43 pages
Cns Semm
Uploaded by
Hacker Ranjan
Computer Network Security (MU-Sem 5-IT) (Introduction to Network Security and Cryptography)....Page no. (1-…)

The result is “MYMTCMSALHRDY”.

Note : The cipher is polyalphabetic because the three occurrences of one plaintext letter are encrypted differently. The occurrences of ‘T’ are also encrypted differently.

UQ. Encrypt “THIS IS THE FINAL EXAM” with the Playfair Cipher using the key “GUIDANCE”.

1.11.5 Playfair Cipher

- The Playfair cipher was the first practical digraph substitution cipher.
- The scheme was invented in 1854 by Charles Wheatstone, but was named after Lord Playfair who promoted the use of the cipher.
- The technique encrypts pairs of letters (digraphs), instead of single letters as in the simple substitution cipher.
- The Playfair is significantly harder to break since the frequency analysis used for simple substitution ciphers does not work with it. Frequency analysis can still be undertaken, but on the 25 × 25 = 625 possible digraphs rather than the 25 possible monographs. Frequency analysis thus requires much more ciphertext in order to work.
- It was used for tactical purposes by British forces in the Second Boer War and in World War I, and for the same purpose by the Australians during World War II. This was because Playfair is reasonably fast to use and requires no special equipment.
- It initially creates a key-table in the form of a 5 × 5 matrix. The matrix contains alphabets that act as the key for encryption of the plaintext. Note that no alphabet should be repeated. Another point to note is that there are 26 alphabets and we have only 25 blocks to put a letter inside; so J is always combined with I.

Playfair Cipher Encryption Rules

(1) First, split the plaintext into digraphs (pairs of two letters). If the plaintext has an odd number of letters, append the letter Z at the end to make it even. For example, the plaintext MANGO has five letters, so append a letter Z at the end of the plaintext, i.e. MANGOZ. This makes the plaintext even, since otherwise it is not possible to make a digraph of the last letter.
(2) If any letter appears twice (side by side), put X at the place of the second occurrence. Suppose the plaintext is COMMUNICATE; then its digraphs become CO MX MU NI CA TE. Similarly, the digraphs for the plaintext JAZZ will be JA ZX ZX, and for the plaintext GREET the digraphs will be GR EX ET.
(3) To determine the cipher (encryption) text, first build a 5 × 5 key-matrix or key-table and fill it with the letters of the alphabet, as directed below: Fill the first row (left to right) with the letters of the given keyword (say, ATHENS). If the keyword has duplicate letters, avoid them; it means a letter will be considered only once. After that, fill the remaining letters in alphabetical order. Let us create a 5 × 5 key-matrix for the keyword ATHENS. Note that in the matrix below no letter is repeated. The letters in the first row (in bold) represent the keyword and the remaining letters are set in alphabetical order.

A T H E N
S B C D F
G I K L M
O P Q R U
V W X Y Z

(MU-New Syllabus w.e.f academic year 21-22)(M5-78)

(4) There may be the following three conditions :
(i) If a pair of letters (digraph) appears in the same row : In this case, replace each letter of the digraph with the letter immediately to its right. If there is no letter to the right, consider the first letter of the same row as the right letter. Suppose Z is a letter whose right letter is required; in such case, V will be right to Z.
(ii) If a pair of letters (digraph) appears in the same column : In this case, replace each letter of the digraph with the letter immediately below it. If there is no letter below, wrap around to the top of the same column. Suppose X is a letter whose below letter is required; in such case, H will be below X.
(iii) If a pair of letters (digraph) appears in a different row and a different column : If the letters are in different rows and columns, replace the pair with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. The order is important : the first encrypted letter of the pair is the one that lies in the same row as the first plaintext letter. For example, ‘BQ’ will be encrypted as ‘CP’, and ‘DV’ will be encrypted as ‘SY’.

Playfair Cipher Decryption

- The decryption procedure is the same as encryption but the steps are applied in reverse order. For decryption the cipher is symmetric (move left along rows and up along columns). The receiver of the plaintext has the same key and can create the same key-table that is used to decrypt the message.

Ex. 1.11.8 : Encrypt “COMMUNICATE” with Playfair Cipher using key “COMPUTER”.

Soln. :
(1) First, split the plaintext into digraphs as CO MX MU NI CA TE.
(2) Construct a 5 × 5 key-matrix. In our case, the key is COMPUTER.

C O M P U
T E R A B
D F G H I
K L N Q S
V W X Y Z

(3) Now, we will traverse the key-matrix pair by pair and find the corresponding cipher for each pair.
- The first digraph is CO. The pair appears in the same row. In this case, replace each letter of the digraph with the letter immediately to its right. CO gets enciphered into OM.
- The second digraph is MX. The pair appears in the same column. In this case, replace each letter of the digraph with the letter immediately below it. MX gets enciphered into RM.
- The third digraph is MU. The pair appears in the same row. In this case, replace each letter of the digraph with the letter immediately to its right. MU gets enciphered into PC.
- The fourth digraph is NI. The pair appears in different rows and different columns. If the letters are in different rows and columns, replace the pair with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. NI gets enciphered into SG.
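The rules above and Ex. 1.11.8 can be checked mechanically. The following Python program is an added example (it is not the textbook's code): it builds the key table, prepares the digraphs, applies the row, column and rectangle rules, and reverses them for decryption. One assumption the text does not state explicitly is how an odd tail that is itself Z is padded; padding it with X reproduces the JA ZX ZX digraphs given for JAZZ.

```python
"""Playfair cipher: 5x5 key table (J folded into I), digraph preparation
(X between doubled letters, Z appended to an odd tail), the row/column/
rectangle rules, and decryption by reversing the shifts.
Added example, not the textbook's code."""

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, no J


def build_table(keyword: str):
    """5x5 key table as five row strings: keyword letters first (duplicates
    dropped), then the remaining letters in alphabetical order."""
    seen = []
    for ch in (keyword + ALPHABET).upper():
        ch = "I" if ch == "J" else ch
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return ["".join(seen[r * 5:(r + 1) * 5]) for r in range(5)]


def prepare(plaintext: str):
    """Split into digraphs exactly as rules (1) and (2) describe."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None:                      # odd tail: append Z (X if the tail is Z; assumption)
            pairs.append(a + ("X" if a == "Z" else "Z"))
            i += 1
        elif a == b:                       # doubled letter: insert X after the first
            pairs.append(a + "X")
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _pos(table, ch):
    ch = "I" if ch == "J" else ch
    for r, row in enumerate(table):
        c = row.find(ch)
        if c != -1:
            return r, c
    raise ValueError(f"{ch!r} not in table")


def _transform(table, pair, shift):
    """shift=+1 applies the encryption rules, shift=-1 reverses them."""
    (r1, c1), (r2, c2) = _pos(table, pair[0]), _pos(table, pair[1])
    if r1 == r2:                                   # same row: move right / left, wrapping
        return table[r1][(c1 + shift) % 5] + table[r2][(c2 + shift) % 5]
    if c1 == c2:                                   # same column: move down / up, wrapping
        return table[(r1 + shift) % 5][c1] + table[(r2 + shift) % 5][c2]
    return table[r1][c2] + table[r2][c1]           # rectangle: keep own row, take other column


def encrypt(plaintext: str, keyword: str) -> str:
    table = build_table(keyword)
    return "".join(_transform(table, p, +1) for p in prepare(plaintext))


def decrypt(ciphertext: str, keyword: str) -> str:
    table = build_table(keyword)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(_transform(table, p, -1) for p in pairs)


if __name__ == "__main__":
    print(build_table("COMPUTER"))
    print(prepare("COMMUNICATE"), encrypt("COMMUNICATE", "COMPUTER"))   # Ex. 1.11.8
    print(encrypt("THIS IS THE FINAL EXAM", "GUIDANCE"))               # the UQ above
    print(decrypt(encrypt("COMMUNICATE", "COMPUTER"), "COMPUTER"))
```

Decryption returns the prepared text (COMXMUNICATE, with the inserted X), not the original spelling; the receiver removes padding letters by inspection, which the text's decryption rule leaves implicit.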
- The fifth digraph is CA. The pair appears in different rows and different columns. If the letters are in different rows and columns, replace the pair with the letters on the same row respectively but at the other pair of corners of the rectangle defined by the original pair. CA gets enciphered into PT.

(MU-New Syllabus w.e.f academic year 21-22)(M5-79) Tech-Neo Publications...A SACHIN SHAH Venture

… EXAM gets enciphered (encrypted) into PODRDRF … the plaintext THIS …

1.11.5(A) Vigenère Cipher

- The Vigenère cipher is an example of a polyalphabetic substitution cipher. A polyalphabetic substitution cipher is similar to a monoalphabetic substitution except that the cipher alphabet is changed periodically while enciphering the message. This makes the cipher less vulnerable to cryptanalysis using letter frequencies.
- Blaise de Vigenère developed what is now called the Vigenère cipher in 1585. He used a table known as the Vigenère square to encipher messages, as shown in Table 1.11.1.
- In addition to the plaintext, the Vigenère cipher also requires a keyword, which is repeated so that the total length is equal to that of the plaintext.
- To encrypt, pick a letter in the plaintext and its corresponding letter in the keyword, use the keyword letter and the plaintext letter as the row index and column index, respectively, and the entry at the row-column intersection is the letter in the ciphertext.
- For example, the first letter in the plaintext is M and its corresponding keyword letter is H. This means that the row of H and the column of M are used, and the entry T at the intersection is the encrypted result.
- The Vigenère cipher uses a different strategy to create the key stream. The key stream is a repetition of an initial secret key stream of length ‘m’, where 1 ≤ m ≤ 26.
- The Vigenère key stream does not depend on the plaintext characters; it depends only on the position of the character in the plaintext.
- The Vigenère cipher can be seen as a combination of ‘m’ additive ciphers.
- The general formula of encryption using the Vigenère cipher is : Ci = (Pi + Ki) mod 26
- The general formula of decryption using the Vigenère cipher is : Pi = (Ci − Ki) mod 26
- The Vigenère cipher does not preserve the frequency of characters; however, the intercepted ciphertext can be deciphered by finding the length of the key and then finding the key itself.

Ex. 1.11.10 : Use the Vigenère cipher with keyword “HEALTH” to encipher the message “LIFE IS FULL OF SURPRISES”.

Soln. : The general formula of encryption using the Vigenère cipher is : Ci = (Pi + Ki) mod 26

Given keyword : HEALTH
Plaintext : LIFEISFULLOFSURPRISES

Plaintext  | L  | I  | F  | E  | I  | S  | F  | U  | L  | L  | O  | F  | S  | U  | R  | P  | R  | I  | S  | E  | S
P's Values | 11 | 08 | 05 | 04 | 08 | 18 | 05 | 20 | 11 | 11 | 14 | 05 | 18 | 20 | 17 | 15 | 17 | 08 | 18 | 04 | 18
Key Stream | H  | E  | A  | L  | T  | H  | H  | E  | A  | L  | T  | H  | H  | E  | A  | L  | T  | H  | H  | E  | A
K's Values | 07 | 04 | 00 | 11 | 19 | 07 | 07 | 04 | 00 | 11 | 19 | 07 | 07 | 04 | 00 | 11 | 19 | 07 | 07 | 04 | 00
C's Values | 18 | 12 | 05 | 15 | 01 | 25 | 12 | 24 | 11 | 22 | 07 | 12 | 25 | 24 | 17 | 00 | 10 | 15 | 25 | 08 | 18
Ciphertext | S  | M  | F  | P  | B  | Z  | M  | Y  | L  | W  | H  | M  | Z  | Y  | R  | A  | K  | P  | Z  | I  | S

The result is “SMFPBZMYLWHMZYRAKPZIS”.

1.11.5(B) Hill Cipher

- The Hill Cipher in cryptography was invented and developed in 1929 by Lester S. Hill, a renowned American mathematician. Hill Cipher represents a polygraphic substitution cipher that follows a uniform substitution across multiple levels of blocks. Here, polygraphic substitution cipher means that the Hill Cipher can work seamlessly with digraphs (two-letter blocks), trigraphs (three-letter blocks), or any multiple-sized blocks for building a uniform cipher.
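The formulas Ci = (Pi + Ki) mod 26 and Pi = (Ci − Ki) mod 26, the repeated key stream, and the worked table of Ex. 1.11.10 are reproduced by the following Python program, an added example that is not the textbook's code. The recover_key() function illustrates the remark that the cipher can be broken once the key length and key are found: in the known-plaintext case the key stream is simply Ci − Pi, and its shortest period is the key length m.

```python
"""Vigenère cipher as the 'm additive ciphers' of the text, plus a
known-plaintext key recovery. Added example, not the textbook's code."""


def _clean(text: str) -> str:
    return "".join(c for c in text.upper() if "A" <= c <= "Z")


def key_stream(keyword: str, length: int) -> str:
    """Keyword repeated so that its total length equals the plaintext length."""
    k = _clean(keyword)
    return "".join(k[i % len(k)] for i in range(length))


def vigenere_encrypt(plaintext: str, keyword: str) -> str:
    p = _clean(plaintext)
    ks = key_stream(keyword, len(p))
    # C_i = (P_i + K_i) mod 26, letter values A = 00 ... Z = 25
    return "".join(chr((ord(pc) - 65 + ord(kc) - 65) % 26 + 65) for pc, kc in zip(p, ks))


def vigenere_decrypt(ciphertext: str, keyword: str) -> str:
    c = _clean(ciphertext)
    ks = key_stream(keyword, len(c))
    # P_i = (C_i - K_i) mod 26
    return "".join(chr((ord(cc) - ord(kc)) % 26 + 65) for cc, kc in zip(c, ks))


def worktable(plaintext: str, keyword: str) -> dict:
    """The six rows of the worked table in Ex. 1.11.10, as lists of cells."""
    p = _clean(plaintext)
    ks = key_stream(keyword, len(p))
    c = vigenere_encrypt(p, keyword)

    def values(s):
        return [f"{ord(x) - 65:02d}" for x in s]

    return {"Plaintext": list(p), "P's Values": values(p), "Key Stream": list(ks),
            "K's Values": values(ks), "C's Values": values(c), "Ciphertext": list(c)}


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Known-plaintext key recovery: K_i = (C_i - P_i) mod 26 gives the key
    stream; the key is its shortest repeating prefix (length m)."""
    p, c = _clean(plaintext), _clean(ciphertext)
    stream = "".join(chr((ord(cc) - ord(pc)) % 26 + 65) for pc, cc in zip(p, c))
    for m in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % m] for i in range(len(stream))):
            return stream[:m]
    return stream


if __name__ == "__main__":
    rows = worktable("LIFE IS FULL OF SURPRISES", "HEALTH")
    for name, cells in rows.items():
        print(f"{name:<11}| " + " | ".join(cells))
    print("Result:", "".join(rows["Ciphertext"]))
    print("Recovered key:", recover_key("LIFE IS FULL OF SURPRISES", "".join(rows["Ciphertext"])))
```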
- Hill Cipher is based on a particular mathematical topic of linear algebra and the sophisticated use of matrices in general, as well as rules for modulo arithmetic.
- The way Hill Cipher works is explained below :
(1) Treat every letter in the plaintext message as a number such that A = 00, B = 01, ....
(2) Organize the plaintext message as a matrix of numbers based on the above conversion. For example, if the plaintext is ATT, based on the above step we know that A = 00, T = 19. Therefore, our plaintext would look as follows :

| 00 |
| 19 |
| 19 |

(3) Now, the plaintext matrix is multiplied by a matrix of randomly chosen keys. The key matrix is of size n × n, where n is the number of rows in the plaintext. For example, we take the following matrix :

| 2  4  5 |
| 9  2  1 |
| 3 17  7 |

(4) Now, multiply the two matrices as shown below :

| 2  4  5 |   | 00 |   | 171 |
| 9  2  1 | × | 19 | = |  57 |
| 3 17  7 |   | 19 |   | 456 |

(5) Now compute a modulo 26 value of the above matrix. That is, take the remainder after dividing the values by 26.

| 171 |            | 15 |
|  57 | mod 26 =   | 05 |
| 456 |            | 14 |

(6) Now, translate the numbers to alphabets : 15 = P, 05 = F, 14 = O. Therefore, the ciphertext is “PFO”.
(7) For decryption, take the ciphertext matrix and multiply it by the inverse of the original key matrix.
(8) After this, take modulo 26 of this matrix.
(9) Now, translate the numbers to alphabets. You will get the original plaintext back successfully.
- Hill cipher is vulnerable to the known-plaintext attack. This is because it is linear, due to the possibility to compute smaller factors of the matrices, work on them individually, and then join them back as and when they are ready.

Ex. 1.11.12 : Use a Hill cipher to encipher the message “WE LIVE IN AN INSECURE WORLD”. Use the following key :

Hash-based Message Authentication Code (HMAC)

- A Hash-based Message Authentication Code (HMAC) is a method of MAC that includes a cryptographic hash function and a secret key in deriving the message authentication code.
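Steps (1) to (9) above, carried out for a general n × n key, are implemented in the following Python program, an added example that is not the textbook's code. It reproduces ATT → PFO with the key matrix of the example, computes the inverse key modulo 26 for decryption, and in recover_key() shows concretely why the cipher is vulnerable to a known-plaintext attack: since C = K·P is linear, n known plaintext/ciphertext blocks give K = C·P⁻¹ mod 26. The padding of a short final block with X is an assumption of this example, not a rule from the text.

```python
"""Hill cipher over Z_26 with an n x n key: letters -> numbers, C = K*P mod 26,
decryption with K^-1 mod 26, and the known-plaintext key recovery.
Added example, not the textbook's code."""

MOD = 26


def _minor(m, i, j):
    return [row[:j] + row[j + 1:] for k, row in enumerate(m) if k != i]


def _det(m):
    """Determinant by cofactor expansion along the first row (exact integers)."""
    if len(m) == 1:
        return m[0][0]
    return sum((-1) ** j * m[0][j] * _det(_minor(m, 0, j)) for j in range(len(m)))


def inverse_mod26(m):
    """K^-1 mod 26 = det^-1 * adj(K) mod 26; fails if gcd(det, 26) != 1."""
    n = len(m)
    det = _det(m) % MOD
    try:
        det_inv = pow(det, -1, MOD)
    except ValueError:
        raise ValueError("key matrix is not invertible modulo 26")
    adj = [[(-1) ** (i + j) * _det(_minor(m, j, i)) for j in range(n)] for i in range(n)]
    return [[(det_inv * adj[i][j]) % MOD for j in range(n)] for i in range(n)]


def _matvec(m, v):
    return [sum(m[r][c] * v[c] for c in range(len(v))) % MOD for r in range(len(m))]


def hill_encrypt(plaintext: str, key) -> str:
    n = len(key)
    nums = [ord(c) - 65 for c in plaintext.upper() if c.isalpha()]   # step (1)
    while len(nums) % n:
        nums.append(ord("X") - 65)            # pad a short final block with X (assumption)
    out = []
    for i in range(0, len(nums), n):          # step (2): one column block at a time
        out.extend(_matvec(key, nums[i:i + n]))   # steps (4) and (5)
    return "".join(chr(v + 65) for v in out)      # step (6)


def hill_decrypt(ciphertext: str, key) -> str:
    return hill_encrypt(ciphertext, inverse_mod26(key))   # steps (7) to (9)


def recover_key(plain_blocks, cipher_blocks):
    """Known-plaintext attack: the blocks are the columns of P and C, so K = C * P^-1."""
    n = len(plain_blocks)
    P = [[ord(plain_blocks[j][i]) - 65 for j in range(n)] for i in range(n)]
    C = [[ord(cipher_blocks[j][i]) - 65 for j in range(n)] for i in range(n)]
    P_inv = inverse_mod26(P)
    return [[sum(C[i][k] * P_inv[k][j] for k in range(n)) % MOD for j in range(n)]
            for i in range(n)]


KEY = [[2, 4, 5], [9, 2, 1], [3, 17, 7]]   # the key matrix of the worked example

if __name__ == "__main__":
    print(hill_encrypt("ATT", KEY))           # PFO
    print(hill_decrypt("PFO", KEY))           # ATT
    blocks = ["BAA", "BBA", "ABB"]            # constructed known plaintext blocks
    print(recover_key(blocks, [hill_encrypt(b, KEY) for b in blocks]) == KEY)
```

The known-plaintext blocks are chosen so that their matrix P is invertible modulo 26; with a non-invertible P the attacker needs more blocks, but the linearity that makes the recovery possible is unchanged.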
- Like any MAC, it is used for both data integrity and authentication.
- Typically, MD5, SHA-1 or SHA-256 cryptographic hash functions are used to calculate the HMAC value. HTTPS, SFTP, FTPS and other protocols use HMAC.
- We will see in the later sections that digital signatures are almost similar to HMACs, i.e. they both employ a hash function and a key. The difference lies in the keys : HMACs use a symmetric key while signatures use an asymmetric approach (two different keys).

Working of HMAC

Step 1 : The message is divided into N blocks. Each block is of b bits.
Step 2 : To match the key length with the size of every block, the secret key is left padded with 0s to b bits. One of the requirements of HMAC is that if the secret key is longer than b bits, it is first hashed.
Step 3 : The padded key of the previous step is XORed with the input pad (ipad) to create a b-bit block. The ipad constant's value is the b/8 repetition of the sequence 00110110, i.e. 36 in hexadecimal.
Step 4 : The resulting block is prepended to the message blocks.
Step 5 : The block of Step 4 is applied to the hashing algorithm to create an intermediate n-bit HMAC.
Step 6 : This intermediate HMAC is left padded with 0s to create a b-bit block.
Step 7 : Steps 2 and 3 are now repeated but with the new constant, the output pad (opad). The opad constant's value is the b/8 repetition of the sequence 01011100, i.e. 5C in hexadecimal.
Step 8 : The resulting block is prepended to the block of Step 6.
Step 9 : The result of Step 8 is applied to the same hashing algorithm to create the final n-bit HMAC.

Advantages
(1) Due to the use of hash functions, HMACs are considered to be good high-performance systems.
(2) Since it uses hashing twice, it is strong against cryptanalysis attacks.

Disadvantages
(1) We cannot use the Hash-based Message Authentication Code in a case of more than one receiver because HMAC uses a symmetric key to generate the MAC.
(2) If we share the symmetric key with multiple parties, there is no way for the receiver to know which sender prepared and sent the message; there is also the possibility that some receivers do not keep the key to themselves. So there is the possibility of fraud in that one of the receivers may create false messages.
(3) There is also a need for periodic refreshment of keys.
- The opad is a constant.

Fig. 2.4.3 : Hash-based MAC

2.5 DIGITAL SIGNATURE

- When a sender sends a message to a receiver, the receiver needs to check the authenticity of the sender, i.e. the receiver needs to be sure that the message is coming from the authentic sender and not an adversary, for which he can ask the sender to sign the message electronically.
- A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. It allows us to verify the author name, date and time of signature, and authenticate the message contents.
- The digital signature offers far more inherent security and is intended to solve the problem of tampering and impersonation in digital communications.
- Digital signatures are created and verified by using public key / asymmetric key cryptography. The user who is creating the digital signature uses his private key to encrypt the signature-related document. There is only one way …
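The working of HMAC given above (key padded to b bits, XOR with ipad = 36h and opad = 5Ch, two passes of the same hash) is implemented from scratch below with SHA-256 (b = 512 bits, n = 256 bits). This is an added example, not the textbook's code. Two details follow the HMAC standard (RFC 2104) rather than the wording of the steps: the zero padding is appended after the key bytes, and the intermediate n-bit value is fed to the second hash as-is, because the hash function's own block padding already brings it to a multiple of b bits. Following the standard lets the result be cross-checked against Python's hmac module and the published RFC 4231 test vector.

```python
"""HMAC built step by step from SHA-256, following the working described
above. Added example, not the textbook's code."""

import hashlib
import hmac  # standard library, used only to cross-check the hand-built result

BLOCK_BYTES = 64                      # b = 512 bits for SHA-256
IPAD = bytes([0x36]) * BLOCK_BYTES    # 00110110 repeated b/8 times
OPAD = bytes([0x5C]) * BLOCK_BYTES    # 01011100 repeated b/8 times


def hmac_sha256(key: bytes, message: bytes) -> bytes:
    # Step 2: a key longer than b bits is hashed first, then padded with zeros
    # to exactly b bits (RFC 2104 appends the zeros after the key bytes).
    if len(key) > BLOCK_BYTES:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_BYTES, b"\x00")

    # Steps 3 to 5: (key XOR ipad) || message, hashed -> intermediate n-bit value
    k_ipad = bytes(k ^ p for k, p in zip(key, IPAD))
    inner = hashlib.sha256(k_ipad + message).digest()

    # Steps 7 to 9: (key XOR opad) || intermediate, hashed again -> final HMAC
    k_opad = bytes(k ^ p for k, p in zip(key, OPAD))
    return hashlib.sha256(k_opad + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so a verifier does not leak
    how many leading bytes of a forged tag happened to be right."""
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's own HMAC implementation."""
    return hmac_sha256(key, message) == hmac.new(key, message, hashlib.sha256).digest()


def rfc4231_case1() -> str:
    """RFC 4231 test case 1: key = 20 bytes of 0x0b, data = b'Hi There'."""
    return hmac_sha256(b"\x0b" * 20, b"Hi There").hex()


if __name__ == "__main__":
    key = b"shared-secret"                           # constructed sample key
    msg = b"transfer 100 units to account 42"        # constructed sample message
    tag = hmac_sha256(key, msg)
    print(tag.hex())
    print("genuine :", verify_tag(key, msg, tag))
    print("tampered:", verify_tag(key, msg.replace(b"100", b"900"), tag))
```

The tampered message fails verification even though only three bytes changed, which is the integrity property the text attributes to HMAC; the constant-time comparison in verify_tag() is the detail most hand-written MAC checks get wrong.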
- The receiver can compute the message digest from the message sent by the sender. The receiver now has the message digest. The message digest computed by the receiver and the previous message digest need to be the same for ensuring integrity.

UQ. Design a sample Digital Certificate and explain each field of it.
UQ. What is the significance of a digital signature on a certificate? Justify.

- X.509 is a standard format for public key certificates, digital documents that verify that a public key belongs to the user, computer or service identity contained within the certificate. X.509 has been adapted for internet use by the IETF's Public-Key Infrastructure (X.509) (PKIX) working group.
- The fields of an X.509 certificate are :
(1) Version : This field defines which X.509 version applies to the certificate. The version number started at 0 and currently it is version 2.
(2) Serial number : This field defines a serial number unique among other certificates.
(3) Signature Algorithm information : This field identifies the algorithm used by the issuer to sign the certificate.
(4) Issuer name : This field defines the name of the entity issuing the certificate (usually a certificate authority).
(5) Validity period of the certificate : This field defines the start/end date and time the certificate is valid.
(6) Subject name : This field defines the name of the identity the certificate is issued to, the entity to which the public key belongs.
(7) Subject public key information : This field defines the public key associated with the identity (the subject of the certificate) as well as the corresponding algorithm.
(8) Issuer unique identifier : This is an optional field which allows two issuers to have the same issuer field value.
(9) Subject unique identifier : This is an optional field which allows two subjects to have the same subject field value.
(10) Extensions : This is an optional field which allows issuers to add more private information to the certificate.
(11) Signature : This field is comprised of three sub-fields : algorithm, parameters and encrypted.

Fig. 2.7.1 : Format of X.509 Digital Certificate

- Every certificate can be renewed after the period of validity. The CA generally issues a new certificate if there is no problem, before the old certificate expires.

2.7.2 Digital Certificate Vs. Digital Signature

Sr. | Feature | Digital Signature | Digital Certificate
1. | Definition | A digital signature is an attachment to a digital document that ensures its authenticity and integrity. | A digital certificate is a file that ensures the holder's identity and provides security.
2. | Verification | It verifies the identity of the document. | It verifies the identity of the ownership of an online medium.
3. | Steps involved | The hashed value of the original message is encrypted with the sender's secret key to generate the digital signature. | It is generated by a CA (Certifying Authority) and involves four steps : Key Generation, Registration, … and Creation.
4. | Issued by | It is issued by a specific individual. | …
5. | Ensures | It ensures that the signer cannot repudiate the signed document. | It ensures that both the parties in the communication are secure.
6. | Standard | It works on the Digital Signature Standard. | It follows the X.509 Standard Format.
7. | Security Services | Authenticity of the sender, integrity of the document and non-repudiation. | It provides security and authenticity of the certificate …

2.5.3 Digital Signature Schemes

- A digital signature scheme confirms that the sender of a received message is the intended source of the message and the received message is the original intended message.

(1) RSA Digital Signature Scheme

- The concept of RSA is also used for signing and verifying a message, which is called the RSA digital signature scheme.
- As noted earlier, the digital signature scheme changes the role of the private and public keys. Instead of the receiver's, the private and public keys of the sender are used. The sender uses her own private key to sign the document and the receiver uses the sender's public key to verify it.

Key Generation

- Since the concept of RSA is used, key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA cryptosystem. The sender selects two large prime numbers, p and q, and calculates n = p × q. The sender also calculates the totient function φ(n) = (p − 1)(q − 1).
- He then selects an encryption key e, publicly announces (n, e) and calculates the decryption key d such that e × d ≡ 1 mod φ(n).

Working

- Suppose the sender wants to send a message M to the receiver along with the digital signature DS calculated over message M. The following steps will be followed :

Step 1 : The sender uses the message digest algorithm to calculate the message digest (MD1) over the original message M.

Fig. 2.5.2 : Step 1

Step 2 : Signing : The sender now encrypts the message digest with his private key. The signature would be (MD1)^d mod n.

Fig. 2.5.3 : Signing

Step 1 : Signing
1. The sender selects a random number r. Although the public and private keys can be used repeatedly, the sender needs a new r every time he signs a new message.
3. The sender computes the first signature S1 using S1 = … mod p.
4. The sender computes the second signature S2 using the equation : S2 = (M − d × S1) × r^(−1) mod (p − 1)
where p = large prime number; M = original message that needs to be signed.
5. The sender sends M, S1 and S2 to the receiver.

Step 2 : Verifying
- The receiver receives M, S1 and S2, which can be verified as follows : The receiver checks to see if 0 …
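The RSA digital signature scheme described above (key generation as in RSA, MD1 = digest of M, DS = MD1^d mod n, verification by recovering the digest with the sender's public key and comparing it with a freshly computed digest) is shown end to end in the following Python program. It is an added example, not the textbook's code. The primes P and Q are fixed, publicly known Mersenne primes chosen only so that the arithmetic runs instantly and the full SHA-256 digest fits below n; they are demonstration parameters and would give no security in practice.

```python
"""RSA digital signature: hash, sign with the private key, verify with the
public key. Added example, not the textbook's code; demo parameters only."""

import hashlib

P = 2**521 - 1          # demo prime (Mersenne prime, publicly known)
Q = 2**607 - 1          # demo prime (Mersenne prime, publicly known)
E = 65537               # conventional public exponent


def generate_keys(p=P, q=Q, e=E):
    """Key generation exactly as in RSA: n = p*q, phi = (p-1)(q-1), d = e^-1 mod phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)         # requires gcd(e, phi) == 1; ValueError otherwise
    return (n, e), (n, d)       # (public key, private key)


def message_digest(message: bytes) -> int:
    """MD1 of the text: SHA-256 of the message, read as an integer (< n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Step 2 (signing): DS = MD1^d mod n."""
    n, d = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver: recover MD1 as DS^e mod n and compare with the digest MD2
    computed locally over the received message."""
    n, e = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    public, private = generate_keys()
    msg = b"Pay 500 to account 7"                 # constructed sample message
    ds = sign(msg, private)
    print("valid          :", verify(msg, ds, public))
    print("altered message:", verify(b"Pay 900 to account 7", ds, public))
    print("altered sig    :", verify(msg, ds ^ 1, public))
```

Both failure cases are the ones a verifier must reject: a message edited after signing (the digests no longer match) and a signature that was itself modified in transit. Real deployments sign a padded encoding of the digest (PKCS#1 v1.5 or PSS) rather than the bare integer used here.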
(3) Digital Signature Standard (DSS)

- The Digital Signature Standard (DSS) is a FIPS which defines algorithms that are used to generate digital signatures with the help of SHA for the authentication of electronic documents.
- DSS only provides us with the digital signature function and not with any encryption or key exchanging strategies. Unlike RSA, it cannot be used for encryption or key exchange. However, it is a public-key technique.
- The DSS approach also makes use of a hash function. The hash code is provided as input to the signature function along with a random number k generated for this particular signature. The signature function also depends on the sender's private key (PRa) and a set of parameters known to a group of communicating principals. We can consider this set to constitute a global public key (PUg). The result is a signature consisting of two components, labelled s and r.
- The verification function also depends on the global public key (PUg) as well as the sender's public key (PUa), which is paired with the sender's private key.
- The output of the verification function is compared with the signature component r. If the signature is valid, the output of the verification function is a value that is equal to the signature component r.
- The signature function is such that only the sender, with knowledge of the private key, could have produced the valid signature.

Fig. 2.5.8 : DSS approach

Fig. 2.5.11 : Verifying

Applications of Digital Signatures

- Digital signatures, when applied to communications, provide authentication of the sender, integrity of the message and non-repudiation.
- Due to this, they are added to the following communications to send data over insecure communication channels :
(1) To send and receive encrypted e-mails.
(2) To carry out secure online transactions.
(3) To identify participants of an online transaction.
(4) To apply for tenders, e-filing with the Registrar of Companies (MCA), e-filing of income tax returns and other relevant applications.
(5) To sign and validate Word, Excel and PDF document formats.

What is meant by malicious software?

- Malware is a term used to refer to any malicious program that could harm the computer system or network. Malware is a contraction for “malicious software”. Malware is a cover term for viruses, worms, trojans and other harmful programs which hackers use to inflict destruction and gain access to sensitive information. Their mission is often targeted at accomplishing unauthorized tasks such as robbing protected data, deleting confidential documents or adding software without the user's consent. Examples of common malware include viruses, worms, Trojan viruses, spyware, adware, bots, rootkits and ransomware.

3.1 TYPES OF MALICIOUS SOFTWARE

- There are different ways of categorizing malware; the first is by those that need a host program and those that are independent. Another way to classify malware is by those that do not replicate and those that do.
- Malwares like viruses, trojan horses and trapdoors require a host program to grow and spread across the network. Worms, on the other hand, spread without host software. Worms and zombies are standalone programs that spread by taking advantage of weaknesses in a network or the computers connected to a network.
- A computer virus inserts a copy of itself into a document or another program, and spreads as that infected program or document is shared. Similarly, a worm travels from computer to computer making copies of itself while it looks for information to steal or destroy, concurrently looking for access to other computers and networks. Worms and viruses refer to malware that replicate themselves.
- Malware can also be installed on a computer manually by the attackers themselves, either by gaining physical access to the computer or using privilege escalation to gain remote administrator access.
- Fig. 3.1.1 shows the classification of malicious software and Table 3.1.1 gives a brief overview of terminologies in malicious software which will be discussed in later sections of the chapter.

Fig. 3.1.1 : Types of Malicious Software

Table 3.1.1 : Terminology for Malware

Worm | A worm is a standalone piece of malicious software that reproduces itself and spreads from one computer to another computer.
Virus | A virus is a piece of computer code that inserts itself within the code of another standalone program, then forces that program to take malicious action and spread itself.
Trojan | A trojan is a program which cannot reproduce itself but masquerades as legitimate software to fool an unsuspecting user into activating it so it can do its damage and spread.
Spyware | Spyware is malware used for the purpose of secretly spying on a user.
Rootkit | A rootkit is a program or a collection of software tools that gives a threat actor remote control over a computer or other system.
Ransomware | Ransomware is malware that encrypts your hard drive and demands payment, in Bitcoin, in exchange for the decryption key.
Adware | Adware is malware that forces your browser to redirect to web advertisements, which themselves seek to download further, even more malicious, software.
Keylogger | Keyloggers are a type of monitoring software designed to record keystrokes made by a user.
Logic Bomb | A logic bomb is a malicious piece of code that is secretly inserted into a computer network, operating system, or software application.
Phishing | Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers.
Bot / Zombie | A bot or zombie is a program that performs automated tasks, imitating human activity.
Trapdoor / Backdoor | A trapdoor or backdoor is a means of bypassing security to gain access to a restricted part of a computer system.
Spam | Spam is any kind of unwanted, unsolicited communication (commonly referred to as e-mail spam) that gets sent out in bulk over the internet as a means of advertising, phishing or releasing malware. It is usually promotional. It is a huge waste of time and resources.

4.2.3 Secure Socket Layer (SSL) Architecture

UQ. Write a short note on SSL/TLS.
UQ. A user wishes to do online transactions with Amazon.com. Discuss a … which can … secure communication channel and provide server-side and client-side authentication. State the steps in the handshake process.

- SSL is the secure communications protocol of choice for a large part of the Internet community. There are many applications of SSL in existence, since it is capable of securing any transmission over TCP.
- Secure HTTP, or HTTPS, is a familiar application of SSL in e-commerce or password transactions.
- The current version of SSL is version 3.0, released by Netscape in 1999.
- The Internet Engineering Task Force (IETF) has created a similar protocol in an attempt to standardize SSL within the Internet community.
- The need to send sensitive information over the Internet is increasing, and so is the necessity to secure it in transit through the Internet.
- A common application of SSL with a web system is an online store where a client machine is sending a request to a merchant's server.
- In order to apply the SSL protocol to a web system, some requirements must be met. Since SSL is integrated into most web browsers, and those browsers are normally used to access web applications, no configuration is required from the client's side of the SSL connection.
(1) Configuration is relatively simple from the server side of the communication equation. First, the administrator must acquire a digital certificate. This can be obtained from a Certification Authority (CA), like VeriSign or RSA Data Security.
CAs require that certificates be renewed after a set length of time, for ensuring the identity of the owner of the application's server.
(2) The second requirement is the proper configuration of the web server to allow SSL connections. For example, the iPlanet Web Server has the capability to store multiple certificates for multiple sites on one web server. This capability allows the administrators to prove the identity of each application hosted by this server, and allows application users to correctly identify each application separately.
(3) The third requirement is to add an accelerator to the web server. SSL accelerators are PCI cards sold by several companies (Cisco, Broadcom, etc.) to speed up the processing actions required to encrypt information for secure communications. SSL connections do slow communications, mostly due to the exchanging of keys and other information during the startup phase of the session. The use of public key cryptography requires a “sizeable amount of information” to be passed between the client and server machines.

Fig. 4.2.2 : SSL Protocol Stack

- The various protocols in the SSL Protocol Stack are explained below.

(1) Record Layer
- The record layer formats the Alert, ChangeCipherSpec, Handshake and application protocol messages.
- This formatting provides a header for each message, and a hash, generated from a Message Authentication Code (MAC), at the end.
- The fields that comprise the five-byte header of the Record Layer are : the record type (1 byte), the Protocol Version (2 bytes) and the Length (2 bytes). The protocol messages that follow the header cannot be longer than 16,384 bytes, as specified by the protocol.

(2) ChangeCipherSpec Protocol
- The ChangeCipherSpec layer is composed of one message that signals the beginning of secure communications between the client and server.
- Though the ChangeCipherSpec Protocol uses the Record Layer format, the actual ChangeCipherSpec message is only one byte long, and signals the change in communications protocol by having a value of ‘1’.

(3) Alert Protocol
- This protocol sends errors, problems or warnings about the connection between the two parties.
- This layer is formed with two fields : Severity Level and Alert Description.
- Severity Level :
  o The Severity Level sends messages with a ‘1’ or ‘2’ value, depending on the level of concern.
  o A message with a value of ‘1’ is a cautionary or warning message, suggesting that the parties discontinue their session and reconnect using a new handshake.
  o A message with a value of ‘2’ is a fatal alert message, and requires that the parties discontinue their session.
- Alert Description :
  o The Alert Description field indicates the specific error that caused the Alert Message to be sent from a party.
  o This field is one byte, mapped to one of twelve specific numbers, and can take on one of the following meanings.
  o Those descriptions that always follow a “fatal” alert message are underlined.
  CloseNotify, UnexpectedMessage, BadRecordMAC, DecompressionFailure, HandshakeFailure, NoCertificate, BadCertificate, UnsupportedCertificate, CertificateRevoked, CertificateExpired, CertificateUnknown, IllegalParameter

(4) Handshake Protocol
- Messages passed back and forth between the user's browser (client) and web application (server) establish a handshake that begins a secure connection.
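The record-layer header, the one-byte ChangeCipherSpec message and the two-byte Alert message described above are easy to parse and validate, which is what a protocol monitor or an inspection filter does before anything else. The following Python program is an added example, not the textbook's code; it runs over a constructed byte stream. The numeric codes it uses (content types 20 to 23, alert severities 1 and 2, the twelve alert descriptions and the handshake message types) are the values defined in the SSL 3.0 specification (RFC 6101), which the text lists only by name.

```python
"""Parser for SSL record-layer headers plus the Alert, ChangeCipherSpec and
Handshake message headers, with the length and format checks the text
implies. Added example, not the textbook's code."""

import struct

MAX_FRAGMENT = 16384                               # record payload limit from the text
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
SEVERITY = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {                             # SSL 3.0 (RFC 6101) values
    0: "CloseNotify", 10: "UnexpectedMessage", 20: "BadRecordMAC",
    30: "DecompressionFailure", 40: "HandshakeFailure", 41: "NoCertificate",
    42: "BadCertificate", 43: "UnsupportedCertificate", 44: "CertificateRevoked",
    45: "CertificateExpired", 46: "CertificateUnknown", 47: "IllegalParameter",
}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}


def parse_record(data: bytes):
    """Parse one record: 5-byte header (type, version major/minor, length) and
    fragment. Returns (record dict, remaining bytes); ValueError if malformed."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError(f"unknown content type {ctype}")
    if length > MAX_FRAGMENT:
        raise ValueError(f"fragment length {length} exceeds {MAX_FRAGMENT}")
    if len(data) < 5 + length:
        raise ValueError("truncated record fragment")
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
              "length": length, "fragment": data[5:5 + length]}
    frag = record["fragment"]
    if record["type"] == "Alert":                  # severity byte + description byte
        if len(frag) != 2:
            raise ValueError("alert message must be exactly two bytes")
        record["alert"] = (SEVERITY.get(frag[0], f"unknown({frag[0]})"),
                           ALERT_DESCRIPTIONS.get(frag[1], f"unknown({frag[1]})"))
    elif record["type"] == "ChangeCipherSpec":     # single byte with value 1
        if frag != b"\x01":
            raise ValueError("ChangeCipherSpec must be the single byte 0x01")
    elif record["type"] == "Handshake":            # 1-byte message type + 3-byte length
        if len(frag) < 4:
            raise ValueError("truncated handshake header")
        hs_type, hs_len = frag[0], int.from_bytes(frag[1:4], "big")
        record["handshake"] = (HANDSHAKE_TYPES.get(hs_type, f"unknown({hs_type})"), hs_len)
    return record, data[5 + length:]


def parse_stream(data: bytes):
    """Split a byte stream into its consecutive records."""
    records = []
    while data:
        record, data = parse_record(data)
        records.append(record)
    return records


def is_rejected(data: bytes) -> bool:
    """True when the parser refuses the input, i.e. what a filter should drop."""
    try:
        parse_stream(data)
        return False
    except ValueError:
        return True


# Constructed sample (version bytes 3,0 = SSL 3.0): a ClientHello with an
# empty body, a ChangeCipherSpec, then a fatal HandshakeFailure alert.
SAMPLE_STREAM = (
    b"\x16\x03\x00\x00\x04" + b"\x01\x00\x00\x00"   # Handshake: ClientHello, length 0
    + b"\x14\x03\x00\x00\x01" + b"\x01"             # ChangeCipherSpec: value 1
    + b"\x15\x03\x00\x00\x02" + b"\x02\x28"         # Alert: fatal (2), HandshakeFailure (40)
)

if __name__ == "__main__":
    for r in parse_stream(SAMPLE_STREAM):
        print(r["type"], r["version"], r.get("alert") or r.get("handshake") or r["fragment"])
```

The two rejection paths worth noting are a declared length above 16,384 bytes and a fragment shorter than its header claims; both are classic inputs for crashing a careless record parser, so a defensive implementation checks them before touching the payload.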
- The messages that compose this handshake are: ClientHello, ServerHello, ServerKeyExchange, ServerHelloDone, ClientKeyExchange, ChangeCipherSpec, Finished, ChangeCipherSpec, Finished.
- A visual explanation of the Handshake Protocol is given.
- At the end of this handshake process, the user will see a lock icon in the corner of his/her browser to indicate that a secure protocol has been agreed upon and is in use by his/her browser and the web e-mail server.
- Each of the messages in the handshake process is explained in detail.
(a) ClientHello
- The first message is the ClientHello. Since the client machine is requesting the secure communication session, this message involves a set of options that the client is willing to use in order to communicate with the server.

The following table illustrates the difference between communication over http and https :

Table 4.2.2 : HTTP Vs HTTPS
HTTP | HTTPS
Transfers data in hypertext (structured text) format | Transfers data in encrypted format
Uses port 80 by default | Uses port 443 by default
Not secure | Secured using SSL technology
Starts with http:// | Starts with https://

4.2.5(A) Advantages of https
- Secure Communication : https makes a secure connection by establishing an encrypted link between the browser and the server or any two systems.
- Data Integrity : https provides data integrity by encrypting the data and so, even if hackers manage to trap the data, they cannot read or modify it.
- Privacy and Security : https protects the privacy and security of website users by preventing hackers from passively listening to communication between the browser and the server.
- Faster Performance : https increases the speed of data transfer compared to http by encrypting and reducing the size of the data.
- SEO : Use of https increases Search Engine Optimization (SEO) ranking. In Google Chrome, Google shows the Not Secure label in the browser if users' data is collected over http.
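The Record Layer header and the Alert message described above, as an added example (not code from the textbook): a parser that splits a byte stream on the five-byte header, enforces the 16,384-byte body limit, checks the one-byte ChangeCipherSpec value, and decodes the Alert level and description. The numeric content-type and alert code points are the SSL 3.0 values and the sample stream is constructed, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List

# Record-layer content types: the four protocols the page says the record layer carries.
# Numeric values are the SSL 3.0 code points (assumption, see lead-in).
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
MAX_RECORD_BODY = 16384  # the page's 16,384-byte limit on a record body

# The twelve Alert descriptions listed on the page, with their SSL 3.0 code points.
ALERT_DESCRIPTIONS = {
    0: "CloseNotify", 10: "UnexpectedMessage", 20: "BadRecordMAC",
    30: "DecompressionFailure", 40: "HandshakeFailure", 41: "NoCertificate",
    42: "BadCertificate", 43: "UnsupportedCertificate", 44: "CertificateRevoked",
    45: "CertificateExpired", 46: "CertificateUnknown", 47: "IllegalParameter",
}
# Descriptions that SSL 3.0 defines as always fatal.
ALWAYS_FATAL = {10, 20, 30, 40, 47}


@dataclass
class Record:
    content_type: str
    version: tuple
    body: bytes


def parse_records(data: bytes) -> List[Record]:
    """Split a byte stream into records using the five-byte header described on
    the page: type (1 byte), version (2 bytes), length (2 bytes, big-endian)."""
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        if length > MAX_RECORD_BODY:
            # A peer claiming a longer body is malformed: reject instead of buffering it.
            raise ValueError(f"record length {length} exceeds {MAX_RECORD_BODY}")
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append(Record(CONTENT_TYPES[ctype], (major, minor), body))
        offset += 5 + length
    return records


def is_rejected(data: bytes) -> bool:
    """True when parse_records refuses the stream (oversized or truncated)."""
    try:
        parse_records(data)
        return False
    except ValueError:
        return True


def parse_change_cipher_spec(body: bytes) -> bool:
    """The page's one-byte ChangeCipherSpec message must carry the value 1."""
    if body != b"\x01":
        raise ValueError("ChangeCipherSpec body must be the single byte 0x01")
    return True


def parse_alert(body: bytes) -> dict:
    """Decode the two-byte Alert: severity level (1 = warning, 2 = fatal) and
    description. 'level_ok' is False when an always-fatal description arrives
    with a warning level; a receiver should still treat such an alert as fatal."""
    if len(body) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = body[0], body[1]
    if level not in (1, 2):
        raise ValueError(f"invalid severity level {level}")
    if desc not in ALERT_DESCRIPTIONS:
        raise ValueError(f"unknown alert description {desc}")
    must_be_fatal = desc in ALWAYS_FATAL
    return {
        "level": "warning" if level == 1 else "fatal",
        "description": ALERT_DESCRIPTIONS[desc],
        "must_be_fatal": must_be_fatal,
        "level_ok": not (must_be_fatal and level == 1),
    }


# Constructed sample stream: a ChangeCipherSpec record followed by a fatal
# HandshakeFailure alert, both carrying version 3.0 in the header.
SAMPLE_STREAM = bytes([20, 3, 0, 0, 1, 0x01]) + bytes([21, 3, 0, 0, 2, 2, 40])


def summarize(data: bytes) -> List[str]:
    """One log line per record, the way a monitor would report them."""
    out = []
    for rec in parse_records(data):
        if rec.content_type == "Alert":
            a = parse_alert(rec.body)
            out.append(f"Alert {a['level']} {a['description']}")
        elif rec.content_type == "ChangeCipherSpec":
            parse_change_cipher_spec(rec.body)
            out.append("ChangeCipherSpec")
        else:
            out.append(f"{rec.content_type} ({len(rec.body)} bytes)")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_STREAM):
        print(line)
```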
4.2.6 Secure Shell (SSH) Protocol Stack
- The shell is the part of the operating system that allows users to access the computer. Normally this is the text-based command line (or command prompt, terminal, or console), but the graphical user interface is also called a shell.
- The method of establishing a connection is called 'secure shell' because the protocol creates a secure connection to the shell of another computer.
- SSH stands for Secure Shell or Secure Socket Shell. It is a cryptographic network protocol that allows two computers to communicate and share data over an insecure network such as the internet. It is used to login to a remote server to execute commands and to transfer data from one machine to another machine.
- The SSH protocol was developed by SSH Communication Security Ltd to safely communicate with the remote machine.
- Secure communication provides a strong password authentication and encrypted communication with a public key over an insecure channel. It is used to replace unprotected remote login protocols such as Telnet, rlogin, rsh, etc. and the insecure file transfer protocol FTP.
- Its security features are widely used by network administrators for managing systems and applications remotely.
- The SSH protocol protects the network from various attacks such as DNS spoofing, IP source routing, and IP spoofing.
- A simple example can be understood as follows: suppose you want to transfer a package to one of your friends. Without the SSH protocol, it can be opened and read by anyone. But if you send it using the SSH protocol, it will be encrypted and secured with the public keys, and only the receiver can open it.

Fig. 4.2.11 : Data transmission without and with SSH

4.2.6(A) Usages of SSH Protocol
Popular usages of SSH protocol are given below :
- It provides secure access to users and automated processes.
- It is an easy and secure way to transfer files from one system to another over an insecure network.
- It also issues remote commands to the users.
- It helps the users to manage the network infrastructure and other critical system components.
- It is used to log in to a shell on a remote system (Host), which replaces Telnet and rlogin, and is used to execute a single command on the host, which replaces rsh.
- It combines with the rsync utility to backup, copy, and mirror files with complete security and efficiency.
- It can be used for forwarding a port.
- By using SSH, we can set up the automatic login to a remote server such as OpenSSH.
- We can securely browse the web through the encrypted proxy connection with the SSH client, supporting the SOCKS protocol.

4.2.6(B) Working of SSH
- The SSH protocol works in a client-server model, which means it connects a secure shell client application (one where the session is displayed) with the SSH server (one where the session executes).
- As discussed above, it was initially developed to replace insecure login protocols such as Telnet and rlogin, and hence it performs the same function.
- The basic use of SSH is to connect to a remote system for a terminal session, and to do this the following command is used :
ssh UserName@server.test.com
- The above command enables the client to connect to the server, named server.test.com, using the ID UserName.
- If we are connecting for the first time, it will prompt for the remote host's fingerprint; the message below will be prompted :
The authenticity of host 'sample.ssh.com' cannot be established.
DSA key fingerprint is 01:23:45:67:89:ab:cd:...
Are you sure you want to continue connecting (yes/no)?

S/MIME
- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a widely accepted method (or more precisely, a protocol) for sending digitally signed and encrypted messages.
- S/MIME allows you to encrypt emails and digitally sign them. When you use S/MIME
with an email message, it helps the people who receive that message to be certain that what they see in their inbox is the exact message that started with the sender.
- It will also help people who receive messages to be certain that the message came from the specific sender and not from someone pretending to be the sender.
- To do this, S/MIME provides for cryptographic security services such as authentication, message integrity, and non-repudiation of origin (using digital signatures).
- It also helps enhance privacy and data security (using encryption) for electronic messaging.
- S/MIME is as important a standard as SMTP because it brings SMTP to the next level: allowing widespread connectivity without compromising security.
- S/MIME provides two security services: Digital signatures and Message encryption.

4.3.16 PGP
- Pretty Good Privacy (PGP), which was invented by Phil Zimmermann, provides all four aspects of security, i.e. privacy, integrity, authentication, and non-repudiation in the sending of email.
- PGP uses digital signature (a combination of hashing and public key encryption) to provide integrity, authentication, and non-repudiation. PGP uses a combination of secret key encryption and public key encryption to provide privacy. Therefore, we can say that the digital signature uses one hash function, one secret key, and two private-public key pairs.
- PGP is an open source and freely available software package for email security.
- PGP provides authentication through the use of Digital Signature.
- It provides confidentiality through the use of symmetric block encryption.
- It provides compression by using the ZIP algorithm, and EMAIL compatibility using the Radix-64 encoding scheme.

Working of PGP
- The email message is hashed by using a hashing function to create a digest.
- The digest is then encrypted to form a signed digest by using the sender's private key, and then the signed digest is added to the original email message.
- The original message and signed digest are encrypted by using a one-time secret key created by the sender.
- The secret key is encrypted by using the receiver's public key.
- Both the encrypted secret key and the encrypted combination of message and digest are sent together.

Fig. 4.3.2 : PGP at the Sender Site

- The receiver receives the combination of the encrypted secret key and the encrypted message and digest.
- The encrypted secret key is decrypted by using the receiver's private key to get the one-time secret key.
- The secret key is then used to decrypt the combination of message and digest.
- The digest is decrypted by using the sender's public key, and the received message is hashed to create a digest.
- Both digests are compared; if both of them are equal, it means that all the aspects of security are preserved.

Fig. 4.3.3 : PGP at the Receiver Site

4.2.1 Virtual Private Network (VPN)
- Virtual Private Network (VPN) is a data network that enables two or more parties to communicate securely across a public network by creating a private connection, or 'tunnel', between them.
- A Virtual Private Network is a combination of software and hardware.
- VPN is a private point-to-point connection between two machines or networks over a shared or public network such as the Internet. VPN turns the Internet into a simulated private WAN.
- VPN (Virtual Private Network) technology can be used in an organization to extend its safe encrypted connection over the less secure Internet to connect remote users, branch offices, and partners to the private internal network.
- Thus a Virtual Private Network is a technology which creates a network, and that network is virtually private.
- The letter V in VPN stands for 'virtual', meaning that it has no corresponding physical network of its own.
- For example, suppose there is a company which has two locations. In order for the locations to communicate efficiently, the company has the choice to set up private lines between the two locations. Although private lines would restrict public access and extend the use of their bandwidth, it will cost the company a great deal of money, since they would have to purchase the communication lines per mile. The better option is to use the Internet. The company can hook their communication lines with a local ISP in both cities. Thus, the ISP would act as a middleman, connecting the two locations. This would create an affordable small area network for the company.

4.2.1(A) Types of VPN
VPN is of three kinds :
(1) Remote access VPN
(2) Intranet VPN
(3) Extranet VPN

(1) Remote access VPN
- The VPN which allows individual users to establish secure connections with a remote computer network is known as remote-access VPN.
- There is a requirement of two components like Network Access Server (NAS) and Client Software in a remote access VPN.
- It enables the remote connectivity using any internet access technology. Here, the remote user launches the VPN client to create a VPN tunnel.

(2) Intranet VPN
- If a company has one or more remote locations and the company wants to join those networks into a single private network, then that company can create an intranet VPN so that they can connect the LAN of one site to another.
- A company uses an intranet VPN when it replaces the WAN, and it can also connect new sites into the network easily by using this network.

(3) Extranet VPN
- When a company has a close relationship with another company (that company can be its customer, supplier, branch or another partner company), then those companies can build an extranet VPN so that they can connect the LAN of one company to the other.
- It allows all of the companies to work in a shared environment.
- The extranet VPN facilitates e-commerce.
4.2.1(B) VPN Protocols
Following are the protocols used within VPN :
(1) Internet Protocol Security (IPSec)
- We can make use of this protocol for encryption. It is used as a "protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each packet of IP of a data stream."
- It requires expensive, time-consuming client installation, which is its most significant disadvantage.
(2) Point-to-Point Tunneling Protocol (PPTP)
- Generally, it is the most widely used VPN protocol among Windows users. It was created by Microsoft in association with other technology companies.
- The most significant disadvantage of PPTP is that it does not provide encryption. It relies on PPP (Point-to-Point Protocol). It is implemented for the security measures.
- It is also available for Linux and Mac users. As compared to other methods, PPTP is faster.
(3) Layer 2 Tunneling Protocol (L2TP)
- It is another tunnelling protocol which supports VPN. L2TP was created by Microsoft and Cisco as a combination of PPTP and L2F (Layer 2 Forwarding).
- L2TP also does not provide encryption, like PPTP.
- The main difference between both of them is that L2TP delivers data confidentiality and data integrity.

4.2.1(C) VPN Configuration
There are the following two ways to create a VPN connection.
- By dialing an Internet service provider (ISP) : If you dial-in to an ISP, your ISP then makes another call to the private network's remote access server to establish the PPTP or L2TP tunnel. After authentication, you can access the private network.
- By connecting directly to the Internet : If you are already connected to the Internet, on a local area network, a cable modem, or a digital subscriber line (DSL), you can make a tunnel through the Internet and connect directly to the remote access server.
After authentication, you can access the corporate network.

4.2.1(D) Advantages of VPN
(1) Security : The VPN should protect data while it is travelling on the public network. If intruders attempt to capture the data, they should be unable to read or use it.
(2) Reliability : Employees and remote offices should be able to connect to the VPN. The virtual network should provide the same quality of connection for each user even when it is handling the maximum number of simultaneous connections.
(3) It reduces the operational cost and shifts the support burden to the service provider.
(4) It reduces the long-distance telephone charges.
(5) It cuts technical support.
(6) It eliminates the need for expensive private or leased lines.
(7) Its management is straightforward.
(8) Scalability : growth is flexible, i.e., we can easily add new locations to the VPN.
(9) It is efficient with broadband technology.
(10) By using VPN, the equipment cost is also reduced.

4.2.1(E) Disadvantages of VPN
(1) For a VPN network to be established, we require an in-depth understanding of the public network security issues.
(2) VPNs need to accommodate complicated protocols other than IP.
(3) There is a shortage of standardisation. The products from different vendors may or may not work well together.
(4) The reliability and performance of an Internet-based private network depend on uncontrollable external factors, and are not under an organisation's direct control.

4.1.1 Applications of IPSec
Following are some applications of IPSec :
(1) Secure remote access over the Internet : An end user whose system is equipped with IP security protocols can make a local call to an ISP (Internet Service Provider) and gain secure access to the corporate network facilities.
(2) Secure branch office connectivity over the Internet : An organization can secure the connection between its various branches across cities over the Internet, and allow the branches to connect to the organization's servers/desktops. This reduces the expense of private networks.
(3) Secure communication with other organizations : IPSec can also be used to set up communication with other organizations in a secure manner.

Benefits of IPSec
Following are some of the benefits of IPSec :
- It allows an organization that needs to connect branches across countries to have secure access to the corporate network.
- It allows interconnectivity between branches of the organization in a secure and inexpensive manner.
- Since IPSec works at the network layer, there is no need for changes in the upper layers, i.e. the application layer.
- It is also used in a firewall to protect the incoming and outgoing traffic. When IP security is configured to work with the firewall, it becomes the only entry-exit point for all traffic, which makes it extra secure.

4.1.2 IPSec Architecture
- IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header).
- IPSec Architecture includes protocols, algorithms, DOI, and Key Management. All these components are very important in order to provide the three main services :
(1) Confidentiality
(2) Authentication
(3) Integrity
- The IPsec specification is scattered across dozens of RFCs and draft IETF documents that can be categorized into the following groups.
- IPSec Architecture : Covers the general concepts, security requirements, definitions, and mechanisms defining IPsec technology.
- Encapsulating Security Payload (ESP) : ESP consists of an encapsulating header and trailer used to provide encryption or combined encryption/authentication.
- Authentication Header (AH) : AH is an extension header to provide message authentication. Because message authentication is provided by ESP, the use of AH is deprecated.
- Internet Key Exchange (IKE) : This is a collection of documents describing the key management schemes for use with IPsec.
- Cryptographic algorithms : This category encompasses a large set of documents that define and describe cryptographic algorithms for encryption, message authentication, pseudorandom functions (PRFs), and cryptographic key exchange.
- Domain of Interpretation (DOI) : Contains values needed for the other documents to relate to each other. This includes identifiers for approved encryption and authentication algorithms, as well as operational parameters such as key lifetime.

Fig. 4.1 : IPSec Architecture

4.1.3 Protection Mechanism
- IPsec provides two security protocols for protecting data :
(1) Authentication Header (AH)
(2) Encapsulating Security Payload (ESP)
- An AH protects data with an authentication algorithm. An ESP protects data with an encryption algorithm. Optionally, an ESP also protects data with an authentication algorithm. Each implementation of an algorithm is called a mechanism.

4.1.3(A) The Authentication Header (AH)
- The Authentication Header information is added into the packet which is generated by the sender, right between the Network (Layer 3) and Transport (Layer 4) layers.
- Authentication protects your network, and the data it carries, from tampering. Tampering might be a hacker sitting between the client and server, altering the content of the packets sent between the client and server, or someone trying to impersonate either the client or server, thus fooling the other side and gaining access to sensitive data.
- To overcome this problem, IPSec uses an Authentication Header (AH) to digitally sign the entire contents of each packet. This signature provides 3 benefits :
(1) Protection against replay attacks : If an attacker can capture packets, save them and modify them, and then send them to the destination, then they can impersonate a machine when that machine is not on the network. This is what we call a replay attack.
IPSec will prevent this from happening by including the sender's signature on all packets.
(2) Protection against tampering : The signatures added to each packet by IPSec mean that one can't alter any part of a packet undetected.
(3) Protection against spoofing : Each end of a connection (e.g., client-server) verifies the other's identity with the authentication headers used by IPSec.

5.1.1 SNMPv3
- The SNMP Version 3 feature provides secure access to devices by authenticating and encrypting packets over the network. Simple Network Management Protocol version 3 (SNMPv3) is defined in RFCs 3413 to 3415.
Security Features in SNMP Version 3 : The security features provided in SNMPv3 are :
(1) Message integrity : Ensures that a packet has not been tampered with in transit.
(2) Authentication : Determines that the message is from a valid source.
(3) Encryption : Scrambles the content of a packet to prevent it from being learned by an unauthorized source.
- SNMPv3 is a security model in which an authentication strategy is set up for a user and the group in which the user resides. A security level is the permitted level of security within a security model.
- A combination of a security model and a security level determines which security mechanism is used when handling an SNMP packet.

Table 5.1.1 : SNMP Version 3 Security Levels
Level | Authentication | Encryption | What Happens
noAuthNoPriv | Username | No | Uses a username match for authentication.
authNoPriv | MD5 or SHA | No | Provides authentication based on the Hashed Message Authentication Code (HMAC)-MD5 or HMAC-SHA algorithms.
authPriv | MD5 or SHA | Data Encryption Standard (DES) | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. In addition to authentication, provides DES 56-bit encryption based on the Cipher Block Chaining (CBC)-DES (DES-56) standard.

Security Threats and SNMPv3 Protection
Secure management with SNMPv3 protects against five threats :
- Verifies the identity of the message's origin by checking the integrity of the data.
- Thwarts accidental or intentional alterations of in-transit messages by checking the integrity of the data, including a time stamp.
- Thwarts replay attacks by checking message stream integrity, including a time stamp.
- Prevents eavesdropping by protocol analysers, etc., by using encryption.
- Verifies operator authorization and protects critical data from intentional and/or accidental corruption by using an access control table (part of policy-based management).

NETWORK MANAGEMENT SECURITY
- If an organization has 1000s of devices, then checking whether they are working properly or not, one by one, is a hectic task. To ease this up, Simple Network Management Protocol (SNMP) is used.
- SNMP is an application layer protocol which uses UDP port numbers 161/162 respectively.
- SNMP is used to monitor the network, detect network faults and sometimes even to configure remote devices.
- SNMP Components : There are 3 components of SNMP :
(1) SNMP Manager : It is a centralised system used to monitor the network. It is also known as Network Management Station (NMS).
(2) SNMP Agent : It is a software management module installed on a managed device. Managed devices can be network devices like PC, router, switches, servers etc.
(3) Management Information Base : MIB consists of information of resources that are to be managed. This information is organised hierarchically. It consists of object instances which are essentially variables.
- SNMP Messages : Various SNMP messages are listed below :
(1) GetRequest : The SNMP manager sends this message to request data from the SNMP agent. It is simply used to retrieve data from the SNMP agent. In response to this, the SNMP agent responds with the requested value through a Response message.
(2) GetNextRequest : This message can be sent to discover what data is available on an SNMP agent. The SNMP manager can request for data continuously until no more data is left. In this way, the SNMP manager can take knowledge of all the available data on the SNMP agent.
(3) GetBulkRequest : This message is used to retrieve large data at once by the SNMP manager from the SNMP agent. It was introduced in SNMPv2c.
(4) SetRequest : It is used by the SNMP manager to set the value of an object instance on the SNMP agent.
(5) Response : It is a message sent from the agent upon a request from the manager. When sent in response to Get messages, it will contain the data requested.
When sent in response to a Set message, it will contain the newly set value as confirmation that the value has been set.
(6) Trap : These are the messages sent by the agent without being requested by the manager. It is sent when a fault has occurred.
(7) InformRequest : It was introduced in SNMPv2c, and is used to identify if the trap message has been received by the manager or not. The agents can be configured to send the trap continuously until it receives an Inform message. It is the same as a trap but adds an acknowledgement that a trap doesn't provide.
- SNMP security levels : It defines the type of security algorithm performed on SNMP packets. These are used only in SNMPv3. There are 3 security levels namely :
(1) noAuthNoPriv : This (no authentication, no privacy) security level uses a community string for authentication and no encryption for privacy.
(2) authNoPriv : This security level (authentication, no privacy) uses HMAC with MD5 for authentication, and no encryption is used for privacy.
(3) authPriv : This security level (authentication, privacy) uses HMAC with MD5 or SHA for authentication, and encryption uses the DES-56 algorithm.
- SNMP versions : There are 3 versions of SNMP :
(1) SNMPv1 : It uses community strings for authentication and uses UDP only.
(2) SNMPv2c : It uses community strings for authentication. It uses UDP but can be configured to use TCP.
(3) SNMPv3 : It uses Hash based MAC with MD5 or SHA for authentication and DES-56 for privacy. This version uses TCP. Therefore, the conclusion is that the higher the version of SNMP, the more secure it will be.

6.1 INTRUSION DETECTION SYSTEM (IDS)
- An intrusion detection system (IDS) is a software application or device that monitors network traffic for anomalous patterns. These patterns indicate potentially suspicious activity.
- An IDS also monitors for violations of established network policy (like the transmission of unusually large amounts of data).
- Upon detecting anomalies or violations, the IDS has two possible responses.
(1) Send alerts : Passive IDS solutions respond by raising alerts through email or text. They may also notify a security information and event management (SIEM) system. A SIEM will correlate the event with other security events to help determine if this is an issue or not.
(2) Defensive action : Active IDS, also known as an intrusion prevention system (IPS), not only sends alerts, but also has extra security features. These features give active IDS solutions the ability to (a) modify access control lists on firewalls to block the suspicious traffic, (b) kill processes on the internal system involved in the communications, or (c) redirect traffic to a honeypot to further assess the threat.
- Fig. 6.1.1 depicts the intrusion detection system in the network.

Fig. 6.1.1 : Intrusion Detection System

6.1.1 Functions of Intrusion Detection System
Following are the functions of IDS, which make it popular among its various clients :
- It keeps an eye on the functions of routers, firewalls, key management servers, and files.
- It provides continuous support to the users.
- Arranges the various audit trails and other logs.
- It generates an alarm when security breaches are detected.
- Once the suspicious activity is detected, they block the server immediately.
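The file-watching function listed above, in the form a host-based IDS uses (a snapshot of system files compared against the previous snapshot, with an alarm for anything edited, deleted or added), as an added example that is not code from the textbook. The directory layout and file contents are constructed in a temporary directory so it runs offline; SHA-256 is the assumed digest.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def take_snapshot(root: str) -> Dict[str, str]:
    """Record the SHA-256 digest of every regular file under root, keyed by its
    path relative to root (always with '/' separators so results are portable)."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = digest.hexdigest()
    return snapshot


def compare_snapshots(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots into the three conditions a HIDS raises alarms for."""
    return {
        "modified": sorted(p for p in previous if p in current and previous[p] != current[p]),
        "deleted": sorted(p for p in previous if p not in current),
        "added": sorted(p for p in current if p not in previous),
    }


def alerts(diff: Dict[str, List[str]]) -> List[str]:
    """One alarm line per change, suitable for an administrator or a SIEM."""
    lines = []
    for kind in ("modified", "deleted", "added"):
        for path in diff[kind]:
            lines.append(f"ALERT file {kind}: {path}")
    return lines


def _write(root: str, rel: str, text: str, append: bool = False) -> None:
    """Helper for the constructed filesystem: create parent dirs and write text."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "a" if append else "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Build a constructed mini filesystem, take the baseline snapshot, apply the
    three kinds of change a HIDS must catch, and re-check against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/auth.log", "sshd: Accepted publickey for admin\n")
        baseline = take_snapshot(root)

        _write(root, "etc/passwd", "eve:x:0:0::/:/bin/sh\n", append=True)  # edited file
        os.remove(os.path.join(root, "var", "log", "auth.log"))            # deleted file
        _write(root, "etc/cron.d/persist", "* * * * * root /tmp/x\n")       # new file

        return compare_snapshots(baseline, take_snapshot(root))


if __name__ == "__main__":
    for line in alerts(demo()):
        print(line)
```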
Types of Intrusion Detection Systems
IDS are classified into 5 types as explained below :
(1) Network Intrusion Detection System (NIDS)
(2) Host Intrusion Detection System (HIDS)
(3) Protocol-based Intrusion Detection System (PIDS)
(4) Application Protocol-based Intrusion Detection System (APIDS)
(5) Hybrid Intrusion Detection System

(1) Network Intrusion Detection System (NIDS)
- Network intrusion detection systems (NIDS) are installed at a predetermined point within the network to examine traffic from all network devices.
- It monitors all passing traffic on the subnet and compares it to a database of known attacks. When an attack or unusual behavior is detected, an alert can be sent to the administrator.
- An example of an NIDS is installing it on the subnet where firewalls are located in order to see if someone is trying to crack the firewall.

(2) Host Intrusion Detection System (HIDS)
- Host intrusion detection systems (HIDS) run on independent hosts or devices on the network.
- A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected.
- It takes a snapshot of existing system files and compares it with the previous snapshot.
- If the analytical system files were edited or deleted, an alert is sent to the administrator to investigate.
- An example of HIDS usage can be seen on mission critical machines, which are not expected to change their layout.

(3) Protocol-based Intrusion Detection System (PIDS)
- A protocol-based intrusion detection system (PIDS) comprises a system or agent that would consistently reside at the front end of a server, controlling and interpreting the protocol between a user/device and the server.
- It tries to secure the web server by regularly monitoring the HTTPS protocol stream and accepting the related HTTP protocol.
- As HTTPS is decrypted before instantly entering its web presentation layer, this system would need to reside in this interface in order to use the HTTPS.

(4) Application Protocol-based Intrusion Detection System (APIDS)
- An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally resides within a group of servers.
- It identifies the intrusions by monitoring and interpreting the communication on application specific protocols.
- For example, this would monitor the SQL protocol explicit to the middleware as it transacts with the database in the web server.

(5) Hybrid Intrusion Detection System
- A hybrid intrusion detection system is made by the combination of two or more approaches of the intrusion detection system.
- In the hybrid intrusion detection system, host agent or system data is combined with network information to develop a complete view of the network system.
- A hybrid intrusion detection system is more effective in comparison to the other intrusion detection systems. Prelude is an example of a Hybrid IDS.

6.2 FIREWALLS
UQ. What is a firewall? Explain different types of firewalls.
UQ. What is a firewall? Explain different types of firewalls and list their advantages.
- A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules.
- Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic like viruses and hackers.
- A firewall can be hardware, software, or both.
- This is shown in Fig. 6.2.1.

6.2.1 Working of Firewall
- Firewalls carefully analyze incoming traffic based on pre-established rules and filter traffic coming from unsecured or suspicious sources to prevent attacks.
- Firewalls guard traffic at a computer's entry point, called ports, which is where information is exchanged with external devices.
- For example, "Source address 172.18.1.1 is allowed to reach destination 172.18.2.1 over port 22."
- Think of IP addresses as houses, and port numbers as rooms within the house. Only trusted people (source addresses) are allowed to enter the house (destination address) at all. Then it's further filtered so that people within the house are only allowed to access certain rooms (destination ports), depending on if they're the owner, a child, or a guest. The owner is allowed into any room (any port), while children and guests are allowed into a certain set of rooms (specific ports).

Fig. 6.2.1 : Firewall

6.2.2 Firewall Design Principles
- Information systems in companies, government agencies and other organizations have undergone a continuous evolution. Here are some noteworthy developments :
- Centralized data processing system, with a central mainframe supporting a number of terminals connected directly.
- PCs and terminals are connected to each other and to the mainframe through local area networks (LANs).
- Premises networks, consisting of a number of LANs that interconnect PCs, servers, and possibly a mainframe or two.
- Enterprise-wide network, consisting of multiple geographically dispersed premises networks that are linked by a private wide area network (WAN).
- Internet connectivity, in which all of the premises networks are linked to the Internet and may or may not be connected by a private WAN.
- The following are the design goals for a firewall :
- All traffic from inside to outside and vice versa must flow through the firewall. This is achieved by physically blocking all access to the local network except through the firewall.
- Only authorized traffic, as defined by the local security policy, will be allowed to pass through the firewall.
- Various types of firewalls are used, which implement various types of security policies.
- The firewall itself is impenetrable. This implies the use of a reliable system with a secure operating system.

6.2.3 Firewall Characteristics

Firewalls use four general techniques to manage access and implement the site's security policy, which are listed below:

(1) Service control: Determines whether inbound or outbound Internet resources can be accessed. The firewall can filter traffic based on IP address, protocol, or port number; provide proxy software that receives and interprets each service request before passing it on; or host the server software, such as a Web or mail service, itself.
(2) Direction control: Determines the direction in which specific service requests are permitted to be initiated and flow through the firewall.
(3) User control: Controls access to a service based on the user who is trying to use it. This functionality is usually only available to users who are within the firewall perimeter (local users). It can also be used to protect incoming traffic from external users, but this requires the use of secure authentication technologies like IPsec.
(4) Behavioral control: Controls how specific services are used. The firewall, for example, may filter e-mail to prevent spam, or it may allow external access to only a portion of the information on a local Web server.

Firewall strengths / capabilities

(1) They are excellent at enforcing corporate security policies.
(2) They are used to restrict access to specific services.
(3) The majority of firewalls can even provide selective access via authentication functionality.
(4) Firewalls are singular in purpose, so compromises do not need to be made between security and usability.
(5) They are excellent auditors.
(6) Firewalls are very good at alerting appropriate people of specified events.

Firewall weaknesses / limitations

(1) Firewalls cannot protect against what has been authorized.
(2) They cannot stop social engineering attacks or an unauthorized user intentionally using their access for unwanted purposes.
(3) Firewalls cannot fix poor administrative practices or poorly designed security policies.
(4) They cannot stop attacks if the traffic does not pass through them.
(5) They are only as effective as the rules they are configured to enforce.

6.2.4 Types of Firewalls

- A firewall may act as a packet filter.
- It can act as a positive filter, allowing only packets that meet certain criteria to pass through, or as a negative filter, refusing any packet that meets certain criteria.
- Depending on the type of firewall, each packet may be examined for one or more protocol headers, the payload, or the pattern created by a sequence of packets.
- The different configurations of firewalls explained in this section are shown in Fig. 6.2.2.

6.2.4(A) Packet Filtering Firewall

- As the most "basic" and oldest type of firewall architecture, packet filtering firewalls basically create a checkpoint at a traffic router or switch.
- A packet filtering firewall is a network security technique that is used to control data flow to and from a network.
- It is a security mechanism that allows the movement of packets across the network and controls their flow on the basis of a set of rules, protocols, IP addresses, and ports.
- The packet filtering firewall analyses the source and destination IP addresses, source and destination port numbers, and protocol IDs of IP packets as per an access control list (ACL). The firewall checks for this information in the IP, TCP, or UDP header, and then it decides to accept or drop the packet depending upon the ACL.
- The firewall can allow fragment-type packets after comparing the information with the ACL.
- Additionally, it has a default policy, set by the user, that is applied to packets that do not match any rule in the ACL:
- Default = discard: That which is not expressly permitted is prohibited.
- Default = forward: That which is not expressly prohibited is permitted.

Advantages

(1) It is fast because it operates on IP addresses and TCP/UDP port numbers alone, ignoring the data contents (payloads) of packets.
(2) Due to the fact that the packet payload is ignored, application independence exists.
(3) Less expensive than other types of firewalls.
(4) Packet filtering rules are relatively easy to configure.
(5) There are no configuration changes necessary to the protected workstations.

Disadvantages

(1) Packet filtering firewalls offer the least security because they allow a direct connection between endpoints through the firewall.
(2) There is no screening of packet payload available. It is impossible to block users from visiting web sites deemed off limits, for example.
(3) Logging of network traffic is limited to the IP addresses and port numbers available in the packet headers, and IP spoofing can penetrate this firewall.
(4) Complex firewall policies are difficult to implement using filtering rules alone.
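The ACL evaluation described in 6.2.4(A), and the "source 172.18.1.1 may reach 172.18.2.1 over port 22" rule from 6.2.1, worked as an added example (not from the textbook): a first-match packet filter over header fields only, with the two default policies. The rules, packets and field names are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # source network in CIDR form
    dst: str             # destination network in CIDR form
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # destination port, None = any port
    action: str          # "accept" or "drop"

    def matches(self, pkt: dict) -> bool:
        # Only IP/TCP/UDP header fields are consulted; pkt["payload"] is never read.
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))

# Constructed ACL: the textbook's rule (the "owner" reaching the SSH room),
# a LAN-wide rule for port 80 only ("guests"), and one negative-filter rule.
ACL = [
    Rule("172.18.1.1/32", "172.18.2.1/32", "tcp", 22, "accept"),
    Rule("172.18.1.0/24", "172.18.2.1/32", "tcp", 80, "accept"),
    Rule("0.0.0.0/0", "172.18.2.0/24", "tcp", 23, "drop"),
]

def filter_packet(pkt: dict, acl=ACL, default: str = "drop"):
    """First-match evaluation; returns (action, rule index) or (default, None)
    when no rule matches. default="drop" is 'default = discard', "accept" is
    'default = forward'."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return default, None

def header_log(pkt: dict, verdict: str) -> str:
    # What a packet filter can log: header fields only, never user or content.
    return f"{verdict} {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}"

# Constructed sample packets (payload included only to show it is ignored).
SAMPLE_PACKETS = [
    {"src": "172.18.1.1", "dst": "172.18.2.1", "proto": "tcp", "dport": 22, "payload": b"SSH-2.0"},
    {"src": "172.18.1.50", "dst": "172.18.2.1", "proto": "tcp", "dport": 22, "payload": b""},
    {"src": "10.0.0.5", "dst": "172.18.2.7", "proto": "tcp", "dport": 23, "payload": b""},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, idx = filter_packet(pkt)
        print(header_log(pkt, verdict), "(rule", idx, ")")
```

Running the same unmatched packet with default="accept" shows how much the choice of default policy alone changes the outcome; the ACL never learns who sent the packet, which is why a spoofed 172.18.1.1 source passes rule 0 just as the real host does.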