Network protocols

Published: 2017-04-12

Introduction:

Briefly describe why TCP/IP networks are considered unsecured.

The TCP and IP network protocols could be considered the most important in the world today - they are the basis of the Internet. The protocols lack many features that are desirable or needed on an unsecured network. TCP/IP uses the client/server model of communication, in which a computer user requests and is provided a service by another computer in the network.

Weaknesses of TCP/IP networks:

General weaknesses of TCP/IP. Some of the weak points are given below:

IP spoofing :

An IP Spoofing Attack involves one entity falsely portraying itself as another entity. This type of attack can be carried out by a human user or a program. The spoofer can convince the end user that material being transmitted comes from a safe source.

Network Sniffers:

A packet sniffer is a wire-tap device that plugs into computer networks and eavesdrops on the network traffic.

WinNuke:

The term WinNuke refers to a remote denial-of-service (DoS) attack that affected the Microsoft Windows 95 and Microsoft Windows NT computer operating systems.

Teardrop Attacks:

A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine. This can crash various operating systems due to a bug in their TCP/IP fragmentation re-assembly code.
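
The overlap and size conditions that a reassembly routine has to reject can be checked on the fragment headers before any buffer is touched. The following is an added example, not part of the original essay: a Python check over constructed fragment records, where the `Fragment` fields, the 20-byte header assumption and the sample addresses are illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # IPv4 Total Length is a 16-bit field
IP_HEADER_LEN = 20     # assumption: IPv4 header without options


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ident: int            # IP Identification, shared by all fragments of one datagram
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    payload_len: int      # payload bytes carried by this fragment
    more_fragments: bool  # MF flag


def check_datagram(frags):
    """Return (problem, start, end) findings for the fragments of one datagram."""
    findings = []
    spans = []
    for f in frags:
        start = f.offset_units * 8
        end = start + f.payload_len
        spans.append((start, end))
        # Every fragment except the last must carry a multiple of 8 bytes.
        if f.more_fragments and f.payload_len % 8:
            findings.append(("bad-length", start, end))
        # The reassembled datagram would exceed what the length field can express.
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            findings.append(("oversize", start, end))
    # Walk the byte ranges in order; a range starting before the covered
    # prefix ends overlaps an earlier fragment (exact duplicates included).
    covered_to = 0
    for start, end in sorted(spans):
        if start < covered_to:
            findings.append(("overlap", start, end))
        covered_to = max(covered_to, end)
    return findings


def inspect(frags):
    """Group fragments per datagram and report only the datagrams with findings."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ident)].append(f)
    report = {}
    for key, group in groups.items():
        findings = check_datagram(group)
        if findings:
            report[key] = findings
    return report


# Constructed sample input (documentation addresses, not captured traffic).
SAMPLE = [
    # Well-formed 4000-byte payload split into three fragments.
    Fragment("192.0.2.10", "198.51.100.5", 100, 0, 1480, True),
    Fragment("192.0.2.10", "198.51.100.5", 100, 185, 1480, True),
    Fragment("192.0.2.10", "198.51.100.5", 100, 370, 1040, False),
    # Second fragment lies inside the byte range of the first.
    Fragment("203.0.113.7", "198.51.100.5", 200, 0, 64, True),
    Fragment("203.0.113.7", "198.51.100.5", 200, 3, 16, False),
    # Offset plus length runs past the maximum datagram size.
    Fragment("203.0.113.7", "198.51.100.5", 201, 8189, 100, False),
]

if __name__ == "__main__":
    for key, findings in inspect(SAMPLE).items():
        print(key, findings)
```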

Ssping:

SSping DoS attacks and you still crash, and then the mode of attack is probably Teardrop or LAND. If you are using IRC, and your machine becomes disconnected from the network or Internet

SYN Flooding:

Once the attacker stops flooding the server, it usually goes back to its normal state (SYN floods rarely crash servers).

Man-in-the-middle:

Man-in-the-middle attacks are also known as bucket-brigade attacks. The attacker may just have access to the messages or may modify them. Mutual authentication techniques can be used to alleviate the threats of this attack.

Describe how the following technologies are employed in securing TCP/IP implementation.

  • SSL (Secure Socket Layer).
  • IPSec (IP Security).
  • Kerberos

SSL (Secure Socket Layer):

The Secure Sockets Layer is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security, which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol and Transport Control Protocol layers.

What Services can be protected With SSL?

Almost any Internet service can be protected with SSL. Common ones include Web Mail and other secure web sites such as banking sites and corporate sites, POP, IMAP, and SMTP. LuxSci provides SSL services to protect your username, password, and communications over all of these and other services.

SSL is of great concern for hosting e-commerce, shopping and banking portals, i.e. wherever an online transaction is involved, especially with credit cards. There are specific SSL certificate providers.

How Does Secure Socket Layer Work?

The Secure Socket Layer, SSL for short, is a protocol by which many services that communicate over the Internet can do so in a secure fashion. Before we discuss how SSL works and what kinds of security it provides, let us first see what happens without SSL.

SSL in Action:

SSL actually works for securing your communications over the Internet. Before the communications occur, the following takes place:

  • A company wishes to secure communications to their server company.com.
  • They create a public and private key for company.com
  • They go to a trusted third party company such as Thawte or Verisign.
  • Once the verification is complete, Thawte gives the company a new public key that has some additional information.
  • This certification information is encrypted using Thawte's private key.

Key Benefits of SSL:

  • Unlimited business-to-business and business-to-customer expansion
  • Enhanced consumer confidence
  • Low total cost of ownership
  • Cost-effective online delivery
  • Faster time to revenue
  • Faster setup

Before you start

Before you can begin the process of obtaining a Certificate, you must generate a Private Key and CSR pair off your web server. Before you purchase

IPsec (IP Security)

Internet Protocol security is a framework of open standards for protecting communications over Internet Protocol (IP) networks through the use of cryptographic security services. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec works at the Network Layer. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.

The IPSEC working group will restrict itself to the following short-term work items to improve the existing key management protocol (IKE) and IPSEC encapsulation protocols:

  1. Changes to IKE to support NAT/Firewall traversal
  2. Changes to IKE to support SCTP
  3. New cipher documents to support AES-CBC, AES-MAC, SHA-2, and a fast AES mode suitable for use in hardware encryptors.
  4. IKE MIB documents
  5. Sequence number extensions to ESP to support an expanded sequence number space.
  6. Clarification and standardization of rekeying procedures in IKE.

This is the cognitive function of IPSec. The policy module examines the IPSec settings of a system and determines which traffic should be protected and some generic settings for that protection. It does not do the actual work of protecting the data; it simply alerts the IPSec driver that the traffic must be protected.

Kerberos

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

The KDC stores authentication information and uses it to securely authenticate users and services.

This authentication is called secure because it:

  • Does not occur in plaintext
  • Does not rely on authentication by the host operating system
  • Does not base trust on IP addresses
  • Does not require physical security of the network hosts

MIT Kerberos is the reference implementation. MIT Kerberos supports DEC UNIX, Linux, Irix, Solaris, Windows and MacOS. Several other commercial and non-commercial Kerberos implementations are also available. Microsoft added a slightly modified version of Kerberos v5 authentication in Windows 2000.

Kerberos Weaknesses:

  • Secure and synchronized clocks are implied by the use of timestamps.
  • Password guessing attacks: in real implementations the initial shared keys are password derived.
  • Replay attacks: reuse of authenticators within the lifetime period.
  • See the Bellovin and Merritt paper for more.
  • These are weaknesses in the overall protocol, not with the underlying cryptography.
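
The timestamp and replay weaknesses listed above are the reason a Kerberos service bounds clock skew and remembers the authenticators it has already accepted. The following is an added example, not code from MIT Kerberos or from the original essay; the `Authenticator` fields, the `ReplayCache` class, the principal names and the 300-second skew limit are assumptions chosen for illustration.

```python
from dataclasses import dataclass

MAX_SKEW = 300  # seconds of tolerated clock difference (assumed value)


@dataclass(frozen=True)
class Authenticator:
    client: str  # client principal name
    ctime: int   # client timestamp, seconds
    cusec: int   # microsecond part, distinguishes requests within one second


class ReplayCache:
    """Server-side check applied to an authenticator after it has been decrypted."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # (client, ctime, cusec) -> last second the entry matters

    def check(self, auth, now):
        # Entries older than the skew window can be dropped: the timestamp
        # test below rejects them anyway, so the cache stays bounded.
        self._seen = {k: exp for k, exp in self._seen.items() if exp >= now}

        # Weakness 1: the scheme only works if both clocks roughly agree.
        if abs(now - auth.ctime) > self.max_skew:
            return "reject: clock skew"

        # Weakness 3: inside the window a captured authenticator is still
        # fresh, so the server must remember every one it has accepted.
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return "reject: replay"
        self._seen[key] = auth.ctime + self.max_skew
        return "accept"


def run_demo():
    """Constructed sequence of (authenticator, server time) events."""
    cache = ReplayCache()
    first = Authenticator("alice@EXAMPLE.COM", 1000, 1)
    events = [
        (first, 1000),                                        # fresh request
        (first, 1100),                                        # same bytes sent again
        (Authenticator("alice@EXAMPLE.COM", 1000, 2), 1100),  # new request, same second
        (first, 1301),                                        # replay after the window
        (Authenticator("bob@EXAMPLE.COM", 1700, 0), 1301),    # client clock far ahead
    ]
    return [cache.check(auth, now) for auth, now in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```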

Summary:

TCP/IP, as it exists today, has a general lack of security. Examples of implementations of SYN flooding, IP Spoofing, Connection Hijacking, etc. show that this lack of security has led directly to the development of tools and techniques to exploit TCP/IP's weaknesses. Fixing some of these flaws today is possible (with add-ons like TCP Wrappers, Kerberos, and SKIP Thus, most communication on today's Internet is still unsecured.

Task 2

Introduction:

This task discusses security evaluation by an independent body, a widely accepted approach that is used as an important criterion of assurance of the security of a system. The report covers the Trusted Computer Security Evaluation Criteria (TCSEC), the Trusted Network Interpretation (TNI), the Information Technology Security Evaluation Criteria (ITSEC), the Common Criteria, and the types of products that are evaluated using security evaluation criteria.

Trusted Computer Security Evaluation Criteria (TCSEC)

The Trusted Computer Security Evaluation Criteria is a document published by the US Department of Defense which contains criteria used for evaluating the degree of security in a networked system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information, and it specified the well-known Class C2 rating. It characterizes security from D to. Most operating systems and network operating systems are classified at the C2 level.

The TCSEC defines four divisions: D, C, B and A where division A has the highest security. Each division represents a significant difference in the trust an individual or organization can place on the evaluated system. Additionally divisions C, B and A are broken into a series of hierarchical subdivisions called classes: C1, C2, B1, B2, B3 and A1.

Trusted Network Interpretation (TNI)

The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. The ITSEC places increased emphasis on integrity and availability, and attempts to provide a uniform approach to the evaluation of both products and systems. The ITSEC allows less restricted collections of requirements for a system at the expense of more complex and less comparable ratings and the need for effectiveness analysis of the features claimed for the evaluation. In the case of the ITSEC, it is recommended that if an appropriate C2 rated product is not available, that ITSEC rated FC2/E2 products be used. The security policy must be explicit, well-defined and enforced by the computer system.

The ITSEC did not require evaluated targets to contain specific technical features in order to achieve a particular assurance level. For example, an ITSEC target might provide authentication or integrity features without providing confidentiality or availability. A given target's security features were documented in a Security Target document, whose contents had to be evaluated and approved before the target itself was evaluated. Each ITSEC evaluation was based exclusively on verifying the security features identified in the Security Target.

Information Technology Security Evaluation Criteria (ITSEC)

The Information Technology Security Evaluation Criteria (ITSEC) is a structured set of criteria for evaluating computer security within products and systems. The ITSEC did not require evaluated targets to contain specific technical features in order to achieve a particular assurance level.

For example, an ITSEC target might provide authentication or integrity features without providing confidentiality or availability. A given target's security features were documented in a Security Target document, whose contents had to be evaluated and approved before the target itself was evaluated. Each ITSEC evaluation was based exclusively on verifying the security features identified in the Security Target. Although the ITSEC and TCSEC have many similar requirements, there are some important distinctions. The ITSEC places increased emphasis on integrity and availability, and attempts to provide a uniform approach to the evaluation of both products and systems.

In so doing, the ITSEC allows less restricted collections of requirements for a system at the expense of more complex and less comparable ratings and the need for effectiveness analysis of the features claimed for the evaluation. The question of whether the ITSEC or TCSEC is the better approach is the subject of sometimes intense debate.

The Common Criteria

The Common Criteria (CC), occasionally referred to as the Harmonized Criteria, is a multinational effort to write a successor to the TCSEC and ITSEC that combines the best aspects of both. The CC has a structure closer to the ITSEC than the TCSEC and includes the concept of a "profile" to collect requirements into easily specified and compared sets. The TPEP is actively working to develop profiles and an evaluation process for the CC. Common Criteria evaluations are performed on computer security products and systems.

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

Common Criteria is very generic; it does not directly provide a list of product security requirements or features for specific products: this follows the approach taken by ITSEC.

What types of products are evaluated using a security evaluation criterion?

The types of products that are evaluated using security evaluation criteria are given below:

Firewall: A firewall in an integrated security system enables the user to control network traffic, i.e. data sent and received over the network by applications that are running on the user's computer. A component that offers such control is called a firewall.

Evaluating firewall effectiveness with leak tests:

A firewall provides security which is additional to that provided by other security solutions and appliances. Additional security is becoming increasingly relevant due to the increase in the number of new malicious programs. Firewalls block undesirable network traffic, both inbound and outbound. Leak tests, which are the subject of this article, evaluate how reliably a firewall controls outbound traffic and protects the computer from data leaks.

Intrusion Detection System:

Using IDS Testing Tools for security evaluations

A safer and faster alternative to using real exploits is to purchase and utilize an IDS testing tool. The best-known IDS testing tool is Blade IDS Informer, from Blade Software. Informer works by replaying IP, UDP and ICMP packets, as well as complete TCP sessions that contain various scans, probes and attacks. The source and destination IP and MAC addresses that the packets use can be modified as needed. Informer comes with hundreds of attacks, divided into categories of related attacks; the user can select which attacks or groups of attacks they would like to use. Blade regularly updates the Informer attack suite so you can keep your IDS testing fairly current with new attacks and attack techniques.

Port scanners:

Port scanner testing for security evaluation:

Port scanners offer the best return because of the substantial information they supply about the remote system and network. When a port scanner is in use, the system logs, NIDS logs and firewall logs of the targeted network can record a significant amount of network activity. The nmap utility is the premier tool for a security tester. Nmap is classified most popular port number. The nmap tool reveals open TCP and UDP ports on a remote system and lists the applications commonly associated with those ports.

Task-3

Introduction:

Intrusion detection system (IDS) refers to an architecture of devices, software and other types of technology solutions that are designed to detect malicious activity. The rapid growth of intrusion solutions has occurred because companies realize that a healthy network depends on the ability of administrators to speak intelligently about the amount and type of malicious activity seen on the network.

Briefly describe the following terms:

Intrusion detection systems (IDS):

Intrusion Detection System (IDS) is a system for detecting misuse of network or computer resources. An IDS will have a number of sensors it utilizes to detect intrusions. Example sensors may be:

  1. A sensor to monitor TCP connection requests.
  2. Log file monitors.
  3. File integrity checkers.

The IDS is responsible for collecting data from its sensors and analyzing this data to give the security administrator notice of malicious activity on the network. IDS technologies are commonly divided into NIDS, HIDS and Honeypots.

Intrusion prevention systems:

Intrusion Prevention System (IPS) solution provides powerful protection by blocking intrusion attempts, protecting against malware, Trojans, DoS attacks, malicious code transmission, backdoor activity and blended threats. It is a subscription service, offering the most comprehensive, zero-hour protection to enterprises in combination with the Cyberoam firewall gateway anti-virus and anti-spyware, anti-spam and content & application filtering services. Attackers are increasingly turning to highly targeted external and internal attacks.

Three main types of IDS:

An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. The IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network. An IDS has three types of detection devices, which are given below:

NIDS

A Network IDS is an overall system of devices that work together to monitor the network.

A NIDS consists of at least a sensor, a manager, a database and a console. Each piece of equipment has a specific duty.

  • Sensor: Monitors the network and reports suspicious activity to the manager.
  • Manager: Collects the information and passes it to the database for storage.
  • Database: Stores the collected reports and transmits them to the console.
  • Console: Analyzes the reports and takes action against them.

HIDS

  • Sensor: Monitors the hosts and reports suspicious activity to the manager.
  • Manager: Collects the reports and passes them to the database for storage.
  • Database: Stores the collected reports and transmits them to the console.
  • Console: Analyzes the reports and takes action against them.

Honeypots

A honeypot refers to a computer system masking its identity and inviting abuse to collect information on attackers.

Fig: Honeypot Implementation

A honeypot installed as a web server monitors malicious traffic and transmits reports to the manager; the manager sends these reports to the database, which stores them and then sends them to the console, where the reports are analyzed and action is taken against them.

IDS evasion techniques:

Intrusion detection system evasion techniques bypass detection by creating different states on the IDS and on the targeted computer. The adversary accomplishes this by manipulating either the attack itself or the network traffic that contains the attack.

  1. Most Network IDS products based their alerts purely on pattern matching packet contents against a database of known signatures.
  2. Then came a new breed of IDS offerings that approached the problem in a completely different way - by doing a full protocol analysis on the data stream.
  3. Others began to use heuristics or anomaly-based analysis to determine when an attempted attack had taken place.
  4. Most IDS employ a mixture of these detection methods in a single product, though some will be more biased towards one method than another.
  5. According to Cisco, there are five main methods of attack identification (source: Cisco Systems, The Science of Intrusion Detection System Attack Identification).
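
Why pattern matching on single packets (item 1) is weaker than analysis of the data stream (item 2) can be shown from the sensor's side. This is an added example, not taken from any IDS product or from the original essay; the signature string, the segment data and the function names are constructed for illustration.

```python
SIGNATURE = b"EXAMPLE-BAD-STRING"  # constructed marker, stands in for a real signature


def per_packet_match(segments, signature=SIGNATURE):
    """Signature matching on each segment payload in isolation."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments):
    """Rebuild the byte stream from (sequence_number, payload) pairs.

    Returns (stream, conflicts). conflicts holds every stream position for
    which two segments carried different bytes; the first copy is kept.
    """
    seen = {}
    conflicts = []
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            pos = seq + i
            if pos not in seen:
                seen[pos] = byte
            elif seen[pos] != byte:
                conflicts.append(pos)
    stream = bytearray()
    if seen:
        pos = min(seen)
        while pos in seen:  # stop at the first gap: later bytes are not deliverable yet
            stream.append(seen[pos])
            pos += 1
    return bytes(stream), conflicts


def stream_match(segments, signature=SIGNATURE):
    """Match on the reassembled stream and flag inconsistent retransmissions.

    When two copies of the same position differ, the sensor cannot know which
    copy the receiving host kept, so that condition is reported on its own.
    """
    stream, conflicts = reassemble(segments)
    return {"signature": signature in stream, "conflicting_overlap": bool(conflicts)}


# Constructed sample traffic: (relative sequence number, payload).
WHOLE = [(0, b"q=EXAMPLE-BAD-STRING")]                    # signature in one segment
SPLIT = [(10, b"BAD-STRING"), (0, b"q=EXAMPLE-")]         # split and out of order
CONFLICT = [(0, b"q=EXAMPLE-"), (8, b"XXBAD-STRING")]     # bytes 8-9 sent twice, differently

if __name__ == "__main__":
    for name, segs in (("WHOLE", WHOLE), ("SPLIT", SPLIT), ("CONFLICT", CONFLICT)):
        print(name, per_packet_match(segs), stream_match(segs))
```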

Many free IDSs are available on the Internet.

Many intrusion detection systems can be found on the Internet, and among them the top-level detection systems are Snort, OSSEC HIDS, Fragroute/Fragrouter, BASE and Sguil. Of these intrusion detection systems, I think the most popular detection system is Snort. So I am selecting this WinPcap detection system. My opinion on whether I can effectively demonstrate the typical function of intrusion detection systems and implement the selected IDS, together with a brief report describing my experience, is given below:

WinPcap:

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture. WinPcap consists of a driver that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API.

Implementation:

When this software is implemented on any network computer, WinPcap provides these functions:

  • The first one offers a low-level API that can be used to directly access the functions of the driver, with a programming interface independent from the Microsoft OS.
  • The second one exports a more powerful set of high level capture primitives that are compatible with libpcap, the well known UNIX capture library. These functions enable packet capture in a manner that is independent of the underlying network hardware and operating system.

Task-4

Introduction:

Peer-to-peer (P2P) networking technology has resulted in the creation of revolutionary applications in areas such as instant messaging, file sharing, shared workspaces, distributed repositories and audio/visual streaming. Most candidates should be familiar with commonly known P2P applications. Unfortunately, some people have been quick to exploit this technology, and new vulnerabilities have been introduced into networked systems.

FIVE Common vulnerabilities of P2P networks:

P2P networks have five vulnerabilities that are common with traditional networks; these are given below:

  1. Bandwidth requirements. Many ISPs are wise to P2P and, unfortunately, do not differentiate between one person downloading the latest Adobe programs illegally and another person downloading a legal Linux distribution; most ISPs attempt to shape or throttle bandwidth in order to prevent P2P usage. A few block it entirely.
  2. Data damage. This is less common with BitTorrent and Ares, as they offer native methods of checking data integrity during reception; overall, however, it is still a problem with a lot of P2P applications. Even in programs that do support data integrity checking, downloaded data can unfortunately be damaged and then simply has to be downloaded again.
  3. Exposure. The whole concept of P2P is rooted in connecting to anyone else in order to share files. You have no idea whether that anyone else is an FBI agent.
  4. Backdoors. Many P2P programs come packed with spyware, adware or another form of unwanted and undesired software. The majority of common P2P programs require specific network and firewall settings to function properly. This means that an average person installing Limewire will have spyware and other software running on their computer, and a port or two open at all times which would normally not be open.
  5. Signal to noise ratio. While downloading files, it is nearly impossible to tell a legitimate copy of a desired file from a fake one, one that is infected with a virus or other malware. It is easy to spot these things in the wild, but to your average person, it is not. So when someone hears they just search for it and download, but wind up infected in some way.

The vulnerabilities peculiar to the P2P technology:

  1. Bugs: In order for P2P file-sharing applications to work, the appropriate software must be installed on the user's system. If this software contains a bug it could expose the network to a number of risks, e.g. conflict with business applications or even crash the system.

  2. Authentication: There is also the issue of authentication and authorization. When using P2P you have to be able to determine whether the peer accessing information is who they really say they are and that they access only authorized information. It is a peculiar vulnerability of P2P.

  3. General Security: P2P shares many security problems and solutions with networks and distributed systems, such as data tampering, unreliable transport, latency problems, identification problems, etc.

  4. Adding and Removing Users: There must be an unfeasible method to add or delete users to the network create increasing vulnerability. The system is under the most threat from users and former users who know the ins and outs of the system, e.g. the existence of trapdoors etc.

  5. Private Business on a Public Network: Many companies conduct private business on a public network. This leads to an exposure to various security risks. These risks must be addressed in order to avoid the liability this use entails.

Detail the countermeasures that could be implemented to defend an enterprise from potential attacks:

This section specifies the usual data corruption, backdoor and bandwidth throttling malicious activities and their countermeasures in a P2P network; these are given below:

  1. Countermeasure of Backdoor attacks: On Windows computers, three tools commonly used by intruders to gain remote access to any computer are Back Orifice, Netbus, and Sub Seven. These back door or remote administration programs, once installed, allow other people to access and control your computer.

  2. Data Corruption: Providing high availability and the ability to share data despite the weak connectivity of mobile computing raises the problem of trusting replicated data servers that may be corrupt. This occurs when there is less security. We describe the kinds of problems one must be prepared to deal with, noting that even users of secured, non-portable computers are at risk if servers trust all authorized peers.

  3. Adding and removing users: The possibilities of fake root public key installation by an attacker in a user's PC, and its countermeasures. The root public keys are used to verify the certificates for applet providers. Therefore the insertion of false public keys allows arbitrary numbers of rogue applications to be executed on a user's PC. We propose a protection method against the installation of fake root keys in a user's PC.

Pick THREE P2P applications of choice and then describe the vulnerabilities of each of these:

Many businesses have been inspired by the success of P2P applications and are busily brainstorming potentially interesting new P2P software. However, some in the networking community believe that the success of Napster, Kazaa and other P2P applications has little to do with technology and more to do with piracy.

Popular P2P Applications

eMule:

eMule's Queue and Credit system helps to ensure that everyone will get the file he wants by promoting those that upload back to the network. eMule also allows you to use very complex Boolean searches that make the searches much more flexible.

Vulnerability:

eMule reserves all the disk space it will need for the complete file, no matter how much it has downloaded already. Suppose you have 10GB of free space, and you are downloading a 1GB file. This file is hard to find, so you can't download more than 10MB per day. eMule reserves 1GB as soon as you start downloading. This means that for 100 days, you have 1GB less disk space. So the disadvantage is that you miss a lot of space for a long time.

Bit Torrent:

A BitTorrent client is any program that implements the BitTorrent protocol. Each client is capable of preparing, requesting, and transmitting any type of computer file over a network, using the protocol. A peer is any computer running an instance of a client. To share a file or group of files, a peer first creates a small file called a torrent.

Vulnerability:

The vulnerability of Bit Torrents is that they can max out your broadband bandwidth (up & down) but you get your files quicker. The vulnerabilities are that the Bit Torrents come & go very quickly. So you've gotta be quick.

Limewire:

LimeWire is a popular P2P file sharing program using the Gnutella network that supports a wide range of languages and operating systems including Windows, Mac and Linux. The program features an open community of similar to optimize search performance

Vulnerability:

The vulnerabilities of file hosting and P2P are huge, and in both cases you would get a difference of opinion when asking a user which they prefer. There are many online search engines available now that can find file-hosted links, so people can do a search for files to download without having to resort to peer-to-peer programs. This is a huge risk to privacy and may turn people away from using P2P. Rapid share is one of the most popular file-hosting websites.
