
CHAPTER 12
NETWORK CONTROLS

INTRODUCTION
This chapter gives a brief description of various network devices used in organisations, their uses in data communications, the security features in the communication gadgets, and the controls to be exercised to ensure proper security governance. The chapter also deals with the normal security controls that can be put in place in the communication media and the communication channels, and ways to enhance them not only in the hardware devices but also in the channels, protocols and methodologies.

12.1.0 Network security is a complicated subject, which is always handled by well-trained and experienced professionals. It consists of the policies and their implementation by the gadgets to ensure proper and effective utilization of network resources, and to prevent misuse, modification or denial of computer network resources. Before going into the various computer networks, devices and security issues, let us have a brief look at some of the most commonly deployed network equipment used in various organisations and banks:

Hubs
Modems
Routers
Switches
Bridges
Multiplexers

12.1.1 Though the list above enumerates the modern hardware gadgets, it does not comprehensively cover all the network gadgets used these days. This is only an illustrative list. Besides, some network equipment or gadget may have the features of one or more other equipments as well.


12.1.2 Hubs
A hub is a device that serves as a common termination point for multiple nodes and can relay signals along the appropriate paths. It is a physical connectivity device for a number of computer systems. It provides an easy way of handling shifting of the machines and reconnections. There are also some intelligent hubs that contain the built-in intelligence to communicate network management information to a software package.
12.1.3 Modems
Modems modulate the digital signal that a computer system handles into the analog signal that a telecommunication line handles, at the sending end, so that the data can be transmitted, and perform the reverse function at the receiving end by demodulating the signal from analog to digital while the data enters the computer.
12.1.4.1 Routers
Routers are intelligent network devices connecting different networks together, which use the software-configured network address to make decisions on forwarding the data packets to a specific destination. Routers normally operate at the network layer and are among the most used network gadgets in any organisation, typically in most banks. Router configuration has a major security significance. Some routers come with the capability to use session encryption between specified routers. Such a capability prevents unauthorised snooping by men in the middle and ensures connectivity between two sites with secure routes.

12.1.4.2 Routing tables (information on routing the data across the network) are always confidential information, and the routing mechanism and the connected design should be kept as classified information for use within the network management department strictly on a need-to-know basis only. With such great dependence on the network of almost all banking products, including the indispensable CBS, the ubiquitous ATMs and the omnipresent internet banking, router configuration has assumed enormous significance, and backup and redundancy for routers and for router availability have to be ensured. Banks should ensure proper network access controls to protect router information.

12.1.4.3 Session encryption
A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic travelling across the Internet can be seen by people in the middle who have the resources (and time) to snoop around, these are advantageous for providing connectivity between two sites, such that there can be secure routes.
12.1.5.1 Switches
Switches are basically hubs but with intelligence, providing dedicated transmission channels for each user. With such capability, it is easier to forward data to its destination by using the hardware MAC (Media Access Control) address in the data packets. Thus we can block data to one segment or one PC in a LAN, or make one segment or one PC isolate itself from access by any other user.

12.1.5.2 From a security perspective, configuration of switches is very important. In a LAN environment, if the security management wants to restrict transmission to one PC, the switch can be configured accordingly, and hence it should be the duty of security administrators to ensure switch configuration in line with the security policy and to protect all systems in line with the classification and criticality accorded to them.
12.1.6 Bridges
A bridge is a network device which divides networks to reduce overall network traffic. It allows or prevents data from passing through it by reading the MAC address. A bridge is normally selective about the traffic it allows through, since it does the filtering by station address.

12.1.7 Multiplexers
A multiplexer is a device that accepts lower-speed data streams from terminals and combines them into one high-speed data stream for transmission to the other end. At the other end, it converts the combined data stream into the original multiple lower-speed terminal data streams. Physical security of such 'mux' equipment, as it is normally called, is very important since inadequate control on such devices will cause the network to fail completely.
12.2.0 CONTROLS IN A LAYERED NETWORK
12.2.1 The seven layer model of the ISO/OSI is a familiar framework for layering network protocols. For the purpose of this course, it would suffice if we have a very brief idea of the seven layers, especially from the view of how security is built into these and how every layer protects or safeguards the traffic of data from a security perspective. Typically, security services at the bottom layers protect traffic from the higher layers.

12.2.2 In a layered approach, when data gets passed to the lower layers, messages in the protocol are called N-Protocol Data Units (PDU). Data is transmitted by invoking facilities at the lower layer, adding headers and trailers to the PDU and reassembling the PDU at every stage. The headers store the security relevant data.

Application
Presentation
Session
Transport
Network
Data Link
Physical
Seven Layers of OSI Model
12.2.3 Security in all these seven layers is built as per the features of the layer. For instance, in the physical layer, it is the physical security of the equipment, the cables, the type of cabling used and the upkeep and maintenance of cables and connectivity that matters. In the data-link layer, the security will be physical and one step above it. In the network and transport layers, it is the routers and switches that sit on these layers which should be configured to ensure security. In the presentation and then in the application layers, it is the software program (off-the-shelf applications like MS Office or customized ones developed for the organisations) that should take care of security, like ensuring access control, access privileges, implementation of various policies like password policy, Internet access policy and conformance to standards etc.
12.2.4 As against the seven layered approach discussed above, TCP/IP (Transmission Control Protocol/Internet Protocol) has only four layers, as below:
Application
Transport
IP/Internet
Data Link

12.2.5 Typically in a TCP/IP transmission, security in communication is taken care of in these above layers. Though the OSI seven layer model has been in use for a number of years, of late it is the TCP/IP protocol approach that has become very popular and is being referred to often.
12.3.1 IP SECURITY
IP is a connectionless and stateless protocol that transmits IP packets, and hence each basic transfer unit associated with a packet-switched network, i.e. the datagram, which is essentially a packet, is treated as an independent entity. Earlier there was no security protection and there was no order of packets in the earlier version 4 of IP, published in 1981. IPv6 was subsequently introduced, and IP Security, basically a group of protocols in the Internet Protocol suite, has since been a part of the IP architecture.
12.3.2 IPSec is a protocol suite for securing IP communication by authenticating and encrypting each IP packet in a communication session. IPSec is an end-to-end security scheme operating at the internet layer of the IP suite (the TCP/IP model stated above). It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). Some other Internet security systems in widespread use, such as Secure Socket Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model stated above. IPSec protects application traffic across an IP network. Proper use of its features enhances the network security in any organisation.

12.3.3 Though IPSec provides host-to-host security, it does not provide user-to-user security nor application-to-application security. It increases protocol processing overheads and time and latency, as the sender and the receiver both perform cryptographic operations.
12.4 VLANS
12.4.1 In all cases of LAN infrastructure and security (and in a WAN environment too), security should be in-built in the hardware and provided for in software too. In this context, it would be relevant to study briefly about VLANs. A Virtual Local Area Network (VLAN) is a group of hosts with a common set of requirements which communicate as if they were attached to the same broadcast domain, regardless of their physical location. Though a VLAN has the same attributes as a normal physical LAN, it allows for end stations to be grouped together even if not located on the same network switch physically. A VLAN membership can be configured through software instead of physically relocating devices or connections.

12.4.2 By using VLANs, one can control traffic patterns and react quickly to relocations. VLANs provide the flexibility to adapt to changes in network requirements and allow for simplified administration. VLANs provide the segmentation services traditionally provided by routers in LAN configurations and play a significant role in network management. Hence, from a security point of view, VLAN architecture is very significant. Taking care of the VLAN design would be the main concern of security managers in any organisation: ensuring the security of the VLAN architecture, physically protecting the VLAN cabling and securing it so that it does not fall into the wrong hands. VLANs are essentially private communications over a public network.
12.4.3 Tunneling through VLANs is another concept that should be read in the context of WAN and security. By configuring VLAN switches to support tunneling, a single VLAN can be used by customers who have multiple VLANs, preserving customer VLAN ids and keeping the traffic in different VLANs properly segregated. Besides better security, tunneling also enables flexibility in topology and network protocol with enhanced compatibility and interoperability, bypassing the local protocol that may be in place.
12.4.4.1 Of late, many banks and organisations using a public telecom network go in for a Multiprotocol Label Switching (MPLS) network. MPLS is a highly scalable data-carrying mechanism not depending upon any specific protocol and works independent of it. In an MPLS network, data packets are assigned labels. Packet-forwarding decisions are made solely on the contents of this label, without the need to examine the packet itself. Since it operates at a layer that is generally considered to lie between traditional definitions of layer 2 (data link layer) and layer 3 (network layer), it is often referred to as a "layer 2.5" protocol.

12.4.4.2 MPLS is a mechanism in high-performance telecom networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. MPLS does not encrypt traffic and provides no specific security. MPLS traffic is just as open across a carrier's network as regular IP. However, it does provide VPN capabilities and from that angle it is secure enough. Hence it can be said that the security of an MPLS VPN is as good or as bad as that of a dedicated circuit.
12.4.4.3 In an MPLS connectivity, all units in remote locations, say bank branches, ATM centres or other sites, administrative offices like regional office etc., are all connected to the headquarters or the data centre through the MPLS cloud. The Data Centre may itself be connected to either the MPLS cloud or, typically, to the Internet.

[Figure: MPLS connectivity. The Data Centre is connected to the MPLS cloud and to the Internet; Remote Systems 1 to 6 connect to the Data Centre through the MPLS cloud.]
12.4.4.4 Quite often there have been discussions on the relative merits and demerits of the kinds of lines, viz. leased lines, VPNs and MPLS. While cost-wise leased lines are costlier compared to VPNs, MPLS depends upon the service provider and their technological architecture. On the security front, since leased lines are dedicated to a specific customer's traffic, they are more secure compared to VPNs, which function over the public Internet and are less secure. MPLS has no inherent encryption, since its security depends heavily on the network and the configuration therein.
12.5.1 COMMUNICATION CHANNELS
Telephone systems offer us the connection services for use in organisations, especially in banks, to establish connectivity across different parts of the country. Such services can be terrestrial lines with cables drawn as dial-up lines or as leased lines. From a security perspective, there is a basic difference between these two lines. In the former, data goes as part of the public system, whereas in the latter there is a possibility, which we can opt for, of what is called VLAN IPSec. Even otherwise the line and connectivity is 'leased' to us. In essence, this term 'leased' does not mean solely dedicated with security. To overcome this, it would be prudent to opt for IPSec enabled lines with VLAN from the telecom providers, so that it serves as an additional security for the connectivity part and for the time the data is in transit, besides the application level security that the software will anyway have.
12.5.2 For long distance, typically in a WAN set up, satellite channels established through VSAT (Very Small Aperture Terminal) are taken. In a VSAT connectivity too, in addition to the physical security for the Out Door Unit (ODU) and the In Door Unit (IDU) of the VSAT equipment, there must be software based security initiatives in place, like cryptography etc., so that the data in transit is adequately secure.
12.5.3.1 VoIP
Voice over IP is the transmission of voice over packet-switched IP networks and is one of the most important emerging trends in telecommunications. As against traditional circuit-based telephony, VoIP transmits voice in digitized format as data packets and comes at a lower cost and with greater flexibility. However, from a security perspective it needs careful study of the security problems involved in it, and VoIP components should not be simply plugged into the already secured network hoping that they also become part of the secured network.
12.5.3.2 Many security measures implemented in traditional data networks are not directly applicable to VoIP, like firewalls, Intrusion Detection Systems etc., which must be customized for the VoIP component. Besides, implementation of various security measures can cause a marked deterioration in the quality of transmission, or may sometimes cause delay because of firewalls or blocking of traffic and related features. The introduction of firewalls to the VoIP network may also complicate certain aspects of VoIP like dynamic port trafficking and call setup procedures etc.
12.5.3.3 VoIP leverages the internet as an infrastructure for voice communication, carrying data packets like general internet traffic. It uses a shared broadband circuit for many kinds of data packets, be it data, voice or video, perhaps reducing the cost of transmission some of the time. Since the traffic is Internet bound, offering Unified Communication (UC) as an integration of computer and network, it is more prone to the inherent threats of the internet like eavesdropping, data and session hijacking etc. To make a VoIP communication secure, many security initiatives should be in place, like the study of all the open ports, analysing the traffic, vulnerability to a DoS or a DDoS attack etc. From the traceability point of view, even if a simple voice telephone handset is attached to a VoIP line and used for just a voice communication, tracing the same is much more technologically complicated than a simple cell phone communication, which is traceable with details recorded as part of the cell phone tower communication.

12.5.3.4 Network Address Translation (NAT) is a powerful tool that can be used to hide internal network addresses and enable several endpoints within a LAN to use the same (external) IP address. Basic NAT, a translation of one IP address to one IP address, is normally used when there is a requirement to interconnect networks with incompatible addressing. Sometimes, it may be necessary to hide an entire IP address space behind a single IP address (or in some cases a small group of IP addresses) in another (usually public) address space. In such instances, one-to-many NATting is used. To avoid ambiguity in the handling of returned packets, a one-to-many NAT must record higher level information on outgoing communications and must maintain a translation table so that return packets can be correctly translated back.
12.5.3.5 It has often been debated whether NATting is itself a security feature or not. Though introduced as an enabler of translating the IP address, as stated above, NATting has of late been deployed to deliver some security features too. Although NAT routers are not purchased for their security benefits, NAT routers inherently function as effective hardware firewalls also, since they prevent unsolicited, unexpected and unwanted traffic from the public internet cloud entering the user's private LAN network. Since all incoming data packets have the same IP address, i.e. the single IP address of the router, the router identifies the computer that should receive the returning packet as the one which actually sent a packet out first to the source of the incoming packet.
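The translation table of 12.5.3.4 and the "hardware firewall" effect of 12.5.3.5 can be shown with a small simulation. This is an added example, not code from the chapter; the public address, the two LAN hosts, the web server and the probe packets are all constructed for the demonstration.

```python
"""One-to-many NAT (port address translation) with a translation table.

Constructed example: a NAT router rewrites outgoing packets, records the
mapping, translates return packets back to the internal host and drops
inbound packets that no internal host asked for.  All addresses are from
the documentation ranges and every packet here is made up.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed public address of the NAT router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class OneToManyNAT:
    """Translation table keyed by the external port handed out per flow."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # external port -> (internal ip, internal port, remote ip, remote port)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        # reverse index so later packets of the same flow reuse their mapping
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}
        self.dropped = 0

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: private source replaced by the public IP and an allocated port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self._by_flow.get(flow)
        if ext_port is None:
            ext_port = self._next_port
            self._next_port += 1
            self.table[ext_port] = flow
            self._by_flow[flow] = ext_port
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a packet matching a recorded flow is translated back."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            self.dropped += 1        # unsolicited: no internal host opened this port
            return None
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            self.dropped += 1        # mapped port but wrong peer: still unsolicited
            return None
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


def demo() -> dict:
    """Run the constructed scenario and return the observable results."""
    nat = OneToManyNAT(PUBLIC_IP)
    web = "198.51.100.7"
    # two LAN hosts that happen to pick the same source port
    a_out = nat.outbound(Packet("192.168.1.20", 51000, web, 443, "GET /a"))
    b_out = nat.outbound(Packet("192.168.1.21", 51000, web, 443, "GET /b"))
    # the server replies to the public IP on the ports the NAT allocated
    a_back = nat.inbound(Packet(web, 443, PUBLIC_IP, a_out.src_port, "200 /a"))
    b_back = nat.inbound(Packet(web, 443, PUBLIC_IP, b_out.src_port, "200 /b"))
    # unsolicited packets: an unmapped port, and a mapped port from the wrong peer
    probe_unmapped = nat.inbound(Packet("192.0.2.99", 12345, PUBLIC_IP, 22, "probe"))
    probe_wrong_peer = nat.inbound(Packet("192.0.2.99", 443, PUBLIC_IP, a_out.src_port, "probe"))
    return {
        "external_ip": a_out.src_ip,
        "a_external_port": a_out.src_port,
        "b_external_port": b_out.src_port,
        "a_reply_to": (a_back.dst_ip, a_back.dst_port) if a_back else None,
        "b_reply_to": (b_back.dst_ip, b_back.dst_port) if b_back else None,
        "unmapped_dropped": probe_unmapped is None,
        "wrong_peer_dropped": probe_wrong_peer is None,
        "dropped_total": nat.dropped,
        "table_size": len(nat.table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```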
12.5.4 Cryptography
12.5.4.1 To ensure security in transmission of data or information, a popular method is to encrypt the message with a specific algorithm, so that the intended recipient alone will be able to decrypt the message and no other intruder can do that. Cryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science and engineering. Cryptography has been extensively used in banks while communicating among banks, especially for financial remittances and related communications like ATM cards, e-payments etc. Even historically, there is a record of several early Hebrew ciphers, and in old Indian books too cryptography finds a place, like Kautilya's Arthashastra.

12.5.4.2 From a security angle, quite often we hear that the cell phone providers have their own patented cryptographic technologies, giving their subscribers a confidence that their communication cannot be attacked by network threats like packet sniffers etc. In this context, there have been frequent debates whether the state has the power to ask for decryption tools or otherwise revelation of the details of communication, and whether the provider is bound to keep the confidentiality in view of the contractual obligations with the subscriber. Anyway, it is now a confirmed legal position that any communication is always subject to the provisions of the law of the land and due diligence, within the broad parameters of freedom of communication, data privacy and what is provided for in the laws. Therefore, the details of any communication have to be revealed if so sought by the state or as part of judicial proceedings, as provided by the law.
12.5.5.1 Steganography is the art and the science of writing hidden messages in such a way that no one apart from the sender and the intended recipient suspects the existence of the message. It is considered to be a form of securing the message in an obscure manner. Visible messages may often appear to be some innocuous text, and the hidden text or message may be in some common invisible ink, and the receiver will know how to take it out for reading.

12.5.5.2 Steganography is advantageous over cryptography because in cryptography the message goes encrypted and will not be opened or readable by anyone. Sometimes, in a communication territory or a nation or a channel, encryption itself may be banned for security reasons. In steganography it could be a normal mail or a picture or an audio file or any other communication outwardly, but only the receiver will be able to read the hidden text or message contained in it.

12.5.5.3 In computers, especially in data communications, steganography is a useful and interesting technology for researchers. From a security perspective, it is at the same time a dreaded tool in the hands of criminals, especially terrorists; it has been used in quite a few terrorist attacks in the recent past. Detection of steganographically encoded packages is called steganalysis. The simplest method to detect modified files, however, is to compare them to known originals. Often, in a communication, no one will normally know the original version of the file or the picture, and hence detection of steganography used in a picture or an audio file sent over an email involves the use of specific software tools and may be a little difficult, if not impossible.

12.5.5.4 Quite often, there have been clashes between law and technology. What is pure technology may sometimes be unlawful or illegal and therefore punishable, when done with an intention of criminal purpose. For instance, steganography is a technology, but when done with the purpose of sending some communication in some terrorist outfit or in a criminal gang, the same becomes evidence in prosecution and the activity will be called illegal.
12.6.0 PROTOCOLS USED IN NETWORK
12.6.1 Though we will not be discussing in detail the characteristics of all the protocols used in a network - public or private - and the security features associated with each, it would certainly be relevant to study the security features of some of the most commonly used protocols in a network, like HTTP, FTP, SMTP, Telnet and TCP/IP.
12.6.2 HTTP
It stands for Hyper Text Transfer (or sometimes Transport) Protocol and is the standard used in the world wide web for web access, accessing port 80, especially for hyper text documents in the web. HTTPS is HTTP over Secure Socket Layer or Transport Layer Security (TLS), often referred to as HTTP Secure, and is considered to be the secure version of the HTTP protocol. It is a combination of HTTP with SSL/TLS providing for encrypted communication and securing identification of a network web server. HTTPS connections are used for payment transactions on the internet, especially for financially critical transactions.

12.6.3 Especially in banks, the use of HTTPS is quite significant, since it creates a secure channel over an insecure network, ensuring reasonable protection from attacks like eavesdropping etc. and signalling confidence to the user that the server certificate is verified and trusted. Using HTTPS is compulsory for any website involving financial or critical transmission of data, when the user trusts the certificate authority to vouch only for legitimate websites. All banks nowadays also display user awareness material on their websites telling the user-customers to ensure that the address bar in their internet banking page displays "https" and that a lock symbol is always displayed on the page, clicking which gives the server certificate details.
12.6.4 FTP
File Transfer Protocol is a standard network protocol used to transfer files from one computer to another over a TCP network, often the Internet. People normally use it to upload web pages and documents to a web server that hosts the web content. It permits users to enter through an authentication mechanism of user name and password. File Transfer Protocol is used, accessing port 21, when we want to upload or download any file or document from or to an internet site or a remote web server, with the IP address of the server and with the server's permission as a registered user of its resources.
12.6.5 Though FTP is ideal for transferring files to a remote location, it is not known for its security, because it transmits data over a network in plain text only. FTP is prone to attacks by hackers and to interceptions. If a fraudster attempts to login with an incorrect user and password repeatedly, it locks the user, disabling the profile, which may sometimes be made use of by the attacker to launch his attacks. SSL (Secure Socket Layer), which we have already discussed, is considered to be a secure usage of FTP access. It ensures that communication is encrypted and hence the exposure to interceptions etc. would not be there.
12.6.6 Though the use of anonymous FTP is sometimes recommended for transferring non-confidential data, this is also fraught with risk, since with anonymous FTP anyone can upload to the server without a username and password and could be transferring pirated software or malicious programs, or virus etc. Hence FTP in a networked environment is essential, and how best to make it secure depends on the need and the resultant configuration. From a security perspective, uploading or downloading with FTP access deserves utmost consideration, since FTP entry should be permitted strictly on the basis of authenticated entry only. It should be a conscious decision of developers to permit or deny FTP access in any application, and be based purely on the application needs alone.
12.6.7 Simple Mail Transfer Protocol (SMTP) is an Internet standard and a widely used protocol for email transmission in IP networks, used for outgoing mail transport on port No. 25. Mail servers use SMTP for sending and receiving messages, but user-level client applications use SMTP for sending messages to a mail server only, and for receiving messages, client applications usually use either the Post Office Protocol (POP) or the Internet Message Access Protocol (IMAP).
12.6.8 Now, have a brief look at the security in SMTP. Since SMTP uses relay, i.e. sending mails to another mail server on another domain, this feature was much misused by spammers to send bulk mails and spam, since SMTP would not check to verify that the sender was actually he who claims to be. There are some ways to check this, and one way to do this is to verify whether the sender-computer is in the ISP's local network. Security can also be enhanced by using the SMTP AUTH mechanism, by which authentication is enabled. Mail relay options can also be used to prevent unauthorized mailings, such as promotional mails or bulk and spam, and the relay options in the mail server should be configured accordingly.
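The three relay controls just described (local-network check, SMTP AUTH, and relay options against bulk mailings) combine into one policy decision per message. The following is an added example, not the chapter's own code; the networks, the hosted domain, the recipient cap and the sample sessions are all constructed.

```python
"""Mail relay policy for an SMTP server, following the controls in 12.6.8.

Constructed example: a message is relayed to an outside domain only when the
client passed SMTP AUTH or sits in the provider's local network; mail for
domains the server hosts is always accepted; a recipient cap acts as the
relay option against bulk mailings.  Every value here is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# constructed local (ISP / bank) networks whose clients may relay without AUTH
LOCAL_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]
HOSTED_DOMAINS = {"examplebank.test"}   # constructed domain this server receives mail for
MAX_RECIPIENTS = 50                     # constructed relay option against bulk / spam mailings


@dataclass
class Session:
    client_ip: str         # address the SMTP client connected from
    authenticated: bool    # True if SMTP AUTH succeeded on this session
    mail_from: str
    rcpt_to: List[str]


def is_local(ip: str) -> bool:
    """Is the sending computer inside one of the local networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def relay_decision(s: Session) -> Tuple[bool, str]:
    """Return (accept, SMTP reply); one recipient needing unauthorised relay rejects the message."""
    if len(s.rcpt_to) > MAX_RECIPIENTS:
        return False, "452 Too many recipients"
    for rcpt in s.rcpt_to:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in HOSTED_DOMAINS:
            continue    # inbound mail for our own users: no relay involved
        if s.authenticated:
            continue    # SMTP AUTH proved who the sender is
        if is_local(s.client_ip):
            continue    # client is on the local network
        return False, f"554 Relay access denied for {rcpt}"
    return True, "250 OK"


# constructed sessions: an outside spammer, an inbound message, roaming staff
# with AUTH, a LAN client, and an authenticated but oversized bulk mailing
SAMPLE_SESSIONS = [
    Session("198.51.100.23", False, "promo@bulk.test", ["someone@other.test"]),
    Session("198.51.100.23", False, "someone@other.test", ["teller@examplebank.test"]),
    Session("203.0.113.77", True, "staff@examplebank.test", ["partner@other.test"]),
    Session("10.20.3.4", False, "staff@examplebank.test", ["partner@other.test"]),
    Session("203.0.113.77", True, "staff@examplebank.test",
            [f"user{i}@other.test" for i in range(60)]),
]


def reply_codes(sessions: List[Session]) -> List[str]:
    """Three-digit SMTP reply code for each session."""
    return [relay_decision(s)[1].split()[0] for s in sessions]


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.client_ip:>15} auth={s.authenticated!s:5} -> {relay_decision(s)[1]}")
```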
12.6.9 Telnet
The word 'Telnet' is itself quite interesting. Telnet is both the name of the protocol as well as the application that uses the protocol. Telnet is part of the TCP/IP protocol suite and by default uses TCP port 23. Telnet servers are usually Unix-based, though the protocol is also used for accessing network devices. Telnet can be said to refer to a protocol that provides an interactive text-oriented communication facility using a virtual terminal connection to a remote server, and it is often used in accessing a remote server.

12.6.10 Since Telnet is a network protocol and often used in accessing a remote server, its study has assumed significance. Earlier Telnet was used in Unix based systems on command-line interfaces. Because of security issues while accessing a remote server, especially configuration issues in systems running Windows NT etc., telnet access sometimes is not a preferred communication and Secure Shell (SSH) started to be used.
12.6.11 The term Telnet sometimes also refers to the client side software, which can run on almost any computer system. Loosely, Telnet also means establishing a connection with the Telnet protocol, either with a command line or with a programmatic interface to a remote server, as when text books state the phrase 'telnet to the server' etc.

12.6.12 In all these cases, it would be pertinent to note that security is built into the application whenever Telnet access is provided. Most developers do not permit Telnet access other than through a front-end menu and interface. From a security perspective, Telnet access is rarely given and is restricted by system managers.
12.6.13 While accessing a server through the various protocols mentioned above, sometimes applications allocate logical ports for data transmission, in which case the developers should be trained to ensure proper and secure usage of such logical ports, assigning other numbers for the services. An efficient white box testing team should be able to detect any improper or deliberately misleading assignment of port numbers, which will serve as a serious security lacuna paving the way for unauthorized access to the database.
12.6.14 TCP/IP is a suite of protocols and perhaps the most widely used in communications these days. It is the backbone of the internet today, comprised of two protocols, TCP and IP. The Internet Protocol (IP) is the network layer of the Internet, which routes the data packets to their destination, though providing no guarantee of delivery. Transmission Control Protocol (TCP) runs on top of IP, providing a connection oriented service between the sender and the receiver, guaranteeing the delivery and ensuring that the packets are delivered in sequence using mechanisms like sequence numbers, acknowledgements, 3-way handshakes and timers.
12.6.15 TCP/IP was not built originally for security (for that matter, the Internet itself was not built for secure communication when it was originally used by the US army, more for intra-defence department communication). In the years to come, and with the Internet almost being built on the TCP/IP protocols, it has now become more of a problem. The widespread use and availability of the TCP/IP protocol suite has exposed its weaknesses. There are quite a few well-known vulnerabilities, both of TCP/IP itself and of some commonly used protocols along with TCP/IP (such as DNS), as detailed below:
12.6.16 TCP SYN attacks
Also called SYN flooding, it takes advantage of the three-way handshake in TCP sequence numbers. When a computer receives a SYN request from a client, it must keep track of that partially opened connection, and if the 'sync' from the client never completes, security is breached.
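A server can tell a SYN flood from normal load by counting the partially opened connections it is keeping track of. The monitor below is an added example, not the chapter's own code: it reads netstat-style socket records (constructed here), and alerts when a listening port holds more half-open connections than a limit or when one source holds too many. The records, addresses and thresholds are all made up.

```python
"""Half-open connection monitor for the SYN flooding scenario above.

Constructed example: parses socket records (one per line: proto, local
address, remote address, state), counts SYN_RECV entries per local port and
per remote address, and raises alerts past constructed limits.
"""
from collections import Counter
from typing import Dict, List, Tuple

HALF_OPEN_LIMIT = 5   # constructed: alert when a local port holds more than this many SYN_RECV
SOURCE_LIMIT = 3      # constructed: alert when one remote address holds more than this many

# Constructed socket listing: normal traffic on 443 and 22, a flood of half-open
# connections on 443 from many different addresses, and one address repeatedly
# half-opening connections to the mail port.
SAMPLE_RECORDS = """
tcp 10.1.1.5:443 198.51.100.7:51234 ESTABLISHED
tcp 10.1.1.5:443 198.51.100.8:41002 ESTABLISHED
tcp 10.1.1.5:22  198.51.100.9:60111 ESTABLISHED
tcp 10.1.1.5:443 203.0.113.1:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.2:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.3:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.4:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.5:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.6:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.7:1025 SYN_RECV
tcp 10.1.1.5:443 203.0.113.8:1025 SYN_RECV
tcp 10.1.1.5:25  192.0.2.5:3001 SYN_RECV
tcp 10.1.1.5:25  192.0.2.5:3002 SYN_RECV
tcp 10.1.1.5:25  192.0.2.5:3003 SYN_RECV
tcp 10.1.1.5:25  192.0.2.5:3004 SYN_RECV
udp 10.1.1.5:53  198.51.100.7:5555 -
"""


def parse_records(text: str) -> List[Tuple[int, str, str]]:
    """Return (local_port, remote_ip, state) for each TCP record; other protocols are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])
        remote_ip = parts[2].rsplit(":", 1)[0]
        rows.append((local_port, remote_ip, parts[3]))
    return rows


def analyse(text: str) -> Dict[str, object]:
    """Count half-open connections per local port and per source; alert past the limits."""
    half_open_per_port: Counter = Counter()
    established_per_port: Counter = Counter()
    half_open_per_source: Counter = Counter()
    for local_port, remote_ip, state in parse_records(text):
        if state == "SYN_RECV":
            half_open_per_port[local_port] += 1
            half_open_per_source[remote_ip] += 1
        elif state == "ESTABLISHED":
            established_per_port[local_port] += 1
    flooded_ports = [p for p, n in half_open_per_port.items() if n > HALF_OPEN_LIMIT]
    suspicious_sources = [s for s, n in half_open_per_source.items() if n > SOURCE_LIMIT]
    alerts = [f"port {p}: {half_open_per_port[p]} half-open vs "
              f"{established_per_port[p]} established" for p in flooded_ports]
    alerts += [f"source {s}: {half_open_per_source[s]} half-open connections"
               for s in suspicious_sources]
    return {
        "half_open_per_port": dict(half_open_per_port),
        "flooded_ports": flooded_ports,
        "suspicious_sources": suspicious_sources,
        "alerts": alerts,
    }


if __name__ == "__main__":
    for alert in analyse(SAMPLE_RECORDS)["alerts"]:
        print("ALERT:", alert)
```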
12.6.17 IP Spoofing is an attack where an attacker pretends to be sending from an IP address other than its own. The IP layer assumes that the IP address on any packet it receives is the same IP address as the system that actually sent the packet; it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet (called "spoofing" an address) could get unauthorized privileges.
12.6.18 Sequence guessing
A TCP sequence guessing attack is an attempt to predict the sequence number used to identify the packets in a TCP connection. The attacker correctly guesses the sequence number so that he can send counterfeit packets in that place from another host controlled by him. He can do this by monitoring the traffic and using the same IP address, and attempt even a DoS attack.
12.6.19 Similarly, connection hijacking is another vulnerability. When two hosts are desynchronized, discarding packets from each other, an attacker who is in the same communication path can eavesdrop and replicate packets and then inject forged packets with the correct sequence numbers, and potentially modify or add commands to the communication. This is often done in a desynchronized state or in the middle of an established connection.
12.6.20 DNS Attacks: DNS is primarily used to map hostnames to IP addresses (e.g. 192.38.11.), but it can also be used to do the reverse: mapping IP addresses to hostnames. An attacker can use this feature to fool name-based authentication, because the reverse record for an address is published by whoever controls that address block; an attacker can make his own address resolve to a trusted hostname, and a server that grants access on the strength of that hostname alone is fooled. The check a practitioner should insist on is that the name obtained from the reverse lookup resolves forward to the same address, and, better still, that names and addresses are not used as authentication at all.
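The reverse-DNS trick described above and the forward-confirmation check that defeats it, as an added example that is not from the original chapter. A toy resolver stands in for real DNS so it runs offline; the zones, names and addresses are constructed.

```python
"""Name-based authentication fooled by an attacker-controlled PTR record, and the
forward-confirmed reverse DNS (FCrDNS) check that catches it.

The two dictionaries replace real DNS so the example runs offline; zones,
hostnames and addresses are constructed for illustration."""

# Forward zone (hostname -> addresses), published by the victim organisation.
FORWARD = {
    "bastion.example.bank": {"198.51.100.10"},
}

# Reverse zone (address -> PTR name). The attacker controls the reverse zone
# for 203.0.113.0/24 and can publish any PTR he likes for his own address.
REVERSE = {
    "198.51.100.10": "bastion.example.bank",
    "203.0.113.66": "bastion.example.bank",   # the lie planted by the attacker
}

TRUSTED_HOSTS = {"bastion.example.bank"}


def reverse_lookup(ip):
    return REVERSE.get(ip)


def forward_lookup(name):
    return FORWARD.get(name, set())


def naive_name_check(client_ip):
    """Vulnerable: trusts the PTR record alone (rlogin/rsh-style host trust)."""
    return reverse_lookup(client_ip) in TRUSTED_HOSTS


def fcrdns_check(client_ip):
    """Forward-confirmed reverse DNS: the PTR name must be trusted AND must
    resolve forward to the very address that connected."""
    name = reverse_lookup(client_ip)
    if name is None or name not in TRUSTED_HOSTS:
        return False
    return client_ip in forward_lookup(name)
```

`naive_name_check("203.0.113.66")` admits the attacker; `fcrdns_check("203.0.113.66")` does not, because the victim's forward zone does not list that address. The forward check only narrows the attack to the victim's own zone and to spoofed DNS replies; it does not turn DNS into an authentication mechanism.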
12.6.21 It would be pertinent to note that despite all the security vulnerabilities, TCP/IP is still the most widely used protocol suite, and efforts continue to combat the weaknesses stated above: randomised initial sequence numbers against sequence guessing, SYN cookies against SYN flooding, ingress filtering of forged source addresses against IP spoofing, and signed DNS data (DNSSEC) against forged name resolution.
12.7 INTRUSION DETECTION SYSTEM (IDS)
12.7.1 When cyber criminals prowl around looking for resources in the vulnerable systems and start the attack, it is the well configured IDS that should play a vital role and send an alert to the systems or to the persons manning them.
12.7.2 Trojan infected systems, open ports, un-monitored entry points, un-patched systems etc. are the most vulnerable points, which will be capitalized on by cyber criminals. The IDS immediately alerts that a breach has taken place in the system, so that real time responses can be triggered.
12.7.3 An intrusion detection system (IDS), therefore, is an active warning process and serves as a device that analyzes system and network activity for unauthorized entry or malicious activity. There are different ways an IDS detects anomalies, which depend upon the nature of the features built into it, the configurations and the settings. However, the main function of an IDS is basically to catch the perpetrators in the act before they do real damage to resources.
12.7.4 An IDS often comes as a dedicated device or software application that monitors network and/or system activities for malicious activities or policy violations and produces the necessary reports. It is primarily focused on identifying possible incidents, logging information about them, and reporting attempts.
12.7.5 Intrusion Prevention Systems (IPS) are basically network security devices used to monitor network and system activities for malicious activities and to attempt to stop the intrusion, i.e. thwart the attacks. While the IDS only detects the activity, logs it or gives a report, a warning or an alert, the IPS actually takes the next and important step of preventing the attack from impacting the information asset.
12.7.6 Some important terminologies associated with IDS and IPS are false positive and false negative. Sometimes the system will be ill-configured, or some rules inappropriately framed, so that the system incorrectly identifies a benign activity (i.e. one which is not harmful) as being malicious. This is called a false positive.
12.7.7 On the other hand, sometimes a malign or harmful activity will be left un-identified as such and will pass as benign and harmless, which is called a false negative. Both are harmful and should be corrected promptly: a false negative lets an attack through, while a flood of false positives exhausts the analysts and buries the real alerts. Technologically, if the system is configured to decrease false negatives, it may result in increasing the false positives too. Hence 'tuning' the system needs deeper knowledge and adequate analysis of the system behaviour and the system requirements.
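The trade-off described in 12.7.6 and 12.7.7 made concrete, as an added example that is not part of the original chapter. A rate-based rule ("alert when a source produces at least N failed logins in the window") is swept across candidate thresholds against a constructed, labelled sample; the counts and labels are invented for illustration.

```python
"""Threshold tuning for a simple rate-based detection rule, showing how lowering
the threshold trades false negatives for false positives.

SAMPLE is a constructed set of per-source-IP failed-login counts in a one-minute
window, labelled with whether the source was actually malicious."""

SAMPLE = [
    # (source ip, failed logins in window, is_malicious)
    ("10.0.0.4", 1, False),
    ("10.0.0.9", 2, False),
    ("10.0.0.12", 4, False),        # user mistyping a newly changed password
    ("10.0.0.21", 6, False),        # another noisy but benign host
    ("198.51.100.3", 5, True),      # slow brute force, stays under high thresholds
    ("198.51.100.8", 30, True),
    ("203.0.113.77", 120, True),
]


def classify(count, threshold):
    """The rule: alert when failed logins in the window reach the threshold."""
    return count >= threshold


def evaluate(sample, threshold):
    """Return (false_positives, false_negatives) of the rule at one threshold."""
    fp = fn = 0
    for _, count, malicious in sample:
        alert = classify(count, threshold)
        if alert and not malicious:
            fp += 1          # benign activity flagged as malicious
        elif malicious and not alert:
            fn += 1          # malicious activity passed as benign
    return fp, fn


def sweep(sample, thresholds):
    """Map each candidate threshold to its (fp, fn) pair for comparison."""
    return {t: evaluate(sample, t) for t in thresholds}


def best_threshold(sample, thresholds, fn_weight=3):
    """Pick the threshold minimising a weighted cost; fn_weight expresses how much
    more a missed attack costs than a nuisance alert (an assumption to be set
    from the organisation's own risk appetite)."""
    return min(thresholds, key=lambda t: (lambda fp, fn: fp + fn_weight * fn)(*evaluate(sample, t)))


if __name__ == "__main__":
    for t, (fp, fn) in sweep(SAMPLE, (3, 5, 7, 50)).items():
        print(f"threshold={t:>3}  false positives={fp}  false negatives={fn}")
    print("chosen:", best_threshold(SAMPLE, (3, 5, 7, 50)))
```

On this sample a threshold of 3 catches every attacker but raises two nuisance alerts, 7 raises none but misses the slow brute force, and 5 is the only setting with no misses and one nuisance alert; the weighting in `best_threshold` is where the organisation's own judgement about the relative cost of the two errors enters.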
12.7.8 In addition, organizations use IDS (and also Intrusion Prevention Systems, IPS) for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. The two popular kinds of IDS are NIDS (Network based Intrusion Detection System) and HIDS (Host-based Intrusion Detection System).
12.7.9 Intrusion detection and prevention systems (IDPS) are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about that activity, attempt to block or stop the activity, and report the activity.
12.7.10 Intrusion prevention systems are considered extensions of intrusion detection systems because both monitor network traffic and/or system activities for malicious activity. The main difference is that, unlike intrusion detection systems, intrusion prevention systems are placed in-line and are able to actively prevent or block intrusions that are detected. More specifically, an IPS can take such actions as sending an alarm, dropping the malicious packets, resetting the connection and/or blocking the traffic from the offending IP address. An IPS can also correct Cyclic Redundancy Check (CRC) errors, defragment packet streams, prevent TCP sequencing issues, and clean up unwanted transport and network layer options. The in-line placement has a cost that must be planned for: a false positive on an IPS blocks legitimate traffic, and the appliance itself becomes a point of failure and a throughput bottleneck on the path it protects.
12.8 FIREWALLS
12.8.1 Firewalls are access control devices for the network and can assist in protecting an organisation's internal network from external attacks. They are therefore border security products sitting between the internal network and the external network. Wherever a server is allowed to be accessed from outside, such connections will be allowed by the firewall. Hence the firewall cannot protect the web server software, which must be reachable by all web traffic. Similarly, a firewall does not protect against an insider attacker, since all internal users are already inside the internal network.
12.8.2 There are two types of firewalls: application layer firewalls and packet filtering firewalls. Each is used depending upon the security policy of the organisation and the specific requirement, based on factors like confidentiality, criticality etc. Application layer firewalls, also called proxy firewalls, run as software on top of a general-purpose operating system such as Windows NT or Unix. Firewall configuration is done as per specific rules, i.e. the traffic related policy defines how traffic from one network is sent to another. In the absence of a rule permitting the packets, the firewall drops or denies the traffic. The firewall itself should be protected from attack and should not have any vulnerabilities. The typical function of a firewall is depicted in the diagram below:
[Diagram: Client System, Firewall System, Server System. The client sends the connection request to the firewall; the firewall decodes the packet and analyses the protocol according to the policy rules and, if allowed, initiates a new connection to the server.]
12.8.3 Whereas the application layer firewall terminates the client's connection and opens a new one to a system behind the firewall on the client's behalf, the second type of firewall, namely the Packet Filtering firewall, enforces the policy rules through the use of packet inspection filters. The filters undertake stateful inspection, i.e. a process of examining the packets and determining whether the traffic is allowed based on the policy rules and the state of the protocol. In other words, when the protocol is in a certain state, only certain packets are expected and permitted: a reply from outside is accepted only if a matching connection was opened from inside and recorded in the state table. Since these firewalls do not have the overhead of extra connection setups (on behalf of the client, as shown in the diagram above), they have the capability of handling a greater amount of traffic.
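Stateful inspection as described above, as an added example that is not from the original chapter: a small packet filter whose only rule for new connections is "inside may open web connections to outside", and which admits return traffic solely because the state table records the connection. The packets, addresses, prefix and permitted ports are constructed assumptions.

```python
"""A minimal stateful packet filter illustrating 12.8.3.

Policy (assumed): hosts inside 192.168.1.0/24 may open TCP connections to
ports 80 and 443 outside; nothing else may open a connection. Return traffic
is permitted only when it matches an entry in the state table."""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."      # assumed internal network
OUTBOUND_OK_PORTS = {80, 443}     # assumed policy: web only


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK", "ACK", "FIN", "RST"


class StatefulFilter:
    def __init__(self):
        # (src, sport, dst, dport) of the initiator -> "SYN_SENT" | "ESTABLISHED"
        self.state = {}

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        """Return 'ALLOW' or 'DROP' and advance the connection state."""
        rev = self._reverse(p)
        if rev in self.state:                     # reply to a tracked connection
            if p.flags == "SYN-ACK" and self.state[rev] == "SYN_SENT":
                self.state[rev] = "ESTABLISHED"
            elif p.flags in ("FIN", "RST"):
                del self.state[rev]
            return "ALLOW"
        key = self._key(p)
        if key in self.state:                     # initiator's side of a tracked connection
            if p.flags in ("FIN", "RST"):
                del self.state[key]
            return "ALLOW"
        # A packet with no state: only a SYN from inside to a permitted outside port.
        new_outbound = (
            p.flags == "SYN"
            and p.src.startswith(INSIDE_PREFIX)
            and not p.dst.startswith(INSIDE_PREFIX)
            and p.dport in OUTBOUND_OK_PORTS
        )
        if new_outbound:
            self.state[key] = "SYN_SENT"
            return "ALLOW"
        return "DROP"


def demo():
    """Constructed sequence: one allowed web session, then two unsolicited inbound packets."""
    fw = StatefulFilter()
    return [
        fw.decide(Packet("192.168.1.10", 50000, "203.0.113.5", 443, "SYN")),
        fw.decide(Packet("203.0.113.5", 443, "192.168.1.10", 50000, "SYN-ACK")),
        fw.decide(Packet("192.168.1.10", 50000, "203.0.113.5", 443, "ACK")),
        # outside host opening a connection to an internal SSH port: no state, not permitted
        fw.decide(Packet("203.0.113.9", 4444, "192.168.1.10", 22, "SYN")),
        # forged SYN-ACK for a connection nobody opened: no matching state, dropped
        fw.decide(Packet("203.0.113.9", 443, "192.168.1.11", 50001, "SYN-ACK")),
    ]
```

The last packet is the point of stateful inspection: a stateless filter that simply "allows packets from port 443" would admit it, whereas here it is dropped because no inside host ever sent the matching SYN.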
12.8.4 The Next Generation Firewall is increasingly being spoken about these days. Technologically, it is an advanced firewall built on an integrated network platform that combines a traditional firewall with other network functions like an application firewall, IPS and Deep Packet Inspection, and sometimes also SSL interception. By virtue of these abundant features, in addition to stateful inspection, VPN support, NAT etc., these are called Nextgen Firewalls.
12.8.5 Normally, the port configuration set of a firewall drives its decision making while dealing with network traffic. Port analysis can be done with the help of the operating system's command line tools, or with a real time traffic and network analyser fed by a port analyser. Port Mirroring, sometimes also called SPAN (Switched Port Analyzer), is a method used on a network switch to send a copy of the network packets seen on one switch port to another switch port that is monitoring it. A mirrored copy is best effort: when the monitored ports carry more traffic than the destination port can take, the switch silently drops part of the copy, so a network tap is preferred where complete capture matters.
12.8.6 DMZ
12.8.6.1 A study of firewalls will never be complete without understanding the technicalities of a demilitarized zone, commonly called a DMZ. It is essentially a computer host or small network inserted as a "neutral zone" between an organisation's private network and the outside public network. It prevents outside users from getting direct access to a server that holds the organisation's data. A DMZ is an optional arrangement that is more secure than a single firewall, and the DMZ host effectively acts as a proxy server as well.
12.8.6.2 In a DMZ configuration, a separate computer receives requests from users within the private network for access to Web sites or to other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. Users of the public network outside the company can access only the DMZ host. The DMZ may typically also hold the company's Web pages so that these can be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted, but no other company information would be exposed.
12.8.6.3 Typically in a bank, and especially in a Core Banking Data Centre, the main data centre runs the prime database (often an Oracle database), and there are a number of application servers which provide the connectivity from user-level systems (like a bank branch, an ATM, the Internet in the case of e-banking, a mail server or other functional servers). In this environment, a data packet coming from an Internet Banking user (i.e. from the Internet cloud) and a data packet coming from the bank's own branch on the intranet cannot be treated in the same manner. The former is prone to carry malware and has to be 'de-risked', i.e. checked, before entering the critical database. In such a scenario, the role of the demilitarized zone assumes enormous significance.
12.9 UNIFIED THREAT MANAGEMENT
12.9.1 Commonly known as UTM, this is a comprehensive solution of recent origin, in use for less than 10 years. Used mainly as a primary network gateway defence solution for organizations, it is basically an all-inclusive security product that has the ability to perform multiple security functions in one single appliance, like network firewall, antivirus, VPN, content filtering, load balancing, gateway Intrusion Prevention System, etc. A single UTM appliance simplifies management of a company's security strategy, with just one device taking the place of multiple layers of hardware and software. With UTMs, all the security solutions can be monitored and configured from one single centralized console. The UTM has a customized OS holding all the security features in one place. This can lead to better integration and more effective functioning than a collection of disparate devices. The same concentration also means that the one appliance is a single point of failure and a single target, so it must be sized for the combined load, kept patched, and hardened with the same care as the functions it replaces.
12.9.2 Let us conclude with the threat of system generated logins. Some computers, when prompting the user to register or to log in, want to ensure that the person logging in is actually a living person and not a machine automatically creating user ids, logging in and thus flooding the system with data entry. To ensure that robot or system generated accesses are denied entry, a technique called CAPTCHA is used, which is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. This is a type of challenge-response test used to ensure that the response is generated by a person. The process usually involves one computer asking a user to complete a simple test, i.e. to type the characters shown in a picture-like image on the screen which the computer has generated. The alphanumeric strings shown below are some examples, which the user will look at and enter in the form. These are normally case sensitive, and the user has to note carefully whether each character is upper case or lower case.

[Two sample CAPTCHA images, numbered 1 and 2, showing distorted text.]

In the examples given above, the words are:
1. IBFSeCuriTy
2. MGUs5Rgod
12.9.3 Many improvements to CAPTCHA are being adopted these days. Since repeated data entry and many thousands of accesses through robots is becoming a bigger attack on a network, whether for remote access or for data entry, improved CAPTCHAs are being deployed. One such common improvement is a CAPTCHA with maths, i.e. a captcha which poses a very simple mathematical question like "2 + 3 =" and requires the answer, 5, to be typed in the space provided, so that the system will understand that a human being is accessing the application and not a machine.
12.9.4 In short, CAPTCHA is a software control built on the premise that it would be impossible for a computer to read the images and do the data entry. Thus it is confirmed that a human being is accessing the application and not a computer system or other mechanical device. Strictly, a CAPTCHA does not authenticate who the user is; it only raises the cost of automated access, and its premise has weakened as optical character recognition and machine learning solvers have improved, so it should be combined with rate limiting and account lockout rather than relied upon alone.
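The server side of the challenge-response test described in 12.9.2 to 12.9.4, as an added example that is not part of the original chapter. Rendering the image is out of scope; the example shows what the server has to get right: the answer never travels to the client, the reply is compared case-sensitively, a challenge expires, and a token can be redeemed only once. The key, lifetime and alphabet are assumptions.

```python
"""Server side of a CAPTCHA-style challenge-response check.

SECRET, LIFETIME and ALPHABET are assumptions. The image (or the arithmetic
question) is shown to the user; the form carries only the opaque token."""
import hashlib
import hmac
import secrets
import string
import time

SECRET = secrets.token_bytes(32)   # assumed per-server key, never sent to the client
LIFETIME = 120                      # seconds a challenge stays valid (assumption)
ALPHABET = string.ascii_letters + string.digits
_redeemed = set()                   # tokens already used once (replay protection)


def _mac(data: str) -> str:
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()


def _token(answer, now=None):
    """Opaque token for the form. It commits to the answer with a keyed MAC, so
    the client learns nothing from it and cannot brute-force the answer offline."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    commit = _mac(f"answer|{nonce}|{answer}")
    payload = f"{issued}|{nonce}|{commit}"
    return f"{payload}|{_mac('token|' + payload)}"


def new_text_challenge(length=8, now=None):
    """Return (string to render as a distorted image, token for the hidden field)."""
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return answer, _token(answer, now)


def new_math_challenge(now=None):
    """Return (question such as '2 + 3 =', token)."""
    a, b = secrets.randbelow(10), secrets.randbelow(10)
    return f"{a} + {b} =", _token(str(a + b), now)


def verify(token, reply, now=None):
    """True only for an untampered, unexpired, unused token and an exact,
    case-sensitive reply. Every failure returns a bare False so the caller
    cannot leak which check tripped."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    issued, nonce, commit, sig = parts
    payload = f"{issued}|{nonce}|{commit}"
    if not hmac.compare_digest(sig, _mac("token|" + payload)):
        return False                                  # tampered token
    current = now if now is not None else time.time()
    if current - int(issued) > LIFETIME:
        return False                                  # expired challenge
    if token in _redeemed:
        return False                                  # replayed token
    if not hmac.compare_digest(_mac(f"answer|{nonce}|{reply}"), commit):
        return False                                  # wrong (or wrong-case) reply
    _redeemed.add(token)
    return True
```

A deployment would keep `_redeemed` in shared storage with the same lifetime as the tokens, and would pair `verify` with per-address rate limiting, since the check itself does nothing to slow a solver farm that answers correctly.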
12.9.5 SIEM
12.9.5.1 As part of network security and network controls, a concept that is increasingly becoming popular is Security Information and Event Management (SIEM). This is a term for software products and services, and it gets its name because it is a combination of SIM, i.e. Security Information Management, and SEM, i.e. Security Event Management. The features of SIEM mainly include gathering security data from the network, analyzing it and presenting such information from network devices, identity and access management, vulnerability management, policy compliance tools etc.
12.9.5.2 Typically SIEM products have the capabilities of alerting and notification, retaining the historical data and assisting in the retrieval of such data, and log management. There are many SIEM products, including a few from global companies like HP, IBM etc.
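What "gathering security data from the network and analysing it" looks like inside a SIEM, as an added example that is not from the original chapter or from any named product. Two constructed log feeds (a firewall and an authentication server, in invented formats) are normalised into one event schema, and a correlation rule raises an alert when one source address produces repeated authentication failures followed by a success, enriched with what the firewall saw from that address earlier.

```python
"""SIEM-style normalisation and cross-source correlation over constructed logs.

The two feeds, their formats, hostnames and addresses are invented for this
example; the rule thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FW_LOGS = """\
2024-05-01T10:00:01Z fw01 DROP src=203.0.113.7 dst=10.0.0.5 dport=23
2024-05-01T10:00:05Z fw01 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:09Z fw01 ACCEPT src=198.51.100.2 dst=10.0.0.5 dport=22
"""

AUTH_LOGS = """\
2024-05-01T10:00:06Z auth01 FAIL user=admin src=203.0.113.7
2024-05-01T10:00:07Z auth01 FAIL user=root src=203.0.113.7
2024-05-01T10:00:08Z auth01 FAIL user=oracle src=203.0.113.7
2024-05-01T10:00:12Z auth01 OK user=oracle src=203.0.113.7
2024-05-01T10:00:10Z auth01 FAIL user=alice src=198.51.100.2
2024-05-01T10:00:30Z auth01 OK user=alice src=198.51.100.2
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalise(fw_text, auth_text):
    """Map both feeds onto one schema (ts, source, kind, src_ip, ...) ordered by time."""
    events = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, dst, dport = m.groups()
            events.append({"ts": _ts(ts), "source": host, "kind": "fw." + action.lower(),
                           "src_ip": src, "dst_ip": dst, "dport": int(dport)})
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"ts": _ts(ts), "source": host, "kind": "auth." + result.lower(),
                           "src_ip": src, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Correlation rule: at least `min_failures` authentication failures from one
    source IP within `window`, followed by a success from the same IP. The alert
    is enriched with the number of earlier firewall drops from that IP."""
    failures = defaultdict(list)
    fw_drops = defaultdict(int)
    alerts = []
    for e in events:                       # events are time ordered, so "earlier" is well defined
        ip = e["src_ip"]
        if e["kind"] == "fw.drop":
            fw_drops[ip] += 1
        elif e["kind"] == "auth.fail":
            failures[ip].append(e["ts"])
        elif e["kind"] == "auth.ok":
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"src_ip": ip, "user": e["user"], "failures": len(recent),
                               "prior_fw_drops": fw_drops[ip], "at": e["ts"]})
    return alerts


def run():
    return brute_force_then_success(normalise(FW_LOGS, AUTH_LOGS))
```

The single alert produced names the account that was finally opened (`oracle`), the three failures before it and the earlier drop of a telnet probe from the same address; the user who mistyped once and then logged in is not flagged. That ordering across sources is what the normalisation step buys.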
12.9.5.3 According to a lecture delivered on 28 Feb 2015 by Shri G Padmanabhan, Executive Director, RBI: "Today, tools like Security Incident and Event Management (SIEM), Network Behaviour Anomaly Detection (NBAD), Data Leakage Prevention (DLP), etc are available which provide deep visibility into operations and quickly detect a security breach. Besides, one approach being increasingly adopted by banks - apart from procuring tools and rules - is following the age-old and time tested method of using analytics. We have all read about the advantages of Big Data and Big Data Analytics. While this is more often used for business development, for mapping customer behaviour and customer preferences, there is scope of using this analysis for general customer behaviour patterns, and whenever there is an exception or an outlier, the computer system could trigger a warning."
(Source: https://rbi.org.in/scripts/BS_SpeechesView.aspx?Id=945, retrieved on 17 Nov 15)
12.9.6 Net neutrality
12.9.6.1 Though net neutrality is not directly related to the security administration of a network, it has a direct bearing on the security features of the network. Net neutrality is based on the principle that Internet Service Providers should treat all data on the Internet without discrimination based on the content, site, platform, application etc. There has been a considerable amount of debate on why the Internet should be open and why all data should be treated equally.
12.9.6.2 Some service providers object to the concept of net neutrality, since they feel that they should have the right to ensure free traffic for the content supplied by the particular content providers (or service providers) with whom they have a contractual obligation, and that they should have the right to block or prioritize content in their network.
12.9.6.3 From a security perspective, where the service provider has the right to block, permit or speed up traffic in the network depending upon its content, the security features of that content become partly the responsibility of the service provider. With the contents of the traffic being widely known, or forming part of the contractual obligation between the parties, information security concerns too get shared between the two, and laxity on the part of one will adversely affect the other, ultimately impacting the data owner the most.
KNOW YOUR PROGRESS
Network and connectivity are the essence of modern day computing. Hence, if proper security controls are not in place to check network access, the result would be disastrous. Many network gadgets are used in organisations, each device having its own specific features, like hubs, routers, switches, bridges etc. All these are to be properly configured with all security features built in. Network configuration is of utmost importance, be it the OSI Model of seven layers or the TCP/IP model's 4 layer approach. There are security concerns in the network impacting the network and the data that flows through it. IPSec is an Internet Protocol suite for securing IP based communication and ensuring security controls by authenticating and encrypting each IP packet of a communication session. VLAN is a segmentation feature allowing computers in a LAN to be grouped together even if not located on the same network switch physically. Multi Protocol Label Switching (MPLS) is a highly scalable data-carrying mechanism that does not depend upon any specific protocol and works independent of it. Voice over IP is the transmission of voice over packet-switched IP networks and is one of the most important emerging trends in telecommunication. As against traditional circuit-based telephony, VoIP transmits voice in a digitized format. Network Address Translation (NAT) is a powerful tool that can be used to hide internal endpoints within a LAN and to enable several internal addresses to use one (external) IP address. Basic NAT, the one to one translation of IP addresses, is normally used when there is a requirement to interconnect two IP networks with incompatible addressing. There are many protocols used in communication, such as http, https, ftp, telnet etc., each useful for certain kinds of transmission, though only some of them (such as https) protect the data in transit; http, ftp and telnet send it in clear. Firewalls are access control devices for the network and can assist in protecting an organisation's internal network from external attacks.

You might also like