UNIT II - COMPUTER NETWORK SECURITY

What is Network Security ?

"Network security" refers to any activity designed to protect the usability and integrity of your
network and data. It includes both hardware and software technologies. Effective network security
manages access to the network. It targets a variety of threats and stops them from entering or
spreading on your network.

How does network security work?

Network security combines multiple layers of defenses at the edge and in the network. Each network
security layer implements policies and controls. Authorized users gain access to network resources,
but malicious actors are blocked from carrying out exploits and threats.

How do I benefit from network security?

Digitization has transformed our world. How we live, work, play, and learn have all changed. Every
organization that wants to deliver the services that customers and employees demand must protect its
network. Network security also helps you protect proprietary information from attack. Ultimately it
protects your reputation.

Types of network security

Access control
Not every user should have access to your network. To keep out potential attackers, you need to
recognize each user and each device. Then you can enforce your security policies. You can block
noncompliant endpoint devices or give them only limited access. This process is network access
control (NAC).

Antivirus and antimalware software

"Malware," short for "malicious software," includes viruses, worms, Trojans, ransomware, and
spyware. Sometimes malware will infect a network but lie dormant for days or even weeks. The best
antimalware programs not only scan for malware upon entry, but also continuously track files
afterward to find anomalies, remove malware, and fix damage.

Application security
Any software you use to run your business needs to be protected, whether your IT staff builds it or
whether you buy it. Unfortunately, any application may contain holes, or vulnerabilities, that attackers
can use to infiltrate your network. Application security encompasses the hardware, software, and
processes you use to close those holes.

Behavioral analytics
To detect abnormal network behavior, you must know what normal behavior looks like. Behavioral
analytics tools automatically discern activities that deviate from the norm. Your security team can
then better identify indicators of compromise that pose a potential problem and quickly remediate
threats.

Data loss prevention

Organizations must make sure that their staff does not send sensitive information outside the network.
Data loss prevention, or DLP, technologies can stop people from uploading, forwarding, or even
printing critical information in an unsafe manner.

Email security
Email gateways are the number one threat vector for a security breach. Attackers use personal
information and social engineering tactics to build sophisticated phishing campaigns to deceive
recipients and send them to sites serving up malware. An email security application blocks incoming
attacks and controls outbound messages to prevent the loss of sensitive data.

Firewalls
Firewalls put up a barrier between your trusted internal network and untrusted outside networks, such
as the Internet. They use a set of defined rules to allow or block traffic. A firewall can be hardware,
software, or both. Cisco offers unified threat management (UTM) devices and threat-focused next-
generation firewalls.

Intrusion prevention systems

An intrusion prevention system (IPS) scans network traffic to actively block attacks. Cisco Next-
Generation IPS (NGIPS) appliances do this by correlating huge amounts of global threat intelligence
to not only block malicious activity but also track the progression of suspect files and malware across
the network to prevent the spread of outbreaks and reinfection.

Mobile device security

Cybercriminals are increasingly targeting mobile devices and apps. Within the next 3 years, 90
percent of IT organizations may support corporate applications on personal mobile devices. Of
course, you need to control which devices can access your network. You will also need to configure
their connections to keep network traffic private.

Network segmentation
Software-defined segmentation puts network traffic into different classifications and makes enforcing
security policies easier. Ideally, the classifications are based on endpoint identity, not mere IP
addresses. You can assign access rights based on role, location, and more so that the right level of
access is given to the right people and suspicious devices are contained and remediated.

Security information and event management

SIEM products pull together the information that your security staff needs to identify and respond to
threats. These products come in various forms, including physical and virtual appliances and server
software.

VPN
A virtual private network encrypts the connection from an endpoint to a network, often over the
Internet. Typically, a remote-access VPN uses IPsec or Secure Sockets Layer to authenticate the
communication between device and network.

Web security
A web security solution will control your staff’s web use, block web-based threats, and deny access to
malicious websites. It will protect your web gateway on site or in the cloud. "Web security" also
refers to the steps you take to protect your own website.

Wireless security
Wireless networks are not as secure as wired ones. Without stringent security measures, installing a
wireless LAN can be like putting Ethernet ports everywhere, including the parking lot. To prevent an
exploit from taking hold, you need products specifically designed to protect a wireless network.

WHAT is authentication application?

Authentication is a process in which the credentials provided are compared to those on file in a
database of authorized users' information on a local operating system or within an authentication
server. If the credentials match, the process is completed and the user is granted authorization for
access.
Learning how authentication works will enable auditors to provide recommendations that maximize
the organization's return on investment and efficiency of security controls.

In many organizations, the function of verifying a user's identity — known as authentication — is

important in establishing trust in critical business processes. In its simplest form, authentication is the
act of verifying a person's claim on his or her identity and is usually implemented through a username
and password combination when logging into an IT system or application. As this definition suggests,
part of the authentication process consists of correctly identifying a user, application, or group. There
are multiple ways by which users can provide their identity, such as typing a username and password,
swiping a smart card, waving a token device, or using voice recognition. In fact, the basis of
authentication lies in the principle that without a proper form of identification, a system will not be
able to correlate an authentication factor with a specific subject.

Before an authentication tool or control is implemented, auditors should recommend that managers
use the following evaluation criteria to evaluate its effectiveness and efficiency:
 Cost. This includes the total cost of ownership (e.g., procurement, installation,
implementation, training, replacement, and maintenance costs).

 Awareness and resistance. Awareness refers to the proper training of staff on the tool's proper
use, while resistance refers to the system's ability to withstand malicious attacks, including
spyware, keylogging, Trojan, denial-of-service, and virus attacks.

 Strategic fit. This refers to the authentication method's ease of use; its ability to address the
needs of different users and support existing operating systems, platforms, and applications;
its roll-out period; centralized administration capabilities; and availability of customer
support.

 The effectiveness of the authentication process. This refers to the authentication system's
level of confidence. For instance, have user and customer confidence levels increased after
the authentication mechanism's implementation?
 Scalability. This is the solution's ability to cater to existing and future users and business needs
without changing the hardware's or the network's architecture and its capacity to address e-
mail security and physical access to a particular system.

 Reliability. This refers to the algorithm's and technology's strength, the authentication tool's
adequacy in protecting confidential information, its ability to address regulatory requirements,
 and its overall safety.

 Management support. This refers to senior management's support of the authentication

mechanism in use. One way management can show support is by establishing the proper tone
at the top and ensuring that employees have the right technical competencies to use the
authentication tool effectively.

What is Kerberos?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for
client/server applications by using secret-key cryptography. A free implementation of this protocol is
available from the Massachusetts Institute of Technology. Kerberos is available in many commercial
products as well.
Kerberos is a protocol for authenticating service requests between trusted hosts across an untrusted
network, such as the internet. Kerberos is built in to all major operating systems, including Microsoft
Windows, Apple OS X, FreeBSD and Linux.

Kerberos is a computer network authentication protocol that works on the basis of 'tickets' to allow
nodes communicating over a non-secure network to prove their identity to one another in a secure
manner. The protocol was named after the character Kerberos (or Cerberus) from Greek mythology,
the ferocious three-headed guard dog of Hades. Its designers aimed it primarily at a client–server
model and it provides mutual authentication—both the user and the server verify each other's identity.
Kerberos protocol messages are protected against eavesdropping and replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted third party, and optionally may
use public-key cryptography during certain phases of authentication.[1] Kerberos uses UDP port 88
by default.
Kerberos is an authentication system developed as part of athena project in MIT. Kerberos uses a
trusted third party or call a middle man server, for authentication. And kerberos is based upon
needham-schroeder-protocol.
From the different versions available in kerberos, version 1 to 3 were never released for public use as
they were mainly internal releases. Version 4 and 5 were released, and due to some security flaw in
version 4 its seldom used these days. So we will be discussing kerberos version 5 throughout our
tutorial/documentation section. As of now the latest version of kerberos is version 5 Release 1.10.3.

Kerberos was designed to mitigate the following problems in network security:

 Password Sniffing
 Password database stealing.
Password and login credential is centralized in kerberos infrastructure, which prevents clients from
storing passwords on their machines.
Protocol weaknesses due to unencrypted data transfer on some network services can be reduced with
the help of kerberos.

Disadvantages of Kerberos:
 In kerberos infrastructure user login credentials are stored in the central server as mentioned
 before. So its a tedious job to migrate all login credentials from local machines /etc/passwd
and /etc/shadow files to the central server.
 If some attacker gets access to the central server, the entire infrastructure will be under threat.
 the applications that can be protected using kerberos must have kerberos functionality inbuilt
into them. There are many application programs currently without the support for kerberos.

Lets Learn some of the common terms used in Kerberos infrastructure.

1. GSS-API : this is the API that must be present in application programs, to be compatible with
Kerberos.
2. KDC: Key distribution Centre, this will be the server which we call the middle man server or
the central server arbitrator, which issues the keys for the communication.
3. REALM: a kerberos network identified by a name, mostly this is the domain name in all caps.
4. Principal: this is the name used by the kerberos central server to call users, service name etc.
5. TGS: Ticket Granting Server: this is mostly the same central server (KDC server), it grants the
tickets for a service.
6. TGT: A special ticket which contains the session key for communication between the client
machine and the central KDC server.

How it Works?
Step1: When the user logins to his or her machine. The principal, is sent to KDC server for login, and
the KDC server will provide TGT in return(this request to the KDC server can be sent by the login
program or we can also use kinit program) .
Step2: Kdc server searches the principal name in the database, on finding the principal, a TGT is
generated by the KDC, which will be encrypted by the users key, and send back to the user.
Step3: When the user gets the TGT, the user decrypts the TGT with the help of KINIT(with help of
the users key).
An important fact to note here is that, the client machine stores its key on its own machine only and
this is never transmitted over wire.
Step4: The TGT recieved by the client from the KDC server will be stored in the cache for use for the
session duration. There will always be an expiration time set on the TGT offered by the KDC server,
so that an expired TGT can never be used by an attacker.
Step5: Now the client has got TGT in hand. If suppose the client needs to communicate with some
service on that network, the client will ask the KDC server, for a ticket for that specific service with
the help of TGT.

X.509 Authentication Service

ITU-T (International Telecommunication Union – Telecommunication Standardization Sector)
recommendation X.509 is a part of the X.500 series of recommendations that define a directory service.
The directory is a server or distributed set of servers that maintains a database of information about
users. The information includes a mapping from user name to network address, as well as other
attributes and information about the users.
X.509 defines a framework for the provision of authentication services by the X.500 directory to its
users. The directory may serve as a repository of public-key certificates. Each certificate contains the
public key of a user and is signed with the private key of a trusted certification authority. X.509 defines
alternative authentication protocols based on the use of public-key certificates.
X.509 is an important standard because the certificate structure and authentication protocols defined in
X.509 are used in variety of contexts (SSL, SET, etc.).
A third version of X.509 was issued in 1995 and revised in 2000.
 Certificates
The heart of X.509 scheme is the public-key certificate associated with each user. These user certificates
are assumed to be created by some trusted certificate authority (CA) and placed in the directory by the
CA or by the user. The directory itself is not responsible for the creation of public keys or for the
certification function; it merely provides an easily accessible location for users to obtain certificates.
Figure 14.3a shows the general format of a certificate, which includes the following elements.

1 Version: Differentiates among successive versions of the certificate format: the default version is 1.
If the Issuer Unique Identifier or Subject Unique Identifier are present, the value must be version 2. If
one or more extensions are present, the version must be version 3.

2 Serial number: An integer value, unique within the issuing CA, that is unambiguously associated
with this certificate

3 Signature algorithm identifier: The algorithm used to sign the certificate, together with any
associated parameters. Because this information is repeated in the Signature field at the end of the
certificate, this field has little, if any, utility

4 Issuer name: X.500 name of the CA that created and signed this certificate (about X.500 names see,
for example, http://java.sun.com/products/jndi/tutorial/ldap/models/x500.html )

5 Period of validity: Consists of two dates: the first and the last on which certificate is valid
6 Subject name: The name of the user to whom this certificate refers. That is, this certificate certifies
the public key of the subject who holds the corresponding private key

7 Subject’s public key information: The public key of the subject, plus an identifier of the algorithm
for which this key is to be used, together with any associated parameters
8 Issuer unique identifier: An optional bit string field used to identify uniquely the issuing CA in the
event the X.500 name has been reused for different entities

9 Subject unique identifier: An optional bit string used to identify uniquely the subject in the event
the X.500 name has been reused for different entities

10 Extensions: A set of one or more extension fields. Extensions were added in version 3 and are
discussed later

11 Signature: Covers all of the other fields of the certificate; it contains the hash code of the other fields,
encrypted with the CA’s private key. This field includes the signature algorithm identifier
The unique identifier fields were added in version 2 to handle the possible reuse of subject and/or issuer
names over time. These fields are rarely used.
The standard uses the following notation to define a certificate:
CA<<A>> = CA{V,SN,AI,CA,T A,A,Ap}
Where
Y<<X>> = certificate of user X issued by certification authority Y
Y{I} = the signing of I by Y. It consists of I with an encrypted hash code appended
The CA signs the certificate with its private key. If the corresponding public key is known to a user,
then that user can verify that a certificate signed by the CA is valid.

Obtaining a User’s Certificate

User certificates generated by a CA have the following characteristics:

1 Any user with access to the public of the CA can verify the user public key that was encrypted
2 No party other than the CA can modify the certificate without this being detected
Because certificates are unforgeable, they can be placed in a directory without the need for the directory
to make special efforts to protect them.
If all users subscribe to the same CA, then there is a common trust of that CA. All user certificates can
be placed in the directory for access by all users. In addition, a user can transmit his certificate directly
to other users. In either case, once B is in possession of A’s certificate, B has confidence that message
it encrypts with A’s public key will be secure from eavesdropping and that messages signed with A’s
private key are unforgeable.
If there is a large community of users, it may not be practical for all users to subscribe to the same CA.
Because it is the CA that signs certificates, each participating user must have a copy of the CA’s own
public key to verify signatures. This public key must be provided to each user in an absolutely secure
(with respect to integrity and authenticity) way so that the user has confidence in the associated
certificates. Thus, with many users, it may be more practical for there to be a number of CAs, each of
which securely provides its public key to some fraction of the users.
Now suppose that A has obtained a certificate from certification authority X1 and B has obtained a
certificate from CA X2. If A does not securely know the public key of X2, then B’s certificate, issued
by X2, is useless to A. A can read B’s certificate, but A cannot verify the signature. However, if the
two CAs have securely exchanged their own public keys, the following procedure will enable A to
obtain B’s public key:

1. A obtains from directory, the certificate of X2 signed by X1. Because A securely knows X1’s public
key, A can obtain X2’s public key from its certificate and verify it by means of X1’s signature on the
certificate

2. A then goes back to the directory and obtains the certificate of B signed by X2. Because A now has
a trusted copy of X2’s public key, A can verify the signature and securely obtain B’s public key
A has used a chain of certificates to obtain B’s public key. In the notation of X.509, this chain is
expressed as
X1<<X2>>X2<<B>>
In the same fashion, B can obtain A’s public key with the chain:
X2<<X1>>X1<<A>>
This scheme need not be limited to a chain of two certificates. An arbitrarily long path of CAs can be
followed to produce a chain. A chain with N elements would be expressed as
X1<<X2>>X2<<X3>>…XN<<B>>
In this case, each pair of CAs in the chain (Xi, Xi+1) must have created certificates for each other.
All these certificates of CAs by CAs need to appear in the directory, and the user needs to know how
they are linked to follow a path to another user’s public-key certificate. X.509 suggests that CAs are
arranged in a hierarchy so that navigation is straightforward.
Figure 14.4, taken from X.509, is an example of such a hierarchy. The connected circles indicate the
hierarchical relationship among the CAs; the associated boxes indicate certificates maintained in the
directory for each CA entry. The directory entry for each CA includes two types of certificates:

 Forward certificates: Certificates of X generated by other CAs

 Reverse certificates: Certificates generated by X that are the certificates of other CAs