INDEX





Introduction…………………………………………………………
OSI Reference Model………………………………………………
TCP/IP……………………………………………………………...
UDP…………………………………………………………………
Network Security Threats…………………………………………..
o Denial of Services (DoS) Attack…………………………….
o Distributed Denial of Services (DDoS) Attack……………...
o IP Spoofing…………………………………………………..
o Network Scanners and Sniffers……………………………...
o Virus…………………………………………………………
o Worm………………………………………………………...
o Trojan Horse…………………………………………………
Securing Networks………………………………………………….
Firewalls…………………………………………………………….
Secure Network Devices……………………………………………
Limitations………………………………………………………...
Conclusion………………………………………………………...





 Bibliography……………………………………………….
 Appendix A – Glossary……………………………………
 Appendix B – Presentation Hand-outs…………………….
1
2
3
4
5
5
7
8
10
13
13
14
15
17
20
21
22
23
24
26
1.Introduction
The rapid growth of the Internet has fuelled the demand for universal connectivity.
However, the open environment of the Internet is a double-edged sword. While the
migration from private to public networks has made it possible for any organization to
extend the global reach of its business, it also exposes the enterprise to a larger variety of
security threats. The recent number of high-profile security breaches experienced by
prominent industry players reveals the inherent vulnerabilities in operating businesscritical applications over public IP-based networks.
According to a study conducted by the Computer Security Institute,
Take a look at these statistics:










Estimated computer crime losses range from $300M to $500B annually
Computer fraud in the U.S. alone exceeds $3B each year
Computer security breaches are rising 20% per year
91% of survey respondents detected computer security breaches
94% detected computer viruses
91% detected employee abuse of Internet access privileges
40% detected system penetration from the outside
Less than 1% of all computer intrusion cases are detected
34% of detected cases are reported
There are over 3,000 hacker web sites
Many organizations think that if they have a firewall or intrusion detection system (IDS)
in place, then they have covered their security bases. Experience bears out that this is not
the case. While important, a firewall alone cannot provide 100 percent protection. In
addition, the rate at which new security threats are unleashed into the public Internet is
phenomenal. Yesterday’s security architectures and general-purpose tools cannot keep
up. For this reason, incumbent network security policies and systems require ongoing
scrutiny in order to remain effective. As Internet access continues to expand and the
quantity and speed of data transfer increases, new security measures must be adapted. In
order to understand how best to secure the enterprise against newer-generation security
threats, it is first necessary to understand the nature of the problem.
2.The ISO/OSI Reference Model
The International Standards Organization (ISO) Open Systems Interconnect (OSI)
Reference Model defines seven layers of communications types, and the interfaces
among them. (See Figure) Each layer depends on the services provided by the layer
below it, all the way down to the physical network hardware, such as the computer's
network interface card, and the wires that connect the cards together.
(Fig: OSI Reference Model)

Physical Layer - Transmits bits over a medium

Data Link Layer - Organizes bits into frames and deals with node-to-node
delivery

Network Layer - Provides Internetworking

Transport Layer - End-to-End message delivery

Session Layer - Establish, Manage and Terminates Sessions

Presentation Layer - Translate, Encrypt, Compress Data

Application Layer - To allow access to Network Resources
3.TCP/IP
TCP/IP (Transport Control Protocol/Internet Protocol) is the ``language'' of the Internet.
Anything that can learn to ``speak TCP/IP'' can play on the Internet. This is functionality
that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI Reference
Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS,
or Windows NT) can easily support applications (such as Netscape's Navigator) that uses
the network.
Open Design
One of the most important features of TCP/IP isn't a technological one: The protocol is
an “open” protocol, and anyone who wishes to implement it may do so freely. Engineers
and scientists from all over the world participate in the IETF (Internet Engineering Task
Force) working groups that design the protocols that make the Internet work. Their time
is typically donated by their companies, and the result is work that benefits everyone.
 TCP
TCP is a transport-layer protocol. It needs to sit on top of a network-layer protocol, and
was designed to ride atop IP. (Just as IP was designed to carry, among other things, TCP
packets.) Because TCP and IP were designed together and wherever you have one, you
typically have the other, the entire suite of Internet protocols is known collectively as
“TCP/IP”. TCP itself has a number of important features that we'll cover briefly.
Guaranteed Packet Delivery
Probably the most important is guaranteed packet delivery. Host A sending packets to
host B expects to get acknowledgments back for each packet. If B does not send an
acknowledgment within a specified amount of time, A will resend the packet.
Applications on host B will expect a data stream from a TCP session to be complete, and
in order. As noted, if a packet is missing, it will be resent by A, and if packets arrive out
of order, B will arrange them in proper order before passing the data to the requesting
application.
This is suited well toward a number of applications, such as a telnet session. A user
wants to be sure every keystroke is received by the remote host, and that it gets every
packet sent back, even if this means occasional slight delays in responsiveness while a
lost packet is resent, or while out-of-order packets are rearranged.
It is not suited well toward other applications, such as streaming audio or video,
however. In these, it doesn't really matter if a packet is lost (a lost packet in a stream of
100 won't be distinguishable) but it does matter if they arrive late (i.e., because of a host
resending a packet presumed lost), since the data stream will be paused while the lost
packet is being resent. Once the lost packet is received, it will be put in the proper slot in
the data stream, and then passed up to the application.
 IP
As noted, IP is a ``network layer'' protocol. This is the layer that allows the hosts to
actually ``talk'' to each other. Such things as carrying datagrams, mapping the Internet
address (such as 10.2.3.4) to a physical network address (such as 08:00:69:0a:ca:8f), and
routing, which takes care of making sure that all of the devices that have Internet
connectivity can find the way to each other.
IP has a number of very important features which make it an extremely robust and
flexible protocol. For our purposes, though, we're going to focus on the security of IP, or
more specifically, the lack thereof.
UDP
UDP (User Datagram Protocol) is a simple transport-layer protocol. It does not provide
the same features as TCP, and is thus considered ``unreliable.'' Again, although this is
unsuitable for some applications, it does have much more applicability in other
applications than the more reliable and robust TCP.
One of the things that make UDP nice is its simplicity. Because it doesn't need to keep
track of the sequence of packets, whether they ever made it to their destination, etc., it
has lower overhead than TCP. This is another reason why it's more suited to streamingdata applications: there's less screwing around that needs to be done with making sure all
the packets are there, in the right order, and that sort of thing.
4.Network Security Threats
There are various types of network threats. We will discuss a few very common threats
here –
Denial of Services (DoS) Attack
DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult to address.
These are the nastiest, because they're very easy to launch, difficult (sometimes
impossible) to track, and it isn't easy to refuse the requests of the attacker, without also
refusing legitimate requests for service.
The premise of a DoS attack is simple: send more requests to the machine than it can
handle. There are toolkits available in the underground community that make this a
simple matter of running a program and telling it which host to blast with requests. The
attacker's program simply makes a connection on some service port, perhaps forging the
packet's header information that says where the packet came from, and then dropping the
connection. If the host is able to answer 20 requests per second, and the attacker is
sending 50 per second, obviously the host will be unable to service all of the attacker's
requests, much less any legitimate requests (hits on the web site running there, for
example).
Such attacks were fairly common in late 1996 and early 1997, but are now becoming less
popular.
Some things that can be done to reduce the risk of being stung by a denial of service
attack include


Not running your visible-to-the-world servers at a level too close to capacity
Using packet filtering to prevent obviously forged packets from entering into your
network address space.
Obviously forged packets would include those that claim to come from your own
hosts, addresses reserved for private networks as defined in RFC 1918 [4], and
the loop back network (127.0.0.0).

Keeping up-to-date on security-related patches for your hosts' operating systems.
Ping of Death Attack
The most common kind of DoS attack is simply to send more traffic to a network address
than the programmers who planned its data buffers anticipated someone might send. The
attacker may be aware that the target system has a weakness that can be exploited or the
attacker may simply try the attack in case it might work. A few of the better-known
attacks based on the buffer characteristics of a program or system include:
1. Sending e-mail messages that have attachments with 256-character file names to
Netscape and Microsoft mail programs
2. Sending oversized Internet Control Message Protocol (ICMP) packets (this is also
known as the Packet Internet or Inter-Network Groper)
3. Sending to a user of the Pine e-mail program a message with a "From" address
larger than 256 characters
Attacker doesn’t need to know anything about the machine he is attacking, except for its
IP address.
e.g. windows: ping –l 65527 –s 1 <hostname>.
SYN Attack
When a session is initiated between the Transport Control Program (TCP) client and
server in a network, a very small buffer space exists to handle the usually rapid "handshaking" exchange of messages that sets up the session. The session-establishing packets
include a SYN field that identifies the sequence in the message exchange. An attacker
can send a number of connection requests very rapidly and then fail to respond to the
reply. This leaves the first packet in the buffer so that other, legitimate connection
requests can't be accommodated. Although the packet in the buffer is dropped after a
certain period of time without a reply, the effect of many of these bogus connection
requests is to make it difficult for legitimate requests for a session to get established. In
general, this problem depends on the operating system providing correct settings or
allowing the network administrator to tune the size of the buffer and the timeout period.
Teardrop Attack
This type of denial of service attack exploits the way that the Internet Protocol (IP)
requires a packet that is too large for the next router to handle be divided into fragments.
The fragment packet identifies an offset to the beginning of the first packet that enables
the entire packet to be reassembled by the receiving system. In the teardrop attack, the
attacker's IP puts a confusing offset value in the second or later fragment. If the receiving
operating system does not have a plan for this situation, it can cause the system to crash.
Smurf Attack
In this attack, the perpetrator sends an IP ping (or "echo my message back to me") request
to a receiving site The ping packet specifies that it be broadcast to a number of hosts
within the receiving site's local network. The packet also indicates that the request is from
another site, the target site that is to receive the denial of service. (Sending a packet with
someone else's return address in it is called spoofing the return address.) The result will
be lots of ping replies flooding back to the innocent, spoofed host. If the flood is great
enough, the spoofed host will no longer be able to receive or distinguish real traffic.
Distributed Denial of Service
Another form of DoS is the DDoS attack. This uses an array of systems connected to the
Internet to stage a flood attack against a single site. Once hackers have gained access to
vulnerable Internet systems, software is installed on the compromised machines that can
be activated remotely to launch the attack. Although recent DDoS attacks have been
launched from both private corporate and public institutional systems, hackers tend to
favor university networks as launch sites because of their open, distributed nature.
Programs used to launch DDoS attacks include Trin00, TribeFlood Network (TFN),
TFN2K and Stacheldraht.
(Fig: Distributed Denial of Service Attack)
5.IP Spoofing
Criminals have long employed the tactic of masking their true identity, from disguises to
aliases to caller-id blocking. It should come as no surprise then, that criminals who
conduct their nefarious activities on networks and computers should employ such
techniques. IP spoofing is one of the most common forms of on-line camouflage. In IP
spoofing, an attacker gains unauthorized access to a computer or a network by making it
appear that a malicious message has come from a trusted machine by “spoofing” the IP
address of that machine. In this article, we will examine the concepts of IP spoofing: why
it is possible, how it works, what it is used for and how to defend against it.
There are a few variations on the types of attacks that successfully employ IP spoofing.
Although some are relatively dated, others are very pertinent to current security concerns.
Non-Blind Spoofing
This type of attack takes place when the attacker is on the same subnet as the victim. The
sequence and acknowledgement numbers can be sniffed, eliminating the potential
difficulty of calculating them accurately. The biggest threat of spoofing in this instance
would be session hijacking. This is accomplished by corrupting the data stream of an
established connection, then re-establishing it based on correct sequence and
acknowledgement numbers with the attack machine. Using this technique, an attacker
could effectively bypass any authentication measures taken place to build the connection.
Blind Spoofing
This is a more sophisticated attack, because the sequence and acknowledgement numbers
are unreachable. In order to circumvent this, several packets are sent to the target
machine in order to sample sequence numbers. While not the case today, machines in the
past used basic techniques for generating sequence numbers. It was relatively easy to
discover the exact formula by studying packets and TCP sessions. Today, most OS’s
implement random sequence number generation, making it difficult to predict them
accurately. If, however, the sequence number was compromised, data could be sent to the
target. Several years ago, many machines used host-based authentication services (i.e.
Rlogin). A properly crafted attack could add the requisite data to a system (i.e. a new user
account), blindly, enabling full access for the attacker who was impersonating a trusted
host.
Man In the Middle Attack
Both types of spoofing are forms of a common security violation known as a man in the
middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate
communication between two friendly parties. The malicious host then controls the flow
of communication and can eliminate or alter the information sent by one of the original
participants without the knowledge of either the original sender or the recipient. In this
way, an attacker can fool a victim into disclosing confidential information by “spoofing”
the identity of the original sender, who is presumably trusted by the recipient.
Misconceptions of IP Spoofing
While some of the attacks described above are a bit outdated, such as session hijacking
for host-based authentication services, IP spoofing is still prevalent in network scanning
and probes, as well as denial of service floods. However, the technique does not allow for
anonymous Internet access, which is a common misconception for those unfamiliar with
the practice. Any sort of spoofing beyond simple floods is relatively advanced and used
in very specific instances such as evasion and connection hijacking.
REA
L
VICTIM
FAKE
(Fig: IP Spoofing)
Network Scanners and Sniffers
A "sniffer" is a program that monitors communications on a local area network, or
"LAN".
Many of LANs are made up of shared Ethernet network segments on which all systems
communicate using the same physical medium. Practically any systems on these shared
Ethernet LANs can be turned into a sniffer that can be used to steal passwords of users
connecting to and from hosts on that LAN.
Sniffers work by monitoring the communication flow on a LAN to find when someone
begins using a network service, such as a terminal emulator session using "telnet", a file
transfer session using "ftp", or a remote electronic mail session using IMAP or POP
services.
All these services are all handled with "protocols" and each protocol, or service, has its
own identifying number. When you connect from one computer to another computer
using a particular service, its like making a call to a switchboard, where an operator asks
what extension you want and then transfers your call, going back to wait patiently to
accept a new call.
Similar to the diplomatic term, "protocols" are strict rules that define how a particular
session is established, how your account is identified and authenticated, and how the
service is used. It is the authentication part of these protocols, which occurs at the start of
every session, that the sniffer gathers.
The first part of many protocols goes something like this:
A: Hello COMPUTER B? I'd like to start a file transfer session.
B: Hello, COMPUTER A. For whom should I transfer files?
A: USER "swar" would like transfer files.
B: What is the PASSWORD for "swar"?
A: The PASSWORD is "saurabhsule".
B: That matches the password for "swar" that I have stored; "saurabhsule"
may now transfer files.
...and so on.
Password Sniffing
To understand how the sniffer works, lets use an analogy of the LAN as a hallway in a
building, with each room being a computer.
Each room (computer) has a doorway connecting it to the hall (the network), and there is
a person standing in each doorway (a "network interface") to facilitate communication. A
client is a person sitting in one room, and they will communicate with a server, which is a
person sitting in another room.
The client and server communicate by sending each other postcards (which are the
"packets" of information that travel on a real LAN). Each postcard has a source address
(the client's identification and room where that postcard is sent FROM) and a destination
address (the room where the postcard is going TO). The server is also identified, by its
service, or protocol, number (FTP, used for file transfer, is service #21).
To handle just the first part of this protocol (establishing the FTP connection), someone
in room A addresses a postcard to someone in room B, requesting an FTP session, and
the postcard is passed out into the hallway. Each network interface sees each postcard as
it travels down the hall. If the postcard is not addressed to someone in that room, the
interface ignores the postcard and nobody inside the room sees it.
If, on the other hand, the interface is put into a special mode called "promiscuous mode",
that is like the person standing at the door making a photocopy of every postcard it sees
and passing it into the room to someone (the sniffer) who asks to see every postcard.
They aren't supposed to do this, but there is nothing to stop them in this scenario and no
way to tell they are doing it (sniffing is a passive activity, that leaves no trace on the
network itself; it does, however, leave a trace on the computer that is being used as the
sniffer.)
Playing out the protocol for transferring files shown above, but on postcards this time, the
sniffer in room C ends up with a stack of postcards that look like this:
From: A, To: B, service FTP – connect
From: B, To: A, service FTP -- connection accepted, USER?
From: A, To: B, service FTP -- USER swar
From: B, To: A, service FTP -- PASSWORD?
From: A, To: B, service FTP -- PASSWORD saurabhsule
From: B, To: A, service FTP -- READY
The sniffer only cares about the first few postcards that start the session, because this is
where all the good information is found. In this case, the sniffer makes a note in their
sniffer log that looks something like this:
Computer A => Computer B [FTP]
USER swar
PASS saurabhsule
----[END]----
This shows that we made an FTP connection, to an account on computer B with the name
"swar" and that our password is "saurabhsule". The person reading the log can also infer
that we may also have an account on computer A (if it is another Unix system and not a
single-user PC or Macintosh) and that the odds are good that we have the same password
on that system.
The key is that the sniffer is (a) able to monitor the communication channel and (b) our
password travels the channel in readable form, often called "clear text".
Typical uses of such sniffing programs include:





Logging network traffic.
Solving communication problems such as: finding out - why computer A cannot
communicate with computer B.
Analyzing network performance. The bottlenecks present in the network can be
discovered, or the part of the network where data is lost, due to network congestion
can be found.
Detection of network intruders - to discover hackers/crackers.
Retrieving user-names and passwords of people logging on to the network.
6.Virus
A virus is basically a computer program, which is coded such that it causes a lot of havoc
on the computer. This code produces certain unrequired tasks on our computer such as
producing sounds, crazy displays or even a hard disk crash!!!
Different types of viruses
 Boot sector virus
These viruses infect either the master boot record of the hard disk or the floppy
drive. The boot record program responsible for the booting of the operating
system is replaced by the virus. The virus either copies the master boot program
to another part of the hard disk or overwrites it. E.g. Michelangelo, Stone

File or program virus
These infect program files like files with extensions like .exe, .com, .bin, .drv and
.sys. Some file viruses just replicate while others destroy the program being used
at that time.

Multipartite virus
They are a hybrid between file and boot viruses. They first infect the boot sector
and once they are loaded into the memory they start infecting other files on the
hard disk.

Stealth virus
These viruses avoid detection by redirecting the head or reducing the size of the
program file so as to avoid detection by stealth antivirus software’s.

Polymorphic virus
These viruses have the ability to mutate implying that they change the viral code
known as the signature each time they spread or infect.

Macro virus
These viruses are evil visual Basic applications which create lots of problems on
our PC. E.g. Melissa virus.
Worm
A worm is a self-replicating virus that does not alter or damage files, but rather duplicates
itself to other computers over the network, Internet, or through e-mail.
Worms often go undetected until their attempts to spread overwhelm the computer or
network, bringing everything to a grinding halt.
e.g. Klez (sends itself to users listed in the Windows address book using forged return
addresses), Bugbear (spreads across Windows network shares and causes printers to spew
garbage), SQL Slammer (targets unpatched Microsoft SQL Servers)
Trojan Horse
The Trojan legacy was started in an ancient myth, according to which, during the war, the
Greeks presented a wooden horse to their enemy and during the night, Greek soldiers
jumped out of the wooden horse and defeated the enemy. It was restarted in the
computing world when "Cult of the Dead Cow" made "Back Orifice", which is the most
famous Trojan ever, and it's port 31337 is one of the most popular numbers.
A Trojan horse is a program that works against a user, more or less like a virus, and is
mostly contained in programs that look legitimate, but have a very dark side. These
Trojans work in the "background", i.e. invisible to you. They do things that can render
you almost powerless. All Trojans have a specific cause, for which hackers use them.
Most of them are RATs (Remote Administration Tools). These programs are used by
hackers to attack lamer. Having most Trojans on your computer is harmless. Executing
them causes the problem.
Different types of Trojans
a. Remote Access Tools (RAT)
b. Key loggers' Trojan
c. Password Retrievers
d. FTP Trojans
What does a Trojan do
A RAT Trojan runs a server on your computer, which enables the hacker to connect to
your computer and execute various functions. Even if you have some idea on these
Trojans, you most probably won't know that you're infected. This is because newer
Trojans are being developed everyday, that are better and more effective than the older
ones. Powerful Trojans give the hacker more control of your computer than you yourself
have, sitting in front of it! Others just allow some easy fun functions, and still others have
common functions like downloading/uploading. The Trojan also restarts every time you
put on your computer. About what a Trojan can do? It can at the most destroy your
computer!
How does a Trojan work
A RAT Trojan is mostly contained in bigger programs. So, when you run the program,
you automatically trigger the Trojan. This Trojan runs a server on a particular port, which
will enable the hacker to connect to the port in your computer with utmost ease and do
God Knows What! He now has access to all your system resources, if he's using a
powerful Trojan, he can do almost anything. There is nothing you can do to stop him, if
you don't know which is the Trojan and don't have any clue about what it is. The Trojan
then copies itself to a location on your computer, which, here there is almost 100%
possibility that you won't see, and even if you see, you won't realize that it is a Trojan.
Then, the Trojan makes a registry entry or changes the win.ini file, to enable itself to
restart every time you put on your computer.
6.Securing the Networks
Network administrators, besides maintaining computer networks, frequently play a major
role defending an organization’s critical information assets. It is much easier for them to
be effective if they choose a systematic approach to network security. One such method
was developed at the CERT Coordination Center. Called the Security Knowledge in
Practice method (or the “SKiP” method for short), it consists of steps to secure network
software, “harden” a network (make it difficult to break into), detect and respond to
network intrusions, and then to improve the system based on a review of events.
There are seven steps in the SKiP method, each with an associated set of security
practices:
1. Select systems software from a vendor and customize it according to an organization’s
needs.
2. Harden and secure the system against known vulnerabilities.
3. Prepare the system so that anomalies may be noticed and analyzed for potential
problems.
4. Detect those anomalies and any other system changes that could indicate evidence of
an intrusion.
5. Respond to intrusions when they occur.
6. Improve practices and procedures after updating the system.
7. Repeat the SKiP process as long as the organization needs to protect the system and its
information assets.
Customizing Vendor Software
The first step is to identify tasks a system must perform and configure it to fulfill
essential functions while eliminating those that are unnecessary or vulnerable. Because
securing a system is challenging (especially for a novice administrator) it is often
neglected. In this step, network administrators do the following:
 Eliminate services that are unneeded and insecurely configured
 Restrict access to vulnerable files and directories
 Turn off software “features” that introduce vulnerabilities
 Mitigate vulnerabilities that intruders can use to break into systems
Harden and Secure the Network
In the Harden/Secure step, network administrators configure their system to meet
organizational security requirements, retaining only those services and features needed to
address specific business needs. Securing a system against known attacks eliminates
vulnerabilities and other weaknesses commonly used by intruders. The practices
performed during this step may change over time to address new attacks and
vulnerabilities.
Prepare
To meet the challenge of recognizing new vulnerabilities, network administrators
characterize their system in the Prepare step. They work to understand and describe
normal system behavior since any deviations may indicate an intrusion. After completing
a system characterization, an administrator knows what to expect in terms of –




Changes in files and directories and the operating system
Normal processes, when they run, by whom, and what resources they consume
Network traffic consumed and produced
Hardware inventory on the system
Detect
In the Detect step, network administrators monitor the hardened and prepared system to
detect changes. While some changes are predictable and constitute normal behavior,
administrators concentrate on detecting signs of anomalous or unexpected behavior since
it may indicate possible intrusions and system compromise.
Administrators also watch for early warning signs of potential intruder actions such as
scanning and network mapping attempts. This step occurs as administrators monitor
systems running in a production environment (such as looking at the logs produced by a
firewall system or a public web server).
Respond
In the Respond step, the network administrator responds to an intrusion and contains it. A
successful response means that the system is returned to its normal operational capability.
There are many actions that make up this step. For instance, if some unexpected system
behavior caught the attention of the network administrator, they may choose to –
 Analyze the damage caused by the intrusion and respond by adding new
technology or procedures to combat it
 Monitor an intruder’s actions in order to discover all access paths and entry points
before acting to restrict intruder access.
 Eliminate future intruder access
 Return the system to a known, operational state while continuing to monitor and
analyze
Improve the System
After completing a review of the incident, network administrators improve their system
in this step. They may –




Hold a post-mortem review meeting to discuss lessons learned
Update policies and procedures
Select new tools
Collect data about the resources required to deal with the intrusion and document
the damage it caused
Repeat the Cycle of Steps
Finally, network administrators add any changes they made during the first six steps back
into the system’s characterization baseline. Now operating at a higher level of security,
the system will function as designed until a new security challenge arises. Then the
administrator can once again call upon the SKiP method.
7.Firewalls
As we've seen in our discussion of the Internet and similar networks, connecting an
organization to the Internet provides a two-way flow of traffic. This is clearly undesirable
in many organizations, as proprietary information is often displayed freely within a
corporate intranet (that is, a TCP/IP network, modeled after the Internet that only works
within the organization).
In order to provide some level of separation between an organization's intranet and the
Internet, firewalls have been employed. A firewall is simply a group of components that
collectively form a barrier between two networks. A number of terms specific to firewalls
and networking are going to be used throughout this section, so let's introduce them all
together.
Bastion host
A general-purpose computer used to control access between the internal (private)
network (intranet) and the Internet (or any other untrusted network). Typically, these are
hosts running a flavor of the Unix operating system that has been customized in order to
reduce its functionality to only what is necessary in order to support its functions. Many
of the general-purpose features have been turned off, and in many cases, completely
removed, in order to improve the security of the machine.
Router
A special purpose computer for connecting networks together. Routers also handle
certain functions, such as routing, or managing the traffic on the networks they connect.
Access Control List (ACL)
Many routers now have the ability to selectively perform their duties, based on a number
of facts about a packet that comes to it. This includes things like origination address,
destination address, destination service port, and so on. These can be employed to limit
the sorts of packets that are allowed to come in and go out of a given network.
Demilitarized Zone (DMZ)
The DMZ is a critical part of a firewall: it is a network that is neither part of the untrusted
network, nor part of the trusted network. But, this is a network that connects the untrusted
to the trusted. The importance of a DMZ is tremendous: someone who breaks into your
network from the Internet should have to get through several layers in order to
successfully do so. Those layers are provided by various components within the DMZ.
Proxy
This is the process of having one host act in behalf of another. A host that has the ability
to fetch documents from the Internet might be configured as a proxy server, and host on
the intranet might be configured to be proxy clients. In this situation, when a host on the
intranet wishes to fetch the <http://www.interhack.net/> web page, for example, the
browser will make a connection to the proxy server, and request the given URL. The
proxy server will fetch the document, and return the result to the client. In this way, all
hosts on the intranet are able to access resources on the Internet without having the ability
to direct talk to the Internet.
Types of Firewalls
There are three basic types of firewalls, and we'll consider each of them.
Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy
gateways. These are made up of bastion hosts that run special software to act as a proxy
server. This software runs at the Application Layer of our old friend the ISO/OSI
Reference Model, hence the name. Clients behind the firewall must be prioritized (that is,
must know how to use the proxy, and be configured to do so) in order to use Internet
services. Traditionally, these have been the most secure, because they don't allow
anything to pass by default, but need to have the programs written and turned on in order
to begin passing traffic.
(Fig: Application Gateway)
These are also typically the slowest, because more processes need to be started in order to
have a request serviced. Figure shows a application gateway.
Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned
on. By default, a router will pass all traffic sent it, and will do so without any sort of
restrictions. Employing ACLs is a method for enforcing your security policy with regard
to what sorts of access you allow the outside world to have to your internal network, and
vice versa.
There are fewer overheads in packet filtering than with an application gateway, because
the feature of access control is performed at a lower ISO/OSI layer (typically, the
transport or session layer). Due to the lower overhead and the fact that packet filtering is
done with routers, which are specialized computers optimized for tasks related to
networking, a packet filtering gateway is often much faster than its application layer
cousins. Figure 6 shows a packet-filtering gateway.
Because we're working at a lower level, supporting new applications either comes
automatically, or is a simple matter of allowing a specific packet type to pass through the
gateway. (Not that the possibility of something automatically makes it a good idea;
opening things up this way might very well compromise your level of security below
what your policy allows.)
There are problems with this method, though. Remember, TCP/IP has absolutely no
means of guaranteeing that the source address is really what it claims to be. As a result,
we have to use layers of packet filters in order to localize the traffic. We can't get all the
way down to the actual host, but with two layers of packet filters, we can differentiate
between a packet that came from the Internet and one that came from our internal
network. We can identify which network the packet came from with certainty, but we
can't get more specific than that.
Hybrid Systems
In an attempt to marry the security of the application layer gateways with the flexibility
and speed of packet filtering, some vendors have created systems that use the principles
of both.
(Fig.: packet filtering gateway)
Other possibilities include using both packet filtering and application layer proxies. The
benefits here include providing a measure of protection against your machines that
provide services to the Internet (such as a public web server), as well as provide the
security of an application layer gateway to the internal network. Additionally, using this
method, an attacker, in order to get to services on the internal network, will have to break
through the access router, the bastion host, and the choke router.
8.Secure Network Devices
It's important to remember that the firewall only one entry point to your network.
Modems, if you allow them to answer incoming calls, can provide an easy means for an
attacker to sneak around your front door (or, firewall). Just as castles weren't built with
moats only in the front, your network needs to be protected at all of its entry points.
Secure Modems
If modem access is to be provided, this should be guarded carefully. The terminal server,
or network device that provides dial-up access to your network needs to be actively
administered, and its logs need to be examined for strange behavior. Its password need to
be strong -- not ones that can be guessed. Accounts that aren't actively used should be
disabled. In short, it's the easiest way to get into your network from remote: guard it
carefully.
There are some remote access systems that have the feature of a two-part procedure to
establish a connection. The first part is the remote user dialing into the system, and
providing the correct user-id and password. The system will then drop the connection,
and call the authenticated user back at a known telephone number. Once the remote user's
system answers that call, the connection is established, and the user is on the network.
This works well for folks working at home, but can be problematic for users wishing to
dial in from hotel rooms and such when on business trips.
Other possibilities include one-time password schemes, where the user enters his user-id,
and is presented with a ``challenge,'' a string of between six and eight numbers. He types
this challenge into a small device that he carries with him that looks like a calculator. He
then presses enter, and a ``response'' is displayed on the LCD screen. The user types the
response, and if all is correct, he login will proceed. These are useful devices for solving
the problem of good passwords, without requiring dial-back access. However, these have
their own problems, as they require the user to carry them, and they must be tracked,
much like building and office keys.
No doubt many other schemes exist. Take a look at your options, and find out how what
the vendors have to offer will help you enforce your security policy effectively.
Crypto-Capable Routers
A feature that is being built into some routers is the ability to session encryption between
specified routers. Because traffic traveling across the Internet can be seen by people in
the middle who have the resources (and time) to snoop around, these are advantageous
for providing connectivity between two sites, such that there can be secure routes.
Virtual Private Networks
Given the ubiquity of the Internet, and the considerable expense in private leased lines,
many organizations have been building VPNs (Virtual Private Networks). Traditionally,
for an organization to provide connectivity between a main office and a satellite one, an
expensive data line had to be leased in order to provide direct connectivity between the
two offices. Now, a solution that is often more economical is to provide both offices
connectivity to the Internet. Then, using the Internet as the medium, the two offices can
communicate.
The danger in doing this, of course, is that there is no privacy on this channel, and it's
difficult to provide the other office access to “internal” resources without providing those
resources to everyone on the Internet.
VPNs provide the ability for two offices to communicate with each other in such a way
that it looks like they're directly connected over a private leased line. The session
between them, although going over the Internet, is private (because the link is encrypted),
and the link is convenient, because each can see each other’s internal resources without
showing them off to the entire world.
A number of firewall vendors are including the ability to build VPNs in their offerings,
either directly with their base product, or as an add-on. If you need to connect several
offices together, this might very well be the best way to do it.
9.Limitations of Existing Security Solutions
Apart from providing only part of the overall security system needed to secure today’s
business networks, most security methods in use today are limited in terms of
functionality, capacity and performance.
For example, most firewalls use packet-filtering techniques to accept or deny incoming
packets based on information contained in the packets’ TCP and IP headers, such as
source address, destination address, application, protocol, source port number or
destination port number.
Firewalls and IDS solutions take this to the next level with intelligence capabilities that
allow them to look more deeply into packets and provide more granular application
traffic analysis. However, this often causes network latency problems for these solutions
alone. In order to determine if a flow is legitimate traffic, an intelligent firewall needs to
analyze a series of incoming packets in sequence before allowing or blocking each
packet’s entry into the network.
This can take its toll on the firewall’s server processor. If a firewall has to wait for five or
six packets to line up before making the appropriate determination for each packet, this
creates a 500 to 600 percent increase in network latency. This traffic flow slowdown is
counterproductive to the increased bandwidth provided by today’s high-speed WAN
environments. At speeds approaching a full T3 line (45Mbps), today’s firewalls do not
have the throughput to keep pace, especially when network traffic consists primarily of
small packets.
With LAN speeds and Internet link speeds pushed to 100Mbps and beyond, securityfiltering platforms need to be accelerated to keep up with the flow.
An additional limitation in most existing IDS solutions is the inability to entrap network
intruder data and redirect it to a secure location in order to perform forensic analysis. This
can be key to discovering network intrusion patterns and guarding against future attacks.
Furthermore, a current trend by organizations to centralize anti-virus protection on server
or firewall systems further contributes to overall network latency due to system
bottlenecks.
Conclusion
Security is a very difficult topic. Everyone has a different idea of what “security” is, and
what levels of risk are acceptable. The key for building a secure network is to define what
security means to your organization. Once that has been defined, everything that goes on
with the network can be evaluated with respect to that policy. Projects and systems can
then be broken down into their components, and it becomes much simpler to decide
whether what is proposed will conflict with your security policies and practices.
Many people pay great amounts of lip service to security, but do not want to be bothered
with it when it gets in their way. It's important to build systems and networks in such a
way that the user is not constantly reminded of the security system around him. Users
who find security policies and systems too restrictive will find ways around them. It's
important to get their feedback to understand what can be improved, and it's important to
let them know why what's been done has been, the sorts of risks that are deemed
unacceptable, and what has been done to minimize the organization's exposure to them.
Security is everybody's business, and only with everyone's cooperation, an intelligent
policy, and consistent practices, will it be achievable.
REFERENCES
 Network Security – Ankit Fadia

Data Communication and Networking – Behrouz Forouzn

J.P. Holbrook, J.K. Reynolds. “Site Security Handbook.'' RFC 1244.

http://www.cert.org/

http://www.google.com/

http://neworder.box.