Network and Cyber Security Overview

The document outlines the syllabus for a Computer Science and Engineering course focused on Network and Cyber Security, covering topics such as firewall types, intrusion detection systems, and web security mechanisms. It details various security concerns at different layers of a network, the functionality of firewalls, and the distinctions between intrusion detection systems and firewalls. Additionally, it discusses SSL and IPsec as methods for securing web traffic and the processes involved in SSL communication.

Uploaded by

Tanish Mohanta

TY BTech Semester-V (AY 2022-23)

Computer Science and Engineering

Disclaimer:
a. Information included in these slides came from multiple sources. We have tried our
best to cite the sources. Please refer to the references to learn about the sources,
when applicable.
b. The slides should be used only for preparing notes, academic purposes (e.g. in teaching
a class), and should not be used for commercial purposes.
Syllabus
Unit IV (9 Hrs)
Network and Cyber Security:
Networks Security Fundamentals, Layer-wise Security concerns, Firewalls: Packet filtering, Stateless and Stateful, Intrusion detection systems: host based, network based IDS, Secured Socket Layer Security, IP level IPSEC security, Email Security: PGP, S/MIME.
Cyber Security: Definition and origin, Cyber Crime and information security, Types of Cyber Crime, Classification of Cyber Criminals, Tools used in Cyber Crime, Challenges, Strategies, The Legal Perspective-Indian/Global Perspective, Types of Attack, Social Engineering, Cyber stalking,
Summary of Layers

Layer wise Security concerns
• Each layer can be exploited and has inherent vulnerabilities.
Layer: Security issues
• Application layer: Detecting and preventing viruses, worms, malicious code, and application abuses
• Presentation layer: Cryptographic flaws may be exploited to circumvent privacy protections
• Session layer: Session identification may be subject to spoofing and hijack
• Transport layer: Authenticating and securing end-to-end communications through data encryption
• Network layer: Protecting the ad hoc routing and forwarding protocols
• Data Link layer: Protecting the wireless MAC protocol and providing link-layer security support
• Physical layer: Preventing signal jamming denial-of-service attacks
Firewalls
❖ Two kinds of attacks on the network
FireWalls
❖ Similar to a Security Guard
❖ Protects an organization’s network
❖ Stands between internet and
  ► Intranet
Aims:
❖ Establish a controlled link
❖ Protect the premises network from Internet-based attacks
❖ Provide a single choke point

• A firewall defines a single choke point that keeps unauthorized users out of the protected network, prohibits potentially vulnerable services from entering or leaving the network, and provides protection from various kinds of IP spoofing and routing attacks.
Types of Firewall: Packet Filtering
❖ Also called screening router or screening filter
❖ Filtering rules are based on a number of fields in the IP and TCP/UDP headers.
Figure: the packet filter sits between outgoing packets and incoming packets. For each packet: receive the packet and apply the rules; if no rule matches, apply the default rules.
Filtering rule examples

❖ Advantages:
• Simplicity
• Transparency to users
• High speed
❖ Disadvantages:
• Difficulty of setting up packet filter rules correctly
• Lack of authentication

• Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions.
• Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited.
• Most packet filter firewalls do not support advanced user authentication schemes.
• Packet filter firewalls are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing.
• Due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations.
Countermeasures to attacks on Packet Filter firewalls
❖ IP address spoofing: The countermeasure is to discard packets with an inside source address if the packet arrives on an external interface.
❖ Source routing attacks: The countermeasure is to discard all packets that carry the source routing option.
❖ Tiny fragment attacks: The countermeasure is to inspect all fragments and to enforce a minimum fragment size.
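As an added illustration (not code from the slides), a minimal stateless packet filter in Python that applies an ordered rule list with a default-deny policy and, before the rules, the three countermeasures above. The inside prefix, interface names, minimum fragment size, rule set and packets are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed assumptions: the protected prefix behind the filter and a minimum first-fragment size.
INSIDE_NET = ip_network("10.0.0.0/8")
MIN_FIRST_FRAGMENT = 40   # bytes: enough for the IP header plus a full TCP header

@dataclass
class Packet:
    iface: str                 # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: Set[str] = field(default_factory=set)   # TCP flags, e.g. {"SYN"}
    source_routed: bool = False                    # IP source-routing option present
    frag_offset: int = 0                           # 0 = first (or only) fragment
    length: int = 1500                             # length of this fragment

@dataclass
class Rule:
    action: str                # "allow" or "deny"
    iface: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dport: Optional[int] = None
    flags: Optional[Set[str]] = None               # packet must carry all of these

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags <= p.flags))

def sanity_checks(p: Packet) -> Optional[str]:
    """The three countermeasures from the slide; returns the reason for a rejection."""
    if p.iface == "ext" and ip_address(p.src) in INSIDE_NET:
        return "spoofed inside source address on external interface"
    if p.source_routed:
        return "source-routed packet"
    if p.frag_offset == 0 and p.length < MIN_FIRST_FRAGMENT:
        return "tiny first fragment"
    return None

def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Stateless filtering: sanity checks first, then the first matching rule wins,
    then the default policy. Each packet is judged on its own header fields only."""
    reason = sanity_checks(p)
    if reason:
        return "deny", reason
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, f"rule {i}"
    return default, "default policy"

# Constructed rule set: inbound HTTPS to one inside server, anything outbound, deny the rest.
RULES = [
    Rule("allow", iface="ext", dst="10.1.1.80/32", proto="tcp", dport=443),
    Rule("allow", iface="int", src="10.0.0.0/8"),
]
```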
❖ Dynamic packet filter or Stateful packet filter or Stateful firewall
• Keeps track of the state of network connections (such as TCP streams) traveling across it.
• A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish. These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection.
❖ Stateless firewall
• Treats each network frame (packet) in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection, is trying to establish a new connection, or is just a rogue packet.
• The classic example is the File Transfer Protocol, because by design it opens new connections to random ports.
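Added example (not from the slides) contrasting the two kinds: a small connection tracker that admits an inbound TCP packet only when it answers a flow the inside already started, beside the stateless decision that can only open all high ports to let replies in. Addresses, ports and the state names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

@dataclass(frozen=True)
class Pkt:
    iface: str           # "int" (from the protected network) or "ext" (from the Internet)
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flags, e.g. frozenset({"SYN"})

Flow = Tuple[str, int, str, int]

class StatefulFirewall:
    """Tracks TCP connections so replies are allowed only for flows the inside started."""
    def __init__(self) -> None:
        self.table: Dict[Flow, str] = {}   # inside-initiated flow -> connection state

    def process(self, p: Pkt) -> str:
        flags = p.flags
        if p.iface == "int":
            fwd: Flow = (p.src, p.sport, p.dst, p.dport)
            if flags == frozenset({"SYN"}):
                self.table[fwd] = "SYN_SENT"       # new outbound connection attempt
                return "allow"
            state = self.table.get(fwd)
            if state is None:
                return "deny"                       # inside traffic for an unknown flow
            if "ACK" in flags and state == "SYN_RECV":
                self.table[fwd] = "ESTABLISHED"    # third packet of the handshake
            if "FIN" in flags or "RST" in flags:
                self.table.pop(fwd, None)           # connection torn down: forget it
            return "allow"
        # External packet: reverse the tuple to find the inside-initiated flow it answers.
        rev: Flow = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(rev)
        if state is None:
            return "deny"                           # unsolicited (a new inbound SYN, a rogue packet)
        if state == "SYN_SENT" and flags == frozenset({"SYN", "ACK"}):
            self.table[rev] = "SYN_RECV"
            return "allow"
        if state in ("SYN_RECV", "ESTABLISHED"):
            if "RST" in flags:
                self.table.pop(rev, None)
            return "allow"
        return "deny"

def stateless_decision(p: Pkt) -> str:
    """A stateless filter sees one packet at a time and cannot tell a reply from a rogue
    packet; to let replies reach clients it has to allow everything to ephemeral ports."""
    return "allow" if p.iface == "int" or p.dport >= 1024 else "deny"
```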
Application-Level Gateway
❖ An application-level gateway, also called an application proxy, acts as a relay of
application-level traffic.
❖ The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and
the gateway asks the user for the name of the remote host to be accessed.
❖ When the user responds and provides a valid user ID and authentication information,
the gateway contacts the application on the remote host and relays TCP segments
containing the application data between the two endpoints.
❖ If the gateway does not implement the proxy code for a specific application, the
service is not supported and cannot be forwarded across the firewall.

Figure: Application gateway relaying HTTP, SMTP, FTP and TELNET between an inside connection and an outside connection.
Circuit Gateway

Figure: Application gateway creates an illusion

Figure: Circuit gateway operation

• Application-level gateways tend to be more secure than packet filters.
• The application-level gateway only scrutinizes a few allowable applications.
• The application-level gateway logs and audits all incoming traffic at the application level.
• Drawback: Additional processing overhead on each connection.
Intrusion Detection Systems (IDS)
❖ Intrusion: A set of actions aimed to compromise the security goals, i.e. attempting to break into or misuse your system.
❖ Intrusion detection: The process of identifying and responding to intrusion activities.
❖ Intrusion prevention: Extension of ID with exercise of access control to protect computers from misuse.
❖ Intruders may be from outside the network or legitimate users of the network.
❖ Three types of intruders:
⚫ Masquerader: an unauthorized user who penetrates a system's access control to exploit another user's account; most likely an outsider
⚫ Misfeasor: a legitimate user who accesses data, programs or resources for which he/she is not authorized; generally an insider
⚫ Clandestine user: an individual who seizes supervisory control and
❖ IDS serve essential security functions: monitor, detect and respond to unauthorized activity
❖ Respond automatically (in real time) to security breach events: logging off a user, disabling a user account and launching scripts
❖ Prepare for and deal with attacks by collecting information from a variety of system and network sources, then analyzing the symptoms of security problems
❖ Provide a user-friendly interface for security management of systems
❖ Maintain an extensive attack signature database against which information from the customer's system can be matched
IDS functions:
❖ It monitors and analyzes the user and system activities
❖ It performs auditing of the system files and other configurations and the
operating system
❖ It assesses the integrity of system and data files
❖ It conducts an analysis of patterns based on known attacks
❖ It detects errors in system configuration
❖ It detects and cautions if the system is in danger

Firewall vs IDS
1. Firewall: A firewall is hardware and/or software which functions in a networked environment to block unauthorized access while permitting authorized communications.
   IDS: An Intrusion Detection System (IDS) is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report intrusion attempts to the network.
2. Firewall: A firewall can block unauthorized access to the network (e.g. a watchman standing at the gate can block a thief).
   IDS: An IDS can only report an intrusion; it cannot block it (e.g. a CCTV camera which can alert about a thief but cannot stop him).
3. Firewall: A firewall cannot detect security breaches for traffic that does not pass through it (e.g. a gateman can watch only the front gate; he is not aware of wall-jumpers).
   IDS: An IDS is fully capable of internal security, collecting information from a variety of system and network resources and analyzing the symptoms of security problems.
4. Firewall: A firewall doesn’t inspect the content of permitted traffic (a gateman will never suspect an employee of the company).
   IDS: An IDS keeps a check on the overall network.
5. Firewall: No man-power is required to manage a firewall.
   IDS: An administrator (man-power) is required to respond to threats issued by the IDS.
6. Firewall: Firewalls are the most visible part of a network to an outsider, hence more vulnerable to be attacked first (a gateman will be the first person attacked by a thief!!).
   IDS: IDS are very difficult to spot in a network (especially an IDS in stealth mode).
Intrusion Detection Method

Detection Method:
Analysis approach: piecing the evidence together
❖ Misuse detection (signature-based)
❖ Anomaly detection (statistical-based/behavior-based)
Deployment/Location:
❖ Network-based
❖ Host-based
❖ Misuse Detection (signature-based)
• Model of known attacks (attack patterns)
• Data packets, e.g. logs, are matched against the patterns (pattern matching); a match is reported to the admin as an intrusion
• Can’t detect new attacks
• Eg. SNORT IDS
Figure: activities (data packets, logs) → pattern matching against known attack patterns → intrusion reported to admin
❖ Anomaly detection (Statistical)
• This IDS models the normal usage of the network as a noise characterization.
• Anything distinct from the noise is assumed to be an intrusion activity.
– E.g. flooding a host with lots of packets.
• The primary strength is its ability to recognize novel attacks.
• Threshold
• Mean and standard deviation
Figure: activity measures → probable intrusion
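An added example (not the slides' code) showing both detection methods over constructed data: signature matching of log lines against a small rule set, which reports only what it already knows, and a mean-plus-k-standard-deviations threshold learned from a quiet baseline of packets per second, which catches the flooding case without a signature. The signatures, log lines and rate samples are constructed assumptions.

```python
import re
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed signature database (name -> pattern), in the spirit of a Snort-style rule set.
SIGNATURES = {
    "Directory traversal": re.compile(r"\.\./\.\./"),
    "Shell probe":         re.compile(r"/cgi-bin/.*\.sh", re.IGNORECASE),
    "SQL tautology":       re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

def misuse_detect(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Signature-based: report (line number, signature name) for every known pattern seen.
    Anything absent from the database, i.e. a new attack, goes unreported."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for name, pat in SIGNATURES.items():
            if pat.search(line):
                hits.append((n, name))
    return hits

def anomaly_detect(baseline: List[int], observed: List[int], k: float = 3.0) -> List[int]:
    """Statistical: learn mean and standard deviation of packets per second from a normal
    period, then flag every observed interval above mean + k * stddev (the threshold)."""
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = mu + k * sigma
    return [i for i, v in enumerate(observed) if v > threshold]

# Constructed web-server log lines (the "data packets, e.g. logs" input of the slide).
ACCESS_LOG = [
    '203.0.113.5 - - "GET /index.html HTTP/1.1" 200',
    '203.0.113.5 - - "GET /../../etc/passwd HTTP/1.1" 404',
    '198.51.100.2 - - "GET /cgi-bin/test.sh HTTP/1.1" 403',
    "198.51.100.2 - - \"GET /login?user=a' OR '1'='1 HTTP/1.1\" 200",
    '192.0.2.8 - - "GET /new-unknown-exploit HTTP/1.1" 500',   # no signature: missed
]
# Constructed packets-per-second samples: a quiet baseline, then a burst (the flooding example).
BASELINE_PPS = [50, 55, 48, 52, 60, 47, 51, 53, 49, 55]
OBSERVED_PPS = [54, 50, 900, 1200, 58]
```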
Host Based IDS
❖ Installed on an individual host or device on the network.
❖ Makes use of the resources of the host server – disk space, RAM and CPU time
❖ It monitors data packets from the device only and will alert the admin if suspicious activity is detected.
❖ Monitoring user activities & system program executions
❖ Works on snapshots.
❖ Tracks behavior changes associated with misuse.
❖ Uses OS auditing mechanisms
❖ Audit information includes events like the use of identification and authentication mechanisms (logins etc.), file opens and program executions, admin activities etc.
❖ This audit is then analyzed to detect trails of intrusion
❖ Strengths Of The Host Based IDS
• Attack verification
• System specific activity
• Monitoring key components
• Near real-time detection and response
• No additional hardware

❖ Drawbacks Of The Host Based IDS
• The kind of information that needs to be logged is a matter of experience.
• Unselective logging of messages may greatly increase the audit and analysis burdens.
• Selective logging runs the risk that attack manifestations could be missed.
Network Based IDS
• This IDS looks for attack signatures in network traffic
• A filter is applied to determine which traffic will be discarded or passed on to an attack recognition module.
• Monitor, Capture and Analyze.
• Detects malicious data present in packets.
• Analysis: Matches traffic to the library of known attacks.

Strengths Of The Network Based IDS
• Packet analysis
• Real time detection and response
• Malicious intent detection
• Operating system independence
Limitations: NIDS analysis is very difficult in a busy n/w.
Web Security
❖ Web now widely used by business, government, individuals
❖ But internet & web are vulnerable
❖ Have a variety of threats
• Integrity
• Confidentiality
• Denial of service
• Authentication
❖ Need added security mechanisms

Web Traffic Security Approaches
❖ One way to provide Web security is to use IP security.
❖ IPsec is transparent to end users and applications and provides a general-purpose solution.
❖ IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.
❖ The foremost example of the transport-level approach is Secure Sockets Layer (SSL) and Transport Layer Security (TLS).
Figure: (a) Network level, (b) Transport level, (c) Application level
Secured Socket Layer (SSL) Security
❖ Security services provided: authentication and confidentiality
❖ World’s most widely used security mechanism on the Internet
❖ Secures communication between a client and a server
❖ Located between the Application and Transport Layers of the TCP/IP protocol suite
Figure: Application Layer / SSL Layer / Transport Layer / Internet Layer / Data Link Layer / Physical Layer
Data Exchange including SSL
⚫ SSL performs encryption on the data and adds an encryption information header (SH)
Figure: data exchange between hosts X and Y; each layer sees the same unit on both sides:
  Application:  L5 data
  SSL:          L5 data | SH
  Transport:    L5 data | H4
  Internet:     L4 data | H3
  Data Link:    L3 data | H2
  Physical:     010101010100010101010010
  Transmission medium
How SSL Works?
SSL has 3 sub-protocols:
❖ Handshake Protocol
❖ Record Protocol
❖ Alert Protocol

SSL Handshake Protocol and Message Format
Type (1 byte) | Length (3 bytes) | Content (1 or more bytes)

Message Type: Parameters
• Hello request: None
• Client hello: Version, Random number, Session id, Cipher suite, Compression method
• Server hello: Version, Random number, Session id, Cipher suite, Compression method
• Certificate: Chain of X.509v3 certificates
• Server key exchange: Parameters, signature
• Certificate request: Type, authorities
• Server hello done: None
• Certificate verify: Signature
• Client key exchange: Parameters, signature
• Finished: Hash value
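An added example, not from the slides: an encoder and a strict parser for the Type/Length/Content framing above, using the SSL 3.0/TLS handshake type codes, plus a decoder for the leading hello fields (version, 4-byte time, 28 random bytes, session id). The parser refuses truncated or over-long messages rather than guessing, which is the behaviour a practitioner wants on untrusted input. The sample messages are constructed.

```python
from typing import Dict, List, Tuple

# SSL 3.0 / TLS handshake message type codes (RFC 6101, RFC 5246); names follow the slide's table.
HANDSHAKE_TYPES = {
    0: "Hello request", 1: "Client hello", 2: "Server hello", 11: "Certificate",
    12: "Server key exchange", 13: "Certificate request", 14: "Server hello done",
    15: "Certificate verify", 16: "Client key exchange", 20: "Finished",
}

def build_handshake(msg_type: int, content: bytes) -> bytes:
    """Type (1 byte) | Length (3 bytes, big-endian) | Content."""
    if not 0 <= len(content) < 1 << 24:
        raise ValueError("content too long for a 3-byte length")
    return bytes([msg_type]) + len(content).to_bytes(3, "big") + content

def parse_handshake_messages(data: bytes) -> List[Tuple[str, bytes]]:
    """Split a record body into (type name, content) pairs; reject anything malformed."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated handshake header")
        msg_type = data[pos]
        length = int.from_bytes(data[pos + 1:pos + 4], "big")
        pos += 4
        if length > len(data) - pos:
            raise ValueError("declared length exceeds available bytes")
        if msg_type not in HANDSHAKE_TYPES:
            raise ValueError(f"unknown handshake type {msg_type}")
        out.append((HANDSHAKE_TYPES[msg_type], data[pos:pos + length]))
        pos += length
    return out

def parse_hello_fields(content: bytes) -> Dict[str, object]:
    """Decode the leading fields shared by Client hello and Server hello: version (2 bytes),
    random (32 bytes = 4-byte time + 28 random bytes) and the length-prefixed session id."""
    if len(content) < 35:
        raise ValueError("hello too short")
    major, minor = content[0], content[1]
    gmt_time = int.from_bytes(content[2:6], "big")
    random28 = content[6:34]
    sid_len = content[34]
    if len(content) < 35 + sid_len:
        raise ValueError("session id runs past the message")
    return {"version": (major, minor), "gmt_unix_time": gmt_time,
            "random": random28, "session_id": content[35:35 + sid_len]}

# Constructed sample: a Server hello (leading fields only) followed by a Server hello done.
SAMPLE_SERVER_HELLO_CONTENT = (bytes([3, 0]) + (1_700_000_000).to_bytes(4, "big")
                               + bytes(range(28)) + bytes([4]) + b"\xaa\xbb\xcc\xdd")
SAMPLE_RECORD_BODY = build_handshake(2, SAMPLE_SERVER_HELLO_CONTENT) + build_handshake(14, b"")
```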
SSL Handshake Process
1. Establish security capabilities
2. Server authentication and key exchange
3. Client authentication and key exchange
4. Finish
Figure: the four phases exchanged between the Web Browser and the Web Server
SSL Handshake – Phase 1: Establish security capabilities
Step 1: Client hello (Web Browser → Web Server)
Step 2: Server hello (Web Server → Web Browser)
⚫ Version: 2, 3 or 3.1
⚫ Random number: used in the actual communication; two sub-fields:
  ⚫ 32-bit date/time field
  ⚫ 28-byte random number
⚫ Session id
⚫ Cipher suite: list of cryptographic algorithms
⚫ Compression method: list of compression algorithms
SSL Handshake – Phase 2: Server authentication and key exchange
Step 1: Certificate (Web Server → Web Browser)
Step 2: Server key exchange
Step 3: Certificate request
Step 4: Server hello done
⚫ The server sends its digital certificate, and it is mandatory
⚫ Server key exchange is optional. The server sends its public key in this message when the certificate is not available
⚫ The client verifies the certificate sent by the server and ensures that all parameters sent by the server are acceptable
SSL Handshake – Phase 3: Client authentication and key exchange
Step 1: Certificate (Web Browser → Web Server)
Step 2: Client key exchange
Step 3: Certificate verify
⚫ The client creates a 48-byte pre-master secret, encrypts it with the server’s public key and sends this encrypted pre-master secret to the server
⚫ Certificate verify is necessary only if the server has demanded client authentication
SSL Handshake – Phase 4: Finish
Step 1: Change cipher specs (Web Browser → Web Server)
Step 2: Finished (Web Browser → Web Server)
Step 3: Change cipher specs (Web Server → Web Browser)
Step 4: Finished (Web Server → Web Browser)
⚫ The master secret is used to generate keys and secrets for encryption and MAC computations
Figure: Pre-master secret + Client random + Server random → Message Digest Algorithms → Master secret
⚫ Finally, the symmetric keys to be used by the client and the server are generated.
Figure: Master secret + Client random + Server random → Message Digest Algorithms → Symmetric key
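An added example (not from the slides) carrying the two figures through in code: the SSL 3.0 master-secret and key-block expansion from RFC 6101 (MD5 over SHA-1 with the labels 'A', 'BB', 'CCC', ...), then the split of the key block into the six symmetric secrets. The pre-master secret, the two randoms and the MAC/key/IV lengths are constructed assumptions; TLS replaced this construction with its PRF.

```python
import hashlib
from typing import Dict, Tuple

def _ssl3_expand(secret: bytes, seed: bytes, n_blocks: int) -> bytes:
    """SSL 3.0 expansion (RFC 6101): block i = MD5(secret + SHA1(label_i + secret + seed)),
    where label_i is the letter chr(ord('A') + i) repeated i + 1 times ('A', 'BB', 'CCC', ...)."""
    out = b""
    for i in range(n_blocks):
        label = chr(ord("A") + i).encode() * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """First figure: 48-byte pre-master secret + client random + server random -> 48-byte master secret."""
    if len(pre_master) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("pre-master must be 48 bytes and each random 32 bytes")
    return _ssl3_expand(pre_master, client_random + server_random, 3)   # 3 x 16 bytes

def key_block(master: bytes, client_random: bytes, server_random: bytes, needed: int) -> bytes:
    """Second figure: master secret + randoms -> as many key bytes as the cipher suite needs.
    Note the seed order differs here: server random first, then client random."""
    n_blocks = -(-needed // 16)            # ceiling division
    return _ssl3_expand(master, server_random + client_random, n_blocks)[:needed]

def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                        mac_len: int = 20, key_len: int = 16, iv_len: int = 16
                        ) -> Tuple[bytes, Dict[str, bytes]]:
    """Split the key block into the six symmetric secrets, in the order SSL 3.0 defines."""
    ms = master_secret(pre_master, client_random, server_random)
    kb = key_block(ms, client_random, server_random, 2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return ms, keys

# Constructed inputs; a real client draws these from its CSPRNG and the hello messages.
PRE_MASTER = bytes([3, 0]) + bytes(46)     # version bytes followed by 46 "random" bytes (zeros here)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
```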
The Record Protocol
⚫ Two services:
  ⚫ Confidentiality
  ⚫ Integrity
⚫ Each block size ≤ 2^14
⚫ Loss-less compression mechanism
⚫ MAC for each block
⚫ Symmetric key algorithm
⚫ Append header
⚫ Content types carried: handshake, alert, cipher change
Change Cipher Spec Protocol

• This protocol uses the SSL Record protocol and consists of a single message
(single byte with the value 1)

• The only purpose of this message is to cause the pending state to be copied
into the current state, which updates the cipher suite to be used on this
connection.

Alert Protocol
⚫ When the client or server detects an error, the detecting party sends an alert message to the other party.
⚫ If an error is fatal, both parties immediately close the SSL connection
⚫ Other errors, which are not severe, do not result in the termination of the connection
Fatal Alert: Description
• Unexpected message: An inappropriate message was received.
• Bad record MAC: A message is received without a correct MAC.
• Decompression failure: The decompression function received an improper input.
• Handshake failure: Sender was unable to negotiate an acceptable set of security parameters from the available options.
• Illegal parameters: A field in the handshake message was out of range or was inconsistent with the other fields.
IP Security (IPsec)
❖ Idea: to encrypt and seal the transport and application layer data during transmission
❖ Internet Protocol Security (IPsec) provides various security services on the IP layer, in IPv4 as well as IPv6, thus offering protection for protocols in the upper layers
❖ IPsec is typically used to secure communications between hosts and security gateways
❖ IPsec encompasses three functional areas: authentication, confidentiality, and key management.
Figure: Internet header (not encrypted) | Transport header (encrypted) | Actual data (encrypted)
❖ Applications
⚫ Secure remote Internet access
⚫ Secure branch office connectivity
⚫ Set up communication with other organizations
❖ Advantages
⚫ IPSec is transparent to the end users.
⚫ When IPSec is configured to work with a firewall, it becomes the only entry-exit point for all traffic
⚫ IPSec works at the network layer.
⚫ IPsec can operate in two modes:
❖ Tunnel mode
⚫ typically used to tunnel IP traffic between two security gateways
Figure: host X in Network 1 and host Y in Network 2; proxies P1 and P2 with a tunnel between them. P1 <---> P2 … A <---> B
External IP header (not encrypted) | Internal IP header and data (encrypted)
⚫ IPsec protects the full IP datagram
⚫ The tunnel mode is normally used between two routers, or between a host and a router
❖ Transport mode
⚫ It does not hide source and destination addresses
⚫ IPSec in the transport mode does not protect the IP header; it only protects the information coming from the transport layer.
⚫ The transport mode is normally used when we need host-to-host protection (end-to-end encryption) of data.
⚫ IPsec provides two protocols:
IPsec offers two services: authentication and confidentiality. It also provides key management.
❖ Authentication header (AH): allows one to verify that the intermediate devices have not changed any of the data in the datagram
❖ Encapsulated security payload (ESP): AH ensures the integrity of the data in a datagram, but not its privacy.
⚫ AH provides authentication, integrity
⚫ ESP allows encryption to ensure privacy of a message
Internet Key Exchange (IKE) and Security Associations (SA)
• IPsec Security Association (SA) established using IKE
• Payload packets are encapsulated with ESP and/or AH
• An IPsec Security Association could be configured manually (at least in theory) or using some other protocol
• A one-way relationship between sender & receiver
– specifies IPSec related parameters
• Identified by 3 parameters:
– Destination IP Address
– Security Protocol: AH or ESP
– Security Parameters Index (SPI)
• A local 32-bit identifier (to be carried later to endpoints within AH and ESP)
• There are several other parameters associated with an SA
– stored locally in Security Association Databases (SAD)
Authentication Header (AH)
⚫ AH deals with and prevents replay attacks
⚫ AH is based on MAC
⚫ SPI used to identify the SA for the traffic to which a datagram belongs
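An added example (not from the slides) of the receive side of AH: a Security Association Database keyed by the (destination IP, protocol, SPI) triple from the previous slide, a truncated HMAC standing in for the MAC-based ICV, and the 64-packet sliding anti-replay window of RFC 4302. The ICV here covers only SPI, sequence number and payload rather than the immutable IP header fields of real AH; the key, SPI and payload are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW = 64   # anti-replay window in packets (RFC 4302: at least 32, default 64)

@dataclass
class SecurityAssociation:
    dst_ip: str
    protocol: str          # "AH" or "ESP"
    spi: int               # 32-bit Security Parameters Index carried in the AH header
    auth_key: bytes        # constructed MAC key for this SA
    highest_seq: int = 0   # right edge of the sliding window
    seen: int = 0          # bitmap: bit i set <=> sequence number highest_seq - i was received

class SAD:
    """Security Association Database keyed by the (dst IP, protocol, SPI) triple."""
    def __init__(self) -> None:
        self._db: Dict[Tuple[str, str, int], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self._db[(sa.dst_ip, sa.protocol, sa.spi)] = sa

    def lookup(self, dst_ip: str, protocol: str, spi: int) -> Optional[SecurityAssociation]:
        return self._db.get((dst_ip, protocol, spi))

def make_icv(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    """Simplified AH ICV: HMAC-SHA-256 truncated to 128 bits over SPI, sequence number and payload."""
    msg = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(sa.auth_key, msg, hashlib.sha256).digest()[:16]

def replay_check_and_update(sa: SecurityAssociation, seq: int) -> bool:
    """Sliding-window anti-replay (RFC 4302 3.4.3): accept a sequence number only if it is
    to the right of the window, or inside it and not yet seen; record it on acceptance."""
    if seq == 0:
        return False                       # sequence numbering starts at 1
    if seq > sa.highest_seq:               # new high-water mark: slide the window right
        shift = seq - sa.highest_seq
        sa.seen = ((sa.seen << shift) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
        return True
    offset = sa.highest_seq - seq
    if offset >= WINDOW:
        return False                       # left of the window: too old to judge, drop it
    if sa.seen & (1 << offset):
        return False                       # already received: a replay
    sa.seen |= 1 << offset
    return True

def receive_ah(sad: SAD, dst_ip: str, spi: int, seq: int, payload: bytes, icv: bytes) -> str:
    """Receive-side AH processing: find the SA, verify the ICV, then apply the replay window.
    The ICV is checked before the window is updated so a forged sequence number cannot move it."""
    sa = sad.lookup(dst_ip, "AH", spi)
    if sa is None:
        return "no SA"
    if not hmac.compare_digest(make_icv(sa, seq, payload), icv):
        return "bad ICV"
    if not replay_check_and_update(sa, seq):
        return "replay check failed"
    return "accepted"
```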
⚫ AH transport mode and tunnel mode

⚫ In tunnel mode, entire IP packet is authenticated

Encapsulating Security Payload
(ESP)
⚫ Provides confidentiality and integrity of messages
⚫ Based on symmetric key cryptography

⚫ ESP transport mode and tunnel mode

Thank You !!!!!!
