Unit 3

The document discusses cryptography, focusing on symmetric encryption, basic terminology, and the role of firewalls in network security. It outlines various protection methods such as packet filtering, NAT, and proxy services, along with the limitations of these methods. Additionally, it introduces Intrusion Detection and Prevention Systems (IDPS), detailing their methodologies and types, emphasizing the need for enhanced security measures beyond traditional firewalls.

Cryptography and Network Security

Symmetric Encryption
• also called conventional / private-key / single-key encryption
• sender and recipient share a common key
• all classical encryption algorithms are private-key
• was the only type prior to the invention of public-key cryptography in the 1970s
• and is by far the most widely used
Some Basic Terminology
• plaintext - original message
• ciphertext - coded message
• cipher - algorithm for transforming plaintext to ciphertext
• key - info used in cipher known only to sender/receiver
• encipher (encrypt) - converting plaintext to ciphertext
• decipher (decrypt) - recovering plaintext from ciphertext
• cryptography - study of encryption principles/methods
• cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing the key
• cryptology - field of both cryptography and cryptanalysis
Cryptography
• characterize cryptographic system by:
– type of encryption operations used
• substitution / transposition / product
– number of keys used
• single-key or private / two-key or public
– way in which plaintext is processed
• block / stream
Cryptanalysis
• objective is to recover the key, not just the message
• general approaches:
– cryptanalytic attack
– brute-force attack
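The classification above (substitution / transposition / product, one shared key) and the brute-force approach are easiest to see in code. The following is an added example and is not part of the slides: a shift-substitution cipher, a columnar transposition, their product under a single shared key, and an exhaustive key search that recovers the key, not just the message, from a ciphertext and one expected plaintext word. The plaintext, key values and crib word are constructed for the demonstration.

```python
"""Added example (not part of the slides): a substitution cipher, a transposition
cipher and their product under a single shared key, plus a brute-force key
search that recovers the key (not just the message) from a ciphertext and one
expected plaintext word. Plaintext, key values and the crib are constructed."""
import string
from typing import List, Tuple

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Monoalphabetic substitution: replace each letter by the one `shift`
    positions later (a negative shift undoes it). Other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def transpose(text: str, columns: int) -> str:
    """Columnar transposition: write the text row by row into `columns` columns
    and read it out column by column; letters are rearranged, not replaced."""
    return "".join(text[i::columns] for i in range(columns))


def untranspose(text: str, columns: int) -> str:
    """Inverse of transpose(): split back into columns (the first len % columns
    columns are one character longer) and read row by row."""
    rows, extra = divmod(len(text), columns)
    cols, pos = [], 0
    for i in range(columns):
        length = rows + (1 if i < extra else 0)
        cols.append(text[pos:pos + length])
        pos += length
    return "".join(col[r] for r in range(rows + 1) for col in cols if r < len(col))


def encrypt(plaintext: str, shift: int, columns: int) -> str:
    """Product cipher: substitution followed by transposition."""
    return transpose(substitute(plaintext, shift), columns)


def decrypt(ciphertext: str, shift: int, columns: int) -> str:
    return substitute(untranspose(ciphertext, columns), -shift)


def brute_force(ciphertext: str, crib: str, max_columns: int = 10) -> List[Tuple[int, int, str]]:
    """Exhaustive key search: try every (shift, columns) pair and keep those
    whose decryption contains the expected word `crib`. With only
    26 * (max_columns - 1) candidates the search is instant, which is why a
    classical cipher offers no protection against a brute-force attack."""
    hits = []
    for columns in range(2, max_columns + 1):
        for shift in range(26):
            candidate = decrypt(ciphertext, shift, columns)
            if crib.upper() in candidate:
                hits.append((shift, columns, candidate))
    return hits


if __name__ == "__main__":
    ct = encrypt("ATTACK AT DAWN", shift=3, columns=4)
    print(ct)                               # DFWZWN QW GDDD
    print(brute_force(ct, crib="DAWN"))     # includes (3, 4, 'ATTACK AT DAWN')
```

The key space here is the product of the two sub-keys (26 shifts times the column count), which is why even the product cipher falls to a trivial exhaustive search once a single expected word is known.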
Firewalls
• Sits between two networks
– Used to protect one from the other
– Places a bottleneck between the networks
• All communications must pass through the bottleneck – this gives us a single point of control
Protection Methods
• Packet Filtering
– Rejects TCP/IP packets from unauthorized hosts and/or connection attempts by unauthorized hosts
• Network Address Translation (NAT)
– Translates the addresses of internal hosts so as to hide them from
the outside world
– Also known as IP masquerading
• Proxy Services
– Makes high level application level connections to external hosts on
behalf of internal hosts to completely break the network
connection between internal and external hosts
Other common Firewall Services
• Encrypted Authentication
– Allows users on the external network to authenticate to the
Firewall to gain access to the private network
• Virtual Private Networking
– Establishes a secure connection between two private networks
over a public network
• This allows the use of the Internet as a connection medium rather
than the use of an expensive leased line
Packet Filters
• Compare network and transport protocols to a database of
rules and then forward only the packets that meet the
criteria of the rules
• Implemented in routers and sometimes in the TCP/IP
stacks of workstation machines
– in a router a filter prevents suspicious packets from reaching your
network
– in a TCP/IP stack it prevents that specific machine from
responding to suspicious traffic
• should only be used in addition to a filtered router not instead of a
filtered router
Limitations of Packet Filters
• IP addresses of hosts on the protected side of the filter can
be readily determined by observing the packet traffic on
the unprotected side of the filter
• filters cannot check all of the fragments of higher-level protocols (like TCP), as the TCP header information is only available in the first fragment
– Modern firewalls reconstruct the fragments and then check them
• filters are not sophisticated enough to check the validity of the application-level protocols embedded in the TCP packets
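The rule-base comparison and the fragment limitation above can be shown together. The following is an added example, not part of the slides: a toy first-match packet filter, and a reassembling filter that buffers fragments and only applies port rules to the reconstructed datagram, since a non-first fragment carries no TCP header. The packet layout, rule syntax and sample traffic are constructed; fragment offsets are given in bytes rather than the 8-byte units real IP headers use.

```python
"""Added example (not part of the slides): a toy packet filter that evaluates
an ordered rule base, plus a fragment reassembler showing why port rules can
only be applied to a reconstructed datagram. Packet layout, rule syntax and
the sample traffic are all constructed for the demonstration; fragment offsets
are in bytes here rather than the 8-byte units real IP headers use."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: Optional[int]        # transport header only exists in the first fragment
    frag_id: int = 0
    offset: int = 0             # 0 for the first (or only) fragment
    more: bool = False          # "more fragments" flag
    payload: bytes = b""


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # CIDR prefix; "0.0.0.0/0" matches any source
    dport: Optional[int]        # None matches any destination port


def match(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when the source lies inside the prefix and the destination
    port is either unconstrained or equal to the port seen in the packet."""
    in_prefix = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return in_prefix and port_ok


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; traffic matching no rule gets the default action,
    and deny is the safe default for a border filter."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return default


class ReassemblingFilter:
    """Buffers fragments per (src, dst, frag_id) and applies the rules to the
    whole datagram, which is what 'reconstruct fragments, then check them'
    means. A stateless filter sees no TCP header in a non-first fragment, so it
    must either drop it (breaking the connection) or pass it unchecked."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.pending: Dict[Tuple[str, str, int], List[Packet]] = {}

    def handle(self, pkt: Packet) -> Optional[str]:
        """Return the verdict for a complete datagram, or None while waiting."""
        if pkt.offset == 0 and not pkt.more:
            return filter_packet(self.rules, pkt)        # not fragmented at all
        key = (pkt.src, pkt.dst, pkt.frag_id)
        frags = self.pending.setdefault(key, [])
        frags.append(pkt)
        first = next((f for f in frags if f.offset == 0), None)
        last = next((f for f in frags if not f.more), None)
        if first is None or last is None:
            return None
        covered = sum(len(f.payload) for f in frags)
        if covered != last.offset + len(last.payload):
            return None                                  # a gap remains
        del self.pending[key]
        frags.sort(key=lambda f: f.offset)
        whole = Packet(first.src, first.dst, first.proto, first.dport,
                       frag_id=first.frag_id,
                       payload=b"".join(f.payload for f in frags))
        return filter_packet(self.rules, whole)


# Constructed rule base: only HTTP to the protected network is allowed.
RULES = [Rule("permit", "0.0.0.0/0", 80), Rule("deny", "0.0.0.0/0", None)]

# Constructed two-fragment HTTP request; the TCP header (dport 80) is only in FRAG1.
FRAG1 = Packet("203.0.113.5", "192.0.2.10", "tcp", 80, frag_id=7, offset=0,
               more=True, payload=b"GET / HTTP/1.1\r\n")
FRAG2 = Packet("203.0.113.5", "192.0.2.10", "tcp", None, frag_id=7, offset=16,
               more=False, payload=b"Host: www.example\r\n\r\n")


def stateless_verdicts() -> List[str]:
    """What a filter without reassembly decides for each fragment on its own."""
    return [filter_packet(RULES, FRAG1), filter_packet(RULES, FRAG2)]


def reassembled_verdict() -> Optional[str]:
    f = ReassemblingFilter(RULES)
    f.handle(FRAG1)              # None: datagram incomplete
    return f.handle(FRAG2)       # verdict on the whole datagram


if __name__ == "__main__":
    print("stateless:", stateless_verdicts())     # ['permit', 'deny']
    print("reassembled:", reassembled_verdict())  # permit
```

The stateless filter denies the second fragment because it cannot see a port, which silently breaks the permitted HTTP connection; relaxing the rule base to let portless fragments through would instead let a fragmented connection to any port past the port check. Reassembly removes the dilemma.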
Network Address Translation
• Single host makes requests on behalf of all internal users
– hides the internal users behind the NAT’s IP address
– internal users can have any IP address
• should use the reserved ranges of 192.168.n.m or 10.n.m.p to avoid
possible conflicts with duplicate external addresses
• Only works at the TCP/IP level
– doesn’t do anything for addresses in the payloads of the packets
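The masquerading described above, including the reserved-range advice and the payload limitation, as an added example that is not part of the slides: a toy NAT table that rewrites outbound packets to one public address and maps replies back, a check for the 10.n.m.p and 192.168.n.m ranges, and a demonstration that an address carried inside the payload (an FTP PORT command) is left untouched. Addresses come from the documentation ranges and all traffic is constructed.

```python
"""Added example (not part of the slides): a toy NAT / IP-masquerading table that
rewrites outbound packets to the gateway's single public address and maps the
replies back, a check for the reserved private ranges the slide recommends, and
a demonstration of the limitation that addresses carried inside the payload (an
FTP PORT command here) are not rewritten. Addresses come from the documentation
ranges and all traffic is constructed."""
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
RESERVED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def uses_reserved_range(ip: str) -> bool:
    """True for the 10.n.m.p and 192.168.n.m ranges named on the slide."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESERVED)


class Masquerade:
    """Many internal (ip, port) pairs share one public address, told apart by
    the public port the translator assigns to each of them."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}   # internal endpoint -> public port
        self.inbound: Dict[int, Endpoint] = {}    # public port -> internal endpoint

    def translate_out(self, pkt: dict) -> dict:
        """Rewrite the source of an outbound packet; allocate a mapping on first use."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        out = dict(pkt)
        out["src"], out["sport"] = self.public_ip, self.outbound[key]
        return out

    def translate_in(self, pkt: dict) -> Optional[dict]:
        """Rewrite the destination of a reply. Inbound packets that match no
        mapping (unsolicited connections to internal hosts) are dropped: None."""
        if pkt["dst"] != self.public_ip:
            return None
        internal = self.inbound.get(pkt["dport"])
        if internal is None:
            return None
        back = dict(pkt)
        back["dst"], back["dport"] = internal
        return back


def payload_disagrees_with_header(pkt: dict) -> bool:
    """The slide's caveat: NAT works on headers only. FTP active mode sends
    'PORT h1,h2,h3,h4,p1,p2' in the payload, so after translation the payload
    still names the private address while the header shows the public one."""
    text = pkt["payload"].decode("ascii", errors="replace")
    if not text.startswith("PORT "):
        return False
    fields = text[5:].strip().split(",")
    return ".".join(fields[:4]) != pkt["src"]


# Constructed sample: an internal client opening an active-mode FTP transfer.
CLIENT_PACKET = {"src": "192.168.1.10", "sport": 51000, "dst": "203.0.113.20",
                 "dport": 21, "payload": b"PORT 192,168,1,10,200,10\r\n"}


def run_demo() -> Tuple[str, bool, Endpoint]:
    nat = Masquerade("198.51.100.1")
    outbound = nat.translate_out(CLIENT_PACKET)
    reply = {"src": "203.0.113.20", "sport": 21, "dst": "198.51.100.1",
             "dport": outbound["sport"], "payload": b"200 PORT command successful\r\n"}
    back = nat.translate_in(reply)
    return outbound["src"], payload_disagrees_with_header(outbound), (back["dst"], back["dport"])


if __name__ == "__main__":
    print(run_demo())   # ('198.51.100.1', True, ('192.168.1.10', 51000))
```

The second value returned by `run_demo()` is the point of the slide's last bullet: the header now says 198.51.100.1 but the payload still says 192.168.1.10, so the external server would try to connect back to an address it cannot reach. Application-aware proxies, covered next, exist partly to fix this.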
Proxies
• Hides internal users from the external network by hiding
them behind the IP of the proxy
• Prevents low level network protocols from going through
the firewall eliminating some of the problems with NAT
• Restricts traffic to only the application level protocols
being proxied
• a proxy is a combination of a client and a server; internal users send requests to the server portion of the proxy, which then sends the internal users’ requests out through its client portion (it keeps track of which user requested what, so it can redirect the returned data back to the appropriate user)
Proxies
• Address seen by the external network is the address of the proxy
• Everything possible is done to hide the identity of the internal user
– e-mail addresses in the HTTP headers are not propagated through the proxy
• Doesn’t have to be an actual part of the Firewall; any server sitting between the two networks can be used
Content filtering
• Since an enterprise owns the computing and network facilities used by employees, it is perfectly within its rights to attempt to limit internet access to sites that could be somehow related to business
– Since the proxy server is a natural bottleneck for observing all of the external requests being made from the internal network, it is the natural place to check content
– This is usually done by subscription to a vendor that specializes in categorizing websites into content types based on observation
– Usually an agent is installed into the proxy server that compares URL requests to a database of URLs to reject
– All accesses are then logged and reported; most companies then review the reported access violations, and usually a committee reviews and decides whether or not any personnel action should be taken (letter of reprimand, dismissal, etc.)
– Sites that are usually filtered are those containing information about or
pertaining to:
• Gambling
• Pornography
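The proxy behaviour of the previous two slides and the content-filtering agent described here, as one added example that is not part of the slides: a toy forwarding proxy that records which internal user asked for which URL so replies can be routed back, strips the identifying From header before the request leaves, checks each URL against a category database, and logs rejected requests for later review. The category database, the header list, the users and the requests are all constructed; a real deployment uses a vendor-supplied URL database instead of the dictionary below.

```python
"""Added example (not part of the slides): a toy forwarding proxy that records
which internal user asked for which URL so replies can be routed back, strips
identifying headers (the From header carrying an e-mail address) before the
request leaves, and checks each URL against a category database, logging the
rejected requests for later review. The category database, the header list,
the users and the requests are all constructed; a real deployment uses a
vendor-supplied URL database instead of the dictionary below."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

IDENTITY_HEADERS = {"from", "x-forwarded-for"}     # never propagated outward
BLOCKED_CATEGORIES = {"gambling", "pornography"}   # the categories named on the slide

# Constructed stand-in for the vendor's categorized URL database: hostname -> category.
URL_DATABASE = {
    "casino.example": "gambling",
    "adult.example": "pornography",
    "news.example": "news",
    "intranet.example": "business",
}


class ContentFilteringProxy:
    def __init__(self, proxy_ip: str, database: Dict[str, str], blocked: set):
        self.proxy_ip = proxy_ip
        self.database = database
        self.blocked = blocked
        self.next_id = 1
        self.pending: Dict[int, str] = {}                 # request id -> internal user
        self.log: List[Tuple[str, str, str]] = []         # (user, url, outcome)

    def categorize(self, url: str) -> str:
        host = urlparse(url).hostname or ""
        return self.database.get(host, "uncategorized")

    def request(self, user: str, url: str, headers: Dict[str, str]) -> Optional[dict]:
        """Server half: accept an internal user's request. Returns the request the
        client half sends on (source = the proxy's address), or None if rejected."""
        category = self.categorize(url)
        if category in self.blocked:
            self.log.append((user, url, "rejected:" + category))
            return None
        req_id = self.next_id
        self.next_id += 1
        self.pending[req_id] = user
        clean = {k: v for k, v in headers.items() if k.lower() not in IDENTITY_HEADERS}
        self.log.append((user, url, "forwarded"))
        return {"id": req_id, "src": self.proxy_ip, "url": url, "headers": clean}

    def response(self, req_id: int, body: bytes) -> Tuple[str, bytes]:
        """Client half: a reply came back; hand it to the user who asked for it."""
        return self.pending.pop(req_id), body

    def violations(self) -> List[Tuple[str, str, str]]:
        """The access-violation report that gets reviewed."""
        return [entry for entry in self.log if entry[2].startswith("rejected")]


if __name__ == "__main__":
    proxy = ContentFilteringProxy("198.51.100.1", URL_DATABASE, BLOCKED_CATEGORIES)
    out = proxy.request("alice", "http://news.example/today",
                        {"User-Agent": "Mozilla/5.0", "From": "alice@corp.example"})
    print(out)                                   # no From header, src is the proxy
    print(proxy.request("bob", "http://casino.example/play", {}))   # None
    print(proxy.violations())
```

Because every outbound request passes through `request()`, the same place that hides the user is the place that can log and reject, which is the bottleneck argument the slide makes.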
Virtual Private Networks (VPN)
• Used to connect two private networks via the internet
– Provides an encrypted tunnel between the two private networks
– Usually cheaper than a private leased line but should be studied on
an individual basis
– Once established and as long as the encryption remains secure the
VPN is impervious to exploitation
– For large organizations using VPNs to connect geographically
diverse sites, always attempt to use the same ISP to get best
performance.
• Try to avoid having to go through small Mom-n-Pop ISPs as they will
tend to be real bottlenecks
VPNs (more)
• Many firewall products include VPN capabilities
• But, most Operating Systems provide VPN capabilities
– Windows NT provides a point-to-point tunneling protocol via the Remote
Access server
– Windows 2000 provides L2TP and IPSec
– Most Linux distributions support encrypted tunnels one way or another
• Point-to-Point Protocol (PPP) over Secure Sockets Layer (SSL)
• Encrypted Authentication
– Many enterprises provide their employees VPN access from the Internet
for work-at-home programs or for employees on-the-road
• Usually done with a VPN client on portable workstations that allows
encryption to the firewall
– Good VPN clients disable connections to the internet while the VPN is running
– Problems include:
• A port must be exposed for the authentication
• Possible connection redirection
• Stolen laptops
• Work-at-home risks
Effective Border Security
• For an absolute minimum level of Internet security a
Firewall must provide all three basic functions
– Packet filtering
– Network Address translation
– High-level application proxying
• Use the Firewall machine just for the firewall
– Won’t have to worry about problems with vulnerabilities of the
application software
• If possible use one machine per application level server
– Just because a machine has a lot of capacity don’t just pile things on it.
• Isolate applications, a side benefit of this is if a server goes down
you don’t lose everything
– If possible make the Firewall as anonymous as possible
• Hide the product name and version details, especially from the Internet
Problems Firewalls can’t fix
• Many e-mail hacks
– Remember in CS-328 how easy it is to spoof e-mail
• Vulnerabilities in application protocols you allow
– Ex. Incoming HTTP requests to an IIS server
• Modems
– Don’t allow users on the internal network to use a modem in their machine to connect to an external ISP (AOL) to reach the Internet; this exposes everything that user is connected to, to the external network
– Many users don’t like the restrictions that firewalls place on them and will try to subvert those restrictions
Border Security Options
• Filtered packet services
• Single firewall with internal public servers
• Single firewall with external public servers
• Dual firewalls or DMZ firewalls
• Enterprise firewalls
• Disconnection
Filtered Packet Services
• Most ISPs will provide packet filtering services for their customers
– Issues:
• Remember that all of the other customers are also on the same side of the packet filter; some of these customers may also be hackers
• Does the ISP have your best interests in mind, or theirs?
• Who is responsible for reliability?
• Configuration issues, usually at the ISP’s mercy
– Benefits:
• No up-front capital expenditures
Single firewall, internal public servers
(Diagram, labels left to right: Internal Private Network with client machines – Firewall – External Private Network holding the Web and Mail servers – Router – External Public Network with customers and hackers)
• Leaves the servers between the internal private network and the external network exposed
– Servers in this area should provide limited functionality
• No services/software they don’t actually need
– These servers are at extreme risk
• Vulnerable to service specific hacks – HTTP, FTP, Mail, …
• Vulnerable to low level protocol (IP, ICMP, TCP) hacks and DoS
attacks
DMZ
(Diagram, labels left to right: Internal Private Network with client machines – Router – DMZ holding the Web and FTP servers – Firewall – External Public Network with customers and hackers)
Bastion Host
• Many firewalls make use of what is known as a
“bastion” host
– a bastion is a host that is stripped down to have only the bare fundamentals necessary
• no unnecessary services
• no unnecessary applications
• no unnecessary devices
• A combination of the “bastion” and its firewall are
the only things exposed to the internet
Intrusion Detection and Prevention Systems
Introduction
• Intrusion Detection Systems (IDSs) will be obsolete very soon (if they aren't already). In its place is something much more capable, an Intrusion Prevention System (IPS).
• IPSs are not a new technology, they are simply an
evolved version of IDS.
• IPSs combine IDSs and improved firewall
technologies, they make access control decisions based
on application content, rather than IP address or ports
as traditional firewalls had done.
• Because IDS and IPS technologies offer many of the
same capabilities, administrators can usually disable
prevention features in IPS products, causing them to
function as IDSs.
Why should Intrusion Detection and Prevention Systems be used?
• It’s a dire fact that while every enterprise has a
firewall, most still suffer from network security
problems. IT professionals are acutely aware of the
need for additional protective technologies, and
network equipment vendors are anxious to fill in the
gap.
• Intrusion Prevention Systems have been promoted as
cost-effective ways to block malicious traffic, to
detect and contain worm and virus threats, to serve as
a network monitoring point, to assist in compliance
requirements, and to act as a network sanitizing
agent.
Classes of detection methodologies:
• Signature-based: compares known threat signatures
to observed events to identify incidents.
• This is very effective at detecting known threats but
largely ineffective at detecting unknown threats and
many variants on known threats.
• Signature-based detection cannot track and understand
the state of complex communications, so it cannot
detect most attacks that comprise multiple events.
Examples:
• A telnet attempt with a username of “root”, which is a
violation of an organization’s security policy
• An e-mail with a subject of “Free pictures!” and an
attachment filename of “freepics.exe”, which are
characteristics of a known form of malware
• Anomaly-based detection: sample network activity
to compare to traffic that is known to be normal.
• When measured activity is outside baseline
parameters or clipping level, IDPS will trigger an
alert.
• Anomaly-based detection can detect new types of
attacks.
• Requires much more overhead and processing capacity than signature-based detection.
• May generate many false positives.

• For example: a profile for a network might show that
Web activity comprises an average of 13% of
network bandwidth at the Internet border during
typical workday hours. The IDPS then uses statistical
methods to compare the characteristics of current
activity to thresholds related to the profile, such as
detecting when Web activity comprises significantly
more bandwidth than expected and alerting an
administrator of the anomaly. Profiles can be
developed for many behavioral attributes, such as the
number of e-mails sent by a user, the number of
failed login attempts for a host, and the level of
processor usage for a host in a given period of time.

• Stateful protocol analysis: A key development in
IDPS technologies was the use of protocol analyzers.
• Protocol analyzers can natively decode application-
layer network protocols, like HTTP or FTP. Once the
protocols are fully decoded, the IPS analysis engine can
evaluate different parts of the protocol for anomalous
behavior or exploits against predetermined profiles of
generally accepted definitions of benign protocol
activity for each protocol state.
• Problems with this type include that it is often very
difficult or impossible to develop completely accurate
models of protocols, it is very resource-intensive, and it
cannot detect attacks that do not violate the
characteristics of generally acceptable protocol
behavior.
• For example: the existence of a large binary file in
the User-Agent field of an HTTP request would be
very unusual and likely an intrusion. A protocol
analyzer could detect this anomalous behavior and
instruct the IPS engine to drop the offending packets.
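The decode-then-check sequence described for protocol analyzers, as an added example that is not part of the slides: a minimal HTTP request decoder followed by per-field checks against a simple model of benign protocol behaviour (a known method, a short printable User-Agent, bounded header values). Findings name the field and the reason so an IPS engine could act on them. The sample requests and the numeric limits are constructed.

```python
"""Added example (not part of the slides): a minimal HTTP request decoder of the
kind a protocol analyzer uses, and a per-field check against a simple model of
benign protocol behaviour (a known method, a short printable User-Agent, bounded
header values). Findings name the field and the reason so an IPS engine could
drop the request. The sample requests and the limits are constructed."""
from typing import Dict, List, Tuple

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_USER_AGENT = 256        # constructed limit; derive it from real clients in practice
MAX_HEADER_VALUE = 8192


def decode_request(raw: bytes) -> Dict[str, object]:
    """Decode the request line and headers; raises ValueError if the request
    line does not have the three space-separated parts HTTP requires."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("latin-1").split(" ", 2)
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_printable_text(value: bytes) -> bool:
    return all(0x20 <= b < 0x7F or b == 0x09 for b in value)


def analyse(raw: bytes) -> List[Tuple[str, str]]:
    """Return (field, reason) findings; an empty list means the request fits the model."""
    try:
        req = decode_request(raw)
    except ValueError:
        return [("request-line", "malformed")]
    findings: List[Tuple[str, str]] = []
    if req["method"] not in KNOWN_METHODS:
        findings.append(("method", "unknown method"))
    headers = req["headers"]
    ua = headers.get("user-agent", b"")
    if len(ua) > MAX_USER_AGENT:
        findings.append(("user-agent", "length %d exceeds %d" % (len(ua), MAX_USER_AGENT)))
    if not is_printable_text(ua):
        findings.append(("user-agent", "non-printable bytes"))
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append((name, "header value too long"))
    return findings


def verdict(raw: bytes) -> str:
    """The decision handed to the prevention engine."""
    return "drop" if analyse(raw) else "pass"


# Constructed samples: a normal browser request and one whose User-Agent field
# carries a large binary blob (the slide's example of an anomaly).
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux)\r\n\r\n")
BLOB = bytes(b for b in range(256) if b not in (0x0D, 0x0A)) * 2
SUSPECT = b"GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: " + BLOB + b"\r\n\r\n"

if __name__ == "__main__":
    print(verdict(BENIGN), analyse(BENIGN))    # pass []
    print(verdict(SUSPECT), analyse(SUSPECT))  # drop [... two user-agent findings]
```

The weaknesses the slide lists are visible here too: the model is only as good as its limits (a legitimate client with a long User-Agent would be dropped), and a request that keeps every field well-formed passes no matter what its body does.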

• IDPS technologies cannot provide completely accurate detection. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred. It is not possible to eliminate all false positives and negatives; in most cases, reducing the occurrences of one increases the occurrences of the other.
• Many organizations choose to decrease false
negatives at the cost of increasing false positives,
which means that more malicious events are detected
but more analysis resources are needed to
differentiate false positives from true malicious
events. Altering the configuration of an IDPS to
improve its detection accuracy is known as tuning.
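The signature-based and anomaly-based methodologies described earlier, together with the tuning trade-off of the last two paragraphs, as one added example that is not part of the slides. It matches constructed events against the slide's two example signatures, compares a measured Web-traffic share against the 13% baseline with a clipping level, and then sweeps that clipping level over labelled samples to count false positives and false negatives at each setting. The signatures, event fields and the labelled traffic samples are all constructed.

```python
"""Added example (not part of the slides): the signature-based and anomaly-based
methodologies described above applied to constructed sample events, and a sweep
of the anomaly threshold that reproduces the false-positive / false-negative
trade-off the tuning paragraph describes. The signatures, the 13% Web-traffic
baseline, the event fields and the labelled traffic samples are all constructed."""
from typing import Dict, List, Tuple

# Signature-based: a signature is a set of exact field/value conditions.
SIGNATURES = [
    {"name": "telnet-root-login",
     "match": {"service": "telnet", "username": "root"}},
    {"name": "freepics-malware",
     "match": {"service": "smtp", "subject": "Free pictures!",
               "attachment": "freepics.exe"}},
]


def signature_hits(event: Dict[str, str]) -> List[str]:
    """Fires only when every condition matches exactly; a variant that changes
    one attribute (a renamed attachment, say) is missed, as the slide warns."""
    return [sig["name"] for sig in SIGNATURES
            if all(event.get(k) == v for k, v in sig["match"].items())]


# Anomaly-based: compare a measured attribute with the profile's baseline.
BASELINE_WEB_SHARE = 0.13       # the profile on the slide: Web = 13% of border bandwidth


def anomaly_alert(web_bytes: int, total_bytes: int, clipping: float) -> bool:
    """Alert when the Web share exceeds the baseline by more than `clipping`
    (an absolute share, e.g. 0.05 = five percentage points)."""
    share = web_bytes / total_bytes if total_bytes else 0.0
    return share - BASELINE_WEB_SHARE > clipping


# Tuning: constructed, labelled one-minute samples of (web_bytes, total_bytes,
# is_attack). Normal minutes scatter around the baseline; some attacks only
# push the share up a little, so no clipping level separates the two perfectly.
SAMPLES: List[Tuple[int, int, bool]] = [
    (100, 1000, False), (120, 1000, False), (140, 1000, False),
    (160, 1000, False), (200, 1000, False),
    (170, 1000, True), (260, 1000, True), (400, 1000, True), (550, 1000, True),
]


def tuning_tradeoff(samples: List[Tuple[int, int, bool]],
                    clippings: List[float]) -> Dict[float, Tuple[int, int]]:
    """For each clipping level, count (false positives, false negatives)."""
    result: Dict[float, Tuple[int, int]] = {}
    for clipping in clippings:
        fp = fn = 0
        for web, total, is_attack in samples:
            alerted = anomaly_alert(web, total, clipping)
            if alerted and not is_attack:
                fp += 1
            elif is_attack and not alerted:
                fn += 1
        result[clipping] = (fp, fn)
    return result


if __name__ == "__main__":
    print(signature_hits({"service": "telnet", "username": "root"}))
    print(tuning_tradeoff(SAMPLES, [0.02, 0.05, 0.10, 0.20]))
    # {0.02: (2, 0), 0.05: (1, 1), 0.1: (0, 1), 0.2: (0, 2)}
```

Reading the sweep from left to right is the tuning decision the slide describes: the tightest clipping level catches every constructed attack at the cost of two false alarms to investigate, and each looser setting trades an alarm for a missed attack.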

Types of IDPSs
1. Network-based: perform packet sniffing and analyze network traffic to identify and stop suspicious activity. They are typically deployed inline, like a network firewall: they receive packets, analyze them, decide whether they should be permitted, and allow acceptable packets to pass through.
• Allow some attacks, such as network service worms and e-mail-borne worms and viruses with easily recognizable characteristics (e.g., subject, attachment filename), to be detected on networks before they reach their intended targets (e.g., e-mail servers, Web servers).
• Most products use a combination of attack signatures
and analysis of network and application protocols.
• Network-based products might be able to detect and
stop some unknown threats through application
protocol analysis.
• Some products allow administrators to create and deploy attack signatures for many major new malware threats in a matter of minutes. Although a poorly written signature triggers false positives that block benign activity, a custom signature can block a new malware threat hours before antivirus signatures become available.
• However, network-based products are generally not
capable of stopping malicious mobile code or Trojan
horses.
Placement of Network IDPSs
• Deployment options:
– Outside the firewall
– Just inside the firewall
• A combination of both will detect attacks getting through the firewall and may help to refine the firewall rule set.
– Behind the remote access server
– Between business units
– Between the corporate network and partner networks
• Sensors may need to be placed in all switched network segments
Types of IDPSs
2. Host-based: are similar in principle and purpose to network-based, except that a host-based product monitors the characteristics of a single host and the events occurring within that host, such as monitoring network traffic (only for that host), system logs, running processes, file access and modification, and system and application configuration changes.
• They often use a combination of attack signatures and knowledge of expected or typical behavior to identify known and unknown attacks on systems.
• If a host-based product monitors the host’s network traffic, it offers detection capabilities similar to a network-based product.
• Host-based IDPSs are most commonly deployed on
critical hosts such as publicly accessible servers and
servers containing sensitive information.
• For example: attempted changes to files can be
effective at detecting viruses attempting to infect files
and Trojan horses attempting to replace files, as well
as the use of attacker tools, such as rootkits, that often
are delivered by malware.

Placement of host IDPSs
Deployment options:
• Key servers that contain mission-critical and
sensitive information.
• Web servers.
• FTP and DNS servers.
• E-commerce database servers, etc.
• Other high value assets.
May also emplace these randomly to obtain probabilistic
measure of hosts becoming compromised.
Types of IDPSs
3. Network Behavior Analysis (NBA): examines
network traffic to identify threats that generate unusual
traffic flows, such as denial of service (DoS) and
distributed denial of service (DDoS) attacks, certain
forms of malware (e.g., worms, backdoors), and policy
violations (e.g., a client system providing network
services to other systems).
• NBA systems are most often deployed to monitor
flows on an organization’s internal networks, and are
also sometimes deployed where they can monitor
flows between an organization’s networks and external
networks (e.g., the Internet, business partners’
networks).
Types of IDPSs
4. Wireless: monitors wireless network traffic and
analyzes its wireless networking protocols to identify
suspicious activity involving the protocols themselves.
• It cannot identify suspicious activity in the application
or higher-layer network protocols (e.g., TCP, UDP) that
the wireless network traffic is transferring.
• It is most commonly deployed within range of an
organization’s wireless network to monitor it, but can
also be deployed to locations where unauthorized
wireless networking could be occurring.

• Organizations should consider using multiple types of
IDPS technologies to achieve more comprehensive and
accurate detection and prevention of malicious activity.
• For most environments, a combination of network-
based and host-based IDPSs is needed for an effective
IDPS solution.
• NBA technologies can also be deployed if
organizations desire additional detection capabilities
for DoS & DDoS attacks, worms, and other threats that
NBAs are particularly good at detecting.
• Wireless IDPSs may also be needed if the organization
determines that its wireless networks need additional
monitoring or if the organization wants to ensure that
rogue wireless networks are not in use in the
organization’s facilities.
• Before evaluating IDPS products organizations need
to understand the characteristics of their system and
network environments, so that a compatible IDPS can
be selected that can monitor the events of interest on
the systems and/or networks.
• Organizations should articulate the goals and
objectives they wish to attain by using an IDPS, such
as stopping common attacks, identifying
misconfigured wireless network devices, and
detecting misuse of the organization’s system and
network resources.
• Organizations should also review their existing
security policies, which serve as a specification for
many of the features that the IDPS products need to
provide.
• Organizations should determine if they require IDPSs or other specific system security resources.
• Organizations also need to define specialized sets of requirements for the following:
• Security capabilities: including information gathering, logging, detection, and prevention.
• Performance: including maximum capacity and performance features.
• Management: including design and implementation (e.g., reliability, interoperability, scalability, product security), operation and maintenance (including software updates), and training, documentation, and technical support.
• Life cycle costs, both initial and maintenance costs.
Network Management System
• The Concept
– From a central computer, network administrator
can manage entire network
• Collect data
• Give commands
– Moving gradually toward this ideal

(Diagram: data flows from the network up to the central computer; commands flow back down)
Network Management System

• Standards
– Most widely used is the Simple Network
Management Protocol (SNMP)
– Other standards exist

Network Management System
• The Manager
– Software on network administrator's computer
– Short for “network management software”
– Implements network management support

Network Management System
• Managed Nodes
– Routers, client PCs, etc. that are managed

Network Management System
• Agents
– Network management agents
– Installed in managed nodes
– Communicate with the manager on behalf of
the node

(Diagram: the manager communicates with the agent installed in the managed node)
Network Management System
• RMON Probes
– Remote MONitoring
– SNMP only
– Special type of agent
– Collects data on a LAN’s traffic: packet sizes,
error rates, etc.
(Diagram: an RMON probe on the LAN reports to the manager)
Network Management System
• Objects
– Managed nodes have several objects that are
managed
– For instance, on a client PC, one object might
be the status of a TCP connection to a particular
server
– Another example would be the status of a
router port
(Diagram: an agent with several managed objects)
Network Management System
• Objects
– A managed node may have several “instances”
of some objects; For instance, a router may
have several ports

(Diagram: an agent with several instances of an object)
Network Management System
• Management Information Base (MIB)
– Stores collected information
– Schema
• The overall design MIB
• Entities (objects) and attributes
• Object-oriented database
– The actual stored information
– “MIB” is used to refer both to the schema and
the actual data
Network Management System
• Management Information Base (MIB)
– Full MIB is stored on the central administration
computer
– Relevant portion of the MIB is also stored by
each Agent

(Diagram: the manager holds the full MIB; each agent holds the relevant portion)
Database Security
Database Concepts
• Database
– a collection of data & set of rules that organize the data
– user works with a logical representation of the data
• Relational database
– in the relational model, data is organized as a collection of
RELATIONS or tables
– a relation is a set of ATTRIBUTES or columns
– each row (or record) of a relation is called a TUPLE
• Database management system (DBMS)
– maintains the DB and controls read/write access
• Database administrator (DBA)
– sets the organization of and access rules to the DB
Database Concepts
• Relationships between tables (relations) must be in
the form of other relations
– base (‘real’) relations: named and autonomous
relations, not derived from other relations (have stored
data)
– views: named derived relations (no stored data)
– snapshots: like views are named, derived relations, but
they do have stored data
– query results: result of a query - may or may not have
name, and no persistent existence
Database Concepts
• Within every relation, need to uniquely
identify every tuple
– a primary key of a relation is a unique and
minimal identifier for that relation
– can be a single attribute - or may be a choice of
attributes to use
– when primary key of one relation used as
attribute in another relation it is a foreign key
in that relation
Database Concepts
• Structured Query Language (SQL)
– to manipulate relations and data in a relational database
• Types of SQL Commands
– Data Definition Language (DDL)
• define, maintain, drop schema objects
– Data Manipulation Language (DML)
• SELECT, INSERT, UPDATE
– Data Control Language (DCL)
• control security (GRANT, REVOKE) and concurrent access (COMMIT, ROLLBACK)
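The relational concepts of the preceding slides (primary and foreign keys, base relations and views) and the three SQL command classes, as one added example that is not part of the slides, run against an in-memory SQLite database from Python. DDL creates two relations with a primary key, a foreign key and a view; DML inserts and queries tuples; a transaction is committed on success and rolled back when a key constraint rejects a tuple. SQLite has no GRANT/REVOKE, so the DCL part shown is COMMIT/ROLLBACK only. Table names and rows are constructed.

```python
"""Added example (not part of the slides): the relational concepts and SQL
command classes above exercised against an in-memory SQLite database. DDL
creates two relations with a primary key and a foreign key plus a view; DML
inserts and queries tuples; a transaction is committed on success and rolled
back when the foreign-key or primary-key rule would be violated. SQLite has no
GRANT/REVOKE, so the DCL part shown is COMMIT/ROLLBACK only. Table names and
rows are constructed."""
import sqlite3
from typing import List, Tuple


def build_schema(conn: sqlite3.Connection) -> None:
    """DDL: define the base relations and a view. emp_id is the primary key of
    employee; dept_id there is a foreign key referencing department."""
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL UNIQUE
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id)
        );
        CREATE VIEW staff_by_dept AS            -- derived relation, no stored data
            SELECT d.name AS department, e.name AS employee
            FROM employee e JOIN department d ON e.dept_id = d.dept_id;
    """)


def insert_employee(conn: sqlite3.Connection, emp_id: int, name: str, dept_id: int) -> bool:
    """DML inside a transaction: COMMIT if the tuple is accepted, ROLLBACK if a
    key constraint rejects it, so a failed insert leaves nothing behind."""
    try:
        with conn:      # commits on normal exit, rolls back on an exception
            conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, name, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def run_demo() -> Tuple[bool, bool, bool, List[Tuple[str, str]]]:
    conn = sqlite3.connect(":memory:")
    build_schema(conn)
    with conn:
        conn.execute("INSERT INTO department VALUES (1, 'security')")
    accepted = insert_employee(conn, 100, "alice", 1)
    bad_fk = insert_employee(conn, 101, "mallory", 99)     # no department 99
    dup_pk = insert_employee(conn, 100, "alice again", 1)  # emp_id 100 already used
    rows = conn.execute(
        "SELECT department, employee FROM staff_by_dept ORDER BY employee").fetchall()
    conn.close()
    return accepted, bad_fk, dup_pk, rows


if __name__ == "__main__":
    print(run_demo())   # (True, False, False, [('security', 'alice')])
```

The two rejected inserts are the element-integrity requirement of the next slide in action: the DBMS, not the application, guarantees that every employee refers to an existing department and that no two tuples share a primary key.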
Security Requirements
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
Data mining for intrusion detection
There are two types of intrusion attacks you can detect using data mining methods:
• Host-based attacks, when the intruder focuses on a particular machine or a group of machines
• Network-based attacks, when the intruder attacks the entire network (for instance, causing a buffer overflow)
Data mining for fraud detection
• Fraudulent activities can be detected with the help of supervised and unsupervised learning.
• With supervised learning, all available records are classified as either fraudulent or non-fraudulent.
Data mining pros
• Using data mining in cyber security lets you:
– process large datasets faster;
– create a unique and effective model for each particular use case;
– apply certain data mining techniques to detect zero-day attacks.
Data Mining Cons
• While this list of the benefits is impressive, there are
also certain drawbacks you need to know about:
• Data mining is complex, resource-intensive, and
expensive
• Building an appropriate classifier may be a challenge
• Potentially malicious files need to be inspected
manually
• Classifiers need to be constantly updated to include
samples of new malware
• There are certain data mining security issues, including
the risk of unauthorized disclosure of sensitive
information
