Chapter : 04
Computer Security Technology and Intrusion Detection
Marks = 24
4.1 Firewalls:
Need for Firewall, limitations, characteristics.
Types of Firewall : Hardware, Software, Packet filter, Proxy Server,
Hybrid, Application gateways, circuit level gateway, Implementing
Firewall.
4.2 Virtual Private Network: working, Kerberos – concept, security topologies:
Security zones, DMZ, Internet, Intranet, VLAN.
4.3 Intrusion Detection: Intrusion detection systems (IDS), host based IDS,
network based IDS, Honey pots.
4.4 Email security: Email security standards: Working principle of SMTP,
PEM, PGP, S/MIME.
4.5 IP security: overview, architecture, IPSec Configuration, IPSec Security.
Firewall Basics
With the growth of networks and the introduction of the Internet, companies became worried
about two types of access:
o how and what employees are accessing among outside resources, and
o how outsiders are accessing the company's own private data resources.

Fig. Company network without a firewall: the company network is connected to the Internet
through a plain router, so inside information may leak out and outside dangers may come in.


Encryption alone is not sufficient to provide protection in such an environment, because it
protects data in transit but does not control which connections are allowed at all; a better
scheme is needed to achieve protection, and this is where the firewall comes into the picture.

Fig. Company network protected with a firewall: the firewall sits between the company network
and the Internet, and all inside traffic and outside traffic passes through it.

“A firewall is a network security device that monitors all inside and outside traffic and
denies or accepts that traffic on the basis of predefined policies and rules.”
Characteristics of a firewall
1. All traffic from inside to outside and vice versa must pass through the firewall (there
must be no other path into the network).
2. Only traffic that follows the local security policy rules should be allowed.
3. The firewall itself must be strong enough to resist attacks directed at it, since it is
the single point of control and therefore an attractive target.
4. The firewall should provide a user-friendly environment for defining policies.

Limitations of Firewalls
1. It cannot protect against attacks that bypass the firewall, for example a modem or a
wireless link that connects an inside machine directly to the outside.
2. It does not protect against internal threats, such as a disgruntled employee who already
sits inside the perimeter.
3. It cannot fully protect the network from virus threats: because of the variety of
operating systems and application programs on an internal network, it is impractical for
the firewall to scan all incoming e-mails, messages and files for viruses.
Types of Firewalls
o Packet Filter
o Application Level Gateway
o Circuit Level Gateway
Packet filter firewall
● Applies a set of rules to each packet and, based on the outcome, decides either to
forward or to discard the packet.
● In a packet filter firewall, routers are configured to implement the firewall functionality.
● The default policy is either "default discard" (anything not explicitly allowed is
dropped, the safer choice) or "default accept" (anything not explicitly forbidden is
allowed), and a list of rules is applied on top of it.
● The rules are based on the fields of the IP and TCP/UDP headers, for example:
● source / destination IP address
● TCP/UDP port numbers
● the IP protocol field (TCP, UDP, ICMP)
● Consider a rule
"disallow all incoming traffic from the IP address 157.29.19.10"
To check this rule the packet filter firewall will look at the source IP address of each
incoming packet. Because the decision rests on a header field that the sender controls,
such a rule can be evaded by IP address spoofing, and a plain packet filter keeps no record
of connections, so it cannot tell a genuine reply from an unsolicited packet.
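As an added example, not part of the original notes: a small packet filter in Python that applies an ordered rule list with a default-discard policy to the header fields above. The rule list, the addresses and the Packet/Rule names are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed for the example)."""
    direction: str  # "in" (from the Internet) or "out" (to the Internet)
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is set agrees with the packet."""
    action: str                   # "accept" or "discard"
    direction: Optional[str] = None
    src: Optional[str] = None     # address or CIDR, e.g. "157.29.19.10" or "10.0.0.0/8"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "discard") -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy: block the address from the text, then allow only web and mail
# traffic into the company network, and let everything out.  Order matters: the
# discard rule must come before the accept rules, or the blocked host could still
# reach port 80.
RULES = [
    Rule("discard", direction="in", src="157.29.19.10"),
    Rule("accept", direction="in", proto="tcp", dport=80),
    Rule("accept", direction="in", proto="tcp", dport=25),
    Rule("accept", direction="out"),
]
```

`filter_packet(RULES, Packet("in", "157.29.19.10", "10.0.0.5", "tcp", 80))` returns "discard" because the first rule matches before the port-80 accept; an inbound packet to port 23 from any other host falls through to the default and is also discarded. The filter is only as trustworthy as the source address it reads, and it has no memory of connections.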
Application Gateway Firewall
Key points about the Application Level Gateway firewall:
• Such a firewall filters traffic at the application layer of the OSI model. It works as a
proxy: the user's connection ends at the gateway, which inspects the request and opens its
own connection to the real destination on the user's behalf.
• Incoming or outgoing packets cannot access services for which there is no proxy. For
example, an application level gateway that is configured only as a web proxy will not
allow any FTP, Telnet or other application level traffic through.
Fig. Application Gateway Firewall: an outside user reaches an inside user only through the
SMTP, HTTP, FTP and TELNET proxies running on the gateway.
VIRTUAL PRIVATE NETWORK (VPN)
“A VPN is a mechanism of employing encryption, authentication, and integrity
protection so that we can use a public network as if it is a private network.”

VPN Architecture
Suppose an organization has two networks, Network 1 and Network 2, which are physically
apart from each other, and we want to connect them using the VPN approach. In such a case we
set up two firewalls, Firewall 1 and Firewall 2, and the encryption and decryption are
performed by these firewalls. Network 1 connects to the Internet via Firewall 1 and Network 2
connects to the Internet via its own firewall, Firewall 2.

Fig. VPN Architecture


Working
Let us assume that host X on Network 1 wants to send a data packet to host Y on Network 2.
1) Host X creates the packet, inserting its own IP address as the source address and the IP
address of host Y as the destination address.
   [ Source IP address: X | Actual Data | Destination IP address: Y ]
2) The packet reaches Firewall 1. Firewall 1 adds a new outer header to the packet, so that
the source IP address seen on the Internet is no longer that of host X but Firewall 1's own
address, F1.
3) In the same outer header the destination IP address becomes that of Firewall 2, F2, rather
than that of host Y. Firewall 1 also encrypts and authenticates the original packet (the
step 1 header plus the actual data), depending on the settings, and sends the modified
packet over the Internet.
   [ Source IP: F1 | encrypted & authenticated ( IP of X | Actual Data | IP of Y ) | Destination IP: F2 ]
   Routers on the Internet see only F1 and F2; the real end hosts and the data are hidden.
4) The packet reaches Firewall 2 over the Internet, via routers. Firewall 2 checks the
authentication, discards the outer header and performs the appropriate decryption. It then
looks at the plaintext contents of the packet, realizes that the packet is meant for host Y,
and delivers it to host Y.
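As an added example, not part of the original notes, the four steps above carried out in Python for one packet. The firewall addresses, the pre-shared keys and the SHAKE-256 keystream used in place of a real cipher are assumptions of this illustration; the encrypt-then-MAC structure and the outer-header handling are what a real tunnel does.

```python
import hashlib
import hmac
import json
import os

# Pre-shared keys assumed to be configured on both firewalls (constructed values).
KEY_ENC = b"vpn-encryption-key-example"
KEY_MAC = b"vpn-authentication-key-example"
# Public addresses of Firewall 1 and Firewall 2 (RFC 5737 documentation ranges).
F1 = "198.51.100.1"
F2 = "203.0.113.1"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # SHAKE-256 as an extendable-output function gives a per-packet keystream;
    # a real VPN would use AES-GCM or similar, this only stands in for it.
    return hashlib.shake_256(key + nonce).digest(n)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encapsulate(inner: dict) -> dict:
    """Steps 2-3 at Firewall 1: encrypt and authenticate the whole original packet
    and wrap it in a new outer header addressed F1 -> F2."""
    plaintext = json.dumps(inner, sort_keys=True).encode()
    nonce = os.urandom(16)                                   # fresh per packet
    ciphertext = _xor(plaintext, _keystream(KEY_ENC, nonce, len(plaintext)))
    tag = hmac.new(KEY_MAC, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"src": F1, "dst": F2, "nonce": nonce.hex(),
            "payload": ciphertext.hex(), "tag": tag.hex()}


def decapsulate(outer: dict) -> dict:
    """Step 4 at Firewall 2: check the tag first, then decrypt and strip the outer header."""
    nonce = bytes.fromhex(outer["nonce"])
    ciphertext = bytes.fromhex(outer["payload"])
    expected = hmac.new(KEY_MAC, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(outer["tag"])):
        raise ValueError("authentication failed, packet dropped")
    return json.loads(_xor(ciphertext, _keystream(KEY_ENC, nonce, len(ciphertext))))


def send_x_to_y() -> tuple:
    """Runs the four steps for one packet: returns (what the Internet sees, what Y receives)."""
    inner = {"src": "10.1.0.5", "dst": "10.2.0.9", "data": "hello Y"}   # step 1 at host X
    outer = encapsulate(inner)                                           # steps 2-3 at Firewall 1
    delivered = decapsulate(outer)                                       # step 4 at Firewall 2
    return outer, delivered


def demo_tamper() -> bool:
    """Flip one bit of the ciphertext in transit; Firewall 2 must drop the packet."""
    outer = encapsulate({"src": "10.1.0.5", "dst": "10.2.0.9", "data": "hello Y"})
    ct = bytearray(bytes.fromhex(outer["payload"]))
    ct[0] ^= 0x01
    outer["payload"] = ct.hex()
    try:
        decapsulate(outer)
        return False
    except ValueError:
        return True
```

The outer packet carries only F1, F2 and opaque bytes, so the inner addresses 10.1.0.5 and 10.2.0.9 never appear on the Internet; the tag is verified before anything is decrypted, which is the order a real gateway follows.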
KERBEROS
Kerberos is a mechanism through which we can authenticate a user who wants to access
network resources. In one sentence:
“Kerberos is an authentication protocol that prevents unauthorized users from accessing
network resources.”

Four parties are involved in the Kerberos mechanism:
1. User (at a workstation)
2. Authentication Server (AS)
3. Ticket Granting Server (TGS)
4. Service Server
The AS and the TGS together form the Kerberos key distribution centre and share a database
of users and their keys.
1 : The user logs on to the workstation, which requests a ticket-granting ticket (TGT) from
the AS.
2 : The AS verifies the user's access rights in its database and creates a TGT and a
session key (session key 1). The result is encrypted using a key derived from the user's
password.
3 : The workstation prompts the user for the password and uses it to decrypt the incoming
message. It then sends the TGT together with an authenticator (the user's name and a
timestamp, encrypted with session key 1) to the TGS, requesting a service-granting ticket
(SGT) for the desired server.
4 : The TGS decrypts the TGT (with its own key) and the authenticator (with session key 1),
verifies the request, then creates a ticket (SGT) and session key 2 for the requested
server and returns them encrypted with session key 1.
5 : The workstation sends the SGT and a fresh authenticator (encrypted with session key 2)
to the service server.
6 : The service server decrypts the SGT with its own key, verifies the SGT and the
authenticator, and grants the service.
The password itself never travels over the network; only tickets and authenticators do, and
the timestamps in the authenticators limit how long a captured message can be replayed.

Fig : KERBEROS mechanism
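As an added example, not part of the original notes, the six steps above as a runnable Python model with the three server roles and a client. The user database, the long-term keys and the seal/unseal routine (a SHAKE-256 keystream plus HMAC, standing in for Kerberos' AES-based encryption types) are constructed for this illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed KDC database and long-term keys.  Real Kerberos derives the user key
# from the password with a salted string-to-key function; SHA-256 stands in here.
KDC_USERS = {"alice": hashlib.sha256(b"correct horse battery").digest()}
TGS_KEY = os.urandom(32)                       # shared by AS and TGS
SERVICE_KEYS = {"fileserver": os.urandom(32)}  # shared by TGS and each service server
MAX_SKEW = 300                                 # seconds an authenticator timestamp may be off


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object under key (toy cipher, see lead-in)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = _xor(pt, hashlib.shake_256(key + b"enc" + nonce).digest(len(pt)))
    tag = hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict) -> dict:
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(hmac.new(key + b"mac", nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("decryption failed: wrong key or tampered ticket")
    return json.loads(_xor(ct, hashlib.shake_256(key + b"enc" + nonce).digest(len(ct))))


def authentication_server(user: str, now: int) -> dict:
    """Steps 1-2: the AS looks the user up, mints session key 1 and a TGT, and returns
    both encrypted under the user's password-derived key."""
    k1 = os.urandom(32)
    tgt = seal(TGS_KEY, {"user": user, "key": k1.hex(), "expires": now + 8 * 3600})
    return seal(KDC_USERS[user], {"key": k1.hex(), "tgt": tgt})


def ticket_granting_server(tgt: dict, authenticator: dict, service: str, now: int) -> dict:
    """Step 4: the TGS decrypts the TGT with its own key, checks the authenticator with
    session key 1, then issues an SGT and session key 2 for the service."""
    t = unseal(TGS_KEY, tgt)
    if now > t["expires"]:
        raise PermissionError("TGT expired")
    k1 = bytes.fromhex(t["key"])
    a = unseal(k1, authenticator)
    if a["user"] != t["user"] or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator does not match ticket")
    k2 = os.urandom(32)
    sgt = seal(SERVICE_KEYS[service], {"user": t["user"], "service": service, "key": k2.hex()})
    return seal(k1, {"key": k2.hex(), "sgt": sgt})


def service_server(service: str, sgt: dict, authenticator: dict, now: int) -> dict:
    """Step 6: the service decrypts the SGT with its key and checks the authenticator."""
    s = unseal(SERVICE_KEYS[service], sgt)
    a = unseal(bytes.fromhex(s["key"]), authenticator)
    if a["user"] != s["user"] or s["service"] != service or abs(now - a["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator does not match ticket")
    return {"granted": True, "user": s["user"], "service": service}


def workstation_login(user: str, password: str, service: str, now: int = None) -> dict:
    """The client side: steps 1, 3 and 5.  The password never leaves the workstation."""
    now = int(time.time()) if now is None else now
    user_key = hashlib.sha256(password.encode()).digest()           # step 3: key from password
    as_reply = unseal(user_key, authentication_server(user, now))   # fails on a wrong password
    k1 = bytes.fromhex(as_reply["key"])
    tgs_reply = unseal(k1, ticket_granting_server(
        as_reply["tgt"], seal(k1, {"user": user, "ts": now}), service, now))
    k2 = bytes.fromhex(tgs_reply["key"])
    return service_server(service, tgs_reply["sgt"], seal(k2, {"user": user, "ts": now}), now)
```

A wrong password fails at the very first unseal on the workstation, before anything reaches the TGS; a replayed authenticator fails the MAX_SKEW check, and the service can read the SGT only because it shares its key with the TGS.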


Security Zones
The figure shows the four zones a web browser (here Internet Explorer) uses to decide how
much a website is trusted.
Internet Zone
This zone has all websites you haven't placed in any other zone.
Intranet Zone
This zone is for all websites found on your local intranet.
Trusted Sites Zone
This zone contains all websites that you trust not to damage your computer or your files.
Restricted Sites Zone
This zone is for websites that might damage your computer or your files.
Fig. Security tab in IE to set security zones
Demilitarized Zone (DMZ)
o In computer networks, a DMZ (demilitarized zone) is a computer host or small network
inserted as a "neutral zone" between a company's private network and the outside public
network. It prevents outside users from getting direct access to a server that holds
company data.
o A DMZ is an optional addition to a firewall design that makes it more secure; the DMZ host
commonly also acts as a proxy server for the inside users.
o In a typical DMZ configuration for a small company, a separate computer (a host, in network
terms) receives requests from users within the private network for access to websites or
other companies accessible on the public network. The DMZ host then initiates sessions for
these requests on the public network.
o Users of the public network outside the company can access only the DMZ host. The DMZ
typically also holds the company's web pages so that these can be served to the outside
world. However, the DMZ provides access to no other company data. In the event that an
outside user penetrated the DMZ host's security, the web pages might be corrupted but no
other company information would be exposed, provided the firewall between the DMZ and the
private network allows only the few connections the DMZ host legitimately needs.
Fig. Demilitarized Zone
Virtual LAN (VLAN)
VLANs allow a network manager to logically segment a LAN. Since this is a logical
segmentation and not a physical one, workstations do not have to be physically located
together. Users on different floors of the same building, or even in different buildings,
can belong to the same LAN. Traffic between two VLANs must pass through a router (or a
layer-3 switch), which is where firewall rules between the segments can be applied.

Fig : Concept of Virtual LAN

Types of VLAN (by how a station's membership is decided)
• Membership by Port: the switch port a station is plugged into is assigned to a VLAN.
• Membership by MAC: the station's MAC address is assigned to a VLAN, so it keeps its
membership wherever it is plugged in.
• Membership by Protocol: the layer-3 protocol type carried in the frame (e.g., IP, IPX)
decides the VLAN.
• Membership by IP: the station's IP subnet decides the VLAN.

Table 1 Membership by port numbers
Fig. Membership by MAC address
Fig. Membership by IP address
Fig. Membership by Protocol
INTRUSION DETECTION SYSTEM
An intrusion detection system (IDS) monitors network traffic or host activity for suspicious
events and alerts the system or network administrator. In some cases the IDS may also
respond to malicious traffic by taking action such as blocking the user or source IP address
from accessing the network (a system that does this inline is usually called an intrusion
prevention system, IPS).

An IDS has the following logical components:
1) Traffic collection: collects activity as events for the IDS to examine. On a host-based
IDS this can be log files, audit logs or traffic coming to or leaving the system. On a
network-based IDS this is typically a mechanism for copying the traffic of a network link
(a mirror/SPAN port or a network tap).
2) Analysis engine: examines the collected traffic and compares it to the known patterns of
suspicious or malicious activity stored in the signature database. The analysis engine acts
as the brain of the IDS.
3) Signature database: a collection of patterns and definitions of known suspicious or
malicious activity. A purely signature-based IDS cannot detect an attack that has no
signature yet, which is why many IDS also flag anomalies against a baseline of normal
behaviour.
4) User interface and reporting: interfaces with the human element, providing alerts when
suitable and giving the user a means to interact with and operate the IDS.
Fig. Intrusion Detection System
IDS are mainly divided into two categories:
1) Host-based IDS 2) Network-based IDS
1) A host-based IDS looks for certain activities in the log files, such as:
1. Logins at odd hours
2. Login authentication failures
3. Adding a new user account
4. Modification or access of critical system files
5. Modification or removal of binary files
6. Starting or stopping processes
7. Privilege escalation
8. Use of certain programs
Fig. Host based IDS
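As an added example, not part of the original notes, a host-based detector in Python that runs items 1, 2, 3 and 7 of the list above over a constructed syslog-style auth-log extract; the log lines, host names, addresses and thresholds are invented for this illustration.

```python
import re
from collections import Counter
from typing import List, Tuple

# Constructed auth-log extract in syslog format (not a real capture).
SAMPLE_LOG = """\
Mar 12 02:14:03 host sshd[812]: Accepted password for bob from 10.0.0.7 port 51234 ssh2
Mar 12 09:01:10 host sshd[901]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Mar 12 09:01:12 host sshd[901]: Failed password for admin from 203.0.113.5 port 40002 ssh2
Mar 12 09:01:15 host sshd[901]: Failed password for admin from 203.0.113.5 port 40003 ssh2
Mar 12 09:30:44 host useradd[950]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2
Mar 12 10:02:19 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar 12 11:15:00 host sshd[1001]: Accepted password for carol from 10.0.0.9 port 51300 ssh2
"""

LINE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[^:\[\s]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
USERADD = re.compile(r"new user: name=(?P<user>[^,]+)")
SUDO_ROOT = re.compile(r"^\s*(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")


def analyse(log: str, fail_threshold: int = 3, odd_hours=range(0, 6)) -> List[Tuple[str, str, str]]:
    """Return (alert kind, subject, detail) tuples for the activities in the list above."""
    alerts = []
    failures = Counter()              # (user, source) -> count of failed logins
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                  # unparseable line: skip rather than crash
        hour, msg = int(m["time"][:2]), m["msg"]
        a = ACCEPTED.search(msg)
        if a and hour in odd_hours:   # 1. logins at odd hours
            alerts.append(("odd-hour-login", a["user"], m["time"]))
        f = FAILED.search(msg)
        if f:                         # 2. authentication failures, alert once per burst
            key = (f["user"], f["src"])
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("auth-failure-burst", f["user"], f["src"]))
        u = USERADD.search(msg)
        if u:                         # 3. new user account
            alerts.append(("new-account", u["user"].strip(), m["time"]))
        s = SUDO_ROOT.match(msg)
        if s:                         # 7. privilege escalation to root
            alerts.append(("privilege-escalation", s["user"], s["cmd"].strip()))
    return alerts
```

On the sample log this yields four alerts in log order: bob's 02:14 login, the third failure for admin from 203.0.113.5, the backup2 account, and bob's sudo to a root shell; carol's 11:15 login is normal and produces nothing. Raising `fail_threshold` to 4 silences the burst alert, which is the knob to tune against the noise of ordinary typos.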

2) A network-based IDS looks for certain activities in the traffic, such as:
1. Denial of service attacks
2. Port scans or sweeps
3. Malicious content in the data payload of packet(s)
4. Vulnerability scanning
5. Trojans, viruses or worms
6. Tunneling
7. Brute force attacks
Fig. Network based IDS
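As an added example, not part of the original notes, a network-based detector in Python for items 2 and 3 of the list above, run over constructed packet summaries; the packet records, addresses, the signature database and the thresholds are invented for this illustration.

```python
from collections import defaultdict
from typing import List, Tuple

# Constructed packet summaries: (time in seconds, src, dst, dst port, first payload bytes).
PACKETS = [
    (0.0, "203.0.113.9", "10.0.0.5", 21, b""),
    (0.2, "203.0.113.9", "10.0.0.5", 22, b""),
    (0.4, "203.0.113.9", "10.0.0.5", 23, b""),
    (0.6, "203.0.113.9", "10.0.0.5", 25, b""),
    (0.8, "203.0.113.9", "10.0.0.5", 80, b""),
    (1.0, "203.0.113.9", "10.0.0.5", 443, b""),
    (2.0, "198.51.100.4", "10.0.0.5", 445, b""),
    (2.1, "198.51.100.4", "10.0.0.6", 445, b""),
    (2.2, "198.51.100.4", "10.0.0.7", 445, b""),
    (5.0, "10.0.0.8", "10.0.0.5", 80, b"GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1"),
    (6.0, "10.0.0.9", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
]

# Signature database: name -> byte pattern expected in a malicious payload.
SIGNATURES = {
    "directory-traversal": b"../..",
    "etc-passwd-access": b"/etc/passwd",
}


def detect(packets, scan_ports: int = 5, sweep_hosts: int = 3, window: float = 10.0) -> List[Tuple[str, str, str]]:
    """Port scan: one source touches >= scan_ports distinct ports on one host inside a
    time bucket of `window` seconds.  Port sweep: one source touches the same port on
    >= sweep_hosts hosts.  Signature: a payload contains a pattern from SIGNATURES."""
    alerts = []
    ports_by_target = defaultdict(set)   # (bucket, src, dst)   -> ports seen
    hosts_by_port = defaultdict(set)     # (bucket, src, dport) -> hosts seen
    for t, src, dst, dport, payload in packets:
        bucket = int(t // window)        # coarse bucketing, good enough for a demo
        ports_by_target[(bucket, src, dst)].add(dport)
        hosts_by_port[(bucket, src, dport)].add(dst)
        for name, pattern in SIGNATURES.items():
            if pattern in payload:
                alerts.append(("signature:" + name, src, dst))
    for (bucket, src, dst), ports in ports_by_target.items():
        if len(ports) >= scan_ports:
            alerts.append(("port-scan", src, f"{dst} ports={sorted(ports)}"))
    for (bucket, src, dport), hosts in hosts_by_port.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("port-sweep", src, f"port {dport} on {len(hosts)} hosts"))
    return alerts
```

The sample produces two signature hits for the same request (both patterns match it), one port-scan alert for 203.0.113.9 against 10.0.0.5, and one sweep alert for 198.51.100.4 probing port 445 across three hosts; the ordinary request for /index.html is silent. A real sensor would also need the copy of the link traffic described under traffic collection and would keep its counters across packets rather than per fixed bucket.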
Honey Pot
A relatively recent innovation in intrusion detection technology is the honeypot.
Honeypots are decoy systems that are designed to lure a potential attacker away from
critical systems. Because no legitimate user has any reason to touch a honeypot, any
traffic to it is suspicious by definition.
Honeypots are designed to:
• Divert an attacker from accessing critical systems.
• Collect information about the attacker's activity.
• Encourage the attacker to stay on the system long enough for administrators to respond.
SMTP (Simple Mail Transfer Protocol)
● SMTP defines the text commands and three-digit reply codes with which one mail server
hands an email message to another.
● It is a kind of shorthand that allows a server to break up the different parts of a
message into categories the other server can understand.
● Any email message has a sender, a recipient (or sometimes multiple recipients), a message
body, and usually a subject line.
● From the perspective of users, when they write an email message they see the slick
interface of their email software, but once that message goes out on the Internet
everything is turned into strings of text.
● This text is separated by code words or numbers that identify the purpose of each
section. SMTP provides those codes.
● The other purpose of SMTP is to set up the communication rules between servers: which
command may follow which, and how each side signals success or failure.
● Plain SMTP provides neither confidentiality nor authentication: the envelope addresses in
MAIL FROM and RCPT TO are whatever the sending side claims, which is why the PEM, PGP and
S/MIME standards below exist.
SMTP CODES
The first digit tells the client what kind of reply it is: 2xx success, 3xx more input is
needed, 4xx temporary failure (try again later), 5xx permanent failure (do not retry the
same command unchanged).
211 -- A system status or help reply.
214 -- Help message.
220 -- The server is ready.
221 -- The server is ending the conversation.
250 -- The requested action was completed.
251 -- The specified user is not local, but the server will forward the mail message.
354 -- This is the reply to the DATA command. After getting this, start sending the body of
the mail message, ending with "\r\n.\r\n".
421 -- The mail service is not available; the server is shutting down. Save the mail
message and try again later.
450 -- The mailbox that you are trying to reach is busy. Wait a little while and try again.
451 -- The requested action was not done. Some error occurred in the mail server.
452 -- The requested action was not done. The mail server ran out of system storage.
500 -- The last command contained a syntax error or the command line was too long.
501 -- The parameters or arguments in the last command contained a syntax error.
502 -- The mail server has not implemented the last command.
503 -- The last command was sent out of sequence. For example, you might have sent DATA
before sending RCPT.
504 -- One of the parameters of the last command has not been implemented by the server.
550 -- The mailbox that you are trying to reach can't be found, or you don't have access
rights.
551 -- The specified user is not local; the text of the reply contains a forwarding address
that the client should try instead.
552 -- The mailbox that you are trying to reach has run out of space. Store the message and
try again tomorrow or in a few days, after the user gets a chance to delete some messages.
553 -- The mail address that you specified was not syntactically correct.
554 -- The mail transaction has failed for unknown causes.
Fig. Email transfer using SMTP: the sender's SMTP client talks to the receiver's SMTP server
using the exchange shown below; the receiver later fetches the delivered message from its
POP server.
EXAMPLE OF SMTP MAIL TRANSFER
S: 220 gmail.com Simple Mail Transfer Service Ready
C: HELO yahoo.com
S: 250 gmail.com Hello yahoo.com
C: MAIL FROM:<Atul@yahoo.com>
S: 250 OK
C: RCPT TO:<john@gmail.com>
S: 250 OK
C: DATA
S: 354 Start mail input; end with <CR><LF>.<CR><LF>
C: (typed message: headers, a blank line, then the content, one line at a time)
C: .
S: 250 OK
C: QUIT
S: 221 gmail.com Service closing transmission channel
(S = server replies, C = client commands. One RCPT TO: line is sent for each additional
recipient before DATA.)
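As an added example, not part of the original notes, a receiver-side SMTP state machine in Python that replies to the exchange above with the codes from the list (250, 354, 221) and rejects out-of-sequence commands with 503, bad arguments with 501 and relaying to foreign domains with 550. The domain names and the simplified address syntax are assumptions of this illustration, and the class is not a complete RFC 5321 implementation.

```python
import re
from typing import List, Optional

PATH = re.compile(r"(FROM|TO):\s*<([^<>\s]+@[^<>\s]+)>\s*$", re.IGNORECASE)


class SmtpSession:
    """Receiver-side SMTP state machine; local_domain is the only domain it accepts mail for."""

    def __init__(self, local_domain: str = "gmail.com"):
        self.domain = local_domain
        self.state = "connected"     # connected -> ready -> mail -> rcpt -> data -> ready
        self.sender, self.rcpts, self.body = None, [], []
        self.delivered = []          # (sender, recipients, message text)

    def greeting(self) -> str:
        return f"220 {self.domain} Simple Mail Transfer Service Ready"

    def handle(self, line: str) -> Optional[str]:
        if self.state == "data":                      # collecting the message body
            if line == ".":                           # <CRLF>.<CRLF> ends the input
                self.delivered.append((self.sender, list(self.rcpts), "\r\n".join(self.body)))
                self.sender, self.rcpts, self.body, self.state = None, [], [], "ready"
                return "250 OK"
            self.body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None                               # no reply until the terminating dot
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.state = "ready"
            return f"250 {self.domain} Hello {arg}"
        if cmd == "MAIL":
            if self.state == "connected":
                return "503 Bad sequence of commands: send HELO first"
            m = PATH.match(arg)
            if not m or m.group(1).upper() != "FROM":
                return "501 Syntax: MAIL FROM:<address>"
            self.sender, self.rcpts, self.state = m.group(2), [], "mail"
            return "250 OK"
        if cmd == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 Bad sequence of commands: send MAIL first"
            m = PATH.match(arg)
            if not m or m.group(1).upper() != "TO":
                return "501 Syntax: RCPT TO:<address>"
            if not m.group(2).lower().endswith("@" + self.domain):
                return "550 Relaying denied"          # refuse to act as an open relay
            self.rcpts.append(m.group(2))
            self.state = "rcpt"
            return "250 OK"
        if cmd == "DATA":
            if self.state != "rcpt":
                return "503 Bad sequence of commands: send RCPT first"
            self.state = "data"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if cmd == "QUIT":
            self.state = "closed"
            return f"221 {self.domain} Service closing transmission channel"
        return "500 Syntax error, command unrecognized"


def run_transcript(client_lines: List[str]) -> List[str]:
    """Feed the client side of an exchange to a fresh session; return the server replies."""
    session = SmtpSession()
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies
```

Note that the server accepts any MAIL FROM address without checking it: that is the plain-SMTP behaviour the email security standards below are meant to compensate for. The 550 on foreign recipients is the one policy check a receiving server must make so it is not usable as an open relay for spam.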
PGP (Pretty Good Privacy)
PGP is an email security package which provides the following security services:
● Authentication
● Confidentiality
● Compression
● Email compatibility
● Segmentation and reassembly
● PGP comes in two public key versions: Rivest-Shamir-Adleman (RSA) and Diffie-Hellman.
The RSA version, for which PGP had to pay a license fee to RSA, uses the IDEA algorithm
with a short (session) key to encrypt the entire message and RSA to encrypt that session
key. The Diffie-Hellman version uses the CAST algorithm with the session key to encrypt
the message and the Diffie-Hellman (ElGamal) algorithm to encrypt the session key.
HOW PGP WORKS
1. Authentication: the message is hashed (SHA-1) and the hash code is encrypted with the
sender's private key (DSS/RSA) to produce the digital signature (DS), which is attached to
the message.
2. Compression: message plus DS are compressed with ZIP.
3. Confidentiality: the compressed block is encrypted with a one-time symmetric secret key
(CAST-128, IDEA or 3DES); the secret key itself is encrypted with the receiver's public key
and sent along with the message.
4. Email compatibility: the whole binary result is converted to printable ASCII with
Radix-64 before it goes to the receiver.
The receiver reverses the steps: Radix-64 decode, recover the secret key with its private
key, decrypt, decompress, then verify the DS with the sender's public key.
Fig. How PGP works
PEM (Privacy Enhanced Mail)
• PEM is an email security standard adopted by the Internet Architecture Board (IAB) to
provide secure email communication over the Internet.
• PEM is described in four specification documents, RFC 1421 to RFC 1424.
• PEM provides the confidentiality, non-repudiation and message integrity security
services.

HOW PEM WORKS
PEM processes an outgoing message in four steps:
1. Canonical conversion
2. Digital signature
3. Encryption
4. Base-64 encoding
PEM allows three security options when sending an email message. These options are:
o Signature only (steps 1 & 2)
o Signature and Base-64 encoding (steps 1, 2 & 4)
o Signature, encryption and Base-64 encoding (steps 1 to 4)

Fig PEM operations


Step 1: canonical conversion
There is a distinct possibility that the sender and the receiver of an email message use
computers that have different architectures and operating systems. PEM transforms each
email message into an abstract, canonical representation. This means that regardless of the
architecture and the operating system of the sending and receiving computers, the email
travels in a uniform, machine-independent format, so that both sides compute the signature
over exactly the same bytes. The clearest case is the line ending, which differs per
platform (PEM's canonical form uses CR LF):

Operating System                                  Newline character(s)
Microsoft Windows / MS-DOS                        0Dh 0Ah (CR LF)
Apple Macintosh OS 9 and earlier                  0Dh     (CR)
Unix (e.g., Linux), also Apple OS X and later     0Ah     (LF)

Step 2: digital signature
It starts by creating a message digest (MD) of the email message using an algorithm such as
MD2 or MD5. (Both are considered broken today; a modern implementation would use SHA-2.)
The MD thus created is then encrypted with the sender's private key to form the sender's
digital signature.

Step 3: encryption
The original email and the digital signature are encrypted together with a symmetric key
(DES in CBC mode in the PEM RFCs); the symmetric key is in turn sent to the receiver
encrypted with the receiver's public key.

Step 4: Base-64 encoding
This process transforms arbitrary binary input into printable character output. The binary
input is processed in blocks of 3 octets, or 24 bits. These 24 bits are considered to be
made up of 4 sets, each of 6 bits. Each such set of 6 bits is mapped to one printable
character (sent as an 8-bit byte), so every 3 input bytes become 4 output characters, a
33% expansion; a final block of 1 or 2 octets is padded and marked with "=" characters.
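As an added example, not part of the original notes, Python for PEM steps 1 and 4 (canonical conversion and Base-64 encoding), which is the same Radix-64 conversion PGP uses for email compatibility. The digest is computed with SHA-256 instead of MD2/MD5 as an assumption of this illustration; steps 2 and 3 need key pairs and are omitted.

```python
import base64
import hashlib
import textwrap

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def canonicalize(text: str) -> bytes:
    """Step 1: rewrite every platform newline (CRLF, CR or LF) as CRLF so sender and
    receiver hash and sign exactly the same bytes."""
    return text.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\r\n").encode("utf-8")


def message_digest(canonical: bytes) -> str:
    """Input to step 2: the MD that the signature is computed over (SHA-256 here, an
    assumption; the PEM RFCs named MD2/MD5)."""
    return hashlib.sha256(canonical).hexdigest()


def radix64_encode(data: bytes) -> str:
    """Step 4: 3 octets (24 bits) -> four 6-bit values -> 4 printable characters."""
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        missing = 3 - len(block)                     # 1 or 2 only in a short last block
        n = int.from_bytes(block + b"\0" * missing, "big")
        chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:4 - missing]) + "=" * missing)
    return "".join(out)


def radix64_decode(text: str) -> bytes:
    """Reverse of radix64_encode; whitespace (line wrapping) is ignored."""
    text = "".join(text.split())
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        n = 0
        for c in quad:
            n = (n << 6) | (0 if c == "=" else DECODE[c])
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def armor(data: bytes, width: int = 64) -> str:
    """PEM wraps the encoded text in lines of 64 characters."""
    return "\n".join(textwrap.wrap(radix64_encode(data), width))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written encoder against the standard library."""
    return radix64_encode(data) == base64.b64encode(data).decode("ascii")
```

`radix64_encode(b"Man")` gives "TWFu" (24 bits split as 010011 010110 000101 101110), and a lone byte b"M" gives "TQ==", the padding marking that two octets were missing in the last block. Canonicalization matters because a message edited on Windows (CR LF) and verified on Unix (LF) would otherwise hash differently and the signature would fail.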
S/MIME (Secure/Multipurpose Internet Mail Extension)

S/MIME is a security enhancement to the MIME Internet e-mail format standard, based on
technology from RSA Data Security.
MIME is an extension to SMTP mail that allows non-ASCII data (binary attachments, other
character sets) to be transferred by defining the following headers: MIME-Version,
Content-Type, Content-Transfer-Encoding, Content-ID and Content-Description.

Fig. MIME Header

PROCESS OF S/MIME PROTOCOL
IP Security (IPSec)
IPSec Overview
IPSec is a capability that is added to the IP protocol (IPv4, IPv6) by means of extra
headers, to defeat the following attacks at the network layer:
– Replay attack (an old packet is captured and re-sent)
– Authentication attack (the source of the packet is forged)
– Integrity attack (the packet is modified in transit)
– Confidentiality attack (the packet contents are read in transit)
Fig. Position of IPSec in the TCP/IP model: Application / Transport / IPSec / Internet /
Data Link / Physical

The IPSec header is placed between the IP header and the data:
[ IP Header | IPSec Header (AH or ESP) | DATA ]

Authentication Header
Fig. Authentication Header in IPSec

Next Header (8 bits) identifies the type of the next payload after the Authentication
Header.
Payload Length (8 bits) is the length of the AH in 32-bit words, minus 2.
Reserved (16 bits) is set to zero.
Security Parameters Index (32 bits) identifies the security association the packet belongs
to.
Sequence Number (32 bits) is a monotonically increasing counter assigned by the sender to
each outgoing packet on the security association; the receiver uses it for anti-replay
protection.
Authentication Data (variable length) is the integrity check value computed over the packet
(the immutable IP header fields, the AH itself and the payload), used to check
authentication and integrity. AH provides no confidentiality.
IPsec ESP Format
• Security Parameters Index (32 bits): Identifies a security association.
• Sequence Number (32 bits): A monotonically increasing counter value, used for anti-replay.
• Payload Data (variable): This is a transport-level segment (transport mode) or IP packet
(tunnel mode) that is protected by encryption.
• Padding (0–255 bytes): May be required if the encryption algorithm requires the plaintext
to be a multiple of some number of octets, and in any case to align the Pad Length and
Next Header fields to the end of a 4-byte word.
• Pad Length (8 bits): Indicates the number of pad bytes immediately preceding this field.
• Next Header (8 bits): Identifies the type of data contained in the Payload Data field by
identifying the first header in that payload (e.g., an extension header in IPv6, or an
upper-layer protocol such as TCP).
• ESP Authentication Data: A variable-length field (must be an integral number of 32-bit
words) that contains the integrity check value computed over the ESP packet minus the
Authentication Data field.
The Payload Data, Padding, Pad Length and Next Header fields are the encrypted part; the
SPI and Sequence Number are sent in clear so the receiver can find the security association
and run the anti-replay check before decrypting. ESP should be used with its Authentication
Data present: encryption without an integrity check leaves the ciphertext open to undetected
manipulation.
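As an added example, not part of the original notes, Python that lays out and parses an ESP packet with the fields above, computes the ICV over the ESP packet minus the Authentication Data field, and applies the receiver's anti-replay window to the Sequence Number. NULL encryption (RFC 2410) is used so that the field layout stays visible, and the ICV is HMAC-SHA-256 truncated to 128 bits as in RFC 4868; the key, SPI and payload are constructed for this illustration.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16   # HMAC-SHA-256-128: the 256-bit MAC truncated to 128 bits (RFC 4868)
ALIGN = 4      # with NULL encryption the trailer must end on a 4-byte boundary


def esp_build(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """Lay out SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.
    Encryption is NULL (payload in clear) so the layout is visible; the ICV covers
    everything except itself."""
    pad_len = (-(len(payload) + 2)) % ALIGN          # make payload+padding+2 a multiple of 4
    padding = bytes(range(1, pad_len + 1))           # default padding pattern 1, 2, 3, ... (RFC 4303)
    header = struct.pack("!II", spi, seq)
    body = payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_parse(packet: bytes, key: bytes) -> dict:
    """Verify the ICV first, then walk the trailer backwards to recover the payload."""
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV check failed: packet dropped")
    spi, seq = struct.unpack("!II", header)
    pad_len, next_header = body[-2], body[-1]
    payload = body[:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


class ReplayWindow:
    """Receiver-side anti-replay check on the Sequence Number (RFC 4303 sliding window)."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0   # bit 0 of bitmap stands for self.top

    def accept(self, seq: int) -> bool:
        if seq == 0:                                   # 0 is never sent on a valid SA
            return False
        if seq > self.top:                             # new highest: slide the window up
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                        # older than the window: drop
            return False
        if (self.bitmap >> offset) & 1:                # already seen: replay, drop
            return False
        self.bitmap |= 1 << offset
        return True


def receive(packet: bytes, key: bytes, window: ReplayWindow) -> dict:
    """What an ESP receiver does per packet: integrity check, then anti-replay check."""
    fields = esp_parse(packet, key)
    if not window.accept(fields["seq"]):
        raise ValueError("replayed or stale sequence number: packet dropped")
    return fields
```

An 11-byte payload gets 3 bytes of padding so that payload, padding and the two trailer bytes total 16, a multiple of 4; the receiver reads Pad Length from the end to find where the payload stops. Re-delivering the same packet passes the ICV check but fails the window, which is exactly the replay attack listed in the overview.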