
The Transport Layer Security Protocol application

Published: 2017-04-12

TASK 1

a) Operation of Transport Layer Security (TLS)

The Transport Layer Security protocol is used for communication between client and server application programs across a network. TLS protects the communication against the following:

* Tampering,

* Eavesdropping,

* Message forgery.

TLS provides authentication of the endpoints and confidentiality across the network using cryptography; in addition, it offers RSA security at 1024- and 2048-bit key strengths.

In typical end-user/browser usage, TLS authentication is one-sided: only the server is authenticated (the client knows the server's identity), but not vice versa (the client remains unauthenticated or anonymous). TLS uses a handshake protocol to set up the communication across the Internet.

The steps involved in the TLS Handshake Protocol are as follows:

  1. Client and server exchange Hello messages to agree on algorithms, exchange random values, and check for session resumption.
  2. Client and server exchange the necessary cryptographic parameters to agree on a premaster secret.
  3. Certificates and cryptographic data are exchanged between client and server so that they can authenticate themselves. A master secret is generated from the premaster secret and the exchanged random values.
  4. The security parameters are provided to the record layer.
  5. The client and server verify that their peer has calculated the same security parameters and that the handshake took place without tampering by an attacker.
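Steps 3 and 5 above, as an added example that is not part of the original essay: the TLS 1.0 pseudo-random function (P_MD5 XOR P_SHA-1, RFC 2246) used to turn the premaster secret and the two Hello randoms into the 48-byte master secret, and the 12-byte Finished verify_data that lets each peer confirm the handshake was not altered in transit. The premaster secret, randoms and handshake transcript are constructed sample values, not captured traffic.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    # P_hash data expansion (RFC 2246 section 5):
    #   A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
    #   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) + HMAC_hash(secret, A(2) + seed) + ...
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    # TLS 1.0 PRF: split the secret in two halves (sharing the middle byte when the length is
    # odd), expand one with MD5 and the other with SHA-1, and XOR the two streams.
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))

def master_secret(premaster, client_random, server_random):
    # Handshake step 3: master_secret = PRF(pre_master_secret, "master secret",
    #                                      ClientHello.random + ServerHello.random)[0..47]
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)

def finished_verify_data(master, label, handshake_messages):
    # Handshake step 5: the Finished message carries 12 bytes derived from the master secret and
    # a digest of every handshake message exchanged so far, so a peer whose view of the
    # handshake was altered in transit computes a different value and the handshake fails.
    digest = hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    return tls10_prf(master, label, digest, 12)

def demo():
    # Constructed inputs (not captured traffic). With RSA key exchange the premaster secret is
    # the 2-byte client version (0x0301 = TLS 1.0) followed by 46 random bytes, sent encrypted
    # under the server's RSA public key; the randoms come from the two Hello messages.
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    premaster = b"\x03\x01" + b"\x5a" * 46
    transcript = b"ClientHello|ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"
    master = master_secret(premaster, client_random, server_random)
    client_finished = finished_verify_data(master, b"client finished", transcript)
    # The same handshake with one message modified on the wire (the tampering case of step 5).
    altered = transcript.replace(b"Certificate", b"Certificate*")
    altered_finished = finished_verify_data(master, b"client finished", altered)
    return {"master": master, "client_finished": client_finished, "altered_finished": altered_finished}

if __name__ == "__main__":
    r = demo()
    print("master secret      :", r["master"].hex())
    print("client verify_data :", r["client_finished"].hex())
    print("after tampering    :", r["altered_finished"].hex())
```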

The Windows Server 2003 operating system can use three related security protocols to provide authentication and secure communications across the Internet:

* Transport Layer Security Version 1.0

* Secure Socket Layer Version 3.0

* Secure Socket Layer Version 2.0

IPSec

IPSec is designed to provide practical, high-quality, cryptographically based protection for IPv4 and IPv6. The set of security services provided includes access control, protection against replays, connectionless integrity, encryption, data origin authentication, and limited traffic flow confidentiality. The set of IPSec protocols used in any context, and the modes in which they are used, are determined by the security and system requirements of users, applications, and/or sites.

When these mechanisms are correctly implemented and deployed, they ought not to adversely affect users, hosts, and other Internet elements that do not use these security mechanisms to protect their traffic. These mechanisms are also designed to be algorithm-independent. This modularity allows different sets of algorithms to be selected without affecting the other parts of the implementation.

Process of IPSec

This section gives an overview of the IPSec concepts that are central to understanding IPSec operation, including the Internet Key Exchange (IKE) protocol and IPSec policy configuration. It then shows how IPSec processes network traffic, using two intranet computers (Computer A and Computer B) as an example.

IPSec Policy Configuration

In Windows 2000, Windows XP, and the Windows Server 2003 family, IPSec is implemented mainly as an administrative tool that can be used to enforce security policies on IP network traffic. A filter specifies the network traffic to which a security requirement applies, and a filter action specifies what to do with it. A filter action can be configured as one of the following: Permit, Block, or Negotiate security (negotiate IPSec).

IPSec filters are inserted into the IP layer of the computer's TCP/IP protocol stack so that they can examine (filter) all inbound or outbound IP packets. Apart from the short delay needed to negotiate a security association between two computers, IPSec is largely transparent to end-user applications and operating system services.

Internet Key Exchange (IKE)

IKE is designed to securely establish a trust relationship between the two computers, to negotiate security options, and to dynamically generate shared, secret cryptographic keying material. The agreed set of security settings is called a security association (SA). SAs provide integrity, authenticity, and sometimes encryption for the IP packets sent under them.

IKE manages 2 types of security associations:

* A main mode security association.

* IPSec security associations.

The IPSec service reads an IPSec policy and expands it into the elements it needs to control the IKE negotiation. The packet filter is applied in two ways: one uses only the address and identity information to allow IKE to establish a main mode SA; the other allows IKE to establish the IPSec security associations.

IPSec network traffic processing

The following example shows how IPSec works for two computers.

1. Alice, using a data application on Computer A, sends an IP packet to Bob on Computer B.

2. The IPSec driver on Computer A checks its outbound IP filter lists and decides that the packets should be secured.

3. The action is to negotiate security, so the IPSec driver notifies IKE to begin negotiations.

4. The IKE service on Computer A completes a policy lookup in which its own IP address is the source and Computer B's is the destination. The main mode filter match determines the main mode settings that Computer A proposes to Computer B. In main mode, Computer A sends the initial IKE message using UDP source and destination port 500. IKE packets receive special processing by the IPSec driver so that they bypass the filters.

5. Computer B receives an IKE main mode message requesting secure negotiation. It uses the source and destination IP addresses of the UDP packet to perform a main mode policy lookup to find which security settings to agree to. Computer B has a matching main mode filter and so responds to begin negotiation of the main mode SA.

6. Computer A and Computer B now negotiate options, exchange identities, verify trust in those identities, and finally generate a shared master key. They have now established an IKE main mode SA. Computer A and Computer B must mutually trust one another.

7. Computer A, using the full filter against which the IPSec driver checked the outbound packet, performs an IKE quick mode policy lookup. Computer A chooses the quick mode security settings and proposes them, together with the quick mode filter, to Computer B. Computer B also performs an IKE quick mode policy lookup, using the filter description proposed by Computer A. Computer B selects the security settings required by its policy and compares them with those proposed by Computer A. Computer B accepts one set of options, and the remainder of the IKE quick mode negotiation is completed to produce a pair of IPSec security associations.

8. Of the two IPSec SAs, one is inbound and one is outbound. The IPSec SA referenced in the IPSec header of each packet sent is identified by a Security Parameter Index (SPI).

9. The IPSec driver on Computer A uses the outbound SA to sign and optionally encrypt the packets. If the network adapter can perform hardware offload, the IPSec driver does not perform the IPSec cryptographic functions itself, but it still formats the packets.

10. The IPSec driver passes the packets to the network adapter driver, indicating whether the adapter must perform the IPSec cryptographic functions. The network adapter sends the packets onto the network.

11. The network adapter driver on Computer B receives the encrypted packets from the network. The receiver of an IPSec packet uses the SPI to find the appropriate IPSec security association, which holds the cryptographic keys needed both to decrypt and to verify the packets. The network adapter attempts to decrypt the packets in hardware only if it is capable of doing so and recognizes the SPI; otherwise it passes the packets to the IPSec driver.

12. The IPSec driver on Computer B uses the SPI of the inbound SA to retrieve the keys for validating authentication and integrity and, optionally, for decrypting the packets.

13. The IPSec driver converts the packets from IPSec format to standard IP packets. The validated and decrypted IP packets are passed to the TCP/IP driver, which delivers them to the receiving application on Computer B.

14. The IPSec SAs continue to provide strong, transparent protection for application data traffic. By running IKE quick mode negotiation, the IPSec SAs are automatically refreshed as long as the application keeps sending and receiving data; if they become idle, they time out and are deleted.

15. The IKE main mode SA is not deleted but has a lifetime of eight hours. The main mode SA lifetime can be configured from as short as five minutes up to 48 hours. When more traffic is sent, a new quick mode is started to create two new IPSec SAs under which the application traffic is protected. Because the main mode SA already exists, this process is quick. If a main mode SA expires, it is automatically renegotiated as needed.
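The filter-action lookup, the SPI-indexed SA lookup and the anti-replay service from the walkthrough above, as an added example that is not part of the original essay or of any Windows component: a small in-memory model of two IPSec drivers. The IKE exchange is replaced by a local stand-in that simply hands both sides a shared key and a pair of SPIs (an assumption for the example; real IKE authenticates the peers and agrees the key over the network), the integrity check is HMAC-SHA256 over SPI, sequence number and payload, and the replay window follows the RFC 4303 sliding-window scheme.

```python
import hmac
import secrets
from dataclasses import dataclass

PERMIT, BLOCK, NEGOTIATE = "permit", "block", "negotiate"

@dataclass
class SecurityAssociation:
    spi: int
    auth_key: bytes
    window: int = 64
    highest_seq: int = 0   # outbound: last seq sent; inbound: highest seq seen
    bitmap: int = 0        # inbound: bit i set means highest_seq - i was already seen

    def replay_check(self, seq):
        # RFC 4303-style sliding window: this is the anti-replay service named in the text.
        if seq == 0:
            return False
        if seq > self.highest_seq:
            self.bitmap = ((self.bitmap << (seq - self.highest_seq)) | 1) & ((1 << self.window) - 1)
            self.highest_seq = seq
            return True
        diff = self.highest_seq - seq
        if diff >= self.window or self.bitmap & (1 << diff):
            return False  # too old, or a duplicate
        self.bitmap |= 1 << diff
        return True

def icv(sa, seq, payload):
    # Integrity check value over SPI, sequence number and payload (HMAC-SHA256 here).
    return hmac.new(sa.auth_key, sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload, "sha256").digest()

class IpsecDriver:
    def __init__(self, filters):
        self.filters = filters   # list of (src, dst, action); "*" matches any address
        self.outbound = {}       # (src, dst) -> SA protecting packets we send
        self.inbound = {}        # SPI -> SA checking packets we receive

    def filter_action(self, src, dst):
        # Step 2: the first matching filter decides Permit, Block or Negotiate.
        for fsrc, fdst, action in self.filters:
            if fsrc in (src, "*") and fdst in (dst, "*"):
                return action
        return PERMIT

    def negotiate(self, peer, src, dst):
        # Stand-in for IKE main and quick mode (steps 3-8): each side gets one outbound and one
        # inbound SA sharing a key, the inbound SA indexed by SPI. Real IKE also authenticates
        # the peers and agrees the key over the network; this shortcut does not.
        key = secrets.token_bytes(32)
        spi_ab = secrets.randbelow(2**32 - 256) + 256   # SPIs 1-255 are reserved
        spi_ba = secrets.randbelow(2**32 - 256) + 256
        self.outbound[(src, dst)] = SecurityAssociation(spi_ab, key)
        peer.inbound[spi_ab] = SecurityAssociation(spi_ab, key)
        peer.outbound[(dst, src)] = SecurityAssociation(spi_ba, key)
        self.inbound[spi_ba] = SecurityAssociation(spi_ba, key)

    def send(self, peer, src, dst, payload):
        # Steps 2, 3 and 9: consult the filter list, negotiate if needed, then protect.
        action = self.filter_action(src, dst)
        if action == BLOCK:
            return None
        if action == PERMIT:
            return {"src": src, "dst": dst, "payload": payload}
        if (src, dst) not in self.outbound:
            self.negotiate(peer, src, dst)
        sa = self.outbound[(src, dst)]
        sa.highest_seq += 1
        return {"src": src, "dst": dst, "spi": sa.spi, "seq": sa.highest_seq,
                "payload": payload, "icv": icv(sa, sa.highest_seq, payload)}

    def receive(self, packet):
        # Steps 11-13: find the SA by SPI, verify the ICV, then run the replay check.
        if packet is None:
            return None                              # blocked by the sender's filter
        if "spi" not in packet:
            return packet["payload"]                 # plain IP: the filter said Permit
        sa = self.inbound.get(packet["spi"])
        if sa is None:
            return None                              # unknown SPI: drop
        if not hmac.compare_digest(icv(sa, packet["seq"], packet["payload"]), packet["icv"]):
            return None                              # modified in transit: drop
        if not sa.replay_check(packet["seq"]):
            return None                              # replayed or too old: drop
        return packet["payload"]

def demo():
    # Constructed policy and addresses; the two drivers stand for Computer A and Computer B.
    a = IpsecDriver([("10.0.0.1", "10.0.0.2", NEGOTIATE), ("*", "10.0.0.3", BLOCK), ("*", "*", PERMIT)])
    b = IpsecDriver([("10.0.0.2", "10.0.0.1", NEGOTIATE), ("*", "*", PERMIT)])
    p1, p2, p3 = (a.send(b, "10.0.0.1", "10.0.0.2", m) for m in (b"hello", b"world", b"third"))
    return {
        "first": b.receive(p1),
        "second": b.receive(p2),
        "replayed": b.receive(p1),                              # same SPI and seq again
        "unknown_spi": b.receive(dict(p3, spi=p3["spi"] ^ 1)),  # no SA for that SPI
        "tampered": b.receive(dict(p3, payload=b"THIRD")),      # ICV no longer matches
        "plain": a.receive(b.send(a, "10.0.0.9", "10.0.0.1", b"unprotected")),
        "blocked": a.send(b, "10.0.0.1", "10.0.0.3", b"dropped"),
    }
```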

b) Advantage of TLS

Encryption - Both request and response bodies are protected from prying eyes in the middle.

Server authenticated - Clients that record the server's SSL certificate can monitor it to make sure it does not change over time. Using a certificate signed by a certificate authority can also offer a similar level of confidence for the client application.

Easy setup - No additional coding is required; just configure the web server. The advantage of an SSL VPN is that no client software is needed on the client computer: a web browser that supports the SSL protocol is sufficient. Because no client software is required on the client computer, no additional license cost is needed for the client PC to connect to the host.

Advantages of IPSec

There are, however, advantages to providing these services at the IP level instead of at other layers.

IPSec is the most common way to provide these services for the Internet.

* Higher-level services protect only a single protocol.

* Lower-level services protect only a single medium.

IPSec, however, can protect any protocol running above IP and any medium that IP runs over. More to the point, it can secure a variety of application protocols running over a complicated combination of media. This is the normal situation for Internet communication.

Some security services can be provided in the background by IPSec, with no visible impact on users. To use PGP encryption and signatures on mail, for example, the user must at least:

* remember his or her passphrase,

* keep it safe,

* follow routines to validate correspondents' keys.

These systems can be configured so that the load on users is not burdensome, but any system will place some requirements on users. No such system can hope to be secure if users are careless about meeting those requirements.

TASK 2

1) Internet Group Management Protocol

The Internet Group Management Protocol (IGMP) is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group membership.

It is an integral part of the IP multicast specification, operating above the network layer, though it does not actually act as a transport protocol. It is analogous to ICMP for unicast connections. IGMP can be used for online streaming video and gaming, and allows more efficient use of resources when supporting these types of applications.

IP multicast is a technique for one-to-many communication over an IP infrastructure in a network. It scales to a large receiver population by not requiring prior knowledge of who or how many receivers exist in the network. Multicast uses the network infrastructure efficiently by requiring the source to transmit a packet only once, even if it needs to be delivered to a large number of receivers. The nodes in the network take care of replicating the packet to reach multiple receivers only where necessary. The most common low-level protocol to use multicast addressing is the User Datagram Protocol (UDP). By its nature, UDP is not reliable: messages may be lost. Reliable multicast protocols such as Pragmatic General Multicast (PGM) have been developed to add loss detection and retransmission on top of IP multicast.

Once the receivers join a specific IP multicast group, a multicast distribution tree is built for that group. The protocol most commonly used for this is Protocol Independent Multicast (PIM). It sets up multicast distribution trees so that data packets from senders to a multicast group reach all receivers that have joined the group.

The IP multicast model has been identified by Internet architect Dave Clark as follows: You put packets in at one end, and the network conspires to deliver them to anyone who asks.

Multicast compared with unicast

IP multicast creates state information per multicast distribution tree in the network, i.e., current IP multicast routing protocols do not aggregate state for multiple distribution trees. So if a router is part of 1000 multicast trees, it has 1000 multicast routing and forwarding entries. As a result there are concerns about scaling multicast to large numbers of distribution trees. However, since multicast state exists only along the distribution tree, it is unlikely that any single router in the Internet keeps state for all multicast trees. This is a basic difference from unicast. A unicast router needs to know how to reach all other unicast addresses in the Internet, even if it does so using just a default route. For this reason, aggregation is the key to scaling unicast routing. Also, there are core routers that carry routes in the hundreds because they hold the Internet routing table. A multicast router, on the other hand, does not need to know how to reach all other multicast trees in the Internet.

2)Multicast Process

Multicast is a process of sending information to more than one recipient in a network. Multicast is entirely different from broadcast.

1. The client sends an IGMP join message to its designated multicast router. The destination MAC address maps to the Class D address of the group being joined, rather than being the MAC address of the router. The body of the IGMP datagram also contains the Class D group address.

2. The designated router logs the join message and uses PIM or another multicast routing protocol to add this segment to the multicast distribution tree.

3. IP multicast traffic sent from the server is now distributed via the designated router to the client's subnet. The destination MAC address corresponds to the Class D address of the group.

4. The switch receives the multicast packet and examines its forwarding table. If no entry exists for the MAC address, the packet is flooded to all ports within the broadcast domain. If an entry does exist in the switch table, the packet is forwarded only to the specified ports.

5. With IGMP v2, the client can terminate group membership by sending an IGMP leave message to the router. With IGMP v1, the client remains a member of the group until it fails to send a join message in reply to a query from the router. Multicast routers also periodically send an IGMP query to the all-hosts multicast group, or to a particular multicast group on the subnet, to find out which groups still have members within the subnet. Each host delays its response to a query by a small random period and then responds only if no other host in the group has already responded. This mechanism prevents many hosts from congesting the network with simultaneous reports.
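The join, query and leave steps above, as an added example that is not part of the original essay: the Class D to Ethernet multicast MAC mapping referred to in steps 1 and 3 (01:00:5e plus the low 23 bits of the group address), an IGMPv2 message builder and parser with the standard Internet checksum, the destination each message type is sent to, and the random report delay of step 5. The group address and the exchange in `demo()` are constructed sample values.

```python
import ipaddress
import random
import struct

IGMP_MEMBERSHIP_QUERY, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x16, 0x17
ALL_HOSTS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"

def multicast_mac(group):
    # Steps 1 and 3: a class D group maps to Ethernet 01:00:5e + a zero bit + the low 23 bits
    # of the group address, so 32 different groups share each multicast MAC.
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a class D address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def inet_checksum(data):
    # One's-complement checksum shared by IP, ICMP and IGMP.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_igmpv2(msg_type, group, max_resp_tenths=0):
    # IGMPv2 message (RFC 2236): type, max response time in 1/10 s, checksum, group address.
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmpv2(data):
    if len(data) < 8:
        raise ValueError("short IGMP message")
    if inet_checksum(data[:8]) != 0:          # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", data[:8])
    return {"type": msg_type, "max_resp_tenths": max_resp, "group": str(ipaddress.IPv4Address(group))}

def destination(msg_type, group):
    # Where each message goes on the wire: a report to the group itself (its MAC is the group MAC,
    # as step 1 says), a leave to all-routers, a general query to all-hosts.
    if msg_type == IGMP_V2_REPORT:
        dst = group
    elif msg_type == IGMP_LEAVE:
        dst = ALL_ROUTERS
    else:
        dst = ALL_HOSTS if group == "0.0.0.0" else group
    return dst, multicast_mac(dst)

def report_delay(query, seed=None):
    # Step 5: each member delays its report by a random time up to the query's max response
    # time and stays silent if another member reports first.
    return random.Random(seed).uniform(0, query["max_resp_tenths"] / 10.0)

def demo():
    # Constructed join/query/leave exchange for one group.
    group = "239.1.2.3"
    report = build_igmpv2(IGMP_V2_REPORT, group)
    query = build_igmpv2(IGMP_MEMBERSHIP_QUERY, "0.0.0.0", max_resp_tenths=100)
    leave = build_igmpv2(IGMP_LEAVE, group)
    return {
        "report": (parse_igmpv2(report), destination(IGMP_V2_REPORT, group)),
        "query": (parse_igmpv2(query), destination(IGMP_MEMBERSHIP_QUERY, "0.0.0.0")),
        "leave": (parse_igmpv2(leave), destination(IGMP_LEAVE, group)),
        "delay": report_delay(parse_igmpv2(query), seed=1),
    }
```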

3) PIM

Protocol Independent Multicast (PIM) is a family of multicast routing protocols, each optimized for a different environment. There are two main PIM protocols, PIM Sparse Mode and PIM Dense Mode. A third PIM protocol, Bi-directional PIM, is less widely used.

Generally, either PIM Sparse Mode or PIM Dense Mode is used throughout a multicast domain. However, they may also be used together within a single domain, using Sparse Mode for some groups and Dense Mode for others. This mixed-mode configuration is known as Sparse-Dense Mode. Likewise, Bi-directional PIM may be used on its own, or in conjunction with one or both of PIM Sparse Mode and PIM Dense Mode.

PIM Sparse Mode

PIM Sparse Mode (PIM-SM) is a multicast routing protocol designed on the assumption that recipients for any particular multicast group will be sparsely distributed throughout the network. In other words, it is assumed that most subnets in the network will not want any given multicast packet. In order to receive multicast data, routers must explicitly tell their upstream neighbors about their interest in particular groups and sources. Routers use PIM Join and Prune messages to join and leave multicast distribution trees.

By default PIM-SM uses shared trees, which are multicast distribution trees rooted at a selected node, the Rendezvous Point (RP), and used by all sources sending to the multicast group. To send to the RP, sources must encapsulate data in PIM control messages and send it by unicast to the RP. This is handled by the source's Designated Router (DR), which is a router on the source's local network. A single DR is elected from all PIM routers on a network so that unnecessary control messages are not sent.

PIM-SM also supports source-based trees, in which a separate multicast distribution tree is constructed for each source sending data to a multicast group. Each tree is rooted at a router next to the source, and sources send data directly to the root of the tree. Source-based trees enable Source-Specific Multicast (SSM), which allows hosts to specify the source from which they wish to receive data as well as the multicast group they want to join. With SSM, a host identifies a multicast data stream by a source and group address pair (S,G) rather than by group address alone.

PIM-SM may use source-based trees under the following conditions.

  1. For SSM, a last-hop router joins a source-based tree from the outset.
  2. To avoid data sent to an RP having to be encapsulated, the RP may join a source-based tree.
  3. To optimize the data path, a last-hop router may choose to switch from the shared tree to a source-based tree.

PIM-SM is a soft-state protocol, i.e., all state times out a while after the control message that created it was received. To keep the state active, all PIM Join messages are periodically retransmitted.

PIM Dense Mode

PIM Dense Mode is a multicast routing protocol designed with the opposite assumption to PIM-SM, namely that the receivers for any multicast group are densely distributed throughout the network. That is, it is assumed that most subnets in the network will want any given multicast packet. Multicast data is initially sent to all hosts in the network. Routers that have no interested hosts then send PIM Prune messages to remove themselves from the tree.

When a source first begins transmitting data, each router on the source's LAN receives the data and forwards it to all its PIM neighbors and to all links with directly attached receivers for the data. Each router that receives a forwarded packet forwards it in turn, but only after checking that the packet arrived on its upstream interface; if not, the packet is discarded. This mechanism prevents forwarding loops. In this way, the data is flooded to all parts of the network.

Some routers will have no need of the data, either for directly connected receivers or for other PIM neighbors. These routers react to receipt of the data by sending a PIM Prune message upstream, which creates Prune state in the upstream router, causing it to stop forwarding the data to that downstream neighbor. In turn, this may leave the upstream router with no need of the data, triggering it to send a Prune message to its own upstream neighbor. This 'broadcast and prune' behavior means that eventually the data is only sent to those parts of the network that require it.

TASK 3

LIST OF INTERNET PROTOCOLS USED TO SEND EMAIL MESSAGES

IMAP supports both connected and disconnected modes of operation. E-mail clients using IMAP typically leave messages on the server until the user explicitly deletes them. This and other aspects of IMAP operation allow multiple clients to access the same mailbox.

Most e-mail clients support either POP3 or IMAP to retrieve messages; however, fewer Internet Service Providers (ISPs) support IMAP. IMAP4 provides access to the mail store; the client may store local copies of the messages, but these are considered a temporary cache, and the server's store is authoritative.

E-mail messages are usually sent to an e-mail server that stores received messages in the recipient's mailbox. The user later retrieves these messages using either a web browser or an e-mail client that uses one of a number of e-mail retrieval protocols. While a few clients and servers prefer vendor-specific, usually proprietary, protocols, most support the Internet standard protocols SMTP for sending e-mail and POP3 and IMAP4 for retrieving e-mail, providing interoperability with other servers and clients.

E-mail clients can normally be configured to use either POP3 or IMAP4 to retrieve e-mail, and in both cases use SMTP for sending. Most e-mail programs can also use the Lightweight Directory Access Protocol (LDAP) for directory services.

Nearly all subscribers to individual Internet service provider e-mail accounts access them with client software that uses POP3.

IMAP is frequently used in large networks.

EMAILS PROTOCOLS EXPLAINED

A protocol can be defined as a set of rules, or a language, for carrying out a specific task. For example, TCP/IP is the language that computers on the Internet use to speak to each other.

E-mail has its own set of rules, or protocols, to control what happens to your e-mail while it is moving around the Internet. The e-mail protocols are listed below.

POP3

Post Office Protocol 3 is a protocol or set of rules used to download e-mail from a mail server.

Most current e-mail applications, such as Outlook Express, Eudora and Pegasus Mail, support POP3; the only exception to this rule is AOL.

SMTP

Simple Mail Transfer Protocol is a protocol, or set of rules, for sending e-mail between mail servers. The vast majority of mail servers use SMTP. SMTP is used to send e-mail to a mail server, whereas POP3 is used to retrieve or download the same e-mail.

IMAP

Internet Message Access Protocol is a protocol, or set of rules, for retrieving or downloading e-mail from a mail server. IMAP4 is the latest version and is similar to POP3, but has some additional features, such as being able to search through your e-mail messages by keyword while the e-mail is still on the server.

Why a received message differs from the sent message:

This behavior occurs if one of the following conditions is true.

The Recipient's E-mail Client Does Not Recognize Your E-mail Format

The recipient's e-mail program does not recognize your e-mail format. For example, the recipient's e-mail program may not understand Hypertext Markup Language (HTML). The e-mail format determines whether text is bolded, whether bullets and colored fonts are used, and whether pictures can be added to the message body. If you send a message in a specific e-mail format, it may not look the same to the recipient, because some e-mail programs do not support formatted messages or icons.

The Recipient's E-mail Client Does Not Recognize a Transport-Neutral Encapsulation Format (TNEF) File

TNEF is a proprietary method of packaging data for sending messages across the Internet. A TNEF-encoded message contains the plain text message and a binary attachment that packages the other parts of the original message. In most cases the binary attachment is named Winmail.dat and may include OLE objects, the formatted text, Outlook features (custom forms, voting buttons, and meeting requests) and normal file attachments.

The Recipient's E-mail Client Does Not Recognize Outlook Rich Text Format (RTF) or Microsoft Word

If you use Microsoft Word as your e-mail editor, it may add a Winmail.dat file attachment to your message that the recipient sees when the mail arrives. The Winmail.dat file contains formatting used with Outlook Rich Text Format and with Microsoft Word as the e-mail editor, and the recipient's client is not able to interpret this format.

The Recipient's E-mail Program Does Not Understand Quoted-Printable When It Converts Data from Your Message

Your message arrives with "=" or "=20" (without the quotation marks) scattered throughout the text.

Task 4

Introduction to IPv6

Microsoft is delivering support for the forthcoming update to the Internet layer protocol, Internet Protocol version 6 (IPv6, RFC 2460), for packet-switched internetworks. IPv4 is currently the predominant Internet Protocol version and was the first to gain worldwide usage.

The Internet Engineering Task Force (IETF) has defined IPv6 as the successor to version 4 for general use on the Internet. It greatly increases the size of the address space used to identify communication endpoints in the Internet, thereby allowing the Internet to continue its enormous rate of growth. IPv6 is also known as IP Next Generation (IPng).

IPv4 Limitations

Today's Internet uses IPv4, which is now nearly twenty years old. IPv4 has been remarkably successful, but in spite of that it is beginning to have problems. First and foremost, there is a growing shortage of IPv4 addresses, which are required by every new machine added to the Internet.

The limited address space pushes organizations to use Network Address Translation (NAT) and firewalls to map multiple private addresses to a single public IP address. NAT does not support standards-based network-layer security and also creates complicated barriers to VoIP and other services.

Characteristics of IPv6

IPv6 has a new header format designed to reduce header overhead. This is achieved by moving both non-essential fields and optional fields to extension headers that appear after the IPv6 header. Intermediate routers can process the streamlined IPv6 header efficiently. IPv4 headers and IPv6 headers do not interoperate. IPv6 is not a superset of IPv4 functionality, so backward compatibility with IPv4 is not possible. A host or router must use an implementation of both IPv4 and IPv6 to recognize and process both header formats. The IPv6 header is only twice as large as the IPv4 header, even though IPv6 addresses are four times as large as IPv4 addresses.

IPv6 has a much larger address space than IPv4. IPv6 has 128-bit (16-byte) source and destination IP addresses. While 128 bits can express over 3.4×10^38 possible combinations, the large address space of IPv6 has been designed for multiple levels of subnetting and address assignment, from the Internet backbone down to the individual subnets within an organization. The Time-to-Live field of IPv4 has been replaced by a Hop Limit field.

IPv6 provides a higher level of built-in security, and it has been specifically designed with mobile devices in mind. Mobility comes in the form of Mobile IP, which allows roaming between different networks without losing the assigned IP address. Unlike Mobile IPv4, Mobile IPv6 (MIPv6) avoids triangular routing and is therefore as efficient as normal IPv6.

IPv6 can easily be extended by adding extension headers after the IPv6 header. Unlike the options in the IPv4 header, which can hold only 40 bytes of options, the size of the IPv6 extension headers is constrained only by the size of the IPv6 packet.
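The fixed 40-byte header and the extension-header chain described above, as an added example that is not part of the original essay: a builder and parser for the IPv6 fixed header (RFC 2460) and for a hop-by-hop options header, showing that the fixed header carries no checksum and no length field, that the Hop Limit replaces the IPv4 TTL, and that a receiver reaches the upper-layer protocol by following the Next Header chain. The addresses, option and payload in `demo()` are constructed sample values, and only the four common extension-header types are walked.

```python
import ipaddress
import struct

IPV4_MIN_HEADER_LEN = 20   # IPv4 header without options
IPV6_HEADER_LEN = 40       # fixed IPv6 header: exactly twice the IPv4 minimum
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    # Fixed 40-byte header: version, traffic class, flow label, payload length, next header,
    # hop limit (replaces IPv4 TTL), addresses. There is no checksum and no header-length field.
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def build_options_header(next_header, options):
    # Hop-by-hop / destination options header: next header, length in 8-octet units not counting
    # the first 8, then option TLVs padded with Pad1/PadN to a multiple of 8 octets.
    body = bytes(options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += b"\x00"                                       # Pad1
    elif pad > 1:
        body += bytes([1, pad - 2]) + b"\x00" * (pad - 2)     # PadN
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body

def parse_ipv6(packet):
    # Walk the Next Header chain to the upper-layer protocol. A forwarding router only needs
    # the fixed header; the extension headers are for the endpoints.
    first_word, payload_len, nh, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HEADER_LEN])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    end = IPV6_HEADER_LEN + payload_len
    if len(packet) < end:
        raise ValueError("truncated packet")
    offset, chain = IPV6_HEADER_LEN, []
    while nh in EXT_HEADERS:
        length = 8 if nh == FRAGMENT else (packet[offset + 1] + 1) * 8   # Fragment header is fixed size
        if offset + length > end:
            raise ValueError("extension header runs past payload")
        chain.append((nh, length))
        nh, offset = packet[offset], offset + length
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "hop_limit": hop_limit, "flow_label": first_word & 0xFFFFF,
            "extension_headers": chain, "upper_layer": nh, "payload": packet[offset:end]}

def demo():
    # Constructed packet: IPv6 -> Hop-by-Hop (Router Alert option, type 5) -> UDP (17) payload.
    payload = b"constructed UDP payload"
    hbh = build_options_header(17, b"\x05\x02\x00\x00")
    packet = build_ipv6("2001:db8::1", "2001:db8::2", HOP_BY_HOP, hbh + payload, flow_label=0xABCDE)
    return parse_ipv6(packet)
```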

Difference between IPv4 and IPv6

IPv4

* The length of the source and destination addresses is 32 bits (4 bytes).

* IPSec support is optional.

* The IPv4 header does not identify packet flows for QoS handling by routers.

* Both routers and the sending host fragment packets.

* The header includes a checksum.

* The header includes options.

* Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IP address to a link-layer address.

* Internet Group Management Protocol (IGMP) manages membership in local subnet groups.

* ICMP Router Discovery, although optional, is used to determine the IPv4 address of the best default gateway.

* Broadcast addresses are used to send traffic to all nodes on a subnet.

* Must be configured either manually or through DHCP.

* Uses host address (A) resource records in the Domain Name System (DNS) to map host names to IPv4 addresses.

* Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names.

* Must support a 576-byte packet size.

IPv6

* The length of the source and destination addresses is 128 bits (16 bytes).

* IPSec support is required.

* Only the sending host fragments packets; routers do not.

* No checksum is included in the header.

* All optional data is moved to IPv6 extension headers.

* Membership in local subnet groups is managed by Multicast Listener Discovery (MLD) messages.

* IPv6 uses a link-local scope all-nodes multicast address instead of broadcast addresses.

* Does not require manual configuration or DHCP.

* Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses.

* Uses pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names.

* Should support a 1280-byte packet size (without fragmentation).

TASK 5

An intrusion detection system (IDS) is a device or application that monitors network and system activities for malicious activity.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies or acceptable use policies.

a) IDSes are classified as active and passive, network-based and host-based, and knowledge-based and behavior-based:

Active and passive IDS

An active IDS, commonly called an intrusion prevention system (IPS), is a system designed to automatically stop suspected attacks in progress without any intervention by an operator. An IPS has the advantage of allowing real-time corrective action in response to an attack, but it has many disadvantages too. An IPS must be placed in-line along a network boundary; thus the IPS itself is susceptible to attack. Also, if false alarms and legitimate traffic have not been properly identified and filtered, authorized users and applications may be improperly denied access. Finally, the IPS itself may be used to effect a Denial of Service (DoS) attack by deliberately flooding the system with alarms that cause it to block connections until no connections or bandwidth are available.

Intrusion prevention systems were developed in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line.

A passive IDS is a system designed only to monitor and analyze network traffic activity and alert an operator to potential vulnerabilities and attacks. It is not capable of performing any protective or corrective functions on its own. The major advantages of passive IDSes are that these systems can be easily and quickly deployed and are not usually susceptible to attack themselves.

Network-based and host-based IDS

A Network Intrusion Detection System (NIDS) is an intrusion detection system that tries to find malign activity such as denial of service attacks, port scans. A NIDS interprets all the entering packets and tries to find suspicious patterns known as signatures or rules. If, e.g., a large number of TCP connection requests to a really large number of unlike ports are noticed, one could assume that there is someone conducting a port scan in the network . It also attempts to find entering shellcodes in the similar way that an average intrusion detection system does.

A NIDS is not limited to inspecting incoming network traffic only. Often useful information about an ongoing intrusion can be gathered from outgoing or local traffic as well. Some attacks may even be staged from inside the monitored network, and are consequently not seen as incoming traffic at all.

A network-based IDS generally consists of a network appliance (or sensor) with a Network Interface Card (NIC) operating in promiscuous mode and a separate management interface. The IDS is placed along a network segment or boundary and monitors all traffic on it.

A host-based IDS requires small programs (or agents) to be installed on the individual systems to be monitored. The agents monitor the operating system and write data to log files. A host-based IDS can only monitor the individual host systems on which the agents are installed; it does not monitor the entire network.

A host-based IDS monitors all or part of the dynamic behavior and the state of a computer system. Much as a NIDS dynamically inspects network packets, a HIDS can notice which program accesses which resources and detect that, for example, a word processor has suddenly and inexplicably started modifying the system password database. Likewise a HIDS may check the state of a system and its stored data, whether in RAM, in the file system or in log files, and verify that the contents of these look as expected.

One can think of a HIDS as an agent that monitors whether anything or anyone, internal or external, has circumvented the system's security policy.

Monitoring dynamic behavior

Many computer users have come across tools that monitor dynamic system behaviour in the form of anti-virus (AV) software. While AV programs often also monitor system state, they spend much of their time checking who is doing what inside a computer, and whether a given program should or should not have access to particular system resources.

Monitoring state

The principal operation of a HIDS depends on the fact that successful intruders will normally leave a trace of their actions. (In fact, such intruders often prefer to own the computer they have compromised, and will establish their "ownership" by installing software that will grant them future access to carry out whatever activity they devise.)

In theory, a computer user is able to detect any such changes, and the HIDS seeks to do just that and report its findings.
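The state monitoring described in this section, as an added example that is not part of the original essay: a HIDS-style file integrity check that records a baseline of SHA-256 digests and later reports modified, added and removed files. The files, the "password database" edit and the dropped file are all constructed in a temporary directory.

```python
"""Added example: HIDS state monitoring by file integrity checking."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root)] = digest
    return digests


def compare(baseline, current):
    """Return the traces an intruder's tampering leaves relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Simulate an edit to the password database, a dropped file and a deleted log."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")        # constructed content
        with open(os.path.join(root, "etc", "auth.log"), "w") as fh:
            fh.write("session opened for user root\n")
        baseline = snapshot(root)                               # taken while clean

        with open(os.path.join(root, "etc", "passwd"), "a") as fh:
            fh.write("eve:x:0:0:eve:/home/eve:/bin/sh\n")     # new uid-0 account
        with open(os.path.join(root, "persist.bin"), "wb") as fh:
            fh.write(b"\x00placeholder\x00")                   # unexpected new file
        os.remove(os.path.join(root, "etc", "auth.log"))        # log wiped
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Each of the three traces the essay mentions (a changed system file, a new file granting future access, and missing log data) shows up as a separate category in the report.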

Ideally a HIDS acts in conjunction with a NIDS, such that a HIDS discovers anything that slips past the NIDS.

Ironically, most skilled intruders, on entering a target machine, immediately apply best-practice security techniques to secure the system they have penetrated, leaving only their own backdoor open, so that other intruders cannot take over their computers.

Behavior-based and Knowledge-based IDS

A knowledge-based IDS references a database of known attack profiles and known system vulnerabilities to detect active intrusion attempts. Knowledge-based IDS is currently more common than behavior-based IDS. Advantages of knowledge-based systems include the following:

* Lower false alarm rates than behavior-based IDS.

* Alarms are more standardized and better understood than behavior-based IDS.

Disadvantages of knowledge-based systems include these:

* The signature database must be continually updated and maintained.

* New, unique, or original attacks may not be detected or may be improperly classified.

A behavior-based (or statistical anomaly-based) IDS references a baseline or learned pattern of normal system activity to detect active intrusion attempts. Deviations from this baseline or pattern cause an alarm to be triggered. Advantages of behavior-based systems include that they

* Dynamically adapt to new, unique, or original attacks.

* Are less dependent on identifying specific operating system vulnerabilities.

Disadvantages of behavior-based systems include

· Higher false alarm rates than knowledge-based IDSes.

· Usage patterns that may change frequently and may not be static enough to implement an effective behavior-based IDS.
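The trade-off between the two approaches, as an added example that is not part of the original essay: a signature matcher (knowledge-based) and a statistical baseline (behavior-based) run side by side over constructed request lines and per-minute request counts. The signature list, the traffic figures and the z-score threshold are all assumptions made for this illustration.

```python
"""Added example: knowledge-based vs behavior-based detection on constructed data."""
import re
import statistics

# Knowledge base: two textbook signatures (constructed; a real database has thousands)
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+1=1", re.I),
}


def signature_alerts(requests):
    """Knowledge-based: report (request, signature) for every known pattern seen."""
    return [(r, name) for r in requests for name, pat in SIGNATURES.items() if pat.search(r)]


def anomaly_alerts(training_counts, observed_counts, z_threshold=3.0):
    """Behavior-based: learn mean/stdev of per-minute request counts, then flag
    the index of any observed minute more than z_threshold deviations away."""
    mean = statistics.mean(training_counts)
    stdev = statistics.pstdev(training_counts) or 1.0   # avoid division by zero
    return [i for i, c in enumerate(observed_counts) if abs(c - mean) / stdev > z_threshold]


# Constructed traffic: the baseline minutes are quiet and steady (mean 50)
NORMAL_MINUTES = [50, 52, 48, 51, 49, 50, 53, 47]
# Observed: index 2 is a legitimate spike after a newsletter; index 4 is a novel flood
OBSERVED_MINUTES = [50, 49, 400, 51, 900, 50]
REQUESTS = [
    "GET /index.html",
    "GET /../../etc/passwd",          # known pattern: caught by signature
    "GET /search?q=x' OR 1=1--",      # known pattern: caught by signature
    "GET /never-seen-before-trigger",  # novel: no signature exists yet
]


if __name__ == "__main__":
    for req, name in signature_alerts(REQUESTS):
        print(f"signature {name}: {req}")
    for minute in anomaly_alerts(NORMAL_MINUTES, OBSERVED_MINUTES):
        print(f"anomalous minute {minute}: {OBSERVED_MINUTES[minute]} requests")
```

The signature matcher never fires on the novel request (the knowledge-based weakness), while the baseline flags both the attack minute and the harmless newsletter spike (the behavior-based false-alarm weakness).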

b) BENEFITS OF AN IDS

In today's market, most businesses regard the Internet as a major tool for communication with their customers and the corporate community. As a consequence, businesses need to analyze the risks involved in using the Internet as a communication tool, and the techniques available to them to mitigate these risks. Many business organizations are already aware of the types of risk they face, and have deployed countermeasures such as firewalls, IDS, virus detection software, security servers, access control mechanisms and so on. The genuine risk and threat comes from the "determined hacker". They will find a way of penetrating your system with the use of some hacking software. Although the above-mentioned tools are preventative measures, an IDS is more of an analysis tool that will give you the following information:

· Instance of attack

· Method of attack

· Source of attack

· Signature of attack

This type of information is becoming progressively more important when attempting to design and enforce the right security programme for an organization. Some of this information can be found in devices such as firewalls and access control systems, as they all hold log information on system activity. In these cases the onus is on the administrator to audit the logs to find out whether an attempted attack has taken place, or to find out after the event when the attack occurred and its source. Generally information concerning the method of the attack and the signature of the attack cannot be found in the logs. This is because devices such as firewalls are configured to inspect the IP packet header information, not the payload portion of the IP packet.

An IDS will inspect the payload of the packet to find out whether the pattern of data held within it matches that of a known attack signature. The benefits of the above information are as follows:

Instance of attack: An IDS will raise an alert while an attack is ongoing; this lets you neutralize the attack as it happens, without going through lengthy logs to determine the details of the attack.

Method of attack: An IDS will let you recognize which area of your network, or which system on your network, is under attack and how it is being compromised. This enables you to react accordingly, and it helps you to put the proper security in the proper place.

Source of attack: An IDS will let you know the source of an attack; it is then the administrator's duty to check whether it is a legitimate source. By establishing the legitimacy of the source, the administrator can decide whether to block communications from it.

Signatures of attack: An IDS will discover the nature of the attack and the pattern of the attack, and alert accordingly. This information warns the organization's administrator about the types of vulnerabilities that are exposed and that would allow an attacker to take control of the network.

The above information allows an organization to:

· Construct a vulnerability profile of their network and the expected security

· Plan its defense scheme

· Budget for security expenditure.

LIMITATIONS OF IDS

Network intrusion detection systems are unreliable enough that they should be viewed only as standby systems configured to back up the primary security systems.

Primary systems such as firewalls, encryption, and authentication are rock solid. Bugs or misconfiguration frequently lead to difficulties in these systems, but the fundamental concepts are "incontrovertibly" sound. Intrusion detection systems suffer from two problems: normal traffic produces many false positives (crying wolf), and careful attackers can evade or disable the intrusion detection system. Indeed, there is a good deal of evidence that network intrusion detection systems will never be completely reliable.

Resource limitations

Network intrusion detection systems are placed at centralized locations on the network. They must be able to analyze and store information generated by potentially thousands of machines. The IDS must reconstruct the combined state of all the machines whose traffic passes through its segment. Evidently, it cannot do this fully.

Network traffic loads

Current NIDS have difficulty keeping up with fully loaded segments. The average web site sees a frame size of approximately 180 bytes, which translates to about 50,000 packets/second on a 100 Mbps Ethernet. Most IDS units cannot keep up with this rate. Most customers have less traffic than this, but it can still be a concern now and then.

TCP connections

An IDS must maintain connection state for a large number of TCP connections. This requires a large amount of memory. The difficulty is worsened by evasion techniques, which often require the IDS to maintain connection state even after the client and server have closed the connection.

c) Reasons to Acquire IDSs

Intrusion detection capability is rapidly becoming basic to every large organization's security infrastructure.

However, the cost of an IDS must be justified.

There are at least three good reasons to justify the acquisition of IDSs: to detect attacks and other security violations that cannot be prevented, to prevent attackers from probing a network, and to document the intrusion threats.

Detecting attacks that can't be prevented

Attackers, using well-known methods, can get through many networks. This frequently happens when known vulnerabilities in the network cannot be fixed. For example, in many legacy systems the operating systems cannot be updated. In updated systems, administrators might not have the time to install all the necessary patches on a large number of hosts. In addition, it is normally not possible to map an organization's computer use policy exactly onto its access control mechanisms, and thus authorized users can often perform unauthorized actions. Users may also require network services and protocols that are known to be flawed and subject to attack. Although ideally we would fix all vulnerabilities, this is rarely achievable. Hence, an excellent approach for protecting a network is to use an IDS to detect when an attacker has penetrated a system through a weakness that cannot be fixed. It is better at least to know that a system has been penetrated so that administrators can perform damage control and recover the system once it has been compromised.

Preventing attackers from probing a network

A network without an IDS allows attackers to explore its weaknesses easily and without consequences. If even a single known vulnerability exists in a network, a determined attacker will eventually discover and exploit it. A network with an IDS in place presents a much greater challenge to an attacker [2]. Although the attacker can continue to probe the network for weaknesses, the IDS should detect these probes and alert security personnel, who can then take appropriate action.

Documenting the threat

It is crucial to verify that a network is under attack, or is likely to be attacked, to justify spending money on securing the network. Moreover, it is important to understand the frequency and characteristics of attacks so that we can determine what security measures are appropriate for the network. IDSs can identify both inside and outside attacks, providing a sound foundation for network security expenditure.

DISADVANTAGE:

Implementations of IDS vary depending on the security requirements of the network or host on which they are deployed. As we have seen, there is no single implementation of an IDS model that can provide the best intrusion detection monitoring in all situations.

The IDS methods themselves do not provide a foolproof system for detecting all the intrusions an attack can consist of. The information below details some of these shortcomings.

Anomaly Detection Disadvantages

1) As anomaly detection works by defining a "normal" model of system or network behavior, it usually suffers from a large number of false alarms due to the unpredictable behaviour of users and networks.

2) Anomaly detection approaches often need extensive training sets of network or system event records in order to characterize the normal behavior of the network. These training sets can consist of several logs that capture the normal usage of the subject or object being monitored.

Abuse Detection Disadvantages

1) Since abuse detection works by comparing known intrusive signatures against the observed log, abuse detectors suffer from the restriction of only being able to detect attacks that are already known.

2) Vulnerable to evasion.

Once a security hole has been detected and a signature has been written to capture it, several other variants of "copycat" exploits usually surface to take advantage of the same security hole.

Host-Based IDS Disadvantages

1) The implementation of HIDS can become very complex in large networking environments. With several thousand possible endpoints in a large network, collecting and inspecting the generated log files from each node can be a daunting task.

2) If the IDS system is compromised, the host could stop functioning, resulting in a halt to all logging activity.

Network-Based IDS Disadvantages

Network-based intrusion detection aims to offer the most detection coverage while minimizing the IDS deployment and maintenance overhead. However, the main difficulty with implementing a NIDS using the methods identified in the previous sections is the higher rate of false alarms. Today's enterprise networks magnify this disadvantage because of the large amounts of dynamic and varied data that need to be examined.
