7 Network Security: Core Concepts

Manoj Kumar

 

I. Objectives

The prime objective of this module is to give an overall idea of network security and its importance in an organization. The threats and challenges to network security, and the major kinds of threats found in a network, are discussed. In addition, the remedies and measures to be taken to protect data and information in a network environment are highlighted. Major threats such as viruses, Trojans, malware, spyware, DoS attacks and hacking, and protections such as IDS, anti-virus software and firewalls, are discussed.

 

 

II. Learning Outcome

On completion of this lesson, you will have a knowledge of the basics of network security and its importance for network and data integrity. You will learn about the major threats and challenges to network security and the software and hardware solutions available for it. You will also learn how to implement proper network security by formulating appropriate policies for the user as well as for the organization, supported by proper network security devices.

 

 

 

III. Module Structure

1. Introduction

2. Network Authentication

3. Types of Network Attacks

3.1 Eavesdropping

3.2 Data Modification

3.3 Identity Spoofing (IP Address Spoofing)

3.4 Password-Based Attacks

3.5 Denial-of-Service (DoS) Attack

3.6 Man-in-the-Middle Attack

3.7 Compromised-Key Attack

3.8 Sniffer Attack

3.9 Application-Layer Attack

4. Virus

4.1 Trojan Horse

4.2 Malware/Spyware

4.3 Anti-Virus Programmes

5. Protection using UTM and Firewall

6. DMZ for hosting and IDS

7. Summary

8. References

 

 

 

1. Introduction

Security is a global concern: one needs to protect one's valuables, data and information, and even one's home and nation, with proper security. Physical security is easily achieved by physical means such as lock and key, fencing, walls and separate compartments. The physical security of a computer system can likewise be attained by placing it in a safe place, under lock and key or inside a properly secured compartment. Network security is a harder problem, since a network exists precisely to interconnect computers for resource sharing. Security for computer networks and information therefore has to be implemented at various levels in order to protect data and information. The objective of this module is to discuss threats and challenges to network security, such as hacking, phishing attempts, viruses, Trojans and spyware, and the various measures and methods of protection against these threats.

 

The prime objective of network security is to protect the confidentiality of data, to maintain its integrity and correctness, and to keep it available for use over the network on a 24 × 7 basis. Everyone would like seamless and uninterrupted access to resources over the network. Since a computer network is technically a cluster of interconnected computers that are heterogeneous in both content and technology, ensuring its security is a major challenge. Threats to the network may come from both inside and outside. The scope and function of networks has grown enormously with the worldwide interconnection of computers, i.e. the Internet. Since each computer is connected to a global network, security has to be ensured for every user and machine. It has to be implemented at various levels: user level, organizational level and national level. Security also needs to be enforced both for the network of computers and for the information on it. Once the network is protected, the information on it is, to a great extent, protected as well.

 

A major threat to an individual user in a network environment is the threat of viruses and their variants. In addition to viruses, there are similar threats such as Trojans, spyware and adware. Before exploring these threats, let us discuss how a legitimate user enters a system connected to the network, and how user-level security is ensured.

 

2. Network Authentication

In a network, a user is allowed to access information from his/her computer only if it can be ensured that he/she is a legitimate user on the network. This is established by giving the user an identity in the network system. Checking such an identity for validity is called authentication. On computer networks, authentication can be established by providing a username and password, or by storing the IP address of the machine in advance in a centralised server. The IP address is a unique identifier for a user's machine on a network. It can be a local (private) IP address (for example 192.168.x.x or 172.16.x.x) or a global, i.e. public, IP address (for example 14.139.x.x or 8.8.8.8).

 

In addition to these mechanisms of authentication, recent techniques such as biometrics (fingerprint, face recognition software, voice recognition, etc.) can also be used for making a valid entry into a system.

 

These kinds of tools authenticate a simple 'login' into a computer system; with his/her username and password, a user obtains credentials for authenticating to the network. Unauthorized users can be denied access to information by requiring valid authentication for each and every user in the network. However, no single authority can create usernames and passwords for all users over a network as wide as the Internet. Instead, passwords are assigned per service: a user has a password for an email service (for example Gmail), another for accessing e-resources, and different passwords for login purposes, but it is not easy to assign a single password for all services.

 

It is suggested that users be created with authentication at different levels, and every organization must have its own authentication policy for this. Authentication at this level protects the network from unauthorised or unknown users trying to access resources. If a user is denied access to the network, he/she cannot access its other resources either. Authentication is therefore the mechanism by which illegitimate users are generally prevented from accessing resources. As mentioned, a good password is a secure mechanism for a user to log in to a network. Simple words or dictionary words should not be used as passwords; instead one should use alphanumeric characters combined with special characters. Banking and other financial services over the Internet do not accept simple passwords. It is also suggested that passwords be changed at least once in three or six months: even if an inexperienced person does hack the system and temporarily gains access to the data, the password change helps to recover the access. Authenticated systems are still vulnerable to threats from outside as well as from inside. A few such threats are discussed below.
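
The password policy described above, as an added Python example that is not part of the module: it rejects dictionary words and passwords lacking a mix of letters, digits and special characters, enforces the rotation period, and shows how a server should store and check passwords (salted PBKDF2 hash with a constant-time comparison) rather than keeping them in clear text. The word list, the 90-day limit and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "letmein", "admin", "secret", "network"}

# The module suggests a change every three to six months; 90 days is assumed here.
MAX_PASSWORD_AGE_DAYS = 90


def check_password_policy(password, dictionary=DICTIONARY, min_length=10):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("too short (minimum %d characters)" % min_length)
    # A dictionary word, with or without a trailing run of digits, is easily guessed.
    core = re.sub(r"\d+$", "", password.lower())
    if core in dictionary or password.lower() in dictionary:
        problems.append("dictionary word")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def hash_password(password, salt=None, iterations=200_000):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the clear-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password, record):
    """Recompute the hash and compare in constant time, so timing does not leak matches."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def password_expired(last_changed_iso, today_iso=None, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """True when the password (dates as ISO strings) is older than the rotation period."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for candidate in ["welcome123", "Tr0ub4dor&3-lib"]:
        print(candidate, "->", check_password_policy(candidate) or "ok")
    rec = hash_password("Tr0ub4dor&3-lib")
    print("correct password accepted:", verify_password("Tr0ub4dor&3-lib", rec))
    print("wrong password accepted:  ", verify_password("welcome123", rec))
    print("expired:", password_expired("2024-01-01", "2024-06-01"))
```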

 

3. Types of Network Attacks

Without proper security measures, data may be subjected to various kinds of attack. Attacks are classified as passive attacks, where information is only observed, and active attacks, where information is altered with the intent to corrupt or destroy the data or the network. Networks and data are vulnerable to any of the following types of attack if one does not have a security plan in place.

 

3.1 Eavesdropping

Much network communication happens in unsecured or "clear text" format, which allows an attacker who has gained access to the network by improper means to "listen in" and read the data passing through it. When an attacker is eavesdropping, it is referred to as sniffing or snooping. This kind of eavesdropping is the biggest security problem administrators face while managing a network. Eavesdropping can be avoided by using strong encryption services based on cryptography.

 

3.2 Data Modification

Once an attacker has read someone's data, the next logical step is to modify it. A skilled attacker can even modify the data in a packet in transit without the knowledge of the sender or the receiver.
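
An added Python example, not from the module, of how a receiver detects the in-transit modification described above: the sender appends an HMAC-SHA256 tag computed with a shared key, so any change to the payload fails verification. It also shows why the key itself must be protected: an attacker holding the key (the compromised-key case of 3.7) can re-tag a modified payload. The key and the packet contents are constructed for the demo, and the tag gives integrity only; confidentiality against eavesdropping (3.1) still needs encryption.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag

# Constructed demo key; a real deployment derives it from the session key exchange.
DEMO_KEY = bytes(range(32))


def protect(payload: bytes, key: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag so the receiver can check integrity."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def verify(frame: bytes, key: bytes):
    """Receiver side: return (ok, payload); ok is False when payload or tag was changed."""
    if len(frame) < TAG_LEN:
        return False, b""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many tag bytes matched through timing.
    return hmac.compare_digest(tag, expected), payload


def modify_in_transit(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Simulates the attacker of 3.2 changing bytes of a frame without knowing the key."""
    return frame.replace(old, new, 1)


if __name__ == "__main__":
    frame = protect(b"TRANSFER 100 TO ACCOUNT 42", DEMO_KEY)
    print("untouched frame verifies:", verify(frame, DEMO_KEY)[0])        # True
    altered = modify_in_transit(frame, b"100", b"900")
    print("altered frame verifies:  ", verify(altered, DEMO_KEY)[0])      # False
    # Compromised key (3.7): with the key, a modified payload can be re-tagged.
    forged = protect(b"TRANSFER 900 TO ACCOUNT 42", DEMO_KEY)
    print("re-tagged with stolen key:", verify(forged, DEMO_KEY)[0])      # True
```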

 

3.3 Identity Spoofing (IP Address Spoofing)

The identity of a user on a network is established through the IP address assigned to the user while logging in to the network. An IP address is a valid and unique identity which gives a user authorisation. It is possible for a skilled attacker to falsely assume an IP address, i.e. identity spoofing. An attacker can also use a special program to construct IP packets that appear to originate from valid addresses. After gaining access to the network with a valid IP address, the attacker can modify, reroute or delete data.

 

3.4 Password-Based Attacks

As discussed under network authentication, a user gets access through password-based access control. Access rights to a computer and to network resources are determined by the user's identity, normally a username and password. When an attacker finds a valid user account and obtains its password, the attacker has the same rights as the real user. This is very dangerous if the user has administrator-level rights, since the attacker then gets full rights to do anything in the system. After gaining access to a network with a valid account, an attacker can do any of the following:

•    Obtain lists of valid user and computer names and network information;

•    Modify server and network configurations, including access controls and routing tables, which is a very serious threat; or

•    Modify, reroute or delete data.

 

3.5 Denial-of-Service (DoS) Attack

Unlike a password-based attack, a denial-of-service attack prevents normal use of a computer or network by valid users. A DoS attack is generally carried out by flooding a computer or the entire network with traffic until a shutdown occurs due to overload. DoS can also block traffic, which results in a loss of access to network resources by authorized users.

 

3.6 Man-in-the-Middle Attack

In a man-in-the-middle attack, someone assumes the identity of a user in order to read his/her messages. The person on the other end might believe it is you, because the attacker may be actively replying to keep the exchange going and gain more information.

 

3.7 Compromised-Key Attack

A key is a secret code or number necessary to interpret secured information. Once an attacker obtains a key, that key is referred to as a compromised key. An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and may try to use it to compute additional keys.

 

3.8 Sniffer Attack

A sniffer is an application or device that can read, monitor and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside them. Even encapsulated packets can be broken open and read unless they are encrypted. Using a sniffer, an attacker can analyze the entire network and gain information that can eventually be used to crash or corrupt the network.

 

3.9 Application-Layer Attack

An application-layer attack targets application servers by causing a fault in the server's operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation to gain control of your application, system or network, introducing a virus program or a sniffer program, or disabling other security controls to enable future attacks. Viruses, Trojans, worms, adware and spyware generally belong to the class of active attacks and are major threats to security.

 

4. Virus

A virus is a computer program with malicious logic that replicates itself repeatedly over the network. A computer virus works like a biological virus: it enters the computer without the user's notice, spreads to other computers, may remain dormant, and keeps changing its form (polymorphism). The name is coined from Vital Information Resource Under Siege (VIRUS). Computer viruses are executable programs designed to replicate and damage the computer system without the user's knowledge and permission. A computer virus gets activated on certain trigger conditions, known as a "catalyst". A virus program has its own mechanisms to avoid detection by the user and to activate at a particular time or occasion; such viruses are called "stealth viruses". The trigger could be a particular date, for example Thursday the 12th (alias CD) or Friday the 13th for the Jerusalem virus. Sometimes code is also embedded in a legitimate programme, set to go off when certain conditions are met; such viruses are called logical viruses.

 

A virus can affect the operating system, computer files, data files, executable programs, bootable disks, hard disk partitions, the boot sector, etc. Generally, once activated, it can hide in RAM (Random Access Memory), upper memory, high memory, as a TSR (Terminate and Stay Resident) program, in the MBR (Master Boot Record), or in extended and expanded memory. Viruses are categorized into boot sector infectors and program file infectors (for example .exe, .doc, .sys, .dll, .ovl, .scr, .xa, .xls).

 

The nature of the following viruses and other illegal activities on the network may be learned from anti-virus web sites:

•    Adware (advertising software)

•    Armored viruses

•    Benign virus

•    Bomb virus

•    Boot virus (boot sector virus)

•    Botware

•    Browser hijacker

•    Companion virus

•    Dialer (phone dialer)

•    FAT virus (File Allocation Table virus)

•    File deleting viruses

•    Keyloggers

•    Macro virus

•    Malware (malicious software)

•    Mass mailer viruses

•    Memory resident virus

•    Multipartite virus

•    Multiple characteristic viruses

•    Parasitic virus

•    Polymorphic virus

•    Programme virus

 

Some viruses attack web servers and network management programmes and stop legitimate users from accessing data from the server by denial of service (DoS attacks), as discussed earlier. Zombie is an example of this type of virus. At least 100000 viruses are expected to be in circulation as on date. Use of proper anti-virus software, with regular updates of the signatures for new viruses, can protect the system from virus attack. A virus cannot damage hardware such as keyboards, monitors, printers, etc. On detection, a virus can be isolated from normal programmes; this is called quarantine.

 

4.1 Trojan Horse

A Trojan horse is a non-self-replicating type of malware containing malicious code which carries out predetermined actions depending on the nature of the Trojan. On execution it causes loss or theft of data, or slows down the performance of the system. A Trojan acts as a back-door entry programme that gets dropped in a system without the user's notice. A Trojan may also give a hacker remote access to the targeted computer system. A harmful Trojan horse can damage a system in many ways, such as crashing the computer, corrupting data, formatting disks, logging keystrokes, deleting files, stealing data, performing automated spamming or denial-of-service attacks, viewing the user's webcam, modifying the registry, and downloading and installing third-party malware.

 

4.2 Malware/Spyware

Nowadays, viruses can also attach themselves to data files such as .doc, .xls, .pps, .mdb, etc. Such viruses are called "macro" viruses. Some of these viruses are polymorphic in nature: they mutate and change their identifiable code with each infection. Macro viruses are generally independent 'malware' programmes which do not require any host; they replicate themselves and spread. In contrast to viruses, some malicious programmes do not replicate; such programmes are called "Trojan horses".

A spyware programme gathers information about a person or organisation without their knowledge. Spyware is classified into four types: system monitors, Trojans, adware and tracking cookies.

 

4.3 Anti-Virus Programmes

Threats like viruses, Trojans, malware, spyware, etc. can be prevented by using anti-virus software from popular vendors. Anti-virus software is a set of programmes and data designed to prevent, search for, detect and remove viruses and other malicious software such as worms, Trojans and adware. These tools are critical at the user level and have to be updated daily with the newly discovered viruses, since more than 60,000 new pieces of malware are created daily. Anti-virus programmes perform basic functions such as scanning specific files or directories, running scheduled scans automatically, and initiating a scan of a specific drive, folder, CD-ROM or flash drive at any time. Infected files can be removed or quarantined to prevent the infection spreading to other PCs.

Popular free anti-virus programs are AVG Antivirus, Kaspersky, F-Secure and Avast, and commercial software includes Norton by Symantec, McAfee, Trend Micro, eScan, Bitdefender, Inoculate, etc. It is up to the organisation to choose the best product.

 

5. Protection using UTM and Firewall

We have learned how to protect computers against unauthorised entry and seen how authentication decides whether a user is legitimate or not. What can an unauthorised person do if he/she gets access to a computer through the network? Such unauthorized or illegitimate users are called hackers. Hackers exploit vulnerabilities in a system. There may be loopholes in any software which allow ports (entry points) to be opened for entering data or programmes into the system. Such loopholes are called vulnerabilities. This generally happens with computer programmes installed on the system in order to access valid resources of the computer. An attack by a hacker may be passive in nature, where the hacker just eavesdrops on information without modifying it. On the other hand, an active hacker can modify or destroy the data.

 

Once a hacker gets into the system, he/she can use its resources and work like any other normal user. This is one of the most serious threats in a network. Hacking attempts occur in every sector, and the banking sector loses huge amounts of money every year because unscrupulous people try to gain access to confidential information through hacking; once this information is with the hacker, he can misuse the data in any way, including for malpractice.

 

A hacker or unauthorized user may gain access to a system by any means. Computer programmes generally work in a system by connecting to another system over the network so that data can be accessed. These relations are called connections in the network, and connections are generally made through ports. Since ports are opened to create connections, security on these connections can be compromised, and through these open connections unauthorised people can also gain access to the computer. Technically, each programme has a port, which is an open place in the computer, and it is only through its port that a programme can communicate. For example, suppose we have a database server. The database server listens on a particular port for connections, so this port can also be accessed by a user or a network expert, who can launch programmes through the same open port. There are more than 65000 ports on a system and some of them are automatically opened for services at the time of booting. A hacker can try to get access into the computer through such a port; this is called a hacking attempt.

 

Fig.1: Hacking Attempt

 

This is a very serious security threat, as whatever activities a user is doing can be monitored as if by a spy, or data can be sent to another website without the user's notice. It is even possible that whatever keys a user types are sent to a web site without the user's knowledge. This is made possible by programmes launched by the hacker into the system. Hence the hacking threat to individual systems as well as to the network has to be detected, and the network has to be monitored continuously for such attempts on the server. There are sophisticated programmes called IDS (Intrusion Detection Systems), which may be part of a firewall, which take care of such attempts. Implementing firewall and UTM (Unified Threat Management) appliances in a network can prevent many threats.

 

As shown in the figure, a network is created with many devices such as PCs, mobiles, laptops, servers and other network devices. Once connected, the same machines/devices can launch an attack. A firewall creates a virtual protection mechanism for the network. Unauthorised attempts with data or traffic are discarded by the firewall if they do not come through known ports. A firewall protects the network against all sorts of known attacks and threats. An appliance-based firewall with gateway-level anti-virus scanning can prevent viruses spreading over the network. Spam filtering in the UTM checks whether data is spam or not. The Intrusion Detection/Prevention System monitors unauthorised entry into the network and prevents it. A firewall also has facilities for bandwidth management, web content filtering, anti-phishing, load balancing, DNS resolution, creation of a proxy server, DMZ support, etc.

 

This can be explained in detail using the following diagram of how a server and a client are connected to share data. As seen in the diagram, the PC used by a user on the Internet acts as a client, and he/she tries to access information from the server (web server) through the network. The server pushes information to the client's or user's computer based on the request. If there is no security between the user and the server, the server can get direct access to the PC and the PC can also get direct access to the server. Neither the traffic nor the nature of the data is monitored in an unprotected environment.

Fig.2: Firewall

 

A firewall plays the role of protecting the network where servers are connected. At the organizational level, this protection is introduced by placing a checkpoint between the user and the outside network. Such a check/verification point is called a firewall. A firewall is an intermediary layer, which can be software, hardware or an appliance, residing between the user and the outside network. Any request that passes through this equipment is scanned and its content filtered at the firewall level. A firewall also acts as a filtering mechanism for data through filtering gateways between the user and the outside network. If one hosts content in a network, the hosting server must be protected from the outside world. For example, as shown in the diagram, if an institution hosts a web server, the network admin needs to open only the ports required for accessing the web service: 8080 is the port number for Tomcat and 80 is the port number for a website. In general, when a user types an http:// URL, the request by default comes through port number 80; if another web server such as Tomcat is used, it comes through 8080. If hosting is done using a web server, one needs to open only two or three ports, and all other ports have to be blocked. A firewall works on this principle: it blocks all ports, and the network admin opens the valid port(s) for users. As seen in the diagram, first deny all connections and then allow only the connections required for use.
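
The deny-all-then-allow principle just described, as an added Python example that is not part of the module: an ordered rule list is evaluated first-match-wins with a default of DROP, opening only ports 80 and 8080 to everyone, and it renders the same policy as iptables commands for Linux. The management rule (SSH on port 22 from an admin LAN of 192.168.10.0/24) and the sample packets are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port
    proto: str      # "tcp", "udp" or "icmp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    proto: str = "any"
    dst_port: Optional[int] = None
    src_net: str = "0.0.0.0/0"     # any source unless narrowed

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and ip_address(pkt.src) in ip_network(self.src_net))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; anything unmatched gets the default (deny-all) action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Web server policy from the text: 80 and 8080 open to all, SSH only from the
# (constructed) admin LAN, everything else blocked by the default action.
WEB_SERVER_RULES = [
    Rule("ACCEPT", "tcp", 80),
    Rule("ACCEPT", "tcp", 8080),
    Rule("ACCEPT", "tcp", 22, src_net="192.168.10.0/24"),
]


def to_iptables(rules: List[Rule], default: str = "DROP") -> List[str]:
    """Render the same policy as Linux iptables commands for the INPUT chain."""
    lines = ["iptables -P INPUT %s" % default]      # policy line: deny by default
    for r in rules:
        parts = ["iptables -A INPUT"]
        if r.src_net != "0.0.0.0/0":
            parts.append("-s %s" % r.src_net)
        if r.proto != "any":
            parts.append("-p %s" % r.proto)
        if r.dst_port is not None:                   # --dport needs -p tcp/udp
            parts.append("--dport %d" % r.dst_port)
        parts.append("-j %s" % r.action)
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", 80, "tcp"), Packet("203.0.113.5", 3306, "tcp"),
                Packet("203.0.113.5", 22, "tcp"), Packet("192.168.10.7", 22, "tcp")]:
        print(pkt, "->", evaluate(WEB_SERVER_RULES, pkt))
    print("\n".join(to_iptables(WEB_SERVER_RULES)))
```

A real INPUT chain also needs rules accepting loopback and ESTABLISHED,RELATED traffic so that replies to the server's own outgoing connections are not dropped.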

 

6. DMZ for hosting and IDS

In an organization, restrictions on the server can be established by creating a special zone. First, allow only the known ports on the system which is to be used for the service. In this context, a normal network has an area called the 'demilitarized zone' (DMZ), which in practice means fortifying the complete zone by denying all connections and allowing only the known connections/programmes to access the resource. Any other attempt to access it is stopped at the firewall level, as shown in the figure. In addition to stopping such requests, a firewall can also act as a tool for content filtering or even for restricting access to content (for example restricting sites unsuitable for children). A firewall blocks unauthorized network connections to the PC or local area network, including the server, if a user is hosting services in the public domain. A firewall can also act as an Intrusion Detection System (IDS), a very common term in network security for checking any unauthorized entry into the system.

 

Any attempt by a hacker at passive as well as active intrusion has to be monitored and detected. Many popular firewalls have the facility for IDS as well as IPS, i.e. Intrusion Prevention System. Thus the firewall checks each and every connection request, even at the content level. Some programmes can carry harmful content and need to be filtered before they enter the system. In addition to protection, a firewall can also act as a 'proxy' for sharing a common Internet connection among many users. UTM equipment can also filter content, act as a load balancer between Internet connections from various ISPs, or provide an authentication mechanism for proxy users. Nowadays all vendors come out with firewall products which work as a single UTM (Unified Threat Management) system, so that a UTM box or appliance available in the market can be procured directly, implemented in the network, and the network configured so that every Internet or local connection for accessing outside or internal data is routed through this UTM (firewall). Some of the popular firewalls/UTMs available in the market are Fortigate, SonicWall, Cyberoam, etc. A firewall can filter content as mentioned earlier: it checks the port number through which a programme is trying to access and denies any kind of access based on the defined rules. Another important threat is many users trying to connect to a single server continuously at the same time, which is also a kind of attack on the network.

 

Since many organisations have limited network resources such as bandwidth, a proxy server can be used. Proxy servers are vulnerable to DoS attacks. Suppose one network can accommodate 10000 users concurrently; if over 100000 users attempt to access the same server, the network will definitely choke due to the heavy traffic, which leads to the threat known as a denial-of-service attack. A firewall can protect against such attacks, where a hacker chokes the network, by monitoring flooding (UDP as well as ICMP). There are other kinds of programmes created by unauthorised persons who generally do not seriously work to access resources but only to spy on information. These attacks can be classified as passive attacks and active attacks. In a passive attack, people get into a system to learn what is available; it is a kind of eavesdropping, release of message content, traffic analysis, etc. In an active attack, the hacker also gets into the system and modifies data, with masquerading, replay, denial of service and alteration of data without giving any hint of the change. Some people argue that ethical hacking is permitted, but cracking a server is not. Either way, this kind of activity is a crime under the IT Act. A person should not get into someone's server without asking that person's permission. This kind of attack can be stopped by using suitable firewall rules.
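
The flood monitoring mentioned above (UDP as well as ICMP), as an added Python example that is not part of the module: a sliding-window counter per source address flags any host whose UDP/ICMP packet rate exceeds a threshold, the kind of check a firewall or IDS applies before dropping or rate-limiting the traffic. The packet log, the window of one second and the threshold of 100 packets are constructed for the demo.

```python
from collections import defaultdict, deque


def detect_floods(events, window=1.0, threshold=100, protos=("udp", "icmp")):
    """Sliding-window rate check per source IP.

    events: iterable of (timestamp_seconds, src_ip, proto) in time order.
    Returns {src_ip: peak_packets_in_window} for every source that sent more
    than `threshold` packets of the watched protocols inside any `window`.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps still inside the window
    flagged = {}
    for ts, src, proto in events:
        if proto not in protos:
            continue              # only flood-prone protocols are counted here
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def make_sample_events():
    """Constructed traffic log: one host sends 500 ICMP packets in half a second,
    a second host sends 20 UDP packets spread over ten seconds (normal DNS-like
    traffic), and a third host sends TCP only, which this check ignores."""
    events = []
    events += [(0.001 * i, "198.51.100.9", "icmp") for i in range(500)]
    events += [(0.5 * i, "192.0.2.20", "udp") for i in range(20)]
    events += [(0.3 * i, "192.0.2.30", "tcp") for i in range(50)]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for src, peak in detect_floods(make_sample_events()).items():
        print("flood from %s: %d packets within one second" % (src, peak))
```

A flagged source can be rate-limited with rules such as iptables' `-m limit` match; note that a flood using spoofed source addresses (3.3) will not concentrate on one source, so the per-source view must be combined with total-rate monitoring.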

 

A few products have been named as solutions for viruses, Trojans, spyware, adware and other kinds of threats. A firewall can be implemented as a software programme (for example iptables in Linux) in addition to being an equipment. Thus a firewall can take the shape of software as well as hardware; as software, it comes along with the operating system and has to be enabled. It is up to the user to protect his/her system from external as well as internal attack. If security is compromised at the user level, the organisation may not be aware who is using the resource, since a hacker generally will not reveal his identity. If an organisation does not protect its systems, it will not only suffer damage but will also serve as a platform for attacks on others. It is important to take care of the security of computer systems, information, data and the network so that users enjoy seamless access to the information world.

 

7. Summary

Proper network security is implemented by formulating a strong policy for the user as well as for the organisation, with proper network security devices. UTM (Unified Threat Management) appliances integrate many security protection features into a systematic security implementation. Restrictions on users are always required in the organization to protect the network from local threats. Use of proper anti-virus software on individual PCs, as well as gateway-level protection against virus attacks, is to be strictly implemented. Use of pen drives, flash drives, CDs, DVDs and other storage devices plugged directly into PCs is to be strictly monitored. As per the IT Act, log records are to be created for each network activity as well as Internet usage in the organization. All users should be given an individual user account with authentication and user privileges. Network security should be treated as part of the organization's culture, where ethical use of services is followed religiously.

 

 

 

8. References

1. http://www.webroot.com/in/en/home/resources/tips/pc-security/security-what-is-anti-virus-software
2. John M. D. Hunter, An Information Security Handbook, Springer.