
PRESENTATION REPORT ON NETWORK SECURITY

Submitted To: Ms. Amba, Faculty, MRIU

Submitted By: Ramneek Kaur, FET/CS(s)/2092

TABLE OF CONTENTS

S.No.  Topic                  Page No.
1      Summary                3
2      Objective              5
3      Research Methodology   9
4      Interpretation         10
5      Conclusion             18
6      Bibliography           19

Summary
Computer and network security is a new and fast-moving technology and, as such, is still being defined and most probably always will be. Security incidents are rising at an alarming rate every year. As the complexity of the threats increases, so do the security measures required to protect networks. Data center operators, network administrators, and other data center professionals need to comprehend the basics of security in order to safely deploy and manage networks today. Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. While such knowledge cannot thwart all attempts at network incursion or system attack, it can empower network engineers to eliminate certain general problems, greatly reduce potential damage, and quickly detect breaches. With the ever-increasing number and complexity of attacks, vigilant approaches to security in both large and small enterprises are a must.

Network security originally focused on algorithmic aspects such as encryption and hashing techniques. While these concepts rarely change, these skills alone are insufficient to protect computer networks. As crackers hacked away at networks and systems, security courses arose that emphasized the latest attacks. There are always faults in management, faulty software, and abuse of the resources connected to computer networks; these are the main causes of security problems for a network. Today, security has become one of the main problems for computer networks and the developing Internet. However, there is no simple way to establish a secure computer network. In fact, no network in the world today can be found that is free of security holes. The infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent.
Hundreds of millions of people now appreciate a cyber context for terms like viruses, denial of service, privacy, worms, fraud, and crime more generally. Attacks so far have been limited. While in some network attacks the value of losses is in the hundreds of millions, damage so far is seen as tolerable. While preventing attack is largely based on government authority and responsibility, the detailed knowledge needed to thwart an attack on a cyber system and prevent damage rests primarily with its owner. Protecting infrastructure systems arguably involves five coupled stages. First, it is necessary to attempt to deter potential attackers. Second, if attacked, the need is to thwart the attack and to prevent damage. Third, since success cannot be guaranteed in either preventing or thwarting an attack, the next stage is to limit the damage as much as possible. Fourth, having sustained some level of damage from an attack, the defender must reconstitute the pre-attack state of affairs. Finally, since changing technology and incentives to attack influence both offence and defense, the final step is for the defender to learn from failure in order to improve performance, just as attackers will learn from their failures. The more specific defenses to be discussed may be usefully partitioned into two forms: passive and active. Passive defense essentially consists in target hardening. Active defense, in contrast, imposes some risk or penalty on the attacker. Risk or penalty may include identification and exposure, investigation and prosecution, or pre-emptive or counter-attacks of various sorts.

Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as those within a company, or open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing the operations being done on it. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Objective
The main objective of this research paper is to illustrate the most common network threats, to provide solutions that protect users from those threats and from hackers, and to ensure that the data travelling across the network is safe.

Network security concepts


Network security starts with authentication, commonly with a username and a password. Since this requires just one detail to authenticate the user name, i.e. the password, it is sometimes termed one-factor authentication. With two-factor authentication, something the user 'has' is also used (e.g. a security token or 'dongle', an ATM card, or a mobile phone); and with three-factor authentication, something the user 'is' is also used (e.g. a fingerprint or retinal scan). Once authenticated, a firewall enforces access policies such as which services the network users are allowed to access. Though effective at preventing unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. Anti-virus software or an intrusion prevention system (IPS) helps detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network and its traffic for unexpected (i.e. suspicious) content or behavior and other anomalies to protect resources, e.g. from denial of service attacks or an employee accessing files at strange times. Individual events occurring on the network may be logged for audit purposes and for later high-level analysis. Communication between two hosts using a network may be encrypted to maintain privacy. Honeypots, essentially decoy network-accessible resources, may be deployed in a network as surveillance and early-warning tools, since honeypots are not normally accessed for legitimate purposes. Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis may be used to further tighten the security of the actual network being protected by the honeypot.

Security management
Security management for networks is different for all kinds of situations. A home or small office may only require basic security while large businesses may require high-maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.

Homes & Small Businesses


- A basic firewall or a unified threat management system.
- For Windows users, basic antivirus software. An anti-spyware program would also be a good idea. There are many other types of antivirus or anti-spyware programs available.
- When using a wireless connection, use a robust password. Also try to use the strongest security supported by your wireless devices, such as WPA2 with AES. TKIP may be more widely supported by your devices and should only be considered in cases where they are NOT compliant with AES.
- If using wireless: change the default SSID network name and disable SSID broadcast, as this function is unnecessary for home use. (Security experts consider this to be easily bypassed with modern technology and some knowledge of how wireless traffic is detected by software.)
- Enable MAC address filtering to keep track of all home network MAC devices connecting to your router. (This is not a security feature per se; however, it can be used to limit and strictly monitor your DHCP address pool for unwanted intruders, if not just by exclusion, then by AP association.)
- Assign static IP addresses to network devices. (This is not a security feature per se; however, it may be used, in conjunction with other features, to make your AP less desirable to would-be intruders.)
- Disable ICMP ping on the router.
- Review router or firewall logs to help identify abnormal network connections or traffic to the
- Use passwords for all accounts.
- For Windows users, have multiple accounts per family member and use non-administrative accounts for day-to-day activities.
- Raise awareness about information security to children.

Medium businesses

- A fairly strong firewall or unified threat management system.
- Strong antivirus software and Internet security software.
- For authentication, use strong passwords and change them on a bi-weekly/monthly basis.
- When using a wireless connection, use a robust password.
- Raise awareness about physical security to employees.
- Use an optional network analyzer or network monitor.
- An enlightened administrator or manager.
- Use a VPN, or Virtual Private Network, to communicate between a main office and satellite offices using the Internet as a connectivity medium. A VPN offers a solution to the expense of leasing a data line while providing a secure network for the offices to communicate. A VPN provides the business with a way to communicate between two offices in a way that mimics a private leased line. Although the Internet is used, it is private because the link is encrypted, and it is convenient to use. A medium-sized business needing a secure way to connect several offices will find this a good choice.
- Clear employee guidelines should be implemented for using the Internet, including access to non-work-related websites and the sending and receiving of information.
- Individual accounts to log on and access the company intranet and Internet, with monitoring for accountability.
- Have a back-up policy to recover data in the event of a hardware failure or a security breach that changes, damages or deletes data.
- Disable Messenger.
- Assign several employees to monitor a group like CERT, which studies Internet security vulnerabilities and develops training to help improve security.

Large businesses

- A strong firewall and proxy, or network guard, to keep unwanted people out.
- A strong antivirus software package and Internet security software package.
- For authentication, use strong passwords and change them on a weekly/bi-weekly basis.
- When using a wireless connection, use a robust password.
- Exercise physical security precautions for employees.
- Prepare a network analyzer or network monitor and use it when needed.
- Implement physical security management like closed-circuit television for entry areas and restricted zones.
- Security fencing to mark the company's perimeter.
- Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
- Security guards can help to maximize physical security.

School

- An adjustable firewall and proxy to allow authorized users access from the outside and inside.
- Strong antivirus software and Internet security software packages.
- Wireless connections that lead to firewalls.
- Children's Internet Protection Act compliance (only schools in the USA).
- Supervision of the network to guarantee updates and changes based on popular site usage.
- Constant supervision by teachers, librarians, and administrators to guarantee protection against attacks from both Internet and sneakernet sources.
- An enforceable and easy-to-understand acceptable use policy which differentiates between school-owned and personally owned devices.
- FERPA compliance for the networks of institutes of higher education.

Large government

- A strong firewall and proxy to keep unwanted people out.
- Strong antivirus software and Internet security software suites.
- Strong encryption.
- Whitelist authorized wireless connections; block all else.
- All network hardware is in secure zones.
- All hosts should be on a private network that is invisible from the outside.
- Host web servers in a DMZ, or behind a firewall from the outside and from the inside.
- Security fencing to mark the perimeter, and set the wireless range to this.
- Inventory controls of government-owned mobile

Research Methodology
The data used in this research paper is secondary data. It was collected from various sites and is used in this research paper.

Interpretation
Types of Attacks
Networks are subject to attacks from malicious sources. Attacks fall into two categories: "passive", when a network intruder intercepts data traveling through the network, and "active", in which an intruder initiates commands to disrupt the network's normal operation. An "active attack" attempts to alter system resources or affect their operation. Types of attacks include:
a) Passive Attack
b) Active Attack

Passive Attacks:

Telephone Tapping- Telephone tapping (also wire tapping or wiretapping in American English) is the monitoring of telephone and Internet conversations by a third party, often by covert means. The wire tap received its name because, historically, the monitoring connection was an actual electrical tap on the telephone line. Legal wiretapping by a government agency is also called lawful interception. Passive wiretapping monitors or records the traffic, while active wiretapping alters or otherwise affects it.

Port Scanner- A port scanner is a software application designed to probe a server or host for open ports. It is often used by administrators to verify the security policies of their networks, and by attackers to identify running services on a host with a view to compromising it. A port scan or portscan can be defined as an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service, although the majority of uses of a port scan are not attacks and are simple probes to determine the services available on a remote machine.

Idle Scan- The idle scan is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available. This is accomplished by impersonating another computer called a "zombie" (that is not transmitting or receiving information) and observing the behavior of the "zombie" system.
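The passage above notes that individual events may be logged for audit and that a port scan touches a range of ports on one host. The following is an added example (not part of the original report) of how a defender turns that observation into a detector: it reads firewall connection-log lines and flags any source that contacts many distinct ports on one destination inside a short time window. The log format, the addresses and the log lines themselves are constructed for the example.

```python
"""Detect port-scan behaviour in connection logs (Python 3.7+, stdlib only)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the "key=value" format is an assumption, not a
# real firewall's format): a sequential probe of ports 20-39 from 198.51.100.7,
# interleaved with ordinary web traffic from 203.0.113.5 and one unparseable line.
SAMPLE_LINES = [
    f"2024-01-01T10:00:{i:02d} src=198.51.100.7 dst=192.0.2.10 dport={20 + i} proto=tcp"
    for i in range(20)
] + [
    "2024-01-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2024-01-01T10:00:09 src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp",
    "2024-01-01T10:00:15 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {(src, dst): sorted ports} for every source that touched at least
    `threshold` distinct destination ports on one host within `window`."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {x["dport"] for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = sorted(ports)  # latest window that crossed the threshold
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LINES).items():
        print(f"possible port scan: {src} -> {dst}, {len(ports)} ports ({ports[0]}-{ports[-1]})")
```

The threshold and window are tuning knobs: a browser session legitimately touches a handful of ports, so a low threshold produces false positives, which the second assertion below demonstrates by lowering it until the normal client is flagged too.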


Active Attacks:

Denial of Service Attack (DoS Attack)- In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. This technique has now seen extensive use in certain games, used by server owners or disgruntled competitors on games such as Minecraft and League of Legends. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. One common method of attack involves saturating the target machine with external communications requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are implemented either by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately. Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

Spoofing Attack- In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message. They are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.

Man In The Middle Attack- The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM or MITMA; also known as a bucket brigade attack, or sometimes a Janus attack) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle). A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other; it is an attack on mutual authentication (or the lack thereof). Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL can authenticate one or both parties using a mutually trusted certification authority.

ARP Spoofing- ARP spoofing is a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. The attack can only be used on networks that make use of the Address Resolution Protocol (ARP), and is limited to local network segments.

Buffer Overflow- In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety.


Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited. Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.
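The ARP spoofing entry above says the attack works by getting a second MAC address associated with an IP address that already belongs to another host, usually the gateway. The following is an added example (not from the original report) of the detection a defender can run over observed ARP replies: pin the gateway's MAC in a static table, learn the first MAC seen for every other IP, and alert when an IP's MAC changes or when one MAC starts answering for several IPs. The addresses and the captured replies are constructed for the example.

```python
"""Detect ARP spoofing symptoms from a stream of observed ARP replies (Python 3.7+)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply, meaning 'sender_ip is at sender_mac'."""
    sender_ip: str
    sender_mac: str


# Static entries an administrator pins for critical hosts (constructed values).
# The default gateway is the usual target, so it is the first entry worth pinning.
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Constructed capture: normal replies, then one station claiming the gateway's IP
# and a workstation's IP at the same time (the pattern used to relay both sides).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ArpReply("192.168.1.20", "aa:bb:cc:00:00:20"),  # ordinary workstation
    ArpReply("192.168.1.30", "aa:bb:cc:00:00:30"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP, different MAC
    ArpReply("192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC now claims .20 too
]


def detect_arp_spoofing(replies, trusted=TRUSTED, max_ips_per_mac=1):
    """Return a list of (kind, ip, expected_mac, claimed_mac) alerts.

    kind is one of:
      'trusted-mismatch'    - a pinned IP was claimed by a different MAC
      'mac-changed'         - a learned IP switched to a new MAC
      'mac-claims-many-ips' - one MAC answers for more IPs than allowed
    """
    first_seen = {}                  # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed so far
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        ips_by_mac[mac].add(r.sender_ip)

        expected = trusted.get(r.sender_ip)
        if expected is not None and mac != expected.lower():
            alerts.append(("trusted-mismatch", r.sender_ip, expected, mac))
        elif r.sender_ip in first_seen and first_seen[r.sender_ip] != mac:
            # Caveat: first-seen learning trusts whichever reply arrived first,
            # which is exactly why critical hosts belong in the static table.
            alerts.append(("mac-changed", r.sender_ip, first_seen[r.sender_ip], mac))
        first_seen.setdefault(r.sender_ip, mac)

        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append(("mac-claims-many-ips", r.sender_ip, None, mac))
    return alerts


if __name__ == "__main__":
    for kind, ip, expected, claimed in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"{kind}: {ip} expected={expected} claimed={claimed}")
```

The `max_ips_per_mac` knob exists because a router doing proxy ARP or a host with several addresses legitimately answers for more than one IP; raise it for such segments rather than ignoring the alert class altogether.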

Heap Overflow- A heap overflow is a type of buffer overflow that occurs in the heap data area. Heap overflows are exploited differently from stack-based overflows. Memory on the heap is dynamically allocated by the application at run time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc metadata) and uses the resulting pointer exchange to overwrite a program function pointer.

SQL Injection- SQL injection is a technique often used to attack data-driven applications. This is done by including portions of SQL statements in an entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g., dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in an application's software. The vulnerability occurs when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is unexpectedly executed. SQL commands are thus injected from an application form into the database of an application (like queries) to change the database content or dump the database information, like credit cards or passwords, to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
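The entry above describes the root cause as untrusted input being spliced into the statement text. The following is an added example (not from the original report) showing that defect beside its fix: the same lookup written with string formatting and with a bound parameter, run against a throwaway in-memory SQLite database whose rows and the entry-field value are constructed for the example.

```python
"""SQL injection: a string-built query beside its parameterised fix (Python 3, stdlib sqlite3)."""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def find_user_vulnerable(conn, username):
    """BAD: the untrusted value becomes part of the statement text, so any SQL
    syntax in the input is parsed as SQL rather than treated as a value."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """GOOD: a bound parameter is always handed to the engine as a string value;
    quotes inside it cannot alter the statement's structure."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Constructed entry-field value of the kind the text describes: the quote closes
# the literal the vulnerable query opened, and the rest makes the WHERE clause
# true for every row.
INJECTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTED_INPUT))  # every username
    print("safe:      ", find_user_safe(db, INJECTED_INPUT))        # no match
    print("safe, normal input:", find_user_safe(db, "bob"))
```

Input filtering for escape characters, which the entry also mentions, is the weaker of the two mitigations; parameter binding removes the class of bug rather than trying to enumerate the dangerous characters.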


FIREWALL USAGE
A firewall can be either software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. A network's firewall builds a bridge between the internal network or computer it protects, which is assumed to be secure and trusted, and another network, usually an external (inter)network such as the Internet, that is not assumed to be secure and trusted. Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.


Preventing An Attack:- The following steps must be followed in order to prevent a network attack. These include:

1) Preventing IP Spoofing
This section describes how to enable Unicast Reverse Path Forwarding on an interface. Unicast RPF guards against IP spoofing (a packet uses an incorrect source IP address to obscure its true source) by ensuring that all packets have a source IP address that matches the correct source interface according to the routing table. Normally, the ASA only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the ASA to also look at the source address; this is why it is called Reverse Path Forwarding. For any traffic that you want to allow through the ASA, the ASA routing table must include a route back to the source address. See RFC 2267 for more information. For outside traffic, for example, the ASA can use the default route to satisfy the Unicast RPF protection. If traffic enters from an outside interface, and the source address is not known to the routing table, the ASA uses the default route to correctly identify the outside interface as the source interface. If traffic enters the outside interface from an address that is known to the routing table, but is associated with the inside interface, then the ASA drops the packet. Similarly, if traffic enters the inside interface from an unknown source address, the ASA drops the packet because the matching route (the default route) indicates the outside interface. Unicast RPF is implemented as follows: ICMP packets have no session, so each packet is checked. UDP and TCP have sessions, so the initial packet requires a reverse route lookup. Subsequent packets arriving during the session are checked using the existing state maintained as part of the session. Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet.

To enable Unicast RPF, enter the following command:

hostname(config)# ip verify reverse-path interface interface_name
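The Unicast RPF description above lists four concrete cases (unknown source arriving outside, inside-routed source arriving outside, unknown source arriving inside, and non-initial session packets). The following is an added example (not from the original report, and not Cisco's implementation) that models that decision procedure in plain Python so each case can be checked: a longest-prefix routing table, a reverse lookup on the source address, and a session table that pins TCP/UDP flows to the interface of their first packet. The routes, interface names and packets are constructed for the example.

```python
"""Model of a Unicast Reverse Path Forwarding check (Python 3.7+, stdlib only)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "icmp", "tcp" or "udp"
    ingress: str      # interface the packet arrived on
    sport: int = 0
    dport: int = 0


class UnicastRpf:
    def __init__(self, routes):
        # routes: list of (prefix, interface); the most specific prefix wins.
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]
        self.sessions = {}   # 5-tuple -> interface the session's first packet used

    def route_interface(self, ip):
        """Longest-prefix match: which interface would traffic *to* `ip` leave on?"""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check(self, pkt):
        """Return (accept, reason) for one packet, updating session state."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto in ("tcp", "udp") and key in self.sessions:
            # Non-initial packet: it must arrive on the interface the session started on.
            if self.sessions[key] == pkt.ingress:
                return True, "session match"
            return False, "session interface mismatch"

        # Initial packet (or any ICMP packet): reverse route lookup on the source.
        expected = self.route_interface(pkt.src)
        if expected is None:
            return False, "no route back to source"
        if expected != pkt.ingress:
            return False, f"reverse path is {expected}, packet arrived on {pkt.ingress}"
        if pkt.proto in ("tcp", "udp"):
            self.sessions[key] = pkt.ingress
        return True, "reverse path ok"


# Constructed routing table: one inside prefix plus a default route to the outside.
ROUTES = [("10.1.0.0/16", "inside"), ("0.0.0.0/0", "outside")]


if __name__ == "__main__":
    rpf = UnicastRpf(ROUTES)
    for p in [
        Packet("203.0.113.9", "10.1.0.5", "icmp", "outside"),          # unknown src, outside: ok
        Packet("10.1.2.3", "203.0.113.9", "tcp", "outside", 40000, 80),  # inside src, outside: drop
        Packet("203.0.113.9", "10.1.0.5", "tcp", "inside", 40000, 80),   # unknown src, inside: drop
        Packet("10.1.2.3", "203.0.113.9", "tcp", "inside", 40000, 80),   # inside src, inside: ok
    ]:
        print(p.src, "via", p.ingress, "->", rpf.check(p))
```

Because the default route resolves every otherwise-unknown address to the outside interface, the model reproduces the text's asymmetry: an unknown source is acceptable when it arrives from outside but not when it arrives from inside.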

2) Configuring the Fragment Size


By default, the ASA allows up to 24 fragments per IP packet, and up to 200 fragments awaiting reassembly. You might need to allow fragments on your network if you have an application that routinely fragments packets, such as NFS over UDP. However, if you do not have an application that fragments traffic, we recommend that you do not allow fragments through the ASA. Fragmented packets are often used in DoS attacks. To disallow fragments, enter the following command:

hostname(config)# fragment chain 1 [interface_name]

Enter an interface name if you want to prevent fragmentation on a specific interface. By default, this command applies to all interfaces.

3) Blocking Unwanted Connections


If you know that a host is attempting to attack your network (for example, system log messages show an attack), then you can block (or shun) connections based on the source IP address. All existing connections and new connections are blocked until you remove the shun.
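The firewall section above describes a device that matches each packet against a predetermined rule set, and the paragraph just above adds the shun: blocking every existing and new connection from a source address until the shun is removed. The following is an added example (not from the original report, and not any vendor's product code) that implements both in one small packet filter: ordered rules with first-match semantics, default deny for anything unmatched, and a shun list consulted before the rules. The rules, addresses and packets are constructed for the example.

```python
"""Rule-based packet filter with an administrator shun list (Python 3.7+, stdlib only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt):
        return (
            self.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.shunned = set()

    def shun(self, ip):
        """Block everything from `ip`, existing and new, until unshun() is called."""
        self.shunned.add(ipaddress.ip_address(ip))

    def unshun(self, ip):
        self.shunned.discard(ipaddress.ip_address(ip))

    def decide(self, pkt):
        """Return (action, reason): shun first, then rules in order, then implicit deny."""
        if ipaddress.ip_address(pkt.src) in self.shunned:
            return "deny", "source is shunned"
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, f"rule {i}"
        return "deny", "implicit deny"


# Constructed rule set for a small DMZ web host: an explicit early block of a
# known-bad range, then public HTTPS/HTTP only; everything else hits the
# implicit deny at the end.
RULES = [
    Rule("deny", src="198.51.100.0/24"),
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=443),
    Rule("permit", proto="tcp", dst="192.0.2.10/32", dport=80),
]


def build_firewall():
    return Firewall(RULES)


if __name__ == "__main__":
    fw = build_firewall()
    web = Packet("203.0.113.5", "192.0.2.10", "tcp", 443)
    print("web before shun:", fw.decide(web))
    fw.shun("203.0.113.5")                       # e.g. after syslog shows an attack
    print("web after shun: ", fw.decide(web))
    fw.unshun("203.0.113.5")
    print("web after unshun:", fw.decide(web))
```

Rule order matters with first-match evaluation: moving the explicit deny below the permits would let the blocked range reach the web ports, which is the kind of mistake a rule-set review should look for.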

LIMITING DAMAGE DURING A SUCCESSFUL ATTACK


The central idea of this strategic objective is to limit damage in the trans-attack period by constructing an incident management system. The premised technical capability is the ability of the defender to audit system operation, to detect an attack under way, and to take steps in real time to limit the extent of the damage. "Defender" can apply at the company level, the industry level, or the national level. Damage limitation implies, beyond having attack templates to enable recognition that an attack is under way, the linking of system operation centers to higher-level analysis centers for situation awareness and attack assessment. This also implies having pre-established response options at the company, industry, or national level. Several kinds of responses are possible. Adaptive defense allows a defender to increase levels of defense, such as calling for re-authentication of all users, or of those currently undertaking critical functions or accessing critical information; putting critical transactions in quarantine until they can be more thoroughly scrutinized; backing up system status; providing real-time warning to other systems; and increasing the collection of forensic evidence. In this regard, system design must have an explicitly defensive aspect, where models of attackers and their strategies and tactics are established and where tools for the collection of forensic data are provided. An analogy is the design of a military combat system. Not only must a system meet its functional objectives, but its defense in the face of hostile action is addressed at the beginning of the design process, not, as is often the case in commercial systems, at the end of the process or even reactively. Information about the defense of the system should be concealed from potential attackers, and the system should be designed to give unsuccessful attackers as little information as possible on which to develop improved attacks.
As a second response toward improving effectiveness, during the development process and after deployment, systems should be subject to independent penetration testing. Post-attack analysis of intrusion attempts, whether the attack was successful or not, is critical for a learning organization. While failure analysis is normal in areas such as transportation, power, and structural failure, it is less common in the case of information systems, where failures are more difficult to diagnose and where forensic evidence is more difficult to collect. Such data as are collected must be analyzed, not only to assess damage, but also to thwart a recurrence of that attack and to address possible inadequacies in forensic data collection. While this may smack of locking the barn door after the horse has been stolen, if successful, the same attacker or others may repeat attacks, and hence there is ample opportunity for learning in the large.

HALTING ATTACKS IN PROGRESS


Along with the sharing of information, system administrators also need procedures they can use to assist in ending attacks already under way. This need is particularly evident in DoS attacks, which can be of extended duration and which can shut down business operations while they occur. To aid in ending an attack, system administrators would benefit from working with infrastructure operators to trace the attack to its source and then to block the attacker. Methods for halting attacks in progress, as well as those for investigating attacks, are constrained by the inability to easily identify and locate attackers. In the case of the Internet, because packet source addresses are easily forged, the only way to identify an attacker with confidence is to trace the path taken by the packet through the routing infrastructure. This tracing is a manual process and essentially requires the cooperation of every network operator between the attacker and the target. The inability to automatically trace the source of an attack in real time significantly impairs the ability of targets and law enforcement agencies to respond to incidents.


Conclusion
The security issues in our networked systems as described in this paper identify some of the work that needs to be done, and the urgency with which concerns need to be addressed. Dependence on some of the IT-based infrastructures in several countries is such that serious national consequences could result from the exploitation of their vulnerabilities. And as the density of networks increases, the necessity for transnational participation in improving network security increases. The changing technologies and the potential for changing threats are taxing our understanding of the threats and how to deal with them. Due to the complexity and entanglement among networks and communities internationally, any increase in network security must involve the concerted efforts of as many nations as possible. We have to understand that a great deal can be accomplished through such mechanisms, but not without taking note of their earlier trouble spots. We must learn from prior unexpected consequences in international cooperation, just as in the battle to secure networked systems, and be ever more cautious as we move forward toward some type of international action. But move forward quickly we must if the benefits from the use of our networked systems are to be realized in the myriad ways that they have been and are hoped for in the future. Nations must cooperate fully within their capability in order to contain the actions of those who threaten our networks, and to realize the positive vision that we have for our societies.


