Unit 3-2

Network security involves protecting computer networks from unauthorized access and attacks through various tools and policies to ensure data security. It encompasses different types of security violations, including passive and active attacks, with examples illustrating how sensitive information can be intercepted or altered. Additionally, the document discusses malicious software, such as viruses and Trojan horses, and their impact on network security.


What is security in network?

Network security is the practice of protecting a computer network from
unauthorized access, misuse, or attacks. It involves using tools, technologies, and policies to
ensure that data traveling over the network is safe and secure, keeping sensitive information
away from hackers and other threats.

Network Security - measures to protect data during their transmission

EXAMPLES OF SECURITY VIOLATIONS

1. User A transmits a file to user B. The file contains
sensitive information (e.g., payroll records) that is to be protected
from disclosure. User C, who is not authorized to read the file, is able
to monitor the transmission and capture a copy of the file during its
transmission.

Fig 1.1 Example 1

2. A network manager, D, transmits a message to a computer, E, under its
management. The message instructs computer E to update an authorization file to include the
identities of a number of new users who are to be given access to that computer. User F
intercepts the message, alters its contents to add or delete entries, and then forwards the
message to E, which accepts the message as coming from manager D and updates its
authorization file accordingly.

Fig 1.2 Example 2

3. Rather than intercept a message, user F constructs its own message with
the desired entries and transmits that message to E as if it had come from manager D.
Computer E accepts the message as coming from manager D and updates its authorization
file accordingly.
4. A message is sent from a customer to a stockbroker with instructions for
various transactions. Subsequently, the investments lose value and the customer denies
sending the message.
Although this list by no means exhausts the possible types of security
violations, it illustrates the range of concerns of network security.

Security Attacks

Threat
A potential for violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause harm. That is, a threat is a
possible danger that might exploit a vulnerability.

Attack
An assault on system security that derives from an intelligent threat. That is, an
intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a system.
Security attack: Any action that compromises the security of information owned by an
organization.

A useful means of classifying security attacks is in terms of passive attacks and active
attacks. A passive attack attempts to learn or make use of information from the system but
does not affect system resources. An active attack attempts to alter system resources or affect
their operation.

Passive Attacks
Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions
as shown in Fig 1.4. The goal of the opponent is to obtain information that is being
transmitted. Two types of passive attacks are the release of message contents and traffic
analysis.

Fig 1.4 Passive Attacks

The release of message contents is easily understood (Figure 1.5). A telephone
conversation, an electronic mail message, and a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of
these transmissions.
Fig 1.5 Release of Message

A second type of passive attack, traffic analysis, is subtler (Figure 1.6). Suppose that
we had a way of masking the contents of messages or other information traffic so that
opponents, even if they captured the message, could not extract the information from the
message. The common technique for masking contents is encryption.

Fig 1.6 Traffic analysis

Passive attacks are very difficult to detect, because they do not involve any alteration
of the data. Typically, the message traffic is sent and received in an apparently normal
fashion, and neither the sender nor the receiver is aware that a third party has read the
messages or observed the traffic pattern. However, it is feasible to prevent the success of
these attacks, usually by means of encryption. Thus, the emphasis in dealing with passive
attacks is on prevention rather than detection.

Active Attacks

Active attacks involve some modification of the data stream or the creation of a false
stream and can be subdivided into four categories: masquerade, replay, modification of
messages, and denial of service.

A masquerade takes place when one entity pretends to be a different entity (Figure
1.7). A masquerade attack usually includes one of the other forms of active attack. For
example, authentication sequences can be captured and replayed after a valid authentication
sequence has taken place, thus enabling an authorized entity with few privileges to obtain
extra privileges by impersonating an entity that has those privileges.

Replay involves the passive capture of a data unit and its subsequent retransmission to
produce an unauthorized effect (Figure 1.8).

Modification of messages simply means that some portion of a legitimate message is
altered, or that messages are delayed or reordered, to produce an unauthorized effect (Figure
1.9). For example, a message meaning “Allow John Smith to read confidential file accounts”
is modified to mean “Allow Fred Brown to read confidential file accounts.”

The denial of service prevents or inhibits the normal use or management of
communications facilities (Figure 1.10). This attack may have a specific target; for example,
an entity may suppress all messages directed to a particular destination (e.g., the security
audit service). Another form of service denial is the disruption of an entire network—either
by disabling the network or by overloading it with messages so as to degrade performance.

Security aspects come into play when it is necessary or desirable to protect the
information transmission from an opponent who may present a threat to confidentiality,
authenticity, and so on. All of the techniques for providing security have two components:

• A security-related transformation on the information to be sent. Examples include the
encryption of the message, which scrambles the message so that it is unreadable by the
opponent, and the addition of a code based on the contents of the message, which can be used
to verify the identity of the sender.
• Some secret information shared by the two principals and, it is hoped, unknown to the
opponent. An example is an encryption key used in conjunction with the transformation to
scramble the message before transmission and unscramble it on reception.
Fig 1.7 Masquerade

Fig 1.8 Replay

Fig 1.9 Modification of messages
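As an added example (not part of the lecture notes), the two components named above applied to the authorization-update scenario of Examples 2 and 3: a secret key shared by manager D and computer E, and a code (here an HMAC) computed over the message contents, with a sequence number so that a replayed data unit is recognised. The message strings follow the text; the key handling, sequence scheme and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def protect(key: bytes, seq: int, body: str) -> bytes:
    """Sender side (manager D). Prefix the message with a sequence number and
    append an HMAC-SHA256 tag computed over both. The tag is the "code based
    on the contents of the message"; the sequence number gives the receiver a
    way to recognise a retransmitted data unit. (Constructed framing.)"""
    frame = f"{seq}|{body}".encode()
    tag = hmac.new(key, frame, hashlib.sha256).hexdigest()
    return frame + b"|" + tag.encode()


class Receiver:
    """Receiver side (computer E). Holds the shared secret and the highest
    sequence number accepted so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []

    def accept(self, wire: bytes) -> str:
        """Return "ok" for a genuine, fresh message; otherwise name the
        active attack that was detected. The body must not contain "|"."""
        try:
            seq_str, body, tag = wire.decode().split("|")
            seq = int(seq_str)
        except ValueError:
            return "malformed"
        frame = f"{seq}|{body}".encode()
        expected = hmac.new(self.key, frame, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak the tag bytewise.
        if not hmac.compare_digest(expected, tag):
            return "modification or masquerade"
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        self.accepted.append(body)
        return "ok"


def demo() -> dict:
    """Run the genuine message and the three active attacks from the text
    against one receiver and return the verdict for each."""
    key = os.urandom(32)          # the secret shared by D and E, unknown to F
    e = Receiver(key)
    results = {}
    genuine = protect(key, 1, "Allow John Smith to read confidential file accounts")
    results["genuine"] = e.accept(genuine)
    # Modification: F alters the body but cannot recompute a valid tag.
    tampered = genuine.replace(b"John Smith", b"Fred Brown")
    results["modified"] = e.accept(tampered)
    # Replay: F retransmits the captured genuine data unit unchanged.
    results["replayed"] = e.accept(genuine)
    # Masquerade: F builds a message of its own under a key it had to guess.
    forged = protect(os.urandom(32), 2, "Allow Fred Brown to read confidential file accounts")
    results["forged"] = e.accept(forged)
    results["authorization_file"] = list(e.accepted)
    return results
```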

Malicious Software: The most sophisticated types of threats to computer systems are
presented by programs that exploit vulnerabilities in computing systems. Such threats
are referred to as malicious software, or malware. In this context, we are concerned
with threats to application programs as well as utility programs, such as editors and
compilers, and kernel-level programs.

Malicious software is software that is intentionally
included or inserted in a system for a harmful purpose.
Malicious software can be divided into two categories: those that need a host program, and
those that are independent.
• The former, referred to as parasitic, are essentially fragments of programs that cannot
exist independently of some actual application program, utility, or system program.
Viruses, logic bombs, and backdoors are examples.
• Independent malware is a self-contained program that can be scheduled and run by
the operating system. Worms and bot programs are examples.

Backdoor:
A backdoor, also known as a trapdoor, is a secret entry point into a program that allows
someone who is aware of the backdoor to gain access without going through the usual
security access procedures. Programmers have used backdoors legitimately for many years to
debug and test programs; such a backdoor is called a maintenance hook. This usually is done
when the programmer is developing an application that has an authentication procedure, or a
long setup, requiring the user to enter many different values to run the application. To debug
the program, the developer may wish to gain special privileges or to avoid all the necessary
setup and authentication. Backdoors become threats when unscrupulous programmers use
them to gain unauthorized access. It is difficult to implement operating system controls for
backdoors. Security measures must focus on the program development and software update
activities.
Logic Bomb:
One of the oldest types of program threat, predating viruses and worms, is the logic bomb.
The logic bomb is code embedded in some legitimate program that is set to “explode” when
certain conditions are met. Examples of conditions that can be used as triggers for a logic
bomb are the presence or absence of certain files, a particular day of the week or date, or a
particular user running the application. Once triggered, a bomb may alter or delete data or
entire files, cause a machine halt, or do some other damage.
Table 5.1 Terminology of Malicious Programs

Virus: Malware that, when executed, tries to replicate itself into other executable code; when it succeeds the code is said to be infected. When the infected code is executed, the virus also executes.
Worm: A computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network.
Logic Bomb: A program inserted into software by an intruder. A logic bomb lies dormant until a predefined condition is met; the program then triggers an unauthorized act.
Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the Trojan horse program.
Backdoor (trapdoor): Any mechanism that bypasses a normal security check; it may allow unauthorized access to functionality.
Mobile code: Software (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics.
Exploits: Code specific to a single vulnerability or set of vulnerabilities.
Downloaders: Program that installs other items on a machine that is under attack. Usually, a downloader is sent in e-mail.
Auto-rooter: Malicious hacker tools used to break into new machines remotely.
Kit (virus generator): Set of tools for generating new viruses automatically.
Spammer programs: Used to send large volumes of unwanted e-mail.
Flooders: Used to attack networked computer systems with a large volume of traffic to carry out a denial-of-service (DoS) attack.
Keyloggers: Captures keystrokes on a compromised system.
Rootkit: Set of hacker tools used after an attacker has broken into a computer system and gained root-level access.
Zombie, Bot: Program activated on an infected machine to launch attacks on other machines.
Spyware: Software that collects information from a computer and transmits it to another system.
Adware: Advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.
Trojan Horses:
A Trojan horse is a useful, or apparently useful, program or command procedure containing
hidden code that, when invoked, performs some unwanted or harmful function. Trojan horse
programs can be used to accomplish functions indirectly that an unauthorized user could not
accomplish directly. For example, to gain access to the files of another user on a shared
system, a user could create a Trojan horse program that, when executed, changes the invoking
user’s file permissions so that the files are readable by any user.
Another common motivation for the Trojan horse is data destruction. The program appears to
be performing a useful function (e.g., a calculator program), but it may also be quietly
deleting the user’s files.
Trojan horses fit into one of three models:
• Continuing to perform the function of the original program and additionally
performing a separate malicious activity
• Continuing to perform the function of the original program but modifying the function
to perform malicious activity
• Performing a malicious function that completely replaces the function of the original
program.

Viruses:
A computer virus is a piece of software that can “infect” other programs by modifying them;
the modification includes injecting the original program with a routine to make copies of the
virus program, which can then go on to infect other programs. A virus can do anything that
other programs do. The difference is that a virus attaches itself to another program and
executes secretly when the host program is run. Once a virus is executing, it can perform any
function that is allowed by the privileges of the current user, such as erasing files and
programs. In the IT industry, an unconventional expansion of the acronym “virus” is Vital
Information Resources Under Siege.
A computer virus has three parts:
• Infection mechanism: The means by which a virus spreads, enabling it to replicate. The
mechanism is also referred to as the infection vector.
• Trigger: The event or condition that determines when the payload is activated or
delivered.
• Payload: What the virus does, besides spreading. The payload may involve damage or
may involve benign but noticeable activity.

During its lifetime, a typical virus goes through the following four phases:
• Dormant phase: The virus is idle. The virus will eventually be activated by some
event, such as a date, the presence of another program or file, or the capacity of the
disk exceeding some limit. Not all viruses have this stage.
• Propagation phase: The virus places a copy of itself into other programs or into certain
system areas on the disk. The copy may not be identical to the propagating version;
viruses often morph to evade detection. Each infected program will now contain a
clone of the virus, which will itself enter a propagation phase.
• Triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a variety of
system events, including a count of the number of times that this copy of the virus has
made copies of itself.
• Execution phase: The function is performed. The function may be harmless, such as a
message on the screen, or damaging, such as the destruction of programs and data files.
Most viruses carry out their work in a manner that is specific to a particular operating
system and, in some cases, specific to a particular hardware platform. Thus, they are
designed to take advantage of the details and weaknesses of particular systems.
Virus Classification
There has been a continuous arms race between virus writers and writers of antivirus software
since viruses first appeared. As effective countermeasures are developed for existing types of
viruses, newer types are developed. There is no simple or universally agreed upon
classification scheme for viruses. In this section, we classify viruses along two orthogonal
axes: the type of target the virus tries to infect and the method the virus uses to conceal itself
from detection by users and antivirus software. A virus classification by target includes the
following categories:
• Boot sector infector: Infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.
• File infector: Infects files that the operating system or shell consider to be executable.
• Macro virus: Infects files with macro code that is interpreted by an application.

A virus classification by concealment strategy includes the following categories:

• Encrypted virus: A typical approach is as follows. A portion of the virus creates a
random encryption key and encrypts the remainder of the virus. The key is stored with
the virus. When an infected program is invoked, the virus uses the stored random key to
decrypt the virus. When the virus replicates, a different random key is selected. Because
the bulk of the virus is encrypted with a different key for each instance, there is no
constant bit pattern to observe.
• Stealth virus: A form of virus explicitly designed to hide itself from detection by
antivirus software. Thus, the entire virus, not just the payload, is hidden.
• Polymorphic virus: A virus that mutates with every infection, making detection by the
“signature” of the virus impossible.
• Metamorphic virus: As with a polymorphic virus, a metamorphic virus mutates with
every infection. The difference is that a metamorphic virus rewrites itself completely at
each iteration, increasing the difficulty of detection. Metamorphic viruses may change
their behaviour as well as their appearance.

Virus Kits
Another weapon in the virus writers’ armory is the virus-creation toolkit. Such a toolkit
enables a relative novice to quickly create a number of different viruses. Although viruses
created with toolkits tend to be less sophisticated than viruses designed from scratch, the sheer
number of new viruses that can be generated using a toolkit creates a problem for antivirus
schemes.
E-Mail Viruses
A more recent development in malicious software is the e-mail virus. The first rapidly
spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in
an attachment. If the recipient opens the e-mail attachment, the Word macro is activated. Then:
• The e-mail virus sends itself to everyone on the mailing list in the user’s e-mail
package.
• The virus does local damage on the user’s system.
In 1999, a more powerful version of the e-mail virus appeared. This newer version can be
activated merely by opening an e-mail that contains the virus rather than opening an
attachment. The virus uses the Visual Basic scripting language supported by the e-mail
package.
It arrives via e-mail and uses e-mail software features to replicate itself across the Internet.
The virus propagates itself as soon as it is activated (either by opening an e-mail attachment
or by opening the e-mail) to all of the e-mail addresses known to the infected host. This
makes it very difficult for antivirus software to respond before much damage is done.
Ultimately, a greater degree of security must be built into Internet utility and application
software on PCs to counter the growing threat.

Antivirus Approaches
The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the
system in the first place, or block the ability of a virus to modify any files containing
executable code or macros. This goal is, in general, impossible to achieve, although
prevention can reduce the number of successful viral attacks. The next best approach is to be
able to do the following:
• Detection: Once the infection has occurred, determine that it has occurred and locate the
virus.
• Identification: Once detection has been achieved, identify the specific virus that has infected
a program.
• Removal: Once the specific virus has been identified, remove all traces of the virus from the
infected program and restore it to its original state. Remove the virus from all infected
systems so that the virus cannot spread further.
If detection succeeds but either identification or removal is not possible, then the alternative is
to discard the infected file and reload a clean backup version. Advances in virus and antivirus
technology go hand in hand. Early viruses were relatively simple code fragments and could be
identified and purged with relatively simple antivirus software packages. As the virus arms
race has evolved, both viruses and, necessarily, antivirus software have grown more complex
and sophisticated.
• First generation: simple scanners
• Second generation: heuristic scanners
• Third generation: activity traps
• Fourth generation: full-featured protection
A first-generation scanner requires a virus signature to identify a virus. The virus may contain
“wildcards” but has essentially the same structure and bit pattern in all copies. Such signature-
specific scanners are limited to the detection of known viruses. Another type of first-
generation scanner maintains a record of the length of programs and looks for changes in
length.

A second-generation scanner does not rely on a specific signature. Rather, the scanner uses
heuristic rules to search for probable virus infection. One class of such scanners looks for
fragments of code that are often associated with viruses. For example, a scanner may look for
the beginning of an encryption loop used in a polymorphic virus and discover the encryption
key. Once the key is discovered, the scanner can decrypt the virus to identify it, then remove
the infection and return the program to service. Another second-generation approach is
integrity checking. A checksum can be appended to each program. If a virus infects the
program without changing the checksum, then an integrity check will catch the change. To
counter a virus that is sophisticated enough to change the checksum when it infects a
program, an encrypted hash function can be used.
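As an added example (not part of the lecture notes), the first- and second-generation scanner techniques just described, run on constructed byte strings: a signature with wildcards, a record of program length, and integrity checking first with an unkeyed checksum and then with the keyed hash that a virus cannot recompute. The signature, the "infection marker" and the program bodies are made up for illustration and correspond to no real virus.

```python
import hashlib
import hmac
import zlib

# Constructed signature for illustration only; None is a wildcard byte.
SIGNATURE = [0x4D, 0x41, None, 0x4C, 0x57, None, None, 0x52, 0x45]
# Constructed "infection marker" that the signature above is meant to match.
MARKER = bytes([0x4D, 0x41, 0x58, 0x4C, 0x57, 0x01, 0x02, 0x52, 0x45])


def signature_scan(program: bytes, signature=SIGNATURE) -> int:
    """First generation: return the offset of the first match of a signature
    with wildcards, or -1 when the program contains no known pattern."""
    n = len(signature)
    for off in range(len(program) - n + 1):
        if all(s is None or program[off + i] == s for i, s in enumerate(signature)):
            return off
    return -1


def length_record(programs: dict) -> dict:
    """First generation, second form: remember each program's length."""
    return {name: len(body) for name, body in programs.items()}


def length_changed(record: dict, programs: dict) -> list:
    """Names of programs whose length differs from the recorded value."""
    return sorted(n for n, body in programs.items() if record.get(n) != len(body))


def seal_unkeyed(body: bytes) -> bytes:
    """Second generation, integrity checking: append a CRC-32 checksum."""
    return body + zlib.crc32(body).to_bytes(4, "big")


def check_unkeyed(sealed: bytes) -> bool:
    body, stored = sealed[:-4], sealed[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == stored


def seal_keyed(key: bytes, body: bytes) -> bytes:
    """The text's 'encrypted hash function': HMAC-SHA256 under a key the
    scanner holds and the virus does not."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_keyed(key: bytes, sealed: bytes) -> bool:
    body, stored = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, stored)


def demo() -> dict:
    """Apply each technique to a constructed clean program and an 'infected'
    copy (the marker appended) and return what each check reports."""
    key = b"constructed-scanner-key"
    clean = b"CONSTRUCTED PROGRAM BODY " * 4        # 100 bytes
    infected = clean + MARKER
    variant = clean + b"UNKNOWN VARIANT BYTES"      # no signature on file for it
    rec = length_record({"prog": clean})
    return {
        "sig_clean": signature_scan(clean),          # -1: nothing found
        "sig_infected": signature_scan(infected),    # 100: offset of the marker
        "sig_variant": signature_scan(variant),      # -1: unknown virus is missed
        "length_flagged": length_changed(rec, {"prog": infected}),
        # An infection that leaves the old checksum in place is caught...
        "unkeyed_old_checksum_caught": not check_unkeyed(infected + seal_unkeyed(clean)[-4:]),
        # ...but one that recomputes the checksum over the new body is not.
        "unkeyed_recomputed_caught": not check_unkeyed(seal_unkeyed(infected)),
        # Without the scanner's key, a recomputed tag does not verify.
        "keyed_caught": not check_keyed(key, seal_keyed(b"wrong-key", infected)),
        "keyed_clean_ok": check_keyed(key, seal_keyed(key, clean)),
    }
```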

Third-generation programs are memory-resident programs that identify a virus by its actions
rather than its structure in an infected program. Such programs have the advantage that it is
not necessary to develop signatures and heuristics for a wide array of viruses. Rather, it is
necessary only to identify the small set of actions that indicate an infection is being attempted
and then to intervene.

Fourth-generation products are packages consisting of a variety of antivirus techniques used
in conjunction. These include scanning and activity trap components. In addition, such a
package includes access control capability, which limits the ability of viruses to penetrate a
system and then limits the ability of a virus to update files in order to pass on the infection.

The arms race continues. With fourth-generation packages, a more comprehensive defence
strategy is employed, broadening the scope of defence to more general-purpose computer
security measures.

DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS

A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from
using that service. When this attack comes from a single host or network node, then it is
simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack. In a
DDoS attack, an attacker is able to recruit a number of hosts throughout the Internet to
simultaneously or in a coordinated fashion launch an attack upon the target.
DDoS attacks make computer systems inaccessible by flooding servers, networks, or even end
user systems with useless traffic so that legitimate users can no longer gain access to those
resources. In a typical DDoS attack, a large number of compromised hosts are amassed to
send useless packets.
DDoS Attack Description
A DDoS attack attempts to consume the target’s resources so that it cannot provide service.
One way to classify DDoS attacks is in terms of the type of resource that is consumed.
Broadly speaking, the resource consumed is either an internal host resource on the target
system or data transmission capacity in the local network to which the target is attached.
A simple example of an internal resource attack is the SYN flood attack. Figure 10.9a shows
the steps involved:
a. The attacker takes control of multiple hosts over the Internet, instructing them to contact
the target Web server.
b. The slave hosts begin sending TCP/IP SYN (synchronize/initialization) packets, with
erroneous return IP address information, to the target.
c. Each SYN packet is a request to open a TCP connection. For each such packet, the Web
server responds with a SYN/ACK (synchronize/acknowledge) packet, trying to establish
a TCP connection with a TCP entity at a spurious IP address. The Web server maintains
a data structure for each SYN request waiting for a response back and becomes bogged
down as more traffic floods in. The result is that legitimate connections are denied while
the victim machine is waiting to complete bogus “half-open” connections.

Fig. 5.1 Distributed SYN flood attack

Fig. 5.2 Distributed ICMP attack

Fig. 5.2 illustrates an example of an attack that consumes data transmission resources. The
following steps are involved:
i. The attacker takes control of multiple hosts over the Internet, instructing them to send
ICMP ECHO packets with the target’s spoofed IP address to a group of hosts that act as
reflectors, as described subsequently.
ii. Nodes at the bounce site receive multiple spoofed requests and respond by sending echo
reply packets to the target site.
iii. The target’s router is flooded with packets from the bounce site, leaving no data
transmission capacity for legitimate traffic.

Another way to classify DDoS attacks is as either direct or reflector DDoS attacks. In a direct
DDoS attack, the attacker is able to implant zombie software on a number of sites distributed
throughout the Internet. Often, the DDoS attack involves two levels of zombie machines:
master zombies and slave zombies. The hosts of both machines have been infected with
malicious code. The attacker coordinates and triggers the master zombies, which in turn
coordinate and trigger the slave zombies. The use of two levels of zombies makes it more
difficult to trace the attack back to its source and provides for a more resilient network of
attackers.

Fig. 5.3 Direct DDoS attack

Fig. 5.4 Reflector DDoS attack

A reflector DDoS attack adds another layer of machines (Figure 10.10b). In this type of
attack, the slave zombies construct packets requiring a response that contains the target’s IP
address as the source IP address in the packet’s IP header. These packets are sent to
uninfected machines known as reflectors. The uninfected machines respond with packets
directed at the target machine. A reflector DDoS attack can easily involve more machines and
more traffic than a direct DDoS attack and hence be more damaging. Further, tracing back the
attack or filtering out the attack packets is more difficult because the attack comes from
widely dispersed uninfected machines.

DDoS Countermeasures
In general, there are three lines of defense against DDoS attacks.
• Attack prevention and pre-emption (before the attack): These mechanisms enable the
victim to endure attack attempts without denying service to legitimate clients.
Techniques include enforcing policies for resource consumption and providing backup
resources available on demand. In addition, prevention mechanisms modify systems and
protocols on the Internet to reduce the possibility of DDoS attacks.
• Attack detection and filtering (during the attack): These mechanisms attempt to detect
the attack as it begins and respond immediately. This minimizes the impact of the attack
on the target. Detection involves looking for suspicious patterns of behaviour. Response
involves filtering out packets likely to be part of the attack.
• Attack source traceback and identification (during and after the attack): This is an
attempt to identify the source of the attack as a first step in preventing future attacks.
However, this method typically does not yield results fast enough, if at all, to mitigate
an on-going attack.
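As an added example (not part of the lecture notes), the detection-and-filtering line of defense applied to the SYN flood described above: a constructed log of TCP handshake events is replayed, the server's half-open connections (SYN/ACK sent, no ACK received) are counted, and the addresses that never complete a handshake are listed as filter candidates. The addresses, the 20-connection alert threshold and the rule format are illustrative choices, not values from the text.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed handshake log: (time_s, flags, src, dst). In practice these rows
# would come from a packet capture or a firewall's connection log.
EVENTS = [
    (0.0, "SYN", "10.0.0.5", "192.0.2.80"),
    (0.1, "SYN/ACK", "192.0.2.80", "10.0.0.5"),
    (0.2, "ACK", "10.0.0.5", "192.0.2.80"),      # legitimate: handshake completes
    (1.0, "SYN", "10.0.0.6", "192.0.2.80"),
    (1.1, "SYN/ACK", "192.0.2.80", "10.0.0.6"),
    (1.2, "ACK", "10.0.0.6", "192.0.2.80"),      # legitimate: handshake completes
]
# Flood phase: 40 SYNs carrying spoofed (documentation-range) source addresses.
# The server answers each with SYN/ACK, but the spoofed host never sends an ACK.
for i in range(40):
    spoofed = f"203.0.113.{i + 1}"
    EVENTS.append((2.0 + i * 0.01, "SYN", spoofed, "192.0.2.80"))
    EVENTS.append((2.0 + i * 0.01 + 0.001, "SYN/ACK", "192.0.2.80", spoofed))


@dataclass
class ServerState:
    """Per-server view of the handshake table, as the victim sees it."""
    half_open: set = field(default_factory=set)    # SYN/ACK sent, no ACK yet
    completed: set = field(default_factory=set)    # clients that finished the handshake


def analyze(events, threshold=20):
    """Replay the events in time order and report, for each server, how many
    connections are half-open, whether that exceeds the alert threshold, and
    which client addresses never completed a handshake (filter candidates)."""
    servers = defaultdict(ServerState)
    for _time, flags, src, dst in sorted(events):
        if flags == "SYN/ACK":
            # src is the server; dst is the client it is now holding state for
            servers[src].half_open.add(dst)
        elif flags == "ACK":
            # src is the client completing its handshake with server dst
            state = servers[dst]
            if src in state.half_open:
                state.half_open.discard(src)
                state.completed.add(src)
        # A bare SYN costs the server nothing until it commits state by replying.
    report = {}
    for server, state in servers.items():
        report[server] = {
            "half_open": len(state.half_open),
            "completed": len(state.completed),
            "alert": len(state.half_open) >= threshold,
            "filter_candidates": sorted(state.half_open - state.completed),
        }
    return report


def filter_rules(report):
    """Turn the report into illustrative drop rules for the filtering response.
    Because flood sources are spoofed, per-address rules are only a stop-gap;
    the alert is the cue to enable SYN cookies or SYN rate limiting."""
    rules = []
    for server, info in report.items():
        if info["alert"]:
            rules.extend(f"drop tcp SYN from {c} to {server}" for c in info["filter_candidates"])
    return rules


if __name__ == "__main__":
    rep = analyze(EVENTS)
    for server, info in rep.items():
        print(server, info["half_open"], "half-open,", info["completed"], "completed,",
              "ALERT" if info["alert"] else "normal")
    print(len(filter_rules(rep)), "filter rules generated")
```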

Denial of Service Attacks

With a DoS attack, a hacker attempts to render a network or an Internet resource, such
as a web server, worthless to users. A DoS attack typically achieves its goal by sending large
amounts of repeated requests that paralyze the network or a server.

A common form of a DoS attack is a SYN flood, where the server is overwhelmed by
embryonic connections. A hacker sends to a server countless Transmission Control Protocol
(TCP) synchronization attempts known as SYN requests. The server answers each of those
requests with a SYN ACK reply and allocates some of its computing resources to servicing
this connection when it becomes a "full connection." Connections are said to be embryonic or
half-opened until the originator completes the three-way handshake with an ACK for each
request originated. A server that is inundated with half-opened connections soon runs out of
resources to allocate to upcoming connection requests, thus the expression "denial of service
attack."

The following sidebars provide the anatomy of DoS attacks and distributed DoS
(DDoS) attacks.
Fig 1.9 DOS

Those handlers in turn scan their own corporate network, hunting for workstations
to compromise and turn into DDoS agents. Those agents are also referred to as bots, thus
the expression of botnets.

When his army of agents is strategically in place, the hacker launches the attack.
He transmits his orders for the mission to the handlers and agents; these orders usually
cause each of these hosts to send large quantities of packets to the same specific
destination, at a precise time, thus overwhelming the victim and the path to it. It also
creates significant congestion on corporate networks that are infected with handlers and
agents when they all simultaneously launch their attack on the ultimate victim.

A MODEL FOR NETWORK SECURITY:

A Network Security Model shows how the security service is designed over
the network to prevent the opponent from causing a threat to the confidentiality or
authenticity of the information that is being transmitted through the network.
For a message to be sent or received there must be a sender and a receiver. Both the sender
and the receiver must mutually agree to the sharing of the message. The transmission
of a message from sender to receiver needs a medium, i.e. an information channel, which is
an Internet service.

A logical route is defined through the network (Internet) from the sender to the receiver, and
using the communication protocols both the sender and the receiver establish
communication.

Any security service would have the three components discussed below:

1. Transformation of the information which has to be sent to the receiver, so that any
opponent present on the information channel is unable to read the message. This indicates
the encryption of the message.

It also includes the addition of a code during the transformation of the information which will
be used in verifying the identity of the authentic receiver.

2. Sharing of the secret information between sender and receiver, of which the opponent must
not have any clue. Yes, we are talking of the encryption key which is used during the encryption
of the message at the sender’s end and also during the decryption of the message at the
receiver’s end.

3. There must be a trusted third party which should take the responsibility of distributing the
secret information (key) to both the communicating parties and also keep it from any
opponent.

Fig 1.11 A Model for Network Security


The network security model presents two communicating parties, sender and receiver, who
agree to exchange information. The sender cannot put the message on the information
channel in readable form, because an opponent with access to the channel could read or
alter it. So, before sending the message through the information channel, it is
transformed into an unreadable format. Secret information is used in that transformation
and is needed again when the message is transformed back at the recipient's side. That is
why a trusted third party may be required to distribute this secret information to both
parties involved in the communication.
Considering this general model of network security, four tasks must be addressed while
designing a security service:

1. Design an algorithm for performing the security-related transformation (turning the
readable message into an unreadable one at the sender's side). The algorithm should be
such that an opponent cannot defeat its purpose.

2. Generate the secret information (the key) to be used with the algorithm. This secret
information is used in conjunction with the security algorithm to transform the message.

3. Develop methods for distributing and sharing the secret information. The key is
required at both ends: at the sender's end to encrypt the message and at the receiver's
end to decrypt it. Where a trusted third party distributes the key, an appropriate
methodology must deliver it to the communicating parties without interference from the
opponent.

4. Specify a protocol to be used by the two parties that makes use of the security
algorithm and the secret information to achieve the particular security service. The
communication protocols used by the parties must support the security algorithm and the
secret key.
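The model above, worked through in code. This is an added example written for these notes, not part of the original text: the trusted third party is modelled as a tiny key store that hands the same secret to both principals, the transformation is encrypt-then-MAC with keys derived from that secret, and an opponent on the channel is shown flipping a ciphertext bit. The stream cipher (SHA-256 in counter mode) is a toy stand-in for a real cipher such as AES, chosen so the example runs with the Python standard library alone; the payroll message is constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Trusted third party: holds one shared secret per pair of principals and hands
# the same secret to whichever of the two asks (a minimal key-distribution centre).
_KEY_STORE: Dict[Tuple[str, str], bytes] = {}

def trusted_third_party_key(a: str, b: str) -> bytes:
    """Return the secret shared by principals a and b, creating it on first request."""
    pair = tuple(sorted((a, b)))
    if pair not in _KEY_STORE:
        _KEY_STORE[pair] = secrets.token_bytes(32)
    return _KEY_STORE[pair]

def _subkeys(secret: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for confidentiality and for integrity, both derived from the shared secret.
    return (hashlib.sha256(b"enc" + secret).digest(), hashlib.sha256(b"mac" + secret).digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Stands in for a real cipher such as AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def protect(secret: bytes, plaintext: bytes) -> bytes:
    """Sender's transformation: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(secret)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unprotect(secret: bytes, message: bytes) -> Optional[bytes]:
    """Receiver's inverse transformation; None means the message was forged or altered."""
    enc_key, mac_key = _subkeys(secret)
    if len(message) < 16 + 32:
        return None
    nonce, ciphertext, tag = message[:16], message[16:-32], message[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time check before decrypting
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

def demo() -> Dict[str, object]:
    """Honest delivery, then an opponent on the channel flipping one ciphertext bit."""
    key_sender = trusted_third_party_key("sender", "receiver")
    key_receiver = trusted_third_party_key("receiver", "sender")   # same secret at both ends
    wire = protect(key_sender, b"payroll: alice 5200")             # constructed message
    tampered = bytearray(wire)
    tampered[20] ^= 0x01                                            # inside the ciphertext
    return {
        "same_key": key_sender == key_receiver,
        "opaque_on_channel": b"payroll" not in wire,
        "honest": unprotect(key_receiver, wire),
        "altered": unprotect(key_receiver, bytes(tampered)),
    }

if __name__ == "__main__":
    print(demo())
```

The MAC is checked before anything is decrypted and compared in constant time, so the receiver rejects an altered message without leaking timing information; a wrong key (a principal the third party never paired with the sender) fails the same check.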
NETWORK ACCESS SECURITY MODEL
The network access security model is designed to protect an information system that can
be reached by an attacker through the network. Attackers who target a system accessible
over the Internet fall into two categories:

1. Hacker: one who is interested only in penetrating the system. Such attackers cause no
deliberate harm; they are satisfied by gaining access.
2. Intruders: attackers who intend to damage the system or to obtain information from it
that can be used for financial gain.

The attacker can also place logic in the system through the network (for example a virus
or worm) that affects the software on the system. This leads to two kinds of threats:
a. Information threats: these modify data, or grant access to data, on behalf of a user
who should not have that access, for example by enabling some crucial permission in the
system.
b. Service threats: these exploit flaws in services to prevent legitimate users from
accessing data or using the system.

Fig 1.12 Network access security model

There are two ways to secure the system against such attackers. The first is a gatekeeper
function: login IDs and passwords (and similar authentication) that keep unwanted users
out, together with screening logic that rejects known malware such as viruses and worms.
In case an unwanted user or program gets past the gatekeeper, the second line of defence
is internal control: monitoring system activity (audit logs, intrusion detection) to
detect the unwanted user or program and its actions. Antivirus software installed on the
system is one familiar example of such a control, since it examines programs and activity
on the system to detect and remove an intruder's code.
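An added example of the second line of defence just described: an internal control that analyses system activity after the gatekeeper and flags an intruder who got through it by guessing. The code is written for these notes and is not from the original text; the log lines are constructed in an sshd-like format, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample of authentication log lines (sshd-like format, not real traffic).
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 09:01:05 host sshd[101]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:01:09 host sshd[101]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar 10 09:01:12 host sshd[101]: Failed password for admin from 203.0.113.7 port 51006 ssh2
Mar 10 09:01:15 host sshd[101]: Failed password for alice from 203.0.113.7 port 51008 ssh2
Mar 10 09:01:20 host sshd[101]: Accepted password for alice from 203.0.113.7 port 51010 ssh2
Mar 10 09:03:00 host sshd[102]: Accepted publickey for bob from 198.51.100.4 port 40000 ssh2
Mar 10 09:05:30 host sshd[103]: Failed password for bob from 198.51.100.4 port 40002 ssh2
Mar 10 09:05:35 host sshd[103]: Accepted password for bob from 198.51.100.4 port 40004 ssh2
"""

# One regular expression covers both outcomes and the "invalid user" variant.
LINE_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def analyze(log_text: str, fail_threshold: int = 4) -> List[Dict[str, object]]:
    """Return one alert per source whose run of failures is followed by a success.

    A success after a burst of failures is the signature of a guessed password:
    the gatekeeper let the session in, so only activity analysis can catch it.
    fail_threshold is an assumed tuning value, not taken from the text."""
    failures = defaultdict(int)        # source IP -> consecutive failures so far
    users_tried = defaultdict(set)     # source IP -> usernames attempted in that run
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users_tried[src].add(user)
            continue
        # A success: decide whether what preceded it looked like guessing.
        if failures[src] >= fail_threshold:
            alerts.append({"src": src, "user": user,
                           "failures_before_success": failures[src],
                           "users_tried": sorted(users_tried[src])})
        failures[src] = 0
        users_tried[src].clear()
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Bob's single typo before a correct password stays below the threshold and produces no alert, while the source that cycled through root, admin and alice before succeeding is reported with the list of accounts it tried.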
What is a VPN service?

A VPN, which stands for virtual private network, establishes a connection between your
computer and a remote server owned by a VPN provider, creating a point-to-point tunnel
that encrypts your traffic, masks your IP address, and lets you sidestep website blocks
and firewalls on the Internet. This makes your online activity more private and better
protected from the networks your traffic crosses.

By its very definition, a VPN connection is:

• Virtual because no physical cables are involved in the connection process.

• Private because through this connection, no one else on the path can see your data or
browsing activity.

• Networked because multiple devices, your computer and the VPN server, work together to
maintain an established link.

Now that you know the meaning behind VPN, as well as what VPN stands for,
let's explore the many benefits of a VPN, and why it might be advantageous to
use one.

Why should I use a VPN service?

For anyone seeking a safer, freer, and more private online experience, a VPN offers
several benefits. It protects its users by encrypting their traffic and masking their IP
address, so that the local network and the ISP cannot see what they browse and the sites
they visit see only the VPN server's address. This greater anonymity allows greater
privacy, as well as greater freedom for those who wish to access blocked or region-bound
content. Note that the VPN provider itself can still see the traffic leaving its servers,
so a VPN shifts trust to the provider rather than eliminating the need for it.

Here are some common reasons as to why you might use a VPN:

Secure your data

Sensitive data like work emails, payment information, and location tagging is
constantly being transmitted online. This information is observable and easy to exploit,
especially on a public network, where anyone with access to the network can potentially
capture your traffic. A VPN connection encrypts your traffic between your device and the
VPN server, rendering it unreadable to anyone on that path who lacks the key, and hides
your browsing activity from the local network. It does not replace HTTPS, which protects
the traffic end to end, including the leg from the VPN server to the website.

Work from home

Today, remote work is more widespread than ever before. With a VPN, remote
workers can access company resources over a private connection from
anywhere, so long as they are able to get online. This provides employees with a
greater sense of flexibility, while also ensuring that company data remains
protected and secure, even on a public Wi-Fi network.

Access or stream regional content from anywhere

Some sites and services restrict their media content based on geographic location, which
means you may not have access to certain kinds of content. A VPN disguises, or spoofs,
your apparent location: the sites you visit see the VPN server's IP address, so you appear
to be based wherever that server is, such as in another country.

Bypass censorship and surveillance


Some regions may not have access to certain sites or services due to government
restrictions, censorship, or surveillance. Location spoofing gives these users the
ability to circumvent firewalls, view blocked websites, and move freely online.

Prevent ISP and third-party tracking

Internet service providers (ISPs) can see the destinations of your traffic and log your
browsing history against your connection's IP address. This information could potentially
be sold to third-party advertisers, given to the government, or exposed in a security
compromise. By routing your traffic through an encrypted tunnel to a remote VPN server, a
VPN hides the destinations from your ISP and masks your IP address from the sites you
visit; the VPN provider then becomes the party that can see your traffic instead.

Types of VPN connections

Today, you'll find a wide variety of VPNs for computers and mobile, both
premium and free, available for professional and personal use. Here are some of
the most common types:

Name | Type | Connection method | Use case
Remote access VPN (also known as client-to-site VPN) | Home | Connect to a private network or third-party server via SSL/TLS | For remote workers who need access to company files and resources over a private connection, or for users who wish to browse the public Internet over an encrypted connection
Site-to-site VPN | Private | Network connects to another network via LAN, WAN | For large organizations that need to link their internal networks across multiple sites in different locations, while maintaining a secure connection
VPN applications | Mobile | Connect to a private network via VPN app on mobile or smartphone device | For mobile users who wish to take advantage of the benefits of a VPN while on the go, or while experiencing an unstable Internet connection

Remote access VPN (also known as client-to-site VPN)

One of the most widely used types of VPN for the computer, a remote access
VPN, gives off-site users the ability to connect to an organization's network, or
a remote server, from their personal device. This can be accomplished by
entering your authentication credentials via a login page, which then authorizes
you to make the connection through your web browser.

Users may also connect to the VPN through a virtual desktop client or VPN app,
which also connects to a network or server after you enter your credentials. A
client provides its users with an easy interface to work with, connectivity
information, and the ability to toggle between the VPN's various features.

A remote access VPN can be used for both professional and personal use, which
is why it's one of the most common forms of VPN. It gives remote workers the
ability to access company files and resources without having to be in the office,
and it safeguards the private data of remote-first companies so that it's likely to
stay private. As for individual users who simply wish to browse the public
Internet with increased autonomy and anonymity, a remote access VPN is
integral to avoiding content blocks, firewalls, and ISP tracking.
Site-to-site VPN

Large organizations in need of a more robust, custom solution may opt for site-
to-site VPNs. A site-to-site VPN is a private, internal network comprised of
multiple networks within an organization, which are connected to each other’s
local area networks (LANs) through the public Internet. This setup allows users
across two separate networks, either within or adjacent to the organization, to
share resources with each other while still limiting full access to all their
resources, ensuring that communication within the company remains as private
and as secure as possible. Due to the scale and complexity of site-to-site VPNs,
this type of connection is best suited for enterprise-level companies with
departments across multiple locations.

Within site-to-site VPNs, there are two network types:

Intranet

An intranet site-to-site VPN links the LANs of several sites belonging to the same
organization across the public Internet. This is useful when multiple departments across
multiple locations need to collaborate with each other within a closed, private network.
Through a site-to-site connection, these departments can securely and efficiently exchange
resources with each other.

Extranet

An extranet site-to-site VPN links the LANs of sites belonging to different organizations.
An organization that frequently collaborates with third-party suppliers, partners, or
business vendors may need to form such a network. Organizations can also customize the
scope of access between the networks, so that only some resources are shared, while
others remain private.

Mobile VPN

While long-standing VPN providers typically cater to desktop users, smartphones have
spurred a large uptick in growth among VPNs for mobile. For smartphone users looking for
greater security and protection while on the go, a mobile VPN is worth having.

Mobile VPNs not only provide the benefits of a traditional VPN, but they also continue to
safeguard data when Internet connectivity is spotty or unstable, or when switching between
mobile data and Wi-Fi. So long as the app is running, the VPN connection remains in place
and the device's traffic remains protected. Because of this flexibility, a mobile VPN is
ideal for users who travel, or for those who do not have access to a reliable Internet
connection.

How does a VPN work?

When a connection is attempted to the VPN provider's remote server, the server
authenticates the user, the two sides negotiate session keys, and an encrypted tunnel is
set up for the user's traffic. Packets that travel through this tunnel are encrypted with
those session keys and are unreadable to anyone on the path who does not hold them. Once
the traffic reaches the VPN server, the server decrypts it and forwards it to the site you
are trying to reach, with the VPN server's own IP address as the source. The site's
replies take the same path back: the server encrypts them and sends them through the
tunnel to your device.

How this encryption process occurs, and whether it is actually secure, depends on the
protocol, or system of instructions, used to make the connection (for example IPsec or
TLS). A VPN service can only provide real security when backed by a strong protocol; it
is the engine that keeps a VPN running.

How a VPN protects your IP address

In addition to encryption, a VPN also masks your IP address from the public Internet,
which in turn helps mask your identity. When a user connects their computer to the VPN
server, the VPN not only protects their data, it also presents a different IP address to
the outside world in place of their real one. This may be a shared IP address, which
groups multiple users behind a single address so that the activity of any one user is
difficult to single out. The new address is normally that of the VPN server, which means
the more servers a provider has across the globe, the more addresses and locations you
have to choose from. Depending on your needs, this can be configured in the settings of
your VPN client.

When a VPN hides your IP address, it also hides your location, since location is usually
inferred from the address. This is useful for bypassing content blocks and firewalls that
key on your IP. IP masking also helps against doxing, where your private identity is made
public online, and against DDoS attacks, or distributed denial of service attacks, aimed
at your home connection: an attacker who knows only the VPN server's address hits the
provider's infrastructure rather than your own link, and cannot target your real address
unless it leaks some other way.

PUBLIC-KEY INFRASTRUCTURE:
Public-key infrastructure (PKI) is the set of
hardware, software, people, policies, and procedures needed to
create, manage, store, distribute, and revoke digital certificates
based on asymmetric cryptography. The principal objective for
developing a PKI is to enable secure, convenient, and efficient
acquisition of public keys. The Internet Engineering Task Force
(IETF) Public Key Infrastructure X.509 (PKIX) working group
has been the driving force behind setting up a formal (and
generic) model based on X.509 that is suitable for deploying a
certificate-based architecture on the Internet. This section
describes the PKIX model.

• End entity: A generic term used to denote end users, devices (e.g., servers, routers),
or any other entity that can be identified in the subject field of a public key
certificate. End entities typically consume and/or support PKI-related services.

• Certification authority (CA): The issuer of certificates and (usually) certificate
revocation lists (CRLs). It may also support a variety of administrative functions,
although these are often delegated to one or more registration authorities.

• Registration authority (RA): An optional component that can assume a number of
administrative functions from the CA. The RA is often associated with the end entity
registration process, but can assist in a number of other areas as well.

• CRL issuer: An optional component that a CA can delegate to publish CRLs.

• Repository: A generic term used to denote any method for storing certificates and CRLs
so that they can be retrieved by end entities.

Fig. 3.21: PKIX Architectural Model

Figure 3.21 shows the interrelationship among these key elements of the PKIX model.

PKIX Management Functions
PKIX identifies a number of management functions that potentially need to be supported by
management protocols. These are indicated in Figure 3.21 and include the following:

• Registration: This is the process whereby a user first makes itself known to a CA (directly,
or through an RA), prior to that CA issuing a certificate or certificates for that user.
Registration begins the process of enrolling in a PKI. Registration usually involves some off-
line or online procedure for mutual authentication. Typically, the end entity is issued one or
more shared secret keys used for subsequent authentication.

• Initialization: Before a client system can operate securely, it is necessary to install key
materials that have the appropriate relationship with keys stored elsewhere in the
infrastructure. For example, the client needs to be securely initialized with the public key and
other assured information of the trusted CA(s) to be used in validating certificate paths.

• Certification: This is the process in which a CA issues a certificate for a user’s public key
and returns that certificate to the user’s client system and/or posts that certificate in a
repository.

• Key pair recovery: Key pairs can be used to support digital signature creation and
verification, encryption and decryption, or both. When a key pair is used for
encryption/decryption, it is important to provide a mechanism to recover the necessary
decryption keys when normal access to the keying material is no longer possible; otherwise
it will not be possible to recover the encrypted data. Loss of access to the decryption
key can result from forgotten passwords/PINs, corrupted disk drives, damage to hardware
tokens, and so on. Key pair recovery allows end entities to restore their
encryption/decryption key pair from an authorized key backup facility (typically, the CA
that issued the end entity's certificate).

• Key pair update: All key pairs need to be updated regularly (i.e., replaced with a new
key pair) and new certificates issued. Update is required when the certificate lifetime
expires and as a result of certificate revocation.

• Revocation request: An authorized person advises a CA of an abnormal situation requiring
certificate revocation. Reasons for revocation include private key compromise, change in
affiliation, and name change.

• Cross certification: Two CAs exchange information used in establishing a cross
certificate. A cross-certificate is a certificate issued by one CA to another CA that
contains a CA signature key used for issuing certificates.
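An added example of what a relying party does with the PKIX artefacts above: it validates a certificate path from an end entity up to a trusted CA and consults the issuer's CRL for each certificate on the path. This code is written for these notes and is not from the original text or any PKI product. The certificates are dictionaries rather than X.509 DER, and the signatures are textbook RSA over fixed Mersenne primes (toy key sizes, no padding) so the example runs with the standard library alone; real deployments use a library such as OpenSSL. The names, serial numbers and dates are constructed.

```python
import hashlib
import json
from typing import Dict, List, Optional

E = 65537

def rsa_key(p: int, q: int) -> Dict[str, int]:
    """Toy RSA key from two fixed primes (illustration only, never for real keys)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

# Fixed Mersenne primes give deterministic toy keys for each principal.
ROOT_KEY = rsa_key(2**89 - 1, 2**107 - 1)
INT_KEY = rsa_key(2**61 - 1, 2**127 - 1)
EE_KEY = rsa_key(2**31 - 1, 2**17 - 1)      # only its public half appears in a certificate

def _digest(tbs: Dict) -> int:
    # 128-bit truncation keeps the value below every toy modulus above.
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def issue(issuer_key: Dict[str, int], issuer_name: str, subject: str, serial: int,
          pub_n: int, is_ca: bool, not_before: str, not_after: str) -> Dict:
    """The certification function: the CA signs the to-be-signed fields."""
    tbs = {"subject": subject, "issuer": issuer_name, "serial": serial,
           "pub_n": pub_n, "pub_e": E, "is_ca": is_ca,
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "sig": pow(_digest(tbs), issuer_key["d"], issuer_key["n"])}

def _signature_ok(cert: Dict, signer_n: int, signer_e: int) -> bool:
    return pow(cert["sig"], signer_e, signer_n) == _digest(cert["tbs"])

def validate_path(chain: List[Dict], trust_anchor: Dict, crl: Dict[str, List[int]],
                  today: str) -> Optional[str]:
    """chain = [end entity, ..., CA directly under the anchor]. None if valid, else the reason.

    The anchor itself is trusted by configuration (initialization), so its own
    self-signature is not what establishes trust and is not checked here."""
    signer = trust_anchor
    for cert in reversed(chain):                    # walk from the anchor downwards
        tbs = cert["tbs"]
        if not signer["tbs"]["is_ca"]:
            return f"{signer['tbs']['subject']} is not a CA"
        if tbs["issuer"] != signer["tbs"]["subject"]:
            return f"issuer mismatch for {tbs['subject']}"
        if not (tbs["not_before"] <= today <= tbs["not_after"]):
            return f"{tbs['subject']} outside validity period"
        if not _signature_ok(cert, signer["tbs"]["pub_n"], signer["tbs"]["pub_e"]):
            return f"bad signature on {tbs['subject']}"
        if tbs["serial"] in crl.get(tbs["issuer"], []):   # CRL published by that issuer
            return f"{tbs['subject']} revoked by {tbs['issuer']}"
        signer = cert
    return None

# Constructed hierarchy: root CA -> issuing CA -> server certificate.
ROOT = issue(ROOT_KEY, "Root CA", "Root CA", 1, ROOT_KEY["n"], True, "2024-01-01", "2034-01-01")
INTERMEDIATE = issue(ROOT_KEY, "Root CA", "Issuing CA", 2, INT_KEY["n"], True, "2024-01-01", "2029-01-01")
SERVER = issue(INT_KEY, "Issuing CA", "www.example.com", 3, EE_KEY["n"], False, "2025-01-01", "2026-01-01")
EMPTY_CRL: Dict[str, List[int]] = {"Root CA": [], "Issuing CA": []}

def demo() -> Dict[str, Optional[str]]:
    chain = [SERVER, INTERMEDIATE]
    forged = dict(SERVER, tbs=dict(SERVER["tbs"], subject="evil.example.com"))
    return {
        "good": validate_path(chain, ROOT, EMPTY_CRL, "2025-06-01"),
        "revoked": validate_path(chain, ROOT, {"Issuing CA": [3]}, "2025-06-01"),
        "expired": validate_path(chain, ROOT, EMPTY_CRL, "2027-01-01"),
        "tampered": validate_path([forged, INTERMEDIATE], ROOT, EMPTY_CRL, "2025-06-01"),
    }

if __name__ == "__main__":
    print(demo())
```

Each check corresponds to a management function from the list: certification produces the signature that is verified, a revocation request shows up as a serial on the issuer's CRL, and key pair update is what replaces the expired server certificate.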
Secure Shell

SSH (Secure Shell) is a cryptographic network protocol for operating network services
securely over an unsecured network; its most common uses are remote login and file
transfer with all data encrypted. The default port number of SSH is 22. SSH keys, the
access credentials used by the protocol, allow you to log in to a server, or to many
servers, without having to remember or enter a password for each system. SSH keys always
come in pairs:
• Public key: can be given to anyone and needs no protection; it is placed on the server
(or sent to the peer) and is used to verify signatures made with the matching private key.
• Private key: stays on the owner's computer and must be protected; it produces the
signatures (or decrypts data) that prove possession of the key.
Key pairs can be of the following types:
• User key: a key pair held by a user and used to authenticate that user to a server.
• Host key: a key pair held by the server (the remote system) and used to authenticate
the server to clients.
• Session key: a symmetric key negotiated for one connection and used to encrypt and
authenticate the bulk data transmitted during it.
Features of SSH
• Encryption: all data exchanged between server and client is encrypted, which ensures
confidentiality against eavesdroppers on the network.
• Authentication: SSH authenticates the server to the client with host keys and the
client to the server with public/private key pairs (or passwords); key-based
authentication is stronger than traditional password authentication.
• Data integrity: SSH applies a message authentication code to each packet, so any
modification of the messages in transit is detected.
• Tunneling: through SSH we can create secure tunnels that forward other network
connections over the encrypted channel.
SSH Functions
SSH performs several functions:
• SSH provides high security, as it encrypts all messages exchanged between client and
server.
• SSH provides confidentiality and integrity of the session.
• SSH allows remote login, and hence is the secure replacement for TELNET.
• SSH provides a secure file transfer protocol (SFTP, and SCP), which means files can be
transferred over the Internet securely.
• SSH supports tunneling (port forwarding), which lets otherwise insecure protocols ride
over the secure connection.
SSH Protocol
To provide security between a client and a server the SSH protocol uses encryption. All
user authentication and file transfers are encrypted to protect the session against
attacks on the network.
Techniques Used in SSH

There are three major techniques used in SSH:
• Symmetric cryptography: the same key is used for encrypting and decrypting the message,
so a single shared secret key is kept between sender and receiver. Examples are AES
(Advanced Encryption Standard) and, historically, DES (Data Encryption Standard). SSH
uses a symmetric cipher, keyed with the negotiated session key, for the bulk of the
traffic.
• Asymmetric cryptography: the key used for encrypting or signing is different from the
key used for decrypting or verifying. Examples are RSA (Rivest–Shamir–Adleman) and the
Digital Signature Algorithm. SSH uses it for host and user authentication and, together
with Diffie-Hellman key exchange, for agreeing on the session key.
• Hashing: a procedure that converts a variable-length input into a fixed-length string,
the hash value, produced by a hash function. SSH uses hash functions to derive keys, to
fingerprint public keys, and (as HMAC) to protect the integrity of each packet.

The general procedure for key-based login is:

• The client's public key is placed in advance on the server that is to be accessed
(typically in the user's authorized_keys file).
• When the client connects, the two sides exchange keys (Diffie-Hellman) to establish a
session key and a session identifier, and the server proves its identity by signing the
exchange with its host key, which the client checks against the host keys it already
knows.
• The server then checks whether the client's public key is registered for the requested
user.
• If so, the server requires the client to prove possession of the matching private key.
In SSH-2 the client signs the session identifier with its private key and sends the
signature to the server (the older SSH-1 protocol instead had the server encrypt a random
value with the public key for the client to decrypt).
• The server verifies the signature with the registered public key, which authenticates
the client without any password crossing the network.
• From then on all data flows through the encrypted and integrity-protected channel keyed
by the session key.
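The procedure above and the three techniques it combines, as an added walk-through in Python with the standard library only (not code from the original text or from any SSH implementation): the client checks the server's host key against its known_hosts store, both sides run Diffie-Hellman and hash the exchange into a session identifier, the server signs that hash with its host key, and the client proves possession of its user key by signing the session identifier, which is SSH-2's form of the challenge. The Diffie-Hellman group and the RSA keys are toy-sized fixed primes chosen for the example; they are not secure, and the fingerprint encoding and dictionary-based key stores are this example's own simplifications.

```python
import hashlib
import secrets
from typing import Dict

E = 65537

def rsa_key(p: int, q: int) -> Dict[str, int]:
    """Toy RSA key pair from two fixed primes (illustration only, never for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E, "d": pow(E, -1, phi)}

HOST_KEY = rsa_key(2**89 - 1, 2**107 - 1)   # the server's host key pair
USER_KEY = rsa_key(2**61 - 1, 2**127 - 1)   # the user's key pair (public half in authorized_keys)
DH_P, DH_G = 2**127 - 1, 5                   # toy DH group; real SSH uses RFC 3526 groups or curve25519

def fingerprint(n: int) -> str:
    """SHA-256 fingerprint of a public key; the input encoding is this example's own."""
    return "SHA256:" + hashlib.sha256(str(n).encode()).hexdigest()[:32]

def exchange_hash(host_n: int, e_c: int, f_s: int, k: int) -> int:
    # Hash (technique 3) over the host key, both DH values and the shared secret.
    # 128-bit truncation keeps the integer below the toy moduli so it can be signed directly.
    data = "|".join(map(str, (host_n, e_c, f_s, k))).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(key: Dict[str, int], h: int) -> int:
    return pow(h, key["d"], key["n"])

def verify(n: int, h: int, sig: int) -> bool:
    return pow(sig, E, n) == h

def ssh_connect(known_hosts: Dict[str, str], authorized_keys: Dict[str, int],
                host: str, user: str, user_key: Dict[str, int]) -> Dict[str, object]:
    """Simulate both ends of one SSH connection and report what was established."""
    # 1. Key exchange (asymmetric technique): each side picks a secret exponent and sends g^x mod p.
    x_c, x_s = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    e_c, f_s = pow(DH_G, x_c, DH_P), pow(DH_G, x_s, DH_P)
    # 2. Server: shared secret K, ex hash H (the session identifier), and a host-key signature over H.
    k_server = pow(e_c, x_s, DH_P)
    h_server = exchange_hash(HOST_KEY["n"], e_c, f_s, k_server)
    host_sig = sign(HOST_KEY, h_server)
    # 3. Client: is this the host key seen before for this host? Then check its signature.
    fp = fingerprint(HOST_KEY["n"])
    if host in known_hosts and known_hosts[host] != fp:
        return {"ok": False, "reason": "host key changed (possible man-in-the-middle)"}
    known_hosts.setdefault(host, fp)                  # trust on first use
    k_client = pow(f_s, x_c, DH_P)
    session_id = exchange_hash(HOST_KEY["n"], e_c, f_s, k_client)   # equals h_server iff K agrees
    if not verify(HOST_KEY["n"], session_id, host_sig):
        return {"ok": False, "reason": "host signature did not verify"}
    # 4. Symmetric session key for the bulk cipher and MAC, derived from K and H by hashing.
    session_key = hashlib.sha256(str(k_client).encode() + session_id.to_bytes(16, "big")).digest()
    # 5. Public-key user authentication: the client signs the session identifier with its private key.
    user_sig = sign(user_key, session_id)
    authorized_n = authorized_keys.get(user)
    if authorized_n is None or not verify(authorized_n, h_server, user_sig):
        return {"ok": False, "reason": "public key not authorized for user"}
    return {"ok": True, "fingerprint": fp, "session_key": session_key}

if __name__ == "__main__":
    print(ssh_connect({}, {"alice": USER_KEY["n"]}, "srv.example", "alice", USER_KEY))
```

Signing the session identifier rather than a server-chosen value ties the user's proof to this particular key exchange, so a signature captured from one connection cannot be replayed into another; a changed host fingerprint aborts the connection before any user credential is used.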
Secure Socket Layer(SSL)
Secure Socket Layer (SSL) provides security to the data transferred between a web browser
and a server. SSL encrypts the link between a web server and a browser, which ensures that
all data passed between them remains private and protected from tampering. This section
discusses SSL in detail: its protocols, the salient features of SSL, and its versions.
What is a Secure Socket Layer?
SSL, or Secure Sockets Layer, is an Internet security protocol that encrypts
data to keep it safe. It was created by Netscape in 1995 to ensure privacy,
authentication, and data integrity in online communications. SSL is the older
version of what we now call TLS (Transport Layer Security).
Websites using SSL/TLS have “HTTPS” in their URL instead of “HTTP.”
How does SSL work?
• Encryption: SSL encrypts data transmitted over the web, ensuring privacy. Someone who
intercepts the data sees only ciphertext that cannot be decoded without the session key.
• Authentication: SSL starts with a handshake in which the server (and optionally the
client) presents a certificate, so each party can confirm it is talking to whom it
expects.
• Data integrity: SSL attaches a message authentication code (MAC) to each record, so the
receiver can verify that the data received is exactly what the sender sent.
Why is SSL Important?
Originally, data on the web was transmitted in plaintext, making it easy for
anyone who intercepted the message to read it. For example, if someone
logged into their email account, their username and password would travel
across the Internet unprotected.
SSL was created to solve this problem and protect user privacy. By encrypting
data between a user and a web server, SSL ensures that anyone who intercepts
the data sees only a scrambled mess of characters. This keeps the user’s login
credentials safe, visible only to the email service.
Additionally, SSL helps prevent cyber attacks by:
• Authenticating web servers: ensuring that users are connecting to the legitimate
website, not a fake one set up by attackers.
• Preventing data tampering: acting like a tamper-proof seal, SSL ensures that the data
sent and received has not been altered in transit.
Secure Socket Layer Protocols
• SSL Record Protocol
• Handshake Protocol
• Change-Cipher Spec Protocol
• Alert Protocol

SSL Record Protocol


The SSL Record Protocol provides two services to an SSL connection:
• Confidentiality
• Message integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is
optionally compressed, then a MAC (Message Authentication Code), computed with a keyed
hash such as MD5 or SHA-1, is appended. The fragment plus MAC is then encrypted with the
negotiated symmetric cipher, and finally an SSL record header (content type, version,
length) is prepended.
Handshake Protocol
The Handshake Protocol is used to establish sessions. It allows the client and server to
authenticate each other and to negotiate the cryptographic parameters by sending a series
of messages to each other. The handshake has four phases.
• Phase 1: client and server exchange hello messages. In this phase the protocol version,
session ID, cipher suite, compression method and random nonces are exchanged to establish
the security capabilities.
• Phase 2: the server sends its certificate and, if needed, a ServerKeyExchange message
(and may request a client certificate). The server ends phase 2 by sending the
ServerHelloDone message.
• Phase 3: the client replies with its certificate (if one was requested) and the
ClientKeyExchange message, from which both sides derive the shared master secret.
• Phase 4: both sides send ChangeCipherSpec and a Finished message protected by the new
keys; after this the Handshake Protocol ends and application data can flow.
Change-Cipher Spec Protocol
This protocol uses the SSL Record Protocol. Until the Handshake Protocol is completed, the
newly negotiated parameters are held in a pending state. Change-Cipher Spec consists of a
single message, 1 byte in length with only one value (1). Its purpose is to cause the
pending state to be copied into the current state, which updates the cipher suite used on
the connection.
Alert Protocol
This protocol is used to convey SSL-related alerts to the peer entity. Each alert message
is 2 bytes: the first byte is the level and the second byte describes the specific alert.

The level takes one of two values:

Warning (level = 1)
A warning alert has no immediate impact on the connection between sender and receiver.
Some of them are:
• Bad certificate: the received certificate is corrupt (e.g., its signature does not
verify).
• No certificate: an appropriate certificate is not available (sent in response to a
certificate request).
• Certificate expired: the certificate has expired or is not currently valid.
• Certificate unknown: some other unspecified issue arose in processing the certificate,
rendering it unacceptable.
• Close notify: notifies the peer that the sender will not send any more messages on this
connection.
• Unsupported certificate: the type of certificate received is not supported.
• Certificate revoked: the received certificate is on its signer's revocation list.
Fatal error (level = 2)
A fatal alert breaks the connection between sender and receiver. The connection is
terminated immediately and cannot be resumed, but a new connection can be started. Some
of them are:
• Handshake failure: the sender is unable to negotiate an acceptable set of security
parameters given the options available.
• Decompression failure: the decompression function received improper input.
• Illegal parameter: a field in a handshake message was out of range or inconsistent with
other fields.
• Bad record MAC: an incorrect MAC was received.
• Unexpected message: an inappropriate message was received.
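An added example of the record layer encapsulation described above (fragment, MAC, encrypt, header) together with the two-byte alert encoding, written for these notes in Python with the standard library; it is not code from the original text or from any SSL/TLS implementation. The cipher is NULL, as in the standardised TLS_RSA_WITH_NULL_SHA suite, so the MAC and framing stay visible; the MAC input layout follows TLS 1.0 (sequence number, content type, version, length, fragment), and the key material, request and forged bit are constructed.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

APPLICATION_DATA, ALERT = 23, 21          # content types
VERSION = (3, 1)                           # TLS 1.0 on the wire; SSL 3.0 would be (3, 0)
MAX_FRAGMENT = 2**14                       # a record carries at most 16 KiB of plaintext
WARNING, FATAL = 1, 2                      # alert levels (first alert byte)
CLOSE_NOTIFY, BAD_RECORD_MAC = 0, 20       # alert descriptions (second alert byte)
MAC_LEN = 20                               # HMAC-SHA1

class RecordLayer:
    """One direction of a connection under a NULL cipher with HMAC-SHA1."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0          # 64-bit sequence number; reset when ChangeCipherSpec takes effect

    def _mac(self, ctype: int, fragment: bytes) -> bytes:
        # MAC input: seq_num || type || version || length || fragment
        header = struct.pack("!QBBBH", self.seq, ctype, VERSION[0], VERSION[1], len(fragment))
        return hmac.new(self.mac_key, header + fragment, hashlib.sha1).digest()

    def send(self, ctype: int, data: bytes) -> List[bytes]:
        """Fragment, MAC, (NULL-)encrypt, and prepend the 5-byte record header."""
        records = []
        for start in range(0, max(len(data), 1), MAX_FRAGMENT):
            fragment = data[start:start + MAX_FRAGMENT]
            protected = fragment + self._mac(ctype, fragment)   # a real suite encrypts this part
            records.append(struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(protected)) + protected)
            self.seq += 1
        return records

    def receive(self, record: bytes) -> Tuple[int, bytes, Optional[bytes]]:
        """Return (content_type, fragment, alert_to_send); alert_to_send is None for a good record."""
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        body = record[5:5 + length]
        bad = bytes([FATAL, BAD_RECORD_MAC])
        if (major, minor) != VERSION or len(body) != length or len(body) < MAC_LEN:
            return ctype, b"", bad
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(ctype, fragment)):
            return ctype, b"", bad        # also catches a replayed record: the seq no longer matches
        self.seq += 1
        return ctype, fragment, None

ALERT_NAMES = {(WARNING, CLOSE_NOTIFY): "warning: close_notify",
               (FATAL, BAD_RECORD_MAC): "fatal: bad_record_mac"}

def alert_name(alert: bytes) -> str:
    return ALERT_NAMES.get((alert[0], alert[1]), f"level {alert[0]}, description {alert[1]}")

def demo() -> dict:
    key = b"client_write_MAC_secret from the handshake"   # constructed key material
    client, server = RecordLayer(key), RecordLayer(key)
    recs = client.send(APPLICATION_DATA, b"GET / HTTP/1.1\r\n")
    good = server.receive(recs[0])
    forged = bytearray(recs[0])
    forged[5] ^= 0x01                                       # flip one bit of the fragment
    bad = server.receive(bytes(forged))
    replayed = server.receive(recs[0])                       # server's seq has moved on
    close = client.send(ALERT, bytes([WARNING, CLOSE_NOTIFY]))[0]
    closed = server.receive(close)
    big = client.send(APPLICATION_DATA, b"x" * 20000)        # needs two records
    return {"good": good, "bad": alert_name(bad[2]), "replayed": alert_name(replayed[2]),
            "close": alert_name(closed[1]), "big_records": len(big)}

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is part of the MAC input but never sent on the wire, a replayed record fails the same bad_record_mac check as a forged one, which is how the record layer gets replay protection without any extra field.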
Salient Features of Secure Socket Layer
• SSL can be embedded in specific application packages; the advantage of this approach is
that the service can be tailored to the specific needs of the given application.
• Secure Socket Layer was originated by Netscape.
• SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
• SSL is a two-layered protocol: the Record Protocol sits on top of TCP, and the
Handshake, Change-Cipher Spec and Alert protocols (and the application protocol such as
HTTP) sit on top of the Record Protocol.

IP security (IPSec)
IP security (IPsec) is an Internet Engineering Task Force (IETF) standard suite of
protocols that provides data authentication, integrity, and confidentiality between two
communicating points across an IP network. It defines how packets are encrypted, decrypted
and authenticated, and it includes the protocols needed for secure key exchange and key
management.
Uses of IP Security –
IPsec can be used to do the following things:
• To encrypt application layer data.
• To provide security for routers sending routing data across the public Internet.
• To provide authentication without encryption, for example to authenticate that the data
originates from a known sender.
• To protect network data by setting up circuits using IPsec tunneling, in which all data
sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN)
connection.
Components of IP Security –
It has the following components:
o Encapsulating Security Payload (ESP): provides confidentiality (encryption) of the
payload and, optionally, data integrity, data origin authentication and anti-replay
protection for it. ESP does not protect the outer IP header.
o Authentication Header (AH): provides data integrity, data origin authentication and
anti-replay protection, but no encryption. The AH integrity check also covers the
immutable fields of the IP header. Anti-replay protection lets the receiver discard
duplicated or replayed packets. AH does not protect the data's confidentiality.

Figure 4.9 Authentication Header


• Internet Key Exchange (IKE)
IKE is the network security protocol used to authenticate the peers, negotiate Security
Associations (SAs) and dynamically establish the keys between two devices. A Security
Association (SA) defines the shared security attributes (algorithms, keys, lifetimes, SPI)
between two network entities that support secure communication in one direction. IKE
builds on ISAKMP (Internet Security Association and Key Management Protocol), which
provides the framework for authentication and key exchange: ISAKMP defines how SAs are
set up and how two hosts using IPsec communicate to negotiate them.
IKE protects its own messages and offers an open framework for standard algorithms such as
SHA and MD5. For each protected packet, IPsec computes an integrity check value with the
negotiated algorithm; the receiver recomputes it to determine whether the packet is
authentic and unmodified. Packets that fail the check are discarded and never delivered to
the receiving application.
Figure 4.10 Internet Key Exchange
Working of IP Security –
• The host checks whether the packet should be transmitted using IPsec or not, by
consulting its security policy for that traffic. For outgoing packets that match the
policy, the sending system applies the appropriate protection (encryption and/or
authentication). Incoming packets are likewise checked by the receiving host against the
policy and their protection is verified.
• Then IKE Phase 1 starts, in which the two hosts using IPsec authenticate themselves to
each other and set up a secure channel. IKEv1 has two modes for this: Main mode, which
provides greater security (it protects the peers' identities), and Aggressive mode, which
lets the hosts establish the IPsec circuit more quickly with fewer messages.
• The channel created in the previous step is then used to securely negotiate how the IP
traffic will be protected.
• IKE Phase 2 is conducted over that secure channel; in it the two hosts negotiate the
cryptographic algorithms to use for the session and agree on the secret keying material
to be used with those algorithms, producing the IPsec SAs.
• Data is then exchanged across the newly created IPsec tunnel. These packets are
encrypted and authenticated on sending, and decrypted and verified on receipt, using the
IPsec SAs.
• When the communication between the hosts is complete or the session times out, the
IPsec tunnel is terminated and both hosts discard the keys.
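An added example of the data-exchange step above, and of the ESP packet format listed in the architecture section that follows: ESP packets built and checked under one Security Association, written for these notes in Python with the standard library (not code from the original text or from any IPsec stack). Encryption is ESP-NULL (RFC 2410) so the field layout stays visible: SPI, sequence number, payload, padding, pad length, next header and ICV. The ICV is HMAC-SHA-256 truncated to 128 bits, and the receiver keeps the 64-packet anti-replay window of RFC 4303. The SPI, keys and payloads are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

ICV_LEN = 16          # HMAC-SHA-256-128
WINDOW = 64           # RFC 4303 default anti-replay window size

class EspSa:
    """One direction of an ESP Security Association: ESP-NULL cipher, HMAC-SHA-256-128 ICV."""

    def __init__(self, spi: int, auth_key: bytes, block: int = 4):
        self.spi, self.auth_key, self.block = spi, auth_key, block
        self.next_seq = 1      # sender side: the first packet carries sequence number 1
        self.highest = 0       # receiver side: highest sequence number accepted so far
        self.seen = 0          # receiver side: bitmap of accepted numbers, bit 0 = highest

    def encapsulate(self, payload: bytes, next_header: int) -> bytes:
        """Build SPI || seq || payload || padding || pad_len || next_header || ICV."""
        pad_len = (-(len(payload) + 2)) % self.block     # align the trailer to the block size
        trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
        body = struct.pack("!II", self.spi, self.next_seq) + payload + trailer
        self.next_seq += 1
        icv = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        return body + icv                                   # NULL cipher: nothing is encrypted

    def decapsulate(self, packet: bytes) -> Tuple[Optional[bytes], Optional[int], str]:
        """Return (payload, next_header, verdict); payload is None when the packet is dropped."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return None, None, "dropped: truncated"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None, None, "dropped: unknown SPI"
        verdict = self._replay_check(seq)                   # cheap check first, before the MAC
        if verdict:
            return None, None, verdict
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None, None, "dropped: ICV mismatch"
        self._replay_update(seq)                            # window moves only for verified packets
        pad_len, next_header = body[-2], body[-1]
        return body[8:len(body) - 2 - pad_len], next_header, "accepted"

    def _replay_check(self, seq: int) -> str:
        if seq == 0:
            return "dropped: sequence number 0 is never valid"
        if seq > self.highest:
            return ""                                       # advances the window: allowed
        if self.highest - seq >= WINDOW:
            return "dropped: too old for the window"
        if (self.seen >> (self.highest - seq)) & 1:
            return "dropped: replayed"
        return ""

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

def demo() -> Dict[str, object]:
    key = b"sa-auth-key-from-IKE-phase-2"                    # constructed key material
    sender, receiver = EspSa(spi=0x1000, auth_key=key), EspSa(spi=0x1000, auth_key=key)
    pkts = [sender.encapsulate(f"datagram {i}".encode(), 6) for i in range(4)]   # 6 = TCP
    first = receiver.decapsulate(pkts[0])
    third = receiver.decapsulate(pkts[2])                    # out of order but new: accepted
    second = receiver.decapsulate(pkts[1])                   # late but inside the window
    replay = receiver.decapsulate(pkts[0])                   # seen already: dropped
    forged = bytearray(pkts[3])
    forged[9] ^= 0xFF                                        # corrupt a payload byte
    bad_icv = receiver.decapsulate(bytes(forged))            # dropped, window untouched
    retransmit = receiver.decapsulate(pkts[3])               # the genuine packet still gets in
    return {"first": first, "second": second, "third": third, "replay": replay[2],
            "bad_icv": bad_icv[2], "retransmit": retransmit[2]}

if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the SPI lookup and replay window are consulted before the ICV so that a flood of replays costs no MAC computation, but the window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine packets out of the window.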
IPSec Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow:
ESP (Encapsulating Security Payload) and AH (Authentication Header). The IPSec
architecture comprises protocols, algorithms, a domain of interpretation (DOI) and key
management. All these components together provide the three main services:
• Confidentiality
• Authentication
• Integrity
IP Security Architecture:
Figure 4.11 IP Security Architecture
• Architecture:
Architecture or IP Security Architecture covers the general concepts, definitions, protocols, algorithms and security requirements of IP Security technology.
• ESP Protocol:
ESP (Encapsulation Security Payload) provides the confidentiality service. Encapsulation Security Payload is implemented in one of two ways:
o ESP with optional Authentication.
o ESP with Authentication.
Packet Format:
Figure 4.12 Packet Format
• Security Parameter Index (SPI):
This parameter is used in the Security Association. It is used to give a unique number to the connection built between Client and Server.
• Sequence Number:
A unique sequence number is allotted to every packet so that at the receiver side packets can be arranged properly.
• Payload Data:
Payload data means the actual data or the actual message. The payload data is in encrypted format to achieve confidentiality.
• Padding:
Extra bits or space added to the original message in order to ensure confidentiality. Padding length is the size of the added bits or space in the original message.
• Next Header:
Next header means the next payload or next actual data.
• Authentication Data:
This field is optional in the ESP protocol packet format.
• Encryption Algorithm:
Encryption Algorithm is the document that describes the various encryption algorithms used for Encapsulation Security Payload.
• AH Protocol:
AH (Authentication Header) Protocol provides both Authentication and Integrity services. Authentication Header is implemented in one way only: Authentication along with Integrity.
Figure 4.13 AH Protocol
Authentication Header covers the packet format and general issues related to the use of AH for packet authentication and integrity.
• Authentication Algorithm:
Authentication Algorithm contains the set of documents that describe the authentication algorithms used for AH and for the authentication option of ESP.
• DOI (Domain of Interpretation):
DOI is the identifier which supports both AH and ESP protocols. It contains the values needed for the documents related to each other.
• Key Management:
Key Management contains the documents that describe how the keys are exchanged between sender and receiver.
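As an added illustration of the ESP packet fields listed above (not code from this page or from any IPsec implementation), the following Python builds an ESP-shaped packet and performs the receiver-side checks: the Authentication Data (ICV) is verified before any other field is trusted, the SPI selects the Security Association, and the sequence number feeds a sliding anti-replay window so that a duplicated or stale packet is discarded rather than passed up to the receiver. Payload encryption is omitted, as in ESP with NULL encryption, so the layout stays visible; the truncated HMAC-SHA256 ICV, the sample key, the SPI value and the 64-entry window size are constructed assumptions.

```python
import hashlib
import hmac
import struct

ESP_HEADER = struct.Struct("!II")   # SPI and Sequence Number, network byte order
ICV_LEN = 16                        # truncated HMAC-SHA256 ICV (constructed choice)


def build_esp(spi, seq, payload, next_header, auth_key, block=4):
    """Lay out SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV.

    Padding aligns (payload + 2 trailer bytes) to `block`; the padding bytes
    are the monotonic sequence 1, 2, 3, ... The ICV covers everything before
    it, so SPI, sequence number, payload and trailer are all authenticated.
    """
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))
    authenticated = ESP_HEADER.pack(spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp(packet, auth_key):
    """Verify the ICV before trusting any field, then strip the trailer."""
    if len(packet) < ESP_HEADER.size + 2 + ICV_LEN:
        raise ValueError("packet too short for an ESP header, trailer and ICV")
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong SA key")
    spi, seq = ESP_HEADER.unpack_from(authenticated)
    body = authenticated[ESP_HEADER.size:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds body")
    payload = body[: len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "payload": payload, "next_header": next_header}


class ReplayWindow:
    """Sliding anti-replay window keyed on the sequence number (RFC 4303 style)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.seen = set()     # accepted numbers inside the current window

    def accept(self, seq):
        if seq == 0:
            return False                      # sequence number 0 is never valid
        if seq > self.top:                    # advance the window to the right
            self.top = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.top - self.size or seq in self.seen:
            return False                      # too old, or already accepted
        self.seen.add(seq)
        return True


def receive(packet, sa):
    """Inbound processing for one SA: integrity check, SPI lookup, replay check.

    `sa` is a dict with "spi", "auth_key" and a ReplayWindow under "window".
    Returns ("ok", payload) or ("drop", reason); dropped packets are never
    handed to the upper layer.
    """
    try:
        fields = parse_esp(packet, sa["auth_key"])
    except ValueError as exc:
        return ("drop", str(exc))
    if fields["spi"] != sa["spi"]:
        return ("drop", "no SA for SPI %d" % fields["spi"])
    if not sa["window"].accept(fields["seq"]):
        return ("drop", "replayed or stale sequence number %d" % fields["seq"])
    return ("ok", fields["payload"])


if __name__ == "__main__":
    key = b"constructed-demo-key"                      # constructed sample key
    sa = {"spi": 0x1001, "auth_key": key, "window": ReplayWindow()}
    pkt = build_esp(0x1001, 1, b"hello", next_header=6, auth_key=key)
    print(receive(pkt, sa))                           # accepted once
    print(receive(pkt, sa))                           # same packet again: dropped as replay
    tampered = pkt[:8] + bytes([pkt[8] ^ 0x01]) + pkt[9:]
    print(receive(tampered, sa))                      # ICV mismatch: dropped
```

Running the block shows the same packet accepted once and then dropped as a replay, and a one-byte modification rejected by the ICV check before the SPI or the sequence number is even looked at.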
Firewalls
A firewall is a network device that isolates an organization's internal network from the larger outside network/Internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from the internal network.
A firewall is a network security device, either hardware or software-based, which monitors all incoming and outgoing traffic and, based on a defined set of security rules, accepts, rejects or drops that specific traffic.
Accept: allow the traffic
Reject: block the traffic but reply with an "unreachable error"
Drop: block the traffic with no reply
A firewall establishes a barrier between secured internal networks and outside untrusted networks, such as the Internet.
Figure 4.14 Basic Structure of Firewall
History and Need for Firewall
Before firewalls, network security was performed by Access Control Lists (ACLs) residing on routers. ACLs are rules that determine whether network access should be granted or denied to a specific IP address.
But ACLs cannot determine the nature of the packet they are blocking. Also, an ACL alone does not have the capacity to keep threats out of the network. Hence, the firewall was introduced.
Connectivity to the Internet is no longer optional for organizations. However, while accessing the Internet provides benefits to the organization, it also enables the outside world to interact with the internal network of the organization. This creates a threat to the organization. In order to secure the internal network from unauthorized traffic, we need a firewall.
How Firewall Works
A firewall matches the network traffic against the rule set defined in its table. Once a rule is matched, the associated action is applied to the network traffic. For example, one rule may be defined so that no employee from the HR department can access data from the code server, while at the same time another rule allows the system administrator to access data from both the HR and technical departments. Rules can be defined on the firewall based on the necessity and security policies of the organization.
From the perspective of a server, network traffic can be either outgoing or incoming. The firewall maintains a distinct set of rules for both cases. Mostly, outgoing traffic, originating from the server itself, is allowed to pass. Still, setting rules on outgoing traffic is always better in order to achieve more security and prevent unwanted communication.
Incoming traffic is treated differently. Most traffic which reaches the firewall uses one of three major transport layer protocols: TCP, UDP or ICMP. All these types have a source address and a destination address. Also, TCP and UDP have port numbers. ICMP uses a type code instead of a port number, which identifies the purpose of that packet.
Default policy: It is very difficult to explicitly cover every possible rule on the firewall. For this reason, the firewall must always have a default policy. A default policy consists only of an action (accept, reject or drop).
Suppose no rule is defined about SSH connections to the server on the firewall. Then it will follow the default policy. If the default policy on the firewall is set to accept, then any computer outside your office can establish an SSH connection to the server. Therefore, setting the default policy to drop (or reject) is always a good practice.
Generation of Firewall
Firewalls can be categorized based on their generation.
• First Generation - Packet Filtering Firewall: A packet filtering firewall is used to control network access by monitoring outgoing and incoming packets and allowing them to pass or stop based on source and destination IP address, protocols and ports. It analyses traffic at the transport protocol layer (but mainly uses the first 3 layers).
Packet firewalls treat each packet in isolation. They have no ability to tell whether a packet is part of an existing stream of traffic. They can only allow or deny packets based on the individual packet headers.
A packet filtering firewall maintains a filtering table which decides whether the packet will be forwarded or discarded. From the given filtering table, the packets will be filtered according to the following rules:
Figure 4.15 Sample Packet Filter Firewall Rule
o Incoming packets from network 192.168.21.0 are blocked.
o Incoming packets destined for the internal TELNET server (port 23) are blocked.
o Incoming packets destined for host 192.168.21.3 are blocked.
o All well-known services to the network 192.168.21.0 are allowed.
• Second Generation - Stateful Inspection Firewall: Stateful firewalls (which perform stateful packet inspection) are able to determine the connection state of a packet, unlike packet filtering firewalls, which makes them more efficient. A stateful firewall keeps track of the state of network connections travelling across it, such as TCP streams. So the filtering decisions are based not only on the defined rules but also on the packet's history in the state table.
• Third Generation - Application Layer Firewall: An application layer firewall can inspect and filter packets on any OSI layer, up to the application layer. It has the ability to block specific content and also to recognize when certain applications and protocols (like HTTP, FTP) are being misused.
In other words, application layer firewalls are hosts that run proxy servers. A proxy firewall prevents a direct connection between either side of the firewall; each packet has to pass through the proxy. It can allow or block traffic based on predefined rules.
Note: Application layer firewalls can also be used as a Network Address Translator (NAT).
• Next Generation Firewalls (NGFW): Next Generation Firewalls are being deployed these days to stop modern security breaches like advanced malware attacks and application-layer attacks. An NGFW consists of Deep Packet Inspection, Application Inspection, SSL/SSH inspection and many other functionalities to protect the network from these modern threats.
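The four rules of Figure 4.15 and the default-policy behaviour described earlier, as an added worked example (not code from the page or from any firewall product): an ordered rule table is evaluated top to bottom, the first matching rule decides, and a packet that matches nothing falls to the default policy. The table encoding, the packet representation and the sample addresses (the 203.0.113.0/24 documentation range for outside hosts, 10.0.0.0/24 as a server network) are constructed for the demonstration.

```python
import ipaddress
from typing import Any, Dict, List

# Ordered rule table encoding the four bullets of Figure 4.15 (constructed encoding).
# A rule lists only the header fields it cares about; an absent field matches anything.
RULES: List[Dict[str, Any]] = [
    {"dir": "in", "src_net": "192.168.21.0/24", "action": "deny"},
    {"dir": "in", "proto": "tcp", "dport": 23, "action": "deny"},
    {"dir": "in", "dst_net": "192.168.21.3/32", "action": "deny"},
    {"dir": "in", "dst_net": "192.168.21.0/24", "dport_range": (0, 1023), "action": "allow"},
]
DEFAULT_POLICY = "drop"   # applied when no rule matches, as the text recommends


def make_packet(direction, src, dst, proto, dport=None):
    """Minimal header view of one packet. ICMP carries no port, so dport stays None."""
    return {"dir": direction, "src": src, "dst": dst, "proto": proto, "dport": dport}


def rule_matches(rule, pkt):
    """True when every field the rule specifies agrees with the packet header."""
    if "dir" in rule and rule["dir"] != pkt["dir"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        net = rule.get(side + "_net")
        if net and ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(net):
            return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "dport_range" in rule:
        lo, hi = rule["dport_range"]
        if pkt["dport"] is None or not lo <= pkt["dport"] <= hi:
            return False
    return True


def filter_packet(pkt, rules=RULES, default=DEFAULT_POLICY):
    """Stateless evaluation: walk the table top to bottom, first match wins,
    otherwise apply the default policy. Each packet is judged on its own headers,
    with no memory of earlier packets."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return default


if __name__ == "__main__":
    samples = [
        make_packet("in", "192.168.21.7", "10.0.0.5", "tcp", 80),     # rule 1: deny
        make_packet("in", "203.0.113.9", "10.0.0.5", "tcp", 23),      # rule 2: deny
        make_packet("in", "203.0.113.9", "192.168.21.3", "tcp", 80),  # rule 3 before rule 4: deny
        make_packet("in", "203.0.113.9", "192.168.21.10", "tcp", 80), # rule 4: allow
        make_packet("in", "203.0.113.9", "10.0.0.5", "tcp", 22),      # no SSH rule: default drop
        make_packet("in", "203.0.113.9", "192.168.21.10", "icmp"),    # no port: default drop
    ]
    for pkt in samples:
        print(filter_packet(pkt), pkt)
```

Reversing the table makes the "well-known services allowed" rule fire before the host-specific block for 192.168.21.3, which is why rule order is part of the policy, not just the rule set. Outbound traffic also falls to the default policy in this table; in practice an explicit outbound allow rule is added, as the text notes.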
Firewalls are generally of two types: host-based and network-based.
• Host-based Firewalls: A host-based firewall is installed on each network node and controls each incoming and outgoing packet. It is a software application or suite of applications that comes as a part of the operating system. Host-based firewalls are needed because network firewalls cannot provide protection inside a trusted network. A host firewall protects each host from attacks and unauthorized access.
• Network-based Firewalls: Network firewalls function at the network level. In other words, these firewalls filter all incoming and outgoing traffic across the network. A network firewall protects the internal network by filtering the traffic using rules defined on the firewall. A network firewall might have two or more network interface cards (NICs). A network-based firewall is usually a dedicated system with proprietary software installed.
Both types of firewall have their own advantages.
Firewalls are categorized into three basic types:
• Packet filter (Stateless & Stateful)
• Application-level gateway
• Circuit-level gateway
These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories.
Figure 4.16 Types of firewall
Stateless & Stateful Packet Filtering Firewall
In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by-packet.
Packet-filtering firewalls allow or block packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header.
The decision can be based on factors other than IP header fields, such as ICMP message type, TCP SYN and ACK bits, etc.
A packet filter rule has two parts −
• Selection criteria − used as a condition and pattern match for decision making.
• Action field − specifies the action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall.
Packet filtering is generally accomplished by configuring Access Control Lists (ACLs) on routers or switches. An ACL is a table of packet filter rules.
As traffic enters or exits an interface, the firewall applies the ACL from top to bottom to each incoming packet, finds the matching criteria and either permits or denies the individual packet.
Figure 4.17 Stateless firewall
A stateless firewall is a rather rigid tool. It looks at a packet and allows it if it meets the criteria, even if it is not part of any established ongoing communication.
Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of firewall offers a more in-depth inspection method over the ACL-only packet inspection methods of stateless firewalls.
A stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows it to keep track of connection state and determine which hosts have open, authorized connections at any given point in time.
It references the rule base only when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, and the decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to an already established connection. The firewall can time out inactive connections, after which it no longer admits packets for that connection.
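An added example of the state-table behaviour described above (not code from the page or from any firewall product): the rule base is consulted only for a connection-opening SYN, every later packet is admitted only if it matches a tracked connection in either direction, an RST tears the entry down, and idle entries are timed out so a stale flow cannot be reused. The internal network 10.0.0.0/24, the 300-second idle timeout and the policy "internal hosts may open TCP connections outward, nothing may be opened inward" are constructed assumptions; full FIN/FIN-ACK teardown tracking is left out for brevity.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False
    rst: bool = False


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport) of the initiator


class StatefulFirewall:
    """State table keyed by the initiator's 5-tuple. The rule base is consulted
    only for packets that open a new connection; everything else is judged by
    whether it belongs to a tracked connection."""

    def __init__(self, internal_net: str, idle_timeout: float = 300.0):
        self.internal = ipaddress.ip_network(internal_net)
        self.idle_timeout = idle_timeout
        self.table: Dict[FlowKey, float] = {}   # flow -> time the flow was last seen

    @staticmethod
    def _forward(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        """Drop flows idle longer than the timeout before judging the new packet."""
        stale = [k for k, t in self.table.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def _lookup(self, p: Packet) -> Optional[FlowKey]:
        """A packet belongs to a flow if it travels in either direction of it."""
        for key in (self._forward(p), self._reverse(p)):
            if key in self.table:
                return key
        return None

    def _rule_base(self, p: Packet) -> bool:
        # Constructed policy: internal hosts may open TCP connections outward;
        # nobody may open a connection toward the internal network.
        return p.proto == "tcp" and ipaddress.ip_address(p.src) in self.internal

    def process(self, p: Packet, now: float) -> str:
        self._expire(now)
        key = self._lookup(p)
        if key is not None:
            if p.rst:                     # teardown: stop tracking the flow
                del self.table[key]
            else:
                self.table[key] = now     # refresh the idle timer
            return "allow"
        if p.syn and not p.ack and self._rule_base(p):
            self.table[self._forward(p)] = now   # new connection admitted by the rule base
            return "allow"
        return "drop"                     # not part of any established connection

    def open_connections(self) -> int:
        return len(self.table)


if __name__ == "__main__":
    fw = StatefulFirewall("10.0.0.0/24")
    print(fw.process(Packet("10.0.0.5", 40000, "93.184.216.34", 443, syn=True), 0.0))        # allow, new
    print(fw.process(Packet("93.184.216.34", 443, "10.0.0.5", 40000, syn=True, ack=True), 1.0))  # allow, reply
    print(fw.process(Packet("203.0.113.9", 5555, "10.0.0.5", 22, syn=True), 2.0))          # drop, unsolicited
    print(fw.process(Packet("93.184.216.34", 443, "10.0.0.5", 40000, ack=True), 400.0))    # drop, timed out
```

A packet that merely looks like a reply (SYN-ACK or ACK set) but has no matching entry is dropped, which is the property a stateless ACL that "permits established" on flags alone cannot give.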
Application Gateways
An application-level gateway acts as a relay node for application-level traffic. It intercepts incoming and outgoing packets, runs proxies that copy and forward information across the gateway, and functions as a proxy server, preventing any direct connection between a trusted server or client and an untrusted host.
The proxies are application specific. They can filter packets at the application layer of the OSI model.
Application-specific Proxies
Figure 4.18 Application-specific Proxies
An application-specific proxy accepts only packets generated by the specific application for which it is designed to copy, forward, and filter. For example, only a Telnet proxy can copy, forward, and filter Telnet traffic.
If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services that have no proxies configured. For example, if a gateway runs FTP and Telnet proxies, only packets generated by these services can pass through the firewall. All other services are blocked.
Application-level Filtering
An application-level proxy gateway examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. These proxies can filter particular kinds of commands or information in the application protocols.
Application gateways can restrict specific actions from being performed. For example, the gateway could be configured to prevent users from performing the 'FTP put' command. This can prevent modification of the information stored on the server by an attacker.
Transparency
Although application-level gateways can be transparent, many implementations require user authentication before users can access an untrusted network, a process that reduces true transparency. Authentication may differ depending on whether the user is from the internal network or from the Internet. For an internal network, a simple list of IP addresses can be allowed to connect to external applications. But from the Internet side, strong authentication should be implemented.
An application gateway actually relays TCP segments between the two TCP connections in the two directions (Client ↔ Proxy ↔ Server).
For outbound packets, the gateway may replace the source IP address with its own IP address. This process is referred to as Network Address Translation (NAT). It ensures that internal IP addresses are not exposed to the Internet.
Circuit-Level Gateway
The circuit-level gateway is an intermediate solution between the packet filter and the application gateway. It runs at the transport layer and hence can act as a proxy for any application.
Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end TCP connection across the gateway. It sets up two TCP connections and relays the TCP segments from one network to the other. But it does not examine the application data as an application gateway does. Hence, it is sometimes called a 'Pipe Proxy'.
Hybrid Systems: In an attempt to combine the security of application layer gateways with the flexibility and speed of packet filtering, some vendors have created systems that use the principles of both.
In some of these systems, new connections must be authenticated and approved at the application layer. Once this has been done, the remainder of the connection is passed down to the session layer, where packet filters watch the connection to ensure that only packets that are part of an ongoing (already authenticated and approved) conversation are being passed.
Other possibilities include using both packet filtering and application layer proxies. The benefits here include providing a measure of protection for the machines that provide services to the Internet (such as a public web server), as well as providing the security of an application layer gateway to the internal network. Additionally, using this method, an attacker, in order to get to services on the internal network, would have to break through the access router, the bastion host, and the choke router.
Important Aspects of Effective Firewalls
Regardless of which security design logic or packet screening method is chosen, two important aspects of the firewall's implementation can determine whether or not a firewall solution will be effective:
First, the device or host system on which the firewall solution resides must be secure. If the system can be compromised, then the firewall can also be compromised. If the firewall you choose is based on a well-known network operating system, make sure the operating system is fully patched and all security updates have been applied.
Second, for a firewall to be effective, all traffic to and from your network must pass through it. If a firewall can be physically or logically bypassed, there is no guarantee that the trusted network is safe. The architecture used for the firewall solution is very important. Since firewall solutions can be configured using a single system or multiple systems, the architecture used to implement the solution can be simple or complex. When deciding on a specific architecture, keep in mind that the most effective firewall solutions are implemented so that all network traffic passes through them. This implementation characteristic is evident in the following commonly identified firewall architectures.
INTRUDERS
One of the two most publicized threats to security is the intruder (the other is viruses), often referred to as a hacker or cracker. An important early study of intrusion identified three classes of intruders:
• Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
• Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
• Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
The masquerader is likely to be an outsider; the misfeasor generally is an insider; and the clandestine user can be either an outsider or an insider.
Some examples of intrusion are:
• Performing a remote root compromise of an e-mail server
• Defacing a Web server
• Guessing and cracking passwords
• Copying a database containing credit card numbers
• Viewing sensitive data, including payroll records and medical information, without authorization
• Running a packet sniffer on a workstation to capture usernames and passwords
Intrusion Detection Systems
These have been developed to provide early warning of an intrusion so that defensive action can be taken to prevent or minimize damage.
Intrusion detection involves detecting unusual patterns of activity or patterns of activity that are known to correlate with intrusions.
Consumers commonly mistake an intrusion detection system (IDS) for a computer firewall. Although both applications have the similar goal of protecting end-users from nefarious hackers and computer malware, an IDS differs from a firewall in that it can be either a device or a software program created to monitor an individual computer, computing device, or network for either security policy violations or malicious activity. Once this type of behaviour is observed, the intrusion detection system makes a report to a centralized management component or station.
What is an Intrusion Detection System?
Intrusion detection systems are designed to analyse network traffic for potentially malicious behaviour and to report possible "intrusions" to a centralized management node. Some IDSs are designed to take action to prevent these attempts from being successful; however, stopping malicious attacks is not a required component of an IDS. Many times, an organization will install an IDS to help document existing threats to company networks, to identify existing issues with violations of security policy, or to deter end-users from consistently violating company or organization security policies. Since IDSs were first introduced, they have become a critical component of most major organizations' security infrastructures.
The concept of an intrusion detection system dates to 1984, when Fred Cohen determined that it was possible to detect network intrusions based on information available to network administrators if enough computing resources were devoted to the task. By taking a hard look at file access logs, user access logs, and system event logs, most unauthorized network intrusions could be detected.
In 1986, Dorothy E. Denning, assisted by Peter G. Neumann, published a new IDS model that continues to serve as the basis for intrusion detection systems in use today. Her model from the mid-1980s made use of statistical analysis for detecting network anomalies. The resulting implementation of this work was the Intrusion Detection Expert System (IDES), implemented at SRI International, which ran on Sun workstations. This implementation made use of both rule sets and a statistical anomaly detection system that looked at host systems, target systems, and end-users. Later, Lunt added an artificial neural network as a third component to the system, all of which made reports to a resolver application. The resulting work was deployed in the Next-Generation Intrusion Detection Expert System, or NIDES.
Types of Intrusion Detection Systems
There are three types of intrusion detection systems on the market today: network intrusion detection systems (NIDSs), host-based intrusion detection systems (HIDSs), and stack-based intrusion detection systems (SIDSs).
• Network Intrusion Detection System:
A network intrusion detection system analyses network traffic and hosts to locate potential intrusions. The NIDS connects to a network hub, network tap, or network switch that is configured to allow monitoring of network traffic. When setting up a network intrusion detection system, the monitoring points are set up at high-traffic areas on the network to examine the network data packets for potentially malicious actions.
• Host-Based Intrusion Detection System:
Host-based intrusion detection systems (HIDSs) are designed to have one network host agent that uses application logs, file-system modifications, and system call analysis to locate intrusions to the network. The sensors in a host-based intrusion detection system normally consist of software agent(s). Common examples of a HIDS are OSSEC and Tripwire.
• Stack-Based Intrusion Detection System:
Stack-based intrusion detection systems (SIDSs) were developed as a succeeding technology to HIDSs. A SIDS examines network packets as they travel through the network stack (TCP/IP). As a result, the SIDS technology does not incur the overhead of having to communicate with the network interface in promiscuous mode.
What are the Differences Between Statistical and Signature-Based Intrusion Detection Systems?
Statistics-based intrusion detection systems have been deployed for a number of years. This type of IDS records normal network activity such as the types of protocols commonly used, devices connected to the network, ports used, and overall bandwidth. When network activity is detected that is out of the ordinary, the IDS provides an alert to the network administrator or end-user regarding the event(s). A signature-based intrusion detection system compares network data packets with pre-determined network attack patterns or signatures. Unfortunately, there can be a significant delay in identifying new threat signatures to upload to the IDS. This makes signature-based IDSs vulnerable to emerging threats.
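The contrast between the two detection styles, as an added example (not code from the page or from any IDS product): signature detection matches payload bytes against known patterns, while statistical detection learns a baseline of normal services and per-host port fan-out and alerts on departures from it. The flow records, the two signatures and the fan-out slack of 2 are all constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed flow records (src, dst, proto, dport, payload); not captured traffic.
NORMAL_TRAFFIC = [
    ("10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", "10.0.0.80", "tcp", 443, b""),
    ("10.0.0.6", "10.0.0.80", "tcp", 80, b"GET /about.html HTTP/1.1"),
    ("10.0.0.6",  "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00"),
    ("10.0.0.7",  "10.0.0.53", "udp", 53, b"\xab\xcd\x01\x00"),
    ("10.0.0.7", "10.0.0.80", "tcp", 443, b""),
]

# Later traffic: the baseline plus three things a defender would want flagged.
OBSERVED_TRAFFIC = NORMAL_TRAFFIC + [
    ("198.51.100.7", "10.0.0.80", "tcp", 80, b"GET /scripts/cmd.exe HTTP/1.1"),   # known pattern
    ("198.51.100.8", "10.0.0.80", "tcp", 8443, b""),                              # service never seen
] + [("198.51.100.9", "10.0.0.80", "tcp", p, b"") for p in (21, 22, 25, 80, 110, 143, 443)]

# Signature rules: a name and a byte pattern, in the spirit of content-matching rules.
SIGNATURES = [
    ("http-cmd-exe-request", re.compile(rb"cmd\.exe")),
    ("x86-nop-sled", re.compile(rb"\x90{16,}")),
]


def signature_alerts(records):
    """Signature detection: flag any record whose payload matches a known pattern."""
    alerts = []
    for src, dst, proto, dport, payload in records:
        for name, pattern in SIGNATURES:
            if pattern.search(payload):
                alerts.append((name, src, dst))
    return alerts


def build_profile(records):
    """Statistical baseline: which (proto, dport) services are normal, and the
    largest number of distinct destination ports one source touched."""
    services = Counter((proto, dport) for _, _, proto, dport, _ in records)
    ports_per_src = defaultdict(set)
    for src, _, _, dport, _ in records:
        ports_per_src[src].add(dport)
    return {"services": services,
            "max_ports_per_src": max(len(p) for p in ports_per_src.values())}


def statistical_alerts(profile, records, slack=2):
    """Anomaly detection: a service absent from the baseline, or one source fanning
    out to more distinct ports than any baseline host did (plus some slack)."""
    alerts = []
    for src, dst, proto, dport, _ in records:
        if (proto, dport) not in profile["services"]:
            alerts.append(("unseen-service", src, dst, proto, dport))
    ports_per_src = defaultdict(set)
    for src, _, _, dport, _ in records:
        ports_per_src[src].add(dport)
    limit = profile["max_ports_per_src"] + slack
    for src, ports in sorted(ports_per_src.items()):
        if len(ports) > limit:
            alerts.append(("port-fan-out", src, len(ports)))
    return alerts


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRAFFIC)
    for alert in signature_alerts(OBSERVED_TRAFFIC):
        print("signature  ", alert)
    for alert in statistical_alerts(profile, OBSERVED_TRAFFIC):
        print("statistical", alert)
```

On the constructed traffic the cmd.exe request is caught by a signature but looks statistically ordinary (port 80, a single destination port), while the connection to port 8443 and the host sweeping seven ports raise only statistical alerts because no signature describes them; that is the gap the text attributes to signature-only systems.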
How Does an Intrusion Detection System Differ from a Firewall?
A common misconception amongst end-users is that firewalls and intrusion detection systems are the same thing. Although both technologies help preserve network and computer security, they have distinct functions. Firewalls are designed to limit access from origins outside of the network to stop attacks from occurring. They are unable to identify malicious actions that originate inside the network. Intrusion detection systems are designed to identify attacks once they have gained access to the network and can evaluate potentially malicious actions which originate from within the network. As technologies have matured, however, a hybrid system referred to as an intrusion prevention system has been developed. The IPS is designed to stop malicious network connections and is also considered to be a firewall residing in the application layer of the OSI network model.
Honeypot:
In a fully deployed IDS, some administrators may choose to install a "honeypot", essentially a system component set up as bait or decoy for intruders. Honeypots can be used as early warning systems of an attack, as decoys drawing attention away from critical systems, and as data collection sources for attack analyses. Many IDS vendors maintain honeypots for research purposes and to develop new intrusion signatures. Note that a honeypot should only be deployed when the organization has the resources to maintain it. A honeypot left unmanaged may become a significant liability because attackers may use a compromised honeypot to attack other systems.
Limitations of Intrusion Detection Systems:
Intrusion detection systems are not perfect. Depending on the design of the system, a number of false-positive results can be generated. These "false alarms" can originate from bad software, corrupt domain name server information, or local network traffic. As a result, a real network attack can be missed if the IDS is not properly configured for the defended network. Another vulnerability of IDSs that rely on signature files is updating the signature library to include the latest threats. When this is left undone, the network can be open to attack from the most current threats.
Free Intrusion Detection Systems:
There are several freely available intrusion detection / prevention systems on the marketplace today. Some of the better-known projects include Snort, File System Saint, and AIDE.
• Snort:
One of the most downloaded and installed intrusion detection and prevention systems in the world today is Snort. Originally published in 1998 by CTO Martin Roesch, the application is designed to perform real-time packet logging and traffic analysis on IP-based networks. At the time of this writing, Snort has been downloaded more than four million times since its initial release and has more than 400,000 registered users. The application is based on a rule-based language that combines several additional IDS technologies, including protocol, anomaly-based, and signature detection methods.
• File System Saint:
File System Saint (FSS) is another open-source intrusion detection system, written in the Perl programming language. The software project is designed to be lightweight, fast, and easy to use. FSS works on the basic premise of storing an image of the live file system of the network being protected and analyzing the system for any changes to the baseline report. The application also stores data about file owner, permissions, file size, mtime, and ctime and reports changes to the computer owner via an email report. To guard against tampering, FSS saves a cryptographic hash file to ensure legitimate data is being used while in operation.
• AIDE:
AIDE (Advanced Intrusion Detection Environment) is deployed as a free replacement for the commercially available Tripwire IDS. The software application is designed to check the integrity of the system's files and directories. To achieve this functionality, AIDE creates a database from the regular expression rules contained in the software's configuration files. After the database is created, it is used to validate the file integrity of the protected computer. Additional application features include support for the following message digest algorithms: sha1, rmd160, md5, crc32, sha256, sha512, tiger, and whirlpool. AIDE also supports gzip database compression if zlib support is installed on the protected computer.
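As an added example of the file-integrity approach that FSS and AIDE take (not code from either project), the following Python records a SHA-256 hash plus owner, permission, size and mtime metadata for every file under a directory, protects the stored baseline with an HMAC so that an edited database is refused rather than trusted, and reports added, removed and changed files on a later run. The key, the file names and the simulated drift in demo() are constructed.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash plus the metadata the text mentions: owner, permissions, size, mtime."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Record every regular file under root, keyed by its path relative to root."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = file_record(full)
    return db


def save_baseline(db, path, key):
    """Store the database together with an HMAC over its canonical JSON form."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(path, "w") as fh:
        json.dump({"db": db, "hmac": tag}, fh)


def load_baseline(path, key):
    """Refuse a database whose HMAC no longer matches (edited or swapped on disk)."""
    with open(path) as fh:
        blob = json.load(fh)
    body = json.dumps(blob["db"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(blob["hmac"], expected):
        raise ValueError("baseline database failed integrity check")
    return blob["db"]


def compare(baseline, current):
    """Report files that appeared, disappeared, or whose recorded attributes changed."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo():
    """Constructed end-to-end run on throwaway files; returns (report, tamper_detected)."""
    key = b"constructed-baseline-key"   # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, text in (("hosts", "127.0.0.1 localhost\n"), ("issue", "banner\n")):
            with open(os.path.join(etc, name), "w") as fh:
                fh.write(text)
        dbfile = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), dbfile, key)
        # Simulated drift: one file modified, one removed, one added.
        with open(os.path.join(etc, "hosts"), "a") as fh:
            fh.write("203.0.113.9 update-server\n")
        os.remove(os.path.join(etc, "issue"))
        with open(os.path.join(etc, "rc.local"), "w") as fh:
            fh.write("#!/bin/sh\n")
        report = compare(load_baseline(dbfile, key), build_baseline(root))
        # Tamper with the stored database and confirm the loader refuses it.
        with open(dbfile) as fh:
            blob = json.load(fh)
        blob["db"]["etc/hosts"]["sha256"] = "0" * 64
        with open(dbfile, "w") as fh:
            json.dump(blob, fh)
        try:
            load_baseline(dbfile, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The HMAC over the stored database is the same idea as the hash file FSS keeps: an attacker who alters a monitored file and then "fixes" the baseline to match has to produce a valid tag as well, which requires the key.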
IDS DEPLOYMENT (SNORT as example)
Snort is logically divided into multiple components. These components work together to detect particular attacks and to generate output in a required format from the detection system. A Snort-based IDS consists of the following major components.
Table 5.2 Components of an IDS
Name | Description
Packet Decoder | Prepares packets for processing
Pre-processors or Input Plugins | Used to normalize protocol headers, detect anomalies, packet reassembly and TCP stream re-assembly
Detection Engine | Applies rules to packets
Logging and Alerting System | Generates alert and log messages
Output Modules | Process alerts and logs and generate final output
Packet Decoder:
The packet decoder takes packets from different types of network interfaces and prepares them to be pre-processed or to be sent to the detection engine. The interfaces may be Ethernet, SLIP, PPP, and so on.
Pre-processors:
Pre-processors are components or plug-ins that can be used with Snort to arrange or modify data packets before the detection engine does some operation to find out if the packet is being used by an intruder.
The Detection Engine:
The detection engine is the most important part of Snort. Its responsibility is to detect whether any intrusion activity exists in a packet. The detection engine employs Snort rules for this purpose.
Logging and Alerting System:
Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert. Logs are kept in simple text files, tcpdump-style files or some other form.
Output Modules:
Output modules or plug-ins can do different operations depending on how you want to save the output generated by the logging and alerting system of Snort. Basically, these modules control the type of output generated by the logging and alerting system.
The figure below shows how these components are arranged. Any data packet coming from the Internet enters the packet decoder. On its way towards the output modules, it is either dropped, logged or an alert is generated.
Fig. 5.6 Components of Snort
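An added, simplified walk through the component chain of Table 5.2 on one constructed packet (not Snort's own code): the decoder parses an IPv4/TCP header out of raw bytes, a pre-processor percent-decodes the HTTP request line so that encoding cannot hide content from the rules (the kind of normalization Snort's http_inspect pre-processor performs), the detection engine applies rules, and the logging/output stage emits alert lines. The packet builder, the single rule, the rule message and the alert line format are constructed stand-ins for Snort's decoder, pre-processors, rule language and output plugins.

```python
import struct
from urllib.parse import unquote_to_bytes


def make_ipv4_tcp(src, dst, sport, dport, payload):
    """Constructed IPv4 + TCP packet bytes for the demo (checksums left zero)."""
    total = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def decode(raw):
    """Packet decoder: pull addresses, ports and payload out of the raw bytes."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"proto": raw[9],
           "src": ".".join(str(b) for b in raw[12:16]),
           "dst": ".".join(str(b) for b in raw[16:20])}
    if pkt["proto"] != 6:                       # only TCP is decoded further here
        pkt["payload"] = raw[ihl:]
        return pkt
    pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", raw, ihl)
    data_off = (raw[ihl + 12] >> 4) * 4
    pkt["payload"] = raw[ihl + data_off:]
    return pkt


def preprocess(pkt):
    """Pre-processor: percent-decode the HTTP request line so encoding cannot
    hide content from the detection rules."""
    payload = pkt["payload"]
    pkt["normalized"] = payload
    if pkt.get("dport") == 80 and payload[:4] in (b"GET ", b"POST"):
        parts = payload.split(b" ", 2)
        if len(parts) == 3:
            parts[1] = unquote_to_bytes(parts[1])
            pkt["normalized"] = b" ".join(parts)
    return pkt


# Detection rules: (message, predicate over the decoded and normalized packet).
RULES = [
    ("WEB-MISC directory traversal attempt",
     lambda p: p.get("dport") == 80 and b"../" in p["normalized"]),
]


def detect(pkt):
    """Detection engine: return the message of every rule the packet triggers."""
    return [msg for msg, predicate in RULES if predicate(pkt)]


def alert_lines(pkt, hits):
    """Logging/alerting and output stage: one formatted alert per rule hit."""
    return ["[**] %s [**] %s:%d -> %s:%d" % (msg, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            for msg in hits]


def run_pipeline(raw_packets):
    """Decoder -> pre-processor -> detection engine -> alert output, packet by packet."""
    output = []
    for raw in raw_packets:
        pkt = preprocess(decode(raw))
        output.extend(alert_lines(pkt, detect(pkt)))
    return output


if __name__ == "__main__":
    packets = [
        make_ipv4_tcp("198.51.100.7", "10.0.0.80", 40001, 80, b"GET /%2e%2e/%2e%2e/private.txt HTTP/1.1"),
        make_ipv4_tcp("198.51.100.7", "10.0.0.80", 40002, 80, b"GET /../private.txt HTTP/1.1"),
        make_ipv4_tcp("10.0.0.5", "10.0.0.80", 40003, 80, b"GET /index.html HTTP/1.1"),
    ]
    for line in run_pipeline(packets):
        print(line)
```

Feeding the decoded packet to the rule without the normalization step lets the percent-encoded request through unflagged, which is why the pre-processing stage sits between the decoder and the detection engine rather than being optional.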
Wireless Terminologies
First, let's go through a bunch of basic terms related to wireless communication. Progressively, we will get into more advanced stuff, going all along this path together.
Wireless Communication
Wireless communication refers to any type of data exchange between parties that is performed wirelessly (over the air). This definition is extremely wide, since it may correspond to many types of wireless technologies, like −
• Wi-Fi Network Communication
• Bluetooth Communication
• Satellite Communication
• Mobile Communication
All the technologies mentioned above use different communication architectures; however, they all share the same "Wireless Medium" capability.
Wi-Fi
Wireless Fidelity (Wi-Fi) refers to wireless local area networks, as we all know them. It is based on the IEEE 802.11 standard. Wi-Fi is a type of wireless network you meet almost everywhere: at your home, workplace, in hotels, restaurants and even in taxis, trains or planes. These 802.11 communication standards operate on either the 2.4 GHz or 5 GHz ISM radio bands.
Devices compatible with the Wi-Fi standard are easily available in the shops, and they carry the Wi-Fi logo visibly on the device itself. I bet you have seen it hundreds of times in various shops or other public places!
Due to the fact that 802.11-based wireless networks are so heavily used in all types of environments, they are also the biggest subject of security research among the 802.11 standards.
Wireless Clients

Wireless clients are considered to be any end devices with a wireless card or wireless adapter
installed. Now, in the 21st century, those devices can be almost anything −

• Modern Smartphones − These are among the most universally used wireless devices you see
on the market. They support multiple wireless standards in one box, for example
Bluetooth, Wi-Fi and GSM.
• Laptops − These are a type of device which we all use every single day!
• Smartwatch − An example of a Sony smartwatch is shown here. It can synchronize
with your smartphone via Bluetooth.
• Smart-home Equipment − With the current progress of technology, smart-home
equipment might be, for example, a freezer that you can control over Wi-Fi or a
temperature controller.

The list of possible client devices is growing every single day. It sounds a little scary that all of
those devices/utilities we use on a daily basis can be controlled via a wireless network so easily.
But at the same time, remember that all the communication flowing through a wireless medium
can be intercepted by anyone who is just standing at the right place at the right time.

Wireless Security - Access Point


Access Point (AP) is the central node in 802.11 wireless implementations. It is the interface
between wired and wireless network, that all the wireless clients associate to and exchange data
with.

For a home environment, most often you have a router, a switch, and an AP embedded in one
box, making it really usable for this purpose.
Wireless Controller (WLC)
In corporate wireless implementations, the number of Access Points is often counted in hundreds
or thousands of units. It would not be administratively possible to manage all the APs and their
configuration (channel assignments, optimal output power, roaming configuration, creation of
SSIDs on each and every AP, etc.) separately.

This is the situation where the concept of a wireless controller comes into play. It is the
"mastermind" behind all the wireless network operation: a centralized server with IP
connectivity to all the APs on the network, making it easy to manage all of them globally from a
single management platform, push configuration templates, monitor users on all the APs
in real time and so on.
Service Set Identifier (SSID)
The SSID identifies the WLAN itself. In order to connect to a wireless LAN, the
wireless client needs to send the exact same SSID in the association frame as the SSID name
preconfigured on the AP. So how do you find out which SSIDs are present in
your environment? That is easy, as all operating systems come with a built-in wireless client
that scans the wireless spectrum for networks to join (as shown below). I am sure you
have done this several times in your daily routine.

Cell
A cell is basically the geographical region covered by the AP's or BTS's antenna (transmitter). In
the following image, a cell is marked with a yellow line.

Most often, an AP has much more output power than the antenna built into the client device. The
fact that the client can receive frames transmitted from the AP does not mean that two-way
communication can be established. The above picture shows exactly that situation: in
both cases the client can hear the AP's frames, but only in the second case can two-way
communication be established.

The outcome of this short example is that, when designing wireless cell sizes, one has to take
into account the average output transmitting power of the antennas that clients will use.

Channel
Wireless networks may be configured to support multiple 802.11 standards. Some of them
operate on the 2.4 GHz band (for example 802.11b/g/n) and others on the 5 GHz band
(for example 802.11a/n/ac).

Depending on the band, there is a predefined set of sub-bands defined for each channel. In
environments with multiple APs placed in the same physical area, smart channel assignment
is used in order to avoid collisions (collisions of frames transmitted on exactly the same
frequency from multiple sources at the same time).
Let's have a look at the theoretical design of an 802.11b network with 3 cells adjacent to each
other, as shown in the above picture. The design on the left is composed of 3 non-overlapping
channels, which means that frames sent by the APs and their clients in a particular cell will not interfere
with communication in the other cells. On the right we have the completely opposite situation: all the
frames flying around on the same channel lead to collisions and degrade the wireless
performance significantly.
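The channel-planning point above can be checked mechanically. The following is an added example (not part of the original tutorial) that computes the centre frequencies of the 2.4 GHz channels and flags adjacent cells whose 22 MHz wide 802.11b/g channels overlap. The AP names and the three plans are constructed; the function names are the example's own.

```python
# Added example (not from the original tutorial): check a 2.4 GHz channel plan
# for overlapping cells. Channel 1 is centred on 2412 MHz, channels are 5 MHz
# apart, channel 14 (Japan only) sits at 2484 MHz, and an 802.11b/g channel
# occupies a nominal 22 MHz of spectrum.

CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22  # nominal occupied bandwidth of one 802.11b/g channel


def center_frequency(channel):
    """Centre frequency in MHz of a 2.4 GHz 802.11 channel (1-14)."""
    if channel == 14:
        return 2484  # off the regular 5 MHz grid
    if not 1 <= channel <= 13:
        raise ValueError(f"invalid 2.4 GHz channel: {channel}")
    return 2412 + (channel - 1) * CHANNEL_SPACING_MHZ


def channels_overlap(a, b):
    """True if two 22 MHz wide channels share spectrum (centres closer than 22 MHz)."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(plan):
    """plan: dict mapping a cell/AP name to its channel.
    Returns the sorted list of (ap1, ap2) pairs whose channels overlap.
    For adjacent cells this list should be empty; every pair in it will
    compete for airtime and collide, as the text describes."""
    names = sorted(plan)
    pairs = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if channels_overlap(plan[x], plan[y]):
                pairs.append((x, y))
    return pairs


# Constructed plans for the three adjacent cells of the text
GOOD_PLAN = {"AP-A": 1, "AP-B": 6, "AP-C": 11}    # the classic 1/6/11 design
BAD_PLAN = {"AP-A": 1, "AP-B": 1, "AP-C": 1}      # everyone on the same channel
SUBTLE_PLAN = {"AP-A": 1, "AP-B": 3, "AP-C": 6}   # looks spread out, still collides

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN), ("subtle", SUBTLE_PLAN)):
        print(label, plan, "->", overlapping_pairs(plan) or "no overlap")
```

The third plan is the one worth noticing: channels 1, 3 and 6 are distinct numbers, but 1/3 and 3/6 still overlap, so only channel sets at least five numbers apart (1, 6, 11) give three non-overlapping cells in this band.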

Antennas
Antennas are used to "translate" information flowing as an electrical signal inside a cable into
an electromagnetic field, which is used to transmit the frame over the wireless medium.
Every wireless device (either an AP or any type of wireless client device) has an antenna that is
connected to a transmitter and receiver module. It can be external and visible to everyone around,
or built in, as in most laptops or smartphones nowadays.

For wireless security testing or penetration tests of wireless networks, an external antenna is
one of the most important tools. You should get one if you want to go into this field!
One of the biggest advantages of external wireless adapters with their own antennas (compared to most of the
internal adapters built into the equipment) is that they can be put into a so-called "monitor
mode"; this is definitely something you need! It allows you to sniff the wireless traffic from your
PC using Wireshark or other well-known tools like Kismet.

Wireless Security - Network


Wireless network may be classified into different categories based on the range of operation they
offer. The most common classification scheme divides the wireless networks into four categories
listed in the table below, together with short examples.

| Category | Coverage | Examples | Applications |
|---|---|---|---|
| Wireless Personal Area Network (WPAN) | Very short: max 10 meters, but usually much smaller | Bluetooth, 802.15, IrDA communication | Data exchange between smartphones; headsets; smart watches |
| Wireless Local Area Network (WLAN) | Moderate: inside apartments or work places | 802.11 Wi-Fi | Wireless extension of the local network used in enterprises, markets, airports, homes |
| Wireless Metropolitan Area Network (WMAN) | All around the city | WiMAX, IEEE 802.16 or proprietary technologies | Between homes and businesses |
| Wireless Wide Area Network (WWAN) | Throughout the world | 3G, LTE | Wireless access to the internet from |

This tutorial is mainly going to cover WLAN technology, however we will also cover the various
aspects of Bluetooth communication (WPAN).

Wi-Fi Networks
The choice of devices used in wireless deployments is influenced by the type of deployment
whether this is going to be a network for a small house, shop, a big enterprise network or the
one for hotels.

| Scale | Example | Type of devices used |
|---|---|---|
| Small deployments | Home, small shops | Most often a home router/switch (integrated with a wireless AP) |
| Big deployments | Hotels, enterprises, universities | Huge number of APs; centralized wireless controller; RFID-based services; other types of wireless location tracking services |

Wireless Security - Standards


Since the beginning of IEEE 802.11 standard, the wireless networks were evolving at a
significant pace. People saw the potential in this type of data transmission, therefore 802.11
successors were showing up, few years after each other. The following table summarizes the
current 802.11 standards that are used in our times −

| Standard | Frequency | Max speed |
|---|---|---|
| 802.11 | 2.4 GHz | 2 Mbps |
| 802.11a | 5 GHz | 54 Mbps |
| 802.11b | 2.4 GHz | 11 Mbps |
| 802.11g | 2.4 GHz | 54 Mbps |
| 802.11n | 2.4 or 5 GHz | 600 Mbps |
| 802.11ac | 5 GHz | 1 Gbps |

As you can see, Wi-Fi networks are becoming faster and faster. The following are a couple of limiting
factors why we don't see such high speeds when we download data over Wi-Fi −

• There is a difference between the nominal speed and the actual throughput. Since wireless
communication is half-duplex (a single antenna can either transmit or receive at one time),
the actual throughput is around 50% of the nominal speed. This holds only
when there is one transmitter and one receiver, without any other clients involved and
without interference (which leads to collisions and retransmissions).
• The most cutting-edge standards (802.11ac) are not that widely supported on end
devices. Most laptops or smartphones on the market provide support for
802.11a/b/g/n, but not yet for the 802.11ac standard. In addition, some devices are
equipped only with an antenna that supports the 2.4 GHz frequency band, but not 5 GHz (which
leads to a lack of 802.11ac support by default).
Wireless Security - Encryption
In general, encryption is the process of transforming data into some kind of ciphertext that
would be unintelligible to any 3rd party intercepting the information. Nowadays,
we use encryption every single day without even noticing: every time you access your web bank
or mailbox, most often when you log in to any type of web page, or when you create a VPN tunnel back to
your corporate network.

Some information is too valuable not to be protected. And to protect the information efficiently,
it must be encrypted in a way that would not allow an attacker to decrypt it. To be honest with
you guys, there is no fully secure encryption scheme. All the algorithms that we use every day
may be broken, but what is the likelihood of this happening with current technology and time?
For example, it might take around eight years to break encryption "X" using new super-fast
computers. Is that risk big enough to stop using algorithm "X" for encryption? I doubt it; the
information to be protected might be outdated at that point in time.

Types of Wireless Encryption


To start speaking about wireless encryption, it is worth saying that there are 2 types of
encryption algorithms: stream ciphers and block ciphers.

• Stream Cipher − It converts plaintext into ciphertext in a bit-by-bit fashion.
• Block Cipher − It operates on fixed-size blocks of data.

The most common encryption algorithms are collected in the following table −

| Encryption Algorithm | Type of encryption algorithm | Size of data block |
|---|---|---|
| RC4 | Stream cipher | --- |
| RC5 | Block cipher | 32/64/128 bits |
| DES | Block cipher | 56 bits |
| 3DES | Block cipher | 56 bits |
| AES | Block cipher | 128 bits |

The ones that you will most likely meet (in some form) on the wireless networks are RC4 and
AES.

WEP vs WPA vs WPA2


There are three widely known security standards in the world of wireless networking. The biggest
difference between those three is the security model they can provide.

| Security Standard | Encryption algorithm | Authentication methods | Possibility of breaking the encryption |
|---|---|---|---|
| WEP | WEP (based on RC4) | Pre-Shared Key (PSK) | Initialization Vector (IV) collision attack; weak key attack; reinjection attack; bit flipping attack |
| WPA | TKIP (based on RC4) | Pre-Shared Key (PSK) or 802.1x | Cracking the password during the initial 4-way handshake (assuming a relatively short password, <10 characters) |
| WPA2 | CCMP (based on AES) | Pre-Shared Key (PSK) or 802.1x | Cracking the password during the initial 4-way handshake (assuming a relatively short password, <10 characters) |

WEP was the first wireless "secure" model that was supposed to add authentication and
encryption. It is based on the RC4 algorithm and a 24-bit Initialization Vector (IV). This is the biggest
drawback of the implementation and leads to WEP being crackable within a few minutes, using
tools that anyone can have installed on their PC.

In order to enhance security, WPA2 was invented with a strong encryption model (AES) and a
very strong authentication model based on 802.1x (or PSK). WPA was introduced just as a staging
mechanism for a smooth transition to WPA2. A lot of wireless cards did not support the new AES
(at that time), but all of them supported RC4 + TKIP. Therefore WPA was also based on that
mechanism, just with a few advancements.

Weak Initialization Vectors (IV)


The Initialization Vector (IV) is one of the inputs to the WEP encryption algorithm. The whole
mechanism is presented in the following diagram −

As one can notice, there are two inputs to the algorithm: one is the 24-bit IV (which is
also sent along with the final ciphertext in clear text) and the other is the WEP key. When trying to
crack this security model (WEP), one has to collect a large number of wireless data frames (enough
frames until a frame with a duplicate IV value is found).

Assume that for WEP the IV has 24 bits. This means that it could take anywhere from two
frames (if you are lucky enough) to 2^24 + 1 frames (you collect every single possible IV value, and then
the very next frame must be a duplicate). From experience, I can say that on a rather
crowded wireless LAN (around 3 clients sending traffic all the time), it is a matter of 5-10
minutes to get enough frames to crack the encryption and derive the PSK value.

This vulnerability is only present in WEP. The WPA security model uses TKIP, which solved the weak IV problem by
increasing its size from 24 bits to 48 bits and making other security enhancements to the
scheme. Those modifications made the WPA algorithm much more secure and resistant to this type
of cracking.
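To put numbers on the IV weakness discussed above, here is an added example (not from the original tutorial) that applies the birthday bound: when IVs are chosen at random, a duplicate is expected long before all 2^24 values have been used, and the same calculation shows what TKIP's 48-bit IV buys. The function names are the example's own.

```python
# Added example (not from the original tutorial): how many frames until an IV
# repeats? The text gives the range "2 to 2^24 + 1"; the upper end assumes a
# strictly sequential counter. With randomly chosen IVs the birthday bound
# applies and a repeat becomes likely after roughly sqrt(2 * N * ln 2) frames,
# where N is the number of possible IV values.

import math


def collision_probability(n_frames, bits):
    """P(at least one repeated IV) after n_frames with a `bits`-bit random IV.
    Uses the standard approximation 1 - exp(-n(n-1) / (2N)), which is accurate
    to well under 1% for the frame counts that matter here."""
    space = 2 ** bits
    if n_frames <= 1:
        return 0.0
    if n_frames > space:
        return 1.0  # pigeonhole: more frames than IV values, a repeat is certain
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2 * space))


def frames_for_probability(p, bits):
    """Smallest frame count at which P(collision) reaches p (inverse of the above)."""
    space = 2 ** bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def iv_report():
    """Side-by-side view of the 24-bit WEP IV and the 48-bit TKIP IV."""
    return {
        "frames for 50% IV repeat, WEP (24-bit)": frames_for_probability(0.5, 24),
        "frames for 50% IV repeat, TKIP (48-bit)": frames_for_probability(0.5, 48),
        "P(repeat) after 10000 WEP frames": round(collision_probability(10_000, 24), 3),
        "P(repeat) after 10000 TKIP frames": collision_probability(10_000, 48),
    }


if __name__ == "__main__":
    for label, value in iv_report().items():
        print(f"{label}: {value}")
```

On a WLAN pushing a few hundred frames per second, the 50% mark for a 24-bit IV is reached in seconds, which is consistent with the 5-10 minutes quoted above for collecting enough duplicates; the 48-bit IV pushes the same mark to tens of millions of frames.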

Wireless Security - Break an Encryption


In this chapter, we will see how to break WEP and WPA encryptions. Let’s start with WEP
encryption.

How to Break WEP Encryption?


There are many possible tools that one can use to crack WEP, but all of the approaches follow
the same idea and order of steps.

Assuming that you have found your target network, you do as follows −

• Collect (sniff) WEP encrypted packets flying over the air. This step may be performed
using a Linux tool called "airodump-ng".
• When enough packets are collected (you have collected a set of frames with duplicate IV
values), you try to crack the network using a tool called "aircrack-ng".

On a highly congested network, the above mentioned two steps can take around 5-10 minutes or
even less. It is that easy! The detailed step by step guide for hacking WEP will be shown under
the topic of "Pen Testing WEP Encrypted WLAN".

How to Break WPA Encryption?


The way to break WPA encryption follows a slightly different approach. Wireless frames using
WPA use TKIP encryption, which still uses the concept of an IV and the RC4 algorithm; however, it is
modified in order to be more secure. TKIP modifies WEP in the following points −

• It uses temporal, dynamically created keys instead of the static ones used by WEP.
• It uses sequencing to defend against replay and injection attacks.
• It uses an advanced key mixing algorithm in order to defeat the IV collision and weak-key
attacks of WEP.
• It introduces Enhanced Data Integrity (EDI) to defeat the bit-flipping attack possible in WEP.

Taking all of these points into account, the WPA standard is computationally infeasible to
crack (this does not say it is impossible, but it may take a very long time, even assuming
you have advanced resources for breaking the algorithm). Authentication used in the WPA standard
has also advanced with respect to the one used in WEP. WPA uses 802.1x (EAP-based authentication)
for authentication of the clients. In fact, this is the only weak point where you may try your
chances at breaking WPA (and WPA2, in fact).

The WPA and WPA2 standards support two types of authentication: Pre-Shared Key (PSK) and true
802.1x based on an external authentication server. When using 802.1x authentication it is simply
not possible to break the password; it is only doable where local PSK mode is used. Just as a side note:
all enterprise wireless deployments use true 802.1x authentication based on an
external RADIUS server; therefore, your only possible target might be very small businesses or
home networks.

One more remark is that the PSK used for protecting WPA/WPA2 must be reasonably short
(max 10 characters, as opposed to the 64 characters allowed as maximum length) if you have the
intention to break it. The reason for that requirement is that the PSK is only transmitted once (not
in clear text) between the wireless client and the AP during the initial 4-way handshake, and the only
way to derive the original key from those packets is by brute-forcing or using a good dictionary.

There is a pretty nice online calculator that can estimate the time it would take to brute-force the
PSK: http://lastbit.com/pswcalc.asp. Assuming that you have 1 PC that can try 1000 passwords
per second (composed of lower-case, upper-case, digits and common punctuation), it would take
28910 years to break the password (as a maximum, of course; if you are lucky it might take a few
hours).

The general process of breaking WPA/WPA2 encryption (only when they use PSK) is as follows −

• Collect (sniff) wireless packets flying over the air. This step may be performed using the
Linux tool called "airodump-ng".
• While packets are being collected, you should de-authenticate the current clients. By
doing that, you create the situation where the client needs to authenticate
again in order to use the Wi-Fi network. This is exactly what you wanted! By doing this, you
prepare a good environment to sniff a wireless user authenticating to the network. You
can use the Linux based tool "aireplay-ng" to de-authenticate the current wireless clients.
• Once you have a 4-way handshake sniffed (and saved in the dump file), you can once again
use "aircrack-ng" to crack the PSK. In this step, you have to reference a dictionary file
containing all the candidate passwords that the aircrack-ng tool will try. That is
why a good dictionary file is the most important element here.

Detailed step-by-step hacking of WPA/WPA2 networks will be shown under the topic "Pen
Testing WPA/WPA2 Encrypted WLAN".
How to Defend Against WPA Cracking?
I have a feeling that, after going through the last sections of this tutorial, you will already have
some idea of what should be done in order to make WPA cracking not possible (or rather:
impossible within a reasonable period of time). The following are some best-practice pointers
for securing your home/small business wireless network −

• If there is a chance for that, use WPA2 instead of WPA. It has a direct impact on the
encryption scheme used by the suite. AES (used by WPA2) is much safer than TKIP
(used by WPA).
• As you saw earlier, the only way to break WPA/WPA2 is by sniffing the authentication 4-
way handshake and brute-forcing the PSK. To make it computationally impossible, use a
password of at least 10 characters composed of a random combination (not any plain word
that you can meet in any dictionary) of lower case, upper case, special characters and
digits.
• Disable Wi-Fi Protected Setup (WPS). WPS is one of the "cool features" invented to make
connecting new wireless clients to the network much easier, just by entering a
special 8-digit PIN of the AP. An 8-digit PIN is very short work for a brute-force
attack, and this PIN may also be found on the back of the AP box itself. Give yourself
a try and have a look at your home router: do you see a WPS PIN on the back? Do you
have the WPS feature enabled on your home router?
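A way to apply the passphrase advice above, as an added example (not code from the original tutorial): a small policy check that estimates worst-case exhaustive-search time at the 1000 guesses per second assumed earlier in the text and rejects passphrases that are short, lack character classes, or are dictionary words. The punctuation set, the word list and the 100-year threshold are assumptions of the example.

```python
# Added example (not from the original tutorial): PSK policy check for the
# "at least 10 random characters from all four classes" advice above.

import string

COMMON_PUNCTUATION = "!@#$%^&*()-_=+[]{};:,.?/"   # assumed "common punctuation" set
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": COMMON_PUNCTUATION,
}
# Constructed stand-in for a real wordlist
DICTIONARY = {"password", "summer", "welcome", "wireless", "airport", "letmein"}
SECONDS_PER_YEAR = 365 * 24 * 3600


def character_classes(passphrase):
    """Names of the character classes actually present in the passphrase."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in passphrase)}


def charset_size(passphrase):
    """Size of the smallest alphabet (built from the classes present) an attacker must search."""
    return sum(len(CLASSES[name]) for name in character_classes(passphrase))


def worst_case_years(passphrase, guesses_per_second=1000):
    """Years needed to exhaust the whole keyspace at the given guess rate."""
    keyspace = charset_size(passphrase) ** len(passphrase)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def dictionary_based(passphrase):
    """True for a dictionary word, optionally capitalised and/or followed by digits,
    i.e. the first mangling rules a wordlist attack tries."""
    return passphrase.lower().rstrip(string.digits) in DICTIONARY


def check_psk(passphrase, min_length=10, min_years=100, guesses_per_second=1000):
    """Return (ok, reasons); ok is False if any policy point from the text fails."""
    reasons = []
    if len(passphrase) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    missing = set(CLASSES) - character_classes(passphrase)
    if missing:
        reasons.append("missing character classes: " + ", ".join(sorted(missing)))
    if dictionary_based(passphrase):
        reasons.append("based on a dictionary word")
    years = worst_case_years(passphrase, guesses_per_second)
    if years < min_years:
        reasons.append(f"exhaustive search takes only {years:.1f} years at {guesses_per_second}/s")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("summer2023", "Tq7!mZ2#vK9r", "abcdefgh"):
        print(candidate, check_psk(candidate))
```

The keyspace estimate is the weakest part of any such checker: a passphrase that is a mangled dictionary word has a far smaller effective keyspace than the character-class arithmetic suggests, which is why the dictionary check runs regardless of the computed years.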

Wireless Security - Access Control Attacks


It is not a secret that wireless networks are much more vulnerable than their wired equivalents.
In addition to the vulnerabilities of the protocols themselves, it is the "wireless" shared medium that opens those
kinds of networks to a completely new set of attack surfaces. In the consecutive sub-chapters, I will
try to introduce many of the aspects (or rather threats) of wireless communications, that may be

Wireless Security - Integrity Attacks


Integrity of the information is a characteristic that ensures that data was not tampered with when
going from point A to point B over the network (either wireless or wired). When speaking about wireless communication,
802.11 radios can be overheard by any 3rd party on the same frequency channel. A simple type
of attack against the integrity of the information is illustrated in the following diagram −

Let's imagine that a legitimate wireless client called the victim (Step 1) is writing an e-mail to a
friend (the e-mail will go to the internet), asking for the return of 1000$ and putting the bank
account number in the e-mail.

Assuming the information is not well encrypted (or the attacker broke the encryption and has the
chance of reading everything in clear text), the wireless attacker (Step 2) reads the whole packet
flowing in the air to the AP. The attacker modifies the message by swapping the bank account
number for its own and re-injects the message back into the air, to go to the internet via the AP.

In that situation, if there are no integrity checks that would detect a change in the content of the
message, the recipient would get a message with a modified bank account number. Although
the situation described would be extremely hard to implement in real life, since all the tools like
mail exchange are secured against those types of attacks (via proper encryption and message
integrity checks), it perfectly shows the concept of the attack.

There are 2 main counter-measures against this type of integrity attack − encryption (so that
the attacker would not be able to read the message at all) and Message Integrity Codes (MICs), which are
basically hashing functions like MD5 or SHA1 that take a footprint of the whole message and
create a hash of 128 bits (MD5) or 160 bits (SHA1). Any time there is a change in the packet
content, the hash value would also change, resulting in the message being rejected (already by the
wireless router).
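The bank-transfer scenario above, carried through with a Message Integrity Code, as an added example (not code from the original tutorial). It uses a keyed MIC (HMAC-SHA1 from Python's standard library) rather than the bare MD5/SHA1 the text mentions, because an attacker who can rewrite the message in flight could also recompute an unkeyed hash over the new text; with a key the attacker does not hold, the recomputation is not possible. The session key, the e-mail text and the account numbers are constructed.

```python
# Added example (not from the original tutorial): a keyed MIC catching the
# in-flight account-number swap described in the text.

import hashlib
import hmac

MIC_LEN = 20  # HMAC-SHA1 output size in bytes

# Constructed session key shared by the two endpoints; it never goes on the air.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def protect(message: bytes, key: bytes = SESSION_KEY) -> bytes:
    """Append a 20-byte HMAC-SHA1 MIC to the message."""
    return message + hmac.new(key, message, hashlib.sha1).digest()


def verify(frame: bytes, key: bytes = SESSION_KEY):
    """Return (accepted, message). The constant-time compare avoids leaking
    how many MIC bytes matched to a guessing attacker."""
    if len(frame) < MIC_LEN:
        return False, b""
    message, mic = frame[:-MIC_LEN], frame[-MIC_LEN:]
    expected = hmac.new(key, message, hashlib.sha1).digest()
    return hmac.compare_digest(mic, expected), message


def tamper_in_flight(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Step 2 of the scenario: rewrite the account number without the key.
    The MIC bytes at the end of the frame are left as they were."""
    return frame.replace(old, new, 1)


# Constructed e-mail body and account numbers (same length so the MIC stays in place)
VICTIM_ACCOUNT = b"DE89 3704 0044 0532 0130 00"
ATTACKER_ACCOUNT = b"DE89 3704 0044 9999 9999 99"
ORIGINAL = b"Please return the 1000$ to account " + VICTIM_ACCOUNT


def demo():
    """Returns (original accepted?, tampered accepted?) for the scenario."""
    frame = protect(ORIGINAL)
    tampered = tamper_in_flight(frame, VICTIM_ACCOUNT, ATTACKER_ACCOUNT)
    return verify(frame)[0], verify(tampered)[0]


if __name__ == "__main__":
    print("original accepted, tampered accepted:", demo())
```

A bare hash would give (True, True) in this demo as soon as the attacker also replaced the trailing digest, which is exactly why 802.11 integrity codes (TKIP's Michael, CCMP's CBC-MAC) are keyed.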

Wireless Security - Confidentiality Attacks


The role of attacks targeting the confidentiality of the information is simply to break the
encryption model used in the wireless deployment. Looking at the variety of security models in the
field, the following general recommendations may be made −

• No Encryption / WEP Encryption − These are not very secure approaches and should not be
used under any circumstances.
• TKIP Encryption − This encryption model is used in WPA deployments. It has not yet been
cracked, but TKIP is not considered a strong means of encryption, due to the use of
the weaker RC4 algorithm.
• CCMP Encryption − This is used with WPA2. So far, it is considered the safest encryption
model, based on the (at least for today) unbreakable AES algorithm.

The main goal of all kinds of attacks is to break the encryption and get the value of the key. This
would give the attacker 2 things: broken confidentiality of other users and direct access to the
wireless network.

Wireless Security - DoS Attack


The attacks which are directed at disabling a service (making the target unavailable) or
degrading its performance (lowering the availability) fall under the umbrella of Denial of Service
(DoS) attacks. The cost of such an attack may be very high for a victim or for companies
whose business is based on e-commerce. They can count the costs of the attack in millions of
dollars, depending on how long their web service is not available.

Wireless networks also play a crucial part in the productivity of employees. We all use
wireless laptops and smartphones in the workplace. Without a working wireless network, our
productivity is decreased.

DoS attacks on availability may be divided into 3 types −

• Layer 1 DoS
• Layer 2 DoS
• Layer 3 DoS

We will discuss each of these attacks in detail in the following chapters.

Wireless Security - Layer 1 DoS


This is a consequence of radio frequency interference (either intentional or unintentional). Most
often, unintentional interference is seen on the 2.4 GHz band, since it's very busy. Devices
such as RF video cameras, cordless phones or microwave ovens may use this band. As for
intentional interference, there are RF jammers that may interfere with 802.11 WLANs. The RF
jammer may be a hardware unit or a software tool (for example the "Websploit" framework shown
below).
The most common Wi-Fi attack that uses Layer 1 DoS is the Queensland Attack.

Wireless Security - Layer 2 DoS


These attacks are the ones most likely to be launched by malicious attackers. The main idea
behind this attack is to tamper with 802.11 wireless frames and inject (or retransmit) them into
the air.

The most common types of Layer 2 DoS attacks involve spoofing of disassociation or de-
authentication management frames. The reason why it is so efficient is that those frames are
NOT request frames but notifications!
Because the authentication process is a prerequisite for association (as illustrated above), a de-
authentication frame will automatically disassociate the client as well.

This kind of attack may (once again) be started using the aireplay-ng tool. Can you see how powerful
this tool is?

Targeting once again my home network with the ESSID "home_e1000", I first check the connected
clients with airodump-ng.
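From the defender's side, the spoofed deauthentication/disassociation frames described above stand out in a monitor-mode capture because legitimate ones are rare. The following is an added example (not from the original tutorial) of a minimal wireless-IDS rule that raises an alert when the number of such frames seen for one BSSID inside a sliding window crosses a threshold. The frame records, the BSSIDs and the threshold are constructed.

```python
# Added example (not from the original tutorial): detect a deauth/disassoc
# flood from management-frame records as a monitor-mode capture tool reports
# them. Record layout (assumed): (time_s, subtype, src, dst, bssid).

from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 0x0C, 0x0A, 0x08   # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """frames: iterable of (time_s, subtype, src, dst, bssid) in time order.
    Returns a list of (time_s, bssid, count) alerts, one per BSSID per flood.
    Normal operation produces a handful of these frames per minute when clients
    leave or roam; a spoofing tool emits tens per second, usually to broadcast."""
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc
    alerted = set()
    alerts = []
    for t, subtype, src, dst, bssid in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()              # slide the window forward
        if len(q) >= threshold:
            if bssid not in alerted:  # alert once, not on every further frame
                alerted.add(bssid)
                alerts.append((t, bssid, len(q)))
        else:
            alerted.discard(bssid)    # flood subsided, re-arm for the next one
    return alerts


def constructed_capture():
    """Constructed timeline: normal beacons, two polite disconnects, then a flood."""
    ap = "00:11:22:33:44:55"
    frames = [(i * 0.1, BEACON, ap, BROADCAST, ap) for i in range(50)]
    frames.append((1.2, DEAUTH, "ca:fe:00:00:00:01", ap, ap))    # client leaving
    frames.append((3.7, DISASSOC, "ca:fe:00:00:00:02", ap, ap))  # client roaming
    # 40 spoofed broadcast deauths "from" the AP within half a second
    frames.extend((5.0 + i * 0.0125, DEAUTH, ap, BROADCAST, ap) for i in range(40))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for t, bssid, n in detect_deauth_flood(constructed_capture()):
        print(f"t={t:.3f}s bssid={bssid}: {n} deauth/disassoc frames in 1 s window")
```

Detection only tells you the flood is happening; the protocol fix is 802.11w Protected Management Frames, which authenticates deauthentication and disassociation frames so a station ignores spoofed ones.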

Wireless Security - Layer 3 DoS


The idea of a Layer 3 DoS is to overwhelm the host with a large volume of traffic to process,
resulting in the host crashing. Most often, this type of attack originates from a set of hacker-
owned hosts, called a botnet, and targets the victim server on the internet.

The three most common types of Layer 3 DoS attacks are −

Fraggle Attack
The attacker sends a large amount of UDP echo requests to an IP broadcast address. The source IP
address is spoofed and set to the victim's IP address. By doing that, all the replies originated
by the clients on the broadcast subnet are sent back to the victim.
Ping Flood Attack
The attacker sends a large number of ICMP packets to the target computer using ping. Imagine a
malicious party that owns a botnet of thousands of PCs. If we imagine a ping flood attack running
at the same time from all of those PCs, then it may become pretty serious.

Smurf Attack
Exactly the same step-by-step operation as in the case of the Fraggle Attack. The only difference is that
the Smurf attack uses ICMP echo request packets, as opposed to the Fraggle attack, which uses UDP packets.

These types of Layer 3 DoS attacks are not specifically wireless technology attacks. They can be
used over any Layer 2 technology, either Ethernet, Frame Relay, ATM or wireless. The main
requirement for this attack to be successful is that the attacker is in control of a large number of
overtaken PCs (botnet). Then particular packets are sent to the target from each and every
single infected host in the botnet; assuming that the botnet has 1000+ devices, the cumulative
traffic may be significant. Using a Layer 3 DoS from a single PC is not effective at all.
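Smurf and Fraggle both rely on two things a network operator controls: a router forwarding traffic to a subnet's directed-broadcast address, and bots being able to send packets with the victim's spoofed source address. This added example (not from the original tutorial) shows the two edge filters that break the amplification: dropping echo traffic aimed at a directed-broadcast address and refusing to forward outbound packets whose source is not a local address (BCP 38 ingress filtering). The local networks and the packet dicts are constructed.

```python
# Added example (not from the original tutorial): edge-router filters against
# Smurf/Fraggle amplification. Packets are plain dicts constructed for the demo.

import ipaddress

ICMP_ECHO_REQUEST = 8      # ICMP type abused by Smurf
ECHO_UDP_PORT = 7          # UDP echo service abused by Fraggle

# Constructed local networks of the site behind the router
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]


def is_directed_broadcast(dst, networks=LOCAL_NETWORKS):
    """True if dst is the broadcast address of one of our subnets."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in networks)


def amplification_verdict(pkt, networks=LOCAL_NETWORKS):
    """Inbound check. pkt: dict with 'proto' ('icmp'|'udp'|'tcp'), 'src', 'dst'
    and either 'type' (ICMP) or 'dport' (UDP). Returns (drop, reason)."""
    if not is_directed_broadcast(pkt["dst"], networks):
        return False, "unicast destination, forward"
    if pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST:
        return True, "ICMP echo request to directed broadcast (Smurf pattern)"
    if pkt["proto"] == "udp" and pkt.get("dport") == ECHO_UDP_PORT:
        return True, "UDP echo to directed broadcast (Fraggle pattern)"
    return True, "other traffic to directed broadcast"   # 'no ip directed-broadcast'


def spoofed_source(pkt, networks=LOCAL_NETWORKS):
    """Outbound (BCP 38) check: a packet leaving our site with a source address
    we do not own is spoofed, so our hosts cannot be used as Smurf/Fraggle bots
    against an outside victim."""
    src = ipaddress.ip_address(pkt["src"])
    return not any(src in net for net in networks)


def filter_inbound(packets, networks=LOCAL_NETWORKS):
    return [p for p in packets if not amplification_verdict(p, networks)[0]]


def filter_outbound(packets, networks=LOCAL_NETWORKS):
    return [p for p in packets if not spoofed_source(p, networks)]


# Constructed traffic samples
INBOUND = [
    {"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "192.0.2.255"},      # Smurf trigger
    {"proto": "udp", "dport": 7, "src": "203.0.113.9", "dst": "198.51.100.127"},   # Fraggle trigger
    {"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "192.0.2.10"},       # ordinary ping
]
OUTBOUND = [
    {"proto": "icmp", "type": 8, "src": "192.0.2.10", "dst": "203.0.113.9"},       # legitimate
    {"proto": "icmp", "type": 8, "src": "203.0.113.9", "dst": "198.51.100.200"},   # bot spoofing a victim
]

if __name__ == "__main__":
    for p in INBOUND:
        print(p["dst"], "->", amplification_verdict(p))
    print("outbound forwarded:", filter_outbound(OUTBOUND))
```

Note that the /25 network's broadcast address is .127, not .255: computing it from the prefix rather than assuming the last octet is what makes the check correct for subnets that are not whole /24s.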

Wireless Security - Authentication Attacks


As you probably know by now, authentication is the method of verifying the presented identity
and credentials. Most of the authentication schemes used in wireless setups are secured with
proper encryption.

We have already described the scenario based on the EAP authentication used in WPA/WPA2 with
PSK authentication. By sniffing the 4-way handshake between the client and the authenticator
(AP), one may perform a brute-force attack (for example an offline dictionary attack) to break the
encryption and derive the PSK value.

Another example is LEAP (Lightweight Extensible Authentication Protocol). It was used in
olden times as a mechanism to generate dynamic WEP keys. In this setup, the password hashes
were flowing over the air hashed with the MS-CHAP or MS-CHAPv2 algorithms (both of them are
crackable with an offline dictionary attack). A short description of the authentication attack that
may be applied to LEAP would consist of the following steps −

• The username is sent in clear text.
• There is a challenge text in clear text.
• The response text is hashed.
• An offline dictionary attack can be used here (using the aircrack-ng tool) to try all the
candidate passwords in the "function(password, challenge) = response" mathematical
formula, to find the right password.

Examples of such attacks will be illustrated step-by-step in the coming chapters.

Rogue Access Point Attacks


When we think about corporate networks, the corporate WLAN is an authorized and secured
wireless portal to the network resources. A rogue access device (AP) is any WLAN radio that is
connected to the corporate network (most often to some network switch) without
authorization.
Most of the rogue access points that are installed by employees (malicious users or by mistake)
are actually not the same APs that the IT department in the organization is using, but some
small-office/home-office (SOHO) wireless routers, the same ones that you probably have at
home. When they are misconfigured or configured without any security, they open
another attack surface for gaining easy access to an otherwise very secure network.

With the current evolution of the IT industry, a rogue access point might be very well hidden and
extremely hard to find. Would you be able to easily spot a Raspberry Pi connected to your
network switch if it were placed at the back of the rack, hidden in between hundreds of
network cables? I can definitely say you would NOT spot it at all!

If the network resources are exposed by a rogue access point, the following risks may be
identified −

• Data Theft − Corporate data may be compromised.
• Data Destruction − Databases may be erased.
• Loss of Services − Network services can be disabled.
• Malicious Data Insertion − An attacker may use the portal to upload viruses, key loggers or
pornography.
• 3rd Party Attacks − A company's wired network may be used as a launching pad for
3rd party attacks against other networks across the internet.
Wireless Security - Client Misassociation
You may have already experienced the situation that when you come home with your PC and use
wireless, your PC automatically connects to the WLAN without any action required
from you. This is because your laptop remembers the list of WLANs that you were connected to
in the past, and stores this list in the so-called Preferred Network List (in the Windows world).

A malicious hacker may use this default behavior and bring their own wireless AP to the physical
area where you normally use your Wi-Fi. If the signal from that AP is better than
the one from the original AP, the laptop software will mis-associate to the fake (rogue) access point
provided by the hacker (thinking it is the legitimate AP you have used in the past). These kinds
of attacks are very easy to perform in some big open spaces, such as airports, office
environments or public areas. These kinds of attacks are sometimes referred to as Honeypot AP
Attacks.

Creating a fake AP does not require any physical hardware. The Linux distribution used throughout
this tutorial, Kali Linux, has a built-in tool called airbase-ng that can create an AP with a specific
MAC address and WLAN name (SSID) with a single command.

Let's create the following scenario. In the past, I have used the SSID "Airport-Guest" at one of
the European airports. That way, I know that my smartphone has saved this SSID in the PNL
(Preferred Network List). So I create this SSID using airbase-ng.

After I have created the WLAN, I use the Layer 2 DoS attack described earlier to constantly
de-authenticate my smartphone from the Home_e1000 wireless network. At that point, my
smartphone detects the other SSID (Airport-Guest) with a very good link quality, so it connects
automatically to it.

This is something you see in the dump above starting from 21:48:19. At that point, we are in a
good position to perform some additional attacks building on this initial connection. It can be either
a man-in-the-middle attack, forwarding all the wireless traffic via the attacker's PC (attacking the
integrity and confidentiality of the traffic exchange), or you may connect back from the attacker's
PC directly to the smartphone by exploiting some vulnerabilities using the Metasploit Framework... There
is a plethora of possible ways forward.
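The rogue-AP and client-misassociation threats above are usually hunted with the same data: a wireless scan compared against the AP inventory, plus the MAC address tables of the access switches. The following is an added example (not code from the original tutorial) that serves both sections. The inventory, scan results and switch table are constructed, and the heuristic that a rogue AP's wired MAC lies numerically close to its BSSID is an assumption that holds for many but not all consumer devices.

```python
# Added example (not from the original tutorial): classify scanned APs into
# authorized, evil twin / honeypot (a corporate SSID on an unknown BSSID, which
# clients with that SSID in their Preferred Network List may auto-join), rogue
# on the wire (unknown BSSID whose wired MAC appears on an access switch), or
# harmless neighbour. All data below is constructed.

AUTHORIZED = {                      # bssid -> ssid, exported from the WLAN controller
    "00:11:22:33:44:50": "Corp-WiFi",
    "00:11:22:33:44:51": "Corp-Guest",
}
CORPORATE_SSIDS = set(AUTHORIZED.values())


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def near_mac(bssid, wired_mac, tolerance=4):
    """Heuristic (assumption): many SOHO routers derive the radio BSSID from the
    wired MAC by a small offset, so a wired MAC within `tolerance` addresses of a
    BSSID points at the same box."""
    return abs(mac_to_int(bssid) - mac_to_int(wired_mac)) <= tolerance


def classify(scan, switch_macs, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS):
    """scan: list of {'ssid', 'bssid', 'security'} as reported by a scanner.
    switch_macs: MAC addresses learned on access ports of the wired network.
    Returns (bssid, verdict) tuples for every AP that needs attention."""
    findings = []
    wired = [m.lower() for m in switch_macs]
    for ap in scan:
        bssid = ap["bssid"].lower()
        if bssid in authorized:
            if authorized[bssid] != ap["ssid"]:
                findings.append((bssid, "authorized AP advertising an unexpected SSID"))
            continue
        twin = ap["ssid"] in corporate
        on_wire = any(near_mac(bssid, m) for m in wired)
        if twin:
            findings.append((bssid, f"evil twin of {ap['ssid']} ({ap['security']})"))
        if on_wire:
            findings.append((bssid, "rogue AP bridged to the wired network"))
        if not twin and not on_wire:
            findings.append((bssid, "neighbour network, not on our wire"))
    return findings


# Constructed scan result and switch address table
SCAN = [
    {"ssid": "Corp-WiFi", "bssid": "00:11:22:33:44:50", "security": "WPA2-Enterprise"},
    {"ssid": "Corp-WiFi", "bssid": "de:ad:be:ef:00:10", "security": "Open"},
    {"ssid": "linksys", "bssid": "c0:ff:ee:00:00:20", "security": "WEP"},
    {"ssid": "Neighbour", "bssid": "12:34:56:78:9a:bc", "security": "WPA2-PSK"},
]
SWITCH_MACS = ["00:11:22:33:44:50", "c0:ff:ee:00:00:21", "3c:3c:3c:3c:3c:3c"]

if __name__ == "__main__":
    for bssid, verdict in classify(SCAN, SWITCH_MACS):
        print(bssid, verdict)
```

The open "Corp-WiFi" on an unknown BSSID is the honeypot case from this section; the WEP "linksys" whose neighbouring MAC shows up on a switch port is the rogue-AP case from the previous one. The switch port that learned that MAC is where to go looking behind the rack.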

Misconfigured Access Point Attack


Misconfigured APs are the part of the attack surface that is easiest to breach once they are
detected. The places where you will most likely meet misconfigured APs are home wireless
networks and very small businesses. Large wireless environments usually use centralized
management platforms that control hundreds or thousands of APs and keep their configuration
synchronized, so configuration errors are less likely there.

The most common misconfigurations that lead to a wireless compromise are:

 AP configurations left at factory defaults: default administrative usernames and passwords,
default broadcast WLAN names (SSIDs) and other default settings can all be looked up in the
vendor's manuals on the internet.
 Human error: advanced security settings are configured on one set of APs across the
organization, while others are forgotten and left with the default, weak security settings.

As a countermeasure against misconfigured APs, organizations should run ongoing site surveys
(periodic scans of the wireless environment) so that unknown, default or weakly configured APs
are noticed and fixed.

Examples of default username/password pairs for some Linksys wireless home devices (such
defaults are why an AP left at factory settings is a trivial target):

Model          Username           Password
BEFSR series   (none) or admin    admin
E series       admin or (none)    admin or (none)
EA series      admin              admin or (none)
WAG series     admin or (none)    admin or (none)
WRT series     (none)             admin
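The honeypot-AP scenario and the site surveys recommended against misconfigured APs both come down to one check: compare what is on the air with what you expect. The script below is an added example (it is not part of the original tutorial or of the aircrack-ng suite). It reads the AP section of an airodump-ng style CSV, reduced here to the columns it needs, and flags an SSID served by a BSSID you do not own (evil twin / honeypot), an open AP whose SSID a client has saved as encrypted (a downgrade lure), any open SSID in the client's preferred network list (it will be auto-joined, so it should be forgotten), and vendor-default SSIDs. The scan rows, the known-good BSSID list, the saved-profile list and the default-SSID list are all constructed for the example.

```python
"""Wireless site-survey check: evil twins, downgrade lures and default SSIDs.

Added example. SCAN_CSV is constructed in the layout of the AP section of an
airodump-ng CSV, trimmed to the columns this check uses; it is not a real capture.
"""
import csv
import io
from dataclasses import dataclass

SCAN_CSV = """\
BSSID, channel, Privacy, Power, ESSID
00:11:22:33:44:55, 6, WPA2, -45, Home_e1000
66:77:88:99:AA:BB, 11, OPN, -30, Airport-Guest
00:11:22:33:44:56, 1, OPN, -28, Home_e1000
C0:FF:EE:00:00:01, 6, OPN, -60, linksys
"""

# What the administrator expects (constructed): SSID -> set of legitimate BSSIDs.
KNOWN_GOOD = {"Home_e1000": {"00:11:22:33:44:55"}}

# What a client's preferred network list remembers (constructed): SSID -> security.
SAVED_PROFILES = {"Home_e1000": "WPA2", "Airport-Guest": "OPN"}

# Factory-default SSIDs commonly left unchanged (illustrative list, not exhaustive).
DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "tp-link"}


@dataclass(frozen=True)
class Finding:
    essid: str
    bssid: str
    reason: str


def parse_scan(csv_text):
    """Return one dict per AP row with whitespace stripped from keys and values."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def survey(csv_text, known_good=KNOWN_GOOD, saved_profiles=SAVED_PROFILES):
    """Run the four checks over every AP row and return the findings."""
    findings = []
    for row in parse_scan(csv_text):
        essid, bssid, privacy = row["ESSID"], row["BSSID"].upper(), row["Privacy"]
        # 1. Our SSID is on the air from a BSSID we do not own: evil twin / honeypot.
        if essid in known_good and bssid not in known_good[essid]:
            findings.append(Finding(essid, bssid, "evil_twin"))
        # 2. A client remembers this SSID as encrypted but this AP is open: a lure
        #    that makes a mis-associated client talk in the clear.
        if saved_profiles.get(essid, privacy) != "OPN" and privacy == "OPN":
            findings.append(Finding(essid, bssid, "downgrade"))
        # 3. An open SSID in the client's PNL: anyone can impersonate it and the
        #    client will auto-join. The fix is to forget the network.
        if saved_profiles.get(essid) == "OPN" and privacy == "OPN":
            findings.append(Finding(essid, bssid, "open_in_pnl"))
        # 4. Vendor default SSID: the AP was probably never configured at all.
        if essid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(essid, bssid, "default_ssid"))
    return findings


if __name__ == "__main__":
    for f in survey(SCAN_CSV):
        print(f"{f.reason:12} {f.essid:15} {f.bssid}")
```

Run against the constructed scan, the script reports the second Home_e1000 BSSID twice (evil twin and downgrade), Airport-Guest as an open network the client will auto-join, and the open "linksys" AP as a default configuration. In a real survey you would feed it the CSV that `airodump-ng -w <prefix> --output-format csv` writes and keep the known-good list from your AP inventory.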

Introduction to Email Security


Email (short for electronic mail) is a method of exchanging digital messages between people
over the internet or other computer networks. With it we can send and receive text messages,
often with attachments such as documents, images or videos, from one person or organization
to another. In this article we will look at the concept of email security, how we can protect
our email, email security policies and best practices, and one Gmail feature (confidential
mode) that can be used to limit what a recipient can do with a message.
What is Email Security?
Email security refers to the measures used to protect email messages, and the information they
contain, from unauthorized access and tampering. It involves ensuring the confidentiality,
integrity and availability of email, as well as safeguarding against phishing, spam, viruses and
other forms of malware. It is achieved through a combination of technical and non-technical
measures. Standard technical measures include encrypting messages to protect their contents,
digital signatures to verify the authenticity of the sender, and filtering systems that block
unwanted mail and malware. Non-technical measures include training employees to recognize and
respond to phishing and other email-borne threats, establishing policies and procedures for
email use and management, and conducting regular security audits to identify and address
weaknesses.
Why is email security important?
 Protection Against Cyberattacks: Email is a top target for cybercriminals. Malware,
phishing attacks, and other threats often arrive via email; in fact, 94% of malware is
delivered through email. By implementing robust email security measures, organizations can
defend against these threats.
 Reducing Risk: Cybersecurity incidents can have devastating consequences,
including financial losses, operational disruptions, and damage to an organization’s
reputation. Effective email security helps protect your brand, reputation, and bottom
line.
 Compliance: Email security ensures compliance with data protection laws like GDPR
and HIPAA. By safeguarding sensitive information, organizations avoid legal fines and
other intangible costs associated with cyberattacks.
 Productivity Enhancement: With email security in place, disruptions caused by
threats like phishing emails are minimized. This allows organizations to focus more on
business growth and less on handling security incidents.
Benefits of Email Security
 Shielding Against Phishing and Spoofing Attacks: Email security isn’t just about
tech jargon; it’s like having a digital bodyguard. It helps spot and tackle threats like
phishing or spoofing. These sneaky attacks can lead to serious breaches and even
unleash malware or other nasty viruses.
 Locking Down Data: Think of email encryption as a virtual vault. It keeps sensitive
info—like credit card numbers, bank accounts, and employee details—safe from prying
eyes. No more accidental leaks or costly data breaches!
 Whispers Only: Secure email encryption ensures that only the right people get the
message. It’s like passing a secret note in class—except the teacher won’t intercept it.
Your confidential content stays confidential.
 Spotting the Bad Apples: Email security acts like a spam filter on steroids. It sniffs
out malicious or spammy emails that might sneak past regular defenses. No more
falling for those “You’ve won a million dollars!” scams!
 Top-Secret Protection: Imagine your company’s secrets—intellectual property,
financial records, and classified info—wrapped in a digital force field. Email security
shields them from cyber villains like hackers and cybercriminals.
 Real-Time Guardian: Email security solutions inspect messages as they arrive, so known
malware and spam are stopped before they reach the inbox. Sandboxing and behavioural analysis
also help against previously unseen (zero-day) threats, although no filter catches everything.
 Locking Up Identity Theft: Encrypting email in transit keeps attackers on the network path
from intercepting login credentials or personal data, and authentication checks on incoming
mail make it harder for an attacker to impersonate you. No more compromised accounts or
identity theft nightmares.
Email Security best practices
 Building a Strong Email Security Foundation: Think of email security like
constructing a sturdy fortress. Start by layering your defenses:
o Effective Email Protection Solutions: These are like the castle walls.
Choose tools that can spot threats and keep your inbox safe.
o Threat Detection and Reporting: Imagine sentries on the lookout, alerting
you to any suspicious activity.
o Regular Updates: Keep your defenses sharp—like sharpening swords—to
fend off the latest cyber threats.
 Guarding Sensitive Data: Picture a vault door. Implement policies to prevent users
from accidentally emailing sensitive info to outsiders. It’s like saying, “No, you can’t
send that secret recipe to the rival chef!”
 Training Your Troops: Educate your team! Teach them to spot phishing and spoofing
emails (those digital shape-shifters), create rock-solid passwords, and avoid clicking on
sketchy links or mysterious attachments.
 Encrypting Messages: Encrypting emails is like sealing them in an enchanted
envelope. Only the intended recipients can unlock the magic inside. No more
eavesdroppers!
 Layered Defenses: Imagine shields, armor, and magical spells all working together.
Authentication, encryption, and isolation form your multi-layered defense. They’ll fend
off elaborate phishing plots, ransomware attacks, and other sneaky threats.
 Stay Updated: Think of it as patching up your castle walls. Regularly update your
email security solutions to stay ahead of the cyber dragon’s fire-breath.
Types of Email threats
 Phishing: Imagine a crafty imposter pretending to be your bank or favorite online
store. They send you an email, asking for your sensitive info—like passwords or credit
card details. Sneaky, right?
 Social Engineering: Think of it as digital manipulation. The bad guys sweet-talk or
scare people into revealing confidential stuff. It’s like a cyber con artist pulling off a
heist.
 Spear Phishing: This one’s like a sniper attack. Instead of casting a wide net, the
attacker aims at specific individuals or organizations. They craft personalized emails,
luring victims into their trap.
 Ransomware: Picture your files locked up in a digital vault. The villain—malicious
software—holds them hostage until you pay a ransom. It’s like a cyber kidnapper!
 Malware: Sneaky software that infiltrates your computer without asking permission. It’s
like a digital ninja wreaking havoc behind the scenes.
 Spoofing: Imagine someone wearing a disguise at a masquerade ball. Attackers forge
email headers, making messages look legit—even when they’re not. Trust no masked
stranger!
 Man-in-the-Middle Attack: Visualize a sneaky eavesdropper intercepting your
messages. They can read, alter, or inject new content. It’s like a cyber spy messing
with your convo.
 Data Exfiltration: Sophisticated thieves sneak into an organization’s email system.
They swipe sensitive data—like secret recipes from a chef’s kitchen. Recipe theft,
anyone?
 Denial of Service: Attackers flood email servers with a deluge of messages. Servers
buckle under the pressure, like a dam bursting. Chaos ensues!
 Account Takeover: Imagine a cyber burglar breaking into your email house. They use
your account to send spam, phishing emails, or snoop around your secrets.
 Identity Theft: Someone swipes your personal info—name, address, social security
number. They wear your identity like a stolen cloak, committing digital crimes.
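The "Spoofing" threat above (forged headers that make a message look legitimate) and the "Authentication" layer in the best practices are two sides of the same check: does the envelope sender, the signature and the link match the domain the From header claims? The code below is an added example, not code from the original article. It extracts the spoofing indicators a mail gateway or analyst looks for from a raw message, and separately grades a domain's SPF and DMARC TXT records. The message, the domain names and the DNS records are constructed for the example; no network lookups are performed.

```python
"""Spoofing indicators from message headers, plus SPF/DMARC record posture.

Added example. The message and DNS records below are constructed for the example;
the header layout follows RFC 5322 and RFC 8601 (Authentication-Results).
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing-style message: the display name claims the bank, but the
# envelope sender, the DKIM/DMARC results and the link host say otherwise.
SAMPLE_MAIL = """\
Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer-xyz.example; dkim=none; dmarc=fail header.from=bank.example
From: "Your Bank" <alerts@bank.example>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/plain; charset=us-ascii

Please confirm your details at http://bank.example.evil-login.example/verify
"""

# Constructed DNS TXT records for the posture check.
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"
SPF_STRICT = "v=spf1 include:_spf.bank.example -all"


def domain_of(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, address = parseaddr(str(addr))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(value):
    """Map spf/dkim/dmarc -> result from an Authentication-Results header."""
    results = {}
    for clause in str(value).split(";")[1:]:      # [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if m:
            results[m.group(1)] = m.group(2).lower()
    return results


def spoof_indicators(raw):
    """Return the list of spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"] or "")
    rp_dom = domain_of(msg["Return-Path"] or "")
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    hits = []
    if rp_dom and rp_dom != from_dom:
        hits.append("return_path_mismatch")       # envelope and header sender differ
    if auth.get("dmarc") == "fail":
        hits.append("dmarc_fail")
    if auth.get("dkim", "none") != "pass":
        hits.append("dkim_not_pass")              # no valid signature over the message
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        # A host that merely *starts* with the brand is not under the brand's domain.
        if host != from_dom and not host.endswith("." + from_dom):
            hits.append("foreign_link:" + host)
    return hits


def dmarc_policy(txt):
    """Return (p, pct) from a _dmarc TXT record, or (None, 0) if it is not DMARC."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return None, 0
    return tags.get("p", "none"), int(tags.get("pct", "100"))


def spf_all_qualifier(txt):
    """Return the qualifier of the 'all' mechanism ('-', '~', '?' or '+'), or None."""
    if not txt.startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        if term.lower().endswith("all") and ":" not in term:
            return term[:-3] or "+"
    return None  # no 'all' term: unlisted senders are effectively neutral


if __name__ == "__main__":
    print("indicators:", spoof_indicators(SAMPLE_MAIL))
    print("dmarc:", dmarc_policy(DMARC_STRICT), "spf all:", spf_all_qualifier(SPF_STRICT))
```

For the constructed message the four indicators fire together, which is the usual shape of a spoofed brand mail: a bulk-sender envelope domain, no DKIM signature, a DMARC failure, and a link whose host only begins with the brand name. On the domain side, `p=reject` with `-all` is the posture that lets receivers discard such mail; `p=none` or `~all`/`?all` only monitors.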
Steps should be taken to Secure Email
 Choose a secure password: The password must be at least 12 characters long and contain
uppercase and lowercase letters, digits, and special characters.
 Two-factor authentication: Activate two-factor authentication, which adds an additional
layer of security to your email account by requiring a one-time code in addition to your
password.
 Use encryption: Encryption scrambles your email messages so that only the intended
recipient can decipher them. Email encryption can be done with programs such as PGP or
S/MIME.
 Keep your software up to date: Ensure that the most recent security updates are installed
on your operating system and email client.
 Beware of phishing scams: Attackers try to steal your personal information by pretending
to be someone else. Be careful with emails that request private information or contain
suspicious links; these are the hallmarks of a phishing attack.
 Choose a trustworthy email service provider: Look for a provider that protects your data
with encryption and other security measures.
 Use a VPN: On untrusted networks a VPN encrypts your internet connection and hides your IP
address, making it more difficult for an attacker on the same network to intercept your
email traffic.
 Upgrade your email apps regularly: People now frequently access their email accounts
through apps, and these apps are not perfect; a vulnerability in one can be used by an
attacker to hijack accounts, steal data or send spam. Because of this, it is important to
update your apps as soon as fixes are released.

Email Security Policies


An email security policy is a set of rules and standards for protecting the confidentiality,
integrity and availability of email communication within the organization. It should include
the following essential components:
 Appropriate Use: The policy should outline what constitutes acceptable email usage inside
the organization, including who is permitted to use email, how it may be used, and for what
purposes.
 Password and Authentication: The policy should require strong passwords and two-factor
authentication to ensure that only authorized users can access email accounts.
 Encryption: To avoid unwanted access, the policy should mandate that sensitive material be
encrypted before being sent through email.
 Virus Protection: The policy should specify how email messages and attachments are scanned
for viruses and malware, and how often the scanning signatures are updated.
 Retention and Deletion: The policy should outline how long email messages and their
attachments are to be kept, and when they should be deleted.
 Training: The policy should require all staff members to take a course on email best
practices, including how to identify phishing scams and other email-based threats.
 Incident Reporting: The policy should outline the reporting and investigation procedures
for email security breaches and other incidents.
 Monitoring: The policy should outline the procedures for monitoring email communications
to ensure that the policy is being followed, including any logging or auditing that will be
carried out.
 Compliance: The policy should ensure compliance with all applicable laws and regulations,
including the Health Insurance Portability and Accountability Act (HIPAA) and the General
Data Protection Regulation (GDPR).
 Enforcement: The policy should specify the consequences for violating the email security
policy, including disciplinary action and legal consequences if necessary.
By creating such a policy, organizations help safeguard sensitive information and lower the
risk of data breaches and other security incidents.
Now let's look at how to enable confidential mode in a Gmail account. Gmail has a feature
called confidential mode that can be used to limit what a recipient can do with an email.
These are the steps to use it:
Step 1: On your computer, go to Gmail and click Compose, as shown in the screenshot below.

Step 2: At the bottom of the compose window, turn on confidential mode (if it is already on
for this email, click Edit in the bottom right corner) to set an expiration date and a
passcode. These settings apply to both the message text and any attachments.

If you select "No SMS passcode", recipients using the Gmail app will be able to open the
message directly, and recipients who don't use Gmail will receive a passcode by email.
If you select "SMS passcode", recipients will get the passcode by text message; for this you
have to provide the recipient's phone number.
Step 3: After providing the phone number, click Save.
Step 4: Write the email and send it to the recipient.

Remove Access before Expiration:


The sender can revoke the recipient's access before the message expires. Until the expiration
date, or until the sender removes access, the recipient can view the message and any attached
files. Confidential mode disables forwarding, copying, printing and downloading of the message
text and attachments. It does not stop the recipient from taking screenshots or photographs of
the message or attachments, and a recipient whose computer is already compromised by malicious
software may still be able to capture the content. The mode therefore helps prevent a
recipient from unintentionally sharing your email; it does not stop a determined one.

Mobile Security
Mobile security is the strategy, infrastructure, and software used to protect any device that
travels with users, including smartphones, tablets, and laptops. Cybersecurity for mobile
devices includes protecting data on the local device and the device-connected endpoints
and networking equipment. As mobile devices continue to be a user preference over
desktops, they will be bigger targets for attackers.

Why Is Mobile Security Important?


As more users travel and work from home, mobile devices have become
increasingly more integrated into their everyday lives, including corporate
employees. Internet browsing activity used to be limited to desktops, and
employees that traveled were the only ones with laptops. Now, mobile devices are
the preferred way to browse the internet, and traffic from these devices has become
the dominant form of web browsing over desktops.

Mobile devices have a much bigger attack surface than desktops, making them a
more significant threat to corporate security. A desktop is immobile with threats
mainly from outside attackers, but mobile devices are vulnerable to physical and
virtual attacks. Users carry mobile devices with them wherever they go, so
administrators must worry about more physical attacks (e.g., theft and loss) and
virtual threats from third-party applications and Wi-Fi hotspots (e.g., man-in-the-
middle attacks). Stationary desktops don’t move from the corporate network,
making it easier for administrators to control network and endpoint security. With
mobile devices, users can root them, add any app, and physically lose them.

For many of these reasons and more, corporations have a lot more overhead when
creating strategies surrounding mobile devices. Even with the overhead, it’s a
critical part of cybersecurity as mobile devices pose significant threats to data
integrity.

Physical Threats
There are two main physical threats to a mobile device: data loss and theft. Natural disasters
are also an issue; they cause data loss but not data theft. Lost data can be recovered from
backups, but data theft is an expensive issue for organizations. Mobile devices have lock
screens to help stop data theft after a device is stolen, but the protection must be strong
enough that an attacker cannot bypass the screen lock by removing the storage chip and reading
the data from it directly.

If the device is stolen, it should allow only a few PIN attempts before locking itself; this
stops brute-force attacks on the lock screen PIN. For devices holding sensitive data, the
company should enable a wipe policy that erases all data on the phone after a set number of
incorrect PIN attempts. Encrypted storage stops an attacker from exfiltrating data directly
from the storage chip and so bypassing the PIN altogether.

Application Threats

Administrators can block applications from being installed on a desktop, but a user
with a mobile device can install anything. Third-party applications introduce
several issues to mobile device security. Corporations must create a policy
surrounding mobile devices to help users understand the dangers of installing
unapproved third-party apps.

Users should not be able to root their phones, but some do, rendering many of the operating
system's internal security controls unusable. Third-party applications running on rooted
devices can disclose data to an attacker through a number of attack methods. Third-party
applications can also have hidden malware and keyloggers embedded in their code. Anti-malware
programs can be installed, but on a rooted device even these applications are open to
manipulation by malware.

Network Threats

Mobile devices, especially bring-your-own-device (BYOD) ones, create a threat for the internal
network. It is not uncommon for malware to scan the network for open storage locations or
vulnerable resources in order to drop malicious executables and exploit them, and this can
happen silently from a mobile device that is not adequately secured.

Administrators can require anyone with a BYOD device to have anti-malware installed, but that
still does not ensure the software is up to date. If the corporation offers public Wi-Fi
hotspots for customers and employees, this too is a point of concern: when employees connect
to public Wi-Fi and send data that other users on the same network can read, the connection is
exposed to man-in-the-middle (MitM) attacks and to account takeover if the attacker captures
credentials.

Web-Based and Endpoint Threats

Mobile apps connect to data and internal applications through API endpoints. These endpoints
receive and process requests and return a response to the mobile device. The endpoints and any
web-based application add threats to the organization. Every endpoint used by the application
must enforce both authentication (who is calling) and authorization (what that caller may
access); an endpoint that checks only the first can be used by any logged-in attacker to read
or modify other users' data and compromise the application.
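The distinction between authentication and authorization at an endpoint is easiest to see in code. The handlers below are an added example, not code from the original article or from any real app: the first authenticates the session token and then trusts the client-supplied profile id (an insecure direct object reference, the classic mobile-backend bug), the second checks that the record belongs to the caller and answers "not found" for both missing and foreign ids. The `probe_idor` helper does what the automated scanners mentioned later in this section do: it asks which ids a given session can read. The profile store, session tokens and names are hypothetical.

```python
"""A mobile-app backend endpoint: missing authorization vs. the hardened handler.

Added example. The profile store, session tokens and handler names are
hypothetical stand-ins for a real API's database and token validation.
"""

# Constructed backing data: profile id -> record, session token -> user.
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.org", "card_last4": "4242"},
    102: {"owner": "bob", "email": "bob@example.org", "card_last4": "1881"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Unauthorized(Exception):
    """No valid session token (authentication failed)."""


class NotFound(Exception):
    """Profile absent *or* not owned by the caller: one answer for both cases."""


def get_profile_vulnerable(token, profile_id):
    """Authenticates the caller, then trusts the client-supplied id.

    Any logged-in user can read any profile by changing the id in the request:
    an insecure direct object reference, because authorization is never checked.
    """
    if token not in SESSIONS:
        raise Unauthorized()
    return PROFILES[profile_id]


def get_profile_hardened(token, profile_id):
    """Authenticates, then authorizes: the record must belong to the caller."""
    user = SESSIONS.get(token)
    if user is None:
        raise Unauthorized()
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != user:
        raise NotFound()            # do not reveal whether the id exists
    # Return only the fields the app needs (the card number is already masked).
    return {k: profile[k] for k in ("owner", "email", "card_last4")}


def probe_idor(handler, token, candidate_ids):
    """What an authorization scan does: which ids can this one session read?"""
    readable = []
    for pid in candidate_ids:
        try:
            handler(token, pid)
            readable.append(pid)
        except (NotFound, KeyError):
            pass
    return readable


if __name__ == "__main__":
    print("vulnerable:", probe_idor(get_profile_vulnerable, "tok-bob", [100, 101, 102]))
    print("hardened:  ", probe_idor(get_profile_hardened, "tok-bob", [100, 101, 102]))
```

With Bob's token the vulnerable handler returns Alice's record as readily as Bob's own, and the difference between a KeyError for id 100 and a record for id 101 even tells the prober which ids exist. The hardened handler yields only Bob's profile and gives the same answer for missing and foreign ids.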
Because mobile devices are so popular, some web-based attacks specifically target their users.
Attackers use sites that look like official websites to trick users into entering sensitive
data or downloading malicious applications. It is not uncommon for an attacker to tell a user
that they must download an app to view a video or other media. The user installs the app
without realizing it is malicious software that probes the device for vulnerabilities and
exfiltrates data.

Components of Mobile Security

Organizations that use mobile devices have several options to protect them from
attackers. Components in mobile security can be used to define cybersecurity
strategies surrounding mobile devices. In addition to the infrastructure added to
corporate strategy, it’s also important to create BYOD and mobile device policies
that instruct users what can and cannot be installed on the device.

The following components will help any organization protect from attacks directed
towards mobile devices:

 Penetration scanners: Automated scanning services can be used to find vulnerabilities in
endpoints. While this is not the only control that should be applied to endpoints, it is the
first step in finding the authentication and authorization issues that could be used to
compromise data.

 Virtual Private Network (VPN): Users connecting to the network from a remote
location should always use VPN. VPN services and always on VPN
alternatives installed on a mobile device will encrypt data from the device to the
endpoint or from the device to the internal network. Plenty of third-party services
are set up specifically for protecting corporate traffic from a mobile device to the
internal network.
 Auditing and device control: While administrators can’t remote control a
smartphone or tablet, they can require users to install remote wiping capabilities
and tracking services. GPS can be used to locate a stolen device, and remote
wiping software will remove all critical data should it be stolen.

 Email security: Phishing is one of the biggest threats to all organizations. Email
services are usually added to a mobile device so that users can obtain their email
messages. Any phishing messages could target mobile devices with malicious links
or attachments. Email filters should block messages that contain suspicious links
and attachments.
