforcing general server policies are:
Design Consideration
The Wireless Network policy is designed to protect organizational resources against intrusion
from a wireless network. It applies to all wireless devices in use by the organization or those
that connect through a wireless device to any organization network.
A network administrator's responsibilities in enforcing Wireless policies are:
1. Access Point: Administrator should provide a clear description of new established access
points in the network. All access points must be registered and approved. They should be
connected to the organizational network.
2. Configuration: Administrators should configure the SSID on all wireless devices so they do
not reveal any information about the organization.
3. Permissible devices: The policy document should mention the type of devices that can be
used to connect to the corporate wireless network. Only those devices that are approved
by management should be connected to the network.
IRP is an integral part of the security policy which instructs how to detect, respond, and limit
the effects of an information security incident
Design Considerations:
An incident response plan (IRP) is a set of written instructions for detecting, responding to and
limiting the effects of an information security event. Incident response plans provide
instructions for responding to a number of potential scenarios, including data breaches, denial
of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or
insider threats. Without an incident response plan in place, organizations may not detect the
attack in the first place, or not follow proper protocol to contain the threat and quickly recover
from it.
The design process of an IRP should concentrate on these aspects:
• To limit the ill effects of damage
• Recover lost data
• Get the systems up and working
Network administrator's responsibilities in designing an IRP are:
• Prepare an IRP as a preventive measure.
• Scan all log files on a daily basis to discover an attack in the earliest stage.
• After you detect an attack incident, immediately debrief your top officials.
• Follow the IRP steps and take appropriate actions to minimize the damage.
• Ensure the organization fully recovers from the attack.
• Take appropriate steps to prevent a similar kind of attack in the future.
User Access control policy gives an organization the ability to control, restrict, monitor, and
protect corporate resource availability, integrity, and confidentiality
The access control policy provides a way to control the interaction between users, systems and
resources. An access control policy helps an organization control, constrain and defend the
resource availability of an organization.
The access control policy should define:
• Who can access (people, process, machines)?
• What system resources can be accessed?
• What files can be read?
• What programs can be executed?
• How to share data with other entities?
The policy should address the typical Access Control Practices such as:
• Undefined user or unknown account logins should be prohibited.
• Powerful accounts such as an administrator account must be monitored continuously.
• Lock access to accounts after crossing a limited number of unsuccessful login attempts.
• Remove unused accounts.
• Administer strict access criteria.
• Enforce the need-to-know and least-privilege practices.
• Disable unrequired system features and unused ports.
• Restrict global access rules.
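Several of the practices above (prohibiting logins by undefined accounts, locking an account after a limited number of failed attempts, continuously monitoring powerful accounts) can be checked mechanically from authentication logs. The following is an added example written for this page, not code from EC-Council or the CND courseware; it replays constructed sample log lines in an assumed `<timestamp> user=<name> result=<ok|fail> src=<ip>` format, and the account lists and threshold are assumptions as well.

```python
"""Access-control monitoring over authentication log lines.

Added example, not from the CND courseware: it checks three of the access
control practices listed above (no unknown-account logins, lockout after a
limited number of failed attempts, continuous monitoring of powerful accounts)
against constructed sample log lines in an assumed
"<timestamp> user=<name> result=<ok|fail> src=<ip>" format.
"""
import re
from collections import defaultdict

# Assumed log line format (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) src=(?P<src>\S+)$"
)

# Constructed sample data.
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup", "administrator"}
PRIVILEGED_ACCOUNTS = {"administrator"}
LOCKOUT_THRESHOLD = 3  # lock after this many consecutive failures

SAMPLE_LOG = """\
2024-01-01T09:00:01 user=alice result=ok src=10.0.0.5
2024-01-01T09:00:07 user=bob result=fail src=10.0.0.6
2024-01-01T09:00:09 user=bob result=fail src=10.0.0.6
2024-01-01T09:00:12 user=bob result=fail src=10.0.0.6
2024-01-01T09:00:15 user=bob result=ok src=10.0.0.6
2024-01-01T09:01:00 user=ghost result=fail src=10.0.0.9
2024-01-01T09:02:30 user=administrator result=ok src=10.0.0.2
this line is not an auth event
""".splitlines()


def analyze(lines, known=KNOWN_ACCOUNTS, privileged=PRIVILEGED_ACCOUNTS,
            threshold=LOCKOUT_THRESHOLD):
    """Replay the log and return the policy findings.

    unknown    : (user, src) for logins by accounts that are not defined
    locked     : accounts that reached the failure threshold
    blocked    : (user, src) for attempts made after an account was locked,
                 even when the credentials were correct
    privileged : (user, src) successful logins by powerful accounts
    """
    failures = defaultdict(int)
    locked = set()
    findings = {"unknown": [], "locked": [], "blocked": [], "privileged": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an authentication event
        user, result, src = m["user"], m["result"], m["src"]
        if user not in known:
            findings["unknown"].append((user, src))
            continue
        if user in locked:
            findings["blocked"].append((user, src))
            continue
        if result == "fail":
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
                findings["locked"].append(user)
            continue
        failures[user] = 0  # a successful login resets the counter
        if user in privileged:
            findings["privileged"].append((user, src))
    return findings


if __name__ == "__main__":
    for kind, events in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {events}")
```

Note that the fourth "bob" line succeeds at the authentication layer but is still reported as blocked: once the threshold is reached the account must stay locked until an administrator releases it, otherwise the lockout practice gives no protection against a guess that happens to land after the third failure.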
Switch security policy describes a required minimal security configuration for the
switches in the network
Design Considerations:
1. Monitor regularly: The data in the switch should be monitored regularly for smooth
network function.
2. Services and applications: It is not necessary to block all the services and applications of
the switch device. Block the items which are not required and those which are known to
be vulnerable.
3. Encryption: Administrators should encrypt all the stored data and passwords.
4. Restricted area: Physical storage of the switch should be in a restricted area.
5. Configuring an L3 switch: If an organization is using an L3 switch, it should be configured
identically to the router policy.
A network administrator's switch policy responsibilities are:
1. Enable password: You should always maintain the 'enable password' option. This helps to
keep the switch password in a secure encrypted form.
2. Timeout periods: Set session timeout periods on the switch so that idle or stalled sessions
do not keep the switch busy.
3. Privileges: Privileges should be enabled on all levels of the switch.
4. SSH: Administrators should avoid using Telnet as a communication channel. SSH has
proven to be more secure than Telnet. Use SSH with a strong password.
5. Port security: Port security limits MAC-based access, enhancing the security of the
switch. Limit MAC-based access by implementing port security.
6. Disable ports: Ports that are not used by the switch should be disabled. Administrators
can assign these ports to an unused VLAN number.
7. Configure trunk ports: Trunk ports carry traffic for all VLANs. Configure trunk ports with a
VLAN number that is not otherwise in use.
8. VLAN restrictions: Use a static VLAN and limit the number of VLANs that can be
transported over the trunk.
9. Disable VTP: If you are unable to disable VTP, then set the VTP management domain,
password, and pruning. After performing the above steps, set VTP to transparent mode.
The IDS and IPS policy facilitates detection and prevention of intrusion into the
organization's network.
Regularly update the intruder definitions in the IDS logic for all evolving threats.
Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
The policy of an IDS/IPS should facilitate the detection and prevention of intrusions in the
organization's network.
The IDS and IPS policy design should include the following components:
1. Deployment of a standard IDS system: For a successful working IPS, administrators
should deploy a standard IDS system across the network. The successful deployment of an
IDS ensures threats will be detected and then prevented using the IPS standards.
2. Monitor log files of an IDS continuously: For monitoring the activity on a network
continuously, administrators should actively audit and monitor the IDS.
3. Regular update: It is important for administrators to perform regular updates for the
intruder's definitions in IDS logic as per evolving threats.
4. Need of IPS: It is advisable to deploy an IPS for large organizations. Deploying and
implementing an IPS ensures threats are detected using the same software as an IDS
and then blocked using its prevention tools.
The encryption policy defines an acceptable use and management of encryption methods,
techniques, and tools throughout an enterprise
The policy is applicable to all enterprise network resources, users (staff, stakeholders, etc.),
the internal network (LAN, Wi-Fi) and remote (WAN) connections.
The encryption policy sets universal standards for organizations to facilitate data protection. It
involves establishing business and technical strategies for accomplishing data security. The
encryption policy determines the need for data encryption and the process of encrypting it.
The encryption policy is applicable to large and small organizations. It is applicable to but not
limited to employees, partners, vendors, stakeholders, etc. It is necessary to understand every
aspect of the policy to implement it further across the organization. The encryption policy
defines the standards which can be deployed and implemented in electronic devices like
servers, laptops, smart phones, removable devices, etc.
Encryption policies should be designed based on the following points:
1. Encryption algorithm: Once the encryption policy is approved by management,
administrators should research the encryption algorithm which can be implemented in the
infrastructure.
2. Changes in hash functions: You should change the hash functions of the selected
algorithm, if required.
3. Type of key: As per the organization's requirement, administrators can use a symmetric or
asymmetric key for encrypting the data.
4. Verified certificates: Before installing any certificate on the server, administrators should
verify the authenticity of the certificates and its provider.
5. SSL and TLS certificate: Ensure the servers are using SSL and TLS and that both of these
have a trusted certificate.
• Access rules
• Placement
• Password management
An organization should establish router policies for the smooth functioning of the IT
infrastructure.
1. No local user account: Routers must use TACACS user authentication. Administrators
should not create local user accounts on the router.
2. Encryption: Secure the router by setting up the 'enable secret' password on the router,
which stores the password in a secure encrypted form.
4. Do not touch: Administrators should place warnings such as, 'Do not touch' on the routers
to avoid any mishandling by employees.
5. Maintain standards: Routers should comply with the standards outlined in the Router IOS
Template.
7. Logging information: Administrators should ensure every router saves system logging
information to a local RAM buffer. The information should also be stored on a "syslog"
server.
• Source routing
• IP directed broadcasts
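The switch policy responsibilities listed earlier (enable password, SSH rather than Telnet, session timeouts, port security, trunk VLAN numbering, VTP mode) and the router policy items above (no local accounts with TACACS authentication, enable secret, local and syslog logging, source routing and IP directed broadcasts) can all be audited from a device's running configuration. The following is an added example, not EC-Council's courseware code and not a Cisco tool; it parses a constructed configuration written in Cisco IOS command syntax and lists each departure from those policies. The sample configuration, the check labels, and the assumption that sub-commands are indented by one space are mine.

```python
"""Policy audit of a Cisco IOS-style switch or router configuration.

Added example, not from the CND courseware or from any vendor: it parses a
constructed running-config (Cisco IOS command syntax, one-space indentation
for sub-commands) and reports each departure from the switch and router
policy items described above. The check names are my own labels.
"""
import re

# Constructed sample configuration that violates several policy items on purpose.
SAMPLE_CONFIG = """\
enable secret 5 $1$examplehash
username admin privilege 15 secret 5 $1$localhash
vtp mode server
logging buffered 16384
!
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
 shutdown
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
 ip directed-broadcast
!
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""


def parse_config(text):
    """Split a config into global commands and {block header: [sub-commands]}."""
    global_cmds, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' ends a configuration block
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, blocks


def audit(text):
    """Return a list of (check, detail) findings for the configuration text."""
    cmds, blocks = parse_config(text)
    cmdset = set(cmds)
    findings = []
    # Switch item 1 / router item 2: privileged-mode password kept as a hash.
    if not any(c.startswith("enable secret") for c in cmds):
        findings.append(("enable-secret", "no 'enable secret' configured"))
    # Router item 1: no local accounts; authenticate through TACACS.
    local = [c for c in cmds if c.startswith("username ")]
    if local:
        findings.append(("local-accounts", f"{len(local)} local user account(s) defined"))
    if not any("tacacs" in c for c in cmds):
        findings.append(("tacacs", "no TACACS authentication configured"))
    # Switch item 9: VTP disabled or in transparent mode.
    vtp = [c for c in cmds if c.startswith("vtp mode")]
    if not vtp or vtp[0] not in ("vtp mode transparent", "vtp mode off"):
        findings.append(("vtp", "VTP is not disabled or transparent"))
    # Router: IOS enables source routing by default, so it must be disabled explicitly.
    if "no ip source-route" not in cmdset:
        findings.append(("source-route", "IP source routing not disabled"))
    # Router item 7: logs must also go to a syslog server ('logging host x' or 'logging x').
    if not any(re.match(r"logging (host )?\d", c) for c in cmds):
        findings.append(("syslog", "no syslog server configured"))

    for header, sub in blocks.items():
        name = header.split(" ", 1)[1]
        if header.startswith("interface "):
            if "shutdown" in sub:
                continue  # switch item 6: an unused port that is already disabled
            if "switchport mode access" in sub and "switchport port-security" not in sub:
                findings.append(("port-security", f"{name}: access port without port security"))
            if "switchport mode trunk" in sub:  # switch item 7: native VLAN defaults to 1
                native = next((c.split()[-1] for c in sub
                               if c.startswith("switchport trunk native vlan")), "1")
                if native == "1":
                    findings.append(("trunk-native", f"{name}: trunk uses native VLAN 1"))
            if "ip directed-broadcast" in sub:
                findings.append(("directed-broadcast", f"{name}: IP directed broadcasts enabled"))
        elif header.startswith("line vty"):  # switch items 2 and 4
            transport = next((c for c in sub if c.startswith("transport input")), "")
            if transport != "transport input ssh":
                shown = transport or "transport input (default)"
                findings.append(("ssh-only", f"{name}: '{shown}' permits non-SSH access"))
            if "exec-timeout 0 0" in sub:
                findings.append(("timeout", f"{name}: session timeout disabled"))
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports ten findings, one per deliberate weakness; GigabitEthernet0/1 (port security on) and GigabitEthernet0/3 (shut down) produce none. The source-routing check flags the absence of `no ip source-route` rather than the presence of a command, because IOS enables that feature by default and a compliant configuration has to turn it off explicitly.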
The security policy training and procedures are required to ensure security and effective
network management.
• The security policy training program helps employees appropriately recognize and
respond to security threats in real time. The training teaches employees to understand the
importance of data on their devices or systems. Employees adapt themselves to secure
computing habits.
• The security policy training keeps employees updated and aware of the probable
vulnerabilities that can occur if they do not follow the policies.
• Security policy training and awareness helps minimize security breaches in the
organization. Early identification of a breach decreases the cost to the organization.
• Security policy awareness among users helps notify them about new security policies, by
publishing policy documentation and by developing descriptive security documentation
for users, etc.
• Employees following the security policy correctly reduces potential fines or legal actions.
• An effective training program will help an employee monitor their computing behavior
and report their security concerns to management. The training will enhance the overall
compliance with the company's security policies and procedures.
Sr. No.  Standard        Objective
1        ISO/IEC 27001   Formal ISMS specification
ISO/IEC 27001
Source: http://www.iso27001security.com
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of
activities concerning the management of information security risks. The ISMS is an overarching
management framework through which the organization identifies, analyzes and addresses its
information security risks. The ISMS ensures that the security arrangements are fine-tuned to
keep pace with changes to the security threats, vulnerabilities and business impacts - an
important aspect in such a dynamic field, and a key advantage of ISO27k's flexible risk-driven
approach as compared to, say, PCI-DSS.
ISO/IEC 27002
Source: http://www.iso27001security.com
ISO/IEC 27002 is relevant to all types of organizations, including commercial enterprises of all
sizes (from one-man-bands up to multinational giants), not-for-profits, charities, government
departments and quasi-autonomous bodies - in fact any organization that handles and depends
on information. The specific information security risk and control requirements may differ in
detail, but there is a lot of common ground, for instance, most organizations need to address
the information security risks relating to their employees plus contractors, consultants and the
external suppliers of information services.
ISO/IEC 27003
Source: http://www.iso27001security.com
ISO/IEC 27003 guides the design of an ISO/IEC 27001-compliant ISMS, leading up to the
initiation of an ISMS implementation project. It describes the process of ISMS specification and
design from inception to the production of implementation project plans, covering the
preparation and planning activities prior to the actual implementation.
ISO/IEC 27004
Source: http://www.iso27001security.com
ISO/IEC 27004 concerns the measurements relating to information security management: these
are commonly known as 'security metrics'.
ISO/IEC 27005
Source: http://www.iso27001security.com
The standard provides guidelines for information security risk management and supports the
general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory
implementation of information security based on a risk management approach.
ISO/IEC 27006
Source: http://www.iso27001security.com
ISO/IEC 27006 is the accreditation standard that guides certification bodies on the formal
processes they must follow when auditing their client's Information Security Management
Systems (ISMSs) against ISO/IEC 27001 in order to certify or register them compliant. The
accreditation processes laid out in the standard give assurance that ISO/IEC 27001 certificates
issued by accredited organizations are valid.
ISO/IEC 27007
Source: http://www.iso27001security.com
ISO/IEC 27007 provides guidance for accredited certification bodies, internal auditors,
external/third party auditors and others auditing ISMSs against ISO/IEC 27001 (i.e. auditing the
management system for compliance with the standard).
ISO/IEC 27007 reflects and largely refers to ISO 19011, the ISO standard for auditing quality and
environmental management systems - "management systems" of course being the common
factor linking it to the ISO27k standards. It provides additional ISMS-specific guidance.
ISO/IEC TR 27008
Source: http://www.iso27001security.com
This standard provides guidance for all auditors regarding "information security management
system controls" [sic] selected through a risk-based approach (e.g. as presented in a statement
of applicability) for information security management. It supports the information security risk
management process and internal, external and third party audits of ISMS by explaining the
relationship between the ISMS and its supporting controls. It provides guidance on how to
verify the extent to which required "ISMS controls" are implemented. Furthermore, it supports
any organization using ISO/IEC 27001 and ISO/IEC 27002 to satisfy assurance requirements, and
as a strategic platform for information security governance.
ISO/IEC 27010
Source: http://www.iso27001security.com
This standard provides guidance in relation to sharing information about information security
risks, controls, issues and/or incidents that span the boundaries between industry sectors
and/or nations, particularly those affecting "critical infrastructure".
ISO/IEC 27011
Source: http://www.iso27001security.com
This ISMS implementation guide for the telecom industry was developed jointly by ITU-T and
ISO/IEC JTC1/SC 27, with the identical text being published as both ITU-T X.1051 and ISO/IEC
27011.
ISO/IEC 27013
Source: http://www.iso27001security.com
ISO/IEC 27014
Source: http://www.iso27001security.com
ISO/IEC JTC1/SC 27, in collaboration with the ITU Telecommunication Standardization Sector
(ITU-T), has developed a standard specifically aimed at helping organizations govern their
information security arrangements.
ISO/IEC TR 27015
Source: http://www.iso27001security.com
This is a guideline intended to help financial services organizations (banks, insurance
companies, credit card companies etc.) implement ISMSs using the ISO27k standards.
Although the financial services sector already labors under a vast swathe of risk and security
standards (such as ISO TR 13569 "Banking Information Security Guidelines", SOX and Basel
II/III), the ISMS implementation guidance developed by SC 27 reflects ISO/IEC
27001 and 27002 along with various general-purpose security standards such as COBIT and the
PCI-DSS requirements.
ISO/IEC TR 27016
Source: http://www.iso27001security.com
It helps management appreciate and understand the financial impacts of information security
in the context of an ISO27k ISMS, along with political, social, compliance and other potential
impacts on the organization that collectively influence how much it needs to invest in
protecting its information assets.
ISO/IEC 27017
Source: http://www.iso27001security.com
This standard provides guidance on the information security aspects of cloud computing,
recommending and assisting with the implementation of a cloud-specific information security
controls supplementing the guidance in ISO/IEC 27002 and other ISO27k standards.
ISO/IEC 27018
Source: http://www.iso27001security.com
This standard provides guidance aimed at ensuring that cloud service providers (such as
Amazon and Google) offer suitable information security controls to protect the privacy of their
customer's clients by securing PII ( Personally Identifiable Information) entrusted to them. The
standard will be followed by ISO/IEC 27017 covering the wider information security angles of
cloud computing, other than privacy.
ISO/IEC TR 27019
Source: http://www.iso27001security.com
This standard (a Technical Report) is intended to help organizations in "the energy industry"
interpret and apply ISO/IEC 27002:2005 in order to secure their electronic process control
systems.
ISO/IEC 27031
Source: http://www.iso27001security.com
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information
and communications technology in ensuring business continuity.
The standard:
• Suggests a structure or framework (actually a set of methods and processes) for any
organization - private, governmental, and non-governmental.
• Identifies and specifies all relevant aspects including performance criteria, design, and
implementation details, for improving ICT readiness as part of the organization's ISMS,
helping to ensure business continuity.
• Enables an organization to measure its ICT continuity, security and hence readiness to
survive a disaster in a consistent and recognized manner.
ISO/IEC 27032
Source: http://www.iso27001security.com
ISO/IEC 27032 addresses "Cybersecurity" or "Cyberspace security", defined as the
"preservation of confidentiality, integrity and availability of information in the Cyberspace". In
turn "the Cyberspace" (complete with definite article) is defined as "the complex environment
resulting from the interaction of people, software and services on the Internet by means of
technology devices and networks connected to it, which does not exist in any physical form".
ISO/IEC 27033-1 to -5
Source: http://www.iso27001security.com
ISO/IEC 27033 is a multi-part standard derived from the existing five-part network security
standard ISO/IEC 18028. It is being substantially revised, not just renamed, to fit into
the ISO27k suite.
ISO/IEC 27034
Source: http://www.iso27001security.com
ISO/IEC 27034 offers guidance on information security to those specifying, designing and
programming or procuring, implementing and using application systems, in other
words business and IT managers, developers and auditors, and ultimately the end-users of ICT.
The aim is to ensure that computer applications deliver the desired or necessary level of
security in support of the organization's Information Security Management System, adequately
addressing many ICT security risks.
ISO/IEC 27035
Source: http://www.iso27001security.com
Information security controls are imperfect in various ways: controls can be overwhelmed or
undermined (e.g. by competent hackers, fraudsters or malware), fail in service (e.g.
authentication failures), work partially or poorly (e.g. slow anomaly detection), or be more or
less completely missing (e.g. not [yet] fully implemented, not [yet] fully operational, or never
even conceived due to failures upstream in risk identification and analysis). Consequently,
information security incidents are bound to occur to some extent, even in organizations that
take their information security extremely seriously.
ISO/IEC 27036
Source: http://www.iso27001security.com
ISO/IEC 27036 is a multi-part standard offering guidance on the evaluation and treatment of
information security risks involved in the acquisition of goods and services from suppliers. The
implied context is business-to-business relationships, rather than retailing, and information-
related products. The terms acquisition and acquirer are used rather than purchase and
purchasing since the process and the risks are much the same whether or not the transactions
are commercial.
ISO/IEC 27037
Source: http://www.iso27001security.com
ISO/IEC 27038
Source: http://www.iso27001security.com
Digital data sometimes have to be revealed to third parties, occasionally even published to the
public, for reasons such as disclosure of official documents under Freedom of Information laws
or as evidence in commercial disputes or legal cases. 'Redaction' is the conventional term for
the process of denying file recipients' knowledge of certain sensitive data within the original
files.
ISO/IEC 27039
Source: http://www.iso27001security.com
IDS (Intrusion Detection Systems) are largely automated systems for identifying attacks on and
intrusions into a network or system by hackers and raising the alarm. IPS (Intrusion Prevention
Systems) take the automation a step further by automatically responding to certain types of
identified attack, for example by closing off specific network ports through a firewall to block
identified hacker traffic. IDPS refers to either type.
ISO/IEC 27040
Source: http://www.iso27001security.com
The proposers of this standard felt that the information security aspects of data storage
systems and infrastructures have been neglected due to misconceptions and limited familiarity
with the storage technology, or in the case of [some] storage managers and administrators, a
limited understanding of the inherent risks or basic security concepts.
ISO/IEC 27041
Source: http://www.iso27001security.com
The fundamental purpose of the ISO27k digital forensics standards is to promote best practice
methods and processes for forensic capture and investigation of digital evidence. While
individual investigators, organizations and jurisdictions may well retain certain methods,
processes and controls, it is hoped that standardization will (eventually) lead to the adoption of
similar, if not identical approaches internationally, making it easier to compare, combine and
contrast the results of such investigations even when performed by different people or
organizations and potentially across different jurisdictions.
ISO/IEC 27042
Source: http://www.iso27001security.com
The fundamental purpose of the ISO27k digital forensics standards is to promote best practice
methods and processes for forensic capture and investigation of digital evidence. While
individual investigators, organizations and jurisdictions may well retain certain methods,
processes and controls, it is hoped that standardization will (eventually) lead to the adoption of
similar, if not identical approaches internationally, making it easier to compare, combine and
contrast the results of such investigations even when performed by different people or
organizations and potentially across different jurisdictions.
ISO/IEC 27043
Source: http://www.iso27001security.com
The fundamental purpose of the digital forensics standards ISO/IEC 27037, 27041, 27042,
27043 and 27050 is to promote best practice methods and processes for forensic capture and
investigation of digital evidence. While individual investigators, organizations and jurisdictions
may well retain certain methods, processes and controls, it is hoped that standardization will
(eventually) lead to the adoption of similar, if not identical approaches internationally, making
it easier to compare, combine and contrast the results of such investigations even when
performed by different people or organizations and potentially across different jurisdictions.
ISO/IEC 27799
Source: http://www.iso27001security.com
This International Standard provides guidance to healthcare organizations and other custodians
of personal health information on how best to protect the confidentiality, integrity and
availability of such information by implementing ISO/IEC 27002. Specifically, this International
Standard addresses the special information security management needs of the health sector
and its unique operating environments. While the protection and security of personal
information is important to all individuals, corporations, institutions and governments, there
are special requirements in the health sector that need to be met to ensure the confidentiality,
integrity, adaptability, and availability of personal health information.
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the organization.
It is intended to be suitable for several different types of use, including the following:
http://www.iso.org
ISO/IEC 27001:2013 specifies 114 controls in 14 groups and 35 control objectives.
Structure of ISO/IEC 27001:2013
• A.7: Human resource security - 6 controls that are applied before, during, or after
employment
• A.18: Compliance; with internal requirements, such as policies, and with external
requirements, such as laws (8 controls)
7. Planning: Outlines the process to identify, analyze and plan to treat information security
risks, and clarify the objectives of information security.
9. Operation: A bit more detail about assessing and treating information security risks,
managing changes, and documenting things (partly so that they can be audited by the
certification auditors).
11. Improvement: Address the findings of audits and reviews (e.g. nonconformities and
corrective actions); make continual refinements to the ISMS.
Source: http://www.iso27001security.com
"The purpose of ISO/IEC 27033 is to provide detailed guidance on the security aspects of the
management, operation and use of information system networks, and their interconnections.
Those individuals within an organization that are responsible for information security in
general, and network security in particular, should be able to adapt the material in this
standard to meet their specific requirements." [quoted from the introduction to 27033-1].
ISO/IEC 27033 provides detailed guidance on implementing the network security controls that
are introduced in ISO/IEC 27002. It applies to the security of networked devices and the
management of their security, network applications/ services and users of the network, in
addition to the security of information being transferred through communications links. It is
aimed at network security architects, designers, managers and officers.
Source: http://www.iso27001security.com
• PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers,
issuers, and service providers, as well as all other entities that store, process or transmit cardholder data
• High-level overview of the PCI DSS requirements developed and maintained by the Payment Card Industry (PCI)
Security Standards Council:
  • Build and Maintain a Secure Network
  • Implement Strong Access Control Measures
• Failure to meet the PCI DSS requirements may result in fines or termination of payment card processing privileges
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information
security standard for organizations that handle cardholder information for the
major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and
comprehensive standards and supporting materials to enhance payment card data security.
These materials include a framework of specifications, tools, measurements, and support
resources to help organizations ensure the safe handling of cardholder information. PCI DSS
applies to all entities involved in payment card processing, including merchants, processors,
acquirers, issuers, and service providers, as well as all other entities that store, process or
transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting
cardholder data. The Payment Card Industry (PCI) Security Standards Council develops and
maintains the PCI DSS requirements.
Source: https://www.pcisecuritystandards.org
• Transactions: Requires every provider who does business electronically to use the same
health care transactions, code sets, and identifiers
• Privacy: Provides federal protections for personal health information held by covered
entities and gives patients an array of rights with respect to that information
• Security: Requires covered entities to use safeguards that assure the confidentiality, integrity,
and availability of electronic protected health information
• Identifiers: Requires that health care providers, health plans, and employers have standard
national numbers that identify them on standard transactions
http://www.hhs.gov
The HIPAA Privacy Rule provides federal protections for individually identifiable health
information held by covered entities and their business associates and gives patients an array of
rights with respect to that information. At the same time, the Privacy Rule permits the
disclosure of health information needed for patient care and other important purposes. The
Security Rule specifies a series of administrative, physical, and technical safeguards for covered
entities and their business associates to assure the confidentiality, integrity, and availability of
electronic protected health information.
The Office for Civil Rights implemented HIPAA's Administrative Simplification Statute and Rules,
as discussed below:
• Transactions
Transactions are electronic exchanges involving the transfer of information between two
parties for specific purposes. The Health Insurance Portability and Accountability Act of
1996 (HIPAA) named certain types of organizations as covered entities, including health
plans, health care clearinghouses, and certain health care providers. In the HIPAA
regulations, the Secretary of Health and Human Services (HHS) adopted certain standard
transactions for Electronic Data Interchange (EDI) of health care data. These transactions
are claims and encounter information, payment and remittance advice, claim status,
eligibility, enrollment and disenrollment, referrals and authorizations, coordination of
benefits and premium payment. Under HIPAA, if a covered entity conducts one of the
adopted transactions electronically, they must use the adopted standard, either from
ASC X12N or NCPDP (for certain pharmacy transactions). Covered entities must adhere to
the content and format requirements of each transaction.
• Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individual's medical
records and other personal health information and applies to health plans, health care
clearinghouses, and those health care providers that conduct certain health care
transactions electronically. The Rule requires appropriate safeguards to protect the
privacy of personal health information, and sets limits and conditions on the uses and
disclosures that may be made of such information without patient authorization. The Rule
also gives patients rights over their health information, including rights to examine and
obtain a copy of their health records, and to request corrections.
• Security Rule
The HIPAA Security Rule establishes national standards to protect individual's electronic
personal health information that is created, received, used, or maintained by a covered
entity. The Security Rule requires appropriate administrative, physical, and technical
safeguards to ensure the confidentiality, integrity, and security of electronic protected
health information.
• Identifiers
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that
employers have standard national numbers that identify them on standard transactions.
The National Provider Identifier (NPI) is a Health Insurance Portability and Accountability
Act (HIPAA) Administrative Simplification Standard. The NPI is a unique identification
number for covered health care providers. Covered health care providers and all health
plans and health care clearinghouses must use the NPIs in the administrative and financial
transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric
identifier (10-digit number). This means that the numbers do not carry other information
about healthcare providers, such as the state in which they live or their medical specialty.
• Enforcement Rule
Source: http://www.hhs.gov
• Sarbanes-Oxley is a United States federal law that sets new or enhanced standards for all
US public company boards, management, and accounting firms.
• The rules and enforcement policies outlined by the SOX Act amend or supplement
existing legislation dealing with security regulations.
Enacted in 2002, the Sarbanes-Oxley Act aims to protect investors and the public by increasing
the accuracy and reliability of corporate disclosures. This act does not explain how an
organization needs to store records, but describes records that organizations need to store and
the duration of the storage. The Act mandated a number of reforms to enhance corporate
responsibility, enhance financial disclosures and combat corporate and accounting fraud.
Key requirements and provisions of SOX are organized into 11 titles:
Title I consists of nine sections and establishes the Public Company Accounting Oversight
Board, to provide independent oversight of public accounting firms providing audit
services ("auditors"). It also creates a central oversight board tasked with registering audit
services, defining the specific processes and procedures for compliance audits, inspecting
and policing conduct and quality control, and enforcing compliance with the specific
mandates of SOX.
Title II consists of nine sections and establishes standards for external auditor
independence, to limit conflicts of interest. It also addresses new auditor approval
requirements, audit partner rotation, and auditor reporting requirements. It restricts
auditing companies from providing non-audit services (e.g., consulting) for the same
clients.
Title III consists of eight sections and mandates that senior executives take individual
responsibility for the accuracy and completeness of corporate financial reports. It defines
the interaction of external auditors and corporate audit committees, and specifies the
responsibility of corporate officers for the accuracy and validity of corporate financial
reports. It enumerates specific limits on the behaviors of corporate officers and describes
specific forfeitures of benefits and civil penalties for non-compliance.
Title V consists of only one section, which includes measures designed to help restore
investor confidence in the reporting of securities analysts. It defines the codes of conduct
for securities analysts and requires disclosure of knowable conflicts of interest.
Title VI consists of four sections and defines practices to restore investor confidence in
securities analysts. It also defines the SEC's authority to censure or bar securities
professionals from practice and defines conditions to bar a person from practicing as a
broker, advisor, or dealer.
Title VII consists of five sections and requires the Comptroller General and the Securities
and Exchange Commission (SEC) to perform various studies and report their findings.
Studies and reports include the effects of consolidation of public accounting firms, the
role of credit rating agencies in the operation of securities markets, securities violations,
and enforcement actions, and whether investment banks assisted Enron, Global Crossing,
and others to manipulate earnings and obfuscate true financial conditions.
Title VIII, also known as the "Corporate and Criminal Fraud Accountability Act of 2002,"
consists of seven sections. It describes specific criminal penalties for manipulation,
destruction, or alteration of financial records or other interference with investigations,
while providing certain protections for whistle-blowers.
Title IX, also known as the "White Collar Crime Penalty Enhancement Act of 2002,"
consists of six sections. This title increases the criminal penalties associated with white-
collar crimes and conspiracies. It recommends stronger sentencing guidelines and
specifically adds failure to certify corporate financial reports as a criminal offense.
Title X consists of one section and states that the Chief Executive Officer should sign the
company tax return.
Title XI consists of seven sections. Section 1101 recommends the following name for this
title: "Corporate Fraud Accountability Act of 2002." It identifies corporate fraud and
records tampering as criminal offenses and joins those offenses to specific penalties. It
also revises sentencing guidelines and strengthens their penalties. This enables the SEC to
temporarily freeze "large" or "unusual" transactions or payments.
Source: www.soxlaw.com
The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial
information between institutions and banks while making the rights of the
individual more specific through security requirements.
The Gramm-Leach-Bliley Act requires financial institutions - companies that offer consumers
financial products or services like loans, financial or investment advice, or insurance - to explain
their information-sharing practices to their customers and to safeguard sensitive data.
Source: https://www.ftc.gov
The DMCA is a United States copyright law that implements two 1996 treaties of the World
Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO
Performances and Phonograms Treaty. It defines legal prohibitions against circumvention of
technological protection measures employed by copyright owners to protect their works, and
against the removal or alteration of copyright management information in order to implement
US treaty obligations. The DMCA contains five titles:
Title I implements the WIPO treaties. First, it makes certain technical amendments to US
law, in order to provide appropriate references and links to the treaties. Second, it creates
two new prohibitions in Title 17 of the U.S. Code, one on circumvention of technological
measures used by copyright owners to protect their works and one on tampering with
copyright management information, and adds civil remedies and criminal penalties for
violating the prohibitions.
Title II of the DMCA adds a new section 512 to the Copyright Act to create four new
limitations on liability for copyright infringement by online service providers. The
limitations are based on the following four categories of conduct by a service provider:
• Transitory communications
• System caching
Title IV contains six miscellaneous provisions, where the first provision provides
clarification of the authority of the Copyright Office. The second provision grants
exemption for the making of "ephemeral recordings". The third provision promotes the
distance education study. The fourth provision provides exemption for Nonprofit Libraries
and Archives. The fifth provision allows Webcasting Amendments to the Digital
Performance Right in Sound Recordings, and the sixth provision addresses concerns about
the ability of writers, directors and screen actors to obtain residual payments for the
exploitation of motion pictures in situations in which the producer is no longer able to
make these payments.
FISMA, the Federal Information Security Management Act of 2002, led to the production of several key
security standards and guidelines required by Congressional legislation. It requires each federal
agency to develop, document, and implement an agency-wide program to provide information
security for the information and information systems that support the operations and assets of
the agency, including those provided or managed by another agency, contractor, or other
source.
Source: https://www.fincen.gov
The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States
and around the world, to enhance law enforcement investigatory tools, and other purposes,
some of which include:
• To require all appropriate elements of the financial services industry to report potential
money laundering
• To strengthen measures to prevent use of the U.S. financial system for personal gain by
corrupt foreign officials and facilitate repatriation of stolen assets to the citizens of
countries to whom such assets belong.
Source: https://www.gov.uk
The Data Protection Act controls how your personal information is used by organizations,
businesses or the government. Everyone responsible for using data has to follow strict rules
called 'data protection principles'. They must make sure the information is:
• accurate
• handled according to people's data protection rights
• kept safe and secure
• not transferred outside the European Economic Area without adequate protection
Freedom of Information Act (FOIA)
Source: http://www.foia.gov
The Freedom of Information Act (FOIA) has provided the public the right to request access to
records from any federal agency. It is often described as the law that keeps citizens in the know
about their government. Federal agencies are required to disclose any information requested
under the FOIA unless it falls under one of nine exemptions, which protect interests such as
personal privacy, national security, and law enforcement.
Source: https://it.ojp.gov
The Electronic Communications Privacy Act and the Stored Wire Electronic Communications Act
are commonly referred to together as the Electronic Communications Privacy Act (ECPA) of
1986. The ECPA updated the Federal Wiretap Act of 1968, which addressed interception of
conversations using "hard" telephone lines, but did not apply to interception of computer and
other digital and electronic communications. Several subsequent pieces of legislation, including
The USA PATRIOT Act, clarify and update the ECPA to keep pace with the evolution of new
communications technologies and methods, including easing restrictions on law enforcement
access to stored communications in some cases.
Source: http://www.legislation.gov.uk
An Act to amend the law relating to company auditors and accounts, to the provision that may
be made in respect of certain liabilities incurred by a company's officers, and to company
investigations; to make provision for community interest companies; and for connected
purposes.
Source: http://www.legislation.gov.uk
An Act to give further effect to rights and freedoms guaranteed under the European
Convention on Human Rights; to make provision with respect to holders of certain judicial
offices who become judges of the European Court of Human Rights; and for connected
purposes.
Source: http://www.legislation.gov.uk
An Act to make provision for the disclosure of information held by public authorities or by
persons providing services for them and to amend the Data Protection Act 1998 and the Public
Records Act 1958; and for connected purposes.
Source: https://ilt.eff.org
The Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, is an amendment made in 1986
to the Counterfeit Access Device and Abuse Act that was passed in 1984 and essentially states
that, whoever intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains information from any protected computer if the conduct involved
an interstate or foreign communication shall be punished under the Act. In 1996 the CFAA was,
again, broadened by an amendment that replaced the term "federal interest computer" with
the term "protected computer" (18 U.S.C. § 1030). While the CFAA is primarily a criminal law
intended to reduce the instances of malicious interference with computer systems and to
address federal computer offenses, an amendment in 1994 allows civil actions to be brought under
the statute, as well.
Section 107 of the Copyright Law mentions the doctrine of "fair use": http://www.copyright.gov
Online Copyright Infringement Liability Limitation Act
India:
The Patents (Amendment) Act, 1999; Trade Marks Act, 1999; The Copyright Act, 1957: http://www.ipindia.nic.in
Information Technology Act: http://www.dot.gov.in
• Security policies outline constraints using rules and regulations concerning every
aspect of an organization's network security
In this module, you have learned the various aspects of security policies such as the role of
security policies, their characteristics, policy content, policy statements, types of information
security policy, etc.
Through design considerations, the module also provided guidance on how to design a policy
statement for various types of security policies for your organization. The module also taught
you the various laws and standards that you may need to comply with.
Physical Security
Module 05
After network policy design and implementation, the next step is the physical security of the
network and its equipment. According to John Canavan, the first rule of security is to physically
safeguard the systems and networks. Organizations should consider placing appropriate
physical security controls to deal with unauthorized physical access, personal security threats,
and environmental threats. The administrator should ensure that all the physical security
measures are in place and working properly in order to keep the organization away from
physical security threats.
As stated in the HIPAA Security Rule, physical safeguards are "physical measures, policies, and
procedures to protect a covered entity's electronic information systems and related buildings
and equipment, from natural and environmental hazards, and unauthorized intrusion."
Physical Security deals with the security of physical devices, personnel, networks and data from
attacks. Any damage to the physical devices or the data may lead to the loss of information and
increased cost to the organization. The security of the data, networks and devices includes
protection from environmental and man-made threats. Organizations need to use appropriate
preventive measures to ensure physical security. The organization should consider all the ways
in which the physical security of their infrastructure and information systems may be affected.
This module discusses the various physical security controls, security measures, and best
practices to deal with physical security threats. It also helps you choose the best possible
physical security solution depending upon your organization's need. With this module, you will
be able to design a more robust physical security environment for your organization.
Physical security is an important part of the organization's information security program. In the
past, people would relate physical security with keys, locks, security personnel, gates, fencing,
etc. Now, the physical security paradigm has completely changed. Organizations need to
manage manpower, property and assets. It has become a critical task for organizations to
manage physical security of these assets. Everything such as planning the building layout,
purchase of equipment, manpower recruitment, natural disasters, power supply, temperature
control, etc., needs to be considered while designing physical security for an organization.
Every organization, whether it is a small, medium, large or multinational company gives utmost
importance to the security of information assets. Implementing security at each level has
become the primary function of an organization.
Physical security refers to protecting an organization's building and assets including software
and hardware from robbery, vandalism, natural disasters, climate changes, environmental
conditions, and man-made threats. Having strong multileveled security at appropriate places
will provide effective protection against a physical security breach. The first level of security
should effectively deal with external vehicles and control traffic outside the premises of the
organization. It should restrict outsiders or intruders from entering the premises without
permission, thereby minimizing the security risk to a great extent at the first level. The next level
of protection should control the vehicles, people and other related organizational assets from
internal and external entities. This level keeps the power supply system in a secure location
with appropriate measures such as fire extinguishers, backup systems, etc. The main building
will be separated from the parking lot; a well-equipped plumbing system should be in place with
proper ventilation, alarm system, etc. The next level is the most crucial part of physical security,
where managing the access of insiders (employees) and outsiders comes into play. At this level, if an
attacker gains access to physical assets, they can acquire sensitive information related to an
organization.
[Chart: Physical breaches accounted for 61% of all HIPAA violations for 2015. Breakdown: Physical Access Breach 34%, Physical Theft 27%, Hacking/IT Breach 23%, Other 13%. Source: http://www.alphaguardian.ne]
[Figure: OSI layers from Presentation (6) down to Physical (1): Presentation, Session, Transport, Network, Data Link, Physical. The traditional firewall is shown boxed around the layers above the physical layer, from Data Link (2) upward.]
Although cyber-attacks are becoming more complex, attackers are continuing to use various
techniques to compromise the physical security of an organization. Organizations are focusing
more on strengthening their IT security which overshadows the importance of physical security.
Physical security is the most-overlooked aspect of security and it has been brought to the
forefront of many organizations over the last five years. Knowing this fact, attackers are taking
advantage of loopholes to compromise the physical security of the organization. According to
data collected by the US Dept. of Health and Human Services Breach Portal, physical security
breaches were among the most frequently occurring security incidents in organizations
in 2015.
According to the findings of the fifth annual Horizon Business Continuity Institute (BCI) Scan
Report, physical security is now perceived as a growing concern for business continuity
professionals. According to this report, a degree of concern has been expressed concerning the
possibility of both an act of terrorism and a security incident such as vandalism, theft or fraud
disrupting their organization at some point.
Physical security is now perceived as a growing concern for business continuity professionals. That's according
to the findings of the fifth annual Horizon Scan Report published by the Business Continuity Institute in
association with the British Standards Institution (BSI).
Among the ranks of potential threats that today's organisations face, acts of terrorism gained six places, rising
from tenth in 2015 to fourth, while security incidents moved from sixth place to fifth.
Some 55% of respondents to the global BCI survey expressed a degree of concern about the possibility of both
an act of terrorism or a security incident such as vandalism, theft or fraud disrupting their organisation at some
point. That compares with 42% and 48% respectively for the previous year's study.
Physical security breaches are totally different from other security breaches. They can be
carried out with little to no technical knowledge. The real physical security concerns arise because
traditional security measures such as firewalls, IDS, etc., do not ensure physical security.
Deploying a firewall at various levels ensures security from different types of attacks but it does
not hold true with the physical security of the organization. The firewall has nothing to do with
physical security as traditional firewalls work above the physical layer of the OSI model.
Physical security cannot be dealt with in the same way as network, application, or database
security. Separate security measures are required to ensure physical security. Physical security
should be dealt with at the physical layer of the OSI model.
Source: http://thepaper.uk.com
Organizations are at risk with the following types of physical security threats:
Natural/Environmental Threats
• Floods: Floods commonly occur due to heavy rains or the melting of ice. Heavy rains
increase the level of water beyond the carrying capacity of a river and this results in a
flood. Floods may affect electrical systems and server rooms in an organization. Server
rooms located in the basement have a greater chance of getting affected by floods.
• Fires: Fires mainly occur due to short circuits or poor building materials. These may affect
the operational facility and computer rooms in an organization. Fires can completely
damage the hardware, cabling system, and other important components.
• Earthquakes: An earthquake is the sudden release of stored energy in the Earth's crust
that creates seismic waves. It disrupts the physical infrastructure in an organization. It
damages computers and other hardware devices and documents in the sensitive areas
inside an organization. It can affect the safety or security of the organization. Earthquakes
mainly affect the cabling, the wiring system and the physical building itself. Any damage in
the cabling system affects the working of the computer systems.
• Lightning and Thunder: Lightning and thunder occur due to environmental changes. It
necessitates the shutdown of all outdoor activities. Lightning and thunder lead to power
and voltage fluctuations that in turn affect the working of the system. It may affect
memory chips and other hardware components of the system. It may lead to a short
circuit in the cabling and other wiring systems, if they are not covered properly. The
information system may stop working with one strike. Lightning may damage all electrical
and electronic appliances and lead to the loss of all sensitive information.
• Temperature and Humidity: Computer systems operate within a range of
temperatures; outside that range they function in an inappropriate manner. Computer
systems do not tolerate hot areas. Computer systems may get damaged if the temperature
rises or drops by extreme amounts. Even though every computer system has a cooling
system, the performance of a computer still depends on the exterior temperature
conditions. Electrical and electronic appliances in an organization may be affected by
changes in humidity. High humidity leads to issues like corrosion and short circuits and
damages magnetic tapes and optical storage media. Low humidity affects electronic
devices mainly due to electrostatic discharge.
Man-made Threats
The biggest threat to physical components and the network is from man-made errors, both
intentional and unintentional. A wide range of possibilities include hackers/crackers, theft,
fire, and human error. Some examples of human error that may lead to man-made
threats are the unintentional pressing of a wrong button, unplugging the wrong device, etc.
Typical man-made threats include mechanical and electrical disturbance, pollution, radio frequency
interference, explosion, etc.
• Vandalism: Disgruntled employees or former employees may try to compromise the
system by willingly breaking or harming the system components. During civil unrest or a
disaster, there is a chance of the systems being mishandled.
• Device Loss: Unauthorized access may give way to the loss of important information and
devices. Device theft is a concern if not properly secured.
• Damage to Physical Devices: Improper maintenance activities, such as mishandling a
device or its information, not replacing damaged devices, or poor cabling, can
damage physical devices to a great extent.
• Theft: Lack of proper security and locks may result in equipment theft.
• Terrorism: Terrorist activities such as planting a vehicle bomb, human bomb, or postal
bomb in and around the organization's premises will impact physical security in many
ways.
• Unauthorized access to systems: Both internal users and external users can try to gain
unauthorized access to a system or information about the organization.
Physical access controls help organizations monitor, record, and control access to the
information assets and facility
Without proper security controls, it becomes quite difficult to have any physical security at all.
Physical security controls should be applied at various levels in order to create a robust physical
security environment. Based on the level at which the physical security controls are applied,
they are classified as:
Administrative Control
It includes the human factors for security controls. All levels of personnel should be involved in
building administrative controls. It is based on the resources and information each user has
access to. It involves management constraints, operational procedures, accountability
procedures, and acceptable level of protection for the information system. It is basically a
personnel-oriented technique implemented to control people's behavior.
Physical Control
Physical control deals with the prevention of damage to the physical systems in an organization.
It involves deterring or preventing unauthorized access to devices, the facility or other sensitive
areas. In addition, physical security controls are required to deal with physical threats such as
device loss/theft, and destruction or damage by accident, fire, or natural disaster.
Technical Control
Technical controls are also referred to as logical controls. They make use of technology to control access
to the physical assets or the facility of the organization. They are generally incorporated in the
computer hardware, software, operations or applications to control access to sensitive areas.
Location Considerations
Organizations should consider various factors that may affect physical security before planning
to buy or lease a building for an organization. It may include the facility location, neighboring
buildings, power and water supply, sewage systems, proximity to public and private roads,
transportation, emergency support, fire station, hospital, airport, local crime or rate of riots and
prior security incidents that happened in the surrounding area. The location should not be
prone to natural disasters such as floods, tornadoes, earthquakes, hurricanes, excessive snow
or rainfall, mudslides, fires etc.
The organization should consider the following points while designing the infrastructure and
architecture:
• Decide the number of entrances required for the building, including the main entrance,
staircase, parking, lift, hallway, and reception area.
• Find the neighboring facilities around your site location and check the internal and
external architecture for them. Talk to the supervisors or owners of the buildings to gain
additional insights about the surroundings.
• Analyze the assets that can be impacted by catastrophic failures and the visibility of assets
to outsiders
• Think about the joint tenancy factor, if the facility is shared with other companies and
their impact on your sensitive information and critical assets
• Identify the necessary critical infrastructure that is required for managing the physical
security, storing sensitive data and running business operations effectively.
These critical infrastructure systems may not use standard information technology (IT) for
safety, performance, and reliability but they are critical to business operations. An improper or
faulty implementation of certain physical measures such as electricity, backup, storage
facilities, lighting, wiring and cooling systems can be critical to the business operations of the
organization.
[Table: selecting a fire extinguisher by fire source. Suppressant columns: Water, Foam, Dry Chemical, Wet Chemical, Clean Agents and CO2, Special Chemicals. Fire source rows: Class A (ordinary solid combustibles), Class B (flammable liquids and gases), Class C (electrical equipment), Class D (combustible metals). Check marks in the original indicate which suppressants apply to each class.]
Fire is a risk that can occur with or without any warning, usually from man-made errors, short
circuits, or defective and faulty equipment. Fire protection is an important aspect of physical
security. Firefighting systems mainly deal with detecting fires and alerting the occupants to fire
incidents. Fire incidents may be identified either manually or automatically.
Certain active fire systems include water sprinklers, fire/smoke alarm systems, spray systems
and fire extinguishers. Fire/smoke alarms indicate the presence of any fire or smoke in the
building. Water sprinklers reduce the spread of the fire and fire extinguishers help put the fire
out. Water sprinklers fall under the category of automatic fire protection systems, whereas fire
extinguishers and standpipes fall under the category of manual fire protection systems.
• Smoke Detectors: Smoke detectors generally detect the presence of smoke and send
an alert about the suspected fire incident in an organization. Upon detection of
smoke, detectors send out an alarm to the fire alarm control panel or generate an
audio/visual alarm.
• Flame Detectors: Flame detectors mainly deal with the detection of flames in a fire
incident. Flame detectors normally include sensors which detect the existence of
flames. The working of a flame detector includes:
o Generating an alarm on flame detection.
o Cutting the supply of gas through the fuel line.
o Activating the fire suppression system.
Flame detectors work more efficiently and faster than smoke detectors and heat
detectors.
• Heat Detectors: Heat detectors are used to detect and respond to thermal energy
generated due to fire incidents. Heat detectors are further classified into: fixed
temperature heat detectors and rate-of-rise heat detectors.
• Fire Suppression: A fire suppression system is used to quench a fire without much
human interaction. Fire suppression systems limit destruction and device loss. A
fire suppression system can be classified as manual or automatic. Commonly used fire
suppression systems include:
• Fire Extinguisher: Fire extinguishers deal with extinguishing fires at the initial stage.
These may not be used in case of a fire covering a large area. A fire extinguisher
normally consists of an agent that is discharged, inside a cylindrical vessel. Fire
extinguisher systems need to be checked often in order to ensure they are working
properly in case of fire. Fire extinguishers are usually inspected yearly or bi-yearly by a
trained professional. They can also be recharged.
Dry chemicals, water, wet chemicals, water additives, clean agents and carbon dioxide
are used as agents in fire extinguisher systems. The table above (fire source versus
suppressant) provides details about selecting the proper extinguisher based on various types of fire sources:
• Standpipe System: Standpipe systems deal with the connection of hose lines to the
water supply. This provides a pre-piped water system for organizations and provides
water supply to hose lines in certain locations. Three types of standpipe systems
include: Class I - A, Class II - A, Class III - A. These types differ in accordance with the
thickness of the hose lines used and the volume of water that is used for fire
suppression.
• Sprinkler System: A fire sprinkler system maintains a water supply system in order to
supply water to a water distribution piping system that controls the sprinklers.
Sprinklers are used in order to avoid human and asset loss. These are mainly used in
areas where firefighters are not able to reach with their hose lines.
• Building additional floors and rooms in a building slows down the spread of the fire.
• Providing adequate training to the occupants regarding the procedures to follow when
a fire occurs.
• Detect fire.
• Notify the fire department and safety department regarding the fire.
• Close down all electrical and electronic systems in order to avoid the fire spreading.
Fences/Electric fences/Metal Rails: First line of defense to stop trespassers
Other Physical barriers: Include doors, windows, grills, glass, curtains, etc.
Many factors determine the physical security of an organization. All these factors are essential
and contribute to the successful operation of physical security in an organization. The main goal
of physical security relates to the control and prevention of unauthorized access, while physical
barriers restrict unauthorized people from entering the building. Physical barriers define the
physical boundary of your area and also divide vehicle traffic from pedestrians. Use of a
physical barrier deters and delays an outsider from entering the premises. An intruder or
outsider can compromise a barrier by spending time, money and planning, and by studying
the site architecture. In order to discourage these intruders, it is a good policy to use a
multilayer approach such as external barriers, middle barriers and internal barriers. External
barriers are fences, walls, etc.; although they are built to form a structure, they inadvertently
act as an obstruction. Middle barriers are equipment used to obstruct the traffic and people.
Internal barriers are doors, windows, grills, glass, curtains, etc.
• Bollards: A bollard is a short vertical post which controls and restricts motor vehicles
in parking areas, office entrances, etc. This facilitates the easy movement of people.
Bollards are mainly used at building entrances, in pedestrian areas and in areas that
require safety and security. They are effective in controlling pedestrian and vehicle
traffic in sensitive areas.
• Turnstiles: This type of physical barrier allows entry to only one person at a time. Entry
may be achieved only by the insertion of a coin, ticket or a pass. It allows the security
personnel to closely watch the people entering the organization and stop any suspicious
persons at the gate. However, the use of a turnstile can slow the evacuation of the
occupants in case of a fire emergency.
• Other Barriers: These include installing doors, windows, grills, glass and curtains to
limit access to certain areas.
• Doors: Doors can be used to control the access of users to a restricted area. Door
security may be increased with the installation of CCTV cameras, proper lighting
systems, locking technology, etc.
• Grills: Grills should be used with doors and windows for better security. Grills may be
used for internal as well as external security.
• Glass: Sliding glass doors and sliding glass windows provide a better level of physical
security.
People involved in physical security include guards, safety officer, plant's security
officer/supervisor, etc.
Security personnel should be aware of:
Security personnel/guards are hired to implement, monitor and maintain the physical security
of an organization. They are individuals who are responsible for developing, evaluating, and
implementing security functions such as installing security systems to protect sensitive
information from loss, theft, sabotage, misuse, and compromise. Hiring skilled and trained
security personnel can be an effective security measure for any organization. They play a crucial
role in physical security. Nevertheless, organizations often do not consider them a core
competency that they want to invest in as part of their strategic plan.
Organizations should hire security personnel by themselves and provide adequate training on
physical security or they can contact dedicated physical security service firms who handle
physical security for them. There are organizations that are dedicated to training security
officers, provide standardized procedures, and manage the security on a 24x7x365 schedule, by
sharing guards across different organizations.
• Chief Information Security Officer (CISO): In the past, it was commonplace for the CISO
of an organization to be an extremely technically competent individual who had held
various positions within an enterprise security function or may even have come from a
networking or systems background. Today, a CISO is required to be much more than
technically competent. The modern CISO must have a diversified set of skills in order to
successfully discharge their duties and establish the appropriate level of security and
security investment for their organization.
Continuous training for your security personnel will provide maximum benefits and an effective
team for your organization. Regardless of the position, security-related personnel should be
selected based upon experience and qualification required for the job. Executives should
thoroughly evaluate the personnel's past experiences and based upon this information provide
adequate training to fill the gap between ability and skills necessary for the job.
An organization should train newly hired security personnel in the following areas:
Note: You can also combine two or more authentication techniques (multi-factor authentication) for better access control
Access control restricts unauthorized access to the properties of an organization. The access
control mechanism uses various types of authentication to verify the user's identity with the
system.
The different types of access control authentication schemes are:
• Knowledge Factors: Authentication with the system is done with knowledge factors.
Users have to prove knowledge of a secret they hold to authenticate themselves with the
system. The user may hold secret knowledge, such as a unique password, passphrase,
personal identification number (PIN), challenge response, security question, etc.
• Ownership Factors: Ownership factors may also be described as "Something You Have".
Authentication with the system is done with these possession factors. Users have to prove
their identity to the system by using physical devices such as an ID card, smart/proximity
card, security token, mobile phone with a built-in hardware/software token, etc. The users
possess these physical devices to authenticate themselves with the system. It is always
recommended that two-factor authentication be used with physical devices in order to add
an extra layer of security.
• Inherence Factors: Authentication with the system is done with inherence factors. Users
prove their identity with the help of biometric data that they hold. Biometric data
depends on the behavioral and physiological characteristics of the user. The biometric
authentication scheme may include fingerprint verification, vein structure, retina
scanning, iris scans, facial/hand recognition, voice recognition, signature, etc.
Authentication Techniques: Knowledge Factors
(Screenshot: a CAPTCHA "Security Check" prompt asking the user to enter both words shown,
separated by a space, with "Can't read this? Try another" and "Try an audio captcha" links)
Password, passphrase or PIN based authentication offers an easy way of authenticating users.
Users have to supply their unique password, passphrase or PIN to authenticate with the system.
• Security Questions: Security questions are used as an extra step for authentication. These
are generally used by banks and wireless providers to reconfirm the identity of the user.
Security questions are generally implemented with "forgot password" features which
reconfirms or proves your identity.
Authentication Techniques: Ownership Factors
ID Card
Identity document (ID card) can be used to authenticate users with the system. It includes ID
cards such as a driver's license, photo ID card, passport, etc. Generally, an ID card is the same
size as a credit card.
Smart Card
A smart card is a credit card-sized plastic device that contains a silicon computer chip and
memory. It can store, process, and output data in a secure manner. It commonly stores
cryptographic keys, digital certificates, identification credentials, and other information. It
provides strong two-factor authentication when combined with a PIN. The International
Organization for Standardization (ISO) uses the term Integrated Circuit Card (ICC) instead of
smart card. The smart card has the dimensions 85.6 mm x 53.98 mm x 0.76 mm, which are the
same as ATM cards and credit cards. Smart cards can provide additional functionality such as
credential storage.
• Benefits of Smart Cards: There are many benefits of smart cards such as:
• Lower Administrative Costs: As there are fewer passwords in the network, the cost to
support and manage the system decreases.
• Reduce Losses and Liabilities: Security is increased as encryption and a strong two-
factor authentication protects the data.
• Increased Convenience: Smart cards are portable and simple to use. The convenient
factor for this system of authentication is high.
• Smart Card Uses: One of the important factors behind smart card use is the fact that
multiple applications are involved. A smart card provides portable secure storage for the
digital certificates. The smart card can also be used for many applications, such as:
• Authentication to website.
Proximity Cards
A proximity card is also similar in size to a credit card. Several companies use proximity cards
to control physical access. When using this card, the employee holds their card within a few
inches of the reader. The card reader receives a unique ID from the card and transmits it to the
central computer, which tells the reader whether or not to open the door.
Proximity cards are harder to duplicate, and access can be turned off with more control. Some
systems combine logical and physical access on the same card. Different techniques are used for
card sensing: an integrated circuit embedded in the card may generate a code magnetically or
electrostatically, or embedded circuits carrying the code may be tuned to varying resonant
frequencies. It is a best practice to place the company's logo and address on the keycard so
that if it is lost or stolen, it can be returned.
Security Token
Security tokens are generally used for verifying the identity of a user by means of electronic
devices. Users may store cryptographic keys like digital signatures, biometric data etc. as a
security token. Tokens consist of secret information that verifies the identity of the user. The
information may be stored using the following tokens:
• Static Password Token: Contains hidden information that is available during each
authentication step
• Synchronous Dynamic Password Token: Uses a cryptographic algorithm that uses a
synchronized clock between the token and the authentication server
• Asynchronous Token: Generates a one-time password using a cryptographic algorithm
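The three token types above differ only in where the value fed into the cryptographic algorithm comes from: a shared clock (synchronous dynamic), an event counter, or a challenge sent by the server. The following example was added to this page and is not EC-Council courseware code; it implements HOTP (RFC 4226, counter based) and TOTP (RFC 6238, clock based) and a simplified challenge-response construction for the asynchronous case, together with the server-side checks a defender actually cares about (a drift window, a look-ahead window with counter advance to block replay, and constant-time comparison). The secret is the RFC test-vector key, used only so the output can be checked against the published vectors.

```python
# Added example (not EC-Council courseware code): how the three token types
# listed above derive and verify their one-time passwords.  HOTP (counter
# based) and TOTP (clock based) follow RFC 4226 and RFC 6238; the
# challenge-response variant is a simplified illustration of an asynchronous
# token, not a standard.  TEST_SECRET is the RFC test-vector key.
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test-vector secret
TIME_STEP = 30                          # seconds per TOTP interval


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at an offset
    given by the last nibble of the MAC, clear the sign bit, keep `digits`."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event/counter-based OTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """Synchronous dynamic token: the counter is the number of elapsed time
    steps, so token and server compute the same code from their shared clock."""
    return hotp(secret, unix_time // step, digits)


def current_totp(secret: bytes) -> str:
    """What a soft token would display right now, using the local clock."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check with a +/- skew window to tolerate clock drift.
    hmac.compare_digest keeps the comparison constant-time."""
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + delta * TIME_STEP), submitted):
            return True
    return False


def verify_hotp(secret: bytes, submitted: str, server_counter: int, look_ahead: int = 5):
    """Counter-based check.  The token button may have been pressed without the
    code reaching the server, so the server searches a look-ahead window; on
    success it moves its counter past the used value so the same code cannot
    be accepted twice.  Returns (accepted, new_server_counter)."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c + 1
    return False, server_counter


def challenge_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Asynchronous token: the server issues a fresh random challenge and the
    token answers with a code derived from it, so no clock or counter has to
    stay in sync between the two sides."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return _truncate(mac, digits)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))            # RFC 4226: 755224
    print("TOTP at t=59  :", totp(TEST_SECRET, 59, digits=8))  # RFC 6238: 94287082
    print("Current TOTP  :", current_totp(TEST_SECRET))
```

The verification functions are the part worth copying: a server that compares codes with `==`, accepts any code in the drift window more than once, or never advances the HOTP counter turns a one-time password back into a reusable one.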
Authentication Techniques: Biometric Factors
Fingerprinting
Fingerprint verification or scanning is a popular biometric authentication technology used for
authenticating individuals. In fingerprint verification, an individual's fingerprint image is
captured at enrollment and a record derived from it is stored in a database. The identity of the
user is confirmed by comparing a fresh scan with the stored record; if it matches, authentication
succeeds. Biometric fingerprint scanning systems do not store the full image of the fingerprint
in the database; a small template created from the fingerprint is stored instead.
Fingerprint scanning devices come in different packages, ranging from a stand-alone device for a
desktop PC to small portable devices for laptop computers, built-in keyboards and built-in mice.
Retinal Scanning
It is another method of biometric authentication where authentication is based on a retinal
scan of the individual. The retina is a part of the human eye and holds different
characteristics for each person; even identical twins have different retinal patterns. The
retina is a thin layer of nerves (about 1/50th of an inch, or 0.5 mm, thick) found on the back
of the eye. As a part of the eye, the retina transmits impulses through the optic nerve to the
brain.
Retina scanning is difficult compared to other scans in biometric technology. To present the raw
biometric data, users must move their head into position with their eye very close (less than an
inch) to the scanner for it to read the retina through the pupil. During the scan process, the
user focuses on a green light in the scanner. Once the template has been generated, it provides
excellent matching.
Iris Scanning
Each individual has a unique iris pattern, just as with the retina. Irises differ in structures
such as ligaments, furrows, striations, ridges, and zigzags. Iridian technology measures 247
independent variables in an iris.
Iris scanning is the process of taking images of an iris and creating biometric templates used
in matching functions. Similar to fingerprinting, it requires a device to capture the image and
software to process the image. The iris scanning device uses a camera, either a still or a video
camera, to capture the iris information. The camera captures a high-resolution image of the iris
and the device then locates the border between the pupil and the iris. The device then converts
the data to a grayscale image. This grayscale image identifies the unique features of the iris.
For vein structure recognition, users place the palm, the back of the hand or the wrist on the
scanner. The scanner takes a picture of the part placed on it using infrared light. Hemoglobin
absorbs infrared light, which highlights the veins in the picture. A reference template is
created according to the shape and location of the vein structure.
• Size of eyes
• Jaw line
The facial scanning process starts with the acquisition of an image of a human face. This
image can be acquired by using any imaging source, static cameras or video cameras, both
analog and digital. After capturing the isolated facial image, the system will create a face
print of that image. The face print is the template for the system. This is the process of
translating the facial image into unique code or a data set that can represent the facial
image.
Voice Recognition
Human voice scanning and recognition is another method of biometric authentication where a
user's voice is recorded using voice recognition software, which performs a matching function to
identify the individual. It is based on identifying unique characteristics of the human voice.
This system uses voice recognition software to allow users to interact with the computer by
issuing commands verbally instead of using an input device such as a mouse. Any microphone,
landline telephone, cellular telephone, or other device can be used to capture the human voice.
Types of Locks
• Mechanical locks: Use a combination of springs, tumblers, levers, and latches, and operate
by means of physical keys
• Digital locks: Require a fingerprint, smart card or PIN authentication to unlock
• Combination locks: Require a sequence of numbers or symbols to unlock
• Electronic / Electric / Electromagnetic locks: Use magnets, solenoids and motors to operate
by supplying or removing power
Various types of locking systems are available to improve the restriction of unauthorized
physical access. The organization should select an appropriate locking system according to its
security requirements.
• Warded Lock: Contains a spring-loaded bolt attached to a notch. A key inserted into
the notch moves the bolt backward and forward. Only the correct key can be inserted
into the notch; the wards block a wrong key.
• Tumbler Lock: Consists of pieces of metal inside a slot in the bolt that prevent the
bolt from moving. A correct key contains grooves that allow the bolt to move by
raising the metal pieces above the bolt. It is further classified into Pin Tumbler, Disk
Tumbler and Lever Tumbler locks.
• Digital Locks: Digital locks use a fingerprint, smart card or a PIN on the keypad to unlock.
They are easy to handle and do not require keys, so there is no chance of forgetting or
losing keys. They provide automatic locking for doors. The user only has to present their
fingerprint, swipe the smart card or enter the PIN to unlock.
• Combination Locks: These use a combination of numbers and letters. The user needs to
provide the combination to open the lock. Users may enter the combination sequence
either through a keypad or by using a rotating dial that interacts with several other
rotating discs. Combination locks do not use keys.
Contraband includes materials that are banned from entering the environment such as explosives, bombs,
weapons, etc.
Use different tools such as hand held metal detectors, walkthrough metal detectors, X-ray inspection
systems, etc. to detect contraband materials
Walkthrough metal detectors are mainly used in airport terminals, schools, sports stadiums, etc.
They are used to screen people admitted to certain areas. The walkthrough detectors should be
maintained and properly monitored, and should be deployed at each entry point of the
organization.
Handheld metal detectors allow people to be screened more closely and detect any suspected
items. Handheld detectors are used in all places where the walkthrough detectors are used.
X-ray inspection systems are easy to handle and use. They use X-rays instead of visible light to
screen objects.
A mantrap is another type of physical access security control which is used for catching
trespassers. It is most widely used to separate non-secure areas from secure areas and
prevent unauthorized access. It is a mechanical locking mechanism comprising a small space
with two sets of interlocking doors. The first set of doors must close before the second set
opens. User authentication at mantrap doors is performed using smart cards, keypad/PIN or
biometric verification. The closing and opening of doors is handled automatically or by
security guards.
• Step 4: The second door opens with the person walking out of the room. The first door
gets automatically locked soon after the second door opens.
• Step 5: The second door gets into locked state soon after the person walks out the second
door.
Security labels are used to mark the security level requirements for the information assets and
control access to them. Organizations use security labels to manage access clearance to their
information assets.
Security label scheme: Unclassified, Restricted, Confidential, Secret, Top Secret
Warning signs are used to ensure someone does not inadvertently intrude into any restricted
areas. Appropriate warning signs should be placed at each access control point.
(Sign shown: RESTRICTED AREA / AUTHORIZED PERSONNEL ONLY)
Security labels are used to restrict access to information in high and low security areas as a
part of mandatory access control decisions. This makes it easy for users with and without
permission to understand what they may access, and makes it easy to clear a large group of
users. A label defines the sensitivity of the data or object and the authorization required for
accessing it. It provides a list of users who can access the document or device and enables the
user to understand the documents that they can access.
Security labels are categorized into different types based on who can access the data or object.
• Restricted: Only a few people can access the data or object. Sensitive data may be
restricted for use in an organization due to technical, business or personal concerns.
• Confidential: Exposure of confidential data or objects may lead to financial or legal issues
for an organization. Documents may be highly confidential or just confidential. Revealing
this data, whether it is confidential or highly confidential, will lead to the loss of
critical information.
• Secret: Users authorized to access secret files may access secret, confidential, restricted
and unclassified data. Users cannot access documents or objects labelled as top secret as
it requires a higher clearance level.
• Top Secret: Users accessing top secret documents may access top secret, secret,
confidential, restricted and unclassified data.
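The Secret and Top Secret bullets describe an ordering: a clearance may read any label at or below its own level, never above it. The reference monitor below is an added example for this page, not EC-Council code; it encodes the page's five labels, applies that "no read up" rule, denies anything with an unknown label (fail closed), and logs every decision. Its write rule ("no write down", so a Secret-cleared user cannot copy Secret content into a Restricted document) goes beyond what the page states; it is the standard companion rule from the Bell-LaPadula model and is included as an assumption. Subject and object names are constructed.

```python
# Added example (not EC-Council code): a minimal reference monitor over the
# label scheme above (Unclassified < Restricted < Confidential < Secret <
# Top Secret).  Reads require the subject's clearance to dominate the object's
# label ("no read up").  The write rule ("no write down") is an assumption
# beyond the page, taken from Bell-LaPadula.  Names are constructed demo data.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(clearance: str, label: str) -> bool:
    """True when `clearance` is at or above `label` in the ordering."""
    return RANK[clearance] >= RANK[label]


def readable_levels(clearance: str) -> list:
    """Every label a subject with this clearance may read, lowest first."""
    return [lvl for lvl in LEVELS if dominates(clearance, lvl)]


class ReferenceMonitor:
    def __init__(self, clearances: dict, labels: dict):
        self.clearances = clearances   # subject -> clearance level
        self.labels = labels           # object  -> security label
        self.audit = []                # granted and denied decisions

    def _decide(self, subject: str, obj: str, op: str, allowed: bool) -> bool:
        verdict = "GRANT" if allowed else "DENY"
        self.audit.append(f"{verdict} {op} {subject} -> {obj}")
        return allowed

    def can_read(self, subject: str, obj: str) -> bool:
        """No read up: clearance must dominate the object's label."""
        try:
            allowed = dominates(self.clearances[subject], self.labels[obj])
        except KeyError:          # unknown subject or unlabelled/odd label: fail closed
            allowed = False
        return self._decide(subject, obj, "read", allowed)

    def can_write(self, subject: str, obj: str) -> bool:
        """No write down (assumption beyond the page): the object's label must
        dominate the subject's clearance, so higher content cannot leak lower."""
        try:
            allowed = dominates(self.labels[obj], self.clearances[subject])
        except KeyError:
            allowed = False
        return self._decide(subject, obj, "write", allowed)

    def accessible(self, subject: str) -> list:
        """Objects the subject may read (no audit entries written)."""
        clearance = self.clearances.get(subject)
        if clearance is None:
            return []
        return sorted(obj for obj, lbl in self.labels.items()
                      if lbl in RANK and dominates(clearance, lbl))


# Constructed demo data.
DEMO_CLEARANCES = {"alice": "Top Secret", "bob": "Secret", "carol": "Restricted"}
DEMO_LABELS = {
    "site-map.pdf": "Unclassified",
    "vendor-contract.docx": "Restricted",
    "payroll.xlsx": "Confidential",
    "incident-report.txt": "Secret",
    "merger-plan.pptx": "Top Secret",
    "scratch.txt": "Unknown",   # mislabelled object: must be denied to everyone
}


def demo_monitor() -> ReferenceMonitor:
    return ReferenceMonitor(DEMO_CLEARANCES, DEMO_LABELS)
```

The mislabelled object is the edge case worth keeping in mind: a label outside the scheme should never be treated as "lowest", and the audit trail is what lets a reviewer later confirm that denials happened for the right reason.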
Warning signs are generally used in order to restrict any unauthorized access in an organization.
Warning signs are placed at entrance points, boundaries of the premises and sensitive areas.
Warning signs should be visible so that people understand which prohibited areas they should
not enter. Warning signs also help organizations keep large numbers of people from entering
sensitive areas. Warning signs are generally placed at all sensitive areas where there could be
a threat of damage to or disruption of information, assets, or life. For example, a typical
warning sign is placed on an electric fence, which may pose a threat to life when someone
touches it unknowingly. Typical warning signs are RESTRICTED AREA, WARNING, CAUTION, DANGER,
BEWARE, etc.
Proper alarm systems should be installed inside and at the entrance to report
intrusions, suspicious activity, and emergencies
Alarms are used to draw attention when there is a breach or during an attempted breach.
Alarms can take different forms depending on the facility, such as sirens, flashing lights with
sound, email, and/or voice alerts. The organization should divide large facilities such as
buildings, floors, sections, and offices into small security zones and, depending on their
significance, place the appropriate alarm system. Security zones that store high priority data
are given multilevel security, such as restricting access with access control devices,
biometrics, surveillance, locks and alarms to draw attention in the event of an intrusion.
Organizations should have proper power backup for alarm systems so that they work in
emergencies and also during a power shutdown. All wiring and components of an alarm should
be protected from tampering, and the alarm box should be concealed and secured with proper
locks and limited access.
CCTV systems can be programmed to capture motion and trigger alarms if an intrusion or
movement is detected
Pan/tilt/zoom CCTV cameras are recommended for a closer look of suspicious objects
Surveillance systems should be installed at strategic locations in and around the premises such as
parking lots, reception, lobby, work area, server rooms, and areas having output devices such as
printers, scanners, fax machine, etc.
Establish procedures and guidelines for storage, retention, and disposal of CCTV recordings
Basic Types of CCTV Camera
• Install surveillance systems at the parking lot, reception, lobby, and workstation.
• Place output devices such as printers, scanners, fax machine, etc., in public view under
surveillance.
• Integrate surveillance with an alarm system.
• Establish a procedure for the amount of time the recorded video should be kept and then
later disposed.
• Bullet CCTV: It is used for indoor and outdoor surveillance. These are generally placed in
protective covers that protect them from dust, rain or any other disturbances. A bullet CCTV
camera normally has a long, cylindrical and tapered shape that facilitates long distance
surveillance.
• C-Mount CCTV Camera: It has detachable lenses, which provide surveillance for more than
40 ft. Other CCTV camera lenses provide only 35 - 40 ft coverage. C-Mount allows different
lenses to be used according to the distance to be covered.
FIGURE 5.9: C-Mount CCTV Camera
• Day/Night CCTV Camera: It is commonly used for outdoor surveillance. It can capture
images even in low light and darkness. These types of camera do not require infrared
illuminators in order to capture images. They can capture clear images during glare,
direct sunlight, reflections, etc.
• Infrared Night Vision CCTV Camera: It is commonly used for outdoor surveillance and can
capture images in complete darkness. Infrared LEDs can be used for areas with poor
lighting.
• Network/IP CCTV Camera: It comes in wired and wireless models. It allows sending
images over the internet. It is easier to install a wireless IP camera than a wired camera
as it does not require any cabling.
• Wireless CCTV Camera: Wireless CCTV cameras are easier to install and use different
modes of wireless transmission.
FIGURE 5.13: Wireless CCTV Camera
Organizations should enforce required physical security policies and procedures for effective
physical security management. Physical security policies may differ from one organization to
another.
• Typical physical security policies may include:
• Roles and Responsibilities of the Staff: It explains the roles clearly and the
responsibilities of every person associated with the facility. It also identifies how they
should perform their duties in order to maintain the security posture of the
organization.
• Intrusion incident reporting: It includes steps and procedures to adopt when an event
is found or has occurred.
► Continuous
► Standby
► Movable
► Emergency
Security lighting is an important aspect of physical security of a facility. If the organization has
not implemented an adequate lighting system in and around the organization, it can drastically
degrade the function or performance of all other security measures. For example, if the
organization does not have lighting at rear corners, near bushes, plants, parking, and near
surveillance cameras, then it is difficult to find people or objects hidden in these locations.
With poor lighting, it will be difficult to identify people entering the premises, as an intruder
may act as an employee or use tricks to circumvent the security. Lighting systems in a location
depend on its layout and sensitivity.
• Continuous Lighting: Fixed sets of lights arranged so they provide continuous lighting to a
large area throughout the night.
• Standby Lighting: Used whenever any suspicious activity is detected by security personnel
or by an alarm system. These operate either manually or automatically.
• Movable Lighting: Manually controlled lighting that provides illumination at night or only
when needed. Normally used as an extension of a continuous or standby lighting system.
• Emergency Lighting: Used mainly during power failures or if other normal lighting systems
do not operate properly.
• Line Interactive: Most commonly used for small business, web, and departmental servers
• Delta Conversion On-Line: Can be useful where complete isolation and/or direct connectivity
is required
Facilities may suffer blackouts or power outages that could make the systems inoperable unless
appropriate alternative power management capabilities are kept in place. Power outages could
impact the ability to provide information technology as expected and also in maintaining
physical security. Power spikes, surges, or blackouts could result in too much or not enough
power and could damage equipment.
Consider the following security measures to deal with blackouts or power outages:
An Uninterruptible Power Supply (UPS) allows computers to function properly during a power
failure. It protects the computers during fluctuations in the power supply as well. A UPS
contains a battery and senses power fluctuations in the primary supply. Users need to save all
their data when the UPS signals a power fluctuation. The operator needs to define measures
which must be followed at the time of power loss. A UPS is commonly used to protect
computers, data centers, telecommunication equipment, etc.
• Line Interactive: Line interactive UPSs mainly deal with correcting continuous power
fluctuations. This type of power supply needs very little battery usage.
• Standby On-line hybrid: These are mainly used to supply power below 10 kVA. The load is
connected to the battery during a power failure.
• Standby Ferro: A ferroresonant transformer is used for filtering the output. Standby
Ferro provides ample time for switching from mains power to battery power.
• Double conversion on-line: It is used to supply power above 10 kVA. It provides an ideal
electrical output, but the constant wear on the power components reduces its
dependability. It exhibits a transfer time only under a large load current.
• Delta conversion on-line: It contains an inverter that supplies the load voltage. It is
available in a range between 5 kVA and 1 MW. It controls the input power performance and
the charging of the UPS battery.
Workplace Security:
Reception Area
The reception area is always the initial point of contact between an unknown visitor and the
organization. The reception area can be vulnerable to physical security breaches as it provides
easy access to strangers. Organizations often have regular visits from clients, the general
public, invitees, etc., and require staff to greet, assist and direct them. Receptionists should
be able to recognize or identify any unusual behavior, including solicitors and peddlers, charity
organizations, ex-employees, etc. The reception personnel should maintain eye contact and a
non-confrontational facial expression and posture while meeting people. They should be proficient
enough to handle emergency situations and follow procedures to call for immediate attention:
alarm, radio, first aid, etc.
The reception area should be small in size. This makes it easier to closely monitor visitors and
the reception area itself. Reception personnel should observe people entering the company.
They should notice and record odd behavior by any strangers. There should be certain
benchmarks for judging people arriving at the organization. Their intentions have to be noted,
whether a person is searching for someone or for something.
Keep the server room and backup devices under video surveillance
The organization should consider the physical security of their critical servers and backup
devices. Physical access to these devices should be restricted. Only approved personnel should
have access to these devices.
Typical physical security measures for server and backup devices are:
• Keep the server and backup devices in a separate room. This reduces the accessibility of
these devices from the public and unknown people.
• Deploy CCTV, smart card and biometric authentication to track and monitor unauthorized
physical access to the server and backup devices.
• Use rack mount servers. This restricts attackers from stealing or damaging the servers.
• The server should be attached to a UPS so that it protects the server from file damage or
corruption due to temporary power loss.
• Backup devices should be stored at off-site locations and ensure that they are secured.
• Do not encourage employees to take backup on CD, DVD, USB, or external hard disks.
Ensure the backups are locked up at all times in a drawer, safe or separate room.
• Do not allow employees to leave an area carrying a backup device with them. Use motion
sensing alarms to detect movement of any backup device.
• Restrict the use of removable devices such as DVDs, USB pen drives, SD cards, mobile
phones, cameras, etc.
• Design and implement acceptable-use policies to manage the use of removable devices
• Implement a regular inventory review of removable devices
• Consider using corporate-controlled locked-down devices instead of implementing a
bring-your-own-device (BYOD) policy
The organization should always pay attention to their server and backup storage device
security. At the same time, they should not ignore the security of their other critical assets such
as workstations, routers and switches, printers, other network equipment, removable devices,
etc. The organization should employ all the physical security measures of server/backup devices
to critical assets and removable devices.
• Workstations: Workstations at unoccupied desks, empty offices, receptionist's desk, etc.
are more vulnerable to physical security breaches. Disconnect or remove such unoccupied
workstations or otherwise lock the doors to the room where the workstation is located.
• Routers and Switches: Keep these critical network devices in a locked room.
• Printers: Like servers and workstations, printers can store important information; they
should be bolted down and located in separate places.
• Removable Devices: Portable removable devices such as laptops, handheld computers,
mobile devices, SD cards, USB, Bluetooth etc. can pose physical security risks. Keep these
devices in a drawer, a safe or permanently attach a cable lock.
Workplace Security:
Securing Network Cables
• Lay network wiring separate from all other wiring for easy maintenance, monitoring, and to
prevent electronic interference
Network cable security is often overlooked as an aspect of physical security. The organization
should consider the importance of cable security before planning and installing any cabling.
Network cabling should be neat and well organized; if it is not, an organization can suffer from
unplanned downtime. With flawed or insecure network cabling, an attacker can easily access
sensitive information, bypassing other security controls. Wiretapping, physical damage and theft
are the risks associated with network cabling.
The twisting of the pairs reduces crosstalk and interference between pairs of wires. UTP cable
is prone to wiretapping; an attacker can easily tap the information flowing through the cables.
• Advantages:
o Easy to install.
o Suitable for domestic and office Ethernet connections.
• Disadvantages:
In STP cable, each pair of wires is individually shielded with foil. It is less susceptible to
external interference as the shielding absorbs EMI and RFI signals.
• Advantages:
• Disadvantages:
• Advantages:
o No crosstalk.
• Disadvantages:
Coaxial cable is made up of a single copper conductor at its center. A plastic layer insulates the
center conductor from a braided metal shield. The metal shield prevents
interference from fluorescent lights, motors, etc.
• Advantages:
o Moisture resistant.
• Disadvantages:
• Use cables and locks to safeguard laptops
• Do not leave your device unattended in public places
• Encrypt hard drives to make it impossible to access files when the device is lost or stolen
• Label the device or attach a sticker with the name and contact details so the device can be returned if lost
• Install anti-theft software that can remotely lock and track devices using a data connection
• Enable the lockout option so the device will lock when consecutive unsuccessful attempts to login are made
• Install device tracking software that can assist in recovering stolen/lost devices
• Use a docking station that permanently affixes the laptop to the desktop and also locks the laptop securely at one place
• Enable or install a remote wipe feature to erase data stored in devices
• Use security gadgets like motion detectors and alarms to alert when the laptop is moved without authorization
• Do not lend your device to third parties
The use of portable mobile devices in an organization has risen over the past few years. The risk
of physical security threats to these devices has also increased. These devices are often
vulnerable to physical threats such as theft, loss, damage, resale, etc. The organization should
take proper care to deal with any security incidents related to these devices.
• Apply all security measures common for these network devices such as servers, backup
devices, portable devices, etc.
• Physically secure the mobile device location.
• Apply proper access control procedures for these devices.
Consider and implement personnel security measures starting from the selection and
hiring of staff or contractors to relieving them of their duties.
• Hire employees after a thorough identity verification and background check
• Contractors should be hired with the same due diligence as in-house employees
• Sign an NDA with employees and contractors
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
• Perform background checks covering criminal history, financial screening, education, past
experience, and other certifications.
• Provide an orientation session for new employees and explain the company's background.
• Hold employees accountable for every action performed and take disciplinary actions
against those who oppose or neglect the security policies.
• All physical security practices for employees also apply to contractors. In addition, the
organization should:
• Make sure only contractors with proper clearance level have access to sensitive
information.
• Contractors should have an office identity card with their photo and personal details.
It may even have an expiration date.
• All contractors should carry their ID cards when they work on the floor. Contractors
must exhibit their ID cards clearly to the security officer. Contractors should submit
their ID cards when they are terminated by the office and also submit their ID card
when they resign.
• An employee has to submit their resignation and/or retirement letter to the department
head with a copy going to the HR (Human Resource) department. The department head
will forward the resignation letter to the central leave coordinator to relieve the
employee from their responsibilities.
• After receiving the resignation letter from the employee, the department head will
provide the last working day for the employee.
• An employee should fill out the clearance form and have a meeting with the central leave
coordinator of the HR department who will provide a plan for the last working days of the
employee.
• After having a chat with the employee, the HR department will send a notice to obtain
clearance from all departments specified in the clearance form.
• After receiving the notice from the HR department, all departments will send the
certificates to the central leave coordinator, within two days.
• The employee should inform the central leave coordinator on their last day, so the
employee can complete the clearance process.
• After verifying all the clearance certificates from all departments, the central leave
coordinator will clear the employee through the clearance form.
• After getting all the clearance certificates, the central leave coordinator will provide the
employee with the following forms:
• Insurance form.
• The central leave coordinator will sign the clearance form, which depends on the
clearance certificates received from all the departments.
EXO5 (http://www.exo5.com)
Features:
• Provides asset inventory, geolocation, and command execution in real-time
• Uses Wi-Fi and cellular triangulation, GPS, MAC address correlation, Google Maps, and IP address databases to locate assets
EXO5 helps you track and locate laptops, smartphones and tablets across your organization in
real-time.
Features:
• Real-time Agent: The EXO5 agent uses a persistent and secure connection to provide
asset inventory, geolocation and command execution in real-time. Information is always
up-to-date, which is critical in developing a theft scenario.
• Ultra-accurate Location: EXO5 uses multiple methods to locate assets to provide the best
location accuracy worldwide, including Wi-Fi and cellular triangulation, GPS, MAC address
correlation, and IP address databases from multiple providers.
FIGURE 5.14: EXO5 Maps
• Dynamic Maps: Use the Google Maps interface to quickly locate assets, or the real-time
LiveMap and Google Earth display for a commanding view of your entire organization.
Source: https://www.exo5.com
Ztrace Gold
Source: http://www.ztrace.com
ZTRACE GOLD is an invisible software security application that traces the location of missing
laptops for recovery. It is undetectable and cannot be removed from a laptop hard drive.
Prey
Source: http://preyproject.com
It is tracking software that helps users find, lock and recover their computer, tablet or
smartphone when stolen or missing.
Source: http://flamory.com
Snuko Anti-Theft and Flamory help you to track your Android device when it is lost or stolen.
You can remotely activate geolocation tracking, data encryption, data backup and device lock
down to protect against unauthorized use.
Laptopcop
Source: https://awarenesstechnologies.com
LAPTOP COP allows you to identify, track, and control who accesses data on a stolen laptop,
what data is accessed, and what can and cannot be done with that data.
GadgetTrak
Source: http://www.gadgettrak.com
GadgetTrak provides mobile security software for a range of mobile devices including mobile
phones, laptops, flash drives, external hard drives and more. It helps you in finding your lost or
stolen laptop.
LoJack
Source: http://www.lojack.com
LoJack allows you to track, manage, secure and recover mobile computers. It has remote data
and device security to prevent use of a lost laptop, protect privacy remotely, and map a
laptop's location.
Adeona
Source: http://adeona.cs.washington.edu
Adeona allows you to track the location of your lost or stolen laptop without relying on a
proprietary central service.
TrackMyLaptop
Source: http://trackmylaptop.net
MyLaptopTracker
Source: http://www.mydevicetracker.com
My Laptop Tracker can track down your stolen or lost laptop within minutes.
Source: http://www.unistal.com
Locate Laptop protects your laptop from being stolen. It is used to locate and recover lost or
stolen laptops.
• Continuous power consumption/supply makes data centers, hardware, and equipment become hot very quickly
• Improper equipment placement can increase the risk of fire
• HVAC (Heating, Ventilation, and Air Conditioning) systems control the surrounding environment in a room or building, especially humidity, temperature, and air flow
• Consider various factors and components such as hardware, cabling, fire protection, and power supply, etc. before installing the HVAC equipment
• Maintain baseline temperature and humidity levels to keep equipment working reliably
• Continuous monitoring of equipment that emits hot or cold air is necessary
• Furnaces, a fan or evaporator coil: Converts the refrigerant and circulates the air.
• Refrigerant tubing and wires: Connects outdoor unit to the fan coil.
• Packaged Products: A heat pump or an air conditioner combined with a fan coil or an
evaporator coil in a single unit.
• High levels of disturbance can cause severe damage such as shaky monitors,
system failures, unexplained shutdowns, etc.
Electromagnetic radiation emitted from different electronic devices interferes with surrounding
devices and causes a problem with their functions. EMI shielding is the practice of coating the
electronic equipment with metals so the electromagnetic waves do not interfere with other
devices or block the field with certain materials. EMI shields separate one part of the
equipment from another.
Shielding uses materials such as metals or metal foams. An electric field produces a charge on
the conducting material applying an electromagnetic field on a conductor. The conductor
produces another charge which cancels the effect of the externally applied electric charge on it.
This causes no change in the conducting material. When the electric field is applied to the
material, it produces eddy currents (currents that flow within a material in closed loops). These
currents cancel the effect of the magnetic field. In this way the shielded material has no outside
effects or disturbances on it.
As organizations use heavy equipment, electronic hardware interference becomes a
problem and EMI shielding is needed for all devices in these types of environments. Many
industries, such as telecommunications, hospitals, etc., prefer to use EMI shielding.
Environmental Controls:
Hot and Cold Aisles
• Cold aisles typically face air conditioner output ducts and hot aisles should face air conditioner input ducts
• It saves the hardware from humidity and heat, increases hardware performance and maintains consistent room temperature
It is a systematic arrangement of equipment to maintain air flow and to save energy. Many
organizations follow hot and cold aisle alignment, mostly used in server rooms, data centers,
etc. where heavy electronic equipment comes into use.
In the rack of heavy equipment or servers they are arranged so the front of them faces the cold
air coming from the air conditioners. The backs of the equipment face the back of the next rack
of equipment. This goes on for all the equipment in the room. This arrangement pushes the hot
air coming from the back of the equipment to one end of the room. The cooling conditions are
kept so that the hot air coming out of the equipment is sucked out and does not mix with the
cool air inside the room. Place the cooling system below the room or above the room
depending on the convenience.
• Easy to implement as it does not require any supplementary architecture to give out
air.
• Less expensive.
• Can easily fit into an existing data center with issues like power, network distribution
etc.
• Disadvantages:
• Most of the cold aisles have ceilings immediately above the aisle affecting fire and
lighting design.
• Air leaked from the raised floors and openings under the equipment enters the air
paths to the cooling units. This affects the efficiency of the system.
• Leakage from the raised floor openings are passed over to the cold space.
• More effective.
• Works well in a slab environment by supplying an adequate volume of air and covering
the exhaust air.
• Always requires an additional space for the flow of air from the hot aisle to the cooling
unit.
• Very expensive.
Physical Security:
Awareness/Training
• How to identify the elements that are more prone to hardware theft
• Making short films on physical security
Well trained and skilled personnel can minimize the risk of a physical security threat to a great
extent. The organization should provide proper physical security awareness training to all of
their employees.
• Classroom Training
Classroom training provides an interactive lecture based session. The benefits of having
classroom training are:
• Can be made more interactive by incorporating role plays and simulation games.
The duration of the classroom training can vary. It depends upon the technique used in
implementing the classroom session.
• Round Table Sessions: Round table sessions may be conducted to train employees
regarding the need for physical security. These sessions may be held weekly or monthly.
• Making Short Films on Physical Security: Teaching using examples can help employees
understand more about the importance of physical security. Filming instances describing
the need for physical security, chance of risks and methods to prevent them.
• Conducting Seminars: Several seminars on each topic for physical security may be
conducted. Seminars may include examples, discussions and debates regarding the topic.
• Ensure that proper access control methods are implemented to prevent unauthorized access
• Ensure an alarm system is installed for all types of threats such as fire, smoke, electricity, water, etc. and is working properly
• Ensure an adequate number of security guards is hired to monitor the physical security of the campus
• Ensure proper procedures are implemented for detecting and reporting physical security incidents
The following checklist will help an organization ensure they are implementing proper security
controls and measures:
• Follow copyright rules and licensing restrictions: The organization should enforce
copyright rules and licensing restrictions in order to prevent outsiders or insiders from
creating illegal copyrighted copies of the software.
• Store all removable and important items in the locker when not in use: Employees
should ensure to lock all sensitive information and important devices in a locker. Do not
leave any important information unattended as it may catch the eye of an attacker.
• Keep the sensitive areas under surveillance: The organization should ensure security for
sensitive areas like server rooms, etc. CCTV surveillance and guards may be enforced in
order to maintain security in the sensitive areas. The organization should enforce 24x7
surveillance for the sensitive areas.
• Always advise employees to swipe the card at the entrance: Swiping ID cards at the
entrance helps the organization to audit the login details of the employees in case of an
incident.
• Do not keep any combustible material in the workplace area: Always keep any sort of
combustible materials away from the workplace area. This ensures the safety of the
employees, the information stored and the devices stored inside the workplace area.
• Always ensure company satisfaction: Employ security measures that guarantee
satisfaction of the employees. The policies and procedures imposed by the organization
should ensure compatibility with the company infrastructure. Physical security measures
imposed should detect, report, correct and prevent attacks.
• Evaluate the physical security of the location: Proper security ensures the security of the
employees and the information in the organization. Preventing attackers from entering
the workstations and server rooms, authenticating each person using ID cards or
biometric ensures better security of the location. Other security measures include
ensuring locking cabinets, doors and windows, proper surveillance using CCTV, proper
lighting etc.
• Do not disconnect consoles from ports: Disconnecting cables or consoles from ports will
lead to a disconnection for the user. You should make sure the cables are all connected to
the ports and are working properly.
• Use of alarms and sensors during fire, smoke etc.: The organization should ensure proper
use of sensors and alarms in order to detect fire or smoke on the premises. An
organization may include sensors for devices in order to detect if anyone tries to take
those devices out of the organization.
• Prevent damage to hardware and software: Any damage to the hardware or software
results in damage of the information systems in the organization. Damage to the
hardware will lead to the damage of the electronic and mechanical systems used in data
processing. Damage to software leads to the damage in the programs and instructions
used for data development.
• Do not leave any devices or important data in the parking areas or cars: Any unattended
devices or data may attract attackers and may lead to the loss of these valuable items or
information. The organization should employ an adequate number of security guards to
monitor all parked cars. Proper lighting must be installed to watch these areas clearly.
Employ security cameras in sensitive areas and log who is accessing those areas.
□ Physical Security is the core layer of the information security program which deals
with restricting unauthorized physical access attempts to the infrastructure, office
location, workstations and employees of an organization
□ Organizations should adopt a holistic approach to secure key physical and cyber
assets
□ Hiring efficient security personnel to implement, monitor and maintain the physical
security of an organization
□ Organizations need physical security policies and procedures for an effective physical
security management
In this module, we have discussed the importance of physical security, and its role in the
organization's information security program. This module introduced you to the various
physical security controls and security measures that organizations should consider while
implementing physical security. It will help the organization implement their Defense-in-Depth
strategy for physical security.
In the next module, we will discuss security of an individual host on the network. We will
discuss various security measures required to harden the security of a host, which may include
workstations, routers, switches, servers, etc.
Certified Network Defender Exam 312-38
Host Security
Host Security
Module 06
Network security starts with securing the individual host on the network. Host security is the
next layer of security in defense-in-depth that should be taken care of. This module focuses on
security measures and techniques required for securing individual hosts. The module covers all
the security tools, techniques, best practices and recommendations required for securing and
hardening various types of hosts in the network. The module also provides a brief overview of
virtualization security, application security, and data loss prevention techniques that help you in
attaining complete host security.
• Host Security is a comprehensive approach taken towards hardening each host on the network individually
• It involves hardening the host's operating system and applications to ensure protection against possible risks and threats
• The host can be any device which has an IP address on the network (e.g. laptops, wireless and networked devices, routers, switches)
Any device with an IP address connected to the network is considered a host. A host is an
important and integral part of any network in the organization. Host security plays a vital role in
securing organization network activities since the host can be the major conduit. If the host is
compromised, all devices and services risk being compromised as well. Host security refers to
the protection of hardware, software, information stored and services running on these
computers from any kind of theft or damage. The organization should ensure the
confidentiality, availability and integrity of the host and the data they hold. An insecure
configuration of a host can put the entire network at a security risk. Even though proper host
security measures are taken into consideration while installing host in the network, the host
can still be insecure through its use. Over time, the hardware and software installed on the host
get outdated and are prone to various types of threats inherent to poor patch management
methodologies. Thus, it is important to address and ensure the security of the host during its
lifecycle.
The organization needs to systematically monitor the hosts in order to check for the chances of
attacks and to identify the various possibilities of attacks on the hosts. Understanding the areas
of compromise can help the administrators come up with solutions to prevent those attacks.
They can put forward various policies and regulations in strengthening the security of the hosts
and thereby providing negligible or no impact to the business of the organization. Appropriate
training and awareness can help administrators maintain the security of the host in an
organization.
Threats to a host: worms, Trojans, spyware, deletion of data, unauthorized access
Hosts can be at risk of both internal and external threats. The internal threats mainly occur
within an organization and the damage caused by these threats can lead to a great loss to the
assets of an organization. These threats include malware attacks, information theft,
unauthorized access, illegal use of corporate resources etc. Any sort of attack on the host
internally can affect the end users and the business of an organization. Administrators should
evaluate their host against possible internal as well as external threats.
To ensure host security, you should be aware of different threats that the host is vulnerable to.
The host can be at risk of being exploited by the following major threats.
Malware Attack
• Viruses: Viruses are programs that replicate themselves to infect the host
system. They make changes in the host by deleting files, reformatting the hard drive, etc. A
virus-infected system cannot operate again as before.
• Worms: They are viruses that replicate themselves without much human interaction. They have
the ability to spread and infect systems as they travel through the network or the
internet.
• Trojans: Trojan is considered one of the most complex threats and creates damage to the
host. They hide the payload part of the data packet while travelling through the network,
thereby allowing file corruption, remote access, interrupting firewalls and anti-virus etc.
Another impact of a Trojan is its ability to steal data. This makes it easier for the attackers
to gather sensitive information.
• Spyware: Spyware is a malware that is used for spying on the actions performed by a user
on the system. This gathers the information of all activities performed by a user on the
system. For example, Keylogger is a type of spyware that is used to capture the
keystrokes.
• Backdoor: A backdoor is planted to skip all the authentication steps required and gain
unauthorized access to remote computers.
• A person gaining access to the host can perform intentional or unintentional deletion or
modification of data present in the system.
• Acquire the information present in the system.
Unauthorized Access
Unauthorized access refers to gaining unauthorized access to restricted files, data, operations,
services, etc. running on the host. An attacker, if successful in gaining unauthorized access to the
system, can perform any malicious action, which will affect the security of the hosts in the
network. The unauthorized access can result in stealing, accessing sensitive files, installing a
virus in the system, among other actions.
An attacker can take advantage of various existing vulnerabilities in order to compromise
a specific host. Threats that exploit vulnerabilities on a host can take various paths to get
into the system and infect it. A lack of sufficient knowledge and skills, and insecure
configurations of host security, open the network to different types of security threats:
• Un-patched Computers: The majority of attacks on a host are due to the lack of proper
patching or the use of outdated software installed on the host. The unpatched computer
can create security loopholes and gives attackers a path to compromise it.
• E-mail: Host system security can be compromised through sending unsolicited emails such
as phishing, malicious attachments, and spam e-mails etc.
• Network File Sharing: Network file sharing permits the users to share files between their
individual systems over the internet. Even though it makes things easier for users to share
files, it paves the way for many threats such as Malware infections, Exposure of sensitive
or important information, etc.
• Internet Downloads: Internet downloads from untrusted sources can lead the users in
downloading malware onto their systems.
• Social Engineering: Attackers use social engineering techniques to gain sensitive
information which may help them further to gain unauthorized access, malware infection
etc.
• Blended Threats: Attacker uses a combination of multiple techniques to attack or infect
the system.
Purpose of Each Host: network services provided by the host
Hosts in the network are configured or dedicated to perform certain functions. These hosts
store and handle various types of sensitive information and provide various services of the
organization. Different types of hosts require different levels of security based on the data or
services it handles.
For example, the hosts that act as servers in the network, storing sensitive information and
performing critical functions, require more security than a normal host or workstation.
A prior host assessment is required to assess the existing level of security and to determine the
level of security required for a particular host based on its criticality, the level of sensitive
information it stores, network services provided by them, and security requirements specified
for them.
• Server Security Baseline: Set security baselines for different types of servers
• Application Security Baseline: Set security baselines for different types of applications
Host security baselining plays an important role in enhancing the host security of the
organizations. Administrators must define and establish a security baseline for hosts in the
network depending upon their purpose, criticality, etc. The establishing of security baselines
depends on the needs of the organization. Defining any security baseline requires active
involvement of management and various departments of an organization to include their
preferences.
Host security baselines help you easily identify the hosts with configurations that do not match
as stated in the baseline.
A Host security baseline sets a security objective, standards, guidelines, checklists, etc., which
must be met to attain a high level of host security for organizations. It specifies the reference
points for installation, hardening, placing of new hosts in the network and all activities
performed on the host. Baselining facilitates more protection of the host and helps in
determining the actions taken for further security. The baselines should undergo a regular
update and monitoring.
The baselines help you to determine:
• The way the host performs in the network.
• Type of data the host uses to communicate across the network.
• Identify the services and resources associated with each host.
• The type of connectivity required for each host.
• A clear picture regarding the working of each host.
The baselines are different from the security policies in a way that the baselines define the
structure of the security policies. There are two types of security structures for the baselines:
High-level and technical. The execution of these two standards depends on the requirements of
the organization. The high-level standards are independent of operating system and depend on
the security policies of the organization. The technical baseline consists of statements for each
operating system configured in the system and the functions carried out by them. The best
method to implement a baseline is to create a simple baseline first and then increase the
complexity of the baselines as moving forward with the configurations.
The host security largely depends on the OS and applications installed on the host. Establishing
a host security baseline also requires establishing security baselines for the OS, user accounts,
and applications to be installed on the hosts.
OS security refers to the practice of securing OS system files, file system, and its resources
from any unauthorized access, modification, or destruction
• Operating Systems play a vital role in host security as the built-in security features in
operating systems can be hardened to secure the hosts
• OS Security Elements
• Baselining Operating System Security
• Operating System Security Settings Configuration
• Patch management
that the applications and services running in a system include only required resources in order
to perform the desired actions.
OS security baseline elements: Disable unnecessary accounts; Install Antivirus Software; Use of Access Control Lists (ACLs) and file permissions for File and Directory Protection; File and File System Encryption
The organization establishes OS security baselines to implement a standard for installing and
configuring the operating system. The setting up of the baseline varies from one organization to
another. The administrators should take immense care while creating the baseline for an
operating system and confirm that it meets the company requirements. The baseline for the OS
needs to include the configuration of various operating system settings as well as recording
each step, so that it helps for future configurations. The baseline for the OS should also include
the actions performed on the system.
The organization decides on the security baselines required for the OS and implement all the
settings based on it. An organization can use several security templates to decide the OS
security baselines required for their organization. The process of baselining the operating
system includes hardening the key components of the system architecture in order to reduce
risk of attack.
The OS security baseline should address the following security configurations at a minimum:
• Non-essential Services: Only essential services should be enabled on the OS. Enabling
unnecessary services on the OS can give an attacker a path to compromise the host
through OS security flaws. For example, if a host is not functioning as a web server or a
mail server, the corresponding web or mail service should be disabled immediately.
• Patch Management: The operating system should undergo patch management regularly
in order to ensure that the OS is updated with all the latest updates and fixes.
• Password Management: Operating systems need to persuade the users to use complex
and strong passwords based on the organization's policy. Password management should
also urge the users to change the password after a certain period of time and implement
user lockout after a certain fixed number of attempts.
• Unnecessary Accounts: Organizations need to monitor the account details of the users.
They may remove or delete all unwanted and guest user accounts.
• File and Directory Protection: Organizations should control the file and directory
permissions using Access control lists.
• File and File System Encryption: Encryption of files and folders, formatting disk partitions
with a file system with the help of encryption features provided by the OS.
• File Sharing: Disabling unwanted file sharing applications running on the operating
system.
Microsoft announces the security baseline settings for their desktop and server OS products
periodically. With each release, Microsoft reevaluates older settings to determine whether they
address contemporary threats or not and adds updated baseline settings to address newly
discovered vulnerabilities and misconfigurations.
Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems
for missing security updates as well as common security misconfigurations. MBSA is used to
analyze the security standards of the organization by identifying the updates the organization
requires and rectifying the weaker settings of Microsoft Windows.
MBSA helps small and medium-sized business organizations analyze their security status and
standards and check whether they comply with the Microsoft security recommendations.
The scan results produced by MBSA report critical issues, non-critical issues and best practices
that describe the remedies that can be taken to secure the operating system.
Source: https://www.microsoft.com
Setting up a BIOS password helps you control access to the system by external users. The BIOS
provides the feature of setting a password that in turn prevents other users from:
• Accessing the system.
• Booting the computer.
• Booting from removable devices.
• Changing BIOS settings.
BIOS passwords are most suitable for systems in public places or a workplace, because they
prevent other users from installing another operating system over the existing one. The BIOS
setup program is used to set the BIOS password. It is entered by pressing a key before the
operating system boots; pressing the key named in the "Press F2 to enter setup" message takes
the user to the BIOS settings page. Every computer has documentation that explains how to set
the BIOS password.
The BIOS provides an extra layer of security because it starts even before the operating system
and the other hardware. It prompts the user for the password at that point and so prevents many
password-cracking applications from running. Recovering a BIOS password is a complex task
compared with recovering an operating system password. Hence, users need to remember the
BIOS password, because a user who forgets it will be locked out. Users can always try resetting
the BIOS password, but most of the time such attempts are in vain, as resetting takes more time
and offers only a small chance of changing it.
The Windows registry, otherwise known simply as the registry, is a database of all the
configuration settings of Microsoft Windows. The Windows registry stores details such as settings
for software programs, hardware devices, user preferences, OS configurations, etc. In short, the
Windows registry contains all the details regarding the operating system. Accessing the Windows
registry requires the user to execute the regedit command from the command prompt, which
opens the Registry Editor window.
A registry key is similar to a folder. Folders contain files, whereas registry keys contain registry
values and other subkeys. Registry hives are the groups of registry keys found at the top of the
hierarchy. The top-level registry keys are as follows:
• HKEY_CURRENT_CONFIG: This registry key contains information regarding the currently
used hardware profile.
• HKEY_CURRENT_USER: This registry key gives all details regarding the users that are
currently present on the computer. The user details include desktop settings, network
connections, printers, application preferences and personal program groups. A new
HKEY_CURRENT_USER subkey is created every time a user logs in.
• HKEY_CLASSES_ROOT: This key contains the file name extensions and COM class
registration information.
The Windows operating system has its own view of managing user accounts and passwords.
User management in Windows helps administrators identify and control the users logged in to
the system. This management includes identifying the people logged in to the network and
managing user login and logout times. User management provides better authentication and
authorization of users accessing the network. Administrators monitor user permissions before
granting permission to access the network and analyze the logging details. They have the
benefit of analyzing user details and activities, and can filter the user details by IP address or by
user, which makes managing users easy. The whole concept of user management is based on
users logging in to and out of the system: a user trying to access the system is first
authenticated and then allowed access. Certain user management policies define the rules for
managing the user accounts.
A user can have multiple accounts or a single account. Multiple accounts on a single computer
allow multiple users to store data and files on the same system, apply background themes
according to each user's preference, etc.
• Administrator Account: These account users have the complete privilege of performing
any action on the system. They can install and uninstall programs, make configuration
changes to the system, add or remove other user accounts on the system, etc.
• Standard Account: Standard account users have limited access to the system. They can
access only those files and folders saved in their own user account. They do not have
permission to change or delete any configuration of other users.
• Guest Account: These users do not have access to any of the files and folders on the
system. They can only check their e-mail on the system.
Password management in Windows begins with the authentication of the user trying to access
the system. In other words, all user accounts should be properly secured with passwords.
An organization should have a well-defined and effective password policy that helps minimize
the risk of password compromise during authentication. The policies created need to ensure the
availability, confidentiality and integrity of the passwords, allowing access only to authorized
users and preventing unauthorized access. Several access controls assist in maintaining the
integrity and availability of passwords, whereas maintaining the confidentiality of the passwords
always remains a challenge for the organization. Maintaining the confidentiality of passwords
involves several security controls and decisions.
Some of the guidelines for creating strong and complex passwords are:
• Ensure that the password created does not include the user name.
• Avoid storing passwords at any location. If you need to store them, do so in an
encrypted form.
• Properly define the password security policies followed throughout the organization.
Administrators should disable unwanted accounts by deactivating them. Deleting a user
account is entirely different from disabling an account: disabled user accounts can be restored,
whereas deleted user accounts cannot. Here are the steps for disabling a user account in
Windows:
• Click the Local Policies option on the left side of the pane and click Security Options
under it. Find the option 'User Account Control' in the list of options in the results pane
and disable the user account option.
Authentication identifies and validates the users accessing the system. It determines whether
the user trying to access the system has the permissions to access it and to perform actions.
• Change names and passwords for default accounts: Systems that have multiple accounts
should maintain different usernames and passwords for each.
• Disable inactive accounts: If an employee leaves the company, it is the role of the
administrator to disable or delete all of the employee's accounts. Timely action can save
the system's resources from intrusion.
• Assign rights to groups, not individual users: Administrators should deploy and implement
group policy in the organization. Group policies allow administrators to assign rights to
groups of users rather than to each user individually. Implementing group policies makes
it easy for administrators to monitor user activities.
• Do not permit shared accounts: Avoid shared accounts in a network. Accounts shared by
several users act as an open invitation to intruders.
• Patch Management ensures appropriate and updated patches are installed on the system
• It involves applying patches, Service Packs and/or upgrading Windows to a newer version
• Use Patch Management tools to identify the missing patches and install them on the system
• Patches are the small programs which apply a fix to a specific type of vulnerability
• Service Packs can fix vulnerabilities along with some functionality improvements
• Version upgrades fix vulnerabilities and come with improved security features
Patch management is an integral part of OS security. It enhances the security of the system
through regular updates. In an IT infrastructure, patch management needs to be efficient in
order to maintain the security of the systems. Patch management involves applying patches and
service packs, or upgrading the OS to a newer version. It provides a consistently configured
environment that is secure against the vulnerabilities and threats affecting an operating
system.
• Detect: Install tools that can automatically detect updates and initiate the patch
management process.
• Assess: Identify the severity of the vulnerabilities and the extent of patching required to
remove the flaw.
• Acquire: Obtain the patch for testing if proper security measures are not yet in place for
the detected vulnerabilities.
• Maintain: Maintain all other systems by sending notifications regarding the detected
vulnerabilities.
• The patch management process can be implemented in two ways on the user machines:
• Distribute a written process among the employees that they implement on their own
host machines.
• Written Process: In this process, the organization trusts its employees by allowing
them to install patches and keep their systems updated. In such scenarios, the
organization randomly checks users' systems to make sure that employees adhere to
the patch management policy. However, following this process in an organization is
not safe and can easily expose the IT infrastructure to intrusions.
1. Go to Start → Control Panel → System and click Windows Updates, then select the option
Install updates automatically.
2. You can also use a third-party Windows update tool for remote desktop patching.
The Windows OS provides users the option of automated updates. Turning on Windows
automatic updates in the Control Panel enables Windows to download and install all the
updates. The process can take place automatically without much interaction from the user.
However, the user must respond in time to the alerts that occur during the update process;
missing an alert can stall important updates.
• Windows 7: The device should include Service Pack 1 in order to receive security fixes
through Windows Update.
The user must ensure there is enough disk space available before performing a Windows
update. Windows can configure updates properly if around ten percent of the system partition
capacity is free.
There are situations wherein the automatic windows update is turned off for a very long time.
Here, the user needs to perform an anti-virus scan before even applying the updates. The
scanning can ensure that no malware is present in the system.
• Windows 8: In Windows 8, the user may find another option, Windows Update. This update
option does not provide any configuration options, and hence users must be careful while
selecting the update option in Windows 8.
• Windows 8.1: (Figure: Windows Update settings found through the Settings search)
• Windows 7: (Figure: Start menu search results for Windows Update)
• In Windows 10, the update configuration is available in the Modern UI/Metro-style Settings
app. The user can schedule the restart after a Windows update on the Choose how updates
are installed screen. There are two options in the drop-down: Automatic (Recommended)
and Notify to schedule restart. Selecting Notify to schedule restart lets the user know when
the device needs a reboot or restart.
• Select the check box for the option Give me updates for other Microsoft products when I
update Windows. This provides updates for other Microsoft products as well.
• Make sure the users do not select the option Defer Updates, as it postpones large feature
upgrades.
FIGURE 6.9: Options to select for Automatic (recommended) update installation (Step 2)
• The user can now click on Choose how updates are delivered
FIGURE 6.10: Selecting the option for when to receive updates (Step 3)
• Updates from more than one place allows applying the same updates to many Windows
10 devices.
• The slider option can be turned off if there is only one Windows 10 device.
• If there are several Windows 10 devices, turn the slider on and enable the option Updates
from more than one place.
FIGURE 6.11: Selecting the option to install updates for more than one Windows 10 machine (Step 4)
• Make sure that the options Give me recommended updates the same way I receive
important updates and Allow all users to install updates on this computer are enabled.
• In Windows 7, the user gets an option to schedule the installation of new updates.
• In Windows 8 and 8.1, click on the link Updates will be automatically installed during the
maintenance window.
FIGURE 6.16: Scheduling the time in Automatic Maintenance for Windows 8 and 8.1
You can click on Install Patch and select the OS to which you want to deploy patches/service
packs.
Steps to remotely install and uninstall patches for Windows using Desktop Central
Source: https://www.manageengine.com
4. Provide a name and a description for the Install/Uninstall Patches Configuration.
5. Define Configuration: add the patches and specify the operation type (Install, to install the
patches/service packs), Scheduler Settings, Deployment Settings, etc.
6. Define Target
• You can deploy the configuration to any of the following:
• Site - to deploy the configuration to all the users/computers of that site.
• IP Addresses - to deploy the configuration to the specified IP addresses. You can also
specify a range of IP addresses to deploy a configuration by selecting the IP Range
option and specifying the starting and ending IP. This option is available only for
computer configurations.
Batch Patch
Source: https://batchpatch.com
BatchPatch is Windows Update and WSUS patch management software used to remotely initiate
Windows Update, WSUS, software deployments, and reboots on many computers.
Desktop Central
Source: https://www.manageengine.com
Desktop Central is a patch management tool used to install/uninstall patches and service packs
for Windows operating systems from a central location. It not only manages patch deployment,
but also scans for network vulnerabilities, identifies missing security patches and hotfixes,
applies them immediately and mitigates risk.
SolarWinds Patch Manager
Source: http://www.solarwinds.com
SolarWinds Patch Manager makes it easy to perform third-party patch management across tens
of thousands of servers and workstations and enables you to leverage and extend the
capabilities of Microsoft WSUS or SCCM to report, deploy, and manage third-party patches as
well as Microsoft patches.
GFI LanGuard
Source: http://www.gfi.com
GFI LanGuard patches Microsoft, Mac OS X, Linux and more than 60 third-party applications,
and deploys both security and non-security patches. GFI LanGuard scans your operating
systems, virtual environments and installed applications against vulnerability check databases.
Altiris Patch Management Solution
Source: https://www.symantec.com
Altiris Patch Management Solution allows you to proactively manage patches and software
updates by automating the collection, analysis, and delivery of patches across your enterprise.
LANDESK Patch Manager
Source: http://www.landesk.com
LANDESK Patch Manager evaluates, tests, and applies patches across the enterprise easily and
automatically to drastically simplify your efforts. It maintains patches for Microsoft Windows
and other vital operating systems by downloading patches automatically and streamlining
patch testing and deployment.
Shavlik Patch
Source: http://www.shavlik.com
With Shavlik Patch you leverage a single Configuration Manager workflow for publishing
updates for both Microsoft and non-Microsoft products.
Kaseya
Source: http://www.kaseya.com
Kaseya provides the tools and infrastructure to enforce policies and to easily address the
complexities of software and security patch deployment and simultaneously deploys all
required patches across machines.
LabTech's App-Care
Source: http://www.labtechsoftware.com
The App-Care patch management solution extends LabTech's Microsoft update patching to
third party applications with seamless integration to close security holes and guard against
attacks. It automatically downloads third party patches from the manufacturer and pushes
them to computers automatically to close security gaps in third party applications.
Lumension
Source: https://www.lumension.com
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Unnecessary services run in the background on systems without the user being aware of them.
Leaving these services enabled can give an attacker a path to compromise the system, as some
of them can be vulnerable to different types of attacks. Administrators can identify unnecessary
services running on the system based on the organization's policy. The policy statement may
include lists of necessary services that should be allowed to run on the system and unnecessary
services that should not be allowed to run. An administrator can create, pause, stop and restart
a service as per the system and user requirements. On the user machine, administrators can
disable any service that is not required. Disabling unnecessary services is important as it reduces
the chances of system exploitation. Services like IIS, FTP, SQL Server, proxy services and Telnet
are usually not required by users. Administrator privileges are required to enable and disable
services on a particular host.
Go to Control Panel → Administrative Tools → Local Security Policy
Local policy settings allow enforcing many system, user and security-related settings in
Microsoft Windows. These policy settings include Password Policy, Audit Policy, and User
Permissions. Default policy settings are available; however, the administrator needs to
configure more policies in order to ensure security. An administrator should define and set the
policies as per the organization's security policies.
Steps for configuring the Local Policy Settings for the computer:
1. Go to Control Panel
2. Click Administrative Tools -> Local Security Policy
a. Click Account Policies in order to edit Password Policy and Account Lockout Policy
b. Click Local Policies in order to edit Audit Policy, User Rights Assignment and Security
Options
3. Double-click on the policies in order to modify or edit them
Every organization should require its employees to change their passwords after a specified
interval of time. This creates the need for policies that outline the requirements for setting a
password. Changes to the local password policy affect only the local computer. The
configuration of the policies, however, depends on the policies of each organization.
For instance, an organization can edit or configure the local password policies as follows:
• Maximum password age: Determines the time period for which a password may be used.
The default value is 42 days.
• Minimum password age: Determines the minimum number of days the user must keep a
password before changing it.
• Minimum password length: Determines the minimum length of passwords. Usually the
minimum value is 8.
• Password must meet complexity requirements: Determines the criteria for creating a
password. When enabled, the password must include upper and lower case letters,
numbers and special characters.
• Go to Control Panel → Windows Firewall and click Turn Windows Firewall on or off
• Click Advanced Settings and configure inbound/outbound rules
• Click Monitoring to view active firewall rules, active connection security rules, Security
Associations, etc.
Windows Firewall is a built-in feature that governs the security of Windows. It helps prevent
intrusions from inside or outside the network. Windows Firewall has the ability to monitor the
incoming and outgoing traffic. Rules and exceptions in Windows Firewall maintain logs of the
traffic. Administrators can apply rules and exceptions based on the type of network and the
location of the machine.
Turning the firewall on allows it to stop or filter the communication passing through it.
Administrator privileges are required to turn on the Windows Firewall feature.
Configuration of Windows Firewall is done through the Advanced Security option. Windows
Firewall with Advanced Security displays the detailed functioning of the firewall. It helps in the
implementation of rules and exceptions for the firewall. The snap-in displays the rules and
exceptions for inbound and outbound traffic.
• Inbound Rules: They apply to traffic that is coming from the network or the Internet to
your Windows computer or device. For example, if you are downloading a file through
BitTorrent, the download of that file is filtered through an inbound rule.
• Outbound Rules: These rules apply to traffic that originates from your computer and
goes to the network or the Internet. For example, your request to load a website in
your web browser is outbound traffic and is filtered through an outbound rule.
• Connection security rules: Less common rules that are used to secure the traffic between
two specific computers while it crosses the network. This type of rule is used in very
controlled environments with special security requirements. Unlike inbound and
outbound rules, which are applied only to your computer or device, connection security
rules require both computers involved in the communication to have the same rules
applied.
All the rules can be configured so that they are specific to certain computers, user accounts,
programs, apps, services, ports, protocols, or network adapters. You can display the rules of a
certain type by selecting the appropriate category in the column on the left.
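An added example (not code from the CND courseware): a PowerShell audit of the inbound rule set described above, flagging enabled Allow rules that accept traffic from any remote address on any port or program, plus a rule template that restricts such an exception to the local subnet. It assumes the built-in NetSecurity module; the rule name, port and program path are constructed.

```powershell
# Added example (not from the CND courseware): audit enabled inbound Allow rules
# and flag those that accept traffic from any remote address on any port/program.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later) and an
# elevated PowerShell session.

function Get-PermissiveInboundRule {
    # Every enabled inbound rule whose action is Allow
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True

    foreach ($rule in $rules) {
        # A rule carries separate filter objects for addresses, ports and programs
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        # "Any" remote address combined with "Any" program or "Any" local port is
        # the widest kind of inbound exception and deserves a second look
        $anyRemote  = $addr.RemoteAddress -eq 'Any'
        $anyProgram = $app.Program -eq 'Any'
        $anyPort    = $port.LocalPort -eq 'Any'

        if ($anyRemote -and ($anyProgram -or $anyPort)) {
            [PSCustomObject]@{
                Name          = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort
                RemoteAddress = $addr.RemoteAddress
                Program       = $app.Program
            }
        }
    }
}

# Template for a tighter inbound exception: one program, one port, local subnet
# only, and only on the Domain and Private profiles. All values are constructed.
function New-RestrictedInboundRule {
    param(
        [string]$Name    = 'Example - Management Service (TCP-In)',   # hypothetical
        [int]$Port       = 8443,                                      # constructed
        [string]$Program = 'C:\Program Files\ExampleSvc\svc.exe'      # hypothetical
    )
    New-NetFirewallRule -DisplayName $Name `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol TCP -LocalPort $Port `
        -Program $Program `
        -RemoteAddress LocalSubnet `
        -Profile Domain, Private
}

# Report the overly broad rules first; add restricted rules only after review
Get-PermissiveInboundRule | Sort-Object Name | Format-Table -AutoSize
```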
[Figure: Windows Defender: scan options Quick, Full, Custom; Real-time protection: On; Virus and spyware definitions: Up to date; Scan now button]
Keeping the system free from virus infections is an important task for host security. Securing
the system from viruses is the utmost need of the administrators and the users working on the
system. By installing updated antivirus software, you can protect your system from virus-infected
files, system crashes, unwanted pop-ups and damage to the operating system caused by a
malware infection. Administrators can also use various third-party antivirus solutions for better
protection.
Windows has a built-in antivirus solution called Windows Defender to protect the system from
virus infection. Windows Defender runs in the background and notifies you when you need to
take specific action. However, you can use it at any time to scan for malware if your computer isn't
working properly or if you clicked a suspicious link online or in an email message.
Windows Defender is malware protection software used to detect and mitigate viruses
and other malicious programs. It offers three kinds of scan:
I. Quick scan: Scans only those areas of the computer that are more
prone to virus attacks.
II. Full Scan: Scans all files and folders present in the system. This can be a
time-consuming process.
III. Custom Scan: Scans only those files or folders specified by the user.
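An added example (not from the courseware): PowerShell using the built-in Defender module to check the real-time protection and definition status shown on the slide, and to start the Quick, Full or Custom scan described above. The "healthy" threshold of one-day-old definitions is an assumption.

```powershell
# Added example (not from the CND courseware): inspect Windows Defender status
# and run the scan type the text describes. Requires the Defender module
# (Windows 8.1 / Server 2016 and later) and an elevated session.

function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    [PSCustomObject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
        LastFullScan       = $s.FullScanEndTime
        # Real-time protection off or definitions older than a day (assumed
        # threshold) means the host is not in the "Protected / Up to date" state
        Healthy            = ($s.RealTimeProtectionEnabled -and $s.AntivirusSignatureAge -le 1)
    }
}

function Invoke-DefenderScan {
    param(
        [ValidateSet('Quick', 'Full', 'Custom')] [string]$Type = 'Quick',
        [string]$Path   # only used for a Custom scan
    )
    switch ($Type) {
        'Quick'  { Start-MpScan -ScanType QuickScan }                 # most exposed areas only
        'Full'   { Start-MpScan -ScanType FullScan }                  # every file and folder
        'Custom' {
            if (-not $Path) { throw 'A Custom scan needs -Path' }
            Start-MpScan -ScanType CustomScan -ScanPath $Path         # user-chosen location
        }
    }
}

$health = Get-DefenderHealth
$health
if (-not $health.Healthy) {
    # Refresh definitions first, then scan the areas most prone to infection
    Update-MpSignature
    Invoke-DefenderScan -Type Quick
}
# Anything Defender has already caught recently, for the administrator's review
Get-MpThreatDetection | Select-Object InitialDetectionTime, ThreatID, Resources | Format-Table -AutoSize
```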
Below is a list of some third-party antivirus software that can be used to protect your host
from malware infections.
AVG Antivirus
Source: http://free.avg.com
AVG Antivirus helps stop, remove and prevent the spreading of viruses, worms, and Trojans. It
protects you from malware on your PC and helps stop anything that is infected.
Norton
Source: https://in.norton.com
Norton Security Scan determines whether your system has been infected with viruses, malware,
spyware, or other threats. It checks for suspicious or dangerous cookies and removes those that
raise a concern.
Avast
Source: https://www.avast.com
Avast Pro Antivirus scans all files being downloaded through torrents, servers or flash
drives. The files are tested before being saved on the system. The software has features for
securing the DNS settings, preventing DNS hijacking, fake-password attacks, etc. The
antivirus pre-determines malicious packets/data travelling towards the user's router
or network and drops them before exploitation.
McAfee
Source: http://home.mcafee.com
The McAfee antivirus software tool scans the core components of the system and keeps them up
to date. The software installs updates in the background in a timely manner without affecting the
productivity of the system. The tool has the ability to diagnose malware, worms or Trojans
hiding behind processes and modules. McAfee can also maintain
scheduled scans on the host machine.
Avira
Source: http://www.avira.com
Avira antivirus tool protects the system from viruses, worms and Trojans. It scans unknown files
in real time for malware and exploits, blocks harmful websites before they load and
identifies potentially unwanted applications hidden within legitimate software.
Quick Heal
Source: http://www.quickheal.co.in
Quick Heal is antivirus software used to protect your system from viruses, worms, Trojans,
spyware and other such threats.
Kaspersky
Source: http://www.kaspersky.com
Kaspersky antivirus delivers essential protection against all types of malware. It safeguards you
from the latest viruses, spyware, worms and more.
Panda
Source: http://www.pandasecurity.com
Panda provides real-time protection against the latest malware releases. It protects PC, Mac or
Android devices against all types of threats.
GData
Source: https://www.gdatasoftware.com
GData has the feature of proactively detecting malware on the system. It scans SSL-
encrypted emails for malicious attachments and suspicious content.
Trend Micro
Source: http://www.trendmicro.com
Trend Micro's Maximum Security helps you prevent identity theft by blocking phishing
emails. It scans the privacy settings on social media accounts and provides a secure browser for
safe online banking.
Email threats have rapidly evolved into one of the major concerns for cyber users. Spamming is
one such threat to email security. Spamming involves frequently sending unsolicited bulk email (UBE), junk
mail, or unsolicited commercial email (UCE) to individual users or groups of users.
These email spams typically cost users money out-of-pocket to receive. Spam mail sent via virus-
infected networks can install a backdoor that allows the spammer to access the computer and
use it for malicious purposes.
Anti-spam is a method of denying spam e-mails entry to the user's e-mail. Generally, anti-spam
methods scan the computer's IP address, e-mail signatures and data. This can prevent users
from receiving spam emails. There are many types of anti-spam systems used together with
many e-mail systems and internet service providers (ISPs).
Source: https://www.mxquarddoq.com
M X Guarddog offers complete email security, with no software to install and no changes to
your email clients. The tool protects user emails against, viruses, malware, phishing emails, Dos
attacks etc.
FireEye Email Security
Source: https://www.fireeye.com
FireEye Email Security products detonate and analyze suspicious email attachments and
embedded URLs and block malicious activity to enhance email security. With these capabilities,
organizations can prevent, detect, and respond to email-based cyber-attacks. AV and anti-spam
protection are available to handle casual attacks and nuisance traffic. Customers can select
Email Threat Prevention Cloud (ETP) for a complete, off-premise email security solution with no
hardware or software to install.
Symantec Email Security
Source: https://www.symantec.com
Symantec Email Security effectively blocks unwanted email. It is capable of blocking spear-
phishing and targeted-attack malicious URLs with Real Time Link. It analyzes the email body,
subject, and headers, as well as text within document attachments, to identify and prevent loss
of confidential data.
Spam Fighter
Source: http://www.spamfighter.com
Spam Fighter protects all the email accounts on your PC. It protects against phishing, identity
theft, and other email fraud. It can blacklist and block emails and domains.
Avast
Source: https://www.avast.com
Avast Internet Security has anti-spam features which allow you to stay safe from
phishing and avoid wasting your time on junk emails.
K9
Source: http://keir.net
K9 is an email filtering application that works in conjunction with the regular POP3 email
program. It automatically classifies incoming emails as spam (junk email) or non-spam without
the need for maintaining dozens of rules or constant updates to be downloaded. It uses
intelligent statistical analysis that can result in extremely high accuracy over time. K9 is for
standard POP3 email accounts only. It does not support IMAP nor does it support Hotmail, AOL
or any other kind of webmail type systems. It does not natively support SSL or secure
authentication.
Spamihilator
Source: http://www.spamihilator.com
Spamihilator works between the email client and the Internet and examines every incoming
message. It filters the spam and non-spam mails. The Spamihilator uses a number of filters in
order to identify spam present on the user network. The program works with almost every
email client, such as Outlook, Mozilla Thunderbird, Eudora, lncrediMail, Pegasus Mail, Phoenix
Mail, Opera, etc.
G-Lock SpamCombat
Source: http://www.glocksoft.com
SpamCombat removes spam, virus and junk emails from the inbox. It eliminates all
unwanted messages at the server level without downloading them to the email client. G-Lock
SpamCombat uses filters such as: Complex Filter, Whitelist, Blacklist, HTML Validator, DNSBL filter,
and the Bayesian filter in order to keep spam out of the inbox.
Cyberoam Anti-spam
Source: https://www.cyberoam.com
Cyberoam Anti-Spam solution provides real-time spam protection over SMTP, POP3, IMAP
protocols, protecting organizations from zero-hour threats and blended attacks that involve
spam, malware, botnets, phishing, Trojans.
AVG Antivirus
Source: http://www.avgcloudcare.net
AVG anti-virus is a cloud-based email security service that delivers comprehensive protection
against spam, viruses, phishing attacks, and other email-borne threats. It performs an
automatic update and identifies the spam before it affects the user's network.
• Malware may come through unwanted pop-ups on the sites that users are visiting
• Enable the Pop-up Blocker feature to prevent unwanted windows from opening
Internet Explorer: Go to Control Panel ➔ Internet Options ➔ Privacy tab, select a setting for the Internet zone (Medium) and turn on the Pop-up Blocker.
Mozilla Firefox: Go to Options ➔ Content and check the Block pop-up windows checkbox.
A pop-up blocker is a feature that automatically prevents websites from opening windows that
aren't the main browser window. Pop-up blockers allow you to control what happens as you
browse the web and prevent sites from filling your desktop with pop-up windows you do not
want or need. All modern browsers now have pop-up blockers.
It prevents unnecessary webpages and their pop-ups from being stored on the system. Usually, sites
add pop-ups so that users can get extra information about their search. However, it is advisable
to turn on the pop-up blocker to avoid any intrusion on the system.
Follow the steps below to enable the pop-up blocker feature and prevent unwanted windows from
opening:
• Internet Explorer:
1. Click on Start ➔ Control Panel
2. Select Internet Options ➔ Privacy tab
3. To enable the pop-up blocker, check the box "Turn on Pop-up Blocker"
4. Click on the Settings option to provide exceptions for specific websites
5. Enter the name of the website in the textbox "Address of website to allow" ➔ Allow
6. Select the "Blocking level" as per the requirement
7. Close ➔ Apply ➔ OK
[Figure: Internet Properties, Privacy tab: Sites, Import, Advanced, Default; Location: Never allow websites to request your physical location, Clear Sites; Pop-up Blocker: Turn on Pop-up Blocker, Settings; InPrivate: Disable toolbars and extensions when InPrivate Browsing starts; OK, Cancel, Apply]
• Google Chrome:
1. In Google Chrome, click the menu icon ➔ Settings
2. Go to Show advanced settings ➔ Privacy ➔ Content settings
3. In Pop-ups ➔ Do not allow any site to show pop-ups ➔ Finished
[Figure: Google Chrome, chrome://settings/content, Content Settings: Pop-ups (Allow all sites to show pop-ups / Do not allow any site to show pop-ups, Manage exceptions...), Location (Ask when a site tries to track your physical location (recommended), Manage exceptions...), Notifications]
• Mozilla Firefox:
1. Go to Options ➔ Content
2. Check the "Block pop-up windows" checkbox
3. The Exceptions tab allows adding the URLs to exclude from the pop-up blocking rule
4. Click OK
• Conduct peer log review and audit periodically to look for any suspicious activity and respond to the security incidents
• You need to have administrative access privileges to conduct a log review and audit
• Event Viewer provides a quick overview of when, where, and how an event occurred
• Navigate to Control Panel, go to Administrative Tools, and then double-click Event Viewer
• Check Windows Event Log for various types of logs
Typical log entries contain the following types of information about the events:
• Level: It defines the severity of the event. The severity levels are Information, Warning, Error and Critical
• Keywords: It defines the type of event that occurred. The keywords are Audit Failure, Audit Success, Classic, Correlation Hint, Response Time, SQM, WDI Context and WDI Diag
• Date and Time: It defines the date and time at which the event occurred
[Figure: Event Viewer, Windows Logs (Setup logs, Application logs), filtered on the Event ID, source, date and time of each type of event. Slide notes on suspicious activities to look for: login attempts in non-office hours; authority change, addition and removal attempts; account unlocked/password reset attempts]
Note: The CND Resource Kit contains a detailed list of Event IDs for the corresponding log events.
Windows log review and audit involve monitoring and analyzing the log entries for suspicious
behavior. Administrators find log review and audit helpful in troubleshooting problems with
Windows and other programs, as well as in detecting signs of malicious activities or attempts,
such as unauthorized login attempts made on the computer.
All the activities of a user on a Windows computer are recorded and stored in a file called the
Windows Event Log. Administrators can view these log entries with the help of Event Viewer.
Event Viewer tracks information in several different logs.
• Event Viewer:
• The main screen of the Event Viewer is divided into three parts:
• Navigation Pane: It displays the various types of logs and their related features.
• Detail Pane: In the detail pane, event entries are listed in chronological order.
Clicking on any event entry shows the event's detailed information in the bottom half of the
pane.
Each of these events also includes a level that indicates its severity. There are three levels:
1. Information messages: These are shown with an "i" in a white circle, which
indicates that the system performed the task successfully.
2. Warning messages: These are shown with a yellow triangular icon, which indicates that
an event occurred which might create a problem later.
3. Error and critical messages: These are shown with an exclamation mark inside a red
circle, which indicates that a significant problem occurred.
[Figure: Event Viewer Overview pane: "To view events that have occurred on your computer, select the appropriate source, log or custom view node in the console tree. The Administrative Events custom view contains all the administrative events, regardless of source." Summary of Administrative Events (Event Type, Event ID, Source, Log, Last hour, 24 hours) and Log Summary (Log Name, Size, Modified, Enabled, Retention)]
• Action Pane: The action menu items on the right pane include many of the options available
from the main menu bar. This includes saving event entries to a file, opening a saved event
file, exporting or filtering events, etc.
5. Forwarded Events: Other host machines in the network send these events when the
local machine is acting as a central domain for them.
• User: The name of the user logged in at the time the event occurred.
• Event ID: The identification number that states the event type.
• Level: Represents the severity of the event. The different levels are as follows:
o Information: Informs about a change in the application.
o Warning: Informs that an issue has occurred that can impact the services of the system.
• Log: The name of the log where the event was created.
In an organization, an administrator should have the practice of monitoring and auditing the log
files. Examples of suspicious activities on the computer may include:
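The suspicious activities the module lists on its slide (logins outside office hours, authority changes, account unlocks and password resets) as an added PowerShell log-review example, not from the courseware. The event IDs are standard Windows Security audit IDs that the page itself does not list (it defers to the Resource Kit), and the office-hours window and look-back period are constructed.

```powershell
# Added example (not from the CND courseware): review the Security log for the
# suspicious activities the module lists. The IDs are standard Windows Security
# audit event IDs (assumed, not taken from the page): 4624 successful logon,
# 4625 failed logon, 4724 password reset attempt, 4767 account unlocked,
# 4728/4732/4756 member added to a security-enabled group, 4729/4733/4757 removed.
# Requires administrative privileges; the Security log is not readable otherwise.

$Since       = (Get-Date).AddDays(-7)   # constructed look-back window
$OfficeStart = 8                        # constructed office hours: 08:00-18:00 local
$OfficeEnd   = 18

function Get-SecurityEvents([int[]]$Id) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

# Pull a named field out of the event XML: the message text is localised,
# the <Data Name="..."> elements are not
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1. Interactive (2) or remote interactive (10) logon attempts outside office hours
function Get-OffHoursLogon {
    Get-SecurityEvents -Id 4624, 4625 | Where-Object {
        $h = $_.TimeCreated.Hour
        ($h -lt $OfficeStart -or $h -ge $OfficeEnd) -and
        ((Get-EventField $_ 'LogonType') -in '2', '10')
    } | ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            User    = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
            Outcome = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
        }
    }
}

# 2. Authority change: members added to or removed from security groups
function Get-GroupMembershipChange {
    Get-SecurityEvents -Id 4728, 4732, 4756, 4729, 4733, 4757 | ForEach-Object {
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -in 4728, 4732, 4756) { 'added' } else { 'removed' }
            Group  = Get-EventField $_ 'TargetUserName'
            Member = Get-EventField $_ 'MemberSid'
            By     = Get-EventField $_ 'SubjectUserName'
        }
    }
}

# 3. Account unlocked / password reset attempts, with who performed them
function Get-AccountRecoveryEvent {
    Get-SecurityEvents -Id 4724, 4767 | ForEach-Object {
        [PSCustomObject]@{
            Time   = $_.TimeCreated
            Action = if ($_.Id -eq 4724) { 'password reset' } else { 'account unlocked' }
            Target = Get-EventField $_ 'TargetUserName'
            By     = Get-EventField $_ 'SubjectUserName'
        }
    }
}

Get-OffHoursLogon         | Format-Table -AutoSize
Get-GroupMembershipChange | Format-Table -AutoSize
Get-AccountRecoveryEvent  | Format-Table -AutoSize
```

A password reset or group change performed by an account that is not a known administrator, or a burst of off-hours failures followed by one success, is the pattern worth escalating.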
Install and configure a Host-based IDS/IPS solution to detect intrusion attempts on
a single host system
The host-based IDS analyzes and identifies the presence of any malicious activity in the computer
system on which it runs. It analyzes all parts of the computer system, especially the
resources used by each application, the current state of the system, and the stored information,
which includes RAM, log files and the file system, and checks for any changes in the applications.
• Any kind of modification in the critical configuration files like registry settings.
• Malware.
• Rootkits.
• Rogue processes.
host-based IDS and network-based IDS in order to confirm the presence of any changes in the
system performed by the intruders.
However, the network administrator should consider implementing both network-based IDS
and host-based IDS to secure their network.
Analysis: The host-based IDS analyzes the log files and holds all information regarding the status of the system, whereas the network-based IDS analyzes the network traffic.
Protection: The host-based IDS protects even when the LAN is off, whereas the network-based IDS protects only when the LAN is on.
• Narrow operating system focus: Host-based IDS function only on certain operating
systems which in turn minimizes the number of drawbacks.
• Non-network based attacks: Identifies the attacks on the physical machine as well.
http://ossec.github.io
OSSEC is a platform to monitor and control your systems. It mixes together all the aspects of HIDS
(host-based intrusion detection), log monitoring, and Security Incident Management (SIM)/Security
Information and Event Management (SIEM). It runs on most operating systems, including Linux,
OpenBSD, FreeBSD, Mac OS X, Solaris and Windows.
Key Features:
• File Integrity Checking: The goal of file integrity checking (or FIM, file integrity monitoring)
is to detect changes to files and alert you when they happen. Whether it is an attack, misuse
by an employee or even a typo by an admin, any file, directory or registry change will be
reported to you.
• Log Monitoring: Every operating system, application, and device on your network generates
logs (events) to let you know what is happening. OSSEC collects, analyzes and correlates
these logs to let you know if something suspicious is happening (attack, misuse, errors, etc.).
• Rootkit Detection: Criminal hackers want to hide their actions, but with rootkit
detection you can be notified when the system is modified in a way common to rootkits.
• Active Response: Active response allows OSSEC to take immediate action when specified
alerts are triggered. This may prevent an incident from spreading before an administrator
can take action.
Source: http://ossec.github.io
[Figure: a host-based IDS detects rootkits, critical services that have been stopped, modification of critical configuration files (e.g. registry settings, /etc/passwd), and user access to systems and applications]
https://www.alienvault.com
Copyright© by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
AlienVault's Unified Security Management™ (USM™) platform accelerates and simplifies threat
detection, incident response and compliance management for IT teams with limited resources.
With essential security controls and integrated threat intelligence built-in, AlienVault USM puts
complete security visibility of threats affecting your network and how to mitigate them within
fast and easy reach.
• Network IDS
• Host IDS
Source: https://www.alienvault.com
http://www.tripwire.com
Tripwire software can help ensure the integrity of critical system files and directories by
identifying all changes made to them. Tripwire configuration options include the ability to
receive alerts via email if particular files are altered, and automated integrity checking via
a cron job. Using Tripwire for intrusion detection and damage assessment helps you keep track
of system changes and can speed recovery from a break-in by reducing the number of files
you must restore to repair the system.
Tripwire compares files and directories against a baseline database of file locations, modification
dates, and other data. It generates the baseline by taking a snapshot of specified files and
directories in a known secure state. (For maximum security, Tripwire should be installed and
the baseline created before the system is at risk from intrusion.) After creating the baseline
database, Tripwire compares the current system to the baseline and reports any modifications,
additions, or deletions.
Source: http://www.tripwire.com
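A baseline-and-compare check in the style the Tripwire description above gives (and that OSSEC's file integrity checking provides), as an added PowerShell example that is not Tripwire's or OSSEC's own code; the watched paths and the baseline file location are constructed.

```powershell
# Added example (not from the CND courseware, and not Tripwire's or OSSEC's code):
# a minimal file-integrity baseline. A snapshot of hashes and timestamps is taken
# in a known-good state; later runs report modifications, additions and deletions
# against it. Watched paths and the baseline location are constructed.

$WatchPaths   = @('C:\Windows\System32\drivers\etc', 'C:\inetpub\wwwroot')   # constructed
$BaselineFile = 'C:\ProgramData\fim-baseline.json'                            # constructed

function Get-FileSnapshot([string[]]$Paths) {
    # Hashtable keyed by full path; SHA-256 catches content changes that a
    # preserved timestamp would hide
    $snap = @{}
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $snap[$_.FullName] = @{
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Modified = $_.LastWriteTimeUtc.ToString('o')
                Size     = $_.Length
            }
        }
    }
    $snap
}

function New-Baseline {
    # Take the baseline only on a system known to be clean, before it is exposed,
    # and keep a copy of the file off-host: an intruder who can rewrite the
    # baseline can hide every later change
    Get-FileSnapshot $WatchPaths | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselineFile
}

function Compare-Baseline {
    $json = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    # ConvertFrom-Json yields an object with one property per path; rebuild the table
    $base = @{}
    foreach ($prop in $json.PSObject.Properties) { $base[$prop.Name] = $prop.Value }
    $now = Get-FileSnapshot $WatchPaths

    $allPaths = @($base.Keys) + @($now.Keys) | Sort-Object -Unique
    foreach ($path in $allPaths) {
        if (-not $now.ContainsKey($path)) {
            [PSCustomObject]@{ Change = 'deleted';  Path = $path }
        } elseif (-not $base.ContainsKey($path)) {
            [PSCustomObject]@{ Change = 'added';    Path = $path }
        } elseif ($base[$path].Hash -ne $now[$path].Hash) {
            [PSCustomObject]@{ Change = 'modified'; Path = $path }
        }
    }
}

# First run records the baseline; later runs (e.g. from a scheduled task, the
# Windows counterpart of Tripwire's cron job) report deviations to act on
if (-not (Test-Path $BaselineFile)) {
    New-Baseline
} else {
    Compare-Baseline | Format-Table -AutoSize
}
```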
Use Access Control Lists (ACLs) and permissions to control access to files and folders
Access Control Entry (ACE): Allows/denies access to files or directories for a user or group of users
Access Control List (ACL): A collection of ACEs for accessing specific files or directories
Access controls can grant users, groups and computers the authority to access files and
folders on the computer. When a user or an application requests access to operating
system resources, they need to submit their credentials to the operating system. The
credentials are access tokens created every time a user or an application logs in. The
operating system verifies whether the access token has the permission to access the
objects before permitting the user or the application to access them. Here, the OS
compares the details contained in the access token with the Access Control Entries (ACEs) for
verification. The ACEs can block or permit the services depending on the type of the object. For
example, the ACEs available for a printer are Print, Manage Printing and Manage Documents.
The ACL contains a combination of the ACEs of an object.
• Least amount of access of objects to users or user groups, thereby allowing them to
perform only needed functions.
• Proper permissions are set up for files and folders while installing the operating
system. Upgrade the level of permissions from least privilege to the desired level
during installation itself.
• The files and other documents included in a folder can inherit the permitted privileges
assigned to that folder.
• Event viewer helps in viewing the security logs associated with any object.
• Access Control Entries: An ACL can have zero or more ACEs, where each ACE specifies
access to an object. Overall, there are six types of ACEs, of which securable objects
support three (generic types) and the other three are for directory service objects (object-
specific types).
• Access denied ACE: Used in the discretionary access control list in order to deny
access to a user.
• Access allowed ACE: Used in the discretionary access control list in order to allow
access to a user.
• System audit ACE: Used in the system access control list in order to create an audit log
entry for each attempt by a user to access the object.
• Access denied, object specific: Used in the discretionary access control list to block
access to a property or property set. It can also stop inheritance by a
specified type of child object.
• Access allowed, object specific: Used in the discretionary access control list to permit
access to a property or property set. It can also stop inheritance by a
specified type of child object.
• System audit, object specific: Used in the system access control list in order to create
an audit log entry when a user attempts to access the child object.
The object-specific types and generic types differ only in the design of the inheritance level.
• Access Control Lists: An access control list is a table that provides a detailed description of
the access rights of users to objects. Every object has an access
control list that contains the details of the user rights and privileges for accessing that
object. Each OS has its own specific ACLs. An ACL has one or more ACEs that contain
the details of the users.
• Permissions: Each container or object has a security descriptor attached to it. This
security descriptor contains a detailed description of the user access rights. The
security descriptor is created along with the container or object. An ACE represents the
permission granted to users or user groups, and the whole list or set of permissions is contained in
an access control list (ACL). There are two types of permissions:
• Inherited permission: These are permissions passed from the parent object to the
child object.
For example, any files and folders in a folder can inherit the permissions applicable to that
particular parent folder. Here, the parent folder has explicit permissions, whereas the files and
folders have inherited permissions.
• There are two sets of permission entries for accessing a folder on a file server:
• Share permission on a folder: Used for files and folders shared across the network or
among many user accounts. The permissions can be either denied or allowed depending on
the users or user accounts. The most commonly used share permissions are: Full
Control, Change and Read.
• NTFS permission on a folder: Controls the permissions over network and local
computers. The most commonly used NTFS permissions are: Full Control, Modify, Read
and Execute, Read, Write.
The two are independent of each other; however, the final access decision takes both sets of
permissions into account.
[Figure: Applying NTFS permissions. Typical folder permissions allowed on the NTFS file system are Full Control, Modify, Read & Execute, List Folder Contents, Read and Write. Each of these permissions includes a logical group of special permissions: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership, Synchronise. Source: https://technet.microsoft.com]
[Figure: folder Properties dialog with the General, Sharing, Security, Previous Versions and Customize tabs]
File permissions:
• Full Control: Specifies whether a user has all permissions to files. Users having full
control have complete access rights to any file even if they have been denied permission.
• Modify: Allows the user to read, write, execute and traverse.
• Read and Execute: Allows the users to go through each directory and read all files.
• Read: Allows the users to list folders, read files, read attributes and read
permissions.
• Write: Allows users to create files, write data, create folders and set attributes.
Folder permissions:
• Full Control: Specifies whether the user has complete access to folders.
• Modify: Allows the user to read, write, execute and traverse.
• Read & Execute: Allows the users to list folders, read files, read attributes and
read permissions.
• List Folder Contents: Specifies whether the user can access the folder and the subfolders
included in it.
• Read: Allows the users to list folders, read files, read attributes and read
permissions.
• Write: Allows users to create files, write data, create folders and set attributes.
The List Folder Contents permission can be set only where it is inherited by folders and not
files, whereas Read and Execute can appear for both files and folders.
It is possible to back up and restore data on NTFS files. However, with FAT files, it is not possible
to set permissions on individual files and folders.
To set, view, change, or remove special permissions for files and folders, go to the specific file or
folder on which you want to set the special permissions.
1. Right-click the file or folder, click Properties, and then click the Security tab
2. Click Advanced
3. Click Add to set special permissions for a new group or user in the Permission Entry
window
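An added PowerShell example (not from the courseware) that applies the ACE/ACL concepts and the steps above in code: it replaces the inherited ACEs on a folder with least-privilege NTFS entries for groups, then shares the folder with share permissions no wider than the NTFS ones. Folder, share and group names are constructed.

```powershell
# Added example (not from the CND courseware): least-privilege NTFS ACL on a
# folder plus a share whose share permissions are no wider than the NTFS ones.
# Folder, share and group names are constructed; run in an elevated session.

$Folder    = 'D:\Shares\Finance'        # constructed
$ShareName = 'Finance$'                 # constructed (hidden share)
$Readers   = 'CORP\Finance-Readers'     # constructed group names, never individual users
$Editors   = 'CORP\Finance-Editors'

# Generic access-allowed ACE that child files and folders will inherit
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity, [string]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $inherit, $propagate, $allow
}

function Set-LeastPrivilegeAcl([string]$Path) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path

    # Stop inheriting the parent's ACEs (isProtected = $true) and do not copy
    # them (preserveInheritance = $false): only the explicit entries below remain
    $acl.SetAccessRuleProtection($true, $false)

    # Administrators and SYSTEM keep Full Control so backup and management work;
    # business groups get only what their role needs
    $acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
    $acl.AddAccessRule((New-Ace $Readers 'ReadAndExecute'))
    $acl.AddAccessRule((New-Ace $Editors 'Modify'))
    Set-Acl -Path $Path -AclObject $acl
}

function Publish-RestrictedShare {
    # Share permissions go to groups, never to Everyone. Effective access over the
    # network is whichever of share and NTFS is more restrictive, so Readers stay
    # read-only even though Editors are granted Change at the share level
    New-SmbShare -Name $ShareName -Path $Folder `
        -ReadAccess $Readers -ChangeAccess $Editors -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# Report the resulting ACEs in the same terms as the Security tab shows them
function Show-EffectiveEntries([string]$Path) {
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-LeastPrivilegeAcl $Folder
Publish-RestrictedShare
Show-EffectiveEntries $Folder        | Format-Table -AutoSize
Get-SmbShareAccess -Name $ShareName  | Format-Table -AutoSize
```

Any entry in the report with IsInherited = True or an IdentityReference of Everyone or Users means the least-privilege intent was not fully applied and the folder should be checked against the Security tab.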
Applying Share Permissions
Share permissions are applied from the File Sharing dialog: choose the people to share with, type a name and then click Add, or click the arrow to find someone.
Note: Use NTFS permissions in addition to share permissions to provide more restriction on shared folders
Shared folders can contain personal information, applications, etc. Hence, configuring
share permissions depends on the type of data contained in a particular folder.
• Shared folder permissions are applicable only to folders and not to individual files.
• Shared folders do not ask for access permission from users accessing the folder on the
system where the folder is stored. Access permission is asked of those users who
access the folder over the internet.
Go to Computer Management
1. Click System Tools, right-click Shares and click New Share
2. Browse to the folder that you want to share
3. Enter the Share Name
4. Select Customize permissions and click Custom to customize the Shared Folder Permissions
• The share permissions only allow users and/or groups of users to access a specific shared folder
The Windows environment puts forward the concept of shared folders that allow all users to access the resources contained in a particular shared folder. A shared folder enables every user to view and access the contents of the folder without any restriction. However, the organization needs to employ certain restrictions or permissions that protect the contents of the shared folder.
A shared folder can contain applications, personal data or any other data. The permissions set on the data depend on the type of content included in the shared folder. Certain features of a shared folder are:
• The shared folder permissions apply only to folders and not to files.
• The share permissions do not apply to the individual files and folders contained in the shared folder.
• The permission to access the folder applies to all users who connect to the folder.
There are certain best practices to follow while providing shared folder permissions:
• Assign folder permissions to group accounts and not to user accounts: Assigning permissions to group accounts is much easier than assigning them to user accounts. A user can be a member of different shared folders, and each folder can have different share folder permissions. This leads to a combination of user and group folder permissions. In the case of group permissions, it is just a matter of adding or removing users from the group, with no need to reassign the permissions to the users.
• Apply restrictions to the permissions given to users in such a way that the users can still perform their tasks.
• Do not explicitly deny permission to a shared resource: if a shared folder permission is denied to a user, that user cannot have that permission, even if it is allowed through another group.
• Set NTFS file system permissions for users logging in locally: Shared folder permissions apply to those resources that are accessed through the network and not locally. Shared folder permissions also apply to files and folders on a FAT volume.
• Ensure that copied or moved shared folders retain the shared folder permissions.
These steps will show how to create and secure a Windows file share.
1. Click on the Start menu and, in the search box, type "Computer Management".
2. Click System Tools ➔ Shared Folders.
5. In the "Folder path" text box, enter the path of the folder to be shared ➔ Next.
7. As per the requirement, administrators can select the option to set the kind of permissions.
8. Finish.
EFS Limitations
• It works only for the NTFS file system.
• Loses encryption when encrypted data is copied to a non-NTFS system.
BitLocker is a full-disk encryption solution that ...
Note: Always use full-disk encryption instead of encrypting specific files or folders.
Data encryption is used to prevent data from being intercepted, altered or misused. The Windows operating system provides built-in encryption mechanisms such as EFS and BitLocker to encrypt a specific file, a folder or an entire drive.
• EFS Features:
• Helps in deciding which users can access files and folders.
• EFS Limitations:
BitLocker
BitLocker extends the level of protection to the disk level. All the sensitive and important documents on the drive can be easily protected using BitLocker. It prevents attackers from obtaining the system password or documents even after removing the hard drive and placing it in another PC. The main feature of BitLocker is that it encrypts any new file added to the drive. However, copying files to another drive or PC keeps the files in decrypted form. BitLocker finds its application in encrypting:
• Benefits of BitLocker:
• Provides protection by encrypting the hard disk, thus protecting the information stored on a physically damaged and irreversible hard drive.
• As BitLocker offers boot-time inspection, it prevents unauthorized changes.
• It helps protect data even in the case of system theft, as the attacker cannot access the encrypted files.
• Provides better protection for files and other sensitive documents while offline. While online, the user needs to configure NTFS permissions or use EFS.
Data Encryption Recommendations
• Encrypt the C:\HOME directory
• Encrypt My Documents under C:\Documents and Settings
• Encrypt Local Settings under C:\Documents and Settings
The organization should consider encrypting important and sensitive data related to business information or "secrets"/intellectual property. It may include messages, financial reports, legal documents, patents, product releases, research and development data, etc. Data is protected from prying eyes even if the computer gets stolen.
• Use third-party encryption tools to encrypt your sensitive data, if required.
• VeraCrypt: https://veracrypt.codeplex.com
• 7Zip: http://www.7-zip.org
• Cryptainer LE: http://www.cypherix.com
• AxCrypt: http://www.axantum.com
• KeePass: http://keepass.info
• OpenPuff: http://embeddedsw.net
• Cryptoforge: http://www.cryptoforge.com
• AutoKrypt: http://www.hiteksoftware.com
• EncryptOnClick: http://www.2brightsparks.com
• Steghide: http://www.securityfocus.com
VeraCrypt
Source: https://veracrypt.codeplex.com
VeraCrypt is used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file or encrypt a partition.
7Zip
Source: http://www.7-zip.org
7-Zip is open source software which performs encryption with high compression.
Cryptainer LE
Source: http://www.cypherix.com
Cryptainer LE can encrypt every kind of file format, whether it is textual, tabular, graphical, organized in a database, audio or video. It also allows users to password protect files and folders on CD-ROMs, DVDs, etc.
AxCrypt
Source: http://www.axantum.com
AxCrypt integrates seamlessly with Windows to compress, encrypt, decrypt, store, send and work with individual files. Password protect any number of files using strong encryption.
KeePass
Source: http://keepass.info
KeePass supports the Advanced Encryption Standard (AES, Rijndael) and the Twofish algorithm
to encrypt its password databases.
Steghide
Source: http://www.securityfocus.com
Steghide is a steganography program, which hides bits of a data file in some of the least
significant bits of another file in such a way that the existence of the data file is not visible and
cannot be proven.
OpenPuff
Source: http://embeddedsw.net
OpenPuff securely encrypts and hides files inside other files. It supports many file formats, such as images (BMP, JPG, PCX, PNG, TGA), audio (AIFF, MP3, NEXT/SUN, WAV), video (3GP, MP4, MPG, VOB) and Flash/Adobe (FLV, SWF, PDF).
Cryptoforge
Source: http://www.cryptoforge.com
CryptoForge is file encryption software for personal and professional data security. It allows protecting the privacy of sensitive files, folders, or email messages. After encrypting the information, one can store it on insecure media or transmit it over an insecure network, like the Internet, and still keep it secret. Later, the information can be decrypted into its original form.
AutoKrypt
Source: http://www.hiteksoftware.com
AutoKrypt is data encryption software designed for automation. It automatically encrypts or
decrypts files and folders on a schedule.
EncryptOnClick
Source: http://www.2brightsparks.com
EncryptOnClick helps encrypt and protect sensitive files.
• Features:
• Secure encryption and decryption method is used (256-bit AES encryption).
• Files are both compressed & encrypted, which results in a smaller file.
• Password protected.
• Encrypt single files or all files in a folder.
• Unicode enabled so filenames in any language can be encrypted.
• Encrypt, decrypt, compress, and un-compress files, which can also be opened and
decrypted using third party programs like WinZip 9 (provided the correct password is
used).
buck-security is a security scanner for Debian and Ubuntu Linux. It runs a couple of important checks and helps you harden your Linux system. This enables you to quickly overview the security status of your Linux system. As a system administrator, you often get into situations where you have to take care of a server that has been maintained by other people. In this situation, it is useful to get an idea of the security status of the system immediately. buck-security was designed exactly for this. It runs a few important checks and returns the results. It was designed to be extremely easy to install, use and configure.
Source: http://www.buck-security.net
# sudo vi /etc/login.defs
The /etc/login.defs file defines the site-specific configuration for password management in Linux. The users in an organization need to ensure that the default password policy matches the organization's password policy.
The "root" account is the most privileged account in Linux. The root account gives access to
administrators to add accounts, change user passwords, audit and monitor log files etc. The
root account does not have any security features imposed on it. Administrators can easily
perform their tasks with a root account.
If an administrator wants to change the password on behalf of a user, they have to log in to the "root" account.
The user and group accounts can change their own passwords using the commands below:
• An individual user can change their password using the command: $ passwd. This prompts the user to change the password by asking for the current and the new password.
• An administrator can change the password for an individual user using the command: # passwd username. This prompts the admin to provide the new password.
• The administrator can change the password of any group account with the command: # passwd -g groupname.
With the help of /etc/login.defs, you can set common best practices for password management in Linux, such as:
• Use strong 'root' passwords
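The following shell script is an added example (not from the CND courseware) that audits the PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE and PASS_MIN_LEN directives of a login.defs file against an assumed baseline; the thresholds and the sample file are constructed for illustration.

```shell
# Added example (not part of the CND courseware): audit the password-ageing
# and length settings of a login.defs-style file against an assumed baseline.
# The limits below are assumptions for illustration, not values from the page.
MAX_DAYS_LIMIT=90     # PASS_MAX_DAYS must not exceed this
MIN_DAYS_LIMIT=1      # PASS_MIN_DAYS must be at least this
WARN_AGE_LIMIT=7      # PASS_WARN_AGE must be at least this
MIN_LEN_LIMIT=12      # PASS_MIN_LEN must be at least this

# Print the value of one directive, ignoring comment lines ("#PASS_MIN_LEN 5"
# is a comment, not a setting). Prints an empty line when it is absent.
logindefs_get() {
    # $1 = path to the file, $2 = directive name
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Compare one directive with a limit. $4 is "max" (value must not exceed the
# limit) or "min" (value must reach the limit). Prints one result line.
check_directive() {
    file=$1; key=$2; limit=$3; mode=$4
    val=$(logindefs_get "$file" "$key")
    if [ -z "$val" ]; then
        echo "MISSING $key (compiled-in default applies; set it explicitly)"
    elif [ "$mode" = max ] && [ "$val" -gt "$limit" ]; then
        echo "FAIL $key=$val (must be <= $limit)"
    elif [ "$mode" = min ] && [ "$val" -lt "$limit" ]; then
        echo "FAIL $key=$val (must be >= $limit)"
    else
        echo "OK $key=$val"
    fi
}

# Run all four checks on a file, one result line per directive.
audit_logindefs() {
    check_directive "$1" PASS_MAX_DAYS "$MAX_DAYS_LIMIT" max
    check_directive "$1" PASS_MIN_DAYS "$MIN_DAYS_LIMIT" min
    check_directive "$1" PASS_WARN_AGE "$WARN_AGE_LIMIT" min
    check_directive "$1" PASS_MIN_LEN  "$MIN_LEN_LIMIT"  min
}

# Constructed sample resembling a distribution default (99999 days means the
# password never expires), written to a temp file so the check runs offline.
SAMPLE_DEFS=$(mktemp)
trap 'rm -f "$SAMPLE_DEFS"' EXIT
cat > "$SAMPLE_DEFS" <<'EOF'
# /etc/login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
# PASS_MIN_LEN is commented out here, so the compiled-in default applies
#PASS_MIN_LEN   5
EOF

audit_logindefs "$SAMPLE_DEFS"
```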
• Know the processes running on the system: # ps ax
• Know the processes that are accepting connections and a list of open ports: # netstat -lp, # netstat -a
• Use the following commands to disable unwanted services on Red Hat, Fedora, and Red Hat based Linux distributions: # chkconfig [service name] off, # chkconfig [service name] --del, # service [service name] stop
The user needs to be completely sure about the services running on their Linux system, and these should be based on the organizational policy. Normally, installing an operating system installs many services and packages automatically, without the user's knowledge. The installation of many unnecessary services creates security threats to hosts. Unnecessary services which are not required, or which are against the organization's security policy, should be disabled. Administrators should check periodically whether their Linux system is running unnecessary services and disable them.
The administrator can use the command # ps ax in order to view all the processes running on the particular Linux system. This command lists the active processes along with their process ID (PID). They can then compare the services running on a host with the organization's policy and disable any unwanted services.
# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [2]
    2 ?        S      0:00 [kthreadd]
    3 ?        S      0:01 [ksoftirqd/0]
    5 ?        S<     0:00 [kworker/0:0H]
    6 ?        S      0:00 [kworker/u128:0]
    7 ?        S      0:00 [rcu_sched]
    8 ?        S      0:00 [rcu_bh]
    9 ?        S      0:00 [migration/0]
   10 ?        S      0:00 [watchdog/0]
   11 ?        S<     0:00 [khelper]
   12 ?        S      0:00 [kdevtmpfs]
   13 ?        S<     0:00 [netns]
   14 ?        S<     0:00 [writeback]
   15 ?        SN     0:00 [ksmd]
   16 ?        SN     0:00 [khugepaged]
   17 ?        S<     0:00 [kintegrityd]
   18 ?        S<     0:00 [bioset]
   19 ?        S<     0:00 [kblockd]
   21 ?        S      0:00 [khungtaskd]
   22 ?        S      0:00 [kswapd0]
   23 ?        S      0:00 [fsnotify_mark]
   24 ?        S<     0:00 [crypto]
Next, it is possible to find listening ports using the netstat command: # netstat -lp
... /var/run/pcscd/pcscd.comm
unix  2      [ ACC ]     STREAM     LISTENING     8446     2502/Xorg            /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     9373     2880/gnome-keyring-  ...
The netstat command helps identify the unwanted services running on a system. This makes it easier for the administrator to disable those services. The command chkconfig enables and disables services in Fedora and CentOS. For example, if the administrator needs to disable the Apache web server at system startup, they can use the following commands:
• # chkconfig httpd off
• # chkconfig httpd --del
In other operating systems like Ubuntu and Linux Mint, the command # update-rc.d -f [service name] remove helps to disable a service.
Disabling unwanted services in this way increases the processing speed of the operating system and does not waste system resources on these unwanted services.
# kill -9 [PID]
The kill command is usually used in order to terminate any service in Linux. This allows the system to continue running without a reboot after a service is killed. There are many ways to execute the kill command. The kill command is generally represented as:
• # kill [signal or option] PID(s)
Type the command # ps -A in order to know the PIDs of all the processes running in the system. After knowing the PID for a particular service, type the command for killing the service. For example, in order to obtain the PID for the service cupsd, type the command:
This provides the PID for the service cupsd. Now, in order to kill this service, type the command:
■ # kill -9 1511
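As an added example (not part of the courseware), the following script compares the PID/Program name column of netstat -lp output against an assumed list of approved services, producing the PIDs and names an administrator would pass to service stop, chkconfig off or, as a last resort, kill; the approved list and the netstat output are constructed for the example.

```shell
# Added example (not part of the CND courseware): report listening services
# that are not on an approved list, with the PID an administrator would use
# with "service ... stop" / "chkconfig ... off" or, as a last resort, kill.
# On a real host, pipe the output of "netstat -lp" into unapproved_listeners.

# Approved listening programs (assumed organizational policy, space separated).
APPROVED_SERVICES="sshd rpcbind"

# Read netstat -lp output on stdin and print "PROTO LOCAL_ADDRESS PID PROGRAM"
# for every TCP/UDP listener whose program is not approved. Sockets whose owner
# is not visible (PID/Program name shown as "-") are reported as UNKNOWN, since
# they still need to be identified (netstat shows "-" when run unprivileged).
unapproved_listeners() {
    awk -v approved="$APPROVED_SERVICES" '
        BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # tcp/udp lines: proto recv-q send-q local foreign [state] pid/program
        $1 ~ /^(tcp|udp)6?$/ {
            pidprog = $NF
            if (pidprog == "-") { print $1, $4, "UNKNOWN", "UNKNOWN"; next }
            split(pidprog, pp, "/")
            if (!(pp[2] in ok)) print $1, $4, pp[1], pp[2]
        }'
}

# Constructed sample of "netstat -lp" output from a lab host; the UNIX socket
# section at the end is ignored by the filter above.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      1488/httpd
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      1511/cupsd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1023/sshd
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                           742/rpcbind
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           -
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     8446     2502/Xorg            /tmp/.X11-unix/X0'

# Run the filter over the constructed sample so the result can be checked.
report_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unapproved_listeners
}

report_sample
```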
Update or patch your Linux system in one of the following ways:
1. Download updated packages from a distribution's website and manually install them on your system. Check your distribution's website for the latest patch and update.
2. Download and install updates using third-party applications.
Most Linux distributions come with command line or even graphical software to update your Linux system. Use the following tools to update your Linux system:
• Use up2date for Red Hat based Linux distributions
• Use apt-get for Debian based Linux distributions
• Use autoupdate for other RPM-based Linux distributions
Patch
In Linux, patch updates are applied to software components such as the kernel or services. The patches help you remove existing vulnerabilities, fix security problems and include the latest features. Administrators are required to test the patches before installing them on a host machine. Testing the upgraded software helps verify that the upgraded software is correct.
Some Linux distributions can be configured to warn you when patches for installed software are available. Security fixes are the most important patches, as they resolve security issues of the systems. Once a security threat is revealed, Linux distributors release security patches within hours. An administrator should keep themselves up to date while handling security issues of Linux.
An easy way to receive all the updates is to subscribe for updates from the vendors. The updates should cover the kernel, inetd and certain services.
Users can have custom-based or free services from the online resource. For routine awareness of patch releases, administrators are advised to set up a Java-based program called RHN Alert Notification Tool. When a new update is released, it notifies the administrator through a change in its icon.
2. RPM Package Manager: The functioning of RPM is similar to RHN; however, it does not provide detailed information about every patch available. RPM provides a list of available patches through a user interface. RPM is operated by the command rpm. When an important patch is set as necessary, RPM downloads the patch to the system.
Type the ls -l command to list the files and their permissions under the home directory.
Types of permissions:
• r ➔ denotes read permission
• w ➔ denotes write permission
• x ➔ denotes execute permission
• - ➔ refers to no permission
Permission details:
• The first character in the directory list denotes the file type (d, if directory)
• The next three characters denote user permissions
• The next three characters denote group permissions
• The final three characters denote other permissions
Permission groups: owner and group
• The first name after the number is the owner name
• The second name after the number is the group name
Access control through file permissions is useful to control unauthorized access to system
resources. An individual user, group of users or all who access the system can have access to
certain directories and files if they have the permissions to access them.
Each file and directory has three user based permission groups:
Permission Types
Each file or directory has three types of basic permissions:
• Read: Users can only read the contents of the files or directories.
• Write: Users can only write or modify the changes of the files or directories.
• Execute: Users can execute the files or directories to view its contents. The Execute
permission affects a user's capability to execute a file or view the contents of a directory.
User Rights/Permissions
The permissions in the command line can be written as: rwxrwxrwx 1 owner:group
1. The first three characters (rwx) are the owner permissions.
2. The next three characters (rwx) are the group permissions.
3. The next three characters (rwx) are the all users permissions.
4. The number in the listing represents the number of hard links to the file.
5. The owner and group assignment is formatted as owner:group.
File permissions
• 777 (rwxrwxrwx): No restrictions on permissions. Anybody can do anything. Generally not a desirable setting.
• 755 (rwxr-xr-x): The file owner may read, write, and execute the file. Others can read and execute the file. This setting is useful for programs that are used by all users.
• 700 (rwx------): The file owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the user may use and that are kept private from others.
• 666 (rw-rw-rw-): All users can read and write the file.
• 644 (rw-r--r--): The owner can read and write the file, while others may only read it. A very common setting where everybody may read but only the owner can make changes.
• 600 (rw-------): The owner can read and write the file. Others have no rights. A common setting for files that the owner wants to keep private.
Directory permissions
• 777 (rwxrwxrwx): No restrictions. Anybody can list files, create new files in the directory, and delete files in the directory.
• 755 (rwxr-xr-x): The directory owner has full access. All others can list the directory but cannot create or delete files in it. This setting is useful for directories that you wish to share with other users.
• 700 (rwx------): The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the user can use and that must be kept private from others.
• u: Owner
• g: Group
• o or a: All Users
The operators used along with the groups are + (plus) and - (minus). These assignment operators define whether the permission has to be added or removed.
Example: A file has its permissions set to rw-rw-rw-, which means that the owner, group and all users have read and write permission.
• If the permission has to be removed from All Users, the modification will be: chmod a-rw file1
• If the same permission has to be added back, the command will be: chmod a+rw file1
• r = 4
• w = 2
• x = 1
Administrators are required to add up these numeric permission values for each of the three permission groups.
Advanced Permissions
The special permissions flag can be marked with any of the following:
• d: directory
• l: The file or directory is a symbolic link
• s: setuid/setgid permissions
Mode  File                    Description
400   /etc/cron.deny          List of users who can't use cron to submit periodic jobs
644   /etc/passwd             Old-style password file with user account information but not the passwords
600   /etc/securetty          TTY interfaces (terminals) from which root can log in
400   /etc/shadow             File with encrypted passwords and password expiration information
400   /etc/shutdown.allow     Users who can shut down or reboot by pressing Ctrl+Alt+Delete
755   /etc/ssh                Directory with configuration files for the Secure Shell (SSH)
644   /etc/syslog.conf        Configuration file for the syslogd server that logs messages
644   /etc/udev/udev.conf     Configuration file for udev, the program that provides the capability to dynamically name hot-pluggable devices and create the device files in the /dev directory
600   /etc/vsftpd             Configuration file for the very secure FTP server
600   /etc/vsftpd.ftpusers    List of users who are not allowed to use FTP to transfer files
Source: http://www.dummies.com
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
The table shown includes the typical numeric permission settings for important system files in
Linux. This may slightly vary depending on the Linux distribution.
After knowing the numeric permission values for common File and Directory Permission
Settings, you will be able to quickly identify the permissions given or changes in the permission
values for sensitive files and directories of Linux. Administrators should compare and identify
permission value allocations and changes in permission for the Linux hosts on their network.
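The following added example (not the courseware's own code) converts the ls -l permission string, including the setuid, setgid and sticky flags, into the octal form used in the table, and uses that to check a set of files against the expected modes above; the files are created in a temporary directory so the check runs offline, with one file deliberately left more permissive than the table allows.

```shell
# Added example (not part of the CND courseware): turn the permission string
# shown by "ls -l" into its octal value (handling s/S/t/T special bits) and use
# it to compare files against expected modes like those in the table above.
# The lab tree below is constructed; on a real host check the paths directly.

# Convert a 10-character mode string such as "-rwxr-sr-x" to octal ("2755").
# r=4, w=2, x=1 per triplet; "s"/"t" mean execute plus a special bit, "S"/"T"
# the special bit without execute. The leading special digit is printed only
# when a special bit is set, matching how the table writes 644, 600, 755.
mode_to_octal() {
    m=$1; special=0; octal=""
    for i in 2 5 8; do                        # owner, group, other triplets
        t=$(printf '%s' "$m" | cut -c"$i"-"$((i + 2))")
        v=0
        case $t in r??) v=$((v + 4));; esac
        case $t in ?w?) v=$((v + 2));; esac
        case $t in ??[xst]) v=$((v + 1));; esac
        octal="$octal$v"
    done
    case $m in ???[sS]??????) special=$((special + 4));; esac   # setuid
    case $m in ??????[sS]???) special=$((special + 2));; esac   # setgid
    case $m in ?????????[tT]) special=$((special + 1));; esac   # sticky
    if [ "$special" -eq 0 ]; then echo "$octal"; else echo "$special$octal"; fi
}

# Read a path's mode from "ls -ld" (first 10 characters, so a trailing ACL "+"
# or SELinux "." marker is ignored) and print it in octal.
file_mode_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Check paths under $1 (a directory standing in for "/") against expected
# modes taken from the table above. Prints "OK path mode" or
# "MISMATCH path expected=E actual=A" for each entry.
check_expected_modes() {
    root=$1
    while read -r mode path; do
        actual=$(file_mode_octal "$root$path")
        if [ "$actual" = "$mode" ]; then
            echo "OK $path $mode"
        else
            echo "MISMATCH $path expected=$mode actual=$actual"
        fi
    done <<'EOF'
400 /etc/shadow
644 /etc/passwd
600 /etc/securetty
755 /etc/ssh
EOF
}

# Constructed lab tree standing in for a host's /etc; securetty is deliberately
# left world-readable (644 instead of 600) to show a detected deviation.
LAB_ROOT=$(mktemp -d)
trap 'rm -rf "$LAB_ROOT"' EXIT
mkdir -p "$LAB_ROOT/etc/ssh"
for f in shadow passwd securetty; do : > "$LAB_ROOT/etc/$f"; done
chmod 400 "$LAB_ROOT/etc/shadow"
chmod 644 "$LAB_ROOT/etc/passwd"
chmod 644 "$LAB_ROOT/etc/securetty"
chmod 755 "$LAB_ROOT/etc/ssh"

check_expected_modes "$LAB_ROOT"
```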
IPtables is a built-in firewall utility for Linux operating systems. IPtables comes pre-installed on any Linux distribution. However, you can update/install it with the following command:
sudo apt-get install iptables
Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)
Commands:
Either long or short options are allowed.
  --append  -A chain            Append to chain
  --check   -C chain            Check for the existence of a rule
  --delete  -D chain            Delete matching rule from chain
  --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
iptables is a command-line firewall utility that can allow or deny traffic. iptables is preinstalled on a Linux system. In order to update or install iptables, the user needs to obtain the iptables package using the command:
sudo apt-get install iptables
Every packet traversing through the filter system is assigned to an appropriate table depending
on the tasks performed by the packet. The table contains chains that display the details of the
destination of the packet. The tables can be used to create rules and the user has the facility to
create their own chains and link them from the built-in chains. This facilitates the ability to
create complex rules. However, the user needs to be extra alert while using the iptable
commands as any small error in the command can lock the system and requires the user to fix
the error manually.
There are three different types of chains:
• Input: The input chain verifies incoming connections and their behavior. iptables compares the IP address and port of the incoming connection to a rule in the chain.
• Forward: The forward chain mainly forwards incoming connections to their destination. The command iptables -L -v verifies whether an incoming connection needs a forward chain.
• Output: The output chain is used for outgoing connections, wherein the chain checks its rules and decides whether to allow or deny the outgoing request.
Various types of Linux OS and core application logs are stored under the /var/log directory.
• Authentication log: /var/log/secure or /var/log/auth.log
• Login records file: /var/log/utmp or /var/log/wtmp
Logs provide a shadow of the system events performed on a computer. They let you know what has happened on the system. Regular monitoring and auditing of the logs helps administrators trace a user's activities on the system.
Log files are usually text-based files. The logs come from the system and from various programs/services. All log files are stored under the path /var/log. The log file /var/log/wtmp stores all logins and logouts to the system, and /var/log/messages stores logs from all kernel and system programs.
It is advisable to monitor and clean the files in /var/log at regular intervals. The logrotate utility allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can handle a log file daily, weekly, monthly or when the log file reaches a certain size.
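As an added example (not part of the courseware), the following script summarises failed and accepted SSH logins from auth.log-style lines, the kind of routine check over the authentication log that the text recommends; the log lines are constructed and use the 203.0.113.0/24 documentation address range.

```shell
# Added example (not part of the CND courseware): summarise SSH authentication
# events from /var/log/auth.log-style lines so that a burst of failed attempts
# against an account stands out next to the logins that succeeded.
# On a real host: summarise_ssh_auth < /var/log/auth.log (or /var/log/secure).

# Read auth.log lines on stdin. Prints "FAILED <ip> <count>" for each source
# address with failed password attempts and "ACCEPTED <user> <ip>" for each
# successful login; other lines (cron sessions, etc.) are ignored. Output is
# sorted so that repeated runs give stable results.
summarise_ssh_auth() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            # "... Failed password for [invalid user] NAME from IP port N ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            failed[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print "ACCEPTED", user, ip
        }
        END { for (ip in failed) print "FAILED", ip, failed[ip] }
    ' | sort
}

# Constructed sample of auth.log lines from a lab host named kali.
SAMPLE_AUTH_LOG='Feb  1 09:09:01 kali CRON[3564]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb  1 09:09:01 kali CRON[3564]: pam_unix(cron:session): session closed for user root
Feb  1 09:12:44 kali sshd[3601]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Feb  1 09:12:47 kali sshd[3601]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Feb  1 09:12:51 kali sshd[3603]: Failed password for root from 203.0.113.5 port 51030 ssh2
Feb  1 09:15:02 kali sshd[3610]: Failed password for alice from 203.0.113.77 port 40012 ssh2
Feb  1 09:15:09 kali sshd[3610]: Accepted password for alice from 203.0.113.77 port 40012 ssh2
Feb  1 09:15:09 kali sshd[3610]: pam_unix(sshd:session): session opened for user alice by (uid=0)'

# Run the summary over the constructed sample so the result can be checked.
report_sample_auth() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | summarise_ssh_auth
}

report_sample_auth
```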
(Screenshot: Log File Viewer showing CRON pam_unix(cron:session) entries from host kali in the authentication log; 653 lines (69.8 kB), last update: Mon Feb 1 04:39:01 2016.)
Most log files are in plain text format. You can view these log files using any text editor.
However, some log files are not readable in a human format when opening with a text editor.
The System Log Viewer is a graphical, menu-driven viewer that facilitates the viewing and
monitoring of the system logs. It comes with a few functions that can help you manage your
logs, including a log monitor and log statistics display. It allows you to view system log files in an
interactive, real-time application.
Log File Viewer is useful if you are new to system administration because it provides an easier,
more user-friendly display of your logs than a text display of the log file. It is also useful for
more experienced administrators, as it contains a monitor to enable you to continuously
monitor crucial logs.
Note: Log File Viewer is useful only to those who have access to the system log files, which
generally requires root access.
To view system logs in Kali Linux, go to Applications ➔ System Tools ➔ Log File Viewer.
Source: https://help.gnome.org
Server hardening refers to the increased level of security provided in order for the servers to
operate in a more secured environment. Hardening a server involves applying all the system
security measures with some server specific security measures depending upon the type of
service it provides. Administrators should consider the following points before hardening the
servers:
1. Identify the network service that a server is providing.
Administrators use various methods and tools for hardening the server. Hardening involves
securing the key components of the IT architecture to reduce the risks of attack.
• It provides a better way of monitoring network traffic and makes it easy to detect attacks
• A separate firewall can be used to restrict and block unnecessary traffic on the web server
(Figure: User, DMZ, Internal Network.)
Hardening Web Server (Cont'd)
• Place the supporting servers such as the Directory (LDAP) server, Database server, etc. on a protected network
(Figure: User, Internet, Firewall, DMZ with E-mail Server, DNS Server and Web Server; Firewall and SQL Server on the Protected Subnet; Internal Network.)
The web server is a client-server architecture that enables service requests through the HTTP
protocol. Proper authentication and firewall techniques enhance the security features for sites
that do not require public or external access. Secure Sockets Layer ensures security for web
based transactions. Proper analysis of the web server logs ensures it is secure and checks for
any unusual behavior.
Any attempts to access suspicious webpages have the potential to exploit the security of the
web server. Administrators should ensure that web servers are updated with the latest patches.
• Properly organize the web server software and web server host OS
• Place the supporting servers on other isolated subnets: This allows for the passage of
allowed traffic only between the web server and that particular server. For example, only
the SQL protocol is permitted between a SQL server and the webserver.
• Disable source routing and IP forwarding on the router: Enabling source routing and IP forwarding can lead to man-in-the-middle attacks and IP spoofing against a web server.
• The servers
• Use appropriate access control: Controls the access to the web server software.
• Password files
• Recognize the level of protection required: Only authorized administrators can read or write web server log files. Some temporary files are restricted and are stored in subdirectories. Only the services which created the files have permission to access those subdirectories and files.
• Enable logging: Proper logging of the web server files helps locate any irregular activities
in the server. The following t ypes of logging help monitor web server logs:
• Transfer logging
• Error logging
• Agent logging
• Referrer logging
• Proper authentication and encryption mechanisms: Find methods to overcome the use of
address-based authentication and HTTP basic authentication.
• Keep a copy of the web site content on a secure host: Create strategies for transferring web site content to a secure location as a backup. This also helps increase the security mechanisms for this content.
• Apply the latest vendor-supplied updates and patches to mail server software
• Activate mail relay prevention options
• Use Spam URI Real-time Block Lists (SURBL) filters to prevent malware and phishing attacks
• Ensure secure email communication using SSL (Secure Sockets Layer) and TLS (Transport Layer Security)
An organization requires electronic mail (email) systems (Email Server) for business or simple
exchange of information between people. These email servers, if not configured properly, can
be compromised and used for a malicious purpose.
An important thing about the hardening of an e-mail server is to disable the unwanted
configuration options in the server software. A perfect method to increase the security of the
server is to allow only authorized users access to the e-mail.
• Configure the SMTP authentication method. This requires users to access the SMTP server
and provide username and password credentials before sending an e-mail.
• Restrict the number of users that can access the SMTP server. This minimizes the chances
of any DoS attacks on the network.
• Enable DNS lookup to verify the existence of the sender's e-mail domain. This helps
restrict any mail from unknown senders.
• Enable the Sender Policy Framework in order to restrict spoofed sender addresses.
• Activate SURBL (Spam URI Real-time Block Lists) in order to identify any unwanted links
and messages in an e-mail.
• Keep track of the spammers who always send spam e-mails. This can limit unwanted
internet connections on the e-mail system.
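The Sender Policy Framework check in the list above, as an added example that is not EC-Council courseware or any mail server's code: a small evaluator that tests the connecting SMTP client's IP address against the ip4/ip6/all mechanisms of a domain's SPF TXT record. The record and the addresses are constructed for the example; mechanisms that would need DNS (a, mx, include, exists, ptr) are reported as "unresolved" rather than looked up, so the block runs offline.

```python
"""Minimal SPF evaluator (added example, not courseware or product code).

Evaluates the ip4/ip6/all mechanisms of an SPF record against a client IP.
DNS-dependent mechanisms are reported as 'unresolved' so the example runs
offline. The record below is constructed for a hypothetical domain.
"""
import ipaddress

# Constructed SPF record for the hypothetical domain example.test
CONSTRUCTED_SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("a", "mx", "include", "exists", "ptr")


def parse_spf(record):
    """Return a list of (result_if_matched, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default qualifier is '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # first ':' only, so ip6 args survive
        terms.append((QUALIFIERS[qualifier], mech.lower(), arg))
    return terms


def evaluate_spf(record, client_ip):
    """Evaluate record for client_ip; returns an SPF result string.

    'none' when nothing matches and there is no 'all' term; 'unresolved'
    when a DNS-dependent mechanism would have to be queried; 'permerror'
    for a malformed or unknown term.
    """
    ip = ipaddress.ip_address(client_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return result
        elif mech in DNS_MECHANISMS:
            return "unresolved"   # would need a DNS lookup; out of scope offline
        else:
            return "permerror"
    return "none"


if __name__ == "__main__":
    for client in ("192.0.2.25", "198.51.100.7", "2001:db8:1::5"):
        print(client, "->", evaluate_spf(CONSTRUCTED_SPF_RECORD, client))
```

A receiving mail server fetches the sender domain's TXT record, evaluates the SMTP client's address the same way and treats a "fail" result as a spoofed sender. Production deployments should use a full SPF library, since real records lean on include, mx and macros that this evaluator deliberately leaves unresolved.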
[Figure: Internet Information Services (IIS) Manager screenshots for the FTP site: FTP Logging; Restrict Access by IP or domain name (Allow Entry / Deny Entry for a specific IP address or an address range with mask); Add Allow Authorization Rule (all users, all anonymous users, specified roles or user groups, or specified users, with Read/Write permissions); FTP Logon Attempt Restrictions; and FTP Request Filtering.]
Configure Access controls on authenticated FTP accounts with the help of ACLs.
Administrators should implement the following security measures while configuring the FTP
service:
• Enable logging for your FTP site: Keeping track of the FTP logs helps identify the users accessing the site and the IP addresses they use. Logs provide a detailed description of the status of the site and show whether there are any attacks or threats.
• Configure Access controls on authenticated FTP accounts with the help of ACLs: Access control lists limit unauthorized access to the FTP directory using NTFS permissions. However, the users permitted to the FTP directory should not be placed together with everyone in one group, as that changes the configuration for those users who are limited to accessing FTP accounts.
• Restrict access by IP or domain name: Limiting FTP access to only a certain number of users reduces attacks from unauthorized users.
• Restrict logon attempts and time: Users access the FTP site within a specified logon time. FTP denies permission to any user attempting to access the FTP site after the logon time has expired. With this restriction, only those users who are authorized for a specific time period can access the site.
• Configure filtering rules for your FTP service: The filtering rules are checked against each FTP request. A request that matches the filtering rules is allowed; a request that does not match a filtering rule is declined.
• Use SSL / FTPS for authenticated FTP accounts: This refers to the SSL settings for the FTP service. It increases the security of the FTP service, as only authenticated users gain access.
Hardening Routers: Recommendations
The following are recommended best practices enhancing the security of a router:
• Changing the default password: Most users do not change the default password of the
router after installation. This is the same thing as giving a key to attackers so they can
easily log in to your router.
• Deactivate the HTTP configuration: Enabling the HTTP protocol for router configuration sends the management traffic in clear text.
• Restrict ICMP Ping requests: Accepting PING requests enables attackers to guess the active hosts and thereby scan the network without the original user's knowledge.
• Disable IP source routing: Enabling this routing feature allows attackers to identify the path taken by the packet. This gives them the ability to sniff packets from the network.
• Identify the need for packet filtering: Filtering of packets depends on the needs of the organization. The filtering mechanism helps identify whether to permit or block traffic.
• Creating ingress and egress address filtering policies: Creating policies for verifying the inbound and outbound traffic based on an IP address increases the security of the router.
• Physical security of the router: It is mandatory to maintain physical security of the router, as inappropriate placement of routers allows attackers to sniff traffic and have direct access to the appliance.
• Review the security logs: Appropriate review of the security logs will provide detailed
information regarding what attacks, if any, have been launched against the router. It also
provides a detailed description of the router. Reviewing logs of the router provides an
overall idea regarding the status of the network too.
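The ingress and egress address filtering item in the list above, worked through as an added example that is not EC-Council courseware or any router vendor's code: a model of the address-based policy a border router applies. Packets arriving on the outside interface must not claim an internal or otherwise impossible (bogon) source address, and packets leaving must carry an internal source address. The internal network and the sample packets are constructed for the example from documentation address ranges.

```python
"""Ingress/egress anti-spoofing policy (added example, not vendor code).

Models the source-address checks a border router applies in each direction.
Networks and sample packets are constructed using documentation ranges.
"""
import ipaddress

# Constructed: the organization's own address space behind the router.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that can never legitimately arrive from the Internet.
BOGON_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")
]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def ingress_decision(src):
    """Policy for a packet entering on the outside (Internet-facing) interface."""
    ip = ipaddress.ip_address(src)
    if _in_any(ip, INTERNAL_NETWORKS):
        return ("deny", "external packet spoofs an internal source address")
    if _in_any(ip, BOGON_NETWORKS):
        return ("deny", "source is a private/reserved (bogon) address")
    return ("permit", "source is a routable external address")


def egress_decision(src):
    """Policy for a packet leaving through the outside interface."""
    ip = ipaddress.ip_address(src)
    if not _in_any(ip, INTERNAL_NETWORKS):
        return ("deny", "outbound packet does not carry an internal source address")
    return ("permit", "source belongs to the internal network")


def filter_packet(direction, src):
    """Dispatch on direction: 'in' = arriving from outside, 'out' = leaving."""
    if direction == "in":
        return ingress_decision(src)
    if direction == "out":
        return egress_decision(src)
    raise ValueError("direction must be 'in' or 'out'")


if __name__ == "__main__":
    # Constructed packets: (direction, source address)
    sample = [("in", "198.51.100.7"), ("in", "192.0.2.40"), ("in", "10.1.1.1"),
              ("out", "192.0.2.40"), ("out", "203.0.113.5")]
    for direction, src in sample:
        action, reason = filter_packet(direction, src)
        print(f"{direction:3} {src:15} -> {action:6} ({reason})")
```

The egress rule is what stops a compromised internal host from launching spoofed-source traffic at other networks; the ingress rule is what stops outside traffic from impersonating the inside. Real access lists add the destination, protocol and port, but the source-address logic is the part these two policies are about.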
In addition to the above recommendations, implement the following best practices to harden
your router security:
The best way to confirm switch security is by using port level security. Port level security limits the number of MAC addresses connected to a device. The three different methods of connecting MAC addresses to a port are as follows:
• Statically: Allows only a single MAC address to be connected to a port.
• Dynamically: These are present by default in the content-addressable memory.
• Sticky: A MAC address given to a specific port. This MAC address is lost on reboot if the configuration is not saved.
Additional switch security best practices:
• Create a strong password.
• Create time-out sessions and user access rights.
• Disable auto-trunking on ports and activate port security for MAC addresses in order to control access.
• Deactivate all ports that are not in use and assign them an unused VLAN number.
• Control the number of VLANs that can pass over a trunk.
• Maximize the use of access control lists.
• Review all security logs of the switch.
• Implement AAA for local and remote access to the switch.
• Keep the switch configuration file offline and control access to it.
[Figure: Syslog architecture. Network devices send syslog messages to a dedicated logging server called the Syslog Server; management and filtering software on the server lets the administrator check the syslog messages for troubleshooting or monitoring.]
Syslog enables network devices to record event messages to the logging server or the syslog
server. It is possible to log many events and the syslog protocol can handle many different
devices. Normally, Windows-based servers do not support syslog. But, there are many third-
party tools available that can actually gather the Windows server log information and then
forward it to the syslog server.
Syslog is the standard for message logging and uses a facility code that determines the software
used for generating the messages and also assigns a severity label to each. The syslog finds its
application in system management, security auditing and debugging messages. Many types of
devices such as printers, routers, etc. use the syslog standard that enables a centralized method
of logging data from different devices.
• Management and Filtering Software: The management and filtering software helps filter
data from the database. At times, network administrators find it difficult to find the log
details from the database. The use of this software can actually enable the administrators
to filter the required data.
• Syslog Messages: Syslog messages include all the information like the IP address, timestamp and the actual log message. Syslog uses a field called the facility that identifies the source of a message on any machine. The syslog message also has a severity level field. A severity level of '0' signifies that the message is an emergency. The severity level of '1' signifies that the message needs immediate action, and the remaining severity levels continue up the range.
• Syslog uses UDP as the transport protocol for messages. As UDP is connectionless, there is a chance that syslog loses packets.
• There is no method for authenticating syslog messages, so another machine can send fake log events to the syslog server.
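The message structure described in the bullets above, as an added example that is not EC-Council courseware or any syslog server's code: a decoder for BSD-style (RFC 3164) syslog lines that splits the PRI field into facility and severity, extracts timestamp, host, tag and text, and filters by severity the way the management and filtering software would. The sample messages are constructed for the example (the first is the example line from RFC 3164); the host and tag fields are whatever the sender wrote, which is the authentication gap the last bullet describes.

```python
"""RFC 3164 syslog decoder (added example, not courseware or product code).

PRI = facility * 8 + severity. The messages below are constructed.
"""
import re

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

CONSTRUCTED_MESSAGES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<86>Mar  1 09:12:44 gw01 sshd[2034]: Accepted publickey for admin from 198.51.100.23 port 51514",
    "<0>Mar  1 09:13:00 core-sw1 kernel: power supply 2 failed",
    "<13>Mar  1 09:13:05 fw01 fwd: connection allowed 192.0.2.5 -> 198.51.100.7 tcp/443",
]


def decode_pri(pri):
    """Split PRI into named facility and severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity]}


def parse_syslog(line):
    """Parse one RFC 3164-style line; returns None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    record = m.groupdict()
    record.update(decode_pri(int(record.pop("pri"))))
    # host and tag are claims made by the sender: syslog over UDP carries no
    # authentication, so a collector must not treat them as verified identity.
    return record


def filter_by_severity(lines, max_severity):
    """Keep messages at least as urgent as max_severity (0 = emergency)."""
    return [r for r in map(parse_syslog, lines) if r and r["severity"] <= max_severity]


if __name__ == "__main__":
    for rec in filter_by_severity(CONSTRUCTED_MESSAGES, 3):
        print(rec["facility_name"], rec["severity_name"], rec["host"], rec["tag"], rec["message"])
```

A collector that wants a trustworthy source identity records the UDP source address alongside the parsed host field, and a deployment that needs integrity moves to syslog over TLS rather than plain UDP.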
[Figure: log sources (applications, workstations, routers, firewalls, IDS/IPS) sending events to GFI EventsManager.]
GFI EventsManager
Source: http://www.gfi.com
GFI EventsManager performs network wide log monitoring, analysis, management and
archiving.
Features:
• Manage event log data for system reliability, security, availability and compliance.
By default, GFI EventsManager will listen for Syslog messages on port 514, therefore you must
make sure that this port is not being used by other applications. The port on which GFI
EventsManager listens for Syslog messages is configurable through the management console.
[Screenshot: GFI EventsManager Servers properties dialog with the tabs General, Logon Credentials, Operational Time, Windows Event Log, W3C Logs and Syslog.]
3. To enable the syslog server and listen for messages sent by the computers in a computer
group, select the option 'the computers specified in this group will send Syslog events'
Kiwi Syslog Server
Source: http://www.solarwinds.com
Kiwi Syslog® Server is a syslog server for IT administrators and network teams. Kiwi Syslog Server receives logs, displays, alerts on, and forwards syslog, SNMP trap, and Windows event log messages from routers, switches, firewalls, Linux and UNIX hosts, and Windows machines.
Kiwi Syslog Server also includes log archive management features that allow you to maintain
compliance by securing, compressing, moving, and purging logs exactly as specified in your log
retention policy.
Splunk Enterprise
Source: http://www.splunk.com
Splunk Enterprise is used to collect, analyze and act upon the untapped value of the big data generated by your technology infrastructure, security systems and business applications, giving you the insights to drive operational performance and business results. It collects and indexes data regardless of format or location: logs, clickstreams, sensors, streaming network traffic, web servers, custom applications, hypervisors, social media, and cloud services.
Application Security: Recommendations
• Host security can be compromised through security vulnerabilities of the installed software.
• Keep those applications blacklisted which can pose huge threats to users or systems, and never install them on your systems.
• Install or allow only whitelisted applications to be installed on your hosts.
• Application Configuration: Regularly update your applications with the latest updates, patches and versions for security implications.
• Monitor software use.
Data Security:
• Data security ensures protection of data from unauthorized access or corruption.
• Identify the critical business data of the organization.
• Use different data encryption utilities to secure your data at rest.
• Use a TLS/SSL encrypted tunnel to secure your data in motion.
• Use different Data Loss Prevention (DLP) solutions to secure your data while in-use, in-motion, and at-rest.
[Figure: the three data states: Data-at-Rest (file sharing, database, desktop), Data-in-Use, and Data-in-Motion.]
Data security is the main concern for many organizations, irrespective of their size. Data
security ensures protective measures are applied to computers, databases and websites. A few
examples of data security are hardware/software encryption, data backup and data masking. Organizations should ensure various levels of business data security.
Data-at-rest encryption protects stored data using encryption. The process of encryption preserves and/or protects the data stored in a particular location. Organizations can completely depend on an encryption process for their data security. The process of encryption applies to both structured and unstructured data. Network administrators need to constantly check the encryption mechanisms used for protecting data. The encryption of data at rest includes encryption methods such as AES and RSA. The data needs to remain encrypted so that it stays protected even if access controls fail. Keep the encryption keys at a separate location and make sure the keys are updated constantly. Data federation is another method used for protecting data at rest from unauthorized access.
[Figure: DLP in an enterprise network. An employee sends various e-mails through a DLP agent; the DLP server blocks or encrypts them before they reach supplier and partner networks.]
Data loss prevention (DLP) does not allow users to send confidential corporate data outside the organization. The term is used to describe software products that help a network administrator control what data end users can transfer. DLP rules block the transfer of any confidential information across external networks. This controls any unauthorized access to company information and prevents anyone from sending malicious programs to the organization. Implement DLP software according to the organizational rules set by management. This prevents accidental/malicious data leaks and loss. If an employee tries to forward or even upload company data on cloud storage or even on a blog, the action will be denied by the system.
A DLP policy is adopted by management when internal threats to a company are detected. Data loss prevention is a policy to ensure that none of its employees send sensitive information outside the organization. New emerging DLP tools not only prevent the loss of data, but also monitor and control irregular activities from occurring on the system.
There are DLP products available that help administrators determine what data users transfer. DLP products are also known as data leak prevention, information loss prevention or extrusion prevention products.
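The block-or-encrypt decision shown in the DLP figure and described above, as an added example that is not EC-Council courseware or any vendor's product code: an outbound e-mail is scanned for sensitive content and then allowed, encrypted or blocked depending on where it is going. Detection combines a classification marker with payment-card-number matching validated by the Luhn checksum, so that an arbitrary 16-digit string is not flagged. The domains, the rule set and the sample messages are constructed for the example; the card number used is the well-known 4111 test number, not a real account.

```python
"""Toy DLP content scanner and policy (added example, not product code).

Scans an outbound message body and returns allow / encrypt / block based on
the recipient domain. Domains and rules below are constructed.
"""
import re

INTERNAL_DOMAIN = "corp.example"                           # constructed
PARTNER_DOMAINS = {"partner.example", "supplier.example"}  # constructed
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")                # classification labels

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers (True when it verifies)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def findings(body):
    """Reasons a message body counts as sensitive (empty list = clean)."""
    reasons = [f"marker '{m}'" for m in MARKERS if m in body.upper()]
    reasons += [f"card number ending {n[-4:]}" for n in find_card_numbers(body)]
    return reasons


def classify_message(recipient, body):
    """Return (action, reasons) for an outbound message to `recipient`."""
    reasons = findings(body)
    if not reasons:
        return ("allow", [])
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return ("allow", reasons)      # stays inside the organization
    if domain in PARTNER_DOMAINS:
        return ("encrypt", reasons)    # may leave, but only protected
    return ("block", reasons)          # unknown external destination


if __name__ == "__main__":
    # Constructed sample messages
    samples = [
        ("bob@corp.example", "CONFIDENTIAL: Q1 numbers attached"),
        ("ops@supplier.example", "Pay with 4111 1111 1111 1111"),
        ("someone@webmail.test", "Pay with 4111 1111 1111 1111"),
        ("someone@webmail.test", "lunch at noon?"),
    ]
    for rcpt, body in samples:
        print(rcpt, "->", classify_message(rcpt, body))
```

The Luhn step is what keeps the false-positive rate tolerable; a product adds fingerprinting of known documents and exact data matching against a database, but the decision structure (detect, then act by destination) is the same one the figure shows.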
1. Create awareness about the risks and losses associated with data leaks
2. Provide training to employees on the security policies for handling data
4. Identify any loopholes in your network and patch at regular intervals
8. Secure computers and hard drives with protective measures at entry and exit points
9. Monitor employees and their systems for any illegal activities or security policy infractions
DLP solutions include Symantec (http://www.symantec.com), McAfee (http://www.mcafee.com), BlueCoat (https://www.bluecoat.com) and PixAlert (http://www.dev.pixalert.com).
Symantec
Source: https://www.symantec.com
Symantec DLP keeps track of and secures your confidential data and ensures its safety wherever it lives: in the cloud, on-premises, or on mobile devices. It helps you keep data safe on Windows and Mac endpoints by performing local scanning and real-time monitoring. It monitors confidential data that is being downloaded, copied or transmitted to or from laptops and desktops, through email or cloud storage. It uses a single web-based console to define data loss policies, review and remediate incidents, and perform system administration across all of your endpoints, mobile devices, cloud-based services, and on-premises network and storage systems.
Websense
Source: http://www.websense.com
Websense Data Security Suite contains three modules: Data Security Gateway, Data Discover,
and Data Endpoint. It provides a single intuitive, web-based interface for management and
reporting of Websense web, email and data security solutions.
Trustwave
Source: https://www.trustwave.com
Trustwave Data Loss Prevention helps enterprises discover, monitor and secure data at rest, in motion, and in use to prevent exfiltration and ensure regulatory compliance. It analyzes all web-based communication and attachments, including email, instant messenger, P2P file sharing, blogs, social media, FTP and Telnet, for violations of an organization's governance, compliance and acceptable-use policies. It automatically blocks HTTP, HTTPS and FTP traffic violating compliance policies. It can investigate data at rest to find and protect sensitive information residing in the stored data. Discovery of sensitive data allows security teams to focus their initiatives on specific users and systems, and then implement the appropriate measures to meet compliance requirements.
BlueCoat
Source: https://www.bluecoat.com
Blue Coat Data Loss Prevention (DLP) enables you to detect and block potential data leaks
quickly and accurately, all while achieving industry and regulatory compliance. With Blue Coat
DLP, you can leverage powerful discovery capabilities to prevent sensitive, unsecured data
from traveling across the network and winding up in the wrong hands.
Code Green Networks
Source: https://www.codegreennetworks.com
Code Green Networks' TrueDLP™ solution is comprised of Network DLP, Discovery DLP and
Cloud DLP, and locates sensitive data resting on databases and network servers, including data
in the cloud.
McAfee
Source: http://www.mcafee.com
McAfee Total Protection for Data Loss Prevention (DLP) safeguards intellectual property and
ensures compliance by protecting sensitive data wherever it lives on premises, in the cloud, or
at the endpoints. McAfee Total Protection for DLP is delivered through physical or virtual low-
maintenance appliances and the McAfee ePolicy Orchestrator platform for streamlined
deployment, management, updates, and reports.
Palisade Systems
Source: http://palisadesystems.com
Palisade DLP provides a simple, all-in-one, cost-effective approach to data loss prevention
(DLP), which enables organizations to:
• Monitor: Palisade monitors all traffic and data leaving the network making you aware of
what is happening with your most critical data
• Prevent: Palisade prevents data loss using DLP enforcement, protocol management and
web filtering and enforcing data protection policies to ensure secure treatment of data
and proper adherence to company protocols.
Digital Guardian
Source: https://digitalguardian.com
Digital Guardian DLP provides visibility and audit reporting of potentially unsecured data.
It uses patent-pending Database Record Matching™ detection to accurately locate and identify
sensitive data at rest on endpoints and servers across your networks and cloud storage.
Automatic, configurable scanning of local and network shares using discovery specific
inspection policies ensure sensitive content is discovered wherever it is located. Detailed audit
logging and reports provide you with the information needed to demonstrate compliance,
protect confidential information and reduce data loss risk.
PixAlert
Source: http://www.dev.pixalert.com
Data Leakage Prevention (DLP) programs will effectively secure critical and sensitive data by
discovering & identifying data at rest that needs to be protected. It helps networks discover and
manage where critical data is located, monitoring and protecting networks and employees
against dissemination and leakage of unsecure data.
Safend
Source: https://www.wave.com
The Wave Data Protection Suite goes wherever your devices go, on or off your network, online or offline. This means it protects your data from the full range of modern risks: device theft, emails, flash drives, portable hot spots, hardware key loggers, etc.
• Host Operating System: It is the operating system installed on the physical host machine and its components.
• Service Levels: It is the level of service offered by the cloud provider to a customer and is often part of SLAs, where a formally defined contract is signed for those offered services.
• Host Operating System: A Host Operating System is the OS installed physically on the computer hardware which seeks direct access to the hardware resources for computations. Resources it can access include processor, memory, storage media, etc.
• Guest Operating System: This is the operating system installed virtually on a host
operating system. It is dependent on the host operating system for the computations and
resource allocations.
• Hypervisor or Virtual Machine Manager (VMM): It is an application or firmware that
allows multiple guest operating systems to share a host's hardware resources. It acts as
middleware which allows the user to install a virtual operating system called 'Guest OS' on
the 'Host OS'.
• Execution Environments: It is the logical environment (software/hardware) that enables execution of programming code/software. The JVM (Java Virtual Machine) is the best example, acting as an execution environment for Java programs.
• Service Levels: A service level is a signed contract between the cloud provider and the
cloud customer which lists all the services offered by the cloud provider to the customer.
It also includes the terms and conditions between the two parties.
[Figure: Before virtualization, a hardware platform (host machine) is used to run a single OS and its applications: Applications on an Operating System on the x86 architecture (CPU, memory, NIC, disk). After virtualization, a hardware platform (host machine) is used to run multiple operating systems and their applications: several Applications/Operating System stacks on the VMware virtualization layer on the x86 architecture.]
Virtualization provides virtual computing, storage and networking hardware. Virtualization refers to the separation of the services or requests from the physical processes. The mechanism of virtualization has enabled IT managers to group resources across the enterprise, providing better management of those resources.
[Figure: Before virtualization: Applications, Operating System, x86 Architecture (CPU, Memory, NIC, Disk).]
In the figure above, a single instance of an operating system with a set of applications is
completely utilizing the given 32-bit hardware infrastructure. 'Host OS' directly interacts with
the hardware to request system resources.
2. After Virtualization: A hardware platform (host machine) is used to run multiple sets of
Virtual operating systems and their applications.
[Figure: After virtualization: two Applications/Operating System stacks on the virtualization layer over the x86 Architecture.]
In the figure above, the virtualization layer acts as middleware between the operating system
installed and the computer hardware. It logically partitions the hardware resources based on
the requests received from the host and the guest operating systems. The host OS directly interacts with the computer hardware, but the guest OS interacts through the Virtualization Layer. Different types of virtualization techniques are:
1. Full Virtualization: The guest OS is not aware that it is running in a virtualized environment. It sends commands to the Virtual Machine Manager (VMM) to interact with the computer hardware. The VMM then translates the commands to binary instructions and forwards them to the host OS. The resources are allocated to the guest OS through the VMM.
While designing a virtual environment, the levels involved in the application are:
• Storage Device Virtualization: This is the virtualization applied on storage devices such as
data striping and data mirroring. RAID is a good example of storage virtualization.
• Partitioning: It is the ability to run multiple operating system instances with their applications on a single physical system by virtually partitioning the hardware resources; the resources are then allocated to handle host and guest requests.
• Isolation: Each virtual machine is isolated from its host physical system and other virtual
machines. This characteristic of virtualization prevents the effects of actions performed by
one virtual machine from affecting the other machines.
• Encapsulation: A virtual machine represents a single file used for identification based on
its services. Encapsulation protects a virtual machine from interference from the other
virtual machines.
Virtualization provides:
• A cost-effective solution for the central data hub: Replacing the physical hardware with
virtual machines can actually cut down the cost of purchasing more hardware, increasing
the space in the server room. Too many servers can emit a lot of heat leading to a server
crash.
• A time-efficient option for the IT infrastructure: The use of virtual machines can reduce the time it takes to install computer components in an organization. The concept of virtualization enables the network administrator to perform tests on software without consuming time and resources.
• Back up the Servers: Virtualization ensures the complete restoration of the network at a
faster rate. The use of virtual machines reduces the time it takes, by the physical
hardware, to perform recovery.
The virtualization process enables users in an organization to use different platforms in a single
machine according to their needs. It provides continuous transition from one operating system
to another in the same machine.
The following are the benefits of virtualization technology:
• If the virtual machines are remote, then only one application present in one VM is attacked.
• VMware (Source: http://www.vmware.com): VMware virtualizes networking, storage and security to create virtual data centers and simplifies the provisioning of IT resources.
• Citrix (Source: http://www.citrix.com): Citrix virtualizes and transforms Windows apps and desktops into a secure on-demand service and meets the mobility, security and performance needs of both IT and end users.
• Microsoft (Source: http://www.microsoft.com): Microsoft virtualization products range from the data center to the desktop for managing both physical and virtual assets from a single platform.
VMware
Source: http://www.vmware.com
VMware virtualizes computing, from the data center to the cloud to mobile devices, to help
customers be more agile, responsive, and profitable.
• VMware vCloud Suite: vCloud Suite is a complete kit used for developing and managing a
private cloud infrastructure effectively.
• Horizon View: Horizon view is a virtual desktop service which offers remote access to
different resources available to the users under a common platform.
• VMware Fusion: Fusion enables Mac users to run Windows based applications without
compatibility issues.
• VMware Workstation: Workstation enables the user to run multiple virtual machines from
a single desktop.
Citrix
Source: https://www.citrix.com
Citrix securely delivers Windows, Linux, web and SaaS apps plus full virtual desktops to any
device. Citrix solutions for application and desktop virtualization can help your business
increase productivity, enhance security and reduce costs.
Oracle
Source: http://www.oracle.com
Oracle offers virtualization from the desktop to the data center. Oracle virtualization enables you to virtualize and manage your full hardware and software stack.
Microsoft
Source: http://www.microsoft.com
Virtualization Security is obtained using a certain set of security measures, procedures and processes in order to protect the virtualization infrastructure/environment.
Typical Virtualization Security Process includes:
• Securing Virtual Environment
Virtualization Security Concerns:
• Due to the additional layer of infrastructure complexity, it is difficult to monitor unusual events and anomalies
• Offline can be used as gateway to gain access to a company's systems
A virtualized environment facilitates the detection of new attack exposures thereby forcing the
user to take protective measures for both hosts and the virtual machines. In a non-virtualized
environment, each host is separately held, consisting of separate services and web servers. The
services run in their own spaces and they connect directly to the network. In a virtualized
environment, several guest hosts are placed in a single host. Here, all the services are grouped
together, thereby increasing the chances of vulnerabilities in the system.
1. Traditional threats
2. New threats
• A vulnerable hypervisor can act as a danger to both the host as well as the virtual machines.
• Poor hypervisor design makes the whole system vulnerable to attacks.
• Lack of updating the guest OS and installing security patches on the virtual machines.
• Vulnerabilities in the host system make it easier for the attacker to dive into the virtual environment without much effort.
Securing hypervisor involves securing the hypervisor during its implementation, management
and development. Hypervisors can face many threats and risks. Most of the attacks occur
within an organization where users try to compromise the virtual machines running in the
system. Experts say that the number of attacks on hypervisors has increased dramatically in
recent years. This urges the need for securing the hypervisors using patch management and
other services.
The hypervisor platform enables multiple types of access like SSH, RDP, etc. However,
minimizing the remote and console access to the systems actually plays an important role in
securing the hypervisor. The hypervisor can be more secure if the hypervisor management is
given only access required to run the business environment.
Proper configuration also plays an important role in securing the hypervisor. Configuring only
the required settings and services can control the possibilities of threats and risks in the
hypervisor. Certain hardening mechanisms like controlling the user and group access on the
local system, controlling file permissions, using only required services, etc., can assist in
increasing the security of the hypervisor. The administrators need to confirm the security of
every platform on the hypervisor.
The hypervisors can decide the amount of resources provided to each guest OS. Resources
provided to each guest OS cannot be shared with another guest OS. Providing only limited
amount of resources to the guest OS can minimize attacks like denial of service and inserting
malicious code into another OS.
The network administrators need to be more careful while handling the access to VLANs. The
VLAN assists in keeping the traffic separated between the networks. Allowing the access of
VLANs to the virtual network may allow a compromised machine to access all the other VLANs.
Administrators need to be more careful while configuring the VLANs and should ensure the
presence of only those VLANs that are required for the hypervisor configuration.
Securing hypervisors also requires securing the direct interface to the system. Securing these with complex and strong passwords allows the administrators to handle the out-of-band interface (OOB). Implementing a firewall can limit the access of the OOB subnets to only approved IP addresses.
The network administrators can also work on controlling the rights to perform a service using
the service account. Controlling the service accounts can actually bring down the risks during
the case of service accounts becoming compromised. Usage of long and strong passwords
enables the security of the service accounts.
Implement security controls and procedures to each VM:
• Software Firewall: Install software firewalls on each virtual machine to detect and prevent the intrusion of unwanted and malicious applications
Apply all the general host security measures to each virtual machine, including:
• Patch management
• Use user authentication for verification
In addition to general security measures for host security, administrators should implement the
following security measures to enhance virtual machine security.
• Implementing Protocols and Procedures: Designing certain rules and strategies helps
secure the virtual machines. Adding the recommendations below will provide more
security:
• Check for operating system updates for the virtual machines on a weekly basis.
• Implementing Software Firewall: It is false that virtual machines are safe because they are
always looked at as a sandboxed application. They are prone to external and internal
attacks similar to the physical system and always require attention.
• Provides security to each virtual machine and reduces the attack risk.
• Software firewalls on each virtual machine detect and prevent the intrusion of
unwanted and malicious applications.
• Virtual or software firewalls do not create a collision with the firewall implemented
on the host operating system.
• There are many software firewalls available like comodo, zone alarm, etc.
• Deploying Anti-Virus Software
• Install anti-virus to protect the virtual environment from the inherent threats of
viruses, Trojans, worms, etc.
• Antivirus deployed on a virtual machine inspects for any unusual activity and scans all
files and folders for malicious content.
• Installation of anti-virus on a host machine does not secure the virtual machine. Install
antivirus on a virtual machine in order to secure it properly.
• Mostly used antiviruses are Kaspersky, McAfee, Microsoft security essential, Symantec
endpoint protection, etc.
• Encrypting the Virtual Machines: A virtual machine hosts highly confidential data so
encryption is required. Encrypting virtual machines protects the virtual machines from
unauthorized access. Users must enter a password to encrypt/decrypt virtual machines.
Steps to encrypt a virtual machine:
• Step 2: Go to configure from the virtual machine menu and a dialogue box appears
• Step 4: In the security pane, click turn on and provide a password and click ok
Virtual switches provide basic security to the virtual network, whereas IDS/IPS and
firewalls provide security within the virtual appliances
Use physical network security devices (PNSD) with VLANs; it minimizes the
consumption of host resources
Using a Virtualized Network Security System (VNSS) on the virtualized LAN addresses
external threats, inter-VM exploits, DoS attacks, etc.
Mapping of virtual networks to the underlying physical network is known as
virtual network embedding (VNE); it minimizes the risks to the virtual and physical
machines of the virtual network
• Physical Network Security Device (PNSD): This physical network security device resides
outside the host machine and deploying it for every host machine may reduce
performance. This approach does not provide security to VMs
• Physical Network Security Device (PNSD) with VLANs: Use physical network security
devices (PNSD) with VLANs; it reduces the consumption of host resources
• Host Intrusion Prevention System (HIPS): It resides inside the virtual server, uses host
machine resources and it offers server level protection
• Virtualized Network Security System (VNSS): It resides on a virtual LAN and consumes
host machine resources. It monitors, partitions the virtual environments and provides
security to virtual network segments, VLANs, servers and devices
Methods to secure virtual environments include:
• Resource Limitation: Apply resource usage limits to each virtual machine so that it
minimizes the risk of using multiple shared hardware resources at one time, which can
affect performance of the virtual machine
• Security Measures: Install Antivirus, Spyware and intrusion detection systems. Keep
everything updated on each virtual machine to reduce security vulnerabilities
• Native remote management services: Use native remote management services to reduce
the risk of an attacker intrusion to a virtual machine
• Separate virtual networks into security or trust zones and provide high security at
critical areas
• Use security controls to limit unauthorized access and restrict access to unprivileged
networks
• Secure the host operating systems and applications with regular security updates
and patches
• Ensure that every new VM added to the network is in accordance with the
organization's standards
• Use encrypted communication technologies
• Avoid operation on all guest machines that do not work in protected mode
• Enforce the least privileges: It is a core security principle which makes users operate with
the least set of privileges that are necessary to finish the task/job.
• Harden Access Controls: Deploy controls to the hypervisor and virtual machines in a
secure manner to avoid unauthorized access.
• Monitor the virtual traffic: Various tools are available; use them to identify malicious
traffic and defend the virtual machines from intrusions and attackers.
• Scan and audit virtual machines: Scan virtual machines at regular intervals to
discover vulnerabilities and service failures.
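The guidance above (software firewall and antivirus on every VM, weekly OS updates, VM encryption, only the required VLANs, per-guest resource limits, long service-account passwords, encrypted management traffic, and checking every new VM against the organization's standards) can be turned into an automated baseline check. The following is an added example, not code from the courseware or from any hypervisor product: the VM descriptions and the threshold values in BASELINE are constructed assumptions, and a real deployment would populate the dictionary from the hypervisor's inventory API.

```python
"""Baseline compliance check for virtual machines (added illustration).

The VM records below are constructed dictionaries standing in for data a
hypervisor inventory would return; the BASELINE thresholds are assumptions
chosen for this example, not values from the courseware.
"""
from datetime import date

# Constructed organizational baseline (assumption for this example).
BASELINE = {
    "max_patch_age_days": 7,        # OS updates checked weekly
    "allowed_vlans": {10, 20},      # only the VLANs required for this host
    "max_vcpu": 4,                  # per-guest resource limits
    "max_memory_mb": 8192,
    "min_password_length": 14,      # long, strong service-account passwords
}


def check_vm(vm, today, baseline=BASELINE):
    """Return a list of findings; an empty list means the VM meets the baseline."""
    findings = []
    if not vm.get("software_firewall"):
        findings.append("software firewall not installed on the VM")
    if not vm.get("antivirus"):
        # Antivirus on the host does not protect the guest.
        findings.append("antivirus not installed on the VM")
    if not vm.get("disk_encrypted"):
        findings.append("VM not encrypted")
    last_patch = vm.get("last_patch")
    if last_patch is None or (today - last_patch).days > baseline["max_patch_age_days"]:
        findings.append("OS updates older than the weekly check interval")
    # A VM attached to a VLAN the host does not need could reach other zones if compromised.
    extra_vlans = set(vm.get("vlans", ())) - baseline["allowed_vlans"]
    if extra_vlans:
        findings.append("VM attached to VLANs not required for this host: %s" % sorted(extra_vlans))
    if vm.get("vcpu", 0) > baseline["max_vcpu"] or vm.get("memory_mb", 0) > baseline["max_memory_mb"]:
        findings.append("resource allocation exceeds the per-guest limit")
    if not vm.get("encrypted_management"):
        findings.append("management traffic not encrypted")
    if len(vm.get("service_account_password", "")) < baseline["min_password_length"]:
        findings.append("service account password shorter than policy")
    return findings


# Constructed sample inventory records (not real systems).
COMPLIANT_VM = {
    "name": "web-01", "software_firewall": True, "antivirus": True,
    "disk_encrypted": True, "last_patch": date(2024, 1, 8), "vlans": [10],
    "vcpu": 2, "memory_mb": 4096, "encrypted_management": True,
    "service_account_password": "constructed-sample-secret-1",
}
NONCOMPLIANT_VM = {
    "name": "test-99", "software_firewall": False, "antivirus": True,
    "disk_encrypted": False, "last_patch": date(2023, 12, 1), "vlans": [10, 99],
    "vcpu": 8, "memory_mb": 4096, "encrypted_management": True,
    "service_account_password": "short",
}


def audit(vms, today):
    """Map each VM name to its findings so a new VM can be gated before joining the network."""
    return {vm["name"]: check_vm(vm, today) for vm in vms}


if __name__ == "__main__":
    for name, findings in audit([COMPLIANT_VM, NONCOMPLIANT_VM], date(2024, 1, 10)).items():
        print(name, "OK" if not findings else findings)
```

The check is deliberately a pure function of the inventory record, so it can run in a provisioning pipeline and refuse to attach a VM whose findings list is not empty.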
• Organizations should set and follow baselines for host security to protect hosts
from different kinds of host level threats
• Operating Systems have a vital role in host security and can be hardened using
built-in security features
In this module, you have learned how important it is to secure an individual host for network
security. The module described host security, tools and techniques for securing each individual
host on the network. The module helps you prepare security baselines for host security
including workstations, router, switches, servers, etc., and provides security measures to
prevent them from various host security threats. The module also discussed the virtualization
concept and provided security measures for virtual machines in a virtual environment.
Attackers target firewalls to find the way to enter into organization networks
An attacker will take advantage of a weak firewall implementation and will use
various techniques to bypass the firewall restrictions altogether
A firewall is a hardware device or a software program located at the network gateway server
and used for secure communication between different networks according to a specified
security policy. Networks have firewalls configured between the corporate and public network
(internet). A firewall provides a line of defense, against attacks on an internal network from an
external network. It helps prevent unauthorized access to or from private networks connected
to the internet. A firewall application runs on a host that is connected to both trusted and
untrusted networks.
A firewall helps organizations protect confidential information from unauthorized users. The
most important feature of the firewall is that it can distinguish between good and bad traffic. A
firewall placed between a corporate and a public network limits the access to various services
on the internet. It also keeps track of what is going through the firewall. The firewall filters
inbound traffic, known as ingress filtering and outbound traffic known as egress filtering.
However, there are a few concerns with firewall functionality and they are:
• A firewall cannot block certain types of attacks. For example, social engineering, insider
attacks, etc.
• Firewalls sometimes have less computing speed than their network interface. This can
create a problem when a host with a network interface is faster than the firewalls internal
processor.
• Firewalls can restrict certain services that the user wants. The services include: TELNET,
FTP, X Windows, NFS, etc.
• Firewalls can restrict the communication between valid devices in the network thereby
causing unwanted interruption in the flow of data.
• A firewall does not block attacks from a higher level of the protocol stack
• A firewall does not protect against attacks originating from common ports and
applications
A firewall is an important part of your security strategy, but firewalls have the following
limitations:
• Firewalls can restrict users from accessing valuable services like FTP, Telnet, NIS, etc. and
sometimes restricts Internet access as well.
• The firewall cannot protect you from internal attacks (backdoor) in a network. For
example, a disgruntled employee who cooperates with the external attacker.
• The firewall concentrates its security at one single point which makes other systems
within the network prone to security attacks.
• A bottleneck could occur if all the connections pass through the firewall.
• The firewall cannot protect the network from social engineering and data-driven attacks
where the attacker sends malicious links and emails to employees inside the network.
• If external devices such as a laptop, mobile phone, portable hard drive, etc. are already
infected and connected to the network, then a firewall cannot protect the network from
these devices.
• The firewall is unable to fully protect the network from all types of zero-day viruses that
try to bypass it.
[Figure: a firewall mediating access to specific resources]
A firewall monitors the incoming and outgoing traffic of the network or a system and blocks the
traffic that does not meet the specified security criteria. The security criteria of the network has
a set of predefined rules. A firewall monitors all the traffic and allows good data generally
known as permitted traffic and blocks suspect data also known as denied traffic. A firewall
filters traffic using various methods such as packet filtering, proxy service, stateful inspection,
etc.
• A firewall filters traffic based on the type of traffic, source and destination addresses, and
source and destination ports.
• Sometimes, even a complex rule base is set on the firewall to filter application traffic.
Hardware Firewall
A hardware firewall is a dedicated firewall device placed on the perimeter of the network. It is
an important part of a network setup and is also built in to Broadband routers or as a stand-
alone product. A hardware firewall helps protect systems on the local network and they are
effective with little to no configuration. It employs a technique of packet filtering. It reads the
header of a packet to find out the source and destination address and compares it with a set of
predefined and/or user created rules that determine whether if it should forward or drop the
packet. A hardware firewall functions on an individual system or an individual network
connected using a single interface. Examples of a hardware firewall are Cisco ASA, Fortigate,
etc. Hardware firewalls provide protection to the private local area network.
However, hardware firewalls are considered a more expensive option, difficult to implement
and upgrade.
• Advantages
• Security: A hardware firewall with its own operating system is considered to reduce
security risks and has an increased level of security controls.
• Speed: Hardware firewalls initiate faster responses and enable more traffic.
• Minimal Interference: Since a hardware firewall is a separate network component, it
enables better management and allows the firewall to shutdown, move or be
reconfigured with less interference on the network.
• Disadvantages
Software Firewall
A software firewall is similar to a filter. It sits between the normal application and the
networking components of the operating system. It is more helpful for individual home users, is
suitable for mobile users who need digital security working outside of corporate network and it
is easy to install on an individual's PC, notebook, or workgroup server. It helps protect your
system from outside attempts of unauthorized access and protects against common Trojans
and email worms. It includes privacy controls and web filtering and more. A software firewall
implants itself in the key area of the application/network path. It analyzes data flow against the
rule set.
Configuration of a software firewall is simple compared to the hardware firewall. It intercepts
all requests from a network to the computer to determine if they are valid and protects the
computer from illicit attacks that try to access it. It incorporates user-defined controls, privacy
controls, web filtering, content filtering, etc. to restrict unsafe applications from running on an
individual system. Software firewalls utilize more resources and this reduces the speed of your
system. Examples of software firewalls are produced by Norton, McAfee and Kaspersky among
others.
• Advantages
• Disadvantages
Firewalls are designed and developed with the help of different firewall services
Each firewall service provides security depending on their efficiency and sophistication
Technologies used for creating a firewall service
Several firewall technologies are available for organizations to implement their security
through. Sometimes, firewall technologies are combined with other technologies to build
another firewall technology. For example, NAT is a routing technology but when combined with
a firewall, it is considered a firewall technology instead.
• Packet Filtering
• Stateful Multilayer Inspection
• Circuit Level Gateways
• Application Level Gateways
• Application Proxies
• Network Address Translation
• Virtual Private Network
The table below describes technologies working at each OSI layer:
The security level of these technologies varies according to the efficiency level of each
technology. A comparison of these technologies can be concluded by allowing these
technologies to pass through the OSI layer between the hosts. The data passes through the
intermediate layers from a higher layer to a lower layer. Each layer adds additional information
to the data packets. The lower layer now sends the obtained information through the physical
network to the upper layers and thereafter to its destination.
• Packet filtering firewalls work at the network level of the OSI model (or the IP layer of
TCP/IP)
• They are usually part of a router
• In a packet filtering firewall, each packet is compared to a set of criteria before it is
forwarded
• Rules include the source and destination IP addresses, source and destination port number
and the protocol used
• The advantage of packet filtering firewalls is their low cost and low impact on network
performance
• Most routers support packet filtering
[Figure: packet filter passing allowed incoming and outgoing traffic]
Packet filtering is the most basic core feature of all modern firewalls. They work at the network
layer and are usually part of a router. A packet filtering firewall evaluates each packet on the
basis of the packet header information including: source IP address, destination IP address,
source port, destination port, protocol etc. If the criteria don't match, the firewall drops the
packet or else forwards it. Rules can include source and destination IP address, source and
destination port number, and protocol used. When a data packet passes through the network,
a packet filter checks the packet header and compares it with the connection bypass table that
keeps a log of the connections passing through the network.
There are three methods available for configuring packet filters once the set of filtering rules has been determined:
• Rule 1: The filter accepts only those packets that are known to be safe and drops the rest.
• Rule 2: The filter drops only those packets that are confirmed unsafe and accepts the rest.
• Rule 3: If no specific instruction covers a particular packet, the user is asked to decide what to do with it.
A packet can pass through the firewall if it belongs to a previously established connection. When a new packet arrives, the filter checks whether it meets the rules; if it does, the filter forwards it to the network and enters the new connection in the bypass table. A packet filtering firewall does not cost very much and has little effect on network performance. Most routers support packet filtering. Packet filtering is a relatively low level of security that can be bypassed by techniques such as packet spoofing, where an attacker crafts or replaces packet headers so that the packets pass the filter unchallenged.
As their name suggests, packet filter-based firewalls concentrate on individual packets and analyze their header information as well as the direction in which they travel. Traditional packet filters make their decision based on the following information:
• Source IP address: Allows the filter to check whether the packet comes from a valid source. The IP header stores the source of the packet, and this address refers to the sending system.
• Destination IP address: Checks whether the packet is heading towards the correct destination; the IP header stores the destination address of the packet.
• Source TCP/UDP port: Allows checking the source port of the packet.
• Destination TCP/UDP port: Checks the destination port in order to allow or deny the corresponding service.
• TCP code bits: Used to check whether the packet has the SYN, ACK, or other bits set that indicate a connection attempt or an ongoing connection.
• Protocol in use: Packets carry a protocol field; the filter checks it and decides whether to allow or deny packets of that protocol.
• Direction: Checks whether the packet is entering the packet filter firewall or leaving it.
• Interface: Used to check whether the packet arrived on an interface connected to an unreliable network.
• Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP
• They monitor the TCP handshake between packets to determine whether a requested session is legitimate or not
• Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway
• They have the advantage of hiding information about the private network they protect
[Figure: circuit level gateway; a TCP session between the network interface and a recognized computer is allowed]
The circuit level gateway firewall uses the data present in the headers of the data packets to perform this action. It is not a stand-alone firewall; it works in coordination with other firewalls, such as a packet filter and an application proxy, to perform its functions. Information passed to a remote computer through a circuit level gateway appears to have originated from the gateway, so these gateways hide information about the network they protect. Circuit level gateways are relatively inexpensive.
If one system wants to view information on another, it sends a request to the second system, and the circuit level gateway firewall intercepts this request. The firewall forwards the packet to the recipient system with a different (the gateway's) address. When the reply arrives, the firewall checks whether it matches the IP address of the initiating system. If it matches, the firewall forwards the packet; otherwise it drops the packet.
Advantages
• Private network data hiding.
Disadvantages
• Inability to scan the active content.
• Able to handle only TCP connections.
• They can filter packets at the application layer of the OSI model
• Incoming or outgoing packets cannot access services for which there is no proxy
• In plain terms, an application level gateway that is configured to be a web proxy will not allow any FTP, gopher, Telnet, or other traffic through
• Because they examine packets at the application layer, they can filter application-specific commands such as http:post and get
An application level firewall controls input, output, and/or access to an application or service. It monitors, and may block, the input, output, or system service calls that do not meet the firewall's policy. Before allowing a connection, it evaluates the network packets for valid data at the application layer. The client and the server do not communicate directly; all traffic passes through a proxy server, which acts as the gateway for both sides and drops data packets that violate the firewall's rules.
• Application level gateways, also called proxies, concentrate on the Application layer rather than on individual packets alone.
• They perform packet filtering at the application layer and decide whether or not to transmit the packets.
• A proxy-based firewall asks for authentication before passing packets, since it works at the Application layer.
• Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway configured as a web proxy drops FTP, gopher, Telnet, or any other traffic that should not be allowed to pass through.
• As filtering is performed at the application level, these gateways can filter application-specific commands such as GET or POST requests.
• A content caching proxy optimizes performance by caching frequently accessed information instead of sending new requests to the servers for repetitive data transfers.
The application level firewall checks for those packets that do not comply with the filtration
rules. The unauthorized packets are dropped and authorized packets are forwarded to the
application layer of the destination.
• Traffic is filtered at three levels, based on a wide range of specified application, session, and packet filtering rules
[Figure: stateful multilayer inspection firewall; application, TCP and network interface levels; incoming traffic, allowed outgoing traffic and disallowed traffic]
Stateful multilayer inspection firewalls combine aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. They are expensive and require competent personnel to administer the device. The packet filter firewall's limitation of checking only packet headers is overcome by stateful packet filtering.
Stateful inspection also eliminates the lack of transparency of application level gateways, as it allows a direct connection between client and host. These firewalls use algorithms to examine, filter and process the application layer data instead of using proxies. Stateful multilayer inspection firewalls have many advantages, such as a high level of security, improved performance and transparency to end users. They are quite expensive because of their complexity and, because of that complexity, are potentially less secure than simpler types of firewalls.
• This type of firewall can remember the packets that passed through it earlier and make decisions about future packets based on this memory.
• These firewalls provide the best of both packet filtering and application-based filtering.
• For example, an FTP proxy will only allow FTP traffic to pass through, while all other services and protocols will be blocked.
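The session tracking described for circuit level gateways above, and the "remembers the packets that passed through it earlier" behaviour of stateful inspection, as an added example in Python; this is not code from the courseware. It assumes a constructed internal range 10.1.1.0/24 and a constructed gateway address 203.0.113.1, represents packets as plain dictionaries rather than captured traffic, and simplifies by reusing the inside host's source port on the public side. The gateway only admits TCP sessions opened from the inside, follows the three-way handshake before treating a session as established, relays outbound traffic with its own address as the source, and drops any inbound packet that matches no tracked session:

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example: the protected range and the gateway's own address.
INSIDE_NET = ipaddress.ip_network("10.1.1.0/24")
GATEWAY_ADDR = "203.0.113.1"


@dataclass
class Session:
    inside: tuple              # (inside_ip, inside_port) of the host that opened the session
    remote: tuple              # (remote_ip, remote_port)
    state: str = "SYN_SENT"    # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED


class CircuitGateway:
    """Admits only TCP sessions opened from the inside and relays them.

    Simplification: the inside host's source port is reused on the public side,
    so a session is keyed by (inside_port, remote_ip, remote_port).
    """

    def __init__(self):
        self.sessions = {}
        self.decisions = []   # (verdict, detail) for every packet seen, for auditing

    def handle(self, pkt):
        """Return ('forward', relayed_packet) or ('drop', reason)."""
        if pkt["proto"] != "tcp":
            return self._drop("only TCP sessions are relayed")
        flags = set(pkt["flags"])
        if ipaddress.ip_address(pkt["src"]) in INSIDE_NET:
            return self._outbound(pkt, flags)
        return self._inbound(pkt, flags)

    def _outbound(self, pkt, flags):
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        sess = self.sessions.get(key)
        if sess is None:
            if flags != {"SYN"}:
                return self._drop("outbound packet belongs to no session and is not a SYN")
            self.sessions[key] = Session((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"]))
        elif sess.state == "SYN_RECEIVED" and "ACK" in flags:
            sess.state = "ESTABLISHED"      # handshake complete
        elif sess.state == "SYN_SENT" and flags != {"SYN"}:
            return self._drop("handshake not yet answered by the remote host")
        if flags & {"FIN", "RST"}:
            self.sessions.pop(key, None)    # session is closing; forget it
        # Everything leaving the gateway appears to originate from the gateway itself.
        return self._forward(dict(pkt, src=GATEWAY_ADDR))

    def _inbound(self, pkt, flags):
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        sess = self.sessions.get(key)
        if pkt["dst"] != GATEWAY_ADDR or sess is None:
            return self._drop("no session opened from the inside matches this packet")
        if sess.state == "SYN_SENT":
            if flags != {"SYN", "ACK"}:
                return self._drop("expected SYN/ACK to continue the handshake")
            sess.state = "SYN_RECEIVED"
        elif sess.state == "SYN_RECEIVED":
            return self._drop("inside host has not acknowledged the handshake yet")
        if flags & {"FIN", "RST"}:
            self.sessions.pop(key, None)
        # Replies are handed back to the real inside host, whose address was hidden.
        return self._forward(dict(pkt, dst=sess.inside[0]))

    def _drop(self, reason):
        self.decisions.append(("drop", reason))
        return ("drop", reason)

    def _forward(self, pkt):
        self.decisions.append(("forward", pkt))
        return ("forward", pkt)


def tcp(src, sport, dst, dport, *flags):
    """Build a constructed TCP packet record for the demo."""
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


def demo():
    """Walk one handshake through the gateway; returns the verdict for each packet."""
    gw = CircuitGateway()
    inside, remote = "10.1.1.25", "198.51.100.7"   # constructed hosts
    packets = [
        tcp(remote, 80, GATEWAY_ADDR, 40000, "SYN"),          # unsolicited inbound: dropped
        tcp(inside, 40000, remote, 80, "SYN"),                # session opened from inside
        tcp(remote, 80, GATEWAY_ADDR, 40000, "SYN", "ACK"),   # legitimate reply
        tcp(inside, 40000, remote, 80, "ACK"),                # handshake completes
        tcp(remote, 80, GATEWAY_ADDR, 40000, "ACK"),          # data on the established session
        tcp(remote, 443, GATEWAY_ADDR, 40000, "ACK"),         # no matching session: dropped
        {"proto": "udp", "src": inside, "sport": 5000, "dst": remote, "dport": 53, "flags": ()},
    ]
    return [gw.handle(p)[0] for p in packets]


if __name__ == "__main__":
    print(demo())
```

The last two packets in the demo illustrate the two limitations the text lists: a packet that matches no session opened from the inside is dropped even though it carries an ACK, and the UDP datagram is refused because the gateway only handles TCP connections.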
An application level proxy works as a proxy server: a server that acts as an interface between the user workstation and the Internet. It cooperates with the gateway server and separates the enterprise network from the Internet. It receives a request from a user for an Internet service and responds only to that original request. A proxy service is an application or program that forwards user requests (for example, FTP or Telnet) to the actual services. Proxies are also called application level gateways, as they re-establish the connections and act as a gateway to the services. Proxies run on a firewall host that is either a dual-homed host or some other bastion host for security purposes. Some proxies, called caching proxies, run for the purpose of network efficiency: they keep copies of the data requested by the hosts they proxy and can provide that data directly when multiple hosts request the same data. Caching proxies help reduce the load on network connections, whereas proxy servers provide both security and caching.
A proxy service sits between the user in the internal network and the service on the outside network (Internet), and it is transparent. Instead of communicating directly with each other, both sides talk to the proxy, which handles all the communication between users and the Internet services. Transparency is the advantage of proxy services: to the user, the proxy server presents the illusion of dealing directly with the real server, while to the real server it presents the illusion of dealing directly with the user.
Advantages
• Proxy services can be good at logging because they can understand application protocols
and allow logging in an effective way.
• Proxy services reduce the load on network links as they are capable of caching copies of
frequently requested data and allow it to be directly loaded from the system instead of
the network.
• Proxy systems perform user-level authentication, as they are involved in the connection.
• Proxy systems automatically provide protection for weak or faulty IP implementations, as they sit between the client and the Internet and generate new IP packets for the client.
Disadvantages
• Proxy services lag behind non-proxy services until suitable proxy software is available.
• Proxy services may require changes in the clients, applications, and procedures.
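The application level gateway and proxy service behaviour described in the two passages above, as an added example in Python; it is not code from the courseware. The proxy parses the client's request at the application layer, admits only a policy-defined set of HTTP methods (GET and HEAD here, so POST is refused), rejects anything that is not HTTP at all (an FTP or Telnet client talking to a web proxy has no proxy available), and caches GET responses so that repeated requests are answered without contacting the origin server. The origin server is a constructed callable passed in by the caller; the host name `intranet.example` in the sample requests is also constructed:

```python
import re

# Request line of an HTTP/1.0 or HTTP/1.1 request: METHOD SP target SP version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {"GET", "HEAD"}   # policy for this example: no POST through the proxy


class HttpProxy:
    """A web proxy acting as an application level gateway with a content cache."""

    def __init__(self, fetch_origin):
        self.fetch_origin = fetch_origin   # callable(method, target) -> raw response bytes
        self.cache = {}                    # target -> cached GET response
        self.log = []                      # (verdict, detail) per client request

    def handle(self, raw_request):
        """Return the response bytes the client receives for one raw request."""
        m = REQUEST_LINE.match(raw_request)
        if not m:
            # Not HTTP at all (e.g. an FTP "USER" command or Telnet negotiation):
            # there is no proxy for that service, so the traffic does not get through.
            self.log.append(("deny", "not an HTTP request"))
            return b"HTTP/1.1 400 Bad Request\r\n\r\n"
        method, target = m.group(1).decode(), m.group(2).decode()
        if method not in ALLOWED_METHODS:
            self.log.append(("deny", f"method {method} not permitted by proxy policy"))
            return b"HTTP/1.1 405 Method Not Allowed\r\n\r\n"
        if method == "GET" and target in self.cache:
            self.log.append(("cache-hit", target))
            return self.cache[target]
        # The proxy, not the client, opens the connection to the origin.
        response = self.fetch_origin(method, target)
        if method == "GET":
            self.cache[target] = response
        self.log.append(("allow", f"{method} {target}"))
        return response


def demo():
    """Run four constructed client requests; returns the verdicts and origin call count."""
    origin_calls = []

    def origin(method, target):
        origin_calls.append((method, target))
        return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

    proxy = HttpProxy(origin)
    proxy.handle(b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    proxy.handle(b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n")   # served from cache
    proxy.handle(b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\n\r\n")      # method refused
    proxy.handle(b"USER anonymous\r\n")                                            # FTP, not HTTP
    return [verdict for verdict, _ in proxy.log], len(origin_calls)


if __name__ == "__main__":
    print(demo())
```

The log makes the proxy's logging advantage from the list above concrete: because the gateway understands the application protocol, each entry records the method and target rather than only addresses and ports.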
• Network address translation separates IP addresses into two sets, enabling the LAN to use these addresses for internal and external traffic respectively
• It also works with a router, the same as packet filtering does; NAT will also modify the packets the router sends at the same time
• It has the ability to change the address of the packet and make it appear to have arrived from a valid address
• It can act as a firewall filtering technique where it allows only those connections which originate on the inside network and will block the connections which originate on the outside network
NAT helps hide an internal network layout and forces connections to go through a choke point. NAT works with the help of a router, which forwards the packets while NAT modifies them. When an internal machine sends a packet to an outside machine, NAT modifies the source address of that packet to make it appear to come from a valid (externally visible) address. When the outside machine sends a packet to the internal machine, NAT modifies the destination address, turning the visible address back into the correct internal address. NAT can also modify the source and destination port numbers. NAT systems use different schemes for translating between internal and external addresses:
• Assigning one external host address for each internal address and always applying the
same translation. This slows down connections and does not provide any savings in
address space.
• Dynamically allocate an external host address without modifying the port numbers at the
time when the internal host initiates a connection. This restricts the number of internal
hosts that can simultaneously access the Internet to the number of available external
addresses.
• Create a fixed mapping from internal addresses to externally visible addresses, but use port mapping so that multiple internal machines use the same external addresses.
• Dynamically allocate an external host address and port pair each time an internal host
initiates a connection. This makes the most efficient possible use of the external host
addresses.
Advantages
• Network address translation helps to enforce the firewall's control over outbound
connections.
• It restricts incoming traffic and allows only packets that are part of a current interaction
initiated from the inside.
• Helps hide the internal network's configuration and thereby reduces the success of
attacks on the network or system.
Disadvantages
• The NAT system has to guess how long it should keep a particular translation, which is impossible to guess correctly every time.
• NAT interferes with encryption and authentication systems that ensure the security of the data.
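The fourth translation scheme in the list above (dynamically allocated external address and port pair per connection, here with a single public address) together with the "only connections initiated from the inside" property, as an added example in Python; this is not the courseware's code. It assumes a constructed internal range 192.168.1.0/24 and a constructed public address 203.0.113.10, and uses a fixed idle timeout to decide when to forget a translation, which is the guess the disadvantages list says NAT must make:

```python
import ipaddress

# Constructed values for the example.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_ADDR = "203.0.113.10"
IDLE_TIMEOUT = 300   # seconds; a policy guess, since the true lifetime of a flow is unknown


class Pat:
    """Port address translation with dynamic port allocation and idle expiry."""

    def __init__(self, first_port=20000):
        self.next_port = first_port
        # (int_ip, int_port, ext_ip, ext_port, proto) -> (public_port, last_seen)
        self.out = {}
        # (public_port, ext_ip, ext_port, proto) -> (int_ip, int_port)
        self.back = {}

    def _expire(self, now):
        """Drop translations that have been idle longer than IDLE_TIMEOUT."""
        for key, (public_port, last_seen) in list(self.out.items()):
            if now - last_seen > IDLE_TIMEOUT:
                del self.out[key]
                del self.back[(public_port,) + key[2:]]

    def translate(self, pkt, now):
        """Return ('forward', translated packet) or ('drop', reason)."""
        self._expire(now)
        proto = pkt["proto"]
        if ipaddress.ip_address(pkt["src"]) in INTERNAL_NET:
            # Outbound: allocate (or reuse) a public port and rewrite the source.
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], proto)
            entry = self.out.get(key)
            if entry is None:
                public_port = self.next_port
                self.next_port += 1
                self.back[(public_port, pkt["dst"], pkt["dport"], proto)] = (pkt["src"], pkt["sport"])
            else:
                public_port = entry[0]
            self.out[key] = (public_port, now)
            return ("forward", dict(pkt, src=PUBLIC_ADDR, sport=public_port))
        # Inbound: only packets answering an existing translation get through.
        reverse_key = (pkt["dport"], pkt["src"], pkt["sport"], proto)
        inside = self.back.get(reverse_key)
        if pkt["dst"] != PUBLIC_ADDR or inside is None:
            return ("drop", "no translation initiated from the inside")
        key = (inside[0], inside[1], pkt["src"], pkt["sport"], proto)
        self.out[key] = (pkt["dport"], now)   # refresh the idle timer
        return ("forward", dict(pkt, dst=inside[0], dport=inside[1]))


def demo():
    """Two inside hosts share one public address; replies and strays are handled."""
    nat = Pat()
    a = {"proto": "tcp", "src": "192.168.1.10", "sport": 51000, "dst": "198.51.100.20", "dport": 443}
    b = {"proto": "tcp", "src": "192.168.1.11", "sport": 51000, "dst": "198.51.100.20", "dport": 443}
    _, t_a = nat.translate(a, now=0)
    _, t_b = nat.translate(b, now=1)
    reply_a = {"proto": "tcp", "src": "198.51.100.20", "sport": 443,
               "dst": PUBLIC_ADDR, "dport": t_a["sport"]}
    _, r_a = nat.translate(reply_a, now=2)
    stray = {"proto": "tcp", "src": "198.51.100.20", "sport": 443, "dst": PUBLIC_ADDR, "dport": 22}
    verdict_stray, _ = nat.translate(stray, now=3)
    verdict_late, _ = nat.translate(reply_a, now=2 + IDLE_TIMEOUT + 1)   # translation expired
    return (t_a["sport"], t_b["sport"], r_a["dst"], r_a["dport"], verdict_stray, verdict_late)


if __name__ == "__main__":
    print(demo())
```

Both inside hosts use the same source port 51000, and the translator keeps them apart by giving each its own public port; the final call shows the cost of the timeout guess, since a reply that arrives after the mapping has expired is dropped even though it belongs to a real conversation.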
A VPN is a network that provides secure access to a network through the Internet. It is used for connecting wide area networks (WANs) and allows computers on one network to connect to computers on another network. It employs encryption and integrity protection, allowing a public network to be used as a private network. A VPN performs encryption and decryption outside the packet-filtering perimeter so that packets coming from other sites can still be inspected. A VPN encapsulates the packets it sends over the Internet. A VPN is an attempt to combine the advantages of both public and private networks. VPNs have no relation to firewall technology, but firewalls are a convenient place to add VPN features, as they help in providing secure remote services. All virtual private networks that run over the Internet employ these principles:
• Encapsulation of the original packets into new packets, which are sent across the Internet to a system that reverses the encapsulation
Advantages
VPNs provide some security advantages such as:
• A VPN hides all the traffic that flows over it, ensures encryption, and protects the data
from snooping.
• It provides remote access to protocols without exposing them to attack from the Internet at large.
Disadvantages
• As the VPN runs on a public network, the user will be vulnerable to an attack on the
destination network.
Bastion host:
• A Bastion host is a computer system designed and configured to protect network resources from an attack. It is placed between two networks and acts as an application level gateway
• Traffic entering or exiting the network passes through a firewall, which has two interfaces:
• The public interface is connected directly to the Internet
• The private interface is connected to the Intranet
[Figure: bastion host between the Internet and the Intranet, behind the firewall]
Screened subnet:
• The screened subnet or DMZ (additional zone) contains hosts that offer public services
• The public zone is connected directly to the Internet and has no hosts which are controlled by the organization
• The private zone consists of systems Internet users have no business accessing
[Figure: screened subnet; Internet, firewall, DMZ and Intranet]
Multi-homed firewall:
• This type of firewall consists of three interfaces which allow for further subdividing of the systems based on specific security objectives in the organization
[Figure: multi-homed firewall; Firewall 1 and Firewall 2 in front of the Intranet]
An organization will generally implement the firewall on a single machine, which provides extremely effective network-based security control. It may be a router or a host. The three types of firewall architectures and their related uses are explained below:
Bastion Host
A bastion host is a computer system designed and configured to protect network resources from attacks. It acts as a mediator between the inside and outside networks. The firewall resides between the Internet and the protected private network and filters all traffic entering or leaving the network. The bastion host provides a platform for an application level or circuit level gateway and requires additional authentication before a user may access the proxy services. A network administrator installs only the essential services or applications on the bastion host. Simple networks that do not offer any Internet services use a bastion host topology. If the system has two firewalls, the bastion host is placed between the two firewalls or on the public side of the DMZ. Examples of bastion hosts include mail, DNS and FTP servers.
Traffic entering or leaving the network passes through the firewall. It has two interfaces: the public interface, connected directly to the Internet, and the private interface, connected to the intranet.
Screened Subnet
The screened subnet is also known as a "triple-homed firewall" and uses a single firewall with
three network interfaces. The first interface connects the Internet, the second interface
connects the DMZ, and the third interface connects the intranet. The screened subnet or DMZ
(additional zone) contains hosts that offer public services. The public zone connects directly to
the Internet and has no organization-controlled hosts. The main advantage with using the
screened subnet is it separates the DMZ and Internet from the intranet. If the firewall is
compromised, access to the intranet will not be possible.
The screened subnet architecture consists of two screening routers, one is placed between the
perimeter net and the internal network, and the other is placed between the perimeter net and
the external network. This architecture is more secure because to enter the internal network,
the hacker/attacker has to pass both the routers.
Multi-homed Firewall
A multi-homed firewall connects to two or more networks. In this case, more than three interfaces are present, allowing the systems to be further subdivided based on the specific security objectives of the organization. Each interface connects to a separate network segment, both logically and physically. A multi-homed firewall allows administrators to assign a different security policy to each interface. Internet users access only the presentation servers, which have access to the middleware servers, which in turn can access only the data servers. A multi-homed firewall increases the efficiency and reliability of an IP network. It combines all the functions of a firewall in a single box and replaces the IP router; it does not forward packets at the IP layer but processes them through the application layer, which provides complete control over how the packets are handled.
A dual-homed host is similar to the multi-homed host. It has two network interface cards (NICs), one connected to an external (untrusted) network and the other to an internal (trusted) network. The key point is that it does not allow traffic from the untrusted network to be routed directly onto the trusted network; the firewall acts as an intermediary.
Choose a firewall topology that best suits your IT infrastructure and provides maximum effectiveness. Choose the topology based on the risks and benefits that they offer:
• Choose a bastion host topology, if the organization uses a relatively simple network and does not provide any public services
• Choose the screened subnet topology, if the organization offers public services
• Choose the multi-homed firewall topology, if the organization's network has different zones which were created based on specific security objectives
• Place a separate firewall for each isolated network zone, based on the security demand
Before deploying a firewall on the network as part of their perimeter protection strategy,
organizations should understand which firewall topology suits their business needs best.
Bastion Host
This type of topology is ideal for simple networks. It monitors the traffic between the private network and the outside world (Internet) and offers a single layer of protection; if an attacker penetrates this layer, the network may be compromised. Restricting every user's Internet access to pass through this firewall keeps the network relatively safe from threats. Organizations use this topology to protect a corporate network intended for browsing the Internet and other internal communications. It does not provide sufficient protection for web hosting or for protecting an e-mail server.
Screened Subnet
This type of topology is ideal for an organization hosting a website or an e-mail server. A
screened subnet topology provides secure services to internet users. In this type of topology,
the servers that provide public services are set up in separate zone called a demilitarized zone
(DMZ), keeping the trusted network secure from the internet. Users inside the trusted network
will have access to the Internet through the DMZ. Even though a malicious user compromises
the firewall, they cannot access the network inside the DMZ.
Multi-homed Firewall
A multi-homed firewall offers the advantage of protecting your trusted network even if the demilitarized zone (DMZ) is compromised. This topology operates on two or more network interfaces: one interface connects to the untrusted network (Internet) and another connects to the trusted network. A multi-homed firewall can add a DMZ by adding a third interface. The rules for accessing the DMZ are less restrictive than those protecting the private network. This topology is ideal for organizations maintaining two or more network zones.
You should build rulesets that support and implement the organization's firewall policy while offering good performance. They should be specific and depend on the network traffic they apply to, and should include information such as the traffic types required and the protocols used for management purposes. The type of firewall and the specific products affect the ruleset's development process.
A firewall rule allows a computer to send or receive packets from a program, service, computer and/or user. Firewall rules allow three actions:
• Allow the connection.
• Traffic type.
The ruleset should ensure that port filtering is performed both at the outer edge of the
network, and inside the network. The ruleset should also be capable of raising an alert if a user
logs on or changes any of the rules.
Blacklist vs Whitelist
There are two ways to define firewall rules based on the appropriate approach selected when
creating protocols, reducing vulnerabilities on a network and the desired functionality offered.
The two approaches are:
Black list
• In this approach, the network administrator estimates and defines all the properties of
malicious traffic and the firewall will prevent such traffic from entering the internal
network.
• With this type of configuration, it is easier to protect the internal network when using a
firewall.
• The firewall allows all packets, except the ones set to deny.
White list
• In this approach, the firewall contains the properties of acceptable traffic.
• All packets are denied by the firewall, except those that are set to allow.
The following tables illustrate a sample packet filter firewall ruleset, helping you to configure the packet filtering rules in software as well as hardware firewalls.
The following table shows how to build the ruleset for packet filtering firewalls.
The 1st rule in the table is described as:
This row states that if traffic originates from any IP address and source port, is destined for a specified destination IP address (10.1.1.0 in this case) and the source port is greater than 1023, this type of traffic will be allowed to pass through the firewall.
Source Address | Source Port | Dest Port | Action
If you want to allow all IP traffic between a trusted external host and your internal hosts, the firewall rules will be as shown in the following table:
Rule | Direction | Source Address        | Destination Address   | ACK Set | Action
A    | Inbound   | Trusted external host | Internal              | Any     | Permit
B    | Outbound  | Internal              | Trusted external host | Any     | Permit
C    | Either    | Any                   | Any                   | Any     | Deny
TABLE 7.3: IP traffic between a trusted external host and internal hosts
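The packet filter decision fields listed earlier in this module (source and destination address, ports, protocol, TCP code bits, direction, interface) and the rulesets shown in the two tables above, as one added example in Python; this is not code from the courseware. Rules are checked in order and the first match decides; a packet matching no rule falls to the default policy, so default deny corresponds to the whitelist approach and default allow to the blacklist approach. The internal block 10.1.1.0/24 comes from the text; the trusted external host 198.51.100.5 and the packets in the demo are constructed:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None   # wildcard for any rule field


@dataclass
class Rule:
    name: str
    action: str                              # "permit" or "deny"
    direction: Optional[str] = ANY           # "inbound" or "outbound"
    src: Optional[str] = ANY                 # CIDR block, e.g. "10.1.1.0/24"
    dst: Optional[str] = ANY
    sport: Optional[Tuple[int, int]] = ANY   # inclusive port range
    dport: Optional[Tuple[int, int]] = ANY
    proto: Optional[str] = ANY               # "tcp", "udp", "icmp"
    ack_set: Optional[bool] = ANY            # True: ACK bit must be set (a reply); False: must be clear
    interface: Optional[str] = ANY

    def matches(self, pkt):
        """True when every constrained field of the rule agrees with the packet header."""
        if self.direction is not ANY and pkt["direction"] != self.direction:
            return False
        if self.interface is not ANY and pkt.get("interface") != self.interface:
            return False
        if self.src is not ANY and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not ANY and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not ANY and not (self.sport[0] <= pkt.get("sport", -1) <= self.sport[1]):
            return False
        if self.dport is not ANY and not (self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]):
            return False
        if self.proto is not ANY and pkt["proto"] != self.proto:
            return False
        if self.ack_set is not ANY and ("ACK" in pkt.get("flags", ())) != self.ack_set:
            return False
        return True


class PacketFilter:
    """First matching rule wins; unmatched packets receive the default policy.

    default="deny" is the whitelist approach, default="allow" the blacklist one.
    """

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default, "default"


INTERNAL = "10.1.1.0/24"          # the internal block named in the text
TRUSTED_HOST = "198.51.100.5/32"  # constructed stand-in for the trusted external host

# Table 7.3 as rules: A and B permit traffic in either direction between the trusted
# host and the internal hosts, C denies everything else.
TABLE_7_3 = [
    Rule("A", "permit", direction="inbound", src=TRUSTED_HOST, dst=INTERNAL),
    Rule("B", "permit", direction="outbound", src=INTERNAL, dst=TRUSTED_HOST),
    Rule("C", "deny"),
]

# A reply-only rule in the spirit of the first sample rule: inbound TCP to internal hosts on
# ports above 1023 is permitted only when the ACK bit is set, so a new inbound connection
# attempt (bare SYN) never matches and falls to the default deny.
REPLIES_ONLY = [
    Rule("replies", "permit", direction="inbound", dst=INTERNAL, proto="tcp",
         dport=(1024, 65535), ack_set=True),
]


def packet(direction, src, dst, proto="tcp", sport=0, dport=0, flags=(), interface="eth0"):
    """Constructed packet header record for the demo."""
    return {"direction": direction, "src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "flags": flags, "interface": interface}


def demo():
    table = PacketFilter(TABLE_7_3)
    replies = PacketFilter(REPLIES_ONLY, default="deny")
    return [
        table.decide(packet("inbound", "198.51.100.5", "10.1.1.20", sport=443, dport=50000)),
        table.decide(packet("outbound", "10.1.1.20", "198.51.100.5", sport=50000, dport=443)),
        table.decide(packet("inbound", "198.51.100.9", "10.1.1.20", sport=443, dport=50000)),
        replies.decide(packet("inbound", "198.51.100.9", "10.1.1.20", sport=443, dport=50000, flags=("ACK",))),
        replies.decide(packet("inbound", "198.51.100.9", "10.1.1.20", sport=12345, dport=50000, flags=("SYN",))),
        replies.decide(packet("inbound", "198.51.100.9", "10.1.1.20", sport=443, dport=80, flags=("ACK",))),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Returning the name of the rule that matched alongside the verdict is what makes the ruleset testable: the firewall testing steps later in this module ask whether the firewall permits and blocks traffic as the policy intends, and a decision that names its rule can be checked against the policy line by line.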
You should use the following tricks to build packet filtering firewall rulesets more effectively and securely:
• Build a firewall that handles application traffic like web, email, or Telnet
• The policy should explain how the firewall is to be updated and managed
Define a firewall policy, which explains how the firewall is setup, operated, updated and
maintained. The policy includes the scope of the firewall, services offered and t ypes of
communications supported.
The steps involved in creating a firewall policy are:
• Step 1: Identify the network applications that are of utmost importance, the traffic they
generate, bandwidth required and type of connection they use
• Step 2: Identify the vulnerabilities that are related to the network applications and their
impact over the network as well as the systems
• Step 4: Create a network application traffic matrix to identify the protection method
• Step 5: Create a firewall rule set that depends on the application's traffic matrix
• Always confirm that the policies implemented meet the needs of the organization.
• Always create one or more firewall rules for inbound traffic to allow voluntary inbound network traffic.
According to recent studies, almost 80% of installed firewalls were misconfigured. Any small error in the firewall increases the risk for an organization. Security, regulatory compliance, network availability and performance all suffer if there are issues in the firewall.
Firewall policies should align with day-to-day advancements in threat levels in order to deploy a
protected network. You have to verify the policy defining the processes regularly to check if
they are able to combat any new risks and attacks.
• Create periodic reviews for firewall policies to achieve accuracy and timeliness.
• Review and update firewall policies every six months.
• If a firewall's application is upgraded, then the firewall's ruleset must be formally
changed.
• Firewall installs, systems and other resources must be audited on a regular basis.
The scheduled periodic firewall policy reviews include:
• Actual audits and vulnerability assessments of production that give a good idea on what
systems are being used, internal communications patterns deployed and the type of
attacks they are prone to.
• Computer systems, shared drives, email servers, web servers and secured networks
placed at various locations must also be reviewed in order to keep the system updated
which offers the utmost speed and efficiency .
• The firewall rules that are not used often and whether they can be eliminated.
• Any changes in network security gives rise to additional or new security exposures.
Periodic firewall reviews help increase security, availability and performance of the
organization's network.
There are some factors to consider before implementing a firewall solution on the network. It is
the responsibility of a network administrator to specify network security issues and address
them during firewall implementation.
When implementing a firewall for the network, organizations must plan the positioning of
firewalls in advance. They should also consider conducting a security risk assessment to know
where a threat to the network would most likely originate and the reasons behind it.
Depending on the potential origin of threats, administrators attempt to build a layout for
firewall implementation. If an organization is considering implementing a firewall, remember to
outline a consistent security policy in advance based on the risk assessment. The security policy
must determine how basic communication will take place at the firewall, where the firewall
must sit and how to configure it.
Use a step-by-step process to ensure a successful firewall implementation and deployment. The process helps to minimize any unforeseen issues and identify any potential pitfalls early on.
Configuring and deploying:
• After planning, administrators focus on configuring the firewall hardware and software components and setting up rules for the system to work effectively.
• Administrators test the firewall prototype and its environment after successfully configuring the firewall. They need to assess the functionality, performance, scalability, and security of the firewall for possible vulnerabilities and issues in the components.
• After resolving all issues encountered during the testing phase, administrators need to deploy the firewall into the network.
• Don't construct a firewall using any other networking equipment such as a router, which is not meant for use as a firewall. It causes overload on the equipment and does not provide the security intended
• Sensitive network data, resources or systems should not be placed behind a firewall to avoid inside attacks from within the organization
• Perform extensive market research to find out the capabilities and limitations each firewall model has
• Do not configure a firewall on a device not meant for firewall purposes. For example,
configuring a firewall to function on a router can put additional burdens on the router's
functionality.
• Do not enable additional non-security services such as a web server or email server on the
firewall. This will overload the device and reduce its efficiency to provide network
security.
• Concentrating on external threats leaves the network vulnerable to internal threats or inside attacks. Consider keeping all sensitive and critical systems behind internal firewalls.
• The administrator needs to be careful while deploying a specific type of firewall. It should
be done based on their techniques and limitations. Organizational security policies have
great impact on the type of firewall used.
Factors to Consider before Purchasing any Firewall Solution (Cont'd)
• Physical Requirements
• Personnel
The organization should consider the following factors before purchasing and implementing any
firewall solution for their network.
• Management: The firewall should support encrypted protocols such as HTTPS, SSH, and
access over a serial cable for remote management. Check whether any of these remote
management protocols are acceptable for use with the organization's policies.
Administrators need to ensure that it is possible to restrict remote management to certain
firewall interfaces and source IP addresses. In firewalls, look for centralized management
from the same vendor. If it is available, check whether it is a vendor-specific application
which performs this operation or any other application which controls it.
• Security Capabilities: Consider all the possible areas of the organization that require
security. Choose the type of firewall technology including packet filtering, stateful
inspection, application firewall, application-proxy gateway that will best address the kinds
of traffic you want to monitor. The administrators should also consider other network
security capabilities like an intrusion detection system, VPN and content filtering while
choosing a firewall.
• Physical Requirements: Consider the physical space and protection required for a firewall.
For example, extra shelf or rack space, adequate power backup facilities and air
conditioning facilities at the location of the placement of the firewall.
• Future Needs: Choose a firewall that meets the future needs of the organization, such as plans to move to IPv6, anticipated bandwidth requirements, and compliance with regulations expected to be implemented.
Configuring Firewall Implementation
Configuring a firewall involves configuring various components and features such as hardware,
software, policy configuration, implementing logging and alerting mechanisms.
Configuring Policies
Administrators have to focus on creating the firewall's policies after installing the hardware and software of a firewall. A ruleset's design depends on the type of traffic flowing through the network, including the protocols used by the firewall itself such as DNS, SNMP, and NTP. If multiple firewalls need to have the same rules, synchronize all the rules across all the firewalls.
• Enable port filtering at the outer edge and inside the network.
• Create rules to perform content filtering close to the content receiver.
• Test and evaluate your firewall implementation before deploying it in the network
• Conduct your firewall test on a test network instead of the production network
• Test and evaluate the firewall for proper configuration and implementation with respect
to the following attributes: Security of the Implementation, Component Interoperability,
and Policy Synchronization
Testing a firewall involves examining the firewall for any bugs. The firewall implementation test
mainly focuses on whether the firewall rules are set according to the actions performed by the
firewall. Firewall testing increases the reliability of the products using the firewall.
Before deploying a firewall, the administrator runs a test on a test network, replicating the
original network. Different aspects of the firewall are evaluated in this phase:
• Connectivity: It involves testing whether users can establish a connection through the
implemented firewall.
• Ruleset: Checks whether the firewall permits and blocks the traffic as per security policies.
The analysis of the firewall rule set includes manual testing to verify if the rules work
according to the outlined security rules.
• Performance: Test the performance of a firewall on a live network using simulated traffic
generators. The testing process needs to include applications that can affect the network
throughput and latency.
If a firewall does not perform as proposed, the following could be the reasons for its failure:
• Development of incorrect test cases, which causes a wrong prediction of firewall
performance.
• Notify the users and/or owners of the systems which will be affected during the
deployment
• Integrate the firewall with the other network elements which require interaction with
the firewall
Administrators need to ensure they deploy the firewall according to the security policies of the
organization. Administrators should also alert the users of the deployment of the firewall. Add
the security policy of the firewall to the network's overall policy, and any configuration changes
which happened during implementation should also be included. Employing a phased approach
to deploy multiple firewalls on a network helps detect and resolve issues regarding conflicting
policies.
Reconfigure the network device on the outside of the network to handle addressing of the
firewall. Proper deployment of a firewall facilitates the sending and receiving of traffic from the
newly configured firewall system.
• Update the firewall policy based on any new threats which are detected
• Periodically, review the firewall policy
• Continuously monitor and log all alerts raised when the firewall identifies threats
• Regularly, backup the firewall rulesets and policies
• Update the firewall rulesets based on security requirements
• Perform a firewall log analysis to detect security incidents
Managing a firewall includes maintaining the firewall architecture, policies, software, and other
components deployed on the network. Administrators should update the policy rules when
they identify new threats and if requirements change. The network administrator needs to
ensure the security of the firewall by constantly monitoring and addressing the issues in the
network. They monitor the firewall logs continuously in order to detect new threats and attacks
in the network.
Perform regular backups of the firewall policies and rulesets depending on the rule format used
by the firewall. Use restrictions offered by firewalls on who can change a ruleset and from
which addresses. Review the firewall policy regularly to uncover:
• Firewall Logging Functionality:
  • By default, all firewalls have a method for logging capabilities
  • Use a centralized logging service such as a Unix syslog application, which also
provides log examination and parsing
• Firewall Backups:
• Security Incidents:
  • Firewalls play a critical role in security incidents. They correlate all the events which
have passed through them, especially where network attacks are concerned
  • Synchronize the firewall with network time protocol (NTP) to effectively correlate the
incident events
Under an internal individual authentication process, the user should have a unique user ID
and password to gain access to the interface. Some firewalls also support token-based
authentication to grant access to centralized servers using Remote Authentication Dial-In
User Service (RADIUS).
• Build an Operating System Platform for a Firewall: Platform consistency plays a vital role
in the successful implementation of a firewall; use an operating system (OS) with
hardened security features for the applications. Do not install a firewall on a system built
with all possible installation options; remove unnecessary OS features first. Firewall
installations should not affect the functioning of the OS. Install all security patches on
the OS before installing the firewall. Unused network services, network protocols,
applications and user accounts must be disabled.
• Firewall Failover Strategies: Failover strategies are required to preserve the security of the
network when a firewall failure occurs. Specially designed network switches use a
customized 'heartbeat' mechanism to handle firewall failover by shifting all the inbound
and outbound traffic to the backup firewall. They reduce the chances of a network
failure. Both primary and backup firewalls sit behind a single Media Access Control (MAC)
address to provide seamless functionality.
A firewall that does not support a syslog interface will have its own internal logging
functionality. Third-party log maintenance and parsing tools, such as Firewall Analyzer and
Sawmill, are also available.
In a minor security incident, the attacker can use basic network probes. Due to its lower
severity, many companies don't treat these incidents as threats. In medium security
incidents, the attacker tries to get unauthorized access to the resources or the system.
A high-end incident describes a situation, where an attacker is successful in obtaining
access to the system. These incidents restrict resource availability, and are treated as a
serious situation.
A firewall uses an event-correlation technique that relies on time synchronization: the state of
the firewall is rolled back to a known point in order to reconstruct the phases of the incident.
• Firewall Backups: All firewall backups should be Day Zero or full backups instead of
incremental backups immediately before the production release. Because firewall access
control does not permit a centralized backup scheme, firewalls have in-built backup
facilities.
It is desirable to have all critical file systems backed up to external devices in Windows
operating systems. In UNIX the /var file system directory and sub directories require write
access and contain all the system logs and spool directories.
• Examine the communication path between the firewall and the system in order to
uncover any errors or faults in the configuration.
• Decide on the type of firewall that is best suited for a particular company.
Deny Network Access
Weak network access controls increase the chances of unauthorized public network access. This
leads to the manipulation of data, services and denial of service attacks. Proper controls such as
user access restrictions and security controls for granting permissions can limit unauthorized
public network access.
Firewalls are equipped with a real-time packet filtering mechanism that checks all packets for
malicious content and drops any that are suspicious. Organizations should use SSL and HTTPS
protocol services while accessing corporate resources over public networks; this ensures the
consistency of the firewall policy, as these protocols pass only encrypted information.
To prevent unauthorized public network access, you should scan the network regularly for open
ports and disable them to ensure proper utilization of any remotely accessible resources.
Netstat.exe is the built-in Windows network application that provides a list of open connections.
• Step 3: Press Enter; this will list all of the open ports
• Restrict users from inserting virus-infected removable media into the system
• Restrict employees from using remote access software from home that bypasses the
perimeter firewall
• Virus email can spread through all the computers on a network when a user attempts to
open the mail, causing damage to the files on their computer
Restricting unauthorized access from inside the network prevents users from running malicious
programs, installing suspect software, etc.
• Restrict employees from using remotely available corporate resources from public
networks such as an internet cafe or free public Wi-Fi (e.g. hotels), which bypasses the
perimeter of the firewall.
• Educate employees on the topic of social engineering, an attack in which hackers build
confidence with an unsuspecting user to trick them into giving up personal information
such as user credentials, server information, IP addresses, etc., which is then used to
perform network attacks against an organization.
• Firewall instructions provided by well-trained firewall administrators enable users to
configure their firewall to filter IP packets for detection of unauthorized packets.
• Emails containing viruses can spread through all the computers on a network when the
user attempts to open the mail. Using an updated internet security solution can prevent
such email attacks.
• Provide access only to required documents and files. This controls access for those
people working inside an organization who do not have access to all the sensitive
information.
• Account rights should be carefully structured in order to facilitate proper data access.
• Proper training of users can prevent unauthorized access inside an internal network.
There are limits to this strategy, but educating users has many threat prevention benefits.
• A firewall acts as a proxy server allowing high-level application connections related to
internal hosts and other machines
• A single firewall provides both outbound packet filtering and a proxy server
• Application proxies restrict users from gaining unrestricted access to the Internet, as well
as those technically sophisticated users who might be able to circumvent the security
systems in place
• The user may dial through the remote access and open a security hole
A client should not have direct access to an external host which could make it vulnerable to
threats. As a result, the client should access the host through the firewall. The firewall would
act as a proxy server allowing high-level application connections related to internal hosts and
other machines. A single firewall acts as both packet filtering at the application level and a
proxy server at the domain level. Application proxies restrict users from gaining unrestricted
access to the Internet. Technically sophisticated users might be able to circumvent the security
systems altogether.
Vulnerable external hosts gather sensitive information from clients such as IP addresses, types
of security, level of security, server locations and remote access credentials. Remote access
programs such as gotomypc.com, which provide remote access to work systems, can be useful,
but the concern is the risks associated with them, such as password sniffing, packet stealing
and IP spoofing.
The user might dial through the remote access to connect with an illicit server and application,
which opens a security hole.
It is possible to restrict authorized access to areas by employing the following policies:
• Allow only internal IP addresses to pass through the firewall.
• Block traffic containing private addresses.
• Block all outbound traffic from VLAN workgroups.
• Block broadcast traffic and all traffic from servers that require no connectivity with any of
the external networks.
• Firewalls log user activity in a network; this is known as firewall logging
• Attackers tend to leave footprints when trying to pass through a firewall. Investigate the
firewall logs to get a basic understanding of what happened with the attack
• Use firewall logging to investigate all the "allow" events. This is very useful when trying to
discover potential security threats on the network
[Figure: a firewall between the modem/Internet and the internal network, with its firewall log
sent to a centralized server; legend: specified traffic allowed, restricted unknown traffic]
Firewall logging is the ability of a firewall to record or log the details of user's activities on a
network. Log file maintenance is crucial to overcoming security breaches, as the attackers
unknowingly leave their footprints when trying to pass through a firewall. Firewall logs can help
you investigate such incidents.
Firewall logs contain information about activities such as port scans, unauthorized connection
attempts, activities from compromised systems and security threat attempts at the boundary of
the network. It helps you trace the source of the network attacks.
An administrator can disable the firewall logs temporarily, while troubleshooting or monitoring
its behavior. A centralized secure server should contain the firewall logs in order to protect it
from the attackers. Otherwise, an attacker could delete the logs which contain their footprints.
If any suspicious activity is detected in a firewall log, it should be handled immediately and all
necessary actions taken to avoid any security incidents.
Firewall Analyzer is an application for firewall log analysis providing many features to gather,
analyze, and report on any logs found.
• Firewall logs are stored locally or in a centralized logging server (e.g. Syslog Server) on the network
• Firewall devices log important information such as spoofing attempts, failed authentication, malware
attacks, etc.
[Figure: types of firewall log data: event, virus, attack, VPN and audit logs]
Firewall log data contains information such as failed authentication attempts, abnormal
protocols, virus attacks, etc. Firewall logs are huge datasets to look into, especially for big
enterprises with more than one or two firewalls, which record many log files with a very large
number of entries every day. Firewall logs are stored locally or in a centralized logging server
(Syslog Server) on the network. The collection of firewall log data helps administrators analyze
the transactions between the source IP address and the destination IP address. Because a
firewall creates a huge log volume (approximately 10000 or even more events/sec), it is
necessary to use specialized software to collect and analyze them.
• Audit trail.
• Event logs.
• Network traffic.
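As an added example (not part of the CND courseware), the following Python script parses a few constructed syslog-style firewall lines and pulls out the items the text says logs should reveal: a source probing many ports, "allow" events to ports outside an expected set, and out-of-order timestamps from one device that point to a clock not synchronized with NTP. The log format, hostnames and addresses are assumptions; adapt LINE_RE to your own firewall's format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Added example, not part of the CND courseware. The log format, hosts and
# addresses below are constructed for illustration only.
SAMPLE_LOG = """\
Mar 10 09:15:01 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=21
Mar 10 09:15:01 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=22
Mar 10 09:15:02 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=23
Mar 10 09:15:02 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=25
Mar 10 09:15:03 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=80
Mar 10 09:15:03 fw1 kernel: ACTION=DENY SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44128 DPT=443
Mar 10 09:15:04 fw1 kernel: ACTION=ALLOW SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443
Mar 10 09:15:05 fw1 kernel: ACTION=ALLOW SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=3389
Mar 10 09:15:06 fw1 kernel: ACTION=DENY SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=22
Mar 10 09:15:07 fw2 kernel: ACTION=DENY SRC=203.0.113.8 DST=192.0.2.30 PROTO=UDP SPT=5353 DPT=161
Mar 10 09:14:50 fw2 kernel: ACTION=DENY SRC=203.0.113.8 DST=192.0.2.30 PROTO=UDP SPT=5353 DPT=162
this line is not a firewall event and is skipped
"""

# Year-less syslog timestamp, host, process, then key=value fields (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+ "
    r"ACTION=(?P<action>ALLOW|DENY) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one firewall event, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ev["spt"], ev["dpt"] = int(ev["spt"]), int(ev["dpt"])
    return ev


def analyze(text, allowed_ports, scan_threshold=5):
    """Summarize denies per source, probable port scans, reviewable allows, clock skew."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    denies = Counter(ev["src"] for ev in events if ev["action"] == "DENY")

    # A source denied on many distinct destination ports looks like a probe/scan.
    denied_ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            denied_ports[ev["src"]].add(ev["dpt"])
    scan_suspects = sorted(src for src, ports in denied_ports.items()
                           if len(ports) >= scan_threshold)

    # "Allow" events to ports outside the expected set deserve a closer look.
    unexpected_allows = [(ev["src"], ev["dst"], ev["dpt"]) for ev in events
                         if ev["action"] == "ALLOW" and ev["dpt"] not in allowed_ports]

    # Timestamps going backwards on one device break correlation; a sign NTP is off.
    clock_anomalies, last_seen = 0, {}
    for ev in events:
        if ev["host"] in last_seen and ev["ts"] < last_seen[ev["host"]]:
            clock_anomalies += 1
        last_seen[ev["host"]] = ev["ts"]

    return {"parsed": len(events), "denies": denies, "scan_suspects": scan_suspects,
            "unexpected_allows": unexpected_allows, "clock_anomalies": clock_anomalies}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, allowed_ports={443}).items():
        print(f"{key}: {value}")
```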
The flawed design and/or implementation of firewalls encourage attackers to bypass them. An
attacker takes advantage of improper traffic handling, inspection, and detection techniques of a
firewall to bypass it. Most of the firewall vendors are unable to offer effective protection
against evasions.
• Accept the fact that evasion can and probably will happen.
• Determine the level of protection offered by a firewall against evasion.
Normalization is one of the techniques to prevent firewall evasion. Full data traffic
normalization can prevent firewall evasion by keeping known attacks away or by restricting
access to internal machines from an external host, especially when a firewall detects a probe or
an attack.
Firewall design must incorporate and optimize the inline throughput performance in a network
to prevent attacks. Firewall vendors use shortcuts and execute only partial normalization and
inspection. For instance, TCP segmentation handling is very limited and done only for selected
protocols or ports (if not disabled by default). Evasions exploit these shortcuts and weaknesses
in normalization and inspection processes. Administrators should choose the firewall vendor
that normalizes data traffic to a maximum on every protocol layer before executing the payload
inspection.
• Most firewalls are designed to inspect data traffic based on the segments or
pseudo-packets
• Choose a firewall vendor that constantly inspects the data stream instead of only the
segment or pseudo-packets of traffic
Note: Firewalls require more memory and CPU capacity for data stream-based inspection
A firewall should be able to examine a constant data stream instead of fragments or pseudo-
packets. This vital design issue is extremely difficult to change. Especially in the case of
hardware-based products, the redesign of security devices would require significant R&D. Data
stream based inspection requires more memory and CPU capacity to perform efficiently. For
many vendors, this is impossible and the inspection scope is sacrificed. The attacker can take
advantage of this by spreading attacks over segments or pseudo-packet boundaries. The
administrator should choose the firewall vendor who implements a constant data stream
inspection instead of segments or pseudo-packets of traffic.
Vulnerability-based Detection and Blocking
• An exploit-based approach uses a 100% pattern match approach to detect and block
evasion attempts
• Choose a firewall vendor who uses a vulnerability-based approach to detect and prevent
attacks
Some firewall vendors implement an exploit-based approach to detect and block exploit
attempts. An exploit-based approach works on the principle of a packet-oriented pattern
(signature). It uses a 100% pattern match approach to detect and block evasion attempts.
However, it is not possible to create signatures for every evasion combination, as new attack
patterns and signatures are invented daily. Firewalls with exploit-based approaches cannot
detect and block all firewall evasion attempts. Relying on these types of firewalls can pose a risk
to the organization's network.
Use a firewall with a vulnerability-based approach instead, implemented and used across the
organization's network. Vulnerability-based protections block exploitation attempts on both
the network and the application layers.
• Set the firewall ruleset to deny all traffic and enable only the services required
• Immediately investigate all suspicious log entries found
• Change all the default passwords and create a strong password which is not found in any
dictionary. A strong password ensures brute force attacks also fail.
• Backup the firewall logs on a set schedule. Store these backups on a secondary storage
device for future reference or for any legal issues arising from an incident
• Keep firewall rules as granular as possible
• Ensure all rules and objects follow standard naming conventions
• Test the impact of a firewall policy change
• Clean and optimize the firewall rule base
• Schedule regular firewall security audits
• Monitor user access to firewalls and control who can modify the firewall configuration
• Update the firewall software on a regular basis
• Centralize firewall management for multi-vendor firewalls
• Run the firewall as a unique user ID, instead of using an Admin or root ID
The following best practices will help you harden the security in your firewall.
• Filtering unused and vulnerable ports on a firewall is an effective and efficient method of
blocking malicious packets and payloads. There are different types of filters in firewalls
ranging from simple packet filters to complex application filters. A defense in depth
approach using layered filters is a very effective way to block attacks.
• While creating a firewall ruleset, organizations should first determine what types of traffic
are needed to run the approved applications. Administrators need to set firewall rules to
deny all the traffic and allow only those services the organization needs.
• Firewalls use a complex rule base to analyze applications and determine if the traffic
should be allowed through or not. Setting up firewall rules to grant access to important
applications and block the rest will improve the performance of the firewall.
• Administrators should ensure the date, time, and time zone on the remote syslog server
matches the network configuration, in order for the server to send syslog messages.
Syslog data is not useful for troubleshooting if it shows the wrong date and time. Also,
configuring all network devices to use NTP ensures a correct and synchronized system
clock on all network devices.
• Network administrators should monitor the firewall logs at regular intervals even if the
company's management policy allows for some private use of its equipment. Monitoring
what websites employees are visiting, what files employees are sending and receiving,
and even the content in their e-mails will assist administrators in maintaining the network
securely.
• Logging a firewall's 'allow' actions offers greater insight into malicious traffic, and tracking
the firewall's 'deny' actions helps administrators identify threats.
• Take regular backups of the firewall logs, at least on a monthly basis and store these
backups on secondary storage devices for future reference or for legal issues in case there
is an incident. The best way to achieve this is to use a scheduling function in the firewall.
Backup the firewall before and after making a change in its rules and ensure that the
backup configuration file is usable.
• Administrators should perform audits at least once a year on firewalls to evaluate the
standards implemented to secure the organization's IT resources. This will offer a record
of all the files employees open and even failed attempts to access files. Ensuring every
change is accounted for will greatly simplify audits and help the daily troubleshooting.
• Firewalls cannot secure the network from internal attacks. Organizations are required to
implement different strategies such as policies that will restrict employee usage of
external devices in the internal network. For preventing any internal network attacks,
administrators should install monitoring software that will help detect any suspicious
internal activity.
• Clearly defining a centralized firewall management plan and a documented process can
help prevent unwanted changes to the current configuration of the network. It can limit
the chance of a change, opening vulnerabilities in network security.
• The effectiveness of any firewall solution depends on the rules with which it is configured.
In general, a firewall is configured to monitor inbound and outbound traffic and to protect
a network in which it is configured. It also monitors the source and type of traffic
traversing the network.
• Most organizations use it for protecting the network environment from threats and in
tracking the source of a threat. Augmenting a firewall ruleset with an effective logging
mechanism makes it an effective security mechanism to protect the network.
• Administrators should set a default 'deny' rule for inbound traffic with explicit 'allow'
rules. Deny policies at the end of a ruleset ensures you catch traffic that is trying to go to
the wrong zone. It is significant to cover every combination.
• A firewall rule should be properly prioritized based on the security requirement of the
organization.
• Manage the lifecycle of a firewall rule policy by enforcing an expiration date. This will help
administrators clean up newly created temporary rules for new services. When an
expiration date is set for a rule, the administrator can delete the rule after its lifetime or
can extend its duration if needed.
• Always perform testing of the firewall policies before implementing them in the network.
Testing a firewall can discover unexpected errors in the implementation by assessing
firewall performance, network traffic and other devices. These details provide the
network administrator with a view on how the proposed changes in the firewall
configuration will affect the environment.
• Auditing firewall security policies ensures the firewall rules implemented are according to
the security regulations of an organization. It is the responsibility of the network
administrator to perform firewall security audits to identify policy violation activities.
• The organization needs to ensure they upgrade their firewall to the latest patches and
updates released by the firewall's vendor. Any delay in upgrading to the latest version can
impact the security of the network. Upgrading to the latest firewall version minimizes the
chances of a vulnerability in the network. It is also possible to conduct vulnerability
assessments on the firewall, enabling an administrator to easily assess the flaws and
weaknesses.
• The firewall administrator needs to ensure they clean up the firewall rule base regularly, as
it improves firewall security, performance and efficiency. Cleaning the firewall rule base
prevents security and management issues.
• Most organizations implement firewalls from different vendors and the firewall
configuration architecture differs from one organization to another. The organization
needs to ensure that only skilled personnel are looking after the firewall administration
and maintenance.
• Always filter packets for the correct source and destination address in order to prevent
attackers from accessing the network.
• Always make sure to change the passwords regularly, at least every six months.
• The configuration of the firewall is kept simple and should meet company requirements.
Periodic review of the firewall configuration helps maintain the firewall security.
• Always provide minimal access to the firewall in order to avoid any incidents.
• Administrators should document any changes they make to the firewall. With firewalls, it
is especially critical to document the rules they add or change so that other administrators
know the purpose of each rule and who to contact about them. Good documentation can
make troubleshooting easier and reduces the risk of service disruptions which are caused
when an administrator deletes or changes a rule they do not understand.
• Organizations can generate analysis reports to evaluate firewall access rules. This assists
them in identifying rules that overlap or conflict with other rules in the access rule policy.
Delete, move or edit conflicting rules using the data from the report. Organizations can
develop an easier to use and more efficient access rules policy if they eliminate
unnecessary rules.
• Implement a consistent workflow solution to manage and streamline the firewall change
process. Identify potential risks and fix configuration errors before making changes to the
firewall. Reduce the time required to evaluate and implement the changes to support the
network.
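As an added example (not the courseware's own code), this Python model of a first-match ruleset puts several of the practices above into checkable form: default deny when nothing matches, rules with an expiration date that stop matching after their lifetime, and a lint pass that reports expired rules, rules shadowed by an earlier rule, and a missing final deny-all. The rule names, addresses and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example, not part of the CND courseware. Rule names, addresses and dates
# are constructed for illustration.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    src: str                           # source CIDR
    dst: str                           # destination CIDR
    proto: str                         # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any
    expires: Optional[date] = None     # rule lifecycle: ignored after this date

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dports and not (self.dports[0] <= pkt.dport <= self.dports[1]):
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match is also matched by this rule."""
        if self.proto != "any" and self.proto != other.proto:
            return False
        if self.dports is not None:
            if other.dports is None:
                return False
            if not (self.dports[0] <= other.dports[0] and other.dports[1] <= self.dports[1]):
                return False
        return (ip_network(self.src).supernet_of(ip_network(other.src))
                and ip_network(self.dst).supernet_of(ip_network(other.dst)))


def evaluate(rules: List[Rule], pkt: Packet, today: date) -> Tuple[str, str]:
    """First active matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if rule.active(today) and rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "<implicit-default-deny>"


def lint(rules: List[Rule], today: date) -> dict:
    """Report expired rules, shadowed rules and whether an explicit final deny-all exists."""
    expired = [r.name for r in rules if not r.active(today)]
    active = [r for r in rules if r.active(today)]
    # A rule is shadowed when an earlier active rule already matches everything it would.
    shadowed = [r.name for i, r in enumerate(active)
                if any(earlier.covers(r) for earlier in active[:i])]
    deny_all = Rule("_", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)
    final_deny = bool(active) and active[-1].action == "deny" and active[-1].covers(deny_all)
    return {"expired": expired, "shadowed": shadowed, "missing_final_deny": not final_deny}


# Constructed ruleset: a temporary vendor rule that has expired, a rule shadowed
# by the broader rule above it, and an explicit deny-all at the end.
RULES = [
    Rule("allow-web", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", (80, 443)),
    Rule("allow-https", "allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("temp-vendor-ssh", "allow", "203.0.113.0/24", "192.0.2.0/24", "tcp", (22, 22),
         expires=date(2024, 1, 31)),
    Rule("admin-ssh", "allow", "10.0.0.0/24", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
TODAY = date(2024, 3, 1)

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", "192.0.2.10", "tcp", 22),
                Packet("203.0.113.7", "192.0.2.10", "tcp", 22),
                Packet("198.51.100.1", "192.0.2.10", "tcp", 443)):
        print(pkt, "->", evaluate(RULES, pkt, TODAY))
    print(lint(RULES, TODAY))
```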
Do:
• Limit the applications that run on a firewall
• Review and refine your policies and procedures
• Incorporate trust marks
• Take regular backups of the firewall ruleset and configuration files
Don't:
• Don't rely on packet filtering alone
• Don't use underpowered hardware
• Don't allow telnet access through the firewall
• Don't allow direct connections between the internal client and any outside services
• A firewall should include intrusion prevention and detection capabilities to guard against
denial of service attacks (DDoS). The consequences of not having these measures in place
will get worse in the future if a DDoS incident occurs.
• While implementing a firewall do not overlook scalability. Most firewall vendors claim
they can scale up to thousands of devices. Determine what that actually means in terms
of management and the ability to perform under stress.
• After choosing a firewall that meets the business requirements of an organization, test
the firewall on a live production environment. The organization determines the network
requirements and evaluates the product capabilities accordingly. The test should
determine whether the chosen solution actually performs as expected.
• Installation of proxy servers assures security as it provides access only to selective users.
• When implementing a firewall solution, organizations need to focus on the hardware
required for the implementation. Refrain from buying more technology. First, make sure it
works for you and improves your security.
• The idea behind a workflow in firewall management is a natural extension from the
change management functionality. Manage the change process to ensure only the correct
rules are created. Most vendors offer complimentary workflow products to integrate their
core capabilities with change-management workflow tools. This may not be important if
your organization has a well -defined process and supporting tools already in place.
http://www.manageengine.com
A firewall analyzer is a program that collects, correlates, and analyzes security device
information from enterprise-wide heterogeneous firewalls, proxy servers from Cisco, Fortinet,
CheckPoint, WatchGuard, NetScreen, and more. It is browser-based firewall/VPN/ proxy server
reporting solution.
It generates scheduled reports on firewall traffic, security breaches, and more that help
network administrators secure networks before security threats arise, avoid network abuses,
manage bandwidth requirements, monitor web site visits, and ensure appropriate usage of a
network by employees.
A firewall analyzer, analyzes the firewall and proxy server logs and provides support
with answering issues such as:
• Who are the top web surfers and the websites they visit?
• How much network activity is originating from each side of the firewall?
Source: http://www.manageengine.com
Example:
https://nmap.org
Firewalk sends out TCP or UDP packets with a TTL one greater than the targeted
gateway/ firewall. If the gateway/ firewall allows the traffic, it will forward the packets to the
next hop where they will expire and elicit an ICMP_TIME_ EXCEEDED message. If the gateway
host does not allow th e traffic, it will likely drop th e packets and there will be no response.
To get the correct IP TTL that will result in expired packets you need to ramp up the hop-counts.
Example Usage
• nmap --script=firewalk --traceroute <host>
Source: https://nmap.org
http://www.wingate.com
WinGate Proxy Server is an integrated Internet gateway and communications server designed
to meet control, security, and communication needs. WinGate Proxy Server's license options
offer the flexibility to satisfy the requirements of an enterprise, small business, or home
network.
• Stop viruses, spam and inappropriate content from entering your network.
• Improve network performance and responsiveness with web and DNS caching.
Source: http://www.wingate.com
SonicWALL
Source: http://www.sonicwall.com
The SonicWALL firewall is a tool that supports network security, secured remote access, and
data protection. It applies Unified Threat Management (UTM) against an array of attacks,
combining intrusion prevention, anti-virus, and anti-spyware with the application-level control of
the SonicWALL Application Firewall. It provides services for network firewalls, UTM (Unified
Threat Management), VPNs (Virtual Private Networks), backup and recovery, and anti-spam for
email.
Check Point firewall products are used in the education, energy, financial services, healthcare,
Internet and media, manufacturing, public sector, and telecommunications sectors, where this
firewall is preferred.
FortiGate
Source: http://www.fortinet.com
The Fortinet firewall is a network security solution that helps protect the network, users, and data
from continually evolving threats. It helps to secure and manage network security. It also offers
a Data Center Firewall (DCFW), Unified Threat Management (UTM), and Next Generation
Source: http://www.mcafee.com
McAfee Next Generation Firewall delivers complete, centrally managed network security with
availability, multi-tenancy, evasion protection, application control, and flexible deployment
options, including software, physical, and virtual firewall appliances. This firewall combines
application control, an intrusion prevention system (IPS), and evasion prevention into a single
solution. It is the next-generation firewall solution that unites anti-evasion security with
enterprise-scale availability. It defends critical assets such as regulated data sources (customer,
financial, and healthcare data), email and web servers, extranets, and data centers.
Barracuda Firewall
Source: https://www.barracuda.com
The Barracuda Spam Firewall is a hardware and software solution designed to protect email
servers from spam, viruses, spoofing, phishing, and spyware attacks. It uses 12 defense
layers to provide industry-leading defense capabilities for any email server within a large
corporation or a small business.
WatchGuard's Next-Generation Firewall
Source: http://www.watchguard.com
WatchGuard's next-generation firewall provides security inspection that blocks attacks and
unwanted traffic without stopping Internet usage. It provides users with a platform for network
traffic inspection and enforces a network security policy, with state-of-the-art security and
compatibility. It offers secure throughput together with real-time visibility tools.
Cisco ASA
Source: http://www.cisco.com
The Cisco ASA firewall enables businesses to segment campus networks and secure data center
environments by integrating firewall security directly into the network infrastructure.
NetScreen Firewall
Source: http://www.juniper.net
The NetScreen firewall provides a broad range of options, from all-in-one security and
networking devices to chassis-based data center security solutions that can secure any size of
enterprise data center or service provider with performance, functionality, and security
options. It supports fast, secure data center and enterprise operations with high performance,
scalability, session volume, and large-scale connectivity.
Sophos UTM
Source: http://www.sophos.com
Sophos gives complete security, from the network firewall to web and application control, in a
single modular appliance. The Web Application Firewall intercepts traffic to servers using a
reverse proxy with dual scanning engines and attack pattern recognition. It uses layered
protection to prevent APTs, command and control traffic, and targeted attacks.
Cyberoam Firewall
Source: http://www.comodo.com
Comodo Internet Security Pro 7 offers protection against viruses, Trojans, adware, spyware,
and other malware threats, focusing on detection and prevention. It contains Auto Sandbox
Technology, which provides protection from unknown threats.
Kaspersky Internet Security
Source: http://www.kaspersky.com
Kaspersky Internet Security provides protection from Internet threats such as viruses, spyware,
phishing, spam, rootkits, and banners, and protects online transactions for banking and shopping.
Additional features include dangerous website alerts, advanced parental control, and safe social
networking.
Source: http://www.totaldefense.com
Total Defense Internet Security Suite software provides protection for up to 3 devices against
viruses, malware, spyware, spam, inappropriate content, lost files, and data corruption.
It does so without hassle and includes Mobile Security in its protection circle. It provides features
such as industry-grade solutions, parental controls, and mobile security.
Source: http://www.bitdefender.com
Bitdefender prevents unauthorized access to your private data. Bitdefender Internet Security includes a two-
way firewall, parental control, and many more features. Other Bitdefender products are Anti-
Virus and Mobile Security.
Private Firewall
Source: http://www.privacyware.com
Private Firewall monitors web traffic alongside the native firewall. It prevents
viruses, spyware, and other online threats. It protects the system using application monitoring,
registry monitoring, process monitoring, and e-mail anomaly detection.
Source: http://www.agnitum.com
Outpost Firewall Pro provides standard firewall protection by scanning web traffic and
preventing malicious traffic from entering the host system. It keeps ports closed when they are not
in use to prevent attacks. It offers services such as malware blocking, information privacy and
security, and blocking of incoming targeted attacks; it makes PCs invisible and works without much
use of computer resources, so system performance is not degraded.
Source: http://www.zonealarm.com
ZoneAlarm offers services such as a two-way firewall, private browsing,
identity protection, Do Not Track support, a Facebook privacy scan, online backup, and a
security and privacy toolbar.
Norton Internet Security
Source: http://in.norton.com
Norton Internet Security provides protection for almost all types of online threats, such as
viruses, worms, and spyware. It provides safe online banking and shopping. It warns the user
about social media scams and suspicious content, and blocks harmful files from downloading. It also
improves system performance by boosting system startup time.
Source: http://www.sphinx-soft.com
Windows 8 Firewall Control protects both locally and remotely running applications from
undesirable incoming and outgoing network activity on Windows operating systems. It provides
services such as per-application security settings, instant notification of blocked activity, and
zone-based network permissions. The program manages external connectivity by automatically
synchronizing with hardware firewalls.
Source: http://home.mcafee.com
McAfee Internet Security provides online security from threats and other Internet attacks,
including viruses, worms, phishing websites, and spyware. It offers protection for Windows
and Mac operating systems, smartphones, and tablets. It protects users on social networks by
preserving their identity. It provides a cloud backup facility to back up and restore important files
and information in case of a system breach.
Certified Network Defender Exam 312-38
Secure IDS Configuration and Management
This module focuses on the configuration and deployment of IDS/IPS solutions in the network.
The module starts with the basics of intrusion detection and prevention systems, how they
work, and the role they play in network defense. The module discusses the different types of IDS
and IPS, their components, etc. The module also provides guidelines on the selection of an
appropriate IDPS product and on deployment strategies for each.
Types of Intrusions
1. System Intrusions: System intrusions include the corruption and/or damage of the
information stored in the system. An attacker exploits system-level vulnerabilities with
the help of malware such as a virus, Trojan, worm, etc. to perform system-level
intrusions.
2. Network Intrusions: Attackers exploit network-level vulnerabilities to perform
network intrusions. These may include vulnerabilities that exist in the network
infrastructure, configuration, protocols, etc. Attackers may perform various network-level
intrusions to compromise the target network. Some of the network-level intrusions are
ARP poisoning, Denial of Service, spoofing, etc.
3. File System Intrusions: Vulnerabilities in the file system exist due to improper file
handling or permissions. Attackers take advantage of file-system-level vulnerabilities to gain
access to file systems. Attackers then modify file permissions or the content of files.
General Indications of Intrusions
• Unfamiliar processes
An IDPS is mainly divided into IDS (Intrusion Detection System) and IPS (Intrusion Prevention System)
An IDS is used to detect intrusions, while an IPS is used to detect and prevent intrusions on the network
Classification of IDPS
Figure: IDPS classification tree. IDPS is divided into IDS and IPS; IDS is further divided into NIDS and HIDS, and IPS into NIPS and HIPS.
Intrusion detection and prevention systems (IDPS) are network security appliances used to
monitor the network for malicious activity. IDPS systems are categorized into Intrusion
Detection Systems (IDS) and Intrusion Prevention Systems (IPS) and are used for identifying,
logging, blocking/stopping, and reporting security incidents on the network. An IDPS also helps
you locate weaknesses in security policies and assess the network against possible
threats. An IDPS is becoming an integral part of network security for most organizations.
Intrusion Prevention Systems (IPS) are considered extensions of Intrusion Detection Systems
(IDS). Unlike an IDS, though, an IPS is placed in-line and detects the incident as well as blocks it from
getting into the network.
The IDS identifies an intrusion attempt and alerts the network administrator. Beyond
these activities, an IDPS such as an IPS can detect and stop the intrusion attempt. IPS systems can
also correct cyclic redundancy check (CRC) errors, defragment packet streams, fix TCP sequencing
issues, and manage the options in the transport and network layers.
• IDPS provides an additional layer of security to the network under the defense in depth principle
• IDPS helps minimize the chance of missing security threats that could come from firewall evasions
• Improper IDPS configuration and management will make an IDPS fail or become ineffective
• IDPS deployment is performed with careful planning, preparation, prototyping, testing, and
specialized training
Relying solely on a firewall for network security can provide a false sense of security. The
firewall simply implements the IT security policy by allowing or denying traffic based on
the policy rules. It allows certain packets to pass through, or denies access if a packet does not meet
the criteria specified in a rule. It does not inspect the content of legitimate traffic that is allowed
by the rule set. That legitimate traffic may contain malicious content which is not evaluated
during inspection by a firewall.
As an example, firewalls can be configured to pass traffic solely to port 80 of the Web server
and to port 25 of the email server, but they will not inspect the nature of the traffic flowing
through either of these ports.
This is the reason for an IDPS and its applications. An IDPS application inspects the legitimate
traffic coming from the firewall, conducts signature-based analysis to identify malicious activity,
and raises an alarm to notify the administrators.
Intrusion detection and prevention systems (IDPS) are a proactive means of detecting and
responding to threats from both inside and outside a network. An IDPS is an integral and necessary
element of a complete network security infrastructure. It provides a complete level of
supervision for a network regardless of the action taken; in this way the information will always
exist when attempting to determine the nature and source of a security incident.
• An IDS works from the inside of the network, unlike a firewall, which only looks outside the network for intrusions
• An IDS is placed behind the firewall, inspecting all the traffic and looking for heuristics and pattern matches for intrusions
Figure: IDS placement. The Internet and remote users reach the firewall; the IDS (intrusion prevention and intrusion detection) sits behind the firewall, in front of the internal LAN.
Though firewalls and IDPS applications are both security services used to protect a network from
various types of attack, they are two different applications that tend to operate in
tandem. They are functionally different from each other. The IDPS is placed behind the firewall in
the network. Firewalls filter inbound/outbound traffic based on the rules configured.
The purpose of a firewall is to control the traffic that should be allowed into a network based
on static rules. IDPS applications are used to locate and stop malicious activities, mainly through
signature-based detection. An IDPS application monitors the filtered traffic coming from a
firewall for malicious activity based on these signatures.
IDS Functions
• Analyzing abnormal activity patterns
• Analyzing system configurations and vulnerabilities
In addition to its core functionality of identifying and analyzing intrusions, an IDS can perform
the following types of activities related to intrusion detection:
• Recording information about events: The IDS notes down every detail regarding the monitored
events. Intrusion detection systems forward the recorded information to various
other systems such as centralized logging servers, security information and event
management (SIEM) systems, and enterprise management systems.
• Sending an alert: The IDS sends an intrusion alert to the network security administrator
through e-mail, pop-up messages on the IDS user interface, etc.
• Generating reports: The IDS generates reports providing insight into observed events or
any suspicious event which has occurred.
An IDS observes computer network activity and keeps track of user policies and activity patterns to
ensure they do not violate policies. It also observes network traffic and components to
detect viruses and malware hidden in the form of spyware, key loggers, etc.
An IDS works by gathering information about illicit attempts made to compromise security and
verifying them. It also records the event data, and an IT administrator will use this data to take
future preventive measures and make improvements to network security.
An intrusion detection system works by examining certain events, such as:
• Observing Activity: The IDS tracks all the activities taking place within a network and
keeps track of user policies and activity patterns to detect any kind of attempt to violate
these patterns.
• Viruses: An IDS is capable of detecting viruses and malware hidden within a network system
in the form of spyware, key logging, password theft, etc.
• Vulnerabilities: The IDS identifies vulnerabilities in the network configuration files and
network components.
• File Settings: The IDS verifies user authorization and group authorization files on a
network and checks them for tampering.
• Services: The IDS routinely checks configuration files for unauthorized services operating on the
network.
• Packet Sniffing: These systems check for unauthorized network monitoring programs that
can monitor and record user account activity data.
• PC Check: The IDS regularly checks PCs on the network for violations.
Figure: Security devices that are not an IDS: Network Logging Systems, Vulnerability Assessment Tools, Anti-virus Products, Security/Cryptographic Systems.
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Contrary to popular belief and terminology employed in the literature on intrusion detection
systems, not every security device falls into this category. In particular, the following security
devices are not an IDS:
• Network Logging Systems: These devices are network traffic monitoring systems. They
detect denial of service (DoS) vulnerabilities across a congested network.
• Vulnerability Assessment Tools: These devices check for bugs and flaws in operating
systems and network services (security scanners).
• Anti-virus Products: These devices detect malicious software such as viruses, Trojan
horses, worms, bacteria, and logic bombs. When compared feature by feature, these devices
are very similar to intrusion detection systems and often provide effective security breach
detection.
Figure: IDS activities: Prevention (simulation), Intrusion Monitoring (analysis), Intrusion Detection (notification), and Response.
The main task of an intrusion detection system is detecting an intrusion attempt on a network
and notifying about what occurred. Detecting hostile attacks depends on several types of
actions, including prevention, intrusion monitoring, intrusion detection, and response. Intrusion
prevention requires a well-selected combination of luring and tricking aimed at investigating
threats. Diverting the intruder's attention from protected resources is another task. An IDS
constantly monitors both the real system and a possible trap system and carefully examines
the data generated by intrusion detection systems for detection of possible attacks.
Once an IDS detects an intrusion, it issues alerts notifying administrators. Once the intrusion is
detected and notified, the administrators can execute certain countermeasures. These may include
blocking functions, terminating sessions, backing up the systems, routing connections to a
system trap, legal infrastructure, etc. An IDS is an element of the security policy.
IDS alerts and logs are useful in forensic research of any incidents and in installing appropriate
patches to enable the detection of future attack attempts targeting specific people or
resources.
Figure: How an IDS works. Traffic from the Internet passes through the firewall to the IDS protecting the enterprise network. The IDS checks each packet by signature file comparison against the signature file database, by anomaly detection, and by stateful protocol analysis, and records events on a Cisco log server. When a check matches, the figure shows three possible outcomes: an alarm notifies the admin and the packet can be dropped; an action rule cuts down connections from that IP source; or the packet is dropped at the switch.
In a network, the IDS's sensor monitors all packets transmitted to and from the network. The
IDS detects network anomalies, attack patterns, and data containing viruses, malware, and
other harmful threats. An IDS scans the network traffic and components for anomalies or
patterns that seem to be illicit. The IDS then takes action against the threat: it sends an alarm
to the administrator, resets the TCP connection, or drops the packet to prevent the threat
from entering the network.
An IDS should be implemented in combination with a firewall to offer better protection to the
network. An IDS generally uses two techniques to detect any abnormalities in the traffic.
Signature/Pattern matching
This technique involves checking and comparing the network traffic against known attack patterns, or signatures.
Attacks are recognized by certain patterns in network traffic called signatures. An IDS is pre-
installed with signatures for known attacks, which are stored in a signature database.
The IDS compares the traffic against these signatures to detect potential threats to the network
and sends an alert if a pattern match is found. The pattern/signature technique is highly
effective only if the database is up to date. The major disadvantage of this technique is that
pattern matching fails to identify new attacks, because there is no definite signature for them in the
database.
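As an added illustration of signature/pattern matching (example code written for this page, not part of the original courseware or of any IDS product), the following Python engine checks constructed packet records against a small signature list. The packet contents, addresses and signature IDs are invented for the example, and the last packet shows the limitation described above: a URL-encoded variant of a known attack slips past a tightly defined signature.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

Packet = Dict[str, Any]


@dataclass
class Signature:
    """One entry in the attack signature database (hypothetical format)."""
    sid: int                      # signature id (invented numbering)
    name: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int]          # None means any destination port
    pattern: "re.Pattern[bytes]"  # byte pattern searched for in the payload


# Constructed signature database for the example. Real rule sets are far
# larger and also carry flow state, thresholds and references.
SIGNATURES: List[Signature] = [
    Signature(1001, "HTTP directory traversal", "tcp", 80,
              re.compile(rb"\.\./")),
    Signature(1002, "HTTP SQL tautology in request body", "tcp", 80,
              re.compile(rb"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    Signature(1003, "Oversized ICMP echo payload", "icmp", None,
              re.compile(rb"^A{1000,}")),
]

# Constructed sample traffic as a sensor would hand it to the analysis engine
# (RFC 5737 documentation addresses, invented payloads; not a real capture).
SAMPLE_PACKETS: List[Packet] = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/../../../etc/passwd HTTP/1.1\r\n\r\n"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--&pass=x"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "proto": "icmp",
     "payload": b"A" * 1500},
    # Same traversal attempt as packet 1 but URL-encoded: signature 1001 looks
    # only for the literal "../" and therefore misses this variant.
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 80,
     "payload": b"GET /cgi-bin/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1\r\n\r\n"},
]


def match_packet(pkt: Packet,
                 signatures: List[Signature] = SIGNATURES) -> List[Signature]:
    """Return every signature whose protocol, port and payload pattern match."""
    hits = []
    for sig in signatures:
        if sig.proto != pkt["proto"]:
            continue
        if sig.dport is not None and sig.dport != pkt.get("dport"):
            continue
        if sig.pattern.search(pkt["payload"]):
            hits.append(sig)
    return hits


def run_signature_engine(packets: List[Packet],
                         signatures: List[Signature] = SIGNATURES) -> List[Dict[str, Any]]:
    """Walk the packet stream and produce one alert record per signature hit."""
    alerts = []
    for index, pkt in enumerate(packets):
        for sig in match_packet(pkt, signatures):
            alerts.append({"packet": index, "sid": sig.sid, "name": sig.name,
                           "src": pkt["src"], "dst": pkt["dst"]})
    return alerts


def unmatched_packets(packets: List[Packet],
                      signatures: List[Signature] = SIGNATURES) -> List[int]:
    """Indices of packets that raised no alert: benign traffic, but also any
    attack variant for which the signature database has no entry."""
    flagged = {a["packet"] for a in run_signature_engine(packets, signatures)}
    return [i for i in range(len(packets)) if i not in flagged]


if __name__ == "__main__":
    for alert in run_signature_engine(SAMPLE_PACKETS):
        print(f"ALERT sid={alert['sid']} {alert['name']}: "
              f"{alert['src']} -> {alert['dst']} (packet {alert['packet']})")
    print("no alert for packets:", unmatched_packets(SAMPLE_PACKETS))
```

Packet 4 ends up in the unmatched list together with the benign packet 0, which is exactly the kind of false negative a stale or overly literal signature database produces.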
IDS Components
• Network Sensors: These agents analyze and report any suspicious activity.
• Alert Systems: These systems trigger alerts when detecting malicious activity.
• Command console: It acts as an interface between the user and the intrusion detection
system.
Network sensors are hardware and software components which monitor network traffic
and trigger alarms if any abnormal activity is detected
IDS Components: Network Sensors (Cont'd)
Possible placement of an IDS sensor
Figure: Possible IDS sensor placement. Sensors are shown at the Internet gateway behind the router, on the link from the branch office, and on Subnet1 and Subnet2 of the internal network, with remote users entering via the Internet.
IDS Components: Network Sensors (Cont'd)
Placing IDS sensors behind a firewall is always recommended for secure IDS deployment
Figure: Firewall (dual-homed host) between the Internet and the DMZ, with the IDS sensors placed behind the firewall.
A network sensor is a hardware and/or software device that is connected to the network and reports
to the IDS. It is the primary data collection point for the IDS. Network sensors collect data from
the data source and pass it to the alert systems.
The sensor integrates with the component responsible for data collection such as an event
generator. Network sensors determine data collection based on the event generator policy
which defines the filtering mode for event notification information.
The role of the sensor is to filter information and discard any irrelevant data obtained from the
event set associated with the protected system, thereby detecting suspicious activities. Sensors
check the traffic for malicious packets and trigger an alarm when they suspect a packet is
malicious and then alert the IDS. If an IDS confirms the packet as malicious then the sensors
generate an automatic response to block the traffic from the source of the attack.
To detect network intrusions, administrators should place several network sensors at strategic
locations on the network. The positioning of sensors will depend significantly on which kind of
network resources you want to monitor for intrusion. Some organizations will want to use the
IDS to monitor internal resources such as a sensitive collection of machines or a specific
department or physical location. In that case, the most logical place for the IDS sensor will be
on the choke point between those systems and the rest of the internal network. Some of the
critical common entry points at which to place sensors include:
• At Internet gateways.
IDS Components: Alert Systems
An alert system sends an alert message notifying administrators when any anomaly or misuse
is detected
Alerts can be sent using:
• Pop-up windows
• Sounds
Alert Systems trigger an alert whenever sensors detect malicious activity in the network. The
alert communicates to the IDS about the type of malicious activity and its source. The IDS uses
triggers to respond to the alert and take countermeasures. An IDS can send alerts using:
• Pop-up windows
• E-mail messages
• Sounds
• Mobile messages
An alert raised by a sensor falls into one of the following categories:
• The sensor has correctly identified a successful attack. This alert is most likely relevant and is
termed a true positive.
• The sensor has correctly identified an attack, but the attack failed to meet its objectives.
Such alerts are known as non-relevant positives or non-contextual alerts.
• The sensor incorrectly identified an event as an attack. This alert represents incorrect
information and is termed a false positive.
As more IDSs are developed, network security administrators must face the task of analyzing an
increasing number of alerts resulting from the analysis of different event streams. In addition,
IDSs are far from perfect and may produce both false positives and non-relevant positives.
IDS Components: Command Console
The Command console is software that acts as an interface between a network administrator
and the IDS. The IDS collects all the data from security devices and analyzes it using the
command console. Administrators use the console to analyze alert messages triggered by the
alert system and manage log files. The Command console allows administrators in large
networks to process large volumes of activities and respond quickly.
An IDS collects information from security devices placed throughout the network and sends it
to the command console for evaluation. Installing the command console on a system that is also used for other
purposes, such as backing up files or firewall functions, will make it slow to respond to events
which have occurred. Installing the command console on a dedicated system provides the
benefit of a fast response.
IDS Components: Response System
• The Response system issues countermeasures against any intrusion which is detected
• The Response system is not a substitute for an administrator. Administrators must also be
involved in the decision and have the ability to respond on their own
• Administrators will make decisions on how to deal with false positives and when a
response needs escalation
An IDS has the advantage of providing real-time corrective action in response to an attack. It
automatically takes action in response to a detected intrusion. The exact action differs per
product and depends on the severity and type of attack detected. A common active response is
increasing the sensitivity level of the IDS to collect additional information about the attack and
the attacker. Another possible active response is making changes to the configuration of
systems or network devices such as routers and firewalls to stop the intrusion and block the
attacker. Administrators are responsible for determining the appropriate responses and
ensuring that those responses are carried out.
IDS Components: Attack Signature Database
1. An IDS does not have the capability to make a decision; instead it maintains a database of attack signatures and patterns.
2. Network traffic is compared against these known attack signatures, and then a decision can be made.
3. If any matches are found, the IDS will raise an alert and block the suspicious traffic.
Note: Administrators will periodically update the Attack Signature database for their IDS
Network administrators should exercise their own judgment when evaluating security alerts,
because an IDS does not have the ability to make these kinds of decisions. However, an IDS can
use a list of previously detected signatures, which are stored in the attack signature database,
to detect suspicious activity. The IDS compares the signature of packets in the network traffic
with the database of known attack signatures. The IDS blocks the traffic if a packet matches a
stored signature in the database. Administrators should always keep the database updated to
detect new types of attacks.
The IDS also uses normal traffic logs to match against currently running network traffic to find
suspicious activity. If an IDS finds unusual traffic activity, it classifies the traffic as suspicious
activity and blocks it before it enters the network.
Figure: Generalized IDS process. Traffic from the Internet passes the firewall to the sensor on the internal LAN (Gather Data); an alert message is sent to the trusted management subnet; escalation procedures are followed if necessary; events are logged and reviewed. The screened subnet (DMZ) is shown alongside the internal LAN.
An IDS operates in different ways depending on the purpose of the configuration. There is a
generalized process for intrusion detection. The steps involved in the process include:
Gather Data
The IDS gathers all the data passing through the network using network sensors. The sensors
monitor all the packets allowed through the firewall and pass them to the next line of sensors. If it
identifies malicious packets, the sensor sends alert messages to the IDS.
IDS Responds
When the command console receives an alert message, it notifies the administrator of the alert
through a pop-up window and/or email message, depending on how it is configured for alerts.
However, if the administrator configured it to respond automatically, the IDS responds to the
alert and takes a counter action such as dropping the packet, restarting the network traffic, and
more.
Figure: IDS classification. The figure groups IDSs by Intrusion Detection Approach, Protected System (HIDS, NIDS, Hybrid), Structure, Data Source (Audit Trail, Network, System State), Behavior after an Attack, and Analysis Timing (On the fly, Interval); the labels Agent and System also appear in the figure.
Generally, an IDS uses anomaly-based detection and signature-based detection methods to
detect intrusions. Depending on the source of data an IDS uses, what it protects, or other
factors, IDSs are classified as shown in the following figure. This categorization depends on whether the
information is gathered from a single host or a network segment, on behavior, on whether the feed of
information is continuous or periodic, and on the data source.
Signature-Based Detection
• Known as misuse detection
• Monitors patterns of data packets in the network and compares them to pre-configured network attack patterns,
known as signatures
• This method uses string comparison operations to compare ongoing activity, such as a packet or a log entry, against
a list of signatures
Advantages:
• It detects attacks with minimal false alarms
• It can quickly identify the use of a specific tool or technique
• It assists administrators to quickly track any potential security issues and initiate incident handling
procedures
Disadvantages:
• This approach only detects known threats; the database must be updated with new attack signatures
constantly
• It utilizes tightly defined signatures, which prevent it from detecting common variants of the attacks
Anomaly-based Detection
In this approach, alarms for anomalous activities are generated by evaluating network
patterns such as what sort of bandwidth is used, what protocols are used, what ports are used, and
which devices are connected to each other
An IDS monitors the typical activity for a particular time interval and then builds the
statistics for the network traffic
An example: an anomaly-based IDS monitors activities for normal Internet bandwidth usage,
failed logon attempts, processor utilization levels, etc.
Signature-Based Detection
A signature is a pre-defined pattern in the traffic on a network. Normal traffic signatures denote
normal traffic behavior. However, attack signatures are malicious and are harmful to the
network. These patterns are unique, and the attacker uses these patterns to get into the
network.
Anomaly-Based Detection
The anomaly-based detection process depends on observing and comparing the observed
events with the normal behavior and then detecting the deviation from it. The comparison
provides an understanding of significant deviations in the events. The normal activity of an
event depends on factors such as users, hosts, network connections and/or applications. These
factors are considered only after examining a particular activity for a period of time.
The normal behavior of traffic is based on various behavioral attributes, for example, normal
email activity, a reasonable number of failed attempts, and processor usage. Any activity that does
not match normal behavior can be treated as an attack. For example, numerous emails coming
from a single sender or a high number of failed login attempts can indicate suspicious behavior.
Unlike signature-based detection, anomaly-based detection can detect previously unknown attacks.
detect the suspicious activity by analyzing the deviation of specific protocol traffic from its
normal behavior. With this analysis, an IDS can analyze the network, transport and application
layer protocols and traffic against their normal behavior.
There are certain IDSs that can specify the suitable activities for each class of users in
accordance with the authenticator information.
• Advantages:
• It detects and identifies probes in network hardware, providing early warnings about
attacks.
• Disadvantages:
• If a legitimate network behavior is not part of the designed model, the system will
detect it as anomalous. This increases the number of false positive alerts in the
system.
• Network traffic varies, and deployment of the same model throughout can lead to a
failure in detecting known attacks.
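The two detection methods described above, as an added example that is not code from the courseware: a minimal signature-based detector (pattern comparison against a signature list) and an anomaly-based detector (failed logins per source compared with a learned baseline) run over constructed, syslog-style log lines. The signatures, log lines, addresses and baseline counts are all constructed for the example. It shows the two points the text makes: the signature scan misses the "admin" login attempts because no signature covers them while the anomaly scan flags the source, and a legitimate burst of mistyped passwords that was not part of the baseline is flagged as well (a false positive).

```python
"""Added example (not code from the CND courseware): a minimal signature-based
detector and an anomaly-based detector run over constructed audit-trail lines."""
import re
import statistics
from collections import Counter

# Constructed sample log (syslog-style); addresses are documentation ranges.
SAMPLE_LOG = """\
sshd: Failed password for root from 203.0.113.7
sshd: Failed password for root from 203.0.113.7
sshd: Failed password for admin from 203.0.113.7
sshd: Accepted password for alice from 198.51.100.20
httpd: GET /index.html from 198.51.100.21
httpd: GET /../../etc/passwd from 203.0.113.9
sshd: Failed password for bob from 198.51.100.22
"""

# Constructed legitimate burst: an administrator mistypes a password three
# times. No signature matches it, but the anomaly model flags the source because
# such a burst was not part of the baseline (a false positive).
LEGIT_BURST_LOG = """\
sshd: Failed password for carol from 198.51.100.30
sshd: Failed password for carol from 198.51.100.30
sshd: Failed password for carol from 198.51.100.30
sshd: Accepted password for carol from 198.51.100.30
"""

# Constructed "attack signatures": (signature id, name, compiled pattern).
SIGNATURES = [
    (1001, "Path traversal to /etc/passwd", re.compile(r"\.\./.*etc/passwd")),
    (1002, "Failed root login", re.compile(r"Failed password for root\b")),
]

# Constructed baseline: failed logins per source address observed in earlier
# (normal) intervals; the anomaly detector learns "typical" from it.
BASELINE_FAILED_LOGINS = [0, 1, 0, 2, 1, 0, 1, 0]

FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\S+)")


def signature_scan(log_text):
    """Signature-based detection: pattern comparison of every log entry
    against the list of known attack signatures."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for sig_id, name, pattern in SIGNATURES:
            if pattern.search(line):
                alerts.append({"line": lineno, "sig_id": sig_id, "name": name})
    return alerts


def failed_logins_by_source(log_text):
    """Count failed logins per source address in one observation interval."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def anomaly_scan(log_text, baseline, k=2.0):
    """Anomaly-based detection: flag sources whose failed-login count exceeds
    the baseline mean by more than k standard deviations. Returns the
    anomalous sources with their counts and the threshold that was applied."""
    threshold = statistics.mean(baseline) + k * statistics.stdev(baseline)
    counts = failed_logins_by_source(log_text)
    anomalies = {src: n for src, n in counts.items() if n > threshold}
    return anomalies, threshold


if __name__ == "__main__":
    for alert in signature_scan(SAMPLE_LOG):
        print("signature hit:", alert)
    flagged, threshold = anomaly_scan(SAMPLE_LOG, BASELINE_FAILED_LOGINS)
    print("anomaly threshold %.2f failed logins; flagged: %s" % (threshold, flagged))
    print("legitimate burst flagged too:", anomaly_scan(LEGIT_BURST_LOG, BASELINE_FAILED_LOGINS)[0])
```

The signature list only knows the root-login and traversal patterns, so the "admin" attempts from 203.0.113.7 never match; the anomaly scan catches that source only because its count (3) is well above the baseline threshold (about 2.1). Tuning k is the trade-off the text describes: a lower k catches smaller deviations and also flags more legitimate bursts such as carol's.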
Figure: Passive IDS mode and active IDS mode (traffic, firewall, listen and detect).
An IDS is categorized based on how it reacts to a potential intrusion. It functions in one of two modes:
• Active IDS: Detects and responds to detected intrusions
• Passive IDS: Only detects intrusions
Active IDS
An active intrusion detection system (IDS) is configured to automatically block suspected
attacks without any intervention from the administrator. This type of IDS has the advantage
of providing real-time corrective action in response to an attack. An active IDS automatically
takes action in response to a detected intrusion. The exact action differs per product and
depends on the severity and type of the attack.
Passive IDS
A passive intrusion detection system (IDS) is configured only to monitor and analyze network
traffic activity and alert the administrator of any potential vulnerabilities and attacks. This type of
IDS is not capable of performing any protective or corrective functions on its own. It merely logs
the intrusion and notifies an administrator through email or pop-ups. A system administrator
or someone else will have to respond to the alarm, take appropriate action to halt the attack
and possibly identify the intruder.
Detection
An IDS can be classified based on the device or network to which it offers protection. There are
mainly three types of IDS technologies under this category, which include Network Intrusion
Detection Systems (NIDS), Host Intrusion Detection Systems (HIDS) and Hybrid Intrusion
Detection Systems (Hybrid IDS).
Figure: Centralized control (IDS console) versus fully distributed (agent-based) control.
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Depending on the structure, traditional IDSs can be categorized into two types: centralized
control and fully distributed (agent-based) control.
A DIDS (distributed IDS) also allows a company to efficiently manage its incident analysis resources by
centralizing its attack records and by giving the analyst a way to spot new trends and patterns and
identify threats to the network across multiple network segments.
Analysis Time is the span of time elapsed between the events occurring and the analysis of those events
Analysis timing refers to the elapsed time between the occurrence of events and the analysis of
those events. Based on analysis timing, an IDS can be classified into two distinct types: Interval-
Based IDS and Real-Time based IDS.
Interval-Based IDS
Interval-based or offline analysis refers to the storage of the intrusion-related information for
further analysis. This type of IDS checks the status and content of log files at predefined
intervals. The information flow from monitoring points to the analysis engine is not continuous.
Information is handled in a fashion similar to "store and forward" communication schemes.
Interval-based IDSs are prohibited from performing active responses. Batch mode was common in
early IDS implementations because their capabilities did not support real-time data acquisition
and analysis.
An IDS is classified based on the type of data source used for detecting intrusions
An IDS uses data sources such as audit trails and network packets to detect intrusions
• Audit trails help the IDS detect performance problems, security violations and flaws in applications
• Capturing and analyzing network packets helps an IDS detect well-known attacks
Depending on the data source, intrusion detection can be categorized into two types:
intrusion detection using audit trails and intrusion detection using network packets.
Intrusion detection using audit trails:
An audit trail is a set of records that provides documentary evidence of a system's activity by the
system and application processes and of the user activity on systems and applications. Audit trails help
the IDS in detecting performance problems, security violations, and flaws in applications.
Administrators should avoid storing audit trail reports in a single file, to prevent intruders from
accessing the audit reports and making changes.
Intrusion detection using network packets:
A network packet is a unit of data transmitted over a network for communication. It contains
control information in a header and user data. The header of the packet contains the addresses of
the packet's source and destination, and the payload is the body of the packet storing the original
content. Both the header and the payload of a packet can contain malicious content sent by
attackers. Capturing these packets before they reach their final destination is an efficient way to
detect such attacks.
A staged deployment will help the administrator gain experience and discover
how much monitoring and maintenance of network resources is actually
required
deployment options and all the advantages/disadvantages associated with each location
Location 1: Place an IDS sensor behind each external firewall and in the network DMZ
Advantages:
• Monitors attacks originating from the outside world
• Highlights the inability of the firewall and its policies to defend against attacks
• It can see attacks which target the web or FTP servers located in the DMZ
• Monitors outgoing traffic resulting from a compromised server
Location 2: Place an IDS sensor outside an external firewall
Advantages:
• Ability to identify the number and types of attack originating from the Internet to the network
Location 3: Place an IDS sensor on major network backbones
Advantages:
• Monitors and inspects large amounts of traffic, increasing the chance for attack detection
• Detects unauthorized attempts from outside the organization
Location 4: Place an IDS sensor on critical subnets
Advantages:
• Detects attacks on critical systems and resources
• Focuses on specific critical systems and resources
Figure: IDS sensor locations relative to the Internet, the firewall, network backbones and critical subnets.
As a NIDS protects multiple hosts from a single location, the administrator can also consider
customizing the NIDS to provide security for the entire network. The administrator should
consider deploying an IDS management console before adding its sensors.
• Location 1: The sensor is placed outside the organizational network and perimeter
firewall. The sensor placed at this location can detect inbound attacks. They are also
configured to detect outbound attacks. The sensors are configured to detect the least
sensitive attacks to avoid false alarms. These sensors are configured to only log the attack
attempts, instead of sending alerts out for them.
• Location 2: This location is ideal for securing the perimeter network as well as identifying
those attacks that bypass the external firewall. The NIDS sensor secures web, FTP and
other servers located on the perimeter of the network. The NIDS sensors detect attacks
with low to moderate impact in order to avoid the chances of generating false alarms. The
sensors placed here also have the ability to monitor for outbound attacks.
• Location 3: The sensor placed at this location is used to secure the internal network of the
organization. It detects the attack that bypasses the internal firewall. Sensors at this
location are capable of detecting both inbound and outbound attacks. These sensors are
configured to detect medium to high impact level attacks.
• Location 4: The sensors at this location are used to protect sensitive hosts in the network.
It may include critical servers. These sensors are capable of detecting both inbound and
outbound attacks. These sensors are configured to detect high impact level attacks.
This type of IDS must be installed and configured on each critical system in the
network
Host-based IDS deployment is done with a proper plan and care, as deploying these types of IDS
in a large-scale environment has the potential to generate numerous false alarms. It is quite
difficult to manage such a huge number of false alarms. Initial deployment of a HIDS is done on
critical servers only. Administrators must consider implementing an IDS management console
before adding additional hosts.
If an administrator comfortably manages the HIDS on critical servers at the initial stage, then
and only then can they consider deploying the HIDS on all remaining hosts in the network. This
allows an administrator to provide security at the individual host level. However, deploying
HIDS on every host on the network is quite expensive and requires additional software and
maintenance, especially in the case of a wide-scale HIDS deployment.
An IDS does not raise an alarm when an attack has not taken
place
An IDS generates four types of alerts: True Positive, False Positive, False Negative
and True Negative.
A false positive diminishes the value and urgency of real alerts when they are raised for legitimate
attacks
False positives based on reactionary traffic
False positives based on protocol violations
False positives based on non-malicious traffic
In a false positive alarm, an IDS raises an alarm on a non-malicious event. As false positive alarms
trigger unjustified alerts, they cause more chaos in the organization. They nullify the
urgency and the value of the real alerts, leading to the actual alarm situation being ignored.
4. Alarms caused by an IDS bug: A software bug in an IDS will raise an alarm for no
reason.
To reduce false positive alarms, it is important to understand the weaknesses of the device.
Implementing effective countermeasures can help reduce the occurrences of false
positive alarms.
1. Differentiating Alerts: Administrators distinguish the important, priority alerts from
the less important ones. One of the methods used is to verify the alerts with an alert
An IDS with no customization will raise false alarms 90% of the time, depending
on the network traffic and the IDS deployment
Administrators fine tune their IDS to lower the false alarm rate to around 60%
or even less
Minimizing false positive alarms depends heavily upon the level of tuning an IDS
receives and the nature of the traffic on a network
If the number of intrusions in a network is low compared to the network usage, the rate of
false alarms will be high. It is important to keep the false positive rate as minimal as possible. At
times an IDS will ignore half of the network traffic; tuning is not the only option. An effective
implementation of an IDS inspects both the incoming and outgoing traffic for anomalies. Based
on the organization's network tolerance towards false positives, administrators can set up a
threshold level for the IDS.
The amount of false alarms depends on two phases:
1. The detection phase: To bring false alarms down to acceptable levels, administrators
enhance the configuration of the IDS and change the detection approach methods. The
higher the detection rate and accuracy, the lower the amount of false alarms will be.
Techniques like data mining and data clustering reduce the amount of false alarms.
2. The alert processing phase: Alert processing studies the cause of false alarms, recognizes
the high amount and uses case scenarios to subsequently provide a coherent response to
the alarm. Alert processing techniques like statistical filtering and fuzzy alert aggregation
help identify the sequences for false alarms, filter them and later discard them from the
system.
Based on the organization's network tolerance, administrators can reduce false alarms by
raising the threshold level of the IDS. The threshold level depends on two statistics called the
sensitivity and the specificity of the IDS. Sensitivity describes how many of the legitimate alerts
the IDS detects. Specificity describes the accuracy of the alerts the IDS raises.
The false positive and false negative rates for a specific IDS are calculated with a certain
formula. This formula will help calculate each rate for your IDS solution, and fine
tuning the IDS will reduce both of these rates.
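The four alert types and the threshold trade-off discussed above, as an added example that is not code from the courseware: IDS alert scores are compared with a ground truth to count true/false positives and negatives, then sensitivity, specificity and the false positive and false negative rates are derived. The courseware refers to "a certain formula" without printing it; the formulas used here are the standard confusion-matrix definitions and are an assumption of this example, as are the constructed scores and labels.

```python
"""Added example (not courseware code): classify IDS alerts against ground
truth as TP/FP/FN/TN and derive sensitivity, specificity and the false
positive/negative rates. Formulas are the standard confusion-matrix
definitions (assumed; the courseware does not print its formula)."""

# Constructed evaluation set: (score the IDS assigned to an event, whether the
# event really was an attack according to the test-exercise ground truth).
EVENTS = [
    (0.95, True), (0.80, True), (0.65, True), (0.30, True),   # 4 real attacks
    (0.85, False), (0.55, False), (0.40, False),              # 6 benign events
    (0.20, False), (0.10, False), (0.05, False),
]


def classify(events, threshold):
    """Apply an alert threshold and count TP, FP, FN and TN."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for score, malicious in events:
        alerted = score >= threshold
        if alerted and malicious:
            counts["TP"] += 1        # attack took place and the IDS raised an alarm
        elif alerted and not malicious:
            counts["FP"] += 1        # no attack, but the IDS raised an alarm
        elif not alerted and malicious:
            counts["FN"] += 1        # attack took place and the IDS stayed silent
        else:
            counts["TN"] += 1        # no attack and no alarm
    return counts


def rates(counts):
    """Sensitivity = TP/(TP+FN), specificity = TN/(TN+FP); the false negative
    rate is 1 - sensitivity and the false positive rate is 1 - specificity."""
    tp, fp, fn, tn = counts["TP"], counts["FP"], counts["FN"], counts["TN"]
    sensitivity = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    return {
        "sensitivity": sensitivity,
        "specificity": specificity,
        "false_positive_rate": 1.0 - specificity,
        "false_negative_rate": 1.0 - sensitivity,
    }


def tuning_table(events, thresholds):
    """Evaluate several thresholds so the trade-off can be read directly:
    raising the threshold lowers the false positive rate and raises the
    false negative rate."""
    return [(t, rates(classify(events, t))) for t in thresholds]


if __name__ == "__main__":
    for threshold, r in tuning_table(EVENTS, (0.25, 0.5, 0.7)):
        print(f"threshold {threshold:.2f}: sensitivity {r['sensitivity']:.2f}, "
              f"specificity {r['specificity']:.2f}, "
              f"FPR {r['false_positive_rate']:.2f}, FNR {r['false_negative_rate']:.2f}")
```

At a threshold of 0.25 every attack is caught (no false negatives) but half of the benign events alarm; at 0.7 the false positive rate drops to one in six while half of the attacks are missed. Which threshold is right is the organization's tolerance decision that the text describes.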
The sources responsible for the occurrences of false negative alarms are:
• Lack of inter-departmental communication
• Improperly written signatures
To reduce the rate of false negative alarms, use these three items:
• Properly writing and updating the IDS database with the latest attack signatures
A false negative is a more complex issue than a false positive. In a false negative, the intrusion
detection system does not detect the legitimate attacks on the network.
Some of the causes behind generating False Negative alarms are:
• Network setup issue: Network flaws involving improper port spanning on switches and
network traffic imbalance. Failure of NIDS devices to detect incoming and outgoing
network traffic due to multiple entry points is one of the causes of a false negative alert.
Improper configuration of an IDS will also raise a false negative alert.
• Encrypted Traffic design flaws: An IDS is not capable of detecting intrusions when they are
encapsulated in encrypted traffic, as it is not possible to match encrypted traffic to
signatures. It is advisable to place an IDS behind a VPN termination with SSL encryption.
• Misleading signatures: If the signatures are not correctly written, they can mislead in
determining the attacks. Vendors cannot create signatures for those attacks of which they
are not aware. Occasionally even the tools are incapable of determining the legitimate
signatures.
• Appropriate Network Design: The primary requirement for minimizing false negative
alerts is to set up a proper network design. The network design should be parallel to the
security policies of the organization.
• Proper placement of an IDS: The proper placement of an IDS is behind the firewall. This
will raise alerts against port scans, automated scans and denial of service attacks. The
IDS should also be configured to detect illegitimate signatures.
• Network Analysis: Active network analysis and monitoring will minimize false
negative alerts. For this, administrators can utilize various network analysis tools or
utilities. The IDS should also be configured to nullify false negative alerts from triggering
the rules set on it.
• Inclusion of additional data: False alerts can be reduced by including additional data
about the network in the security event. The additional information includes information
about the organization's assets, users, networks and network device sources. Inclusion of
this additional data can be through automated or manual processes.
• Go to Configuration ➔ Corp-IPS ➔ Policies ➔ Event Action Rules ➔ rules0, and click the Event Action
Filters tab and click Add
• Type the filter name, signature ID, attacker's IPv4 address, and action to subtract in the appropriate fields,
and then click OK
Screenshot: Add Event Action Filter dialog (Name: Excluded Host; Enabled: Yes; Signature ID: 2100; Attacker IPv4 Address; Attacker IPv6 Address; Attacker Port; Victim IPv6 Address; Victim Port: 0-65535; OK / Cancel / Help). Screenshot source: http://www.cisco.com
• Go to the Event Action Filters tab and click Add
• Type the filter name, signature ID, network address with subnet mask, and action to subtract in the
appropriate fields, and then click OK
Screenshot: Add Event Action Filter dialog for a network address (risk rating range; More Options; OK / Cancel / Help).
Cisco Secure IPS provides the capability to exclude a specific signature from or to a specific host
or network address. Excluded signatures do not generate alarm icons or log records when they
are triggered from the hosts or networks that are specifically excluded through this mechanism.
For example, a network management station might perform network discovery by running ping
sweeps, which trigger the ICMP Network Sweep with Echo signature (signature ID 2100). If you
exclude the signature, you do not have to analyze the alarm and delete it every time the
network discovery process runs.
Source: http://www.cisco.com
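The event action filter just described, as an added example that is not Cisco's or EC-Council's code: a small software model in which a filter names a signature ID and an attacker host or network (given as a plain address, CIDR, or address with subnet mask, matching the two dialogs above) and subtracts an action, here the alert, from events that match. Signature 2100 is the ICMP Network Sweep with Echo signature named in the text; the management-station address, the scanner subnet and the second signature ID 9999 are constructed placeholders for this example.

```python
"""Added example (not Cisco or EC-Council code): a model of an IPS event
action filter that subtracts the alert action for one signature when the
attacker address is an excluded host or network, leaving the signature
active for every other source."""
import ipaddress
from dataclasses import dataclass


@dataclass
class EventActionFilter:
    name: str
    signature_id: int
    attacker_addresses: str          # host, CIDR network, or address/netmask
    actions_to_subtract: frozenset = frozenset({"produce-alert"})
    enabled: bool = True

    def __post_init__(self):
        # ipaddress accepts "192.0.2.10", "192.0.2.0/24" and "192.0.2.0/255.255.255.0".
        self.network = ipaddress.ip_network(self.attacker_addresses, strict=False)

    def matches(self, event):
        """A filter applies only when enabled, for its own signature ID, and
        only when the attacker address falls inside the excluded host/network."""
        return (self.enabled
                and event["signature_id"] == self.signature_id
                and ipaddress.ip_address(event["attacker"]) in self.network)


def apply_filters(event, filters):
    """Return the actions left on an event after every matching filter has
    subtracted its actions. An event that loses 'produce-alert' raises no
    alarm and writes no alarm record, which is the excluded-host behaviour."""
    actions = set(event["actions"])
    for f in filters:
        if f.matches(event):
            actions -= f.actions_to_subtract
    return actions


# Constructed addresses (documentation ranges): a management station that
# runs discovery ping sweeps, and a scanner subnet given with a subnet mask.
MGMT_STATION = "192.0.2.10"
FILTERS = [
    EventActionFilter("Excluded Host", 2100, MGMT_STATION),
    EventActionFilter("Excluded Scanner Subnet", 2100, "192.0.2.64/255.255.255.192"),
]

# Constructed events as the sensor would raise them before filtering;
# 9999 stands in for some unrelated signature.
SAMPLE_EVENTS = [
    {"signature_id": 2100, "attacker": MGMT_STATION,
     "actions": {"produce-alert", "log-attacker-packets"}},
    {"signature_id": 2100, "attacker": "192.0.2.70", "actions": {"produce-alert"}},
    {"signature_id": 2100, "attacker": "203.0.113.5", "actions": {"produce-alert"}},
    {"signature_id": 9999, "attacker": MGMT_STATION, "actions": {"produce-alert"}},
]


def remaining_actions(events=SAMPLE_EVENTS, filters=FILTERS):
    """Actions that survive filtering, in the order of the input events."""
    return [apply_filters(e, filters) for e in events]


if __name__ == "__main__":
    for event, left in zip(SAMPLE_EVENTS, remaining_actions()):
        print(event["signature_id"], event["attacker"], "->", sorted(left) or "suppressed")
```

The filter removes only the actions it names: the management station's sweep still has its packets logged while the alarm is gone, a sweep from an unlisted Internet address still alarms, and a different signature from the same management station is untouched, so the exclusion does not silently widen into a blanket exemption for that host.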
Observe deviations from normal behavior
• Organizations should have an IDS that can run without or with minimal human
intervention. The configuration of the system monitors and detects all suspicious activities
on the host system. However, administrators should have all the privileges in auditing and
monitoring for this to work.
• Even if the host system fails or crashes the IDS will still function reliably. It is advisable to
configure the IDS so it is fault tolerant and does not require a reconfiguration or reboot
every time the host system fails. Also, it should be capable of monitoring itself to avoid
any damage.
• An IDS should have the features for halting and blocking attacks. These attacks can occur
from any application or software. This also involves alerting the administrator through
online, mobile or email notification. The method of notification depends on the
configuration set up by the administrator.
• By having the feature for information gathering, an IDS helps an administrator detect the
type of attack, the source of the attack and the effects the attack caused in the network.
Gathering evidence for a cyber-forensic investigation is one of the required characteristics
of an IDS.
• In large organizations, an IDS is built with a fail-safe feature to help hide itself in the
network. This feature helps create a fake network to attract intruders to, as well as for
analyzing the possibilities of different types of attacks. It also helps vulnerability analysis
of the network.
• An IDS detects changes in the files of the system or network. The file checker feature in an
IDS notifies the administrator if the intruder made any sort of alteration to the files. An
IDS reports every activity which has occurred on the network, and this aids an
administrator when analyzing vulnerabilities and rectifying them.
• When recursive changes occur in the network, an IDS should be adaptable to these
changes. This also includes adapting different defense mechanisms for every different
system in the network.
• The configuration of an IDS is such that it does not cause overhead in the network or
system.
Deploying an IDS in a location where it does not see all the network traffic
Not having the proper response policy and the best possible solutions to deal
with an event
Not fine tuning the IDS for false negatives and false positives
Not updating the IDS with the latest new signatures from the vendor
Below are the mistakes, and the workarounds to avoid them, when deploying an IDS in the
network:
• After the deployment of an IDS, the organization sets its level to the highest sensitivity,
enabling the IDS to detect a large number of attacks. However, this also brings a rise in
the number of false positives. An IDS generates a large number of false positive alerts per
day, which could cause the administrator to miss an actual alert. In the long run, ignoring
these alerts can be harmful for network security.
• Detecting an intrusion is not enough. Organizations should also design a response policy
that administrators implement in response to an incident which has occurred. This
response policy should answer the following questions: What is a normal event and
what is a malicious event? What is the response for every event generating an alert?
The person reviewing the alerts should be aware of this action plan.
• An infrastructure which has established a NIDS without IPsec network protocols makes
the network more vulnerable to intrusions. A NIDS listens to all the traffic that it senses
and then compares the legitimacy of the traffic. If it encounters encrypted traffic, it can
only perform packet-level analysis, as the application layer contents are inaccessible. This
increases the vulnerability of the network.
• Many organizations prefer securing and monitoring only the inbound traffic and ignore
the outbound traffic. It is important to place the IDS sensors throughout the organization.
If the setup is cost effective, the organization should place the sensors near the choke
points on the network. This will help monitor outbound as well as internal host network
traffic.
• Do not deploy IDS sensors on a single NIC or on multiple data links. This will lead to an IDS
sensor sending the data on the same interface on which it is sensing. This leads to
possible attacks, as the interface reports all the data to the centralized database. If an
attacker gets access to this infrastructure, they can disable the IDS, preventing further
alerts. The attacker can also intercept the data on the interface and alter it. This issue can
be resolved by connecting the interface to a dedicated monitoring network.
Intrusion prevention systems (IPS) are a combination of systems which detect
threats and prevent their entry into the network
The technology uses techniques such as stopping the attack, changing the security
environment and changing the content of the attack
An Intrusion Prevention System (IPS) is a network security technology which has the capability
of detecting an intrusion in the network. In addition, it also has the capability of blocking or
stopping the detected intrusions. Therefore, it is sometimes called an inline firewall. It is
considered an extension of an IDS. The main function of an IPS is to detect, log, attempt to
block, and report malicious activity on the network. It provides a layer of analysis for the
network. It must work and be configured efficiently; otherwise, deploying an IPS can degrade network
performance. An IPS also uses the same techniques for intrusion detection as an IDS uses.
The combination of an IDS and an IPS enhances network security by identifying real-time
threats and preventing them.
Figure: Network IPS and IDS placement relative to the network, switch and host.
Unlike an IDS, IPSs are placed in-line in the communication path between the source and
destination and generally sit directly behind the firewall. An IPS works from inside the firewall
and monitors for internal attacks as well as attacks penetrating the firewall. It will inspect the
network traffic for attacks before the firewall filters the attacks, thereby serving as an early
warning system and alerting when threats are found. An internal IPS configuration consumes
more time to investigate, and the IDS reports used to detect the attacks can fail and/or succeed, as
the normal network generates many alerts.
There are major drawbacks with placing an IPS on the outside of the firewall. It results in a
number of false positives, making it difficult to manage and sniff out the real issues. Frame
reassembly is also an issue, since your IPS must be powerful enough to handle the reassembly
of packets before it can inspect them.
An IPS detects as well as actively prevents any detected intrusions and even blocks traffic from
improper IP addresses. An IPS recognizes network-sniffing attempts that try to steal data
packets from the network. It decodes and analyzes application layer protocols.
• Log information: Creates logs on a regular basis with all the information about the
activities performed on the network.
• Attempts to block/stop and report: Blocks the malicious activity by itself and reports the
activity to the administrator.
• An IPS is designed to detect malicious data packets, stop intrusions and block
malicious traffic automatically prior to any network attacks
• An IPS looks for preconfigured and predetermined attack patterns (signatures),
making it more efficient at combatting nefarious activities than other network
appliances
• An IPS can handle CRC errors and unfragmented packet streams, prevents TCP
sequencing issues, and eliminates unwanted elements from the network and
transport layers
• An IPS uses Deep Packet Inspection to monitor the network traffic for potential
intrusions, which are seen as normal traffic by a traditional firewall
• The IPS decreases the number of false positives, helping an organization avoid
diverting precious resources to fight false alarms
An IPS performs the same functions as a firewall, but with firewalls most of the rules are to
allow the traffic. In an IPS, most of the rules are to deny the traffic.
Advantages of an IPS
• Quickly blocks known threats.
• Detects, stops and blocks network attacks automatically.
• Decreases false positives and helps organizations avoid diverting their network resources
to fight false alarms.
• Corrects CRC errors, defragments packet streams, resolves TCP sequencing issues, etc.
• Uses deep packet inspection to monitor network traffic for potential intrusions which
usually would be seen as normal traffic by a traditional firewall.
• Looks for preconfigured and predetermined attack patterns (signatures), making it more
efficient than other network appliances at combatting nefarious activities.
Network-Based IPS
As a drawback, it sends alerts to conditions that are not threatening. To avoid these problems,
it needs to be reconfigured by altering or reducing the security control signaling these
conditions as incidents. This can be set based on network administrator policies.
Network-Based IPS:
Security Capabilities
A network-based IPS provides security capabilities which are classified into four
categories
Information gathering capabilities are limited and include the host network activity along with:
• The identification of hosts by creating a list in the network in accordance with the IP
address or MAC address
• The identification of the operating systems and versions of all systems on the network,
using a passive fingerprinting technique to uncover user vulnerabilities
• The identification of applications by verifying the ports used and monitoring certain
characteristics of application communications
• The identification of network characteristics such as the number of hops between two
devices, which is useful when detecting changes in the network configuration
Network-Based IPS:
Security Capabilities (Cont'd)
• Detection accuracy ranges between high rates for false positives and false negatives
• Tuning and customization are required to improve the detection capability
• Technology limitations include:
• Analysis of encrypted network traffic
• Handling high traffic loads
• Preventing an IPS bypass
• Storing log data for detected events
• Confirming the validity of alerts (false positives and false negatives)
• Investigating incidents
• Correlating events with other logging sources
Network-Based IPS:
Security Capabilities (Cont'd)
The network-based IPS offers many security related capabilities including information
gathering, monitoring, logging, detection and prevention of attacks. There are also certain
network-based IPS products that offer security information and event management (SIEM)
capabilities.
• Identifying Hosts: An IPS sensor creates a list of hosts arranged according to the IP
address or MAC address on the organization's network. The list identifies the new hosts
on the network.
• Identifying Operating Systems: Using various techniques, an IPS sensor identifies the
organization's host OSs and OS versions.
Like an IDS, a network-based IPS also features detection capabilities that use signature-based detection, anomaly-based detection and stateful protocol analysis techniques.
• Policy violations
Detection Accuracy
To increase the accuracy and the scope of detection, newer technologies use a combination of detection methods. Different network-based IDPSs analyze network activity using different methods, much as different types of web servers interpret the same kind of web request in different ways. Combining methods enables the sensor to enhance its detection capability and accuracy. Organizations should implement network-based IDPSs to deal with evasion issues.
Logging Capabilities
The network-based IPS is able to log the detected events. These logs are useful when
investigating incidents, checking the validity of the alerts, etc.
• Passive Only
Passive sensors send TCP reset packets to both endpoints in an attempt to end the
existing TCP connection. Both endpoints will assume the other endpoint wants to
terminate the connection. This process is called sniping. The goal is to get one of the
endpoints to terminate the connection before an attack can succeed. Session sniping
is not widely used as there are newer prevention capabilities that are more effective.
• Inline Only
There are a few inline IPS sensors that can replace the malicious content of a packet with trusted content and then send the decontaminated packet to the destination. Some sensors act as a proxy and perform normalization on the traffic to remove the malicious content from a packet. This sanitizes some attacks involving packet headers and application headers, irrespective of the attack detected by the IPS.
[Figure: Network-based IPS deployment. Labels in the diagram: Internet, Firewall, DMZ, Gateway, NIPS Software, Command Console, Protected Hosts]
As a single management station supports multiple sensors, each side of the firewall can have an IPS sensor, enabling the user to know what attacks the network is facing and how exactly the firewall is protecting the network from those attacks. An IPS sensor analyzes the attacks occurring on the external firewall, determines the potential attacks and stops them from entering the network. This kind of IPS configuration does not discover internal threats. The IPS can also work from a secondary location such as the DMZ and host segments to increase the visibility of the network traffic.
Host-Based IPS
• A host-based IPS is aimed at collecting information about host activity
• Monitors characteristics and events which occur on a single host
• Analyzing, detecting and preventing suspicious activity
A host-based IPS monitors, detects, analyzes and prevents any intrusion activity on a particular
host. It checks the system integrity, logs, programs, applications, file access and/or
modification, traffic, etc. to detect intrusion attempts.
It has detection software known as agents installed on a single host instead of the whole
network, that monitors activity on a host and conducts prevention functions. It monitors the
status of key system files, triggers alerts on changes to file attributes, creation of new files, and
deletion of any existing files. It monitors multiple systems by creating a host configuration file
and making each HIPS report to a master console system.
Advantages
• Detects local events and attacks on host systems, where encrypted traffic is decrypted
and is available for processing.
Disadvantages
• Management issues as it is configured on each monitored host.
• Vulnerable to host OS attacks.
[Figure: Host-based IPS architecture. Labels in the diagram: IPS Consoles, Switch, DMZ Switch]
Host-based IPS architecture involves deploying a HIPS agent on each of the hosts in the organization. The system components communicate over the organization's network instead of using a separate management network. Most products encrypt their communications to prevent attackers from accessing sensitive information. A host-based IPS architecture may also use appliance-based agents placed in front of the hosts it is protecting.
[Figure: Wireless IPS deployment. Labels in the diagram: Corporate Network, IPS Sensor, Firewall]
A wireless IPS is used to monitor wireless network traffic for detection and prevention of network intrusion activity. The system analyzes wireless networking protocols to identify and avert suspicious activities.
The wireless IPS covers devices that connect over a wireless local area network (WLAN) through radio communications and distribute the signals within a limited geographic area. A wireless IPS detects abnormal activities in wireless network traffic, which can be a device compromise attempt or unauthorized access to the network. It will also identify any device that tries to spoof the identity of another device.
In a wired IPS, all the typical components use a wired network to connect with each other. The wireless IPS components communicate with each other using either a separate management network or the organization's standard network. Some mobile wireless IPS sensors also act as standalone devices.
The network architecture for a wireless IPS also includes deciding where the sensor locations
are in an IDPS. The location of the sensors should allow it to check regions where the WLAN
activity should not exist as well as monitor all the channels and bands to detect rogue APs and
ad-hoc WLANs.
Selection of wireless sensor locations depends on a wide array of criteria such as:
• Physical Security: Wireless sensors are prone to physical security threats because they are placed in open interior or external locations. The organization should consider some form of physical security for the sensors while deploying a WIPS. It is advisable to choose sensors with anti-tamper features.
• Sensor Range: The surrounding walls and doors may affect the range of WIPS sensors. They may add attenuation problems and reduce the range. It is advisable to use wireless IPS modeling software that helps administrators analyze building floor plans and features such as wall materials, location of doors, etc.
• Wired Network Connections: Wired networks are required to connect sensors, which may require expanding the wired network in the area.
• Cost: Organizations should analyze the WLAN threats they face and choose a cost-effective solution. Compare the cost of sensor purchases, deployment, and maintenance in order to define the solution that reduces risk to the required level.
• AP and Wireless Switch Locations: The locations of access points and wireless switches are crucial because they enable the implementation of wireless IPS software on the devices themselves.
• Susceptible to evasion techniques
• Cannot withstand attacks against an IPS
Logging Capabilities
Prevention Capabilities
Management of a wireless IPS product involves crucial tasks such as implementation, operation, and maintenance of the products, as well as providing guidelines for performing them effectively and efficiently.
Implementation
Implementation of a wireless IPS follows the installation and customization of the selected
product.
• Component Testing and Deployment: Implementing a wireless IPS requires short network
outages during installation of the sensors, network taps and load balancers.
• Securing the IPS Components: Do not assign IP addresses for both the passive and inline
sensors used to monitor network traffic, as it keeps the sensors in stealth mode.
An NBA system, also known as a Network Behavior Anomaly Detection (NBAD) system, monitors an organization's internal network flows as well as flows between the organizational and external networks. This approach evaluates and analyzes network traffic or its statistics on active devices such as switches, routers, firewalls, etc. to identify:
• Unusual traffic
• Malware attacks
• Policy violations
• Advanced threats
• Undesirable behavior
• Anomalies
Some threats may evade an IDS and anti-virus software. The NBA system passively monitors the network traffic from many points and tries to identify such threats. The main advantage of using an NBA system is that it focuses on the overall behavior of the network and flags new patterns that might indicate the presence of a threat. This allows the organization to address specific threats for which no signature is available. The NBA system is also capable of monitoring and recording variations in bandwidth and protocol usage.
NBA sensors are deployed in passive mode using the same connection methods as a network-based IPS.
Inline sensors are placed at network boundaries or close to border firewalls. For instance, an NBA inline sensor deployed between the firewall and the Internet perimeter router is able to restrict incoming attacks that get past the firewall. Some products combine NBA and IPS, providing IPS or firewall functions. NBA sensors can also be deployed in passive mode to collect data from the switches.
• NBA sensors detect attack attempts such as policy violations, DoS, scanning, etc.
• Logs the same information as a HIPS
The NBA system offers a variety of security capabilities that can be classified into four
categories:
• Information capabilities
• Logging capabilities
• Detection capabilities
• Prevention capabilities
Information Capabilities
NBA systems gather information about hosts, which is required for most of the NBA system's detection methods. NBA sensors have the ability to automatically create and maintain a list of hosts across the organization's monitored network. These sensors gather detailed information by monitoring port usage, performing passive fingerprinting and applying other techniques to the host. The information obtained for each host includes its IP address, operating system, the services it provides (such as IP protocols and the TCP and UDP ports it uses), the other hosts interacting with it, and the services, IP protocols, and TCP or UDP ports it connects to. The NBA sensors monitor this information continuously for any changes.
Logging Capabilities
NBA systems log detected anomalies. The data fields logged by the NBA system are:
• Alert type
• Source and destination IP addresses
• Rating priority, severity, etc.
• Protocols at application, transport and network layers
• Source and destination TCP or UDP ports or ICMP types and codes
• Additional packet header fields such as IP time-to-live
• Prevention action
Detection Capabilities
An NBA system detects different types of malicious behavior that deviate significantly from normal behavior. To monitor and analyze network activity, most NBA systems use anomaly-based detection and stateful protocol analysis methods. NBA sensors can detect the following types of events:
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack: If a host utilizes increased bandwidth, the NBA system analyzes this type of activity and determines whether it violates normal traffic behavior in order to detect these types of attacks.
• Scanning: The IDS detects scanning attacks by noticing abnormal flow patterns at
different layers, such as banner grabbing at the application layer, TCP and UDP port
scanning at the transport layer and ICMP scanning at the network layer.
• Worms: The IDS can detect worms in more than one way as it depends on the behavior of
a worm, such as its propagation, causing hosts to use undesirable ports, etc. For example,
if a network has a worm infection, the NBA sensor can examine the worm's flow and
identify the host that first transmitted the worm in the network.
• Policy Violations: In most NBA sensors, it is possible to create detailed policies such as
hosts, groups of hosts, communication between them, permitted activity, time period etc.
They also have the ability to detect policy violations such as running unauthorized services
etc.
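The following is an added example, not courseware code, showing how three of the event classes above (bandwidth deviation for DoS, port scans and host sweeps, and policy violations) can be detected from flow summaries, with each alert carrying the fields the logging section lists. The flow records, the per-host baseline figures, the thresholds and the policy table are constructed for the demonstration; a real NBA sensor learns its baseline from live traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow summary as an NBA sensor would receive it from a switch or router."""
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port; for icmp, the ICMP type
    nbytes: int


# Policy (hypothetical): hosts that may only talk to the listed networks.
# A server contacting the Internet itself is treated as a policy violation.
RESTRICTED_HOSTS = {"10.0.0.5": [ip_network("10.0.0.0/8")]}

# Baseline bytes per interval sent by each host, learned earlier (constructed).
BASELINE_BYTES = {
    "10.0.0.5": [52_000, 48_000, 55_000, 50_000, 51_000],
    "10.0.0.9": [3_000, 2_500, 3_200, 2_800, 3_100],
}

SCAN_PORTS = 20    # distinct dst ports from one src to one dst -> port scan
SWEEP_HOSTS = 20   # distinct dst hosts from one src on one proto/port -> sweep
DOS_SIGMAS = 4.0   # bytes above mean + 4 * stddev of the baseline -> DoS/flood


def alert(kind, src, dst, proto, port, severity):
    """Build an alert record with the fields an NBA system logs."""
    return {"type": kind, "src": src, "dst": dst, "proto": proto,
            "port": port, "severity": severity}


def detect(flows, baseline=BASELINE_BYTES, restricted=RESTRICTED_HOSTS):
    """Run the anomaly checks over one interval of flows and return the alerts."""
    alerts = []
    bytes_by_src = defaultdict(int)
    ports_by_pair = defaultdict(set)
    hosts_by_service = defaultdict(set)

    for f in flows:
        bytes_by_src[f.src] += f.nbytes
        ports_by_pair[(f.src, f.dst)].add((f.proto, f.dport))
        hosts_by_service[(f.src, f.proto, f.dport)].add(f.dst)
        # Policy violation: restricted host contacting a network outside its allow-list
        nets = restricted.get(f.src)
        if nets is not None and not any(ip_address(f.dst) in n for n in nets):
            alerts.append(alert("policy_violation", f.src, f.dst, f.proto, f.dport, "medium"))

    # DoS / flood: per-host byte volume far above its learned baseline
    for src, total in bytes_by_src.items():
        if src in baseline:
            mu, sigma = mean(baseline[src]), pstdev(baseline[src])
            if total > mu + DOS_SIGMAS * sigma:
                alerts.append(alert("dos_bandwidth", src, "*", "*", "*", "high"))

    # Port scan: one source probing many ports on a single destination
    for (src, dst), services in ports_by_pair.items():
        if len(services) >= SCAN_PORTS:
            alerts.append(alert("port_scan", src, dst, "tcp/udp", "*", "medium"))

    # Host sweep: one source probing many destinations on the same proto/port (e.g. ICMP echo)
    for (src, proto, port), hosts in hosts_by_service.items():
        if len(hosts) >= SWEEP_HOSTS:
            alerts.append(alert("host_sweep", src, f"{len(hosts)} hosts", proto, port, "medium"))

    return alerts


def sample_flows():
    """Constructed one-interval flow set containing one instance of each anomaly."""
    flows = [Flow("10.0.0.5", "203.0.113.9", "tcp", 443, 1_200)]                   # policy violation
    flows += [Flow("10.0.0.42", "10.0.0.7", "tcp", p, 60) for p in range(1, 26)]    # port scan
    flows += [Flow("10.0.0.42", f"10.0.1.{h}", "icmp", 8, 84) for h in range(1, 31)]  # host sweep
    flows += [Flow("10.0.0.9", "198.51.100.1", "udp", 53, 90_000) for _ in range(10)]  # flood
    flows.append(Flow("10.0.0.5", "10.0.0.7", "tcp", 22, 4_000))                    # benign
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(a)
```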
Prevention Capabilities
The NBA system provides various intrusion prevention capabilities. The configuration of an NBA sensor considers the different types of alerts raised by NBA sensors in order to determine the kind of prevention capability required to block a specific known threat. According to the type of sensor, the prevention capabilities of an NBA sensor are:
• Passive sensor: Terminates the session by sending a TCP reset (RST) packet to both endpoints of a connection.
• Inline sensor: Performs inline firewall functions to allow or deny any suspicious network traffic.
• Both passive and inline: Most NBA sensors have the ability to instruct network security devices to reconfigure themselves to restrict certain types of attacks.
• Running a third-party program or script: If any malicious activity is detected, some NBA sensors have the ability to run an administrator-specified script or program.
Most NBA systems make limited use of prevention capabilities because of false positives, as blocking on a single false positive may disrupt the entire network.
• General requirements
• Performance requirements
• Management requirements
The selection of any IDPS product depends on whether the IDPS products meet certain requirements. The selection process consists of assessing four aspects of IDPS technologies: security capabilities, performance, management, and life cycle cost.
Evaluate the general requirements the IDPS products will have to meet post deployment. The size of an organization also affects the number of IDPS products needed.
Goals and Objectives: An organization should decide whether a particular IDPS solution satisfies the technical, operational and business goals and objectives behind the reason for implementing an IDPS.
Consider the following questions while articulating goals and objectives:
• Which type of threats does an IDPS protect against?
• Will an IDPS be able to monitor activities against acceptable use, violations, non-security reasons, etc.?
Review the current security and IT policies and evaluate whether a certain IDPS will offer the specified protection to meet an organization's policies.
Consider the following points when selecting an IDPS product:
• Policy goals
• Reasonable use policies
• Policy violations and consequences
• Security-specific requirements
• Security audit requirements
Resource Constraints: An organization should consider constraints that add extra costs to implementing IDPS features:
• The budget required to purchase, deploy, administer and maintain the IDPS hardware, software and infrastructure
An organization needs to have a clear baseline of the requirements for an IDPS product. Each
IDPS solution may differ in features and services. An organization needs to determine which
IDPS product will suit their requirements the best. For example, there are situations where a
single IDPS product may not satisfy the requirements of an organization. This scenario
encourages the use of multiple IDPS products. Wireless IDPS products have certain general
requirements such as a method of detecting anomalies and the process of connecting to other
components that decide if the product can satisfy the company's requirements.
• Policy Goals
External Requirements
If the organization is supposed to undergo a review by other organizations, an administrator
will need to assess whether they can review the IDPS implementation in their organization.
Resource Constraints
Administrators should also consider their adequacy in terms of system or personnel to handle
the IDPS feature that they are thinking of implementing. Expenses on additional IDPS features
will be in vain, if the organizations do not have enough resources to handle them. Network
administrators must consider the following constraints:
• The budget for purchasing, implementing and maintaining IDPS hardware, software and infrastructure.
Performance Requirements: Evaluate IDPS products based on their general performance characteristics. Verify performance features such as:
• Tuning features, whether manually or automatically configured
• Ability to monitor and handle network traffic
• Ability to track various products and activities simultaneously
• Latency in processing events caused by the product
• Host-based IDPS: Ability to monitor a certain number of events per second
• Delay in tracking an event
The products need to comply with the organization's management policy in order to offer better performance. If the products do not comply with the company's policy, it will be difficult to manage them and make them work effectively. Management requirements for an IDPS include categories such as:
• Design and implementation criteria, which include detailed information about the technology type used in the product along with features like reliability, interoperability, scalability and security.
• Operation and maintenance requirements, which include daily usage, maintenance and applying updates to the product.
• The IDPS product should offer good interoperability, which refers to performing effectively while working in combination with existing systems.
• The products should offer scalability, so that the company is able to increase or decrease the product quantity to meet future requirements.
Estimated life cycle costs of the products should be within the available funding.
Life cycle costs for IDPS products are divided into two categories:
• Initial costs
• Cost of maintenance
IDPS products are environment specific, and it can be a tedious task for organizations to quantify the cost of IDPS solutions. The cost of the IDPS product should be proportional to the available budget of the organization. Estimated life cycle costs of the selected IDPS products should be in the range of the available funding. Selecting an IDPS based on cost alone is difficult, as the environment, security and other networking criteria are liable to dominate the decision. Life cycle costs of the IDPS products include categories such as:
Initial Costs
Initial cost is the starting point for all IDPS product calculations. It includes:
• Cost for deploying hardware or software tools: It involves the cost of network appliances,
IDS load balancers, software tools such as reporting tools, database software, etc.
• Installation and configuration costs: This cost includes internal or external labor for fixing
systems, network appliances or installing network or system accessories.
• Cost for training and awareness: It involves the cost for training and its awareness among
the administrators.
Cost of maintenance
Usually organizations do not have a standard for measuring the cost of maintenance, this
results in different costs of maintenance within the same organization. The cost of maintenance
within the organization includes:
• Cost of Labor: Cost of labor includes the cost of staff handling the IDPS solutions and the
administration.
• Cost of technical support: Organizations using external technical support from the third-
party services are required to pay costs for technical support services.
• Cost of professional services: Technical support vendors that do not provide IDPS solution
services fall under professional services. Organizations using service support from these
IDPS vendors or third-parties are required to pay the costs of these professional services.
An administrator should not depend solely on an IDS for intrusion detection.
Use the following tools and techniques to complement an IDS for better protection:
Although various types of IDPS and their hybrid solutions are used to detect and prevent intrusions on a network, they are not always sufficient to detect specific types of intrusions. Solutions are required that specialize in detecting a specific type of intrusion. There are other technologies and solutions that act as counterparts to an IDS and help you detect various types of intrusions on the network. IDPS solutions are more generalized, whereas these solutions target specific types of intrusions and are therefore more specialized. These solutions, if implemented, can provide add-on security to the network. Some of the specialized intrusion detection systems are:
• Honeypots
Vulnerability Analysis or Assessment Systems
Advantages:
• Spot changes in security states reliably
A vulnerability assessment helps the network administrator decide whether a host or a network
is susceptible to any kind of attack. These tests help the company design a framework for how
vulnerabilities affect the system and provide details about the intrusion detection process.
The vulnerability assessment should address issues related to human errors and also monitor
for any compliance issues with existing devices.
Advantages
• Vulnerability analysis allows detection of problems on systems that cannot support an IDS.
• Provides security-specific testing capabilities that record the current security state of the systems.
• Vulnerability analysis systems spot changes in the security state and offer correction procedures when used on a regular basis.
• The tests help the companies to ensure mitigation of security problems and provide
methods to double-check the changes made to systems.
Disadvantages
• Vulnerability analysis systems are costly to build, maintain, and manage, as they require
specific operating systems and applications.
• Some systems that analyze denial-of-service attacks are liable to crash the systems they
are testing.
• Repeated network-based assessments are liable to train certain IDSs to ignore real
attacks.
File Integrity Checkers determine whether attackers have altered system files or executables. They use message digests or cryptographic checksums to verify the integrity of critical files.
An attacker may change or alter a file for the following reasons:
The checkers also help determine whether vendor-supplied bug patches or other changes have been made to system binaries. Cryptographic checksums are important, as attackers often alter system files at three stages of an attack, such as:
• They attempt to cover their tracks so that system owners will be unaware of the attack.
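The checksum-based file integrity checking described here, and the key-file monitoring that the host-based IPS section earlier attributes to HIPS agents (alerts on changed attributes, new files and deleted files), as one added example that is not part of the courseware: it baselines a directory tree with SHA-256 digests and file attributes, seals the baseline with an HMAC so that tampering with the baseline itself is detected, and reports added, deleted, modified and attribute-changed files. The directory contents, file names and the key are constructed placeholders; a real deployment keeps the key and the sealed baseline on the master console, not on the monitored host.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Digest plus the attributes a checker tracks for one regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def build_baseline(root):
    """Walk root and record every regular file, keyed by its path relative to root."""
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            records[p.relative_to(root).as_posix()] = file_record(p)
    return records


def seal(baseline, key):
    """Serialize the baseline and append an HMAC-SHA256 tag over it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def unseal(blob, key):
    """Verify the tag before trusting the stored baseline."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return json.loads(body)


def compare(baseline, current):
    """Classify each difference as added, deleted, modified or attributes_changed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel))
        elif new is None:
            findings.append(("deleted", rel))
        elif old["sha256"] != new["sha256"]:
            findings.append(("modified", rel))
        elif old != new:
            findings.append(("attributes_changed", rel))
    return findings


def demo():
    """Constructed scenario: baseline a tree, simulate changes, then re-check it."""
    key = b"placeholder-console-key"  # placeholder; the real key lives on the console
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        sealed = seal(build_baseline(root), key)

        # Simulated changes: binary replaced, file deleted, file added, permissions changed
        (root / "bin" / "login").write_bytes(b"replaced binary")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("option=1\n")
        os.chmod(root / "etc" / "passwd", 0o777)

        findings = compare(unseal(sealed, key), build_baseline(root))

        # A baseline whose tag no longer matches is rejected rather than trusted
        corrupted = sealed[:-1] + (b"0" if sealed[-1:] != b"0" else b"1")
        try:
            unseal(corrupted, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return findings, tamper_detected


if __name__ == "__main__":
    for kind, rel in demo()[0]:
        print(f"{kind:20} {rel}")
```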
• Deflect attackers from gaining access to critical systems
• Encourage attackers to stay on the system in order to study their unauthorized attempts and respond to them
A padded cell is a simulated environment where attackers are contained once they are detected. The simulated environment is different from a live environment and contains fake data, so attackers cannot harm the actual live environment.
A padded cell and a traditional IDS operate simultaneously, i.e. when the IDS detects the intrusion from the attacker, it seamlessly transfers the attacker to a special padded cell host.
Advantages:
• Helps divert attackers to different targets they cannot damage
• Gives extra time to decide when responding to the incident
Disadvantages:
• Legal implications for these devices are not well defined
• Attackers may be encouraged to launch a more hostile attack
Honey pots
Honey pots are decoy systems designed to lure potential attackers away from critical systems
and encourage attacks against themselves. The defender may lure them away from actual
targets, perhaps detect their presence, and then block access. This approach has the risk of
perhaps luring attackers into the defender's network. Honey pots are decoy systems which
perform important tasks such as:
• Diverting attackers from accessing critical systems.
• Gathering information on an attacker's activity.
• Encouraging an attacker to stay on the system for a long time.
The system stores information to make it seem crucial to the attacker and lures them to
attempt an attack. The system features monitors and event loggers that detect attacker
attempts to access the honey pot and collect information.
Advantages
Usage of honey pots and padded cell systems enables various functions such as:
• Attackers can be diverted to system targets that they cannot damage
• Administrators have additional time to decide how to respond to an attacker
• Easy and extensive monitoring helps to refine threat models and improve system
protections
• Effective at catching employees who are snooping around the network
Disadvantages
Disadvantages of using honey pots and padded cell systems are:
• The legal implications of using such devices are not well defined.
• An expert attacker, once diverted into a decoy system, may become angry and launch a
more hostile attack against an organization's system.
• In order to use these systems, a high level of expertise is needed.
• LogRhythm: https://logrhythm.com
• http://nixbit.com
• ADAudit Plus: https://www.manageengine.com
• McAfee Integrity Control: http://www.mcafee.com
• AFICK: http://afick.sourceforge.net
• Tripwire: http://www.tripwire.com
AlienVault
Source: https://www.alienvault.com
AlienVault's File Integrity Monitoring (FIM) alerts you to changes in critical system files, configuration files, and content files.
Integrity-Checker
Source: http://integrity-checker.com
Integrity-Checker verifies the integrity of files on your Windows server. It supports WSSX
integration so you can access all functionality directly from the server's dashboard on Server
2012 Essentials, Windows Home Server 2011, SBS 2011 Essentials, and Storage Server 2008 R2.
LogRhythm
Source: https://logrhythm.com
LogRhythm's File Integrity Monitoring protects your organization's critical files, wherever
they're stored. It sends alerts on malware-related registry changes, improper access of
confidential files, and theft of sensitive data.
McAfee Integrity Control
Source: http://www.mcafee.com
McAfee Integrity Control checks files and directories for changes to content and permissions. It
provides continuous file integrity monitoring, essential for verifying the security of an
environment and meeting compliance requirements.
Tripwire
Source: http://www.tripwire.com
Tripwire File Integrity Monitoring is available as a standalone solution or as part of Tripwire's
Security Configuration Management suite. With Tripwire, you have continual assurance of the
integrity of security configurations, complete visibility and control of all changes for your
continuous monitoring, change audit and compliance demands. Tripwire File Integrity
Monitoring (FIM) has the unique, built-in capability to reduce noise by providing multiple ways
of determining low-risk change from high-risk change as part of assessing, prioritizing and
reconciling detected change.
Trustwave
Source: https://www.trustwave.com
Trustwave File Integrity Monitoring monitors OS and registry file data on Windows-based POS
devices, laptops, desktops and servers.
• SPECTER: http://www.specter.com
• SEBEK: https://projects.honeynet.org
• KOJONEY: http://kojoney.sourceforge.net
• KFSENSOR: http://www.keyfocus.net
• HoneyC: https://projects.honeynet.org
• Honeyd: http://www.honeyd.org
honeytrap
Source: http://sourceforge.net
Honeytrap is a low-interaction honeypot daemon for observing attacks against network
services. It monitors the network stream for incoming sessions and starts appropriate listeners
just in time. Each listener can handle multiple connections and terminates itself after being idle
for a certain length of time.
SPECTER
Source: http://www.specter.com
SPECTER is a honeypot-based intrusion detection system that simulates a vulnerable computer,
providing an interesting target to lure hackers away from production machines.
KOJONEY
Source: http://kojoney.sourceforge.net
Kojoney is a low-level interaction honeypot that emulates an SSH server, and the daemon
written in Python using the Twisted Conch libraries.
HoneyBow
Source: https://www.honeynet.org
HoneyBow is a high-interaction malware collection toolkit with integration with nepenthes and
the mwcollect Alliance's GOTEK architecture.
Honeyd
Source: www.honeyd.org
This is a low-interaction honeypot used for capturing attacker activity. Honeyd is a small
daemon that creates virtual hosts on a network configured to run arbitrary services, and their
personality can be adapted so they appear to be running certain operating systems. Honeyd
enables a single host to claim multiple addresses. Honeyd improves cyber security by providing
mechanisms for threat detection and assessment. It also deters adversaries by hiding real
systems in the middle of virtual systems.
Source: https://www.snort.org
Snort is an open source network intrusion detection and prevention system developed by Martin Roesch. It is capable of performing live traffic analysis, packet sniffing, and packet logging on IP networks. It can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc. Snort supports various platforms such as Windows, Linux, Solaris, BSD, and Mac OS X.
The NIDS functionality of Snort is based on libpcap. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a live alerting capability as well, incorporating alerting mechanisms for syslog, a user-specified file, a UNIX socket, or WinPopup messages to Windows clients.
Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging, etc.), or a full-blown network intrusion prevention system.
Features
• Live alert mechanism using syslog, pop-up messages in Windows, Server Message Block (SMB), etc. during run-time.
• Provides payload verification in the application layer and the ability to instruct the layer to collect the suspected traffic.
Snort: Installation
Snort is a "lightweight" NIDS, non-intrusive, easily configured, utilizes familiar methods for rule
development and takes only a few minutes to install.
SNORTSNARF is a script for alerts from the Snort IDS which is run at regular intervals to
generate a convenient HTML output of all the alerts. SNORTSNARF comes with a load of options
that performs automatic review.
Planning a Deployment
In order to install Snort IDS, it is important to determine the position of the IDS in the network.
• Initially, plan the deployment by identifying the type of sensors which will be used either
passive, inline or both.
• Choose which assets will be secured and maintain transparency between the sensors and
other network devices.
• Check the policies and access control for the communication of Snort in the network.
Software Requirements
• Download Snort IDS
• Supporting software for Snort includes: Database: MySQL; Web server: Apache and PHP
• Snort prerequisites:
  • PCRE
  • Libnet-1.0.2.a
Source: http://www.snort.org
• INTOUCH INSA-Network Security Agent: http://www.ttinet.com
• AIDE (Advanced Intrusion Detection Environment): http://aide.sourceforge.net
• Improper IDPS configuration and management will make an IDPS not function properly
• An IDS works from inside the network, unlike a firewall, which looks outside for intrusions
• IDPS network sensors are hardware/software appliances that are used to monitor network traffic and will trigger alarms if any abnormal activity is detected
• A staged deployment helps gain experience and learn how much monitoring and maintenance is required for network resources
• Minimizing false positives depends upon the level of tuning and the type of traffic on a network
In this module, you have learned the importance of implementing and deploying an IDPS
solution in the network. The module also explained important concepts about an IDPS, including
types of IDPS, how they work, their components, deployment strategies, etc. With this module, you
will be able to determine an appropriate IDPS solution, implement the right IDPS deployment
strategy, configure it properly, reduce the false positive and false negative rates of an IDPS, etc.
Certified Network Defender Exam 312-38
Secure VPN Configuration and Management
Understanding a Virtual Private Network (VPN)
A VPN uses the Internet and ensures secure communication to distant offices or users within their enterprise's network.
[Figure: VPN connectivity. Labels: VPN concentrator, Router with VPN module, 3G/CDMA/HSDPA mobile broadband, Broadband modem, Telecommuter, Traveling personnel, Laptop with VPN client]
Most organizations have offices located at different locations around the world, so there
is a need to establish remote connections between these offices. Previously,
remote access was established through leased lines and dial-up telephone links
such as ISDN, DSL, cable modem, satellite, and mobile broadband. However, establishing
remote connections with these leased lines is quite expensive, and the cost rises as the
distance between the offices increases.
To overcome the drawbacks of traditional remote access technologies, organizations are
adopting Virtual Private Networks (VPNs) to provide remote access to their employees and
distant offices.
A virtual private network (VPN) offers an attractive solution for network administrators to
connect their organization's networks securely over the Internet. A VPN is used to connect distant
offices or individual users to their organization's network over a secure channel.
A VPN uses a tunneling process to transport the encrypted data over the Internet. IPsec is the
common protocol used in VPNs at the IP level. A VPN ensures data integrity by using a
message digest, which verifies that the transmitted data has not been tampered with. A VPN guarantees
quality of service (QoS) through service level agreements (SLAs) with the service provider.
• VPNs allow cheap long-distance connections over the Internet, since both endpoints only
require a local Internet link, and the Internet serves as a free long-distance carrier.
• VPNs use encryption to provide a secured connection to a remote network over the
Internet and protect your communication.
• They provide virtual access to the physical network as if you were physically located in
the office.
• Advantages of VPNs:
• A VPN allows you to access both web applications and websites in complete anonymity.
• Disadvantages of VPNs:
• Designing and implementing a VPN is complex and requires experts to configure it.
• VPN Architecture:
A certain set of protocols and standards needs to be followed while establishing a VPN
architecture. Network administrators should decide the scope, implementation and
deployment of the VPN, along with continuous network monitoring, in order to ensure the
security of the VPN. They should be continuously aware of the overall architecture and
scope of the VPN.
For deploying virtual private networks, there are two primary options: IPsec and SSL.
Each protocol has its own unique advantages and is utilized depending on the requirements
of the user or the organization's IT processes.
• IPsec VPN: Established using VPN client software which is pre-installed; it mainly focuses on
company-managed desktops.
• Advantages:
o IPsec VPNs can support all IP-based applications.
o They offer tremendous versatility and customizability through modification of the
VPN client software.
o Organizations can control the VPN client functions by using the APIs in IPsec client
software.
The three basic applications of IPsec VPNs (associated with business
requirements) are:
• Intranet VPNs: These connect branch offices to the corporate headquarters,
creating a transparent intranet.
• Extranet VPNs: These allow companies to connect with their business partners (for
example, suppliers, customers, and joint ventures).
• SSL VPN (web-based):
SSL-based VPNs provide remote-access connectivity using a Web browser and its native
SSL encryption, irrespective of the location. SSL doesn't require any special client software
to be pre-installed and is capable of any type of connectivity, ranging
from company-managed desktops to non-company-managed desktops such as
employee-owned PCs and contractor or business partner desktops. It helps in reducing
desktop software maintenance, as it downloads the software dynamically whenever there
is a need.
• Advantages:
o It will work wherever someone can gain access to HTTPS websites, such as Internet
banking, secure webmail or intranet sites.
A VPN enables a secured connection over the Internet from a public network to a private
network placed at a far-off site. All the network traffic in a VPN is encrypted and passes through
a virtual secure tunnel placed between the client and the VPN server.
All the packets passing through a VPN are encrypted or decrypted according to whether they are
inbound or outbound traffic. The packets are encrypted at the client side and decrypted at the
VPN server. For example, when a client with a VPN connection enabled browses Youtube.com,
this outbound traffic is encrypted at the client side. The encrypted data is then sent to the nearest
VPN server, which passes it to the gateway server. Here, the data is decrypted and sent to the
server hosting Youtube.com. When Youtube.com sends a reply, the VPN server
performs the reverse process on the outbound traffic.
A VPN keeps a close watch on any unsecured networks. It assigns a new IP address to the
encrypted packet, concealing the real IP address and preventing attackers from finding the real
IP address of the packets sent.
The easy accessibility of sensitive data over the Internet poses a serious security threat to
organizations. Attackers easily exploit and gain access to sensitive information if it traverses
an unsecured public network such as the Internet. A VPN ensures reliable communication
through an encrypted tunnel, preventing attackers from gaining access to organization
information. A well designed and implemented VPN can provide the following benefits:
• Improve productivity
A VPN allows users to access servers across the world, making it easy for them to access all
types of content. Users do not have to face restrictions like geo-blocking while browsing. A VPN
allows the user to stay anonymous without sharing their device information in the network. By
hiding this data, a VPN restricts websites from spying on or monitoring the user. To avoid excessive
monitoring from third-party websites or attackers, users should install a VPN for safe browsing.
VPN components
• VPN client: A computer that initiates a secure remote connection to a VPN server.
• Network access server (NAS): It is also called a media gateway or a remote-access server
(RAS). It is responsible for setting up and maintaining each tunnel in a remote-access VPN.
Users need to connect to the NAS to use a VPN.
• Tunnel terminating device (or VPN server): A computer that accepts VPN connections
from VPN clients.
• VPN protocol: This includes VPN-specific protocols used to manage tunnels and encapsulate
private data, such as the PPTP and L2TP protocols along with IPsec.
The following diagram shows the use of various VPN components in a remote access VPN:
[Figure: remote-access VPN. Labels: VPN client, ISP, PSTN, Internet, Remote Network]
• The remote user initiates a PPP connection to an ISP's NAS through the PSTN.
• After the user is authenticated, the packets sent by the user are forwarded into the tunnel
connecting the NAS and the VPN server.
• The VPN server accepts the packet from the tunnel, de-encapsulates it and sends it to the
final destination.
A VPN concentrator acts as a VPN router and is generally used to create a remote-access or site-to-site VPN.
It uses tunneling protocols to negotiate security parameters, create and manage tunnels, encapsulate,
transmit or receive packets through the tunnel, and de-encapsulate them.
[Figure: VPN concentrator deployment. VPN access via modem and via cable over the Internet to the private segment (trusted): File Server, Mail Server, Intranet Server, Authentication Server]
VPN concentrators normally enhance the security of the connections made through a VPN.
These are generally used when a single device needs to handle a large number of VPN tunnels.
They are best used for building a remote-access VPN or a site-to-site VPN.
VPN concentrators implement the security of the tunnels using tunneling protocols. These
protocols manage the following:
• Receive plain packets at one end, encapsulate them at the other end and forward the packet
to the final destination.
• Receive encapsulated packets at one end, de-encapsulate them at the other end and forward
the packet to the final destination.
In the figure, the VPN concentrator is placed in parallel with the firewall, supporting remote
users who have either a slow or a fast Internet connection. If the VPN is placed behind the firewall,
the implementation requires additional configuration changes and is vendor dependent.
VPN concentrators provide a high level of security for SSL and IPsec VPN architectures. A normal
VPN tunnel requires IPsec to be implemented at the network layer of the OSI model. A major
benefit of using a VPN concentrator is that the client, although located outside the
network, can access the network as if it were directly connected.
A VPN concentrator adds more security controls to the router, improving the security of the
communication. The functions of a VPN concentrator are as follows:
• Data encryption and encapsulation: The VPN concentrator encrypts the data and
encapsulates it into an IPsec packet. Being bi-directional, it initially encapsulates the plain
packets it receives and later de-encapsulates them at the end of the tunnel before sending them
to the destination.
• Managing tunnels: By adding advanced data and network security features, a VPN
concentrator has the ability to create and manage large VPN tunnels. These tunnels
ensure data integrity among the systems.
• Traffic handler: A VPN concentrator routes tunneled and non-tunneled traffic
depending on the server configuration. It simultaneously handles traffic to the corporate
network as well as to Internet resources.
Client-to-Site (Remote-access) VPNs
Each host contains VPN client software or uses a web-based client
[Figure: remote-access VPN connectivity. Labels: Router with VPN module, Internet, Telecommuter, Traveling personnel. Slide caption fragment: "... that are forwarded over the Internet to the VPN gateway at the ..."]
Remote-access VPNs are used mainly to connect individual hosts to a private network. This
allows the users to access the information provided in the private network. An older name for a
remote-access VPN is virtual private dial-up network (VPDN), in which a dial-up configuration is
required for the connection to a server.
Every host using remote access needs to have the VPN client software installed, which wraps and
encrypts the data before the host sends any traffic over the Internet to a VPN gateway. After
reaching the gateway, the data is unwrapped, decrypted and passed on to the final
destination in the private network. The gateway performs the reverse process in order to send
the data packets back to the user. The remote-access VPN consists of two types of
components:
• Network access server (NAS) or remote-access server (RAS): A NAS is required while users
are accessing a VPN. A separate authentication process is involved while authenticating
users accessing a VPN.
• Client software: Users accessing a VPN from their own network need to install software
that helps create and manage the VPN connection.
VPN client software and a VPN gateway are required for the hosts supporting a remote-access
VPN. Most VPN gateways support only IPsec while maintaining VPN services.
Advantages
• Minimizes the connection cost for the users.
• Encapsulation and encryption of data packets provide an added security layer. This hides
the IP address of the packets and prevents attackers from accessing the packets.
• Handles a large number of users. The VPN provides the same service even if more users are
added to the VPN network.
Disadvantages
• Computers without any anti-virus installed pose a threat to the VPN connection.
• Implementing many VPN connections simultaneously may affect the bandwidth of the
network.
• Accessing files and applications over the Internet is time consuming.
• Extranet-based: VPN connectivity is between different organizations such as business partners, or a business and its clients
• It connects a branch or remote office network to the company's headquarters network
• Also known as LAN-to-LAN or L2L VPNs
[Figure: site-to-site VPN connecting the Main Office and Branch Offices over the Internet]
The site-to-site VPN helps connect all the networks together. For example, the branch offices
of an organization can be connected to the main campus through a site-to-site VPN. The main
difference between a remote-access and a site-to-site VPN is that site-to-site VPNs do not require
any client software. The entire traffic is sent through a VPN gateway that
encapsulates and encrypts the data packets passing through it.
In a site-to-site VPN, the outbound traffic is passed through a tunnel to the VPN gateway. The
data packets in the outbound traffic are encapsulated and encrypted at the gateway and
passed into the tunnel over the Internet. The traffic is sent to the nearest gateway at the target
location. That gateway decrypts and de-encapsulates the data packets, which are then
forwarded to the final destination.
A site-to-site VPN consists of two types:
Intranet-based
Creates an intranet VPN in order to connect each individual LAN to a single WAN.
Extranet-based
An extranet VPN connects each single LAN of an organization. The extranet VPN configuration
prevents any access to an intranet VPN.
A dedicated hardware VPN appliance is used to connect routers and gateways to ensure communication over an insecure channel.
It is designed to serve as a VPN endpoint and can connect to multiple LANs.
Advantage: It is more secure, as the hardware device's main function is to manage VPN connections.
Disadvantage: It is more expensive and changes the network design.
[Figure: hardware VPN appliance between LAN 1 and LAN 2. Example product: SonicWALL PRO 5060, 4060, 3060, 2040, 1260 (SonicWALL, www.sonicwall.com)]
Hardware-based VPNs are separate devices that consist of individual processors and hardware
firewalls. They easily manage authentication and encryption of the data packets. The main
advantage of using a hardware-based VPN is that it provides more protection than the
software variant.
Advantage
• Provides load balancing, especially for large client loads.
Disadvantages
• It is more expensive than a software VPN.
• More useful for large business organizations than for smaller ones.
• Less scalability.
Software VPNs
[Figure: software VPN. Example products: Symantec Enterprise Firewall, Norton Personal Firewall for Macintosh (Symantec Corporation, www.symantec.com)]
Software-based VPNs are best suited for network traffic management and for cases where the same party
does not manage both VPN end points. Traffic management is performed using a tunneling
process that depends on the protocol and address of the traffic. Hardware encryption accelerators
are used in order to improve the performance of the network.
Advantages
• Minimizes the cost of an additional hardware purchase.
• It is easy to deploy and does not change the target network.
• More scalability.
Disadvantages
• Increased processing load for devices implementing the VPN.
• Security is an issue, and they are prone to more attacks as they need to share the server with
other servers and operating systems.
The selection of an appropriate VPN depends on many factors such as cost, protocols, technical
issues, etc. The following are a few factors to consider while selecting a VPN:
• Compatibility: The organization should consider the compatibility of the selected VPN
with the organization's network and determine whether it is possible to adopt the
selected VPN. Selecting and implementing a VPN which is not compatible will add
extra expense to the company's expenditure and cause security issues.
• Security: Security is an important factor while selecting a VPN. Two major criteria in
selecting a VPN are:
• Encryption: Organizations should be highly alert regarding the encryption process of
the selected VPN. Some VPNs do not provide direct encryption, allowing attackers to
get information from the network.
• Capacity: Organizations need to foresee the number of users joining the organization in
the future and then select the VPN accordingly.
• Need: The need for a VPN depends on the requirements of an organization: whether
remote employees need access to the network, or whether there are encrypted traffic rules. Each
organization is different, and it is these differences which will decide the appropriate VPN
choice.
• Number of servers present and their location: The VPN is selected according to the
location of the vendor's servers and the activities performed.
• Does the vendor limit connections, use bandwidth throttling or restrict service? VPNs
that control bandwidth, reduce Internet speeds or limit them in any way are not used
in an organization. Also, care should be taken while dealing with the protocols and
services running in the network. The organization needs to decide whether the
existing services and protocols running are actually needed by the organization or not.
[Figure: encapsulating data to conceal source and destination information. A packet from the internal LAN is encrypted and encapsulated by the VPN router (192.168.50.1); the encapsulated packet carries the router's IP address, 192.168.50.1, as its source IP]
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
The VPN tunnel acts as a path between the source and the destination. To send the
encapsulated data securely, it is necessary to establish the tunnel. All the data packets
travelling through the tunnel are encapsulated at the source point and de-encapsulated at the
destination point. To send the data to the destination point, a tunnel data protocol is used.
The information in the data packet is called the payload. The tunnel data protocol encapsulates
the payload within a header containing the routing information. Once the server receives the
payload, it discards the header, de-encapsulates the payload and sends it to the destination.
All data packets transmitted through a VPN network are encapsulated using a VPN base or
carrier protocol. The encapsulated data packet is then sent through the tunnel and is later
de-encapsulated at the receiver's end.
For example, a TCP/IP packet encapsulated in an ATM frame is hidden within
the ATM frame. Upon receiving the ATM frame, the receiver de-encapsulates it in
order to remove the TCP/IP packet from within.
The main goal is to provide an extra layer of security to each packet travelling across the
Internet. These protocols define the way packets are sent and received by the ISP.
• Compulsory Tunneling: In compulsory tunneling, the client machine is not the tunnel
end-point. A remote access server configures and creates the tunnel. The dial-up access
server acts as the tunnel end-point.
• Point-to-Point Tunneling Protocol (PPTP): This protocol lets multiprotocol traffic be encrypted
and encapsulated in an IP header that is routed across the Internet. It is used in both remote-access
and site-to-site VPN connections. PPTP manages the tunnel using a TCP connection and
encapsulates PPP frames in IP datagrams.
• Layer 2 Tunneling Protocol (L2TP): Permits multiprotocol traffic to be encrypted and sent across
any medium supporting point-to-point delivery. L2TP is installed using the TCP/IP
protocol. L2TP encapsulation consists of two layers:
• L2TP encapsulation: The PPP frame is encapsulated with an L2TP header and a UDP
header.
• IPsec encapsulation: The L2TP message from the first layer is encapsulated with an IPsec
Encapsulating Security Payload (ESP) header, an IPsec authentication trailer and a final IP
header.
• Secure Shell (SSH): A connection-oriented service that uses public key cryptography in
order to authenticate a remote user. It includes two types of features:
• Port forwarding
• Secure tunneling
• Socket Secure (SOCKS): Enables clients to communicate with Internet servers through
firewalls. SOCKS is employed on proxy servers.
[Figure: VPN encryption with certificates. The Main Office, Branch Office and Home Office connect over the Internet; certificates issued by a Certificate Authority (CA) are managed by a certificate server]
A VPN uses encryption to provide an additional layer of security to data transmitted over the
VPN. Encryption plays an important role when an organization's sensitive data is carried over the
Internet. All data that enters the VPN tunnel is encrypted and is decrypted as soon as it
reaches the end of the tunnel. An encryption key is used in the process, supporting both
encryption and decryption. Encryption prevents monitoring, logging or tampering with the data in
an organization.
Encryption helps secure the data passing through the network. The sender encrypts the data
passing through the network and the receiver decrypts the data. It requires no encryption on
the communication link between a dial-up client and the Internet service provider, as the
process of encryption takes place between the VPN client and the VPN server.
In VPN encryption, both the sender and the receiver need to have a common encryption key
that is sent along with the data. If a packet travelling through the VPN connection does not
have the keys associated with it, then it is of no use to the computer. There are many mechanisms
to determine the length of the encryption key. Encrypting messages using the same key
enables easy interpretation of the encrypted data. The administrator can always select the
encryption keys used for a connection.
In end-to-end encryption, the encryption occurs between the client application and the server.
IPsec is used with an end-to-end connection once a remote access connection is made. IPsec
works as follows:
• Encryption of an encapsulated packet using an encryption key. The key is known only to
the sender and the receiver.
• An encapsulation header, a sub-protocol, conceals the sensitive information of the
packets, including the sender's identity.
• OpenVPN: It is an open source VPN and works with the SSL protocol.
[Figure: VPN authentication between Network 1 and Network 2 over the Internet. 1. Packet (unencrypted); 2. Packet (encrypted and encapsulated); 3. Authorization requested. Successful: authorization successful. Not successful: packet is refused and an error message is returned to the sender]
• User authentication: The VPN deploys the mutual authentication concept. The VPN
server authenticates the VPN client to check whether the client has permission to
connect. Also, the VPN client can authenticate the VPN server for proper permissions.
• Data authentication and integrity: All L2TP/IPsec packets sent include a
cryptographic checksum based on the encryption key. Only the sender and the receiver
know this checksum. This ensures the data sent is not manipulated during transit.
• Internet Protocol Security (IPsec): All application traffic is secured at the IP
network layer. IPsec conducts session authentication and data packet authentication for
any two securely connected entities. IPsec ensures a secured connection between two
networks, or from remote networks to a main network.
• Layer 2 Tunneling Protocol (L2TP): This protocol initiates a connection between two
L2TP endpoints. L2TP is always combined with the IPsec protocol in order to ensure
security.
• Kerberos
Kerberos maintains a record of clients and their private keys. Only the client and Kerberos
know the details of the private key. Kerberos generates session keys that encrypt
messages between two clients.
• PAP
• MS-CHAP
The Microsoft Challenge Handshake Authentication Protocol uses a remote access server
to send a session identifier and a challenge string to the remote access client. The client in
turn sends an encrypted form of the identifier and challenge string to the server. This
encrypted form is irreversible.
• EAP
With EAP, the data for authentication is compared against an authentication database
server. The EAP authentication protocol allows new plug-ins to be added at the client and
server.
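The two-layer L2TP/IPsec encapsulation described under the tunneling protocols above (PPP frame inside an L2TP header and UDP header, then inside an ESP header with an authentication trailer and outer IP header), together with the per-packet integrity check from the data authentication bullet, as an added example that is not part of the original courseware. The keys, tunnel and session IDs, addresses and the keystream cipher are constructed stand-ins for this example (the cipher is not a real IPsec transform); the gateway side verifies the ICV before decrypting and refuses a tampered packet, as the authentication figure describes.

```python
"""Added example (not EC-Council code): L2TP/IPsec encapsulation with the
per-packet integrity check. Innermost first: PPP -> L2TP data header -> UDP
(port 1701) -> ESP (SPI, sequence, padded payload, ICV) -> outer IPv4 header."""
import hashlib
import hmac
import struct

L2TP_UDP_PORT = 1701   # UDP port registered for L2TP (RFC 2661)
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 16           # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits
PPP_PROTO_IPV4 = 0x0021

def ppp_frame(protocol, payload):
    """PPP frame as carried by L2TP: 2-byte protocol field, then the payload."""
    return struct.pack("!H", protocol) + payload

def l2tp_data_message(tunnel_id, session_id, ppp):
    """L2TP v2 data header: T=0 (data), L=1 (length present), Ver=2, then IDs."""
    return struct.pack("!HHHH", 0x4002, 8 + len(ppp), tunnel_id, session_id) + ppp

def udp_datagram(src_port, dst_port, data):
    """UDP header with zero checksum (allowed over IPv4; the ESP ICV covers it)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(data), 0) + data

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte outer IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, src, dst)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def keystream_xor(key, spi, seq, data):
    """Stand-in cipher (constructed for this example, not an IPsec transform):
    HMAC-derived keystream XORed over the data; applying it twice decrypts."""
    stream = b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def esp_encapsulate(enc_key, auth_key, spi, seq, inner, next_header):
    """ESP header + encrypted (payload, padding, pad length, next header) + ICV.
    The ICV is the cryptographic checksum the receiver verifies before anything else."""
    pad_len = (-(len(inner) + 2)) % 4              # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = keystream_xor(enc_key, spi, seq, inner + trailer)
    icv = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv

def esp_decapsulate(enc_key, auth_key, esp):
    """Receiver side: verify the ICV first and refuse the packet on mismatch;
    only then decrypt and strip the trailer. Returns (next_header, inner)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("packet refused: truncated ESP")
    header, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("packet refused: integrity check failed")
    spi, seq = struct.unpack("!II", header)
    plain = keystream_xor(enc_key, spi, seq, body)
    pad_len, next_header = plain[-2], plain[-1]
    return next_header, plain[:len(plain) - 2 - pad_len]

def encapsulate(enc_key, auth_key, spi, seq, tunnel_id, session_id, src, dst, payload):
    """Client side: wrap an IP payload in every layer and return the outer packet."""
    l2tp = l2tp_data_message(tunnel_id, session_id, ppp_frame(PPP_PROTO_IPV4, payload))
    udp = udp_datagram(L2TP_UDP_PORT, L2TP_UDP_PORT, l2tp)
    esp = esp_encapsulate(enc_key, auth_key, spi, seq, udp, IPPROTO_UDP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def decapsulate(enc_key, auth_key, packet):
    """Gateway side: peel every layer; returns (tunnel_id, session_id, payload)."""
    if packet[9] != IPPROTO_ESP:
        raise ValueError("packet refused: outer protocol is not ESP")
    next_header, udp = esp_decapsulate(enc_key, auth_key, packet[20:])
    if next_header != IPPROTO_UDP or struct.unpack("!H", udp[2:4])[0] != L2TP_UDP_PORT:
        raise ValueError("packet refused: inner datagram is not L2TP")
    flags_ver, length, tunnel_id, session_id = struct.unpack("!HHHH", udp[8:16])
    if (flags_ver & 0x800F) != 0x0002:             # T bit clear and Ver == 2
        raise ValueError("packet refused: not an L2TP v2 data message")
    return tunnel_id, session_id, udp[18:8 + length]   # skip the PPP protocol field

if __name__ == "__main__":
    ENC, AUTH = b"constructed-enc-key", b"constructed-auth-key"   # sample keys
    pkt = encapsulate(ENC, AUTH, 0x1000, 1, 7, 3, bytes([10, 0, 0, 2]),
                      bytes([203, 0, 113, 1]), b"private data")
    print(decapsulate(ENC, AUTH, pkt))                # (7, 3, b'private data')
    tampered = pkt[:40] + bytes([pkt[40] ^ 0x01]) + pkt[41:]   # flip one ciphertext bit
    try:
        decapsulate(ENC, AUTH, tampered)
    except ValueError as err:
        print(err)                                    # packet refused: integrity check failed
```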
Trusted VPN
• Were used before the Internet became universal
• Technologies such as ATM circuits, frame-relay circuits and Multiprotocol Label Switching (MPLS) are used to implement trusted VPNs
Secure VPN
• Used when the Internet became a corporate communications medium
• They protect the confidentiality and integrity of the data, but do not ensure the transmission path
[Figure: trusted VPN and secure VPN between two networks]
VPN technology enables organizations to provide mobile and remote users with network access
and also to connect separate branches of the same organization into a single network.
Common technologies used to deploy VPNs for secure data transmission are:
Trusted VPN
Even before the popularity of the Internet, service providers provided customers with specific
circuits that could not be used by anyone else. This gave customers privacy and the ability to
have their own IP addresses and policies. In order to provide security measures and avoid
sniffing of the data, VPN providers are entrusted to maintain circuit integrity. This type of VPN
is called a trusted VPN. The technologies used for implementing trusted VPNs over an Internet
Protocol network are: Asynchronous Transfer Mode (ATM) circuits, frame relay circuits and
MPLS.
ATM and frame relay operate at layer 2 of the OSI model, and MPLS operates in between the
data link layer and the network layer. The requirements for a trusted VPN are:
• Any changes in the path of a VPN can be made only by a trusted VPN.
• All routing and addressing methods need to be described before creating a trusted VPN.
• Only the VPN provider can inject, change, or delete data in the path of the VPN.
Secure VPN
The main goal behind implementing a secure VPN is to ensure complete security of the data in
transit. In a secure VPN, all the data packets sent through the tunnel undergo an encryption
process at one end of the tunnel and a decryption process at the other end of the tunnel. This
prevents any attempt by an attacker to obtain data in transit. The main requirements for
secure VPNs are:
• All the data packets in the traffic are encrypted and authenticated prior to being sent to the
client.
• The client and server need to be in mutual agreement before initiating the
connection between each other.
Hybrid VPN
Hybrid VPNs are those in which trusted VPNs form part of the secure VPNs. They implement different
network components of an organization at the same time in order to ensure security at very
low cost. A network administrator takes extra time to differentiate the data transfer
among the secure VPNs that are part of the trusted VPNs. The main requirement for hybrid
VPNs is:
• There should be a clear differentiation between the trusted VPN and the secure VPN.
[Figure: hybrid VPN: secure VPN segments at either end of a trusted VPN connecting networks]
A VPN topology specifies how the peers and networks within a VPN are connected.
A VPN topology mainly deals with the specification of how nodes in a network are connected
and how they communicate with the other nodes. A VPN enables companies in different
networks to communicate with each other and allows data sharing. VPN topologies enable the
organization to design the way it communicates with other networks. The different VPN
topologies are:
• Hub-and-Spoke
• Point-to-Point
• Full Mesh
• Star
It is important to note that the selection of a topology depends on the requirements of the
organization. For example, a Star topology is best suited in environments where the company
needs to share information with another company located in a different network. A Mesh
topology is best suited for an intranet.
A persistent connection is established between an organization's main office and its branch offices using a third-party network or the Internet.
This topology is commonly used in organizations with strict hierarchical structures (banks, governments, retail stores, international organizations, etc.).
[Figure: hub-and-spoke topology. Labels: Main Office (HUB), optional secondary HUBs for resilience, Branch Office (Spoke), Secure Tunnel]
In the hub-and-spoke topology, the main organization is considered the hub and its remote
offices are considered the spokes. The spokes access the VPN through the hub. This topology is
mainly used in banking and international organizations. The hub controls two types of
communication:
Advantages
• Less expensive, and easy to repair when one of the spokes doesn't work.
• Bonded circuits between the hub and the spoke increase the flexibility of the network.
• Offers better security, as each device in the network is separated from the others through
a single connection to the hub.
Disadvantages
• Any issue in the hub can affect the connection between the hub and spoke and the
connections between the different spokes.
The figure explains the process of the hub-and-spoke topology. In the figure, each spoke
at the branch offices makes a secured connection with the hub at the main office. These
secured connections are made across the Internet. The main office can have more than one
hub at a time, but only one hub is used to connect to each spoke. The other hubs are kept as
backup hubs for flexibility.
This topology works well if the traffic is between the hub and the spokes rather than between the
spokes or the remote sites. This is because traffic between two spokes needs to go through the
hub first and is then forwarded to the respective spoke. This increases the chance of a bottleneck
at the hub as spoke-to-spoke connections increase. All IPsec technologies can be used in this
topology.
If the hub faces any issue in the connection, IPsec failover transfers the connection to a backup
hub used by all spokes. It is possible to configure multiple hubs as main hubs.
• Unlike the Hub-and-Spoke topology, offices at different locations can directly communicate with each other without any IPsec failover
• This topology treats two end points as two peer devices participating in communication
• Only regular IPsec or IPsec/GRE is assigned for the tunnel, as any of the peer devices can initiate the communication
[Figure: Point-to-point VPN topology. Site 1 and Site 2 are connected by a single secure tunnel across the Internet.]
In a point-to-point topology, any two end points are considered as peer devices which can
communicate with each other. Either device can be used to initiate the connection. The IPsec
technology assigned can be either IPsec or IPsec/GRE.
This topology is commonly configured as a regular IPsec point-to-point VPN, also known as an
extranet. This is where a connection is established between a device in a regularly managed
network and an unmanaged device in the service provider's network.
• Uses a tunneling process in order to encapsulate data packets within normal IP packets for
forwarding over IP-based networks.
• This topology is suitable for complicated networks where all peers communicate with one another
• Device to device communication in a network takes place with a unique IPsec tunnel
• A peer to peer connection is established between each device, preventing a bottleneck at the VPN gateway and saving encryption/decryption overhead
[Figure: Full mesh VPN topology. Site 1, Site 2, Site 3 and Site 4 are each connected to every other site by a secure tunnel across the Internet.]
In a fully meshed VPN network, all peers can communicate with each other, making it a
complex network. This topology allows all the devices in a network to communicate directly
with each other through an IPsec channel. This reduces the chance of any holdup at the
gateway and reduces the overhead of encryption and decryption of the device. A fully meshed
VPN can implement normal IPsec, IPsec/GRE and GET VPN technologies.
Advantages
• Any failure on one of the devices does not affect the entire network.
• Very reliable.
Disadvantages
• Increases the number of devices connected to the network making it difficult to manage.
This is the most commonly used topology in almost all organizations. Here, all the remote
offices communicate with the corporate office, while communication between the remote
offices is denied. Each device on the network is connected to a central hub that manages the
traffic through the network.
In the figure, all the branch offices can communicate with each other through the corporate
headquarters. But in this topology, no two branch offices can initiate a separate communication
as these are allowed only through the corporate network.
Advantages
• Most suitable for a financial infrastructure, as the compromise of one system does not
compromise another branch without detection.
• Any attack on a branch office has to pass through the main site, so any manipulation in
the network can be easily detected by the network administrator.
• Easy to add and remove branch offices without affecting the neighboring sites. However,
the main site must be updated regarding the addition or removal of sites.
Disadvantages
• Any failure in the central site affects the communication of all other sites.
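The four topologies above differ in how many tunnels they need, where spoke-to-spoke traffic is relayed, and which site is a single point of failure. The following is an added example, not code from the original courseware, that models these properties so the hub bottleneck and the failure behaviour described in the advantage and disadvantage lists can be checked on a constructed site list; the site names and flows are constructed, and the first site is assumed to be the hub/main office.

```python
from collections import Counter
from itertools import combinations

def tunnels(topology, sites):
    """Set of IPsec tunnels (unordered site pairs) a topology needs.
    sites[0] is treated as the hub / main office for hub-and-spoke and star."""
    hub, spokes = sites[0], sites[1:]
    if topology in ("hub-and-spoke", "star"):
        return {frozenset((hub, s)) for s in spokes}
    if topology == "full-mesh":
        return {frozenset(pair) for pair in combinations(sites, 2)}
    if topology == "point-to-point":
        if len(sites) != 2:
            raise ValueError("point-to-point links exactly two sites")
        return {frozenset(sites)}
    raise ValueError(f"unknown topology {topology!r}")

def route(topology, sites, src, dst):
    """Gateways a flow from src to dst passes through.
    Direct when a tunnel exists; hub-and-spoke relays spoke-to-spoke traffic via the
    hub; star denies spoke-to-spoke traffic outright."""
    if frozenset((src, dst)) in tunnels(topology, sites):
        return [src, dst]
    if topology == "hub-and-spoke":
        return [src, sites[0], dst]
    raise PermissionError(f"{topology}: {src} may not reach {dst}")

def gateway_load(topology, sites, flows):
    """Number of flows each gateway must encrypt/decrypt; the hub's figure is where
    the spoke-to-spoke bottleneck described in the text shows up."""
    load = Counter()
    for src, dst in flows:
        for hop in route(topology, sites, src, dst):
            load[hop] += 1
    return load

def isolated_after_failure(topology, sites, failed):
    """Sites left with no working tunnel when `failed` goes down."""
    live = [t for t in tunnels(topology, sites) if failed not in t]
    connected = set().union(*live)
    return sorted(s for s in sites if s != failed and s not in connected)

# Constructed example: one main office and three branches
SITES = ["main", "b1", "b2", "b3"]
SPOKE_FLOWS = [("b1", "b2"), ("b2", "b3"), ("b1", "b3")]
```

With three spoke-to-spoke flows, gateway_load shows the hub handling every one of them in hub-and-spoke and none in full mesh, while isolated_after_failure shows all branches cut off when the hub fails in hub-and-spoke and none in full mesh, which is the trade-off the two disadvantage lists describe.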
VPN Concerns:
VPN Fingerprinting
• An attacker can use UDP backoff fingerprinting or Vendor ID fingerprinting for VPN server fingerprinting
• A VPN server may expose sensitive information such as type of device, software version details, etc. during VPN fingerprinting
• Ike-scan is used to fingerprint the VPN server vendor and the version number of the IPsec VPNs
• Ike-scan uses its own retransmission strategy to deal with lost packets in
A VPN transmits data using various protocols such as TCP, IP, UDP, IPsec, etc. Among these,
UDP is not a reliable transport layer protocol and completely depends on the application to
provide reliability. The main technique used over UDP for reliability is retransmission with
backoff, which allows the application to replace any lost packets.
Because of certain vulnerabilities in transmission protocols, several VPN servers are prone to
fingerprinting. For example, UDP needs backoff, and from the backoff pattern the attacker can
fingerprint the VPN or its Vendor ID.
The VPN fingerprinting technique allows the attacker to access useful information such as the
type of connections implemented, devices used and operating systems deployed. Some
systems, such as Cisco PIX or Nortel Contivity, potentially reveal crucial data like the general
type of devices deployed for building the network, while other systems display the software
version details.
Attackers also use ike-scan, an IKE (Internet Key Exchange) scanner, to fingerprint the VPN
server vendor and the version number of IPsec VPNs. Ike-scan uses its own retransmission
strategy to deal with lost packets, and this helps attackers fingerprint the VPN server. Patterns
in the ike-scan output can be matched against known patterns to determine which IKE
implementation a specific host has deployed.
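From the defender's side, the footprint that IKE fingerprinting leaves is a single source sending ISAKMP (UDP/500) probes to many hosts in a short time. The following is an added example, not part of the original courseware, that parses constructed firewall log lines (the format, hosts and thresholds are all assumptions for the example) and flags sources that probe several distinct IKE responders within a time window, which is how such scanning can be surfaced in a SIEM rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from any real device or from the original page).
# One source, 203.0.113.5, sweeps six hosts on UDP/500; two ordinary clients connect normally.
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.10:500
2024-03-01T10:00:02 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.10:500
2024-03-01T10:00:03 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.11:500
2024-03-01T10:00:04 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.12:500
2024-03-01T10:00:05 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.13:500
2024-03-01T10:00:06 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.14:500
2024-03-01T10:00:07 fw1 ALLOW UDP 203.0.113.5:500 -> 198.51.100.15:500
2024-03-01T10:00:09 fw1 ALLOW UDP 192.0.2.44:500 -> 198.51.100.10:500
2024-03-01T10:00:10 fw1 ALLOW UDP 192.0.2.44:4500 -> 198.51.100.10:4500
2024-03-01T10:05:00 fw1 ALLOW UDP 192.0.2.77:500 -> 198.51.100.10:500
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ UDP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_ike_events(log_text):
    """Return (timestamp, src, dst) for every packet addressed to UDP/500 (ISAKMP)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dport") == "500":
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("src"), m.group("dst")))
    return events

def find_ike_scanners(log_text, window_seconds=60, min_targets=5):
    """Flag sources that probe at least `min_targets` distinct IKE responders within
    `window_seconds`; returns {source: number of distinct targets in the first such
    window}. The thresholds are assumed values and should be tuned per environment."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_ike_events(log_text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:]
                       if (ts - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged
```

A legitimate remote-access client only ever talks to its own gateway, so the distinct-target count separates scanning from normal use far better than a raw packet count, and the repeated probes to one host (the retransmission pattern ike-scan relies on) do not by themselves raise an alert.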
• Stores the Username Unencrypted in a File or the Registry
• Stores the Plain-Text Password in Memory
There are certain security issues if the credentials are not stored and protected appropriately.
These security issues are due to an insecure method of storing the authentication credentials
by VPN clients. Common VPN issues with authentication and credentials:
• Storing the username unencrypted in a file or the registry: Attackers can easily perform an
offline attack on the authentication process, if the credentials are stored in an encrypted
format. This is possible if and only if the VPN is using the IKE aggressive mode.
• Storing the password in a scrambled form: If an attacker succeeds in gaining access to the
client computer, they can easily obtain the password. Even though the password is in a
scrambled form, no key is required to unscramble it. This allows the attacker to
implement a decryption algorithm to crack the VPN encryption.
• Storing the plain-text password in memory: Passwords stored in plain-text are always susceptible
to attack. Any user with access to the client machine can start the VPN client and dump the
process memory using a tool known as pmdump. This tool will get access to the
credentials.
• Weak registry or file permissions for stored credentials: Passwords are easy to get if they
are not stored in a secure location with strict permissions assigned.
Many remote-access VPNs use the IKE aggressive mode with a pre-shared key authentication
method. The client sends an IKE packet to the VPN server, which responds using another IKE
packet. These packets contain several payloads, including the identity payload sent by the client
and the hash payload sent by the server. The identity payload contains the username and the hash
payload contains the password. Certain flaws identified in the flow of packets are as follows:
In all the above instances, the attacker confirms the difference between a valid and an invalid
username from their computational differences. An attacker who guesses the correct password
using the IKE aggressive mode can easily uncover the hash from the VPN server. This hash can
be used with a brute-force attack in order to gain the password.
Identifying all the possible types of attacks which can occur on the login page, account
registration and password changes will help prevent username enumeration vulnerabilities.
• An attacker can perform an offline dictionary attack to crack the password of a VPN client
• Offline password cracking activities are neither logged in the VPN server log nor trigger an account lockout
Offline password cracking is one of the most common flaws of a VPN. An attacker can perform
an offline password crack by gaining access to the password hashes. Once the attacker gets the
user credentials, they can easily gain the hash access from the VPN server.
When the VPN server gives a response to the client, it consists of the contents like key
exchange, identity, header, and hash. The server responding with the hash query from the
client is called a hash responder. Since the responses are not in an encrypted form, an attacker
gets the access to the hash responder and uses a pre-shared key to perform the attack. The
attack is offline and as a result the VPN log server does not create any log entry. The attack
goes unnoticed by the administrator.
Simple passwords made of common words have increased the frequency of passwords being
cracked. To prevent password cracking in the network, implement hash functions like MD5 and
SHA.
• This attack is possible when the VPN system uses an insecure authentication protocol like IKE
• A malicious attacker intercepts communication between the client and the VPN server, obtaining the client authentication to the server and using the credentials to authenticate to the VPN server
Attackers may use insecure authentication protocols such as IKE to perform Man-in-the-Middle
attacks on a VPN. An attacker intercepts the communication in between the client and the
server and obtains the client authentication to the server. The attacker then utilizes these
authentication credentials to login and access the VPN server, allowing for complete control
over the VPN Server.
Man-in-the-Middle attacks occur during data transfer through the VPN and allows an attacker
to intercept, insert, delete, and modify messages, reflect messages back to the sender, replay
old messages and redirect messages.
The main aim of the account lockout feature is to restrict the number of login attempts to a
certain limit; if anyone keeps trying to log in beyond the limit, the account automatically gets
locked out. This feature protects against password cracking attacks such as brute force and
dictionary attacks. However, a few VPNs do not provide an account lockout feature, and this
allows login attempts to be repeated without limit. Attackers can take advantage of the lack of an
account lockout feature to gain account credentials, which reduces the security of the account
details.
• Even if the default security mode is certificate based and very strong, certain default configurations will allow an end user to switch to a less secure method
• All authentication and encryption modes should be made unavailable except only the strongest
Almost all organizations have an automated configuration set-up. However, if the organization
remains with the default configuration for the VPN, attackers may exploit these default
configurations to compromise the security of the VPN. The organization can opt for a better and
more secure configuration management solution.
There are certain default configurations that allow an end user to switch to a less secure
method like IKE, even in the presence of stronger certificates. It is mandatory to restrict all
weak authentication and encryption modes. Normally, the end user does not attempt to
change the default configurations of the system, thinking the vendors provided the correct and
secure configuration for the system. The default configurations support many ciphers and
modes, ESP and AH. These may include both strong and weak ciphers. An attacker with access
to the client machine can prompt the end user to use the weaker cipher, which will make things
easier for them. The end user may not notice that the cipher and configuration were changed
because the VPN still functions normally.
The selection of weak authentication mechanisms such as IKE aggressive mode with a pre-shared
key allows attackers to gain authentication credentials. It must be ensured that mechanisms
selected for protecting VPNs have a certificate-based authentication mechanism enabled.
Common default configuration flaws
• VPN vendors usually provide a default password, which users fail to change. The default
passwords are known, and this makes it easy for attackers to enter the network and get access
to the systems.
• Users may change the configuration setting of the VPN without prior knowledge of the
setting.
• A VPN implementation does not provide any important directions and/or documentation for which configuration is best to use
• Situations where this guidance is required: choosing an appropriate protocol for secure and encrypted communication to prevent MITM attacks
There are instances where the end user is not aware of the correct configuration for the VPN.
Improper guidance and documentation regarding the VPN implementation can lead customers
to make mistakes while using a VPN. Poor guidance can lead to security vulnerabilities in the
configuration and implementation of a VPN. An incorrect implementation provides a way for
attackers to gain access to the VPN. The following are situations where this guidance is
required:
• Using weak ciphers like export-grade or single DES, which can be cracked easily.
• Using weak key authentication such as a pre-shared key with IKE aggressive mode, which
sends the username in the clear and leaves the password open to offline cracking once a
valid username is identified.
• Choosing the AH protocol, which does not encrypt VPN traffic.
Users are not provided any warning message when the implementation is incorrect, making it
very difficult for the user to know the risks and dangers associated with an improper
configuration.
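The default-configuration discussion above and the guidance checklist just given name the same handful of weak settings: IKEv1 aggressive mode, pre-shared keys instead of certificates, export-grade or single DES ciphers, and AH-only proposals that authenticate but do not encrypt. The following added example (not code from the courseware or from any VPN vendor) audits a connection definition for those settings. It assumes strongSwan's ipsec.conf syntax as the input format; both configuration fragments are constructed for the example, one weak and one hardened, so the checker's output for each can be compared.

```python
import re

# Constructed ipsec.conf-style fragments in strongSwan syntax (assumed format for the
# example; these are not configurations taken from the original page).
WEAK_CONF = """\
conn branch-weak
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    ike=3des-md5-modp1024!
    ah=sha1!
    left=%defaultroute
    right=203.0.113.10
"""

HARDENED_CONF = """\
conn branch-hardened
    keyexchange=ikev2
    authby=pubkey
    ike=aes256gcm16-sha384-modp3072!
    esp=aes256gcm16-modp3072!
    leftcert=branchCert.pem
    rightid="C=XX, O=Example, CN=vpn.example.test"
    left=%defaultroute
    right=203.0.113.10
"""

# Algorithms and DH groups that should not appear in an IKE/ESP/AH proposal
WEAK_ALGOS = {"des", "3des", "md5", "modp768", "modp1024", "null", "blowfish", "rc4"}

def parse_conns(text):
    """Parse `conn <name>` sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_conn(settings):
    """Return a list of findings for one connection section (empty list = no issue)."""
    findings = []
    if settings.get("aggressive", "no").lower() == "yes":
        findings.append("IKEv1 aggressive mode: identity sent in clear, PSK hash exposed to offline cracking")
    if settings.get("authby", "").lower() in {"secret", "psk", "xauthpsk"}:
        findings.append("pre-shared key authentication instead of certificate-based authentication")
    if settings.get("keyexchange", "").lower() == "ikev1":
        findings.append("IKEv1 negotiated; prefer IKEv2")
    for key in ("ike", "esp", "ah"):
        for proposal in settings.get(key, "").rstrip("!").split(","):
            for algo in proposal.split("-"):
                if algo.lower() in WEAK_ALGOS:
                    findings.append(f"weak algorithm '{algo}' in {key} proposal")
    if "ah" in settings and "esp" not in settings:
        findings.append("AH-only proposal: traffic is authenticated but not encrypted")
    return findings

def audit(text):
    """Audit every connection in a configuration text: {conn name: [findings]}."""
    return {name: check_conn(s) for name, s in parse_conns(text).items()}
```

The hardened fragment shows the corrected settings side by side with the weak ones: IKEv2, certificate (pubkey) authentication with an explicit peer identity, AEAD ciphers with a 3072-bit group, and an ESP proposal so the tunnel actually encrypts.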
• Firewalls establish a protection barrier between the VPN and the Internet
• Before implementing a VPN, ensure that a good firewall is in place
• Firewalls should be configured to restrict open ports, the types of packets and protocols that traffic is allowed to pass through to the VPN
[Figure: A firewall placed between the IPsec tunnel/WAN and the corporate network (LAN PCs, wireless terminals and a branch server).]
A firewall can allow or deny the flow of data through the network. Firewalls generally help in
protecting the network from attackers. Firewalls can be used in two ways with a VPN:
• The VPN server is attached to the Internet and the firewall is located between the VPN
server and the intranet.
  • Here, packet filters are added in order to allow only VPN traffic to and from the IP
address of the VPN server.
• The firewall is attached to the Internet and the VPN server is located between the firewall and
the intranet.
  • Here, the firewall has input and output filters on the Internet interface in order to
control the traffic passing to the VPN server.
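For the first placement, "allow only VPN traffic to and from the IP address of the VPN server" means a filter that passes IKE (UDP/500), IKE NAT traversal (UDP/4500), ESP (IP protocol 50) and AH (IP protocol 51) for that one address and drops everything else. The following added example (not code from the courseware) models such a first-match packet filter and evaluates it against constructed packets; the server address, hosts and rule structure are assumptions for the example, and a real deployment would express the same policy in the firewall's own rule language.

```python
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "198.51.100.10"   # constructed address of the VPN server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "udp", "tcp", "icmp", "esp" (IP proto 50) or "ah" (IP proto 51)
    dport: int = 0       # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    host: Optional[str] = None         # packet must have this host as src or dst; None = any
    proto: Optional[str] = None        # None = any protocol
    dport: Optional[int] = None        # None = any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.host is None or self.host in (p.src, p.dst))
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))

# Packet filter for the first deployment described in the text: only IKE, IKE NAT-T,
# ESP and AH may pass to or from the VPN server; anything else aimed at the server
# (management ports, ICMP, arbitrary UDP) and all traffic for other hosts is dropped.
VPN_ONLY_FILTER = [
    Rule("allow", VPN_SERVER, "udp", 500),
    Rule("allow", VPN_SERVER, "udp", 4500),
    Rule("allow", VPN_SERVER, "esp"),
    Rule("allow", VPN_SERVER, "ah"),
    Rule("deny"),                      # default deny
]

def evaluate(rules, packet):
    """First matching rule wins; an empty rule set denies."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

def audit_filter(rules, packets):
    """Decision for each packet of a constructed traffic sample, for reviewing a policy."""
    return {p: evaluate(rules, p) for p in packets}
```

The default-deny rule at the end is what makes the policy a whitelist: adding an allow rule above it is the only way to open a new path, which keeps the filter reviewable.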
• The IPsec server enhances VPN security through the use of strong encryption algorithms and authentication
• The IPsec server contains two encryption modes:
  • Tunnel mode: the header and payload of each packet are encrypted
  • Transport mode: only the payload of each packet is encrypted
This is the default mode for an IPsec server. These are generally used for end-to-end
communication between a server and a client. In transport mode, IPsec encrypts the IP payload
through an Authentication header (AH) or Encapsulating Security Payload (ESP) header. The IP
payloads can be TCP segments (containing TCP header and TCP segment data), UDP message
(containing a UDP header and a message data) and ICMP messages (containing ICMP header
and ICMP message data).
AH does not encrypt the data and only provides authentication, integrity and anti-replay
protection. With AH, it is possible to read the data, but any modification of the data is
detected and rejected.
Tunnel mode
In tunnel mode, IPsec encrypts both the IP payload and the header to protect an entire IP
packet by encapsulating it with an AH or ESP header and an additional IP header. This mode is
useful for protecting traffic between different networks and is primarily used for
interoperability with gateways.
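The difference between the two modes is easiest to see in the bytes on the wire: in transport mode the original IP header, with the end hosts' addresses, stays in the clear in front of the ESP header, while in tunnel mode the whole original packet becomes the protected payload and a new outer header carries only the gateway addresses. The following added example (not code from the courseware or from any IPsec implementation) builds both layouts for a constructed inner packet. It assumes a toy SHA-256 keystream and a truncated HMAC as stand-ins for the real ESP cipher and ICV so that it runs without third-party libraries; the addresses, SPI and key are constructed.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50       # IP protocol number for ESP
IPIP_PROTO = 4       # next-header value for an encapsulated IPv4 packet (tunnel mode)
ICV_LEN = 16

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; the checksum is left at zero for the example."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[20:total]}

def _keystream(key, spi, seq, length):
    """Toy keystream (SHA-256 in counter mode) standing in for the real ESP cipher.
    It only serves to show the packet layout; it is not a secure cipher."""
    out = b""
    for counter in range(0, length, 32):
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
    return out[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def esp_encapsulate(plaintext, spi, seq, key, next_header):
    """ESP body: SPI(4) | Seq(4) | enc(payload | padding | pad len | next header) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4
    body = plaintext + bytes(pad_len) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    ciphertext = _xor(body, _keystream(key, spi, seq, len(body)))
    icv = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv

def esp_decapsulate(pkt, key):
    """Verify the ICV, decrypt and strip the trailer; returns (next_header, plaintext)."""
    esp = parse_ipv4(pkt)["payload"]
    header, ciphertext, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    body = _xor(ciphertext, _keystream(key, spi, seq, len(ciphertext)))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]

def esp_transport(ip_pkt, spi, seq, key):
    """Transport mode: the original IP header stays in clear, only the payload is protected."""
    h = parse_ipv4(ip_pkt)
    esp = esp_encapsulate(h["payload"], spi, seq, key, h["proto"])
    return ipv4_header(h["src"], h["dst"], ESP_PROTO, len(esp)) + esp

def esp_tunnel(ip_pkt, spi, seq, key, gw_src, gw_dst):
    """Tunnel mode: the whole original packet (header included) is protected and a
    new outer header carrying the gateway addresses is prepended."""
    esp = esp_encapsulate(ip_pkt, spi, seq, key, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp

def cleartext_view(pkt):
    """What an on-path observer without the key can read: outer addresses and SPI/sequence."""
    h = parse_ipv4(pkt)
    spi, seq = struct.unpack("!II", h["payload"][:8])
    return {"src": h["src"], "dst": h["dst"], "proto": h["proto"], "spi": spi, "seq": seq}

# Constructed inner packet: a TCP segment from a host at site 1 to a server at site 2.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 6, 12) + b"TCP-segment!"
KEY = b"constructed-example-key"
```

Running cleartext_view on the two results shows why the text recommends tunnel mode between gateways: the transport-mode packet still reveals the internal 10.1.0.5 and 10.2.0.9 addresses, whereas the tunnel-mode packet reveals only the two gateway addresses, and esp_decapsulate on the receiving side recovers the complete inner packet.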
• The AAA server is used to establish secure access in a remote-access VPN environment
[Figure: Remote-access VPN authentication chain. Internet → VPN Gateway → DualShield RADIUS Server → DualShield Authentication Server → Active Directory Server.]
In RADIUS, the VPN server interacts with the RADIUS server once the user attempts a
connection. The RADIUS server authenticates the user using their credentials. The user is
granted access if and only if the user provides the correct credentials and has dial-in access. The
RADIUS server sends a RADIUS message to the RADIUS client in response to the request for
authentication.
The RADIUS messages are sent as User Datagram Protocol (UDP) messages, and the UDP payload
of a RADIUS packet can include only one RADIUS message.
• Access-reject: Sent by the RADIUS server to the RADIUS client informing them the connection
request is rejected.
• Access-challenge: Sent by the RADIUS server to the RADIUS client in response to the
access-request from the client.
• Accounting-request: Sent by the RADIUS client to request the information for a permitted
connection.
• Accounting-response: Sent by the RADIUS server in response to the accounting-request
message from the RADIUS client.
A RADIUS message consists of a RADIUS header and RADIUS attributes. The RADIUS attributes
provide information regarding the number of connection attempts, username, password,
service requested by the user, etc. Each has a separate RADIUS attribute and they share
information between RADIUS servers, RADIUS clients and RADIUS proxies.
• Access clients
• Access servers
• RADIUS proxies
• RADIUS servers
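The header/attribute layout and the message codes described above can be exercised end to end with a few dozen lines. The following added example (not code from the courseware or from any RADIUS product) builds an Access-Request on the RADIUS client side (the VPN server's role), answers it with Access-Accept or Access-Reject on the server side, and verifies the Response Authenticator on the client so a forged reply from a party without the shared secret is rejected. Packet codes, the attribute TLV format, the User-Password hiding and the Response Authenticator follow RFC 2865/2866; the shared secret, user database and addresses are constructed, and the model deliberately omits reply attributes and the Message-Authenticator attribute.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 / RFC 2866) and the attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

def encode_attrs(attrs):
    """[(type, value bytes), ...] -> RADIUS attribute TLVs (type, length, value)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + bytes((-len(password)) % 16) or bytes(16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """One UDP payload carries exactly one message, so Length must match the datagram."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS length field does not match datagram")
    return code, ident, data[4:20], decode_attrs(data[20:length])

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(hdr + request_auth + attrs_bytes + secret).digest()

def access_request(ident, username, password, secret, nas_ip):
    """RADIUS client (the VPN server) side: returns (datagram, request authenticator)."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra

def server_reply(request, secret, users):
    """RADIUS server side: check the credentials and answer Access-Accept or Access-Reject."""
    code, ident, ra, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    a = dict(attrs)
    user = a.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, ra)
    reply = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, ra, b"", secret), [])

def verify_reply(reply, request_auth, secret):
    """Client-side check that the reply was produced by a server holding the shared secret."""
    code, ident, auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
    return hmac.compare_digest(auth, expected), code
```

Two points worth noting from the code: the Access-Reject carries the same Response Authenticator protection as an Access-Accept, so a client can tell a genuine rejection from an injected one, and the only thing hiding the password is MD5 keyed with the shared secret, which is why RADIUS between the VPN server and the RADIUS server should itself run over a protected network segment or tunnel.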
Factors that could influence Internet speed while using a VPN service and the techniques to improve
the speed of a VPN are:
• VPN Server Location: Configure the VPN server located in your area to avoid losing the Internet connection
• VPN Server Load: VPN servers with many connected users tend to cause delay and loss in Internet speed. Use a paid VPN service as they have plenty of free space to accommodate new subscribers
• Reliable Provider: Select a dependable VPN provider which has a very low packet data loss. Ensure the loss is at a minimum
• Configure Firewall Settings: Set up and configure the correct firewall on the system to allow the VPN service to flow smoothly
• Processor Speed: Make sure your computers have fast CPUs; this will provide better system speed, capacity and a stable Internet connection
• Use L2TP/IPsec and PPTP VPN protocols since they use 128-bit encryption
• Choose a Stable ISP: The better the Internet connection, the faster the VPN service
Many people using a VPN connection are concerned about the speed of the VPN affecting their
internet connection. Factors influencing VPN speeds are:
Reliable Provider
A good and reliable VPN provider offers a zero percent data packet loss for their VPN services.
For better performance select a dependable virtual private network provider which has a
minimum amount of packet data loss.
Processor Speed
In order to avoid losses in bandwidth and connection, furnish your computer with a faster and
better CPU or processor to have better system speed, capacity, and a stable internet
connection.
• The Quality of Service (QoS) in VPNs acts as a resource reservation control mechanism for a VPN
• It offers better management and use of network resources
• Jitter: Denotes variation in delay
• Packet loss: Denotes network packets lost/dropped due to a large amount of traffic
• Delay: Total time required to transmit data from the source location to the destination
• Network Address Translation (NAT): The presence of Network Address Translation (NAT)
or proxy devices between the client and the gateway can affect the connectivity in an
undesirable manner. The connectivity always needs a client configuration prior to the
implementation of the tunnel.
• Goodput (Packets): The ratio of the number of data packets sent versus the total number
of packets transmitted in the network.
• Goodput (Bytes): The ratio of bytes of data sent versus the total number of bytes
transmitted in the network.
• Data Dropped: Data lost or dropped at the destination may be due to improper access to
the medium.
An SSL (Secure Socket Layer) VPN is used to provide remote users with access to web applications,
client/server applications, and internal network connections. It provides a secure way for
mobile users to access network resources. Deployment considerations of SSL VPNs include:
• SSL portal VPN: Allows secure access of network devices by enabling a single SSL
connection to a web site. Portal refers to the website that permits the user to access
other services.
• SSL tunnel VPN: Enables web browsers to access multiple network services, applications
and protocols. This is facilitated by a tunnel under the SSL. The SSL tunnel allows a web
browser to access services that cannot be accessed by SSL portals.
• A SLA is an agreement between an ISP and their subscribers. It can also be between peer ISPs. SLAs specify the service criteria (traffic profile, network behavior and payment/billing)
• Specifies the penalties a service provider will pay if they fail to meet the committed goals
Challenges and issues providers and subscribers can face due to a SLA:
• The challenge for subscribers is to use service management tools to confirm the provider is meeting all the criteria of the SLA
• If a subscriber uses one SLA to bind more than one provider, especially if the VPN uses multiple providers, the SLA must address the provider interconnection and end-to-end service performance
• The challenge for the provider is to honor multiple SLAs from many service providers
A service level agreement (SLA) is a contract between the ISP, its subscribers and any peer
ISPs. The SLA specifies the traffic profile, network behavior, payment/billing etc., and the
penalties applied for not meeting the prescribed criteria. The SLA can be fixed through a
phone call, fax or using bandwidth brokers (BBs). Bandwidth brokers are agents allocating
resources and controlling traffic of the administrative domain. These brokers keep a mutual
agreement with each of the neighboring domains. The SLA can be either static or dynamic.
Static agreements are defined at the initialization of the service and change frequently. These
agreements are negotiated by human interaction, whereas negotiating dynamic agreements
requires an automated protocol between the BBs.
Providers and subscribers face certain challenges and technical issues using SLAs:
• The challenge for subscribers is to devise and operate service measurement tools showing
an indication of what extent the SLA is honored by the provider.
• When subscribers use a SLA to bind more than one provider, when the subscriber's VPN
spans multiple provider domains, the SLA must also encompass provider interconnection
and the end-to-end service performance.
• The challenge for the provider is to honor multiple SLAs from many service providers.
• A VPN service provides a level of security to hide your IP address and geographic location, and protects your data while online
TorGuard
https://torguard.net
The service provider offers services to protect your privacy, identity and to unblock censorship
filters, i.e. unrestricted access even when the user is in another country.
PrivateTunnel
https://www.privatetunnel.com
• Secures user communications
https://www.privateinternetaccess.com
IPVanish VPN
https://www.ipvanish.com
IPVanish VPN offers features such as:
• It provides faster and more stable speeds.
• It protects from cyber threats and unsecured Wi-Fi hotspots.
CyberGhost VPN
http://www.cyberghostvpn.com
CyberGhost VPN offers features such as:
• Simple and secure access to content from all over the world
Hotspot Shield VPN
http://www.hotspotshield.com
Some of the benefits of using Hotspot Shield VPN are listed below:
• Protects privacy
TunnelBear
https://www.tunnelbear.com
Some of the features of TunnelBear:
VPN Reactor
http://www.vpnreactor.com
VPNReactor replaces the ISP-assigned IP address with an anonymous IP. It provides encrypted,
untraceable connections between the network and the Internet. It works on all platforms such
as Windows, Mac OS X and iPhone.
proXPN's VPN
https://proxpn.com
Some of the benefits of proXPN:
• Unlimited VPN speed
VyprVPN
http://www.goldenfrog.com
• NAT firewall for additional security.
• When the user connects to VyprVPN, the user's ISP encounters only encrypted traffic. The
result is faster, unrestricted Internet speeds.
• Multiple protocols such as L2TP and PPTP for encryption.
• After a VPN is installed, the VPN client must be tested on every computer, using a VPN step-by-step scenario
VPN testing can provide the administrator with an idea on the weaknesses in the
implementation. The auditing of a VPN mainly concentrates on the standards, guidelines and
procedures. VPN audits depend on other types of security audits such as a configuration audit,
network security audit, server security audit etc.
After a VPN is installed, the VPN client must be tested on each computer using a VPN step-by-
step scenario:
• Remote user is issued the VPN client software and certificate.
• Guide the user to install the software and store the certificate successfully.
• If IPsec is being used, verify the IPsec policies on the remote user's machine and the VPN
gateway are identical.
• Have the user start the VPN software and connect to the gateway.
• If problems arise while connecting to the gateway, ask the user to write down or report all
error messages to correctly diagnose the problem.
• Once the connection is established, the remote user should authenticate entering their
username and password when prompted.
• After testing the client, check the VPN to ensure files are transferred at acceptable rates and that all parts of the VPN are online when needed
• When a remote user connects to your network, they connect to the server via a web browser
• Copy files from the corporate network to the remote user and vice versa
• Open the transferred files to make sure they are transferred completely and working correctly
• The remote user is disconnected from the corporate network after the file
To ensure that file transfers between the VPN host and the client happen at an acceptable
rate, all the VPN ports and other VPN components, such as the VPN gateway, tunnel, etc., are
to be checked for their online availability.
Steps involved in checking the VPN file transfer between the host and the client are:
• The user should enter credentials to access the server. The user is then authenticated
and given access to the server contents if found genuine.
• The user has to select the required files from a list of folders that are to be transferred to
their system.
• Copy the files from the corporate network to the client system in the specified user
location or directory and vice versa.
• The remote user is to be disconnected from the corporate network after the file transfer is
complete.
• Ensure that your VPN service is configured to enforce requirements defined in the security policy
Recommendations for VPN Connections
• Provide a dedicated firewall for every VPN connection/server
• The VPN should follow Federal Information Processing Standards (FIPS) approved encryption and integrity protection algorithms
• Configure user authentication, access and restriction to the VPN network
• Manage and configure IPsec gateways to protect communication between networks
• Strictly restrict and specify the type of communication permitted between packet filters
• Deploy and plan SSL VPN connections according to the requirements of the organization
Certified Network Defender Exam 312-38
Wireless Network Defense
This module focuses on various defensive techniques used for wireless network security.
Besides the security measures that are used to secure a wired network, a wireless network
requires extra security measures to defend against wireless specific threats. This module covers
wireless network components, topologies, standards, encryption, threats and security
measures that should be implemented to make a wireless network more robust and secure.
Wireless Terminologies
• Direct-sequence Spread Spectrum (DSSS): The original data signal is multiplied with a pseudo random noise spreading code
• Temporal Key Integrity Protocol (TKIP): A security protocol used in WPA as a replacement for WEP
• Service Set Identifier (SSID): A 32-character alphanumeric unique identifier given to a wireless local area network (WLAN)
• Extensible Authentication Protocol (EAP): Supports multiple authentication methods, such as token cards, Kerberos, certificates etc.
• Wireless networks use Radio Frequency (RF) signals to connect wireless-enabled devices in the network
• It uses the IEEE standard of 802.11 and uses radio waves for communication
Advantages
• Installation is easy and eliminates wiring
• Access to the network can be from anywhere within the range of an access point
• Public places like airports, schools, etc. can offer constant Internet connection using Wireless LAN
Limitations
• Wi-Fi security may not meet expectations
• The bandwidth suffers with the number of users on the network
• Wi-Fi standard changes may require replacing wireless components
• Some electronic equipment can interfere with the Wi-Fi network
The computer world is heading towards a new era of technological evolution, using wireless
technologies.
Wireless networking is revolutionizing the way people work and play. By removing the physical
connection or cable, individuals are able to use networks in newer ways to make data portable,
mobile and accessible.
A wireless environment opens up so many new expansions and workflow possibilities. With
wireless, there is no need to worry if a user wants to move the PC from one office to the next or
if they want to work in a location that does not have an Ethernet port.
Wireless networking is very useful in public places including libraries, coffee shops, hotels,
airports and other establishments that offer wireless local area network (LAN) connections.
The most important thing for wireless networking is an access point where the user can
communicate with other mobile or fixed hosts. An access point is a device that contains a radio
transceiver (to send and receive signals) along with an RJ-45 wired network interface, which
allows a user to connect to a standard wired network using a cable.
Wireless Technologies
In a w ireless network, data transmits by means of electromagnetic waves to carry signals over
the communication path.
IEEE wireless standards (frequency in GHz, bandwidth in MHz, data rates in Mbps, range in metres indoor / outdoor):
• 802.11a: 5 GHz (also 3.7 GHz); bandwidth 20 MHz; data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps; modulation OFDM;
range 35 m indoor, 120 m outdoor (5000 m outdoor at 3.7 GHz)
• 802.11b: 2.4 GHz; bandwidth 22 MHz; data rates 1, 2, 5.5, 11 Mbps; modulation DSSS; range 35 m indoor, 140 m outdoor
• 802.11d: It is an enhancement to 802.11a and 802.11b that enables global portability by allowing variation in
frequencies, power levels, and bandwidth
• 802.11e: It provides guidance for prioritization of data, voice, and video transmissions, enabling QoS
• 802.11i: A standard for Wireless Local Area Networks (WLANs) that provides improved encryption for networks that
use the 802.11a, 802.11b, and 802.11g standards
• 802.12: It defines demand priority, a media access control protocol to increase the Ethernet data rate to 100 Mbps
• 802.15: It defines communication specifications for wireless personal area networks (WPANs)
• 802.15.1 (Bluetooth): 2.4 GHz; data rate 1-3 Mbps; range 10 m
• 802.15.4 (ZigBee): 2.4 GHz, 868 MHz and 900 MHz bands
• 802.15.5: A standard for mesh networks with enhanced reliability via route redundancy
• 802.16: A group of broadband wireless communication standards for Metropolitan Area Networks (MANs)
IEEE standards
These standards define wireless networking transmission methods. The following are the IEEE
standards:
• 802.11 (Wi-Fi): It applies to wireless LANs and uses FHSS or DSSS as the spread-spectrum
technique. It allows an electronic device to connect to a network using a wireless
connection.
• 802.11a: It is the second extension to the original 802.11. It operates in the 5 GHz
frequency band and supports bandwidth up to 54 Mbps by using Orthogonal Frequency
Division Multiplexing (OFDM).
It has a fast maximum speed, but is more sensitive to walls and other obstacles.
• 802.11b: IEEE expanded 802.11 by creating the 802.11b specification in 1999. This
standard operates in the 2.4 GHz ISM band and supports bandwidth up to 11 Mbps by
using direct-sequence spread spectrum modulation.
• 802.11d: It is an enhanced version of 802.11a and 802.11b. The standard supports
regulatory domains. The particulars of this standard can be set at the media access
control (MAC) layer.
• 802.11e: It defines the Quality of Service (QoS) for wireless applications. The enhanced
service is modified through the MAC layer. The standard maintains the quality of video
and audio streaming, real-time online applications, VoIP, etc.
• 802.11g: It is compatible with the 802.11b standard, which means 802.11b devices can work
directly with an 802.11g access point.
• 802.11i: It is used as a standard for WLANs and provides improved encryption for
networks. 802.11i requires new protocols such as TKIP and AES.
• 802.11n: Developed in 2009. This standard aims to improve on the 802.11g standard in terms
of bandwidth. It operates on both the 2.4 and 5 GHz bands and supports a
maximum data rate of up to 300 Mbps. It uses multiple transmitter and receiver antennas
(MIMO) to reach the maximum data rate, along with security improvements.
• 802.11ac: It provides a high-throughput network at the frequency of 5 GHz. It is faster and
more reliable than 802.11n. The standard involves Gigabit networking that
provides an instantaneous data transfer experience.
• 802.11ad: 802.11ad involves the inclusion of a new physical layer for 802.11 networks.
The standard works on the 60 GHz spectrum. The data propagation speed in this standard
is very different from bands operating on 2.4 GHz and 5 GHz. With a very high frequency
spectrum, the transfer speed is much higher than that of 802.11n.
• 802.12: This standard controls media utilization by working on the demand priority
protocol. Based on this standard, the Ethernet speed increases to 100 Mbps. It is
compatible with the 802.3 and 802.5 standards. Users currently on those standards can
directly upgrade to the 802.12 standard.
• 802.15: It defines the standards for a wireless personal area network (WPAN). It describes
the specification for wireless connectivity with fixed or portable devices.
• 802.15.1 (Bluetooth): Bluetooth is mainly used for exchanging data over short distances
between fixed and mobile devices.
• 802.15.4 (ZigBee): 802.15.4 has a low data rate and complexity. ZigBee is the
specification built on the 802.15.4 standard. ZigBee transmits data over long distances through a
mesh network. The specification handles applications with a low data rate but longer
battery life. Its data rate is 250 kbit/s.
• 802.15.5: The standard deploys on a full mesh or a half mesh topology. It includes
network initialization, addressing and unicasting.
• IEEE 802.16: It is also known as WiMAX. This standard is a specification for fixed
broadband wireless metropolitan access networks (MANs) that use a point-to-multipoint
architecture.
Infrastructure Network Topology (Centrally Coordinated Architecture / BSS - Basic Service Set)
• Devices in the wireless network are connected through an access point
• An access point (switch or router) connects to the Internet via a modem
• Installed in large organizations
To plan and install a wireless network, first determine the type of architecture suited for the
network environment.
There are two types of wireless topologies:
(infrastructure mode). This mode uses the functionality of each adaptor to enable security
authentication and to use wireless services.
The key characteristics of an Ad-Hoc wireless network:
This mode provides enhanced security options, scalability, stability and easy management. The
downside is that it is expensive, since an access point (router or switch) is required to connect
the devices to each other.
The key characteristics of an infrastructure mode include:
• Increases or decreases the wireless network range by adding and removing access points.
• The controller reconfigures the network according to the changes in the RF footprint.
• The controller regularly monitors and controls the activities on the wireless network by
reconfiguring the access point elements to maintain and protect the network.
• The wireless centralized controller manages all the access point tasks.
• The wireless network controller performs various crucial tasks such as user
authentication, policy creation and enforcement, fault tolerances, network expansion,
configuration control, etc.
• Maintains backups of other access points in another location and is used when the access
point malfunctions.
[Figure: wireless network topologies showing users connected through access points and extension points, a broadband router, a 3G USB modem connected to a cell tower, and the Internet.]
Wireless networks are classified based on the connection used and the geographical
area.
1. Software access points can be connected to a wired network and run on a computer
with a wireless network interface card.
2. Hardware access points (HAP) provide comprehensive support for most wireless
features. With suitable networking software support, users on the wireless LAN can
share files and printers situated on the wired LAN and vice versa.
The network may be further extended in accordance with the size of the location and
interference from other devices. This enables the wired/wireless connection across the
location for multiple users.
Wireless computers connect using multiple access points. If a single large area is not
covered by a single access point, then use multiple access points, or extension points.
Extension points are not defined in the wireless standard. While using multiple access
points, each access point must cover its neighbors. This allows users to move around
seamlessly using a feature called roaming. Some manufacturers develop extension points,
which act as wireless relays, extending the range of a single access point. Multiple
extension points can be strung together to give wireless access to distant locations from
the central access point.
• LAN to LAN wireless networks
• 3G Hotspot
A hotspot provides Internet access over a WLAN with the help of a router connected to
the ISP. Many devices may be connected at the same time using a Wi-Fi network adapter.
3G networks provide 300 Kbit/s. Hotspots use the service from cellular
providers for 3G Internet access. Computers generally scan for hotspots, thereby
identifying the SSID (network name) of the wireless network.
• In 1990, IEEE (Institute of Electrical and Electronics Engineers) created a group to develop a
standard for wireless equipment.
• In the peer-to-peer mode, wireless devices within range of each other communicate
directly with each other without using a central access point.
• While in infrastructure mode, the access point is wired to the Internet with wireless users.
An access point functions as a mediator between the wired and wireless networks.
• Advantages:
• It handles cellular network technology such as CDMA, GSM, GPRS, and CDPD for data
transmission.
• This technology may cover a particular region, nation, or even the entire globe.
• The system has built-in cellular radio (GSM/CDMA), which helps users send or receive
data.
• In WWAN, the wireless data consists of fixed microwave links, digital dispatch networks,
wireless LANs, data over cellular networks, wireless WANs, satellite links, one-way and
two-way paging networks, laser-based communications, diffuse infrared, keyless car
entry, the global positioning system and more.
• PAN has a very short range. It can communicate within a range of 10 meters. For example,
Bluetooth.
• A WPAN interconnects the mobile network devices that people carry with them or have
on their desk.
• A main concept in WPAN technology is plugging in.
• When any two WPAN devices come within the range of a few meters to the central
server, they communicate with each other, like a wired network.
• Another characteristic of a WPAN is the ability to lock out other devices and prevent
interference.
• Every device in a WPAN can connect to any other device in the same WPAN, but they
should be within physical range of one another. Bluetooth is the best example of a WPAN.
• A WMAN uses a wireless infrastructure or optical fiber connections to link the sites.
• A WMAN links between WLANs. Distributed Queue Dual Bus (DQDB) is the MAN
standard for data communications, specified by the IEEE 802.6 standard. With DQDB,
the network can be established over 30 miles with a speed of 34 to 154 Mbit/s.
Components of a Wireless Network
• Wireless Modem: It is a device that receives and transmits the network signals to other
units without physical cabling
• Wireless Bridge: Connects multiple LANs at the MAC layer and is separated either logically
or physically. It is used to increase the wireless coverage area
• Wireless Repeater: Retransmits the existing signal captured from the wireless router or
access point to create a new network
• Wireless Gateways: Routes data packets and functions as a wireless access point. An Internet
connection can be shared between multiple stations
• Wireless USB Adapter: Connects different devices to a wireless network in order to access the
Internet without a computer, router or any other network device
A Wireless Access Point (WAP) is a hardware device that uses the wireless infrastructure network
mode to connect wireless components to a wired network for data transmission. It serves
as a switch or hub between the wired LAN and the wireless network. It has a built-in
transmitter, receiver and antenna. The additional ports in the WAP help to expand the
network range and provide access to additional clients. The number of APs depends on
the network size; multiple APs provide access to more wireless clients and in turn
expand the wireless network range. The transmission range, i.e. the distance a client can
be from the wireless access point, is only a default maximum value; access points transmit
usable signals well beyond the default range. The distance a wireless access point signal is
transmitted depends on the wireless standard, obstructions and environmental
conditions between the clients and the access points.
The transmission range and number of devices that a WAP can connect depend on the
wireless standard used and the signal interference between the devices. In the wireless
infrastructure network design, multiple access points can be used to cover an extensive
area, or a single access point can be used to cover a small geographical area such as a
building or home.
Wireless network cards or wireless network adapters (wireless NICs) are cards that locate
and communicate with an access point that has a strong signal, giving users network access.
One is required on each device that connects to the wireless network. Laptops and desktop
computers generally have built-in wireless NICs or have slots to attach them. These
include two types of plug-in cards: PCMCIA and PCI. Laptops have slots to insert
PCMCIA plug-in cards, whereas desktop computers have internal slots to add PCI cards. The
functionality of a wired network card and a wireless network card is similar. The difference
between the two is that a wired network card has a port to connect to the network, while a
wireless network card has a built-in antenna to connect to the wireless network. Typically,
computers with a PCI bus or USB ports can connect to a wireless NIC.
Data transmitted using a NIC:
• Division of the data into small blocks which incorporate both the sending and
receiving addresses.
• Wireless modem:
A wireless modem is a device that allows PCs to connect to a wireless network and access
the Internet directly with the help of an Internet Service Provider (ISP). Wireless modems
receive and transmit network signals to other units without a physical cable. Wi-Fi routers
can transmit an Internet service only within a confined range, whereas wireless modems
can be used in almost any place where mobile phone coverage is present.
Portable devices such as laptops, mobile phones, PDAs, etc. use wireless modems to
receive signals over the air, like a cellular network. There are various types of wireless
modems, and users can choose one based on their needs. Common types of
wireless modems include:
• Cards: The oldest form of wireless connection. The two types of cards are data cards and
connect cards, which are available from mobile providers and used by laptops, PCs
and routers. They are small in size and easy to use.
o USB Sticks: These quickly connect to the Internet with a wireless modem. They
resemble a USB flash drive and fit easily into the USB port of a laptop. Computers
require installation of special drivers and software to use them. They are portable.
o Mobile Hotspots
o Wireless Routers
Consider the following features when choosing a wireless modem:
• Protocols it can support, such as Ethernet, GPRS, ISDN, EVDO, Wi-Fi, CDPD
• Wireless bridge:
A wireless bridge connects multiple LANs at the MAC layer. These bridges separate
networks either logically or physically. They cover longer distances than APs. Some wireless
bridges support point-to-point connections to another AP, and some support point-to-
multipoint connections to several other APs. Wireless bridging helps connect two LAN
segments through a wireless link. The two segments reside on the same subnet and look like
two Ethernet switches connected with a cable to all computers within the subnet.
Broadcasts reach all the machines on that subnet, allowing DHCP clients in one segment to
obtain their addresses from a DHCP server in a different segment. A wireless
bridge can be used to connect computers in one room to computers in another room
without a cable.
• Wireless repeater:
This device retransmits the existing signal captured from the wireless router or access
point to create a new network. It works as an access point and a station simultaneously.
Clients that are too far away from the router or access point can join the same
wireless local area network via a repeater. In other words, it extends the signal by taking it
from a wireless access point and retransmitting it to the uncovered area. These repeaters
require an omni-directional antenna. A repeater captures, boosts and retransmits the signals.
• Wireless Router:
A wireless router is a device in a wireless local area network (WLAN) which interconnects
two types of networks through radio waves, serving wireless-enabled devices like
computers, laptops and tablets. It functions as a router in the LAN, but also provides
mobility to users. Wireless routers have the ability to filter network traffic based on
the sender's and receiver's IP addresses. A wireless router provides strong encryption, filters
MAC addresses and controls SSID authentication.
• Wireless Gateways:
A wireless gateway is the key component of a wireless network. It is a device that allows
Internet-enabled devices to access the connection. It combines the functions of wireless
access points and routers. Wireless gateways have features like NAT, which translates
public IPs to private IPs, and DHCP.
• Wireless USB Adapter:
A wireless USB adapter enables Internet access through a USB port on a computer. It also
supports communication links and syncs between two or more devices. There are three
main varieties of wireless adapter:
• Cellular
• Bluetooth
• Wi-Fi
Components of a Wireless Network: Antenna
• Converts electrical impulses into radio waves and vice versa
• Types: Omnidirectional Antenna, Yagi Antenna, Reflector Antennas
An antenna is a device that is designed to transmit and receive electromagnetic waves called
radio waves. An antenna is a collection of metal rods and wires that capture radio waves
and translate them into electrical current. The size and shape of an antenna are designed
according to the frequency of the signal it is intended to receive.
• A high-gain antenna is highly focused, while a low-gain antenna receives
or transmits over a large angle.
Antenna Functions
The antenna functions are:
• Transmission line:
Antennas transmit or receive radio waves from one point to another. This power
transmission takes place in free space through natural media like air, water and earth.
Antennas avoid power that is transmitted through other means.
• Radiator:
It radiates the energy powerfully. This radiated energy is transmitted through the
medium. A radiator is always the size of half a wavelength.
• Resonator:
The use of the resonator is necessary in broadband applications. Resonances that occur
must be attenuated.
Antenna Characteristics
The characteristics of an antenna are:
• Operating frequency band: Antennas operate at a frequency band between 960 MHz and
1215 MHz.
• Transmit power: Antennas transmit power at 1200-watt peak and 140-watt average.
• Typical gain: Gain is the ratio of the power input to the antenna to the power output from the
antenna. It is measured in decibels (dBi). Gain is 3.0 dBi.
• Radiation pattern: The radiation pattern of an antenna is a 3-D plot. This pattern
generally takes two forms: elevation and azimuth.
• Polarization: It is the orientation of the electromagnetic waves from the source. There are a
number of polarizations such as linear, vertical, horizontal, circular, Circular Left Hand (LHCP)
and Circular Right Hand (RHCP).
• Directional Antenna:
A directional antenna can broadcast and receive radio waves from a single direction. In
order to improve transmission and reception, the directional antenna is designed to
work effectively in a specified direction. This also helps in reducing interference.
• Omnidirectional Antenna:
• Advantages:
• Disadvantages:
• Parabolic Grid Antenna:
A parabolic grid antenna relies on the principle of a satellite dish, but it does not have a
solid backing. Instead of a solid backing, this kind of antenna has a semi-dish formed by a
grid made of aluminum wire. These grid parabolic antennas can achieve very long distance
Wi-Fi transmissions by making use of the principle of a highly focused radio beam. This
type of antenna can transmit weak radio signals millions of miles back to earth.
• Advantages:
• Disadvantages:
o A parabolic grid antenna is expensive, as it requires a feed system for reflecting the
radio signals.
o Along with the feed system, the antenna requires a reflector as well. Assembling
these components makes the installation time consuming.
• Yagi Antenna:
• Advantages:
o A Yagi antenna offers good range and ease of aiming the antenna.
o The Yagi antenna is directional, focusing the entire signal in a cardinal direction.
This results in high throughput.
o The installation and assembly of the antenna are easy and less time consuming
compared with other antennas.
• Disadvantages:
• Dipole Antenna:
A dipole is a straight electrical conductor measuring half a wavelength from end to end
and connected at its center to the RF feed line. Another name for the dipole antenna is
"doublet". It is bilaterally symmetrical, so it is inherently a balanced antenna. Usually, a
balanced parallel-wire RF transmission line feeds this kind of antenna.
• Advantages:
o A dipole antenna offers balanced signals. With the two-pole design, the device
receives signals from a variety of frequencies.
• Disadvantages:
o Although the indoor dipole antenna might be small, the outdoor dipole can be
much larger, making it difficult to manage.
• Reflector Antennas:
• Advantages:
o If the surface of the parabolic antenna is within the tolerance limit, it can be used
as a primary mirror for all frequencies. This can prevent interference while
communicating with other satellites.
o The larger the antenna reflector in terms of wavelengths, the higher the gain.
• Disadvantage:
o Because reflector antennas must reflect radio signals, the manufacturing cost of the
antenna is high.
• A 24-bit arbitrary number known as the Initialization Vector (IV) is added to the WEP key. The WEP key and the IV
together are called the WEP seed
• The 64, 128, and 256-bit WEP versions use 40, 104, and 232-bit keys respectively
• The WEP seed is used as the input to the RC4 algorithm to generate a keystream (the keystream is bit-wise XORed
with the combination of data and ICV to produce the encrypted data)
• The CRC-32 checksum is used to calculate a 32-bit Integrity Check Value (ICV) for the data, which, in turn, is
added to the data frame
• The IV field (IV + PAD + KID) is added to the cipher text to generate a MAC frame
[Figure: WEP encryption. The WEP key store (K1, K2, K3, K4) and the IV form the WEP seed, which the RC4 algorithm expands into a keystream; the data and its CRC-32 ICV are XORed with the keystream; the IV, PAD, KID and ciphertext form the WEP-encrypted packet (frame body of the MAC frame).]
The 802.11 MAC implementation specifies a protocol called Wired Equivalent Privacy (WEP).
The objective of WEP is to make WLAN communication as trustworthy as wired LAN
communication. WEP presents two vital segments to the architecture of wireless security:
the validation of data and the secrecy of the data. WEP uses a mechanism in which a shared key
is used with a symmetric cipher called RC4.
A standard 64-bit WEP key is entered as a string of 10 hexadecimal (base 16) characters (0-9, A-F).
Each character is 4 bits, and 10 digits of 4 bits give 10 * 4 = 40 bits (WEP-40). The 40-bit key
is attached to a 24-bit Initialization Vector (IV), which completes the 64-bit WEP key (4 * 10
= 40 bits + 24-bit IV = 64-bit WEP key).
Another WEP standard is 128-bit WEP, which uses a 104-bit key. The 128-bit key is
entered as 26 hexadecimal characters: 26 digits * 4 bits = 104-bit key. Again, adding the 24-
bit IV gives 104 bits + 24 bits = 128-bit WEP key.
Similarly, 152-bit and 256-bit WEP are available, using a 128-bit and a 232-bit key respectively.
Adding the 24-bit IV to the 128-bit key and the 232-bit key gives the 152-bit and 256-bit WEP keys.
The steps involved in how WEP works when using RC4:
• Packets to be transmitted are passed through an integrity check algorithm in order to
generate a checksum (the checksum is intended to detect changes to the message).
• The 24-bit Initialization Vector (IV) together with a 40-bit WEP key produces the 64-bit
key.
• RC4 uses this key to generate the keystream. The keystream has the same
length as the plain text or original message with the checksum included.
• The keystream is XORed with the original message or plain text along with the
checksum. This generates the cipher text or encrypted packet.
• The client, on the other hand, receives the encrypted text and XORs it with the same
keystream to recover the plain text or original message. The client validates the
checksum in order to authenticate the message.
WEP Issues
WEP has the following issues:
1. CRC32 is not sufficient to ensure complete cryptographic integrity of a packet:
• By capturing two packets, an attacker can reliably flip a bit in the encrypted stream
and modify the checksum so that the packet is accepted.
2. IVs are 24 bits:
• An AP broadcasting 1500 byte packets at 11 Mb/s would exhaust the entire IV space in
five hours.
3. Known plaintext attacks:
• When there is an IV collision, it becomes possible to reconstruct the RC4 key stream
based on the IV and the decrypted payload of the packet.
4. Dictionary attacks:
• WEP is based on a password.
• The small space of the initialization vector allows the attacker to create a decryption
table, which is a dictionary attack.
5. Denial of service:
• Associate and disassociate messages are not authenticated.
6. Eventually, an attacker can construct a decryption table of reconstructed key streams:
• With about 24 GB of space, an attacker can use this table to decrypt WEP packets in
real-time.
7. A lack of centralized key management makes it difficult to change WEP keys with any
regularity.
8. IV is a value that is used to randomize the key stream value and each packet has an IV
value:
• The standard allows only 24 bits, which can be used within hours at a busy AP.
• IV values can be reused.
9. The standard does not dictate that each packet must have a unique IV, so vendors use
only a small amount of the available 24-bit possibilities:
• A mechanism that depends on randomness is not random at all and attackers can
easily figure out the key stream and decrypt other messages.
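The WEP procedure described above, and two of the issues just listed (the 24-bit IV space and keystream reuse on IV collision), as an added worked example. This is constructed for this page and is not EC-Council code: RC4 is implemented inline so the block runs offline, the ICV is CRC-32 from zlib, and the frame body layout IV (3 bytes) | KeyID byte | ciphertext(data || ICV) is assumed. The key and IV values are constructed sample values.

```python
"""WEP encapsulation walk-through (constructed example, not EC-Council code)."""
import struct
import zlib
from typing import Optional

IV_LEN = 3                                  # 24-bit initialization vector
VALID_HEX_KEY_LENGTHS = (10, 26, 32, 58)    # WEP-40, WEP-104, 128-bit and 232-bit keys


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                              # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_wep_key(hex_key: str) -> bytes:
    """Accept the hex key lengths the text describes (10 hex digits = 40 bits, etc.)."""
    if len(hex_key) not in VALID_HEX_KEY_LENGTHS:
        raise ValueError("WEP key must be 10, 26, 32 or 58 hex digits")
    return bytes.fromhex(hex_key)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Return the WEP frame body: IV | KeyID byte | RC4(IV || key) XOR (data || ICV)."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 24 bits")
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # CRC-32 Integrity Check Value
    seed = iv + key                                          # the "WEP seed" (IV || key)
    keystream = rc4_keystream(seed, len(data) + len(icv))
    ciphertext = xor_bytes(data + icv, keystream)
    key_id_byte = bytes([(key_id & 0x3) << 6])               # PAD bits zero, KeyID in top 2 bits
    return iv + key_id_byte + ciphertext


def wep_decrypt(key: bytes, frame_body: bytes) -> Optional[bytes]:
    """Reverse the process; return the data, or None if the ICV does not match."""
    iv = frame_body[:IV_LEN]
    ciphertext = frame_body[IV_LEN + 1:]
    plain = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(data) & 0xFFFFFFFF):
        return None
    return data


def iv_exhaustion_hours(packet_bytes: int = 1500, rate_mbps: float = 11.0) -> float:
    """Hours until all 2**24 IV values have been used at a steady packet rate."""
    packets_per_second = rate_mbps * 1_000_000 / (packet_bytes * 8)
    return (2 ** 24) / packets_per_second / 3600


def keystream_reuse_leak(body_a: bytes, body_b: bytes) -> Optional[bytes]:
    """Why IV collisions matter: two bodies with the same IV share a keystream, so
    XORing their ciphertexts cancels it and yields plaintext_a XOR plaintext_b
    (ICVs included). Returns None when the IVs differ."""
    if body_a[:IV_LEN] != body_b[:IV_LEN]:
        return None
    return xor_bytes(body_a[IV_LEN + 1:], body_b[IV_LEN + 1:])


if __name__ == "__main__":
    key = parse_wep_key("0123456789")          # constructed WEP-40 key
    iv = b"\x00\x00\x01"                       # constructed IV
    body = wep_encrypt(key, iv, b"hello wlan")
    print(body.hex(), wep_decrypt(key, body))
    print(f"IV space exhausted in about {iv_exhaustion_hours():.1f} hours")
```

The ICV check in wep_decrypt catches accidental corruption but, as the issues list says, not deliberate modification, because CRC-32 is linear; the replay, dictionary and IV-collision problems all follow from the same seed being reused, which is what keystream_reuse_leak makes visible.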
[Figure: TKIP encapsulation: Data to Transmit, MIC key, MSDU + MIC, MPDU, ICV, WEP encryption.]
Wi-Fi Protected Access (WPA) is used as a security standard for Wi-Fi connections. WPA
provides refined data encryption and user authentication techniques. WPA uses TKIP for data
encryption, and TKIP eliminates the weaknesses of WEP by including per-packet key mixing
functions, message integrity checks, extended initialization vectors and re-keying mechanisms.
WEP normally uses a 40-bit or a 140-bit encryption key, whereas TKIP uses 128-bit keys for each
packet. The message integrity check in WPA removes the chance of an attacker changing or
resending packets. TKIP uses the Michael integrity check algorithm with a message integrity
check key to generate the MIC value.
WPA requires 802.1X authentication and changes both the unicast and global encryption keys. TKIP is
used with the unicast encryption key, which changes the key for every packet, thereby enhancing
security. This change of key for each packet is coordinated between the client and the
access point. For the global encryption key, the access point advertises the change in the key to the
connected wireless clients.
TKIP is a short-term fix for WEP, delivered as a simple software/firmware upgrade. A number of
design weaknesses were accepted in order to remain backward compatible with the large number of
existing devices in the field. TKIP addresses all of the identified weaknesses linked with WEP.
• The MAC destination and source addresses and the MIC key are combined with a hash function
in order to produce the MIC value
• The MIC value is fragmented to produce the MPDU. The checksum is later attached to the
MPDU
• The MPDU along with the checksum is XORed with the keystream to produce the cipher
text
• This cipher text may be XORed again by the client using the same keystream in order to
produce the original message
Types of WPA
1. WPA-Personal: This version makes use of set-up passwords and protects against
unauthorized network access.
Features of WPA
• WPA Authentication: WPA needs 802.1X authentication. WPA makes use of a pre-
shared key for environments without a Remote Authentication Dial-In User Service
(RADIUS) infrastructure, and uses the Extensible Authentication Protocol (EAP) and RADIUS
for environments with a RADIUS infrastructure.
• WPA Key Management: It is necessary to change both the unicast and global encryption
keys while using WPA. The Temporal Key Integrity Protocol (TKIP) keeps changing the key
for every frame when using the unicast key. In the case of the global key, WPA requires the
wireless access point to report the changed key to the connected wireless clients.
• Temporal Key Management: In WPA, encryption with TKIP is needed. TKIP replaces
WEP with a new encryption algorithm that is stronger than the standard WEP algorithm.
• Michael Algorithm: 802.11 and WEP data use a 32-bit integrity check value (ICV) to check
integrity. In WPA, the Michael technique identifies the algorithm that determines an
8-byte Message Integrity Code (MIC) with the help of the methods present in the wireless
devices.
• AES Support: WPA supports the Advanced Encryption Standard (AES) as a substitute for WEP
encryption. This support is optional and depends on vendor driver support.
• Supporting a Mixture of WPA and WEP Wireless Clients: A wireless AP maintains both
WEP and WPA simultaneously, to help the gradual transition of WEP-based wireless
networks to WPA.
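The Michael algorithm named in the features list, and the TKIP step above that binds the destination and source MAC addresses into the MIC, as an added example. This is constructed for this page and is not EC-Council or vendor code; it implements Michael from the published description (64-bit key, 8-byte MIC, 0x5a padding, four add/xor/rotate rounds per 32-bit word) and assumes the caller supplies the MIC key for the correct direction, since TKIP keeps separate transmit and receive MIC keys. The MAC addresses and MSDU used in the usage section are constructed sample values.

```python
"""Michael MIC and the TKIP MIC input (constructed example, not EC-Council code)."""
import struct

MASK32 = 0xFFFFFFFF


def _rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def _ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def _xswap(x: int) -> int:
    """Swap the two bytes within each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _michael_block(l: int, r: int):
    """The Michael block function b(L, R): four add/xor/rotate rounds."""
    r ^= _rol32(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rol32(l, 3)
    l = (l + r) & MASK32
    r ^= _ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """Michael(K, M): pad M with 0x5a and 4..7 zero bytes to a multiple of 4 bytes,
    then feed each little-endian 32-bit word through the block function.
    Known vector: key 00*8, empty message -> 82925c1ca1d130b8."""
    if len(key) != 8:
        raise ValueError("Michael key must be 64 bits")
    zeros = 4 + ((-(len(message) + 1)) % 4)
    padded = message + b"\x5a" + b"\x00" * zeros
    l, r = struct.unpack("<II", key)
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _michael_block(l, r)
    return struct.pack("<II", l, r)


def tkip_mic(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP MIC input: DA || SA || priority || 3 zero bytes || MSDU, so the
    addresses are bound to the payload and cannot be swapped undetected."""
    if len(da) != 6 or len(sa) != 6:
        raise ValueError("DA and SA must be 6-byte MAC addresses")
    header = da + sa + bytes([priority & 0x0F, 0, 0, 0])
    return michael(mic_key, header + msdu)


def tkip_mic_valid(mic_key: bytes, da: bytes, sa: bytes, priority: int,
                   msdu: bytes, received_mic: bytes) -> bool:
    """Receiver-side check; a MIC mismatch is what triggers TKIP countermeasures."""
    return tkip_mic(mic_key, da, sa, priority, msdu) == received_mic


if __name__ == "__main__":
    mic_key = bytes.fromhex("0123456789abcdef")          # constructed MIC key
    da = bytes.fromhex("001122334455")                   # constructed addresses
    sa = bytes.fromhex("66778899aabb")
    mic = tkip_mic(mic_key, da, sa, 0, b"constructed MSDU payload")
    print(mic.hex(), tkip_mic_valid(mic_key, da, sa, 0, b"constructed MSDU payload", mic))
```

Michael is deliberately cheap so that WEP-era hardware could compute it in software, which is why 802.11i pairs it with countermeasures on MIC failure rather than relying on it as a strong MAC.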
• WPA2 is an upgrade to WPA; it includes mandatory support for Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol (CCMP), an AES-based
encryption mode with strong security
WPA2 depends on the IEEE 802.11i standard for data encryption and replaced WPA technology
in 2006. This protocol provides greater protection compared to WPA and WEP. It uses the
Advanced Encryption Standard (AES) to encrypt data over wireless networks and supports
the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code
Protocol) encryption mechanism.
• WPA2-Personal: Mostly used in home networks. It supports homes or locations where
authentication servers are not used. Each wireless device uses the same 256-bit key
generated from a password to authenticate with the AP. The router uses the combination
of a passphrase, a network SSID and TKIP to generate a unique encryption key for each
wireless client. These encryption keys keep changing constantly.
encryptions. Because of this, it protects the non-encrypted portion of the frame from alteration
or distortion. The protocol uses a sequenced packet number (PN) and a portion of the MAC
header to generate a Nonce that it uses in the encryption process. The protocol gives the
plaintext data, temporal keys, AAD and Nonce as input to the encryption process, which uses
both the AES and CCMP algorithms. The PN is included in the CCMP header to protect against
replay attacks. The results from the AES and CCMP algorithms produce encrypted text and an
encrypted MIC value. Finally, the assembled MAC header, CCMP header, encrypted data and
encrypted MIC form the WPA2 MAC frame. The following diagram depicts the functions of WPA2.
[Figure: WPA2 CCMP encryption. Build AAD and Nonce from the MAC header and PN; AES and
CCMP produce the encrypted data and encrypted MIC; Build CCMP header. Resulting WPA2 MAC
Frame: MAC header | CCMP header | Encrypted data | Encrypted MIC]
• Additional authentication data (AAD) is taken from the MAC header as an input to the
CCMP implementation of WPA2.
• The packet number (PN) carried in the CCMP header is used to build the Nonce for the
encryption process.
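To make the PN, Nonce and CCMP-header relationship concrete, the following is an added example written for this page (it is not EC-Council's or any vendor's code). It builds the 13-byte CCMP nonce from the QoS priority, the transmitter address A2 and the 48-bit PN, packs and parses the 8-byte CCMP header that carries the PN in the clear, and shows the receiver-side replay check that the PN enables. The AES-CCM step is deliberately left out so the block runs with the Python standard library only; the MAC address and PN values are constructed samples.

```python
"""CCMP nonce construction and packet-number (PN) replay protection.

Illustrative code written for this page; it is not EC-Council's or any
vendor's implementation. The AES-CCM step itself is left out so the block
runs with the standard library only; the nonce and CCMP header layouts
follow IEEE 802.11i.
"""
from dataclasses import dataclass

PN_MAX = (1 << 48) - 1  # the CCMP packet number is a 48-bit counter


def build_ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """Return the 13-byte CCMP nonce: flags byte (QoS priority), A2, PN.

    A2 is the 6-byte transmitter address from the MAC header and the PN is
    written big-endian. The PN must never repeat under one temporal key,
    so each frame gets a unique nonce and counter mode stays secure.
    """
    if not 0 <= priority <= 15:
        raise ValueError("priority must fit in 4 bits")
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN must be a 48-bit value")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def build_ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """Return the 8-byte CCMP header that carries the PN in the clear.

    Octet order: PN0, PN1, reserved, KeyID/ExtIV, PN2, PN3, PN4, PN5,
    with PN0 the least significant octet. The ExtIV bit (0x20) is always
    set for CCMP.
    """
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN must be a 48-bit value")
    pn_bytes = pn.to_bytes(6, "little")
    key_byte = 0x20 | ((key_id & 0x03) << 6)
    return bytes([pn_bytes[0], pn_bytes[1], 0x00, key_byte]) + pn_bytes[2:6]


def parse_pn(ccmp_header: bytes) -> int:
    """Recover the 48-bit PN from a CCMP header (inverse of build_ccmp_header)."""
    if len(ccmp_header) != 8:
        raise ValueError("CCMP header is 8 bytes")
    if not ccmp_header[3] & 0x20:
        raise ValueError("ExtIV bit not set: not a CCMP header")
    return int.from_bytes(ccmp_header[0:2] + ccmp_header[4:8], "little")


@dataclass
class ReplayCounter:
    """Receiver-side replay state for one temporal key and transmitter."""
    last_pn: int = -1  # nothing accepted yet

    def accept(self, pn: int) -> bool:
        """Accept only a PN strictly greater than the last accepted one.

        A repeated or smaller PN is discarded: this is the replay
        protection that the PN in the CCMP header provides.
        """
        if pn <= self.last_pn:
            return False
        self.last_pn = pn
        return True


if __name__ == "__main__":
    # Constructed sample values, not taken from a real capture.
    a2 = bytes.fromhex("001122334455")
    counter = ReplayCounter()
    for pn in (1, 2, 2, 3, 1):
        header = build_ccmp_header(pn)
        nonce = build_ccmp_nonce(0, a2, parse_pn(header))
        print(f"PN={pn} nonce={nonce.hex()} accepted={counter.accept(pn)}")
```

A real receiver keeps one ReplayCounter per temporal key and per sender (and per TID when QoS is in use), which is why the same PN reused by a different transmitter is not a replay, while a frame that repeats an already-accepted PN from the same sender is dropped before decryption.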
Encryption Attributes

Encryption | Encryption Algorithm | Encryption Key Length | Integrity Check Mechanism    | IV Size
WPA        | RC4, TKIP            | 128-bit               | Michael algorithm and CRC-32 | 48-bit
WEP initially provided data confidentiality on wireless networks, but it was weak and failed to
meet any of its security goals. WPA fixes most of WEP's problems. WPA2 makes wireless
networks almost as secure as wired networks. WPA2 supports authentication, so that only
authorized users can access the network. WEP should be replaced with either WPA or WPA2 in
order to secure a Wi-Fi network. Both WPA and WPA2 incorporate protections against forgery
and replay attacks. The previous slide provides a comparison between WEP, WPA, and WPA2
with respect to the encryption algorithm used, the size of the encryption key, the initialization
vector (IV) it produces, etc.
[Figure: Open System Authentication Process. Client attempting to connect, Access Point (AP),
switch or cable modem, Internet. Exchange: Probe Request; Probe Response (Security
Parameters); Open System Authentication Request; Open System Authentication Response;
Association Request (Security Parameters); Association Response (Security Parameters)]
Open System Authentication Process
In the open system authentication process, any wireless client that wants to access a Wi-Fi
network sends a request to the wireless AP for authentication. In this process, the station sends
an authentication management frame containing the identity of the sending station, for
authentication and connection with the other wireless stations. The AP then returns an
authentication frame to confirm access to the requesting station and completes the
authentication process.
Open System Authentication is a null authentication algorithm that does not verify whether the
requester is a user or a machine. It uses clear-text transmission to allow the device to associate
with an AP. In the absence of encryption, the device can use the SSID of an available WLAN to
gain access to the wireless network. The WEP key enabled on the access point acts as an access
control for entering the network. Any user entering the wrong WEP key cannot transmit messages
via the AP even though the authentication is successful. The device can only transmit messages
when its WEP key matches the WEP key of the access point. This authentication mechanism does
not depend on a RADIUS server on the network.
Advantage
• You can use this mechanism with wireless devices that do not support complex
authentication algorithms.
Disadvantage
• In this mechanism, there is no way to check whether someone is a genuine client or an
attacker. Anyone who knows the SSID can easily access the wireless network.
[Figure: Shared Key Authentication Process. Client attempting to connect sends an
authentication request to the AP; after the challenge exchange the client connects to the
network (AP, Internet)]
Shared Key Authentication Process
In this process, each wireless station receives a shared secret key over a secure channel that is
distinct from the 802.11 wireless network communication channels. The following steps
illustrate the establishment of a connection in the shared key authentication process:
• The station sends an authentication frame to the AP.
• The AP sends the challenge text to the station.
• The station encrypts the challenge text using its configured 64-bit or 128-bit
key and sends the encrypted text to the AP.
• The AP uses its configured WEP key to decrypt the encrypted text. The AP compares the
decrypted text with the original challenge text. If the decrypted text matches the original
challenge text, the AP authenticates the station.
• The station connects to the network.
The AP can reject the station if the decrypted text does not match the original challenge text,
and then the station will be unable to communicate with either the Ethernet network or 802.11
network.
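The four-frame exchange described above, as an added example that is not part of the original courseware or any vendor's code. Both sides are modelled: the AP issues a random challenge, the station returns it encrypted WEP-style (RC4 keyed with IV || WEP key, CRC-32 ICV appended) and the AP decrypts with its own key and compares. The 128-octet challenge length and the 13-byte (104-bit, "128-bit" counting the 24-bit IV) key are assumptions taken from the 802.11 WEP parameters, not from the text.

```python
"""Shared key authentication exchange between a station and an AP.

Illustrative code written for this page, not EC-Council's or any vendor's
code. RC4 and the WEP framing (24-bit IV, CRC-32 ICV) are the real WEP
primitives; the frame sequence follows the four-frame exchange in the text.
"""
import os
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (WEP's cipher); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4(IV || key) over plaintext || CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Decrypt and verify the ICV; return None when the ICV does not match."""
    plain = rc4(iv + key, ciphertext)
    body, icv = plain[:-4], plain[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != icv:
        return None
    return body


def shared_key_auth(station_key: bytes, ap_key: bytes,
                    challenge: Optional[bytes] = None,
                    iv: Optional[bytes] = None) -> bool:
    """Run the exchange and return True if the AP authenticates the station.

    Frame 1: station -> AP, authentication request (sequence 1).
    Frame 2: AP -> station, clear-text challenge (sequence 2).
    Frame 3: station -> AP, challenge encrypted under its WEP key (sequence 3).
    Frame 4: AP decrypts with its own key and compares (sequence 4).
    Keys are 5 bytes (40-bit) or 13 bytes (104-bit) in WEP.
    """
    # 802.11 uses a 128-octet challenge chosen by the AP (assumption from
    # the WEP specification, not from the text).
    challenge = os.urandom(128) if challenge is None else challenge
    iv = os.urandom(3) if iv is None else iv          # 24-bit IV, sent in clear
    frame3 = wep_encrypt(station_key, iv, challenge)  # station's response
    decrypted = wep_decrypt(ap_key, iv, frame3)       # AP's verification
    return decrypted == challenge


if __name__ == "__main__":
    # Constructed keys, not real credentials.
    good_key = bytes.fromhex("0102030405060708090a0b0c0d")
    wrong_key = bytes(13)
    print("matching key :", shared_key_auth(good_key, good_key))
    print("wrong key    :", shared_key_auth(wrong_key, good_key))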
Advantage
• It is more secure compared to an open key authentication method.
Disadvantage
• This mechanism is not suitable for large networks, as it requires long-key strings
configured on each device, which is a highly cumbersome task.
[Figure: 802.1X authentication with a RADIUS server (Client, Access Point, RADIUS Server).
Exchange, with some labels illegible in the source: client requests connection; the AP asks
the client for its identity; the AP forwards the identity to the RADIUS server; the RADIUS
server sends a request to the wireless client via the AP specifying the authentication
mechanism to be used; the wireless client responds to the RADIUS server via the AP; the
RADIUS server sends an encrypted authentication key to the AP; the AP sends a
multicast/global authentication key to the client]
The 802.1X standard provides centralized authentication. For 802.1X authentication to work on
a wireless network, the AP must be able to securely identify the traffic from a specific wireless
client. In this Wi-Fi authentication process, a centralized authentication server known as
Remote Authentication Dial In User Service (RADIUS) sends authentication keys to both the AP
and the clients that want to authenticate with the AP. This key enables the AP to identify a
particular wireless client.
• Denial-of-Service Attack: Wireless DoS attacks disrupt network wireless connections by
sending broadcast "de-authenticate" commands.
• WEP Cracking: Attackers sniff and capture packets and run a WEP cracking program to derive
the WEP key.
• WPA-PSK Cracking: Attackers sniff and capture authentication packets and run a brute force
attack to crack the WPA-PSK key.
• Man-in-the-Middle Attack: Attackers set up a rogue AP and spoof the client's MAC address to
position themselves between the real AP and the client to listen to all the traffic.
• RADIUS Replay: Attackers replay the valid RADIUS server response and successfully
authenticate to the client without valid credentials.
• Fragmentation Attack: Attackers obtain 1500 bytes of PRGA (pseudo random generation
algorithm) output to generate forged WEP packets, which are in turn used for various injection
attacks.
• ARP Poisoning Attack: An attacker spoofs the MAC of a client and attempts to authenticate
to the AP, which leads to updating the MAC address info in the network routers and switches.
• Jamming Signal Attack: An attacker stakes out the area from a nearby location with a high
gain amplifier, drowning out the legitimate access point.
Wireless proves to be an advanced networking option for Internet users. However, wireless
networks may pose various security risks that can affect the function of the entire network. The
wireless network can be at risk to various types of attacks, including access control attacks,
integrity attacks, confidentiality attacks, availability attacks, authentication attacks, etc.
War Driving
In a wardriving attack, wireless LANs are detected either by sending probe requests over a
connection or by listening to beacons. An attacker who discovers a penetration point can
launch further attacks on the LAN. Some of the tools that the attacker may use to perform
wardriving attacks are KisMAC, NetStumbler and WaveStumbler.
Client Mis-Association
The client may connect or associate with an AP outside the legitimate network, either
intentionally or accidentally. This is because the WLAN signals travel in the air, through walls
and other obstructions. This kind of client mis-association can lead to access control attacks.
Unauthorized Association
Unauthorized association is a major threat to a wireless network. Prevention of this kind of
attack depends on the method or technique that the attacker uses to become associated with
the network.
configure any of the critical security settings at any of the APs, the entire network could be
open to attack. If the networking devices are managed centrally, it can go unnoticed.
AP MAC Spoofing
Using the MAC spoofing technique, an attacker can reconfigure a MAC address to appear as an
authorized AP to a host on a trusted network. Tools for carrying out this kind of attack include
changemac.sh, SMAC, and Wicontrol.
WEP Cracking
It involves capturing data to recover a WEP key using a brute force or Fluhrer-Mantin-Shamir
(FMS) cryptanalysis.
WPA-PSK Cracking
Attackers use various sniffing tools like packet analyzers to sniff for authentication packets in
the network. With the brute force method, the attacker can crack the WPA-PSK key.
Man-in-the-Middle Attack
In an MITM attack, the attacker runs traditional MITM attack tools on an evil twin AP to
intercept TCP sessions or SSL/SSH tunnels.
RADIUS Replay
It involves capturing RADIUS Access-Accept or Reject messages for later replay. In this type of
attack, the attacker maliciously repeats the valid data.
Fragmentation Attack
A fragmentation attack is the process of breaking up a single packet into multiple packets of a
much smaller size. Fragmentation attacks can be performed through:
1. Ping of Death: It is a denial of service attack that utilizes the ping utility to create IP
packets. It uses fragmented ICMP packets which, when reassembled at the destination, exceed
the maximum allowable size of an IP datagram.
2. Tiny Fragment Attack: Small fragments are used to gather the TCP header information.
This attack targets the filtering rules set on the networking device.
3. Teardrop Attack: It causes the target machine to reboot or shut down. The attack occurs
on the IP protocol, which utilizes the offset fields of a UDP packet.
• Leaking Calendars and Address Books
• Terrorists could send false bomb threats to airlines using the phones of legitimate users
• Hackers could send many MMS messages with an international user's phone, resulting in a
high phone bill
• Protocol Vulnerabilities
• Mobile phone worms can exploit a Bluetooth connection to replicate and spread
• Attackers exploit Bluetooth pairings and communication protocols to steal data, make calls,
send messages, conduct DoS attacks on a device, start phone spying, etc.
Similar to wireless networks, Bluetooth devices are also at risk of compromise from various
threats. Attackers target the vulnerabilities in security configurations of Bluetooth devices to
gain access to confidential information and the network to which they are connected.
4. Social Engineering: Attackers can perform social engineering through the user's phone to
steal sensitive information from the intended victim.
5. Sending SMS Messages: Attackers can send messages with false bomb threats through a
user's mobile phone.
6. Malicious Code: An attacker can use Bluetooth-specific malicious code to infect a user's
device or gain access to the user's phone.
7. Causing Financial Losses: With the user's phone, an attacker can send a large number of
MMS messages, which is expensive, especially for large files and international
communication.
8. Protocol Vulnerabilities: Attackers can exploit vulnerabilities which already exist in the
core Bluetooth protocol of the devices, making them vulnerable to various types of attacks.
An attacker can easily compromise a wireless network if proper security measures are not
applied or if there is no appropriate network configuration. Lack of adequate knowledge and
skills can pose a large risk to the wireless network. Besides wireless network policies,
administrators need to apply various security measures and techniques to ensure the security
of their wireless network against various types of attacks. The administrator needs to focus on
the appropriate use of security controls and their effective configuration to defend their networks.
The following points should be clearly stated in the organization's wireless security policy.
• Describe conditions where wireless devices are allowed to use the network.
Furthermore, a successful and effective wireless security implementation should involve the
following:
• Configuration management and control to make sure the latest security patches and
features are available on wireless devices.
The following activities help administrators defend and maintain the security of the wireless
network.
[Figure: wireless network device inventory (screenshot of an inventory tool listing access
points with SSID, security mode such as WEP or WPA-PSK, 802.11 band and transmit power
in dBm)]
Network device inventory helps administrators consolidate all the updated network data and
devices. The inventory can help administrators quickly identify any non-functioning devices as
well as any rogue network devices which are present on the network. A list of those devices
that are not connected to the network should also be added to the list. This helps detect
unknown devices in the network. Regular scanning of the inventory is important. Through
scanning, administrators can determine the rogue network devices, problem devices, potential
vulnerabilities, which devices need a patch/update, etc. in the network. A network is only as
secure as its weakest link. Administrators should maintain information about all the devices
regardless of their configuration settings or the vendor.
An administrator should maintain the inventory either manually or with the help of an effective
inventory tracking solution. At times, an inventory tool may not automatically add a new
network device. In such scenarios, administrators are required to add the device to the
inventory list manually.
[Figure: recommended and not recommended AP placements]
• Install an AP on the ceiling
• Avoid placing APs too high on ceilings
• Avoid mounting an AP on a wall as it may restrict its 360 degree coverage
• Avoid installing APs in corridors
• Avoid installing APs above suspended ceilings
The appropriate location of APs is important as it plays a vital role in achieving a high network
performance, coverage and speed. Many organizations have their APs placed across their
interior spaces. Every AP requires installation at a specific location and angle. Installation of APs
at random locations will restrict the network performance. Plan the coverage area wisely.
Overlap is good. Be careful to not create dead-zones.
Below are guidelines that help with placing APs at appropriate locations and to achieve the
maximum coverage, performance and speed.
• APs with an antenna cover a circular area and can be obstructed by walls, metal shutters
or furniture. It is good practice to set up APs at a location with no interference. Place the
AP within line of sight so that users get the maximum network performance from it.
• The ideal placement of an AP is the ceiling, although this will not always be feasible in
organizations with very high ceilings. Setting up an AP correctly on the ceiling is also
important. An AP that is facing upwards will not provide good coverage and will drastically
impact the network performance. It is beneficial to mount the AP upside down to get optimal
network performance.
• Placing APs on a desk is not part of a good network infrastructure implementation. APs
placed on a desk encounter large amounts of interference from phones, Bluetooth devices,
furniture, etc. All these interferences will nullify the wireless connectivity.
Placement of a Wireless Antenna
• Placement of an antenna depends on the type, angle, location of the AP and the coverage
required
• Antenna placement guidelines:
• Use trial and error to select an appropriate location and direction
• Place the AP antenna in a perpendicular direction
• Avoid keeping the antenna at a 45 degree angle
• Point the antenna gain toward users
[Figure: Wi-Fi router placement relative to a metal filing cabinet and a mirror]
• A wireless device should be placed in the center of a room with proper positioning of the
antennas. The antennas should be positioned vertically, especially in a spacious interior.
• Use third party applications to help find the best location for placing the device.
Applications like HeatMapper build a map of the interior and, according to the map
produced, provide a guide that helps place the device in the best location.
• Choose an appropriate band and channel for the wireless antenna to work on. A reliable
frequency starts from 2.4 GHz. Establish a frequency that is compatible with the wireless
device and can travel through walls. To analyze an appropriate channel, use applications
like WiFi Analyzer.
• Replace the wireless antenna to get better networking results. Set up omnidirectional
antennas that will help improve the range of the wireless environment.
• Try to avoid keeping the wireless devices near objects that interfere with EM radiation. CRT
TVs, monitors and loudspeakers are some of the devices that should not be placed near the
wireless device.
• Use a trial and error method to determine the best location of the wireless device.
• This discourages unauthorized association requests to the network and permits connections
from legitimate users to the wireless network who have the correct SSID
The SSID is the character sequence or code that is attached to each packet in a wireless
network. It is used to identify the network a packet belongs to when there are a number of
networks present. The code can contain a maximum of 32 alphanumeric characters. All wireless
devices that communicate with each other have the same SSID. An SSID is used to uniquely
identify a set of wireless network devices that work in the given service set.
A wireless network SSID can be either broadcast or hidden. By broadcasting an SSID, anyone can
find it and access it. If the SSID is hidden, the user has to know the exact SSID in order to
connect to the wireless network. Network administrators should always disable SSID
broadcasting on their devices.
• Select a stronger wireless encryption mode for the wireless network
• Order of preference:
2. WPA2 Enterprise
3. WPA2 PSK
4. WPA Enterprise
5. WPA
[Figure: Linksys router "Wireless Security" settings page. Security Mode: you may choose from
Disabled, WPA Personal, WPA Enterprise, WPA2 Personal, WPA2 Enterprise, RADIUS, WEP.
All devices on your network must use the same security mode in order to communicate.]
Administrators should use a strong wireless encryption mode to keep their wireless network
safe from various types of attacks. There are various encryption modes that can be used for the
organization's wireless network.
Most wireless routers have MAC address filtering capabilities. The MAC address filtering
feature permits access to known MAC addresses only and restricts all others.
MAC address filtering has two options, open or closed. In a closed MAC filter, only the listed
addresses are permitted to access the network. This option is a more secure way of controlling
access to the network. In an open MAC filter, the addresses listed in the filter are prevented
from accessing the network. This is not always practical in a large network.
MAC address filtering maintains the list of all known MAC addresses. When a user tries to enter
the network, the access point first checks the user's MAC address against the list of MAC
addresses stored locally. If the user's MAC address matches an address in the list, then the
access point allows the user to enter and access the wireless network.
In this technique, the client authentication is based on MAC addresses. This type of
authentication is more secure compared to an open and a shared authentication method.
However, an attacker can bypass this filtering technique with the help of a MAC spoofing
attack. This authentication method minimizes unauthorized users accessing the network.
• Network administrators must continuously monitor and analyze the wireless network traffic for
any abnormalities
• Use the Wireshark sniffing tool to conduct the wireless traffic monitoring and analysis
Administrators are required to monitor the traffic of a wireless network in order to find any
abnormalities or signs of an attack. Just like a wired network, the network traffic on a wireless
network can be monitored using packet sniffing utilities such as Wireshark. Select the wireless
network interface corresponding to the wireless router and start sniffing the traffic on it. Look
for traffic based on the 802.11 standard wireless protocols, which denotes wireless network
traffic. Apply display filters to isolate the traffic of interest for the particular analysis.
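One abnormality worth looking for in such a capture is the broadcast de-authentication flood listed earlier under Denial-of-Service attacks. The following is an added example for this page (not EC-Council's or Wireshark's code) that runs a simple sliding-window detector over exported management-frame records. The comma-separated record layout (relative time, frame type, subtype, source, destination) is an assumption; it corresponds to what an export of the Wireshark fields frame.time_relative, wlan.fc.type, wlan.fc.subtype, wlan.sa and wlan.da would contain. The log lines are constructed, not a real capture.

```python
"""Deauthentication-flood detection over an 802.11 management-frame log.

Illustrative code written for this page, not EC-Council's or Wireshark's.
The record layout ts,type,subtype,src,dst is an assumption (it matches an
export of frame.time_relative, wlan.fc.type, wlan.fc.subtype, wlan.sa and
wlan.da), and the sample log below is constructed.
"""
from collections import defaultdict, deque
from typing import Dict, List

DEAUTH = (0, 12)    # management frame, subtype deauthentication
DISASSOC = (0, 10)  # management frame, subtype disassociation
BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_frame_line(line: str) -> Dict:
    """Split one record into typed fields."""
    ts, ftype, subtype, src, dst = [f.strip() for f in line.split(",")]
    return {"ts": float(ts), "type": int(ftype), "subtype": int(subtype),
            "src": src.lower(), "dst": dst.lower()}


def detect_deauth_flood(lines: List[str], window_s: float = 2.0,
                        threshold: int = 10) -> List[Dict]:
    """Alert once per sender that emits >= threshold deauth/disassoc frames
    within any window_s seconds. Records must be in time order."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_frame_line(line)
        if (f["type"], f["subtype"]) not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["src"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and f["src"] not in alerted:
            alerted.add(f["src"])
            alerts.append({"src": f["src"], "first_ts": q[0], "ts": f["ts"],
                           "count": len(q),
                           "broadcast": f["dst"] == BROADCAST})
    return alerts


AP = "00:11:22:33:44:55"         # constructed addresses
CLIENT = "aa:bb:cc:dd:ee:01"
FLOODER = "de:ad:be:ef:00:01"

# Constructed sample log: one beacon, one data frame, twelve broadcast
# deauth frames in 1.1 s from an unknown sender, then one legitimate
# deauth from the AP to a single client.
SAMPLE_LOG = [
    "# ts,type,subtype,src,dst",
    f"9.5,0,8,{AP},{BROADCAST}",
    f"9.8,2,0,{CLIENT},{AP}",
    *[f"{10.0 + 0.1 * i:.1f},0,12,{FLOODER},{BROADCAST}" for i in range(12)],
    f"12.0,0,12,{AP},{CLIENT}",
]

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_LOG):
        print(alert)
```

The single deauth the AP itself sends at 12.0 s does not trigger anything, while the unknown sender crosses the threshold at its tenth frame; the broadcast flag and the source address are what an analyst would pivot on next (is that source an inventoried AP, and is the destination everyone).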
• The only way to crack WPA is to sniff the password PMK associated with the "handshake"
authentication process, and if this password is extremely complicated, it might be almost
impossible to crack
• Select a random passphrase that is not made up of dictionary words
• Select a complex passphrase which contains a minimum of 20 characters and change the
passphrase at regular intervals
• Random
• At least 12 characters in length
• Contains at least one upper-case letter
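A passphrase policy like the one above is easy to turn into an automated check. The following is an added example for this page (not EC-Council's code): it applies the slide's rules (minimum length, an upper-case letter, no dictionary words) and, as additions of mine, also requires a lower-case letter and a digit and enforces the 8 to 63 printable-ASCII range that WPA-PSK imposes on passphrases. The word list is a constructed stand-in for a real dictionary or breached-password list.

```python
"""Checking a WPA/WPA2-PSK passphrase against the guidance in the text.

Illustrative code written for this page, not EC-Council's. COMMON_WORDS is
a constructed stand-in for a dictionary; the 8-63 printable-ASCII limit is
WPA-PSK's own rule; the lower-case and digit checks are additions beyond
the slide's list.
"""
import math
import re
import string
from typing import List

# Constructed stand-in for a dictionary / breached-password list.
COMMON_WORDS = {"password", "wireless", "admin", "network", "welcome",
                "qwerty", "letmein", "company", "wifi"}

CONTROL_WHITESPACE = "\t\n\r\x0b\x0c"  # printable in Python, not in WPA-PSK


def check_passphrase(pw: str, min_length: int = 20,
                     wordlist=COMMON_WORDS) -> List[str]:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if (not 8 <= len(pw) <= 63
            or any(c not in string.printable or c in CONTROL_WHITESPACE
                   for c in pw)):
        problems.append("not 8-63 printable ASCII characters as WPA-PSK requires")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    # Split into alphabetic runs so "Password123" still reveals "password".
    for word in re.findall(r"[a-z]+", pw.lower()):
        if word in wordlist:
            problems.append(f"contains a dictionary word: {word}")
    return problems


def estimate_entropy_bits(pw: str) -> float:
    """Rough upper bound that assumes every character was drawn uniformly
    from the union of the character classes actually present."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 32  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ("Password123", "Xq7#vLm2!pRw9$tBn4&kZs"):
        print(candidate, check_passphrase(candidate),
              f"{estimate_entropy_bits(candidate):.0f} bits (upper bound)")
```

The entropy figure is only an upper bound: a passphrase built from words or keyboard patterns has far less randomness than its length suggests, which is why the dictionary check runs even when the length rule is satisfied.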
• Perform wireless network scanning to detect the presence of wireless access points in the
vicinity
• Discovery of an AP not listed in the wireless device inventory indicates the presence of a
rogue AP
• Use wireless discovery tools such as inSSIDer, NetSurveyor, NetStumbler, Vistumbler, Kismet,
etc. to detect wireless networks
• Use network scanners such as Nmap to identify APs on the network. It will help locate rogue
devices on the wired network
• Use the Simple Network Management Protocol (SNMP) to identify the IP devices attached to
the wired network
• Use the SNScan SNMP Detection utility to identify SNMP enabled devices on the network
Note: To use SNMP polling, enable the SNMP service on all IP devices in the network
A wireless access point is termed a rogue access point when it is installed on a trusted network
without authorization. An inside or outside attacker can install rogue access points on a trusted
network for their malicious intent.
Types of Rogue Access Points:
1. Wireless router connected via the "trusted" interface
• It will help detect unauthorized or hidden wireless access points that can be malicious.
• Use wireless discovery tools such as inSSIDer, NetSurveyor, NetStumbler, Vistumbler,
Kismet, etc. to detect wireless networks.
3. SNMP Polling:
• Use Simple Network Management Protocol (SNMP) polling to identify IP devices
attached to the wired network.
• Use SNScan SNMP Detection Utility to identify SNMP enabled devices on the network.
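The network device inventory described earlier and the wireless scan described here come together in one step: every BSSID a discovery tool reports is compared with the inventory. The following is an added example for this page (not EC-Council's code, nor the output format of any of the tools named). The inventory and the scan results are constructed; MAC addresses are normalized first so that a tool reporting 00-11-22-33-44-55 still matches an inventory entry written as 00:11:22:33:44:55. Beyond the single "not in inventory" rule in the text it also separates an unknown BSSID advertising one of the organization's own SSIDs (an evil-twin candidate) from a plainly unknown network, and lists inventoried APs that were not heard at all.

```python
"""Comparing a wireless scan with the AP inventory to flag rogue APs.

Illustrative code written for this page, not EC-Council's or any tool's
code. The inventory and scan results are constructed; in practice the scan
rows would come from a discovery tool such as those listed on this page.
"""
from typing import Dict, List, Tuple

Inventory = Dict[str, Tuple[str, str]]   # bssid -> (ssid, location)
ScanEntry = Tuple[str, str, int, int]    # bssid, ssid, channel, rssi in dBm


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-11-22-33-44-55 and
    0011.2233.4455 both become 00:11:22:33:44:55."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify_scan(scan: List[ScanEntry],
                  inventory: Inventory) -> Dict[str, List[str]]:
    """Sort every observed BSSID into a bucket and list inventoried APs
    that were not seen.

    authorized : BSSID in inventory, SSID as recorded
    mismatch   : BSSID in inventory but advertising a different SSID
                 (misconfiguration, or a spoofed BSSID)
    evil_twin  : unknown BSSID advertising one of our SSIDs
    unknown    : unknown BSSID and unknown SSID (a rogue AP or a
                 neighbor; the wired-side Nmap/SNMP check decides which)
    missing    : inventoried AP not heard, possibly down or moved
    """
    inv = {normalize_mac(b): v for b, v in inventory.items()}
    our_ssids = {ssid for ssid, _ in inv.values()}
    result: Dict[str, List[str]] = {"authorized": [], "mismatch": [],
                                    "evil_twin": [], "unknown": [],
                                    "missing": []}
    seen = set()
    for bssid, ssid, _channel, _rssi in scan:
        b = normalize_mac(bssid)
        seen.add(b)
        if b in inv:
            bucket = "authorized" if inv[b][0] == ssid else "mismatch"
            result[bucket].append(b)
        elif ssid in our_ssids:
            result["evil_twin"].append(b)
        else:
            result["unknown"].append(b)
    result["missing"] = sorted(set(inv) - seen)
    return result


# Constructed inventory and scan output (not real devices).
AUTHORIZED_APS: Inventory = {
    "00:11:22:33:44:55": ("CorpNet", "floor 1 ceiling"),
    "00:11:22:33:44:66": ("CorpNet", "floor 2 ceiling"),
    "00:11:22:33:44:77": ("CorpGuest", "lobby ceiling"),
}
SCAN_RESULTS: List[ScanEntry] = [
    ("00-11-22-33-44-55", "CorpNet", 6, -45),        # ours, dash notation
    ("00:11:22:33:44:77", "CorpNet", 1, -50),        # ours, SSID changed
    ("de:ad:be:ef:00:01", "CorpNet", 6, -40),        # our SSID, strange BSSID
    ("aa:bb:cc:dd:ee:ff", "Guest-Printer", 11, -75),  # unknown network
]

if __name__ == "__main__":
    for bucket, bssids in classify_scan(SCAN_RESULTS, AUTHORIZED_APS).items():
        print(f"{bucket:10s} {bssids}")
```

An entry in the unknown bucket is only a rogue if it is also plugged into the wired network, which is exactly what the Nmap and SNMP polling steps above establish; an evil-twin candidate, by contrast, is worth investigating even when it is not on the wire.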
Administrators can use the following Wi-Fi discovery tools for their wireless network scanning
activity.
inSSIDer
Source: http://www.inssider.com
inSSIDer is an open source, multi-platform Wi-Fi scanner. It provides the user with
information about the proper channeling of a wireless network, while offering the ability to
check co-channel effects and overlapping networks. The application uses the native Wi-Fi API and
the user's NIC and sorts the results by MAC address, SSID, channel, RSSI, vendor, data
rate, signal strength and Time Last Seen. Features: inspect the WLAN and surrounding networks to
troubleshoot competing APs, track the strength of the received signal in dBm over time, filter
APs, highlight APs in areas with high Wi-Fi concentration, export Wi-Fi and GPS data to a KML
file to view in Google Earth, show which Wi-Fi network channels overlap, and compatibility with
GPS devices.
NetSurveyor
Source: http://nutsaboutnets.com
NetSurveyor is an 802.11 (Wi-Fi) network discovery tool that gathers information about nearby
wireless APs in real time and displays it in useful ways. It displays the data using a variety of
different diagnostic views and charts. It records and plays back the data. Features: provides six
graphical diagnostic views, generates reports in Adobe PDF format that include the list of APs
and their properties along with images, supports most wireless adapters installed with an NDIS
5.x driver or later.
Copyright© by EC-Co■ncil. All Rights Reserved. Reproduction is Strictly Prohibited.
Vistumbler
Source: http://www.vistumbler.net
Vistumbler Features:
• GPS support
• Export/import APs from Vistumbler TXT/VS1/VSZ or Netstumbler TXT/Text NS1
• Export AP GPS locations to a Google Earth KML file or GPX (GPS exchange format)
• Live Google Earth Tracking: auto KML automatically shows APs in Google Earth
• Speaks signal strength using sound files, the Windows sound API, or MIDI
NetStumbler
Source: http://www.netstumbler.com
NetStumbler Uses:
• Wardriving
In addition to those discussed already, there are many tools administrators can use to discover
rogue wireless networks:
WirelessMon
Source: http://www.passmark.com
WirelessMon is a software tool that allows users to monitor the status of wireless Wi-Fi
adapter(s) and gather information about nearby wireless APs and hot spots in real time. It can
log the information it collects, while also providing comprehensive graphing of signal level and
real time IP and 802.11 Wi-Fi statistics.
Kismet
Source: https://www.kismetwireless.net
Kismet is an 802.11 layer 2 wireless network detector, sniffer, and intrusion detection system.
Kismet will work with any wireless NIC that supports raw monitoring (rfmon) mode, and (with
appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also
supports plugins, which allow sniffing other media such as DECT.
WiFi Hopper
Source: http://wifihopper.com
WiFi Hopper is a WLAN utility that performs Network Discovery and Site Survey. It includes a
collection of network details, filters, RSSI graphing, as well as built-in GPS support for
identification and advanced characterization of neighboring wireless devices. WiFi Hopper can
connect to unsecured, WEP, WPA-PSK and WPA2-PSK networks directly from within the
application.
Wavestumbler
Source: http://www.cqure.net
Wavestumbler is a console-based 802.11 network mapper for Linux. It reports AP details like
channel, WEP, ESSID, MAC, etc. It has support for Hermes-based cards including Compaq and
Lucent/Agere.
iStumbler
Source: http://www.istumbler.net
iStumbler is a wireless discovery tool that provides plugins for finding, as well as information
on, AirPort networks, Bluetooth devices, Bonjour services and location information on Mac-based
devices.
WiFinder
Source: http://www.pgmsoft.com
WiFinder is a wireless network discovery tool for Android-based devices allowing the user to
connect with all types of Wi-Fi networks, including Open, WEP, WPA and WPA2.
Wellenreiter
Source: http://wellenreiter.sourceforge.net
Wellenreiter is a wireless network discovery and auditing tool that supports Prism2, Lucent, and
Cisco-based cards. It is a Linux scanning tool capable of discovering BSS/IBSS networks and
detecting ESSID broadcasting or non-broadcasting networks and their WEP capabilities, as well
as the hardware manufacturers. Wellenreiter is available in two flavors: the Perl/GTK
based version and the Wellenreiter II C++ based version.
AirCheck Wi-Fi Tester
Source: http://www.flukenetworks.com
AirCheck Wi-Fi Tester is a Wi-Fi troubleshooting tool designed to troubleshoot most of
the common issues with Wi-Fi networks. The tool provides enterprise, carrier Wi-Fi hotspot,
and residential Wi-Fi deployments with the ability to validate and troubleshoot issues.
AirRadar 2
Source: http://www.koingosw.com
AirRadar 2 is a wireless network discovery and maintenance tool specifically built for the Apple
Mac OS. The tool enables personalized scanning of open wireless networks and allows the user
to tag or filter them out.
Xirrus Wi-Fi Inspector
Source: http://www.xirrus.com
Xirrus Wi-Fi Inspector is a utility for monitoring Wi-Fi networks and managing the Wi-Fi
operation of a laptop. It provides information about available Wi-Fi networks, management of a
laptop's Wi-Fi connection, and tools to troubleshoot Wi-Fi connectivity issues.
Once a rogue access point is detected in the network, the next step is to trace its location in the
organization. This can be done with AirCheck Wi-Fi Tester. It helps find the exact location of any
wireless access point. It is a handheld wireless tester. The AirCheck Wi-Fi Tester must be carried
around to track the rogue access point. It detects the access point based on the signal strength.
Track down rogue and other APs by graphing the signal strength over time or by using an
audible indication, which can be muted.
Source: www.flukenetworks.com
RF Spectrum analyzers:
Wireless networks are often susceptible to Denial of Service (DoS) attacks, because they use a
shared transmission medium. DoS attacks may be carried out at various layers of the OSI model;
at the physical layer, the DoS attack is carried out through signal jamming or intentional
interference.
Wireless networks use radio frequencies for communication, and RF spectrum analyzing tools
can help detect radio frequency interference.
There are various RF spectrum analyzers available:
AirMagnet Spectrum XT
Source: http://www.flukenetworks.com
AirMagnet Spectrum identifies the radio frequency interference impacting a wireless network's
performance.
Wi-Fi Surveyor
Source: http://rfexplorer.com
Wi-Fi Surveyor provides the following services:
• Displays the RF environment
• Monitors RF signals
• Troubleshoots RF issues
• Detects sources of RF interference
Wi-Fi surveyor helps detect the wireless devices and RF interference in the network that may
affect the network's performance.
Ekahau Spectrum Analyzer
Source: http://www.ekahau.com
Ekahau Spectrum Analyzer is a device that assists in determining which devices are causing the interference.
Locate and Mitigate the risks posed by the current configuration of a wireless network
A wireless network should be regularly checked for possible vulnerabilities. Parameters such as
security, performance and speed should be considered while performing the assessment. This
helps to ensure that the wireless network is adequately protected from attacks. Use various
security assessment and vulnerability scanning tools to find the potential vulnerabilities.
• Check that a proper and up-to-date inventory is maintained for all wireless network devices
• Check the location of access points to make sure they are properly placed
• Check that the wireless antennas are pointing in the right direction
• Discover new wireless devices
• Document all the findings for new wireless devices
• If a discovered wireless device is using the Wi-Fi network, check whether it is using weak encryption
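The checklist above turned into a repeatable check, as an added example that is not courseware or vendor code: a constructed Wi-Fi scan is compared against an authorized-AP inventory, Open/WEP encryption is flagged, and unknown APs are located by matching their BSSID against a constructed switch MAC-address table (the inventory, MAC table and scan results are all sample data).

```python
"""Wireless assessment checklist as code: an added example, not part of the
CND courseware or any vendor tool. It checks a (constructed) Wi-Fi scan against
an authorized-AP inventory, flags Open/WEP encryption, and locates unknown APs
by matching their BSSID against a (constructed) switch MAC-address table."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Encryption modes the checklist counts as weak.
WEAK_ENCRYPTION = {"OPEN", "WEP"}


@dataclass
class ScannedAP:
    ssid: str
    bssid: str
    encryption: str   # "OPEN", "WEP", "WPA2", ...
    signal_dbm: int


@dataclass
class Finding:
    bssid: str
    ssid: str
    authorized: bool
    weak_encryption: bool
    wired_port: Optional[str]   # switch port where the BSSID was learned, if any
    risk: int                   # 0 (benign) .. 100 (unencrypted AP on our wire)


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff or AA:BB:... and return lower-case colon form."""
    return mac.strip().replace("-", ":").lower()


def risk_score(authorized: bool, weak: bool, on_wire: bool) -> int:
    # An unencrypted AP plugged into our own network is the worst case (100%).
    if on_wire and weak:
        return 100
    if on_wire and not authorized:        # rogue AP bridged into the LAN
        return 80
    if not authorized:                    # unknown, not seen on our switches:
        return 40                         # probably a neighbour, still document it
    if weak:                              # our own AP running Open/WEP
        return 50
    return 0


def audit(scans: List[ScannedAP], inventory: Dict[str, str],
          mac_table: Dict[str, str]) -> List[Finding]:
    """Classify every scanned AP; highest risk first."""
    findings = []
    for ap in scans:
        bssid = normalize_mac(ap.bssid)
        port = mac_table.get(bssid)
        authorized = bssid in inventory
        weak = ap.encryption.upper() in WEAK_ENCRYPTION
        findings.append(Finding(bssid, ap.ssid, authorized, weak, port,
                                risk_score(authorized, weak, port is not None)))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def new_devices(findings: List[Finding]) -> List[Finding]:
    """The 'discover new wireless devices' step: everything not in inventory."""
    return [f for f in findings if not f.authorized]


# --- constructed sample data -------------------------------------------------
INVENTORY: Dict[str, str] = {          # authorized BSSID -> location
    "00:11:22:33:44:01": "Corp-AP-1, floor 1",
    "00:11:22:33:44:02": "Corp-AP-2, floor 2",
}
MAC_TABLE: Dict[str, str] = {          # MAC learned on switch port (constructed)
    "00:11:22:33:44:01": "sw1 Gi1/0/5",
    "00:11:22:33:44:02": "sw1 Gi1/0/6",
    "aa:bb:cc:dd:ee:10": "sw2 Gi1/0/17",
}
SCANS: List[ScannedAP] = [
    ScannedAP("CorpWiFi", "00:11:22:33:44:01", "WPA2", -45),
    ScannedAP("CorpWiFi", "00-11-22-33-44-02", "WPA2", -60),
    ScannedAP("Free WiFi", "AA:BB:CC:DD:EE:10", "OPEN", -50),  # open AP on sw2
    ScannedAP("Neighbour", "de:ad:be:ef:00:01", "WPA2", -85),
    ScannedAP("Printer-Setup", "de:ad:be:ef:00:02", "WEP", -70),
]

if __name__ == "__main__":
    for f in audit(SCANS, INVENTORY, MAC_TABLE):
        where = f.wired_port or "not seen on our switches"
        print(f"{f.risk:3d}%  {f.bssid}  {f.ssid:14s} {where}")
```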
AirMagnet Wi-Fi Analyzer
AirMagnet Wi-Fi Analyzer offers continuous evaluation of the wireless channels, devices,
speeds, interference issues and RF spectrum. It automatically detects security threats and
wireless network vulnerabilities as well as common wireless performance issues, including
throughput issues, connectivity issues, device conflicts and signal multipath problems.
AirMagnet Wi-Fi Analyzer can detect Wi-Fi attacks such as DoS attacks,
authentication/encryption attacks, network penetration attacks, etc. It can easily locate
unauthorized (rogue) devices or any policy violator. The tool examines 802.11a/b/g/n and 5 GHz
channels for interference and can be installed on PCs, laptops, tablets, etc. in order to assess
interference issues.
Source: http://www.flukenetworks.com
Elcomsoft Wireless Security Auditor
Elcomsoft Wireless Security Auditor allows you to verify the security of a company's wireless
network by executing an audit of accessible wireless networks. It comes with a built-in wireless
network sniffer (with AirPcap adapters). It attempts to recover the original WPA/WPA2-PSK text
passwords in order to test how secure the wireless environment is.
Source: http://www.elcomsoft.com
WepAttack
Source: http://wepattack.sourceforge.net
WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based
on an active dictionary attack that tests millions of words to find the right key.
Wesside-ng
Source: http://www.aircrack-ng.org
Wesside-ng incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It
first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random
generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and
finally determine the WEP key.
Aircrack-ng
Source: http://www.aircrack-ng.org
Aircrack-ng is a complete suite of tools to assess Wi-Fi network security.
• Monitoring: Packet capture and export of data to text files for further processing by third
party tools.
• Attacking: Replay attacks, de-authentication, fake access points and others via packet
injection.
• Testing: Checking Wi-Fi cards and driver capabilities (capture and injection).
WEPCrack
Source: http://wepcrack.sourceforge.net
WEPCrack is an open source tool for breaking 802.11 WEP secret keys. It cracks 802.11 WEP
encryption keys using the latest discovered weakness of RC4 key scheduling.
WepDecrypt
Source: http://wepdecrypt.sourceforge.net
WepDecrypt guesses WEP Keys based on an active dictionary attack, key generator, distributed
network attack and some other methods.
Portable Penetrator
Source: https://www.secpoint.com
With Portable Penetrator, you can recover Wi-Fi passwords (WEP, WPA, WPA2) and WPS PINs. It
can reveal Wi-Fi passwords from access points using WEP, WPA, WPA2 or WPS.
Cloud Cracker
Source: https://www.cloudcracker.com/
Cloud Cracker is an online password cracking service that helps check the security of
WPA-protected wireless networks, crack password hashes or break document encryption.
coWPAtty
Source: http://sourceforge.net
coWPAtty is designed to audit the security of pre-shared keys selected in WiFi Protected Access
(WPA) networks.
Infernal-Twin tool
Source: https://github.com
• WPA2 cracking
• WEP cracking
CommView for WiFi
Source: http://www.tamos.com
CommView for WiFi captures every packet on the air to display important information such as
the list of access points and stations, per-node and per-channel statistics, signal strength, a list
of packets and network connections and protocol distribution charts.
Wi-Fi vulnerability scanning tools determine the weaknesses in wireless networks so that they can
be secured before attackers exploit them. Wi-Fi vulnerability scanning tools include:
Zenmap
Source: http://nmap.org
Zenmap is a multi-platform GUI for the Nmap Security Scanner, which is useful for scanning
vulnerabilities on wireless networks. This tool saves the vulnerability scans as profiles to make
them run repeatedly. The results of recent scans are stored in a searchable database.
Nessus
Source: http://www.tenable.com
Nessus is a vulnerability, configuration and compliance scanner. It features high -speed
discovery, configuration auditing, asset profiling, malware detection, sensitive data discovery,
patch management integration and vulnerability analysis of a wireless network.
OSWA-Assistant
Source: http://securitystartshere.org
The Organizational Systems Wireless Auditor Assistant (OSWA-Assistant) is a wireless auditing
toolkit. This toolkit can be used for wireless security/auditing to execute technical wireless
security testing against a wireless infrastructure and clients.
WiFizoo
Source: http://www.darknet.org.uk
WiFizoo tool is intended to get all the possible info from open wifi networks (and possibly
encrypted networks, at least with WEP) without joining any network and covering all WiFi
channels.
Nexpose
Source: http://www.rapid7.com
Nexpose is a vulnerability management application that analyzes vulnerabilities, controls and
configurations to find security risks. It uses RealContext, RealRisk and the attacker's mindset to
prioritize and drive risk reduction. This tool helps a user to understand the network, prioritize
and manage risks effectively.
WiFish Finder
Source: http://www.airtightnetworks.com
WiFish Finder is a vulnerability assessment tool that determines if active Wi-Fi devices are
vulnerable to 'Wi-Fishing' attacks. A user can perform this assessment through a combination of
passive traffic sniffing and active probing techniques. Most Wi-Fi clients keep a memory of
networks (SSIDs) they have connected to in the past. Wi-Fish Finder first builds a list of probed
networks and then determines the security setting of each probed network. A client is a fishing
target if it is actively seeking to connect to an OPEN or a WEP network.
Penetrator Vulnerability Scanning Appliance
Source: http://www.secpoint.com
The Penetrator Vulnerability Scanning Appliance is a vulnerability-scanning tool that discovers
vulnerabilities in firewalls, routers, Windows, Linux, Mac, mobile devices, printers and any
device with an IP address. The tool can scan both public and local IP addresses.
SILICA
Source: http://www.immunityinc.com
SILICA is a vulnerability scanner that determines the true risk of a specific AP. SILICA does this
by intrusively leveraging vulnerabilities and determining which assets behind the vulnerable AP
can be compromised. SILICA also reports whether an attacker can successfully exploit the
vulnerability.
Wireless Network Vulnerability Assessment (SECNAP)
Source: https://www.secnap.com
A Vulnerability Assessment Unit (VAU) is deployed onsite to perform the network scans that are
central to this assessment, and it remains active onsite throughout the assessment. SECNAP
audit staff install the VAU after receiving a completed pre-installation questionnaire and holding a
conference call with the IT and security team. This ensures that a properly sized VAU is used
for the engagement and identifies the IP address ranges to be tested and excluded. Since the
VAU is not placed in-line with the client's Internet connection, there is generally no impact on the
network during installation.
A wireless intrusion prevention system (WIPS) is a network device that monitors the radio
spectrum to detect access points operating in nearby locations without the host's permission
(intrusion detection). It can also apply countermeasures automatically. Wireless intrusion
prevention systems protect networks against wireless threats and give administrators the ability
to detect and prevent various network attacks.
Figure: wireless threats detected by a WIPS, including Airsnarf attack, day-zero attack, unauthorized association, probe and network discovery, fragmentation attack and honeypot.
A wireless intrusion detection system (WIDS) is a tool that collects data about user activity. It
monitors unauthorized network activity, policy violations and known patterns of recognized
wireless threats. It alerts the system administrator if it finds any anomalies in the network, such as
a rogue wireless AP or unencrypted traffic. Wireless intrusion prevention systems (WIPS)
provide additional features beyond a WIDS to prevent wireless threats.
Consisting of three components:
Figure: WIPS deployment showing the authentication server, database server and mail server behind Wi-Fi access points that are monitored by a Wi-Fi intrusion prevention system.
• Access Points in Monitor Mode: Provides constant channel scanning with attack
detection and packet capture capabilities.
• Mobility Services Engine (running wireless IPS Service): The central point of alarm
aggregation from all controllers and their respective wireless IPS Monitor Mode Access
Points. Alarm information and forensic files are stored on the system for archival
purposes.
• Local Mode Access Point(s): Provides wireless service to clients in addition to time-sliced
rogue and location scanning.
• Wireless LAN Controller(s): Forwards attack information from wireless IPS Monitor Mode
Access Points to the MSE and distributes configuration parameters to APs.
• Wireless Control System: Provides the administrator with the means to configure the
wireless IPS Service on the MSE, push wireless IPS configurations to the controller and set
APs in wireless IPS Monitor mode. It also allows the user to view wireless IPS alarms,
forensics, reporting and access the threat encyclopedia.
Adaptive Wireless IPS (WIPS)
Adaptive Wireless IPS (WIPS) provides specific network threat detection and mitigation against
malicious attacks, security vulnerabilities and sources of performance disruption. It provides the
ability to detect, analyze and identify wireless threats. It also delivers proactive threat
prevention capabilities for a hardened wireless network core that resists most wireless attacks,
allowing customers to maintain constant awareness of their RF environment.
Source: http://www.corecom.com
Wi-Fi intrusion prevention systems block wireless threats by automatically scanning, detecting
and classifying unauthorized wireless access and rogue traffic to the network. This prevents
neighboring users or skilled hackers from gaining unauthorized access to the Wi-Fi networking
resources. The following Wi-Fi intrusion prevention systems can be useful in preventing the
various threats to a wireless network:
Extreme Networks Intrusion Prevention System
Source: http://www.extremenetworks.com
The Intrusion Prevention System (IPS) gathers evidence of an attacker's activity, removes the
attacker's access to the network and reconfigures the network to resist the attacker's
penetration technique. It ensures the confidentiality, integrity and availability of critical
resources with intrusion prevention capabilities. These include in -line intrusion prevention to
provide advanced security in a specific location, distributed intrusion prevention to automate
response to threats in real -time, out-of-band intrusion detection that simultaneously utilizes
multiple response technologies, forensics tools for session reconstruction to simplify threat
mitigation/ resolution and threat containment that leverages existing network investments.
RFProtect
Source: http://www.arubanetworks.com
RFProtect software prevents Denial-of-Service and Man-in-the-Middle attacks and mitigates
over-the-air security threats.
Dell SonicWALL Clean Wireless
Source: http://www.sonicwall.com
Dell SonicWALL Clean Wireless combines 802.11n technology with network security appliances
to deliver comprehensive network security and performance while simplifying set-up and
management of 802.11-based wireless networks. SonicPoint-N Series wireless APs used in
conjunction with the Dell SonicWALL family of firewall security ensure that wireless traffic is
scrutinized with the same intensity as wired network traffic, allowing IT administrators to retain
control over their entire network.
Source: http://www8.hp.com
The HP TippingPoint NX Platform Next Generation Intrusion Prevention System (NGIPS) offers
in-line threat protection that defends critical data and applications without affecting
performance and productivity. The NGIPS platforms leverage advanced threat research with the
correlation of security events and vulnerabilities.
AirTight WIPS:
Source: http://www.mojonetworks.com
AirTight WIPS is a wireless intrusion prevention system that precisely blocks only those Wi-Fi
connections that violate network policies or pose a threat to network security, without
affecting legitimate Wi-Fi communication on local or neighboring networks.
Network Box IDP
Source: http://www.network-box.com
The Network Box IDP (Intrusion Detection and Prevention) module scans network traffic at the
application level and blocks malicious behavior with zero latency. A comprehensive database of
IDP signatures precisely matches and actively blocks known exploits. A database of
vulnerability-class based signatures and heuristic (expert system) anomaly-based behavioral
analysis provides protection against newly emerging threats.
AirMobile Server:
Source: http://airmobile.se
The AirMobile server sorts incoming scanning reports from the agents. The server discovers and
analyzes the APs, estimating the level of threat the AP poses to the network. When a new AP is
discovered, the server automatically matches the AP's MAC-address to the database containing
all known MAC addresses by the switches, pointing out where the AP is connected to the
network. The server will raise the risk indicator to 100% if it finds any AP on the network that
runs without encryption.
ZENworks Endpoint Security Management
Source: https://www.novell.com
ZENworks Endpoint Security Management is a client/server endpoint solution that works on
Novell's ZENworks Control Center (ZCC) platform. It provides VPN and wireless security
enforcement, client firewall, device control, file/folder encryption and other features. It puts
end-user devices behind a potent firewall and protects against bugs in USB storage devices. A
user can deploy it physically or virtually to Windows or Linux platforms using a number of
compatible database backend systems and directory services. It deploys the endpoint agents to
Windows client operating systems.
AirPatrol WLS
Source: http://www.gigatest.net
WLS can be used as an intrusion detection solution in "no-wireless" environments and easily
scales to protect and manage wireless networks.
FortiWiFi
Source: http://www.fortinet.com
FortiWiFi Thick APs integrate an 802.11n wireless LAN radio and antennas into the FortiGate
Connected UTM. FortiWiFi provides access to both the wired and wireless LAN in a single
device, delivering network security visibility and control. It provides security functions such as a
firewall, VPN and traffic shaping, application control, IPS, antimalware, web filtering etc.
To harden the wireless router, apply all the recommended security configurations on the
wireless router. These security configuration settings will help minimize wireless attacks
and will provide the best performance, security and reliability when using Wi-Fi.
It should include:
1. Changing the default password of the wireless router.
2. Limiting the signal strength of the wireless network so that it cannot be detected outside the organization.
3. Placing wireless access points in a secured location.
4. Implementing a different technique for encrypting traffic, such as IPSec over wireless.
5. Using a centralized server for authentication.
The following list contains the security measures and configurations an administrator should
use for Wi-Fi Security:
• Change WEP keys often, and use a very difficult key to avoid unauthorized access.
• Avoid broadcasting SSIDs, as this makes it easier for an intruder to enter the network.
• Collect connection logs; they help determine unnecessary utilization of the wireless network
in the organization.
• Monitor using WIDPS sensors and WLAN scanners to detect a rogue WLAN connection.
• Detect the laptops that are being illegitimately used as access points.
Certified Network Defender Exam 312-38
Network Traffic Monitoring and Analysis
Network monitoring and analysis is a very important day to day task for the network
administrator. It provides an additional layer of security to the network and involves analyzing
network performance and traffic patterns to detect abnormal activities in the network.
This module will teach you various aspects of network monitoring and signature analysis. The
module starts with an introduction to the network monitoring concept and its importance, and
then educates you on how to detect and analyze various types of attacks on your network.
• Network monitoring is a vital and demanding task within network security operations
• Firewalls and IDS are unable to detect malicious traffic due to continuous changes in attack
patterns, which is why manual network traffic monitoring is essential to detect attacks on the
network
• Network administrators are required to continuously monitor and analyze traffic for all
abnormalities
Network traffic monitoring is the process of capturing network traffic and inspecting it closely
to determine what is happening on the network. Network Administrators should constantly
strive to maintain a smooth network operation. If a network is down even for a small period of
time, productivity within a company would decline. In order to be proactive rather than
reactive, administrators need to monitor the traffic movement and performance ensuring a
security breach doesn't occur within the network.
The network monitoring process involves sniffing the traffic flowing through the network. It
requires capturing network packets and conducting a signature analysis to identify any
malicious activity. Administrators should continuously monitor and analyze the network traffic
to look for the presence of attack signatures.
Network operators use network traffic analysis tools to identify malicious or suspicious packets
hiding within the traffic. They monitor download/upload speeds, throughput, content, traffic
behaviors, etc. to understand what is going on in the network operations.
Network traffic analysis is done to get an in-depth insight into what type of network packets or
data is flowing through a network. Typically, it is done through network monitoring or network
bandwidth monitoring utilities. The traffic statistics from network traffic analysis report:
• Download/upload speeds.
• Type, size, origin, destination and content/data of packets.
The typical network monitoring advantages are:
• Utilization: It is important to analyze the need for network utilization, especially with all
the new and evolving technology. Network monitoring provides the complete details on
the infrastructure. This provides an idea about the amount of load a network can handle
during heavy traffic periods. Leading to the required utilization of the space in the
network.
the required actions, before the situation worsens. Applications that prove vulnerable to
the network are located by this technique.
• Minimizing Risk: Network monitoring techniques comprise all the required SLAs and
compliance applicable to users or consumers. The complete infrastructure information is
required when drafting the SLAs. Real -time monitoring of network topologies and
channels helps document these SLAs.
The network monitoring technique is beneficial for administrators. It is very easy to setup and
implement considering the complexity of the networks.
A network administrator can implement two types of techniques to monitor the network.
Each technique has advantages and disadvantages. It is recommended that both router-based
and non-router-based techniques be used for the network monitoring task.
A router uses SNMP-based monitoring to manage network performance and problems.
Simple Network Management Protocol (SNMP) is a part of the TCP/IP suite and functions at
the application layer. SNMP helps administrators manage network performance by resolving the
network issues it encounters. Passive sensors implemented from a router to a host gather
traffic statistics.
• SNMP Manager: The SNMP manager is a system that maintains proper network function.
The communication between the SNMP manager and agents uses a message format. The
SNMP manager controls and monitors the activities of the host. The main role of an SNMP
manager is:
• SNMP Agent: The SNMP agent maintains and saves the data for network devices. This data is
passed on to the managing systems of the network. An SNMP agent can only work when a
relationship is defined between an SNMP manager and an SNMP agent. The main role of
SNMP agents is:
• Managed Devices: Network based devices such as routers, switches and servers require
some form of monitoring and management.
• Management Information Base (MIB): The SNMP manager uses the device records saved
by the SNMP agent. The sharing of this database is known as the Management
Information Base. The MIB allows the SNMP manager to query SNMP agents about the
devices.
• SNMP Commands: The SNMP commands make the implementation of SNMP less
complex for administrators. Here are the SNMP commands:
• GET: It retrieves the information from the managed device. It is used by SNMP
managers.
• GET NEXT: Works similar to GET and also retrieves the object identifiers from the
MIB.
• SET: SNMP managers use this command to modify or assign the value of the managed
device.
• TRAPS: SNMP agents use this command to notify SNMP managers about an event
occurring in the network.
• RESPONSE: The SNMP manager uses this command to carry the actions back to the
agents.
Information collected by SNMP helps to control the network by resol ving the issues in real time
before affecting the productivity of the organization.
The NetFlow feature in Cisco routers collects and monitors the IP traffic passing through
the router.
Step 1: Specify the interface and enter interface configuration mode. Use the following command:
► Router(config)# interface type slot/port-adapter/port (Cisco 7500 series routers)
OR
► Router(config)# interface type slot/port (Cisco 7200 series routers)
Step 2: Enable NetFlow for IP routing. Use the following command:
► Router(config-if)# ip route-cache flow
The NetFlow monitoring technique has the ability to collect the IP network traffic as it enters
or exits an interface. This helps administrators determine the source and destination of the
traffic, the class of service and the reason for traffic congestion, whenever it occurs. NetFlow
monitoring allows a network-wide view of the traffic, enhancing the performance monitoring and
security of the network. Cisco devices support NetFlow-based network monitoring.
• Netflow Collector: The Netflow collector involves pre-processing flow of data received
from the Netflow exporter.
• Analysis Console: Administrators are responsible for the analysis console that analyzes
the intrusion detection or traffic profiling.
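The collector and analysis-console roles above, as an added example that is not Cisco's or the courseware's code: it decodes a NetFlow v5 export datagram (24-byte header followed by 48-byte flow records) and derives bytes per source and the TCP flows that never completed a handshake. The datagram is constructed inline from sample flows, not captured from a router.

```python
"""Minimal NetFlow v5 collector logic: an added example, not Cisco's or the
courseware's code. Parses a v5 export datagram and derives two things an
analysis console would report: bytes per source, and TCP flows in which a SYN
was seen but no ACK. The datagram is constructed inline, not a capture."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval.
HEADER_FMT = "!HHIIIIBBH"
# NetFlow v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2.
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
TCP, SYN, ACK = 6, 0x02, 0x10


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int     # OR of all TCP flags seen in the flow


def parse_netflow_v5(data: bytes) -> List[FlowRecord]:
    """Decode one export datagram; reject anything that is not well-formed v5."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: fewer records than header count")
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, data, HEADER_LEN + i * RECORD_LEN)
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                                  sport, dport, proto, pkts, octets, flags))
    return records


def octets_by_source(records: List[FlowRecord]) -> Dict[str, int]:
    """Top-talker view: total bytes sent per source address."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r.src] = totals.get(r.src, 0) + r.octets
    return totals


def incomplete_tcp_flows(records: List[FlowRecord]) -> List[FlowRecord]:
    """TCP flows where SYN was seen but ACK never was: connection attempts that
    got no further, the trace a port scan or a blocked service leaves behind."""
    return [r for r in records
            if r.proto == TCP and r.tcp_flags & SYN and not r.tcp_flags & ACK]


def build_datagram(flows) -> bytes:
    """Construct a v5 datagram from (src, dst, sport, dport, proto, pkts,
    octets, tcp_flags) tuples. Sample data only."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 3_600_000, 1_700_000_000,
                         0, 1, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(s), socket.inet_aton(d),
                    socket.inet_aton("0.0.0.0"), 1, 2, pk, oc, 1000, 2000,
                    sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in flows)
    return header + body


# Constructed flows: two normal web sessions, two SYN-only probes to port 22
# from one outside host, and a UDP DNS lookup.
SAMPLE_DATAGRAM = build_datagram([
    ("10.0.0.5", "203.0.113.7", 51514, 443, TCP, 12, 9000, 0x1B),
    ("10.0.0.5", "198.51.100.9", 51515, 80, TCP, 30, 45000, 0x1B),
    ("192.0.2.200", "10.0.0.5", 40000, 22, TCP, 1, 60, SYN),
    ("192.0.2.200", "10.0.0.6", 40001, 22, TCP, 1, 60, SYN),
    ("10.0.0.7", "10.0.0.1", 53000, 53, 17, 2, 180, 0),
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    print("bytes by source:", octets_by_source(flows))
    for r in incomplete_tcp_flows(flows):
        print(f"incomplete TCP: {r.src}:{r.src_port} -> {r.dst}:{r.dst_port}")
```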
Network Monitors
To run network traffic monitoring/sniffing utilities, the machine must be placed at an
appropriate location.
Figure: internal network/LAN with a user and a switch connected to the Internet; normal traffic and malicious traffic from an attacker both flow through the switch.
Administrators should place and connect their system so they can view all the inbound and
outbound traffic flowing through their network. Network administrators should ensure that
each packet is inspected for policy violations. The machine must be placed as described in
the figure below: it connects to the switch in front of the firewall and is installed with the
required packet sniffing and network monitoring tools.
Figure: the monitoring machine connected to the switch in front of the firewall, where it sees both the normal traffic between the internal network/LAN and the Internet and the malicious traffic from the attacker.
Administrators should ensure the switch is connected and configured as a managed switch. Only
a managed switch allows the monitoring machine to view the network traffic flowing through the
network. Configure the switch as a managed switch by enabling the port monitoring or port
mirroring feature on a specific port of the switch. Different vendors have different names for
this feature; for example, the port mirroring feature on a Cisco switch is known as a Switched
Port Analyzer (SPAN) port. The port mirroring process copies the switch's network traffic and
sends it to another port on the switch so the monitoring tool can analyze it.
The managed switch can configure, manage, and monitor the LAN. It allows the administrator
to have greater control over the flow of data traversing the network. With the ability to
manage the data flow, the chances of an intrusion are much lower. Though a managed switch
may cost more than an unmanaged switch, it assures better security and filtered data
transmission among the systems.
Types of Signatures
A signature is a set of characters that define network activity, including IP addresses, TCP flags,
and port numbers. It includes a set of rules used to detect malicious traffic entering a network.
Signatures are used to:
Signatures are classified into two main categories depending on their behavior:
• Normal Traffic Signatures: They include the normal network traffic regularly flowing to
and from the network. These signatures are defined based on a normal traffic baseline for
the organization. These signatures do not contain any malicious signature patterns and
can be allowed to enter the network.
• Attack Signatures: The traffic patterns that look suspicious are generally treated as attack
signatures. These signatures should not be allowed to enter the network. If allowed, they
often are the reason for a network security breach. These signatures deviate from the
normal signature behavior and should be analyzed.
Network traffic baselines differ between organizations and change over time according to
the operating environment and the prevailing threat scenario.
The network traffic baseline helps in understanding the behavioral patterns of the network.
Baselining establishes a set of metrics for monitoring network performance. These metrics define
the normal working condition of an enterprise's network traffic. Current traffic is compared
against the metrics to detect any change, which may indicate a threat to the security of the
network. A network traffic baseline establishes the accepted packets, which are considered safe
for the organization. Baselining the traffic makes it easier to detect suspicious activities on
the network: any deviation from the normal traffic baseline can be treated as a suspicious traffic
signature. The administrator should define a network baseline for their organization and validate
the traffic against it. Baselining is more effective when it works in parallel with the
organization's policy. With the help of a normal traffic baseline, administrators can judge what
is required to secure the network.
According to a network traffic baseline, normal traffic signatures for TCP packets should have
the following characteristics:
• To establish a connection, TCP uses a three-way handshake of SYN, SYN ACK and ACK in every
session.
• The ACK bit should be set in every packet except the initial packet, in which only the SYN
bit is set.
• FIN ACK and ACK are used to terminate a connection. PSH FIN ACK may also be used initially
in the same process.
• RST and RST ACK are used to abort an ongoing connection immediately.
• During the conversation (after the handshake and before termination) packets carry only the
ACK bit by default. Sometimes they may also have the PSH or URG bit set.
• If both the SYN and FIN bits are set, it is an illegal TCP packet.
• SYN FIN PSH, SYN FIN RST and SYN FIN PSH RST are all variants of SYN FIN. An attacker sets
these additional bits to evade signatures that only match the plain SYN FIN combination.
• A packet that has only the FIN flag set is illegal; lone FIN packets are used in network
mapping, port scanning and other stealth activities.
• Some packets have all six flags unset, known as a NULL packet. These are illegal packets.
• If the ACK flag is set, the acknowledgement number should not be zero.
• If a packet has only the SYN bit set (the beginning of a connection) and also carries data,
it is an illegal packet.
• If the destination address is a broadcast address (for example, ending with 0 or 255 in a /24
network), it is an illegal packet, since TCP has no broadcast semantics.
• Every TCP packet has two bits of the flag byte reserved for future use. If either or both of
them are set, the packet is illegal under this baseline. Note that RFC 3168 later assigned these
two bits to ECN (CWR and ECE), so on networks where ECN is enabled they legitimately appear in
SYN and SYN ACK packets and should be excluded from this rule.
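The rules above can be applied mechanically to each captured segment. The following is an added example, not code from the CND courseware: it encodes the baseline rules as a checker over a TCP flag byte plus the few header fields the rules depend on, and reports every rule a segment breaks. The flag bit values are the standard TCP header bits (RFC 793, with CWR/ECE from RFC 3168); the sample segments and the `ecn_capable` switch are this example's own assumptions.

```python
# Added example (not part of the CND courseware): apply the TCP "normal traffic"
# rules above to one segment and list every rule it breaks. The flag bit values are
# the standard TCP header flag bits (RFC 793, with CWR/ECE from RFC 3168); the
# sample segments are constructed for illustration.

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
CLASSIC_FLAGS = 0x3F  # the six flags the baseline rules reason about


def flag_names(flags):
    """Human-readable flag list, e.g. 0x12 -> 'SYN ACK'; 0 -> 'NULL'."""
    table = (("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH),
             ("ACK", ACK), ("URG", URG), ("ECE", ECE), ("CWR", CWR))
    return " ".join(name for name, bit in table if flags & bit) or "NULL"


def check_tcp_segment(flags, ack_num=0, payload_len=0, dst_ip="10.0.0.5", ecn_capable=True):
    """Return the list of baseline rules violated by a segment (empty list = normal).

    flags        8-bit TCP flag byte
    ack_num      acknowledgement number field
    payload_len  number of TCP payload bytes
    dst_ip       dotted-quad destination address
    ecn_capable  True if ECN is in use, so CWR/ECE (the old reserved bits) are legal
    """
    problems = []
    classic = flags & CLASSIC_FLAGS

    if classic == 0:
        problems.append("NULL segment: no flags set")
    if classic & SYN and classic & FIN:
        problems.append("SYN and FIN set together (%s)" % flag_names(flags))
    if classic == FIN:
        problems.append("lone FIN without ACK (stealth scan or mapping)")
    elif classic and not classic & (SYN | RST | ACK):
        # only the initial SYN and resets may omit ACK; FIN/PSH/URG combinations may not
        problems.append("ACK missing on a non-initial, non-reset segment (%s)" % flag_names(flags))
    if classic & ACK and ack_num == 0:
        problems.append("ACK set but acknowledgement number is zero")
    if classic == SYN and payload_len > 0:
        problems.append("data carried on a bare SYN")
    if int(dst_ip.rsplit(".", 1)[-1]) in (0, 255):
        # the baseline's simple broadcast test; the real broadcast address depends on the mask
        problems.append("destination looks like a broadcast address (%s)" % dst_ip)
    if flags & (ECE | CWR) and not ecn_capable:
        problems.append("reserved (ECN) bits set on a network without ECN")
    return problems


if __name__ == "__main__":
    # Constructed sample segments: two normal ones and one per rule.
    samples = [
        ("handshake SYN", SYN, 0, 0),
        ("handshake SYN ACK", SYN | ACK, 1001, 0),
        ("NULL scan", 0, 0, 0),
        ("SYN FIN PSH URG", SYN | FIN | PSH | URG, 0, 0),
        ("Xmas FIN PSH URG", FIN | PSH | URG, 0, 0),
        ("data on SYN", SYN, 0, 12),
    ]
    for label, f, a, n in samples:
        print("%-18s %-16s -> %s" % (label, flag_names(f), check_tcp_segment(f, a, n) or "normal"))
```

Feed the checker the flag byte of each captured segment (Wireshark shows it as `tcp.flags`) together with the acknowledgement number, payload length and destination address; an empty result means the segment fits the baseline.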
Suspicious Traffic Signatures
Network traffic deviating from its normal behavior is categorized as a suspicious traffic
signature. Suspicious traffic signatures are classified into four categories, including:
• Informational: Signatures that are not attacks in themselves but may indicate unusual
activity worth investigating. For example, informational traffic signatures may include:
• UDP connections
• Reconnaissance: The reconnaissance traffic consists of signatures which indicate an attempt
to gain network access. Reconnaissance is the unauthorized discovery of vulnerabilities and
the mapping of systems and services. Reconnaissance is also known as information gathering,
and in most cases it precedes a network attack. For example, the reconnaissance traffic
signatures may include:
• Sniffing attempts
• Denial of Service: Traffic may contain a large number of requests from a single source or
multiple sources as an attempt to perform a Denial of Service attack. This type of attempt is
made to disrupt the service of the target organization. For example, the DoS traffic
signatures may include:
Content-based signatures (payload):
• Attack signatures are contained in packet payloads
• Check for specific strings occurring in the suspicious payload
• Single packet analysis is enough to detect attack signatures
Context-based signatures (header):
• Attack signatures are contained in packet headers
• Inspect packets for unusual/suspicious header information such as source and destination
IP address
• Multiple packet analysis is required to detect attack signatures
Attack signature analysis techniques are classified into four different categories, including:
• Context-based Signature: These signatures are found in the header information of a packet.
Suspicious values in the header can include malicious data affecting fields such as:
• IP options
• IP protocols
• Composite Signature: The attack pattern is spread across multiple packets, so any single
packet looks harmless and detecting these attack patterns is very difficult. ICMP flooding is
an example of an attack detected using composite signatures. In this attack, multiple ICMP
packets are sent to a single host so that the server is kept busy responding to the requests.
Attack signatures may be located in either the header or the payload of a packet.
Administrators need to examine the payloads within TCP and UDP to identify suspicious payload
values. They should understand that a protocol such as DNS is itself carried within TCP or UDP.
Decoding a packet's IP header (its protocol field) indicates whether the payload carries TCP,
UDP or another protocol. If the payload is TCP, administrators need to process the TCP header
within the IP payload before reaching the TCP payload. DNS data is carried within UDP and TCP
payloads.
An example is a DNS buffer overflow attempt contained in the payload of a query. By parsing the
DNS fields and checking the length of each, administrators can identify an attempt to overflow a
DNS field. Another method is to look for shellcode sequences in the payload.
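Parsing the DNS fields and checking their lengths, as described above, can be done with a few lines of code. The following is an added example, not code from the CND courseware: it walks the question name of a DNS query found in a UDP payload and reports the length violations an overflow attempt against a DNS field would exhibit. The limits are those of RFC 1035 (63 bytes per label, 255 bytes per name); the query packets are constructed inline and the helper `build_query` exists only to produce them.

```python
# Added example (not part of the CND courseware): parse the question name of a DNS
# query carried in a UDP payload and flag the length violations that a buffer
# overflow attempt against a DNS field would show. Limits are from RFC 1035
# (63 bytes per label, 255 bytes per name); all packets below are constructed.
import struct

DNS_MAX_LABEL = 63
DNS_MAX_NAME = 255
DNS_HEADER_LEN = 12


def build_query(labels, qtype=1, qclass=1, txid=0x1234):
    """Encode a DNS standard query. Deliberately performs no length checks so the
    constructed test packets can be malformed (this is test-data generation only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def inspect_qname(payload, offset=DNS_HEADER_LEN):
    """Walk the labels of the name at `offset`. Returns (name, findings, end_offset)."""
    findings, labels, total, pos = [], [], 0, offset
    while True:
        if pos >= len(payload):
            findings.append("name is not terminated before end of packet")
            break
        length = payload[pos]
        if length == 0:                        # root label ends the name
            pos += 1
            break
        if (length & 0xC0) == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            findings.append("compression pointer inside the question name")
            pos += 2
            break
        if length > DNS_MAX_LABEL:
            findings.append("label length %d exceeds %d" % (length, DNS_MAX_LABEL))
        if pos + 1 + length > len(payload):
            findings.append("label of %d bytes runs past end of packet" % length)
            pos = len(payload)
            break
        labels.append(payload[pos + 1:pos + 1 + length])
        total += 1 + length
        pos += 1 + length
    if total + 1 > DNS_MAX_NAME:               # +1 for the terminating zero byte
        findings.append("name length %d exceeds %d" % (total + 1, DNS_MAX_NAME))
    name = b".".join(labels).decode("ascii", "replace")
    return name, findings, pos


def inspect_dns_query(payload):
    """Return {'name': ..., 'findings': [...]} for the first question in a DNS message."""
    if len(payload) < DNS_HEADER_LEN:
        return {"name": "", "findings": ["truncated DNS header"]}
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        return {"name": "", "findings": ["no question section"]}
    name, findings, end = inspect_qname(payload)
    if not findings and end + 4 > len(payload):
        findings.append("QTYPE/QCLASS missing after the name")
    return {"name": name, "findings": findings}


# Constructed samples: one benign query and three malformed ones.
NORMAL_QUERY = build_query([b"www", b"example", b"com"])
OVERSIZED_LABEL = build_query([b"A" * 80, b"example", b"com"])
OVERSIZED_NAME = build_query([b"a" * 63] * 5)
TRUNCATED_QUERY = NORMAL_QUERY[:20]

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_QUERY), ("long label", OVERSIZED_LABEL),
                       ("long name", OVERSIZED_NAME), ("truncated", TRUNCATED_QUERY)):
        print("%-10s %s" % (label, inspect_dns_query(pkt)))
```

The same walk applies to names in the answer section; a name that runs past the end of the packet or carries a label longer than 63 bytes is exactly the kind of input a vulnerable resolver copies into a fixed-size buffer.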
[Figure: Wireshark capturing from a virtual switch interface. Source: https://www.wireshark.org]
Features:
• Deep inspection of hundreds of protocols
A packet analyzer or packet sniffer is a tool that can intercept and log traffic passing through
the network. The sniffer is used in network management because of its monitoring and analysis
features, which help to detect intrusions, supervise network contents, troubleshoot the network
and control traffic. Network administrators use sniffers to analyze the behavior of an
application or device causing network issues.
The information running through a network is a valuable source of evidence to counter
intrusions or anomalous connections. The need to capture this information led to the
development of packet sniffers.
Wireshark
Wireshark is an open source, cross-platform packet capture and analysis tool. It is available for
Windows, Linux and other operating systems. The GUI gives a detailed breakdown of the network
protocol stack for each packet. Wireshark can also save packet data to a file for offline
analysis, and export and import packet captures to and from other tools. Statistics can also be
generated for packet capture files.
Wireshark can be used for network troubleshooting, to investigate security issues and to analyze
and understand network protocols. Because it shows everything on the wire, it also exposes any
information passed in plain text, which is exactly what an attacker running a sniffer would see.
• Features:
Wireshark has a rich feature set which includes the following:
• Identify poor network performance due to high path latency
[Figure: The Wireshark Network Analyzer main window (Wireshark 2.0.1) and a capture of DHCPv6
Solicit and SSDP traffic, with the Tool Bar, Filter Tool Bar, Packet List Panel, Packet Details
Panel and Packet Bytes Panel labeled. Source: https://www.wireshark.org]
The main menu of the Wireshark tool contains the following items:
• File: This menu contains items to open and merge, capture files, save, print, import and
export capture files in whole or in part, and to quit the Wireshark application.
• Edit: This menu contains items to find a packet, time reference or mark one or more
packets. It handles the configuration profiles and sets your preferences.
• View: This menu controls the display of the captured data, including colorization of
packets, font zoom, showing a packet in a separate window, expanding and collapsing the
packet tree details.
• Colorize Packet List: This option allows administrators to control whether or not
Wireshark should colorize the packet list. Enabling colorization will slow down the
display of new packets while capturing and loading capture files.
• Coloring Rules: This option allows administrators to color packets in the packet list
pane according to filter expressions of their choice. It can be very useful for
spotting certain types of packets.
• Colorize Conversation: This menu item brings up a submenu that allows the color of
the packets to be changed in the packet list pane based on the addresses of the
currently selected packet. This makes it easy to distinguish packets belonging to
different conversations.
• Go: This menu contains options to navigate to a specific packet including a previous
packet, next packet, corresponding packet, first packet and last packet.
• Capture: This menu allows the capture to start, stop and restart and edit capture filters.
• Capture Filters: This option allows administrators to create and edit capture filters.
Filters can be named and saved for future use.
• Analyze: This menu contains items to manipulate, display and apply filters, enable or
disable the dissection of protocols, configure user specified decodes and follow a different
stream including TCP, UDP and SSL.
• Follow TCP Stream: This option displays all the TCP segments captured that are on the
same TCP connection as a selected packet.
• Follow UDP Stream: This option displays all the UDP segments captured that are on
the same UDP connection as a selected packet.
• Follow SSL Stream: This option displays all the SSL segments captured that are on the
same SSL connection as a selected packet.
• Statistics: This menu contains options to display various statistics windows, including a
summary of the packets that have been captured, protocol hierarchy statistics, IO
graphs, flow graphs and more.
• Telephony: This menu contains options to display various telephony related statistic
windows, including a media analysis, flow diagrams, display protocol hierarchy statistics
and more.
• Wireless: This menu shows Bluetooth and IEEE 802.11 wireless statistics.
• Tools: This menu contains various tools available in Wireshark, including creating firewall
ACL rules and using the Lua interpreter.
• Firewall ACL Rules: This allows you to create command-line ACL rules for many
different firewall products, including Cisco IOS, Linux Netfilter, OpenBSD and Windows
Firewall. Rules for MAC addresses, IPv4 addresses, TCP and UDP ports, and IPv4+port
combinations are supported. It is assumed that the rules will be applied to an outside
interface.
• Lua: It includes options that allow administrators to work with the Lua interpreter,
which is built-in to Wireshark. Wireshark uses Lua to write protocol dissectors.
• Help: This menu contains items to help the user, including access to basic help manual
pages for the various command line tools, online access to some of the webpages and the
About Wireshark dialog.
• The Main Toolbar: The main tool bar provides quick access to frequently used items from
the menu. This tool bar cannot be customized by the user. If the space on the screen is
needed to show more packet data, then hide the toolbar using the View menu. As in the
menu, only the items useful in the current program state will be available. The others will
be greyed out.
• The Filter Toolbar: The filter toolbar allows administrators to quickly edit and apply display
filters.
• Packet List Panel: This is a list of packets in the current capture file. It colors the packets
based on the protocol. Each line in the packet list corresponds to one packet in the
capture file. If you select a line in this pane, more details will be displayed in the Packet
Details and Packet Bytes panes.
• No: The number of the packets in the capture file. This number won't change, even if a
display filter is used.
• Time: The timestamp of the packet. The presentation format of this timestamp can be
changed.
• Packet Details Panel: This views the details of the selected packet. It includes the
different protocols making up the layers of data for this packet. The protocols and fields of
the packet are displayed using a tree, which can be expanded and collapsed. Layers
include Frame, Ethernet, IP, TCP, UDP, ICMP and application protocols such as HTTP.
• Packet Bytes Panel: This panel views the packet bytes in a hex dump and ASCII encodings.
For a hex dump, the left side shows the offset in the packet data and the middle of the
packet data is shown in a hexadecimal representation. On the right the corresponding
ASCII characters are displayed.
• The Status Bar: The status bar displays informational messages. In general, the left side
will show context related information, the middle part will show the current number of
packets and the right side will show the selected configuration profile. Administrators can
drag the handles between the text areas to change the size.
Note: The CND resource kit contains cheat sheets for all available capture and display filters.
Wireshark provides different types of filters to sort the network traffic. They narrow the
search and show only the desired traffic. By default, Wireshark provides capture filters and
display filters.
Administrators can define filters and give them labels for later use. This saves time recreating
and retyping the more complex filters that are used often.
Display Filters
Display filters are applied to packets that have already been captured. They are useful when
there is no need to restrict what is captured: capture all the packets that traverse the
network, then sort the captured items using display filters.
Display filters are used while displaying packets. They allow administrators to concentrate on
the packets they are most interested in, while hiding the uninteresting ones. They allow
administrators to select packets by:
• Protocol
• The presence of a field
The mechanism for defining and saving capture filters and display filters is almost identical.
Administrators can use the "+" (plus) button to add new filters and the "-" (minus) button to
remove any unwanted filters. The copy button copies a selected filter. Administrators can edit
existing filters by double-clicking on the filter. After creating a new filter or editing an
existing filter, click OK to save the changes.
Capture Filters
Capture filters are applied before starting a capture on the selected network interface. They
cannot be applied to traffic that has already been captured, and packets a capture filter
excludes are never recorded, so a capture filter should only be used when the administrator
knows what they are looking for. Administrators should be familiar with the available capture
filters in order to home in quickly on network anomalies.
Wireshark uses the libpcap (BPF) filter language for capture filters. A capture filter takes the
form of a series of primitive expressions connected by conjunctions (and/or) and optionally
preceded by 'not'. The syntax of a capture filter is:
[not] primitive [and | or [not] primitive ...]
For example, a capture filter for Telnet that captures traffic to and from a particular host is:
tcp port 23 and host 10.0.0.5
Use the ftp display filter to check whether any unauthorized FTP sessions have been established
in the network.
[Figure: Wireshark with the display filter ftp applied. The packet list shows an FTP session
between 192.168.0.57 and 206.188.192.205: "220 FTP Server ready", "USER Admin", "331 Password
required for Admin", "PASS tEst@123" and "530 Login incorrect". The Packet Details pane shows the
USER command in clear text (TCP source port 30936, destination port 21).]
FTP does not offer a secure network environment or secure user authentication. FTP servers are
often configured to allow anonymous logins, so individuals may not need credentials to access
the FTP server on the network. This provides an easy way for attackers to get on the network and
access resources. FTP does not encrypt the data transfer: everything exchanged between sender
and receiver, including the control channel, is in plain text, so critical information such as
usernames and passwords is exposed to anyone who can sniff the traffic. Deploying FTP in an
organization's network leaves the data accessible to external sources and can lead to attacks
such as FTP bounce, FTP brute force and packet sniffing.
Administrators should monitor FTP traffic using Wireshark, which gives complete visibility of
the FTP traffic on the network. Applying the ftp filter helps detect unauthorized sessions on
the server. Apart from monitoring the traffic to the FTP server, administrators should also
monitor the file content and file sizes stored on the server.
• Telnet is not encrypted; the password and all other data is transmitted as clear text and
will be viewable
• Ideally it should be disabled; enabling it poses huge security risks to the network
[Figure: Wireshark Conversations (TCP) and Follow TCP Stream (tcp.stream eq 0) on a Telnet
session between 192.168.0.158 and 192.168.0.142, with Telnet Data visible in the packet list.]
The Telnet protocol works on a client-server model. It provides access to remote network
equipment and operating systems. The data transferred through Telnet is not encrypted, making
it easy for intruders to eavesdrop. If a person has access to a network device with Telnet
configured, they can gain access to the network and to user account information. Generally,
Telnet should be disabled in the organization and replaced by SSH.
Telnet is a session-oriented protocol, which means the connection has to stay open during the
entire session. Attackers can use open Telnet sessions to carry out a network security breach.
Administrators should monitor any Telnet sessions running on their network (the telnet display
filter, or Follow TCP Stream on a port 23 conversation, shows the session contents). Timely
monitoring of Telnet sessions through Wireshark can greatly reduce the risk of a network
intrusion.
• HTTP sends information in plain text format
• Monitor and analyze HTTP traffic to:
• Check if there is any sensitive information being sent using HTTP
• Check the traffic against a policy violation
• Detect applications using unnecessary/restricted services
[Figure: Wireshark with an HTTP display filter showing GET and POST requests from 192.168.0.87 to
192.168.0.10 for /goodshopping/. The Packet Details of the POST (application/x-www-form-urlencoded)
show the form items txtUsername = "steven@eccouncil.org" and txtPassword = "tEst@123" in clear
text.]
Applications using HTTP send data in clear text. Implementing HTTP can pose security risks to
the organization, as sensitive information such as usernames and passwords is sent in HTTP
requests. An attacker who can sniff the traffic can read that information and misuse it.
Administrators have to ensure that their HTTP traffic is sent over an encrypted protocol such as
HTTPS. At the same time, they should monitor and confirm that their applications do not send
sensitive data over HTTP. Monitoring HTTP traffic also shows the volume of HTTP traffic flowing
through the network.
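The check described above (does any HTTP request carry credentials in the clear?) can be automated over captured requests. The following is an added example, not code from the CND courseware: it parses a raw HTTP/1.x request and reports credentials exposed in a form-encoded POST body, in a query string, or in an HTTP Basic Authorization header. The requests are constructed to mirror the capture above (the txtUsername and txtPassword fields); the list of field-name markers is this example's own assumption.

```python
# Added example (not part of the CND courseware): find credentials sent in clear
# text over HTTP, the condition shown in the capture above. Handles form-encoded
# POST bodies, query strings and HTTP Basic authentication. The requests are
# constructed; field names mirror the capture (txtUsername/txtPassword).
import base64
from urllib.parse import parse_qsl

# substrings that mark a form field as credential-bearing (assumption for this example)
CREDENTIAL_MARKERS = ("user", "pass", "pwd", "secret", "token")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _credential_fields(query):
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if any(m in k.lower() for m in CREDENTIAL_MARKERS)]


def find_cleartext_credentials(raw):
    """Return [(field, value), ...] for every credential exposed by one HTTP request."""
    method, target, headers, body = parse_http_request(raw)
    hits = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64, not encryption: anyone with the capture gets user:password
        hits.append(("authorization", base64.b64decode(auth[6:]).decode("utf-8", "replace")))
    if "?" in target:
        hits.extend(_credential_fields(target.split("?", 1)[1]))
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        hits.extend(_credential_fields(body.decode("utf-8", "replace")))
    return hits


# Constructed requests modelled on the capture above (192.168.0.87 -> 192.168.0.10).
LOGIN_BODY = (b"__EVENTVALIDATION=abc123&txtUsername=steven%40eccouncil.org"
              b"&txtPassword=tEst%40123&btnLogin=Login")
LOGIN_POST = (b"POST /goodshopping/ HTTP/1.1\r\n"
              b"Host: 192.168.0.10\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: " + str(len(LOGIN_BODY)).encode() + b"\r\n\r\n" + LOGIN_BODY)
PAGE_GET = b"GET /goodshopping/ HTTP/1.1\r\nHost: 192.168.0.10\r\n\r\n"
BASIC_GET = (b"GET /goodshopping/admin/ HTTP/1.1\r\nHost: 192.168.0.10\r\n"
             b"Authorization: Basic " + base64.b64encode(b"admin:tEst@123") + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("POST", LOGIN_POST), ("GET", PAGE_GET), ("Basic", BASIC_GET)):
        print(name, find_cleartext_credentials(req))
```

A request body can be pulled out of a capture with Wireshark's Follow TCP Stream and fed to `find_cleartext_credentials`; any hit is a policy violation that HTTPS would have prevented.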
• Attackers use various fingerprinting techniques to detect the OS type and version running on
the target system
• OS fingerprinting techniques include:
• Passive OS fingerprinting
• Active OS fingerprinting
[Figure: an attacker on the Internet fingerprinting hosts on the internal network.]
OS fingerprinting is the process of gaining information about the target host's OS. Attackers
use this method during their reconnaissance phase. Once the target OS is identified, the
attacker can look up the vulnerabilities known for that OS or that specific version and use
them to get into the network. An attacker can attempt both active and passive OS fingerprinting
to detect the target OS.
Passive OS Fingerprinting
In this technique, the attacker does not send any packets to the target. Instead, they sniff
the traffic the target generates and analyze the default values of various IP and TCP header
fields.
Active OS Fingerprinting
In this technique, the attacker sends packets to the target. If the target responds to the
packets, the attacker analyzes the responses and identifies the underlying OS.
Detecting Passive OS Fingerprinting Attempts
• Check for certain fingerprinting values in Wireshark to detect passive OS fingerprinting
attempts
• The table of default header values below shows the initial TTL, Don't Fragment flag, maximum
segment size and window size that different operating systems and tools use
In passive OS fingerprinting the attacker does not send any packets; rather, they sniff the
traffic and identify the OS from the default values of IP and TCP header fields such as the
initial TTL, the Don't Fragment flag, the maximum segment size, the window size and the
SACK-permitted option. The same default values help administrators: a packet whose combination
of values matches a scanning tool's profile (for example, Nmap's TTL, window size and unset
Don't Fragment flag) reveals the tool behind it. Administrators should inspect these fields to
detect OS fingerprinting activity on their network. However, the values observed can differ
from the defaults once a packet has crossed routers (each hop decrements the TTL), so they must
be interpreted with care. It is very difficult to detect a passive fingerprinting attempt,
because the attacker sends nothing; firewalls and other security devices cannot detect passive
OS fingerprinting either. It has become essential for administrators to look for these
attempts manually with the help of packet sniffing tools.
The following table shows the typical default values of IP and TCP header fields for different
operating systems and tools. It helps administrators compare captured values and identify the
OS or tool generating the packets.

Protocol   Header field            Default value   Operating system / tool
IP         Initial Time to Live    64              Nmap, BSD, Mac OS 10, Linux
IP         Initial Time to Live    128             Novell, Windows
IP         Initial Time to Live    255             Cisco IOS, Palm OS, Solaris
IP         Don't Fragment flag     Set             BSD, Mac OS 10, Linux, Novell, Windows, Palm OS, Solaris
IP         Don't Fragment flag     Not set         Nmap, Cisco IOS
TCP        Maximum Segment Size    0               Nmap
TCP        Maximum Segment Size    1440            Windows, Novell
TCP        Maximum Segment Size    1460            BSD, Mac OS 10, Linux, Solaris
TCP        Window Size             1024-4096       Nmap
TCP        Window Size             2920-5840       Linux
TCP        Window Size             16384           Novell
TCP        Window Size             4128            Cisco IOS
TCP        Window Size             24820           Solaris
TCP        Window Size             Variable        Windows
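The table is most useful when the lookup is automated and the hop count is taken into account. The following is an added example, not code from the CND courseware: it transcribes the table into a profile dictionary, rounds an observed TTL up to the nearest common initial value (64, 128 or 255) because every router decrements it, and ranks the profiles by how many fields a captured SYN matches. The scoring scheme and the three sample observations are this example's own simplifications, not a Wireshark feature or a Nmap-grade fingerprint.

```python
# Added example (not part of the CND courseware): look up the header values of a
# captured SYN against the default-value table above and rank the likely source OS
# or tool. The profile table is transcribed from the table; the hop adjustment for
# TTL and the scoring are this example's own simplifications (assumptions).

# ttl, Don't Fragment flag, MSS range, window range; None = not listed / variable
PROFILES = {
    "Nmap":           {"ttl": 64,  "df": False, "mss": (0, 0),       "win": (1024, 4096)},
    "Linux":          {"ttl": 64,  "df": True,  "mss": (1460, 1460), "win": (2920, 5840)},
    "BSD / Mac OS X": {"ttl": 64,  "df": True,  "mss": (1460, 1460), "win": None},
    "Windows":        {"ttl": 128, "df": True,  "mss": (1440, 1440), "win": None},
    "Novell":         {"ttl": 128, "df": True,  "mss": (1440, 1440), "win": (16384, 16384)},
    "Cisco IOS":      {"ttl": 255, "df": False, "mss": None,         "win": (4128, 4128)},
    "Solaris":        {"ttl": 255, "df": True,  "mss": (1460, 1460), "win": (24820, 24820)},
    "Palm OS":        {"ttl": 255, "df": True,  "mss": None,         "win": None},
}


def initial_ttl(observed_ttl):
    """Each router decrements TTL, so round the observed value up to the nearest
    common starting value (64, 128, 255) before comparing with the table."""
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    return observed_ttl


def _in_range(value, rng):
    return rng is not None and value is not None and rng[0] <= value <= rng[1]


def match_score(profile, ttl, df, mss=None, win=None):
    """Number of table fields (0-4) the observed values agree with."""
    score = int(initial_ttl(ttl) == profile["ttl"])
    score += int(df == profile["df"])
    score += int(_in_range(mss, profile["mss"]))
    score += int(_in_range(win, profile["win"]))
    return score


def guess_os(ttl, df, mss=None, win=None):
    """Return (candidates, score): every profile sharing the best score, in table order."""
    scores = {name: match_score(p, ttl, df, mss, win) for name, p in PROFILES.items()}
    best = max(scores.values())
    return [name for name, s in scores.items() if s == best], best


if __name__ == "__main__":
    # Constructed observations: a SYN from an Nmap scan five hops away, a Linux
    # client two hops away, and a Windows client whose window size varies.
    for label, obs in (("nmap scan", (59, False, 0, 2048)),
                       ("linux host", (62, True, 1460, 5840)),
                       ("windows host", (121, True, 1440, 65535))):
        print("%-13s -> %s" % (label, guess_os(*obs)))
```

Note how the Windows observation ties with Novell: because the table lists the Windows window size as variable, TTL, DF and MSS alone cannot separate the two, which is the caveat the paragraph above makes about interpreting these fields with care.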
Detecting Active OS Fingerprinting Attempts
• Wireshark can detect active OS fingerprinting attempts based on the probes sent by attackers
• An attacker may send ICMP probes and TCP probes to look for a response from the potential
target OS
• Attackers make different types of active OS fingerprinting attempts on a target, such as:
• ICMP-based
• TCP-based
In active OS fingerprinting, an attacker sends packets to the target and waits for the reply.
They then analyze the reply received from the target to determine the OS. An attacker performs
active OS fingerprinting in two ways: using ICMP probes or TCP probes. The attacker analyzes the
reply from the target and makes an educated guess about the OS.
Administrators can detect active OS fingerprinting attempts much more easily than passive OS
fingerprinting attempts, because the probes themselves appear in the traffic. Administrators use
specific Wireshark filters to isolate the OS fingerprinting traffic.
• Attackers send unique ICMP probes to the target and look for the response
• Discover the unique ICMP probes, unusual ICMP codes, ICMP timestamp requests (type 13),
ICMP information requests (type 15) and ICMP address mask requests (type 17) in the traffic
to make an educated guess that OS fingerprinting is being attempted
An attacker can use various tools to perform ICMP-based fingerprinting. These tools send a
specific ICMP probe to the target; each tool manipulates the probe in its own way and infers the
target OS from the response.
• Some tools use ICMP echo requests with an unusual ICMP code (a normal echo request has code 0).
• Some tools use ICMP Timestamp requests (type 13), ICMP Information requests (type 15), ICMP
Address Mask requests (type 17), etc.
The administrator can apply display filters on ICMP (for example, icmp.type==13, icmp.type==15,
icmp.type==17, or icmp.type==8 and icmp.code!=0) and check for these types of ICMP requests
arriving from outside the network.
The fields to look for when trying to find TCP-based OS fingerprinting attempts are the initial
sequence numbers, the timestamp option, the IP ID sequence and the TCP options. Useful display
filters include:
• tcp.flags==0x2b (SYN, FIN, PSH and URG set together)
• tcp.flags==0x00 (NULL packet)
• tcp.options.wscale_val==10
• tcp.options.mss_val<1460
In TCP-based OS fingerprinting, an attacker sends TCP probe packets to the target and then
waits for the response. Based on the response received from the target, the attacker makes an
educated guess at the OS. An attacker may use a variety of tools to perform TCP-based
fingerprinting, such as Nmap and Queso. The attacker sends different types of TCP probes and,
based on the responses received, can detect the OS running on the target.
• FIN Probe: Sending a FIN without an ACK or SYN flag to an open port. Many broken OS
implementations such as MS Windows, BSDI, Cisco, HP/UX, MVS and IRIX reply to a FIN probe
with a RESET instead of ignoring it.
• BOGUS Flag Probe: Sending a SYN packet with an undefined TCP "flag" bit set in the TCP header.
Linux kernels prior to 2.0.35 respond to this packet with the undefined flag still set.
• TCP Initial Window: Checking the size of the window field in the response.
• TCP ISN Sampling: Sending connection requests and then looking for specific patterns in the
initial sequence numbers of the responses.
• IPID Sampling: Checking the IPID value of each packet in the response. Most operating
systems increment a system-wide IPID value.
• TCP Timestamp: Checking the TCP timestamp option values in the response. The clock may tick
at 2 Hz, 100 Hz or 1000 Hz, and some systems return 0.
• Don't Fragment bit: Some OSes set the "Don't Fragment" bit in the response.
• ACK Value: Checking the ACK field in the response.
In most cases, attackers use Nmap to perform target OS fingerprinting, so it is necessary to
understand how Nmap does it. Knowing the Nmap process for OS fingerprinting helps in detecting
OS detection attempts made using Nmap.
Nmap investigates the TCP/IP stack of a system by sending it eight different probes and
examining whether and how the target responds to each:
• Tseq: A series of SYN packets is sent to the target to analyze its TCP sequence numbers.
• T1: A SYN packet with the options (WNMTE) is sent to an open TCP port.
• T2: A NULL packet with the options (WNMTE) is sent to an open TCP port.
• T3: A SYN, FIN, PSH, URG packet with the options (WNMTE) is sent to an open TCP port.
• T4: An ACK packet with the options (WNMTE) is sent to an open TCP port.
• T5: A SYN packet with the options (WNMTE) is sent to a closed TCP port.
• T6: An ACK packet with the options (WNMTE) is sent to a closed TCP port.
• T7: A FIN, PSH, URG packet with the options (WNMTE) is sent to a closed TCP port.
Nmap then examines the responses, including the status of the ACK number in the TCP packets
returned to it. Characteristics of Nmap probes that can be matched in captured traffic include:
• ICMP Echo Request (type 8) with a 120 or 150 byte payload of 0x00 bytes
• TCP Acknowledgement Number field non-zero without the ACK bit set
[Figure: Wireshark capture filtered on ICMP, showing Echo (ping) requests from 192.168.0.54 to 192.168.0.55]
• Attackers use a ping sweep to find the active systems in a specified IP range
• Use Wireshark filters to detect a TCP ping sweep attempt
A ping sweep scan helps attackers discover the active systems in the network. It involves
sending multiple ICMP, TCP or UDP ECHO requests to target ports and then analyzing the ECHO
reply obtained from the port.
In an ICMP ping sweep, the attacker sends an ICMP type 8 ECHO request followed by an ICMP
type 0 and analyzes the ECHO reply. To detect the ICMP ping sweep, find the ICMP type 8 and
ICMP type 0 ECHO requests in the network traffic. It is recommended that a filter is used to
accomplish this task. Use the filter icmp.type==8 or icmp.type==0 to detect an ICMP
ping sweep attempt.
In a TCP/UDP ping sweep, an attacker sends an ECHO request packet to the TCP/UDP port 7. To
detect the TCP/UDP ping sweep attempt, find the TCP ECHO request packets going to port 7
and the UDP ECHO request packets going to port 7 in the network traffic. Use the filter
tcp.dstport==7 to detect the TCP ping sweep and the filter udp.dstport==7 to detect
the UDP ping sweep attempts. If the target port doesn't support an ECHO reply, then this
technique will not work.
[Figure: Wireshark capture filtered on arp, showing broadcast ARP requests from CadmusCo_09:ef:ce]
• Use the arp filter to detect ARP sweep and ARP scan attempts on the network
Similar to a ping sweep scan, an attacker also uses an ARP sweep/ARP scan to locate active IPs
in the network. Attackers use this method especially when a firewall is implemented in
between them and the target network. If a firewall is implemented in the network the ping
sweep method will not work. In an ARP sweep, an attacker broadcasts ARP packets to all the
hosts in the selected subnet and waits for a response. If they get an ARP response from a
specific host, this indicates the host is live.
ARP communications cannot be disabled to restrict an ARP sweep attempt on the network as all
TCP/IP communication is based on it. If ARP communication is disabled, it will also break the
TCP communication. However, administrators can easily monitor and detect this type of
attempt using an ARP filter in Wireshark. If they detect an unexpected number of broadcast
ARP requests, then they also know it indicates an ARP sweep attempt on the network.
[Figure: Wireshark capture of a TCP half open scan from 192.168.0.177 against 192.168.0.93, showing a long run of [RST] responses]
• An attacker sends a SYN packet and receives a SYN+ACK response if the port is open
• A TCP half open scan attempt is recognized if there are a large number of RST packets; this is a sign of a TCP port scan on the network
• Click on the TCP tab to view and analyze multiple TCP sessions
The attacker uses a TCP Half Open/ Stealth scan to detect open or closed TCP ports on the
target system. It involves sending a SYN packet to the target port exactly like normal TCP
communication and waits for the response. If they receive a SYN+ACK packet in the response,
then it indicates the target port is open. If they receive a RST or RST+ACK packet in the
response, then it indicates the port is closed. If the target port is behind a firewall, then they
will receive an ICMP type 3 packet with a code 1, 2, 3, 9, 10 or 13 in the response.
The TCP half connection can act as an open gate for attackers to get into the network. It is
necessary for administrators to detect the TCP Half Open connection. If there are too many RST
packets or ICMP type 3 response packets in Wireshark, then it can be a sign of a TCP Half
Open/ Stealth scan attempt on the network.
• A TCP full connect scan is recognized using the same methods: check for SYN+ACK, RST & RST+ACK packets or ICMP type 3 packets to detect a stealth scan or a TCP full connect scan attempt
• Use the following filters to quickly detect both TCP half open and TCP full connect scanning attempts on the network
To check SYN+ACK, RST & RST+ACK packets in communication:
tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014
To check ICMP type 3 packets with a code 1, 2, 3, 9, 10, or 13:
icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13)
To check SYN+ACK, RST & RST+ACK packets along with ICMP type 3 packets:
tcp.flags==0x002 or tcp.flags==0x012 or tcp.flags==0x004 or tcp.flags==0x014 or (icmp.type==3 and (icmp.code==1 or icmp.code==2 or icmp.code==3 or icmp.code==9 or icmp.code==10 or icmp.code==13))
[Figure: Wireshark captures of a TCP full connect scan between 192.168.0.177 and 192.168.0.93, showing the SYN packets sent by the scanner, the [SYN, ACK] replies from open ports (445, 139, 135, 23) and the RST+ACK replies from closed ports]
A TCP full connect scan or a TCP connect scan is the default scan that establishes a complete
three-way handshake connection. A successful three-way handshake means that the port is
open. To establish a TCP full connect scan, the attacker sends a SYN probe packet to the target
port. If the port is open the attacker will receive a SYN/ACK packet in the response. It indicates
the target port is open. The attacker will complete the communication by sending an ACK flag
and will send a RST flag to terminate the session. If the port is closed, the attacker will receive
the response as a RST/ACK. If the target port is behind a firewall, they will receive an ICMP type
3 packet with a code 1, 2, 3, 9, 10 or 13 in the response.
As a full TCP connection is established in the network, it is easy for an administrator to detect a
TCP full connect scan attempt with the help of Wireshark. The following filters are used to
detect a TCP Full Connect scan attempt:
[Figure: Wireshark capture filtered on tcp.flags==0x000, showing TCP packets from 192.168.0.54 with no flags set]
• In a Null port scan an attacker sends a TCP packet without any flags set
A TCP Null scan helps attackers identify the listening ports in the network. A TCP Null scan is a
series of TCP scan packets containing a sequence number of 0 and no set flag. Since the null
scan does not contain any set flags, it can penetrate through a router and a firewall that filter
incoming packets with particular flags set.
In the TCP Null scan, the attacker sends a TCP packet to the target port. If the port is closed, it
will receive a RST flag. If the port is open, the port will not respond because there are no flags
sent with the packet. A TCP Null scan sets all the TCP headers (ACK, FIN, RST, SYN, URG, and
PSH) to NULL. By applying the filter tcp.flags==0x000 in Wireshark administrators can
detect a TCP Null scan on UNIX servers. A TCP Null scan does not work against Windows.
• In a TCP Xmas scan an attacker sends packets with the FIN, PSH & URG TCP flags set and waits for the response
• If they receive a RST packet in the response, then the port is closed. If there is no response, then the port is either open or filtered
• Use the following filter to view the packets with FIN, PSH & URG TCP flags set: tcp.flags==0x029
[Figure: Wireshark capture filtered on tcp.flags==0x029, showing 192.168.0.54 sending [FIN, PSH, URG] packets from port 51514 to many ports on 192.168.0.55; the packet details show Flags: 0x029 (FIN, PSH, URG)]
In the TCP Xmas scan, attackers scan the entire network and look for the machines that are up
and running. It also scans for the services running on those machines.
The Xmas scan involves sending packets set with URG, PSH, ACK and FIN flags. If the port is
closed, it will receive a RST flag. If the port is open, the port will not respond as there are no
flags sent with the packet.
The TCP Xmas scan can pass through the firewall and ACL filters. An ACL filter blocks the ports with
the help of SYN packets. However, the FIN and ACK packets bypass this security.
FIN scans do not work on many operating systems. Operating systems like Microsoft Windows
send a RST flag to any malformed TCP segment. This makes it difficult for the attacker to
distinguish between the open and closed ports.
Apply the filter tcp.flags==0x029 in Wireshark to detect a TCP Xmas scan attempt.
• Attackers send packets with both the SYN and FIN flags set in an attempt to DDoS the network
• Use the filter tcp.flags==0x003 to detect a SYN/FIN attack
[Figure: Wireshark capture filtered on tcp.flags==0x003, showing 192.168.0.54 sending [FIN, SYN] packets to many ports on 192.168.0.57; the packet details show Flags: 0x003 (FIN, SYN)]
In a SYN attack, the attacker sends a succession of SYN requests to a target's system in order to
make the system unavailable for legitimate users. It exploits a known weakness in the TCP
connection.
Typical TCP communication (TCP three-way handshake) works as follows:
The SYN flag establishes a connection and the FIN flag terminates the connection. In a SYN/FIN
DDoS attempt, the attacker floods the network by setting both the SYN and FIN flags. In a
typical TCP communication, both the SYN and FIN are not set simultaneously. If an
administrator detects traffic with both a SYN and FIN flags set, then it is a sign of a SYN/FIN
DDoS attempt. The SYN/FIN DDoS attempt can exhaust the firewall on the server by sending the
packets regularly. To detect such suspicious attacks, you should use the filter
tcp.flags==0x003 to find out if both flags are set in the same packet.
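The display filters given for the half open/full connect, Null, Xmas and SYN/FIN scans all reduce to a test on the tcp.flags byte, plus a count of the RST and ICMP type 3 replies a scan leaves behind. The following added example (not part of the courseware) applies those same tests offline to a constructed list of packet summaries; the packet dict layout, the thresholds and the sample traffic are assumptions made for the example.

```python
from collections import Counter, defaultdict

# TCP flag bits in the order Wireshark prints them (low byte of tcp.flags).
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Probe patterns the chapter's display filters match exactly.
PROBE_SIGNATURES = {
    0x000: "TCP Null scan probe",   # tcp.flags==0x000
    0x029: "TCP Xmas scan probe",   # tcp.flags==0x029 (FIN, PSH, URG)
    0x003: "SYN/FIN probe",         # tcp.flags==0x003 (FIN, SYN)
}
RST_FLAGS = {0x004, 0x014}                      # tcp.flags==0x004 or tcp.flags==0x014
ICMP_UNREACHABLE_CODES = {1, 2, 3, 9, 10, 13}   # icmp.type==3 and icmp.code in ...


def flag_names(flags):
    """Render a tcp.flags byte the way Wireshark's Info column does, e.g. 'FIN, PSH, URG'."""
    return ", ".join(name for bit, name in FLAG_BITS if flags & bit)


def classify_probe(flags):
    """Return the scan label for a TCP flag byte, or None for ordinary traffic."""
    return PROBE_SIGNATURES.get(flags)


def analyze(packets, rst_threshold=10, icmp_threshold=10):
    """Summarise scan indicators per suspected scanner.

    packets: dicts shaped like Wireshark summary rows (assumed layout):
      {"proto": "tcp", "src": ..., "dst": ..., "dport": ..., "flags": 0x029}
      {"proto": "icmp", "src": ..., "dst": ..., "type": 3, "code": 3}
    Probes are attributed to their source; RST/RST+ACK and ICMP type 3 replies are
    attributed to the host they are sent back to, since a burst of them is what a
    half open, full connect or UDP scan leaves behind.
    """
    findings = defaultdict(list)
    probes = Counter()        # (scanner, label) -> count
    rst_replies = Counter()   # (responder, scanner) -> count
    icmp_replies = Counter()  # (responder, scanner) -> count
    for p in packets:
        if p["proto"] == "tcp":
            label = classify_probe(p["flags"])
            if label:
                probes[(p["src"], label)] += 1
            elif p["flags"] in RST_FLAGS:
                rst_replies[(p["src"], p["dst"])] += 1
        elif p["proto"] == "icmp" and p["type"] == 3 and p["code"] in ICMP_UNREACHABLE_CODES:
            icmp_replies[(p["src"], p["dst"])] += 1
    for (scanner, label), n in probes.items():
        findings[scanner].append(f"{label}: {n} packets")
    for (responder, scanner), n in rst_replies.items():
        if n >= rst_threshold:
            findings[scanner].append(
                f"{n} RST/RST+ACK replies from {responder}: possible TCP half open or full connect scan")
    for (responder, scanner), n in icmp_replies.items():
        if n >= icmp_threshold:
            findings[scanner].append(
                f"{n} ICMP type 3 replies from {responder}: possible scan of filtered TCP or closed UDP ports")
    return dict(findings)


def _tcp(src, dst, dport, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "dport": dport, "flags": flags}


def _icmp(src, dst, icmp_type, code):
    return {"proto": "icmp", "src": src, "dst": dst, "type": icmp_type, "code": code}


# Constructed sample capture (addresses borrowed from the chapter, traffic invented).
SAMPLE_PACKETS = (
    # Ordinary connection 192.168.0.10 -> 192.168.0.3:445, torn down with a single RST.
    [_tcp("192.168.0.10", "192.168.0.3", 445, 0x002), _tcp("192.168.0.3", "192.168.0.10", 445, 0x012),
     _tcp("192.168.0.10", "192.168.0.3", 445, 0x010), _tcp("192.168.0.10", "192.168.0.3", 445, 0x018),
     _tcp("192.168.0.10", "192.168.0.3", 445, 0x004)]
    # Half open scan: 15 SYNs; 12 closed ports answer RST+ACK, 3 open ports answer SYN+ACK.
    + [_tcp("192.168.0.177", "192.168.0.93", port, 0x002) for port in range(20, 35)]
    + [_tcp("192.168.0.93", "192.168.0.177", port, 0x014) for port in range(20, 32)]
    + [_tcp("192.168.0.93", "192.168.0.177", port, 0x012) for port in range(32, 35)]
    # Xmas scan of 20 ports, every one closed and answered with RST.
    + [_tcp("192.168.0.54", "192.168.0.55", port, 0x029) for port in range(21, 41)]
    + [_tcp("192.168.0.55", "192.168.0.54", port, 0x004) for port in range(21, 41)]
    # SYN/FIN packets, which legitimate TCP never produces.
    + [_tcp("192.168.0.54", "192.168.0.57", port, 0x003) for port in range(111, 116)]
    # UDP scan leftovers: 12 "port unreachable" replies back to the scanner.
    + [_icmp("192.168.0.51", "192.168.0.54", 3, 3) for _ in range(12)]
)

if __name__ == "__main__":
    for scanner, notes in analyze(SAMPLE_PACKETS).items():
        print(scanner)
        for note in notes:
            print("   ", note)
```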
[Figure: Wireshark packet details of an ICMP reply from 192.168.0.51 to 192.168.0.54: Type: 3 (Destination unreachable), Code: 3 (Port unreachable)]
• If the target responds with a large number of ICMP Type 3 Code 3 packets (port unavailable), then it is a sign of a UDP port scan on the network
• Use the following filter to view packets with an ICMP Type 3 Code 3 to detect a UDP scan attempt: icmp.type==3 and icmp.code==3
The UDP service can receive packets without establishing a connection. When an attacker sends
a UDP packet to the target, either of the following can occur:
• If the UDP port is open, the target accepts the packet and does not send any response.
• If the UDP port is closed, the ICMP packet is sent in response.
UDP scanning is more difficult to probe than TCP as it does not depend on the
acknowledgements received. A UDP scan gathers all the ICMP errors received from closed
ports. Administrators should take proper measures to handle open UDP ports to avoid any
intrusion in the network. While monitoring, if any machine is replying with bulk ICMP type 3
responses, it is a sign of a UDP scan attempt on the network. To identify the UDP scan attempt,
run the filter icmp.type==3 and icmp.code==3 in Wireshark.
• Attackers use a variety of tools to perform these password cracking attacks
Password cracking is a process of gaining or recovering passwords either through trial and error
or running a password guessing attempt using an available file. These files contain the most
commonly used passwords. These techniques are called a brute force attack and a dictionary
attack respectively.
Brute-Force Attack
Though brute-force attacks can be a lengthy process, attackers use various tools to carry them
out on the network.
Dictionary Attack
The attacker uses a limited set of words to perform a dictionary attack. With SSH services
running in the network, it is easier for attackers to perform a dictionary attack. SSH dictionary
attacks rely on the log files or on the network traffic. The dictionary attack can be accomplished
easily on an account that has a weak password. This type of attack is performed on a single
target machine or on the network.
An administrator can detect this type of attack by monitoring the number of login attempts
made from the same IP address or username.
[Figure: Wireshark captures filtered on ftp.request.command and ftp.response.code==530, showing repeated "Response: 530 User cannot log in." from 192.168.0.37 (port 21) to 192.168.0.151]
• Use ftp.request.command to filter FTP requests
The file transfer protocol (FTP) is a standard protocol to transmit files between systems over
the Internet using the TCP/IP suite. FTP is a client server protocol relying on two
communication channels between a client and a server. One manages the conversations and
the other is responsible for the actual content transmission. A client initiates a session with a
download request, to which the server responds with the particular file requested.
An FTP session requires the user to login to the FTP server with their username and password.
In an FTP password attack, the attacker tries to gain the user's password.
Use the filter ftp.request.command in Wireshark to detect a FTP password cracking
attempt in the network. The filter ftp.request.command provides all the FTP requests
made in the network. It also displays the number of attempts made by the attacker to gain
access to the FTP server.
• To check the successful attempt of FTP password cracking, apply the filter
ftp.response.code==230
• To check the unsuccessful attempt of FTP password cracking, apply the filter
ftp.response.code==530
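The three filters above (ftp.request.command, ftp.response.code==530, ftp.response.code==230) become useful evidence once the results are counted per client and server. This added example, which is not courseware code, does that counting over constructed Wireshark-style Info strings: it tallies PASS attempts and 530 failures per client/server pair, alerts when failures reach a threshold, and alerts again when a 230 follows earlier failures (the case the courseware calls a successful cracking attempt). The packet layout, threshold and sample traffic are assumptions.

```python
import re
from collections import defaultdict

FTP_LOGIN_OK, FTP_LOGIN_FAIL = 230, 530   # ftp.response.code==230 / ftp.response.code==530

RESPONSE_RE = re.compile(r"^Response:\s+(\d{3})\b")
REQUEST_RE = re.compile(r"^Request:\s+([A-Z]+)(?:\s+(.*))?$")


def parse_info(info):
    """Split a Wireshark-style FTP Info string into
    ('request', COMMAND, argument) or ('response', code, None)."""
    m = RESPONSE_RE.match(info)
    if m:
        return "response", int(m.group(1)), None
    m = REQUEST_RE.match(info)
    if m:
        return "request", m.group(1), m.group(2)
    return None, None, None


def analyze_ftp(packets, fail_threshold=5):
    """Count PASS requests, 530 and 230 responses and user names per (client, server) pair.

    packets: dicts {"src": ..., "dst": ..., "info": "Request: USER admin"} in the shape
    ftp.request.command / ftp.response.code rows take in Wireshark (assumed layout).
    Returns (sessions, alerts): alerts fire when a client reaches fail_threshold
    failures and again when a 230 arrives after earlier failures.
    """
    sessions = defaultdict(lambda: {"users": set(), "pass_attempts": 0,
                                    "failures": 0, "success": False})
    alerts = []
    for p in packets:
        kind, value, arg = parse_info(p["info"])
        if kind == "request":
            s = sessions[(p["src"], p["dst"])]            # client -> server
            if value == "USER" and arg:
                s["users"].add(arg)
            elif value == "PASS":
                s["pass_attempts"] += 1
        elif kind == "response":
            client, server = p["dst"], p["src"]            # server -> client
            s = sessions[(client, server)]
            if value == FTP_LOGIN_FAIL:
                s["failures"] += 1
                if s["failures"] == fail_threshold:
                    alerts.append(f"{client} has {fail_threshold} failed FTP logins on {server}: "
                                  f"possible password cracking ({len(s['users'])} user names tried)")
            elif value == FTP_LOGIN_OK:
                s["success"] = True
                if s["failures"]:
                    alerts.append(f"{client} logged in to {server} after {s['failures']} failures: "
                                  "review the account for compromise")
    return dict(sessions), alerts


def _req(client, server, text):
    return {"src": client, "dst": server, "info": "Request: " + text}


def _resp(server, client, text):
    return {"src": server, "dst": client, "info": "Response: " + text}


# Constructed sample (addresses borrowed from the chapter's screenshot, traffic invented):
# 192.168.0.151 guesses repeatedly against 192.168.0.37 and eventually gets in, while
# 192.168.0.20 logs in normally at the first try.
SERVER, ATTACKER, NORMAL = "192.168.0.37", "192.168.0.151", "192.168.0.20"
SAMPLE_PACKETS = [_req(NORMAL, SERVER, "USER alice"), _req(NORMAL, SERVER, "PASS <redacted>"),
                  _resp(SERVER, NORMAL, "230 User logged in.")]
for i in range(7):
    SAMPLE_PACKETS += [_req(ATTACKER, SERVER, "USER admin"), _req(ATTACKER, SERVER, f"PASS guess{i}"),
                       _resp(SERVER, ATTACKER, "530 User cannot log in.")]
SAMPLE_PACKETS += [_req(ATTACKER, SERVER, "USER admin"), _req(ATTACKER, SERVER, "PASS guess7"),
                   _resp(SERVER, ATTACKER, "230 User logged in.")]

if __name__ == "__main__":
    sessions, alerts = analyze_ftp(SAMPLE_PACKETS)
    for (client, server), s in sessions.items():
        print(f"{client} -> {server}: {s['pass_attempts']} PASS, "
              f"{s['failures']} x 530, success={s['success']}")
    for a in alerts:
        print("ALERT:", a)
```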
• Attackers use different approaches to sniff the traffic depending on the type of network
• Passive sniffing is used to sniff a hub based network while active sniffing is used to
sniff a switch based network
• An attacker uses MAC flooding and ARP poisoning to sniff the network traffic
• Identify sniffing attempts by detecting the signs of a MAC flood and/or an ARP poisoning
using Wireshark
Sniffing or Man in The Middle attacks are a form of eavesdropping where an attacker captures
packets by placing themselves between a client and a server. Sniffing is attempted using either
an active form or a passive form.
Active Sniffing
Sniffing performed over a switched network is called active sniffing. The attacker injects packets
into the network traffic to gain information from the switch, which maintains its own ARP cache
known as content addressable memory (CAM).
Passive Sniffing
Sniffing performed on the hub is called passive sniffing. Since a hub broadcasts all packets, an
attacker only has to initiate the session and wait for someone else to send packets on the same
collision domain.
• MAC flooding
• ARP poisoning
• Wireshark detects MAC flooded packets using the Expert Information window
• Wireshark considers these as malformed packets
• Check if the traffic is originating from various IP addresses by analyzing the source IP, destination IP and the TTL values
[Figure: Wireshark Expert Information window showing Malformed TCP packets under the Errors group]
MAC flooding is an active sniffing method in which the attacker connects to a port on the
switch. They send a flurry of Ethernet frames with various fake MAC addresses. The switch
maintains a CAM (content addressable memory) table, which the attacker is trying to gain
access to. This attack is also known as CAM flooding attack.
A MAC flooding attempt is detected in Wireshark by carefully analyzing the packet's source and
destination addresses along with its Time to live (TTL).
After capturing the packets go to the 'Analyze' tab and click on 'Expert Information' from the
drop down context menu.
[Figure: Wireshark Expert Information window listing packet-level notes (a dissector not implemented, suspected retransmissions, HTTP requests and responses)]
Malformed packets result for various reasons and they may not be an attempt to MAC flood. To
accurately detect a MAC flooding attempt check if several packets are destined towards the
same machine but originated from different sources.
[Figure: Wireshark capture showing TCP segments of a reassembled PDU from 192.168.0.3 to 192.168.0.87 and an SMB2 Find Response with STATUS_NO_MORE_FILES]
Although the destination address is the same in the above screenshot, it should be noted that
the source address is also the same, which implies the packets were sent from a legitimate source.
Administrators can also verify the TTL values for each packet. If every source has the sa me TTL
values and all the packets are directed towards the same machine, it is an indication of a MAC
flood attempt on the network.
Preventing MAC Flooding:
• MAC flooding can be avoided by using Port security that is a built-in feature with Cisco
switches. Port security limits the number of MAC addresses. It creates a small MAC
address table as compared to the traditional larger ones.
• Implementing authentication, authorization and accounting (AAA) by vendors, minimizes
the MAC flooding risk.
• Implementing IEEE suites allows packet filtering rules to be installed by an AAA server.
• Check for 'duplicate IP address configured' messages in the Warnings tab in Wireshark
• Filter: arp.duplicate-address-detected
[Figure: Wireshark capture filtered on arp.duplicate-address-detected, showing ARP requests and replies marked "duplicate use of 192.168.0.54 detected!" and the expert information "Duplicate IP address detected for 192.168.0.54 (16:cb:ec:6b:2b:e7)"]
The address resolution protocol (ARP) maps the MAC address to an IP address. In an ARP
poisoning attack, an attacker changes the MAC address of the target system to his MAC
address. All packets destined to the target system are now going to the attacker's machine. An
attacker can monitor the data flow in the network, forge more than one device on the network
and have all their packets directed towards them instead. An ARP poisoning attack can be
detected in Wireshark by looking for a warning message which reads 'duplicate IP address
configured'. An administrator can use the filter arp.duplicate-address-detected after capturing
the packets. The packets with these messages are shown in the accompanying figure. It is an indication of
an ARP poisoning attempt on the network.
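Both ARP checks described in this chapter, a burst of broadcast ARP requests for many targets (ARP sweep) and one IP address claimed by two MAC addresses (the condition behind arp.duplicate-address-detected), are reproduced below in an added example that is not courseware code. The frame dict layout, the sweep threshold and the invented MAC addresses are assumptions; the two MACs taken from the chapter's screenshots are used only to label the sample.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_arp_sweep(frames, min_targets=20):
    """Flag source MACs that broadcast ARP requests for many distinct target IPs.

    frames: dicts shaped like Wireshark's ARP dissection (assumed layout):
      {"src_mac": ..., "dst_mac": ..., "op": "request"|"reply",
       "sender_mac": ..., "sender_ip": ..., "target_ip": ...}
    A host resolving its normal peers asks for a handful of addresses; a sweep asks
    for most of the subnet in one burst.
    """
    targets = defaultdict(set)
    for f in frames:
        if f["op"] == "request" and f["dst_mac"] == BROADCAST:
            targets[f["src_mac"]].add(f["target_ip"])
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= min_targets}


def detect_duplicate_addresses(frames):
    """Reproduce the check behind arp.duplicate-address-detected: every ARP packet
    asserts 'sender_ip is at sender_mac', so an IP claimed by two different MACs
    is reported together with both MACs."""
    claims = defaultdict(set)
    for f in frames:
        claims[f["sender_ip"]].add(f["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def _request(src_mac, sender_ip, target_ip):
    return {"src_mac": src_mac, "dst_mac": BROADCAST, "op": "request",
            "sender_mac": src_mac, "sender_ip": sender_ip, "target_ip": target_ip}


def _reply(src_mac, dst_mac, sender_ip, target_ip):
    return {"src_mac": src_mac, "dst_mac": dst_mac, "op": "reply",
            "sender_mac": src_mac, "sender_ip": sender_ip, "target_ip": target_ip}


# Constructed frames. GATEWAY_MAC and VICTIM_MAC are invented; the other two MACs
# appear in the chapter's screenshots and are reused here only as labels.
GATEWAY_MAC, VICTIM_MAC = "02:00:00:00:00:01", "02:00:00:00:00:54"
SCANNER_MAC, POISONER_MAC = "08:00:27:09:ef:ce", "16:cb:ec:6b:2b:e7"
SAMPLE_FRAMES = (
    # Normal resolution: the victim asks for its gateway and the gateway answers.
    [_request(VICTIM_MAC, "192.168.0.54", "192.168.0.1"),
     _reply(GATEWAY_MAC, VICTIM_MAC, "192.168.0.1", "192.168.0.54")]
    # ARP sweep: one station asks for 192.168.0.1 .. 192.168.0.30 in a burst.
    + [_request(SCANNER_MAC, "192.168.0.99", f"192.168.0.{i}") for i in range(1, 31)]
    # ARP poisoning: a second station claims the gateway's IP towards the victim.
    + [_reply(POISONER_MAC, VICTIM_MAC, "192.168.0.1", "192.168.0.54")]
)

if __name__ == "__main__":
    for mac, n in detect_arp_sweep(SAMPLE_FRAMES).items():
        print(f"ARP sweep: {mac} asked for {n} distinct addresses")
    for ip, macs in detect_duplicate_addresses(SAMPLE_FRAMES).items():
        print(f"Duplicate IP address detected for {ip}: claimed by {' and '.join(macs)}")
```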
VisualSniffer: http://www.biovisualtech.com
PacketMon: http://www.analogx.com
Network Sniffer
Source: http://www.colasoft.com
Network Sniffer can help you locate network problems by allowing you to capture and view the
packet level data on your network. It consists of a well -integrated set of functions that can
resolve network problems. It can list all the network packets in real -time from multi-network
cards (Include Modem, ISDN, ADSL) and can also support capturing packets based on
applications (SOCKET, TOI etc.).
VisualSniffer
Source: http://www.biovisualtech.com
VisualSniffer is a packet capture tool and protocol analyzer ( IP sniffer or packet sniffer) for a
Windows system. VisualSniffer can be used by LAN administrators and security professionals for
network monitoring, intrusion detection and network traffic logging. It can also be used by
network programmers, for checking what the developing program has sent and received or
others to get a full picture of the network traffic.
SniffPass Password Sniffer
Source: http://www.nirsoft.net
SniffPass captures the passwords that pass through the network adapter. SniffPass can capture
the passwords of the following Protocols: POP3, IMAP4, SMTP, FTP, and HTTP (basic
authentication passwords).
[Figure: PRTG Network Monitor dashboard with Top Talkers and Top Connections toplists and a protocol breakdown (Citrix, FTP/P2P, Infrastructure, Mail, NetBIOS, Remote Control, WWW, Various)]
PRTG Network Monitor
Source: https://www.paessler.com
PRTG Network Monitor is a network monitoring software which supports remote management using any web browser or smart phone, various notification methods and multiple location monitoring. Administrators can use this utility for availability, usage and activity monitoring, covering the entire range from website monitoring to database performance monitoring.
It helps:
Network monitoring tools: Nagios (https://www.nagios.org) and NetworkMiner (http://www.netresec.com)
Message Analyzer
Source: https://www.microsoft.com
Message Analyzer enables an administrator to capture, display and analyze protocol messaging traffic and other system messages. Message Analyzer can also import, aggregate and analyze data from log and trace files.
Nagios
Source: https://www.nagios.org
Nagios monitors the entire IT infrastructure to ensure systems, applications, services, and business processes are functioning properly.
OpenNMS
Source: http://www.opennms.org
The application comes with a large number of service monitors that perform synthetic transactions ranging from a simple ICMP request (ping) or port check, up through complex website monitoring and round-trip e-mail testing.
Advanced IP Scanner
Source: http://www.advanced-ip-scanner.com
Advanced IP Scanner analyzes the traffic in the LAN. The program shows all network devices and provides access to shared folders and FTP servers. It provides remote control of computers and can even switch computers off remotely.
Bandwidth Monitoring
□ Bandwidth is the amount of information that can be transmitted over a network in a given amount of time
□ Network bandwidth selection plays a vital role in the design, maintenance and performance of an organization's network
□ Poor bandwidth management leads to network congestion and poor performance of the network
□ Bandwidth monitoring involves measuring and controlling the traffic on a network link to avoid overfilling the link
Bandwidth Monitoring (Cont'd)
► Data compression
► Latency mitigation
► Loss mitigation
Bandwidth is the amount of data that can be transferred from one point to another. Bandwidth is one of the criteria defining network performance. An effective bandwidth is one that provides the highest transmission rate. A bandwidth monitoring test identifies the maximum throughput of a system. Bandwidth monitoring tools report the real-time network traffic of any device, at both the interface level and the device level. If the bandwidth detected is low, the functioning of the network degrades.
An organization works with two types of bandwidth speed: upload and download. The speed at which data is sent to the destination is called the upload speed. The speed at which the destination receives the data is called the download speed. With growing networks and huge volumes of data, organizations have started to maximize their upload and download speeds.
It is also important to consider the bandwidth capacity of the network. Bandwidth capacity is the maximum data rate a link can transfer. With hundreds of users on the network, it is important to know the bandwidth usage required per day. Although it can be a tedious job for administrators to determine the daily bandwidth usage, a blueprint of the usage helps draft a proper bandwidth monitoring plan.
Bandwidth monitoring includes monitoring the various bandwidth utilizations that exist in the organization. Many software tools allow you to monitor bandwidth in real time. The benefits of bandwidth monitoring are:
• Bandwidth monitoring helps determine the network utilization of each system. Systems using high amounts of bandwidth should be monitored closely, as they may be engaged in suspicious activity or may have become victims of it.
• High amounts of network traffic lead to network congestion and affect the functioning of the organization. Deploying a network limit provides an alarm when the network is about to reach its maximum bandwidth.
• If network congestion is high, depending on the size of the organization, additional links can be added to the network. An additional link boosts network performance and reduces network congestion.
• Limited Use of Media Sites: Organizations can limit their employees' use of media such as online gaming, movies, music, etc. This enhances both the upload and the download speed of the overall network.
• Proxy Cache: When a user visits a website for the first time, the content of the site is saved (cached) on the proxy server. If the user visits the same website again, the content does not have to be downloaded again.
applications. In the future if a user accesses these applications, the QoS bandwidth will be
utilized. Utilizing QoS bandwidth will not affect the bandwidth usage for other users in the
network.
□ It is recommended to use only a single bandwidth monitoring tool to assess the current utilization of bandwidth for the organization
□ Define and categorize the bandwidth need based on the application, user, user groups, time period, etc.
□ Calculate the total number of nodes that contribute to the overall bandwidth requirement, including workstations, shared printers, and servers
□ Determine, assess and list the type of application that should be used within a specific time period and how much bandwidth it will consume
□ Check with the Internet service provider (ISP) as to whether they allow provisions for growth in the bandwidth requirements
The following best practices can also be helpful in effective bandwidth monitoring:
• Educating or training the employees in good time about excessive bandwidth consumption creates awareness among them concerning bandwidth usage.
• Back up the configuration of the devices on the network. After a power failure or network failure, these backups restore a known-good configuration and keep the bandwidth stable.
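The interface-level utilization check that bandwidth monitors perform, as an added example (not code from the courseware or from any tool it lists): two polls of SNMP-style octet counters are turned into percent utilization per direction and compared with warning and critical thresholds, including the counter wrap that makes a naive subtraction go negative. The interface names, speeds, thresholds and readings are constructed assumptions.

```python
"""Interface utilization from two SNMP-style octet counter readings, checked against
warning and critical thresholds.

Added example, not code from the CND courseware or from any tool it lists. It assumes
counters that behave like IF-MIB ifInOctets/ifOutOctets (32-bit, wrapping to zero),
sampled at a fixed interval on an interface of known speed. Readings are constructed.
"""
from typing import Dict, List

COUNTER32_MAX = 2 ** 32


def counter_delta(previous: int, current: int, modulus: int = COUNTER32_MAX) -> int:
    """Octets counted between two readings, allowing for a single wrap of the counter.

    A plain `current - previous` goes negative after a wrap; at line rate on a 100 Mbps
    link a 32-bit octet counter wraps in under six minutes, so this is a routine case.
    """
    if current >= previous:
        return current - previous
    return (modulus - previous) + current


def utilization_percent(previous: int, current: int, interval_s: float, speed_bps: int) -> float:
    """Percentage of the link speed used in one direction over the sampling interval."""
    bits = counter_delta(previous, current) * 8
    return bits * 100.0 / (interval_s * speed_bps)


def classify(utilization: float, warning: float, critical: float) -> str:
    """Map a utilization percentage to ok / warning / critical."""
    if utilization >= critical:
        return "critical"
    if utilization >= warning:
        return "warning"
    return "ok"


# Constructed readings: each entry holds the interface speed and the (in, out) octet
# counters from two polls 60 seconds apart. Gi0/2's input counter wraps between polls.
INTERVAL_S = 60
READINGS: List[Dict] = [
    {"interface": "Gi0/1", "speed_bps": 100_000_000,
     "t0": (1_000, 5_000), "t1": (562_501_000, 7_505_000)},
    {"interface": "Gi0/2", "speed_bps": 100_000_000,
     "t0": (4_294_967_196, 0), "t1": (674_999_900, 0)},
    {"interface": "Gi0/3", "speed_bps": 1_000_000_000,
     "t0": (0, 0), "t1": (75_000_000, 75_000_000)},
]


def evaluate(readings: List[Dict], interval_s: float,
             warning: float = 70.0, critical: float = 90.0) -> List[Dict]:
    """Per-interface utilization in both directions; status follows the busier direction."""
    results = []
    for r in readings:
        in_pct = utilization_percent(r["t0"][0], r["t1"][0], interval_s, r["speed_bps"])
        out_pct = utilization_percent(r["t0"][1], r["t1"][1], interval_s, r["speed_bps"])
        results.append({
            "interface": r["interface"],
            "in_pct": round(in_pct, 2),
            "out_pct": round(out_pct, 2),
            "status": classify(max(in_pct, out_pct), warning, critical),
        })
    return results


if __name__ == "__main__":
    for row in evaluate(READINGS, INTERVAL_S):
        print(f"{row['interface']}: in {row['in_pct']}% out {row['out_pct']}% -> {row['status']}")
```

Poll at an interval shorter than the wrap time of the counter, or use the 64-bit high-capacity counters where the device offers them, so that at most one wrap can occur between readings.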
Bandwidth monitoring tools: SolarWinds Real-Time Bandwidth Monitor (http://www.solarwinds.com), BitMeter OS (https://codebox.org.uk), ManageEngine Bandwidth Monitor (http://www.manageengine.com), BandwidthD (http://sourceforge.net)
BitMeter OS
Source: https://codebox.org.uk
BitMeter OS keeps track of how much of the internet/network connection is used and allows an administrator to view this information either via a web browser or by using the command line tools.
FreeMeter Bandwidth Monitor
Source: http://miechu.pl
FreeMeter Bandwidth Monitor is used to monitor the network bandwidth on any or all network interfaces. It also provides supporting utilities, including Ping, Trace, UPnP utilities, etc.
BandwidthD
Source: https://sourceforge.net
BandwidthD monitors the amount of traffic being received/transmitted by specific machines and/or subnets. It tracks the usage of TCP/IP network subnets and builds HTML files with graphs to display utilization.
PRTG Bandwidth Monitor
Source: https://www.paessler.com
PRTG Bandwidth Monitor analyzes the traffic in the network and provides detailed results as tables and graphs. It monitors network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT and many more.
NetWorx
Source: https://www.softperfect.com
NetWorx monitors all the network connections or just a specific network connection, such as
Wireless or Mobile Broadband. The incoming and outgoing traffic is represented on a line chart
and logged into a file, so the statistics can always be viewed about the daily, weekly and
monthly bandwidth usage and dial-up duration. The reports can be exported to a variety of
formats, such as HTML, MS Word and Excel for further analysis.
SolarWinds Real-Time Bandwidth Monitor
Source: http://www.solarwinds.com
With the Real-Time Bandwidth Monitor, critical and warning thresholds can be set to instantly
see when usage is out of bounds.
Rokario Bandwidth Monitor
Source: http://www.rokario.com
Rokario Bandwidth Monitor enables an administrator to keep a close eye on the amount of
bandwidth accumulated over the current hour, day, week, month or even year. Advanced
logging tools make it easy to view the bandwidth usage and make alterations to bandwidth
logs.
ManageEngine Bandwidth Monitor
Source: https://www.manageengine.com
The Bandwidth Monitor tool shows the real-time network traffic of any SNMP device. It provides the bandwidth usage details both at the interface level and at the device level. It uses SNMP to fetch the bandwidth utilization details of a network interface. The device-level bandwidth utilization view compares the traffic of the individual interfaces.
tbbMeter
Source: http://www.thinkbroadband.com
tbbMeter is a bandwidth meter that monitors Internet usage. It shows how much the computer
is sending to and receiving from the Internet in real time. It also shows how the Internet usage
varies at different times of the day.
ShaPlus Bandwidth Meter
Source: http://www.shaplus.com
ShaPlus Bandwidth Meter is a bandwidth monitoring software used to track Internet bandwidth
usage. It displays the bandwidth usage in the current session, day and month.
□ Signatures are patterns created using a set of rules which identify typical intrusive activity on the network
□ Signature analysis helps differentiate legitimate traffic from suspicious traffic
□ Wireshark is a widely used network packet analyzer for network analysis
□ A network baseline is a description of the accepted behavior for the network traffic
□ Administrators should monitor the network traffic for different types of attack attempts
This module covered the importance of manual network traffic monitoring, types of network signatures, network traffic baselining, network monitoring tools and detection techniques for various types of attacks. The skills acquired include the ability to monitor and detect various types of network traffic abnormalities in the network. The information learned in this module provided the skills to manage and monitor the network devices in the infrastructure, as well as the skills to monitor the network bandwidth.
□ Understanding risk and risk management
□ Identifying the key roles and responsibilities in risk management
□ Understanding Key Risk Indicators (KRI) in risk management
□ Explaining phases involved in risk management
□ Understanding enterprise network risk management
□ Describing various risk management frameworks
□ Understanding vulnerability assessment and its importance
□ Identifying requirements for an effective network vulnerability assessment
□ Discussing internal and external vulnerability assessment
□ Recalling the steps for effective external vulnerability assessment
□ Describing the various phases involved in a vulnerability assessment
This module focuses on network risk and vulnerability management. Organizations are required to manage network risks and vulnerabilities to an acceptable level. This module describes the impact of risks and vulnerabilities on the organization and deals with the various phases involved in risk and vulnerability management. It guides you through the various risk levels, the roles and responsibilities of the people involved in risk management, different risk management frameworks, vulnerability assessment phases, and the tools used for a vulnerability assessment.
Risk refers to a degree of uncertainty or expectation that an adverse event may cause damage to the system.
Risk is a function of the following factors:
□ Presence of weakness in the system (Vulnerability)
□ Probability of the occurrence of an adverse event (Threat)
□ Consequences of the adverse event (Impact)
Potentiality of the risk is best expressed by answering the following questions:
□ What is risk?
□ What is the impact of risk?
□ What is the frequency of risk?
Risk is an expectation that a threat may succeed in damaging resources under specified conditions. Risk can also be defined as:
• The probability of the occurrence of a threat or an event that may damage, cause loss or have other negative impacts, arising from internal or external liabilities.
• The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
• The product of the likelihood that an event will occur and the impact the event would have on an information technology asset.
The impact of an event on an information asset is the product of a vulnerability in the asset and the asset's value to its stakeholders. IT risk can therefore be expanded to
RISK = Threat x Vulnerability x Asset Value
Impact of Risk
Impact covers events which restrict normal performance and affect the project's cost or schedule outcomes. The impact of a risk on an organization, process or system is shaped by the adverse conditions. The impact indicates the potential seriousness of the risk that occurred.
Frequency of Risk
Following risk identification and risk assessment, risks are classified by the frequency of their occurrence and the severity of their consequences. Frequency and severity are the most important characteristics used to monitor risks. Risks are separated into two categories: minor risks that do not require further management attention, and significant risks that require management attention and further analysis. The two-dimensional matrix method is a common method of classifying risk into three categories based on frequency and severity.
□ Risks are categorized into different levels according to their estimated impact on the system
□ The impact level of a risk depends on the value of the assets and resources it affects, and the severity of the damage
The risk level is an assessment of the resulting impact on the network. Various methods exist to differentiate risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix.
To analyze risks, you need to work out the frequency or probability of an incident happening (likelihood) and the consequences it would have; together these give the level of risk. Risk can be represented and calculated using the following formula:
There are four risk levels: extremely high, high, medium and low. Remember that control measures decrease the level of risk, but do not always eliminate it.
Medium: Moderate danger. Immediate action is not required, but controls should be implemented at the earliest opportunity.
Risk danger: Implement controls as soon as possible to reduce the risk to a reasonably low level.
Low Risk: Negligible danger. Take preventive steps to mitigate the risk's effect.
A risk matrix is used to scale risk by considering the probability, likelihood, and consequence/impact of the risk.

Likelihood (probability)      | Consequences
                              | Insignificant | Minor  | Moderate | Major   | Severe
Very High Probability 81-100% | Low           | Medium | High     | Extreme | Extreme
High Probability 61-80%       | Low           | Medium | High     | High    | Extreme
Equal Probability 41-60%      | Low           | Medium | Medium   | High    | High
Low Probability 21-40%        | Low           | Low    | Medium   | Medium  | High
Very Low Probability 1-20%    | Low           | Low    | Medium   | Medium  | High
The risk matrix scales the probability (likelihood) of a risk occurring against its consequences or impact. It is a graphical representation of risk severity and of the extent to which controls can or will mitigate it. The risk matrix is one of the simplest processes for increasing the visibility of risk, and it contributes to management's decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of the probability and severity categories. Although many standard risk matrices exist, individual organizations need to create their own.
The above figure is the graphical representation of the risk matrix, used for visualizing and comparing risks. It is a simple way of analyzing risks and differentiating the levels of risk.
1. Very High Probability: The probability of occurrence is more than 80%, and the risk will most likely cause more problems.
2. High Probability: The probability of occurrence is 61-80%, and the risk will likely cause more problems.
2. Minor: These risks cause damage, but not to a large extent, and do not affect the network significantly.
3. Moderate: These risks do not pose a great threat, but can inflict sizable damage.
4. Major: These risks have significantly large consequences, which lead to a great loss to the organization.
5. Severe: These risks make the network completely unresponsive and are the top priority risks for management.
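The matrix above and the prioritization it feeds, as an added example that is not part of the courseware: the five likelihood bands and five consequence categories are encoded so that a risk register scores consistently, is ordered by severity and is filtered against an accepted risk tolerance. The register entries and the tolerance value are constructed assumptions.

```python
"""The module's 5x5 risk matrix as code, so that every assessor derives the same level.

Added example, not code from the CND courseware. It encodes the matrix shown above:
five likelihood bands (percent probability) against five consequence categories,
giving Low / Medium / High / Extreme. The risk register entries are constructed samples.
"""
from typing import Dict, List, Tuple

CONSEQUENCES: List[str] = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]

# (lower bound %, upper bound %, band label), as in the matrix's left-hand column
PROBABILITY_BANDS: List[Tuple[int, int, str]] = [
    (81, 100, "Very High"),
    (61, 80, "High"),
    (41, 60, "Equal"),
    (21, 40, "Low"),
    (1, 20, "Very Low"),
]

# Rows are likelihood bands, columns follow CONSEQUENCES.
MATRIX: Dict[str, List[str]] = {
    "Very High": ["Low", "Medium", "High",   "Extreme", "Extreme"],
    "High":      ["Low", "Medium", "High",   "High",    "Extreme"],
    "Equal":     ["Low", "Medium", "Medium", "High",    "High"],
    "Low":       ["Low", "Low",    "Medium", "Medium",  "High"],
    "Very Low":  ["Low", "Low",    "Medium", "Medium",  "High"],
}

LEVEL_RANK: Dict[str, int] = {"Low": 0, "Medium": 1, "High": 2, "Extreme": 3}


def probability_band(probability_pct: float) -> str:
    """Likelihood band for an estimated probability; values are rounded to whole percent."""
    pct = max(1, min(100, round(probability_pct)))
    for low, high, label in PROBABILITY_BANDS:
        if low <= pct <= high:
            return label
    raise ValueError(f"no band for {probability_pct}")  # unreachable after clamping


def risk_level(probability_pct: float, consequence: str) -> str:
    """Matrix cell for a probability and consequence; rejects unknown consequence names."""
    if consequence not in CONSEQUENCES:
        raise ValueError(f"unknown consequence {consequence!r}; expected one of {CONSEQUENCES}")
    return MATRIX[probability_band(probability_pct)][CONSEQUENCES.index(consequence)]


def prioritize(register: List[Dict]) -> List[Dict]:
    """Score each register entry and order the register from most to least severe.

    Ties within a level are broken by probability, so the likelier risk is treated first.
    """
    scored = [dict(entry, level=risk_level(entry["probability"], entry["consequence"]))
              for entry in register]
    return sorted(scored, key=lambda e: (LEVEL_RANK[e["level"]], e["probability"]), reverse=True)


def outside_tolerance(register: List[Dict], tolerance: str = "Medium") -> List[Dict]:
    """Entries whose level exceeds the accepted tolerance: these must receive a treatment."""
    return [e for e in prioritize(register) if LEVEL_RANK[e["level"]] > LEVEL_RANK[tolerance]]


# Constructed register; probabilities are the assessors' estimates in percent.
REGISTER: List[Dict] = [
    {"name": "Unpatched internet-facing web server", "probability": 85, "consequence": "Major"},
    {"name": "Single ISP uplink with no failover", "probability": 30, "consequence": "Moderate"},
    {"name": "Stale ARP entries on a lab switch", "probability": 10, "consequence": "Insignificant"},
    {"name": "Unencrypted backup tapes in transit", "probability": 50, "consequence": "Severe"},
    {"name": "Phishing against finance staff", "probability": 70, "consequence": "Major"},
]

if __name__ == "__main__":
    for e in prioritize(REGISTER):
        print(f"{e['level']:7} {e['probability']:3}% {e['consequence']:13} {e['name']}")
```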
Risk management is the process of identifying, assessing and responding to risks, and implementing the activities that control how the organization manages their potential effects. Risk management has a prominent place throughout the security life cycle. Risk management is a continuous and increasingly complex process. The types of risk vary from organization to organization, but preparing a risk management plan is common to all organizations.
• Depending on the impact/severity of the risk, prioritize the risks and use established risk management methods, tools and techniques to assist.
• Understand and analyze the risks and report identified risk events.
• Control the risk and mitigate the risk's effect.
• Create awareness among the security staff, and develop strategies and plans for risk management that last.
□ System and Information Owners: Responsible for the appropriate security control use to maintain confidentiality, integrity and availability for an information system
□ Business and Functional Managers: Responsible for making trade-off decisions in the risk management process
□ IT security program managers and computer security officers (ISSO): Responsible for an organization's information security programs
• Chief Information Officer (CIO): The person holding the position of Chief Information Officer is responsible for executing the policies and plans required to support the information technology and computer systems of an organization. CIOs play a vital role in forming the basic plans and policies for risk management. A main responsibility of the CIO is to train employees and other executive management regarding the possible risks in IT and their effect on the business.
• System and Information Owners: System and information owners mainly monitor the plans and policies developed for information systems. Their responsibilities include:
  • Conduct an investigation of all changes in the information systems and their impact.
  • Update the security controls required for protecting the information systems.
  • Examine and evaluate the existing security controls in order to confirm their efficiency in protecting the system.
• Business and Functional Managers: They are responsible for maintaining all management processes in an organization. They are empowered with the authority to manage almost all the processes in an organization. The roles defining functional managers are:
  • Sales manager
• IT Security Program Managers and Computer Security Officers (ISSO): The ISSO provides the required support to information system owners in selecting the security controls for protecting the system. They also play an important role in the selection and amendment of the security controls in an organization.
• IT Security Practitioners: IT security practitioners protect the personnel, physical and information security of an organization. The main responsibilities include:
□ A KRI is an important component of an effective risk management process which shows the riskiness of an activity
□ A Key Risk Indicator (KRI) is a metric showing the risk appetite probability for an organization
Key Risk Indicators (KRIs) are an important component of an effective risk management process, which show the riskiness of an activity at an early stage. Understanding the organizational goals is required to properly identify KRIs. A KRI is a metric capable of showing the risk appetite probability of the organization. KRIs are the most important indicators of an organization's overall health, helping reduce loss and prevent risk exposure. Risk exposure is prevented by measuring the risk profiles and risk situations in advance, before the risk event occurs.
KRI assists in performing the following:
spreadsheets, using the powerful Force.com data loader or input automatically via the
Force.com web services API.
Management identifies the KRls to execute its strategic initiatives by mapping the risks. An
effective method for developing KRls is to first identify the risk events that affect the
organization's financial status, then find the intermediate and root cause for the risk event. The
indicator assists management with responding to the risk event in advance.
□ Identifying the sources, causes, consequences, etc. of the internal and external risks affecting the security of the organization
□ Understand the current posture the organization operates in
□ Defining the external and internal environment in which the organization is operating
□ Determines the effect of risk
□ Calibrates the possible outcome of risks
Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level by utilizing a well-defined and actively employed security program. This process is applied at all levels of the organization, i.e., in strategic and operational contexts, down to specific network locations.
The four key steps, commonly termed the risk management phases, are:
1. Risk Identification
2. Risk Assessment
3. Risk Treatment
4. Risk Monitoring & Review
Every organization should follow the above steps while performing the risk management process. The initial step in this process is to identify the risk events before they cause harm or damage. After identifying and assessing the severity of the risk event across an organization, the employees need to take certain actions to control the risk situation and reduce the damage inflicted by it. The last and important step is to monitor and review, to ensure that the controls are working and that there is no danger of new risks.
Risk Identification
It is the initial step of the risk management plan. The main aim is to identify the risks before they cause harm to the organization. The risk identification process depends on the skill set of the people and differs from one organization to another. It identifies the sources, causes, consequences, etc. of the internal and external risks affecting the security of the organization. Risks commonly originate from five key areas.
The purpose of risk identification is to generate a list of threats and opportunities based on those events that may enhance or prevent the achievement of objectives. The five areas are:
• Environment: Risks associated with the environment can include tight work spaces,
clutter, hot/cold environments, smoking, poor lighting, and electrical hazards.
• Equipment: Risks associated with equipment are poor repair condition, not working,
unavailable, and inappropriate for the task.
• Client: Risks happen with clients due to conditions changing, unpredictable movements,
and poor communication.
• Tasks: These include insufficient time allocated, repetitive tasks, work design, task
organization, maintaining a fixed posture, poor postures, and insufficient employee
numbers.
• Quantifying Risks: Determines the effect of risk and calibrates the possible outcome of
the risks.
Risk identification reduces bias in the risk assessment and at the same time reduces any uncertainty about likelihood or impact in the future. There are many ways to identify risks, and documents and tools are available to support the risk identification process. Most identification processes begin with an examination of the issues and concerns raised by the development team. The risk identification process varies depending on a few factors, such as the nature of the network and the risk management skills of the team members.
□ Defines the nature of the risk
□ Determines the level of risk exposure
□ Provides an understanding of inherent and controlled risk
□ Risks are prioritized and treated according to the severity
□ While performing the risk response step, consider the risk prioritization
The risk assessment phase assesses the organization's risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing, iterative process that assigns priorities for risk mitigation and implementation plans. This helps determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks.
The risk assessment determines the kinds of risk present, the likelihood and severity of each risk, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. After performing a risk assessment, you need to update all information facilities at regular intervals.
After assessing the risks, prioritize them depending on their severity or impact on the organization. The prioritized list helps develop and handle the plans, prepare a handling task sequence list, and allocate handling resources. The numbers represent risk prioritization in accordance with severity, such as:
1-2: Risks with a priority of 1-2 need to be eliminated immediately (usually within 24 hours) or, if you cannot eliminate them, reduced to a lower rating by implementing at least one control measure.
3-4: Risks with this priority need to be eliminated, or the hazard controlled, within a reasonable timeframe.
5-6: Eliminate this type of risk as soon as possible, or control the hazard when possible.
• Risk Prioritization: Risk prioritization is the process of rating a risk during its analysis according to its severity and designing a response plan.
Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks according to their severity level. Decisions made in this phase are based on the results of the risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department's risk tolerance and to provide an understanding of the level of risk once controls and treatments are in place. It identifies the priority order in which individual risks should be treated, monitored and reviewed. Before treating the risk, you need to gather information about:
• Benefits of treatment
• Likelihood of success
• Ways to measure and assess the treatment
Once you have decided how to treat the identified risks, you need to develop and regularly review the risk management plan. The different options for treating risks are: avoiding the risk itself (avoiding the activities that give rise to the risk); reducing the risk (reducing the likelihood of the risk occurring and reducing the impact if it does occur); transferring the risk (shifting the risk responsibilities to another party through insurance or partnership); and accepting the risk (if it cannot be avoided or transferred). Employees will perform the following actions to minimize or eliminate the risk:
• Develop a risk control plan.
• Completely document the risk control plan as a part of the risk control process.
Transfer the risk: Transferring the risk treatment responsibility to another party or organization
Mitigate the risk: Reducing the risk associated with a threat or vulnerability by implementing direct or competing controls
Accept the risk: Risks are accepted when the effort to address, transfer or mitigate them has exceeded the impact of the risk on the network
Risk Avoidance: Eliminating the cause and consequences of risk
Risk Planning: Managing the risk by a risk mitigation plan which prioritizes the risks, implements and maintains the controls for the risks throughout the risk management lifecycle
Research and Acknowledgment: Vulnerability research and finding the controls to rectify them
A risk treatment can change the likelihood of a risk occurring; selecting the appropriate treatment step requires considering the options and the detailed designs they need. Risk treatment involves a series of options for mitigating the risks, assessing those options, and preparing and implementing the action plans. The risk with the highest rating is dealt with first. The options available, according to the type and nature of the risks, are:
• Avoid: Avoiding the factor that increases the risk of any process in the business, or finding an alternative that goes well with business needs.
• Reduce: Finding ways to reduce the likelihood of the risk to an acceptable level.
• Share or Transfer: Transferring the risk factor to a third party, so they manage the risk levels.
• Accept: The risk factor is already at an acceptable level.
The steps taken in risk treatment differ from case to case. Stakeholders and process owners mutually decide these steps. Key points when considering risk treatments are:
• Implement an appropriate risk treatment option.
• Ensure adequate resources are available while implementing the risk treatment plan.
• The risk treatment plan should reduce the risk factor to a certain acceptable level.
• If there are risks to be handled immediately, take remedial actions for those risks.
□ The risk tracking phase identifies the chance of a new risk occurring
□ The tracking phase ensures appropriate controls are implemented to handle risks
□ Risk tracking also includes monitoring the probability, impact, status and exposure of risk
□ The Review phase evaluates the performance of the implemented risk management strategies
□ Risk reporting ensures management is aware of the top risks, enabling them to plan to reduce the risk appropriately
An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. Perform regular inspections of policies and standards, and review them regularly to identify opportunities for improvement. The monitoring process assures that appropriate controls are in place for the organization's activities and that the procedures are understood and followed. The tracking and review process should determine whether the measures adopted, the procedures adopted, and the information gathered for undertaking the assessment were appropriate.
According to the Enterprise Risk Management (ERM) framework, a risk is a possible event that can have a negative impact on an enterprise. The impact will fall on any of the following: the resources of the enterprise, i.e. people and revenue; the enterprise's facilities; its clients; and its market value. Financial organizations describe ERM as a combination of credit, interest, liquidity, market, and operational risks.
Activities: The risk management framework defines the implementation activities specific to how an organization handles risk
Structured Process: The Enterprise Risk Management Framework provides a structured process integrating information security and risk management activities
Actions: ERM frameworks identify, analyze and perform the following actions:
  □ Risk avoidance by aborting the actions that lead to risk
  □ Risk reduction by minimizing the likelihood or impact of risk
  □ Provides risk management process standards
ERM provides a framework for risk management, which typically involves identifying events
that are relevant to the organization's objectives. The ERM framework provides an organized
process combining information security and risk management events.
• Maintain the document for all selected security controls in the system security plan.
• Implementation of the security controls.
• Integrate the enterprise risk management with the organization's performance management
• Defining the roles and responsibilities in the organization to manage the risk
Organizations manage risks and have a number of departments or risk functions that help in
identifying and managing risks. A common goal, and challenge, of ERM is improving
capability and coordination while integrating the output to provide a unified picture of risk for
stakeholders and improving the organization's ability to manage risks effectively. The
Enterprise Risk Management Framework has the following additional goals:
• Convey the organization's policies, approach and attitude towards risk management.
• ... guidance and supplement controls as needed based on risk assessment
• Implement: Implement security controls within enterprise architecture using sound system
engineering practices; apply security configuration changes
• Assess: Determine security control effectiveness (i.e. controls implemented correctly,
operating as intended, meeting security requirements for information system)
• Authorize: Determine risk to organizational operations and assets, individuals, other
organizations, and the Nation; if acceptable, authorize operation
• Monitor: Continuously track changes to the information system that may affect security
controls and reassess control effectiveness
[Figure: NIST Risk Management Framework Security Life Cycle]
http://csrc.nist.gov
NIST Risk Management Framework is a structured and continuous process which integrates
information security and risk management activities into the system development life cycle
(SDLC). The NIST risk management framework follows a security life cycle, which involves six
stages. The framework's six stages are:
Source: http://csrc.nist.gov
[Figure: COSO ERM framework cube; components shown include Control Activities, Information &
Communication, and Monitoring]
http://www.coso.org
COSO ERM framework defines enterprise risk management as a process, effected by an entity's
board of directors, management and other personnel, applied in a strategy setting and across
the enterprise. It is designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of
the entity's objectives. The framework defines essential components, suggests a common
language, and provides clear direction and guidance for enterprise risk management.
COSO framework emphasizes that ERM involves those elements of the management process
that enable management to make genuine risk-based decisions.
The categorization of entity objectives allows a focus on separate aspects of enterprise risk
management. The categories overlap and a particular objective can fall into more than one
category as well as address different entity needs and may be the direct responsibility of
different executives.
• Internal Environment: This encompasses the tone of an organization and sets the basis for
how risk is viewed and addressed by an organization's people. This includes the risk
management philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate.
• Objective Setting: A framework should define objectives before management can identify
potential events affecting them. Enterprise risk management ensures that management
has in place a process to set the objectives that support and align with the organization's
mission and are consistent with its risk appetite.
• Event Identification: The organization should identify the internal and external events
affecting the achievement of its objectives and differentiate risks from opportunities.
Opportunities are channeled back to management's strategy or objective-setting
processes.
• Risk Assessment: Risk assessments include analyzing the risks by considering their
probability and impact as a basis for determining the process to manage them. Risk
assessments should be on an inherent and a residual basis.
• Risk Response: Management selects the risk responses avoiding, accepting, reducing, or
sharing risk by developing a set of actions to align risks with their risk tolerance and risk
appetite.
• Control Activities: Every organization has policies and procedures which are established
and implemented to ensure an effective execution of the risk responses.
Source: www.coso.org
• COBIT is an IT governance framework and supporting toolset that allows managers to bridge
the gap between control requirements, technical issues and business risks
[Figure: COBIT process domains (Plan and Organise shown)]
http://www.isaca.org
COBIT is a business framework for IT governance and management toolset enabling managers
to bridge the gap between control requirements, technical issues and business risks. The
framework offers globally accepted principles, practices, analytical tools and models to help
increase the trust in, and value from, information systems.
COBIT emphasizes regulatory compliance, helps organizations increase the value attained
from IT, enables alignment, and simplifies the implementation of the enterprise's IT governance
and control framework.
• Achieve strategic goals and realize business benefits through the effective and innovative
use of IT.
• Support compliance with relevant laws, regulations, contractual agreements and policies.
The COBIT Framework is based on five key principles for the governance and management of
enterprise IT that include:
Source: http://www.isaca.org
• RMIS is a management information system allowing the storage, management, analysis and
retrieval of risk information for an organization's network
• Organizations incorporate the risk management framework with the RMIS to optimize the risk
management process
• Assess the risk and its adversary
• Generating different types of reports
• Data can be efficiently managed and analyzed with limited resources
• Target specific risk factors
RMIS is a medium which stores, manages, analyzes, and retrieves the risk information of an
organization network from a single system. The system assists in consolidating property values,
claims, policy, and exposure information to enable the user to monitor and control the overall
cost of risk. RMIS not only provides a means to examine the organization's network but also
addresses the risks.
The organization needs to incorporate the risk management framework with the RMIS to get
optimum results as these systems act as risk management instruments in the organization.
Network security professionals use RMIS to do the following:
The main objective of RMIS is to combine information and store it in one place. This assists risk
managers in making many critical decisions. The three main advantages of RMIS are:
• Helps reduce the cost factor in an organization due to better risk management through
RMIS.
• RMIS, in compliance with the company standards, helps the organization implement risk
management policies resourcefully.
RMIS generates reports on various aspects and these reports enable the organization to have a
consolidated view of the network risks and manage them. Types of RMIS reports generated are
dependent on the type of request sent. The RMIS generates the following types of reports:
• Ad-hoc Reports: The system also generates the ad hoc reports as a response to special
queries. They contain categorical data.
Riskonnect RMIS (http://riskonnect.com)
Enterprise Risk Management (http://www.emrisk.com)
Source: http://www.aon.com
Enterprise Risk Management (ERM) provides a framework to understand and respond to
business uncertainties and opportunities with relevant risk insight delivered through common,
integrated risk identification, analysis and management disciplines. ERM enhances
organizational resiliency by improving decision making, strengthening governance and
supporting a risk intelligent culture.
STARS RMIS
Source: https://www.stars-web.com
STARS RMIS supports comprehensive risk management, enterprise risk management (ERM),
claims management, compliance and safety management and peer benchmarking.
RiskEnvision
Source: http://www.ebix.com
RiskEnvision offers a web-based total risk management and claim administration solution.
RiskEnvision supports risk management and claims administration functions including payment
processing, reserve management, form letters and correspondence, policy management, diary,
reporting, and more for Auto, GL, Product, Property, and Worker Compensation lines of
insurance coverage in a user-friendly application, with minimal maintenance overhead.
Riskonnect RMIS
Source: http://riskonnect.com
A risk management software platform, which enables customers and risk professionals to
automate their entire risk management process. It is an approach towards claims, litigation,
exposure, policy management and more with technology.
Source: www.logicmanager.com
INFORM
Source: http://www.informapplications.com
INFORM provides a set of reporting tools and data intake tools for both basic and complex
needs. The reporting tool provides a platform for BI (business intelligence) based reporting,
from very basic to very complex needs.
Travelers e-CARMA
Source: https://www.travelers.com
Travelers e-CARMA is a risk management information system that helps users to manage loss
costs. The main activities of Travelers e-CARMA include:
RMIS INSIGHT
Source: https://rmisinsights.com
RMIS INSIGHT simplifies sharing, comparing, and acting on RMIS data analytics. It supports both
Claim and Policy Analytics.
Source: http://www.emrisk.com
Enterprise Risk Management provides business key support and guidance in computer security
risk assessment and the management of technology risk.
• Evaluate them
Source: www.eftisoft.com
Webrisk RMIS helps risk managers manage their daily operations easier, and achieve
sustainable results. Features of Webrisk RMIS include:
• Prevention management
Objectives:
• Provide a consistent risk management framework
• Provide the overall direction and purpose of performing risk management
• Combat the existing and emerging risks
• Integrate operational risks into the risk management process
• Facilitate strategic management decisions
• Meet legal and regulatory requirements
The policy will develop and establish essential procedures and processes to address and
minimize information security risks. The policy will protect the Confidentiality, Integrity, and
Availability of a company's IT assets. The Enterprise network risk management policy addresses
information security issues and their impact. It also suggests measures to keep them secure
from both internal and external risks.
The risk management policy also outlines different aspects of risk and identifies people to
manage the risk in the organization. Risk management is the process of balancing operational
and economic costs for protective measures while achieving the objectives and business goals.
The policy should be dynamic, realistic and applicable, built to achieve long-term
organizational goals, and easy to maintain.
The risk management security policy addresses the following issues related to the security of an
organization:
• Internal controls
• Risk Assessment
• Risk Mapping
• Contingency Planning
• Incident Response
• Business asset valuation
• Track and monitor internal and external risks of the organization at regular intervals
• Specify the responsibilities for risk managers with their respective domains
• Always make sure the risk assessment is conducted by experienced and trained
professionals.
• Always identify the risk in its initial stage in order to provide a quick response.
• Proper metrics are chosen in order to measure the effectiveness of a risk management
system.
• Vulnerability Management is a continuous information security risk process which includes
identifying, assessing, classifying, remediating, and mitigating vulnerabilities
• It provides a comprehensive approach towards mitigating risks on the organization's system
and network
• It is a superset of the vulnerability assessment process
[Figure: vulnerability management phase cycle; phases shown include Asset Discovery,
Verification and Reporting]
Vulnerability Management Phases
• Asset prioritization (and Allocation): Risks are compared against a predefined set of
features and assigned a priority.
• Reporting (Technical and Executive): Reports the results achieved for the different
vulnerability management processes.
• Remediation (Treating risks): Reduce the risks in the vulnerability and remove the root
cause.
[Figure: network discovery map showing discovered hosts in the 10.10.10.x range]
• Provides a hacker's view of the network
An inventory detailing the assets is created and later identifies the host details in order to
identify vulnerabilities. An automated scheduled check for vulnerabilities is performed.
The basic steps in the Discovery phase are:
• Identifies all the hosts (including rogue devices) in the network and assigns the host
according to the business needs.
• Assign the identified assets according to the business needs. This helps in categorizing the
approaches and reducing the effect of a vulnerability in the network.
• Provides details regarding the identified operating system, open ports available and the
certificates installed on each device.
Copyright© by EC-Co■ncil. All Rights Reserved. Reproduction is Strictly Prohibited.
Classify the identified assets according to the business needs. Classification helps in identifying
the high business risks in an organization. Prioritize and rate assets based on the impact of their
failure and on the reliability of those assets in the business. Prioritization helps in:
• Evaluating and deciding a solution for the consequence of the assets failing.
• Examining the risk tolerance level.
• The risk based vulnerability assessment can help identify, classify and analyze the
vulnerabilities comprehensively and find solutions to mitigate them
• There are automated tools available for vulnerability scanning, including Nessus, SAINT,
OpenVAS, and Nikto.
Advantages of a Vulnerability Assessment
• Select the assessment tools which will cause the least network disturbance
• Maintain a change control system during the vulnerability scan, to keep track of all activities
• Effective assessment tools include features such as trending, reporting and remediation
tracking
• Identify what assets of the network should be assessed for vulnerabilities. Identifying the
assets and evaluating their criticality is important to minimize any potential risks to the assets.
• Check the vulnerability scanning tools for false positives when receiving the assessment
results. Identified vulnerabilities may be false positives. It is very important to validate
that an identified vulnerability is genuine. To do this, perform a vulnerability assessment with
a variety of tools. Do not depend on a single tool for the vulnerability scanning
assignment.
• Choose assessment tools which cause minimal network disturbances. Vulnerability
assessment tools can create a serious impact on network performance during an
assessment. Choose only the appropriate tools to get the job done and those which do
not cause additional issues with network performance.
• Use a change control system to keep track of all the activities during a vulnerability scan.
• Only consider assessment tools with key features such as trending, reporting and
remediation tracking.
Types of Vulnerability Assessments
• Understand the design of the network and the systems before conducting a vulnerability
assessment
• Network performance can be degraded or even stop functioning due to vulnerability
assessments
• Internal vulnerability assessments help identify vulnerabilities within the network including
password complexity, antivirus protection, and other potential weaknesses
• External vulnerability assessments examine an organization's network security from the
outside
• External Vulnerability: Examines the security of the servers facing the Internet.
A complete understanding of the design of the network and the system is required before
performing a vulnerability assessment. There are instances where the vulnerability assessment
may affect the network, causing a performance degradation or even preventing it from
functioning properly.
• Unnecessary Services: Multiple ports open indicating the presence of unnecessary server
services.
• E-mail Relay: Checking whether the email server allows open email relaying.
Execute the following steps to conduct an effective external network vulnerability assessment:
6. Map the service version with the security vulnerabilities which are associated
• Assess and analyze the hardware manufacture, procurement, storage, and installation.
Find the devices that are non-functional or non-compatible with the infrastructure. Detect
all the open ports and interfaces and take action accordingly.
• Map the network infrastructure, connecting the hardware together to boost the network
and application performance.
Vulnerability Assessment Phases
• Vulnerability assessments are conducted in phases
• A phase-based vulnerability assessment helps identify the possible improvement areas and any
potential vulnerabilities
Policy identification:
• Identify and analyze the existing network security policy
• Check whether the policies are in compliance with the security requirements
• Check whether they are developed using the correct risk assessment procedures
Network vulnerability assessment:
• Use industry best practices, tools and guides to perform a network-based vulnerability
assessment
Host vulnerability assessment:
• Use industry best practices, tools and guides to perform a host-based vulnerability
assessment
• Every existing host on the network must be considered for assessment
A vulnerability assessment is a highly complex procedure for administrators, depending on the
version and the configuration of the network setup. The network environment is dynamic and
an administrator may implement the vulnerability assessment phases below.
• Policy Identification:
In this phase, the administrator is required to understand the security policy of the
organization. Based on the security policy identification, they will determine if the policy is
in adherence with the current network infrastructure. After reviewing the organization's
policy, the administrator will be able to detect the location(s) where vulnerabilities exist and
what type of vulnerability assessment is required to be performed.
• Host Vulnerability Assessment:
Involves assessing the system or the account of a local user. In this phase, the
administrator checks the configuration settings for the system. They detect the accounts
with weak or old passwords, suspicious files in the system, modifications in the system
settings, etc. The main advantage of a host vulnerability assessment is that it allows the
administrator to assess every file present in the system.
Network Vulnerability Assessment Tools
[Figure: Network Vulnerability Assessment using QualysGuard (https://www.qualys.com) and
Nessus (https://www.tenable.com)]
[Figure: Network Vulnerability Assessment using GFI LanGuard (http://www.gfi.com) and
OpenVAS (http://www.openvas.org)]
QualysGuard
Source: https://www.qualys.com
QualysGuard helps in protecting the IT infrastructure in accordance with the company policies
and procedures. It identifies the internal threats and develops methods required to protect the
network. Features of the QualysGuard network vulnerability tool are:
• It identifies the operating system, open ports, and active services running on a system.
• Provides reports to the user in order to understand the security of the network.
Nessus
Source: www.tenable.com
A vulnerability scanner that scans for the following types of vulnerabilities:
• Misconfiguration.
• Password attack.
• Scanning provides results in real time; there is no need to wait for the scan to be
completed in order to view the results.
• Provides the same user interface for all operating systems, including Mac, Windows, and
Linux.
• Provides a scan template that creates scan policies for auditing the network.
GFI LanGuard
Source: www.gfi.com
GFI LanGuard scans your operating systems, virtual environments and installed applications
through vulnerability check databases such as OVAL and SANS Top 20. GFI LanGuard enables
you to analyze the state of your network security, identify risks and address how to take action
before it is compromised.
A proper network analysis to determine the state of your network is another essential step to
reduce the risks to the network, determine its degree of exposure, and address how to take
action before it is compromised.
GFI LanGuard is able to scan for over 60,000 vulnerabilities across your network, including
virtual environments, mobile and network devices.
OpenVAS
Source: http://www.openvas.org
Additional Vulnerability Assessment Tools
• Retina CS (http://www.beyondtrust.com)
• Acunetix Online Vulnerability Scanner (OVS) (http://www.acunetix.com)
• MBSA (http://www.microsoft.com)
• Nexpose (http://www.rapid7.com)
Retina CS
Source: http://www.beyondtrust.com
Retina CS provides organizations with context-aware vulnerability assessment and risk analysis.
It identifies security exposures, analyzes business impact, plans and conducts remediation
across disparate and heterogeneous infrastructure. Features of Retina CS include:
• Leverage true multi-vector testing capabilities across network, web, mobile, and wireless
MBSA
Source: http://www.microsoft.com
MBSA identifies missing security updates and common security misconfigurations. MBSA
includes a graphical and command line interface that can perform local or remote scans of
Microsoft Windows systems.
Shadow Security Scanner
Source: http://www.safety-lab.com
Shadow security scanner provides a secure, prompt and reliable detection of a vast range of
security system holes. It analyzes the data collected, locates vulnerabilities and possible errors
in server tuning options and suggests possible solutions.
Nsauditor Network Security Auditor
Source: http://www.nsauditor.com
Nsauditor Network Security auditor scans networks and hosts for vulnerabilities, and provides
security alerts. It reduces the total cost of network management in enterprise environments by
enabling IT personnel and systems administrators to gather a wide range of information from
all computers in the network, without installing server-side applications on these computers
and it creates a report of potential problems found.
Acunetix Online Vulnerability Scanner
Source: http://www.acunetix.com
Acunetix Online Vulnerability Scanner acts as a virtual security officer. It helps you scan
websites, including integrated web applications, web servers and any additional perimeter
servers for vulnerabilities, allowing you to fix them before hackers exploit the weak points
in your IT infrastructure.
Security Manager Plus
Source: http://www.manageengine.com
A network security scanner that proactively reports on network vulnerabilities and helps
remediate them by ensuring compliance. Security Manager Plus protects the network from
security threats and malicious attacks using vulnerability scanning, open ports detection, patch
management, Windows file/folder/registry change management and vulnerability reporting
capabilities.
Nexpose
Source: http://www.rapid7.com
Nexpose provides assessment solutions for your physical, virtual, mobile, and cloud
environments. It supports the entire vulnerability management lifecycle, including discovery,
detection, verification, risk classification, impact analysis, reporting and mitigation.
SAINT
Source: http://www.saintcorporation.com
SAINT uncovers areas of weakness and recommends fixes. SAINT scanner includes:
• Detect and fix possible weaknesses in the network's security before they can be exploited
by intruders.
• Demonstrate compliance with current government and industry regulations such as PCI
DSS, NERC, FISMA, SOX, GLBA, and HIPAA.
• Perform configuration audits with policies defined by FDCC, USGCB, and DISA.
AlienVault USM
Source: https://www.alienvault.com
AlienVault USM provides built-in vulnerability assessment with the essential capabilities you
need for complete security visibility and threat intelligence.
Choosing a Vulnerability Assessment Tool
• Vulnerability scanners cannot identify vulnerabilities when their plug-ins are outdated
• A vulnerability scanner should be capable of producing a report of the scanned and
detected vulnerabilities
There are various vulnerability assessment tools available in the market. Multiple tools should
be identified as several different products are needed to evaluate the network environment.
Evaluate each product based on the quality and speed of updates, compatibility with the
environment, support for cloud services, compliance, prioritization, active and passive
detection, authenticated and unauthenticated scanning, remediation guidance and vendor
support.
The selection of an appropriate vulnerability assessment tool is based on how it works and on key
features such as expertise, accuracy, reliability, scalability and reporting.
The following points will help make the best selection:
• Scanners will find the vulnerabilities at a faster rate with the help of updated plug-ins.
• Scanners with an auto-update feature are best suited for vulnerability scanning.
• Concentrate on the accuracy of the identified vulnerabilities rather than on the number of
vulnerability checks which are completed.
• The scan report will provide all the details so any problems can be examined and solved.
By comparing the scan results, vulnerability trends will be understood.
• Check if the tool is compatible with the applications, operating systems and infrastructure
components.
• Distinguish between authenticated and unauthenticated scanning.
• What solutions does the tool provide after vulnerabilities are identified?
• Can security managers identify the issues with the configuration?
Network operators should consider the following issues before conducting a vulnerability assessment:
• Place a vulnerability scanner in front of the firewall
• Consider including a port scan in the vulnerability assessment
• It is recommendable to keep archived logs of all vulnerability assessments and compare them
with the latest results
• Correctly interpret the assessment results to identify valid vulnerabilities and fix them
• A risk assessment along with careful planning are necessary before conducting a vulnerability
assessment
• It is important to safeguard the assessment results by encrypting them to prevent
unauthorized access
• Policies and procedures should be defined and in place for the use of the vulnerability
assessment tools
The following are the recommended deployment practices and precautions to be taken
while selecting a vulnerability assessment tool:
Practices
• Location of the Scanner: The scanners are placed inside or outside the firewall and must
be monitored separately as they perform different actions.
• Scanning Port-Range: All the ports should be examined for vulnerabilities. Open ports are
more susceptible to attacks. Scanning should include every port, even those which are not
specified.
• Create a Baseline: Every scan result should be logged to compare the results from
previous scans. Logging is important as it helps check the effectiveness of the remedies
applied after each scan.
Precautions
• Risks in Scan Process: High alert should be given to enabling plug-ins as they may affect
the scan process. Network performance may be affected as many network requests and
much traffic are generated during the scan process.
• Securing Scanning Results: If the results of the scan are disclosed, attackers will have an
easier time exploiting the vulnerabilities in the network. Take precautions with the results
and properly handle them.
• Proper Policies and Procedures: Proper policies and procedures should be implemented
while performing a scan. Proper vulnerability tools should be used to maintain the
security of the network.
• Report the vulnerabilities discovered to the security team, auditors and management
• Reports include a prioritization matrix for all discovered assets and vulnerabilities
• Reports include a risk summary, consolidated vulnerability list, exploit results and
network device details
• Reports summarize the assets discovered and the exposure of each based on the following
criteria:
  o Geographic location
  o Business unit
  o Goal category
  o Compliance area
Vulnerability Management Report Examples
[Figure: sample vulnerability management reports from CORE INSIGHT (http://www.coresecurity.com)
and Qualys (https://www.qualys.com)]
The important goals in creating a report are to provide a brief summary of what vulnerabilities
exist in the network. Reporting enables security managers to prioritize and suggest proper
remediation actions to deal with them.
The report should contain the following details regarding the vulnerabilities found:
• Geographic Location
• Business unit
• Goal Category
• Compliance area
• Summary
• List of vulnerabilities - For each vulnerability, provide the following:
  o Risk level
    - High: Immediate action
  o Vulnerability details
  o Assessment setup
For example, installing a web application firewall is a mitigation action for a discovered
web application vulnerability, instead of fixing the vulnerability.
• Unicast reverse path forwarding (URPF): It protects the network from packets with spoofed
source addresses. A proper URPF mode should be configured before enabling this feature.
• Develop a remediation plan to fix the identified vulnerability
  ► E.g. Applying appropriate patches to fix the vulnerability
• Remediate a vulnerability by executing the steps in a remediation plan
Remediation plan should include:
• Actions for fixing, mitigating or accepting vulnerabilities
• Mode of remediation (automatic or manual)
• Action for mitigating any remaining vulnerabilities
• Justification for accepting any vulnerability
[Figure: Remediation using Qualys Vulnerability Management (VM)]
Remediation is the process of fixing the identified vulnerabilities. Administrators should create
a remediation plan and implement it to eradicate the discovered vulnerabilities. They should
have a phased remediation strategy to address the vulnerability landscape. Remediation may
range from applying technical security measures at the host level all the way up to the network
level.
• Remediation should improve the efficiency of the process; automating remediation steps
(e.g. patch deployment) makes the process faster and more consistent.
The plan should account for:
• Budget
• Resources
• Priority
• Timing
  o Immediate
  o 30 Days
  o 6 Months
  o Future
Typical Actions:
• Patch
• Upgrade
• Infrastructure Refresh
• New Deployment
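The following script is an added example, not part of the CND courseware, showing how the report summary above (counts by risk level, business unit, location and compliance area) and the remediation plan (action, mode, timing tier and due date) can be produced from a list of scan findings. The sample findings, the mapping of risk levels to the Immediate / 30 Days / 6 Months tiers, and the choice of which actions are treated as automatic are assumptions made for this example.

```python
from collections import Counter
from datetime import date, timedelta

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}
# Timing tier per risk level: (label from the remediation plan, days until due). Assumed mapping.
TIMING = {"High": ("Immediate", 0), "Medium": ("30 Days", 30), "Low": ("6 Months", 180)}
# Actions a patch-management tool could apply unattended (assumption for this example).
AUTOMATABLE = {"Patch", "Upgrade"}

# Constructed sample findings, shaped like a normalised scanner export.
FINDINGS = [
    {"id": "V-1", "host": "10.0.1.10", "unit": "Finance", "location": "London",
     "compliance": "PCI DSS", "risk": "High", "title": "Outdated TLS library", "action": "Patch"},
    {"id": "V-2", "host": "10.0.1.11", "unit": "Finance", "location": "London",
     "compliance": "PCI DSS", "risk": "Medium", "title": "Weak TLS ciphers", "action": "Upgrade"},
    {"id": "V-3", "host": "10.0.2.5", "unit": "HR", "location": "Berlin",
     "compliance": "GDPR", "risk": "Low", "title": "Directory listing enabled", "action": "Patch"},
    {"id": "V-4", "host": "10.0.2.7", "unit": "HR", "location": "Berlin",
     "compliance": "GDPR", "risk": "High", "title": "SQL injection in legacy app",
     "action": "Mitigate", "note": "WAF rule in front of the app until it is retired"},
    {"id": "V-5", "host": "10.0.3.2", "unit": "Lab", "location": "Austin",
     "compliance": "None", "risk": "Low", "title": "Telnet enabled on isolated test VLAN",
     "action": "Accept", "justification": "Isolated network; device is retired in Q4"},
]


def summarize(findings):
    """Figures for the report summary: totals by risk level, business unit, location and compliance area."""
    return {
        "total": len(findings),
        "by_risk": dict(Counter(f["risk"] for f in findings)),
        "by_unit": dict(Counter(f["unit"] for f in findings)),
        "by_location": dict(Counter(f["location"] for f in findings)),
        "by_compliance": dict(Counter(f["compliance"] for f in findings)),
    }


def remediation_plan(findings, start):
    """Build plan entries ordered by due date, then by risk.

    Each entry carries the action (fix, mitigate or accept), the mode (automatic or
    manual) and the due date derived from the timing tier. Accepting a vulnerability
    without a written justification is refused, since the plan must record one.
    """
    start = date.fromisoformat(start) if isinstance(start, str) else start
    plan = []
    for f in findings:
        if f["action"] == "Accept":
            if not f.get("justification"):
                raise ValueError(f"{f['id']}: accepted vulnerability needs a justification")
            tier, due = "Future", None
        else:
            tier, days = TIMING[f["risk"]]
            due = start + timedelta(days=days)
        plan.append({
            "id": f["id"], "host": f["host"], "risk": f["risk"], "action": f["action"],
            "mode": "automatic" if f["action"] in AUTOMATABLE else "manual",
            "tier": tier, "due": due,
            "justification": f.get("justification") or f.get("note"),
        })
    # Accepted items (no due date) sort last; otherwise earliest due date, then highest risk.
    plan.sort(key=lambda e: (e["due"] is None, e["due"] or date.max, RISK_ORDER[e["risk"]]))
    return plan


def render(findings, start):
    """Plain-text report section: summary figures followed by the plan."""
    s = summarize(findings)
    lines = [f"Summary: {s['total']} vulnerabilities, by risk level {s['by_risk']}",
             f"By business unit: {s['by_unit']}",
             f"By geographic location: {s['by_location']}",
             f"By compliance area: {s['by_compliance']}", "", "Remediation plan:"]
    for e in remediation_plan(findings, start):
        due = e["due"].isoformat() if e["due"] else "n/a"
        lines.append(f"  {e['id']} {e['risk']:<6} {e['action']:<8} {e['mode']:<9} "
                     f"{e['tier']:<9} due {due}  {e['host']}  {e['justification'] or ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(FINDINGS, "2024-01-15"))
```

The sort puts the Immediate items first regardless of the order the scanner emitted them, and the accepted item lands at the bottom with its justification, which is the field auditors ask for first.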
Perform another scan to ensure the vulnerability is fixed after the remediation process. The
verification should not damage any other network devices, services or applications.
Verifying the remediation ensures the vulnerabilities have been resolved appropriately. After
the remediation process concludes, scan for the vulnerability again. Perform a full scan
covering all vulnerabilities that were originally discovered, not only the ones that were
remediated, so that a fix for one issue is not mistaken for a fix of the others. The
vulnerability assessment closes upon verification of a successful remediation. Verification
should not lead to the malfunction of any other network devices, services or applications. The
vulnerability scan reports obtained after the fixes were verified document compliance with
security provisions.
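As an added example (not code from the courseware or from any scanner vendor), the script below compares a baseline scan export with the rescan taken after remediation and classifies each original finding. The CSV exports, host addresses and check identifiers are constructed for the example and do not follow a real product's format. One caveat the script enforces: a finding that simply disappears from the rescan is counted as fixed only if its host was actually reached by the rescan; a host that was offline during the verification window leaves its findings unverified, and the assessment is not closed.

```python
import csv
import io

# Constructed scanner exports (CSV text), not a real Qualys or Core output format.
BASELINE_CSV = """host,port,vuln_id,severity,title
10.0.1.10,443,CHK-1001,4,TLS server supports weak cipher suites
10.0.1.10,22,CHK-1002,3,Deprecated SSH key exchange algorithms
10.0.1.11,80,CHK-1003,2,Missing HTTP security headers
10.0.2.5,3389,CHK-1004,5,Remote desktop service missing critical patch
"""
RESCAN_CSV = """host,port,vuln_id,severity,title
10.0.1.10,22,CHK-1002,3,Deprecated SSH key exchange algorithms
10.0.1.11,80,CHK-1003,2,Missing HTTP security headers
10.0.1.11,8080,CHK-1005,3,Directory listing enabled
"""
# Hosts the rescan actually reached; 10.0.2.5 was offline during the rescan window (constructed).
RESCAN_HOSTS = {"10.0.1.10", "10.0.1.11"}


def load(csv_text):
    """Parse an export into a list of dicts (one per finding)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def finding_key(f):
    """Two findings are the same finding when host, port and vulnerability check match."""
    return (f["host"], int(f["port"]), f["vuln_id"])


def verify_remediation(baseline, rescan, rescanned_hosts):
    """Classify every baseline finding as fixed, still open or unverified, and flag new ones.

    A finding absent from the rescan counts as fixed only if its host was actually
    scanned; otherwise its absence proves nothing and the finding stays unverified.
    """
    before = {finding_key(f): f for f in baseline}
    after = {finding_key(f): f for f in rescan}
    result = {"fixed": [], "still_open": [], "unverified": [], "new": []}
    for key, f in before.items():
        if key in after:
            result["still_open"].append(f)
        elif f["host"] not in rescanned_hosts:
            result["unverified"].append(f)
        else:
            result["fixed"].append(f)
    for key, f in after.items():
        if key not in before:
            result["new"].append(f)  # introduced by the change, or newly detected
    return result


def can_close_assessment(result):
    """The assessment closes only when nothing is open, unverified or newly found."""
    return not (result["still_open"] or result["unverified"] or result["new"])


def report(result):
    """Plain-text verification summary, one line per finding plus the closing decision."""
    lines = []
    for bucket in ("fixed", "still_open", "unverified", "new"):
        for f in result[bucket]:
            lines.append(f"{bucket:<10} {f['host']}:{f['port']} {f['vuln_id']} "
                         f"sev {f['severity']} {f['title']}")
    lines.append("assessment can close" if can_close_assessment(result)
                 else "assessment stays open")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(verify_remediation(load(BASELINE_CSV), load(RESCAN_CSV), RESCAN_HOSTS)))
```

Keying on host, port and check identifier rather than on the title avoids false "fixed" results when a vendor renames a check between scanner releases; the list of reached hosts normally comes from the scanner's host summary rather than from the findings export.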
Data loss is a major risk facing organizations today. Loss of critical data can do a great deal of
damage to the organization, and an organization that suffers a severe data loss has a higher
probability of facing serious problems later. It is therefore important to perform regular backups
of important data.
This module describes a detailed process for data backup and recovery. A network
administrator is required to perform data backups for the organization on a regular basis. This
module will help you plan and perform data backups for the organization.
Data backup is the process of copying or storing important data. The backup copy will help you
restore the original data when data is lost or corrupted. Backup is a mandatory process for all
organizations. The process of retrieving the lost files from the backup is known as restoring or
recovery of files.
The main aim behind data backup is to protect data and information and recover the same
after data loss. Data backup is mainly used for two purposes: To reinstate a system to its
normal working state after damage or to recover data and information after a data loss or data
corruption.
Data loss in an organization affects its finances, customer relationships and company data. Data
loss on a personal computer may mean losing personal files, images and other important
documents saved on the system. Common causes include:
• Technical causes: power failures, faulty software changes or hardware damage.
• Natural disasters: floods, earthquakes, fire, etc.
Benefits of data backup:
• Offers access to critical data even in the event of a disaster, giving peace of mind in the
workplace.
• A backup of critical data prevents the organization from losing its business and allows the
data to be retrieved at any time.
• Data recovery helps organizations recover lost data and keep the business running.
It is recommended that every organization perform data backups on a regular schedule to run
its business successfully and efficiently.
To avoid severe damage to the organization's assets, it is important to design a strategy for a
successful data backup process. This data backup strategy acts as a blueprint for the data
backup process across the entire organization going forward. Some companies also create a
data backup policy that must be followed while implementing the backup strategy.
An ideal backup strategy includes steps ranging from selecting the right data to conducting a
drill test of data restoration. Although the backup strategy may differ between organizations, it
is important to consider the features below before drafting a backup strategy:
• The backup strategy should provide for recovering data from any device, including servers,
host machines, laptops, etc.
• The strategy should not be restricted to a fixed set of incidents. It should also cover the
methods for recovering data after a natural disaster has occurred.
• The strategy should include the steps to recover the data as early as possible.
• The lower the cost of data recovery, the greater the financial benefit to the organization.
• Automated recovery options should be included in the backup strategy as well, as they
reduce the chance of human error during the recovery process.
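The drill test of data restoration mentioned above is the step most often skipped, so here is an added example (not from the courseware) that backs up a directory into a tar archive together with a manifest of per-file SHA-256 digests and the digest of the archive itself, then performs a restore into a scratch directory and checks every restored file against the manifest. It uses only the Python standard library; the sample files, directory names and the corruption injected at the end are constructed for the demonstration.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Back up src into a gzip tar and write a manifest recording every file digest
    plus the digest of the archive itself. Returns the manifest path."""
    files = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in files:  # relative names only: no absolute paths in the archive
            tar.add(str(Path(src) / rel), arcname=rel)
    manifest_path = Path(f"{archive}.manifest.json")
    manifest_path.write_text(json.dumps(
        {"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return manifest_path


def restore_drill(archive, manifest_path, dest):
    """Restore the archive into dest and compare the result with the manifest.
    Returns a list of problems; an empty list means the drill succeeded."""
    manifest = json.loads(Path(manifest_path).read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return ["archive digest mismatch: media corrupted or tampered with"]
    # Python 3.12 (and security backports) provide the 'data' filter, which rejects
    # archive members that would escape dest via absolute paths or '..'.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **extract_kwargs)
    restored = build_manifest(dest)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    return problems


def demo():
    """End-to-end drill on constructed data: a clean restore, then one from a corrupted archive."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("2024-01-15,invoice,1200.00\n")
        (src / "payroll.bin").write_bytes(os.urandom(4096))
        archive = work / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_drill(archive, manifest, work / "restore_1")
        # Simulate media corruption by flipping one byte in the middle of the archive.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(data)
        corrupted = restore_drill(archive, manifest, work / "restore_2")
        return clean, corrupted


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored separately from the archive (and ideally signed), otherwise whoever can alter the backup media can also rewrite the digests it is checked against.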
Every organization has an abundance of data. An organization should identify the critical data or
files that require backup. The criticality of data is based on the importance it has for the
organization, which requires analyzing and deciding which information matters most for the
organization to function properly. Critical data includes accounting files, revenue figures,
emerging trends, market plans, databases and files such as documents, spreadsheets and
e-mails. Loss of such critical data can affect the organization immensely.
• Conduct a business impact analysis to determine the critical functions and data in the
organization, and identify the processes and functions that depend on or co-exist with the
critical data.
• Examine the resulting documents and implement them in order to recover critical business
functions.
• Create business teams to evaluate the impact that data loss would have on the business.
• Provide adequate employee training covering the strategies and plans for recovery.
Data backups consume a large amount of storage space; as a result, select the backup method
that best meets the organization's requirements. Choose your backup media based on these
factors: reliability, speed, availability and usability.
Choosing the best backup media is a common concern within most organizations. Selecting the
wrong media leads to data being scattered across many different media devices. With a well
thought out plan, selecting the proper media enables a better level of data backup.
Once the data is identified, it is important to choose the correct backup media to store it.
Backup media selection depends on the type and amount of data the backup will consist of. Data
backups can consume a large amount of space, so care is required when selecting the backup
media that best fits the situation and fulfills the needs of the organization.
• Reliability: Organizations must be able to rely on the data stored on the backup media
without fail. Select media that is highly reliable and not susceptible to damage or loss.
• Speed: Select backup media that requires little human interaction during the backup
process. Speed becomes a concern if the backup cannot be completed while a machine is
idle.
• Availability: Unavailability of the backup medium is a serious problem after a data loss or
data damage. Organizations should choose a medium that is available at all times.
• Usability: Select media that is easy to use; an easy media type gives great flexibility during
the backup process.
Hard Drives / USB Flash Drives
• Advantages: relatively high storage capacity compared with optical disks; recording a
backup is fast; portable; no fixed limit on capacity; ideal for the home or small office
• Disadvantages: more expensive than DVD backups
Another hard drive option available is RAID. It contains two or more hard drives. The second
drive may be used to copy the data stored on the first drive, preserving important data; any
change in the data is automatically reflected on the other drives as well.
Tape Drives
Tape is widely regarded as the best medium for large-scale data backup and facilitates backup
at the enterprise level. Tape drives are used for storing programs and data.
RAID (Redundant Array of Independent Disks) Technology
• A method of combining multiple hard drives into a single unit and writing data across
several disk drives that offers fault tolerance (if one drive fails, the system can continue
operations)
• Placing data on RAID disks enables input/output (I/O) operations to overlap in a balanced
way, improving system performance, simplifying storage management and protecting
against data loss
• RAID represents a portion of computer storage that can divide and replicate data among
several drives working as secondary storage
• Increases fault tolerance: redundancy across multiple disks raises the mean time to data
loss, even though each additional disk is one more component that can fail (the aggregate
mean time between failures of the set of disks goes down, not up)
Many organizations depend on RAID technology for handling their critical storage and backup
needs, especially with the increases in data flow and data volume. Organizations are expanding
their networks in order to improve their productivity in the market; however, this growth can
cause storage bottlenecks, and the probability of losing data due to a disaster, threats, mistakes
or hardware failure hampers an organization's ability to grow. RAID technology addresses these
situations by providing data availability, high performance and efficient, accessible recovery
options without loss of data.
• Fault tolerance: If one disk fails, the other disks continue to function and the array keeps
serving data.
• Performance: RAID achieves high performance by spreading read and write operations
across multiple disks.
• Capacity: The usable storage capacity depends on the particular RAID level chosen. It is not
simply the sum of the individual disk sizes, since mirroring and parity consume part of the
raw capacity.
All the RAID levels depend on the storage techniques below:
• Striping: Data striping divides the data into multiple blocks, which are written across the
disks of the RAID set. Striping improves storage performance.
• Mirroring: Data mirroring writes identical copies of the data to two or more disks at the
same time. This improves fault tolerance and read performance at the cost of capacity.
• Parity: Parity combines striping with a parity block computed (by XOR) over the data blocks
of each stripe. If a drive fails, the missing block of each stripe is recalculated from the
remaining data blocks and the parity block.
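The following toy simulator is an added example, not part of the courseware, that makes the parity technique concrete. It stripes data at block level across n disks, rotates the parity block across the disks as RAID 5 does (the left-symmetric rotation used here is one common layout, assumed for the example), reconstructs the blocks of a failed disk by XOR of the surviving blocks in each stripe, rebuilds a replacement disk, and refuses to serve data once a second disk has failed, which is the RAID 5 limitation discussed later in this module. The data and disk sizes are constructed.

```python
def xor_blocks(blocks):
    """XOR equal-length byte blocks; this is the parity function used by RAID 5."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, v in enumerate(b):
            out[i] ^= v
    return bytes(out)


class Raid5:
    """Toy RAID 5: block-level striping with the parity block rotated across n disks.

    A single write() fills the array; disks are lists of blocks indexed by stripe.
    """

    def __init__(self, n_disks, block_size):
        if n_disks < 3:
            raise ValueError("RAID 5 needs at least three disks")
        self.n, self.bs = n_disks, block_size
        self.disks = [[] for _ in range(n_disks)]
        self.failed = set()
        self.length = 0

    def parity_disk(self, stripe):
        """Left-symmetric layout: parity moves one disk to the left on each stripe."""
        return (self.n - 1 - stripe) % self.n

    def write(self, data):
        """Stripe data so each stripe holds n-1 data blocks plus one parity block."""
        per_stripe = (self.n - 1) * self.bs
        padded = data + b"\0" * (-len(data) % per_stripe)
        for s in range(len(padded) // per_stripe):
            chunk = padded[s * per_stripe:(s + 1) * per_stripe]
            blocks = [chunk[i * self.bs:(i + 1) * self.bs] for i in range(self.n - 1)]
            parity = xor_blocks(blocks)
            it = iter(blocks)
            for d in range(self.n):
                self.disks[d].append(parity if d == self.parity_disk(s) else next(it))
        self.length = len(data)

    def stripes(self):
        return len(next(disk for disk in self.disks if disk is not None))

    def block(self, stripe, disk):
        """Read one block, reconstructing it from the surviving disks if that disk failed."""
        if disk not in self.failed:
            return self.disks[disk][stripe]
        if len(self.failed) > 1:
            raise IOError("more than one disk failed: stripe cannot be reconstructed")
        survivors = [self.disks[d][stripe] for d in range(self.n) if d != disk]
        return xor_blocks(survivors)  # missing block = XOR of every other block in the stripe

    def read(self):
        """Return the stored data, skipping parity blocks and reconstructing where needed."""
        out = bytearray()
        for s in range(self.stripes()):
            for d in range(self.n):
                if d != self.parity_disk(s):
                    out += self.block(s, d)
        return bytes(out[:self.length])

    def fail(self, disk):
        self.failed.add(disk)
        self.disks[disk] = None  # contents are gone, as on a real drive failure

    def rebuild(self, disk):
        """Replace a failed disk: every stripe is recomputed from all surviving disks,
        which is why rebuilds of large arrays take so long."""
        rebuilt = [self.block(s, disk) for s in range(self.stripes())]
        self.disks[disk] = rebuilt
        self.failed.discard(disk)
        return len(rebuilt)


if __name__ == "__main__":
    arr = Raid5(4, 16)
    arr.write(bytes(range(256)) * 3)
    arr.fail(1)
    print("readable with one failed disk:", arr.read() == bytes(range(256)) * 3)
    print("stripes rebuilt:", arr.rebuild(1))
```

With four disks of equal size the usable capacity is three disks' worth, matching the one-drive-per-set parity cost described for RAID 5 below; a real controller performs the same XOR over sector-sized blocks in firmware and keeps the reconstruction going while the array is "degraded".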
Advantages/Disadvantages of RAID Systems
Advantages
• RAID offers hot-swapping or hot plugging, i.e. replacing a failed drive without affecting
network functionality (on controllers and enclosures that support it)
• RAID supports disk striping, resulting in improved read/write performance as the system
uses the bandwidth of several disks at once
• Parity checking allows the data of a failed drive to be rebuilt, preventing data loss
Disadvantages
• RAID is not compatible with some hardware components and software systems, e.g. some
system imaging programs
• RAID data is lost if drives fail one after another, e.g. a RAID 5 array cannot recreate the
first failed drive if a second drive fails before the rebuild completes
• RAID cannot protect the data and offer performance boosts for all applications
Before RAID technology was introduced, many organizations used a single drive to store data.
RAID technology is now found across the storage devices of an organization. RAID has
advantages and disadvantages depending on the RAID level implemented.
Advantages:
3. Data redundancy: Failure of a disk can occur at any time, so data redundancy is important
for the organization. RAID provides enhanced data redundancy in case of a hardware
failure.
4. Disk striping: Disk striping improves the read/write performance of the data. The data is
divided into small chunks and spread across multiple disks. Depending on the RAID level
implementation, the data is divided into bytes, bits or blocks. Data reading and writing can
be done simultaneously on a RAID system.
5. System uptime: This metric measures the reliability and stability of a computer, i.e. how
long the system can be left running without intervention. Configuring RAID on a system
helps enhance system uptime, and high system uptime in an organization supports high
productivity.
Disadvantages:
3. Loss of data: The RAID drives operate in the same environment and can become
non-functional due to mechanical issues. The potential for data loss increases if disk
failures occur one after another: when two drives fail at the same time, recovering the
data from the disks becomes difficult.
4. Time-consuming rebuilds: Drive capacity has increased much more than transfer speed, so
recovering data from large-capacity drives can be time consuming and rebuilding a failed
disk can take a long time. Increasing the number of drives does not increase the transfer
speed of the individual drive being rebuilt.
RAID Storage Architecture
[Figure: RAID storage architecture: network connection to host, data configuration, multiport memory controller, backup control processor, RAID control processor, battery backup or ultracapacitor unit, SATA/SAS expander, primary RAID memory cache]
RAID Storage Architecture (Cont'd)
• RAID controller: manages the array of physical disk drives and presents them to the
computer as logical units
• Cache: used to hold data in transition; a RAID system uses a cache to speed up I/O
performance of the storage system
• SDRAM: dynamic random access memory (DRAM) that is synchronized with the clock speed
of the CPU
• Disk: the hardware presents the RAID to the host system as a single large disk
The RAID architecture depends on two principles, redundancy and parallelism, providing a wide
range of storage options with better performance and resilience to disk failures. The growth of
the Internet has increased the use of RAID systems because of their high data storage capacity
and management features. Many RAID implementations are available depending on the
application, and they differ in how they use parallelism, duplication and redundancy.
In the RAID architecture shown, the switch receives data from servers connected to the network
and forwards it to the processor. The processor transfers the received data to the RAID
controller. The RAID controller may be implemented either in hardware using a RAID-on-Chip
(ROC) or in software. The ROC can contain the I/O interfaces, processor, host interface and
memory controller. The ROC is installed directly on a motherboard, on an expansion card or in
an external drive enclosure.
[Figure: RAID storage architecture (cont'd): SAN/NAS/host interface and network connection to host, RAID controller firmware, RAID journal, transaction and error log file, multiport memory controller, backup control processor, flash, SATA/SAS expander, primary RAID memory cache]
The RAID storage architecture outlines how the RAID server functions. The processor controls
the entire operation of the drive arrays and interfaces and provides flexible, high-performance
functions. The architecture in the figure above shows that a RAID system can be built on HDDs
as well as SSDs. The processor requires DRAM and NAND flash memory; the NAND flash provides
non-volatile storage for the contents of the primary RAID memory cache.
A battery backup or ultracapacitor unit attached to the primary RAID memory cache is needed
when the RAID control processor suffers a power failure. In this scenario, the backup power
source lets the controller copy the DRAM's contents to the NAND flash memory independently
of the host, so that acknowledged writes are not lost. A battery backup is an inexpensive way to
protect the cache during a power loss. The architecture also shows the need for non-volatile
memory for the RAID controller firmware, the RAID journal, and the transaction and error log
file.
• RAID Controller: Hardware or software that manages a set of hard disk drives or solid state
drives as a single logical unit. The controller can keep multiple copies of data on multiple
disks, protecting against drive failure and improving performance. In a hardware RAID, a
physical controller (typically a PCI card supporting SATA, SAS or SCSI drives) manages the
array. A software RAID works similarly but runs on the host CPU and generally offers lower
performance than hardware RAID.
• Primary RAID Memory Cache: The RAID controller has direct access to the cache memory,
enabling faster read and write access to the storage system. The cache holds data that is in
transition. It is relatively large and uses high-speed SDRAM. A typical cache has a separate
read cache and write cache. The read cache decreases read latency. The write cache
operates in one of two modes:
  o Write-through mode: Data is written to the disk as soon as the host sends it, and the
write is acknowledged only after it reaches the disk. The host sends the next data item
after receiving that confirmation.
  o Write-back mode: Data sent from the host is written to the cache memory, and the
RAID controller acknowledges the write as soon as the data is in the cache. The host
can continue with other work while the controller transfers the data from the cache to
the disk drives. If power is lost before the cached data reaches the disk, the
acknowledged data is lost unless the cache is protected by a battery backup or flash,
which is why write-back caching should only be enabled with such protection.
• IDE, SATA or SCSI interface: These are the interfaces and cables that carry read/write
commands and data to and from the drives. They are mostly used for connecting drives
internally; servers also connect to storage using these interfaces.
  o IDE: Integrated Drive Electronics (IDE) allows the connection of two devices per
channel. It is normally used for internal devices, as the cables are large and flat.
  o SATA: Serial ATA provides a serial point-to-point connection and supports hot plugging,
i.e. replacing a drive without shutting down the system. SATA allows only one device
per connector.
  o SCSI: Small Computer System Interface (SCSI) allows multiple devices to be connected
to a single port (bus) at the same time. Parallel SCSI uses a parallel cable for attaching
internal and external devices.
• nvSRAM: Non-volatile SRAM offers fast reads and writes through a standard asynchronous
SRAM interface and retains its contents without a battery when power is removed. It suits
applications that require high speed and non-volatile storage at low cost, such as medical
equipment; in a RAID controller it preserves data even in the event of a power failure.
• Multiport Memory Controller: An MPMC provides access to memory for up to eight ports.
The memory controller may be a separate chip or integrated.
• NAND Flash Memory: Flash memory is a storage medium developed from electrically
erasable programmable read-only memory (EEPROM). NAND and NOR are the two types of
flash memory. NAND flash is designed to reduce cost and increase capacity, and it does not
require power to retain data. NAND flash has improved its read/write endurance while
reducing voltage demands.
• SDRAM: Synchronous dynamic random access memory is memory synchronized with the
clock of the processor, which increases the number of instructions the processor can
complete in a given time. SDRAM speed is measured in megahertz (MHz). The memory is
divided into several sections called banks, allowing the device to operate on several memory
access commands simultaneously.
RAID 0
It improves I/O performance by spreading the I/O load across many channels and disk drives.
[Figure: RAID 0 with data striped across Disk 0 and Disk 1]
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Depending on the requirements of your organization, you can choose any available RAID level.
RAID levels are built for performance, fault tolerance or both.
RAID 0 is about performance. In this level, data is broken into blocks and written across
multiple drives. The storage capacity of RAID 0 is equal to the sum of the capacities of the disks
in the set. RAID 0 provides no fault tolerance: failure of one disk causes the failure of the whole
level 0 volume, and the chance of recovering data from a failed RAID 0 is minimal at best.
Data is distributed equally among all disks in a RAID 0 set, resulting in high performance.
Because reads and writes are spread across the disks concurrently, the throughput of the array
approaches the combined throughput of its disks. Increased throughput is the advantage of
RAID 0, bearing in mind that data recovery is unavailable. Both software and hardware RAID
controllers support RAID 0, helping to boost server performance.
Example: Assume that the IT infrastructure has a high-performance disk set from which data is
transferred at very high speed, and all large and critical files are stored on it. If one disk fails,
the entire contents of the files are affected, leading to unavailability of the data. It is advisable
not to store any critical data on a RAID level 0.
• Cost: RAID level 0 is cost effective compared to the other RAID levels.
• Non-critical data: Data that is not critical to the organization can be stored on RAID level
0. This level does not use mirroring; if data is lost on a RAID level 0, recovery is not
possible.
RAID 1
Multiple copies of data are written to multiple drives at the same time.
[Figure: RAID 1 with identical data mirrored on Disk 0 and Disk 1]
A typical RAID 1 contains an exact copy of the data on two or more disks. RAID 1 writes data to
the primary drives and their mirror drives at the same time. Failure of one drive does not affect
the data on the other drives, which allows data retrieval from the mirror drive. Like RAID 0,
RAID 1 provides no parity, striping or spanning of disk space across multiple disks. RAID 1 can
be used in accounting, payroll and other financial applications.
RAID 1 is suitable in environments where read performance matters more than write
performance. RAID 1 has improved read performance since the mirrored disks can be read
simultaneously.
RAID level 1 provides data reliability, since after the failure of one disk the same data is still
accessible on the other disks. A hardware RAID 1 implementation requires a minimum of two
disks. In a software RAID 1, data can be mirrored between volumes. RAID 1 reduces the total
usable capacity by half.
Example: If a RAID 1 server with two 4TB drives is configured, the storage capacity will be 4TB,
not 8TB.
The drive that can service a read request first does so. Write throughput in RAID 1 is always
lower because every drive needs to be updated; the slowest drive limits the performance, so the
array is only as fast as its slowest drive. RAID 1 will continue to function as long as at least one
drive is working.
• Compatible: RAID 1 is compatible with hardware and software RAID systems, including
controllers.
• Reliable: The mirroring in RAID 1 ensures the data will be available, making it more
reliable than RAID level 0.
• Hot swapping: Hot swapping means replacing a failed disk while the server is still in
operation. Basic RAID 1 implementations do not provide it, so the failed disk can only be
replaced after a shutdown. In practice, hot-swap support depends on the controller and
drive enclosure rather than on the RAID level, so check the hardware before relying on it.
RAID 3 (dedicated parity drive)
If a drive fails, data recovery and error correction is possible using the parity drive in the set.
[Figure: RAID 3 with data striped across Disk 0 to Disk 3 and the parity blocks (Ap, Bp, Cp, Dp) generated for each stripe stored on a dedicated parity drive, Disk 4]
• Slow performance: random operations affect the performance, reducing the speed.
RAID 5
The data is striped at the block level across multiple drives and the parity information is
distributed among all the member drives.
The data writing process is slow, because every write also updates the parity block of its stripe.
This level requires a minimum of three drives to be set up.
[Figure: RAID 5 with data blocks (A1, ...) and parity blocks distributed across Disk 0, Disk 1 and Disk 2]
The data chunks in a RAID level 5 system are larger than the regular I/O size, but they can be
resized. To prevent data loss after a drive fails, the missing data can be recalculated from the
distributed parity.
RAID 5 needs at least three disks, but for better performance more than three disks can be
used. RAID 5 is not a good choice for write-heavy workloads. If a disk fails, it takes a long time
to rebuild the RAID 5 array; while the array is being rebuilt, performance degrades and the
array is vulnerable to an additional disk failure, which would lose the data. This level offers
significant read performance as the disks satisfy data requests independently.
RAID 5 is found most often in file and application servers, database servers, web, e-mail and
news servers.
• Withstand failure: RAID 5 can withstand the failure of a single drive without loss of data.
• Hot swapping: In case of a disk failure, the failed disk can be replaced with a new one
without a server shutdown.
Example: A database accessed by many employees benefits from RAID 5 because the disks
serve read requests in parallel, which reduces the time the server needs to respond.
RAID 10 is a combination of RAID 0 (striping volume data) and RAID 1 (disk mirroring) and
requires at least four drives to implement.
It has the same fault tolerance as RAID level 1 and the same capacity overhead for the
mirroring as RAID 1.
It stripes the data across mirrored pairs. The mirroring provides redundancy and improved
performance; the data striping provides maximum performance.
[Figure: RAID 1+0, a RAID 0 stripe across two RAID 1 mirrored pairs]
RAID Level 10 includes disk striping and mirroring in a nested, hybrid RAID level. It is a
combination of RAID level 1 and RAID level 0 and is also called a "stripe of mirrors". It can be
written as RAID 1+0 or RAID 10. RAID 10 includes the mirroring of RAID 1 and the striping of
RAID 0, without parity. The performance of RAID 10 is higher than that of RAID 1. RAID level 10
has the same fault tolerance as RAID level 1. It requires a minimum of four drives for its
operation. RAID 10 is a great choice for database servers, web servers, e-mail, etc. and can be
used in hardware or software RAID implementations.
• Better throughput: Compared with other RAID levels, RAID 10 provides better throughput
and lower latency.
• Efficient write operations: The write operations of this level are efficient, so it is often
implemented on database servers and other servers with heavy write workloads.
RAID 50
It is more fault tolerant than a RAID 5 but uses twice the parity overhead.
A minimum of 6 drives is required for setup. One drive from each segment can fail and the array
will recover. If more than one drive fails in a segment, the array will stop functioning.
This RAID level offers greater read and write performance compared to a RAID 5 and the highest
levels of redundancy and performance.
[Figure: RAID 5+0, a RAID 0 stripe across two RAID 5 segments (Disk 0 to Disk 2 and Disk 3 to Disk 5)]
RAID level 50 combines striping and distributed parity across multiple RAID levels. This level is
a combination of the block-level striping of level 0 and the distributed parity of level 5. A RAID
level 50 configuration requires a minimum of six drives. When a disk fails, it can be hot swapped.
RAID 50 is an improvement over RAID 5, specifically for write performance and fault tolerance.
RAID level 50 can be implemented on servers that run applications requiring high fault
tolerance, capacity and random access performance. This level offers data protection and faster
rebuilds compared to a RAID 5 system. When one disk fails in a segment, it only affects that
segment and not the entire array; only that segment is rebuilt while the rest of the array
functions normally.
Advantages
• Protection: The data stored in a RAID 50 is better protected than in a RAID 5, and with its
larger number of drives this level offers more capacity than a single RAID 5.
• Non-degradable: With a minimum of six drives in the configuration, failure of one disk does
not impact the server function configured on this level.
• Read and write performance: The read and write performance of RAID level 50 is far
better than RAID level 5.
Disadvantages
• Controller: Only a sophisticated controller can handle RAID level 50.
Selecting Appropriate RAID Levels

RAID level  Disk utilization   Fault tolerance  Large data transfers  I/O rate   Data availability  Key problems
RAID 1      Moderate (50%)     Yes              Good                  Good       Good               Uses double the disk space
RAID 5      Good - Very Good   Yes              Good - Very Good      Good       Good               Lower throughput with disk failure
RAID 0+1    Moderate (50%)     Yes              Good                  Very Good  Good               Uses double the disk space
RAID 1+0    Moderate (50%)     Yes              Very Good             Very Good  Very Good          Very expensive, not scalable
RAID 30     Good - Very Good   Yes              Very Good             Excellent  Excellent          Very expensive
RAID 50     Good - Very Good   Yes              Good - Very Good      Excellent  Excellent          Very expensive
Selection of any RAID level should be based on the needs of the organization and the features
offered by each level.
• Application performance needs: Not all RAID levels are useful for all applications and data
needs. Choose an appropriate RAID level according to factors like I/O needs, storage capacity,
fault tolerance, etc.
• Capacity: Each RAID level offers a different amount of usable capacity. The choice of a RAID
level depends on the capacity required. For example, if 30 drives are needed, a RAID 50 or 60
is the better choice: three segments of 10 drives each. A single RAID 5 could be used, but the
rebuild process would be tedious, among other problems. In a RAID 50 one drive per segment is
lost to parity, so only 27 drives are available towards the capacity requirement. Capacity is
lost but performance and rebuild time are gained.
• Cost: Both performance and capacity cost money. Weigh the options between performance and
capacity. Losing a small amount of capacity may be worth it for the gains in performance. This
depends on where the RAID system will be utilized; strike a balance between capacity and
performance that works best for the organization.
• Availability needs: Choose a RAID level that matches the availability requirements of the
organization.
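The capacity arithmetic above, carried through as an added worked example that is not part of the courseware: a small Python calculator for usable drives and survivable failures per RAID level. The 30-drive, three-segment case from the text is used as the sample input; the 4 TB drive size and the compare() helper are assumptions for illustration, and the layout rules are the standard ones for each level.

```python
"""Usable capacity and survivable failures for common RAID layouts.

Added worked example, not part of the CND courseware. The drive counts
and the 4 TB drive size used below are constructed; the layout rules are
the standard ones (RAID 5 gives one drive per set to parity, RAID 6 two,
mirrors halve capacity, RAID 50/60 stripe several parity sets).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layout:
    usable_drives: int   # drives whose capacity is available for data
    min_failures: int    # failures the array is guaranteed to survive
    max_failures: int    # failures it survives if they land in different sets


def raid_layout(level: str, drives: int, segments: int = 1) -> Layout:
    """Describe a RAID level built from `drives` equal-sized drives.

    `segments` is the number of RAID 5 / RAID 6 sets striped together
    and only applies to levels 50 and 60.
    """
    if level == "0":
        return Layout(drives, 0, 0)
    if level == "1":
        if drives < 2:
            raise ValueError("RAID 1 needs at least 2 drives")
        return Layout(1, drives - 1, drives - 1)        # n-way mirror
    if level == "5":
        if drives < 3:
            raise ValueError("RAID 5 needs at least 3 drives")
        return Layout(drives - 1, 1, 1)
    if level == "6":
        if drives < 4:
            raise ValueError("RAID 6 needs at least 4 drives")
        return Layout(drives - 2, 2, 2)
    if level == "10":
        if drives < 4 or drives % 2:
            raise ValueError("RAID 10 needs an even number of drives, at least 4")
        pairs = drives // 2
        return Layout(pairs, 1, pairs)                   # one drive per mirror pair at best
    if level in ("50", "60"):
        parity = 1 if level == "50" else 2
        if segments < 2 or drives % segments:
            raise ValueError("drives must divide evenly into at least 2 segments")
        per_set = drives // segments
        if per_set < parity + 2:
            raise ValueError(f"each segment of RAID {level} needs at least {parity + 2} drives")
        # one (RAID 50) or two (RAID 60) drives of every segment hold parity
        return Layout(drives - parity * segments, parity, parity * segments)
    raise ValueError(f"unsupported RAID level {level}")


def usable_capacity_tb(level: str, drives: int, drive_tb: float, segments: int = 1) -> float:
    return raid_layout(level, drives, segments).usable_drives * drive_tb


def compare(drives: int, drive_tb: float, segments: int):
    """Rows of (level, usable TB, min failures, max failures) for the levels the text weighs."""
    rows = []
    for level in ("5", "6", "10", "50", "60"):
        seg = segments if level in ("50", "60") else 1
        try:
            lay = raid_layout(level, drives, seg)
        except ValueError:
            continue          # level cannot be built from this drive count
        rows.append((level, lay.usable_drives * drive_tb, lay.min_failures, lay.max_failures))
    return rows


if __name__ == "__main__":
    # The example from the text: 30 drives as three RAID 5 segments of 10 (4 TB drives assumed).
    for row in compare(30, 4.0, 3):
        print("RAID %-3s usable %6.1f TB  survives %d-%d failures" % row)
```

The two failure counts matter for the availability decision: RAID 50 across three segments is guaranteed to survive one failure but can survive three only if each lands in a different segment, which is exactly the "more than one drive in a segment" caveat the text gives.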
The table at the start of this section summarizes these trade-offs and will help you select an
appropriate RAID level for your organization.
Hardware RAID
• Uses a disk controller and a redundant array of drives to safeguard against data loss and
improve read/write performance
• Advantages:
• Fault tolerance
• Data protection and performance
• Hot-swapping is supported
• No utilization of the host's CPU
• Disadvantages:
• Expensive configuration requiring additional hardware and a RAID controller
Software RAID
• Runs directly on the server using server resources
• Relies on the host system's CPU for the processing and implementation
• Advantages:
• Low cost, less complicated to set up
• Only a standard controller is required
• Easy to implement
• Disadvantages:
• No hot-swapping
• Slower than a hardware RAID
Choosing between a hardware and a software RAID depends on the requirements of the
organization as well as the needs of the IT infrastructure. The organization should consider its
budget before selecting a specific RAID type, as a hardware RAID costs more than a software-based
RAID system.
Hardware RAID
In a hardware RAID the processing is done on dedicated hardware, such as a RAID chip on the
motherboard or a RAID expansion card. Logical disks are configured and mirrored on the hardware.
A physical controller located on the PCI bus manages the application data and operating
system(s). The controller protects the drives against data loss and enhances read-write
operations.
RAID levels 0, 1, 3 and 5 are compatible with a hardware RAID. A hardware RAID provides
efficient and non-stop recovery from media failure. Performance-based advantages are much
higher with a hardware RAID. For example, an implementation of RAID level 5 will enhance the
data throughput compared to a software-based RAID, because the parity is computed on the card.
Multiple controllers can be added to improve read-write performance and total storage capacity.
A hardware RAID can be implemented when there is a complex and critical setup or with large
databases.
• Advantages:
1. Write-back mode: A typical hardware controller has a battery backup unit (BBU). The
hardware RAID can work in write-back mode because of the BBU. If there is a power failure
while data is being written to a drive, the data held in the controller cache is retained and
is not lost. The BBU plays a very important role in write-back mode.
2. Hot-swapping: Many hardware RAID controllers support hot swapping. A disk can be replaced
while the server is still running, without affecting the production of the organization.
3. Higher throughput: Because the BBU makes write-back caching safe, a hardware RAID offers
higher read and write throughput, increasing the overall performance of the RAID level.
4. Rebuild: The controller rebuilds a replaced disk itself, and the BBU-backed cache shortens
the total amount of time it takes to rebuild.
5. Overhead: A hardware RAID runs on its own hardware. It does not add CPU or RAM overhead on
the host machine.
6. Boot loader: A hardware RAID can recover from a boot loader failure.
• Disadvantages:
1. Expensive: A hardware RAID requires an external RAID card or other dedicated hardware. This
adds to the overall cost of the implementation.
Software RAID
A software RAID uses software instead of dedicated hardware for its implementation. Unlike a
hardware RAID that uses a controller, a software RAID uses the system processor and the
operating system to do the work. It is implemented in the operating system, at the kernel level.
The performance of a software RAID therefore depends on CPU performance. A software RAID relies
on a standard host adapter and performs the parity and mirroring calculations for every I/O in
software. RAID levels 0, 1 and 5 are compatible with a software RAID.
• Advantages:
1. Cost-effective: Software RAID is part of the operating system. No additional items are needed,
so it is more cost-effective than a hardware RAID implementation.
2. Simplicity: A software RAID does not need a hardware controller, so there are no hardware
complexities in its implementation.
3. Duplexing: Duplexing in a software RAID requires only a standard controller.
• Disadvantages:
1. Advanced features unavailable: A software RAID does not offer hot swapping or a drive
swapping feature.
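As an added example (not from the courseware), the following Python check reads the status of a software RAID, assuming the software RAID is the Linux md driver managed with mdadm, which reports array state through /proc/mdstat. The mdstat text in the block is constructed, not captured from a real host; it shows a healthy mirror next to a degraded RAID 5 with one failed member that is rebuilding, and the check flags the degraded array so a monitoring job can alert on it.

```python
"""Check Linux software RAID (md) health from /proc/mdstat.

Added example, not part of the CND courseware. It assumes the software
RAID is the Linux md driver managed with mdadm. SAMPLE_MDSTAT below is
constructed (not captured from a real host) and shows one healthy
mirror and one degraded RAID 5 rebuilding onto a replacement disk.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "md1 : active raid5 sdc1[0] sdd1[1] sde1[2](F) ..."
ARRAY_RE = re.compile(r"^(?P<name>md\d+)\s*:\s*(?P<state>\w+)\s+(?P<level>\S+)\s+(?P<members>.*)$")
MEMBER_RE = re.compile(r"(?P<dev>\w+)\[\d+\](?P<flag>\([A-Z]\))?")
# "[4/3] [UU_U]" = designed members / active members, and which slots are up
STATUS_RE = re.compile(r"\[(?P<total>\d+)/(?P<active>\d+)\]\s+\[(?P<map>[U_]+)\]")
PROGRESS_RE = re.compile(r"(?P<op>recovery|resync|reshape|check)\s*=\s*(?P<pct>\d+(?:\.\d+)?)%")

# Constructed sample of /proc/mdstat.
SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid1 sda1[0] sdb1[1]
      1046528 blocks super 1.2 [2/2] [UU]

md1 : active raid5 sdc1[0] sdd1[1] sde1[2](F) sdg1[4] sdf1[3]
      3139584 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/3] [UU_U]
      [=====>...............]  recovery = 27.4% (287232/1046528) finish=0.6min speed=20516K/sec

unused devices: <none>
"""


@dataclass
class ArrayStatus:
    name: str
    level: str
    state: str
    total: int = 0                       # member slots the array is designed for
    active: int = 0                      # slots currently in sync
    failed: List[str] = field(default_factory=list)   # members flagged (F)
    progress: Optional[Tuple[str, float]] = None      # (operation, percent done)

    @property
    def degraded(self) -> bool:
        return self.active < self.total or bool(self.failed)


def parse_mdstat(text: str) -> List[ArrayStatus]:
    """Parse the arrays out of /proc/mdstat text (one block per md device)."""
    arrays: List[ArrayStatus] = []
    current: Optional[ArrayStatus] = None
    for line in text.splitlines():
        if not line.strip():
            current = None               # a blank line ends the array's block
            continue
        m = ARRAY_RE.match(line)
        if m:
            current = ArrayStatus(m["name"], m["level"], m["state"])
            current.failed = [d["dev"] for d in MEMBER_RE.finditer(m["members"])
                              if d["flag"] == "(F)"]
            arrays.append(current)
            continue
        if current is None:
            continue                     # "Personalities" / "unused devices" lines
        s = STATUS_RE.search(line)
        if s:
            current.total, current.active = int(s["total"]), int(s["active"])
        p = PROGRESS_RE.search(line)
        if p:
            current.progress = (p["op"], float(p["pct"]))
    return arrays


def raid_alerts(text: str) -> List[str]:
    """One alert line per array that is not active, is degraded or is still rebuilding."""
    alerts = []
    for a in parse_mdstat(text):
        if a.state != "active":
            alerts.append(f"{a.name} ({a.level}) is {a.state}")
        elif a.degraded:
            msg = f"{a.name} ({a.level}) degraded: {a.active}/{a.total} members active"
            if a.failed:
                msg += ", failed: " + ", ".join(a.failed)
            if a.progress:
                msg += f", {a.progress[0]} {a.progress[1]:.1f}% done"
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for line in raid_alerts(SAMPLE_MDSTAT) or ["all arrays healthy"]:
        print(line)
```

Run it against the live file with parse_mdstat(open("/proc/mdstat").read()); the fields it extracts, the [total/active] counts and the (F) member flag, are the same ones mdadm reports. This is the check a software RAID needs that a hardware controller with its own alarm does not: nothing else tells you a software array is running without redundancy.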
• If there are any unusual mechanical noises from the drive, immediately turn it off and get
assistance
• Take and keep a valid backup before performing a software or hardware change
• Label the drives with their respective positions in the RAID array
• Never run volume repair utilities on suspected bad drives
The following are additional best practices for selecting and using RAID:
• Always ensure the chosen RAID level matches the needs of the organization.
• Avoid replacing a failed drive with one that was part of a previous RAID system.
• Always seek assistance if there are any unusual noises from the system.
• Label hard drives with their respective RAID array positions.
• Always select a RAID group according to the logical unit numbers (LUNs) accommodated by the
server.
• Avoid making changes to the data in a RAID while it is being repaired or rebuilt.
Storage Area Network (SAN)
• A SAN is a specialized, dedicated and discrete high speed network that connects storage devices
(disks, disk arrays, tapes, servers, etc.) with a high speed I/O interconnect (Fibre Channel, SAS,
Ethernet, etc.)
• SANs are preferred in large scale enterprises
Figure: clients on the LAN (communication infrastructure layer) reach the servers, which access
the storage devices over the SAN.
A Storage Area Network (SAN) is a high performance network that interconnects storage
devices with multiple servers. The role of a SAN is to move stored resources off the common
network and reorganize them on an independent, high performance network. This allows the
servers to share the storage across the network. Primarily, a SAN consolidates storage devices
such as tape drives, disk drives, file servers, RAID arrays, etc. Implementing a SAN makes disk
maintenance controllable and easier. A SAN implementation needs cabling, switches and host bus
adapters. Each storage system on the SAN must be interconnected, and the bandwidth of the physical
interconnection should be sufficient to support high data activity.
Systems in a network normally connect to their own storage devices. To ensure that every system in
the network can reach every storage device available on the network, a SAN is needed. A SAN allows
these systems to take ownership of the storage devices, and systems can exchange ownership of the
storage devices among themselves.
Example: If computer A needs data from computer B, it needs a copy of the data from the server to
which computer B is connected. This can be done through file transfer, inter-process communication
or a backup. Even though the data is transferred from computer B to computer A, computer A may
face untimely data errors, an expensive transfer process between two servers or other operational
problems. A SAN architecture resolves this. In a SAN architecture, all servers are connected to
storage devices such as tape drives, RAID arrays, disk systems, etc. through Fibre Channel. Thus,
instead of computer A communicating with computer B for the data, it can directly get a copy from
the storage devices connected to the servers. For this to work, the data storage devices act as a
common access point for all the servers.
SAN storage sharing eliminates the scheduling of data transfers among the servers and reduces the
cost of data transfer among them. SAN storage offers only block-level operations and does not
provide a file abstraction. However, if a file system is structured on top of the storage area
network, file access is provided; this is known as a SAN file system.
Today, in large organizations, a SAN is a storage pool for the servers connected to it. Fibre
Channel is often replaced by iSCSI over Ethernet, which has become the choice of many mainstream
organizations. Whatever the size of the organization, a SAN consolidates the storage workloads in
the network.
Types of SAN
1. Virtual Storage Area Network (VSAN): A VSAN, designed by Cisco, is a logical partitioning
within a physical storage area network. A VSAN allows some or all of the storage network to be
allocated to logical SANs. VSANs are mainly used in cloud computing and virtualization
environments and can be used to build virtual storage.
A VSAN works like a traditional SAN; since it is a virtualized environment, end devices can be
added or relocated without affecting or changing the physical layout of the network. Implementing
VSANs also enhances the security of the entire network by isolating traffic between partitions.
2. Unified SAN: A unified SAN is also known as unified network storage or multiprotocol storage.
It allows applications and files to be served through a single device. It handles both file
storage and block-based input/output operations, merging file and block access in a single storage
network. A unified SAN is cost-effective as it saves the expense of separate hardware. Storing
both modes in a single device, a unified SAN is easy to manage, although it is advisable to deploy
critical applications on block-based storage.
3. Converged SAN: A converged SAN uses a common network infrastructure for LAN and SAN traffic.
This reduces the cost and complexity of the SAN. Converged SANs depend on 10 Gigabit Ethernet and
converged network ports.
Key SAN benefits: disaster tolerance; high performance and low latency.
With the rise in technology and the increase in data, organizations need storage that can handle
their needs. The SAN advantages below help determine the benefits of deploying one in an IT
infrastructure.
SAN Advantages
1. Capacity: SAN performance depends on the type of network. A SAN allows sharing of data
regardless of the storage capacity, and the capacity can be extended to thousands of terabytes.
2. Easy sharing: SAN data is easily shared between systems because the SAN carries isolated
traffic. That traffic does not interfere with normal user traffic, increasing data transfer
performance.
3. Security: If a SAN is configured correctly (for example with zoning and LUN masking so that each
server sees only its own storage), the data is secured and the chance of device intrusion is
minimal.
4. Productive: A SAN is scalable; adding a new disk to the network does not stop the SAN's
productivity. When adding a new hard disk, a reboot or shutdown is not required.
5. Availability of applications: The algorithms in the SAN storage array offer data protection.
This results in application availability at all times.
6. Fast backup: A mirror copy of the data can be created instantly. These mirror images can be
used as a backup whenever required.
7. Bootable: A server without a physical disk can be booted from the SAN. This permits access to
all the page files and applications.
8. Distance connectivity: For better security, plan to keep storage devices in an isolated
location. A SAN can connect devices up to a distance of ten kilometers.
9. Recovery: A SAN is a highly reliable data recovery option. If the servers are offline, the SAN
remains available.
10. Effective utilization: A SAN is a better option for storage space than local disks. If a
system requires more storage, the SAN allocates the space dynamically, similar to the way
resources are allocated to virtual machines.
The implementation of a SAN is beneficial to an organization, but budget constraints, availability
requirements and employee expertise limit what can be deployed.
SAN Disadvantages
1. Very costly: The implementation of a SAN can cost more than the available budget. A SAN is an
investment and should only be implemented if it meets the goals of the organization.
Additional best practices for an effective design, implementation and performance of a SAN:
• In a SAN infrastructure, run the backup proxy server on a separate physical machine
• When using third-party backup software, run the multiple backup jobs the software supports
• When performing a full image backup, consider putting the backup on a SAN volume rather than
storing it on a local disk
• Do not keep only the most recent backup or overwrite any previous backups
• When running host-level backups, periodically run guest-level backups at the same time
• Use an individual backup agent on each virtual machine to avoid data inconsistency and
replication during the backup process
• Secure the data from accidental or malicious disclosure using encryption, whether the data is in
transit or at rest
• When transferring data through a switch, use a Fibre Channel (FC) SAN to rapidly transfer the
data between storage devices and servers
SAN Tools
OpStor
Source: http://www.manageengine.com
OpStor helps reduce the clutter of point products in storage by providing deep insight into
backup and maintenance schedules. It also provides detailed server, client, node, disk and
plug-in reports for single- and multiple-node configurations of an EMC Avamar backup server.
Brocade
Source: http://www.brocade.com
The Brocade data center fabric supports controller-based network virtualization architectures
such as VMware NSX and the Brocade BGP-EVPN Network Virtualization controller-less
architecture. Brocade BGP-EVPN Network Virtualization eliminates the need for an external
controller by leveraging open standards-based protocols to enable workload agility,
segmentation and security within and across data centers.
Amanda
Source: http://www.amanda.org
AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system that
allows the administrator of a LAN to set up a single master backup server to back up multiple
hosts to a single large capacity tape or disk drive. Amanda uses native tools (such as GNU tar
and dump) for backup and can back up a large number of workstations running multiple versions of
Unix, Mac OS X, Linux and Windows.
Symantec Storage Foundation Basic
Source: http://www.symantec.com
Symantec Storage Foundation Basic provides a complete solution for heterogeneous online
storage management. It is designed for heterogeneous online storage management of edge-tier
workloads with up to four file systems, four volumes and two processor sockets per system.
NetBackup
Source: www.veritas.com
NetBackup reduces complexity and makes data protection as manageable as possible for
limited staff. NetBackup provides a single solution for the entire enterprise, available on a
converged platform and built to require minimal administration in even the largest, most
dynamic environments.
Cisco Prime Data Center Network Manager
Source: http://www.cisco.com
The Cisco Prime Data Center Network Manager (DCNM) is designed to efficiently implement,
visualize and manage the Cisco Unified Fabric. It includes a comprehensive feature set, along
with a customizable dashboard that provides enhanced visibility and automated fabric
provisioning for dynamic data centers.
SANtools
Source: http://www.santools.com
SANtools provides software and consulting services for manufacturers, OEMs and resellers of
storage peripherals, subsystems and SAN and NAS appliances.
Nagios
Source: https://www.nagios.org
Nagios provides complete monitoring of SAN solutions, including disk usage, directories, file
count, file presence, file size, RAID array status and more.
IBM SAN
Source: http://www-03.ibm.com
IBM SAN products and solutions provide integrated SMB and enterprise SAN solutions with
multi-protocol local, campus, metropolitan and global storage networking.
EMC NetWorker
Source: http://www.emc.com
EMC NetWorker unifies and automates backup to tape, disk-based and flash-based storage
media across physical and virtual environments for granular and disaster recovery.
Network Attached Storage (NAS)
• NAS is a file-based data storage service and a dedicated computer appliance shared over the
network
• NAS is a high performance file server optimized for storing, retrieving and serving files
• NAS servers contain proprietary or open-source operating systems optimized for file serving
Advantages
• Users with different operating systems can share files with no compatibility issues
• A NAS can be connected to a LAN using the plug and play feature
• Minimal administration required unlike Unix or NT file servers
• Centralized usage, reduced cost for backup and maintenance compared to a SAN
• Faster response than Direct Attached Storage (DAS)
Disadvantages
• Applications that use a majority of the data transfer bandwidth will greatly reduce network
performance
• Data transfer is inefficient as it uses TCP/IP instead of a specialized data transfer protocol
• The storage service guarantee cannot be trusted for mission critical operations
• Administrators must set user quotas for storage space
Network attached storage (NAS) is a storage device that is connected to a network. It stores
and retrieves data from a centralized location. NAS provides dedicated shared storage space for
a local area network. Implementing a NAS removes file sharing duties from the servers on the
network. A NAS contains one or more storage devices which are logically arranged, and offers
file storage over a standard Ethernet connection.
NAS devices do not use external device management; they are operated through a web-based
utility. A NAS is a node on the LAN with its own IP address, and is similar to a file server. NAS
devices are scalable, vertically as well as horizontally. Larger implementations use large and
clustered disk sets.
NAS has evolved from supporting virtualization to data replication and multiprotocol access. A
clustered NAS is one example of this evolution: in a clustered NAS infrastructure, access is
provided to all files irrespective of their physical location. A NAS does not require a full
general-purpose operating system like Windows. Certain devices run a stripped-down OS like
FreeNAS or another open source solution.
NAS devices are in high demand in small enterprises due to their effective, low-cost and
scalable storage capacity. They are classified into three types based on the number of drives,
drive capacity and scalability.
NAS Advantages
1. Accessibility: A NAS system stores data as files and supports the CIFS and NFS protocols.
Multiple users can access the files simultaneously over an Ethernet network. Computers in a
shared network can access the data through either a wireless or a wired connection.
2. Storage: Deploying a NAS in the network increases the amount of storage available to the
other systems. A NAS system can store many terabytes of data and is a good choice for storing
large applications or video files.
3. Efficient and reliable: A NAS assures efficient transfer of data and reliable network access.
If a system in the network fails, the function of the other systems is not affected. A NAS
server can also be created to give users the ability to access large files or applications.
4. Automatic backup: Certain NAS devices are configured with an automatic backup feature. The
data is available on the user's system as well as on the server hard drive, and changes made on
the user's system are reflected on the server hard drive as well. Automatic backup is not time
consuming and protects the availability of the data.
Disadvantages
1. Consumption: A NAS shares the network with other host machines and tends to consume a large
amount of network bandwidth. For remote NAS systems, data transfer performance depends on the
available bandwidth. It is advisable to avoid storing databases on network attached storage, as
the server response time fluctuates with the bandwidth.
2. Network congestion: A large backup can affect the function of the IP network and may lead to
network congestion.
Integrated NAS System
• The NAS head is responsible for the connectivity between the I/O requests and the clients
• Storage may include a wide range of disks, ranging from low-cost ATA to high performance SSDs,
and from low-end single enclosure devices to high-end externally connected storage solutions
Figure: Integrated NAS system. Clients and servers connect over the IP network to the NAS head,
which is housed together with its storage.
The integrated NAS system includes all the NAS components in a single frame. To provide
connectivity to all clients, the NAS head connects to the IP network. An integrated NAS frame
may vary from a low-end device to a high-end solution containing external storage arrays.
Low-end devices focus more on data storage than on disaster recovery or performance. They are
primarily used in small organizations, where capacity is increased by adding more devices.
Adding devices also increases the management overhead because of the larger number of devices
in use.
High-end devices provide additional storage space and high scalability.
Advantages
• Easy to implement
• Uses simple tools
Disadvantages
• Limited capacity and performance
• No performance upgrade
Synology DiskStation DS1513+
Source: https://www.synology.com
The Synology DiskStation DS1513+ offers massive dynamically scalable storage space, stellar
performance, a robust web interface and a vast quantity of useful features for home, small and
medium business applications.
WD My Cloud EX4
Source: www.wdc.com
The WD My Cloud EX4 offers data redundancy, Windows Server integration and an excellent set
of personal cloud features. It is affordable and very easy to use. It is not the fastest NAS, nor
does it include many advanced features, but the WD My Cloud EX4 still combines great ease of
use with an affordable personal cloud system that is excellent for a connected home.
LaCie 5big NAS Pro
Source: www.lacie.com
The LaCie 5big NAS Pro offers super-fast performance and has an excellent drive bay design.
The NAS server is also easy to use and can scale up its storage space dynamically.
Pogoplug Series 4
Source: https://pogoplug.com
Features of Pogoplug Series 4 include:
• Powerful
ASUSTOR NAS
Source: https://www.asustor.com
ASUSTOR NAS devices provide data protection through RAID technology and support a diverse
array of automatic backup solutions. Seamless cross-platform file sharing allows easy connection
to the NAS device no matter which OS is used, such as Windows, Mac OS or Unix-based.
Buffalo TeraStation 5200
Source: www.buffalotech.com
The TeraStation 5200 is a high performance 2-drive network storage solution ideal for businesses
and demanding users requiring a reliable RAID-based NAS and iSCSI storage solution for larger
networks and business critical applications.
Gateway NAS System
• The gateway NAS system contains storage arrays and a separate NAS head
• Separate administration of the NAS head and storage makes maintenance less complex
• The storage array and NAS head can be scaled up independently, making a gateway NAS more
scalable than an integrated NAS
Figure: Gateway NAS system. Clients and servers connect over the IP network to the NAS head,
which connects over Fibre Channel through SAN switches to the back-end disk systems, RAID and
tape drive.
A NAS gateway is a NAS appliance attached to an existing SAN. In this NAS implementation the SAN
provides the storage and the NAS gateway serves a portion of that block storage capacity as
file-based storage.
Drawbacks of a gateway NAS:
• The NAS hardware is comparatively more costly than other file servers.
• The block-level storage of the SAN behind the NAS head must be managed as well, which adds to
the administrative overhead.
• The NAS GUI is entirely different from that of a SAN, making it difficult for users to manage
both.
The gateway NAS system includes an independent NAS head and multiple storage arrays. A gateway
NAS requires additional management functions compared to an integrated NAS. It provides high
scalability, as the NAS head and storage arrays scale up according to the requirements of the
organization. A gateway NAS combined with a SAN provides a large amount of storage capacity.
Scalability is increased by adding more NAS heads, although this makes it harder to determine the
network requirements of the gateway environment. A Fibre Channel SAN may be used for the
connection between the gateway NAS and the storage system.
Advantages
• Ability to use available SAN storage.
• Upgrades front-end and back-end separately.
Disadvantages
• The capacity depends on the storage space available to the NAS system.
Screenshot: FreeNAS 9.10 web interface (FreeNAS-9.10-RELEASE), System Information page showing the
hostname freenas.local, build, platform, system time, uptime and load average.
FreeNAS is an operating system that can be installed on virtually any hardware platform to share
data over a network. It is the simplest way to create a centralized and easily accessible location
for data. FreeNAS with ZFS protects, stores and backs up all the data. FreeNAS is used everywhere:
in the home, in small business and in the enterprise. FreeNAS features are:
• Web Interface: Simplifies administrative tasks. Every aspect of the FreeNAS system can be
managed from a web interface.
• File Sharing: SMB/CIFS (Windows file shares), NFS (Unix file shares) and AFP (Apple file
shares), FTP and iSCSI (block sharing).
• Snapshots: Snapshots of the entire file system can be made and saved at any time. Access
files as they were when the snapshot was made.
• Replication: Employ the replication feature to send snapshots over the network to
another system for true off-site disaster recovery.
Selecting an Appropriate Backup Method
Select the backup method based on cost and capability according to the organization's
requirements.
Organizations can choose any backup method depending on their budget and IT infrastructure.
The different types of data backup methods are:
Hot Backup
A hot backup is a popular backup method. It is also called a dynamic backup or active backup. In
a hot backup, the system continues to perform the backup process while users are accessing the
system. Implementing hot backups in an organization avoids downtime. However, changes made to the
data during the backup process are not reflected in the final backup file. Also, while the backup
is in process, users may find the system running slowly. A hot backup is an expensive process.
Cold Backup
A cold backup is also called an offline backup. The cold backup takes place when the system is
not working or is not accessible by users. A cold backup is the safest method of backup as it
avoids the risk of copying data that is being modified. A cold backup involves downtime, as users
cannot use the machine until the process is complete and the system is back online. A cold backup
is not as expensive as a hot backup.
Warm Backup
A warm backup is also called a nearline backup. The backup target remains connected to the
network and is updated periodically, which is useful when mirroring or duplicating data. The warm
backup process can take a long time and can be conducted in intervals that last from days to
weeks.
Onsite Data Backup
• Storing backup data at onsite data storage only
Advantages:
• Onsite backup data can be easily accessed and restored
• Less expensive
Disadvantage:
• Data loss risk is greater
Offsite Data Backup
• Storing backup data in remote locations in fire-proof, indestructible safes
Advantage:
• Data is secured from physical security threats such as fire, floods, etc.
Disadvantage:
• Problems with a regular data backup schedule
Cloud Data Backup
• Storing backup data on storage provided by an online backup provider
Advantages:
• The data is encrypted and free from physical security threats
• Data can be accessed from anywhere
Disadvantages:
• No direct control of the backup data
• More time to backup
Onsite Data Backup
• Advantages:
• Less expensive.
• Media used for onsite backup is readily available and costs less.
• Faster recovery.
• Enhanced scalability.
• Disadvantage:
• Implementing offsite backup creates multiple copies that can be stored in multiple
locations.
Cloud Data Backup
• Advantages:
• Many providers offer data monitoring and create reports for the organization.
• The data in a cloud backup is easily accessed, through the Internet.
• Disadvantages:
• Cloud backup providers do not give any assurances or guarantees concerning the completion
of the backup. It is the responsibility of the organization to check whether the backup
process was successful.
Full backup: All the system data is copied to the backup media.
Differential backup: All the data that has been changed since the last full backup is copied to the backup media.
Incremental backup: Only the files that have been changed or created after the last backup are copied to the backup media.
[Figure: a full backup (10GB) followed by chains of differential backups 1-3 and incremental backups 1-3 (300MB); figure not reproduced]
An appropriate backup type is the one that does not add a major impact to the bandwidth,
cost, time required and the resources of the organization. The three most common backup
types are full, differential and incremental.
Backup Types:
• Full Backup: Is also called a normal backup. The full backup occurs automatically
according to a set schedule. It copies all the files and compresses them to save space. A
full backup provides efficient data protection to the copied data.
• Incremental Backup: Backs up only the data that has changed since the last backup. The
last backup can be any type of backup. Before an incremental backup can be performed,
the system should be backed up using a full or normal backup.
Example: Assume a full backup of a system is scheduled for Sunday and from Tuesday to
Saturday, an incremental backup is scheduled. Once the full backup is performed on
Sunday, the incremental backup on Monday will only back up the changes that occurred
on Sunday. This process will continue until Saturday.
completed on Sunday, the differential backup will occur on Monday and the data that was
changed will be backed up. This sounds a lot like an incremental backup. However, on
Tuesday, the backup will be for the changes made on Sunday and Monday. Then on
Wednesday, it will contain the changes from Sunday, Monday and Tuesday.
Incremental Backup:
• Fastest method
• Least amount of storage space compared to the other backup types
• Slowest restore speed compared to other backup types
Compare the advantages and disadvantages for each backup type and then select the type best
suited for the organization.
Full Backup
• Advantages:
• A time-consuming process because each file is backed up every time a full backup is
performed.
Incremental Backup
• Advantages:
• Disadvantages:
• Data restoration is time consuming and a complex process: first the full backup is
restored and then the incremental backups afterwards.
Differential Backup
• Advantages:
• Uses storage space more efficiently than a full backup; the backup only contains the
changes made at regular intervals.
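To make the trade-offs between the three types concrete, here is an added Python simulation (not from the courseware) of a week that starts with a full backup on Sunday: it computes what each policy copies per day, how much media it consumes, and which backup sets a restore must apply. The file names, sizes and daily changes are constructed sample data.

```python
"""Simulate full, differential and incremental backup schedules over a week.

Added example, not part of the courseware. Day 0 is Sunday and always a
full backup (a full backup must exist before incremental or differential
runs); days 1-6 run one backup of the chosen policy at the end of the day.
File names, sizes and daily changes below are constructed sample data.
"""
from typing import Dict, List, Set

# Constructed sample: file name -> size in MB for the whole system.
SYSTEM_FILES: Dict[str, int] = {
    "os.img": 8000, "db.dat": 1500, "docs.zip": 300, "mail.pst": 200,
}

# Constructed sample: files modified during each day after the Sunday full.
CHANGES_BY_DAY: List[Set[str]] = [
    set(),                   # Sun: full backup taken, nothing modified yet
    {"db.dat"},              # Mon
    {"docs.zip"},            # Tue
    {"db.dat", "mail.pst"},  # Wed
    set(),                   # Thu: quiet day
    {"docs.zip"},            # Fri
    {"db.dat"},              # Sat
]

POLICIES = ("full", "differential", "incremental")


def true_state(changes_by_day: List[Set[str]], day: int) -> Dict[str, int]:
    """Version of every file at the end of `day`, where a version is the
    last day on which the file was modified (0 = unchanged since Sunday)."""
    state = {name: 0 for name in SYSTEM_FILES}
    for d in range(1, day + 1):
        for name in changes_by_day[d]:
            state[name] = d
    return state


def backup_sets(policy: str, changes_by_day: List[Set[str]]) -> List[Dict[str, int]]:
    """Return one backup set per day: the files (with their version) that
    `policy` copies to the backup media on that day."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    sets = [true_state(changes_by_day, 0)]  # Sunday: everything, the full backup
    for day in range(1, len(changes_by_day)):
        state = true_state(changes_by_day, day)
        if policy == "full":
            chosen = set(state)                                 # every file, every day
        elif policy == "differential":
            chosen = {n for n, v in state.items() if v > 0}     # changed since the last full (day 0)
        else:
            chosen = {n for n, v in state.items() if v == day}  # changed since yesterday's backup
        sets.append({n: state[n] for n in chosen})
    return sets


def media_used_mb(sets: List[Dict[str, int]]) -> int:
    """Total MB written to backup media over the week."""
    return sum(SYSTEM_FILES[name] for s in sets for name in s)


def restore_chain(policy: str, day: int) -> List[int]:
    """Which backup sets, in order, a restore to the end of `day` must apply."""
    if day == 0 or policy == "full":
        return [day]                 # one set is enough
    if policy == "differential":
        return [0, day]              # the full plus the latest differential
    return list(range(day + 1))      # the full plus every incremental since


def restore(sets: List[Dict[str, int]], chain: List[int]) -> Dict[str, int]:
    """Apply the backup sets in `chain` order; later sets override earlier ones."""
    restored: Dict[str, int] = {}
    for d in chain:
        restored.update(sets[d])
    return restored


def summary(changes_by_day: List[Set[str]] = CHANGES_BY_DAY) -> Dict[str, dict]:
    """Per-policy media use, restore chain length and restore correctness
    for a restore to the end of the last day (Saturday)."""
    last = len(changes_by_day) - 1
    out: Dict[str, dict] = {}
    for policy in POLICIES:
        sets = backup_sets(policy, changes_by_day)
        chain = restore_chain(policy, last)
        ok = restore(sets, chain) == true_state(changes_by_day, last)
        out[policy] = {"media_mb": media_used_mb(sets),
                       "sets_to_restore": len(chain), "restore_ok": ok}
    return out


if __name__ == "__main__":
    for policy, row in summary().items():
        print(f"{policy:12s} media={row['media_mb']:6d} MB  "
              f"sets to restore={row['sets_to_restore']}  ok={row['restore_ok']}")
    # Losing one link of an incremental chain silently restores stale data.
    inc = backup_sets("incremental", CHANGES_BY_DAY)
    print("incremental restore without Wednesday's set:",
          restore(inc, [0, 1, 2, 4, 5, 6]))
```

The last lines show the failure mode behind "slowest restore speed": an incremental restore needs every set in the chain, and a missing one leaves files at an old version without any error.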
• Does it meet the organization's recovery requirements including RTO and RPO?
• How much does the solution cost, including labor, maintenance and support?
Choosing an appropriate backup solution is essential for efficient and effective backups. Data
loss is avoidable to an extent with excellent backup solutions.
Consider the following items before selecting a backup solution:
1. RTO and RPO standards: RTO and RPO should be the main parameter of your disaster
recovery plan. RTO is Recovery Time Objective and is the duration required to restore the
data. RPO is Recovery Point Objective and is the interval that passes before data quality is
lost.
2. Data restoration: The data restoration process should be easy and reliable. The longer the
restoration process, the higher the productivity loss. Look for a backup solution that offers
an efficient and quick data restoration process to your organization.
3. Off-site storage: It is necessary to identify if the solution stores the data off-site. If the
backup solution does not offer an off-site storage solution, the security of the data is not
guaranteed and the backup can get affected from unwanted occurrences.
4. Security: It is the responsibility of the backup solution vendor to provide proper security
to the data. The solution should consist of an encryption feature, acting as add-on security
to the data.
5. Solution know-how: Understand how the backup solution functions. Understand how
long a backup takes to complete, the maintenance required, additional costs,
implementation in the organization infrastructure, etc.
AOMEI Backupper is backup and recovery software aimed at those with little to no
knowledge of backup and recovery processes. The main functions of the software are:
• Reduces the time required for backing up data through incremental and automatic
backups.
AOMEI backs up files, folders, hard disk drives, partitions and applications. If there is a loss of
data, it will restore the files. It includes a disk imaging and cloning tool to create an exact image
of the hard disk and operating system. The backup types supported by AOMEI include:
• Partition/Volume
• Automatic/Schedule
• Incremental/Differential
• Backup to a NAS
Source: http://www.backup-utility.com
Genie Backup Manager Home
Source: https://www.genie9.com
Genie Backup Manager Home is a tool that provides full control of backup procedures. The
main features of Genie Backup Manager Home are:
• Security
• Resource friendly
Norton Ghost
Source: https://www.symantec.com
Norton Ghost 15 backs up an entire system or specific files and folders while saving recovery
points to offsite locations using FTP.
BullGuard Backup
Source: http://www.bullguard.com
BullGuard Backup is an online backup solution for keeping electronic valuables safe.
Turbo Backup
Source: http://www.filestream.com
TurboBackup provides an option to create multiple backups of shared documents to more than
one destination. It also offers the ability to back up and retain different versions of the same file
to protect documents from accidental loss.
Active Backup Expert (ABE) is software that backs up important files on a Windows
platform.
• Hard disk, network, CD-RW, CD-R, DVD, floppy, FTP server and other device support. Can
choose any drive in the system to store the backups.
• Strong encryption.
• Set-and-forget.
• Backup management.
Source: http://www.nticorp.com
NTI Backup Now backs up and restores files and folders on your Windows PC.
Features:
• Incremental drive image backup for a complete system backup and restore.
PowerBackup
Source: http://www.cyberlink.com
PowerBackup provides support for the following types of data backup:
• Full.
• Differential.
• Incremental.
Backup4all
Source: http://www.backup4all.com
Backup4all is a backup program for Windows that protects data from partial or total losses. It
automates the backup process, compresses the data to save storage space (using standard zip
format) and encrypts the backup to protect it from unauthorized use.
Handy Backup
Source: http://www.handybackup.com
Handy Backup is a program designed for an automatic backup of critical data virtually to any
type of storage media including CD/DVD-RW devices and remote FTP servers. This tool creates
a reserve copy of valuable data. Special add-ons provided enable MS Outlook, system registry
and ICQ files to be backed up.
SyncBackPro
Source: http://www.2brightsparks.com
SyncBackPro is used to backup, synchronize and restore data files. It is used by individuals,
small businesses and mission critical organizations including law enforcement agencies,
hospitals and government departments.
Synchronize! Pro X
Source: http://www.qdea.com
Synchronize! Pro is a tool for high-end server backup solutions because it can reliably handle
millions of files on disks containing terabytes of data. Synchronize! Pro X actions can be scheduled
when changes occur, at night or at any preset time, once or periodically, without anyone present.
Passwords can be supplied automatically for file server connections.
iBackup
Source: http://www.ibackup.com
iBackup backs up and restores user data, system and application settings such as System
Preferences, Mail, iPhoto and iTunes. It can also transfer third-party application settings from one Mac
to another Mac.
Roxio Retrospect
Source: http://www.retrospect.com
Retrospect backup and recovery software is mainly used at medical offices, law firms, banks,
auto repair shops, restaurants, departments in large corporations, universities, government
offices and many others.
SuperDuper
Source: http://www.shirt-pocket.com
SuperDuper has a user friendly interface to create a fully bootable backup.
Data Backup3
Source: https://www.prosofteng.com
Data Backup3 is a backup software solution that backs up, restores, and synchronizes important
files with minimal effort.
Tri-BACKUP
Source: http://www.tri-edre.com
Tri-BACKUP protects the data from a single copy on an external drive to a set of actions that
back up on different types of media. Each is then kept in different locations for maximum
security (including backups on the Internet).
Chronosync
Source: http://www.econtechnologies.com
ChronoSync can synchronize backups and create a bootable backup for almost anything a Mac
can be connected to: external drives, NAS drives, other Macs, PCs or anything else that can be
mounted as a volume.
SilverKeeper
Source: http://www.lacie.com
SilverKeeper provides the use of a USB drive or FireWire to create a complete backup. This tool
provides the function for verifying the backup is complete by comparing the source and
destination. It keeps a status log recording the details of the backup.
Carbon Copy Cloner
Source: https://bombich.com
Carbon Copy Cloner is a cloning and backup utility. With this software, the data and the
operating system's data is preserved on a bootable volume.
Copycat X
Source: https://secure.subrosasoft.com
SubRosaSoft CopyCatX™ is an easy-to-use and fast utility for duplicating volumes, cloning drives
or recovering intermittent/mechanically unsound drives.
Advantages:
• Ensuring data recovery is efficient and the data backup plan is effective
• If the system is not functioning according to the data backup plan, changes can be implemented
in the recovery process
While 80% of organizations create a disaster recovery plan, only 40% create any plans for
testing it.
The organization needs to perform these data drills often to check if the recovery process is
effective according to the backup plans created. These drills further help locate the areas of
improvement in the recovery plans. The challenges in performing these drills are:
• Whether issues found in one test are addressed and resolved by the team.
• Whether there are any changes in the recovery plans.
• Was the drill test perfect?
• Whether the right person is addressing the issues the drill test identified.
The purposes for conducting a recovery drill test are:
• Check if the recovery plans meet the company's requirements.
• Provide a level of expertise to the team who is conducting the tests for the recovery plans.
• Detect what areas of the recovery plan require improvement.
An organization performs a drill test to validate it has a foolproof and updated DR plan. It is
advised to perform a recovery drill test at least once or twice a year, depending on the size of
the organization.
2. Broadcasting to users: Before performing a recovery drill test it is important to inform all
employees, stakeholders and vendors of the organization. Organizations should brief
employees on the necessary actions to take when there is a data breach or disaster. This
is also covered in the incident response plan.
3. Testing applications: Apart from system testing, application and user account testing
should also be performed. Any user account without a password should be immediately
corrected.
4. Pen Tester: If a user can access the files and folders in the system without administrator
privileges, it means that any user can. Organizations should have a pen tester check for
any vulnerabilities in the network. If a vulnerability is detected it must be documented
and a solution provided.
Performing a drill test:
Before beginning the recovery drill test, organizations should set certain goals:
1. An internal DR team or a third party can conduct the drill test.
2. Maintain a record of the analysis.
• Data recovery is a process for the recovery of data that may have been
accidentally/intentionally deleted or corrupted
• Deleted items include files, folders and partitions from electronic storage media (hard
drives, removable media, optical devices, etc.)
• A majority of data that is lost is recoverable. There are situations where the damage to
the data is permanent and irreversible and cannot be recovered
• When attempting to recover data from a target, use several different data recovery tools
Data loss is a primary concern for any organization. Data recovery refers to the restoration of
data from devices or from a backup. The process of data recovery varies depending on how the
data was lost, the data recovery software and the device where the data will be restored.
Information stored on storage devices such as a flash drive, a hard disk, DVD, etc. can be
recovered. Users should not write or save over any data stored on the affected media.
Improperly trained users should not perform data recovery. The disaster recovery plan should
mention the individual/team responsible for recovery of data in the organization. Data recovery
software can assist with retrieving the data usually with great results.
The correct knowledge and the proper use of tools help in the recovery process.
Data recovery will not always be successful. If a system is too corrupt and/or damaged,
recovery may not be possible and fail. The probability of recovering the data depends on the
cause of the loss. The common causes for data loss are:
1. File Deletion: If a file is deleted, it will remain in the storage space until it has been
overwritten. This can happen if the OS reuses the disk space. Even if the change is minor it
can make the chances of data recovery negligible. Windows operating systems have a file
deletion algorithm on NTFS formatted disks and the data can be recovered using this
algorithm.
2. File Corruption: If an operating system is corrupted, the data can be recovered using the
partition table. If the partition table is corrupt, it can be repaired using data recovery
software.
3. Physical Drive Damage: Physical damage to a hard drive or an external drive can cause a
larger amount of data loss compared to a file corruption. Recovering data from a
damaged device requires a specific level of expertise. When recovering from corrupt
physical devices, the environment where the recovery process takes place must be free of
pollutants. This process often occurs in a clean room. Dust particles can make the
recovery difficult if not impossible. Having a certified clean room to recover the data is
recommended. When recovering data from damaged drives, the drive is either rebuilt or a
disk image is created. This process can be very expensive, depending on how extensive
the damage.
Points to remember:
1. Be cautious when plugging in an external device to the system. The device may be
corrupt, which will result in corruption of the files or the system.
2. Never overwrite the data on the same storage location where the data was lost.
Recover My Files data recovery software recovers deleted files emptied from the
Windows Recycle Bin. These files could be lost because of a hard drive format or
install. This software also recovers files removed by a virus, Trojan infection or an
unexpected system shutdown or failure.
[Screenshot of the Recover My Files interface not reproduced]
Recover My Files recovery software recovers data lost from the Windows recycle bin, hard
drives, files and data lost due to a virus or malware. The recovery of the data depends on the
file content. The Recover My Files recovery tool uses two mechanisms:
• Lost file: This mechanism searches for deleted files. Unfamiliar file types cannot be added.
The file name searched is found in the 'deleted files' and not in the 'lost file', as deleted
files are stored on the disk and not destroyed.
• Lost drive recovery: This mechanism helps recover files that were stored on old drives.
Source: http://www.recovermyfiles.com
EaseUS data recovery wizard is a tool that recovers lost data or files from iOS, Android,
removable media and hard drives in the event of an unexpected error.
EaseUS features:
Source: http://www.easeus.com
PC Inspector File Recovery deals with the recovery of data supporting FAT 12/16/32 and NTFS
file systems. PC Inspector automatically locates deleted files or damaged recovered files along
with the date and time. It recovers files even in the absence of a header entry.
The software supports files with .JPG, .TIF, .BMP, .GIF formats and many types of memory
cards such as CompactFlash, SmartMedia, etc.
Source: http://www.pcinspector.de
Source: http://www.systweak.com
Advanced Disk Recovery is used to recover accidentally deleted data. It is possible to restore
every type of file and folder stored on a Windows PC and from multiple storage devices.
Handy Recovery
Source: http://www.handyrecovery.com
Handy Recovery™ is used to restore files accidentally deleted from hard drives, all types of
USB/eSATA devices and memory cards.
• Files deleted by a program that does not use the Recycle Bin, or files in a Recycle Bin that was
emptied.
R-Studio
Source: http://www.paretologic.com
Data Recovery Pro scans for deleted email messages and recovers emails. It can even recover
deleted email attachments and partial files due to bad sectors. It has the ability to retrieve
missing files from many peripheral storage devices, including iPod Shuffle, iPod Nano, and iPod
Classic.
Recuva
Source: https://www.piriform.com
Recuva recovers pictures, music, documents, videos, emails or any other file type lost
accidentally from a Windows system, recycle bin or a memory card.
Total Recall
Source: http://www.totalrecall.com
Total Recall Data Recovery Software recovers lost data from hard drives, RAID arrays, photos,
deleted files and iPods; even removable disks connected via FireWire or USB are supported by Total
Recall.
Source: http://www.stellarinfo.com
Stellar Phoenix Windows recovery software recovers photos, images, songs, movies, and other
multimedia files deleted or lost due to corruption or formatting of hard drives, memory cards,
or external storage.
Pandora Recovery
Source: http://www.pandorarecovery.com
Pandora Recovery allows finding and recovering deleted files from NTFS and FAT-formatted
volumes, regardless of their type. Pandora Recovery scans the hard drive and builds an index of
existing and deleted files and directories (folders) on any logical drive on the system with
supported file format.
GetDataBack
Source: http://www.runtime.org
GetDataBack software allows easy and fast recovery of data with NTFS, FAT and EXT formats.
DiskWarrior
Source: http://alsoft.com
DiskWarrior will recover documents, photos, music and any other files from a Mac system.
AppleXsoft File Recovery for Mac
Source: http://www.applexsoft.com
AppleXsoft File Recovery scans and recovers damaged or deleted files from any type of storage
drive, including all hard disks, external hard drives and SSDs. It supports various digital
removable media such as SD cards, CF cards, CD/DVD, USB drives, etc.
Source: http://www.diskdoctors.net
Disk Doctors Mac Data Recovery software recovers lost and deleted data from HFS+ and HFSX
file systems on Mac OS. Disk Doctors Mac Data Recovery software helps recover lost data with
simplicity matching the Mac OS.
Source: http://www.r-tt.com
R-Studio for Mac recovers files from HFS/HFS+ (Macintosh), FAT/NTFS/ReFS (Windows),
UFS1/UFS2 (FreeBSD/OpenBSD/NetBSD/Solaris) and Ext2/Ext3/Ext4 FS (Linux) partitions. In
addition, raw file recovery (scan for known file types) can be used for heavily damaged or
unknown file systems. R-Studio for Mac also recovers data on disks, even if their partitions are
formatted, damaged or deleted.
Disk Drill
Source: http://www.cleverfiles.com
Disk Drill can scan and recover data from virtually any storage device - including internal Mac
hard drives, external hard drives, cameras, iPods, USB flash drives, Kindles and memory cards.
Data Rescue
Source: http://www.prosofteng.com
Data Rescue is hard drive recovery software that can recover your photos, videos and
documents from:
Source: http://www.stellarinfo.com
Use Mac data recovery software to restore documents, photos, music or videos lost due to
deletion from any HFS, HFS+, FAT, ExFAT and NTFS format based file systems.
File Salvage
Source: http://subrosasoft.com
FileSalvage can recover files from a normal Mac OS hard drive, USB key, PC disk, Linux disk,
FAT32 disk, FLASH card, scratched CD, Digital Camera, iPod and almost any other media or file
system that can be recognized in a Mac OS.
TechTool Pro
Source: http://www.micromat.com
Source: http://www.seagate.com
Seagate Recovery Services can successfully recover data from the very earliest to most recent
NAS, SAN, and Server RAID configurations on the market.
Disk Internals
Source: http://www.diskinternals.com
Disk Internals recovers all types of RAID arrays. It supports all configurations of RAID arrays,
including RAID 0, 1, 5, 0+1, and JBOD (span), and supports dedicated RAID controllers and
native RAID chipsets embedded into motherboards produced by Intel, NVIDIA, and VIA.
Stellar Phoenix RAID Recovery
Source: http://www.stellarinfo.com
Stellar Phoenix RAID Data Recovery Software recovers lost or inaccessible data from RAID 0, 5
or 6 hard drives. The tool has a full range of advanced features for recovering files, photos,
videos, documents and emails from Windows hard drives, external media and RAID servers.
Source: http://www.powerdatarecovery.com
Power Data Recovery is able to recover lost RAID data.
Source: http://www.freeraidrecovery.com
ReclaiMe Free RAID Recovery is designed for recovering RAID configuration parameters like:
• Disk order
• Block size
Kroll Ontrack
Source: https://www.krollontrack.com
Salvage Data Recovery centers specialize in recovering all types of files and RAID servers.
Source: https://gillware.com
RAID data recovery is done by recovering data from individual failed disks and then
reassembling it based on the type of RAID system.
DataTech Labs
Source: https://datatechlab.com
DataTech Labs is a nationwide leader in professional data recovery services. This service deals
with deleted files, crashed hard drives or a failed RAID.
DTI Data
Source: http://dtidatarecovery.com
DTI Data Recovery can restore or recover RAID 5, SAN, NAS, Snap Server and many others.
Source: http://www.krollontrack.co.uk
The Kroll Ontrack can be used to restore the original data on a SAN's shared pool storage
architecture.
DriveSavers SAN Data Recovery
Source: http://www.drivesaversdatarecovery.com
DriveSavers can be used to recover data from all operating systems and all types of high-
capacity storage environments including SAN, NAS, RAID, tape and multi-disk servers.
Source: http://www.datarecoverygroup.com
Data Recovery Group is a data recovery service used for recovering data from Desktop Drives,
Laptop Drives, External Drives, Servers, Network Attached Storage Devices (NAS), Storage Area
Network Devices (SAN), Flash Drives and Camera Media.
Source: http://www.geeksnerds.co.uk
Geeksnerds offers data recovery services for SAN devices. It recovers data from almost all
manufacturers of SAN devices.
Source: https://datarecovery.com
Datarecovery.com's SAN services recover or restore your SAN without the expensive downtime.
DTI Data Recovery can restore or recover your RAID 5, SAN, NAS, Snap and many others.
CBL SAN Data Recovery
Source: http://www.cbldatarecovery.com
CBL provides data recovery services for a failed Storage Area Network (SAN), disk drives in
laptops, desktops, servers, RAID arrays and tape cartridges.
Stellar SAN Data Recovery
Source: http://www.stellardatarecovery.co.uk
Data Recovery Services by Stellar facilitates secure data recovery for all hard drives, RAID, SSDs,
SAN/ NAS and for encrypted drives.
UFS Explorer
Source: http://www.ufsexplorer.com
UFS Explorer is used for data recovery from distributed SAN systems.
DataRecoveryGroup
• Virus attack
• System crash
Source: http://www.krollontrack.co.uk
Kroll Ontrack provides data recovery services for failed and damaged DAS, SAN and NAS storage
systems.
Source: https://www.runtime.org
NAS Data Recovery is capable of recovering the entire content of the broken NAS. NAS Data
Recovery works for all XFS or EXT-formatted single-drive, RAID-0, RAID-1, or RAID-5 NAS
stations from manufacturers such as Buffalo, Seagate, Western Digital, D-Link or Iomega.
Source: http://www.diydatarecovery.nl
iRecover is used to recover data from hard disks, memory cards, RAID arrays and Network
Attached Storage (NAS) devices.
UFS Explorer
Source: http://www.ufsexplorer.com
UFS Explorer is capable of restoring lost data from a NAS. UFS Explorer RAID Recovery can be
used to recover and reconstruct the RAID when the NAS disks are organized in a RAID
system.
Source: http://www.reclaime.com
The ReclaiMe software recovers data from a NAS, hard drives, memory cards, USB drives and
RAID arrays.
ZARX
Source: http://www.z-a-recovery.com
ZAR X NAS data recovery provides data recovery for Windows and Linux.
Uneraser
Source: http://www.diskinternals.com
DiskInternals Uneraser recovers lost data, undeletes files and documents and recovers
entire folders. It uses a unique signature scan algorithm to locate and successfully recover
supported documents(*) stored on formatted disks and memory cards.
Source: http://www.seagate.com
Seagate Rescue Data Recovery involves recovery of a RAID controller failure, lost RAID
configuration, accidental reconfiguration and re-initialization of the RAID array, missing RAID
partitions, reformatted RAID partitions, virus damage, natural disaster, human error and drive
failures.
Drive Savers
Source: http://www.drivesaversdatarecovery.com
DriveSavers recovers data from NAS devices that have failed mechanically. It provides
unparalleled data recovery and digital forensic services for all NAS systems.
• Organizations are adopting SAN/NAS devices as one of the options for their data
backup process
In this module, the importance of performing regular backups of an organization's critical data
was covered. The module also talked about how to plan and execute a data backup for the
organization and provided comprehensive guidelines for selecting the appropriate method,
type, media and software according to the backup plan. By completing this module, you
now have the skills to effectively and efficiently design and execute a backup plan for your
organization.
Organizations must deal with various security incidents which may compromise their network,
data or physical security. These security breaches decrease an organization's brand value and
cost the company millions of dollars. These negative repercussions often are responsible for the
loss of prospective customers. A proper incident handling and response management plan will
help an organization handle and recover from security incidents. This saves an organization
from financial loss and reputation damage.
This module focuses on incident response and management. It will teach you the various steps
involved in incident response and the management required to deal with problems. This
module also describes the importance of the first responder in an incident response and
management process.
Incident handling and response is a set of procedures, actions and measures taken against an
unexpected event occurrence. The purpose of incident handling and response is to quickly and
efficiently recover from a security incident. It is required to identify any attacks which have
compromised personal and/or business information.
• Protect personnel: Protect the personal information and data stored in the compromised
system.
• Deal with legal issues: To efficiently handle legal issues to stop future incidents.
• Efficiently use the resources: Ensures organizational resources are used efficiently by
legitimate users.
3. Incident response: A series of steps to contain, investigate, eradicate and recover from
security incidents.
• Equips the organization with safe procedures to be followed when an incident occurs.
• Saves time and effort, which is otherwise wasted when fixing an encountered incident.
• Helps the organization learn from past experiences, and then recover from losses
more quickly.
• The skills and technologies required to tackle an incident are determined in advance.
• Saves the organization from legal consequences arising from a severe incident.
• Helps determine similar patterns in incidents and handle them more efficiently.
Information Security Team: An individual from the information security team who has experience in
discovering and containing incidents
IT Staff: An individual who is aware of the information system and network areas. They
may be system or network administrators
Physical Security Staff: An individual who is responsible for the physical security and identifying the
extent of any damage
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
An IRT is responsible for handling and responding to security incidents. The IRT is broadly
classified into in-house IRT (internal) and external IRT.
Internal IRT
An internal IRT offers its incident response services to its own organization.
National IRT
A national IRT focuses on providing its complete services for its nation. For example: The Japan
Computer Emergency Response Team Coordination Center (JPCERT/ CC).
Coordination centers
Work across various IRTs to coordinate and facilitate incident handling. They do this for any
particular country, state, research network, or entities.
Analysis centers
The main aim of an analysis center is to find out the latest trends and patterns occurring in
incident activities and to create data points across various sources. This information helps
predict future activities and/or provides a warning when present activities match up to the
previously determined characteristics.
Vendor teams
Vendor teams coordinate with the organizations who report and track vulnerabilities. There are
also vendor teams that provide incident handling services internally for their particular
organizations.
• Report security incidents to the Information Security and Policy (ISP), who appoints a
security analyst to handle the incident
when an incident occurs. The management decides the steps to be taken after the
detection of an incident is confirmed.
• Information Security Team: The team consists of the group of individuals who have the
skills to detect and analyze security incidents. They can easily identify the nature,
category, and scope of the incident.
• IT Staff: IT Staff are the individuals who are either a system or a network administrator.
They detect the incident by analyzing network traffic, system logs, service packages and
patches, etc. and report it to management or the IRT. They can execute the first response steps to
avoid further damage.
• Physical Security Staff: The Physical security staff contributes to the handling and
response to physical security incidents. They can also be a first responder to a physical
security incident. The staff actively report the occurrence of the physical security incident
such as fire, theft, damage, and unauthorized access to management.
• Attorney: The attorney is the legal advisor for the organization. An attorney plays a major role in
making sure any evidence collected is admissible in a court of law. They can
also help an organization recover from a financial loss due to an incident.
PR Specialist: An individual responsible for conveying company details after an incident
Financial Auditor: An individual who assesses the financial loss to a company from an incident
IR Officer: An individual responsible for all actions of the IR Team and IR Function. They may be an executive level employee, such as a CISO, or another corporate representative
IR Manager: An individual who receives the initial IR alerts and leads the IR Team in all the IR activities
IR Assessment Team: A group of individuals who make decisions on the classifications and the severity of the incident identified. The team is comprised of representatives from IT, Security, Application, Support and other business areas
IR Custodians: An individual responsible for the remediation and resolution of the incident which occurred. They are made up of technical experts and application support representatives
PR Specialist
This department serves as a primary contact for the media and informs the media about an
event. They update the website information, monitor media coverage, and are responsible for
stakeholder communication including:
• Board
• Foundation personnel
• Donors
• Suppliers/vendors
Financial Auditor
The Financial Auditors are the individuals who assess the financial loss of the organization after
an incident. It is the responsibility of the auditor to include each and every loss which occurred
as a result of the incident. The Auditor is responsible for reporting the financial imbalance in the
organization's account.
IR Officer
The IR officer is an individual who oversees all the incident response activities in an
organization. The IR officer is an executive employee who is responsible for how the IR Team
functions. Every action conducted by the IR Team is reported back to the IR Officer, who further
reports to the management of the organization.
IR Manager
The incident manager must be a technical expert who understands security and incident
management. The Incident Manager focuses on the incident and analyzes how to handle it
from a management and a technical point of view. They are responsible for the actions
performed by the incident analysts and report the information to the incident officer.
IR Assessment Team
They are the individuals who prioritize an incident based on the amount of loss it
caused to the organization. The team comprises individuals from various domains such as IT,
security, application support and other business areas.
IR Custodians
They are either technical experts or application support representatives. The role of IR
custodians comes into the picture during an application incident. To provide a remedy for
the incident, IR custodians create an action framework which is then shared with
management.
A First Responder is an individual who arrives first to the crime scene and brings the incident
to the attention of others
They could be an end user, network administrator, law enforcement officer and/or an
investigation officer.
I Reporting the incident | IV Identifying the crime scene | VII Documenting all the findings
The term first responder refers to the people who arrive first at the crime scene and gain access
to the victim's computer system after the incident report. A first responder may be a user,
network administrator, law enforcement officer, or investigation officer. They are responsible
for protecting, integrating, and preserving any evidence obtained from the crime scene.
The time gap between the occurrence of an incident and transference of evidence is an
important aspect in incident response. It is the responsibility of the first responder to keep up
the reliability and liability of the evidence. The method accepted by any first responder is very
important in preserving the evidence and finding the attackers. The first responder needs to
have a dedicated and well-organized plan when responding to any type of incident. It is the first
responder who collects the initial information, determines the extent and impact of the attack
or incident. This allows other people involved in handling the incident to determine other
courses of action which may be required for investigating the incident.
An experienced first responder can easily apply good forensic techniques when they respond to
an incident in the initial stages. They can predict the extent to which any change in the evidence
may affect the further investigation. This proficiency is an extra add-on in maintaining the
availability, integrity and reliability of the evidence. The first responder needs to always
understand the importance of their role as it highly affects the security and efficiency of the
organization.
The role of any first responder is to prioritize according to the severity of the incident, gather
evidence for the incident which has occurred, and conduct minimal experiments on the suspected
devices. This will ensure enough data is provided for the other investigators to solve the issue.
Also, the first responders should be trained to gather evidence without changing any of the
services running at that moment. Evidently, this is a critical task for the first responders as they
have to gather evidence before it is lost.
Not every piece of evidence gathered will necessarily lead to a complete investigation of the
incident. However, first responders need to have a complete picture of the methods used in
handling the incident in the initial stages, as different incidents require different methods of
approach.
• The workplace or office must be secured and protected to maintain the truthfulness and
quality of the crime scene and the electronic storage media.
• Network administrators spend a lot of time in network environments and are familiar
with the network traffic, performance and utilization, network topology, location of
each system, security policy, etc.
• They play a key role as a first responder when security incidents occur. They can detect
the source of the incident and determine the systems which are affected.
• If they are not aware of the incident response procedures, any response to the incident
will be delayed. This can and most often does increase the potential impact, and
evidence is more often than not corrupted and/or lost
It is the network administrator who has the knowledge of network topology, network traffic,
important assets and information system of the organization. They can easily detect the type of
incident, severity, and location in an organization. They are expected to be completely
equipped with all the tools and knowledge required for dealing with an incident as a first
responder. This is a major reason why network administrators must have good knowledge
regarding incident response and forensic investigation procedures. Ultimately, a first responder
is responsible for gathering all the information and preventing evidence tampering. This is to
ensure any evidence collected can be useful during legal proceedings.
You should review the organizational incident response plan, which contains the
following:
• Names and contact information of the local IRT
An organization should have an incident response plan which includes a set of procedures and
actions required when responding to security incidents. The administrator must review the
incident plan of their organization and suggest or implement changes to the incident response
plan as required.
A typical incident response plan includes:
• Contacts of IRT: Contact information for the IRT. It will help a first responder to
immediately contact the IRT when an incident occurs. Having the IRT immediately on
the location of the incident will help minimize any delay in responding to an incident.
• Escalation Procedures: First responders must know who to contact and report the
incident to. There will be certain escalation procedures for the first responder which will
help them report the incident without any delay.
Administrators collect and document certain information before escalating the incident. It
includes:
• Containment actions: The incident response plan includes containment actions for all
types of security incidents. Different containment actions are required for different types
of incidents. Network administrators should be aware of containment actions for various
types of security incidents. It helps to prevent further damage to an organization.
Network administrators ensure evidence is not tampered with or completely lost during
containment activities.
The biggest challenge facing an organization is the unavailability of a first response after the
incident has occurred. Lack of knowledge or skills required for a first response will only make
things worse for the organization.
If the first responder is not adequately trained or not aware of first response procedures, they will
not be able to:
FUD (fear, uncertainty and doubt) is not a new concept for organizations. Any incident can create an environment of fear and
anxiety among the team. A security incident outbreak is often very stressful, combined with lots
of doubt and uncertainty. Decisions made in fear and anxiety will worsen the situation.
Usually, small-sized companies do not have an incident response team. In such scenarios, the
first responders usually lack the confidence required in dealing with an incident.
Providing a first response in fear or uncertainty can forego certain important and resourceful
information related to the incident. If this happens, it can mislead the investigation team,
causing delays in finding the reason the incident occurred. A decision made while panicking can
affect the evidence quality.
You should be proactive and confident while providing a first response to an incident. If you are
unsure about the decision to make during a first response, you should consult with top
management, the information security team or the in-house IRT.
Denial of Service (DoS): An attack resulting in the unavailability of services for authorized network users
Malicious Code: Malware (e.g. virus, worm, Trojan horse, keyloggers, spywares, rootkits, backdoors, etc.) infecting operating systems and/or applications
Improper Usage: Individuals in the organization using system resources against acceptable usage policies
Scans/Probes/Attempted Access: Activities undertaken by attackers to identify open ports, protocols, services, etc. for later exploit of an information system
Multiple Component: An incident which encompasses two or more incident types mentioned above
The network administrator should conduct an initial assessment upon the occurrence of an
incident which has been identified. An initial assessment helps you determine the following
points:
• Deciding the severity of the incident, which further helps in taking immediate action and
minimizing the risk.
• Noting down all the actions performed during the occurrence of the incident.
An initial assessment provides an outline for the type of attack that occurred. The information
recorded in this stage is useful in containing the damage and avoiding risk. Further handling of
the incident depends on the facts developed in the initial assessment phase.
The least-severe incidents that are supposed to be handled within one day after the incident occurs:
► Loss of personal password
► Unsuccessful scans and probes
► Request to review security logs
► Presence of any computer virus or worms
► Failure to download antivirus signatures
► Suspected sharing of the organization's accounts
► Minor breaches of the organization's acceptable usage policy
Comparatively more serious than low level incidents and thus should be handled the same day the event occurs:
► Suspected computer break-in
► In-active external/internal unauthorized access to systems
► Violation of special access to a computer or computing facility
► Unauthorized storing and processing data
► Localized worm/virus outbreak
► Computer virus or worms of comparatively larger intensity
► Breach of the organization's acceptable usage policy
Should be handled immediately after the incident:
► Denial of Service attacks
► Computer virus or worms of highest intensity; e.g. Trojan, back door, etc.
► Changes to system hardware, firmware, or software without authentication
► Destruction of property exceeding $100,000
► Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale
• Impact of the incident: Determines the extent of the damage or impact of the incident on
the organization.
• Criticality of the service: Determines the level of dependency of other services on the
affected service.
• Confidentiality of the information: The sensitivity of the information stored on the affected
service.
• Probability of spread: The rate at which other systems or services are affected by the
incident.
Organizations categorize the severity of incidents as:
• High-Level Incidents:
o The incident has more chances of affecting a large number of systems or services in an
organization.
• Medium-Level Incidents:
o The incident has a chance of affecting at least half of the systems or services in an
organization.
• Low-level Incidents:
If you suspect a security incident has occurred, you should be able to quickly
identify who must be contacted inside and/or outside of an organization
You should quickly communicate the breach to the in-house IRT Team or
Management
The incident response plan will include procedures and a point of contact for communication of
incidents. It may include:
■ Whether to disconnect the suspected device from the network or let it stay connected with the
network. This must be decided by the forensic examiner or incident response team
■ Both courses of action may have adverse side effects on the forensics investigation
► If you disconnect the device from the network when an attack is in progress, the forensic
investigator may not find evidence that would have been found if the device had stayed connected
► If you allow the device to stay connected to the network, it may cause further harm to your
network, as the attack proceeds and is successful
■ You should coordinate with the forensic investigation team to find any evidence and at
the same time you should ensure it will not cause any further harm
Administrators have to take appropriate care while containing the incident. The process for
containing the incident may take on different approaches for different types of incidents.
Common actions that help administrators avoid further harm to the organization:
• Prioritizing components.
• Distinguishing the instances wherein the incidents need to be handled offline or online.
• Determining all the areas that are more likely to be attacked and implementing methods to prevent
it.
• Building a new system with all services and requirements, with new administrative and
service account passwords.
Secure any and all supporting devices such as mobiles, CDs, DVDs, flash
media, cables, etc., attached or found near the suspected device
The administrators should understand the importance of securing the evidence during their
first response. They should implement and execute certain preventive measures to control
access to a suspected device:
• Secure the device: The administrators should securely maintain the devices that were
compromised or were the source of the incident. These devices can be potential evidence
during an incident investigation.
• Scrutiny of devices: Administrators should keep the devices under observation and should
not tamper with the devices until the forensic team arrives. Tampering with the devices
can lead to loss of evidence thus affecting the incident investigation.
• Secure supporting devices: Apart from the suspected device, administrators should also
gather all the other devices or media that were found near the suspected devices. Leaving
any such evidence behind can change the course of an investigation action plan.
• Control access to the device: No other user or employee should have the access to the
suspected or the evidence device.
The scrutiny of the devices depends on the first responder; any damage or tampering with the
devices can affect the investigation procedure. If the premises can be locked down, the first
responder should lock the premises until the arrival of the forensic team.
► IP address
► System time
► System Name
Administrators should collect and prepare any and all information relevant to the incident
during their first response. Gathering firsthand information during this time is useful in the
forensics investigation. It will be helpful for investigators if the first responder documents the
changes the affected system went through from the time the incident occurred until the arrival
of the forensic team. If the system is still on, administrators should note down all the
information gathered related to the incident. This information can help the forensic team
during their investigation.
• Who, what, when and how the problem was discovered: Noting this information will
help the investigator investigate the initial findings of the incident.
• IP address: An investigator is required to keep records of the IP addresses of all the
affected machines. Such machines should not be connected to the network, to avoid
replication of data.
• System time: Knowing the system time when the incident occurred is vital to an
investigator. Using this information, they can monitor the changes the system is going
through across the entire timeframe.
• Any other relevant information about the crime: An administrator must save any findings
relevant to the incident. If any handwritten notes were found near the suspected device,
the first responder should preserve the note and record the content as a copy, per the
incident response procedures.
• Note down all actions you have taken upon discovering the incident
The logs of the first responder should be descriptive. The responder should record
the actions in series. If the actions are not in chronological order, it confuses the investigator.
Responders should avoid writing any speculations in their record. Only facts should be notated,
as these are the most vital to uncovering the incident.
For example, do not document the action as, "The web browser started receiving various
popups after the attack". An ideal record of the action should be, "Unknown popups were
displayed on a Google Chrome browser for thirty minutes after the incident occurred".
If a network device or an external drive is also affected, the responder should note down the
serial number or part number of the device. The first responder should also record the
statements of the users whose system were affected by the incident.
A result of not doing this properly could very well put you in the direct line
of fire regarding legal punishment
First responders should not involve themselves in the investigation of the incident. If the first
responder is not well-versed in the forensics investigation process or not trained on forensics
investigation techniques, any attempt towards performing forensics can and most often leads
to damage of any potential evidence. Even though the first responder might be aware of the
reason for the incident, they should not proceed on their own. First responders should wait till
the time they are authorized by the forensic team or management.
Even if the first responder carries out the forensics investigation and collects the
evidence, the integrity of the evidence will no longer be valid in court. This is because a first
responder is not an expert in performing a forensics investigation. There is a chance the
integrity of the evidence will be lost or tampered with. The evidence collected will no longer be
accepted in court, as it is not collected by an expert forensics investigator who normally ensures
the evidence is collected in a forensically sound manner. Moreover, if first responders do so,
the organization will be authorized to take legal action against the first responder.
For example,
Tampering with the state of the suspected device is not advisable to the first responder.
Altering the state of a system leads to massive changes in the evidence collected. Actions like
system restart and system shutdown force the system to make internal changes thereby
making it difficult for the investigators to properly investigate the incident. Any changes made
to the state of the suspected device create adverse effects on the quality of evidence or can
completely destroy the evidence. Make sure as a first responder you always leave the system in
the same state as when the incident occurred.
For example, if the suspected device is ON, the first responder should not turn it off, till the
time advised by the forensic investigator. If the suspected device is in a shut-down state, the
first responder should not turn it on.
Anti-virus software installed on a suspected system may create problems when collecting
evidence during a forensics investigation. Antivirus software running on the system may delete
or change the state of the evidence as it accesses each file and alters its timestamp. At times, it
can even remove the files which are potential evidence. Hence, security experts suggest that a
first responder should disable the virus protection systems as soon as they confront an incident.
[Figure: Incident handling and response process flowchart. Phases: Preparation for ..., Notification, Containment, Eradication and Recovery, Forensic Investigation, Post-incident Activities. Flow: Administrator Suspects an Incident; IT Dep. Send ...; Resolved? (No: continue handling; Yes: Close Incident Report)]
Incident Handling and Response Process differs from organization to organization according to
their business and operating environment. A framework is defined that can be utilized to create
a sound incident handling response for your organization.
Every incident handling and response process clearly defines some of these rules. Some of them
are:
• Restore the normal state of the system in the shortest possible time
• Minimize the impact of the incident on other systems
• Assess the impact and damage of the incident and try to recover the corrupted or deleted
data
Determining the Need for Incident Handling & Response (IH&R) Processes
Organizations determine the need of an incident handling and response (IH&R) process based
on the current security scenario, risk perception, business advantages of having such processes,
legal compliance requirements, other organizational policies, previous incidents, etc.
Cyber-attacks have increased in number as well as in diversity, and have become more
damaging and disruptive. Since these types of attacks can be harmful and can gather all the
personal and business sensitive data, it has become necessary to effectively and timely respond
to these incidents.
The incident handling and response (IH&R) process will allow the organization to design
preventive activities based on the results of risk assessments, but cannot prevent the
occurrence of all incidents. IH&R processes are necessary for detecting the incidents, reducing
any loss and destruction, mitigating the exploited weaknesses, and restoring IT services.
Inputs, complaints and queries from all the stakeholders involved in the organization's business
processes affect the decision to establish an IH&R process. The organization's IRT development
project team, executive manager, head of the information security department or any other
person exclusively designated by the management can initiate the IH&R process.
The main purpose of incident response management and process is to:
• Protect systems:
It is difficult to place high levels of security and special access controls on various
computing resources due to high costs and other constraints. The best strategy for
computer systems and network protection is to quickly detect and recover from the
security incident. An efficient incident response procedure ensures that critical business
operations run as they would normally before, during and after an incident.
• Protect personnel:
A swift incident response helps in ensuring that no physical damage occurs to human
resources due to any workplace incident.
It is necessary to adhere to the legal principles and practices while responding to incidents.
According to the US Department of Justice, it is illegal to use certain monitoring techniques for
identifying the incident. The procedures to respond to an incident should guarantee
non-violation of legal statutes.
Communicate the vision to all stakeholders and make sure it is published in an easily accessible
repository after appropriate approvals.
Per the results of a risk assessment, the organization minimizes the occurrence of certain incidents through
the selection and implementation of specific controls
There may still be a residual risk after implementing the controls, which is why organizations must be
notified when incidents occur, because detecting security breaches will still be required
[Figure: Preparation for IH&R flowchart. Boxes: Define IH&R Vision; Evaluate the Current Security Posture; Additional Controls Required? (Yes / No); Determine the Need for Changes in IH&R Processes; Evaluate Current IH&R Processes; Determine Changes in IH&R Processes and Procedures; Develop IH&R Plan, Core Policies; Obtain Management Approvals and Funding]
• Contact information
• Keeping information from other neighboring organizations
• Assigning people to participate in the incident response effort
o Patch management
o Ensuring proper backups
o Ensuring the integrity of file systems
o Identifying abnormal behavior in the system
[Figure: Incident detection decision flowchart. Decision points: Incident Requires a Response? (No: Close Incident Report; Yes: continue); Incident Was Closed Previously? (Yes: Reopen; No: continue); Response is Required? (No: Close Incident Report; Yes: continue)]
Sometimes it is useful to use certain detection software to detect security incidents. It may
include IDS, antivirus, integrity checking software, etc. However, there are certain incidents that
are clearly noticeable, so specific software is not required to detect them.
Some of the ways for identifying the incident are as follows:
• Detection of anomaly in data packets sent across the network through the alarm
generated by the IDS and firewall
• Unusual system crashes can indicate attacks. Attackers or intruders can damage the
system that contains data important to the network.
• Staff identifies content on a colleague's computer that violates the organization's security
policy.
• History of activities during non-working hours shows that unauthorized access to systems
has occurred
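An added example, not part of the courseware, of the last indicator above: a check that flags successful logins outside working hours in sshd-style log lines. The log lines are constructed, and the 08:00-18:00 Monday-to-Friday window, the allow-list of service accounts and the log format are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the courseware); sshd-style format is assumed.
# 2024-03-11 is a Monday, 2024-03-16 a Saturday.
SAMPLE_LOG = """\
2024-03-11T09:14:02 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51512
2024-03-11T23:47:10 host1 sshd[2188]: Accepted password for svc_backup from 10.0.0.9 port 40211
2024-03-12T02:03:55 host2 sshd[3310]: Accepted publickey for bob from 203.0.113.7 port 60001
2024-03-12T14:20:31 host2 sshd[3399]: Failed password for root from 198.51.100.4 port 4022
2024-03-16T11:05:00 host1 sshd[4001]: Accepted password for carol from 10.0.0.12 port 50010
"""

# Only successful logins are parsed; failed attempts belong to a different indicator.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

WORK_START, WORK_END = 8, 18          # assumed business hours: 08:00 to 17:59
ALLOWED_OFF_HOURS = {"svc_backup"}    # assumed: accounts expected to log in at night


def parse_line(line):
    """Return the fields of a successful-login line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["when"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_off_hours(when):
    """True on weekends or outside the assumed business-hours window."""
    return when.weekday() >= 5 or not (WORK_START <= when.hour < WORK_END)


def find_off_hours_logins(log_text, allowed=ALLOWED_OFF_HOURS):
    """Successful logins outside working hours by accounts not expected to be active then.

    Each finding keeps the facts an investigator needs (time, host, user, source address)
    and nothing speculative, in the order the log recorded them."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_off_hours(rec["when"]) and rec["user"] not in allowed:
            findings.append({k: rec[k] for k in ("ts", "host", "user", "src")})
    return findings


if __name__ == "__main__":
    for f in find_off_hours_logins(SAMPLE_LOG):
        print(f"off-hours login: {f['ts']} {f['user']}@{f['host']} from {f['src']}")
```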
Incident analysis is performed after detection of an incident. Incident analysis may vary
depending on the incident discovered.
[Figure: Incident analysis and classification flowchart. Boxes: Evaluate Incident Details and Correlate with Indicators; Classify Incidents Based on Incident Record; Incident Falls Outside Purview? (Yes: Other Organizational Departments; No: continue)]
• The IRT manager should classify and prioritize the incidents based on the level (high, medium, or low level)
• The incident with high priority should be attended first
The IRT evaluates the incident details and correlates these with any indicators
The IRT classifies the incidents based on their severity and potential targets
Classify the incident based on such factors as the nature of the incident, critical systems impacted, number of systems impacted, and legal and regulatory requirements
If the incident is outside their purview, the IRT will contact any and all departments
The IRT prioritizes the incident based on the current and potential technical effects of the incident on the systems affected
The IRT evaluates the incident details obtained in the incident detection and analysis phase and
correlates them with indicators. An IRT classifies and prioritizes a security incident based on the
following factors:
• Nature of the incident
• Incident severity and potential targets
• The criticality of the systems being impacted
• Current and potential technical effect of the incident and the criticality of the affected
resources
• Number of systems impacted by the incident
• Incident falls outside the IRT's purview
• Legal and regulatory requirements
Upon detection of an incident, the IRT should categorize it appropriately based on its type,
severity, and impact. Incident classification helps the IRT in taking appropriate necessary
responses. Incident classification is done based on an incident categorization and incident
severity rating.
Incident categorization
Incident categorization helps the IRT team keep incidents under a certain single category which
provides better coordination and consistent incident handling and responses.
Incident severity rating
A Severity rating adds a sense of urgency to the detected incidents.
Incident classification helps the IRT quickly respond to incidents by avoiding any Operational
mix-up.
According to the NIST, incidents can be categorized into seven categories. The NIST taxonomy
for incident categorization is shown below:
Federal Agency Incident Categories
Incident Prioritization
■ Prioritizing the handling of the incident is critical for the process
■ Incidents should not be handled on a first-come, first-served basis
■ Prioritize the incidents based on two factors
• Current and potential technical effect of the incident
• Criticality of the affected resources
After classifying the incidents, the IRT should prioritize the incidents. The high impact incidents
which could severely sabotage an organization's network should be attended first and their
effects mitigated in the early stages.
The IRT should construct an impact urgency matrix based on three levels, high, medium, and
low, as follows:

Impact ->        High      Medium      Low
Urgency
High
Medium
Low

TABLE 14.2: Impact urgency matrix
Colour key used in the matrix:
1. Red
2. Light yellow
3. Dark yellow
4. Light green
5. Dark green
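As an added Python example (not from the courseware), the prioritization described above: a work queue ordered by the impact/urgency matrix, where arrival time only breaks ties, so an older low/low ticket waits behind a newer high/high one. The text gives only the matrix axes and the five-colour legend, so the cell-to-colour assignment in PRIORITY_MATRIX and the ticket data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Severity levels in the order Table 14.2 uses.
LEVELS = ("high", "medium", "low")

# Assumed cell assignment for the impact/urgency matrix (the text does not
# state which cell gets which colour). Rank 1 is handled first; the colour
# names follow the page's legend numbering.
PRIORITY_MATRIX = {
    ("high", "high"): (1, "red"),
    ("high", "medium"): (2, "light yellow"),
    ("medium", "high"): (2, "light yellow"),
    ("high", "low"): (3, "dark yellow"),
    ("medium", "medium"): (3, "dark yellow"),
    ("low", "high"): (3, "dark yellow"),
    ("medium", "low"): (4, "light green"),
    ("low", "medium"): (4, "light green"),
    ("low", "low"): (5, "dark green"),
}


@dataclass
class Incident:
    ticket: str
    impact: str            # current and potential technical effect of the incident
    urgency: str           # criticality of the affected resources
    reported_at: datetime  # when the ticket arrived (used only to break ties)
    in_purview: bool = True  # False when the incident falls outside the IRT's remit


def priority(impact: str, urgency: str) -> tuple:
    """Map an (impact, urgency) pair to (rank, colour); unknown levels are rejected."""
    key = (impact.lower(), urgency.lower())
    if key[0] not in LEVELS or key[1] not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}, got {key}")
    return PRIORITY_MATRIX[key]


def work_queue(incidents: list) -> list:
    """Order in-purview incidents by matrix rank, then by arrival time (not FIFO)."""
    in_scope = [i for i in incidents if i.in_purview]
    return sorted(in_scope, key=lambda i: (priority(i.impact, i.urgency)[0], i.reported_at))


def out_of_purview(incidents: list) -> list:
    """Incidents the IRT must route elsewhere rather than queue."""
    return [i for i in incidents if not i.in_purview]


def demo_queue() -> list:
    """Constructed tickets: returns ticket ids in the order the IRT should handle them."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    constructed = [
        Incident("INC-1", "low", "low", t0),                      # oldest, lowest rank
        Incident("INC-2", "high", "high", t0.replace(hour=10)),   # rank 1
        Incident("INC-3", "medium", "high", t0.replace(hour=11)), # rank 2, later
        Incident("INC-4", "high", "medium", t0.replace(hour=8)),  # rank 2, earlier
        Incident("INC-5", "high", "high", t0.replace(hour=12), in_purview=False),
    ]
    return [i.ticket for i in work_queue(constructed)]


if __name__ == "__main__":
    print(demo_queue())
```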
Communication plays a major role in a swift response to an incident. It helps in reducing the
impact of an incident by facilitating better coordination between different stakeholders
affected by the incident.
[Figure: notification flowchart. Approval for Notification? NO / YES -> Notify the Required ...]
The IRT notifies management regarding the incident and its effects
The IRT requests the approval from management to disclose the incident information
to stakeholders and any others affected based on the severity of the incident
If the IRT receives an approval, the details of the incident are disclosed
If management does not approve the disclosure, then the IRT team plans to proceed
with the incident handling process
The IRT checks whether external support is required to handle the case
If external support is required, the IRT team will contact external agencies for their input
The IRT along with any external agencies, the IT department and management must plan
the incident handling and response procedure
An organization which is suffering from a security incident needs to notify the appropriate
internal and external IRT to minimize any repercussions of the security event.
The IRT's role in the notification and planning includes the following:
• Notifying management: It is the responsibility of the IRT to notify management about the
incident which occurred. Management should also be informed about the effects the
incident caused.
• Broadcasting the incident: Before broadcasting any information about the incident, the
IRT should have documented approval from management. The incident information
should not be hidden from the stakeholders and other people. People that are likely to be
affected by the incident need to be informed about it.
• Disclosing the details of the incident: Apart from broadcasting the incident, the IRT
should also seek approval for disclosing its details. Disclosing the details of an incident is
important, as certain stakeholders of the organization are required to be kept in the loop.
• Approval denied: If management does not give approval for disclosing the incident
details, the IRT should proceed with the incident handling procedure.
• External support: Before proceeding with the in-depth investigation of the incident, the
IRT checks whether external support is required to handle the case.
• External support required: If external support is required, the IRT contacts external
agencies for input.
• IRT and external support: Once the external support joins the investigation of the
incident, the IRT and the management team proceed with the incident handling and
response plan.
The IRT, technical, management, and legal teams prepare a containment strategy to control
the effects of the incident and request input from the external support agencies (if required)
Once the containment strategy is prepared, the IRT checks whether the incident is actually
contained
The IRT checks the type of response required to contain the incident. The containment task
is then assigned to the appropriate team
If the incident is not contained, the IRT will review and update the containment strategy and
follow the same processes again
If the incident is contained, the IRT will escalate the containment task and move to the next
level of the incident handling and response process
[Figure: containment flowchart. Decide a Containment Strategy (with External Support Inputs) ->
Technical Response Required? YES: Task is Assigned to Technical Team -> Management Response
Required? YES: Task is Assigned to Management Team -> Legal Response Required? YES: Task is
Assigned to Legal Team; NO: Provide Initial Response and Close the Case. Assigned tasks lead to
Incident Contained? YES: Escalate the Containment Task; NO: Return to Containment Strategy.]
The IRT plays a significant role in reducing an incident's magnitude or complexity and in
preventing further damage to the organization. Containment focuses on limiting the scope and
extent of an incident. The aim of the containment stage is to reduce any losses and/or damages
from attacks by eliminating the threat sources. If systems, networks, or workstations are
compromised by a security incident, the IRT has to determine whether to shut down the
system, disconnect it from the network, or continue operations in order to monitor the system's
activities. The response to each of these situations depends on the type and magnitude of the
incident.
• Disable system services temporarily in order to reduce the impact of the incident while
continuing system operations.
• Change passwords on all systems which interact with the affected system, so that the
compromise does not spread.
• Back up data on the affected systems to reduce the damage during an incident
response. Use the system backup for further investigation of the incident.
• System restoration:
• Replace the recovered computers with a trusted and clean backup copy.
• Identify the incident sources, such as vulnerabilities, threats, and access paths, and
patch everything before restoring the system.
• When detecting network-based attacks, be careful not to tip off the intruder, who might
otherwise do more harm to other systems in the network and/or erase everything they
can to remove the chance of being traced. Maintain standard procedures, including
continuing to use the intrusion detection systems and the latest antivirus and anti-spam
software.
The main purpose of the containment strategy is to control the effects of the attack and restore
the information system to its normal state. This is vital so that the business continuity of an
organization is maintained. A few key considerations for an IRT in this crucial stage are:
• Compromised code: Compromised code can lead to a data breach, increasing the
chances of an intrusion. It is important for the IRT to be cautious while working with the
compromised code. A minor mistake can lead to replication of the code and can
further affect the network and functioning of the organization.
• Safe storage: Data should be stored in a safe location so that any intrusion or external
threat does not affect or alter it.
• Acquiring logs: The IRT must actively acquire and retrieve all the system and router
logs from before, during, and after the time of the incident. This will help the team analyze
the changes the network or system went through that caused the incident to occur.
• Identifying risk factors: It is important to identify the various risks if operations are
continued.
• Informing administrators and system owners: The IRT should communicate with the
administrators and system owners about the latest security threats that can affect the
system. This helps to implement preventive measures, avoiding the occurrence of a major
incident.
• Strong password policy: After the incident handling is complete, users must change their
passwords. Administrators must implement a strong password policy across the
organization.
Organizations face a lot of problems when incident containment guidelines are not in place. For
example, an organization which is not well prepared, gets infected, and is then attacked by
malware cannot handle the situation as effectively as an organization that follows incident
containment guidelines. Sometimes this lack of preparedness allows malware to spread like
wildfire. In these cases, people act haphazardly to find solutions for such incidents, and nobody
has any idea how to deal with it. This delay in finding a solution can bring an organization's
network, information systems, business, and reputation to the ground. Without proper
guidelines in place, network administrators implement stopgap actions, trying everything they
can to find the appropriate solution. This can cost the organization huge amounts of money and
time. This situation can be avoided if an organization follows certain guidelines:
• Dedicated team: A team must be dedicated to handling any type of security issue. This
team acts as the first responder during an incident. Technical experts are required for
this team.
• Securing the affected area: The affected area must be secured so that no further changes
are made to it. Review the information gathered at the beginning of the identification
phase.
• Installation of honeypots: Honeypots are invisible traps that play a vital role in enhancing
security. Implementing honeypots in the network helps system administrators track
the attacker instantly, with no data loss.
• Avoid conventional methods: Refrain from using conventional tracking methods when
trying to identify the attacker; they will not help the investigation. It is important that the
team is updated on the new methods available. Attackers know the conventional tracking
methods and what to look for. The last thing you want is for them to know you are looking
for them.
• Follow standard procedures: Documented procedures are required, and management, the
IRT, and administrators must follow them.
Investigation is the process of gathering evidence related to an incident from systems and networks
Urgency in making a decision helps the investigators determine the seriousness of the security
issue and contain it
The purpose of the investigation process is to identify the incident, the attacker, the time of the
attack, and the mitigation steps to prevent a future occurrence
The forensic investigation and the containment process run at the same time
An experienced incident handler and/or computer forensic investigator supervises the collection
of all the evidence
Data collection involves two unique forensic challenges: gathering data that exceeds computer
storage capacity, and collecting data in a way that ensures its integrity
Forensic Investigation (Cont'd)
Host-based evidence: Host-based evidence consists of logs, records, documents, and any
other information available on the system
Other evidence: Other evidence consists of information and evidence gathered from people
The incident handler creates a chain of custody document, which includes detailed
information about the evidence. This document includes items such as the model number, serial
number, IP address, time of collection, etc. It also includes information about the people involved
in the collection and handling of the evidence, such as their name, designation, department,
contact numbers, etc.
Incident handling helps organizations contain security events, but a computer forensic
investigation lets investigators find the root cause of the security issue. Forensic investigation is
the process of gathering evidence related to an incident from the systems and networks. The
main goal of any computer security forensic investigation is to identify the incident, the
time of the incident, the perpetrator of the incident, and the steps to mitigate future occurrences.
Forensic investigation is carried out in parallel with the containment process.
• It helps in generating a timeline for the incident, which correlates different incidents.
• It helps balance operations and the security required according to the organization's
budgetary constraints.
• Forensic analysis of the affected system helps determine the nature and impact of the
incident.
• It helps to mitigate the loss caused by a breach and to begin the recovery process.
• It extracts, processes, and interprets factual evidence proving the attacker's actions in
court.
• It saves the organization money and time by conducting a damage assessment of the
victimized network.
Host-based evidence
Host-based evidence is the evidence gathered from the compromised system. It may include
volatile or non-volatile information such as:
• Logs, records, documents, and any other information stored in a computer system.
Network-based evidence
Network-based evidence is the information gathered from network resources, such as:
• IDS logs: Intrusion Detection System (IDS) logs help in identifying an unusual level of
attacks, concerted attacks, and unusual protocol and port combinations.
• Router logs: Router logs help in identifying the number of systems connected to a
specific router.
• Firewall logs: Firewall logs display the active and inactive sessions of a host machine.
• Monitoring logs: Monitoring logs collect information about the systems in a network. Any
suspected activity of a host machine can be analyzed through monitoring logs.
• Wiretaps: A wiretap gathers metadata of the device on which the monitoring device is
placed.
• Pen-register/trap and trace: Pen-register logs record routing information of the
devices.
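The chain of custody document and the integrity challenge described above, as an added Python example (not from the courseware): every handling event re-hashes the evidence file, so a later modification is detectable and each custodian's details are recorded with the event. The evidence fields, custodian details, IP address and file contents are all constructed for the example.

```python
import hashlib
import json
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large evidence image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


@dataclass
class Custodian:
    # Details the page lists for people involved in collection and handling.
    name: str
    designation: str
    department: str
    contact: str


@dataclass
class CustodyEvent:
    action: str          # e.g. "collected", "transferred", "verified"
    custodian: Custodian
    timestamp: str       # ISO-8601, UTC
    sha256: str          # hash of the evidence at the time of this event


@dataclass
class ChainOfCustody:
    # Details the page lists for the evidence item itself.
    evidence_id: str
    description: str
    model_number: str
    serial_number: str
    ip_address: str
    events: list = field(default_factory=list)

    def record(self, action: str, custodian: Custodian, evidence_path: Path) -> CustodyEvent:
        """Append a handling event, hashing the evidence so later tampering is detectable."""
        event = CustodyEvent(
            action=action,
            custodian=custodian,
            timestamp=datetime.now(timezone.utc).isoformat(),
            sha256=sha256_file(evidence_path),
        )
        self.events.append(event)
        return event

    def verify(self, evidence_path: Path) -> bool:
        """True only if every recorded hash matches the evidence as it is now."""
        if not self.events:
            return False  # nothing was ever recorded, so integrity cannot be vouched for
        current = sha256_file(evidence_path)
        return all(ev.sha256 == current for ev in self.events)

    def to_json(self) -> str:
        """Serialize the whole record for the incident documentation."""
        return json.dumps(asdict(self), indent=2)


def demo() -> dict:
    """Constructed walk-through: collect, transfer, then detect a modified image."""
    collector = Custodian("A. Handler", "Incident Handler", "IRT", "ext. 1234")  # constructed
    analyst = Custodian("B. Analyst", "Forensic Analyst", "IRT", "ext. 5678")    # constructed
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "disk.img"
        image.write_bytes(b"constructed disk image contents")  # stands in for a real acquisition
        chain = ChainOfCustody("EV-0001", "workstation disk image",
                               "MODEL-X", "SN-000", "192.0.2.10")  # constructed values
        chain.record("collected", collector, image)
        chain.record("transferred", analyst, image)
        intact = chain.verify(image)
        image.write_bytes(b"constructed disk image contents, altered")  # simulate tampering
        tampered = chain.verify(image)
        return {"intact": intact, "tampered": tampered,
                "events": len(chain.events), "json": chain.to_json()}


if __name__ == "__main__":
    print(demo()["json"])
```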
Other Evidence
Other evidence may consist of:
Network forensics is a method of sniffing, recording, acquiring, and analyzing network traffic
and event logs in order to investigate a network security incident. Usually, network forensics
involves a proactive investigation, as it deals with network traffic that contains dynamic
information.
Network forensics aims to enhance security and provide evidence for legal issues. Information
is collected from the network traffic (such as by packet sniffing) and from remote network services
(such as FTP servers, websites, etc.) acting as sources of network forensic evidence.
Based on the requirements of the organization, the primary users of forensic tools and
techniques fall under three groups:
• Photographer: Photographs the crime scene and the evidence gathered. They must be
certified for evidence photography. Photographing all the evidence found at the crime
scene records the key evidence in the forensics process.
• Incident Responder: Responsible for the measures taken when an incident occurs. The
incident responder is responsible for securing the incident area and collecting the
evidence that is present at the crime scene.
• Decision Maker: Authority responsible for the policy or procedure followed during the
investigation process. Based on the incident type, a decision maker decides the policies
and procedures and adapts them while handling the incident.
• Incident Analyzer: Analyzes the incidents based on their occurrence. They examine the
incident with regard to its type, how it affects the system, the different threats and
vulnerabilities associated with it, etc.
• Evidence Documenter: Documents all the evidence and the phases present in the
investigation process. The evidence documenter gathers information from all the people
involved in the forensics process and documents it in an orderly fashion, from the incident
occurrence to the end of the investigation. The documents contain the complete
information about the forensics process.
• Evidence Manager: Manages the evidence so it is admissible in a court of law. They have
all the information about the evidence, for example, evidence name, evidence type, time,
and source of evidence, etc. They manage and maintain a record of the evidence so that it is
admissible in a court of law.
• Expert Witness: Offers a formal opinion as testimony in a court of law. Expert witnesses
authenticate the facts and witnesses during a complex case. Expert witnesses are often
called to cross-examine other witnesses and evidence, as a normal witness may be
influenced by various factors.
[Figure: forensic investigation methodology steps, ending with Assess Evidence and Case, Prepare the Final Report, Testify as an Expert Witness]
The forensic investigation methodology includes a series of steps that are followed to carry out
a successful forensic investigation. It guides the investigator in the collection of potential
evidence concerning the security incident and makes sure it is admissible in a court of law. A
typical forensic investigation methodology includes the following steps:
1. Obtain a search warrant: Investigators obtain a search warrant before investigating any
suspects. The warrant proves beneficial for the investigator.
2. Evaluate and secure the scene: Investigators evaluate and secure the scene before
collecting the evidence. Tampering with or damaging the devices can weaken the evidential
proof against the suspect.
3. Collect the evidence: Investigators collect all the evidence discovered at the scene. The
investigators must not neglect any of the supporting items related to the incident which
can act as evidence and be helpful in a court of law.
4. Secure the evidence: The investigator securely stores the evidence collected. Loss of
evidence will weaken the case against the suspect.
5. Acquire the data: It is important to acquire the affected data. This will help the
investigator find the reason for the intrusion.
6. Analyze the data: Analyzing the data also includes monitoring the target's activity before,
during, and after the incident. The analysis phase is the most important phase, as the
investigator gathers more evidence through the monitoring of logs.
7. Assess evidence and case: Once the investigator has done the analysis, it is important to
gather the evidence and assess it.
8. Prepare the final report: The final report will include detailed information about the
actions taken by the investigator and the suspect/attacker.
9. Testify as an expert witness: The investigator will testify as an expert witness confirming
the facts of the case.
[Figure: post-investigation flowchart. Perpetrator Identified? NO -> External Investigation Required?; YES -> Law Enforcement Required? -> Management Receives ... -> Close the Investigation.]
A forensic investigation involves using various processes, tools and techniques to gather
valuable information. The forensics investigation team analyzes the evidence to identify the
real cause and nature of the incident and trace the perpetrators after the collection and
protection of the evidence. The team documents and submits the results of the forensic
analysis to management.
The eradication stage removes or eliminates the root cause of the incident.
Vulnerability analysis is performed in this stage.
[Figure: eradication flowchart. Eliminate Components of the Incident -> Incident is Eliminated? NO: Escalate the Problem; YES: Restart Services and Processes.]
Eradication of and recovery from a security incident generally depend on its extent.
Sometimes it is easy to contain and recover from a malware attack, but in some cases it is quite
difficult and takes more time to recover if the malware has infected more systems in the network. In this
case, the organization needs to further harden, monitor, and validate all computer and
information systems against future threats. The extent of damage to the network may be
unknown in this case. Therefore, there is no alternative to building the whole network
again from scratch. This is something an organization will want to avoid at all costs. Eradication
and recovery are vital to the success of an organization.
Eradication and recovery also depend on how effectively the attack is contained during the
containment phase. This phase is capable of:
Improve defenses
Various kinds of protection tools and techniques such as firewalls, routers, and router filters
should be used to strengthen the security of the organization. It is also important to configure
network security devices and applications to block identified attack paths. Patch all the
identified vulnerabilities to stop further exploitation.
In extreme cases, change network component addresses for devices which face the public. This
will help ensure any established attack paths are removed.
Vulnerability analysis
Vulnerability analysis is necessary as it provides important information about the vulnerable
points and areas present in the system. It reduces the damage caused by the incident and
safeguards the organization, as it carries out its normal operations.
The following countermeasures protect organizations from further security threats. The IRT
should implement these countermeasures in the eradication and recovery phase.
• Organization's priorities: Identifying the organization's top priorities, such as restoring
the system to normal operations, ensuring data integrity, determining the impact of
evidence, gathering evidence, and/or avoiding public disclosure.
• Examining the incident: Examining the nature, severity, and cause of the incident.
• Antivirus software: Use of antivirus software on the system prevents intrusion into the
system, which in turn prevents data loss.
• Installing the latest patches: Installation of the latest patches hardens system security.
However, before installing patches on host machines, administrators should check the
patches on a test machine.
• Security audits: Timely, independent security audits are conducted to detect all suspected
activities.
• Disabling any unnecessary services: Administrators should disable services that users do not
use. Intrusion can occur through unused services on a host machine.
• Eliminating the intruder's access paths: After the removal of the external threats, it is
also necessary to eliminate the intruder's access path by changing the information
system.
• Corrective actions: Corrective actions reduce vulnerabilities in the system, making it
less vulnerable to intrusion.
• Network-based countermeasures: Network-based countermeasures secure the
devices in the network.
The computer systems and networks are monitored and validated.
The recovery stage determines the course of action for an incident.
Actions performed in the recovery stage are:
• Rebuilding the system by installing a new OS
Recovering a system generally depends on the extent of the security breach. In the recovery
step, restoration of the affected systems to normal operation begins. When a computer
security incident occurs, the IRT should decide whether to restore the existing system or
completely rebuild it. Utilize system backups to rebuild the compromised system.
Monitoring and system validation ensure that the recovered systems are sanitized of any
incident causes and are operating in normal conditions. Validation also involves checking
the integrity of the information restored from a backup. Conduct regular vulnerability
assessments and penetration testing to monitor the system's behavior and the possible
vulnerabilities which may exist in the system or network. Monitor the system for potential
back doors, which can result in the loss of data or another incident.
A restoration process is only successful when the backup files are properly stored and
preserved. The amount of data recovered, its safety, and its preservation mainly depend on the
techniques used in the recovery process. During this process the integrity of the data can be
damaged, which can be determined using a backup file integrity check. This check verifies
the success of the operation and the normal condition of the system. Harden network
monitoring using network loggers and system log files, and check for potential back doors and
any missed vulnerabilities.
Some of the actions to perform in the recovery stage are:
• Rebuilding the system by installing a new OS.
Incident damage and recovery costs play an important role in legal actions against the
perpetrator(s).
[Figure: post-incident activities, including Review/Update Incident ... and Communicate with all ...]
It is a good habit to learn from past mistakes. The IRT as well as the organization can learn a lot
from its past security mistakes and vulnerabilities. Incident handling involves more than
effectively handling an incident; it also involves the process of learning and improving.
Organizations that hold a meeting with their staff after an incident to capture the lessons
learned have found it to be beneficial. This learning process also covers the policies which
were responsible for the security failure. An update or review of all the security policies will
help the organization build a robust network that is highly difficult to penetrate.
Post-Incident Activities - Incident Documentation
The incident response team will document all the various processes while handling and responding to an
incident
The documentation must provide a description of the security breach and details of all actions which took
place, such as who handled the incident, when the incident handling took place, and all the reasons why the
incident occurred
Document all the steps and conclusion statements immediately after completing the forensic process
The document must be organized properly, examined, reviewed, and vetted by management and legal
counsel
The best way to prosecute the offender(s) is through proper documentation
The evidence gathered as well as the documents prepared should be safeguarded during the
protect evidence phase.
Document the steps and conclusions during the investigation process as soon as possible. The
document prepared should be:
• Concise and clear:
Prepare the reports so that everyone can understand them. Avoid using shortcuts while
preparing the reports.
• Standard format:
Maintain a standard format that makes report writing scalable, saves time, and supports
accuracy. Organize the response process by generating forms, outlines, and templates and
support the storage of the data related to the incident.
• Error-free:
Accept the help of technical editors to read the forensic reports. Editors provide their
support in developing error-free reports.
The two most important types of evidence that are required for legal prosecution are
incident damage and cost:
• Legal costs
• Installation cost
Incidents cause extensive damage in organizations, resulting in huge losses that range from the
loss of business to the loss of customers' goodwill. Sometimes, reports of incidents result in
losing prospective customers. Most importantly, lost confidential information can cost an
organization millions of dollars, because customers file lawsuits over the organization's
negligent handling of their personal information. An organization can estimate its
internal losses, which gives an idea of the actual asset losses. The estimate of losses is the
sum of all the damage costs as well as the cost to recover from the incident. Incident damage
and recovery costs play an important role in legal actions against perpetrators.
Incident damage includes:
• Costs pertaining to analyzing the incident, recovering, and installing software and
hardware.
• Costs due to damage to the organization's reputation and the loss of customer trust.
• Regularly patched
The awareness campaign is designed for several purposes, such as:
Training and awareness not only enhance employees' security knowledge, but also help
change the lackadaisical attitude towards security in organizations overall. The human factor in
security affects much more than any software or hardware enhancement ever could. Training
provides a great deal of understanding of the policies implemented in the organization, which
also increases the security. A security awareness program is a two-way information flow where
the use of various types of communication media take place such as audio, video, text, and
practical training sessions.
• Training is necessary to create awareness and preparedness among the staff and team
members.
A training and awareness program educates people on how to handle computer-related
incidents. It provides skills required to implement incident handling policies. Give training to all
teams regarding their roles, responsibilities, and specific tasks. There is a need for specific skills
during the recovery process. Training and awareness are necessary for general incident
handling operations, the level of importance, incident handling know-how, etc.
Some of the important points that constitute a training and awareness program's success are:
□ A first responder escalates a security incident to the information security team, or to a
dedicated in-house or external IRT
In this module, you learned how important it is to provide timely responses to incidents. The
timely response prevents major losses to the organization. Network administrators play vital
roles in providing a timely response for incidents as a first responder. The IRT team's
investigation works with the initial information provided by the first responder concerning the
incident. The module also provided an overview of the entire process for incident handling and
response which the IRT follows and implements, for successful handling, eradication,
containment, investigation, and recovery from all types of security incidents.
89. Kaushik Das, IPv6 - The Next Generation Internet, from http://www.ipv6.com/articles/general/ipv6-the-next-generation-
internet.htm.
98. October 2006, IPv6 Extension Headers Review and Considerations, from
http://www.cisco. com/en/US/tech n ol ogi es/tk648/tk872/tech nol ogi es_white_pa per0900a ecd8054d 37d. htm I.
104. April 21, 2009, IPv6 Transition Mechanisms and Strategies http://www.rmv6tf.org/wp-content/uploads/2012/11/Chuck-
Sellers-090421-1Pv6-Transition-Mechanisms-Sellers1.pdf.
105. Making the Transition From IPv4 to IPv6 (Reference), from https://docs.oracle.com/cd/E19683-01/817-0573/transition-
10/index.html.
106. Basic Transition Mechanisms for IPv6 Hosts and Routers, from https://tools.ietf.org/html/rfc4213.
109. Todd Lammie, CISCO Certified Network Associate Study Guide, 5th Edition, from http://www.cs.rpi.edu/ ~kotfid/nel/
CCNA_chapter2.pdf .
111. Vangie Beal, DHCP - Dynamic Host Configuration Protocol, from http://www.webopedia.com/TERM/D/DHCP.html .
117. Dynamic Host Configuration Protocol for IPv6 (DHCPv6), from https://www.rfc-editor.org/rfc/rfc3315.txt.
120. Dynamic Host Configuration Protocol (DHCP) Message Format), from http://www.omnisecu.com/tcpip/dhcp-dynamic-host-
configuration-protocol-message-format.php.
122. MARSHALL BRAIN & STEPHANIE CRAWFORD, How Domain Name Servers Work, from
http://computer.howstuffworks.com/dns. htm.
123. How the Domain Name System (DNS) works, from https://www.bytemark.co.uk/support/document_library/dnsworks/.
141. Swayam Prakasha, Internet Control Message Protocol (ICMP) Explained, from
http://www. Ii nuxuser. co. uk/featu res/intern et-control-message-protocol-i cm p-expla in ed.
146. ICMP Common Message Format and Data Encapsulation, from http://www.tcpipguide.com/ free/
t_lCMPCommonMessageFormatandDataEncapsulation.htm.
149. Jhemphill (February 18, 2008), ARP cache: What is it and how can it help you?, from https://www.petri.com/csc_arp_cache.
154. DRAFT: 1Pv6 Address Allocation and Assignment Policy, from https://www.ripe.net/publications/docs/draft-ipv6-address-
allocation-and-assignment-policy.
158. Internet Resource Management at ICANN and Regional Internet Registries from https://www.ntt-
review.jp/archive/ntttechnical .php?contents=ntr201003gls.html.
159. Nathali Trenaman {24 April 2012), ipv6 addressing plan fundamentals, from http://www.slideshare.net/ripencc/ipv6-
addressing-plan-fundamentals.
160. Draft: PA/Pl Unification 1Pv6 Address Space - New Policy Text, from https://www.ripe.net/pub1ications/docs/ripe-
documents/other-documents/draft-pa-pi-unification-ipv6-address-space-new-policy-text.
179. Carla Schroder (Sep 20, 2006), Understand 1Pv6 Addresses, fromhttp://www.enterprisenetworkingplanet.com/ netsp/
article.php/3633211/Understand-1Pv6-Addresses.htm.
180. 1Pv6 Addressing, from https:// www.cisco.com/ en/ US/ technologies/ tk648/ tk872/
technologies_white_paper0900aecd8026003d.pdf.
189. ISC DHCP Enterprise Grade Solution for Configuration Needs, from https://www.isc.org/downloads/dhcp/.
190. Tom Cross (DEC 11, 2012), 5 Key Computer Network Security Challenges For 2013, from
http://www.forbes. com/sites/ci ocent ra 1/2012/12/11/5-key-co m puter-n etwork-secu rity-ch a11 enges-for-2013 /.
192. CALYPTIX ( JUNE 17, 2015), Top 7 Network Attack Types in 2015,from http://www.calyptix.com/top-threats/top-7-network-
attack-types-in-2015-so-far/.
195. Rick Lutkus (May 29, 2015), Information Security Threat: Technological Exploits, from
http://www. lawtech nol ogytod ay .o rg/2015 /05/i nformati on-security-th re at-tech n ologi ca 1-expl oits/.
196. Kuna I Thakur, Vishal Shirguppi, Justin Francis, Sazia Ali, Packet Sniffing, from http://www.slideshare.net/superfun/packet-
sniffers?qid=25ccf028-6c61-4cf2-89a0-e86bd6c8b021&v=qf1&b=&from_search=2.
200. CCNA Security: ACLs for Telnet, SNMP and DDOS Attacks, from https://www.certificationkits.com/cisco-certification/ccna-
security-certification-topics/ccna-security-cisco-routers-and-acls/ccna-security-acls-for-telnet-snmp-and-ddos-attacks/.
204. Joseph Caudle (12 February 2015),Top DNS Lookup Tools, from http://blog.dnsimple.com/2015/02/top-dns-lookup-tools/.
207. Ethical hacking and Countermeasures: Attack Phase, Booklhases, Book 1, from https://books.google.co.in/
books?id=iC9TCwAAQBAJ&pg=PA28&1pg =PA28&dq=attack+system+using+network+range&
source=bl&ots=ym748JDTp0&sig=QbSq6XmVEVKL9aq3fLMDwbB48Bc&hl=en&sa=X&ved=0ahUKEwiKzJq85LzKAhUNJl4KHal
qCHYQ6AEIGzAA#v=onepage&q=attack%20system%20using%20network%20range&f=false.
210. Create network diagrams and export them to Microsoft Visio, from http://www.solarwinds.com/network-topology-
mapper.aspx.
215. Luiz Firmino {5th October 2011), Cyber Defense Misconfigured AP Attack, from
http://luizfirmino.blogspot.in/2011/10/m isconfigured-ap-attack. html.
217. Luiz Firmino {5th October 2011), Cyber Defense Unauthorized Association, from
http ://1 uizfi rm in o. blogspot. i n/2011/10/una uth ori zed-a ssoci ati on. htm I.
221. Darren Miller (24 Jan. 2013), The Dangers Of Ad-Hoc Wireless Networking, from http://www.windowsecurity.com/
whitepapers/Wireless_Security/Dangers-Ad-Hoc-Wireless-Networking.html.
228. Michael Kassner March 9, 2008),How to prevent automatic association with ad hoc networks, from
http://www.tech republic. com/blog/mobile-enterprise/how-to-prevent-a utom ati c-associ ati on-with-a d-hoc-n etwor ks/.
231. MYLES GRAY(JUNE 17, 2015 ), Scanning for network vulnerabilities using nmap, from http://www.mylesgray.com/security/.
232. scanning-for-network-vulnerabilities-using-nmap/.
233. Eddie Sutton, Footprinting: What is it and How Do You Erase The, from http://www.infosecwriters.com/
text_resources/pdf/Footprinting.pdf.
236. Lei Han (April 2006), A Threat Analysis of The Extensible Authentication Protocol, from
http://people .scs. ca rl eton. ca/~ba rbea u/H onou rs/Lei_ Han. pdf.
239. darkAudax {20 January 11, 2010), Tutorial : Simple WEP Crack, from http://www.aircrack-
ng.org/doku.php?id=simple_wep_crack.
290. Ravi S. Sandhu and Pierangela Samarati (September 1994), Access Control: Principles and Practice, from
http://www. profsa nd hu. com/jou rna Is/comm un/i94ac(org). pdf.
299. 6-5-2015, Attribute based Access control (ABAC)- Overview, from http://csrc.nist.gov/projects/abac/.
306. 12-2008, Implement access control systems successfully in your organization from
http://search itch an n el. tech target .com/feature/The-importance-of-access-control.
307. 6-5-2015, Access control policy and implememtnation guides, from http://csrc.nist.gov/projects/ac-policy-igs/index.html.
308. Vincent C. Hu, David F. Ferraiolo, D. Rick Kuhn (September 2006), Assessment of access control systems, from
http://csrc.nist.gov/publ ications/nistir/7316/N ISTI R-7316.pdf.
311. 2011, Network access control and network security standards, from
http://www. ncsi. com/N SAtcl 1/presentations/tu es day/basics/serrao_ha nna. pdf.
312. Andrew plato, Implementing network access control products: how to prep your clients, from
http://search itcha nn el. techta rget .com/tip/Im pl em enti ng-network-access-control-prod u cts-H ow-to-prep-your-clients.
313. Deb Shinder (28-8-2001), Understanding and selecting authentication methods, from
http://www.tech republic. com/ article/understanding-an d-sel ecti ng-a uthe nti cation-met hods/.
322. Deb Shinder (28-8-2001), Understanding and selecting authentication methods, from
http://www.tech republic. com/ article/und erstanding-a nd-sel ecti ng-a uth enti cat ion-met hods/.
341. Alan Henry (22-7-2011), Cyberghost VPN is a free anonymous VPN, from http://lifehacker.com/5823586/cyberghost-vpn-
is-a-free-anonymous-vpn-that-protects-your-surfing-from-prying-eyes.
355. Raksha, Sahana, Sai Janaki, Shruti (7-11-2009), Network protocol analyzers, from
http://www.sl id es ha re.net/ sou rav894/ network-protocol-analyzer.
359. Sandra 4211 (4-5-2010), Security guide to network security fundamentals, from
http://www.sl id es ha re.net/Sand ra4211/secu rity-gu ide-to-n etwork-secu rity-fu n dam enta ls-th i rd-edition.
370. Srikanth Ramesh, what is Secure Socket layer (SSL), and how it works, from http://www.gohacking.com/secure-sockets-
layer-ssl/.
375. What is SSL and what are SSL certificates, from https://www.digicert.com/ssl.htm.
438. Andy Scott, How to create a good information security policy, from http://www.computerweekly.com/feature/How-to-
create-a-good-i nform ation-security-pol icy.
442. Dec 02, 2004, Understanding physical security: definition, forms, and importance, from
http://resources.i nfoseci nstit ute. com/physica 1-secu rity-pol icy-can-save-com pa ny-thousa n ds-d ol Iars/.
445. Jethro Perkins (16th October 2015), Policy IT User Accounts, from
http://www.lse .ac. uk/i ntra net/LS EServices/policies/pdfs/school/useAccPo I.pdf.
448. Joshua Cormas, Network Security Policy in the Work place, from
htt ps ://www .googl e.co.in/url ?sa=t&rct=j&q =&esrc=s&so urce=web&cd =9&cad= rja&ua ct=8&ved =0a hUKE wi L8ZW 4zu 7JAh W
RW44KHeUiADIQFghTMAg&url=https%3A%2F%2Fwww.iup.edu%2FWorkArea%2FDownloadAsset.aspx%3Fid%3D195254&
usg=AFQjCN Egz0pzRkn H9ddG6UysN H131p7k2g&bvm=bv .110151844,d.c2E.
449. March 2007, Network and Server Security Management Policy, from
http://www.rye rs on. ca/policies/administration/n etworksecu ritypol icy.htm I.
457. ISO/IEC 27033:2010+ Information technology - Security techniques - Network security, from
http://www.iso27001security.com/html/27033. htm I.
461. Catherine Paquet (Feb 5, 2013), Network Security Concepts and Policies, from http://www.ciscopress.com/
articles/article.asp?p=1998559&seqNum=3 .
463. Ladan Kianmehr, Deborah Becker, Ali Kama Ii, Saint Joseph, The importance of written security policy for any network
connection from, http://proc.isecon.org/2011/pdf/1774.pdf.
464. Catherine Paquet (Feb 5, 2013) ,Network Security Concepts and Policies, from
http://www.ciscopress.com/articles/article.asp ?p=1998559&seqNu m=3.
465. Courtney Hamby (Sep 11, 2013), Advantages Of Network Security, from
http ://info. ava la nwi re less.com/blog/bi d/334529/ Advantages-Of-N etwork-Secu rity.
466. Rob McMillan (14 April 2014), Information Security Program Management Key Initiative Overview, from
https ://www .gartner.com/doc/2708617/information-security-program-management-key.
468. Oct 20, 2012, Information Security Management System ISO/IEC 27001 :205 Introduction and Requirements, from
http://www.sl id es ha re.net/ Control Case/isms-prese ntation-oct-20 2012 ?qi d=bS f12 936-0a7 d-4dad-9e6e-
2b68c654397 b&v=& b=& from search=9.
469. ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems, from
http://www.iso27001security.com/html/27001. htm I.
471. Dancho Danchev, Building and Implementing a Successful Information Security Policy, from http://
www.windowsecurity.com/ pages/ security-policy.pdf.
477. Muhanned Wajahat Rajab (Jun 30, 2013),Physical Security, from http://www.slideshare.net/wajraj/physical-security-
presentation-23717721 ?qid=f4e0b456-8a7 4-42a 7-9543-d03f369c2a 72&v=&b=&from_search=2.
479. Dr. AMAN JANTAN (2012), INFORMATION SECURITY AND ASSURANCE, from http://www.scribd.com/doc/96301211/Eisp-
lssp-SysSp#scribd.
489. Sarah Granger (OS Jul 2011), The Simplest Security: A Guide To Better Password Practices, from
http://www.syma ntec. com/ connect/articles/si m pl est-secu rity-gu ide-better-passwo rd-practices.
490. April 23, 2009, New Guidelines For Organization-wide Password Management, from
http://www.sci enceda i ly. com/rel eases/2009/04/090423105900. htm.
491. Jethro Perkins (16th October 2015), Policy IT User Accounts, from https://hipaa.wisc.edu/docs/accountCreation.pdf.
492. Mark Ciampa (Jan 29, 2010), Security+ Guide to Network Security Fundamentals, 3rd Edition,
http://www.slideshare.net/itsec/ch08-authentication ?qid=30418012-le73-4fe0-a249-
8b397fb3b055&v=&b=&from_search= 13.
493. Kristine Buyers (May 8, 2015), Backup and Recovery Tip: Determine Backup Policies and Procedures, from
http://go. dewpoi nt. com/on point/d eterm in i ng-ba cku p-pol i ci es-a nd-proced ures-for-backup-and-recovery.
495. The Unicode Consortium Policy on Handling of Confidential Data, from http://unicode.org/policies/
confidential_data_policy.html.
500. April 15, 2001, Employee Internet Usage Policy, from http://www.workforce.com/articles/employee-internet-usage-policy.
504. January 21, 2005, Remote Access Policies Examples, from http://technet.microsoft.com/en-
in/library/cc776865(v=ws.10).aspx.
510. Vincent C. Hu, David F. Ferraiolo, D. Rick Kuhn, Assessment of Access Control Systems, from
http://csrc.nist.gov/publ ications/nistir/7316/N ISTI R-7316.pdf.
512. Access control and authentication isn't as simple as setting up user IDs and passwords, from
http://sea rchsecu rity. techta rget. com/magazi neContent/1 nterview-CISO-expla ins-enterprises-access-control-policies.
515. Ganesh Dutt Sharma (June 26, 2010), Firewall Security Policy, from http://securityworld.worldiswelcome.com/firewall-
security-policy.
521. Ivy Wigmore (October 2012), BYOD (bring your own device), from http://whatis.techtarget.com/definition/BYOD-bring-
your-own-device.
522. Tony Bradley (Dec 20, 2011), Pros and Cons of Bringing Your Own Device to Work, from http://www.pcworld.com/
article/246 7 60/pros_and_cons_of_byod _bring_your_own_device_. htm I.
523. Nov 25, 2002, DMZ Policy and Guidelines, from http://www.nesnip.org/pdf/dmz.pdf.
525. Jonathan Gana KOLO, Umar Suleiman DAU DA, Network Security: Policies and Guidelines for Effective Network
Management, from http://ljs.academicdirect.org/A13/007_021.htm .
526. Catherine Paquet (Feb 5, 2013), Network Security Concepts and Policies, from http://www.ciscopress.com/
articles/article.asp?p=1998559&seqNum=3.
529. Your guide to the Payment Card Industry Data Security Standard (PCI DSS), from
http://www.westpac.com .au/docs/pdf/bb/Guide_to_payment_card_i ndusl. pdf.
532. Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. § 2510-22., from
https://it.ojp.gov/default.aspx?area=privacy&page=1285.
533. The Foreign Intelligence Surveillance Act of 1978 (FISA), from https://it.ojp.gov/default.aspx?area=privacy&page=1286.
534. FISA 101: Why FISA Modernization Amendments Must Be Made Permanent, from http://www.justice.gov/archive/ll/.
536. Fact Sheet: The Protect America Act of 2007, from http://georgewbush-whitehouse.archives.gov/news/releases/
2007/08/20070806-5.html.
541. Search and Seizure and the Fourth Amendment, from http://criminal.findlaw.com/criminal-rights/search-and-seizure-and-
the-fourth-amendment.html.
542. What is the Privacy and Civil Liberties Oversight Board?, from http://www.pclob.gov/.
552. Business-Partner Pol icy, from http://www.transfieldservices.com/pdf/Business_Pa rtners_Pol icy_TM C-0000-LE-0013 .pdf.
571. Tom Eston (Dec 1, 2008), Physical Security Assessments, from http://www.slideshare.net/agentOxO/physical-security-
assessments-presentation.
574. Michael Betancourt, Security Challenges for the New Paradigm, from
https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=OahUKEwiRoOzfs87KAhWHt44KHX41DyEQ
FggbMAA&url=http%3A%2F%2Fwww.eecs.ucf.edu%2F~turgut%2FCOURSES%2FEEL6788_AWN_Spr11%2FLectures%2FSecu
rityChallenges.ppt&usg=AFQjCNEkelSU19Pry3weQl27MtQT1N3V0A&bvm=bv.113034660,d.c2E&cad=rja.
576. Lisa Phifer, Removable storage device endpoint security and control, from
http://sea rchsecu rity. techta rget. com/ m agazi neContent/Rem ova ble-storage-d evi ce-en d point-security-and-control.
577. Alan Calder, Steve Watkins, IT Governance: An International Guide to Data Security and 15027001/15027002, from
https://books.google.co.in/books?id=OctwCgAAQBAJ&pg=PA194&Ipg=PA194&dq=failure+of+supporting+utilities&source=
bl&ots=b6cDcmMH5i&sig=LRTS-tSiJniQ5_rzy_9SGFiZfdA&hl=en&sa=X&sqi=2&ved=0ahUKEwje_537yOUAhURA44KHcN-
Cw4Q6AEILjAE#v=onepage&q=failure%20of%20supporting%20utilities&f=false Peter H. Gregory, IT Disaster Recovery
Planning For Dummies, from https://books.google.co.in/books?id=YC49DXW-
_60C&pg=PA137&Ipg=PA137&dq=mantrap+diagram+representation&source=bl&ots=vtplq0ypDb&sig=Ob9Ikbltsu0a2mg0
aeV-
zst0RXw&h l=en&sa=X&sqi=2&ved=0ah UKEwipuJ nfzOUAhVMj44KHWhbA0YQ6AEILTAD#v=onepage&q=mantrap%20diagra
m%20representation&f=false.
578. Dhani Ahmad (Mar 17, 2015), Physical security, from http://www.slideshare.net/emolagi/physical-security-45924353.
582. Access Control: Models and Methods (NOVEMBER 28, 2012), from http://resources.infosecinstitute.com/access-control-
models-and-methods/.
584. Microsoft Tech Net (March 28, 2003), Authorization and Access Control Technologies, https://technet.microsoft.com/en-
us/library/cc782880(v=ws.10).aspx.
585. https://technet.microsoft.com/en-us/library/cc782880(v=ws.10).aspx.
586. Jeff A Sandine (January 20, 2009), What is the Difference Between Tailgating and Piggybacking Through an Access
Controlled Secure Door?, from http://ezinearticles.com/?What-is-the-Difference-Between-Tailgating-and-Piggybacking-
Through-an-Access-Controlled-Secure-Door?&id=1902821.
587. Mohd Hamizi (May 21, 2015), ensuring physical and data security, http://www.slideshare.net/pdawackomct/3-ensuring-
physical-and-data-security.
588. Deb Shinder (July 16, 2007), 10 physical security measures every organization should take, from
http://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/.
589. Hudson K., Ruth A., Microsoft Corporation, Securing Network Cabling, from http://flylib.com/books/en/2.902.1.22/1/.
593. lrsandi Hasan (Sep 24, 2014), Network Fundamentals, from http://www.slideshare.net/kazhuyo/ccna-rsnb-chapter-11.
596. Laptop & Mobile Device Physical Security Dos & Don'ts!, from https://www.it.umass.edu/support/security/laptop-mobile-
device-physical-security-dos-donts.
597. Physical Security "Dos" & "Don'ts" (September 9, 2014), from http://www.informationsecuritybuzz.com/news/physical-
security-dos-donts/.
598. Faheem UI Hasan (Nov 6, 2009), Physical Security Assessment, from http://www.slideshare.net/faheemi07/physical-
security-assessment.
601. Physical Security Audit Checklist (January 16, 2013), from http://locknet.com/lockbytes/excerpts/physical-security-audit-
checklist/.
603. Vijay Luiz( Aug 3, 2015), Physical security challenges when vendors are on site, from
htt ps ://www. Ii nked in. com/pulse/physi ca 1-secu rity-cha 11 enges-when-ve ndors-site-vijay-1 uiz.
629. 5-5-2016, Security Baselines and Operating system, Network and application hardening from
http://www.techotopia.com/index.php/Security_Baselines_and_Operating_System,_Network_and_Application_Hardening
633. Description of security events in Windows 7 and server 2008 R2, from https://support.microsoft.com/en-us/kb/977519.
636. Use access control to restrict who can use files, from https://technet.microsoft.com/en-us/library/bb456977.aspx.
641. Using Microsoft Windows Encrypted File System (EFS), from http://infosec.wfu.edu/files/2013/02/EFS.pdf.
642. 7-3-2014, How to Stop and Disable Unwanted Services from Linux System, from http://www.tecmint.com/remove-
unwanted-services-from-linux/.
646. Jered Heeschen(22-6-2016), Check Linux file permissions with Is, from
https://www.rackspace.com/knowledge_center/article/checking-linux-file-permissions-with-ls.
647. Lenny zeltser, Critical Log Review Checklist for Security Incidents, from https://zeltser.com/security-incident-log-review-
checklist/.
648. Vivek Gite(17-7-2006), Linux Log Files Location And How Do I View Logs Files on Linux?, from
http://www. cyberciti. biz/faq/1 in ux-1 og-fi les-locati on-a nd-how-do-i-view-1 ogs-fi Ies/.
649. Yves Lacombe(16-8-2011), Top 10 tips to secure your email server, from https://www.vircom.com/top-10-tips-to-secure-
your-email-server/.
651. Chris Cox, Hardening your router in 9 easy steps, from http://searchnetworking.techtarget.com/tip/Hardening-your-router-
in-9-easy-steps.
652. Sean Wilkins(24-1-2012), Basic Switch Security Concepts and Configuration, from
http://www.pearson itcertification .com/articles/article.aspx?p=1829347 .
653. Shelley Bard, Week 47: Switch security tips, from http://searchsecurity.techtarget.com/tip/Week-47-Switch-security-tips.
660. Mindi McDowell, Brent Wrisley, and Will Dormann (19-5-2010), Risks of File-Sharing Technology, from https://www.us-
cert.gov/ncas/tips/ST05-007.
663. Nate Lord (28-9-2015), What is Social Engineering? Defining and Avoiding Common Social Engineering Threats, from
https://digitalguardian.com/blog/what-social-engineering-defining-and-avoiding-common-social-engineering-threats.
664. Bogdan Sergiu Dragos (17-12-2012), Blended Threat Concept in Web Applications - DefCamp 2012, from
http://www.sl id es ha re. net/DefCa mp/bl ended-threat-con cepti nweba p pl i cati ons-15670548?qid=c5 lb0e9a-cade-4587-9 729-
e299bf5a27 d3&v=d efa ult&b=&from_search= 1.
672. Joe Lee(15-5-2015), Operating System Hardening - Working with Services, from
https://www.grandmstramrod.co.uk/operating-system-hardening-working-with-services/.
674. How to Track Firewall Activity with the Windows Firewall Log, from http://www.howtogeek.com/220204/how-to-track-
firewall-activity-with-the-windows-firewall-log/.
676. Getting Started with using the Microsoft Baseline Security Analyzer (MBSA), from
http ://technology. p itt. ed u/security/getting-started-with-using-the-mi crosoft-basel ine-secu rity-a n alyze r-m bsa.
683. Understanding Patch and Update Management: Microsoft's Software Update Strategy, from
https://msdn.microsoft.com/en-us/library/cc768045.aspx.
686. Jason Chan(31-1-2004), Essentials of Patch Management Policy and Practice, from
http://patchmanagement.org/pmessentia ls.asp.
689. Earl Follis, The business case for automated patch management tools, from
http://sea rchsecu rity. techta rget. com/feature/The-business-case-for-automated-patch-management-too Is.
694. Margus Saluste, 27-4-2016, Local Security Policy in Windows, from https://www.winhelp.us/local-security-policy-in-
windows.html.
697. How To Protect your Windows computer from viruses, Correctly!, from http://www.softwarecandy.com/shop/free-
tips/how-to-correctly-protect-your-windows-computer-from-viruses.
705. Amy Echeverri and Sadequl Hussain, Windows Logging Basics, from https://www.loggly.com/ultimate-guide/windows-
logging-basics/.
712. Telmo Sampaio (15-3-2016), What is an endpoint Access Control List (ACLs)?, from https://azure.microsoft.com/en-
in/documentation/articles/virtual-networks-acl/.
713. 3-7-2014, What's New in NTFS for Windows Server, from https://technet.microsoft.com/en-us/library/dn466520.aspx.
715. Jim Boyce (11-6-2002), Learn the basic differences between share and NTFS permissions, from
http://www.tech republic. com/ arti cl e/1 earn-the-bas ic-d ifferences-between-s ha re-a nd-ntfs-perm issions/.
718. Advantages and disadvantages of EFS and effective recovery of encrypted data, from
https://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.
pdf.
719. Vivek gite(21-9-2006), Linux Set or Change User Password, from http://www.cyberciti.biz/faq/linux-set-change-password-
how-to/.
722. 7-3-2014, How to Stop and Disable Unwanted Services from Linux System, from http://www.tecmint.com/remove-
unwanted-services-from-linux/.
7 24. http://ptgmed ia. pea rson cmg. com/i m ages/97801323 66755/down loads/013 23667 54_Jang_book. pdf.
728. Korbin Brown(2-6-2014), The Beginner' s Guide to iptables, the Linux Firewall, from
http://www. h owtogee k. co m/177 621/th e-begi nners-gu id e-to-i pta bles-th e-1 in ux-fi rewa 11/.
730. Ramesh natarajan(l-8-2011), 20 Linux Log Files that are Located under /var/log Directory, from
http://www.th egee kst uff.com/2011/08/1 in u x-va r-1 og-fi les/.
733. James Michael Stewart, Web Server Isolation Domain, from http://searchenterprisedesktop.techtarget.com/tip/Web-
Server-lsolation-Domain.
738. Margaret Rouse(October 2014), data loss prevention (DLP), from http://whatis.techtarget.com/definition/data-loss-
prevention-DLP.
739. Michael Avdeev and John Callaghan (14-8-2013), Best Practices for Implementing Data Loss Prevention (DLP), from
http://www.sl id esha re.net/sa rfa razch ougu Ie/isaca-webi na rd Ipaug82013fi na 1-vl 28451 ?related= 1.
818. Habtamu Abie (January 2000), An Overview of Firewall Technologies, from http://heim.ifi.uio.no/~abie/fwt.pdf.
824. Create A Basic Firewall (Packet Filter) Rule in Astaro Security Gateway (5 Nov 2015), from https://www.sophos.com/en-
us/support/knowledgebase/115155.aspx.
837. Karen Scarfone, Paul Hoffman, Guidelines on Firewalls and Firewall Policy, from
http://cs re. nist .gov/pu bl i cations/nistpu bs/800-41-Revl/sp800-41-revl. pdf.
838. Network Design: Firewall, IDS/IPS (APRIL 10, 2013), from http://resources.infosecinstitute.com/network-design-firewall-
idsips/.
862. Alfred Basta, Nadine Basta, Mary Brown, Computer Security and Penetration Testing, from
https://books.google.co.in/books?id=Eg_TCQAAQBAJ&pg=PA185&1pg=PA185&dq=How+to+prevent+hacker+bypassing+the
+firewall?+attacks&source=bl&ots=yjTdm30Ezd&sig=E11Kblcyw_HUe_naP-
6WRPy2PV0&hl=en&sa=X&ved=0CCgQ6AEwAjgKahUKEwj7tcLWnvbHAhWCTl4KHV3FBSQ#v=onepage&q=How%20to%20pr
event%20hacker%20bypassing%20the%20firewall%3F%20attacks&f=false.
863. Adam Gowdiak (29-30th May 2003), Techniques used for bypassing firewall systems, from
https://www.terena.org/activities/tf-csirt/meeting9/gowdiak-bypassing-firewalls.pdf.
865. Wing (December 13, 2013), How to Protect Networks against Advanced Evasion Techniques(AET), from
http://secu ritywi ng. com/how-to-protect-networks-against-a dva n ced-evasi on-techniques/.
869. Oriyano, CEH: Certified Ethical Hacker Version 8 Study Guide, from https://books.google.co.in/books?id=aKw-
BAAAQBAJ&pg=PA385&1pg=PA385&dq=How+attacker+bypasses+firewall+%22process%22&source=bl&ots=CylwzzYIFz&sig
=VfrscKnlD4Jk4BpkFlfldFPehUs&hl=en&sa=X&ved=0ahUKEwiowYrFyKvJAhXCU44KHeg4Dc4Q6AEIPjAG#v=onepage&q=How
%20attacker%20bypasses%20firewall%20%22process%22&f=false.
871. Margaret Rouse, IP spoofing (IP address forgery or a host file hijack), from
http://searchsecurity.techtarget.com/defi nition/1 P-spoofing.
874. Spoofing Attack: IP, DNS & ARP I Veracode, from http://www.veracode.com/security/spoofing-attack.
875. IP address spoofing (August 2016), from http://ccm.net/contents/41-ip-address-spoofing.
882. Ryan Dube (April 23, 2009), How to Bypass Firewalls & Get Into Blocked Websites in School or at Work With FreeProxy
(Windows), from http://www.makeuseof.com/tag/how-to-get-into-blocked-websites-in-school-with-freeproxy/.
887. Daniel St0dle (May 26. 2005), Ping Tunnel, from http://www.mit.edu/afs.new/sipb/user/golem/tmp/ptunnel-
0.61.orig/web/.
888. Matt Schulz (August 21, 2009), TUNNELING IP TRAFFIC OVER ICMP, from http://hackaday.com/2009/08/21/tunneling-ip-
traffic-over-icmp/.
896. Firewall Deployment for Multitier Applications (April, 2002), from http://zeltser.com/multi-firewall/.
899. John R. Vacca, Scott Ellis, Firewalls: Jumpstart for Network and Systems Administrators, from
https://books.google.co.in/books?id=ipvoml8c9zcC&pg=PA25&1pg=PA25&dq=Multi-
homed+firewall+architecture&source=bl&ots=3E-
Q8RRoS9&sig=KbpZfz1RrZmRAn3a5_QtlQB6CJ4&hl=en&sa=X&ei=ZfOXVM-
cEMeTuAT8ylLgDg&ved=OCF8Q6AEwCg#v=onepage&q=Multi-homed%20firewall%20architecture&f=false.
900. CBK Telecommunications and Network Security - Firewall architecture (Wednesday, 13 June 2012), from
http://www.secu ritya re na. com/ciss p-crux/7 4-cb k-tel ecom mun ications-a nd-n etwork-secu rity ?start= 10.
910. John Wack, Ken Cutler, Jamie Pole, Guidelines on Firewalls and Firewall Policy, from
http://ithandbook.ffiec.gov/med ia/27459/nis-guide_on_firewall_and_fi rewa ll_pol_800_41. pdf.
911. Laura Pelkey (11/16/12), 3 Steps to a Successful Firewall Implementation, from http://blog.icorps.com/bid/138231/3-
Steps-to-a-Successful-Firewall-lmplementation.
915. Scott Hogg (Jul 31, 2011), Firewall Administration Techniques and Tools, from