Computer Security Chapter 4

4. Computer Security Technology and Intrusion Detection

4.1 Firewalls:
• A firewall is a network security device, either hardware- or software-based, which monitors all
incoming and outgoing traffic. Essentially, it acts as a protective wall between a private internal
network and the public Internet.
• Based on a defined set of security rules it accepts, rejects or drops that specific traffic:
-Accept : allow the traffic
-Reject : block the traffic but reply with an “unreachable error”
-Drop : block the traffic with no reply
• A firewall establishes a barrier between a secured internal network and an external untrusted
network, such as the Internet.
• A network firewall is similar to a firewall in building construction, because in both cases it is
intended to isolate one "network" or "compartment" from another.

[Figure: firewall placed between the public network and the private network]

• Need of Firewall:
• A firewall is useful if you don't want external users to access a particular host or service within your
site.
• The firewall might also filter packets based on the source's IP address.
• It is useful if you want to protect hosts within the site from an unwanted flood of packets from an
external host.
• Large corporations often have very complex firewalls in place to protect their extensive networks.
• On the outbound side, firewalls can be configured to prevent employees from sending certain
types of emails or transmitting sensitive data outside of the network.
• On the inbound side, firewalls can be programmed to prevent access to certain websites (like
social networking sites).
• Limitations of Firewall:
• Firewalls are not able to stop users from accessing data or information from malicious
websites, leaving them vulnerable to internal threats or attacks.
• They cannot protect against the transfer of virus-infected files or software if the security rules are
misconfigured, nor against non-technical security risks (social engineering).
• They do not prevent misuse of passwords, or attackers with modems from dialing in to or out of
the internal network.
• Already infected systems are not secured by firewalls.
Major characteristics related to firewall protection are described below.
• Firewall Characteristics:
1. Various protection levels
2. Wireless network (Wi-Fi) protection
3. Internet and network access
4. Blockage against unauthorized access
5. Protection against malware
6. Provide access only to valid data packets
7. Provision of different configurations
8. Provision of numerous security policies
9. Allowing authorized traffic that fulfils a set of rules to pass
10. A firewall functions like an immune system against malware and unauthorized access; therefore, it
helps ensure a secure system and OS.
• Firewall Policies :
• To protect private networks and individual machines from the dangers of the greater Internet, a
firewall can be employed to filter incoming or outgoing traffic based on a predefined set of rules
called firewall policies.
• Packets flowing through a firewall can have one of three outcomes:
-Accepted: permitted through the firewall
-Dropped: not allowed through, with no indication of failure
-Rejected: not allowed through, accompanied by an attempt to inform the source that the
packet was rejected
• Policies used by the firewall to handle packets are based on several properties of the packets
being inspected, such as:
-Protocol used (TCP or UDP)
-Source and destination IP addresses
-Source and destination ports
-Application-level payload of the packet (e.g., whether it contains a virus).
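The following is an added example (not part of the notes) of a first-match packet filter that applies the three outcomes above to the packet properties just listed. The rule table, the internal range 10.0.0.0/8, the web server address 10.0.0.5 and the sample packets are all constructed for illustration; the point to notice is that reject produces an error reply to the source while drop stays silent, and that rule order decides which action applies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the notes): a first-match packet filter producing the three
# outcomes accept / drop / reject. Rule table, addresses and packets are constructed.

ACCEPT, DROP, REJECT = "accept", "drop", "reject"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR prefix; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Hypothetical policy for a site whose internal range is 10.0.0.0/8 and whose public
# web server is 10.0.0.5: rules are tried top to bottom and the first match wins.
POLICY: List[Rule] = [
    Rule(ACCEPT, proto="tcp", dst="10.0.0.5/32", dport=443),  # anyone may reach the HTTPS server
    Rule(REJECT, proto="tcp", src="10.0.0.0/8", dport=23),    # inside -> telnet: refuse, but tell the client
    Rule(ACCEPT, src="10.0.0.0/8"),                            # everything else from inside may leave
    Rule(DROP),                                                # default: silently discard
]


def decide(policy: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; drop if nothing matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return DROP


def filter_packet(policy: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Decision plus the reply the firewall sends back to the source, if any:
    reject answers with an ICMP unreachable error, drop and accept send nothing."""
    action = decide(policy, pkt)
    reply = "ICMP destination unreachable" if action == REJECT else None
    return action, reply


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.9", "10.0.0.5", 443),    # outside -> web server
        Packet("tcp", "203.0.113.9", "10.0.0.5", 22),     # outside -> SSH on the web server
        Packet("tcp", "10.0.0.42", "198.51.100.7", 23),   # inside -> telnet
        Packet("udp", "10.0.0.42", "198.51.100.7", 53),   # inside -> DNS
    ]
    for p in samples:
        print(p, "->", filter_packet(POLICY, p))
```

The default rule is a silent drop rather than a reject so that an outside sender learns nothing about which ports exist; the reject is reserved for internal clients, where an immediate error is friendlier than a hanging connection.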
• Types of Firewalls :
There are multiple types of firewalls based on their traffic filtering methods, structure, and
functionality. A few of the types of firewalls are:
• Hardware Firewall :
• A hardware firewall is a physical piece of equipment that connects a computer network to a
gateway.
• Consider a broadband router as an example.
• An Appliance Firewall is another name for a hardware firewall.
• Advantages:
-Runs independently, so it is less prone to cyber-attacks.
-Installation is external, so the server's resources are left free.
-Increased bandwidth enables the handling of more data packets per second.
-Reduced latency (delay in data transfer).
-VPN connections are also supported for increased security and encryption.
• Disadvantages:
-Hardware devices can take extra space.
-A skilled IT person is required.
-Upgrading is not cost-effective because multiple devices may need to be replaced.
• Software Firewall :
• A software firewall, on the other hand, is a simple program that is installed on a computer and
operates via port numbers and other installed software.
• This type of firewall is also known as a Host Firewall.
• Advantages:
-Helpful in blocking particular sites.
-Easy to maintain.
-Valuable for home users.
-Different levels of access and permissions can be assigned to users with ease.
• Disadvantages:
-Installation and upgrades are required on individual computers.
-Slows the performance of the system.
-Because it is installed on the host, it consumes system resources.
-Does not work on smart TVs, gaming consoles, etc.
• Packet Filtering Firewall :
• A packet-filtering firewall filters all incoming and outgoing network packets. It tests them against
a set of rules that include IP address, IP protocol, port number, and other aspects of the packet.
• If the packet passes the test, the firewall allows it to proceed to its destination; packets that fail
the test are rejected.
• A packet filter firewall works on the network layer of the OSI model.
• Packet filters consider only the most basic attributes of each packet, and they don’t need to
remember anything about the traffic since each packet is examined in isolation. For this reason,
they can decide packet flow very quickly.
• Packets include two essential components:
• Packet headers: Data is directed to the correct location using packet headers. They include
Internet Protocol (IP) elements, addressing, and any other data needed to deliver packets to their
destination.
• Payload: The user data contained within the packet is referred to as the payload. This is the data
that is trying to get somewhere.
• Advantages:
-Simplicity
-Transparency to users
-High speed
• Disadvantages:
-Difficulty of setting up packet filter rules.
-Lack of authentication.
-Payload is not examined.
• Packet filtering firewalls are divided into two categories:
-Stateless packet filtering firewalls
-Stateful packet filtering firewalls
• Stateless Firewall :
• A stateless firewall is one that doesn’t store information about the current state of a network
connection.
• Instead, it evaluates each packet individually and attempts to determine whether it is authorized
or unauthorized based on the data that it contains.
• Stateful Firewall :
• This firewall is situated at Layers 3 (network layer) and 4 (transport layer) of the Open Systems
Interconnection (OSI) model.
• As the name suggests, a stateful firewall always keeps track of the state of network connections.
• Once a particular kind of traffic has been approved by a stateful firewall, it is added to a state table.
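As an added example (not part of the notes), the code below runs the same inbound packets through a stateless filter and a stateful one, so the difference between the two categories is visible: the stateless filter has to admit every inbound packet aimed at an ephemeral port because it cannot tell a reply from an unsolicited packet, whereas the stateful filter consults its state table and admits only replies to connections it saw opened from inside. The internal range 10.0.0.0/8, the addresses and the flows are constructed; `stateless_decide` is one typical stateless rule set, not the only possible one.

```python
import ipaddress
from typing import Set, Tuple

# Added example (not from the notes): stateless versus stateful handling of the same
# inbound traffic. Addresses and flows are constructed; the internal prefix is assumed.

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_decide(proto: str, src: str, sport: int, dst: str, dport: int) -> str:
    """A stateless filter sees each packet alone. To let replies reach internal
    clients it must admit any inbound packet to an ephemeral port (>= 1024),
    which also admits unsolicited packets to those ports."""
    if is_internal(src):
        return "accept"
    if is_internal(dst) and dport >= 1024:
        return "accept"
    return "drop"


class StatefulFilter:
    """Records connections opened from inside in a state table and admits an
    inbound packet only when it is the reverse direction of a recorded flow."""

    def __init__(self) -> None:
        self.state: Set[Flow] = set()

    def decide(self, proto: str, src: str, sport: int, dst: str, dport: int, fin: bool = False) -> str:
        flow: Flow = (proto, src, sport, dst, dport)
        reverse: Flow = (proto, dst, dport, src, sport)
        if is_internal(src) and not is_internal(dst):
            if fin:
                self.state.discard(flow)    # connection closed: forget it
            else:
                self.state.add(flow)        # new or continuing outbound connection
            return "accept"
        if reverse in self.state:
            if fin:
                self.state.discard(reverse)
            return "accept"                 # reply to a tracked connection
        return "drop"                       # unsolicited inbound packet


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.decide("tcp", "10.0.0.42", 40000, "198.51.100.7", 443))       # accept, flow recorded
    print(fw.decide("tcp", "198.51.100.7", 443, "10.0.0.42", 40000))       # accept, it is the reply
    print(fw.decide("tcp", "203.0.113.9", 443, "10.0.0.42", 40001))        # drop, nobody asked for it
    print(stateless_decide("tcp", "203.0.113.9", 443, "10.0.0.42", 40001))  # accept: the stateless gap
```

A real stateful firewall also ages entries out of the table after a timeout, since not every connection ends with a FIN; without that, the table grows without bound and becomes a resource-exhaustion target in its own right.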

• Application Gateway Firewall (Proxy Firewall/Bastion host) :
• An application-level gateway, also called a proxy firewall, is used to protect data at the application level.
• It protects from potential Internet hackers by not disclosing our computer’s identity (IP address).
• Proxy firewalls analyze the context and content of data packets and compare them to a set of
previously defined rules using stateful and deep packet inspection.
• They either permit or reject a packet based on the outcome. Because this firewall checks the
payload of received data packets, it is much slower than a packet-filtering firewall.
• It works as follows:
Step-1: The user contacts the application gateway using a TCP/IP application such as HTTP.
Step-2: The application gateway asks for the remote host with which the user wants to establish a
connection. It also asks for the user id and password that are required to access the services of
the application gateway.
Step-3: After verifying the authenticity of the user, the application gateway accesses the remote host
on behalf of the user to deliver the packets.
• Advantages:
-Higher security than packet filters
-Only need to scrutinize (examine) a few allowable applications
-Easy to log and audit all incoming traffic
• Disadvantages:
-Additional processing overhead on each connection (gateway as splice point).
-More complex

Difference between Packet filtering and Application level firewall:
Packet filtering firewall: faster than an application level firewall.
Application level firewall: slower than a packet filtering firewall.
• Hybrid Firewall :
• A hybrid firewall is a network security system that merges features from various kinds of firewalls.
• It combines features like packet filtering, circuit-level and application-level gateways.
• A hybrid firewall is implemented using an application firewall and a packet filtering firewall in series
to enhance security.
• One benefit of a hybrid firewall architecture is that you can add a new firewall to an existing security
system without having to remove or replace your current firewall.
• This hybrid firewall application enables you to add another layer of security without
compromising the benefits of your existing architecture.
• This firewall acts as a combination of a packet firewall and an application firewall. The two are
placed in series; if they were placed in parallel, only one of them would act on a given packet.

[Figure: hybrid firewall with the two firewalls in parallel versus in series]

• Advantages :
-Comprehensive protection: A hybrid firewall includes the strengths of different firewall
types, leading to a better, wider security level.
-Flexibility and scalability: Hybrid firewalls can be customized to fit an organization’s specific
needs and adjusted as those needs change.
-Efficiency: Taking a hybrid approach instead of running a few separate firewalls can save
resources and reduce complexity.
-Advanced security features: Many hybrid firewalls include extra features such as VPN
support, intrusion detection/prevention systems (IDS/IPS), and deep packet inspection.
• Disadvantages :
-A hybrid firewall may unnecessarily complicate your network without providing much
tangible benefit.
-If one of your firewalls is not properly configured, threats can easily sneak through.
• Circuit-level gateway:
• A circuit-level gateway works at the session layer of the Open Systems Interconnection (OSI)
model.
• The firewall analyzes Transmission Control Protocol (TCP) handshaking between packets to
identify legitimate traffic and block unauthorized access attempts.
• Only the header information is checked to ensure that the traffic meets the circuit-level gateway
rules, while the content of data packets is skipped.
• It handles connections between trusted servers and clients and untrusted hosts.
• It is a stand-alone system or a specialized function performed by an application-level gateway.
• A circuit-level gateway sets up two TCP connections.
• The gateway typically relays TCP segments from one connection to the other without examining
the contents.
• Advantages :
-A circuit-level gateway acts as a proxy, hiding the internal host from the serving host.
-These gateways are inexpensive.
-Address schemes can be developed easily.
-Simple to implement.
-Every application does not require a separate proxy server.
• Disadvantages:
-A circuit-level gateway does not filter the individual packets.
-Frequent updates are required.
-Within the firewall, it does not offer protection against data leakage from devices.

4.2 Intrusion Detection:

• Intrusion Detection Systems (IDS):
• An IDS is defined as the tools, methods, and resources that help identify, assess, and report
unauthorized, unapproved, malicious or suspicious network activity.
• An IDS detects activity in traffic that may or may not be an intrusion.
• IDSes can detect and deal with insider attacks as well as external attacks, and are often very
useful in detecting violations of corporate security policy and other internal threats.
• How does an IDS work?
• An IDS (Intrusion Detection System) monitors the traffic on a computer network to detect any
suspicious activity.
• It analyzes the data flowing through the network to look for patterns and signs of abnormal
behavior.
• The IDS compares the network activity to a set of predefined rules and patterns to identify any
activity that might indicate an attack or intrusion.
• If the IDS detects something that matches one of these rules or patterns, it sends an alert to the
system administrator.
• The system administrator can then investigate the alert and take action to prevent any damage or
further intrusion.

• Classification of Intrusion Detection System:
• Host Intrusion Detection System (HIDS) :
• HIDS is a host-based IDS.
• Host intrusion detection systems (HIDS) run on independent hosts or devices on the network.
• A HIDS monitors the incoming and outgoing packets of the device only and will alert the
administrator if suspicious or malicious activity is detected.
• It takes a snapshot of existing system files and compares it with the previous snapshot.
• If the monitored system files were edited or deleted, an alert is sent to the administrator to
investigate.
• An example of HIDS usage can be seen on mission-critical machines, which are not expected to
change their layout.
• Advantages of HIDS:
-Can analyze what an application does.
-Detects attacks that never cross the network and so are invisible to a network-based IDS.
• Disadvantages:
-Has no view of the network beyond its own host.
-Needs to be installed on every host.
-Passive in nature, so it just informs about the attack without doing anything about it.
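The snapshot-and-compare check described above is the file-integrity part of a HIDS. The following added example (not from the notes) takes a baseline snapshot of a small directory tree, makes three changes to it, and reports exactly which files were modified, deleted and added. The directory layout, file names and contents are constructed inside a temporary directory so the code runs anywhere.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Added example (not from the notes): the snapshot-and-compare check a host-based IDS
# performs on system files. The directory tree and file contents are constructed.


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between two snapshots; lists are sorted for stable output."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a throwaway tree, take the baseline, make three changes, report them."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        write("bin/service", b"#!/bin/sh\necho service\n")
        write("etc/app.conf", b"listen = 8080\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)                                  # the "previous snapshot"

        write("etc/app.conf", b"listen = 8080\nadmin = yes\n")     # edited
        os.remove(os.path.join(root, "etc", "hosts"))              # deleted
        write("bin/extra", b"unexpected binary")                   # added
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline has to be stored somewhere the monitored host cannot silently rewrite (read-only media, a remote server, or at least signed), because an intruder who can edit the system files can otherwise also refresh the snapshot so that the comparison stays quiet.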

• Network Intrusion Detection System (NIDS) :
• NIDS is a network-based IDS.
• Network intrusion detection systems (NIDS) are set up at a planned point within the network to
examine traffic from all devices on the network.
• It observes the traffic flowing on the entire network and matches the traffic passed on the
network against the collection of known attacks.
• Once an attack is identified or abnormal behavior is observed, an alert can be sent to the
administrator.
• Advantages:
-Detects attacks in the entire network.
-It can use the information collected from attacks on different hosts to detect attacks on a new
or fresh host.
-Host production/performance remains unaffected.
• Disadvantages:
-It might be slow compared to the network speed.
-It is also passive in nature.
• Hybrid Intrusion Detection System :
• A system that combines, on the same security platform, the functionality of a host-based IDS, which
monitors events occurring on the host system, and a network-based IDS, which monitors network
traffic, is known as a Hybrid IDS.
• A Hybrid IDS monitors system and application events, verifying file system integrity like a host-based
IDS, but only analyzes network traffic for the device itself.
• A Hybrid IDS is often deployed on an organization’s most critical servers.

• Intrusion Detection Methods :
- Signature Based
- Anomaly Based

1. Signature-based IDS :
• Signature-Based Intrusion Detection Systems (IDS) are a category of security systems that
primarily focus on identifying known threats or attacks by comparing network traffic or system
activities against a database of predefined signatures or patterns.
• How Signature-Based IDS Works:
1. Signature Database: The core of a signature-based IDS is a database of signatures. These
signatures describe specific attack patterns or known vulnerabilities. For example, a signature
might represent the pattern of a particular virus, malware, or a common attack method like
SQL injection.
2. Traffic Monitoring: The IDS continuously monitors network traffic or system logs. In a
network setting, this can be at various points, such as routers, firewalls, or dedicated IDS
sensors.
3. Pattern Matching: As traffic flows through the IDS, it compares the observed data against
the signatures in its database. It is essentially looking for matches between the observed
patterns and the known signatures.
4. Alert Generation: When the IDS identifies a match between the observed data and a
signature in its database, it generates an alert. This alert can trigger various responses,
including notifying an administrator, blocking traffic, or taking other predefined actions.
• Advantages:
- Highly effective at detecting known threats and well-understood attack patterns.
- Low false positive rates, as it is looking for specific patterns.
• Disadvantages:
- Ineffectiveness against zero-day attacks: A signature-based IDS is powerless against
zero-day attacks or new, previously unknown threats. It cannot detect attacks for which
there are no predefined signatures.
- Signature maintenance: Keeping the signature database up to date is critical. New signatures
must be continuously added to account for emerging threats.
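The four steps above, run over log data, look like the added example below (not from the notes): a small signature database, a parser for web-server access log lines, pattern matching on the requested path, and an alert per match. The two signatures, the log format regex and the three log lines are constructed for illustration. One detail the step list does not mention but any real sensor relies on is normalisation: the request path is percent-decoded before matching, otherwise the encoded form of an SQL injection attempt slips past a signature written for the plain form.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_plus

# Added example (not from the notes): signature matching over web-server access log
# lines. Signatures, log format and log lines are constructed for illustration.


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    pattern: "re.Pattern[str]"


SIGNATURES: List[Signature] = [
    Signature(1001, "SQL injection: tautology in request", re.compile(r"'\s*or\s+1\s*=\s*1", re.I)),
    Signature(1002, "Path traversal: repeated ../", re.compile(r"(\.\./){2,}")),
]

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

LOG_LINES = [  # constructed sample traffic
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /login?user=admin%27%20or%201%3D1-- HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
]


def normalise(path: str) -> str:
    """Percent-decode before matching so %27 and ' are treated alike; decoding twice
    also covers input that arrived double-encoded."""
    return unquote_plus(unquote_plus(path))


def scan(lines: List[str], signatures: List[Signature] = SIGNATURES) -> List[Tuple[str, int, str]]:
    """Return (source ip, signature id, signature name) for every matching line."""
    alerts: List[Tuple[str, int, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; a real sensor would count these too
        path = normalise(m.group("path"))
        for sig in signatures:
            if sig.pattern.search(path):
                alerts.append((m.group("ip"), sig.sid, sig.name))
    return alerts


if __name__ == "__main__":
    for ip, sid, name in scan(LOG_LINES):
        print(f"ALERT sid={sid} src={ip} {name}")
```

The benign first line produces no alert and the two others produce one each, which is the low-false-positive, known-pattern-only behaviour the advantages and disadvantages above describe: a request that uses a technique with no signature in the list passes without comment.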
2. Anomaly-based IDS :
• An Anomaly-based Intrusion Detection System (IDS) is a type of security system designed to identify
abnormal or suspicious behavior within a computer network.
• It works by establishing a baseline of normal network activity and then detecting any deviations
from that baseline, which could indicate potential security threats or intrusions.
• How Anomaly-Based IDS Works:
1. Baseline Establishment: The IDS first establishes a baseline of normal network traffic, which
includes factors such as network bandwidth, system performance, and user behavior. This
baseline is typically learned over a period of time, and the IDS continuously updates it to adapt to
changing network conditions.
2. Anomaly Detection: After establishing the baseline, the IDS monitors network activity in real
time. It compares current network behavior to the established baseline and looks for anomalies or
deviations. Anomalies could be unusual spikes in network traffic, unexpected patterns of data
transfer, or any other behavior that falls outside the norm.
3. Alert Generation: When the IDS detects an anomaly, it generates alerts or notifications. These
alerts can be sent to network administrators, security personnel, or a centralized monitoring
system, indicating that there may be a security threat or suspicious activity that requires
investigation.
4. Investigation and Response: Once an alert is generated, security professionals investigate the
detected anomaly to determine if it represents a genuine security threat. If a threat is confirmed,
appropriate security measures are taken to mitigate the risk, which could include blocking
network traffic, isolating affected systems, or applying security patches.
• Advantages:
- Effective at detecting unknown or novel threats, including zero-day attacks.
- Can adapt to evolving threats and changing network behavior.
• Disadvantages:
- Higher false positive rates, as it may flag unusual but benign (not dangerous) behavior.
- May not detect attacks that closely mimic normal behavior.
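Steps 1 and 2 above, reduced to a single metric, are shown in the following added example (not from the notes): a baseline of requests per minute for one client is learned from a training window, a later observation is flagged when it lies more than k standard deviations above the mean, and a slow update lets the baseline follow gradual change. The training counts are constructed. The example also shows both disadvantages listed above: a benign spike is flagged, and an attacker who stays within the normal range is not.

```python
import statistics
from typing import List, Optional

# Added example (not from the notes): a numeric baseline of requests per minute for
# one client and a z-score test against it. Training counts are constructed.


class RateBaseline:
    """Baseline = mean and standard deviation of a metric over a training window.
    An observation is anomalous when it lies more than k standard deviations above
    the mean. min_std stops a perfectly flat training window from turning every
    tiny change into an alert (division by a zero deviation)."""

    def __init__(self, min_std: float = 0.5) -> None:
        self.min_std = min_std
        self.mean: Optional[float] = None
        self.std: Optional[float] = None

    def fit(self, counts: List[int]) -> "RateBaseline":
        if len(counts) < 2:
            raise ValueError("need at least two training observations")
        self.mean = statistics.mean(counts)
        self.std = max(statistics.pstdev(counts), self.min_std)
        return self

    def zscore(self, count: int) -> float:
        if self.mean is None or self.std is None:
            raise RuntimeError("baseline not fitted")
        return (count - self.mean) / self.std

    def is_anomalous(self, count: int, k: float = 3.0) -> bool:
        return self.zscore(count) > k

    def update(self, count: int, alpha: float = 0.1) -> None:
        """Fold a new observation slowly into the mean so the baseline follows
        gradual change. Call it only for observations that were NOT flagged;
        feeding flagged values back in teaches the baseline to accept them."""
        if self.mean is None:
            raise RuntimeError("baseline not fitted")
        self.mean = (1 - alpha) * self.mean + alpha * count


TRAINING = [10, 12, 11, 9, 13, 10, 12, 11]   # constructed requests/minute for one client


def triage(observations: List[int]) -> List[bool]:
    """Fit on the training window, then flag each later observation."""
    base = RateBaseline().fit(TRAINING)
    return [base.is_anomalous(c) for c in observations]


if __name__ == "__main__":
    # 12 is normal, 14 is a mild rise, 15 crosses the threshold, 60 is a clear spike
    print(triage([12, 14, 15, 60]))
```

With this training window the mean is 11 and the population standard deviation about 1.22, so the alert threshold sits just below 15: a client sending 15 requests in a minute is reported even if it is a legitimate burst (false positive), while an attacker pacing at 12 per minute looks exactly like the baseline and is never reported.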

• Difference between Signature based and Anomaly based IDS:

Detection Method
  Signature based: relies on a database of predefined attack patterns or signatures. These signatures
  are specific to known threats, including viruses, worms, and common attack techniques.
  Anomaly based: establishes a baseline of normal behavior for a network or system. It then monitors
  for deviations from this baseline, flagging any unusual or suspicious activity.
How it works
  Signature based: the system compares incoming network traffic or system events to the established
  signatures. If there is a match, the IDS generates an alert or takes a predefined action.
  Anomaly based: uses statistical analysis and machine learning techniques to identify deviations.
  When it detects significant deviations from the baseline, it generates alerts.
Zero-day attacks
  Signature based: ineffective against new or previously unseen threats (zero-day attacks).
  Anomaly based: effective at detecting new, previously unseen threats and zero-day attacks.
Known threats
  Signature based: highly accurate at detecting known threats.
  Anomaly based: may not recognize all known attacks or common patterns.
False positive rates
  Signature based: low false positive rates.
  Anomaly based: higher false positive rates, as normal behavior can vary widely.
Other differences
  Signature based: well-suited for known and widely distributed attacks; requires constant updates to
  maintain effectiveness.
  Anomaly based: complex to set up and fine-tune the baseline; adaptable to changing network
  conditions and evolving threats.

• Honeypots :
• A honeypot is a network-attached system used as a trap for cyber-attackers, to detect and study the
tricks and types of attacks used by hackers.
• It acts as a potential target on the Internet and informs the defenders about any unauthorized
attempt on the information system.
• Objectives of Honeypots:
• Detection: Honeypots are designed to detect unauthorized access or suspicious activities. Any
interaction with a honeypot is likely malicious, as they have no legitimate use within the network.
• Data Collection: They collect data on attack patterns, vulnerabilities, and the techniques
employed by attackers. This data can be valuable for improving security measures.
• Diversion: By diverting an attacker's attention to a honeypot, real critical systems can be
protected from harm.
• Advantages of Honeypots:
-Acts as a rich source of information and helps collect real-time data.
-Identifies malicious activity even if encryption is used.
-Wastes hackers’ time and resources.
-Improves security.
• Disadvantages of honeypots:
- Being distinguishable from production systems, it can be easily identified by experienced
attackers.
- Having a narrow field of view, it can only identify direct attacks.
- A honeypot, once compromised, can be used to attack other systems.
- Fingerprinting (an attacker can identify the true identity of a honeypot).

4.3 Email Security:

• Email Security Standards :
- Authentication
- Confidentiality
- Integrity
- Non-repudiation
• SMTP :
• SMTP stands for Simple Mail Transfer Protocol.
• SMTP is a set of communication guidelines that allow software to transmit electronic mail over
the Internet.
• It is a program used for sending messages to other computer users based on e-mail addresses.
• It provides mail exchange between users on the same or different computers.
• It can send a single message to one or more recipients.
• A message can include text, voice, video or graphics.
• It can also send messages on networks outside the Internet.
• The main purpose of SMTP is to set up communication rules between servers.
• The servers have a way of identifying themselves and announcing what kind of communication
they are trying to perform.
• They also have a way of handling errors such as an incorrect email address.
• For example, if the recipient address is wrong, then the receiving server replies with an error message
of some kind.
• Components of SMTP:
- Mail User Agent (MUA)
- Mail Submission Agent (MSA)
- Mail Transfer Agent (MTA)
- Mail Delivery Agent (MDA)
1. Mail User Agent (MUA): A computer application that helps you in sending and retrieving mail.
It is responsible for creating email messages for transfer to the Mail Transfer Agent (MTA).
2. Mail Submission Agent (MSA): A computer program that receives mail from a Mail
User Agent (MUA) and interacts with the Mail Transfer Agent (MTA) for the transfer of the mail.
3. Mail Transfer Agent (MTA): Software whose job is to transfer mail from one
system to another with the help of SMTP.
4. Mail Delivery Agent (MDA): A Mail Delivery Agent or Local Delivery Agent is a system that
helps in the delivery of mail to the local system.

• Working principle of SMTP:
1. Composition of Mail:
• A user sends an e-mail by composing an electronic mail message using a Mail User Agent
(MUA). A Mail User Agent is a program which is used to send and receive mail.
• The message contains two parts: body and header. The body is the main part of the message, while
the header includes information such as the sender and recipient address. The header also
includes descriptive information such as the subject of the message. In this case, the message body
is like a letter and the header is like an envelope that contains the recipient's address.
2. Submission of Mail:
• After composing an email, the mail client submits the completed e-mail to the SMTP server
by using SMTP on TCP port 25.
3. Delivery of Mail:
• E-mail addresses contain two parts: the username of the recipient and the domain name.
• If the domain name of the recipient's email address is different from the sender's domain name,
then the MSA will send the mail to the Mail Transfer Agent (MTA).
• To relay the email, the MTA will find the target domain. It checks the MX record from the Domain
Name System to obtain the target domain.
• The MX record contains the domain name and IP address of the recipient's domain. Once the
record is located, the MTA connects to the exchange server to relay the message.
4. Receipt and Processing of Mail:
• Once the incoming message is received, the exchange server delivers it to the incoming server
(Mail Delivery Agent), which stores the e-mail where it waits for the user to retrieve it.
5. Access and Retrieval of Mail:
• The stored email in the MDA can be retrieved by using a MUA (Mail User Agent). The MUA can be accessed
by using a login and password.

• Some SMTP Commands
• HELO – Identifies the client to the server by its fully qualified domain name; only sent once per session.
• MAIL – Initiates a message transfer; carries the fully qualified domain of the originator.
• RCPT – Follows MAIL and identifies an addressee, typically the fully qualified name of the addressee;
for multiple addressees use one RCPT for each addressee.
• DATA – Sends the message data line by line.
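To show the commands above in the order a server expects them, and the error reply the notes mention for a wrong recipient address, here is an added example (not from the notes) of a simulated receiving SMTP server. It enforces HELO before MAIL, MAIL before RCPT and RCPT before DATA, and answers with the standard reply codes (250 OK, 354 start mail input, 221 closing, 501 syntax error, 503 bad sequence, 550 mailbox unavailable). The server hostname, the local mailbox list and the client session are constructed; no sockets are involved, each client line is handed to the server directly.

```python
from typing import List, Optional, Tuple

# Added example (not from the notes): a simulated receiving SMTP server that enforces
# the HELO -> MAIL -> RCPT -> DATA order and answers with standard reply codes.
# Hostnames and mailboxes are constructed.

KNOWN_MAILBOXES = {"bob@example.com"}    # constructed local user list


class SmtpServerSim:
    def __init__(self, hostname: str = "mail.example.com") -> None:
        self.hostname = hostname
        self.helo: Optional[str] = None          # client name announced with HELO
        self.sender: Optional[str] = None        # reverse path from MAIL FROM
        self.rcpts: List[str] = []
        self.in_data = False
        self.body: List[str] = []
        self.delivered: List[Tuple[str, List[str], str]] = []

    @staticmethod
    def _address(arg: str, keyword: str) -> str:
        """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'; '' if malformed."""
        if not arg.upper().startswith(keyword + ":"):
            return ""
        return arg.split(":", 1)[1].strip().strip("<>").lower()

    def handle(self, line: str) -> str:
        """Process one client line; returns the reply ('' while the body is being read)."""
        if self.in_data:
            if line == ".":                                  # a lone dot ends the message
                self.in_data = False
                self.delivered.append((self.sender or "", self.rcpts, "\n".join(self.body)))
                self.sender, self.rcpts, self.body = None, [], []
                return "250 OK: queued for delivery"
            self.body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg
            return f"250 {self.hostname} Hello {arg}"
        if verb == "QUIT":
            return "221 Bye"
        if self.helo is None:
            return "503 Bad sequence of commands: send HELO first"
        if verb == "MAIL":
            addr = self._address(arg, "FROM")
            if not addr:
                return "501 Syntax error in parameters"
            self.sender, self.rcpts = addr, []
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence of commands: MAIL first"
            addr = self._address(arg, "TO")
            if not addr:
                return "501 Syntax error in parameters"
            if addr not in KNOWN_MAILBOXES:
                return "550 No such user here"            # the error reply for a wrong address
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Bad sequence of commands: need at least one RCPT"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 Command unrecognised"


def run_session(client_lines: List[str]) -> Tuple[List[str], SmtpServerSim]:
    """Feed one client's lines to a fresh server and collect the non-empty replies."""
    server = SmtpServerSim()
    replies = [r for r in (server.handle(line) for line in client_lines) if r]
    return replies, server


SESSION = [   # constructed client side of one transaction
    "HELO client.example.org",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<nobody@example.com>",      # unknown mailbox -> 550
    "RCPT TO:<bob@example.com>",
    "DATA",
    "Subject: hello",
    "",
    "Hi Bob,",
    "..this line began with a dot",      # dot-stuffed by the client, unstuffed by the server
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for reply in run_session(SESSION)[0]:
        print("S:", reply)
```

The 550 for the unknown recipient is exactly the "error message of some kind" described earlier, and it is also why a receiving server that answers 550 for every unknown address lets anyone enumerate which mailboxes exist; many servers therefore accept the message and bounce it later, trading that leak for the cost of handling undeliverable mail.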

• PGP (Pretty Good Privacy):
• PGP stands for Pretty Good Privacy; it was invented by Phil Zimmermann.
• PGP was designed to provide all four aspects of security, i.e., privacy, integrity, authentication, and
non-repudiation in the sending of email.
• PGP uses a digital signature (a combination of hashing and public key encryption) to provide
integrity, authentication, and non-repudiation. PGP uses a combination of secret key encryption
and public key encryption to provide privacy. Therefore, we can say that the scheme as a whole uses
one hash function, one secret key, and two private-public key pairs.
• PGP is an open source and freely available software package for email security.
• PGP provides authentication through the use of a digital signature.
• It provides confidentiality through the use of symmetric block encryption.
• It provides compression by using the ZIP algorithm, and e-mail compatibility using the radix-64
encoding scheme.
• PGP at the Sender site (A):
• Following are the steps taken by PGP to create a secure e-mail at the sender site:
• The e-mail message is hashed by using a hash function to create a digest.
• The digest is then encrypted by using the sender's private key to form a signed digest, and the
signed digest is added to the original email message.
• The original message and signed digest are encrypted by using a one-time secret key created by
the sender.
• The secret key is encrypted by using the receiver's public key.
• Both the encrypted secret key and the encrypted combination of message and digest are sent
together.
• PGP at the Receiver site (B):
• Following are the steps that show how PGP uses hashing and a combination of three
keys to recover the original message:
• The receiver receives the combination of the encrypted secret key and the encrypted message and digest.
• The encrypted secret key is decrypted by using the receiver's private key to get the one-time
secret key.
• The secret key is then used to decrypt the combination of message and digest.
• The digest is decrypted by using the sender's public key, and the original message is hashed by
using a hash function to create a digest.
• Both digests are compared; if they are equal, it means that all the aspects of security are
preserved.
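The sender and receiver steps above, carried out end to end, are shown in the following added example (not from the notes and not PGP's own code). So that it runs with only the Python standard library, the public key algorithm is textbook RSA built on Mersenne primes (genuine primes, but no padding) and the symmetric cipher is a SHA-256 keystream XORed with the data; both are stand-ins for the real primitives and are unsafe for actual use. The key exponents, the message and the tamper test are constructed. What the code makes visible is the order of operations and why the digest comparison at the receiver catches a message altered in transit.

```python
import hashlib
import secrets
from typing import Tuple

# Added example (not from the notes): the PGP sender/receiver steps run end to end.
# Textbook RSA on Mersenne primes and a SHA-256 keystream stand in for the real
# primitives so the example needs only the standard library. Not for real use.

Key = Tuple[int, int]   # (modulus n, exponent)


def mersenne(p: int) -> int:
    return (1 << p) - 1


def make_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """Return (public, private) for textbook RSA with e = 65537."""
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key: Key, value: int) -> int:
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value too large for this modulus")
    return pow(value, exp, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || block counter). Same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


# Constructed long-term keys; 521, 607, 1279 and 2203 are Mersenne prime exponents.
SENDER_PUB, SENDER_PRIV = make_keypair(mersenne(521), mersenne(607))
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(mersenne(1279), mersenne(2203))


def sig_size(key: Key) -> int:
    """Byte length of a signature under this modulus (same for public and private half)."""
    return (key[0].bit_length() + 7) // 8


def pgp_send(message: bytes, sender_priv: Key, receiver_pub: Key) -> Tuple[int, bytes]:
    digest = hashlib.sha256(message).digest()                                  # 1. hash the message
    signed = rsa_apply(sender_priv, int.from_bytes(digest, "big"))             # 2. sign the digest with the sender's private key
    bundle = signed.to_bytes(sig_size(sender_priv), "big") + message           #    signed digest added to the message
    session_key = secrets.token_bytes(16)                                      # 3. one-time secret key
    ciphertext = stream_xor(session_key, bundle)                               #    message + signed digest encrypted with it
    wrapped_key = rsa_apply(receiver_pub, int.from_bytes(session_key, "big"))  # 4. secret key encrypted with the receiver's public key
    return wrapped_key, ciphertext                                             # 5. both sent together


def pgp_receive(wrapped_key: int, ciphertext: bytes, receiver_priv: Key, sender_pub: Key) -> bytes:
    session_key = rsa_apply(receiver_priv, wrapped_key).to_bytes(16, "big")    # 1. recover the one-time key with the receiver's private key
    bundle = stream_xor(session_key, ciphertext)                               # 2. decrypt message + signed digest
    size = sig_size(sender_pub)
    signed, message = bundle[:size], bundle[size:]
    recovered = rsa_apply(sender_pub, int.from_bytes(signed, "big"))           # 3. "decrypt" the digest with the sender's public key
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")         # 4. hash the received message
    if recovered != expected:                                                  # 5. compare the two digests
        raise ValueError("digest mismatch: message altered or not signed by this sender")
    return message


def roundtrip_ok(message: bytes = b"constructed test message") -> bool:
    wrapped, ct = pgp_send(message, SENDER_PRIV, RECEIVER_PUB)
    return pgp_receive(wrapped, ct, RECEIVER_PRIV, SENDER_PUB) == message


def tamper_detected(message: bytes = b"constructed test message") -> bool:
    wrapped, ct = pgp_send(message, SENDER_PRIV, RECEIVER_PUB)
    flipped = bytearray(ct)
    flipped[-1] ^= 0x01                    # one bit of the encrypted message body changed in transit
    try:
        pgp_receive(wrapped, bytes(flipped), RECEIVER_PRIV, SENDER_PUB)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("round trip:", roundtrip_ok(), "tamper caught:", tamper_detected())
```

Because the stream cipher has no integrity of its own, flipping one ciphertext bit flips the same plaintext bit; it is the signed digest, not the encryption, that exposes the change, which is why the notes describe integrity and authentication as coming from the signature and only privacy from the secret-key encryption.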
• MIME :
• MIME stands for Multipurpose Internet Mail Extensions.
• It is used to extend the capabilities of Internet e-mail protocols such as SMTP. The MIME protocol
allows users to exchange various types of digital content such as pictures, audio, video, and
various types of documents and files in e-mail.
• MIME was created in 1991 by a computer scientist named Nathan Borenstein at a company called
Bell Communications.
• MIME is an e-mail extension protocol, i.e., it does not operate independently, but it helps to extend
the capabilities of e-mail in collaboration with other protocols such as SMTP.
• Before MIME, e-mail could transfer only text files of limited size, written in English.
• At present, it is used by almost all e-mail related service companies such as Gmail, Yahoo Mail and
Hotmail.
• Need of MIME :
The MIME protocol is used to transfer e-mail in computer networks for the following reasons:
• The MIME protocol supports multiple languages in e-mail, such as Hindi, French, Japanese,
Chinese, etc.
• Simple protocols can reject mail that exceeds a certain size, but there is no word limit in MIME.
• Images, audio, and video cannot be sent using simple e-mail protocols such as SMTP. These
require the MIME protocol.
• Many times, emails are designed using code such as HTML and CSS; they are mainly used by
companies for marketing their products. This type of code uses MIME to send email created from
HTML and CSS.
• MIME Header
MIME adds five additional fields to the header portion of the actual e-mail to extend the properties of
the simple email protocol. These fields are as follows:
1. MIME Version : Defines the version of the MIME protocol. It must have the value 1.0,
which indicates that the message is formatted using MIME.
2. Content Type : Type of data used in the body of the message. There are different types, like text
data (plain, HTML), audio content, or video content.
3. Content Type Encoding : Defines the method used for encoding the message, like 7-bit encoding,
8-bit encoding, etc.
4. Content Id : Used for uniquely identifying the message.
5. Content Description : Defines whether the body is actually an image, video, or audio.
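To see the five fields as they actually appear, the following added example (not from the notes) builds a message with Python's standard `email` package, one text part with accented characters and one image attachment, and then parses the raw bytes back and reads the headers off each part. On the wire the five fields are written MIME-Version, Content-Type, Content-Transfer-Encoding, Content-ID and Content-Description. The addresses, subject, body text and the stand-in image bytes are constructed; the message policy is cloned with `cte_type="7bit"` so that the encodings chosen are ones a 7-bit transport can carry.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List

# Added example (not from the notes): build a MIME message with the standard library
# and read the five MIME header fields back from each part. All values constructed.

FAKE_PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(64))   # constructed stand-in for an image file


def build_message() -> bytes:
    # 7-bit policy: text with non-ASCII characters gets quoted-printable (or base64),
    # binary data gets base64, as on the original ASCII-only SMTP transport.
    msg = EmailMessage(policy=policy.default.clone(cte_type="7bit"))
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Rapport et graphique"
    msg.set_content("Bonjour Bob, le résumé est ci-joint.\n")     # text/plain; charset=utf-8
    msg.add_attachment(
        FAKE_PNG,
        maintype="image",
        subtype="png",
        filename="chart.png",
        cid="<chart@example.org>",                                  # Content-ID of this part
        headers=["Content-Description: Bar chart of alerts per day"],
    )
    return msg.as_bytes()          # set_content added "MIME-Version: 1.0" for us


def describe_parts(raw: bytes) -> List[Dict[str, str]]:
    """One dict per leaf part with the MIME fields the notes list (plus filename)."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    parts: List[Dict[str, str]] = []
    for part in parsed.walk():
        if part.is_multipart():
            continue               # the multipart/mixed container itself carries no data
        parts.append({
            "content_type": part.get_content_type(),
            "charset": part.get_content_charset() or "",
            "content_transfer_encoding": str(part["Content-Transfer-Encoding"] or ""),
            "content_id": str(part["Content-ID"] or ""),
            "content_description": str(part["Content-Description"] or ""),
            "filename": part.get_filename() or "",
        })
    return parts


def mime_version(raw: bytes) -> str:
    return str(BytesParser(policy=policy.default).parsebytes(raw)["MIME-Version"])


def attachment_bytes(raw: bytes) -> bytes:
    """Decode the first attachment back to the original bytes (undoing base64)."""
    parsed = BytesParser(policy=policy.default).parsebytes(raw)
    return next(parsed.iter_attachments()).get_content()


if __name__ == "__main__":
    raw = build_message()
    print(raw.decode("ascii", "replace"))
    for p in describe_parts(raw):
        print(p)
```

Reading the fields back from the parsed message rather than from the object that built it matters for the security reader: a mail gateway only ever sees the bytes, so any filtering decision (for example on Content-Type or the attachment's filename) has to be made on the parsed values, and the two can disagree when a sender crafts inconsistent headers.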
• Features of MIME Protocol :
1. It supports multiple attachments in a single e-mail.
2. It supports non-ASCII characters.
3. It supports unlimited e-mail length.
4. It supports multiple languages.
• Working of MIME Protocol :
[Figure not reproduced in this text]
• Advantages of MIME :
The MIME protocol has the following advantages:
1. It is capable of sending various types of files in a message, such as text, audio and video files.
2. It also provides the facility to send and receive emails in different languages like Hindi,
French, Japanese, Chinese etc.
3. It also provides the facility of adding HTML and CSS to email, due to which people can
design email as per their requirements and make it attractive and beautiful.
4. It is capable of sending the information contained in an email regardless of its length.
5. It assigns a unique id to all e-mails.