7 Network Security: Core Concepts
Manoj Kumar
I. Objectives
The prime objective of this module is to provide an overall idea of network security and its importance in an organization. The threats and challenges to network security, and the major kinds of threats found in a network, will be discussed. In addition, the proper remedies and measures to be taken to protect data and information in a network environment are also highlighted. Major threats such as viruses, Trojans, malware, spyware, DoS attacks and hacking, together with IDS and the implementation of anti-virus software as well as firewalls, are discussed.
II. Learning Outcome
On completion of this lesson, you will have attained knowledge of the basics of network security and its importance for network and data integrity. You will learn about the major threats and challenges to network security and the software and hardware solutions available for network security. You will also gain knowledge about implementing proper network security by formulating appropriate policies for the user as well as for the organization, with proper network security devices.
III. Module Structure
1. Introduction
2. Network Authentication
3. Types of Network Attacks
3.1 Eavesdropping
3.2 Data Modification
3.3 Identity Spoofing (IP Address Spoofing)
3.4 Password-Based Attacks
3.5 Denial-of-Service (DOS) Attack
3.6 Man-in-the-Middle Attack
3.7 Compromised-Key Attack
3.8 Sniffer Attack
3.9 Application-Layer Attack
4. Virus
4.1 Trojan Horse
4.2 Malware/Spyware
4.3 Anti- Virus Programmes
5. Protection using UTM and Firewall
6. DMZ for hosting and IDS
7. Summary
8. References
1. Introduction
Security is a global issue, and one needs to protect one's valuables, data and information, even one's home and nation, with proper security. Physical security can be easily achieved by physical means such as lock and key, fencing, creating walls, making compartments, etc. Physical security of a computer system can also be attained by placing it in a safe place, under lock and key, or inside a compartment with proper security. But network security is a challenge since it involves interconnections of computers for resource sharing. Security for computer networks and information has to be implemented at various levels in order to protect data and information. The objective of this module is to discuss threats and challenges to network security, such as hacking, phishing attempts, viruses, Trojans, spyware, etc. over the network, and the various measures and methods of protection against these threats.
The prime objective of network security is to protect the confidentiality of data, maintain the integrity and correctness of data, and make data available for use over the network on a 24 × 7 basis. Everyone would like seamless and uninterrupted access to the resources over the network. Since computer networks are technically a cluster of interconnected computers, heterogeneous in their content and technology, ensuring security for the network is a major challenging task. Threats to the network may come from both inside and outside. The scope and function of networks have grown to a bigger magnitude with the worldwide connection of computers, i.e. the Internet. Since each computer is getting connected to a global network, security has to be ensured for every user and machine. Security has to be implemented at various levels, such as the user level, organizational level and national level. Security also needs to be enforced for the network of computers as well as for information. Once the network is protected, information is also automatically protected to a great extent.
A major threat to an individual user in a network environment is the threat of viruses and their variants. In addition to viruses, there are similar threats like Trojans, spyware, adware, etc. Before exploring these threats, let us discuss how a legitimate user enters a system connected to the network and how user-level security is ensured.
2. Network Authentication
In a network, before a user is allowed to access information from his/her computer, one must ensure that he/she is a legitimate user on the network. This is established by giving the user an identity in the network system. Checking such a valid identity is called authentication. Authentication can be established on computer networks by providing a username and password, or by storing the IP address of the machine in advance in a centralised server. The IP address is a unique ID for a user over a network. It can be a local IP address (for example 192.168.x.x or 172.16.x.x) or a global or public IP address (for example 14.139.x.x or 8.8.8.8).
In addition to these mechanisms of authentication, one can also use recent techniques such as biometrics, fingerprint, face recognition software, voice recognition, etc. for making a valid entry into a system.
Such tools are used to authenticate a simple ‘login’ to a computer system; with a user name and password, a user obtains credentials for authenticating to the network. Unauthorized users can be denied access to information by requiring valid authentication for each and every user in the network. But no one can create user names and passwords for all users over a wide network like the Internet. It is possible to provide service-level passwords, similar to the passwords assigned for email services (for example Gmail), and a user can have a password for accessing e-resources; a user can have different passwords for different login purposes, but it is not easy to assign a single password for all services.
It is suggested to create users with authentication at different levels, and every organization must have its own authentication policy. This level of authentication can protect the network from unauthorised or unknown users trying to access resources. If a user is denied access to the network, he/she cannot access other resources either. Therefore, authentication is the mechanism by which one generally prevents illegitimate users from accessing resources. As mentioned, a good password is a secure mechanism for a user to log in to a network. It is suggested not to use simple words or dictionary words for passwords; instead one should use alphanumeric characters in combination with special characters. Banking and other financial services over the Internet do not accept simple passwords. It is also suggested to change the password at least once in three or six months, so that even if an inexperienced person hacks the system and gains temporary access to the data, the password change will help to retrieve the access. Authenticated systems are also vulnerable to threats from outside as well as from inside. A few such threats are discussed below.
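Here is an added example (not part of the original module) of the password checks recommended above, with a salted password store and an expiry test for the three-to-six-month change rule. The dictionary words, the 10-character minimum and the 90-day limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed stand-in for a real dictionary wordlist (assumption: a deployment
# would load a full wordlist file instead).
DICTIONARY_WORDS = {"password", "welcome", "letmein", "admin", "library", "secret"}

# Policy parameters. The module asks for alphanumeric plus special characters
# and a change every three to six months; the minimum length and the 90-day
# limit are assumptions chosen for this example.
MIN_LENGTH = 10
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 200_000

# Common substitutions such as "p@ssw0rd"; undone before the dictionary check.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def check_password_policy(password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Lower-case, undo substitutions, keep letters only, then look for dictionary words.
    core = re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))
    if any(word in core for word in DICTIONARY_WORDS):
        problems.append("based on a dictionary word")
    return problems


def password_expired(last_changed, today):
    """True when the password (ISO dates, 'YYYY-MM-DD') is older than MAX_AGE_DAYS."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=MAX_AGE_DAYS)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the stored record never holds the clear-text password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register_user(users, username, password, last_changed):
    """Store a user only if the password satisfies the policy; raise otherwise."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "digest": digest, "last_changed": last_changed}


def authenticate(users, username, password, today):
    """Return 'ok', 'unknown-user', 'bad-credentials' or 'expired'."""
    record = users.get(username)
    if record is None:
        # Hash anyway so unknown and known names take the same time to answer.
        hash_password(password, b"\x00" * 16)
        return "unknown-user"
    if not verify_password(password, record["salt"], record["digest"]):
        return "bad-credentials"
    if password_expired(record["last_changed"], today):
        return "expired"
    return "ok"


if __name__ == "__main__":
    users = {}
    register_user(users, "alice", "Tr0ub4dor&3xyz", "2024-03-01")
    print(authenticate(users, "alice", "Tr0ub4dor&3xyz", "2024-04-15"))  # ok
    print(authenticate(users, "alice", "Tr0ub4dor&3xyz", "2024-09-01"))  # expired
    print(check_password_policy("P@ssw0rd!!"))  # ['based on a dictionary word']
```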
3. Types of Network Attacks
Without proper security measures, data may be subjected to various kinds of attacks. Attacks are classified as passive attacks, where information is only observed, and active attacks, where information is altered with intent to corrupt or destroy the data or the network. Networks and data are vulnerable to any of the following types of attacks if one does not have a security plan in place.
3.1. Eavesdropping
Much network communication happens in an unsecured or “clear text” format, which allows an attacker to “listen in” on or interpret (read) the data passing through the network if he/she gains access to the network by improper means. When an attacker is eavesdropping, it is referred to as sniffing or snooping. This kind of eavesdropping is one of the biggest security problems that administrators face while managing the network. Eavesdropping can be avoided by using strong encryption services based on cryptography.
3.2. Data Modification
If an attacker gets access to someone’s data, the next logical step is to modify it. A smart attacker can even modify the data in a packet without the knowledge of the sender or receiver.
3.3. Identity Spoofing (IP Address Spoofing)
The identity of a user on a network is established through the IP address assigned to the user while logging into the network. An IP address is a valid and unique identity which gives authorisation to a user. It is possible for a smart attacker to falsely assume an IP address, i.e. identity spoofing. An attacker can also use a special program to construct IP packets that appear to originate from valid addresses. After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete the data.
3.4. Password-Based Attacks
As discussed under network authentication, a user gets access through password-based access control. Access rights to a computer and network resources are determined by the identity a user has, normally a user name and password. When an attacker finds a valid user account and gets the password, the attacker has the same rights as the real user. This is very dangerous if the user has administrator-level rights: in such cases the attacker gets full access rights to do anything in the system. After gaining access to a network with a valid account, an attacker can do any of the following:
• Obtain lists of valid user and computer names and network information;
• Modify server and network configurations, including access controls and routing tables, which is a very serious threat; or
• Modify, reroute, or delete data.
3.5. Denial-of-Service (DOS) Attack
Unlike a password-based attack, the denial-of-service attack prevents normal use of a computer or network by valid users. A DoS attack is generally carried out by flooding a computer or the entire network with traffic until a shutdown occurs due to overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
3.6. Man-in-the-Middle Attack
Man-in-the-middle attacks involve someone assuming the identity of a user in order to read his/her messages. The person on the other end might believe it is you, because the attacker might be actively replying to you to keep the exchange going and gain more information.
3.7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. After an attacker obtains a key, that key is referred to as a compromised key. An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and may try to use the compromised key to compute additional keys.
3.8. Sniffer Attack
A sniffer is an application or device that can monitor and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated packets can be broken open and read unless they are encrypted. Using a sniffer, an attacker can analyze the entire network and gain information to eventually cause the network to crash or become corrupted.
3.9. Application-Layer Attack
An application-layer attack targets application servers by causing a fault in the server’s operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, to introduce a virus program or a sniffer program, or to disable other security controls to enable future attacks. Viruses, Trojans, worms, adware and spyware generally belong to active attacks and are major threats to security.
4. Virus
A virus is a computer program with malicious logic which replicates itself repeatedly over the network. A computer virus works like a biological virus: it enters the computer without notice to the user of the system, spreads to other computers, maintains its dormancy and keeps its polymorphic nature. The name is coined from Vital Information Resource Under Siege (VIRUS). Computer viruses are executable computer programs designed to replicate and damage the computer system without the user’s knowledge and permission. A computer virus gets activated on certain trigger conditions known as a “catalyst”. A computer virus program is a logical activity and has its own mechanism to avoid detection by the user and to activate at a particular time or occasion. Such viruses are called “stealth viruses”. The trigger could be a particular date, for example Thursday 12th (alias CD) or Friday the 13th for the Jerusalem virus. Sometimes code is also embedded in a legitimate programme, i.e. set to explode when certain conditions are met; such viruses are called logical viruses.
A virus can affect the operating system, computer files, data files, executable programs, bootable disks, hard disk partitions, the boot sector, etc. Generally, when activated it can hide in RAM (Random Access Memory), upper memory, high memory, as a TSR (Terminate and Stay Resident) program, in the MBR (Master Boot Record), or in extended and expanded memory. Viruses are categorized into boot sector infectors and program file infectors (for example .exe, .doc, .sys, .dll, .ovl, .scr, .xa, .xls).
The nature of the following viruses and illegal activities on the network may be learned from anti-virus web sites:
• Adware (advertising software)
• Armored viruses
• Benign virus
• Bomb virus
• Boot virus (boot sector virus)
• Botware
• Browser hijacker
• Companion virus
• Dialer (phone dialer)
• FAT virus (File Allocation Table virus)
• File deleting viruses
• Keyloggers
• Macro virus
• Malware (malicious software)
• Mass mailer viruses
• Memory resident virus
• Multipartite virus
• Multiple characteristic viruses
• Parasitic virus
• Polymorphic virus
• Programme virus
Some viruses attack web servers and network management programmes and stop legitimate users from accessing data from the server by denial of service (DoS attacks), as discussed earlier. Zombie is an example of this type of virus. It is estimated that at least 100000 viruses are in circulation as on date. Use of proper anti-virus software and regular updates of the signatures of new viruses can protect the system from virus attacks. A virus cannot damage hardware such as keyboards, monitors, printers, etc. On detection of a virus, it can be isolated from normal programmes; this is called quarantine.
4.1. Trojan Horse
A Trojan horse is a type of non-self-replicating malware programme containing malicious code which carries out predetermined actions based on the nature of the Trojan. On execution it causes loss or theft of data or slows down the performance of the system. A Trojan acts as a back-door entry programme that gets dropped into a system without the notice of the user. A Trojan may also give a hacker remote access to the targeted computer system. A harmful Trojan horse can damage a system in many ways, such as crashing the computer, data corruption, formatting the disk, keystroke logging, deletion of files, data theft, performing automated spamming or denial-of-service attacks, viewing the user’s webcam, modification of the registry, downloading and installing third-party malware, etc.
4.2. Malware/Spyware
Nowadays, viruses can also attach to data files such as .doc, .xls, .pps, .mdb, etc. Such viruses are called “macro” viruses. Some of these viruses are polymorphic in nature, mutating and changing their identifiable code with each infection. Macro viruses are generally independent ‘malware’ programmes which do not require any host; they replicate themselves and spread. In contrast to viruses, some malicious programmes do not replicate; such programmes are called “Trojan horses”.
A spyware programme gathers information about a person or organisation without their knowledge. Spyware is classified into four types: system monitors, Trojans, adware and tracking cookies.
4.3. Anti-Virus Programmes
Threats like viruses, Trojans, malware, spyware, etc. can be prevented by using anti-virus software from popular vendors. Anti-virus software is a set of programmes and data designed to prevent, search for, detect and remove viruses and other malicious software like worms, Trojans, adware, etc. These tools are critical at the user level and have to be updated daily to include new viruses, since more than 60,000 new pieces of malware are created daily. The anti-virus programme performs basic functions like scanning specific files or directories and allowing scheduled automatic scans. A scan can be initiated for a specific drive, folder, CD-ROM or flash drive at any time. Infected files can be removed or quarantined to prevent the infection from spreading to other PCs.
Popular free anti-virus programs are AVG Antivirus, Kaspersky, F-Secure and Avast, and commercial software includes Norton by Symantec, McAfee, Trend Micro, eScan, Bitdefender, Inoculate, etc. It depends upon the organisation to choose the best product.
5. Protection using UTM and Firewall
We have learned how to protect computers against unauthorised entry and also seen how authentication establishes whether a user is legitimate or not. If an unauthorised person gets access to a computer through the network, what can she/he do? Such unauthorized or illegitimate users are called hackers. Hackers use the vulnerabilities in a system. There could be loopholes in any software which open ports (open entry points) for entering data or programmes into the system. Such loopholes are called vulnerabilities in a system. This generally happens with computer programmes installed on the system to get access to valid resources of the computer. The attack by a hacker could be passive in nature, in which the hacker just eavesdrops on information without modifying it. On the other hand, an active hacker can modify or destroy the data.
A hacker can get into the resources once he/she gets into the system and can work like any other normal user. This is one of the serious threats in a network. Hacking attempts exist in every sector, and the banking sector loses huge amounts of money every year because unscrupulous people try to get access to confidential information through hacking; once this information is with the hacker, he/she can play around with the data, including malpractices.
A hacker or an unauthorized user can get access to a system by any means. A computer programme generally works in a system by connecting to another system over the network so that it can access data. These relations are called connections in the network. These connections are generally opened through ports. Since ports are open to create some of the connections, security on these connections can be compromised, and through these open connections unauthorised people can also get access to the computer. Technically, each programme has a port, which is an open place in the computer; only through the port can a programme communicate. For example, suppose we have a database server. The database server works on a particular port to get connected, so this port can also be accessed by a user or a network expert, who can launch some programmes through the same open port. There are more than 65000 ports which can be opened on a system, and some of them open automatically for services at the time of booting. A hacker can try to get access into the computer through such a port, and this process is called a hacking attempt.
This is a very serious security threat, as whatever activities a user is doing can be monitored by a spy, or data can be sent to another website without the notice of the user. It is also possible that whatever keys a user types can be sent to a web site without the knowledge of the user. This is possible by the hacker launching some programme in the system. Hence hacking threats on individual systems as well as the network have to be detected, and the network has to be monitored always for this kind of attempt on the server. There are sophisticated programmes called IDS (Intrusion Detection Systems), which are part of the firewall, which take care of such attempts. Implementing firewall and UTM (Unified Threat Management) appliances in a network can prevent many threats.
As shown in the figure, a network is created with many devices such as PCs, mobiles, laptops, servers and other network devices. Once connected, the same machines/devices can launch an attack. A firewall creates a virtual protection mechanism to protect the network. Unauthorised attempts with data or traffic will be discarded by the firewall if they are not through the known ports. A firewall protects the network against all sorts of known attacks and threats. An appliance-based firewall with gateway-level anti-virus scanning can prevent the spreading of viruses over the network. Spam filtering in a UTM can check whether data is spam or not. An Intrusion Detection/Prevention System monitors unauthorised entry into the network and prevents it. A firewall also has facilities for bandwidth management, web content filtering, anti-phishing, load balancing, DNS resolution, creation of a proxy server, DMZ support, etc.
This can be explained in detail using the following diagram of how a server and a client are connected to share data. As seen in the diagram, the PC used by a user on the Internet acts as a client, and he/she will try to access information from the server (web server) through the network. The server will push the information to the client’s or user’s computer based on the request. If there is no security between the user and the server, the server can get direct access to the PC and the PC can also get direct access to the server. Neither the traffic nor the nature of the data will be monitored in an unprotected environment.
A firewall plays a role in protecting the network where servers are connected. At the organizational level, this protection can be introduced by using a checkpoint between the user and the outside network. Such a check/verification point is called a firewall. A firewall is an intermediary layer, which can be software, hardware or an appliance, residing between the user and the outside network. Any request which goes through this equipment will be scanned and filtered for content at the firewall level. A firewall is also added as a filtering mechanism for data through filtering gateways between the user and the outside network. If one hosts content in a network, it is essential that the hosting server is protected from the outside world. For example, as shown in the diagram, if an institution hosts a web server, the network admin needs to open only the ports which are required for accessing the web service. For example, 8080 is a port number for Tomcat and 80 is the port number for a website. In general, when a user types an http:// URL, by default the request comes through port number 80. If he is using another web server like Tomcat, it will be through 8080. If the hosting is done using a web server, one needs to open only two or three ports. All ports other than these 3 ports have to be blocked. The firewall works based on this principle: it blocks all the ports, and the network admin has to open the valid port(s) for the user. As seen in the diagram, first deny all connections and allow only the connections which are required for use.
6. DMZ for hosting and IDS
In an organization, restrictions on the server can be established by creating a special zone. First, allow only known used ports from the system which is to be used for the service. In this context, there is an area in a normal network called a ‘demilitarized zone’ (DMZ), which means to militarize the complete zone by denying all connections and allowing only the known connections/programmes to access the resource. Any other access attempt can be stopped at the firewall level, as shown in the diagram. In addition to stopping such requests, a firewall can also act as a tool for content filtering or even restricted access to content (for example, restriction of child sites). A firewall blocks unauthorized network connections to the PC or local area network, including the server if a user is hosting services in the public domain. A firewall can also act as an Intrusion Detection System (IDS), which is a very common term used in network security for checking any unauthorized entry into the system.
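The following added example (not from the original module) encodes the “deny all, then allow what is needed” principle and the DMZ layout described above as a small rule evaluator: the DMZ web server is reachable from the Internet only on ports 80 and 8080, and the final rule denies everything else. The address ranges and the extra LAN rules are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (assumption): staff PCs in the LAN,
# the public web server in the DMZ, every other address is "internet".
ZONES = {
    "lan": [ip_network("192.168.10.0/24")],
    "dmz": [ip_network("172.16.5.0/24")],
}


@dataclass(frozen=True)
class Rule:
    src_zone: str       # zone the connection comes from, or "*" for any
    dst_zone: str       # zone it is going to, or "*" for any
    proto: str          # "tcp", "udp", "icmp" or "*"
    ports: frozenset    # allowed destination ports; empty means any port
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Map an address to its zone; anything outside the known networks is the Internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


# Order matters: the first matching rule wins, and the last rule denies
# everything not explicitly allowed above it ("deny all, then allow").
RULES = [
    Rule("internet", "dmz", "tcp", frozenset({80, 8080}), "allow"),  # public web service
    Rule("lan", "dmz", "tcp", frozenset({22, 80, 8080}), "allow"),   # admins reach the web server
    Rule("lan", "internet", "tcp", frozenset({80, 443}), "allow"),   # staff browsing
    Rule("dmz", "lan", "*", frozenset(), "deny"),                     # a compromised DMZ host stays out of the LAN
    Rule("*", "*", "*", frozenset(), "deny"),                         # default deny
]


def evaluate(conn, rules=RULES):
    """Return (action, index of the rule that matched) for one connection attempt."""
    src_zone, dst_zone = zone_of(conn.src), zone_of(conn.dst)
    for index, rule in enumerate(rules):
        if rule.src_zone not in ("*", src_zone):
            continue
        if rule.dst_zone not in ("*", dst_zone):
            continue
        if rule.proto not in ("*", conn.proto):
            continue
        if rule.ports and conn.dport not in rule.ports:
            continue
        return rule.action, index
    return "deny", -1   # only reachable if someone removes the catch-all rule


def has_default_deny(rules):
    """Sanity check an operator should run: the rule set must end in a catch-all deny."""
    last = rules[-1]
    header = (last.src_zone, last.dst_zone, last.proto, last.action)
    return header == ("*", "*", "*", "deny") and not last.ports


if __name__ == "__main__":
    attempts = [
        Connection("203.0.113.7", "172.16.5.10", "tcp", 80),     # internet -> web server
        Connection("203.0.113.7", "172.16.5.10", "tcp", 22),     # internet -> ssh on web server
        Connection("192.168.10.5", "172.16.5.10", "tcp", 22),    # admin -> ssh on web server
        Connection("172.16.5.10", "192.168.10.5", "tcp", 445),   # web server -> LAN file share
        Connection("203.0.113.7", "172.16.5.10", "udp", 80),     # wrong protocol for the web port
    ]
    for c in attempts:
        action, idx = evaluate(c)
        print(f"{zone_of(c.src):>8} -> {zone_of(c.dst):<8} {c.proto}/{c.dport:<5} {action} (rule {idx})")
```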
Any attempt by a hacker at passive as well as active intrusion has to be monitored and detected. Many popular firewalls have the facility for IDS as well as IPS, i.e. Intrusion Prevention System. Thus, the firewall will check each and every connection request, even at the content level. Some programmes can also carry harmful content and need to be filtered before they enter the system. In addition to protection, a firewall can also act as a ‘proxy’ for sharing a common Internet connection among many users. UTM equipment can also filter content, act as a load balancer between Internet connections from various ISPs, or provide an authentication mechanism for proxy users. Nowadays, all vendors come out with firewall products which work as a single UTM (Unified Threat Management) system, so that a UTM box or appliance available in the market can be procured directly, implemented in a network, and the network configured so that every Internet connection or local connection for accessing outside or internal data is routed through this UTM (firewall). Some of the popular names of firewalls/UTMs available in the market are Fortigate, Sonicwall, Cyberoam, etc. A firewall can filter content as mentioned earlier; it can check the port number through which a programme is trying to access and deny any kind of access based on defined rules. Another important threat is that many users try to continuously connect to a single server at the same time, which is also a kind of attack on the network.
Since many organisations have limited network resources like bandwidth, etc., a proxy server can be used. Proxy servers are vulnerable to DoS attacks. Suppose one network can accommodate 10000 users concurrently; if over 100000 users attempt to access the same server, the network will definitely choke due to heavy traffic, which leads to a threat like a denial-of-service attack. A firewall can protect against these kinds of attacks, in which the hacker chokes the network, by monitoring flooding (UDP as well as ICMP). There are other kinds of programmes created by unauthorised persons who generally do not seriously work for resource access but just spy on information. These attacks can be classified as passive attacks and active attacks. In a passive attack, people get into a system to know what is available; it is a kind of eavesdropping, release of message content, traffic analysis, etc. In an active attack, the hacker also gets into the system and modifies the data: masquerading, replay, denial of service and altering data without giving any hint of the change. Some people argue that ethical hacking is permitted, but cracking a server is not permitted. Either way, this kind of activity is a crime under the IT Act. A person should not get into someone’s server without asking permission. This kind of attack can be stopped by using suitable firewall rules.
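As an added example (not from the original module), the following detector shows the flood monitoring mentioned above: it counts UDP and ICMP packets per source in a one-second sliding window over constructed firewall log lines and flags sources that exceed a threshold. The log format, the 100-packets-per-second threshold and the addresses are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    dst: str


def parse_line(line):
    """Parse one constructed log line: '<epoch seconds> <proto> <src> <dst>' (assumed format)."""
    ts, proto, src, dst = line.split()
    return Packet(float(ts), proto.lower(), src, dst)


class FloodDetector:
    """Flag a source whose UDP or ICMP packet rate exceeds a threshold inside a sliding window."""

    def __init__(self, window_seconds=1.0, threshold=100, protocols=("udp", "icmp")):
        self.window = window_seconds
        self.threshold = threshold
        self.protocols = set(protocols)
        self.recent = defaultdict(deque)   # (src, proto) -> timestamps still inside the window
        self.alerts = {}                   # (src, proto) -> time the threshold was first crossed

    def observe(self, pkt):
        """Feed one packet (in time order); return the key if it triggers a new alert."""
        if pkt.proto not in self.protocols:
            return None
        key = (pkt.src, pkt.proto)
        times = self.recent[key]
        times.append(pkt.ts)
        while times and pkt.ts - times[0] > self.window:   # expire old timestamps
            times.popleft()
        if len(times) > self.threshold and key not in self.alerts:
            self.alerts[key] = pkt.ts
            return key
        return None


def scan_log(lines, **detector_args):
    """Run the detector over log lines (sorted by time) and return the alerts found."""
    detector = FloodDetector(**detector_args)
    packets = sorted((parse_line(l) for l in lines if l.strip()), key=lambda p: p.ts)
    for pkt in packets:
        detector.observe(pkt)
    return detector.alerts


def block_rules(alerts):
    """Render alerts as iptables DROP rules for an operator to review; nothing is applied here."""
    return [f"iptables -A INPUT -p {proto} -s {src} -j DROP" for (src, proto) in sorted(alerts)]


def build_sample_log():
    """Constructed traffic: one quiet client, one flooding source, and TCP the detector ignores."""
    lines = []
    for i in range(10):                       # normal client: one UDP packet per second
        lines.append(f"{1700000000 + i}.000 udp 192.168.10.5 172.16.5.10")
    for i in range(300):                      # flood: 300 UDP packets inside one second
        lines.append(f"{1700000003 + i / 300:.3f} udp 198.51.100.9 172.16.5.10")
    for i in range(250):                      # flood: 250 ICMP packets inside one second
        lines.append(f"{1700000003 + i / 250:.3f} icmp 198.51.100.9 172.16.5.10")
    for i in range(500):                      # busy but legitimate TCP, not rate-checked here
        lines.append(f"{1700000005 + i / 500:.3f} tcp 203.0.113.7 172.16.5.10")
    return lines


if __name__ == "__main__":
    found = scan_log(build_sample_log())
    for (src, proto), when in sorted(found.items()):
        print(f"flood from {src} ({proto}) first seen at {when:.3f}")
    for rule in block_rules(found):
        print(rule)
```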
A few products have been named as solutions for viruses, Trojans, spyware, adware and other kinds of threats. A firewall can be implemented as a software programme also (e.g. iptables in Linux) in addition to being used as equipment. In this way a firewall can take the shape of software as well as hardware; if it is software in the system, it comes along with the operating system, where the firewall has to be enabled. It depends upon the user to protect his system from external attacks as well as internal attacks. If security is compromised at the user level, the organisation may not be aware who is using the resource, since a hacker generally will not reveal his identity. If an organisation is not protecting its systems, it will not only suffer damage but will also work as a platform for attacks on others. It is important to take care of the security of computer systems, information and data as well as the network, so that users will enjoy seamless access to the information world.
7. Summary
Proper network security can be implemented by formulating a very strong policy for the user as well as for the organisation, with proper network security devices. UTM (Unified Threat Management) appliances integrate many security protection features in a systematic security implementation. Restrictions on users are always required in an organization to protect the network from local threats. Use of proper anti-virus software on individual PCs as well as gateway-level protection against virus attacks is to be strictly implemented. Use of pen drives, flash drives, CDs, DVDs and other storage devices plugged directly into a PC is to be strictly monitored. As per the IT Act, log records are to be created for each network activity as well as Internet usage in the organization. All users should be given an individual user account with authentication and user privileges. Network security should be treated as an organizational culture where ethical use of services is followed religiously.
8. References